xref: /titanic_50/usr/src/uts/common/inet/kssl/ksslrec.c (revision 575a742678105d588b7c8e1653b57a7e3d78440b)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 #include <sys/stream.h>
30 #include <sys/strsubr.h>
31 #include <sys/stropts.h>
32 #include <sys/strsun.h>
33 #define	_SUN_TPI_VERSION 2
34 #include <sys/ddi.h>
35 #include <sys/sunddi.h>
36 #include <sys/cmn_err.h>
37 #include <sys/debug.h>
38 #include <sys/vtrace.h>
39 #include <sys/kmem.h>
40 #include <sys/cpuvar.h>
41 #include <sys/atomic.h>
42 #include <sys/sysmacros.h>
43 
44 #include <sys/errno.h>
45 #include <sys/isa_defs.h>
46 #include <sys/md5.h>
47 #include <sys/sha1.h>
48 #include <sys/random.h>
49 #include <inet/common.h>
50 #include <netinet/in.h>
51 
52 #include <sys/systm.h>
53 #include <sys/param.h>
54 
55 #include "ksslimpl.h"
56 #include "ksslapi.h"
57 #include "ksslproto.h"
58 #include "kssldebug.h"
59 
60 static ssl3CipherSuiteDef cipher_suite_defs[] = {
61 	{SSL_RSA_WITH_RC4_128_SHA,	cipher_rc4,	mac_sha,	72},
62 	{SSL_RSA_WITH_RC4_128_MD5,	cipher_rc4,	mac_md5,	64},
63 	{SSL_RSA_WITH_DES_CBC_SHA,	cipher_des,	mac_sha,	72},
64 	{SSL_RSA_WITH_3DES_EDE_CBC_SHA,	cipher_3des,	mac_sha,	104},
65 	{SSL_RSA_WITH_NULL_SHA,		cipher_null,	mac_sha,	40}
66 };
67 
68 static int cipher_suite_defs_nentries =
69     sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]);
70 
71 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
72 	/* macsz padsz HashInit HashUpdate HashFinal */
73 
74 	{MD5_HASH_LEN, SSL3_MD5_PAD_LEN,
75 	    (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update,
76 	    (hashfinal_func_t)MD5Final},
77 
78 	{SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN,
79 	    (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update,
80 	    (hashfinal_func_t)SHA1Final},
81 };
82 
83 static uchar_t kssl_pad_1[60] = {
84     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
85     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
86     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
87     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
88     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
89     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
90     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
91     0x36, 0x36, 0x36, 0x36
92 };
93 static uchar_t kssl_pad_2[60] = {
94     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
95     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
96     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
97     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
98     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
99     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
100     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
101     0x5c, 0x5c, 0x5c, 0x5c
102 };
103 
104 int kssl_debug;
105 int kssl_cache_count;
106 static boolean_t kssl_synchronous = B_FALSE;
107 
108 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t);
109 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t);
110 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int);
111 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int,
112     kssl_callback_t, void *);
113 static int kssl_send_server_hello(ssl_t *);
114 static int kssl_send_certificate_and_server_hello_done(ssl_t *);
115 static int kssl_send_change_cipher_specs(ssl_t *);
116 static int kssl_send_finished(ssl_t *, int);
117 static int kssl_handle_finished(ssl_t *, mblk_t *, int);
118 static void kssl_get_hello_random(uchar_t *);
119 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *);
120 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *);
121 static void kssl_lookup_sid(sslSessionID *, uchar_t *, ipaddr_t,
122     kssl_entry_t *);
123 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t);
124 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t);
125 static int kssl_generate_tls_keyblock(ssl_t *);
126 static void kssl_generate_keyblock(ssl_t *);
127 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t,
128     int, uchar_t *, int);
129 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t,
130     uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
131 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *,
132     size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
133 static void kssl_cke_done(void *, int);
134 
135 #define	MAX_TLS_KEYBLOCK_SIZE 160 /* more than enough for largest TLS key */
136 
137 #define	HMAC_INIT(m, k, c) \
138 	rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end;
139 
140 #define	HMAC_UPDATE(c, d, l) \
141 	dd.cd_raw.iov_base = (char *)d; \
142 	dd.cd_length = dd.cd_raw.iov_len = l; \
143 	rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end;
144 
145 #define	HMAC_FINAL(c, d, l) \
146 	mac.cd_raw.iov_base = (char *)d; \
147 	mac.cd_length = mac.cd_raw.iov_len = l; \
148 	rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end;
149 
150 /*
151  * This hack can go away once we have SSL3 MAC support by KCF
152  * software providers (See 4873559).
153  */
154 extern int kcf_md5_threshold;
155 
156 int
157 kssl_compute_record_mac(
158 	ssl_t *ssl,
159 	int direction,
160 	uint64_t seq_num,
161 	SSL3ContentType ct,
162 	uchar_t *versionp,
163 	uchar_t *buf,
164 	int len,
165 	uchar_t *digest)
166 {
167 	KSSL_HASHCTX mac_ctx;
168 	KSSL_HASHCTX *ctx = &mac_ctx;
169 	uchar_t temp[16], *p;
170 	KSSLCipherSpec *spec;
171 	boolean_t hash_use_ok = B_FALSE;
172 	int rv = 0;
173 
174 	spec = &ssl->spec[direction];
175 
176 	if (spec->mac_hashsz == 0) {
177 		return (1);
178 	}
179 
180 	p = temp;
181 
182 	*p++ = (seq_num >> 56) & 0xff;
183 	*p++ = (seq_num >> 48) & 0xff;
184 	*p++ = (seq_num >> 40) & 0xff;
185 	*p++ = (seq_num >> 32) & 0xff;
186 	*p++ = (seq_num >> 24) & 0xff;
187 	*p++ = (seq_num >> 16) & 0xff;
188 	*p++ = (seq_num >> 8) & 0xff;
189 	*p++ = (seq_num) & 0xff;
190 	*p++ = (uchar_t)ct;
191 	if (IS_TLS(ssl)) {
192 		*p++ = versionp[0];
193 		*p++ = versionp[1];
194 	}
195 	*p++ = (len >> 8) & 0xff;
196 	*p++ = (len) & 0xff;
197 
198 	if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID &&
199 	    len >= kcf_md5_threshold)) {
200 		crypto_data_t dd, mac;
201 		struct uio uio_pt;
202 		struct iovec iovarray_pt[2];
203 
204 		/* init the array of iovecs for use in the uio struct */
205 		iovarray_pt[0].iov_base = (char *)temp;
206 		iovarray_pt[0].iov_len = (p - temp);
207 		iovarray_pt[1].iov_base = (char *)buf;
208 		iovarray_pt[1].iov_len = len;
209 
210 		/* init the uio struct for use in the crypto_data_t struct */
211 		bzero(&uio_pt, sizeof (uio_pt));
212 		uio_pt.uio_iov = iovarray_pt;
213 		uio_pt.uio_iovcnt = 2;
214 		uio_pt.uio_segflg = UIO_SYSSPACE;
215 
216 		dd.cd_format = CRYPTO_DATA_UIO;
217 		dd.cd_offset = 0;
218 		dd.cd_length =  (p - temp) + len;
219 		dd.cd_miscdata = NULL;
220 		dd.cd_uio = &uio_pt;
221 
222 		mac.cd_format = CRYPTO_DATA_RAW;
223 		mac.cd_offset = 0;
224 		mac.cd_raw.iov_base = (char *)digest;
225 		mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz;
226 
227 		/*
228 		 * The calling context can tolerate a blocking call here.
229 		 * For outgoing traffic, we are in user context
230 		 * when called from strsock_kssl_output(). For incoming
231 		 * traffic past the SSL handshake, we are in user
232 		 * context when called from strsock_kssl_input(). During the
233 		 * SSL handshake, we are called for client_finished message
234 		 * handling from a squeue worker thread that gets scheduled
235 		 * by an squeue_fill() call. This thread is not in interrupt
236 		 * context and so can block.
237 		 */
238 		rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key,
239 		    NULL, &mac, NULL);
240 
241 		if (CRYPTO_ERR(rv)) {
242 			hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED &&
243 			    !IS_TLS(ssl));
244 			if (!hash_use_ok) {
245 #ifdef	DEBUG
246 				cmn_err(CE_WARN, "kssl_compute_record_mac - "
247 				    "crypto_mac error 0x%0x", rv);
248 #endif	/* DEBUG */
249 				KSSL_COUNTER(compute_mac_failure, 1);
250 			}
251 		}
252 	} else
253 		hash_use_ok = B_TRUE;
254 
255 	if (hash_use_ok) {
256 		bcopy(&(ssl->mac_ctx[direction][0]), ctx,
257 			sizeof (KSSL_HASHCTX));
258 		spec->MAC_HashUpdate((void *)ctx, temp, p - temp);
259 		spec->MAC_HashUpdate((void *)ctx, buf, len);
260 		spec->MAC_HashFinal(digest, (void *)ctx);
261 
262 		bcopy(&(ssl->mac_ctx[direction][1]), ctx,
263 			sizeof (KSSL_HASHCTX));
264 		spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz);
265 		spec->MAC_HashFinal(digest, (void *)ctx);
266 	}
267 
268 	return (rv);
269 }
270 
271 /*
272  * Handles handshake messages.
273  * Messages to be replied are returned in handshake_sendbuf.
274  */
275 int
276 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err,
277     kssl_callback_t cbfn, void *arg)
278 {
279 	uint32_t msglen;
280 	uchar_t msghdr[4];
281 
282 	ASSERT(ssl->msg.state == MSG_BODY);
283 	ASSERT(ssl->msg.msglen_bytes == 3);
284 	ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen);
285 
286 	ssl->sslcnt++;
287 	msglen = ssl->msg.msglen;
288 
289 	if (ssl->msg.type == client_hello) {
290 		MD5Init(&ssl->hs_md5);
291 		SHA1Init(&ssl->hs_sha1);
292 	}
293 
294 	if (ssl->msg.type == finished && ssl->resumed == B_FALSE) {
295 		if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
296 		    sender_client) != 0) {
297 			*err = SSL_MISS;
298 			return (0);
299 		}
300 	}
301 
302 	if (ssl->msg.type != finished || ssl->resumed == B_FALSE) {
303 		msghdr[0] = (uchar_t)ssl->msg.type;
304 
305 		msghdr[1] = (uchar_t)(msglen >> 16);
306 		msghdr[2] = (uchar_t)(msglen >> 8);
307 		msghdr[3] = (uchar_t)(msglen);
308 		kssl_update_handshake_hashes(ssl, msghdr, 4);
309 		kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen);
310 	}
311 
312 	ssl->msg.state = MSG_INIT;
313 	ssl->msg.msglen = 0;
314 	ssl->msg.msglen_bytes = 0;
315 
316 	switch (ssl->msg.type) {
317 	case client_hello:
318 		if (ssl->hs_waitstate != wait_client_hello) {
319 			kssl_send_alert(ssl, alert_fatal,
320 			    unexpected_message);
321 			*err = EBADMSG;
322 			ssl->activeinput = B_FALSE;
323 			return (1);
324 		}
325 		*err = kssl_handle_client_hello(ssl, mp, msglen);
326 		if (*err == SSL_MISS) {
327 			ssl->activeinput = B_FALSE;
328 			return (0);
329 		}
330 		return (1);
331 	case client_key_exchange:
332 		if (ssl->hs_waitstate != wait_client_key) {
333 			kssl_send_alert(ssl, alert_fatal,
334 			    unexpected_message);
335 			*err = EBADMSG;
336 			ssl->activeinput = B_FALSE;
337 			return (1);
338 		}
339 		*err = kssl_handle_client_key_exchange(ssl, mp,
340 		    msglen, cbfn, arg);
341 		return (1);
342 	case finished:
343 		if (ssl->hs_waitstate != wait_finished) {
344 			kssl_send_alert(ssl, alert_fatal,
345 				unexpected_message);
346 			*err = EBADMSG;
347 			ssl->activeinput = B_FALSE;
348 			return (1);
349 		}
350 		*err = kssl_handle_finished(ssl, mp, msglen);
351 		return (1);
352 	default:
353 		kssl_send_alert(ssl, alert_fatal, unexpected_message);
354 		ssl->activeinput = B_FALSE;
355 		*err = EBADMSG;
356 		return (1);
357 	}
358 }
359 
360 static void
361 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len)
362 {
363 	MD5Update(&ssl->hs_md5, buf, len);
364 	SHA1Update(&ssl->hs_sha1, buf, len);
365 }
366 
367 static int
368 kssl_compute_handshake_hashes(
369 	ssl_t *ssl,
370 	SSL3Hashes *hashes,
371 	uint32_t sender)
372 {
373 	MD5_CTX md5 = ssl->hs_md5;	/* clone md5 context */
374 	SHA1_CTX sha1 = ssl->hs_sha1;	/* clone sha1 context */
375 	MD5_CTX *md5ctx = &md5;
376 	SHA1_CTX *sha1ctx = &sha1;
377 
378 	if (IS_TLS(ssl)) {
379 		uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN];
380 		char *label;
381 
382 		/*
383 		 * Do not take another hash step here.
384 		 * Just complete the operation.
385 		 */
386 		MD5Final(hashes->md5, md5ctx);
387 		SHA1Final(hashes->sha1, sha1ctx);
388 
389 		bcopy(hashes->md5, seed, MD5_HASH_LEN);
390 		bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN);
391 
392 		if (sender == sender_client)
393 			label = TLS_CLIENT_FINISHED_LABEL;
394 		else
395 			label = TLS_SERVER_FINISHED_LABEL;
396 
397 		return (kssl_tls_PRF(ssl,
398 			ssl->sid.master_secret, (size_t)SSL3_MASTER_SECRET_LEN,
399 			(uchar_t *)label, strlen(label),
400 			seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN),
401 			hashes->tlshash, (size_t)TLS_FINISHED_SIZE));
402 	} else {
403 		uchar_t s[4];
404 		s[0] = (sender >> 24) & 0xff;
405 		s[1] = (sender >> 16) & 0xff;
406 		s[2] = (sender >> 8) & 0xff;
407 		s[3] = (sender) & 0xff;
408 
409 		MD5Update(md5ctx, s, 4);
410 		MD5Update(md5ctx, ssl->sid.master_secret,
411 		    SSL3_MASTER_SECRET_LEN);
412 		MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN);
413 		MD5Final(hashes->md5, md5ctx);
414 
415 		MD5Init(md5ctx);
416 		MD5Update(md5ctx, ssl->sid.master_secret,
417 		    SSL3_MASTER_SECRET_LEN);
418 		MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN);
419 		MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN);
420 		MD5Final(hashes->md5, md5ctx);
421 
422 		SHA1Update(sha1ctx, s, 4);
423 		SHA1Update(sha1ctx, ssl->sid.master_secret,
424 		    SSL3_MASTER_SECRET_LEN);
425 		SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN);
426 		SHA1Final(hashes->sha1, sha1ctx);
427 
428 		SHA1Init(sha1ctx);
429 		SHA1Update(sha1ctx, ssl->sid.master_secret,
430 		    SSL3_MASTER_SECRET_LEN);
431 		SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN);
432 		SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN);
433 		SHA1Final(hashes->sha1, sha1ctx);
434 		return (0);
435 	}
436 }
437 
438 
439 #define	KSSL_SSL3_CH_MIN_MSGLEN	(39)
440 
441 static int
442 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen)
443 {
444 	uchar_t *msgend;
445 	int err;
446 	SSL3AlertDescription desc = illegal_parameter;
447 	uint_t sidlen;
448 	uint_t nsuites;
449 	uchar_t *suitesp;
450 	uint_t i, j;
451 	uint16_t suite;
452 	int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN;
453 
454 	ASSERT(mp->b_wptr >= mp->b_rptr + msglen);
455 	ASSERT(ssl->msg.type == client_hello);
456 	ASSERT(ssl->hs_waitstate == wait_client_hello);
457 	ASSERT(ssl->resumed == B_FALSE);
458 
459 	if (msglen < ch_msglen) {
460 		goto falert;
461 	}
462 
463 	msgend = mp->b_rptr + msglen;
464 
465 	/* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */
466 	if (ssl->major_version != 3 || (ssl->major_version == 3 &&
467 		ssl->minor_version != 0 && ssl->minor_version != 1)) {
468 		KSSL_DEBUG3_IF(kssl_debug,
469 			"HandleClientHello: handshake failure - "
470 			"SSL version not supported (%d %d)",
471 			ssl->major_version, ssl->minor_version);
472 		desc = handshake_failure;
473 		goto falert;
474 	}
475 	mp->b_rptr += 2; /* skip the version bytes */
476 
477 	bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH);
478 	mp->b_rptr += SSL3_RANDOM_LENGTH;
479 
480 	ASSERT(ssl->sid.cached == B_FALSE);
481 	sidlen = *mp->b_rptr++;
482 	ch_msglen += sidlen;
483 	if (msglen < ch_msglen) {
484 		goto falert;
485 	}
486 	if (sidlen != SSL3_SESSIONID_BYTES) {
487 		mp->b_rptr += sidlen;
488 	} else {
489 		kssl_lookup_sid(&ssl->sid, mp->b_rptr, ssl->faddr,
490 		    ssl->kssl_entry);
491 		mp->b_rptr += SSL3_SESSIONID_BYTES;
492 	}
493 
494 	nsuites = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
495 	mp->b_rptr += 2;
496 	ch_msglen += nsuites;
497 	if (msglen != ch_msglen) {
498 		goto falert;
499 	}
500 	if (nsuites & 0x1) {
501 		goto falert;
502 	}
503 	suitesp = mp->b_rptr;
504 	if (ssl->sid.cached == B_TRUE) {
505 		suite = ssl->sid.cipher_suite;
506 		for (j = 0; j < nsuites; j += 2) {
507 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
508 			    suitesp[j + 1] == (suite & 0xff)) {
509 				break;
510 			}
511 		}
512 		if (j < nsuites) {
513 			goto suite_found;
514 		}
515 		kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
516 		ssl->sid.cached = B_FALSE;
517 	}
518 
519 	/* Check if this server is capable of the cipher suite */
520 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
521 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
522 		for (j = 0; j < nsuites; j += 2) {
523 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
524 			    suitesp[j + 1] == (suite & 0xff)) {
525 				break;
526 			}
527 		}
528 		if (j < nsuites) {
529 			break;
530 		}
531 	}
532 	if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) {
533 		if (ssl->sslcnt == 1) {
534 			KSSL_COUNTER(no_suite_found, 1);
535 			return (SSL_MISS);
536 		}
537 		desc = handshake_failure;
538 		KSSL_DEBUG1_IF(kssl_debug,
539 			"kssl_handle_client_hello: no cipher suites found");
540 		goto falert;
541 	}
542 
543 suite_found:
544 
545 	mp->b_rptr += nsuites;
546 	if (*mp->b_rptr++ != 1 || *mp->b_rptr++ != 0) {
547 		desc = handshake_failure;
548 		KSSL_DEBUG1_IF(kssl_debug,
549 			"kssl_handle_client_hello: handshake failure");
550 		goto falert;
551 	}
552 
553 	mp->b_rptr = msgend;
554 
555 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
556 		if (suite == cipher_suite_defs[i].suite) {
557 			break;
558 		}
559 	}
560 
561 	ASSERT(i < cipher_suite_defs_nentries);
562 
563 	ssl->pending_cipher_suite = suite;
564 	ssl->pending_malg = cipher_suite_defs[i].malg;
565 	ssl->pending_calg = cipher_suite_defs[i].calg;
566 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
567 
568 	if (ssl->sid.cached == B_TRUE) {
569 		err = kssl_send_server_hello(ssl);
570 		if (err != 0) {
571 			return (err);
572 		}
573 		if (IS_TLS(ssl))
574 			err = kssl_generate_tls_keyblock(ssl);
575 		else
576 			kssl_generate_keyblock(ssl);
577 
578 		err = kssl_send_change_cipher_specs(ssl);
579 		if (err != 0) {
580 			return (err);
581 		}
582 
583 		err = kssl_send_finished(ssl, 1);
584 		if (err != 0)
585 			return (err);
586 
587 		err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
588 			sender_client);
589 		if (err != 0)
590 			return (err);
591 
592 		ssl->hs_waitstate = wait_change_cipher;
593 		ssl->resumed = B_TRUE;
594 		ssl->activeinput = B_FALSE;
595 		KSSL_COUNTER(resumed_sessions, 1);
596 		return (0);
597 	}
598 
599 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
600 	    SSL3_SESSIONID_BYTES);
601 	ssl->sid.client_addr = ssl->faddr;
602 	ssl->sid.cipher_suite = suite;
603 
604 	err = kssl_send_server_hello(ssl);
605 	if (err != 0) {
606 		return (err);
607 	}
608 	err = kssl_send_certificate_and_server_hello_done(ssl);
609 	if (err != 0) {
610 		return (err);
611 	}
612 	KSSL_COUNTER(full_handshakes, 1);
613 	ssl->hs_waitstate = wait_client_key;
614 	ssl->activeinput = B_FALSE;
615 	return (0);
616 
617 falert:
618 	kssl_send_alert(ssl, alert_fatal, desc);
619 	return (EBADMSG);
620 }
621 
622 static void
623 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
624 {
625 	uint_t index;
626 	uchar_t *s = sid->session_id;
627 	int l = SSL3_SESSIONID_BYTES - 1;
628 	kmutex_t *lock;
629 
630 	ASSERT(sid->cached == B_TRUE);
631 
632 	index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
633 	    ((int)s[2] << 8) | (int)s[l]);
634 
635 	index %= kssl_entry->sid_cache_nentries;
636 
637 	sid->time = lbolt;
638 
639 	lock = &(kssl_entry->sid_cache[index].se_lock);
640 	mutex_enter(lock);
641 	kssl_entry->sid_cache[index].se_used++;
642 	bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid));
643 	mutex_exit(lock);
644 }
645 
646 static void
647 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, ipaddr_t faddr,
648     kssl_entry_t *kssl_entry)
649 {
650 	uint_t index;
651 	int l = SSL3_SESSIONID_BYTES - 1;
652 	kmutex_t *lock;
653 	sslSessionID *csid;
654 
655 	ASSERT(sid->cached == B_FALSE);
656 
657 	KSSL_COUNTER(sid_cache_lookups, 1);
658 
659 	index = (int)faddr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
660 	    ((int)s[2] << 8) | (int)s[l]);
661 
662 	index %= kssl_entry->sid_cache_nentries;
663 
664 	lock = &(kssl_entry->sid_cache[index].se_lock);
665 	mutex_enter(lock);
666 	csid = &(kssl_entry->sid_cache[index].se_sid);
667 	if (csid->cached == B_FALSE || csid->client_addr != faddr ||
668 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
669 		mutex_exit(lock);
670 		return;
671 	}
672 
673 	if (TICK_TO_SEC(lbolt - csid->time) > kssl_entry->sid_cache_timeout) {
674 		csid->cached = B_FALSE;
675 		mutex_exit(lock);
676 		return;
677 	}
678 
679 	bcopy(csid, sid, sizeof (*sid));
680 	mutex_exit(lock);
681 	ASSERT(sid->cached == B_TRUE);
682 
683 	KSSL_COUNTER(sid_cache_hits, 1);
684 }
685 
686 static uchar_t *
687 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp)
688 {
689 	size_t len = *lenp;
690 	int i = 2;
691 
692 	if (buf[0] != 0 || buf[1] != 2) {
693 		return (NULL);
694 	}
695 
696 	while (i < len) {
697 		if (buf[i++] == 0) {
698 			*lenp = len - i;
699 			break;
700 		}
701 	}
702 
703 	if (i == len) {
704 		return (NULL);
705 	}
706 
707 	return (buf + i);
708 }
709 
710 void
711 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
712 {
713 	uint_t index;
714 	uchar_t *s = sid->session_id;
715 	int l = SSL3_SESSIONID_BYTES - 1;
716 	sslSessionID *csid;
717 	kmutex_t *lock;
718 
719 	ASSERT(sid->cached == B_TRUE);
720 
721 	KSSL_COUNTER(sid_uncached, 1);
722 
723 	index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
724 	    ((int)s[2] << 8) | (int)s[l]);
725 
726 	index %= kssl_entry->sid_cache_nentries;
727 
728 	lock = &(kssl_entry->sid_cache[index].se_lock);
729 	mutex_enter(lock);
730 	csid = &(kssl_entry->sid_cache[index].se_sid);
731 	if (csid->client_addr != sid->client_addr ||
732 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
733 		mutex_exit(lock);
734 		return;
735 	}
736 	csid->cached = B_FALSE;
737 	mutex_exit(lock);
738 }
739 
740 
741 #define	KSSL_SSL3_SH_RECLEN	(74)
742 #define	KSSL_SSL3_FIN_MSGLEN	(36)
743 
744 #define	KSSL_SSL3_MAX_CCP_FIN_MSGLEN	(128)	/* comfortable upper bound */
745 
746 static int
747 kssl_send_server_hello(ssl_t *ssl)
748 {
749 	mblk_t *mp;
750 	uchar_t *buf;
751 	uchar_t *msgstart;
752 
753 	mp = allocb(ssl->tcp_mss, BPRI_HI);
754 	if (mp == NULL) {
755 		KSSL_COUNTER(alloc_fails, 1);
756 		return (ENOMEM);
757 	}
758 	ssl->handshake_sendbuf = mp;
759 	buf = mp->b_wptr;
760 
761 	/* 5 byte record header */
762 	buf[0] = content_handshake;
763 	buf[1] = ssl->major_version;
764 	buf[2] = ssl->minor_version;
765 	buf[3] = KSSL_SSL3_SH_RECLEN >> 8;
766 	buf[4] = KSSL_SSL3_SH_RECLEN & 0xff;
767 	buf += SSL3_HDR_LEN;
768 
769 	msgstart = buf;
770 
771 	/* 6 byte message header */
772 	buf[0] = (uchar_t)server_hello;			/* message type */
773 	buf[1] = 0;					/* message len byte 0 */
774 	buf[2] = ((KSSL_SSL3_SH_RECLEN - 4) >> 8) &
775 	    0xff;					/* message len byte 1 */
776 	buf[3] = (KSSL_SSL3_SH_RECLEN - 4) & 0xff;	/* message len byte 2 */
777 
778 	buf[4] = ssl->major_version;	/* version byte 0 */
779 	buf[5] = ssl->minor_version;	/* version byte 1 */
780 
781 	buf += 6;
782 
783 	kssl_get_hello_random(ssl->server_random);
784 	bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH);
785 	buf += SSL3_RANDOM_LENGTH;
786 
787 	buf[0] = SSL3_SESSIONID_BYTES;
788 	bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES);
789 	buf += SSL3_SESSIONID_BYTES + 1;
790 
791 	buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff;
792 	buf[1] = ssl->pending_cipher_suite & 0xff;
793 
794 	buf[2] = 0;	/* No compression */
795 
796 	mp->b_wptr = buf + 3;
797 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
798 
799 	kssl_update_handshake_hashes(ssl, msgstart, KSSL_SSL3_SH_RECLEN);
800 	return (0);
801 }
802 
803 static void
804 kssl_get_hello_random(uchar_t *buf)
805 {
806 	timestruc_t ts;
807 	time_t sec;
808 
809 	gethrestime(&ts);
810 	sec = ts.tv_sec;
811 
812 	buf[0] = (sec >> 24) & 0xff;
813 	buf[1] = (sec >> 16) & 0xff;
814 	buf[2] = (sec >> 8) & 0xff;
815 	buf[3] = (sec) & 0xff;
816 
817 	(void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4);
818 
819 	/* Should this be caching? */
820 }
821 
822 static int
823 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key,
824 	size_t hashlen,
825 	uchar_t *label, size_t label_len,
826 	uchar_t *seed, size_t seedlen,
827 	uchar_t *data, size_t datalen)
828 {
829 	int rv = 0;
830 	uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN];
831 	int bytes_left = datalen;
832 	crypto_data_t dd, mac;
833 	crypto_context_t ctx;
834 
835 	dd.cd_format = CRYPTO_DATA_RAW;
836 	dd.cd_offset = 0;
837 	mac.cd_format = CRYPTO_DATA_RAW;
838 	mac.cd_offset = 0;
839 
840 	/*
841 	 * A(i) = HMAC_hash(secred, seed + A(i-1));
842 	 * A(0) = seed;
843 	 *
844 	 * Compute A(1):
845 	 * A(1) = HMAC_hash(secret, label + seed)
846 	 *
847 	 */
848 	HMAC_INIT(mech, key, &ctx);
849 	HMAC_UPDATE(ctx, label, label_len);
850 	HMAC_UPDATE(ctx, seed, seedlen);
851 	HMAC_FINAL(ctx, A1, hashlen);
852 
853 	/* Compute A(2) ... A(n) */
854 	while (bytes_left > 0) {
855 		HMAC_INIT(mech, key, &ctx);
856 		HMAC_UPDATE(ctx, A1, hashlen);
857 		HMAC_UPDATE(ctx, label, label_len);
858 		HMAC_UPDATE(ctx, seed, seedlen);
859 		HMAC_FINAL(ctx, result, hashlen);
860 
861 		/*
862 		 * The A(i) value is stored in "result".
863 		 * Save the results of the MAC so it can be input to next
864 		 * iteration.
865 		 */
866 		if (bytes_left > hashlen) {
867 			/* Store the chunk result */
868 			bcopy(result, data, hashlen);
869 			data += hashlen;
870 
871 			bytes_left -= hashlen;
872 
873 			/* Update A1 for next iteration */
874 			HMAC_INIT(mech, key, &ctx);
875 			HMAC_UPDATE(ctx, A1, hashlen);
876 			HMAC_FINAL(ctx, A1, hashlen);
877 
878 		} else {
879 			bcopy(result, data, bytes_left);
880 			data += bytes_left;
881 			bytes_left = 0;
882 		}
883 	}
884 end:
885 	if (CRYPTO_ERR(rv)) {
886 #ifdef	DEBUG
887 		cmn_err(CE_WARN, "kssl_P_hash: crypto_mac error 0x%02X", rv);
888 #endif	/* DEBUG */
889 		KSSL_COUNTER(compute_mac_failure, 1);
890 	}
891 	return (rv);
892 }
893 
894 /* ARGSUSED */
895 static int
896 kssl_tls_PRF(ssl_t *ssl,
897 	uchar_t *secret, size_t secret_len,
898 	uchar_t *label, size_t label_len,
899 	uchar_t *seed, size_t seed_len,
900 	uchar_t *prfresult, size_t prfresult_len)
901 {
902 	/*
903 	 * RFC 2246:
904 	 *  PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
905 	 *				P_SHA1(S2, label + seed);
906 	 * S1 = 1st half of secret.
907 	 * S1 = 2nd half of secret.
908 	 *
909 	 */
910 
911 	int rv = 0, i;
912 	uchar_t psha1[MAX_TLS_KEYBLOCK_SIZE];
913 	crypto_key_t S1, S2;
914 
915 	/* length of secret keys is ceil(length/2) */
916 	size_t slen = roundup(secret_len, 2) / 2;
917 
918 	if (prfresult_len > MAX_TLS_KEYBLOCK_SIZE) {
919 		KSSL_DEBUG2_IF(kssl_debug, "kssl_tls_PRF: unexpected keyblock "
920 			"size (%lu)", prfresult_len);
921 		return (CRYPTO_ARGUMENTS_BAD);
922 	}
923 
924 	ASSERT(prfresult != NULL);
925 	ASSERT(label != NULL);
926 	ASSERT(seed != NULL);
927 
928 	S1.ck_data   = secret;
929 	S1.ck_length = slen * 8; /* bits */
930 	S1.ck_format = CRYPTO_KEY_RAW;
931 
932 	S2.ck_data   = secret + slen;
933 	S2.ck_length = slen * 8; /* bits */
934 	S2.ck_format = CRYPTO_KEY_RAW;
935 
936 	rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN,
937 			label, label_len,
938 			seed, seed_len,
939 			prfresult, prfresult_len);
940 	if (CRYPTO_ERR(rv))
941 		goto end;
942 
943 	rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN,
944 			label, label_len,
945 			seed, seed_len,
946 			psha1, prfresult_len);
947 	if (CRYPTO_ERR(rv))
948 		goto end;
949 
950 	for (i = 0; i < prfresult_len; i++)
951 		prfresult[i] ^= psha1[i];
952 
953 end:
954 	if (CRYPTO_ERR(rv))
955 		bzero(prfresult, prfresult_len);
956 
957 	return (rv);
958 }
959 
960 #define	IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)			\
961 	(pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN ||		\
962 	pms[0] != ssl->major_version || pms[1] != ssl->minor_version)
963 
964 #define	FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) {			\
965 		KSSL_COUNTER(bad_pre_master_secret, 1);			\
966 		pms = buf;						\
967 		pmslen = SSL3_PRE_MASTER_SECRET_LEN;			\
968 		pms[0] = ssl->major_version;				\
969 		pms[1] = ssl->minor_version;				\
970 		(void) random_get_pseudo_bytes(&buf[2], pmslen - 2);	\
971 }
972 
973 static int
974 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
975 {
976 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
977 	uchar_t seed[SSL3_RANDOM_LENGTH * 2];
978 
979 	/*
980 	 * Computing the master secret:
981 	 * ----------------------------
982 	 * master_secret = PRF (pms, "master secret",
983 	 *		ClientHello.random + ServerHello.random);
984 	 */
985 	bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH);
986 	bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH,
987 		SSL3_RANDOM_LENGTH);
988 
989 	/* if pms is bad fake it to thwart Bleichenbacher attack */
990 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
991 #ifdef	DEBUG
992 		cmn_err(CE_WARN, "Under Bleichenbacher attack");
993 #endif	/* DEBUG */
994 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
995 	}
996 
997 	return (kssl_tls_PRF(ssl,
998 		pms, pmslen,
999 		(uchar_t *)TLS_MASTER_SECRET_LABEL,
1000 		(size_t)strlen(TLS_MASTER_SECRET_LABEL),
1001 		seed, sizeof (seed),
1002 		ssl->sid.master_secret,
1003 		(size_t)sizeof (ssl->sid.master_secret)));
1004 }
1005 
1006 
1007 static void
1008 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1009 {
1010 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1011 	uchar_t *ms;
1012 	int hlen = MD5_HASH_LEN;
1013 
1014 	ms = ssl->sid.master_secret;
1015 
1016 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1017 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1018 #ifdef	DEBUG
1019 		cmn_err(CE_WARN, "Under Bleichenbacher attack");
1020 #endif	/* DEBUG */
1021 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1022 	}
1023 
1024 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0);
1025 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0);
1026 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen,
1027 	    0);
1028 }
1029 
1030 static int
1031 kssl_generate_tls_keyblock(ssl_t *ssl)
1032 {
1033 	uchar_t seed[2 * SSL3_RANDOM_LENGTH];
1034 
1035 	bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH);
1036 	bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH,
1037 		SSL3_RANDOM_LENGTH);
1038 
1039 	return (kssl_tls_PRF(ssl, ssl->sid.master_secret,
1040 		(size_t)SSL3_MASTER_SECRET_LEN,
1041 		(uchar_t *)TLS_KEY_EXPANSION_LABEL,
1042 		(size_t)strlen(TLS_KEY_EXPANSION_LABEL),
1043 		seed, (size_t)sizeof (seed),
1044 		ssl->pending_keyblock,
1045 		(size_t)ssl->pending_keyblksz));
1046 
1047 }
1048 
1049 static void
1050 kssl_generate_keyblock(ssl_t *ssl)
1051 {
1052 	uchar_t *ms;
1053 	size_t mslen = SSL3_MASTER_SECRET_LEN;
1054 	int hlen = MD5_HASH_LEN;
1055 	uchar_t *keys = ssl->pending_keyblock;
1056 	int steps = howmany(ssl->pending_keyblksz, hlen);
1057 	int i;
1058 
1059 	ms = ssl->sid.master_secret;
1060 
1061 	ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH);
1062 
1063 	for (i = 1; i <= steps; i++) {
1064 		kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1);
1065 		keys += hlen;
1066 	}
1067 }
1068 
1069 static char *ssl3_key_derive_seeds[8] = {"A", "BB", "CCC", "DDDD", "EEEEE",
1070 					    "FFFFFF", "GGGGGGG", "HHHHHHHH"};
1071 
1072 static void
1073 kssl_ssl3_key_material_derive_step(
1074 	ssl_t *ssl,
1075 	uchar_t *secret,
1076 	size_t secretlen,
1077 	int step,
1078 	uchar_t *dst,
1079 	int sr_first)
1080 {
1081 	SHA1_CTX sha1, *sha1ctx;
1082 	MD5_CTX md5, *md5ctx;
1083 	uchar_t sha1_hash[SHA1_HASH_LEN];
1084 
1085 	sha1ctx = &sha1;
1086 	md5ctx = &md5;
1087 
1088 	ASSERT(step <=
1089 	    sizeof (ssl3_key_derive_seeds) /
1090 	    sizeof (ssl3_key_derive_seeds[0]));
1091 	step--;
1092 
1093 	SHA1Init(sha1ctx);
1094 	SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step],
1095 	    step + 1);
1096 	SHA1Update(sha1ctx, secret, secretlen);
1097 	if (sr_first) {
1098 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1099 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1100 	} else {
1101 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1102 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1103 	}
1104 	SHA1Final(sha1_hash, sha1ctx);
1105 
1106 	MD5Init(md5ctx);
1107 	MD5Update(md5ctx, secret, secretlen);
1108 	MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN);
1109 	MD5Final(dst, md5ctx);
1110 }
1111 
1112 static int
1113 kssl_send_certificate_and_server_hello_done(ssl_t *ssl)
1114 {
1115 	int cur_reclen;
1116 	int mss;
1117 	int len, copylen;
1118 	mblk_t *mp;
1119 	uchar_t *cert_buf;
1120 	int cert_len;
1121 	uchar_t *msgbuf;
1122 	Certificate_t *cert;
1123 
1124 	cert = ssl->kssl_entry->ke_server_certificate;
1125 	if (cert == NULL) {
1126 	    return (ENOENT);
1127 	}
1128 	cert_buf = cert->msg;
1129 	cert_len = cert->len;
1130 
1131 	mp = ssl->handshake_sendbuf;
1132 	mss = ssl->tcp_mss;
1133 	ASSERT(mp != NULL);
1134 	cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN;
1135 	ASSERT(cur_reclen == KSSL_SSL3_SH_RECLEN);
1136 	/* Assume MSS is at least 80 bytes */
1137 	ASSERT(mss > cur_reclen + SSL3_HDR_LEN);
1138 	ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */
1139 
1140 	copylen = mss - (cur_reclen + SSL3_HDR_LEN);
1141 	len = cert_len;
1142 	copylen = MIN(copylen, len);
1143 	copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1144 
1145 	/* new record always starts in a new mblk for simplicity */
1146 	msgbuf = cert_buf;
1147 	for (;;) {
1148 		ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim);
1149 		bcopy(msgbuf, mp->b_wptr, copylen);
1150 		msgbuf += copylen;
1151 		mp->b_wptr += copylen;
1152 		cur_reclen += copylen;
1153 		len -= copylen;
1154 		if (len == 0) {
1155 			break;
1156 		}
1157 		if (cur_reclen == SSL3_MAX_RECORD_LENGTH) {
1158 			cur_reclen = 0;
1159 		}
1160 		copylen = MIN(len, mss);
1161 		copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1162 		mp->b_cont = allocb(copylen, BPRI_HI);
1163 		if (mp->b_cont == NULL) {
1164 			KSSL_COUNTER(alloc_fails, 1);
1165 			freemsg(ssl->handshake_sendbuf);
1166 			ssl->handshake_sendbuf = NULL;
1167 			return (ENOMEM);
1168 		}
1169 		mp = mp->b_cont;
1170 		if (cur_reclen == 0) {
1171 			mp->b_wptr[0] = content_handshake;
1172 			mp->b_wptr[1] = ssl->major_version;
1173 			mp->b_wptr[2] = ssl->minor_version;
1174 			cur_reclen = MIN(len, SSL3_MAX_RECORD_LENGTH);
1175 			mp->b_wptr[3] = (cur_reclen >> 8) & 0xff;
1176 			mp->b_wptr[4] = (cur_reclen) & 0xff;
1177 			mp->b_wptr += SSL3_HDR_LEN;
1178 			cur_reclen = 0;
1179 			copylen = MIN(copylen, mss - SSL3_HDR_LEN);
1180 		}
1181 	}
1182 
1183 	/* adjust the record length field for the first record */
1184 	mp = ssl->handshake_sendbuf;
1185 	cur_reclen = MIN(KSSL_SSL3_SH_RECLEN + cert_len,
1186 	    SSL3_MAX_RECORD_LENGTH);
1187 	mp->b_rptr[3] = (cur_reclen >> 8) & 0xff;
1188 	mp->b_rptr[4] = (cur_reclen) & 0xff;
1189 
1190 	kssl_update_handshake_hashes(ssl, cert_buf, cert_len);
1191 
1192 	return (0);
1193 }
1194 
1195 static int
1196 kssl_send_change_cipher_specs(ssl_t *ssl)
1197 {
1198 	mblk_t *mp, *newmp;
1199 	uchar_t *buf;
1200 
1201 	mp = ssl->handshake_sendbuf;
1202 
1203 	/* We're most likely to hit the fast path for resumed sessions */
1204 	if ((mp != NULL) &&
1205 	    (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) {
1206 		buf = mp->b_wptr;
1207 	} else {
1208 		newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI);
1209 
1210 		if (newmp == NULL)
1211 			return (ENOMEM);	/* need to do better job! */
1212 
1213 		if (mp == NULL) {
1214 			ssl->handshake_sendbuf = newmp;
1215 		} else {
1216 			linkb(ssl->handshake_sendbuf, newmp);
1217 		}
1218 		mp = newmp;
1219 		buf = mp->b_rptr;
1220 	}
1221 
1222 	/* 5 byte record header */
1223 	buf[0] = content_change_cipher_spec;
1224 	buf[1] = ssl->major_version;
1225 	buf[2] = ssl->minor_version;
1226 	buf[3] = 0;
1227 	buf[4] = 1;
1228 	buf += SSL3_HDR_LEN;
1229 
1230 	buf[0] = 1;
1231 
1232 	mp->b_wptr = buf + 1;
1233 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
1234 
1235 	ssl->seq_num[KSSL_WRITE] = 0;
1236 	return (kssl_spec_init(ssl, KSSL_WRITE));
1237 }
1238 
1239 int
1240 kssl_spec_init(ssl_t *ssl, int dir)
1241 {
1242 	KSSL_HASHCTX *ctx;
1243 	KSSLCipherSpec *spec = &ssl->spec[dir];
1244 	int ret = 0;
1245 
1246 	spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz;
1247 	spec->mac_padsz = mac_defs[ssl->pending_malg].padsz;
1248 
1249 	spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit;
1250 	spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate;
1251 	spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal;
1252 
1253 	if (dir == KSSL_READ) {
1254 		bcopy(ssl->pending_keyblock, ssl->mac_secret[dir],
1255 		    spec->mac_hashsz);
1256 	} else {
1257 		bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]),
1258 		    ssl->mac_secret[dir], spec->mac_hashsz);
1259 	}
1260 
1261 	/* Pre-compute these here. will save cycles on each record later */
1262 	if (!IS_TLS(ssl)) {
1263 		ctx = &ssl->mac_ctx[dir][0];
1264 		spec->MAC_HashInit((void *)ctx);
1265 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1266 		    spec->mac_hashsz);
1267 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_1,
1268 			spec->mac_padsz);
1269 
1270 		ctx = &ssl->mac_ctx[dir][1];
1271 		spec->MAC_HashInit((void *)ctx);
1272 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1273 		    spec->mac_hashsz);
1274 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_2,
1275 			spec->mac_padsz);
1276 	}
1277 
1278 	spec->cipher_type = cipher_defs[ssl->pending_calg].type;
1279 	spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type;
1280 	spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize;
1281 	spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz;
1282 
1283 	if (spec->cipher_ctx != NULL) {
1284 		crypto_cancel_ctx(spec->cipher_ctx);
1285 		spec->cipher_ctx = 0;
1286 	}
1287 
1288 	/*
1289 	 * Initialize HMAC keys for TLS and SSL3 HMAC keys
1290 	 * for SSL 3.0.
1291 	 */
1292 	if (IS_TLS(ssl)) {
1293 		if (ssl->pending_malg == mac_md5) {
1294 			spec->hmac_mech = hmac_md5_mech;
1295 		} else if (ssl->pending_malg == mac_sha) {
1296 			spec->hmac_mech = hmac_sha1_mech;
1297 		}
1298 
1299 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1300 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1301 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1302 	} else {
1303 		static uint32_t param;
1304 
1305 		spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID;
1306 		spec->hmac_mech.cm_param = (caddr_t)&param;
1307 		spec->hmac_mech.cm_param_len = sizeof (param);
1308 		if (ssl->pending_malg == mac_md5) {
1309 			spec->hmac_mech.cm_type =
1310 			    crypto_mech2id("CKM_SSL3_MD5_MAC");
1311 			param = MD5_HASH_LEN;
1312 		} else if (ssl->pending_malg == mac_sha) {
1313 			spec->hmac_mech.cm_type =
1314 			    crypto_mech2id("CKM_SSL3_SHA1_MAC");
1315 			param = SHA1_HASH_LEN;
1316 		}
1317 
1318 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1319 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1320 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1321 	}
1322 
1323 	/* We're done if this is the nil cipher */
1324 	if (spec->cipher_keysz == 0) {
1325 		return (0);
1326 	}
1327 
1328 	/* Initialize the key and the active context */
1329 	spec->cipher_key.ck_format = CRYPTO_KEY_RAW;
1330 	spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */
1331 
1332 	if (cipher_defs[ssl->pending_calg].bsize > 0) {
1333 		/* client_write_IV */
1334 		spec->cipher_mech.cm_param =
1335 		    (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz +
1336 		    2 * spec->cipher_keysz]);
1337 		spec->cipher_mech.cm_param_len = spec->cipher_bsize;
1338 	}
1339 	spec->cipher_data.cd_format = CRYPTO_DATA_RAW;
1340 	if (dir == KSSL_READ) {
1341 		spec->cipher_mech.cm_param_len =
1342 		    cipher_defs[ssl->pending_calg].bsize;
1343 
1344 		/* client_write_key */
1345 		spec->cipher_key.ck_data =
1346 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz]);
1347 
1348 		ret = crypto_decrypt_init(&(spec->cipher_mech),
1349 			&(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1350 #ifdef	DEBUG
1351 		if (CRYPTO_ERR(ret)) {
1352 			cmn_err(CE_WARN, "kssl_spec_init: "
1353 				"crypto_decrypt_init error 0x%02X", ret);
1354 		}
1355 #endif	/* DEBUG */
1356 	} else {
1357 		if (cipher_defs[ssl->pending_calg].bsize > 0) {
1358 			spec->cipher_mech.cm_param += spec->cipher_bsize;
1359 		}
1360 		/* server_write_key */
1361 		spec->cipher_key.ck_data =
1362 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz +
1363 		    spec->cipher_keysz]);
1364 
1365 		ret = crypto_encrypt_init(&(spec->cipher_mech),
1366 			&(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1367 #ifdef	DEBUG
1368 		if (CRYPTO_ERR(ret))
1369 			cmn_err(CE_WARN, "kssl_spec_init: "
1370 				"crypto_encrypt_init error 0x%02X", ret);
1371 #endif	/* DEBUG */
1372 	}
1373 	return (ret);
1374 }
1375 
1376 static int
1377 kssl_send_finished(ssl_t *ssl, int update_hsh)
1378 {
1379 	mblk_t *mp;
1380 	uchar_t *buf;
1381 	uchar_t *rstart;
1382 	uchar_t *versionp;
1383 	SSL3Hashes ssl3hashes;
1384 	size_t finish_len;
1385 	int ret = 0;
1386 
1387 	mp = ssl->handshake_sendbuf;
1388 	ASSERT(mp != NULL);
1389 	buf = mp->b_wptr;
1390 	ASSERT(buf - mp->b_rptr == SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN +
1391 	    SSL3_HDR_LEN + 1 || buf - mp->b_rptr == SSL3_HDR_LEN + 1);
1392 
1393 	rstart = buf;
1394 
1395 	if (IS_TLS(ssl))
1396 		finish_len = TLS_FINISHED_SIZE;
1397 	else
1398 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1399 
1400 	/* 5 byte record header */
1401 	buf[0] = content_handshake;
1402 	buf[1] = ssl->major_version;
1403 	buf[2] = ssl->minor_version;
1404 	buf[3] = 0;
1405 	buf[4] = 4 + finish_len;
1406 
1407 	versionp = &buf[1];
1408 
1409 	buf += SSL3_HDR_LEN;
1410 
1411 	/* 4 byte message header */
1412 	buf[0] = (uchar_t)finished;	/* message type */
1413 	buf[1] = 0;			/* message len byte 0 */
1414 	buf[2] = 0;			/* message len byte 1 */
1415 	buf[3] = finish_len;	/* message len byte 2 */
1416 	buf += 4;
1417 
1418 	if (IS_TLS(ssl)) {
1419 		bcopy(ssl->hs_hashes.md5, ssl3hashes.md5,
1420 			sizeof (ssl3hashes.md5));
1421 		bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1,
1422 			sizeof (ssl3hashes.sha1));
1423 	}
1424 
1425 	/* Compute hashes for the SENDER side */
1426 	ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server);
1427 	if (ret != 0)
1428 		return (ret);
1429 
1430 	if (IS_TLS(ssl)) {
1431 		bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash));
1432 	} else {
1433 		bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN);
1434 		bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN);
1435 	}
1436 
1437 	if (update_hsh) {
1438 		kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4);
1439 	}
1440 
1441 	mp->b_wptr = buf + finish_len;
1442 
1443 	ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp,
1444 	    rstart, mp);
1445 	ASSERT(mp->b_wptr <= mp->b_datap->db_lim);
1446 
1447 	return (ret);
1448 }
1449 
1450 int
1451 kssl_mac_encrypt_record(ssl_t *ssl,
1452 	SSL3ContentType ct,
1453 	uchar_t *versionp,
1454 	uchar_t *rstart,
1455 	mblk_t *mp)
1456 {
1457 	KSSLCipherSpec *spec;
1458 	int mac_sz;
1459 	int ret = 0;
1460 	uint16_t rec_sz;
1461 	int pad_sz;
1462 	int i;
1463 
1464 	ASSERT(ssl != NULL);
1465 	ASSERT(rstart >= mp->b_rptr);
1466 	ASSERT(rstart < mp->b_wptr);
1467 
1468 	spec = &ssl->spec[KSSL_WRITE];
1469 	mac_sz = spec->mac_hashsz;
1470 
1471 	rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN;
1472 	ASSERT(rec_sz > 0);
1473 
1474 	if (mac_sz != 0) {
1475 		ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim);
1476 		ret = kssl_compute_record_mac(ssl, KSSL_WRITE,
1477 		    ssl->seq_num[KSSL_WRITE], ct, versionp,
1478 		    rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr);
1479 		if (ret == CRYPTO_SUCCESS) {
1480 			ssl->seq_num[KSSL_WRITE]++;
1481 			mp->b_wptr += mac_sz;
1482 			rec_sz += mac_sz;
1483 		} else {
1484 			return (ret);
1485 		}
1486 	}
1487 
1488 	if (spec->cipher_type == type_block) {
1489 		pad_sz = spec->cipher_bsize -
1490 		    (rec_sz & (spec->cipher_bsize - 1));
1491 		ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim);
1492 		for (i = 0; i < pad_sz; i++) {
1493 			mp->b_wptr[i] = pad_sz - 1;
1494 		}
1495 		mp->b_wptr += pad_sz;
1496 		rec_sz += pad_sz;
1497 	}
1498 
1499 	ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH);
1500 
1501 	U16_TO_BE16(rec_sz, rstart + 3);
1502 
1503 	if (spec->cipher_ctx == 0)
1504 		return (ret);
1505 
1506 	spec->cipher_data.cd_length = rec_sz;
1507 	spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN);
1508 	spec->cipher_data.cd_raw.iov_len = rec_sz;
1509 	/* One record at a time. Otherwise, gotta allocate the crypt_data_t */
1510 	ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data,
1511 	    NULL, NULL);
1512 #ifdef	DEBUG
1513 	if (CRYPTO_ERR(ret)) {
1514 		cmn_err(CE_WARN,
1515 			"kssl_mac_encrypt_record: crypto_encrypt_update "
1516 			"error 0x%02X", ret);
1517 	}
1518 #endif	/* DEBUG */
1519 	return (ret);
1520 }
1521 
1522 void
1523 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc)
1524 {
1525 	mblk_t *mp;
1526 	uchar_t *buf;
1527 	KSSLCipherSpec *spec;
1528 
1529 	ASSERT(ssl != NULL);
1530 
1531 	ssl->sendalert_level = level;
1532 	ssl->sendalert_desc = desc;
1533 
1534 	if (level == alert_fatal) {
1535 #ifdef	DEBUG
1536 		cmn_err(CE_WARN, "sending an alert %d %d from %p\n", level,
1537 		    desc, (void *)caller());
1538 #endif	/* DEBUG */
1539 		if (ssl->sid.cached == B_TRUE) {
1540 			kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
1541 			ssl->sid.cached = B_FALSE;
1542 		}
1543 		ssl->fatal_alert = B_TRUE;
1544 		KSSL_COUNTER(fatal_alerts, 1);
1545 	} else
1546 		KSSL_COUNTER(warning_alerts, 1);
1547 
1548 	spec = &ssl->spec[KSSL_WRITE];
1549 
1550 	ASSERT(ssl->alert_sendbuf == NULL);
1551 	ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz +
1552 	    spec->cipher_bsize, BPRI_HI);
1553 	if (mp == NULL) {
1554 		KSSL_COUNTER(alloc_fails, 1);
1555 		return;
1556 	}
1557 	buf = mp->b_wptr;
1558 
1559 	/* 5 byte record header */
1560 	buf[0] = content_alert;
1561 	buf[1] = ssl->major_version;
1562 	buf[2] = ssl->minor_version;
1563 	buf[3] = 0;
1564 	buf[4] = 2;
1565 	buf += SSL3_HDR_LEN;
1566 
1567 	/* alert contents */
1568 	buf[0] = (uchar_t)level;
1569 	buf[1] = (uchar_t)desc;
1570 
1571 	mp->b_wptr = buf + 2;
1572 }
1573 
1574 /* Assumes RSA encryption */
1575 static int
1576 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen,
1577     kssl_callback_t cbfn, void *arg)
1578 {
1579 	char *buf;
1580 	uchar_t *pms;
1581 	size_t pmslen;
1582 	int allocated;
1583 	int err, rverr = ENOMEM;
1584 	kssl_entry_t *ep;
1585 	crypto_key_t *privkey;
1586 	crypto_data_t *wrapped_pms_data, *pms_data;
1587 	crypto_call_req_t creq, *creqp;
1588 
1589 	ep = ssl->kssl_entry;
1590 	privkey = ep->ke_private_key;
1591 	if (privkey == NULL) {
1592 		return (ENOENT);
1593 	}
1594 
1595 	ASSERT(ssl->msg.type == client_key_exchange);
1596 	ASSERT(ssl->hs_waitstate == wait_client_key);
1597 
1598 	/*
1599 	 * TLS adds an extra 2 byte length field before the data.
1600 	 */
1601 	if (IS_TLS(ssl)) {
1602 		msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1];
1603 		mp->b_rptr += 2;
1604 	}
1605 
1606 	/*
1607 	 * Allocate all we need in one shot. about 300 bytes total, for
1608 	 * 1024 bit RSA modulus.
1609 	 * The buffer layout will be: pms_data, wrapped_pms_data, the
1610 	 * value of the wrapped pms from the client, then room for the
1611 	 * resulting decrypted premaster secret.
1612 	 */
1613 	allocated = 2 * (sizeof (crypto_data_t) + msglen);
1614 	buf = kmem_alloc(allocated, KM_NOSLEEP);
1615 	if (buf == NULL) {
1616 		return (ENOMEM);
1617 	}
1618 
1619 	pms_data = (crypto_data_t *)buf;
1620 	wrapped_pms_data = &(((crypto_data_t *)buf)[1]);
1621 
1622 	wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW;
1623 	wrapped_pms_data->cd_offset = pms_data->cd_offset = 0;
1624 	wrapped_pms_data->cd_length = pms_data->cd_length = msglen;
1625 	wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL;
1626 	wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen;
1627 	wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t);
1628 	pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen;
1629 
1630 	bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen);
1631 	mp->b_rptr += msglen;
1632 
1633 	/* Proceed synchronously if out of interrupt and configured to do so */
1634 	if ((kssl_synchronous) && (!servicing_interrupt())) {
1635 		creqp = NULL;
1636 	} else {
1637 		ssl->cke_callback_func = cbfn;
1638 		ssl->cke_callback_arg = arg;
1639 		creq.cr_flag = kssl_call_flag;
1640 		creq.cr_callback_func = kssl_cke_done;
1641 		creq.cr_callback_arg = ssl;
1642 
1643 		/* The callback routine will release this one */
1644 		KSSL_SSL_REFHOLD(ssl);
1645 
1646 		creqp = &creq;
1647 	}
1648 
1649 	if (ep->ke_is_nxkey) {
1650 		kssl_session_info_t *s;
1651 
1652 		s = ep->ke_sessinfo;
1653 		err = CRYPTO_SUCCESS;
1654 		if (!s->is_valid_handle) {
1655 			/* Reauthenticate to the provider */
1656 			if (s->do_reauth) {
1657 				err = kssl_get_obj_handle(ep);
1658 				if (err == CRYPTO_SUCCESS) {
1659 					s->is_valid_handle = B_TRUE;
1660 					s->do_reauth = B_FALSE;
1661 				}
1662 			} else
1663 				err = CRYPTO_FAILED;
1664 		}
1665 
1666 		if (err == CRYPTO_SUCCESS) {
1667 			ASSERT(s->is_valid_handle);
1668 			err = crypto_decrypt_prov(s->prov, s->sid,
1669 			    &rsa_x509_mech, wrapped_pms_data, &s->key,
1670 			    NULL, pms_data, creqp);
1671 		}
1672 
1673 		/*
1674 		 * Deal with session specific errors. We translate to
1675 		 * the closest errno.
1676 		 */
1677 		switch (err) {
1678 		case CRYPTO_KEY_HANDLE_INVALID:
1679 		case CRYPTO_SESSION_HANDLE_INVALID:
1680 			s->is_valid_handle = B_FALSE;
1681 			s->do_reauth = B_TRUE;
1682 			rverr = EINVAL;
1683 			break;
1684 		case CRYPTO_PIN_EXPIRED:
1685 		case CRYPTO_PIN_LOCKED:
1686 			rverr = EACCES;
1687 			break;
1688 		case CRYPTO_UNKNOWN_PROVIDER:
1689 			rverr = ENXIO;
1690 			break;
1691 		}
1692 	} else {
1693 		err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data,
1694 		    privkey, NULL, pms_data, creqp);
1695 	}
1696 
1697 	switch (err) {
1698 	case CRYPTO_SUCCESS:
1699 		break;
1700 
1701 	case CRYPTO_QUEUED:
1702 		/*
1703 		 * Finish the master secret then the rest of key material
1704 		 * derivation later.
1705 		 */
1706 		ssl->job.kjob = creq.cr_reqid;
1707 		ssl->job.buf = buf;
1708 		ssl->job.buflen = allocated;
1709 		ssl->hs_waitstate = wait_client_key_done;
1710 		return (0);
1711 	default:
1712 #ifdef	DEBUG
1713 		cmn_err(CE_WARN, "kssl_handle_client_key_exchange: "
1714 			"crypto_decrypt error 0x%02X", err);
1715 #endif	/* DEBUG */
1716 		kmem_free(buf, allocated);
1717 		return (rverr);
1718 	}
1719 
1720 	pmslen = pms_data->cd_length;
1721 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1722 
1723 	/* generate master key and save it in the ssl sid structure */
1724 	if (IS_TLS(ssl)) {
1725 		err = kssl_generate_tls_ms(ssl, pms, pmslen);
1726 		if (!CRYPTO_ERR(err))
1727 			err = kssl_generate_tls_keyblock(ssl);
1728 	} else {
1729 		kssl_generate_ssl_ms(ssl, pms, pmslen);
1730 		kssl_generate_keyblock(ssl);
1731 	}
1732 
1733 	if (err == CRYPTO_SUCCESS)
1734 		ssl->hs_waitstate = wait_change_cipher;
1735 
1736 	ssl->activeinput = B_FALSE;
1737 
1738 	kmem_free(buf, allocated);
1739 
1740 	return (0);
1741 }
1742 
1743 static int
1744 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen)
1745 {
1746 	int err;
1747 	size_t finish_len;
1748 	int hashcompare;
1749 
1750 	ASSERT(ssl->msg.type == finished);
1751 	ASSERT(ssl->hs_waitstate == wait_finished);
1752 
1753 	if (IS_TLS(ssl))
1754 		finish_len = TLS_FINISHED_SIZE;
1755 	else
1756 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1757 
1758 	if (msglen != finish_len) {
1759 		kssl_send_alert(ssl, alert_fatal, illegal_parameter);
1760 		return (EBADMSG);
1761 	}
1762 
1763 	if (IS_TLS(ssl)) {
1764 		hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash,
1765 			finish_len);
1766 	} else {
1767 		hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len);
1768 	}
1769 
1770 	/* The handshake hashes should be computed by now */
1771 	if (hashcompare != 0) {
1772 		kssl_send_alert(ssl, alert_fatal, handshake_failure);
1773 		return (EBADMSG);
1774 	}
1775 
1776 	mp->b_rptr += msglen;
1777 
1778 	ssl->hs_waitstate = idle_handshake;
1779 
1780 	if (ssl->resumed == B_TRUE) {
1781 		ssl->activeinput = B_FALSE;
1782 		return (0);
1783 	}
1784 
1785 	err = kssl_send_change_cipher_specs(ssl);
1786 	if (err != 0) {
1787 		return (err);
1788 	}
1789 	err = kssl_send_finished(ssl, 0);
1790 	if (err != 0) {
1791 		return (err);
1792 	}
1793 
1794 	ASSERT(ssl->sid.cached == B_FALSE);
1795 	ssl->sid.cached = B_TRUE;
1796 	kssl_cache_sid(&ssl->sid, ssl->kssl_entry);
1797 	ssl->activeinput = B_FALSE;
1798 
1799 	return (0);
1800 }
1801 
1802 #define	KSSL2_CH_MIN_RECSZ	(9)
1803 
1804 /*
1805  * This method is needed to handle clients which send the
1806  * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers.
1807  * We are not really doing SSLv2 here, just handling the header
1808  * and then switching to SSLv3.
1809  */
1810 int
1811 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz)
1812 {
1813 	uchar_t *recend;
1814 	int err;
1815 	SSL3AlertDescription desc = illegal_parameter;
1816 	uint_t randlen;
1817 	uint_t sidlen;
1818 	uint_t nsuites;
1819 	uchar_t *suitesp;
1820 	uchar_t *rand;
1821 	uint_t i, j;
1822 	uint16_t suite;
1823 	int ch_recsz = KSSL2_CH_MIN_RECSZ;
1824 
1825 	ASSERT(mp->b_wptr >= mp->b_rptr + recsz);
1826 	ASSERT(ssl->hs_waitstate == wait_client_hello);
1827 	ASSERT(ssl->resumed == B_FALSE);
1828 
1829 	if (recsz < ch_recsz) {
1830 		goto falert;
1831 	}
1832 
1833 	MD5Init(&ssl->hs_md5);
1834 	SHA1Init(&ssl->hs_sha1);
1835 
1836 	kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz);
1837 
1838 	recend = mp->b_rptr + recsz;
1839 
1840 	if (*mp->b_rptr != 1) {
1841 		goto falert;
1842 	}
1843 	mp->b_rptr += 3;
1844 
1845 	nsuites = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
1846 	sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3];
1847 	randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5];
1848 	if (nsuites % 3 != 0) {
1849 		KSSL_DEBUG2_IF(kssl_debug,
1850 			"kssl_handle_v2client_hello nsuites = %d, error.",
1851 			nsuites);
1852 		goto falert;
1853 	}
1854 	if (randlen < SSL_MIN_CHALLENGE_BYTES ||
1855 	    randlen > SSL_MAX_CHALLENGE_BYTES) {
1856 		KSSL_DEBUG2_IF(kssl_debug,
1857 			"kssl_handle_v2client_hello randlen out of range: %d",
1858 			randlen);
1859 		goto falert;
1860 	}
1861 	mp->b_rptr += 6;
1862 	ch_recsz += nsuites + sidlen + randlen;
1863 	if (recsz != ch_recsz) {
1864 		goto falert;
1865 	}
1866 	suitesp = mp->b_rptr;
1867 	rand = suitesp + nsuites + sidlen;
1868 	if (randlen < SSL3_RANDOM_LENGTH) {
1869 		bzero(ssl->client_random, SSL3_RANDOM_LENGTH);
1870 	}
1871 	bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen],
1872 	    randlen);
1873 
1874 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
1875 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
1876 		for (j = 0; j < nsuites; j += 3) {
1877 			if (suitesp[j] != 0) {
1878 				continue;
1879 			}
1880 
1881 			if (suitesp[j + 1] == ((suite >> 8) & 0xff) &&
1882 			    suitesp[j + 2] == (suite & 0xff)) {
1883 				break;
1884 			}
1885 		}
1886 		if (j < nsuites) {
1887 			break;
1888 		}
1889 	}
1890 	if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) {
1891 		KSSL_DEBUG1_IF(kssl_debug, "kssl_handle_v2client_hello - "
1892 			"cannot find SSLv2 cipher suite");
1893 		ssl->activeinput = B_FALSE;
1894 		return (SSL_MISS);
1895 	}
1896 
1897 	mp->b_rptr = recend;
1898 
1899 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
1900 		if (suite == cipher_suite_defs[i].suite) {
1901 			break;
1902 		}
1903 	}
1904 
1905 	ASSERT(i < cipher_suite_defs_nentries);
1906 
1907 	ssl->pending_cipher_suite = suite;
1908 	ssl->pending_malg = cipher_suite_defs[i].malg;
1909 	ssl->pending_calg = cipher_suite_defs[i].calg;
1910 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
1911 
1912 	ASSERT(ssl->sid.cached == B_FALSE);
1913 
1914 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
1915 	    SSL3_SESSIONID_BYTES);
1916 	ssl->sid.client_addr = ssl->faddr;
1917 	ssl->sid.cipher_suite = suite;
1918 
1919 	err = kssl_send_server_hello(ssl);
1920 	if (err != 0) {
1921 		return (err);
1922 	}
1923 	err = kssl_send_certificate_and_server_hello_done(ssl);
1924 	if (err != 0) {
1925 		return (err);
1926 	}
1927 	KSSL_COUNTER(full_handshakes, 1);
1928 	ssl->hs_waitstate = wait_client_key;
1929 	ssl->activeinput = B_FALSE;
1930 	return (0);
1931 
1932 falert:
1933 	kssl_send_alert(ssl, alert_fatal, desc);
1934 	ssl->activeinput = B_FALSE;
1935 	return (EBADMSG);
1936 }
1937 
1938 /*
1939  * Call back routine for asynchronously submitted RSA decryption jobs.
1940  * The routine retreived the pre-master secret, and proceeds to generate
1941  * the remaining key materials.
1942  */
1943 static void
1944 kssl_cke_done(void *arg, int status)
1945 {
1946 	int ret = 0;
1947 	uchar_t *pms;
1948 	size_t pmslen;
1949 	crypto_data_t *pms_data;
1950 	kssl_cmd_t kssl_cmd = KSSL_CMD_NONE;
1951 	ssl_t *ssl = (ssl_t *)arg;
1952 	mblk_t *alertmp;
1953 	kssl_callback_t cbfn;
1954 	void *cbarg;
1955 
1956 	mutex_enter(&ssl->kssl_lock);
1957 
1958 	ASSERT(ssl->msg.type == client_key_exchange);
1959 	ASSERT(ssl->hs_waitstate == wait_client_key_done);
1960 
1961 	if (status != CRYPTO_SUCCESS) {
1962 		kssl_send_alert(ssl, alert_fatal, decrypt_error);
1963 		kssl_cmd = KSSL_CMD_SEND;
1964 		goto out;
1965 	}
1966 
1967 	pms_data = (crypto_data_t *)(ssl->job.buf);
1968 
1969 	ASSERT(pms_data != NULL);
1970 
1971 	pmslen = pms_data->cd_length;
1972 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1973 
1974 	/* generate master key and save it in the ssl sid structure */
1975 	if (IS_TLS(ssl)) {
1976 		ret = kssl_generate_tls_ms(ssl, pms, pmslen);
1977 		if (!CRYPTO_ERR(ret))
1978 			ret = kssl_generate_tls_keyblock(ssl);
1979 	} else {
1980 		kssl_generate_ssl_ms(ssl, pms, pmslen);
1981 		kssl_generate_keyblock(ssl);
1982 	}
1983 
1984 	if (ret == CRYPTO_SUCCESS)
1985 		ssl->hs_waitstate = wait_change_cipher;
1986 
1987 out:
1988 	kmem_free(ssl->job.buf, ssl->job.buflen);
1989 
1990 	ssl->job.kjob = 0;
1991 	ssl->job.buf = NULL;
1992 	ssl->job.buflen = 0;
1993 
1994 	ssl->activeinput = B_FALSE;
1995 
1996 	/* If we're the only ones left, then we won't callback */
1997 	if (ssl->kssl_refcnt == 1) {
1998 		mutex_exit(&ssl->kssl_lock);
1999 		KSSL_SSL_REFRELE(ssl);
2000 		return;
2001 	}
2002 
2003 	cbfn = ssl->cke_callback_func;
2004 	cbarg = ssl->cke_callback_arg;
2005 	alertmp = ssl->alert_sendbuf;
2006 	ssl->alert_sendbuf = NULL;
2007 
2008 	mutex_exit(&ssl->kssl_lock);
2009 
2010 	KSSL_SSL_REFRELE(ssl);
2011 
2012 	/* Now call the callback routine */
2013 	(*(cbfn))(cbarg, alertmp, kssl_cmd);
2014 }
2015 
2016 /*
2017  * Returns the first complete contiguous record out of rec_ass_head
2018  * The record is returned in a separate contiguous mblk, rec_ass_head is
2019  * left pointing to the next record in the queue.
2020  *
2021  * The output looks as follows:
2022  *
2023  * |--------|---------- .... -----|<---------->|<----------->|--- ... ---|
2024  * ^        ^                     ^  mac_size     pad_size               ^
2025  * |        |___ b_rptr  b_wptr __|                                      |
2026  * |                                                                     |
2027  * |___ db_base                                                db_lim ___|
2028  */
2029 mblk_t *
2030 kssl_get_next_record(ssl_t *ssl)
2031 {
2032 	mblk_t *mp, *retmp;
2033 	int rhsz = SSL3_HDR_LEN;
2034 	uint16_t rec_sz;
2035 	int mpsz, total_size;
2036 	SSL3ContentType content_type;
2037 
2038 	ASSERT(MUTEX_HELD(&ssl->kssl_lock));
2039 
2040 	mp = ssl->rec_ass_head;
2041 	if (mp == NULL)
2042 		return (NULL);
2043 
2044 	/* Fast path: when mp has at least a complete record */
2045 	if (MBLKL(mp) < rhsz) {
2046 		/* Not even a complete header in there yet */
2047 		if (msgdsize(mp) < rhsz) {
2048 			return (NULL);
2049 		}
2050 
2051 		if (!pullupmsg(mp, rhsz)) {
2052 			kssl_send_alert(ssl, alert_fatal, internal_error);
2053 			freemsg(mp);
2054 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2055 			return (NULL);
2056 		}
2057 	}
2058 	content_type = (SSL3ContentType)mp->b_rptr[0];
2059 	if (content_type == content_handshake_v2) {
2060 		rec_sz = (uint16_t)mp->b_rptr[1];
2061 		rhsz = 2;
2062 	} else {
2063 		uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3;
2064 		rec_sz = BE16_TO_U16(rec_sz_p);
2065 	}
2066 
2067 	/*
2068 	 * same tests as above. Only rare very fragmented cases will
2069 	 * incur the cost of msgdsize() and msgpullup(). Well formed
2070 	 * packets will fall in the most frequent fast path.
2071 	 */
2072 	total_size = rhsz + rec_sz;
2073 
2074 	/*
2075 	 * Missing: defensive against record fabricated with longer than
2076 	 * MAX record length.
2077 	 */
2078 	if (MBLKL(mp) < total_size) {
2079 		/* Not a complete record yet. Keep accumulating */
2080 		if (msgdsize(mp) < total_size) {
2081 			return (NULL);
2082 		}
2083 
2084 		if (!pullupmsg(mp, total_size)) {
2085 			kssl_send_alert(ssl, alert_fatal, internal_error);
2086 			freemsg(mp);
2087 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2088 			return (NULL);
2089 		}
2090 	}
2091 	mpsz = MBLKL(mp);	/* could've changed after the pullup */
2092 
2093 	if (mpsz > total_size) {
2094 		/* gotta allocate a new block */
2095 		if ((retmp = dupb(mp)) == NULL) {
2096 			kssl_send_alert(ssl, alert_fatal, internal_error);
2097 			freemsg(mp);
2098 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2099 			return (NULL);
2100 		}
2101 
2102 		retmp->b_wptr = retmp->b_rptr + total_size;
2103 		mp->b_rptr += total_size;
2104 		ssl->rec_ass_head = mp;
2105 	} else {
2106 		ASSERT(mpsz == total_size);
2107 		ssl->rec_ass_head = mp->b_cont;
2108 		mp->b_cont = NULL;
2109 		retmp = mp;
2110 	}
2111 	/* Adjust the tail */
2112 	if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) {
2113 		for (; mp->b_cont != NULL; mp = mp->b_cont) {
2114 			ssl->rec_ass_tail = mp->b_cont;
2115 		}
2116 	}
2117 
2118 	return (retmp);
2119 }
2120 
2121 
2122 static void
2123 kssl_mblksfree(ssl_t *ssl)
2124 {
2125 
2126 	ASSERT(ssl != NULL);
2127 
2128 	if (ssl->rec_ass_head != NULL) {
2129 		freemsg(ssl->rec_ass_head);
2130 	}
2131 	ssl->rec_ass_head = NULL;
2132 	ssl->rec_ass_tail = NULL;
2133 
2134 	if (ssl->msg.head != NULL) {
2135 		freemsg(ssl->msg.head);
2136 	}
2137 	ssl->msg.head = NULL;
2138 	ssl->msg.tail = NULL;
2139 
2140 	if (ssl->handshake_sendbuf != NULL) {
2141 		freemsg(ssl->handshake_sendbuf);
2142 		ssl->handshake_sendbuf = NULL;
2143 	}
2144 	if (ssl->alert_sendbuf != NULL) {
2145 		freemsg(ssl->alert_sendbuf);
2146 		ssl->alert_sendbuf = NULL;
2147 	}
2148 }
2149 
2150 static void
2151 kssl_specsfree(ssl_t *ssl)
2152 {
2153 	KSSLCipherSpec *spec = &ssl->spec[KSSL_READ];
2154 
2155 	if (spec->cipher_ctx != NULL) {
2156 		crypto_cancel_ctx(spec->cipher_ctx);
2157 		spec->cipher_ctx = 0;
2158 	}
2159 
2160 	spec = &ssl->spec[KSSL_WRITE];
2161 
2162 	if (spec->cipher_ctx != NULL) {
2163 		crypto_cancel_ctx(spec->cipher_ctx);
2164 		spec->cipher_ctx = 0;
2165 	}
2166 }
2167 
2168 /*
2169  * Frees the ssl structure (aka the context of an SSL session).
2170  * Any pending crypto jobs are cancelled.
2171  * Any initiated crypto contexts are freed as well.
2172  */
2173 void
2174 kssl_free_context(ssl_t *ssl)
2175 {
2176 	ASSERT(ssl != NULL);
2177 	if (!(MUTEX_HELD(&ssl->kssl_lock))) {
2178 		/* we're coming from an external API entry point */
2179 		mutex_enter(&ssl->kssl_lock);
2180 	}
2181 
2182 	if (ssl->job.kjob != NULL) {
2183 		crypto_cancel_req(ssl->job.kjob);
2184 		kmem_free(ssl->job.buf, ssl->job.buflen);
2185 
2186 		ssl->job.kjob = 0;
2187 		ssl->job.buf = NULL;
2188 		ssl->job.buflen = 0;
2189 	}
2190 
2191 	kssl_mblksfree(ssl);
2192 	kssl_specsfree(ssl);
2193 
2194 	KSSL_ENTRY_REFRELE(ssl->kssl_entry);
2195 	ssl->kssl_entry = NULL;
2196 
2197 	mutex_exit(&ssl->kssl_lock);
2198 
2199 	kmem_cache_free(kssl_cache, ssl);
2200 	kssl_cache_count--;
2201 }
2202