Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : /* Use usleep */
17 : : #define _XOPEN_SOURCE 500
18 : : #include <errno.h>
19 : : #include <unistd.h>
20 : :
21 : : #include "api/s2n.h"
22 : : #include "error/s2n_errno.h"
23 : : #include "stuffer/s2n_stuffer.h"
24 : : #include "tls/s2n_alerts.h"
25 : : #include "tls/s2n_connection.h"
26 : : #include "tls/s2n_handshake.h"
27 : : #include "tls/s2n_ktls.h"
28 : : #include "tls/s2n_post_handshake.h"
29 : : #include "tls/s2n_record.h"
30 : : #include "tls/s2n_resume.h"
31 : : #include "tls/s2n_tls.h"
32 : : #include "utils/s2n_blob.h"
33 : : #include "utils/s2n_io.h"
34 : : #include "utils/s2n_safety.h"
35 : :
36 : : S2N_RESULT s2n_recv_in_init(struct s2n_connection *conn, uint32_t written, uint32_t total)
37 : 358828 : {
38 [ # # ][ - + ]: 358828 : RESULT_ENSURE_REF(conn);
39 : :
40 : : /* If we're going to initialize conn->in to point to more memory than
41 : : * is actually readable, make sure that the additional memory exists.
42 : : */
43 [ # # ][ - + ]: 358828 : RESULT_ENSURE_LTE(written, total);
44 : 358828 : uint32_t remaining = total - written;
45 [ - + ][ # # ]: 358828 : RESULT_ENSURE_LTE(remaining, s2n_stuffer_space_remaining(&conn->buffer_in));
46 : :
47 : 358828 : uint8_t *data = s2n_stuffer_raw_read(&conn->buffer_in, written);
48 [ - + ][ # # ]: 358828 : RESULT_ENSURE_REF(data);
49 [ - + ]: 358828 : RESULT_GUARD_POSIX(s2n_stuffer_free(&conn->in));
50 [ - + ]: 358828 : RESULT_GUARD_POSIX(s2n_blob_init(&conn->in.blob, data, total));
51 [ - + ]: 358828 : RESULT_GUARD_POSIX(s2n_stuffer_skip_write(&conn->in, written));
52 : 358828 : return S2N_RESULT_OK;
53 : 358828 : }
54 : :
55 : : S2N_RESULT s2n_read_in_bytes(struct s2n_connection *conn, struct s2n_stuffer *output, uint32_t length)
56 : 831966 : {
57 [ + + ]: 1416510 : while (s2n_stuffer_data_available(output) < length) {
58 : 930634 : uint32_t remaining = length - s2n_stuffer_data_available(output);
59 [ + + ]: 930634 : if (conn->recv_buffering) {
60 [ + + ]: 606 : remaining = S2N_MAX(remaining, s2n_stuffer_space_remaining(output));
61 : 606 : }
62 : 930634 : errno = 0;
63 : 930634 : int r = s2n_connection_recv_stuffer(output, conn, remaining);
64 [ + + ]: 930634 : if (r == 0) {
65 : 6 : s2n_atomic_flag_set(&conn->read_closed);
66 : 6 : }
67 [ + + ]: 930634 : RESULT_GUARD(s2n_io_check_read_result(r));
68 : 584544 : conn->wire_bytes_in += r;
69 : 584544 : }
70 : :
71 : 485876 : return S2N_RESULT_OK;
72 : 831966 : }
73 : :
74 : : static S2N_RESULT s2n_recv_buffer_in(struct s2n_connection *conn, size_t min_size)
75 : 832714 : {
76 [ - + ]: 832714 : RESULT_GUARD_POSIX(s2n_stuffer_resize_if_empty(&conn->buffer_in, S2N_LARGE_FRAGMENT_LENGTH));
77 : 832714 : uint32_t buffer_in_available = s2n_stuffer_data_available(&conn->buffer_in);
78 [ + + ]: 832714 : if (buffer_in_available < min_size) {
79 : 831501 : uint32_t remaining = min_size - buffer_in_available;
80 [ + + ]: 831501 : if (s2n_stuffer_space_remaining(&conn->buffer_in) < remaining) {
81 [ - + ]: 502 : RESULT_GUARD_POSIX(s2n_stuffer_shift(&conn->buffer_in));
82 : 502 : }
83 [ + + ]: 831501 : RESULT_GUARD(s2n_read_in_bytes(conn, &conn->buffer_in, min_size));
84 : 831501 : }
85 : 486681 : return S2N_RESULT_OK;
86 : 832714 : }
87 : :
88 : : int s2n_read_full_record(struct s2n_connection *conn, uint8_t *record_type, int *isSSLv2)
89 : 627814 : {
90 : 627814 : *isSSLv2 = 0;
91 : :
92 [ + + ]: 627814 : if (conn->ktls_recv_enabled) {
93 : 22 : return s2n_ktls_read_full_record(conn, record_type);
94 : 22 : }
95 : :
96 : : /* If the record has already been decrypted, then leave it alone */
97 [ + + ]: 627792 : if (conn->in_status == PLAINTEXT) {
98 : : /* Only application data packets count as plaintext */
99 : 35237 : *record_type = TLS_APPLICATION_DATA;
100 : 35237 : return S2N_SUCCESS;
101 : 35237 : }
102 : :
103 : : /* Read the record until we at least have a header */
104 [ - + ]: 592555 : POSIX_GUARD(s2n_stuffer_reread(&conn->header_in));
105 : 592555 : uint32_t header_available = s2n_stuffer_data_available(&conn->header_in);
106 [ + + ]: 592555 : if (header_available < S2N_TLS_RECORD_HEADER_LENGTH) {
107 : 474196 : uint32_t header_remaining = S2N_TLS_RECORD_HEADER_LENGTH - header_available;
108 : 474196 : s2n_result ret = s2n_recv_buffer_in(conn, header_remaining);
109 [ + + ]: 474196 : uint32_t header_read = S2N_MIN(header_remaining, s2n_stuffer_data_available(&conn->buffer_in));
110 [ - + ]: 474196 : POSIX_GUARD(s2n_stuffer_copy(&conn->buffer_in, &conn->header_in, header_read));
111 [ + + ]: 474196 : POSIX_GUARD_RESULT(ret);
112 : 474196 : }
113 : :
114 : 361700 : uint16_t fragment_length = 0;
115 : :
116 : : /* If the first bit is set then this is an SSLv2 record */
117 [ + + ]: 361700 : if (conn->header_in.blob.data[0] & S2N_TLS_SSLV2_HEADER_FLAG) {
118 : 179 : *isSSLv2 = 1;
119 [ - + ][ + - ]: 179 : WITH_ERROR_BLINDING(conn, POSIX_GUARD(s2n_sslv2_record_header_parse(conn, record_type, &conn->client_hello.legacy_version, &fragment_length)));
120 : 361521 : } else {
121 [ + + ][ + - ]: 361521 : WITH_ERROR_BLINDING(conn, POSIX_GUARD(s2n_record_header_parse(conn, record_type, &fragment_length)));
122 : 361521 : }
123 : :
124 : : /* Read enough to have the whole record */
125 : 361699 : uint32_t fragment_available = s2n_stuffer_data_available(&conn->in);
126 [ + + ][ + + ]: 361699 : if (fragment_available < fragment_length || fragment_length == 0) {
127 [ - + ]: 358518 : POSIX_GUARD(s2n_stuffer_rewind_read(&conn->buffer_in, fragment_available));
128 : 358518 : s2n_result ret = s2n_recv_buffer_in(conn, fragment_length);
129 [ + + ]: 358518 : uint32_t fragment_read = S2N_MIN(fragment_length, s2n_stuffer_data_available(&conn->buffer_in));
130 [ - + ]: 358518 : POSIX_GUARD_RESULT(s2n_recv_in_init(conn, fragment_read, fragment_length));
131 [ + + ]: 358518 : POSIX_GUARD_RESULT(ret);
132 : 358518 : }
133 : :
134 [ + + ]: 246521 : if (*isSSLv2) {
135 : 3 : return 0;
136 : 3 : }
137 : :
138 : : /* Decrypt and parse the record */
139 [ + + ]: 246518 : if (s2n_early_data_is_trial_decryption_allowed(conn, *record_type)) {
140 [ + + ][ + - ]: 987 : POSIX_ENSURE(s2n_record_parse(conn) >= S2N_SUCCESS, S2N_ERR_EARLY_DATA_TRIAL_DECRYPT);
141 : 245531 : } else {
142 [ + + ][ + - ]: 245531 : WITH_ERROR_BLINDING(conn, POSIX_GUARD(s2n_record_parse(conn)));
143 : 245531 : }
144 : :
145 : : /* In TLS 1.3, encrypted handshake records would appear to be of record type
146 : : * TLS_APPLICATION_DATA. The actual record content type is found after the encrypted
147 : : * is decrypted.
148 : : */
149 [ + + ][ + + ]: 245103 : if (conn->actual_protocol_version == S2N_TLS13 && *record_type == TLS_APPLICATION_DATA) {
150 [ - + ]: 69185 : POSIX_GUARD(s2n_tls13_parse_record_type(&conn->in, record_type));
151 : 69185 : }
152 : :
153 : 245103 : return 0;
154 : 245103 : }
155 : :
156 : : ssize_t s2n_recv_impl(struct s2n_connection *conn, void *buf, ssize_t size_signed, s2n_blocked_status *blocked)
157 : 419928 : {
158 [ - + ][ # # ]: 419928 : POSIX_ENSURE_GTE(size_signed, 0);
159 : 419928 : size_t size = size_signed;
160 : 419928 : ssize_t bytes_read = 0;
161 : 419928 : struct s2n_blob out = { 0 };
162 [ - + ]: 419928 : POSIX_GUARD(s2n_blob_init(&out, (uint8_t *) buf, 0));
163 : :
164 : : /*
165 : : * Set the `blocked` status to BLOCKED_ON_READ by default
166 : : *
167 : : * The only case in which it should be updated is on a successful read into the provided buffer.
168 : : *
169 : : * Unfortunately, the current `blocked` behavior has become ossified by buggy applications that ignore
170 : : * error types and only read `blocked`. As such, it's very important to avoid changing how this value is updated
171 : : * as it could break applications.
172 : : */
173 : 419928 : *blocked = S2N_BLOCKED_ON_READ;
174 : :
175 [ + + ]: 419928 : if (!s2n_connection_check_io_status(conn, S2N_IO_READABLE)) {
176 : : /*
177 : : *= https://www.rfc-editor.org/rfc/rfc8446#6.1
178 : : *# If a transport-level close
179 : : *# is received prior to a "close_notify", the receiver cannot know that
180 : : *# all the data that was sent has been received.
181 : : *
182 : : *= https://www.rfc-editor.org/rfc/rfc8446#6.1
183 : : *# If the application protocol using TLS provides that any data may be
184 : : *# carried over the underlying transport after the TLS connection is
185 : : *# closed, the TLS implementation MUST receive a "close_notify" alert
186 : : *# before indicating end-of-data to the application layer.
187 : : */
188 [ + + ][ + - ]: 1555 : POSIX_ENSURE(s2n_atomic_flag_test(&conn->close_notify_received), S2N_ERR_CLOSED);
189 : 31 : *blocked = S2N_NOT_BLOCKED;
190 : 31 : return 0;
191 : 1555 : }
192 : :
193 [ + + ][ + - ]: 418373 : POSIX_ENSURE(!s2n_connection_is_quic_enabled(conn), S2N_ERR_UNSUPPORTED_WITH_QUIC);
194 [ + + ]: 418372 : POSIX_GUARD_RESULT(s2n_early_data_validate_recv(conn));
195 : :
196 [ + + ][ + + ]: 445682 : while (size && s2n_connection_check_io_status(conn, S2N_IO_READABLE)) {
197 : 437892 : int isSSLv2 = 0;
198 : 437892 : uint8_t record_type = 0;
199 : 437892 : int r = s2n_read_full_record(conn, &record_type, &isSSLv2);
200 [ + + ]: 437892 : if (r < 0) {
201 : : /* Don't propagate the error if we already read some bytes. */
202 [ + + ][ + + ]: 229786 : if (bytes_read && (s2n_errno == S2N_ERR_CLOSED || s2n_errno == S2N_ERR_IO_BLOCKED)) {
[ + - ]
203 : 285 : break;
204 : 285 : }
205 : :
206 : : /* If we get here, it's an error condition.
207 : : * For stateful resumption, invalidate the session on error to prevent resumption with
208 : : * potentially corrupted session state. This ensures that a bad session state does not
209 : : * lead to repeated failures during resumption attempts.
210 : : */
211 [ + + ][ - + ]: 229501 : if (s2n_errno != S2N_ERR_IO_BLOCKED && s2n_allowed_to_cache_connection(conn) && conn->session_id_len) {
[ # # ]
212 : 0 : conn->config->cache_delete(conn, conn->config->cache_delete_data, conn->session_id, conn->session_id_len);
213 : 0 : }
214 : :
215 : 229501 : S2N_ERROR_PRESERVE_ERRNO();
216 : 229501 : }
217 : :
218 [ - + ][ # # ]: 208106 : S2N_ERROR_IF(isSSLv2, S2N_ERR_BAD_MESSAGE);
219 : :
220 [ + + ]: 208106 : if (record_type != TLS_HANDSHAKE) {
221 : : /*
222 : : *= https://www.rfc-editor.org/rfc/rfc8446#section-5.1
223 : : *# - Handshake messages MUST NOT be interleaved with other record
224 : : *# types. That is, if a handshake message is split over two or more
225 : : *# records, there MUST NOT be any other records between them.
226 : : */
227 [ + + ][ + - ]: 183424 : POSIX_ENSURE(s2n_stuffer_is_wiped(&conn->post_handshake.in), S2N_ERR_BAD_MESSAGE);
228 : :
229 : : /* If not handling a handshake message, free the post-handshake memory.
230 : : * Post-handshake messages are infrequent enough that we don't want to
231 : : * keep a potentially large buffer around unnecessarily.
232 : : */
233 [ + + ]: 183422 : if (!s2n_stuffer_is_freed(&conn->post_handshake.in)) {
234 [ - + ]: 1009 : POSIX_GUARD(s2n_stuffer_free(&conn->post_handshake.in));
235 : 1009 : }
236 : 183422 : }
237 : :
238 [ + + ]: 208104 : if (record_type != TLS_APPLICATION_DATA) {
239 [ + + ]: 26203 : switch (record_type) {
240 [ + + ]: 1520 : case TLS_ALERT:
241 [ + + ]: 1520 : POSIX_GUARD(s2n_process_alert_fragment(conn));
242 : 13 : break;
243 [ + + ]: 24682 : case TLS_HANDSHAKE: {
244 : 24682 : s2n_result result = s2n_post_handshake_recv(conn);
245 : : /* Ignore any errors due to insufficient input data from io.
246 : : * The next iteration of this loop will attempt to read more input data.
247 : : */
248 [ + + ][ + + ]: 24682 : if (s2n_result_is_error(result) && s2n_errno != S2N_ERR_IO_BLOCKED) {
249 [ + - ][ # # ]: 41 : WITH_ERROR_BLINDING(conn, POSIX_GUARD_RESULT(result));
250 : 41 : }
251 : 24641 : break;
252 : 24682 : }
253 : 26203 : }
254 [ - + ]: 24655 : POSIX_GUARD_RESULT(s2n_record_wipe(conn));
255 : 24655 : continue;
256 : 24655 : }
257 : :
258 [ + + ]: 181901 : out.size = S2N_MIN(size, s2n_stuffer_data_available(&conn->in));
259 : :
260 [ - + ]: 181901 : POSIX_GUARD(s2n_stuffer_erase_and_read(&conn->in, &out));
261 : 181901 : bytes_read += out.size;
262 : :
263 : 181901 : out.data += out.size;
264 : 181901 : size -= out.size;
265 : :
266 : : /* Are we ready for more encrypted data? */
267 [ + + ]: 181901 : if (s2n_stuffer_data_available(&conn->in) == 0) {
268 [ - + ]: 146741 : POSIX_GUARD_RESULT(s2n_record_wipe(conn));
269 : 146741 : }
270 : :
271 : : /* If we've read some data, return it in legacy mode */
272 [ + - ][ + + ]: 181901 : if (bytes_read && !conn->config->recv_multi_record) {
273 : 179242 : break;
274 : 179242 : }
275 : 181901 : }
276 : :
277 : : /* Due to the history of this API, some applications depend on the blocked status to know if
278 : : * the connection's `in` stuffer was completely cleared. This behavior needs to be preserved.
279 : : *
280 : : * Moving forward, applications should instead use `s2n_peek`, which accomplishes the same thing
281 : : * without conflating being blocked on reading from the OS socket vs blocked on the application's
282 : : * buffer size.
283 : : */
284 [ + + ]: 187317 : if (s2n_stuffer_data_available(&conn->in) == 0) {
285 : 152155 : *blocked = S2N_NOT_BLOCKED;
286 : 152155 : }
287 : :
288 : 187317 : return bytes_read;
289 : 418368 : }
290 : :
291 : : ssize_t s2n_recv(struct s2n_connection *conn, void *buf, ssize_t size, s2n_blocked_status *blocked)
292 : 419930 : {
293 [ # # ][ - + ]: 419930 : POSIX_ENSURE_REF(conn);
294 [ + + ][ + - ]: 419930 : POSIX_ENSURE(!conn->recv_in_use, S2N_ERR_REENTRANCY);
295 : 419928 : conn->recv_in_use = true;
296 : :
297 : 419928 : ssize_t result = s2n_recv_impl(conn, buf, size, blocked);
298 [ + + ]: 419928 : POSIX_GUARD_RESULT(s2n_early_data_record_bytes(conn, result));
299 : :
300 : : /* finish the recv call */
301 [ - + ]: 419927 : POSIX_GUARD_RESULT(s2n_connection_dynamic_free_in_buffer(conn));
302 : :
303 : 419927 : conn->recv_in_use = false;
304 : 419927 : return result;
305 : 419927 : }
306 : :
307 : : uint32_t s2n_peek(struct s2n_connection *conn)
308 : 4459 : {
309 [ + + ]: 4459 : if (conn == NULL) {
310 : 1 : return 0;
311 : 1 : }
312 : :
313 : : /* If we have partially buffered an encrypted record,
314 : : * we should not report those bytes as available to read.
315 : : */
316 [ + + ]: 4458 : if (conn->in_status != PLAINTEXT) {
317 : 1305 : return 0;
318 : 1305 : }
319 : :
320 : 3153 : return s2n_stuffer_data_available(&conn->in);
321 : 4458 : }
322 : :
323 : : uint32_t s2n_peek_buffered(struct s2n_connection *conn)
324 : 5 : {
325 [ + + ]: 5 : if (conn == NULL) {
326 : 1 : return 0;
327 : 1 : }
328 : 4 : return s2n_stuffer_data_available(&conn->buffer_in);
329 : 5 : }
|