1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/stream.h> 30 #include <sys/strsun.h> 31 #include <sys/cmn_err.h> 32 #include <sys/kmem.h> 33 #include <sys/cpuvar.h> 34 #include <sys/atomic.h> 35 #include <sys/sysmacros.h> 36 37 #include <inet/common.h> 38 #include <inet/ip.h> 39 #include <inet/ip6.h> 40 41 #include <sys/systm.h> 42 #include <sys/param.h> 43 #include <sys/tihdr.h> 44 45 #include "ksslimpl.h" 46 #include "ksslproto.h" 47 #include "ksslapi.h" 48 49 static kssl_cmd_t kssl_handle_any_record(kssl_ctx_t ctx, mblk_t *mp, 50 mblk_t **decrmp, kssl_callback_t cbfn, void *arg); 51 static boolean_t kssl_enqueue(kssl_chain_t **head, void *item); 52 static void kssl_dequeue(kssl_chain_t **head, void *item); 53 static kssl_status_t kssl_build_single_record(ssl_t *ssl, mblk_t *mp); 54 55 /* 56 * The socket T_bind_req message is intercepted and re-routed here 57 * to see is there is SSL relevant job to do, based on the kssl config 58 * in the kssl_entry_tab. 59 * Looks up the kernel SSL proxy table, to find an entry that matches the 60 * same serveraddr, and has one of the following two criteria: 61 * 1. in_port is an ssl_port. This endpoint can be used later as a fallback 62 * to complete connections that cannot be handled by the SSL kernel proxy 63 * (typically non supported ciphersuite). The cookie for the calling client 64 * is saved with the kssl_entry to be retrieved for the fallback. 65 * The function returns KSSL_HAS_PROXY. 66 * 67 * 2. in_port is a proxy port for another ssl port. The ssl port is then 68 * substituted to the in_port in the bind_req TPI structure, so that 69 * the bind falls through to the SSL port. At the end of this operation, 70 * all the packets arriving to the SSL port will be delivered to an 71 * accepted endpoint child of this bound socket. 72 * The kssl_entry_t is returned in *ksslent, for later use by the 73 * lower modules' SSL hooks that handle the Handshake messages. 74 * The function returns KSSL_IS_PROXY. 75 * 76 * The function returns KSSL_NO_PROXY otherwise. We do not suppport 77 * IPv6 addresses. 78 */ 79 80 kssl_endpt_type_t 81 kssl_check_proxy(mblk_t *bindmp, void *cookie, kssl_ent_t *ksslent) 82 { 83 int i; 84 kssl_endpt_type_t ret; 85 kssl_entry_t *ep; 86 sin_t *sin; 87 struct T_bind_req *tbr; 88 ipaddr_t v4addr; 89 in_port_t in_port; 90 91 if (kssl_enabled == 0) { 92 return (KSSL_NO_PROXY); 93 } 94 95 tbr = (struct T_bind_req *)bindmp->b_rptr; 96 97 ret = KSSL_NO_PROXY; 98 99 100 switch (tbr->ADDR_length) { 101 case sizeof (sin_t): 102 sin = (sin_t *)(bindmp->b_rptr + tbr->ADDR_length); 103 in_port = ntohs(sin->sin_port); 104 v4addr = sin->sin_addr.s_addr; 105 break; 106 107 case sizeof (sin6_t): 108 /* Future support of IPv6 goes here */ 109 default: 110 /* Should ASSERT() here? */ 111 return (ret); 112 } 113 114 mutex_enter(&kssl_tab_mutex); 115 116 for (i = 0; i < kssl_entry_tab_size; i++) { 117 if ((ep = kssl_entry_tab[i]) == NULL) 118 continue; 119 120 if ((ep->ke_laddr == v4addr) || (ep->ke_laddr == INADDR_ANY)) { 121 122 /* This is an SSL port to fallback to */ 123 if (ep->ke_ssl_port == in_port) { 124 125 /* 126 * Let's see first if there's at least 127 * an endpoint for a proxy server. 128 * If there's none, then we return as we have 129 * no proxy, so that the bind() to the 130 * transport layer goes through. 131 * The calling module will ask for this 132 * cookie if it wants to fall back to it, 133 * so add this one to the list of fallback 134 * clients. 135 */ 136 if (!kssl_enqueue((kssl_chain_t **) 137 &(ep->ke_fallback_head), cookie)) { 138 break; 139 } 140 141 /* 142 * Now transform the T_BIND_REQ into 143 * a T_BIND_ACK. 144 */ 145 tbr->PRIM_type = T_BIND_ACK; 146 bindmp->b_datap->db_type = M_PCPROTO; 147 148 KSSL_ENTRY_REFHOLD(ep); 149 *ksslent = (kssl_ent_t)ep; 150 151 ret = KSSL_HAS_PROXY; 152 break; 153 } 154 155 /* This is a proxy port. */ 156 if (ep->ke_proxy_port == in_port) { 157 mblk_t *entmp; 158 159 /* Append this entry to the bind_req mblk */ 160 161 entmp = allocb(sizeof (kssl_entry_t), 162 BPRI_MED); 163 if (entmp == NULL) 164 break; 165 *((kssl_entry_t **)entmp->b_rptr) = ep; 166 167 entmp->b_wptr = entmp->b_rptr + 168 sizeof (kssl_entry_t); 169 170 bindmp->b_cont = entmp; 171 172 /* Add the caller's cookie to proxies list */ 173 174 if (!kssl_enqueue((kssl_chain_t **) 175 &(ep->ke_proxy_head), cookie)) { 176 freeb(bindmp->b_cont); 177 bindmp->b_cont = NULL; 178 break; 179 } 180 181 /* 182 * Make this look like the SSL port to the 183 * transport below 184 */ 185 sin->sin_port = htons(ep->ke_ssl_port); 186 187 tbr->PRIM_type = T_SSL_PROXY_BIND_REQ; 188 189 KSSL_ENTRY_REFHOLD(ep); 190 *ksslent = (kssl_ent_t)ep; 191 192 ret = KSSL_IS_PROXY; 193 break; 194 } 195 } 196 } 197 198 mutex_exit(&kssl_tab_mutex); 199 return (ret); 200 } 201 202 /* 203 * Retrieved an endpoint "bound" to the SSL entry. 204 * Such endpoint has previously called kssl_check_proxy(), got itself 205 * linked to the kssl_entry's ke_fallback_head list. 206 * This routine returns the cookie from that SSL entry ke_fallback_head list. 207 */ 208 void * 209 kssl_find_fallback(kssl_ent_t ksslent) 210 { 211 kssl_entry_t *kssl_entry = (kssl_entry_t *)ksslent; 212 213 if (kssl_entry->ke_fallback_head != NULL) 214 return (kssl_entry->ke_fallback_head->fallback_bound); 215 216 KSSL_COUNTER(proxy_fallback_failed, 1); 217 218 return (NULL); 219 } 220 221 /* 222 * Re-usable code for adding and removing an element to/from a chain that 223 * matches "item" 224 * The chain is simple-linked and NULL ended. 225 */ 226 227 /* 228 * This routine returns TRUE if the item was either successfully added to 229 * the chain, or is already there. It returns FALSE otherwise. 230 */ 231 static boolean_t 232 kssl_enqueue(kssl_chain_t **head, void *item) 233 { 234 kssl_chain_t *newchain, *cur; 235 236 /* Lookup the existing entries to avoid duplicates */ 237 cur = *head; 238 while (cur != NULL) { 239 if (cur->item == item) { 240 return (B_TRUE); 241 } 242 cur = cur->next; 243 } 244 245 newchain = kmem_alloc(sizeof (kssl_chain_t), KM_NOSLEEP); 246 if (newchain == NULL) { 247 return (B_FALSE); 248 } 249 250 newchain->item = item; 251 newchain->next = *head; 252 *head = newchain; 253 return (B_TRUE); 254 } 255 256 static void 257 kssl_dequeue(kssl_chain_t **head, void *item) 258 { 259 kssl_chain_t *prev, *cur; 260 261 prev = cur = *head; 262 while (cur != NULL) { 263 if (cur->item == item) { 264 if (cur == *head) 265 *head = (*head)->next; 266 else 267 prev->next = cur->next; 268 kmem_free(cur, sizeof (kssl_chain_t)); 269 return; 270 } 271 prev = cur; 272 cur = cur->next; 273 } 274 } 275 276 /* 277 * Holds the kssl_entry 278 */ 279 void 280 kssl_hold_ent(kssl_ent_t ksslent) 281 { 282 KSSL_ENTRY_REFHOLD((kssl_entry_t *)ksslent); 283 } 284 285 /* 286 * Releases the kssl_entry 287 * If the caller passes a cookie, then it should be removed from both 288 * proxies and fallbacks chains. 289 */ 290 void 291 kssl_release_ent(kssl_ent_t ksslent, void *cookie, kssl_endpt_type_t endpt_type) 292 { 293 kssl_entry_t *kssl_entry = (kssl_entry_t *)ksslent; 294 295 if (cookie != NULL) { 296 if (endpt_type == KSSL_IS_PROXY) 297 ASSERT(kssl_entry->ke_proxy_head != NULL); 298 kssl_dequeue( 299 (kssl_chain_t **)&kssl_entry->ke_proxy_head, 300 cookie); 301 if (endpt_type == KSSL_HAS_PROXY) 302 ASSERT(kssl_entry->ke_fallback_head != NULL); 303 kssl_dequeue( 304 (kssl_chain_t **)&kssl_entry->ke_fallback_head, 305 cookie); 306 } 307 KSSL_ENTRY_REFRELE(kssl_entry); 308 } 309 310 /* 311 * Holds the kssl context 312 */ 313 void 314 kssl_hold_ctx(kssl_ctx_t ksslctx) 315 { 316 ssl_t *ssl = (ssl_t *)ksslctx; 317 318 KSSL_SSL_REFHOLD(ssl); 319 } 320 321 /* 322 * Releases the kssl_context 323 */ 324 void 325 kssl_release_ctx(kssl_ctx_t ksslctx) 326 { 327 KSSL_SSL_REFRELE((ssl_t *)ksslctx); 328 } 329 330 /* 331 * Packets are accumulated here, if there are packets already queued, 332 * or if the context is active. 333 * The context is active when an incoming record processing function 334 * is already executing on a different thread. 335 * Queued packets are handled either when an mblk arrived and completes 336 * a record, or, when the active context processor finishes the task at 337 * hand. 338 * The caller has to keep calling this routine in a loop until it returns 339 * B_FALSE in *more. The reason for this is SSL3: The protocol 340 * allows the client to send its first application_data message right 341 * after it had sent its Finished message, and not wait for the server 342 * ChangeCipherSpec and Finished. This overlap means we can't batch up 343 * a returned Handshake message to be sent on the wire 344 * with a decrypted application_data to be delivered to the application. 345 */ 346 kssl_cmd_t 347 kssl_input(kssl_ctx_t ctx, mblk_t *mp, mblk_t **decrmp, boolean_t *more, 348 kssl_callback_t cbfn, void *arg) 349 { 350 mblk_t *recmp, *outmp = NULL; 351 kssl_cmd_t kssl_cmd; 352 ssl_t *ssl; 353 uint8_t *rec_sz_p; 354 int mplen; 355 SSL3ContentType content_type; 356 uint16_t rec_sz; 357 358 ASSERT(ctx != NULL); 359 360 if (mp != NULL) { 361 ASSERT(mp->b_prev == NULL && mp->b_next == NULL); 362 } 363 364 ssl = (ssl_t *)(ctx); 365 366 *decrmp = NULL; 367 *more = B_FALSE; 368 369 mutex_enter(&ssl->kssl_lock); 370 371 if (ssl->close_notify == B_TRUE) { 372 goto sendnewalert; 373 } 374 375 /* Whomever is currently processing this connection will get to this */ 376 if (ssl->activeinput) { 377 if (mp != NULL) { 378 KSSL_ENQUEUE_MP(ssl, mp); 379 } 380 mutex_exit(&ssl->kssl_lock); 381 return (KSSL_CMD_NONE); 382 } 383 384 /* 385 * Fast path for complete incoming application_data records on an empty 386 * queue. 387 * This is by far the most frequently encountered case 388 */ 389 390 if ((!ssl->activeinput) && (ssl->rec_ass_head == NULL) && 391 ((mp != NULL) && (mplen = MBLKL(mp)) > SSL3_HDR_LEN)) { 392 393 content_type = (SSL3ContentType)mp->b_rptr[0]; 394 395 if ((content_type == content_application_data) && 396 (ssl->hs_waitstate == idle_handshake)) { 397 rec_sz_p = SSL3_REC_SIZE(mp); 398 rec_sz = BE16_TO_U16(rec_sz_p); 399 400 if ((mp->b_cont == NULL) && (mplen == rec_sz)) { 401 402 mp->b_flag &= ~DBLK_COOKED; 403 *decrmp = mp; 404 mutex_exit(&ssl->kssl_lock); 405 return (KSSL_CMD_DELIVER_PROXY); 406 } 407 } 408 } 409 410 ssl->activeinput = B_TRUE; 411 /* Accumulate at least one record */ 412 if (mp != NULL) { 413 KSSL_ENQUEUE_MP(ssl, mp); 414 mp = NULL; 415 } 416 recmp = kssl_get_next_record(ssl); 417 418 if (recmp == NULL) { 419 ssl->activeinput = B_FALSE; 420 if (ssl->alert_sendbuf != NULL) { 421 goto sendalert; 422 } 423 /* Not even a complete header yet. wait for the rest */ 424 mutex_exit(&ssl->kssl_lock); 425 return (KSSL_CMD_NONE); 426 } 427 428 do { 429 if ((SSL3ContentType)recmp->b_rptr[0] == 430 content_application_data) { 431 /* 432 * application_data records are decrypted and 433 * MAC-verified by the stream head, and in the context 434 * a read()'ing thread. This avoids unfairly charging 435 * the cost of handling this record on the whole system, 436 * and prevents doing it while in the shared IP 437 * perimeter. 438 */ 439 ssl->activeinput = B_FALSE; 440 if (ssl->hs_waitstate != idle_handshake) { 441 goto sendnewalert; 442 } 443 outmp = recmp; 444 kssl_cmd = KSSL_CMD_DELIVER_PROXY; 445 } else { 446 /* 447 * If we're past the initial handshake, start letting 448 * the stream head process all records, in particular 449 * the close_notify. 450 * This is needed to avoid processing them out of 451 * sequence when previous application data packets are 452 * waiting to be decrypted/MAC'ed and delivered. 453 */ 454 if (ssl->hs_waitstate == idle_handshake) { 455 ssl->activeinput = B_FALSE; 456 outmp = recmp; 457 kssl_cmd = KSSL_CMD_DELIVER_PROXY; 458 } else { 459 kssl_cmd = kssl_handle_any_record(ssl, recmp, 460 &outmp, cbfn, arg); 461 } 462 } 463 464 /* Priority to Alert messages */ 465 if (ssl->alert_sendbuf != NULL) { 466 goto sendalert; 467 } 468 469 /* Then handshake messages */ 470 if (ssl->handshake_sendbuf) { 471 if (*decrmp != NULL) { 472 linkb(*decrmp, ssl->handshake_sendbuf); 473 } else { 474 *decrmp = ssl->handshake_sendbuf; 475 } 476 ssl->handshake_sendbuf = NULL; 477 478 *more = ((ssl->rec_ass_head != NULL) && 479 (!ssl->activeinput)); 480 mutex_exit(&ssl->kssl_lock); 481 return (kssl_cmd); 482 } 483 484 if (ssl->hs_waitstate == idle_handshake) { 485 *more = ((ssl->rec_ass_head != NULL) && 486 (!ssl->activeinput)); 487 } 488 489 if (outmp != NULL) { 490 *decrmp = outmp; 491 /* 492 * Don't process any packet after an application_data. 493 * We could well receive the close_notify which should 494 * be handled separately. 495 */ 496 mutex_exit(&ssl->kssl_lock); 497 return (kssl_cmd); 498 } 499 /* 500 * The current record isn't done yet. Don't start the next one 501 */ 502 if (ssl->activeinput) { 503 mutex_exit(&ssl->kssl_lock); 504 return (kssl_cmd); 505 } 506 } while ((recmp = kssl_get_next_record(ssl)) != NULL); 507 508 mutex_exit(&ssl->kssl_lock); 509 return (kssl_cmd); 510 511 sendnewalert: 512 kssl_send_alert(ssl, alert_fatal, unexpected_message); 513 if (mp != NULL) { 514 freeb(mp); 515 } 516 517 sendalert: 518 *decrmp = ssl->alert_sendbuf; 519 ssl->alert_sendbuf = NULL; 520 mutex_exit(&ssl->kssl_lock); 521 return (KSSL_CMD_SEND); 522 } 523 524 /* 525 * Decrypt and verify the MAC of an incoming chain of application_data record. 526 * Each block has exactly one SSL record. 527 * This routine recycles its incoming mblk, and flags it as DBLK_COOKED 528 */ 529 kssl_cmd_t 530 kssl_handle_record(kssl_ctx_t ctx, mblk_t **mpp, mblk_t **outmp) 531 { 532 uchar_t *recend, *rec_sz_p; 533 uchar_t *real_recend; 534 mblk_t *prevmp = NULL, *nextmp, *firstmp, *mp, *copybp; 535 int mac_sz; 536 uchar_t version[2]; 537 uint16_t rec_sz; 538 SSL3AlertDescription desc; 539 SSL3ContentType content_type; 540 ssl_t *ssl; 541 KSSLCipherSpec *spec; 542 int error = 0, ret; 543 kssl_cmd_t kssl_cmd = KSSL_CMD_DELIVER_PROXY; 544 boolean_t deliverit = B_FALSE; 545 crypto_data_t cipher_data; 546 547 ASSERT(ctx != NULL); 548 549 ssl = (ssl_t *)(ctx); 550 551 mp = firstmp = *mpp; 552 *outmp = NULL; 553 554 more: 555 556 while (mp != NULL) { 557 558 if (DB_REF(mp) > 1) { 559 /* 560 * Fortunately copyb() preserves the offset, 561 * tail space and alignement so the copy is 562 * ready to be made an SSL record. 563 */ 564 if ((copybp = copyb(mp)) == NULL) 565 return (NULL); 566 567 copybp->b_cont = mp->b_cont; 568 if (mp == firstmp) { 569 *mpp = copybp; 570 } else { 571 prevmp->b_cont = copybp; 572 } 573 freeb(mp); 574 mp = copybp; 575 } 576 577 content_type = (SSL3ContentType)mp->b_rptr[0]; 578 579 if (content_type != content_application_data) { 580 nextmp = mp->b_cont; 581 582 /* Remove this message */ 583 if (prevmp != NULL) { 584 prevmp->b_cont = nextmp; 585 586 /* 587 * If we had processed blocks that need to 588 * be delivered, then remember that error code 589 */ 590 if (kssl_cmd == KSSL_CMD_DELIVER_PROXY) 591 deliverit = B_TRUE; 592 } 593 594 mutex_enter(&ssl->kssl_lock); 595 kssl_cmd = kssl_handle_any_record(ssl, mp, outmp, 596 NULL, NULL); 597 598 if (ssl->alert_sendbuf != NULL) { 599 goto sendalert; 600 } 601 mutex_exit(&ssl->kssl_lock); 602 603 if (deliverit) { 604 kssl_cmd = KSSL_CMD_DELIVER_PROXY; 605 } 606 607 mp = nextmp; 608 continue; 609 } 610 611 version[0] = mp->b_rptr[1]; 612 version[1] = mp->b_rptr[2]; 613 rec_sz_p = SSL3_REC_SIZE(mp); 614 rec_sz = BE16_TO_U16(rec_sz_p); 615 616 mp->b_rptr += SSL3_HDR_LEN; 617 recend = mp->b_rptr + rec_sz; 618 real_recend = recend; 619 620 spec = &ssl->spec[KSSL_READ]; 621 mac_sz = spec->mac_hashsz; 622 if (spec->cipher_ctx != 0) { 623 624 /* 625 * The record length must be a multiple of the 626 * block size for block ciphers. 627 * The cipher_bsize is always a power of 2. 628 */ 629 if ((spec->cipher_type == type_block) && 630 ((rec_sz & (spec->cipher_bsize - 1)) != 0)) { 631 #ifdef DEBUG 632 cmn_err(CE_WARN, "kssl_handle_record: " 633 "bad record size"); 634 #endif /* DEBUG */ 635 KSSL_COUNTER(record_decrypt_failure, 1); 636 mp->b_rptr = recend; 637 desc = decrypt_error; 638 goto makealert; 639 } 640 641 cipher_data.cd_format = CRYPTO_DATA_RAW; 642 cipher_data.cd_offset = 0; 643 cipher_data.cd_length = rec_sz; 644 cipher_data.cd_miscdata = NULL; 645 cipher_data.cd_raw.iov_base = (char *)mp->b_rptr; 646 cipher_data.cd_raw.iov_len = rec_sz; 647 error = crypto_decrypt_update(spec->cipher_ctx, 648 &cipher_data, NULL, NULL); 649 if (CRYPTO_ERR(error)) { 650 #ifdef DEBUG 651 cmn_err(CE_WARN, "kssl_handle_record: " 652 "crypto_decrypt_update failed: 0x%02X", 653 error); 654 #endif /* DEBUG */ 655 KSSL_COUNTER(record_decrypt_failure, 1); 656 mp->b_rptr = recend; 657 desc = decrypt_error; 658 goto makealert; 659 } 660 } 661 if (spec->cipher_type == type_block) { 662 uint_t pad_sz = recend[-1]; 663 pad_sz++; 664 if (pad_sz + mac_sz > rec_sz) { 665 mp->b_rptr = recend; 666 desc = bad_record_mac; 667 goto makealert; 668 } 669 rec_sz -= pad_sz; 670 recend -= pad_sz; 671 } 672 if (mac_sz != 0) { 673 uchar_t hash[MAX_HASH_LEN]; 674 if (rec_sz < mac_sz) { 675 mp->b_rptr = real_recend; 676 desc = bad_record_mac; 677 goto makealert; 678 } 679 rec_sz -= mac_sz; 680 recend -= mac_sz; 681 ret = kssl_compute_record_mac(ssl, KSSL_READ, 682 ssl->seq_num[KSSL_READ], content_type, 683 version, mp->b_rptr, rec_sz, hash); 684 if (ret != CRYPTO_SUCCESS || 685 bcmp(hash, recend, mac_sz)) { 686 mp->b_rptr = real_recend; 687 desc = bad_record_mac; 688 #ifdef DEBUG 689 cmn_err(CE_WARN, "kssl_handle_record: " 690 "msg MAC mismatch"); 691 #endif /* DEBUG */ 692 KSSL_COUNTER(verify_mac_failure, 1); 693 goto makealert; 694 } 695 ssl->seq_num[KSSL_READ]++; 696 } 697 698 if (ssl->hs_waitstate != idle_handshake) { 699 mp->b_rptr = real_recend; 700 desc = unexpected_message; 701 goto makealert; 702 } 703 mp->b_wptr = recend; 704 705 prevmp = mp; 706 mp = mp->b_cont; 707 } 708 709 KSSL_COUNTER(appdata_record_ins, 1); 710 return (kssl_cmd); 711 712 makealert: 713 nextmp = mp->b_cont; 714 freeb(mp); 715 mp = nextmp; 716 mutex_enter(&ssl->kssl_lock); 717 kssl_send_alert(ssl, alert_fatal, desc); 718 719 if (ssl->alert_sendbuf == NULL) { 720 /* internal memory allocation failure. just return. */ 721 #ifdef DEBUG 722 cmn_err(CE_WARN, "kssl_handle_record: " 723 "alert message allocation failed"); 724 #endif /* DEBUG */ 725 mutex_exit(&ssl->kssl_lock); 726 727 if (mp) { 728 prevmp = NULL; 729 goto more; 730 } 731 732 return (KSSL_CMD_NONE); 733 } 734 kssl_cmd = KSSL_CMD_SEND; 735 sendalert: 736 if (*outmp == NULL) { 737 *outmp = ssl->alert_sendbuf; 738 } else { 739 linkb(*outmp, ssl->alert_sendbuf); 740 } 741 ssl->alert_sendbuf = NULL; 742 mutex_exit(&ssl->kssl_lock); 743 744 if (mp) { 745 prevmp = NULL; 746 goto more; 747 } 748 749 return (kssl_cmd); 750 } 751 /* 752 * This is the routine that handles incoming SSL records. 753 * When called the first time, with a NULL context, this routine expects 754 * a ClientHello SSL Handshake packet and shall allocate a context 755 * of a new SSL connection. 756 * During the rest of the handshake packets, the routine adjusts the 757 * state of the context according to the record received. 758 * After the ChangeCipherSpec message is received, the routine first 759 * decrypts/authenticated the packet using the key materials in the 760 * connection's context. 761 * The return code tells the caller what to do with the returned packet. 762 */ 763 static kssl_cmd_t 764 kssl_handle_any_record(kssl_ctx_t ctx, mblk_t *mp, mblk_t **decrmp, 765 kssl_callback_t cbfn, void *arg) 766 { 767 uchar_t *recend, *rec_sz_p; 768 uchar_t version[2]; 769 uchar_t *real_recend, *save_rptr, *save_wptr; 770 int rhsz = SSL3_HDR_LEN; 771 uint16_t rec_sz; 772 int sz; 773 int mac_sz; 774 SSL3AlertDescription desc; 775 SSL3AlertLevel level; 776 SSL3ContentType content_type; 777 ssl_t *ssl; 778 KSSLCipherSpec *spec; 779 int error = 0, ret; 780 781 ASSERT(ctx != NULL); 782 783 ssl = (ssl_t *)(ctx); 784 785 *decrmp = NULL; 786 787 save_rptr = mp->b_rptr; 788 save_wptr = mp->b_wptr; 789 790 ASSERT(MUTEX_HELD(&ssl->kssl_lock)); 791 792 content_type = (SSL3ContentType)mp->b_rptr[0]; 793 if (content_type == content_handshake_v2) { 794 if (ssl->hs_waitstate == wait_client_hello) { 795 /* V2 compatible ClientHello */ 796 if (mp->b_rptr[3] == 0x03 && 797 (mp->b_rptr[4] == 0x01 || 798 mp->b_rptr[4] == 0x00)) { 799 ssl->major_version = version[0] = mp->b_rptr[3]; 800 ssl->minor_version = version[1] = mp->b_rptr[4]; 801 } else { 802 /* We don't support "pure" SSLv2 */ 803 desc = protocol_version; 804 goto sendalert; 805 } 806 } 807 rec_sz = (uint16_t)mp->b_rptr[1]; 808 rhsz = 2; 809 } else { 810 ssl->major_version = version[0] = mp->b_rptr[1]; 811 ssl->minor_version = version[1] = mp->b_rptr[2]; 812 rec_sz_p = SSL3_REC_SIZE(mp); 813 rec_sz = BE16_TO_U16(rec_sz_p); 814 } 815 816 mp->b_rptr += rhsz; 817 recend = mp->b_rptr + rec_sz; 818 real_recend = recend; 819 820 spec = &ssl->spec[KSSL_READ]; 821 mac_sz = spec->mac_hashsz; 822 if (spec->cipher_ctx != 0) { 823 /* 824 * The record length must be a multiple of the 825 * block size for block ciphers. 826 */ 827 if ((spec->cipher_type == type_block) && 828 ((rec_sz & (spec->cipher_bsize - 1)) != 0)) { 829 #ifdef DEBUG 830 cmn_err(CE_WARN, "kssl_handle_any_record: " 831 "bad record size"); 832 #endif /* DEBUG */ 833 KSSL_COUNTER(record_decrypt_failure, 1); 834 mp->b_rptr = recend; 835 desc = decrypt_error; 836 goto sendalert; 837 } 838 839 spec->cipher_data.cd_length = rec_sz; 840 spec->cipher_data.cd_raw.iov_base = (char *)mp->b_rptr; 841 spec->cipher_data.cd_raw.iov_len = rec_sz; 842 error = crypto_decrypt_update(spec->cipher_ctx, 843 &spec->cipher_data, NULL, NULL); 844 if (CRYPTO_ERR(error)) { 845 #ifdef DEBUG 846 cmn_err(CE_WARN, 847 "kssl_handle_any_record: crypto_decrypt_update " 848 "failed: 0x%02X", error); 849 #endif /* DEBUG */ 850 KSSL_COUNTER(record_decrypt_failure, 1); 851 mp->b_rptr = recend; 852 desc = decrypt_error; 853 goto sendalert; 854 } 855 } 856 if (spec->cipher_type == type_block) { 857 uint_t pad_sz = recend[-1]; 858 pad_sz++; 859 if (pad_sz + mac_sz > rec_sz) { 860 mp->b_rptr = recend; 861 desc = bad_record_mac; 862 goto sendalert; 863 } 864 rec_sz -= pad_sz; 865 recend -= pad_sz; 866 } 867 if (mac_sz != 0) { 868 uchar_t hash[MAX_HASH_LEN]; 869 if (rec_sz < mac_sz) { 870 mp->b_rptr = real_recend; 871 desc = bad_record_mac; 872 goto sendalert; 873 } 874 rec_sz -= mac_sz; 875 recend -= mac_sz; 876 ret = kssl_compute_record_mac(ssl, KSSL_READ, 877 ssl->seq_num[KSSL_READ], content_type, 878 version, mp->b_rptr, rec_sz, hash); 879 if (ret != CRYPTO_SUCCESS || 880 bcmp(hash, recend, mac_sz)) { 881 mp->b_rptr = real_recend; 882 desc = bad_record_mac; 883 #ifdef DEBUG 884 cmn_err(CE_WARN, "kssl_handle_any_record: " 885 "msg MAC mismatch"); 886 #endif /* DEBUG */ 887 KSSL_COUNTER(verify_mac_failure, 1); 888 goto sendalert; 889 } 890 ssl->seq_num[KSSL_READ]++; 891 } 892 893 switch (content_type) { 894 case content_handshake: 895 do { 896 if (error != 0 || 897 /* ignore client renegotiation for now */ 898 ssl->hs_waitstate == idle_handshake) { 899 mp->b_rptr = recend; 900 } 901 if (mp->b_rptr == recend) { 902 mp->b_rptr = real_recend; 903 if (error != 0) { 904 goto error; 905 } 906 freeb(mp); 907 908 if (ssl->hs_waitstate == wait_client_key_done) 909 return (KSSL_CMD_QUEUED); 910 911 return ((ssl->handshake_sendbuf != NULL) ? 912 KSSL_CMD_SEND : KSSL_CMD_NONE); 913 } 914 if (ssl->msg.state < MSG_BODY) { 915 if (ssl->msg.state == MSG_INIT) { 916 ssl->msg.type = 917 (SSL3HandshakeType)*mp->b_rptr++; 918 ssl->msg.state = MSG_INIT_LEN; 919 } 920 if (ssl->msg.state == MSG_INIT_LEN) { 921 int msglenb = 922 ssl->msg.msglen_bytes; 923 int msglen = ssl->msg.msglen; 924 while (mp->b_rptr < recend && 925 msglenb < 3) { 926 msglen = (msglen << 8) + 927 (uint_t)(*mp->b_rptr++); 928 msglenb++; 929 } 930 ssl->msg.msglen_bytes = msglenb; 931 ssl->msg.msglen = msglen; 932 if (msglenb == 3) { 933 ssl->msg.state = MSG_BODY; 934 } 935 } 936 if (mp->b_rptr == recend) { 937 mp->b_rptr = real_recend; 938 freeb(mp); 939 return (KSSL_CMD_NONE); 940 } 941 } 942 ASSERT(ssl->msg.state == MSG_BODY); 943 944 sz = recend - mp->b_rptr; 945 946 if (ssl->msg.head == NULL && 947 ssl->msg.msglen <= sz) { 948 continue; 949 } 950 if (ssl->msg.head != NULL) { 951 sz += msgdsize(ssl->msg.head); 952 if (ssl->msg.msglen <= sz) { 953 ssl->msg.tail->b_cont = mp; 954 mp = ssl->msg.head; 955 ssl->sslcnt = 100; 956 ssl->msg.head = NULL; 957 ssl->msg.tail = NULL; 958 if (pullupmsg(mp, -1)) { 959 recend = mp->b_rptr + sz; 960 ASSERT(recend <= mp->b_wptr); 961 continue; 962 } 963 mp->b_rptr = real_recend; 964 error = ENOMEM; 965 KSSL_COUNTER(alloc_fails, 1); 966 goto error; 967 } 968 } 969 970 mp->b_wptr = recend; 971 972 if (ssl->msg.head == NULL) { 973 ssl->msg.head = mp; 974 ssl->msg.tail = mp; 975 return (KSSL_CMD_NONE); 976 } else { 977 ssl->msg.tail->b_cont = mp; 978 ssl->msg.tail = mp; 979 return (KSSL_CMD_NONE); 980 } 981 } while (kssl_handle_handshake_message(ssl, mp, &error, cbfn, 982 arg)); 983 if (error == SSL_MISS) { 984 mp->b_rptr = save_rptr; 985 mp->b_wptr = save_wptr; 986 KSSL_COUNTER(fallback_connections, 1); 987 return (KSSL_CMD_NOT_SUPPORTED); 988 } 989 if (ssl->hs_waitstate == wait_client_key_done) { 990 return (KSSL_CMD_QUEUED); 991 } else { 992 return (KSSL_CMD_NONE); 993 } 994 case content_alert: 995 if (rec_sz != 2) { 996 mp->b_rptr = real_recend; 997 desc = illegal_parameter; 998 goto sendalert; 999 } else { 1000 level = *mp->b_rptr++; 1001 desc = *mp->b_rptr++; 1002 mp->b_rptr = real_recend; 1003 if (level != alert_warning || desc != close_notify) { 1004 if (ssl->sid.cached == B_TRUE) { 1005 kssl_uncache_sid(&ssl->sid, 1006 ssl->kssl_entry); 1007 ssl->sid.cached = B_FALSE; 1008 } 1009 ssl->fatal_alert = B_TRUE; 1010 error = EBADMSG; 1011 goto error; 1012 } else { 1013 ssl->close_notify = B_TRUE; 1014 ssl->activeinput = B_FALSE; 1015 freeb(mp); 1016 return (KSSL_CMD_NONE); 1017 } 1018 } 1019 case content_change_cipher_spec: 1020 if (ssl->hs_waitstate != wait_change_cipher) { 1021 desc = unexpected_message; 1022 } else if (rec_sz != 1 || *mp->b_rptr != 1) { 1023 desc = illegal_parameter; 1024 } else { 1025 mp->b_rptr = real_recend; 1026 ssl->hs_waitstate = wait_finished; 1027 ssl->seq_num[KSSL_READ] = 0; 1028 if ((error = kssl_spec_init(ssl, KSSL_READ)) != 0) { 1029 #ifdef DEBUG 1030 cmn_err(CE_WARN, 1031 "kssl_spec_init returned error " 1032 "0x%02X", error); 1033 #endif /* DEBUG */ 1034 goto error; 1035 } 1036 ssl->activeinput = B_FALSE; 1037 freeb(mp); 1038 return (KSSL_CMD_NONE); 1039 } 1040 mp->b_rptr = real_recend; 1041 goto sendalert; 1042 1043 case content_application_data: 1044 if (ssl->hs_waitstate != idle_handshake) { 1045 mp->b_rptr = real_recend; 1046 desc = unexpected_message; 1047 goto sendalert; 1048 } 1049 mp->b_wptr = recend; 1050 *decrmp = mp; 1051 ssl->activeinput = B_FALSE; 1052 return (KSSL_CMD_DELIVER_PROXY); 1053 1054 case content_handshake_v2: 1055 error = kssl_handle_v2client_hello(ssl, mp, rec_sz); 1056 if (error == SSL_MISS) { 1057 mp->b_rptr = save_rptr; 1058 mp->b_wptr = save_wptr; 1059 KSSL_COUNTER(fallback_connections, 1); 1060 return (KSSL_CMD_NOT_SUPPORTED); 1061 } else if (error != 0) { 1062 goto error; 1063 } 1064 freeb(mp); 1065 return (KSSL_CMD_SEND); 1066 default: 1067 mp->b_rptr = real_recend; 1068 desc = unexpected_message; 1069 break; 1070 } 1071 1072 sendalert: 1073 kssl_send_alert(ssl, alert_fatal, desc); 1074 *decrmp = ssl->alert_sendbuf; 1075 ssl->alert_sendbuf = NULL; 1076 freeb(mp); 1077 return ((*decrmp != NULL) ? KSSL_CMD_SEND : KSSL_CMD_NONE); 1078 error: 1079 freeb(mp); 1080 return (KSSL_CMD_NONE); 1081 } 1082 1083 /* 1084 * Initialize the context of an SSL connection, coming to the specified 1085 * address. 1086 * the ssl structure returned is held. 1087 */ 1088 kssl_status_t 1089 kssl_init_context(kssl_ent_t kssl_ent, ipaddr_t faddr, int mss, 1090 kssl_ctx_t *kssl_ctxp) 1091 { 1092 ssl_t *ssl = kmem_cache_alloc(kssl_cache, KM_NOSLEEP); 1093 1094 if (ssl == NULL) { 1095 return (KSSL_STS_ERR); 1096 } 1097 1098 kssl_cache_count++; 1099 1100 bzero(ssl, sizeof (ssl_t)); 1101 1102 ssl->kssl_entry = (kssl_entry_t *)kssl_ent; 1103 KSSL_ENTRY_REFHOLD(ssl->kssl_entry); 1104 1105 ssl->faddr = faddr; 1106 ssl->tcp_mss = mss; 1107 ssl->sendalert_level = alert_warning; 1108 ssl->sendalert_desc = close_notify; 1109 ssl->sid.cached = B_FALSE; 1110 1111 *kssl_ctxp = (kssl_ctx_t)ssl; 1112 KSSL_SSL_REFHOLD(ssl); 1113 return (KSSL_STS_OK); 1114 } 1115 1116 /* 1117 * Builds SSL records out of the chain of mblks, and returns it. 1118 * Taked a copy of the message before encypting it if it has another 1119 * reference. 1120 * In case of failure, NULL is returned, and the message will be 1121 * freed by the caller. 1122 * A NULL mp means a close_notify is requested. 1123 */ 1124 mblk_t * 1125 kssl_build_record(kssl_ctx_t ctx, mblk_t *mp) 1126 { 1127 ssl_t *ssl = (ssl_t *)ctx; 1128 mblk_t *retmp = mp, *bp = mp, *prevbp = mp, *copybp; 1129 1130 ASSERT(ssl != NULL); 1131 ASSERT(mp != NULL); 1132 1133 do { 1134 if (DB_REF(bp) > 1) { 1135 /* 1136 * Fortunately copyb() preserves the offset, 1137 * tail space and alignement so the copy is 1138 * ready to be made an SSL record. 1139 */ 1140 if ((copybp = copyb(bp)) == NULL) 1141 return (NULL); 1142 1143 copybp->b_cont = bp->b_cont; 1144 if (bp == mp) { 1145 retmp = copybp; 1146 } else { 1147 prevbp->b_cont = copybp; 1148 } 1149 freeb(bp); 1150 bp = copybp; 1151 } 1152 1153 if (kssl_build_single_record(ssl, bp) != KSSL_STS_OK) 1154 return (NULL); 1155 1156 prevbp = bp; 1157 bp = bp->b_cont; 1158 } while (bp != NULL); 1159 1160 return (retmp); 1161 } 1162 1163 /* 1164 * Builds a single SSL record 1165 * In-line encryption of the record. 1166 */ 1167 static kssl_status_t 1168 kssl_build_single_record(ssl_t *ssl, mblk_t *mp) 1169 { 1170 int len; 1171 int reclen = 0; 1172 uchar_t *recstart, *versionp; 1173 KSSLCipherSpec *spec; 1174 int mac_sz; 1175 int pad_sz = 0; 1176 1177 1178 spec = &ssl->spec[KSSL_WRITE]; 1179 mac_sz = spec->mac_hashsz; 1180 1181 1182 ASSERT(DB_REF(mp) == 1); 1183 ASSERT((mp->b_rptr - mp->b_datap->db_base >= SSL3_HDR_LEN) && 1184 (mp->b_datap->db_lim - mp->b_wptr >= mac_sz + spec->cipher_bsize)); 1185 1186 len = MBLKL(mp); 1187 1188 ASSERT(len > 0); 1189 1190 mutex_enter(&ssl->kssl_lock); 1191 1192 recstart = mp->b_rptr = mp->b_rptr - SSL3_HDR_LEN; 1193 recstart[0] = content_application_data; 1194 recstart[1] = ssl->major_version; 1195 recstart[2] = ssl->minor_version; 1196 versionp = &recstart[1]; 1197 1198 reclen = len + mac_sz; 1199 if (spec->cipher_type == type_block) { 1200 pad_sz = spec->cipher_bsize - 1201 (reclen & (spec->cipher_bsize - 1)); 1202 ASSERT(reclen + pad_sz <= 1203 SSL3_MAX_RECORD_LENGTH); 1204 reclen += pad_sz; 1205 } 1206 recstart[3] = (reclen >> 8) & 0xff; 1207 recstart[4] = reclen & 0xff; 1208 1209 if (kssl_mac_encrypt_record(ssl, content_application_data, versionp, 1210 recstart, mp) != 0) { 1211 /* Do we need an internal_error Alert here? */ 1212 mutex_exit(&ssl->kssl_lock); 1213 return (KSSL_STS_ERR); 1214 } 1215 1216 KSSL_COUNTER(appdata_record_outs, 1); 1217 mutex_exit(&ssl->kssl_lock); 1218 return (KSSL_STS_OK); 1219 } 1220