Split RC4-encrypted records.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /* $Id: ssl3con.c,v 1.192 2012/09/28 05:10:25 wtc%google.com Exp $ */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
@@ skipping 1774 matching lines @@
         }
     } else {
         PORT_Assert(pwSpec->master_secret);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         rv = SECFailure;
     }
     if (rv != SECSuccess) {
         goto done;
     }
 
+    pwSpec->rc4EncryptedBytes = 0;
+
     /* Generic behaviors -- common to all crypto methods */
     if (!IS_DTLS(ss)) {
         pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0;
     } else {
         if (cwSpec->epoch == PR_UINT16_MAX) {
             /* The problem here is that we have rehandshaked too many
              * times (you are not allowed to wrap the epoch). The
              * spec says you should be discarding the connection
              * and start over, so not much we can do here. */
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
@@ skipping 376 matching lines @@
         (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
         isPresent = PR_FALSE;
     } 
     if (slot) {
         PK11_FreeSlot(slot);
     }
     return isPresent;
 }
 
 /* Caller must hold the spec read lock. */
+/* The function uses the three members of wrBuf as follows:
+ * - Reads wrBuf->buf and wrBuf->space. Note that it does not read wrBuf->len.
+ * - Writes data into the buffer that wrBuf->buf points to.
+ * - Sets wrBuf->len to the number of bytes written on successful return.
+ */
 SECStatus
 ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
                               PRBool             isServer,
                               PRBool             isDTLS,
                               PRBool             capRecordVersion,
                               SSL3ContentType    type,
                               const SSL3Opaque * pIn,
                               PRUint32           contentLen,
                               sslBuffer *        wrBuf)
 {
@@ skipping 155 matching lines @@
 
         if (capRecordVersion) {
             version = PR_MIN(SSL_LIBRARY_VERSION_TLS_1_0, version);
         }
         wrBuf->buf[1] = MSB(version);
         wrBuf->buf[2] = LSB(version);
         wrBuf->buf[3] = MSB(cipherBytes);
         wrBuf->buf[4] = LSB(cipherBytes);
     }
 
+    if (type == content_handshake &&
+        cwSpec->cipher_def->calg == ssl_calg_rc4) {
+        cwSpec->rc4EncryptedBytes += cipherBytes;
+    }
+
     ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
 
     return SECSuccess;
 }
 
 /* Process the plain text before sending it.
  * Returns the number of bytes of plaintext that were successfully sent
  *      plus the number of bytes of plaintext that were copied into the
  *      output (write) buffer.
  * Returns SECFailure on a hard IO error, memory error, or crypto error.
@@ skipping 33 matching lines @@
     SECStatus                 rv;
     PRInt32                   totalSent   = 0;
     PRBool                    capRecordVersion;
 
     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
                 SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
                 nIn));
     PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( wrBuf->len == 0 );
 
     capRecordVersion = ((flags & ssl_SEND_FLAG_CAP_RECORD_VERSION) != 0);
 
     if (capRecordVersion) {
         /* ssl_SEND_FLAG_CAP_RECORD_VERSION can only be used with the
          * TLS initial ClientHello. */
         PORT_Assert(!IS_DTLS(ss));
         PORT_Assert(!ss->firstHsDone);
         PORT_Assert(type == content_handshake);
         PORT_Assert(ss->ssl3.hs.ws == wait_server_hello);
@@ skipping 13 matching lines @@
 
     /* check for Token Presence */
     if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
         PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
         return SECFailure;
     }
 
     while (nIn > 0) {
         PRUint32  contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH);
         unsigned int spaceNeeded;
-        unsigned int numRecords;
+        unsigned int numRecords = 1;
 
         ssl_GetSpecReadLock(ss);    /********************************/
 
         if (nIn > 1 && ss->opt.cbcRandomIV &&
             ss->ssl3.cwSpec->version < SSL_LIBRARY_VERSION_TLS_1_1 &&
             type == content_application_data &&
             ss->ssl3.cwSpec->cipher_def->type == type_block /* CBC mode */) {
             /* We will split the first byte of the record into its own record,
              * as explained in the documentation for SSL_CBC_RANDOM_IV in ssl.h
              */
             numRecords = 2;
-        } else {
-            numRecords = 1;
+        } else if (nIn > 1 && ss->opt.cbcRandomIV &&
+            type == content_application_data &&
+            ss->ssl3.cwSpec->cipher_def->calg == ssl_calg_rc4 &&
+            ss->ssl3.cwSpec->rc4EncryptedBytes < SSL3_BIASED_RC4_BYTES) {
+            /* We will split the first few bytes of the record into their own
+             * one-byte records so that the biased RC4 keystream bytes are
+             * mostly used to encrypt record MACs.
+             */
+            PRInt32 inBytes = nIn;
+
+            numRecords = 0;
+
+            /* Count how many one-byte records are needed to exhaust the
+             * biased RC4 keystream bytes. */
+            while (inBytes > 0 &&
+                   ss->ssl3.cwSpec->rc4EncryptedBytes < SSL3_BIASED_RC4_BYTES) {
+                ss->ssl3.cwSpec->rc4EncryptedBytes +=

[agl, 2013/03/22 13:44:46]

I doesn't really matter, but these bytes will be accounted for twice in
rc4EncryptedBytes, no? Once here, and then again in
ssl3_CompressMACEncryptRecord.

[wtc, 2013/03/22 17:31:40]

No. In ssl3_CompressMACEncryptRecord, there is a
type == content_handshake check so it will only apply to
handshake records.

I am unhappy about this aspect of the CL because
application data records and handshake records are
counted in different places. I will try to fix this.

+                    1 + ss->ssl3.cwSpec->mac_size;
+                inBytes--;
+                numRecords++;
+            }
+
+            /* Send any remaining bytes in one record. */
+            if (inBytes > 0) {
+                numRecords++;
+            }
         }
 
         spaceNeeded = contentLen + (numRecords * SSL3_BUFFER_FUDGE);
         if (ss->ssl3.cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
             ss->ssl3.cwSpec->cipher_def->type == type_block) {
             spaceNeeded += ss->ssl3.cwSpec->cipher_def->iv_size;
         }
         if (spaceNeeded > wrBuf->space) {
             rv = sslBuffer_Grow(wrBuf, spaceNeeded);
             if (rv != SECSuccess) {
                 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
                          SSL_GETPID(), ss->fd, spaceNeeded));
                 goto spec_locked_loser; /* sslBuffer_Grow set error code. */
             }
         }
 
-        if (numRecords == 2) {
-            sslBuffer secondRecord;
+        if (numRecords > 1) {
+            sslBuffer recordBuf;
+            unsigned int i;
 
-            rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
-                                               ss->sec.isServer, IS_DTLS(ss),
-                                               capRecordVersion, type, pIn,
-                                               1, wrBuf);
-            if (rv != SECSuccess)
-                goto spec_locked_loser;
+            wrBuf->len = 0;
+            for (i = 0; i < numRecords; i++) {
+                recordBuf.buf = wrBuf->buf + wrBuf->len;
+                recordBuf.len = 0;
+                recordBuf.space = wrBuf->space - wrBuf->len;
 
-            PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:",
-                           wrBuf->buf, wrBuf->len));
+                rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
+                                                   ss->sec.isServer,
+                                                   IS_DTLS(ss),
+                                                   capRecordVersion, type,
+                                                   pIn + i,
+                                                   (i != numRecords - 1) ?
+                                                   1 : contentLen - i,
+                                                   &recordBuf);
+                if (rv != SECSuccess)
+                    break;
 
-            secondRecord.buf = wrBuf->buf + wrBuf->len;
-            secondRecord.len = 0;
-            secondRecord.space = wrBuf->space - wrBuf->len;
-
-            rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
-                                               ss->sec.isServer, IS_DTLS(ss),
-                                               capRecordVersion, type,
-                                               pIn + 1, contentLen - 1,
-                                               &secondRecord);
-            if (rv == SECSuccess) {
-                PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:",
-                               secondRecord.buf, secondRecord.len));
-                wrBuf->len += secondRecord.len;
+                PRINT_BUF(50, (ss, "send (encrypted) record data:",
+                               recordBuf.buf, recordBuf.len));
+                wrBuf->len += recordBuf.len;
             }
         } else {
             if (!IS_DTLS(ss)) {
                 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
                                                    ss->sec.isServer,
                                                    IS_DTLS(ss),
                                                    capRecordVersion,
                                                    type, pIn,
                                                    contentLen, wrBuf);
             } else {
@@ skipping 66 matching lines @@
                     return SECFailure;
                 }
                 /* now take all the remaining unsent new ciphertext and 
                  * append it to the buffer of previously unsent ciphertext.
                  */
                 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len);
                 if (rv != SECSuccess) {
                     /* presumably a memory error, SEC_ERROR_NO_MEMORY */
                     return SECFailure;
                 }
+                wrBuf->len = 0; /* All cipher text is saved away. */
             }
         }
         totalSent += contentLen;
     }
     return totalSent;
 }
 
 #define SSL3_PENDING_HIGH_WATER 1024
 
 /* Attempt to send the content of "in" in an SSL application_data record.
@@ skipping 10 matching lines @@
     /* These flags for internal use only */
     PORT_Assert(!(flags & (ssl_SEND_FLAG_USE_EPOCH |
                            ssl_SEND_FLAG_NO_RETRANSMIT)));
     if (len < 0 || !in) {
         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
         return SECFailure;
     }
 
     if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER &&
         !ssl_SocketIsBlocking(ss)) {
-        PORT_Assert(!ssl_SocketIsBlocking(ss));
         PORT_SetError(PR_WOULD_BLOCK_ERROR);
         return SECFailure;
     }
 
     if (ss->appDataBuffered && len) {
         PORT_Assert (in[0] == (unsigned char)(ss->appDataBuffered));
         if (in[0] != (unsigned char)(ss->appDataBuffered)) {
             PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
             return SECFailure;
         }
@@ skipping 8156 matching lines @@
     spec->msItem.len               = 0;
 
     spec->client.write_key         = NULL;
     spec->client.write_mac_key     = NULL;
     spec->client.write_mac_context = NULL;
 
     spec->server.write_key         = NULL;
     spec->server.write_mac_key     = NULL;
     spec->server.write_mac_context = NULL;
 
+    spec->rc4EncryptedBytes        = 0;
+
     spec->write_seq_num.high       = 0;
     spec->write_seq_num.low        = 0;
 
     spec->read_seq_num.high        = 0;
     spec->read_seq_num.low         = 0;
 
     spec->epoch                    = 0;
     dtls_InitRecvdRecords(&spec->recvdRecords);
 
     spec->version                  = ss->vrange.max;
@@ skipping 28 matching lines @@
     ss->ssl3.hs.sendingSCSV = PR_FALSE;
     ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
     ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
 
     ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
 #ifdef NSS_ENABLE_ECC
     ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK;
 #endif
     ssl_ReleaseSpecWriteLock(ss);
 
+    /* XXX: move xtnData into ss->ssl3? */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
     if (IS_DTLS(ss)) {
         ss->ssl3.hs.sendMessageSeq = 0;
         ss->ssl3.hs.recvMessageSeq = 0;
         ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
         ss->ssl3.hs.rtRetries = 0;
         ss->ssl3.hs.recvdHighWater = -1;
         PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
         dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */
@@ skipping 407 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */