Disable Nagle on Linux and TLS cut through support

net/third_party/nss/patches/falsestart.patch

+diff --git a/mozilla/security/nss/cmd/strsclnt/strsclnt.c b/mozilla/security/nss/cmd/strsclnt/strsclnt.c

[wtc, 2010/02/20 00:39:51]

Remove the NPN changes from this patch.

+index c266644..1f71434 100644
+--- a/mozilla/security/nss/cmd/strsclnt/strsclnt.c
++++ b/mozilla/security/nss/cmd/strsclnt/strsclnt.c
+@@ -162,6 +162,7 @@ static PRBool disableLocking  = PR_FALSE;
+ static PRBool ignoreErrors    = PR_FALSE;
+ static PRBool enableSessionTickets = PR_FALSE;
+ static PRBool enableCompression    = PR_FALSE;
++static PRBool enableFalseStart     = PR_FALSE;
+ 
+ PRIntervalTime maxInterval    = PR_INTERVAL_NO_TIMEOUT;
+ 
+@@ -197,7 +198,8 @@ Usage(const char *progName)
+         "       -U means enable throttling up threads\n"
+        "       -B bypasses the PKCS11 layer for SSL encryption and MACing\n"
+        "       -u enable TLS Session Ticket extension\n"
+-       "       -z enable compression\n",
++       "       -z enable compression\n"
++       "       -g enable false start\n",
+        progName);
+     exit(1);
+ }
+@@ -1244,6 +1246,12 @@ client_main(
+            errExit("SSL_OptionSet SSL_ENABLE_DEFLATE");
+     }
+ 
++    if (enableFalseStart) {
++       rv = SSL_OptionSet(model_sock, SSL_ENABLE_FALSE_START, PR_TRUE);
++       if (rv != SECSuccess)
++           errExit("SSL_OptionSet SSL_ENABLE_FALSE_START");
++    }
++
+     SSL_SetURL(model_sock, hostName);
+ 
+     SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, 
+@@ -1354,7 +1362,7 @@ main(int argc, char **argv)
+  
+ 
+     optstate = PL_CreateOptState(argc, argv,
+-                                 "23BC:DNP:TUW:a:c:d:f:in:op:qst:uvw:z");
++                                 "23BC:DNP:TUW:a:c:d:f:gin:op:qst:uvw:z");
+     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+        switch(optstate->option) {
+ 
+@@ -1384,6 +1392,8 @@ main(int argc, char **argv)
+ 
+        case 'f': fileName = optstate->value; break;
+ 
++       case 'g': enableFalseStart = PR_TRUE; break;
++
+        case 'i': ignoreErrors = PR_TRUE; break;
+ 
+         case 'n': nickName = PL_strdup(optstate->value); break;
+diff --git a/mozilla/security/nss/cmd/tstclnt/tstclnt.c b/mozilla/security/nss/cmd/tstclnt/tstclnt.c
+index c15a0ad..d209a33 100644
+--- a/mozilla/security/nss/cmd/tstclnt/tstclnt.c
++++ b/mozilla/security/nss/cmd/tstclnt/tstclnt.c
+@@ -225,6 +225,7 @@ static void Usage(const char *progName)
+     fprintf(stderr, "%-20s Renegotiate N times (resuming session if N>1).\n", "-r N");
+     fprintf(stderr, "%-20s Enable the session ticket extension.\n", "-u");
+     fprintf(stderr, "%-20s Enable compression.\n", "-z");
++    fprintf(stderr, "%-20s Enable false start.\n", "-g");
+     fprintf(stderr, "%-20s Letter(s) chosen from the following list\n", 
+                     "-c ciphers");
+     fprintf(stderr, 
+@@ -521,6 +522,7 @@ int main(int argc, char **argv)
+     int                useExportPolicy = 0;
+     int                enableSessionTickets = 0;
+     int                enableCompression = 0;
++    int                enableFalseStart = 0;
+     PRSocketOptionData opt;
+     PRNetAddr          addr;
+     PRPollDesc         pollset[2];
+@@ -551,7 +553,7 @@ int main(int argc, char **argv)
+     }
+ 
+     optstate = PL_CreateOptState(argc, argv,
+-                                 "23BSTW:a:c:d:fh:m:n:op:qr:suvw:xz");
++                                 "23BSTW:a:c:d:fgh:m:n:op:qr:suvw:xz");
+     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+        switch (optstate->option) {
+          case '?':
+@@ -578,6 +580,8 @@ int main(int argc, char **argv)
+ 
+           case 'c': cipherString = PORT_Strdup(optstate->value); break;
+ 
++          case 'g': enableFalseStart = 1;              break;
++
+           case 'd': certDir = PORT_Strdup(optstate->value);   break;
+ 
+           case 'f': clientSpeaksFirst = PR_TRUE;        break;
+@@ -863,7 +867,20 @@ int main(int argc, char **argv)
+        SECU_PrintError(progName, "error enabling compression");
+        return 1;
+     }
+-               
++
++    rv = SSL_SetNextProtoNego(s, "\004flip\004http1.1", 10);
++    if (rv != SECSuccess) {
++       SECU_PrintError(progName, "error enabling next protocol negotiation");
++       return 1;
++    }
++
++    /* enable false start. */
++    rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart);
++    if (rv != SECSuccess) {
++       SECU_PrintError(progName, "error enabling false start");
++       return 1;
++    }
++
+     SSL_SetPKCS11PinArg(s, &pwdata);
+ 
+     SSL_AuthCertificateHook(s, SSL_AuthCertificate, (void *)handle);
+diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl/ssl.def
+index d3f455c..a1f4b51 100644
+--- a/mozilla/security/nss/lib/ssl/ssl.def
++++ b/mozilla/security/nss/lib/ssl/ssl.def
+@@ -152,3 +152,10 @@ SSL_SNISocketConfigHook;
+ ;+    local:
+ ;+*;
+ ;+};
++;+NSS_CHROMIUM {
++;+    global:
++SSL_GetNextProto;
++SSL_SetNextProtoNego;
++;+    local:
++;+*;
++;+};
+diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h
+index e285ab4..60fc9b5 100644
+--- a/mozilla/security/nss/lib/ssl/ssl.h
++++ b/mozilla/security/nss/lib/ssl/ssl.h
+@@ -128,6 +128,17 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
+                                           /* Renegotiation  Info (RI)       */
+                                          /* extension in ALL handshakes.   */
+                                           /* default: off                   */
++#define SSL_ENABLE_FALSE_START        22 /* Enable SSL false start (off by */
++                                         /* default, applies only to       */
++                                         /* clients). False start is a     */
++/* mode where an SSL client will start sending application data before      */
++/* verifing the server's Finished message. This means that we could end up  */
++/* sending data to an imposter. However, the data will be encrypted and     */
++/* only the true server can decrypt the session key. Thus, so long as the   */
++/* cipher isn't broken this is safe. Because of this, False Start will only */
++/* occur on RSA ciphersuites where the cipher's key length is >= 80 bits.   */
++/* The advantage of False Start is that it saves a round trip for           */
++/* client-speaks-first protocols when performing a full handshake.          */
+ 
+ #ifdef SSL_DEPRECATED_FUNCTION 
+ /* Old deprecated function names */
+@@ -142,6 +153,18 @@ SSL_IMPORT SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on);
+ SSL_IMPORT SECStatus SSL_OptionGetDefault(PRInt32 option, PRBool *on);
+ SSL_IMPORT SECStatus SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle);
+ 
++SSL_IMPORT SECStatus SSL_SetNextProtoNego(PRFileDesc *fd,
++                                         const unsigned char *data,
++                                         unsigned short length);
++SSL_IMPORT SECStatus SSL_GetNextProto(PRFileDesc *fd,
++                                     int *state,
++                                     unsigned char *buf,
++                                     unsigned *length,
++                                     unsigned buf_len);
++#define SSL_NEXT_PROTO_NO_SUPPORT      0 /* No peer support                */
++#define SSL_NEXT_PROTO_NEGOTIATED      1 /* Mutual agreement               */
++#define SSL_NEXT_PROTO_NO_OVERLAP      2 /* No protocol overlap found      */
++
+ /*
+ ** Control ciphers that SSL uses. If on is non-zero then the named cipher
+ ** is enabled, otherwise it is disabled. 
+diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
+index 6b37c4f..dd1ac73 100644
+--- a/mozilla/security/nss/lib/ssl/ssl3con.c
++++ b/mozilla/security/nss/lib/ssl/ssl3con.c
+@@ -81,6 +81,7 @@ static SECStatus ssl3_InitState(             sslSocket *ss);
+ static SECStatus ssl3_SendCertificate(       sslSocket *ss);
+ static SECStatus ssl3_SendEmptyCertificate(  sslSocket *ss);
+ static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
++static SECStatus ssl3_SendNextProto(         sslSocket *ss);
+ static SECStatus ssl3_SendFinished(          sslSocket *ss, PRInt32 flags);
+ static SECStatus ssl3_SendServerHello(       sslSocket *ss);
+ static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
+@@ -5656,7 +5657,15 @@ ssl3_RestartHandshakeAfterCertReq(sslSocket *         ss,
+     return rv;
+ }
+ 
+-
++PRBool
++ssl3_CanFalseStart(sslSocket *ss) {
++    return ss->opt.enableFalseStart &&
++          !ss->sec.isServer &&
++          !ss->ssl3.hs.isResuming &&
++          ss->ssl3.cwSpec &&
++          ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
++          ss->ssl3.hs.kea_def->exchKeyType == kt_rsa;
++}
+ 
+ /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+  * ssl3 Server Hello Done message.
+@@ -5717,6 +5726,12 @@ ssl3_HandleServerHelloDone(sslSocket *ss)
+     if (rv != SECSuccess) {
+        goto loser;     /* err code was set. */
+     }
++
++    rv = ssl3_SendNextProto(ss);
++    if (rv != SECSuccess) {
++       goto loser;     /* err code was set. */
++    }
++
+     rv = ssl3_SendFinished(ss, 0);
+     if (rv != SECSuccess) {
+        goto loser;     /* err code was set. */
+@@ -5728,6 +5743,12 @@ ssl3_HandleServerHelloDone(sslSocket *ss)
+        ss->ssl3.hs.ws = wait_new_session_ticket;
+     else
+        ss->ssl3.hs.ws = wait_change_cipher;
++
++    /* Do the handshake callback for sslv3 here. */
++    if (ss->handshakeCallback != NULL && ssl3_CanFalseStart(ss)) {
++       (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
++    }
++
+     return SECSuccess;
+ 
+ loser:
+@@ -8138,6 +8159,40 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
+ }
+ 
+ /* called from ssl3_HandleServerHelloDone
++ */
++static SECStatus
++ssl3_SendNextProto(sslSocket *ss)
++{
++    SECStatus rv;
++    int padding_len;
++    static const unsigned char padding[32] = {0};
++
++    if (ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NO_SUPPORT)
++       return SECSuccess;
++
++    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
++    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
++
++    padding_len = 32 - ((ss->ssl3.nextProto.len + 2) % 32);
++
++    rv = ssl3_AppendHandshakeHeader(ss, next_proto, ss->ssl3.nextProto.len +
++                                                   2 + padding_len);
++    if (rv != SECSuccess) {
++       return rv;      /* error code set by AppendHandshakeHeader */
++    }
++    rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.nextProto.data,
++                                     ss->ssl3.nextProto.len, 1);
++    if (rv != SECSuccess) {
++       return rv;      /* error code set by AppendHandshake */
++    }
++    rv = ssl3_AppendHandshakeVariable(ss, padding, padding_len, 1);
++    if (rv != SECSuccess) {
++       return rv;      /* error code set by AppendHandshake */
++    }
++    return rv;
++}
++
++/* called from ssl3_HandleServerHelloDone
+  *             ssl3_HandleClientHello
+  *             ssl3_HandleFinished
+  */
+@@ -8468,7 +8523,7 @@ xmit_loser:
+     ss->ssl3.hs.ws = idle_handshake;
+ 
+     /* Do the handshake callback for sslv3 here. */
+-    if (ss->handshakeCallback != NULL) {
++    if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) {
+        (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+     }
+ 
+@@ -9457,6 +9512,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+     ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
+ 
+     ss->ssl3.initialized = PR_FALSE;
++
++    if (ss->ssl3.nextProto.data) {
++       PORT_Free(ss->ssl3.nextProto.data);
++       ss->ssl3.nextProto.data = NULL;
++    }
+ }
+ 
+ /* End of ssl3con.c */
+diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c
+index fd0d9b9..ead0cfd 100644
+--- a/mozilla/security/nss/lib/ssl/ssl3ext.c
++++ b/mozilla/security/nss/lib/ssl/ssl3ext.c
+@@ -235,6 +235,7 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
+ #endif
+     { ssl_session_ticket_xtn,     &ssl3_ServerHandleSessionTicketXtn },
+     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
++    { ssl_next_proto_neg_xtn,     &ssl3_ServerHandleNextProtoNegoXtn },
+     { -1, NULL }
+ };
+ 
+@@ -245,6 +246,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
+     /* TODO: add a handler for ssl_ec_point_formats_xtn */
+     { ssl_session_ticket_xtn,     &ssl3_ClientHandleSessionTicketXtn },
+     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
++    { ssl_next_proto_neg_xtn,     &ssl3_ClientHandleNextProtoNegoXtn },
+     { -1, NULL }
+ };
+ 
+@@ -267,7 +269,8 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
+     { ssl_elliptic_curves_xtn,    &ssl3_SendSupportedCurvesXtn },
+     { ssl_ec_point_formats_xtn,   &ssl3_SendSupportedPointFormatsXtn },
+ #endif
+-    { ssl_session_ticket_xtn,     &ssl3_SendSessionTicketXtn }
++    { ssl_session_ticket_xtn,     &ssl3_SendSessionTicketXtn },
++    { ssl_next_proto_neg_xtn,     &ssl3_ClientSendNextProtoNegoXtn }
+     /* any extra entries will appear as { 0, NULL }    */
+ };
+ 
+@@ -532,6 +535,123 @@ ssl3_SendSessionTicketXtn(
+     return -1;
+ }
+ 
++/* handle an incoming Next Protocol Negotiation extension. */
++SECStatus
++ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
++{
++    if (data->len != 0) {
++       /* Clients MUST send an empty NPN extension, if any. */
++       return SECFailure;
++    }
++
++    ss->ssl3.hs.nextProtoNego = PR_TRUE;
++    return SECSuccess;
++}
++
++/* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none
++ * of the length may be 0 and the sum of the lengths must equal the length of
++ * the block. */
++SECStatus
++ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned short length)
++{
++    unsigned int offset = 0;
++
++    while (offset < length) {
++       if (data[offset] == 0) {
++           return SECFailure;
++       }
++       offset += (unsigned int)data[offset] + 1;
++    }
++
++    if (offset > length)
++       return SECFailure;
++
++    return SECSuccess;
++}
++
++SECStatus
++ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
++                                 SECItem *data)
++{
++    unsigned int i, j;
++    SECStatus rv;
++    unsigned char *result;
++
++    if (data->len == 0) {
++       /* The server supports the extension, but doesn't have any
++        * protocols configured. In this case we request our favoured
++        * protocol. */
++       goto pick_first;
++    }
++
++    rv = ssl3_ValidateNextProtoNego(data->data, data->len);
++    if (rv != SECSuccess)
++       return rv;
++
++    /* For each protocol in server preference order, see if we support it. */
++    for (i = 0; i < data->len; ) {
++       for (j = 0; j < ss->opt.nextProtoNego.len; ) {
++           if (data->data[i] == ss->opt.nextProtoNego.data[j] &&
++               memcmp(&data->data[i+1], &ss->opt.nextProtoNego.data[j+1],
++                      data->data[i]) == 0) {
++               /* We found a match */
++               ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NEGOTIATED;
++               result = &data->data[i];
++               goto found;
++           }
++           j += (unsigned int)ss->opt.nextProtoNego.data[j] + 1;
++       }
++
++       i += (unsigned int)data->data[i] + 1;
++    }
++
++  pick_first:
++    ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NO_OVERLAP;
++    result = ss->opt.nextProtoNego.data;
++
++  found:
++    if (ss->ssl3.nextProto.data)
++       PORT_Free(ss->ssl3.nextProto.data);
++    ss->ssl3.nextProto.data = PORT_Alloc(result[0]);
++    PORT_Memcpy(ss->ssl3.nextProto.data, result + 1, result[0]);
++    ss->ssl3.nextProto.len = result[0];
++    return SECSuccess;
++}
++
++PRInt32
++ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss,
++                              PRBool      append,
++                              PRUint32    maxBytes)
++{
++    PRInt32 extension_length;
++
++    /* Renegotiations do not send this extension. */
++    if (ss->opt.nextProtoNego.len == 0 || ss->firstHsDone) {
++       return 0;
++    }
++
++    extension_length = 4;
++
++    if (append && maxBytes >= extension_length) {
++       SECStatus rv;
++       rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_neg_xtn, 2);
++       if (rv != SECSuccess)
++           goto loser;
++       rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
++       if (rv != SECSuccess)
++           goto loser;
++       ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
++               ssl_next_proto_neg_xtn;
++    } else if (maxBytes < extension_length) {
++       return 0;
++    }
++
++    return extension_length;
++
++ loser:
++    return -1;
++}
++
+ /*
+  * NewSessionTicket
+  * Called from ssl3_HandleFinished
+diff --git a/mozilla/security/nss/lib/ssl/ssl3gthr.c b/mozilla/security/nss/lib/ssl/ssl3gthr.c
+index bdd2958..28fe154 100644
+--- a/mozilla/security/nss/lib/ssl/ssl3gthr.c
++++ b/mozilla/security/nss/lib/ssl/ssl3gthr.c
+@@ -188,6 +188,7 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
+ {
+     SSL3Ciphertext cText;
+     int            rv;
++    PRBool         canFalseStart = PR_FALSE;
+ 
+     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+     do {
+@@ -207,7 +208,17 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
+        if (rv < 0) {
+            return ss->recvdCloseNotify ? 0 : rv;
+        }
+-    } while (ss->ssl3.hs.ws != idle_handshake && ss->gs.buf.len == 0);
++
++       if (ss->opt.enableFalseStart) {
++           ssl_GetSSL3HandshakeLock(ss);
++           canFalseStart = (ss->ssl3.hs.ws == wait_change_cipher ||
++                            ss->ssl3.hs.ws == wait_new_session_ticket) &&
++                           ssl3_CanFalseStart(ss);
++           ssl_ReleaseSSL3HandshakeLock(ss);
++       }
++    } while (ss->ssl3.hs.ws != idle_handshake &&
++             !canFalseStart &&
++             ss->gs.buf.len == 0);
+ 
+     ss->gs.readOffset = 0;
+     ss->gs.writeOffset = ss->gs.buf.len;
+diff --git a/mozilla/security/nss/lib/ssl/ssl3prot.h b/mozilla/security/nss/lib/ssl/ssl3prot.h
+index 0fc1675..c82c891 100644
+--- a/mozilla/security/nss/lib/ssl/ssl3prot.h
++++ b/mozilla/security/nss/lib/ssl/ssl3prot.h
+@@ -157,7 +157,8 @@ typedef enum {
+     server_hello_done  = 14,
+     certificate_verify = 15, 
+     client_key_exchange        = 16, 
+-    finished           = 20
++    finished           = 20,
++    next_proto         = 67
+ } SSL3HandshakeType;
+ 
+ typedef struct {
+diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h
+index 7581b98..a800d56 100644
+--- a/mozilla/security/nss/lib/ssl/sslimpl.h
++++ b/mozilla/security/nss/lib/ssl/sslimpl.h
+@@ -313,6 +313,11 @@ typedef struct {
+ #endif /* NSS_ENABLE_ECC */
+ 
+ typedef struct sslOptionsStr {
++    /* For clients, this is a validated list of protocols in preference order
++     * and wire format. For servers, this is the list of support protocols,
++     * also in wire format. */
++    SECItem      nextProtoNego;
++
+     unsigned int useSecurity           : 1;  /*  1 */
+     unsigned int useSocks              : 1;  /*  2 */
+     unsigned int requestCertificate    : 1;  /*  3 */
+@@ -333,6 +338,7 @@ typedef struct sslOptionsStr {
+     unsigned int enableDeflate          : 1;  /* 19 */
+     unsigned int enableRenegotiation    : 2;  /* 20-21 */
+     unsigned int requireSafeNegotiation : 1;  /* 22 */
++    unsigned int enableFalseStart       : 1;  /* 23 */
+ } sslOptions;
+ 
+ typedef enum { sslHandshakingUndetermined = 0,
+@@ -785,6 +791,7 @@ const ssl3CipherSuiteDef *suite_def;
+ #ifdef NSS_ENABLE_ECC
+     PRUint32              negotiatedECCurves; /* bit mask */
+ #endif /* NSS_ENABLE_ECC */
++    PRBool                nextProtoNego;/* Our peer has sent this extension */
+ } SSL3HandshakeState;
+ 
+ 
+@@ -826,6 +833,16 @@ struct ssl3StateStr {
+     PRBool               initialized;
+     SSL3HandshakeState   hs;
+     ssl3CipherSpec       specs[2];     /* one is current, one is pending. */
++
++    /* In a client: if the server supports Next Protocol Negotiation, then
++     * this is the protocol that was requested.
++     * In a server: this is the protocol that the client requested via Next
++     * Protocol Negotiation.
++     *
++     * In either case, if the data pointer is non-NULL, then it is malloced
++     * data.  */
++    SECItem            nextProto;
++    int                        nextProtoState; /* See SSL_NEXT_PROTO_* defines */
+ };
+ 
+ typedef struct {
+@@ -1250,6 +1267,8 @@ extern void      ssl_SetAlwaysBlock(sslSocket *ss);
+ 
+ extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
+ 
++extern PRBool    ssl3_CanFalseStart(sslSocket *ss);
++
+ #define SSL_LOCK_READER(ss)            if (ss->recvLock) PZ_Lock(ss->recvLock)
+ #define SSL_UNLOCK_READER(ss)          if (ss->recvLock) PZ_Unlock(ss->recvLock)
+ #define SSL_LOCK_WRITER(ss)            if (ss->sendLock) PZ_Lock(ss->sendLock)
+@@ -1491,8 +1510,12 @@ extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket * ss,
+                        PRUint16 ex_type, SECItem *data);
+ extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
+                        PRUint16 ex_type, SECItem *data);
++extern SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
++                       PRUint16 ex_type, SECItem *data);
+ extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
+                        PRUint16 ex_type, SECItem *data);
++extern SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
++                       PRUint16 ex_type, SECItem *data);
+ 
+ /* ClientHello and ServerHello extension senders.
+  * Note that not all extension senders are exposed here; only those that
+@@ -1523,6 +1546,10 @@ extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss,
+ extern PRInt32 ssl3_SendSupportedPointFormatsXtn(sslSocket *ss,
+                        PRBool append, PRUint32 maxBytes);
+ #endif
++extern PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
++                                              PRUint32 maxBytes);
++extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data,
++                                           unsigned short length);
+ 
+ /* call the registered extension handlers. */
+ extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss, 
+diff --git a/mozilla/security/nss/lib/ssl/sslsecur.c b/mozilla/security/nss/lib/ssl/sslsecur.c
+index 8f79135..33ad2c3 100644
+--- a/mozilla/security/nss/lib/ssl/sslsecur.c
++++ b/mozilla/security/nss/lib/ssl/sslsecur.c
+@@ -148,6 +148,12 @@ ssl_Do1stHandshake(sslSocket *ss)
+            ss->gs.readOffset  = 0;
+            break;
+        }
++       if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
++           ssl3_CanFalseStart(ss) &&
++           (ss->ssl3.hs.ws == wait_change_cipher ||
++            ss->ssl3.hs.ws == wait_new_session_ticket)) {
++           break;
++       }
+        rv = (*ss->handshake)(ss);
+        ++loopCount;
+     /* This code must continue to loop on SECWouldBlock, 
+@@ -1307,6 +1313,10 @@ SSL_SetURL(PRFileDesc *fd, const char *url)
+ SECStatus
+ SSL_SetTrustAnchors(PRFileDesc *fd, CERTCertList *certList)
+ {
++    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
++    PR_NOT_REACHED("not implemented");
++    return SECFailure;
++#if 0
+     sslSocket *   ss = ssl_FindSocket(fd);
+     CERTDistNames *names = NULL;
+ 
+@@ -1334,6 +1344,7 @@ SSL_SetTrustAnchors(PRFileDesc *fd, CERTCertList *certList)
+     ssl_Release1stHandshakeLock(ss);
+ 
+     return SECSuccess;
++#endif
+ }
+ 
+ /*
+diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c
+index aab48d6..c4611a0 100644
+--- a/mozilla/security/nss/lib/ssl/sslsock.c
++++ b/mozilla/security/nss/lib/ssl/sslsock.c
+@@ -163,6 +163,7 @@ static const sslSocketOps ssl_secure_ops = {        /* SSL. */
+ ** default settings for socket enables
+ */
+ static sslOptions ssl_defaults = {
++    { siBuffer, NULL, 0 },     /* nextProtoNego */
+     PR_TRUE,   /* useSecurity        */
+     PR_FALSE,  /* useSocks           */
+     PR_FALSE,  /* requestCertificate */
+@@ -183,6 +184,7 @@ static sslOptions ssl_defaults = {
+     PR_FALSE,   /* enableDeflate      */
+     2,          /* enableRenegotiation (default: requires extension) */
+     PR_FALSE,   /* requireSafeNegotiation */
++    PR_FALSE,   /* enableFalseStart   */
+ };
+ 
+ sslSessionIDLookupFunc  ssl_sid_lookup;
+@@ -437,6 +439,10 @@ ssl_DestroySocketContents(sslSocket *ss)
+        ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
+        ss->ephemeralECDHKeyPair = NULL;
+     }
++    if (ss->opt.nextProtoNego.data) {
++       PORT_Free(ss->opt.nextProtoNego.data);
++       ss->opt.nextProtoNego.data = NULL;
++    }
+     PORT_Assert(!ss->xtnData.sniNameArr);
+     if (ss->xtnData.sniNameArr) {
+         PORT_Free(ss->xtnData.sniNameArr);
+@@ -728,6 +734,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
+        ss->opt.requireSafeNegotiation = on;
+        break;
+ 
++      case SSL_ENABLE_FALSE_START:
++       ss->opt.enableFalseStart = on;
++       break;
++
+       default:
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        rv = SECFailure;
+@@ -791,6 +801,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
+                                   on = ss->opt.enableRenegotiation; break;
+     case SSL_REQUIRE_SAFE_NEGOTIATION: 
+                                   on = ss->opt.requireSafeNegotiation; break;
++    case SSL_ENABLE_FALSE_START:  on = ss->opt.enableFalseStart;   break;
+ 
+     default:
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -841,6 +852,7 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
+     case SSL_REQUIRE_SAFE_NEGOTIATION: 
+                                   on = ssl_defaults.requireSafeNegotiation; 
+                                  break;
++    case SSL_ENABLE_FALSE_START:  on = ssl_defaults.enableFalseStart;   break;
+ 
+     default:
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -984,6 +996,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
+        ssl_defaults.requireSafeNegotiation = on;
+        break;
+ 
++      case SSL_ENABLE_FALSE_START:
++       ssl_defaults.enableFalseStart = on;
++       break;
++
+       default:
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+@@ -1255,9 +1271,83 @@ SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
+     return fd;
+ }
+ 
++/* SSL_SetNextProtoNego sets the list of supported protocols for the given
++ * socket. The list is a series of 8-bit, length prefixed strings. */
++SECStatus
++SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data,
++                    unsigned short length)
++{
++    sslSocket *ss = ssl_FindSocket(fd);
++
++    if (!ss) {
++       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", SSL_GETPID(),
++               fd));
++       return SECFailure;
++    }
++
++    if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess)
++       return SECFailure;
++
++    ssl_GetSSL3HandshakeLock(ss);
++    if (ss->opt.nextProtoNego.data)
++       PORT_Free(ss->opt.nextProtoNego.data);
++    ss->opt.nextProtoNego.data = PORT_Alloc(length);
++    if (!ss->opt.nextProtoNego.data) {
++       ssl_ReleaseSSL3HandshakeLock(ss);
++       return SECFailure;
++    }
++    memcpy(ss->opt.nextProtoNego.data, data, length);
++    ss->opt.nextProtoNego.len = length;
++    ss->opt.nextProtoNego.type = siBuffer;
++    ssl_ReleaseSSL3HandshakeLock(ss);
++
++    return SECSuccess;
++}
++
++/* SSL_GetNextProto reads the resulting Next Protocol Negotiation result for
++ * the given socket. It's only valid to call this once the handshake has
++ * completed.
++ *
++ * state is set to one of the SSL_NEXT_PROTO_* constants. The negotiated
++ * protocol, if any, is written into buf, which must be at least buf_len
++ * bytes long. If the negotiated protocol is longer than this, it is truncated.
++ * The number of bytes copied is written into length.
++ */
++SECStatus
++SSL_GetNextProto(PRFileDesc *fd, int *state, unsigned char *buf,
++                unsigned int *length, unsigned int buf_len)
++{
++    sslSocket *ss = ssl_FindSocket(fd);
++
++    if (!ss) {
++       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetNextProto", SSL_GETPID(),
++               fd));
++       return SECFailure;
++    }
++
++    *state = ss->ssl3.nextProtoState;
++
++    if (ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NO_SUPPORT &&
++       ss->ssl3.nextProto.data) {
++       *length = ss->ssl3.nextProto.len;
++       if (*length > buf_len)
++           *length = buf_len;
++       PORT_Memcpy(buf, ss->ssl3.nextProto.data, *length);
++    } else {
++       *length = 0;
++    }
++
++    return SECSuccess;
++}
++
+ PRFileDesc *
+ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
+ {
++    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
++    PR_NOT_REACHED("not implemented");
++    return NULL;
++
++#if 0
+     sslSocket * sm = NULL, *ss = NULL;
+     int i;
+     sslServerCerts * mc = sm->serverCerts;
+@@ -1360,6 +1450,7 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
+     return fd;
+ loser:
+     return NULL;
++#endif
+ }
+ 
+ /************************************************************************/
+diff --git a/mozilla/security/nss/lib/ssl/sslt.h b/mozilla/security/nss/lib/ssl/sslt.h
+index c7d4553..f6e0b62 100644
+--- a/mozilla/security/nss/lib/ssl/sslt.h
++++ b/mozilla/security/nss/lib/ssl/sslt.h
+@@ -203,9 +203,10 @@ typedef enum {
+     ssl_ec_point_formats_xtn         = 11,
+ #endif
+     ssl_session_ticket_xtn           = 35,
++    ssl_next_proto_neg_xtn           = 13172,
+     ssl_renegotiation_info_xtn       = 0xff01  /* experimental number */
+ } SSLExtensionType;
+ 
+-#define SSL_MAX_EXTENSIONS             5
++#define SSL_MAX_EXTENSIONS             6
+ 
+ #endif /* __sslt_h_ */
+diff --git a/mozilla/security/nss/tests/ssl/sslstress.txt b/mozilla/security/nss/tests/ssl/sslstress.txt
+index 9a3aae8..c2a5c76 100644
+--- a/mozilla/security/nss/tests/ssl/sslstress.txt
++++ b/mozilla/security/nss/tests/ssl/sslstress.txt
+@@ -42,9 +42,11 @@
+   noECC     0      _         -c_1000_-C_A                  Stress SSL2 RC4 128 with MD5
+   noECC     0      _         -c_1000_-C_c_-T               Stress SSL3 RC4 128 with MD5
+   noECC     0      _         -c_1000_-C_c                  Stress TLS  RC4 128 with MD5
++  noECC     0      _         -c_1000_-C_c_-h               Stress TLS  RC4 128 with MD5 (false start)
+   noECC     0      -u        -2_-c_1000_-C_c_-u            Stress TLS  RC4 128 with MD5 (session ticket)
+   noECC     0      -z        -2_-c_1000_-C_c_-z            Stress TLS  RC4 128 with MD5 (compression)
+   noECC     0      -u_-z     -2_-c_1000_-C_c_-u_-z         Stress TLS  RC4 128 with MD5 (session ticket, compression)
++  noECC     0      -u_-z     -2_-c_1000_-C_c_-u_-z_-h      Stress TLS  RC4 128 with MD5 (session ticket, compression, false start)
+   SNI       0      -u_-a_Host-sni.Dom -2_-3_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
+ 
+ #
+@@ -55,7 +57,9 @@
+   noECC     0      -r_-r     -c_100_-C_c_-N_-n_TestUser    Stress TLS RC4 128 with MD5 (no reuse, client auth)
+   noECC     0      -r_-r_-u  -2_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
+   noECC     0      -r_-r_-z  -2_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
++  noECC     0      -r_-r_-z  -2_-c_100_-C_c_-n_TestUser_-z_-h Stress TLS RC4 128 with MD5 (compression, client auth, false start)
+   noECC     0   -r_-r_-u_-z  -2_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
++  noECC     0   -r_-r_-u_-z  -2_-c_100_-C_c_-n_TestUser_-u_-z_-h Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
+   SNI       0   -r_-r_-u_-a_Host-sni.Dom -2_-3_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
+   SNI       0   -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -2_-3_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
+