/* Parse incoming data per http://wp.netscape.com/eng/ssl3 */ int32 matrixSslDecode(ssl_t *ssl, sslBuf_t *in, sslBuf_t *out, unsigned char *error, unsigned char *alertLevel, unsigned char *alertDescription) { unsigned char *c, *p, *end, *pend, *oend; unsigned char *mac, macError; int32 rc; unsigned char padLen; /* If we've had a protocol error, don't allow further use of the session */ *error = SSL_ALERT_NONE; if (ssl->flags & SSL_FLAGS_ERROR || ssl->flags & SSL_FLAGS_CLOSED) { return SSL_ERROR; } /* This flag is set if the previous call to this routine returned an SSL_FULL error from encodeResponse, indicating that there is data to be encoded, but the out buffer was not big enough to handle it. If we fall in this case, the user has increased the out buffer size and is re-calling this routine */ if (ssl->flags & SSL_FLAGS_NEED_ENCODE) { ssl->flags &= ~SSL_FLAGS_NEED_ENCODE; goto encodeResponse; } c = in->start; end = in->end; oend = out->end; /* Processing the SSL Record header: If the high bit of the first byte is set and this is the first message we've seen, we parse the request as an SSLv2 request http://wp.netscape.com/eng/security/SSL_2.html SSLv2 also supports a 3 byte header when padding is used, but this should not be required for the initial plaintext message, so we don't support it v3 Header: 1 byte type 1 byte major version 1 byte minor version 2 bytes length v2 Header 2 bytes length (ignore high bit) */ decodeMore: sslAssert(out->end == oend); if (end - c == 0) { /* This case could happen if change cipher spec was last message in the buffer */ return SSL_SUCCESS; } if (end - c < SSL2_HEADER_LEN) { return SSL_PARTIAL; } if (ssl->majVer != 0 || (*c & 0x80) == 0) { if (end - c < ssl->recordHeadLen) { return SSL_PARTIAL; } ssl->rec.type = *c; c++; ssl->rec.majVer = *c; c++; ssl->rec.minVer = *c; c++; ssl->rec.len = *c << 8; c++; ssl->rec.len += *c; c++; } else { ssl->rec.type = SSL_RECORD_TYPE_HANDSHAKE; ssl->rec.majVer = 2; ssl->rec.minVer = 0; ssl->rec.len = (*c & 0x7f) << 8; c++; ssl->rec.len += *c; c++; } /* Validate the various record headers. The type must be valid, the major and minor versions must match the negotiated versions (if we're past ClientHello) and the length must be < 16K and > 0 */ if (ssl->rec.type != SSL_RECORD_TYPE_CHANGE_CIPHER_SPEC && ssl->rec.type != SSL_RECORD_TYPE_ALERT && ssl->rec.type != SSL_RECORD_TYPE_HANDSHAKE && ssl->rec.type != SSL_RECORD_TYPE_APPLICATION_DATA) { ssl->err = SSL_ALERT_UNEXPECTED_MESSAGE; matrixIntDebugMsg("Record header type not valid: %d\n", ssl->rec.type); goto encodeResponse; } /* Verify the record version numbers unless this is the first record we're reading. */ if (ssl->hsState != SSL_HS_SERVER_HELLO && ssl->hsState != SSL_HS_CLIENT_HELLO) { if (ssl->rec.majVer != ssl->majVer || ssl->rec.minVer != ssl->minVer) { ssl->err = SSL_ALERT_ILLEGAL_PARAMETER; matrixStrDebugMsg("Record header version not valid\n", NULL); goto encodeResponse; } } /* Verify max and min record lengths */ if (ssl->rec.len > SSL_MAX_RECORD_LEN || ssl->rec.len == 0) { ssl->err = SSL_ALERT_ILLEGAL_PARAMETER; matrixIntDebugMsg("Record header length not valid: %d\n", ssl->rec.len); goto encodeResponse; } /* This implementation requires the entire SSL record to be in the 'in' buffer before we parse it. This is because we need to MAC the entire record before allowing it to be used by the caller. The only alternative would be to copy the partial record to an internal buffer, but that would require more memory usage, which we're trying to keep low. */ if (end - c < ssl->rec.len) { return SSL_PARTIAL; } /* Make sure we have enough room to hold the decoded record */ if ((out->buf + out->size) - out->end < ssl->rec.len) { return SSL_FULL; } /* Decrypt the entire record contents. The record length should be a multiple of block size, or decrypt will return an error If we're still handshaking and sending plaintext, the decryption callback will point to a null provider that passes the data unchanged */ if (ssl->decrypt(&ssl->sec.decryptCtx, c, out->end, ssl->rec.len) < 0) { ssl->err = SSL_ALERT_ILLEGAL_PARAMETER; goto encodeResponse; } c += ssl->rec.len; /* If we're reading a secure message, we need to validate the MAC and padding (if using a block cipher). Insecure messages do not have a trailing MAC or any padding. SECURITY - There are several vulnerabilities in block cipher padding that we handle in the below code. For more information see: http://www.openssl.org/~bodo/tls-cbc.txt */ if (ssl->flags & SSL_FLAGS_READ_SECURE) { /* Verify the record is at least as big as the MAC Start tracking MAC errors, rather then immediately catching them to stop timing and alert description attacks that differentiate between a padding error and a MAC error. */ if (ssl->rec.len < ssl->deMacSize) { ssl->err = SSL_ALERT_BAD_RECORD_MAC; matrixStrDebugMsg("Record length too short for MAC\n", NULL); goto encodeResponse; } macError = 0; /* Decode padding only if blocksize is > 0 (we're using a block cipher), otherwise no padding will be present, and the mac is the last macSize bytes of the record. */ if (ssl->deBlockSize <= 1) { mac = out->end + ssl->rec.len - ssl->deMacSize; } else { /* Verify the pad data for block ciphers c points within the cipher text, p points within the plaintext The last byte of the record is the pad length */ p = out->end + ssl->rec.len; padLen = *(p - 1); /* SSL3.0 requires the pad length to be less than blockSize TLS can have a pad length up to 255 for obfuscating the data len */ if (ssl->majVer == SSL3_MAJ_VER && ssl->minVer == SSL3_MIN_VER && padLen >= ssl->deBlockSize) { macError++; } /* The minimum record length is the size of the mac, plus pad bytes plus one length byte */ if (ssl->rec.len < ssl->deMacSize + padLen + 1) { macError++; } /* The mac starts macSize bytes before the padding and length byte. If we have a macError, just fake the mac as the last macSize bytes of the record, so we are sure to have enough bytes to verify against, we'll fail anyway, so the actual contents don't matter. */ if (!macError) { mac = p - padLen - 1 - ssl->deMacSize; } else { mac = out->end + ssl->rec.len - ssl->deMacSize; } } /* Verify the MAC of the message by calculating our own MAC of the message and comparing it to the one in the message. We do this step regardless of whether or not we've already set macError to stop timing attacks. Clear the mac in the callers buffer if we're successful */ if (ssl->verifyMac(ssl, ssl->rec.type, out->end, (int32)(mac - out->end), mac) < 0 || macError) { ssl->err = SSL_ALERT_BAD_RECORD_MAC; matrixStrDebugMsg("Couldn't verify MAC or pad of record data\n", NULL); goto encodeResponse; } memset(mac, 0x0, ssl->deMacSize); /* Record data starts at out->end and ends at mac */ p = out->end; pend = mac; } else { /* The record data is the entire record as there is no MAC or padding */ p = out->end; pend = mac = out->end + ssl->rec.len; } /* Check now for maximum plaintext length of 16kb. No appropriate SSL alert for this */ if ((int32)(pend - p) > SSL_MAX_PLAINTEXT_LEN) { ssl->err = SSL_ALERT_BAD_RECORD_MAC; matrixStrDebugMsg("Record overflow\n", NULL); goto encodeResponse; } /* Take action based on the actual record type we're dealing with 'p' points to the start of the data, and 'pend' points to the end */ switch (ssl->rec.type) { case SSL_RECORD_TYPE_CHANGE_CIPHER_SPEC: /* Body is single byte with value 1 to indicate that the next message will be encrypted using the negotiated cipher suite */ if (pend - p < 1) { ssl->err = SSL_ALERT_ILLEGAL_PARAMETER; matrixStrDebugMsg("Invalid length for CipherSpec\n", NULL); goto encodeResponse; } if (*p == 1) { p++; } else { ssl->err = SSL_ALERT_ILLEGAL_PARAMETER; matrixStrDebugMsg("Invalid value for CipherSpec\n", NULL); goto encodeResponse; } /* If we're expecting finished, then this is the right place to get this record. It is really part of the handshake but it has its own record type. Activate the read cipher callbacks, so we will decrypt incoming data from now on. */ if (ssl->hsState == SSL_HS_FINISHED) { sslActivateReadCipher(ssl); } else { ssl->err = SSL_ALERT_UNEXPECTED_MESSAGE; matrixIntDebugMsg("Invalid CipherSpec order: %d\n", ssl->hsState); goto encodeResponse; } in->start = c; goto decodeMore; case SSL_RECORD_TYPE_ALERT: /* 1 byte alert level (warning or fatal) 1 byte alert description corresponding to SSL_ALERT_* */ if (pend - p < 2) { ssl->err = SSL_ALERT_ILLEGAL_PARAMETER; matrixStrDebugMsg("Error in length of alert record\n", NULL); goto encodeResponse; } *alertLevel = *p; p++; *alertDescription = *p; p++; /* If the alert is fatal, or is a close message (usually a warning), flag the session with ERROR so it cannot be used anymore. Caller can decide whether or not to close on other warnings. */ if (*alertLevel == SSL_ALERT_LEVEL_FATAL) { ssl->flags |= SSL_FLAGS_ERROR; } if (*alertDescription == SSL_ALERT_CLOSE_NOTIFY) { ssl->flags |= SSL_FLAGS_CLOSED; } return SSL_ALERT; case SSL_RECORD_TYPE_HANDSHAKE: /* We've got one or more handshake messages in the record data. The handshake parsing function will take care of all messages and return an error if there is any problem. If there is a response to be sent (either a return handshake or an error alert, send it). If the message was parsed, but no response is needed, loop up and try to parse another message */ rc = parseSSLHandshake(ssl, (char*)p, (int32)(pend - p)); switch (rc) { case SSL_SUCCESS: in->start = c; return SSL_SUCCESS; case SSL_PROCESS_DATA: in->start = c; goto encodeResponse; case SSL_ERROR: if (ssl->err == SSL_ALERT_NONE) { ssl->err = SSL_ALERT_HANDSHAKE_FAILURE; } goto encodeResponse; } break; case SSL_RECORD_TYPE_APPLICATION_DATA: /* Data is in the out buffer, let user handle it Don't allow application data until handshake is complete, and we are secure. It is ok to let application data through on the client if we are in the SERVER_HELLO state because this could mean that the client has sent a CLIENT_HELLO message for a rehandshake and is awaiting reply. */ if ((ssl->hsState != SSL_HS_DONE && ssl->hsState != SSL_HS_SERVER_HELLO) || !(ssl->flags & SSL_FLAGS_READ_SECURE)) { ssl->err = SSL_ALERT_UNEXPECTED_MESSAGE; matrixIntDebugMsg("Incomplete handshake: %d\n", ssl->hsState); goto encodeResponse; } /* SECURITY - If the mac is at the current out->end, then there is no data in the record. These records are valid, but are usually not sent by the application layer protocol. Rather, they are initiated within the remote SSL protocol implementation to avoid some types of attacks when using block ciphers. For more information see: http://www.openssl.org/~bodo/tls-cbc.txt We eat these records here rather than passing them on to the caller. The rationale behind this is that if the caller's application protocol is depending on zero length SSL messages, it will fail anyway if some of those messages are initiated within the SSL protocol layer. Also this clears up any confusion where the caller might interpret a zero length read as an end of file (EOF) or would block (EWOULDBLOCK) type scenario. SECURITY - Looping back up and ignoring the message has the potential for denial of service, because we are not changing the state of the system in any way when processing these messages. To counteract this, we maintain a counter that we share with other types of ignored messages */ in->start = c; if (out->end == mac) { if (ssl->ignoredMessageCount++ < SSL_MAX_IGNORED_MESSAGE_COUNT) { goto decodeMore; } ssl->err = SSL_ALERT_UNEXPECTED_MESSAGE; matrixIntDebugMsg("Exceeded limit on ignored messages: %d\n", SSL_MAX_IGNORED_MESSAGE_COUNT); goto encodeResponse; } if (ssl->ignoredMessageCount > 0) { ssl->ignoredMessageCount--; } out->end = mac; return SSL_PROCESS_DATA; } /* Should not get here */ matrixIntDebugMsg("Invalid record type in matrixSslDecode: %d\n", ssl->rec.type); return SSL_ERROR; encodeResponse: /* We decoded a record that needs a response, either a handshake response or an alert if we've detected an error. SECURITY - Clear the decoded incoming record from outbuf before encoding the response into outbuf. rec.len could be invalid, clear the minimum of rec.len and remaining outbuf size */ rc = min (ssl->rec.len, (int32)((out->buf + out->size) - out->end)); if (rc > 0) { memset(out->end, 0x0, rc); } if (ssl->hsState == SSL_HS_HELLO_REQUEST) { /* Don't clear the session info. If receiving a HELLO_REQUEST from a MatrixSSL enabled server the determination on whether to reuse the session is made on that side, so always send the current session */ rc = matrixSslEncodeClientHello(ssl, out, ssl->cipher->id); } else { rc = sslEncodeResponse(ssl, out); } if (rc == SSL_SUCCESS) { if (ssl->err != SSL_ALERT_NONE) { *error = (unsigned char)ssl->err; ssl->flags |= SSL_FLAGS_ERROR; return SSL_ERROR; } return SSL_SEND_RESPONSE; } if (rc == SSL_FULL) { ssl->flags |= SSL_FLAGS_NEED_ENCODE; return SSL_FULL; } return SSL_ERROR; }
/* New SSL protocol context This structure is associated with a single SSL connection. Each socket using SSL should be associated with a new SSL context. certBuf and privKey ARE NOT duplicated within the server context, in order to minimize memory usage with multiple simultaneous requests. They must not be deleted by caller until all server contexts using them are deleted. */ int32 matrixSslNewSession(ssl_t **ssl, sslKeys_t *keys, sslSessionId_t *session, int32 flags) { psPool_t *pool = NULL; ssl_t *lssl; /* First API level chance to make sure a user is not attempting to use client or server support that was not built into this library compile */ #ifndef USE_SERVER_SIDE_SSL if (flags & SSL_FLAGS_SERVER) { matrixStrDebugMsg("MatrixSSL lib not compiled with server support\n", NULL); return -1; } #endif #ifndef USE_CLIENT_SIDE_SSL if (!(flags & SSL_FLAGS_SERVER)) { matrixStrDebugMsg("MatrixSSL lib not compiled with client support\n", NULL); return -1; } #endif if (flags & SSL_FLAGS_CLIENT_AUTH) { matrixStrDebugMsg("MatrixSSL lib not compiled with client " \ "authentication support\n", NULL); return -1; } if (flags & SSL_FLAGS_SERVER) { if (keys == NULL) { matrixStrDebugMsg("NULL keys in matrixSslNewSession\n", NULL); return -1; } if (session != NULL) { matrixStrDebugMsg("Server session must be NULL\n", NULL); return -1; } } *ssl = lssl = psMalloc(pool, sizeof(ssl_t)); if (lssl == NULL) { return SSL_MEM_ERROR; } memset(lssl, 0x0, sizeof(ssl_t)); lssl->pool = pool; lssl->cipher = sslGetCipherSpec(SSL_NULL_WITH_NULL_NULL); sslActivateReadCipher(lssl); sslActivateWriteCipher(lssl); sslActivatePublicCipher(lssl); lssl->recordHeadLen = SSL3_HEADER_LEN; lssl->hshakeHeadLen = SSL3_HANDSHAKE_HEADER_LEN; if (flags & SSL_FLAGS_SERVER) { lssl->flags |= SSL_FLAGS_SERVER; /* Client auth can only be requested by server, not set by client */ if (flags & SSL_FLAGS_CLIENT_AUTH) { lssl->flags |= SSL_FLAGS_CLIENT_AUTH; } lssl->hsState = SSL_HS_CLIENT_HELLO; } else { /* Client is first to set protocol version information based on compile and/or the 'flags' parameter so header information in the handshake messages will be correctly set. */ lssl->majVer = SSL3_MAJ_VER; lssl->minVer = SSL3_MIN_VER; lssl->hsState = SSL_HS_SERVER_HELLO; if (session != NULL && session->cipherId != SSL_NULL_WITH_NULL_NULL) { lssl->cipher = sslGetCipherSpec(session->cipherId); if (lssl->cipher == NULL) { matrixStrDebugMsg("Invalid session id to matrixSslNewSession\n", NULL); } else { memcpy(lssl->sec.masterSecret, session->masterSecret, SSL_HS_MASTER_SIZE); lssl->sessionIdLen = SSL_MAX_SESSION_ID_SIZE; memcpy(lssl->sessionId, session->id, SSL_MAX_SESSION_ID_SIZE); } } } lssl->err = SSL_ALERT_NONE; lssl->keys = keys; return 0; }
/* New SSL protocol context This structure is associated with a single SSL connection. Each socket using SSL should be associated with a new SSL context. certBuf and privKey ARE NOT duplicated within the server context, in order to minimize memory usage with multiple simultaneous requests. They must not be deleted by caller until all server contexts using them are deleted. */ int32 matrixSslNewSession(ssl_t **ssl, sslKeys_t *keys, sslSessionId_t *session, int32 flags) { psPool_t *pool = NULL; ssl_t *lssl; /* First API level chance to make sure a user is not attempting to use client or server support that was not built into this library compile */ #ifndef USE_SERVER_SIDE_SSL if (flags & SSL_FLAGS_SERVER) { psTraceInfo("SSL_FLAGS_SERVER passed to matrixSslNewSession but MatrixSSL lib was not compiled with server support\n"); return PS_ARG_FAIL; } #endif #ifndef USE_CLIENT_SIDE_SSL if (!(flags & SSL_FLAGS_SERVER)) { psTraceInfo("SSL_FLAGS_SERVER was not passed to matrixSslNewSession but MatrixSSL was not compiled with client support\n"); return PS_ARG_FAIL; } #endif if (flags & SSL_FLAGS_CLIENT_AUTH) { psTraceInfo("SSL_FLAGS_CLIENT_AUTH passed to matrixSslNewSession but MatrixSSL was not compiled with USE_CLIENT_AUTH enabled\n"); return PS_ARG_FAIL; } if (flags & SSL_FLAGS_SERVER) { if (keys == NULL) { psTraceInfo("NULL keys parameter passed to matrixSslNewSession\n"); return PS_ARG_FAIL; } if (session != NULL) { psTraceInfo("Ignoring session parameter to matrixSslNewSession\n"); } } *ssl = lssl = psMalloc(pool, sizeof(ssl_t)); if (lssl == NULL) { psTraceInfo("Out of memory for ssl_t in matrixSslNewSession\n"); return PS_MEM_FAIL; } memset(lssl, 0x0, sizeof(ssl_t)); /* Data buffers */ lssl->outsize = SSL_DEFAULT_OUT_BUF_SIZE; lssl->outbuf = psMalloc(MATRIX_NO_POOL, lssl->outsize); if (lssl->outbuf == NULL) { psTraceInfo("Out of memory for outbuf in matrixSslNewSession\n"); psFree(lssl); return PS_MEM_FAIL; } lssl->insize = SSL_DEFAULT_IN_BUF_SIZE; lssl->inbuf = psMalloc(MATRIX_NO_POOL, lssl->insize); if (lssl->inbuf == NULL) { psTraceInfo("Out of memory for inbuf in matrixSslNewSession\n"); psFree(lssl->outbuf); psFree(lssl); return PS_MEM_FAIL; } lssl->sPool = pool; lssl->keys = keys; lssl->cipher = sslGetCipherSpec(lssl, SSL_NULL_WITH_NULL_NULL); sslActivateReadCipher(lssl); sslActivateWriteCipher(lssl); lssl->recordHeadLen = SSL3_HEADER_LEN; lssl->hshakeHeadLen = SSL3_HANDSHAKE_HEADER_LEN; if (flags & SSL_FLAGS_SERVER) { lssl->flags |= SSL_FLAGS_SERVER; /* Client auth can only be requested by server, not set by client */ if (flags & SSL_FLAGS_CLIENT_AUTH) { lssl->flags |= SSL_FLAGS_CLIENT_AUTH; } lssl->hsState = SSL_HS_CLIENT_HELLO; } else { /* Client is first to set protocol version information based on compile and/or the 'flags' parameter so header information in the handshake messages will be correctly set. */ #ifdef USE_TLS #ifndef DISABLE_TLS_1_0 lssl->majVer = TLS_MAJ_VER; lssl->minVer = TLS_MIN_VER; #endif #if defined(USE_TLS_1_1) && !defined(DISABLE_TLS_1_1) lssl->majVer = TLS_MAJ_VER; lssl->minVer = TLS_1_1_MIN_VER; lssl->flags |= SSL_FLAGS_TLS_1_1; #endif /* USE_TLS_1_1 */ if (lssl->majVer == 0) { /* USE_TLS enabled but all DISABLE_TLS versions are enabled so use SSLv3. Compile time tests would catch if no versions are enabled at all */ lssl->majVer = SSL3_MAJ_VER; lssl->minVer = SSL3_MIN_VER; } else { lssl->flags |= SSL_FLAGS_TLS; } #else /* USE_TLS */ lssl->majVer = SSL3_MAJ_VER; lssl->minVer = SSL3_MIN_VER; #endif /* USE_TLS */ lssl->hsState = SSL_HS_SERVER_HELLO; if (session != NULL && session->cipherId != SSL_NULL_WITH_NULL_NULL) { lssl->cipher = sslGetCipherSpec(lssl, session->cipherId); if (lssl->cipher == NULL) { psTraceInfo("Invalid session id to matrixSslNewSession\n"); } else { memcpy(lssl->sec.masterSecret, session->masterSecret, SSL_HS_MASTER_SIZE); lssl->sessionIdLen = SSL_MAX_SESSION_ID_SIZE; memcpy(lssl->sessionId, session->id, SSL_MAX_SESSION_ID_SIZE); } } lssl->sid = session; } lssl->err = SSL_ALERT_NONE; return PS_SUCCESS; }