michael@0: /* michael@0: * Gather (Read) entire SSL3 records from socket into buffer. michael@0: * michael@0: * This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: #include "cert.h" michael@0: #include "ssl.h" michael@0: #include "sslimpl.h" michael@0: #include "ssl3prot.h" michael@0: michael@0: /* michael@0: * Attempt to read in an entire SSL3 record. michael@0: * Blocks here for blocking sockets, otherwise returns -1 with michael@0: * PR_WOULD_BLOCK_ERROR when socket would block. michael@0: * michael@0: * returns 1 if received a complete SSL3 record. michael@0: * returns 0 if recv returns EOF michael@0: * returns -1 if recv returns < 0 michael@0: * (The error value may have already been set to PR_WOULD_BLOCK_ERROR) michael@0: * michael@0: * Caller must hold the recv buf lock. michael@0: * michael@0: * The Gather state machine has 3 states: GS_INIT, GS_HEADER, GS_DATA. michael@0: * GS_HEADER: waiting for the 5-byte SSL3 record header to come in. michael@0: * GS_DATA: waiting for the body of the SSL3 record to come in. michael@0: * michael@0: * This loop returns when either michael@0: * (a) an error or EOF occurs, michael@0: * (b) PR_WOULD_BLOCK_ERROR, michael@0: * (c) data (entire SSL3 record) has been received. michael@0: */ michael@0: static int michael@0: ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags) michael@0: { michael@0: unsigned char *bp; michael@0: unsigned char *lbp; michael@0: int nb; michael@0: int err; michael@0: int rv = 1; michael@0: michael@0: PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); michael@0: if (gs->state == GS_INIT) { michael@0: gs->state = GS_HEADER; michael@0: gs->remainder = 5; michael@0: gs->offset = 0; michael@0: gs->writeOffset = 0; michael@0: gs->readOffset = 0; michael@0: gs->inbuf.len = 0; michael@0: } michael@0: michael@0: lbp = gs->inbuf.buf; michael@0: for(;;) { michael@0: SSL_TRC(30, ("%d: SSL3[%d]: gather state %d (need %d more)", michael@0: SSL_GETPID(), ss->fd, gs->state, gs->remainder)); michael@0: bp = ((gs->state != GS_HEADER) ? lbp : gs->hdr) + gs->offset; michael@0: nb = ssl_DefRecv(ss, bp, gs->remainder, flags); michael@0: michael@0: if (nb > 0) { michael@0: PRINT_BUF(60, (ss, "raw gather data:", bp, nb)); michael@0: } else if (nb == 0) { michael@0: /* EOF */ michael@0: SSL_TRC(30, ("%d: SSL3[%d]: EOF", SSL_GETPID(), ss->fd)); michael@0: rv = 0; michael@0: break; michael@0: } else /* if (nb < 0) */ { michael@0: SSL_DBG(("%d: SSL3[%d]: recv error %d", SSL_GETPID(), ss->fd, michael@0: PR_GetError())); michael@0: rv = SECFailure; michael@0: break; michael@0: } michael@0: michael@0: PORT_Assert( nb <= gs->remainder ); michael@0: if (nb > gs->remainder) { michael@0: /* ssl_DefRecv is misbehaving! this error is fatal to SSL. */ michael@0: gs->state = GS_INIT; /* so we don't crash next time */ michael@0: rv = SECFailure; michael@0: break; michael@0: } michael@0: michael@0: gs->offset += nb; michael@0: gs->remainder -= nb; michael@0: if (gs->state == GS_DATA) michael@0: gs->inbuf.len += nb; michael@0: michael@0: /* if there's more to go, read some more. */ michael@0: if (gs->remainder > 0) { michael@0: continue; michael@0: } michael@0: michael@0: /* have received entire record header, or entire record. */ michael@0: switch (gs->state) { michael@0: case GS_HEADER: michael@0: /* michael@0: ** Have received SSL3 record header in gs->hdr. michael@0: ** Now extract the length of the following encrypted data, michael@0: ** and then read in the rest of the SSL3 record into gs->inbuf. michael@0: */ michael@0: gs->remainder = (gs->hdr[3] << 8) | gs->hdr[4]; michael@0: michael@0: /* This is the max fragment length for an encrypted fragment michael@0: ** plus the size of the record header. michael@0: */ michael@0: if(gs->remainder > (MAX_FRAGMENT_LENGTH + 2048 + 5)) { michael@0: SSL3_SendAlert(ss, alert_fatal, unexpected_message); michael@0: gs->state = GS_INIT; michael@0: PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); michael@0: return SECFailure; michael@0: } michael@0: michael@0: gs->state = GS_DATA; michael@0: gs->offset = 0; michael@0: gs->inbuf.len = 0; michael@0: michael@0: if (gs->remainder > gs->inbuf.space) { michael@0: err = sslBuffer_Grow(&gs->inbuf, gs->remainder); michael@0: if (err) { /* realloc has set error code to no mem. */ michael@0: return err; michael@0: } michael@0: lbp = gs->inbuf.buf; michael@0: } michael@0: break; /* End this case. Continue around the loop. */ michael@0: michael@0: michael@0: case GS_DATA: michael@0: /* michael@0: ** SSL3 record has been completely received. michael@0: */ michael@0: gs->state = GS_INIT; michael@0: return 1; michael@0: } michael@0: } michael@0: michael@0: return rv; michael@0: } michael@0: michael@0: /* michael@0: * Read in an entire DTLS record. michael@0: * michael@0: * Blocks here for blocking sockets, otherwise returns -1 with michael@0: * PR_WOULD_BLOCK_ERROR when socket would block. michael@0: * michael@0: * This is simpler than SSL because we are reading on a datagram socket michael@0: * and datagrams must contain >=1 complete records. michael@0: * michael@0: * returns 1 if received a complete DTLS record. michael@0: * returns 0 if recv returns EOF michael@0: * returns -1 if recv returns < 0 michael@0: * (The error value may have already been set to PR_WOULD_BLOCK_ERROR) michael@0: * michael@0: * Caller must hold the recv buf lock. michael@0: * michael@0: * This loop returns when either michael@0: * (a) an error or EOF occurs, michael@0: * (b) PR_WOULD_BLOCK_ERROR, michael@0: * (c) data (entire DTLS record) has been received. michael@0: */ michael@0: static int michael@0: dtls_GatherData(sslSocket *ss, sslGather *gs, int flags) michael@0: { michael@0: int nb; michael@0: int err; michael@0: int rv = 1; michael@0: michael@0: SSL_TRC(30, ("dtls_GatherData")); michael@0: michael@0: PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); michael@0: michael@0: gs->state = GS_HEADER; michael@0: gs->offset = 0; michael@0: michael@0: if (gs->dtlsPacketOffset == gs->dtlsPacket.len) { /* No data left */ michael@0: gs->dtlsPacketOffset = 0; michael@0: gs->dtlsPacket.len = 0; michael@0: michael@0: /* Resize to the maximum possible size so we can fit a full datagram */ michael@0: /* This is the max fragment length for an encrypted fragment michael@0: ** plus the size of the record header. michael@0: ** This magic constant is copied from ssl3_GatherData, with 5 changed michael@0: ** to 13 (the size of the record header). michael@0: */ michael@0: if (gs->dtlsPacket.space < MAX_FRAGMENT_LENGTH + 2048 + 13) { michael@0: err = sslBuffer_Grow(&gs->dtlsPacket, michael@0: MAX_FRAGMENT_LENGTH + 2048 + 13); michael@0: if (err) { /* realloc has set error code to no mem. */ michael@0: return err; michael@0: } michael@0: } michael@0: michael@0: /* recv() needs to read a full datagram at a time */ michael@0: nb = ssl_DefRecv(ss, gs->dtlsPacket.buf, gs->dtlsPacket.space, flags); michael@0: michael@0: if (nb > 0) { michael@0: PRINT_BUF(60, (ss, "raw gather data:", gs->dtlsPacket.buf, nb)); michael@0: } else if (nb == 0) { michael@0: /* EOF */ michael@0: SSL_TRC(30, ("%d: SSL3[%d]: EOF", SSL_GETPID(), ss->fd)); michael@0: rv = 0; michael@0: return rv; michael@0: } else /* if (nb < 0) */ { michael@0: SSL_DBG(("%d: SSL3[%d]: recv error %d", SSL_GETPID(), ss->fd, michael@0: PR_GetError())); michael@0: rv = SECFailure; michael@0: return rv; michael@0: } michael@0: michael@0: gs->dtlsPacket.len = nb; michael@0: } michael@0: michael@0: /* At this point we should have >=1 complete records lined up in michael@0: * dtlsPacket. Read off the header. michael@0: */ michael@0: if ((gs->dtlsPacket.len - gs->dtlsPacketOffset) < 13) { michael@0: SSL_DBG(("%d: SSL3[%d]: rest of DTLS packet " michael@0: "too short to contain header", SSL_GETPID(), ss->fd)); michael@0: PR_SetError(PR_WOULD_BLOCK_ERROR, 0); michael@0: gs->dtlsPacketOffset = 0; michael@0: gs->dtlsPacket.len = 0; michael@0: rv = SECFailure; michael@0: return rv; michael@0: } michael@0: memcpy(gs->hdr, gs->dtlsPacket.buf + gs->dtlsPacketOffset, 13); michael@0: gs->dtlsPacketOffset += 13; michael@0: michael@0: /* Have received SSL3 record header in gs->hdr. */ michael@0: gs->remainder = (gs->hdr[11] << 8) | gs->hdr[12]; michael@0: michael@0: if ((gs->dtlsPacket.len - gs->dtlsPacketOffset) < gs->remainder) { michael@0: SSL_DBG(("%d: SSL3[%d]: rest of DTLS packet too short " michael@0: "to contain rest of body", SSL_GETPID(), ss->fd)); michael@0: PR_SetError(PR_WOULD_BLOCK_ERROR, 0); michael@0: gs->dtlsPacketOffset = 0; michael@0: gs->dtlsPacket.len = 0; michael@0: rv = SECFailure; michael@0: return rv; michael@0: } michael@0: michael@0: /* OK, we have at least one complete packet, copy into inbuf */ michael@0: if (gs->remainder > gs->inbuf.space) { michael@0: err = sslBuffer_Grow(&gs->inbuf, gs->remainder); michael@0: if (err) { /* realloc has set error code to no mem. */ michael@0: return err; michael@0: } michael@0: } michael@0: michael@0: memcpy(gs->inbuf.buf, gs->dtlsPacket.buf + gs->dtlsPacketOffset, michael@0: gs->remainder); michael@0: gs->inbuf.len = gs->remainder; michael@0: gs->offset = gs->remainder; michael@0: gs->dtlsPacketOffset += gs->remainder; michael@0: gs->state = GS_INIT; michael@0: michael@0: return 1; michael@0: } michael@0: michael@0: /* Gather in a record and when complete, Handle that record. michael@0: * Repeat this until the handshake is complete, michael@0: * or until application data is available. michael@0: * michael@0: * Returns 1 when the handshake is completed without error, or michael@0: * application data is available. michael@0: * Returns 0 if ssl3_GatherData hits EOF. michael@0: * Returns -1 on read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error. michael@0: * Returns -2 on SECWouldBlock return from ssl3_HandleRecord. michael@0: * michael@0: * Called from ssl_GatherRecord1stHandshake in sslcon.c, michael@0: * and from SSL_ForceHandshake in sslsecur.c michael@0: * and from ssl3_GatherAppDataRecord below (<- DoRecv in sslsecur.c). michael@0: * michael@0: * Caller must hold the recv buf lock. michael@0: */ michael@0: int michael@0: ssl3_GatherCompleteHandshake(sslSocket *ss, int flags) michael@0: { michael@0: SSL3Ciphertext cText; michael@0: int rv; michael@0: PRBool keepGoing = PR_TRUE; michael@0: michael@0: SSL_TRC(30, ("ssl3_GatherCompleteHandshake")); michael@0: michael@0: /* ssl3_HandleRecord may end up eventually calling ssl_FinishHandshake, michael@0: * which requires the 1stHandshakeLock, which must be acquired before the michael@0: * RecvBufLock. michael@0: */ michael@0: PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); michael@0: PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); michael@0: michael@0: do { michael@0: PRBool handleRecordNow = PR_FALSE; michael@0: michael@0: ssl_GetSSL3HandshakeLock(ss); michael@0: michael@0: /* Without this, we may end up wrongly reporting michael@0: * SSL_ERROR_RX_UNEXPECTED_* errors if we receive any records from the michael@0: * peer while we are waiting to be restarted. michael@0: */ michael@0: if (ss->ssl3.hs.restartTarget) { michael@0: ssl_ReleaseSSL3HandshakeLock(ss); michael@0: PORT_SetError(PR_WOULD_BLOCK_ERROR); michael@0: return (int) SECFailure; michael@0: } michael@0: michael@0: /* Treat an empty msgState like a NULL msgState. (Most of the time michael@0: * when ssl3_HandleHandshake returns SECWouldBlock, it leaves michael@0: * behind a non-NULL but zero-length msgState). michael@0: * Test: async_cert_restart_server_sends_hello_request_first_in_separate_record michael@0: */ michael@0: if (ss->ssl3.hs.msgState.buf) { michael@0: if (ss->ssl3.hs.msgState.len == 0) { michael@0: ss->ssl3.hs.msgState.buf = NULL; michael@0: } else { michael@0: handleRecordNow = PR_TRUE; michael@0: } michael@0: } michael@0: michael@0: ssl_ReleaseSSL3HandshakeLock(ss); michael@0: michael@0: if (handleRecordNow) { michael@0: /* ssl3_HandleHandshake previously returned SECWouldBlock and the michael@0: * as-yet-unprocessed plaintext of that previous handshake record. michael@0: * We need to process it now before we overwrite it with the next michael@0: * handshake record. michael@0: */ michael@0: rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf); michael@0: } else { michael@0: /* bring in the next sslv3 record. */ michael@0: if (ss->recvdCloseNotify) { michael@0: /* RFC 5246 Section 7.2.1: michael@0: * Any data received after a closure alert is ignored. michael@0: */ michael@0: return 0; michael@0: } michael@0: if (!IS_DTLS(ss)) { michael@0: rv = ssl3_GatherData(ss, &ss->gs, flags); michael@0: } else { michael@0: rv = dtls_GatherData(ss, &ss->gs, flags); michael@0: michael@0: /* If we got a would block error, that means that no data was michael@0: * available, so we check the timer to see if it's time to michael@0: * retransmit */ michael@0: if (rv == SECFailure && michael@0: (PORT_GetError() == PR_WOULD_BLOCK_ERROR)) { michael@0: ssl_GetSSL3HandshakeLock(ss); michael@0: dtls_CheckTimer(ss); michael@0: ssl_ReleaseSSL3HandshakeLock(ss); michael@0: /* Restore the error in case something succeeded */ michael@0: PORT_SetError(PR_WOULD_BLOCK_ERROR); michael@0: } michael@0: } michael@0: michael@0: if (rv <= 0) { michael@0: return rv; michael@0: } michael@0: michael@0: /* decipher it, and handle it if it's a handshake. michael@0: * If it's application data, ss->gs.buf will not be empty upon return. michael@0: * If it's a change cipher spec, alert, or handshake message, michael@0: * ss->gs.buf.len will be 0 when ssl3_HandleRecord returns SECSuccess. michael@0: */ michael@0: cText.type = (SSL3ContentType)ss->gs.hdr[0]; michael@0: cText.version = (ss->gs.hdr[1] << 8) | ss->gs.hdr[2]; michael@0: michael@0: if (IS_DTLS(ss)) { michael@0: int i; michael@0: michael@0: cText.version = dtls_DTLSVersionToTLSVersion(cText.version); michael@0: /* DTLS sequence number */ michael@0: cText.seq_num.high = 0; cText.seq_num.low = 0; michael@0: for (i = 0; i < 4; i++) { michael@0: cText.seq_num.high <<= 8; cText.seq_num.low <<= 8; michael@0: cText.seq_num.high |= ss->gs.hdr[3 + i]; michael@0: cText.seq_num.low |= ss->gs.hdr[7 + i]; michael@0: } michael@0: } michael@0: michael@0: cText.buf = &ss->gs.inbuf; michael@0: rv = ssl3_HandleRecord(ss, &cText, &ss->gs.buf); michael@0: } michael@0: if (rv < 0) { michael@0: return ss->recvdCloseNotify ? 0 : rv; michael@0: } michael@0: if (ss->gs.buf.len > 0) { michael@0: /* We have application data to return to the application. This michael@0: * prioritizes returning application data to the application over michael@0: * completing any renegotiation handshake we may be doing. michael@0: */ michael@0: PORT_Assert(ss->firstHsDone); michael@0: PORT_Assert(cText.type == content_application_data); michael@0: break; michael@0: } michael@0: michael@0: PORT_Assert(keepGoing); michael@0: ssl_GetSSL3HandshakeLock(ss); michael@0: if (ss->ssl3.hs.ws == idle_handshake) { michael@0: /* We are done with the current handshake so stop trying to michael@0: * handshake. Note that it would be safe to test ss->firstHsDone michael@0: * instead of ss->ssl3.hs.ws. By testing ss->ssl3.hs.ws instead, michael@0: * we prioritize completing a renegotiation handshake over sending michael@0: * application data. michael@0: */ michael@0: PORT_Assert(ss->firstHsDone); michael@0: PORT_Assert(!ss->ssl3.hs.canFalseStart); michael@0: keepGoing = PR_FALSE; michael@0: } else if (ss->ssl3.hs.canFalseStart) { michael@0: /* Prioritize sending application data over trying to complete michael@0: * the handshake if we're false starting. michael@0: * michael@0: * If we were to do this check at the beginning of the loop instead michael@0: * of here, then this function would become be a no-op after michael@0: * receiving the ServerHelloDone in the false start case, and we michael@0: * would never complete the handshake. michael@0: */ michael@0: PORT_Assert(!ss->firstHsDone); michael@0: michael@0: if (ssl3_WaitingForStartOfServerSecondRound(ss)) { michael@0: keepGoing = PR_FALSE; michael@0: } else { michael@0: ss->ssl3.hs.canFalseStart = PR_FALSE; michael@0: } michael@0: } michael@0: ssl_ReleaseSSL3HandshakeLock(ss); michael@0: } while (keepGoing); michael@0: michael@0: ss->gs.readOffset = 0; michael@0: ss->gs.writeOffset = ss->gs.buf.len; michael@0: return 1; michael@0: } michael@0: michael@0: /* Repeatedly gather in a record and when complete, Handle that record. michael@0: * Repeat this until some application data is received. michael@0: * michael@0: * Returns 1 when application data is available. michael@0: * Returns 0 if ssl3_GatherData hits EOF. michael@0: * Returns -1 on read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error. michael@0: * Returns -2 on SECWouldBlock return from ssl3_HandleRecord. michael@0: * michael@0: * Called from DoRecv in sslsecur.c michael@0: * Caller must hold the recv buf lock. michael@0: */ michael@0: int michael@0: ssl3_GatherAppDataRecord(sslSocket *ss, int flags) michael@0: { michael@0: int rv; michael@0: michael@0: /* ssl3_GatherCompleteHandshake requires both of these locks. */ michael@0: PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); michael@0: PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); michael@0: michael@0: do { michael@0: rv = ssl3_GatherCompleteHandshake(ss, flags); michael@0: } while (rv > 0 && ss->gs.buf.len == 0); michael@0: michael@0: return rv; michael@0: }