authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-18 02:32:16 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-18 02:32:16 +0000
commit73343a3cfd3051abe006533661d0807426e8ce25 (patch)
tree56e8f856af836a213317076f8c13bb80b520b541 /net/third_party
parent06cf4602dff3f23931f8652638249362e4fae878 (diff)
Send only one byte of data in the first CBC encrypted application data
record. This randomizes the IV in a backward compatible manner. R=agl@chromium.org BUG=87159 TEST=HTTPS sites continue to work. Review URL: http://codereview.chromium.org/7621002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@97269 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/third_party')
-rw-r--r--net/third_party/nss/README.chromium6
-rwxr-xr-xnet/third_party/nss/patches/applypatches.sh2
-rw-r--r--net/third_party/nss/patches/cbcrandomiv.patch59
-rw-r--r--net/third_party/nss/ssl/ssl3con.c31
4 files changed, 97 insertions, 1 deletions
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index 0e7206c..1c6f604 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -51,6 +51,12 @@ Patches:
previous session.
patches/didhandshakeresume.patch
+ * Start each set of CBC encrypted application data records, resulting from
+ a single call to ssl3_SendApplicationData, with a one-byte application
+ data record in order to randomize the IV in a backward compatible manner.
+ https://bugzilla.mozilla.org/show_bug.cgi?id=665814
+ patches/cbcrandomiv.patch
+
* Support origin bound certificates.
http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.txt
patches/origin_bound_certs.patch
diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh
index 3bf1561..d39e441 100755
--- a/net/third_party/nss/patches/applypatches.sh
+++ b/net/third_party/nss/patches/applypatches.sh
@@ -23,6 +23,8 @@ patch -p6 < $patches_dir/cachedinfo.patch
patch -p6 < $patches_dir/didhandshakeresume.patch
+patch -p5 < $patches_dir/cbcrandomiv.patch
+
patch -p6 < $patches_dir/origin_bound_certs.patch
patch -p6 < $patches_dir/secret_exporter.patch
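Review bot: The new line uses `-p5` while its neighbours use `-p6`, and nothing in the script says why. The headers inside cbcrandomiv.patch start at `mozilla/security/nss/lib/ssl/ssl3con.c` with no extra leading path component, which presumably accounts for the different strip level. A comment such as `# cvs diff output, one path component fewer than the other patches, hence -p5` would keep a later maintainer from "correcting" it and leaving the CBC IV change unapplied when the NSS copy is next refreshed.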
diff --git a/net/third_party/nss/patches/cbcrandomiv.patch b/net/third_party/nss/patches/cbcrandomiv.patch
new file mode 100644
index 0000000..16f2609
--- /dev/null
+++ b/net/third_party/nss/patches/cbcrandomiv.patch
@@ -0,0 +1,59 @@
+Index: mozilla/security/nss/lib/ssl/ssl3con.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v
+retrieving revision 1.142.2.5
+diff -u -p -u -r1.142.2.5 ssl3con.c
+--- mozilla/security/nss/lib/ssl/ssl3con.c 25 Jan 2011 01:49:22 -0000 1.142.2.5
++++ mozilla/security/nss/lib/ssl/ssl3con.c 11 Aug 2011 02:15:58 -0000
+@@ -2315,6 +2315,8 @@ ssl3_SendApplicationData(sslSocket *ss,
+ {
+ PRInt32 totalSent = 0;
+ PRInt32 discarded = 0;
++ PRBool isBlockCipher;
++ int recordIndex;
+
+ PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+ if (len < 0 || !in) {
+@@ -2339,7 +2341,12 @@ ssl3_SendApplicationData(sslSocket *ss,
+ len--;
+ discarded = 1;
+ }
+- while (len > totalSent) {
++
++ ssl_GetSpecReadLock(ss);
++ isBlockCipher = ss->ssl3.cwSpec->cipher_def->type == type_block;
++ ssl_ReleaseSpecReadLock(ss);
++
++ for (recordIndex = 0; len > totalSent; recordIndex++) {
+ PRInt32 sent, toSend;
+
+ if (totalSent > 0) {
+@@ -2354,6 +2361,28 @@ ssl3_SendApplicationData(sslSocket *ss,
+ ssl_GetXmitBufLock(ss);
+ }
+ toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH);
++ if (isBlockCipher &&
++ ss->ssl3.cwSpec->version <= SSL_LIBRARY_VERSION_3_1_TLS) {
++ /*
++ * We assume that block ciphers are used in CBC mode and send
++ * only one byte in the first record. This effectively
++ * randomizes the IV in a backward compatible way.
++ *
++ * We get back to the MAX_FRAGMENT_LENGTH record boundary in
++ * the second record. So for a large amount of data, we send
++ * 1
++ * MAX_FRAGMENT_LENGTH - 1
++ * MAX_FRAGMENT_LENGTH
++ * MAX_FRAGMENT_LENGTH
++ * ...
++ */
++ if (recordIndex == 0) {
++ toSend = 1;
++ } else if (recordIndex == 1 &&
++ len - totalSent > MAX_FRAGMENT_LENGTH) {
++ toSend--;
++ }
++ }
+ sent = ssl3_SendRecord(ss, content_application_data,
+ in + totalSent, toSend, flags);
+ if (sent < 0) {
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 65bd6ae..48459c7a 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -2321,6 +2321,8 @@ ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
{
PRInt32 totalSent = 0;
PRInt32 discarded = 0;
+ PRBool isBlockCipher;
+ int recordIndex;
PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
if (len < 0 || !in) {
@@ -2345,7 +2347,12 @@ ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
len--;
discarded = 1;
}
- while (len > totalSent) {
+
+ ssl_GetSpecReadLock(ss);
+ isBlockCipher = ss->ssl3.cwSpec->cipher_def->type == type_block;
+ ssl_ReleaseSpecReadLock(ss);
+
+ for (recordIndex = 0; len > totalSent; recordIndex++) {
PRInt32 sent, toSend;
if (totalSent > 0) {
@@ -2360,6 +2367,28 @@ ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
ssl_GetXmitBufLock(ss);
}
toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH);
+ if (isBlockCipher &&
+ ss->ssl3.cwSpec->version <= SSL_LIBRARY_VERSION_3_1_TLS) {
+ /*
+ * We assume that block ciphers are used in CBC mode and send
+ * only one byte in the first record. This effectively
+ * randomizes the IV in a backward compatible way.
+ *
+ * We get back to the MAX_FRAGMENT_LENGTH record boundary in
+ * the second record. So for a large amount of data, we send
+ * 1
+ * MAX_FRAGMENT_LENGTH - 1
+ * MAX_FRAGMENT_LENGTH
+ * MAX_FRAGMENT_LENGTH
+ * ...
+ */
+ if (recordIndex == 0) {
+ toSend = 1;
+ } else if (recordIndex == 1 &&
+ len - totalSent > MAX_FRAGMENT_LENGTH) {
+ toSend--;
+ }
+ }
sent = ssl3_SendRecord(ss, content_application_data,
in + totalSent, toSend, flags);
if (sent < 0) {
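Review bot: The version test `ss->ssl3.cwSpec->version <= SSL_LIBRARY_VERSION_3_1_TLS` dereferences `cwSpec` without the spec read lock, although the cipher type from the same structure is read between `ssl_GetSpecReadLock` and `ssl_ReleaseSpecReadLock` just before the loop. This check decides whether the IV-randomizing one-byte record is sent, so both fields are better sampled together under that lock into one flag, for example `splitFirst = ss->ssl3.cwSpec->cipher_def->type == type_block && ss->ssl3.cwSpec->version <= SSL_LIBRARY_VERSION_3_1_TLS;`, with the loop testing only the flag. Whether the unlocked read is actually unsafe depends on which locks the caller holds, which is not visible here because the function starts and ends outside the hunk. The same lines are embedded in patches/cbcrandomiv.patch, so that file would need regenerating with any change.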