nss: fix SSL handshake timeout underflow

CHANGES

@@ -14,6 +14,9 @@ Kamil Dudka (24 Apr 2010)
 - Fixed test536 in order to not fail with threaded DNS resolver and tweaked
   comments in certain examples using curl_multi_fdset().
 
+- Fixed SSL handshake timeout underflow in libcurl-NSS, which caused test405
+  to hang on a slow machine.
+
 Daniel Stenberg (21 Apr 2010)
 - The -O option caused curl to crash on windows and DOS due to the tool
   writing out of boundary memory.

RELEASE-NOTES

@@ -20,6 +20,7 @@ This release includes the following bugfixes:
  o -J/--remote-header-name strips CRLF
  o MSVC makefiles now use ws2_32.lib instead of wsock32.lib
  o -O crash on windows
+ o SSL handshake timeout underflow in libcurl-NSS
 
 This release includes the following known bugs:
 

lib/nss.c

@@ -1025,6 +1025,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   int curlerr;
   const int *cipher_to_enable;
   PRSocketOptionData sock_opt;
+  long time_left;
   PRUint32 timeout;
 
   curlerr = CURLE_SSL_CONNECT_ERROR;
@@ -1302,8 +1303,15 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 
   SSL_SetURL(connssl->handle, conn->host.name);
 
+  /* check timeout situation */
+  time_left = Curl_timeleft(conn, NULL, TRUE);
+  if(time_left < 0L) {
+    failf(data, "timed out before SSL handshake");
+    goto error;
+  }
+  timeout = PR_MillisecondsToInterval((PRUint32) time_left);
+
   /* Force the handshake now */
-  timeout = PR_MillisecondsToInterval((PRUint32)Curl_timeleft(conn, NULL, TRUE));
   if(SSL_ForceHandshakeWithTimeout(connssl->handle, timeout) != SECSuccess) {
     if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
       curlerr = CURLE_PEER_FAILED_VERIFICATION;