1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/stream.h> 28 #include <sys/strsubr.h> 29 #include <sys/stropts.h> 30 #include <sys/strsun.h> 31 #define _SUN_TPI_VERSION 2 32 #include <sys/ddi.h> 33 #include <sys/sunddi.h> 34 #include <sys/debug.h> 35 #include <sys/vtrace.h> 36 #include <sys/kmem.h> 37 #include <sys/cpuvar.h> 38 #include <sys/atomic.h> 39 #include <sys/sysmacros.h> 40 41 #include <sys/errno.h> 42 #include <sys/isa_defs.h> 43 #include <sys/md5.h> 44 #include <sys/sha1.h> 45 #include <sys/random.h> 46 #include <inet/common.h> 47 #include <netinet/in.h> 48 49 #include <sys/systm.h> 50 #include <sys/param.h> 51 52 #include "ksslimpl.h" 53 #include "ksslapi.h" 54 #include "ksslproto.h" 55 56 static ssl3CipherSuiteDef cipher_suite_defs[] = { 57 /* 2 X 16 byte keys + 2 x 20 byte MAC secrets, no IVs */ 58 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, 72}, 59 60 /* 2 X 16 byte keys + 2 x 16 byte MAC secrets, no IVs */ 61 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, 64}, 62 63 /* 2 X 8 byte keys + 2 x 20 byte MAC secrets, 2 x 8 byte IVs */ 64 {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, 72}, 65 66 /* 2 X 24 byte keys + 2 x 20 byte MAC secrets, 2 x 8 byte IVs */ 67 {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, 104}, 68 69 /* 2 X 16 byte keys + 2 x 20 byte MAC secrets, 2 x 16 byte IVs */ 70 {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes128, mac_sha, 104}, 71 72 /* 2 X 32 byte keys + 2 x 20 byte MAC secrets, 2 x 16 byte IVs */ 73 {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes256, mac_sha, 136}, 74 75 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, 40} 76 }; 77 78 static int cipher_suite_defs_nentries = 79 sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]); 80 81 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ 82 /* macsz padsz HashInit HashUpdate HashFinal */ 83 84 {MD5_HASH_LEN, SSL3_MD5_PAD_LEN, 85 (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update, 86 (hashfinal_func_t)MD5Final}, 87 88 {SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN, 89 (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update, 90 (hashfinal_func_t)SHA1Final}, 91 }; 92 93 static uchar_t kssl_pad_1[60] = { 94 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 95 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 96 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 97 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 98 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 99 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 100 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 101 0x36, 0x36, 0x36, 0x36 102 }; 103 static uchar_t kssl_pad_2[60] = { 104 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 105 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 106 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 107 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 108 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 109 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 110 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 111 0x5c, 0x5c, 0x5c, 0x5c 112 }; 113 114 int kssl_cache_count; 115 static boolean_t kssl_synchronous = B_FALSE; 116 117 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t); 118 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t); 119 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int); 120 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int, 121 kssl_callback_t, void *); 122 static int kssl_send_server_hello(ssl_t *); 123 static int kssl_send_certificate_and_server_hello_done(ssl_t *); 124 static int kssl_send_change_cipher_specs(ssl_t *); 125 static int kssl_send_finished(ssl_t *, int); 126 static int kssl_handle_finished(ssl_t *, mblk_t *, int); 127 static void kssl_get_hello_random(uchar_t *); 128 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *); 129 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *); 130 static void kssl_lookup_sid(sslSessionID *, uchar_t *, in6_addr_t *, 131 kssl_entry_t *); 132 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t); 133 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t); 134 static int kssl_generate_tls_keyblock(ssl_t *); 135 static void kssl_generate_keyblock(ssl_t *); 136 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t, 137 int, uchar_t *, int); 138 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t, 139 uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 140 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *, 141 size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 142 static void kssl_cke_done(void *, int); 143 144 #define HMAC_INIT(m, k, c) \ 145 rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end; 146 147 #define HMAC_UPDATE(c, d, l) \ 148 dd.cd_raw.iov_base = (char *)d; \ 149 dd.cd_length = dd.cd_raw.iov_len = l; \ 150 rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end; 151 152 #define HMAC_FINAL(c, d, l) \ 153 mac.cd_raw.iov_base = (char *)d; \ 154 mac.cd_length = mac.cd_raw.iov_len = l; \ 155 rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end; 156 157 /* 158 * This hack can go away once we have SSL3 MAC support by KCF 159 * software providers (See 4873559). 160 */ 161 extern int kcf_md5_threshold; 162 163 int 164 kssl_compute_record_mac( 165 ssl_t *ssl, 166 int direction, 167 uint64_t seq_num, 168 SSL3ContentType ct, 169 uchar_t *versionp, 170 uchar_t *buf, 171 int len, 172 uchar_t *digest) 173 { 174 KSSL_HASHCTX mac_ctx; 175 KSSL_HASHCTX *ctx = &mac_ctx; 176 uchar_t temp[16], *p; 177 KSSLCipherSpec *spec; 178 boolean_t hash_use_ok = B_FALSE; 179 int rv = 0; 180 181 spec = &ssl->spec[direction]; 182 183 if (spec->mac_hashsz == 0) { 184 return (1); 185 } 186 187 p = temp; 188 189 *p++ = (seq_num >> 56) & 0xff; 190 *p++ = (seq_num >> 48) & 0xff; 191 *p++ = (seq_num >> 40) & 0xff; 192 *p++ = (seq_num >> 32) & 0xff; 193 *p++ = (seq_num >> 24) & 0xff; 194 *p++ = (seq_num >> 16) & 0xff; 195 *p++ = (seq_num >> 8) & 0xff; 196 *p++ = (seq_num) & 0xff; 197 *p++ = (uchar_t)ct; 198 if (IS_TLS(ssl)) { 199 *p++ = versionp[0]; 200 *p++ = versionp[1]; 201 } 202 *p++ = (len >> 8) & 0xff; 203 *p++ = (len) & 0xff; 204 205 if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID && 206 len >= kcf_md5_threshold)) { 207 crypto_data_t dd, mac; 208 struct uio uio_pt; 209 struct iovec iovarray_pt[2]; 210 211 /* init the array of iovecs for use in the uio struct */ 212 iovarray_pt[0].iov_base = (char *)temp; 213 iovarray_pt[0].iov_len = (p - temp); 214 iovarray_pt[1].iov_base = (char *)buf; 215 iovarray_pt[1].iov_len = len; 216 217 /* init the uio struct for use in the crypto_data_t struct */ 218 bzero(&uio_pt, sizeof (uio_pt)); 219 uio_pt.uio_iov = iovarray_pt; 220 uio_pt.uio_iovcnt = 2; 221 uio_pt.uio_segflg = UIO_SYSSPACE; 222 223 dd.cd_format = CRYPTO_DATA_UIO; 224 dd.cd_offset = 0; 225 dd.cd_length = (p - temp) + len; 226 dd.cd_miscdata = NULL; 227 dd.cd_uio = &uio_pt; 228 229 mac.cd_format = CRYPTO_DATA_RAW; 230 mac.cd_offset = 0; 231 mac.cd_raw.iov_base = (char *)digest; 232 mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz; 233 234 /* 235 * The calling context can tolerate a blocking call here. 236 * For outgoing traffic, we are in user context 237 * when called from strsock_kssl_output(). For incoming 238 * traffic past the SSL handshake, we are in user 239 * context when called from strsock_kssl_input(). During the 240 * SSL handshake, we are called for client_finished message 241 * handling from a squeue worker thread that gets scheduled 242 * by an SQ_FILL call. This thread is not in interrupt 243 * context and so can block. 244 */ 245 rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key, 246 NULL, &mac, NULL); 247 248 if (CRYPTO_ERR(rv)) { 249 hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED && 250 !IS_TLS(ssl)); 251 if (!hash_use_ok) { 252 DTRACE_PROBE1(kssl_err__crypto_mac_error, 253 int, rv); 254 KSSL_COUNTER(compute_mac_failure, 1); 255 } 256 } 257 } else 258 hash_use_ok = B_TRUE; 259 260 if (hash_use_ok) { 261 bcopy(&(ssl->mac_ctx[direction][0]), ctx, 262 sizeof (KSSL_HASHCTX)); 263 spec->MAC_HashUpdate((void *)ctx, temp, p - temp); 264 spec->MAC_HashUpdate((void *)ctx, buf, len); 265 spec->MAC_HashFinal(digest, (void *)ctx); 266 267 bcopy(&(ssl->mac_ctx[direction][1]), ctx, 268 sizeof (KSSL_HASHCTX)); 269 spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz); 270 spec->MAC_HashFinal(digest, (void *)ctx); 271 } 272 273 return (rv); 274 } 275 276 /* 277 * Handles handshake messages. 278 * Messages to be replied are returned in handshake_sendbuf. 279 */ 280 int 281 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err, 282 kssl_callback_t cbfn, void *arg) 283 { 284 uint32_t msglen; 285 uchar_t msghdr[4]; 286 287 ASSERT(ssl->msg.state == MSG_BODY); 288 ASSERT(ssl->msg.msglen_bytes == 3); 289 ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen); 290 291 ssl->sslcnt++; 292 msglen = ssl->msg.msglen; 293 294 if (ssl->msg.type == client_hello) { 295 MD5Init(&ssl->hs_md5); 296 SHA1Init(&ssl->hs_sha1); 297 } 298 299 if (ssl->msg.type == finished && ssl->resumed == B_FALSE) { 300 if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 301 sender_client) != 0) { 302 *err = SSL_MISS; 303 return (0); 304 } 305 } 306 307 if (ssl->msg.type != finished || ssl->resumed == B_FALSE) { 308 msghdr[0] = (uchar_t)ssl->msg.type; 309 310 msghdr[1] = (uchar_t)(msglen >> 16); 311 msghdr[2] = (uchar_t)(msglen >> 8); 312 msghdr[3] = (uchar_t)(msglen); 313 kssl_update_handshake_hashes(ssl, msghdr, 4); 314 kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen); 315 } 316 317 ssl->msg.state = MSG_INIT; 318 ssl->msg.msglen = 0; 319 ssl->msg.msglen_bytes = 0; 320 321 switch (ssl->msg.type) { 322 case client_hello: 323 if (ssl->hs_waitstate != wait_client_hello) { 324 kssl_send_alert(ssl, alert_fatal, 325 unexpected_message); 326 *err = EBADMSG; 327 ssl->activeinput = B_FALSE; 328 return (1); 329 } 330 *err = kssl_handle_client_hello(ssl, mp, msglen); 331 if (*err == SSL_MISS) { 332 ssl->activeinput = B_FALSE; 333 return (0); 334 } 335 return (1); 336 case client_key_exchange: 337 if (ssl->hs_waitstate != wait_client_key) { 338 kssl_send_alert(ssl, alert_fatal, 339 unexpected_message); 340 *err = EBADMSG; 341 ssl->activeinput = B_FALSE; 342 return (1); 343 } 344 *err = kssl_handle_client_key_exchange(ssl, mp, 345 msglen, cbfn, arg); 346 return (1); 347 case finished: 348 if (ssl->hs_waitstate != wait_finished) { 349 kssl_send_alert(ssl, alert_fatal, 350 unexpected_message); 351 *err = EBADMSG; 352 ssl->activeinput = B_FALSE; 353 return (1); 354 } 355 *err = kssl_handle_finished(ssl, mp, msglen); 356 return (1); 357 default: 358 kssl_send_alert(ssl, alert_fatal, unexpected_message); 359 ssl->activeinput = B_FALSE; 360 *err = EBADMSG; 361 return (1); 362 } 363 } 364 365 static void 366 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len) 367 { 368 MD5Update(&ssl->hs_md5, buf, len); 369 SHA1Update(&ssl->hs_sha1, buf, len); 370 } 371 372 static int 373 kssl_compute_handshake_hashes( 374 ssl_t *ssl, 375 SSL3Hashes *hashes, 376 uint32_t sender) 377 { 378 MD5_CTX md5 = ssl->hs_md5; /* clone md5 context */ 379 SHA1_CTX sha1 = ssl->hs_sha1; /* clone sha1 context */ 380 MD5_CTX *md5ctx = &md5; 381 SHA1_CTX *sha1ctx = &sha1; 382 383 if (IS_TLS(ssl)) { 384 uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN]; 385 char *label; 386 387 /* 388 * Do not take another hash step here. 389 * Just complete the operation. 390 */ 391 MD5Final(hashes->md5, md5ctx); 392 SHA1Final(hashes->sha1, sha1ctx); 393 394 bcopy(hashes->md5, seed, MD5_HASH_LEN); 395 bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN); 396 397 if (sender == sender_client) 398 label = TLS_CLIENT_FINISHED_LABEL; 399 else 400 label = TLS_SERVER_FINISHED_LABEL; 401 402 return (kssl_tls_PRF(ssl, 403 ssl->sid.master_secret, 404 (size_t)SSL3_MASTER_SECRET_LEN, 405 (uchar_t *)label, strlen(label), 406 seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN), 407 hashes->tlshash, (size_t)TLS_FINISHED_SIZE)); 408 } else { 409 uchar_t s[4]; 410 s[0] = (sender >> 24) & 0xff; 411 s[1] = (sender >> 16) & 0xff; 412 s[2] = (sender >> 8) & 0xff; 413 s[3] = (sender) & 0xff; 414 415 MD5Update(md5ctx, s, 4); 416 MD5Update(md5ctx, ssl->sid.master_secret, 417 SSL3_MASTER_SECRET_LEN); 418 MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN); 419 MD5Final(hashes->md5, md5ctx); 420 421 MD5Init(md5ctx); 422 MD5Update(md5ctx, ssl->sid.master_secret, 423 SSL3_MASTER_SECRET_LEN); 424 MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN); 425 MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN); 426 MD5Final(hashes->md5, md5ctx); 427 428 SHA1Update(sha1ctx, s, 4); 429 SHA1Update(sha1ctx, ssl->sid.master_secret, 430 SSL3_MASTER_SECRET_LEN); 431 SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN); 432 SHA1Final(hashes->sha1, sha1ctx); 433 434 SHA1Init(sha1ctx); 435 SHA1Update(sha1ctx, ssl->sid.master_secret, 436 SSL3_MASTER_SECRET_LEN); 437 SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN); 438 SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN); 439 SHA1Final(hashes->sha1, sha1ctx); 440 return (0); 441 } 442 } 443 444 445 /* 446 * Minimum message length for a client hello = 447 * 2-byte client_version + 448 * 32-byte random + 449 * 1-byte session_id length + 450 * 2-byte cipher_suites length + 451 * 1-byte compression_methods length + 452 * 1-byte CompressionMethod.null 453 */ 454 #define KSSL_SSL3_CH_MIN_MSGLEN (39) 455 456 static int 457 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen) 458 { 459 uchar_t *msgend; 460 int err; 461 SSL3AlertDescription desc = illegal_parameter; 462 uint_t sidlen, cslen, cmlen; 463 uchar_t *suitesp; 464 uint_t i, j; 465 uint16_t suite; 466 int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN; 467 468 ASSERT(mp->b_wptr >= mp->b_rptr + msglen); 469 ASSERT(ssl->msg.type == client_hello); 470 ASSERT(ssl->hs_waitstate == wait_client_hello); 471 ASSERT(ssl->resumed == B_FALSE); 472 473 if (msglen < ch_msglen) { 474 goto falert; 475 } 476 477 msgend = mp->b_rptr + msglen; 478 479 /* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */ 480 if (ssl->major_version != 3 || (ssl->major_version == 3 && 481 ssl->minor_version != 0 && ssl->minor_version != 1)) { 482 DTRACE_PROBE2(kssl_err__SSL_version_not_supported, 483 uchar_t, ssl->major_version, 484 uchar_t, ssl->minor_version); 485 desc = handshake_failure; 486 goto falert; 487 } 488 mp->b_rptr += 2; /* skip the version bytes */ 489 490 bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH); 491 mp->b_rptr += SSL3_RANDOM_LENGTH; 492 493 ASSERT(ssl->sid.cached == B_FALSE); 494 sidlen = *mp->b_rptr++; 495 ch_msglen += sidlen; 496 if (msglen < ch_msglen) { 497 goto falert; 498 } 499 if (sidlen != SSL3_SESSIONID_BYTES) { 500 mp->b_rptr += sidlen; 501 } else { 502 kssl_lookup_sid(&ssl->sid, mp->b_rptr, &ssl->faddr, 503 ssl->kssl_entry); 504 mp->b_rptr += SSL3_SESSIONID_BYTES; 505 } 506 507 cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 508 mp->b_rptr += 2; 509 ch_msglen += cslen; 510 511 /* 512 * This check can't be a "!=" since there can be 513 * compression methods other than CompressionMethod.null. 514 * Also, there can be extra data (TLS extensions) after the 515 * compression methods field. We do not support any TLS 516 * extensions and hence ignore them. 517 */ 518 if (msglen < ch_msglen) { 519 goto falert; 520 } 521 522 /* The length has to be even since a cipher suite is 2-byte long */ 523 if (cslen & 0x1) { 524 goto falert; 525 } 526 suitesp = mp->b_rptr; 527 if (ssl->sid.cached == B_TRUE) { 528 suite = ssl->sid.cipher_suite; 529 for (j = 0; j < cslen; j += 2) { 530 if (suitesp[j] == ((suite >> 8) & 0xff) && 531 suitesp[j + 1] == (suite & 0xff)) { 532 break; 533 } 534 } 535 if (j < cslen) { 536 goto suite_found; 537 } 538 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 539 } 540 541 /* Check if this server is capable of the cipher suite */ 542 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 543 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 544 for (j = 0; j < cslen; j += 2) { 545 if (suitesp[j] == ((suite >> 8) & 0xff) && 546 suitesp[j + 1] == (suite & 0xff)) { 547 break; 548 } 549 } 550 if (j < cslen) { 551 break; 552 } 553 } 554 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 555 if (ssl->sslcnt == 1) { 556 KSSL_COUNTER(no_suite_found, 1); 557 return (SSL_MISS); 558 } 559 desc = handshake_failure; 560 DTRACE_PROBE(kssl_err__no_cipher_suites_found); 561 goto falert; 562 } 563 564 suite_found: 565 mp->b_rptr += cslen; 566 567 /* 568 * Check for the mandatory CompressionMethod.null. We do not 569 * support any other compression methods. 570 */ 571 cmlen = *mp->b_rptr++; 572 ch_msglen += cmlen - 1; /* -1 accounts for the null method */ 573 if (msglen < ch_msglen) { 574 goto falert; 575 } 576 577 while (cmlen >= 1) { 578 if (*mp->b_rptr++ == 0) 579 break; 580 cmlen--; 581 } 582 583 if (cmlen == 0) { 584 desc = handshake_failure; 585 DTRACE_PROBE(kssl_err__no_null_method_failure); 586 goto falert; 587 } 588 589 mp->b_rptr = msgend; 590 591 for (i = 0; i < cipher_suite_defs_nentries; i++) { 592 if (suite == cipher_suite_defs[i].suite) { 593 break; 594 } 595 } 596 597 ASSERT(i < cipher_suite_defs_nentries); 598 599 ssl->pending_cipher_suite = suite; 600 ssl->pending_malg = cipher_suite_defs[i].malg; 601 ssl->pending_calg = cipher_suite_defs[i].calg; 602 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 603 604 if (ssl->sid.cached == B_TRUE) { 605 err = kssl_send_server_hello(ssl); 606 if (err != 0) { 607 return (err); 608 } 609 if (IS_TLS(ssl)) 610 err = kssl_generate_tls_keyblock(ssl); 611 else 612 kssl_generate_keyblock(ssl); 613 614 err = kssl_send_change_cipher_specs(ssl); 615 if (err != 0) { 616 return (err); 617 } 618 619 err = kssl_send_finished(ssl, 1); 620 if (err != 0) 621 return (err); 622 623 err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 624 sender_client); 625 if (err != 0) 626 return (err); 627 628 ssl->hs_waitstate = wait_change_cipher; 629 ssl->resumed = B_TRUE; 630 ssl->activeinput = B_FALSE; 631 KSSL_COUNTER(resumed_sessions, 1); 632 return (0); 633 } 634 635 (void) random_get_pseudo_bytes(ssl->sid.session_id, 636 SSL3_SESSIONID_BYTES); 637 ssl->sid.client_addr = ssl->faddr; 638 ssl->sid.cipher_suite = suite; 639 640 err = kssl_send_server_hello(ssl); 641 if (err != 0) { 642 return (err); 643 } 644 err = kssl_send_certificate_and_server_hello_done(ssl); 645 if (err != 0) { 646 return (err); 647 } 648 KSSL_COUNTER(full_handshakes, 1); 649 ssl->hs_waitstate = wait_client_key; 650 ssl->activeinput = B_FALSE; 651 return (0); 652 653 falert: 654 kssl_send_alert(ssl, alert_fatal, desc); 655 return (EBADMSG); 656 } 657 658 #define SET_HASH_INDEX(index, s, clnt_addr) { \ 659 int addr; \ 660 \ 661 IN6_V4MAPPED_TO_IPADDR(clnt_addr, addr); \ 662 index = addr ^ (((int)(s)[0] << 24) | ((int)(s)[1] << 16) | \ 663 ((int)(s)[2] << 8) | (int)(s)[SSL3_SESSIONID_BYTES - 1]); \ 664 } 665 666 /* 667 * Creates a cache entry. Sets the sid->cached flag 668 * and sid->time fields. So, the caller should not set them. 669 */ 670 static void 671 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 672 { 673 uint_t index; 674 uchar_t *s = sid->session_id; 675 kmutex_t *lock; 676 677 ASSERT(sid->cached == B_FALSE); 678 679 /* set the values before creating the cache entry */ 680 sid->cached = B_TRUE; 681 sid->time = lbolt; 682 683 SET_HASH_INDEX(index, s, &sid->client_addr); 684 index %= kssl_entry->sid_cache_nentries; 685 686 lock = &(kssl_entry->sid_cache[index].se_lock); 687 mutex_enter(lock); 688 kssl_entry->sid_cache[index].se_used++; 689 bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid)); 690 mutex_exit(lock); 691 692 KSSL_COUNTER(sid_cached, 1); 693 } 694 695 /* 696 * Invalidates the cache entry, if any. Clears the sid->cached flag 697 * as a side effect. 698 */ 699 void 700 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 701 { 702 uint_t index; 703 uchar_t *s = sid->session_id; 704 sslSessionID *csid; 705 kmutex_t *lock; 706 707 ASSERT(sid->cached == B_TRUE); 708 sid->cached = B_FALSE; 709 710 SET_HASH_INDEX(index, s, &sid->client_addr); 711 index %= kssl_entry->sid_cache_nentries; 712 713 lock = &(kssl_entry->sid_cache[index].se_lock); 714 mutex_enter(lock); 715 csid = &(kssl_entry->sid_cache[index].se_sid); 716 if (!(IN6_ARE_ADDR_EQUAL(&csid->client_addr, &sid->client_addr)) || 717 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 718 mutex_exit(lock); 719 return; 720 } 721 csid->cached = B_FALSE; 722 mutex_exit(lock); 723 724 KSSL_COUNTER(sid_uncached, 1); 725 } 726 727 static void 728 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, in6_addr_t *faddr, 729 kssl_entry_t *kssl_entry) 730 { 731 uint_t index; 732 kmutex_t *lock; 733 sslSessionID *csid; 734 735 KSSL_COUNTER(sid_cache_lookups, 1); 736 737 SET_HASH_INDEX(index, s, faddr); 738 index %= kssl_entry->sid_cache_nentries; 739 740 lock = &(kssl_entry->sid_cache[index].se_lock); 741 mutex_enter(lock); 742 csid = &(kssl_entry->sid_cache[index].se_sid); 743 if (csid->cached == B_FALSE || 744 !IN6_ARE_ADDR_EQUAL(&csid->client_addr, faddr) || 745 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 746 mutex_exit(lock); 747 return; 748 } 749 750 if (TICK_TO_SEC(lbolt - csid->time) > kssl_entry->sid_cache_timeout) { 751 csid->cached = B_FALSE; 752 mutex_exit(lock); 753 return; 754 } 755 756 bcopy(csid, sid, sizeof (*sid)); 757 mutex_exit(lock); 758 ASSERT(sid->cached == B_TRUE); 759 760 KSSL_COUNTER(sid_cache_hits, 1); 761 } 762 763 static uchar_t * 764 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp) 765 { 766 size_t len = *lenp; 767 int i = 2; 768 769 if (buf[0] != 0 || buf[1] != 2) { 770 return (NULL); 771 } 772 773 while (i < len) { 774 if (buf[i++] == 0) { 775 *lenp = len - i; 776 break; 777 } 778 } 779 780 if (i == len) { 781 return (NULL); 782 } 783 784 return (buf + i); 785 } 786 787 788 #define KSSL_SSL3_SH_RECLEN (74) 789 #define KSSL_SSL3_FIN_MSGLEN (36) 790 791 #define KSSL_SSL3_MAX_CCP_FIN_MSGLEN (128) /* comfortable upper bound */ 792 793 static int 794 kssl_send_server_hello(ssl_t *ssl) 795 { 796 mblk_t *mp; 797 uchar_t *buf; 798 uchar_t *msgstart; 799 800 mp = allocb(ssl->tcp_mss, BPRI_HI); 801 if (mp == NULL) { 802 KSSL_COUNTER(alloc_fails, 1); 803 return (ENOMEM); 804 } 805 ssl->handshake_sendbuf = mp; 806 buf = mp->b_wptr; 807 808 /* 5 byte record header */ 809 buf[0] = content_handshake; 810 buf[1] = ssl->major_version; 811 buf[2] = ssl->minor_version; 812 buf[3] = KSSL_SSL3_SH_RECLEN >> 8; 813 buf[4] = KSSL_SSL3_SH_RECLEN & 0xff; 814 buf += SSL3_HDR_LEN; 815 816 msgstart = buf; 817 818 /* 6 byte message header */ 819 buf[0] = (uchar_t)server_hello; /* message type */ 820 buf[1] = 0; /* message len byte 0 */ 821 buf[2] = ((KSSL_SSL3_SH_RECLEN - 4) >> 8) & 822 0xff; /* message len byte 1 */ 823 buf[3] = (KSSL_SSL3_SH_RECLEN - 4) & 0xff; /* message len byte 2 */ 824 825 buf[4] = ssl->major_version; /* version byte 0 */ 826 buf[5] = ssl->minor_version; /* version byte 1 */ 827 828 buf += 6; 829 830 kssl_get_hello_random(ssl->server_random); 831 bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH); 832 buf += SSL3_RANDOM_LENGTH; 833 834 buf[0] = SSL3_SESSIONID_BYTES; 835 bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES); 836 buf += SSL3_SESSIONID_BYTES + 1; 837 838 buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff; 839 buf[1] = ssl->pending_cipher_suite & 0xff; 840 841 buf[2] = 0; /* No compression */ 842 843 mp->b_wptr = buf + 3; 844 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 845 846 kssl_update_handshake_hashes(ssl, msgstart, KSSL_SSL3_SH_RECLEN); 847 return (0); 848 } 849 850 static void 851 kssl_get_hello_random(uchar_t *buf) 852 { 853 timestruc_t ts; 854 time_t sec; 855 856 gethrestime(&ts); 857 sec = ts.tv_sec; 858 859 buf[0] = (sec >> 24) & 0xff; 860 buf[1] = (sec >> 16) & 0xff; 861 buf[2] = (sec >> 8) & 0xff; 862 buf[3] = (sec) & 0xff; 863 864 (void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4); 865 866 /* Should this be caching? */ 867 } 868 869 static int 870 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key, 871 size_t hashlen, 872 uchar_t *label, size_t label_len, 873 uchar_t *seed, size_t seedlen, 874 uchar_t *data, size_t datalen) 875 { 876 int rv = 0; 877 uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN]; 878 int bytes_left = datalen; 879 crypto_data_t dd, mac; 880 crypto_context_t ctx; 881 882 dd.cd_format = CRYPTO_DATA_RAW; 883 dd.cd_offset = 0; 884 mac.cd_format = CRYPTO_DATA_RAW; 885 mac.cd_offset = 0; 886 887 /* 888 * A(i) = HMAC_hash(secret, seed + A(i-1)); 889 * A(0) = seed; 890 * 891 * Compute A(1): 892 * A(1) = HMAC_hash(secret, label + seed) 893 * 894 */ 895 HMAC_INIT(mech, key, &ctx); 896 HMAC_UPDATE(ctx, label, label_len); 897 HMAC_UPDATE(ctx, seed, seedlen); 898 HMAC_FINAL(ctx, A1, hashlen); 899 900 /* Compute A(2) ... A(n) */ 901 while (bytes_left > 0) { 902 HMAC_INIT(mech, key, &ctx); 903 HMAC_UPDATE(ctx, A1, hashlen); 904 HMAC_UPDATE(ctx, label, label_len); 905 HMAC_UPDATE(ctx, seed, seedlen); 906 HMAC_FINAL(ctx, result, hashlen); 907 908 /* 909 * The A(i) value is stored in "result". 910 * Save the results of the MAC so it can be input to next 911 * iteration. 912 */ 913 if (bytes_left > hashlen) { 914 /* Store the chunk result */ 915 bcopy(result, data, hashlen); 916 data += hashlen; 917 918 bytes_left -= hashlen; 919 920 /* Update A1 for next iteration */ 921 HMAC_INIT(mech, key, &ctx); 922 HMAC_UPDATE(ctx, A1, hashlen); 923 HMAC_FINAL(ctx, A1, hashlen); 924 925 } else { 926 bcopy(result, data, bytes_left); 927 data += bytes_left; 928 bytes_left = 0; 929 } 930 } 931 end: 932 if (CRYPTO_ERR(rv)) { 933 DTRACE_PROBE1(kssl_err__crypto_mac_error, int, rv); 934 KSSL_COUNTER(compute_mac_failure, 1); 935 } 936 return (rv); 937 } 938 939 /* ARGSUSED */ 940 static int 941 kssl_tls_PRF(ssl_t *ssl, 942 uchar_t *secret, size_t secret_len, 943 uchar_t *label, size_t label_len, 944 uchar_t *seed, size_t seed_len, 945 uchar_t *prfresult, size_t prfresult_len) 946 { 947 /* 948 * RFC 2246: 949 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR 950 * P_SHA1(S2, label + seed); 951 * S1 = 1st half of secret. 952 * S1 = 2nd half of secret. 953 * 954 */ 955 956 int rv, i; 957 uchar_t psha1[MAX_KEYBLOCK_LENGTH]; 958 crypto_key_t S1, S2; 959 960 /* length of secret keys is ceil(length/2) */ 961 size_t slen = roundup(secret_len, 2) / 2; 962 963 if (prfresult_len > MAX_KEYBLOCK_LENGTH) { 964 DTRACE_PROBE1(kssl_err__unexpected_keyblock_size, 965 size_t, prfresult_len); 966 return (CRYPTO_ARGUMENTS_BAD); 967 } 968 969 ASSERT(prfresult != NULL); 970 ASSERT(label != NULL); 971 ASSERT(seed != NULL); 972 973 S1.ck_data = secret; 974 S1.ck_length = slen * 8; /* bits */ 975 S1.ck_format = CRYPTO_KEY_RAW; 976 977 S2.ck_data = secret + slen; 978 S2.ck_length = slen * 8; /* bits */ 979 S2.ck_format = CRYPTO_KEY_RAW; 980 981 rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN, 982 label, label_len, 983 seed, seed_len, 984 prfresult, prfresult_len); 985 if (CRYPTO_ERR(rv)) 986 goto end; 987 988 rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN, 989 label, label_len, 990 seed, seed_len, 991 psha1, prfresult_len); 992 if (CRYPTO_ERR(rv)) 993 goto end; 994 995 for (i = 0; i < prfresult_len; i++) 996 prfresult[i] ^= psha1[i]; 997 998 end: 999 if (CRYPTO_ERR(rv)) 1000 bzero(prfresult, prfresult_len); 1001 1002 return (rv); 1003 } 1004 1005 #define IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl) \ 1006 (pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN || \ 1007 pms[0] != ssl->major_version || pms[1] != ssl->minor_version) 1008 1009 #define FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) { \ 1010 KSSL_COUNTER(bad_pre_master_secret, 1); \ 1011 pms = buf; \ 1012 pmslen = SSL3_PRE_MASTER_SECRET_LEN; \ 1013 pms[0] = ssl->major_version; \ 1014 pms[1] = ssl->minor_version; \ 1015 (void) random_get_pseudo_bytes(&buf[2], pmslen - 2); \ 1016 } 1017 1018 static int 1019 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 1020 { 1021 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 1022 uchar_t seed[SSL3_RANDOM_LENGTH * 2]; 1023 1024 /* 1025 * Computing the master secret: 1026 * ---------------------------- 1027 * master_secret = PRF (pms, "master secret", 1028 * ClientHello.random + ServerHello.random); 1029 */ 1030 bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH); 1031 bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH, 1032 SSL3_RANDOM_LENGTH); 1033 1034 /* if pms is bad fake it to thwart Bleichenbacher attack */ 1035 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) { 1036 DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack); 1037 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf); 1038 } 1039 1040 return (kssl_tls_PRF(ssl, 1041 pms, pmslen, 1042 (uchar_t *)TLS_MASTER_SECRET_LABEL, 1043 (size_t)strlen(TLS_MASTER_SECRET_LABEL), 1044 seed, sizeof (seed), 1045 ssl->sid.master_secret, 1046 (size_t)sizeof (ssl->sid.master_secret))); 1047 } 1048 1049 1050 static void 1051 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 1052 { 1053 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 1054 uchar_t *ms; 1055 int hlen = MD5_HASH_LEN; 1056 1057 ms = ssl->sid.master_secret; 1058 1059 /* if pms is bad fake it to thwart Bleichenbacher attack */ 1060 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) { 1061 DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack); 1062 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf); 1063 } 1064 1065 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0); 1066 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0); 1067 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen, 1068 0); 1069 } 1070 1071 static int 1072 kssl_generate_tls_keyblock(ssl_t *ssl) 1073 { 1074 uchar_t seed[2 * SSL3_RANDOM_LENGTH]; 1075 1076 bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH); 1077 bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH, 1078 SSL3_RANDOM_LENGTH); 1079 1080 return (kssl_tls_PRF(ssl, ssl->sid.master_secret, 1081 (size_t)SSL3_MASTER_SECRET_LEN, 1082 (uchar_t *)TLS_KEY_EXPANSION_LABEL, 1083 (size_t)strlen(TLS_KEY_EXPANSION_LABEL), 1084 seed, (size_t)sizeof (seed), 1085 ssl->pending_keyblock, 1086 (size_t)ssl->pending_keyblksz)); 1087 1088 } 1089 1090 static void 1091 kssl_generate_keyblock(ssl_t *ssl) 1092 { 1093 uchar_t *ms; 1094 size_t mslen = SSL3_MASTER_SECRET_LEN; 1095 int hlen = MD5_HASH_LEN; 1096 uchar_t *keys = ssl->pending_keyblock; 1097 int steps = howmany(ssl->pending_keyblksz, hlen); 1098 int i; 1099 1100 ms = ssl->sid.master_secret; 1101 1102 ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH); 1103 1104 for (i = 1; i <= steps; i++) { 1105 kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1); 1106 keys += hlen; 1107 } 1108 } 1109 1110 static char *ssl3_key_derive_seeds[9] = {"A", "BB", "CCC", "DDDD", "EEEEE", 1111 "FFFFFF", "GGGGGGG", "HHHHHHHH", "IIIIIIIII"}; 1112 1113 static void 1114 kssl_ssl3_key_material_derive_step( 1115 ssl_t *ssl, 1116 uchar_t *secret, 1117 size_t secretlen, 1118 int step, 1119 uchar_t *dst, 1120 int sr_first) 1121 { 1122 SHA1_CTX sha1, *sha1ctx; 1123 MD5_CTX md5, *md5ctx; 1124 uchar_t sha1_hash[SHA1_HASH_LEN]; 1125 1126 sha1ctx = &sha1; 1127 md5ctx = &md5; 1128 1129 ASSERT(step <= 1130 sizeof (ssl3_key_derive_seeds) / 1131 sizeof (ssl3_key_derive_seeds[0])); 1132 step--; 1133 1134 SHA1Init(sha1ctx); 1135 SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step], 1136 step + 1); 1137 SHA1Update(sha1ctx, secret, secretlen); 1138 if (sr_first) { 1139 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1140 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1141 } else { 1142 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1143 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1144 } 1145 SHA1Final(sha1_hash, sha1ctx); 1146 1147 MD5Init(md5ctx); 1148 MD5Update(md5ctx, secret, secretlen); 1149 MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN); 1150 MD5Final(dst, md5ctx); 1151 } 1152 1153 static int 1154 kssl_send_certificate_and_server_hello_done(ssl_t *ssl) 1155 { 1156 int cur_reclen; 1157 int mss; 1158 int len, copylen; 1159 mblk_t *mp; 1160 uchar_t *cert_buf; 1161 int cert_len; 1162 uchar_t *msgbuf; 1163 Certificate_t *cert; 1164 1165 cert = ssl->kssl_entry->ke_server_certificate; 1166 if (cert == NULL) { 1167 return (ENOENT); 1168 } 1169 cert_buf = cert->msg; 1170 cert_len = cert->len; 1171 1172 mp = ssl->handshake_sendbuf; 1173 mss = ssl->tcp_mss; 1174 ASSERT(mp != NULL); 1175 cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN; 1176 ASSERT(cur_reclen == KSSL_SSL3_SH_RECLEN); 1177 /* Assume MSS is at least 80 bytes */ 1178 ASSERT(mss > cur_reclen + SSL3_HDR_LEN); 1179 ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */ 1180 1181 copylen = mss - (cur_reclen + SSL3_HDR_LEN); 1182 len = cert_len; 1183 copylen = MIN(copylen, len); 1184 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1185 1186 /* new record always starts in a new mblk for simplicity */ 1187 msgbuf = cert_buf; 1188 for (;;) { 1189 ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim); 1190 bcopy(msgbuf, mp->b_wptr, copylen); 1191 msgbuf += copylen; 1192 mp->b_wptr += copylen; 1193 cur_reclen += copylen; 1194 len -= copylen; 1195 if (len == 0) { 1196 break; 1197 } 1198 if (cur_reclen == SSL3_MAX_RECORD_LENGTH) { 1199 cur_reclen = 0; 1200 } 1201 copylen = MIN(len, mss); 1202 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1203 mp->b_cont = allocb(copylen, BPRI_HI); 1204 if (mp->b_cont == NULL) { 1205 KSSL_COUNTER(alloc_fails, 1); 1206 freemsg(ssl->handshake_sendbuf); 1207 ssl->handshake_sendbuf = NULL; 1208 return (ENOMEM); 1209 } 1210 mp = mp->b_cont; 1211 if (cur_reclen == 0) { 1212 mp->b_wptr[0] = content_handshake; 1213 mp->b_wptr[1] = ssl->major_version; 1214 mp->b_wptr[2] = ssl->minor_version; 1215 cur_reclen = MIN(len, SSL3_MAX_RECORD_LENGTH); 1216 mp->b_wptr[3] = (cur_reclen >> 8) & 0xff; 1217 mp->b_wptr[4] = (cur_reclen) & 0xff; 1218 mp->b_wptr += SSL3_HDR_LEN; 1219 cur_reclen = 0; 1220 copylen = MIN(copylen, mss - SSL3_HDR_LEN); 1221 } 1222 } 1223 1224 /* adjust the record length field for the first record */ 1225 mp = ssl->handshake_sendbuf; 1226 cur_reclen = MIN(KSSL_SSL3_SH_RECLEN + cert_len, 1227 SSL3_MAX_RECORD_LENGTH); 1228 mp->b_rptr[3] = (cur_reclen >> 8) & 0xff; 1229 mp->b_rptr[4] = (cur_reclen) & 0xff; 1230 1231 kssl_update_handshake_hashes(ssl, cert_buf, cert_len); 1232 1233 return (0); 1234 } 1235 1236 static int 1237 kssl_send_change_cipher_specs(ssl_t *ssl) 1238 { 1239 mblk_t *mp, *newmp; 1240 uchar_t *buf; 1241 1242 mp = ssl->handshake_sendbuf; 1243 1244 /* We're most likely to hit the fast path for resumed sessions */ 1245 if ((mp != NULL) && 1246 (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) { 1247 buf = mp->b_wptr; 1248 } else { 1249 newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI); 1250 1251 if (newmp == NULL) 1252 return (ENOMEM); /* need to do better job! */ 1253 1254 if (mp == NULL) { 1255 ssl->handshake_sendbuf = newmp; 1256 } else { 1257 linkb(ssl->handshake_sendbuf, newmp); 1258 } 1259 mp = newmp; 1260 buf = mp->b_rptr; 1261 } 1262 1263 /* 5 byte record header */ 1264 buf[0] = content_change_cipher_spec; 1265 buf[1] = ssl->major_version; 1266 buf[2] = ssl->minor_version; 1267 buf[3] = 0; 1268 buf[4] = 1; 1269 buf += SSL3_HDR_LEN; 1270 1271 buf[0] = 1; 1272 1273 mp->b_wptr = buf + 1; 1274 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 1275 1276 ssl->seq_num[KSSL_WRITE] = 0; 1277 return (kssl_spec_init(ssl, KSSL_WRITE)); 1278 } 1279 1280 int 1281 kssl_spec_init(ssl_t *ssl, int dir) 1282 { 1283 KSSL_HASHCTX *ctx; 1284 KSSLCipherSpec *spec = &ssl->spec[dir]; 1285 int ret = 0; 1286 1287 spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz; 1288 spec->mac_padsz = mac_defs[ssl->pending_malg].padsz; 1289 1290 spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit; 1291 spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate; 1292 spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal; 1293 1294 if (dir == KSSL_READ) { 1295 bcopy(ssl->pending_keyblock, ssl->mac_secret[dir], 1296 spec->mac_hashsz); 1297 } else { 1298 bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]), 1299 ssl->mac_secret[dir], spec->mac_hashsz); 1300 } 1301 1302 /* Pre-compute these here. will save cycles on each record later */ 1303 if (!IS_TLS(ssl)) { 1304 ctx = &ssl->mac_ctx[dir][0]; 1305 spec->MAC_HashInit((void *)ctx); 1306 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1307 spec->mac_hashsz); 1308 spec->MAC_HashUpdate((void *)ctx, kssl_pad_1, 1309 spec->mac_padsz); 1310 1311 ctx = &ssl->mac_ctx[dir][1]; 1312 spec->MAC_HashInit((void *)ctx); 1313 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1314 spec->mac_hashsz); 1315 spec->MAC_HashUpdate((void *)ctx, kssl_pad_2, 1316 spec->mac_padsz); 1317 } 1318 1319 spec->cipher_type = cipher_defs[ssl->pending_calg].type; 1320 spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type; 1321 spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize; 1322 spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz; 1323 1324 if (spec->cipher_ctx != NULL) { 1325 crypto_cancel_ctx(spec->cipher_ctx); 1326 spec->cipher_ctx = 0; 1327 } 1328 1329 /* 1330 * Initialize HMAC keys for TLS and SSL3 HMAC keys 1331 * for SSL 3.0. 1332 */ 1333 if (IS_TLS(ssl)) { 1334 if (ssl->pending_malg == mac_md5) { 1335 spec->hmac_mech = hmac_md5_mech; 1336 } else if (ssl->pending_malg == mac_sha) { 1337 spec->hmac_mech = hmac_sha1_mech; 1338 } 1339 1340 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1341 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1342 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1343 } else { 1344 static uint32_t param; 1345 1346 spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID; 1347 spec->hmac_mech.cm_param = (caddr_t)¶m; 1348 spec->hmac_mech.cm_param_len = sizeof (param); 1349 if (ssl->pending_malg == mac_md5) { 1350 spec->hmac_mech.cm_type = 1351 crypto_mech2id("CKM_SSL3_MD5_MAC"); 1352 param = MD5_HASH_LEN; 1353 } else if (ssl->pending_malg == mac_sha) { 1354 spec->hmac_mech.cm_type = 1355 crypto_mech2id("CKM_SSL3_SHA1_MAC"); 1356 param = SHA1_HASH_LEN; 1357 } 1358 1359 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1360 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1361 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1362 } 1363 1364 /* We're done if this is the nil cipher */ 1365 if (spec->cipher_keysz == 0) { 1366 return (0); 1367 } 1368 1369 /* Initialize the key and the active context */ 1370 spec->cipher_key.ck_format = CRYPTO_KEY_RAW; 1371 spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */ 1372 1373 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1374 /* client_write_IV */ 1375 spec->cipher_mech.cm_param = 1376 (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz + 1377 2 * spec->cipher_keysz]); 1378 spec->cipher_mech.cm_param_len = spec->cipher_bsize; 1379 } 1380 spec->cipher_data.cd_format = CRYPTO_DATA_RAW; 1381 if (dir == KSSL_READ) { 1382 spec->cipher_mech.cm_param_len = 1383 cipher_defs[ssl->pending_calg].bsize; 1384 1385 /* client_write_key */ 1386 spec->cipher_key.ck_data = 1387 &(ssl->pending_keyblock[2 * spec->mac_hashsz]); 1388 1389 ret = crypto_decrypt_init(&(spec->cipher_mech), 1390 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1391 if (CRYPTO_ERR(ret)) { 1392 DTRACE_PROBE1(kssl_err__crypto_decrypt_init_read, 1393 int, ret); 1394 } 1395 } else { 1396 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1397 /* server_write_IV */ 1398 spec->cipher_mech.cm_param += spec->cipher_bsize; 1399 } 1400 1401 /* server_write_key */ 1402 spec->cipher_key.ck_data = 1403 &(ssl->pending_keyblock[2 * spec->mac_hashsz + 1404 spec->cipher_keysz]); 1405 1406 ret = crypto_encrypt_init(&(spec->cipher_mech), 1407 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1408 if (CRYPTO_ERR(ret)) 1409 DTRACE_PROBE1(kssl_err__crypto_encrypt_init_non_read, 1410 int, ret); 1411 } 1412 return (ret); 1413 } 1414 1415 static int 1416 kssl_send_finished(ssl_t *ssl, int update_hsh) 1417 { 1418 mblk_t *mp; 1419 uchar_t *buf; 1420 uchar_t *rstart; 1421 uchar_t *versionp; 1422 SSL3Hashes ssl3hashes; 1423 size_t finish_len; 1424 int ret; 1425 1426 mp = ssl->handshake_sendbuf; 1427 ASSERT(mp != NULL); 1428 buf = mp->b_wptr; 1429 ASSERT(buf - mp->b_rptr == SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN + 1430 SSL3_HDR_LEN + 1 || buf - mp->b_rptr == SSL3_HDR_LEN + 1); 1431 1432 rstart = buf; 1433 1434 if (IS_TLS(ssl)) 1435 finish_len = TLS_FINISHED_SIZE; 1436 else 1437 finish_len = KSSL_SSL3_FIN_MSGLEN; 1438 1439 /* 5 byte record header */ 1440 buf[0] = content_handshake; 1441 buf[1] = ssl->major_version; 1442 buf[2] = ssl->minor_version; 1443 buf[3] = 0; 1444 buf[4] = 4 + finish_len; 1445 1446 versionp = &buf[1]; 1447 1448 buf += SSL3_HDR_LEN; 1449 1450 /* 4 byte message header */ 1451 buf[0] = (uchar_t)finished; /* message type */ 1452 buf[1] = 0; /* message len byte 0 */ 1453 buf[2] = 0; /* message len byte 1 */ 1454 buf[3] = finish_len; /* message len byte 2 */ 1455 buf += 4; 1456 1457 if (IS_TLS(ssl)) { 1458 bcopy(ssl->hs_hashes.md5, ssl3hashes.md5, 1459 sizeof (ssl3hashes.md5)); 1460 bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1, 1461 sizeof (ssl3hashes.sha1)); 1462 } 1463 1464 /* Compute hashes for the SENDER side */ 1465 ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server); 1466 if (ret != 0) 1467 return (ret); 1468 1469 if (IS_TLS(ssl)) { 1470 bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash)); 1471 } else { 1472 bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN); 1473 bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN); 1474 } 1475 1476 if (update_hsh) { 1477 kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4); 1478 } 1479 1480 mp->b_wptr = buf + finish_len; 1481 1482 ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp, 1483 rstart, mp); 1484 ASSERT(mp->b_wptr <= mp->b_datap->db_lim); 1485 1486 return (ret); 1487 } 1488 1489 int 1490 kssl_mac_encrypt_record(ssl_t *ssl, 1491 SSL3ContentType ct, 1492 uchar_t *versionp, 1493 uchar_t *rstart, 1494 mblk_t *mp) 1495 { 1496 KSSLCipherSpec *spec; 1497 int mac_sz; 1498 int ret = 0; 1499 uint16_t rec_sz; 1500 int pad_sz; 1501 int i; 1502 1503 ASSERT(ssl != NULL); 1504 ASSERT(rstart >= mp->b_rptr); 1505 ASSERT(rstart < mp->b_wptr); 1506 1507 spec = &ssl->spec[KSSL_WRITE]; 1508 mac_sz = spec->mac_hashsz; 1509 1510 rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN; 1511 ASSERT(rec_sz > 0); 1512 1513 if (mac_sz != 0) { 1514 ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim); 1515 ret = kssl_compute_record_mac(ssl, KSSL_WRITE, 1516 ssl->seq_num[KSSL_WRITE], ct, versionp, 1517 rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr); 1518 if (ret == CRYPTO_SUCCESS) { 1519 ssl->seq_num[KSSL_WRITE]++; 1520 mp->b_wptr += mac_sz; 1521 rec_sz += mac_sz; 1522 } else { 1523 return (ret); 1524 } 1525 } 1526 1527 if (spec->cipher_type == type_block) { 1528 pad_sz = spec->cipher_bsize - 1529 (rec_sz & (spec->cipher_bsize - 1)); 1530 ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim); 1531 for (i = 0; i < pad_sz; i++) { 1532 mp->b_wptr[i] = pad_sz - 1; 1533 } 1534 mp->b_wptr += pad_sz; 1535 rec_sz += pad_sz; 1536 } 1537 1538 ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH); 1539 1540 U16_TO_BE16(rec_sz, rstart + 3); 1541 1542 if (spec->cipher_ctx == 0) 1543 return (ret); 1544 1545 spec->cipher_data.cd_length = rec_sz; 1546 spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN); 1547 spec->cipher_data.cd_raw.iov_len = rec_sz; 1548 /* One record at a time. Otherwise, gotta allocate the crypt_data_t */ 1549 ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data, 1550 NULL, NULL); 1551 if (CRYPTO_ERR(ret)) { 1552 DTRACE_PROBE1(kssl_err__crypto_encrypt_update, 1553 int, ret); 1554 } 1555 return (ret); 1556 } 1557 1558 void 1559 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc) 1560 { 1561 mblk_t *mp; 1562 uchar_t *buf; 1563 KSSLCipherSpec *spec; 1564 1565 ASSERT(ssl != NULL); 1566 1567 ssl->sendalert_level = level; 1568 ssl->sendalert_desc = desc; 1569 1570 if (level == alert_fatal) { 1571 DTRACE_PROBE2(kssl_sending_alert, 1572 SSL3AlertLevel, level, SSL3AlertDescription, desc); 1573 if (ssl->sid.cached == B_TRUE) { 1574 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 1575 } 1576 ssl->fatal_alert = B_TRUE; 1577 KSSL_COUNTER(fatal_alerts, 1); 1578 } else 1579 KSSL_COUNTER(warning_alerts, 1); 1580 1581 spec = &ssl->spec[KSSL_WRITE]; 1582 1583 ASSERT(ssl->alert_sendbuf == NULL); 1584 ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz + 1585 spec->cipher_bsize, BPRI_HI); 1586 if (mp == NULL) { 1587 KSSL_COUNTER(alloc_fails, 1); 1588 return; 1589 } 1590 buf = mp->b_wptr; 1591 1592 /* 5 byte record header */ 1593 buf[0] = content_alert; 1594 buf[1] = ssl->major_version; 1595 buf[2] = ssl->minor_version; 1596 buf[3] = 0; 1597 buf[4] = 2; 1598 buf += SSL3_HDR_LEN; 1599 1600 /* alert contents */ 1601 buf[0] = (uchar_t)level; 1602 buf[1] = (uchar_t)desc; 1603 1604 mp->b_wptr = buf + 2; 1605 } 1606 1607 /* Assumes RSA encryption */ 1608 static int 1609 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen, 1610 kssl_callback_t cbfn, void *arg) 1611 { 1612 char *buf; 1613 uchar_t *pms; 1614 size_t pmslen; 1615 int allocated; 1616 int err, rverr = ENOMEM; 1617 kssl_entry_t *ep; 1618 crypto_key_t *privkey; 1619 crypto_data_t *wrapped_pms_data, *pms_data; 1620 crypto_call_req_t creq, *creqp; 1621 1622 ep = ssl->kssl_entry; 1623 privkey = ep->ke_private_key; 1624 if (privkey == NULL) { 1625 return (ENOENT); 1626 } 1627 1628 ASSERT(ssl->msg.type == client_key_exchange); 1629 ASSERT(ssl->hs_waitstate == wait_client_key); 1630 1631 /* 1632 * TLS adds an extra 2 byte length field before the data. 1633 */ 1634 if (IS_TLS(ssl)) { 1635 msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1]; 1636 mp->b_rptr += 2; 1637 } 1638 1639 /* 1640 * Allocate all we need in one shot. about 300 bytes total, for 1641 * 1024 bit RSA modulus. 1642 * The buffer layout will be: pms_data, wrapped_pms_data, the 1643 * value of the wrapped pms from the client, then room for the 1644 * resulting decrypted premaster secret. 1645 */ 1646 allocated = 2 * (sizeof (crypto_data_t) + msglen); 1647 buf = kmem_alloc(allocated, KM_NOSLEEP); 1648 if (buf == NULL) { 1649 return (ENOMEM); 1650 } 1651 1652 pms_data = (crypto_data_t *)buf; 1653 wrapped_pms_data = &(((crypto_data_t *)buf)[1]); 1654 1655 wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW; 1656 wrapped_pms_data->cd_offset = pms_data->cd_offset = 0; 1657 wrapped_pms_data->cd_length = pms_data->cd_length = msglen; 1658 wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL; 1659 wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen; 1660 wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t); 1661 pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen; 1662 1663 bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen); 1664 mp->b_rptr += msglen; 1665 1666 /* Proceed synchronously if out of interrupt and configured to do so */ 1667 if ((kssl_synchronous) && (!servicing_interrupt())) { 1668 creqp = NULL; 1669 } else { 1670 ssl->cke_callback_func = cbfn; 1671 ssl->cke_callback_arg = arg; 1672 creq.cr_flag = kssl_call_flag; 1673 creq.cr_callback_func = kssl_cke_done; 1674 creq.cr_callback_arg = ssl; 1675 1676 /* The callback routine will release this one */ 1677 KSSL_SSL_REFHOLD(ssl); 1678 1679 creqp = &creq; 1680 } 1681 1682 if (ep->ke_is_nxkey) { 1683 kssl_session_info_t *s; 1684 1685 s = ep->ke_sessinfo; 1686 err = CRYPTO_SUCCESS; 1687 if (!s->is_valid_handle) { 1688 /* Reauthenticate to the provider */ 1689 if (s->do_reauth) { 1690 err = kssl_get_obj_handle(ep); 1691 if (err == CRYPTO_SUCCESS) { 1692 s->is_valid_handle = B_TRUE; 1693 s->do_reauth = B_FALSE; 1694 } 1695 } else 1696 err = CRYPTO_FAILED; 1697 } 1698 1699 if (err == CRYPTO_SUCCESS) { 1700 ASSERT(s->is_valid_handle); 1701 err = crypto_decrypt_prov(s->prov, s->sid, 1702 &rsa_x509_mech, wrapped_pms_data, &s->key, 1703 NULL, pms_data, creqp); 1704 } 1705 1706 /* 1707 * Deal with session specific errors. We translate to 1708 * the closest errno. 1709 */ 1710 switch (err) { 1711 case CRYPTO_KEY_HANDLE_INVALID: 1712 case CRYPTO_SESSION_HANDLE_INVALID: 1713 s->is_valid_handle = B_FALSE; 1714 s->do_reauth = B_TRUE; 1715 rverr = EINVAL; 1716 break; 1717 case CRYPTO_PIN_EXPIRED: 1718 case CRYPTO_PIN_LOCKED: 1719 rverr = EACCES; 1720 break; 1721 case CRYPTO_UNKNOWN_PROVIDER: 1722 rverr = ENXIO; 1723 break; 1724 } 1725 } else { 1726 err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data, 1727 privkey, NULL, pms_data, creqp); 1728 } 1729 1730 switch (err) { 1731 case CRYPTO_SUCCESS: 1732 break; 1733 1734 case CRYPTO_QUEUED: 1735 /* 1736 * Finish the master secret then the rest of key material 1737 * derivation later. 1738 */ 1739 ssl->job.kjob = creq.cr_reqid; 1740 ssl->job.buf = buf; 1741 ssl->job.buflen = allocated; 1742 ssl->hs_waitstate = wait_client_key_done; 1743 return (0); 1744 default: 1745 DTRACE_PROBE1(kssl_err__crypto_decrypt, int, err); 1746 kmem_free(buf, allocated); 1747 return (rverr); 1748 } 1749 1750 pmslen = pms_data->cd_length; 1751 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1752 1753 /* generate master key and save it in the ssl sid structure */ 1754 if (IS_TLS(ssl)) { 1755 err = kssl_generate_tls_ms(ssl, pms, pmslen); 1756 if (!CRYPTO_ERR(err)) 1757 err = kssl_generate_tls_keyblock(ssl); 1758 } else { 1759 kssl_generate_ssl_ms(ssl, pms, pmslen); 1760 kssl_generate_keyblock(ssl); 1761 } 1762 1763 if (err == CRYPTO_SUCCESS) 1764 ssl->hs_waitstate = wait_change_cipher; 1765 1766 ssl->activeinput = B_FALSE; 1767 1768 kmem_free(buf, allocated); 1769 1770 return (0); 1771 } 1772 1773 static int 1774 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen) 1775 { 1776 int err; 1777 size_t finish_len; 1778 int hashcompare; 1779 1780 ASSERT(ssl->msg.type == finished); 1781 ASSERT(ssl->hs_waitstate == wait_finished); 1782 1783 if (IS_TLS(ssl)) 1784 finish_len = TLS_FINISHED_SIZE; 1785 else 1786 finish_len = KSSL_SSL3_FIN_MSGLEN; 1787 1788 if (msglen != finish_len) { 1789 kssl_send_alert(ssl, alert_fatal, illegal_parameter); 1790 return (EBADMSG); 1791 } 1792 1793 if (IS_TLS(ssl)) { 1794 hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash, 1795 finish_len); 1796 } else { 1797 hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len); 1798 } 1799 1800 /* The handshake hashes should be computed by now */ 1801 if (hashcompare != 0) { 1802 kssl_send_alert(ssl, alert_fatal, handshake_failure); 1803 return (EBADMSG); 1804 } 1805 1806 mp->b_rptr += msglen; 1807 1808 ssl->hs_waitstate = idle_handshake; 1809 1810 if (ssl->resumed == B_TRUE) { 1811 ssl->activeinput = B_FALSE; 1812 return (0); 1813 } 1814 1815 err = kssl_send_change_cipher_specs(ssl); 1816 if (err != 0) { 1817 return (err); 1818 } 1819 err = kssl_send_finished(ssl, 0); 1820 if (err != 0) { 1821 return (err); 1822 } 1823 1824 kssl_cache_sid(&ssl->sid, ssl->kssl_entry); 1825 ssl->activeinput = B_FALSE; 1826 1827 return (0); 1828 } 1829 1830 #define KSSL2_CH_MIN_RECSZ (9) 1831 1832 /* 1833 * This method is needed to handle clients which send the 1834 * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers. 1835 * We are not really doing SSLv2 here, just handling the header 1836 * and then switching to SSLv3. 1837 */ 1838 int 1839 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz) 1840 { 1841 uchar_t *recend; 1842 int err; 1843 SSL3AlertDescription desc = illegal_parameter; 1844 uint_t randlen; 1845 uint_t sidlen; 1846 uint_t cslen; 1847 uchar_t *suitesp; 1848 uchar_t *rand; 1849 uint_t i, j; 1850 uint16_t suite; 1851 int ch_recsz = KSSL2_CH_MIN_RECSZ; 1852 1853 ASSERT(mp->b_wptr >= mp->b_rptr + recsz); 1854 ASSERT(ssl->hs_waitstate == wait_client_hello); 1855 ASSERT(ssl->resumed == B_FALSE); 1856 1857 if (recsz < ch_recsz) { 1858 goto falert; 1859 } 1860 1861 MD5Init(&ssl->hs_md5); 1862 SHA1Init(&ssl->hs_sha1); 1863 1864 kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz); 1865 1866 recend = mp->b_rptr + recsz; 1867 1868 if (*mp->b_rptr != 1) { 1869 goto falert; 1870 } 1871 mp->b_rptr += 3; 1872 1873 cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 1874 sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3]; 1875 randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5]; 1876 if (cslen % 3 != 0) { 1877 DTRACE_PROBE1(kssl_err__cipher_suites_len_error, uint_t, cslen); 1878 goto falert; 1879 } 1880 if (randlen < SSL_MIN_CHALLENGE_BYTES || 1881 randlen > SSL_MAX_CHALLENGE_BYTES) { 1882 DTRACE_PROBE1(kssl_err__randlen_out_of_range, 1883 uint_t, randlen); 1884 goto falert; 1885 } 1886 mp->b_rptr += 6; 1887 ch_recsz += cslen + sidlen + randlen; 1888 if (recsz != ch_recsz) { 1889 goto falert; 1890 } 1891 suitesp = mp->b_rptr; 1892 rand = suitesp + cslen + sidlen; 1893 if (randlen < SSL3_RANDOM_LENGTH) { 1894 bzero(ssl->client_random, SSL3_RANDOM_LENGTH); 1895 } 1896 bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen], 1897 randlen); 1898 1899 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 1900 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 1901 for (j = 0; j < cslen; j += 3) { 1902 if (suitesp[j] != 0) { 1903 continue; 1904 } 1905 1906 if (suitesp[j + 1] == ((suite >> 8) & 0xff) && 1907 suitesp[j + 2] == (suite & 0xff)) { 1908 break; 1909 } 1910 } 1911 if (j < cslen) { 1912 break; 1913 } 1914 } 1915 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 1916 DTRACE_PROBE(kssl_err__no_SSLv2_cipher_suite); 1917 ssl->activeinput = B_FALSE; 1918 return (SSL_MISS); 1919 } 1920 1921 mp->b_rptr = recend; 1922 1923 for (i = 0; i < cipher_suite_defs_nentries; i++) { 1924 if (suite == cipher_suite_defs[i].suite) { 1925 break; 1926 } 1927 } 1928 1929 ASSERT(i < cipher_suite_defs_nentries); 1930 1931 ssl->pending_cipher_suite = suite; 1932 ssl->pending_malg = cipher_suite_defs[i].malg; 1933 ssl->pending_calg = cipher_suite_defs[i].calg; 1934 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 1935 1936 ASSERT(ssl->sid.cached == B_FALSE); 1937 1938 (void) random_get_pseudo_bytes(ssl->sid.session_id, 1939 SSL3_SESSIONID_BYTES); 1940 ssl->sid.client_addr = ssl->faddr; 1941 ssl->sid.cipher_suite = suite; 1942 1943 err = kssl_send_server_hello(ssl); 1944 if (err != 0) { 1945 return (err); 1946 } 1947 err = kssl_send_certificate_and_server_hello_done(ssl); 1948 if (err != 0) { 1949 return (err); 1950 } 1951 KSSL_COUNTER(full_handshakes, 1); 1952 ssl->hs_waitstate = wait_client_key; 1953 ssl->activeinput = B_FALSE; 1954 return (0); 1955 1956 falert: 1957 kssl_send_alert(ssl, alert_fatal, desc); 1958 ssl->activeinput = B_FALSE; 1959 return (EBADMSG); 1960 } 1961 1962 /* 1963 * Call back routine for asynchronously submitted RSA decryption jobs. 1964 * This routine retrieves the pre-master secret, and proceeds to generate 1965 * the remaining key materials. 1966 */ 1967 static void 1968 kssl_cke_done(void *arg, int status) 1969 { 1970 int ret = 0; 1971 uchar_t *pms; 1972 size_t pmslen; 1973 crypto_data_t *pms_data; 1974 kssl_cmd_t kssl_cmd = KSSL_CMD_NONE; 1975 ssl_t *ssl = (ssl_t *)arg; 1976 mblk_t *alertmp; 1977 kssl_callback_t cbfn; 1978 void *cbarg; 1979 1980 mutex_enter(&ssl->kssl_lock); 1981 1982 ASSERT(ssl->msg.type == client_key_exchange); 1983 ASSERT(ssl->hs_waitstate == wait_client_key_done); 1984 1985 if (status != CRYPTO_SUCCESS) { 1986 kssl_send_alert(ssl, alert_fatal, decrypt_error); 1987 kssl_cmd = KSSL_CMD_SEND; 1988 goto out; 1989 } 1990 1991 pms_data = (crypto_data_t *)(ssl->job.buf); 1992 1993 ASSERT(pms_data != NULL); 1994 1995 pmslen = pms_data->cd_length; 1996 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1997 1998 /* generate master key and save it in the ssl sid structure */ 1999 if (IS_TLS(ssl)) { 2000 ret = kssl_generate_tls_ms(ssl, pms, pmslen); 2001 if (!CRYPTO_ERR(ret)) 2002 ret = kssl_generate_tls_keyblock(ssl); 2003 } else { 2004 kssl_generate_ssl_ms(ssl, pms, pmslen); 2005 kssl_generate_keyblock(ssl); 2006 } 2007 2008 if (ret == CRYPTO_SUCCESS) 2009 ssl->hs_waitstate = wait_change_cipher; 2010 2011 out: 2012 kmem_free(ssl->job.buf, ssl->job.buflen); 2013 2014 ssl->job.kjob = 0; 2015 ssl->job.buf = NULL; 2016 ssl->job.buflen = 0; 2017 2018 ssl->activeinput = B_FALSE; 2019 2020 /* If we're the only ones left, then we won't callback */ 2021 if (ssl->kssl_refcnt == 1) { 2022 mutex_exit(&ssl->kssl_lock); 2023 KSSL_SSL_REFRELE(ssl); 2024 return; 2025 } 2026 2027 cbfn = ssl->cke_callback_func; 2028 cbarg = ssl->cke_callback_arg; 2029 alertmp = ssl->alert_sendbuf; 2030 ssl->alert_sendbuf = NULL; 2031 2032 mutex_exit(&ssl->kssl_lock); 2033 2034 KSSL_SSL_REFRELE(ssl); 2035 2036 /* Now call the callback routine */ 2037 (*(cbfn))(cbarg, alertmp, kssl_cmd); 2038 } 2039 2040 /* 2041 * Returns the first complete contiguous record out of rec_ass_head 2042 * The record is returned in a separate contiguous mblk, rec_ass_head is 2043 * left pointing to the next record in the queue. 2044 * 2045 * The output looks as follows: 2046 * 2047 * |--------|---------- .... -----|<---------->|<----------->|--- ... ---| 2048 * ^ ^ ^ mac_size pad_size ^ 2049 * | |___ b_rptr b_wptr __| | 2050 * | | 2051 * |___ db_base db_lim ___| 2052 */ 2053 mblk_t * 2054 kssl_get_next_record(ssl_t *ssl) 2055 { 2056 mblk_t *mp, *retmp; 2057 int rhsz = SSL3_HDR_LEN; 2058 uint16_t rec_sz; 2059 int mpsz, total_size; 2060 SSL3ContentType content_type; 2061 2062 ASSERT(MUTEX_HELD(&ssl->kssl_lock)); 2063 2064 mp = ssl->rec_ass_head; 2065 if (mp == NULL) 2066 return (NULL); 2067 2068 /* Fast path: when mp has at least a complete record */ 2069 if (MBLKL(mp) < rhsz) { 2070 DTRACE_PROBE1(kssl_mblk__incomplete_header, 2071 mblk_t *, mp); 2072 /* Not even a complete header in there yet */ 2073 if (msgdsize(mp) < rhsz) { 2074 return (NULL); 2075 } 2076 2077 if (!pullupmsg(mp, rhsz)) { 2078 kssl_send_alert(ssl, alert_fatal, internal_error); 2079 freemsg(mp); 2080 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2081 return (NULL); 2082 } 2083 } 2084 content_type = (SSL3ContentType)mp->b_rptr[0]; 2085 if (content_type == content_handshake_v2) { 2086 DTRACE_PROBE1(kssl_mblk__ssl_v2, mblk_t *, mp); 2087 rec_sz = (uint16_t)mp->b_rptr[1]; 2088 rhsz = 2; 2089 } else { 2090 DTRACE_PROBE1(kssl_mblk__ssl_v3, mblk_t *, mp); 2091 uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3; 2092 rec_sz = BE16_TO_U16(rec_sz_p); 2093 } 2094 2095 /* 2096 * same tests as above. Only rare very fragmented cases will 2097 * incur the cost of msgdsize() and msgpullup(). Well formed 2098 * packets will fall in the most frequent fast path. 2099 */ 2100 total_size = rhsz + rec_sz; 2101 2102 /* 2103 * Missing: defensive against record fabricated with longer than 2104 * MAX record length. 2105 */ 2106 if (MBLKL(mp) < total_size) { 2107 DTRACE_PROBE2(kssl_mblk__smaller_than_total_size, 2108 mblk_t *, mp, int, total_size); 2109 /* Not a complete record yet. Keep accumulating */ 2110 if (msgdsize(mp) < total_size) { 2111 return (NULL); 2112 } 2113 2114 if (!pullupmsg(mp, total_size)) { 2115 kssl_send_alert(ssl, alert_fatal, internal_error); 2116 freemsg(mp); 2117 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2118 return (NULL); 2119 } 2120 } 2121 mpsz = MBLKL(mp); /* could've changed after the pullup */ 2122 2123 if (mpsz > total_size) { 2124 DTRACE_PROBE2(kssl_mblk__bigger_than_total_size, 2125 mblk_t *, mp, int, total_size); 2126 /* gotta allocate a new block */ 2127 if ((retmp = dupb(mp)) == NULL) { 2128 kssl_send_alert(ssl, alert_fatal, internal_error); 2129 freemsg(mp); 2130 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2131 return (NULL); 2132 } 2133 2134 retmp->b_wptr = retmp->b_rptr + total_size; 2135 mp->b_rptr += total_size; 2136 ssl->rec_ass_head = mp; 2137 } else { 2138 DTRACE_PROBE2(kssl_mblk__equal_to_total_size, 2139 mblk_t *, mp, int, total_size); 2140 ASSERT(mpsz == total_size); 2141 ssl->rec_ass_head = mp->b_cont; 2142 mp->b_cont = NULL; 2143 retmp = mp; 2144 } 2145 /* Adjust the tail */ 2146 if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) { 2147 for (; mp->b_cont != NULL; mp = mp->b_cont) { 2148 ssl->rec_ass_tail = mp->b_cont; 2149 } 2150 } 2151 2152 return (retmp); 2153 } 2154 2155 2156 static void 2157 kssl_mblksfree(ssl_t *ssl) 2158 { 2159 2160 ASSERT(ssl != NULL); 2161 2162 if (ssl->rec_ass_head != NULL) { 2163 freemsg(ssl->rec_ass_head); 2164 } 2165 ssl->rec_ass_head = NULL; 2166 ssl->rec_ass_tail = NULL; 2167 2168 if (ssl->msg.head != NULL) { 2169 freemsg(ssl->msg.head); 2170 } 2171 ssl->msg.head = NULL; 2172 ssl->msg.tail = NULL; 2173 2174 if (ssl->handshake_sendbuf != NULL) { 2175 freemsg(ssl->handshake_sendbuf); 2176 ssl->handshake_sendbuf = NULL; 2177 } 2178 if (ssl->alert_sendbuf != NULL) { 2179 freemsg(ssl->alert_sendbuf); 2180 ssl->alert_sendbuf = NULL; 2181 } 2182 } 2183 2184 static void 2185 kssl_specsfree(ssl_t *ssl) 2186 { 2187 KSSLCipherSpec *spec = &ssl->spec[KSSL_READ]; 2188 2189 if (spec->cipher_ctx != NULL) { 2190 crypto_cancel_ctx(spec->cipher_ctx); 2191 spec->cipher_ctx = 0; 2192 } 2193 2194 spec = &ssl->spec[KSSL_WRITE]; 2195 2196 if (spec->cipher_ctx != NULL) { 2197 crypto_cancel_ctx(spec->cipher_ctx); 2198 spec->cipher_ctx = 0; 2199 } 2200 } 2201 2202 /* 2203 * Frees the ssl structure (aka the context of an SSL session). 2204 * Any pending crypto jobs are cancelled. 2205 * Any initiated crypto contexts are freed as well. 2206 */ 2207 void 2208 kssl_free_context(ssl_t *ssl) 2209 { 2210 ASSERT(ssl != NULL); 2211 if (!(MUTEX_HELD(&ssl->kssl_lock))) { 2212 /* we're coming from an external API entry point */ 2213 mutex_enter(&ssl->kssl_lock); 2214 } 2215 2216 if (ssl->job.kjob != NULL) { 2217 crypto_cancel_req(ssl->job.kjob); 2218 kmem_free(ssl->job.buf, ssl->job.buflen); 2219 2220 ssl->job.kjob = 0; 2221 ssl->job.buf = NULL; 2222 ssl->job.buflen = 0; 2223 } 2224 2225 kssl_mblksfree(ssl); 2226 kssl_specsfree(ssl); 2227 2228 KSSL_ENTRY_REFRELE(ssl->kssl_entry); 2229 ssl->kssl_entry = NULL; 2230 2231 mutex_exit(&ssl->kssl_lock); 2232 2233 kmem_cache_free(kssl_cache, ssl); 2234 kssl_cache_count--; 2235 } 2236