net: Precede each CBC encrypted application data record with an empty one.

net/third_party/nss/ssl/ssl3con.c

 /*
  * SSL3 Protocol
  *
  * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
@@ skipping 2211 matching lines @@
             return SECFailure;  /* ssl3_InitState has set the error code. */
         }
     }
 
     /* check for Token Presence */
     if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
         PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
         return SECFailure;
     }
 
-    while (nIn > 0) {
+    do {
         PRUint32  contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH);
 
         if (wrBuf->space < contentLen + SSL3_BUFFER_FUDGE) {
             PRInt32 newSpace = PR_MAX(wrBuf->space * 2, contentLen);
             newSpace = PR_MIN(newSpace, MAX_FRAGMENT_LENGTH);
             newSpace += SSL3_BUFFER_FUDGE;
             rv = sslBuffer_Grow(wrBuf, newSpace);
             if (rv != SECSuccess) {
                 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
                          SSL_GETPID(), ss->fd, newSpace));
@@ skipping 56 matching lines @@
                  * append it to the buffer of previously unsent ciphertext.
                  */
                 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len);
                 if (rv != SECSuccess) {
                     /* presumably a memory error, SEC_ERROR_NO_MEMORY */
                     return SECFailure;
                 }
             }
         }
         totalSent += contentLen;
-    }
+    } while (nIn > 0);
     return totalSent;
 }
 
 #define SSL3_PENDING_HIGH_WATER 1024
 
 /* Attempt to send the content of "in" in an SSL application_data record.
  * Returns "len" or SECFailure,   never SECWouldBlock, nor SECSuccess.
  */
 int
 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
                          PRInt32 len, PRInt32 flags)
 {
     PRInt32   totalSent = 0;
     PRInt32   discarded = 0;
+    PRBool    isBlockCipher;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
     if (len < 0 || !in) {
         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
         return SECFailure;
     }
 
     if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER &&
         !ssl_SocketIsBlocking(ss)) {
         PORT_Assert(!ssl_SocketIsBlocking(ss));
         PORT_SetError(PR_WOULD_BLOCK_ERROR);
         return SECFailure;
     }
 
     if (ss->appDataBuffered && len) {
         PORT_Assert (in[0] == (unsigned char)(ss->appDataBuffered));
         if (in[0] != (unsigned char)(ss->appDataBuffered)) {
             PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
             return SECFailure;
         }
         in++;
         len--;
         discarded = 1;
     }
+
+    ssl_GetSpecReadLock(ss);
+    isBlockCipher = ss->ssl3.cwSpec->cipher_def->type == type_block;
+    ssl_ReleaseSpecReadLock(ss);
+
+    if (isBlockCipher && len > 0) {
+        // We assume that block ciphers are used in CBC mode and prepend an
+        // empty record. This effectively randomizes the IV in a backwards
+        // compatible way.
+        PRInt32 sent = ssl3_SendRecord(ss, content_application_data,
+                                       in, 0 /* no payload */, flags);
+        if (sent < 0) {
+            return SECFailure; /* error code set by ssl3_SendRecord */
+        }
+        if (ss->pendingBuf.len) {
+            /* must be a non-blocking socket */
+            PORT_Assert(!ssl_SocketIsBlocking(ss));
+            PORT_Assert(ss->lastWriteBlocked);
+            goto writeBlocked;
+        }

[wtc, 2011/06/27 18:11:55]

I suspect what you described will indeed happen if we
simply fall into the while loop below.  But I think it's
better to deal with the if (ss->pendingBuf.len) condition
explicitly; at least it would help me convince myself the
new code is correct.

Because of your comment, I found that given totalSent = 0,
we can simplify it to avoid the goto statement:

        if (ss->pendingBuf.len) {
            /* must be a non-blocking socket */
            PORT_Assert(!ssl_SocketIsBlocking(ss));
            PORT_Assert(ss->lastWriteBlocked);
            PORT_SetError(PR_WOULD_BLOCK_ERROR);
            return SECFailure;
        }

[agl, 2011/06/27 19:05:30]

Done.

+    }
+
     while (len > totalSent) {
         PRInt32   sent, toSend;
 
         if (totalSent > 0) {
             /*
              * The thread yield is intended to give the reader thread a
              * chance to get some cycles while the writer thread is in
              * the middle of a large application data write.  (See
              * Bugzilla bug 127740, comment #1.)
              */
@@ skipping 12 matching lines @@
             return SECFailure; /* error code set by ssl3_SendRecord */
         }
         totalSent += sent;
         if (ss->pendingBuf.len) {
             /* must be a non-blocking socket */
             PORT_Assert(!ssl_SocketIsBlocking(ss));
             PORT_Assert(ss->lastWriteBlocked);
             break;      
         }
     }
+
+  writeBlocked:

[wtc, 2011/06/27 18:11:55]

Nit: labels are not indented in the NSS source code.

[agl, 2011/06/27 19:05:30]

(mooted: line removed.)

     if (ss->pendingBuf.len) {
         /* Must be non-blocking. */
         PORT_Assert(!ssl_SocketIsBlocking(ss));
         if (totalSent > 0) {
             ss->appDataBuffered = 0x100 | in[totalSent - 1];
         }
 
         totalSent = totalSent + discarded - 1;
         if (totalSent <= 0) {
             PORT_SetError(PR_WOULD_BLOCK_ERROR);
@@ skipping 7458 matching lines @@
 
     ss->ssl3.initialized = PR_FALSE;
 
     if (ss->ssl3.nextProto.data) {
         PORT_Free(ss->ssl3.nextProto.data);
         ss->ssl3.nextProto.data = NULL;
     }
 }
 
 /* End of ssl3con.c */