Make SSL False Start work with asynchronous certificate validation

net/third_party/nss/ssl/sslsecur.c

 /*
  * Various SSL functions.
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "cert.h"
 #include "secitem.h"
 #include "keyhi.h"
 #include "ssl.h"
@@ skipping 81 matching lines @@
             ss->nextHandshake = 0;
         }
         if (ss->handshake == 0) {
             /* Previous handshake finished. Switch to security handshake */
             ss->handshake = ss->securityHandshake;
             ss->securityHandshake = 0;
         }
         if (ss->handshake == 0) {
             ssl_GetRecvBufLock(ss);
             ss->gs.recordLen = 0;
+            ss->gs.writeOffset = 0;
+            ss->gs.readOffset = 0;
             ssl_ReleaseRecvBufLock(ss);
 
             SSL_TRC(3, ("%d: SSL[%d]: handshake is completed",
                         SSL_GETPID(), ss->fd));
-            /* call handshake callback for ssl v2 */
-            /* for v3 this is done in ssl3_HandleFinished() */
-            if ((ss->handshakeCallback != NULL) && /* has callback */
-                (!ss->firstHsDone) &&              /* only first time */
-                (ss->version < SSL_LIBRARY_VERSION_3_0)) {  /* not ssl3 */
-                ss->firstHsDone     = PR_TRUE;
-                (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
-            }
-            ss->firstHsDone         = PR_TRUE;
-            ss->gs.writeOffset = 0;
-            ss->gs.readOffset  = 0;
             break;
         }
         rv = (*ss->handshake)(ss);
         ++loopCount;
     /* This code must continue to loop on SECWouldBlock, 
      * or any positive value.   See XXX_1 comments.
      */
     } while (rv != SECFailure);         /* was (rv >= 0); XXX_1 */
 
     PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
@@ skipping 72 matching lines @@
     if (!ss->opt.useSecurity)
         return SECSuccess;
 
     SSL_LOCK_READER(ss);
     SSL_LOCK_WRITER(ss);
 
     /* Reset handshake state */
     ssl_Get1stHandshakeLock(ss);
 
     ss->firstHsDone = PR_FALSE;
+    ss->enoughFirstHsDone = PR_FALSE;
     if ( asServer ) {
         ss->handshake = ssl2_BeginServerHandshake;
         ss->handshaking = sslHandshakingAsServer;
     } else {
         ss->handshake = ssl2_BeginClientHandshake;
         ss->handshaking = sslHandshakingAsClient;
     }
     ss->nextHandshake       = 0;
     ss->securityHandshake   = 0;
 
     ssl_GetRecvBufLock(ss);
     status = ssl_InitGather(&ss->gs);
     ssl_ReleaseRecvBufLock(ss);
 
     ssl_GetSSL3HandshakeLock(ss);
+    ss->ssl3.hs.canFalseStart = PR_FALSE;
+    ss->ssl3.hs.restartTarget = NULL;
 
     /*
     ** Blow away old security state and get a fresh setup.
     */
     ssl_GetXmitBufLock(ss); 
     ssl_ResetSecurityInfo(&ss->sec, PR_TRUE);
     status = ssl_CreateSecurityInfo(ss);
     ssl_ReleaseXmitBufLock(ss); 
 
     ssl_ReleaseSSL3HandshakeLock(ss);
@@ skipping 25 matching lines @@
         return SECFailure;
     }
 
     if (!ss->opt.useSecurity)
         return SECSuccess;
     
     ssl_Get1stHandshakeLock(ss);
 
     /* SSL v2 protocol does not support subsequent handshakes. */
     if (ss->version < SSL_LIBRARY_VERSION_3_0) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
         rv = SECFailure;
     } else {
         ssl_GetSSL3HandshakeLock(ss);
         rv = ssl3_RedoHandshake(ss, flushCache); /* force full handshake. */
         ssl_ReleaseSSL3HandshakeLock(ss);
     }
 
     ssl_Release1stHandshakeLock(ss);
 
     return rv;
@@ skipping 44 matching lines @@
 
     ss->handshakeCallback     = cb;
     ss->handshakeCallbackData = client_data;
 
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_Release1stHandshakeLock(ss);
 
     return SECSuccess;
 }
 
+/* Register an application callback to be called when false start may happen.
+** Acquires and releases HandshakeLock.
+*/
+SECStatus
+SSL_SetCanFalseStartCallback(PRFileDesc *fd, SSLCanFalseStartCallback cb,
+                             void *client_data)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCanFalseStartCallback",
+                 SSL_GETPID(), fd));
+        return SECFailure;
+    }
+
+    if (!ss->opt.useSecurity) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    ss->canFalseStartCallback     = cb;
+    ss->canFalseStartCallbackData = client_data;
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    ssl_Release1stHandshakeLock(ss);
+
+    return SECSuccess;
+}
+
+/* A utility function that can be called from a custom SSLCanFalseStartCallback
+** function to determine what NSS would have done for this connection if the
+** custom callback was not implemented.
+*/
+SECStatus
+SSL_DefaultCanFalseStart(PRFileDesc *fd, PRBool *canFalseStart)
+{
+    sslSocket *ss;
+
+    *canFalseStart = PR_FALSE;
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DefaultCanFalseStart",
+                 SSL_GETPID(), fd));
+        return SECFailure;
+    }
+
+    if (!ss->ssl3.initialized) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+        PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+        return SECFailure;
+    }
+
+    /* Require a forward-secret key exchange. */
+    *canFalseStart = ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
+                     ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
+                     ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
+                     ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa;
+
+    return SECSuccess;
+}
+
 /* Try to make progress on an SSL handshake by attempting to read the 
 ** next handshake from the peer, and sending any responses.
 ** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK  if it cannot 
 ** read the next handshake from the underlying socket.
 ** For SSLv2, returns when handshake is complete or fatal error occurs.
 ** For SSLv3, returns when handshake is complete, or application data has
 ** arrived that must be taken by application before handshake can continue, 
 ** or a fatal error occurs.
 ** Application should use handshake completion callback to tell which. 
 */
@@ skipping 844 matching lines @@
     }
 
     if (len > 0) 
         ss->writerThread = PR_GetCurrentThread();
     /* If any of these is non-zero, the initial handshake is not done. */
     if (!ss->firstHsDone) {
         PRBool canFalseStart = PR_FALSE;
         ssl_Get1stHandshakeLock(ss);
         if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
             ssl_GetSSL3HandshakeLock(ss);
-            if ((ss->ssl3.hs.ws == wait_change_cipher ||
-                ss->ssl3.hs.ws == wait_finished ||
-                ss->ssl3.hs.ws == wait_new_session_ticket) &&
-                ssl3_CanFalseStart(ss)) {
-                canFalseStart = PR_TRUE;
-            }
+            canFalseStart = ss->ssl3.hs.canFalseStart;
             ssl_ReleaseSSL3HandshakeLock(ss);
         }
         if (!canFalseStart &&
             (ss->handshake || ss->nextHandshake || ss->securityHandshake)) {
             rv = ssl_Do1stHandshake(ss);
         }
         ssl_Release1stHandshakeLock(ss);
     }
     if (rv < 0) {
         ss->writerThread = NULL;
@@ skipping 375 matching lines @@
     if (!ss) {
         SSL_DBG(("%d: SSL[%d]: bad socket in SNISocketConfigHook",
                  SSL_GETPID(), fd));
         return SECFailure;
     }
 
     ss->sniSocketConfig = func;
     ss->sniSocketConfigArg = arg;
     return SECSuccess;
 }