1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/stream.h> 30 #include <sys/strsubr.h> 31 #include <sys/stropts.h> 32 #include <sys/strsun.h> 33 #define _SUN_TPI_VERSION 2 34 #include <sys/ddi.h> 35 #include <sys/sunddi.h> 36 #include <sys/debug.h> 37 #include <sys/vtrace.h> 38 #include <sys/kmem.h> 39 #include <sys/cpuvar.h> 40 #include <sys/atomic.h> 41 #include <sys/sysmacros.h> 42 43 #include <sys/errno.h> 44 #include <sys/isa_defs.h> 45 #include <sys/md5.h> 46 #include <sys/sha1.h> 47 #include <sys/random.h> 48 #include <inet/common.h> 49 #include <netinet/in.h> 50 51 #include <sys/systm.h> 52 #include <sys/param.h> 53 54 #include "ksslimpl.h" 55 #include "ksslapi.h" 56 #include "ksslproto.h" 57 58 static ssl3CipherSuiteDef cipher_suite_defs[] = { 59 /* 2 X 16 byte keys + 2 x 20 byte MAC secrets, no IVs */ 60 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, 72}, 61 62 /* 2 X 16 byte keys + 2 x 16 byte MAC secrets, no IVs */ 63 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, 64}, 64 65 /* 2 X 8 byte keys + 2 x 20 byte MAC secrets, 2 x 8 byte IVs */ 66 {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, 72}, 67 68 /* 2 X 24 byte keys + 2 x 20 byte MAC secrets, 2 x 8 byte IVs */ 69 {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, 104}, 70 71 /* 2 X 16 byte keys + 2 x 20 byte MAC secrets, 2 x 16 byte IVs */ 72 {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes128, mac_sha, 104}, 73 74 /* 2 X 32 byte keys + 2 x 20 byte MAC secrets, 2 x 16 byte IVs */ 75 {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes256, mac_sha, 136}, 76 77 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, 40} 78 }; 79 80 static int cipher_suite_defs_nentries = 81 sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]); 82 83 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ 84 /* macsz padsz HashInit HashUpdate HashFinal */ 85 86 {MD5_HASH_LEN, SSL3_MD5_PAD_LEN, 87 (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update, 88 (hashfinal_func_t)MD5Final}, 89 90 {SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN, 91 (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update, 92 (hashfinal_func_t)SHA1Final}, 93 }; 94 95 static uchar_t kssl_pad_1[60] = { 96 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 97 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 98 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 99 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 100 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 101 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 102 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 103 0x36, 0x36, 0x36, 0x36 104 }; 105 static uchar_t kssl_pad_2[60] = { 106 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 107 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 108 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 109 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 110 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 111 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 112 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 113 0x5c, 0x5c, 0x5c, 0x5c 114 }; 115 116 int kssl_cache_count; 117 static boolean_t kssl_synchronous = B_FALSE; 118 119 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t); 120 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t); 121 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int); 122 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int, 123 kssl_callback_t, void *); 124 static int kssl_send_server_hello(ssl_t *); 125 static int kssl_send_certificate_and_server_hello_done(ssl_t *); 126 static int kssl_send_change_cipher_specs(ssl_t *); 127 static int kssl_send_finished(ssl_t *, int); 128 static int kssl_handle_finished(ssl_t *, mblk_t *, int); 129 static void kssl_get_hello_random(uchar_t *); 130 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *); 131 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *); 132 static void kssl_lookup_sid(sslSessionID *, uchar_t *, ipaddr_t, 133 kssl_entry_t *); 134 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t); 135 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t); 136 static int kssl_generate_tls_keyblock(ssl_t *); 137 static void kssl_generate_keyblock(ssl_t *); 138 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t, 139 int, uchar_t *, int); 140 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t, 141 uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 142 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *, 143 size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 144 static void kssl_cke_done(void *, int); 145 146 #define HMAC_INIT(m, k, c) \ 147 rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end; 148 149 #define HMAC_UPDATE(c, d, l) \ 150 dd.cd_raw.iov_base = (char *)d; \ 151 dd.cd_length = dd.cd_raw.iov_len = l; \ 152 rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end; 153 154 #define HMAC_FINAL(c, d, l) \ 155 mac.cd_raw.iov_base = (char *)d; \ 156 mac.cd_length = mac.cd_raw.iov_len = l; \ 157 rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end; 158 159 /* 160 * This hack can go away once we have SSL3 MAC support by KCF 161 * software providers (See 4873559). 162 */ 163 extern int kcf_md5_threshold; 164 165 int 166 kssl_compute_record_mac( 167 ssl_t *ssl, 168 int direction, 169 uint64_t seq_num, 170 SSL3ContentType ct, 171 uchar_t *versionp, 172 uchar_t *buf, 173 int len, 174 uchar_t *digest) 175 { 176 KSSL_HASHCTX mac_ctx; 177 KSSL_HASHCTX *ctx = &mac_ctx; 178 uchar_t temp[16], *p; 179 KSSLCipherSpec *spec; 180 boolean_t hash_use_ok = B_FALSE; 181 int rv = 0; 182 183 spec = &ssl->spec[direction]; 184 185 if (spec->mac_hashsz == 0) { 186 return (1); 187 } 188 189 p = temp; 190 191 *p++ = (seq_num >> 56) & 0xff; 192 *p++ = (seq_num >> 48) & 0xff; 193 *p++ = (seq_num >> 40) & 0xff; 194 *p++ = (seq_num >> 32) & 0xff; 195 *p++ = (seq_num >> 24) & 0xff; 196 *p++ = (seq_num >> 16) & 0xff; 197 *p++ = (seq_num >> 8) & 0xff; 198 *p++ = (seq_num) & 0xff; 199 *p++ = (uchar_t)ct; 200 if (IS_TLS(ssl)) { 201 *p++ = versionp[0]; 202 *p++ = versionp[1]; 203 } 204 *p++ = (len >> 8) & 0xff; 205 *p++ = (len) & 0xff; 206 207 if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID && 208 len >= kcf_md5_threshold)) { 209 crypto_data_t dd, mac; 210 struct uio uio_pt; 211 struct iovec iovarray_pt[2]; 212 213 /* init the array of iovecs for use in the uio struct */ 214 iovarray_pt[0].iov_base = (char *)temp; 215 iovarray_pt[0].iov_len = (p - temp); 216 iovarray_pt[1].iov_base = (char *)buf; 217 iovarray_pt[1].iov_len = len; 218 219 /* init the uio struct for use in the crypto_data_t struct */ 220 bzero(&uio_pt, sizeof (uio_pt)); 221 uio_pt.uio_iov = iovarray_pt; 222 uio_pt.uio_iovcnt = 2; 223 uio_pt.uio_segflg = UIO_SYSSPACE; 224 225 dd.cd_format = CRYPTO_DATA_UIO; 226 dd.cd_offset = 0; 227 dd.cd_length = (p - temp) + len; 228 dd.cd_miscdata = NULL; 229 dd.cd_uio = &uio_pt; 230 231 mac.cd_format = CRYPTO_DATA_RAW; 232 mac.cd_offset = 0; 233 mac.cd_raw.iov_base = (char *)digest; 234 mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz; 235 236 /* 237 * The calling context can tolerate a blocking call here. 238 * For outgoing traffic, we are in user context 239 * when called from strsock_kssl_output(). For incoming 240 * traffic past the SSL handshake, we are in user 241 * context when called from strsock_kssl_input(). During the 242 * SSL handshake, we are called for client_finished message 243 * handling from a squeue worker thread that gets scheduled 244 * by an squeue_fill() call. This thread is not in interrupt 245 * context and so can block. 246 */ 247 rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key, 248 NULL, &mac, NULL); 249 250 if (CRYPTO_ERR(rv)) { 251 hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED && 252 !IS_TLS(ssl)); 253 if (!hash_use_ok) { 254 DTRACE_PROBE1(kssl_err__crypto_mac_error, 255 int, rv); 256 KSSL_COUNTER(compute_mac_failure, 1); 257 } 258 } 259 } else 260 hash_use_ok = B_TRUE; 261 262 if (hash_use_ok) { 263 bcopy(&(ssl->mac_ctx[direction][0]), ctx, 264 sizeof (KSSL_HASHCTX)); 265 spec->MAC_HashUpdate((void *)ctx, temp, p - temp); 266 spec->MAC_HashUpdate((void *)ctx, buf, len); 267 spec->MAC_HashFinal(digest, (void *)ctx); 268 269 bcopy(&(ssl->mac_ctx[direction][1]), ctx, 270 sizeof (KSSL_HASHCTX)); 271 spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz); 272 spec->MAC_HashFinal(digest, (void *)ctx); 273 } 274 275 return (rv); 276 } 277 278 /* 279 * Handles handshake messages. 280 * Messages to be replied are returned in handshake_sendbuf. 281 */ 282 int 283 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err, 284 kssl_callback_t cbfn, void *arg) 285 { 286 uint32_t msglen; 287 uchar_t msghdr[4]; 288 289 ASSERT(ssl->msg.state == MSG_BODY); 290 ASSERT(ssl->msg.msglen_bytes == 3); 291 ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen); 292 293 ssl->sslcnt++; 294 msglen = ssl->msg.msglen; 295 296 if (ssl->msg.type == client_hello) { 297 MD5Init(&ssl->hs_md5); 298 SHA1Init(&ssl->hs_sha1); 299 } 300 301 if (ssl->msg.type == finished && ssl->resumed == B_FALSE) { 302 if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 303 sender_client) != 0) { 304 *err = SSL_MISS; 305 return (0); 306 } 307 } 308 309 if (ssl->msg.type != finished || ssl->resumed == B_FALSE) { 310 msghdr[0] = (uchar_t)ssl->msg.type; 311 312 msghdr[1] = (uchar_t)(msglen >> 16); 313 msghdr[2] = (uchar_t)(msglen >> 8); 314 msghdr[3] = (uchar_t)(msglen); 315 kssl_update_handshake_hashes(ssl, msghdr, 4); 316 kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen); 317 } 318 319 ssl->msg.state = MSG_INIT; 320 ssl->msg.msglen = 0; 321 ssl->msg.msglen_bytes = 0; 322 323 switch (ssl->msg.type) { 324 case client_hello: 325 if (ssl->hs_waitstate != wait_client_hello) { 326 kssl_send_alert(ssl, alert_fatal, 327 unexpected_message); 328 *err = EBADMSG; 329 ssl->activeinput = B_FALSE; 330 return (1); 331 } 332 *err = kssl_handle_client_hello(ssl, mp, msglen); 333 if (*err == SSL_MISS) { 334 ssl->activeinput = B_FALSE; 335 return (0); 336 } 337 return (1); 338 case client_key_exchange: 339 if (ssl->hs_waitstate != wait_client_key) { 340 kssl_send_alert(ssl, alert_fatal, 341 unexpected_message); 342 *err = EBADMSG; 343 ssl->activeinput = B_FALSE; 344 return (1); 345 } 346 *err = kssl_handle_client_key_exchange(ssl, mp, 347 msglen, cbfn, arg); 348 return (1); 349 case finished: 350 if (ssl->hs_waitstate != wait_finished) { 351 kssl_send_alert(ssl, alert_fatal, 352 unexpected_message); 353 *err = EBADMSG; 354 ssl->activeinput = B_FALSE; 355 return (1); 356 } 357 *err = kssl_handle_finished(ssl, mp, msglen); 358 return (1); 359 default: 360 kssl_send_alert(ssl, alert_fatal, unexpected_message); 361 ssl->activeinput = B_FALSE; 362 *err = EBADMSG; 363 return (1); 364 } 365 } 366 367 static void 368 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len) 369 { 370 MD5Update(&ssl->hs_md5, buf, len); 371 SHA1Update(&ssl->hs_sha1, buf, len); 372 } 373 374 static int 375 kssl_compute_handshake_hashes( 376 ssl_t *ssl, 377 SSL3Hashes *hashes, 378 uint32_t sender) 379 { 380 MD5_CTX md5 = ssl->hs_md5; /* clone md5 context */ 381 SHA1_CTX sha1 = ssl->hs_sha1; /* clone sha1 context */ 382 MD5_CTX *md5ctx = &md5; 383 SHA1_CTX *sha1ctx = &sha1; 384 385 if (IS_TLS(ssl)) { 386 uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN]; 387 char *label; 388 389 /* 390 * Do not take another hash step here. 391 * Just complete the operation. 392 */ 393 MD5Final(hashes->md5, md5ctx); 394 SHA1Final(hashes->sha1, sha1ctx); 395 396 bcopy(hashes->md5, seed, MD5_HASH_LEN); 397 bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN); 398 399 if (sender == sender_client) 400 label = TLS_CLIENT_FINISHED_LABEL; 401 else 402 label = TLS_SERVER_FINISHED_LABEL; 403 404 return (kssl_tls_PRF(ssl, 405 ssl->sid.master_secret, 406 (size_t)SSL3_MASTER_SECRET_LEN, 407 (uchar_t *)label, strlen(label), 408 seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN), 409 hashes->tlshash, (size_t)TLS_FINISHED_SIZE)); 410 } else { 411 uchar_t s[4]; 412 s[0] = (sender >> 24) & 0xff; 413 s[1] = (sender >> 16) & 0xff; 414 s[2] = (sender >> 8) & 0xff; 415 s[3] = (sender) & 0xff; 416 417 MD5Update(md5ctx, s, 4); 418 MD5Update(md5ctx, ssl->sid.master_secret, 419 SSL3_MASTER_SECRET_LEN); 420 MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN); 421 MD5Final(hashes->md5, md5ctx); 422 423 MD5Init(md5ctx); 424 MD5Update(md5ctx, ssl->sid.master_secret, 425 SSL3_MASTER_SECRET_LEN); 426 MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN); 427 MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN); 428 MD5Final(hashes->md5, md5ctx); 429 430 SHA1Update(sha1ctx, s, 4); 431 SHA1Update(sha1ctx, ssl->sid.master_secret, 432 SSL3_MASTER_SECRET_LEN); 433 SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN); 434 SHA1Final(hashes->sha1, sha1ctx); 435 436 SHA1Init(sha1ctx); 437 SHA1Update(sha1ctx, ssl->sid.master_secret, 438 SSL3_MASTER_SECRET_LEN); 439 SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN); 440 SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN); 441 SHA1Final(hashes->sha1, sha1ctx); 442 return (0); 443 } 444 } 445 446 447 #define KSSL_SSL3_CH_MIN_MSGLEN (39) 448 449 static int 450 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen) 451 { 452 uchar_t *msgend; 453 int err; 454 SSL3AlertDescription desc = illegal_parameter; 455 uint_t sidlen; 456 uint_t nsuites; 457 uchar_t *suitesp; 458 uint_t i, j; 459 uint16_t suite; 460 int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN; 461 462 ASSERT(mp->b_wptr >= mp->b_rptr + msglen); 463 ASSERT(ssl->msg.type == client_hello); 464 ASSERT(ssl->hs_waitstate == wait_client_hello); 465 ASSERT(ssl->resumed == B_FALSE); 466 467 if (msglen < ch_msglen) { 468 goto falert; 469 } 470 471 msgend = mp->b_rptr + msglen; 472 473 /* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */ 474 if (ssl->major_version != 3 || (ssl->major_version == 3 && 475 ssl->minor_version != 0 && ssl->minor_version != 1)) { 476 DTRACE_PROBE2(kssl_err__SSL_version_not_supported, 477 uchar_t, ssl->major_version, 478 uchar_t, ssl->minor_version); 479 desc = handshake_failure; 480 goto falert; 481 } 482 mp->b_rptr += 2; /* skip the version bytes */ 483 484 bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH); 485 mp->b_rptr += SSL3_RANDOM_LENGTH; 486 487 ASSERT(ssl->sid.cached == B_FALSE); 488 sidlen = *mp->b_rptr++; 489 ch_msglen += sidlen; 490 if (msglen < ch_msglen) { 491 goto falert; 492 } 493 if (sidlen != SSL3_SESSIONID_BYTES) { 494 mp->b_rptr += sidlen; 495 } else { 496 kssl_lookup_sid(&ssl->sid, mp->b_rptr, ssl->faddr, 497 ssl->kssl_entry); 498 mp->b_rptr += SSL3_SESSIONID_BYTES; 499 } 500 501 nsuites = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 502 mp->b_rptr += 2; 503 ch_msglen += nsuites; 504 if (msglen != ch_msglen) { 505 goto falert; 506 } 507 if (nsuites & 0x1) { 508 goto falert; 509 } 510 suitesp = mp->b_rptr; 511 if (ssl->sid.cached == B_TRUE) { 512 suite = ssl->sid.cipher_suite; 513 for (j = 0; j < nsuites; j += 2) { 514 if (suitesp[j] == ((suite >> 8) & 0xff) && 515 suitesp[j + 1] == (suite & 0xff)) { 516 break; 517 } 518 } 519 if (j < nsuites) { 520 goto suite_found; 521 } 522 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 523 ssl->sid.cached = B_FALSE; 524 } 525 526 /* Check if this server is capable of the cipher suite */ 527 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 528 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 529 for (j = 0; j < nsuites; j += 2) { 530 if (suitesp[j] == ((suite >> 8) & 0xff) && 531 suitesp[j + 1] == (suite & 0xff)) { 532 break; 533 } 534 } 535 if (j < nsuites) { 536 break; 537 } 538 } 539 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 540 if (ssl->sslcnt == 1) { 541 KSSL_COUNTER(no_suite_found, 1); 542 return (SSL_MISS); 543 } 544 desc = handshake_failure; 545 DTRACE_PROBE(kssl_err__no_cipher_suites_found); 546 goto falert; 547 } 548 549 suite_found: 550 551 mp->b_rptr += nsuites; 552 if (*mp->b_rptr++ != 1 || *mp->b_rptr++ != 0) { 553 desc = handshake_failure; 554 DTRACE_PROBE(kssl_err__handshake_failure); 555 goto falert; 556 } 557 558 mp->b_rptr = msgend; 559 560 for (i = 0; i < cipher_suite_defs_nentries; i++) { 561 if (suite == cipher_suite_defs[i].suite) { 562 break; 563 } 564 } 565 566 ASSERT(i < cipher_suite_defs_nentries); 567 568 ssl->pending_cipher_suite = suite; 569 ssl->pending_malg = cipher_suite_defs[i].malg; 570 ssl->pending_calg = cipher_suite_defs[i].calg; 571 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 572 573 if (ssl->sid.cached == B_TRUE) { 574 err = kssl_send_server_hello(ssl); 575 if (err != 0) { 576 return (err); 577 } 578 if (IS_TLS(ssl)) 579 err = kssl_generate_tls_keyblock(ssl); 580 else 581 kssl_generate_keyblock(ssl); 582 583 err = kssl_send_change_cipher_specs(ssl); 584 if (err != 0) { 585 return (err); 586 } 587 588 err = kssl_send_finished(ssl, 1); 589 if (err != 0) 590 return (err); 591 592 err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 593 sender_client); 594 if (err != 0) 595 return (err); 596 597 ssl->hs_waitstate = wait_change_cipher; 598 ssl->resumed = B_TRUE; 599 ssl->activeinput = B_FALSE; 600 KSSL_COUNTER(resumed_sessions, 1); 601 return (0); 602 } 603 604 (void) random_get_pseudo_bytes(ssl->sid.session_id, 605 SSL3_SESSIONID_BYTES); 606 ssl->sid.client_addr = ssl->faddr; 607 ssl->sid.cipher_suite = suite; 608 609 err = kssl_send_server_hello(ssl); 610 if (err != 0) { 611 return (err); 612 } 613 err = kssl_send_certificate_and_server_hello_done(ssl); 614 if (err != 0) { 615 return (err); 616 } 617 KSSL_COUNTER(full_handshakes, 1); 618 ssl->hs_waitstate = wait_client_key; 619 ssl->activeinput = B_FALSE; 620 return (0); 621 622 falert: 623 kssl_send_alert(ssl, alert_fatal, desc); 624 return (EBADMSG); 625 } 626 627 static void 628 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 629 { 630 uint_t index; 631 uchar_t *s = sid->session_id; 632 int l = SSL3_SESSIONID_BYTES - 1; 633 kmutex_t *lock; 634 635 ASSERT(sid->cached == B_TRUE); 636 637 index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 638 ((int)s[2] << 8) | (int)s[l]); 639 640 index %= kssl_entry->sid_cache_nentries; 641 642 sid->time = lbolt; 643 644 lock = &(kssl_entry->sid_cache[index].se_lock); 645 mutex_enter(lock); 646 kssl_entry->sid_cache[index].se_used++; 647 bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid)); 648 mutex_exit(lock); 649 } 650 651 static void 652 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, ipaddr_t faddr, 653 kssl_entry_t *kssl_entry) 654 { 655 uint_t index; 656 int l = SSL3_SESSIONID_BYTES - 1; 657 kmutex_t *lock; 658 sslSessionID *csid; 659 660 ASSERT(sid->cached == B_FALSE); 661 662 KSSL_COUNTER(sid_cache_lookups, 1); 663 664 index = (int)faddr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 665 ((int)s[2] << 8) | (int)s[l]); 666 667 index %= kssl_entry->sid_cache_nentries; 668 669 lock = &(kssl_entry->sid_cache[index].se_lock); 670 mutex_enter(lock); 671 csid = &(kssl_entry->sid_cache[index].se_sid); 672 if (csid->cached == B_FALSE || csid->client_addr != faddr || 673 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 674 mutex_exit(lock); 675 return; 676 } 677 678 if (TICK_TO_SEC(lbolt - csid->time) > kssl_entry->sid_cache_timeout) { 679 csid->cached = B_FALSE; 680 mutex_exit(lock); 681 return; 682 } 683 684 bcopy(csid, sid, sizeof (*sid)); 685 mutex_exit(lock); 686 ASSERT(sid->cached == B_TRUE); 687 688 KSSL_COUNTER(sid_cache_hits, 1); 689 } 690 691 static uchar_t * 692 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp) 693 { 694 size_t len = *lenp; 695 int i = 2; 696 697 if (buf[0] != 0 || buf[1] != 2) { 698 return (NULL); 699 } 700 701 while (i < len) { 702 if (buf[i++] == 0) { 703 *lenp = len - i; 704 break; 705 } 706 } 707 708 if (i == len) { 709 return (NULL); 710 } 711 712 return (buf + i); 713 } 714 715 void 716 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 717 { 718 uint_t index; 719 uchar_t *s = sid->session_id; 720 int l = SSL3_SESSIONID_BYTES - 1; 721 sslSessionID *csid; 722 kmutex_t *lock; 723 724 ASSERT(sid->cached == B_TRUE); 725 726 KSSL_COUNTER(sid_uncached, 1); 727 728 index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 729 ((int)s[2] << 8) | (int)s[l]); 730 731 index %= kssl_entry->sid_cache_nentries; 732 733 lock = &(kssl_entry->sid_cache[index].se_lock); 734 mutex_enter(lock); 735 csid = &(kssl_entry->sid_cache[index].se_sid); 736 if (csid->client_addr != sid->client_addr || 737 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 738 mutex_exit(lock); 739 return; 740 } 741 csid->cached = B_FALSE; 742 mutex_exit(lock); 743 } 744 745 746 #define KSSL_SSL3_SH_RECLEN (74) 747 #define KSSL_SSL3_FIN_MSGLEN (36) 748 749 #define KSSL_SSL3_MAX_CCP_FIN_MSGLEN (128) /* comfortable upper bound */ 750 751 static int 752 kssl_send_server_hello(ssl_t *ssl) 753 { 754 mblk_t *mp; 755 uchar_t *buf; 756 uchar_t *msgstart; 757 758 mp = allocb(ssl->tcp_mss, BPRI_HI); 759 if (mp == NULL) { 760 KSSL_COUNTER(alloc_fails, 1); 761 return (ENOMEM); 762 } 763 ssl->handshake_sendbuf = mp; 764 buf = mp->b_wptr; 765 766 /* 5 byte record header */ 767 buf[0] = content_handshake; 768 buf[1] = ssl->major_version; 769 buf[2] = ssl->minor_version; 770 buf[3] = KSSL_SSL3_SH_RECLEN >> 8; 771 buf[4] = KSSL_SSL3_SH_RECLEN & 0xff; 772 buf += SSL3_HDR_LEN; 773 774 msgstart = buf; 775 776 /* 6 byte message header */ 777 buf[0] = (uchar_t)server_hello; /* message type */ 778 buf[1] = 0; /* message len byte 0 */ 779 buf[2] = ((KSSL_SSL3_SH_RECLEN - 4) >> 8) & 780 0xff; /* message len byte 1 */ 781 buf[3] = (KSSL_SSL3_SH_RECLEN - 4) & 0xff; /* message len byte 2 */ 782 783 buf[4] = ssl->major_version; /* version byte 0 */ 784 buf[5] = ssl->minor_version; /* version byte 1 */ 785 786 buf += 6; 787 788 kssl_get_hello_random(ssl->server_random); 789 bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH); 790 buf += SSL3_RANDOM_LENGTH; 791 792 buf[0] = SSL3_SESSIONID_BYTES; 793 bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES); 794 buf += SSL3_SESSIONID_BYTES + 1; 795 796 buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff; 797 buf[1] = ssl->pending_cipher_suite & 0xff; 798 799 buf[2] = 0; /* No compression */ 800 801 mp->b_wptr = buf + 3; 802 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 803 804 kssl_update_handshake_hashes(ssl, msgstart, KSSL_SSL3_SH_RECLEN); 805 return (0); 806 } 807 808 static void 809 kssl_get_hello_random(uchar_t *buf) 810 { 811 timestruc_t ts; 812 time_t sec; 813 814 gethrestime(&ts); 815 sec = ts.tv_sec; 816 817 buf[0] = (sec >> 24) & 0xff; 818 buf[1] = (sec >> 16) & 0xff; 819 buf[2] = (sec >> 8) & 0xff; 820 buf[3] = (sec) & 0xff; 821 822 (void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4); 823 824 /* Should this be caching? */ 825 } 826 827 static int 828 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key, 829 size_t hashlen, 830 uchar_t *label, size_t label_len, 831 uchar_t *seed, size_t seedlen, 832 uchar_t *data, size_t datalen) 833 { 834 int rv = 0; 835 uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN]; 836 int bytes_left = datalen; 837 crypto_data_t dd, mac; 838 crypto_context_t ctx; 839 840 dd.cd_format = CRYPTO_DATA_RAW; 841 dd.cd_offset = 0; 842 mac.cd_format = CRYPTO_DATA_RAW; 843 mac.cd_offset = 0; 844 845 /* 846 * A(i) = HMAC_hash(secred, seed + A(i-1)); 847 * A(0) = seed; 848 * 849 * Compute A(1): 850 * A(1) = HMAC_hash(secret, label + seed) 851 * 852 */ 853 HMAC_INIT(mech, key, &ctx); 854 HMAC_UPDATE(ctx, label, label_len); 855 HMAC_UPDATE(ctx, seed, seedlen); 856 HMAC_FINAL(ctx, A1, hashlen); 857 858 /* Compute A(2) ... A(n) */ 859 while (bytes_left > 0) { 860 HMAC_INIT(mech, key, &ctx); 861 HMAC_UPDATE(ctx, A1, hashlen); 862 HMAC_UPDATE(ctx, label, label_len); 863 HMAC_UPDATE(ctx, seed, seedlen); 864 HMAC_FINAL(ctx, result, hashlen); 865 866 /* 867 * The A(i) value is stored in "result". 868 * Save the results of the MAC so it can be input to next 869 * iteration. 870 */ 871 if (bytes_left > hashlen) { 872 /* Store the chunk result */ 873 bcopy(result, data, hashlen); 874 data += hashlen; 875 876 bytes_left -= hashlen; 877 878 /* Update A1 for next iteration */ 879 HMAC_INIT(mech, key, &ctx); 880 HMAC_UPDATE(ctx, A1, hashlen); 881 HMAC_FINAL(ctx, A1, hashlen); 882 883 } else { 884 bcopy(result, data, bytes_left); 885 data += bytes_left; 886 bytes_left = 0; 887 } 888 } 889 end: 890 if (CRYPTO_ERR(rv)) { 891 DTRACE_PROBE1(kssl_err__crypto_mac_error, int, rv); 892 KSSL_COUNTER(compute_mac_failure, 1); 893 } 894 return (rv); 895 } 896 897 /* ARGSUSED */ 898 static int 899 kssl_tls_PRF(ssl_t *ssl, 900 uchar_t *secret, size_t secret_len, 901 uchar_t *label, size_t label_len, 902 uchar_t *seed, size_t seed_len, 903 uchar_t *prfresult, size_t prfresult_len) 904 { 905 /* 906 * RFC 2246: 907 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR 908 * P_SHA1(S2, label + seed); 909 * S1 = 1st half of secret. 910 * S1 = 2nd half of secret. 911 * 912 */ 913 914 int rv = 0, i; 915 uchar_t psha1[MAX_KEYBLOCK_LENGTH]; 916 crypto_key_t S1, S2; 917 918 /* length of secret keys is ceil(length/2) */ 919 size_t slen = roundup(secret_len, 2) / 2; 920 921 if (prfresult_len > MAX_KEYBLOCK_LENGTH) { 922 DTRACE_PROBE1(kssl_err__unexpected_keyblock_size, 923 size_t, prfresult_len); 924 return (CRYPTO_ARGUMENTS_BAD); 925 } 926 927 ASSERT(prfresult != NULL); 928 ASSERT(label != NULL); 929 ASSERT(seed != NULL); 930 931 S1.ck_data = secret; 932 S1.ck_length = slen * 8; /* bits */ 933 S1.ck_format = CRYPTO_KEY_RAW; 934 935 S2.ck_data = secret + slen; 936 S2.ck_length = slen * 8; /* bits */ 937 S2.ck_format = CRYPTO_KEY_RAW; 938 939 rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN, 940 label, label_len, 941 seed, seed_len, 942 prfresult, prfresult_len); 943 if (CRYPTO_ERR(rv)) 944 goto end; 945 946 rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN, 947 label, label_len, 948 seed, seed_len, 949 psha1, prfresult_len); 950 if (CRYPTO_ERR(rv)) 951 goto end; 952 953 for (i = 0; i < prfresult_len; i++) 954 prfresult[i] ^= psha1[i]; 955 956 end: 957 if (CRYPTO_ERR(rv)) 958 bzero(prfresult, prfresult_len); 959 960 return (rv); 961 } 962 963 #define IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl) \ 964 (pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN || \ 965 pms[0] != ssl->major_version || pms[1] != ssl->minor_version) 966 967 #define FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) { \ 968 KSSL_COUNTER(bad_pre_master_secret, 1); \ 969 pms = buf; \ 970 pmslen = SSL3_PRE_MASTER_SECRET_LEN; \ 971 pms[0] = ssl->major_version; \ 972 pms[1] = ssl->minor_version; \ 973 (void) random_get_pseudo_bytes(&buf[2], pmslen - 2); \ 974 } 975 976 static int 977 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 978 { 979 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 980 uchar_t seed[SSL3_RANDOM_LENGTH * 2]; 981 982 /* 983 * Computing the master secret: 984 * ---------------------------- 985 * master_secret = PRF (pms, "master secret", 986 * ClientHello.random + ServerHello.random); 987 */ 988 bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH); 989 bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH, 990 SSL3_RANDOM_LENGTH); 991 992 /* if pms is bad fake it to thwart Bleichenbacher attack */ 993 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) { 994 DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack); 995 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf); 996 } 997 998 return (kssl_tls_PRF(ssl, 999 pms, pmslen, 1000 (uchar_t *)TLS_MASTER_SECRET_LABEL, 1001 (size_t)strlen(TLS_MASTER_SECRET_LABEL), 1002 seed, sizeof (seed), 1003 ssl->sid.master_secret, 1004 (size_t)sizeof (ssl->sid.master_secret))); 1005 } 1006 1007 1008 static void 1009 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 1010 { 1011 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 1012 uchar_t *ms; 1013 int hlen = MD5_HASH_LEN; 1014 1015 ms = ssl->sid.master_secret; 1016 1017 /* if pms is bad fake it to thwart Bleichenbacher attack */ 1018 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) { 1019 DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack); 1020 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf); 1021 } 1022 1023 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0); 1024 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0); 1025 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen, 1026 0); 1027 } 1028 1029 static int 1030 kssl_generate_tls_keyblock(ssl_t *ssl) 1031 { 1032 uchar_t seed[2 * SSL3_RANDOM_LENGTH]; 1033 1034 bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH); 1035 bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH, 1036 SSL3_RANDOM_LENGTH); 1037 1038 return (kssl_tls_PRF(ssl, ssl->sid.master_secret, 1039 (size_t)SSL3_MASTER_SECRET_LEN, 1040 (uchar_t *)TLS_KEY_EXPANSION_LABEL, 1041 (size_t)strlen(TLS_KEY_EXPANSION_LABEL), 1042 seed, (size_t)sizeof (seed), 1043 ssl->pending_keyblock, 1044 (size_t)ssl->pending_keyblksz)); 1045 1046 } 1047 1048 static void 1049 kssl_generate_keyblock(ssl_t *ssl) 1050 { 1051 uchar_t *ms; 1052 size_t mslen = SSL3_MASTER_SECRET_LEN; 1053 int hlen = MD5_HASH_LEN; 1054 uchar_t *keys = ssl->pending_keyblock; 1055 int steps = howmany(ssl->pending_keyblksz, hlen); 1056 int i; 1057 1058 ms = ssl->sid.master_secret; 1059 1060 ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH); 1061 1062 for (i = 1; i <= steps; i++) { 1063 kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1); 1064 keys += hlen; 1065 } 1066 } 1067 1068 static char *ssl3_key_derive_seeds[9] = {"A", "BB", "CCC", "DDDD", "EEEEE", 1069 "FFFFFF", "GGGGGGG", "HHHHHHHH", "IIIIIIIII"}; 1070 1071 static void 1072 kssl_ssl3_key_material_derive_step( 1073 ssl_t *ssl, 1074 uchar_t *secret, 1075 size_t secretlen, 1076 int step, 1077 uchar_t *dst, 1078 int sr_first) 1079 { 1080 SHA1_CTX sha1, *sha1ctx; 1081 MD5_CTX md5, *md5ctx; 1082 uchar_t sha1_hash[SHA1_HASH_LEN]; 1083 1084 sha1ctx = &sha1; 1085 md5ctx = &md5; 1086 1087 ASSERT(step <= 1088 sizeof (ssl3_key_derive_seeds) / 1089 sizeof (ssl3_key_derive_seeds[0])); 1090 step--; 1091 1092 SHA1Init(sha1ctx); 1093 SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step], 1094 step + 1); 1095 SHA1Update(sha1ctx, secret, secretlen); 1096 if (sr_first) { 1097 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1098 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1099 } else { 1100 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1101 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1102 } 1103 SHA1Final(sha1_hash, sha1ctx); 1104 1105 MD5Init(md5ctx); 1106 MD5Update(md5ctx, secret, secretlen); 1107 MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN); 1108 MD5Final(dst, md5ctx); 1109 } 1110 1111 static int 1112 kssl_send_certificate_and_server_hello_done(ssl_t *ssl) 1113 { 1114 int cur_reclen; 1115 int mss; 1116 int len, copylen; 1117 mblk_t *mp; 1118 uchar_t *cert_buf; 1119 int cert_len; 1120 uchar_t *msgbuf; 1121 Certificate_t *cert; 1122 1123 cert = ssl->kssl_entry->ke_server_certificate; 1124 if (cert == NULL) { 1125 return (ENOENT); 1126 } 1127 cert_buf = cert->msg; 1128 cert_len = cert->len; 1129 1130 mp = ssl->handshake_sendbuf; 1131 mss = ssl->tcp_mss; 1132 ASSERT(mp != NULL); 1133 cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN; 1134 ASSERT(cur_reclen == KSSL_SSL3_SH_RECLEN); 1135 /* Assume MSS is at least 80 bytes */ 1136 ASSERT(mss > cur_reclen + SSL3_HDR_LEN); 1137 ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */ 1138 1139 copylen = mss - (cur_reclen + SSL3_HDR_LEN); 1140 len = cert_len; 1141 copylen = MIN(copylen, len); 1142 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1143 1144 /* new record always starts in a new mblk for simplicity */ 1145 msgbuf = cert_buf; 1146 for (;;) { 1147 ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim); 1148 bcopy(msgbuf, mp->b_wptr, copylen); 1149 msgbuf += copylen; 1150 mp->b_wptr += copylen; 1151 cur_reclen += copylen; 1152 len -= copylen; 1153 if (len == 0) { 1154 break; 1155 } 1156 if (cur_reclen == SSL3_MAX_RECORD_LENGTH) { 1157 cur_reclen = 0; 1158 } 1159 copylen = MIN(len, mss); 1160 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1161 mp->b_cont = allocb(copylen, BPRI_HI); 1162 if (mp->b_cont == NULL) { 1163 KSSL_COUNTER(alloc_fails, 1); 1164 freemsg(ssl->handshake_sendbuf); 1165 ssl->handshake_sendbuf = NULL; 1166 return (ENOMEM); 1167 } 1168 mp = mp->b_cont; 1169 if (cur_reclen == 0) { 1170 mp->b_wptr[0] = content_handshake; 1171 mp->b_wptr[1] = ssl->major_version; 1172 mp->b_wptr[2] = ssl->minor_version; 1173 cur_reclen = MIN(len, SSL3_MAX_RECORD_LENGTH); 1174 mp->b_wptr[3] = (cur_reclen >> 8) & 0xff; 1175 mp->b_wptr[4] = (cur_reclen) & 0xff; 1176 mp->b_wptr += SSL3_HDR_LEN; 1177 cur_reclen = 0; 1178 copylen = MIN(copylen, mss - SSL3_HDR_LEN); 1179 } 1180 } 1181 1182 /* adjust the record length field for the first record */ 1183 mp = ssl->handshake_sendbuf; 1184 cur_reclen = MIN(KSSL_SSL3_SH_RECLEN + cert_len, 1185 SSL3_MAX_RECORD_LENGTH); 1186 mp->b_rptr[3] = (cur_reclen >> 8) & 0xff; 1187 mp->b_rptr[4] = (cur_reclen) & 0xff; 1188 1189 kssl_update_handshake_hashes(ssl, cert_buf, cert_len); 1190 1191 return (0); 1192 } 1193 1194 static int 1195 kssl_send_change_cipher_specs(ssl_t *ssl) 1196 { 1197 mblk_t *mp, *newmp; 1198 uchar_t *buf; 1199 1200 mp = ssl->handshake_sendbuf; 1201 1202 /* We're most likely to hit the fast path for resumed sessions */ 1203 if ((mp != NULL) && 1204 (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) { 1205 buf = mp->b_wptr; 1206 } else { 1207 newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI); 1208 1209 if (newmp == NULL) 1210 return (ENOMEM); /* need to do better job! */ 1211 1212 if (mp == NULL) { 1213 ssl->handshake_sendbuf = newmp; 1214 } else { 1215 linkb(ssl->handshake_sendbuf, newmp); 1216 } 1217 mp = newmp; 1218 buf = mp->b_rptr; 1219 } 1220 1221 /* 5 byte record header */ 1222 buf[0] = content_change_cipher_spec; 1223 buf[1] = ssl->major_version; 1224 buf[2] = ssl->minor_version; 1225 buf[3] = 0; 1226 buf[4] = 1; 1227 buf += SSL3_HDR_LEN; 1228 1229 buf[0] = 1; 1230 1231 mp->b_wptr = buf + 1; 1232 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 1233 1234 ssl->seq_num[KSSL_WRITE] = 0; 1235 return (kssl_spec_init(ssl, KSSL_WRITE)); 1236 } 1237 1238 int 1239 kssl_spec_init(ssl_t *ssl, int dir) 1240 { 1241 KSSL_HASHCTX *ctx; 1242 KSSLCipherSpec *spec = &ssl->spec[dir]; 1243 int ret = 0; 1244 1245 spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz; 1246 spec->mac_padsz = mac_defs[ssl->pending_malg].padsz; 1247 1248 spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit; 1249 spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate; 1250 spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal; 1251 1252 if (dir == KSSL_READ) { 1253 bcopy(ssl->pending_keyblock, ssl->mac_secret[dir], 1254 spec->mac_hashsz); 1255 } else { 1256 bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]), 1257 ssl->mac_secret[dir], spec->mac_hashsz); 1258 } 1259 1260 /* Pre-compute these here. will save cycles on each record later */ 1261 if (!IS_TLS(ssl)) { 1262 ctx = &ssl->mac_ctx[dir][0]; 1263 spec->MAC_HashInit((void *)ctx); 1264 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1265 spec->mac_hashsz); 1266 spec->MAC_HashUpdate((void *)ctx, kssl_pad_1, 1267 spec->mac_padsz); 1268 1269 ctx = &ssl->mac_ctx[dir][1]; 1270 spec->MAC_HashInit((void *)ctx); 1271 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1272 spec->mac_hashsz); 1273 spec->MAC_HashUpdate((void *)ctx, kssl_pad_2, 1274 spec->mac_padsz); 1275 } 1276 1277 spec->cipher_type = cipher_defs[ssl->pending_calg].type; 1278 spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type; 1279 spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize; 1280 spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz; 1281 1282 if (spec->cipher_ctx != NULL) { 1283 crypto_cancel_ctx(spec->cipher_ctx); 1284 spec->cipher_ctx = 0; 1285 } 1286 1287 /* 1288 * Initialize HMAC keys for TLS and SSL3 HMAC keys 1289 * for SSL 3.0. 1290 */ 1291 if (IS_TLS(ssl)) { 1292 if (ssl->pending_malg == mac_md5) { 1293 spec->hmac_mech = hmac_md5_mech; 1294 } else if (ssl->pending_malg == mac_sha) { 1295 spec->hmac_mech = hmac_sha1_mech; 1296 } 1297 1298 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1299 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1300 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1301 } else { 1302 static uint32_t param; 1303 1304 spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID; 1305 spec->hmac_mech.cm_param = (caddr_t)¶m; 1306 spec->hmac_mech.cm_param_len = sizeof (param); 1307 if (ssl->pending_malg == mac_md5) { 1308 spec->hmac_mech.cm_type = 1309 crypto_mech2id("CKM_SSL3_MD5_MAC"); 1310 param = MD5_HASH_LEN; 1311 } else if (ssl->pending_malg == mac_sha) { 1312 spec->hmac_mech.cm_type = 1313 crypto_mech2id("CKM_SSL3_SHA1_MAC"); 1314 param = SHA1_HASH_LEN; 1315 } 1316 1317 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1318 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1319 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1320 } 1321 1322 /* We're done if this is the nil cipher */ 1323 if (spec->cipher_keysz == 0) { 1324 return (0); 1325 } 1326 1327 /* Initialize the key and the active context */ 1328 spec->cipher_key.ck_format = CRYPTO_KEY_RAW; 1329 spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */ 1330 1331 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1332 /* client_write_IV */ 1333 spec->cipher_mech.cm_param = 1334 (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz + 1335 2 * spec->cipher_keysz]); 1336 spec->cipher_mech.cm_param_len = spec->cipher_bsize; 1337 } 1338 spec->cipher_data.cd_format = CRYPTO_DATA_RAW; 1339 if (dir == KSSL_READ) { 1340 spec->cipher_mech.cm_param_len = 1341 cipher_defs[ssl->pending_calg].bsize; 1342 1343 /* client_write_key */ 1344 spec->cipher_key.ck_data = 1345 &(ssl->pending_keyblock[2 * spec->mac_hashsz]); 1346 1347 ret = crypto_decrypt_init(&(spec->cipher_mech), 1348 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1349 if (CRYPTO_ERR(ret)) { 1350 DTRACE_PROBE1(kssl_err__crypto_decrypt_init_read, 1351 int, ret); 1352 } 1353 } else { 1354 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1355 spec->cipher_mech.cm_param += spec->cipher_bsize; 1356 } 1357 /* server_write_key */ 1358 spec->cipher_key.ck_data = 1359 &(ssl->pending_keyblock[2 * spec->mac_hashsz + 1360 spec->cipher_keysz]); 1361 1362 ret = crypto_encrypt_init(&(spec->cipher_mech), 1363 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1364 if (CRYPTO_ERR(ret)) 1365 DTRACE_PROBE1(kssl_err__crypto_encrypt_init_non_read, 1366 int, ret); 1367 } 1368 return (ret); 1369 } 1370 1371 static int 1372 kssl_send_finished(ssl_t *ssl, int update_hsh) 1373 { 1374 mblk_t *mp; 1375 uchar_t *buf; 1376 uchar_t *rstart; 1377 uchar_t *versionp; 1378 SSL3Hashes ssl3hashes; 1379 size_t finish_len; 1380 int ret = 0; 1381 1382 mp = ssl->handshake_sendbuf; 1383 ASSERT(mp != NULL); 1384 buf = mp->b_wptr; 1385 ASSERT(buf - mp->b_rptr == SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN + 1386 SSL3_HDR_LEN + 1 || buf - mp->b_rptr == SSL3_HDR_LEN + 1); 1387 1388 rstart = buf; 1389 1390 if (IS_TLS(ssl)) 1391 finish_len = TLS_FINISHED_SIZE; 1392 else 1393 finish_len = KSSL_SSL3_FIN_MSGLEN; 1394 1395 /* 5 byte record header */ 1396 buf[0] = content_handshake; 1397 buf[1] = ssl->major_version; 1398 buf[2] = ssl->minor_version; 1399 buf[3] = 0; 1400 buf[4] = 4 + finish_len; 1401 1402 versionp = &buf[1]; 1403 1404 buf += SSL3_HDR_LEN; 1405 1406 /* 4 byte message header */ 1407 buf[0] = (uchar_t)finished; /* message type */ 1408 buf[1] = 0; /* message len byte 0 */ 1409 buf[2] = 0; /* message len byte 1 */ 1410 buf[3] = finish_len; /* message len byte 2 */ 1411 buf += 4; 1412 1413 if (IS_TLS(ssl)) { 1414 bcopy(ssl->hs_hashes.md5, ssl3hashes.md5, 1415 sizeof (ssl3hashes.md5)); 1416 bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1, 1417 sizeof (ssl3hashes.sha1)); 1418 } 1419 1420 /* Compute hashes for the SENDER side */ 1421 ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server); 1422 if (ret != 0) 1423 return (ret); 1424 1425 if (IS_TLS(ssl)) { 1426 bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash)); 1427 } else { 1428 bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN); 1429 bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN); 1430 } 1431 1432 if (update_hsh) { 1433 kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4); 1434 } 1435 1436 mp->b_wptr = buf + finish_len; 1437 1438 ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp, 1439 rstart, mp); 1440 ASSERT(mp->b_wptr <= mp->b_datap->db_lim); 1441 1442 return (ret); 1443 } 1444 1445 int 1446 kssl_mac_encrypt_record(ssl_t *ssl, 1447 SSL3ContentType ct, 1448 uchar_t *versionp, 1449 uchar_t *rstart, 1450 mblk_t *mp) 1451 { 1452 KSSLCipherSpec *spec; 1453 int mac_sz; 1454 int ret = 0; 1455 uint16_t rec_sz; 1456 int pad_sz; 1457 int i; 1458 1459 ASSERT(ssl != NULL); 1460 ASSERT(rstart >= mp->b_rptr); 1461 ASSERT(rstart < mp->b_wptr); 1462 1463 spec = &ssl->spec[KSSL_WRITE]; 1464 mac_sz = spec->mac_hashsz; 1465 1466 rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN; 1467 ASSERT(rec_sz > 0); 1468 1469 if (mac_sz != 0) { 1470 ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim); 1471 ret = kssl_compute_record_mac(ssl, KSSL_WRITE, 1472 ssl->seq_num[KSSL_WRITE], ct, versionp, 1473 rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr); 1474 if (ret == CRYPTO_SUCCESS) { 1475 ssl->seq_num[KSSL_WRITE]++; 1476 mp->b_wptr += mac_sz; 1477 rec_sz += mac_sz; 1478 } else { 1479 return (ret); 1480 } 1481 } 1482 1483 if (spec->cipher_type == type_block) { 1484 pad_sz = spec->cipher_bsize - 1485 (rec_sz & (spec->cipher_bsize - 1)); 1486 ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim); 1487 for (i = 0; i < pad_sz; i++) { 1488 mp->b_wptr[i] = pad_sz - 1; 1489 } 1490 mp->b_wptr += pad_sz; 1491 rec_sz += pad_sz; 1492 } 1493 1494 ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH); 1495 1496 U16_TO_BE16(rec_sz, rstart + 3); 1497 1498 if (spec->cipher_ctx == 0) 1499 return (ret); 1500 1501 spec->cipher_data.cd_length = rec_sz; 1502 spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN); 1503 spec->cipher_data.cd_raw.iov_len = rec_sz; 1504 /* One record at a time. Otherwise, gotta allocate the crypt_data_t */ 1505 ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data, 1506 NULL, NULL); 1507 if (CRYPTO_ERR(ret)) { 1508 DTRACE_PROBE1(kssl_err__crypto_encrypt_update, 1509 int, ret); 1510 } 1511 return (ret); 1512 } 1513 1514 void 1515 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc) 1516 { 1517 mblk_t *mp; 1518 uchar_t *buf; 1519 KSSLCipherSpec *spec; 1520 1521 ASSERT(ssl != NULL); 1522 1523 ssl->sendalert_level = level; 1524 ssl->sendalert_desc = desc; 1525 1526 if (level == alert_fatal) { 1527 DTRACE_PROBE2(kssl_sending_alert, 1528 SSL3AlertLevel, level, SSL3AlertDescription, desc); 1529 if (ssl->sid.cached == B_TRUE) { 1530 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 1531 ssl->sid.cached = B_FALSE; 1532 } 1533 ssl->fatal_alert = B_TRUE; 1534 KSSL_COUNTER(fatal_alerts, 1); 1535 } else 1536 KSSL_COUNTER(warning_alerts, 1); 1537 1538 spec = &ssl->spec[KSSL_WRITE]; 1539 1540 ASSERT(ssl->alert_sendbuf == NULL); 1541 ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz + 1542 spec->cipher_bsize, BPRI_HI); 1543 if (mp == NULL) { 1544 KSSL_COUNTER(alloc_fails, 1); 1545 return; 1546 } 1547 buf = mp->b_wptr; 1548 1549 /* 5 byte record header */ 1550 buf[0] = content_alert; 1551 buf[1] = ssl->major_version; 1552 buf[2] = ssl->minor_version; 1553 buf[3] = 0; 1554 buf[4] = 2; 1555 buf += SSL3_HDR_LEN; 1556 1557 /* alert contents */ 1558 buf[0] = (uchar_t)level; 1559 buf[1] = (uchar_t)desc; 1560 1561 mp->b_wptr = buf + 2; 1562 } 1563 1564 /* Assumes RSA encryption */ 1565 static int 1566 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen, 1567 kssl_callback_t cbfn, void *arg) 1568 { 1569 char *buf; 1570 uchar_t *pms; 1571 size_t pmslen; 1572 int allocated; 1573 int err, rverr = ENOMEM; 1574 kssl_entry_t *ep; 1575 crypto_key_t *privkey; 1576 crypto_data_t *wrapped_pms_data, *pms_data; 1577 crypto_call_req_t creq, *creqp; 1578 1579 ep = ssl->kssl_entry; 1580 privkey = ep->ke_private_key; 1581 if (privkey == NULL) { 1582 return (ENOENT); 1583 } 1584 1585 ASSERT(ssl->msg.type == client_key_exchange); 1586 ASSERT(ssl->hs_waitstate == wait_client_key); 1587 1588 /* 1589 * TLS adds an extra 2 byte length field before the data. 1590 */ 1591 if (IS_TLS(ssl)) { 1592 msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1]; 1593 mp->b_rptr += 2; 1594 } 1595 1596 /* 1597 * Allocate all we need in one shot. about 300 bytes total, for 1598 * 1024 bit RSA modulus. 1599 * The buffer layout will be: pms_data, wrapped_pms_data, the 1600 * value of the wrapped pms from the client, then room for the 1601 * resulting decrypted premaster secret. 1602 */ 1603 allocated = 2 * (sizeof (crypto_data_t) + msglen); 1604 buf = kmem_alloc(allocated, KM_NOSLEEP); 1605 if (buf == NULL) { 1606 return (ENOMEM); 1607 } 1608 1609 pms_data = (crypto_data_t *)buf; 1610 wrapped_pms_data = &(((crypto_data_t *)buf)[1]); 1611 1612 wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW; 1613 wrapped_pms_data->cd_offset = pms_data->cd_offset = 0; 1614 wrapped_pms_data->cd_length = pms_data->cd_length = msglen; 1615 wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL; 1616 wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen; 1617 wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t); 1618 pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen; 1619 1620 bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen); 1621 mp->b_rptr += msglen; 1622 1623 /* Proceed synchronously if out of interrupt and configured to do so */ 1624 if ((kssl_synchronous) && (!servicing_interrupt())) { 1625 creqp = NULL; 1626 } else { 1627 ssl->cke_callback_func = cbfn; 1628 ssl->cke_callback_arg = arg; 1629 creq.cr_flag = kssl_call_flag; 1630 creq.cr_callback_func = kssl_cke_done; 1631 creq.cr_callback_arg = ssl; 1632 1633 /* The callback routine will release this one */ 1634 KSSL_SSL_REFHOLD(ssl); 1635 1636 creqp = &creq; 1637 } 1638 1639 if (ep->ke_is_nxkey) { 1640 kssl_session_info_t *s; 1641 1642 s = ep->ke_sessinfo; 1643 err = CRYPTO_SUCCESS; 1644 if (!s->is_valid_handle) { 1645 /* Reauthenticate to the provider */ 1646 if (s->do_reauth) { 1647 err = kssl_get_obj_handle(ep); 1648 if (err == CRYPTO_SUCCESS) { 1649 s->is_valid_handle = B_TRUE; 1650 s->do_reauth = B_FALSE; 1651 } 1652 } else 1653 err = CRYPTO_FAILED; 1654 } 1655 1656 if (err == CRYPTO_SUCCESS) { 1657 ASSERT(s->is_valid_handle); 1658 err = crypto_decrypt_prov(s->prov, s->sid, 1659 &rsa_x509_mech, wrapped_pms_data, &s->key, 1660 NULL, pms_data, creqp); 1661 } 1662 1663 /* 1664 * Deal with session specific errors. We translate to 1665 * the closest errno. 1666 */ 1667 switch (err) { 1668 case CRYPTO_KEY_HANDLE_INVALID: 1669 case CRYPTO_SESSION_HANDLE_INVALID: 1670 s->is_valid_handle = B_FALSE; 1671 s->do_reauth = B_TRUE; 1672 rverr = EINVAL; 1673 break; 1674 case CRYPTO_PIN_EXPIRED: 1675 case CRYPTO_PIN_LOCKED: 1676 rverr = EACCES; 1677 break; 1678 case CRYPTO_UNKNOWN_PROVIDER: 1679 rverr = ENXIO; 1680 break; 1681 } 1682 } else { 1683 err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data, 1684 privkey, NULL, pms_data, creqp); 1685 } 1686 1687 switch (err) { 1688 case CRYPTO_SUCCESS: 1689 break; 1690 1691 case CRYPTO_QUEUED: 1692 /* 1693 * Finish the master secret then the rest of key material 1694 * derivation later. 1695 */ 1696 ssl->job.kjob = creq.cr_reqid; 1697 ssl->job.buf = buf; 1698 ssl->job.buflen = allocated; 1699 ssl->hs_waitstate = wait_client_key_done; 1700 return (0); 1701 default: 1702 DTRACE_PROBE1(kssl_err__crypto_decrypt, int, err); 1703 kmem_free(buf, allocated); 1704 return (rverr); 1705 } 1706 1707 pmslen = pms_data->cd_length; 1708 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1709 1710 /* generate master key and save it in the ssl sid structure */ 1711 if (IS_TLS(ssl)) { 1712 err = kssl_generate_tls_ms(ssl, pms, pmslen); 1713 if (!CRYPTO_ERR(err)) 1714 err = kssl_generate_tls_keyblock(ssl); 1715 } else { 1716 kssl_generate_ssl_ms(ssl, pms, pmslen); 1717 kssl_generate_keyblock(ssl); 1718 } 1719 1720 if (err == CRYPTO_SUCCESS) 1721 ssl->hs_waitstate = wait_change_cipher; 1722 1723 ssl->activeinput = B_FALSE; 1724 1725 kmem_free(buf, allocated); 1726 1727 return (0); 1728 } 1729 1730 static int 1731 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen) 1732 { 1733 int err; 1734 size_t finish_len; 1735 int hashcompare; 1736 1737 ASSERT(ssl->msg.type == finished); 1738 ASSERT(ssl->hs_waitstate == wait_finished); 1739 1740 if (IS_TLS(ssl)) 1741 finish_len = TLS_FINISHED_SIZE; 1742 else 1743 finish_len = KSSL_SSL3_FIN_MSGLEN; 1744 1745 if (msglen != finish_len) { 1746 kssl_send_alert(ssl, alert_fatal, illegal_parameter); 1747 return (EBADMSG); 1748 } 1749 1750 if (IS_TLS(ssl)) { 1751 hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash, 1752 finish_len); 1753 } else { 1754 hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len); 1755 } 1756 1757 /* The handshake hashes should be computed by now */ 1758 if (hashcompare != 0) { 1759 kssl_send_alert(ssl, alert_fatal, handshake_failure); 1760 return (EBADMSG); 1761 } 1762 1763 mp->b_rptr += msglen; 1764 1765 ssl->hs_waitstate = idle_handshake; 1766 1767 if (ssl->resumed == B_TRUE) { 1768 ssl->activeinput = B_FALSE; 1769 return (0); 1770 } 1771 1772 err = kssl_send_change_cipher_specs(ssl); 1773 if (err != 0) { 1774 return (err); 1775 } 1776 err = kssl_send_finished(ssl, 0); 1777 if (err != 0) { 1778 return (err); 1779 } 1780 1781 ASSERT(ssl->sid.cached == B_FALSE); 1782 ssl->sid.cached = B_TRUE; 1783 kssl_cache_sid(&ssl->sid, ssl->kssl_entry); 1784 ssl->activeinput = B_FALSE; 1785 1786 return (0); 1787 } 1788 1789 #define KSSL2_CH_MIN_RECSZ (9) 1790 1791 /* 1792 * This method is needed to handle clients which send the 1793 * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers. 1794 * We are not really doing SSLv2 here, just handling the header 1795 * and then switching to SSLv3. 1796 */ 1797 int 1798 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz) 1799 { 1800 uchar_t *recend; 1801 int err; 1802 SSL3AlertDescription desc = illegal_parameter; 1803 uint_t randlen; 1804 uint_t sidlen; 1805 uint_t nsuites; 1806 uchar_t *suitesp; 1807 uchar_t *rand; 1808 uint_t i, j; 1809 uint16_t suite; 1810 int ch_recsz = KSSL2_CH_MIN_RECSZ; 1811 1812 ASSERT(mp->b_wptr >= mp->b_rptr + recsz); 1813 ASSERT(ssl->hs_waitstate == wait_client_hello); 1814 ASSERT(ssl->resumed == B_FALSE); 1815 1816 if (recsz < ch_recsz) { 1817 goto falert; 1818 } 1819 1820 MD5Init(&ssl->hs_md5); 1821 SHA1Init(&ssl->hs_sha1); 1822 1823 kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz); 1824 1825 recend = mp->b_rptr + recsz; 1826 1827 if (*mp->b_rptr != 1) { 1828 goto falert; 1829 } 1830 mp->b_rptr += 3; 1831 1832 nsuites = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 1833 sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3]; 1834 randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5]; 1835 if (nsuites % 3 != 0) { 1836 DTRACE_PROBE1(kssl_err__nsuites_error, uint_t, nsuites); 1837 goto falert; 1838 } 1839 if (randlen < SSL_MIN_CHALLENGE_BYTES || 1840 randlen > SSL_MAX_CHALLENGE_BYTES) { 1841 DTRACE_PROBE1(kssl_err__randlen_out_of_range, 1842 uint_t, randlen); 1843 goto falert; 1844 } 1845 mp->b_rptr += 6; 1846 ch_recsz += nsuites + sidlen + randlen; 1847 if (recsz != ch_recsz) { 1848 goto falert; 1849 } 1850 suitesp = mp->b_rptr; 1851 rand = suitesp + nsuites + sidlen; 1852 if (randlen < SSL3_RANDOM_LENGTH) { 1853 bzero(ssl->client_random, SSL3_RANDOM_LENGTH); 1854 } 1855 bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen], 1856 randlen); 1857 1858 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 1859 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 1860 for (j = 0; j < nsuites; j += 3) { 1861 if (suitesp[j] != 0) { 1862 continue; 1863 } 1864 1865 if (suitesp[j + 1] == ((suite >> 8) & 0xff) && 1866 suitesp[j + 2] == (suite & 0xff)) { 1867 break; 1868 } 1869 } 1870 if (j < nsuites) { 1871 break; 1872 } 1873 } 1874 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 1875 DTRACE_PROBE(kssl_err__no_SSLv2_cipher_suite); 1876 ssl->activeinput = B_FALSE; 1877 return (SSL_MISS); 1878 } 1879 1880 mp->b_rptr = recend; 1881 1882 for (i = 0; i < cipher_suite_defs_nentries; i++) { 1883 if (suite == cipher_suite_defs[i].suite) { 1884 break; 1885 } 1886 } 1887 1888 ASSERT(i < cipher_suite_defs_nentries); 1889 1890 ssl->pending_cipher_suite = suite; 1891 ssl->pending_malg = cipher_suite_defs[i].malg; 1892 ssl->pending_calg = cipher_suite_defs[i].calg; 1893 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 1894 1895 ASSERT(ssl->sid.cached == B_FALSE); 1896 1897 (void) random_get_pseudo_bytes(ssl->sid.session_id, 1898 SSL3_SESSIONID_BYTES); 1899 ssl->sid.client_addr = ssl->faddr; 1900 ssl->sid.cipher_suite = suite; 1901 1902 err = kssl_send_server_hello(ssl); 1903 if (err != 0) { 1904 return (err); 1905 } 1906 err = kssl_send_certificate_and_server_hello_done(ssl); 1907 if (err != 0) { 1908 return (err); 1909 } 1910 KSSL_COUNTER(full_handshakes, 1); 1911 ssl->hs_waitstate = wait_client_key; 1912 ssl->activeinput = B_FALSE; 1913 return (0); 1914 1915 falert: 1916 kssl_send_alert(ssl, alert_fatal, desc); 1917 ssl->activeinput = B_FALSE; 1918 return (EBADMSG); 1919 } 1920 1921 /* 1922 * Call back routine for asynchronously submitted RSA decryption jobs. 1923 * The routine retreived the pre-master secret, and proceeds to generate 1924 * the remaining key materials. 1925 */ 1926 static void 1927 kssl_cke_done(void *arg, int status) 1928 { 1929 int ret = 0; 1930 uchar_t *pms; 1931 size_t pmslen; 1932 crypto_data_t *pms_data; 1933 kssl_cmd_t kssl_cmd = KSSL_CMD_NONE; 1934 ssl_t *ssl = (ssl_t *)arg; 1935 mblk_t *alertmp; 1936 kssl_callback_t cbfn; 1937 void *cbarg; 1938 1939 mutex_enter(&ssl->kssl_lock); 1940 1941 ASSERT(ssl->msg.type == client_key_exchange); 1942 ASSERT(ssl->hs_waitstate == wait_client_key_done); 1943 1944 if (status != CRYPTO_SUCCESS) { 1945 kssl_send_alert(ssl, alert_fatal, decrypt_error); 1946 kssl_cmd = KSSL_CMD_SEND; 1947 goto out; 1948 } 1949 1950 pms_data = (crypto_data_t *)(ssl->job.buf); 1951 1952 ASSERT(pms_data != NULL); 1953 1954 pmslen = pms_data->cd_length; 1955 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1956 1957 /* generate master key and save it in the ssl sid structure */ 1958 if (IS_TLS(ssl)) { 1959 ret = kssl_generate_tls_ms(ssl, pms, pmslen); 1960 if (!CRYPTO_ERR(ret)) 1961 ret = kssl_generate_tls_keyblock(ssl); 1962 } else { 1963 kssl_generate_ssl_ms(ssl, pms, pmslen); 1964 kssl_generate_keyblock(ssl); 1965 } 1966 1967 if (ret == CRYPTO_SUCCESS) 1968 ssl->hs_waitstate = wait_change_cipher; 1969 1970 out: 1971 kmem_free(ssl->job.buf, ssl->job.buflen); 1972 1973 ssl->job.kjob = 0; 1974 ssl->job.buf = NULL; 1975 ssl->job.buflen = 0; 1976 1977 ssl->activeinput = B_FALSE; 1978 1979 /* If we're the only ones left, then we won't callback */ 1980 if (ssl->kssl_refcnt == 1) { 1981 mutex_exit(&ssl->kssl_lock); 1982 KSSL_SSL_REFRELE(ssl); 1983 return; 1984 } 1985 1986 cbfn = ssl->cke_callback_func; 1987 cbarg = ssl->cke_callback_arg; 1988 alertmp = ssl->alert_sendbuf; 1989 ssl->alert_sendbuf = NULL; 1990 1991 mutex_exit(&ssl->kssl_lock); 1992 1993 KSSL_SSL_REFRELE(ssl); 1994 1995 /* Now call the callback routine */ 1996 (*(cbfn))(cbarg, alertmp, kssl_cmd); 1997 } 1998 1999 /* 2000 * Returns the first complete contiguous record out of rec_ass_head 2001 * The record is returned in a separate contiguous mblk, rec_ass_head is 2002 * left pointing to the next record in the queue. 2003 * 2004 * The output looks as follows: 2005 * 2006 * |--------|---------- .... -----|<---------->|<----------->|--- ... ---| 2007 * ^ ^ ^ mac_size pad_size ^ 2008 * | |___ b_rptr b_wptr __| | 2009 * | | 2010 * |___ db_base db_lim ___| 2011 */ 2012 mblk_t * 2013 kssl_get_next_record(ssl_t *ssl) 2014 { 2015 mblk_t *mp, *retmp; 2016 int rhsz = SSL3_HDR_LEN; 2017 uint16_t rec_sz; 2018 int mpsz, total_size; 2019 SSL3ContentType content_type; 2020 2021 ASSERT(MUTEX_HELD(&ssl->kssl_lock)); 2022 2023 mp = ssl->rec_ass_head; 2024 if (mp == NULL) 2025 return (NULL); 2026 2027 /* Fast path: when mp has at least a complete record */ 2028 if (MBLKL(mp) < rhsz) { 2029 DTRACE_PROBE1(kssl_mblk__incomplete_header, 2030 mblk_t *, mp); 2031 /* Not even a complete header in there yet */ 2032 if (msgdsize(mp) < rhsz) { 2033 return (NULL); 2034 } 2035 2036 if (!pullupmsg(mp, rhsz)) { 2037 kssl_send_alert(ssl, alert_fatal, internal_error); 2038 freemsg(mp); 2039 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2040 return (NULL); 2041 } 2042 } 2043 content_type = (SSL3ContentType)mp->b_rptr[0]; 2044 if (content_type == content_handshake_v2) { 2045 DTRACE_PROBE1(kssl_mblk__ssl_v2, mblk_t *, mp); 2046 rec_sz = (uint16_t)mp->b_rptr[1]; 2047 rhsz = 2; 2048 } else { 2049 DTRACE_PROBE1(kssl_mblk__ssl_v3, mblk_t *, mp); 2050 uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3; 2051 rec_sz = BE16_TO_U16(rec_sz_p); 2052 } 2053 2054 /* 2055 * same tests as above. Only rare very fragmented cases will 2056 * incur the cost of msgdsize() and msgpullup(). Well formed 2057 * packets will fall in the most frequent fast path. 2058 */ 2059 total_size = rhsz + rec_sz; 2060 2061 /* 2062 * Missing: defensive against record fabricated with longer than 2063 * MAX record length. 2064 */ 2065 if (MBLKL(mp) < total_size) { 2066 DTRACE_PROBE2(kssl_mblk__smaller_than_total_size, 2067 mblk_t *, mp, int, total_size); 2068 /* Not a complete record yet. Keep accumulating */ 2069 if (msgdsize(mp) < total_size) { 2070 return (NULL); 2071 } 2072 2073 if (!pullupmsg(mp, total_size)) { 2074 kssl_send_alert(ssl, alert_fatal, internal_error); 2075 freemsg(mp); 2076 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2077 return (NULL); 2078 } 2079 } 2080 mpsz = MBLKL(mp); /* could've changed after the pullup */ 2081 2082 if (mpsz > total_size) { 2083 DTRACE_PROBE2(kssl_mblk__bigger_than_total_size, 2084 mblk_t *, mp, int, total_size); 2085 /* gotta allocate a new block */ 2086 if ((retmp = dupb(mp)) == NULL) { 2087 kssl_send_alert(ssl, alert_fatal, internal_error); 2088 freemsg(mp); 2089 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2090 return (NULL); 2091 } 2092 2093 retmp->b_wptr = retmp->b_rptr + total_size; 2094 mp->b_rptr += total_size; 2095 ssl->rec_ass_head = mp; 2096 } else { 2097 DTRACE_PROBE2(kssl_mblk__equal_to_total_size, 2098 mblk_t *, mp, int, total_size); 2099 ASSERT(mpsz == total_size); 2100 ssl->rec_ass_head = mp->b_cont; 2101 mp->b_cont = NULL; 2102 retmp = mp; 2103 } 2104 /* Adjust the tail */ 2105 if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) { 2106 for (; mp->b_cont != NULL; mp = mp->b_cont) { 2107 ssl->rec_ass_tail = mp->b_cont; 2108 } 2109 } 2110 2111 return (retmp); 2112 } 2113 2114 2115 static void 2116 kssl_mblksfree(ssl_t *ssl) 2117 { 2118 2119 ASSERT(ssl != NULL); 2120 2121 if (ssl->rec_ass_head != NULL) { 2122 freemsg(ssl->rec_ass_head); 2123 } 2124 ssl->rec_ass_head = NULL; 2125 ssl->rec_ass_tail = NULL; 2126 2127 if (ssl->msg.head != NULL) { 2128 freemsg(ssl->msg.head); 2129 } 2130 ssl->msg.head = NULL; 2131 ssl->msg.tail = NULL; 2132 2133 if (ssl->handshake_sendbuf != NULL) { 2134 freemsg(ssl->handshake_sendbuf); 2135 ssl->handshake_sendbuf = NULL; 2136 } 2137 if (ssl->alert_sendbuf != NULL) { 2138 freemsg(ssl->alert_sendbuf); 2139 ssl->alert_sendbuf = NULL; 2140 } 2141 } 2142 2143 static void 2144 kssl_specsfree(ssl_t *ssl) 2145 { 2146 KSSLCipherSpec *spec = &ssl->spec[KSSL_READ]; 2147 2148 if (spec->cipher_ctx != NULL) { 2149 crypto_cancel_ctx(spec->cipher_ctx); 2150 spec->cipher_ctx = 0; 2151 } 2152 2153 spec = &ssl->spec[KSSL_WRITE]; 2154 2155 if (spec->cipher_ctx != NULL) { 2156 crypto_cancel_ctx(spec->cipher_ctx); 2157 spec->cipher_ctx = 0; 2158 } 2159 } 2160 2161 /* 2162 * Frees the ssl structure (aka the context of an SSL session). 2163 * Any pending crypto jobs are cancelled. 2164 * Any initiated crypto contexts are freed as well. 2165 */ 2166 void 2167 kssl_free_context(ssl_t *ssl) 2168 { 2169 ASSERT(ssl != NULL); 2170 if (!(MUTEX_HELD(&ssl->kssl_lock))) { 2171 /* we're coming from an external API entry point */ 2172 mutex_enter(&ssl->kssl_lock); 2173 } 2174 2175 if (ssl->job.kjob != NULL) { 2176 crypto_cancel_req(ssl->job.kjob); 2177 kmem_free(ssl->job.buf, ssl->job.buflen); 2178 2179 ssl->job.kjob = 0; 2180 ssl->job.buf = NULL; 2181 ssl->job.buflen = 0; 2182 } 2183 2184 kssl_mblksfree(ssl); 2185 kssl_specsfree(ssl); 2186 2187 KSSL_ENTRY_REFRELE(ssl->kssl_entry); 2188 ssl->kssl_entry = NULL; 2189 2190 mutex_exit(&ssl->kssl_lock); 2191 2192 kmem_cache_free(kssl_cache, ssl); 2193 kssl_cache_count--; 2194 } 2195