net/third_party/nss/ssl/ssl3con.c - Issue 10136001: net: only False Start with forward secret servers.

Side by Side Diff: net/third_party/nss/ssl/ssl3con.c

Issue 10136001: net: only False Start with forward secret servers. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 8 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 /* -- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -- */	1 /* -- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -- */

2 /*	2 /*

3 * SSL3 Protocol	3 * SSL3 Protocol

4 *	4 *

5 * *** BEGIN LICENSE BLOCK ***	5 * *** BEGIN LICENSE BLOCK ***

6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1	6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1

7 *	7 *

8 * The contents of this file are subject to the Mozilla Public License Version	8 * The contents of this file are subject to the Mozilla Public License Version

9 * 1.1 (the "License"); you may not use this file except in compliance with	9 * 1.1 (the "License"); you may not use this file except in compliance with

10 * the License. You may obtain a copy of the License at	10 * the License. You may obtain a copy of the License at

(...skipping 6068 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
6079 /* XXX: does not take into account whether we are waiting for	6079 /* XXX: does not take into account whether we are waiting for

6080 * SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when	6080 * SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when

6081 * that is done, this function could return different results each time it	6081 * that is done, this function could return different results each time it

6082 * would be called.	6082 * would be called.

6083 */	6083 */

6084	6084

6085 ssl_GetSpecReadLock(ss);	6085 ssl_GetSpecReadLock(ss);

6086 rv = ss->opt.enableFalseStart &&	6086 rv = ss->opt.enableFalseStart &&

6087 !ss->sec.isServer &&	6087 !ss->sec.isServer &&

6088 !ss->ssl3.hs.isResuming &&	6088 !ss->ssl3.hs.isResuming &&

6089 ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn) &&

6090 ss->ssl3.cwSpec &&	6089 ss->ssl3.cwSpec &&

6091 ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&	6090 ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&

6092 » (ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa \|\|	6091 » (ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh \|\|

6093 » ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh \|\|

6094 ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_ecdh);	6092 ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_ecdh);
	wtc 2012/04/19 22:33:53 It would be nice to add a comment to briefly expla It would be nice to add a comment to briefly explain why only certain key exchange algorithms are compatible with False Start. IMPORTANT: Looking at this more closely, I think we're testing the wrong member of ss->ssl3.hs.kea_def here. I assume we don't want to enable False Start with the non-ephemeral DH and ECDH cipher suites such as TLS_ECDH_RSA_WITH_AES_128_CBC_SHA. If so, we should be testing ss->ssl3.hs.kea_def->kea == kea_dhe_dss \|\| ss->ssl3.hs.kea_def->kea == kea_dhe_rsa \|\| ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa \|\| ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa See http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ssl/ssl3... and http://mxr.mozilla.org/security/ident?i=kea_ecdhe_rsa agl 2012/04/20 18:30:29 Done. Show quoted text On 2012/04/19 22:33:53, wtc wrote: > It would be nice to add a comment to briefly explain why > only certain key exchange algorithms are compatible with > False Start. Done. Show quoted text > IMPORTANT: Looking at this more closely, I think we're testing the wrong > member of ss->ssl3.hs.kea_def here. Thanks! Done.
6095 ssl_ReleaseSpecReadLock(ss);	6093 ssl_ReleaseSpecReadLock(ss);

6096 return rv;	6094 return rv;

6097 }	6095 }

6098	6096

6099 static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);	6097 static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);

6100	6098

6101 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete	6099 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete

6102 * ssl3 Server Hello Done message.	6100 * ssl3 Server Hello Done message.

6103 * Caller must hold Handshake and RecvBuf locks.	6101 * Caller must hold Handshake and RecvBuf locks.

6104 */	6102 */

(...skipping 4327 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
10432 PORT_Free(ss->ssl3.hs.recvdFragments.buf);	10430 PORT_Free(ss->ssl3.hs.recvdFragments.buf);

10433 }	10431 }

10434 }	10432 }

10435	10433

10436 ss->ssl3.initialized = PR_FALSE;	10434 ss->ssl3.initialized = PR_FALSE;

10437	10435

10438 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);	10436 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);

10439 }	10437 }

10440	10438

10441 /* End of ssl3con.c */	10439 /* End of ssl3con.c */

OLD	NEW

« no previous file with comments | « net/third_party/nss/patches/falsestartnpn.patch ('k') | net/third_party/nss/ssl/ssl3ext.c » ('j') | no next file with comments »