1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/types.h> 30 #include <sys/stream.h> 31 #include <sys/strsubr.h> 32 #include <sys/stropts.h> 33 #include <sys/strsun.h> 34 #define _SUN_TPI_VERSION 2 35 #include <sys/ddi.h> 36 #include <sys/sunddi.h> 37 #include <sys/cmn_err.h> 38 #include <sys/debug.h> 39 #include <sys/vtrace.h> 40 #include <sys/kmem.h> 41 #include <sys/cpuvar.h> 42 #include <sys/atomic.h> 43 #include <sys/sysmacros.h> 44 45 #include <sys/errno.h> 46 #include <sys/isa_defs.h> 47 #include <sys/md5.h> 48 #include <sys/sha1.h> 49 #include <sys/random.h> 50 #include <inet/common.h> 51 #include <netinet/in.h> 52 53 #include <sys/systm.h> 54 #include <sys/param.h> 55 56 #include "ksslimpl.h" 57 #include "ksslapi.h" 58 #include "ksslproto.h" 59 #include "kssldebug.h" 60 61 static ssl3CipherSuiteDef cipher_suite_defs[] = { 62 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, 72}, 63 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, 64}, 64 {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, 72}, 65 {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, 104}, 66 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, 40} 67 }; 68 69 static int cipher_suite_defs_nentries = 70 sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]); 71 72 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ 73 /* macsz padsz HashInit HashUpdate HashFinal */ 74 75 {MD5_HASH_LEN, SSL3_MD5_PAD_LEN, 76 (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update, 77 (hashfinal_func_t)MD5Final}, 78 79 {SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN, 80 (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update, 81 (hashfinal_func_t)SHA1Final}, 82 }; 83 84 static uchar_t kssl_pad_1[60] = { 85 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 86 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 87 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 88 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 89 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 90 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 91 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 92 0x36, 0x36, 0x36, 0x36 93 }; 94 static uchar_t kssl_pad_2[60] = { 95 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 96 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 97 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 98 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 99 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 100 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 101 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 102 0x5c, 0x5c, 0x5c, 0x5c 103 }; 104 105 int kssl_debug; 106 int kssl_cache_count; 107 static boolean_t kssl_synchronous = B_FALSE; 108 109 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t); 110 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t); 111 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int); 112 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int, 113 kssl_callback_t, void *); 114 static int kssl_send_server_hello(ssl_t *); 115 static int kssl_send_certificate_and_server_hello_done(ssl_t *); 116 static int kssl_send_change_cipher_specs(ssl_t *); 117 static int kssl_send_finished(ssl_t *, int); 118 static int kssl_handle_finished(ssl_t *, mblk_t *, int); 119 static void kssl_get_hello_random(uchar_t *); 120 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *); 121 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *); 122 static void kssl_lookup_sid(sslSessionID *, uchar_t *, ipaddr_t, 123 kssl_entry_t *); 124 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t); 125 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t); 126 static int kssl_generate_tls_keyblock(ssl_t *); 127 static void kssl_generate_keyblock(ssl_t *); 128 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t, 129 int, uchar_t *, int); 130 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t, 131 uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 132 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *, 133 size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 134 static void kssl_cke_done(void *, int); 135 136 #define MAX_TLS_KEYBLOCK_SIZE 160 /* more than enough for largest TLS key */ 137 138 #define HMAC_INIT(m, k, c) \ 139 rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end; 140 141 #define HMAC_UPDATE(c, d, l) \ 142 dd.cd_raw.iov_base = (char *)d; \ 143 dd.cd_length = dd.cd_raw.iov_len = l; \ 144 rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end; 145 146 #define HMAC_FINAL(c, d, l) \ 147 mac.cd_raw.iov_base = (char *)d; \ 148 mac.cd_length = mac.cd_raw.iov_len = l; \ 149 rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end; 150 151 int 152 kssl_compute_record_mac( 153 ssl_t *ssl, 154 int direction, 155 uint64_t seq_num, 156 SSL3ContentType ct, 157 uchar_t *versionp, 158 uchar_t *buf, 159 int len, 160 uchar_t *digest) 161 { 162 KSSL_HASHCTX mac_ctx; 163 KSSL_HASHCTX *ctx = &mac_ctx; 164 uchar_t temp[16], *p; 165 KSSLCipherSpec *spec; 166 int rv = 0; 167 168 spec = &ssl->spec[direction]; 169 170 if (spec->mac_hashsz == 0) { 171 return (1); 172 } 173 174 /* mac_secret = ssl->mac_secret[direction]; */ 175 176 p = temp; 177 178 *p++ = (seq_num >> 56) & 0xff; 179 *p++ = (seq_num >> 48) & 0xff; 180 *p++ = (seq_num >> 40) & 0xff; 181 *p++ = (seq_num >> 32) & 0xff; 182 *p++ = (seq_num >> 24) & 0xff; 183 *p++ = (seq_num >> 16) & 0xff; 184 *p++ = (seq_num >> 8) & 0xff; 185 *p++ = (seq_num) & 0xff; 186 *p++ = (uchar_t)ct; 187 if (IS_TLS(ssl)) { 188 *p++ = versionp[0]; 189 *p++ = versionp[1]; 190 } 191 *p++ = (len >> 8) & 0xff; 192 *p++ = (len) & 0xff; 193 194 if (IS_TLS(ssl)) { 195 crypto_data_t dd, mac; 196 crypto_context_t ctx; 197 198 dd.cd_format = CRYPTO_DATA_RAW; 199 dd.cd_offset = 0; 200 mac.cd_format = CRYPTO_DATA_RAW; 201 mac.cd_offset = 0; 202 203 HMAC_INIT(&spec->hmac_mech, &spec->hmac_key, &ctx); 204 HMAC_UPDATE(ctx, temp, p - temp); 205 HMAC_UPDATE(ctx, buf, len); 206 HMAC_FINAL(ctx, digest, spec->mac_hashsz); 207 end: 208 if (CRYPTO_ERR(rv)) { 209 #ifdef DEBUG 210 cmn_err(CE_WARN, 211 "kssl_compute_record_mac - crypto_mac error " 212 "0x%0x", rv); 213 #endif /* DEBUG */ 214 KSSL_COUNTER(compute_mac_failure, 1); 215 } 216 } else { 217 bcopy(&(ssl->mac_ctx[direction][0]), ctx, 218 sizeof (KSSL_HASHCTX)); 219 spec->MAC_HashUpdate((void *)ctx, temp, p - temp); 220 spec->MAC_HashUpdate((void *)ctx, buf, len); 221 spec->MAC_HashFinal(digest, (void *)ctx); 222 223 bcopy(&(ssl->mac_ctx[direction][1]), ctx, 224 sizeof (KSSL_HASHCTX)); 225 spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz); 226 spec->MAC_HashFinal(digest, (void *)ctx); 227 } 228 229 return (rv); 230 } 231 232 /* 233 * Handles handshake messages. 234 * Messages to be replied are returned in handshake_sendbuf. 235 */ 236 int 237 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err, 238 kssl_callback_t cbfn, void *arg) 239 { 240 uint32_t msglen; 241 uchar_t msghdr[4]; 242 243 ASSERT(ssl->msg.state == MSG_BODY); 244 ASSERT(ssl->msg.msglen_bytes == 3); 245 ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen); 246 247 ssl->sslcnt++; 248 msglen = ssl->msg.msglen; 249 250 if (ssl->msg.type == client_hello) { 251 MD5Init(&ssl->hs_md5); 252 SHA1Init(&ssl->hs_sha1); 253 } 254 255 if (ssl->msg.type == finished && ssl->resumed == B_FALSE) { 256 if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 257 sender_client) != 0) { 258 *err = SSL_MISS; 259 return (0); 260 } 261 } 262 263 if (ssl->msg.type != finished || ssl->resumed == B_FALSE) { 264 msghdr[0] = (uchar_t)ssl->msg.type; 265 266 msghdr[1] = (uchar_t)(msglen >> 16); 267 msghdr[2] = (uchar_t)(msglen >> 8); 268 msghdr[3] = (uchar_t)(msglen); 269 kssl_update_handshake_hashes(ssl, msghdr, 4); 270 kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen); 271 } 272 273 ssl->msg.state = MSG_INIT; 274 ssl->msg.msglen = 0; 275 ssl->msg.msglen_bytes = 0; 276 277 switch (ssl->msg.type) { 278 case client_hello: 279 if (ssl->hs_waitstate != wait_client_hello) { 280 kssl_send_alert(ssl, alert_fatal, 281 unexpected_message); 282 *err = EBADMSG; 283 ssl->activeinput = B_FALSE; 284 return (1); 285 } 286 *err = kssl_handle_client_hello(ssl, mp, msglen); 287 if (*err == SSL_MISS) { 288 ssl->activeinput = B_FALSE; 289 return (0); 290 } 291 return (1); 292 case client_key_exchange: 293 if (ssl->hs_waitstate != wait_client_key) { 294 kssl_send_alert(ssl, alert_fatal, 295 unexpected_message); 296 *err = EBADMSG; 297 ssl->activeinput = B_FALSE; 298 return (1); 299 } 300 *err = kssl_handle_client_key_exchange(ssl, mp, 301 msglen, cbfn, arg); 302 return (1); 303 case finished: 304 if (ssl->hs_waitstate != wait_finished) { 305 kssl_send_alert(ssl, alert_fatal, 306 unexpected_message); 307 *err = EBADMSG; 308 ssl->activeinput = B_FALSE; 309 return (1); 310 } 311 *err = kssl_handle_finished(ssl, mp, msglen); 312 return (1); 313 default: 314 kssl_send_alert(ssl, alert_fatal, unexpected_message); 315 ssl->activeinput = B_FALSE; 316 *err = EBADMSG; 317 return (1); 318 } 319 } 320 321 static void 322 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len) 323 { 324 MD5Update(&ssl->hs_md5, buf, len); 325 SHA1Update(&ssl->hs_sha1, buf, len); 326 } 327 328 static int 329 kssl_compute_handshake_hashes( 330 ssl_t *ssl, 331 SSL3Hashes *hashes, 332 uint32_t sender) 333 { 334 MD5_CTX md5 = ssl->hs_md5; /* clone md5 context */ 335 SHA1_CTX sha1 = ssl->hs_sha1; /* clone sha1 context */ 336 MD5_CTX *md5ctx = &md5; 337 SHA1_CTX *sha1ctx = &sha1; 338 339 if (IS_TLS(ssl)) { 340 uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN]; 341 char *label; 342 343 /* 344 * Do not take another hash step here. 345 * Just complete the operation. 346 */ 347 MD5Final(hashes->md5, md5ctx); 348 SHA1Final(hashes->sha1, sha1ctx); 349 350 bcopy(hashes->md5, seed, MD5_HASH_LEN); 351 bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN); 352 353 if (sender == sender_client) 354 label = TLS_CLIENT_FINISHED_LABEL; 355 else 356 label = TLS_SERVER_FINISHED_LABEL; 357 358 return (kssl_tls_PRF(ssl, 359 ssl->sid.master_secret, (size_t)SSL3_MASTER_SECRET_LEN, 360 (uchar_t *)label, strlen(label), 361 seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN), 362 hashes->tlshash, (size_t)TLS_FINISHED_SIZE)); 363 } else { 364 uchar_t s[4]; 365 s[0] = (sender >> 24) & 0xff; 366 s[1] = (sender >> 16) & 0xff; 367 s[2] = (sender >> 8) & 0xff; 368 s[3] = (sender) & 0xff; 369 370 MD5Update(md5ctx, s, 4); 371 MD5Update(md5ctx, ssl->sid.master_secret, 372 SSL3_MASTER_SECRET_LEN); 373 MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN); 374 MD5Final(hashes->md5, md5ctx); 375 376 MD5Init(md5ctx); 377 MD5Update(md5ctx, ssl->sid.master_secret, 378 SSL3_MASTER_SECRET_LEN); 379 MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN); 380 MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN); 381 MD5Final(hashes->md5, md5ctx); 382 383 SHA1Update(sha1ctx, s, 4); 384 SHA1Update(sha1ctx, ssl->sid.master_secret, 385 SSL3_MASTER_SECRET_LEN); 386 SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN); 387 SHA1Final(hashes->sha1, sha1ctx); 388 389 SHA1Init(sha1ctx); 390 SHA1Update(sha1ctx, ssl->sid.master_secret, 391 SSL3_MASTER_SECRET_LEN); 392 SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN); 393 SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN); 394 SHA1Final(hashes->sha1, sha1ctx); 395 return (0); 396 } 397 } 398 399 400 #define KSSL_SSL3_CH_MIN_MSGLEN (39) 401 402 static int 403 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen) 404 { 405 uchar_t *msgend; 406 int err; 407 SSL3AlertDescription desc = illegal_parameter; 408 uint_t sidlen; 409 uint_t nsuites; 410 uchar_t *suitesp; 411 uint_t i, j; 412 uint16_t suite; 413 int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN; 414 415 ASSERT(mp->b_wptr >= mp->b_rptr + msglen); 416 ASSERT(ssl->msg.type == client_hello); 417 ASSERT(ssl->hs_waitstate == wait_client_hello); 418 ASSERT(ssl->resumed == B_FALSE); 419 420 if (msglen < ch_msglen) { 421 goto falert; 422 } 423 424 msgend = mp->b_rptr + msglen; 425 426 /* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */ 427 if (ssl->major_version != 3 || (ssl->major_version == 3 && 428 ssl->minor_version != 0 && ssl->minor_version != 1)) { 429 KSSL_DEBUG3_IF(kssl_debug, 430 "HandleClientHello: handshake failure - " 431 "SSL version not supported (%d %d)", 432 ssl->major_version, ssl->minor_version); 433 desc = handshake_failure; 434 goto falert; 435 } 436 mp->b_rptr += 2; /* skip the version bytes */ 437 438 bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH); 439 mp->b_rptr += SSL3_RANDOM_LENGTH; 440 441 ASSERT(ssl->sid.cached == B_FALSE); 442 sidlen = *mp->b_rptr++; 443 ch_msglen += sidlen; 444 if (msglen < ch_msglen) { 445 goto falert; 446 } 447 if (sidlen != SSL3_SESSIONID_BYTES) { 448 mp->b_rptr += sidlen; 449 } else { 450 kssl_lookup_sid(&ssl->sid, mp->b_rptr, ssl->faddr, 451 ssl->kssl_entry); 452 mp->b_rptr += SSL3_SESSIONID_BYTES; 453 } 454 455 nsuites = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 456 mp->b_rptr += 2; 457 ch_msglen += nsuites; 458 if (msglen != ch_msglen) { 459 goto falert; 460 } 461 if (nsuites & 0x1) { 462 goto falert; 463 } 464 suitesp = mp->b_rptr; 465 if (ssl->sid.cached == B_TRUE) { 466 suite = ssl->sid.cipher_suite; 467 for (j = 0; j < nsuites; j += 2) { 468 if (suitesp[j] == ((suite >> 8) & 0xff) && 469 suitesp[j + 1] == (suite & 0xff)) { 470 break; 471 } 472 } 473 if (j < nsuites) { 474 goto suite_found; 475 } 476 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 477 ssl->sid.cached = B_FALSE; 478 } 479 480 /* Check if this server is capable of the cipher suite */ 481 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 482 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 483 for (j = 0; j < nsuites; j += 2) { 484 if (suitesp[j] == ((suite >> 8) & 0xff) && 485 suitesp[j + 1] == (suite & 0xff)) { 486 break; 487 } 488 } 489 if (j < nsuites) { 490 break; 491 } 492 } 493 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 494 if (ssl->sslcnt == 1) { 495 KSSL_COUNTER(no_suite_found, 1); 496 return (SSL_MISS); 497 } 498 desc = handshake_failure; 499 KSSL_DEBUG1_IF(kssl_debug, 500 "kssl_handle_client_hello: no cipher suites found"); 501 goto falert; 502 } 503 504 suite_found: 505 506 mp->b_rptr += nsuites; 507 if (*mp->b_rptr++ != 1 || *mp->b_rptr++ != 0) { 508 desc = handshake_failure; 509 KSSL_DEBUG1_IF(kssl_debug, 510 "kssl_handle_client_hello: handshake failure"); 511 goto falert; 512 } 513 514 mp->b_rptr = msgend; 515 516 for (i = 0; i < cipher_suite_defs_nentries; i++) { 517 if (suite == cipher_suite_defs[i].suite) { 518 break; 519 } 520 } 521 522 ASSERT(i < cipher_suite_defs_nentries); 523 524 ssl->pending_cipher_suite = suite; 525 ssl->pending_malg = cipher_suite_defs[i].malg; 526 ssl->pending_calg = cipher_suite_defs[i].calg; 527 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 528 529 if (ssl->sid.cached == B_TRUE) { 530 err = kssl_send_server_hello(ssl); 531 if (err != 0) { 532 return (err); 533 } 534 if (IS_TLS(ssl)) 535 err = kssl_generate_tls_keyblock(ssl); 536 else 537 kssl_generate_keyblock(ssl); 538 539 err = kssl_send_change_cipher_specs(ssl); 540 if (err != 0) { 541 return (err); 542 } 543 544 err = kssl_send_finished(ssl, 1); 545 if (err != 0) 546 return (err); 547 548 err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 549 sender_client); 550 if (err != 0) 551 return (err); 552 553 ssl->hs_waitstate = wait_change_cipher; 554 ssl->resumed = B_TRUE; 555 ssl->activeinput = B_FALSE; 556 KSSL_COUNTER(resumed_sessions, 1); 557 return (0); 558 } 559 560 (void) random_get_pseudo_bytes(ssl->sid.session_id, 561 SSL3_SESSIONID_BYTES); 562 ssl->sid.client_addr = ssl->faddr; 563 ssl->sid.cipher_suite = suite; 564 565 err = kssl_send_server_hello(ssl); 566 if (err != 0) { 567 return (err); 568 } 569 err = kssl_send_certificate_and_server_hello_done(ssl); 570 if (err != 0) { 571 return (err); 572 } 573 KSSL_COUNTER(full_handshakes, 1); 574 ssl->hs_waitstate = wait_client_key; 575 ssl->activeinput = B_FALSE; 576 return (0); 577 578 falert: 579 kssl_send_alert(ssl, alert_fatal, desc); 580 return (EBADMSG); 581 } 582 583 static void 584 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 585 { 586 uint_t index; 587 uchar_t *s = sid->session_id; 588 int l = SSL3_SESSIONID_BYTES - 1; 589 kmutex_t *lock; 590 591 ASSERT(sid->cached == B_TRUE); 592 593 index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 594 ((int)s[2] << 8) | (int)s[l]); 595 596 index %= kssl_entry->sid_cache_nentries; 597 598 sid->time = lbolt; 599 600 lock = &(kssl_entry->sid_cache[index].se_lock); 601 mutex_enter(lock); 602 kssl_entry->sid_cache[index].se_used++; 603 bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid)); 604 mutex_exit(lock); 605 } 606 607 static void 608 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, ipaddr_t faddr, 609 kssl_entry_t *kssl_entry) 610 { 611 uint_t index; 612 int l = SSL3_SESSIONID_BYTES - 1; 613 kmutex_t *lock; 614 sslSessionID *csid; 615 616 ASSERT(sid->cached == B_FALSE); 617 618 KSSL_COUNTER(sid_cache_lookups, 1); 619 620 index = (int)faddr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 621 ((int)s[2] << 8) | (int)s[l]); 622 623 index %= kssl_entry->sid_cache_nentries; 624 625 lock = &(kssl_entry->sid_cache[index].se_lock); 626 mutex_enter(lock); 627 csid = &(kssl_entry->sid_cache[index].se_sid); 628 if (csid->cached == B_FALSE || csid->client_addr != faddr || 629 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 630 mutex_exit(lock); 631 return; 632 } 633 634 if (TICK_TO_SEC(lbolt - csid->time) > kssl_entry->sid_cache_timeout) { 635 csid->cached = B_FALSE; 636 mutex_exit(lock); 637 return; 638 } 639 640 bcopy(csid, sid, sizeof (*sid)); 641 mutex_exit(lock); 642 ASSERT(sid->cached == B_TRUE); 643 644 KSSL_COUNTER(sid_cache_hits, 1); 645 } 646 647 static uchar_t * 648 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp) 649 { 650 size_t len = *lenp; 651 int i = 2; 652 653 if (buf[0] != 0 || buf[1] != 2) { 654 return (NULL); 655 } 656 657 while (i < len) { 658 if (buf[i++] == 0) { 659 *lenp = len - i; 660 break; 661 } 662 } 663 664 if (i == len) { 665 return (NULL); 666 } 667 668 return (buf + i); 669 } 670 671 void 672 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 673 { 674 uint_t index; 675 uchar_t *s = sid->session_id; 676 int l = SSL3_SESSIONID_BYTES - 1; 677 sslSessionID *csid; 678 kmutex_t *lock; 679 680 ASSERT(sid->cached == B_TRUE); 681 682 KSSL_COUNTER(sid_uncached, 1); 683 684 index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 685 ((int)s[2] << 8) | (int)s[l]); 686 687 index %= kssl_entry->sid_cache_nentries; 688 689 lock = &(kssl_entry->sid_cache[index].se_lock); 690 mutex_enter(lock); 691 csid = &(kssl_entry->sid_cache[index].se_sid); 692 if (csid->client_addr != sid->client_addr || 693 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 694 mutex_exit(lock); 695 return; 696 } 697 csid->cached = B_FALSE; 698 mutex_exit(lock); 699 } 700 701 702 #define KSSL_SSL3_SH_RECLEN (74) 703 #define KSSL_SSL3_FIN_MSGLEN (36) 704 705 #define KSSL_SSL3_MAX_CCP_FIN_MSGLEN (128) /* comfortable upper bound */ 706 707 static int 708 kssl_send_server_hello(ssl_t *ssl) 709 { 710 mblk_t *mp; 711 uchar_t *buf; 712 uchar_t *msgstart; 713 714 mp = allocb(ssl->tcp_mss, BPRI_HI); 715 if (mp == NULL) { 716 KSSL_COUNTER(alloc_fails, 1); 717 return (ENOMEM); 718 } 719 ssl->handshake_sendbuf = mp; 720 buf = mp->b_wptr; 721 722 /* 5 byte record header */ 723 buf[0] = content_handshake; 724 buf[1] = ssl->major_version; 725 buf[2] = ssl->minor_version; 726 buf[3] = KSSL_SSL3_SH_RECLEN >> 8; 727 buf[4] = KSSL_SSL3_SH_RECLEN & 0xff; 728 buf += SSL3_HDR_LEN; 729 730 msgstart = buf; 731 732 /* 6 byte message header */ 733 buf[0] = (uchar_t)server_hello; /* message type */ 734 buf[1] = 0; /* message len byte 0 */ 735 buf[2] = ((KSSL_SSL3_SH_RECLEN - 4) >> 8) & 736 0xff; /* message len byte 1 */ 737 buf[3] = (KSSL_SSL3_SH_RECLEN - 4) & 0xff; /* message len byte 2 */ 738 739 buf[4] = ssl->major_version; /* version byte 0 */ 740 buf[5] = ssl->minor_version; /* version byte 1 */ 741 742 buf += 6; 743 744 kssl_get_hello_random(ssl->server_random); 745 bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH); 746 buf += SSL3_RANDOM_LENGTH; 747 748 buf[0] = SSL3_SESSIONID_BYTES; 749 bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES); 750 buf += SSL3_SESSIONID_BYTES + 1; 751 752 buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff; 753 buf[1] = ssl->pending_cipher_suite & 0xff; 754 755 buf[2] = 0; /* No compression */ 756 757 mp->b_wptr = buf + 3; 758 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 759 760 kssl_update_handshake_hashes(ssl, msgstart, KSSL_SSL3_SH_RECLEN); 761 return (0); 762 } 763 764 static void 765 kssl_get_hello_random(uchar_t *buf) 766 { 767 timestruc_t ts; 768 time_t sec; 769 770 gethrestime(&ts); 771 sec = ts.tv_sec; 772 773 buf[0] = (sec >> 24) & 0xff; 774 buf[1] = (sec >> 16) & 0xff; 775 buf[2] = (sec >> 8) & 0xff; 776 buf[3] = (sec) & 0xff; 777 778 (void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4); 779 780 /* Should this be caching? */ 781 } 782 783 static int 784 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key, 785 size_t hashlen, 786 uchar_t *label, size_t label_len, 787 uchar_t *seed, size_t seedlen, 788 uchar_t *data, size_t datalen) 789 { 790 int rv = 0; 791 uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN]; 792 int bytes_left = datalen; 793 crypto_data_t dd, mac; 794 crypto_context_t ctx; 795 796 dd.cd_format = CRYPTO_DATA_RAW; 797 dd.cd_offset = 0; 798 mac.cd_format = CRYPTO_DATA_RAW; 799 mac.cd_offset = 0; 800 801 /* 802 * A(i) = HMAC_hash(secred, seed + A(i-1)); 803 * A(0) = seed; 804 * 805 * Compute A(1): 806 * A(1) = HMAC_hash(secret, label + seed) 807 * 808 */ 809 HMAC_INIT(mech, key, &ctx); 810 HMAC_UPDATE(ctx, label, label_len); 811 HMAC_UPDATE(ctx, seed, seedlen); 812 HMAC_FINAL(ctx, A1, hashlen); 813 814 /* Compute A(2) ... A(n) */ 815 while (bytes_left > 0) { 816 HMAC_INIT(mech, key, &ctx); 817 HMAC_UPDATE(ctx, A1, hashlen); 818 HMAC_UPDATE(ctx, label, label_len); 819 HMAC_UPDATE(ctx, seed, seedlen); 820 HMAC_FINAL(ctx, result, hashlen); 821 822 /* 823 * The A(i) value is stored in "result". 824 * Save the results of the MAC so it can be input to next 825 * iteration. 826 */ 827 if (bytes_left > hashlen) { 828 /* Store the chunk result */ 829 bcopy(result, data, hashlen); 830 data += hashlen; 831 832 bytes_left -= hashlen; 833 834 /* Update A1 for next iteration */ 835 HMAC_INIT(mech, key, &ctx); 836 HMAC_UPDATE(ctx, A1, hashlen); 837 HMAC_FINAL(ctx, A1, hashlen); 838 839 } else { 840 bcopy(result, data, bytes_left); 841 data += bytes_left; 842 bytes_left = 0; 843 } 844 } 845 end: 846 if (CRYPTO_ERR(rv)) { 847 #ifdef DEBUG 848 cmn_err(CE_WARN, "kssl_P_hash: crypto_mac error 0x%02X", rv); 849 #endif /* DEBUG */ 850 KSSL_COUNTER(compute_mac_failure, 1); 851 } 852 return (rv); 853 } 854 855 /* ARGSUSED */ 856 static int 857 kssl_tls_PRF(ssl_t *ssl, 858 uchar_t *secret, size_t secret_len, 859 uchar_t *label, size_t label_len, 860 uchar_t *seed, size_t seed_len, 861 uchar_t *prfresult, size_t prfresult_len) 862 { 863 /* 864 * RFC 2246: 865 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR 866 * P_SHA1(S2, label + seed); 867 * S1 = 1st half of secret. 868 * S1 = 2nd half of secret. 869 * 870 */ 871 872 int rv = 0, i; 873 uchar_t psha1[MAX_TLS_KEYBLOCK_SIZE]; 874 crypto_key_t S1, S2; 875 876 /* length of secret keys is ceil(length/2) */ 877 size_t slen = roundup(secret_len, 2) / 2; 878 879 if (prfresult_len > MAX_TLS_KEYBLOCK_SIZE) { 880 KSSL_DEBUG2_IF(kssl_debug, "kssl_tls_PRF: unexpected keyblock " 881 "size (%lu)", prfresult_len); 882 return (CRYPTO_ARGUMENTS_BAD); 883 } 884 885 ASSERT(prfresult != NULL); 886 ASSERT(label != NULL); 887 ASSERT(seed != NULL); 888 889 S1.ck_data = secret; 890 S1.ck_length = slen * 8; /* bits */ 891 S1.ck_format = CRYPTO_KEY_RAW; 892 893 S2.ck_data = secret + slen; 894 S2.ck_length = slen * 8; /* bits */ 895 S2.ck_format = CRYPTO_KEY_RAW; 896 897 rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN, 898 label, label_len, 899 seed, seed_len, 900 prfresult, prfresult_len); 901 if (CRYPTO_ERR(rv)) 902 goto end; 903 904 rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN, 905 label, label_len, 906 seed, seed_len, 907 psha1, prfresult_len); 908 if (CRYPTO_ERR(rv)) 909 goto end; 910 911 for (i = 0; i < prfresult_len; i++) 912 prfresult[i] ^= psha1[i]; 913 914 end: 915 if (CRYPTO_ERR(rv)) 916 bzero(prfresult, prfresult_len); 917 918 return (rv); 919 } 920 921 static int 922 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 923 { 924 uchar_t seed[SSL3_RANDOM_LENGTH * 2]; 925 926 /* 927 * Computing the master secret: 928 * ---------------------------- 929 * master_secret = PRF (pms, "master secret", 930 * ClientHello.random + ServerHello.random); 931 */ 932 bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH); 933 bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH, 934 SSL3_RANDOM_LENGTH); 935 936 return (kssl_tls_PRF(ssl, 937 pms, pmslen, 938 (uchar_t *)TLS_MASTER_SECRET_LABEL, 939 (size_t)strlen(TLS_MASTER_SECRET_LABEL), 940 seed, sizeof (seed), 941 ssl->sid.master_secret, 942 (size_t)sizeof (ssl->sid.master_secret))); 943 } 944 945 static void 946 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 947 { 948 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 949 uchar_t *ms; 950 int hlen = MD5_HASH_LEN; 951 952 ms = ssl->sid.master_secret; 953 954 /* if pms is bad fake it to thwart Bleichenbacher attack */ 955 if (pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN || 956 pms[0] != ssl->major_version || pms[1] != ssl->minor_version) { 957 #ifdef DEBUG 958 cmn_err(CE_WARN, "Under Bleichenbacher attack"); 959 #endif /* DEBUG */ 960 KSSL_COUNTER(bad_pre_master_secret, 1); 961 pms = buf; 962 pmslen = SSL3_PRE_MASTER_SECRET_LEN; 963 pms[0] = ssl->major_version; 964 pms[1] = ssl->minor_version; 965 (void) random_get_pseudo_bytes(&buf[2], pmslen - 2); 966 } 967 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0); 968 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0); 969 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen, 970 0); 971 } 972 973 static int 974 kssl_generate_tls_keyblock(ssl_t *ssl) 975 { 976 uchar_t seed[2 * SSL3_RANDOM_LENGTH]; 977 978 bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH); 979 bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH, 980 SSL3_RANDOM_LENGTH); 981 982 return (kssl_tls_PRF(ssl, ssl->sid.master_secret, 983 (size_t)SSL3_MASTER_SECRET_LEN, 984 (uchar_t *)TLS_KEY_EXPANSION_LABEL, 985 (size_t)strlen(TLS_KEY_EXPANSION_LABEL), 986 seed, (size_t)sizeof (seed), 987 ssl->pending_keyblock, 988 (size_t)ssl->pending_keyblksz)); 989 990 } 991 992 static void 993 kssl_generate_keyblock(ssl_t *ssl) 994 { 995 uchar_t *ms; 996 size_t mslen = SSL3_MASTER_SECRET_LEN; 997 int hlen = MD5_HASH_LEN; 998 uchar_t *keys = ssl->pending_keyblock; 999 int steps = howmany(ssl->pending_keyblksz, hlen); 1000 int i; 1001 1002 ms = ssl->sid.master_secret; 1003 1004 ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH); 1005 1006 for (i = 1; i <= steps; i++) { 1007 kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1); 1008 keys += hlen; 1009 } 1010 } 1011 1012 static char *ssl3_key_derive_seeds[8] = {"A", "BB", "CCC", "DDDD", "EEEEE", 1013 "FFFFFF", "GGGGGGG", "HHHHHHHH"}; 1014 1015 static void 1016 kssl_ssl3_key_material_derive_step( 1017 ssl_t *ssl, 1018 uchar_t *secret, 1019 size_t secretlen, 1020 int step, 1021 uchar_t *dst, 1022 int sr_first) 1023 { 1024 SHA1_CTX sha1, *sha1ctx; 1025 MD5_CTX md5, *md5ctx; 1026 uchar_t sha1_hash[SHA1_HASH_LEN]; 1027 1028 sha1ctx = &sha1; 1029 md5ctx = &md5; 1030 1031 ASSERT(step <= 1032 sizeof (ssl3_key_derive_seeds) / 1033 sizeof (ssl3_key_derive_seeds[0])); 1034 step--; 1035 1036 SHA1Init(sha1ctx); 1037 SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step], 1038 step + 1); 1039 SHA1Update(sha1ctx, secret, secretlen); 1040 if (sr_first) { 1041 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1042 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1043 } else { 1044 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1045 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1046 } 1047 SHA1Final(sha1_hash, sha1ctx); 1048 1049 MD5Init(md5ctx); 1050 MD5Update(md5ctx, secret, secretlen); 1051 MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN); 1052 MD5Final(dst, md5ctx); 1053 } 1054 1055 static int 1056 kssl_send_certificate_and_server_hello_done(ssl_t *ssl) 1057 { 1058 int cur_reclen; 1059 int mss; 1060 int len, copylen; 1061 mblk_t *mp; 1062 uchar_t *cert_buf; 1063 int cert_len; 1064 uchar_t *msgbuf; 1065 Certificate_t *cert; 1066 1067 cert = ssl->kssl_entry->ke_server_certificate; 1068 if (cert == NULL) { 1069 return (ENOENT); 1070 } 1071 cert_buf = cert->msg; 1072 cert_len = cert->len; 1073 1074 mp = ssl->handshake_sendbuf; 1075 mss = ssl->tcp_mss; 1076 ASSERT(mp != NULL); 1077 cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN; 1078 ASSERT(cur_reclen == KSSL_SSL3_SH_RECLEN); 1079 /* Assume MSS is at least 80 bytes */ 1080 ASSERT(mss > cur_reclen + SSL3_HDR_LEN); 1081 ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */ 1082 1083 copylen = mss - (cur_reclen + SSL3_HDR_LEN); 1084 len = cert_len; 1085 copylen = MIN(copylen, len); 1086 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1087 1088 /* new record always starts in a new mblk for simplicity */ 1089 msgbuf = cert_buf; 1090 for (;;) { 1091 ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim); 1092 bcopy(msgbuf, mp->b_wptr, copylen); 1093 msgbuf += copylen; 1094 mp->b_wptr += copylen; 1095 cur_reclen += copylen; 1096 len -= copylen; 1097 if (len == 0) { 1098 break; 1099 } 1100 if (cur_reclen == SSL3_MAX_RECORD_LENGTH) { 1101 cur_reclen = 0; 1102 } 1103 copylen = MIN(len, mss); 1104 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1105 mp->b_cont = allocb(copylen, BPRI_HI); 1106 if (mp->b_cont == NULL) { 1107 KSSL_COUNTER(alloc_fails, 1); 1108 freemsg(ssl->handshake_sendbuf); 1109 ssl->handshake_sendbuf = NULL; 1110 return (ENOMEM); 1111 } 1112 mp = mp->b_cont; 1113 if (cur_reclen == 0) { 1114 mp->b_wptr[0] = content_handshake; 1115 mp->b_wptr[1] = ssl->major_version; 1116 mp->b_wptr[2] = ssl->minor_version; 1117 cur_reclen = MIN(len, SSL3_MAX_RECORD_LENGTH); 1118 mp->b_wptr[3] = (cur_reclen >> 8) & 0xff; 1119 mp->b_wptr[4] = (cur_reclen) & 0xff; 1120 mp->b_wptr += SSL3_HDR_LEN; 1121 cur_reclen = 0; 1122 copylen = MIN(copylen, mss - SSL3_HDR_LEN); 1123 } 1124 } 1125 1126 /* adjust the record length field for the first record */ 1127 mp = ssl->handshake_sendbuf; 1128 cur_reclen = MIN(KSSL_SSL3_SH_RECLEN + cert_len, 1129 SSL3_MAX_RECORD_LENGTH); 1130 mp->b_rptr[3] = (cur_reclen >> 8) & 0xff; 1131 mp->b_rptr[4] = (cur_reclen) & 0xff; 1132 1133 kssl_update_handshake_hashes(ssl, cert_buf, cert_len); 1134 1135 return (0); 1136 } 1137 1138 static int 1139 kssl_send_change_cipher_specs(ssl_t *ssl) 1140 { 1141 mblk_t *mp, *newmp; 1142 uchar_t *buf; 1143 1144 mp = ssl->handshake_sendbuf; 1145 1146 /* We're most likely to hit the fast path for resumed sessions */ 1147 if ((mp != NULL) && 1148 (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) { 1149 buf = mp->b_wptr; 1150 } else { 1151 newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI); 1152 1153 if (newmp == NULL) 1154 return (ENOMEM); /* need to do better job! */ 1155 1156 if (mp == NULL) { 1157 ssl->handshake_sendbuf = newmp; 1158 } else { 1159 linkb(ssl->handshake_sendbuf, newmp); 1160 } 1161 mp = newmp; 1162 buf = mp->b_rptr; 1163 } 1164 1165 /* 5 byte record header */ 1166 buf[0] = content_change_cipher_spec; 1167 buf[1] = ssl->major_version; 1168 buf[2] = ssl->minor_version; 1169 buf[3] = 0; 1170 buf[4] = 1; 1171 buf += SSL3_HDR_LEN; 1172 1173 buf[0] = 1; 1174 1175 mp->b_wptr = buf + 1; 1176 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 1177 1178 ssl->seq_num[KSSL_WRITE] = 0; 1179 return (kssl_spec_init(ssl, KSSL_WRITE)); 1180 } 1181 1182 int 1183 kssl_spec_init(ssl_t *ssl, int dir) 1184 { 1185 KSSL_HASHCTX *ctx; 1186 KSSLCipherSpec *spec = &ssl->spec[dir]; 1187 int ret = 0; 1188 1189 spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz; 1190 spec->mac_padsz = mac_defs[ssl->pending_malg].padsz; 1191 1192 spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit; 1193 spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate; 1194 spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal; 1195 1196 if (dir == KSSL_READ) { 1197 bcopy(ssl->pending_keyblock, ssl->mac_secret[dir], 1198 spec->mac_hashsz); 1199 } else { 1200 bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]), 1201 ssl->mac_secret[dir], spec->mac_hashsz); 1202 } 1203 1204 /* Pre-compute these here. will save cycles on each record later */ 1205 if (!IS_TLS(ssl)) { 1206 ctx = &ssl->mac_ctx[dir][0]; 1207 spec->MAC_HashInit((void *)ctx); 1208 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1209 spec->mac_hashsz); 1210 spec->MAC_HashUpdate((void *)ctx, kssl_pad_1, 1211 spec->mac_padsz); 1212 1213 ctx = &ssl->mac_ctx[dir][1]; 1214 spec->MAC_HashInit((void *)ctx); 1215 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1216 spec->mac_hashsz); 1217 spec->MAC_HashUpdate((void *)ctx, kssl_pad_2, 1218 spec->mac_padsz); 1219 } 1220 1221 spec->cipher_type = cipher_defs[ssl->pending_calg].type; 1222 spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type; 1223 spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize; 1224 spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz; 1225 1226 if (spec->cipher_ctx != NULL) { 1227 crypto_cancel_ctx(spec->cipher_ctx); 1228 spec->cipher_ctx = 0; 1229 } 1230 1231 /* 1232 * Initialize HMAC keys for TLS. 1233 */ 1234 if (IS_TLS(ssl)) { 1235 if (ssl->pending_malg == mac_md5) { 1236 spec->hmac_mech = hmac_md5_mech; 1237 } else if (ssl->pending_malg == mac_sha) { 1238 spec->hmac_mech = hmac_sha1_mech; 1239 } 1240 1241 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1242 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1243 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1244 } 1245 1246 /* We're done if this is the nil cipher */ 1247 if (spec->cipher_keysz == 0) { 1248 return (0); 1249 } 1250 1251 /* Initialize the key and the active context */ 1252 spec->cipher_key.ck_format = CRYPTO_KEY_RAW; 1253 spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */ 1254 1255 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1256 /* client_write_IV */ 1257 spec->cipher_mech.cm_param = 1258 (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz + 1259 2 * spec->cipher_keysz]); 1260 spec->cipher_mech.cm_param_len = spec->cipher_bsize; 1261 } 1262 spec->cipher_data.cd_format = CRYPTO_DATA_RAW; 1263 if (dir == KSSL_READ) { 1264 spec->cipher_mech.cm_param_len = 1265 cipher_defs[ssl->pending_calg].bsize; 1266 1267 /* cilent_write_key */ 1268 spec->cipher_key.ck_data = 1269 &(ssl->pending_keyblock[2 * spec->mac_hashsz]); 1270 1271 ret = crypto_decrypt_init(&(spec->cipher_mech), 1272 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1273 #ifdef DEBUG 1274 if (CRYPTO_ERR(ret)) { 1275 cmn_err(CE_WARN, "kssl_spec_init: " 1276 "crypto_decrypt_init error 0x%02X", ret); 1277 } 1278 #endif /* DEBUG */ 1279 } else { 1280 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1281 spec->cipher_mech.cm_param += spec->cipher_bsize; 1282 } 1283 /* server_write_key */ 1284 spec->cipher_key.ck_data = 1285 &(ssl->pending_keyblock[2 * spec->mac_hashsz + 1286 spec->cipher_keysz]); 1287 1288 ret = crypto_encrypt_init(&(spec->cipher_mech), 1289 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1290 #ifdef DEBUG 1291 if (CRYPTO_ERR(ret)) 1292 cmn_err(CE_WARN, "kssl_spec_init: " 1293 "crypto_encrypt_init error 0x%02X", ret); 1294 #endif /* DEBUG */ 1295 } 1296 return (ret); 1297 } 1298 1299 static int 1300 kssl_send_finished(ssl_t *ssl, int update_hsh) 1301 { 1302 mblk_t *mp; 1303 uchar_t *buf; 1304 uchar_t *rstart; 1305 uchar_t *versionp; 1306 SSL3Hashes ssl3hashes; 1307 size_t finish_len; 1308 int ret = 0; 1309 1310 mp = ssl->handshake_sendbuf; 1311 ASSERT(mp != NULL); 1312 buf = mp->b_wptr; 1313 ASSERT(buf - mp->b_rptr == SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN + 1314 SSL3_HDR_LEN + 1 || buf - mp->b_rptr == SSL3_HDR_LEN + 1); 1315 1316 rstart = buf; 1317 1318 if (IS_TLS(ssl)) 1319 finish_len = TLS_FINISHED_SIZE; 1320 else 1321 finish_len = KSSL_SSL3_FIN_MSGLEN; 1322 1323 /* 5 byte record header */ 1324 buf[0] = content_handshake; 1325 buf[1] = ssl->major_version; 1326 buf[2] = ssl->minor_version; 1327 buf[3] = 0; 1328 buf[4] = 4 + finish_len; 1329 1330 versionp = &buf[1]; 1331 1332 buf += SSL3_HDR_LEN; 1333 1334 /* 4 byte message header */ 1335 buf[0] = (uchar_t)finished; /* message type */ 1336 buf[1] = 0; /* message len byte 0 */ 1337 buf[2] = 0; /* message len byte 1 */ 1338 buf[3] = finish_len; /* message len byte 2 */ 1339 buf += 4; 1340 1341 if (IS_TLS(ssl)) { 1342 bcopy(ssl->hs_hashes.md5, ssl3hashes.md5, 1343 sizeof (ssl3hashes.md5)); 1344 bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1, 1345 sizeof (ssl3hashes.sha1)); 1346 } 1347 1348 /* Compute hashes for the SENDER side */ 1349 ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server); 1350 if (ret != 0) 1351 return (ret); 1352 1353 if (IS_TLS(ssl)) { 1354 bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash)); 1355 } else { 1356 bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN); 1357 bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN); 1358 } 1359 1360 if (update_hsh) { 1361 kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4); 1362 } 1363 1364 mp->b_wptr = buf + finish_len; 1365 1366 ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp, 1367 rstart, mp); 1368 ASSERT(mp->b_wptr <= mp->b_datap->db_lim); 1369 1370 return (ret); 1371 } 1372 1373 int 1374 kssl_mac_encrypt_record(ssl_t *ssl, 1375 SSL3ContentType ct, 1376 uchar_t *versionp, 1377 uchar_t *rstart, 1378 mblk_t *mp) 1379 { 1380 KSSLCipherSpec *spec; 1381 int mac_sz; 1382 int ret = 0; 1383 uint16_t rec_sz; 1384 int pad_sz; 1385 int i; 1386 1387 ASSERT(ssl != NULL); 1388 ASSERT(rstart >= mp->b_rptr); 1389 ASSERT(rstart < mp->b_wptr); 1390 1391 spec = &ssl->spec[KSSL_WRITE]; 1392 mac_sz = spec->mac_hashsz; 1393 1394 rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN; 1395 ASSERT(rec_sz > 0); 1396 1397 if (mac_sz != 0) { 1398 ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim); 1399 ret = kssl_compute_record_mac(ssl, KSSL_WRITE, 1400 ssl->seq_num[KSSL_WRITE], ct, versionp, 1401 rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr); 1402 if (ret == CRYPTO_SUCCESS) { 1403 ssl->seq_num[KSSL_WRITE]++; 1404 mp->b_wptr += mac_sz; 1405 rec_sz += mac_sz; 1406 } else { 1407 return (ret); 1408 } 1409 } 1410 1411 if (spec->cipher_type == type_block) { 1412 pad_sz = spec->cipher_bsize - 1413 (rec_sz & (spec->cipher_bsize - 1)); 1414 ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim); 1415 for (i = 0; i < pad_sz; i++) { 1416 mp->b_wptr[i] = pad_sz - 1; 1417 } 1418 mp->b_wptr += pad_sz; 1419 rec_sz += pad_sz; 1420 } 1421 1422 ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH); 1423 1424 U16_TO_BE16(rec_sz, rstart + 3); 1425 1426 if (spec->cipher_ctx == 0) 1427 return (ret); 1428 1429 spec->cipher_data.cd_length = rec_sz; 1430 spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN); 1431 spec->cipher_data.cd_raw.iov_len = rec_sz; 1432 /* One record at a time. Otherwise, gotta allocate the crypt_data_t */ 1433 ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data, 1434 NULL, NULL); 1435 #ifdef DEBUG 1436 if (CRYPTO_ERR(ret)) { 1437 cmn_err(CE_WARN, 1438 "kssl_mac_encrypt_record: crypto_encrypt_update " 1439 "error 0x%02X", ret); 1440 } 1441 #endif /* DEBUG */ 1442 return (ret); 1443 } 1444 1445 void 1446 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc) 1447 { 1448 mblk_t *mp; 1449 uchar_t *buf; 1450 KSSLCipherSpec *spec; 1451 1452 ASSERT(ssl != NULL); 1453 1454 ssl->sendalert_level = level; 1455 ssl->sendalert_desc = desc; 1456 1457 if (level == alert_fatal) { 1458 #ifdef DEBUG 1459 cmn_err(CE_WARN, "sending an alert %d %d from %p\n", level, 1460 desc, (void *)caller()); 1461 #endif /* DEBUG */ 1462 if (ssl->sid.cached == B_TRUE) { 1463 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 1464 ssl->sid.cached = B_FALSE; 1465 } 1466 ssl->fatal_alert = B_TRUE; 1467 KSSL_COUNTER(fatal_alerts, 1); 1468 } else 1469 KSSL_COUNTER(warning_alerts, 1); 1470 1471 spec = &ssl->spec[KSSL_WRITE]; 1472 1473 ASSERT(ssl->alert_sendbuf == NULL); 1474 ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz + 1475 spec->cipher_bsize, BPRI_HI); 1476 if (mp == NULL) { 1477 KSSL_COUNTER(alloc_fails, 1); 1478 return; 1479 } 1480 buf = mp->b_wptr; 1481 1482 /* 5 byte record header */ 1483 buf[0] = content_alert; 1484 buf[1] = ssl->major_version; 1485 buf[2] = ssl->minor_version; 1486 buf[3] = 0; 1487 buf[4] = 2; 1488 buf += SSL3_HDR_LEN; 1489 1490 /* alert contents */ 1491 buf[0] = (uchar_t)level; 1492 buf[1] = (uchar_t)desc; 1493 1494 mp->b_wptr = buf + 2; 1495 } 1496 1497 /* Assumes RSA encryption */ 1498 static int 1499 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen, 1500 kssl_callback_t cbfn, void *arg) 1501 { 1502 char *buf; 1503 uchar_t *pms; 1504 size_t pmslen; 1505 int allocated; 1506 int err; 1507 crypto_key_t *privkey; 1508 crypto_data_t *wrapped_pms_data, *pms_data; 1509 crypto_call_req_t creq, *creqp; 1510 1511 privkey = ssl->kssl_entry->ke_private_key; 1512 if (privkey == NULL) { 1513 return (ENOENT); 1514 } 1515 1516 ASSERT(ssl->msg.type == client_key_exchange); 1517 ASSERT(ssl->hs_waitstate == wait_client_key); 1518 1519 /* 1520 * TLS adds an extra 2 byte length field before the data. 1521 */ 1522 if (IS_TLS(ssl)) { 1523 msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1]; 1524 mp->b_rptr += 2; 1525 } 1526 1527 /* 1528 * Allocate all we need in one shot. about 300 bytes total, for 1529 * 1024 bit RSA modulus. 1530 * The buffer layout will be: pms_data, wrapped_pms_data, the 1531 * value of the wrapped pms from the client, then room for the 1532 * resulting decrypted premaster secret. 1533 */ 1534 allocated = 2 * (sizeof (crypto_data_t) + msglen); 1535 buf = kmem_alloc(allocated, KM_NOSLEEP); 1536 if (buf == NULL) { 1537 return (ENOMEM); 1538 } 1539 1540 pms_data = (crypto_data_t *)buf; 1541 wrapped_pms_data = &(((crypto_data_t *)buf)[1]); 1542 1543 wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW; 1544 wrapped_pms_data->cd_offset = pms_data->cd_offset = 0; 1545 wrapped_pms_data->cd_length = pms_data->cd_length = msglen; 1546 wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL; 1547 wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen; 1548 wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t); 1549 pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen; 1550 1551 bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen); 1552 mp->b_rptr += msglen; 1553 1554 /* Proceed synchronously if out of interrupt and configured to do so */ 1555 if ((kssl_synchronous) && (!servicing_interrupt())) { 1556 creqp = NULL; 1557 } else { 1558 ssl->cke_callback_func = cbfn; 1559 ssl->cke_callback_arg = arg; 1560 creq.cr_flag = kssl_call_flag; 1561 creq.cr_callback_func = kssl_cke_done; 1562 creq.cr_callback_arg = ssl; 1563 1564 /* The callback routine will release this one */ 1565 KSSL_SSL_REFHOLD(ssl); 1566 1567 creqp = &creq; 1568 } 1569 1570 err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data, 1571 privkey, NULL, pms_data, creqp); 1572 1573 switch (err) { 1574 case CRYPTO_SUCCESS: 1575 break; 1576 1577 case CRYPTO_QUEUED: 1578 /* 1579 * Finish the master secret then the rest of key material 1580 * derivation later. 1581 */ 1582 ssl->job.kjob = creq.cr_reqid; 1583 ssl->job.buf = buf; 1584 ssl->job.buflen = allocated; 1585 ssl->hs_waitstate = wait_client_key_done; 1586 return (0); 1587 default: 1588 #ifdef DEBUG 1589 cmn_err(CE_WARN, "kssl_handle_client_key_exchange: " 1590 "crypto_decrypt error 0x%02X", err); 1591 #endif /* DEBUG */ 1592 kmem_free(buf, allocated); 1593 return (ENOMEM); 1594 } 1595 1596 pmslen = pms_data->cd_length; 1597 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1598 1599 /* generate master key and save it in the ssl sid structure */ 1600 if (IS_TLS(ssl)) { 1601 err = kssl_generate_tls_ms(ssl, pms, pmslen); 1602 if (!CRYPTO_ERR(err)) 1603 err = kssl_generate_tls_keyblock(ssl); 1604 } else { 1605 kssl_generate_ssl_ms(ssl, pms, pmslen); 1606 kssl_generate_keyblock(ssl); 1607 } 1608 1609 if (err == CRYPTO_SUCCESS) 1610 ssl->hs_waitstate = wait_change_cipher; 1611 1612 ssl->activeinput = B_FALSE; 1613 1614 kmem_free(buf, allocated); 1615 1616 return (0); 1617 } 1618 1619 static int 1620 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen) 1621 { 1622 int err; 1623 size_t finish_len; 1624 int hashcompare; 1625 1626 ASSERT(ssl->msg.type == finished); 1627 ASSERT(ssl->hs_waitstate == wait_finished); 1628 1629 if (IS_TLS(ssl)) 1630 finish_len = TLS_FINISHED_SIZE; 1631 else 1632 finish_len = KSSL_SSL3_FIN_MSGLEN; 1633 1634 if (msglen != finish_len) { 1635 kssl_send_alert(ssl, alert_fatal, illegal_parameter); 1636 return (EBADMSG); 1637 } 1638 1639 if (IS_TLS(ssl)) { 1640 hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash, 1641 finish_len); 1642 } else { 1643 hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len); 1644 } 1645 1646 /* The handshake hashes should be computed by now */ 1647 if (hashcompare != 0) { 1648 kssl_send_alert(ssl, alert_fatal, handshake_failure); 1649 return (EBADMSG); 1650 } 1651 1652 mp->b_rptr += msglen; 1653 1654 ssl->hs_waitstate = idle_handshake; 1655 1656 if (ssl->resumed == B_TRUE) { 1657 ssl->activeinput = B_FALSE; 1658 return (0); 1659 } 1660 1661 err = kssl_send_change_cipher_specs(ssl); 1662 if (err != 0) { 1663 return (err); 1664 } 1665 err = kssl_send_finished(ssl, 0); 1666 if (err != 0) { 1667 return (err); 1668 } 1669 1670 ASSERT(ssl->sid.cached == B_FALSE); 1671 ssl->sid.cached = B_TRUE; 1672 kssl_cache_sid(&ssl->sid, ssl->kssl_entry); 1673 ssl->activeinput = B_FALSE; 1674 1675 return (0); 1676 } 1677 1678 #define KSSL2_CH_MIN_RECSZ (9) 1679 1680 /* 1681 * This method is needed to handle clients which send the 1682 * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers. 1683 * We are not really doing SSLv2 here, just handling the header 1684 * and then switching to SSLv3. 1685 */ 1686 int 1687 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz) 1688 { 1689 uchar_t *recend; 1690 int err; 1691 SSL3AlertDescription desc = illegal_parameter; 1692 uint_t randlen; 1693 uint_t sidlen; 1694 uint_t nsuites; 1695 uchar_t *suitesp; 1696 uchar_t *rand; 1697 uint_t i, j; 1698 uint16_t suite; 1699 int ch_recsz = KSSL2_CH_MIN_RECSZ; 1700 1701 ASSERT(mp->b_wptr >= mp->b_rptr + recsz); 1702 ASSERT(ssl->hs_waitstate == wait_client_hello); 1703 ASSERT(ssl->resumed == B_FALSE); 1704 1705 if (recsz < ch_recsz) { 1706 goto falert; 1707 } 1708 1709 MD5Init(&ssl->hs_md5); 1710 SHA1Init(&ssl->hs_sha1); 1711 1712 kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz); 1713 1714 recend = mp->b_rptr + recsz; 1715 1716 if (*mp->b_rptr != 1) { 1717 goto falert; 1718 } 1719 mp->b_rptr += 3; 1720 1721 nsuites = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 1722 sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3]; 1723 randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5]; 1724 if (nsuites % 3 != 0) { 1725 KSSL_DEBUG2_IF(kssl_debug, 1726 "kssl_handle_v2client_hello nsuites = %d, error.", 1727 nsuites); 1728 goto falert; 1729 } 1730 if (randlen < SSL_MIN_CHALLENGE_BYTES || 1731 randlen > SSL_MAX_CHALLENGE_BYTES) { 1732 KSSL_DEBUG2_IF(kssl_debug, 1733 "kssl_handle_v2client_hello randlen out of range: %d", 1734 randlen); 1735 goto falert; 1736 } 1737 mp->b_rptr += 6; 1738 ch_recsz += nsuites + sidlen + randlen; 1739 if (recsz != ch_recsz) { 1740 goto falert; 1741 } 1742 suitesp = mp->b_rptr; 1743 rand = suitesp + nsuites + sidlen; 1744 if (randlen < SSL3_RANDOM_LENGTH) { 1745 bzero(ssl->client_random, SSL3_RANDOM_LENGTH); 1746 } 1747 bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen], 1748 randlen); 1749 1750 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 1751 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 1752 for (j = 0; j < nsuites; j += 3) { 1753 if (suitesp[j] != 0) { 1754 continue; 1755 } 1756 1757 if (suitesp[j + 1] == ((suite >> 8) & 0xff) && 1758 suitesp[j + 2] == (suite & 0xff)) { 1759 break; 1760 } 1761 } 1762 if (j < nsuites) { 1763 break; 1764 } 1765 } 1766 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 1767 KSSL_DEBUG1_IF(kssl_debug, "kssl_handle_v2client_hello - " 1768 "cannot find SSLv2 cipher suite"); 1769 ssl->activeinput = B_FALSE; 1770 return (SSL_MISS); 1771 } 1772 1773 mp->b_rptr = recend; 1774 1775 for (i = 0; i < cipher_suite_defs_nentries; i++) { 1776 if (suite == cipher_suite_defs[i].suite) { 1777 break; 1778 } 1779 } 1780 1781 ASSERT(i < cipher_suite_defs_nentries); 1782 1783 ssl->pending_cipher_suite = suite; 1784 ssl->pending_malg = cipher_suite_defs[i].malg; 1785 ssl->pending_calg = cipher_suite_defs[i].calg; 1786 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 1787 1788 ASSERT(ssl->sid.cached == B_FALSE); 1789 1790 (void) random_get_pseudo_bytes(ssl->sid.session_id, 1791 SSL3_SESSIONID_BYTES); 1792 ssl->sid.client_addr = ssl->faddr; 1793 ssl->sid.cipher_suite = suite; 1794 1795 err = kssl_send_server_hello(ssl); 1796 if (err != 0) { 1797 return (err); 1798 } 1799 err = kssl_send_certificate_and_server_hello_done(ssl); 1800 if (err != 0) { 1801 return (err); 1802 } 1803 KSSL_COUNTER(full_handshakes, 1); 1804 ssl->hs_waitstate = wait_client_key; 1805 ssl->activeinput = B_FALSE; 1806 return (0); 1807 1808 falert: 1809 kssl_send_alert(ssl, alert_fatal, desc); 1810 ssl->activeinput = B_FALSE; 1811 return (EBADMSG); 1812 } 1813 1814 /* 1815 * Call back routine for asynchronously submitted RSA decryption jobs. 1816 * The routine retreived the pre-master secret, and proceeds to generate 1817 * the remaining key materials. 1818 */ 1819 static void 1820 kssl_cke_done(void *arg, int status) 1821 { 1822 int ret = 0; 1823 uchar_t *pms; 1824 size_t pmslen; 1825 crypto_data_t *pms_data; 1826 kssl_cmd_t kssl_cmd = KSSL_CMD_NONE; 1827 ssl_t *ssl = (ssl_t *)arg; 1828 mblk_t *alertmp; 1829 kssl_callback_t cbfn; 1830 void *cbarg; 1831 1832 mutex_enter(&ssl->kssl_lock); 1833 1834 ASSERT(ssl->msg.type == client_key_exchange); 1835 ASSERT(ssl->hs_waitstate == wait_client_key_done); 1836 1837 if (status != CRYPTO_SUCCESS) { 1838 kssl_send_alert(ssl, alert_fatal, decrypt_error); 1839 kssl_cmd = KSSL_CMD_SEND; 1840 goto out; 1841 } 1842 1843 pms_data = (crypto_data_t *)(ssl->job.buf); 1844 1845 ASSERT(pms_data != NULL); 1846 1847 pmslen = pms_data->cd_length; 1848 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1849 1850 /* generate master key and save it in the ssl sid structure */ 1851 if (IS_TLS(ssl)) { 1852 ret = kssl_generate_tls_ms(ssl, pms, pmslen); 1853 if (!CRYPTO_ERR(ret)) 1854 ret = kssl_generate_tls_keyblock(ssl); 1855 } else { 1856 kssl_generate_ssl_ms(ssl, pms, pmslen); 1857 kssl_generate_keyblock(ssl); 1858 } 1859 1860 if (ret == CRYPTO_SUCCESS) 1861 ssl->hs_waitstate = wait_change_cipher; 1862 1863 out: 1864 kmem_free(ssl->job.buf, ssl->job.buflen); 1865 1866 ssl->job.kjob = 0; 1867 ssl->job.buf = NULL; 1868 ssl->job.buflen = 0; 1869 1870 ssl->activeinput = B_FALSE; 1871 1872 /* If we're the only ones left, then we won't callback */ 1873 if (ssl->kssl_refcnt == 1) { 1874 mutex_exit(&ssl->kssl_lock); 1875 KSSL_SSL_REFRELE(ssl); 1876 return; 1877 } 1878 1879 cbfn = ssl->cke_callback_func; 1880 cbarg = ssl->cke_callback_arg; 1881 alertmp = ssl->alert_sendbuf; 1882 ssl->alert_sendbuf = NULL; 1883 1884 mutex_exit(&ssl->kssl_lock); 1885 1886 KSSL_SSL_REFRELE(ssl); 1887 1888 /* Now call the callback routine */ 1889 (*(cbfn))(cbarg, alertmp, kssl_cmd); 1890 } 1891 1892 /* 1893 * Returns the first complete contiguous record out of rec_ass_head 1894 * The record is returned in a separate contiguous mblk, rec_ass_head is 1895 * left pointing to the next record in the queue. 1896 * 1897 * The output looks as follows: 1898 * 1899 * |--------|---------- .... -----|<---------->|<----------->|--- ... ---| 1900 * ^ ^ ^ mac_size pad_size ^ 1901 * | |___ b_rptr b_wptr __| | 1902 * | | 1903 * |___ db_base db_lim ___| 1904 */ 1905 mblk_t * 1906 kssl_get_next_record(ssl_t *ssl) 1907 { 1908 mblk_t *mp, *retmp; 1909 int rhsz = SSL3_HDR_LEN; 1910 uint16_t rec_sz; 1911 int mpsz, total_size; 1912 SSL3ContentType content_type; 1913 1914 ASSERT(MUTEX_HELD(&ssl->kssl_lock)); 1915 1916 mp = ssl->rec_ass_head; 1917 if (mp == NULL) 1918 return (NULL); 1919 1920 /* Fast path: when mp has at least a complete record */ 1921 if (MBLKL(mp) < rhsz) { 1922 /* Not even a complete header in there yet */ 1923 if (msgdsize(mp) < rhsz) { 1924 return (NULL); 1925 } 1926 1927 if (!pullupmsg(mp, rhsz)) { 1928 kssl_send_alert(ssl, alert_fatal, internal_error); 1929 freemsg(mp); 1930 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 1931 return (NULL); 1932 } 1933 } 1934 content_type = (SSL3ContentType)mp->b_rptr[0]; 1935 if (content_type == content_handshake_v2) { 1936 rec_sz = (uint16_t)mp->b_rptr[1]; 1937 rhsz = 2; 1938 } else { 1939 uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3; 1940 rec_sz = BE16_TO_U16(rec_sz_p); 1941 } 1942 1943 /* 1944 * same tests as above. Only rare very fragmented cases will 1945 * incur the cost of msgdsize() and msgpullup(). Well formed 1946 * packets will fall in the most frequent fast path. 1947 */ 1948 total_size = rhsz + rec_sz; 1949 1950 /* 1951 * Missing: defensive against record fabricated with longer than 1952 * MAX record length. 1953 */ 1954 if (MBLKL(mp) < total_size) { 1955 /* Not a complete record yet. Keep accumulating */ 1956 if (msgdsize(mp) < total_size) { 1957 return (NULL); 1958 } 1959 1960 if (!pullupmsg(mp, total_size)) { 1961 kssl_send_alert(ssl, alert_fatal, internal_error); 1962 freemsg(mp); 1963 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 1964 return (NULL); 1965 } 1966 } 1967 mpsz = MBLKL(mp); /* could've changed after the pullup */ 1968 1969 if (mpsz > total_size) { 1970 /* gotta allocate a new block */ 1971 if ((retmp = dupb(mp)) == NULL) { 1972 kssl_send_alert(ssl, alert_fatal, internal_error); 1973 freemsg(mp); 1974 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 1975 return (NULL); 1976 } 1977 1978 retmp->b_wptr = retmp->b_rptr + total_size; 1979 mp->b_rptr += total_size; 1980 ssl->rec_ass_head = mp; 1981 } else { 1982 ASSERT(mpsz == total_size); 1983 ssl->rec_ass_head = mp->b_cont; 1984 mp->b_cont = NULL; 1985 retmp = mp; 1986 } 1987 /* Adjust the tail */ 1988 if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) { 1989 for (; mp->b_cont != NULL; mp = mp->b_cont) { 1990 ssl->rec_ass_tail = mp->b_cont; 1991 } 1992 } 1993 1994 return (retmp); 1995 } 1996 1997 1998 static void 1999 kssl_mblksfree(ssl_t *ssl) 2000 { 2001 2002 ASSERT(ssl != NULL); 2003 2004 if (ssl->rec_ass_head != NULL) { 2005 freemsg(ssl->rec_ass_head); 2006 } 2007 ssl->rec_ass_head = NULL; 2008 ssl->rec_ass_tail = NULL; 2009 2010 if (ssl->msg.head != NULL) { 2011 freemsg(ssl->msg.head); 2012 } 2013 ssl->msg.head = NULL; 2014 ssl->msg.tail = NULL; 2015 2016 if (ssl->handshake_sendbuf != NULL) { 2017 freemsg(ssl->handshake_sendbuf); 2018 ssl->handshake_sendbuf = NULL; 2019 } 2020 if (ssl->alert_sendbuf != NULL) { 2021 freemsg(ssl->alert_sendbuf); 2022 ssl->alert_sendbuf = NULL; 2023 } 2024 } 2025 2026 static void 2027 kssl_specsfree(ssl_t *ssl) 2028 { 2029 KSSLCipherSpec *spec = &ssl->spec[KSSL_READ]; 2030 2031 if (spec->cipher_ctx != NULL) { 2032 crypto_cancel_ctx(spec->cipher_ctx); 2033 spec->cipher_ctx = 0; 2034 } 2035 2036 spec = &ssl->spec[KSSL_WRITE]; 2037 2038 if (spec->cipher_ctx != NULL) { 2039 crypto_cancel_ctx(spec->cipher_ctx); 2040 spec->cipher_ctx = 0; 2041 } 2042 } 2043 2044 /* 2045 * Frees the ssl structure (aka the context of an SSL session). 2046 * Any pending crypto jobs are cancelled. 2047 * Any initiated crypto contexts are freed as well. 2048 */ 2049 void 2050 kssl_free_context(ssl_t *ssl) 2051 { 2052 ASSERT(ssl != NULL); 2053 if (!(MUTEX_HELD(&ssl->kssl_lock))) { 2054 /* we're coming from an external API entry point */ 2055 mutex_enter(&ssl->kssl_lock); 2056 } 2057 2058 if (ssl->job.kjob != NULL) { 2059 crypto_cancel_req(ssl->job.kjob); 2060 kmem_free(ssl->job.buf, ssl->job.buflen); 2061 2062 ssl->job.kjob = 0; 2063 ssl->job.buf = NULL; 2064 ssl->job.buflen = 0; 2065 } 2066 2067 kssl_mblksfree(ssl); 2068 kssl_specsfree(ssl); 2069 2070 KSSL_ENTRY_REFRELE(ssl->kssl_entry); 2071 ssl->kssl_entry = NULL; 2072 2073 mutex_exit(&ssl->kssl_lock); 2074 2075 kmem_cache_free(kssl_cache, ssl); 2076 kssl_cache_count--; 2077 } 2078