Revert "net: Precede each CBC encrypted application data record with an empty one."

This reverts commit r91768.

BUG=91905
TEST=none


Review URL: http://codereview.chromium.org/7583036

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@95932 0039d316-1c4b-4281-b951-d872f2087c98

4 files changed, 2 insertions, 106 deletions

diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index 47f8d56..790bc61 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -51,11 +51,6 @@ Patches:
     previous session.
     patches/didhandshakeresume.patch
 
-  * Precede each set of CBC encrypted application data records, resulting from
-    a single call to ssl3_SendApplicationData, with an empty application data
-    record in order to randomize the IV in a backwards compatible manner.
-    patches/cbcrandomiv.patch
-
   * Support origin bound certificates.
     http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.txt
     patches/origin_bound_certs.patch
diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh
index a9ccf44..db9b423 100755
--- a/net/third_party/nss/patches/applypatches.sh
+++ b/net/third_party/nss/patches/applypatches.sh
@@ -23,8 +23,6 @@ patch -p6 < $patches_dir/cachedinfo.patch
 
 patch -p6 < $patches_dir/didhandshakeresume.patch
 
-patch -p6 < $patches_dir/cbcrandomiv.patch
-
 patch -p6 < $patches_dir/origin_bound_certs.patch
 
 patch -p6 < $patches_dir/secret_exporter.patch
diff --git a/net/third_party/nss/patches/cbcrandomiv.patch b/net/third_party/nss/patches/cbcrandomiv.patch
deleted file mode 100644
index 1edc04a..0000000
--- a/net/third_party/nss/patches/cbcrandomiv.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-commit 95cc0cf361c92681803e7ee5d4afe5e40673a4b8
-Author: Adam Langley <agl@chromium.org>
-Date:   Wed Jun 22 13:36:50 2011 -0400
-
-    cbcrandomiv.patch
-
-diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
-index f7064ef..c39b8f8 100644
---- a/mozilla/security/nss/lib/ssl/ssl3con.c
-+++ b/mozilla/security/nss/lib/ssl/ssl3con.c
-@@ -2229,7 +2229,7 @@ ssl3_SendRecord(   sslSocket *        ss,
- 	return SECFailure;
-     }
- 
--    while (nIn > 0) {
-+    do {
- 	PRUint32  contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH);
- 
- 	if (wrBuf->space < contentLen + SSL3_BUFFER_FUDGE) {
-@@ -2306,7 +2306,7 @@ ssl3_SendRecord(   sslSocket *        ss,
- 	    }
- 	}
- 	totalSent += contentLen;
--    }
-+    } while (nIn > 0);
-     return totalSent;
- }
- 
-@@ -2321,6 +2321,7 @@ ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
- {
-     PRInt32   totalSent	= 0;
-     PRInt32   discarded = 0;
-+    PRBool    isBlockCipher;
- 
-     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
-     if (len < 0 || !in) {
-@@ -2345,6 +2346,28 @@ ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
- 	len--;
- 	discarded = 1;
-     }
-+
-+    ssl_GetSpecReadLock(ss);
-+    isBlockCipher = ss->ssl3.cwSpec->cipher_def->type == type_block;
-+    ssl_ReleaseSpecReadLock(ss);
-+
-+    if (isBlockCipher && len > 0) {
-+	// We assume that block ciphers are used in CBC mode and prepend an
-+	// empty record. This effectively randomizes the IV in a backwards
-+	// compatible way.
-+	PRInt32 sent = ssl3_SendRecord(ss, content_application_data,
-+				       in, 0 /* no payload */, flags);
-+	if (sent < 0) {
-+	    return SECFailure; /* error code set by ssl3_SendRecord */
-+	}
-+	if (ss->pendingBuf.len) {
-+	    /* must be a non-blocking socket */
-+	    PORT_Assert(!ssl_SocketIsBlocking(ss));
-+	    PORT_Assert(ss->lastWriteBlocked);
-+	    return SECFailure;
-+	}
-+    }
-+
-     while (len > totalSent) {
- 	PRInt32   sent, toSend;
- 
-@@ -2377,6 +2400,7 @@ ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
- 	    break;	
- 	}
-     }
-+
-     if (ss->pendingBuf.len) {
- 	/* Must be non-blocking. */
- 	PORT_Assert(!ssl_SocketIsBlocking(ss));
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index fd34b9f..3f3e7fd 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -2229,7 +2229,7 @@ ssl3_SendRecord(   sslSocket *        ss,
 	return SECFailure;
     }
 
-    do {
+    while (nIn > 0) {
 	PRUint32  contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH);
 
 	if (wrBuf->space < contentLen + SSL3_BUFFER_FUDGE) {
@@ -2306,7 +2306,7 @@ ssl3_SendRecord(   sslSocket *        ss,
 	    }
 	}
 	totalSent += contentLen;
-    } while (nIn > 0);
+    }
     return totalSent;
 }
 
@@ -2321,7 +2321,6 @@ ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
 {
     PRInt32   totalSent	= 0;
     PRInt32   discarded = 0;
-    PRBool    isBlockCipher;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
     if (len < 0 || !in) {
@@ -2346,28 +2345,6 @@ ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
 	len--;
 	discarded = 1;
     }
-
-    ssl_GetSpecReadLock(ss);
-    isBlockCipher = ss->ssl3.cwSpec->cipher_def->type == type_block;
-    ssl_ReleaseSpecReadLock(ss);
-
-    if (isBlockCipher && len > 0) {
-	// We assume that block ciphers are used in CBC mode and prepend an
-	// empty record. This effectively randomizes the IV in a backwards
-	// compatible way.
-	PRInt32 sent = ssl3_SendRecord(ss, content_application_data,
-				       in, 0 /* no payload */, flags);
-	if (sent < 0) {
-	    return SECFailure; /* error code set by ssl3_SendRecord */
-	}
-	if (ss->pendingBuf.len) {
-	    /* must be a non-blocking socket */
-	    PORT_Assert(!ssl_SocketIsBlocking(ss));
-	    PORT_Assert(ss->lastWriteBlocked);
-	    return SECFailure;
-	}
-    }
-
     while (len > totalSent) {
 	PRInt32   sent, toSend;
 
@@ -2400,7 +2377,6 @@ ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
 	    break;	
 	}
     }
-
     if (ss->pendingBuf.len) {
 	/* Must be non-blocking. */
 	PORT_Assert(!ssl_SocketIsBlocking(ss));