search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "Merged all Chromoting Host code into remoting_core.dll (Windows)."
[chromium-blink-merge.git] / net / third_party / nss / ssl / sslgathr.c
blob5b112fe3195e5b0f641227dfc277fef3f54984a8
1 /*
2 * Gather (Read) entire SSL2 records from socket into buffer.
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* $Id: sslgathr.c,v 1.15 2012/04/25 14:50:12 gerv%gerv.net Exp $ */
8 #include "cert.h"
9 #include "ssl.h"
10 #include "sslimpl.h"
11 #include "sslproto.h"
12
13 /* Forward static declarations */
14 static SECStatus ssl2_HandleV3HandshakeRecord(sslSocket *ss);
15
16 /*
17 ** Gather a single record of data from the receiving stream. This code
18 ** first gathers the header (2 or 3 bytes long depending on the value of
19 ** the most significant bit in the first byte) then gathers up the data
20 ** for the record into gs->buf. This code handles non-blocking I/O
21 ** and is to be called multiple times until ss->sec.recordLen != 0.
22 ** This function decrypts the gathered record in place, in gs_buf.
23 *
24 * Caller must hold RecvBufLock.
25 *
26 * Returns +1 when it has gathered a complete SSLV2 record.
27 * Returns 0 if it hits EOF.
28 * Returns -1 (SECFailure) on any error
29 * Returns -2 (SECWouldBlock) when it gathers an SSL v3 client hello header.
30 **
31 ** The SSL2 Gather State machine has 4 states:
32 ** GS_INIT - Done reading in previous record. Haven't begun to read in
33 ** next record. When ssl2_GatherData is called with the machine
34 ** in this state, the machine will attempt to read the first 3
35 ** bytes of the SSL2 record header, and will advance the state
36 ** to GS_HEADER.
37 **
38 ** GS_HEADER - The machine is in this state while waiting for the completion
39 ** of the first 3 bytes of the SSL2 record. When complete, the
40 ** machine will compute the remaining unread length of this record
41 ** and will initiate a read of that many bytes. The machine will
42 ** advance to one of two states, depending on whether the record
43 ** is encrypted (GS_MAC), or unencrypted (GS_DATA).
44 **
45 ** GS_MAC - The machine is in this state while waiting for the remainder
46 ** of the SSL2 record to be read in. When the read is completed,
47 ** the machine checks the record for valid length, decrypts it,
48 ** and checks and discards the MAC, then advances to GS_INIT.
49 **
50 ** GS_DATA - The machine is in this state while waiting for the remainder
51 ** of the unencrypted SSL2 record to be read in. Upon completion,
52 ** the machine advances to the GS_INIT state and returns the data.
53 */
54 int
55 ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
56 {
57 unsigned char * bp;
58 unsigned char * pBuf;
59 int nb, err, rv;
60
61 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
62
63 if (gs->state == GS_INIT) {
64 /* Initialize gathering engine */
65 gs->state = GS_HEADER;
66 gs->remainder = 3;
67 gs->count = 3;
68 gs->offset = 0;
69 gs->recordLen = 0;
70 gs->recordPadding = 0;
71 gs->hdr[2] = 0;
72
73 gs->writeOffset = 0;
74 gs->readOffset = 0;
75 }
76 if (gs->encrypted) {
77 PORT_Assert(ss->sec.hash != 0);
78 }
79
80 pBuf = gs->buf.buf;
81 for (;;) {
82 SSL_TRC(30, ("%d: SSL[%d]: gather state %d (need %d more)",
83 SSL_GETPID(), ss->fd, gs->state, gs->remainder));
84 bp = ((gs->state != GS_HEADER) ? pBuf : gs->hdr) + gs->offset;
85 nb = ssl_DefRecv(ss, bp, gs->remainder, flags);
86 if (nb > 0) {
87 PRINT_BUF(60, (ss, "raw gather data:", bp, nb));
88 }
89 if (nb == 0) {
90 /* EOF */
91 SSL_TRC(30, ("%d: SSL[%d]: EOF", SSL_GETPID(), ss->fd));
92 rv = 0;
93 break;
94 }
95 if (nb < 0) {
96 SSL_DBG(("%d: SSL[%d]: recv error %d", SSL_GETPID(), ss->fd,
97 PR_GetError()));
98 rv = SECFailure;
99 break;
100 }
101
102 gs->offset += nb;
103 gs->remainder -= nb;
104
105 if (gs->remainder > 0) {
106 continue;
107 }
108
109 /* Probably finished this piece */
110 switch (gs->state) {
111 case GS_HEADER:
112 if (!SSL3_ALL_VERSIONS_DISABLED(&ss->vrange) && !ss->firstHsDone) {
113
114 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
115
116 /* If this looks like an SSL3 handshake record,
117 ** and we're expecting an SSL2 Hello message from our peer,
118 ** handle it here.
119 */
120 if (gs->hdr[0] == content_handshake) {
121 if ((ss->nextHandshake == ssl2_HandleClientHelloMessage) ||
122 (ss->nextHandshake == ssl2_HandleServerHelloMessage)) {
123 rv = ssl2_HandleV3HandshakeRecord(ss);
124 if (rv == SECFailure) {
125 return SECFailure;
126 }
127 }
128 /* XXX_1 The call stack to here is:
129 * ssl_Do1stHandshake -> ssl_GatherRecord1stHandshake ->
130 * ssl2_GatherRecord -> here.
131 * We want to return all the way out to ssl_Do1stHandshake,
132 * and have it call ssl_GatherRecord1stHandshake again.
133 * ssl_GatherRecord1stHandshake will call
134 * ssl3_GatherCompleteHandshake when it is called again.
135 *
136 * Returning SECWouldBlock here causes
137 * ssl_GatherRecord1stHandshake to return without clearing
138 * ss->handshake, ensuring that ssl_Do1stHandshake will
139 * call it again immediately.
140 *
141 * If we return 1 here, ssl_GatherRecord1stHandshake will
142 * clear ss->handshake before returning, and thus will not
143 * be called again by ssl_Do1stHandshake.
144 */
145 return SECWouldBlock;
146 } else if (gs->hdr[0] == content_alert) {
147 if (ss->nextHandshake == ssl2_HandleServerHelloMessage) {
148 /* XXX This is a hack. We're assuming that any failure
149 * XXX on the client hello is a failure to match
150 * XXX ciphers.
151 */
152 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
153 return SECFailure;
154 }
155 }
156 }
157
158 /* we've got the first 3 bytes. The header may be two or three. */
159 if (gs->hdr[0] & 0x80) {
160 /* This record has a 2-byte header, and no padding */
161 gs->count = ((gs->hdr[0] & 0x7f) << 8) | gs->hdr[1];
162 gs->recordPadding = 0;
163 } else {
164 /* This record has a 3-byte header that is all read in now. */
165 gs->count = ((gs->hdr[0] & 0x3f) << 8) | gs->hdr[1];
166 /* is_escape = (gs->hdr[0] & 0x40) != 0; */
167 gs->recordPadding = gs->hdr[2];
168 }
169 if (!gs->count) {
170 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
171 goto cleanup;
172 }
173
174 if (gs->count > gs->buf.space) {
175 err = sslBuffer_Grow(&gs->buf, gs->count);
176 if (err) {
177 return err;
178 }
179 pBuf = gs->buf.buf;
180 }
181
182
183 if (gs->hdr[0] & 0x80) {
184 /* we've already read in the first byte of the body.
185 ** Put it into the buffer.
186 */
187 pBuf[0] = gs->hdr[2];
188 gs->offset = 1;
189 gs->remainder = gs->count - 1;
190 } else {
191 gs->offset = 0;
192 gs->remainder = gs->count;
193 }
194
195 if (gs->encrypted) {
196 gs->state = GS_MAC;
197 gs->recordLen = gs->count - gs->recordPadding
198 - ss->sec.hash->length;
199 } else {
200 gs->state = GS_DATA;
201 gs->recordLen = gs->count;
202 }
203
204 break;
205
206
207 case GS_MAC:
208 /* Have read in entire rest of the ciphertext.
209 ** Check for valid length.
210 ** Decrypt it.
211 ** Check the MAC.
212 */
213 PORT_Assert(gs->encrypted);
214
215 {
216 unsigned int macLen;
217 int nout;
218 unsigned char mac[SSL_MAX_MAC_BYTES];
219
220 ssl_GetSpecReadLock(ss); /**********************************/
221
222 /* If this is a stream cipher, blockSize will be 1,
223 * and this test will always be false.
224 * If this is a block cipher, this will detect records
225 * that are not a multiple of the blocksize in length.
226 */
227 if (gs->count & (ss->sec.blockSize - 1)) {
228 /* This is an error. Sender is misbehaving */
229 SSL_DBG(("%d: SSL[%d]: sender, count=%d blockSize=%d",
230 SSL_GETPID(), ss->fd, gs->count,
231 ss->sec.blockSize));
232 PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
233 rv = SECFailure;
234 goto spec_locked_done;
235 }
236 PORT_Assert(gs->count == gs->offset);
237
238 if (gs->offset == 0) {
239 rv = 0; /* means EOF. */
240 goto spec_locked_done;
241 }
242
243 /* Decrypt the portion of data that we just received.
244 ** Decrypt it in place.
245 */
246 rv = (*ss->sec.dec)(ss->sec.readcx, pBuf, &nout, gs->offset,
247 pBuf, gs->offset);
248 if (rv != SECSuccess) {
249 goto spec_locked_done;
250 }
251
252
253 /* Have read in all the MAC portion of record
254 **
255 ** Prepare MAC by resetting it and feeding it the shared secret
256 */
257 macLen = ss->sec.hash->length;
258 if (gs->offset >= macLen) {
259 PRUint32 sequenceNumber = ss->sec.rcvSequence++;
260 unsigned char seq[4];
261
262 seq[0] = (unsigned char) (sequenceNumber >> 24);
263 seq[1] = (unsigned char) (sequenceNumber >> 16);
264 seq[2] = (unsigned char) (sequenceNumber >> 8);
265 seq[3] = (unsigned char) (sequenceNumber);
266
267 (*ss->sec.hash->begin)(ss->sec.hashcx);
268 (*ss->sec.hash->update)(ss->sec.hashcx, ss->sec.rcvSecret.data,
269 ss->sec.rcvSecret.len);
270 (*ss->sec.hash->update)(ss->sec.hashcx, pBuf + macLen,
271 gs->offset - macLen);
272 (*ss->sec.hash->update)(ss->sec.hashcx, seq, 4);
273 (*ss->sec.hash->end)(ss->sec.hashcx, mac, &macLen, macLen);
274
275 PORT_Assert(macLen == ss->sec.hash->length);
276
277 ssl_ReleaseSpecReadLock(ss); /******************************/
278
279 if (NSS_SecureMemcmp(mac, pBuf, macLen) != 0) {
280 /* MAC's didn't match... */
281 SSL_DBG(("%d: SSL[%d]: mac check failed, seq=%d",
282 SSL_GETPID(), ss->fd, ss->sec.rcvSequence));
283 PRINT_BUF(1, (ss, "computed mac:", mac, macLen));
284 PRINT_BUF(1, (ss, "received mac:", pBuf, macLen));
285 PORT_SetError(SSL_ERROR_BAD_MAC_READ);
286 rv = SECFailure;
287 goto cleanup;
288 }
289 } else {
290 ssl_ReleaseSpecReadLock(ss); /******************************/
291 }
292
293 if (gs->recordPadding + macLen <= gs->offset) {
294 gs->recordOffset = macLen;
295 gs->readOffset = macLen;
296 gs->writeOffset = gs->offset - gs->recordPadding;
297 rv = 1;
298 } else {
299 PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
300 cleanup:
301 /* nothing in the buffer any more. */
302 gs->recordOffset = 0;
303 gs->readOffset = 0;
304 gs->writeOffset = 0;
305 rv = SECFailure;
306 }
307
308 gs->recordLen = gs->writeOffset - gs->readOffset;
309 gs->recordPadding = 0; /* forget we did any padding. */
310 gs->state = GS_INIT;
311
312
313 if (rv > 0) {
314 PRINT_BUF(50, (ss, "recv clear record:",
315 pBuf + gs->recordOffset, gs->recordLen));
316 }
317 return rv;
318
319 spec_locked_done:
320 ssl_ReleaseSpecReadLock(ss);
321 return rv;
322 }
323
324 case GS_DATA:
325 /* Have read in all the DATA portion of record */
326
327 gs->recordOffset = 0;
328 gs->readOffset = 0;
329 gs->writeOffset = gs->offset;
330 PORT_Assert(gs->recordLen == gs->writeOffset - gs->readOffset);
331 gs->recordLen = gs->offset;
332 gs->recordPadding = 0;
333 gs->state = GS_INIT;
334
335 ++ss->sec.rcvSequence;
336
337 PRINT_BUF(50, (ss, "recv clear record:",
338 pBuf + gs->recordOffset, gs->recordLen));
339 return 1;
340
341 } /* end switch gs->state */
342 } /* end gather loop. */
343 return rv;
344 }
345
346 /*
347 ** Gather a single record of data from the receiving stream. This code
348 ** first gathers the header (2 or 3 bytes long depending on the value of
349 ** the most significant bit in the first byte) then gathers up the data
350 ** for the record into the readBuf. This code handles non-blocking I/O
351 ** and is to be called multiple times until ss->sec.recordLen != 0.
352 *
353 * Returns +1 when it has gathered a complete SSLV2 record.
354 * Returns 0 if it hits EOF.
355 * Returns -1 (SECFailure) on any error
356 * Returns -2 (SECWouldBlock)
357 *
358 * Called by ssl_GatherRecord1stHandshake in sslcon.c,
359 * and by DoRecv in sslsecur.c
360 * Caller must hold RecvBufLock.
361 */
362 int
363 ssl2_GatherRecord(sslSocket *ss, int flags)
364 {
365 return ssl2_GatherData(ss, &ss->gs, flags);
366 }
367
368 /*
369 * Returns +1 when it has gathered a complete SSLV2 record.
370 * Returns 0 if it hits EOF.
371 * Returns -1 (SECFailure) on any error
372 * Returns -2 (SECWouldBlock)
373 *
374 * Called from SocksStartGather in sslsocks.c
375 * Caller must hold RecvBufLock.
376 */
377 int
378 ssl2_StartGatherBytes(sslSocket *ss, sslGather *gs, unsigned int count)
379 {
380 int rv;
381
382 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
383 gs->state = GS_DATA;
384 gs->remainder = count;
385 gs->count = count;
386 gs->offset = 0;
387 if (count > gs->buf.space) {
388 rv = sslBuffer_Grow(&gs->buf, count);
389 if (rv) {
390 return rv;
391 }
392 }
393 return ssl2_GatherData(ss, gs, 0);
394 }
395
396 /* Caller should hold RecvBufLock. */
397 SECStatus
398 ssl_InitGather(sslGather *gs)
399 {
400 SECStatus status;
401
402 gs->state = GS_INIT;
403 gs->writeOffset = 0;
404 gs->readOffset = 0;
405 gs->dtlsPacketOffset = 0;
406 gs->dtlsPacket.len = 0;
407 status = sslBuffer_Grow(&gs->buf, 4096);
408 return status;
409 }
410
411 /* Caller must hold RecvBufLock. */
412 void
413 ssl_DestroyGather(sslGather *gs)
414 {
415 if (gs) { /* the PORT_*Free functions check for NULL pointers. */
416 PORT_ZFree(gs->buf.buf, gs->buf.space);
417 PORT_Free(gs->inbuf.buf);
418 PORT_Free(gs->dtlsPacket.buf);
419 }
420 }
421
422 /* Caller must hold RecvBufLock. */
423 static SECStatus
424 ssl2_HandleV3HandshakeRecord(sslSocket *ss)
425 {
426 SECStatus rv;
427
428 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
429 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
430
431 /* We've read in 3 bytes, there are 2 more to go in an ssl3 header. */
432 ss->gs.remainder = 2;
433 ss->gs.count = 0;
434
435 /* Clearing these handshake pointers ensures that
436 * ssl_Do1stHandshake won't call ssl2_HandleMessage when we return.
437 */
438 ss->nextHandshake = 0;
439 ss->securityHandshake = 0;
440
441 /* Setting ss->version to an SSL 3.x value will cause
442 ** ssl_GatherRecord1stHandshake to invoke ssl3_GatherCompleteHandshake()
443 ** the next time it is called.
444 **/
445 rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED,
446 PR_TRUE);
447 if (rv != SECSuccess) {
448 return rv;
449 }
450
451 ss->sec.send = ssl3_SendApplicationData;
452
453 return SECSuccess;
454 }