Bug 1315455 - Constify sslSocket for extension processing. r=mt.

Summary:
Extension handlers now take a const sslSocket* and a non-const xtnData.

Things aren't entirely clean yet. I had to do two things:

- Write a series of ssl_Ext* thunks for things that have innocuous
  side effects in sslSocket like updating the transcript or
  encrypting stuff.

- Add a CONST_CAST macro for the few cases where it's clear we're
  having real side effects but they weren't simple to unwind.
  them. The macro makes them easy to find.

Test Plan: None

Differential Revision: https://nss-review.dev.mozaws.net/D17

2 files changed, 42 insertions, 5 deletions

diff --git a/gtests/ssl_gtest/libssl_internals.c b/gtests/ssl_gtest/libssl_internals.c
index 5f923cf40..b76394577 100644
--- a/gtests/ssl_gtest/libssl_internals.c
+++ b/gtests/ssl_gtest/libssl_internals.c
@@ -179,12 +179,12 @@ SECStatus SSLInt_Set0RttAlpn(PRFileDesc *fd, PRUint8 *data, unsigned int len) {
     return SECFailure;
   }
 
-  ss->ssl3.nextProtoState = SSL_NEXT_PROTO_EARLY_VALUE;
-  if (ss->ssl3.nextProto.data) {
-    SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
+  ss->xtnData.nextProtoState = SSL_NEXT_PROTO_EARLY_VALUE;
+  if (ss->xtnData.nextProto.data) {
+    SECITEM_FreeItem(&ss->xtnData.nextProto, PR_FALSE);
   }
-  if (!SECITEM_AllocItem(NULL, &ss->ssl3.nextProto, len)) return SECFailure;
-  PORT_Memcpy(ss->ssl3.nextProto.data, data, len);
+  if (!SECITEM_AllocItem(NULL, &ss->xtnData.nextProto, len)) return SECFailure;
+  PORT_Memcpy(ss->xtnData.nextProto.data, data, len);
 
   return SECSuccess;
 }
diff --git a/gtests/ssl_gtest/ssl_extension_unittest.cc b/gtests/ssl_gtest/ssl_extension_unittest.cc
index 04a1d976a..43c9868f7 100644
--- a/gtests/ssl_gtest/ssl_extension_unittest.cc
+++ b/gtests/ssl_gtest/ssl_extension_unittest.cc
@@ -154,6 +154,25 @@ class TlsExtensionTestBase : public TlsConnectTestBase {
     extension->Write(3, namelen, 2);
     extension->Write(5, reinterpret_cast<const uint8_t*>(name), namelen);
   }
+
+  void HrrThenRemoveExtensionsTest(SSLExtensionType type, PRInt32 client_error,
+                                   PRInt32 server_error) {
+    static const std::vector<SSLNamedGroup> client_groups = {
+        ssl_grp_ec_secp384r1, ssl_grp_ec_curve25519};
+    static const std::vector<SSLNamedGroup> server_groups = {
+        ssl_grp_ec_curve25519, ssl_grp_ec_secp384r1};
+    client_->ConfigNamedGroups(client_groups);
+    server_->ConfigNamedGroups(server_groups);
+    EnsureTlsSetup();
+    client_->StartConnect();
+    server_->StartConnect();
+    client_->Handshake();  // Send ClientHello
+    server_->Handshake();  // Send HRR.
+    client_->SetPacketFilter(new TlsExtensionDropper(type));
+    Handshake();
+    client_->CheckErrorCode(client_error);
+    server_->CheckErrorCode(server_error);
+  }
 };
 
 class TlsExtensionTestDtls : public TlsExtensionTestBase,
@@ -772,6 +791,24 @@ TEST_P(TlsExtensionTest13, RemoveTls13FromVersionListBothV12) {
 #endif
 }
 
+TEST_P(TlsExtensionTest13, HrrThenRemoveSignatureAlgorithms) {
+  HrrThenRemoveExtensionsTest(ssl_signature_algorithms_xtn,
+                              SSL_ERROR_MISSING_EXTENSION_ALERT,
+                              SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION);
+}
+
+TEST_P(TlsExtensionTest13, HrrThenRemoveKeyShare) {
+  HrrThenRemoveExtensionsTest(ssl_tls13_key_share_xtn,
+                              SSL_ERROR_ILLEGAL_PARAMETER_ALERT,
+                              SSL_ERROR_BAD_2ND_CLIENT_HELLO);
+}
+
+TEST_P(TlsExtensionTest13, HrrThenRemoveSupportedGroups) {
+  HrrThenRemoveExtensionsTest(ssl_supported_groups_xtn,
+                              SSL_ERROR_MISSING_EXTENSION_ALERT,
+                              SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION);
+}
+
 TEST_P(TlsExtensionTest13, EmptyVersionList) {
   static const uint8_t ext[] = {0x00, 0x00};
   ConnectWithBogusVersionList(ext, sizeof(ext));