Update net/third_party/nss to NSS 3.15.4.

net/third_party/nss/patches/canfalsestart.patch

-Index: net/third_party/nss/ssl/ssl.h
-===================================================================
---- net/third_party/nss/ssl/ssl.h       (revision 227672)
-+++ net/third_party/nss/ssl/ssl.h       (working copy)
-@@ -121,14 +121,17 @@
- #define SSL_ENABLE_FALSE_START         22 /* Enable SSL false start (off by */
-                                           /* default, applies only to       */
-                                           /* clients). False start is a     */
--/* mode where an SSL client will start sending application data before      */
--/* verifying the server's Finished message. This means that we could end up */
--/* sending data to an imposter. However, the data will be encrypted and     */
--/* only the true server can derive the session key. Thus, so long as the    */
--/* cipher isn't broken this is safe. Because of this, False Start will only */
--/* occur on RSA or DH ciphersuites where the cipher's key length is >= 80   */
--/* bits. The advantage of False Start is that it saves a round trip for     */
--/* client-speaks-first protocols when performing a full handshake.          */
-+/* mode where an SSL client will start sending application data before
-+ * verifying the server's Finished message. This means that we could end up
-+ * sending data to an imposter. However, the data will be encrypted and
-+ * only the true server can derive the session key. Thus, so long as the
-+ * cipher isn't broken this is safe. The advantage of false start is that
-+ * it saves a round trip for client-speaks-first protocols when performing a
-+ * full handshake.
-+ *
-+ * In addition to enabling this option, the application must register a
-+ * callback using the SSL_SetCanFalseStartCallback function.
-+ */
- 
- /* For SSL 3.0 and TLS 1.0, by default we prevent chosen plaintext attacks
-  * on SSL CBC mode cipher suites (see RFC 4346 Section F.3) by splitting
-@@ -741,14 +744,45 @@
- SSL_IMPORT SECStatus SSL_InheritMPServerSIDCache(const char * envString);
- 
- /*
--** Set the callback on a particular socket that gets called when we finish
--** performing a handshake.
-+** Set the callback that gets called when a TLS handshake is complete. The
-+** handshake callback is called after verifying the peer's Finished message and
-+** before processing incoming application data.
-+**
-+** For the initial handshake: If the handshake false started (see
-+** SSL_ENABLE_FALSE_START), then application data may already have been sent
-+** before the handshake callback is called. If we did not false start then the
-+** callback will get called before any application data is sent.
- */
- typedef void (PR_CALLBACK *SSLHandshakeCallback)(PRFileDesc *fd,
-                                                  void *client_data);
- SSL_IMPORT SECStatus SSL_HandshakeCallback(PRFileDesc *fd, 
-                                  SSLHandshakeCallback cb, void *client_data);
- 
-+/* Applications that wish to enable TLS false start must set this callback
-+** function. NSS will invoke the functon to determine if a particular
-+** connection should use false start or not. SECSuccess indicates that the
-+** callback completed successfully, and if so *canFalseStart indicates if false
-+** start can be used. If the callback does not return SECSuccess then the
-+** handshake will be canceled. NSS's recommended criteria can be evaluated by
-+** calling SSL_RecommendedCanFalseStart.
-+**
-+** If no false start callback is registered then false start will never be
-+** done, even if the SSL_ENABLE_FALSE_START option is enabled.
-+**/
-+typedef SECStatus (PR_CALLBACK *SSLCanFalseStartCallback)(
-+    PRFileDesc *fd, void *arg, PRBool *canFalseStart);
-+
-+SSL_IMPORT SECStatus SSL_SetCanFalseStartCallback(
-+    PRFileDesc *fd, SSLCanFalseStartCallback callback, void *arg);
-+
-+/* This function sets *canFalseStart according to the recommended criteria for
-+** false start. These criteria may change from release to release and may depend
-+** on which handshake features have been negotiated and/or properties of the
-+** certifciates/keys used on the connection.
-+*/
-+SSL_IMPORT SECStatus SSL_RecommendedCanFalseStart(PRFileDesc *fd,
-+                                                  PRBool *canFalseStart);
-+
- /*
- ** For the server, request a new handshake.  For the client, begin a new
- ** handshake.  If flushCache is non-zero, the SSL3 cache entry will be 
-Index: net/third_party/nss/ssl/ssl3con.c
-===================================================================
---- net/third_party/nss/ssl/ssl3con.c   (revision 227672)
-+++ net/third_party/nss/ssl/ssl3con.c   (working copy)
-@@ -2890,7 +2890,7 @@
-     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
-                SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
-                nIn));
--    PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
-+    PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn));
- 
-     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
- 
-@@ -7344,36 +7344,72 @@
-     return rv;
- }
- 
-+static SECStatus
-+ssl3_CheckFalseStart(sslSocket *ss)
-+{
-+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-+    PORT_Assert( !ss->ssl3.hs.authCertificatePending );
-+    PORT_Assert( !ss->ssl3.hs.canFalseStart );
-+
-+    if (!ss->canFalseStartCallback) {
-+       SSL_TRC(3, ("%d: SSL[%d]: no false start callback so no false start",
-+                   SSL_GETPID(), ss->fd));
-+    } else {
-+       PRBool maybeFalseStart;
-+       SECStatus rv;
-+
-+       /* An attacker can control the selected ciphersuite so we only wish to
-+        * do False Start in the case that the selected ciphersuite is
-+        * sufficiently strong that the attack can gain no advantage.
-+        * Therefore we always require an 80-bit cipher. */
-+        ssl_GetSpecReadLock(ss);
-+        maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10;
-+        ssl_ReleaseSpecReadLock(ss);
-+
-+       if (!maybeFalseStart) {
-+           SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher",
-+                       SSL_GETPID(), ss->fd));
-+       } else {
-+           rv = (ss->canFalseStartCallback)(ss->fd,
-+                                            ss->canFalseStartCallbackData,
-+                                            &ss->ssl3.hs.canFalseStart);
-+           if (rv == SECSuccess) {
-+               SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s",
-+                           SSL_GETPID(), ss->fd,
-+                           ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE"));
-+           } else {
-+               SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)",
-+                           SSL_GETPID(), ss->fd,
-+                           PR_ErrorToName(PR_GetError())));
-+           }
-+           return rv;
-+       }
-+    }
-+
-+    ss->ssl3.hs.canFalseStart = PR_FALSE;
-+    return SECSuccess;
-+}
-+
- PRBool
--ssl3_CanFalseStart(sslSocket *ss) {
--    PRBool rv;
-+ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss)
-+{
-+    PRBool result;
- 
-     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
- 
--    /* XXX: does not take into account whether we are waiting for
--     * SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when
--     * that is done, this function could return different results each time it
--     * would be called.
--     */
-+    switch (ss->ssl3.hs.ws) {
-+    case wait_new_session_ticket:
-+        result = PR_TRUE;
-+        break;
-+    case wait_change_cipher:
-+        result = !ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn);
-+        break;
-+    default:
-+        result = PR_FALSE;
-+        break;
-+    }
- 
--    ssl_GetSpecReadLock(ss);
--    rv = ss->opt.enableFalseStart &&
--        !ss->sec.isServer &&
--        !ss->ssl3.hs.isResuming &&
--        ss->ssl3.cwSpec &&
--
--        /* An attacker can control the selected ciphersuite so we only wish to
--         * do False Start in the case that the selected ciphersuite is
--         * sufficiently strong that the attack can gain no advantage.
--         * Therefore we require an 80-bit cipher and a forward-secret key
--         * exchange. */
--        ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
--       (ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
--        ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
--        ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
--        ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
--    ssl_ReleaseSpecReadLock(ss);
--    return rv;
-+    return result;
- }
- 
- static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);
-@@ -7463,6 +7499,9 @@
-     }
-     if (ss->ssl3.hs.authCertificatePending &&
-        (sendClientCert || ss->ssl3.sendEmptyCert || ss->firstHsDone)) {
-+       SSL_TRC(3, ("%d: SSL3[%p]: deferring ssl3_SendClientSecondRound because"
-+                   " certificate authentication is still pending.",
-+                   SSL_GETPID(), ss->fd));
-        ss->ssl3.hs.restartTarget = ssl3_SendClientSecondRound;
-        return SECWouldBlock;
-     }
-@@ -7500,20 +7539,59 @@
-        goto loser;     /* err code was set. */
-     }
- 
--    /* XXX: If the server's certificate hasn't been authenticated by this
--     * point, then we may be leaking this NPN message to an attacker.
-+    /* This must be done after we've set ss->ssl3.cwSpec in
-+     * ssl3_SendChangeCipherSpecs because SSL_GetChannelInfo uses information
-+     * from cwSpec. This must be done before we call ssl3_CheckFalseStart
-+     * because the false start callback (if any) may need the information from
-+     * the functions that depend on this being set.
-      */
-+    ss->enoughFirstHsDone = PR_TRUE;
-+
-     if (!ss->firstHsDone) {
-+       /* XXX: If the server's certificate hasn't been authenticated by this
-+        * point, then we may be leaking this NPN message to an attacker.
-+        */
-        rv = ssl3_SendNextProto(ss);
-        if (rv != SECSuccess) {
-            goto loser; /* err code was set. */
-        }
-     }
-+
-     rv = ssl3_SendEncryptedExtensions(ss);
-     if (rv != SECSuccess) {
-        goto loser; /* err code was set. */
-     }
- 
-+    if (!ss->firstHsDone) {
-+       if (ss->opt.enableFalseStart) {
-+           if (!ss->ssl3.hs.authCertificatePending) {
-+               /* When we fix bug 589047, we will need to know whether we are
-+                * false starting before we try to flush the client second
-+                * round to the network. With that in mind, we purposefully
-+                * call ssl3_CheckFalseStart before calling ssl3_SendFinished,
-+                * which includes a call to ssl3_FlushHandshake, so that
-+                * no application develops a reliance on such flushing being
-+                * done before its false start callback is called.
-+                */
-+               ssl_ReleaseXmitBufLock(ss);
-+               rv = ssl3_CheckFalseStart(ss);
-+               ssl_GetXmitBufLock(ss);
-+               if (rv != SECSuccess) {
-+                   goto loser;
-+               }
-+           } else {
-+               /* The certificate authentication and the server's Finished
-+                * message are racing each other. If the certificate
-+                * authentication wins, then we will try to false start in
-+                * ssl3_AuthCertificateComplete.
-+                */
-+               SSL_TRC(3, ("%d: SSL3[%p]: deferring false start check because"
-+                           " certificate authentication is still pending.",
-+                           SSL_GETPID(), ss->fd));
-+           }
-+       }
-+    }
-+
-     rv = ssl3_SendFinished(ss, 0);
-     if (rv != SECSuccess) {
-        goto loser;     /* err code was set. */
-@@ -7526,10 +7604,7 @@
-     else
-        ss->ssl3.hs.ws = wait_change_cipher;
- 
--    /* Do the handshake callback for sslv3 here, if we can false start. */
--    if (ss->handshakeCallback != NULL && ssl3_CanFalseStart(ss)) {
--       (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
--    }
-+    PORT_Assert(ssl3_WaitingForStartOfServerSecondRound(ss));
- 
-     return SECSuccess;
- 
-@@ -10147,13 +10222,6 @@
- 
-            ss->ssl3.hs.authCertificatePending = PR_TRUE;
-            rv = SECSuccess;
--
--           /* XXX: Async cert validation and False Start don't work together
--            * safely yet; if we leave False Start enabled, we may end up false
--            * starting (sending application data) before we
--            * SSL_AuthCertificateComplete has been called.
--            */
--           ss->opt.enableFalseStart = PR_FALSE;
-        }
- 
-        if (rv != SECSuccess) {
-@@ -10278,6 +10346,12 @@
-     } else if (ss->ssl3.hs.restartTarget != NULL) {
-        sslRestartTarget target = ss->ssl3.hs.restartTarget;
-        ss->ssl3.hs.restartTarget = NULL;
-+
-+       if (target == ssl3_FinishHandshake) {
-+           SSL_TRC(3,("%d: SSL3[%p]: certificate authentication lost the race"
-+                      " with peer's finished message", SSL_GETPID(), ss->fd));
-+       }
-+
-        rv = target(ss);
-        /* Even if we blocked here, we have accomplished enough to claim
-         * success. Any remaining work will be taken care of by subsequent
-@@ -10287,7 +10361,27 @@
-            rv = SECSuccess;
-        }
-     } else {
--       rv = SECSuccess;
-+       SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race with"
-+                   " peer's finished message", SSL_GETPID(), ss->fd));
-+
-+       PORT_Assert(!ss->firstHsDone);
-+       PORT_Assert(!ss->sec.isServer);
-+       PORT_Assert(!ss->ssl3.hs.isResuming);
-+       PORT_Assert(ss->ssl3.hs.ws != idle_handshake);
-+
-+       if (ss->opt.enableFalseStart &&
-+           !ss->firstHsDone &&
-+           !ss->sec.isServer &&
-+           !ss->ssl3.hs.isResuming &&
-+           ssl3_WaitingForStartOfServerSecondRound(ss)) {
-+           /* ssl3_SendClientSecondRound deferred the false start check because
-+            * certificate authentication was pending, so we do it now if we still
-+            * haven't received any of the server's second round yet.
-+            */
-+           rv = ssl3_CheckFalseStart(ss);
-+       } else {
-+           rv = SECSuccess;
-+       }
-     }
- 
- done:
-@@ -10913,9 +11007,6 @@
-         return rv;
-     }
- 
--    ss->gs.writeOffset = 0;
--    ss->gs.readOffset  = 0;
--
-     if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
-        effectiveExchKeyType = kt_rsa;
-     } else {
-@@ -10980,6 +11071,9 @@
-     return rv;
- }
- 
-+/* The return type is SECStatus instead of void because this function needs
-+ * to have type sslRestartTarget.
-+ */
- SECStatus
- ssl3_FinishHandshake(sslSocket * ss)
- {
-@@ -10989,19 +11083,16 @@
- 
-     /* The first handshake is now completed. */
-     ss->handshake           = NULL;
--    ss->firstHsDone         = PR_TRUE;
- 
-     if (ss->ssl3.hs.cacheSID) {
-        (*ss->sec.cache)(ss->sec.ci.sid);
-        ss->ssl3.hs.cacheSID = PR_FALSE;
-     }
- 
-+    ss->ssl3.hs.canFalseStart = PR_FALSE; /* False Start phase is complete */
-     ss->ssl3.hs.ws = idle_handshake;
- 
--    /* Do the handshake callback for sslv3 here, if we cannot false start. */
--    if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) {
--       (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
--    }
-+    ssl_FinishHandshake(ss);
- 
-     return SECSuccess;
- }
-@@ -11966,7 +12057,6 @@
- 
-     ssl_ReleaseSSL3HandshakeLock(ss);
-     return rv;
--
- }
- 
- /*
-Index: net/third_party/nss/ssl/ssl3gthr.c
-===================================================================
---- net/third_party/nss/ssl/ssl3gthr.c  (revision 227672)
-+++ net/third_party/nss/ssl/ssl3gthr.c  (working copy)
-@@ -275,11 +275,17 @@
- {
-     SSL3Ciphertext cText;
-     int            rv;
--    PRBool         canFalseStart = PR_FALSE;
-+    PRBool         keepGoing = PR_TRUE;
- 
-     SSL_TRC(30, ("ssl3_GatherCompleteHandshake"));
- 
-+    /* ssl3_HandleRecord may end up eventually calling ssl_FinishHandshake,
-+     * which requires the 1stHandshakeLock, which must be acquired before the
-+     * RecvBufLock.
-+     */
-+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-+
-     do {
-        PRBool handleRecordNow = PR_FALSE;
- 
-@@ -364,24 +370,52 @@
- 
-            cText.buf     = &ss->gs.inbuf;
-            rv = ssl3_HandleRecord(ss, &cText, &ss->gs.buf);
-+
-+           if (rv == (int) SECSuccess && ss->gs.buf.len > 0) {
-+               /* We have application data to return to the application. This
-+                * prioritizes returning application data to the application over
-+                * completing any renegotiation handshake we may be doing.
-+                */
-+               PORT_Assert(ss->firstHsDone);
-+               PORT_Assert(cText.type == content_application_data);
-+               break;
-+           }
-        }
-        if (rv < 0) {
-            return ss->recvdCloseNotify ? 0 : rv;
-        }
- 
--       /* If we kicked off a false start in ssl3_HandleServerHelloDone, break
--        * out of this loop early without finishing the handshake.
--        */
--       if (ss->opt.enableFalseStart) {
--           ssl_GetSSL3HandshakeLock(ss);
--           canFalseStart = (ss->ssl3.hs.ws == wait_change_cipher ||
--                            ss->ssl3.hs.ws == wait_new_session_ticket) &&
--                           ssl3_CanFalseStart(ss);
--           ssl_ReleaseSSL3HandshakeLock(ss);
-+       PORT_Assert(keepGoing);
-+       ssl_GetSSL3HandshakeLock(ss);
-+       if (ss->ssl3.hs.ws == idle_handshake) {
-+           /* We are done with the current handshake so stop trying to
-+            * handshake. Note that it would be safe to test ss->firstHsDone
-+            * instead of ss->ssl3.hs.ws. By testing ss->ssl3.hs.ws instead,
-+            * we prioritize completing a renegotiation handshake over sending
-+            * application data.
-+            */
-+           PORT_Assert(ss->firstHsDone);
-+           PORT_Assert(!ss->ssl3.hs.canFalseStart);
-+           keepGoing = PR_FALSE;
-+       } else if (ss->ssl3.hs.canFalseStart) {
-+           /* Prioritize sending application data over trying to complete
-+            * the handshake if we're false starting.
-+            *
-+            * If we were to do this check at the beginning of the loop instead
-+            * of here, then this function would become be a no-op after
-+            * receiving the ServerHelloDone in the false start case, and we
-+            * would never complete the handshake.
-+            */
-+           PORT_Assert(!ss->firstHsDone);
-+
-+           if (ssl3_WaitingForStartOfServerSecondRound(ss)) {
-+               keepGoing = PR_FALSE;
-+           } else {
-+               ss->ssl3.hs.canFalseStart = PR_FALSE;
-+           }
-        }
--    } while (ss->ssl3.hs.ws != idle_handshake &&
--             !canFalseStart &&
--             ss->gs.buf.len == 0);
-+       ssl_ReleaseSSL3HandshakeLock(ss);
-+    } while (keepGoing);
- 
-     ss->gs.readOffset = 0;
-     ss->gs.writeOffset = ss->gs.buf.len;
-@@ -404,7 +438,10 @@
- {
-     int            rv;
- 
-+    /* ssl3_GatherCompleteHandshake requires both of these locks. */
-+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-+
-     do {
-        rv = ssl3_GatherCompleteHandshake(ss, flags);
-     } while (rv > 0 && ss->gs.buf.len == 0);
-Index: net/third_party/nss/ssl/sslauth.c
-===================================================================
---- net/third_party/nss/ssl/sslauth.c   (revision 227672)
-+++ net/third_party/nss/ssl/sslauth.c   (working copy)
-@@ -100,7 +100,6 @@
-     sslSocket *ss;
-     const char *cipherName;
-     PRBool isDes = PR_FALSE;
--    PRBool enoughFirstHsDone = PR_FALSE;
- 
-     ss = ssl_FindSocket(fd);
-     if (!ss) {
-@@ -118,14 +117,7 @@
-        *op = SSL_SECURITY_STATUS_OFF;
-     }
- 
--    if (ss->firstHsDone) {
--       enoughFirstHsDone = PR_TRUE;
--    } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
--              ssl3_CanFalseStart(ss)) {
--       enoughFirstHsDone = PR_TRUE;
--    }
--
--    if (ss->opt.useSecurity && enoughFirstHsDone) {
-+    if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
-        if (ss->version < SSL_LIBRARY_VERSION_3_0) {
-            cipherName = ssl_cipherName[ss->sec.cipherType];
-        } else {
-Index: net/third_party/nss/ssl/sslimpl.h
-===================================================================
---- net/third_party/nss/ssl/sslimpl.h   (revision 227672)
-+++ net/third_party/nss/ssl/sslimpl.h   (working copy)
-@@ -881,6 +881,8 @@
-     /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
-     PRBool                cacheSID;
- 
-+    PRBool                canFalseStart;   /* Can/did we False Start */
-+
-     /* clientSigAndHash contains the contents of the signature_algorithms
-      * extension (if any) from the client. This is only valid for TLS 1.2
-      * or later. */
-@@ -1162,6 +1164,10 @@
-     unsigned long    clientAuthRequested;
-     unsigned long    delayDisabled;       /* Nagle delay disabled */
-     unsigned long    firstHsDone;         /* first handshake is complete. */
-+    unsigned long    enoughFirstHsDone;   /* enough of the first handshake is
-+                                          * done for callbacks to be able to
-+                                          * retrieve channel security
-+                                          * parameters from the SSL socket. */
-     unsigned long    handshakeBegun;     
-     unsigned long    lastWriteBlocked;   
-     unsigned long    recvdCloseNotify;    /* received SSL EOF. */
-@@ -1210,6 +1216,8 @@
-     void                     *badCertArg;
-     SSLHandshakeCallback      handshakeCallback;
-     void                     *handshakeCallbackData;
-+    SSLCanFalseStartCallback  canFalseStartCallback;
-+    void                     *canFalseStartCallbackData;
-     void                     *pkcs11PinArg;
-     SSLNextProtoCallback      nextProtoCallback;
-     void                     *nextProtoArg;
-@@ -1423,7 +1431,19 @@
- 
- extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
- 
--extern PRBool    ssl3_CanFalseStart(sslSocket *ss);
-+extern void      ssl_FinishHandshake(sslSocket *ss);
-+
-+/* Returns PR_TRUE if we are still waiting for the server to respond to our
-+ * client second round. Once we've received any part of the server's second
-+ * round then we don't bother trying to false start since it is almost always
-+ * the case that the NewSessionTicket, ChangeCipherSoec, and Finished messages
-+ * were sent in the same packet and we want to process them all at the same
-+ * time. If we were to try to false start in the middle of the server's second
-+ * round, then we would increase the number of I/O operations
-+ * (SSL_ForceHandshake/PR_Recv/PR_Send/etc.) needed to finish the handshake.
-+ */
-+extern PRBool    ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss);
-+
- extern SECStatus
- ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
-                              PRBool             isServer,
-Index: net/third_party/nss/ssl/sslinfo.c
-===================================================================
---- net/third_party/nss/ssl/sslinfo.c   (revision 227672)
-+++ net/third_party/nss/ssl/sslinfo.c   (working copy)
-@@ -26,7 +26,6 @@
-     sslSocket *      ss;
-     SSLChannelInfo   inf;
-     sslSessionID *   sid;
--    PRBool           enoughFirstHsDone = PR_FALSE;
- 
-     if (!info || len < sizeof inf.length) { 
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -43,14 +42,7 @@
-     memset(&inf, 0, sizeof inf);
-     inf.length = PR_MIN(sizeof inf, len);
- 
--    if (ss->firstHsDone) {
--       enoughFirstHsDone = PR_TRUE;
--    } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
--              ssl3_CanFalseStart(ss)) {
--       enoughFirstHsDone = PR_TRUE;
--    }
--
--    if (ss->opt.useSecurity && enoughFirstHsDone) {
-+    if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
-         sid = ss->sec.ci.sid;
-        inf.protocolVersion  = ss->version;
-        inf.authKeyBits      = ss->sec.authKeyBits;
-Index: net/third_party/nss/ssl/sslsecur.c
-===================================================================
---- net/third_party/nss/ssl/sslsecur.c  (revision 227672)
-+++ net/third_party/nss/ssl/sslsecur.c  (working copy)
-@@ -97,23 +97,13 @@
-            ss->securityHandshake = 0;
-        }
-        if (ss->handshake == 0) {
--           ssl_GetRecvBufLock(ss);
--           ss->gs.recordLen = 0;
--           ssl_ReleaseRecvBufLock(ss);
--
--           SSL_TRC(3, ("%d: SSL[%d]: handshake is completed",
--                       SSL_GETPID(), ss->fd));
--            /* call handshake callback for ssl v2 */
--           /* for v3 this is done in ssl3_HandleFinished() */
--           if ((ss->handshakeCallback != NULL) && /* has callback */
--               (!ss->firstHsDone) &&              /* only first time */
--               (ss->version < SSL_LIBRARY_VERSION_3_0)) {  /* not ssl3 */
--               ss->firstHsDone     = PR_TRUE;
--               (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
-+           /* for v3 this is done in ssl3_FinishHandshake */
-+           if (!ss->firstHsDone && ss->version < SSL_LIBRARY_VERSION_3_0) {
-+               ssl_GetRecvBufLock(ss);
-+               ss->gs.recordLen = 0;
-+               ssl_FinishHandshake(ss);
-+               ssl_ReleaseRecvBufLock(ss);
-            }
--           ss->firstHsDone         = PR_TRUE;
--           ss->gs.writeOffset = 0;
--           ss->gs.readOffset  = 0;
-            break;
-        }
-        rv = (*ss->handshake)(ss);
-@@ -134,6 +124,24 @@
-     return rv;
- }
- 
-+void
-+ssl_FinishHandshake(sslSocket *ss)
-+{
-+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-+
-+    SSL_TRC(3, ("%d: SSL[%d]: handshake is completed", SSL_GETPID(), ss->fd));
-+
-+    ss->firstHsDone = PR_TRUE;
-+    ss->enoughFirstHsDone = PR_TRUE;
-+    ss->gs.writeOffset = 0;
-+    ss->gs.readOffset  = 0;
-+
-+    if (ss->handshakeCallback) {
-+       (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
-+    }
-+}
-+
- /*
-  * Handshake function that blocks.  Used to force a
-  * retry on a connection on the next read/write.
-@@ -206,6 +214,7 @@
-     ssl_Get1stHandshakeLock(ss);
- 
-     ss->firstHsDone = PR_FALSE;
-+    ss->enoughFirstHsDone = PR_FALSE;
-     if ( asServer ) {
-        ss->handshake = ssl2_BeginServerHandshake;
-        ss->handshaking = sslHandshakingAsServer;
-@@ -221,6 +230,8 @@
-     ssl_ReleaseRecvBufLock(ss);
- 
-     ssl_GetSSL3HandshakeLock(ss);
-+    ss->ssl3.hs.canFalseStart = PR_FALSE;
-+    ss->ssl3.hs.restartTarget = NULL;
- 
-     /*
-     ** Blow away old security state and get a fresh setup.
-@@ -331,6 +342,71 @@
-     return SECSuccess;
- }
- 
-+/* Register an application callback to be called when false start may happen.
-+** Acquires and releases HandshakeLock.
-+*/
-+SECStatus
-+SSL_SetCanFalseStartCallback(PRFileDesc *fd, SSLCanFalseStartCallback cb,
-+                            void *arg)
-+{
-+    sslSocket *ss;
-+
-+    ss = ssl_FindSocket(fd);
-+    if (!ss) {
-+       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCanFalseStartCallback",
-+                SSL_GETPID(), fd));
-+       return SECFailure;
-+    }
-+
-+    if (!ss->opt.useSecurity) {
-+       PORT_SetError(SEC_ERROR_INVALID_ARGS);
-+       return SECFailure;
-+    }
-+
-+    ssl_Get1stHandshakeLock(ss);
-+    ssl_GetSSL3HandshakeLock(ss);
-+
-+    ss->canFalseStartCallback     = cb;
-+    ss->canFalseStartCallbackData = arg;
-+
-+    ssl_ReleaseSSL3HandshakeLock(ss);
-+    ssl_Release1stHandshakeLock(ss);
-+
-+    return SECSuccess;
-+}
-+
-+SECStatus
-+SSL_RecommendedCanFalseStart(PRFileDesc *fd, PRBool *canFalseStart)
-+{
-+    sslSocket *ss;
-+
-+    *canFalseStart = PR_FALSE;
-+    ss = ssl_FindSocket(fd);
-+    if (!ss) {
-+       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_RecommendedCanFalseStart",
-+                SSL_GETPID(), fd));
-+       return SECFailure;
-+    }
-+
-+    if (!ss->ssl3.initialized) {
-+       PORT_SetError(SEC_ERROR_INVALID_ARGS);
-+       return SECFailure;
-+    }
-+
-+    if (ss->version < SSL_LIBRARY_VERSION_3_0) {
-+       PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
-+       return SECFailure;
-+    }
-+
-+    /* Require a forward-secret key exchange. */
-+    *canFalseStart = ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
-+                    ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
-+                    ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
-+                    ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa;
-+
-+    return SECSuccess;
-+}
-+
- /* Try to make progress on an SSL handshake by attempting to read the 
- ** next handshake from the peer, and sending any responses.
- ** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK  if it cannot 
-@@ -524,6 +600,9 @@
-     int              amount;
-     int              available;
- 
-+    /* ssl3_GatherAppDataRecord may call ssl_FinishHandshake, which needs the
-+     * 1stHandshakeLock. */
-+    ssl_Get1stHandshakeLock(ss);
-     ssl_GetRecvBufLock(ss);
- 
-     available = ss->gs.writeOffset - ss->gs.readOffset;
-@@ -590,6 +669,7 @@
- 
- done:
-     ssl_ReleaseRecvBufLock(ss);
-+    ssl_Release1stHandshakeLock(ss);
-     return rv;
- }
- 
-@@ -1156,7 +1236,8 @@
- int
- ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
- {
--    int              rv                = 0;
-+    int rv = 0;
-+    PRBool falseStart = PR_FALSE;
- 
-     SSL_TRC(2, ("%d: SSL[%d]: SecureSend: sending %d bytes",
-                SSL_GETPID(), ss->fd, len));
-@@ -1191,19 +1272,14 @@
-        ss->writerThread = PR_GetCurrentThread();
-     /* If any of these is non-zero, the initial handshake is not done. */
-     if (!ss->firstHsDone) {
--       PRBool canFalseStart = PR_FALSE;
-        ssl_Get1stHandshakeLock(ss);
--       if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
-+       if (ss->opt.enableFalseStart &&
-+           ss->version >= SSL_LIBRARY_VERSION_3_0) {
-            ssl_GetSSL3HandshakeLock(ss);
--           if ((ss->ssl3.hs.ws == wait_change_cipher ||
--               ss->ssl3.hs.ws == wait_finished ||
--               ss->ssl3.hs.ws == wait_new_session_ticket) &&
--               ssl3_CanFalseStart(ss)) {
--               canFalseStart = PR_TRUE;
--           }
-+           falseStart = ss->ssl3.hs.canFalseStart;
-            ssl_ReleaseSSL3HandshakeLock(ss);
-        }
--       if (!canFalseStart &&
-+       if (!falseStart &&
-            (ss->handshake || ss->nextHandshake || ss->securityHandshake)) {
-            rv = ssl_Do1stHandshake(ss);
-        }
-@@ -1228,6 +1304,17 @@
-        goto done;
-     }
- 
-+    if (!ss->firstHsDone) {
-+       PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_3_0);
-+#ifdef DEBUG
-+       ssl_GetSSL3HandshakeLock(ss);
-+       PORT_Assert(ss->ssl3.hs.canFalseStart);
-+       ssl_ReleaseSSL3HandshakeLock(ss);
-+#endif
-+       SSL_TRC(3, ("%d: SSL[%d]: SecureSend: sending data due to false start",
-+                   SSL_GETPID(), ss->fd));
-+    }
-+
-     /* Send out the data using one of these functions:
-      * ssl2_SendClear, ssl2_SendStream, ssl2_SendBlock, 
-      *  ssl3_SendApplicationData
-Index: net/third_party/nss/ssl/sslsock.c
-===================================================================
---- net/third_party/nss/ssl/sslsock.c   (revision 227672)
-+++ net/third_party/nss/ssl/sslsock.c   (working copy)
-@@ -366,6 +366,8 @@
-            ss->badCertArg            = os->badCertArg;
-            ss->handshakeCallback     = os->handshakeCallback;
-            ss->handshakeCallbackData = os->handshakeCallbackData;
-+           ss->canFalseStartCallback = os->canFalseStartCallback;
-+           ss->canFalseStartCallbackData = os->canFalseStartCallbackData;
-            ss->pkcs11PinArg          = os->pkcs11PinArg;
-            ss->getChannelID          = os->getChannelID;
-            ss->getChannelIDArg       = os->getChannelIDArg;
-@@ -2457,10 +2459,14 @@
-            } else if (new_flags & PR_POLL_WRITE) {
-                    /* The caller is trying to write, but the handshake is 
-                    ** blocked waiting for data to read, and the first 
--                   ** handshake has been sent.  so do NOT to poll on write.
-+                   ** handshake has been sent.  So do NOT to poll on write
-+                   ** unless we did false start.
-                    */
--                   new_flags ^=  PR_POLL_WRITE;   /* don't select on write. */
--                   new_flags |=  PR_POLL_READ;    /* do    select on read. */
-+                   if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 &&
-+                       ss->ssl3.hs.canFalseStart)) {
-+                       new_flags ^= PR_POLL_WRITE; /* don't select on write. */
-+                   }
-+                   new_flags |= PR_POLL_READ;      /* do    select on read. */
-            }
-        }
-     } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {