1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/websockets/websocket_frame.h"
6
7 #include <stddef.h>
8 #include <string.h>
9
10 #include <ostream>
11
12 #include "base/check.h"
13 #include "base/check_op.h"
14 #include "base/containers/span.h"
15 #include "base/containers/span_writer.h"
16 #include "base/numerics/safe_conversions.h"
17 #include "base/rand_util.h"
18 #include "base/ranges/algorithm.h"
19 #include "base/strings/string_util.h"
20 #include "build/build_config.h"
21 #include "net/base/net_errors.h"
22 #include "net/websockets/websocket_errors.h"
23
24 namespace net {
25
26 namespace {
27
28 // GCC (and Clang) can transparently use vector ops. Only try to do this on
29 // architectures where we know it works, otherwise gcc will attempt to emulate
30 // the vector ops, which is unlikely to be efficient.
31 #if defined(COMPILER_GCC) && \
32 (defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY))
33
34 using PackedMaskType = uint32_t __attribute__((vector_size(16)));
35
36 #else
37
38 using PackedMaskType = size_t;
39
40 #endif // defined(COMPILER_GCC) &&
41 // (defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY))
42
43 constexpr size_t kWebSocketCloseCodeLength = 2;
44
45 constexpr uint8_t kFinalBit = 0x80;
46 constexpr uint8_t kReserved1Bit = 0x40;
47 constexpr uint8_t kReserved2Bit = 0x20;
48 constexpr uint8_t kReserved3Bit = 0x10;
49 constexpr uint8_t kOpCodeMask = 0xF;
50 constexpr uint8_t kMaskBit = 0x80;
51 constexpr uint64_t kMaxPayloadLengthWithoutExtendedLengthField = 125;
52 constexpr uint64_t kPayloadLengthWithTwoByteExtendedLengthField = 126;
53 constexpr uint64_t kPayloadLengthWithEightByteExtendedLengthField = 127;
54
MaskWebSocketFramePayloadByBytes(const WebSocketMaskingKey & masking_key,size_t masking_key_offset,const base::span<uint8_t> payload)55 inline void MaskWebSocketFramePayloadByBytes(
56 const WebSocketMaskingKey& masking_key,
57 size_t masking_key_offset,
58 const base::span<uint8_t> payload) {
59 uint8_t* data = payload.data();
60 const size_t size = payload.size();
61 for (size_t i = 0; i < size; ++i) {
62 // SAFETY: Performance sensitive. `data` is within `payload` bounds.
63 UNSAFE_BUFFERS(data[i]) ^=
64 masking_key.key[masking_key_offset++ %
65 WebSocketFrameHeader::kMaskingKeyLength];
66 }
67 }
68
69 } // namespace
70
Clone() const71 std::unique_ptr<WebSocketFrameHeader> WebSocketFrameHeader::Clone() const {
72 auto ret = std::make_unique<WebSocketFrameHeader>(opcode);
73 ret->CopyFrom(*this);
74 return ret;
75 }
76
CopyFrom(const WebSocketFrameHeader & source)77 void WebSocketFrameHeader::CopyFrom(const WebSocketFrameHeader& source) {
78 final = source.final;
79 reserved1 = source.reserved1;
80 reserved2 = source.reserved2;
81 reserved3 = source.reserved3;
82 opcode = source.opcode;
83 masked = source.masked;
84 masking_key = source.masking_key;
85 payload_length = source.payload_length;
86 }
87
WebSocketFrame(WebSocketFrameHeader::OpCode opcode)88 WebSocketFrame::WebSocketFrame(WebSocketFrameHeader::OpCode opcode)
89 : header(opcode) {}
90
91 WebSocketFrame::~WebSocketFrame() = default;
92
93 WebSocketFrameChunk::WebSocketFrameChunk() = default;
94
95 WebSocketFrameChunk::~WebSocketFrameChunk() = default;
96
GetWebSocketFrameHeaderSize(const WebSocketFrameHeader & header)97 size_t GetWebSocketFrameHeaderSize(const WebSocketFrameHeader& header) {
98 size_t extended_length_size = 0u;
99 if (header.payload_length > kMaxPayloadLengthWithoutExtendedLengthField &&
100 header.payload_length <= UINT16_MAX) {
101 extended_length_size = 2u;
102 } else if (header.payload_length > UINT16_MAX) {
103 extended_length_size = 8u;
104 }
105
106 return (WebSocketFrameHeader::kBaseHeaderSize + extended_length_size +
107 (header.masked ? WebSocketFrameHeader::kMaskingKeyLength : 0u));
108 }
109
WriteWebSocketFrameHeader(const WebSocketFrameHeader & header,const WebSocketMaskingKey * masking_key,base::span<uint8_t> buffer)110 int WriteWebSocketFrameHeader(const WebSocketFrameHeader& header,
111 const WebSocketMaskingKey* masking_key,
112 base::span<uint8_t> buffer) {
113 DCHECK((header.opcode & kOpCodeMask) == header.opcode)
114 << "header.opcode must fit to kOpCodeMask.";
115 DCHECK(header.payload_length <= static_cast<uint64_t>(INT64_MAX))
116 << "WebSocket specification doesn't allow a frame longer than "
117 << "INT64_MAX (0x7FFFFFFFFFFFFFFF) bytes.";
118
119 // WebSocket frame format is as follows:
120 // - Common header (2 bytes)
121 // - Optional extended payload length
122 // (2 or 8 bytes, present if actual payload length is more than 125 bytes)
123 // - Optional masking key (4 bytes, present if MASK bit is on)
124 // - Actual payload (XOR masked with masking key if MASK bit is on)
125 //
126 // This function constructs frame header (the first three in the list
127 // above).
128
129 size_t header_size = GetWebSocketFrameHeaderSize(header);
130 if (header_size > buffer.size()) {
131 return ERR_INVALID_ARGUMENT;
132 }
133
134 base::SpanWriter writer(buffer);
135
136 uint8_t first_byte = 0u;
137 first_byte |= header.final ? kFinalBit : 0u;
138 first_byte |= header.reserved1 ? kReserved1Bit : 0u;
139 first_byte |= header.reserved2 ? kReserved2Bit : 0u;
140 first_byte |= header.reserved3 ? kReserved3Bit : 0u;
141 first_byte |= header.opcode & kOpCodeMask;
142 writer.WriteU8BigEndian(first_byte);
143
144 int extended_length_size = 0;
145 uint8_t second_byte = 0u;
146 second_byte |= header.masked ? kMaskBit : 0u;
147 if (header.payload_length <= kMaxPayloadLengthWithoutExtendedLengthField) {
148 second_byte |= header.payload_length;
149 } else if (header.payload_length <= UINT16_MAX) {
150 second_byte |= kPayloadLengthWithTwoByteExtendedLengthField;
151 extended_length_size = 2;
152 } else {
153 second_byte |= kPayloadLengthWithEightByteExtendedLengthField;
154 extended_length_size = 8;
155 }
156 writer.WriteU8BigEndian(second_byte);
157
158 // Writes "extended payload length" field.
159 if (extended_length_size == 2) {
160 writer.WriteU16BigEndian(static_cast<uint16_t>(header.payload_length));
161 } else if (extended_length_size == 8) {
162 writer.WriteU64BigEndian(header.payload_length);
163 }
164
165 // Writes "masking key" field, if needed.
166 if (header.masked) {
167 DCHECK(masking_key);
168 writer.Write(masking_key->key);
169 } else {
170 DCHECK(!masking_key);
171 }
172
173 // Verify we wrote the expected number of bytes.
174 DCHECK_EQ(header_size, writer.num_written());
175 return header_size;
176 }
177
GenerateWebSocketMaskingKey()178 WebSocketMaskingKey GenerateWebSocketMaskingKey() {
179 // Masking keys should be generated from a cryptographically secure random
180 // number generator, which means web application authors should not be able
181 // to guess the next value of masking key.
182 WebSocketMaskingKey masking_key;
183 base::RandBytes(masking_key.key);
184 return masking_key;
185 }
186
MaskWebSocketFramePayload(const WebSocketMaskingKey & masking_key,uint64_t frame_offset,base::span<uint8_t> data)187 void MaskWebSocketFramePayload(const WebSocketMaskingKey& masking_key,
188 uint64_t frame_offset,
189 base::span<uint8_t> data) {
190 static constexpr size_t kMaskingKeyLength =
191 WebSocketFrameHeader::kMaskingKeyLength;
192
193 // Most of the masking is done in chunks of sizeof(PackedMaskType), except for
194 // the beginning and the end of the buffer which may be unaligned.
195 // PackedMaskType must be a multiple of kMaskingKeyLength in size.
196 PackedMaskType packed_mask_key;
197 static constexpr size_t kPackedMaskKeySize = sizeof(packed_mask_key);
198 static_assert((kPackedMaskKeySize >= kMaskingKeyLength &&
199 kPackedMaskKeySize % kMaskingKeyLength == 0),
200 "PackedMaskType size is not a multiple of mask length");
201 // If the buffer is too small for the vectorised version to be useful, revert
202 // to the byte-at-a-time implementation early.
203 if (data.size() <= kPackedMaskKeySize * 2) {
204 MaskWebSocketFramePayloadByBytes(masking_key,
205 frame_offset % kMaskingKeyLength, data);
206 return;
207 }
208 const size_t data_modulus =
209 reinterpret_cast<size_t>(data.data()) % kPackedMaskKeySize;
210 auto [before_aligned, remaining] = data.split_at(
211 data_modulus == 0 ? 0 : (kPackedMaskKeySize - data_modulus));
212 auto [aligned, after_aligned] = remaining.split_at(
213 remaining.size() - remaining.size() % kPackedMaskKeySize);
214 MaskWebSocketFramePayloadByBytes(
215 masking_key, frame_offset % kMaskingKeyLength, before_aligned);
216
217 // Create a version of the mask which is rotated by the appropriate offset
218 // for our alignment. The "trick" here is that 0 XORed with the mask will
219 // give the value of the mask for the appropriate byte.
220 std::array<uint8_t, kMaskingKeyLength> realigned_mask = {};
221 MaskWebSocketFramePayloadByBytes(
222 masking_key, (frame_offset + before_aligned.size()) % kMaskingKeyLength,
223 base::as_writable_byte_span(realigned_mask));
224
225 base::span<uint8_t> packed_span = base::byte_span_from_ref(packed_mask_key);
226 while (!packed_span.empty()) {
227 packed_span.copy_prefix_from(realigned_mask);
228 packed_span = packed_span.subspan(realigned_mask.size());
229 }
230
231 // The main loop.
232 while (!aligned.empty()) {
233 // This is not quite standard-compliant C++. However, the standard-compliant
234 // equivalent (using memcpy()) compiles to slower code using g++. In
235 // practice, this will work for the compilers and architectures currently
236 // supported by Chromium, and the tests are extremely unlikely to pass if a
237 // future compiler/architecture breaks it.
238 *reinterpret_cast<PackedMaskType*>(aligned.data()) ^= packed_mask_key;
239 aligned = aligned.subspan(kPackedMaskKeySize);
240 }
241
242 MaskWebSocketFramePayloadByBytes(
243 masking_key,
244 (frame_offset + (data.size() - after_aligned.size())) % kMaskingKeyLength,
245 after_aligned);
246 }
247
ParseCloseFrame(base::span<const char> payload)248 ParseCloseFrameResult ParseCloseFrame(base::span<const char> payload) {
249 const uint64_t size = static_cast<uint64_t>(payload.size());
250
251 // Payload size is 0 -> No status received
252 if (size == 0U) {
253 return ParseCloseFrameResult(kWebSocketErrorNoStatusReceived,
254 std::string_view());
255 }
256
257 // Payload size is 1 -> Protocol error (invalid size)
258 if (size == 1U) {
259 return ParseCloseFrameResult(
260 kWebSocketErrorProtocolError, std::string_view(),
261 "Received a broken close frame with an invalid size of 1 byte.");
262 }
263
264 // Get the status code from the first 2 bytes
265 const uint16_t unchecked_code =
266 base::U16FromBigEndian(base::as_byte_span(payload).first<2>());
267
268 // Invalid or reserved status codes
269 if (unchecked_code == kWebSocketErrorNoStatusReceived ||
270 unchecked_code == kWebSocketErrorAbnormalClosure ||
271 unchecked_code == kWebSocketErrorTlsHandshake) {
272 return ParseCloseFrameResult(kWebSocketErrorProtocolError,
273 std::string_view(),
274 "Received a broken close frame containing a "
275 "reserved status code.");
276 }
277
278 // If size is exactly 2, return the code without a reason
279 if (size == 2U) {
280 return ParseCloseFrameResult(unchecked_code, std::string_view());
281 }
282
283 const base::span<const char> reason_span =
284 payload.subspan(kWebSocketCloseCodeLength);
285 const auto reason = base::as_string_view(reason_span);
286
287 if (base::IsStringUTF8AllowingNoncharacters(reason)) {
288 return ParseCloseFrameResult(unchecked_code, reason);
289 }
290
291 return ParseCloseFrameResult(
292 kWebSocketErrorProtocolError,
293 std::string_view("Invalid UTF-8 in Close frame"),
294 "Received a broken close frame containing invalid UTF-8.");
295 }
296
297 } // namespace net
298