Make SSL False Start work with asynchronous certificate validation

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ skipping 2797 matching lines @@
                    PRInt32            flags)
 {
     sslBuffer      *          wrBuf       = &ss->sec.writeBuf;
     SECStatus                 rv;
     PRInt32                   totalSent   = 0;
     PRBool                    capRecordVersion;
 
     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
                 SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
                 nIn));
-    PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
+    PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn));

[agl, 2013/09/13 15:03:29]

This seems to be an unrelated change.

[wtc, 2013/09/18 22:57:23]

Done.

 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     capRecordVersion = ((flags & ssl_SEND_FLAG_CAP_RECORD_VERSION) != 0);
 
     if (capRecordVersion) {
         /* ssl_SEND_FLAG_CAP_RECORD_VERSION can only be used with the
          * TLS initial ClientHello. */
         PORT_Assert(!IS_DTLS(ss));
         PORT_Assert(!ss->firstHsDone);
@@ skipping 4430 matching lines @@
         }
         if (certChain) {
             CERT_DestroyCertificateList(certChain);
         }
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         rv = SECFailure;
     }
     return rv;
 }
 
-PRBool
-ssl3_CanFalseStart(sslSocket *ss) {
-    PRBool rv;
+static SECStatus
+ssl3_CheckFalseStart(sslSocket *ss)
+{
+    SECStatus rv;
+    PRBool maybeFalseStart = PR_TRUE;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( !ss->ssl3.hs.authCertificatePending );
 
-    /* XXX: does not take into account whether we are waiting for
-     * SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when
-     * that is done, this function could return different results each time it
-     * would be called.
-     */
+    /* An attacker can control the selected ciphersuite so we only wish to
+     * do False Start in the case that the selected ciphersuite is
+     * sufficiently strong that the attack can gain no advantage.
+     * Therefore we always require an 80-bit cipher. */
 
     ssl_GetSpecReadLock(ss);
-    rv = ss->opt.enableFalseStart &&
-         !ss->sec.isServer &&
-         !ss->ssl3.hs.isResuming &&
-         ss->ssl3.cwSpec &&
+    if (ss->ssl3.cwSpec->cipher_def->secret_key_size < 10) {
+        ss->ssl3.hs.canFalseStart = PR_FALSE;
+        maybeFalseStart = PR_FALSE;
+    }
+    ssl_ReleaseSpecReadLock(ss);
+    if (!maybeFalseStart) {
+        return SECSuccess;
+    }
 
-         /* An attacker can control the selected ciphersuite so we only wish to
-          * do False Start in the case that the selected ciphersuite is
-          * sufficiently strong that the attack can gain no advantage.
-          * Therefore we require an 80-bit cipher and a forward-secret key
-          * exchange. */
-         ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
-        (ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
-         ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
-         ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
-         ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
-    ssl_ReleaseSpecReadLock(ss);
+    if (!ss->canFalseStartCallback) {
+        rv = SSL_DefaultCanFalseStart(ss->fd, &ss->ssl3.hs.canFalseStart);
+    } else {
+        rv = (ss->canFalseStartCallback)(ss->fd,
+                                         ss->canFalseStartCallbackData,
+                                         &ss->ssl3.hs.canFalseStart);
+    }
+
+    if (rv != SECSuccess) {
+        ss->ssl3.hs.canFalseStart = PR_FALSE;
+    }
+
     return rv;
 }
 
 static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 Server Hello Done message.
  * Caller must hold Handshake and RecvBuf locks.
  */
 static SECStatus
 ssl3_HandleServerHelloDone(sslSocket *ss)
 {
     SECStatus     rv;
     SSL3WaitState ws          = ss->ssl3.hs.ws;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake",
                 SSL_GETPID(), ss->fd));
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (ws != wait_hello_done  &&
         ws != wait_server_cert &&
         ws != wait_server_key  &&
         ws != wait_cert_request) {
         SSL3_SendAlert(ss, alert_fatal, unexpected_message);
         PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
         return SECFailure;
     }
 
+    ss->enoughFirstHsDone = PR_TRUE;

[wtc, 2013/09/18 22:57:23]

I think we need to wait until we have called ssl3_SendChangeCipherSpecs to set
ss->enoughFirstHsDone to PR_TRUE because SSL_GetChannelInfo requires
ss->ssl3.cwSpec to have been updated.

     rv = ssl3_SendClientSecondRound(ss);
 
     return rv;
 }
 
 /* Called from ssl3_HandleServerHelloDone and ssl3_AuthCertificateComplete.
  *
  * Caller must hold Handshake and RecvBuf locks.
  */
 static SECStatus
@@ skipping 78 matching lines @@
         if (rv != SECSuccess) {
             goto loser; /* err is set. */
         }
     }
 
     rv = ssl3_SendChangeCipherSpecs(ss);
     if (rv != SECSuccess) {
         goto loser;     /* err code was set. */
     }
 
-    /* XXX: If the server's certificate hasn't been authenticated by this
-     * point, then we may be leaking this NPN message to an attacker.
-     */
     if (!ss->firstHsDone) {
+        /* XXX: If the server's certificate hasn't been authenticated by this
+         * point, then we may be leaking this NPN message to an attacker.
+         */
         rv = ssl3_SendNextProto(ss);
         if (rv != SECSuccess) {
             goto loser; /* err code was set. */
         }
     }
+
     rv = ssl3_SendEncryptedExtensions(ss);
     if (rv != SECSuccess) {
         goto loser; /* err code was set. */
     }
 
+    if (!ss->firstHsDone) {
+        if (ss->opt.enableFalseStart) {
+            if (!ss->ssl3.hs.authCertificatePending) {
+                /* When we fix bug 589047, we will need to know whether we are
+                 * false starting before we try to flush the client second
+                 * round to the network. With that in mind, we purposefully
+                 * call ssl3_CheckFalseStart before calling ssl3_SendFinished,
+                 * which includes a call to ssl3_FlushHandshake, so that
+                 * no application develops a reliance on such flushing being
+                 * done before its false start callback is called. 
+                 */
+                ssl_ReleaseXmitBufLock(ss);
+                rv = ssl3_CheckFalseStart(ss);
+                ssl_GetXmitBufLock(ss);
+                if (rv != SECSuccess) {
+                    goto loser;
+                }
+            } else {
+                /* The certificate authentication and the server's Finished
+                 * message are racing each other. If the certificate
+                 * authentication wins, then we will try to false start in
+                 * ssl3_AuthCertificateComplete.
+                 */
+                SSL_TRC(3, ("%d: SSL3[%p]: deferring false start check because"
+                            " certificate authentication is still pending.",
+                            SSL_GETPID(), ss->fd));
+            }
+        }
+    }
+
     rv = ssl3_SendFinished(ss, 0);
     if (rv != SECSuccess) {
         goto loser;     /* err code was set. */
     }
 
     ssl_ReleaseXmitBufLock(ss);         /*******************************/
 
     if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
         ss->ssl3.hs.ws = wait_new_session_ticket;
     else
         ss->ssl3.hs.ws = wait_change_cipher;
 
-    /* Do the handshake callback for sslv3 here, if we can false start. */
-    if (ss->handshakeCallback != NULL && ssl3_CanFalseStart(ss)) {
+    if (ss->handshakeCallback &&
+        (ss->ssl3.hs.canFalseStart && !ss->canFalseStartCallback)) {
+        /* Call the handshake callback here for backwards compatibility with
+         * applications that were using false start before
+         * canFalseStartCallback was added. Note that we do this after calling
+         * ssl3_SendFinished, which includes a call to ssl3_FlushHandshake,
+         * just in case the application is relying on having the handshake
+         * messages flushed to the network before its handshake callback is
+         * called.

[Ryan Sleevi, 2013/09/14 02:13:31]

This was Brian's concession to Chromium, but as you've implemented it, we can't
take advantage of it.

[wtc, 2013/09/16 16:14:48]

I should have pointed out that Brian's patch also works in our source
tree without my changes to ssl_client_socket_nss.cc. In that "backward
compatible" mode, we are indeed taking advantage of Brian's concession
here.

After I verified the "backward compatible" mode works in Chromium, I
proceeded to try the new CanFalseStartCallback function. I had to
change ssl_client_socket_nss.cc to call our original HandshakeCallback
manually, after SSL_ForceHandshake returns SECSuccess. Does this change
address your concern?

+         */
         (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
     }
 
     return SECSuccess;
 
 loser:
     ssl_ReleaseXmitBufLock(ss);
     return rv;
 }
 
@@ skipping 2598 matching lines @@
 
         if (rv == SECWouldBlock) {
             if (ss->sec.isServer) {
                 errCode = SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS;
                 rv = SECFailure;
                 goto loser;
             }
 
             ss->ssl3.hs.authCertificatePending = PR_TRUE;
             rv = SECSuccess;
-
-            /* XXX: Async cert validation and False Start don't work together
-             * safely yet; if we leave False Start enabled, we may end up false
-             * starting (sending application data) before we
-             * SSL_AuthCertificateComplete has been called.
-             */
-            ss->opt.enableFalseStart = PR_FALSE;
         }
 
         if (rv != SECSuccess) {
             ssl3_SendAlertForCertError(ss, errCode);
             goto loser;
         }
     }
 
     ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
     ssl3_CopyPeerCertsToSID(ss->ssl3.peerCertChain, ss->sec.ci.sid);
@@ skipping 104 matching lines @@
 
     ss->ssl3.hs.authCertificatePending = PR_FALSE;
 
     if (error != 0) {
         ss->ssl3.hs.restartTarget = ssl3_AlwaysFail;
         ssl3_SendAlertForCertError(ss, error);
         rv = SECSuccess;
     } else if (ss->ssl3.hs.restartTarget != NULL) {
         sslRestartTarget target = ss->ssl3.hs.restartTarget;
         ss->ssl3.hs.restartTarget = NULL;
+
+        if (target == ssl3_FinishHandshake) {
+            SSL_TRC(3,("%d: SSL3[%p]: certificate authentication lost the race"
+                       " with peer's finished message", SSL_GETPID(), ss->fd));
+        }
+
         rv = target(ss);
         /* Even if we blocked here, we have accomplished enough to claim
          * success. Any remaining work will be taken care of by subsequent
          * calls to SSL_ForceHandshake/PR_Send/PR_Read/etc. 
          */
         if (rv == SECWouldBlock) {
             rv = SECSuccess;
         }
     } else {
-        rv = SECSuccess;
+        PORT_Assert(!ss->firstHsDone);
+        PORT_Assert(!ss->sec.isServer);
+        PORT_Assert(!ss->ssl3.hs.isResuming);
+        PORT_Assert(ss->ssl3.hs.ws == wait_change_cipher ||
+                    ss->ssl3.hs.ws == wait_finished ||          
+                    ss->ssl3.hs.ws == wait_new_session_ticket);
+
+        SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race with"
+                    " peer's finished message", SSL_GETPID(), ss->fd));
+
+        /* ssl3_SendClientSecondRound deferred the false start check because
+         * certificate authentication was pending, so we have to do it now.
+         */
+        if (ss->opt.enableFalseStart &&
+            !ss->firstHsDone &&
+            !ss->sec.isServer &&
+            !ss->ssl3.hs.isResuming &&
+            (ss->ssl3.hs.ws == wait_change_cipher ||
+             ss->ssl3.hs.ws == wait_finished ||         
+             ss->ssl3.hs.ws == wait_new_session_ticket)) {
+            rv = ssl3_CheckFalseStart(ss);
+            if (rv == SECSuccess &&
+                ss->handshakeCallback &&
+                (ss->ssl3.hs.canFalseStart && !ss->canFalseStartCallback)) {
+                /* Call the handshake callback here for backwards compatibility
+                 * with applications that were using false start before
+                 * canFalseStartCallback was added.
+                 */
+                (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+            }

[wtc, 2013/09/18 22:57:23]

It seems that we should still set rv to SECSuccess even if
ssl3_CheckFalseStart(ss) returned SECFailure.

+        } else {
+            rv = SECSuccess;
+        }
     }
 
 done:
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_ReleaseRecvBufLock(ss);
 
     return rv;
 }
 
 static SECStatus
@@ skipping 675 matching lines @@
         return SECWouldBlock;
     }
 
     rv = ssl3_FinishHandshake(ss);
     return rv;
 }
 
 SECStatus
 ssl3_FinishHandshake(sslSocket * ss)
 {
+    PRBool falseStarted;
+
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     PORT_Assert( ss->ssl3.hs.restartTarget == NULL );
 
     /* The first handshake is now completed. */
     ss->handshake           = NULL;
     ss->firstHsDone         = PR_TRUE;
+    ss->enoughFirstHsDone   = PR_TRUE;
 
     if (ss->ssl3.hs.cacheSID) {
         (*ss->sec.cache)(ss->sec.ci.sid);
         ss->ssl3.hs.cacheSID = PR_FALSE;
     }
 
-    ss->ssl3.hs.ws = idle_handshake;
+    falseStarted = ss->ssl3.hs.canFalseStart;
+    ss->ssl3.hs.canFalseStart = PR_FALSE; /* False Start phase is complete */
 
-    /* Do the handshake callback for sslv3 here, if we cannot false start. */
-    if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) {
+    /* Call the handshake callback for sslv3 here, unless we called it already
+     * for the case where false start was done without a canFalseStartCallback.
+     */
+    if (ss->handshakeCallback != NULL &&
+        !(falseStarted && !ss->canFalseStartCallback)) {
         (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
     }
 
+    ss->ssl3.hs.ws = idle_handshake;

[wtc, 2013/09/18 22:57:23]

I will ask Brian if it's important to set ss->ssl3.hs.ws to idle_handshake
after calling ss->handshakeCallback.

     return SECSuccess;
 }
 
 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
  * hanshake message.
  * Caller must hold Handshake and RecvBuf locks.
  */
 SECStatus
 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
@@ skipping 1454 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */