michael@0: /* michael@0: * Gather (Read) entire SSL2 records from socket into buffer. michael@0: * michael@0: * This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: #include "cert.h" michael@0: #include "ssl.h" michael@0: #include "sslimpl.h" michael@0: #include "sslproto.h" michael@0: michael@0: /* Forward static declarations */ michael@0: static SECStatus ssl2_HandleV3HandshakeRecord(sslSocket *ss); michael@0: michael@0: /* michael@0: ** Gather a single record of data from the receiving stream. This code michael@0: ** first gathers the header (2 or 3 bytes long depending on the value of michael@0: ** the most significant bit in the first byte) then gathers up the data michael@0: ** for the record into gs->buf. This code handles non-blocking I/O michael@0: ** and is to be called multiple times until ss->sec.recordLen != 0. michael@0: ** This function decrypts the gathered record in place, in gs_buf. michael@0: * michael@0: * Caller must hold RecvBufLock. michael@0: * michael@0: * Returns +1 when it has gathered a complete SSLV2 record. michael@0: * Returns 0 if it hits EOF. michael@0: * Returns -1 (SECFailure) on any error michael@0: * Returns -2 (SECWouldBlock) when it gathers an SSL v3 client hello header. michael@0: ** michael@0: ** The SSL2 Gather State machine has 4 states: michael@0: ** GS_INIT - Done reading in previous record. Haven't begun to read in michael@0: ** next record. When ssl2_GatherData is called with the machine michael@0: ** in this state, the machine will attempt to read the first 3 michael@0: ** bytes of the SSL2 record header, and will advance the state michael@0: ** to GS_HEADER. michael@0: ** michael@0: ** GS_HEADER - The machine is in this state while waiting for the completion michael@0: ** of the first 3 bytes of the SSL2 record. When complete, the michael@0: ** machine will compute the remaining unread length of this record michael@0: ** and will initiate a read of that many bytes. The machine will michael@0: ** advance to one of two states, depending on whether the record michael@0: ** is encrypted (GS_MAC), or unencrypted (GS_DATA). michael@0: ** michael@0: ** GS_MAC - The machine is in this state while waiting for the remainder michael@0: ** of the SSL2 record to be read in. When the read is completed, michael@0: ** the machine checks the record for valid length, decrypts it, michael@0: ** and checks and discards the MAC, then advances to GS_INIT. michael@0: ** michael@0: ** GS_DATA - The machine is in this state while waiting for the remainder michael@0: ** of the unencrypted SSL2 record to be read in. Upon completion, michael@0: ** the machine advances to the GS_INIT state and returns the data. michael@0: */ michael@0: int michael@0: ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags) michael@0: { michael@0: unsigned char * bp; michael@0: unsigned char * pBuf; michael@0: int nb, err, rv; michael@0: michael@0: PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); michael@0: michael@0: if (gs->state == GS_INIT) { michael@0: /* Initialize gathering engine */ michael@0: gs->state = GS_HEADER; michael@0: gs->remainder = 3; michael@0: gs->count = 3; michael@0: gs->offset = 0; michael@0: gs->recordLen = 0; michael@0: gs->recordPadding = 0; michael@0: gs->hdr[2] = 0; michael@0: michael@0: gs->writeOffset = 0; michael@0: gs->readOffset = 0; michael@0: } michael@0: if (gs->encrypted) { michael@0: PORT_Assert(ss->sec.hash != 0); michael@0: } michael@0: michael@0: pBuf = gs->buf.buf; michael@0: for (;;) { michael@0: SSL_TRC(30, ("%d: SSL[%d]: gather state %d (need %d more)", michael@0: SSL_GETPID(), ss->fd, gs->state, gs->remainder)); michael@0: bp = ((gs->state != GS_HEADER) ? pBuf : gs->hdr) + gs->offset; michael@0: nb = ssl_DefRecv(ss, bp, gs->remainder, flags); michael@0: if (nb > 0) { michael@0: PRINT_BUF(60, (ss, "raw gather data:", bp, nb)); michael@0: } michael@0: if (nb == 0) { michael@0: /* EOF */ michael@0: SSL_TRC(30, ("%d: SSL[%d]: EOF", SSL_GETPID(), ss->fd)); michael@0: rv = 0; michael@0: break; michael@0: } michael@0: if (nb < 0) { michael@0: SSL_DBG(("%d: SSL[%d]: recv error %d", SSL_GETPID(), ss->fd, michael@0: PR_GetError())); michael@0: rv = SECFailure; michael@0: break; michael@0: } michael@0: michael@0: gs->offset += nb; michael@0: gs->remainder -= nb; michael@0: michael@0: if (gs->remainder > 0) { michael@0: continue; michael@0: } michael@0: michael@0: /* Probably finished this piece */ michael@0: switch (gs->state) { michael@0: case GS_HEADER: michael@0: if (!SSL3_ALL_VERSIONS_DISABLED(&ss->vrange) && !ss->firstHsDone) { michael@0: michael@0: PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); michael@0: michael@0: /* If this looks like an SSL3 handshake record, michael@0: ** and we're expecting an SSL2 Hello message from our peer, michael@0: ** handle it here. michael@0: */ michael@0: if (gs->hdr[0] == content_handshake) { michael@0: if ((ss->nextHandshake == ssl2_HandleClientHelloMessage) || michael@0: (ss->nextHandshake == ssl2_HandleServerHelloMessage)) { michael@0: rv = ssl2_HandleV3HandshakeRecord(ss); michael@0: if (rv == SECFailure) { michael@0: return SECFailure; michael@0: } michael@0: } michael@0: /* XXX_1 The call stack to here is: michael@0: * ssl_Do1stHandshake -> ssl_GatherRecord1stHandshake -> michael@0: * ssl2_GatherRecord -> here. michael@0: * We want to return all the way out to ssl_Do1stHandshake, michael@0: * and have it call ssl_GatherRecord1stHandshake again. michael@0: * ssl_GatherRecord1stHandshake will call michael@0: * ssl3_GatherCompleteHandshake when it is called again. michael@0: * michael@0: * Returning SECWouldBlock here causes michael@0: * ssl_GatherRecord1stHandshake to return without clearing michael@0: * ss->handshake, ensuring that ssl_Do1stHandshake will michael@0: * call it again immediately. michael@0: * michael@0: * If we return 1 here, ssl_GatherRecord1stHandshake will michael@0: * clear ss->handshake before returning, and thus will not michael@0: * be called again by ssl_Do1stHandshake. michael@0: */ michael@0: return SECWouldBlock; michael@0: } else if (gs->hdr[0] == content_alert) { michael@0: if (ss->nextHandshake == ssl2_HandleServerHelloMessage) { michael@0: /* XXX This is a hack. We're assuming that any failure michael@0: * XXX on the client hello is a failure to match michael@0: * XXX ciphers. michael@0: */ michael@0: PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); michael@0: return SECFailure; michael@0: } michael@0: } michael@0: } michael@0: michael@0: /* we've got the first 3 bytes. The header may be two or three. */ michael@0: if (gs->hdr[0] & 0x80) { michael@0: /* This record has a 2-byte header, and no padding */ michael@0: gs->count = ((gs->hdr[0] & 0x7f) << 8) | gs->hdr[1]; michael@0: gs->recordPadding = 0; michael@0: } else { michael@0: /* This record has a 3-byte header that is all read in now. */ michael@0: gs->count = ((gs->hdr[0] & 0x3f) << 8) | gs->hdr[1]; michael@0: /* is_escape = (gs->hdr[0] & 0x40) != 0; */ michael@0: gs->recordPadding = gs->hdr[2]; michael@0: } michael@0: if (!gs->count) { michael@0: PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); michael@0: goto cleanup; michael@0: } michael@0: michael@0: if (gs->count > gs->buf.space) { michael@0: err = sslBuffer_Grow(&gs->buf, gs->count); michael@0: if (err) { michael@0: return err; michael@0: } michael@0: pBuf = gs->buf.buf; michael@0: } michael@0: michael@0: michael@0: if (gs->hdr[0] & 0x80) { michael@0: /* we've already read in the first byte of the body. michael@0: ** Put it into the buffer. michael@0: */ michael@0: pBuf[0] = gs->hdr[2]; michael@0: gs->offset = 1; michael@0: gs->remainder = gs->count - 1; michael@0: } else { michael@0: gs->offset = 0; michael@0: gs->remainder = gs->count; michael@0: } michael@0: michael@0: if (gs->encrypted) { michael@0: gs->state = GS_MAC; michael@0: gs->recordLen = gs->count - gs->recordPadding michael@0: - ss->sec.hash->length; michael@0: } else { michael@0: gs->state = GS_DATA; michael@0: gs->recordLen = gs->count; michael@0: } michael@0: michael@0: break; michael@0: michael@0: michael@0: case GS_MAC: michael@0: /* Have read in entire rest of the ciphertext. michael@0: ** Check for valid length. michael@0: ** Decrypt it. michael@0: ** Check the MAC. michael@0: */ michael@0: PORT_Assert(gs->encrypted); michael@0: michael@0: { michael@0: unsigned int macLen; michael@0: int nout; michael@0: unsigned char mac[SSL_MAX_MAC_BYTES]; michael@0: michael@0: ssl_GetSpecReadLock(ss); /**********************************/ michael@0: michael@0: /* If this is a stream cipher, blockSize will be 1, michael@0: * and this test will always be false. michael@0: * If this is a block cipher, this will detect records michael@0: * that are not a multiple of the blocksize in length. michael@0: */ michael@0: if (gs->count & (ss->sec.blockSize - 1)) { michael@0: /* This is an error. Sender is misbehaving */ michael@0: SSL_DBG(("%d: SSL[%d]: sender, count=%d blockSize=%d", michael@0: SSL_GETPID(), ss->fd, gs->count, michael@0: ss->sec.blockSize)); michael@0: PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING); michael@0: rv = SECFailure; michael@0: goto spec_locked_done; michael@0: } michael@0: PORT_Assert(gs->count == gs->offset); michael@0: michael@0: if (gs->offset == 0) { michael@0: rv = 0; /* means EOF. */ michael@0: goto spec_locked_done; michael@0: } michael@0: michael@0: /* Decrypt the portion of data that we just received. michael@0: ** Decrypt it in place. michael@0: */ michael@0: rv = (*ss->sec.dec)(ss->sec.readcx, pBuf, &nout, gs->offset, michael@0: pBuf, gs->offset); michael@0: if (rv != SECSuccess) { michael@0: goto spec_locked_done; michael@0: } michael@0: michael@0: michael@0: /* Have read in all the MAC portion of record michael@0: ** michael@0: ** Prepare MAC by resetting it and feeding it the shared secret michael@0: */ michael@0: macLen = ss->sec.hash->length; michael@0: if (gs->offset >= macLen) { michael@0: PRUint32 sequenceNumber = ss->sec.rcvSequence++; michael@0: unsigned char seq[4]; michael@0: michael@0: seq[0] = (unsigned char) (sequenceNumber >> 24); michael@0: seq[1] = (unsigned char) (sequenceNumber >> 16); michael@0: seq[2] = (unsigned char) (sequenceNumber >> 8); michael@0: seq[3] = (unsigned char) (sequenceNumber); michael@0: michael@0: (*ss->sec.hash->begin)(ss->sec.hashcx); michael@0: (*ss->sec.hash->update)(ss->sec.hashcx, ss->sec.rcvSecret.data, michael@0: ss->sec.rcvSecret.len); michael@0: (*ss->sec.hash->update)(ss->sec.hashcx, pBuf + macLen, michael@0: gs->offset - macLen); michael@0: (*ss->sec.hash->update)(ss->sec.hashcx, seq, 4); michael@0: (*ss->sec.hash->end)(ss->sec.hashcx, mac, &macLen, macLen); michael@0: michael@0: PORT_Assert(macLen == ss->sec.hash->length); michael@0: michael@0: ssl_ReleaseSpecReadLock(ss); /******************************/ michael@0: michael@0: if (NSS_SecureMemcmp(mac, pBuf, macLen) != 0) { michael@0: /* MAC's didn't match... */ michael@0: SSL_DBG(("%d: SSL[%d]: mac check failed, seq=%d", michael@0: SSL_GETPID(), ss->fd, ss->sec.rcvSequence)); michael@0: PRINT_BUF(1, (ss, "computed mac:", mac, macLen)); michael@0: PRINT_BUF(1, (ss, "received mac:", pBuf, macLen)); michael@0: PORT_SetError(SSL_ERROR_BAD_MAC_READ); michael@0: rv = SECFailure; michael@0: goto cleanup; michael@0: } michael@0: } else { michael@0: ssl_ReleaseSpecReadLock(ss); /******************************/ michael@0: } michael@0: michael@0: if (gs->recordPadding + macLen <= gs->offset) { michael@0: gs->recordOffset = macLen; michael@0: gs->readOffset = macLen; michael@0: gs->writeOffset = gs->offset - gs->recordPadding; michael@0: rv = 1; michael@0: } else { michael@0: PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING); michael@0: cleanup: michael@0: /* nothing in the buffer any more. */ michael@0: gs->recordOffset = 0; michael@0: gs->readOffset = 0; michael@0: gs->writeOffset = 0; michael@0: rv = SECFailure; michael@0: } michael@0: michael@0: gs->recordLen = gs->writeOffset - gs->readOffset; michael@0: gs->recordPadding = 0; /* forget we did any padding. */ michael@0: gs->state = GS_INIT; michael@0: michael@0: michael@0: if (rv > 0) { michael@0: PRINT_BUF(50, (ss, "recv clear record:", michael@0: pBuf + gs->recordOffset, gs->recordLen)); michael@0: } michael@0: return rv; michael@0: michael@0: spec_locked_done: michael@0: ssl_ReleaseSpecReadLock(ss); michael@0: return rv; michael@0: } michael@0: michael@0: case GS_DATA: michael@0: /* Have read in all the DATA portion of record */ michael@0: michael@0: gs->recordOffset = 0; michael@0: gs->readOffset = 0; michael@0: gs->writeOffset = gs->offset; michael@0: PORT_Assert(gs->recordLen == gs->writeOffset - gs->readOffset); michael@0: gs->recordLen = gs->offset; michael@0: gs->recordPadding = 0; michael@0: gs->state = GS_INIT; michael@0: michael@0: ++ss->sec.rcvSequence; michael@0: michael@0: PRINT_BUF(50, (ss, "recv clear record:", michael@0: pBuf + gs->recordOffset, gs->recordLen)); michael@0: return 1; michael@0: michael@0: } /* end switch gs->state */ michael@0: } /* end gather loop. */ michael@0: return rv; michael@0: } michael@0: michael@0: /* michael@0: ** Gather a single record of data from the receiving stream. This code michael@0: ** first gathers the header (2 or 3 bytes long depending on the value of michael@0: ** the most significant bit in the first byte) then gathers up the data michael@0: ** for the record into the readBuf. This code handles non-blocking I/O michael@0: ** and is to be called multiple times until ss->sec.recordLen != 0. michael@0: * michael@0: * Returns +1 when it has gathered a complete SSLV2 record. michael@0: * Returns 0 if it hits EOF. michael@0: * Returns -1 (SECFailure) on any error michael@0: * Returns -2 (SECWouldBlock) michael@0: * michael@0: * Called by ssl_GatherRecord1stHandshake in sslcon.c, michael@0: * and by DoRecv in sslsecur.c michael@0: * Caller must hold RecvBufLock. michael@0: */ michael@0: int michael@0: ssl2_GatherRecord(sslSocket *ss, int flags) michael@0: { michael@0: return ssl2_GatherData(ss, &ss->gs, flags); michael@0: } michael@0: michael@0: /* Caller should hold RecvBufLock. */ michael@0: SECStatus michael@0: ssl_InitGather(sslGather *gs) michael@0: { michael@0: SECStatus status; michael@0: michael@0: gs->state = GS_INIT; michael@0: gs->writeOffset = 0; michael@0: gs->readOffset = 0; michael@0: gs->dtlsPacketOffset = 0; michael@0: gs->dtlsPacket.len = 0; michael@0: status = sslBuffer_Grow(&gs->buf, 4096); michael@0: return status; michael@0: } michael@0: michael@0: /* Caller must hold RecvBufLock. */ michael@0: void michael@0: ssl_DestroyGather(sslGather *gs) michael@0: { michael@0: if (gs) { /* the PORT_*Free functions check for NULL pointers. */ michael@0: PORT_ZFree(gs->buf.buf, gs->buf.space); michael@0: PORT_Free(gs->inbuf.buf); michael@0: PORT_Free(gs->dtlsPacket.buf); michael@0: } michael@0: } michael@0: michael@0: /* Caller must hold RecvBufLock. */ michael@0: static SECStatus michael@0: ssl2_HandleV3HandshakeRecord(sslSocket *ss) michael@0: { michael@0: SECStatus rv; michael@0: michael@0: PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); michael@0: PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); michael@0: michael@0: /* We've read in 3 bytes, there are 2 more to go in an ssl3 header. */ michael@0: ss->gs.remainder = 2; michael@0: ss->gs.count = 0; michael@0: michael@0: /* Clearing these handshake pointers ensures that michael@0: * ssl_Do1stHandshake won't call ssl2_HandleMessage when we return. michael@0: */ michael@0: ss->nextHandshake = 0; michael@0: ss->securityHandshake = 0; michael@0: michael@0: /* Setting ss->version to an SSL 3.x value will cause michael@0: ** ssl_GatherRecord1stHandshake to invoke ssl3_GatherCompleteHandshake() michael@0: ** the next time it is called. michael@0: **/ michael@0: rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED, michael@0: PR_TRUE); michael@0: if (rv != SECSuccess) { michael@0: return rv; michael@0: } michael@0: michael@0: ss->sec.send = ssl3_SendApplicationData; michael@0: michael@0: return SECSuccess; michael@0: }