xref: /titanic_51/usr/src/uts/common/inet/kssl/ksslrec.c (revision c84b7bbef5ecc2a27799422588073deefd9db715)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 #include <sys/types.h>
26 #include <sys/stream.h>
27 #include <sys/strsubr.h>
28 #include <sys/stropts.h>
29 #include <sys/strsun.h>
30 #define	_SUN_TPI_VERSION 2
31 #include <sys/ddi.h>
32 #include <sys/sunddi.h>
33 #include <sys/debug.h>
34 #include <sys/vtrace.h>
35 #include <sys/kmem.h>
36 #include <sys/cpuvar.h>
37 #include <sys/atomic.h>
38 #include <sys/sysmacros.h>
39 
40 #include <sys/errno.h>
41 #include <sys/isa_defs.h>
42 #include <sys/md5.h>
43 #include <sys/sha1.h>
44 #include <sys/random.h>
45 #include <inet/common.h>
46 #include <netinet/in.h>
47 
48 #include <sys/systm.h>
49 #include <sys/param.h>
50 
51 #include "ksslimpl.h"
52 #include "ksslapi.h"
53 #include "ksslproto.h"
54 
55 static ssl3CipherSuiteDef cipher_suite_defs[] = {
56 	/* 2 X 16 byte keys +  2 x 20 byte MAC secrets, no IVs */
57 	{SSL_RSA_WITH_RC4_128_SHA,	cipher_rc4,	mac_sha,	72},
58 
59 	/* 2 X 16 byte keys +  2 x 16 byte MAC secrets, no IVs */
60 	{SSL_RSA_WITH_RC4_128_MD5,	cipher_rc4,	mac_md5,	64},
61 
62 	/* 2 X 8 byte keys +  2 x 20 byte MAC secrets, 2 x 8 byte IVs */
63 	{SSL_RSA_WITH_DES_CBC_SHA,	cipher_des,	mac_sha,	72},
64 
65 	/* 2 X 24 byte keys +  2 x 20 byte MAC secrets, 2 x 8 byte IVs */
66 	{SSL_RSA_WITH_3DES_EDE_CBC_SHA,	cipher_3des,	mac_sha,	104},
67 
68 	/* 2 X 16 byte keys +  2 x 20 byte MAC secrets, 2 x 16 byte IVs */
69 	{TLS_RSA_WITH_AES_128_CBC_SHA,	cipher_aes128,	mac_sha,	104},
70 
71 	/* 2 X 32 byte keys +  2 x 20 byte MAC secrets, 2 x 16 byte IVs */
72 	{TLS_RSA_WITH_AES_256_CBC_SHA,	cipher_aes256,	mac_sha,	136},
73 
74 	{SSL_RSA_WITH_NULL_SHA,		cipher_null,	mac_sha,	40}
75 };
76 
77 static int cipher_suite_defs_nentries =
78     sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]);
79 
80 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
81 	/* macsz padsz HashInit HashUpdate HashFinal */
82 
83 	{MD5_HASH_LEN, SSL3_MD5_PAD_LEN,
84 	    (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update,
85 	    (hashfinal_func_t)MD5Final},
86 
87 	{SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN,
88 	    (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update,
89 	    (hashfinal_func_t)SHA1Final},
90 };
91 
92 static uchar_t kssl_pad_1[60] = {
93     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
94     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
95     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
96     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
97     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
98     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
99     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
100     0x36, 0x36, 0x36, 0x36
101 };
102 static uchar_t kssl_pad_2[60] = {
103     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
104     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
105     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
106     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
107     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
108     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
109     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
110     0x5c, 0x5c, 0x5c, 0x5c
111 };
112 
113 int kssl_cache_count;
114 static boolean_t kssl_synchronous = B_FALSE;
115 
116 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t);
117 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t);
118 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int);
119 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int,
120     kssl_callback_t, void *);
121 static int kssl_send_server_hello(ssl_t *);
122 static int kssl_send_certificate_and_server_hello_done(ssl_t *);
123 static int kssl_send_change_cipher_specs(ssl_t *);
124 static int kssl_send_finished(ssl_t *, int);
125 static int kssl_handle_finished(ssl_t *, mblk_t *, int);
126 static void kssl_get_hello_random(uchar_t *);
127 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *);
128 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *);
129 static void kssl_lookup_sid(sslSessionID *, uchar_t *, in6_addr_t *,
130     kssl_entry_t *);
131 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t);
132 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t);
133 static int kssl_generate_tls_keyblock(ssl_t *);
134 static void kssl_generate_keyblock(ssl_t *);
135 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t,
136     int, uchar_t *, int);
137 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t,
138     uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
139 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *,
140     size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
141 static void kssl_cke_done(void *, int);
142 
143 #define	HMAC_INIT(m, k, c) \
144 	rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end;
145 
146 #define	HMAC_UPDATE(c, d, l) \
147 	dd.cd_raw.iov_base = (char *)d; \
148 	dd.cd_length = dd.cd_raw.iov_len = l; \
149 	rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end;
150 
151 #define	HMAC_FINAL(c, d, l) \
152 	mac.cd_raw.iov_base = (char *)d; \
153 	mac.cd_length = mac.cd_raw.iov_len = l; \
154 	rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end;
155 
156 /*
157  * This hack can go away once we have SSL3 MAC support by KCF
158  * software providers (See 4873559).
159  */
160 extern int kcf_md5_threshold;
161 
162 int
163 kssl_compute_record_mac(
164 	ssl_t *ssl,
165 	int direction,
166 	uint64_t seq_num,
167 	SSL3ContentType ct,
168 	uchar_t *versionp,
169 	uchar_t *buf,
170 	int len,
171 	uchar_t *digest)
172 {
173 	KSSL_HASHCTX mac_ctx;
174 	KSSL_HASHCTX *ctx = &mac_ctx;
175 	uchar_t temp[16], *p;
176 	KSSLCipherSpec *spec;
177 	boolean_t hash_use_ok = B_FALSE;
178 	int rv = 0;
179 
180 	spec = &ssl->spec[direction];
181 
182 	if (spec->mac_hashsz == 0) {
183 		return (1);
184 	}
185 
186 	p = temp;
187 
188 	*p++ = (seq_num >> 56) & 0xff;
189 	*p++ = (seq_num >> 48) & 0xff;
190 	*p++ = (seq_num >> 40) & 0xff;
191 	*p++ = (seq_num >> 32) & 0xff;
192 	*p++ = (seq_num >> 24) & 0xff;
193 	*p++ = (seq_num >> 16) & 0xff;
194 	*p++ = (seq_num >> 8) & 0xff;
195 	*p++ = (seq_num) & 0xff;
196 	*p++ = (uchar_t)ct;
197 	if (IS_TLS(ssl)) {
198 		*p++ = versionp[0];
199 		*p++ = versionp[1];
200 	}
201 	*p++ = (len >> 8) & 0xff;
202 	*p++ = (len) & 0xff;
203 
204 	if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID &&
205 	    len >= kcf_md5_threshold)) {
206 		crypto_data_t dd, mac;
207 		struct uio uio_pt;
208 		struct iovec iovarray_pt[2];
209 
210 		/* init the array of iovecs for use in the uio struct */
211 		iovarray_pt[0].iov_base = (char *)temp;
212 		iovarray_pt[0].iov_len = (p - temp);
213 		iovarray_pt[1].iov_base = (char *)buf;
214 		iovarray_pt[1].iov_len = len;
215 
216 		/* init the uio struct for use in the crypto_data_t struct */
217 		bzero(&uio_pt, sizeof (uio_pt));
218 		uio_pt.uio_iov = iovarray_pt;
219 		uio_pt.uio_iovcnt = 2;
220 		uio_pt.uio_segflg = UIO_SYSSPACE;
221 
222 		dd.cd_format = CRYPTO_DATA_UIO;
223 		dd.cd_offset = 0;
224 		dd.cd_length =  (p - temp) + len;
225 		dd.cd_miscdata = NULL;
226 		dd.cd_uio = &uio_pt;
227 
228 		mac.cd_format = CRYPTO_DATA_RAW;
229 		mac.cd_offset = 0;
230 		mac.cd_raw.iov_base = (char *)digest;
231 		mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz;
232 
233 		/*
234 		 * The calling context can tolerate a blocking call here.
235 		 * For outgoing traffic, we are in user context
236 		 * when called from strsock_kssl_output(). For incoming
237 		 * traffic past the SSL handshake, we are in user
238 		 * context when called from strsock_kssl_input(). During the
239 		 * SSL handshake, we are called for client_finished message
240 		 * handling from a squeue worker thread that gets scheduled
241 		 * by an SQ_FILL call. This thread is not in interrupt
242 		 * context and so can block.
243 		 */
244 		rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key,
245 		    NULL, &mac, NULL);
246 
247 		if (CRYPTO_ERR(rv)) {
248 			hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED &&
249 			    !IS_TLS(ssl));
250 			if (!hash_use_ok) {
251 				DTRACE_PROBE1(kssl_err__crypto_mac_error,
252 				    int, rv);
253 				KSSL_COUNTER(compute_mac_failure, 1);
254 			}
255 		}
256 	} else
257 		hash_use_ok = B_TRUE;
258 
259 	if (hash_use_ok) {
260 		bcopy(&(ssl->mac_ctx[direction][0]), ctx,
261 		    sizeof (KSSL_HASHCTX));
262 		spec->MAC_HashUpdate((void *)ctx, temp, p - temp);
263 		spec->MAC_HashUpdate((void *)ctx, buf, len);
264 		spec->MAC_HashFinal(digest, (void *)ctx);
265 
266 		bcopy(&(ssl->mac_ctx[direction][1]), ctx,
267 		    sizeof (KSSL_HASHCTX));
268 		spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz);
269 		spec->MAC_HashFinal(digest, (void *)ctx);
270 	}
271 
272 	return (rv);
273 }
274 
275 /*
276  * Handles handshake messages.
277  * Messages to be replied are returned in handshake_sendbuf.
278  */
279 int
280 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err,
281     kssl_callback_t cbfn, void *arg)
282 {
283 	uint32_t msglen;
284 	uchar_t msghdr[4];
285 
286 	ASSERT(ssl->msg.state == MSG_BODY);
287 	ASSERT(ssl->msg.msglen_bytes == 3);
288 	ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen);
289 
290 	ssl->sslcnt++;
291 	msglen = ssl->msg.msglen;
292 
293 	if (ssl->msg.type == client_hello) {
294 		MD5Init(&ssl->hs_md5);
295 		SHA1Init(&ssl->hs_sha1);
296 	}
297 
298 	if (ssl->msg.type == finished && ssl->resumed == B_FALSE) {
299 		if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
300 		    sender_client) != 0) {
301 			*err = SSL_MISS;
302 			return (0);
303 		}
304 	}
305 
306 	if (ssl->msg.type != finished || ssl->resumed == B_FALSE) {
307 		msghdr[0] = (uchar_t)ssl->msg.type;
308 
309 		msghdr[1] = (uchar_t)(msglen >> 16);
310 		msghdr[2] = (uchar_t)(msglen >> 8);
311 		msghdr[3] = (uchar_t)(msglen);
312 		kssl_update_handshake_hashes(ssl, msghdr, 4);
313 		kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen);
314 	}
315 
316 	ssl->msg.state = MSG_INIT;
317 	ssl->msg.msglen = 0;
318 	ssl->msg.msglen_bytes = 0;
319 
320 	switch (ssl->msg.type) {
321 	case client_hello:
322 		if (ssl->hs_waitstate != wait_client_hello) {
323 			kssl_send_alert(ssl, alert_fatal,
324 			    unexpected_message);
325 			*err = EBADMSG;
326 			ssl->activeinput = B_FALSE;
327 			return (1);
328 		}
329 		*err = kssl_handle_client_hello(ssl, mp, msglen);
330 		if (*err == SSL_MISS) {
331 			ssl->activeinput = B_FALSE;
332 			return (0);
333 		}
334 		return (1);
335 	case client_key_exchange:
336 		if (ssl->hs_waitstate != wait_client_key) {
337 			kssl_send_alert(ssl, alert_fatal,
338 			    unexpected_message);
339 			*err = EBADMSG;
340 			ssl->activeinput = B_FALSE;
341 			return (1);
342 		}
343 		*err = kssl_handle_client_key_exchange(ssl, mp,
344 		    msglen, cbfn, arg);
345 		return (1);
346 	case finished:
347 		if (ssl->hs_waitstate != wait_finished) {
348 			kssl_send_alert(ssl, alert_fatal,
349 			    unexpected_message);
350 			*err = EBADMSG;
351 			ssl->activeinput = B_FALSE;
352 			return (1);
353 		}
354 		*err = kssl_handle_finished(ssl, mp, msglen);
355 		return (1);
356 	default:
357 		kssl_send_alert(ssl, alert_fatal, unexpected_message);
358 		ssl->activeinput = B_FALSE;
359 		*err = EBADMSG;
360 		return (1);
361 	}
362 }
363 
364 static void
365 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len)
366 {
367 	MD5Update(&ssl->hs_md5, buf, len);
368 	SHA1Update(&ssl->hs_sha1, buf, len);
369 }
370 
371 static int
372 kssl_compute_handshake_hashes(
373 	ssl_t *ssl,
374 	SSL3Hashes *hashes,
375 	uint32_t sender)
376 {
377 	MD5_CTX md5 = ssl->hs_md5;	/* clone md5 context */
378 	SHA1_CTX sha1 = ssl->hs_sha1;	/* clone sha1 context */
379 	MD5_CTX *md5ctx = &md5;
380 	SHA1_CTX *sha1ctx = &sha1;
381 
382 	if (IS_TLS(ssl)) {
383 		uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN];
384 		char *label;
385 
386 		/*
387 		 * Do not take another hash step here.
388 		 * Just complete the operation.
389 		 */
390 		MD5Final(hashes->md5, md5ctx);
391 		SHA1Final(hashes->sha1, sha1ctx);
392 
393 		bcopy(hashes->md5, seed, MD5_HASH_LEN);
394 		bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN);
395 
396 		if (sender == sender_client)
397 			label = TLS_CLIENT_FINISHED_LABEL;
398 		else
399 			label = TLS_SERVER_FINISHED_LABEL;
400 
401 		return (kssl_tls_PRF(ssl,
402 		    ssl->sid.master_secret,
403 		    (size_t)SSL3_MASTER_SECRET_LEN,
404 		    (uchar_t *)label, strlen(label),
405 		    seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN),
406 		    hashes->tlshash, (size_t)TLS_FINISHED_SIZE));
407 	} else {
408 		uchar_t s[4];
409 		s[0] = (sender >> 24) & 0xff;
410 		s[1] = (sender >> 16) & 0xff;
411 		s[2] = (sender >> 8) & 0xff;
412 		s[3] = (sender) & 0xff;
413 
414 		MD5Update(md5ctx, s, 4);
415 		MD5Update(md5ctx, ssl->sid.master_secret,
416 		    SSL3_MASTER_SECRET_LEN);
417 		MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN);
418 		MD5Final(hashes->md5, md5ctx);
419 
420 		MD5Init(md5ctx);
421 		MD5Update(md5ctx, ssl->sid.master_secret,
422 		    SSL3_MASTER_SECRET_LEN);
423 		MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN);
424 		MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN);
425 		MD5Final(hashes->md5, md5ctx);
426 
427 		SHA1Update(sha1ctx, s, 4);
428 		SHA1Update(sha1ctx, ssl->sid.master_secret,
429 		    SSL3_MASTER_SECRET_LEN);
430 		SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN);
431 		SHA1Final(hashes->sha1, sha1ctx);
432 
433 		SHA1Init(sha1ctx);
434 		SHA1Update(sha1ctx, ssl->sid.master_secret,
435 		    SSL3_MASTER_SECRET_LEN);
436 		SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN);
437 		SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN);
438 		SHA1Final(hashes->sha1, sha1ctx);
439 		return (0);
440 	}
441 }
442 
443 
444 /*
445  * Minimum message length for a client hello =
446  * 2-byte client_version +
447  * 32-byte random +
448  * 1-byte session_id length +
449  * 2-byte cipher_suites length +
450  * 1-byte compression_methods length +
451  * 1-byte CompressionMethod.null
452  */
453 #define	KSSL_SSL3_CH_MIN_MSGLEN	(39)
454 
455 /*
456  * Process SSL/TLS Client Hello message. Return 0 on success, errno value
457  * or SSL_MISS if no cipher suite of the server matches the list received
458  * in the message.
459  */
460 static int
461 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen)
462 {
463 	uchar_t *msgend;
464 	int err;
465 	SSL3AlertDescription desc = illegal_parameter;
466 	uint_t sidlen, cslen, cmlen;
467 	uchar_t *suitesp;
468 	uint_t i, j;
469 	uint16_t suite, selected_suite;
470 	int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN;
471 	boolean_t suite_found = B_FALSE;
472 
473 	ASSERT(mp->b_wptr >= mp->b_rptr + msglen);
474 	ASSERT(ssl->msg.type == client_hello);
475 	ASSERT(ssl->hs_waitstate == wait_client_hello);
476 	ASSERT(ssl->resumed == B_FALSE);
477 
478 	if (msglen < ch_msglen) {
479 		DTRACE_PROBE2(kssl_err__msglen_less_than_minimum,
480 		    int, msglen, int, ch_msglen);
481 		goto falert;
482 	}
483 
484 	msgend = mp->b_rptr + msglen;
485 
486 	/* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */
487 	if (ssl->major_version != 3 || (ssl->major_version == 3 &&
488 	    ssl->minor_version != 0 && ssl->minor_version != 1)) {
489 		DTRACE_PROBE2(kssl_err__SSL_version_not_supported,
490 		    uchar_t, ssl->major_version,
491 		    uchar_t, ssl->minor_version);
492 		desc = handshake_failure;
493 		goto falert;
494 	}
495 	mp->b_rptr += 2; /* skip the version bytes */
496 
497 	/* read client random field */
498 	bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH);
499 	mp->b_rptr += SSL3_RANDOM_LENGTH;
500 
501 	/* read session ID length */
502 	ASSERT(ssl->sid.cached == B_FALSE);
503 	sidlen = *mp->b_rptr++;
504 	ch_msglen += sidlen;
505 	if (msglen < ch_msglen) {
506 		DTRACE_PROBE2(kssl_err__invalid_message_length_after_ver,
507 		    int, msglen, int, ch_msglen);
508 		goto falert;
509 	}
510 	if (sidlen != SSL3_SESSIONID_BYTES) {
511 		mp->b_rptr += sidlen;
512 	} else {
513 		kssl_lookup_sid(&ssl->sid, mp->b_rptr, &ssl->faddr,
514 		    ssl->kssl_entry);
515 		mp->b_rptr += SSL3_SESSIONID_BYTES;
516 	}
517 
518 	/* read cipher suite length */
519 	cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
520 	mp->b_rptr += 2;
521 	ch_msglen += cslen;
522 
523 	/*
524 	 * This check can't be a "!=" since there can be
525 	 * compression methods other than CompressionMethod.null.
526 	 * Also, there can be extra data (TLS extensions) after the
527 	 * compression methods field.
528 	 */
529 	if (msglen < ch_msglen) {
530 		DTRACE_PROBE2(kssl_err__invalid_message_length_after_cslen,
531 		    int, msglen, int, ch_msglen);
532 		goto falert;
533 	}
534 
535 	/* The length has to be even since a cipher suite is 2-byte long. */
536 	if (cslen & 0x1) {
537 		DTRACE_PROBE1(kssl_err__uneven_cipher_suite_length,
538 		    uint_t, cslen);
539 		goto falert;
540 	}
541 	suitesp = mp->b_rptr;
542 
543 	/* session resumption checks */
544 	if (ssl->sid.cached == B_TRUE) {
545 		suite = ssl->sid.cipher_suite;
546 		for (j = 0; j < cslen; j += 2) {
547 			DTRACE_PROBE2(kssl_cipher_suite_check_resumpt,
548 			    uint16_t, suite,
549 			    uint16_t,
550 			    (uint16_t)((suitesp[j] << 8) + suitesp[j+1]));
551 			/* Check for regular (true) cipher suite. */
552 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
553 			    suitesp[j + 1] == (suite & 0xff)) {
554 				DTRACE_PROBE1(kssl_cipher_suite_found_resumpt,
555 				    uint16_t, suite);
556 				suite_found = B_TRUE;
557 				selected_suite = suite;
558 			}
559 
560 			/* Check for SCSV. */
561 			if (suitesp[j] ==  ((SSL_SCSV >> 8) & 0xff) &&
562 			    suitesp[j + 1] == (SSL_SCSV & 0xff)) {
563 				DTRACE_PROBE(kssl_scsv_found_resumpt);
564 				ssl->secure_renegotiation = B_TRUE;
565 			}
566 
567 			/*
568 			 * If we got cipher suite match and SCSV we can
569 			 * terminate the cycle now.
570 			 */
571 			if (suite_found && ssl->secure_renegotiation)
572 				break;
573 		}
574 		if (suite_found)
575 			goto suite_found;
576 		kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
577 	}
578 
579 	/* Check if this server is capable of the cipher suite. */
580 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
581 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
582 		for (j = 0; j < cslen; j += 2) {
583 			DTRACE_PROBE2(kssl_cipher_suite_check, uint16_t, suite,
584 			    uint16_t,
585 			    (uint16_t)((suitesp[j] << 8) + suitesp[j+1]));
586 			/* Check for regular (true) cipher suite. */
587 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
588 			    suitesp[j + 1] == (suite & 0xff)) {
589 				DTRACE_PROBE1(kssl_cipher_suite_found,
590 				    uint16_t, suite);
591 				suite_found = B_TRUE;
592 				selected_suite = suite;
593 			}
594 
595 			/* Check for SCSV. */
596 			if (suitesp[j] ==  ((SSL_SCSV >> 8) & 0xff) &&
597 			    suitesp[j + 1] == (SSL_SCSV & 0xff)) {
598 				DTRACE_PROBE(kssl_scsv_found);
599 				ssl->secure_renegotiation = B_TRUE;
600 			}
601 
602 			/*
603 			 * If we got cipher suite match and SCSV or went
604 			 * through the whole list of client cipher suites
605 			 * (hence we know if SCSV was present or not) we
606 			 * can terminate the cycle now.
607 			 */
608 			if (suite_found &&
609 			    (ssl->secure_renegotiation || (i > 0)))
610 				break;
611 		}
612 		if (suite_found)
613 			break;
614 	}
615 	if (!suite_found) {
616 		if (ssl->sslcnt == 1) {
617 			DTRACE_PROBE(kssl_no_cipher_suite_found);
618 			KSSL_COUNTER(no_suite_found, 1);
619 			/*
620 			 * If there is no fallback point terminate the
621 			 * handshake with SSL alert otherwise return with
622 			 * SSL_MISS.
623 			 */
624 			if (ssl->kssl_entry->ke_fallback_head == NULL) {
625 				DTRACE_PROBE(kssl_no_fallback);
626 				desc = handshake_failure;
627 				goto falert;
628 			} else {
629 				return (SSL_MISS);
630 			}
631 		}
632 		desc = handshake_failure;
633 		DTRACE_PROBE(kssl_err__no_cipher_suites_found);
634 		goto falert;
635 	}
636 
637 suite_found:
638 	mp->b_rptr += cslen;
639 
640 	/*
641 	 * Check for the mandatory CompressionMethod.null. We do not
642 	 * support any other compression methods.
643 	 */
644 	cmlen = *mp->b_rptr++;
645 	ch_msglen += cmlen - 1;	/* -1 accounts for the null method */
646 	if (msglen < ch_msglen) {
647 		DTRACE_PROBE2(kssl_err__invalid_message_length_after_complen,
648 		    int, msglen, int, ch_msglen);
649 		goto falert;
650 	}
651 
652 	/*
653 	 * Search for null compression method (encoded as 0 byte) in the
654 	 * compression methods field.
655 	 */
656 	while (cmlen >= 1) {
657 		if (*mp->b_rptr++ == 0)
658 			break;
659 		cmlen--;
660 	}
661 
662 	if (cmlen == 0) {
663 		desc = handshake_failure;
664 		DTRACE_PROBE(kssl_err__no_null_compression_method);
665 		goto falert;
666 	}
667 
668 	/* Find the suite in the internal cipher suite table. */
669 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
670 		if (selected_suite == cipher_suite_defs[i].suite) {
671 			break;
672 		}
673 	}
674 
675 	/* Get past the remaining compression methods (minus null method). */
676 	mp->b_rptr += cmlen - 1;
677 
678 	ASSERT(i < cipher_suite_defs_nentries);
679 
680 	ssl->pending_cipher_suite = selected_suite;
681 	ssl->pending_malg = cipher_suite_defs[i].malg;
682 	ssl->pending_calg = cipher_suite_defs[i].calg;
683 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
684 
685 	/* Parse TLS extensions (if any). */
686 	if (ch_msglen + 2 < msglen) {
687 		/* Get the length of the extensions. */
688 		uint16_t ext_total_len = ((uint_t)mp->b_rptr[0] << 8) +
689 		    (uint_t)mp->b_rptr[1];
690 		DTRACE_PROBE1(kssl_total_length_extensions, uint16_t,
691 		    ext_total_len);
692 		/*
693 		 * Consider zero extensions length as invalid extension
694 		 * encoding.
695 		 */
696 		if (ext_total_len == 0) {
697 			DTRACE_PROBE1(kssl_err__zero_extensions_length,
698 			    mblk_t *, mp);
699 			goto falert;
700 		}
701 		ch_msglen += 2;
702 		if (ch_msglen + ext_total_len > msglen) {
703 			DTRACE_PROBE2(kssl_err__invalid_extensions_length,
704 			    int, msglen, int, ch_msglen);
705 			goto falert;
706 		}
707 		mp->b_rptr += 2;
708 
709 		/*
710 		 * Go through the TLS extensions. This is only done to check
711 		 * for the presence of renegotiation_info extension. We do not
712 		 * support any other TLS extensions and hence ignore them.
713 		 */
714 		while (mp->b_rptr < msgend) {
715 			uint16_t ext_len, ext_type;
716 
717 			/*
718 			 * Check that the extension has at least type and
719 			 * length (2 + 2 bytes).
720 			 */
721 			if (ch_msglen + 4 > msglen) {
722 				DTRACE_PROBE(kssl_err__invalid_ext_format);
723 				goto falert;
724 			}
725 
726 			/* Get extension type and length */
727 			ext_type = ((uint_t)mp->b_rptr[0] << 8) +
728 			    (uint_t)mp->b_rptr[1];
729 			mp->b_rptr += 2;
730 			ext_len = ((uint_t)mp->b_rptr[0] << 8) +
731 			    (uint_t)mp->b_rptr[1];
732 			mp->b_rptr += 2;
733 			ch_msglen += 4;
734 			DTRACE_PROBE3(kssl_ext_detected, uint16_t, ext_type,
735 			    uint16_t, ext_len, mblk_t *, mp);
736 
737 			/*
738 			 * Make sure the contents of the extension are
739 			 * accessible.
740 			 */
741 			if (ch_msglen + ext_len > msglen) {
742 				DTRACE_PROBE1(
743 				    kssl_err__invalid_ext_len,
744 				    uint16_t, ext_len);
745 				goto falert;
746 			}
747 
748 			switch (ext_type) {
749 			case TLSEXT_RENEGOTIATION_INFO:
750 				/*
751 				 * Search for empty "renegotiation_info"
752 				 * extension (encoded as ff 01 00 01 00).
753 				 */
754 				DTRACE_PROBE(kssl_reneg_info_found);
755 				if ((ext_len != 1) ||
756 				    (*mp->b_rptr != 0)) {
757 					DTRACE_PROBE2(
758 					    kssl_err__non_empty_reneg_info,
759 					    uint16_t, ext_len,
760 					    mblk_t *, mp);
761 					goto falert;
762 				}
763 				ssl->secure_renegotiation = B_TRUE;
764 				break;
765 			default:
766 				/* FALLTHRU */
767 				break;
768 			}
769 
770 			/* jump to the next extension */
771 			ch_msglen += ext_len;
772 			mp->b_rptr += ext_len;
773 		}
774 	}
775 
776 	mp->b_rptr = msgend;
777 
778 	if (ssl->sid.cached == B_TRUE) {
779 		err = kssl_send_server_hello(ssl);
780 		if (err != 0) {
781 			return (err);
782 		}
783 		if (IS_TLS(ssl))
784 			err = kssl_generate_tls_keyblock(ssl);
785 		else
786 			kssl_generate_keyblock(ssl);
787 
788 		err = kssl_send_change_cipher_specs(ssl);
789 		if (err != 0) {
790 			return (err);
791 		}
792 
793 		err = kssl_send_finished(ssl, 1);
794 		if (err != 0)
795 			return (err);
796 
797 		err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
798 		    sender_client);
799 		if (err != 0)
800 			return (err);
801 
802 		ssl->hs_waitstate = wait_change_cipher;
803 		ssl->resumed = B_TRUE;
804 		ssl->activeinput = B_FALSE;
805 		KSSL_COUNTER(resumed_sessions, 1);
806 		return (0);
807 	}
808 
809 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
810 	    SSL3_SESSIONID_BYTES);
811 	ssl->sid.client_addr = ssl->faddr;
812 	ssl->sid.cipher_suite = selected_suite;
813 
814 	err = kssl_send_server_hello(ssl);
815 	if (err != 0) {
816 		return (err);
817 	}
818 	err = kssl_send_certificate_and_server_hello_done(ssl);
819 	if (err != 0) {
820 		return (err);
821 	}
822 	KSSL_COUNTER(full_handshakes, 1);
823 	ssl->hs_waitstate = wait_client_key;
824 	ssl->activeinput = B_FALSE;
825 	return (0);
826 
827 falert:
828 	kssl_send_alert(ssl, alert_fatal, desc);
829 	return (EBADMSG);
830 }
831 
832 #define	SET_HASH_INDEX(index, s, clnt_addr) {				\
833 	int addr;							\
834 									\
835 	IN6_V4MAPPED_TO_IPADDR(clnt_addr, addr);			\
836 	index = addr ^ (((int)(s)[0] << 24) | ((int)(s)[1] << 16) |	\
837 	    ((int)(s)[2] << 8) | (int)(s)[SSL3_SESSIONID_BYTES - 1]);	\
838 }
839 
840 /*
841  * Creates a cache entry. Sets the sid->cached flag
842  * and sid->time fields. So, the caller should not set them.
843  */
844 static void
845 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
846 {
847 	uint_t index;
848 	uchar_t *s = sid->session_id;
849 	kmutex_t *lock;
850 
851 	ASSERT(sid->cached == B_FALSE);
852 
853 	/* set the values before creating the cache entry */
854 	sid->cached = B_TRUE;
855 	sid->time = ddi_get_lbolt();
856 
857 	SET_HASH_INDEX(index, s, &sid->client_addr);
858 	index %= kssl_entry->sid_cache_nentries;
859 
860 	lock = &(kssl_entry->sid_cache[index].se_lock);
861 	mutex_enter(lock);
862 	kssl_entry->sid_cache[index].se_used++;
863 	bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid));
864 	mutex_exit(lock);
865 
866 	KSSL_COUNTER(sid_cached, 1);
867 }
868 
869 /*
870  * Invalidates the cache entry, if any. Clears the sid->cached flag
871  * as a side effect.
872  */
873 void
874 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
875 {
876 	uint_t index;
877 	uchar_t *s = sid->session_id;
878 	sslSessionID *csid;
879 	kmutex_t *lock;
880 
881 	ASSERT(sid->cached == B_TRUE);
882 	sid->cached = B_FALSE;
883 
884 	SET_HASH_INDEX(index, s, &sid->client_addr);
885 	index %= kssl_entry->sid_cache_nentries;
886 
887 	lock = &(kssl_entry->sid_cache[index].se_lock);
888 	mutex_enter(lock);
889 	csid = &(kssl_entry->sid_cache[index].se_sid);
890 	if (!(IN6_ARE_ADDR_EQUAL(&csid->client_addr, &sid->client_addr)) ||
891 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
892 		mutex_exit(lock);
893 		return;
894 	}
895 	csid->cached = B_FALSE;
896 	mutex_exit(lock);
897 
898 	KSSL_COUNTER(sid_uncached, 1);
899 }
900 
901 static void
902 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, in6_addr_t *faddr,
903     kssl_entry_t *kssl_entry)
904 {
905 	uint_t index;
906 	kmutex_t *lock;
907 	sslSessionID *csid;
908 
909 	KSSL_COUNTER(sid_cache_lookups, 1);
910 
911 	SET_HASH_INDEX(index, s, faddr);
912 	index %= kssl_entry->sid_cache_nentries;
913 
914 	lock = &(kssl_entry->sid_cache[index].se_lock);
915 	mutex_enter(lock);
916 	csid = &(kssl_entry->sid_cache[index].se_sid);
917 	if (csid->cached == B_FALSE ||
918 	    !IN6_ARE_ADDR_EQUAL(&csid->client_addr, faddr) ||
919 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
920 		mutex_exit(lock);
921 		return;
922 	}
923 
924 	if (TICK_TO_SEC(ddi_get_lbolt() - csid->time) >
925 	    kssl_entry->sid_cache_timeout) {
926 		csid->cached = B_FALSE;
927 		mutex_exit(lock);
928 		return;
929 	}
930 
931 	bcopy(csid, sid, sizeof (*sid));
932 	mutex_exit(lock);
933 	ASSERT(sid->cached == B_TRUE);
934 
935 	KSSL_COUNTER(sid_cache_hits, 1);
936 }
937 
938 static uchar_t *
939 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp)
940 {
941 	size_t len = *lenp;
942 	int i = 2;
943 
944 	if (buf[0] != 0 || buf[1] != 2) {
945 		return (NULL);
946 	}
947 
948 	while (i < len) {
949 		if (buf[i++] == 0) {
950 			*lenp = len - i;
951 			break;
952 		}
953 	}
954 
955 	if (i == len) {
956 		return (NULL);
957 	}
958 
959 	return (buf + i);
960 }
961 
962 
963 #define	KSSL_SSL3_SH_RECLEN	(74)
964 #define	KSSL_SSL3_FIN_MSGLEN	(36)
965 #define	KSSL_EMPTY_RENEG_INFO_LEN	(7)
966 
967 #define	KSSL_SSL3_MAX_CCP_FIN_MSGLEN	(128)	/* comfortable upper bound */
968 
969 /*
970  * Send ServerHello record to the client.
971  */
972 static int
973 kssl_send_server_hello(ssl_t *ssl)
974 {
975 	mblk_t *mp;
976 	uchar_t *buf;
977 	uchar_t *msgstart;
978 	uint16_t reclen = KSSL_SSL3_SH_RECLEN;
979 
980 	mp = allocb(ssl->tcp_mss, BPRI_HI);
981 	if (mp == NULL) {
982 		KSSL_COUNTER(alloc_fails, 1);
983 		return (ENOMEM);
984 	}
985 	ssl->handshake_sendbuf = mp;
986 	buf = mp->b_wptr;
987 
988 	if (ssl->secure_renegotiation)
989 		reclen += KSSL_EMPTY_RENEG_INFO_LEN;
990 
991 	/* 5 byte record header */
992 	buf[0] = content_handshake;
993 	buf[1] = ssl->major_version;
994 	buf[2] = ssl->minor_version;
995 	buf[3] = reclen >> 8;
996 	buf[4] = reclen & 0xff;
997 	buf += SSL3_HDR_LEN;
998 
999 	msgstart = buf;
1000 
1001 	/* 6 byte message header */
1002 	buf[0] = (uchar_t)server_hello;			/* message type */
1003 	buf[1] = 0;					/* message len byte 0 */
1004 	buf[2] = ((reclen - 4) >> 8) &
1005 	    0xff;					/* message len byte 1 */
1006 	buf[3] = (reclen - 4) & 0xff;	/* message len byte 2 */
1007 
1008 	buf[4] = ssl->major_version;	/* version byte 0 */
1009 	buf[5] = ssl->minor_version;	/* version byte 1 */
1010 
1011 	buf += 6;
1012 
1013 	kssl_get_hello_random(ssl->server_random);
1014 	bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH);
1015 	buf += SSL3_RANDOM_LENGTH;
1016 
1017 	buf[0] = SSL3_SESSIONID_BYTES;
1018 	bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES);
1019 	buf += SSL3_SESSIONID_BYTES + 1;
1020 
1021 	buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff;
1022 	buf[1] = ssl->pending_cipher_suite & 0xff;
1023 
1024 	buf[2] = 0;	/* No compression */
1025 	buf += 3;
1026 
1027 	/*
1028 	 * Add "renegotiation_info" extension if the ClientHello message
1029 	 * contained either SCSV value in cipher suite list or
1030 	 * "renegotiation_info" extension. This is per RFC 5746, section 3.6.
1031 	 */
1032 	if (ssl->secure_renegotiation) {
1033 		/* Extensions length */
1034 		buf[0] = 0x00;
1035 		buf[1] = 0x05;
1036 		/* empty renegotiation_info extension encoding (section 3.2) */
1037 		buf[2] = 0xff;
1038 		buf[3] = 0x01;
1039 		buf[4] = 0x00;
1040 		buf[5] = 0x01;
1041 		buf[6] = 0x00;
1042 		buf += KSSL_EMPTY_RENEG_INFO_LEN;
1043 	}
1044 
1045 	mp->b_wptr = buf;
1046 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
1047 
1048 	kssl_update_handshake_hashes(ssl, msgstart, reclen);
1049 	return (0);
1050 }
1051 
1052 static void
1053 kssl_get_hello_random(uchar_t *buf)
1054 {
1055 	timestruc_t ts;
1056 	time_t sec;
1057 
1058 	gethrestime(&ts);
1059 	sec = ts.tv_sec;
1060 
1061 	buf[0] = (sec >> 24) & 0xff;
1062 	buf[1] = (sec >> 16) & 0xff;
1063 	buf[2] = (sec >> 8) & 0xff;
1064 	buf[3] = (sec) & 0xff;
1065 
1066 	(void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4);
1067 
1068 	/* Should this be caching? */
1069 }
1070 
1071 static int
1072 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key,
1073 	size_t hashlen,
1074 	uchar_t *label, size_t label_len,
1075 	uchar_t *seed, size_t seedlen,
1076 	uchar_t *data, size_t datalen)
1077 {
1078 	int rv = 0;
1079 	uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN];
1080 	int bytes_left = datalen;
1081 	crypto_data_t dd, mac;
1082 	crypto_context_t ctx;
1083 
1084 	dd.cd_format = CRYPTO_DATA_RAW;
1085 	dd.cd_offset = 0;
1086 	mac.cd_format = CRYPTO_DATA_RAW;
1087 	mac.cd_offset = 0;
1088 
1089 	/*
1090 	 * A(i) = HMAC_hash(secret, seed + A(i-1));
1091 	 * A(0) = seed;
1092 	 *
1093 	 * Compute A(1):
1094 	 * A(1) = HMAC_hash(secret, label + seed)
1095 	 *
1096 	 */
1097 	HMAC_INIT(mech, key, &ctx);
1098 	HMAC_UPDATE(ctx, label, label_len);
1099 	HMAC_UPDATE(ctx, seed, seedlen);
1100 	HMAC_FINAL(ctx, A1, hashlen);
1101 
1102 	/* Compute A(2) ... A(n) */
1103 	while (bytes_left > 0) {
1104 		HMAC_INIT(mech, key, &ctx);
1105 		HMAC_UPDATE(ctx, A1, hashlen);
1106 		HMAC_UPDATE(ctx, label, label_len);
1107 		HMAC_UPDATE(ctx, seed, seedlen);
1108 		HMAC_FINAL(ctx, result, hashlen);
1109 
1110 		/*
1111 		 * The A(i) value is stored in "result".
1112 		 * Save the results of the MAC so it can be input to next
1113 		 * iteration.
1114 		 */
1115 		if (bytes_left > hashlen) {
1116 			/* Store the chunk result */
1117 			bcopy(result, data, hashlen);
1118 			data += hashlen;
1119 
1120 			bytes_left -= hashlen;
1121 
1122 			/* Update A1 for next iteration */
1123 			HMAC_INIT(mech, key, &ctx);
1124 			HMAC_UPDATE(ctx, A1, hashlen);
1125 			HMAC_FINAL(ctx, A1, hashlen);
1126 
1127 		} else {
1128 			bcopy(result, data, bytes_left);
1129 			data += bytes_left;
1130 			bytes_left = 0;
1131 		}
1132 	}
1133 end:
1134 	if (CRYPTO_ERR(rv)) {
1135 		DTRACE_PROBE1(kssl_err__crypto_mac_error, int, rv);
1136 		KSSL_COUNTER(compute_mac_failure, 1);
1137 	}
1138 	return (rv);
1139 }
1140 
1141 /* ARGSUSED */
1142 static int
1143 kssl_tls_PRF(ssl_t *ssl,
1144 	uchar_t *secret, size_t secret_len,
1145 	uchar_t *label, size_t label_len,
1146 	uchar_t *seed, size_t seed_len,
1147 	uchar_t *prfresult, size_t prfresult_len)
1148 {
1149 	/*
1150 	 * RFC 2246:
1151 	 *  PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
1152 	 *				P_SHA1(S2, label + seed);
1153 	 * S1 = 1st half of secret.
1154 	 * S1 = 2nd half of secret.
1155 	 *
1156 	 */
1157 
1158 	int rv, i;
1159 	uchar_t psha1[MAX_KEYBLOCK_LENGTH];
1160 	crypto_key_t S1, S2;
1161 
1162 	/* length of secret keys is ceil(length/2) */
1163 	size_t slen = roundup(secret_len, 2) / 2;
1164 
1165 	if (prfresult_len >  MAX_KEYBLOCK_LENGTH) {
1166 		DTRACE_PROBE1(kssl_err__unexpected_keyblock_size,
1167 		    size_t, prfresult_len);
1168 		return (CRYPTO_ARGUMENTS_BAD);
1169 	}
1170 
1171 	ASSERT(prfresult != NULL);
1172 	ASSERT(label != NULL);
1173 	ASSERT(seed != NULL);
1174 
1175 	S1.ck_data   = secret;
1176 	S1.ck_length = slen * 8; /* bits */
1177 	S1.ck_format = CRYPTO_KEY_RAW;
1178 
1179 	S2.ck_data   = secret + slen;
1180 	S2.ck_length = slen * 8; /* bits */
1181 	S2.ck_format = CRYPTO_KEY_RAW;
1182 
1183 	rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN,
1184 	    label, label_len,
1185 	    seed, seed_len,
1186 	    prfresult, prfresult_len);
1187 	if (CRYPTO_ERR(rv))
1188 		goto end;
1189 
1190 	rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN,
1191 	    label, label_len,
1192 	    seed, seed_len,
1193 	    psha1, prfresult_len);
1194 	if (CRYPTO_ERR(rv))
1195 		goto end;
1196 
1197 	for (i = 0; i < prfresult_len; i++)
1198 		prfresult[i] ^= psha1[i];
1199 
1200 end:
1201 	if (CRYPTO_ERR(rv))
1202 		bzero(prfresult, prfresult_len);
1203 
1204 	return (rv);
1205 }
1206 
1207 #define	IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)			\
1208 	(pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN ||		\
1209 	pms[0] != ssl->major_version || pms[1] != ssl->minor_version)
1210 
1211 #define	FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) {			\
1212 		KSSL_COUNTER(bad_pre_master_secret, 1);			\
1213 		pms = buf;						\
1214 		pmslen = SSL3_PRE_MASTER_SECRET_LEN;			\
1215 		pms[0] = ssl->major_version;				\
1216 		pms[1] = ssl->minor_version;				\
1217 		(void) random_get_pseudo_bytes(&buf[2], pmslen - 2);	\
1218 }
1219 
1220 static int
1221 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1222 {
1223 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1224 	uchar_t seed[SSL3_RANDOM_LENGTH * 2];
1225 
1226 	/*
1227 	 * Computing the master secret:
1228 	 * ----------------------------
1229 	 * master_secret = PRF (pms, "master secret",
1230 	 *		ClientHello.random + ServerHello.random);
1231 	 */
1232 	bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH);
1233 	bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH,
1234 	    SSL3_RANDOM_LENGTH);
1235 
1236 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1237 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1238 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
1239 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1240 	}
1241 
1242 	return (kssl_tls_PRF(ssl,
1243 	    pms, pmslen,
1244 	    (uchar_t *)TLS_MASTER_SECRET_LABEL,
1245 	    (size_t)strlen(TLS_MASTER_SECRET_LABEL),
1246 	    seed, sizeof (seed),
1247 	    ssl->sid.master_secret,
1248 	    (size_t)sizeof (ssl->sid.master_secret)));
1249 }
1250 
1251 
1252 static void
1253 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1254 {
1255 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1256 	uchar_t *ms;
1257 	int hlen = MD5_HASH_LEN;
1258 
1259 	ms = ssl->sid.master_secret;
1260 
1261 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1262 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1263 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
1264 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1265 	}
1266 
1267 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0);
1268 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0);
1269 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen,
1270 	    0);
1271 }
1272 
1273 static int
1274 kssl_generate_tls_keyblock(ssl_t *ssl)
1275 {
1276 	uchar_t seed[2 * SSL3_RANDOM_LENGTH];
1277 
1278 	bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH);
1279 	bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH,
1280 	    SSL3_RANDOM_LENGTH);
1281 
1282 	return (kssl_tls_PRF(ssl, ssl->sid.master_secret,
1283 	    (size_t)SSL3_MASTER_SECRET_LEN,
1284 	    (uchar_t *)TLS_KEY_EXPANSION_LABEL,
1285 	    (size_t)strlen(TLS_KEY_EXPANSION_LABEL),
1286 	    seed, (size_t)sizeof (seed),
1287 	    ssl->pending_keyblock,
1288 	    (size_t)ssl->pending_keyblksz));
1289 
1290 }
1291 
1292 static void
1293 kssl_generate_keyblock(ssl_t *ssl)
1294 {
1295 	uchar_t *ms;
1296 	size_t mslen = SSL3_MASTER_SECRET_LEN;
1297 	int hlen = MD5_HASH_LEN;
1298 	uchar_t *keys = ssl->pending_keyblock;
1299 	int steps = howmany(ssl->pending_keyblksz, hlen);
1300 	int i;
1301 
1302 	ms = ssl->sid.master_secret;
1303 
1304 	ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH);
1305 
1306 	for (i = 1; i <= steps; i++) {
1307 		kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1);
1308 		keys += hlen;
1309 	}
1310 }
1311 
1312 static char *ssl3_key_derive_seeds[9] = {"A", "BB", "CCC", "DDDD", "EEEEE",
1313 	"FFFFFF", "GGGGGGG", "HHHHHHHH", "IIIIIIIII"};
1314 
1315 static void
1316 kssl_ssl3_key_material_derive_step(
1317 	ssl_t *ssl,
1318 	uchar_t *secret,
1319 	size_t secretlen,
1320 	int step,
1321 	uchar_t *dst,
1322 	int sr_first)
1323 {
1324 	SHA1_CTX sha1, *sha1ctx;
1325 	MD5_CTX md5, *md5ctx;
1326 	uchar_t sha1_hash[SHA1_HASH_LEN];
1327 
1328 	sha1ctx = &sha1;
1329 	md5ctx = &md5;
1330 
1331 	ASSERT(step <=
1332 	    sizeof (ssl3_key_derive_seeds) /
1333 	    sizeof (ssl3_key_derive_seeds[0]));
1334 	step--;
1335 
1336 	SHA1Init(sha1ctx);
1337 	SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step],
1338 	    step + 1);
1339 	SHA1Update(sha1ctx, secret, secretlen);
1340 	if (sr_first) {
1341 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1342 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1343 	} else {
1344 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1345 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1346 	}
1347 	SHA1Final(sha1_hash, sha1ctx);
1348 
1349 	MD5Init(md5ctx);
1350 	MD5Update(md5ctx, secret, secretlen);
1351 	MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN);
1352 	MD5Final(dst, md5ctx);
1353 }
1354 
1355 static int
1356 kssl_send_certificate_and_server_hello_done(ssl_t *ssl)
1357 {
1358 	int cur_reclen;
1359 	int mss;
1360 	int len, copylen;
1361 	mblk_t *mp;
1362 	uchar_t *cert_buf;
1363 	int cert_len;
1364 	uchar_t *msgbuf;
1365 	Certificate_t *cert;
1366 	uint16_t reclen = KSSL_SSL3_SH_RECLEN;
1367 
1368 	cert = ssl->kssl_entry->ke_server_certificate;
1369 	if (cert == NULL) {
1370 		return (ENOENT);
1371 	}
1372 	cert_buf = cert->msg;
1373 	cert_len = cert->len;
1374 
1375 	if (ssl->secure_renegotiation)
1376 		reclen += KSSL_EMPTY_RENEG_INFO_LEN;
1377 
1378 	mp = ssl->handshake_sendbuf;
1379 	mss = ssl->tcp_mss;
1380 	ASSERT(mp != NULL);
1381 	cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN;
1382 	ASSERT(cur_reclen == reclen);
1383 	/* Assume MSS is at least 80 bytes */
1384 	ASSERT(mss > cur_reclen + SSL3_HDR_LEN);
1385 	ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */
1386 
1387 	copylen = mss - (cur_reclen + SSL3_HDR_LEN);
1388 	len = cert_len;
1389 	copylen = MIN(copylen, len);
1390 	copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1391 
1392 	/* new record always starts in a new mblk for simplicity */
1393 	msgbuf = cert_buf;
1394 	for (;;) {
1395 		ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim);
1396 		bcopy(msgbuf, mp->b_wptr, copylen);
1397 		msgbuf += copylen;
1398 		mp->b_wptr += copylen;
1399 		cur_reclen += copylen;
1400 		len -= copylen;
1401 		if (len == 0) {
1402 			break;
1403 		}
1404 		if (cur_reclen == SSL3_MAX_RECORD_LENGTH) {
1405 			cur_reclen = 0;
1406 		}
1407 		copylen = MIN(len, mss);
1408 		copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1409 		mp->b_cont = allocb(copylen, BPRI_HI);
1410 		if (mp->b_cont == NULL) {
1411 			KSSL_COUNTER(alloc_fails, 1);
1412 			freemsg(ssl->handshake_sendbuf);
1413 			ssl->handshake_sendbuf = NULL;
1414 			return (ENOMEM);
1415 		}
1416 		mp = mp->b_cont;
1417 		if (cur_reclen == 0) {
1418 			mp->b_wptr[0] = content_handshake;
1419 			mp->b_wptr[1] = ssl->major_version;
1420 			mp->b_wptr[2] = ssl->minor_version;
1421 			cur_reclen = MIN(len, reclen);
1422 			mp->b_wptr[3] = (cur_reclen >> 8) & 0xff;
1423 			mp->b_wptr[4] = (cur_reclen) & 0xff;
1424 			mp->b_wptr += SSL3_HDR_LEN;
1425 			cur_reclen = 0;
1426 			copylen = MIN(copylen, mss - SSL3_HDR_LEN);
1427 		}
1428 	}
1429 
1430 	/* adjust the record length field for the first record */
1431 	mp = ssl->handshake_sendbuf;
1432 	cur_reclen = MIN(reclen + cert_len, SSL3_MAX_RECORD_LENGTH);
1433 	mp->b_rptr[3] = (cur_reclen >> 8) & 0xff;
1434 	mp->b_rptr[4] = (cur_reclen) & 0xff;
1435 
1436 	kssl_update_handshake_hashes(ssl, cert_buf, cert_len);
1437 
1438 	return (0);
1439 }
1440 
1441 static int
1442 kssl_send_change_cipher_specs(ssl_t *ssl)
1443 {
1444 	mblk_t *mp, *newmp;
1445 	uchar_t *buf;
1446 
1447 	mp = ssl->handshake_sendbuf;
1448 
1449 	/* We're most likely to hit the fast path for resumed sessions */
1450 	if ((mp != NULL) &&
1451 	    (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) {
1452 		buf = mp->b_wptr;
1453 	} else {
1454 		newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI);
1455 
1456 		if (newmp == NULL)
1457 			return (ENOMEM);	/* need to do better job! */
1458 
1459 		if (mp == NULL) {
1460 			ssl->handshake_sendbuf = newmp;
1461 		} else {
1462 			linkb(ssl->handshake_sendbuf, newmp);
1463 		}
1464 		mp = newmp;
1465 		buf = mp->b_rptr;
1466 	}
1467 
1468 	/* 5 byte record header */
1469 	buf[0] = content_change_cipher_spec;
1470 	buf[1] = ssl->major_version;
1471 	buf[2] = ssl->minor_version;
1472 	buf[3] = 0;
1473 	buf[4] = 1;
1474 	buf += SSL3_HDR_LEN;
1475 
1476 	buf[0] = 1;
1477 
1478 	mp->b_wptr = buf + 1;
1479 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
1480 
1481 	ssl->seq_num[KSSL_WRITE] = 0;
1482 	return (kssl_spec_init(ssl, KSSL_WRITE));
1483 }
1484 
1485 int
1486 kssl_spec_init(ssl_t *ssl, int dir)
1487 {
1488 	KSSL_HASHCTX *ctx;
1489 	KSSLCipherSpec *spec = &ssl->spec[dir];
1490 	int ret = 0;
1491 
1492 	spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz;
1493 	spec->mac_padsz = mac_defs[ssl->pending_malg].padsz;
1494 
1495 	spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit;
1496 	spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate;
1497 	spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal;
1498 
1499 	if (dir == KSSL_READ) {
1500 		bcopy(ssl->pending_keyblock, ssl->mac_secret[dir],
1501 		    spec->mac_hashsz);
1502 	} else {
1503 		bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]),
1504 		    ssl->mac_secret[dir], spec->mac_hashsz);
1505 	}
1506 
1507 	/* Pre-compute these here. will save cycles on each record later */
1508 	if (!IS_TLS(ssl)) {
1509 		ctx = &ssl->mac_ctx[dir][0];
1510 		spec->MAC_HashInit((void *)ctx);
1511 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1512 		    spec->mac_hashsz);
1513 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_1,
1514 		    spec->mac_padsz);
1515 
1516 		ctx = &ssl->mac_ctx[dir][1];
1517 		spec->MAC_HashInit((void *)ctx);
1518 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1519 		    spec->mac_hashsz);
1520 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_2,
1521 		    spec->mac_padsz);
1522 	}
1523 
1524 	spec->cipher_type = cipher_defs[ssl->pending_calg].type;
1525 	spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type;
1526 	spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize;
1527 	spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz;
1528 
1529 	if (spec->cipher_ctx != NULL) {
1530 		crypto_cancel_ctx(spec->cipher_ctx);
1531 		spec->cipher_ctx = 0;
1532 	}
1533 
1534 	/*
1535 	 * Initialize HMAC keys for TLS and SSL3 HMAC keys
1536 	 * for SSL 3.0.
1537 	 */
1538 	if (IS_TLS(ssl)) {
1539 		if (ssl->pending_malg == mac_md5) {
1540 			spec->hmac_mech = hmac_md5_mech;
1541 		} else if (ssl->pending_malg == mac_sha) {
1542 			spec->hmac_mech = hmac_sha1_mech;
1543 		}
1544 
1545 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1546 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1547 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1548 	} else {
1549 		static uint32_t param;
1550 
1551 		spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID;
1552 		spec->hmac_mech.cm_param = (caddr_t)&param;
1553 		spec->hmac_mech.cm_param_len = sizeof (param);
1554 		if (ssl->pending_malg == mac_md5) {
1555 			spec->hmac_mech.cm_type =
1556 			    crypto_mech2id("CKM_SSL3_MD5_MAC");
1557 			param = MD5_HASH_LEN;
1558 		} else if (ssl->pending_malg == mac_sha) {
1559 			spec->hmac_mech.cm_type =
1560 			    crypto_mech2id("CKM_SSL3_SHA1_MAC");
1561 			param = SHA1_HASH_LEN;
1562 		}
1563 
1564 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1565 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1566 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1567 	}
1568 
1569 	/* We're done if this is the nil cipher */
1570 	if (spec->cipher_keysz == 0) {
1571 		return (0);
1572 	}
1573 
1574 	/* Initialize the key and the active context */
1575 	spec->cipher_key.ck_format = CRYPTO_KEY_RAW;
1576 	spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */
1577 
1578 	if (cipher_defs[ssl->pending_calg].bsize > 0) {
1579 		/* client_write_IV */
1580 		spec->cipher_mech.cm_param =
1581 		    (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz +
1582 		    2 * spec->cipher_keysz]);
1583 		spec->cipher_mech.cm_param_len = spec->cipher_bsize;
1584 	}
1585 	spec->cipher_data.cd_format = CRYPTO_DATA_RAW;
1586 	if (dir == KSSL_READ) {
1587 		spec->cipher_mech.cm_param_len =
1588 		    cipher_defs[ssl->pending_calg].bsize;
1589 
1590 		/* client_write_key */
1591 		spec->cipher_key.ck_data =
1592 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz]);
1593 
1594 		ret = crypto_decrypt_init(&(spec->cipher_mech),
1595 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1596 		if (CRYPTO_ERR(ret)) {
1597 			DTRACE_PROBE1(kssl_err__crypto_decrypt_init_read,
1598 			    int, ret);
1599 		}
1600 	} else {
1601 		if (cipher_defs[ssl->pending_calg].bsize > 0) {
1602 			/* server_write_IV */
1603 			spec->cipher_mech.cm_param += spec->cipher_bsize;
1604 		}
1605 
1606 		/* server_write_key */
1607 		spec->cipher_key.ck_data =
1608 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz +
1609 		    spec->cipher_keysz]);
1610 
1611 		ret = crypto_encrypt_init(&(spec->cipher_mech),
1612 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1613 		if (CRYPTO_ERR(ret))
1614 			DTRACE_PROBE1(kssl_err__crypto_encrypt_init_non_read,
1615 			    int, ret);
1616 	}
1617 	return (ret);
1618 }
1619 
1620 static int
1621 kssl_send_finished(ssl_t *ssl, int update_hsh)
1622 {
1623 	mblk_t *mp;
1624 	uchar_t *buf;
1625 	uchar_t *rstart;
1626 	uchar_t *versionp;
1627 	SSL3Hashes ssl3hashes;
1628 	size_t finish_len;
1629 	int ret;
1630 	uint16_t adj_len = 0;
1631 
1632 	mp = ssl->handshake_sendbuf;
1633 	ASSERT(mp != NULL);
1634 	buf = mp->b_wptr;
1635 	if (ssl->secure_renegotiation)
1636 		adj_len = KSSL_EMPTY_RENEG_INFO_LEN;
1637 	/*
1638 	 * It should be either a message with Server Hello record or just plain
1639 	 * SSL header (data packet).
1640 	 */
1641 	ASSERT(buf - mp->b_rptr ==
1642 	    SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN + SSL3_HDR_LEN + 1 + adj_len ||
1643 	    buf - mp->b_rptr == SSL3_HDR_LEN + 1);
1644 
1645 	rstart = buf;
1646 
1647 	if (IS_TLS(ssl))
1648 		finish_len = TLS_FINISHED_SIZE;
1649 	else
1650 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1651 
1652 	/* 5 byte record header */
1653 	buf[0] = content_handshake;
1654 	buf[1] = ssl->major_version;
1655 	buf[2] = ssl->minor_version;
1656 	buf[3] = 0;
1657 	buf[4] = 4 + finish_len;
1658 
1659 	versionp = &buf[1];
1660 
1661 	buf += SSL3_HDR_LEN;
1662 
1663 	/* 4 byte message header */
1664 	buf[0] = (uchar_t)finished;	/* message type */
1665 	buf[1] = 0;			/* message len byte 0 */
1666 	buf[2] = 0;			/* message len byte 1 */
1667 	buf[3] = finish_len;	/* message len byte 2 */
1668 	buf += 4;
1669 
1670 	if (IS_TLS(ssl)) {
1671 		bcopy(ssl->hs_hashes.md5, ssl3hashes.md5,
1672 		    sizeof (ssl3hashes.md5));
1673 		bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1,
1674 		    sizeof (ssl3hashes.sha1));
1675 	}
1676 
1677 	/* Compute hashes for the SENDER side */
1678 	ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server);
1679 	if (ret != 0)
1680 		return (ret);
1681 
1682 	if (IS_TLS(ssl)) {
1683 		bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash));
1684 	} else {
1685 		bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN);
1686 		bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN);
1687 	}
1688 
1689 	if (update_hsh) {
1690 		kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4);
1691 	}
1692 
1693 	mp->b_wptr = buf + finish_len;
1694 
1695 	ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp,
1696 	    rstart, mp);
1697 	ASSERT(mp->b_wptr <= mp->b_datap->db_lim);
1698 
1699 	return (ret);
1700 }
1701 
1702 int
1703 kssl_mac_encrypt_record(ssl_t *ssl,
1704 	SSL3ContentType ct,
1705 	uchar_t *versionp,
1706 	uchar_t *rstart,
1707 	mblk_t *mp)
1708 {
1709 	KSSLCipherSpec *spec;
1710 	int mac_sz;
1711 	int ret = 0;
1712 	uint16_t rec_sz;
1713 	int pad_sz;
1714 	int i;
1715 
1716 	ASSERT(ssl != NULL);
1717 	ASSERT(rstart >= mp->b_rptr);
1718 	ASSERT(rstart < mp->b_wptr);
1719 
1720 	spec = &ssl->spec[KSSL_WRITE];
1721 	mac_sz = spec->mac_hashsz;
1722 
1723 	rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN;
1724 	ASSERT(rec_sz > 0);
1725 
1726 	if (mac_sz != 0) {
1727 		ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim);
1728 		ret = kssl_compute_record_mac(ssl, KSSL_WRITE,
1729 		    ssl->seq_num[KSSL_WRITE], ct, versionp,
1730 		    rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr);
1731 		if (ret == CRYPTO_SUCCESS) {
1732 			ssl->seq_num[KSSL_WRITE]++;
1733 			mp->b_wptr += mac_sz;
1734 			rec_sz += mac_sz;
1735 		} else {
1736 			return (ret);
1737 		}
1738 	}
1739 
1740 	if (spec->cipher_type == type_block) {
1741 		pad_sz = spec->cipher_bsize -
1742 		    (rec_sz & (spec->cipher_bsize - 1));
1743 		ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim);
1744 		for (i = 0; i < pad_sz; i++) {
1745 			mp->b_wptr[i] = pad_sz - 1;
1746 		}
1747 		mp->b_wptr += pad_sz;
1748 		rec_sz += pad_sz;
1749 	}
1750 
1751 	ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH);
1752 
1753 	U16_TO_BE16(rec_sz, rstart + 3);
1754 
1755 	if (spec->cipher_ctx == 0)
1756 		return (ret);
1757 
1758 	spec->cipher_data.cd_length = rec_sz;
1759 	spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN);
1760 	spec->cipher_data.cd_raw.iov_len = rec_sz;
1761 	/* One record at a time. Otherwise, gotta allocate the crypt_data_t */
1762 	ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data,
1763 	    NULL, NULL);
1764 	if (CRYPTO_ERR(ret)) {
1765 		DTRACE_PROBE1(kssl_err__crypto_encrypt_update,
1766 		    int, ret);
1767 	}
1768 	return (ret);
1769 }
1770 
1771 void
1772 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc)
1773 {
1774 	mblk_t *mp;
1775 	uchar_t *buf;
1776 	KSSLCipherSpec *spec;
1777 
1778 	ASSERT(ssl != NULL);
1779 
1780 	ssl->sendalert_level = level;
1781 	ssl->sendalert_desc = desc;
1782 
1783 	if (level == alert_fatal) {
1784 		DTRACE_PROBE2(kssl_sending_alert,
1785 		    SSL3AlertLevel, level, SSL3AlertDescription, desc);
1786 		if (ssl->sid.cached == B_TRUE) {
1787 			kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
1788 		}
1789 		ssl->fatal_alert = B_TRUE;
1790 		KSSL_COUNTER(fatal_alerts, 1);
1791 	} else
1792 		KSSL_COUNTER(warning_alerts, 1);
1793 
1794 	spec = &ssl->spec[KSSL_WRITE];
1795 
1796 	ASSERT(ssl->alert_sendbuf == NULL);
1797 	ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz +
1798 	    spec->cipher_bsize, BPRI_HI);
1799 	if (mp == NULL) {
1800 		KSSL_COUNTER(alloc_fails, 1);
1801 		return;
1802 	}
1803 	buf = mp->b_wptr;
1804 
1805 	/* 5 byte record header */
1806 	buf[0] = content_alert;
1807 	buf[1] = ssl->major_version;
1808 	buf[2] = ssl->minor_version;
1809 	buf[3] = 0;
1810 	buf[4] = 2;
1811 	buf += SSL3_HDR_LEN;
1812 
1813 	/* alert contents */
1814 	buf[0] = (uchar_t)level;
1815 	buf[1] = (uchar_t)desc;
1816 
1817 	mp->b_wptr = buf + 2;
1818 }
1819 
1820 /* Assumes RSA encryption */
1821 static int
1822 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen,
1823     kssl_callback_t cbfn, void *arg)
1824 {
1825 	char *buf;
1826 	uchar_t *pms;
1827 	size_t pmslen;
1828 	int allocated;
1829 	int err, rverr = ENOMEM;
1830 	kssl_entry_t *ep;
1831 	crypto_key_t *privkey;
1832 	crypto_data_t *wrapped_pms_data, *pms_data;
1833 	crypto_call_req_t creq, *creqp;
1834 
1835 	ep = ssl->kssl_entry;
1836 	privkey = ep->ke_private_key;
1837 	if (privkey == NULL) {
1838 		return (ENOENT);
1839 	}
1840 
1841 	ASSERT(ssl->msg.type == client_key_exchange);
1842 	ASSERT(ssl->hs_waitstate == wait_client_key);
1843 
1844 	/*
1845 	 * TLS adds an extra 2 byte length field before the data.
1846 	 */
1847 	if (IS_TLS(ssl)) {
1848 		msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1];
1849 		mp->b_rptr += 2;
1850 	}
1851 
1852 	/*
1853 	 * Allocate all we need in one shot. about 300 bytes total, for
1854 	 * 1024 bit RSA modulus.
1855 	 * The buffer layout will be: pms_data, wrapped_pms_data, the
1856 	 * value of the wrapped pms from the client, then room for the
1857 	 * resulting decrypted premaster secret.
1858 	 */
1859 	allocated = 2 * (sizeof (crypto_data_t) + msglen);
1860 	buf = kmem_alloc(allocated, KM_NOSLEEP);
1861 	if (buf == NULL) {
1862 		return (ENOMEM);
1863 	}
1864 
1865 	pms_data = (crypto_data_t *)buf;
1866 	wrapped_pms_data = &(((crypto_data_t *)buf)[1]);
1867 
1868 	wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW;
1869 	wrapped_pms_data->cd_offset = pms_data->cd_offset = 0;
1870 	wrapped_pms_data->cd_length = pms_data->cd_length = msglen;
1871 	wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL;
1872 	wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen;
1873 	wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t);
1874 	pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen;
1875 
1876 	bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen);
1877 	mp->b_rptr += msglen;
1878 
1879 	/* Proceed synchronously if out of interrupt and configured to do so */
1880 	if ((kssl_synchronous) && (!servicing_interrupt())) {
1881 		creqp = NULL;
1882 	} else {
1883 		ssl->cke_callback_func = cbfn;
1884 		ssl->cke_callback_arg = arg;
1885 		creq.cr_flag = kssl_call_flag;
1886 		creq.cr_callback_func = kssl_cke_done;
1887 		creq.cr_callback_arg = ssl;
1888 
1889 		/* The callback routine will release this one */
1890 		KSSL_SSL_REFHOLD(ssl);
1891 
1892 		creqp = &creq;
1893 	}
1894 
1895 	if (ep->ke_is_nxkey) {
1896 		kssl_session_info_t *s;
1897 
1898 		s = ep->ke_sessinfo;
1899 		err = CRYPTO_SUCCESS;
1900 		if (!s->is_valid_handle) {
1901 			/* Reauthenticate to the provider */
1902 			if (s->do_reauth) {
1903 				err = kssl_get_obj_handle(ep);
1904 				if (err == CRYPTO_SUCCESS) {
1905 					s->is_valid_handle = B_TRUE;
1906 					s->do_reauth = B_FALSE;
1907 				}
1908 			} else
1909 				err = CRYPTO_FAILED;
1910 		}
1911 
1912 		if (err == CRYPTO_SUCCESS) {
1913 			ASSERT(s->is_valid_handle);
1914 			err = crypto_decrypt_prov(s->prov, s->sid,
1915 			    &rsa_x509_mech, wrapped_pms_data, &s->key,
1916 			    NULL, pms_data, creqp);
1917 		}
1918 
1919 		/*
1920 		 * Deal with session specific errors. We translate to
1921 		 * the closest errno.
1922 		 */
1923 		switch (err) {
1924 		case CRYPTO_KEY_HANDLE_INVALID:
1925 		case CRYPTO_SESSION_HANDLE_INVALID:
1926 			s->is_valid_handle = B_FALSE;
1927 			s->do_reauth = B_TRUE;
1928 			rverr = EINVAL;
1929 			break;
1930 		case CRYPTO_PIN_EXPIRED:
1931 		case CRYPTO_PIN_LOCKED:
1932 			rverr = EACCES;
1933 			break;
1934 		case CRYPTO_UNKNOWN_PROVIDER:
1935 			rverr = ENXIO;
1936 			break;
1937 		}
1938 	} else {
1939 		err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data,
1940 		    privkey, NULL, pms_data, creqp);
1941 	}
1942 
1943 	switch (err) {
1944 	case CRYPTO_SUCCESS:
1945 		break;
1946 
1947 	case CRYPTO_QUEUED:
1948 		/*
1949 		 * Finish the master secret then the rest of key material
1950 		 * derivation later.
1951 		 */
1952 		ssl->job.kjob = creq.cr_reqid;
1953 		ssl->job.buf = buf;
1954 		ssl->job.buflen = allocated;
1955 		ssl->hs_waitstate = wait_client_key_done;
1956 		return (0);
1957 	default:
1958 		DTRACE_PROBE1(kssl_err__crypto_decrypt, int, err);
1959 		kmem_free(buf, allocated);
1960 		return (rverr);
1961 	}
1962 
1963 	pmslen = pms_data->cd_length;
1964 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1965 
1966 	/* generate master key and save it in the ssl sid structure */
1967 	if (IS_TLS(ssl)) {
1968 		err = kssl_generate_tls_ms(ssl, pms, pmslen);
1969 		if (!CRYPTO_ERR(err))
1970 			err = kssl_generate_tls_keyblock(ssl);
1971 	} else {
1972 		kssl_generate_ssl_ms(ssl, pms, pmslen);
1973 		kssl_generate_keyblock(ssl);
1974 	}
1975 
1976 	if (err == CRYPTO_SUCCESS)
1977 		ssl->hs_waitstate = wait_change_cipher;
1978 
1979 	ssl->activeinput = B_FALSE;
1980 
1981 	kmem_free(buf, allocated);
1982 
1983 	return (0);
1984 }
1985 
1986 static int
1987 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen)
1988 {
1989 	int err;
1990 	size_t finish_len;
1991 	int hashcompare;
1992 
1993 	ASSERT(ssl->msg.type == finished);
1994 	ASSERT(ssl->hs_waitstate == wait_finished);
1995 
1996 	if (IS_TLS(ssl))
1997 		finish_len = TLS_FINISHED_SIZE;
1998 	else
1999 		finish_len = KSSL_SSL3_FIN_MSGLEN;
2000 
2001 	if (msglen != finish_len) {
2002 		kssl_send_alert(ssl, alert_fatal, illegal_parameter);
2003 		return (EBADMSG);
2004 	}
2005 
2006 	if (IS_TLS(ssl)) {
2007 		hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash,
2008 		    finish_len);
2009 	} else {
2010 		hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len);
2011 	}
2012 
2013 	/* The handshake hashes should be computed by now */
2014 	if (hashcompare != 0) {
2015 		kssl_send_alert(ssl, alert_fatal, handshake_failure);
2016 		return (EBADMSG);
2017 	}
2018 
2019 	mp->b_rptr += msglen;
2020 
2021 	ssl->hs_waitstate = idle_handshake;
2022 
2023 	if (ssl->resumed == B_TRUE) {
2024 		ssl->activeinput = B_FALSE;
2025 		return (0);
2026 	}
2027 
2028 	err = kssl_send_change_cipher_specs(ssl);
2029 	if (err != 0) {
2030 		return (err);
2031 	}
2032 	err = kssl_send_finished(ssl, 0);
2033 	if (err != 0) {
2034 		return (err);
2035 	}
2036 
2037 	kssl_cache_sid(&ssl->sid, ssl->kssl_entry);
2038 	ssl->activeinput = B_FALSE;
2039 
2040 	return (0);
2041 }
2042 
2043 #define	KSSL2_CH_MIN_RECSZ	(9)
2044 
2045 /*
2046  * This method is needed to handle clients which send the
2047  * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers.
2048  * We are not really doing SSLv2 here, just handling the header
2049  * and then switching to SSLv3.
2050  */
2051 int
2052 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz)
2053 {
2054 	uchar_t *recend;
2055 	int err;
2056 	SSL3AlertDescription desc = illegal_parameter;
2057 	uint_t randlen;
2058 	uint_t sidlen;
2059 	uint_t cslen;
2060 	uchar_t *suitesp;
2061 	uchar_t *rand;
2062 	uint_t i, j;
2063 	uint16_t suite, selected_suite;
2064 	int ch_recsz = KSSL2_CH_MIN_RECSZ;
2065 	boolean_t suite_found = B_FALSE;
2066 
2067 	ASSERT(mp->b_wptr >= mp->b_rptr + recsz);
2068 	ASSERT(ssl->hs_waitstate == wait_client_hello);
2069 	ASSERT(ssl->resumed == B_FALSE);
2070 
2071 	if (recsz < ch_recsz) {
2072 		DTRACE_PROBE2(kssl_err__reclen_less_than_minimum,
2073 		    int, recsz, int, ch_recsz);
2074 		goto falert;
2075 	}
2076 
2077 	MD5Init(&ssl->hs_md5);
2078 	SHA1Init(&ssl->hs_sha1);
2079 
2080 	kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz);
2081 
2082 	recend = mp->b_rptr + recsz;
2083 
2084 	if (*mp->b_rptr != 1) {
2085 		DTRACE_PROBE1(kssl_err__invalid_version, uint_t, *mp->b_rptr);
2086 		goto falert;
2087 	}
2088 	mp->b_rptr += 3;
2089 
2090 	cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
2091 	sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3];
2092 	randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5];
2093 	if (cslen % 3 != 0) {
2094 		DTRACE_PROBE1(kssl_err__cipher_suites_len_error, uint_t, cslen);
2095 		goto falert;
2096 	}
2097 	if (randlen < SSL_MIN_CHALLENGE_BYTES ||
2098 	    randlen > SSL_MAX_CHALLENGE_BYTES) {
2099 		DTRACE_PROBE1(kssl_err__randlen_out_of_range,
2100 		    uint_t, randlen);
2101 		goto falert;
2102 	}
2103 	mp->b_rptr += 6;
2104 	ch_recsz += cslen + sidlen + randlen;
2105 	if (recsz != ch_recsz) {
2106 		DTRACE_PROBE2(kssl_err__invalid_message_len_sum,
2107 		    int, recsz, int, ch_recsz);
2108 		goto falert;
2109 	}
2110 	suitesp = mp->b_rptr;
2111 	rand = suitesp + cslen + sidlen;
2112 	if (randlen < SSL3_RANDOM_LENGTH) {
2113 		bzero(ssl->client_random, SSL3_RANDOM_LENGTH);
2114 	}
2115 	bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen],
2116 	    randlen);
2117 
2118 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
2119 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
2120 		for (j = 0; j < cslen; j += 3) {
2121 			DTRACE_PROBE2(kssl_cipher_suite_check_v2,
2122 			    uint16_t, suite,
2123 			    uint16_t,
2124 			    (uint16_t)((suitesp[j+1] << 8) + suitesp[j+2]));
2125 			if (suitesp[j] != 0) {
2126 				continue;
2127 			}
2128 
2129 			/* Check for regular (true) cipher suite. */
2130 			if (suitesp[j + 1] == ((suite >> 8) & 0xff) &&
2131 			    suitesp[j + 2] == (suite & 0xff)) {
2132 				DTRACE_PROBE1(kssl_cipher_suite_found,
2133 				    uint16_t, suite);
2134 				suite_found = B_TRUE;
2135 				selected_suite = suite;
2136 			}
2137 
2138 			/* Check for SCSV. */
2139 			if (suitesp[j + 1] ==  ((SSL_SCSV >> 8) & 0xff) &&
2140 			    suitesp[j + 2] == (SSL_SCSV & 0xff)) {
2141 				DTRACE_PROBE(kssl_scsv_found);
2142 				ssl->secure_renegotiation = B_TRUE;
2143 			}
2144 			/*
2145 			 * If we got cipher suite match and SCSV or went
2146 			 * through the whole list of client cipher suites
2147 			 * (hence we know if SCSV was present or not) we
2148 			 * can terminate the cycle now.
2149 			 */
2150 			if (suite_found &&
2151 			    (ssl->secure_renegotiation || (i > 0)))
2152 				break;
2153 		}
2154 		if (suite_found)
2155 			break;
2156 	}
2157 	if (!suite_found) {
2158 		DTRACE_PROBE(kssl_err__no_SSLv2_cipher_suite);
2159 		ssl->activeinput = B_FALSE;
2160 		/*
2161 		 * If there is no fallback point terminate the handshake with
2162 		 * SSL alert otherwise return with SSL_MISS.
2163 		 */
2164 		if (ssl->kssl_entry->ke_fallback_head == NULL) {
2165 			DTRACE_PROBE(kssl_no_fallback);
2166 			desc = handshake_failure;
2167 			goto falert;
2168 		} else {
2169 			return (SSL_MISS);
2170 		}
2171 	}
2172 
2173 	mp->b_rptr = recend;
2174 
2175 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
2176 		if (selected_suite == cipher_suite_defs[i].suite) {
2177 			break;
2178 		}
2179 	}
2180 
2181 	ASSERT(i < cipher_suite_defs_nentries);
2182 
2183 	ssl->pending_cipher_suite = selected_suite;
2184 	ssl->pending_malg = cipher_suite_defs[i].malg;
2185 	ssl->pending_calg = cipher_suite_defs[i].calg;
2186 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
2187 
2188 	ASSERT(ssl->sid.cached == B_FALSE);
2189 
2190 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
2191 	    SSL3_SESSIONID_BYTES);
2192 	ssl->sid.client_addr = ssl->faddr;
2193 	ssl->sid.cipher_suite = selected_suite;
2194 
2195 	err = kssl_send_server_hello(ssl);
2196 	if (err != 0) {
2197 		return (err);
2198 	}
2199 	err = kssl_send_certificate_and_server_hello_done(ssl);
2200 	if (err != 0) {
2201 		return (err);
2202 	}
2203 	KSSL_COUNTER(full_handshakes, 1);
2204 	ssl->hs_waitstate = wait_client_key;
2205 	ssl->activeinput = B_FALSE;
2206 	return (0);
2207 
2208 falert:
2209 	kssl_send_alert(ssl, alert_fatal, desc);
2210 	ssl->activeinput = B_FALSE;
2211 	return (EBADMSG);
2212 }
2213 
2214 /*
2215  * Call back routine for asynchronously submitted RSA decryption jobs.
2216  * This routine retrieves the pre-master secret, and proceeds to generate
2217  * the remaining key materials.
2218  */
2219 static void
2220 kssl_cke_done(void *arg, int status)
2221 {
2222 	int ret = 0;
2223 	uchar_t *pms;
2224 	size_t pmslen;
2225 	crypto_data_t *pms_data;
2226 	kssl_cmd_t kssl_cmd = KSSL_CMD_NONE;
2227 	ssl_t *ssl = (ssl_t *)arg;
2228 	mblk_t *alertmp;
2229 	kssl_callback_t cbfn;
2230 	void *cbarg;
2231 
2232 	mutex_enter(&ssl->kssl_lock);
2233 
2234 	ASSERT(ssl->msg.type == client_key_exchange);
2235 	ASSERT(ssl->hs_waitstate == wait_client_key_done);
2236 
2237 	if (status != CRYPTO_SUCCESS) {
2238 		kssl_send_alert(ssl, alert_fatal, decrypt_error);
2239 		kssl_cmd = KSSL_CMD_SEND;
2240 		goto out;
2241 	}
2242 
2243 	pms_data = (crypto_data_t *)(ssl->job.buf);
2244 
2245 	ASSERT(pms_data != NULL);
2246 
2247 	pmslen = pms_data->cd_length;
2248 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
2249 
2250 	/* generate master key and save it in the ssl sid structure */
2251 	if (IS_TLS(ssl)) {
2252 		ret = kssl_generate_tls_ms(ssl, pms, pmslen);
2253 		if (!CRYPTO_ERR(ret))
2254 			ret = kssl_generate_tls_keyblock(ssl);
2255 	} else {
2256 		kssl_generate_ssl_ms(ssl, pms, pmslen);
2257 		kssl_generate_keyblock(ssl);
2258 	}
2259 
2260 	if (ret == CRYPTO_SUCCESS)
2261 		ssl->hs_waitstate = wait_change_cipher;
2262 
2263 out:
2264 	kmem_free(ssl->job.buf, ssl->job.buflen);
2265 
2266 	ssl->job.kjob = 0;
2267 	ssl->job.buf = NULL;
2268 	ssl->job.buflen = 0;
2269 
2270 	ssl->activeinput = B_FALSE;
2271 
2272 	/* If we're the only ones left, then we won't callback */
2273 	if (ssl->kssl_refcnt == 1) {
2274 		mutex_exit(&ssl->kssl_lock);
2275 		KSSL_SSL_REFRELE(ssl);
2276 		return;
2277 	}
2278 
2279 	cbfn = ssl->cke_callback_func;
2280 	cbarg = ssl->cke_callback_arg;
2281 	alertmp = ssl->alert_sendbuf;
2282 	ssl->alert_sendbuf = NULL;
2283 
2284 	mutex_exit(&ssl->kssl_lock);
2285 
2286 	KSSL_SSL_REFRELE(ssl);
2287 
2288 	/* Now call the callback routine */
2289 	(*(cbfn))(cbarg, alertmp, kssl_cmd);
2290 }
2291 
2292 /*
2293  * Returns the first complete contiguous record out of rec_ass_head
2294  * The record is returned in a separate contiguous mblk, rec_ass_head is
2295  * left pointing to the next record in the queue.
2296  *
2297  * The output looks as follows:
2298  *
2299  * |--------|---------- .... -----|<---------->|<----------->|--- ... ---|
2300  * ^        ^                     ^  mac_size     pad_size               ^
2301  * |        |___ b_rptr  b_wptr __|                                      |
2302  * |                                                                     |
2303  * |___ db_base                                                db_lim ___|
2304  */
2305 mblk_t *
2306 kssl_get_next_record(ssl_t *ssl)
2307 {
2308 	mblk_t *mp, *retmp;
2309 	int rhsz = SSL3_HDR_LEN;
2310 	uint16_t rec_sz;
2311 	int mpsz, total_size;
2312 	SSL3ContentType content_type;
2313 
2314 	ASSERT(MUTEX_HELD(&ssl->kssl_lock));
2315 
2316 	mp = ssl->rec_ass_head;
2317 	if (mp == NULL)
2318 		return (NULL);
2319 
2320 	/* Fast path: when mp has at least a complete record */
2321 	if (MBLKL(mp) < rhsz) {
2322 		DTRACE_PROBE1(kssl_mblk__incomplete_header,
2323 		    mblk_t *, mp);
2324 		/* Not even a complete header in there yet */
2325 		if (msgdsize(mp) < rhsz) {
2326 			return (NULL);
2327 		}
2328 
2329 		if (!pullupmsg(mp, rhsz)) {
2330 			kssl_send_alert(ssl, alert_fatal, internal_error);
2331 			freemsg(mp);
2332 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2333 			return (NULL);
2334 		}
2335 	}
2336 	content_type = (SSL3ContentType)mp->b_rptr[0];
2337 	if (content_type == content_handshake_v2) {
2338 		DTRACE_PROBE1(kssl_mblk__ssl_v2, mblk_t *, mp);
2339 		rec_sz = (uint16_t)mp->b_rptr[1];
2340 		rhsz = 2;
2341 	} else {
2342 		DTRACE_PROBE1(kssl_mblk__ssl_v3, mblk_t *, mp);
2343 		uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3;
2344 		rec_sz = BE16_TO_U16(rec_sz_p);
2345 	}
2346 
2347 	/*
2348 	 * same tests as above. Only rare very fragmented cases will
2349 	 * incur the cost of msgdsize() and msgpullup(). Well formed
2350 	 * packets will fall in the most frequent fast path.
2351 	 */
2352 	total_size = rhsz + rec_sz;
2353 
2354 	/*
2355 	 * Missing: defensive against record fabricated with longer than
2356 	 * MAX record length.
2357 	 */
2358 	if (MBLKL(mp) < total_size) {
2359 		DTRACE_PROBE2(kssl_mblk__smaller_than_total_size,
2360 		    mblk_t *, mp, int, total_size);
2361 		/* Not a complete record yet. Keep accumulating */
2362 		if (msgdsize(mp) < total_size) {
2363 			return (NULL);
2364 		}
2365 
2366 		if (!pullupmsg(mp, total_size)) {
2367 			kssl_send_alert(ssl, alert_fatal, internal_error);
2368 			freemsg(mp);
2369 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2370 			return (NULL);
2371 		}
2372 	}
2373 	mpsz = MBLKL(mp);	/* could've changed after the pullup */
2374 
2375 	if (mpsz > total_size) {
2376 		DTRACE_PROBE2(kssl_mblk__bigger_than_total_size,
2377 		    mblk_t *, mp, int, total_size);
2378 		/* gotta allocate a new block */
2379 		if ((retmp = dupb(mp)) == NULL) {
2380 			kssl_send_alert(ssl, alert_fatal, internal_error);
2381 			freemsg(mp);
2382 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2383 			return (NULL);
2384 		}
2385 
2386 		retmp->b_wptr = retmp->b_rptr + total_size;
2387 		mp->b_rptr += total_size;
2388 		ssl->rec_ass_head = mp;
2389 	} else {
2390 		DTRACE_PROBE2(kssl_mblk__equal_to_total_size,
2391 		    mblk_t *, mp, int, total_size);
2392 		ASSERT(mpsz == total_size);
2393 		ssl->rec_ass_head = mp->b_cont;
2394 		mp->b_cont = NULL;
2395 		retmp = mp;
2396 	}
2397 	/* Adjust the tail */
2398 	if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) {
2399 		for (; mp->b_cont != NULL; mp = mp->b_cont) {
2400 			ssl->rec_ass_tail = mp->b_cont;
2401 		}
2402 	}
2403 
2404 	return (retmp);
2405 }
2406 
2407 
2408 static void
2409 kssl_mblksfree(ssl_t *ssl)
2410 {
2411 
2412 	ASSERT(ssl != NULL);
2413 
2414 	if (ssl->rec_ass_head != NULL) {
2415 		freemsg(ssl->rec_ass_head);
2416 	}
2417 	ssl->rec_ass_head = NULL;
2418 	ssl->rec_ass_tail = NULL;
2419 
2420 	if (ssl->msg.head != NULL) {
2421 		freemsg(ssl->msg.head);
2422 	}
2423 	ssl->msg.head = NULL;
2424 	ssl->msg.tail = NULL;
2425 
2426 	if (ssl->handshake_sendbuf != NULL) {
2427 		freemsg(ssl->handshake_sendbuf);
2428 		ssl->handshake_sendbuf = NULL;
2429 	}
2430 	if (ssl->alert_sendbuf != NULL) {
2431 		freemsg(ssl->alert_sendbuf);
2432 		ssl->alert_sendbuf = NULL;
2433 	}
2434 }
2435 
2436 static void
2437 kssl_specsfree(ssl_t *ssl)
2438 {
2439 	KSSLCipherSpec *spec = &ssl->spec[KSSL_READ];
2440 
2441 	if (spec->cipher_ctx != NULL) {
2442 		crypto_cancel_ctx(spec->cipher_ctx);
2443 		spec->cipher_ctx = 0;
2444 	}
2445 
2446 	spec = &ssl->spec[KSSL_WRITE];
2447 
2448 	if (spec->cipher_ctx != NULL) {
2449 		crypto_cancel_ctx(spec->cipher_ctx);
2450 		spec->cipher_ctx = 0;
2451 	}
2452 }
2453 
2454 /*
2455  * Frees the ssl structure (aka the context of an SSL session).
2456  * Any pending crypto jobs are cancelled.
2457  * Any initiated crypto contexts are freed as well.
2458  */
2459 void
2460 kssl_free_context(ssl_t *ssl)
2461 {
2462 	ASSERT(ssl != NULL);
2463 	if (!(MUTEX_HELD(&ssl->kssl_lock))) {
2464 		/* we're coming from an external API entry point */
2465 		mutex_enter(&ssl->kssl_lock);
2466 	}
2467 
2468 	if (ssl->job.kjob != NULL) {
2469 		crypto_cancel_req(ssl->job.kjob);
2470 		kmem_free(ssl->job.buf, ssl->job.buflen);
2471 
2472 		ssl->job.kjob = 0;
2473 		ssl->job.buf = NULL;
2474 		ssl->job.buflen = 0;
2475 	}
2476 
2477 	kssl_mblksfree(ssl);
2478 	kssl_specsfree(ssl);
2479 
2480 	KSSL_ENTRY_REFRELE(ssl->kssl_entry);
2481 	ssl->kssl_entry = NULL;
2482 
2483 	mutex_exit(&ssl->kssl_lock);
2484 
2485 	kmem_cache_free(kssl_cache, ssl);
2486 	kssl_cache_count--;
2487 }
2488