1 /*
2 * Gather (Read) entire SSL2 records from socket into buffer.
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #include "cert.h"
8 #include "ssl.h"
9 #include "sslimpl.h"
10 #include "sslproto.h"
11
12 /* Forward static declarations */
13 static SECStatus ssl2_HandleV3HandshakeRecord(sslSocket *ss);
14
15 /*
16 ** Gather a single record of data from the receiving stream. This code
17 ** first gathers the header (2 or 3 bytes long depending on the value of
18 ** the most significant bit in the first byte) then gathers up the data
19 ** for the record into gs->buf. This code handles non-blocking I/O
20 ** and is to be called multiple times until ss->sec.recordLen != 0.
21 ** This function decrypts the gathered record in place, in gs_buf.
22 *
23 * Caller must hold RecvBufLock.
24 *
25 * Returns +1 when it has gathered a complete SSLV2 record.
26 * Returns 0 if it hits EOF.
27 * Returns -1 (SECFailure) on any error
28 * Returns -2 (SECWouldBlock) when it gathers an SSL v3 client hello header.
29 **
30 ** The SSL2 Gather State machine has 4 states:
31 ** GS_INIT - Done reading in previous record. Haven't begun to read in
32 ** next record. When ssl2_GatherData is called with the machine
33 ** in this state, the machine will attempt to read the first 3
34 ** bytes of the SSL2 record header, and will advance the state
35 ** to GS_HEADER.
36 **
37 ** GS_HEADER - The machine is in this state while waiting for the completion
38 ** of the first 3 bytes of the SSL2 record. When complete, the
39 ** machine will compute the remaining unread length of this record
40 ** and will initiate a read of that many bytes. The machine will
41 ** advance to one of two states, depending on whether the record
42 ** is encrypted (GS_MAC), or unencrypted (GS_DATA).
43 **
44 ** GS_MAC - The machine is in this state while waiting for the remainder
45 ** of the SSL2 record to be read in. When the read is completed,
46 ** the machine checks the record for valid length, decrypts it,
47 ** and checks and discards the MAC, then advances to GS_INIT.
48 **
49 ** GS_DATA - The machine is in this state while waiting for the remainder
50 ** of the unencrypted SSL2 record to be read in. Upon completion,
51 ** the machine advances to the GS_INIT state and returns the data.
52 */
53 int
ssl2_GatherData(sslSocket * ss,sslGather * gs,int flags)54 ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
55 {
56 unsigned char * bp;
57 unsigned char * pBuf;
58 int nb, err, rv;
59
60 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
61
62 if (gs->state == GS_INIT) {
63 /* Initialize gathering engine */
64 gs->state = GS_HEADER;
65 gs->remainder = 3;
66 gs->count = 3;
67 gs->offset = 0;
68 gs->recordLen = 0;
69 gs->recordPadding = 0;
70 gs->hdr[2] = 0;
71
72 gs->writeOffset = 0;
73 gs->readOffset = 0;
74 }
75 if (gs->encrypted) {
76 PORT_Assert(ss->sec.hash != 0);
77 }
78
79 pBuf = gs->buf.buf;
80 for (;;) {
81 SSL_TRC(30, ("%d: SSL[%d]: gather state %d (need %d more)",
82 SSL_GETPID(), ss->fd, gs->state, gs->remainder));
83 bp = ((gs->state != GS_HEADER) ? pBuf : gs->hdr) + gs->offset;
84 nb = ssl_DefRecv(ss, bp, gs->remainder, flags);
85 if (nb > 0) {
86 PRINT_BUF(60, (ss, "raw gather data:", bp, nb));
87 }
88 if (nb == 0) {
89 /* EOF */
90 SSL_TRC(30, ("%d: SSL[%d]: EOF", SSL_GETPID(), ss->fd));
91 rv = 0;
92 break;
93 }
94 if (nb < 0) {
95 SSL_DBG(("%d: SSL[%d]: recv error %d", SSL_GETPID(), ss->fd,
96 PR_GetError()));
97 rv = SECFailure;
98 break;
99 }
100
101 gs->offset += nb;
102 gs->remainder -= nb;
103
104 if (gs->remainder > 0) {
105 continue;
106 }
107
108 /* Probably finished this piece */
109 switch (gs->state) {
110 case GS_HEADER:
111 if (!SSL3_ALL_VERSIONS_DISABLED(&ss->vrange) && !ss->firstHsDone) {
112
113 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
114
115 /* If this looks like an SSL3 handshake record,
116 ** and we're expecting an SSL2 Hello message from our peer,
117 ** handle it here.
118 */
119 if (gs->hdr[0] == content_handshake) {
120 if ((ss->nextHandshake == ssl2_HandleClientHelloMessage) ||
121 (ss->nextHandshake == ssl2_HandleServerHelloMessage)) {
122 rv = ssl2_HandleV3HandshakeRecord(ss);
123 if (rv == SECFailure) {
124 return SECFailure;
125 }
126 }
127 /* XXX_1 The call stack to here is:
128 * ssl_Do1stHandshake -> ssl_GatherRecord1stHandshake ->
129 * ssl2_GatherRecord -> here.
130 * We want to return all the way out to ssl_Do1stHandshake,
131 * and have it call ssl_GatherRecord1stHandshake again.
132 * ssl_GatherRecord1stHandshake will call
133 * ssl3_GatherCompleteHandshake when it is called again.
134 *
135 * Returning SECWouldBlock here causes
136 * ssl_GatherRecord1stHandshake to return without clearing
137 * ss->handshake, ensuring that ssl_Do1stHandshake will
138 * call it again immediately.
139 *
140 * If we return 1 here, ssl_GatherRecord1stHandshake will
141 * clear ss->handshake before returning, and thus will not
142 * be called again by ssl_Do1stHandshake.
143 */
144 return SECWouldBlock;
145 } else if (gs->hdr[0] == content_alert) {
146 if (ss->nextHandshake == ssl2_HandleServerHelloMessage) {
147 /* XXX This is a hack. We're assuming that any failure
148 * XXX on the client hello is a failure to match
149 * XXX ciphers.
150 */
151 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
152 return SECFailure;
153 }
154 }
155 }
156
157 /* we've got the first 3 bytes. The header may be two or three. */
158 if (gs->hdr[0] & 0x80) {
159 /* This record has a 2-byte header, and no padding */
160 gs->count = ((gs->hdr[0] & 0x7f) << 8) | gs->hdr[1];
161 gs->recordPadding = 0;
162 } else {
163 /* This record has a 3-byte header that is all read in now. */
164 gs->count = ((gs->hdr[0] & 0x3f) << 8) | gs->hdr[1];
165 /* is_escape = (gs->hdr[0] & 0x40) != 0; */
166 gs->recordPadding = gs->hdr[2];
167 }
168 if (!gs->count) {
169 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
170 goto cleanup;
171 }
172
173 if (gs->count > gs->buf.space) {
174 err = sslBuffer_Grow(&gs->buf, gs->count);
175 if (err) {
176 return err;
177 }
178 pBuf = gs->buf.buf;
179 }
180
181
182 if (gs->hdr[0] & 0x80) {
183 /* we've already read in the first byte of the body.
184 ** Put it into the buffer.
185 */
186 pBuf[0] = gs->hdr[2];
187 gs->offset = 1;
188 gs->remainder = gs->count - 1;
189 } else {
190 gs->offset = 0;
191 gs->remainder = gs->count;
192 }
193
194 if (gs->encrypted) {
195 gs->state = GS_MAC;
196 gs->recordLen = gs->count - gs->recordPadding
197 - ss->sec.hash->length;
198 } else {
199 gs->state = GS_DATA;
200 gs->recordLen = gs->count;
201 }
202
203 break;
204
205
206 case GS_MAC:
207 /* Have read in entire rest of the ciphertext.
208 ** Check for valid length.
209 ** Decrypt it.
210 ** Check the MAC.
211 */
212 PORT_Assert(gs->encrypted);
213
214 {
215 unsigned int macLen;
216 int nout;
217 unsigned char mac[SSL_MAX_MAC_BYTES];
218
219 ssl_GetSpecReadLock(ss); /**********************************/
220
221 /* If this is a stream cipher, blockSize will be 1,
222 * and this test will always be false.
223 * If this is a block cipher, this will detect records
224 * that are not a multiple of the blocksize in length.
225 */
226 if (gs->count & (ss->sec.blockSize - 1)) {
227 /* This is an error. Sender is misbehaving */
228 SSL_DBG(("%d: SSL[%d]: sender, count=%d blockSize=%d",
229 SSL_GETPID(), ss->fd, gs->count,
230 ss->sec.blockSize));
231 PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
232 rv = SECFailure;
233 goto spec_locked_done;
234 }
235 PORT_Assert(gs->count == gs->offset);
236
237 if (gs->offset == 0) {
238 rv = 0; /* means EOF. */
239 goto spec_locked_done;
240 }
241
242 /* Decrypt the portion of data that we just received.
243 ** Decrypt it in place.
244 */
245 rv = (*ss->sec.dec)(ss->sec.readcx, pBuf, &nout, gs->offset,
246 pBuf, gs->offset);
247 if (rv != SECSuccess) {
248 goto spec_locked_done;
249 }
250
251
252 /* Have read in all the MAC portion of record
253 **
254 ** Prepare MAC by resetting it and feeding it the shared secret
255 */
256 macLen = ss->sec.hash->length;
257 if (gs->offset >= macLen) {
258 PRUint32 sequenceNumber = ss->sec.rcvSequence++;
259 unsigned char seq[4];
260
261 seq[0] = (unsigned char) (sequenceNumber >> 24);
262 seq[1] = (unsigned char) (sequenceNumber >> 16);
263 seq[2] = (unsigned char) (sequenceNumber >> 8);
264 seq[3] = (unsigned char) (sequenceNumber);
265
266 (*ss->sec.hash->begin)(ss->sec.hashcx);
267 (*ss->sec.hash->update)(ss->sec.hashcx, ss->sec.rcvSecret.data,
268 ss->sec.rcvSecret.len);
269 (*ss->sec.hash->update)(ss->sec.hashcx, pBuf + macLen,
270 gs->offset - macLen);
271 (*ss->sec.hash->update)(ss->sec.hashcx, seq, 4);
272 (*ss->sec.hash->end)(ss->sec.hashcx, mac, &macLen, macLen);
273
274 PORT_Assert(macLen == ss->sec.hash->length);
275
276 ssl_ReleaseSpecReadLock(ss); /******************************/
277
278 if (NSS_SecureMemcmp(mac, pBuf, macLen) != 0) {
279 /* MAC's didn't match... */
280 SSL_DBG(("%d: SSL[%d]: mac check failed, seq=%d",
281 SSL_GETPID(), ss->fd, ss->sec.rcvSequence));
282 PRINT_BUF(1, (ss, "computed mac:", mac, macLen));
283 PRINT_BUF(1, (ss, "received mac:", pBuf, macLen));
284 PORT_SetError(SSL_ERROR_BAD_MAC_READ);
285 rv = SECFailure;
286 goto cleanup;
287 }
288 } else {
289 ssl_ReleaseSpecReadLock(ss); /******************************/
290 }
291
292 if (gs->recordPadding + macLen <= gs->offset) {
293 gs->recordOffset = macLen;
294 gs->readOffset = macLen;
295 gs->writeOffset = gs->offset - gs->recordPadding;
296 rv = 1;
297 } else {
298 PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
299 cleanup:
300 /* nothing in the buffer any more. */
301 gs->recordOffset = 0;
302 gs->readOffset = 0;
303 gs->writeOffset = 0;
304 rv = SECFailure;
305 }
306
307 gs->recordLen = gs->writeOffset - gs->readOffset;
308 gs->recordPadding = 0; /* forget we did any padding. */
309 gs->state = GS_INIT;
310
311
312 if (rv > 0) {
313 PRINT_BUF(50, (ss, "recv clear record:",
314 pBuf + gs->recordOffset, gs->recordLen));
315 }
316 return rv;
317
318 spec_locked_done:
319 ssl_ReleaseSpecReadLock(ss);
320 return rv;
321 }
322
323 case GS_DATA:
324 /* Have read in all the DATA portion of record */
325
326 gs->recordOffset = 0;
327 gs->readOffset = 0;
328 gs->writeOffset = gs->offset;
329 PORT_Assert(gs->recordLen == gs->writeOffset - gs->readOffset);
330 gs->recordLen = gs->offset;
331 gs->recordPadding = 0;
332 gs->state = GS_INIT;
333
334 ++ss->sec.rcvSequence;
335
336 PRINT_BUF(50, (ss, "recv clear record:",
337 pBuf + gs->recordOffset, gs->recordLen));
338 return 1;
339
340 } /* end switch gs->state */
341 } /* end gather loop. */
342 return rv;
343 }
344
345 /*
346 ** Gather a single record of data from the receiving stream. This code
347 ** first gathers the header (2 or 3 bytes long depending on the value of
348 ** the most significant bit in the first byte) then gathers up the data
349 ** for the record into the readBuf. This code handles non-blocking I/O
350 ** and is to be called multiple times until ss->sec.recordLen != 0.
351 *
352 * Returns +1 when it has gathered a complete SSLV2 record.
353 * Returns 0 if it hits EOF.
354 * Returns -1 (SECFailure) on any error
355 * Returns -2 (SECWouldBlock)
356 *
357 * Called by ssl_GatherRecord1stHandshake in sslcon.c,
358 * and by DoRecv in sslsecur.c
359 * Caller must hold RecvBufLock.
360 */
361 int
ssl2_GatherRecord(sslSocket * ss,int flags)362 ssl2_GatherRecord(sslSocket *ss, int flags)
363 {
364 return ssl2_GatherData(ss, &ss->gs, flags);
365 }
366
367 /*
368 * Returns +1 when it has gathered a complete SSLV2 record.
369 * Returns 0 if it hits EOF.
370 * Returns -1 (SECFailure) on any error
371 * Returns -2 (SECWouldBlock)
372 *
373 * Called from SocksStartGather in sslsocks.c
374 * Caller must hold RecvBufLock.
375 */
376 int
ssl2_StartGatherBytes(sslSocket * ss,sslGather * gs,unsigned int count)377 ssl2_StartGatherBytes(sslSocket *ss, sslGather *gs, unsigned int count)
378 {
379 int rv;
380
381 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
382 gs->state = GS_DATA;
383 gs->remainder = count;
384 gs->count = count;
385 gs->offset = 0;
386 if (count > gs->buf.space) {
387 rv = sslBuffer_Grow(&gs->buf, count);
388 if (rv) {
389 return rv;
390 }
391 }
392 return ssl2_GatherData(ss, gs, 0);
393 }
394
395 /* Caller should hold RecvBufLock. */
396 SECStatus
ssl_InitGather(sslGather * gs)397 ssl_InitGather(sslGather *gs)
398 {
399 SECStatus status;
400
401 gs->state = GS_INIT;
402 gs->writeOffset = 0;
403 gs->readOffset = 0;
404 gs->dtlsPacketOffset = 0;
405 gs->dtlsPacket.len = 0;
406 status = sslBuffer_Grow(&gs->buf, 4096);
407 return status;
408 }
409
410 /* Caller must hold RecvBufLock. */
411 void
ssl_DestroyGather(sslGather * gs)412 ssl_DestroyGather(sslGather *gs)
413 {
414 if (gs) { /* the PORT_*Free functions check for NULL pointers. */
415 PORT_ZFree(gs->buf.buf, gs->buf.space);
416 PORT_Free(gs->inbuf.buf);
417 PORT_Free(gs->dtlsPacket.buf);
418 }
419 }
420
421 /* Caller must hold RecvBufLock. */
422 static SECStatus
ssl2_HandleV3HandshakeRecord(sslSocket * ss)423 ssl2_HandleV3HandshakeRecord(sslSocket *ss)
424 {
425 SECStatus rv;
426
427 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
428 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
429
430 /* We've read in 3 bytes, there are 2 more to go in an ssl3 header. */
431 ss->gs.remainder = 2;
432 ss->gs.count = 0;
433
434 /* Clearing these handshake pointers ensures that
435 * ssl_Do1stHandshake won't call ssl2_HandleMessage when we return.
436 */
437 ss->nextHandshake = 0;
438 ss->securityHandshake = 0;
439
440 /* Setting ss->version to an SSL 3.x value will cause
441 ** ssl_GatherRecord1stHandshake to invoke ssl3_GatherCompleteHandshake()
442 ** the next time it is called.
443 **/
444 rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED,
445 PR_TRUE);
446 if (rv != SECSuccess) {
447 return rv;
448 }
449
450 ss->sec.send = ssl3_SendApplicationData;
451
452 return SECSuccess;
453 }
454