diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h | |
index 3026b48..94935a0 100644 | |
--- a/mozilla/security/nss/lib/ssl/ssl.h | |
+++ b/mozilla/security/nss/lib/ssl/ssl.h | |
@@ -97,40 +97,42 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd); | |
#define SSL_ENABLE_SSL2 7 /* enable ssl v2 (on by default) */ | |
#define SSL_ENABLE_SSL3 8 /* enable ssl v3 (on by default) */ | |
#define SSL_NO_CACHE 9 /* don't use the session cache */ | |
/* (off by default) */ | |
#define SSL_REQUIRE_CERTIFICATE 10 /* (SSL_REQUIRE_FIRST_HANDSHAKE */ | |
/* by default) */ | |
#define SSL_ENABLE_FDX 11 /* permit simultaneous read/write */ | |
/* (off by default) */ | |
#define SSL_V2_COMPATIBLE_HELLO 12 /* send v3 client hello in v2 fmt */ | |
/* (on by default) */ | |
#define SSL_ENABLE_TLS 13 /* enable TLS (on by default) */ | |
#define SSL_ROLLBACK_DETECTION 14 /* for compatibility, default: on */ | |
#define SSL_NO_STEP_DOWN 15 /* Disable export cipher suites */ | |
/* if step-down keys are needed. */ | |
/* default: off, generate */ | |
/* step-down keys if needed. */ | |
#define SSL_BYPASS_PKCS11 16 /* use PKCS#11 for pub key only */ | |
#define SSL_NO_LOCKS 17 /* Don't use locks for protection */ | |
#define SSL_ENABLE_SESSION_TICKETS 18 /* Enable TLS SessionTicket */ | |
/* extension (off by default) */ | |
+#define SSL_ENABLE_CUT_THROUGH 19 /* Enable TLS cut through (off by */ | |
+ /* default) */ | |
#ifdef SSL_DEPRECATED_FUNCTION | |
/* Old deprecated function names */ | |
SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on); | |
SSL_IMPORT SECStatus SSL_EnableDefault(int option, PRBool on); | |
#endif | |
/* New function names */ | |
SSL_IMPORT SECStatus SSL_OptionSet(PRFileDesc *fd, PRInt32 option, PRBool on); | |
SSL_IMPORT SECStatus SSL_OptionGet(PRFileDesc *fd, PRInt32 option, PRBool *on); | |
SSL_IMPORT SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on); | |
SSL_IMPORT SECStatus SSL_OptionGetDefault(PRInt32 option, PRBool *on); | |
SSL_IMPORT SECStatus SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle); | |
/* | |
** Control ciphers that SSL uses. If on is non-zero then the named cipher | |
** is enabled, otherwise it is disabled. | |
** The "cipher" values are defined in sslproto.h (the SSL_EN_* values). | |
** EnableCipher records user preferences. | |
** SetPolicy sets the policy according to the policy module. | |
diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c | |
index 7f332e9..0c70beb 100644 | |
--- a/mozilla/security/nss/lib/ssl/ssl3con.c | |
+++ b/mozilla/security/nss/lib/ssl/ssl3con.c | |
@@ -5389,40 +5389,42 @@ ssl3_HandleServerHelloDone(sslSocket *ss) | |
rv = ssl3_SendClientKeyExchange(ss); | |
if (rv != SECSuccess) { | |
goto loser; /* err is set. */ | |
} | |
if (send_verify) { | |
rv = ssl3_SendCertificateVerify(ss); | |
if (rv != SECSuccess) { | |
goto loser; /* err is set. */ | |
} | |
} | |
rv = ssl3_SendChangeCipherSpecs(ss); | |
if (rv != SECSuccess) { | |
goto loser; /* err code was set. */ | |
} | |
rv = ssl3_SendFinished(ss, 0); | |
if (rv != SECSuccess) { | |
goto loser; /* err code was set. */ | |
} | |
+ ss->finishedSent = 1; | |
+ | |
ssl_ReleaseXmitBufLock(ss); /*******************************/ | |
if (ssl3_ExtensionNegotiated(ss, session_ticket_xtn)) | |
ss->ssl3.hs.ws = wait_new_session_ticket; | |
else | |
ss->ssl3.hs.ws = wait_change_cipher; | |
return SECSuccess; | |
loser: | |
ssl_ReleaseXmitBufLock(ss); | |
return rv; | |
} | |
/* | |
* Routines used by servers | |
*/ | |
static SECStatus | |
ssl3_SendHelloRequest(sslSocket *ss) | |
{ | |
SECStatus rv; | |
diff --git a/mozilla/security/nss/lib/ssl/ssl3gthr.c b/mozilla/security/nss/lib/ssl/ssl3gthr.c | |
index bdd2958..432aacb 100644 | |
--- a/mozilla/security/nss/lib/ssl/ssl3gthr.c | |
+++ b/mozilla/security/nss/lib/ssl/ssl3gthr.c | |
@@ -190,41 +190,44 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags) | |
int rv; | |
PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | |
do { | |
/* bring in the next sslv3 record. */ | |
rv = ssl3_GatherData(ss, &ss->gs, flags); | |
if (rv <= 0) { | |
return rv; | |
} | |
/* decipher it, and handle it if it's a handshake. | |
* If it's application data, ss->gs.buf will not be empty upon return. | |
*/ | |
cText.type = (SSL3ContentType)ss->gs.hdr[0]; | |
cText.version = (ss->gs.hdr[1] << 8) | ss->gs.hdr[2]; | |
cText.buf = &ss->gs.inbuf; | |
rv = ssl3_HandleRecord(ss, &cText, &ss->gs.buf); | |
if (rv < 0) { | |
return ss->recvdCloseNotify ? 0 : rv; | |
} | |
- } while (ss->ssl3.hs.ws != idle_handshake && ss->gs.buf.len == 0); | |
+ } while (ss->ssl3.hs.ws != idle_handshake && | |
+ (!ss->opt.enableCutThrough || | |
+ ss->ssl3.hs.ws != wait_change_cipher) && | |
+ ss->gs.buf.len == 0); | |
ss->gs.readOffset = 0; | |
ss->gs.writeOffset = ss->gs.buf.len; | |
return 1; | |
} | |
/* Repeatedly gather in a record and when complete, Handle that record. | |
* Repeat this until some application data is received. | |
* | |
* Returns 1 when application data is available. | |
* Returns 0 if ssl3_GatherData hits EOF. | |
* Returns -1 on read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error. | |
* Returns -2 on SECWouldBlock return from ssl3_HandleRecord. | |
* | |
* Called from DoRecv in sslsecur.c | |
* Caller must hold the recv buf lock. | |
*/ | |
int | |
ssl3_GatherAppDataRecord(sslSocket *ss, int flags) | |
{ | |
diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h | |
index cae46a9..1185c93 100644 | |
--- a/mozilla/security/nss/lib/ssl/sslimpl.h | |
+++ b/mozilla/security/nss/lib/ssl/sslimpl.h | |
@@ -317,40 +317,41 @@ typedef struct { | |
#endif /* NSS_ENABLE_ECC */ | |
typedef struct sslOptionsStr { | |
unsigned int useSecurity : 1; /* 1 */ | |
unsigned int useSocks : 1; /* 2 */ | |
unsigned int requestCertificate : 1; /* 3 */ | |
unsigned int requireCertificate : 2; /* 4-5 */ | |
unsigned int handshakeAsClient : 1; /* 6 */ | |
unsigned int handshakeAsServer : 1; /* 7 */ | |
unsigned int enableSSL2 : 1; /* 8 */ | |
unsigned int enableSSL3 : 1; /* 9 */ | |
unsigned int enableTLS : 1; /* 10 */ | |
unsigned int noCache : 1; /* 11 */ | |
unsigned int fdx : 1; /* 12 */ | |
unsigned int v2CompatibleHello : 1; /* 13 */ | |
unsigned int detectRollBack : 1; /* 14 */ | |
unsigned int noStepDown : 1; /* 15 */ | |
unsigned int bypassPKCS11 : 1; /* 16 */ | |
unsigned int noLocks : 1; /* 17 */ | |
unsigned int enableSessionTickets : 1; /* 18 */ | |
+ unsigned int enableCutThrough : 1; /* 19 */ | |
} sslOptions; | |
typedef enum { sslHandshakingUndetermined = 0, | |
sslHandshakingAsClient, | |
sslHandshakingAsServer | |
} sslHandshakingType; | |
typedef struct sslServerCertsStr { | |
/* Configuration state for server sockets */ | |
CERTCertificate * serverCert; | |
CERTCertificateList * serverCertChain; | |
ssl3KeyPair * serverKeyPair; | |
unsigned int serverKeyBits; | |
} sslServerCerts; | |
#define SERVERKEY serverKeyPair->privKey | |
#define SSL_LOCK_RANK_SPEC 255 | |
#define SSL_LOCK_RANK_GLOBAL NSS_RWLOCK_RANK_NONE | |
@@ -967,40 +968,41 @@ struct sslSecurityInfoStr { | |
/* | |
** SSL Socket struct | |
** | |
** Protection: XXX | |
*/ | |
struct sslSocketStr { | |
PRFileDesc * fd; | |
/* Pointer to operations vector for this socket */ | |
const sslSocketOps * ops; | |
/* SSL socket options */ | |
sslOptions opt; | |
/* State flags */ | |
unsigned long clientAuthRequested; | |
unsigned long delayDisabled; /* Nagle delay disabled */ | |
unsigned long firstHsDone; /* first handshake is complete. */ | |
+ unsigned long finishedSent; | |
unsigned long handshakeBegun; | |
unsigned long lastWriteBlocked; | |
unsigned long recvdCloseNotify; /* received SSL EOF. */ | |
unsigned long TCPconnected; | |
unsigned long appDataBuffered; | |
/* version of the protocol to use */ | |
SSL3ProtocolVersion version; | |
SSL3ProtocolVersion clientHelloVersion; /* version sent in client hello. */ | |
sslSecurityInfo sec; /* not a pointer any more */ | |
/* protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. */ | |
const char *url; /* ssl 2 & 3 */ | |
sslHandshakeFunc handshake; /*firstHandshakeLock*/ | |
sslHandshakeFunc nextHandshake; /*firstHandshakeLock*/ | |
sslHandshakeFunc securityHandshake; /*firstHandshakeLock*/ | |
/* the following variable is only used with socks or other proxies. */ | |
diff --git a/mozilla/security/nss/lib/ssl/sslsecur.c b/mozilla/security/nss/lib/ssl/sslsecur.c | |
index c13100a..8e9d28c 100644 | |
--- a/mozilla/security/nss/lib/ssl/sslsecur.c | |
+++ b/mozilla/security/nss/lib/ssl/sslsecur.c | |
@@ -131,40 +131,43 @@ ssl_Do1stHandshake(sslSocket *ss) | |
if (ss->handshake == 0) { | |
ssl_GetRecvBufLock(ss); | |
ss->gs.recordLen = 0; | |
ssl_ReleaseRecvBufLock(ss); | |
SSL_TRC(3, ("%d: SSL[%d]: handshake is completed", | |
SSL_GETPID(), ss->fd)); | |
/* call handshake callback for ssl v2 */ | |
/* for v3 this is done in ssl3_HandleFinished() */ | |
if ((ss->handshakeCallback != NULL) && /* has callback */ | |
(!ss->firstHsDone) && /* only first time */ | |
(ss->version < SSL_LIBRARY_VERSION_3_0)) { /* not ssl3 */ | |
ss->firstHsDone = PR_TRUE; | |
(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData); | |
} | |
ss->firstHsDone = PR_TRUE; | |
ss->gs.writeOffset = 0; | |
ss->gs.readOffset = 0; | |
break; | |
} | |
+ if (ss->finishedSent) { | |
+ break; | |
+ } | |
rv = (*ss->handshake)(ss); | |
++loopCount; | |
/* This code must continue to loop on SECWouldBlock, | |
* or any positive value. See XXX_1 comments. | |
*/ | |
} while (rv != SECFailure); /* was (rv >= 0); XXX_1 */ | |
PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss)); | |
PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss)); | |
if (rv == SECWouldBlock) { | |
PORT_SetError(PR_WOULD_BLOCK_ERROR); | |
rv = SECFailure; | |
} | |
return rv; | |
} | |
/* | |
* Handshake function that blocks. Used to force a | |
* retry on a connection on the next read/write. | |
diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c | |
index 39e0f57..4676057 100644 | |
--- a/mozilla/security/nss/lib/ssl/sslsock.c | |
+++ b/mozilla/security/nss/lib/ssl/sslsock.c | |
@@ -163,40 +163,41 @@ static const sslSocketOps ssl_secure_ops = { /* SSL. */ | |
** default settings for socket enables | |
*/ | |
static sslOptions ssl_defaults = { | |
PR_TRUE, /* useSecurity */ | |
PR_FALSE, /* useSocks */ | |
PR_FALSE, /* requestCertificate */ | |
2, /* requireCertificate */ | |
PR_FALSE, /* handshakeAsClient */ | |
PR_FALSE, /* handshakeAsServer */ | |
PR_TRUE, /* enableSSL2 */ | |
PR_TRUE, /* enableSSL3 */ | |
PR_TRUE, /* enableTLS */ /* now defaults to on in NSS 3.0 */ | |
PR_FALSE, /* noCache */ | |
PR_FALSE, /* fdx */ | |
PR_TRUE, /* v2CompatibleHello */ | |
PR_TRUE, /* detectRollBack */ | |
PR_FALSE, /* noStepDown */ | |
PR_FALSE, /* bypassPKCS11 */ | |
PR_FALSE, /* noLocks */ | |
PR_FALSE, /* enableSessionTickets */ | |
+ PR_FALSE, /* enableCutThrough */ | |
}; | |
sslSessionIDLookupFunc ssl_sid_lookup; | |
sslSessionIDCacheFunc ssl_sid_cache; | |
sslSessionIDUncacheFunc ssl_sid_uncache; | |
static PRBool ssl_inited = PR_FALSE; | |
static PRDescIdentity ssl_layer_id; | |
PRBool locksEverDisabled; /* implicitly PR_FALSE */ | |
PRBool ssl_force_locks; /* implicitly PR_FALSE */ | |
int ssl_lock_readers = 1; /* default true. */ | |
char ssl_debug; | |
char ssl_trace; | |
FILE * ssl_trace_iob; | |
char lockStatus[] = "Locks are ENABLED. "; | |
#define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */ | |
/* forward declarations. */ | |
static sslSocket *ssl_NewSocket(PRBool makeLocks); | |
@@ -688,40 +689,44 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) | |
rv = SECFailure; | |
} | |
if (on && ssl_force_locks) | |
on = PR_FALSE; /* silent override */ | |
ss->opt.noLocks = on; | |
if (on) { | |
locksEverDisabled = PR_TRUE; | |
strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); | |
} else if (!holdingLocks) { | |
rv = ssl_MakeLocks(ss); | |
if (rv != SECSuccess) { | |
ss->opt.noLocks = PR_TRUE; | |
} | |
} | |
break; | |
case SSL_ENABLE_SESSION_TICKETS: | |
ss->opt.enableSessionTickets = on; | |
break; | |
+ case SSL_ENABLE_CUT_THROUGH: | |
+ ss->opt.enableCutThrough = on; | |
+ break; | |
+ | |
default: | |
PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
rv = SECFailure; | |
} | |
/* We can't use the macros for releasing the locks here, | |
* because ss->opt.noLocks might have changed just above. | |
* We must release these locks (monitors) here, if we aquired them above, | |
* regardless of the current value of ss->opt.noLocks. | |
*/ | |
if (holdingLocks) { | |
PZ_ExitMonitor((ss)->ssl3HandshakeLock); | |
PZ_ExitMonitor((ss)->firstHandshakeLock); | |
} | |
return rv; | |
} | |
SECStatus | |
SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) | |
@@ -746,40 +751,41 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) | |
switch (which) { | |
case SSL_SOCKS: on = PR_FALSE; break; | |
case SSL_SECURITY: on = ss->opt.useSecurity; break; | |
case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break; | |
case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break; | |
case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient; break; | |
case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer; break; | |
case SSL_ENABLE_TLS: on = ss->opt.enableTLS; break; | |
case SSL_ENABLE_SSL3: on = ss->opt.enableSSL3; break; | |
case SSL_ENABLE_SSL2: on = ss->opt.enableSSL2; break; | |
case SSL_NO_CACHE: on = ss->opt.noCache; break; | |
case SSL_ENABLE_FDX: on = ss->opt.fdx; break; | |
case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello; break; | |
case SSL_ROLLBACK_DETECTION: on = ss->opt.detectRollBack; break; | |
case SSL_NO_STEP_DOWN: on = ss->opt.noStepDown; break; | |
case SSL_BYPASS_PKCS11: on = ss->opt.bypassPKCS11; break; | |
case SSL_NO_LOCKS: on = ss->opt.noLocks; break; | |
case SSL_ENABLE_SESSION_TICKETS: | |
on = ss->opt.enableSessionTickets; | |
break; | |
+ case SSL_ENABLE_CUT_THROUGH: on = ss->opt.enableCutThrough; break; | |
default: | |
PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
rv = SECFailure; | |
} | |
ssl_ReleaseSSL3HandshakeLock(ss); | |
ssl_Release1stHandshakeLock(ss); | |
*pOn = on; | |
return rv; | |
} | |
SECStatus | |
SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) | |
{ | |
SECStatus rv = SECSuccess; | |
PRBool on = PR_FALSE; | |
if (!pOn) { | |
@@ -790,40 +796,41 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) | |
switch (which) { | |
case SSL_SOCKS: on = PR_FALSE; break; | |
case SSL_SECURITY: on = ssl_defaults.useSecurity; break; | |
case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break; | |
case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break; | |
case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break; | |
case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break; | |
case SSL_ENABLE_TLS: on = ssl_defaults.enableTLS; break; | |
case SSL_ENABLE_SSL3: on = ssl_defaults.enableSSL3; break; | |
case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break; | |
case SSL_NO_CACHE: on = ssl_defaults.noCache; break; | |
case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break; | |
case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break; | |
case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break; | |
case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break; | |
case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break; | |
case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break; | |
case SSL_ENABLE_SESSION_TICKETS: | |
on = ssl_defaults.enableSessionTickets; | |
break; | |
+ case SSL_ENABLE_CUT_THROUGH: on = ssl_defaults.enableCutThrough; break; | |
default: | |
PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
rv = SECFailure; | |
} | |
*pOn = on; | |
return rv; | |
} | |
/* XXX Use Global Lock to protect this stuff. */ | |
SECStatus | |
SSL_EnableDefault(int which, PRBool on) | |
{ | |
return SSL_OptionSetDefault(which, on); | |
} | |
SECStatus | |
SSL_OptionSetDefault(PRInt32 which, PRBool on) | |
{ | |
@@ -921,40 +928,44 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) | |
break; | |
case SSL_NO_LOCKS: | |
if (on && ssl_defaults.fdx) { | |
PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
return SECFailure; | |
} | |
if (on && ssl_force_locks) | |
on = PR_FALSE; /* silent override */ | |
ssl_defaults.noLocks = on; | |
if (on) { | |
locksEverDisabled = PR_TRUE; | |
strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); | |
} | |
break; | |
case SSL_ENABLE_SESSION_TICKETS: | |
ssl_defaults.enableSessionTickets = on; | |
break; | |
+ case SSL_ENABLE_CUT_THROUGH: | |
+ ssl_defaults.enableCutThrough = on; | |
+ break; | |
+ | |
default: | |
PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
return SECFailure; | |
} | |
return SECSuccess; | |
} | |
/* function tells us if the cipher suite is one that we no longer support. */ | |
static PRBool | |
ssl_IsRemovedCipherSuite(PRInt32 suite) | |
{ | |
switch (suite) { | |
case SSL_FORTEZZA_DMS_WITH_NULL_SHA: | |
case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: | |
case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: | |
return PR_TRUE; | |
default: | |
return PR_FALSE; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment