- add sources.

[platform/framework/web/crosswalk.git] / src / net / third_party / nss / patches / canfalsestart.patch

Index: net/third_party/nss/ssl/ssl.h
===================================================================
--- net/third_party/nss/ssl/ssl.h       (revision 227363)
+++ net/third_party/nss/ssl/ssl.h       (working copy)
@@ -121,14 +121,22 @@
 #define SSL_ENABLE_FALSE_START         22 /* Enable SSL false start (off by */
                                           /* default, applies only to       */
                                           /* clients). False start is a     */
-/* mode where an SSL client will start sending application data before      */
-/* verifying the server's Finished message. This means that we could end up */
-/* sending data to an imposter. However, the data will be encrypted and     */
-/* only the true server can derive the session key. Thus, so long as the    */
-/* cipher isn't broken this is safe. Because of this, False Start will only */
-/* occur on RSA or DH ciphersuites where the cipher's key length is >= 80   */
-/* bits. The advantage of False Start is that it saves a round trip for     */
-/* client-speaks-first protocols when performing a full handshake.          */
+/* mode where an SSL client will start sending application data before
+ * verifying the server's Finished message. This means that we could end up
+ * sending data to an imposter. However, the data will be encrypted and
+ * only the true server can derive the session key. Thus, so long as the
+ * cipher isn't broken this is safe. The advantage of false start is that
+ * it saves a round trip for client-speaks-first protocols when performing a
+ * full handshake.
+ *
+ * See SSL_DefaultCanFalseStart for the default criteria that NSS uses to
+ * determine whether to false start or not. See SSL_SetCanFalseStartCallback
+ * for how to change that criteria. In addition to those criteria, false start
+ * will only be done when the server selects a cipher suite with an effective
+ * key length of 80 bits or more (including RC4-128). Also, see
+ * SSL_HandshakeCallback for a description on how false start affects when the
+ * handshake callback gets called.
+ */
 
 /* For SSL 3.0 and TLS 1.0, by default we prevent chosen plaintext attacks
  * on SSL CBC mode cipher suites (see RFC 4346 Section F.3) by splitting
@@ -741,14 +749,59 @@
 SSL_IMPORT SECStatus SSL_InheritMPServerSIDCache(const char * envString);
 
 /*
-** Set the callback on a particular socket that gets called when we finish
-** performing a handshake.
+** Set the callback that normally gets called when the TLS handshake
+** is complete. If false start is not enabled, then the handshake callback is
+** called after verifying the peer's Finished message and before sending
+** outgoing application data and before processing incoming application data.
+**
+** If false start is enabled and there is a custom CanFalseStartCallback
+** callback set, then the handshake callback gets called after the peer's
+** Finished message has been verified, which may be after application data is
+** sent.
+**
+** If false start is enabled and there is not a custom CanFalseStartCallback
+** callback established with SSL_SetCanFalseStartCallback then the handshake
+** callback gets called before any application data is sent, which may be
+** before the peer's Finished message has been verified.
 */
 typedef void (PR_CALLBACK *SSLHandshakeCallback)(PRFileDesc *fd,
                                                  void *client_data);
 SSL_IMPORT SECStatus SSL_HandshakeCallback(PRFileDesc *fd, 
                                  SSLHandshakeCallback cb, void *client_data);
 
+/* Applications that wish to customize TLS false start should set this callback
+** function. NSS will invoke the functon to determine if a particular
+** connection should use false start or not. SECSuccess indicates that the
+** callback completed successfully, and if so *canFalseStart indicates if false
+** start can be used. If the callback does not return SECSuccess then the
+** handshake will be canceled.
+**
+** Applications that do not set the callback will use an internal set of
+** criteria to determine if the connection should false start. If
+** the callback is set false start will never be used without invoking the
+** callback function, but some connections (e.g. resumed connections) will
+** never use false start and therefore will not invoke the callback.
+**
+** NSS's internal criteria for this connection can be evaluated by calling
+** SSL_DefaultCanFalseStart() from the custom callback.
+**
+** See the description of SSL_HandshakeCallback for important information on
+** how registering a custom false start callback affects when the handshake
+** callback gets called.
+**/
+typedef SECStatus (PR_CALLBACK *SSLCanFalseStartCallback)(
+    PRFileDesc *fd, void *arg, PRBool *canFalseStart);
+
+SSL_IMPORT SECStatus SSL_SetCanFalseStartCallback(
+    PRFileDesc *fd, SSLCanFalseStartCallback callback, void *arg);
+
+/* A utility function that can be called from a custom CanFalseStartCallback
+** function to determine what NSS would have done for this connection if the
+** custom callback was not implemented.
+**/
+SSL_IMPORT SECStatus SSL_DefaultCanFalseStart(PRFileDesc *fd,
+                                              PRBool *canFalseStart);
+
 /*
 ** For the server, request a new handshake.  For the client, begin a new
 ** handshake.  If flushCache is non-zero, the SSL3 cache entry will be 
Index: net/third_party/nss/ssl/ssl3gthr.c
===================================================================
--- net/third_party/nss/ssl/ssl3gthr.c  (revision 227363)
+++ net/third_party/nss/ssl/ssl3gthr.c  (working copy)
@@ -374,9 +374,7 @@
         */
        if (ss->opt.enableFalseStart) {
            ssl_GetSSL3HandshakeLock(ss);
-           canFalseStart = (ss->ssl3.hs.ws == wait_change_cipher ||
-                            ss->ssl3.hs.ws == wait_new_session_ticket) &&
-                           ssl3_CanFalseStart(ss);
+           canFalseStart = ss->ssl3.hs.canFalseStart;
            ssl_ReleaseSSL3HandshakeLock(ss);
        }
     } while (ss->ssl3.hs.ws != idle_handshake &&
Index: net/third_party/nss/ssl/sslinfo.c
===================================================================
--- net/third_party/nss/ssl/sslinfo.c   (revision 227363)
+++ net/third_party/nss/ssl/sslinfo.c   (working copy)
@@ -26,7 +26,6 @@
     sslSocket *      ss;
     SSLChannelInfo   inf;
     sslSessionID *   sid;
-    PRBool           enoughFirstHsDone = PR_FALSE;
 
     if (!info || len < sizeof inf.length) { 
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -43,14 +42,7 @@
     memset(&inf, 0, sizeof inf);
     inf.length = PR_MIN(sizeof inf, len);
 
-    if (ss->firstHsDone) {
-       enoughFirstHsDone = PR_TRUE;
-    } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
-              ssl3_CanFalseStart(ss)) {
-       enoughFirstHsDone = PR_TRUE;
-    }
-
-    if (ss->opt.useSecurity && enoughFirstHsDone) {
+    if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
         sid = ss->sec.ci.sid;
        inf.protocolVersion  = ss->version;
        inf.authKeyBits      = ss->sec.authKeyBits;
Index: net/third_party/nss/ssl/sslauth.c
===================================================================
--- net/third_party/nss/ssl/sslauth.c   (revision 227363)
+++ net/third_party/nss/ssl/sslauth.c   (working copy)
@@ -100,7 +100,6 @@
     sslSocket *ss;
     const char *cipherName;
     PRBool isDes = PR_FALSE;
-    PRBool enoughFirstHsDone = PR_FALSE;
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
@@ -118,14 +117,7 @@
        *op = SSL_SECURITY_STATUS_OFF;
     }
 
-    if (ss->firstHsDone) {
-       enoughFirstHsDone = PR_TRUE;
-    } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
-              ssl3_CanFalseStart(ss)) {
-       enoughFirstHsDone = PR_TRUE;
-    }
-
-    if (ss->opt.useSecurity && enoughFirstHsDone) {
+    if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
        if (ss->version < SSL_LIBRARY_VERSION_3_0) {
            cipherName = ssl_cipherName[ss->sec.cipherType];
        } else {
Index: net/third_party/nss/ssl/sslimpl.h
===================================================================
--- net/third_party/nss/ssl/sslimpl.h   (revision 227363)
+++ net/third_party/nss/ssl/sslimpl.h   (working copy)
@@ -881,6 +881,8 @@
     /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
     PRBool                cacheSID;
 
+    PRBool                canFalseStart;   /* Can/did we False Start */
+
     /* clientSigAndHash contains the contents of the signature_algorithms
      * extension (if any) from the client. This is only valid for TLS 1.2
      * or later. */
@@ -1162,6 +1164,10 @@
     unsigned long    clientAuthRequested;
     unsigned long    delayDisabled;       /* Nagle delay disabled */
     unsigned long    firstHsDone;         /* first handshake is complete. */
+    unsigned long    enoughFirstHsDone;   /* enough of the first handshake is
+                                          * done for callbacks to be able to
+                                          * retrieve channel security
+                                          * parameters from the SSL socket. */
     unsigned long    handshakeBegun;     
     unsigned long    lastWriteBlocked;   
     unsigned long    recvdCloseNotify;    /* received SSL EOF. */
@@ -1210,6 +1216,8 @@
     void                     *badCertArg;
     SSLHandshakeCallback      handshakeCallback;
     void                     *handshakeCallbackData;
+    SSLCanFalseStartCallback  canFalseStartCallback;
+    void                     *canFalseStartCallbackData;
     void                     *pkcs11PinArg;
     SSLNextProtoCallback      nextProtoCallback;
     void                     *nextProtoArg;
@@ -1423,7 +1431,6 @@
 
 extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
 
-extern PRBool    ssl3_CanFalseStart(sslSocket *ss);
 extern SECStatus
 ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
                              PRBool             isServer,
Index: net/third_party/nss/ssl/sslsecur.c
===================================================================
--- net/third_party/nss/ssl/sslsecur.c  (revision 227363)
+++ net/third_party/nss/ssl/sslsecur.c  (working copy)
@@ -99,21 +99,12 @@
        if (ss->handshake == 0) {
            ssl_GetRecvBufLock(ss);
            ss->gs.recordLen = 0;
+           ss->gs.writeOffset = 0;
+           ss->gs.readOffset = 0;
            ssl_ReleaseRecvBufLock(ss);
 
            SSL_TRC(3, ("%d: SSL[%d]: handshake is completed",
                        SSL_GETPID(), ss->fd));
-            /* call handshake callback for ssl v2 */
-           /* for v3 this is done in ssl3_HandleFinished() */
-           if ((ss->handshakeCallback != NULL) && /* has callback */
-               (!ss->firstHsDone) &&              /* only first time */
-               (ss->version < SSL_LIBRARY_VERSION_3_0)) {  /* not ssl3 */
-               ss->firstHsDone     = PR_TRUE;
-               (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
-           }
-           ss->firstHsDone         = PR_TRUE;
-           ss->gs.writeOffset = 0;
-           ss->gs.readOffset  = 0;
            break;
        }
        rv = (*ss->handshake)(ss);
@@ -206,6 +197,7 @@
     ssl_Get1stHandshakeLock(ss);
 
     ss->firstHsDone = PR_FALSE;
+    ss->enoughFirstHsDone = PR_FALSE;
     if ( asServer ) {
        ss->handshake = ssl2_BeginServerHandshake;
        ss->handshaking = sslHandshakingAsServer;
@@ -221,6 +213,8 @@
     ssl_ReleaseRecvBufLock(ss);
 
     ssl_GetSSL3HandshakeLock(ss);
+    ss->ssl3.hs.canFalseStart = PR_FALSE;
+    ss->ssl3.hs.restartTarget = NULL;
 
     /*
     ** Blow away old security state and get a fresh setup.
@@ -266,7 +260,7 @@
 
     /* SSL v2 protocol does not support subsequent handshakes. */
     if (ss->version < SSL_LIBRARY_VERSION_3_0) {
-       PORT_SetError(SEC_ERROR_INVALID_ARGS);
+       PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
        rv = SECFailure;
     } else {
        ssl_GetSSL3HandshakeLock(ss);
@@ -331,6 +325,75 @@
     return SECSuccess;
 }
 
+/* Register an application callback to be called when false start may happen.
+** Acquires and releases HandshakeLock.
+*/
+SECStatus
+SSL_SetCanFalseStartCallback(PRFileDesc *fd, SSLCanFalseStartCallback cb,
+                            void *client_data)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCanFalseStartCallback",
+                SSL_GETPID(), fd));
+       return SECFailure;
+    }
+
+    if (!ss->opt.useSecurity) {
+       PORT_SetError(SEC_ERROR_INVALID_ARGS);
+       return SECFailure;
+    }
+
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    ss->canFalseStartCallback     = cb;
+    ss->canFalseStartCallbackData = client_data;
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    ssl_Release1stHandshakeLock(ss);
+
+    return SECSuccess;
+}
+
+/* A utility function that can be called from a custom SSLCanFalseStartCallback
+** function to determine what NSS would have done for this connection if the
+** custom callback was not implemented.
+*/
+SECStatus
+SSL_DefaultCanFalseStart(PRFileDesc *fd, PRBool *canFalseStart)
+{
+    sslSocket *ss;
+
+    *canFalseStart = PR_FALSE;
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DefaultCanFalseStart",
+                SSL_GETPID(), fd));
+       return SECFailure;
+    }
+
+    if (!ss->ssl3.initialized) {
+       PORT_SetError(SEC_ERROR_INVALID_ARGS);
+       return SECFailure;
+    }
+
+    if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+       PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+       return SECFailure;
+    }
+
+    /* Require a forward-secret key exchange. */
+    *canFalseStart = ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
+                    ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
+                    ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
+                    ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa;
+
+    return SECSuccess;
+}
+
 /* Try to make progress on an SSL handshake by attempting to read the 
 ** next handshake from the peer, and sending any responses.
 ** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK  if it cannot 
@@ -1195,12 +1258,7 @@
        ssl_Get1stHandshakeLock(ss);
        if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
            ssl_GetSSL3HandshakeLock(ss);
-           if ((ss->ssl3.hs.ws == wait_change_cipher ||
-               ss->ssl3.hs.ws == wait_finished ||
-               ss->ssl3.hs.ws == wait_new_session_ticket) &&
-               ssl3_CanFalseStart(ss)) {
-               canFalseStart = PR_TRUE;
-           }
+           canFalseStart = ss->ssl3.hs.canFalseStart;
            ssl_ReleaseSSL3HandshakeLock(ss);
        }
        if (!canFalseStart &&
Index: net/third_party/nss/ssl/sslsock.c
===================================================================
--- net/third_party/nss/ssl/sslsock.c   (revision 227363)
+++ net/third_party/nss/ssl/sslsock.c   (working copy)
@@ -2457,10 +2457,14 @@
            } else if (new_flags & PR_POLL_WRITE) {
                    /* The caller is trying to write, but the handshake is 
                    ** blocked waiting for data to read, and the first 
-                   ** handshake has been sent.  so do NOT to poll on write.
+                   ** handshake has been sent.  So do NOT to poll on write
+                   ** unless we did false start.
                    */
-                   new_flags ^=  PR_POLL_WRITE;   /* don't select on write. */
-                   new_flags |=  PR_POLL_READ;    /* do    select on read. */
+                   if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 &&
+                       ss->ssl3.hs.canFalseStart)) {
+                       new_flags ^= PR_POLL_WRITE; /* don't select on write. */
+                   }
+                   new_flags |= PR_POLL_READ;      /* do    select on read. */
            }
        }
     } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
Index: net/third_party/nss/ssl/ssl3con.c
===================================================================
--- net/third_party/nss/ssl/ssl3con.c   (revision 227363)
+++ net/third_party/nss/ssl/ssl3con.c   (working copy)
@@ -2890,7 +2890,7 @@
     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
                SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
                nIn));
-    PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
+    PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
@@ -7344,35 +7344,42 @@
     return rv;
 }
 
-PRBool
-ssl3_CanFalseStart(sslSocket *ss) {
-    PRBool rv;
+static SECStatus
+ssl3_CheckFalseStart(sslSocket *ss)
+{
+    SECStatus rv;
+    PRBool maybeFalseStart = PR_TRUE;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( !ss->ssl3.hs.authCertificatePending );
 
-    /* XXX: does not take into account whether we are waiting for
-     * SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when
-     * that is done, this function could return different results each time it
-     * would be called.
-     */
+    /* An attacker can control the selected ciphersuite so we only wish to
+     * do False Start in the case that the selected ciphersuite is
+     * sufficiently strong that the attack can gain no advantage.
+     * Therefore we always require an 80-bit cipher. */
 
     ssl_GetSpecReadLock(ss);
-    rv = ss->opt.enableFalseStart &&
-        !ss->sec.isServer &&
-        !ss->ssl3.hs.isResuming &&
-        ss->ssl3.cwSpec &&
+    if (ss->ssl3.cwSpec->cipher_def->secret_key_size < 10) {
+       ss->ssl3.hs.canFalseStart = PR_FALSE;
+       maybeFalseStart = PR_FALSE;
+    }
+    ssl_ReleaseSpecReadLock(ss);
+    if (!maybeFalseStart) {
+       return SECSuccess;
+    }
 
-        /* An attacker can control the selected ciphersuite so we only wish to
-         * do False Start in the case that the selected ciphersuite is
-         * sufficiently strong that the attack can gain no advantage.
-         * Therefore we require an 80-bit cipher and a forward-secret key
-         * exchange. */
-        ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
-       (ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
-        ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
-        ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
-        ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
-    ssl_ReleaseSpecReadLock(ss);
+    if (!ss->canFalseStartCallback) {
+       rv = SSL_DefaultCanFalseStart(ss->fd, &ss->ssl3.hs.canFalseStart);
+    } else {
+       rv = (ss->canFalseStartCallback)(ss->fd,
+                                        ss->canFalseStartCallbackData,
+                                        &ss->ssl3.hs.canFalseStart);
+    }
+
+    if (rv != SECSuccess) {
+       ss->ssl3.hs.canFalseStart = PR_FALSE;
+    }
+
     return rv;
 }
 
@@ -7500,20 +7507,59 @@
        goto loser;     /* err code was set. */
     }
 
-    /* XXX: If the server's certificate hasn't been authenticated by this
-     * point, then we may be leaking this NPN message to an attacker.
+    /* This must be done after we've set ss->ssl3.cwSpec in
+     * ssl3_SendChangeCipherSpecs because SSL_GetChannelInfo uses information
+     * from cwSpec. This must be done before we call ssl3_CheckFalseStart
+     * because the false start callback (if any) may need the information from
+     * the functions that depend on this being set.
      */
+    ss->enoughFirstHsDone = PR_TRUE;
+
     if (!ss->firstHsDone) {
+       /* XXX: If the server's certificate hasn't been authenticated by this
+        * point, then we may be leaking this NPN message to an attacker.
+        */
        rv = ssl3_SendNextProto(ss);
        if (rv != SECSuccess) {
            goto loser; /* err code was set. */
        }
     }
+
     rv = ssl3_SendEncryptedExtensions(ss);
     if (rv != SECSuccess) {
        goto loser; /* err code was set. */
     }
 
+    if (!ss->firstHsDone) {
+       if (ss->opt.enableFalseStart) {
+           if (!ss->ssl3.hs.authCertificatePending) {
+               /* When we fix bug 589047, we will need to know whether we are
+                * false starting before we try to flush the client second
+                * round to the network. With that in mind, we purposefully
+                * call ssl3_CheckFalseStart before calling ssl3_SendFinished,
+                * which includes a call to ssl3_FlushHandshake, so that
+                * no application develops a reliance on such flushing being
+                 * done before its false start callback is called.
+                */
+               ssl_ReleaseXmitBufLock(ss);
+               rv = ssl3_CheckFalseStart(ss);
+               ssl_GetXmitBufLock(ss);
+               if (rv != SECSuccess) {
+                   goto loser;
+               }
+           } else {
+               /* The certificate authentication and the server's Finished
+                * message are racing each other. If the certificate
+                * authentication wins, then we will try to false start in
+                * ssl3_AuthCertificateComplete.
+                */
+               SSL_TRC(3, ("%d: SSL3[%p]: deferring false start check because"
+                           " certificate authentication is still pending.",
+                           SSL_GETPID(), ss->fd));
+           }
+       }
+    }
+
     rv = ssl3_SendFinished(ss, 0);
     if (rv != SECSuccess) {
        goto loser;     /* err code was set. */
@@ -7526,8 +7572,16 @@
     else
        ss->ssl3.hs.ws = wait_change_cipher;
 
-    /* Do the handshake callback for sslv3 here, if we can false start. */
-    if (ss->handshakeCallback != NULL && ssl3_CanFalseStart(ss)) {
+    if (ss->handshakeCallback &&
+       (ss->ssl3.hs.canFalseStart && !ss->canFalseStartCallback)) {
+       /* Call the handshake callback here for backwards compatibility with
+        * applications that were using false start before
+        * canFalseStartCallback was added. Note that we do this after calling
+        * ssl3_SendFinished, which includes a call to ssl3_FlushHandshake,
+        * just in case the application is relying on having the handshake
+        * messages flushed to the network before its handshake callback is
+        * called.
+        */
        (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
     }
 
@@ -10147,13 +10201,6 @@
 
            ss->ssl3.hs.authCertificatePending = PR_TRUE;
            rv = SECSuccess;
-
-           /* XXX: Async cert validation and False Start don't work together
-            * safely yet; if we leave False Start enabled, we may end up false
-            * starting (sending application data) before we
-            * SSL_AuthCertificateComplete has been called.
-            */
-           ss->opt.enableFalseStart = PR_FALSE;
        }
 
        if (rv != SECSuccess) {
@@ -10278,6 +10325,12 @@
     } else if (ss->ssl3.hs.restartTarget != NULL) {
        sslRestartTarget target = ss->ssl3.hs.restartTarget;
        ss->ssl3.hs.restartTarget = NULL;
+
+       if (target == ssl3_FinishHandshake) {
+           SSL_TRC(3,("%d: SSL3[%p]: certificate authentication lost the race"
+                      " with peer's finished message", SSL_GETPID(), ss->fd));
+       }
+
        rv = target(ss);
        /* Even if we blocked here, we have accomplished enough to claim
         * success. Any remaining work will be taken care of by subsequent
@@ -10287,7 +10340,39 @@
            rv = SECSuccess;
        }
     } else {
-       rv = SECSuccess;
+       SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race"
+                   " with peer's finished message", SSL_GETPID(), ss->fd));
+
+       PORT_Assert(!ss->firstHsDone);
+       PORT_Assert(!ss->sec.isServer);
+       PORT_Assert(!ss->ssl3.hs.isResuming);
+       PORT_Assert(ss->ssl3.hs.ws == wait_change_cipher ||
+                   ss->ssl3.hs.ws == wait_finished ||          
+                   ss->ssl3.hs.ws == wait_new_session_ticket);
+
+       /* ssl3_SendClientSecondRound deferred the false start check because
+        * certificate authentication was pending, so we have to do it now.
+        */
+       if (ss->opt.enableFalseStart &&
+           !ss->firstHsDone &&
+           !ss->sec.isServer &&
+           !ss->ssl3.hs.isResuming &&
+           (ss->ssl3.hs.ws == wait_change_cipher ||
+            ss->ssl3.hs.ws == wait_finished ||         
+            ss->ssl3.hs.ws == wait_new_session_ticket)) {
+           rv = ssl3_CheckFalseStart(ss);
+           if (rv == SECSuccess &&
+               ss->handshakeCallback &&
+               (ss->ssl3.hs.canFalseStart && !ss->canFalseStartCallback)) {
+               /* Call the handshake callback here for backwards compatibility
+                * with applications that were using false start before
+                * canFalseStartCallback was added.
+                */
+               (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+           }
+       } else {
+           rv = SECSuccess;
+       }
     }
 
 done:
@@ -10983,6 +11068,8 @@
 SECStatus
 ssl3_FinishHandshake(sslSocket * ss)
 {
+    PRBool falseStarted;
+
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     PORT_Assert( ss->ssl3.hs.restartTarget == NULL );
@@ -10990,6 +11077,7 @@
     /* The first handshake is now completed. */
     ss->handshake           = NULL;
     ss->firstHsDone         = PR_TRUE;
+    ss->enoughFirstHsDone   = PR_TRUE;
 
     if (ss->ssl3.hs.cacheSID) {
        (*ss->sec.cache)(ss->sec.ci.sid);
@@ -10997,9 +11085,14 @@
     }
 
     ss->ssl3.hs.ws = idle_handshake;
+    falseStarted = ss->ssl3.hs.canFalseStart;
+    ss->ssl3.hs.canFalseStart = PR_FALSE; /* False Start phase is complete */
 
-    /* Do the handshake callback for sslv3 here, if we cannot false start. */
-    if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) {
+    /* Call the handshake callback for sslv3 here, unless we called it already
+     * for the case where false start was done without a canFalseStartCallback.
+     */
+    if (ss->handshakeCallback &&
+       !(falseStarted && !ss->canFalseStartCallback)) {
        (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
     }