Make SSL False Start work with asynchronous certificate validation

net/third_party/nss/ssl/sslsecur.c

 /*
  * Various SSL functions.
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "cert.h"
 #include "secitem.h"
 #include "keyhi.h"
 #include "ssl.h"
@@ skipping 79 matching lines @@
             /* Previous handshake finished. Switch to next one */
             ss->handshake = ss->nextHandshake;
             ss->nextHandshake = 0;
         }
         if (ss->handshake == 0) {
             /* Previous handshake finished. Switch to security handshake */
             ss->handshake = ss->securityHandshake;
             ss->securityHandshake = 0;
         }
         if (ss->handshake == 0) {
-            ssl_GetRecvBufLock(ss);
-            ss->gs.recordLen = 0;
-            ssl_ReleaseRecvBufLock(ss);
-
-            SSL_TRC(3, ("%d: SSL[%d]: handshake is completed",
-                        SSL_GETPID(), ss->fd));
-            /* call handshake callback for ssl v2 */
-            /* for v3 this is done in ssl3_HandleFinished() */
-            if ((ss->handshakeCallback != NULL) && /* has callback */
-                (!ss->firstHsDone) &&              /* only first time */
-                (ss->version < SSL_LIBRARY_VERSION_3_0)) {  /* not ssl3 */
-                ss->firstHsDone     = PR_TRUE;
-                (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+            /* for v3 this is done in ssl3_FinishHandshake */
+            if (!ss->firstHsDone && ss->version < SSL_LIBRARY_VERSION_3_0) {
+                ssl_GetRecvBufLock(ss);
+                ss->gs.recordLen = 0;
+                ssl_FinishHandshake(ss);
+                ssl_ReleaseRecvBufLock(ss);
             }
-            ss->firstHsDone         = PR_TRUE;
-            ss->gs.writeOffset = 0;
-            ss->gs.readOffset  = 0;
             break;
         }
         rv = (*ss->handshake)(ss);
         ++loopCount;
     /* This code must continue to loop on SECWouldBlock, 
      * or any positive value.   See XXX_1 comments.
      */
     } while (rv != SECFailure);         /* was (rv >= 0); XXX_1 */
 
     PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
     PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
     PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));
 
     if (rv == SECWouldBlock) {
         PORT_SetError(PR_WOULD_BLOCK_ERROR);
         rv = SECFailure;
     }
     return rv;
 }
 
+void
+ssl_FinishHandshake(sslSocket *ss)
+{
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+
+    SSL_TRC(3, ("%d: SSL[%d]: handshake is completed", SSL_GETPID(), ss->fd));
+
+    ss->firstHsDone = PR_TRUE;
+    ss->enoughFirstHsDone = PR_TRUE;
+    ss->gs.writeOffset = 0;
+    ss->gs.readOffset  = 0;
+
+    if (ss->handshakeCallback) {
+        (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+    }
+}
+
 /*
  * Handshake function that blocks.  Used to force a
  * retry on a connection on the next read/write.
  */
 static SECStatus
 ssl3_AlwaysBlock(sslSocket *ss)
 {
     PORT_SetError(PR_WOULD_BLOCK_ERROR);        /* perhaps redundant. */
     return SECWouldBlock;
 }
@@ skipping 52 matching lines @@
     if (!ss->opt.useSecurity)
         return SECSuccess;
 
     SSL_LOCK_READER(ss);
     SSL_LOCK_WRITER(ss);
 
     /* Reset handshake state */
     ssl_Get1stHandshakeLock(ss);
 
     ss->firstHsDone = PR_FALSE;
+    ss->enoughFirstHsDone = PR_FALSE;
     if ( asServer ) {
         ss->handshake = ssl2_BeginServerHandshake;
         ss->handshaking = sslHandshakingAsServer;
     } else {
         ss->handshake = ssl2_BeginClientHandshake;
         ss->handshaking = sslHandshakingAsClient;
     }
     ss->nextHandshake       = 0;
     ss->securityHandshake   = 0;
 
     ssl_GetRecvBufLock(ss);
     status = ssl_InitGather(&ss->gs);
     ssl_ReleaseRecvBufLock(ss);
 
     ssl_GetSSL3HandshakeLock(ss);
+    ss->ssl3.hs.canFalseStart = PR_FALSE;
+    ss->ssl3.hs.restartTarget = NULL;
 
     /*
     ** Blow away old security state and get a fresh setup.
     */
     ssl_GetXmitBufLock(ss); 
     ssl_ResetSecurityInfo(&ss->sec, PR_TRUE);
     status = ssl_CreateSecurityInfo(ss);
     ssl_ReleaseXmitBufLock(ss); 
 
     ssl_ReleaseSSL3HandshakeLock(ss);
@@ skipping 90 matching lines @@
 
     ss->handshakeCallback     = cb;
     ss->handshakeCallbackData = client_data;
 
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_Release1stHandshakeLock(ss);
 
     return SECSuccess;
 }
 
+/* Register an application callback to be called when false start may happen.
+** Acquires and releases HandshakeLock.
+*/
+SECStatus
+SSL_SetCanFalseStartCallback(PRFileDesc *fd, SSLCanFalseStartCallback cb,
+                             void *arg)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCanFalseStartCallback",
+                 SSL_GETPID(), fd));
+        return SECFailure;
+    }
+
+    if (!ss->opt.useSecurity) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    ss->canFalseStartCallback     = cb;
+    ss->canFalseStartCallbackData = arg;
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    ssl_Release1stHandshakeLock(ss);
+
+    return SECSuccess;
+}
+
+SECStatus
+SSL_RecommendedCanFalseStart(PRFileDesc *fd, PRBool *canFalseStart)
+{
+    sslSocket *ss;
+
+    *canFalseStart = PR_FALSE;
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_RecommendedCanFalseStart",
+                 SSL_GETPID(), fd));
+        return SECFailure;
+    }
+
+    if (!ss->ssl3.initialized) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+        PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+        return SECFailure;
+    }
+
+    /* Require a forward-secret key exchange. */
+    *canFalseStart = ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
+                     ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
+                     ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
+                     ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa;
+
+    return SECSuccess;
+}
+
 /* Try to make progress on an SSL handshake by attempting to read the 
 ** next handshake from the peer, and sending any responses.
 ** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK  if it cannot 
 ** read the next handshake from the underlying socket.
 ** For SSLv2, returns when handshake is complete or fatal error occurs.
 ** For SSLv3, returns when handshake is complete, or application data has
 ** arrived that must be taken by application before handshake can continue, 
 ** or a fatal error occurs.
 ** Application should use handshake completion callback to tell which. 
 */
@@ skipping 173 matching lines @@
 ** This code is similar to, and easily confused with, 
 **   ssl_GatherRecord1stHandshake() in sslcon.c
 */
 static int 
 DoRecv(sslSocket *ss, unsigned char *out, int len, int flags)
 {
     int              rv;
     int              amount;
     int              available;
 
+    /* ssl3_GatherAppDataRecord may call ssl_FinishHandshake, which needs the
+     * 1stHandshakeLock. */
+    ssl_Get1stHandshakeLock(ss);
     ssl_GetRecvBufLock(ss);
 
     available = ss->gs.writeOffset - ss->gs.readOffset;
     if (available == 0) {
         /* Get some more data */
         if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
             /* Wait for application data to arrive.  */
             rv = ssl3_GatherAppDataRecord(ss, 0);
         } else {
             /* See if we have a complete record */
@@ skipping 46 matching lines @@
     }
     PORT_Assert(ss->gs.readOffset <= ss->gs.writeOffset);
     rv = amount;
 
     SSL_TRC(30, ("%d: SSL[%d]: amount=%d available=%d",
                  SSL_GETPID(), ss->fd, amount, available));
     PRINT_BUF(4, (ss, "DoRecv receiving plaintext:", out, amount));
 
 done:
     ssl_ReleaseRecvBufLock(ss);
+    ssl_Release1stHandshakeLock(ss);
     return rv;
 }
 
 /************************************************************************/
 
 /*
 ** Return SSLKEAType derived from cert's Public Key algorithm info.
 */
 SSLKEAType
 NSS_FindCertKEAType(CERTCertificate * cert)
@@ skipping 546 matching lines @@
 int
 ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len)
 {
     return ssl_SecureRecv(ss, buf, len, 0);
 }
 
 /* Caller holds the SSL Socket's write lock. SSL_LOCK_WRITER(ss) */
 int
 ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
 {
-    int              rv         = 0;
+    int rv = 0;
+    PRBool falseStart = PR_FALSE;
 
     SSL_TRC(2, ("%d: SSL[%d]: SecureSend: sending %d bytes",
                 SSL_GETPID(), ss->fd, len));
 
     if (ss->shutdownHow & ssl_SHUTDOWN_SEND) {
         PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR);
         rv = PR_FAILURE;
         goto done;
     }
     if (flags) {
@@ skipping 14 matching lines @@
     }
     ssl_ReleaseXmitBufLock(ss);
     if (rv < 0) {
         goto done;
     }
 
     if (len > 0) 
         ss->writerThread = PR_GetCurrentThread();
     /* If any of these is non-zero, the initial handshake is not done. */
     if (!ss->firstHsDone) {
-        PRBool canFalseStart = PR_FALSE;
         ssl_Get1stHandshakeLock(ss);
-        if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+        if (ss->opt.enableFalseStart &&
+            ss->version >= SSL_LIBRARY_VERSION_3_0) {
             ssl_GetSSL3HandshakeLock(ss);
-            if ((ss->ssl3.hs.ws == wait_change_cipher ||
-                ss->ssl3.hs.ws == wait_finished ||
-                ss->ssl3.hs.ws == wait_new_session_ticket) &&
-                ssl3_CanFalseStart(ss)) {
-                canFalseStart = PR_TRUE;
-            }
+            falseStart = ss->ssl3.hs.canFalseStart;
             ssl_ReleaseSSL3HandshakeLock(ss);
         }
-        if (!canFalseStart &&
+        if (!falseStart &&
             (ss->handshake || ss->nextHandshake || ss->securityHandshake)) {
             rv = ssl_Do1stHandshake(ss);
         }
         ssl_Release1stHandshakeLock(ss);
     }
     if (rv < 0) {
         ss->writerThread = NULL;
         goto done;
     }
 
     /* Check for zero length writes after we do housekeeping so we make forward
      * progress.
      */
     if (len == 0) {
         rv = 0;
         goto done;
     }
     PORT_Assert(buf != NULL);
     if (!buf) {
         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
         rv = PR_FAILURE;
         goto done;
     }
 
+    if (!ss->firstHsDone) {
+        PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_3_0);
+#ifdef DEBUG
+        ssl_GetSSL3HandshakeLock(ss);
+        PORT_Assert(ss->ssl3.hs.canFalseStart);
+        ssl_ReleaseSSL3HandshakeLock(ss);
+#endif
+        SSL_TRC(3, ("%d: SSL[%d]: SecureSend: sending data due to false start",
+                    SSL_GETPID(), ss->fd));
+    }
+
     /* Send out the data using one of these functions:
      *  ssl2_SendClear, ssl2_SendStream, ssl2_SendBlock, 
      *  ssl3_SendApplicationData
      */
     ssl_GetXmitBufLock(ss);
     rv = (*ss->sec.send)(ss, buf, len, flags);
     ssl_ReleaseXmitBufLock(ss);
     ss->writerThread = NULL;
 done:
     if (rv < 0) {
@@ skipping 348 matching lines @@
     if (!ss) {
         SSL_DBG(("%d: SSL[%d]: bad socket in SNISocketConfigHook",
                  SSL_GETPID(), fd));
         return SECFailure;
     }
 
     ss->sniSocketConfig = func;
     ss->sniSocketConfigArg = arg;
     return SECSuccess;
 }