1/* 2 * Gather (Read) entire SSL2 records from socket into buffer. 3 * 4 * This Source Code Form is subject to the terms of the Mozilla Public 5 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 7#include "cert.h" 8#include "ssl.h" 9#include "sslimpl.h" 10#include "sslproto.h" 11 12/* Forward static declarations */ 13static SECStatus ssl2_HandleV3HandshakeRecord(sslSocket *ss); 14 15/* 16** Gather a single record of data from the receiving stream. This code 17** first gathers the header (2 or 3 bytes long depending on the value of 18** the most significant bit in the first byte) then gathers up the data 19** for the record into gs->buf. This code handles non-blocking I/O 20** and is to be called multiple times until ss->sec.recordLen != 0. 21** This function decrypts the gathered record in place, in gs_buf. 22 * 23 * Caller must hold RecvBufLock. 24 * 25 * Returns +1 when it has gathered a complete SSLV2 record. 26 * Returns 0 if it hits EOF. 27 * Returns -1 (SECFailure) on any error 28 * Returns -2 (SECWouldBlock) when it gathers an SSL v3 client hello header. 29** 30** The SSL2 Gather State machine has 4 states: 31** GS_INIT - Done reading in previous record. Haven't begun to read in 32** next record. When ssl2_GatherData is called with the machine 33** in this state, the machine will attempt to read the first 3 34** bytes of the SSL2 record header, and will advance the state 35** to GS_HEADER. 36** 37** GS_HEADER - The machine is in this state while waiting for the completion 38** of the first 3 bytes of the SSL2 record. When complete, the 39** machine will compute the remaining unread length of this record 40** and will initiate a read of that many bytes. The machine will 41** advance to one of two states, depending on whether the record 42** is encrypted (GS_MAC), or unencrypted (GS_DATA). 43** 44** GS_MAC - The machine is in this state while waiting for the remainder 45** of the SSL2 record to be read in. When the read is completed, 46** the machine checks the record for valid length, decrypts it, 47** and checks and discards the MAC, then advances to GS_INIT. 48** 49** GS_DATA - The machine is in this state while waiting for the remainder 50** of the unencrypted SSL2 record to be read in. Upon completion, 51** the machine advances to the GS_INIT state and returns the data. 52*/ 53int 54ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags) 55{ 56 unsigned char * bp; 57 unsigned char * pBuf; 58 int nb, err, rv; 59 60 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 61 62 if (gs->state == GS_INIT) { 63 /* Initialize gathering engine */ 64 gs->state = GS_HEADER; 65 gs->remainder = 3; 66 gs->count = 3; 67 gs->offset = 0; 68 gs->recordLen = 0; 69 gs->recordPadding = 0; 70 gs->hdr[2] = 0; 71 72 gs->writeOffset = 0; 73 gs->readOffset = 0; 74 } 75 if (gs->encrypted) { 76 PORT_Assert(ss->sec.hash != 0); 77 } 78 79 pBuf = gs->buf.buf; 80 for (;;) { 81 SSL_TRC(30, ("%d: SSL[%d]: gather state %d (need %d more)", 82 SSL_GETPID(), ss->fd, gs->state, gs->remainder)); 83 bp = ((gs->state != GS_HEADER) ? pBuf : gs->hdr) + gs->offset; 84 nb = ssl_DefRecv(ss, bp, gs->remainder, flags); 85 if (nb > 0) { 86 PRINT_BUF(60, (ss, "raw gather data:", bp, nb)); 87 } 88 if (nb == 0) { 89 /* EOF */ 90 SSL_TRC(30, ("%d: SSL[%d]: EOF", SSL_GETPID(), ss->fd)); 91 rv = 0; 92 break; 93 } 94 if (nb < 0) { 95 SSL_DBG(("%d: SSL[%d]: recv error %d", SSL_GETPID(), ss->fd, 96 PR_GetError())); 97 rv = SECFailure; 98 break; 99 } 100 101 gs->offset += nb; 102 gs->remainder -= nb; 103 104 if (gs->remainder > 0) { 105 continue; 106 } 107 108 /* Probably finished this piece */ 109 switch (gs->state) { 110 case GS_HEADER: 111 if (!SSL3_ALL_VERSIONS_DISABLED(&ss->vrange) && !ss->firstHsDone) { 112 113 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); 114 115 /* If this looks like an SSL3 handshake record, 116 ** and we're expecting an SSL2 Hello message from our peer, 117 ** handle it here. 118 */ 119 if (gs->hdr[0] == content_handshake) { 120 if ((ss->nextHandshake == ssl2_HandleClientHelloMessage) || 121 (ss->nextHandshake == ssl2_HandleServerHelloMessage)) { 122 rv = ssl2_HandleV3HandshakeRecord(ss); 123 if (rv == SECFailure) { 124 return SECFailure; 125 } 126 } 127 /* XXX_1 The call stack to here is: 128 * ssl_Do1stHandshake -> ssl_GatherRecord1stHandshake -> 129 * ssl2_GatherRecord -> here. 130 * We want to return all the way out to ssl_Do1stHandshake, 131 * and have it call ssl_GatherRecord1stHandshake again. 132 * ssl_GatherRecord1stHandshake will call 133 * ssl3_GatherCompleteHandshake when it is called again. 134 * 135 * Returning SECWouldBlock here causes 136 * ssl_GatherRecord1stHandshake to return without clearing 137 * ss->handshake, ensuring that ssl_Do1stHandshake will 138 * call it again immediately. 139 * 140 * If we return 1 here, ssl_GatherRecord1stHandshake will 141 * clear ss->handshake before returning, and thus will not 142 * be called again by ssl_Do1stHandshake. 143 */ 144 return SECWouldBlock; 145 } else if (gs->hdr[0] == content_alert) { 146 if (ss->nextHandshake == ssl2_HandleServerHelloMessage) { 147 /* XXX This is a hack. We're assuming that any failure 148 * XXX on the client hello is a failure to match 149 * XXX ciphers. 150 */ 151 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); 152 return SECFailure; 153 } 154 } 155 } 156 157 /* we've got the first 3 bytes. The header may be two or three. */ 158 if (gs->hdr[0] & 0x80) { 159 /* This record has a 2-byte header, and no padding */ 160 gs->count = ((gs->hdr[0] & 0x7f) << 8) | gs->hdr[1]; 161 gs->recordPadding = 0; 162 } else { 163 /* This record has a 3-byte header that is all read in now. */ 164 gs->count = ((gs->hdr[0] & 0x3f) << 8) | gs->hdr[1]; 165 /* is_escape = (gs->hdr[0] & 0x40) != 0; */ 166 gs->recordPadding = gs->hdr[2]; 167 } 168 if (!gs->count) { 169 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); 170 goto cleanup; 171 } 172 173 if (gs->count > gs->buf.space) { 174 err = sslBuffer_Grow(&gs->buf, gs->count); 175 if (err) { 176 return err; 177 } 178 pBuf = gs->buf.buf; 179 } 180 181 182 if (gs->hdr[0] & 0x80) { 183 /* we've already read in the first byte of the body. 184 ** Put it into the buffer. 185 */ 186 pBuf[0] = gs->hdr[2]; 187 gs->offset = 1; 188 gs->remainder = gs->count - 1; 189 } else { 190 gs->offset = 0; 191 gs->remainder = gs->count; 192 } 193 194 if (gs->encrypted) { 195 gs->state = GS_MAC; 196 gs->recordLen = gs->count - gs->recordPadding 197 - ss->sec.hash->length; 198 } else { 199 gs->state = GS_DATA; 200 gs->recordLen = gs->count; 201 } 202 203 break; 204 205 206 case GS_MAC: 207 /* Have read in entire rest of the ciphertext. 208 ** Check for valid length. 209 ** Decrypt it. 210 ** Check the MAC. 211 */ 212 PORT_Assert(gs->encrypted); 213 214 { 215 unsigned int macLen; 216 int nout; 217 unsigned char mac[SSL_MAX_MAC_BYTES]; 218 219 ssl_GetSpecReadLock(ss); /**********************************/ 220 221 /* If this is a stream cipher, blockSize will be 1, 222 * and this test will always be false. 223 * If this is a block cipher, this will detect records 224 * that are not a multiple of the blocksize in length. 225 */ 226 if (gs->count & (ss->sec.blockSize - 1)) { 227 /* This is an error. Sender is misbehaving */ 228 SSL_DBG(("%d: SSL[%d]: sender, count=%d blockSize=%d", 229 SSL_GETPID(), ss->fd, gs->count, 230 ss->sec.blockSize)); 231 PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING); 232 rv = SECFailure; 233 goto spec_locked_done; 234 } 235 PORT_Assert(gs->count == gs->offset); 236 237 if (gs->offset == 0) { 238 rv = 0; /* means EOF. */ 239 goto spec_locked_done; 240 } 241 242 /* Decrypt the portion of data that we just received. 243 ** Decrypt it in place. 244 */ 245 rv = (*ss->sec.dec)(ss->sec.readcx, pBuf, &nout, gs->offset, 246 pBuf, gs->offset); 247 if (rv != SECSuccess) { 248 goto spec_locked_done; 249 } 250 251 252 /* Have read in all the MAC portion of record 253 ** 254 ** Prepare MAC by resetting it and feeding it the shared secret 255 */ 256 macLen = ss->sec.hash->length; 257 if (gs->offset >= macLen) { 258 PRUint32 sequenceNumber = ss->sec.rcvSequence++; 259 unsigned char seq[4]; 260 261 seq[0] = (unsigned char) (sequenceNumber >> 24); 262 seq[1] = (unsigned char) (sequenceNumber >> 16); 263 seq[2] = (unsigned char) (sequenceNumber >> 8); 264 seq[3] = (unsigned char) (sequenceNumber); 265 266 (*ss->sec.hash->begin)(ss->sec.hashcx); 267 (*ss->sec.hash->update)(ss->sec.hashcx, ss->sec.rcvSecret.data, 268 ss->sec.rcvSecret.len); 269 (*ss->sec.hash->update)(ss->sec.hashcx, pBuf + macLen, 270 gs->offset - macLen); 271 (*ss->sec.hash->update)(ss->sec.hashcx, seq, 4); 272 (*ss->sec.hash->end)(ss->sec.hashcx, mac, &macLen, macLen); 273 274 PORT_Assert(macLen == ss->sec.hash->length); 275 276 ssl_ReleaseSpecReadLock(ss); /******************************/ 277 278 if (NSS_SecureMemcmp(mac, pBuf, macLen) != 0) { 279 /* MAC's didn't match... */ 280 SSL_DBG(("%d: SSL[%d]: mac check failed, seq=%d", 281 SSL_GETPID(), ss->fd, ss->sec.rcvSequence)); 282 PRINT_BUF(1, (ss, "computed mac:", mac, macLen)); 283 PRINT_BUF(1, (ss, "received mac:", pBuf, macLen)); 284 PORT_SetError(SSL_ERROR_BAD_MAC_READ); 285 rv = SECFailure; 286 goto cleanup; 287 } 288 } else { 289 ssl_ReleaseSpecReadLock(ss); /******************************/ 290 } 291 292 if (gs->recordPadding + macLen <= gs->offset) { 293 gs->recordOffset = macLen; 294 gs->readOffset = macLen; 295 gs->writeOffset = gs->offset - gs->recordPadding; 296 rv = 1; 297 } else { 298 PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING); 299cleanup: 300 /* nothing in the buffer any more. */ 301 gs->recordOffset = 0; 302 gs->readOffset = 0; 303 gs->writeOffset = 0; 304 rv = SECFailure; 305 } 306 307 gs->recordLen = gs->writeOffset - gs->readOffset; 308 gs->recordPadding = 0; /* forget we did any padding. */ 309 gs->state = GS_INIT; 310 311 312 if (rv > 0) { 313 PRINT_BUF(50, (ss, "recv clear record:", 314 pBuf + gs->recordOffset, gs->recordLen)); 315 } 316 return rv; 317 318spec_locked_done: 319 ssl_ReleaseSpecReadLock(ss); 320 return rv; 321 } 322 323 case GS_DATA: 324 /* Have read in all the DATA portion of record */ 325 326 gs->recordOffset = 0; 327 gs->readOffset = 0; 328 gs->writeOffset = gs->offset; 329 PORT_Assert(gs->recordLen == gs->writeOffset - gs->readOffset); 330 gs->recordLen = gs->offset; 331 gs->recordPadding = 0; 332 gs->state = GS_INIT; 333 334 ++ss->sec.rcvSequence; 335 336 PRINT_BUF(50, (ss, "recv clear record:", 337 pBuf + gs->recordOffset, gs->recordLen)); 338 return 1; 339 340 } /* end switch gs->state */ 341 } /* end gather loop. */ 342 return rv; 343} 344 345/* 346** Gather a single record of data from the receiving stream. This code 347** first gathers the header (2 or 3 bytes long depending on the value of 348** the most significant bit in the first byte) then gathers up the data 349** for the record into the readBuf. This code handles non-blocking I/O 350** and is to be called multiple times until ss->sec.recordLen != 0. 351 * 352 * Returns +1 when it has gathered a complete SSLV2 record. 353 * Returns 0 if it hits EOF. 354 * Returns -1 (SECFailure) on any error 355 * Returns -2 (SECWouldBlock) 356 * 357 * Called by ssl_GatherRecord1stHandshake in sslcon.c, 358 * and by DoRecv in sslsecur.c 359 * Caller must hold RecvBufLock. 360 */ 361int 362ssl2_GatherRecord(sslSocket *ss, int flags) 363{ 364 return ssl2_GatherData(ss, &ss->gs, flags); 365} 366 367/* 368 * Returns +1 when it has gathered a complete SSLV2 record. 369 * Returns 0 if it hits EOF. 370 * Returns -1 (SECFailure) on any error 371 * Returns -2 (SECWouldBlock) 372 * 373 * Called from SocksStartGather in sslsocks.c 374 * Caller must hold RecvBufLock. 375 */ 376int 377ssl2_StartGatherBytes(sslSocket *ss, sslGather *gs, unsigned int count) 378{ 379 int rv; 380 381 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 382 gs->state = GS_DATA; 383 gs->remainder = count; 384 gs->count = count; 385 gs->offset = 0; 386 if (count > gs->buf.space) { 387 rv = sslBuffer_Grow(&gs->buf, count); 388 if (rv) { 389 return rv; 390 } 391 } 392 return ssl2_GatherData(ss, gs, 0); 393} 394 395/* Caller should hold RecvBufLock. */ 396SECStatus 397ssl_InitGather(sslGather *gs) 398{ 399 SECStatus status; 400 401 gs->state = GS_INIT; 402 gs->writeOffset = 0; 403 gs->readOffset = 0; 404 gs->dtlsPacketOffset = 0; 405 gs->dtlsPacket.len = 0; 406 status = sslBuffer_Grow(&gs->buf, 4096); 407 return status; 408} 409 410/* Caller must hold RecvBufLock. */ 411void 412ssl_DestroyGather(sslGather *gs) 413{ 414 if (gs) { /* the PORT_*Free functions check for NULL pointers. */ 415 PORT_ZFree(gs->buf.buf, gs->buf.space); 416 PORT_Free(gs->inbuf.buf); 417 PORT_Free(gs->dtlsPacket.buf); 418 } 419} 420 421/* Caller must hold RecvBufLock. */ 422static SECStatus 423ssl2_HandleV3HandshakeRecord(sslSocket *ss) 424{ 425 SECStatus rv; 426 427 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 428 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); 429 430 /* We've read in 3 bytes, there are 2 more to go in an ssl3 header. */ 431 ss->gs.remainder = 2; 432 ss->gs.count = 0; 433 434 /* Clearing these handshake pointers ensures that 435 * ssl_Do1stHandshake won't call ssl2_HandleMessage when we return. 436 */ 437 ss->nextHandshake = 0; 438 ss->securityHandshake = 0; 439 440 /* Setting ss->version to an SSL 3.x value will cause 441 ** ssl_GatherRecord1stHandshake to invoke ssl3_GatherCompleteHandshake() 442 ** the next time it is called. 443 **/ 444 rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED, 445 PR_TRUE); 446 if (rv != SECSuccess) { 447 return rv; 448 } 449 450 ss->sec.send = ssl3_SendApplicationData; 451 452 return SECSuccess; 453} 454