OLD | NEW |
| (Empty) |
1 /* | |
2 * Gather (Read) entire SSL2 records from socket into buffer. | |
3 * | |
4 * This Source Code Form is subject to the terms of the Mozilla Public | |
5 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
7 #include "cert.h" | |
8 #include "ssl.h" | |
9 #include "sslimpl.h" | |
10 #include "sslproto.h" | |
11 | |
12 /* Forward static declarations */ | |
13 static SECStatus ssl2_HandleV3HandshakeRecord(sslSocket *ss); | |
14 | |
15 /* | |
16 ** Gather a single record of data from the receiving stream. This code | |
17 ** first gathers the header (2 or 3 bytes long depending on the value of | |
18 ** the most significant bit in the first byte) then gathers up the data | |
19 ** for the record into gs->buf. This code handles non-blocking I/O | |
20 ** and is to be called multiple times until ss->sec.recordLen != 0. | |
21 ** This function decrypts the gathered record in place, in gs_buf. | |
22 * | |
23 * Caller must hold RecvBufLock. | |
24 * | |
25 * Returns +1 when it has gathered a complete SSLV2 record. | |
26 * Returns 0 if it hits EOF. | |
27 * Returns -1 (SECFailure) on any error | |
28 * Returns -2 (SECWouldBlock) when it gathers an SSL v3 client hello header. | |
29 ** | |
30 ** The SSL2 Gather State machine has 4 states: | |
31 ** GS_INIT - Done reading in previous record. Haven't begun to read in | |
32 ** next record. When ssl2_GatherData is called with the machine | |
33 ** in this state, the machine will attempt to read the first 3 | |
34 ** bytes of the SSL2 record header, and will advance the state | |
35 ** to GS_HEADER. | |
36 ** | |
37 ** GS_HEADER - The machine is in this state while waiting for the completion | |
38 ** of the first 3 bytes of the SSL2 record. When complete, the | |
39 ** machine will compute the remaining unread length of this record | |
40 ** and will initiate a read of that many bytes. The machine will | |
41 ** advance to one of two states, depending on whether the record | |
42 ** is encrypted (GS_MAC), or unencrypted (GS_DATA). | |
43 ** | |
44 ** GS_MAC - The machine is in this state while waiting for the remainder | |
45 ** of the SSL2 record to be read in. When the read is completed, | |
46 ** the machine checks the record for valid length, decrypts it, | |
47 ** and checks and discards the MAC, then advances to GS_INIT. | |
48 ** | |
49 ** GS_DATA - The machine is in this state while waiting for the remainder | |
50 ** of the unencrypted SSL2 record to be read in. Upon completion, | |
51 ** the machine advances to the GS_INIT state and returns the data. | |
52 */ | |
53 int | |
54 ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags) | |
55 { | |
56 unsigned char *bp; | |
57 unsigned char *pBuf; | |
58 int nb, err, rv; | |
59 | |
60 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); | |
61 | |
62 if (gs->state == GS_INIT) { | |
63 /* Initialize gathering engine */ | |
64 gs->state = GS_HEADER; | |
65 gs->remainder = 3; | |
66 gs->count = 3; | |
67 gs->offset = 0; | |
68 gs->recordLen = 0; | |
69 gs->recordPadding = 0; | |
70 gs->hdr[2] = 0; | |
71 | |
72 gs->writeOffset = 0; | |
73 gs->readOffset = 0; | |
74 } | |
75 if (gs->encrypted) { | |
76 PORT_Assert(ss->sec.hash != 0); | |
77 } | |
78 | |
79 pBuf = gs->buf.buf; | |
80 for (;;) { | |
81 SSL_TRC(30, ("%d: SSL[%d]: gather state %d (need %d more)", | |
82 SSL_GETPID(), ss->fd, gs->state, gs->remainder)); | |
83 bp = ((gs->state != GS_HEADER) ? pBuf : gs->hdr) + gs->offset; | |
84 nb = ssl_DefRecv(ss, bp, gs->remainder, flags); | |
85 if (nb > 0) { | |
86 PRINT_BUF(60, (ss, "raw gather data:", bp, nb)); | |
87 } | |
88 if (nb == 0) { | |
89 /* EOF */ | |
90 SSL_TRC(30, ("%d: SSL[%d]: EOF", SSL_GETPID(), ss->fd)); | |
91 rv = 0; | |
92 break; | |
93 } | |
94 if (nb < 0) { | |
95 SSL_DBG(("%d: SSL[%d]: recv error %d", SSL_GETPID(), ss->fd, | |
96 PR_GetError())); | |
97 rv = SECFailure; | |
98 break; | |
99 } | |
100 | |
101 gs->offset += nb; | |
102 gs->remainder -= nb; | |
103 | |
104 if (gs->remainder > 0) { | |
105 continue; | |
106 } | |
107 | |
108 /* Probably finished this piece */ | |
109 switch (gs->state) { | |
110 case GS_HEADER: | |
111 if (!SSL3_ALL_VERSIONS_DISABLED(&ss->vrange) && !ss->firstHsDone
) { | |
112 | |
113 PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss))
; | |
114 | |
115 /* If this looks like an SSL3 handshake record, | |
116 ** and we're expecting an SSL2 Hello message from our peer, | |
117 ** handle it here. | |
118 */ | |
119 if (gs->hdr[0] == content_handshake) { | |
120 if ((ss->nextHandshake == ssl2_HandleClientHelloMessage)
|| | |
121 (ss->nextHandshake == ssl2_HandleServerHelloMessage)
) { | |
122 rv = ssl2_HandleV3HandshakeRecord(ss); | |
123 if (rv == SECFailure) { | |
124 return SECFailure; | |
125 } | |
126 } | |
127 /* XXX_1 The call stack to here is: | |
128 * ssl_Do1stHandshake -> ssl_GatherRecord1stHandshake -> | |
129 * ssl2_GatherRecord -> here. | |
130 * We want to return all the way out to ssl_Do1stHandsha
ke, | |
131 * and have it call ssl_GatherRecord1stHandshake again. | |
132 * ssl_GatherRecord1stHandshake will call | |
133 * ssl3_GatherCompleteHandshake when it is called again. | |
134 * | |
135 * Returning SECWouldBlock here causes | |
136 * ssl_GatherRecord1stHandshake to return without cleari
ng | |
137 * ss->handshake, ensuring that ssl_Do1stHandshake will | |
138 * call it again immediately. | |
139 * | |
140 * If we return 1 here, ssl_GatherRecord1stHandshake wil
l | |
141 * clear ss->handshake before returning, and thus will n
ot | |
142 * be called again by ssl_Do1stHandshake. | |
143 */ | |
144 return SECWouldBlock; | |
145 } else if (gs->hdr[0] == content_alert) { | |
146 if (ss->nextHandshake == ssl2_HandleServerHelloMessage)
{ | |
147 /* XXX This is a hack. We're assuming that any fail
ure | |
148 * XXX on the client hello is a failure to match | |
149 * XXX ciphers. | |
150 */ | |
151 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); | |
152 return SECFailure; | |
153 } | |
154 } | |
155 } | |
156 | |
157 /* we've got the first 3 bytes. The header may be two or three.
*/ | |
158 if (gs->hdr[0] & 0x80) { | |
159 /* This record has a 2-byte header, and no padding */ | |
160 gs->count = ((gs->hdr[0] & 0x7f) << 8) | gs->hdr[1]; | |
161 gs->recordPadding = 0; | |
162 } else { | |
163 /* This record has a 3-byte header that is all read in now.
*/ | |
164 gs->count = ((gs->hdr[0] & 0x3f) << 8) | gs->hdr[1]; | |
165 /* is_escape = (gs->hdr[0] & 0x40) != 0; */ | |
166 gs->recordPadding = gs->hdr[2]; | |
167 } | |
168 if (!gs->count) { | |
169 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); | |
170 goto cleanup; | |
171 } | |
172 | |
173 if (gs->count > gs->buf.space) { | |
174 err = sslBuffer_Grow(&gs->buf, gs->count); | |
175 if (err) { | |
176 return err; | |
177 } | |
178 pBuf = gs->buf.buf; | |
179 } | |
180 | |
181 if (gs->hdr[0] & 0x80) { | |
182 /* we've already read in the first byte of the body. | |
183 ** Put it into the buffer. | |
184 */ | |
185 pBuf[0] = gs->hdr[2]; | |
186 gs->offset = 1; | |
187 gs->remainder = gs->count - 1; | |
188 } else { | |
189 gs->offset = 0; | |
190 gs->remainder = gs->count; | |
191 } | |
192 | |
193 if (gs->encrypted) { | |
194 gs->state = GS_MAC; | |
195 gs->recordLen = gs->count - gs->recordPadding - | |
196 ss->sec.hash->length; | |
197 } else { | |
198 gs->state = GS_DATA; | |
199 gs->recordLen = gs->count; | |
200 } | |
201 | |
202 break; | |
203 | |
204 case GS_MAC: | |
205 /* Have read in entire rest of the ciphertext. | |
206 ** Check for valid length. | |
207 ** Decrypt it. | |
208 ** Check the MAC. | |
209 */ | |
210 PORT_Assert(gs->encrypted); | |
211 | |
212 { | |
213 unsigned int macLen; | |
214 int nout; | |
215 unsigned char mac[SSL_MAX_MAC_BYTES]; | |
216 | |
217 ssl_GetSpecReadLock(ss); /**********************************
/ | |
218 | |
219 /* If this is a stream cipher, blockSize will be 1, | |
220 * and this test will always be false. | |
221 * If this is a block cipher, this will detect records | |
222 * that are not a multiple of the blocksize in length. | |
223 */ | |
224 if (gs->count & (ss->sec.blockSize - 1)) { | |
225 /* This is an error. Sender is misbehaving */ | |
226 SSL_DBG(("%d: SSL[%d]: sender, count=%d blockSize=%d", | |
227 SSL_GETPID(), ss->fd, gs->count, | |
228 ss->sec.blockSize)); | |
229 PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING); | |
230 rv = SECFailure; | |
231 goto spec_locked_done; | |
232 } | |
233 PORT_Assert(gs->count == gs->offset); | |
234 | |
235 if (gs->offset == 0) { | |
236 rv = 0; /* means EOF. */ | |
237 goto spec_locked_done; | |
238 } | |
239 | |
240 /* Decrypt the portion of data that we just received. | |
241 ** Decrypt it in place. | |
242 */ | |
243 rv = (*ss->sec.dec)(ss->sec.readcx, pBuf, &nout, gs->offset, | |
244 pBuf, gs->offset); | |
245 if (rv != SECSuccess) { | |
246 goto spec_locked_done; | |
247 } | |
248 | |
249 /* Have read in all the MAC portion of record | |
250 ** | |
251 ** Prepare MAC by resetting it and feeding it the shared sec
ret | |
252 */ | |
253 macLen = ss->sec.hash->length; | |
254 if (gs->offset >= macLen) { | |
255 PRUint32 sequenceNumber = ss->sec.rcvSequence++; | |
256 unsigned char seq[4]; | |
257 | |
258 seq[0] = (unsigned char)(sequenceNumber >> 24); | |
259 seq[1] = (unsigned char)(sequenceNumber >> 16); | |
260 seq[2] = (unsigned char)(sequenceNumber >> 8); | |
261 seq[3] = (unsigned char)(sequenceNumber); | |
262 | |
263 (*ss->sec.hash->begin)(ss->sec.hashcx); | |
264 (*ss->sec.hash->update)(ss->sec.hashcx, ss->sec.rcvSecre
t.data, | |
265 ss->sec.rcvSecret.len); | |
266 (*ss->sec.hash->update)(ss->sec.hashcx, pBuf + macLen, | |
267 gs->offset - macLen); | |
268 (*ss->sec.hash->update)(ss->sec.hashcx, seq, 4); | |
269 (*ss->sec.hash->end)(ss->sec.hashcx, mac, &macLen, macLe
n); | |
270 | |
271 PORT_Assert(macLen == ss->sec.hash->length); | |
272 | |
273 ssl_ReleaseSpecReadLock(ss); /**************************
****/ | |
274 | |
275 if (NSS_SecureMemcmp(mac, pBuf, macLen) != 0) { | |
276 /* MAC's didn't match... */ | |
277 SSL_DBG(("%d: SSL[%d]: mac check failed, seq=%d", | |
278 SSL_GETPID(), ss->fd, ss->sec.rcvSequence))
; | |
279 PRINT_BUF(1, (ss, "computed mac:", mac, macLen)); | |
280 PRINT_BUF(1, (ss, "received mac:", pBuf, macLen)); | |
281 PORT_SetError(SSL_ERROR_BAD_MAC_READ); | |
282 rv = SECFailure; | |
283 goto cleanup; | |
284 } | |
285 } else { | |
286 ssl_ReleaseSpecReadLock(ss); /**************************
****/ | |
287 } | |
288 | |
289 if (gs->recordPadding + macLen <= gs->offset) { | |
290 gs->recordOffset = macLen; | |
291 gs->readOffset = macLen; | |
292 gs->writeOffset = gs->offset - gs->recordPadding; | |
293 rv = 1; | |
294 } else { | |
295 PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING); | |
296 cleanup: | |
297 /* nothing in the buffer any more. */ | |
298 gs->recordOffset = 0; | |
299 gs->readOffset = 0; | |
300 gs->writeOffset = 0; | |
301 rv = SECFailure; | |
302 } | |
303 | |
304 gs->recordLen = gs->writeOffset - gs->readOffset; | |
305 gs->recordPadding = 0; /* forget we did any padding. */ | |
306 gs->state = GS_INIT; | |
307 | |
308 if (rv > 0) { | |
309 PRINT_BUF(50, (ss, "recv clear record:", | |
310 pBuf + gs->recordOffset, gs->recordLen)); | |
311 } | |
312 return rv; | |
313 | |
314 spec_locked_done: | |
315 ssl_ReleaseSpecReadLock(ss); | |
316 return rv; | |
317 } | |
318 | |
319 case GS_DATA: | |
320 /* Have read in all the DATA portion of record */ | |
321 | |
322 gs->recordOffset = 0; | |
323 gs->readOffset = 0; | |
324 gs->writeOffset = gs->offset; | |
325 PORT_Assert(gs->recordLen == gs->writeOffset - gs->readOffset); | |
326 gs->recordLen = gs->offset; | |
327 gs->recordPadding = 0; | |
328 gs->state = GS_INIT; | |
329 | |
330 ++ss->sec.rcvSequence; | |
331 | |
332 PRINT_BUF(50, (ss, "recv clear record:", | |
333 pBuf + gs->recordOffset, gs->recordLen)); | |
334 return 1; | |
335 | |
336 } /* end switch gs->state */ | |
337 } /* end gather loop. */ | |
338 return rv; | |
339 } | |
340 | |
341 /* | |
342 ** Gather a single record of data from the receiving stream. This code | |
343 ** first gathers the header (2 or 3 bytes long depending on the value of | |
344 ** the most significant bit in the first byte) then gathers up the data | |
345 ** for the record into the readBuf. This code handles non-blocking I/O | |
346 ** and is to be called multiple times until ss->sec.recordLen != 0. | |
347 * | |
348 * Returns +1 when it has gathered a complete SSLV2 record. | |
349 * Returns 0 if it hits EOF. | |
350 * Returns -1 (SECFailure) on any error | |
351 * Returns -2 (SECWouldBlock) | |
352 * | |
353 * Called by ssl_GatherRecord1stHandshake in sslcon.c, | |
354 * and by DoRecv in sslsecur.c | |
355 * Caller must hold RecvBufLock. | |
356 */ | |
357 int | |
358 ssl2_GatherRecord(sslSocket *ss, int flags) | |
359 { | |
360 return ssl2_GatherData(ss, &ss->gs, flags); | |
361 } | |
362 | |
363 /* Caller should hold RecvBufLock. */ | |
364 SECStatus | |
365 ssl_InitGather(sslGather *gs) | |
366 { | |
367 SECStatus status; | |
368 | |
369 gs->state = GS_INIT; | |
370 gs->writeOffset = 0; | |
371 gs->readOffset = 0; | |
372 gs->dtlsPacketOffset = 0; | |
373 gs->dtlsPacket.len = 0; | |
374 status = sslBuffer_Grow(&gs->buf, 4096); | |
375 return status; | |
376 } | |
377 | |
378 /* Caller must hold RecvBufLock. */ | |
379 void | |
380 ssl_DestroyGather(sslGather *gs) | |
381 { | |
382 if (gs) { /* the PORT_*Free functions check for NULL pointers. */ | |
383 PORT_ZFree(gs->buf.buf, gs->buf.space); | |
384 PORT_Free(gs->inbuf.buf); | |
385 PORT_Free(gs->dtlsPacket.buf); | |
386 } | |
387 } | |
388 | |
389 /* Caller must hold RecvBufLock. */ | |
390 static SECStatus | |
391 ssl2_HandleV3HandshakeRecord(sslSocket *ss) | |
392 { | |
393 SECStatus rv; | |
394 | |
395 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); | |
396 PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss)); | |
397 | |
398 /* We've read in 3 bytes, there are 2 more to go in an ssl3 header. */ | |
399 ss->gs.remainder = 2; | |
400 ss->gs.count = 0; | |
401 | |
402 /* Clearing these handshake pointers ensures that | |
403 * ssl_Do1stHandshake won't call ssl2_HandleMessage when we return. | |
404 */ | |
405 ss->nextHandshake = 0; | |
406 ss->securityHandshake = 0; | |
407 | |
408 /* Setting ss->version to an SSL 3.x value will cause | |
409 ** ssl_GatherRecord1stHandshake to invoke ssl3_GatherCompleteHandshake() | |
410 ** the next time it is called. | |
411 **/ | |
412 rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED, | |
413 PR_TRUE); | |
414 if (rv != SECSuccess) { | |
415 return rv; | |
416 } | |
417 | |
418 ss->sec.send = ssl3_SendApplicationData; | |
419 | |
420 return SECSuccess; | |
421 } | |
OLD | NEW |