1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/stream.h> 28 #include <sys/strsubr.h> 29 #include <sys/stropts.h> 30 #include <sys/strsun.h> 31 #define _SUN_TPI_VERSION 2 32 #include <sys/ddi.h> 33 #include <sys/sunddi.h> 34 #include <sys/debug.h> 35 #include <sys/vtrace.h> 36 #include <sys/kmem.h> 37 #include <sys/cpuvar.h> 38 #include <sys/atomic.h> 39 #include <sys/sysmacros.h> 40 41 #include <sys/errno.h> 42 #include <sys/isa_defs.h> 43 #include <sys/md5.h> 44 #include <sys/sha1.h> 45 #include <sys/random.h> 46 #include <inet/common.h> 47 #include <netinet/in.h> 48 49 #include <sys/systm.h> 50 #include <sys/param.h> 51 52 #include "ksslimpl.h" 53 #include "ksslapi.h" 54 #include "ksslproto.h" 55 56 static ssl3CipherSuiteDef cipher_suite_defs[] = { 57 /* 2 X 16 byte keys + 2 x 20 byte MAC secrets, no IVs */ 58 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, 72}, 59 60 /* 2 X 16 byte keys + 2 x 16 byte MAC secrets, no IVs */ 61 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, 64}, 62 63 /* 2 X 8 byte keys + 2 x 20 byte MAC secrets, 2 x 8 byte IVs */ 64 {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, 72}, 65 66 /* 2 X 24 byte keys + 2 x 20 byte MAC secrets, 2 x 8 byte IVs */ 67 {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, 104}, 68 69 /* 2 X 16 byte keys + 2 x 20 byte MAC secrets, 2 x 16 byte IVs */ 70 {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes128, mac_sha, 104}, 71 72 /* 2 X 32 byte keys + 2 x 20 byte MAC secrets, 2 x 16 byte IVs */ 73 {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes256, mac_sha, 136}, 74 75 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, 40} 76 }; 77 78 static int cipher_suite_defs_nentries = 79 sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]); 80 81 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ 82 /* macsz padsz HashInit HashUpdate HashFinal */ 83 84 {MD5_HASH_LEN, SSL3_MD5_PAD_LEN, 85 (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update, 86 (hashfinal_func_t)MD5Final}, 87 88 {SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN, 89 (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update, 90 (hashfinal_func_t)SHA1Final}, 91 }; 92 93 static uchar_t kssl_pad_1[60] = { 94 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 95 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 96 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 97 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 98 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 99 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 100 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 101 0x36, 0x36, 0x36, 0x36 102 }; 103 static uchar_t kssl_pad_2[60] = { 104 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 105 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 106 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 107 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 108 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 109 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 110 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 111 0x5c, 0x5c, 0x5c, 0x5c 112 }; 113 114 int kssl_cache_count; 115 static boolean_t kssl_synchronous = B_FALSE; 116 117 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t); 118 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t); 119 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int); 120 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int, 121 kssl_callback_t, void *); 122 static int kssl_send_server_hello(ssl_t *); 123 static int kssl_send_certificate_and_server_hello_done(ssl_t *); 124 static int kssl_send_change_cipher_specs(ssl_t *); 125 static int kssl_send_finished(ssl_t *, int); 126 static int kssl_handle_finished(ssl_t *, mblk_t *, int); 127 static void kssl_get_hello_random(uchar_t *); 128 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *); 129 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *); 130 static void kssl_lookup_sid(sslSessionID *, uchar_t *, in6_addr_t *, 131 kssl_entry_t *); 132 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t); 133 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t); 134 static int kssl_generate_tls_keyblock(ssl_t *); 135 static void kssl_generate_keyblock(ssl_t *); 136 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t, 137 int, uchar_t *, int); 138 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t, 139 uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 140 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *, 141 size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 142 static void kssl_cke_done(void *, int); 143 144 #define HMAC_INIT(m, k, c) \ 145 rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end; 146 147 #define HMAC_UPDATE(c, d, l) \ 148 dd.cd_raw.iov_base = (char *)d; \ 149 dd.cd_length = dd.cd_raw.iov_len = l; \ 150 rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end; 151 152 #define HMAC_FINAL(c, d, l) \ 153 mac.cd_raw.iov_base = (char *)d; \ 154 mac.cd_length = mac.cd_raw.iov_len = l; \ 155 rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end; 156 157 /* 158 * This hack can go away once we have SSL3 MAC support by KCF 159 * software providers (See 4873559). 160 */ 161 extern int kcf_md5_threshold; 162 163 int 164 kssl_compute_record_mac( 165 ssl_t *ssl, 166 int direction, 167 uint64_t seq_num, 168 SSL3ContentType ct, 169 uchar_t *versionp, 170 uchar_t *buf, 171 int len, 172 uchar_t *digest) 173 { 174 KSSL_HASHCTX mac_ctx; 175 KSSL_HASHCTX *ctx = &mac_ctx; 176 uchar_t temp[16], *p; 177 KSSLCipherSpec *spec; 178 boolean_t hash_use_ok = B_FALSE; 179 int rv = 0; 180 181 spec = &ssl->spec[direction]; 182 183 if (spec->mac_hashsz == 0) { 184 return (1); 185 } 186 187 p = temp; 188 189 *p++ = (seq_num >> 56) & 0xff; 190 *p++ = (seq_num >> 48) & 0xff; 191 *p++ = (seq_num >> 40) & 0xff; 192 *p++ = (seq_num >> 32) & 0xff; 193 *p++ = (seq_num >> 24) & 0xff; 194 *p++ = (seq_num >> 16) & 0xff; 195 *p++ = (seq_num >> 8) & 0xff; 196 *p++ = (seq_num) & 0xff; 197 *p++ = (uchar_t)ct; 198 if (IS_TLS(ssl)) { 199 *p++ = versionp[0]; 200 *p++ = versionp[1]; 201 } 202 *p++ = (len >> 8) & 0xff; 203 *p++ = (len) & 0xff; 204 205 if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID && 206 len >= kcf_md5_threshold)) { 207 crypto_data_t dd, mac; 208 struct uio uio_pt; 209 struct iovec iovarray_pt[2]; 210 211 /* init the array of iovecs for use in the uio struct */ 212 iovarray_pt[0].iov_base = (char *)temp; 213 iovarray_pt[0].iov_len = (p - temp); 214 iovarray_pt[1].iov_base = (char *)buf; 215 iovarray_pt[1].iov_len = len; 216 217 /* init the uio struct for use in the crypto_data_t struct */ 218 bzero(&uio_pt, sizeof (uio_pt)); 219 uio_pt.uio_iov = iovarray_pt; 220 uio_pt.uio_iovcnt = 2; 221 uio_pt.uio_segflg = UIO_SYSSPACE; 222 223 dd.cd_format = CRYPTO_DATA_UIO; 224 dd.cd_offset = 0; 225 dd.cd_length = (p - temp) + len; 226 dd.cd_miscdata = NULL; 227 dd.cd_uio = &uio_pt; 228 229 mac.cd_format = CRYPTO_DATA_RAW; 230 mac.cd_offset = 0; 231 mac.cd_raw.iov_base = (char *)digest; 232 mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz; 233 234 /* 235 * The calling context can tolerate a blocking call here. 236 * For outgoing traffic, we are in user context 237 * when called from strsock_kssl_output(). For incoming 238 * traffic past the SSL handshake, we are in user 239 * context when called from strsock_kssl_input(). During the 240 * SSL handshake, we are called for client_finished message 241 * handling from a squeue worker thread that gets scheduled 242 * by an SQ_FILL call. This thread is not in interrupt 243 * context and so can block. 244 */ 245 rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key, 246 NULL, &mac, NULL); 247 248 if (CRYPTO_ERR(rv)) { 249 hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED && 250 !IS_TLS(ssl)); 251 if (!hash_use_ok) { 252 DTRACE_PROBE1(kssl_err__crypto_mac_error, 253 int, rv); 254 KSSL_COUNTER(compute_mac_failure, 1); 255 } 256 } 257 } else 258 hash_use_ok = B_TRUE; 259 260 if (hash_use_ok) { 261 bcopy(&(ssl->mac_ctx[direction][0]), ctx, 262 sizeof (KSSL_HASHCTX)); 263 spec->MAC_HashUpdate((void *)ctx, temp, p - temp); 264 spec->MAC_HashUpdate((void *)ctx, buf, len); 265 spec->MAC_HashFinal(digest, (void *)ctx); 266 267 bcopy(&(ssl->mac_ctx[direction][1]), ctx, 268 sizeof (KSSL_HASHCTX)); 269 spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz); 270 spec->MAC_HashFinal(digest, (void *)ctx); 271 } 272 273 return (rv); 274 } 275 276 /* 277 * Handles handshake messages. 278 * Messages to be replied are returned in handshake_sendbuf. 279 */ 280 int 281 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err, 282 kssl_callback_t cbfn, void *arg) 283 { 284 uint32_t msglen; 285 uchar_t msghdr[4]; 286 287 ASSERT(ssl->msg.state == MSG_BODY); 288 ASSERT(ssl->msg.msglen_bytes == 3); 289 ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen); 290 291 ssl->sslcnt++; 292 msglen = ssl->msg.msglen; 293 294 if (ssl->msg.type == client_hello) { 295 MD5Init(&ssl->hs_md5); 296 SHA1Init(&ssl->hs_sha1); 297 } 298 299 if (ssl->msg.type == finished && ssl->resumed == B_FALSE) { 300 if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 301 sender_client) != 0) { 302 *err = SSL_MISS; 303 return (0); 304 } 305 } 306 307 if (ssl->msg.type != finished || ssl->resumed == B_FALSE) { 308 msghdr[0] = (uchar_t)ssl->msg.type; 309 310 msghdr[1] = (uchar_t)(msglen >> 16); 311 msghdr[2] = (uchar_t)(msglen >> 8); 312 msghdr[3] = (uchar_t)(msglen); 313 kssl_update_handshake_hashes(ssl, msghdr, 4); 314 kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen); 315 } 316 317 ssl->msg.state = MSG_INIT; 318 ssl->msg.msglen = 0; 319 ssl->msg.msglen_bytes = 0; 320 321 switch (ssl->msg.type) { 322 case client_hello: 323 if (ssl->hs_waitstate != wait_client_hello) { 324 kssl_send_alert(ssl, alert_fatal, 325 unexpected_message); 326 *err = EBADMSG; 327 ssl->activeinput = B_FALSE; 328 return (1); 329 } 330 *err = kssl_handle_client_hello(ssl, mp, msglen); 331 if (*err == SSL_MISS) { 332 ssl->activeinput = B_FALSE; 333 return (0); 334 } 335 return (1); 336 case client_key_exchange: 337 if (ssl->hs_waitstate != wait_client_key) { 338 kssl_send_alert(ssl, alert_fatal, 339 unexpected_message); 340 *err = EBADMSG; 341 ssl->activeinput = B_FALSE; 342 return (1); 343 } 344 *err = kssl_handle_client_key_exchange(ssl, mp, 345 msglen, cbfn, arg); 346 return (1); 347 case finished: 348 if (ssl->hs_waitstate != wait_finished) { 349 kssl_send_alert(ssl, alert_fatal, 350 unexpected_message); 351 *err = EBADMSG; 352 ssl->activeinput = B_FALSE; 353 return (1); 354 } 355 *err = kssl_handle_finished(ssl, mp, msglen); 356 return (1); 357 default: 358 kssl_send_alert(ssl, alert_fatal, unexpected_message); 359 ssl->activeinput = B_FALSE; 360 *err = EBADMSG; 361 return (1); 362 } 363 } 364 365 static void 366 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len) 367 { 368 MD5Update(&ssl->hs_md5, buf, len); 369 SHA1Update(&ssl->hs_sha1, buf, len); 370 } 371 372 static int 373 kssl_compute_handshake_hashes( 374 ssl_t *ssl, 375 SSL3Hashes *hashes, 376 uint32_t sender) 377 { 378 MD5_CTX md5 = ssl->hs_md5; /* clone md5 context */ 379 SHA1_CTX sha1 = ssl->hs_sha1; /* clone sha1 context */ 380 MD5_CTX *md5ctx = &md5; 381 SHA1_CTX *sha1ctx = &sha1; 382 383 if (IS_TLS(ssl)) { 384 uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN]; 385 char *label; 386 387 /* 388 * Do not take another hash step here. 389 * Just complete the operation. 390 */ 391 MD5Final(hashes->md5, md5ctx); 392 SHA1Final(hashes->sha1, sha1ctx); 393 394 bcopy(hashes->md5, seed, MD5_HASH_LEN); 395 bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN); 396 397 if (sender == sender_client) 398 label = TLS_CLIENT_FINISHED_LABEL; 399 else 400 label = TLS_SERVER_FINISHED_LABEL; 401 402 return (kssl_tls_PRF(ssl, 403 ssl->sid.master_secret, 404 (size_t)SSL3_MASTER_SECRET_LEN, 405 (uchar_t *)label, strlen(label), 406 seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN), 407 hashes->tlshash, (size_t)TLS_FINISHED_SIZE)); 408 } else { 409 uchar_t s[4]; 410 s[0] = (sender >> 24) & 0xff; 411 s[1] = (sender >> 16) & 0xff; 412 s[2] = (sender >> 8) & 0xff; 413 s[3] = (sender) & 0xff; 414 415 MD5Update(md5ctx, s, 4); 416 MD5Update(md5ctx, ssl->sid.master_secret, 417 SSL3_MASTER_SECRET_LEN); 418 MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN); 419 MD5Final(hashes->md5, md5ctx); 420 421 MD5Init(md5ctx); 422 MD5Update(md5ctx, ssl->sid.master_secret, 423 SSL3_MASTER_SECRET_LEN); 424 MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN); 425 MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN); 426 MD5Final(hashes->md5, md5ctx); 427 428 SHA1Update(sha1ctx, s, 4); 429 SHA1Update(sha1ctx, ssl->sid.master_secret, 430 SSL3_MASTER_SECRET_LEN); 431 SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN); 432 SHA1Final(hashes->sha1, sha1ctx); 433 434 SHA1Init(sha1ctx); 435 SHA1Update(sha1ctx, ssl->sid.master_secret, 436 SSL3_MASTER_SECRET_LEN); 437 SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN); 438 SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN); 439 SHA1Final(hashes->sha1, sha1ctx); 440 return (0); 441 } 442 } 443 444 445 /* 446 * Minimum message length for a client hello = 447 * 2-byte client_version + 448 * 32-byte random + 449 * 1-byte session_id length + 450 * 2-byte cipher_suites length + 451 * 1-byte compression_methods length + 452 * 1-byte CompressionMethod.null 453 */ 454 #define KSSL_SSL3_CH_MIN_MSGLEN (39) 455 456 static int 457 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen) 458 { 459 uchar_t *msgend; 460 int err; 461 SSL3AlertDescription desc = illegal_parameter; 462 uint_t sidlen, cslen, cmlen; 463 uchar_t *suitesp; 464 uint_t i, j; 465 uint16_t suite; 466 int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN; 467 468 ASSERT(mp->b_wptr >= mp->b_rptr + msglen); 469 ASSERT(ssl->msg.type == client_hello); 470 ASSERT(ssl->hs_waitstate == wait_client_hello); 471 ASSERT(ssl->resumed == B_FALSE); 472 473 if (msglen < ch_msglen) { 474 goto falert; 475 } 476 477 msgend = mp->b_rptr + msglen; 478 479 /* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */ 480 if (ssl->major_version != 3 || (ssl->major_version == 3 && 481 ssl->minor_version != 0 && ssl->minor_version != 1)) { 482 DTRACE_PROBE2(kssl_err__SSL_version_not_supported, 483 uchar_t, ssl->major_version, 484 uchar_t, ssl->minor_version); 485 desc = handshake_failure; 486 goto falert; 487 } 488 mp->b_rptr += 2; /* skip the version bytes */ 489 490 bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH); 491 mp->b_rptr += SSL3_RANDOM_LENGTH; 492 493 ASSERT(ssl->sid.cached == B_FALSE); 494 sidlen = *mp->b_rptr++; 495 ch_msglen += sidlen; 496 if (msglen < ch_msglen) { 497 goto falert; 498 } 499 if (sidlen != SSL3_SESSIONID_BYTES) { 500 mp->b_rptr += sidlen; 501 } else { 502 kssl_lookup_sid(&ssl->sid, mp->b_rptr, &ssl->faddr, 503 ssl->kssl_entry); 504 mp->b_rptr += SSL3_SESSIONID_BYTES; 505 } 506 507 cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 508 mp->b_rptr += 2; 509 ch_msglen += cslen; 510 511 /* 512 * This check can't be a "!=" since there can be 513 * compression methods other than CompressionMethod.null. 514 * Also, there can be extra data (TLS extensions) after the 515 * compression methods field. We do not support any TLS 516 * extensions and hence ignore them. 517 */ 518 if (msglen < ch_msglen) { 519 goto falert; 520 } 521 522 /* The length has to be even since a cipher suite is 2-byte long */ 523 if (cslen & 0x1) { 524 goto falert; 525 } 526 suitesp = mp->b_rptr; 527 if (ssl->sid.cached == B_TRUE) { 528 suite = ssl->sid.cipher_suite; 529 for (j = 0; j < cslen; j += 2) { 530 if (suitesp[j] == ((suite >> 8) & 0xff) && 531 suitesp[j + 1] == (suite & 0xff)) { 532 break; 533 } 534 } 535 if (j < cslen) { 536 goto suite_found; 537 } 538 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 539 } 540 541 /* Check if this server is capable of the cipher suite */ 542 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 543 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 544 for (j = 0; j < cslen; j += 2) { 545 if (suitesp[j] == ((suite >> 8) & 0xff) && 546 suitesp[j + 1] == (suite & 0xff)) { 547 break; 548 } 549 } 550 if (j < cslen) { 551 break; 552 } 553 } 554 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 555 if (ssl->sslcnt == 1) { 556 KSSL_COUNTER(no_suite_found, 1); 557 return (SSL_MISS); 558 } 559 desc = handshake_failure; 560 DTRACE_PROBE(kssl_err__no_cipher_suites_found); 561 goto falert; 562 } 563 564 suite_found: 565 mp->b_rptr += cslen; 566 567 /* 568 * Check for the mandatory CompressionMethod.null. We do not 569 * support any other compression methods. 570 */ 571 cmlen = *mp->b_rptr++; 572 ch_msglen += cmlen - 1; /* -1 accounts for the null method */ 573 if (msglen < ch_msglen) { 574 goto falert; 575 } 576 577 while (cmlen >= 1) { 578 if (*mp->b_rptr++ == 0) 579 break; 580 cmlen--; 581 } 582 583 if (cmlen == 0) { 584 desc = handshake_failure; 585 DTRACE_PROBE(kssl_err__no_null_method_failure); 586 goto falert; 587 } 588 589 mp->b_rptr = msgend; 590 591 for (i = 0; i < cipher_suite_defs_nentries; i++) { 592 if (suite == cipher_suite_defs[i].suite) { 593 break; 594 } 595 } 596 597 ASSERT(i < cipher_suite_defs_nentries); 598 599 ssl->pending_cipher_suite = suite; 600 ssl->pending_malg = cipher_suite_defs[i].malg; 601 ssl->pending_calg = cipher_suite_defs[i].calg; 602 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 603 604 if (ssl->sid.cached == B_TRUE) { 605 err = kssl_send_server_hello(ssl); 606 if (err != 0) { 607 return (err); 608 } 609 if (IS_TLS(ssl)) 610 err = kssl_generate_tls_keyblock(ssl); 611 else 612 kssl_generate_keyblock(ssl); 613 614 err = kssl_send_change_cipher_specs(ssl); 615 if (err != 0) { 616 return (err); 617 } 618 619 err = kssl_send_finished(ssl, 1); 620 if (err != 0) 621 return (err); 622 623 err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 624 sender_client); 625 if (err != 0) 626 return (err); 627 628 ssl->hs_waitstate = wait_change_cipher; 629 ssl->resumed = B_TRUE; 630 ssl->activeinput = B_FALSE; 631 KSSL_COUNTER(resumed_sessions, 1); 632 return (0); 633 } 634 635 (void) random_get_pseudo_bytes(ssl->sid.session_id, 636 SSL3_SESSIONID_BYTES); 637 ssl->sid.client_addr = ssl->faddr; 638 ssl->sid.cipher_suite = suite; 639 640 err = kssl_send_server_hello(ssl); 641 if (err != 0) { 642 return (err); 643 } 644 err = kssl_send_certificate_and_server_hello_done(ssl); 645 if (err != 0) { 646 return (err); 647 } 648 KSSL_COUNTER(full_handshakes, 1); 649 ssl->hs_waitstate = wait_client_key; 650 ssl->activeinput = B_FALSE; 651 return (0); 652 653 falert: 654 kssl_send_alert(ssl, alert_fatal, desc); 655 return (EBADMSG); 656 } 657 658 #define SET_HASH_INDEX(index, s, clnt_addr) { \ 659 int addr; \ 660 \ 661 IN6_V4MAPPED_TO_IPADDR(clnt_addr, addr); \ 662 index = addr ^ (((int)(s)[0] << 24) | ((int)(s)[1] << 16) | \ 663 ((int)(s)[2] << 8) | (int)(s)[SSL3_SESSIONID_BYTES - 1]); \ 664 } 665 666 /* 667 * Creates a cache entry. Sets the sid->cached flag 668 * and sid->time fields. So, the caller should not set them. 669 */ 670 static void 671 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 672 { 673 uint_t index; 674 uchar_t *s = sid->session_id; 675 kmutex_t *lock; 676 677 ASSERT(sid->cached == B_FALSE); 678 679 /* set the values before creating the cache entry */ 680 sid->cached = B_TRUE; 681 sid->time = ddi_get_lbolt(); 682 683 SET_HASH_INDEX(index, s, &sid->client_addr); 684 index %= kssl_entry->sid_cache_nentries; 685 686 lock = &(kssl_entry->sid_cache[index].se_lock); 687 mutex_enter(lock); 688 kssl_entry->sid_cache[index].se_used++; 689 bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid)); 690 mutex_exit(lock); 691 692 KSSL_COUNTER(sid_cached, 1); 693 } 694 695 /* 696 * Invalidates the cache entry, if any. Clears the sid->cached flag 697 * as a side effect. 698 */ 699 void 700 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 701 { 702 uint_t index; 703 uchar_t *s = sid->session_id; 704 sslSessionID *csid; 705 kmutex_t *lock; 706 707 ASSERT(sid->cached == B_TRUE); 708 sid->cached = B_FALSE; 709 710 SET_HASH_INDEX(index, s, &sid->client_addr); 711 index %= kssl_entry->sid_cache_nentries; 712 713 lock = &(kssl_entry->sid_cache[index].se_lock); 714 mutex_enter(lock); 715 csid = &(kssl_entry->sid_cache[index].se_sid); 716 if (!(IN6_ARE_ADDR_EQUAL(&csid->client_addr, &sid->client_addr)) || 717 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 718 mutex_exit(lock); 719 return; 720 } 721 csid->cached = B_FALSE; 722 mutex_exit(lock); 723 724 KSSL_COUNTER(sid_uncached, 1); 725 } 726 727 static void 728 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, in6_addr_t *faddr, 729 kssl_entry_t *kssl_entry) 730 { 731 uint_t index; 732 kmutex_t *lock; 733 sslSessionID *csid; 734 735 KSSL_COUNTER(sid_cache_lookups, 1); 736 737 SET_HASH_INDEX(index, s, faddr); 738 index %= kssl_entry->sid_cache_nentries; 739 740 lock = &(kssl_entry->sid_cache[index].se_lock); 741 mutex_enter(lock); 742 csid = &(kssl_entry->sid_cache[index].se_sid); 743 if (csid->cached == B_FALSE || 744 !IN6_ARE_ADDR_EQUAL(&csid->client_addr, faddr) || 745 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 746 mutex_exit(lock); 747 return; 748 } 749 750 if (TICK_TO_SEC(ddi_get_lbolt() - csid->time) > 751 kssl_entry->sid_cache_timeout) { 752 csid->cached = B_FALSE; 753 mutex_exit(lock); 754 return; 755 } 756 757 bcopy(csid, sid, sizeof (*sid)); 758 mutex_exit(lock); 759 ASSERT(sid->cached == B_TRUE); 760 761 KSSL_COUNTER(sid_cache_hits, 1); 762 } 763 764 static uchar_t * 765 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp) 766 { 767 size_t len = *lenp; 768 int i = 2; 769 770 if (buf[0] != 0 || buf[1] != 2) { 771 return (NULL); 772 } 773 774 while (i < len) { 775 if (buf[i++] == 0) { 776 *lenp = len - i; 777 break; 778 } 779 } 780 781 if (i == len) { 782 return (NULL); 783 } 784 785 return (buf + i); 786 } 787 788 789 #define KSSL_SSL3_SH_RECLEN (74) 790 #define KSSL_SSL3_FIN_MSGLEN (36) 791 792 #define KSSL_SSL3_MAX_CCP_FIN_MSGLEN (128) /* comfortable upper bound */ 793 794 static int 795 kssl_send_server_hello(ssl_t *ssl) 796 { 797 mblk_t *mp; 798 uchar_t *buf; 799 uchar_t *msgstart; 800 801 mp = allocb(ssl->tcp_mss, BPRI_HI); 802 if (mp == NULL) { 803 KSSL_COUNTER(alloc_fails, 1); 804 return (ENOMEM); 805 } 806 ssl->handshake_sendbuf = mp; 807 buf = mp->b_wptr; 808 809 /* 5 byte record header */ 810 buf[0] = content_handshake; 811 buf[1] = ssl->major_version; 812 buf[2] = ssl->minor_version; 813 buf[3] = KSSL_SSL3_SH_RECLEN >> 8; 814 buf[4] = KSSL_SSL3_SH_RECLEN & 0xff; 815 buf += SSL3_HDR_LEN; 816 817 msgstart = buf; 818 819 /* 6 byte message header */ 820 buf[0] = (uchar_t)server_hello; /* message type */ 821 buf[1] = 0; /* message len byte 0 */ 822 buf[2] = ((KSSL_SSL3_SH_RECLEN - 4) >> 8) & 823 0xff; /* message len byte 1 */ 824 buf[3] = (KSSL_SSL3_SH_RECLEN - 4) & 0xff; /* message len byte 2 */ 825 826 buf[4] = ssl->major_version; /* version byte 0 */ 827 buf[5] = ssl->minor_version; /* version byte 1 */ 828 829 buf += 6; 830 831 kssl_get_hello_random(ssl->server_random); 832 bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH); 833 buf += SSL3_RANDOM_LENGTH; 834 835 buf[0] = SSL3_SESSIONID_BYTES; 836 bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES); 837 buf += SSL3_SESSIONID_BYTES + 1; 838 839 buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff; 840 buf[1] = ssl->pending_cipher_suite & 0xff; 841 842 buf[2] = 0; /* No compression */ 843 844 mp->b_wptr = buf + 3; 845 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 846 847 kssl_update_handshake_hashes(ssl, msgstart, KSSL_SSL3_SH_RECLEN); 848 return (0); 849 } 850 851 static void 852 kssl_get_hello_random(uchar_t *buf) 853 { 854 timestruc_t ts; 855 time_t sec; 856 857 gethrestime(&ts); 858 sec = ts.tv_sec; 859 860 buf[0] = (sec >> 24) & 0xff; 861 buf[1] = (sec >> 16) & 0xff; 862 buf[2] = (sec >> 8) & 0xff; 863 buf[3] = (sec) & 0xff; 864 865 (void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4); 866 867 /* Should this be caching? */ 868 } 869 870 static int 871 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key, 872 size_t hashlen, 873 uchar_t *label, size_t label_len, 874 uchar_t *seed, size_t seedlen, 875 uchar_t *data, size_t datalen) 876 { 877 int rv = 0; 878 uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN]; 879 int bytes_left = datalen; 880 crypto_data_t dd, mac; 881 crypto_context_t ctx; 882 883 dd.cd_format = CRYPTO_DATA_RAW; 884 dd.cd_offset = 0; 885 mac.cd_format = CRYPTO_DATA_RAW; 886 mac.cd_offset = 0; 887 888 /* 889 * A(i) = HMAC_hash(secret, seed + A(i-1)); 890 * A(0) = seed; 891 * 892 * Compute A(1): 893 * A(1) = HMAC_hash(secret, label + seed) 894 * 895 */ 896 HMAC_INIT(mech, key, &ctx); 897 HMAC_UPDATE(ctx, label, label_len); 898 HMAC_UPDATE(ctx, seed, seedlen); 899 HMAC_FINAL(ctx, A1, hashlen); 900 901 /* Compute A(2) ... A(n) */ 902 while (bytes_left > 0) { 903 HMAC_INIT(mech, key, &ctx); 904 HMAC_UPDATE(ctx, A1, hashlen); 905 HMAC_UPDATE(ctx, label, label_len); 906 HMAC_UPDATE(ctx, seed, seedlen); 907 HMAC_FINAL(ctx, result, hashlen); 908 909 /* 910 * The A(i) value is stored in "result". 911 * Save the results of the MAC so it can be input to next 912 * iteration. 913 */ 914 if (bytes_left > hashlen) { 915 /* Store the chunk result */ 916 bcopy(result, data, hashlen); 917 data += hashlen; 918 919 bytes_left -= hashlen; 920 921 /* Update A1 for next iteration */ 922 HMAC_INIT(mech, key, &ctx); 923 HMAC_UPDATE(ctx, A1, hashlen); 924 HMAC_FINAL(ctx, A1, hashlen); 925 926 } else { 927 bcopy(result, data, bytes_left); 928 data += bytes_left; 929 bytes_left = 0; 930 } 931 } 932 end: 933 if (CRYPTO_ERR(rv)) { 934 DTRACE_PROBE1(kssl_err__crypto_mac_error, int, rv); 935 KSSL_COUNTER(compute_mac_failure, 1); 936 } 937 return (rv); 938 } 939 940 /* ARGSUSED */ 941 static int 942 kssl_tls_PRF(ssl_t *ssl, 943 uchar_t *secret, size_t secret_len, 944 uchar_t *label, size_t label_len, 945 uchar_t *seed, size_t seed_len, 946 uchar_t *prfresult, size_t prfresult_len) 947 { 948 /* 949 * RFC 2246: 950 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR 951 * P_SHA1(S2, label + seed); 952 * S1 = 1st half of secret. 953 * S1 = 2nd half of secret. 954 * 955 */ 956 957 int rv, i; 958 uchar_t psha1[MAX_KEYBLOCK_LENGTH]; 959 crypto_key_t S1, S2; 960 961 /* length of secret keys is ceil(length/2) */ 962 size_t slen = roundup(secret_len, 2) / 2; 963 964 if (prfresult_len > MAX_KEYBLOCK_LENGTH) { 965 DTRACE_PROBE1(kssl_err__unexpected_keyblock_size, 966 size_t, prfresult_len); 967 return (CRYPTO_ARGUMENTS_BAD); 968 } 969 970 ASSERT(prfresult != NULL); 971 ASSERT(label != NULL); 972 ASSERT(seed != NULL); 973 974 S1.ck_data = secret; 975 S1.ck_length = slen * 8; /* bits */ 976 S1.ck_format = CRYPTO_KEY_RAW; 977 978 S2.ck_data = secret + slen; 979 S2.ck_length = slen * 8; /* bits */ 980 S2.ck_format = CRYPTO_KEY_RAW; 981 982 rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN, 983 label, label_len, 984 seed, seed_len, 985 prfresult, prfresult_len); 986 if (CRYPTO_ERR(rv)) 987 goto end; 988 989 rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN, 990 label, label_len, 991 seed, seed_len, 992 psha1, prfresult_len); 993 if (CRYPTO_ERR(rv)) 994 goto end; 995 996 for (i = 0; i < prfresult_len; i++) 997 prfresult[i] ^= psha1[i]; 998 999 end: 1000 if (CRYPTO_ERR(rv)) 1001 bzero(prfresult, prfresult_len); 1002 1003 return (rv); 1004 } 1005 1006 #define IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl) \ 1007 (pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN || \ 1008 pms[0] != ssl->major_version || pms[1] != ssl->minor_version) 1009 1010 #define FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) { \ 1011 KSSL_COUNTER(bad_pre_master_secret, 1); \ 1012 pms = buf; \ 1013 pmslen = SSL3_PRE_MASTER_SECRET_LEN; \ 1014 pms[0] = ssl->major_version; \ 1015 pms[1] = ssl->minor_version; \ 1016 (void) random_get_pseudo_bytes(&buf[2], pmslen - 2); \ 1017 } 1018 1019 static int 1020 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 1021 { 1022 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 1023 uchar_t seed[SSL3_RANDOM_LENGTH * 2]; 1024 1025 /* 1026 * Computing the master secret: 1027 * ---------------------------- 1028 * master_secret = PRF (pms, "master secret", 1029 * ClientHello.random + ServerHello.random); 1030 */ 1031 bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH); 1032 bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH, 1033 SSL3_RANDOM_LENGTH); 1034 1035 /* if pms is bad fake it to thwart Bleichenbacher attack */ 1036 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) { 1037 DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack); 1038 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf); 1039 } 1040 1041 return (kssl_tls_PRF(ssl, 1042 pms, pmslen, 1043 (uchar_t *)TLS_MASTER_SECRET_LABEL, 1044 (size_t)strlen(TLS_MASTER_SECRET_LABEL), 1045 seed, sizeof (seed), 1046 ssl->sid.master_secret, 1047 (size_t)sizeof (ssl->sid.master_secret))); 1048 } 1049 1050 1051 static void 1052 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 1053 { 1054 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 1055 uchar_t *ms; 1056 int hlen = MD5_HASH_LEN; 1057 1058 ms = ssl->sid.master_secret; 1059 1060 /* if pms is bad fake it to thwart Bleichenbacher attack */ 1061 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) { 1062 DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack); 1063 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf); 1064 } 1065 1066 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0); 1067 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0); 1068 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen, 1069 0); 1070 } 1071 1072 static int 1073 kssl_generate_tls_keyblock(ssl_t *ssl) 1074 { 1075 uchar_t seed[2 * SSL3_RANDOM_LENGTH]; 1076 1077 bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH); 1078 bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH, 1079 SSL3_RANDOM_LENGTH); 1080 1081 return (kssl_tls_PRF(ssl, ssl->sid.master_secret, 1082 (size_t)SSL3_MASTER_SECRET_LEN, 1083 (uchar_t *)TLS_KEY_EXPANSION_LABEL, 1084 (size_t)strlen(TLS_KEY_EXPANSION_LABEL), 1085 seed, (size_t)sizeof (seed), 1086 ssl->pending_keyblock, 1087 (size_t)ssl->pending_keyblksz)); 1088 1089 } 1090 1091 static void 1092 kssl_generate_keyblock(ssl_t *ssl) 1093 { 1094 uchar_t *ms; 1095 size_t mslen = SSL3_MASTER_SECRET_LEN; 1096 int hlen = MD5_HASH_LEN; 1097 uchar_t *keys = ssl->pending_keyblock; 1098 int steps = howmany(ssl->pending_keyblksz, hlen); 1099 int i; 1100 1101 ms = ssl->sid.master_secret; 1102 1103 ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH); 1104 1105 for (i = 1; i <= steps; i++) { 1106 kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1); 1107 keys += hlen; 1108 } 1109 } 1110 1111 static char *ssl3_key_derive_seeds[9] = {"A", "BB", "CCC", "DDDD", "EEEEE", 1112 "FFFFFF", "GGGGGGG", "HHHHHHHH", "IIIIIIIII"}; 1113 1114 static void 1115 kssl_ssl3_key_material_derive_step( 1116 ssl_t *ssl, 1117 uchar_t *secret, 1118 size_t secretlen, 1119 int step, 1120 uchar_t *dst, 1121 int sr_first) 1122 { 1123 SHA1_CTX sha1, *sha1ctx; 1124 MD5_CTX md5, *md5ctx; 1125 uchar_t sha1_hash[SHA1_HASH_LEN]; 1126 1127 sha1ctx = &sha1; 1128 md5ctx = &md5; 1129 1130 ASSERT(step <= 1131 sizeof (ssl3_key_derive_seeds) / 1132 sizeof (ssl3_key_derive_seeds[0])); 1133 step--; 1134 1135 SHA1Init(sha1ctx); 1136 SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step], 1137 step + 1); 1138 SHA1Update(sha1ctx, secret, secretlen); 1139 if (sr_first) { 1140 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1141 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1142 } else { 1143 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1144 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1145 } 1146 SHA1Final(sha1_hash, sha1ctx); 1147 1148 MD5Init(md5ctx); 1149 MD5Update(md5ctx, secret, secretlen); 1150 MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN); 1151 MD5Final(dst, md5ctx); 1152 } 1153 1154 static int 1155 kssl_send_certificate_and_server_hello_done(ssl_t *ssl) 1156 { 1157 int cur_reclen; 1158 int mss; 1159 int len, copylen; 1160 mblk_t *mp; 1161 uchar_t *cert_buf; 1162 int cert_len; 1163 uchar_t *msgbuf; 1164 Certificate_t *cert; 1165 1166 cert = ssl->kssl_entry->ke_server_certificate; 1167 if (cert == NULL) { 1168 return (ENOENT); 1169 } 1170 cert_buf = cert->msg; 1171 cert_len = cert->len; 1172 1173 mp = ssl->handshake_sendbuf; 1174 mss = ssl->tcp_mss; 1175 ASSERT(mp != NULL); 1176 cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN; 1177 ASSERT(cur_reclen == KSSL_SSL3_SH_RECLEN); 1178 /* Assume MSS is at least 80 bytes */ 1179 ASSERT(mss > cur_reclen + SSL3_HDR_LEN); 1180 ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */ 1181 1182 copylen = mss - (cur_reclen + SSL3_HDR_LEN); 1183 len = cert_len; 1184 copylen = MIN(copylen, len); 1185 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1186 1187 /* new record always starts in a new mblk for simplicity */ 1188 msgbuf = cert_buf; 1189 for (;;) { 1190 ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim); 1191 bcopy(msgbuf, mp->b_wptr, copylen); 1192 msgbuf += copylen; 1193 mp->b_wptr += copylen; 1194 cur_reclen += copylen; 1195 len -= copylen; 1196 if (len == 0) { 1197 break; 1198 } 1199 if (cur_reclen == SSL3_MAX_RECORD_LENGTH) { 1200 cur_reclen = 0; 1201 } 1202 copylen = MIN(len, mss); 1203 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1204 mp->b_cont = allocb(copylen, BPRI_HI); 1205 if (mp->b_cont == NULL) { 1206 KSSL_COUNTER(alloc_fails, 1); 1207 freemsg(ssl->handshake_sendbuf); 1208 ssl->handshake_sendbuf = NULL; 1209 return (ENOMEM); 1210 } 1211 mp = mp->b_cont; 1212 if (cur_reclen == 0) { 1213 mp->b_wptr[0] = content_handshake; 1214 mp->b_wptr[1] = ssl->major_version; 1215 mp->b_wptr[2] = ssl->minor_version; 1216 cur_reclen = MIN(len, SSL3_MAX_RECORD_LENGTH); 1217 mp->b_wptr[3] = (cur_reclen >> 8) & 0xff; 1218 mp->b_wptr[4] = (cur_reclen) & 0xff; 1219 mp->b_wptr += SSL3_HDR_LEN; 1220 cur_reclen = 0; 1221 copylen = MIN(copylen, mss - SSL3_HDR_LEN); 1222 } 1223 } 1224 1225 /* adjust the record length field for the first record */ 1226 mp = ssl->handshake_sendbuf; 1227 cur_reclen = MIN(KSSL_SSL3_SH_RECLEN + cert_len, 1228 SSL3_MAX_RECORD_LENGTH); 1229 mp->b_rptr[3] = (cur_reclen >> 8) & 0xff; 1230 mp->b_rptr[4] = (cur_reclen) & 0xff; 1231 1232 kssl_update_handshake_hashes(ssl, cert_buf, cert_len); 1233 1234 return (0); 1235 } 1236 1237 static int 1238 kssl_send_change_cipher_specs(ssl_t *ssl) 1239 { 1240 mblk_t *mp, *newmp; 1241 uchar_t *buf; 1242 1243 mp = ssl->handshake_sendbuf; 1244 1245 /* We're most likely to hit the fast path for resumed sessions */ 1246 if ((mp != NULL) && 1247 (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) { 1248 buf = mp->b_wptr; 1249 } else { 1250 newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI); 1251 1252 if (newmp == NULL) 1253 return (ENOMEM); /* need to do better job! */ 1254 1255 if (mp == NULL) { 1256 ssl->handshake_sendbuf = newmp; 1257 } else { 1258 linkb(ssl->handshake_sendbuf, newmp); 1259 } 1260 mp = newmp; 1261 buf = mp->b_rptr; 1262 } 1263 1264 /* 5 byte record header */ 1265 buf[0] = content_change_cipher_spec; 1266 buf[1] = ssl->major_version; 1267 buf[2] = ssl->minor_version; 1268 buf[3] = 0; 1269 buf[4] = 1; 1270 buf += SSL3_HDR_LEN; 1271 1272 buf[0] = 1; 1273 1274 mp->b_wptr = buf + 1; 1275 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 1276 1277 ssl->seq_num[KSSL_WRITE] = 0; 1278 return (kssl_spec_init(ssl, KSSL_WRITE)); 1279 } 1280 1281 int 1282 kssl_spec_init(ssl_t *ssl, int dir) 1283 { 1284 KSSL_HASHCTX *ctx; 1285 KSSLCipherSpec *spec = &ssl->spec[dir]; 1286 int ret = 0; 1287 1288 spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz; 1289 spec->mac_padsz = mac_defs[ssl->pending_malg].padsz; 1290 1291 spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit; 1292 spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate; 1293 spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal; 1294 1295 if (dir == KSSL_READ) { 1296 bcopy(ssl->pending_keyblock, ssl->mac_secret[dir], 1297 spec->mac_hashsz); 1298 } else { 1299 bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]), 1300 ssl->mac_secret[dir], spec->mac_hashsz); 1301 } 1302 1303 /* Pre-compute these here. will save cycles on each record later */ 1304 if (!IS_TLS(ssl)) { 1305 ctx = &ssl->mac_ctx[dir][0]; 1306 spec->MAC_HashInit((void *)ctx); 1307 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1308 spec->mac_hashsz); 1309 spec->MAC_HashUpdate((void *)ctx, kssl_pad_1, 1310 spec->mac_padsz); 1311 1312 ctx = &ssl->mac_ctx[dir][1]; 1313 spec->MAC_HashInit((void *)ctx); 1314 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1315 spec->mac_hashsz); 1316 spec->MAC_HashUpdate((void *)ctx, kssl_pad_2, 1317 spec->mac_padsz); 1318 } 1319 1320 spec->cipher_type = cipher_defs[ssl->pending_calg].type; 1321 spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type; 1322 spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize; 1323 spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz; 1324 1325 if (spec->cipher_ctx != NULL) { 1326 crypto_cancel_ctx(spec->cipher_ctx); 1327 spec->cipher_ctx = 0; 1328 } 1329 1330 /* 1331 * Initialize HMAC keys for TLS and SSL3 HMAC keys 1332 * for SSL 3.0. 1333 */ 1334 if (IS_TLS(ssl)) { 1335 if (ssl->pending_malg == mac_md5) { 1336 spec->hmac_mech = hmac_md5_mech; 1337 } else if (ssl->pending_malg == mac_sha) { 1338 spec->hmac_mech = hmac_sha1_mech; 1339 } 1340 1341 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1342 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1343 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1344 } else { 1345 static uint32_t param; 1346 1347 spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID; 1348 spec->hmac_mech.cm_param = (caddr_t)¶m; 1349 spec->hmac_mech.cm_param_len = sizeof (param); 1350 if (ssl->pending_malg == mac_md5) { 1351 spec->hmac_mech.cm_type = 1352 crypto_mech2id("CKM_SSL3_MD5_MAC"); 1353 param = MD5_HASH_LEN; 1354 } else if (ssl->pending_malg == mac_sha) { 1355 spec->hmac_mech.cm_type = 1356 crypto_mech2id("CKM_SSL3_SHA1_MAC"); 1357 param = SHA1_HASH_LEN; 1358 } 1359 1360 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1361 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1362 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1363 } 1364 1365 /* We're done if this is the nil cipher */ 1366 if (spec->cipher_keysz == 0) { 1367 return (0); 1368 } 1369 1370 /* Initialize the key and the active context */ 1371 spec->cipher_key.ck_format = CRYPTO_KEY_RAW; 1372 spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */ 1373 1374 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1375 /* client_write_IV */ 1376 spec->cipher_mech.cm_param = 1377 (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz + 1378 2 * spec->cipher_keysz]); 1379 spec->cipher_mech.cm_param_len = spec->cipher_bsize; 1380 } 1381 spec->cipher_data.cd_format = CRYPTO_DATA_RAW; 1382 if (dir == KSSL_READ) { 1383 spec->cipher_mech.cm_param_len = 1384 cipher_defs[ssl->pending_calg].bsize; 1385 1386 /* client_write_key */ 1387 spec->cipher_key.ck_data = 1388 &(ssl->pending_keyblock[2 * spec->mac_hashsz]); 1389 1390 ret = crypto_decrypt_init(&(spec->cipher_mech), 1391 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1392 if (CRYPTO_ERR(ret)) { 1393 DTRACE_PROBE1(kssl_err__crypto_decrypt_init_read, 1394 int, ret); 1395 } 1396 } else { 1397 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1398 /* server_write_IV */ 1399 spec->cipher_mech.cm_param += spec->cipher_bsize; 1400 } 1401 1402 /* server_write_key */ 1403 spec->cipher_key.ck_data = 1404 &(ssl->pending_keyblock[2 * spec->mac_hashsz + 1405 spec->cipher_keysz]); 1406 1407 ret = crypto_encrypt_init(&(spec->cipher_mech), 1408 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1409 if (CRYPTO_ERR(ret)) 1410 DTRACE_PROBE1(kssl_err__crypto_encrypt_init_non_read, 1411 int, ret); 1412 } 1413 return (ret); 1414 } 1415 1416 static int 1417 kssl_send_finished(ssl_t *ssl, int update_hsh) 1418 { 1419 mblk_t *mp; 1420 uchar_t *buf; 1421 uchar_t *rstart; 1422 uchar_t *versionp; 1423 SSL3Hashes ssl3hashes; 1424 size_t finish_len; 1425 int ret; 1426 1427 mp = ssl->handshake_sendbuf; 1428 ASSERT(mp != NULL); 1429 buf = mp->b_wptr; 1430 ASSERT(buf - mp->b_rptr == SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN + 1431 SSL3_HDR_LEN + 1 || buf - mp->b_rptr == SSL3_HDR_LEN + 1); 1432 1433 rstart = buf; 1434 1435 if (IS_TLS(ssl)) 1436 finish_len = TLS_FINISHED_SIZE; 1437 else 1438 finish_len = KSSL_SSL3_FIN_MSGLEN; 1439 1440 /* 5 byte record header */ 1441 buf[0] = content_handshake; 1442 buf[1] = ssl->major_version; 1443 buf[2] = ssl->minor_version; 1444 buf[3] = 0; 1445 buf[4] = 4 + finish_len; 1446 1447 versionp = &buf[1]; 1448 1449 buf += SSL3_HDR_LEN; 1450 1451 /* 4 byte message header */ 1452 buf[0] = (uchar_t)finished; /* message type */ 1453 buf[1] = 0; /* message len byte 0 */ 1454 buf[2] = 0; /* message len byte 1 */ 1455 buf[3] = finish_len; /* message len byte 2 */ 1456 buf += 4; 1457 1458 if (IS_TLS(ssl)) { 1459 bcopy(ssl->hs_hashes.md5, ssl3hashes.md5, 1460 sizeof (ssl3hashes.md5)); 1461 bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1, 1462 sizeof (ssl3hashes.sha1)); 1463 } 1464 1465 /* Compute hashes for the SENDER side */ 1466 ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server); 1467 if (ret != 0) 1468 return (ret); 1469 1470 if (IS_TLS(ssl)) { 1471 bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash)); 1472 } else { 1473 bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN); 1474 bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN); 1475 } 1476 1477 if (update_hsh) { 1478 kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4); 1479 } 1480 1481 mp->b_wptr = buf + finish_len; 1482 1483 ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp, 1484 rstart, mp); 1485 ASSERT(mp->b_wptr <= mp->b_datap->db_lim); 1486 1487 return (ret); 1488 } 1489 1490 int 1491 kssl_mac_encrypt_record(ssl_t *ssl, 1492 SSL3ContentType ct, 1493 uchar_t *versionp, 1494 uchar_t *rstart, 1495 mblk_t *mp) 1496 { 1497 KSSLCipherSpec *spec; 1498 int mac_sz; 1499 int ret = 0; 1500 uint16_t rec_sz; 1501 int pad_sz; 1502 int i; 1503 1504 ASSERT(ssl != NULL); 1505 ASSERT(rstart >= mp->b_rptr); 1506 ASSERT(rstart < mp->b_wptr); 1507 1508 spec = &ssl->spec[KSSL_WRITE]; 1509 mac_sz = spec->mac_hashsz; 1510 1511 rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN; 1512 ASSERT(rec_sz > 0); 1513 1514 if (mac_sz != 0) { 1515 ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim); 1516 ret = kssl_compute_record_mac(ssl, KSSL_WRITE, 1517 ssl->seq_num[KSSL_WRITE], ct, versionp, 1518 rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr); 1519 if (ret == CRYPTO_SUCCESS) { 1520 ssl->seq_num[KSSL_WRITE]++; 1521 mp->b_wptr += mac_sz; 1522 rec_sz += mac_sz; 1523 } else { 1524 return (ret); 1525 } 1526 } 1527 1528 if (spec->cipher_type == type_block) { 1529 pad_sz = spec->cipher_bsize - 1530 (rec_sz & (spec->cipher_bsize - 1)); 1531 ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim); 1532 for (i = 0; i < pad_sz; i++) { 1533 mp->b_wptr[i] = pad_sz - 1; 1534 } 1535 mp->b_wptr += pad_sz; 1536 rec_sz += pad_sz; 1537 } 1538 1539 ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH); 1540 1541 U16_TO_BE16(rec_sz, rstart + 3); 1542 1543 if (spec->cipher_ctx == 0) 1544 return (ret); 1545 1546 spec->cipher_data.cd_length = rec_sz; 1547 spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN); 1548 spec->cipher_data.cd_raw.iov_len = rec_sz; 1549 /* One record at a time. Otherwise, gotta allocate the crypt_data_t */ 1550 ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data, 1551 NULL, NULL); 1552 if (CRYPTO_ERR(ret)) { 1553 DTRACE_PROBE1(kssl_err__crypto_encrypt_update, 1554 int, ret); 1555 } 1556 return (ret); 1557 } 1558 1559 void 1560 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc) 1561 { 1562 mblk_t *mp; 1563 uchar_t *buf; 1564 KSSLCipherSpec *spec; 1565 1566 ASSERT(ssl != NULL); 1567 1568 ssl->sendalert_level = level; 1569 ssl->sendalert_desc = desc; 1570 1571 if (level == alert_fatal) { 1572 DTRACE_PROBE2(kssl_sending_alert, 1573 SSL3AlertLevel, level, SSL3AlertDescription, desc); 1574 if (ssl->sid.cached == B_TRUE) { 1575 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 1576 } 1577 ssl->fatal_alert = B_TRUE; 1578 KSSL_COUNTER(fatal_alerts, 1); 1579 } else 1580 KSSL_COUNTER(warning_alerts, 1); 1581 1582 spec = &ssl->spec[KSSL_WRITE]; 1583 1584 ASSERT(ssl->alert_sendbuf == NULL); 1585 ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz + 1586 spec->cipher_bsize, BPRI_HI); 1587 if (mp == NULL) { 1588 KSSL_COUNTER(alloc_fails, 1); 1589 return; 1590 } 1591 buf = mp->b_wptr; 1592 1593 /* 5 byte record header */ 1594 buf[0] = content_alert; 1595 buf[1] = ssl->major_version; 1596 buf[2] = ssl->minor_version; 1597 buf[3] = 0; 1598 buf[4] = 2; 1599 buf += SSL3_HDR_LEN; 1600 1601 /* alert contents */ 1602 buf[0] = (uchar_t)level; 1603 buf[1] = (uchar_t)desc; 1604 1605 mp->b_wptr = buf + 2; 1606 } 1607 1608 /* Assumes RSA encryption */ 1609 static int 1610 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen, 1611 kssl_callback_t cbfn, void *arg) 1612 { 1613 char *buf; 1614 uchar_t *pms; 1615 size_t pmslen; 1616 int allocated; 1617 int err, rverr = ENOMEM; 1618 kssl_entry_t *ep; 1619 crypto_key_t *privkey; 1620 crypto_data_t *wrapped_pms_data, *pms_data; 1621 crypto_call_req_t creq, *creqp; 1622 1623 ep = ssl->kssl_entry; 1624 privkey = ep->ke_private_key; 1625 if (privkey == NULL) { 1626 return (ENOENT); 1627 } 1628 1629 ASSERT(ssl->msg.type == client_key_exchange); 1630 ASSERT(ssl->hs_waitstate == wait_client_key); 1631 1632 /* 1633 * TLS adds an extra 2 byte length field before the data. 1634 */ 1635 if (IS_TLS(ssl)) { 1636 msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1]; 1637 mp->b_rptr += 2; 1638 } 1639 1640 /* 1641 * Allocate all we need in one shot. about 300 bytes total, for 1642 * 1024 bit RSA modulus. 1643 * The buffer layout will be: pms_data, wrapped_pms_data, the 1644 * value of the wrapped pms from the client, then room for the 1645 * resulting decrypted premaster secret. 1646 */ 1647 allocated = 2 * (sizeof (crypto_data_t) + msglen); 1648 buf = kmem_alloc(allocated, KM_NOSLEEP); 1649 if (buf == NULL) { 1650 return (ENOMEM); 1651 } 1652 1653 pms_data = (crypto_data_t *)buf; 1654 wrapped_pms_data = &(((crypto_data_t *)buf)[1]); 1655 1656 wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW; 1657 wrapped_pms_data->cd_offset = pms_data->cd_offset = 0; 1658 wrapped_pms_data->cd_length = pms_data->cd_length = msglen; 1659 wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL; 1660 wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen; 1661 wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t); 1662 pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen; 1663 1664 bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen); 1665 mp->b_rptr += msglen; 1666 1667 /* Proceed synchronously if out of interrupt and configured to do so */ 1668 if ((kssl_synchronous) && (!servicing_interrupt())) { 1669 creqp = NULL; 1670 } else { 1671 ssl->cke_callback_func = cbfn; 1672 ssl->cke_callback_arg = arg; 1673 creq.cr_flag = kssl_call_flag; 1674 creq.cr_callback_func = kssl_cke_done; 1675 creq.cr_callback_arg = ssl; 1676 1677 /* The callback routine will release this one */ 1678 KSSL_SSL_REFHOLD(ssl); 1679 1680 creqp = &creq; 1681 } 1682 1683 if (ep->ke_is_nxkey) { 1684 kssl_session_info_t *s; 1685 1686 s = ep->ke_sessinfo; 1687 err = CRYPTO_SUCCESS; 1688 if (!s->is_valid_handle) { 1689 /* Reauthenticate to the provider */ 1690 if (s->do_reauth) { 1691 err = kssl_get_obj_handle(ep); 1692 if (err == CRYPTO_SUCCESS) { 1693 s->is_valid_handle = B_TRUE; 1694 s->do_reauth = B_FALSE; 1695 } 1696 } else 1697 err = CRYPTO_FAILED; 1698 } 1699 1700 if (err == CRYPTO_SUCCESS) { 1701 ASSERT(s->is_valid_handle); 1702 err = crypto_decrypt_prov(s->prov, s->sid, 1703 &rsa_x509_mech, wrapped_pms_data, &s->key, 1704 NULL, pms_data, creqp); 1705 } 1706 1707 /* 1708 * Deal with session specific errors. We translate to 1709 * the closest errno. 1710 */ 1711 switch (err) { 1712 case CRYPTO_KEY_HANDLE_INVALID: 1713 case CRYPTO_SESSION_HANDLE_INVALID: 1714 s->is_valid_handle = B_FALSE; 1715 s->do_reauth = B_TRUE; 1716 rverr = EINVAL; 1717 break; 1718 case CRYPTO_PIN_EXPIRED: 1719 case CRYPTO_PIN_LOCKED: 1720 rverr = EACCES; 1721 break; 1722 case CRYPTO_UNKNOWN_PROVIDER: 1723 rverr = ENXIO; 1724 break; 1725 } 1726 } else { 1727 err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data, 1728 privkey, NULL, pms_data, creqp); 1729 } 1730 1731 switch (err) { 1732 case CRYPTO_SUCCESS: 1733 break; 1734 1735 case CRYPTO_QUEUED: 1736 /* 1737 * Finish the master secret then the rest of key material 1738 * derivation later. 1739 */ 1740 ssl->job.kjob = creq.cr_reqid; 1741 ssl->job.buf = buf; 1742 ssl->job.buflen = allocated; 1743 ssl->hs_waitstate = wait_client_key_done; 1744 return (0); 1745 default: 1746 DTRACE_PROBE1(kssl_err__crypto_decrypt, int, err); 1747 kmem_free(buf, allocated); 1748 return (rverr); 1749 } 1750 1751 pmslen = pms_data->cd_length; 1752 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1753 1754 /* generate master key and save it in the ssl sid structure */ 1755 if (IS_TLS(ssl)) { 1756 err = kssl_generate_tls_ms(ssl, pms, pmslen); 1757 if (!CRYPTO_ERR(err)) 1758 err = kssl_generate_tls_keyblock(ssl); 1759 } else { 1760 kssl_generate_ssl_ms(ssl, pms, pmslen); 1761 kssl_generate_keyblock(ssl); 1762 } 1763 1764 if (err == CRYPTO_SUCCESS) 1765 ssl->hs_waitstate = wait_change_cipher; 1766 1767 ssl->activeinput = B_FALSE; 1768 1769 kmem_free(buf, allocated); 1770 1771 return (0); 1772 } 1773 1774 static int 1775 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen) 1776 { 1777 int err; 1778 size_t finish_len; 1779 int hashcompare; 1780 1781 ASSERT(ssl->msg.type == finished); 1782 ASSERT(ssl->hs_waitstate == wait_finished); 1783 1784 if (IS_TLS(ssl)) 1785 finish_len = TLS_FINISHED_SIZE; 1786 else 1787 finish_len = KSSL_SSL3_FIN_MSGLEN; 1788 1789 if (msglen != finish_len) { 1790 kssl_send_alert(ssl, alert_fatal, illegal_parameter); 1791 return (EBADMSG); 1792 } 1793 1794 if (IS_TLS(ssl)) { 1795 hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash, 1796 finish_len); 1797 } else { 1798 hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len); 1799 } 1800 1801 /* The handshake hashes should be computed by now */ 1802 if (hashcompare != 0) { 1803 kssl_send_alert(ssl, alert_fatal, handshake_failure); 1804 return (EBADMSG); 1805 } 1806 1807 mp->b_rptr += msglen; 1808 1809 ssl->hs_waitstate = idle_handshake; 1810 1811 if (ssl->resumed == B_TRUE) { 1812 ssl->activeinput = B_FALSE; 1813 return (0); 1814 } 1815 1816 err = kssl_send_change_cipher_specs(ssl); 1817 if (err != 0) { 1818 return (err); 1819 } 1820 err = kssl_send_finished(ssl, 0); 1821 if (err != 0) { 1822 return (err); 1823 } 1824 1825 kssl_cache_sid(&ssl->sid, ssl->kssl_entry); 1826 ssl->activeinput = B_FALSE; 1827 1828 return (0); 1829 } 1830 1831 #define KSSL2_CH_MIN_RECSZ (9) 1832 1833 /* 1834 * This method is needed to handle clients which send the 1835 * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers. 1836 * We are not really doing SSLv2 here, just handling the header 1837 * and then switching to SSLv3. 1838 */ 1839 int 1840 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz) 1841 { 1842 uchar_t *recend; 1843 int err; 1844 SSL3AlertDescription desc = illegal_parameter; 1845 uint_t randlen; 1846 uint_t sidlen; 1847 uint_t cslen; 1848 uchar_t *suitesp; 1849 uchar_t *rand; 1850 uint_t i, j; 1851 uint16_t suite; 1852 int ch_recsz = KSSL2_CH_MIN_RECSZ; 1853 1854 ASSERT(mp->b_wptr >= mp->b_rptr + recsz); 1855 ASSERT(ssl->hs_waitstate == wait_client_hello); 1856 ASSERT(ssl->resumed == B_FALSE); 1857 1858 if (recsz < ch_recsz) { 1859 goto falert; 1860 } 1861 1862 MD5Init(&ssl->hs_md5); 1863 SHA1Init(&ssl->hs_sha1); 1864 1865 kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz); 1866 1867 recend = mp->b_rptr + recsz; 1868 1869 if (*mp->b_rptr != 1) { 1870 goto falert; 1871 } 1872 mp->b_rptr += 3; 1873 1874 cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 1875 sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3]; 1876 randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5]; 1877 if (cslen % 3 != 0) { 1878 DTRACE_PROBE1(kssl_err__cipher_suites_len_error, uint_t, cslen); 1879 goto falert; 1880 } 1881 if (randlen < SSL_MIN_CHALLENGE_BYTES || 1882 randlen > SSL_MAX_CHALLENGE_BYTES) { 1883 DTRACE_PROBE1(kssl_err__randlen_out_of_range, 1884 uint_t, randlen); 1885 goto falert; 1886 } 1887 mp->b_rptr += 6; 1888 ch_recsz += cslen + sidlen + randlen; 1889 if (recsz != ch_recsz) { 1890 goto falert; 1891 } 1892 suitesp = mp->b_rptr; 1893 rand = suitesp + cslen + sidlen; 1894 if (randlen < SSL3_RANDOM_LENGTH) { 1895 bzero(ssl->client_random, SSL3_RANDOM_LENGTH); 1896 } 1897 bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen], 1898 randlen); 1899 1900 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 1901 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 1902 for (j = 0; j < cslen; j += 3) { 1903 if (suitesp[j] != 0) { 1904 continue; 1905 } 1906 1907 if (suitesp[j + 1] == ((suite >> 8) & 0xff) && 1908 suitesp[j + 2] == (suite & 0xff)) { 1909 break; 1910 } 1911 } 1912 if (j < cslen) { 1913 break; 1914 } 1915 } 1916 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 1917 DTRACE_PROBE(kssl_err__no_SSLv2_cipher_suite); 1918 ssl->activeinput = B_FALSE; 1919 return (SSL_MISS); 1920 } 1921 1922 mp->b_rptr = recend; 1923 1924 for (i = 0; i < cipher_suite_defs_nentries; i++) { 1925 if (suite == cipher_suite_defs[i].suite) { 1926 break; 1927 } 1928 } 1929 1930 ASSERT(i < cipher_suite_defs_nentries); 1931 1932 ssl->pending_cipher_suite = suite; 1933 ssl->pending_malg = cipher_suite_defs[i].malg; 1934 ssl->pending_calg = cipher_suite_defs[i].calg; 1935 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 1936 1937 ASSERT(ssl->sid.cached == B_FALSE); 1938 1939 (void) random_get_pseudo_bytes(ssl->sid.session_id, 1940 SSL3_SESSIONID_BYTES); 1941 ssl->sid.client_addr = ssl->faddr; 1942 ssl->sid.cipher_suite = suite; 1943 1944 err = kssl_send_server_hello(ssl); 1945 if (err != 0) { 1946 return (err); 1947 } 1948 err = kssl_send_certificate_and_server_hello_done(ssl); 1949 if (err != 0) { 1950 return (err); 1951 } 1952 KSSL_COUNTER(full_handshakes, 1); 1953 ssl->hs_waitstate = wait_client_key; 1954 ssl->activeinput = B_FALSE; 1955 return (0); 1956 1957 falert: 1958 kssl_send_alert(ssl, alert_fatal, desc); 1959 ssl->activeinput = B_FALSE; 1960 return (EBADMSG); 1961 } 1962 1963 /* 1964 * Call back routine for asynchronously submitted RSA decryption jobs. 1965 * This routine retrieves the pre-master secret, and proceeds to generate 1966 * the remaining key materials. 1967 */ 1968 static void 1969 kssl_cke_done(void *arg, int status) 1970 { 1971 int ret = 0; 1972 uchar_t *pms; 1973 size_t pmslen; 1974 crypto_data_t *pms_data; 1975 kssl_cmd_t kssl_cmd = KSSL_CMD_NONE; 1976 ssl_t *ssl = (ssl_t *)arg; 1977 mblk_t *alertmp; 1978 kssl_callback_t cbfn; 1979 void *cbarg; 1980 1981 mutex_enter(&ssl->kssl_lock); 1982 1983 ASSERT(ssl->msg.type == client_key_exchange); 1984 ASSERT(ssl->hs_waitstate == wait_client_key_done); 1985 1986 if (status != CRYPTO_SUCCESS) { 1987 kssl_send_alert(ssl, alert_fatal, decrypt_error); 1988 kssl_cmd = KSSL_CMD_SEND; 1989 goto out; 1990 } 1991 1992 pms_data = (crypto_data_t *)(ssl->job.buf); 1993 1994 ASSERT(pms_data != NULL); 1995 1996 pmslen = pms_data->cd_length; 1997 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1998 1999 /* generate master key and save it in the ssl sid structure */ 2000 if (IS_TLS(ssl)) { 2001 ret = kssl_generate_tls_ms(ssl, pms, pmslen); 2002 if (!CRYPTO_ERR(ret)) 2003 ret = kssl_generate_tls_keyblock(ssl); 2004 } else { 2005 kssl_generate_ssl_ms(ssl, pms, pmslen); 2006 kssl_generate_keyblock(ssl); 2007 } 2008 2009 if (ret == CRYPTO_SUCCESS) 2010 ssl->hs_waitstate = wait_change_cipher; 2011 2012 out: 2013 kmem_free(ssl->job.buf, ssl->job.buflen); 2014 2015 ssl->job.kjob = 0; 2016 ssl->job.buf = NULL; 2017 ssl->job.buflen = 0; 2018 2019 ssl->activeinput = B_FALSE; 2020 2021 /* If we're the only ones left, then we won't callback */ 2022 if (ssl->kssl_refcnt == 1) { 2023 mutex_exit(&ssl->kssl_lock); 2024 KSSL_SSL_REFRELE(ssl); 2025 return; 2026 } 2027 2028 cbfn = ssl->cke_callback_func; 2029 cbarg = ssl->cke_callback_arg; 2030 alertmp = ssl->alert_sendbuf; 2031 ssl->alert_sendbuf = NULL; 2032 2033 mutex_exit(&ssl->kssl_lock); 2034 2035 KSSL_SSL_REFRELE(ssl); 2036 2037 /* Now call the callback routine */ 2038 (*(cbfn))(cbarg, alertmp, kssl_cmd); 2039 } 2040 2041 /* 2042 * Returns the first complete contiguous record out of rec_ass_head 2043 * The record is returned in a separate contiguous mblk, rec_ass_head is 2044 * left pointing to the next record in the queue. 2045 * 2046 * The output looks as follows: 2047 * 2048 * |--------|---------- .... -----|<---------->|<----------->|--- ... ---| 2049 * ^ ^ ^ mac_size pad_size ^ 2050 * | |___ b_rptr b_wptr __| | 2051 * | | 2052 * |___ db_base db_lim ___| 2053 */ 2054 mblk_t * 2055 kssl_get_next_record(ssl_t *ssl) 2056 { 2057 mblk_t *mp, *retmp; 2058 int rhsz = SSL3_HDR_LEN; 2059 uint16_t rec_sz; 2060 int mpsz, total_size; 2061 SSL3ContentType content_type; 2062 2063 ASSERT(MUTEX_HELD(&ssl->kssl_lock)); 2064 2065 mp = ssl->rec_ass_head; 2066 if (mp == NULL) 2067 return (NULL); 2068 2069 /* Fast path: when mp has at least a complete record */ 2070 if (MBLKL(mp) < rhsz) { 2071 DTRACE_PROBE1(kssl_mblk__incomplete_header, 2072 mblk_t *, mp); 2073 /* Not even a complete header in there yet */ 2074 if (msgdsize(mp) < rhsz) { 2075 return (NULL); 2076 } 2077 2078 if (!pullupmsg(mp, rhsz)) { 2079 kssl_send_alert(ssl, alert_fatal, internal_error); 2080 freemsg(mp); 2081 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2082 return (NULL); 2083 } 2084 } 2085 content_type = (SSL3ContentType)mp->b_rptr[0]; 2086 if (content_type == content_handshake_v2) { 2087 DTRACE_PROBE1(kssl_mblk__ssl_v2, mblk_t *, mp); 2088 rec_sz = (uint16_t)mp->b_rptr[1]; 2089 rhsz = 2; 2090 } else { 2091 DTRACE_PROBE1(kssl_mblk__ssl_v3, mblk_t *, mp); 2092 uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3; 2093 rec_sz = BE16_TO_U16(rec_sz_p); 2094 } 2095 2096 /* 2097 * same tests as above. Only rare very fragmented cases will 2098 * incur the cost of msgdsize() and msgpullup(). Well formed 2099 * packets will fall in the most frequent fast path. 2100 */ 2101 total_size = rhsz + rec_sz; 2102 2103 /* 2104 * Missing: defensive against record fabricated with longer than 2105 * MAX record length. 2106 */ 2107 if (MBLKL(mp) < total_size) { 2108 DTRACE_PROBE2(kssl_mblk__smaller_than_total_size, 2109 mblk_t *, mp, int, total_size); 2110 /* Not a complete record yet. Keep accumulating */ 2111 if (msgdsize(mp) < total_size) { 2112 return (NULL); 2113 } 2114 2115 if (!pullupmsg(mp, total_size)) { 2116 kssl_send_alert(ssl, alert_fatal, internal_error); 2117 freemsg(mp); 2118 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2119 return (NULL); 2120 } 2121 } 2122 mpsz = MBLKL(mp); /* could've changed after the pullup */ 2123 2124 if (mpsz > total_size) { 2125 DTRACE_PROBE2(kssl_mblk__bigger_than_total_size, 2126 mblk_t *, mp, int, total_size); 2127 /* gotta allocate a new block */ 2128 if ((retmp = dupb(mp)) == NULL) { 2129 kssl_send_alert(ssl, alert_fatal, internal_error); 2130 freemsg(mp); 2131 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2132 return (NULL); 2133 } 2134 2135 retmp->b_wptr = retmp->b_rptr + total_size; 2136 mp->b_rptr += total_size; 2137 ssl->rec_ass_head = mp; 2138 } else { 2139 DTRACE_PROBE2(kssl_mblk__equal_to_total_size, 2140 mblk_t *, mp, int, total_size); 2141 ASSERT(mpsz == total_size); 2142 ssl->rec_ass_head = mp->b_cont; 2143 mp->b_cont = NULL; 2144 retmp = mp; 2145 } 2146 /* Adjust the tail */ 2147 if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) { 2148 for (; mp->b_cont != NULL; mp = mp->b_cont) { 2149 ssl->rec_ass_tail = mp->b_cont; 2150 } 2151 } 2152 2153 return (retmp); 2154 } 2155 2156 2157 static void 2158 kssl_mblksfree(ssl_t *ssl) 2159 { 2160 2161 ASSERT(ssl != NULL); 2162 2163 if (ssl->rec_ass_head != NULL) { 2164 freemsg(ssl->rec_ass_head); 2165 } 2166 ssl->rec_ass_head = NULL; 2167 ssl->rec_ass_tail = NULL; 2168 2169 if (ssl->msg.head != NULL) { 2170 freemsg(ssl->msg.head); 2171 } 2172 ssl->msg.head = NULL; 2173 ssl->msg.tail = NULL; 2174 2175 if (ssl->handshake_sendbuf != NULL) { 2176 freemsg(ssl->handshake_sendbuf); 2177 ssl->handshake_sendbuf = NULL; 2178 } 2179 if (ssl->alert_sendbuf != NULL) { 2180 freemsg(ssl->alert_sendbuf); 2181 ssl->alert_sendbuf = NULL; 2182 } 2183 } 2184 2185 static void 2186 kssl_specsfree(ssl_t *ssl) 2187 { 2188 KSSLCipherSpec *spec = &ssl->spec[KSSL_READ]; 2189 2190 if (spec->cipher_ctx != NULL) { 2191 crypto_cancel_ctx(spec->cipher_ctx); 2192 spec->cipher_ctx = 0; 2193 } 2194 2195 spec = &ssl->spec[KSSL_WRITE]; 2196 2197 if (spec->cipher_ctx != NULL) { 2198 crypto_cancel_ctx(spec->cipher_ctx); 2199 spec->cipher_ctx = 0; 2200 } 2201 } 2202 2203 /* 2204 * Frees the ssl structure (aka the context of an SSL session). 2205 * Any pending crypto jobs are cancelled. 2206 * Any initiated crypto contexts are freed as well. 2207 */ 2208 void 2209 kssl_free_context(ssl_t *ssl) 2210 { 2211 ASSERT(ssl != NULL); 2212 if (!(MUTEX_HELD(&ssl->kssl_lock))) { 2213 /* we're coming from an external API entry point */ 2214 mutex_enter(&ssl->kssl_lock); 2215 } 2216 2217 if (ssl->job.kjob != NULL) { 2218 crypto_cancel_req(ssl->job.kjob); 2219 kmem_free(ssl->job.buf, ssl->job.buflen); 2220 2221 ssl->job.kjob = 0; 2222 ssl->job.buf = NULL; 2223 ssl->job.buflen = 0; 2224 } 2225 2226 kssl_mblksfree(ssl); 2227 kssl_specsfree(ssl); 2228 2229 KSSL_ENTRY_REFRELE(ssl->kssl_entry); 2230 ssl->kssl_entry = NULL; 2231 2232 mutex_exit(&ssl->kssl_lock); 2233 2234 kmem_cache_free(kssl_cache, ssl); 2235 kssl_cache_count--; 2236 } 2237