Split RC4-encrypted records.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /* $Id: ssl3con.c,v 1.192 2012/09/28 05:10:25 wtc%google.com Exp $ */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
@@ skipping 2170 matching lines @@
         (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
         isPresent = PR_FALSE;
     } 
     if (slot) {
         PK11_FreeSlot(slot);
     }
     return isPresent;
 }
 
 /* Caller must hold the spec read lock. */
+/* The function uses the three members of wrBuf as follows:
+ * - Reads wrBuf->buf and wrBuf->space. Note that it does not read wrBuf->len.
+ * - Writes data into the buffer that wrBuf->buf points to.
+ * - Sets wrBuf->len to the number of bytes written on successful return.
+ */
 SECStatus
 ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
                               PRBool             isServer,
                               PRBool             isDTLS,
                               PRBool             capRecordVersion,
                               SSL3ContentType    type,
                               const SSL3Opaque * pIn,
                               PRUint32           contentLen,
                               sslBuffer *        wrBuf)
 {
@@ skipping 125 matching lines @@
             p2Len);                            /* input and inputLen*/
         PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
         if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
             PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
             return SECFailure;
         }
         cipherBytes += cipherBytesPart2;
     }   
     PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
 
     wrBuf->len    = cipherBytes + headerLen;

[wtc, 2013/03/16 01:15:38]

Here ssl3_CompressMACEncryptRecord sets wrBuf->len to
cipherBytes + headerLen before returning SECSuccess.
This fact will be used by ssl3_SendRecord below to
calculate the RC4 keystream bytes consumed by encrypted
handshake records.

     wrBuf->buf[0] = type;
     if (isDTLS) {
         SSL3ProtocolVersion version;
 
         version = dtls_TLSVersionToDTLSVersion(cwSpec->version);
         wrBuf->buf[1] = MSB(version);
         wrBuf->buf[2] = LSB(version);
         wrBuf->buf[3] = (unsigned char)(cwSpec->write_seq_num.high >> 24);
         wrBuf->buf[4] = (unsigned char)(cwSpec->write_seq_num.high >> 16);
         wrBuf->buf[5] = (unsigned char)(cwSpec->write_seq_num.high >>  8);
@@ skipping 62 matching lines @@
     SECStatus                 rv;
     PRInt32                   totalSent   = 0;
     PRBool                    capRecordVersion;
 
     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
                 SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
                 nIn));
     PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( wrBuf->len == 0 );
 
     capRecordVersion = ((flags & ssl_SEND_FLAG_CAP_RECORD_VERSION) != 0);
 
     if (capRecordVersion) {
         /* ssl_SEND_FLAG_CAP_RECORD_VERSION can only be used with the
          * TLS initial ClientHello. */
         PORT_Assert(!IS_DTLS(ss));
         PORT_Assert(!ss->firstHsDone);
         PORT_Assert(type == content_handshake);
         PORT_Assert(ss->ssl3.hs.ws == wait_server_hello);
@@ skipping 13 matching lines @@
 
     /* check for Token Presence */
     if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
         PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
         return SECFailure;
     }
 
     while (nIn > 0) {
         PRUint32  contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH);
         unsigned int spaceNeeded;
-        unsigned int numRecords;
+        unsigned int numRecords = 1;
 
         ssl_GetSpecReadLock(ss);    /********************************/
 
         if (nIn > 1 && ss->opt.cbcRandomIV &&
             ss->ssl3.cwSpec->version < SSL_LIBRARY_VERSION_TLS_1_1 &&
             type == content_application_data &&
             ss->ssl3.cwSpec->cipher_def->type == type_block /* CBC mode */) {
             /* We will split the first byte of the record into its own record,
              * as explained in the documentation for SSL_CBC_RANDOM_IV in ssl.h
              */
             numRecords = 2;
-        } else {
-            numRecords = 1;
+        }

[agl, 2013/03/19 16:41:00]

This could be an else if to make it clear that the cases are mutually exclusive.

[wtc, 2013/03/22 01:33:29]

Done.

+        if (nIn > 1 && ss->opt.cbcRandomIV &&
+            type == content_application_data &&
+            ss->ssl3.cwSpec->cipher_def->calg == ssl_calg_rc4 &&
+            ss->ssl3.rc4EncryptedBytes < SSL3_BIASED_RC4_BYTES) {

[wtc, 2013/03/16 01:15:38]

Reminder to self: add a comment to explain how we are splitting
the application data.

+            PRInt32 inBytes = nIn;
+
+            numRecords = 0;
+
+            /* Count how many one-byte records are needed to exhaust the
+             * biased RC4 keystream bytes. */
+            while (inBytes > 0 &&
+                   ss->ssl3.rc4EncryptedBytes < SSL3_BIASED_RC4_BYTES) {
+                ss->ssl3.rc4EncryptedBytes += 1 + ss->ssl3.cwSpec->mac_size;

[wtc, 2013/03/16 01:15:38]

It is non-ideal that we are incrementing ss->ssl3.rc4EncryptedBytes
for application data records here and for handshake records
on lines 2552-2556 below. But this avoids repeating the
calculation.

Also, I am too lazy to come up with a branch-free way to
calculate numRecords.

+                inBytes--;
+                numRecords++;
+            }
+
+            /* Send any remaining bytes in one record. */
+            if (inBytes > 0) {
+                numRecords++;
+            }
         }
 
         spaceNeeded = contentLen + (numRecords * SSL3_BUFFER_FUDGE);
         if (ss->ssl3.cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
             ss->ssl3.cwSpec->cipher_def->type == type_block) {
             spaceNeeded += ss->ssl3.cwSpec->cipher_def->iv_size;
         }
         if (spaceNeeded > wrBuf->space) {
             rv = sslBuffer_Grow(wrBuf, spaceNeeded);

[Ryan Sleevi, 2013/03/19 17:24:28]

so sslBuffer_Grow caps the growth at MAX_FRAGMENT_LENGTH + 2048 , or 18K.

Have you checked with an SSL write of 12-16K? At 256 (258? > 258?) bytes of
bias, with 20 bytes of SHA1 MAC (note: not counting the record size, which also
factors in on line 2518), that's almost 5K worth of additional record overhead. 
 With a TLSPlaintext size of 2^14, aren't we going to blow past the buffer here,
and fail to grow?

[agl, 2013/03/19 17:26:44]

The MACs are also encrypted so each record is burning 21 bytes of keystream.
There should only be ~256 bytes of extra overhead from the splitting.

[Ryan Sleevi, 2013/03/19 17:29:10]

Doh! Right, forgot that important detail.

             if (rv != SECSuccess) {
                 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
                          SSL_GETPID(), ss->fd, spaceNeeded));
                 goto spec_locked_loser; /* sslBuffer_Grow set error code. */
             }
         }
 
-        if (numRecords == 2) {
-            sslBuffer secondRecord;
+        if (numRecords > 1) {
+            sslBuffer recordBuf;
+            unsigned int i;
 
-            rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
-                                               ss->sec.isServer, IS_DTLS(ss),
-                                               capRecordVersion, type, pIn,
-                                               1, wrBuf);
-            if (rv != SECSuccess)
-                goto spec_locked_loser;
+            wrBuf->len = 0;
+            for (i = 0; i < numRecords; i++) {
+                recordBuf.buf = wrBuf->buf + wrBuf->len;
+                recordBuf.len = 0;
+                recordBuf.space = wrBuf->space - wrBuf->len;
 
-            PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:",
-                           wrBuf->buf, wrBuf->len));
+                rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
+                                                   ss->sec.isServer,
+                                                   IS_DTLS(ss),
+                                                   capRecordVersion, type,
+                                                   pIn + i,
+                                                   (i != numRecords - 1) ?
+                                                   1 : contentLen - i,
+                                                   &recordBuf);
+                if (rv != SECSuccess)
+                    break;
 
-            secondRecord.buf = wrBuf->buf + wrBuf->len;
-            secondRecord.len = 0;
-            secondRecord.space = wrBuf->space - wrBuf->len;
-
-            rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
-                                               ss->sec.isServer, IS_DTLS(ss),
-                                               capRecordVersion, type,
-                                               pIn + 1, contentLen - 1,
-                                               &secondRecord);
-            if (rv == SECSuccess) {
-                PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:",
-                               secondRecord.buf, secondRecord.len));
-                wrBuf->len += secondRecord.len;
+                PRINT_BUF(50, (ss, "send (encrypted) record data:",
+                               recordBuf.buf, recordBuf.len));
+                wrBuf->len += recordBuf.len;
             }
         } else {
             if (!IS_DTLS(ss)) {
                 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
                                                    ss->sec.isServer,
                                                    IS_DTLS(ss),
                                                    capRecordVersion,
                                                    type, pIn,
                                                    contentLen, wrBuf);
             } else {
                 rv = dtls_CompressMACEncryptRecord(ss, epoch,
                                                    !!(flags & ssl_SEND_FLAG_USE_EPOCH),
                                                    type, pIn,
                                                    contentLen, wrBuf);
             }
 
             if (rv == SECSuccess) {
                 PRINT_BUF(50, (ss, "send (encrypted) record data:",
                                wrBuf->buf, wrBuf->len));
+
+                if (ss->opt.cbcRandomIV && type == content_handshake &&
+                    ss->ssl3.cwSpec->cipher_def->calg == ssl_calg_rc4) {
+                    ss->ssl3.rc4EncryptedBytes +=
+                        wrBuf->len - SSL3_RECORD_HEADER_LENGTH;

[wtc, 2013/03/16 01:15:38]

I could add an output argument to ssl3_CompressMACEncryptRecord
to return the ciphertext length. Here I just subtract
SSL3_RECORD_HEADER_LENGTH from wrBuf->len. I guess
the TLS record header length did not change in TLS 1.2?

[agl, 2013/03/19 16:41:00]

It doesn't. (I don't think it ever could if TLS is to be able to negotiate a
common version with previous implementations.)

+                }
             }
         }
 
 spec_locked_loser:
         ssl_ReleaseSpecReadLock(ss); /************************************/
 
         if (rv != SECSuccess)
             return SECFailure;
 
         pIn += contentLen;
@@ skipping 47 matching lines @@
                     return SECFailure;
                 }
                 /* now take all the remaining unsent new ciphertext and 
                  * append it to the buffer of previously unsent ciphertext.
                  */
                 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len);
                 if (rv != SECSuccess) {
                     /* presumably a memory error, SEC_ERROR_NO_MEMORY */
                     return SECFailure;
                 }
+                wrBuf->len = 0; /* All cipher text is saved away. */
             }
         }
         totalSent += contentLen;
     }
     return totalSent;
 }
 
 #define SSL3_PENDING_HIGH_WATER 1024
 
 /* Attempt to send the content of "in" in an SSL application_data record.
@@ skipping 10 matching lines @@
     /* These flags for internal use only */
     PORT_Assert(!(flags & (ssl_SEND_FLAG_USE_EPOCH |
                            ssl_SEND_FLAG_NO_RETRANSMIT)));
     if (len < 0 || !in) {
         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
         return SECFailure;
     }
 
     if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER &&
         !ssl_SocketIsBlocking(ss)) {
-        PORT_Assert(!ssl_SocketIsBlocking(ss));
         PORT_SetError(PR_WOULD_BLOCK_ERROR);
         return SECFailure;
     }
 
     if (ss->appDataBuffered && len) {
         PORT_Assert (in[0] == (unsigned char)(ss->appDataBuffered));
         if (in[0] != (unsigned char)(ss->appDataBuffered)) {
             PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
             return SECFailure;
         }
         in++;
         len--;
         discarded = 1;
     }
     while (len > totalSent) {
         PRInt32   sent, toSend;
 
         if (totalSent > 0) {
             /*
              * The thread yield is intended to give the reader thread a
              * chance to get some cycles while the writer thread is in
              * the middle of a large application data write.  (See
              * Bugzilla bug 127740, comment #1.)
              */
             ssl_ReleaseXmitBufLock(ss);
             PR_Sleep(PR_INTERVAL_NO_WAIT);      /* PR_Yield(); */
             ssl_GetXmitBufLock(ss);
         }
         toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH);

[wtc, 2013/03/19 17:44:02]

This PR_MIN call caps the |nIn| argument for ssl3_SendRecord
at MAX_FRAGMENT_LENGTH.  This should keep us below the buffer
size limit of MAX_FRAGMENT_LENGTH + 2048 in sslBuffer_Grow.

         /*
          * Note that the 0 epoch is OK because flags will never require 
          * its use, as guaranteed by the PORT_Assert above.
          */
         sent = ssl3_SendRecord(ss, 0, content_application_data,
                                in + totalSent, toSend, flags);
         if (sent < 0) {
             if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) {
                 PORT_Assert(ss->lastWriteBlocked);
                 break;
@@ skipping 1517 matching lines @@
     PORT_Assert(IS_DTLS(ss) || !resending);
 
     /* We might be starting a session renegotiation in which case we should
      * clear previous state.
      */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
     ss->ssl3.hs.may_get_cert_status = PR_FALSE;
     if (ss->ssl3.hs.cert_status.data) {
         SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE);
     }
+    ss->ssl3.rc4EncryptedBytes = 0;

[wtc, 2013/03/16 01:15:38]

I found the places where we need to reset
ss->ssl3.rc4EncryptedBytes to 0 by searching for
"PORT_Memset(&ss->xtnData" and the
"We might be starting a session renegotiation ..."
comment.

I believe we only need to reset
ss->ssl3.rc4EncryptedBytes to 0 in ssl3_SendClientHello
and ssl3_HandleClientHello. But to be safe I reset it
whenever we clear ss->xtnData.

[agl, 2013/03/19 16:41:00]

I think this would be taken care of naturally if the encrypted byte count was
part of cwSpec/crSpec. However, I don't think that it's a big difference.

[wtc, 2013/03/19 17:44:02]

That seems like a good idea because rc4EncryptedBytes is
closely related to the write_seq_num field in cwSpec.

This will also allow me to increment rc4EncryptedBytes
in ssl3_CompressMACEncryptRecord. Originally I wanted to
do that, but ssl3_CompressMACEncryptRecord only has access
to 'cwSpec' but not to 'ss', so I can't do that.

[wtc, 2013/03/22 01:33:29]

Done.

 
     SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
             SSL_GETPID(), ss->fd ));
     rv = ssl3_RestartHandshakeHashes(ss);
     if (rv != SECSuccess) {
         return rv;
     }
 
     /*
      * During a renegotiation, ss->clientHelloVersion will be used again to
@@ skipping 2608 matching lines @@
     if (IS_DTLS(ss)) {
         ss->nextHandshake     = 0;
         ss->securityHandshake = 0;
     }
 
     /* We might be starting session renegotiation in which case we should
      * clear previous state.
      */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
     ss->statelessResume = PR_FALSE;
+    ss->ssl3.rc4EncryptedBytes = 0;
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
         return rv;              /* ssl3_InitState has set the error code. */
     }
 
     if ((ss->ssl3.hs.ws != wait_client_hello) &&
         (ss->ssl3.hs.ws != idle_handshake)) {
         desc    = unexpected_message;
         errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
@@ skipping 739 matching lines @@
     int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
     SSL3AlertDescription desc    = handshake_failure;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle v2 client_hello", SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
 
     ssl_GetSSL3HandshakeLock(ss);
 
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
+    ss->ssl3.rc4EncryptedBytes = 0;
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
         ssl_ReleaseSSL3HandshakeLock(ss);
         return rv;              /* ssl3_InitState has set the error code. */
     }
 
     if (ss->ssl3.hs.ws != wait_client_hello) {
         desc    = unexpected_message;
         errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
@@ skipping 3251 matching lines @@
     ss->ssl3.hs.sendingSCSV = PR_FALSE;
     ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
     ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
 
     ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
 #ifdef NSS_ENABLE_ECC
     ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK;
 #endif
     ssl_ReleaseSpecWriteLock(ss);
 
+    /* XXX: move xtnData into ss->ssl3? */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
+    ss->ssl3.rc4EncryptedBytes = 0;
 
     if (IS_DTLS(ss)) {
         ss->ssl3.hs.sendMessageSeq = 0;
         ss->ssl3.hs.recvMessageSeq = 0;
         ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
         ss->ssl3.hs.rtRetries = 0;
         ss->ssl3.hs.recvdHighWater = -1;
         PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
         dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */
     }
@@ skipping 406 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */