crypto/tls: use 1/n-1 record splitting to protect against BEAST

This requires rebasing the block-mode test scripts. I used GnuTLS version 3.1.4. R=agl CC=golang-dev https://golang.org/cl/6844073

crypto/tls: use 1/n-1 record splitting to protect against BEAST
This requires rebasing the block-mode test scripts. I used GnuTLS version 3.1.4. R=agl CC=golang-dev https://golang.org/cl/6844073
1de4d313 · Anthony Martin · f4ed50c2 · 1de4d313 · 1de4d313 · 1de4d313
Commit 1de4d313 authored Nov 26, 2012 by Anthony Martin
3 changed files
--- a/src/pkg/crypto/tls/conn.go
+++ b/src/pkg/crypto/tls/conn.go
@@ -758,8 +758,28 @@ func (c *Conn) Write(b []byte) (int, error) {
 		return 0, alertInternalError
 	}
+	// SSL 3.0 and TLS 1.0 are susceptible to a chosen-plaintext
+	// attack when using block mode ciphers due to predictable IVs.
+	// This can be prevented by splitting each Application Data
+	// record into two records, effectively randomizing the IV.
+	//
+	// http://www.openssl.org/~bodo/tls-cbc.txt
+	// https://bugzilla.mozilla.org/show_bug.cgi?id=665814
+	// http://www.imperialviolet.org/2012/01/15/beastfollowup.html
+	var m int
+	if len(b) > 1 && c.vers <= versionTLS10 {
+		if _, ok := c.out.cipher.(cipher.BlockMode); ok {
+			n, err := c.writeRecord(recordTypeApplicationData, b[:1])
+			if err != nil {
+				return n, c.setError(err)
+			}
+			m, b = 1, b[1:]
+		}
+	}
 	n, err := c.writeRecord(recordTypeApplicationData, b)
-	return n, c.setError(err)
+	return n + m, c.setError(err)
 }
 // Read can be made to time out and return a net.Error with Timeout() == true

--- a/src/pkg/crypto/tls/handshake_client_test.go
+++ b/src/pkg/crypto/tls/handshake_client_test.go
--- a/src/pkg/crypto/tls/handshake_server_test.go
+++ b/src/pkg/crypto/tls/handshake_server_test.go