diff options
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-02-25 17:04:37 +0000 |
|---|---|---|
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-02-25 17:04:37 +0000 |
| commit | e5294bd03329974118ac4fcab33fd5fce863b9c3 (patch) | |
| tree | 67af91363ec397cb581fba29549c90222513c5c2 /net/third_party/nss/ssl | |
| parent | b921cfd2c37845a0663570ddd3a6a9ec9c49a093 (diff) | |
| download | chromium_src-e5294bd03329974118ac4fcab33fd5fce863b9c3.zip chromium_src-e5294bd03329974118ac4fcab33fd5fce863b9c3.tar.gz chromium_src-e5294bd03329974118ac4fcab33fd5fce863b9c3.tar.bz2 | |
Revert "SSL False Start Support"
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40024 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/third_party/nss/ssl')
| -rw-r--r-- | net/third_party/nss/ssl/ssl.h | 11 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/ssl3con.c | 20 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/ssl3gthr.c | 13 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslimpl.h | 3 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslsecur.c | 6 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslsock.c | 11 |
6 files changed, 3 insertions, 61 deletions
diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h index 0bc02f8..b0e77df 100644 --- a/net/third_party/nss/ssl/ssl.h +++ b/net/third_party/nss/ssl/ssl.h @@ -128,17 +128,6 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd); /* Renegotiation Info (RI) */ /* extension in ALL handshakes. */ /* default: off */ -#define SSL_ENABLE_FALSE_START 22 /* Enable SSL false start (off by */ - /* default, applies only to */ - /* clients). False start is a */ -/* mode where an SSL client will start sending application data before */ -/* verifying the server's Finished message. This means that we could end up */ -/* sending data to an imposter. However, the data will be encrypted and */ -/* only the true server can derive the session key. Thus, so long as the */ -/* cipher isn't broken this is safe. Because of this, False Start will only */ -/* occur on RSA or DH ciphersuites where the cipher's key length is >= 80 */ -/* bits. The advantage of False Start is that it saves a round trip for */ -/* client-speaks-first protocols when performing a full handshake. */ #ifdef SSL_DEPRECATED_FUNCTION /* Old deprecated function names */ diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c index 24dc01c..545e51e 100644 --- a/net/third_party/nss/ssl/ssl3con.c +++ b/net/third_party/nss/ssl/ssl3con.c @@ -5657,17 +5657,7 @@ ssl3_RestartHandshakeAfterCertReq(sslSocket * ss, return rv; } -PRBool -ssl3_CanFalseStart(sslSocket *ss) { - return ss->opt.enableFalseStart && - !ss->sec.isServer && - !ss->ssl3.hs.isResuming && - ss->ssl3.cwSpec && - ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 && - (ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa || - ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh || - ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_ecdh); -} + /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete * ssl3 Server Hello Done message. @@ -5745,12 +5735,6 @@ ssl3_HandleServerHelloDone(sslSocket *ss) ss->ssl3.hs.ws = wait_new_session_ticket; else ss->ssl3.hs.ws = wait_change_cipher; - - /* Do the handshake callback for sslv3 here. */ - if (ss->handshakeCallback != NULL && ssl3_CanFalseStart(ss)) { - (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData); - } - return SECSuccess; loser: @@ -8525,7 +8509,7 @@ xmit_loser: ss->ssl3.hs.ws = idle_handshake; /* Do the handshake callback for sslv3 here. */ - if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) { + if (ss->handshakeCallback != NULL) { (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData); } diff --git a/net/third_party/nss/ssl/ssl3gthr.c b/net/third_party/nss/ssl/ssl3gthr.c index 28fe154..bdd2958 100644 --- a/net/third_party/nss/ssl/ssl3gthr.c +++ b/net/third_party/nss/ssl/ssl3gthr.c @@ -188,7 +188,6 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags) { SSL3Ciphertext cText; int rv; - PRBool canFalseStart = PR_FALSE; PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); do { @@ -208,17 +207,7 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags) if (rv < 0) { return ss->recvdCloseNotify ? 0 : rv; } - - if (ss->opt.enableFalseStart) { - ssl_GetSSL3HandshakeLock(ss); - canFalseStart = (ss->ssl3.hs.ws == wait_change_cipher || - ss->ssl3.hs.ws == wait_new_session_ticket) && - ssl3_CanFalseStart(ss); - ssl_ReleaseSSL3HandshakeLock(ss); - } - } while (ss->ssl3.hs.ws != idle_handshake && - !canFalseStart && - ss->gs.buf.len == 0); + } while (ss->ssl3.hs.ws != idle_handshake && ss->gs.buf.len == 0); ss->gs.readOffset = 0; ss->gs.writeOffset = ss->gs.buf.len; diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h index a800d56..0658d2c 100644 --- a/net/third_party/nss/ssl/sslimpl.h +++ b/net/third_party/nss/ssl/sslimpl.h @@ -338,7 +338,6 @@ typedef struct sslOptionsStr { unsigned int enableDeflate : 1; /* 19 */ unsigned int enableRenegotiation : 2; /* 20-21 */ unsigned int requireSafeNegotiation : 1; /* 22 */ - unsigned int enableFalseStart : 1; /* 23 */ } sslOptions; typedef enum { sslHandshakingUndetermined = 0, @@ -1267,8 +1266,6 @@ extern void ssl_SetAlwaysBlock(sslSocket *ss); extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled); -extern PRBool ssl3_CanFalseStart(sslSocket *ss); - #define SSL_LOCK_READER(ss) if (ss->recvLock) PZ_Lock(ss->recvLock) #define SSL_UNLOCK_READER(ss) if (ss->recvLock) PZ_Unlock(ss->recvLock) #define SSL_LOCK_WRITER(ss) if (ss->sendLock) PZ_Lock(ss->sendLock) diff --git a/net/third_party/nss/ssl/sslsecur.c b/net/third_party/nss/ssl/sslsecur.c index a8184478..80c2ba6 100644 --- a/net/third_party/nss/ssl/sslsecur.c +++ b/net/third_party/nss/ssl/sslsecur.c @@ -148,12 +148,6 @@ ssl_Do1stHandshake(sslSocket *ss) ss->gs.readOffset = 0; break; } - if (ss->version >= SSL_LIBRARY_VERSION_3_0 && - (ss->ssl3.hs.ws == wait_change_cipher || - ss->ssl3.hs.ws == wait_new_session_ticket) && - ssl3_CanFalseStart(ss)) { - break; - } rv = (*ss->handshake)(ss); ++loopCount; /* This code must continue to loop on SECWouldBlock, diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c index c4611a0..722fe60 100644 --- a/net/third_party/nss/ssl/sslsock.c +++ b/net/third_party/nss/ssl/sslsock.c @@ -184,7 +184,6 @@ static sslOptions ssl_defaults = { PR_FALSE, /* enableDeflate */ 2, /* enableRenegotiation (default: requires extension) */ PR_FALSE, /* requireSafeNegotiation */ - PR_FALSE, /* enableFalseStart */ }; sslSessionIDLookupFunc ssl_sid_lookup; @@ -734,10 +733,6 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) ss->opt.requireSafeNegotiation = on; break; - case SSL_ENABLE_FALSE_START: - ss->opt.enableFalseStart = on; - break; - default: PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; @@ -801,7 +796,6 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) on = ss->opt.enableRenegotiation; break; case SSL_REQUIRE_SAFE_NEGOTIATION: on = ss->opt.requireSafeNegotiation; break; - case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); @@ -852,7 +846,6 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) case SSL_REQUIRE_SAFE_NEGOTIATION: on = ssl_defaults.requireSafeNegotiation; break; - case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); @@ -996,10 +989,6 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) ssl_defaults.requireSafeNegotiation = on; break; - case SSL_ENABLE_FALSE_START: - ssl_defaults.enableFalseStart = on; - break; - default: PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; |