Lines Matching defs:ssl
163 ssl_t *ssl,
179 spec = &ssl->spec[direction];
196 if (IS_TLS(ssl)) {
203 if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID &&
246 !IS_TLS(ssl));
257 bcopy(&(ssl->mac_ctx[direction][0]), ctx,
263 bcopy(&(ssl->mac_ctx[direction][1]), ctx,
277 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err,
283 ASSERT(ssl->msg.state == MSG_BODY);
284 ASSERT(ssl->msg.msglen_bytes == 3);
285 ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen);
287 ssl->sslcnt++;
288 msglen = ssl->msg.msglen;
290 if (ssl->msg.type == client_hello) {
291 MD5Init(&ssl->hs_md5);
292 SHA1Init(&ssl->hs_sha1);
295 if (ssl->msg.type == finished && ssl->resumed == B_FALSE) {
296 if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
303 if (ssl->msg.type != finished || ssl->resumed == B_FALSE) {
304 msghdr[0] = (uchar_t)ssl->msg.type;
309 kssl_update_handshake_hashes(ssl, msghdr, 4);
310 kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen);
313 ssl->msg.state = MSG_INIT;
314 ssl->msg.msglen = 0;
315 ssl->msg.msglen_bytes = 0;
317 switch (ssl->msg.type) {
319 if (ssl->hs_waitstate != wait_client_hello) {
320 kssl_send_alert(ssl, alert_fatal,
323 ssl->activeinput = B_FALSE;
326 *err = kssl_handle_client_hello(ssl, mp, msglen);
328 ssl->activeinput = B_FALSE;
333 if (ssl->hs_waitstate != wait_client_key) {
334 kssl_send_alert(ssl, alert_fatal,
337 ssl->activeinput = B_FALSE;
340 *err = kssl_handle_client_key_exchange(ssl, mp,
344 if (ssl->hs_waitstate != wait_finished) {
345 kssl_send_alert(ssl, alert_fatal,
348 ssl->activeinput = B_FALSE;
351 *err = kssl_handle_finished(ssl, mp, msglen);
354 kssl_send_alert(ssl, alert_fatal, unexpected_message);
355 ssl->activeinput = B_FALSE;
362 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len)
364 MD5Update(&ssl->hs_md5, buf, len);
365 SHA1Update(&ssl->hs_sha1, buf, len);
370 ssl_t *ssl,
374 MD5_CTX md5 = ssl->hs_md5; /* clone md5 context */
375 SHA1_CTX sha1 = ssl->hs_sha1; /* clone sha1 context */
379 if (IS_TLS(ssl)) {
398 return (kssl_tls_PRF(ssl,
399 ssl->sid.master_secret,
412 MD5Update(md5ctx, ssl->sid.master_secret,
418 MD5Update(md5ctx, ssl->sid.master_secret,
425 SHA1Update(sha1ctx, ssl->sid.master_secret,
431 SHA1Update(sha1ctx, ssl->sid.master_secret,
458 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen)
471 ASSERT(ssl->msg.type == client_hello);
472 ASSERT(ssl->hs_waitstate == wait_client_hello);
473 ASSERT(ssl->resumed == B_FALSE);
484 if (ssl->major_version != 3 || (ssl->major_version == 3 &&
485 ssl->minor_version != 0 && ssl->minor_version != 1)) {
487 uchar_t, ssl->major_version,
488 uchar_t, ssl->minor_version);
495 bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH);
499 ASSERT(ssl->sid.cached == B_FALSE);
510 kssl_lookup_sid(&ssl->sid, mp->b_rptr, &ssl->faddr,
511 ssl->kssl_entry);
541 if (ssl->sid.cached == B_TRUE) {
542 suite = ssl->sid.cipher_suite;
561 ssl->secure_renegotiation = B_TRUE;
568 if (suite_found && ssl->secure_renegotiation)
573 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
577 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
578 suite = ssl->kssl_entry->kssl_cipherSuites[i];
596 ssl->secure_renegotiation = B_TRUE;
606 (ssl->secure_renegotiation || (i > 0)))
613 if (ssl->sslcnt == 1) {
621 if (ssl->kssl_entry->ke_fallback_head == NULL) {
677 ssl->pending_cipher_suite = selected_suite;
678 ssl->pending_malg = cipher_suite_defs[i].malg;
679 ssl->pending_calg = cipher_suite_defs[i].calg;
680 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
760 ssl->secure_renegotiation = B_TRUE;
775 if (ssl->sid.cached == B_TRUE) {
776 err = kssl_send_server_hello(ssl);
780 if (IS_TLS(ssl))
781 err = kssl_generate_tls_keyblock(ssl);
783 kssl_generate_keyblock(ssl);
785 err = kssl_send_change_cipher_specs(ssl);
790 err = kssl_send_finished(ssl, 1);
794 err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
799 ssl->hs_waitstate = wait_change_cipher;
800 ssl->resumed = B_TRUE;
801 ssl->activeinput = B_FALSE;
806 (void) random_get_pseudo_bytes(ssl->sid.session_id,
808 ssl->sid.client_addr = ssl->faddr;
809 ssl->sid.cipher_suite = selected_suite;
811 err = kssl_send_server_hello(ssl);
815 err = kssl_send_certificate_and_server_hello_done(ssl);
820 ssl->hs_waitstate = wait_client_key;
821 ssl->activeinput = B_FALSE;
825 kssl_send_alert(ssl, alert_fatal, desc);
970 kssl_send_server_hello(ssl_t *ssl)
977 mp = allocb(ssl->tcp_mss, BPRI_HI);
982 ssl->handshake_sendbuf = mp;
985 if (ssl->secure_renegotiation)
990 buf[1] = ssl->major_version;
991 buf[2] = ssl->minor_version;
1005 buf[4] = ssl->major_version; /* version byte 0 */
1006 buf[5] = ssl->minor_version; /* version byte 1 */
1010 kssl_get_hello_random(ssl->server_random);
1011 bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH);
1015 bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES);
1018 buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff;
1019 buf[1] = ssl->pending_cipher_suite & 0xff;
1029 if (ssl->secure_renegotiation) {
1045 kssl_update_handshake_hashes(ssl, msgstart, reclen);
1140 kssl_tls_PRF(ssl_t *ssl,
1204 #define IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl) \
1206 pms[0] != ssl->major_version || pms[1] != ssl->minor_version)
1208 #define FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) { \
1212 pms[0] = ssl->major_version; \
1213 pms[1] = ssl->minor_version; \
1218 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1229 bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH);
1230 bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH,
1234 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1236 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1239 return (kssl_tls_PRF(ssl,
1244 ssl->sid.master_secret,
1245 (size_t)sizeof (ssl->sid.master_secret)));
1250 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1256 ms = ssl->sid.master_secret;
1259 if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1261 FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1264 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0);
1265 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0);
1266 kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen,
1271 kssl_generate_tls_keyblock(ssl_t *ssl)
1275 bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH);
1276 bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH,
1279 return (kssl_tls_PRF(ssl, ssl->sid.master_secret,
1284 ssl->pending_keyblock,
1285 (size_t)ssl->pending_keyblksz));
1290 kssl_generate_keyblock(ssl_t *ssl)
1295 uchar_t *keys = ssl->pending_keyblock;
1296 int steps = howmany(ssl->pending_keyblksz, hlen);
1299 ms = ssl->sid.master_secret;
1304 kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1);
1314 ssl_t *ssl,
1338 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1339 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1341 SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1342 SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1353 kssl_send_certificate_and_server_hello_done(ssl_t *ssl)
1365 cert = ssl->kssl_entry->ke_server_certificate;
1372 if (ssl->secure_renegotiation)
1375 mp = ssl->handshake_sendbuf;
1376 mss = ssl->tcp_mss;
1409 freemsg(ssl->handshake_sendbuf);
1410 ssl->handshake_sendbuf = NULL;
1416 mp->b_wptr[1] = ssl->major_version;
1417 mp->b_wptr[2] = ssl->minor_version;
1428 mp = ssl->handshake_sendbuf;
1433 kssl_update_handshake_hashes(ssl, cert_buf, cert_len);
1439 kssl_send_change_cipher_specs(ssl_t *ssl)
1444 mp = ssl->handshake_sendbuf;
1457 ssl->handshake_sendbuf = newmp;
1459 linkb(ssl->handshake_sendbuf, newmp);
1467 buf[1] = ssl->major_version;
1468 buf[2] = ssl->minor_version;
1478 ssl->seq_num[KSSL_WRITE] = 0;
1479 return (kssl_spec_init(ssl, KSSL_WRITE));
1483 kssl_spec_init(ssl_t *ssl, int dir)
1486 KSSLCipherSpec *spec = &ssl->spec[dir];
1489 spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz;
1490 spec->mac_padsz = mac_defs[ssl->pending_malg].padsz;
1492 spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit;
1493 spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate;
1494 spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal;
1497 bcopy(ssl->pending_keyblock, ssl->mac_secret[dir],
1500 bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]),
1501 ssl->mac_secret[dir], spec->mac_hashsz);
1505 if (!IS_TLS(ssl)) {
1506 ctx = &ssl->mac_ctx[dir][0];
1508 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1513 ctx = &ssl->mac_ctx[dir][1];
1515 spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1521 spec->cipher_type = cipher_defs[ssl->pending_calg].type;
1522 spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type;
1523 spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize;
1524 spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz;
1535 if (IS_TLS(ssl)) {
1536 if (ssl->pending_malg == mac_md5) {
1538 } else if (ssl->pending_malg == mac_sha) {
1543 spec->hmac_key.ck_data = ssl->mac_secret[dir];
1551 if (ssl->pending_malg == mac_md5) {
1555 } else if (ssl->pending_malg == mac_sha) {
1562 spec->hmac_key.ck_data = ssl->mac_secret[dir];
1575 if (cipher_defs[ssl->pending_calg].bsize > 0) {
1578 (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz +
1585 cipher_defs[ssl->pending_calg].bsize;
1589 &(ssl->pending_keyblock[2 * spec->mac_hashsz]);
1598 if (cipher_defs[ssl->pending_calg].bsize > 0) {
1605 &(ssl->pending_keyblock[2 * spec->mac_hashsz +
1618 kssl_send_finished(ssl_t *ssl, int update_hsh)
1629 mp = ssl->handshake_sendbuf;
1632 if (ssl->secure_renegotiation)
1644 if (IS_TLS(ssl))
1651 buf[1] = ssl->major_version;
1652 buf[2] = ssl->minor_version;
1667 if (IS_TLS(ssl)) {
1668 bcopy(ssl->hs_hashes.md5, ssl3hashes.md5,
1670 bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1,
1675 ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server);
1679 if (IS_TLS(ssl)) {
1687 kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4);
1692 ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp,
1700 kssl_mac_encrypt_record(ssl_t *ssl,
1713 ASSERT(ssl != NULL);
1717 spec = &ssl->spec[KSSL_WRITE];
1725 ret = kssl_compute_record_mac(ssl, KSSL_WRITE,
1726 ssl->seq_num[KSSL_WRITE], ct, versionp,
1729 ssl->seq_num[KSSL_WRITE]++;
1773 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc)
1780 ASSERT(ssl != NULL);
1782 ssl->sendalert_level = level;
1783 ssl->sendalert_desc = desc;
1788 if (ssl->sid.cached == B_TRUE) {
1789 kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
1791 ssl->fatal_alert = B_TRUE;
1796 spec = &ssl->spec[KSSL_WRITE];
1798 ASSERT(ssl->alert_sendbuf == NULL);
1799 if (ssl->major_version == 0x03) {
1805 ssl->alert_sendbuf = mp = allocb(len + spec->mac_hashsz +
1814 if (ssl->major_version == 0x03) {
1817 buf[1] = ssl->major_version;
1818 buf[2] = ssl->minor_version;
1847 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen,
1860 ep = ssl->kssl_entry;
1866 ASSERT(ssl->msg.type == client_key_exchange);
1867 ASSERT(ssl->hs_waitstate == wait_client_key);
1872 if (IS_TLS(ssl)) {
1908 ssl->cke_callback_func = cbfn;
1909 ssl->cke_callback_arg = arg;
1912 creq.cr_callback_arg = ssl;
1974 ssl->job.kjob = creq.cr_reqid;
1975 ssl->job.buf = buf;
1976 ssl->job.buflen = allocated;
1977 ssl->hs_waitstate = wait_client_key_done;
1988 /* generate master key and save it in the ssl sid structure */
1989 if (IS_TLS(ssl)) {
1990 err = kssl_generate_tls_ms(ssl, pms, pmslen);
1992 err = kssl_generate_tls_keyblock(ssl);
1994 kssl_generate_ssl_ms(ssl, pms, pmslen);
1995 kssl_generate_keyblock(ssl);
1999 ssl->hs_waitstate = wait_change_cipher;
2001 ssl->activeinput = B_FALSE;
2009 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen)
2015 ASSERT(ssl->msg.type == finished);
2016 ASSERT(ssl->hs_waitstate == wait_finished);
2018 if (IS_TLS(ssl))
2024 kssl_send_alert(ssl, alert_fatal, illegal_parameter);
2028 if (IS_TLS(ssl)) {
2029 hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash,
2032 hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len);
2037 kssl_send_alert(ssl, alert_fatal, handshake_failure);
2043 ssl->hs_waitstate = idle_handshake;
2045 if (ssl->resumed == B_TRUE) {
2046 ssl->activeinput = B_FALSE;
2050 err = kssl_send_change_cipher_specs(ssl);
2054 err = kssl_send_finished(ssl, 0);
2059 kssl_cache_sid(&ssl->sid, ssl->kssl_entry);
2060 ssl->activeinput = B_FALSE;
2074 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz)
2090 ASSERT(ssl->hs_waitstate == wait_client_hello);
2091 ASSERT(ssl->resumed == B_FALSE);
2099 MD5Init(&ssl->hs_md5);
2100 SHA1Init(&ssl->hs_sha1);
2102 kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz);
2135 bzero(ssl->client_random, SSL3_RANDOM_LENGTH);
2137 bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen],
2140 for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
2141 suite = ssl->kssl_entry->kssl_cipherSuites[i];
2164 ssl->secure_renegotiation = B_TRUE;
2173 (ssl->secure_renegotiation || (i > 0)))
2181 ssl->activeinput = B_FALSE;
2186 if (ssl->kssl_entry->ke_fallback_head == NULL) {
2205 ssl->pending_cipher_suite = selected_suite;
2206 ssl->pending_malg = cipher_suite_defs[i].malg;
2207 ssl->pending_calg = cipher_suite_defs[i].calg;
2208 ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
2210 ASSERT(ssl->sid.cached == B_FALSE);
2212 (void) random_get_pseudo_bytes(ssl->sid.session_id,
2214 ssl->sid.client_addr = ssl->faddr;
2215 ssl->sid.cipher_suite = selected_suite;
2217 err = kssl_send_server_hello(ssl);
2221 err = kssl_send_certificate_and_server_hello_done(ssl);
2226 ssl->hs_waitstate = wait_client_key;
2227 ssl->activeinput = B_FALSE;
2231 kssl_send_alert(ssl, alert_fatal, desc);
2232 ssl->activeinput = B_FALSE;
2249 ssl_t *ssl = (ssl_t *)arg;
2254 mutex_enter(&ssl->kssl_lock);
2256 ASSERT(ssl->msg.type == client_key_exchange);
2257 ASSERT(ssl->hs_waitstate == wait_client_key_done);
2260 kssl_send_alert(ssl, alert_fatal, decrypt_error);
2265 pms_data = (crypto_data_t *)(ssl->job.buf);
2272 /* generate master key and save it in the ssl sid structure */
2273 if (IS_TLS(ssl)) {
2274 ret = kssl_generate_tls_ms(ssl, pms, pmslen);
2276 ret = kssl_generate_tls_keyblock(ssl);
2278 kssl_generate_ssl_ms(ssl, pms, pmslen);
2279 kssl_generate_keyblock(ssl);
2283 ssl->hs_waitstate = wait_change_cipher;
2286 kmem_free(ssl->job.buf, ssl->job.buflen);
2288 ssl->job.kjob = 0;
2289 ssl->job.buf = NULL;
2290 ssl->job.buflen = 0;
2292 ssl->activeinput = B_FALSE;
2294 cbfn = ssl->cke_callback_func;
2295 cbarg = ssl->cke_callback_arg;
2296 alertmp = ssl->alert_sendbuf;
2297 ssl->alert_sendbuf = NULL;
2300 ssl->async_ops_pending++;
2301 mutex_exit(&ssl->kssl_lock);
2321 kssl_get_next_record(ssl_t *ssl)
2329 ASSERT(MUTEX_HELD(&ssl->kssl_lock));
2331 mp = ssl->rec_ass_head;
2345 kssl_send_alert(ssl, alert_fatal, internal_error);
2347 ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2382 kssl_send_alert(ssl, alert_fatal, internal_error);
2384 ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2395 kssl_send_alert(ssl, alert_fatal, internal_error);
2397 ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2403 ssl->rec_ass_head = mp;
2408 ssl->rec_ass_head = mp->b_cont;
2413 if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) {
2415 ssl->rec_ass_tail = mp->b_cont;
2424 kssl_mblksfree(ssl_t *ssl)
2427 ASSERT(ssl != NULL);
2429 if (ssl->rec_ass_head != NULL) {
2430 freemsg(ssl->rec_ass_head);
2432 ssl->rec_ass_head = NULL;
2433 ssl->rec_ass_tail = NULL;
2435 if (ssl->msg.head != NULL) {
2436 freemsg(ssl->msg.head);
2438 ssl->msg.head = NULL;
2439 ssl->msg.tail = NULL;
2441 if (ssl->handshake_sendbuf != NULL) {
2442 freemsg(ssl->handshake_sendbuf);
2443 ssl->handshake_sendbuf = NULL;
2445 if (ssl->alert_sendbuf != NULL) {
2446 freemsg(ssl->alert_sendbuf);
2447 ssl->alert_sendbuf = NULL;
2452 kssl_specsfree(ssl_t *ssl)
2454 KSSLCipherSpec *spec = &ssl->spec[KSSL_READ];
2461 spec = &ssl->spec[KSSL_WRITE];
2470 * Frees the ssl structure (aka the context of an SSL session).
2475 kssl_free_context(ssl_t *ssl)
2479 ASSERT(ssl != NULL);
2480 if (!(MUTEX_HELD(&ssl->kssl_lock))) {
2482 mutex_enter(&ssl->kssl_lock);
2491 if (ssl->job.kjob != NULL) {
2497 reqid = ssl->job.kjob;
2498 mutex_exit(&ssl->kssl_lock);
2500 mutex_enter(&ssl->kssl_lock);
2503 if (ssl->job.kjob != NULL) {
2504 kmem_free(ssl->job.buf, ssl->job.buflen);
2505 ssl->job.kjob = 0;
2506 ssl->job.buf = NULL;
2507 ssl->job.buflen = 0;
2510 while (ssl->async_ops_pending > 0)
2511 cv_wait(&ssl->async_cv, &ssl->kssl_lock);
2512 } while (ssl->job.kjob != NULL);
2514 kssl_mblksfree(ssl);
2515 kssl_specsfree(ssl);
2517 KSSL_ENTRY_REFRELE(ssl->kssl_entry);
2518 ssl->kssl_entry = NULL;
2520 mutex_exit(&ssl->kssl_lock);
2522 kmem_cache_free(kssl_cache, ssl);