Crypt-MatrixSSL
view release on metacpan or search on metacpan
matrixssl-1-8-6-open/src/sslDecode.c view on Meta::CPAN
return SSL_PARTIAL;
}
ssl->rec.type = *c; c++;
ssl->rec.majVer = *c; c++;
ssl->rec.minVer = *c; c++;
ssl->rec.len = *c << 8; c++;
ssl->rec.len += *c; c++;
} else {
ssl->rec.type = SSL_RECORD_TYPE_HANDSHAKE;
ssl->rec.majVer = 2;
ssl->rec.minVer = 0;
ssl->rec.len = (*c & 0x7f) << 8; c++;
ssl->rec.len += *c; c++;
}
/*
Validate the various record headers. The type must be valid,
the major and minor versions must match the negotiated versions (if we're
past ClientHello) and the length must be < 16K and > 0
*/
if (ssl->rec.type != SSL_RECORD_TYPE_CHANGE_CIPHER_SPEC &&
ssl->rec.type != SSL_RECORD_TYPE_ALERT &&
ssl->rec.type != SSL_RECORD_TYPE_HANDSHAKE &&
ssl->rec.type != SSL_RECORD_TYPE_APPLICATION_DATA) {
ssl->err = SSL_ALERT_UNEXPECTED_MESSAGE;
matrixIntDebugMsg("Record header type not valid: %d\n", ssl->rec.type);
goto encodeResponse;
}
/*
Verify the record version numbers unless this is the first record we're
reading.
*/
if (ssl->hsState != SSL_HS_SERVER_HELLO &&
ssl->hsState != SSL_HS_CLIENT_HELLO) {
if (ssl->rec.majVer != ssl->majVer || ssl->rec.minVer != ssl->minVer) {
ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
matrixStrDebugMsg("Record header version not valid\n", NULL);
goto encodeResponse;
}
}
/*
Verify max and min record lengths
*/
if (ssl->rec.len > SSL_MAX_RECORD_LEN || ssl->rec.len == 0) {
ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
matrixIntDebugMsg("Record header length not valid: %d\n", ssl->rec.len);
goto encodeResponse;
}
/*
This implementation requires the entire SSL record to be in the 'in' buffer
before we parse it. This is because we need to MAC the entire record before
allowing it to be used by the caller. The only alternative would be to
copy the partial record to an internal buffer, but that would require more
memory usage, which we're trying to keep low.
*/
if (end - c < ssl->rec.len) {
return SSL_PARTIAL;
}
/*
Make sure we have enough room to hold the decoded record
*/
if ((out->buf + out->size) - out->end < ssl->rec.len) {
return SSL_FULL;
}
/*
Decrypt the entire record contents. The record length should be
a multiple of block size, or decrypt will return an error
If we're still handshaking and sending plaintext, the decryption
callback will point to a null provider that passes the data unchanged
*/
if (ssl->decrypt(&ssl->sec.decryptCtx, c, out->end, ssl->rec.len) < 0) {
ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
goto encodeResponse;
}
c += ssl->rec.len;
/*
If we're reading a secure message, we need to validate the MAC and
padding (if using a block cipher). Insecure messages do not have
a trailing MAC or any padding.
SECURITY - There are several vulnerabilities in block cipher padding
that we handle in the below code. For more information see:
http://www.openssl.org/~bodo/tls-cbc.txt
*/
if (ssl->flags & SSL_FLAGS_READ_SECURE) {
/*
Verify the record is at least as big as the MAC
Start tracking MAC errors, rather then immediately catching them to
stop timing and alert description attacks that differentiate between
a padding error and a MAC error.
*/
if (ssl->rec.len < ssl->deMacSize) {
ssl->err = SSL_ALERT_BAD_RECORD_MAC;
matrixStrDebugMsg("Record length too short for MAC\n", NULL);
goto encodeResponse;
}
macError = 0;
/*
Decode padding only if blocksize is > 0 (we're using a block cipher),
otherwise no padding will be present, and the mac is the last
macSize bytes of the record.
*/
if (ssl->deBlockSize <= 1) {
mac = out->end + ssl->rec.len - ssl->deMacSize;
} else {
/*
Verify the pad data for block ciphers
c points within the cipher text, p points within the plaintext
The last byte of the record is the pad length
*/
p = out->end + ssl->rec.len;
padLen = *(p - 1);
/*
SSL3.0 requires the pad length to be less than blockSize
TLS can have a pad length up to 255 for obfuscating the data len
*/
if (ssl->majVer == SSL3_MAJ_VER && ssl->minVer == SSL3_MIN_VER &&
padLen >= ssl->deBlockSize) {
macError++;
matrixssl-1-8-6-open/src/sslDecode.c view on Meta::CPAN
/*
Data is in the out buffer, let user handle it
Don't allow application data until handshake is complete, and we are
secure. It is ok to let application data through on the client
if we are in the SERVER_HELLO state because this could mean that
the client has sent a CLIENT_HELLO message for a rehandshake
and is awaiting reply.
*/
if ((ssl->hsState != SSL_HS_DONE && ssl->hsState != SSL_HS_SERVER_HELLO)
|| !(ssl->flags & SSL_FLAGS_READ_SECURE)) {
ssl->err = SSL_ALERT_UNEXPECTED_MESSAGE;
matrixIntDebugMsg("Incomplete handshake: %d\n", ssl->hsState);
goto encodeResponse;
}
/*
SECURITY - If the mac is at the current out->end, then there is no data
in the record. These records are valid, but are usually not sent by
the application layer protocol. Rather, they are initiated within the
remote SSL protocol implementation to avoid some types of attacks when
using block ciphers. For more information see:
http://www.openssl.org/~bodo/tls-cbc.txt
We eat these records here rather than passing them on to the caller.
The rationale behind this is that if the caller's application protocol
is depending on zero length SSL messages, it will fail anyway if some of
those messages are initiated within the SSL protocol layer. Also
this clears up any confusion where the caller might interpret a zero
length read as an end of file (EOF) or would block (EWOULDBLOCK) type
scenario.
SECURITY - Looping back up and ignoring the message has the potential
for denial of service, because we are not changing the state of the
system in any way when processing these messages. To counteract this,
we maintain a counter that we share with other types of ignored messages
*/
in->start = c;
if (out->end == mac) {
if (ssl->ignoredMessageCount++ < SSL_MAX_IGNORED_MESSAGE_COUNT) {
goto decodeMore;
}
ssl->err = SSL_ALERT_UNEXPECTED_MESSAGE;
matrixIntDebugMsg("Exceeded limit on ignored messages: %d\n",
SSL_MAX_IGNORED_MESSAGE_COUNT);
goto encodeResponse;
}
if (ssl->ignoredMessageCount > 0) {
ssl->ignoredMessageCount--;
}
out->end = mac;
return SSL_PROCESS_DATA;
}
/*
Should not get here
*/
matrixIntDebugMsg("Invalid record type in matrixSslDecode: %d\n",
ssl->rec.type);
return SSL_ERROR;
encodeResponse:
/*
We decoded a record that needs a response, either a handshake response
or an alert if we've detected an error.
SECURITY - Clear the decoded incoming record from outbuf before encoding
the response into outbuf. rec.len could be invalid, clear the minimum
of rec.len and remaining outbuf size
*/
rc = min (ssl->rec.len, (int32)((out->buf + out->size) - out->end));
if (rc > 0) {
memset(out->end, 0x0, rc);
}
if (ssl->hsState == SSL_HS_HELLO_REQUEST) {
/*
Don't clear the session info. If receiving a HELLO_REQUEST from a
MatrixSSL enabled server the determination on whether to reuse the
session is made on that side, so always send the current session
*/
rc = matrixSslEncodeClientHello(ssl, out, ssl->cipher->id);
} else {
rc = sslEncodeResponse(ssl, out);
}
if (rc == SSL_SUCCESS) {
if (ssl->err != SSL_ALERT_NONE) {
*error = (unsigned char)ssl->err;
ssl->flags |= SSL_FLAGS_ERROR;
return SSL_ERROR;
}
return SSL_SEND_RESPONSE;
}
if (rc == SSL_FULL) {
ssl->flags |= SSL_FLAGS_NEED_ENCODE;
return SSL_FULL;
}
return SSL_ERROR;
}
/******************************************************************************/
/*
The workhorse for parsing handshake messages. Also enforces the state
machine for proper ordering of handshake messages.
Parameters:
ssl - ssl context
inbuf - buffer to read handshake message from
len - data length for the current ssl record. The ssl record
can contain multiple handshake messages, so we may need to parse
them all here.
Return:
SSL_SUCCESS
SSL_PROCESS_DATA
SSL_ERROR - see ssl->err for details
*/
static int32 parseSSLHandshake(ssl_t *ssl, char *inbuf, int32 len)
{
unsigned char *c;
unsigned char *end;
unsigned char hsType;
int32 i, hsLen, rc, parseLen = 0;
uint32 cipher = 0;
unsigned char hsMsgHash[SSL_MD5_HASH_SIZE + SSL_SHA1_HASH_SIZE];
#ifdef USE_SERVER_SIDE_SSL
unsigned char *p;
int32 suiteLen, challengeLen, pubKeyLen, extLen;
#endif /* USE_SERVER_SIDE_SSL */
( run in 0.502 second using v1.01-cache-2.11-cpan-ceb78f64989 )