1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/stream.h> 28 #include <sys/strsubr.h> 29 #include <sys/stropts.h> 30 #include <sys/strsun.h> 31 #define _SUN_TPI_VERSION 2 32 #include <sys/ddi.h> 33 #include <sys/sunddi.h> 34 #include <sys/debug.h> 35 #include <sys/vtrace.h> 36 #include <sys/kmem.h> 37 #include <sys/cpuvar.h> 38 #include <sys/atomic.h> 39 #include <sys/sysmacros.h> 40 41 #include <sys/errno.h> 42 #include <sys/isa_defs.h> 43 #include <sys/md5.h> 44 #include <sys/sha1.h> 45 #include <sys/random.h> 46 #include <inet/common.h> 47 #include <netinet/in.h> 48 49 #include <sys/systm.h> 50 #include <sys/param.h> 51 52 #include "ksslimpl.h" 53 #include "ksslapi.h" 54 #include "ksslproto.h" 55 56 static ssl3CipherSuiteDef cipher_suite_defs[] = { 57 /* 2 X 16 byte keys + 2 x 20 byte MAC secrets, no IVs */ 58 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, 72}, 59 60 /* 2 X 16 byte keys + 2 x 16 byte MAC secrets, no IVs */ 61 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, 64}, 62 63 /* 2 X 8 byte keys + 2 x 20 byte MAC secrets, 2 x 8 byte IVs */ 64 {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, 72}, 65 66 /* 2 X 24 byte keys + 2 x 20 byte MAC secrets, 2 x 8 byte IVs */ 67 {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, 104}, 68 69 /* 2 X 16 byte keys + 2 x 20 byte MAC secrets, 2 x 16 byte IVs */ 70 {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes128, mac_sha, 104}, 71 72 /* 2 X 32 byte keys + 2 x 20 byte MAC secrets, 2 x 16 byte IVs */ 73 {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes256, mac_sha, 136}, 74 75 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, 40} 76 }; 77 78 static int cipher_suite_defs_nentries = 79 sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]); 80 81 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ 82 /* macsz padsz HashInit HashUpdate HashFinal */ 83 84 {MD5_HASH_LEN, SSL3_MD5_PAD_LEN, 85 (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update, 86 (hashfinal_func_t)MD5Final}, 87 88 {SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN, 89 (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update, 90 (hashfinal_func_t)SHA1Final}, 91 }; 92 93 static uchar_t kssl_pad_1[60] = { 94 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 95 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 96 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 97 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 98 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 99 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 100 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 101 0x36, 0x36, 0x36, 0x36 102 }; 103 static uchar_t kssl_pad_2[60] = { 104 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 105 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 106 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 107 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 108 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 109 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 110 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 111 0x5c, 0x5c, 0x5c, 0x5c 112 }; 113 114 int kssl_cache_count; 115 static boolean_t kssl_synchronous = B_FALSE; 116 117 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t); 118 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t); 119 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int); 120 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int, 121 kssl_callback_t, void *); 122 static int kssl_send_server_hello(ssl_t *); 123 static int kssl_send_certificate_and_server_hello_done(ssl_t *); 124 static int kssl_send_change_cipher_specs(ssl_t *); 125 static int kssl_send_finished(ssl_t *, int); 126 static int kssl_handle_finished(ssl_t *, mblk_t *, int); 127 static void kssl_get_hello_random(uchar_t *); 128 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *); 129 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *); 130 static void kssl_lookup_sid(sslSessionID *, uchar_t *, ipaddr_t, 131 kssl_entry_t *); 132 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t); 133 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t); 134 static int kssl_generate_tls_keyblock(ssl_t *); 135 static void kssl_generate_keyblock(ssl_t *); 136 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t, 137 int, uchar_t *, int); 138 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t, 139 uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 140 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *, 141 size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 142 static void kssl_cke_done(void *, int); 143 144 #define HMAC_INIT(m, k, c) \ 145 rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end; 146 147 #define HMAC_UPDATE(c, d, l) \ 148 dd.cd_raw.iov_base = (char *)d; \ 149 dd.cd_length = dd.cd_raw.iov_len = l; \ 150 rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end; 151 152 #define HMAC_FINAL(c, d, l) \ 153 mac.cd_raw.iov_base = (char *)d; \ 154 mac.cd_length = mac.cd_raw.iov_len = l; \ 155 rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end; 156 157 /* 158 * This hack can go away once we have SSL3 MAC support by KCF 159 * software providers (See 4873559). 160 */ 161 extern int kcf_md5_threshold; 162 163 int 164 kssl_compute_record_mac( 165 ssl_t *ssl, 166 int direction, 167 uint64_t seq_num, 168 SSL3ContentType ct, 169 uchar_t *versionp, 170 uchar_t *buf, 171 int len, 172 uchar_t *digest) 173 { 174 KSSL_HASHCTX mac_ctx; 175 KSSL_HASHCTX *ctx = &mac_ctx; 176 uchar_t temp[16], *p; 177 KSSLCipherSpec *spec; 178 boolean_t hash_use_ok = B_FALSE; 179 int rv = 0; 180 181 spec = &ssl->spec[direction]; 182 183 if (spec->mac_hashsz == 0) { 184 return (1); 185 } 186 187 p = temp; 188 189 *p++ = (seq_num >> 56) & 0xff; 190 *p++ = (seq_num >> 48) & 0xff; 191 *p++ = (seq_num >> 40) & 0xff; 192 *p++ = (seq_num >> 32) & 0xff; 193 *p++ = (seq_num >> 24) & 0xff; 194 *p++ = (seq_num >> 16) & 0xff; 195 *p++ = (seq_num >> 8) & 0xff; 196 *p++ = (seq_num) & 0xff; 197 *p++ = (uchar_t)ct; 198 if (IS_TLS(ssl)) { 199 *p++ = versionp[0]; 200 *p++ = versionp[1]; 201 } 202 *p++ = (len >> 8) & 0xff; 203 *p++ = (len) & 0xff; 204 205 if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID && 206 len >= kcf_md5_threshold)) { 207 crypto_data_t dd, mac; 208 struct uio uio_pt; 209 struct iovec iovarray_pt[2]; 210 211 /* init the array of iovecs for use in the uio struct */ 212 iovarray_pt[0].iov_base = (char *)temp; 213 iovarray_pt[0].iov_len = (p - temp); 214 iovarray_pt[1].iov_base = (char *)buf; 215 iovarray_pt[1].iov_len = len; 216 217 /* init the uio struct for use in the crypto_data_t struct */ 218 bzero(&uio_pt, sizeof (uio_pt)); 219 uio_pt.uio_iov = iovarray_pt; 220 uio_pt.uio_iovcnt = 2; 221 uio_pt.uio_segflg = UIO_SYSSPACE; 222 223 dd.cd_format = CRYPTO_DATA_UIO; 224 dd.cd_offset = 0; 225 dd.cd_length = (p - temp) + len; 226 dd.cd_miscdata = NULL; 227 dd.cd_uio = &uio_pt; 228 229 mac.cd_format = CRYPTO_DATA_RAW; 230 mac.cd_offset = 0; 231 mac.cd_raw.iov_base = (char *)digest; 232 mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz; 233 234 /* 235 * The calling context can tolerate a blocking call here. 236 * For outgoing traffic, we are in user context 237 * when called from strsock_kssl_output(). For incoming 238 * traffic past the SSL handshake, we are in user 239 * context when called from strsock_kssl_input(). During the 240 * SSL handshake, we are called for client_finished message 241 * handling from a squeue worker thread that gets scheduled 242 * by an squeue_fill() call. This thread is not in interrupt 243 * context and so can block. 244 */ 245 rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key, 246 NULL, &mac, NULL); 247 248 if (CRYPTO_ERR(rv)) { 249 hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED && 250 !IS_TLS(ssl)); 251 if (!hash_use_ok) { 252 DTRACE_PROBE1(kssl_err__crypto_mac_error, 253 int, rv); 254 KSSL_COUNTER(compute_mac_failure, 1); 255 } 256 } 257 } else 258 hash_use_ok = B_TRUE; 259 260 if (hash_use_ok) { 261 bcopy(&(ssl->mac_ctx[direction][0]), ctx, 262 sizeof (KSSL_HASHCTX)); 263 spec->MAC_HashUpdate((void *)ctx, temp, p - temp); 264 spec->MAC_HashUpdate((void *)ctx, buf, len); 265 spec->MAC_HashFinal(digest, (void *)ctx); 266 267 bcopy(&(ssl->mac_ctx[direction][1]), ctx, 268 sizeof (KSSL_HASHCTX)); 269 spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz); 270 spec->MAC_HashFinal(digest, (void *)ctx); 271 } 272 273 return (rv); 274 } 275 276 /* 277 * Handles handshake messages. 278 * Messages to be replied are returned in handshake_sendbuf. 279 */ 280 int 281 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err, 282 kssl_callback_t cbfn, void *arg) 283 { 284 uint32_t msglen; 285 uchar_t msghdr[4]; 286 287 ASSERT(ssl->msg.state == MSG_BODY); 288 ASSERT(ssl->msg.msglen_bytes == 3); 289 ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen); 290 291 ssl->sslcnt++; 292 msglen = ssl->msg.msglen; 293 294 if (ssl->msg.type == client_hello) { 295 MD5Init(&ssl->hs_md5); 296 SHA1Init(&ssl->hs_sha1); 297 } 298 299 if (ssl->msg.type == finished && ssl->resumed == B_FALSE) { 300 if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 301 sender_client) != 0) { 302 *err = SSL_MISS; 303 return (0); 304 } 305 } 306 307 if (ssl->msg.type != finished || ssl->resumed == B_FALSE) { 308 msghdr[0] = (uchar_t)ssl->msg.type; 309 310 msghdr[1] = (uchar_t)(msglen >> 16); 311 msghdr[2] = (uchar_t)(msglen >> 8); 312 msghdr[3] = (uchar_t)(msglen); 313 kssl_update_handshake_hashes(ssl, msghdr, 4); 314 kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen); 315 } 316 317 ssl->msg.state = MSG_INIT; 318 ssl->msg.msglen = 0; 319 ssl->msg.msglen_bytes = 0; 320 321 switch (ssl->msg.type) { 322 case client_hello: 323 if (ssl->hs_waitstate != wait_client_hello) { 324 kssl_send_alert(ssl, alert_fatal, 325 unexpected_message); 326 *err = EBADMSG; 327 ssl->activeinput = B_FALSE; 328 return (1); 329 } 330 *err = kssl_handle_client_hello(ssl, mp, msglen); 331 if (*err == SSL_MISS) { 332 ssl->activeinput = B_FALSE; 333 return (0); 334 } 335 return (1); 336 case client_key_exchange: 337 if (ssl->hs_waitstate != wait_client_key) { 338 kssl_send_alert(ssl, alert_fatal, 339 unexpected_message); 340 *err = EBADMSG; 341 ssl->activeinput = B_FALSE; 342 return (1); 343 } 344 *err = kssl_handle_client_key_exchange(ssl, mp, 345 msglen, cbfn, arg); 346 return (1); 347 case finished: 348 if (ssl->hs_waitstate != wait_finished) { 349 kssl_send_alert(ssl, alert_fatal, 350 unexpected_message); 351 *err = EBADMSG; 352 ssl->activeinput = B_FALSE; 353 return (1); 354 } 355 *err = kssl_handle_finished(ssl, mp, msglen); 356 return (1); 357 default: 358 kssl_send_alert(ssl, alert_fatal, unexpected_message); 359 ssl->activeinput = B_FALSE; 360 *err = EBADMSG; 361 return (1); 362 } 363 } 364 365 static void 366 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len) 367 { 368 MD5Update(&ssl->hs_md5, buf, len); 369 SHA1Update(&ssl->hs_sha1, buf, len); 370 } 371 372 static int 373 kssl_compute_handshake_hashes( 374 ssl_t *ssl, 375 SSL3Hashes *hashes, 376 uint32_t sender) 377 { 378 MD5_CTX md5 = ssl->hs_md5; /* clone md5 context */ 379 SHA1_CTX sha1 = ssl->hs_sha1; /* clone sha1 context */ 380 MD5_CTX *md5ctx = &md5; 381 SHA1_CTX *sha1ctx = &sha1; 382 383 if (IS_TLS(ssl)) { 384 uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN]; 385 char *label; 386 387 /* 388 * Do not take another hash step here. 389 * Just complete the operation. 390 */ 391 MD5Final(hashes->md5, md5ctx); 392 SHA1Final(hashes->sha1, sha1ctx); 393 394 bcopy(hashes->md5, seed, MD5_HASH_LEN); 395 bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN); 396 397 if (sender == sender_client) 398 label = TLS_CLIENT_FINISHED_LABEL; 399 else 400 label = TLS_SERVER_FINISHED_LABEL; 401 402 return (kssl_tls_PRF(ssl, 403 ssl->sid.master_secret, 404 (size_t)SSL3_MASTER_SECRET_LEN, 405 (uchar_t *)label, strlen(label), 406 seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN), 407 hashes->tlshash, (size_t)TLS_FINISHED_SIZE)); 408 } else { 409 uchar_t s[4]; 410 s[0] = (sender >> 24) & 0xff; 411 s[1] = (sender >> 16) & 0xff; 412 s[2] = (sender >> 8) & 0xff; 413 s[3] = (sender) & 0xff; 414 415 MD5Update(md5ctx, s, 4); 416 MD5Update(md5ctx, ssl->sid.master_secret, 417 SSL3_MASTER_SECRET_LEN); 418 MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN); 419 MD5Final(hashes->md5, md5ctx); 420 421 MD5Init(md5ctx); 422 MD5Update(md5ctx, ssl->sid.master_secret, 423 SSL3_MASTER_SECRET_LEN); 424 MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN); 425 MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN); 426 MD5Final(hashes->md5, md5ctx); 427 428 SHA1Update(sha1ctx, s, 4); 429 SHA1Update(sha1ctx, ssl->sid.master_secret, 430 SSL3_MASTER_SECRET_LEN); 431 SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN); 432 SHA1Final(hashes->sha1, sha1ctx); 433 434 SHA1Init(sha1ctx); 435 SHA1Update(sha1ctx, ssl->sid.master_secret, 436 SSL3_MASTER_SECRET_LEN); 437 SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN); 438 SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN); 439 SHA1Final(hashes->sha1, sha1ctx); 440 return (0); 441 } 442 } 443 444 445 /* 446 * Minimum message length for a client hello = 447 * 2-byte client_version + 448 * 32-byte random + 449 * 1-byte session_id length + 450 * 2-byte cipher_suites length + 451 * 1-byte compression_methods length + 452 * 1-byte CompressionMethod.null 453 */ 454 #define KSSL_SSL3_CH_MIN_MSGLEN (39) 455 456 static int 457 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen) 458 { 459 uchar_t *msgend; 460 int err; 461 SSL3AlertDescription desc = illegal_parameter; 462 uint_t sidlen, cslen, cmlen; 463 uchar_t *suitesp; 464 uint_t i, j; 465 uint16_t suite; 466 int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN; 467 468 ASSERT(mp->b_wptr >= mp->b_rptr + msglen); 469 ASSERT(ssl->msg.type == client_hello); 470 ASSERT(ssl->hs_waitstate == wait_client_hello); 471 ASSERT(ssl->resumed == B_FALSE); 472 473 if (msglen < ch_msglen) { 474 goto falert; 475 } 476 477 msgend = mp->b_rptr + msglen; 478 479 /* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */ 480 if (ssl->major_version != 3 || (ssl->major_version == 3 && 481 ssl->minor_version != 0 && ssl->minor_version != 1)) { 482 DTRACE_PROBE2(kssl_err__SSL_version_not_supported, 483 uchar_t, ssl->major_version, 484 uchar_t, ssl->minor_version); 485 desc = handshake_failure; 486 goto falert; 487 } 488 mp->b_rptr += 2; /* skip the version bytes */ 489 490 bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH); 491 mp->b_rptr += SSL3_RANDOM_LENGTH; 492 493 ASSERT(ssl->sid.cached == B_FALSE); 494 sidlen = *mp->b_rptr++; 495 ch_msglen += sidlen; 496 if (msglen < ch_msglen) { 497 goto falert; 498 } 499 if (sidlen != SSL3_SESSIONID_BYTES) { 500 mp->b_rptr += sidlen; 501 } else { 502 kssl_lookup_sid(&ssl->sid, mp->b_rptr, ssl->faddr, 503 ssl->kssl_entry); 504 mp->b_rptr += SSL3_SESSIONID_BYTES; 505 } 506 507 cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 508 mp->b_rptr += 2; 509 ch_msglen += cslen; 510 511 /* 512 * This check can't be a "!=" since there can be 513 * compression methods other than CompressionMethod.null. 514 * Also, there can be extra data (TLS extensions) after the 515 * compression methods field. We do not support any TLS 516 * extensions and hence ignore them. 517 */ 518 if (msglen < ch_msglen) { 519 goto falert; 520 } 521 522 /* The length has to be even since a cipher suite is 2-byte long */ 523 if (cslen & 0x1) { 524 goto falert; 525 } 526 suitesp = mp->b_rptr; 527 if (ssl->sid.cached == B_TRUE) { 528 suite = ssl->sid.cipher_suite; 529 for (j = 0; j < cslen; j += 2) { 530 if (suitesp[j] == ((suite >> 8) & 0xff) && 531 suitesp[j + 1] == (suite & 0xff)) { 532 break; 533 } 534 } 535 if (j < cslen) { 536 goto suite_found; 537 } 538 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 539 ssl->sid.cached = B_FALSE; 540 } 541 542 /* Check if this server is capable of the cipher suite */ 543 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 544 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 545 for (j = 0; j < cslen; j += 2) { 546 if (suitesp[j] == ((suite >> 8) & 0xff) && 547 suitesp[j + 1] == (suite & 0xff)) { 548 break; 549 } 550 } 551 if (j < cslen) { 552 break; 553 } 554 } 555 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 556 if (ssl->sslcnt == 1) { 557 KSSL_COUNTER(no_suite_found, 1); 558 return (SSL_MISS); 559 } 560 desc = handshake_failure; 561 DTRACE_PROBE(kssl_err__no_cipher_suites_found); 562 goto falert; 563 } 564 565 suite_found: 566 mp->b_rptr += cslen; 567 568 /* 569 * Check for the mandatory CompressionMethod.null. We do not 570 * support any other compression methods. 571 */ 572 cmlen = *mp->b_rptr++; 573 ch_msglen += cmlen - 1; /* -1 accounts for the null method */ 574 if (msglen < ch_msglen) { 575 goto falert; 576 } 577 578 while (cmlen >= 1) { 579 if (*mp->b_rptr++ == 0) 580 break; 581 cmlen--; 582 } 583 584 if (cmlen == 0) { 585 desc = handshake_failure; 586 DTRACE_PROBE(kssl_err__no_null_method_failure); 587 goto falert; 588 } 589 590 mp->b_rptr = msgend; 591 592 for (i = 0; i < cipher_suite_defs_nentries; i++) { 593 if (suite == cipher_suite_defs[i].suite) { 594 break; 595 } 596 } 597 598 ASSERT(i < cipher_suite_defs_nentries); 599 600 ssl->pending_cipher_suite = suite; 601 ssl->pending_malg = cipher_suite_defs[i].malg; 602 ssl->pending_calg = cipher_suite_defs[i].calg; 603 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 604 605 if (ssl->sid.cached == B_TRUE) { 606 err = kssl_send_server_hello(ssl); 607 if (err != 0) { 608 return (err); 609 } 610 if (IS_TLS(ssl)) 611 err = kssl_generate_tls_keyblock(ssl); 612 else 613 kssl_generate_keyblock(ssl); 614 615 err = kssl_send_change_cipher_specs(ssl); 616 if (err != 0) { 617 return (err); 618 } 619 620 err = kssl_send_finished(ssl, 1); 621 if (err != 0) 622 return (err); 623 624 err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 625 sender_client); 626 if (err != 0) 627 return (err); 628 629 ssl->hs_waitstate = wait_change_cipher; 630 ssl->resumed = B_TRUE; 631 ssl->activeinput = B_FALSE; 632 KSSL_COUNTER(resumed_sessions, 1); 633 return (0); 634 } 635 636 (void) random_get_pseudo_bytes(ssl->sid.session_id, 637 SSL3_SESSIONID_BYTES); 638 ssl->sid.client_addr = ssl->faddr; 639 ssl->sid.cipher_suite = suite; 640 641 err = kssl_send_server_hello(ssl); 642 if (err != 0) { 643 return (err); 644 } 645 err = kssl_send_certificate_and_server_hello_done(ssl); 646 if (err != 0) { 647 return (err); 648 } 649 KSSL_COUNTER(full_handshakes, 1); 650 ssl->hs_waitstate = wait_client_key; 651 ssl->activeinput = B_FALSE; 652 return (0); 653 654 falert: 655 kssl_send_alert(ssl, alert_fatal, desc); 656 return (EBADMSG); 657 } 658 659 static void 660 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 661 { 662 uint_t index; 663 uchar_t *s = sid->session_id; 664 int l = SSL3_SESSIONID_BYTES - 1; 665 kmutex_t *lock; 666 667 ASSERT(sid->cached == B_TRUE); 668 669 index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 670 ((int)s[2] << 8) | (int)s[l]); 671 672 index %= kssl_entry->sid_cache_nentries; 673 674 sid->time = lbolt; 675 676 lock = &(kssl_entry->sid_cache[index].se_lock); 677 mutex_enter(lock); 678 kssl_entry->sid_cache[index].se_used++; 679 bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid)); 680 mutex_exit(lock); 681 } 682 683 static void 684 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, ipaddr_t faddr, 685 kssl_entry_t *kssl_entry) 686 { 687 uint_t index; 688 int l = SSL3_SESSIONID_BYTES - 1; 689 kmutex_t *lock; 690 sslSessionID *csid; 691 692 ASSERT(sid->cached == B_FALSE); 693 694 KSSL_COUNTER(sid_cache_lookups, 1); 695 696 index = (int)faddr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 697 ((int)s[2] << 8) | (int)s[l]); 698 699 index %= kssl_entry->sid_cache_nentries; 700 701 lock = &(kssl_entry->sid_cache[index].se_lock); 702 mutex_enter(lock); 703 csid = &(kssl_entry->sid_cache[index].se_sid); 704 if (csid->cached == B_FALSE || csid->client_addr != faddr || 705 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 706 mutex_exit(lock); 707 return; 708 } 709 710 if (TICK_TO_SEC(lbolt - csid->time) > kssl_entry->sid_cache_timeout) { 711 csid->cached = B_FALSE; 712 mutex_exit(lock); 713 return; 714 } 715 716 bcopy(csid, sid, sizeof (*sid)); 717 mutex_exit(lock); 718 ASSERT(sid->cached == B_TRUE); 719 720 KSSL_COUNTER(sid_cache_hits, 1); 721 } 722 723 static uchar_t * 724 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp) 725 { 726 size_t len = *lenp; 727 int i = 2; 728 729 if (buf[0] != 0 || buf[1] != 2) { 730 return (NULL); 731 } 732 733 while (i < len) { 734 if (buf[i++] == 0) { 735 *lenp = len - i; 736 break; 737 } 738 } 739 740 if (i == len) { 741 return (NULL); 742 } 743 744 return (buf + i); 745 } 746 747 void 748 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 749 { 750 uint_t index; 751 uchar_t *s = sid->session_id; 752 int l = SSL3_SESSIONID_BYTES - 1; 753 sslSessionID *csid; 754 kmutex_t *lock; 755 756 ASSERT(sid->cached == B_TRUE); 757 758 KSSL_COUNTER(sid_uncached, 1); 759 760 index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 761 ((int)s[2] << 8) | (int)s[l]); 762 763 index %= kssl_entry->sid_cache_nentries; 764 765 lock = &(kssl_entry->sid_cache[index].se_lock); 766 mutex_enter(lock); 767 csid = &(kssl_entry->sid_cache[index].se_sid); 768 if (csid->client_addr != sid->client_addr || 769 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 770 mutex_exit(lock); 771 return; 772 } 773 csid->cached = B_FALSE; 774 mutex_exit(lock); 775 } 776 777 778 #define KSSL_SSL3_SH_RECLEN (74) 779 #define KSSL_SSL3_FIN_MSGLEN (36) 780 781 #define KSSL_SSL3_MAX_CCP_FIN_MSGLEN (128) /* comfortable upper bound */ 782 783 static int 784 kssl_send_server_hello(ssl_t *ssl) 785 { 786 mblk_t *mp; 787 uchar_t *buf; 788 uchar_t *msgstart; 789 790 mp = allocb(ssl->tcp_mss, BPRI_HI); 791 if (mp == NULL) { 792 KSSL_COUNTER(alloc_fails, 1); 793 return (ENOMEM); 794 } 795 ssl->handshake_sendbuf = mp; 796 buf = mp->b_wptr; 797 798 /* 5 byte record header */ 799 buf[0] = content_handshake; 800 buf[1] = ssl->major_version; 801 buf[2] = ssl->minor_version; 802 buf[3] = KSSL_SSL3_SH_RECLEN >> 8; 803 buf[4] = KSSL_SSL3_SH_RECLEN & 0xff; 804 buf += SSL3_HDR_LEN; 805 806 msgstart = buf; 807 808 /* 6 byte message header */ 809 buf[0] = (uchar_t)server_hello; /* message type */ 810 buf[1] = 0; /* message len byte 0 */ 811 buf[2] = ((KSSL_SSL3_SH_RECLEN - 4) >> 8) & 812 0xff; /* message len byte 1 */ 813 buf[3] = (KSSL_SSL3_SH_RECLEN - 4) & 0xff; /* message len byte 2 */ 814 815 buf[4] = ssl->major_version; /* version byte 0 */ 816 buf[5] = ssl->minor_version; /* version byte 1 */ 817 818 buf += 6; 819 820 kssl_get_hello_random(ssl->server_random); 821 bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH); 822 buf += SSL3_RANDOM_LENGTH; 823 824 buf[0] = SSL3_SESSIONID_BYTES; 825 bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES); 826 buf += SSL3_SESSIONID_BYTES + 1; 827 828 buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff; 829 buf[1] = ssl->pending_cipher_suite & 0xff; 830 831 buf[2] = 0; /* No compression */ 832 833 mp->b_wptr = buf + 3; 834 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 835 836 kssl_update_handshake_hashes(ssl, msgstart, KSSL_SSL3_SH_RECLEN); 837 return (0); 838 } 839 840 static void 841 kssl_get_hello_random(uchar_t *buf) 842 { 843 timestruc_t ts; 844 time_t sec; 845 846 gethrestime(&ts); 847 sec = ts.tv_sec; 848 849 buf[0] = (sec >> 24) & 0xff; 850 buf[1] = (sec >> 16) & 0xff; 851 buf[2] = (sec >> 8) & 0xff; 852 buf[3] = (sec) & 0xff; 853 854 (void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4); 855 856 /* Should this be caching? */ 857 } 858 859 static int 860 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key, 861 size_t hashlen, 862 uchar_t *label, size_t label_len, 863 uchar_t *seed, size_t seedlen, 864 uchar_t *data, size_t datalen) 865 { 866 int rv = 0; 867 uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN]; 868 int bytes_left = datalen; 869 crypto_data_t dd, mac; 870 crypto_context_t ctx; 871 872 dd.cd_format = CRYPTO_DATA_RAW; 873 dd.cd_offset = 0; 874 mac.cd_format = CRYPTO_DATA_RAW; 875 mac.cd_offset = 0; 876 877 /* 878 * A(i) = HMAC_hash(secred, seed + A(i-1)); 879 * A(0) = seed; 880 * 881 * Compute A(1): 882 * A(1) = HMAC_hash(secret, label + seed) 883 * 884 */ 885 HMAC_INIT(mech, key, &ctx); 886 HMAC_UPDATE(ctx, label, label_len); 887 HMAC_UPDATE(ctx, seed, seedlen); 888 HMAC_FINAL(ctx, A1, hashlen); 889 890 /* Compute A(2) ... A(n) */ 891 while (bytes_left > 0) { 892 HMAC_INIT(mech, key, &ctx); 893 HMAC_UPDATE(ctx, A1, hashlen); 894 HMAC_UPDATE(ctx, label, label_len); 895 HMAC_UPDATE(ctx, seed, seedlen); 896 HMAC_FINAL(ctx, result, hashlen); 897 898 /* 899 * The A(i) value is stored in "result". 900 * Save the results of the MAC so it can be input to next 901 * iteration. 902 */ 903 if (bytes_left > hashlen) { 904 /* Store the chunk result */ 905 bcopy(result, data, hashlen); 906 data += hashlen; 907 908 bytes_left -= hashlen; 909 910 /* Update A1 for next iteration */ 911 HMAC_INIT(mech, key, &ctx); 912 HMAC_UPDATE(ctx, A1, hashlen); 913 HMAC_FINAL(ctx, A1, hashlen); 914 915 } else { 916 bcopy(result, data, bytes_left); 917 data += bytes_left; 918 bytes_left = 0; 919 } 920 } 921 end: 922 if (CRYPTO_ERR(rv)) { 923 DTRACE_PROBE1(kssl_err__crypto_mac_error, int, rv); 924 KSSL_COUNTER(compute_mac_failure, 1); 925 } 926 return (rv); 927 } 928 929 /* ARGSUSED */ 930 static int 931 kssl_tls_PRF(ssl_t *ssl, 932 uchar_t *secret, size_t secret_len, 933 uchar_t *label, size_t label_len, 934 uchar_t *seed, size_t seed_len, 935 uchar_t *prfresult, size_t prfresult_len) 936 { 937 /* 938 * RFC 2246: 939 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR 940 * P_SHA1(S2, label + seed); 941 * S1 = 1st half of secret. 942 * S1 = 2nd half of secret. 943 * 944 */ 945 946 int rv = 0, i; 947 uchar_t psha1[MAX_KEYBLOCK_LENGTH]; 948 crypto_key_t S1, S2; 949 950 /* length of secret keys is ceil(length/2) */ 951 size_t slen = roundup(secret_len, 2) / 2; 952 953 if (prfresult_len > MAX_KEYBLOCK_LENGTH) { 954 DTRACE_PROBE1(kssl_err__unexpected_keyblock_size, 955 size_t, prfresult_len); 956 return (CRYPTO_ARGUMENTS_BAD); 957 } 958 959 ASSERT(prfresult != NULL); 960 ASSERT(label != NULL); 961 ASSERT(seed != NULL); 962 963 S1.ck_data = secret; 964 S1.ck_length = slen * 8; /* bits */ 965 S1.ck_format = CRYPTO_KEY_RAW; 966 967 S2.ck_data = secret + slen; 968 S2.ck_length = slen * 8; /* bits */ 969 S2.ck_format = CRYPTO_KEY_RAW; 970 971 rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN, 972 label, label_len, 973 seed, seed_len, 974 prfresult, prfresult_len); 975 if (CRYPTO_ERR(rv)) 976 goto end; 977 978 rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN, 979 label, label_len, 980 seed, seed_len, 981 psha1, prfresult_len); 982 if (CRYPTO_ERR(rv)) 983 goto end; 984 985 for (i = 0; i < prfresult_len; i++) 986 prfresult[i] ^= psha1[i]; 987 988 end: 989 if (CRYPTO_ERR(rv)) 990 bzero(prfresult, prfresult_len); 991 992 return (rv); 993 } 994 995 #define IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl) \ 996 (pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN || \ 997 pms[0] != ssl->major_version || pms[1] != ssl->minor_version) 998 999 #define FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) { \ 1000 KSSL_COUNTER(bad_pre_master_secret, 1); \ 1001 pms = buf; \ 1002 pmslen = SSL3_PRE_MASTER_SECRET_LEN; \ 1003 pms[0] = ssl->major_version; \ 1004 pms[1] = ssl->minor_version; \ 1005 (void) random_get_pseudo_bytes(&buf[2], pmslen - 2); \ 1006 } 1007 1008 static int 1009 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 1010 { 1011 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 1012 uchar_t seed[SSL3_RANDOM_LENGTH * 2]; 1013 1014 /* 1015 * Computing the master secret: 1016 * ---------------------------- 1017 * master_secret = PRF (pms, "master secret", 1018 * ClientHello.random + ServerHello.random); 1019 */ 1020 bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH); 1021 bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH, 1022 SSL3_RANDOM_LENGTH); 1023 1024 /* if pms is bad fake it to thwart Bleichenbacher attack */ 1025 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) { 1026 DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack); 1027 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf); 1028 } 1029 1030 return (kssl_tls_PRF(ssl, 1031 pms, pmslen, 1032 (uchar_t *)TLS_MASTER_SECRET_LABEL, 1033 (size_t)strlen(TLS_MASTER_SECRET_LABEL), 1034 seed, sizeof (seed), 1035 ssl->sid.master_secret, 1036 (size_t)sizeof (ssl->sid.master_secret))); 1037 } 1038 1039 1040 static void 1041 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 1042 { 1043 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 1044 uchar_t *ms; 1045 int hlen = MD5_HASH_LEN; 1046 1047 ms = ssl->sid.master_secret; 1048 1049 /* if pms is bad fake it to thwart Bleichenbacher attack */ 1050 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) { 1051 DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack); 1052 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf); 1053 } 1054 1055 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0); 1056 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0); 1057 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen, 1058 0); 1059 } 1060 1061 static int 1062 kssl_generate_tls_keyblock(ssl_t *ssl) 1063 { 1064 uchar_t seed[2 * SSL3_RANDOM_LENGTH]; 1065 1066 bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH); 1067 bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH, 1068 SSL3_RANDOM_LENGTH); 1069 1070 return (kssl_tls_PRF(ssl, ssl->sid.master_secret, 1071 (size_t)SSL3_MASTER_SECRET_LEN, 1072 (uchar_t *)TLS_KEY_EXPANSION_LABEL, 1073 (size_t)strlen(TLS_KEY_EXPANSION_LABEL), 1074 seed, (size_t)sizeof (seed), 1075 ssl->pending_keyblock, 1076 (size_t)ssl->pending_keyblksz)); 1077 1078 } 1079 1080 static void 1081 kssl_generate_keyblock(ssl_t *ssl) 1082 { 1083 uchar_t *ms; 1084 size_t mslen = SSL3_MASTER_SECRET_LEN; 1085 int hlen = MD5_HASH_LEN; 1086 uchar_t *keys = ssl->pending_keyblock; 1087 int steps = howmany(ssl->pending_keyblksz, hlen); 1088 int i; 1089 1090 ms = ssl->sid.master_secret; 1091 1092 ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH); 1093 1094 for (i = 1; i <= steps; i++) { 1095 kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1); 1096 keys += hlen; 1097 } 1098 } 1099 1100 static char *ssl3_key_derive_seeds[9] = {"A", "BB", "CCC", "DDDD", "EEEEE", 1101 "FFFFFF", "GGGGGGG", "HHHHHHHH", "IIIIIIIII"}; 1102 1103 static void 1104 kssl_ssl3_key_material_derive_step( 1105 ssl_t *ssl, 1106 uchar_t *secret, 1107 size_t secretlen, 1108 int step, 1109 uchar_t *dst, 1110 int sr_first) 1111 { 1112 SHA1_CTX sha1, *sha1ctx; 1113 MD5_CTX md5, *md5ctx; 1114 uchar_t sha1_hash[SHA1_HASH_LEN]; 1115 1116 sha1ctx = &sha1; 1117 md5ctx = &md5; 1118 1119 ASSERT(step <= 1120 sizeof (ssl3_key_derive_seeds) / 1121 sizeof (ssl3_key_derive_seeds[0])); 1122 step--; 1123 1124 SHA1Init(sha1ctx); 1125 SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step], 1126 step + 1); 1127 SHA1Update(sha1ctx, secret, secretlen); 1128 if (sr_first) { 1129 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1130 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1131 } else { 1132 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1133 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1134 } 1135 SHA1Final(sha1_hash, sha1ctx); 1136 1137 MD5Init(md5ctx); 1138 MD5Update(md5ctx, secret, secretlen); 1139 MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN); 1140 MD5Final(dst, md5ctx); 1141 } 1142 1143 static int 1144 kssl_send_certificate_and_server_hello_done(ssl_t *ssl) 1145 { 1146 int cur_reclen; 1147 int mss; 1148 int len, copylen; 1149 mblk_t *mp; 1150 uchar_t *cert_buf; 1151 int cert_len; 1152 uchar_t *msgbuf; 1153 Certificate_t *cert; 1154 1155 cert = ssl->kssl_entry->ke_server_certificate; 1156 if (cert == NULL) { 1157 return (ENOENT); 1158 } 1159 cert_buf = cert->msg; 1160 cert_len = cert->len; 1161 1162 mp = ssl->handshake_sendbuf; 1163 mss = ssl->tcp_mss; 1164 ASSERT(mp != NULL); 1165 cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN; 1166 ASSERT(cur_reclen == KSSL_SSL3_SH_RECLEN); 1167 /* Assume MSS is at least 80 bytes */ 1168 ASSERT(mss > cur_reclen + SSL3_HDR_LEN); 1169 ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */ 1170 1171 copylen = mss - (cur_reclen + SSL3_HDR_LEN); 1172 len = cert_len; 1173 copylen = MIN(copylen, len); 1174 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1175 1176 /* new record always starts in a new mblk for simplicity */ 1177 msgbuf = cert_buf; 1178 for (;;) { 1179 ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim); 1180 bcopy(msgbuf, mp->b_wptr, copylen); 1181 msgbuf += copylen; 1182 mp->b_wptr += copylen; 1183 cur_reclen += copylen; 1184 len -= copylen; 1185 if (len == 0) { 1186 break; 1187 } 1188 if (cur_reclen == SSL3_MAX_RECORD_LENGTH) { 1189 cur_reclen = 0; 1190 } 1191 copylen = MIN(len, mss); 1192 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1193 mp->b_cont = allocb(copylen, BPRI_HI); 1194 if (mp->b_cont == NULL) { 1195 KSSL_COUNTER(alloc_fails, 1); 1196 freemsg(ssl->handshake_sendbuf); 1197 ssl->handshake_sendbuf = NULL; 1198 return (ENOMEM); 1199 } 1200 mp = mp->b_cont; 1201 if (cur_reclen == 0) { 1202 mp->b_wptr[0] = content_handshake; 1203 mp->b_wptr[1] = ssl->major_version; 1204 mp->b_wptr[2] = ssl->minor_version; 1205 cur_reclen = MIN(len, SSL3_MAX_RECORD_LENGTH); 1206 mp->b_wptr[3] = (cur_reclen >> 8) & 0xff; 1207 mp->b_wptr[4] = (cur_reclen) & 0xff; 1208 mp->b_wptr += SSL3_HDR_LEN; 1209 cur_reclen = 0; 1210 copylen = MIN(copylen, mss - SSL3_HDR_LEN); 1211 } 1212 } 1213 1214 /* adjust the record length field for the first record */ 1215 mp = ssl->handshake_sendbuf; 1216 cur_reclen = MIN(KSSL_SSL3_SH_RECLEN + cert_len, 1217 SSL3_MAX_RECORD_LENGTH); 1218 mp->b_rptr[3] = (cur_reclen >> 8) & 0xff; 1219 mp->b_rptr[4] = (cur_reclen) & 0xff; 1220 1221 kssl_update_handshake_hashes(ssl, cert_buf, cert_len); 1222 1223 return (0); 1224 } 1225 1226 static int 1227 kssl_send_change_cipher_specs(ssl_t *ssl) 1228 { 1229 mblk_t *mp, *newmp; 1230 uchar_t *buf; 1231 1232 mp = ssl->handshake_sendbuf; 1233 1234 /* We're most likely to hit the fast path for resumed sessions */ 1235 if ((mp != NULL) && 1236 (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) { 1237 buf = mp->b_wptr; 1238 } else { 1239 newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI); 1240 1241 if (newmp == NULL) 1242 return (ENOMEM); /* need to do better job! */ 1243 1244 if (mp == NULL) { 1245 ssl->handshake_sendbuf = newmp; 1246 } else { 1247 linkb(ssl->handshake_sendbuf, newmp); 1248 } 1249 mp = newmp; 1250 buf = mp->b_rptr; 1251 } 1252 1253 /* 5 byte record header */ 1254 buf[0] = content_change_cipher_spec; 1255 buf[1] = ssl->major_version; 1256 buf[2] = ssl->minor_version; 1257 buf[3] = 0; 1258 buf[4] = 1; 1259 buf += SSL3_HDR_LEN; 1260 1261 buf[0] = 1; 1262 1263 mp->b_wptr = buf + 1; 1264 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 1265 1266 ssl->seq_num[KSSL_WRITE] = 0; 1267 return (kssl_spec_init(ssl, KSSL_WRITE)); 1268 } 1269 1270 int 1271 kssl_spec_init(ssl_t *ssl, int dir) 1272 { 1273 KSSL_HASHCTX *ctx; 1274 KSSLCipherSpec *spec = &ssl->spec[dir]; 1275 int ret = 0; 1276 1277 spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz; 1278 spec->mac_padsz = mac_defs[ssl->pending_malg].padsz; 1279 1280 spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit; 1281 spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate; 1282 spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal; 1283 1284 if (dir == KSSL_READ) { 1285 bcopy(ssl->pending_keyblock, ssl->mac_secret[dir], 1286 spec->mac_hashsz); 1287 } else { 1288 bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]), 1289 ssl->mac_secret[dir], spec->mac_hashsz); 1290 } 1291 1292 /* Pre-compute these here. will save cycles on each record later */ 1293 if (!IS_TLS(ssl)) { 1294 ctx = &ssl->mac_ctx[dir][0]; 1295 spec->MAC_HashInit((void *)ctx); 1296 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1297 spec->mac_hashsz); 1298 spec->MAC_HashUpdate((void *)ctx, kssl_pad_1, 1299 spec->mac_padsz); 1300 1301 ctx = &ssl->mac_ctx[dir][1]; 1302 spec->MAC_HashInit((void *)ctx); 1303 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1304 spec->mac_hashsz); 1305 spec->MAC_HashUpdate((void *)ctx, kssl_pad_2, 1306 spec->mac_padsz); 1307 } 1308 1309 spec->cipher_type = cipher_defs[ssl->pending_calg].type; 1310 spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type; 1311 spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize; 1312 spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz; 1313 1314 if (spec->cipher_ctx != NULL) { 1315 crypto_cancel_ctx(spec->cipher_ctx); 1316 spec->cipher_ctx = 0; 1317 } 1318 1319 /* 1320 * Initialize HMAC keys for TLS and SSL3 HMAC keys 1321 * for SSL 3.0. 1322 */ 1323 if (IS_TLS(ssl)) { 1324 if (ssl->pending_malg == mac_md5) { 1325 spec->hmac_mech = hmac_md5_mech; 1326 } else if (ssl->pending_malg == mac_sha) { 1327 spec->hmac_mech = hmac_sha1_mech; 1328 } 1329 1330 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1331 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1332 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1333 } else { 1334 static uint32_t param; 1335 1336 spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID; 1337 spec->hmac_mech.cm_param = (caddr_t)¶m; 1338 spec->hmac_mech.cm_param_len = sizeof (param); 1339 if (ssl->pending_malg == mac_md5) { 1340 spec->hmac_mech.cm_type = 1341 crypto_mech2id("CKM_SSL3_MD5_MAC"); 1342 param = MD5_HASH_LEN; 1343 } else if (ssl->pending_malg == mac_sha) { 1344 spec->hmac_mech.cm_type = 1345 crypto_mech2id("CKM_SSL3_SHA1_MAC"); 1346 param = SHA1_HASH_LEN; 1347 } 1348 1349 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1350 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1351 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1352 } 1353 1354 /* We're done if this is the nil cipher */ 1355 if (spec->cipher_keysz == 0) { 1356 return (0); 1357 } 1358 1359 /* Initialize the key and the active context */ 1360 spec->cipher_key.ck_format = CRYPTO_KEY_RAW; 1361 spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */ 1362 1363 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1364 /* client_write_IV */ 1365 spec->cipher_mech.cm_param = 1366 (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz + 1367 2 * spec->cipher_keysz]); 1368 spec->cipher_mech.cm_param_len = spec->cipher_bsize; 1369 } 1370 spec->cipher_data.cd_format = CRYPTO_DATA_RAW; 1371 if (dir == KSSL_READ) { 1372 spec->cipher_mech.cm_param_len = 1373 cipher_defs[ssl->pending_calg].bsize; 1374 1375 /* client_write_key */ 1376 spec->cipher_key.ck_data = 1377 &(ssl->pending_keyblock[2 * spec->mac_hashsz]); 1378 1379 ret = crypto_decrypt_init(&(spec->cipher_mech), 1380 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1381 if (CRYPTO_ERR(ret)) { 1382 DTRACE_PROBE1(kssl_err__crypto_decrypt_init_read, 1383 int, ret); 1384 } 1385 } else { 1386 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1387 /* server_write_IV */ 1388 spec->cipher_mech.cm_param += spec->cipher_bsize; 1389 } 1390 1391 /* server_write_key */ 1392 spec->cipher_key.ck_data = 1393 &(ssl->pending_keyblock[2 * spec->mac_hashsz + 1394 spec->cipher_keysz]); 1395 1396 ret = crypto_encrypt_init(&(spec->cipher_mech), 1397 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1398 if (CRYPTO_ERR(ret)) 1399 DTRACE_PROBE1(kssl_err__crypto_encrypt_init_non_read, 1400 int, ret); 1401 } 1402 return (ret); 1403 } 1404 1405 static int 1406 kssl_send_finished(ssl_t *ssl, int update_hsh) 1407 { 1408 mblk_t *mp; 1409 uchar_t *buf; 1410 uchar_t *rstart; 1411 uchar_t *versionp; 1412 SSL3Hashes ssl3hashes; 1413 size_t finish_len; 1414 int ret = 0; 1415 1416 mp = ssl->handshake_sendbuf; 1417 ASSERT(mp != NULL); 1418 buf = mp->b_wptr; 1419 ASSERT(buf - mp->b_rptr == SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN + 1420 SSL3_HDR_LEN + 1 || buf - mp->b_rptr == SSL3_HDR_LEN + 1); 1421 1422 rstart = buf; 1423 1424 if (IS_TLS(ssl)) 1425 finish_len = TLS_FINISHED_SIZE; 1426 else 1427 finish_len = KSSL_SSL3_FIN_MSGLEN; 1428 1429 /* 5 byte record header */ 1430 buf[0] = content_handshake; 1431 buf[1] = ssl->major_version; 1432 buf[2] = ssl->minor_version; 1433 buf[3] = 0; 1434 buf[4] = 4 + finish_len; 1435 1436 versionp = &buf[1]; 1437 1438 buf += SSL3_HDR_LEN; 1439 1440 /* 4 byte message header */ 1441 buf[0] = (uchar_t)finished; /* message type */ 1442 buf[1] = 0; /* message len byte 0 */ 1443 buf[2] = 0; /* message len byte 1 */ 1444 buf[3] = finish_len; /* message len byte 2 */ 1445 buf += 4; 1446 1447 if (IS_TLS(ssl)) { 1448 bcopy(ssl->hs_hashes.md5, ssl3hashes.md5, 1449 sizeof (ssl3hashes.md5)); 1450 bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1, 1451 sizeof (ssl3hashes.sha1)); 1452 } 1453 1454 /* Compute hashes for the SENDER side */ 1455 ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server); 1456 if (ret != 0) 1457 return (ret); 1458 1459 if (IS_TLS(ssl)) { 1460 bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash)); 1461 } else { 1462 bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN); 1463 bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN); 1464 } 1465 1466 if (update_hsh) { 1467 kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4); 1468 } 1469 1470 mp->b_wptr = buf + finish_len; 1471 1472 ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp, 1473 rstart, mp); 1474 ASSERT(mp->b_wptr <= mp->b_datap->db_lim); 1475 1476 return (ret); 1477 } 1478 1479 int 1480 kssl_mac_encrypt_record(ssl_t *ssl, 1481 SSL3ContentType ct, 1482 uchar_t *versionp, 1483 uchar_t *rstart, 1484 mblk_t *mp) 1485 { 1486 KSSLCipherSpec *spec; 1487 int mac_sz; 1488 int ret = 0; 1489 uint16_t rec_sz; 1490 int pad_sz; 1491 int i; 1492 1493 ASSERT(ssl != NULL); 1494 ASSERT(rstart >= mp->b_rptr); 1495 ASSERT(rstart < mp->b_wptr); 1496 1497 spec = &ssl->spec[KSSL_WRITE]; 1498 mac_sz = spec->mac_hashsz; 1499 1500 rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN; 1501 ASSERT(rec_sz > 0); 1502 1503 if (mac_sz != 0) { 1504 ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim); 1505 ret = kssl_compute_record_mac(ssl, KSSL_WRITE, 1506 ssl->seq_num[KSSL_WRITE], ct, versionp, 1507 rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr); 1508 if (ret == CRYPTO_SUCCESS) { 1509 ssl->seq_num[KSSL_WRITE]++; 1510 mp->b_wptr += mac_sz; 1511 rec_sz += mac_sz; 1512 } else { 1513 return (ret); 1514 } 1515 } 1516 1517 if (spec->cipher_type == type_block) { 1518 pad_sz = spec->cipher_bsize - 1519 (rec_sz & (spec->cipher_bsize - 1)); 1520 ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim); 1521 for (i = 0; i < pad_sz; i++) { 1522 mp->b_wptr[i] = pad_sz - 1; 1523 } 1524 mp->b_wptr += pad_sz; 1525 rec_sz += pad_sz; 1526 } 1527 1528 ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH); 1529 1530 U16_TO_BE16(rec_sz, rstart + 3); 1531 1532 if (spec->cipher_ctx == 0) 1533 return (ret); 1534 1535 spec->cipher_data.cd_length = rec_sz; 1536 spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN); 1537 spec->cipher_data.cd_raw.iov_len = rec_sz; 1538 /* One record at a time. Otherwise, gotta allocate the crypt_data_t */ 1539 ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data, 1540 NULL, NULL); 1541 if (CRYPTO_ERR(ret)) { 1542 DTRACE_PROBE1(kssl_err__crypto_encrypt_update, 1543 int, ret); 1544 } 1545 return (ret); 1546 } 1547 1548 void 1549 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc) 1550 { 1551 mblk_t *mp; 1552 uchar_t *buf; 1553 KSSLCipherSpec *spec; 1554 1555 ASSERT(ssl != NULL); 1556 1557 ssl->sendalert_level = level; 1558 ssl->sendalert_desc = desc; 1559 1560 if (level == alert_fatal) { 1561 DTRACE_PROBE2(kssl_sending_alert, 1562 SSL3AlertLevel, level, SSL3AlertDescription, desc); 1563 if (ssl->sid.cached == B_TRUE) { 1564 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 1565 ssl->sid.cached = B_FALSE; 1566 } 1567 ssl->fatal_alert = B_TRUE; 1568 KSSL_COUNTER(fatal_alerts, 1); 1569 } else 1570 KSSL_COUNTER(warning_alerts, 1); 1571 1572 spec = &ssl->spec[KSSL_WRITE]; 1573 1574 ASSERT(ssl->alert_sendbuf == NULL); 1575 ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz + 1576 spec->cipher_bsize, BPRI_HI); 1577 if (mp == NULL) { 1578 KSSL_COUNTER(alloc_fails, 1); 1579 return; 1580 } 1581 buf = mp->b_wptr; 1582 1583 /* 5 byte record header */ 1584 buf[0] = content_alert; 1585 buf[1] = ssl->major_version; 1586 buf[2] = ssl->minor_version; 1587 buf[3] = 0; 1588 buf[4] = 2; 1589 buf += SSL3_HDR_LEN; 1590 1591 /* alert contents */ 1592 buf[0] = (uchar_t)level; 1593 buf[1] = (uchar_t)desc; 1594 1595 mp->b_wptr = buf + 2; 1596 } 1597 1598 /* Assumes RSA encryption */ 1599 static int 1600 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen, 1601 kssl_callback_t cbfn, void *arg) 1602 { 1603 char *buf; 1604 uchar_t *pms; 1605 size_t pmslen; 1606 int allocated; 1607 int err, rverr = ENOMEM; 1608 kssl_entry_t *ep; 1609 crypto_key_t *privkey; 1610 crypto_data_t *wrapped_pms_data, *pms_data; 1611 crypto_call_req_t creq, *creqp; 1612 1613 ep = ssl->kssl_entry; 1614 privkey = ep->ke_private_key; 1615 if (privkey == NULL) { 1616 return (ENOENT); 1617 } 1618 1619 ASSERT(ssl->msg.type == client_key_exchange); 1620 ASSERT(ssl->hs_waitstate == wait_client_key); 1621 1622 /* 1623 * TLS adds an extra 2 byte length field before the data. 1624 */ 1625 if (IS_TLS(ssl)) { 1626 msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1]; 1627 mp->b_rptr += 2; 1628 } 1629 1630 /* 1631 * Allocate all we need in one shot. about 300 bytes total, for 1632 * 1024 bit RSA modulus. 1633 * The buffer layout will be: pms_data, wrapped_pms_data, the 1634 * value of the wrapped pms from the client, then room for the 1635 * resulting decrypted premaster secret. 1636 */ 1637 allocated = 2 * (sizeof (crypto_data_t) + msglen); 1638 buf = kmem_alloc(allocated, KM_NOSLEEP); 1639 if (buf == NULL) { 1640 return (ENOMEM); 1641 } 1642 1643 pms_data = (crypto_data_t *)buf; 1644 wrapped_pms_data = &(((crypto_data_t *)buf)[1]); 1645 1646 wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW; 1647 wrapped_pms_data->cd_offset = pms_data->cd_offset = 0; 1648 wrapped_pms_data->cd_length = pms_data->cd_length = msglen; 1649 wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL; 1650 wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen; 1651 wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t); 1652 pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen; 1653 1654 bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen); 1655 mp->b_rptr += msglen; 1656 1657 /* Proceed synchronously if out of interrupt and configured to do so */ 1658 if ((kssl_synchronous) && (!servicing_interrupt())) { 1659 creqp = NULL; 1660 } else { 1661 ssl->cke_callback_func = cbfn; 1662 ssl->cke_callback_arg = arg; 1663 creq.cr_flag = kssl_call_flag; 1664 creq.cr_callback_func = kssl_cke_done; 1665 creq.cr_callback_arg = ssl; 1666 1667 /* The callback routine will release this one */ 1668 KSSL_SSL_REFHOLD(ssl); 1669 1670 creqp = &creq; 1671 } 1672 1673 if (ep->ke_is_nxkey) { 1674 kssl_session_info_t *s; 1675 1676 s = ep->ke_sessinfo; 1677 err = CRYPTO_SUCCESS; 1678 if (!s->is_valid_handle) { 1679 /* Reauthenticate to the provider */ 1680 if (s->do_reauth) { 1681 err = kssl_get_obj_handle(ep); 1682 if (err == CRYPTO_SUCCESS) { 1683 s->is_valid_handle = B_TRUE; 1684 s->do_reauth = B_FALSE; 1685 } 1686 } else 1687 err = CRYPTO_FAILED; 1688 } 1689 1690 if (err == CRYPTO_SUCCESS) { 1691 ASSERT(s->is_valid_handle); 1692 err = crypto_decrypt_prov(s->prov, s->sid, 1693 &rsa_x509_mech, wrapped_pms_data, &s->key, 1694 NULL, pms_data, creqp); 1695 } 1696 1697 /* 1698 * Deal with session specific errors. We translate to 1699 * the closest errno. 1700 */ 1701 switch (err) { 1702 case CRYPTO_KEY_HANDLE_INVALID: 1703 case CRYPTO_SESSION_HANDLE_INVALID: 1704 s->is_valid_handle = B_FALSE; 1705 s->do_reauth = B_TRUE; 1706 rverr = EINVAL; 1707 break; 1708 case CRYPTO_PIN_EXPIRED: 1709 case CRYPTO_PIN_LOCKED: 1710 rverr = EACCES; 1711 break; 1712 case CRYPTO_UNKNOWN_PROVIDER: 1713 rverr = ENXIO; 1714 break; 1715 } 1716 } else { 1717 err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data, 1718 privkey, NULL, pms_data, creqp); 1719 } 1720 1721 switch (err) { 1722 case CRYPTO_SUCCESS: 1723 break; 1724 1725 case CRYPTO_QUEUED: 1726 /* 1727 * Finish the master secret then the rest of key material 1728 * derivation later. 1729 */ 1730 ssl->job.kjob = creq.cr_reqid; 1731 ssl->job.buf = buf; 1732 ssl->job.buflen = allocated; 1733 ssl->hs_waitstate = wait_client_key_done; 1734 return (0); 1735 default: 1736 DTRACE_PROBE1(kssl_err__crypto_decrypt, int, err); 1737 kmem_free(buf, allocated); 1738 return (rverr); 1739 } 1740 1741 pmslen = pms_data->cd_length; 1742 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1743 1744 /* generate master key and save it in the ssl sid structure */ 1745 if (IS_TLS(ssl)) { 1746 err = kssl_generate_tls_ms(ssl, pms, pmslen); 1747 if (!CRYPTO_ERR(err)) 1748 err = kssl_generate_tls_keyblock(ssl); 1749 } else { 1750 kssl_generate_ssl_ms(ssl, pms, pmslen); 1751 kssl_generate_keyblock(ssl); 1752 } 1753 1754 if (err == CRYPTO_SUCCESS) 1755 ssl->hs_waitstate = wait_change_cipher; 1756 1757 ssl->activeinput = B_FALSE; 1758 1759 kmem_free(buf, allocated); 1760 1761 return (0); 1762 } 1763 1764 static int 1765 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen) 1766 { 1767 int err; 1768 size_t finish_len; 1769 int hashcompare; 1770 1771 ASSERT(ssl->msg.type == finished); 1772 ASSERT(ssl->hs_waitstate == wait_finished); 1773 1774 if (IS_TLS(ssl)) 1775 finish_len = TLS_FINISHED_SIZE; 1776 else 1777 finish_len = KSSL_SSL3_FIN_MSGLEN; 1778 1779 if (msglen != finish_len) { 1780 kssl_send_alert(ssl, alert_fatal, illegal_parameter); 1781 return (EBADMSG); 1782 } 1783 1784 if (IS_TLS(ssl)) { 1785 hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash, 1786 finish_len); 1787 } else { 1788 hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len); 1789 } 1790 1791 /* The handshake hashes should be computed by now */ 1792 if (hashcompare != 0) { 1793 kssl_send_alert(ssl, alert_fatal, handshake_failure); 1794 return (EBADMSG); 1795 } 1796 1797 mp->b_rptr += msglen; 1798 1799 ssl->hs_waitstate = idle_handshake; 1800 1801 if (ssl->resumed == B_TRUE) { 1802 ssl->activeinput = B_FALSE; 1803 return (0); 1804 } 1805 1806 err = kssl_send_change_cipher_specs(ssl); 1807 if (err != 0) { 1808 return (err); 1809 } 1810 err = kssl_send_finished(ssl, 0); 1811 if (err != 0) { 1812 return (err); 1813 } 1814 1815 ASSERT(ssl->sid.cached == B_FALSE); 1816 ssl->sid.cached = B_TRUE; 1817 kssl_cache_sid(&ssl->sid, ssl->kssl_entry); 1818 ssl->activeinput = B_FALSE; 1819 1820 return (0); 1821 } 1822 1823 #define KSSL2_CH_MIN_RECSZ (9) 1824 1825 /* 1826 * This method is needed to handle clients which send the 1827 * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers. 1828 * We are not really doing SSLv2 here, just handling the header 1829 * and then switching to SSLv3. 1830 */ 1831 int 1832 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz) 1833 { 1834 uchar_t *recend; 1835 int err; 1836 SSL3AlertDescription desc = illegal_parameter; 1837 uint_t randlen; 1838 uint_t sidlen; 1839 uint_t cslen; 1840 uchar_t *suitesp; 1841 uchar_t *rand; 1842 uint_t i, j; 1843 uint16_t suite; 1844 int ch_recsz = KSSL2_CH_MIN_RECSZ; 1845 1846 ASSERT(mp->b_wptr >= mp->b_rptr + recsz); 1847 ASSERT(ssl->hs_waitstate == wait_client_hello); 1848 ASSERT(ssl->resumed == B_FALSE); 1849 1850 if (recsz < ch_recsz) { 1851 goto falert; 1852 } 1853 1854 MD5Init(&ssl->hs_md5); 1855 SHA1Init(&ssl->hs_sha1); 1856 1857 kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz); 1858 1859 recend = mp->b_rptr + recsz; 1860 1861 if (*mp->b_rptr != 1) { 1862 goto falert; 1863 } 1864 mp->b_rptr += 3; 1865 1866 cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 1867 sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3]; 1868 randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5]; 1869 if (cslen % 3 != 0) { 1870 DTRACE_PROBE1(kssl_err__cipher_suites_len_error, uint_t, cslen); 1871 goto falert; 1872 } 1873 if (randlen < SSL_MIN_CHALLENGE_BYTES || 1874 randlen > SSL_MAX_CHALLENGE_BYTES) { 1875 DTRACE_PROBE1(kssl_err__randlen_out_of_range, 1876 uint_t, randlen); 1877 goto falert; 1878 } 1879 mp->b_rptr += 6; 1880 ch_recsz += cslen + sidlen + randlen; 1881 if (recsz != ch_recsz) { 1882 goto falert; 1883 } 1884 suitesp = mp->b_rptr; 1885 rand = suitesp + cslen + sidlen; 1886 if (randlen < SSL3_RANDOM_LENGTH) { 1887 bzero(ssl->client_random, SSL3_RANDOM_LENGTH); 1888 } 1889 bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen], 1890 randlen); 1891 1892 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 1893 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 1894 for (j = 0; j < cslen; j += 3) { 1895 if (suitesp[j] != 0) { 1896 continue; 1897 } 1898 1899 if (suitesp[j + 1] == ((suite >> 8) & 0xff) && 1900 suitesp[j + 2] == (suite & 0xff)) { 1901 break; 1902 } 1903 } 1904 if (j < cslen) { 1905 break; 1906 } 1907 } 1908 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 1909 DTRACE_PROBE(kssl_err__no_SSLv2_cipher_suite); 1910 ssl->activeinput = B_FALSE; 1911 return (SSL_MISS); 1912 } 1913 1914 mp->b_rptr = recend; 1915 1916 for (i = 0; i < cipher_suite_defs_nentries; i++) { 1917 if (suite == cipher_suite_defs[i].suite) { 1918 break; 1919 } 1920 } 1921 1922 ASSERT(i < cipher_suite_defs_nentries); 1923 1924 ssl->pending_cipher_suite = suite; 1925 ssl->pending_malg = cipher_suite_defs[i].malg; 1926 ssl->pending_calg = cipher_suite_defs[i].calg; 1927 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 1928 1929 ASSERT(ssl->sid.cached == B_FALSE); 1930 1931 (void) random_get_pseudo_bytes(ssl->sid.session_id, 1932 SSL3_SESSIONID_BYTES); 1933 ssl->sid.client_addr = ssl->faddr; 1934 ssl->sid.cipher_suite = suite; 1935 1936 err = kssl_send_server_hello(ssl); 1937 if (err != 0) { 1938 return (err); 1939 } 1940 err = kssl_send_certificate_and_server_hello_done(ssl); 1941 if (err != 0) { 1942 return (err); 1943 } 1944 KSSL_COUNTER(full_handshakes, 1); 1945 ssl->hs_waitstate = wait_client_key; 1946 ssl->activeinput = B_FALSE; 1947 return (0); 1948 1949 falert: 1950 kssl_send_alert(ssl, alert_fatal, desc); 1951 ssl->activeinput = B_FALSE; 1952 return (EBADMSG); 1953 } 1954 1955 /* 1956 * Call back routine for asynchronously submitted RSA decryption jobs. 1957 * This routine retrieves the pre-master secret, and proceeds to generate 1958 * the remaining key materials. 1959 */ 1960 static void 1961 kssl_cke_done(void *arg, int status) 1962 { 1963 int ret = 0; 1964 uchar_t *pms; 1965 size_t pmslen; 1966 crypto_data_t *pms_data; 1967 kssl_cmd_t kssl_cmd = KSSL_CMD_NONE; 1968 ssl_t *ssl = (ssl_t *)arg; 1969 mblk_t *alertmp; 1970 kssl_callback_t cbfn; 1971 void *cbarg; 1972 1973 mutex_enter(&ssl->kssl_lock); 1974 1975 ASSERT(ssl->msg.type == client_key_exchange); 1976 ASSERT(ssl->hs_waitstate == wait_client_key_done); 1977 1978 if (status != CRYPTO_SUCCESS) { 1979 kssl_send_alert(ssl, alert_fatal, decrypt_error); 1980 kssl_cmd = KSSL_CMD_SEND; 1981 goto out; 1982 } 1983 1984 pms_data = (crypto_data_t *)(ssl->job.buf); 1985 1986 ASSERT(pms_data != NULL); 1987 1988 pmslen = pms_data->cd_length; 1989 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1990 1991 /* generate master key and save it in the ssl sid structure */ 1992 if (IS_TLS(ssl)) { 1993 ret = kssl_generate_tls_ms(ssl, pms, pmslen); 1994 if (!CRYPTO_ERR(ret)) 1995 ret = kssl_generate_tls_keyblock(ssl); 1996 } else { 1997 kssl_generate_ssl_ms(ssl, pms, pmslen); 1998 kssl_generate_keyblock(ssl); 1999 } 2000 2001 if (ret == CRYPTO_SUCCESS) 2002 ssl->hs_waitstate = wait_change_cipher; 2003 2004 out: 2005 kmem_free(ssl->job.buf, ssl->job.buflen); 2006 2007 ssl->job.kjob = 0; 2008 ssl->job.buf = NULL; 2009 ssl->job.buflen = 0; 2010 2011 ssl->activeinput = B_FALSE; 2012 2013 /* If we're the only ones left, then we won't callback */ 2014 if (ssl->kssl_refcnt == 1) { 2015 mutex_exit(&ssl->kssl_lock); 2016 KSSL_SSL_REFRELE(ssl); 2017 return; 2018 } 2019 2020 cbfn = ssl->cke_callback_func; 2021 cbarg = ssl->cke_callback_arg; 2022 alertmp = ssl->alert_sendbuf; 2023 ssl->alert_sendbuf = NULL; 2024 2025 mutex_exit(&ssl->kssl_lock); 2026 2027 KSSL_SSL_REFRELE(ssl); 2028 2029 /* Now call the callback routine */ 2030 (*(cbfn))(cbarg, alertmp, kssl_cmd); 2031 } 2032 2033 /* 2034 * Returns the first complete contiguous record out of rec_ass_head 2035 * The record is returned in a separate contiguous mblk, rec_ass_head is 2036 * left pointing to the next record in the queue. 2037 * 2038 * The output looks as follows: 2039 * 2040 * |--------|---------- .... -----|<---------->|<----------->|--- ... ---| 2041 * ^ ^ ^ mac_size pad_size ^ 2042 * | |___ b_rptr b_wptr __| | 2043 * | | 2044 * |___ db_base db_lim ___| 2045 */ 2046 mblk_t * 2047 kssl_get_next_record(ssl_t *ssl) 2048 { 2049 mblk_t *mp, *retmp; 2050 int rhsz = SSL3_HDR_LEN; 2051 uint16_t rec_sz; 2052 int mpsz, total_size; 2053 SSL3ContentType content_type; 2054 2055 ASSERT(MUTEX_HELD(&ssl->kssl_lock)); 2056 2057 mp = ssl->rec_ass_head; 2058 if (mp == NULL) 2059 return (NULL); 2060 2061 /* Fast path: when mp has at least a complete record */ 2062 if (MBLKL(mp) < rhsz) { 2063 DTRACE_PROBE1(kssl_mblk__incomplete_header, 2064 mblk_t *, mp); 2065 /* Not even a complete header in there yet */ 2066 if (msgdsize(mp) < rhsz) { 2067 return (NULL); 2068 } 2069 2070 if (!pullupmsg(mp, rhsz)) { 2071 kssl_send_alert(ssl, alert_fatal, internal_error); 2072 freemsg(mp); 2073 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2074 return (NULL); 2075 } 2076 } 2077 content_type = (SSL3ContentType)mp->b_rptr[0]; 2078 if (content_type == content_handshake_v2) { 2079 DTRACE_PROBE1(kssl_mblk__ssl_v2, mblk_t *, mp); 2080 rec_sz = (uint16_t)mp->b_rptr[1]; 2081 rhsz = 2; 2082 } else { 2083 DTRACE_PROBE1(kssl_mblk__ssl_v3, mblk_t *, mp); 2084 uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3; 2085 rec_sz = BE16_TO_U16(rec_sz_p); 2086 } 2087 2088 /* 2089 * same tests as above. Only rare very fragmented cases will 2090 * incur the cost of msgdsize() and msgpullup(). Well formed 2091 * packets will fall in the most frequent fast path. 2092 */ 2093 total_size = rhsz + rec_sz; 2094 2095 /* 2096 * Missing: defensive against record fabricated with longer than 2097 * MAX record length. 2098 */ 2099 if (MBLKL(mp) < total_size) { 2100 DTRACE_PROBE2(kssl_mblk__smaller_than_total_size, 2101 mblk_t *, mp, int, total_size); 2102 /* Not a complete record yet. Keep accumulating */ 2103 if (msgdsize(mp) < total_size) { 2104 return (NULL); 2105 } 2106 2107 if (!pullupmsg(mp, total_size)) { 2108 kssl_send_alert(ssl, alert_fatal, internal_error); 2109 freemsg(mp); 2110 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2111 return (NULL); 2112 } 2113 } 2114 mpsz = MBLKL(mp); /* could've changed after the pullup */ 2115 2116 if (mpsz > total_size) { 2117 DTRACE_PROBE2(kssl_mblk__bigger_than_total_size, 2118 mblk_t *, mp, int, total_size); 2119 /* gotta allocate a new block */ 2120 if ((retmp = dupb(mp)) == NULL) { 2121 kssl_send_alert(ssl, alert_fatal, internal_error); 2122 freemsg(mp); 2123 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2124 return (NULL); 2125 } 2126 2127 retmp->b_wptr = retmp->b_rptr + total_size; 2128 mp->b_rptr += total_size; 2129 ssl->rec_ass_head = mp; 2130 } else { 2131 DTRACE_PROBE2(kssl_mblk__equal_to_total_size, 2132 mblk_t *, mp, int, total_size); 2133 ASSERT(mpsz == total_size); 2134 ssl->rec_ass_head = mp->b_cont; 2135 mp->b_cont = NULL; 2136 retmp = mp; 2137 } 2138 /* Adjust the tail */ 2139 if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) { 2140 for (; mp->b_cont != NULL; mp = mp->b_cont) { 2141 ssl->rec_ass_tail = mp->b_cont; 2142 } 2143 } 2144 2145 return (retmp); 2146 } 2147 2148 2149 static void 2150 kssl_mblksfree(ssl_t *ssl) 2151 { 2152 2153 ASSERT(ssl != NULL); 2154 2155 if (ssl->rec_ass_head != NULL) { 2156 freemsg(ssl->rec_ass_head); 2157 } 2158 ssl->rec_ass_head = NULL; 2159 ssl->rec_ass_tail = NULL; 2160 2161 if (ssl->msg.head != NULL) { 2162 freemsg(ssl->msg.head); 2163 } 2164 ssl->msg.head = NULL; 2165 ssl->msg.tail = NULL; 2166 2167 if (ssl->handshake_sendbuf != NULL) { 2168 freemsg(ssl->handshake_sendbuf); 2169 ssl->handshake_sendbuf = NULL; 2170 } 2171 if (ssl->alert_sendbuf != NULL) { 2172 freemsg(ssl->alert_sendbuf); 2173 ssl->alert_sendbuf = NULL; 2174 } 2175 } 2176 2177 static void 2178 kssl_specsfree(ssl_t *ssl) 2179 { 2180 KSSLCipherSpec *spec = &ssl->spec[KSSL_READ]; 2181 2182 if (spec->cipher_ctx != NULL) { 2183 crypto_cancel_ctx(spec->cipher_ctx); 2184 spec->cipher_ctx = 0; 2185 } 2186 2187 spec = &ssl->spec[KSSL_WRITE]; 2188 2189 if (spec->cipher_ctx != NULL) { 2190 crypto_cancel_ctx(spec->cipher_ctx); 2191 spec->cipher_ctx = 0; 2192 } 2193 } 2194 2195 /* 2196 * Frees the ssl structure (aka the context of an SSL session). 2197 * Any pending crypto jobs are cancelled. 2198 * Any initiated crypto contexts are freed as well. 2199 */ 2200 void 2201 kssl_free_context(ssl_t *ssl) 2202 { 2203 ASSERT(ssl != NULL); 2204 if (!(MUTEX_HELD(&ssl->kssl_lock))) { 2205 /* we're coming from an external API entry point */ 2206 mutex_enter(&ssl->kssl_lock); 2207 } 2208 2209 if (ssl->job.kjob != NULL) { 2210 crypto_cancel_req(ssl->job.kjob); 2211 kmem_free(ssl->job.buf, ssl->job.buflen); 2212 2213 ssl->job.kjob = 0; 2214 ssl->job.buf = NULL; 2215 ssl->job.buflen = 0; 2216 } 2217 2218 kssl_mblksfree(ssl); 2219 kssl_specsfree(ssl); 2220 2221 KSSL_ENTRY_REFRELE(ssl->kssl_entry); 2222 ssl->kssl_entry = NULL; 2223 2224 mutex_exit(&ssl->kssl_lock); 2225 2226 kmem_cache_free(kssl_cache, ssl); 2227 kssl_cache_count--; 2228 } 2229