xref: /titanic_41/usr/src/uts/common/inet/kssl/ksslrec.c (revision 7535ae1914017b0e648abd7a139aca709fa82be3)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 #include <sys/types.h>
26 #include <sys/stream.h>
27 #include <sys/strsubr.h>
28 #include <sys/stropts.h>
29 #include <sys/strsun.h>
30 #define	_SUN_TPI_VERSION 2
31 #include <sys/ddi.h>
32 #include <sys/sunddi.h>
33 #include <sys/debug.h>
34 #include <sys/vtrace.h>
35 #include <sys/kmem.h>
36 #include <sys/cpuvar.h>
37 #include <sys/atomic.h>
38 #include <sys/sysmacros.h>
39 
40 #include <sys/errno.h>
41 #include <sys/isa_defs.h>
42 #include <sys/md5.h>
43 #include <sys/sha1.h>
44 #include <sys/random.h>
45 #include <inet/common.h>
46 #include <netinet/in.h>
47 
48 #include <sys/systm.h>
49 #include <sys/param.h>
50 
51 #include "ksslimpl.h"
52 #include "ksslapi.h"
53 #include "ksslproto.h"
54 
55 static ssl3CipherSuiteDef cipher_suite_defs[] = {
56 	/* 2 X 16 byte keys +  2 x 20 byte MAC secrets, no IVs */
57 	{SSL_RSA_WITH_RC4_128_SHA,	cipher_rc4,	mac_sha,	72},
58 
59 	/* 2 X 16 byte keys +  2 x 16 byte MAC secrets, no IVs */
60 	{SSL_RSA_WITH_RC4_128_MD5,	cipher_rc4,	mac_md5,	64},
61 
62 	/* 2 X 8 byte keys +  2 x 20 byte MAC secrets, 2 x 8 byte IVs */
63 	{SSL_RSA_WITH_DES_CBC_SHA,	cipher_des,	mac_sha,	72},
64 
65 	/* 2 X 24 byte keys +  2 x 20 byte MAC secrets, 2 x 8 byte IVs */
66 	{SSL_RSA_WITH_3DES_EDE_CBC_SHA,	cipher_3des,	mac_sha,	104},
67 
68 	/* 2 X 16 byte keys +  2 x 20 byte MAC secrets, 2 x 16 byte IVs */
69 	{TLS_RSA_WITH_AES_128_CBC_SHA,	cipher_aes128,	mac_sha,	104},
70 
71 	/* 2 X 32 byte keys +  2 x 20 byte MAC secrets, 2 x 16 byte IVs */
72 	{TLS_RSA_WITH_AES_256_CBC_SHA,	cipher_aes256,	mac_sha,	136},
73 
74 	{SSL_RSA_WITH_NULL_SHA,		cipher_null,	mac_sha,	40}
75 };
76 
77 static int cipher_suite_defs_nentries =
78     sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]);
79 
80 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
81 	/* macsz padsz HashInit HashUpdate HashFinal */
82 
83 	{MD5_HASH_LEN, SSL3_MD5_PAD_LEN,
84 	    (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update,
85 	    (hashfinal_func_t)MD5Final},
86 
87 	{SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN,
88 	    (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update,
89 	    (hashfinal_func_t)SHA1Final},
90 };
91 
92 static uchar_t kssl_pad_1[60] = {
93     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
94     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
95     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
96     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
97     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
98     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
99     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
100     0x36, 0x36, 0x36, 0x36
101 };
102 static uchar_t kssl_pad_2[60] = {
103     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
104     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
105     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
106     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
107     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
108     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
109     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
110     0x5c, 0x5c, 0x5c, 0x5c
111 };
112 
113 static boolean_t kssl_synchronous = B_FALSE;
114 
115 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t);
116 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t);
117 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int);
118 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int,
119     kssl_callback_t, void *);
120 static int kssl_send_server_hello(ssl_t *);
121 static int kssl_send_certificate_and_server_hello_done(ssl_t *);
122 static int kssl_send_change_cipher_specs(ssl_t *);
123 static int kssl_send_finished(ssl_t *, int);
124 static int kssl_handle_finished(ssl_t *, mblk_t *, int);
125 static void kssl_get_hello_random(uchar_t *);
126 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *);
127 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *);
128 static void kssl_lookup_sid(sslSessionID *, uchar_t *, in6_addr_t *,
129     kssl_entry_t *);
130 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t);
131 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t);
132 static int kssl_generate_tls_keyblock(ssl_t *);
133 static void kssl_generate_keyblock(ssl_t *);
134 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t,
135     int, uchar_t *, int);
136 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t,
137     uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
138 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *,
139     size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
140 static void kssl_cke_done(void *, int);
141 
142 #define	HMAC_INIT(m, k, c) \
143 	rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end;
144 
145 #define	HMAC_UPDATE(c, d, l) \
146 	dd.cd_raw.iov_base = (char *)d; \
147 	dd.cd_length = dd.cd_raw.iov_len = l; \
148 	rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end;
149 
150 #define	HMAC_FINAL(c, d, l) \
151 	mac.cd_raw.iov_base = (char *)d; \
152 	mac.cd_length = mac.cd_raw.iov_len = l; \
153 	rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end;
154 
155 /*
156  * This hack can go away once we have SSL3 MAC support by KCF
157  * software providers (See 4873559).
158  */
159 extern int kcf_md5_threshold;
160 
161 int
162 kssl_compute_record_mac(
163 	ssl_t *ssl,
164 	int direction,
165 	uint64_t seq_num,
166 	SSL3ContentType ct,
167 	uchar_t *versionp,
168 	uchar_t *buf,
169 	int len,
170 	uchar_t *digest)
171 {
172 	KSSL_HASHCTX mac_ctx;
173 	KSSL_HASHCTX *ctx = &mac_ctx;
174 	uchar_t temp[16], *p;
175 	KSSLCipherSpec *spec;
176 	boolean_t hash_use_ok = B_FALSE;
177 	int rv = 0;
178 
179 	spec = &ssl->spec[direction];
180 
181 	if (spec->mac_hashsz == 0) {
182 		return (1);
183 	}
184 
185 	p = temp;
186 
187 	*p++ = (seq_num >> 56) & 0xff;
188 	*p++ = (seq_num >> 48) & 0xff;
189 	*p++ = (seq_num >> 40) & 0xff;
190 	*p++ = (seq_num >> 32) & 0xff;
191 	*p++ = (seq_num >> 24) & 0xff;
192 	*p++ = (seq_num >> 16) & 0xff;
193 	*p++ = (seq_num >> 8) & 0xff;
194 	*p++ = (seq_num) & 0xff;
195 	*p++ = (uchar_t)ct;
196 	if (IS_TLS(ssl)) {
197 		*p++ = versionp[0];
198 		*p++ = versionp[1];
199 	}
200 	*p++ = (len >> 8) & 0xff;
201 	*p++ = (len) & 0xff;
202 
203 	if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID &&
204 	    len >= kcf_md5_threshold)) {
205 		crypto_data_t dd, mac;
206 		struct uio uio_pt;
207 		struct iovec iovarray_pt[2];
208 
209 		/* init the array of iovecs for use in the uio struct */
210 		iovarray_pt[0].iov_base = (char *)temp;
211 		iovarray_pt[0].iov_len = (p - temp);
212 		iovarray_pt[1].iov_base = (char *)buf;
213 		iovarray_pt[1].iov_len = len;
214 
215 		/* init the uio struct for use in the crypto_data_t struct */
216 		bzero(&uio_pt, sizeof (uio_pt));
217 		uio_pt.uio_iov = iovarray_pt;
218 		uio_pt.uio_iovcnt = 2;
219 		uio_pt.uio_segflg = UIO_SYSSPACE;
220 
221 		dd.cd_format = CRYPTO_DATA_UIO;
222 		dd.cd_offset = 0;
223 		dd.cd_length =  (p - temp) + len;
224 		dd.cd_miscdata = NULL;
225 		dd.cd_uio = &uio_pt;
226 
227 		mac.cd_format = CRYPTO_DATA_RAW;
228 		mac.cd_offset = 0;
229 		mac.cd_raw.iov_base = (char *)digest;
230 		mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz;
231 
232 		/*
233 		 * The calling context can tolerate a blocking call here.
234 		 * For outgoing traffic, we are in user context when called
235 		 * from kssl_data_out_cb(). For incoming traffic past the
236 		 * SSL handshake, we are in user context when called from
237 		 * kssl_data_in_proc_cb(). During the SSL handshake, we are
238 		 * called for client_finished message handling from a taskq
239 		 * thread.
240 		 */
241 		rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key,
242 		    NULL, &mac, NULL);
243 
244 		if (CRYPTO_ERR(rv)) {
245 			hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED &&
246 			    !IS_TLS(ssl));
247 			if (!hash_use_ok) {
248 				DTRACE_PROBE1(kssl_err__crypto_mac_error,
249 				    int, rv);
250 				KSSL_COUNTER(compute_mac_failure, 1);
251 			}
252 		}
253 	} else
254 		hash_use_ok = B_TRUE;
255 
256 	if (hash_use_ok) {
257 		bcopy(&(ssl->mac_ctx[direction][0]), ctx,
258 		    sizeof (KSSL_HASHCTX));
259 		spec->MAC_HashUpdate((void *)ctx, temp, p - temp);
260 		spec->MAC_HashUpdate((void *)ctx, buf, len);
261 		spec->MAC_HashFinal(digest, (void *)ctx);
262 
263 		bcopy(&(ssl->mac_ctx[direction][1]), ctx,
264 		    sizeof (KSSL_HASHCTX));
265 		spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz);
266 		spec->MAC_HashFinal(digest, (void *)ctx);
267 	}
268 
269 	return (rv);
270 }
271 
272 /*
273  * Handles handshake messages.
274  * Messages to be replied are returned in handshake_sendbuf.
275  */
276 int
277 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err,
278     kssl_callback_t cbfn, void *arg)
279 {
280 	uint32_t msglen;
281 	uchar_t msghdr[4];
282 
283 	ASSERT(ssl->msg.state == MSG_BODY);
284 	ASSERT(ssl->msg.msglen_bytes == 3);
285 	ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen);
286 
287 	ssl->sslcnt++;
288 	msglen = ssl->msg.msglen;
289 
290 	if (ssl->msg.type == client_hello) {
291 		MD5Init(&ssl->hs_md5);
292 		SHA1Init(&ssl->hs_sha1);
293 	}
294 
295 	if (ssl->msg.type == finished && ssl->resumed == B_FALSE) {
296 		if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
297 		    sender_client) != 0) {
298 			*err = SSL_MISS;
299 			return (0);
300 		}
301 	}
302 
303 	if (ssl->msg.type != finished || ssl->resumed == B_FALSE) {
304 		msghdr[0] = (uchar_t)ssl->msg.type;
305 
306 		msghdr[1] = (uchar_t)(msglen >> 16);
307 		msghdr[2] = (uchar_t)(msglen >> 8);
308 		msghdr[3] = (uchar_t)(msglen);
309 		kssl_update_handshake_hashes(ssl, msghdr, 4);
310 		kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen);
311 	}
312 
313 	ssl->msg.state = MSG_INIT;
314 	ssl->msg.msglen = 0;
315 	ssl->msg.msglen_bytes = 0;
316 
317 	switch (ssl->msg.type) {
318 	case client_hello:
319 		if (ssl->hs_waitstate != wait_client_hello) {
320 			kssl_send_alert(ssl, alert_fatal,
321 			    unexpected_message);
322 			*err = EBADMSG;
323 			ssl->activeinput = B_FALSE;
324 			return (1);
325 		}
326 		*err = kssl_handle_client_hello(ssl, mp, msglen);
327 		if (*err == SSL_MISS) {
328 			ssl->activeinput = B_FALSE;
329 			return (0);
330 		}
331 		return (1);
332 	case client_key_exchange:
333 		if (ssl->hs_waitstate != wait_client_key) {
334 			kssl_send_alert(ssl, alert_fatal,
335 			    unexpected_message);
336 			*err = EBADMSG;
337 			ssl->activeinput = B_FALSE;
338 			return (1);
339 		}
340 		*err = kssl_handle_client_key_exchange(ssl, mp,
341 		    msglen, cbfn, arg);
342 		return (1);
343 	case finished:
344 		if (ssl->hs_waitstate != wait_finished) {
345 			kssl_send_alert(ssl, alert_fatal,
346 			    unexpected_message);
347 			*err = EBADMSG;
348 			ssl->activeinput = B_FALSE;
349 			return (1);
350 		}
351 		*err = kssl_handle_finished(ssl, mp, msglen);
352 		return (1);
353 	default:
354 		kssl_send_alert(ssl, alert_fatal, unexpected_message);
355 		ssl->activeinput = B_FALSE;
356 		*err = EBADMSG;
357 		return (1);
358 	}
359 }
360 
361 static void
362 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len)
363 {
364 	MD5Update(&ssl->hs_md5, buf, len);
365 	SHA1Update(&ssl->hs_sha1, buf, len);
366 }
367 
368 static int
369 kssl_compute_handshake_hashes(
370 	ssl_t *ssl,
371 	SSL3Hashes *hashes,
372 	uint32_t sender)
373 {
374 	MD5_CTX md5 = ssl->hs_md5;	/* clone md5 context */
375 	SHA1_CTX sha1 = ssl->hs_sha1;	/* clone sha1 context */
376 	MD5_CTX *md5ctx = &md5;
377 	SHA1_CTX *sha1ctx = &sha1;
378 
379 	if (IS_TLS(ssl)) {
380 		uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN];
381 		char *label;
382 
383 		/*
384 		 * Do not take another hash step here.
385 		 * Just complete the operation.
386 		 */
387 		MD5Final(hashes->md5, md5ctx);
388 		SHA1Final(hashes->sha1, sha1ctx);
389 
390 		bcopy(hashes->md5, seed, MD5_HASH_LEN);
391 		bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN);
392 
393 		if (sender == sender_client)
394 			label = TLS_CLIENT_FINISHED_LABEL;
395 		else
396 			label = TLS_SERVER_FINISHED_LABEL;
397 
398 		return (kssl_tls_PRF(ssl,
399 		    ssl->sid.master_secret,
400 		    (size_t)SSL3_MASTER_SECRET_LEN,
401 		    (uchar_t *)label, strlen(label),
402 		    seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN),
403 		    hashes->tlshash, (size_t)TLS_FINISHED_SIZE));
404 	} else {
405 		uchar_t s[4];
406 		s[0] = (sender >> 24) & 0xff;
407 		s[1] = (sender >> 16) & 0xff;
408 		s[2] = (sender >> 8) & 0xff;
409 		s[3] = (sender) & 0xff;
410 
411 		MD5Update(md5ctx, s, 4);
412 		MD5Update(md5ctx, ssl->sid.master_secret,
413 		    SSL3_MASTER_SECRET_LEN);
414 		MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN);
415 		MD5Final(hashes->md5, md5ctx);
416 
417 		MD5Init(md5ctx);
418 		MD5Update(md5ctx, ssl->sid.master_secret,
419 		    SSL3_MASTER_SECRET_LEN);
420 		MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN);
421 		MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN);
422 		MD5Final(hashes->md5, md5ctx);
423 
424 		SHA1Update(sha1ctx, s, 4);
425 		SHA1Update(sha1ctx, ssl->sid.master_secret,
426 		    SSL3_MASTER_SECRET_LEN);
427 		SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN);
428 		SHA1Final(hashes->sha1, sha1ctx);
429 
430 		SHA1Init(sha1ctx);
431 		SHA1Update(sha1ctx, ssl->sid.master_secret,
432 		    SSL3_MASTER_SECRET_LEN);
433 		SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN);
434 		SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN);
435 		SHA1Final(hashes->sha1, sha1ctx);
436 		return (0);
437 	}
438 }
439 
440 
441 /*
442  * Minimum message length for a client hello =
443  * 2-byte client_version +
444  * 32-byte random +
445  * 1-byte session_id length +
446  * 2-byte cipher_suites length +
447  * 1-byte compression_methods length +
448  * 1-byte CompressionMethod.null
449  */
450 #define	KSSL_SSL3_CH_MIN_MSGLEN	(39)
451 
452 /*
453  * Process SSL/TLS Client Hello message. Return 0 on success, errno value
454  * or SSL_MISS if no cipher suite of the server matches the list received
455  * in the message.
456  */
457 static int
458 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen)
459 {
460 	uchar_t *msgend;
461 	int err;
462 	SSL3AlertDescription desc = illegal_parameter;
463 	uint_t sidlen, cslen, cmlen;
464 	uchar_t *suitesp;
465 	uint_t i, j;
466 	uint16_t suite, selected_suite;
467 	int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN;
468 	boolean_t suite_found = B_FALSE;
469 
470 	ASSERT(mp->b_wptr >= mp->b_rptr + msglen);
471 	ASSERT(ssl->msg.type == client_hello);
472 	ASSERT(ssl->hs_waitstate == wait_client_hello);
473 	ASSERT(ssl->resumed == B_FALSE);
474 
475 	if (msglen < ch_msglen) {
476 		DTRACE_PROBE2(kssl_err__msglen_less_than_minimum,
477 		    int, msglen, int, ch_msglen);
478 		goto falert;
479 	}
480 
481 	msgend = mp->b_rptr + msglen;
482 
483 	/* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */
484 	if (ssl->major_version != 3 || (ssl->major_version == 3 &&
485 	    ssl->minor_version != 0 && ssl->minor_version != 1)) {
486 		DTRACE_PROBE2(kssl_err__SSL_version_not_supported,
487 		    uchar_t, ssl->major_version,
488 		    uchar_t, ssl->minor_version);
489 		desc = handshake_failure;
490 		goto falert;
491 	}
492 	mp->b_rptr += 2; /* skip the version bytes */
493 
494 	/* read client random field */
495 	bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH);
496 	mp->b_rptr += SSL3_RANDOM_LENGTH;
497 
498 	/* read session ID length */
499 	ASSERT(ssl->sid.cached == B_FALSE);
500 	sidlen = *mp->b_rptr++;
501 	ch_msglen += sidlen;
502 	if (msglen < ch_msglen) {
503 		DTRACE_PROBE2(kssl_err__invalid_message_length_after_ver,
504 		    int, msglen, int, ch_msglen);
505 		goto falert;
506 	}
507 	if (sidlen != SSL3_SESSIONID_BYTES) {
508 		mp->b_rptr += sidlen;
509 	} else {
510 		kssl_lookup_sid(&ssl->sid, mp->b_rptr, &ssl->faddr,
511 		    ssl->kssl_entry);
512 		mp->b_rptr += SSL3_SESSIONID_BYTES;
513 	}
514 
515 	/* read cipher suite length */
516 	cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
517 	mp->b_rptr += 2;
518 	ch_msglen += cslen;
519 
520 	/*
521 	 * This check can't be a "!=" since there can be
522 	 * compression methods other than CompressionMethod.null.
523 	 * Also, there can be extra data (TLS extensions) after the
524 	 * compression methods field.
525 	 */
526 	if (msglen < ch_msglen) {
527 		DTRACE_PROBE2(kssl_err__invalid_message_length_after_cslen,
528 		    int, msglen, int, ch_msglen);
529 		goto falert;
530 	}
531 
532 	/* The length has to be even since a cipher suite is 2-byte long. */
533 	if (cslen & 0x1) {
534 		DTRACE_PROBE1(kssl_err__uneven_cipher_suite_length,
535 		    uint_t, cslen);
536 		goto falert;
537 	}
538 	suitesp = mp->b_rptr;
539 
540 	/* session resumption checks */
541 	if (ssl->sid.cached == B_TRUE) {
542 		suite = ssl->sid.cipher_suite;
543 		for (j = 0; j < cslen; j += 2) {
544 			DTRACE_PROBE2(kssl_cipher_suite_check_resumpt,
545 			    uint16_t, suite,
546 			    uint16_t,
547 			    (uint16_t)((suitesp[j] << 8) + suitesp[j+1]));
548 			/* Check for regular (true) cipher suite. */
549 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
550 			    suitesp[j + 1] == (suite & 0xff)) {
551 				DTRACE_PROBE1(kssl_cipher_suite_found_resumpt,
552 				    uint16_t, suite);
553 				suite_found = B_TRUE;
554 				selected_suite = suite;
555 			}
556 
557 			/* Check for SCSV. */
558 			if (suitesp[j] ==  ((SSL_SCSV >> 8) & 0xff) &&
559 			    suitesp[j + 1] == (SSL_SCSV & 0xff)) {
560 				DTRACE_PROBE(kssl_scsv_found_resumpt);
561 				ssl->secure_renegotiation = B_TRUE;
562 			}
563 
564 			/*
565 			 * If we got cipher suite match and SCSV we can
566 			 * terminate the cycle now.
567 			 */
568 			if (suite_found && ssl->secure_renegotiation)
569 				break;
570 		}
571 		if (suite_found)
572 			goto suite_found;
573 		kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
574 	}
575 
576 	/* Check if this server is capable of the cipher suite. */
577 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
578 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
579 		for (j = 0; j < cslen; j += 2) {
580 			DTRACE_PROBE2(kssl_cipher_suite_check, uint16_t, suite,
581 			    uint16_t,
582 			    (uint16_t)((suitesp[j] << 8) + suitesp[j+1]));
583 			/* Check for regular (true) cipher suite. */
584 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
585 			    suitesp[j + 1] == (suite & 0xff)) {
586 				DTRACE_PROBE1(kssl_cipher_suite_found,
587 				    uint16_t, suite);
588 				suite_found = B_TRUE;
589 				selected_suite = suite;
590 			}
591 
592 			/* Check for SCSV. */
593 			if (suitesp[j] ==  ((SSL_SCSV >> 8) & 0xff) &&
594 			    suitesp[j + 1] == (SSL_SCSV & 0xff)) {
595 				DTRACE_PROBE(kssl_scsv_found);
596 				ssl->secure_renegotiation = B_TRUE;
597 			}
598 
599 			/*
600 			 * If we got cipher suite match and SCSV or went
601 			 * through the whole list of client cipher suites
602 			 * (hence we know if SCSV was present or not) we
603 			 * can terminate the cycle now.
604 			 */
605 			if (suite_found &&
606 			    (ssl->secure_renegotiation || (i > 0)))
607 				break;
608 		}
609 		if (suite_found)
610 			break;
611 	}
612 	if (!suite_found) {
613 		if (ssl->sslcnt == 1) {
614 			DTRACE_PROBE(kssl_no_cipher_suite_found);
615 			KSSL_COUNTER(no_suite_found, 1);
616 			/*
617 			 * If there is no fallback point terminate the
618 			 * handshake with SSL alert otherwise return with
619 			 * SSL_MISS.
620 			 */
621 			if (ssl->kssl_entry->ke_fallback_head == NULL) {
622 				DTRACE_PROBE(kssl_no_fallback);
623 				desc = handshake_failure;
624 				goto falert;
625 			} else {
626 				return (SSL_MISS);
627 			}
628 		}
629 		desc = handshake_failure;
630 		DTRACE_PROBE(kssl_err__no_cipher_suites_found);
631 		goto falert;
632 	}
633 
634 suite_found:
635 	mp->b_rptr += cslen;
636 
637 	/*
638 	 * Check for the mandatory CompressionMethod.null. We do not
639 	 * support any other compression methods.
640 	 */
641 	cmlen = *mp->b_rptr++;
642 	ch_msglen += cmlen - 1;	/* -1 accounts for the null method */
643 	if (msglen < ch_msglen) {
644 		DTRACE_PROBE2(kssl_err__invalid_message_length_after_complen,
645 		    int, msglen, int, ch_msglen);
646 		goto falert;
647 	}
648 
649 	/*
650 	 * Search for null compression method (encoded as 0 byte) in the
651 	 * compression methods field.
652 	 */
653 	while (cmlen >= 1) {
654 		if (*mp->b_rptr++ == 0)
655 			break;
656 		cmlen--;
657 	}
658 
659 	if (cmlen == 0) {
660 		desc = handshake_failure;
661 		DTRACE_PROBE(kssl_err__no_null_compression_method);
662 		goto falert;
663 	}
664 
665 	/* Find the suite in the internal cipher suite table. */
666 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
667 		if (selected_suite == cipher_suite_defs[i].suite) {
668 			break;
669 		}
670 	}
671 
672 	/* Get past the remaining compression methods (minus null method). */
673 	mp->b_rptr += cmlen - 1;
674 
675 	ASSERT(i < cipher_suite_defs_nentries);
676 
677 	ssl->pending_cipher_suite = selected_suite;
678 	ssl->pending_malg = cipher_suite_defs[i].malg;
679 	ssl->pending_calg = cipher_suite_defs[i].calg;
680 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
681 
682 	/* Parse TLS extensions (if any). */
683 	if (ch_msglen + 2 < msglen) {
684 		/* Get the length of the extensions. */
685 		uint16_t ext_total_len = ((uint_t)mp->b_rptr[0] << 8) +
686 		    (uint_t)mp->b_rptr[1];
687 		DTRACE_PROBE1(kssl_total_length_extensions, uint16_t,
688 		    ext_total_len);
689 		/*
690 		 * Consider zero extensions length as invalid extension
691 		 * encoding.
692 		 */
693 		if (ext_total_len == 0) {
694 			DTRACE_PROBE1(kssl_err__zero_extensions_length,
695 			    mblk_t *, mp);
696 			goto falert;
697 		}
698 		ch_msglen += 2;
699 		if (ch_msglen + ext_total_len > msglen) {
700 			DTRACE_PROBE2(kssl_err__invalid_extensions_length,
701 			    int, msglen, int, ch_msglen);
702 			goto falert;
703 		}
704 		mp->b_rptr += 2;
705 
706 		/*
707 		 * Go through the TLS extensions. This is only done to check
708 		 * for the presence of renegotiation_info extension. We do not
709 		 * support any other TLS extensions and hence ignore them.
710 		 */
711 		while (mp->b_rptr < msgend) {
712 			uint16_t ext_len, ext_type;
713 
714 			/*
715 			 * Check that the extension has at least type and
716 			 * length (2 + 2 bytes).
717 			 */
718 			if (ch_msglen + 4 > msglen) {
719 				DTRACE_PROBE(kssl_err__invalid_ext_format);
720 				goto falert;
721 			}
722 
723 			/* Get extension type and length */
724 			ext_type = ((uint_t)mp->b_rptr[0] << 8) +
725 			    (uint_t)mp->b_rptr[1];
726 			mp->b_rptr += 2;
727 			ext_len = ((uint_t)mp->b_rptr[0] << 8) +
728 			    (uint_t)mp->b_rptr[1];
729 			mp->b_rptr += 2;
730 			ch_msglen += 4;
731 			DTRACE_PROBE3(kssl_ext_detected, uint16_t, ext_type,
732 			    uint16_t, ext_len, mblk_t *, mp);
733 
734 			/*
735 			 * Make sure the contents of the extension are
736 			 * accessible.
737 			 */
738 			if (ch_msglen + ext_len > msglen) {
739 				DTRACE_PROBE1(
740 				    kssl_err__invalid_ext_len,
741 				    uint16_t, ext_len);
742 				goto falert;
743 			}
744 
745 			switch (ext_type) {
746 			case TLSEXT_RENEGOTIATION_INFO:
747 				/*
748 				 * Search for empty "renegotiation_info"
749 				 * extension (encoded as ff 01 00 01 00).
750 				 */
751 				DTRACE_PROBE(kssl_reneg_info_found);
752 				if ((ext_len != 1) ||
753 				    (*mp->b_rptr != 0)) {
754 					DTRACE_PROBE2(
755 					    kssl_err__non_empty_reneg_info,
756 					    uint16_t, ext_len,
757 					    mblk_t *, mp);
758 					goto falert;
759 				}
760 				ssl->secure_renegotiation = B_TRUE;
761 				break;
762 			default:
763 				/* FALLTHRU */
764 				break;
765 			}
766 
767 			/* jump to the next extension */
768 			ch_msglen += ext_len;
769 			mp->b_rptr += ext_len;
770 		}
771 	}
772 
773 	mp->b_rptr = msgend;
774 
775 	if (ssl->sid.cached == B_TRUE) {
776 		err = kssl_send_server_hello(ssl);
777 		if (err != 0) {
778 			return (err);
779 		}
780 		if (IS_TLS(ssl))
781 			err = kssl_generate_tls_keyblock(ssl);
782 		else
783 			kssl_generate_keyblock(ssl);
784 
785 		err = kssl_send_change_cipher_specs(ssl);
786 		if (err != 0) {
787 			return (err);
788 		}
789 
790 		err = kssl_send_finished(ssl, 1);
791 		if (err != 0)
792 			return (err);
793 
794 		err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
795 		    sender_client);
796 		if (err != 0)
797 			return (err);
798 
799 		ssl->hs_waitstate = wait_change_cipher;
800 		ssl->resumed = B_TRUE;
801 		ssl->activeinput = B_FALSE;
802 		KSSL_COUNTER(resumed_sessions, 1);
803 		return (0);
804 	}
805 
806 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
807 	    SSL3_SESSIONID_BYTES);
808 	ssl->sid.client_addr = ssl->faddr;
809 	ssl->sid.cipher_suite = selected_suite;
810 
811 	err = kssl_send_server_hello(ssl);
812 	if (err != 0) {
813 		return (err);
814 	}
815 	err = kssl_send_certificate_and_server_hello_done(ssl);
816 	if (err != 0) {
817 		return (err);
818 	}
819 	KSSL_COUNTER(full_handshakes, 1);
820 	ssl->hs_waitstate = wait_client_key;
821 	ssl->activeinput = B_FALSE;
822 	return (0);
823 
824 falert:
825 	kssl_send_alert(ssl, alert_fatal, desc);
826 	return (EBADMSG);
827 }
828 
829 #define	SET_HASH_INDEX(index, s, clnt_addr) {				\
830 	int addr;							\
831 									\
832 	IN6_V4MAPPED_TO_IPADDR(clnt_addr, addr);			\
833 	index = addr ^ (((int)(s)[0] << 24) | ((int)(s)[1] << 16) |	\
834 	    ((int)(s)[2] << 8) | (int)(s)[SSL3_SESSIONID_BYTES - 1]);	\
835 }
836 
837 /*
838  * Creates a cache entry. Sets the sid->cached flag
839  * and sid->time fields. So, the caller should not set them.
840  */
841 static void
842 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
843 {
844 	uint_t index;
845 	uchar_t *s = sid->session_id;
846 	kmutex_t *lock;
847 
848 	ASSERT(sid->cached == B_FALSE);
849 
850 	/* set the values before creating the cache entry */
851 	sid->cached = B_TRUE;
852 	sid->time = ddi_get_lbolt();
853 
854 	SET_HASH_INDEX(index, s, &sid->client_addr);
855 	index %= kssl_entry->sid_cache_nentries;
856 
857 	lock = &(kssl_entry->sid_cache[index].se_lock);
858 	mutex_enter(lock);
859 	kssl_entry->sid_cache[index].se_used++;
860 	bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid));
861 	mutex_exit(lock);
862 
863 	KSSL_COUNTER(sid_cached, 1);
864 }
865 
866 /*
867  * Invalidates the cache entry, if any. Clears the sid->cached flag
868  * as a side effect.
869  */
870 void
871 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
872 {
873 	uint_t index;
874 	uchar_t *s = sid->session_id;
875 	sslSessionID *csid;
876 	kmutex_t *lock;
877 
878 	ASSERT(sid->cached == B_TRUE);
879 	sid->cached = B_FALSE;
880 
881 	SET_HASH_INDEX(index, s, &sid->client_addr);
882 	index %= kssl_entry->sid_cache_nentries;
883 
884 	lock = &(kssl_entry->sid_cache[index].se_lock);
885 	mutex_enter(lock);
886 	csid = &(kssl_entry->sid_cache[index].se_sid);
887 	if (!(IN6_ARE_ADDR_EQUAL(&csid->client_addr, &sid->client_addr)) ||
888 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
889 		mutex_exit(lock);
890 		return;
891 	}
892 	csid->cached = B_FALSE;
893 	mutex_exit(lock);
894 
895 	KSSL_COUNTER(sid_uncached, 1);
896 }
897 
898 static void
899 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, in6_addr_t *faddr,
900     kssl_entry_t *kssl_entry)
901 {
902 	uint_t index;
903 	kmutex_t *lock;
904 	sslSessionID *csid;
905 
906 	KSSL_COUNTER(sid_cache_lookups, 1);
907 
908 	SET_HASH_INDEX(index, s, faddr);
909 	index %= kssl_entry->sid_cache_nentries;
910 
911 	lock = &(kssl_entry->sid_cache[index].se_lock);
912 	mutex_enter(lock);
913 	csid = &(kssl_entry->sid_cache[index].se_sid);
914 	if (csid->cached == B_FALSE ||
915 	    !IN6_ARE_ADDR_EQUAL(&csid->client_addr, faddr) ||
916 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
917 		mutex_exit(lock);
918 		return;
919 	}
920 
921 	if (TICK_TO_SEC(ddi_get_lbolt() - csid->time) >
922 	    kssl_entry->sid_cache_timeout) {
923 		csid->cached = B_FALSE;
924 		mutex_exit(lock);
925 		return;
926 	}
927 
928 	bcopy(csid, sid, sizeof (*sid));
929 	mutex_exit(lock);
930 	ASSERT(sid->cached == B_TRUE);
931 
932 	KSSL_COUNTER(sid_cache_hits, 1);
933 }
934 
935 static uchar_t *
936 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp)
937 {
938 	size_t len = *lenp;
939 	int i = 2;
940 
941 	if (buf[0] != 0 || buf[1] != 2) {
942 		return (NULL);
943 	}
944 
945 	while (i < len) {
946 		if (buf[i++] == 0) {
947 			*lenp = len - i;
948 			break;
949 		}
950 	}
951 
952 	if (i == len) {
953 		return (NULL);
954 	}
955 
956 	return (buf + i);
957 }
958 
959 
960 #define	KSSL_SSL3_SH_RECLEN	(74)
961 #define	KSSL_SSL3_FIN_MSGLEN	(36)
962 #define	KSSL_EMPTY_RENEG_INFO_LEN	(7)
963 
964 #define	KSSL_SSL3_MAX_CCP_FIN_MSGLEN	(128)	/* comfortable upper bound */
965 
966 /*
967  * Send ServerHello record to the client.
968  */
969 static int
970 kssl_send_server_hello(ssl_t *ssl)
971 {
972 	mblk_t *mp;
973 	uchar_t *buf;
974 	uchar_t *msgstart;
975 	uint16_t reclen = KSSL_SSL3_SH_RECLEN;
976 
977 	mp = allocb(ssl->tcp_mss, BPRI_HI);
978 	if (mp == NULL) {
979 		KSSL_COUNTER(alloc_fails, 1);
980 		return (ENOMEM);
981 	}
982 	ssl->handshake_sendbuf = mp;
983 	buf = mp->b_wptr;
984 
985 	if (ssl->secure_renegotiation)
986 		reclen += KSSL_EMPTY_RENEG_INFO_LEN;
987 
988 	/* 5 byte record header */
989 	buf[0] = content_handshake;
990 	buf[1] = ssl->major_version;
991 	buf[2] = ssl->minor_version;
992 	buf[3] = reclen >> 8;
993 	buf[4] = reclen & 0xff;
994 	buf += SSL3_HDR_LEN;
995 
996 	msgstart = buf;
997 
998 	/* 6 byte message header */
999 	buf[0] = (uchar_t)server_hello;			/* message type */
1000 	buf[1] = 0;					/* message len byte 0 */
1001 	buf[2] = ((reclen - 4) >> 8) &
1002 	    0xff;					/* message len byte 1 */
1003 	buf[3] = (reclen - 4) & 0xff;	/* message len byte 2 */
1004 
1005 	buf[4] = ssl->major_version;	/* version byte 0 */
1006 	buf[5] = ssl->minor_version;	/* version byte 1 */
1007 
1008 	buf += 6;
1009 
1010 	kssl_get_hello_random(ssl->server_random);
1011 	bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH);
1012 	buf += SSL3_RANDOM_LENGTH;
1013 
1014 	buf[0] = SSL3_SESSIONID_BYTES;
1015 	bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES);
1016 	buf += SSL3_SESSIONID_BYTES + 1;
1017 
1018 	buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff;
1019 	buf[1] = ssl->pending_cipher_suite & 0xff;
1020 
1021 	buf[2] = 0;	/* No compression */
1022 	buf += 3;
1023 
1024 	/*
1025 	 * Add "renegotiation_info" extension if the ClientHello message
1026 	 * contained either SCSV value in cipher suite list or
1027 	 * "renegotiation_info" extension. This is per RFC 5746, section 3.6.
1028 	 */
1029 	if (ssl->secure_renegotiation) {
1030 		/* Extensions length */
1031 		buf[0] = 0x00;
1032 		buf[1] = 0x05;
1033 		/* empty renegotiation_info extension encoding (section 3.2) */
1034 		buf[2] = 0xff;
1035 		buf[3] = 0x01;
1036 		buf[4] = 0x00;
1037 		buf[5] = 0x01;
1038 		buf[6] = 0x00;
1039 		buf += KSSL_EMPTY_RENEG_INFO_LEN;
1040 	}
1041 
1042 	mp->b_wptr = buf;
1043 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
1044 
1045 	kssl_update_handshake_hashes(ssl, msgstart, reclen);
1046 	return (0);
1047 }
1048 
1049 static void
1050 kssl_get_hello_random(uchar_t *buf)
1051 {
1052 	timestruc_t ts;
1053 	time_t sec;
1054 
1055 	gethrestime(&ts);
1056 	sec = ts.tv_sec;
1057 
1058 	buf[0] = (sec >> 24) & 0xff;
1059 	buf[1] = (sec >> 16) & 0xff;
1060 	buf[2] = (sec >> 8) & 0xff;
1061 	buf[3] = (sec) & 0xff;
1062 
1063 	(void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4);
1064 
1065 	/* Should this be caching? */
1066 }
1067 
1068 static int
1069 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key,
1070 	size_t hashlen,
1071 	uchar_t *label, size_t label_len,
1072 	uchar_t *seed, size_t seedlen,
1073 	uchar_t *data, size_t datalen)
1074 {
1075 	int rv = 0;
1076 	uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN];
1077 	int bytes_left = (int)datalen;
1078 	crypto_data_t dd, mac;
1079 	crypto_context_t ctx;
1080 
1081 	dd.cd_format = CRYPTO_DATA_RAW;
1082 	dd.cd_offset = 0;
1083 	mac.cd_format = CRYPTO_DATA_RAW;
1084 	mac.cd_offset = 0;
1085 
1086 	/*
1087 	 * A(i) = HMAC_hash(secret, seed + A(i-1));
1088 	 * A(0) = seed;
1089 	 *
1090 	 * Compute A(1):
1091 	 * A(1) = HMAC_hash(secret, label + seed)
1092 	 *
1093 	 */
1094 	HMAC_INIT(mech, key, &ctx);
1095 	HMAC_UPDATE(ctx, label, label_len);
1096 	HMAC_UPDATE(ctx, seed, seedlen);
1097 	HMAC_FINAL(ctx, A1, hashlen);
1098 
1099 	/* Compute A(2) ... A(n) */
1100 	while (bytes_left > 0) {
1101 		HMAC_INIT(mech, key, &ctx);
1102 		HMAC_UPDATE(ctx, A1, hashlen);
1103 		HMAC_UPDATE(ctx, label, label_len);
1104 		HMAC_UPDATE(ctx, seed, seedlen);
1105 		HMAC_FINAL(ctx, result, hashlen);
1106 
1107 		/*
1108 		 * The A(i) value is stored in "result".
1109 		 * Save the results of the MAC so it can be input to next
1110 		 * iteration.
1111 		 */
1112 		if (bytes_left > hashlen) {
1113 			/* Store the chunk result */
1114 			bcopy(result, data, hashlen);
1115 			data += hashlen;
1116 
1117 			bytes_left -= hashlen;
1118 
1119 			/* Update A1 for next iteration */
1120 			HMAC_INIT(mech, key, &ctx);
1121 			HMAC_UPDATE(ctx, A1, hashlen);
1122 			HMAC_FINAL(ctx, A1, hashlen);
1123 
1124 		} else {
1125 			bcopy(result, data, bytes_left);
1126 			data += bytes_left;
1127 			bytes_left = 0;
1128 		}
1129 	}
1130 end:
1131 	if (CRYPTO_ERR(rv)) {
1132 		DTRACE_PROBE1(kssl_err__crypto_mac_error, int, rv);
1133 		KSSL_COUNTER(compute_mac_failure, 1);
1134 	}
1135 	return (rv);
1136 }
1137 
1138 /* ARGSUSED */
1139 static int
1140 kssl_tls_PRF(ssl_t *ssl,
1141 	uchar_t *secret, size_t secret_len,
1142 	uchar_t *label, size_t label_len,
1143 	uchar_t *seed, size_t seed_len,
1144 	uchar_t *prfresult, size_t prfresult_len)
1145 {
1146 	/*
1147 	 * RFC 2246:
1148 	 *  PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
1149 	 *				P_SHA1(S2, label + seed);
1150 	 * S1 = 1st half of secret.
1151 	 * S1 = 2nd half of secret.
1152 	 *
1153 	 */
1154 
1155 	int rv, i;
1156 	uchar_t psha1[MAX_KEYBLOCK_LENGTH];
1157 	crypto_key_t S1, S2;
1158 
1159 	/* length of secret keys is ceil(length/2) */
1160 	size_t slen = roundup(secret_len, 2) / 2;
1161 
1162 	if (prfresult_len >  MAX_KEYBLOCK_LENGTH) {
1163 		DTRACE_PROBE1(kssl_err__unexpected_keyblock_size,
1164 		    size_t, prfresult_len);
1165 		return (CRYPTO_ARGUMENTS_BAD);
1166 	}
1167 
1168 	ASSERT(prfresult != NULL);
1169 	ASSERT(label != NULL);
1170 	ASSERT(seed != NULL);
1171 
1172 	S1.ck_data   = secret;
1173 	S1.ck_length = slen * 8; /* bits */
1174 	S1.ck_format = CRYPTO_KEY_RAW;
1175 
1176 	S2.ck_data   = secret + slen;
1177 	S2.ck_length = slen * 8; /* bits */
1178 	S2.ck_format = CRYPTO_KEY_RAW;
1179 
1180 	rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN,
1181 	    label, label_len,
1182 	    seed, seed_len,
1183 	    prfresult, prfresult_len);
1184 	if (CRYPTO_ERR(rv))
1185 		goto end;
1186 
1187 	rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN,
1188 	    label, label_len,
1189 	    seed, seed_len,
1190 	    psha1, prfresult_len);
1191 	if (CRYPTO_ERR(rv))
1192 		goto end;
1193 
1194 	for (i = 0; i < prfresult_len; i++)
1195 		prfresult[i] ^= psha1[i];
1196 
1197 end:
1198 	if (CRYPTO_ERR(rv))
1199 		bzero(prfresult, prfresult_len);
1200 
1201 	return (rv);
1202 }
1203 
1204 #define	IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)			\
1205 	(pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN ||		\
1206 	pms[0] != ssl->major_version || pms[1] != ssl->minor_version)
1207 
1208 #define	FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) {			\
1209 		KSSL_COUNTER(bad_pre_master_secret, 1);			\
1210 		pms = buf;						\
1211 		pmslen = SSL3_PRE_MASTER_SECRET_LEN;			\
1212 		pms[0] = ssl->major_version;				\
1213 		pms[1] = ssl->minor_version;				\
1214 		(void) random_get_pseudo_bytes(&buf[2], pmslen - 2);	\
1215 }
1216 
1217 static int
1218 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1219 {
1220 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1221 	uchar_t seed[SSL3_RANDOM_LENGTH * 2];
1222 
1223 	/*
1224 	 * Computing the master secret:
1225 	 * ----------------------------
1226 	 * master_secret = PRF (pms, "master secret",
1227 	 *		ClientHello.random + ServerHello.random);
1228 	 */
1229 	bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH);
1230 	bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH,
1231 	    SSL3_RANDOM_LENGTH);
1232 
1233 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1234 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1235 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
1236 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1237 	}
1238 
1239 	return (kssl_tls_PRF(ssl,
1240 	    pms, pmslen,
1241 	    (uchar_t *)TLS_MASTER_SECRET_LABEL,
1242 	    (size_t)strlen(TLS_MASTER_SECRET_LABEL),
1243 	    seed, sizeof (seed),
1244 	    ssl->sid.master_secret,
1245 	    (size_t)sizeof (ssl->sid.master_secret)));
1246 }
1247 
1248 
1249 static void
1250 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1251 {
1252 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1253 	uchar_t *ms;
1254 	int hlen = MD5_HASH_LEN;
1255 
1256 	ms = ssl->sid.master_secret;
1257 
1258 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1259 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1260 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
1261 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1262 	}
1263 
1264 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0);
1265 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0);
1266 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen,
1267 	    0);
1268 }
1269 
1270 static int
1271 kssl_generate_tls_keyblock(ssl_t *ssl)
1272 {
1273 	uchar_t seed[2 * SSL3_RANDOM_LENGTH];
1274 
1275 	bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH);
1276 	bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH,
1277 	    SSL3_RANDOM_LENGTH);
1278 
1279 	return (kssl_tls_PRF(ssl, ssl->sid.master_secret,
1280 	    (size_t)SSL3_MASTER_SECRET_LEN,
1281 	    (uchar_t *)TLS_KEY_EXPANSION_LABEL,
1282 	    (size_t)strlen(TLS_KEY_EXPANSION_LABEL),
1283 	    seed, (size_t)sizeof (seed),
1284 	    ssl->pending_keyblock,
1285 	    (size_t)ssl->pending_keyblksz));
1286 
1287 }
1288 
1289 static void
1290 kssl_generate_keyblock(ssl_t *ssl)
1291 {
1292 	uchar_t *ms;
1293 	size_t mslen = SSL3_MASTER_SECRET_LEN;
1294 	int hlen = MD5_HASH_LEN;
1295 	uchar_t *keys = ssl->pending_keyblock;
1296 	int steps = howmany(ssl->pending_keyblksz, hlen);
1297 	int i;
1298 
1299 	ms = ssl->sid.master_secret;
1300 
1301 	ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH);
1302 
1303 	for (i = 1; i <= steps; i++) {
1304 		kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1);
1305 		keys += hlen;
1306 	}
1307 }
1308 
1309 static char *ssl3_key_derive_seeds[9] = {"A", "BB", "CCC", "DDDD", "EEEEE",
1310 	"FFFFFF", "GGGGGGG", "HHHHHHHH", "IIIIIIIII"};
1311 
1312 static void
1313 kssl_ssl3_key_material_derive_step(
1314 	ssl_t *ssl,
1315 	uchar_t *secret,
1316 	size_t secretlen,
1317 	int step,
1318 	uchar_t *dst,
1319 	int sr_first)
1320 {
1321 	SHA1_CTX sha1, *sha1ctx;
1322 	MD5_CTX md5, *md5ctx;
1323 	uchar_t sha1_hash[SHA1_HASH_LEN];
1324 
1325 	sha1ctx = &sha1;
1326 	md5ctx = &md5;
1327 
1328 	ASSERT(step <=
1329 	    sizeof (ssl3_key_derive_seeds) /
1330 	    sizeof (ssl3_key_derive_seeds[0]));
1331 	step--;
1332 
1333 	SHA1Init(sha1ctx);
1334 	SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step],
1335 	    step + 1);
1336 	SHA1Update(sha1ctx, secret, secretlen);
1337 	if (sr_first) {
1338 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1339 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1340 	} else {
1341 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1342 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1343 	}
1344 	SHA1Final(sha1_hash, sha1ctx);
1345 
1346 	MD5Init(md5ctx);
1347 	MD5Update(md5ctx, secret, secretlen);
1348 	MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN);
1349 	MD5Final(dst, md5ctx);
1350 }
1351 
1352 static int
1353 kssl_send_certificate_and_server_hello_done(ssl_t *ssl)
1354 {
1355 	int cur_reclen;
1356 	int mss;
1357 	int len, copylen;
1358 	mblk_t *mp;
1359 	uchar_t *cert_buf;
1360 	int cert_len;
1361 	uchar_t *msgbuf;
1362 	Certificate_t *cert;
1363 	uint16_t reclen = KSSL_SSL3_SH_RECLEN;
1364 
1365 	cert = ssl->kssl_entry->ke_server_certificate;
1366 	if (cert == NULL) {
1367 		return (ENOENT);
1368 	}
1369 	cert_buf = cert->msg;
1370 	cert_len = cert->len;
1371 
1372 	if (ssl->secure_renegotiation)
1373 		reclen += KSSL_EMPTY_RENEG_INFO_LEN;
1374 
1375 	mp = ssl->handshake_sendbuf;
1376 	mss = ssl->tcp_mss;
1377 	ASSERT(mp != NULL);
1378 	cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN;
1379 	ASSERT(cur_reclen == reclen);
1380 	/* Assume MSS is at least 80 bytes */
1381 	ASSERT(mss > cur_reclen + SSL3_HDR_LEN);
1382 	ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */
1383 
1384 	copylen = mss - (cur_reclen + SSL3_HDR_LEN);
1385 	len = cert_len;
1386 	copylen = MIN(copylen, len);
1387 	copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1388 
1389 	/* new record always starts in a new mblk for simplicity */
1390 	msgbuf = cert_buf;
1391 	for (;;) {
1392 		ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim);
1393 		bcopy(msgbuf, mp->b_wptr, copylen);
1394 		msgbuf += copylen;
1395 		mp->b_wptr += copylen;
1396 		cur_reclen += copylen;
1397 		len -= copylen;
1398 		if (len == 0) {
1399 			break;
1400 		}
1401 		if (cur_reclen == SSL3_MAX_RECORD_LENGTH) {
1402 			cur_reclen = 0;
1403 		}
1404 		copylen = MIN(len, mss);
1405 		copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1406 		mp->b_cont = allocb(copylen, BPRI_HI);
1407 		if (mp->b_cont == NULL) {
1408 			KSSL_COUNTER(alloc_fails, 1);
1409 			freemsg(ssl->handshake_sendbuf);
1410 			ssl->handshake_sendbuf = NULL;
1411 			return (ENOMEM);
1412 		}
1413 		mp = mp->b_cont;
1414 		if (cur_reclen == 0) {
1415 			mp->b_wptr[0] = content_handshake;
1416 			mp->b_wptr[1] = ssl->major_version;
1417 			mp->b_wptr[2] = ssl->minor_version;
1418 			cur_reclen = MIN(len, reclen);
1419 			mp->b_wptr[3] = (cur_reclen >> 8) & 0xff;
1420 			mp->b_wptr[4] = (cur_reclen) & 0xff;
1421 			mp->b_wptr += SSL3_HDR_LEN;
1422 			cur_reclen = 0;
1423 			copylen = MIN(copylen, mss - SSL3_HDR_LEN);
1424 		}
1425 	}
1426 
1427 	/* adjust the record length field for the first record */
1428 	mp = ssl->handshake_sendbuf;
1429 	cur_reclen = MIN(reclen + cert_len, SSL3_MAX_RECORD_LENGTH);
1430 	mp->b_rptr[3] = (cur_reclen >> 8) & 0xff;
1431 	mp->b_rptr[4] = (cur_reclen) & 0xff;
1432 
1433 	kssl_update_handshake_hashes(ssl, cert_buf, cert_len);
1434 
1435 	return (0);
1436 }
1437 
1438 static int
1439 kssl_send_change_cipher_specs(ssl_t *ssl)
1440 {
1441 	mblk_t *mp, *newmp;
1442 	uchar_t *buf;
1443 
1444 	mp = ssl->handshake_sendbuf;
1445 
1446 	/* We're most likely to hit the fast path for resumed sessions */
1447 	if ((mp != NULL) &&
1448 	    (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) {
1449 		buf = mp->b_wptr;
1450 	} else {
1451 		newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI);
1452 
1453 		if (newmp == NULL)
1454 			return (ENOMEM);	/* need to do better job! */
1455 
1456 		if (mp == NULL) {
1457 			ssl->handshake_sendbuf = newmp;
1458 		} else {
1459 			linkb(ssl->handshake_sendbuf, newmp);
1460 		}
1461 		mp = newmp;
1462 		buf = mp->b_rptr;
1463 	}
1464 
1465 	/* 5 byte record header */
1466 	buf[0] = content_change_cipher_spec;
1467 	buf[1] = ssl->major_version;
1468 	buf[2] = ssl->minor_version;
1469 	buf[3] = 0;
1470 	buf[4] = 1;
1471 	buf += SSL3_HDR_LEN;
1472 
1473 	buf[0] = 1;
1474 
1475 	mp->b_wptr = buf + 1;
1476 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
1477 
1478 	ssl->seq_num[KSSL_WRITE] = 0;
1479 	return (kssl_spec_init(ssl, KSSL_WRITE));
1480 }
1481 
1482 int
1483 kssl_spec_init(ssl_t *ssl, int dir)
1484 {
1485 	KSSL_HASHCTX *ctx;
1486 	KSSLCipherSpec *spec = &ssl->spec[dir];
1487 	int ret = 0;
1488 
1489 	spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz;
1490 	spec->mac_padsz = mac_defs[ssl->pending_malg].padsz;
1491 
1492 	spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit;
1493 	spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate;
1494 	spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal;
1495 
1496 	if (dir == KSSL_READ) {
1497 		bcopy(ssl->pending_keyblock, ssl->mac_secret[dir],
1498 		    spec->mac_hashsz);
1499 	} else {
1500 		bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]),
1501 		    ssl->mac_secret[dir], spec->mac_hashsz);
1502 	}
1503 
1504 	/* Pre-compute these here. will save cycles on each record later */
1505 	if (!IS_TLS(ssl)) {
1506 		ctx = &ssl->mac_ctx[dir][0];
1507 		spec->MAC_HashInit((void *)ctx);
1508 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1509 		    spec->mac_hashsz);
1510 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_1,
1511 		    spec->mac_padsz);
1512 
1513 		ctx = &ssl->mac_ctx[dir][1];
1514 		spec->MAC_HashInit((void *)ctx);
1515 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1516 		    spec->mac_hashsz);
1517 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_2,
1518 		    spec->mac_padsz);
1519 	}
1520 
1521 	spec->cipher_type = cipher_defs[ssl->pending_calg].type;
1522 	spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type;
1523 	spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize;
1524 	spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz;
1525 
1526 	if (spec->cipher_ctx != NULL) {
1527 		crypto_cancel_ctx(spec->cipher_ctx);
1528 		spec->cipher_ctx = 0;
1529 	}
1530 
1531 	/*
1532 	 * Initialize HMAC keys for TLS and SSL3 HMAC keys
1533 	 * for SSL 3.0.
1534 	 */
1535 	if (IS_TLS(ssl)) {
1536 		if (ssl->pending_malg == mac_md5) {
1537 			spec->hmac_mech = hmac_md5_mech;
1538 		} else if (ssl->pending_malg == mac_sha) {
1539 			spec->hmac_mech = hmac_sha1_mech;
1540 		}
1541 
1542 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1543 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1544 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1545 	} else {
1546 		static uint32_t param;
1547 
1548 		spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID;
1549 		spec->hmac_mech.cm_param = (caddr_t)&param;
1550 		spec->hmac_mech.cm_param_len = sizeof (param);
1551 		if (ssl->pending_malg == mac_md5) {
1552 			spec->hmac_mech.cm_type =
1553 			    crypto_mech2id("CKM_SSL3_MD5_MAC");
1554 			param = MD5_HASH_LEN;
1555 		} else if (ssl->pending_malg == mac_sha) {
1556 			spec->hmac_mech.cm_type =
1557 			    crypto_mech2id("CKM_SSL3_SHA1_MAC");
1558 			param = SHA1_HASH_LEN;
1559 		}
1560 
1561 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1562 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1563 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1564 	}
1565 
1566 	/* We're done if this is the nil cipher */
1567 	if (spec->cipher_keysz == 0) {
1568 		return (0);
1569 	}
1570 
1571 	/* Initialize the key and the active context */
1572 	spec->cipher_key.ck_format = CRYPTO_KEY_RAW;
1573 	spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */
1574 
1575 	if (cipher_defs[ssl->pending_calg].bsize > 0) {
1576 		/* client_write_IV */
1577 		spec->cipher_mech.cm_param =
1578 		    (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz +
1579 		    2 * spec->cipher_keysz]);
1580 		spec->cipher_mech.cm_param_len = spec->cipher_bsize;
1581 	}
1582 	spec->cipher_data.cd_format = CRYPTO_DATA_RAW;
1583 	if (dir == KSSL_READ) {
1584 		spec->cipher_mech.cm_param_len =
1585 		    cipher_defs[ssl->pending_calg].bsize;
1586 
1587 		/* client_write_key */
1588 		spec->cipher_key.ck_data =
1589 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz]);
1590 
1591 		ret = crypto_decrypt_init(&(spec->cipher_mech),
1592 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1593 		if (CRYPTO_ERR(ret)) {
1594 			DTRACE_PROBE1(kssl_err__crypto_decrypt_init_read,
1595 			    int, ret);
1596 		}
1597 	} else {
1598 		if (cipher_defs[ssl->pending_calg].bsize > 0) {
1599 			/* server_write_IV */
1600 			spec->cipher_mech.cm_param += spec->cipher_bsize;
1601 		}
1602 
1603 		/* server_write_key */
1604 		spec->cipher_key.ck_data =
1605 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz +
1606 		    spec->cipher_keysz]);
1607 
1608 		ret = crypto_encrypt_init(&(spec->cipher_mech),
1609 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1610 		if (CRYPTO_ERR(ret))
1611 			DTRACE_PROBE1(kssl_err__crypto_encrypt_init_non_read,
1612 			    int, ret);
1613 	}
1614 	return (ret);
1615 }
1616 
1617 static int
1618 kssl_send_finished(ssl_t *ssl, int update_hsh)
1619 {
1620 	mblk_t *mp;
1621 	uchar_t *buf;
1622 	uchar_t *rstart;
1623 	uchar_t *versionp;
1624 	SSL3Hashes ssl3hashes;
1625 	uchar_t finish_len;
1626 	int ret;
1627 	uint16_t adj_len = 0;
1628 
1629 	mp = ssl->handshake_sendbuf;
1630 	ASSERT(mp != NULL);
1631 	buf = mp->b_wptr;
1632 	if (ssl->secure_renegotiation)
1633 		adj_len = KSSL_EMPTY_RENEG_INFO_LEN;
1634 	/*
1635 	 * It should be either a message with Server Hello record or just plain
1636 	 * SSL header (data packet).
1637 	 */
1638 	ASSERT(buf - mp->b_rptr ==
1639 	    SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN + SSL3_HDR_LEN + 1 + adj_len ||
1640 	    buf - mp->b_rptr == SSL3_HDR_LEN + 1);
1641 
1642 	rstart = buf;
1643 
1644 	if (IS_TLS(ssl))
1645 		finish_len = TLS_FINISHED_SIZE;
1646 	else
1647 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1648 
1649 	/* 5 byte record header */
1650 	buf[0] = content_handshake;
1651 	buf[1] = ssl->major_version;
1652 	buf[2] = ssl->minor_version;
1653 	buf[3] = 0;
1654 	buf[4] = 4 + finish_len;
1655 
1656 	versionp = &buf[1];
1657 
1658 	buf += SSL3_HDR_LEN;
1659 
1660 	/* 4 byte message header */
1661 	buf[0] = (uchar_t)finished;	/* message type */
1662 	buf[1] = 0;			/* message len byte 0 */
1663 	buf[2] = 0;			/* message len byte 1 */
1664 	buf[3] = finish_len;	/* message len byte 2 */
1665 	buf += 4;
1666 
1667 	if (IS_TLS(ssl)) {
1668 		bcopy(ssl->hs_hashes.md5, ssl3hashes.md5,
1669 		    sizeof (ssl3hashes.md5));
1670 		bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1,
1671 		    sizeof (ssl3hashes.sha1));
1672 	}
1673 
1674 	/* Compute hashes for the SENDER side */
1675 	ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server);
1676 	if (ret != 0)
1677 		return (ret);
1678 
1679 	if (IS_TLS(ssl)) {
1680 		bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash));
1681 	} else {
1682 		bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN);
1683 		bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN);
1684 	}
1685 
1686 	if (update_hsh) {
1687 		kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4);
1688 	}
1689 
1690 	mp->b_wptr = buf + finish_len;
1691 
1692 	ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp,
1693 	    rstart, mp);
1694 	ASSERT(mp->b_wptr <= mp->b_datap->db_lim);
1695 
1696 	return (ret);
1697 }
1698 
1699 int
1700 kssl_mac_encrypt_record(ssl_t *ssl,
1701 	SSL3ContentType ct,
1702 	uchar_t *versionp,
1703 	uchar_t *rstart,
1704 	mblk_t *mp)
1705 {
1706 	KSSLCipherSpec *spec;
1707 	int mac_sz;
1708 	int ret = 0;
1709 	uint16_t rec_sz;
1710 	int pad_sz;
1711 	int i;
1712 
1713 	ASSERT(ssl != NULL);
1714 	ASSERT(rstart >= mp->b_rptr);
1715 	ASSERT(rstart < mp->b_wptr);
1716 
1717 	spec = &ssl->spec[KSSL_WRITE];
1718 	mac_sz = spec->mac_hashsz;
1719 
1720 	rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN;
1721 	ASSERT(rec_sz > 0);
1722 
1723 	if (mac_sz != 0) {
1724 		ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim);
1725 		ret = kssl_compute_record_mac(ssl, KSSL_WRITE,
1726 		    ssl->seq_num[KSSL_WRITE], ct, versionp,
1727 		    rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr);
1728 		if (ret == CRYPTO_SUCCESS) {
1729 			ssl->seq_num[KSSL_WRITE]++;
1730 			mp->b_wptr += mac_sz;
1731 			rec_sz += mac_sz;
1732 		} else {
1733 			return (ret);
1734 		}
1735 	}
1736 
1737 	if (spec->cipher_type == type_block) {
1738 		pad_sz = spec->cipher_bsize -
1739 		    (rec_sz & (spec->cipher_bsize - 1));
1740 		ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim);
1741 		for (i = 0; i < pad_sz; i++) {
1742 			mp->b_wptr[i] = pad_sz - 1;
1743 		}
1744 		mp->b_wptr += pad_sz;
1745 		rec_sz += pad_sz;
1746 	}
1747 
1748 	ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH);
1749 
1750 	U16_TO_BE16(rec_sz, rstart + 3);
1751 
1752 	if (spec->cipher_ctx == 0)
1753 		return (ret);
1754 
1755 	spec->cipher_data.cd_length = rec_sz;
1756 	spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN);
1757 	spec->cipher_data.cd_raw.iov_len = rec_sz;
1758 	/* One record at a time. Otherwise, gotta allocate the crypt_data_t */
1759 	ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data,
1760 	    NULL, NULL);
1761 	if (CRYPTO_ERR(ret)) {
1762 		DTRACE_PROBE1(kssl_err__crypto_encrypt_update,
1763 		    int, ret);
1764 	}
1765 	return (ret);
1766 }
1767 
1768 /*
1769  * Produce SSL alert message (SSLv3/TLS) or error message (SSLv2). For SSLv2
1770  * it is only done to tear down the SSL connection so it has fixed encoding.
1771  */
1772 void
1773 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc)
1774 {
1775 	mblk_t *mp;
1776 	uchar_t *buf;
1777 	KSSLCipherSpec *spec;
1778 	size_t len;
1779 
1780 	ASSERT(ssl != NULL);
1781 
1782 	ssl->sendalert_level = level;
1783 	ssl->sendalert_desc = desc;
1784 
1785 	if (level == alert_fatal) {
1786 		DTRACE_PROBE2(kssl_sending_alert,
1787 		    SSL3AlertLevel, level, SSL3AlertDescription, desc);
1788 		if (ssl->sid.cached == B_TRUE) {
1789 			kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
1790 		}
1791 		ssl->fatal_alert = B_TRUE;
1792 		KSSL_COUNTER(fatal_alerts, 1);
1793 	} else
1794 		KSSL_COUNTER(warning_alerts, 1);
1795 
1796 	spec = &ssl->spec[KSSL_WRITE];
1797 
1798 	ASSERT(ssl->alert_sendbuf == NULL);
1799 	if (ssl->major_version == 0x03) {
1800 		len = SSL3_HDR_LEN + SSL3_ALERT_LEN;
1801 	} else {
1802 		/* KSSL generates 5 byte SSLv2 alert messages only. */
1803 		len = 5;
1804 	}
1805 	ssl->alert_sendbuf = mp = allocb(len + spec->mac_hashsz +
1806 	    spec->cipher_bsize, BPRI_HI);
1807 	if (mp == NULL) {
1808 		KSSL_COUNTER(alloc_fails, 1);
1809 		return;
1810 	}
1811 	buf = mp->b_wptr;
1812 
1813 	/* SSLv3/TLS */
1814 	if (ssl->major_version == 0x03) {
1815 		/* 5 byte record header */
1816 		buf[0] = content_alert;
1817 		buf[1] = ssl->major_version;
1818 		buf[2] = ssl->minor_version;
1819 		buf[3] = 0;
1820 		buf[4] = 2;
1821 		buf += SSL3_HDR_LEN;
1822 
1823 		/* alert contents */
1824 		buf[0] = (uchar_t)level;
1825 		buf[1] = (uchar_t)desc;
1826 		buf += SSL3_ALERT_LEN;
1827 	} else {
1828 	/* SSLv2 has different encoding. */
1829 		/* 2-byte encoding of the length */
1830 		buf[0] = 0x80;
1831 		buf[1] = 0x03;
1832 		buf += 2;
1833 
1834 		/* Protocol Message Code = Error */
1835 		buf[0] = 0;
1836 		/* Error Message Code = Undefined Error */
1837 		buf[1] = 0;
1838 		buf[2] = 0;
1839 		buf += 3;
1840 	}
1841 
1842 	mp->b_wptr = buf;
1843 }
1844 
1845 /* Assumes RSA encryption */
1846 static int
1847 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen,
1848     kssl_callback_t cbfn, void *arg)
1849 {
1850 	char *buf;
1851 	uchar_t *pms;
1852 	size_t pmslen;
1853 	int allocated;
1854 	int err, rverr = ENOMEM;
1855 	kssl_entry_t *ep;
1856 	crypto_key_t *privkey;
1857 	crypto_data_t *wrapped_pms_data, *pms_data;
1858 	crypto_call_req_t creq, *creqp;
1859 
1860 	ep = ssl->kssl_entry;
1861 	privkey = ep->ke_private_key;
1862 	if (privkey == NULL) {
1863 		return (ENOENT);
1864 	}
1865 
1866 	ASSERT(ssl->msg.type == client_key_exchange);
1867 	ASSERT(ssl->hs_waitstate == wait_client_key);
1868 
1869 	/*
1870 	 * TLS adds an extra 2 byte length field before the data.
1871 	 */
1872 	if (IS_TLS(ssl)) {
1873 		msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1];
1874 		mp->b_rptr += 2;
1875 	}
1876 
1877 	/*
1878 	 * Allocate all we need in one shot. about 300 bytes total, for
1879 	 * 1024 bit RSA modulus.
1880 	 * The buffer layout will be: pms_data, wrapped_pms_data, the
1881 	 * value of the wrapped pms from the client, then room for the
1882 	 * resulting decrypted premaster secret.
1883 	 */
1884 	allocated = 2 * (sizeof (crypto_data_t) + msglen);
1885 	buf = kmem_alloc(allocated, KM_NOSLEEP);
1886 	if (buf == NULL) {
1887 		return (ENOMEM);
1888 	}
1889 
1890 	pms_data = (crypto_data_t *)buf;
1891 	wrapped_pms_data = &(((crypto_data_t *)buf)[1]);
1892 
1893 	wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW;
1894 	wrapped_pms_data->cd_offset = pms_data->cd_offset = 0;
1895 	wrapped_pms_data->cd_length = pms_data->cd_length = msglen;
1896 	wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL;
1897 	wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen;
1898 	wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t);
1899 	pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen;
1900 
1901 	bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen);
1902 	mp->b_rptr += msglen;
1903 
1904 	/* Proceed synchronously if out of interrupt and configured to do so */
1905 	if ((kssl_synchronous) && (!servicing_interrupt())) {
1906 		creqp = NULL;
1907 	} else {
1908 		ssl->cke_callback_func = cbfn;
1909 		ssl->cke_callback_arg = arg;
1910 		creq.cr_flag = kssl_call_flag;
1911 		creq.cr_callback_func = kssl_cke_done;
1912 		creq.cr_callback_arg = ssl;
1913 
1914 		creqp = &creq;
1915 	}
1916 
1917 	if (ep->ke_is_nxkey) {
1918 		kssl_session_info_t *s;
1919 
1920 		s = ep->ke_sessinfo;
1921 		err = CRYPTO_SUCCESS;
1922 		if (!s->is_valid_handle) {
1923 			/* Reauthenticate to the provider */
1924 			if (s->do_reauth) {
1925 				err = kssl_get_obj_handle(ep);
1926 				if (err == CRYPTO_SUCCESS) {
1927 					s->is_valid_handle = B_TRUE;
1928 					s->do_reauth = B_FALSE;
1929 				}
1930 			} else
1931 				err = CRYPTO_FAILED;
1932 		}
1933 
1934 		if (err == CRYPTO_SUCCESS) {
1935 			ASSERT(s->is_valid_handle);
1936 			err = crypto_decrypt_prov(s->prov, s->sid,
1937 			    &rsa_x509_mech, wrapped_pms_data, &s->key,
1938 			    NULL, pms_data, creqp);
1939 		}
1940 
1941 		/*
1942 		 * Deal with session specific errors. We translate to
1943 		 * the closest errno.
1944 		 */
1945 		switch (err) {
1946 		case CRYPTO_KEY_HANDLE_INVALID:
1947 		case CRYPTO_SESSION_HANDLE_INVALID:
1948 			s->is_valid_handle = B_FALSE;
1949 			s->do_reauth = B_TRUE;
1950 			rverr = EINVAL;
1951 			break;
1952 		case CRYPTO_PIN_EXPIRED:
1953 		case CRYPTO_PIN_LOCKED:
1954 			rverr = EACCES;
1955 			break;
1956 		case CRYPTO_UNKNOWN_PROVIDER:
1957 			rverr = ENXIO;
1958 			break;
1959 		}
1960 	} else {
1961 		err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data,
1962 		    privkey, NULL, pms_data, creqp);
1963 	}
1964 
1965 	switch (err) {
1966 	case CRYPTO_SUCCESS:
1967 		break;
1968 
1969 	case CRYPTO_QUEUED:
1970 		/*
1971 		 * Finish the master secret then the rest of key material
1972 		 * derivation later.
1973 		 */
1974 		ssl->job.kjob = creq.cr_reqid;
1975 		ssl->job.buf = buf;
1976 		ssl->job.buflen = allocated;
1977 		ssl->hs_waitstate = wait_client_key_done;
1978 		return (0);
1979 	default:
1980 		DTRACE_PROBE1(kssl_err__crypto_decrypt, int, err);
1981 		kmem_free(buf, allocated);
1982 		return (rverr);
1983 	}
1984 
1985 	pmslen = pms_data->cd_length;
1986 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1987 
1988 	/* generate master key and save it in the ssl sid structure */
1989 	if (IS_TLS(ssl)) {
1990 		err = kssl_generate_tls_ms(ssl, pms, pmslen);
1991 		if (!CRYPTO_ERR(err))
1992 			err = kssl_generate_tls_keyblock(ssl);
1993 	} else {
1994 		kssl_generate_ssl_ms(ssl, pms, pmslen);
1995 		kssl_generate_keyblock(ssl);
1996 	}
1997 
1998 	if (err == CRYPTO_SUCCESS)
1999 		ssl->hs_waitstate = wait_change_cipher;
2000 
2001 	ssl->activeinput = B_FALSE;
2002 
2003 	kmem_free(buf, allocated);
2004 
2005 	return (0);
2006 }
2007 
2008 static int
2009 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen)
2010 {
2011 	int err;
2012 	size_t finish_len;
2013 	int hashcompare;
2014 
2015 	ASSERT(ssl->msg.type == finished);
2016 	ASSERT(ssl->hs_waitstate == wait_finished);
2017 
2018 	if (IS_TLS(ssl))
2019 		finish_len = TLS_FINISHED_SIZE;
2020 	else
2021 		finish_len = KSSL_SSL3_FIN_MSGLEN;
2022 
2023 	if (msglen != finish_len) {
2024 		kssl_send_alert(ssl, alert_fatal, illegal_parameter);
2025 		return (EBADMSG);
2026 	}
2027 
2028 	if (IS_TLS(ssl)) {
2029 		hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash,
2030 		    finish_len);
2031 	} else {
2032 		hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len);
2033 	}
2034 
2035 	/* The handshake hashes should be computed by now */
2036 	if (hashcompare != 0) {
2037 		kssl_send_alert(ssl, alert_fatal, handshake_failure);
2038 		return (EBADMSG);
2039 	}
2040 
2041 	mp->b_rptr += msglen;
2042 
2043 	ssl->hs_waitstate = idle_handshake;
2044 
2045 	if (ssl->resumed == B_TRUE) {
2046 		ssl->activeinput = B_FALSE;
2047 		return (0);
2048 	}
2049 
2050 	err = kssl_send_change_cipher_specs(ssl);
2051 	if (err != 0) {
2052 		return (err);
2053 	}
2054 	err = kssl_send_finished(ssl, 0);
2055 	if (err != 0) {
2056 		return (err);
2057 	}
2058 
2059 	kssl_cache_sid(&ssl->sid, ssl->kssl_entry);
2060 	ssl->activeinput = B_FALSE;
2061 
2062 	return (0);
2063 }
2064 
2065 #define	KSSL2_CH_MIN_RECSZ	(9)
2066 
2067 /*
2068  * This method is needed to handle clients which send the
2069  * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers.
2070  * We are not really doing SSLv2 here, just handling the header
2071  * and then switching to SSLv3.
2072  */
2073 int
2074 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz)
2075 {
2076 	uchar_t *recend;
2077 	int err;
2078 	SSL3AlertDescription desc = illegal_parameter;
2079 	uint_t randlen;
2080 	uint_t sidlen;
2081 	uint_t cslen;
2082 	uchar_t *suitesp;
2083 	uchar_t *rand;
2084 	uint_t i, j;
2085 	uint16_t suite, selected_suite;
2086 	int ch_recsz = KSSL2_CH_MIN_RECSZ;
2087 	boolean_t suite_found = B_FALSE;
2088 
2089 	ASSERT(mp->b_wptr >= mp->b_rptr + recsz);
2090 	ASSERT(ssl->hs_waitstate == wait_client_hello);
2091 	ASSERT(ssl->resumed == B_FALSE);
2092 
2093 	if (recsz < ch_recsz) {
2094 		DTRACE_PROBE2(kssl_err__reclen_less_than_minimum,
2095 		    int, recsz, int, ch_recsz);
2096 		goto falert;
2097 	}
2098 
2099 	MD5Init(&ssl->hs_md5);
2100 	SHA1Init(&ssl->hs_sha1);
2101 
2102 	kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz);
2103 
2104 	recend = mp->b_rptr + recsz;
2105 
2106 	if (*mp->b_rptr != 1) {
2107 		DTRACE_PROBE1(kssl_err__invalid_version, uint_t, *mp->b_rptr);
2108 		goto falert;
2109 	}
2110 	mp->b_rptr += 3;
2111 
2112 	cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
2113 	sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3];
2114 	randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5];
2115 	if (cslen % 3 != 0) {
2116 		DTRACE_PROBE1(kssl_err__cipher_suites_len_error, uint_t, cslen);
2117 		goto falert;
2118 	}
2119 	if (randlen < SSL_MIN_CHALLENGE_BYTES ||
2120 	    randlen > SSL_MAX_CHALLENGE_BYTES) {
2121 		DTRACE_PROBE1(kssl_err__randlen_out_of_range,
2122 		    uint_t, randlen);
2123 		goto falert;
2124 	}
2125 	mp->b_rptr += 6;
2126 	ch_recsz += cslen + sidlen + randlen;
2127 	if (recsz != ch_recsz) {
2128 		DTRACE_PROBE2(kssl_err__invalid_message_len_sum,
2129 		    int, recsz, int, ch_recsz);
2130 		goto falert;
2131 	}
2132 	suitesp = mp->b_rptr;
2133 	rand = suitesp + cslen + sidlen;
2134 	if (randlen < SSL3_RANDOM_LENGTH) {
2135 		bzero(ssl->client_random, SSL3_RANDOM_LENGTH);
2136 	}
2137 	bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen],
2138 	    randlen);
2139 
2140 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
2141 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
2142 		for (j = 0; j < cslen; j += 3) {
2143 			DTRACE_PROBE2(kssl_cipher_suite_check_v2,
2144 			    uint16_t, suite,
2145 			    uint16_t,
2146 			    (uint16_t)((suitesp[j+1] << 8) + suitesp[j+2]));
2147 			if (suitesp[j] != 0) {
2148 				continue;
2149 			}
2150 
2151 			/* Check for regular (true) cipher suite. */
2152 			if (suitesp[j + 1] == ((suite >> 8) & 0xff) &&
2153 			    suitesp[j + 2] == (suite & 0xff)) {
2154 				DTRACE_PROBE1(kssl_cipher_suite_found,
2155 				    uint16_t, suite);
2156 				suite_found = B_TRUE;
2157 				selected_suite = suite;
2158 			}
2159 
2160 			/* Check for SCSV. */
2161 			if (suitesp[j + 1] ==  ((SSL_SCSV >> 8) & 0xff) &&
2162 			    suitesp[j + 2] == (SSL_SCSV & 0xff)) {
2163 				DTRACE_PROBE(kssl_scsv_found);
2164 				ssl->secure_renegotiation = B_TRUE;
2165 			}
2166 			/*
2167 			 * If we got cipher suite match and SCSV or went
2168 			 * through the whole list of client cipher suites
2169 			 * (hence we know if SCSV was present or not) we
2170 			 * can terminate the cycle now.
2171 			 */
2172 			if (suite_found &&
2173 			    (ssl->secure_renegotiation || (i > 0)))
2174 				break;
2175 		}
2176 		if (suite_found)
2177 			break;
2178 	}
2179 	if (!suite_found) {
2180 		DTRACE_PROBE(kssl_err__no_SSLv2_cipher_suite);
2181 		ssl->activeinput = B_FALSE;
2182 		/*
2183 		 * If there is no fallback point terminate the handshake with
2184 		 * SSL alert otherwise return with SSL_MISS.
2185 		 */
2186 		if (ssl->kssl_entry->ke_fallback_head == NULL) {
2187 			DTRACE_PROBE(kssl_no_fallback);
2188 			desc = handshake_failure;
2189 			goto falert;
2190 		} else {
2191 			return (SSL_MISS);
2192 		}
2193 	}
2194 
2195 	mp->b_rptr = recend;
2196 
2197 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
2198 		if (selected_suite == cipher_suite_defs[i].suite) {
2199 			break;
2200 		}
2201 	}
2202 
2203 	ASSERT(i < cipher_suite_defs_nentries);
2204 
2205 	ssl->pending_cipher_suite = selected_suite;
2206 	ssl->pending_malg = cipher_suite_defs[i].malg;
2207 	ssl->pending_calg = cipher_suite_defs[i].calg;
2208 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
2209 
2210 	ASSERT(ssl->sid.cached == B_FALSE);
2211 
2212 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
2213 	    SSL3_SESSIONID_BYTES);
2214 	ssl->sid.client_addr = ssl->faddr;
2215 	ssl->sid.cipher_suite = selected_suite;
2216 
2217 	err = kssl_send_server_hello(ssl);
2218 	if (err != 0) {
2219 		return (err);
2220 	}
2221 	err = kssl_send_certificate_and_server_hello_done(ssl);
2222 	if (err != 0) {
2223 		return (err);
2224 	}
2225 	KSSL_COUNTER(full_handshakes, 1);
2226 	ssl->hs_waitstate = wait_client_key;
2227 	ssl->activeinput = B_FALSE;
2228 	return (0);
2229 
2230 falert:
2231 	kssl_send_alert(ssl, alert_fatal, desc);
2232 	ssl->activeinput = B_FALSE;
2233 	return (EBADMSG);
2234 }
2235 
2236 /*
2237  * Call back routine for asynchronously submitted RSA decryption jobs.
2238  * This routine retrieves the pre-master secret, and proceeds to generate
2239  * the remaining key materials.
2240  */
2241 static void
2242 kssl_cke_done(void *arg, int status)
2243 {
2244 	int ret = 0;
2245 	uchar_t *pms;
2246 	size_t pmslen;
2247 	crypto_data_t *pms_data;
2248 	kssl_cmd_t kssl_cmd = KSSL_CMD_NONE;
2249 	ssl_t *ssl = (ssl_t *)arg;
2250 	mblk_t *alertmp;
2251 	kssl_callback_t cbfn;
2252 	void *cbarg;
2253 
2254 	mutex_enter(&ssl->kssl_lock);
2255 
2256 	ASSERT(ssl->msg.type == client_key_exchange);
2257 	ASSERT(ssl->hs_waitstate == wait_client_key_done);
2258 
2259 	if (status != CRYPTO_SUCCESS) {
2260 		kssl_send_alert(ssl, alert_fatal, decrypt_error);
2261 		kssl_cmd = KSSL_CMD_SEND;
2262 		goto out;
2263 	}
2264 
2265 	pms_data = (crypto_data_t *)(ssl->job.buf);
2266 
2267 	ASSERT(pms_data != NULL);
2268 
2269 	pmslen = pms_data->cd_length;
2270 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
2271 
2272 	/* generate master key and save it in the ssl sid structure */
2273 	if (IS_TLS(ssl)) {
2274 		ret = kssl_generate_tls_ms(ssl, pms, pmslen);
2275 		if (!CRYPTO_ERR(ret))
2276 			ret = kssl_generate_tls_keyblock(ssl);
2277 	} else {
2278 		kssl_generate_ssl_ms(ssl, pms, pmslen);
2279 		kssl_generate_keyblock(ssl);
2280 	}
2281 
2282 	if (ret == CRYPTO_SUCCESS)
2283 		ssl->hs_waitstate = wait_change_cipher;
2284 
2285 out:
2286 	kmem_free(ssl->job.buf, ssl->job.buflen);
2287 
2288 	ssl->job.kjob = 0;
2289 	ssl->job.buf = NULL;
2290 	ssl->job.buflen = 0;
2291 
2292 	ssl->activeinput = B_FALSE;
2293 
2294 	cbfn = ssl->cke_callback_func;
2295 	cbarg = ssl->cke_callback_arg;
2296 	alertmp = ssl->alert_sendbuf;
2297 	ssl->alert_sendbuf = NULL;
2298 
2299 	/* dropped by callback when it has completed */
2300 	ssl->async_ops_pending++;
2301 	mutex_exit(&ssl->kssl_lock);
2302 
2303 	/* Now call the callback routine */
2304 	(*(cbfn))(cbarg, alertmp, kssl_cmd);
2305 }
2306 
2307 /*
2308  * Returns the first complete contiguous record out of rec_ass_head
2309  * The record is returned in a separate contiguous mblk, rec_ass_head is
2310  * left pointing to the next record in the queue.
2311  *
2312  * The output looks as follows:
2313  *
2314  * |--------|---------- .... -----|<---------->|<----------->|--- ... ---|
2315  * ^        ^                     ^  mac_size     pad_size               ^
2316  * |        |___ b_rptr  b_wptr __|                                      |
2317  * |                                                                     |
2318  * |___ db_base                                                db_lim ___|
2319  */
2320 mblk_t *
2321 kssl_get_next_record(ssl_t *ssl)
2322 {
2323 	mblk_t *mp, *retmp;
2324 	int rhsz = SSL3_HDR_LEN;
2325 	uint16_t rec_sz;
2326 	int mpsz, total_size;
2327 	SSL3ContentType content_type;
2328 
2329 	ASSERT(MUTEX_HELD(&ssl->kssl_lock));
2330 
2331 	mp = ssl->rec_ass_head;
2332 	if (mp == NULL)
2333 		return (NULL);
2334 
2335 	/* Fast path: when mp has at least a complete record */
2336 	if (MBLKL(mp) < rhsz) {
2337 		DTRACE_PROBE1(kssl_mblk__incomplete_header,
2338 		    mblk_t *, mp);
2339 		/* Not even a complete header in there yet */
2340 		if (msgdsize(mp) < rhsz) {
2341 			return (NULL);
2342 		}
2343 
2344 		if (!pullupmsg(mp, rhsz)) {
2345 			kssl_send_alert(ssl, alert_fatal, internal_error);
2346 			freemsg(mp);
2347 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2348 			return (NULL);
2349 		}
2350 	}
2351 	content_type = (SSL3ContentType)mp->b_rptr[0];
2352 	if (content_type == content_handshake_v2) {
2353 		DTRACE_PROBE1(kssl_mblk__ssl_v2, mblk_t *, mp);
2354 		rec_sz = (uint16_t)mp->b_rptr[1];
2355 		rhsz = 2;
2356 	} else {
2357 		DTRACE_PROBE1(kssl_mblk__ssl_v3, mblk_t *, mp);
2358 		uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3;
2359 		rec_sz = BE16_TO_U16(rec_sz_p);
2360 	}
2361 
2362 	/*
2363 	 * same tests as above. Only rare very fragmented cases will
2364 	 * incur the cost of msgdsize() and msgpullup(). Well formed
2365 	 * packets will fall in the most frequent fast path.
2366 	 */
2367 	total_size = rhsz + rec_sz;
2368 
2369 	/*
2370 	 * Missing: defensive against record fabricated with longer than
2371 	 * MAX record length.
2372 	 */
2373 	if (MBLKL(mp) < total_size) {
2374 		DTRACE_PROBE2(kssl_mblk__smaller_than_total_size,
2375 		    mblk_t *, mp, int, total_size);
2376 		/* Not a complete record yet. Keep accumulating */
2377 		if (msgdsize(mp) < total_size) {
2378 			return (NULL);
2379 		}
2380 
2381 		if (!pullupmsg(mp, total_size)) {
2382 			kssl_send_alert(ssl, alert_fatal, internal_error);
2383 			freemsg(mp);
2384 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2385 			return (NULL);
2386 		}
2387 	}
2388 	mpsz = MBLKL(mp);	/* could've changed after the pullup */
2389 
2390 	if (mpsz > total_size) {
2391 		DTRACE_PROBE2(kssl_mblk__bigger_than_total_size,
2392 		    mblk_t *, mp, int, total_size);
2393 		/* gotta allocate a new block */
2394 		if ((retmp = dupb(mp)) == NULL) {
2395 			kssl_send_alert(ssl, alert_fatal, internal_error);
2396 			freemsg(mp);
2397 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2398 			return (NULL);
2399 		}
2400 
2401 		retmp->b_wptr = retmp->b_rptr + total_size;
2402 		mp->b_rptr += total_size;
2403 		ssl->rec_ass_head = mp;
2404 	} else {
2405 		DTRACE_PROBE2(kssl_mblk__equal_to_total_size,
2406 		    mblk_t *, mp, int, total_size);
2407 		ASSERT(mpsz == total_size);
2408 		ssl->rec_ass_head = mp->b_cont;
2409 		mp->b_cont = NULL;
2410 		retmp = mp;
2411 	}
2412 	/* Adjust the tail */
2413 	if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) {
2414 		for (; mp->b_cont != NULL; mp = mp->b_cont) {
2415 			ssl->rec_ass_tail = mp->b_cont;
2416 		}
2417 	}
2418 
2419 	return (retmp);
2420 }
2421 
2422 
2423 static void
2424 kssl_mblksfree(ssl_t *ssl)
2425 {
2426 
2427 	ASSERT(ssl != NULL);
2428 
2429 	if (ssl->rec_ass_head != NULL) {
2430 		freemsg(ssl->rec_ass_head);
2431 	}
2432 	ssl->rec_ass_head = NULL;
2433 	ssl->rec_ass_tail = NULL;
2434 
2435 	if (ssl->msg.head != NULL) {
2436 		freemsg(ssl->msg.head);
2437 	}
2438 	ssl->msg.head = NULL;
2439 	ssl->msg.tail = NULL;
2440 
2441 	if (ssl->handshake_sendbuf != NULL) {
2442 		freemsg(ssl->handshake_sendbuf);
2443 		ssl->handshake_sendbuf = NULL;
2444 	}
2445 	if (ssl->alert_sendbuf != NULL) {
2446 		freemsg(ssl->alert_sendbuf);
2447 		ssl->alert_sendbuf = NULL;
2448 	}
2449 }
2450 
2451 static void
2452 kssl_specsfree(ssl_t *ssl)
2453 {
2454 	KSSLCipherSpec *spec = &ssl->spec[KSSL_READ];
2455 
2456 	if (spec->cipher_ctx != NULL) {
2457 		crypto_cancel_ctx(spec->cipher_ctx);
2458 		spec->cipher_ctx = 0;
2459 	}
2460 
2461 	spec = &ssl->spec[KSSL_WRITE];
2462 
2463 	if (spec->cipher_ctx != NULL) {
2464 		crypto_cancel_ctx(spec->cipher_ctx);
2465 		spec->cipher_ctx = 0;
2466 	}
2467 }
2468 
2469 /*
2470  * Frees the ssl structure (aka the context of an SSL session).
2471  * Any pending crypto jobs are cancelled.
2472  * Any initiated crypto contexts are freed as well.
2473  */
2474 void
2475 kssl_free_context(ssl_t *ssl)
2476 {
2477 	crypto_req_id_t reqid;
2478 
2479 	ASSERT(ssl != NULL);
2480 	if (!(MUTEX_HELD(&ssl->kssl_lock))) {
2481 		/* we're coming from an external API entry point */
2482 		mutex_enter(&ssl->kssl_lock);
2483 	}
2484 
2485 	/*
2486 	 * Cancel any active crypto request and wait for pending async
2487 	 * operations to complete. We loop here because the async thread
2488 	 * might submit a new cryto request.
2489 	 */
2490 	do {
2491 		if (ssl->job.kjob != NULL) {
2492 			/*
2493 			 * Drop the lock before canceling the request;
2494 			 * otherwise we might deadlock if the completion
2495 			 * callback is running.
2496 			 */
2497 			reqid = ssl->job.kjob;
2498 			mutex_exit(&ssl->kssl_lock);
2499 			crypto_cancel_req(reqid);
2500 			mutex_enter(&ssl->kssl_lock);
2501 
2502 			/* completion callback might have done the cleanup */
2503 			if (ssl->job.kjob != NULL) {
2504 				kmem_free(ssl->job.buf, ssl->job.buflen);
2505 				ssl->job.kjob = 0;
2506 				ssl->job.buf = NULL;
2507 				ssl->job.buflen = 0;
2508 			}
2509 		}
2510 		while (ssl->async_ops_pending > 0)
2511 			cv_wait(&ssl->async_cv, &ssl->kssl_lock);
2512 	} while (ssl->job.kjob != NULL);
2513 
2514 	kssl_mblksfree(ssl);
2515 	kssl_specsfree(ssl);
2516 
2517 	KSSL_ENTRY_REFRELE(ssl->kssl_entry);
2518 	ssl->kssl_entry = NULL;
2519 
2520 	mutex_exit(&ssl->kssl_lock);
2521 
2522 	kmem_cache_free(kssl_cache, ssl);
2523 }
2524