ksslrec.c revision 11042:2d6e217af1b4
1254721Semaste/* 2254721Semaste * CDDL HEADER START 3254721Semaste * 4254721Semaste * The contents of this file are subject to the terms of the 5254721Semaste * Common Development and Distribution License (the "License"). 6254721Semaste * You may not use this file except in compliance with the License. 7254721Semaste * 8254721Semaste * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9254721Semaste * or http://www.opensolaris.org/os/licensing. 10254721Semaste * See the License for the specific language governing permissions 11254721Semaste * and limitations under the License. 12254721Semaste * 13269024Semaste * When distributing Covered Code, include this CDDL HEADER in each 14254721Semaste * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15254721Semaste * If applicable, add the following below this CDDL HEADER, with the 16254721Semaste * fields enclosed by brackets "[]" replaced with your own identifying 17254721Semaste * information: Portions Copyright [yyyy] [name of copyright owner] 18254721Semaste * 19254721Semaste * CDDL HEADER END 20254721Semaste */ 21254721Semaste/* 22254721Semaste * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23254721Semaste * Use is subject to license terms. 24254721Semaste */ 25254721Semaste 26254721Semaste#include <sys/types.h> 27254721Semaste#include <sys/stream.h> 28254721Semaste#include <sys/strsubr.h> 29254721Semaste#include <sys/stropts.h> 30254721Semaste#include <sys/strsun.h> 31254721Semaste#define _SUN_TPI_VERSION 2 32254721Semaste#include <sys/ddi.h> 33254721Semaste#include <sys/sunddi.h> 34254721Semaste#include <sys/debug.h> 35254721Semaste#include <sys/vtrace.h> 36254721Semaste#include <sys/kmem.h> 37254721Semaste#include <sys/cpuvar.h> 38254721Semaste#include <sys/atomic.h> 39254721Semaste#include <sys/sysmacros.h> 40254721Semaste 41254721Semaste#include <sys/errno.h> 42254721Semaste#include <sys/isa_defs.h> 43254721Semaste#include <sys/md5.h> 44254721Semaste#include <sys/sha1.h> 45254721Semaste#include <sys/random.h> 46254721Semaste#include <inet/common.h> 47254721Semaste#include <netinet/in.h> 48254721Semaste 49254721Semaste#include <sys/systm.h> 50254721Semaste#include <sys/param.h> 51254721Semaste 52254721Semaste#include "ksslimpl.h" 53254721Semaste#include "ksslapi.h" 54254721Semaste#include "ksslproto.h" 55254721Semaste 56254721Semastestatic ssl3CipherSuiteDef cipher_suite_defs[] = { 57254721Semaste /* 2 X 16 byte keys + 2 x 20 byte MAC secrets, no IVs */ 58254721Semaste {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, 72}, 59254721Semaste 60254721Semaste /* 2 X 16 byte keys + 2 x 16 byte MAC secrets, no IVs */ 61254721Semaste {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, 64}, 62254721Semaste 63254721Semaste /* 2 X 8 byte keys + 2 x 20 byte MAC secrets, 2 x 8 byte IVs */ 64254721Semaste {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, 72}, 65254721Semaste 66254721Semaste /* 2 X 24 byte keys + 2 x 20 byte MAC secrets, 2 x 8 byte IVs */ 67254721Semaste {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, 104}, 68254721Semaste 69254721Semaste /* 2 X 16 byte keys + 2 x 20 byte MAC secrets, 2 x 16 byte IVs */ 70254721Semaste {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes128, mac_sha, 104}, 71254721Semaste 72254721Semaste /* 2 X 32 byte keys + 2 x 20 byte MAC secrets, 2 x 16 byte IVs */ 73254721Semaste {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes256, mac_sha, 136}, 74254721Semaste 75254721Semaste {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, 40} 76254721Semaste}; 77254721Semaste 78254721Semastestatic int cipher_suite_defs_nentries = 79254721Semaste sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]); 80254721Semaste 81254721Semastestatic KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ 82254721Semaste /* macsz padsz HashInit HashUpdate HashFinal */ 83254721Semaste 84254721Semaste {MD5_HASH_LEN, SSL3_MD5_PAD_LEN, 85254721Semaste (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update, 86254721Semaste (hashfinal_func_t)MD5Final}, 87254721Semaste 88254721Semaste {SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN, 89254721Semaste (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update, 90254721Semaste (hashfinal_func_t)SHA1Final}, 91254721Semaste}; 92254721Semaste 93254721Semastestatic uchar_t kssl_pad_1[60] = { 94254721Semaste 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 95254721Semaste 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 96254721Semaste 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 97254721Semaste 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 98254721Semaste 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 99254721Semaste 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 100254721Semaste 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 101254721Semaste 0x36, 0x36, 0x36, 0x36 102254721Semaste}; 103254721Semastestatic uchar_t kssl_pad_2[60] = { 104254721Semaste 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 105254721Semaste 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 106254721Semaste 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 107254721Semaste 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 108254721Semaste 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 109254721Semaste 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 110254721Semaste 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 111254721Semaste 0x5c, 0x5c, 0x5c, 0x5c 112254721Semaste}; 113254721Semaste 114254721Semasteint kssl_cache_count; 115254721Semastestatic boolean_t kssl_synchronous = B_FALSE; 116254721Semaste 117254721Semastestatic void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t); 118254721Semastestatic int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t); 119254721Semastestatic int kssl_handle_client_hello(ssl_t *, mblk_t *, int); 120254721Semastestatic int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int, 121254721Semaste kssl_callback_t, void *); 122254721Semastestatic int kssl_send_server_hello(ssl_t *); 123254721Semastestatic int kssl_send_certificate_and_server_hello_done(ssl_t *); 124254721Semastestatic int kssl_send_change_cipher_specs(ssl_t *); 125254721Semastestatic int kssl_send_finished(ssl_t *, int); 126254721Semastestatic int kssl_handle_finished(ssl_t *, mblk_t *, int); 127254721Semastestatic void kssl_get_hello_random(uchar_t *); 128254721Semastestatic uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *); 129254721Semastestatic void kssl_cache_sid(sslSessionID *, kssl_entry_t *); 130254721Semastestatic void kssl_lookup_sid(sslSessionID *, uchar_t *, in6_addr_t *, 131254721Semaste kssl_entry_t *); 132254721Semastestatic int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t); 133254721Semastestatic void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t); 134254721Semastestatic int kssl_generate_tls_keyblock(ssl_t *); 135254721Semastestatic void kssl_generate_keyblock(ssl_t *); 136254721Semastestatic void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t, 137254721Semaste int, uchar_t *, int); 138254721Semastestatic int kssl_tls_PRF(ssl_t *, uchar_t *, size_t, 139254721Semaste uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 140254721Semastestatic int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *, 141254721Semaste size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t); 142254721Semastestatic void kssl_cke_done(void *, int); 143254721Semaste 144254721Semaste#define HMAC_INIT(m, k, c) \ 145254721Semaste rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end; 146254721Semaste 147254721Semaste#define HMAC_UPDATE(c, d, l) \ 148254721Semaste dd.cd_raw.iov_base = (char *)d; \ 149254721Semaste dd.cd_length = dd.cd_raw.iov_len = l; \ 150254721Semaste rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end; 151254721Semaste 152254721Semaste#define HMAC_FINAL(c, d, l) \ 153254721Semaste mac.cd_raw.iov_base = (char *)d; \ 154254721Semaste mac.cd_length = mac.cd_raw.iov_len = l; \ 155254721Semaste rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end; 156254721Semaste 157254721Semaste/* 158254721Semaste * This hack can go away once we have SSL3 MAC support by KCF 159254721Semaste * software providers (See 4873559). 160254721Semaste */ 161254721Semasteextern int kcf_md5_threshold; 162254721Semaste 163254721Semasteint 164254721Semastekssl_compute_record_mac( 165254721Semaste ssl_t *ssl, 166254721Semaste int direction, 167254721Semaste uint64_t seq_num, 168254721Semaste SSL3ContentType ct, 169254721Semaste uchar_t *versionp, 170254721Semaste uchar_t *buf, 171254721Semaste int len, 172254721Semaste uchar_t *digest) 173254721Semaste{ 174254721Semaste KSSL_HASHCTX mac_ctx; 175254721Semaste KSSL_HASHCTX *ctx = &mac_ctx; 176254721Semaste uchar_t temp[16], *p; 177254721Semaste KSSLCipherSpec *spec; 178254721Semaste boolean_t hash_use_ok = B_FALSE; 179254721Semaste int rv = 0; 180254721Semaste 181254721Semaste spec = &ssl->spec[direction]; 182254721Semaste 183254721Semaste if (spec->mac_hashsz == 0) { 184254721Semaste return (1); 185254721Semaste } 186254721Semaste 187254721Semaste p = temp; 188254721Semaste 189254721Semaste *p++ = (seq_num >> 56) & 0xff; 190254721Semaste *p++ = (seq_num >> 48) & 0xff; 191254721Semaste *p++ = (seq_num >> 40) & 0xff; 192254721Semaste *p++ = (seq_num >> 32) & 0xff; 193254721Semaste *p++ = (seq_num >> 24) & 0xff; 194254721Semaste *p++ = (seq_num >> 16) & 0xff; 195254721Semaste *p++ = (seq_num >> 8) & 0xff; 196254721Semaste *p++ = (seq_num) & 0xff; 197254721Semaste *p++ = (uchar_t)ct; 198254721Semaste if (IS_TLS(ssl)) { 199254721Semaste *p++ = versionp[0]; 200254721Semaste *p++ = versionp[1]; 201254721Semaste } 202254721Semaste *p++ = (len >> 8) & 0xff; 203254721Semaste *p++ = (len) & 0xff; 204254721Semaste 205254721Semaste if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID && 206254721Semaste len >= kcf_md5_threshold)) { 207254721Semaste crypto_data_t dd, mac; 208254721Semaste struct uio uio_pt; 209254721Semaste struct iovec iovarray_pt[2]; 210254721Semaste 211254721Semaste /* init the array of iovecs for use in the uio struct */ 212254721Semaste iovarray_pt[0].iov_base = (char *)temp; 213254721Semaste iovarray_pt[0].iov_len = (p - temp); 214254721Semaste iovarray_pt[1].iov_base = (char *)buf; 215254721Semaste iovarray_pt[1].iov_len = len; 216254721Semaste 217254721Semaste /* init the uio struct for use in the crypto_data_t struct */ 218254721Semaste bzero(&uio_pt, sizeof (uio_pt)); 219254721Semaste uio_pt.uio_iov = iovarray_pt; 220254721Semaste uio_pt.uio_iovcnt = 2; 221254721Semaste uio_pt.uio_segflg = UIO_SYSSPACE; 222254721Semaste 223254721Semaste dd.cd_format = CRYPTO_DATA_UIO; 224254721Semaste dd.cd_offset = 0; 225254721Semaste dd.cd_length = (p - temp) + len; 226254721Semaste dd.cd_miscdata = NULL; 227254721Semaste dd.cd_uio = &uio_pt; 228254721Semaste 229254721Semaste mac.cd_format = CRYPTO_DATA_RAW; 230254721Semaste mac.cd_offset = 0; 231254721Semaste mac.cd_raw.iov_base = (char *)digest; 232254721Semaste mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz; 233254721Semaste 234254721Semaste /* 235254721Semaste * The calling context can tolerate a blocking call here. 236254721Semaste * For outgoing traffic, we are in user context 237254721Semaste * when called from strsock_kssl_output(). For incoming 238254721Semaste * traffic past the SSL handshake, we are in user 239254721Semaste * context when called from strsock_kssl_input(). During the 240254721Semaste * SSL handshake, we are called for client_finished message 241254721Semaste * handling from a squeue worker thread that gets scheduled 242254721Semaste * by an SQ_FILL call. This thread is not in interrupt 243254721Semaste * context and so can block. 244254721Semaste */ 245254721Semaste rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key, 246254721Semaste NULL, &mac, NULL); 247254721Semaste 248254721Semaste if (CRYPTO_ERR(rv)) { 249254721Semaste hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED && 250254721Semaste !IS_TLS(ssl)); 251254721Semaste if (!hash_use_ok) { 252254721Semaste DTRACE_PROBE1(kssl_err__crypto_mac_error, 253254721Semaste int, rv); 254254721Semaste KSSL_COUNTER(compute_mac_failure, 1); 255254721Semaste } 256254721Semaste } 257254721Semaste } else 258254721Semaste hash_use_ok = B_TRUE; 259254721Semaste 260254721Semaste if (hash_use_ok) { 261254721Semaste bcopy(&(ssl->mac_ctx[direction][0]), ctx, 262254721Semaste sizeof (KSSL_HASHCTX)); 263254721Semaste spec->MAC_HashUpdate((void *)ctx, temp, p - temp); 264254721Semaste spec->MAC_HashUpdate((void *)ctx, buf, len); 265254721Semaste spec->MAC_HashFinal(digest, (void *)ctx); 266254721Semaste 267254721Semaste bcopy(&(ssl->mac_ctx[direction][1]), ctx, 268254721Semaste sizeof (KSSL_HASHCTX)); 269254721Semaste spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz); 270254721Semaste spec->MAC_HashFinal(digest, (void *)ctx); 271254721Semaste } 272254721Semaste 273254721Semaste return (rv); 274254721Semaste} 275254721Semaste 276254721Semaste/* 277254721Semaste * Handles handshake messages. 278254721Semaste * Messages to be replied are returned in handshake_sendbuf. 279254721Semaste */ 280254721Semasteint 281254721Semastekssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err, 282254721Semaste kssl_callback_t cbfn, void *arg) 283254721Semaste{ 284254721Semaste uint32_t msglen; 285254721Semaste uchar_t msghdr[4]; 286254721Semaste 287254721Semaste ASSERT(ssl->msg.state == MSG_BODY); 288254721Semaste ASSERT(ssl->msg.msglen_bytes == 3); 289254721Semaste ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen); 290254721Semaste 291254721Semaste ssl->sslcnt++; 292254721Semaste msglen = ssl->msg.msglen; 293254721Semaste 294254721Semaste if (ssl->msg.type == client_hello) { 295254721Semaste MD5Init(&ssl->hs_md5); 296254721Semaste SHA1Init(&ssl->hs_sha1); 297254721Semaste } 298254721Semaste 299254721Semaste if (ssl->msg.type == finished && ssl->resumed == B_FALSE) { 300254721Semaste if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 301254721Semaste sender_client) != 0) { 302254721Semaste *err = SSL_MISS; 303254721Semaste return (0); 304254721Semaste } 305254721Semaste } 306254721Semaste 307254721Semaste if (ssl->msg.type != finished || ssl->resumed == B_FALSE) { 308254721Semaste msghdr[0] = (uchar_t)ssl->msg.type; 309254721Semaste 310254721Semaste msghdr[1] = (uchar_t)(msglen >> 16); 311254721Semaste msghdr[2] = (uchar_t)(msglen >> 8); 312254721Semaste msghdr[3] = (uchar_t)(msglen); 313254721Semaste kssl_update_handshake_hashes(ssl, msghdr, 4); 314254721Semaste kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen); 315254721Semaste } 316254721Semaste 317254721Semaste ssl->msg.state = MSG_INIT; 318254721Semaste ssl->msg.msglen = 0; 319254721Semaste ssl->msg.msglen_bytes = 0; 320254721Semaste 321254721Semaste switch (ssl->msg.type) { 322254721Semaste case client_hello: 323254721Semaste if (ssl->hs_waitstate != wait_client_hello) { 324254721Semaste kssl_send_alert(ssl, alert_fatal, 325254721Semaste unexpected_message); 326254721Semaste *err = EBADMSG; 327254721Semaste ssl->activeinput = B_FALSE; 328254721Semaste return (1); 329254721Semaste } 330254721Semaste *err = kssl_handle_client_hello(ssl, mp, msglen); 331254721Semaste if (*err == SSL_MISS) { 332254721Semaste ssl->activeinput = B_FALSE; 333254721Semaste return (0); 334254721Semaste } 335254721Semaste return (1); 336254721Semaste case client_key_exchange: 337254721Semaste if (ssl->hs_waitstate != wait_client_key) { 338254721Semaste kssl_send_alert(ssl, alert_fatal, 339254721Semaste unexpected_message); 340254721Semaste *err = EBADMSG; 341254721Semaste ssl->activeinput = B_FALSE; 342254721Semaste return (1); 343254721Semaste } 344254721Semaste *err = kssl_handle_client_key_exchange(ssl, mp, 345254721Semaste msglen, cbfn, arg); 346254721Semaste return (1); 347254721Semaste case finished: 348254721Semaste if (ssl->hs_waitstate != wait_finished) { 349254721Semaste kssl_send_alert(ssl, alert_fatal, 350254721Semaste unexpected_message); 351254721Semaste *err = EBADMSG; 352254721Semaste ssl->activeinput = B_FALSE; 353254721Semaste return (1); 354254721Semaste } 355254721Semaste *err = kssl_handle_finished(ssl, mp, msglen); 356254721Semaste return (1); 357254721Semaste default: 358254721Semaste kssl_send_alert(ssl, alert_fatal, unexpected_message); 359254721Semaste ssl->activeinput = B_FALSE; 360254721Semaste *err = EBADMSG; 361254721Semaste return (1); 362254721Semaste } 363254721Semaste} 364254721Semaste 365254721Semastestatic void 366254721Semastekssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len) 367254721Semaste{ 368254721Semaste MD5Update(&ssl->hs_md5, buf, len); 369254721Semaste SHA1Update(&ssl->hs_sha1, buf, len); 370254721Semaste} 371254721Semaste 372254721Semastestatic int 373254721Semastekssl_compute_handshake_hashes( 374254721Semaste ssl_t *ssl, 375254721Semaste SSL3Hashes *hashes, 376254721Semaste uint32_t sender) 377254721Semaste{ 378254721Semaste MD5_CTX md5 = ssl->hs_md5; /* clone md5 context */ 379254721Semaste SHA1_CTX sha1 = ssl->hs_sha1; /* clone sha1 context */ 380254721Semaste MD5_CTX *md5ctx = &md5; 381254721Semaste SHA1_CTX *sha1ctx = &sha1; 382254721Semaste 383254721Semaste if (IS_TLS(ssl)) { 384254721Semaste uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN]; 385254721Semaste char *label; 386254721Semaste 387254721Semaste /* 388254721Semaste * Do not take another hash step here. 389254721Semaste * Just complete the operation. 390254721Semaste */ 391254721Semaste MD5Final(hashes->md5, md5ctx); 392254721Semaste SHA1Final(hashes->sha1, sha1ctx); 393254721Semaste 394254721Semaste bcopy(hashes->md5, seed, MD5_HASH_LEN); 395254721Semaste bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN); 396254721Semaste 397254721Semaste if (sender == sender_client) 398254721Semaste label = TLS_CLIENT_FINISHED_LABEL; 399254721Semaste else 400254721Semaste label = TLS_SERVER_FINISHED_LABEL; 401254721Semaste 402254721Semaste return (kssl_tls_PRF(ssl, 403254721Semaste ssl->sid.master_secret, 404254721Semaste (size_t)SSL3_MASTER_SECRET_LEN, 405254721Semaste (uchar_t *)label, strlen(label), 406254721Semaste seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN), 407254721Semaste hashes->tlshash, (size_t)TLS_FINISHED_SIZE)); 408254721Semaste } else { 409254721Semaste uchar_t s[4]; 410254721Semaste s[0] = (sender >> 24) & 0xff; 411254721Semaste s[1] = (sender >> 16) & 0xff; 412254721Semaste s[2] = (sender >> 8) & 0xff; 413254721Semaste s[3] = (sender) & 0xff; 414254721Semaste 415254721Semaste MD5Update(md5ctx, s, 4); 416254721Semaste MD5Update(md5ctx, ssl->sid.master_secret, 417254721Semaste SSL3_MASTER_SECRET_LEN); 418254721Semaste MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN); 419254721Semaste MD5Final(hashes->md5, md5ctx); 420254721Semaste 421254721Semaste MD5Init(md5ctx); 422254721Semaste MD5Update(md5ctx, ssl->sid.master_secret, 423254721Semaste SSL3_MASTER_SECRET_LEN); 424254721Semaste MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN); 425254721Semaste MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN); 426254721Semaste MD5Final(hashes->md5, md5ctx); 427254721Semaste 428254721Semaste SHA1Update(sha1ctx, s, 4); 429254721Semaste SHA1Update(sha1ctx, ssl->sid.master_secret, 430254721Semaste SSL3_MASTER_SECRET_LEN); 431254721Semaste SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN); 432254721Semaste SHA1Final(hashes->sha1, sha1ctx); 433254721Semaste 434254721Semaste SHA1Init(sha1ctx); 435254721Semaste SHA1Update(sha1ctx, ssl->sid.master_secret, 436254721Semaste SSL3_MASTER_SECRET_LEN); 437254721Semaste SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN); 438254721Semaste SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN); 439254721Semaste SHA1Final(hashes->sha1, sha1ctx); 440254721Semaste return (0); 441254721Semaste } 442254721Semaste} 443254721Semaste 444254721Semaste 445254721Semaste/* 446254721Semaste * Minimum message length for a client hello = 447254721Semaste * 2-byte client_version + 448254721Semaste * 32-byte random + 449254721Semaste * 1-byte session_id length + 450254721Semaste * 2-byte cipher_suites length + 451254721Semaste * 1-byte compression_methods length + 452254721Semaste * 1-byte CompressionMethod.null 453254721Semaste */ 454254721Semaste#define KSSL_SSL3_CH_MIN_MSGLEN (39) 455254721Semaste 456254721Semastestatic int 457254721Semastekssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen) 458254721Semaste{ 459254721Semaste uchar_t *msgend; 460254721Semaste int err; 461254721Semaste SSL3AlertDescription desc = illegal_parameter; 462254721Semaste uint_t sidlen, cslen, cmlen; 463254721Semaste uchar_t *suitesp; 464254721Semaste uint_t i, j; 465254721Semaste uint16_t suite; 466254721Semaste int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN; 467254721Semaste 468254721Semaste ASSERT(mp->b_wptr >= mp->b_rptr + msglen); 469254721Semaste ASSERT(ssl->msg.type == client_hello); 470254721Semaste ASSERT(ssl->hs_waitstate == wait_client_hello); 471254721Semaste ASSERT(ssl->resumed == B_FALSE); 472254721Semaste 473254721Semaste if (msglen < ch_msglen) { 474254721Semaste goto falert; 475254721Semaste } 476254721Semaste 477254721Semaste msgend = mp->b_rptr + msglen; 478254721Semaste 479254721Semaste /* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */ 480254721Semaste if (ssl->major_version != 3 || (ssl->major_version == 3 && 481254721Semaste ssl->minor_version != 0 && ssl->minor_version != 1)) { 482254721Semaste DTRACE_PROBE2(kssl_err__SSL_version_not_supported, 483254721Semaste uchar_t, ssl->major_version, 484254721Semaste uchar_t, ssl->minor_version); 485254721Semaste desc = handshake_failure; 486254721Semaste goto falert; 487254721Semaste } 488254721Semaste mp->b_rptr += 2; /* skip the version bytes */ 489254721Semaste 490254721Semaste bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH); 491254721Semaste mp->b_rptr += SSL3_RANDOM_LENGTH; 492254721Semaste 493254721Semaste ASSERT(ssl->sid.cached == B_FALSE); 494254721Semaste sidlen = *mp->b_rptr++; 495254721Semaste ch_msglen += sidlen; 496254721Semaste if (msglen < ch_msglen) { 497254721Semaste goto falert; 498254721Semaste } 499254721Semaste if (sidlen != SSL3_SESSIONID_BYTES) { 500254721Semaste mp->b_rptr += sidlen; 501254721Semaste } else { 502254721Semaste kssl_lookup_sid(&ssl->sid, mp->b_rptr, &ssl->faddr, 503254721Semaste ssl->kssl_entry); 504254721Semaste mp->b_rptr += SSL3_SESSIONID_BYTES; 505254721Semaste } 506254721Semaste 507254721Semaste cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 508254721Semaste mp->b_rptr += 2; 509254721Semaste ch_msglen += cslen; 510254721Semaste 511254721Semaste /* 512254721Semaste * This check can't be a "!=" since there can be 513254721Semaste * compression methods other than CompressionMethod.null. 514254721Semaste * Also, there can be extra data (TLS extensions) after the 515254721Semaste * compression methods field. We do not support any TLS 516254721Semaste * extensions and hence ignore them. 517254721Semaste */ 518254721Semaste if (msglen < ch_msglen) { 519254721Semaste goto falert; 520254721Semaste } 521254721Semaste 522254721Semaste /* The length has to be even since a cipher suite is 2-byte long */ 523254721Semaste if (cslen & 0x1) { 524254721Semaste goto falert; 525254721Semaste } 526254721Semaste suitesp = mp->b_rptr; 527254721Semaste if (ssl->sid.cached == B_TRUE) { 528254721Semaste suite = ssl->sid.cipher_suite; 529254721Semaste for (j = 0; j < cslen; j += 2) { 530254721Semaste if (suitesp[j] == ((suite >> 8) & 0xff) && 531254721Semaste suitesp[j + 1] == (suite & 0xff)) { 532254721Semaste break; 533254721Semaste } 534254721Semaste } 535254721Semaste if (j < cslen) { 536254721Semaste goto suite_found; 537254721Semaste } 538254721Semaste kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 539254721Semaste } 540254721Semaste 541254721Semaste /* Check if this server is capable of the cipher suite */ 542254721Semaste for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 543254721Semaste suite = ssl->kssl_entry->kssl_cipherSuites[i]; 544254721Semaste for (j = 0; j < cslen; j += 2) { 545254721Semaste if (suitesp[j] == ((suite >> 8) & 0xff) && 546254721Semaste suitesp[j + 1] == (suite & 0xff)) { 547254721Semaste break; 548254721Semaste } 549254721Semaste } 550254721Semaste if (j < cslen) { 551254721Semaste break; 552254721Semaste } 553254721Semaste } 554254721Semaste if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 555254721Semaste if (ssl->sslcnt == 1) { 556254721Semaste KSSL_COUNTER(no_suite_found, 1); 557254721Semaste return (SSL_MISS); 558254721Semaste } 559254721Semaste desc = handshake_failure; 560254721Semaste DTRACE_PROBE(kssl_err__no_cipher_suites_found); 561254721Semaste goto falert; 562254721Semaste } 563254721Semaste 564suite_found: 565 mp->b_rptr += cslen; 566 567 /* 568 * Check for the mandatory CompressionMethod.null. We do not 569 * support any other compression methods. 570 */ 571 cmlen = *mp->b_rptr++; 572 ch_msglen += cmlen - 1; /* -1 accounts for the null method */ 573 if (msglen < ch_msglen) { 574 goto falert; 575 } 576 577 while (cmlen >= 1) { 578 if (*mp->b_rptr++ == 0) 579 break; 580 cmlen--; 581 } 582 583 if (cmlen == 0) { 584 desc = handshake_failure; 585 DTRACE_PROBE(kssl_err__no_null_method_failure); 586 goto falert; 587 } 588 589 mp->b_rptr = msgend; 590 591 for (i = 0; i < cipher_suite_defs_nentries; i++) { 592 if (suite == cipher_suite_defs[i].suite) { 593 break; 594 } 595 } 596 597 ASSERT(i < cipher_suite_defs_nentries); 598 599 ssl->pending_cipher_suite = suite; 600 ssl->pending_malg = cipher_suite_defs[i].malg; 601 ssl->pending_calg = cipher_suite_defs[i].calg; 602 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 603 604 if (ssl->sid.cached == B_TRUE) { 605 err = kssl_send_server_hello(ssl); 606 if (err != 0) { 607 return (err); 608 } 609 if (IS_TLS(ssl)) 610 err = kssl_generate_tls_keyblock(ssl); 611 else 612 kssl_generate_keyblock(ssl); 613 614 err = kssl_send_change_cipher_specs(ssl); 615 if (err != 0) { 616 return (err); 617 } 618 619 err = kssl_send_finished(ssl, 1); 620 if (err != 0) 621 return (err); 622 623 err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes, 624 sender_client); 625 if (err != 0) 626 return (err); 627 628 ssl->hs_waitstate = wait_change_cipher; 629 ssl->resumed = B_TRUE; 630 ssl->activeinput = B_FALSE; 631 KSSL_COUNTER(resumed_sessions, 1); 632 return (0); 633 } 634 635 (void) random_get_pseudo_bytes(ssl->sid.session_id, 636 SSL3_SESSIONID_BYTES); 637 ssl->sid.client_addr = ssl->faddr; 638 ssl->sid.cipher_suite = suite; 639 640 err = kssl_send_server_hello(ssl); 641 if (err != 0) { 642 return (err); 643 } 644 err = kssl_send_certificate_and_server_hello_done(ssl); 645 if (err != 0) { 646 return (err); 647 } 648 KSSL_COUNTER(full_handshakes, 1); 649 ssl->hs_waitstate = wait_client_key; 650 ssl->activeinput = B_FALSE; 651 return (0); 652 653falert: 654 kssl_send_alert(ssl, alert_fatal, desc); 655 return (EBADMSG); 656} 657 658#define SET_HASH_INDEX(index, s, clnt_addr) { \ 659 int addr; \ 660 \ 661 IN6_V4MAPPED_TO_IPADDR(clnt_addr, addr); \ 662 index = addr ^ (((int)(s)[0] << 24) | ((int)(s)[1] << 16) | \ 663 ((int)(s)[2] << 8) | (int)(s)[SSL3_SESSIONID_BYTES - 1]); \ 664} 665 666/* 667 * Creates a cache entry. Sets the sid->cached flag 668 * and sid->time fields. So, the caller should not set them. 669 */ 670static void 671kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 672{ 673 uint_t index; 674 uchar_t *s = sid->session_id; 675 kmutex_t *lock; 676 677 ASSERT(sid->cached == B_FALSE); 678 679 /* set the values before creating the cache entry */ 680 sid->cached = B_TRUE; 681 sid->time = lbolt; 682 683 SET_HASH_INDEX(index, s, &sid->client_addr); 684 index %= kssl_entry->sid_cache_nentries; 685 686 lock = &(kssl_entry->sid_cache[index].se_lock); 687 mutex_enter(lock); 688 kssl_entry->sid_cache[index].se_used++; 689 bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid)); 690 mutex_exit(lock); 691 692 KSSL_COUNTER(sid_cached, 1); 693} 694 695/* 696 * Invalidates the cache entry, if any. Clears the sid->cached flag 697 * as a side effect. 698 */ 699void 700kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry) 701{ 702 uint_t index; 703 uchar_t *s = sid->session_id; 704 sslSessionID *csid; 705 kmutex_t *lock; 706 707 ASSERT(sid->cached == B_TRUE); 708 sid->cached = B_FALSE; 709 710 SET_HASH_INDEX(index, s, &sid->client_addr); 711 index %= kssl_entry->sid_cache_nentries; 712 713 lock = &(kssl_entry->sid_cache[index].se_lock); 714 mutex_enter(lock); 715 csid = &(kssl_entry->sid_cache[index].se_sid); 716 if (!(IN6_ARE_ADDR_EQUAL(&csid->client_addr, &sid->client_addr)) || 717 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 718 mutex_exit(lock); 719 return; 720 } 721 csid->cached = B_FALSE; 722 mutex_exit(lock); 723 724 KSSL_COUNTER(sid_uncached, 1); 725} 726 727static void 728kssl_lookup_sid(sslSessionID *sid, uchar_t *s, in6_addr_t *faddr, 729 kssl_entry_t *kssl_entry) 730{ 731 uint_t index; 732 kmutex_t *lock; 733 sslSessionID *csid; 734 735 KSSL_COUNTER(sid_cache_lookups, 1); 736 737 SET_HASH_INDEX(index, s, faddr); 738 index %= kssl_entry->sid_cache_nentries; 739 740 lock = &(kssl_entry->sid_cache[index].se_lock); 741 mutex_enter(lock); 742 csid = &(kssl_entry->sid_cache[index].se_sid); 743 if (csid->cached == B_FALSE || 744 !IN6_ARE_ADDR_EQUAL(&csid->client_addr, faddr) || 745 bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) { 746 mutex_exit(lock); 747 return; 748 } 749 750 if (TICK_TO_SEC(lbolt - csid->time) > kssl_entry->sid_cache_timeout) { 751 csid->cached = B_FALSE; 752 mutex_exit(lock); 753 return; 754 } 755 756 bcopy(csid, sid, sizeof (*sid)); 757 mutex_exit(lock); 758 ASSERT(sid->cached == B_TRUE); 759 760 KSSL_COUNTER(sid_cache_hits, 1); 761} 762 763static uchar_t * 764kssl_rsa_unwrap(uchar_t *buf, size_t *lenp) 765{ 766 size_t len = *lenp; 767 int i = 2; 768 769 if (buf[0] != 0 || buf[1] != 2) { 770 return (NULL); 771 } 772 773 while (i < len) { 774 if (buf[i++] == 0) { 775 *lenp = len - i; 776 break; 777 } 778 } 779 780 if (i == len) { 781 return (NULL); 782 } 783 784 return (buf + i); 785} 786 787 788#define KSSL_SSL3_SH_RECLEN (74) 789#define KSSL_SSL3_FIN_MSGLEN (36) 790 791#define KSSL_SSL3_MAX_CCP_FIN_MSGLEN (128) /* comfortable upper bound */ 792 793static int 794kssl_send_server_hello(ssl_t *ssl) 795{ 796 mblk_t *mp; 797 uchar_t *buf; 798 uchar_t *msgstart; 799 800 mp = allocb(ssl->tcp_mss, BPRI_HI); 801 if (mp == NULL) { 802 KSSL_COUNTER(alloc_fails, 1); 803 return (ENOMEM); 804 } 805 ssl->handshake_sendbuf = mp; 806 buf = mp->b_wptr; 807 808 /* 5 byte record header */ 809 buf[0] = content_handshake; 810 buf[1] = ssl->major_version; 811 buf[2] = ssl->minor_version; 812 buf[3] = KSSL_SSL3_SH_RECLEN >> 8; 813 buf[4] = KSSL_SSL3_SH_RECLEN & 0xff; 814 buf += SSL3_HDR_LEN; 815 816 msgstart = buf; 817 818 /* 6 byte message header */ 819 buf[0] = (uchar_t)server_hello; /* message type */ 820 buf[1] = 0; /* message len byte 0 */ 821 buf[2] = ((KSSL_SSL3_SH_RECLEN - 4) >> 8) & 822 0xff; /* message len byte 1 */ 823 buf[3] = (KSSL_SSL3_SH_RECLEN - 4) & 0xff; /* message len byte 2 */ 824 825 buf[4] = ssl->major_version; /* version byte 0 */ 826 buf[5] = ssl->minor_version; /* version byte 1 */ 827 828 buf += 6; 829 830 kssl_get_hello_random(ssl->server_random); 831 bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH); 832 buf += SSL3_RANDOM_LENGTH; 833 834 buf[0] = SSL3_SESSIONID_BYTES; 835 bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES); 836 buf += SSL3_SESSIONID_BYTES + 1; 837 838 buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff; 839 buf[1] = ssl->pending_cipher_suite & 0xff; 840 841 buf[2] = 0; /* No compression */ 842 843 mp->b_wptr = buf + 3; 844 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 845 846 kssl_update_handshake_hashes(ssl, msgstart, KSSL_SSL3_SH_RECLEN); 847 return (0); 848} 849 850static void 851kssl_get_hello_random(uchar_t *buf) 852{ 853 timestruc_t ts; 854 time_t sec; 855 856 gethrestime(&ts); 857 sec = ts.tv_sec; 858 859 buf[0] = (sec >> 24) & 0xff; 860 buf[1] = (sec >> 16) & 0xff; 861 buf[2] = (sec >> 8) & 0xff; 862 buf[3] = (sec) & 0xff; 863 864 (void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4); 865 866 /* Should this be caching? */ 867} 868 869static int 870kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key, 871 size_t hashlen, 872 uchar_t *label, size_t label_len, 873 uchar_t *seed, size_t seedlen, 874 uchar_t *data, size_t datalen) 875{ 876 int rv = 0; 877 uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN]; 878 int bytes_left = datalen; 879 crypto_data_t dd, mac; 880 crypto_context_t ctx; 881 882 dd.cd_format = CRYPTO_DATA_RAW; 883 dd.cd_offset = 0; 884 mac.cd_format = CRYPTO_DATA_RAW; 885 mac.cd_offset = 0; 886 887 /* 888 * A(i) = HMAC_hash(secret, seed + A(i-1)); 889 * A(0) = seed; 890 * 891 * Compute A(1): 892 * A(1) = HMAC_hash(secret, label + seed) 893 * 894 */ 895 HMAC_INIT(mech, key, &ctx); 896 HMAC_UPDATE(ctx, label, label_len); 897 HMAC_UPDATE(ctx, seed, seedlen); 898 HMAC_FINAL(ctx, A1, hashlen); 899 900 /* Compute A(2) ... A(n) */ 901 while (bytes_left > 0) { 902 HMAC_INIT(mech, key, &ctx); 903 HMAC_UPDATE(ctx, A1, hashlen); 904 HMAC_UPDATE(ctx, label, label_len); 905 HMAC_UPDATE(ctx, seed, seedlen); 906 HMAC_FINAL(ctx, result, hashlen); 907 908 /* 909 * The A(i) value is stored in "result". 910 * Save the results of the MAC so it can be input to next 911 * iteration. 912 */ 913 if (bytes_left > hashlen) { 914 /* Store the chunk result */ 915 bcopy(result, data, hashlen); 916 data += hashlen; 917 918 bytes_left -= hashlen; 919 920 /* Update A1 for next iteration */ 921 HMAC_INIT(mech, key, &ctx); 922 HMAC_UPDATE(ctx, A1, hashlen); 923 HMAC_FINAL(ctx, A1, hashlen); 924 925 } else { 926 bcopy(result, data, bytes_left); 927 data += bytes_left; 928 bytes_left = 0; 929 } 930 } 931end: 932 if (CRYPTO_ERR(rv)) { 933 DTRACE_PROBE1(kssl_err__crypto_mac_error, int, rv); 934 KSSL_COUNTER(compute_mac_failure, 1); 935 } 936 return (rv); 937} 938 939/* ARGSUSED */ 940static int 941kssl_tls_PRF(ssl_t *ssl, 942 uchar_t *secret, size_t secret_len, 943 uchar_t *label, size_t label_len, 944 uchar_t *seed, size_t seed_len, 945 uchar_t *prfresult, size_t prfresult_len) 946{ 947 /* 948 * RFC 2246: 949 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR 950 * P_SHA1(S2, label + seed); 951 * S1 = 1st half of secret. 952 * S1 = 2nd half of secret. 953 * 954 */ 955 956 int rv, i; 957 uchar_t psha1[MAX_KEYBLOCK_LENGTH]; 958 crypto_key_t S1, S2; 959 960 /* length of secret keys is ceil(length/2) */ 961 size_t slen = roundup(secret_len, 2) / 2; 962 963 if (prfresult_len > MAX_KEYBLOCK_LENGTH) { 964 DTRACE_PROBE1(kssl_err__unexpected_keyblock_size, 965 size_t, prfresult_len); 966 return (CRYPTO_ARGUMENTS_BAD); 967 } 968 969 ASSERT(prfresult != NULL); 970 ASSERT(label != NULL); 971 ASSERT(seed != NULL); 972 973 S1.ck_data = secret; 974 S1.ck_length = slen * 8; /* bits */ 975 S1.ck_format = CRYPTO_KEY_RAW; 976 977 S2.ck_data = secret + slen; 978 S2.ck_length = slen * 8; /* bits */ 979 S2.ck_format = CRYPTO_KEY_RAW; 980 981 rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN, 982 label, label_len, 983 seed, seed_len, 984 prfresult, prfresult_len); 985 if (CRYPTO_ERR(rv)) 986 goto end; 987 988 rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN, 989 label, label_len, 990 seed, seed_len, 991 psha1, prfresult_len); 992 if (CRYPTO_ERR(rv)) 993 goto end; 994 995 for (i = 0; i < prfresult_len; i++) 996 prfresult[i] ^= psha1[i]; 997 998end: 999 if (CRYPTO_ERR(rv)) 1000 bzero(prfresult, prfresult_len); 1001 1002 return (rv); 1003} 1004 1005#define IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl) \ 1006 (pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN || \ 1007 pms[0] != ssl->major_version || pms[1] != ssl->minor_version) 1008 1009#define FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) { \ 1010 KSSL_COUNTER(bad_pre_master_secret, 1); \ 1011 pms = buf; \ 1012 pmslen = SSL3_PRE_MASTER_SECRET_LEN; \ 1013 pms[0] = ssl->major_version; \ 1014 pms[1] = ssl->minor_version; \ 1015 (void) random_get_pseudo_bytes(&buf[2], pmslen - 2); \ 1016} 1017 1018static int 1019kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 1020{ 1021 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 1022 uchar_t seed[SSL3_RANDOM_LENGTH * 2]; 1023 1024 /* 1025 * Computing the master secret: 1026 * ---------------------------- 1027 * master_secret = PRF (pms, "master secret", 1028 * ClientHello.random + ServerHello.random); 1029 */ 1030 bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH); 1031 bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH, 1032 SSL3_RANDOM_LENGTH); 1033 1034 /* if pms is bad fake it to thwart Bleichenbacher attack */ 1035 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) { 1036 DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack); 1037 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf); 1038 } 1039 1040 return (kssl_tls_PRF(ssl, 1041 pms, pmslen, 1042 (uchar_t *)TLS_MASTER_SECRET_LABEL, 1043 (size_t)strlen(TLS_MASTER_SECRET_LABEL), 1044 seed, sizeof (seed), 1045 ssl->sid.master_secret, 1046 (size_t)sizeof (ssl->sid.master_secret))); 1047} 1048 1049 1050static void 1051kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen) 1052{ 1053 uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN]; 1054 uchar_t *ms; 1055 int hlen = MD5_HASH_LEN; 1056 1057 ms = ssl->sid.master_secret; 1058 1059 /* if pms is bad fake it to thwart Bleichenbacher attack */ 1060 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) { 1061 DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack); 1062 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf); 1063 } 1064 1065 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0); 1066 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0); 1067 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen, 1068 0); 1069} 1070 1071static int 1072kssl_generate_tls_keyblock(ssl_t *ssl) 1073{ 1074 uchar_t seed[2 * SSL3_RANDOM_LENGTH]; 1075 1076 bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH); 1077 bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH, 1078 SSL3_RANDOM_LENGTH); 1079 1080 return (kssl_tls_PRF(ssl, ssl->sid.master_secret, 1081 (size_t)SSL3_MASTER_SECRET_LEN, 1082 (uchar_t *)TLS_KEY_EXPANSION_LABEL, 1083 (size_t)strlen(TLS_KEY_EXPANSION_LABEL), 1084 seed, (size_t)sizeof (seed), 1085 ssl->pending_keyblock, 1086 (size_t)ssl->pending_keyblksz)); 1087 1088} 1089 1090static void 1091kssl_generate_keyblock(ssl_t *ssl) 1092{ 1093 uchar_t *ms; 1094 size_t mslen = SSL3_MASTER_SECRET_LEN; 1095 int hlen = MD5_HASH_LEN; 1096 uchar_t *keys = ssl->pending_keyblock; 1097 int steps = howmany(ssl->pending_keyblksz, hlen); 1098 int i; 1099 1100 ms = ssl->sid.master_secret; 1101 1102 ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH); 1103 1104 for (i = 1; i <= steps; i++) { 1105 kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1); 1106 keys += hlen; 1107 } 1108} 1109 1110static char *ssl3_key_derive_seeds[9] = {"A", "BB", "CCC", "DDDD", "EEEEE", 1111 "FFFFFF", "GGGGGGG", "HHHHHHHH", "IIIIIIIII"}; 1112 1113static void 1114kssl_ssl3_key_material_derive_step( 1115 ssl_t *ssl, 1116 uchar_t *secret, 1117 size_t secretlen, 1118 int step, 1119 uchar_t *dst, 1120 int sr_first) 1121{ 1122 SHA1_CTX sha1, *sha1ctx; 1123 MD5_CTX md5, *md5ctx; 1124 uchar_t sha1_hash[SHA1_HASH_LEN]; 1125 1126 sha1ctx = &sha1; 1127 md5ctx = &md5; 1128 1129 ASSERT(step <= 1130 sizeof (ssl3_key_derive_seeds) / 1131 sizeof (ssl3_key_derive_seeds[0])); 1132 step--; 1133 1134 SHA1Init(sha1ctx); 1135 SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step], 1136 step + 1); 1137 SHA1Update(sha1ctx, secret, secretlen); 1138 if (sr_first) { 1139 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1140 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1141 } else { 1142 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH); 1143 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH); 1144 } 1145 SHA1Final(sha1_hash, sha1ctx); 1146 1147 MD5Init(md5ctx); 1148 MD5Update(md5ctx, secret, secretlen); 1149 MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN); 1150 MD5Final(dst, md5ctx); 1151} 1152 1153static int 1154kssl_send_certificate_and_server_hello_done(ssl_t *ssl) 1155{ 1156 int cur_reclen; 1157 int mss; 1158 int len, copylen; 1159 mblk_t *mp; 1160 uchar_t *cert_buf; 1161 int cert_len; 1162 uchar_t *msgbuf; 1163 Certificate_t *cert; 1164 1165 cert = ssl->kssl_entry->ke_server_certificate; 1166 if (cert == NULL) { 1167 return (ENOENT); 1168 } 1169 cert_buf = cert->msg; 1170 cert_len = cert->len; 1171 1172 mp = ssl->handshake_sendbuf; 1173 mss = ssl->tcp_mss; 1174 ASSERT(mp != NULL); 1175 cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN; 1176 ASSERT(cur_reclen == KSSL_SSL3_SH_RECLEN); 1177 /* Assume MSS is at least 80 bytes */ 1178 ASSERT(mss > cur_reclen + SSL3_HDR_LEN); 1179 ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */ 1180 1181 copylen = mss - (cur_reclen + SSL3_HDR_LEN); 1182 len = cert_len; 1183 copylen = MIN(copylen, len); 1184 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1185 1186 /* new record always starts in a new mblk for simplicity */ 1187 msgbuf = cert_buf; 1188 for (;;) { 1189 ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim); 1190 bcopy(msgbuf, mp->b_wptr, copylen); 1191 msgbuf += copylen; 1192 mp->b_wptr += copylen; 1193 cur_reclen += copylen; 1194 len -= copylen; 1195 if (len == 0) { 1196 break; 1197 } 1198 if (cur_reclen == SSL3_MAX_RECORD_LENGTH) { 1199 cur_reclen = 0; 1200 } 1201 copylen = MIN(len, mss); 1202 copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen); 1203 mp->b_cont = allocb(copylen, BPRI_HI); 1204 if (mp->b_cont == NULL) { 1205 KSSL_COUNTER(alloc_fails, 1); 1206 freemsg(ssl->handshake_sendbuf); 1207 ssl->handshake_sendbuf = NULL; 1208 return (ENOMEM); 1209 } 1210 mp = mp->b_cont; 1211 if (cur_reclen == 0) { 1212 mp->b_wptr[0] = content_handshake; 1213 mp->b_wptr[1] = ssl->major_version; 1214 mp->b_wptr[2] = ssl->minor_version; 1215 cur_reclen = MIN(len, SSL3_MAX_RECORD_LENGTH); 1216 mp->b_wptr[3] = (cur_reclen >> 8) & 0xff; 1217 mp->b_wptr[4] = (cur_reclen) & 0xff; 1218 mp->b_wptr += SSL3_HDR_LEN; 1219 cur_reclen = 0; 1220 copylen = MIN(copylen, mss - SSL3_HDR_LEN); 1221 } 1222 } 1223 1224 /* adjust the record length field for the first record */ 1225 mp = ssl->handshake_sendbuf; 1226 cur_reclen = MIN(KSSL_SSL3_SH_RECLEN + cert_len, 1227 SSL3_MAX_RECORD_LENGTH); 1228 mp->b_rptr[3] = (cur_reclen >> 8) & 0xff; 1229 mp->b_rptr[4] = (cur_reclen) & 0xff; 1230 1231 kssl_update_handshake_hashes(ssl, cert_buf, cert_len); 1232 1233 return (0); 1234} 1235 1236static int 1237kssl_send_change_cipher_specs(ssl_t *ssl) 1238{ 1239 mblk_t *mp, *newmp; 1240 uchar_t *buf; 1241 1242 mp = ssl->handshake_sendbuf; 1243 1244 /* We're most likely to hit the fast path for resumed sessions */ 1245 if ((mp != NULL) && 1246 (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) { 1247 buf = mp->b_wptr; 1248 } else { 1249 newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI); 1250 1251 if (newmp == NULL) 1252 return (ENOMEM); /* need to do better job! */ 1253 1254 if (mp == NULL) { 1255 ssl->handshake_sendbuf = newmp; 1256 } else { 1257 linkb(ssl->handshake_sendbuf, newmp); 1258 } 1259 mp = newmp; 1260 buf = mp->b_rptr; 1261 } 1262 1263 /* 5 byte record header */ 1264 buf[0] = content_change_cipher_spec; 1265 buf[1] = ssl->major_version; 1266 buf[2] = ssl->minor_version; 1267 buf[3] = 0; 1268 buf[4] = 1; 1269 buf += SSL3_HDR_LEN; 1270 1271 buf[0] = 1; 1272 1273 mp->b_wptr = buf + 1; 1274 ASSERT(mp->b_wptr < mp->b_datap->db_lim); 1275 1276 ssl->seq_num[KSSL_WRITE] = 0; 1277 return (kssl_spec_init(ssl, KSSL_WRITE)); 1278} 1279 1280int 1281kssl_spec_init(ssl_t *ssl, int dir) 1282{ 1283 KSSL_HASHCTX *ctx; 1284 KSSLCipherSpec *spec = &ssl->spec[dir]; 1285 int ret = 0; 1286 1287 spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz; 1288 spec->mac_padsz = mac_defs[ssl->pending_malg].padsz; 1289 1290 spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit; 1291 spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate; 1292 spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal; 1293 1294 if (dir == KSSL_READ) { 1295 bcopy(ssl->pending_keyblock, ssl->mac_secret[dir], 1296 spec->mac_hashsz); 1297 } else { 1298 bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]), 1299 ssl->mac_secret[dir], spec->mac_hashsz); 1300 } 1301 1302 /* Pre-compute these here. will save cycles on each record later */ 1303 if (!IS_TLS(ssl)) { 1304 ctx = &ssl->mac_ctx[dir][0]; 1305 spec->MAC_HashInit((void *)ctx); 1306 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1307 spec->mac_hashsz); 1308 spec->MAC_HashUpdate((void *)ctx, kssl_pad_1, 1309 spec->mac_padsz); 1310 1311 ctx = &ssl->mac_ctx[dir][1]; 1312 spec->MAC_HashInit((void *)ctx); 1313 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir], 1314 spec->mac_hashsz); 1315 spec->MAC_HashUpdate((void *)ctx, kssl_pad_2, 1316 spec->mac_padsz); 1317 } 1318 1319 spec->cipher_type = cipher_defs[ssl->pending_calg].type; 1320 spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type; 1321 spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize; 1322 spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz; 1323 1324 if (spec->cipher_ctx != NULL) { 1325 crypto_cancel_ctx(spec->cipher_ctx); 1326 spec->cipher_ctx = 0; 1327 } 1328 1329 /* 1330 * Initialize HMAC keys for TLS and SSL3 HMAC keys 1331 * for SSL 3.0. 1332 */ 1333 if (IS_TLS(ssl)) { 1334 if (ssl->pending_malg == mac_md5) { 1335 spec->hmac_mech = hmac_md5_mech; 1336 } else if (ssl->pending_malg == mac_sha) { 1337 spec->hmac_mech = hmac_sha1_mech; 1338 } 1339 1340 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1341 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1342 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1343 } else { 1344 static uint32_t param; 1345 1346 spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID; 1347 spec->hmac_mech.cm_param = (caddr_t)¶m; 1348 spec->hmac_mech.cm_param_len = sizeof (param); 1349 if (ssl->pending_malg == mac_md5) { 1350 spec->hmac_mech.cm_type = 1351 crypto_mech2id("CKM_SSL3_MD5_MAC"); 1352 param = MD5_HASH_LEN; 1353 } else if (ssl->pending_malg == mac_sha) { 1354 spec->hmac_mech.cm_type = 1355 crypto_mech2id("CKM_SSL3_SHA1_MAC"); 1356 param = SHA1_HASH_LEN; 1357 } 1358 1359 spec->hmac_key.ck_format = CRYPTO_KEY_RAW; 1360 spec->hmac_key.ck_data = ssl->mac_secret[dir]; 1361 spec->hmac_key.ck_length = spec->mac_hashsz * 8; 1362 } 1363 1364 /* We're done if this is the nil cipher */ 1365 if (spec->cipher_keysz == 0) { 1366 return (0); 1367 } 1368 1369 /* Initialize the key and the active context */ 1370 spec->cipher_key.ck_format = CRYPTO_KEY_RAW; 1371 spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */ 1372 1373 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1374 /* client_write_IV */ 1375 spec->cipher_mech.cm_param = 1376 (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz + 1377 2 * spec->cipher_keysz]); 1378 spec->cipher_mech.cm_param_len = spec->cipher_bsize; 1379 } 1380 spec->cipher_data.cd_format = CRYPTO_DATA_RAW; 1381 if (dir == KSSL_READ) { 1382 spec->cipher_mech.cm_param_len = 1383 cipher_defs[ssl->pending_calg].bsize; 1384 1385 /* client_write_key */ 1386 spec->cipher_key.ck_data = 1387 &(ssl->pending_keyblock[2 * spec->mac_hashsz]); 1388 1389 ret = crypto_decrypt_init(&(spec->cipher_mech), 1390 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1391 if (CRYPTO_ERR(ret)) { 1392 DTRACE_PROBE1(kssl_err__crypto_decrypt_init_read, 1393 int, ret); 1394 } 1395 } else { 1396 if (cipher_defs[ssl->pending_calg].bsize > 0) { 1397 /* server_write_IV */ 1398 spec->cipher_mech.cm_param += spec->cipher_bsize; 1399 } 1400 1401 /* server_write_key */ 1402 spec->cipher_key.ck_data = 1403 &(ssl->pending_keyblock[2 * spec->mac_hashsz + 1404 spec->cipher_keysz]); 1405 1406 ret = crypto_encrypt_init(&(spec->cipher_mech), 1407 &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL); 1408 if (CRYPTO_ERR(ret)) 1409 DTRACE_PROBE1(kssl_err__crypto_encrypt_init_non_read, 1410 int, ret); 1411 } 1412 return (ret); 1413} 1414 1415static int 1416kssl_send_finished(ssl_t *ssl, int update_hsh) 1417{ 1418 mblk_t *mp; 1419 uchar_t *buf; 1420 uchar_t *rstart; 1421 uchar_t *versionp; 1422 SSL3Hashes ssl3hashes; 1423 size_t finish_len; 1424 int ret; 1425 1426 mp = ssl->handshake_sendbuf; 1427 ASSERT(mp != NULL); 1428 buf = mp->b_wptr; 1429 ASSERT(buf - mp->b_rptr == SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN + 1430 SSL3_HDR_LEN + 1 || buf - mp->b_rptr == SSL3_HDR_LEN + 1); 1431 1432 rstart = buf; 1433 1434 if (IS_TLS(ssl)) 1435 finish_len = TLS_FINISHED_SIZE; 1436 else 1437 finish_len = KSSL_SSL3_FIN_MSGLEN; 1438 1439 /* 5 byte record header */ 1440 buf[0] = content_handshake; 1441 buf[1] = ssl->major_version; 1442 buf[2] = ssl->minor_version; 1443 buf[3] = 0; 1444 buf[4] = 4 + finish_len; 1445 1446 versionp = &buf[1]; 1447 1448 buf += SSL3_HDR_LEN; 1449 1450 /* 4 byte message header */ 1451 buf[0] = (uchar_t)finished; /* message type */ 1452 buf[1] = 0; /* message len byte 0 */ 1453 buf[2] = 0; /* message len byte 1 */ 1454 buf[3] = finish_len; /* message len byte 2 */ 1455 buf += 4; 1456 1457 if (IS_TLS(ssl)) { 1458 bcopy(ssl->hs_hashes.md5, ssl3hashes.md5, 1459 sizeof (ssl3hashes.md5)); 1460 bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1, 1461 sizeof (ssl3hashes.sha1)); 1462 } 1463 1464 /* Compute hashes for the SENDER side */ 1465 ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server); 1466 if (ret != 0) 1467 return (ret); 1468 1469 if (IS_TLS(ssl)) { 1470 bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash)); 1471 } else { 1472 bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN); 1473 bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN); 1474 } 1475 1476 if (update_hsh) { 1477 kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4); 1478 } 1479 1480 mp->b_wptr = buf + finish_len; 1481 1482 ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp, 1483 rstart, mp); 1484 ASSERT(mp->b_wptr <= mp->b_datap->db_lim); 1485 1486 return (ret); 1487} 1488 1489int 1490kssl_mac_encrypt_record(ssl_t *ssl, 1491 SSL3ContentType ct, 1492 uchar_t *versionp, 1493 uchar_t *rstart, 1494 mblk_t *mp) 1495{ 1496 KSSLCipherSpec *spec; 1497 int mac_sz; 1498 int ret = 0; 1499 uint16_t rec_sz; 1500 int pad_sz; 1501 int i; 1502 1503 ASSERT(ssl != NULL); 1504 ASSERT(rstart >= mp->b_rptr); 1505 ASSERT(rstart < mp->b_wptr); 1506 1507 spec = &ssl->spec[KSSL_WRITE]; 1508 mac_sz = spec->mac_hashsz; 1509 1510 rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN; 1511 ASSERT(rec_sz > 0); 1512 1513 if (mac_sz != 0) { 1514 ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim); 1515 ret = kssl_compute_record_mac(ssl, KSSL_WRITE, 1516 ssl->seq_num[KSSL_WRITE], ct, versionp, 1517 rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr); 1518 if (ret == CRYPTO_SUCCESS) { 1519 ssl->seq_num[KSSL_WRITE]++; 1520 mp->b_wptr += mac_sz; 1521 rec_sz += mac_sz; 1522 } else { 1523 return (ret); 1524 } 1525 } 1526 1527 if (spec->cipher_type == type_block) { 1528 pad_sz = spec->cipher_bsize - 1529 (rec_sz & (spec->cipher_bsize - 1)); 1530 ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim); 1531 for (i = 0; i < pad_sz; i++) { 1532 mp->b_wptr[i] = pad_sz - 1; 1533 } 1534 mp->b_wptr += pad_sz; 1535 rec_sz += pad_sz; 1536 } 1537 1538 ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH); 1539 1540 U16_TO_BE16(rec_sz, rstart + 3); 1541 1542 if (spec->cipher_ctx == 0) 1543 return (ret); 1544 1545 spec->cipher_data.cd_length = rec_sz; 1546 spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN); 1547 spec->cipher_data.cd_raw.iov_len = rec_sz; 1548 /* One record at a time. Otherwise, gotta allocate the crypt_data_t */ 1549 ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data, 1550 NULL, NULL); 1551 if (CRYPTO_ERR(ret)) { 1552 DTRACE_PROBE1(kssl_err__crypto_encrypt_update, 1553 int, ret); 1554 } 1555 return (ret); 1556} 1557 1558void 1559kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc) 1560{ 1561 mblk_t *mp; 1562 uchar_t *buf; 1563 KSSLCipherSpec *spec; 1564 1565 ASSERT(ssl != NULL); 1566 1567 ssl->sendalert_level = level; 1568 ssl->sendalert_desc = desc; 1569 1570 if (level == alert_fatal) { 1571 DTRACE_PROBE2(kssl_sending_alert, 1572 SSL3AlertLevel, level, SSL3AlertDescription, desc); 1573 if (ssl->sid.cached == B_TRUE) { 1574 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry); 1575 } 1576 ssl->fatal_alert = B_TRUE; 1577 KSSL_COUNTER(fatal_alerts, 1); 1578 } else 1579 KSSL_COUNTER(warning_alerts, 1); 1580 1581 spec = &ssl->spec[KSSL_WRITE]; 1582 1583 ASSERT(ssl->alert_sendbuf == NULL); 1584 ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz + 1585 spec->cipher_bsize, BPRI_HI); 1586 if (mp == NULL) { 1587 KSSL_COUNTER(alloc_fails, 1); 1588 return; 1589 } 1590 buf = mp->b_wptr; 1591 1592 /* 5 byte record header */ 1593 buf[0] = content_alert; 1594 buf[1] = ssl->major_version; 1595 buf[2] = ssl->minor_version; 1596 buf[3] = 0; 1597 buf[4] = 2; 1598 buf += SSL3_HDR_LEN; 1599 1600 /* alert contents */ 1601 buf[0] = (uchar_t)level; 1602 buf[1] = (uchar_t)desc; 1603 1604 mp->b_wptr = buf + 2; 1605} 1606 1607/* Assumes RSA encryption */ 1608static int 1609kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen, 1610 kssl_callback_t cbfn, void *arg) 1611{ 1612 char *buf; 1613 uchar_t *pms; 1614 size_t pmslen; 1615 int allocated; 1616 int err, rverr = ENOMEM; 1617 kssl_entry_t *ep; 1618 crypto_key_t *privkey; 1619 crypto_data_t *wrapped_pms_data, *pms_data; 1620 crypto_call_req_t creq, *creqp; 1621 1622 ep = ssl->kssl_entry; 1623 privkey = ep->ke_private_key; 1624 if (privkey == NULL) { 1625 return (ENOENT); 1626 } 1627 1628 ASSERT(ssl->msg.type == client_key_exchange); 1629 ASSERT(ssl->hs_waitstate == wait_client_key); 1630 1631 /* 1632 * TLS adds an extra 2 byte length field before the data. 1633 */ 1634 if (IS_TLS(ssl)) { 1635 msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1]; 1636 mp->b_rptr += 2; 1637 } 1638 1639 /* 1640 * Allocate all we need in one shot. about 300 bytes total, for 1641 * 1024 bit RSA modulus. 1642 * The buffer layout will be: pms_data, wrapped_pms_data, the 1643 * value of the wrapped pms from the client, then room for the 1644 * resulting decrypted premaster secret. 1645 */ 1646 allocated = 2 * (sizeof (crypto_data_t) + msglen); 1647 buf = kmem_alloc(allocated, KM_NOSLEEP); 1648 if (buf == NULL) { 1649 return (ENOMEM); 1650 } 1651 1652 pms_data = (crypto_data_t *)buf; 1653 wrapped_pms_data = &(((crypto_data_t *)buf)[1]); 1654 1655 wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW; 1656 wrapped_pms_data->cd_offset = pms_data->cd_offset = 0; 1657 wrapped_pms_data->cd_length = pms_data->cd_length = msglen; 1658 wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL; 1659 wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen; 1660 wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t); 1661 pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen; 1662 1663 bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen); 1664 mp->b_rptr += msglen; 1665 1666 /* Proceed synchronously if out of interrupt and configured to do so */ 1667 if ((kssl_synchronous) && (!servicing_interrupt())) { 1668 creqp = NULL; 1669 } else { 1670 ssl->cke_callback_func = cbfn; 1671 ssl->cke_callback_arg = arg; 1672 creq.cr_flag = kssl_call_flag; 1673 creq.cr_callback_func = kssl_cke_done; 1674 creq.cr_callback_arg = ssl; 1675 1676 /* The callback routine will release this one */ 1677 KSSL_SSL_REFHOLD(ssl); 1678 1679 creqp = &creq; 1680 } 1681 1682 if (ep->ke_is_nxkey) { 1683 kssl_session_info_t *s; 1684 1685 s = ep->ke_sessinfo; 1686 err = CRYPTO_SUCCESS; 1687 if (!s->is_valid_handle) { 1688 /* Reauthenticate to the provider */ 1689 if (s->do_reauth) { 1690 err = kssl_get_obj_handle(ep); 1691 if (err == CRYPTO_SUCCESS) { 1692 s->is_valid_handle = B_TRUE; 1693 s->do_reauth = B_FALSE; 1694 } 1695 } else 1696 err = CRYPTO_FAILED; 1697 } 1698 1699 if (err == CRYPTO_SUCCESS) { 1700 ASSERT(s->is_valid_handle); 1701 err = crypto_decrypt_prov(s->prov, s->sid, 1702 &rsa_x509_mech, wrapped_pms_data, &s->key, 1703 NULL, pms_data, creqp); 1704 } 1705 1706 /* 1707 * Deal with session specific errors. We translate to 1708 * the closest errno. 1709 */ 1710 switch (err) { 1711 case CRYPTO_KEY_HANDLE_INVALID: 1712 case CRYPTO_SESSION_HANDLE_INVALID: 1713 s->is_valid_handle = B_FALSE; 1714 s->do_reauth = B_TRUE; 1715 rverr = EINVAL; 1716 break; 1717 case CRYPTO_PIN_EXPIRED: 1718 case CRYPTO_PIN_LOCKED: 1719 rverr = EACCES; 1720 break; 1721 case CRYPTO_UNKNOWN_PROVIDER: 1722 rverr = ENXIO; 1723 break; 1724 } 1725 } else { 1726 err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data, 1727 privkey, NULL, pms_data, creqp); 1728 } 1729 1730 switch (err) { 1731 case CRYPTO_SUCCESS: 1732 break; 1733 1734 case CRYPTO_QUEUED: 1735 /* 1736 * Finish the master secret then the rest of key material 1737 * derivation later. 1738 */ 1739 ssl->job.kjob = creq.cr_reqid; 1740 ssl->job.buf = buf; 1741 ssl->job.buflen = allocated; 1742 ssl->hs_waitstate = wait_client_key_done; 1743 return (0); 1744 default: 1745 DTRACE_PROBE1(kssl_err__crypto_decrypt, int, err); 1746 kmem_free(buf, allocated); 1747 return (rverr); 1748 } 1749 1750 pmslen = pms_data->cd_length; 1751 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1752 1753 /* generate master key and save it in the ssl sid structure */ 1754 if (IS_TLS(ssl)) { 1755 err = kssl_generate_tls_ms(ssl, pms, pmslen); 1756 if (!CRYPTO_ERR(err)) 1757 err = kssl_generate_tls_keyblock(ssl); 1758 } else { 1759 kssl_generate_ssl_ms(ssl, pms, pmslen); 1760 kssl_generate_keyblock(ssl); 1761 } 1762 1763 if (err == CRYPTO_SUCCESS) 1764 ssl->hs_waitstate = wait_change_cipher; 1765 1766 ssl->activeinput = B_FALSE; 1767 1768 kmem_free(buf, allocated); 1769 1770 return (0); 1771} 1772 1773static int 1774kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen) 1775{ 1776 int err; 1777 size_t finish_len; 1778 int hashcompare; 1779 1780 ASSERT(ssl->msg.type == finished); 1781 ASSERT(ssl->hs_waitstate == wait_finished); 1782 1783 if (IS_TLS(ssl)) 1784 finish_len = TLS_FINISHED_SIZE; 1785 else 1786 finish_len = KSSL_SSL3_FIN_MSGLEN; 1787 1788 if (msglen != finish_len) { 1789 kssl_send_alert(ssl, alert_fatal, illegal_parameter); 1790 return (EBADMSG); 1791 } 1792 1793 if (IS_TLS(ssl)) { 1794 hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash, 1795 finish_len); 1796 } else { 1797 hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len); 1798 } 1799 1800 /* The handshake hashes should be computed by now */ 1801 if (hashcompare != 0) { 1802 kssl_send_alert(ssl, alert_fatal, handshake_failure); 1803 return (EBADMSG); 1804 } 1805 1806 mp->b_rptr += msglen; 1807 1808 ssl->hs_waitstate = idle_handshake; 1809 1810 if (ssl->resumed == B_TRUE) { 1811 ssl->activeinput = B_FALSE; 1812 return (0); 1813 } 1814 1815 err = kssl_send_change_cipher_specs(ssl); 1816 if (err != 0) { 1817 return (err); 1818 } 1819 err = kssl_send_finished(ssl, 0); 1820 if (err != 0) { 1821 return (err); 1822 } 1823 1824 kssl_cache_sid(&ssl->sid, ssl->kssl_entry); 1825 ssl->activeinput = B_FALSE; 1826 1827 return (0); 1828} 1829 1830#define KSSL2_CH_MIN_RECSZ (9) 1831 1832/* 1833 * This method is needed to handle clients which send the 1834 * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers. 1835 * We are not really doing SSLv2 here, just handling the header 1836 * and then switching to SSLv3. 1837 */ 1838int 1839kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz) 1840{ 1841 uchar_t *recend; 1842 int err; 1843 SSL3AlertDescription desc = illegal_parameter; 1844 uint_t randlen; 1845 uint_t sidlen; 1846 uint_t cslen; 1847 uchar_t *suitesp; 1848 uchar_t *rand; 1849 uint_t i, j; 1850 uint16_t suite; 1851 int ch_recsz = KSSL2_CH_MIN_RECSZ; 1852 1853 ASSERT(mp->b_wptr >= mp->b_rptr + recsz); 1854 ASSERT(ssl->hs_waitstate == wait_client_hello); 1855 ASSERT(ssl->resumed == B_FALSE); 1856 1857 if (recsz < ch_recsz) { 1858 goto falert; 1859 } 1860 1861 MD5Init(&ssl->hs_md5); 1862 SHA1Init(&ssl->hs_sha1); 1863 1864 kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz); 1865 1866 recend = mp->b_rptr + recsz; 1867 1868 if (*mp->b_rptr != 1) { 1869 goto falert; 1870 } 1871 mp->b_rptr += 3; 1872 1873 cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1]; 1874 sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3]; 1875 randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5]; 1876 if (cslen % 3 != 0) { 1877 DTRACE_PROBE1(kssl_err__cipher_suites_len_error, uint_t, cslen); 1878 goto falert; 1879 } 1880 if (randlen < SSL_MIN_CHALLENGE_BYTES || 1881 randlen > SSL_MAX_CHALLENGE_BYTES) { 1882 DTRACE_PROBE1(kssl_err__randlen_out_of_range, 1883 uint_t, randlen); 1884 goto falert; 1885 } 1886 mp->b_rptr += 6; 1887 ch_recsz += cslen + sidlen + randlen; 1888 if (recsz != ch_recsz) { 1889 goto falert; 1890 } 1891 suitesp = mp->b_rptr; 1892 rand = suitesp + cslen + sidlen; 1893 if (randlen < SSL3_RANDOM_LENGTH) { 1894 bzero(ssl->client_random, SSL3_RANDOM_LENGTH); 1895 } 1896 bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen], 1897 randlen); 1898 1899 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) { 1900 suite = ssl->kssl_entry->kssl_cipherSuites[i]; 1901 for (j = 0; j < cslen; j += 3) { 1902 if (suitesp[j] != 0) { 1903 continue; 1904 } 1905 1906 if (suitesp[j + 1] == ((suite >> 8) & 0xff) && 1907 suitesp[j + 2] == (suite & 0xff)) { 1908 break; 1909 } 1910 } 1911 if (j < cslen) { 1912 break; 1913 } 1914 } 1915 if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) { 1916 DTRACE_PROBE(kssl_err__no_SSLv2_cipher_suite); 1917 ssl->activeinput = B_FALSE; 1918 return (SSL_MISS); 1919 } 1920 1921 mp->b_rptr = recend; 1922 1923 for (i = 0; i < cipher_suite_defs_nentries; i++) { 1924 if (suite == cipher_suite_defs[i].suite) { 1925 break; 1926 } 1927 } 1928 1929 ASSERT(i < cipher_suite_defs_nentries); 1930 1931 ssl->pending_cipher_suite = suite; 1932 ssl->pending_malg = cipher_suite_defs[i].malg; 1933 ssl->pending_calg = cipher_suite_defs[i].calg; 1934 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz; 1935 1936 ASSERT(ssl->sid.cached == B_FALSE); 1937 1938 (void) random_get_pseudo_bytes(ssl->sid.session_id, 1939 SSL3_SESSIONID_BYTES); 1940 ssl->sid.client_addr = ssl->faddr; 1941 ssl->sid.cipher_suite = suite; 1942 1943 err = kssl_send_server_hello(ssl); 1944 if (err != 0) { 1945 return (err); 1946 } 1947 err = kssl_send_certificate_and_server_hello_done(ssl); 1948 if (err != 0) { 1949 return (err); 1950 } 1951 KSSL_COUNTER(full_handshakes, 1); 1952 ssl->hs_waitstate = wait_client_key; 1953 ssl->activeinput = B_FALSE; 1954 return (0); 1955 1956falert: 1957 kssl_send_alert(ssl, alert_fatal, desc); 1958 ssl->activeinput = B_FALSE; 1959 return (EBADMSG); 1960} 1961 1962/* 1963 * Call back routine for asynchronously submitted RSA decryption jobs. 1964 * This routine retrieves the pre-master secret, and proceeds to generate 1965 * the remaining key materials. 1966 */ 1967static void 1968kssl_cke_done(void *arg, int status) 1969{ 1970 int ret = 0; 1971 uchar_t *pms; 1972 size_t pmslen; 1973 crypto_data_t *pms_data; 1974 kssl_cmd_t kssl_cmd = KSSL_CMD_NONE; 1975 ssl_t *ssl = (ssl_t *)arg; 1976 mblk_t *alertmp; 1977 kssl_callback_t cbfn; 1978 void *cbarg; 1979 1980 mutex_enter(&ssl->kssl_lock); 1981 1982 ASSERT(ssl->msg.type == client_key_exchange); 1983 ASSERT(ssl->hs_waitstate == wait_client_key_done); 1984 1985 if (status != CRYPTO_SUCCESS) { 1986 kssl_send_alert(ssl, alert_fatal, decrypt_error); 1987 kssl_cmd = KSSL_CMD_SEND; 1988 goto out; 1989 } 1990 1991 pms_data = (crypto_data_t *)(ssl->job.buf); 1992 1993 ASSERT(pms_data != NULL); 1994 1995 pmslen = pms_data->cd_length; 1996 pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen); 1997 1998 /* generate master key and save it in the ssl sid structure */ 1999 if (IS_TLS(ssl)) { 2000 ret = kssl_generate_tls_ms(ssl, pms, pmslen); 2001 if (!CRYPTO_ERR(ret)) 2002 ret = kssl_generate_tls_keyblock(ssl); 2003 } else { 2004 kssl_generate_ssl_ms(ssl, pms, pmslen); 2005 kssl_generate_keyblock(ssl); 2006 } 2007 2008 if (ret == CRYPTO_SUCCESS) 2009 ssl->hs_waitstate = wait_change_cipher; 2010 2011out: 2012 kmem_free(ssl->job.buf, ssl->job.buflen); 2013 2014 ssl->job.kjob = 0; 2015 ssl->job.buf = NULL; 2016 ssl->job.buflen = 0; 2017 2018 ssl->activeinput = B_FALSE; 2019 2020 /* If we're the only ones left, then we won't callback */ 2021 if (ssl->kssl_refcnt == 1) { 2022 mutex_exit(&ssl->kssl_lock); 2023 KSSL_SSL_REFRELE(ssl); 2024 return; 2025 } 2026 2027 cbfn = ssl->cke_callback_func; 2028 cbarg = ssl->cke_callback_arg; 2029 alertmp = ssl->alert_sendbuf; 2030 ssl->alert_sendbuf = NULL; 2031 2032 mutex_exit(&ssl->kssl_lock); 2033 2034 KSSL_SSL_REFRELE(ssl); 2035 2036 /* Now call the callback routine */ 2037 (*(cbfn))(cbarg, alertmp, kssl_cmd); 2038} 2039 2040/* 2041 * Returns the first complete contiguous record out of rec_ass_head 2042 * The record is returned in a separate contiguous mblk, rec_ass_head is 2043 * left pointing to the next record in the queue. 2044 * 2045 * The output looks as follows: 2046 * 2047 * |--------|---------- .... -----|<---------->|<----------->|--- ... ---| 2048 * ^ ^ ^ mac_size pad_size ^ 2049 * | |___ b_rptr b_wptr __| | 2050 * | | 2051 * |___ db_base db_lim ___| 2052 */ 2053mblk_t * 2054kssl_get_next_record(ssl_t *ssl) 2055{ 2056 mblk_t *mp, *retmp; 2057 int rhsz = SSL3_HDR_LEN; 2058 uint16_t rec_sz; 2059 int mpsz, total_size; 2060 SSL3ContentType content_type; 2061 2062 ASSERT(MUTEX_HELD(&ssl->kssl_lock)); 2063 2064 mp = ssl->rec_ass_head; 2065 if (mp == NULL) 2066 return (NULL); 2067 2068 /* Fast path: when mp has at least a complete record */ 2069 if (MBLKL(mp) < rhsz) { 2070 DTRACE_PROBE1(kssl_mblk__incomplete_header, 2071 mblk_t *, mp); 2072 /* Not even a complete header in there yet */ 2073 if (msgdsize(mp) < rhsz) { 2074 return (NULL); 2075 } 2076 2077 if (!pullupmsg(mp, rhsz)) { 2078 kssl_send_alert(ssl, alert_fatal, internal_error); 2079 freemsg(mp); 2080 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2081 return (NULL); 2082 } 2083 } 2084 content_type = (SSL3ContentType)mp->b_rptr[0]; 2085 if (content_type == content_handshake_v2) { 2086 DTRACE_PROBE1(kssl_mblk__ssl_v2, mblk_t *, mp); 2087 rec_sz = (uint16_t)mp->b_rptr[1]; 2088 rhsz = 2; 2089 } else { 2090 DTRACE_PROBE1(kssl_mblk__ssl_v3, mblk_t *, mp); 2091 uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3; 2092 rec_sz = BE16_TO_U16(rec_sz_p); 2093 } 2094 2095 /* 2096 * same tests as above. Only rare very fragmented cases will 2097 * incur the cost of msgdsize() and msgpullup(). Well formed 2098 * packets will fall in the most frequent fast path. 2099 */ 2100 total_size = rhsz + rec_sz; 2101 2102 /* 2103 * Missing: defensive against record fabricated with longer than 2104 * MAX record length. 2105 */ 2106 if (MBLKL(mp) < total_size) { 2107 DTRACE_PROBE2(kssl_mblk__smaller_than_total_size, 2108 mblk_t *, mp, int, total_size); 2109 /* Not a complete record yet. Keep accumulating */ 2110 if (msgdsize(mp) < total_size) { 2111 return (NULL); 2112 } 2113 2114 if (!pullupmsg(mp, total_size)) { 2115 kssl_send_alert(ssl, alert_fatal, internal_error); 2116 freemsg(mp); 2117 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2118 return (NULL); 2119 } 2120 } 2121 mpsz = MBLKL(mp); /* could've changed after the pullup */ 2122 2123 if (mpsz > total_size) { 2124 DTRACE_PROBE2(kssl_mblk__bigger_than_total_size, 2125 mblk_t *, mp, int, total_size); 2126 /* gotta allocate a new block */ 2127 if ((retmp = dupb(mp)) == NULL) { 2128 kssl_send_alert(ssl, alert_fatal, internal_error); 2129 freemsg(mp); 2130 ssl->rec_ass_head = ssl->rec_ass_tail = NULL; 2131 return (NULL); 2132 } 2133 2134 retmp->b_wptr = retmp->b_rptr + total_size; 2135 mp->b_rptr += total_size; 2136 ssl->rec_ass_head = mp; 2137 } else { 2138 DTRACE_PROBE2(kssl_mblk__equal_to_total_size, 2139 mblk_t *, mp, int, total_size); 2140 ASSERT(mpsz == total_size); 2141 ssl->rec_ass_head = mp->b_cont; 2142 mp->b_cont = NULL; 2143 retmp = mp; 2144 } 2145 /* Adjust the tail */ 2146 if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) { 2147 for (; mp->b_cont != NULL; mp = mp->b_cont) { 2148 ssl->rec_ass_tail = mp->b_cont; 2149 } 2150 } 2151 2152 return (retmp); 2153} 2154 2155 2156static void 2157kssl_mblksfree(ssl_t *ssl) 2158{ 2159 2160 ASSERT(ssl != NULL); 2161 2162 if (ssl->rec_ass_head != NULL) { 2163 freemsg(ssl->rec_ass_head); 2164 } 2165 ssl->rec_ass_head = NULL; 2166 ssl->rec_ass_tail = NULL; 2167 2168 if (ssl->msg.head != NULL) { 2169 freemsg(ssl->msg.head); 2170 } 2171 ssl->msg.head = NULL; 2172 ssl->msg.tail = NULL; 2173 2174 if (ssl->handshake_sendbuf != NULL) { 2175 freemsg(ssl->handshake_sendbuf); 2176 ssl->handshake_sendbuf = NULL; 2177 } 2178 if (ssl->alert_sendbuf != NULL) { 2179 freemsg(ssl->alert_sendbuf); 2180 ssl->alert_sendbuf = NULL; 2181 } 2182} 2183 2184static void 2185kssl_specsfree(ssl_t *ssl) 2186{ 2187 KSSLCipherSpec *spec = &ssl->spec[KSSL_READ]; 2188 2189 if (spec->cipher_ctx != NULL) { 2190 crypto_cancel_ctx(spec->cipher_ctx); 2191 spec->cipher_ctx = 0; 2192 } 2193 2194 spec = &ssl->spec[KSSL_WRITE]; 2195 2196 if (spec->cipher_ctx != NULL) { 2197 crypto_cancel_ctx(spec->cipher_ctx); 2198 spec->cipher_ctx = 0; 2199 } 2200} 2201 2202/* 2203 * Frees the ssl structure (aka the context of an SSL session). 2204 * Any pending crypto jobs are cancelled. 2205 * Any initiated crypto contexts are freed as well. 2206 */ 2207void 2208kssl_free_context(ssl_t *ssl) 2209{ 2210 ASSERT(ssl != NULL); 2211 if (!(MUTEX_HELD(&ssl->kssl_lock))) { 2212 /* we're coming from an external API entry point */ 2213 mutex_enter(&ssl->kssl_lock); 2214 } 2215 2216 if (ssl->job.kjob != NULL) { 2217 crypto_cancel_req(ssl->job.kjob); 2218 kmem_free(ssl->job.buf, ssl->job.buflen); 2219 2220 ssl->job.kjob = 0; 2221 ssl->job.buf = NULL; 2222 ssl->job.buflen = 0; 2223 } 2224 2225 kssl_mblksfree(ssl); 2226 kssl_specsfree(ssl); 2227 2228 KSSL_ENTRY_REFRELE(ssl->kssl_entry); 2229 ssl->kssl_entry = NULL; 2230 2231 mutex_exit(&ssl->kssl_lock); 2232 2233 kmem_cache_free(kssl_cache, ssl); 2234 kssl_cache_count--; 2235} 2236