1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/stream.h> 30 #include <sys/strsubr.h> 31 #include <sys/stropts.h> 32 #include <sys/strsun.h> 33 #define _SUN_TPI_VERSION 2 34 #include <sys/ddi.h> 35 #include <sys/sunddi.h> 36 #include <sys/cmn_err.h> 37 #include <sys/debug.h> 38 #include <sys/vtrace.h> 39 #include <sys/kmem.h> 40 #include <sys/cpuvar.h> 41 #include <sys/atomic.h> 42 #include <sys/sysmacros.h> 43 44 #include <sys/errno.h> 45 #include <sys/isa_defs.h> 46 #include <sys/md5.h> 47 #include <sys/sha1.h> 48 #include <sys/random.h> 49 #include <inet/common.h> 50 #include <netinet/in.h> 51 52 #include <sys/systm.h> 53 #include <sys/param.h> 54 55 #include "ksslimpl.h" 56 #include "ksslapi.h" 57 #include "ksslproto.h" 58 #include "kssldebug.h" 59 60 static ssl3CipherSuiteDef cipher_suite_defs[] = { 61 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, 72}, 62 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, 64}, 63 {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, 72}, 64 {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, 104}, 65 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, 40} 66 }; 67 68 static int cipher_suite_defs_nentries = 69 sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]); 70 71 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ 72 /* macsz padsz HashInit HashUpdate HashFinal */ 73 74 {MD5_HASH_LEN, SSL3_MD5_PAD_LEN, 75 (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update, 76 (hashfinal_func_t)MD5Final}, 77 78 {SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN, 79 (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update, 80 (hashfinal_func_t)SHA1Final}, 81 }; 82 83 static uchar_t kssl_pad_1[60] = { 84 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 85 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 86 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 87 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 88 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 89 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 90 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 91 0x36, 0x36, 0x36, 0x36 92 }; 93 static uchar_t kssl_pad_2[60] = { 94 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 95 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 96 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 97 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 98 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 99 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 100 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 101 0x5c, 0x5c, 0x5c, 0x5c 102 }; 103 104 int kssl_debug; 105 int kssl_cache_count; 106 static boolean_t kssl_synchronous = B_FALSE; 107 108 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t); 109 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t); 110 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int); 111 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int, 112 kssl_callback_t, void *); 113 static int kssl_send_server_hello(ssl_t *); 114 static int kssl_send_certificate_and_server_hello_done(ssl_t *); 115 static int kssl_send_change_cipher_specs(ssl_t *); 116 static int kssl_send_finished(ssl_t *, int); 117 static int kssl_handle_finished(ssl_t *, mblk_t *, int); 118 static void kssl_get_hello_random(uchar_t *); 119 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *); 120 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *); 121 static void kssl_lookup_sid(sslSessionID *, uchar_t *, ipaddr_t, 122 kssl_entry_t *); 123 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t); 124 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t); 125 static int kssl_generate_tls_keyblock(ssl_t *); 126 static void kssl_generate_keyblock(ssl_t *); 127 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t, 128 int, uchar_t *, int); 129 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t, 130 uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 131 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *, 132 size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 133 static void kssl_cke_done(void *, int); 134 135 #define MAX_TLS_KEYBLOCK_SIZE 160 /* more than enough for largest TLS key */ 136 137 #define HMAC_INIT(m, k, c) \ 138 rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end; 139 140 #define HMAC_UPDATE(c, d, l) \ 141 dd.cd_raw.iov_base = (char *)d; \ 142 dd.cd_length = dd.cd_raw.iov_len = l; \ 143 rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end; 144 145 #define HMAC_FINAL(c, d, l) \ 146 mac.cd_raw.iov_base = (char *)d; \ 147 mac.cd_length = mac.cd_raw.iov_len = l; \ 148 rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end; 149 150 /* 151 * This hack can go away once we have SSL3 MAC support by KCF 152 * software providers (See 4873559). 153 */ 154 extern int kcf_md5_threshold; 155 156 int 157 kssl_compute_record_mac( 158 ssl_t *ssl, 159 int direction, 160 uint64_t seq_num, 161 SSL3ContentType ct, 162 uchar_t *versionp, 163 uchar_t *buf, 164 int len, 165 uchar_t *digest) 166 { 167 KSSL_HASHCTX mac_ctx; 168 KSSL_HASHCTX *ctx = &mac_ctx; 169 uchar_t temp[16], *p; 170 KSSLCipherSpec *spec; 171 boolean_t hash_use_ok = B_FALSE; 172 int rv = 0; 173 174 spec = &ssl->spec[direction]; 175 176 if (spec->mac_hashsz == 0) { 177 return (1); 178 } 179 180 p = temp; 181 182 *p++ = (seq_num >> 56) & 0xff; 183 *p++ = (seq_num >> 48) & 0xff; 184 *p++ = (seq_num >> 40) & 0xff; 185 *p++ = (seq_num >> 32) & 0xff; 186 *p++ = (seq_num >> 24) & 0xff; 187 *p++ = (seq_num >> 16) & 0xff; 188 *p++ = (seq_num >> 8) & 0xff; 189 *p++ = (seq_num) & 0xff; 190 *p++ = (uchar_t)ct; 191 if (IS_TLS(ssl)) { 192 *p++ = versionp[0]; 193 *p++ = versionp[1]; 194 } 195 *p++ = (len >> 8) & 0xff; 196 *p++ = (len) & 0xff; 197 198 if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID && 199 len >= kcf_md5_threshold)) { 200 crypto_data_t dd, mac; 201 struct uio uio_pt; 202 struct iovec iovarray_pt[2]; 203 204 /* init the array of iovecs for use in the uio struct */ 205 iovarray_pt[0].iov_base = (char *)temp; 206 iovarray_pt[0].iov_len = (p - temp); 207 iovarray_pt[1].iov_base = (char *)buf; 208 iovarray_pt[1].iov_len = len; 209 210 /* init the uio struct for use in the crypto_data_t struct */ 211 bzero(&uio_pt, sizeof (uio_pt)); 212 uio_pt.uio_iov = iovarray_pt; 213 uio_pt.uio_iovcnt = 2; 214 uio_pt.uio_segflg = UIO_SYSSPACE; 215 216 dd.cd_format = CRYPTO_DATA_UIO; 217 dd.cd_offset = 0; 218 dd.cd_length = (p - temp) + len; 219 dd.cd_miscdata = NULL; 220 dd.cd_uio = &uio_pt; 221 222 mac.cd_format = CRYPTO_DATA_RAW; 223 mac.cd_offset = 0; 224 mac.cd_raw.iov_base = (char *)digest; 225 mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz; 226 227 /* 228 * The calling context can tolerate a blocking call here. 229 * For outgoing traffic, we are in user context 230 * when called from strsock_kssl_output(). For incoming 231 * traffic past the SSL handshake, we are in user 232 * context when called from strsock_kssl_input(). During the 233 * SSL handshake, we are called for client_finished message 234 * handling from a squeue worker thread that gets scheduled 235 * by an squeue_fill() call. This thread is not in interrupt 236 * context and so can block. 237 */ 238 rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key, 239 NULL, &mac, NULL); 240 241 if (CRYPTO_ERR(rv)) { 242 hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED && 243 !IS_TLS(ssl)); 244 if (!hash_use_ok) { 245 #ifdef DEBUG 246 cmn_err(CE_WARN, "kssl_compute_record_mac - " 247 "crypto_mac error 0x%0x", rv); 248 #endif /* DEBUG */ 249 KSSL_COUNTER(compute_mac_failure, 1); 250 } 251 } 252 } else 253 hash_use_ok = B_TRUE; 254 255 if (hash_use_ok) { 256 bcopy(&(ssl->mac_ctx[direction][0]), ctx, 257 sizeof (KSSL_HASHCTX)); 258 spec->MAC_HashUpdate((void *)ctx, temp, p - temp); 259 spec->MAC_HashUpdate((void *)ctx, buf, len); 260 spec->MAC_HashFinal(digest, (void *)ctx); 261 262 bcopy(&(ssl->mac_ctx[direction][1]), ctx, 263 sizeof (KSSL_HASHCTX)); 264 spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz); 265 spec->MAC_HashFinal(digest, (void *)ctx); 266 } 267 268 return (rv); 269 } 270 271 /* 272 * Handles handshake messages. 273 * Messages to be replied are returned in handshake_sendbuf. 274 */ 275 int 276 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err, 277 kssl_callback_t cbfn, void *arg) 278 { 279 uint32_t msglen; 280 uchar_t msghdr[4]; 281 282 ASSERT(ssl->msg.state == MSG_BODY); 283 ASSERT(ssl->msg.msglen_bytes == 3); 284 ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen); 285 286 ssl->sslcnt++; 287 msglen = ssl->msg.msglen; 288 289 if (ssl->msg.type == client_hello) { 290 MD5Init(&ssl->hs_md5); 291 SHA1Init(&ssl->hs_sha1); 292 } 293 294 if (ssl->msg.type == finished && ssl->resumed == B_FALSE) { 295 if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 296 sender_client) != 0) { 297 *err = SSL_MISS; 298 return (0); 299 } 300 } 301 302 if (ssl->msg.type != finished || ssl->resumed == B_FALSE) { 303 msghdr[0] = (uchar_t)ssl->msg.type; 304 305 msghdr[1] = (uchar_t)(msglen >> 16); 306 msghdr[2] = (uchar_t)(msglen >> 8); 307 msghdr[3] = (uchar_t)(msglen); 308 kssl_update_handshake_hashes(ssl, msghdr, 4); 309 kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen); 310 } 311 312 ssl->msg.state = MSG_INIT; 313 ssl->msg.msglen = 0; 314 ssl->msg.msglen_bytes = 0; 315 316 switch (ssl->msg.type) { 317 case client_hello: 318 if (ssl->hs_waitstate != wait_client_hello) { 319 kssl_send_alert(ssl, alert_fatal, 320 unexpected_message); 321 *err = EBADMSG; 322 ssl->activeinput = B_FALSE; 323 return (1); 324 } 325 *err = kssl_handle_client_hello(ssl, mp, msglen); 326 if (*err == SSL_MISS) { 327 ssl->activeinput = B_FALSE; 328 return (0); 329 } 330 return (1); 331 case client_key_exchange: 332 if (ssl->hs_waitstate != wait_client_key) { 333 kssl_send_alert(ssl, alert_fatal, 334 unexpected_message); 335 *err = EBADMSG; 336 ssl->activeinput = B_FALSE; 337 return (1); 338 } 339 *err = kssl_handle_client_key_exchange(ssl, mp, 340 msglen, cbfn, arg); 341 return (1); 342 case finished: 343 if (ssl->hs_waitstate != wait_finished) { 344 kssl_send_alert(ssl, alert_fatal, 345 unexpected_message); 346 *err = EBADMSG; 347 ssl->activeinput = B_FALSE; 348 return (1); 349 } 350 *err = kssl_handle_finished(ssl, mp, msglen); 351 return (1); 352 default: 353 kssl_send_alert(ssl, alert_fatal, unexpected_message); 354 ssl->activeinput = B_FALSE; 355 *err = EBADMSG; 356 return (1); 357 } 358 } 359 360 static void 361 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len) 362 { 363 MD5Update(&ssl->hs_md5, buf, len); 364 SHA1Update(&ssl->hs_sha1, buf, len); 365 } 366 367 static int 368 kssl_compute_handshake_hashes( 369 ssl_t *ssl, 370 SSL3Hashes *hashes, 371 uint32_t sender) 372 { 373 MD5_CTX md5 = ssl->hs_md5; /* clone md5 context */ 374 SHA1_CTX sha1 = ssl->hs_sha1; /* clone sha1 context */ 375 MD5_CTX *md5ctx = &md5; 376 SHA1_CTX *sha1ctx = &sha1; 377 378 if (IS_TLS(ssl)) { 379 uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN]; 380 char *label; 381 382 /* 383 * Do not take another hash step here. 384 * Just complete the operation. 385 */ 386 MD5Final(hashes->md5, md5ctx); 387 SHA1Final(hashes->sha1, sha1ctx); 388 389 bcopy(hashes->md5, seed, MD5_HASH_LEN); 390 bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN); 391 392 if (sender == sender_client) 393 label = TLS_CLIENT_FINISHED_LABEL; 394 else 395 label = TLS_SERVER_FINISHED_LABEL; 396 397 return (kssl_tls_PRF(ssl, 398 ssl->sid.master_secret, (size_t)SSL3_MASTER_SECRET_LEN, 399 (uchar_t *)label, strlen(label), 400 seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN), 401 hashes->tlshash, (size_t)TLS_FINISHED_SIZE)); 402 } else { 403 uchar_t s[4]; 404 s[0] = (sender >> 24) & 0xff; 405 s[1] = (sender >> 16) & 0xff; 406 s[2] = (sender >> 8) & 0xff; 407 s[3] = (sender) & 0xff; 408 409 MD5Update(md5ctx, s, 4); 410 MD5Update(md5ctx, ssl->sid.master_secret, 411 SSL3_MASTER_SECRET_LEN); 412 MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN); 413 MD5Final(hashes->md5, md5ctx); 414 415 MD5Init(md5ctx); 416 MD5Update(md5ctx, ssl->sid.master_secret, 417 SSL3_MASTER_SECRET_LEN); 418 MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN); 419 MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN); 420 MD5Final(hashes->md5, md5ctx); 421 422 SHA1Update(sha1ctx, s, 4); 423 SHA1Update(sha1ctx, ssl->sid.master_secret, 424 SSL3_MASTER_SECRET_LEN); 425 SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN); 426 SHA1Final(hashes->sha1, sha1ctx); 427 428 SHA1Init(sha1ctx); 429 SHA1Update(sha1ctx, ssl->sid.master_secret, 430 SSL3_MASTER_SECRET_LEN); 431 SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN); 432 SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN); 433 SHA1Final(hashes->sha1, sha1ctx); 434 return (0); 435 } 436 } 437 438 439 #define KSSL_SSL3_CH_MIN_MSGLEN (39) 440 441 static int 442 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen) 443 { 444 uchar_t *msgend; 445 int err; 446 SSL3AlertDescription desc = illegal_parameter; 447 uint_t sidlen; 448 uint_t nsuites; 449 uchar_t *suitesp; 450 uint_t i, j; 451 uint16_t suite; 452 int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN; 453 454 ASSERT(mp->b_wptr >= mp->b_rptr + msglen); 455 ASSERT(ssl->msg.type == client_hello); 456 ASSERT(ssl->hs_waitstate == wait_client_hello); 457 ASSERT(ssl->resumed == B_FALSE); 458 459 if (msglen < ch_msglen) { 460 goto falert; 461 } 462 463 msgend = mp->b_rptr + msglen; 464 465 /* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */ 466 if (ssl->major_version != 3 || (ssl->major_version == 3 && 467 ssl->minor_version != 0 && ssl->minor_version != 1)) { 468 KSSL_DEBUG3_IF(kssl_debug, 469 "HandleClientHello: handshake failure - " 470 "SSL version not supported (%d %d)", 471 ssl->major_version, ssl->minor_version); 472 desc = handshake_failure; 473 goto falert; 474 } 475 mp->b_rptr += 2; /* skip the version bytes */ 476 477 bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH); 478 mp->b_rptr += SSL3_RANDOM_LENGTH; 479 480 ASSERT(ssl->sid.cached == B_FALSE); 481 sidlen = *mp->b_rptr++; 482 ch_msglen += sidlen; 483 if (msglen < ch_msglen) { 484 goto falert; 485 } 486 if (sidlen != SSL3_SESSIONID_BYTES) { 487 mp->b_rptr += sidlen; 488 } else { 489 kssl_lookup_sid(&ssl->sid, mp->b_rptr, ssl->faddr, 490 ssl->kssl_entry); 491 mp->b_rptr += SSL3_SESSIONID_BYTES; 492 } 493 494 nsuites = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 495 mp->b_rptr += 2; 496 ch_msglen += nsuites; 497 if (msglen != ch_msglen) { 498 goto falert; 499 } 500 if (nsuites & 0x1) { 501 goto falert; 502 } 503 suitesp = mp->b_rptr; 504 if (ssl->sid.cached == B_TRUE) { 505 suite = ssl->sid.cipher_suite; 506 for (j = 0; j < nsuites; j += 2) { 507 if (suitesp[j] == ((suite >> 8) & 0xff) && 508 suitesp[j + 1] == (suite & 0xff)) { 509 break; 510 } 511 } 512 if (j < nsuites) { 513 goto suite_found; 514 } 515 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 516 ssl->sid.cached = B_FALSE; 517 } 518 519 /* Check if this server is capable of the cipher suite */ 520 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 521 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 522 for (j = 0; j < nsuites; j += 2) { 523 if (suitesp[j] == ((suite >> 8) & 0xff) && 524 suitesp[j + 1] == (suite & 0xff)) { 525 break; 526 } 527 } 528 if (j < nsuites) { 529 break; 530 } 531 } 532 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 533 if (ssl->sslcnt == 1) { 534 KSSL_COUNTER(no_suite_found, 1); 535 return (SSL_MISS); 536 } 537 desc = handshake_failure; 538 KSSL_DEBUG1_IF(kssl_debug, 539 "kssl_handle_client_hello: no cipher suites found"); 540 goto falert; 541 } 542 543 suite_found: 544 545 mp->b_rptr += nsuites; 546 if (*mp->b_rptr++ != 1 || *mp->b_rptr++ != 0) { 547 desc = handshake_failure; 548 KSSL_DEBUG1_IF(kssl_debug, 549 "kssl_handle_client_hello: handshake failure"); 550 goto falert; 551 } 552 553 mp->b_rptr = msgend; 554 555 for (i = 0; i < cipher_suite_defs_nentries; i++) { 556 if (suite == cipher_suite_defs[i].suite) { 557 break; 558 } 559 } 560 561 ASSERT(i < cipher_suite_defs_nentries); 562 563 ssl->pending_cipher_suite = suite; 564 ssl->pending_malg = cipher_suite_defs[i].malg; 565 ssl->pending_calg = cipher_suite_defs[i].calg; 566 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 567 568 if (ssl->sid.cached == B_TRUE) { 569 err = kssl_send_server_hello(ssl); 570 if (err != 0) { 571 return (err); 572 } 573 if (IS_TLS(ssl)) 574 err = kssl_generate_tls_keyblock(ssl); 575 else 576 kssl_generate_keyblock(ssl); 577 578 err = kssl_send_change_cipher_specs(ssl); 579 if (err != 0) { 580 return (err); 581 } 582 583 err = kssl_send_finished(ssl, 1); 584 if (err != 0) 585 return (err); 586 587 err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 588 sender_client); 589 if (err != 0) 590 return (err); 591 592 ssl->hs_waitstate = wait_change_cipher; 593 ssl->resumed = B_TRUE; 594 ssl->activeinput = B_FALSE; 595 KSSL_COUNTER(resumed_sessions, 1); 596 return (0); 597 } 598 599 (void) random_get_pseudo_bytes(ssl->sid.session_id, 600 SSL3_SESSIONID_BYTES); 601 ssl->sid.client_addr = ssl->faddr; 602 ssl->sid.cipher_suite = suite; 603 604 err = kssl_send_server_hello(ssl); 605 if (err != 0) { 606 return (err); 607 } 608 err = kssl_send_certificate_and_server_hello_done(ssl); 609 if (err != 0) { 610 return (err); 611 } 612 KSSL_COUNTER(full_handshakes, 1); 613 ssl->hs_waitstate = wait_client_key; 614 ssl->activeinput = B_FALSE; 615 return (0); 616 617 falert: 618 kssl_send_alert(ssl, alert_fatal, desc); 619 return (EBADMSG); 620 } 621 622 static void 623 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 624 { 625 uint_t index; 626 uchar_t *s = sid->session_id; 627 int l = SSL3_SESSIONID_BYTES - 1; 628 kmutex_t *lock; 629 630 ASSERT(sid->cached == B_TRUE); 631 632 index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 633 ((int)s[2] << 8) | (int)s[l]); 634 635 index %= kssl_entry->sid_cache_nentries; 636 637 sid->time = lbolt; 638 639 lock = &(kssl_entry->sid_cache[index].se_lock); 640 mutex_enter(lock); 641 kssl_entry->sid_cache[index].se_used++; 642 bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid)); 643 mutex_exit(lock); 644 } 645 646 static void 647 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, ipaddr_t faddr, 648 kssl_entry_t *kssl_entry) 649 { 650 uint_t index; 651 int l = SSL3_SESSIONID_BYTES - 1; 652 kmutex_t *lock; 653 sslSessionID *csid; 654 655 ASSERT(sid->cached == B_FALSE); 656 657 KSSL_COUNTER(sid_cache_lookups, 1); 658 659 index = (int)faddr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 660 ((int)s[2] << 8) | (int)s[l]); 661 662 index %= kssl_entry->sid_cache_nentries; 663 664 lock = &(kssl_entry->sid_cache[index].se_lock); 665 mutex_enter(lock); 666 csid = &(kssl_entry->sid_cache[index].se_sid); 667 if (csid->cached == B_FALSE || csid->client_addr != faddr || 668 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 669 mutex_exit(lock); 670 return; 671 } 672 673 if (TICK_TO_SEC(lbolt - csid->time) > kssl_entry->sid_cache_timeout) { 674 csid->cached = B_FALSE; 675 mutex_exit(lock); 676 return; 677 } 678 679 bcopy(csid, sid, sizeof (*sid)); 680 mutex_exit(lock); 681 ASSERT(sid->cached == B_TRUE); 682 683 KSSL_COUNTER(sid_cache_hits, 1); 684 } 685 686 static uchar_t * 687 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp) 688 { 689 size_t len = *lenp; 690 int i = 2; 691 692 if (buf[0] != 0 || buf[1] != 2) { 693 return (NULL); 694 } 695 696 while (i < len) { 697 if (buf[i++] == 0) { 698 *lenp = len - i; 699 break; 700 } 701 } 702 703 if (i == len) { 704 return (NULL); 705 } 706 707 return (buf + i); 708 } 709 710 void 711 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 712 { 713 uint_t index; 714 uchar_t *s = sid->session_id; 715 int l = SSL3_SESSIONID_BYTES - 1; 716 sslSessionID *csid; 717 kmutex_t *lock; 718 719 ASSERT(sid->cached == B_TRUE); 720 721 KSSL_COUNTER(sid_uncached, 1); 722 723 index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) | 724 ((int)s[2] << 8) | (int)s[l]); 725 726 index %= kssl_entry->sid_cache_nentries; 727 728 lock = &(kssl_entry->sid_cache[index].se_lock); 729 mutex_enter(lock); 730 csid = &(kssl_entry->sid_cache[index].se_sid); 731 if (csid->client_addr != sid->client_addr || 732 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 733 mutex_exit(lock); 734 return; 735 } 736 csid->cached = B_FALSE; 737 mutex_exit(lock); 738 } 739 740 741 #define KSSL_SSL3_SH_RECLEN (74) 742 #define KSSL_SSL3_FIN_MSGLEN (36) 743 744 #define KSSL_SSL3_MAX_CCP_FIN_MSGLEN (128) /* comfortable upper bound */ 745 746 static int 747 kssl_send_server_hello(ssl_t *ssl) 748 { 749 mblk_t *mp; 750 uchar_t *buf; 751 uchar_t *msgstart; 752 753 mp = allocb(ssl->tcp_mss, BPRI_HI); 754 if (mp == NULL) { 755 KSSL_COUNTER(alloc_fails, 1); 756 return (ENOMEM); 757 } 758 ssl->handshake_sendbuf = mp; 759 buf = mp->b_wptr; 760 761 /* 5 byte record header */ 762 buf[0] = content_handshake; 763 buf[1] = ssl->major_version; 764 buf[2] = ssl->minor_version; 765 buf[3] = KSSL_SSL3_SH_RECLEN >> 8; 766 buf[4] = KSSL_SSL3_SH_RECLEN & 0xff; 767 buf += SSL3_HDR_LEN; 768 769 msgstart = buf; 770 771 /* 6 byte message header */ 772 buf[0] = (uchar_t)server_hello; /* message type */ 773 buf[1] = 0; /* message len byte 0 */ 774 buf[2] = ((KSSL_SSL3_SH_RECLEN - 4) >> 8) & 775 0xff; /* message len byte 1 */ 776 buf[3] = (KSSL_SSL3_SH_RECLEN - 4) & 0xff; /* message len byte 2 */ 777 778 buf[4] = ssl->major_version; /* version byte 0 */ 779 buf[5] = ssl->minor_version; /* version byte 1 */ 780 781 buf += 6; 782 783 kssl_get_hello_random(ssl->server_random); 784 bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH); 785 buf += SSL3_RANDOM_LENGTH; 786 787 buf[0] = SSL3_SESSIONID_BYTES; 788 bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES); 789 buf += SSL3_SESSIONID_BYTES + 1; 790 791 buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff; 792 buf[1] = ssl->pending_cipher_suite & 0xff; 793 794 buf[2] = 0; /* No compression */ 795 796 mp->b_wptr = buf + 3; 797 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 798 799 kssl_update_handshake_hashes(ssl, msgstart, KSSL_SSL3_SH_RECLEN); 800 return (0); 801 } 802 803 static void 804 kssl_get_hello_random(uchar_t *buf) 805 { 806 timestruc_t ts; 807 time_t sec; 808 809 gethrestime(&ts); 810 sec = ts.tv_sec; 811 812 buf[0] = (sec >> 24) & 0xff; 813 buf[1] = (sec >> 16) & 0xff; 814 buf[2] = (sec >> 8) & 0xff; 815 buf[3] = (sec) & 0xff; 816 817 (void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4); 818 819 /* Should this be caching? */ 820 } 821 822 static int 823 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key, 824 size_t hashlen, 825 uchar_t *label, size_t label_len, 826 uchar_t *seed, size_t seedlen, 827 uchar_t *data, size_t datalen) 828 { 829 int rv = 0; 830 uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN]; 831 int bytes_left = datalen; 832 crypto_data_t dd, mac; 833 crypto_context_t ctx; 834 835 dd.cd_format = CRYPTO_DATA_RAW; 836 dd.cd_offset = 0; 837 mac.cd_format = CRYPTO_DATA_RAW; 838 mac.cd_offset = 0; 839 840 /* 841 * A(i) = HMAC_hash(secred, seed + A(i-1)); 842 * A(0) = seed; 843 * 844 * Compute A(1): 845 * A(1) = HMAC_hash(secret, label + seed) 846 * 847 */ 848 HMAC_INIT(mech, key, &ctx); 849 HMAC_UPDATE(ctx, label, label_len); 850 HMAC_UPDATE(ctx, seed, seedlen); 851 HMAC_FINAL(ctx, A1, hashlen); 852 853 /* Compute A(2) ... A(n) */ 854 while (bytes_left > 0) { 855 HMAC_INIT(mech, key, &ctx); 856 HMAC_UPDATE(ctx, A1, hashlen); 857 HMAC_UPDATE(ctx, label, label_len); 858 HMAC_UPDATE(ctx, seed, seedlen); 859 HMAC_FINAL(ctx, result, hashlen); 860 861 /* 862 * The A(i) value is stored in "result". 863 * Save the results of the MAC so it can be input to next 864 * iteration. 865 */ 866 if (bytes_left > hashlen) { 867 /* Store the chunk result */ 868 bcopy(result, data, hashlen); 869 data += hashlen; 870 871 bytes_left -= hashlen; 872 873 /* Update A1 for next iteration */ 874 HMAC_INIT(mech, key, &ctx); 875 HMAC_UPDATE(ctx, A1, hashlen); 876 HMAC_FINAL(ctx, A1, hashlen); 877 878 } else { 879 bcopy(result, data, bytes_left); 880 data += bytes_left; 881 bytes_left = 0; 882 } 883 } 884 end: 885 if (CRYPTO_ERR(rv)) { 886 #ifdef DEBUG 887 cmn_err(CE_WARN, "kssl_P_hash: crypto_mac error 0x%02X", rv); 888 #endif /* DEBUG */ 889 KSSL_COUNTER(compute_mac_failure, 1); 890 } 891 return (rv); 892 } 893 894 /* ARGSUSED */ 895 static int 896 kssl_tls_PRF(ssl_t *ssl, 897 uchar_t *secret, size_t secret_len, 898 uchar_t *label, size_t label_len, 899 uchar_t *seed, size_t seed_len, 900 uchar_t *prfresult, size_t prfresult_len) 901 { 902 /* 903 * RFC 2246: 904 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR 905 * P_SHA1(S2, label + seed); 906 * S1 = 1st half of secret. 907 * S1 = 2nd half of secret. 908 * 909 */ 910 911 int rv = 0, i; 912 uchar_t psha1[MAX_TLS_KEYBLOCK_SIZE]; 913 crypto_key_t S1, S2; 914 915 /* length of secret keys is ceil(length/2) */ 916 size_t slen = roundup(secret_len, 2) / 2; 917 918 if (prfresult_len > MAX_TLS_KEYBLOCK_SIZE) { 919 KSSL_DEBUG2_IF(kssl_debug, "kssl_tls_PRF: unexpected keyblock " 920 "size (%lu)", prfresult_len); 921 return (CRYPTO_ARGUMENTS_BAD); 922 } 923 924 ASSERT(prfresult != NULL); 925 ASSERT(label != NULL); 926 ASSERT(seed != NULL); 927 928 S1.ck_data = secret; 929 S1.ck_length = slen * 8; /* bits */ 930 S1.ck_format = CRYPTO_KEY_RAW; 931 932 S2.ck_data = secret + slen; 933 S2.ck_length = slen * 8; /* bits */ 934 S2.ck_format = CRYPTO_KEY_RAW; 935 936 rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN, 937 label, label_len, 938 seed, seed_len, 939 prfresult, prfresult_len); 940 if (CRYPTO_ERR(rv)) 941 goto end; 942 943 rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN, 944 label, label_len, 945 seed, seed_len, 946 psha1, prfresult_len); 947 if (CRYPTO_ERR(rv)) 948 goto end; 949 950 for (i = 0; i < prfresult_len; i++) 951 prfresult[i] ^= psha1[i]; 952 953 end: 954 if (CRYPTO_ERR(rv)) 955 bzero(prfresult, prfresult_len); 956 957 return (rv); 958 } 959 960 #define IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl) \ 961 (pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN || \ 962 pms[0] != ssl->major_version || pms[1] != ssl->minor_version) 963 964 #define FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) { \ 965 KSSL_COUNTER(bad_pre_master_secret, 1); \ 966 pms = buf; \ 967 pmslen = SSL3_PRE_MASTER_SECRET_LEN; \ 968 pms[0] = ssl->major_version; \ 969 pms[1] = ssl->minor_version; \ 970 (void) random_get_pseudo_bytes(&buf[2], pmslen - 2); \ 971 } 972 973 static int 974 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 975 { 976 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 977 uchar_t seed[SSL3_RANDOM_LENGTH * 2]; 978 979 /* 980 * Computing the master secret: 981 * ---------------------------- 982 * master_secret = PRF (pms, "master secret", 983 * ClientHello.random + ServerHello.random); 984 */ 985 bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH); 986 bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH, 987 SSL3_RANDOM_LENGTH); 988 989 /* if pms is bad fake it to thwart Bleichenbacher attack */ 990 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) { 991 #ifdef DEBUG 992 cmn_err(CE_WARN, "Under Bleichenbacher attack"); 993 #endif /* DEBUG */ 994 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf); 995 } 996 997 return (kssl_tls_PRF(ssl, 998 pms, pmslen, 999 (uchar_t *)TLS_MASTER_SECRET_LABEL, 1000 (size_t)strlen(TLS_MASTER_SECRET_LABEL), 1001 seed, sizeof (seed), 1002 ssl->sid.master_secret, 1003 (size_t)sizeof (ssl->sid.master_secret))); 1004 } 1005 1006 1007 static void 1008 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 1009 { 1010 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 1011 uchar_t *ms; 1012 int hlen = MD5_HASH_LEN; 1013 1014 ms = ssl->sid.master_secret; 1015 1016 /* if pms is bad fake it to thwart Bleichenbacher attack */ 1017 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) { 1018 #ifdef DEBUG 1019 cmn_err(CE_WARN, "Under Bleichenbacher attack"); 1020 #endif /* DEBUG */ 1021 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf); 1022 } 1023 1024 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0); 1025 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0); 1026 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen, 1027 0); 1028 } 1029 1030 static int 1031 kssl_generate_tls_keyblock(ssl_t *ssl) 1032 { 1033 uchar_t seed[2 * SSL3_RANDOM_LENGTH]; 1034 1035 bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH); 1036 bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH, 1037 SSL3_RANDOM_LENGTH); 1038 1039 return (kssl_tls_PRF(ssl, ssl->sid.master_secret, 1040 (size_t)SSL3_MASTER_SECRET_LEN, 1041 (uchar_t *)TLS_KEY_EXPANSION_LABEL, 1042 (size_t)strlen(TLS_KEY_EXPANSION_LABEL), 1043 seed, (size_t)sizeof (seed), 1044 ssl->pending_keyblock, 1045 (size_t)ssl->pending_keyblksz)); 1046 1047 } 1048 1049 static void 1050 kssl_generate_keyblock(ssl_t *ssl) 1051 { 1052 uchar_t *ms; 1053 size_t mslen = SSL3_MASTER_SECRET_LEN; 1054 int hlen = MD5_HASH_LEN; 1055 uchar_t *keys = ssl->pending_keyblock; 1056 int steps = howmany(ssl->pending_keyblksz, hlen); 1057 int i; 1058 1059 ms = ssl->sid.master_secret; 1060 1061 ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH); 1062 1063 for (i = 1; i <= steps; i++) { 1064 kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1); 1065 keys += hlen; 1066 } 1067 } 1068 1069 static char *ssl3_key_derive_seeds[8] = {"A", "BB", "CCC", "DDDD", "EEEEE", 1070 "FFFFFF", "GGGGGGG", "HHHHHHHH"}; 1071 1072 static void 1073 kssl_ssl3_key_material_derive_step( 1074 ssl_t *ssl, 1075 uchar_t *secret, 1076 size_t secretlen, 1077 int step, 1078 uchar_t *dst, 1079 int sr_first) 1080 { 1081 SHA1_CTX sha1, *sha1ctx; 1082 MD5_CTX md5, *md5ctx; 1083 uchar_t sha1_hash[SHA1_HASH_LEN]; 1084 1085 sha1ctx = &sha1; 1086 md5ctx = &md5; 1087 1088 ASSERT(step <= 1089 sizeof (ssl3_key_derive_seeds) / 1090 sizeof (ssl3_key_derive_seeds[0])); 1091 step--; 1092 1093 SHA1Init(sha1ctx); 1094 SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step], 1095 step + 1); 1096 SHA1Update(sha1ctx, secret, secretlen); 1097 if (sr_first) { 1098 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1099 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1100 } else { 1101 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1102 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1103 } 1104 SHA1Final(sha1_hash, sha1ctx); 1105 1106 MD5Init(md5ctx); 1107 MD5Update(md5ctx, secret, secretlen); 1108 MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN); 1109 MD5Final(dst, md5ctx); 1110 } 1111 1112 static int 1113 kssl_send_certificate_and_server_hello_done(ssl_t *ssl) 1114 { 1115 int cur_reclen; 1116 int mss; 1117 int len, copylen; 1118 mblk_t *mp; 1119 uchar_t *cert_buf; 1120 int cert_len; 1121 uchar_t *msgbuf; 1122 Certificate_t *cert; 1123 1124 cert = ssl->kssl_entry->ke_server_certificate; 1125 if (cert == NULL) { 1126 return (ENOENT); 1127 } 1128 cert_buf = cert->msg; 1129 cert_len = cert->len; 1130 1131 mp = ssl->handshake_sendbuf; 1132 mss = ssl->tcp_mss; 1133 ASSERT(mp != NULL); 1134 cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN; 1135 ASSERT(cur_reclen == KSSL_SSL3_SH_RECLEN); 1136 /* Assume MSS is at least 80 bytes */ 1137 ASSERT(mss > cur_reclen + SSL3_HDR_LEN); 1138 ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */ 1139 1140 copylen = mss - (cur_reclen + SSL3_HDR_LEN); 1141 len = cert_len; 1142 copylen = MIN(copylen, len); 1143 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1144 1145 /* new record always starts in a new mblk for simplicity */ 1146 msgbuf = cert_buf; 1147 for (;;) { 1148 ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim); 1149 bcopy(msgbuf, mp->b_wptr, copylen); 1150 msgbuf += copylen; 1151 mp->b_wptr += copylen; 1152 cur_reclen += copylen; 1153 len -= copylen; 1154 if (len == 0) { 1155 break; 1156 } 1157 if (cur_reclen == SSL3_MAX_RECORD_LENGTH) { 1158 cur_reclen = 0; 1159 } 1160 copylen = MIN(len, mss); 1161 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1162 mp->b_cont = allocb(copylen, BPRI_HI); 1163 if (mp->b_cont == NULL) { 1164 KSSL_COUNTER(alloc_fails, 1); 1165 freemsg(ssl->handshake_sendbuf); 1166 ssl->handshake_sendbuf = NULL; 1167 return (ENOMEM); 1168 } 1169 mp = mp->b_cont; 1170 if (cur_reclen == 0) { 1171 mp->b_wptr[0] = content_handshake; 1172 mp->b_wptr[1] = ssl->major_version; 1173 mp->b_wptr[2] = ssl->minor_version; 1174 cur_reclen = MIN(len, SSL3_MAX_RECORD_LENGTH); 1175 mp->b_wptr[3] = (cur_reclen >> 8) & 0xff; 1176 mp->b_wptr[4] = (cur_reclen) & 0xff; 1177 mp->b_wptr += SSL3_HDR_LEN; 1178 cur_reclen = 0; 1179 copylen = MIN(copylen, mss - SSL3_HDR_LEN); 1180 } 1181 } 1182 1183 /* adjust the record length field for the first record */ 1184 mp = ssl->handshake_sendbuf; 1185 cur_reclen = MIN(KSSL_SSL3_SH_RECLEN + cert_len, 1186 SSL3_MAX_RECORD_LENGTH); 1187 mp->b_rptr[3] = (cur_reclen >> 8) & 0xff; 1188 mp->b_rptr[4] = (cur_reclen) & 0xff; 1189 1190 kssl_update_handshake_hashes(ssl, cert_buf, cert_len); 1191 1192 return (0); 1193 } 1194 1195 static int 1196 kssl_send_change_cipher_specs(ssl_t *ssl) 1197 { 1198 mblk_t *mp, *newmp; 1199 uchar_t *buf; 1200 1201 mp = ssl->handshake_sendbuf; 1202 1203 /* We're most likely to hit the fast path for resumed sessions */ 1204 if ((mp != NULL) && 1205 (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) { 1206 buf = mp->b_wptr; 1207 } else { 1208 newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI); 1209 1210 if (newmp == NULL) 1211 return (ENOMEM); /* need to do better job! */ 1212 1213 if (mp == NULL) { 1214 ssl->handshake_sendbuf = newmp; 1215 } else { 1216 linkb(ssl->handshake_sendbuf, newmp); 1217 } 1218 mp = newmp; 1219 buf = mp->b_rptr; 1220 } 1221 1222 /* 5 byte record header */ 1223 buf[0] = content_change_cipher_spec; 1224 buf[1] = ssl->major_version; 1225 buf[2] = ssl->minor_version; 1226 buf[3] = 0; 1227 buf[4] = 1; 1228 buf += SSL3_HDR_LEN; 1229 1230 buf[0] = 1; 1231 1232 mp->b_wptr = buf + 1; 1233 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 1234 1235 ssl->seq_num[KSSL_WRITE] = 0; 1236 return (kssl_spec_init(ssl, KSSL_WRITE)); 1237 } 1238 1239 int 1240 kssl_spec_init(ssl_t *ssl, int dir) 1241 { 1242 KSSL_HASHCTX *ctx; 1243 KSSLCipherSpec *spec = &ssl->spec[dir]; 1244 int ret = 0; 1245 1246 spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz; 1247 spec->mac_padsz = mac_defs[ssl->pending_malg].padsz; 1248 1249 spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit; 1250 spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate; 1251 spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal; 1252 1253 if (dir == KSSL_READ) { 1254 bcopy(ssl->pending_keyblock, ssl->mac_secret[dir], 1255 spec->mac_hashsz); 1256 } else { 1257 bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]), 1258 ssl->mac_secret[dir], spec->mac_hashsz); 1259 } 1260 1261 /* Pre-compute these here. will save cycles on each record later */ 1262 if (!IS_TLS(ssl)) { 1263 ctx = &ssl->mac_ctx[dir][0]; 1264 spec->MAC_HashInit((void *)ctx); 1265 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1266 spec->mac_hashsz); 1267 spec->MAC_HashUpdate((void *)ctx, kssl_pad_1, 1268 spec->mac_padsz); 1269 1270 ctx = &ssl->mac_ctx[dir][1]; 1271 spec->MAC_HashInit((void *)ctx); 1272 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1273 spec->mac_hashsz); 1274 spec->MAC_HashUpdate((void *)ctx, kssl_pad_2, 1275 spec->mac_padsz); 1276 } 1277 1278 spec->cipher_type = cipher_defs[ssl->pending_calg].type; 1279 spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type; 1280 spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize; 1281 spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz; 1282 1283 if (spec->cipher_ctx != NULL) { 1284 crypto_cancel_ctx(spec->cipher_ctx); 1285 spec->cipher_ctx = 0; 1286 } 1287 1288 /* 1289 * Initialize HMAC keys for TLS and SSL3 HMAC keys 1290 * for SSL 3.0. 1291 */ 1292 if (IS_TLS(ssl)) { 1293 if (ssl->pending_malg == mac_md5) { 1294 spec->hmac_mech = hmac_md5_mech; 1295 } else if (ssl->pending_malg == mac_sha) { 1296 spec->hmac_mech = hmac_sha1_mech; 1297 } 1298 1299 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1300 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1301 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1302 } else { 1303 static uint32_t param; 1304 1305 spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID; 1306 spec->hmac_mech.cm_param = (caddr_t)¶m; 1307 spec->hmac_mech.cm_param_len = sizeof (param); 1308 if (ssl->pending_malg == mac_md5) { 1309 spec->hmac_mech.cm_type = 1310 crypto_mech2id("CKM_SSL3_MD5_MAC"); 1311 param = MD5_HASH_LEN; 1312 } else if (ssl->pending_malg == mac_sha) { 1313 spec->hmac_mech.cm_type = 1314 crypto_mech2id("CKM_SSL3_SHA1_MAC"); 1315 param = SHA1_HASH_LEN; 1316 } 1317 1318 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1319 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1320 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1321 } 1322 1323 /* We're done if this is the nil cipher */ 1324 if (spec->cipher_keysz == 0) { 1325 return (0); 1326 } 1327 1328 /* Initialize the key and the active context */ 1329 spec->cipher_key.ck_format = CRYPTO_KEY_RAW; 1330 spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */ 1331 1332 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1333 /* client_write_IV */ 1334 spec->cipher_mech.cm_param = 1335 (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz + 1336 2 * spec->cipher_keysz]); 1337 spec->cipher_mech.cm_param_len = spec->cipher_bsize; 1338 } 1339 spec->cipher_data.cd_format = CRYPTO_DATA_RAW; 1340 if (dir == KSSL_READ) { 1341 spec->cipher_mech.cm_param_len = 1342 cipher_defs[ssl->pending_calg].bsize; 1343 1344 /* client_write_key */ 1345 spec->cipher_key.ck_data = 1346 &(ssl->pending_keyblock[2 * spec->mac_hashsz]); 1347 1348 ret = crypto_decrypt_init(&(spec->cipher_mech), 1349 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1350 #ifdef DEBUG 1351 if (CRYPTO_ERR(ret)) { 1352 cmn_err(CE_WARN, "kssl_spec_init: " 1353 "crypto_decrypt_init error 0x%02X", ret); 1354 } 1355 #endif /* DEBUG */ 1356 } else { 1357 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1358 spec->cipher_mech.cm_param += spec->cipher_bsize; 1359 } 1360 /* server_write_key */ 1361 spec->cipher_key.ck_data = 1362 &(ssl->pending_keyblock[2 * spec->mac_hashsz + 1363 spec->cipher_keysz]); 1364 1365 ret = crypto_encrypt_init(&(spec->cipher_mech), 1366 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1367 #ifdef DEBUG 1368 if (CRYPTO_ERR(ret)) 1369 cmn_err(CE_WARN, "kssl_spec_init: " 1370 "crypto_encrypt_init error 0x%02X", ret); 1371 #endif /* DEBUG */ 1372 } 1373 return (ret); 1374 } 1375 1376 static int 1377 kssl_send_finished(ssl_t *ssl, int update_hsh) 1378 { 1379 mblk_t *mp; 1380 uchar_t *buf; 1381 uchar_t *rstart; 1382 uchar_t *versionp; 1383 SSL3Hashes ssl3hashes; 1384 size_t finish_len; 1385 int ret = 0; 1386 1387 mp = ssl->handshake_sendbuf; 1388 ASSERT(mp != NULL); 1389 buf = mp->b_wptr; 1390 ASSERT(buf - mp->b_rptr == SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN + 1391 SSL3_HDR_LEN + 1 || buf - mp->b_rptr == SSL3_HDR_LEN + 1); 1392 1393 rstart = buf; 1394 1395 if (IS_TLS(ssl)) 1396 finish_len = TLS_FINISHED_SIZE; 1397 else 1398 finish_len = KSSL_SSL3_FIN_MSGLEN; 1399 1400 /* 5 byte record header */ 1401 buf[0] = content_handshake; 1402 buf[1] = ssl->major_version; 1403 buf[2] = ssl->minor_version; 1404 buf[3] = 0; 1405 buf[4] = 4 + finish_len; 1406 1407 versionp = &buf[1]; 1408 1409 buf += SSL3_HDR_LEN; 1410 1411 /* 4 byte message header */ 1412 buf[0] = (uchar_t)finished; /* message type */ 1413 buf[1] = 0; /* message len byte 0 */ 1414 buf[2] = 0; /* message len byte 1 */ 1415 buf[3] = finish_len; /* message len byte 2 */ 1416 buf += 4; 1417 1418 if (IS_TLS(ssl)) { 1419 bcopy(ssl->hs_hashes.md5, ssl3hashes.md5, 1420 sizeof (ssl3hashes.md5)); 1421 bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1, 1422 sizeof (ssl3hashes.sha1)); 1423 } 1424 1425 /* Compute hashes for the SENDER side */ 1426 ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server); 1427 if (ret != 0) 1428 return (ret); 1429 1430 if (IS_TLS(ssl)) { 1431 bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash)); 1432 } else { 1433 bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN); 1434 bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN); 1435 } 1436 1437 if (update_hsh) { 1438 kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4); 1439 } 1440 1441 mp->b_wptr = buf + finish_len; 1442 1443 ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp, 1444 rstart, mp); 1445 ASSERT(mp->b_wptr <= mp->b_datap->db_lim); 1446 1447 return (ret); 1448 } 1449 1450 int 1451 kssl_mac_encrypt_record(ssl_t *ssl, 1452 SSL3ContentType ct, 1453 uchar_t *versionp, 1454 uchar_t *rstart, 1455 mblk_t *mp) 1456 { 1457 KSSLCipherSpec *spec; 1458 int mac_sz; 1459 int ret = 0; 1460 uint16_t rec_sz; 1461 int pad_sz; 1462 int i; 1463 1464 ASSERT(ssl != NULL); 1465 ASSERT(rstart >= mp->b_rptr); 1466 ASSERT(rstart < mp->b_wptr); 1467 1468 spec = &ssl->spec[KSSL_WRITE]; 1469 mac_sz = spec->mac_hashsz; 1470 1471 rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN; 1472 ASSERT(rec_sz > 0); 1473 1474 if (mac_sz != 0) { 1475 ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim); 1476 ret = kssl_compute_record_mac(ssl, KSSL_WRITE, 1477 ssl->seq_num[KSSL_WRITE], ct, versionp, 1478 rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr); 1479 if (ret == CRYPTO_SUCCESS) { 1480 ssl->seq_num[KSSL_WRITE]++; 1481 mp->b_wptr += mac_sz; 1482 rec_sz += mac_sz; 1483 } else { 1484 return (ret); 1485 } 1486 } 1487 1488 if (spec->cipher_type == type_block) { 1489 pad_sz = spec->cipher_bsize - 1490 (rec_sz & (spec->cipher_bsize - 1)); 1491 ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim); 1492 for (i = 0; i < pad_sz; i++) { 1493 mp->b_wptr[i] = pad_sz - 1; 1494 } 1495 mp->b_wptr += pad_sz; 1496 rec_sz += pad_sz; 1497 } 1498 1499 ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH); 1500 1501 U16_TO_BE16(rec_sz, rstart + 3); 1502 1503 if (spec->cipher_ctx == 0) 1504 return (ret); 1505 1506 spec->cipher_data.cd_length = rec_sz; 1507 spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN); 1508 spec->cipher_data.cd_raw.iov_len = rec_sz; 1509 /* One record at a time. Otherwise, gotta allocate the crypt_data_t */ 1510 ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data, 1511 NULL, NULL); 1512 #ifdef DEBUG 1513 if (CRYPTO_ERR(ret)) { 1514 cmn_err(CE_WARN, 1515 "kssl_mac_encrypt_record: crypto_encrypt_update " 1516 "error 0x%02X", ret); 1517 } 1518 #endif /* DEBUG */ 1519 return (ret); 1520 } 1521 1522 void 1523 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc) 1524 { 1525 mblk_t *mp; 1526 uchar_t *buf; 1527 KSSLCipherSpec *spec; 1528 1529 ASSERT(ssl != NULL); 1530 1531 ssl->sendalert_level = level; 1532 ssl->sendalert_desc = desc; 1533 1534 if (level == alert_fatal) { 1535 #ifdef DEBUG 1536 cmn_err(CE_WARN, "sending an alert %d %d from %p\n", level, 1537 desc, (void *)caller()); 1538 #endif /* DEBUG */ 1539 if (ssl->sid.cached == B_TRUE) { 1540 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 1541 ssl->sid.cached = B_FALSE; 1542 } 1543 ssl->fatal_alert = B_TRUE; 1544 KSSL_COUNTER(fatal_alerts, 1); 1545 } else 1546 KSSL_COUNTER(warning_alerts, 1); 1547 1548 spec = &ssl->spec[KSSL_WRITE]; 1549 1550 ASSERT(ssl->alert_sendbuf == NULL); 1551 ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz + 1552 spec->cipher_bsize, BPRI_HI); 1553 if (mp == NULL) { 1554 KSSL_COUNTER(alloc_fails, 1); 1555 return; 1556 } 1557 buf = mp->b_wptr; 1558 1559 /* 5 byte record header */ 1560 buf[0] = content_alert; 1561 buf[1] = ssl->major_version; 1562 buf[2] = ssl->minor_version; 1563 buf[3] = 0; 1564 buf[4] = 2; 1565 buf += SSL3_HDR_LEN; 1566 1567 /* alert contents */ 1568 buf[0] = (uchar_t)level; 1569 buf[1] = (uchar_t)desc; 1570 1571 mp->b_wptr = buf + 2; 1572 } 1573 1574 /* Assumes RSA encryption */ 1575 static int 1576 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen, 1577 kssl_callback_t cbfn, void *arg) 1578 { 1579 char *buf; 1580 uchar_t *pms; 1581 size_t pmslen; 1582 int allocated; 1583 int err, rverr = ENOMEM; 1584 kssl_entry_t *ep; 1585 crypto_key_t *privkey; 1586 crypto_data_t *wrapped_pms_data, *pms_data; 1587 crypto_call_req_t creq, *creqp; 1588 1589 ep = ssl->kssl_entry; 1590 privkey = ep->ke_private_key; 1591 if (privkey == NULL) { 1592 return (ENOENT); 1593 } 1594 1595 ASSERT(ssl->msg.type == client_key_exchange); 1596 ASSERT(ssl->hs_waitstate == wait_client_key); 1597 1598 /* 1599 * TLS adds an extra 2 byte length field before the data. 1600 */ 1601 if (IS_TLS(ssl)) { 1602 msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1]; 1603 mp->b_rptr += 2; 1604 } 1605 1606 /* 1607 * Allocate all we need in one shot. about 300 bytes total, for 1608 * 1024 bit RSA modulus. 1609 * The buffer layout will be: pms_data, wrapped_pms_data, the 1610 * value of the wrapped pms from the client, then room for the 1611 * resulting decrypted premaster secret. 1612 */ 1613 allocated = 2 * (sizeof (crypto_data_t) + msglen); 1614 buf = kmem_alloc(allocated, KM_NOSLEEP); 1615 if (buf == NULL) { 1616 return (ENOMEM); 1617 } 1618 1619 pms_data = (crypto_data_t *)buf; 1620 wrapped_pms_data = &(((crypto_data_t *)buf)[1]); 1621 1622 wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW; 1623 wrapped_pms_data->cd_offset = pms_data->cd_offset = 0; 1624 wrapped_pms_data->cd_length = pms_data->cd_length = msglen; 1625 wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL; 1626 wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen; 1627 wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t); 1628 pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen; 1629 1630 bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen); 1631 mp->b_rptr += msglen; 1632 1633 /* Proceed synchronously if out of interrupt and configured to do so */ 1634 if ((kssl_synchronous) && (!servicing_interrupt())) { 1635 creqp = NULL; 1636 } else { 1637 ssl->cke_callback_func = cbfn; 1638 ssl->cke_callback_arg = arg; 1639 creq.cr_flag = kssl_call_flag; 1640 creq.cr_callback_func = kssl_cke_done; 1641 creq.cr_callback_arg = ssl; 1642 1643 /* The callback routine will release this one */ 1644 KSSL_SSL_REFHOLD(ssl); 1645 1646 creqp = &creq; 1647 } 1648 1649 if (ep->ke_is_nxkey) { 1650 kssl_session_info_t *s; 1651 1652 s = ep->ke_sessinfo; 1653 err = CRYPTO_SUCCESS; 1654 if (!s->is_valid_handle) { 1655 /* Reauthenticate to the provider */ 1656 if (s->do_reauth) { 1657 err = kssl_get_obj_handle(ep); 1658 if (err == CRYPTO_SUCCESS) { 1659 s->is_valid_handle = B_TRUE; 1660 s->do_reauth = B_FALSE; 1661 } 1662 } else 1663 err = CRYPTO_FAILED; 1664 } 1665 1666 if (err == CRYPTO_SUCCESS) { 1667 ASSERT(s->is_valid_handle); 1668 err = crypto_decrypt_prov(s->prov, s->sid, 1669 &rsa_x509_mech, wrapped_pms_data, &s->key, 1670 NULL, pms_data, creqp); 1671 } 1672 1673 /* 1674 * Deal with session specific errors. We translate to 1675 * the closest errno. 1676 */ 1677 switch (err) { 1678 case CRYPTO_KEY_HANDLE_INVALID: 1679 case CRYPTO_SESSION_HANDLE_INVALID: 1680 s->is_valid_handle = B_FALSE; 1681 s->do_reauth = B_TRUE; 1682 rverr = EINVAL; 1683 break; 1684 case CRYPTO_PIN_EXPIRED: 1685 case CRYPTO_PIN_LOCKED: 1686 rverr = EACCES; 1687 break; 1688 case CRYPTO_UNKNOWN_PROVIDER: 1689 rverr = ENXIO; 1690 break; 1691 } 1692 } else { 1693 err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data, 1694 privkey, NULL, pms_data, creqp); 1695 } 1696 1697 switch (err) { 1698 case CRYPTO_SUCCESS: 1699 break; 1700 1701 case CRYPTO_QUEUED: 1702 /* 1703 * Finish the master secret then the rest of key material 1704 * derivation later. 1705 */ 1706 ssl->job.kjob = creq.cr_reqid; 1707 ssl->job.buf = buf; 1708 ssl->job.buflen = allocated; 1709 ssl->hs_waitstate = wait_client_key_done; 1710 return (0); 1711 default: 1712 #ifdef DEBUG 1713 cmn_err(CE_WARN, "kssl_handle_client_key_exchange: " 1714 "crypto_decrypt error 0x%02X", err); 1715 #endif /* DEBUG */ 1716 kmem_free(buf, allocated); 1717 return (rverr); 1718 } 1719 1720 pmslen = pms_data->cd_length; 1721 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1722 1723 /* generate master key and save it in the ssl sid structure */ 1724 if (IS_TLS(ssl)) { 1725 err = kssl_generate_tls_ms(ssl, pms, pmslen); 1726 if (!CRYPTO_ERR(err)) 1727 err = kssl_generate_tls_keyblock(ssl); 1728 } else { 1729 kssl_generate_ssl_ms(ssl, pms, pmslen); 1730 kssl_generate_keyblock(ssl); 1731 } 1732 1733 if (err == CRYPTO_SUCCESS) 1734 ssl->hs_waitstate = wait_change_cipher; 1735 1736 ssl->activeinput = B_FALSE; 1737 1738 kmem_free(buf, allocated); 1739 1740 return (0); 1741 } 1742 1743 static int 1744 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen) 1745 { 1746 int err; 1747 size_t finish_len; 1748 int hashcompare; 1749 1750 ASSERT(ssl->msg.type == finished); 1751 ASSERT(ssl->hs_waitstate == wait_finished); 1752 1753 if (IS_TLS(ssl)) 1754 finish_len = TLS_FINISHED_SIZE; 1755 else 1756 finish_len = KSSL_SSL3_FIN_MSGLEN; 1757 1758 if (msglen != finish_len) { 1759 kssl_send_alert(ssl, alert_fatal, illegal_parameter); 1760 return (EBADMSG); 1761 } 1762 1763 if (IS_TLS(ssl)) { 1764 hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash, 1765 finish_len); 1766 } else { 1767 hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len); 1768 } 1769 1770 /* The handshake hashes should be computed by now */ 1771 if (hashcompare != 0) { 1772 kssl_send_alert(ssl, alert_fatal, handshake_failure); 1773 return (EBADMSG); 1774 } 1775 1776 mp->b_rptr += msglen; 1777 1778 ssl->hs_waitstate = idle_handshake; 1779 1780 if (ssl->resumed == B_TRUE) { 1781 ssl->activeinput = B_FALSE; 1782 return (0); 1783 } 1784 1785 err = kssl_send_change_cipher_specs(ssl); 1786 if (err != 0) { 1787 return (err); 1788 } 1789 err = kssl_send_finished(ssl, 0); 1790 if (err != 0) { 1791 return (err); 1792 } 1793 1794 ASSERT(ssl->sid.cached == B_FALSE); 1795 ssl->sid.cached = B_TRUE; 1796 kssl_cache_sid(&ssl->sid, ssl->kssl_entry); 1797 ssl->activeinput = B_FALSE; 1798 1799 return (0); 1800 } 1801 1802 #define KSSL2_CH_MIN_RECSZ (9) 1803 1804 /* 1805 * This method is needed to handle clients which send the 1806 * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers. 1807 * We are not really doing SSLv2 here, just handling the header 1808 * and then switching to SSLv3. 1809 */ 1810 int 1811 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz) 1812 { 1813 uchar_t *recend; 1814 int err; 1815 SSL3AlertDescription desc = illegal_parameter; 1816 uint_t randlen; 1817 uint_t sidlen; 1818 uint_t nsuites; 1819 uchar_t *suitesp; 1820 uchar_t *rand; 1821 uint_t i, j; 1822 uint16_t suite; 1823 int ch_recsz = KSSL2_CH_MIN_RECSZ; 1824 1825 ASSERT(mp->b_wptr >= mp->b_rptr + recsz); 1826 ASSERT(ssl->hs_waitstate == wait_client_hello); 1827 ASSERT(ssl->resumed == B_FALSE); 1828 1829 if (recsz < ch_recsz) { 1830 goto falert; 1831 } 1832 1833 MD5Init(&ssl->hs_md5); 1834 SHA1Init(&ssl->hs_sha1); 1835 1836 kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz); 1837 1838 recend = mp->b_rptr + recsz; 1839 1840 if (*mp->b_rptr != 1) { 1841 goto falert; 1842 } 1843 mp->b_rptr += 3; 1844 1845 nsuites = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 1846 sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3]; 1847 randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5]; 1848 if (nsuites % 3 != 0) { 1849 KSSL_DEBUG2_IF(kssl_debug, 1850 "kssl_handle_v2client_hello nsuites = %d, error.", 1851 nsuites); 1852 goto falert; 1853 } 1854 if (randlen < SSL_MIN_CHALLENGE_BYTES || 1855 randlen > SSL_MAX_CHALLENGE_BYTES) { 1856 KSSL_DEBUG2_IF(kssl_debug, 1857 "kssl_handle_v2client_hello randlen out of range: %d", 1858 randlen); 1859 goto falert; 1860 } 1861 mp->b_rptr += 6; 1862 ch_recsz += nsuites + sidlen + randlen; 1863 if (recsz != ch_recsz) { 1864 goto falert; 1865 } 1866 suitesp = mp->b_rptr; 1867 rand = suitesp + nsuites + sidlen; 1868 if (randlen < SSL3_RANDOM_LENGTH) { 1869 bzero(ssl->client_random, SSL3_RANDOM_LENGTH); 1870 } 1871 bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen], 1872 randlen); 1873 1874 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 1875 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 1876 for (j = 0; j < nsuites; j += 3) { 1877 if (suitesp[j] != 0) { 1878 continue; 1879 } 1880 1881 if (suitesp[j + 1] == ((suite >> 8) & 0xff) && 1882 suitesp[j + 2] == (suite & 0xff)) { 1883 break; 1884 } 1885 } 1886 if (j < nsuites) { 1887 break; 1888 } 1889 } 1890 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 1891 KSSL_DEBUG1_IF(kssl_debug, "kssl_handle_v2client_hello - " 1892 "cannot find SSLv2 cipher suite"); 1893 ssl->activeinput = B_FALSE; 1894 return (SSL_MISS); 1895 } 1896 1897 mp->b_rptr = recend; 1898 1899 for (i = 0; i < cipher_suite_defs_nentries; i++) { 1900 if (suite == cipher_suite_defs[i].suite) { 1901 break; 1902 } 1903 } 1904 1905 ASSERT(i < cipher_suite_defs_nentries); 1906 1907 ssl->pending_cipher_suite = suite; 1908 ssl->pending_malg = cipher_suite_defs[i].malg; 1909 ssl->pending_calg = cipher_suite_defs[i].calg; 1910 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 1911 1912 ASSERT(ssl->sid.cached == B_FALSE); 1913 1914 (void) random_get_pseudo_bytes(ssl->sid.session_id, 1915 SSL3_SESSIONID_BYTES); 1916 ssl->sid.client_addr = ssl->faddr; 1917 ssl->sid.cipher_suite = suite; 1918 1919 err = kssl_send_server_hello(ssl); 1920 if (err != 0) { 1921 return (err); 1922 } 1923 err = kssl_send_certificate_and_server_hello_done(ssl); 1924 if (err != 0) { 1925 return (err); 1926 } 1927 KSSL_COUNTER(full_handshakes, 1); 1928 ssl->hs_waitstate = wait_client_key; 1929 ssl->activeinput = B_FALSE; 1930 return (0); 1931 1932 falert: 1933 kssl_send_alert(ssl, alert_fatal, desc); 1934 ssl->activeinput = B_FALSE; 1935 return (EBADMSG); 1936 } 1937 1938 /* 1939 * Call back routine for asynchronously submitted RSA decryption jobs. 1940 * The routine retreived the pre-master secret, and proceeds to generate 1941 * the remaining key materials. 1942 */ 1943 static void 1944 kssl_cke_done(void *arg, int status) 1945 { 1946 int ret = 0; 1947 uchar_t *pms; 1948 size_t pmslen; 1949 crypto_data_t *pms_data; 1950 kssl_cmd_t kssl_cmd = KSSL_CMD_NONE; 1951 ssl_t *ssl = (ssl_t *)arg; 1952 mblk_t *alertmp; 1953 kssl_callback_t cbfn; 1954 void *cbarg; 1955 1956 mutex_enter(&ssl->kssl_lock); 1957 1958 ASSERT(ssl->msg.type == client_key_exchange); 1959 ASSERT(ssl->hs_waitstate == wait_client_key_done); 1960 1961 if (status != CRYPTO_SUCCESS) { 1962 kssl_send_alert(ssl, alert_fatal, decrypt_error); 1963 kssl_cmd = KSSL_CMD_SEND; 1964 goto out; 1965 } 1966 1967 pms_data = (crypto_data_t *)(ssl->job.buf); 1968 1969 ASSERT(pms_data != NULL); 1970 1971 pmslen = pms_data->cd_length; 1972 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1973 1974 /* generate master key and save it in the ssl sid structure */ 1975 if (IS_TLS(ssl)) { 1976 ret = kssl_generate_tls_ms(ssl, pms, pmslen); 1977 if (!CRYPTO_ERR(ret)) 1978 ret = kssl_generate_tls_keyblock(ssl); 1979 } else { 1980 kssl_generate_ssl_ms(ssl, pms, pmslen); 1981 kssl_generate_keyblock(ssl); 1982 } 1983 1984 if (ret == CRYPTO_SUCCESS) 1985 ssl->hs_waitstate = wait_change_cipher; 1986 1987 out: 1988 kmem_free(ssl->job.buf, ssl->job.buflen); 1989 1990 ssl->job.kjob = 0; 1991 ssl->job.buf = NULL; 1992 ssl->job.buflen = 0; 1993 1994 ssl->activeinput = B_FALSE; 1995 1996 /* If we're the only ones left, then we won't callback */ 1997 if (ssl->kssl_refcnt == 1) { 1998 mutex_exit(&ssl->kssl_lock); 1999 KSSL_SSL_REFRELE(ssl); 2000 return; 2001 } 2002 2003 cbfn = ssl->cke_callback_func; 2004 cbarg = ssl->cke_callback_arg; 2005 alertmp = ssl->alert_sendbuf; 2006 ssl->alert_sendbuf = NULL; 2007 2008 mutex_exit(&ssl->kssl_lock); 2009 2010 KSSL_SSL_REFRELE(ssl); 2011 2012 /* Now call the callback routine */ 2013 (*(cbfn))(cbarg, alertmp, kssl_cmd); 2014 } 2015 2016 /* 2017 * Returns the first complete contiguous record out of rec_ass_head 2018 * The record is returned in a separate contiguous mblk, rec_ass_head is 2019 * left pointing to the next record in the queue. 2020 * 2021 * The output looks as follows: 2022 * 2023 * |--------|---------- .... -----|<---------->|<----------->|--- ... ---| 2024 * ^ ^ ^ mac_size pad_size ^ 2025 * | |___ b_rptr b_wptr __| | 2026 * | | 2027 * |___ db_base db_lim ___| 2028 */ 2029 mblk_t * 2030 kssl_get_next_record(ssl_t *ssl) 2031 { 2032 mblk_t *mp, *retmp; 2033 int rhsz = SSL3_HDR_LEN; 2034 uint16_t rec_sz; 2035 int mpsz, total_size; 2036 SSL3ContentType content_type; 2037 2038 ASSERT(MUTEX_HELD(&ssl->kssl_lock)); 2039 2040 mp = ssl->rec_ass_head; 2041 if (mp == NULL) 2042 return (NULL); 2043 2044 /* Fast path: when mp has at least a complete record */ 2045 if (MBLKL(mp) < rhsz) { 2046 /* Not even a complete header in there yet */ 2047 if (msgdsize(mp) < rhsz) { 2048 return (NULL); 2049 } 2050 2051 if (!pullupmsg(mp, rhsz)) { 2052 kssl_send_alert(ssl, alert_fatal, internal_error); 2053 freemsg(mp); 2054 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2055 return (NULL); 2056 } 2057 } 2058 content_type = (SSL3ContentType)mp->b_rptr[0]; 2059 if (content_type == content_handshake_v2) { 2060 rec_sz = (uint16_t)mp->b_rptr[1]; 2061 rhsz = 2; 2062 } else { 2063 uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3; 2064 rec_sz = BE16_TO_U16(rec_sz_p); 2065 } 2066 2067 /* 2068 * same tests as above. Only rare very fragmented cases will 2069 * incur the cost of msgdsize() and msgpullup(). Well formed 2070 * packets will fall in the most frequent fast path. 2071 */ 2072 total_size = rhsz + rec_sz; 2073 2074 /* 2075 * Missing: defensive against record fabricated with longer than 2076 * MAX record length. 2077 */ 2078 if (MBLKL(mp) < total_size) { 2079 /* Not a complete record yet. Keep accumulating */ 2080 if (msgdsize(mp) < total_size) { 2081 return (NULL); 2082 } 2083 2084 if (!pullupmsg(mp, total_size)) { 2085 kssl_send_alert(ssl, alert_fatal, internal_error); 2086 freemsg(mp); 2087 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2088 return (NULL); 2089 } 2090 } 2091 mpsz = MBLKL(mp); /* could've changed after the pullup */ 2092 2093 if (mpsz > total_size) { 2094 /* gotta allocate a new block */ 2095 if ((retmp = dupb(mp)) == NULL) { 2096 kssl_send_alert(ssl, alert_fatal, internal_error); 2097 freemsg(mp); 2098 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2099 return (NULL); 2100 } 2101 2102 retmp->b_wptr = retmp->b_rptr + total_size; 2103 mp->b_rptr += total_size; 2104 ssl->rec_ass_head = mp; 2105 } else { 2106 ASSERT(mpsz == total_size); 2107 ssl->rec_ass_head = mp->b_cont; 2108 mp->b_cont = NULL; 2109 retmp = mp; 2110 } 2111 /* Adjust the tail */ 2112 if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) { 2113 for (; mp->b_cont != NULL; mp = mp->b_cont) { 2114 ssl->rec_ass_tail = mp->b_cont; 2115 } 2116 } 2117 2118 return (retmp); 2119 } 2120 2121 2122 static void 2123 kssl_mblksfree(ssl_t *ssl) 2124 { 2125 2126 ASSERT(ssl != NULL); 2127 2128 if (ssl->rec_ass_head != NULL) { 2129 freemsg(ssl->rec_ass_head); 2130 } 2131 ssl->rec_ass_head = NULL; 2132 ssl->rec_ass_tail = NULL; 2133 2134 if (ssl->msg.head != NULL) { 2135 freemsg(ssl->msg.head); 2136 } 2137 ssl->msg.head = NULL; 2138 ssl->msg.tail = NULL; 2139 2140 if (ssl->handshake_sendbuf != NULL) { 2141 freemsg(ssl->handshake_sendbuf); 2142 ssl->handshake_sendbuf = NULL; 2143 } 2144 if (ssl->alert_sendbuf != NULL) { 2145 freemsg(ssl->alert_sendbuf); 2146 ssl->alert_sendbuf = NULL; 2147 } 2148 } 2149 2150 static void 2151 kssl_specsfree(ssl_t *ssl) 2152 { 2153 KSSLCipherSpec *spec = &ssl->spec[KSSL_READ]; 2154 2155 if (spec->cipher_ctx != NULL) { 2156 crypto_cancel_ctx(spec->cipher_ctx); 2157 spec->cipher_ctx = 0; 2158 } 2159 2160 spec = &ssl->spec[KSSL_WRITE]; 2161 2162 if (spec->cipher_ctx != NULL) { 2163 crypto_cancel_ctx(spec->cipher_ctx); 2164 spec->cipher_ctx = 0; 2165 } 2166 } 2167 2168 /* 2169 * Frees the ssl structure (aka the context of an SSL session). 2170 * Any pending crypto jobs are cancelled. 2171 * Any initiated crypto contexts are freed as well. 2172 */ 2173 void 2174 kssl_free_context(ssl_t *ssl) 2175 { 2176 ASSERT(ssl != NULL); 2177 if (!(MUTEX_HELD(&ssl->kssl_lock))) { 2178 /* we're coming from an external API entry point */ 2179 mutex_enter(&ssl->kssl_lock); 2180 } 2181 2182 if (ssl->job.kjob != NULL) { 2183 crypto_cancel_req(ssl->job.kjob); 2184 kmem_free(ssl->job.buf, ssl->job.buflen); 2185 2186 ssl->job.kjob = 0; 2187 ssl->job.buf = NULL; 2188 ssl->job.buflen = 0; 2189 } 2190 2191 kssl_mblksfree(ssl); 2192 kssl_specsfree(ssl); 2193 2194 KSSL_ENTRY_REFRELE(ssl->kssl_entry); 2195 ssl->kssl_entry = NULL; 2196 2197 mutex_exit(&ssl->kssl_lock); 2198 2199 kmem_cache_free(kssl_cache, ssl); 2200 kssl_cache_count--; 2201 } 2202