1/* 2 * Gather (Read) entire SSL3 records from socket into buffer. 3 * 4 * This Source Code Form is subject to the terms of the Mozilla Public 5 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 7 8#include "cert.h" 9#include "ssl.h" 10#include "sslimpl.h" 11#include "ssl3prot.h" 12 13/* 14 * Attempt to read in an entire SSL3 record. 15 * Blocks here for blocking sockets, otherwise returns -1 with 16 * PR_WOULD_BLOCK_ERROR when socket would block. 17 * 18 * returns 1 if received a complete SSL3 record. 19 * returns 0 if recv returns EOF 20 * returns -1 if recv returns < 0 21 * (The error value may have already been set to PR_WOULD_BLOCK_ERROR) 22 * 23 * Caller must hold the recv buf lock. 24 * 25 * The Gather state machine has 3 states: GS_INIT, GS_HEADER, GS_DATA. 26 * GS_HEADER: waiting for the 5-byte SSL3 record header to come in. 27 * GS_DATA: waiting for the body of the SSL3 record to come in. 28 * 29 * This loop returns when either 30 * (a) an error or EOF occurs, 31 * (b) PR_WOULD_BLOCK_ERROR, 32 * (c) data (entire SSL3 record) has been received. 33 */ 34static int 35ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags) 36{ 37 unsigned char *bp; 38 unsigned char *lbp; 39 int nb; 40 int err; 41 int rv = 1; 42 43 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 44 if (gs->state == GS_INIT) { 45 gs->state = GS_HEADER; 46 gs->remainder = 5; 47 gs->offset = 0; 48 gs->writeOffset = 0; 49 gs->readOffset = 0; 50 gs->inbuf.len = 0; 51 } 52 53 lbp = gs->inbuf.buf; 54 for(;;) { 55 SSL_TRC(30, ("%d: SSL3[%d]: gather state %d (need %d more)", 56 SSL_GETPID(), ss->fd, gs->state, gs->remainder)); 57 bp = ((gs->state != GS_HEADER) ? lbp : gs->hdr) + gs->offset; 58 nb = ssl_DefRecv(ss, bp, gs->remainder, flags); 59 60 if (nb > 0) { 61 PRINT_BUF(60, (ss, "raw gather data:", bp, nb)); 62 } else if (nb == 0) { 63 /* EOF */ 64 SSL_TRC(30, ("%d: SSL3[%d]: EOF", SSL_GETPID(), ss->fd)); 65 rv = 0; 66 break; 67 } else /* if (nb < 0) */ { 68 SSL_DBG(("%d: SSL3[%d]: recv error %d", SSL_GETPID(), ss->fd, 69 PR_GetError())); 70 rv = SECFailure; 71 break; 72 } 73 74 PORT_Assert( nb <= gs->remainder ); 75 if (nb > gs->remainder) { 76 /* ssl_DefRecv is misbehaving! this error is fatal to SSL. */ 77 gs->state = GS_INIT; /* so we don't crash next time */ 78 rv = SECFailure; 79 break; 80 } 81 82 gs->offset += nb; 83 gs->remainder -= nb; 84 if (gs->state == GS_DATA) 85 gs->inbuf.len += nb; 86 87 /* if there's more to go, read some more. */ 88 if (gs->remainder > 0) { 89 continue; 90 } 91 92 /* have received entire record header, or entire record. */ 93 switch (gs->state) { 94 case GS_HEADER: 95 /* 96 ** Have received SSL3 record header in gs->hdr. 97 ** Now extract the length of the following encrypted data, 98 ** and then read in the rest of the SSL3 record into gs->inbuf. 99 */ 100 gs->remainder = (gs->hdr[3] << 8) | gs->hdr[4]; 101 102 /* This is the max fragment length for an encrypted fragment 103 ** plus the size of the record header. 104 */ 105 if(gs->remainder > (MAX_FRAGMENT_LENGTH + 2048 + 5)) { 106 SSL3_SendAlert(ss, alert_fatal, unexpected_message); 107 gs->state = GS_INIT; 108 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); 109 return SECFailure; 110 } 111 112 gs->state = GS_DATA; 113 gs->offset = 0; 114 gs->inbuf.len = 0; 115 116 if (gs->remainder > gs->inbuf.space) { 117 err = sslBuffer_Grow(&gs->inbuf, gs->remainder); 118 if (err) { /* realloc has set error code to no mem. */ 119 return err; 120 } 121 lbp = gs->inbuf.buf; 122 } 123 break; /* End this case. Continue around the loop. */ 124 125 126 case GS_DATA: 127 /* 128 ** SSL3 record has been completely received. 129 */ 130 gs->state = GS_INIT; 131 return 1; 132 } 133 } 134 135 return rv; 136} 137 138/* 139 * Read in an entire DTLS record. 140 * 141 * Blocks here for blocking sockets, otherwise returns -1 with 142 * PR_WOULD_BLOCK_ERROR when socket would block. 143 * 144 * This is simpler than SSL because we are reading on a datagram socket 145 * and datagrams must contain >=1 complete records. 146 * 147 * returns 1 if received a complete DTLS record. 148 * returns 0 if recv returns EOF 149 * returns -1 if recv returns < 0 150 * (The error value may have already been set to PR_WOULD_BLOCK_ERROR) 151 * 152 * Caller must hold the recv buf lock. 153 * 154 * This loop returns when either 155 * (a) an error or EOF occurs, 156 * (b) PR_WOULD_BLOCK_ERROR, 157 * (c) data (entire DTLS record) has been received. 158 */ 159static int 160dtls_GatherData(sslSocket *ss, sslGather *gs, int flags) 161{ 162 int nb; 163 int err; 164 int rv = 1; 165 166 SSL_TRC(30, ("dtls_GatherData")); 167 168 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 169 170 gs->state = GS_HEADER; 171 gs->offset = 0; 172 173 if (gs->dtlsPacketOffset == gs->dtlsPacket.len) { /* No data left */ 174 gs->dtlsPacketOffset = 0; 175 gs->dtlsPacket.len = 0; 176 177 /* Resize to the maximum possible size so we can fit a full datagram */ 178 /* This is the max fragment length for an encrypted fragment 179 ** plus the size of the record header. 180 ** This magic constant is copied from ssl3_GatherData, with 5 changed 181 ** to 13 (the size of the record header). 182 */ 183 if (gs->dtlsPacket.space < MAX_FRAGMENT_LENGTH + 2048 + 13) { 184 err = sslBuffer_Grow(&gs->dtlsPacket, 185 MAX_FRAGMENT_LENGTH + 2048 + 13); 186 if (err) { /* realloc has set error code to no mem. */ 187 return err; 188 } 189 } 190 191 /* recv() needs to read a full datagram at a time */ 192 nb = ssl_DefRecv(ss, gs->dtlsPacket.buf, gs->dtlsPacket.space, flags); 193 194 if (nb > 0) { 195 PRINT_BUF(60, (ss, "raw gather data:", gs->dtlsPacket.buf, nb)); 196 } else if (nb == 0) { 197 /* EOF */ 198 SSL_TRC(30, ("%d: SSL3[%d]: EOF", SSL_GETPID(), ss->fd)); 199 rv = 0; 200 return rv; 201 } else /* if (nb < 0) */ { 202 SSL_DBG(("%d: SSL3[%d]: recv error %d", SSL_GETPID(), ss->fd, 203 PR_GetError())); 204 rv = SECFailure; 205 return rv; 206 } 207 208 gs->dtlsPacket.len = nb; 209 } 210 211 /* At this point we should have >=1 complete records lined up in 212 * dtlsPacket. Read off the header. 213 */ 214 if ((gs->dtlsPacket.len - gs->dtlsPacketOffset) < 13) { 215 SSL_DBG(("%d: SSL3[%d]: rest of DTLS packet " 216 "too short to contain header", SSL_GETPID(), ss->fd)); 217 PR_SetError(PR_WOULD_BLOCK_ERROR, 0); 218 gs->dtlsPacketOffset = 0; 219 gs->dtlsPacket.len = 0; 220 rv = SECFailure; 221 return rv; 222 } 223 memcpy(gs->hdr, gs->dtlsPacket.buf + gs->dtlsPacketOffset, 13); 224 gs->dtlsPacketOffset += 13; 225 226 /* Have received SSL3 record header in gs->hdr. */ 227 gs->remainder = (gs->hdr[11] << 8) | gs->hdr[12]; 228 229 if ((gs->dtlsPacket.len - gs->dtlsPacketOffset) < gs->remainder) { 230 SSL_DBG(("%d: SSL3[%d]: rest of DTLS packet too short " 231 "to contain rest of body", SSL_GETPID(), ss->fd)); 232 PR_SetError(PR_WOULD_BLOCK_ERROR, 0); 233 gs->dtlsPacketOffset = 0; 234 gs->dtlsPacket.len = 0; 235 rv = SECFailure; 236 return rv; 237 } 238 239 /* OK, we have at least one complete packet, copy into inbuf */ 240 if (gs->remainder > gs->inbuf.space) { 241 err = sslBuffer_Grow(&gs->inbuf, gs->remainder); 242 if (err) { /* realloc has set error code to no mem. */ 243 return err; 244 } 245 } 246 247 memcpy(gs->inbuf.buf, gs->dtlsPacket.buf + gs->dtlsPacketOffset, 248 gs->remainder); 249 gs->inbuf.len = gs->remainder; 250 gs->offset = gs->remainder; 251 gs->dtlsPacketOffset += gs->remainder; 252 gs->state = GS_INIT; 253 254 return 1; 255} 256 257/* Gather in a record and when complete, Handle that record. 258 * Repeat this until the handshake is complete, 259 * or until application data is available. 260 * 261 * Returns 1 when the handshake is completed without error, or 262 * application data is available. 263 * Returns 0 if ssl3_GatherData hits EOF. 264 * Returns -1 on read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error. 265 * Returns -2 on SECWouldBlock return from ssl3_HandleRecord. 266 * 267 * Called from ssl_GatherRecord1stHandshake in sslcon.c, 268 * and from SSL_ForceHandshake in sslsecur.c 269 * and from ssl3_GatherAppDataRecord below (<- DoRecv in sslsecur.c). 270 * 271 * Caller must hold the recv buf lock. 272 */ 273int 274ssl3_GatherCompleteHandshake(sslSocket *ss, int flags) 275{ 276 SSL3Ciphertext cText; 277 int rv; 278 PRBool keepGoing = PR_TRUE; 279 280 SSL_TRC(30, ("ssl3_GatherCompleteHandshake")); 281 282 /* ssl3_HandleRecord may end up eventually calling ssl_FinishHandshake, 283 * which requires the 1stHandshakeLock, which must be acquired before the 284 * RecvBufLock. 285 */ 286 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); 287 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 288 289 do { 290 PRBool handleRecordNow = PR_FALSE; 291 292 ssl_GetSSL3HandshakeLock(ss); 293 294 /* Without this, we may end up wrongly reporting 295 * SSL_ERROR_RX_UNEXPECTED_* errors if we receive any records from the 296 * peer while we are waiting to be restarted. 297 */ 298 if (ss->ssl3.hs.restartTarget) { 299 ssl_ReleaseSSL3HandshakeLock(ss); 300 PORT_SetError(PR_WOULD_BLOCK_ERROR); 301 return (int) SECFailure; 302 } 303 304 /* Treat an empty msgState like a NULL msgState. (Most of the time 305 * when ssl3_HandleHandshake returns SECWouldBlock, it leaves 306 * behind a non-NULL but zero-length msgState). 307 * Test: async_cert_restart_server_sends_hello_request_first_in_separate_record 308 */ 309 if (ss->ssl3.hs.msgState.buf) { 310 if (ss->ssl3.hs.msgState.len == 0) { 311 ss->ssl3.hs.msgState.buf = NULL; 312 } else { 313 handleRecordNow = PR_TRUE; 314 } 315 } 316 317 ssl_ReleaseSSL3HandshakeLock(ss); 318 319 if (handleRecordNow) { 320 /* ssl3_HandleHandshake previously returned SECWouldBlock and the 321 * as-yet-unprocessed plaintext of that previous handshake record. 322 * We need to process it now before we overwrite it with the next 323 * handshake record. 324 */ 325 rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf); 326 } else { 327 /* bring in the next sslv3 record. */ 328 if (ss->recvdCloseNotify) { 329 /* RFC 5246 Section 7.2.1: 330 * Any data received after a closure alert is ignored. 331 */ 332 return 0; 333 } 334 if (!IS_DTLS(ss)) { 335 rv = ssl3_GatherData(ss, &ss->gs, flags); 336 } else { 337 rv = dtls_GatherData(ss, &ss->gs, flags); 338 339 /* If we got a would block error, that means that no data was 340 * available, so we check the timer to see if it's time to 341 * retransmit */ 342 if (rv == SECFailure && 343 (PORT_GetError() == PR_WOULD_BLOCK_ERROR)) { 344 ssl_GetSSL3HandshakeLock(ss); 345 dtls_CheckTimer(ss); 346 ssl_ReleaseSSL3HandshakeLock(ss); 347 /* Restore the error in case something succeeded */ 348 PORT_SetError(PR_WOULD_BLOCK_ERROR); 349 } 350 } 351 352 if (rv <= 0) { 353 return rv; 354 } 355 356 /* decipher it, and handle it if it's a handshake. 357 * If it's application data, ss->gs.buf will not be empty upon return. 358 * If it's a change cipher spec, alert, or handshake message, 359 * ss->gs.buf.len will be 0 when ssl3_HandleRecord returns SECSuccess. 360 */ 361 cText.type = (SSL3ContentType)ss->gs.hdr[0]; 362 cText.version = (ss->gs.hdr[1] << 8) | ss->gs.hdr[2]; 363 364 if (IS_DTLS(ss)) { 365 int i; 366 367 cText.version = dtls_DTLSVersionToTLSVersion(cText.version); 368 /* DTLS sequence number */ 369 cText.seq_num.high = 0; cText.seq_num.low = 0; 370 for (i = 0; i < 4; i++) { 371 cText.seq_num.high <<= 8; cText.seq_num.low <<= 8; 372 cText.seq_num.high |= ss->gs.hdr[3 + i]; 373 cText.seq_num.low |= ss->gs.hdr[7 + i]; 374 } 375 } 376 377 cText.buf = &ss->gs.inbuf; 378 rv = ssl3_HandleRecord(ss, &cText, &ss->gs.buf); 379 } 380 if (rv < 0) { 381 return ss->recvdCloseNotify ? 0 : rv; 382 } 383 if (ss->gs.buf.len > 0) { 384 /* We have application data to return to the application. This 385 * prioritizes returning application data to the application over 386 * completing any renegotiation handshake we may be doing. 387 */ 388 PORT_Assert(ss->firstHsDone); 389 PORT_Assert(cText.type == content_application_data); 390 break; 391 } 392 393 PORT_Assert(keepGoing); 394 ssl_GetSSL3HandshakeLock(ss); 395 if (ss->ssl3.hs.ws == idle_handshake) { 396 /* We are done with the current handshake so stop trying to 397 * handshake. Note that it would be safe to test ss->firstHsDone 398 * instead of ss->ssl3.hs.ws. By testing ss->ssl3.hs.ws instead, 399 * we prioritize completing a renegotiation handshake over sending 400 * application data. 401 */ 402 PORT_Assert(ss->firstHsDone); 403 PORT_Assert(!ss->ssl3.hs.canFalseStart); 404 keepGoing = PR_FALSE; 405 } else if (ss->ssl3.hs.canFalseStart) { 406 /* Prioritize sending application data over trying to complete 407 * the handshake if we're false starting. 408 * 409 * If we were to do this check at the beginning of the loop instead 410 * of here, then this function would become be a no-op after 411 * receiving the ServerHelloDone in the false start case, and we 412 * would never complete the handshake. 413 */ 414 PORT_Assert(!ss->firstHsDone); 415 416 if (ssl3_WaitingForStartOfServerSecondRound(ss)) { 417 keepGoing = PR_FALSE; 418 } else { 419 ss->ssl3.hs.canFalseStart = PR_FALSE; 420 } 421 } 422 ssl_ReleaseSSL3HandshakeLock(ss); 423 } while (keepGoing); 424 425 ss->gs.readOffset = 0; 426 ss->gs.writeOffset = ss->gs.buf.len; 427 return 1; 428} 429 430/* Repeatedly gather in a record and when complete, Handle that record. 431 * Repeat this until some application data is received. 432 * 433 * Returns 1 when application data is available. 434 * Returns 0 if ssl3_GatherData hits EOF. 435 * Returns -1 on read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error. 436 * Returns -2 on SECWouldBlock return from ssl3_HandleRecord. 437 * 438 * Called from DoRecv in sslsecur.c 439 * Caller must hold the recv buf lock. 440 */ 441int 442ssl3_GatherAppDataRecord(sslSocket *ss, int flags) 443{ 444 int rv; 445 446 /* ssl3_GatherCompleteHandshake requires both of these locks. */ 447 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); 448 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 449 450 do { 451 rv = ssl3_GatherCompleteHandshake(ss, flags); 452 } while (rv > 0 && ss->gs.buf.len == 0); 453 454 return rv; 455} 456