xref: /titanic_44/usr/src/uts/common/inet/kssl/ksslrec.c (revision 90bcde942a3919300ffc73f98ea903b58386c395)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 #include <sys/stream.h>
30 #include <sys/strsubr.h>
31 #include <sys/stropts.h>
32 #include <sys/strsun.h>
33 #define	_SUN_TPI_VERSION 2
34 #include <sys/ddi.h>
35 #include <sys/sunddi.h>
36 #include <sys/debug.h>
37 #include <sys/vtrace.h>
38 #include <sys/kmem.h>
39 #include <sys/cpuvar.h>
40 #include <sys/atomic.h>
41 #include <sys/sysmacros.h>
42 
43 #include <sys/errno.h>
44 #include <sys/isa_defs.h>
45 #include <sys/md5.h>
46 #include <sys/sha1.h>
47 #include <sys/random.h>
48 #include <inet/common.h>
49 #include <netinet/in.h>
50 
51 #include <sys/systm.h>
52 #include <sys/param.h>
53 
54 #include "ksslimpl.h"
55 #include "ksslapi.h"
56 #include "ksslproto.h"
57 
58 static ssl3CipherSuiteDef cipher_suite_defs[] = {
59 	/* 2 X 16 byte keys +  2 x 20 byte MAC secrets, no IVs */
60 	{SSL_RSA_WITH_RC4_128_SHA,	cipher_rc4,	mac_sha,	72},
61 
62 	/* 2 X 16 byte keys +  2 x 16 byte MAC secrets, no IVs */
63 	{SSL_RSA_WITH_RC4_128_MD5,	cipher_rc4,	mac_md5,	64},
64 
65 	/* 2 X 8 byte keys +  2 x 20 byte MAC secrets, 2 x 8 byte IVs */
66 	{SSL_RSA_WITH_DES_CBC_SHA,	cipher_des,	mac_sha,	72},
67 
68 	/* 2 X 24 byte keys +  2 x 20 byte MAC secrets, 2 x 8 byte IVs */
69 	{SSL_RSA_WITH_3DES_EDE_CBC_SHA,	cipher_3des,	mac_sha,	104},
70 
71 	/* 2 X 16 byte keys +  2 x 20 byte MAC secrets, 2 x 16 byte IVs */
72 	{TLS_RSA_WITH_AES_128_CBC_SHA,	cipher_aes128,	mac_sha,	104},
73 
74 	/* 2 X 32 byte keys +  2 x 20 byte MAC secrets, 2 x 16 byte IVs */
75 	{TLS_RSA_WITH_AES_256_CBC_SHA,	cipher_aes256,	mac_sha,	136},
76 
77 	{SSL_RSA_WITH_NULL_SHA,		cipher_null,	mac_sha,	40}
78 };
79 
80 static int cipher_suite_defs_nentries =
81     sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]);
82 
83 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
84 	/* macsz padsz HashInit HashUpdate HashFinal */
85 
86 	{MD5_HASH_LEN, SSL3_MD5_PAD_LEN,
87 	    (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update,
88 	    (hashfinal_func_t)MD5Final},
89 
90 	{SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN,
91 	    (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update,
92 	    (hashfinal_func_t)SHA1Final},
93 };
94 
95 static uchar_t kssl_pad_1[60] = {
96     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
97     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
98     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
99     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
100     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
101     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
102     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
103     0x36, 0x36, 0x36, 0x36
104 };
105 static uchar_t kssl_pad_2[60] = {
106     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
107     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
108     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
109     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
110     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
111     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
112     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
113     0x5c, 0x5c, 0x5c, 0x5c
114 };
115 
116 int kssl_cache_count;
117 static boolean_t kssl_synchronous = B_FALSE;
118 
119 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t);
120 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t);
121 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int);
122 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int,
123     kssl_callback_t, void *);
124 static int kssl_send_server_hello(ssl_t *);
125 static int kssl_send_certificate_and_server_hello_done(ssl_t *);
126 static int kssl_send_change_cipher_specs(ssl_t *);
127 static int kssl_send_finished(ssl_t *, int);
128 static int kssl_handle_finished(ssl_t *, mblk_t *, int);
129 static void kssl_get_hello_random(uchar_t *);
130 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *);
131 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *);
132 static void kssl_lookup_sid(sslSessionID *, uchar_t *, ipaddr_t,
133     kssl_entry_t *);
134 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t);
135 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t);
136 static int kssl_generate_tls_keyblock(ssl_t *);
137 static void kssl_generate_keyblock(ssl_t *);
138 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t,
139     int, uchar_t *, int);
140 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t,
141     uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
142 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *,
143     size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
144 static void kssl_cke_done(void *, int);
145 
146 #define	HMAC_INIT(m, k, c) \
147 	rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end;
148 
149 #define	HMAC_UPDATE(c, d, l) \
150 	dd.cd_raw.iov_base = (char *)d; \
151 	dd.cd_length = dd.cd_raw.iov_len = l; \
152 	rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end;
153 
154 #define	HMAC_FINAL(c, d, l) \
155 	mac.cd_raw.iov_base = (char *)d; \
156 	mac.cd_length = mac.cd_raw.iov_len = l; \
157 	rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end;
158 
159 /*
160  * This hack can go away once we have SSL3 MAC support by KCF
161  * software providers (See 4873559).
162  */
163 extern int kcf_md5_threshold;
164 
165 int
166 kssl_compute_record_mac(
167 	ssl_t *ssl,
168 	int direction,
169 	uint64_t seq_num,
170 	SSL3ContentType ct,
171 	uchar_t *versionp,
172 	uchar_t *buf,
173 	int len,
174 	uchar_t *digest)
175 {
176 	KSSL_HASHCTX mac_ctx;
177 	KSSL_HASHCTX *ctx = &mac_ctx;
178 	uchar_t temp[16], *p;
179 	KSSLCipherSpec *spec;
180 	boolean_t hash_use_ok = B_FALSE;
181 	int rv = 0;
182 
183 	spec = &ssl->spec[direction];
184 
185 	if (spec->mac_hashsz == 0) {
186 		return (1);
187 	}
188 
189 	p = temp;
190 
191 	*p++ = (seq_num >> 56) & 0xff;
192 	*p++ = (seq_num >> 48) & 0xff;
193 	*p++ = (seq_num >> 40) & 0xff;
194 	*p++ = (seq_num >> 32) & 0xff;
195 	*p++ = (seq_num >> 24) & 0xff;
196 	*p++ = (seq_num >> 16) & 0xff;
197 	*p++ = (seq_num >> 8) & 0xff;
198 	*p++ = (seq_num) & 0xff;
199 	*p++ = (uchar_t)ct;
200 	if (IS_TLS(ssl)) {
201 		*p++ = versionp[0];
202 		*p++ = versionp[1];
203 	}
204 	*p++ = (len >> 8) & 0xff;
205 	*p++ = (len) & 0xff;
206 
207 	if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID &&
208 	    len >= kcf_md5_threshold)) {
209 		crypto_data_t dd, mac;
210 		struct uio uio_pt;
211 		struct iovec iovarray_pt[2];
212 
213 		/* init the array of iovecs for use in the uio struct */
214 		iovarray_pt[0].iov_base = (char *)temp;
215 		iovarray_pt[0].iov_len = (p - temp);
216 		iovarray_pt[1].iov_base = (char *)buf;
217 		iovarray_pt[1].iov_len = len;
218 
219 		/* init the uio struct for use in the crypto_data_t struct */
220 		bzero(&uio_pt, sizeof (uio_pt));
221 		uio_pt.uio_iov = iovarray_pt;
222 		uio_pt.uio_iovcnt = 2;
223 		uio_pt.uio_segflg = UIO_SYSSPACE;
224 
225 		dd.cd_format = CRYPTO_DATA_UIO;
226 		dd.cd_offset = 0;
227 		dd.cd_length =  (p - temp) + len;
228 		dd.cd_miscdata = NULL;
229 		dd.cd_uio = &uio_pt;
230 
231 		mac.cd_format = CRYPTO_DATA_RAW;
232 		mac.cd_offset = 0;
233 		mac.cd_raw.iov_base = (char *)digest;
234 		mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz;
235 
236 		/*
237 		 * The calling context can tolerate a blocking call here.
238 		 * For outgoing traffic, we are in user context
239 		 * when called from strsock_kssl_output(). For incoming
240 		 * traffic past the SSL handshake, we are in user
241 		 * context when called from strsock_kssl_input(). During the
242 		 * SSL handshake, we are called for client_finished message
243 		 * handling from a squeue worker thread that gets scheduled
244 		 * by an squeue_fill() call. This thread is not in interrupt
245 		 * context and so can block.
246 		 */
247 		rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key,
248 		    NULL, &mac, NULL);
249 
250 		if (CRYPTO_ERR(rv)) {
251 			hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED &&
252 			    !IS_TLS(ssl));
253 			if (!hash_use_ok) {
254 				DTRACE_PROBE1(kssl_err__crypto_mac_error,
255 				    int, rv);
256 				KSSL_COUNTER(compute_mac_failure, 1);
257 			}
258 		}
259 	} else
260 		hash_use_ok = B_TRUE;
261 
262 	if (hash_use_ok) {
263 		bcopy(&(ssl->mac_ctx[direction][0]), ctx,
264 		    sizeof (KSSL_HASHCTX));
265 		spec->MAC_HashUpdate((void *)ctx, temp, p - temp);
266 		spec->MAC_HashUpdate((void *)ctx, buf, len);
267 		spec->MAC_HashFinal(digest, (void *)ctx);
268 
269 		bcopy(&(ssl->mac_ctx[direction][1]), ctx,
270 		    sizeof (KSSL_HASHCTX));
271 		spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz);
272 		spec->MAC_HashFinal(digest, (void *)ctx);
273 	}
274 
275 	return (rv);
276 }
277 
278 /*
279  * Handles handshake messages.
280  * Messages to be replied are returned in handshake_sendbuf.
281  */
282 int
283 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err,
284     kssl_callback_t cbfn, void *arg)
285 {
286 	uint32_t msglen;
287 	uchar_t msghdr[4];
288 
289 	ASSERT(ssl->msg.state == MSG_BODY);
290 	ASSERT(ssl->msg.msglen_bytes == 3);
291 	ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen);
292 
293 	ssl->sslcnt++;
294 	msglen = ssl->msg.msglen;
295 
296 	if (ssl->msg.type == client_hello) {
297 		MD5Init(&ssl->hs_md5);
298 		SHA1Init(&ssl->hs_sha1);
299 	}
300 
301 	if (ssl->msg.type == finished && ssl->resumed == B_FALSE) {
302 		if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
303 		    sender_client) != 0) {
304 			*err = SSL_MISS;
305 			return (0);
306 		}
307 	}
308 
309 	if (ssl->msg.type != finished || ssl->resumed == B_FALSE) {
310 		msghdr[0] = (uchar_t)ssl->msg.type;
311 
312 		msghdr[1] = (uchar_t)(msglen >> 16);
313 		msghdr[2] = (uchar_t)(msglen >> 8);
314 		msghdr[3] = (uchar_t)(msglen);
315 		kssl_update_handshake_hashes(ssl, msghdr, 4);
316 		kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen);
317 	}
318 
319 	ssl->msg.state = MSG_INIT;
320 	ssl->msg.msglen = 0;
321 	ssl->msg.msglen_bytes = 0;
322 
323 	switch (ssl->msg.type) {
324 	case client_hello:
325 		if (ssl->hs_waitstate != wait_client_hello) {
326 			kssl_send_alert(ssl, alert_fatal,
327 			    unexpected_message);
328 			*err = EBADMSG;
329 			ssl->activeinput = B_FALSE;
330 			return (1);
331 		}
332 		*err = kssl_handle_client_hello(ssl, mp, msglen);
333 		if (*err == SSL_MISS) {
334 			ssl->activeinput = B_FALSE;
335 			return (0);
336 		}
337 		return (1);
338 	case client_key_exchange:
339 		if (ssl->hs_waitstate != wait_client_key) {
340 			kssl_send_alert(ssl, alert_fatal,
341 			    unexpected_message);
342 			*err = EBADMSG;
343 			ssl->activeinput = B_FALSE;
344 			return (1);
345 		}
346 		*err = kssl_handle_client_key_exchange(ssl, mp,
347 		    msglen, cbfn, arg);
348 		return (1);
349 	case finished:
350 		if (ssl->hs_waitstate != wait_finished) {
351 			kssl_send_alert(ssl, alert_fatal,
352 			    unexpected_message);
353 			*err = EBADMSG;
354 			ssl->activeinput = B_FALSE;
355 			return (1);
356 		}
357 		*err = kssl_handle_finished(ssl, mp, msglen);
358 		return (1);
359 	default:
360 		kssl_send_alert(ssl, alert_fatal, unexpected_message);
361 		ssl->activeinput = B_FALSE;
362 		*err = EBADMSG;
363 		return (1);
364 	}
365 }
366 
367 static void
368 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len)
369 {
370 	MD5Update(&ssl->hs_md5, buf, len);
371 	SHA1Update(&ssl->hs_sha1, buf, len);
372 }
373 
374 static int
375 kssl_compute_handshake_hashes(
376 	ssl_t *ssl,
377 	SSL3Hashes *hashes,
378 	uint32_t sender)
379 {
380 	MD5_CTX md5 = ssl->hs_md5;	/* clone md5 context */
381 	SHA1_CTX sha1 = ssl->hs_sha1;	/* clone sha1 context */
382 	MD5_CTX *md5ctx = &md5;
383 	SHA1_CTX *sha1ctx = &sha1;
384 
385 	if (IS_TLS(ssl)) {
386 		uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN];
387 		char *label;
388 
389 		/*
390 		 * Do not take another hash step here.
391 		 * Just complete the operation.
392 		 */
393 		MD5Final(hashes->md5, md5ctx);
394 		SHA1Final(hashes->sha1, sha1ctx);
395 
396 		bcopy(hashes->md5, seed, MD5_HASH_LEN);
397 		bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN);
398 
399 		if (sender == sender_client)
400 			label = TLS_CLIENT_FINISHED_LABEL;
401 		else
402 			label = TLS_SERVER_FINISHED_LABEL;
403 
404 		return (kssl_tls_PRF(ssl,
405 		    ssl->sid.master_secret,
406 		    (size_t)SSL3_MASTER_SECRET_LEN,
407 		    (uchar_t *)label, strlen(label),
408 		    seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN),
409 		    hashes->tlshash, (size_t)TLS_FINISHED_SIZE));
410 	} else {
411 		uchar_t s[4];
412 		s[0] = (sender >> 24) & 0xff;
413 		s[1] = (sender >> 16) & 0xff;
414 		s[2] = (sender >> 8) & 0xff;
415 		s[3] = (sender) & 0xff;
416 
417 		MD5Update(md5ctx, s, 4);
418 		MD5Update(md5ctx, ssl->sid.master_secret,
419 		    SSL3_MASTER_SECRET_LEN);
420 		MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN);
421 		MD5Final(hashes->md5, md5ctx);
422 
423 		MD5Init(md5ctx);
424 		MD5Update(md5ctx, ssl->sid.master_secret,
425 		    SSL3_MASTER_SECRET_LEN);
426 		MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN);
427 		MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN);
428 		MD5Final(hashes->md5, md5ctx);
429 
430 		SHA1Update(sha1ctx, s, 4);
431 		SHA1Update(sha1ctx, ssl->sid.master_secret,
432 		    SSL3_MASTER_SECRET_LEN);
433 		SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN);
434 		SHA1Final(hashes->sha1, sha1ctx);
435 
436 		SHA1Init(sha1ctx);
437 		SHA1Update(sha1ctx, ssl->sid.master_secret,
438 		    SSL3_MASTER_SECRET_LEN);
439 		SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN);
440 		SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN);
441 		SHA1Final(hashes->sha1, sha1ctx);
442 		return (0);
443 	}
444 }
445 
446 
447 #define	KSSL_SSL3_CH_MIN_MSGLEN	(39)
448 
449 static int
450 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen)
451 {
452 	uchar_t *msgend;
453 	int err;
454 	SSL3AlertDescription desc = illegal_parameter;
455 	uint_t sidlen;
456 	uint_t nsuites;
457 	uchar_t *suitesp;
458 	uint_t i, j;
459 	uint16_t suite;
460 	int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN;
461 
462 	ASSERT(mp->b_wptr >= mp->b_rptr + msglen);
463 	ASSERT(ssl->msg.type == client_hello);
464 	ASSERT(ssl->hs_waitstate == wait_client_hello);
465 	ASSERT(ssl->resumed == B_FALSE);
466 
467 	if (msglen < ch_msglen) {
468 		goto falert;
469 	}
470 
471 	msgend = mp->b_rptr + msglen;
472 
473 	/* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */
474 	if (ssl->major_version != 3 || (ssl->major_version == 3 &&
475 	    ssl->minor_version != 0 && ssl->minor_version != 1)) {
476 		DTRACE_PROBE2(kssl_err__SSL_version_not_supported,
477 		    uchar_t, ssl->major_version,
478 		    uchar_t, ssl->minor_version);
479 		desc = handshake_failure;
480 		goto falert;
481 	}
482 	mp->b_rptr += 2; /* skip the version bytes */
483 
484 	bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH);
485 	mp->b_rptr += SSL3_RANDOM_LENGTH;
486 
487 	ASSERT(ssl->sid.cached == B_FALSE);
488 	sidlen = *mp->b_rptr++;
489 	ch_msglen += sidlen;
490 	if (msglen < ch_msglen) {
491 		goto falert;
492 	}
493 	if (sidlen != SSL3_SESSIONID_BYTES) {
494 		mp->b_rptr += sidlen;
495 	} else {
496 		kssl_lookup_sid(&ssl->sid, mp->b_rptr, ssl->faddr,
497 		    ssl->kssl_entry);
498 		mp->b_rptr += SSL3_SESSIONID_BYTES;
499 	}
500 
501 	nsuites = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
502 	mp->b_rptr += 2;
503 	ch_msglen += nsuites;
504 	if (msglen != ch_msglen) {
505 		goto falert;
506 	}
507 	if (nsuites & 0x1) {
508 		goto falert;
509 	}
510 	suitesp = mp->b_rptr;
511 	if (ssl->sid.cached == B_TRUE) {
512 		suite = ssl->sid.cipher_suite;
513 		for (j = 0; j < nsuites; j += 2) {
514 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
515 			    suitesp[j + 1] == (suite & 0xff)) {
516 				break;
517 			}
518 		}
519 		if (j < nsuites) {
520 			goto suite_found;
521 		}
522 		kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
523 		ssl->sid.cached = B_FALSE;
524 	}
525 
526 	/* Check if this server is capable of the cipher suite */
527 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
528 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
529 		for (j = 0; j < nsuites; j += 2) {
530 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
531 			    suitesp[j + 1] == (suite & 0xff)) {
532 				break;
533 			}
534 		}
535 		if (j < nsuites) {
536 			break;
537 		}
538 	}
539 	if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) {
540 		if (ssl->sslcnt == 1) {
541 			KSSL_COUNTER(no_suite_found, 1);
542 			return (SSL_MISS);
543 		}
544 		desc = handshake_failure;
545 		DTRACE_PROBE(kssl_err__no_cipher_suites_found);
546 		goto falert;
547 	}
548 
549 suite_found:
550 
551 	mp->b_rptr += nsuites;
552 	if (*mp->b_rptr++ != 1 || *mp->b_rptr++ != 0) {
553 		desc = handshake_failure;
554 		DTRACE_PROBE(kssl_err__handshake_failure);
555 		goto falert;
556 	}
557 
558 	mp->b_rptr = msgend;
559 
560 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
561 		if (suite == cipher_suite_defs[i].suite) {
562 			break;
563 		}
564 	}
565 
566 	ASSERT(i < cipher_suite_defs_nentries);
567 
568 	ssl->pending_cipher_suite = suite;
569 	ssl->pending_malg = cipher_suite_defs[i].malg;
570 	ssl->pending_calg = cipher_suite_defs[i].calg;
571 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
572 
573 	if (ssl->sid.cached == B_TRUE) {
574 		err = kssl_send_server_hello(ssl);
575 		if (err != 0) {
576 			return (err);
577 		}
578 		if (IS_TLS(ssl))
579 			err = kssl_generate_tls_keyblock(ssl);
580 		else
581 			kssl_generate_keyblock(ssl);
582 
583 		err = kssl_send_change_cipher_specs(ssl);
584 		if (err != 0) {
585 			return (err);
586 		}
587 
588 		err = kssl_send_finished(ssl, 1);
589 		if (err != 0)
590 			return (err);
591 
592 		err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
593 		    sender_client);
594 		if (err != 0)
595 			return (err);
596 
597 		ssl->hs_waitstate = wait_change_cipher;
598 		ssl->resumed = B_TRUE;
599 		ssl->activeinput = B_FALSE;
600 		KSSL_COUNTER(resumed_sessions, 1);
601 		return (0);
602 	}
603 
604 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
605 	    SSL3_SESSIONID_BYTES);
606 	ssl->sid.client_addr = ssl->faddr;
607 	ssl->sid.cipher_suite = suite;
608 
609 	err = kssl_send_server_hello(ssl);
610 	if (err != 0) {
611 		return (err);
612 	}
613 	err = kssl_send_certificate_and_server_hello_done(ssl);
614 	if (err != 0) {
615 		return (err);
616 	}
617 	KSSL_COUNTER(full_handshakes, 1);
618 	ssl->hs_waitstate = wait_client_key;
619 	ssl->activeinput = B_FALSE;
620 	return (0);
621 
622 falert:
623 	kssl_send_alert(ssl, alert_fatal, desc);
624 	return (EBADMSG);
625 }
626 
627 static void
628 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
629 {
630 	uint_t index;
631 	uchar_t *s = sid->session_id;
632 	int l = SSL3_SESSIONID_BYTES - 1;
633 	kmutex_t *lock;
634 
635 	ASSERT(sid->cached == B_TRUE);
636 
637 	index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
638 	    ((int)s[2] << 8) | (int)s[l]);
639 
640 	index %= kssl_entry->sid_cache_nentries;
641 
642 	sid->time = lbolt;
643 
644 	lock = &(kssl_entry->sid_cache[index].se_lock);
645 	mutex_enter(lock);
646 	kssl_entry->sid_cache[index].se_used++;
647 	bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid));
648 	mutex_exit(lock);
649 }
650 
651 static void
652 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, ipaddr_t faddr,
653     kssl_entry_t *kssl_entry)
654 {
655 	uint_t index;
656 	int l = SSL3_SESSIONID_BYTES - 1;
657 	kmutex_t *lock;
658 	sslSessionID *csid;
659 
660 	ASSERT(sid->cached == B_FALSE);
661 
662 	KSSL_COUNTER(sid_cache_lookups, 1);
663 
664 	index = (int)faddr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
665 	    ((int)s[2] << 8) | (int)s[l]);
666 
667 	index %= kssl_entry->sid_cache_nentries;
668 
669 	lock = &(kssl_entry->sid_cache[index].se_lock);
670 	mutex_enter(lock);
671 	csid = &(kssl_entry->sid_cache[index].se_sid);
672 	if (csid->cached == B_FALSE || csid->client_addr != faddr ||
673 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
674 		mutex_exit(lock);
675 		return;
676 	}
677 
678 	if (TICK_TO_SEC(lbolt - csid->time) > kssl_entry->sid_cache_timeout) {
679 		csid->cached = B_FALSE;
680 		mutex_exit(lock);
681 		return;
682 	}
683 
684 	bcopy(csid, sid, sizeof (*sid));
685 	mutex_exit(lock);
686 	ASSERT(sid->cached == B_TRUE);
687 
688 	KSSL_COUNTER(sid_cache_hits, 1);
689 }
690 
691 static uchar_t *
692 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp)
693 {
694 	size_t len = *lenp;
695 	int i = 2;
696 
697 	if (buf[0] != 0 || buf[1] != 2) {
698 		return (NULL);
699 	}
700 
701 	while (i < len) {
702 		if (buf[i++] == 0) {
703 			*lenp = len - i;
704 			break;
705 		}
706 	}
707 
708 	if (i == len) {
709 		return (NULL);
710 	}
711 
712 	return (buf + i);
713 }
714 
715 void
716 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
717 {
718 	uint_t index;
719 	uchar_t *s = sid->session_id;
720 	int l = SSL3_SESSIONID_BYTES - 1;
721 	sslSessionID *csid;
722 	kmutex_t *lock;
723 
724 	ASSERT(sid->cached == B_TRUE);
725 
726 	KSSL_COUNTER(sid_uncached, 1);
727 
728 	index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
729 	    ((int)s[2] << 8) | (int)s[l]);
730 
731 	index %= kssl_entry->sid_cache_nentries;
732 
733 	lock = &(kssl_entry->sid_cache[index].se_lock);
734 	mutex_enter(lock);
735 	csid = &(kssl_entry->sid_cache[index].se_sid);
736 	if (csid->client_addr != sid->client_addr ||
737 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
738 		mutex_exit(lock);
739 		return;
740 	}
741 	csid->cached = B_FALSE;
742 	mutex_exit(lock);
743 }
744 
745 
746 #define	KSSL_SSL3_SH_RECLEN	(74)
747 #define	KSSL_SSL3_FIN_MSGLEN	(36)
748 
749 #define	KSSL_SSL3_MAX_CCP_FIN_MSGLEN	(128)	/* comfortable upper bound */
750 
751 static int
752 kssl_send_server_hello(ssl_t *ssl)
753 {
754 	mblk_t *mp;
755 	uchar_t *buf;
756 	uchar_t *msgstart;
757 
758 	mp = allocb(ssl->tcp_mss, BPRI_HI);
759 	if (mp == NULL) {
760 		KSSL_COUNTER(alloc_fails, 1);
761 		return (ENOMEM);
762 	}
763 	ssl->handshake_sendbuf = mp;
764 	buf = mp->b_wptr;
765 
766 	/* 5 byte record header */
767 	buf[0] = content_handshake;
768 	buf[1] = ssl->major_version;
769 	buf[2] = ssl->minor_version;
770 	buf[3] = KSSL_SSL3_SH_RECLEN >> 8;
771 	buf[4] = KSSL_SSL3_SH_RECLEN & 0xff;
772 	buf += SSL3_HDR_LEN;
773 
774 	msgstart = buf;
775 
776 	/* 6 byte message header */
777 	buf[0] = (uchar_t)server_hello;			/* message type */
778 	buf[1] = 0;					/* message len byte 0 */
779 	buf[2] = ((KSSL_SSL3_SH_RECLEN - 4) >> 8) &
780 	    0xff;					/* message len byte 1 */
781 	buf[3] = (KSSL_SSL3_SH_RECLEN - 4) & 0xff;	/* message len byte 2 */
782 
783 	buf[4] = ssl->major_version;	/* version byte 0 */
784 	buf[5] = ssl->minor_version;	/* version byte 1 */
785 
786 	buf += 6;
787 
788 	kssl_get_hello_random(ssl->server_random);
789 	bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH);
790 	buf += SSL3_RANDOM_LENGTH;
791 
792 	buf[0] = SSL3_SESSIONID_BYTES;
793 	bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES);
794 	buf += SSL3_SESSIONID_BYTES + 1;
795 
796 	buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff;
797 	buf[1] = ssl->pending_cipher_suite & 0xff;
798 
799 	buf[2] = 0;	/* No compression */
800 
801 	mp->b_wptr = buf + 3;
802 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
803 
804 	kssl_update_handshake_hashes(ssl, msgstart, KSSL_SSL3_SH_RECLEN);
805 	return (0);
806 }
807 
808 static void
809 kssl_get_hello_random(uchar_t *buf)
810 {
811 	timestruc_t ts;
812 	time_t sec;
813 
814 	gethrestime(&ts);
815 	sec = ts.tv_sec;
816 
817 	buf[0] = (sec >> 24) & 0xff;
818 	buf[1] = (sec >> 16) & 0xff;
819 	buf[2] = (sec >> 8) & 0xff;
820 	buf[3] = (sec) & 0xff;
821 
822 	(void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4);
823 
824 	/* Should this be caching? */
825 }
826 
827 static int
828 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key,
829 	size_t hashlen,
830 	uchar_t *label, size_t label_len,
831 	uchar_t *seed, size_t seedlen,
832 	uchar_t *data, size_t datalen)
833 {
834 	int rv = 0;
835 	uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN];
836 	int bytes_left = datalen;
837 	crypto_data_t dd, mac;
838 	crypto_context_t ctx;
839 
840 	dd.cd_format = CRYPTO_DATA_RAW;
841 	dd.cd_offset = 0;
842 	mac.cd_format = CRYPTO_DATA_RAW;
843 	mac.cd_offset = 0;
844 
845 	/*
846 	 * A(i) = HMAC_hash(secred, seed + A(i-1));
847 	 * A(0) = seed;
848 	 *
849 	 * Compute A(1):
850 	 * A(1) = HMAC_hash(secret, label + seed)
851 	 *
852 	 */
853 	HMAC_INIT(mech, key, &ctx);
854 	HMAC_UPDATE(ctx, label, label_len);
855 	HMAC_UPDATE(ctx, seed, seedlen);
856 	HMAC_FINAL(ctx, A1, hashlen);
857 
858 	/* Compute A(2) ... A(n) */
859 	while (bytes_left > 0) {
860 		HMAC_INIT(mech, key, &ctx);
861 		HMAC_UPDATE(ctx, A1, hashlen);
862 		HMAC_UPDATE(ctx, label, label_len);
863 		HMAC_UPDATE(ctx, seed, seedlen);
864 		HMAC_FINAL(ctx, result, hashlen);
865 
866 		/*
867 		 * The A(i) value is stored in "result".
868 		 * Save the results of the MAC so it can be input to next
869 		 * iteration.
870 		 */
871 		if (bytes_left > hashlen) {
872 			/* Store the chunk result */
873 			bcopy(result, data, hashlen);
874 			data += hashlen;
875 
876 			bytes_left -= hashlen;
877 
878 			/* Update A1 for next iteration */
879 			HMAC_INIT(mech, key, &ctx);
880 			HMAC_UPDATE(ctx, A1, hashlen);
881 			HMAC_FINAL(ctx, A1, hashlen);
882 
883 		} else {
884 			bcopy(result, data, bytes_left);
885 			data += bytes_left;
886 			bytes_left = 0;
887 		}
888 	}
889 end:
890 	if (CRYPTO_ERR(rv)) {
891 		DTRACE_PROBE1(kssl_err__crypto_mac_error, int, rv);
892 		KSSL_COUNTER(compute_mac_failure, 1);
893 	}
894 	return (rv);
895 }
896 
897 /* ARGSUSED */
898 static int
899 kssl_tls_PRF(ssl_t *ssl,
900 	uchar_t *secret, size_t secret_len,
901 	uchar_t *label, size_t label_len,
902 	uchar_t *seed, size_t seed_len,
903 	uchar_t *prfresult, size_t prfresult_len)
904 {
905 	/*
906 	 * RFC 2246:
907 	 *  PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
908 	 *				P_SHA1(S2, label + seed);
909 	 * S1 = 1st half of secret.
910 	 * S1 = 2nd half of secret.
911 	 *
912 	 */
913 
914 	int rv = 0, i;
915 	uchar_t psha1[MAX_KEYBLOCK_LENGTH];
916 	crypto_key_t S1, S2;
917 
918 	/* length of secret keys is ceil(length/2) */
919 	size_t slen = roundup(secret_len, 2) / 2;
920 
921 	if (prfresult_len >  MAX_KEYBLOCK_LENGTH) {
922 		DTRACE_PROBE1(kssl_err__unexpected_keyblock_size,
923 		    size_t, prfresult_len);
924 		return (CRYPTO_ARGUMENTS_BAD);
925 	}
926 
927 	ASSERT(prfresult != NULL);
928 	ASSERT(label != NULL);
929 	ASSERT(seed != NULL);
930 
931 	S1.ck_data   = secret;
932 	S1.ck_length = slen * 8; /* bits */
933 	S1.ck_format = CRYPTO_KEY_RAW;
934 
935 	S2.ck_data   = secret + slen;
936 	S2.ck_length = slen * 8; /* bits */
937 	S2.ck_format = CRYPTO_KEY_RAW;
938 
939 	rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN,
940 	    label, label_len,
941 	    seed, seed_len,
942 	    prfresult, prfresult_len);
943 	if (CRYPTO_ERR(rv))
944 		goto end;
945 
946 	rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN,
947 	    label, label_len,
948 	    seed, seed_len,
949 	    psha1, prfresult_len);
950 	if (CRYPTO_ERR(rv))
951 		goto end;
952 
953 	for (i = 0; i < prfresult_len; i++)
954 		prfresult[i] ^= psha1[i];
955 
956 end:
957 	if (CRYPTO_ERR(rv))
958 		bzero(prfresult, prfresult_len);
959 
960 	return (rv);
961 }
962 
963 #define	IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)			\
964 	(pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN ||		\
965 	pms[0] != ssl->major_version || pms[1] != ssl->minor_version)
966 
967 #define	FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) {			\
968 		KSSL_COUNTER(bad_pre_master_secret, 1);			\
969 		pms = buf;						\
970 		pmslen = SSL3_PRE_MASTER_SECRET_LEN;			\
971 		pms[0] = ssl->major_version;				\
972 		pms[1] = ssl->minor_version;				\
973 		(void) random_get_pseudo_bytes(&buf[2], pmslen - 2);	\
974 }
975 
976 static int
977 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
978 {
979 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
980 	uchar_t seed[SSL3_RANDOM_LENGTH * 2];
981 
982 	/*
983 	 * Computing the master secret:
984 	 * ----------------------------
985 	 * master_secret = PRF (pms, "master secret",
986 	 *		ClientHello.random + ServerHello.random);
987 	 */
988 	bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH);
989 	bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH,
990 	    SSL3_RANDOM_LENGTH);
991 
992 	/* if pms is bad fake it to thwart Bleichenbacher attack */
993 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
994 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
995 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
996 	}
997 
998 	return (kssl_tls_PRF(ssl,
999 	    pms, pmslen,
1000 	    (uchar_t *)TLS_MASTER_SECRET_LABEL,
1001 	    (size_t)strlen(TLS_MASTER_SECRET_LABEL),
1002 	    seed, sizeof (seed),
1003 	    ssl->sid.master_secret,
1004 	    (size_t)sizeof (ssl->sid.master_secret)));
1005 }
1006 
1007 
1008 static void
1009 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1010 {
1011 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1012 	uchar_t *ms;
1013 	int hlen = MD5_HASH_LEN;
1014 
1015 	ms = ssl->sid.master_secret;
1016 
1017 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1018 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1019 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
1020 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1021 	}
1022 
1023 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0);
1024 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0);
1025 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen,
1026 	    0);
1027 }
1028 
1029 static int
1030 kssl_generate_tls_keyblock(ssl_t *ssl)
1031 {
1032 	uchar_t seed[2 * SSL3_RANDOM_LENGTH];
1033 
1034 	bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH);
1035 	bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH,
1036 	    SSL3_RANDOM_LENGTH);
1037 
1038 	return (kssl_tls_PRF(ssl, ssl->sid.master_secret,
1039 	    (size_t)SSL3_MASTER_SECRET_LEN,
1040 	    (uchar_t *)TLS_KEY_EXPANSION_LABEL,
1041 	    (size_t)strlen(TLS_KEY_EXPANSION_LABEL),
1042 	    seed, (size_t)sizeof (seed),
1043 	    ssl->pending_keyblock,
1044 	    (size_t)ssl->pending_keyblksz));
1045 
1046 }
1047 
1048 static void
1049 kssl_generate_keyblock(ssl_t *ssl)
1050 {
1051 	uchar_t *ms;
1052 	size_t mslen = SSL3_MASTER_SECRET_LEN;
1053 	int hlen = MD5_HASH_LEN;
1054 	uchar_t *keys = ssl->pending_keyblock;
1055 	int steps = howmany(ssl->pending_keyblksz, hlen);
1056 	int i;
1057 
1058 	ms = ssl->sid.master_secret;
1059 
1060 	ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH);
1061 
1062 	for (i = 1; i <= steps; i++) {
1063 		kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1);
1064 		keys += hlen;
1065 	}
1066 }
1067 
1068 static char *ssl3_key_derive_seeds[9] = {"A", "BB", "CCC", "DDDD", "EEEEE",
1069 	"FFFFFF", "GGGGGGG", "HHHHHHHH", "IIIIIIIII"};
1070 
1071 static void
1072 kssl_ssl3_key_material_derive_step(
1073 	ssl_t *ssl,
1074 	uchar_t *secret,
1075 	size_t secretlen,
1076 	int step,
1077 	uchar_t *dst,
1078 	int sr_first)
1079 {
1080 	SHA1_CTX sha1, *sha1ctx;
1081 	MD5_CTX md5, *md5ctx;
1082 	uchar_t sha1_hash[SHA1_HASH_LEN];
1083 
1084 	sha1ctx = &sha1;
1085 	md5ctx = &md5;
1086 
1087 	ASSERT(step <=
1088 	    sizeof (ssl3_key_derive_seeds) /
1089 	    sizeof (ssl3_key_derive_seeds[0]));
1090 	step--;
1091 
1092 	SHA1Init(sha1ctx);
1093 	SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step],
1094 	    step + 1);
1095 	SHA1Update(sha1ctx, secret, secretlen);
1096 	if (sr_first) {
1097 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1098 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1099 	} else {
1100 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1101 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1102 	}
1103 	SHA1Final(sha1_hash, sha1ctx);
1104 
1105 	MD5Init(md5ctx);
1106 	MD5Update(md5ctx, secret, secretlen);
1107 	MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN);
1108 	MD5Final(dst, md5ctx);
1109 }
1110 
1111 static int
1112 kssl_send_certificate_and_server_hello_done(ssl_t *ssl)
1113 {
1114 	int cur_reclen;
1115 	int mss;
1116 	int len, copylen;
1117 	mblk_t *mp;
1118 	uchar_t *cert_buf;
1119 	int cert_len;
1120 	uchar_t *msgbuf;
1121 	Certificate_t *cert;
1122 
1123 	cert = ssl->kssl_entry->ke_server_certificate;
1124 	if (cert == NULL) {
1125 		return (ENOENT);
1126 	}
1127 	cert_buf = cert->msg;
1128 	cert_len = cert->len;
1129 
1130 	mp = ssl->handshake_sendbuf;
1131 	mss = ssl->tcp_mss;
1132 	ASSERT(mp != NULL);
1133 	cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN;
1134 	ASSERT(cur_reclen == KSSL_SSL3_SH_RECLEN);
1135 	/* Assume MSS is at least 80 bytes */
1136 	ASSERT(mss > cur_reclen + SSL3_HDR_LEN);
1137 	ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */
1138 
1139 	copylen = mss - (cur_reclen + SSL3_HDR_LEN);
1140 	len = cert_len;
1141 	copylen = MIN(copylen, len);
1142 	copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1143 
1144 	/* new record always starts in a new mblk for simplicity */
1145 	msgbuf = cert_buf;
1146 	for (;;) {
1147 		ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim);
1148 		bcopy(msgbuf, mp->b_wptr, copylen);
1149 		msgbuf += copylen;
1150 		mp->b_wptr += copylen;
1151 		cur_reclen += copylen;
1152 		len -= copylen;
1153 		if (len == 0) {
1154 			break;
1155 		}
1156 		if (cur_reclen == SSL3_MAX_RECORD_LENGTH) {
1157 			cur_reclen = 0;
1158 		}
1159 		copylen = MIN(len, mss);
1160 		copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1161 		mp->b_cont = allocb(copylen, BPRI_HI);
1162 		if (mp->b_cont == NULL) {
1163 			KSSL_COUNTER(alloc_fails, 1);
1164 			freemsg(ssl->handshake_sendbuf);
1165 			ssl->handshake_sendbuf = NULL;
1166 			return (ENOMEM);
1167 		}
1168 		mp = mp->b_cont;
1169 		if (cur_reclen == 0) {
1170 			mp->b_wptr[0] = content_handshake;
1171 			mp->b_wptr[1] = ssl->major_version;
1172 			mp->b_wptr[2] = ssl->minor_version;
1173 			cur_reclen = MIN(len, SSL3_MAX_RECORD_LENGTH);
1174 			mp->b_wptr[3] = (cur_reclen >> 8) & 0xff;
1175 			mp->b_wptr[4] = (cur_reclen) & 0xff;
1176 			mp->b_wptr += SSL3_HDR_LEN;
1177 			cur_reclen = 0;
1178 			copylen = MIN(copylen, mss - SSL3_HDR_LEN);
1179 		}
1180 	}
1181 
1182 	/* adjust the record length field for the first record */
1183 	mp = ssl->handshake_sendbuf;
1184 	cur_reclen = MIN(KSSL_SSL3_SH_RECLEN + cert_len,
1185 	    SSL3_MAX_RECORD_LENGTH);
1186 	mp->b_rptr[3] = (cur_reclen >> 8) & 0xff;
1187 	mp->b_rptr[4] = (cur_reclen) & 0xff;
1188 
1189 	kssl_update_handshake_hashes(ssl, cert_buf, cert_len);
1190 
1191 	return (0);
1192 }
1193 
1194 static int
1195 kssl_send_change_cipher_specs(ssl_t *ssl)
1196 {
1197 	mblk_t *mp, *newmp;
1198 	uchar_t *buf;
1199 
1200 	mp = ssl->handshake_sendbuf;
1201 
1202 	/* We're most likely to hit the fast path for resumed sessions */
1203 	if ((mp != NULL) &&
1204 	    (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) {
1205 		buf = mp->b_wptr;
1206 	} else {
1207 		newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI);
1208 
1209 		if (newmp == NULL)
1210 			return (ENOMEM);	/* need to do better job! */
1211 
1212 		if (mp == NULL) {
1213 			ssl->handshake_sendbuf = newmp;
1214 		} else {
1215 			linkb(ssl->handshake_sendbuf, newmp);
1216 		}
1217 		mp = newmp;
1218 		buf = mp->b_rptr;
1219 	}
1220 
1221 	/* 5 byte record header */
1222 	buf[0] = content_change_cipher_spec;
1223 	buf[1] = ssl->major_version;
1224 	buf[2] = ssl->minor_version;
1225 	buf[3] = 0;
1226 	buf[4] = 1;
1227 	buf += SSL3_HDR_LEN;
1228 
1229 	buf[0] = 1;
1230 
1231 	mp->b_wptr = buf + 1;
1232 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
1233 
1234 	ssl->seq_num[KSSL_WRITE] = 0;
1235 	return (kssl_spec_init(ssl, KSSL_WRITE));
1236 }
1237 
1238 int
1239 kssl_spec_init(ssl_t *ssl, int dir)
1240 {
1241 	KSSL_HASHCTX *ctx;
1242 	KSSLCipherSpec *spec = &ssl->spec[dir];
1243 	int ret = 0;
1244 
1245 	spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz;
1246 	spec->mac_padsz = mac_defs[ssl->pending_malg].padsz;
1247 
1248 	spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit;
1249 	spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate;
1250 	spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal;
1251 
1252 	if (dir == KSSL_READ) {
1253 		bcopy(ssl->pending_keyblock, ssl->mac_secret[dir],
1254 		    spec->mac_hashsz);
1255 	} else {
1256 		bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]),
1257 		    ssl->mac_secret[dir], spec->mac_hashsz);
1258 	}
1259 
1260 	/* Pre-compute these here. will save cycles on each record later */
1261 	if (!IS_TLS(ssl)) {
1262 		ctx = &ssl->mac_ctx[dir][0];
1263 		spec->MAC_HashInit((void *)ctx);
1264 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1265 		    spec->mac_hashsz);
1266 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_1,
1267 		    spec->mac_padsz);
1268 
1269 		ctx = &ssl->mac_ctx[dir][1];
1270 		spec->MAC_HashInit((void *)ctx);
1271 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1272 		    spec->mac_hashsz);
1273 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_2,
1274 		    spec->mac_padsz);
1275 	}
1276 
1277 	spec->cipher_type = cipher_defs[ssl->pending_calg].type;
1278 	spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type;
1279 	spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize;
1280 	spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz;
1281 
1282 	if (spec->cipher_ctx != NULL) {
1283 		crypto_cancel_ctx(spec->cipher_ctx);
1284 		spec->cipher_ctx = 0;
1285 	}
1286 
1287 	/*
1288 	 * Initialize HMAC keys for TLS and SSL3 HMAC keys
1289 	 * for SSL 3.0.
1290 	 */
1291 	if (IS_TLS(ssl)) {
1292 		if (ssl->pending_malg == mac_md5) {
1293 			spec->hmac_mech = hmac_md5_mech;
1294 		} else if (ssl->pending_malg == mac_sha) {
1295 			spec->hmac_mech = hmac_sha1_mech;
1296 		}
1297 
1298 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1299 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1300 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1301 	} else {
1302 		static uint32_t param;
1303 
1304 		spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID;
1305 		spec->hmac_mech.cm_param = (caddr_t)&param;
1306 		spec->hmac_mech.cm_param_len = sizeof (param);
1307 		if (ssl->pending_malg == mac_md5) {
1308 			spec->hmac_mech.cm_type =
1309 			    crypto_mech2id("CKM_SSL3_MD5_MAC");
1310 			param = MD5_HASH_LEN;
1311 		} else if (ssl->pending_malg == mac_sha) {
1312 			spec->hmac_mech.cm_type =
1313 			    crypto_mech2id("CKM_SSL3_SHA1_MAC");
1314 			param = SHA1_HASH_LEN;
1315 		}
1316 
1317 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1318 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1319 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1320 	}
1321 
1322 	/* We're done if this is the nil cipher */
1323 	if (spec->cipher_keysz == 0) {
1324 		return (0);
1325 	}
1326 
1327 	/* Initialize the key and the active context */
1328 	spec->cipher_key.ck_format = CRYPTO_KEY_RAW;
1329 	spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */
1330 
1331 	if (cipher_defs[ssl->pending_calg].bsize > 0) {
1332 		/* client_write_IV */
1333 		spec->cipher_mech.cm_param =
1334 		    (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz +
1335 		    2 * spec->cipher_keysz]);
1336 		spec->cipher_mech.cm_param_len = spec->cipher_bsize;
1337 	}
1338 	spec->cipher_data.cd_format = CRYPTO_DATA_RAW;
1339 	if (dir == KSSL_READ) {
1340 		spec->cipher_mech.cm_param_len =
1341 		    cipher_defs[ssl->pending_calg].bsize;
1342 
1343 		/* client_write_key */
1344 		spec->cipher_key.ck_data =
1345 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz]);
1346 
1347 		ret = crypto_decrypt_init(&(spec->cipher_mech),
1348 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1349 		if (CRYPTO_ERR(ret)) {
1350 			DTRACE_PROBE1(kssl_err__crypto_decrypt_init_read,
1351 			    int, ret);
1352 		}
1353 	} else {
1354 		if (cipher_defs[ssl->pending_calg].bsize > 0) {
1355 			spec->cipher_mech.cm_param += spec->cipher_bsize;
1356 		}
1357 		/* server_write_key */
1358 		spec->cipher_key.ck_data =
1359 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz +
1360 		    spec->cipher_keysz]);
1361 
1362 		ret = crypto_encrypt_init(&(spec->cipher_mech),
1363 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1364 		if (CRYPTO_ERR(ret))
1365 			DTRACE_PROBE1(kssl_err__crypto_encrypt_init_non_read,
1366 			    int, ret);
1367 	}
1368 	return (ret);
1369 }
1370 
1371 static int
1372 kssl_send_finished(ssl_t *ssl, int update_hsh)
1373 {
1374 	mblk_t *mp;
1375 	uchar_t *buf;
1376 	uchar_t *rstart;
1377 	uchar_t *versionp;
1378 	SSL3Hashes ssl3hashes;
1379 	size_t finish_len;
1380 	int ret = 0;
1381 
1382 	mp = ssl->handshake_sendbuf;
1383 	ASSERT(mp != NULL);
1384 	buf = mp->b_wptr;
1385 	ASSERT(buf - mp->b_rptr == SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN +
1386 	    SSL3_HDR_LEN + 1 || buf - mp->b_rptr == SSL3_HDR_LEN + 1);
1387 
1388 	rstart = buf;
1389 
1390 	if (IS_TLS(ssl))
1391 		finish_len = TLS_FINISHED_SIZE;
1392 	else
1393 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1394 
1395 	/* 5 byte record header */
1396 	buf[0] = content_handshake;
1397 	buf[1] = ssl->major_version;
1398 	buf[2] = ssl->minor_version;
1399 	buf[3] = 0;
1400 	buf[4] = 4 + finish_len;
1401 
1402 	versionp = &buf[1];
1403 
1404 	buf += SSL3_HDR_LEN;
1405 
1406 	/* 4 byte message header */
1407 	buf[0] = (uchar_t)finished;	/* message type */
1408 	buf[1] = 0;			/* message len byte 0 */
1409 	buf[2] = 0;			/* message len byte 1 */
1410 	buf[3] = finish_len;	/* message len byte 2 */
1411 	buf += 4;
1412 
1413 	if (IS_TLS(ssl)) {
1414 		bcopy(ssl->hs_hashes.md5, ssl3hashes.md5,
1415 		    sizeof (ssl3hashes.md5));
1416 		bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1,
1417 		    sizeof (ssl3hashes.sha1));
1418 	}
1419 
1420 	/* Compute hashes for the SENDER side */
1421 	ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server);
1422 	if (ret != 0)
1423 		return (ret);
1424 
1425 	if (IS_TLS(ssl)) {
1426 		bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash));
1427 	} else {
1428 		bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN);
1429 		bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN);
1430 	}
1431 
1432 	if (update_hsh) {
1433 		kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4);
1434 	}
1435 
1436 	mp->b_wptr = buf + finish_len;
1437 
1438 	ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp,
1439 	    rstart, mp);
1440 	ASSERT(mp->b_wptr <= mp->b_datap->db_lim);
1441 
1442 	return (ret);
1443 }
1444 
1445 int
1446 kssl_mac_encrypt_record(ssl_t *ssl,
1447 	SSL3ContentType ct,
1448 	uchar_t *versionp,
1449 	uchar_t *rstart,
1450 	mblk_t *mp)
1451 {
1452 	KSSLCipherSpec *spec;
1453 	int mac_sz;
1454 	int ret = 0;
1455 	uint16_t rec_sz;
1456 	int pad_sz;
1457 	int i;
1458 
1459 	ASSERT(ssl != NULL);
1460 	ASSERT(rstart >= mp->b_rptr);
1461 	ASSERT(rstart < mp->b_wptr);
1462 
1463 	spec = &ssl->spec[KSSL_WRITE];
1464 	mac_sz = spec->mac_hashsz;
1465 
1466 	rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN;
1467 	ASSERT(rec_sz > 0);
1468 
1469 	if (mac_sz != 0) {
1470 		ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim);
1471 		ret = kssl_compute_record_mac(ssl, KSSL_WRITE,
1472 		    ssl->seq_num[KSSL_WRITE], ct, versionp,
1473 		    rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr);
1474 		if (ret == CRYPTO_SUCCESS) {
1475 			ssl->seq_num[KSSL_WRITE]++;
1476 			mp->b_wptr += mac_sz;
1477 			rec_sz += mac_sz;
1478 		} else {
1479 			return (ret);
1480 		}
1481 	}
1482 
1483 	if (spec->cipher_type == type_block) {
1484 		pad_sz = spec->cipher_bsize -
1485 		    (rec_sz & (spec->cipher_bsize - 1));
1486 		ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim);
1487 		for (i = 0; i < pad_sz; i++) {
1488 			mp->b_wptr[i] = pad_sz - 1;
1489 		}
1490 		mp->b_wptr += pad_sz;
1491 		rec_sz += pad_sz;
1492 	}
1493 
1494 	ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH);
1495 
1496 	U16_TO_BE16(rec_sz, rstart + 3);
1497 
1498 	if (spec->cipher_ctx == 0)
1499 		return (ret);
1500 
1501 	spec->cipher_data.cd_length = rec_sz;
1502 	spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN);
1503 	spec->cipher_data.cd_raw.iov_len = rec_sz;
1504 	/* One record at a time. Otherwise, gotta allocate the crypt_data_t */
1505 	ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data,
1506 	    NULL, NULL);
1507 	if (CRYPTO_ERR(ret)) {
1508 		DTRACE_PROBE1(kssl_err__crypto_encrypt_update,
1509 		    int, ret);
1510 	}
1511 	return (ret);
1512 }
1513 
1514 void
1515 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc)
1516 {
1517 	mblk_t *mp;
1518 	uchar_t *buf;
1519 	KSSLCipherSpec *spec;
1520 
1521 	ASSERT(ssl != NULL);
1522 
1523 	ssl->sendalert_level = level;
1524 	ssl->sendalert_desc = desc;
1525 
1526 	if (level == alert_fatal) {
1527 		DTRACE_PROBE2(kssl_sending_alert,
1528 		    SSL3AlertLevel, level, SSL3AlertDescription, desc);
1529 		if (ssl->sid.cached == B_TRUE) {
1530 			kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
1531 			ssl->sid.cached = B_FALSE;
1532 		}
1533 		ssl->fatal_alert = B_TRUE;
1534 		KSSL_COUNTER(fatal_alerts, 1);
1535 	} else
1536 		KSSL_COUNTER(warning_alerts, 1);
1537 
1538 	spec = &ssl->spec[KSSL_WRITE];
1539 
1540 	ASSERT(ssl->alert_sendbuf == NULL);
1541 	ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz +
1542 	    spec->cipher_bsize, BPRI_HI);
1543 	if (mp == NULL) {
1544 		KSSL_COUNTER(alloc_fails, 1);
1545 		return;
1546 	}
1547 	buf = mp->b_wptr;
1548 
1549 	/* 5 byte record header */
1550 	buf[0] = content_alert;
1551 	buf[1] = ssl->major_version;
1552 	buf[2] = ssl->minor_version;
1553 	buf[3] = 0;
1554 	buf[4] = 2;
1555 	buf += SSL3_HDR_LEN;
1556 
1557 	/* alert contents */
1558 	buf[0] = (uchar_t)level;
1559 	buf[1] = (uchar_t)desc;
1560 
1561 	mp->b_wptr = buf + 2;
1562 }
1563 
1564 /* Assumes RSA encryption */
1565 static int
1566 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen,
1567     kssl_callback_t cbfn, void *arg)
1568 {
1569 	char *buf;
1570 	uchar_t *pms;
1571 	size_t pmslen;
1572 	int allocated;
1573 	int err, rverr = ENOMEM;
1574 	kssl_entry_t *ep;
1575 	crypto_key_t *privkey;
1576 	crypto_data_t *wrapped_pms_data, *pms_data;
1577 	crypto_call_req_t creq, *creqp;
1578 
1579 	ep = ssl->kssl_entry;
1580 	privkey = ep->ke_private_key;
1581 	if (privkey == NULL) {
1582 		return (ENOENT);
1583 	}
1584 
1585 	ASSERT(ssl->msg.type == client_key_exchange);
1586 	ASSERT(ssl->hs_waitstate == wait_client_key);
1587 
1588 	/*
1589 	 * TLS adds an extra 2 byte length field before the data.
1590 	 */
1591 	if (IS_TLS(ssl)) {
1592 		msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1];
1593 		mp->b_rptr += 2;
1594 	}
1595 
1596 	/*
1597 	 * Allocate all we need in one shot. about 300 bytes total, for
1598 	 * 1024 bit RSA modulus.
1599 	 * The buffer layout will be: pms_data, wrapped_pms_data, the
1600 	 * value of the wrapped pms from the client, then room for the
1601 	 * resulting decrypted premaster secret.
1602 	 */
1603 	allocated = 2 * (sizeof (crypto_data_t) + msglen);
1604 	buf = kmem_alloc(allocated, KM_NOSLEEP);
1605 	if (buf == NULL) {
1606 		return (ENOMEM);
1607 	}
1608 
1609 	pms_data = (crypto_data_t *)buf;
1610 	wrapped_pms_data = &(((crypto_data_t *)buf)[1]);
1611 
1612 	wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW;
1613 	wrapped_pms_data->cd_offset = pms_data->cd_offset = 0;
1614 	wrapped_pms_data->cd_length = pms_data->cd_length = msglen;
1615 	wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL;
1616 	wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen;
1617 	wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t);
1618 	pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen;
1619 
1620 	bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen);
1621 	mp->b_rptr += msglen;
1622 
1623 	/* Proceed synchronously if out of interrupt and configured to do so */
1624 	if ((kssl_synchronous) && (!servicing_interrupt())) {
1625 		creqp = NULL;
1626 	} else {
1627 		ssl->cke_callback_func = cbfn;
1628 		ssl->cke_callback_arg = arg;
1629 		creq.cr_flag = kssl_call_flag;
1630 		creq.cr_callback_func = kssl_cke_done;
1631 		creq.cr_callback_arg = ssl;
1632 
1633 		/* The callback routine will release this one */
1634 		KSSL_SSL_REFHOLD(ssl);
1635 
1636 		creqp = &creq;
1637 	}
1638 
1639 	if (ep->ke_is_nxkey) {
1640 		kssl_session_info_t *s;
1641 
1642 		s = ep->ke_sessinfo;
1643 		err = CRYPTO_SUCCESS;
1644 		if (!s->is_valid_handle) {
1645 			/* Reauthenticate to the provider */
1646 			if (s->do_reauth) {
1647 				err = kssl_get_obj_handle(ep);
1648 				if (err == CRYPTO_SUCCESS) {
1649 					s->is_valid_handle = B_TRUE;
1650 					s->do_reauth = B_FALSE;
1651 				}
1652 			} else
1653 				err = CRYPTO_FAILED;
1654 		}
1655 
1656 		if (err == CRYPTO_SUCCESS) {
1657 			ASSERT(s->is_valid_handle);
1658 			err = crypto_decrypt_prov(s->prov, s->sid,
1659 			    &rsa_x509_mech, wrapped_pms_data, &s->key,
1660 			    NULL, pms_data, creqp);
1661 		}
1662 
1663 		/*
1664 		 * Deal with session specific errors. We translate to
1665 		 * the closest errno.
1666 		 */
1667 		switch (err) {
1668 		case CRYPTO_KEY_HANDLE_INVALID:
1669 		case CRYPTO_SESSION_HANDLE_INVALID:
1670 			s->is_valid_handle = B_FALSE;
1671 			s->do_reauth = B_TRUE;
1672 			rverr = EINVAL;
1673 			break;
1674 		case CRYPTO_PIN_EXPIRED:
1675 		case CRYPTO_PIN_LOCKED:
1676 			rverr = EACCES;
1677 			break;
1678 		case CRYPTO_UNKNOWN_PROVIDER:
1679 			rverr = ENXIO;
1680 			break;
1681 		}
1682 	} else {
1683 		err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data,
1684 		    privkey, NULL, pms_data, creqp);
1685 	}
1686 
1687 	switch (err) {
1688 	case CRYPTO_SUCCESS:
1689 		break;
1690 
1691 	case CRYPTO_QUEUED:
1692 		/*
1693 		 * Finish the master secret then the rest of key material
1694 		 * derivation later.
1695 		 */
1696 		ssl->job.kjob = creq.cr_reqid;
1697 		ssl->job.buf = buf;
1698 		ssl->job.buflen = allocated;
1699 		ssl->hs_waitstate = wait_client_key_done;
1700 		return (0);
1701 	default:
1702 		DTRACE_PROBE1(kssl_err__crypto_decrypt, int, err);
1703 		kmem_free(buf, allocated);
1704 		return (rverr);
1705 	}
1706 
1707 	pmslen = pms_data->cd_length;
1708 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1709 
1710 	/* generate master key and save it in the ssl sid structure */
1711 	if (IS_TLS(ssl)) {
1712 		err = kssl_generate_tls_ms(ssl, pms, pmslen);
1713 		if (!CRYPTO_ERR(err))
1714 			err = kssl_generate_tls_keyblock(ssl);
1715 	} else {
1716 		kssl_generate_ssl_ms(ssl, pms, pmslen);
1717 		kssl_generate_keyblock(ssl);
1718 	}
1719 
1720 	if (err == CRYPTO_SUCCESS)
1721 		ssl->hs_waitstate = wait_change_cipher;
1722 
1723 	ssl->activeinput = B_FALSE;
1724 
1725 	kmem_free(buf, allocated);
1726 
1727 	return (0);
1728 }
1729 
1730 static int
1731 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen)
1732 {
1733 	int err;
1734 	size_t finish_len;
1735 	int hashcompare;
1736 
1737 	ASSERT(ssl->msg.type == finished);
1738 	ASSERT(ssl->hs_waitstate == wait_finished);
1739 
1740 	if (IS_TLS(ssl))
1741 		finish_len = TLS_FINISHED_SIZE;
1742 	else
1743 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1744 
1745 	if (msglen != finish_len) {
1746 		kssl_send_alert(ssl, alert_fatal, illegal_parameter);
1747 		return (EBADMSG);
1748 	}
1749 
1750 	if (IS_TLS(ssl)) {
1751 		hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash,
1752 		    finish_len);
1753 	} else {
1754 		hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len);
1755 	}
1756 
1757 	/* The handshake hashes should be computed by now */
1758 	if (hashcompare != 0) {
1759 		kssl_send_alert(ssl, alert_fatal, handshake_failure);
1760 		return (EBADMSG);
1761 	}
1762 
1763 	mp->b_rptr += msglen;
1764 
1765 	ssl->hs_waitstate = idle_handshake;
1766 
1767 	if (ssl->resumed == B_TRUE) {
1768 		ssl->activeinput = B_FALSE;
1769 		return (0);
1770 	}
1771 
1772 	err = kssl_send_change_cipher_specs(ssl);
1773 	if (err != 0) {
1774 		return (err);
1775 	}
1776 	err = kssl_send_finished(ssl, 0);
1777 	if (err != 0) {
1778 		return (err);
1779 	}
1780 
1781 	ASSERT(ssl->sid.cached == B_FALSE);
1782 	ssl->sid.cached = B_TRUE;
1783 	kssl_cache_sid(&ssl->sid, ssl->kssl_entry);
1784 	ssl->activeinput = B_FALSE;
1785 
1786 	return (0);
1787 }
1788 
1789 #define	KSSL2_CH_MIN_RECSZ	(9)
1790 
1791 /*
1792  * This method is needed to handle clients which send the
1793  * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers.
1794  * We are not really doing SSLv2 here, just handling the header
1795  * and then switching to SSLv3.
1796  */
1797 int
1798 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz)
1799 {
1800 	uchar_t *recend;
1801 	int err;
1802 	SSL3AlertDescription desc = illegal_parameter;
1803 	uint_t randlen;
1804 	uint_t sidlen;
1805 	uint_t nsuites;
1806 	uchar_t *suitesp;
1807 	uchar_t *rand;
1808 	uint_t i, j;
1809 	uint16_t suite;
1810 	int ch_recsz = KSSL2_CH_MIN_RECSZ;
1811 
1812 	ASSERT(mp->b_wptr >= mp->b_rptr + recsz);
1813 	ASSERT(ssl->hs_waitstate == wait_client_hello);
1814 	ASSERT(ssl->resumed == B_FALSE);
1815 
1816 	if (recsz < ch_recsz) {
1817 		goto falert;
1818 	}
1819 
1820 	MD5Init(&ssl->hs_md5);
1821 	SHA1Init(&ssl->hs_sha1);
1822 
1823 	kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz);
1824 
1825 	recend = mp->b_rptr + recsz;
1826 
1827 	if (*mp->b_rptr != 1) {
1828 		goto falert;
1829 	}
1830 	mp->b_rptr += 3;
1831 
1832 	nsuites = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
1833 	sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3];
1834 	randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5];
1835 	if (nsuites % 3 != 0) {
1836 		DTRACE_PROBE1(kssl_err__nsuites_error, uint_t, nsuites);
1837 		goto falert;
1838 	}
1839 	if (randlen < SSL_MIN_CHALLENGE_BYTES ||
1840 	    randlen > SSL_MAX_CHALLENGE_BYTES) {
1841 		DTRACE_PROBE1(kssl_err__randlen_out_of_range,
1842 		    uint_t, randlen);
1843 		goto falert;
1844 	}
1845 	mp->b_rptr += 6;
1846 	ch_recsz += nsuites + sidlen + randlen;
1847 	if (recsz != ch_recsz) {
1848 		goto falert;
1849 	}
1850 	suitesp = mp->b_rptr;
1851 	rand = suitesp + nsuites + sidlen;
1852 	if (randlen < SSL3_RANDOM_LENGTH) {
1853 		bzero(ssl->client_random, SSL3_RANDOM_LENGTH);
1854 	}
1855 	bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen],
1856 	    randlen);
1857 
1858 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
1859 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
1860 		for (j = 0; j < nsuites; j += 3) {
1861 			if (suitesp[j] != 0) {
1862 				continue;
1863 			}
1864 
1865 			if (suitesp[j + 1] == ((suite >> 8) & 0xff) &&
1866 			    suitesp[j + 2] == (suite & 0xff)) {
1867 				break;
1868 			}
1869 		}
1870 		if (j < nsuites) {
1871 			break;
1872 		}
1873 	}
1874 	if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) {
1875 		DTRACE_PROBE(kssl_err__no_SSLv2_cipher_suite);
1876 		ssl->activeinput = B_FALSE;
1877 		return (SSL_MISS);
1878 	}
1879 
1880 	mp->b_rptr = recend;
1881 
1882 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
1883 		if (suite == cipher_suite_defs[i].suite) {
1884 			break;
1885 		}
1886 	}
1887 
1888 	ASSERT(i < cipher_suite_defs_nentries);
1889 
1890 	ssl->pending_cipher_suite = suite;
1891 	ssl->pending_malg = cipher_suite_defs[i].malg;
1892 	ssl->pending_calg = cipher_suite_defs[i].calg;
1893 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
1894 
1895 	ASSERT(ssl->sid.cached == B_FALSE);
1896 
1897 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
1898 	    SSL3_SESSIONID_BYTES);
1899 	ssl->sid.client_addr = ssl->faddr;
1900 	ssl->sid.cipher_suite = suite;
1901 
1902 	err = kssl_send_server_hello(ssl);
1903 	if (err != 0) {
1904 		return (err);
1905 	}
1906 	err = kssl_send_certificate_and_server_hello_done(ssl);
1907 	if (err != 0) {
1908 		return (err);
1909 	}
1910 	KSSL_COUNTER(full_handshakes, 1);
1911 	ssl->hs_waitstate = wait_client_key;
1912 	ssl->activeinput = B_FALSE;
1913 	return (0);
1914 
1915 falert:
1916 	kssl_send_alert(ssl, alert_fatal, desc);
1917 	ssl->activeinput = B_FALSE;
1918 	return (EBADMSG);
1919 }
1920 
1921 /*
1922  * Call back routine for asynchronously submitted RSA decryption jobs.
1923  * The routine retreived the pre-master secret, and proceeds to generate
1924  * the remaining key materials.
1925  */
1926 static void
1927 kssl_cke_done(void *arg, int status)
1928 {
1929 	int ret = 0;
1930 	uchar_t *pms;
1931 	size_t pmslen;
1932 	crypto_data_t *pms_data;
1933 	kssl_cmd_t kssl_cmd = KSSL_CMD_NONE;
1934 	ssl_t *ssl = (ssl_t *)arg;
1935 	mblk_t *alertmp;
1936 	kssl_callback_t cbfn;
1937 	void *cbarg;
1938 
1939 	mutex_enter(&ssl->kssl_lock);
1940 
1941 	ASSERT(ssl->msg.type == client_key_exchange);
1942 	ASSERT(ssl->hs_waitstate == wait_client_key_done);
1943 
1944 	if (status != CRYPTO_SUCCESS) {
1945 		kssl_send_alert(ssl, alert_fatal, decrypt_error);
1946 		kssl_cmd = KSSL_CMD_SEND;
1947 		goto out;
1948 	}
1949 
1950 	pms_data = (crypto_data_t *)(ssl->job.buf);
1951 
1952 	ASSERT(pms_data != NULL);
1953 
1954 	pmslen = pms_data->cd_length;
1955 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1956 
1957 	/* generate master key and save it in the ssl sid structure */
1958 	if (IS_TLS(ssl)) {
1959 		ret = kssl_generate_tls_ms(ssl, pms, pmslen);
1960 		if (!CRYPTO_ERR(ret))
1961 			ret = kssl_generate_tls_keyblock(ssl);
1962 	} else {
1963 		kssl_generate_ssl_ms(ssl, pms, pmslen);
1964 		kssl_generate_keyblock(ssl);
1965 	}
1966 
1967 	if (ret == CRYPTO_SUCCESS)
1968 		ssl->hs_waitstate = wait_change_cipher;
1969 
1970 out:
1971 	kmem_free(ssl->job.buf, ssl->job.buflen);
1972 
1973 	ssl->job.kjob = 0;
1974 	ssl->job.buf = NULL;
1975 	ssl->job.buflen = 0;
1976 
1977 	ssl->activeinput = B_FALSE;
1978 
1979 	/* If we're the only ones left, then we won't callback */
1980 	if (ssl->kssl_refcnt == 1) {
1981 		mutex_exit(&ssl->kssl_lock);
1982 		KSSL_SSL_REFRELE(ssl);
1983 		return;
1984 	}
1985 
1986 	cbfn = ssl->cke_callback_func;
1987 	cbarg = ssl->cke_callback_arg;
1988 	alertmp = ssl->alert_sendbuf;
1989 	ssl->alert_sendbuf = NULL;
1990 
1991 	mutex_exit(&ssl->kssl_lock);
1992 
1993 	KSSL_SSL_REFRELE(ssl);
1994 
1995 	/* Now call the callback routine */
1996 	(*(cbfn))(cbarg, alertmp, kssl_cmd);
1997 }
1998 
1999 /*
2000  * Returns the first complete contiguous record out of rec_ass_head
2001  * The record is returned in a separate contiguous mblk, rec_ass_head is
2002  * left pointing to the next record in the queue.
2003  *
2004  * The output looks as follows:
2005  *
2006  * |--------|---------- .... -----|<---------->|<----------->|--- ... ---|
2007  * ^        ^                     ^  mac_size     pad_size               ^
2008  * |        |___ b_rptr  b_wptr __|                                      |
2009  * |                                                                     |
2010  * |___ db_base                                                db_lim ___|
2011  */
2012 mblk_t *
2013 kssl_get_next_record(ssl_t *ssl)
2014 {
2015 	mblk_t *mp, *retmp;
2016 	int rhsz = SSL3_HDR_LEN;
2017 	uint16_t rec_sz;
2018 	int mpsz, total_size;
2019 	SSL3ContentType content_type;
2020 
2021 	ASSERT(MUTEX_HELD(&ssl->kssl_lock));
2022 
2023 	mp = ssl->rec_ass_head;
2024 	if (mp == NULL)
2025 		return (NULL);
2026 
2027 	/* Fast path: when mp has at least a complete record */
2028 	if (MBLKL(mp) < rhsz) {
2029 		DTRACE_PROBE1(kssl_mblk__incomplete_header,
2030 		    mblk_t *, mp);
2031 		/* Not even a complete header in there yet */
2032 		if (msgdsize(mp) < rhsz) {
2033 			return (NULL);
2034 		}
2035 
2036 		if (!pullupmsg(mp, rhsz)) {
2037 			kssl_send_alert(ssl, alert_fatal, internal_error);
2038 			freemsg(mp);
2039 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2040 			return (NULL);
2041 		}
2042 	}
2043 	content_type = (SSL3ContentType)mp->b_rptr[0];
2044 	if (content_type == content_handshake_v2) {
2045 		DTRACE_PROBE1(kssl_mblk__ssl_v2, mblk_t *, mp);
2046 		rec_sz = (uint16_t)mp->b_rptr[1];
2047 		rhsz = 2;
2048 	} else {
2049 		DTRACE_PROBE1(kssl_mblk__ssl_v3, mblk_t *, mp);
2050 		uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3;
2051 		rec_sz = BE16_TO_U16(rec_sz_p);
2052 	}
2053 
2054 	/*
2055 	 * same tests as above. Only rare very fragmented cases will
2056 	 * incur the cost of msgdsize() and msgpullup(). Well formed
2057 	 * packets will fall in the most frequent fast path.
2058 	 */
2059 	total_size = rhsz + rec_sz;
2060 
2061 	/*
2062 	 * Missing: defensive against record fabricated with longer than
2063 	 * MAX record length.
2064 	 */
2065 	if (MBLKL(mp) < total_size) {
2066 		DTRACE_PROBE2(kssl_mblk__smaller_than_total_size,
2067 		    mblk_t *, mp, int, total_size);
2068 		/* Not a complete record yet. Keep accumulating */
2069 		if (msgdsize(mp) < total_size) {
2070 			return (NULL);
2071 		}
2072 
2073 		if (!pullupmsg(mp, total_size)) {
2074 			kssl_send_alert(ssl, alert_fatal, internal_error);
2075 			freemsg(mp);
2076 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2077 			return (NULL);
2078 		}
2079 	}
2080 	mpsz = MBLKL(mp);	/* could've changed after the pullup */
2081 
2082 	if (mpsz > total_size) {
2083 		DTRACE_PROBE2(kssl_mblk__bigger_than_total_size,
2084 		    mblk_t *, mp, int, total_size);
2085 		/* gotta allocate a new block */
2086 		if ((retmp = dupb(mp)) == NULL) {
2087 			kssl_send_alert(ssl, alert_fatal, internal_error);
2088 			freemsg(mp);
2089 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2090 			return (NULL);
2091 		}
2092 
2093 		retmp->b_wptr = retmp->b_rptr + total_size;
2094 		mp->b_rptr += total_size;
2095 		ssl->rec_ass_head = mp;
2096 	} else {
2097 		DTRACE_PROBE2(kssl_mblk__equal_to_total_size,
2098 		    mblk_t *, mp, int, total_size);
2099 		ASSERT(mpsz == total_size);
2100 		ssl->rec_ass_head = mp->b_cont;
2101 		mp->b_cont = NULL;
2102 		retmp = mp;
2103 	}
2104 	/* Adjust the tail */
2105 	if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) {
2106 		for (; mp->b_cont != NULL; mp = mp->b_cont) {
2107 			ssl->rec_ass_tail = mp->b_cont;
2108 		}
2109 	}
2110 
2111 	return (retmp);
2112 }
2113 
2114 
2115 static void
2116 kssl_mblksfree(ssl_t *ssl)
2117 {
2118 
2119 	ASSERT(ssl != NULL);
2120 
2121 	if (ssl->rec_ass_head != NULL) {
2122 		freemsg(ssl->rec_ass_head);
2123 	}
2124 	ssl->rec_ass_head = NULL;
2125 	ssl->rec_ass_tail = NULL;
2126 
2127 	if (ssl->msg.head != NULL) {
2128 		freemsg(ssl->msg.head);
2129 	}
2130 	ssl->msg.head = NULL;
2131 	ssl->msg.tail = NULL;
2132 
2133 	if (ssl->handshake_sendbuf != NULL) {
2134 		freemsg(ssl->handshake_sendbuf);
2135 		ssl->handshake_sendbuf = NULL;
2136 	}
2137 	if (ssl->alert_sendbuf != NULL) {
2138 		freemsg(ssl->alert_sendbuf);
2139 		ssl->alert_sendbuf = NULL;
2140 	}
2141 }
2142 
2143 static void
2144 kssl_specsfree(ssl_t *ssl)
2145 {
2146 	KSSLCipherSpec *spec = &ssl->spec[KSSL_READ];
2147 
2148 	if (spec->cipher_ctx != NULL) {
2149 		crypto_cancel_ctx(spec->cipher_ctx);
2150 		spec->cipher_ctx = 0;
2151 	}
2152 
2153 	spec = &ssl->spec[KSSL_WRITE];
2154 
2155 	if (spec->cipher_ctx != NULL) {
2156 		crypto_cancel_ctx(spec->cipher_ctx);
2157 		spec->cipher_ctx = 0;
2158 	}
2159 }
2160 
2161 /*
2162  * Frees the ssl structure (aka the context of an SSL session).
2163  * Any pending crypto jobs are cancelled.
2164  * Any initiated crypto contexts are freed as well.
2165  */
2166 void
2167 kssl_free_context(ssl_t *ssl)
2168 {
2169 	ASSERT(ssl != NULL);
2170 	if (!(MUTEX_HELD(&ssl->kssl_lock))) {
2171 		/* we're coming from an external API entry point */
2172 		mutex_enter(&ssl->kssl_lock);
2173 	}
2174 
2175 	if (ssl->job.kjob != NULL) {
2176 		crypto_cancel_req(ssl->job.kjob);
2177 		kmem_free(ssl->job.buf, ssl->job.buflen);
2178 
2179 		ssl->job.kjob = 0;
2180 		ssl->job.buf = NULL;
2181 		ssl->job.buflen = 0;
2182 	}
2183 
2184 	kssl_mblksfree(ssl);
2185 	kssl_specsfree(ssl);
2186 
2187 	KSSL_ENTRY_REFRELE(ssl->kssl_entry);
2188 	ssl->kssl_entry = NULL;
2189 
2190 	mutex_exit(&ssl->kssl_lock);
2191 
2192 	kmem_cache_free(kssl_cache, ssl);
2193 	kssl_cache_count--;
2194 }
2195