xref: /titanic_44/usr/src/uts/common/inet/kssl/ksslrec.c (revision 2fd415f4d49063706ad7fbc8b867ebe4a580b7fd)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/stream.h>
28 #include <sys/strsubr.h>
29 #include <sys/stropts.h>
30 #include <sys/strsun.h>
31 #define	_SUN_TPI_VERSION 2
32 #include <sys/ddi.h>
33 #include <sys/sunddi.h>
34 #include <sys/debug.h>
35 #include <sys/vtrace.h>
36 #include <sys/kmem.h>
37 #include <sys/cpuvar.h>
38 #include <sys/atomic.h>
39 #include <sys/sysmacros.h>
40 
41 #include <sys/errno.h>
42 #include <sys/isa_defs.h>
43 #include <sys/md5.h>
44 #include <sys/sha1.h>
45 #include <sys/random.h>
46 #include <inet/common.h>
47 #include <netinet/in.h>
48 
49 #include <sys/systm.h>
50 #include <sys/param.h>
51 
52 #include "ksslimpl.h"
53 #include "ksslapi.h"
54 #include "ksslproto.h"
55 
56 static ssl3CipherSuiteDef cipher_suite_defs[] = {
57 	/* 2 X 16 byte keys +  2 x 20 byte MAC secrets, no IVs */
58 	{SSL_RSA_WITH_RC4_128_SHA,	cipher_rc4,	mac_sha,	72},
59 
60 	/* 2 X 16 byte keys +  2 x 16 byte MAC secrets, no IVs */
61 	{SSL_RSA_WITH_RC4_128_MD5,	cipher_rc4,	mac_md5,	64},
62 
63 	/* 2 X 8 byte keys +  2 x 20 byte MAC secrets, 2 x 8 byte IVs */
64 	{SSL_RSA_WITH_DES_CBC_SHA,	cipher_des,	mac_sha,	72},
65 
66 	/* 2 X 24 byte keys +  2 x 20 byte MAC secrets, 2 x 8 byte IVs */
67 	{SSL_RSA_WITH_3DES_EDE_CBC_SHA,	cipher_3des,	mac_sha,	104},
68 
69 	/* 2 X 16 byte keys +  2 x 20 byte MAC secrets, 2 x 16 byte IVs */
70 	{TLS_RSA_WITH_AES_128_CBC_SHA,	cipher_aes128,	mac_sha,	104},
71 
72 	/* 2 X 32 byte keys +  2 x 20 byte MAC secrets, 2 x 16 byte IVs */
73 	{TLS_RSA_WITH_AES_256_CBC_SHA,	cipher_aes256,	mac_sha,	136},
74 
75 	{SSL_RSA_WITH_NULL_SHA,		cipher_null,	mac_sha,	40}
76 };
77 
78 static int cipher_suite_defs_nentries =
79     sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]);
80 
81 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
82 	/* macsz padsz HashInit HashUpdate HashFinal */
83 
84 	{MD5_HASH_LEN, SSL3_MD5_PAD_LEN,
85 	    (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update,
86 	    (hashfinal_func_t)MD5Final},
87 
88 	{SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN,
89 	    (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update,
90 	    (hashfinal_func_t)SHA1Final},
91 };
92 
93 static uchar_t kssl_pad_1[60] = {
94     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
95     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
96     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
97     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
98     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
99     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
100     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
101     0x36, 0x36, 0x36, 0x36
102 };
103 static uchar_t kssl_pad_2[60] = {
104     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
105     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
106     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
107     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
108     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
109     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
110     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
111     0x5c, 0x5c, 0x5c, 0x5c
112 };
113 
114 int kssl_cache_count;
115 static boolean_t kssl_synchronous = B_FALSE;
116 
117 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t);
118 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t);
119 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int);
120 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int,
121     kssl_callback_t, void *);
122 static int kssl_send_server_hello(ssl_t *);
123 static int kssl_send_certificate_and_server_hello_done(ssl_t *);
124 static int kssl_send_change_cipher_specs(ssl_t *);
125 static int kssl_send_finished(ssl_t *, int);
126 static int kssl_handle_finished(ssl_t *, mblk_t *, int);
127 static void kssl_get_hello_random(uchar_t *);
128 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *);
129 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *);
130 static void kssl_lookup_sid(sslSessionID *, uchar_t *, in6_addr_t *,
131     kssl_entry_t *);
132 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t);
133 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t);
134 static int kssl_generate_tls_keyblock(ssl_t *);
135 static void kssl_generate_keyblock(ssl_t *);
136 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t,
137     int, uchar_t *, int);
138 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t,
139     uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
140 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *,
141     size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
142 static void kssl_cke_done(void *, int);
143 
144 #define	HMAC_INIT(m, k, c) \
145 	rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end;
146 
147 #define	HMAC_UPDATE(c, d, l) \
148 	dd.cd_raw.iov_base = (char *)d; \
149 	dd.cd_length = dd.cd_raw.iov_len = l; \
150 	rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end;
151 
152 #define	HMAC_FINAL(c, d, l) \
153 	mac.cd_raw.iov_base = (char *)d; \
154 	mac.cd_length = mac.cd_raw.iov_len = l; \
155 	rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end;
156 
157 /*
158  * This hack can go away once we have SSL3 MAC support by KCF
159  * software providers (See 4873559).
160  */
161 extern int kcf_md5_threshold;
162 
163 int
164 kssl_compute_record_mac(
165 	ssl_t *ssl,
166 	int direction,
167 	uint64_t seq_num,
168 	SSL3ContentType ct,
169 	uchar_t *versionp,
170 	uchar_t *buf,
171 	int len,
172 	uchar_t *digest)
173 {
174 	KSSL_HASHCTX mac_ctx;
175 	KSSL_HASHCTX *ctx = &mac_ctx;
176 	uchar_t temp[16], *p;
177 	KSSLCipherSpec *spec;
178 	boolean_t hash_use_ok = B_FALSE;
179 	int rv = 0;
180 
181 	spec = &ssl->spec[direction];
182 
183 	if (spec->mac_hashsz == 0) {
184 		return (1);
185 	}
186 
187 	p = temp;
188 
189 	*p++ = (seq_num >> 56) & 0xff;
190 	*p++ = (seq_num >> 48) & 0xff;
191 	*p++ = (seq_num >> 40) & 0xff;
192 	*p++ = (seq_num >> 32) & 0xff;
193 	*p++ = (seq_num >> 24) & 0xff;
194 	*p++ = (seq_num >> 16) & 0xff;
195 	*p++ = (seq_num >> 8) & 0xff;
196 	*p++ = (seq_num) & 0xff;
197 	*p++ = (uchar_t)ct;
198 	if (IS_TLS(ssl)) {
199 		*p++ = versionp[0];
200 		*p++ = versionp[1];
201 	}
202 	*p++ = (len >> 8) & 0xff;
203 	*p++ = (len) & 0xff;
204 
205 	if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID &&
206 	    len >= kcf_md5_threshold)) {
207 		crypto_data_t dd, mac;
208 		struct uio uio_pt;
209 		struct iovec iovarray_pt[2];
210 
211 		/* init the array of iovecs for use in the uio struct */
212 		iovarray_pt[0].iov_base = (char *)temp;
213 		iovarray_pt[0].iov_len = (p - temp);
214 		iovarray_pt[1].iov_base = (char *)buf;
215 		iovarray_pt[1].iov_len = len;
216 
217 		/* init the uio struct for use in the crypto_data_t struct */
218 		bzero(&uio_pt, sizeof (uio_pt));
219 		uio_pt.uio_iov = iovarray_pt;
220 		uio_pt.uio_iovcnt = 2;
221 		uio_pt.uio_segflg = UIO_SYSSPACE;
222 
223 		dd.cd_format = CRYPTO_DATA_UIO;
224 		dd.cd_offset = 0;
225 		dd.cd_length =  (p - temp) + len;
226 		dd.cd_miscdata = NULL;
227 		dd.cd_uio = &uio_pt;
228 
229 		mac.cd_format = CRYPTO_DATA_RAW;
230 		mac.cd_offset = 0;
231 		mac.cd_raw.iov_base = (char *)digest;
232 		mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz;
233 
234 		/*
235 		 * The calling context can tolerate a blocking call here.
236 		 * For outgoing traffic, we are in user context
237 		 * when called from strsock_kssl_output(). For incoming
238 		 * traffic past the SSL handshake, we are in user
239 		 * context when called from strsock_kssl_input(). During the
240 		 * SSL handshake, we are called for client_finished message
241 		 * handling from a squeue worker thread that gets scheduled
242 		 * by an SQ_FILL call. This thread is not in interrupt
243 		 * context and so can block.
244 		 */
245 		rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key,
246 		    NULL, &mac, NULL);
247 
248 		if (CRYPTO_ERR(rv)) {
249 			hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED &&
250 			    !IS_TLS(ssl));
251 			if (!hash_use_ok) {
252 				DTRACE_PROBE1(kssl_err__crypto_mac_error,
253 				    int, rv);
254 				KSSL_COUNTER(compute_mac_failure, 1);
255 			}
256 		}
257 	} else
258 		hash_use_ok = B_TRUE;
259 
260 	if (hash_use_ok) {
261 		bcopy(&(ssl->mac_ctx[direction][0]), ctx,
262 		    sizeof (KSSL_HASHCTX));
263 		spec->MAC_HashUpdate((void *)ctx, temp, p - temp);
264 		spec->MAC_HashUpdate((void *)ctx, buf, len);
265 		spec->MAC_HashFinal(digest, (void *)ctx);
266 
267 		bcopy(&(ssl->mac_ctx[direction][1]), ctx,
268 		    sizeof (KSSL_HASHCTX));
269 		spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz);
270 		spec->MAC_HashFinal(digest, (void *)ctx);
271 	}
272 
273 	return (rv);
274 }
275 
276 /*
277  * Handles handshake messages.
278  * Messages to be replied are returned in handshake_sendbuf.
279  */
280 int
281 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err,
282     kssl_callback_t cbfn, void *arg)
283 {
284 	uint32_t msglen;
285 	uchar_t msghdr[4];
286 
287 	ASSERT(ssl->msg.state == MSG_BODY);
288 	ASSERT(ssl->msg.msglen_bytes == 3);
289 	ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen);
290 
291 	ssl->sslcnt++;
292 	msglen = ssl->msg.msglen;
293 
294 	if (ssl->msg.type == client_hello) {
295 		MD5Init(&ssl->hs_md5);
296 		SHA1Init(&ssl->hs_sha1);
297 	}
298 
299 	if (ssl->msg.type == finished && ssl->resumed == B_FALSE) {
300 		if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
301 		    sender_client) != 0) {
302 			*err = SSL_MISS;
303 			return (0);
304 		}
305 	}
306 
307 	if (ssl->msg.type != finished || ssl->resumed == B_FALSE) {
308 		msghdr[0] = (uchar_t)ssl->msg.type;
309 
310 		msghdr[1] = (uchar_t)(msglen >> 16);
311 		msghdr[2] = (uchar_t)(msglen >> 8);
312 		msghdr[3] = (uchar_t)(msglen);
313 		kssl_update_handshake_hashes(ssl, msghdr, 4);
314 		kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen);
315 	}
316 
317 	ssl->msg.state = MSG_INIT;
318 	ssl->msg.msglen = 0;
319 	ssl->msg.msglen_bytes = 0;
320 
321 	switch (ssl->msg.type) {
322 	case client_hello:
323 		if (ssl->hs_waitstate != wait_client_hello) {
324 			kssl_send_alert(ssl, alert_fatal,
325 			    unexpected_message);
326 			*err = EBADMSG;
327 			ssl->activeinput = B_FALSE;
328 			return (1);
329 		}
330 		*err = kssl_handle_client_hello(ssl, mp, msglen);
331 		if (*err == SSL_MISS) {
332 			ssl->activeinput = B_FALSE;
333 			return (0);
334 		}
335 		return (1);
336 	case client_key_exchange:
337 		if (ssl->hs_waitstate != wait_client_key) {
338 			kssl_send_alert(ssl, alert_fatal,
339 			    unexpected_message);
340 			*err = EBADMSG;
341 			ssl->activeinput = B_FALSE;
342 			return (1);
343 		}
344 		*err = kssl_handle_client_key_exchange(ssl, mp,
345 		    msglen, cbfn, arg);
346 		return (1);
347 	case finished:
348 		if (ssl->hs_waitstate != wait_finished) {
349 			kssl_send_alert(ssl, alert_fatal,
350 			    unexpected_message);
351 			*err = EBADMSG;
352 			ssl->activeinput = B_FALSE;
353 			return (1);
354 		}
355 		*err = kssl_handle_finished(ssl, mp, msglen);
356 		return (1);
357 	default:
358 		kssl_send_alert(ssl, alert_fatal, unexpected_message);
359 		ssl->activeinput = B_FALSE;
360 		*err = EBADMSG;
361 		return (1);
362 	}
363 }
364 
365 static void
366 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len)
367 {
368 	MD5Update(&ssl->hs_md5, buf, len);
369 	SHA1Update(&ssl->hs_sha1, buf, len);
370 }
371 
372 static int
373 kssl_compute_handshake_hashes(
374 	ssl_t *ssl,
375 	SSL3Hashes *hashes,
376 	uint32_t sender)
377 {
378 	MD5_CTX md5 = ssl->hs_md5;	/* clone md5 context */
379 	SHA1_CTX sha1 = ssl->hs_sha1;	/* clone sha1 context */
380 	MD5_CTX *md5ctx = &md5;
381 	SHA1_CTX *sha1ctx = &sha1;
382 
383 	if (IS_TLS(ssl)) {
384 		uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN];
385 		char *label;
386 
387 		/*
388 		 * Do not take another hash step here.
389 		 * Just complete the operation.
390 		 */
391 		MD5Final(hashes->md5, md5ctx);
392 		SHA1Final(hashes->sha1, sha1ctx);
393 
394 		bcopy(hashes->md5, seed, MD5_HASH_LEN);
395 		bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN);
396 
397 		if (sender == sender_client)
398 			label = TLS_CLIENT_FINISHED_LABEL;
399 		else
400 			label = TLS_SERVER_FINISHED_LABEL;
401 
402 		return (kssl_tls_PRF(ssl,
403 		    ssl->sid.master_secret,
404 		    (size_t)SSL3_MASTER_SECRET_LEN,
405 		    (uchar_t *)label, strlen(label),
406 		    seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN),
407 		    hashes->tlshash, (size_t)TLS_FINISHED_SIZE));
408 	} else {
409 		uchar_t s[4];
410 		s[0] = (sender >> 24) & 0xff;
411 		s[1] = (sender >> 16) & 0xff;
412 		s[2] = (sender >> 8) & 0xff;
413 		s[3] = (sender) & 0xff;
414 
415 		MD5Update(md5ctx, s, 4);
416 		MD5Update(md5ctx, ssl->sid.master_secret,
417 		    SSL3_MASTER_SECRET_LEN);
418 		MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN);
419 		MD5Final(hashes->md5, md5ctx);
420 
421 		MD5Init(md5ctx);
422 		MD5Update(md5ctx, ssl->sid.master_secret,
423 		    SSL3_MASTER_SECRET_LEN);
424 		MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN);
425 		MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN);
426 		MD5Final(hashes->md5, md5ctx);
427 
428 		SHA1Update(sha1ctx, s, 4);
429 		SHA1Update(sha1ctx, ssl->sid.master_secret,
430 		    SSL3_MASTER_SECRET_LEN);
431 		SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN);
432 		SHA1Final(hashes->sha1, sha1ctx);
433 
434 		SHA1Init(sha1ctx);
435 		SHA1Update(sha1ctx, ssl->sid.master_secret,
436 		    SSL3_MASTER_SECRET_LEN);
437 		SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN);
438 		SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN);
439 		SHA1Final(hashes->sha1, sha1ctx);
440 		return (0);
441 	}
442 }
443 
444 
445 /*
446  * Minimum message length for a client hello =
447  * 2-byte client_version +
448  * 32-byte random +
449  * 1-byte session_id length +
450  * 2-byte cipher_suites length +
451  * 1-byte compression_methods length +
452  * 1-byte CompressionMethod.null
453  */
454 #define	KSSL_SSL3_CH_MIN_MSGLEN	(39)
455 
456 static int
457 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen)
458 {
459 	uchar_t *msgend;
460 	int err;
461 	SSL3AlertDescription desc = illegal_parameter;
462 	uint_t sidlen, cslen, cmlen;
463 	uchar_t *suitesp;
464 	uint_t i, j;
465 	uint16_t suite;
466 	int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN;
467 
468 	ASSERT(mp->b_wptr >= mp->b_rptr + msglen);
469 	ASSERT(ssl->msg.type == client_hello);
470 	ASSERT(ssl->hs_waitstate == wait_client_hello);
471 	ASSERT(ssl->resumed == B_FALSE);
472 
473 	if (msglen < ch_msglen) {
474 		goto falert;
475 	}
476 
477 	msgend = mp->b_rptr + msglen;
478 
479 	/* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */
480 	if (ssl->major_version != 3 || (ssl->major_version == 3 &&
481 	    ssl->minor_version != 0 && ssl->minor_version != 1)) {
482 		DTRACE_PROBE2(kssl_err__SSL_version_not_supported,
483 		    uchar_t, ssl->major_version,
484 		    uchar_t, ssl->minor_version);
485 		desc = handshake_failure;
486 		goto falert;
487 	}
488 	mp->b_rptr += 2; /* skip the version bytes */
489 
490 	bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH);
491 	mp->b_rptr += SSL3_RANDOM_LENGTH;
492 
493 	ASSERT(ssl->sid.cached == B_FALSE);
494 	sidlen = *mp->b_rptr++;
495 	ch_msglen += sidlen;
496 	if (msglen < ch_msglen) {
497 		goto falert;
498 	}
499 	if (sidlen != SSL3_SESSIONID_BYTES) {
500 		mp->b_rptr += sidlen;
501 	} else {
502 		kssl_lookup_sid(&ssl->sid, mp->b_rptr, &ssl->faddr,
503 		    ssl->kssl_entry);
504 		mp->b_rptr += SSL3_SESSIONID_BYTES;
505 	}
506 
507 	cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
508 	mp->b_rptr += 2;
509 	ch_msglen += cslen;
510 
511 	/*
512 	 * This check can't be a "!=" since there can be
513 	 * compression methods other than CompressionMethod.null.
514 	 * Also, there can be extra data (TLS extensions) after the
515 	 * compression methods field. We do not support any TLS
516 	 * extensions and hence ignore them.
517 	 */
518 	if (msglen < ch_msglen) {
519 		goto falert;
520 	}
521 
522 	/* The length has to be even since a cipher suite is 2-byte long */
523 	if (cslen & 0x1) {
524 		goto falert;
525 	}
526 	suitesp = mp->b_rptr;
527 	if (ssl->sid.cached == B_TRUE) {
528 		suite = ssl->sid.cipher_suite;
529 		for (j = 0; j < cslen; j += 2) {
530 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
531 			    suitesp[j + 1] == (suite & 0xff)) {
532 				break;
533 			}
534 		}
535 		if (j < cslen) {
536 			goto suite_found;
537 		}
538 		kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
539 	}
540 
541 	/* Check if this server is capable of the cipher suite */
542 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
543 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
544 		for (j = 0; j < cslen; j += 2) {
545 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
546 			    suitesp[j + 1] == (suite & 0xff)) {
547 				break;
548 			}
549 		}
550 		if (j < cslen) {
551 			break;
552 		}
553 	}
554 	if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) {
555 		if (ssl->sslcnt == 1) {
556 			KSSL_COUNTER(no_suite_found, 1);
557 			return (SSL_MISS);
558 		}
559 		desc = handshake_failure;
560 		DTRACE_PROBE(kssl_err__no_cipher_suites_found);
561 		goto falert;
562 	}
563 
564 suite_found:
565 	mp->b_rptr += cslen;
566 
567 	/*
568 	 * Check for the mandatory CompressionMethod.null. We do not
569 	 * support any other compression methods.
570 	 */
571 	cmlen = *mp->b_rptr++;
572 	ch_msglen += cmlen - 1;	/* -1 accounts for the null method */
573 	if (msglen < ch_msglen) {
574 		goto falert;
575 	}
576 
577 	while (cmlen >= 1) {
578 		if (*mp->b_rptr++ == 0)
579 			break;
580 		cmlen--;
581 	}
582 
583 	if (cmlen == 0) {
584 		desc = handshake_failure;
585 		DTRACE_PROBE(kssl_err__no_null_method_failure);
586 		goto falert;
587 	}
588 
589 	mp->b_rptr = msgend;
590 
591 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
592 		if (suite == cipher_suite_defs[i].suite) {
593 			break;
594 		}
595 	}
596 
597 	ASSERT(i < cipher_suite_defs_nentries);
598 
599 	ssl->pending_cipher_suite = suite;
600 	ssl->pending_malg = cipher_suite_defs[i].malg;
601 	ssl->pending_calg = cipher_suite_defs[i].calg;
602 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
603 
604 	if (ssl->sid.cached == B_TRUE) {
605 		err = kssl_send_server_hello(ssl);
606 		if (err != 0) {
607 			return (err);
608 		}
609 		if (IS_TLS(ssl))
610 			err = kssl_generate_tls_keyblock(ssl);
611 		else
612 			kssl_generate_keyblock(ssl);
613 
614 		err = kssl_send_change_cipher_specs(ssl);
615 		if (err != 0) {
616 			return (err);
617 		}
618 
619 		err = kssl_send_finished(ssl, 1);
620 		if (err != 0)
621 			return (err);
622 
623 		err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
624 		    sender_client);
625 		if (err != 0)
626 			return (err);
627 
628 		ssl->hs_waitstate = wait_change_cipher;
629 		ssl->resumed = B_TRUE;
630 		ssl->activeinput = B_FALSE;
631 		KSSL_COUNTER(resumed_sessions, 1);
632 		return (0);
633 	}
634 
635 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
636 	    SSL3_SESSIONID_BYTES);
637 	ssl->sid.client_addr = ssl->faddr;
638 	ssl->sid.cipher_suite = suite;
639 
640 	err = kssl_send_server_hello(ssl);
641 	if (err != 0) {
642 		return (err);
643 	}
644 	err = kssl_send_certificate_and_server_hello_done(ssl);
645 	if (err != 0) {
646 		return (err);
647 	}
648 	KSSL_COUNTER(full_handshakes, 1);
649 	ssl->hs_waitstate = wait_client_key;
650 	ssl->activeinput = B_FALSE;
651 	return (0);
652 
653 falert:
654 	kssl_send_alert(ssl, alert_fatal, desc);
655 	return (EBADMSG);
656 }
657 
658 #define	SET_HASH_INDEX(index, s, clnt_addr) {				\
659 	int addr;							\
660 									\
661 	IN6_V4MAPPED_TO_IPADDR(clnt_addr, addr);			\
662 	index = addr ^ (((int)(s)[0] << 24) | ((int)(s)[1] << 16) |	\
663 	    ((int)(s)[2] << 8) | (int)(s)[SSL3_SESSIONID_BYTES - 1]);	\
664 }
665 
666 /*
667  * Creates a cache entry. Sets the sid->cached flag
668  * and sid->time fields. So, the caller should not set them.
669  */
670 static void
671 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
672 {
673 	uint_t index;
674 	uchar_t *s = sid->session_id;
675 	kmutex_t *lock;
676 
677 	ASSERT(sid->cached == B_FALSE);
678 
679 	/* set the values before creating the cache entry */
680 	sid->cached = B_TRUE;
681 	sid->time = ddi_get_lbolt();
682 
683 	SET_HASH_INDEX(index, s, &sid->client_addr);
684 	index %= kssl_entry->sid_cache_nentries;
685 
686 	lock = &(kssl_entry->sid_cache[index].se_lock);
687 	mutex_enter(lock);
688 	kssl_entry->sid_cache[index].se_used++;
689 	bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid));
690 	mutex_exit(lock);
691 
692 	KSSL_COUNTER(sid_cached, 1);
693 }
694 
695 /*
696  * Invalidates the cache entry, if any. Clears the sid->cached flag
697  * as a side effect.
698  */
699 void
700 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
701 {
702 	uint_t index;
703 	uchar_t *s = sid->session_id;
704 	sslSessionID *csid;
705 	kmutex_t *lock;
706 
707 	ASSERT(sid->cached == B_TRUE);
708 	sid->cached = B_FALSE;
709 
710 	SET_HASH_INDEX(index, s, &sid->client_addr);
711 	index %= kssl_entry->sid_cache_nentries;
712 
713 	lock = &(kssl_entry->sid_cache[index].se_lock);
714 	mutex_enter(lock);
715 	csid = &(kssl_entry->sid_cache[index].se_sid);
716 	if (!(IN6_ARE_ADDR_EQUAL(&csid->client_addr, &sid->client_addr)) ||
717 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
718 		mutex_exit(lock);
719 		return;
720 	}
721 	csid->cached = B_FALSE;
722 	mutex_exit(lock);
723 
724 	KSSL_COUNTER(sid_uncached, 1);
725 }
726 
727 static void
728 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, in6_addr_t *faddr,
729     kssl_entry_t *kssl_entry)
730 {
731 	uint_t index;
732 	kmutex_t *lock;
733 	sslSessionID *csid;
734 
735 	KSSL_COUNTER(sid_cache_lookups, 1);
736 
737 	SET_HASH_INDEX(index, s, faddr);
738 	index %= kssl_entry->sid_cache_nentries;
739 
740 	lock = &(kssl_entry->sid_cache[index].se_lock);
741 	mutex_enter(lock);
742 	csid = &(kssl_entry->sid_cache[index].se_sid);
743 	if (csid->cached == B_FALSE ||
744 	    !IN6_ARE_ADDR_EQUAL(&csid->client_addr, faddr) ||
745 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
746 		mutex_exit(lock);
747 		return;
748 	}
749 
750 	if (TICK_TO_SEC(ddi_get_lbolt() - csid->time) >
751 	    kssl_entry->sid_cache_timeout) {
752 		csid->cached = B_FALSE;
753 		mutex_exit(lock);
754 		return;
755 	}
756 
757 	bcopy(csid, sid, sizeof (*sid));
758 	mutex_exit(lock);
759 	ASSERT(sid->cached == B_TRUE);
760 
761 	KSSL_COUNTER(sid_cache_hits, 1);
762 }
763 
764 static uchar_t *
765 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp)
766 {
767 	size_t len = *lenp;
768 	int i = 2;
769 
770 	if (buf[0] != 0 || buf[1] != 2) {
771 		return (NULL);
772 	}
773 
774 	while (i < len) {
775 		if (buf[i++] == 0) {
776 			*lenp = len - i;
777 			break;
778 		}
779 	}
780 
781 	if (i == len) {
782 		return (NULL);
783 	}
784 
785 	return (buf + i);
786 }
787 
788 
789 #define	KSSL_SSL3_SH_RECLEN	(74)
790 #define	KSSL_SSL3_FIN_MSGLEN	(36)
791 
792 #define	KSSL_SSL3_MAX_CCP_FIN_MSGLEN	(128)	/* comfortable upper bound */
793 
794 static int
795 kssl_send_server_hello(ssl_t *ssl)
796 {
797 	mblk_t *mp;
798 	uchar_t *buf;
799 	uchar_t *msgstart;
800 
801 	mp = allocb(ssl->tcp_mss, BPRI_HI);
802 	if (mp == NULL) {
803 		KSSL_COUNTER(alloc_fails, 1);
804 		return (ENOMEM);
805 	}
806 	ssl->handshake_sendbuf = mp;
807 	buf = mp->b_wptr;
808 
809 	/* 5 byte record header */
810 	buf[0] = content_handshake;
811 	buf[1] = ssl->major_version;
812 	buf[2] = ssl->minor_version;
813 	buf[3] = KSSL_SSL3_SH_RECLEN >> 8;
814 	buf[4] = KSSL_SSL3_SH_RECLEN & 0xff;
815 	buf += SSL3_HDR_LEN;
816 
817 	msgstart = buf;
818 
819 	/* 6 byte message header */
820 	buf[0] = (uchar_t)server_hello;			/* message type */
821 	buf[1] = 0;					/* message len byte 0 */
822 	buf[2] = ((KSSL_SSL3_SH_RECLEN - 4) >> 8) &
823 	    0xff;					/* message len byte 1 */
824 	buf[3] = (KSSL_SSL3_SH_RECLEN - 4) & 0xff;	/* message len byte 2 */
825 
826 	buf[4] = ssl->major_version;	/* version byte 0 */
827 	buf[5] = ssl->minor_version;	/* version byte 1 */
828 
829 	buf += 6;
830 
831 	kssl_get_hello_random(ssl->server_random);
832 	bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH);
833 	buf += SSL3_RANDOM_LENGTH;
834 
835 	buf[0] = SSL3_SESSIONID_BYTES;
836 	bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES);
837 	buf += SSL3_SESSIONID_BYTES + 1;
838 
839 	buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff;
840 	buf[1] = ssl->pending_cipher_suite & 0xff;
841 
842 	buf[2] = 0;	/* No compression */
843 
844 	mp->b_wptr = buf + 3;
845 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
846 
847 	kssl_update_handshake_hashes(ssl, msgstart, KSSL_SSL3_SH_RECLEN);
848 	return (0);
849 }
850 
851 static void
852 kssl_get_hello_random(uchar_t *buf)
853 {
854 	timestruc_t ts;
855 	time_t sec;
856 
857 	gethrestime(&ts);
858 	sec = ts.tv_sec;
859 
860 	buf[0] = (sec >> 24) & 0xff;
861 	buf[1] = (sec >> 16) & 0xff;
862 	buf[2] = (sec >> 8) & 0xff;
863 	buf[3] = (sec) & 0xff;
864 
865 	(void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4);
866 
867 	/* Should this be caching? */
868 }
869 
870 static int
871 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key,
872 	size_t hashlen,
873 	uchar_t *label, size_t label_len,
874 	uchar_t *seed, size_t seedlen,
875 	uchar_t *data, size_t datalen)
876 {
877 	int rv = 0;
878 	uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN];
879 	int bytes_left = datalen;
880 	crypto_data_t dd, mac;
881 	crypto_context_t ctx;
882 
883 	dd.cd_format = CRYPTO_DATA_RAW;
884 	dd.cd_offset = 0;
885 	mac.cd_format = CRYPTO_DATA_RAW;
886 	mac.cd_offset = 0;
887 
888 	/*
889 	 * A(i) = HMAC_hash(secret, seed + A(i-1));
890 	 * A(0) = seed;
891 	 *
892 	 * Compute A(1):
893 	 * A(1) = HMAC_hash(secret, label + seed)
894 	 *
895 	 */
896 	HMAC_INIT(mech, key, &ctx);
897 	HMAC_UPDATE(ctx, label, label_len);
898 	HMAC_UPDATE(ctx, seed, seedlen);
899 	HMAC_FINAL(ctx, A1, hashlen);
900 
901 	/* Compute A(2) ... A(n) */
902 	while (bytes_left > 0) {
903 		HMAC_INIT(mech, key, &ctx);
904 		HMAC_UPDATE(ctx, A1, hashlen);
905 		HMAC_UPDATE(ctx, label, label_len);
906 		HMAC_UPDATE(ctx, seed, seedlen);
907 		HMAC_FINAL(ctx, result, hashlen);
908 
909 		/*
910 		 * The A(i) value is stored in "result".
911 		 * Save the results of the MAC so it can be input to next
912 		 * iteration.
913 		 */
914 		if (bytes_left > hashlen) {
915 			/* Store the chunk result */
916 			bcopy(result, data, hashlen);
917 			data += hashlen;
918 
919 			bytes_left -= hashlen;
920 
921 			/* Update A1 for next iteration */
922 			HMAC_INIT(mech, key, &ctx);
923 			HMAC_UPDATE(ctx, A1, hashlen);
924 			HMAC_FINAL(ctx, A1, hashlen);
925 
926 		} else {
927 			bcopy(result, data, bytes_left);
928 			data += bytes_left;
929 			bytes_left = 0;
930 		}
931 	}
932 end:
933 	if (CRYPTO_ERR(rv)) {
934 		DTRACE_PROBE1(kssl_err__crypto_mac_error, int, rv);
935 		KSSL_COUNTER(compute_mac_failure, 1);
936 	}
937 	return (rv);
938 }
939 
940 /* ARGSUSED */
941 static int
942 kssl_tls_PRF(ssl_t *ssl,
943 	uchar_t *secret, size_t secret_len,
944 	uchar_t *label, size_t label_len,
945 	uchar_t *seed, size_t seed_len,
946 	uchar_t *prfresult, size_t prfresult_len)
947 {
948 	/*
949 	 * RFC 2246:
950 	 *  PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
951 	 *				P_SHA1(S2, label + seed);
952 	 * S1 = 1st half of secret.
953 	 * S1 = 2nd half of secret.
954 	 *
955 	 */
956 
957 	int rv, i;
958 	uchar_t psha1[MAX_KEYBLOCK_LENGTH];
959 	crypto_key_t S1, S2;
960 
961 	/* length of secret keys is ceil(length/2) */
962 	size_t slen = roundup(secret_len, 2) / 2;
963 
964 	if (prfresult_len >  MAX_KEYBLOCK_LENGTH) {
965 		DTRACE_PROBE1(kssl_err__unexpected_keyblock_size,
966 		    size_t, prfresult_len);
967 		return (CRYPTO_ARGUMENTS_BAD);
968 	}
969 
970 	ASSERT(prfresult != NULL);
971 	ASSERT(label != NULL);
972 	ASSERT(seed != NULL);
973 
974 	S1.ck_data   = secret;
975 	S1.ck_length = slen * 8; /* bits */
976 	S1.ck_format = CRYPTO_KEY_RAW;
977 
978 	S2.ck_data   = secret + slen;
979 	S2.ck_length = slen * 8; /* bits */
980 	S2.ck_format = CRYPTO_KEY_RAW;
981 
982 	rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN,
983 	    label, label_len,
984 	    seed, seed_len,
985 	    prfresult, prfresult_len);
986 	if (CRYPTO_ERR(rv))
987 		goto end;
988 
989 	rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN,
990 	    label, label_len,
991 	    seed, seed_len,
992 	    psha1, prfresult_len);
993 	if (CRYPTO_ERR(rv))
994 		goto end;
995 
996 	for (i = 0; i < prfresult_len; i++)
997 		prfresult[i] ^= psha1[i];
998 
999 end:
1000 	if (CRYPTO_ERR(rv))
1001 		bzero(prfresult, prfresult_len);
1002 
1003 	return (rv);
1004 }
1005 
1006 #define	IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)			\
1007 	(pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN ||		\
1008 	pms[0] != ssl->major_version || pms[1] != ssl->minor_version)
1009 
1010 #define	FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) {			\
1011 		KSSL_COUNTER(bad_pre_master_secret, 1);			\
1012 		pms = buf;						\
1013 		pmslen = SSL3_PRE_MASTER_SECRET_LEN;			\
1014 		pms[0] = ssl->major_version;				\
1015 		pms[1] = ssl->minor_version;				\
1016 		(void) random_get_pseudo_bytes(&buf[2], pmslen - 2);	\
1017 }
1018 
1019 static int
1020 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1021 {
1022 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1023 	uchar_t seed[SSL3_RANDOM_LENGTH * 2];
1024 
1025 	/*
1026 	 * Computing the master secret:
1027 	 * ----------------------------
1028 	 * master_secret = PRF (pms, "master secret",
1029 	 *		ClientHello.random + ServerHello.random);
1030 	 */
1031 	bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH);
1032 	bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH,
1033 	    SSL3_RANDOM_LENGTH);
1034 
1035 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1036 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1037 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
1038 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1039 	}
1040 
1041 	return (kssl_tls_PRF(ssl,
1042 	    pms, pmslen,
1043 	    (uchar_t *)TLS_MASTER_SECRET_LABEL,
1044 	    (size_t)strlen(TLS_MASTER_SECRET_LABEL),
1045 	    seed, sizeof (seed),
1046 	    ssl->sid.master_secret,
1047 	    (size_t)sizeof (ssl->sid.master_secret)));
1048 }
1049 
1050 
1051 static void
1052 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1053 {
1054 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1055 	uchar_t *ms;
1056 	int hlen = MD5_HASH_LEN;
1057 
1058 	ms = ssl->sid.master_secret;
1059 
1060 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1061 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1062 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
1063 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1064 	}
1065 
1066 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0);
1067 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0);
1068 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen,
1069 	    0);
1070 }
1071 
1072 static int
1073 kssl_generate_tls_keyblock(ssl_t *ssl)
1074 {
1075 	uchar_t seed[2 * SSL3_RANDOM_LENGTH];
1076 
1077 	bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH);
1078 	bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH,
1079 	    SSL3_RANDOM_LENGTH);
1080 
1081 	return (kssl_tls_PRF(ssl, ssl->sid.master_secret,
1082 	    (size_t)SSL3_MASTER_SECRET_LEN,
1083 	    (uchar_t *)TLS_KEY_EXPANSION_LABEL,
1084 	    (size_t)strlen(TLS_KEY_EXPANSION_LABEL),
1085 	    seed, (size_t)sizeof (seed),
1086 	    ssl->pending_keyblock,
1087 	    (size_t)ssl->pending_keyblksz));
1088 
1089 }
1090 
1091 static void
1092 kssl_generate_keyblock(ssl_t *ssl)
1093 {
1094 	uchar_t *ms;
1095 	size_t mslen = SSL3_MASTER_SECRET_LEN;
1096 	int hlen = MD5_HASH_LEN;
1097 	uchar_t *keys = ssl->pending_keyblock;
1098 	int steps = howmany(ssl->pending_keyblksz, hlen);
1099 	int i;
1100 
1101 	ms = ssl->sid.master_secret;
1102 
1103 	ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH);
1104 
1105 	for (i = 1; i <= steps; i++) {
1106 		kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1);
1107 		keys += hlen;
1108 	}
1109 }
1110 
1111 static char *ssl3_key_derive_seeds[9] = {"A", "BB", "CCC", "DDDD", "EEEEE",
1112 	"FFFFFF", "GGGGGGG", "HHHHHHHH", "IIIIIIIII"};
1113 
1114 static void
1115 kssl_ssl3_key_material_derive_step(
1116 	ssl_t *ssl,
1117 	uchar_t *secret,
1118 	size_t secretlen,
1119 	int step,
1120 	uchar_t *dst,
1121 	int sr_first)
1122 {
1123 	SHA1_CTX sha1, *sha1ctx;
1124 	MD5_CTX md5, *md5ctx;
1125 	uchar_t sha1_hash[SHA1_HASH_LEN];
1126 
1127 	sha1ctx = &sha1;
1128 	md5ctx = &md5;
1129 
1130 	ASSERT(step <=
1131 	    sizeof (ssl3_key_derive_seeds) /
1132 	    sizeof (ssl3_key_derive_seeds[0]));
1133 	step--;
1134 
1135 	SHA1Init(sha1ctx);
1136 	SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step],
1137 	    step + 1);
1138 	SHA1Update(sha1ctx, secret, secretlen);
1139 	if (sr_first) {
1140 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1141 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1142 	} else {
1143 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1144 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1145 	}
1146 	SHA1Final(sha1_hash, sha1ctx);
1147 
1148 	MD5Init(md5ctx);
1149 	MD5Update(md5ctx, secret, secretlen);
1150 	MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN);
1151 	MD5Final(dst, md5ctx);
1152 }
1153 
1154 static int
1155 kssl_send_certificate_and_server_hello_done(ssl_t *ssl)
1156 {
1157 	int cur_reclen;
1158 	int mss;
1159 	int len, copylen;
1160 	mblk_t *mp;
1161 	uchar_t *cert_buf;
1162 	int cert_len;
1163 	uchar_t *msgbuf;
1164 	Certificate_t *cert;
1165 
1166 	cert = ssl->kssl_entry->ke_server_certificate;
1167 	if (cert == NULL) {
1168 		return (ENOENT);
1169 	}
1170 	cert_buf = cert->msg;
1171 	cert_len = cert->len;
1172 
1173 	mp = ssl->handshake_sendbuf;
1174 	mss = ssl->tcp_mss;
1175 	ASSERT(mp != NULL);
1176 	cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN;
1177 	ASSERT(cur_reclen == KSSL_SSL3_SH_RECLEN);
1178 	/* Assume MSS is at least 80 bytes */
1179 	ASSERT(mss > cur_reclen + SSL3_HDR_LEN);
1180 	ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */
1181 
1182 	copylen = mss - (cur_reclen + SSL3_HDR_LEN);
1183 	len = cert_len;
1184 	copylen = MIN(copylen, len);
1185 	copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1186 
1187 	/* new record always starts in a new mblk for simplicity */
1188 	msgbuf = cert_buf;
1189 	for (;;) {
1190 		ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim);
1191 		bcopy(msgbuf, mp->b_wptr, copylen);
1192 		msgbuf += copylen;
1193 		mp->b_wptr += copylen;
1194 		cur_reclen += copylen;
1195 		len -= copylen;
1196 		if (len == 0) {
1197 			break;
1198 		}
1199 		if (cur_reclen == SSL3_MAX_RECORD_LENGTH) {
1200 			cur_reclen = 0;
1201 		}
1202 		copylen = MIN(len, mss);
1203 		copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1204 		mp->b_cont = allocb(copylen, BPRI_HI);
1205 		if (mp->b_cont == NULL) {
1206 			KSSL_COUNTER(alloc_fails, 1);
1207 			freemsg(ssl->handshake_sendbuf);
1208 			ssl->handshake_sendbuf = NULL;
1209 			return (ENOMEM);
1210 		}
1211 		mp = mp->b_cont;
1212 		if (cur_reclen == 0) {
1213 			mp->b_wptr[0] = content_handshake;
1214 			mp->b_wptr[1] = ssl->major_version;
1215 			mp->b_wptr[2] = ssl->minor_version;
1216 			cur_reclen = MIN(len, SSL3_MAX_RECORD_LENGTH);
1217 			mp->b_wptr[3] = (cur_reclen >> 8) & 0xff;
1218 			mp->b_wptr[4] = (cur_reclen) & 0xff;
1219 			mp->b_wptr += SSL3_HDR_LEN;
1220 			cur_reclen = 0;
1221 			copylen = MIN(copylen, mss - SSL3_HDR_LEN);
1222 		}
1223 	}
1224 
1225 	/* adjust the record length field for the first record */
1226 	mp = ssl->handshake_sendbuf;
1227 	cur_reclen = MIN(KSSL_SSL3_SH_RECLEN + cert_len,
1228 	    SSL3_MAX_RECORD_LENGTH);
1229 	mp->b_rptr[3] = (cur_reclen >> 8) & 0xff;
1230 	mp->b_rptr[4] = (cur_reclen) & 0xff;
1231 
1232 	kssl_update_handshake_hashes(ssl, cert_buf, cert_len);
1233 
1234 	return (0);
1235 }
1236 
1237 static int
1238 kssl_send_change_cipher_specs(ssl_t *ssl)
1239 {
1240 	mblk_t *mp, *newmp;
1241 	uchar_t *buf;
1242 
1243 	mp = ssl->handshake_sendbuf;
1244 
1245 	/* We're most likely to hit the fast path for resumed sessions */
1246 	if ((mp != NULL) &&
1247 	    (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) {
1248 		buf = mp->b_wptr;
1249 	} else {
1250 		newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI);
1251 
1252 		if (newmp == NULL)
1253 			return (ENOMEM);	/* need to do better job! */
1254 
1255 		if (mp == NULL) {
1256 			ssl->handshake_sendbuf = newmp;
1257 		} else {
1258 			linkb(ssl->handshake_sendbuf, newmp);
1259 		}
1260 		mp = newmp;
1261 		buf = mp->b_rptr;
1262 	}
1263 
1264 	/* 5 byte record header */
1265 	buf[0] = content_change_cipher_spec;
1266 	buf[1] = ssl->major_version;
1267 	buf[2] = ssl->minor_version;
1268 	buf[3] = 0;
1269 	buf[4] = 1;
1270 	buf += SSL3_HDR_LEN;
1271 
1272 	buf[0] = 1;
1273 
1274 	mp->b_wptr = buf + 1;
1275 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
1276 
1277 	ssl->seq_num[KSSL_WRITE] = 0;
1278 	return (kssl_spec_init(ssl, KSSL_WRITE));
1279 }
1280 
1281 int
1282 kssl_spec_init(ssl_t *ssl, int dir)
1283 {
1284 	KSSL_HASHCTX *ctx;
1285 	KSSLCipherSpec *spec = &ssl->spec[dir];
1286 	int ret = 0;
1287 
1288 	spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz;
1289 	spec->mac_padsz = mac_defs[ssl->pending_malg].padsz;
1290 
1291 	spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit;
1292 	spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate;
1293 	spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal;
1294 
1295 	if (dir == KSSL_READ) {
1296 		bcopy(ssl->pending_keyblock, ssl->mac_secret[dir],
1297 		    spec->mac_hashsz);
1298 	} else {
1299 		bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]),
1300 		    ssl->mac_secret[dir], spec->mac_hashsz);
1301 	}
1302 
1303 	/* Pre-compute these here. will save cycles on each record later */
1304 	if (!IS_TLS(ssl)) {
1305 		ctx = &ssl->mac_ctx[dir][0];
1306 		spec->MAC_HashInit((void *)ctx);
1307 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1308 		    spec->mac_hashsz);
1309 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_1,
1310 		    spec->mac_padsz);
1311 
1312 		ctx = &ssl->mac_ctx[dir][1];
1313 		spec->MAC_HashInit((void *)ctx);
1314 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1315 		    spec->mac_hashsz);
1316 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_2,
1317 		    spec->mac_padsz);
1318 	}
1319 
1320 	spec->cipher_type = cipher_defs[ssl->pending_calg].type;
1321 	spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type;
1322 	spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize;
1323 	spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz;
1324 
1325 	if (spec->cipher_ctx != NULL) {
1326 		crypto_cancel_ctx(spec->cipher_ctx);
1327 		spec->cipher_ctx = 0;
1328 	}
1329 
1330 	/*
1331 	 * Initialize HMAC keys for TLS and SSL3 HMAC keys
1332 	 * for SSL 3.0.
1333 	 */
1334 	if (IS_TLS(ssl)) {
1335 		if (ssl->pending_malg == mac_md5) {
1336 			spec->hmac_mech = hmac_md5_mech;
1337 		} else if (ssl->pending_malg == mac_sha) {
1338 			spec->hmac_mech = hmac_sha1_mech;
1339 		}
1340 
1341 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1342 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1343 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1344 	} else {
1345 		static uint32_t param;
1346 
1347 		spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID;
1348 		spec->hmac_mech.cm_param = (caddr_t)&param;
1349 		spec->hmac_mech.cm_param_len = sizeof (param);
1350 		if (ssl->pending_malg == mac_md5) {
1351 			spec->hmac_mech.cm_type =
1352 			    crypto_mech2id("CKM_SSL3_MD5_MAC");
1353 			param = MD5_HASH_LEN;
1354 		} else if (ssl->pending_malg == mac_sha) {
1355 			spec->hmac_mech.cm_type =
1356 			    crypto_mech2id("CKM_SSL3_SHA1_MAC");
1357 			param = SHA1_HASH_LEN;
1358 		}
1359 
1360 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1361 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1362 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1363 	}
1364 
1365 	/* We're done if this is the nil cipher */
1366 	if (spec->cipher_keysz == 0) {
1367 		return (0);
1368 	}
1369 
1370 	/* Initialize the key and the active context */
1371 	spec->cipher_key.ck_format = CRYPTO_KEY_RAW;
1372 	spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */
1373 
1374 	if (cipher_defs[ssl->pending_calg].bsize > 0) {
1375 		/* client_write_IV */
1376 		spec->cipher_mech.cm_param =
1377 		    (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz +
1378 		    2 * spec->cipher_keysz]);
1379 		spec->cipher_mech.cm_param_len = spec->cipher_bsize;
1380 	}
1381 	spec->cipher_data.cd_format = CRYPTO_DATA_RAW;
1382 	if (dir == KSSL_READ) {
1383 		spec->cipher_mech.cm_param_len =
1384 		    cipher_defs[ssl->pending_calg].bsize;
1385 
1386 		/* client_write_key */
1387 		spec->cipher_key.ck_data =
1388 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz]);
1389 
1390 		ret = crypto_decrypt_init(&(spec->cipher_mech),
1391 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1392 		if (CRYPTO_ERR(ret)) {
1393 			DTRACE_PROBE1(kssl_err__crypto_decrypt_init_read,
1394 			    int, ret);
1395 		}
1396 	} else {
1397 		if (cipher_defs[ssl->pending_calg].bsize > 0) {
1398 			/* server_write_IV */
1399 			spec->cipher_mech.cm_param += spec->cipher_bsize;
1400 		}
1401 
1402 		/* server_write_key */
1403 		spec->cipher_key.ck_data =
1404 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz +
1405 		    spec->cipher_keysz]);
1406 
1407 		ret = crypto_encrypt_init(&(spec->cipher_mech),
1408 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1409 		if (CRYPTO_ERR(ret))
1410 			DTRACE_PROBE1(kssl_err__crypto_encrypt_init_non_read,
1411 			    int, ret);
1412 	}
1413 	return (ret);
1414 }
1415 
1416 static int
1417 kssl_send_finished(ssl_t *ssl, int update_hsh)
1418 {
1419 	mblk_t *mp;
1420 	uchar_t *buf;
1421 	uchar_t *rstart;
1422 	uchar_t *versionp;
1423 	SSL3Hashes ssl3hashes;
1424 	size_t finish_len;
1425 	int ret;
1426 
1427 	mp = ssl->handshake_sendbuf;
1428 	ASSERT(mp != NULL);
1429 	buf = mp->b_wptr;
1430 	ASSERT(buf - mp->b_rptr == SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN +
1431 	    SSL3_HDR_LEN + 1 || buf - mp->b_rptr == SSL3_HDR_LEN + 1);
1432 
1433 	rstart = buf;
1434 
1435 	if (IS_TLS(ssl))
1436 		finish_len = TLS_FINISHED_SIZE;
1437 	else
1438 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1439 
1440 	/* 5 byte record header */
1441 	buf[0] = content_handshake;
1442 	buf[1] = ssl->major_version;
1443 	buf[2] = ssl->minor_version;
1444 	buf[3] = 0;
1445 	buf[4] = 4 + finish_len;
1446 
1447 	versionp = &buf[1];
1448 
1449 	buf += SSL3_HDR_LEN;
1450 
1451 	/* 4 byte message header */
1452 	buf[0] = (uchar_t)finished;	/* message type */
1453 	buf[1] = 0;			/* message len byte 0 */
1454 	buf[2] = 0;			/* message len byte 1 */
1455 	buf[3] = finish_len;	/* message len byte 2 */
1456 	buf += 4;
1457 
1458 	if (IS_TLS(ssl)) {
1459 		bcopy(ssl->hs_hashes.md5, ssl3hashes.md5,
1460 		    sizeof (ssl3hashes.md5));
1461 		bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1,
1462 		    sizeof (ssl3hashes.sha1));
1463 	}
1464 
1465 	/* Compute hashes for the SENDER side */
1466 	ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server);
1467 	if (ret != 0)
1468 		return (ret);
1469 
1470 	if (IS_TLS(ssl)) {
1471 		bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash));
1472 	} else {
1473 		bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN);
1474 		bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN);
1475 	}
1476 
1477 	if (update_hsh) {
1478 		kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4);
1479 	}
1480 
1481 	mp->b_wptr = buf + finish_len;
1482 
1483 	ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp,
1484 	    rstart, mp);
1485 	ASSERT(mp->b_wptr <= mp->b_datap->db_lim);
1486 
1487 	return (ret);
1488 }
1489 
1490 int
1491 kssl_mac_encrypt_record(ssl_t *ssl,
1492 	SSL3ContentType ct,
1493 	uchar_t *versionp,
1494 	uchar_t *rstart,
1495 	mblk_t *mp)
1496 {
1497 	KSSLCipherSpec *spec;
1498 	int mac_sz;
1499 	int ret = 0;
1500 	uint16_t rec_sz;
1501 	int pad_sz;
1502 	int i;
1503 
1504 	ASSERT(ssl != NULL);
1505 	ASSERT(rstart >= mp->b_rptr);
1506 	ASSERT(rstart < mp->b_wptr);
1507 
1508 	spec = &ssl->spec[KSSL_WRITE];
1509 	mac_sz = spec->mac_hashsz;
1510 
1511 	rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN;
1512 	ASSERT(rec_sz > 0);
1513 
1514 	if (mac_sz != 0) {
1515 		ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim);
1516 		ret = kssl_compute_record_mac(ssl, KSSL_WRITE,
1517 		    ssl->seq_num[KSSL_WRITE], ct, versionp,
1518 		    rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr);
1519 		if (ret == CRYPTO_SUCCESS) {
1520 			ssl->seq_num[KSSL_WRITE]++;
1521 			mp->b_wptr += mac_sz;
1522 			rec_sz += mac_sz;
1523 		} else {
1524 			return (ret);
1525 		}
1526 	}
1527 
1528 	if (spec->cipher_type == type_block) {
1529 		pad_sz = spec->cipher_bsize -
1530 		    (rec_sz & (spec->cipher_bsize - 1));
1531 		ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim);
1532 		for (i = 0; i < pad_sz; i++) {
1533 			mp->b_wptr[i] = pad_sz - 1;
1534 		}
1535 		mp->b_wptr += pad_sz;
1536 		rec_sz += pad_sz;
1537 	}
1538 
1539 	ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH);
1540 
1541 	U16_TO_BE16(rec_sz, rstart + 3);
1542 
1543 	if (spec->cipher_ctx == 0)
1544 		return (ret);
1545 
1546 	spec->cipher_data.cd_length = rec_sz;
1547 	spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN);
1548 	spec->cipher_data.cd_raw.iov_len = rec_sz;
1549 	/* One record at a time. Otherwise, gotta allocate the crypt_data_t */
1550 	ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data,
1551 	    NULL, NULL);
1552 	if (CRYPTO_ERR(ret)) {
1553 		DTRACE_PROBE1(kssl_err__crypto_encrypt_update,
1554 		    int, ret);
1555 	}
1556 	return (ret);
1557 }
1558 
1559 void
1560 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc)
1561 {
1562 	mblk_t *mp;
1563 	uchar_t *buf;
1564 	KSSLCipherSpec *spec;
1565 
1566 	ASSERT(ssl != NULL);
1567 
1568 	ssl->sendalert_level = level;
1569 	ssl->sendalert_desc = desc;
1570 
1571 	if (level == alert_fatal) {
1572 		DTRACE_PROBE2(kssl_sending_alert,
1573 		    SSL3AlertLevel, level, SSL3AlertDescription, desc);
1574 		if (ssl->sid.cached == B_TRUE) {
1575 			kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
1576 		}
1577 		ssl->fatal_alert = B_TRUE;
1578 		KSSL_COUNTER(fatal_alerts, 1);
1579 	} else
1580 		KSSL_COUNTER(warning_alerts, 1);
1581 
1582 	spec = &ssl->spec[KSSL_WRITE];
1583 
1584 	ASSERT(ssl->alert_sendbuf == NULL);
1585 	ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz +
1586 	    spec->cipher_bsize, BPRI_HI);
1587 	if (mp == NULL) {
1588 		KSSL_COUNTER(alloc_fails, 1);
1589 		return;
1590 	}
1591 	buf = mp->b_wptr;
1592 
1593 	/* 5 byte record header */
1594 	buf[0] = content_alert;
1595 	buf[1] = ssl->major_version;
1596 	buf[2] = ssl->minor_version;
1597 	buf[3] = 0;
1598 	buf[4] = 2;
1599 	buf += SSL3_HDR_LEN;
1600 
1601 	/* alert contents */
1602 	buf[0] = (uchar_t)level;
1603 	buf[1] = (uchar_t)desc;
1604 
1605 	mp->b_wptr = buf + 2;
1606 }
1607 
1608 /* Assumes RSA encryption */
1609 static int
1610 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen,
1611     kssl_callback_t cbfn, void *arg)
1612 {
1613 	char *buf;
1614 	uchar_t *pms;
1615 	size_t pmslen;
1616 	int allocated;
1617 	int err, rverr = ENOMEM;
1618 	kssl_entry_t *ep;
1619 	crypto_key_t *privkey;
1620 	crypto_data_t *wrapped_pms_data, *pms_data;
1621 	crypto_call_req_t creq, *creqp;
1622 
1623 	ep = ssl->kssl_entry;
1624 	privkey = ep->ke_private_key;
1625 	if (privkey == NULL) {
1626 		return (ENOENT);
1627 	}
1628 
1629 	ASSERT(ssl->msg.type == client_key_exchange);
1630 	ASSERT(ssl->hs_waitstate == wait_client_key);
1631 
1632 	/*
1633 	 * TLS adds an extra 2 byte length field before the data.
1634 	 */
1635 	if (IS_TLS(ssl)) {
1636 		msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1];
1637 		mp->b_rptr += 2;
1638 	}
1639 
1640 	/*
1641 	 * Allocate all we need in one shot. about 300 bytes total, for
1642 	 * 1024 bit RSA modulus.
1643 	 * The buffer layout will be: pms_data, wrapped_pms_data, the
1644 	 * value of the wrapped pms from the client, then room for the
1645 	 * resulting decrypted premaster secret.
1646 	 */
1647 	allocated = 2 * (sizeof (crypto_data_t) + msglen);
1648 	buf = kmem_alloc(allocated, KM_NOSLEEP);
1649 	if (buf == NULL) {
1650 		return (ENOMEM);
1651 	}
1652 
1653 	pms_data = (crypto_data_t *)buf;
1654 	wrapped_pms_data = &(((crypto_data_t *)buf)[1]);
1655 
1656 	wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW;
1657 	wrapped_pms_data->cd_offset = pms_data->cd_offset = 0;
1658 	wrapped_pms_data->cd_length = pms_data->cd_length = msglen;
1659 	wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL;
1660 	wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen;
1661 	wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t);
1662 	pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen;
1663 
1664 	bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen);
1665 	mp->b_rptr += msglen;
1666 
1667 	/* Proceed synchronously if out of interrupt and configured to do so */
1668 	if ((kssl_synchronous) && (!servicing_interrupt())) {
1669 		creqp = NULL;
1670 	} else {
1671 		ssl->cke_callback_func = cbfn;
1672 		ssl->cke_callback_arg = arg;
1673 		creq.cr_flag = kssl_call_flag;
1674 		creq.cr_callback_func = kssl_cke_done;
1675 		creq.cr_callback_arg = ssl;
1676 
1677 		/* The callback routine will release this one */
1678 		KSSL_SSL_REFHOLD(ssl);
1679 
1680 		creqp = &creq;
1681 	}
1682 
1683 	if (ep->ke_is_nxkey) {
1684 		kssl_session_info_t *s;
1685 
1686 		s = ep->ke_sessinfo;
1687 		err = CRYPTO_SUCCESS;
1688 		if (!s->is_valid_handle) {
1689 			/* Reauthenticate to the provider */
1690 			if (s->do_reauth) {
1691 				err = kssl_get_obj_handle(ep);
1692 				if (err == CRYPTO_SUCCESS) {
1693 					s->is_valid_handle = B_TRUE;
1694 					s->do_reauth = B_FALSE;
1695 				}
1696 			} else
1697 				err = CRYPTO_FAILED;
1698 		}
1699 
1700 		if (err == CRYPTO_SUCCESS) {
1701 			ASSERT(s->is_valid_handle);
1702 			err = crypto_decrypt_prov(s->prov, s->sid,
1703 			    &rsa_x509_mech, wrapped_pms_data, &s->key,
1704 			    NULL, pms_data, creqp);
1705 		}
1706 
1707 		/*
1708 		 * Deal with session specific errors. We translate to
1709 		 * the closest errno.
1710 		 */
1711 		switch (err) {
1712 		case CRYPTO_KEY_HANDLE_INVALID:
1713 		case CRYPTO_SESSION_HANDLE_INVALID:
1714 			s->is_valid_handle = B_FALSE;
1715 			s->do_reauth = B_TRUE;
1716 			rverr = EINVAL;
1717 			break;
1718 		case CRYPTO_PIN_EXPIRED:
1719 		case CRYPTO_PIN_LOCKED:
1720 			rverr = EACCES;
1721 			break;
1722 		case CRYPTO_UNKNOWN_PROVIDER:
1723 			rverr = ENXIO;
1724 			break;
1725 		}
1726 	} else {
1727 		err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data,
1728 		    privkey, NULL, pms_data, creqp);
1729 	}
1730 
1731 	switch (err) {
1732 	case CRYPTO_SUCCESS:
1733 		break;
1734 
1735 	case CRYPTO_QUEUED:
1736 		/*
1737 		 * Finish the master secret then the rest of key material
1738 		 * derivation later.
1739 		 */
1740 		ssl->job.kjob = creq.cr_reqid;
1741 		ssl->job.buf = buf;
1742 		ssl->job.buflen = allocated;
1743 		ssl->hs_waitstate = wait_client_key_done;
1744 		return (0);
1745 	default:
1746 		DTRACE_PROBE1(kssl_err__crypto_decrypt, int, err);
1747 		kmem_free(buf, allocated);
1748 		return (rverr);
1749 	}
1750 
1751 	pmslen = pms_data->cd_length;
1752 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1753 
1754 	/* generate master key and save it in the ssl sid structure */
1755 	if (IS_TLS(ssl)) {
1756 		err = kssl_generate_tls_ms(ssl, pms, pmslen);
1757 		if (!CRYPTO_ERR(err))
1758 			err = kssl_generate_tls_keyblock(ssl);
1759 	} else {
1760 		kssl_generate_ssl_ms(ssl, pms, pmslen);
1761 		kssl_generate_keyblock(ssl);
1762 	}
1763 
1764 	if (err == CRYPTO_SUCCESS)
1765 		ssl->hs_waitstate = wait_change_cipher;
1766 
1767 	ssl->activeinput = B_FALSE;
1768 
1769 	kmem_free(buf, allocated);
1770 
1771 	return (0);
1772 }
1773 
1774 static int
1775 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen)
1776 {
1777 	int err;
1778 	size_t finish_len;
1779 	int hashcompare;
1780 
1781 	ASSERT(ssl->msg.type == finished);
1782 	ASSERT(ssl->hs_waitstate == wait_finished);
1783 
1784 	if (IS_TLS(ssl))
1785 		finish_len = TLS_FINISHED_SIZE;
1786 	else
1787 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1788 
1789 	if (msglen != finish_len) {
1790 		kssl_send_alert(ssl, alert_fatal, illegal_parameter);
1791 		return (EBADMSG);
1792 	}
1793 
1794 	if (IS_TLS(ssl)) {
1795 		hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash,
1796 		    finish_len);
1797 	} else {
1798 		hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len);
1799 	}
1800 
1801 	/* The handshake hashes should be computed by now */
1802 	if (hashcompare != 0) {
1803 		kssl_send_alert(ssl, alert_fatal, handshake_failure);
1804 		return (EBADMSG);
1805 	}
1806 
1807 	mp->b_rptr += msglen;
1808 
1809 	ssl->hs_waitstate = idle_handshake;
1810 
1811 	if (ssl->resumed == B_TRUE) {
1812 		ssl->activeinput = B_FALSE;
1813 		return (0);
1814 	}
1815 
1816 	err = kssl_send_change_cipher_specs(ssl);
1817 	if (err != 0) {
1818 		return (err);
1819 	}
1820 	err = kssl_send_finished(ssl, 0);
1821 	if (err != 0) {
1822 		return (err);
1823 	}
1824 
1825 	kssl_cache_sid(&ssl->sid, ssl->kssl_entry);
1826 	ssl->activeinput = B_FALSE;
1827 
1828 	return (0);
1829 }
1830 
1831 #define	KSSL2_CH_MIN_RECSZ	(9)
1832 
1833 /*
1834  * This method is needed to handle clients which send the
1835  * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers.
1836  * We are not really doing SSLv2 here, just handling the header
1837  * and then switching to SSLv3.
1838  */
1839 int
1840 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz)
1841 {
1842 	uchar_t *recend;
1843 	int err;
1844 	SSL3AlertDescription desc = illegal_parameter;
1845 	uint_t randlen;
1846 	uint_t sidlen;
1847 	uint_t cslen;
1848 	uchar_t *suitesp;
1849 	uchar_t *rand;
1850 	uint_t i, j;
1851 	uint16_t suite;
1852 	int ch_recsz = KSSL2_CH_MIN_RECSZ;
1853 
1854 	ASSERT(mp->b_wptr >= mp->b_rptr + recsz);
1855 	ASSERT(ssl->hs_waitstate == wait_client_hello);
1856 	ASSERT(ssl->resumed == B_FALSE);
1857 
1858 	if (recsz < ch_recsz) {
1859 		goto falert;
1860 	}
1861 
1862 	MD5Init(&ssl->hs_md5);
1863 	SHA1Init(&ssl->hs_sha1);
1864 
1865 	kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz);
1866 
1867 	recend = mp->b_rptr + recsz;
1868 
1869 	if (*mp->b_rptr != 1) {
1870 		goto falert;
1871 	}
1872 	mp->b_rptr += 3;
1873 
1874 	cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
1875 	sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3];
1876 	randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5];
1877 	if (cslen % 3 != 0) {
1878 		DTRACE_PROBE1(kssl_err__cipher_suites_len_error, uint_t, cslen);
1879 		goto falert;
1880 	}
1881 	if (randlen < SSL_MIN_CHALLENGE_BYTES ||
1882 	    randlen > SSL_MAX_CHALLENGE_BYTES) {
1883 		DTRACE_PROBE1(kssl_err__randlen_out_of_range,
1884 		    uint_t, randlen);
1885 		goto falert;
1886 	}
1887 	mp->b_rptr += 6;
1888 	ch_recsz += cslen + sidlen + randlen;
1889 	if (recsz != ch_recsz) {
1890 		goto falert;
1891 	}
1892 	suitesp = mp->b_rptr;
1893 	rand = suitesp + cslen + sidlen;
1894 	if (randlen < SSL3_RANDOM_LENGTH) {
1895 		bzero(ssl->client_random, SSL3_RANDOM_LENGTH);
1896 	}
1897 	bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen],
1898 	    randlen);
1899 
1900 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
1901 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
1902 		for (j = 0; j < cslen; j += 3) {
1903 			if (suitesp[j] != 0) {
1904 				continue;
1905 			}
1906 
1907 			if (suitesp[j + 1] == ((suite >> 8) & 0xff) &&
1908 			    suitesp[j + 2] == (suite & 0xff)) {
1909 				break;
1910 			}
1911 		}
1912 		if (j < cslen) {
1913 			break;
1914 		}
1915 	}
1916 	if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) {
1917 		DTRACE_PROBE(kssl_err__no_SSLv2_cipher_suite);
1918 		ssl->activeinput = B_FALSE;
1919 		return (SSL_MISS);
1920 	}
1921 
1922 	mp->b_rptr = recend;
1923 
1924 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
1925 		if (suite == cipher_suite_defs[i].suite) {
1926 			break;
1927 		}
1928 	}
1929 
1930 	ASSERT(i < cipher_suite_defs_nentries);
1931 
1932 	ssl->pending_cipher_suite = suite;
1933 	ssl->pending_malg = cipher_suite_defs[i].malg;
1934 	ssl->pending_calg = cipher_suite_defs[i].calg;
1935 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
1936 
1937 	ASSERT(ssl->sid.cached == B_FALSE);
1938 
1939 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
1940 	    SSL3_SESSIONID_BYTES);
1941 	ssl->sid.client_addr = ssl->faddr;
1942 	ssl->sid.cipher_suite = suite;
1943 
1944 	err = kssl_send_server_hello(ssl);
1945 	if (err != 0) {
1946 		return (err);
1947 	}
1948 	err = kssl_send_certificate_and_server_hello_done(ssl);
1949 	if (err != 0) {
1950 		return (err);
1951 	}
1952 	KSSL_COUNTER(full_handshakes, 1);
1953 	ssl->hs_waitstate = wait_client_key;
1954 	ssl->activeinput = B_FALSE;
1955 	return (0);
1956 
1957 falert:
1958 	kssl_send_alert(ssl, alert_fatal, desc);
1959 	ssl->activeinput = B_FALSE;
1960 	return (EBADMSG);
1961 }
1962 
1963 /*
1964  * Call back routine for asynchronously submitted RSA decryption jobs.
1965  * This routine retrieves the pre-master secret, and proceeds to generate
1966  * the remaining key materials.
1967  */
1968 static void
1969 kssl_cke_done(void *arg, int status)
1970 {
1971 	int ret = 0;
1972 	uchar_t *pms;
1973 	size_t pmslen;
1974 	crypto_data_t *pms_data;
1975 	kssl_cmd_t kssl_cmd = KSSL_CMD_NONE;
1976 	ssl_t *ssl = (ssl_t *)arg;
1977 	mblk_t *alertmp;
1978 	kssl_callback_t cbfn;
1979 	void *cbarg;
1980 
1981 	mutex_enter(&ssl->kssl_lock);
1982 
1983 	ASSERT(ssl->msg.type == client_key_exchange);
1984 	ASSERT(ssl->hs_waitstate == wait_client_key_done);
1985 
1986 	if (status != CRYPTO_SUCCESS) {
1987 		kssl_send_alert(ssl, alert_fatal, decrypt_error);
1988 		kssl_cmd = KSSL_CMD_SEND;
1989 		goto out;
1990 	}
1991 
1992 	pms_data = (crypto_data_t *)(ssl->job.buf);
1993 
1994 	ASSERT(pms_data != NULL);
1995 
1996 	pmslen = pms_data->cd_length;
1997 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1998 
1999 	/* generate master key and save it in the ssl sid structure */
2000 	if (IS_TLS(ssl)) {
2001 		ret = kssl_generate_tls_ms(ssl, pms, pmslen);
2002 		if (!CRYPTO_ERR(ret))
2003 			ret = kssl_generate_tls_keyblock(ssl);
2004 	} else {
2005 		kssl_generate_ssl_ms(ssl, pms, pmslen);
2006 		kssl_generate_keyblock(ssl);
2007 	}
2008 
2009 	if (ret == CRYPTO_SUCCESS)
2010 		ssl->hs_waitstate = wait_change_cipher;
2011 
2012 out:
2013 	kmem_free(ssl->job.buf, ssl->job.buflen);
2014 
2015 	ssl->job.kjob = 0;
2016 	ssl->job.buf = NULL;
2017 	ssl->job.buflen = 0;
2018 
2019 	ssl->activeinput = B_FALSE;
2020 
2021 	/* If we're the only ones left, then we won't callback */
2022 	if (ssl->kssl_refcnt == 1) {
2023 		mutex_exit(&ssl->kssl_lock);
2024 		KSSL_SSL_REFRELE(ssl);
2025 		return;
2026 	}
2027 
2028 	cbfn = ssl->cke_callback_func;
2029 	cbarg = ssl->cke_callback_arg;
2030 	alertmp = ssl->alert_sendbuf;
2031 	ssl->alert_sendbuf = NULL;
2032 
2033 	mutex_exit(&ssl->kssl_lock);
2034 
2035 	KSSL_SSL_REFRELE(ssl);
2036 
2037 	/* Now call the callback routine */
2038 	(*(cbfn))(cbarg, alertmp, kssl_cmd);
2039 }
2040 
2041 /*
2042  * Returns the first complete contiguous record out of rec_ass_head
2043  * The record is returned in a separate contiguous mblk, rec_ass_head is
2044  * left pointing to the next record in the queue.
2045  *
2046  * The output looks as follows:
2047  *
2048  * |--------|---------- .... -----|<---------->|<----------->|--- ... ---|
2049  * ^        ^                     ^  mac_size     pad_size               ^
2050  * |        |___ b_rptr  b_wptr __|                                      |
2051  * |                                                                     |
2052  * |___ db_base                                                db_lim ___|
2053  */
2054 mblk_t *
2055 kssl_get_next_record(ssl_t *ssl)
2056 {
2057 	mblk_t *mp, *retmp;
2058 	int rhsz = SSL3_HDR_LEN;
2059 	uint16_t rec_sz;
2060 	int mpsz, total_size;
2061 	SSL3ContentType content_type;
2062 
2063 	ASSERT(MUTEX_HELD(&ssl->kssl_lock));
2064 
2065 	mp = ssl->rec_ass_head;
2066 	if (mp == NULL)
2067 		return (NULL);
2068 
2069 	/* Fast path: when mp has at least a complete record */
2070 	if (MBLKL(mp) < rhsz) {
2071 		DTRACE_PROBE1(kssl_mblk__incomplete_header,
2072 		    mblk_t *, mp);
2073 		/* Not even a complete header in there yet */
2074 		if (msgdsize(mp) < rhsz) {
2075 			return (NULL);
2076 		}
2077 
2078 		if (!pullupmsg(mp, rhsz)) {
2079 			kssl_send_alert(ssl, alert_fatal, internal_error);
2080 			freemsg(mp);
2081 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2082 			return (NULL);
2083 		}
2084 	}
2085 	content_type = (SSL3ContentType)mp->b_rptr[0];
2086 	if (content_type == content_handshake_v2) {
2087 		DTRACE_PROBE1(kssl_mblk__ssl_v2, mblk_t *, mp);
2088 		rec_sz = (uint16_t)mp->b_rptr[1];
2089 		rhsz = 2;
2090 	} else {
2091 		DTRACE_PROBE1(kssl_mblk__ssl_v3, mblk_t *, mp);
2092 		uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3;
2093 		rec_sz = BE16_TO_U16(rec_sz_p);
2094 	}
2095 
2096 	/*
2097 	 * same tests as above. Only rare very fragmented cases will
2098 	 * incur the cost of msgdsize() and msgpullup(). Well formed
2099 	 * packets will fall in the most frequent fast path.
2100 	 */
2101 	total_size = rhsz + rec_sz;
2102 
2103 	/*
2104 	 * Missing: defensive against record fabricated with longer than
2105 	 * MAX record length.
2106 	 */
2107 	if (MBLKL(mp) < total_size) {
2108 		DTRACE_PROBE2(kssl_mblk__smaller_than_total_size,
2109 		    mblk_t *, mp, int, total_size);
2110 		/* Not a complete record yet. Keep accumulating */
2111 		if (msgdsize(mp) < total_size) {
2112 			return (NULL);
2113 		}
2114 
2115 		if (!pullupmsg(mp, total_size)) {
2116 			kssl_send_alert(ssl, alert_fatal, internal_error);
2117 			freemsg(mp);
2118 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2119 			return (NULL);
2120 		}
2121 	}
2122 	mpsz = MBLKL(mp);	/* could've changed after the pullup */
2123 
2124 	if (mpsz > total_size) {
2125 		DTRACE_PROBE2(kssl_mblk__bigger_than_total_size,
2126 		    mblk_t *, mp, int, total_size);
2127 		/* gotta allocate a new block */
2128 		if ((retmp = dupb(mp)) == NULL) {
2129 			kssl_send_alert(ssl, alert_fatal, internal_error);
2130 			freemsg(mp);
2131 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2132 			return (NULL);
2133 		}
2134 
2135 		retmp->b_wptr = retmp->b_rptr + total_size;
2136 		mp->b_rptr += total_size;
2137 		ssl->rec_ass_head = mp;
2138 	} else {
2139 		DTRACE_PROBE2(kssl_mblk__equal_to_total_size,
2140 		    mblk_t *, mp, int, total_size);
2141 		ASSERT(mpsz == total_size);
2142 		ssl->rec_ass_head = mp->b_cont;
2143 		mp->b_cont = NULL;
2144 		retmp = mp;
2145 	}
2146 	/* Adjust the tail */
2147 	if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) {
2148 		for (; mp->b_cont != NULL; mp = mp->b_cont) {
2149 			ssl->rec_ass_tail = mp->b_cont;
2150 		}
2151 	}
2152 
2153 	return (retmp);
2154 }
2155 
2156 
2157 static void
2158 kssl_mblksfree(ssl_t *ssl)
2159 {
2160 
2161 	ASSERT(ssl != NULL);
2162 
2163 	if (ssl->rec_ass_head != NULL) {
2164 		freemsg(ssl->rec_ass_head);
2165 	}
2166 	ssl->rec_ass_head = NULL;
2167 	ssl->rec_ass_tail = NULL;
2168 
2169 	if (ssl->msg.head != NULL) {
2170 		freemsg(ssl->msg.head);
2171 	}
2172 	ssl->msg.head = NULL;
2173 	ssl->msg.tail = NULL;
2174 
2175 	if (ssl->handshake_sendbuf != NULL) {
2176 		freemsg(ssl->handshake_sendbuf);
2177 		ssl->handshake_sendbuf = NULL;
2178 	}
2179 	if (ssl->alert_sendbuf != NULL) {
2180 		freemsg(ssl->alert_sendbuf);
2181 		ssl->alert_sendbuf = NULL;
2182 	}
2183 }
2184 
2185 static void
2186 kssl_specsfree(ssl_t *ssl)
2187 {
2188 	KSSLCipherSpec *spec = &ssl->spec[KSSL_READ];
2189 
2190 	if (spec->cipher_ctx != NULL) {
2191 		crypto_cancel_ctx(spec->cipher_ctx);
2192 		spec->cipher_ctx = 0;
2193 	}
2194 
2195 	spec = &ssl->spec[KSSL_WRITE];
2196 
2197 	if (spec->cipher_ctx != NULL) {
2198 		crypto_cancel_ctx(spec->cipher_ctx);
2199 		spec->cipher_ctx = 0;
2200 	}
2201 }
2202 
2203 /*
2204  * Frees the ssl structure (aka the context of an SSL session).
2205  * Any pending crypto jobs are cancelled.
2206  * Any initiated crypto contexts are freed as well.
2207  */
2208 void
2209 kssl_free_context(ssl_t *ssl)
2210 {
2211 	ASSERT(ssl != NULL);
2212 	if (!(MUTEX_HELD(&ssl->kssl_lock))) {
2213 		/* we're coming from an external API entry point */
2214 		mutex_enter(&ssl->kssl_lock);
2215 	}
2216 
2217 	if (ssl->job.kjob != NULL) {
2218 		crypto_cancel_req(ssl->job.kjob);
2219 		kmem_free(ssl->job.buf, ssl->job.buflen);
2220 
2221 		ssl->job.kjob = 0;
2222 		ssl->job.buf = NULL;
2223 		ssl->job.buflen = 0;
2224 	}
2225 
2226 	kssl_mblksfree(ssl);
2227 	kssl_specsfree(ssl);
2228 
2229 	KSSL_ENTRY_REFRELE(ssl->kssl_entry);
2230 	ssl->kssl_entry = NULL;
2231 
2232 	mutex_exit(&ssl->kssl_lock);
2233 
2234 	kmem_cache_free(kssl_cache, ssl);
2235 	kssl_cache_count--;
2236 }
2237