1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/stream.h> 30 #include <sys/strsubr.h> 31 #include <sys/stropts.h> 32 #include <sys/strsun.h> 33 #define _SUN_TPI_VERSION 2 34 #include <sys/ddi.h> 35 #include <sys/sunddi.h> 36 #include <sys/debug.h> 37 #include <sys/vtrace.h> 38 #include <sys/kmem.h> 39 #include <sys/cpuvar.h> 40 #include <sys/atomic.h> 41 #include <sys/sysmacros.h> 42 43 #include <sys/errno.h> 44 #include <sys/isa_defs.h> 45 #include <sys/md5.h> 46 #include <sys/sha1.h> 47 #include <sys/random.h> 48 #include <inet/common.h> 49 #include <netinet/in.h> 50 51 #include <sys/systm.h> 52 #include <sys/param.h> 53 54 #include "ksslimpl.h" 55 #include "ksslapi.h" 56 #include "ksslproto.h" 57 58 static ssl3CipherSuiteDef cipher_suite_defs[] = { 59 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, 72}, 60 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, 64}, 61 {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, 72}, 62 {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, 104}, 63 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, 40} 64 }; 65 66 static int cipher_suite_defs_nentries = 67 sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]); 68 69 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ 70 /* macsz padsz HashInit HashUpdate HashFinal */ 71 72 {MD5_HASH_LEN, SSL3_MD5_PAD_LEN, 73 (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update, 74 (hashfinal_func_t)MD5Final}, 75 76 {SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN, 77 (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update, 78 (hashfinal_func_t)SHA1Final}, 79 }; 80 81 static uchar_t kssl_pad_1[60] = { 82 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 83 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 84 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 85 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 86 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 87 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 88 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 89 0x36, 0x36, 0x36, 0x36 90 }; 91 static uchar_t kssl_pad_2[60] = { 92 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 93 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 94 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 95 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 96 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 97 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 98 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 99 0x5c, 0x5c, 0x5c, 0x5c 100 }; 101 102 int kssl_cache_count; 103 static boolean_t kssl_synchronous = B_FALSE; 104 105 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t); 106 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t); 107 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int); 108 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int, 109 kssl_callback_t, void *); 110 static int kssl_send_server_hello(ssl_t *); 111 static int kssl_send_certificate_and_server_hello_done(ssl_t *); 112 static int kssl_send_change_cipher_specs(ssl_t *); 113 static int kssl_send_finished(ssl_t *, int); 114 static int kssl_handle_finished(ssl_t *, mblk_t *, int); 115 static void kssl_get_hello_random(uchar_t *); 116 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *); 117 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *); 118 static void kssl_lookup_sid(sslSessionID *, uchar_t *, ipaddr_t, 119 kssl_entry_t *); 120 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t); 121 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t); 122 static int kssl_generate_tls_keyblock(ssl_t *); 123 static void kssl_generate_keyblock(ssl_t *); 124 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t, 125 int, uchar_t *, int); 126 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t, 127 uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 128 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *, 129 size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 130 static void kssl_cke_done(void *, int); 131 132 #define MAX_TLS_KEYBLOCK_SIZE 160 /* more than enough for largest TLS key */ 133 134 #define HMAC_INIT(m, k, c) \ 135 rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end; 136 137 #define HMAC_UPDATE(c, d, l) \ 138 dd.cd_raw.iov_base = (char *)d; \ 139 dd.cd_length = dd.cd_raw.iov_len = l; \ 140 rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end; 141 142 #define HMAC_FINAL(c, d, l) \ 143 mac.cd_raw.iov_base = (char *)d; \ 144 mac.cd_length = mac.cd_raw.iov_len = l; \ 145 rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end; 146 147 /* 148 * This hack can go away once we have SSL3 MAC support by KCF 149 * software providers (See 4873559). 150 */ 151 extern int kcf_md5_threshold; 152 153 int 154 kssl_compute_record_mac( 155 ssl_t *ssl, 156 int direction, 157 uint64_t seq_num, 158 SSL3ContentType ct, 159 uchar_t *versionp, 160 uchar_t *buf, 161 int len, 162 uchar_t *digest) 163 { 164 KSSL_HASHCTX mac_ctx; 165 KSSL_HASHCTX *ctx = &mac_ctx; 166 uchar_t temp[16], *p; 167 KSSLCipherSpec *spec; 168 boolean_t hash_use_ok = B_FALSE; 169 int rv = 0; 170 171 spec = &ssl->spec[direction]; 172 173 if (spec->mac_hashsz == 0) { 174 return (1); 175 } 176 177 p = temp; 178 179 *p++ = (seq_num >> 56) & 0xff; 180 *p++ = (seq_num >> 48) & 0xff; 181 *p++ = (seq_num >> 40) & 0xff; 182 *p++ = (seq_num >> 32) & 0xff; 183 *p++ = (seq_num >> 24) & 0xff; 184 *p++ = (seq_num >> 16) & 0xff; 185 *p++ = (seq_num >> 8) & 0xff; 186 *p++ = (seq_num) & 0xff; 187 *p++ = (uchar_t)ct; 188 if (IS_TLS(ssl)) { 189 *p++ = versionp[0]; 190 *p++ = versionp[1]; 191 } 192 *p++ = (len >> 8) & 0xff; 193 *p++ = (len) & 0xff; 194 195 if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID && 196 len >= kcf_md5_threshold)) { 197 crypto_data_t dd, mac; 198 struct uio uio_pt; 199 struct iovec iovarray_pt[2]; 200 201 /* init the array of iovecs for use in the uio struct */ 202 iovarray_pt[0].iov_base = (char *)temp; 203 iovarray_pt[0].iov_len = (p - temp); 204 iovarray_pt[1].iov_base = (char *)buf; 205 iovarray_pt[1].iov_len = len; 206 207 /* init the uio struct for use in the crypto_data_t struct */ 208 bzero(&uio_pt, sizeof (uio_pt)); 209 uio_pt.uio_iov = iovarray_pt; 210 uio_pt.uio_iovcnt = 2; 211 uio_pt.uio_segflg = UIO_SYSSPACE; 212 213 dd.cd_format = CRYPTO_DATA_UIO; 214 dd.cd_offset = 0; 215 dd.cd_length = (p - temp) + len; 216 dd.cd_miscdata = NULL; 217 dd.cd_uio = &uio_pt; 218 219 mac.cd_format = CRYPTO_DATA_RAW; 220 mac.cd_offset = 0; 221 mac.cd_raw.iov_base = (char *)digest; 222 mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz; 223 224 /* 225 * The calling context can tolerate a blocking call here. 226 * For outgoing traffic, we are in user context 227 * when called from strsock_kssl_output(). For incoming 228 * traffic past the SSL handshake, we are in user 229 * context when called from strsock_kssl_input(). During the 230 * SSL handshake, we are called for client_finished message 231 * handling from a squeue worker thread that gets scheduled 232 * by an squeue_fill() call. This thread is not in interrupt 233 * context and so can block. 234 */ 235 rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key, 236 NULL, &mac, NULL); 237 238 if (CRYPTO_ERR(rv)) { 239 hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED && 240 !IS_TLS(ssl)); 241 if (!hash_use_ok) { 242 DTRACE_PROBE1(kssl_err__crypto_mac_error, 243 int, rv); 244 KSSL_COUNTER(compute_mac_failure, 1); 245 } 246 } 247 } else 248 hash_use_ok = B_TRUE; 249 250 if (hash_use_ok) { 251 bcopy(&(ssl->mac_ctx[direction][0]), ctx, 252 sizeof (KSSL_HASHCTX)); 253 spec->MAC_HashUpdate((void *)ctx, temp, p - temp); 254 spec->MAC_HashUpdate((void *)ctx, buf, len); 255 spec->MAC_HashFinal(digest, (void *)ctx); 256 257 bcopy(&(ssl->mac_ctx[direction][1]), ctx, 258 sizeof (KSSL_HASHCTX)); 259 spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz); 260 spec->MAC_HashFinal(digest, (void *)ctx); 261 } 262 263 return (rv); 264 } 265 266 /* 267 * Handles handshake messages. 268 * Messages to be replied are returned in handshake_sendbuf. 269 */ 270 int 271 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err, 272 kssl_callback_t cbfn, void *arg) 273 { 274 uint32_t msglen; 275 uchar_t msghdr[4]; 276 277 ASSERT(ssl->msg.state == MSG_BODY); 278 ASSERT(ssl->msg.msglen_bytes == 3); 279 ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen); 280 281 ssl->sslcnt++; 282 msglen = ssl->msg.msglen; 283 284 if (ssl->msg.type == client_hello) { 285 MD5Init(&ssl->hs_md5); 286 SHA1Init(&ssl->hs_sha1); 287 } 288 289 if (ssl->msg.type == finished && ssl->resumed == B_FALSE) { 290 if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 291 sender_client) != 0) { 292 *err = SSL_MISS; 293 return (0); 294 } 295 } 296 297 if (ssl->msg.type != finished || ssl->resumed == B_FALSE) { 298 msghdr[0] = (uchar_t)ssl->msg.type; 299 300 msghdr[1] = (uchar_t)(msglen >> 16); 301 msghdr[2] = (uchar_t)(msglen >> 8); 302 msghdr[3] = (uchar_t)(msglen); 303 kssl_update_handshake_hashes(ssl, msghdr, 4); 304 kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen); 305 } 306 307 ssl->msg.state = MSG_INIT; 308 ssl->msg.msglen = 0; 309 ssl->msg.msglen_bytes = 0; 310 311 switch (ssl->msg.type) { 312 case client_hello: 313 if (ssl->hs_waitstate != wait_client_hello) { 314 kssl_send_alert(ssl, alert_fatal, 315 unexpected_message); 316 *err = EBADMSG; 317 ssl->activeinput = B_FALSE; 318 return (1); 319 } 320 *err = kssl_handle_client_hello(ssl, mp, msglen); 321 if (*err == SSL_MISS) { 322 ssl->activeinput = B_FALSE; 323 return (0); 324 } 325 return (1); 326 case client_key_exchange: 327 if (ssl->hs_waitstate != wait_client_key) { 328 kssl_send_alert(ssl, alert_fatal, 329 unexpected_message); 330 *err = EBADMSG; 331 ssl->activeinput = B_FALSE; 332 return (1); 333 } 334 *err = kssl_handle_client_key_exchange(ssl, mp, 335 msglen, cbfn, arg); 336 return (1); 337 case finished: 338 if (ssl->hs_waitstate != wait_finished) { 339 kssl_send_alert(ssl, alert_fatal, 340 unexpected_message); 341 *err = EBADMSG; 342 ssl->activeinput = B_FALSE; 343 return (1); 344 } 345 *err = kssl_handle_finished(ssl, mp, msglen); 346 return (1); 347 default: 348 kssl_send_alert(ssl, alert_fatal, unexpected_message); 349 ssl->activeinput = B_FALSE; 350 *err = EBADMSG; 351 return (1); 352 } 353 } 354 355 static void 356 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len) 357 { 358 MD5Update(&ssl->hs_md5, buf, len); 359 SHA1Update(&ssl->hs_sha1, buf, len); 360 } 361 362 static int 363 kssl_compute_handshake_hashes( 364 ssl_t *ssl, 365 SSL3Hashes *hashes, 366 uint32_t sender) 367 { 368 MD5_CTX md5 = ssl->hs_md5; /* clone md5 context */ 369 SHA1_CTX sha1 = ssl->hs_sha1; /* clone sha1 context */ 370 MD5_CTX *md5ctx = &md5; 371 SHA1_CTX *sha1ctx = &sha1; 372 373 if (IS_TLS(ssl)) { 374 uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN]; 375 char *label; 376 377 /* 378 * Do not take another hash step here. 379 * Just complete the operation. 380 */ 381 MD5Final(hashes->md5, md5ctx); 382 SHA1Final(hashes->sha1, sha1ctx); 383 384 bcopy(hashes->md5, seed, MD5_HASH_LEN); 385 bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN); 386 387 if (sender == sender_client) 388 label = TLS_CLIENT_FINISHED_LABEL; 389 else 390 label = TLS_SERVER_FINISHED_LABEL; 391 392 return (kssl_tls_PRF(ssl, 393 ssl->sid.master_secret, 394 (size_t)SSL3_MASTER_SECRET_LEN, 395 (uchar_t *)label, strlen(label), 396 seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN), 397 hashes->tlshash, (size_t)TLS_FINISHED_SIZE)); 398 } else { 399 uchar_t s[4]; 400 s[0] = (sender >> 24) & 0xff; 401 s[1] = (sender >> 16) & 0xff; 402 s[2] = (sender >> 8) & 0xff; 403 s[3] = (sender) & 0xff; 404 405 MD5Update(md5ctx, s, 4); 406 MD5Update(md5ctx, ssl->sid.master_secret, 407 SSL3_MASTER_SECRET_LEN); 408 MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN); 409 MD5Final(hashes->md5, md5ctx); 410 411 MD5Init(md5ctx); 412 MD5Update(md5ctx, ssl->sid.master_secret, 413 SSL3_MASTER_SECRET_LEN); 414 MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN); 415 MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN); 416 MD5Final(hashes->md5, md5ctx); 417 418 SHA1Update(sha1ctx, s, 4); 419 SHA1Update(sha1ctx, ssl->sid.master_secret, 420 SSL3_MASTER_SECRET_LEN); 421 SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN); 422 SHA1Final(hashes->sha1, sha1ctx); 423 424 SHA1Init(sha1ctx); 425 SHA1Update(sha1ctx, ssl->sid.master_secret, 426 SSL3_MASTER_SECRET_LEN); 427 SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN); 428 SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN); 429 SHA1Final(hashes->sha1, sha1ctx); 430 return (0); 431 } 432 } 433 434 435 #define KSSL_SSL3_CH_MIN_MSGLEN (39) 436 437 static int 438 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen) 439 { 440 uchar_t *msgend; 441 int err; 442 SSL3AlertDescription desc = illegal_parameter; 443 uint_t sidlen; 444 uint_t nsuites; 445 uchar_t *suitesp; 446 uint_t i, j; 447 uint16_t suite; 448 int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN; 449 450 ASSERT(mp->b_wptr >= mp->b_rptr + msglen); 451 ASSERT(ssl->msg.type == client_hello); 452 ASSERT(ssl->hs_waitstate == wait_client_hello); 453 ASSERT(ssl->resumed == B_FALSE); 454 455 if (msglen < ch_msglen) { 456 goto falert; 457 } 458 459 msgend = mp->b_rptr + msglen; 460 461 /* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */ 462 if (ssl->major_version != 3 || (ssl->major_version == 3 && 463 ssl->minor_version != 0 && ssl->minor_version != 1)) { 464 DTRACE_PROBE2(kssl_err__SSL_version_not_supported, 465 uchar_t, ssl->major_version, 466 uchar_t, ssl->minor_version); 467 desc = handshake_failure; 468 goto falert; 469 } 470 mp->b_rptr += 2; /* skip the version bytes */ 471 472 bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH); 473 mp->b_rptr += SSL3_RANDOM_LENGTH; 474 475 ASSERT(ssl->sid.cached == B_FALSE); 476 sidlen = *mp->b_rptr++; 477 ch_msglen += sidlen; 478 if (msglen < ch_msglen) { 479 goto falert; 480 } 481 if (sidlen != SSL3_SESSIONID_BYTES) { 482 mp->b_rptr += sidlen; 483 } else { 484 kssl_lookup_sid(&ssl->sid, mp->b_rptr, ssl->faddr, 485 ssl->kssl_entry); 486 mp->b_rptr += SSL3_SESSIONID_BYTES; 487 } 488 489 nsuites = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 490 mp->b_rptr += 2; 491 ch_msglen += nsuites; 492 if (msglen != ch_msglen) { 493 goto falert; 494 } 495 if (nsuites & 0x1) { 496 goto falert; 497 } 498 suitesp = mp->b_rptr; 499 if (ssl->sid.cached == B_TRUE) { 500 suite = ssl->sid.cipher_suite; 501 for (j = 0; j < nsuites; j += 2) { 502 if (suitesp[j] == ((suite >> 8) & 0xff) && 503 suitesp[j + 1] == (suite & 0xff)) { 504 break; 505 } 506 } 507 if (j < nsuites) { 508 goto suite_found; 509 } 510 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 511 ssl->sid.cached = B_FALSE; 512 } 513 514 /* Check if this server is capable of the cipher suite */ 515 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 516 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 517 for (j = 0; j < nsuites; j += 2) { 518 if (suitesp[j] == ((suite >> 8) & 0xff) && 519 suitesp[j + 1] == (suite & 0xff)) { 520 break; 521 } 522 } 523 if (j < nsuites) { 524 break; 525 } 526 } 527 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 528 if (ssl->sslcnt == 1) { 529 KSSL_COUNTER(no_suite_found, 1); 530 return (SSL_MISS); 531 } 532 desc = handshake_failure; 533 DTRACE_PROBE(kssl_err__no_cipher_suites_found); 534 goto falert; 535 } 536 537 suite_found: 538 539 mp->b_rptr += nsuites; 540 if (*mp->b_rptr++ != 1 || *mp->b_rptr++ != 0) { 541 desc = handshake_failure; 542 DTRACE_PROBE(kssl_err__handshake_failure); 543 goto falert; 544 } 545 546 mp->b_rptr = msgend; 547 548 for (i = 0; i < cipher_suite_defs_nentries; i++) { 549 if (suite == cipher_suite_defs[i].suite) { 550 break; 551 } 552 } 553 554 ASSERT(i < cipher_suite_defs_nentries); 555 556 ssl->pending_cipher_suite = suite; 557 ssl->pending_malg = cipher_suite_defs[i].malg; 558 ssl->pending_calg = cipher_suite_defs[i].calg; 559 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 560 561 if (ssl->sid.cached == B_TRUE) { 562 err = kssl_send_server_hello(ssl); 563 if (err != 0) { 564 return (err); 565 } 566 if (IS_TLS(ssl)) 567 err = kssl_generate_tls_keyblock(ssl); 568 else 569 kssl_generate_keyblock(ssl); 570 571 err = kssl_send_change_cipher_specs(ssl); 572 if (err != 0) { 573 return (err); 574 } 575 576 err = kssl_send_finished(ssl, 1); 577 if (err != 0) 578 return (err); 579 580 err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 581 sender_client); 582 if (err != 0) 583 return (err); 584 585 ssl->hs_waitstate = wait_change_cipher; 586 ssl->resumed = B_TRUE; 587 ssl->activeinput = B_FALSE; 588 KSSL_COUNTER(resumed_sessions, 1); 589 return (0); 590 } 591 592 (void) random_get_pseudo_bytes(ssl->sid.session_id, 593 SSL3_SESSIONID_BYTES); 594 ssl->sid.client_addr = ssl->faddr; 595 ssl->sid.cipher_suite = suite; 596 597 err = kssl_send_server_hello(ssl); 598 if (err != 0) { 599 return (err); 600 } 601 err = kssl_send_certificate_and_server_hello_done(ssl); 602 if (err != 0) { 603 return (err); 604 } 605 KSSL_COUNTER(full_handshakes, 1); 606 ssl->hs_waitstate = wait_client_key; 607 ssl->activeinput = B_FALSE; 608 return (0); 609 610 falert: 611 kssl_send_alert(ssl, alert_fatal, desc); 612 return (EBADMSG); 613 } 614 615 static void 616 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 617 { 618 uint_t index; 619 uchar_t *s = sid->session_id; 620 int l = SSL3_SESSIONID_BYTES - 1; 621 kmutex_t *lock; 622 623 ASSERT(sid->cached == B_TRUE); 624 625 index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 626 ((int)s[2] << 8) | (int)s[l]); 627 628 index %= kssl_entry->sid_cache_nentries; 629 630 sid->time = lbolt; 631 632 lock = &(kssl_entry->sid_cache[index].se_lock); 633 mutex_enter(lock); 634 kssl_entry->sid_cache[index].se_used++; 635 bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid)); 636 mutex_exit(lock); 637 } 638 639 static void 640 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, ipaddr_t faddr, 641 kssl_entry_t *kssl_entry) 642 { 643 uint_t index; 644 int l = SSL3_SESSIONID_BYTES - 1; 645 kmutex_t *lock; 646 sslSessionID *csid; 647 648 ASSERT(sid->cached == B_FALSE); 649 650 KSSL_COUNTER(sid_cache_lookups, 1); 651 652 index = (int)faddr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 653 ((int)s[2] << 8) | (int)s[l]); 654 655 index %= kssl_entry->sid_cache_nentries; 656 657 lock = &(kssl_entry->sid_cache[index].se_lock); 658 mutex_enter(lock); 659 csid = &(kssl_entry->sid_cache[index].se_sid); 660 if (csid->cached == B_FALSE || csid->client_addr != faddr || 661 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 662 mutex_exit(lock); 663 return; 664 } 665 666 if (TICK_TO_SEC(lbolt - csid->time) > kssl_entry->sid_cache_timeout) { 667 csid->cached = B_FALSE; 668 mutex_exit(lock); 669 return; 670 } 671 672 bcopy(csid, sid, sizeof (*sid)); 673 mutex_exit(lock); 674 ASSERT(sid->cached == B_TRUE); 675 676 KSSL_COUNTER(sid_cache_hits, 1); 677 } 678 679 static uchar_t * 680 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp) 681 { 682 size_t len = *lenp; 683 int i = 2; 684 685 if (buf[0] != 0 || buf[1] != 2) { 686 return (NULL); 687 } 688 689 while (i < len) { 690 if (buf[i++] == 0) { 691 *lenp = len - i; 692 break; 693 } 694 } 695 696 if (i == len) { 697 return (NULL); 698 } 699 700 return (buf + i); 701 } 702 703 void 704 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 705 { 706 uint_t index; 707 uchar_t *s = sid->session_id; 708 int l = SSL3_SESSIONID_BYTES - 1; 709 sslSessionID *csid; 710 kmutex_t *lock; 711 712 ASSERT(sid->cached == B_TRUE); 713 714 KSSL_COUNTER(sid_uncached, 1); 715 716 index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 717 ((int)s[2] << 8) | (int)s[l]); 718 719 index %= kssl_entry->sid_cache_nentries; 720 721 lock = &(kssl_entry->sid_cache[index].se_lock); 722 mutex_enter(lock); 723 csid = &(kssl_entry->sid_cache[index].se_sid); 724 if (csid->client_addr != sid->client_addr || 725 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 726 mutex_exit(lock); 727 return; 728 } 729 csid->cached = B_FALSE; 730 mutex_exit(lock); 731 } 732 733 734 #define KSSL_SSL3_SH_RECLEN (74) 735 #define KSSL_SSL3_FIN_MSGLEN (36) 736 737 #define KSSL_SSL3_MAX_CCP_FIN_MSGLEN (128) /* comfortable upper bound */ 738 739 static int 740 kssl_send_server_hello(ssl_t *ssl) 741 { 742 mblk_t *mp; 743 uchar_t *buf; 744 uchar_t *msgstart; 745 746 mp = allocb(ssl->tcp_mss, BPRI_HI); 747 if (mp == NULL) { 748 KSSL_COUNTER(alloc_fails, 1); 749 return (ENOMEM); 750 } 751 ssl->handshake_sendbuf = mp; 752 buf = mp->b_wptr; 753 754 /* 5 byte record header */ 755 buf[0] = content_handshake; 756 buf[1] = ssl->major_version; 757 buf[2] = ssl->minor_version; 758 buf[3] = KSSL_SSL3_SH_RECLEN >> 8; 759 buf[4] = KSSL_SSL3_SH_RECLEN & 0xff; 760 buf += SSL3_HDR_LEN; 761 762 msgstart = buf; 763 764 /* 6 byte message header */ 765 buf[0] = (uchar_t)server_hello; /* message type */ 766 buf[1] = 0; /* message len byte 0 */ 767 buf[2] = ((KSSL_SSL3_SH_RECLEN - 4) >> 8) & 768 0xff; /* message len byte 1 */ 769 buf[3] = (KSSL_SSL3_SH_RECLEN - 4) & 0xff; /* message len byte 2 */ 770 771 buf[4] = ssl->major_version; /* version byte 0 */ 772 buf[5] = ssl->minor_version; /* version byte 1 */ 773 774 buf += 6; 775 776 kssl_get_hello_random(ssl->server_random); 777 bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH); 778 buf += SSL3_RANDOM_LENGTH; 779 780 buf[0] = SSL3_SESSIONID_BYTES; 781 bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES); 782 buf += SSL3_SESSIONID_BYTES + 1; 783 784 buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff; 785 buf[1] = ssl->pending_cipher_suite & 0xff; 786 787 buf[2] = 0; /* No compression */ 788 789 mp->b_wptr = buf + 3; 790 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 791 792 kssl_update_handshake_hashes(ssl, msgstart, KSSL_SSL3_SH_RECLEN); 793 return (0); 794 } 795 796 static void 797 kssl_get_hello_random(uchar_t *buf) 798 { 799 timestruc_t ts; 800 time_t sec; 801 802 gethrestime(&ts); 803 sec = ts.tv_sec; 804 805 buf[0] = (sec >> 24) & 0xff; 806 buf[1] = (sec >> 16) & 0xff; 807 buf[2] = (sec >> 8) & 0xff; 808 buf[3] = (sec) & 0xff; 809 810 (void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4); 811 812 /* Should this be caching? */ 813 } 814 815 static int 816 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key, 817 size_t hashlen, 818 uchar_t *label, size_t label_len, 819 uchar_t *seed, size_t seedlen, 820 uchar_t *data, size_t datalen) 821 { 822 int rv = 0; 823 uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN]; 824 int bytes_left = datalen; 825 crypto_data_t dd, mac; 826 crypto_context_t ctx; 827 828 dd.cd_format = CRYPTO_DATA_RAW; 829 dd.cd_offset = 0; 830 mac.cd_format = CRYPTO_DATA_RAW; 831 mac.cd_offset = 0; 832 833 /* 834 * A(i) = HMAC_hash(secred, seed + A(i-1)); 835 * A(0) = seed; 836 * 837 * Compute A(1): 838 * A(1) = HMAC_hash(secret, label + seed) 839 * 840 */ 841 HMAC_INIT(mech, key, &ctx); 842 HMAC_UPDATE(ctx, label, label_len); 843 HMAC_UPDATE(ctx, seed, seedlen); 844 HMAC_FINAL(ctx, A1, hashlen); 845 846 /* Compute A(2) ... A(n) */ 847 while (bytes_left > 0) { 848 HMAC_INIT(mech, key, &ctx); 849 HMAC_UPDATE(ctx, A1, hashlen); 850 HMAC_UPDATE(ctx, label, label_len); 851 HMAC_UPDATE(ctx, seed, seedlen); 852 HMAC_FINAL(ctx, result, hashlen); 853 854 /* 855 * The A(i) value is stored in "result". 856 * Save the results of the MAC so it can be input to next 857 * iteration. 858 */ 859 if (bytes_left > hashlen) { 860 /* Store the chunk result */ 861 bcopy(result, data, hashlen); 862 data += hashlen; 863 864 bytes_left -= hashlen; 865 866 /* Update A1 for next iteration */ 867 HMAC_INIT(mech, key, &ctx); 868 HMAC_UPDATE(ctx, A1, hashlen); 869 HMAC_FINAL(ctx, A1, hashlen); 870 871 } else { 872 bcopy(result, data, bytes_left); 873 data += bytes_left; 874 bytes_left = 0; 875 } 876 } 877 end: 878 if (CRYPTO_ERR(rv)) { 879 DTRACE_PROBE1(kssl_err__crypto_mac_error, int, rv); 880 KSSL_COUNTER(compute_mac_failure, 1); 881 } 882 return (rv); 883 } 884 885 /* ARGSUSED */ 886 static int 887 kssl_tls_PRF(ssl_t *ssl, 888 uchar_t *secret, size_t secret_len, 889 uchar_t *label, size_t label_len, 890 uchar_t *seed, size_t seed_len, 891 uchar_t *prfresult, size_t prfresult_len) 892 { 893 /* 894 * RFC 2246: 895 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR 896 * P_SHA1(S2, label + seed); 897 * S1 = 1st half of secret. 898 * S1 = 2nd half of secret. 899 * 900 */ 901 902 int rv = 0, i; 903 uchar_t psha1[MAX_TLS_KEYBLOCK_SIZE]; 904 crypto_key_t S1, S2; 905 906 /* length of secret keys is ceil(length/2) */ 907 size_t slen = roundup(secret_len, 2) / 2; 908 909 if (prfresult_len > MAX_TLS_KEYBLOCK_SIZE) { 910 DTRACE_PROBE1(kssl_err__unexpected_keyblock_size, 911 size_t, prfresult_len); 912 return (CRYPTO_ARGUMENTS_BAD); 913 } 914 915 ASSERT(prfresult != NULL); 916 ASSERT(label != NULL); 917 ASSERT(seed != NULL); 918 919 S1.ck_data = secret; 920 S1.ck_length = slen * 8; /* bits */ 921 S1.ck_format = CRYPTO_KEY_RAW; 922 923 S2.ck_data = secret + slen; 924 S2.ck_length = slen * 8; /* bits */ 925 S2.ck_format = CRYPTO_KEY_RAW; 926 927 rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN, 928 label, label_len, 929 seed, seed_len, 930 prfresult, prfresult_len); 931 if (CRYPTO_ERR(rv)) 932 goto end; 933 934 rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN, 935 label, label_len, 936 seed, seed_len, 937 psha1, prfresult_len); 938 if (CRYPTO_ERR(rv)) 939 goto end; 940 941 for (i = 0; i < prfresult_len; i++) 942 prfresult[i] ^= psha1[i]; 943 944 end: 945 if (CRYPTO_ERR(rv)) 946 bzero(prfresult, prfresult_len); 947 948 return (rv); 949 } 950 951 #define IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl) \ 952 (pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN || \ 953 pms[0] != ssl->major_version || pms[1] != ssl->minor_version) 954 955 #define FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) { \ 956 KSSL_COUNTER(bad_pre_master_secret, 1); \ 957 pms = buf; \ 958 pmslen = SSL3_PRE_MASTER_SECRET_LEN; \ 959 pms[0] = ssl->major_version; \ 960 pms[1] = ssl->minor_version; \ 961 (void) random_get_pseudo_bytes(&buf[2], pmslen - 2); \ 962 } 963 964 static int 965 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 966 { 967 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 968 uchar_t seed[SSL3_RANDOM_LENGTH * 2]; 969 970 /* 971 * Computing the master secret: 972 * ---------------------------- 973 * master_secret = PRF (pms, "master secret", 974 * ClientHello.random + ServerHello.random); 975 */ 976 bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH); 977 bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH, 978 SSL3_RANDOM_LENGTH); 979 980 /* if pms is bad fake it to thwart Bleichenbacher attack */ 981 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) { 982 DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack); 983 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf); 984 } 985 986 return (kssl_tls_PRF(ssl, 987 pms, pmslen, 988 (uchar_t *)TLS_MASTER_SECRET_LABEL, 989 (size_t)strlen(TLS_MASTER_SECRET_LABEL), 990 seed, sizeof (seed), 991 ssl->sid.master_secret, 992 (size_t)sizeof (ssl->sid.master_secret))); 993 } 994 995 996 static void 997 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 998 { 999 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 1000 uchar_t *ms; 1001 int hlen = MD5_HASH_LEN; 1002 1003 ms = ssl->sid.master_secret; 1004 1005 /* if pms is bad fake it to thwart Bleichenbacher attack */ 1006 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) { 1007 DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack); 1008 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf); 1009 } 1010 1011 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0); 1012 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0); 1013 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen, 1014 0); 1015 } 1016 1017 static int 1018 kssl_generate_tls_keyblock(ssl_t *ssl) 1019 { 1020 uchar_t seed[2 * SSL3_RANDOM_LENGTH]; 1021 1022 bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH); 1023 bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH, 1024 SSL3_RANDOM_LENGTH); 1025 1026 return (kssl_tls_PRF(ssl, ssl->sid.master_secret, 1027 (size_t)SSL3_MASTER_SECRET_LEN, 1028 (uchar_t *)TLS_KEY_EXPANSION_LABEL, 1029 (size_t)strlen(TLS_KEY_EXPANSION_LABEL), 1030 seed, (size_t)sizeof (seed), 1031 ssl->pending_keyblock, 1032 (size_t)ssl->pending_keyblksz)); 1033 1034 } 1035 1036 static void 1037 kssl_generate_keyblock(ssl_t *ssl) 1038 { 1039 uchar_t *ms; 1040 size_t mslen = SSL3_MASTER_SECRET_LEN; 1041 int hlen = MD5_HASH_LEN; 1042 uchar_t *keys = ssl->pending_keyblock; 1043 int steps = howmany(ssl->pending_keyblksz, hlen); 1044 int i; 1045 1046 ms = ssl->sid.master_secret; 1047 1048 ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH); 1049 1050 for (i = 1; i <= steps; i++) { 1051 kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1); 1052 keys += hlen; 1053 } 1054 } 1055 1056 static char *ssl3_key_derive_seeds[8] = {"A", "BB", "CCC", "DDDD", "EEEEE", 1057 "FFFFFF", "GGGGGGG", "HHHHHHHH"}; 1058 1059 static void 1060 kssl_ssl3_key_material_derive_step( 1061 ssl_t *ssl, 1062 uchar_t *secret, 1063 size_t secretlen, 1064 int step, 1065 uchar_t *dst, 1066 int sr_first) 1067 { 1068 SHA1_CTX sha1, *sha1ctx; 1069 MD5_CTX md5, *md5ctx; 1070 uchar_t sha1_hash[SHA1_HASH_LEN]; 1071 1072 sha1ctx = &sha1; 1073 md5ctx = &md5; 1074 1075 ASSERT(step <= 1076 sizeof (ssl3_key_derive_seeds) / 1077 sizeof (ssl3_key_derive_seeds[0])); 1078 step--; 1079 1080 SHA1Init(sha1ctx); 1081 SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step], 1082 step + 1); 1083 SHA1Update(sha1ctx, secret, secretlen); 1084 if (sr_first) { 1085 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1086 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1087 } else { 1088 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1089 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1090 } 1091 SHA1Final(sha1_hash, sha1ctx); 1092 1093 MD5Init(md5ctx); 1094 MD5Update(md5ctx, secret, secretlen); 1095 MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN); 1096 MD5Final(dst, md5ctx); 1097 } 1098 1099 static int 1100 kssl_send_certificate_and_server_hello_done(ssl_t *ssl) 1101 { 1102 int cur_reclen; 1103 int mss; 1104 int len, copylen; 1105 mblk_t *mp; 1106 uchar_t *cert_buf; 1107 int cert_len; 1108 uchar_t *msgbuf; 1109 Certificate_t *cert; 1110 1111 cert = ssl->kssl_entry->ke_server_certificate; 1112 if (cert == NULL) { 1113 return (ENOENT); 1114 } 1115 cert_buf = cert->msg; 1116 cert_len = cert->len; 1117 1118 mp = ssl->handshake_sendbuf; 1119 mss = ssl->tcp_mss; 1120 ASSERT(mp != NULL); 1121 cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN; 1122 ASSERT(cur_reclen == KSSL_SSL3_SH_RECLEN); 1123 /* Assume MSS is at least 80 bytes */ 1124 ASSERT(mss > cur_reclen + SSL3_HDR_LEN); 1125 ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */ 1126 1127 copylen = mss - (cur_reclen + SSL3_HDR_LEN); 1128 len = cert_len; 1129 copylen = MIN(copylen, len); 1130 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1131 1132 /* new record always starts in a new mblk for simplicity */ 1133 msgbuf = cert_buf; 1134 for (;;) { 1135 ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim); 1136 bcopy(msgbuf, mp->b_wptr, copylen); 1137 msgbuf += copylen; 1138 mp->b_wptr += copylen; 1139 cur_reclen += copylen; 1140 len -= copylen; 1141 if (len == 0) { 1142 break; 1143 } 1144 if (cur_reclen == SSL3_MAX_RECORD_LENGTH) { 1145 cur_reclen = 0; 1146 } 1147 copylen = MIN(len, mss); 1148 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1149 mp->b_cont = allocb(copylen, BPRI_HI); 1150 if (mp->b_cont == NULL) { 1151 KSSL_COUNTER(alloc_fails, 1); 1152 freemsg(ssl->handshake_sendbuf); 1153 ssl->handshake_sendbuf = NULL; 1154 return (ENOMEM); 1155 } 1156 mp = mp->b_cont; 1157 if (cur_reclen == 0) { 1158 mp->b_wptr[0] = content_handshake; 1159 mp->b_wptr[1] = ssl->major_version; 1160 mp->b_wptr[2] = ssl->minor_version; 1161 cur_reclen = MIN(len, SSL3_MAX_RECORD_LENGTH); 1162 mp->b_wptr[3] = (cur_reclen >> 8) & 0xff; 1163 mp->b_wptr[4] = (cur_reclen) & 0xff; 1164 mp->b_wptr += SSL3_HDR_LEN; 1165 cur_reclen = 0; 1166 copylen = MIN(copylen, mss - SSL3_HDR_LEN); 1167 } 1168 } 1169 1170 /* adjust the record length field for the first record */ 1171 mp = ssl->handshake_sendbuf; 1172 cur_reclen = MIN(KSSL_SSL3_SH_RECLEN + cert_len, 1173 SSL3_MAX_RECORD_LENGTH); 1174 mp->b_rptr[3] = (cur_reclen >> 8) & 0xff; 1175 mp->b_rptr[4] = (cur_reclen) & 0xff; 1176 1177 kssl_update_handshake_hashes(ssl, cert_buf, cert_len); 1178 1179 return (0); 1180 } 1181 1182 static int 1183 kssl_send_change_cipher_specs(ssl_t *ssl) 1184 { 1185 mblk_t *mp, *newmp; 1186 uchar_t *buf; 1187 1188 mp = ssl->handshake_sendbuf; 1189 1190 /* We're most likely to hit the fast path for resumed sessions */ 1191 if ((mp != NULL) && 1192 (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) { 1193 buf = mp->b_wptr; 1194 } else { 1195 newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI); 1196 1197 if (newmp == NULL) 1198 return (ENOMEM); /* need to do better job! */ 1199 1200 if (mp == NULL) { 1201 ssl->handshake_sendbuf = newmp; 1202 } else { 1203 linkb(ssl->handshake_sendbuf, newmp); 1204 } 1205 mp = newmp; 1206 buf = mp->b_rptr; 1207 } 1208 1209 /* 5 byte record header */ 1210 buf[0] = content_change_cipher_spec; 1211 buf[1] = ssl->major_version; 1212 buf[2] = ssl->minor_version; 1213 buf[3] = 0; 1214 buf[4] = 1; 1215 buf += SSL3_HDR_LEN; 1216 1217 buf[0] = 1; 1218 1219 mp->b_wptr = buf + 1; 1220 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 1221 1222 ssl->seq_num[KSSL_WRITE] = 0; 1223 return (kssl_spec_init(ssl, KSSL_WRITE)); 1224 } 1225 1226 int 1227 kssl_spec_init(ssl_t *ssl, int dir) 1228 { 1229 KSSL_HASHCTX *ctx; 1230 KSSLCipherSpec *spec = &ssl->spec[dir]; 1231 int ret = 0; 1232 1233 spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz; 1234 spec->mac_padsz = mac_defs[ssl->pending_malg].padsz; 1235 1236 spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit; 1237 spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate; 1238 spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal; 1239 1240 if (dir == KSSL_READ) { 1241 bcopy(ssl->pending_keyblock, ssl->mac_secret[dir], 1242 spec->mac_hashsz); 1243 } else { 1244 bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]), 1245 ssl->mac_secret[dir], spec->mac_hashsz); 1246 } 1247 1248 /* Pre-compute these here. will save cycles on each record later */ 1249 if (!IS_TLS(ssl)) { 1250 ctx = &ssl->mac_ctx[dir][0]; 1251 spec->MAC_HashInit((void *)ctx); 1252 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1253 spec->mac_hashsz); 1254 spec->MAC_HashUpdate((void *)ctx, kssl_pad_1, 1255 spec->mac_padsz); 1256 1257 ctx = &ssl->mac_ctx[dir][1]; 1258 spec->MAC_HashInit((void *)ctx); 1259 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1260 spec->mac_hashsz); 1261 spec->MAC_HashUpdate((void *)ctx, kssl_pad_2, 1262 spec->mac_padsz); 1263 } 1264 1265 spec->cipher_type = cipher_defs[ssl->pending_calg].type; 1266 spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type; 1267 spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize; 1268 spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz; 1269 1270 if (spec->cipher_ctx != NULL) { 1271 crypto_cancel_ctx(spec->cipher_ctx); 1272 spec->cipher_ctx = 0; 1273 } 1274 1275 /* 1276 * Initialize HMAC keys for TLS and SSL3 HMAC keys 1277 * for SSL 3.0. 1278 */ 1279 if (IS_TLS(ssl)) { 1280 if (ssl->pending_malg == mac_md5) { 1281 spec->hmac_mech = hmac_md5_mech; 1282 } else if (ssl->pending_malg == mac_sha) { 1283 spec->hmac_mech = hmac_sha1_mech; 1284 } 1285 1286 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1287 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1288 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1289 } else { 1290 static uint32_t param; 1291 1292 spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID; 1293 spec->hmac_mech.cm_param = (caddr_t)¶m; 1294 spec->hmac_mech.cm_param_len = sizeof (param); 1295 if (ssl->pending_malg == mac_md5) { 1296 spec->hmac_mech.cm_type = 1297 crypto_mech2id("CKM_SSL3_MD5_MAC"); 1298 param = MD5_HASH_LEN; 1299 } else if (ssl->pending_malg == mac_sha) { 1300 spec->hmac_mech.cm_type = 1301 crypto_mech2id("CKM_SSL3_SHA1_MAC"); 1302 param = SHA1_HASH_LEN; 1303 } 1304 1305 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1306 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1307 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1308 } 1309 1310 /* We're done if this is the nil cipher */ 1311 if (spec->cipher_keysz == 0) { 1312 return (0); 1313 } 1314 1315 /* Initialize the key and the active context */ 1316 spec->cipher_key.ck_format = CRYPTO_KEY_RAW; 1317 spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */ 1318 1319 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1320 /* client_write_IV */ 1321 spec->cipher_mech.cm_param = 1322 (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz + 1323 2 * spec->cipher_keysz]); 1324 spec->cipher_mech.cm_param_len = spec->cipher_bsize; 1325 } 1326 spec->cipher_data.cd_format = CRYPTO_DATA_RAW; 1327 if (dir == KSSL_READ) { 1328 spec->cipher_mech.cm_param_len = 1329 cipher_defs[ssl->pending_calg].bsize; 1330 1331 /* client_write_key */ 1332 spec->cipher_key.ck_data = 1333 &(ssl->pending_keyblock[2 * spec->mac_hashsz]); 1334 1335 ret = crypto_decrypt_init(&(spec->cipher_mech), 1336 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1337 if (CRYPTO_ERR(ret)) { 1338 DTRACE_PROBE1(kssl_err__crypto_decrypt_init_read, 1339 int, ret); 1340 } 1341 } else { 1342 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1343 spec->cipher_mech.cm_param += spec->cipher_bsize; 1344 } 1345 /* server_write_key */ 1346 spec->cipher_key.ck_data = 1347 &(ssl->pending_keyblock[2 * spec->mac_hashsz + 1348 spec->cipher_keysz]); 1349 1350 ret = crypto_encrypt_init(&(spec->cipher_mech), 1351 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1352 if (CRYPTO_ERR(ret)) 1353 DTRACE_PROBE1(kssl_err__crypto_encrypt_init_non_read, 1354 int, ret); 1355 } 1356 return (ret); 1357 } 1358 1359 static int 1360 kssl_send_finished(ssl_t *ssl, int update_hsh) 1361 { 1362 mblk_t *mp; 1363 uchar_t *buf; 1364 uchar_t *rstart; 1365 uchar_t *versionp; 1366 SSL3Hashes ssl3hashes; 1367 size_t finish_len; 1368 int ret = 0; 1369 1370 mp = ssl->handshake_sendbuf; 1371 ASSERT(mp != NULL); 1372 buf = mp->b_wptr; 1373 ASSERT(buf - mp->b_rptr == SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN + 1374 SSL3_HDR_LEN + 1 || buf - mp->b_rptr == SSL3_HDR_LEN + 1); 1375 1376 rstart = buf; 1377 1378 if (IS_TLS(ssl)) 1379 finish_len = TLS_FINISHED_SIZE; 1380 else 1381 finish_len = KSSL_SSL3_FIN_MSGLEN; 1382 1383 /* 5 byte record header */ 1384 buf[0] = content_handshake; 1385 buf[1] = ssl->major_version; 1386 buf[2] = ssl->minor_version; 1387 buf[3] = 0; 1388 buf[4] = 4 + finish_len; 1389 1390 versionp = &buf[1]; 1391 1392 buf += SSL3_HDR_LEN; 1393 1394 /* 4 byte message header */ 1395 buf[0] = (uchar_t)finished; /* message type */ 1396 buf[1] = 0; /* message len byte 0 */ 1397 buf[2] = 0; /* message len byte 1 */ 1398 buf[3] = finish_len; /* message len byte 2 */ 1399 buf += 4; 1400 1401 if (IS_TLS(ssl)) { 1402 bcopy(ssl->hs_hashes.md5, ssl3hashes.md5, 1403 sizeof (ssl3hashes.md5)); 1404 bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1, 1405 sizeof (ssl3hashes.sha1)); 1406 } 1407 1408 /* Compute hashes for the SENDER side */ 1409 ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server); 1410 if (ret != 0) 1411 return (ret); 1412 1413 if (IS_TLS(ssl)) { 1414 bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash)); 1415 } else { 1416 bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN); 1417 bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN); 1418 } 1419 1420 if (update_hsh) { 1421 kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4); 1422 } 1423 1424 mp->b_wptr = buf + finish_len; 1425 1426 ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp, 1427 rstart, mp); 1428 ASSERT(mp->b_wptr <= mp->b_datap->db_lim); 1429 1430 return (ret); 1431 } 1432 1433 int 1434 kssl_mac_encrypt_record(ssl_t *ssl, 1435 SSL3ContentType ct, 1436 uchar_t *versionp, 1437 uchar_t *rstart, 1438 mblk_t *mp) 1439 { 1440 KSSLCipherSpec *spec; 1441 int mac_sz; 1442 int ret = 0; 1443 uint16_t rec_sz; 1444 int pad_sz; 1445 int i; 1446 1447 ASSERT(ssl != NULL); 1448 ASSERT(rstart >= mp->b_rptr); 1449 ASSERT(rstart < mp->b_wptr); 1450 1451 spec = &ssl->spec[KSSL_WRITE]; 1452 mac_sz = spec->mac_hashsz; 1453 1454 rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN; 1455 ASSERT(rec_sz > 0); 1456 1457 if (mac_sz != 0) { 1458 ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim); 1459 ret = kssl_compute_record_mac(ssl, KSSL_WRITE, 1460 ssl->seq_num[KSSL_WRITE], ct, versionp, 1461 rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr); 1462 if (ret == CRYPTO_SUCCESS) { 1463 ssl->seq_num[KSSL_WRITE]++; 1464 mp->b_wptr += mac_sz; 1465 rec_sz += mac_sz; 1466 } else { 1467 return (ret); 1468 } 1469 } 1470 1471 if (spec->cipher_type == type_block) { 1472 pad_sz = spec->cipher_bsize - 1473 (rec_sz & (spec->cipher_bsize - 1)); 1474 ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim); 1475 for (i = 0; i < pad_sz; i++) { 1476 mp->b_wptr[i] = pad_sz - 1; 1477 } 1478 mp->b_wptr += pad_sz; 1479 rec_sz += pad_sz; 1480 } 1481 1482 ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH); 1483 1484 U16_TO_BE16(rec_sz, rstart + 3); 1485 1486 if (spec->cipher_ctx == 0) 1487 return (ret); 1488 1489 spec->cipher_data.cd_length = rec_sz; 1490 spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN); 1491 spec->cipher_data.cd_raw.iov_len = rec_sz; 1492 /* One record at a time. Otherwise, gotta allocate the crypt_data_t */ 1493 ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data, 1494 NULL, NULL); 1495 if (CRYPTO_ERR(ret)) { 1496 DTRACE_PROBE1(kssl_err__crypto_encrypt_update, 1497 int, ret); 1498 } 1499 return (ret); 1500 } 1501 1502 void 1503 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc) 1504 { 1505 mblk_t *mp; 1506 uchar_t *buf; 1507 KSSLCipherSpec *spec; 1508 1509 ASSERT(ssl != NULL); 1510 1511 ssl->sendalert_level = level; 1512 ssl->sendalert_desc = desc; 1513 1514 if (level == alert_fatal) { 1515 DTRACE_PROBE2(kssl_sending_alert, 1516 SSL3AlertLevel, level, SSL3AlertDescription, desc); 1517 if (ssl->sid.cached == B_TRUE) { 1518 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 1519 ssl->sid.cached = B_FALSE; 1520 } 1521 ssl->fatal_alert = B_TRUE; 1522 KSSL_COUNTER(fatal_alerts, 1); 1523 } else 1524 KSSL_COUNTER(warning_alerts, 1); 1525 1526 spec = &ssl->spec[KSSL_WRITE]; 1527 1528 ASSERT(ssl->alert_sendbuf == NULL); 1529 ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz + 1530 spec->cipher_bsize, BPRI_HI); 1531 if (mp == NULL) { 1532 KSSL_COUNTER(alloc_fails, 1); 1533 return; 1534 } 1535 buf = mp->b_wptr; 1536 1537 /* 5 byte record header */ 1538 buf[0] = content_alert; 1539 buf[1] = ssl->major_version; 1540 buf[2] = ssl->minor_version; 1541 buf[3] = 0; 1542 buf[4] = 2; 1543 buf += SSL3_HDR_LEN; 1544 1545 /* alert contents */ 1546 buf[0] = (uchar_t)level; 1547 buf[1] = (uchar_t)desc; 1548 1549 mp->b_wptr = buf + 2; 1550 } 1551 1552 /* Assumes RSA encryption */ 1553 static int 1554 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen, 1555 kssl_callback_t cbfn, void *arg) 1556 { 1557 char *buf; 1558 uchar_t *pms; 1559 size_t pmslen; 1560 int allocated; 1561 int err, rverr = ENOMEM; 1562 kssl_entry_t *ep; 1563 crypto_key_t *privkey; 1564 crypto_data_t *wrapped_pms_data, *pms_data; 1565 crypto_call_req_t creq, *creqp; 1566 1567 ep = ssl->kssl_entry; 1568 privkey = ep->ke_private_key; 1569 if (privkey == NULL) { 1570 return (ENOENT); 1571 } 1572 1573 ASSERT(ssl->msg.type == client_key_exchange); 1574 ASSERT(ssl->hs_waitstate == wait_client_key); 1575 1576 /* 1577 * TLS adds an extra 2 byte length field before the data. 1578 */ 1579 if (IS_TLS(ssl)) { 1580 msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1]; 1581 mp->b_rptr += 2; 1582 } 1583 1584 /* 1585 * Allocate all we need in one shot. about 300 bytes total, for 1586 * 1024 bit RSA modulus. 1587 * The buffer layout will be: pms_data, wrapped_pms_data, the 1588 * value of the wrapped pms from the client, then room for the 1589 * resulting decrypted premaster secret. 1590 */ 1591 allocated = 2 * (sizeof (crypto_data_t) + msglen); 1592 buf = kmem_alloc(allocated, KM_NOSLEEP); 1593 if (buf == NULL) { 1594 return (ENOMEM); 1595 } 1596 1597 pms_data = (crypto_data_t *)buf; 1598 wrapped_pms_data = &(((crypto_data_t *)buf)[1]); 1599 1600 wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW; 1601 wrapped_pms_data->cd_offset = pms_data->cd_offset = 0; 1602 wrapped_pms_data->cd_length = pms_data->cd_length = msglen; 1603 wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL; 1604 wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen; 1605 wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t); 1606 pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen; 1607 1608 bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen); 1609 mp->b_rptr += msglen; 1610 1611 /* Proceed synchronously if out of interrupt and configured to do so */ 1612 if ((kssl_synchronous) && (!servicing_interrupt())) { 1613 creqp = NULL; 1614 } else { 1615 ssl->cke_callback_func = cbfn; 1616 ssl->cke_callback_arg = arg; 1617 creq.cr_flag = kssl_call_flag; 1618 creq.cr_callback_func = kssl_cke_done; 1619 creq.cr_callback_arg = ssl; 1620 1621 /* The callback routine will release this one */ 1622 KSSL_SSL_REFHOLD(ssl); 1623 1624 creqp = &creq; 1625 } 1626 1627 if (ep->ke_is_nxkey) { 1628 kssl_session_info_t *s; 1629 1630 s = ep->ke_sessinfo; 1631 err = CRYPTO_SUCCESS; 1632 if (!s->is_valid_handle) { 1633 /* Reauthenticate to the provider */ 1634 if (s->do_reauth) { 1635 err = kssl_get_obj_handle(ep); 1636 if (err == CRYPTO_SUCCESS) { 1637 s->is_valid_handle = B_TRUE; 1638 s->do_reauth = B_FALSE; 1639 } 1640 } else 1641 err = CRYPTO_FAILED; 1642 } 1643 1644 if (err == CRYPTO_SUCCESS) { 1645 ASSERT(s->is_valid_handle); 1646 err = crypto_decrypt_prov(s->prov, s->sid, 1647 &rsa_x509_mech, wrapped_pms_data, &s->key, 1648 NULL, pms_data, creqp); 1649 } 1650 1651 /* 1652 * Deal with session specific errors. We translate to 1653 * the closest errno. 1654 */ 1655 switch (err) { 1656 case CRYPTO_KEY_HANDLE_INVALID: 1657 case CRYPTO_SESSION_HANDLE_INVALID: 1658 s->is_valid_handle = B_FALSE; 1659 s->do_reauth = B_TRUE; 1660 rverr = EINVAL; 1661 break; 1662 case CRYPTO_PIN_EXPIRED: 1663 case CRYPTO_PIN_LOCKED: 1664 rverr = EACCES; 1665 break; 1666 case CRYPTO_UNKNOWN_PROVIDER: 1667 rverr = ENXIO; 1668 break; 1669 } 1670 } else { 1671 err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data, 1672 privkey, NULL, pms_data, creqp); 1673 } 1674 1675 switch (err) { 1676 case CRYPTO_SUCCESS: 1677 break; 1678 1679 case CRYPTO_QUEUED: 1680 /* 1681 * Finish the master secret then the rest of key material 1682 * derivation later. 1683 */ 1684 ssl->job.kjob = creq.cr_reqid; 1685 ssl->job.buf = buf; 1686 ssl->job.buflen = allocated; 1687 ssl->hs_waitstate = wait_client_key_done; 1688 return (0); 1689 default: 1690 DTRACE_PROBE1(kssl_err__crypto_decrypt, int, err); 1691 kmem_free(buf, allocated); 1692 return (rverr); 1693 } 1694 1695 pmslen = pms_data->cd_length; 1696 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1697 1698 /* generate master key and save it in the ssl sid structure */ 1699 if (IS_TLS(ssl)) { 1700 err = kssl_generate_tls_ms(ssl, pms, pmslen); 1701 if (!CRYPTO_ERR(err)) 1702 err = kssl_generate_tls_keyblock(ssl); 1703 } else { 1704 kssl_generate_ssl_ms(ssl, pms, pmslen); 1705 kssl_generate_keyblock(ssl); 1706 } 1707 1708 if (err == CRYPTO_SUCCESS) 1709 ssl->hs_waitstate = wait_change_cipher; 1710 1711 ssl->activeinput = B_FALSE; 1712 1713 kmem_free(buf, allocated); 1714 1715 return (0); 1716 } 1717 1718 static int 1719 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen) 1720 { 1721 int err; 1722 size_t finish_len; 1723 int hashcompare; 1724 1725 ASSERT(ssl->msg.type == finished); 1726 ASSERT(ssl->hs_waitstate == wait_finished); 1727 1728 if (IS_TLS(ssl)) 1729 finish_len = TLS_FINISHED_SIZE; 1730 else 1731 finish_len = KSSL_SSL3_FIN_MSGLEN; 1732 1733 if (msglen != finish_len) { 1734 kssl_send_alert(ssl, alert_fatal, illegal_parameter); 1735 return (EBADMSG); 1736 } 1737 1738 if (IS_TLS(ssl)) { 1739 hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash, 1740 finish_len); 1741 } else { 1742 hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len); 1743 } 1744 1745 /* The handshake hashes should be computed by now */ 1746 if (hashcompare != 0) { 1747 kssl_send_alert(ssl, alert_fatal, handshake_failure); 1748 return (EBADMSG); 1749 } 1750 1751 mp->b_rptr += msglen; 1752 1753 ssl->hs_waitstate = idle_handshake; 1754 1755 if (ssl->resumed == B_TRUE) { 1756 ssl->activeinput = B_FALSE; 1757 return (0); 1758 } 1759 1760 err = kssl_send_change_cipher_specs(ssl); 1761 if (err != 0) { 1762 return (err); 1763 } 1764 err = kssl_send_finished(ssl, 0); 1765 if (err != 0) { 1766 return (err); 1767 } 1768 1769 ASSERT(ssl->sid.cached == B_FALSE); 1770 ssl->sid.cached = B_TRUE; 1771 kssl_cache_sid(&ssl->sid, ssl->kssl_entry); 1772 ssl->activeinput = B_FALSE; 1773 1774 return (0); 1775 } 1776 1777 #define KSSL2_CH_MIN_RECSZ (9) 1778 1779 /* 1780 * This method is needed to handle clients which send the 1781 * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers. 1782 * We are not really doing SSLv2 here, just handling the header 1783 * and then switching to SSLv3. 1784 */ 1785 int 1786 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz) 1787 { 1788 uchar_t *recend; 1789 int err; 1790 SSL3AlertDescription desc = illegal_parameter; 1791 uint_t randlen; 1792 uint_t sidlen; 1793 uint_t nsuites; 1794 uchar_t *suitesp; 1795 uchar_t *rand; 1796 uint_t i, j; 1797 uint16_t suite; 1798 int ch_recsz = KSSL2_CH_MIN_RECSZ; 1799 1800 ASSERT(mp->b_wptr >= mp->b_rptr + recsz); 1801 ASSERT(ssl->hs_waitstate == wait_client_hello); 1802 ASSERT(ssl->resumed == B_FALSE); 1803 1804 if (recsz < ch_recsz) { 1805 goto falert; 1806 } 1807 1808 MD5Init(&ssl->hs_md5); 1809 SHA1Init(&ssl->hs_sha1); 1810 1811 kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz); 1812 1813 recend = mp->b_rptr + recsz; 1814 1815 if (*mp->b_rptr != 1) { 1816 goto falert; 1817 } 1818 mp->b_rptr += 3; 1819 1820 nsuites = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 1821 sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3]; 1822 randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5]; 1823 if (nsuites % 3 != 0) { 1824 DTRACE_PROBE1(kssl_err__nsuites_error, uint_t, nsuites); 1825 goto falert; 1826 } 1827 if (randlen < SSL_MIN_CHALLENGE_BYTES || 1828 randlen > SSL_MAX_CHALLENGE_BYTES) { 1829 DTRACE_PROBE1(kssl_err__randlen_out_of_range, 1830 uint_t, randlen); 1831 goto falert; 1832 } 1833 mp->b_rptr += 6; 1834 ch_recsz += nsuites + sidlen + randlen; 1835 if (recsz != ch_recsz) { 1836 goto falert; 1837 } 1838 suitesp = mp->b_rptr; 1839 rand = suitesp + nsuites + sidlen; 1840 if (randlen < SSL3_RANDOM_LENGTH) { 1841 bzero(ssl->client_random, SSL3_RANDOM_LENGTH); 1842 } 1843 bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen], 1844 randlen); 1845 1846 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 1847 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 1848 for (j = 0; j < nsuites; j += 3) { 1849 if (suitesp[j] != 0) { 1850 continue; 1851 } 1852 1853 if (suitesp[j + 1] == ((suite >> 8) & 0xff) && 1854 suitesp[j + 2] == (suite & 0xff)) { 1855 break; 1856 } 1857 } 1858 if (j < nsuites) { 1859 break; 1860 } 1861 } 1862 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 1863 DTRACE_PROBE(kssl_err__no_SSLv2_cipher_suite); 1864 ssl->activeinput = B_FALSE; 1865 return (SSL_MISS); 1866 } 1867 1868 mp->b_rptr = recend; 1869 1870 for (i = 0; i < cipher_suite_defs_nentries; i++) { 1871 if (suite == cipher_suite_defs[i].suite) { 1872 break; 1873 } 1874 } 1875 1876 ASSERT(i < cipher_suite_defs_nentries); 1877 1878 ssl->pending_cipher_suite = suite; 1879 ssl->pending_malg = cipher_suite_defs[i].malg; 1880 ssl->pending_calg = cipher_suite_defs[i].calg; 1881 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 1882 1883 ASSERT(ssl->sid.cached == B_FALSE); 1884 1885 (void) random_get_pseudo_bytes(ssl->sid.session_id, 1886 SSL3_SESSIONID_BYTES); 1887 ssl->sid.client_addr = ssl->faddr; 1888 ssl->sid.cipher_suite = suite; 1889 1890 err = kssl_send_server_hello(ssl); 1891 if (err != 0) { 1892 return (err); 1893 } 1894 err = kssl_send_certificate_and_server_hello_done(ssl); 1895 if (err != 0) { 1896 return (err); 1897 } 1898 KSSL_COUNTER(full_handshakes, 1); 1899 ssl->hs_waitstate = wait_client_key; 1900 ssl->activeinput = B_FALSE; 1901 return (0); 1902 1903 falert: 1904 kssl_send_alert(ssl, alert_fatal, desc); 1905 ssl->activeinput = B_FALSE; 1906 return (EBADMSG); 1907 } 1908 1909 /* 1910 * Call back routine for asynchronously submitted RSA decryption jobs. 1911 * The routine retreived the pre-master secret, and proceeds to generate 1912 * the remaining key materials. 1913 */ 1914 static void 1915 kssl_cke_done(void *arg, int status) 1916 { 1917 int ret = 0; 1918 uchar_t *pms; 1919 size_t pmslen; 1920 crypto_data_t *pms_data; 1921 kssl_cmd_t kssl_cmd = KSSL_CMD_NONE; 1922 ssl_t *ssl = (ssl_t *)arg; 1923 mblk_t *alertmp; 1924 kssl_callback_t cbfn; 1925 void *cbarg; 1926 1927 mutex_enter(&ssl->kssl_lock); 1928 1929 ASSERT(ssl->msg.type == client_key_exchange); 1930 ASSERT(ssl->hs_waitstate == wait_client_key_done); 1931 1932 if (status != CRYPTO_SUCCESS) { 1933 kssl_send_alert(ssl, alert_fatal, decrypt_error); 1934 kssl_cmd = KSSL_CMD_SEND; 1935 goto out; 1936 } 1937 1938 pms_data = (crypto_data_t *)(ssl->job.buf); 1939 1940 ASSERT(pms_data != NULL); 1941 1942 pmslen = pms_data->cd_length; 1943 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1944 1945 /* generate master key and save it in the ssl sid structure */ 1946 if (IS_TLS(ssl)) { 1947 ret = kssl_generate_tls_ms(ssl, pms, pmslen); 1948 if (!CRYPTO_ERR(ret)) 1949 ret = kssl_generate_tls_keyblock(ssl); 1950 } else { 1951 kssl_generate_ssl_ms(ssl, pms, pmslen); 1952 kssl_generate_keyblock(ssl); 1953 } 1954 1955 if (ret == CRYPTO_SUCCESS) 1956 ssl->hs_waitstate = wait_change_cipher; 1957 1958 out: 1959 kmem_free(ssl->job.buf, ssl->job.buflen); 1960 1961 ssl->job.kjob = 0; 1962 ssl->job.buf = NULL; 1963 ssl->job.buflen = 0; 1964 1965 ssl->activeinput = B_FALSE; 1966 1967 /* If we're the only ones left, then we won't callback */ 1968 if (ssl->kssl_refcnt == 1) { 1969 mutex_exit(&ssl->kssl_lock); 1970 KSSL_SSL_REFRELE(ssl); 1971 return; 1972 } 1973 1974 cbfn = ssl->cke_callback_func; 1975 cbarg = ssl->cke_callback_arg; 1976 alertmp = ssl->alert_sendbuf; 1977 ssl->alert_sendbuf = NULL; 1978 1979 mutex_exit(&ssl->kssl_lock); 1980 1981 KSSL_SSL_REFRELE(ssl); 1982 1983 /* Now call the callback routine */ 1984 (*(cbfn))(cbarg, alertmp, kssl_cmd); 1985 } 1986 1987 /* 1988 * Returns the first complete contiguous record out of rec_ass_head 1989 * The record is returned in a separate contiguous mblk, rec_ass_head is 1990 * left pointing to the next record in the queue. 1991 * 1992 * The output looks as follows: 1993 * 1994 * |--------|---------- .... -----|<---------->|<----------->|--- ... ---| 1995 * ^ ^ ^ mac_size pad_size ^ 1996 * | |___ b_rptr b_wptr __| | 1997 * | | 1998 * |___ db_base db_lim ___| 1999 */ 2000 mblk_t * 2001 kssl_get_next_record(ssl_t *ssl) 2002 { 2003 mblk_t *mp, *retmp; 2004 int rhsz = SSL3_HDR_LEN; 2005 uint16_t rec_sz; 2006 int mpsz, total_size; 2007 SSL3ContentType content_type; 2008 2009 ASSERT(MUTEX_HELD(&ssl->kssl_lock)); 2010 2011 mp = ssl->rec_ass_head; 2012 if (mp == NULL) 2013 return (NULL); 2014 2015 /* Fast path: when mp has at least a complete record */ 2016 if (MBLKL(mp) < rhsz) { 2017 DTRACE_PROBE1(kssl_mblk__incomplete_header, 2018 mblk_t *, mp); 2019 /* Not even a complete header in there yet */ 2020 if (msgdsize(mp) < rhsz) { 2021 return (NULL); 2022 } 2023 2024 if (!pullupmsg(mp, rhsz)) { 2025 kssl_send_alert(ssl, alert_fatal, internal_error); 2026 freemsg(mp); 2027 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2028 return (NULL); 2029 } 2030 } 2031 content_type = (SSL3ContentType)mp->b_rptr[0]; 2032 if (content_type == content_handshake_v2) { 2033 DTRACE_PROBE1(kssl_mblk__ssl_v2, mblk_t *, mp); 2034 rec_sz = (uint16_t)mp->b_rptr[1]; 2035 rhsz = 2; 2036 } else { 2037 DTRACE_PROBE1(kssl_mblk__ssl_v3, mblk_t *, mp); 2038 uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3; 2039 rec_sz = BE16_TO_U16(rec_sz_p); 2040 } 2041 2042 /* 2043 * same tests as above. Only rare very fragmented cases will 2044 * incur the cost of msgdsize() and msgpullup(). Well formed 2045 * packets will fall in the most frequent fast path. 2046 */ 2047 total_size = rhsz + rec_sz; 2048 2049 /* 2050 * Missing: defensive against record fabricated with longer than 2051 * MAX record length. 2052 */ 2053 if (MBLKL(mp) < total_size) { 2054 DTRACE_PROBE2(kssl_mblk__smaller_than_total_size, 2055 mblk_t *, mp, int, total_size); 2056 /* Not a complete record yet. Keep accumulating */ 2057 if (msgdsize(mp) < total_size) { 2058 return (NULL); 2059 } 2060 2061 if (!pullupmsg(mp, total_size)) { 2062 kssl_send_alert(ssl, alert_fatal, internal_error); 2063 freemsg(mp); 2064 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2065 return (NULL); 2066 } 2067 } 2068 mpsz = MBLKL(mp); /* could've changed after the pullup */ 2069 2070 if (mpsz > total_size) { 2071 DTRACE_PROBE2(kssl_mblk__bigger_than_total_size, 2072 mblk_t *, mp, int, total_size); 2073 /* gotta allocate a new block */ 2074 if ((retmp = dupb(mp)) == NULL) { 2075 kssl_send_alert(ssl, alert_fatal, internal_error); 2076 freemsg(mp); 2077 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2078 return (NULL); 2079 } 2080 2081 retmp->b_wptr = retmp->b_rptr + total_size; 2082 mp->b_rptr += total_size; 2083 ssl->rec_ass_head = mp; 2084 } else { 2085 DTRACE_PROBE2(kssl_mblk__equal_to_total_size, 2086 mblk_t *, mp, int, total_size); 2087 ASSERT(mpsz == total_size); 2088 ssl->rec_ass_head = mp->b_cont; 2089 mp->b_cont = NULL; 2090 retmp = mp; 2091 } 2092 /* Adjust the tail */ 2093 if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) { 2094 for (; mp->b_cont != NULL; mp = mp->b_cont) { 2095 ssl->rec_ass_tail = mp->b_cont; 2096 } 2097 } 2098 2099 return (retmp); 2100 } 2101 2102 2103 static void 2104 kssl_mblksfree(ssl_t *ssl) 2105 { 2106 2107 ASSERT(ssl != NULL); 2108 2109 if (ssl->rec_ass_head != NULL) { 2110 freemsg(ssl->rec_ass_head); 2111 } 2112 ssl->rec_ass_head = NULL; 2113 ssl->rec_ass_tail = NULL; 2114 2115 if (ssl->msg.head != NULL) { 2116 freemsg(ssl->msg.head); 2117 } 2118 ssl->msg.head = NULL; 2119 ssl->msg.tail = NULL; 2120 2121 if (ssl->handshake_sendbuf != NULL) { 2122 freemsg(ssl->handshake_sendbuf); 2123 ssl->handshake_sendbuf = NULL; 2124 } 2125 if (ssl->alert_sendbuf != NULL) { 2126 freemsg(ssl->alert_sendbuf); 2127 ssl->alert_sendbuf = NULL; 2128 } 2129 } 2130 2131 static void 2132 kssl_specsfree(ssl_t *ssl) 2133 { 2134 KSSLCipherSpec *spec = &ssl->spec[KSSL_READ]; 2135 2136 if (spec->cipher_ctx != NULL) { 2137 crypto_cancel_ctx(spec->cipher_ctx); 2138 spec->cipher_ctx = 0; 2139 } 2140 2141 spec = &ssl->spec[KSSL_WRITE]; 2142 2143 if (spec->cipher_ctx != NULL) { 2144 crypto_cancel_ctx(spec->cipher_ctx); 2145 spec->cipher_ctx = 0; 2146 } 2147 } 2148 2149 /* 2150 * Frees the ssl structure (aka the context of an SSL session). 2151 * Any pending crypto jobs are cancelled. 2152 * Any initiated crypto contexts are freed as well. 2153 */ 2154 void 2155 kssl_free_context(ssl_t *ssl) 2156 { 2157 ASSERT(ssl != NULL); 2158 if (!(MUTEX_HELD(&ssl->kssl_lock))) { 2159 /* we're coming from an external API entry point */ 2160 mutex_enter(&ssl->kssl_lock); 2161 } 2162 2163 if (ssl->job.kjob != NULL) { 2164 crypto_cancel_req(ssl->job.kjob); 2165 kmem_free(ssl->job.buf, ssl->job.buflen); 2166 2167 ssl->job.kjob = 0; 2168 ssl->job.buf = NULL; 2169 ssl->job.buflen = 0; 2170 } 2171 2172 kssl_mblksfree(ssl); 2173 kssl_specsfree(ssl); 2174 2175 KSSL_ENTRY_REFRELE(ssl->kssl_entry); 2176 ssl->kssl_entry = NULL; 2177 2178 mutex_exit(&ssl->kssl_lock); 2179 2180 kmem_cache_free(kssl_cache, ssl); 2181 kssl_cache_count--; 2182 } 2183