search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
8322 nl: misleading-indentation
[unleashed/tickless.git] / usr / src / uts / common / inet / kssl / ksslapi.c
blob9110c959b52af3032e012b07f732359a64f27ec6
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #include <sys/types.h>
26 #include <sys/stream.h>
27 #include <sys/strsun.h>
28 #include <sys/kmem.h>
29 #include <sys/cpuvar.h>
30 #include <sys/atomic.h>
31 #include <sys/sysmacros.h>
32
33 #include <inet/common.h>
34 #include <inet/ip.h>
35
36 #include <sys/systm.h>
37 #include <sys/param.h>
38 #include <sys/tihdr.h>
39
40 #include "ksslimpl.h"
41 #include "ksslproto.h"
42 #include "ksslapi.h"
43
44 static kssl_cmd_t kssl_handle_any_record(kssl_ctx_t ctx, mblk_t *mp,
45 mblk_t **decrmp, kssl_callback_t cbfn, void *arg);
46 static boolean_t kssl_enqueue(kssl_chain_t **head, void *item);
47 static void kssl_dequeue(kssl_chain_t **head, void *item);
48 static kssl_status_t kssl_build_single_record(ssl_t *ssl, mblk_t *mp);
49
50 /*
51 * The socket bind request is intercepted and re-routed here
52 * to see is there is SSL relevant job to do, based on the kssl config
53 * in the kssl_entry_tab.
54 * Looks up the kernel SSL proxy table, to find an entry that matches the
55 * same serveraddr, and has one of the following two criteria:
56 * 1. in_port is an ssl_port. This endpoint can be used later as a fallback
57 * to complete connections that cannot be handled by the SSL kernel proxy
58 * (typically non supported ciphersuite). The cookie for the calling client
59 * is saved with the kssl_entry to be retrieved for the fallback.
60 * The function returns KSSL_HAS_PROXY.
61 *
62 * 2. in_port is a proxy port for another ssl port. The ssl port is then
63 * substituted to the in_port in the bind_req TPI structure, so that
64 * the bind falls through to the SSL port. At the end of this operation,
65 * all the packets arriving to the SSL port will be delivered to an
66 * accepted endpoint child of this bound socket.
67 * The kssl_entry_t is returned in *ksslent, for later use by the
68 * lower modules' SSL hooks that handle the Handshake messages.
69 * The function returns KSSL_IS_PROXY.
70 *
71 * The function returns KSSL_NO_PROXY otherwise.
72 */
73
74 kssl_endpt_type_t
75 kssl_check_proxy(struct sockaddr *addr, socklen_t len, void *cookie,
76 kssl_ent_t *ksslent)
77 {
78 int i;
79 kssl_endpt_type_t ret;
80 kssl_entry_t *ep;
81 sin_t *sin;
82 sin6_t *sin6;
83 in6_addr_t mapped_v4addr;
84 in6_addr_t *v6addr;
85 in_port_t in_port;
86
87 if (kssl_entry_tab_nentries == 0) {
88 return (KSSL_NO_PROXY);
89 }
90
91 ret = KSSL_NO_PROXY;
92 sin = (struct sockaddr_in *)addr;
93
94 switch (len) {
95 case sizeof (sin_t):
96 in_port = ntohs(sin->sin_port);
97 IN6_IPADDR_TO_V4MAPPED(sin->sin_addr.s_addr, &mapped_v4addr);
98 v6addr = &mapped_v4addr;
99 break;
100
101 case sizeof (sin6_t):
102 sin6 = (sin6_t *)sin;
103 in_port = ntohs(sin6->sin6_port);
104 v6addr = &sin6->sin6_addr;
105 break;
106
107 default:
108 return (ret);
109 }
110
111 mutex_enter(&kssl_tab_mutex);
112
113 for (i = 0; i < kssl_entry_tab_size; i++) {
114 if ((ep = kssl_entry_tab[i]) == NULL)
115 continue;
116
117 if (IN6_ARE_ADDR_EQUAL(&ep->ke_laddr, v6addr) ||
118 IN6_IS_ADDR_UNSPECIFIED(&ep->ke_laddr)) {
119
120 /* This is an SSL port to fallback to */
121 if (ep->ke_ssl_port == in_port) {
122
123 /*
124 * Let's see first if there's at least
125 * an endpoint for a proxy server.
126 * If there's none, then we return as we have
127 * no proxy, so that the bind() to the
128 * transport layer goes through.
129 * The calling module will ask for this
130 * cookie if it wants to fall back to it,
131 * so add this one to the list of fallback
132 * clients.
133 */
134 if (!kssl_enqueue((kssl_chain_t **)
135 &(ep->ke_fallback_head), cookie)) {
136 break;
137 }
138
139 KSSL_ENTRY_REFHOLD(ep);
140 *ksslent = (kssl_ent_t)ep;
141
142 ret = KSSL_HAS_PROXY;
143 break;
144 }
145
146 /* This is a proxy port. */
147 if (ep->ke_proxy_port == in_port) {
148 /* Add the caller's cookie to proxies list */
149
150 if (!kssl_enqueue((kssl_chain_t **)
151 &(ep->ke_proxy_head), cookie)) {
152 break;
153 }
154
155 /*
156 * Make this look like the SSL port to the
157 * transport below
158 */
159 sin->sin_port = htons(ep->ke_ssl_port);
160
161 KSSL_ENTRY_REFHOLD(ep);
162 *ksslent = (kssl_ent_t)ep;
163
164 ret = KSSL_IS_PROXY;
165 break;
166 }
167 }
168 }
169
170 mutex_exit(&kssl_tab_mutex);
171 return (ret);
172 }
173
174 /*
175 * Retrieved an endpoint "bound" to the SSL entry.
176 * Such endpoint has previously called kssl_check_proxy(), got itself
177 * linked to the kssl_entry's ke_fallback_head list.
178 * This routine returns the cookie from that SSL entry ke_fallback_head list.
179 */
180 void *
181 kssl_find_fallback(kssl_ent_t ksslent)
182 {
183 kssl_entry_t *kssl_entry = (kssl_entry_t *)ksslent;
184
185 if (kssl_entry->ke_fallback_head != NULL)
186 return (kssl_entry->ke_fallback_head->fallback_bound);
187
188 KSSL_COUNTER(proxy_fallback_failed, 1);
189
190 return (NULL);
191 }
192
193 /*
194 * Re-usable code for adding and removing an element to/from a chain that
195 * matches "item"
196 * The chain is simple-linked and NULL ended.
197 */
198
199 /*
200 * This routine returns TRUE if the item was either successfully added to
201 * the chain, or is already there. It returns FALSE otherwise.
202 */
203 static boolean_t
204 kssl_enqueue(kssl_chain_t **head, void *item)
205 {
206 kssl_chain_t *newchain, *cur;
207
208 /* Lookup the existing entries to avoid duplicates */
209 cur = *head;
210 while (cur != NULL) {
211 if (cur->item == item) {
212 return (B_TRUE);
213 }
214 cur = cur->next;
215 }
216
217 newchain = kmem_alloc(sizeof (kssl_chain_t), KM_NOSLEEP);
218 if (newchain == NULL) {
219 return (B_FALSE);
220 }
221
222 newchain->item = item;
223 newchain->next = *head;
224 *head = newchain;
225 return (B_TRUE);
226 }
227
228 static void
229 kssl_dequeue(kssl_chain_t **head, void *item)
230 {
231 kssl_chain_t *prev, *cur;
232
233 prev = cur = *head;
234 while (cur != NULL) {
235 if (cur->item == item) {
236 if (cur == *head)
237 *head = (*head)->next;
238 else
239 prev->next = cur->next;
240 kmem_free(cur, sizeof (kssl_chain_t));
241 return;
242 }
243 prev = cur;
244 cur = cur->next;
245 }
246 }
247
248 /*
249 * Holds the kssl_entry
250 */
251 void
252 kssl_hold_ent(kssl_ent_t ksslent)
253 {
254 KSSL_ENTRY_REFHOLD((kssl_entry_t *)ksslent);
255 }
256
257 /*
258 * Releases the kssl_entry
259 * If the caller passes a cookie, then it should be removed from both
260 * proxies and fallbacks chains.
261 */
262 void
263 kssl_release_ent(kssl_ent_t ksslent, void *cookie, kssl_endpt_type_t endpt_type)
264 {
265 kssl_entry_t *kssl_entry = (kssl_entry_t *)ksslent;
266
267 if (cookie != NULL) {
268 if (endpt_type == KSSL_IS_PROXY) {
269 ASSERT(kssl_entry->ke_proxy_head != NULL);
270 kssl_dequeue(
271 (kssl_chain_t **)&kssl_entry->ke_proxy_head,
272 cookie);
273 }
274 if (endpt_type == KSSL_HAS_PROXY) {
275 ASSERT(kssl_entry->ke_fallback_head != NULL);
276 kssl_dequeue(
277 (kssl_chain_t **)&kssl_entry->ke_fallback_head,
278 cookie);
279 }
280 }
281 KSSL_ENTRY_REFRELE(kssl_entry);
282 }
283
284 /*
285 * Releases the kssl_context
286 */
287 void
288 kssl_release_ctx(kssl_ctx_t ksslctx)
289 {
290 kssl_free_context((ssl_t *)ksslctx);
291 }
292
293 /*
294 * Done with asynchronous processing
295 */
296 void
297 kssl_async_done(kssl_ctx_t ksslctx)
298 {
299 ssl_t *ssl = (ssl_t *)ksslctx;
300
301 mutex_enter(&ssl->kssl_lock);
302 if (--ssl->async_ops_pending == 0)
303 cv_signal(&ssl->async_cv);
304 mutex_exit(&ssl->kssl_lock);
305 }
306
307 /*
308 * Packets are accumulated here, if there are packets already queued,
309 * or if the context is active.
310 * The context is active when an incoming record processing function
311 * is already executing on a different thread.
312 * Queued packets are handled either when an mblk arrived and completes
313 * a record, or, when the active context processor finishes the task at
314 * hand.
315 * The caller has to keep calling this routine in a loop until it returns
316 * B_FALSE in *more. The reason for this is SSL3: The protocol
317 * allows the client to send its first application_data message right
318 * after it had sent its Finished message, and not wait for the server
319 * ChangeCipherSpec and Finished. This overlap means we can't batch up
320 * a returned Handshake message to be sent on the wire
321 * with a decrypted application_data to be delivered to the application.
322 */
323 kssl_cmd_t
324 kssl_input(kssl_ctx_t ctx, mblk_t *mp, mblk_t **decrmp, boolean_t *more,
325 kssl_callback_t cbfn, void *arg)
326 {
327 mblk_t *recmp, *outmp = NULL;
328 kssl_cmd_t kssl_cmd;
329 ssl_t *ssl;
330 uint8_t *rec_sz_p;
331 int mplen;
332 SSL3ContentType content_type;
333 uint16_t rec_sz;
334
335 ASSERT(ctx != NULL);
336
337 if (mp != NULL) {
338 ASSERT(mp->b_prev == NULL && mp->b_next == NULL);
339 }
340
341 ssl = (ssl_t *)(ctx);
342
343 *decrmp = NULL;
344 *more = B_FALSE;
345
346 mutex_enter(&ssl->kssl_lock);
347
348 if (ssl->close_notify_clnt == B_TRUE) {
349 DTRACE_PROBE(kssl_err__close_notify);
350 goto sendnewalert;
351 }
352
353 /* Whomever is currently processing this connection will get to this */
354 if (ssl->activeinput) {
355 if (mp != NULL) {
356 KSSL_ENQUEUE_MP(ssl, mp);
357 }
358 mutex_exit(&ssl->kssl_lock);
359 return (KSSL_CMD_NONE);
360 }
361
362 /*
363 * Fast path for complete incoming application_data records on an empty
364 * queue.
365 * This is by far the most frequently encountered case
366 */
367
368 if ((!ssl->activeinput) && (ssl->rec_ass_head == NULL) &&
369 ((mp != NULL) && (mplen = MBLKL(mp)) > SSL3_HDR_LEN)) {
370
371 DTRACE_PROBE1(kssl_mblk__fast_path, mblk_t *, mp);
372 content_type = (SSL3ContentType)mp->b_rptr[0];
373
374 if ((content_type == content_application_data) &&
375 (ssl->hs_waitstate == idle_handshake)) {
376 rec_sz_p = SSL3_REC_SIZE(mp);
377 rec_sz = BE16_TO_U16(rec_sz_p);
378
379 if ((mp->b_cont == NULL) && (mplen == rec_sz)) {
380
381 *decrmp = mp;
382 mutex_exit(&ssl->kssl_lock);
383 return (KSSL_CMD_DELIVER_PROXY);
384 }
385 }
386 }
387
388 ssl->activeinput = B_TRUE;
389 /* Accumulate at least one record */
390 if (mp != NULL) {
391 KSSL_ENQUEUE_MP(ssl, mp);
392 mp = NULL;
393 }
394 recmp = kssl_get_next_record(ssl);
395
396 if (recmp == NULL) {
397 ssl->activeinput = B_FALSE;
398 if (ssl->alert_sendbuf != NULL) {
399 DTRACE_PROBE(kssl_err__alert_to_send);
400 goto sendalert;
401 }
402 /* Not even a complete header yet. wait for the rest */
403 mutex_exit(&ssl->kssl_lock);
404 return (KSSL_CMD_NONE);
405 }
406
407 do {
408 DTRACE_PROBE1(kssl_mblk__kssl_input_cycle, mblk_t *, recmp);
409 content_type = (SSL3ContentType)recmp->b_rptr[0];
410
411 switch (content_type) {
412 case content_application_data:
413 /*
414 * application_data records are decrypted and
415 * MAC-verified by the stream head, and in the context
416 * a read()'ing thread. This avoids unfairly charging
417 * the cost of handling this record on the whole system,
418 * and prevents doing it while in the shared IP
419 * perimeter.
420 */
421 ssl->activeinput = B_FALSE;
422 if (ssl->hs_waitstate != idle_handshake) {
423 DTRACE_PROBE(kssl_err__waitstate_not_idle);
424 goto sendnewalert;
425 }
426 outmp = recmp;
427 kssl_cmd = KSSL_CMD_DELIVER_PROXY;
428 break;
429 case content_change_cipher_spec:
430 case content_alert:
431 case content_handshake:
432 case content_handshake_v2:
433 /*
434 * If we're past the initial handshake, start letting
435 * the stream head process all records, in particular
436 * the close_notify.
437 * This is needed to avoid processing them out of
438 * sequence when previous application data packets are
439 * waiting to be decrypted/MAC'ed and delivered.
440 */
441 if (ssl->hs_waitstate == idle_handshake) {
442 ssl->activeinput = B_FALSE;
443 outmp = recmp;
444 kssl_cmd = KSSL_CMD_DELIVER_PROXY;
445 } else {
446 kssl_cmd = kssl_handle_any_record(ssl, recmp,
447 &outmp, cbfn, arg);
448 }
449 break;
450 default:
451 ssl->activeinput = B_FALSE;
452 DTRACE_PROBE(kssl_err__invalid_content_type);
453 goto sendnewalert;
454 }
455
456 /* Priority to Alert messages */
457 if (ssl->alert_sendbuf != NULL) {
458 DTRACE_PROBE(kssl_err__alert_to_send_cycle);
459 goto sendalert;
460 }
461
462 /* Then handshake messages */
463 if (ssl->handshake_sendbuf) {
464 if (*decrmp != NULL) {
465 linkb(*decrmp, ssl->handshake_sendbuf);
466 } else {
467 *decrmp = ssl->handshake_sendbuf;
468 }
469 ssl->handshake_sendbuf = NULL;
470
471 *more = ((ssl->rec_ass_head != NULL) &&
472 (!ssl->activeinput));
473 mutex_exit(&ssl->kssl_lock);
474 return (kssl_cmd);
475 }
476
477 if (ssl->hs_waitstate == idle_handshake) {
478 *more = ((ssl->rec_ass_head != NULL) &&
479 (!ssl->activeinput));
480 }
481
482 if (outmp != NULL) {
483 *decrmp = outmp;
484 /*
485 * Don't process any packet after an application_data.
486 * We could well receive the close_notify which should
487 * be handled separately.
488 */
489 mutex_exit(&ssl->kssl_lock);
490 return (kssl_cmd);
491 }
492 /*
493 * The current record isn't done yet. Don't start the next one
494 */
495 if (ssl->activeinput) {
496 mutex_exit(&ssl->kssl_lock);
497 return (kssl_cmd);
498 }
499 } while ((recmp = kssl_get_next_record(ssl)) != NULL);
500
501 mutex_exit(&ssl->kssl_lock);
502 return (kssl_cmd);
503
504 sendnewalert:
505 kssl_send_alert(ssl, alert_fatal, unexpected_message);
506 if (mp != NULL) {
507 freeb(mp);
508 }
509
510 sendalert:
511 *decrmp = ssl->alert_sendbuf;
512 ssl->alert_sendbuf = NULL;
513 mutex_exit(&ssl->kssl_lock);
514 return (KSSL_CMD_SEND);
515 }
516
517 /*
518 * Decrypt and verify the MAC of an incoming chain of application_data record.
519 * Each block has exactly one SSL record.
520 */
521 kssl_cmd_t
522 kssl_handle_mblk(kssl_ctx_t ctx, mblk_t **mpp, mblk_t **outmp)
523 {
524 uchar_t *recend, *rec_sz_p;
525 uchar_t *real_recend;
526 mblk_t *prevmp = NULL, *nextmp, *firstmp, *mp, *copybp;
527 int mac_sz;
528 uchar_t version[2];
529 uint16_t rec_sz;
530 SSL3AlertDescription desc;
531 SSL3ContentType content_type;
532 ssl_t *ssl;
533 KSSLCipherSpec *spec;
534 int error, ret;
535 kssl_cmd_t kssl_cmd = KSSL_CMD_DELIVER_PROXY;
536 boolean_t deliverit = B_FALSE;
537 crypto_data_t cipher_data;
538
539 ASSERT(ctx != NULL);
540
541 ssl = (ssl_t *)(ctx);
542
543 mp = firstmp = *mpp;
544 *outmp = NULL;
545 more:
546
547 while (mp != NULL) {
548 ASSERT(DB_TYPE(mp) == M_DATA);
549
550 if (DB_REF(mp) > 1) {
551 /*
552 * Fortunately copyb() preserves the offset,
553 * tail space and alignment so the copy is
554 * ready to be made an SSL record.
555 */
556 if ((copybp = copyb(mp)) == NULL)
557 return (NULL);
558
559 copybp->b_cont = mp->b_cont;
560 if (mp == firstmp) {
561 *mpp = copybp;
562 } else if (prevmp != NULL) {
563 prevmp->b_cont = copybp;
564 }
565 freeb(mp);
566 mp = copybp;
567 }
568
569 DTRACE_PROBE1(kssl_mblk__handle_record_cycle, mblk_t *, mp);
570 content_type = (SSL3ContentType)mp->b_rptr[0];
571
572 switch (content_type) {
573 case content_application_data:
574 break;
575 case content_change_cipher_spec:
576 case content_alert:
577 case content_handshake:
578 case content_handshake_v2:
579 nextmp = mp->b_cont;
580
581 /* Remove this message */
582 if (prevmp != NULL) {
583 prevmp->b_cont = nextmp;
584
585 /*
586 * If we had processed blocks that need to
587 * be delivered, then remember that error code
588 */
589 if (kssl_cmd == KSSL_CMD_DELIVER_PROXY)
590 deliverit = B_TRUE;
591 }
592
593 mutex_enter(&ssl->kssl_lock);
594 /* NOTE: This routine could free mp. */
595 kssl_cmd = kssl_handle_any_record(ssl, mp, outmp,
596 NULL, NULL);
597
598 if (ssl->alert_sendbuf != NULL) {
599 mp = nextmp;
600 DTRACE_PROBE(kssl_err__alert_after_handle_any);
601 goto sendalert;
602 }
603 mutex_exit(&ssl->kssl_lock);
604
605 if (deliverit) {
606 kssl_cmd = KSSL_CMD_DELIVER_PROXY;
607 }
608
609 mp = nextmp;
610 continue; /* to the while loop */
611 default:
612 desc = decode_error;
613 KSSL_COUNTER(internal_errors, 1);
614 DTRACE_PROBE(kssl_err__decode_error);
615 goto makealert;
616 }
617
618 version[0] = mp->b_rptr[1];
619 version[1] = mp->b_rptr[2];
620 rec_sz_p = SSL3_REC_SIZE(mp);
621 rec_sz = BE16_TO_U16(rec_sz_p);
622
623 mp->b_rptr += SSL3_HDR_LEN;
624 recend = mp->b_rptr + rec_sz;
625 real_recend = recend;
626
627 /*
628 * Check the assumption that each mblk contains exactly
629 * one complete SSL record. We bail out if the check fails.
630 */
631 ASSERT(recend == mp->b_wptr);
632 if (recend != mp->b_wptr) {
633 desc = decode_error;
634 KSSL_COUNTER(internal_errors, 1);
635 DTRACE_PROBE(kssl_err__not_complete_record);
636 goto makealert;
637 }
638
639 spec = &ssl->spec[KSSL_READ];
640 mac_sz = spec->mac_hashsz;
641 if (spec->cipher_ctx != 0) {
642
643 /*
644 * The record length must be a multiple of the
645 * block size for block ciphers.
646 * The cipher_bsize is always a power of 2.
647 */
648 if ((spec->cipher_type == type_block) &&
649 ((rec_sz & (spec->cipher_bsize - 1)) != 0)) {
650 DTRACE_PROBE2(kssl_err__bad_record_size,
651 uint16_t, rec_sz,
652 int, spec->cipher_bsize);
653 KSSL_COUNTER(record_decrypt_failure, 1);
654 mp->b_rptr = recend;
655 desc = decrypt_error;
656 goto makealert;
657 }
658
659 cipher_data.cd_format = CRYPTO_DATA_RAW;
660 cipher_data.cd_offset = 0;
661 cipher_data.cd_length = rec_sz;
662 cipher_data.cd_miscdata = NULL;
663 cipher_data.cd_raw.iov_base = (char *)mp->b_rptr;
664 cipher_data.cd_raw.iov_len = rec_sz;
665 error = crypto_decrypt_update(spec->cipher_ctx,
666 &cipher_data, NULL, NULL);
667 if (CRYPTO_ERR(error)) {
668 DTRACE_PROBE1(
669 kssl_err__crypto_decrypt_update_failed,
670 int, error);
671 KSSL_COUNTER(record_decrypt_failure, 1);
672 mp->b_rptr = recend;
673 desc = decrypt_error;
674 goto makealert;
675 }
676 }
677 if (spec->cipher_type == type_block) {
678 uint_t pad_sz = recend[-1];
679 pad_sz++;
680 if (pad_sz + mac_sz > rec_sz) {
681 DTRACE_PROBE(kssl_err__pad_mac_bigger);
682 mp->b_rptr = recend;
683 desc = bad_record_mac;
684 goto makealert;
685 }
686 rec_sz -= pad_sz;
687 recend -= pad_sz;
688 }
689 if (mac_sz != 0) {
690 uchar_t hash[MAX_HASH_LEN];
691 if (rec_sz < mac_sz) {
692 DTRACE_PROBE(kssl_err__pad_smaller_mac);
693 mp->b_rptr = real_recend;
694 desc = bad_record_mac;
695 goto makealert;
696 }
697 rec_sz -= mac_sz;
698 recend -= mac_sz;
699 ret = kssl_compute_record_mac(ssl, KSSL_READ,
700 ssl->seq_num[KSSL_READ], content_type,
701 version, mp->b_rptr, rec_sz, hash);
702 if (ret != CRYPTO_SUCCESS ||
703 bcmp(hash, recend, mac_sz)) {
704 DTRACE_PROBE1(kssl_mblk__MACmismatch_handlerec,
705 mblk_t *, mp);
706 mp->b_rptr = real_recend;
707 desc = bad_record_mac;
708 DTRACE_PROBE(kssl_err__msg_MAC_mismatch);
709 KSSL_COUNTER(verify_mac_failure, 1);
710 goto makealert;
711 }
712 ssl->seq_num[KSSL_READ]++;
713 }
714
715 if (ssl->hs_waitstate != idle_handshake) {
716 DTRACE_PROBE1(kssl_err__unexpected_msg,
717 SSL3WaitState, ssl->hs_waitstate);
718 mp->b_rptr = real_recend;
719 desc = unexpected_message;
720 goto makealert;
721 }
722 mp->b_wptr = recend;
723
724 DTRACE_PROBE1(kssl_mblk__dblk_cooked, mblk_t *, mp);
725 KSSL_COUNTER(appdata_record_ins, 1);
726
727 prevmp = mp;
728 mp = mp->b_cont;
729 }
730
731 return (kssl_cmd);
732
733 makealert:
734 nextmp = mp->b_cont;
735 freeb(mp);
736 mp = nextmp;
737 mutex_enter(&ssl->kssl_lock);
738 kssl_send_alert(ssl, alert_fatal, desc);
739
740 if (ssl->alert_sendbuf == NULL) {
741 /* internal memory allocation failure. just return. */
742 DTRACE_PROBE(kssl_err__alert_msg_alloc_failed);
743 mutex_exit(&ssl->kssl_lock);
744
745 if (mp) {
746 prevmp = NULL;
747 goto more;
748 }
749
750 return (KSSL_CMD_NONE);
751 }
752 kssl_cmd = KSSL_CMD_SEND;
753 sendalert:
754 if (*outmp == NULL) {
755 *outmp = ssl->alert_sendbuf;
756 } else {
757 linkb(*outmp, ssl->alert_sendbuf);
758 }
759 ssl->alert_sendbuf = NULL;
760 mutex_exit(&ssl->kssl_lock);
761
762 if (mp) {
763 prevmp = NULL;
764 goto more;
765 }
766
767 return (kssl_cmd);
768 }
769 /*
770 * This is the routine that handles incoming SSL records.
771 * When called the first time, with a NULL context, this routine expects
772 * a ClientHello SSL Handshake packet and shall allocate a context
773 * of a new SSL connection.
774 * During the rest of the handshake packets, the routine adjusts the
775 * state of the context according to the record received.
776 * After the ChangeCipherSpec message is received, the routine first
777 * decrypts/authenticated the packet using the key materials in the
778 * connection's context.
779 * The return code tells the caller what to do with the returned packet.
780 */
781 static kssl_cmd_t
782 kssl_handle_any_record(kssl_ctx_t ctx, mblk_t *mp, mblk_t **decrmp,
783 kssl_callback_t cbfn, void *arg)
784 {
785 uchar_t *recend, *rec_sz_p;
786 uchar_t version[2];
787 uchar_t *real_recend, *save_rptr, *save_wptr;
788 int rhsz = SSL3_HDR_LEN;
789 uint16_t rec_sz;
790 int sz;
791 int mac_sz;
792 SSL3AlertDescription desc;
793 SSL3AlertLevel level;
794 SSL3ContentType content_type;
795 ssl_t *ssl;
796 KSSLCipherSpec *spec;
797 int error = 0, ret;
798
799 ASSERT(ctx != NULL);
800
801 ssl = (ssl_t *)(ctx);
802
803 *decrmp = NULL;
804
805 save_rptr = mp->b_rptr;
806 save_wptr = mp->b_wptr;
807
808 ASSERT(MUTEX_HELD(&ssl->kssl_lock));
809
810 content_type = (SSL3ContentType)mp->b_rptr[0];
811 if (content_type == content_handshake_v2) {
812 if (ssl->hs_waitstate == wait_client_hello) {
813 /* V2 compatible ClientHello */
814 if (mp->b_rptr[3] == 0x03 &&
815 (mp->b_rptr[4] == 0x01 ||
816 mp->b_rptr[4] == 0x00)) {
817 ssl->major_version = version[0] = mp->b_rptr[3];
818 ssl->minor_version = version[1] = mp->b_rptr[4];
819 } else {
820 /* We don't support "pure" SSLv2 */
821 DTRACE_PROBE(kssl_err__no_SSLv2);
822 ssl->major_version = mp->b_rptr[3];
823 ssl->minor_version = mp->b_rptr[4];
824 desc = protocol_version;
825 goto sendalert;
826 }
827 }
828 rec_sz = (uint16_t)mp->b_rptr[1];
829 rhsz = 2;
830 } else {
831 ssl->major_version = version[0] = mp->b_rptr[1];
832 ssl->minor_version = version[1] = mp->b_rptr[2];
833 rec_sz_p = SSL3_REC_SIZE(mp);
834 rec_sz = BE16_TO_U16(rec_sz_p);
835 }
836
837 mp->b_rptr += rhsz;
838 recend = mp->b_rptr + rec_sz;
839 real_recend = recend;
840
841 /*
842 * Check the assumption that each mblk contains exactly
843 * one complete SSL record. We bail out if the check fails.
844 */
845 ASSERT(recend == mp->b_wptr);
846 if (recend != mp->b_wptr) {
847 DTRACE_PROBE3(kssl_mblk__handle_any_record_recszerr,
848 mblk_t *, mp, int, rhsz, int, rec_sz);
849 DTRACE_PROBE(kssl_err__record_size);
850 desc = decode_error;
851 KSSL_COUNTER(internal_errors, 1);
852 goto sendalert;
853 }
854
855 spec = &ssl->spec[KSSL_READ];
856 mac_sz = spec->mac_hashsz;
857 if (spec->cipher_ctx != 0) {
858 /*
859 * The record length must be a multiple of the
860 * block size for block ciphers.
861 */
862 if ((spec->cipher_type == type_block) &&
863 ((rec_sz & (spec->cipher_bsize - 1)) != 0)) {
864 DTRACE_PROBE2(kssl_err__bad_record_size,
865 uint16_t, rec_sz, int, spec->cipher_bsize);
866 KSSL_COUNTER(record_decrypt_failure, 1);
867 mp->b_rptr = recend;
868 desc = decrypt_error;
869 goto sendalert;
870 }
871
872 spec->cipher_data.cd_length = rec_sz;
873 spec->cipher_data.cd_raw.iov_base = (char *)mp->b_rptr;
874 spec->cipher_data.cd_raw.iov_len = rec_sz;
875 error = crypto_decrypt_update(spec->cipher_ctx,
876 &spec->cipher_data, NULL, NULL);
877 if (CRYPTO_ERR(error)) {
878 DTRACE_PROBE1(kssl_err__crypto_decrypt_update_failed,
879 int, error);
880 KSSL_COUNTER(record_decrypt_failure, 1);
881 mp->b_rptr = recend;
882 desc = decrypt_error;
883 goto sendalert;
884 }
885 }
886 if (spec->cipher_type == type_block) {
887 uint_t pad_sz = recend[-1];
888 pad_sz++;
889 if (pad_sz + mac_sz > rec_sz) {
890 DTRACE_PROBE2(kssl_err__pad_mac_mismatch,
891 int, pad_sz, int, mac_sz);
892 mp->b_rptr = recend;
893 desc = bad_record_mac;
894 goto sendalert;
895 }
896 rec_sz -= pad_sz;
897 recend -= pad_sz;
898 }
899 if (mac_sz != 0) {
900 uchar_t hash[MAX_HASH_LEN];
901 if (rec_sz < mac_sz) {
902 DTRACE_PROBE1(kssl_err__mac_size_too_big,
903 int, mac_sz);
904 mp->b_rptr = real_recend;
905 desc = bad_record_mac;
906 goto sendalert;
907 }
908 rec_sz -= mac_sz;
909 recend -= mac_sz;
910 ret = kssl_compute_record_mac(ssl, KSSL_READ,
911 ssl->seq_num[KSSL_READ], content_type,
912 version, mp->b_rptr, rec_sz, hash);
913 if (ret != CRYPTO_SUCCESS ||
914 bcmp(hash, recend, mac_sz)) {
915 DTRACE_PROBE1(kssl_mblk__MACmismatch_anyrecord,
916 mblk_t *, mp);
917 mp->b_rptr = real_recend;
918 desc = bad_record_mac;
919 DTRACE_PROBE(kssl_err__msg_MAC_mismatch);
920 KSSL_COUNTER(verify_mac_failure, 1);
921 goto sendalert;
922 }
923 ssl->seq_num[KSSL_READ]++;
924 DTRACE_PROBE1(kssl_mblk__after_compute_MAC,
925 mblk_t *, mp);
926 }
927
928 switch (content_type) {
929 case content_handshake:
930 do {
931 DTRACE_PROBE1(kssl_mblk__content_handshake_cycle,
932 mblk_t *, mp);
933 if (error != 0 ||
934 /* ignore client renegotiation for now */
935 ssl->hs_waitstate == idle_handshake) {
936 mp->b_rptr = recend;
937 DTRACE_PROBE(kssl_renegotiation_request);
938 }
939 if (mp->b_rptr == recend) {
940 mp->b_rptr = real_recend;
941 if (error != 0) {
942 goto error;
943 }
944 freeb(mp);
945
946 if (ssl->hs_waitstate == wait_client_key_done)
947 return (KSSL_CMD_QUEUED);
948
949 return ((ssl->handshake_sendbuf != NULL) ?
950 KSSL_CMD_SEND : KSSL_CMD_NONE);
951 }
952 if (ssl->msg.state < MSG_BODY) {
953 if (ssl->msg.state == MSG_INIT) {
954 ssl->msg.type =
955 (SSL3HandshakeType)*mp->b_rptr++;
956 ssl->msg.state = MSG_INIT_LEN;
957 }
958 if (ssl->msg.state == MSG_INIT_LEN) {
959 int msglenb =
960 ssl->msg.msglen_bytes;
961 int msglen = ssl->msg.msglen;
962 while (mp->b_rptr < recend &&
963 msglenb < 3) {
964 msglen = (msglen << 8) +
965 (uint_t)(*mp->b_rptr++);
966 msglenb++;
967 }
968 ssl->msg.msglen_bytes = msglenb;
969 ssl->msg.msglen = msglen;
970 if (msglenb == 3) {
971 ssl->msg.state = MSG_BODY;
972 }
973 }
974 if (mp->b_rptr == recend) {
975 mp->b_rptr = real_recend;
976 freeb(mp);
977 return (KSSL_CMD_NONE);
978 }
979 }
980 ASSERT(ssl->msg.state == MSG_BODY);
981
982 sz = recend - mp->b_rptr;
983
984 if (ssl->msg.head == NULL &&
985 ssl->msg.msglen <= sz) {
986 continue;
987 }
988 if (ssl->msg.head != NULL) {
989 sz += msgdsize(ssl->msg.head);
990 if (ssl->msg.msglen <= sz) {
991 ssl->msg.tail->b_cont = mp;
992 mp = ssl->msg.head;
993 ssl->sslcnt = 100;
994 ssl->msg.head = NULL;
995 ssl->msg.tail = NULL;
996 if (pullupmsg(mp, -1)) {
997 recend = mp->b_rptr + sz;
998 ASSERT(recend <= mp->b_wptr);
999 continue;
1000 }
1001 mp->b_rptr = real_recend;
1002 error = ENOMEM;
1003 KSSL_COUNTER(alloc_fails, 1);
1004 goto error;
1005 }
1006 }
1007
1008 mp->b_wptr = recend;
1009
1010 if (ssl->msg.head == NULL) {
1011 ssl->msg.head = mp;
1012 ssl->msg.tail = mp;
1013 return (KSSL_CMD_NONE);
1014 } else {
1015 ssl->msg.tail->b_cont = mp;
1016 ssl->msg.tail = mp;
1017 return (KSSL_CMD_NONE);
1018 }
1019 } while (kssl_handle_handshake_message(ssl, mp, &error, cbfn,
1020 arg));
1021 if (error == SSL_MISS) {
1022 mp->b_rptr = save_rptr;
1023 mp->b_wptr = save_wptr;
1024 KSSL_COUNTER(fallback_connections, 1);
1025 return (KSSL_CMD_NOT_SUPPORTED);
1026 }
1027 if (ssl->hs_waitstate == wait_client_key_done) {
1028 return (KSSL_CMD_QUEUED);
1029 } else {
1030 return (KSSL_CMD_NONE);
1031 }
1032 case content_alert:
1033 DTRACE_PROBE1(kssl_mblk__content_alert, mblk_t *, mp);
1034 if (rec_sz != 2) {
1035 DTRACE_PROBE(kssl_err__illegal_param);
1036 mp->b_rptr = real_recend;
1037 desc = illegal_parameter;
1038 goto sendalert;
1039 } else {
1040 level = *mp->b_rptr++;
1041 desc = *mp->b_rptr++;
1042 mp->b_rptr = real_recend;
1043 if (level != alert_warning || desc != close_notify) {
1044 if (ssl->sid.cached == B_TRUE) {
1045 kssl_uncache_sid(&ssl->sid,
1046 ssl->kssl_entry);
1047 }
1048 DTRACE_PROBE2(kssl_err__bad_content_alert,
1049 SSL3AlertLevel, level,
1050 SSL3AlertDescription, desc);
1051 ssl->fatal_alert = B_TRUE;
1052 error = EBADMSG;
1053 goto error;
1054 } else {
1055 ssl->close_notify_clnt = B_TRUE;
1056 ssl->activeinput = B_FALSE;
1057 freeb(mp);
1058 return (KSSL_CMD_NONE);
1059 }
1060 }
1061 case content_change_cipher_spec:
1062 DTRACE_PROBE1(kssl_mblk__change_cipher_spec,
1063 mblk_t *, mp);
1064 if (ssl->hs_waitstate != wait_change_cipher) {
1065 desc = unexpected_message;
1066 } else if (rec_sz != 1 || *mp->b_rptr != 1) {
1067 desc = illegal_parameter;
1068 } else {
1069 mp->b_rptr = real_recend;
1070 ssl->hs_waitstate = wait_finished;
1071 ssl->seq_num[KSSL_READ] = 0;
1072 if ((error = kssl_spec_init(ssl, KSSL_READ)) != 0) {
1073 DTRACE_PROBE1(kssl_err__kssl_spec_init_error,
1074 int, error);
1075 goto error;
1076 }
1077 ssl->activeinput = B_FALSE;
1078 freeb(mp);
1079 return (KSSL_CMD_NONE);
1080 }
1081 mp->b_rptr = real_recend;
1082 DTRACE_PROBE(kssl_err__change_cipher_spec);
1083 goto sendalert;
1084
1085 case content_application_data:
1086 DTRACE_PROBE1(kssl_mblk__content_app_data,
1087 mblk_t *, mp);
1088 if (ssl->hs_waitstate != idle_handshake) {
1089 DTRACE_PROBE(kssl_err__content_app_data);
1090 mp->b_rptr = real_recend;
1091 desc = unexpected_message;
1092 goto sendalert;
1093 }
1094 mp->b_wptr = recend;
1095 *decrmp = mp;
1096 ssl->activeinput = B_FALSE;
1097 return (KSSL_CMD_DELIVER_PROXY);
1098
1099 case content_handshake_v2:
1100 DTRACE_PROBE1(kssl_mblk__content_handshake_v2,
1101 mblk_t *, mp);
1102 error = kssl_handle_v2client_hello(ssl, mp, rec_sz);
1103 if (error == SSL_MISS) {
1104 mp->b_rptr = save_rptr;
1105 mp->b_wptr = save_wptr;
1106 KSSL_COUNTER(fallback_connections, 1);
1107 return (KSSL_CMD_NOT_SUPPORTED);
1108 } else if (error != 0) {
1109 DTRACE_PROBE(kssl_err__v2client_hello_failed);
1110 goto error;
1111 }
1112 freeb(mp);
1113 return (KSSL_CMD_SEND);
1114 default:
1115 DTRACE_PROBE1(kssl_mblk__unexpected_msg,
1116 mblk_t *, mp);
1117 mp->b_rptr = real_recend;
1118 desc = unexpected_message;
1119 break;
1120 }
1121
1122 sendalert:
1123 kssl_send_alert(ssl, alert_fatal, desc);
1124 *decrmp = ssl->alert_sendbuf;
1125 ssl->alert_sendbuf = NULL;
1126 freeb(mp);
1127 return ((*decrmp != NULL) ? KSSL_CMD_SEND : KSSL_CMD_NONE);
1128 error:
1129 freeb(mp);
1130 return (KSSL_CMD_NONE);
1131 }
1132
1133 /*
1134 * Initialize the context of an SSL connection, coming to the specified
1135 * address. The ssl structure is returned held.
1136 */
1137 kssl_status_t
1138 kssl_init_context(kssl_ent_t kssl_ent, struct sockaddr *addr, int mss,
1139 kssl_ctx_t *kssl_ctxp)
1140 {
1141 ssl_t *ssl = kmem_cache_alloc(kssl_cache, KM_NOSLEEP);
1142 struct sockaddr_in *sin = (struct sockaddr_in *)addr;
1143
1144 if (ssl == NULL) {
1145 return (KSSL_STS_ERR);
1146 }
1147
1148 bzero(ssl, sizeof (ssl_t));
1149
1150 ssl->kssl_entry = (kssl_entry_t *)kssl_ent;
1151 KSSL_ENTRY_REFHOLD(ssl->kssl_entry);
1152
1153 if (sin->sin_family == AF_INET) {
1154 IN6_IPADDR_TO_V4MAPPED(sin->sin_addr.s_addr, &ssl->faddr);
1155 } else {
1156 /* struct assignment */
1157 ssl->faddr = ((struct sockaddr_in6 *)addr)->sin6_addr;
1158 }
1159 ssl->tcp_mss = mss;
1160 ssl->sendalert_level = alert_warning;
1161 ssl->sendalert_desc = close_notify;
1162 ssl->sid.cached = B_FALSE;
1163
1164 *kssl_ctxp = (kssl_ctx_t)ssl;
1165 return (KSSL_STS_OK);
1166 }
1167
1168 void
1169 kssl_set_mss(kssl_ctx_t ctx, uint32_t mss)
1170 {
1171 ssl_t *ssl = (ssl_t *)ctx;
1172 ssl->tcp_mss = mss;
1173 }
1174
1175 /*
1176 * Builds SSL records out of the chain of mblks, and returns it.
1177 * Takes a copy of the message before encrypting it if it has another
1178 * reference.
1179 * In case of failure, NULL is returned, and the message will be
1180 * freed by the caller.
1181 * A NULL mp means a close_notify is requested.
1182 */
1183 mblk_t *
1184 kssl_build_record(kssl_ctx_t ctx, mblk_t *mp)
1185 {
1186 ssl_t *ssl = (ssl_t *)ctx;
1187 mblk_t *retmp = mp, *bp = mp, *prevbp = mp, *copybp;
1188
1189 ASSERT(ssl != NULL);
1190
1191 /*
1192 * Produce new close_notify message. This is necessary to perform
1193 * proper cleanup w.r.t. SSL protocol spec by sending close_notify SSL
1194 * alert record if running with KSSL proxy.
1195 * This should be done prior to sending the FIN so the client side can
1196 * attempt to do graceful cleanup. Ideally, we should wait for client's
1197 * close_notify but not all clients send it which would hang the
1198 * connection. This way of closing the SSL session (Incomplete Close)
1199 * prevents truncation attacks for protocols without end-of-data
1200 * markers (as opposed to the Premature Close).
1201 * Checking the close_notify_srvr flag will prevent from sending the
1202 * close_notify message twice in case of duplicate shutdown() calls.
1203 */
1204 if (mp == NULL && !ssl->close_notify_srvr) {
1205 kssl_send_alert(ssl, alert_warning, close_notify);
1206 if (ssl->alert_sendbuf == NULL)
1207 return (NULL);
1208 mp = bp = retmp = prevbp = ssl->alert_sendbuf;
1209 ssl->alert_sendbuf = NULL;
1210 ssl->close_notify_srvr = B_TRUE;
1211 }
1212
1213 ASSERT(mp != NULL);
1214 ASSERT(bp != NULL);
1215
1216 do {
1217 if (DB_REF(bp) > 1) {
1218 /*
1219 * Fortunately copyb() preserves the offset,
1220 * tail space and alignment so the copy is
1221 * ready to be made an SSL record.
1222 */
1223 if ((copybp = copyb(bp)) == NULL)
1224 return (NULL);
1225
1226 copybp->b_cont = bp->b_cont;
1227 if (bp == mp) {
1228 retmp = copybp;
1229 } else {
1230 prevbp->b_cont = copybp;
1231 }
1232 freeb(bp);
1233 bp = copybp;
1234 }
1235
1236 if (kssl_build_single_record(ssl, bp) != KSSL_STS_OK)
1237 return (NULL);
1238
1239 prevbp = bp;
1240 bp = bp->b_cont;
1241 } while (bp != NULL);
1242
1243 return (retmp);
1244 }
1245
1246 /*
1247 * Builds a single SSL record by prepending SSL header (optional) and performing
1248 * encryption and MAC. The encryption of the record is done in-line.
1249 * Expects an mblk with associated dblk's base to have space for the SSL header
1250 * or an mblk which already has the header present. In both cases it presumes
1251 * that the mblk's dblk limit has space for the MAC + padding.
1252 * If the close_notify_srvr flag is set it is presumed that the mblk already
1253 * contains SSL header in which case only the record length field will be
1254 * adjusted with the MAC/padding size.
1255 */
1256 static kssl_status_t
1257 kssl_build_single_record(ssl_t *ssl, mblk_t *mp)
1258 {
1259 int len;
1260 int reclen;
1261 uchar_t *recstart, *versionp;
1262 KSSLCipherSpec *spec;
1263 int mac_sz;
1264 int pad_sz;
1265
1266 spec = &ssl->spec[KSSL_WRITE];
1267 mac_sz = spec->mac_hashsz;
1268
1269 ASSERT(DB_REF(mp) == 1);
1270 /* The dblk must always have space for the padding and MAC suffix. */
1271 ASSERT(mp->b_datap->db_lim - mp->b_wptr >= mac_sz + spec->cipher_bsize);
1272
1273 /* kssl_send_alert() constructs the SSL header by itself. */
1274 if (!ssl->close_notify_srvr)
1275 len = MBLKL(mp) - SSL3_HDR_LEN;
1276 else
1277 len = MBLKL(mp);
1278
1279 ASSERT(len > 0);
1280
1281 mutex_enter(&ssl->kssl_lock);
1282
1283 recstart = mp->b_rptr;
1284 if (!ssl->close_notify_srvr) {
1285 /* The dblk must have space for the SSL header prefix. */
1286 ASSERT(mp->b_rptr - mp->b_datap->db_base >= SSL3_HDR_LEN);
1287 recstart = mp->b_rptr = mp->b_rptr - SSL3_HDR_LEN;
1288 recstart[0] = content_application_data;
1289 recstart[1] = ssl->major_version;
1290 recstart[2] = ssl->minor_version;
1291 }
1292 versionp = &recstart[1];
1293
1294 reclen = len + mac_sz;
1295 if (spec->cipher_type == type_block) {
1296 pad_sz = spec->cipher_bsize -
1297 (reclen & (spec->cipher_bsize - 1));
1298 ASSERT(reclen + pad_sz <=
1299 SSL3_MAX_RECORD_LENGTH);
1300 reclen += pad_sz;
1301 }
1302 recstart[3] = (reclen >> 8) & 0xff;
1303 recstart[4] = reclen & 0xff;
1304
1305 if (kssl_mac_encrypt_record(ssl, recstart[0], versionp,
1306 recstart, mp) != 0) {
1307 /* Do we need an internal_error Alert here? */
1308 mutex_exit(&ssl->kssl_lock);
1309 return (KSSL_STS_ERR);
1310 }
1311
1312 /* Alert messages are accounted in kssl_send_alert(). */
1313 if (recstart[0] == content_application_data)
1314 KSSL_COUNTER(appdata_record_outs, 1);
1315 mutex_exit(&ssl->kssl_lock);
1316 return (KSSL_STS_OK);
1317 }
unleashed repo fork