Rename cutthrough to False Start.

False Start is the name it's known by now. Deprecate the old API and expose new
ones with the new name.

Change-Id: I32d307027e178fd7d9c0069686cc046f75fdbf6f
Reviewed-on: https://boringssl-review.googlesource.com/3481
Reviewed-by: Adam Langley <agl@google.com>

7 files changed, 37 insertions, 24 deletions

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index b1b1b7fc..cabc56db 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -474,9 +474,14 @@ typedef struct timeval OPENSSL_timeval;
 /* Clear verification errors from queue */
 #define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR 0x10
 
-/* When set, clients may send application data before receipt of CCS and
- * Finished.  This mode enables full-handshakes to 'complete' in one RTT. */
-#define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000080L
+/* SSL_MODE_ENABLE_FALSE_START allows clients to send application data before
+ * receipt of CCS and Finished. This mode enables full-handshakes to 'complete'
+ * in one RTT. See draft-bmoeller-tls-falsestart-01. */
+#define SSL_MODE_ENABLE_FALSE_START 0x00000080L
+
+/* Deprecated: SSL_MODE_HANDSHAKE_CUTTHROUGH is the same as
+ * SSL_MODE_ENABLE_FALSE_START. */
+#define SSL_MODE_HANDSHAKE_CUTTHROUGH SSL_MODE_ENABLE_FALSE_START
 
 /* When set, TLS 1.0 and SSLv3, multi-byte, CBC records will be split in two:
  * the first record will contain a single byte and the second will contain the
@@ -1386,10 +1391,12 @@ extern "C" {
 #define SSL_in_connect_init(a) (SSL_state(a) & SSL_ST_CONNECT)
 #define SSL_in_accept_init(a) (SSL_state(a) & SSL_ST_ACCEPT)
 
-/* SSL_cutthrough_complete returns one if |s| has a pending unfinished handshake
- * that has completed cut-through. |SSL_write| may be called at this point
- * without waiting for the peer, but |SSL_read| will require the handshake
- * to be completed. */
+/* SSL_in_false_start returns one if |s| has a pending unfinished handshake that
+ * is in False Start. |SSL_write| may be called at this point without waiting
+ * for the peer, but |SSL_read| will require the handshake to be completed. */
+OPENSSL_EXPORT int SSL_in_false_start(const SSL *s);
+
+/* Deprecated: SSL_cutthrough_complete calls |SSL_in_false_start|. */
 OPENSSL_EXPORT int SSL_cutthrough_complete(const SSL *s);
 
 /* The following 2 states are kept in ssl->rstate when reads fail,
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index de3b96cf..ce53801d 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -485,9 +485,9 @@ typedef struct ssl3_state_st {
      * be updated. It is only needed for EAP-FAST, which we don't support. */
     uint8_t new_mac_secret_size;
 
-    /* Client-only: cutthrough_complete is one if there is a pending handshake,
-     * but cut-through is completed so the client may write data. */
-    char cutthrough_complete;
+    /* Client-only: in_false_start is one if there is a pending handshake in
+     * False Start. The client may write data at this point. */
+    char in_false_start;
   } tmp;
 
   /* Connection binding to prevent renegotiation attacks */
@@ -530,7 +530,7 @@ typedef struct ssl3_state_st {
 /* client */
 /* extra state */
 #define SSL3_ST_CW_FLUSH (0x100 | SSL_ST_CONNECT)
-#define SSL3_ST_CUTTHROUGH_COMPLETE (0x101 | SSL_ST_CONNECT)
+#define SSL3_ST_FALSE_START (0x101 | SSL_ST_CONNECT)
 /* write to server */
 #define SSL3_ST_CW_CLNT_HELLO_A (0x110 | SSL_ST_CONNECT)
 #define SSL3_ST_CW_CLNT_HELLO_B (0x111 | SSL_ST_CONNECT)
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index c6752ebe..c51ba6d5 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -450,12 +450,12 @@ int ssl3_connect(SSL *s) {
               goto end;
             }
           }
-          if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) &&
-              ssl3_can_cutthrough(s) &&
-              /* no cutthrough on renegotiation (would complicate the state
-               * machine) */
+          if ((SSL_get_mode(s) & SSL_MODE_ENABLE_FALSE_START) &&
+              ssl3_can_false_start(s) &&
+              /* No False Start on renegotiation (would complicate the state
+               * machine). */
               s->s3->previous_server_finished_len == 0) {
-            s->s3->tmp.next_state = SSL3_ST_CUTTHROUGH_COMPLETE;
+            s->s3->tmp.next_state = SSL3_ST_FALSE_START;
           } else {
             /* Allow NewSessionTicket if ticket expected */
             if (s->tlsext_ticket_expected) {
@@ -524,14 +524,14 @@ int ssl3_connect(SSL *s) {
         s->state = s->s3->tmp.next_state;
         break;
 
-      case SSL3_ST_CUTTHROUGH_COMPLETE:
+      case SSL3_ST_FALSE_START:
         /* Allow NewSessionTicket if ticket expected */
         if (s->tlsext_ticket_expected) {
           s->state = SSL3_ST_CR_SESSION_TICKET_A;
         } else {
           s->state = SSL3_ST_CR_CHANGE;
         }
-        s->s3->tmp.cutthrough_complete = 1;
+        s->s3->tmp.in_false_start = 1;
 
         ssl_free_wbio_buffer(s);
         ret = 1;
@@ -552,7 +552,7 @@ int ssl3_connect(SSL *s) {
         s->init_num = 0;
         s->renegotiate = 0;
         s->new_session = 0;
-        s->s3->tmp.cutthrough_complete = 0;
+        s->s3->tmp.in_false_start = 0;
 
         ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
         if (s->hit) {
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 57bb54be..52ab5c0a 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -427,7 +427,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) {
   tot = s->s3->wnum;
   s->s3->wnum = 0;
 
-  if (!s->in_handshake && SSL_in_init(s) && !SSL_cutthrough_complete(s)) {
+  if (!s->in_handshake && SSL_in_init(s) && !SSL_in_false_start(s)) {
     i = s->handshake_func(s);
     if (i < 0) {
       return i;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a4c94dc2..348e2a5d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2887,8 +2887,12 @@ int ssl_ctx_log_master_secret(SSL_CTX *ctx, const uint8_t *client_random,
   return ret;
 }
 
+int SSL_in_false_start(const SSL *s) {
+  return s->s3->tmp.in_false_start;
+}
+
 int SSL_cutthrough_complete(const SSL *s) {
-  return s->s3->tmp.cutthrough_complete;
+  return SSL_in_false_start(s);
 }
 
 void SSL_get_structure_sizes(size_t *ssl_size, size_t *ssl_ctx_size,
@@ -2898,7 +2902,7 @@ void SSL_get_structure_sizes(size_t *ssl_size, size_t *ssl_ctx_size,
   *ssl_session_size = sizeof(SSL_SESSION);
 }
 
-int ssl3_can_cutthrough(const SSL *s) {
+int ssl3_can_false_start(const SSL *s) {
   const SSL_CIPHER *c;
 
   /* require a strong enough cipher */
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 70195401..d63ddda5 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -974,7 +974,9 @@ int ssl_ctx_log_master_secret(SSL_CTX *ctx, const uint8_t *client_random,
                               size_t client_random_len, const uint8_t *master,
                               size_t master_len);
 
-int ssl3_can_cutthrough(const SSL *s);
+/* ssl3_can_false_start returns one if |s| is allowed to False Start and zero
+ * otherwise. */
+int ssl3_can_false_start(const SSL *s);
 
 /* ssl3_get_enc_method returns the SSL3_ENC_METHOD corresponding to
  * |version|. */
diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index 6ec3aff9..90d142a1 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@@ -415,7 +415,7 @@ static int DoExchange(ScopedSSL_SESSION *out_session, SSL_CTX *ssl_ctx,
                    SkipVerify);
   }
   if (config->false_start) {
-    SSL_set_mode(ssl.get(), SSL_MODE_HANDSHAKE_CUTTHROUGH);
+    SSL_set_mode(ssl.get(), SSL_MODE_ENABLE_FALSE_START);
   }
   if (config->cbc_record_splitting) {
     SSL_set_mode(ssl.get(), SSL_MODE_CBC_RECORD_SPLITTING);