/*
Parse incoming data per http://wp.netscape.com/eng/ssl3
*/
int32 matrixSslDecode(ssl_t *ssl, sslBuf_t *in, sslBuf_t *out,
unsigned char *error, unsigned char *alertLevel,
unsigned char *alertDescription)
{
unsigned char *c, *p, *end, *pend, *oend;
unsigned char *mac, macError;
int32 rc;
unsigned char padLen;
/*
If we've had a protocol error, don't allow further use of the session
*/
*error = SSL_ALERT_NONE;
if (ssl->flags & SSL_FLAGS_ERROR || ssl->flags & SSL_FLAGS_CLOSED) {
return SSL_ERROR;
}
/*
This flag is set if the previous call to this routine returned an SSL_FULL
error from encodeResponse, indicating that there is data to be encoded,
but the out buffer was not big enough to handle it. If we fall in this
case, the user has increased the out buffer size and is re-calling this
routine
*/
if (ssl->flags & SSL_FLAGS_NEED_ENCODE) {
ssl->flags &= ~SSL_FLAGS_NEED_ENCODE;
goto encodeResponse;
}
c = in->start;
end = in->end;
oend = out->end;
/*
Processing the SSL Record header:
If the high bit of the first byte is set and this is the first
message we've seen, we parse the request as an SSLv2 request
http://wp.netscape.com/eng/security/SSL_2.html
SSLv2 also supports a 3 byte header when padding is used, but this should
not be required for the initial plaintext message, so we don't support it
v3 Header:
1 byte type
1 byte major version
1 byte minor version
2 bytes length
v2 Header
2 bytes length (ignore high bit)
*/
decodeMore:
sslAssert(out->end == oend);
if (end - c == 0) {
/*
This case could happen if change cipher spec was last
message in the buffer
*/
return SSL_SUCCESS;
}
if (end - c < SSL2_HEADER_LEN) {
return SSL_PARTIAL;
}
if (ssl->majVer != 0 || (*c & 0x80) == 0) {
if (end - c < ssl->recordHeadLen) {
return SSL_PARTIAL;
}
ssl->rec.type = *c; c++;
ssl->rec.majVer = *c; c++;
ssl->rec.minVer = *c; c++;
ssl->rec.len = *c << 8; c++;
ssl->rec.len += *c; c++;
} else {
ssl->rec.type = SSL_RECORD_TYPE_HANDSHAKE;
ssl->rec.majVer = 2;
ssl->rec.minVer = 0;
ssl->rec.len = (*c & 0x7f) << 8; c++;
ssl->rec.len += *c; c++;
}
/*
Validate the various record headers. The type must be valid,
the major and minor versions must match the negotiated versions (if we're
past ClientHello) and the length must be < 16K and > 0
*/
if (ssl->rec.type != SSL_RECORD_TYPE_CHANGE_CIPHER_SPEC &&
ssl->rec.type != SSL_RECORD_TYPE_ALERT &&
ssl->rec.type != SSL_RECORD_TYPE_HANDSHAKE &&
ssl->rec.type != SSL_RECORD_TYPE_APPLICATION_DATA) {
ssl->err = SSL_ALERT_UNEXPECTED_MESSAGE;
matrixIntDebugMsg("Record header type not valid: %d\n", ssl->rec.type);
goto encodeResponse;
}
/*
Verify the record version numbers unless this is the first record we're
reading.
*/
if (ssl->hsState != SSL_HS_SERVER_HELLO &&
ssl->hsState != SSL_HS_CLIENT_HELLO) {
if (ssl->rec.majVer != ssl->majVer || ssl->rec.minVer != ssl->minVer) {
ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
matrixStrDebugMsg("Record header version not valid\n", NULL);
goto encodeResponse;
}
}
/*
Verify max and min record lengths
*/
if (ssl->rec.len > SSL_MAX_RECORD_LEN || ssl->rec.len == 0) {
ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
matrixIntDebugMsg("Record header length not valid: %d\n", ssl->rec.len);
goto encodeResponse;
}
/*
This implementation requires the entire SSL record to be in the 'in' buffer
before we parse it. This is because we need to MAC the entire record before
allowing it to be used by the caller. The only alternative would be to
copy the partial record to an internal buffer, but that would require more
memory usage, which we're trying to keep low.
*/
if (end - c < ssl->rec.len) {
return SSL_PARTIAL;
}
/*
Make sure we have enough room to hold the decoded record
*/
if ((out->buf + out->size) - out->end < ssl->rec.len) {
return SSL_FULL;
}
/*
Decrypt the entire record contents. The record length should be
a multiple of block size, or decrypt will return an error
If we're still handshaking and sending plaintext, the decryption
callback will point to a null provider that passes the data unchanged
*/
if (ssl->decrypt(&ssl->sec.decryptCtx, c, out->end, ssl->rec.len) < 0) {
ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
goto encodeResponse;
}
c += ssl->rec.len;
/*
If we're reading a secure message, we need to validate the MAC and
padding (if using a block cipher). Insecure messages do not have
a trailing MAC or any padding.
SECURITY - There are several vulnerabilities in block cipher padding
that we handle in the below code. For more information see:
http://www.openssl.org/~bodo/tls-cbc.txt
*/
if (ssl->flags & SSL_FLAGS_READ_SECURE) {
/*
Verify the record is at least as big as the MAC
Start tracking MAC errors, rather then immediately catching them to
stop timing and alert description attacks that differentiate between
a padding error and a MAC error.
*/
if (ssl->rec.len < ssl->deMacSize) {
ssl->err = SSL_ALERT_BAD_RECORD_MAC;
matrixStrDebugMsg("Record length too short for MAC\n", NULL);
goto encodeResponse;
}
macError = 0;
/*
Decode padding only if blocksize is > 0 (we're using a block cipher),
otherwise no padding will be present, and the mac is the last
macSize bytes of the record.
*/
if (ssl->deBlockSize <= 1) {
mac = out->end + ssl->rec.len - ssl->deMacSize;
} else {
/*
Verify the pad data for block ciphers
c points within the cipher text, p points within the plaintext
The last byte of the record is the pad length
*/
p = out->end + ssl->rec.len;
padLen = *(p - 1);
/*
SSL3.0 requires the pad length to be less than blockSize
TLS can have a pad length up to 255 for obfuscating the data len
*/
if (ssl->majVer == SSL3_MAJ_VER && ssl->minVer == SSL3_MIN_VER &&
padLen >= ssl->deBlockSize) {
macError++;
}
/*
The minimum record length is the size of the mac, plus pad bytes
plus one length byte
*/
if (ssl->rec.len < ssl->deMacSize + padLen + 1) {
macError++;
}
/*
The mac starts macSize bytes before the padding and length byte.
If we have a macError, just fake the mac as the last macSize bytes
of the record, so we are sure to have enough bytes to verify
against, we'll fail anyway, so the actual contents don't matter.
*/
if (!macError) {
mac = p - padLen - 1 - ssl->deMacSize;
} else {
mac = out->end + ssl->rec.len - ssl->deMacSize;
}
}
/*
Verify the MAC of the message by calculating our own MAC of the message
and comparing it to the one in the message. We do this step regardless
of whether or not we've already set macError to stop timing attacks.
Clear the mac in the callers buffer if we're successful
*/
if (ssl->verifyMac(ssl, ssl->rec.type, out->end,
(int32)(mac - out->end), mac) < 0 || macError) {
ssl->err = SSL_ALERT_BAD_RECORD_MAC;
matrixStrDebugMsg("Couldn't verify MAC or pad of record data\n",
NULL);
goto encodeResponse;
}
memset(mac, 0x0, ssl->deMacSize);
/*
Record data starts at out->end and ends at mac
*/
p = out->end;
pend = mac;
} else {
/*
The record data is the entire record as there is no MAC or padding
*/
p = out->end;
pend = mac = out->end + ssl->rec.len;
}
/*
Check now for maximum plaintext length of 16kb. No appropriate
SSL alert for this
*/
if ((int32)(pend - p) > SSL_MAX_PLAINTEXT_LEN) {
ssl->err = SSL_ALERT_BAD_RECORD_MAC;
matrixStrDebugMsg("Record overflow\n", NULL);
goto encodeResponse;
}
/*
Take action based on the actual record type we're dealing with
'p' points to the start of the data, and 'pend' points to the end
*/
switch (ssl->rec.type) {
case SSL_RECORD_TYPE_CHANGE_CIPHER_SPEC:
/*
Body is single byte with value 1 to indicate that the next message
will be encrypted using the negotiated cipher suite
*/
if (pend - p < 1) {
ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
matrixStrDebugMsg("Invalid length for CipherSpec\n", NULL);
goto encodeResponse;
}
if (*p == 1) {
p++;
} else {
ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
matrixStrDebugMsg("Invalid value for CipherSpec\n", NULL);
goto encodeResponse;
}
/*
If we're expecting finished, then this is the right place to get
this record. It is really part of the handshake but it has its
own record type.
Activate the read cipher callbacks, so we will decrypt incoming
data from now on.
*/
if (ssl->hsState == SSL_HS_FINISHED) {
sslActivateReadCipher(ssl);
} else {
ssl->err = SSL_ALERT_UNEXPECTED_MESSAGE;
matrixIntDebugMsg("Invalid CipherSpec order: %d\n", ssl->hsState);
goto encodeResponse;
}
in->start = c;
goto decodeMore;
case SSL_RECORD_TYPE_ALERT:
/*
1 byte alert level (warning or fatal)
1 byte alert description corresponding to SSL_ALERT_*
*/
if (pend - p < 2) {
ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
matrixStrDebugMsg("Error in length of alert record\n", NULL);
goto encodeResponse;
}
*alertLevel = *p; p++;
*alertDescription = *p; p++;
/*
If the alert is fatal, or is a close message (usually a warning),
flag the session with ERROR so it cannot be used anymore.
Caller can decide whether or not to close on other warnings.
*/
if (*alertLevel == SSL_ALERT_LEVEL_FATAL) {
ssl->flags |= SSL_FLAGS_ERROR;
}
if (*alertDescription == SSL_ALERT_CLOSE_NOTIFY) {
ssl->flags |= SSL_FLAGS_CLOSED;
}
return SSL_ALERT;
case SSL_RECORD_TYPE_HANDSHAKE:
/*
We've got one or more handshake messages in the record data.
The handshake parsing function will take care of all messages
and return an error if there is any problem.
If there is a response to be sent (either a return handshake
or an error alert, send it). If the message was parsed, but no
response is needed, loop up and try to parse another message
*/
rc = parseSSLHandshake(ssl, (char*)p, (int32)(pend - p));
switch (rc) {
case SSL_SUCCESS:
in->start = c;
return SSL_SUCCESS;
case SSL_PROCESS_DATA:
in->start = c;
goto encodeResponse;
case SSL_ERROR:
if (ssl->err == SSL_ALERT_NONE) {
ssl->err = SSL_ALERT_HANDSHAKE_FAILURE;
}
goto encodeResponse;
}
break;
case SSL_RECORD_TYPE_APPLICATION_DATA:
/*
Data is in the out buffer, let user handle it
Don't allow application data until handshake is complete, and we are
secure. It is ok to let application data through on the client
if we are in the SERVER_HELLO state because this could mean that
the client has sent a CLIENT_HELLO message for a rehandshake
and is awaiting reply.
*/
if ((ssl->hsState != SSL_HS_DONE && ssl->hsState != SSL_HS_SERVER_HELLO)
|| !(ssl->flags & SSL_FLAGS_READ_SECURE)) {
ssl->err = SSL_ALERT_UNEXPECTED_MESSAGE;
matrixIntDebugMsg("Incomplete handshake: %d\n", ssl->hsState);
goto encodeResponse;
}
/*
SECURITY - If the mac is at the current out->end, then there is no data
in the record. These records are valid, but are usually not sent by
the application layer protocol. Rather, they are initiated within the
remote SSL protocol implementation to avoid some types of attacks when
using block ciphers. For more information see:
http://www.openssl.org/~bodo/tls-cbc.txt
We eat these records here rather than passing them on to the caller.
The rationale behind this is that if the caller's application protocol
is depending on zero length SSL messages, it will fail anyway if some of
those messages are initiated within the SSL protocol layer. Also
this clears up any confusion where the caller might interpret a zero
length read as an end of file (EOF) or would block (EWOULDBLOCK) type
scenario.
SECURITY - Looping back up and ignoring the message has the potential
for denial of service, because we are not changing the state of the
system in any way when processing these messages. To counteract this,
we maintain a counter that we share with other types of ignored messages
*/
in->start = c;
if (out->end == mac) {
if (ssl->ignoredMessageCount++ < SSL_MAX_IGNORED_MESSAGE_COUNT) {
goto decodeMore;
}
ssl->err = SSL_ALERT_UNEXPECTED_MESSAGE;
matrixIntDebugMsg("Exceeded limit on ignored messages: %d\n",
SSL_MAX_IGNORED_MESSAGE_COUNT);
goto encodeResponse;
}
if (ssl->ignoredMessageCount > 0) {
ssl->ignoredMessageCount--;
}
out->end = mac;
return SSL_PROCESS_DATA;
}
/*
Should not get here
*/
matrixIntDebugMsg("Invalid record type in matrixSslDecode: %d\n",
ssl->rec.type);
return SSL_ERROR;
encodeResponse:
/*
We decoded a record that needs a response, either a handshake response
or an alert if we've detected an error.
SECURITY - Clear the decoded incoming record from outbuf before encoding
the response into outbuf. rec.len could be invalid, clear the minimum
of rec.len and remaining outbuf size
*/
rc = min (ssl->rec.len, (int32)((out->buf + out->size) - out->end));
if (rc > 0) {
memset(out->end, 0x0, rc);
}
if (ssl->hsState == SSL_HS_HELLO_REQUEST) {
/*
Don't clear the session info. If receiving a HELLO_REQUEST from a
MatrixSSL enabled server the determination on whether to reuse the
session is made on that side, so always send the current session
*/
rc = matrixSslEncodeClientHello(ssl, out, ssl->cipher->id);
} else {
rc = sslEncodeResponse(ssl, out);
}
if (rc == SSL_SUCCESS) {
if (ssl->err != SSL_ALERT_NONE) {
*error = (unsigned char)ssl->err;
ssl->flags |= SSL_FLAGS_ERROR;
return SSL_ERROR;
}
return SSL_SEND_RESPONSE;
}
if (rc == SSL_FULL) {
ssl->flags |= SSL_FLAGS_NEED_ENCODE;
return SSL_FULL;
}
return SSL_ERROR;
}
/*
New SSL protocol context
This structure is associated with a single SSL connection. Each socket
using SSL should be associated with a new SSL context.
certBuf and privKey ARE NOT duplicated within the server context, in order
to minimize memory usage with multiple simultaneous requests. They must
not be deleted by caller until all server contexts using them are deleted.
*/
int32 matrixSslNewSession(ssl_t **ssl, sslKeys_t *keys, sslSessionId_t *session,
int32 flags)
{
psPool_t *pool = NULL;
ssl_t *lssl;
/*
First API level chance to make sure a user is not attempting to use
client or server support that was not built into this library compile
*/
#ifndef USE_SERVER_SIDE_SSL
if (flags & SSL_FLAGS_SERVER) {
matrixStrDebugMsg("MatrixSSL lib not compiled with server support\n",
NULL);
return -1;
}
#endif
#ifndef USE_CLIENT_SIDE_SSL
if (!(flags & SSL_FLAGS_SERVER)) {
matrixStrDebugMsg("MatrixSSL lib not compiled with client support\n",
NULL);
return -1;
}
#endif
if (flags & SSL_FLAGS_CLIENT_AUTH) {
matrixStrDebugMsg("MatrixSSL lib not compiled with client " \
"authentication support\n", NULL);
return -1;
}
if (flags & SSL_FLAGS_SERVER) {
if (keys == NULL) {
matrixStrDebugMsg("NULL keys in matrixSslNewSession\n", NULL);
return -1;
}
if (session != NULL) {
matrixStrDebugMsg("Server session must be NULL\n", NULL);
return -1;
}
}
*ssl = lssl = psMalloc(pool, sizeof(ssl_t));
if (lssl == NULL) {
return SSL_MEM_ERROR;
}
memset(lssl, 0x0, sizeof(ssl_t));
lssl->pool = pool;
lssl->cipher = sslGetCipherSpec(SSL_NULL_WITH_NULL_NULL);
sslActivateReadCipher(lssl);
sslActivateWriteCipher(lssl);
sslActivatePublicCipher(lssl);
lssl->recordHeadLen = SSL3_HEADER_LEN;
lssl->hshakeHeadLen = SSL3_HANDSHAKE_HEADER_LEN;
if (flags & SSL_FLAGS_SERVER) {
lssl->flags |= SSL_FLAGS_SERVER;
/*
Client auth can only be requested by server, not set by client
*/
if (flags & SSL_FLAGS_CLIENT_AUTH) {
lssl->flags |= SSL_FLAGS_CLIENT_AUTH;
}
lssl->hsState = SSL_HS_CLIENT_HELLO;
} else {
/*
Client is first to set protocol version information based on
compile and/or the 'flags' parameter so header information in
the handshake messages will be correctly set.
*/
lssl->majVer = SSL3_MAJ_VER;
lssl->minVer = SSL3_MIN_VER;
lssl->hsState = SSL_HS_SERVER_HELLO;
if (session != NULL && session->cipherId != SSL_NULL_WITH_NULL_NULL) {
lssl->cipher = sslGetCipherSpec(session->cipherId);
if (lssl->cipher == NULL) {
matrixStrDebugMsg("Invalid session id to matrixSslNewSession\n",
NULL);
} else {
memcpy(lssl->sec.masterSecret, session->masterSecret,
SSL_HS_MASTER_SIZE);
lssl->sessionIdLen = SSL_MAX_SESSION_ID_SIZE;
memcpy(lssl->sessionId, session->id, SSL_MAX_SESSION_ID_SIZE);
}
}
}
lssl->err = SSL_ALERT_NONE;
lssl->keys = keys;
return 0;
}
/*
New SSL protocol context
This structure is associated with a single SSL connection. Each socket
using SSL should be associated with a new SSL context.
certBuf and privKey ARE NOT duplicated within the server context, in order
to minimize memory usage with multiple simultaneous requests. They must
not be deleted by caller until all server contexts using them are deleted.
*/
int32 matrixSslNewSession(ssl_t **ssl, sslKeys_t *keys, sslSessionId_t *session,
int32 flags)
{
psPool_t *pool = NULL;
ssl_t *lssl;
/*
First API level chance to make sure a user is not attempting to use
client or server support that was not built into this library compile
*/
#ifndef USE_SERVER_SIDE_SSL
if (flags & SSL_FLAGS_SERVER) {
psTraceInfo("SSL_FLAGS_SERVER passed to matrixSslNewSession but MatrixSSL lib was not compiled with server support\n");
return PS_ARG_FAIL;
}
#endif
#ifndef USE_CLIENT_SIDE_SSL
if (!(flags & SSL_FLAGS_SERVER)) {
psTraceInfo("SSL_FLAGS_SERVER was not passed to matrixSslNewSession but MatrixSSL was not compiled with client support\n");
return PS_ARG_FAIL;
}
#endif
if (flags & SSL_FLAGS_CLIENT_AUTH) {
psTraceInfo("SSL_FLAGS_CLIENT_AUTH passed to matrixSslNewSession but MatrixSSL was not compiled with USE_CLIENT_AUTH enabled\n");
return PS_ARG_FAIL;
}
if (flags & SSL_FLAGS_SERVER) {
if (keys == NULL) {
psTraceInfo("NULL keys parameter passed to matrixSslNewSession\n");
return PS_ARG_FAIL;
}
if (session != NULL) {
psTraceInfo("Ignoring session parameter to matrixSslNewSession\n");
}
}
*ssl = lssl = psMalloc(pool, sizeof(ssl_t));
if (lssl == NULL) {
psTraceInfo("Out of memory for ssl_t in matrixSslNewSession\n");
return PS_MEM_FAIL;
}
memset(lssl, 0x0, sizeof(ssl_t));
/*
Data buffers
*/
lssl->outsize = SSL_DEFAULT_OUT_BUF_SIZE;
lssl->outbuf = psMalloc(MATRIX_NO_POOL, lssl->outsize);
if (lssl->outbuf == NULL) {
psTraceInfo("Out of memory for outbuf in matrixSslNewSession\n");
psFree(lssl);
return PS_MEM_FAIL;
}
lssl->insize = SSL_DEFAULT_IN_BUF_SIZE;
lssl->inbuf = psMalloc(MATRIX_NO_POOL, lssl->insize);
if (lssl->inbuf == NULL) {
psTraceInfo("Out of memory for inbuf in matrixSslNewSession\n");
psFree(lssl->outbuf);
psFree(lssl);
return PS_MEM_FAIL;
}
lssl->sPool = pool;
lssl->keys = keys;
lssl->cipher = sslGetCipherSpec(lssl, SSL_NULL_WITH_NULL_NULL);
sslActivateReadCipher(lssl);
sslActivateWriteCipher(lssl);
lssl->recordHeadLen = SSL3_HEADER_LEN;
lssl->hshakeHeadLen = SSL3_HANDSHAKE_HEADER_LEN;
if (flags & SSL_FLAGS_SERVER) {
lssl->flags |= SSL_FLAGS_SERVER;
/*
Client auth can only be requested by server, not set by client
*/
if (flags & SSL_FLAGS_CLIENT_AUTH) {
lssl->flags |= SSL_FLAGS_CLIENT_AUTH;
}
lssl->hsState = SSL_HS_CLIENT_HELLO;
} else {
/*
Client is first to set protocol version information based on
compile and/or the 'flags' parameter so header information in
the handshake messages will be correctly set.
*/
#ifdef USE_TLS
#ifndef DISABLE_TLS_1_0
lssl->majVer = TLS_MAJ_VER;
lssl->minVer = TLS_MIN_VER;
#endif
#if defined(USE_TLS_1_1) && !defined(DISABLE_TLS_1_1)
lssl->majVer = TLS_MAJ_VER;
lssl->minVer = TLS_1_1_MIN_VER;
lssl->flags |= SSL_FLAGS_TLS_1_1;
#endif /* USE_TLS_1_1 */
if (lssl->majVer == 0) {
/* USE_TLS enabled but all DISABLE_TLS versions are enabled so
use SSLv3. Compile time tests would catch if no versions are
enabled at all */
lssl->majVer = SSL3_MAJ_VER;
lssl->minVer = SSL3_MIN_VER;
} else {
lssl->flags |= SSL_FLAGS_TLS;
}
#else /* USE_TLS */
lssl->majVer = SSL3_MAJ_VER;
lssl->minVer = SSL3_MIN_VER;
#endif /* USE_TLS */
lssl->hsState = SSL_HS_SERVER_HELLO;
if (session != NULL && session->cipherId != SSL_NULL_WITH_NULL_NULL) {
lssl->cipher = sslGetCipherSpec(lssl, session->cipherId);
if (lssl->cipher == NULL) {
psTraceInfo("Invalid session id to matrixSslNewSession\n");
} else {
memcpy(lssl->sec.masterSecret, session->masterSecret,
SSL_HS_MASTER_SIZE);
lssl->sessionIdLen = SSL_MAX_SESSION_ID_SIZE;
memcpy(lssl->sessionId, session->id, SSL_MAX_SESSION_ID_SIZE);
}
}
lssl->sid = session;
}
lssl->err = SSL_ALERT_NONE;
return PS_SUCCESS;
}
