Home | History | Annotate | Download | only in ssl
      1 /*
      2  * Gather (Read) entire SSL2 records from socket into buffer.
      3  *
      4  * This Source Code Form is subject to the terms of the Mozilla Public
      5  * License, v. 2.0. If a copy of the MPL was not distributed with this
      6  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      7 #include "cert.h"
      8 #include "ssl.h"
      9 #include "sslimpl.h"
     10 #include "sslproto.h"
     11 
     12 /* Forward static declarations */
     13 static SECStatus ssl2_HandleV3HandshakeRecord(sslSocket *ss);
     14 
     15 /*
     16 ** Gather a single record of data from the receiving stream. This code
     17 ** first gathers the header (2 or 3 bytes long depending on the value of
     18 ** the most significant bit in the first byte) then gathers up the data
     19 ** for the record into gs->buf. This code handles non-blocking I/O
     20 ** and is to be called multiple times until ss->sec.recordLen != 0.
     21 ** This function decrypts the gathered record in place, in gs_buf.
     22  *
     23  * Caller must hold RecvBufLock.
     24  *
     25  * Returns +1 when it has gathered a complete SSLV2 record.
     26  * Returns  0 if it hits EOF.
     27  * Returns -1 (SECFailure)    on any error
     28  * Returns -2 (SECWouldBlock) when it gathers an SSL v3 client hello header.
     29 **
     30 ** The SSL2 Gather State machine has 4 states:
     31 ** GS_INIT   - Done reading in previous record.  Haven't begun to read in
     32 **             next record.  When ssl2_GatherData is called with the machine
     33 **             in this state, the machine will attempt to read the first 3
     34 **             bytes of the SSL2 record header, and will advance the state
     35 **             to GS_HEADER.
     36 **
     37 ** GS_HEADER - The machine is in this state while waiting for the completion
     38 **             of the first 3 bytes of the SSL2 record.  When complete, the
     39 **             machine will compute the remaining unread length of this record
     40 **             and will initiate a read of that many bytes.  The machine will
     41 **             advance to one of two states, depending on whether the record
     42 **             is encrypted (GS_MAC), or unencrypted (GS_DATA).
     43 **
     44 ** GS_MAC    - The machine is in this state while waiting for the remainder
     45 **             of the SSL2 record to be read in.  When the read is completed,
     46 **             the machine checks the record for valid length, decrypts it,
     47 **             and checks and discards the MAC, then advances to GS_INIT.
     48 **
     49 ** GS_DATA   - The machine is in this state while waiting for the remainder
     50 **             of the unencrypted SSL2 record to be read in.  Upon completion,
     51 **             the machine advances to the GS_INIT state and returns the data.
     52 */
     53 int
     54 ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
     55 {
     56     unsigned char *  bp;
     57     unsigned char *  pBuf;
     58     int              nb, err, rv;
     59 
     60     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     61 
     62     if (gs->state == GS_INIT) {
     63 	/* Initialize gathering engine */
     64 	gs->state         = GS_HEADER;
     65 	gs->remainder     = 3;
     66 	gs->count         = 3;
     67 	gs->offset        = 0;
     68 	gs->recordLen     = 0;
     69 	gs->recordPadding = 0;
     70 	gs->hdr[2]        = 0;
     71 
     72 	gs->writeOffset   = 0;
     73 	gs->readOffset    = 0;
     74     }
     75     if (gs->encrypted) {
     76 	PORT_Assert(ss->sec.hash != 0);
     77     }
     78 
     79     pBuf = gs->buf.buf;
     80     for (;;) {
     81 	SSL_TRC(30, ("%d: SSL[%d]: gather state %d (need %d more)",
     82 		     SSL_GETPID(), ss->fd, gs->state, gs->remainder));
     83 	bp = ((gs->state != GS_HEADER) ? pBuf : gs->hdr) + gs->offset;
     84 	nb = ssl_DefRecv(ss, bp, gs->remainder, flags);
     85 	if (nb > 0) {
     86 	    PRINT_BUF(60, (ss, "raw gather data:", bp, nb));
     87 	}
     88 	if (nb == 0) {
     89 	    /* EOF */
     90 	    SSL_TRC(30, ("%d: SSL[%d]: EOF", SSL_GETPID(), ss->fd));
     91 	    rv = 0;
     92 	    break;
     93 	}
     94 	if (nb < 0) {
     95 	    SSL_DBG(("%d: SSL[%d]: recv error %d", SSL_GETPID(), ss->fd,
     96 		     PR_GetError()));
     97 	    rv = SECFailure;
     98 	    break;
     99 	}
    100 
    101 	gs->offset    += nb;
    102 	gs->remainder -= nb;
    103 
    104 	if (gs->remainder > 0) {
    105 	    continue;
    106 	}
    107 
    108 	/* Probably finished this piece */
    109 	switch (gs->state) {
    110 	case GS_HEADER:
    111 	    if (!SSL3_ALL_VERSIONS_DISABLED(&ss->vrange) && !ss->firstHsDone) {
    112 
    113 		PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
    114 
    115 		/* If this looks like an SSL3 handshake record,
    116 		** and we're expecting an SSL2 Hello message from our peer,
    117 		** handle it here.
    118 		*/
    119 		if (gs->hdr[0] == content_handshake) {
    120 		    if ((ss->nextHandshake == ssl2_HandleClientHelloMessage) ||
    121 			(ss->nextHandshake == ssl2_HandleServerHelloMessage)) {
    122 			rv = ssl2_HandleV3HandshakeRecord(ss);
    123 			if (rv == SECFailure) {
    124 			    return SECFailure;
    125 			}
    126 		    }
    127 		    /* XXX_1	The call stack to here is:
    128 		     * ssl_Do1stHandshake -> ssl_GatherRecord1stHandshake ->
    129 		     *			ssl2_GatherRecord -> here.
    130 		     * We want to return all the way out to ssl_Do1stHandshake,
    131 		     * and have it call ssl_GatherRecord1stHandshake again.
    132 		     * ssl_GatherRecord1stHandshake will call
    133 		     * ssl3_GatherCompleteHandshake when it is called again.
    134 		     *
    135 		     * Returning SECWouldBlock here causes
    136 		     * ssl_GatherRecord1stHandshake to return without clearing
    137 		     * ss->handshake, ensuring that ssl_Do1stHandshake will
    138 		     * call it again immediately.
    139 		     *
    140 		     * If we return 1 here, ssl_GatherRecord1stHandshake will
    141 		     * clear ss->handshake before returning, and thus will not
    142 		     * be called again by ssl_Do1stHandshake.
    143 		     */
    144 		    return SECWouldBlock;
    145 		} else if (gs->hdr[0] == content_alert) {
    146 		    if (ss->nextHandshake == ssl2_HandleServerHelloMessage) {
    147 			/* XXX This is a hack.  We're assuming that any failure
    148 			 * XXX on the client hello is a failure to match
    149 			 * XXX ciphers.
    150 			 */
    151 			PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
    152 			return SECFailure;
    153 		    }
    154 		}
    155 	    }
    156 
    157 	    /* we've got the first 3 bytes.  The header may be two or three. */
    158 	    if (gs->hdr[0] & 0x80) {
    159 		/* This record has a 2-byte header, and no padding */
    160 		gs->count = ((gs->hdr[0] & 0x7f) << 8) | gs->hdr[1];
    161 		gs->recordPadding = 0;
    162 	    } else {
    163 		/* This record has a 3-byte header that is all read in now. */
    164 		gs->count = ((gs->hdr[0] & 0x3f) << 8) | gs->hdr[1];
    165 	    /*  is_escape =  (gs->hdr[0] & 0x40) != 0; */
    166 		gs->recordPadding = gs->hdr[2];
    167 	    }
    168 	    if (!gs->count) {
    169 		PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
    170 		goto cleanup;
    171 	    }
    172 
    173 	    if (gs->count > gs->buf.space) {
    174 		err = sslBuffer_Grow(&gs->buf, gs->count);
    175 		if (err) {
    176 		    return err;
    177 		}
    178 		pBuf = gs->buf.buf;
    179 	    }
    180 
    181 
    182 	    if (gs->hdr[0] & 0x80) {
    183 	    	/* we've already read in the first byte of the body.
    184 		** Put it into the buffer.
    185 		*/
    186 		pBuf[0]        = gs->hdr[2];
    187 		gs->offset    = 1;
    188 		gs->remainder = gs->count - 1;
    189 	    } else {
    190 		gs->offset    = 0;
    191 		gs->remainder = gs->count;
    192 	    }
    193 
    194 	    if (gs->encrypted) {
    195 		gs->state     = GS_MAC;
    196 		gs->recordLen = gs->count - gs->recordPadding
    197 		                          - ss->sec.hash->length;
    198 	    } else {
    199 		gs->state     = GS_DATA;
    200 		gs->recordLen = gs->count;
    201 	    }
    202 
    203 	    break;
    204 
    205 
    206 	case GS_MAC:
    207 	    /* Have read in entire rest of the ciphertext.
    208 	    ** Check for valid length.
    209 	    ** Decrypt it.
    210 	    ** Check the MAC.
    211 	    */
    212 	    PORT_Assert(gs->encrypted);
    213 
    214 	  {
    215 	    unsigned int     macLen;
    216 	    int              nout;
    217 	    unsigned char    mac[SSL_MAX_MAC_BYTES];
    218 
    219 	    ssl_GetSpecReadLock(ss); /**********************************/
    220 
    221 	    /* If this is a stream cipher, blockSize will be 1,
    222 	     * and this test will always be false.
    223 	     * If this is a block cipher, this will detect records
    224 	     * that are not a multiple of the blocksize in length.
    225 	     */
    226 	    if (gs->count & (ss->sec.blockSize - 1)) {
    227 		/* This is an error. Sender is misbehaving */
    228 		SSL_DBG(("%d: SSL[%d]: sender, count=%d blockSize=%d",
    229 			 SSL_GETPID(), ss->fd, gs->count,
    230 			 ss->sec.blockSize));
    231 		PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
    232 		rv = SECFailure;
    233 		goto spec_locked_done;
    234 	    }
    235 	    PORT_Assert(gs->count == gs->offset);
    236 
    237 	    if (gs->offset == 0) {
    238 		rv = 0;			/* means EOF. */
    239 		goto spec_locked_done;
    240 	    }
    241 
    242 	    /* Decrypt the portion of data that we just received.
    243 	    ** Decrypt it in place.
    244 	    */
    245 	    rv = (*ss->sec.dec)(ss->sec.readcx, pBuf, &nout, gs->offset,
    246 			     pBuf, gs->offset);
    247 	    if (rv != SECSuccess) {
    248 		goto spec_locked_done;
    249 	    }
    250 
    251 
    252 	    /* Have read in all the MAC portion of record
    253 	    **
    254 	    ** Prepare MAC by resetting it and feeding it the shared secret
    255 	    */
    256 	    macLen = ss->sec.hash->length;
    257 	    if (gs->offset >= macLen) {
    258 		PRUint32           sequenceNumber = ss->sec.rcvSequence++;
    259 		unsigned char    seq[4];
    260 
    261 		seq[0] = (unsigned char) (sequenceNumber >> 24);
    262 		seq[1] = (unsigned char) (sequenceNumber >> 16);
    263 		seq[2] = (unsigned char) (sequenceNumber >> 8);
    264 		seq[3] = (unsigned char) (sequenceNumber);
    265 
    266 		(*ss->sec.hash->begin)(ss->sec.hashcx);
    267 		(*ss->sec.hash->update)(ss->sec.hashcx, ss->sec.rcvSecret.data,
    268 				        ss->sec.rcvSecret.len);
    269 		(*ss->sec.hash->update)(ss->sec.hashcx, pBuf + macLen,
    270 				        gs->offset - macLen);
    271 		(*ss->sec.hash->update)(ss->sec.hashcx, seq, 4);
    272 		(*ss->sec.hash->end)(ss->sec.hashcx, mac, &macLen, macLen);
    273 
    274 		PORT_Assert(macLen == ss->sec.hash->length);
    275 
    276 		ssl_ReleaseSpecReadLock(ss);  /******************************/
    277 
    278 		if (NSS_SecureMemcmp(mac, pBuf, macLen) != 0) {
    279 		    /* MAC's didn't match... */
    280 		    SSL_DBG(("%d: SSL[%d]: mac check failed, seq=%d",
    281 			     SSL_GETPID(), ss->fd, ss->sec.rcvSequence));
    282 		    PRINT_BUF(1, (ss, "computed mac:", mac, macLen));
    283 		    PRINT_BUF(1, (ss, "received mac:", pBuf, macLen));
    284 		    PORT_SetError(SSL_ERROR_BAD_MAC_READ);
    285 		    rv = SECFailure;
    286 		    goto cleanup;
    287 		}
    288 	    } else {
    289 		ssl_ReleaseSpecReadLock(ss);  /******************************/
    290 	    }
    291 
    292 	    if (gs->recordPadding + macLen <= gs->offset) {
    293 		gs->recordOffset  = macLen;
    294 		gs->readOffset    = macLen;
    295 		gs->writeOffset   = gs->offset - gs->recordPadding;
    296 		rv = 1;
    297 	    } else {
    298 		PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
    299 cleanup:
    300 		/* nothing in the buffer any more. */
    301 		gs->recordOffset  = 0;
    302 		gs->readOffset    = 0;
    303 	    	gs->writeOffset   = 0;
    304 		rv = SECFailure;
    305 	    }
    306 
    307 	    gs->recordLen     = gs->writeOffset - gs->readOffset;
    308 	    gs->recordPadding = 0;	/* forget we did any padding. */
    309 	    gs->state = GS_INIT;
    310 
    311 
    312 	    if (rv > 0) {
    313 		PRINT_BUF(50, (ss, "recv clear record:",
    314 		               pBuf + gs->recordOffset, gs->recordLen));
    315 	    }
    316 	    return rv;
    317 
    318 spec_locked_done:
    319 	    ssl_ReleaseSpecReadLock(ss);
    320 	    return rv;
    321 	  }
    322 
    323 	case GS_DATA:
    324 	    /* Have read in all the DATA portion of record */
    325 
    326 	    gs->recordOffset  = 0;
    327 	    gs->readOffset    = 0;
    328 	    gs->writeOffset   = gs->offset;
    329 	    PORT_Assert(gs->recordLen == gs->writeOffset - gs->readOffset);
    330 	    gs->recordLen     = gs->offset;
    331 	    gs->recordPadding = 0;
    332 	    gs->state         = GS_INIT;
    333 
    334 	    ++ss->sec.rcvSequence;
    335 
    336 	    PRINT_BUF(50, (ss, "recv clear record:",
    337 	                   pBuf + gs->recordOffset, gs->recordLen));
    338 	    return 1;
    339 
    340 	}	/* end switch gs->state */
    341     }		/* end gather loop. */
    342     return rv;
    343 }
    344 
    345 /*
    346 ** Gather a single record of data from the receiving stream. This code
    347 ** first gathers the header (2 or 3 bytes long depending on the value of
    348 ** the most significant bit in the first byte) then gathers up the data
    349 ** for the record into the readBuf. This code handles non-blocking I/O
    350 ** and is to be called multiple times until ss->sec.recordLen != 0.
    351  *
    352  * Returns +1 when it has gathered a complete SSLV2 record.
    353  * Returns  0 if it hits EOF.
    354  * Returns -1 (SECFailure)    on any error
    355  * Returns -2 (SECWouldBlock)
    356  *
    357  * Called by ssl_GatherRecord1stHandshake in sslcon.c,
    358  * and by DoRecv in sslsecur.c
    359  * Caller must hold RecvBufLock.
    360  */
    361 int
    362 ssl2_GatherRecord(sslSocket *ss, int flags)
    363 {
    364     return ssl2_GatherData(ss, &ss->gs, flags);
    365 }
    366 
    367 /*
    368  * Returns +1 when it has gathered a complete SSLV2 record.
    369  * Returns  0 if it hits EOF.
    370  * Returns -1 (SECFailure)    on any error
    371  * Returns -2 (SECWouldBlock)
    372  *
    373  * Called from SocksStartGather in sslsocks.c
    374  * Caller must hold RecvBufLock.
    375  */
    376 int
    377 ssl2_StartGatherBytes(sslSocket *ss, sslGather *gs, unsigned int count)
    378 {
    379     int rv;
    380 
    381     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
    382     gs->state     = GS_DATA;
    383     gs->remainder = count;
    384     gs->count     = count;
    385     gs->offset    = 0;
    386     if (count > gs->buf.space) {
    387 	rv = sslBuffer_Grow(&gs->buf, count);
    388 	if (rv) {
    389 	    return rv;
    390 	}
    391     }
    392     return ssl2_GatherData(ss, gs, 0);
    393 }
    394 
    395 /* Caller should hold RecvBufLock. */
    396 SECStatus
    397 ssl_InitGather(sslGather *gs)
    398 {
    399     SECStatus status;
    400 
    401     gs->state = GS_INIT;
    402     gs->writeOffset = 0;
    403     gs->readOffset  = 0;
    404     gs->dtlsPacketOffset = 0;
    405     gs->dtlsPacket.len = 0;
    406     status = sslBuffer_Grow(&gs->buf, 4096);
    407     return status;
    408 }
    409 
    410 /* Caller must hold RecvBufLock. */
    411 void
    412 ssl_DestroyGather(sslGather *gs)
    413 {
    414     if (gs) {	/* the PORT_*Free functions check for NULL pointers. */
    415 	PORT_ZFree(gs->buf.buf, gs->buf.space);
    416 	PORT_Free(gs->inbuf.buf);
    417 	PORT_Free(gs->dtlsPacket.buf);
    418     }
    419 }
    420 
    421 /* Caller must hold RecvBufLock. */
    422 static SECStatus
    423 ssl2_HandleV3HandshakeRecord(sslSocket *ss)
    424 {
    425     SECStatus           rv;
    426 
    427     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
    428     PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
    429 
    430     /* We've read in 3 bytes, there are 2 more to go in an ssl3 header. */
    431     ss->gs.remainder         = 2;
    432     ss->gs.count             = 0;
    433 
    434     /* Clearing these handshake pointers ensures that
    435      * ssl_Do1stHandshake won't call ssl2_HandleMessage when we return.
    436      */
    437     ss->nextHandshake     = 0;
    438     ss->securityHandshake = 0;
    439 
    440     /* Setting ss->version to an SSL 3.x value will cause
    441     ** ssl_GatherRecord1stHandshake to invoke ssl3_GatherCompleteHandshake()
    442     ** the next time it is called.
    443     **/
    444     rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED,
    445 			       PR_TRUE);
    446     if (rv != SECSuccess) {
    447 	return rv;
    448     }
    449 
    450     ss->sec.send         = ssl3_SendApplicationData;
    451 
    452     return SECSuccess;
    453 }
    454