Google Git
Sign in
boringssl/boringssl.git/adb739e1e59a48a421a080e64ad16f23e6b18cfd^!/.
commit
adb739e1e59a48a421a080e64ad16f23e6b18cfd
[log]
author
Adam Langley <agl@chromium.org>
Fri Jun 20 12:00:00 2014 -0700
committer
Adam Langley <agl@chromium.org>
Fri Jun 20 13:17:32 2014 -0700
tree
a5a3ac4993ad35d2f9ef0cf9712db037e9b5502e
parent
95c29f3cd1f6c08c6c0927868683392eea727ccb [diff]
False Start support.

(Called "cut through" for historical reasons in this patch.)

Enables SSL3+ clients to send application data immediately following the
Finished message even when negotiating full-handshakes.  With this
patch, clients can negotiate SSL connections in 1-RTT even when
performing full-handshakes.

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 9698916..ba0410a 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c

@@ -209,6 +209,12 @@
 		}
 #endif
 
+	if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
+		{
+		/* Send app data along with CCS/Finished */
+		s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED;
+		}
+
 	for (;;)
 		{
 		state=s->state;
@@ -518,14 +524,32 @@
 				}
 			else
 				{
-#ifndef OPENSSL_NO_TLSEXT
-				/* Allow NewSessionTicket if ticket expected */
-				if (s->tlsext_ticket_expected)
-					s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
+				if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
+				    && ssl3_can_cutthrough(s)
+				    && s->s3->previous_server_finished_len == 0 /* no cutthrough on renegotiation (would complicate the state machine) */
+				   )
+					{
+					if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
+						{
+						s->state=SSL3_ST_CUTTHROUGH_COMPLETE;
+						s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
+						s->s3->delay_buf_pop_ret=0;
+						}
+					else
+						{
+						s->s3->tmp.next_state=SSL3_ST_CUTTHROUGH_COMPLETE;
+						}
+					}
 				else
+					{
+#ifndef OPENSSL_NO_TLSEXT
+					/* Allow NewSessionTicket if ticket expected */
+					if (s->tlsext_ticket_expected)
+						s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
+					else
 #endif
-				
-				s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
+						s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
+					}
 				}
 			s->init_num=0;
 			break;
@@ -573,6 +597,24 @@
 			s->state=s->s3->tmp.next_state;
 			break;
 
+		case SSL3_ST_CUTTHROUGH_COMPLETE:
+#ifndef OPENSSL_NO_TLSEXT
+			/* Allow NewSessionTicket if ticket expected */
+			if (s->tlsext_ticket_expected)
+				s->state=SSL3_ST_CR_SESSION_TICKET_A;
+			else
+#endif
+				s->state=SSL3_ST_CR_FINISHED_A;
+
+			/* SSL_write() will take care of flushing buffered data if
+			 * DELAY_CLIENT_FINISHED is set.
+			 */
+			if (!(s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED))
+				ssl_free_wbio_buffer(s);
+			ret = 1;
+			goto end;
+			/* break; */
+
 		case SSL_ST_OK:
 			/* clean a few things up */
 			ssl3_cleanup_key_block(s);

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 3a53c68..edffd21 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c

@@ -3963,9 +3963,22 @@
 
 static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
 	{
-	int ret;
+	int n,ret;
 	
 	ERR_clear_system_error();
+	if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio))
+		{
+		/* Deal with an application that calls SSL_read() when handshake data
+		 * is yet to be written.
+		 */
+		if (BIO_wpending(s->wbio) > 0)
+			{
+			s->rwstate=SSL_WRITING;
+			n=BIO_flush(s->wbio);
+			if (n <= 0) return(n);
+			s->rwstate=SSL_NOTHING;
+			}
+		}
 	if (s->s3->renegotiate) ssl3_renegotiate_check(s);
 	s->s3->in_read_app_data=1;
 	ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 91f52ce..e5aa03a 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h

@@ -689,6 +689,7 @@
  * TLS only.)  "Released" buffers are put onto a free-list in the context
  * or just freed (depending on the context's setting for freelist_max_len). */
 #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
+
 /* Send the current time in the Random fields of the ClientHello and
  * ServerHello records for compatibility with hypothetical implementations
  * that require it.
@@ -752,6 +753,11 @@
 #define SSL_CONF_TYPE_FILE		0x2
 #define SSL_CONF_TYPE_DIR		0x3
 
+/* When set, clients may send application data before receipt of CCS
+ * and Finished.  This mode enables full-handshakes to 'complete' in
+ * one RTT. */
+#define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000080L
+
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
  * they cannot be used to clear bits. */
 
@@ -1560,10 +1566,12 @@
 /* Is the SSL_connection established? */
 #define SSL_get_state(a)		SSL_state(a)
 #define SSL_is_init_finished(a)		(SSL_state(a) == SSL_ST_OK)
-#define SSL_in_init(a)			(SSL_state(a)&SSL_ST_INIT)
+#define SSL_in_init(a)			((SSL_state(a)&SSL_ST_INIT) && \
+					!SSL_cutthrough_complete(a))
 #define SSL_in_before(a)		(SSL_state(a)&SSL_ST_BEFORE)
 #define SSL_in_connect_init(a)		(SSL_state(a)&SSL_ST_CONNECT)
 #define SSL_in_accept_init(a)		(SSL_state(a)&SSL_ST_ACCEPT)
+int SSL_cutthrough_complete(const SSL *s);
 
 /* The following 2 states are kept in ssl->rstate when reads fail,
  * you should not need these */

diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index e2bb36f..eb179e2 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h

@@ -597,6 +597,7 @@
 /*client */
 /* extra state */
 #define SSL3_ST_CW_FLUSH		(0x100|SSL_ST_CONNECT)
+#define SSL3_ST_CUTTHROUGH_COMPLETE	(0x101|SSL_ST_CONNECT)
 /* write to server */
 #define SSL3_ST_CW_CLNT_HELLO_A		(0x110|SSL_ST_CONNECT)
 #define SSL3_ST_CW_CLNT_HELLO_B		(0x111|SSL_ST_CONNECT)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index eec32b2..c536600 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c

@@ -3308,6 +3308,48 @@
 	SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
 	}
 
+int SSL_cutthrough_complete(const SSL *s)
+	{
+	return (!s->server &&                 /* cutthrough only applies to clients */
+		!s->hit &&                        /* full-handshake */
+		s->version >= SSL3_VERSION &&
+		s->s3->in_read_app_data == 0 &&   /* cutthrough only applies to write() */
+		(SSL_get_mode((SSL*)s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) &&  /* cutthrough enabled */
+		ssl3_can_cutthrough(s) &&                                   /* cutthrough allowed */
+		s->s3->previous_server_finished_len == 0 &&                 /* not a renegotiation handshake */
+		(s->state == SSL3_ST_CR_SESSION_TICKET_A ||                 /* ready to write app-data*/
+			s->state == SSL3_ST_CR_FINISHED_A));
+	}
+
+int ssl3_can_cutthrough(const SSL *s)
+	{
+	const SSL_CIPHER *c;
+
+	/* require a strong enough cipher */
+	if (SSL_get_cipher_bits(s, NULL) < 128)
+		return 0;
+
+	/* require ALPN or NPN extension */
+	if (!s->s3->alpn_selected
+#ifndef OPENSSL_NO_NEXTPROTONEG
+		&& !s->s3->next_proto_neg_seen
+#endif
+	)
+		{
+		return 0;
+		}
+
+	/* require a forward-secret cipher */
+	c = SSL_get_current_cipher(s);
+	if (!c || (c->algorithm_mkey != SSL_kEDH &&
+			c->algorithm_mkey != SSL_kEECDH))
+		{
+		return 0;
+		}
+
+	return 1;
+	}
+
 /* Allocates new EVP_MD_CTX and sets pointer to it into given pointer
  * vairable, freeing  EVP_MD_CTX previously stored in that variable, if
  * any. If EVP_MD pointer is passed, initializes ctx with this md

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index f0b6d42..cbfa172 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h

@@ -1294,6 +1294,8 @@
 void tls1_set_cert_validity(SSL *s);
 
 #endif
+
+int ssl3_can_cutthrough(const SSL *s);
 EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ;
 void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
 int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,