Chromium Code Reviews Chromium Code Reviews
Issue 23621040:
Make SSL False Start work with asynchronous certificate validation (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| Index: net/third_party/nss/ssl/ssl3con.c |
| =================================================================== |
| --- net/third_party/nss/ssl/ssl3con.c (revision 222795) |
| +++ net/third_party/nss/ssl/ssl3con.c (working copy) |
| @@ -2815,7 +2815,7 @@ |
| SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d", |
| SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type), |
| nIn)); |
| - PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn)); |
| + PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn)); |
|
agl
2013/09/13 15:03:29
This seems to be an unrelated change.
wtc
2013/09/18 22:57:23
Done.
|
| PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
| @@ -7266,35 +7266,42 @@ |
| return rv; |
| } |
| -PRBool |
| -ssl3_CanFalseStart(sslSocket *ss) { |
| - PRBool rv; |
| +static SECStatus |
| +ssl3_CheckFalseStart(sslSocket *ss) |
| +{ |
| + SECStatus rv; |
| + PRBool maybeFalseStart = PR_TRUE; |
| PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| + PORT_Assert( !ss->ssl3.hs.authCertificatePending ); |
| - /* XXX: does not take into account whether we are waiting for |
| - * SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when |
| - * that is done, this function could return different results each time it |
| - * would be called. |
| - */ |
| + /* An attacker can control the selected ciphersuite so we only wish to |
| + * do False Start in the case that the selected ciphersuite is |
| + * sufficiently strong that the attack can gain no advantage. |
| + * Therefore we always require an 80-bit cipher. */ |
| ssl_GetSpecReadLock(ss); |
| - rv = ss->opt.enableFalseStart && |
| - !ss->sec.isServer && |
| - !ss->ssl3.hs.isResuming && |
| - ss->ssl3.cwSpec && |
| + if (ss->ssl3.cwSpec->cipher_def->secret_key_size < 10) { |
| + ss->ssl3.hs.canFalseStart = PR_FALSE; |
| + maybeFalseStart = PR_FALSE; |
| + } |
| + ssl_ReleaseSpecReadLock(ss); |
| + if (!maybeFalseStart) { |
| + return SECSuccess; |
| + } |
| - /* An attacker can control the selected ciphersuite so we only wish to |
| - * do False Start in the case that the selected ciphersuite is |
| - * sufficiently strong that the attack can gain no advantage. |
| - * Therefore we require an 80-bit cipher and a forward-secret key |
| - * exchange. */ |
| - ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 && |
| - (ss->ssl3.hs.kea_def->kea == kea_dhe_dss || |
| - ss->ssl3.hs.kea_def->kea == kea_dhe_rsa || |
| - ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa || |
| - ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa); |
| - ssl_ReleaseSpecReadLock(ss); |
| + if (!ss->canFalseStartCallback) { |
| + rv = SSL_DefaultCanFalseStart(ss->fd, &ss->ssl3.hs.canFalseStart); |
| + } else { |
| + rv = (ss->canFalseStartCallback)(ss->fd, |
| + ss->canFalseStartCallbackData, |
| + &ss->ssl3.hs.canFalseStart); |
| + } |
| + |
| + if (rv != SECSuccess) { |
| + ss->ssl3.hs.canFalseStart = PR_FALSE; |
| + } |
| + |
| return rv; |
| } |
| @@ -7324,6 +7331,7 @@ |
| return SECFailure; |
| } |
| + ss->enoughFirstHsDone = PR_TRUE; |
|
wtc
2013/09/18 22:57:23
I think we need to wait until we have called ssl3_
|
| rv = ssl3_SendClientSecondRound(ss); |
| return rv; |
| @@ -7422,20 +7430,51 @@ |
| goto loser; /* err code was set. */ |
| } |
| - /* XXX: If the server's certificate hasn't been authenticated by this |
| - * point, then we may be leaking this NPN message to an attacker. |
| - */ |
| if (!ss->firstHsDone) { |
| + /* XXX: If the server's certificate hasn't been authenticated by this |
| + * point, then we may be leaking this NPN message to an attacker. |
| + */ |
| rv = ssl3_SendNextProto(ss); |
| if (rv != SECSuccess) { |
| goto loser; /* err code was set. */ |
| } |
| } |
| + |
| rv = ssl3_SendEncryptedExtensions(ss); |
| if (rv != SECSuccess) { |
| goto loser; /* err code was set. */ |
| } |
| + if (!ss->firstHsDone) { |
| + if (ss->opt.enableFalseStart) { |
| + if (!ss->ssl3.hs.authCertificatePending) { |
| + /* When we fix bug 589047, we will need to know whether we are |
| + * false starting before we try to flush the client second |
| + * round to the network. With that in mind, we purposefully |
| + * call ssl3_CheckFalseStart before calling ssl3_SendFinished, |
| + * which includes a call to ssl3_FlushHandshake, so that |
| + * no application develops a reliance on such flushing being |
| + * done before its false start callback is called. |
| + */ |
| + ssl_ReleaseXmitBufLock(ss); |
| + rv = ssl3_CheckFalseStart(ss); |
| + ssl_GetXmitBufLock(ss); |
| + if (rv != SECSuccess) { |
| + goto loser; |
| + } |
| + } else { |
| + /* The certificate authentication and the server's Finished |
| + * message are racing each other. If the certificate |
| + * authentication wins, then we will try to false start in |
| + * ssl3_AuthCertificateComplete. |
| + */ |
| + SSL_TRC(3, ("%d: SSL3[%p]: deferring false start check because" |
| + " certificate authentication is still pending.", |
| + SSL_GETPID(), ss->fd)); |
| + } |
| + } |
| + } |
| + |
| rv = ssl3_SendFinished(ss, 0); |
| if (rv != SECSuccess) { |
| goto loser; /* err code was set. */ |
| @@ -7448,8 +7487,16 @@ |
| else |
| ss->ssl3.hs.ws = wait_change_cipher; |
| - /* Do the handshake callback for sslv3 here, if we can false start. */ |
| - if (ss->handshakeCallback != NULL && ssl3_CanFalseStart(ss)) { |
| + if (ss->handshakeCallback && |
| + (ss->ssl3.hs.canFalseStart && !ss->canFalseStartCallback)) { |
| + /* Call the handshake callback here for backwards compatibility with |
| + * applications that were using false start before |
| + * canFalseStartCallback was added. Note that we do this after calling |
| + * ssl3_SendFinished, which includes a call to ssl3_FlushHandshake, |
| + * just in case the application is relying on having the handshake |
| + * messages flushed to the network before its handshake callback is |
| + * called. |
|
Ryan Sleevi
2013/09/14 02:13:31
This was Brian's concession to Chromium, but as yo
wtc
2013/09/16 16:14:48
I should have pointed out that Brian's patch also
|
| + */ |
| (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData); |
| } |
| @@ -10068,13 +10115,6 @@ |
| ss->ssl3.hs.authCertificatePending = PR_TRUE; |
| rv = SECSuccess; |
| - |
| - /* XXX: Async cert validation and False Start don't work together |
| - * safely yet; if we leave False Start enabled, we may end up false |
| - * starting (sending application data) before we |
| - * SSL_AuthCertificateComplete has been called. |
| - */ |
| - ss->opt.enableFalseStart = PR_FALSE; |
| } |
| if (rv != SECSuccess) { |
| @@ -10199,6 +10239,12 @@ |
| } else if (ss->ssl3.hs.restartTarget != NULL) { |
| sslRestartTarget target = ss->ssl3.hs.restartTarget; |
| ss->ssl3.hs.restartTarget = NULL; |
| + |
| + if (target == ssl3_FinishHandshake) { |
| + SSL_TRC(3,("%d: SSL3[%p]: certificate authentication lost the race" |
| + " with peer's finished message", SSL_GETPID(), ss->fd)); |
| + } |
| + |
| rv = target(ss); |
| /* Even if we blocked here, we have accomplished enough to claim |
| * success. Any remaining work will be taken care of by subsequent |
| @@ -10208,7 +10254,39 @@ |
| rv = SECSuccess; |
| } |
| } else { |
| - rv = SECSuccess; |
| + PORT_Assert(!ss->firstHsDone); |
| + PORT_Assert(!ss->sec.isServer); |
| + PORT_Assert(!ss->ssl3.hs.isResuming); |
| + PORT_Assert(ss->ssl3.hs.ws == wait_change_cipher || |
| + ss->ssl3.hs.ws == wait_finished || |
| + ss->ssl3.hs.ws == wait_new_session_ticket); |
| + |
| + SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race with" |
| + " peer's finished message", SSL_GETPID(), ss->fd)); |
| + |
| + /* ssl3_SendClientSecondRound deferred the false start check because |
| + * certificate authentication was pending, so we have to do it now. |
| + */ |
| + if (ss->opt.enableFalseStart && |
| + !ss->firstHsDone && |
| + !ss->sec.isServer && |
| + !ss->ssl3.hs.isResuming && |
| + (ss->ssl3.hs.ws == wait_change_cipher || |
| + ss->ssl3.hs.ws == wait_finished || |
| + ss->ssl3.hs.ws == wait_new_session_ticket)) { |
| + rv = ssl3_CheckFalseStart(ss); |
| + if (rv == SECSuccess && |
| + ss->handshakeCallback && |
| + (ss->ssl3.hs.canFalseStart && !ss->canFalseStartCallback)) { |
| + /* Call the handshake callback here for backwards compatibility |
| + * with applications that were using false start before |
| + * canFalseStartCallback was added. |
| + */ |
| + (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData); |
| + } |
|
wtc
2013/09/18 22:57:23
It seems that we should still set rv to SECSuccess
|
| + } else { |
| + rv = SECSuccess; |
| + } |
| } |
| done: |
| @@ -10904,6 +10982,8 @@ |
| SECStatus |
| ssl3_FinishHandshake(sslSocket * ss) |
| { |
| + PRBool falseStarted; |
| + |
| PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| PORT_Assert( ss->ssl3.hs.restartTarget == NULL ); |
| @@ -10911,19 +10991,25 @@ |
| /* The first handshake is now completed. */ |
| ss->handshake = NULL; |
| ss->firstHsDone = PR_TRUE; |
| + ss->enoughFirstHsDone = PR_TRUE; |
| if (ss->ssl3.hs.cacheSID) { |
| (*ss->sec.cache)(ss->sec.ci.sid); |
| ss->ssl3.hs.cacheSID = PR_FALSE; |
| } |
| - ss->ssl3.hs.ws = idle_handshake; |
| + falseStarted = ss->ssl3.hs.canFalseStart; |
| + ss->ssl3.hs.canFalseStart = PR_FALSE; /* False Start phase is complete */ |
| - /* Do the handshake callback for sslv3 here, if we cannot false start. */ |
| - if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) { |
| + /* Call the handshake callback for sslv3 here, unless we called it already |
| + * for the case where false start was done without a canFalseStartCallback. |
| + */ |
| + if (ss->handshakeCallback != NULL && |
| + !(falseStarted && !ss->canFalseStartCallback)) { |
| (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData); |
| } |
| + ss->ssl3.hs.ws = idle_handshake; |
|
wtc
2013/09/18 22:57:23
I will ask Brian if it's important to set ss->ssl3
|
| return SECSuccess; |
| } |
