xref: /titanic_51/usr/src/uts/common/inet/kssl/ksslrec.c (revision d8d810637042c2a73a269f125dee75e8ed1421d1)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/stream.h>
28 #include <sys/strsubr.h>
29 #include <sys/stropts.h>
30 #include <sys/strsun.h>
31 #define	_SUN_TPI_VERSION 2
32 #include <sys/ddi.h>
33 #include <sys/sunddi.h>
34 #include <sys/debug.h>
35 #include <sys/vtrace.h>
36 #include <sys/kmem.h>
37 #include <sys/cpuvar.h>
38 #include <sys/atomic.h>
39 #include <sys/sysmacros.h>
40 
41 #include <sys/errno.h>
42 #include <sys/isa_defs.h>
43 #include <sys/md5.h>
44 #include <sys/sha1.h>
45 #include <sys/random.h>
46 #include <inet/common.h>
47 #include <netinet/in.h>
48 
49 #include <sys/systm.h>
50 #include <sys/param.h>
51 
52 #include "ksslimpl.h"
53 #include "ksslapi.h"
54 #include "ksslproto.h"
55 
56 static ssl3CipherSuiteDef cipher_suite_defs[] = {
57 	/* 2 X 16 byte keys +  2 x 20 byte MAC secrets, no IVs */
58 	{SSL_RSA_WITH_RC4_128_SHA,	cipher_rc4,	mac_sha,	72},
59 
60 	/* 2 X 16 byte keys +  2 x 16 byte MAC secrets, no IVs */
61 	{SSL_RSA_WITH_RC4_128_MD5,	cipher_rc4,	mac_md5,	64},
62 
63 	/* 2 X 8 byte keys +  2 x 20 byte MAC secrets, 2 x 8 byte IVs */
64 	{SSL_RSA_WITH_DES_CBC_SHA,	cipher_des,	mac_sha,	72},
65 
66 	/* 2 X 24 byte keys +  2 x 20 byte MAC secrets, 2 x 8 byte IVs */
67 	{SSL_RSA_WITH_3DES_EDE_CBC_SHA,	cipher_3des,	mac_sha,	104},
68 
69 	/* 2 X 16 byte keys +  2 x 20 byte MAC secrets, 2 x 16 byte IVs */
70 	{TLS_RSA_WITH_AES_128_CBC_SHA,	cipher_aes128,	mac_sha,	104},
71 
72 	/* 2 X 32 byte keys +  2 x 20 byte MAC secrets, 2 x 16 byte IVs */
73 	{TLS_RSA_WITH_AES_256_CBC_SHA,	cipher_aes256,	mac_sha,	136},
74 
75 	{SSL_RSA_WITH_NULL_SHA,		cipher_null,	mac_sha,	40}
76 };
77 
78 static int cipher_suite_defs_nentries =
79     sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]);
80 
81 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
82 	/* macsz padsz HashInit HashUpdate HashFinal */
83 
84 	{MD5_HASH_LEN, SSL3_MD5_PAD_LEN,
85 	    (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update,
86 	    (hashfinal_func_t)MD5Final},
87 
88 	{SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN,
89 	    (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update,
90 	    (hashfinal_func_t)SHA1Final},
91 };
92 
93 static uchar_t kssl_pad_1[60] = {
94     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
95     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
96     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
97     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
98     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
99     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
100     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
101     0x36, 0x36, 0x36, 0x36
102 };
103 static uchar_t kssl_pad_2[60] = {
104     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
105     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
106     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
107     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
108     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
109     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
110     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
111     0x5c, 0x5c, 0x5c, 0x5c
112 };
113 
114 int kssl_cache_count;
115 static boolean_t kssl_synchronous = B_FALSE;
116 
117 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t);
118 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t);
119 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int);
120 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int,
121     kssl_callback_t, void *);
122 static int kssl_send_server_hello(ssl_t *);
123 static int kssl_send_certificate_and_server_hello_done(ssl_t *);
124 static int kssl_send_change_cipher_specs(ssl_t *);
125 static int kssl_send_finished(ssl_t *, int);
126 static int kssl_handle_finished(ssl_t *, mblk_t *, int);
127 static void kssl_get_hello_random(uchar_t *);
128 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *);
129 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *);
130 static void kssl_lookup_sid(sslSessionID *, uchar_t *, in6_addr_t *,
131     kssl_entry_t *);
132 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t);
133 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t);
134 static int kssl_generate_tls_keyblock(ssl_t *);
135 static void kssl_generate_keyblock(ssl_t *);
136 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t,
137     int, uchar_t *, int);
138 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t,
139     uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
140 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *,
141     size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
142 static void kssl_cke_done(void *, int);
143 
144 #define	HMAC_INIT(m, k, c) \
145 	rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end;
146 
147 #define	HMAC_UPDATE(c, d, l) \
148 	dd.cd_raw.iov_base = (char *)d; \
149 	dd.cd_length = dd.cd_raw.iov_len = l; \
150 	rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end;
151 
152 #define	HMAC_FINAL(c, d, l) \
153 	mac.cd_raw.iov_base = (char *)d; \
154 	mac.cd_length = mac.cd_raw.iov_len = l; \
155 	rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end;
156 
157 /*
158  * This hack can go away once we have SSL3 MAC support by KCF
159  * software providers (See 4873559).
160  */
161 extern int kcf_md5_threshold;
162 
163 int
164 kssl_compute_record_mac(
165 	ssl_t *ssl,
166 	int direction,
167 	uint64_t seq_num,
168 	SSL3ContentType ct,
169 	uchar_t *versionp,
170 	uchar_t *buf,
171 	int len,
172 	uchar_t *digest)
173 {
174 	KSSL_HASHCTX mac_ctx;
175 	KSSL_HASHCTX *ctx = &mac_ctx;
176 	uchar_t temp[16], *p;
177 	KSSLCipherSpec *spec;
178 	boolean_t hash_use_ok = B_FALSE;
179 	int rv = 0;
180 
181 	spec = &ssl->spec[direction];
182 
183 	if (spec->mac_hashsz == 0) {
184 		return (1);
185 	}
186 
187 	p = temp;
188 
189 	*p++ = (seq_num >> 56) & 0xff;
190 	*p++ = (seq_num >> 48) & 0xff;
191 	*p++ = (seq_num >> 40) & 0xff;
192 	*p++ = (seq_num >> 32) & 0xff;
193 	*p++ = (seq_num >> 24) & 0xff;
194 	*p++ = (seq_num >> 16) & 0xff;
195 	*p++ = (seq_num >> 8) & 0xff;
196 	*p++ = (seq_num) & 0xff;
197 	*p++ = (uchar_t)ct;
198 	if (IS_TLS(ssl)) {
199 		*p++ = versionp[0];
200 		*p++ = versionp[1];
201 	}
202 	*p++ = (len >> 8) & 0xff;
203 	*p++ = (len) & 0xff;
204 
205 	if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID &&
206 	    len >= kcf_md5_threshold)) {
207 		crypto_data_t dd, mac;
208 		struct uio uio_pt;
209 		struct iovec iovarray_pt[2];
210 
211 		/* init the array of iovecs for use in the uio struct */
212 		iovarray_pt[0].iov_base = (char *)temp;
213 		iovarray_pt[0].iov_len = (p - temp);
214 		iovarray_pt[1].iov_base = (char *)buf;
215 		iovarray_pt[1].iov_len = len;
216 
217 		/* init the uio struct for use in the crypto_data_t struct */
218 		bzero(&uio_pt, sizeof (uio_pt));
219 		uio_pt.uio_iov = iovarray_pt;
220 		uio_pt.uio_iovcnt = 2;
221 		uio_pt.uio_segflg = UIO_SYSSPACE;
222 
223 		dd.cd_format = CRYPTO_DATA_UIO;
224 		dd.cd_offset = 0;
225 		dd.cd_length =  (p - temp) + len;
226 		dd.cd_miscdata = NULL;
227 		dd.cd_uio = &uio_pt;
228 
229 		mac.cd_format = CRYPTO_DATA_RAW;
230 		mac.cd_offset = 0;
231 		mac.cd_raw.iov_base = (char *)digest;
232 		mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz;
233 
234 		/*
235 		 * The calling context can tolerate a blocking call here.
236 		 * For outgoing traffic, we are in user context
237 		 * when called from strsock_kssl_output(). For incoming
238 		 * traffic past the SSL handshake, we are in user
239 		 * context when called from strsock_kssl_input(). During the
240 		 * SSL handshake, we are called for client_finished message
241 		 * handling from a squeue worker thread that gets scheduled
242 		 * by an squeue_fill() call. This thread is not in interrupt
243 		 * context and so can block.
244 		 */
245 		rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key,
246 		    NULL, &mac, NULL);
247 
248 		if (CRYPTO_ERR(rv)) {
249 			hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED &&
250 			    !IS_TLS(ssl));
251 			if (!hash_use_ok) {
252 				DTRACE_PROBE1(kssl_err__crypto_mac_error,
253 				    int, rv);
254 				KSSL_COUNTER(compute_mac_failure, 1);
255 			}
256 		}
257 	} else
258 		hash_use_ok = B_TRUE;
259 
260 	if (hash_use_ok) {
261 		bcopy(&(ssl->mac_ctx[direction][0]), ctx,
262 		    sizeof (KSSL_HASHCTX));
263 		spec->MAC_HashUpdate((void *)ctx, temp, p - temp);
264 		spec->MAC_HashUpdate((void *)ctx, buf, len);
265 		spec->MAC_HashFinal(digest, (void *)ctx);
266 
267 		bcopy(&(ssl->mac_ctx[direction][1]), ctx,
268 		    sizeof (KSSL_HASHCTX));
269 		spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz);
270 		spec->MAC_HashFinal(digest, (void *)ctx);
271 	}
272 
273 	return (rv);
274 }
275 
276 /*
277  * Handles handshake messages.
278  * Messages to be replied are returned in handshake_sendbuf.
279  */
280 int
281 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err,
282     kssl_callback_t cbfn, void *arg)
283 {
284 	uint32_t msglen;
285 	uchar_t msghdr[4];
286 
287 	ASSERT(ssl->msg.state == MSG_BODY);
288 	ASSERT(ssl->msg.msglen_bytes == 3);
289 	ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen);
290 
291 	ssl->sslcnt++;
292 	msglen = ssl->msg.msglen;
293 
294 	if (ssl->msg.type == client_hello) {
295 		MD5Init(&ssl->hs_md5);
296 		SHA1Init(&ssl->hs_sha1);
297 	}
298 
299 	if (ssl->msg.type == finished && ssl->resumed == B_FALSE) {
300 		if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
301 		    sender_client) != 0) {
302 			*err = SSL_MISS;
303 			return (0);
304 		}
305 	}
306 
307 	if (ssl->msg.type != finished || ssl->resumed == B_FALSE) {
308 		msghdr[0] = (uchar_t)ssl->msg.type;
309 
310 		msghdr[1] = (uchar_t)(msglen >> 16);
311 		msghdr[2] = (uchar_t)(msglen >> 8);
312 		msghdr[3] = (uchar_t)(msglen);
313 		kssl_update_handshake_hashes(ssl, msghdr, 4);
314 		kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen);
315 	}
316 
317 	ssl->msg.state = MSG_INIT;
318 	ssl->msg.msglen = 0;
319 	ssl->msg.msglen_bytes = 0;
320 
321 	switch (ssl->msg.type) {
322 	case client_hello:
323 		if (ssl->hs_waitstate != wait_client_hello) {
324 			kssl_send_alert(ssl, alert_fatal,
325 			    unexpected_message);
326 			*err = EBADMSG;
327 			ssl->activeinput = B_FALSE;
328 			return (1);
329 		}
330 		*err = kssl_handle_client_hello(ssl, mp, msglen);
331 		if (*err == SSL_MISS) {
332 			ssl->activeinput = B_FALSE;
333 			return (0);
334 		}
335 		return (1);
336 	case client_key_exchange:
337 		if (ssl->hs_waitstate != wait_client_key) {
338 			kssl_send_alert(ssl, alert_fatal,
339 			    unexpected_message);
340 			*err = EBADMSG;
341 			ssl->activeinput = B_FALSE;
342 			return (1);
343 		}
344 		*err = kssl_handle_client_key_exchange(ssl, mp,
345 		    msglen, cbfn, arg);
346 		return (1);
347 	case finished:
348 		if (ssl->hs_waitstate != wait_finished) {
349 			kssl_send_alert(ssl, alert_fatal,
350 			    unexpected_message);
351 			*err = EBADMSG;
352 			ssl->activeinput = B_FALSE;
353 			return (1);
354 		}
355 		*err = kssl_handle_finished(ssl, mp, msglen);
356 		return (1);
357 	default:
358 		kssl_send_alert(ssl, alert_fatal, unexpected_message);
359 		ssl->activeinput = B_FALSE;
360 		*err = EBADMSG;
361 		return (1);
362 	}
363 }
364 
365 static void
366 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len)
367 {
368 	MD5Update(&ssl->hs_md5, buf, len);
369 	SHA1Update(&ssl->hs_sha1, buf, len);
370 }
371 
372 static int
373 kssl_compute_handshake_hashes(
374 	ssl_t *ssl,
375 	SSL3Hashes *hashes,
376 	uint32_t sender)
377 {
378 	MD5_CTX md5 = ssl->hs_md5;	/* clone md5 context */
379 	SHA1_CTX sha1 = ssl->hs_sha1;	/* clone sha1 context */
380 	MD5_CTX *md5ctx = &md5;
381 	SHA1_CTX *sha1ctx = &sha1;
382 
383 	if (IS_TLS(ssl)) {
384 		uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN];
385 		char *label;
386 
387 		/*
388 		 * Do not take another hash step here.
389 		 * Just complete the operation.
390 		 */
391 		MD5Final(hashes->md5, md5ctx);
392 		SHA1Final(hashes->sha1, sha1ctx);
393 
394 		bcopy(hashes->md5, seed, MD5_HASH_LEN);
395 		bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN);
396 
397 		if (sender == sender_client)
398 			label = TLS_CLIENT_FINISHED_LABEL;
399 		else
400 			label = TLS_SERVER_FINISHED_LABEL;
401 
402 		return (kssl_tls_PRF(ssl,
403 		    ssl->sid.master_secret,
404 		    (size_t)SSL3_MASTER_SECRET_LEN,
405 		    (uchar_t *)label, strlen(label),
406 		    seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN),
407 		    hashes->tlshash, (size_t)TLS_FINISHED_SIZE));
408 	} else {
409 		uchar_t s[4];
410 		s[0] = (sender >> 24) & 0xff;
411 		s[1] = (sender >> 16) & 0xff;
412 		s[2] = (sender >> 8) & 0xff;
413 		s[3] = (sender) & 0xff;
414 
415 		MD5Update(md5ctx, s, 4);
416 		MD5Update(md5ctx, ssl->sid.master_secret,
417 		    SSL3_MASTER_SECRET_LEN);
418 		MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN);
419 		MD5Final(hashes->md5, md5ctx);
420 
421 		MD5Init(md5ctx);
422 		MD5Update(md5ctx, ssl->sid.master_secret,
423 		    SSL3_MASTER_SECRET_LEN);
424 		MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN);
425 		MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN);
426 		MD5Final(hashes->md5, md5ctx);
427 
428 		SHA1Update(sha1ctx, s, 4);
429 		SHA1Update(sha1ctx, ssl->sid.master_secret,
430 		    SSL3_MASTER_SECRET_LEN);
431 		SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN);
432 		SHA1Final(hashes->sha1, sha1ctx);
433 
434 		SHA1Init(sha1ctx);
435 		SHA1Update(sha1ctx, ssl->sid.master_secret,
436 		    SSL3_MASTER_SECRET_LEN);
437 		SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN);
438 		SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN);
439 		SHA1Final(hashes->sha1, sha1ctx);
440 		return (0);
441 	}
442 }
443 
444 
445 /*
446  * Minimum message length for a client hello =
447  * 2-byte client_version +
448  * 32-byte random +
449  * 1-byte session_id length +
450  * 2-byte cipher_suites length +
451  * 1-byte compression_methods length +
452  * 1-byte CompressionMethod.null
453  */
454 #define	KSSL_SSL3_CH_MIN_MSGLEN	(39)
455 
456 static int
457 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen)
458 {
459 	uchar_t *msgend;
460 	int err;
461 	SSL3AlertDescription desc = illegal_parameter;
462 	uint_t sidlen, cslen, cmlen;
463 	uchar_t *suitesp;
464 	uint_t i, j;
465 	uint16_t suite;
466 	int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN;
467 
468 	ASSERT(mp->b_wptr >= mp->b_rptr + msglen);
469 	ASSERT(ssl->msg.type == client_hello);
470 	ASSERT(ssl->hs_waitstate == wait_client_hello);
471 	ASSERT(ssl->resumed == B_FALSE);
472 
473 	if (msglen < ch_msglen) {
474 		goto falert;
475 	}
476 
477 	msgend = mp->b_rptr + msglen;
478 
479 	/* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */
480 	if (ssl->major_version != 3 || (ssl->major_version == 3 &&
481 	    ssl->minor_version != 0 && ssl->minor_version != 1)) {
482 		DTRACE_PROBE2(kssl_err__SSL_version_not_supported,
483 		    uchar_t, ssl->major_version,
484 		    uchar_t, ssl->minor_version);
485 		desc = handshake_failure;
486 		goto falert;
487 	}
488 	mp->b_rptr += 2; /* skip the version bytes */
489 
490 	bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH);
491 	mp->b_rptr += SSL3_RANDOM_LENGTH;
492 
493 	ASSERT(ssl->sid.cached == B_FALSE);
494 	sidlen = *mp->b_rptr++;
495 	ch_msglen += sidlen;
496 	if (msglen < ch_msglen) {
497 		goto falert;
498 	}
499 	if (sidlen != SSL3_SESSIONID_BYTES) {
500 		mp->b_rptr += sidlen;
501 	} else {
502 		kssl_lookup_sid(&ssl->sid, mp->b_rptr, &ssl->faddr,
503 		    ssl->kssl_entry);
504 		mp->b_rptr += SSL3_SESSIONID_BYTES;
505 	}
506 
507 	cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
508 	mp->b_rptr += 2;
509 	ch_msglen += cslen;
510 
511 	/*
512 	 * This check can't be a "!=" since there can be
513 	 * compression methods other than CompressionMethod.null.
514 	 * Also, there can be extra data (TLS extensions) after the
515 	 * compression methods field. We do not support any TLS
516 	 * extensions and hence ignore them.
517 	 */
518 	if (msglen < ch_msglen) {
519 		goto falert;
520 	}
521 
522 	/* The length has to be even since a cipher suite is 2-byte long */
523 	if (cslen & 0x1) {
524 		goto falert;
525 	}
526 	suitesp = mp->b_rptr;
527 	if (ssl->sid.cached == B_TRUE) {
528 		suite = ssl->sid.cipher_suite;
529 		for (j = 0; j < cslen; j += 2) {
530 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
531 			    suitesp[j + 1] == (suite & 0xff)) {
532 				break;
533 			}
534 		}
535 		if (j < cslen) {
536 			goto suite_found;
537 		}
538 		kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
539 	}
540 
541 	/* Check if this server is capable of the cipher suite */
542 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
543 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
544 		for (j = 0; j < cslen; j += 2) {
545 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
546 			    suitesp[j + 1] == (suite & 0xff)) {
547 				break;
548 			}
549 		}
550 		if (j < cslen) {
551 			break;
552 		}
553 	}
554 	if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) {
555 		if (ssl->sslcnt == 1) {
556 			KSSL_COUNTER(no_suite_found, 1);
557 			return (SSL_MISS);
558 		}
559 		desc = handshake_failure;
560 		DTRACE_PROBE(kssl_err__no_cipher_suites_found);
561 		goto falert;
562 	}
563 
564 suite_found:
565 	mp->b_rptr += cslen;
566 
567 	/*
568 	 * Check for the mandatory CompressionMethod.null. We do not
569 	 * support any other compression methods.
570 	 */
571 	cmlen = *mp->b_rptr++;
572 	ch_msglen += cmlen - 1;	/* -1 accounts for the null method */
573 	if (msglen < ch_msglen) {
574 		goto falert;
575 	}
576 
577 	while (cmlen >= 1) {
578 		if (*mp->b_rptr++ == 0)
579 			break;
580 		cmlen--;
581 	}
582 
583 	if (cmlen == 0) {
584 		desc = handshake_failure;
585 		DTRACE_PROBE(kssl_err__no_null_method_failure);
586 		goto falert;
587 	}
588 
589 	mp->b_rptr = msgend;
590 
591 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
592 		if (suite == cipher_suite_defs[i].suite) {
593 			break;
594 		}
595 	}
596 
597 	ASSERT(i < cipher_suite_defs_nentries);
598 
599 	ssl->pending_cipher_suite = suite;
600 	ssl->pending_malg = cipher_suite_defs[i].malg;
601 	ssl->pending_calg = cipher_suite_defs[i].calg;
602 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
603 
604 	if (ssl->sid.cached == B_TRUE) {
605 		err = kssl_send_server_hello(ssl);
606 		if (err != 0) {
607 			return (err);
608 		}
609 		if (IS_TLS(ssl))
610 			err = kssl_generate_tls_keyblock(ssl);
611 		else
612 			kssl_generate_keyblock(ssl);
613 
614 		err = kssl_send_change_cipher_specs(ssl);
615 		if (err != 0) {
616 			return (err);
617 		}
618 
619 		err = kssl_send_finished(ssl, 1);
620 		if (err != 0)
621 			return (err);
622 
623 		err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
624 		    sender_client);
625 		if (err != 0)
626 			return (err);
627 
628 		ssl->hs_waitstate = wait_change_cipher;
629 		ssl->resumed = B_TRUE;
630 		ssl->activeinput = B_FALSE;
631 		KSSL_COUNTER(resumed_sessions, 1);
632 		return (0);
633 	}
634 
635 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
636 	    SSL3_SESSIONID_BYTES);
637 	ssl->sid.client_addr = ssl->faddr;
638 	ssl->sid.cipher_suite = suite;
639 
640 	err = kssl_send_server_hello(ssl);
641 	if (err != 0) {
642 		return (err);
643 	}
644 	err = kssl_send_certificate_and_server_hello_done(ssl);
645 	if (err != 0) {
646 		return (err);
647 	}
648 	KSSL_COUNTER(full_handshakes, 1);
649 	ssl->hs_waitstate = wait_client_key;
650 	ssl->activeinput = B_FALSE;
651 	return (0);
652 
653 falert:
654 	kssl_send_alert(ssl, alert_fatal, desc);
655 	return (EBADMSG);
656 }
657 
658 #define	SET_HASH_INDEX(index, s, clnt_addr) {				\
659 	int addr;							\
660 									\
661 	IN6_V4MAPPED_TO_IPADDR(clnt_addr, addr);			\
662 	index = addr ^ (((int)(s)[0] << 24) | ((int)(s)[1] << 16) |	\
663 	    ((int)(s)[2] << 8) | (int)(s)[SSL3_SESSIONID_BYTES - 1]);	\
664 }
665 
666 /*
667  * Creates a cache entry. Sets the sid->cached flag
668  * and sid->time fields. So, the caller should not set them.
669  */
670 static void
671 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
672 {
673 	uint_t index;
674 	uchar_t *s = sid->session_id;
675 	kmutex_t *lock;
676 
677 	ASSERT(sid->cached == B_FALSE);
678 
679 	/* set the values before creating the cache entry */
680 	sid->cached = B_TRUE;
681 	sid->time = lbolt;
682 
683 	SET_HASH_INDEX(index, s, &sid->client_addr);
684 	index %= kssl_entry->sid_cache_nentries;
685 
686 	lock = &(kssl_entry->sid_cache[index].se_lock);
687 	mutex_enter(lock);
688 	kssl_entry->sid_cache[index].se_used++;
689 	bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid));
690 	mutex_exit(lock);
691 
692 	KSSL_COUNTER(sid_cached, 1);
693 }
694 
695 /*
696  * Invalidates the cache entry, if any. Clears the sid->cached flag
697  * as a side effect.
698  */
699 void
700 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
701 {
702 	uint_t index;
703 	uchar_t *s = sid->session_id;
704 	sslSessionID *csid;
705 	kmutex_t *lock;
706 
707 	ASSERT(sid->cached == B_TRUE);
708 	sid->cached = B_FALSE;
709 
710 	SET_HASH_INDEX(index, s, &sid->client_addr);
711 	index %= kssl_entry->sid_cache_nentries;
712 
713 	lock = &(kssl_entry->sid_cache[index].se_lock);
714 	mutex_enter(lock);
715 	csid = &(kssl_entry->sid_cache[index].se_sid);
716 	if (!(IN6_ARE_ADDR_EQUAL(&csid->client_addr, &sid->client_addr)) ||
717 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
718 		mutex_exit(lock);
719 		return;
720 	}
721 	csid->cached = B_FALSE;
722 	mutex_exit(lock);
723 
724 	KSSL_COUNTER(sid_uncached, 1);
725 }
726 
727 static void
728 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, in6_addr_t *faddr,
729     kssl_entry_t *kssl_entry)
730 {
731 	uint_t index;
732 	kmutex_t *lock;
733 	sslSessionID *csid;
734 
735 	KSSL_COUNTER(sid_cache_lookups, 1);
736 
737 	SET_HASH_INDEX(index, s, faddr);
738 	index %= kssl_entry->sid_cache_nentries;
739 
740 	lock = &(kssl_entry->sid_cache[index].se_lock);
741 	mutex_enter(lock);
742 	csid = &(kssl_entry->sid_cache[index].se_sid);
743 	if (csid->cached == B_FALSE ||
744 	    !IN6_ARE_ADDR_EQUAL(&csid->client_addr, faddr) ||
745 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
746 		mutex_exit(lock);
747 		return;
748 	}
749 
750 	if (TICK_TO_SEC(lbolt - csid->time) > kssl_entry->sid_cache_timeout) {
751 		csid->cached = B_FALSE;
752 		mutex_exit(lock);
753 		return;
754 	}
755 
756 	bcopy(csid, sid, sizeof (*sid));
757 	mutex_exit(lock);
758 	ASSERT(sid->cached == B_TRUE);
759 
760 	KSSL_COUNTER(sid_cache_hits, 1);
761 }
762 
763 static uchar_t *
764 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp)
765 {
766 	size_t len = *lenp;
767 	int i = 2;
768 
769 	if (buf[0] != 0 || buf[1] != 2) {
770 		return (NULL);
771 	}
772 
773 	while (i < len) {
774 		if (buf[i++] == 0) {
775 			*lenp = len - i;
776 			break;
777 		}
778 	}
779 
780 	if (i == len) {
781 		return (NULL);
782 	}
783 
784 	return (buf + i);
785 }
786 
787 
788 #define	KSSL_SSL3_SH_RECLEN	(74)
789 #define	KSSL_SSL3_FIN_MSGLEN	(36)
790 
791 #define	KSSL_SSL3_MAX_CCP_FIN_MSGLEN	(128)	/* comfortable upper bound */
792 
793 static int
794 kssl_send_server_hello(ssl_t *ssl)
795 {
796 	mblk_t *mp;
797 	uchar_t *buf;
798 	uchar_t *msgstart;
799 
800 	mp = allocb(ssl->tcp_mss, BPRI_HI);
801 	if (mp == NULL) {
802 		KSSL_COUNTER(alloc_fails, 1);
803 		return (ENOMEM);
804 	}
805 	ssl->handshake_sendbuf = mp;
806 	buf = mp->b_wptr;
807 
808 	/* 5 byte record header */
809 	buf[0] = content_handshake;
810 	buf[1] = ssl->major_version;
811 	buf[2] = ssl->minor_version;
812 	buf[3] = KSSL_SSL3_SH_RECLEN >> 8;
813 	buf[4] = KSSL_SSL3_SH_RECLEN & 0xff;
814 	buf += SSL3_HDR_LEN;
815 
816 	msgstart = buf;
817 
818 	/* 6 byte message header */
819 	buf[0] = (uchar_t)server_hello;			/* message type */
820 	buf[1] = 0;					/* message len byte 0 */
821 	buf[2] = ((KSSL_SSL3_SH_RECLEN - 4) >> 8) &
822 	    0xff;					/* message len byte 1 */
823 	buf[3] = (KSSL_SSL3_SH_RECLEN - 4) & 0xff;	/* message len byte 2 */
824 
825 	buf[4] = ssl->major_version;	/* version byte 0 */
826 	buf[5] = ssl->minor_version;	/* version byte 1 */
827 
828 	buf += 6;
829 
830 	kssl_get_hello_random(ssl->server_random);
831 	bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH);
832 	buf += SSL3_RANDOM_LENGTH;
833 
834 	buf[0] = SSL3_SESSIONID_BYTES;
835 	bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES);
836 	buf += SSL3_SESSIONID_BYTES + 1;
837 
838 	buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff;
839 	buf[1] = ssl->pending_cipher_suite & 0xff;
840 
841 	buf[2] = 0;	/* No compression */
842 
843 	mp->b_wptr = buf + 3;
844 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
845 
846 	kssl_update_handshake_hashes(ssl, msgstart, KSSL_SSL3_SH_RECLEN);
847 	return (0);
848 }
849 
850 static void
851 kssl_get_hello_random(uchar_t *buf)
852 {
853 	timestruc_t ts;
854 	time_t sec;
855 
856 	gethrestime(&ts);
857 	sec = ts.tv_sec;
858 
859 	buf[0] = (sec >> 24) & 0xff;
860 	buf[1] = (sec >> 16) & 0xff;
861 	buf[2] = (sec >> 8) & 0xff;
862 	buf[3] = (sec) & 0xff;
863 
864 	(void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4);
865 
866 	/* Should this be caching? */
867 }
868 
869 static int
870 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key,
871 	size_t hashlen,
872 	uchar_t *label, size_t label_len,
873 	uchar_t *seed, size_t seedlen,
874 	uchar_t *data, size_t datalen)
875 {
876 	int rv = 0;
877 	uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN];
878 	int bytes_left = datalen;
879 	crypto_data_t dd, mac;
880 	crypto_context_t ctx;
881 
882 	dd.cd_format = CRYPTO_DATA_RAW;
883 	dd.cd_offset = 0;
884 	mac.cd_format = CRYPTO_DATA_RAW;
885 	mac.cd_offset = 0;
886 
887 	/*
888 	 * A(i) = HMAC_hash(secret, seed + A(i-1));
889 	 * A(0) = seed;
890 	 *
891 	 * Compute A(1):
892 	 * A(1) = HMAC_hash(secret, label + seed)
893 	 *
894 	 */
895 	HMAC_INIT(mech, key, &ctx);
896 	HMAC_UPDATE(ctx, label, label_len);
897 	HMAC_UPDATE(ctx, seed, seedlen);
898 	HMAC_FINAL(ctx, A1, hashlen);
899 
900 	/* Compute A(2) ... A(n) */
901 	while (bytes_left > 0) {
902 		HMAC_INIT(mech, key, &ctx);
903 		HMAC_UPDATE(ctx, A1, hashlen);
904 		HMAC_UPDATE(ctx, label, label_len);
905 		HMAC_UPDATE(ctx, seed, seedlen);
906 		HMAC_FINAL(ctx, result, hashlen);
907 
908 		/*
909 		 * The A(i) value is stored in "result".
910 		 * Save the results of the MAC so it can be input to next
911 		 * iteration.
912 		 */
913 		if (bytes_left > hashlen) {
914 			/* Store the chunk result */
915 			bcopy(result, data, hashlen);
916 			data += hashlen;
917 
918 			bytes_left -= hashlen;
919 
920 			/* Update A1 for next iteration */
921 			HMAC_INIT(mech, key, &ctx);
922 			HMAC_UPDATE(ctx, A1, hashlen);
923 			HMAC_FINAL(ctx, A1, hashlen);
924 
925 		} else {
926 			bcopy(result, data, bytes_left);
927 			data += bytes_left;
928 			bytes_left = 0;
929 		}
930 	}
931 end:
932 	if (CRYPTO_ERR(rv)) {
933 		DTRACE_PROBE1(kssl_err__crypto_mac_error, int, rv);
934 		KSSL_COUNTER(compute_mac_failure, 1);
935 	}
936 	return (rv);
937 }
938 
939 /* ARGSUSED */
940 static int
941 kssl_tls_PRF(ssl_t *ssl,
942 	uchar_t *secret, size_t secret_len,
943 	uchar_t *label, size_t label_len,
944 	uchar_t *seed, size_t seed_len,
945 	uchar_t *prfresult, size_t prfresult_len)
946 {
947 	/*
948 	 * RFC 2246:
949 	 *  PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
950 	 *				P_SHA1(S2, label + seed);
951 	 * S1 = 1st half of secret.
952 	 * S1 = 2nd half of secret.
953 	 *
954 	 */
955 
956 	int rv, i;
957 	uchar_t psha1[MAX_KEYBLOCK_LENGTH];
958 	crypto_key_t S1, S2;
959 
960 	/* length of secret keys is ceil(length/2) */
961 	size_t slen = roundup(secret_len, 2) / 2;
962 
963 	if (prfresult_len >  MAX_KEYBLOCK_LENGTH) {
964 		DTRACE_PROBE1(kssl_err__unexpected_keyblock_size,
965 		    size_t, prfresult_len);
966 		return (CRYPTO_ARGUMENTS_BAD);
967 	}
968 
969 	ASSERT(prfresult != NULL);
970 	ASSERT(label != NULL);
971 	ASSERT(seed != NULL);
972 
973 	S1.ck_data   = secret;
974 	S1.ck_length = slen * 8; /* bits */
975 	S1.ck_format = CRYPTO_KEY_RAW;
976 
977 	S2.ck_data   = secret + slen;
978 	S2.ck_length = slen * 8; /* bits */
979 	S2.ck_format = CRYPTO_KEY_RAW;
980 
981 	rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN,
982 	    label, label_len,
983 	    seed, seed_len,
984 	    prfresult, prfresult_len);
985 	if (CRYPTO_ERR(rv))
986 		goto end;
987 
988 	rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN,
989 	    label, label_len,
990 	    seed, seed_len,
991 	    psha1, prfresult_len);
992 	if (CRYPTO_ERR(rv))
993 		goto end;
994 
995 	for (i = 0; i < prfresult_len; i++)
996 		prfresult[i] ^= psha1[i];
997 
998 end:
999 	if (CRYPTO_ERR(rv))
1000 		bzero(prfresult, prfresult_len);
1001 
1002 	return (rv);
1003 }
1004 
1005 #define	IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)			\
1006 	(pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN ||		\
1007 	pms[0] != ssl->major_version || pms[1] != ssl->minor_version)
1008 
1009 #define	FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) {			\
1010 		KSSL_COUNTER(bad_pre_master_secret, 1);			\
1011 		pms = buf;						\
1012 		pmslen = SSL3_PRE_MASTER_SECRET_LEN;			\
1013 		pms[0] = ssl->major_version;				\
1014 		pms[1] = ssl->minor_version;				\
1015 		(void) random_get_pseudo_bytes(&buf[2], pmslen - 2);	\
1016 }
1017 
1018 static int
1019 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1020 {
1021 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1022 	uchar_t seed[SSL3_RANDOM_LENGTH * 2];
1023 
1024 	/*
1025 	 * Computing the master secret:
1026 	 * ----------------------------
1027 	 * master_secret = PRF (pms, "master secret",
1028 	 *		ClientHello.random + ServerHello.random);
1029 	 */
1030 	bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH);
1031 	bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH,
1032 	    SSL3_RANDOM_LENGTH);
1033 
1034 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1035 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1036 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
1037 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1038 	}
1039 
1040 	return (kssl_tls_PRF(ssl,
1041 	    pms, pmslen,
1042 	    (uchar_t *)TLS_MASTER_SECRET_LABEL,
1043 	    (size_t)strlen(TLS_MASTER_SECRET_LABEL),
1044 	    seed, sizeof (seed),
1045 	    ssl->sid.master_secret,
1046 	    (size_t)sizeof (ssl->sid.master_secret)));
1047 }
1048 
1049 
1050 static void
1051 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1052 {
1053 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1054 	uchar_t *ms;
1055 	int hlen = MD5_HASH_LEN;
1056 
1057 	ms = ssl->sid.master_secret;
1058 
1059 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1060 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1061 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
1062 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1063 	}
1064 
1065 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0);
1066 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0);
1067 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen,
1068 	    0);
1069 }
1070 
1071 static int
1072 kssl_generate_tls_keyblock(ssl_t *ssl)
1073 {
1074 	uchar_t seed[2 * SSL3_RANDOM_LENGTH];
1075 
1076 	bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH);
1077 	bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH,
1078 	    SSL3_RANDOM_LENGTH);
1079 
1080 	return (kssl_tls_PRF(ssl, ssl->sid.master_secret,
1081 	    (size_t)SSL3_MASTER_SECRET_LEN,
1082 	    (uchar_t *)TLS_KEY_EXPANSION_LABEL,
1083 	    (size_t)strlen(TLS_KEY_EXPANSION_LABEL),
1084 	    seed, (size_t)sizeof (seed),
1085 	    ssl->pending_keyblock,
1086 	    (size_t)ssl->pending_keyblksz));
1087 
1088 }
1089 
1090 static void
1091 kssl_generate_keyblock(ssl_t *ssl)
1092 {
1093 	uchar_t *ms;
1094 	size_t mslen = SSL3_MASTER_SECRET_LEN;
1095 	int hlen = MD5_HASH_LEN;
1096 	uchar_t *keys = ssl->pending_keyblock;
1097 	int steps = howmany(ssl->pending_keyblksz, hlen);
1098 	int i;
1099 
1100 	ms = ssl->sid.master_secret;
1101 
1102 	ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH);
1103 
1104 	for (i = 1; i <= steps; i++) {
1105 		kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1);
1106 		keys += hlen;
1107 	}
1108 }
1109 
1110 static char *ssl3_key_derive_seeds[9] = {"A", "BB", "CCC", "DDDD", "EEEEE",
1111 	"FFFFFF", "GGGGGGG", "HHHHHHHH", "IIIIIIIII"};
1112 
1113 static void
1114 kssl_ssl3_key_material_derive_step(
1115 	ssl_t *ssl,
1116 	uchar_t *secret,
1117 	size_t secretlen,
1118 	int step,
1119 	uchar_t *dst,
1120 	int sr_first)
1121 {
1122 	SHA1_CTX sha1, *sha1ctx;
1123 	MD5_CTX md5, *md5ctx;
1124 	uchar_t sha1_hash[SHA1_HASH_LEN];
1125 
1126 	sha1ctx = &sha1;
1127 	md5ctx = &md5;
1128 
1129 	ASSERT(step <=
1130 	    sizeof (ssl3_key_derive_seeds) /
1131 	    sizeof (ssl3_key_derive_seeds[0]));
1132 	step--;
1133 
1134 	SHA1Init(sha1ctx);
1135 	SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step],
1136 	    step + 1);
1137 	SHA1Update(sha1ctx, secret, secretlen);
1138 	if (sr_first) {
1139 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1140 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1141 	} else {
1142 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1143 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1144 	}
1145 	SHA1Final(sha1_hash, sha1ctx);
1146 
1147 	MD5Init(md5ctx);
1148 	MD5Update(md5ctx, secret, secretlen);
1149 	MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN);
1150 	MD5Final(dst, md5ctx);
1151 }
1152 
1153 static int
1154 kssl_send_certificate_and_server_hello_done(ssl_t *ssl)
1155 {
1156 	int cur_reclen;
1157 	int mss;
1158 	int len, copylen;
1159 	mblk_t *mp;
1160 	uchar_t *cert_buf;
1161 	int cert_len;
1162 	uchar_t *msgbuf;
1163 	Certificate_t *cert;
1164 
1165 	cert = ssl->kssl_entry->ke_server_certificate;
1166 	if (cert == NULL) {
1167 		return (ENOENT);
1168 	}
1169 	cert_buf = cert->msg;
1170 	cert_len = cert->len;
1171 
1172 	mp = ssl->handshake_sendbuf;
1173 	mss = ssl->tcp_mss;
1174 	ASSERT(mp != NULL);
1175 	cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN;
1176 	ASSERT(cur_reclen == KSSL_SSL3_SH_RECLEN);
1177 	/* Assume MSS is at least 80 bytes */
1178 	ASSERT(mss > cur_reclen + SSL3_HDR_LEN);
1179 	ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */
1180 
1181 	copylen = mss - (cur_reclen + SSL3_HDR_LEN);
1182 	len = cert_len;
1183 	copylen = MIN(copylen, len);
1184 	copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1185 
1186 	/* new record always starts in a new mblk for simplicity */
1187 	msgbuf = cert_buf;
1188 	for (;;) {
1189 		ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim);
1190 		bcopy(msgbuf, mp->b_wptr, copylen);
1191 		msgbuf += copylen;
1192 		mp->b_wptr += copylen;
1193 		cur_reclen += copylen;
1194 		len -= copylen;
1195 		if (len == 0) {
1196 			break;
1197 		}
1198 		if (cur_reclen == SSL3_MAX_RECORD_LENGTH) {
1199 			cur_reclen = 0;
1200 		}
1201 		copylen = MIN(len, mss);
1202 		copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1203 		mp->b_cont = allocb(copylen, BPRI_HI);
1204 		if (mp->b_cont == NULL) {
1205 			KSSL_COUNTER(alloc_fails, 1);
1206 			freemsg(ssl->handshake_sendbuf);
1207 			ssl->handshake_sendbuf = NULL;
1208 			return (ENOMEM);
1209 		}
1210 		mp = mp->b_cont;
1211 		if (cur_reclen == 0) {
1212 			mp->b_wptr[0] = content_handshake;
1213 			mp->b_wptr[1] = ssl->major_version;
1214 			mp->b_wptr[2] = ssl->minor_version;
1215 			cur_reclen = MIN(len, SSL3_MAX_RECORD_LENGTH);
1216 			mp->b_wptr[3] = (cur_reclen >> 8) & 0xff;
1217 			mp->b_wptr[4] = (cur_reclen) & 0xff;
1218 			mp->b_wptr += SSL3_HDR_LEN;
1219 			cur_reclen = 0;
1220 			copylen = MIN(copylen, mss - SSL3_HDR_LEN);
1221 		}
1222 	}
1223 
1224 	/* adjust the record length field for the first record */
1225 	mp = ssl->handshake_sendbuf;
1226 	cur_reclen = MIN(KSSL_SSL3_SH_RECLEN + cert_len,
1227 	    SSL3_MAX_RECORD_LENGTH);
1228 	mp->b_rptr[3] = (cur_reclen >> 8) & 0xff;
1229 	mp->b_rptr[4] = (cur_reclen) & 0xff;
1230 
1231 	kssl_update_handshake_hashes(ssl, cert_buf, cert_len);
1232 
1233 	return (0);
1234 }
1235 
1236 static int
1237 kssl_send_change_cipher_specs(ssl_t *ssl)
1238 {
1239 	mblk_t *mp, *newmp;
1240 	uchar_t *buf;
1241 
1242 	mp = ssl->handshake_sendbuf;
1243 
1244 	/* We're most likely to hit the fast path for resumed sessions */
1245 	if ((mp != NULL) &&
1246 	    (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) {
1247 		buf = mp->b_wptr;
1248 	} else {
1249 		newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI);
1250 
1251 		if (newmp == NULL)
1252 			return (ENOMEM);	/* need to do better job! */
1253 
1254 		if (mp == NULL) {
1255 			ssl->handshake_sendbuf = newmp;
1256 		} else {
1257 			linkb(ssl->handshake_sendbuf, newmp);
1258 		}
1259 		mp = newmp;
1260 		buf = mp->b_rptr;
1261 	}
1262 
1263 	/* 5 byte record header */
1264 	buf[0] = content_change_cipher_spec;
1265 	buf[1] = ssl->major_version;
1266 	buf[2] = ssl->minor_version;
1267 	buf[3] = 0;
1268 	buf[4] = 1;
1269 	buf += SSL3_HDR_LEN;
1270 
1271 	buf[0] = 1;
1272 
1273 	mp->b_wptr = buf + 1;
1274 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
1275 
1276 	ssl->seq_num[KSSL_WRITE] = 0;
1277 	return (kssl_spec_init(ssl, KSSL_WRITE));
1278 }
1279 
1280 int
1281 kssl_spec_init(ssl_t *ssl, int dir)
1282 {
1283 	KSSL_HASHCTX *ctx;
1284 	KSSLCipherSpec *spec = &ssl->spec[dir];
1285 	int ret = 0;
1286 
1287 	spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz;
1288 	spec->mac_padsz = mac_defs[ssl->pending_malg].padsz;
1289 
1290 	spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit;
1291 	spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate;
1292 	spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal;
1293 
1294 	if (dir == KSSL_READ) {
1295 		bcopy(ssl->pending_keyblock, ssl->mac_secret[dir],
1296 		    spec->mac_hashsz);
1297 	} else {
1298 		bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]),
1299 		    ssl->mac_secret[dir], spec->mac_hashsz);
1300 	}
1301 
1302 	/* Pre-compute these here. will save cycles on each record later */
1303 	if (!IS_TLS(ssl)) {
1304 		ctx = &ssl->mac_ctx[dir][0];
1305 		spec->MAC_HashInit((void *)ctx);
1306 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1307 		    spec->mac_hashsz);
1308 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_1,
1309 		    spec->mac_padsz);
1310 
1311 		ctx = &ssl->mac_ctx[dir][1];
1312 		spec->MAC_HashInit((void *)ctx);
1313 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1314 		    spec->mac_hashsz);
1315 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_2,
1316 		    spec->mac_padsz);
1317 	}
1318 
1319 	spec->cipher_type = cipher_defs[ssl->pending_calg].type;
1320 	spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type;
1321 	spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize;
1322 	spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz;
1323 
1324 	if (spec->cipher_ctx != NULL) {
1325 		crypto_cancel_ctx(spec->cipher_ctx);
1326 		spec->cipher_ctx = 0;
1327 	}
1328 
1329 	/*
1330 	 * Initialize HMAC keys for TLS and SSL3 HMAC keys
1331 	 * for SSL 3.0.
1332 	 */
1333 	if (IS_TLS(ssl)) {
1334 		if (ssl->pending_malg == mac_md5) {
1335 			spec->hmac_mech = hmac_md5_mech;
1336 		} else if (ssl->pending_malg == mac_sha) {
1337 			spec->hmac_mech = hmac_sha1_mech;
1338 		}
1339 
1340 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1341 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1342 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1343 	} else {
1344 		static uint32_t param;
1345 
1346 		spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID;
1347 		spec->hmac_mech.cm_param = (caddr_t)&param;
1348 		spec->hmac_mech.cm_param_len = sizeof (param);
1349 		if (ssl->pending_malg == mac_md5) {
1350 			spec->hmac_mech.cm_type =
1351 			    crypto_mech2id("CKM_SSL3_MD5_MAC");
1352 			param = MD5_HASH_LEN;
1353 		} else if (ssl->pending_malg == mac_sha) {
1354 			spec->hmac_mech.cm_type =
1355 			    crypto_mech2id("CKM_SSL3_SHA1_MAC");
1356 			param = SHA1_HASH_LEN;
1357 		}
1358 
1359 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1360 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1361 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1362 	}
1363 
1364 	/* We're done if this is the nil cipher */
1365 	if (spec->cipher_keysz == 0) {
1366 		return (0);
1367 	}
1368 
1369 	/* Initialize the key and the active context */
1370 	spec->cipher_key.ck_format = CRYPTO_KEY_RAW;
1371 	spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */
1372 
1373 	if (cipher_defs[ssl->pending_calg].bsize > 0) {
1374 		/* client_write_IV */
1375 		spec->cipher_mech.cm_param =
1376 		    (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz +
1377 		    2 * spec->cipher_keysz]);
1378 		spec->cipher_mech.cm_param_len = spec->cipher_bsize;
1379 	}
1380 	spec->cipher_data.cd_format = CRYPTO_DATA_RAW;
1381 	if (dir == KSSL_READ) {
1382 		spec->cipher_mech.cm_param_len =
1383 		    cipher_defs[ssl->pending_calg].bsize;
1384 
1385 		/* client_write_key */
1386 		spec->cipher_key.ck_data =
1387 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz]);
1388 
1389 		ret = crypto_decrypt_init(&(spec->cipher_mech),
1390 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1391 		if (CRYPTO_ERR(ret)) {
1392 			DTRACE_PROBE1(kssl_err__crypto_decrypt_init_read,
1393 			    int, ret);
1394 		}
1395 	} else {
1396 		if (cipher_defs[ssl->pending_calg].bsize > 0) {
1397 			/* server_write_IV */
1398 			spec->cipher_mech.cm_param += spec->cipher_bsize;
1399 		}
1400 
1401 		/* server_write_key */
1402 		spec->cipher_key.ck_data =
1403 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz +
1404 		    spec->cipher_keysz]);
1405 
1406 		ret = crypto_encrypt_init(&(spec->cipher_mech),
1407 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1408 		if (CRYPTO_ERR(ret))
1409 			DTRACE_PROBE1(kssl_err__crypto_encrypt_init_non_read,
1410 			    int, ret);
1411 	}
1412 	return (ret);
1413 }
1414 
1415 static int
1416 kssl_send_finished(ssl_t *ssl, int update_hsh)
1417 {
1418 	mblk_t *mp;
1419 	uchar_t *buf;
1420 	uchar_t *rstart;
1421 	uchar_t *versionp;
1422 	SSL3Hashes ssl3hashes;
1423 	size_t finish_len;
1424 	int ret;
1425 
1426 	mp = ssl->handshake_sendbuf;
1427 	ASSERT(mp != NULL);
1428 	buf = mp->b_wptr;
1429 	ASSERT(buf - mp->b_rptr == SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN +
1430 	    SSL3_HDR_LEN + 1 || buf - mp->b_rptr == SSL3_HDR_LEN + 1);
1431 
1432 	rstart = buf;
1433 
1434 	if (IS_TLS(ssl))
1435 		finish_len = TLS_FINISHED_SIZE;
1436 	else
1437 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1438 
1439 	/* 5 byte record header */
1440 	buf[0] = content_handshake;
1441 	buf[1] = ssl->major_version;
1442 	buf[2] = ssl->minor_version;
1443 	buf[3] = 0;
1444 	buf[4] = 4 + finish_len;
1445 
1446 	versionp = &buf[1];
1447 
1448 	buf += SSL3_HDR_LEN;
1449 
1450 	/* 4 byte message header */
1451 	buf[0] = (uchar_t)finished;	/* message type */
1452 	buf[1] = 0;			/* message len byte 0 */
1453 	buf[2] = 0;			/* message len byte 1 */
1454 	buf[3] = finish_len;	/* message len byte 2 */
1455 	buf += 4;
1456 
1457 	if (IS_TLS(ssl)) {
1458 		bcopy(ssl->hs_hashes.md5, ssl3hashes.md5,
1459 		    sizeof (ssl3hashes.md5));
1460 		bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1,
1461 		    sizeof (ssl3hashes.sha1));
1462 	}
1463 
1464 	/* Compute hashes for the SENDER side */
1465 	ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server);
1466 	if (ret != 0)
1467 		return (ret);
1468 
1469 	if (IS_TLS(ssl)) {
1470 		bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash));
1471 	} else {
1472 		bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN);
1473 		bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN);
1474 	}
1475 
1476 	if (update_hsh) {
1477 		kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4);
1478 	}
1479 
1480 	mp->b_wptr = buf + finish_len;
1481 
1482 	ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp,
1483 	    rstart, mp);
1484 	ASSERT(mp->b_wptr <= mp->b_datap->db_lim);
1485 
1486 	return (ret);
1487 }
1488 
1489 int
1490 kssl_mac_encrypt_record(ssl_t *ssl,
1491 	SSL3ContentType ct,
1492 	uchar_t *versionp,
1493 	uchar_t *rstart,
1494 	mblk_t *mp)
1495 {
1496 	KSSLCipherSpec *spec;
1497 	int mac_sz;
1498 	int ret = 0;
1499 	uint16_t rec_sz;
1500 	int pad_sz;
1501 	int i;
1502 
1503 	ASSERT(ssl != NULL);
1504 	ASSERT(rstart >= mp->b_rptr);
1505 	ASSERT(rstart < mp->b_wptr);
1506 
1507 	spec = &ssl->spec[KSSL_WRITE];
1508 	mac_sz = spec->mac_hashsz;
1509 
1510 	rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN;
1511 	ASSERT(rec_sz > 0);
1512 
1513 	if (mac_sz != 0) {
1514 		ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim);
1515 		ret = kssl_compute_record_mac(ssl, KSSL_WRITE,
1516 		    ssl->seq_num[KSSL_WRITE], ct, versionp,
1517 		    rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr);
1518 		if (ret == CRYPTO_SUCCESS) {
1519 			ssl->seq_num[KSSL_WRITE]++;
1520 			mp->b_wptr += mac_sz;
1521 			rec_sz += mac_sz;
1522 		} else {
1523 			return (ret);
1524 		}
1525 	}
1526 
1527 	if (spec->cipher_type == type_block) {
1528 		pad_sz = spec->cipher_bsize -
1529 		    (rec_sz & (spec->cipher_bsize - 1));
1530 		ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim);
1531 		for (i = 0; i < pad_sz; i++) {
1532 			mp->b_wptr[i] = pad_sz - 1;
1533 		}
1534 		mp->b_wptr += pad_sz;
1535 		rec_sz += pad_sz;
1536 	}
1537 
1538 	ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH);
1539 
1540 	U16_TO_BE16(rec_sz, rstart + 3);
1541 
1542 	if (spec->cipher_ctx == 0)
1543 		return (ret);
1544 
1545 	spec->cipher_data.cd_length = rec_sz;
1546 	spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN);
1547 	spec->cipher_data.cd_raw.iov_len = rec_sz;
1548 	/* One record at a time. Otherwise, gotta allocate the crypt_data_t */
1549 	ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data,
1550 	    NULL, NULL);
1551 	if (CRYPTO_ERR(ret)) {
1552 		DTRACE_PROBE1(kssl_err__crypto_encrypt_update,
1553 		    int, ret);
1554 	}
1555 	return (ret);
1556 }
1557 
1558 void
1559 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc)
1560 {
1561 	mblk_t *mp;
1562 	uchar_t *buf;
1563 	KSSLCipherSpec *spec;
1564 
1565 	ASSERT(ssl != NULL);
1566 
1567 	ssl->sendalert_level = level;
1568 	ssl->sendalert_desc = desc;
1569 
1570 	if (level == alert_fatal) {
1571 		DTRACE_PROBE2(kssl_sending_alert,
1572 		    SSL3AlertLevel, level, SSL3AlertDescription, desc);
1573 		if (ssl->sid.cached == B_TRUE) {
1574 			kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
1575 		}
1576 		ssl->fatal_alert = B_TRUE;
1577 		KSSL_COUNTER(fatal_alerts, 1);
1578 	} else
1579 		KSSL_COUNTER(warning_alerts, 1);
1580 
1581 	spec = &ssl->spec[KSSL_WRITE];
1582 
1583 	ASSERT(ssl->alert_sendbuf == NULL);
1584 	ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz +
1585 	    spec->cipher_bsize, BPRI_HI);
1586 	if (mp == NULL) {
1587 		KSSL_COUNTER(alloc_fails, 1);
1588 		return;
1589 	}
1590 	buf = mp->b_wptr;
1591 
1592 	/* 5 byte record header */
1593 	buf[0] = content_alert;
1594 	buf[1] = ssl->major_version;
1595 	buf[2] = ssl->minor_version;
1596 	buf[3] = 0;
1597 	buf[4] = 2;
1598 	buf += SSL3_HDR_LEN;
1599 
1600 	/* alert contents */
1601 	buf[0] = (uchar_t)level;
1602 	buf[1] = (uchar_t)desc;
1603 
1604 	mp->b_wptr = buf + 2;
1605 }
1606 
1607 /* Assumes RSA encryption */
1608 static int
1609 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen,
1610     kssl_callback_t cbfn, void *arg)
1611 {
1612 	char *buf;
1613 	uchar_t *pms;
1614 	size_t pmslen;
1615 	int allocated;
1616 	int err, rverr = ENOMEM;
1617 	kssl_entry_t *ep;
1618 	crypto_key_t *privkey;
1619 	crypto_data_t *wrapped_pms_data, *pms_data;
1620 	crypto_call_req_t creq, *creqp;
1621 
1622 	ep = ssl->kssl_entry;
1623 	privkey = ep->ke_private_key;
1624 	if (privkey == NULL) {
1625 		return (ENOENT);
1626 	}
1627 
1628 	ASSERT(ssl->msg.type == client_key_exchange);
1629 	ASSERT(ssl->hs_waitstate == wait_client_key);
1630 
1631 	/*
1632 	 * TLS adds an extra 2 byte length field before the data.
1633 	 */
1634 	if (IS_TLS(ssl)) {
1635 		msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1];
1636 		mp->b_rptr += 2;
1637 	}
1638 
1639 	/*
1640 	 * Allocate all we need in one shot. about 300 bytes total, for
1641 	 * 1024 bit RSA modulus.
1642 	 * The buffer layout will be: pms_data, wrapped_pms_data, the
1643 	 * value of the wrapped pms from the client, then room for the
1644 	 * resulting decrypted premaster secret.
1645 	 */
1646 	allocated = 2 * (sizeof (crypto_data_t) + msglen);
1647 	buf = kmem_alloc(allocated, KM_NOSLEEP);
1648 	if (buf == NULL) {
1649 		return (ENOMEM);
1650 	}
1651 
1652 	pms_data = (crypto_data_t *)buf;
1653 	wrapped_pms_data = &(((crypto_data_t *)buf)[1]);
1654 
1655 	wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW;
1656 	wrapped_pms_data->cd_offset = pms_data->cd_offset = 0;
1657 	wrapped_pms_data->cd_length = pms_data->cd_length = msglen;
1658 	wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL;
1659 	wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen;
1660 	wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t);
1661 	pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen;
1662 
1663 	bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen);
1664 	mp->b_rptr += msglen;
1665 
1666 	/* Proceed synchronously if out of interrupt and configured to do so */
1667 	if ((kssl_synchronous) && (!servicing_interrupt())) {
1668 		creqp = NULL;
1669 	} else {
1670 		ssl->cke_callback_func = cbfn;
1671 		ssl->cke_callback_arg = arg;
1672 		creq.cr_flag = kssl_call_flag;
1673 		creq.cr_callback_func = kssl_cke_done;
1674 		creq.cr_callback_arg = ssl;
1675 
1676 		/* The callback routine will release this one */
1677 		KSSL_SSL_REFHOLD(ssl);
1678 
1679 		creqp = &creq;
1680 	}
1681 
1682 	if (ep->ke_is_nxkey) {
1683 		kssl_session_info_t *s;
1684 
1685 		s = ep->ke_sessinfo;
1686 		err = CRYPTO_SUCCESS;
1687 		if (!s->is_valid_handle) {
1688 			/* Reauthenticate to the provider */
1689 			if (s->do_reauth) {
1690 				err = kssl_get_obj_handle(ep);
1691 				if (err == CRYPTO_SUCCESS) {
1692 					s->is_valid_handle = B_TRUE;
1693 					s->do_reauth = B_FALSE;
1694 				}
1695 			} else
1696 				err = CRYPTO_FAILED;
1697 		}
1698 
1699 		if (err == CRYPTO_SUCCESS) {
1700 			ASSERT(s->is_valid_handle);
1701 			err = crypto_decrypt_prov(s->prov, s->sid,
1702 			    &rsa_x509_mech, wrapped_pms_data, &s->key,
1703 			    NULL, pms_data, creqp);
1704 		}
1705 
1706 		/*
1707 		 * Deal with session specific errors. We translate to
1708 		 * the closest errno.
1709 		 */
1710 		switch (err) {
1711 		case CRYPTO_KEY_HANDLE_INVALID:
1712 		case CRYPTO_SESSION_HANDLE_INVALID:
1713 			s->is_valid_handle = B_FALSE;
1714 			s->do_reauth = B_TRUE;
1715 			rverr = EINVAL;
1716 			break;
1717 		case CRYPTO_PIN_EXPIRED:
1718 		case CRYPTO_PIN_LOCKED:
1719 			rverr = EACCES;
1720 			break;
1721 		case CRYPTO_UNKNOWN_PROVIDER:
1722 			rverr = ENXIO;
1723 			break;
1724 		}
1725 	} else {
1726 		err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data,
1727 		    privkey, NULL, pms_data, creqp);
1728 	}
1729 
1730 	switch (err) {
1731 	case CRYPTO_SUCCESS:
1732 		break;
1733 
1734 	case CRYPTO_QUEUED:
1735 		/*
1736 		 * Finish the master secret then the rest of key material
1737 		 * derivation later.
1738 		 */
1739 		ssl->job.kjob = creq.cr_reqid;
1740 		ssl->job.buf = buf;
1741 		ssl->job.buflen = allocated;
1742 		ssl->hs_waitstate = wait_client_key_done;
1743 		return (0);
1744 	default:
1745 		DTRACE_PROBE1(kssl_err__crypto_decrypt, int, err);
1746 		kmem_free(buf, allocated);
1747 		return (rverr);
1748 	}
1749 
1750 	pmslen = pms_data->cd_length;
1751 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1752 
1753 	/* generate master key and save it in the ssl sid structure */
1754 	if (IS_TLS(ssl)) {
1755 		err = kssl_generate_tls_ms(ssl, pms, pmslen);
1756 		if (!CRYPTO_ERR(err))
1757 			err = kssl_generate_tls_keyblock(ssl);
1758 	} else {
1759 		kssl_generate_ssl_ms(ssl, pms, pmslen);
1760 		kssl_generate_keyblock(ssl);
1761 	}
1762 
1763 	if (err == CRYPTO_SUCCESS)
1764 		ssl->hs_waitstate = wait_change_cipher;
1765 
1766 	ssl->activeinput = B_FALSE;
1767 
1768 	kmem_free(buf, allocated);
1769 
1770 	return (0);
1771 }
1772 
1773 static int
1774 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen)
1775 {
1776 	int err;
1777 	size_t finish_len;
1778 	int hashcompare;
1779 
1780 	ASSERT(ssl->msg.type == finished);
1781 	ASSERT(ssl->hs_waitstate == wait_finished);
1782 
1783 	if (IS_TLS(ssl))
1784 		finish_len = TLS_FINISHED_SIZE;
1785 	else
1786 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1787 
1788 	if (msglen != finish_len) {
1789 		kssl_send_alert(ssl, alert_fatal, illegal_parameter);
1790 		return (EBADMSG);
1791 	}
1792 
1793 	if (IS_TLS(ssl)) {
1794 		hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash,
1795 		    finish_len);
1796 	} else {
1797 		hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len);
1798 	}
1799 
1800 	/* The handshake hashes should be computed by now */
1801 	if (hashcompare != 0) {
1802 		kssl_send_alert(ssl, alert_fatal, handshake_failure);
1803 		return (EBADMSG);
1804 	}
1805 
1806 	mp->b_rptr += msglen;
1807 
1808 	ssl->hs_waitstate = idle_handshake;
1809 
1810 	if (ssl->resumed == B_TRUE) {
1811 		ssl->activeinput = B_FALSE;
1812 		return (0);
1813 	}
1814 
1815 	err = kssl_send_change_cipher_specs(ssl);
1816 	if (err != 0) {
1817 		return (err);
1818 	}
1819 	err = kssl_send_finished(ssl, 0);
1820 	if (err != 0) {
1821 		return (err);
1822 	}
1823 
1824 	kssl_cache_sid(&ssl->sid, ssl->kssl_entry);
1825 	ssl->activeinput = B_FALSE;
1826 
1827 	return (0);
1828 }
1829 
1830 #define	KSSL2_CH_MIN_RECSZ	(9)
1831 
1832 /*
1833  * This method is needed to handle clients which send the
1834  * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers.
1835  * We are not really doing SSLv2 here, just handling the header
1836  * and then switching to SSLv3.
1837  */
1838 int
1839 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz)
1840 {
1841 	uchar_t *recend;
1842 	int err;
1843 	SSL3AlertDescription desc = illegal_parameter;
1844 	uint_t randlen;
1845 	uint_t sidlen;
1846 	uint_t cslen;
1847 	uchar_t *suitesp;
1848 	uchar_t *rand;
1849 	uint_t i, j;
1850 	uint16_t suite;
1851 	int ch_recsz = KSSL2_CH_MIN_RECSZ;
1852 
1853 	ASSERT(mp->b_wptr >= mp->b_rptr + recsz);
1854 	ASSERT(ssl->hs_waitstate == wait_client_hello);
1855 	ASSERT(ssl->resumed == B_FALSE);
1856 
1857 	if (recsz < ch_recsz) {
1858 		goto falert;
1859 	}
1860 
1861 	MD5Init(&ssl->hs_md5);
1862 	SHA1Init(&ssl->hs_sha1);
1863 
1864 	kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz);
1865 
1866 	recend = mp->b_rptr + recsz;
1867 
1868 	if (*mp->b_rptr != 1) {
1869 		goto falert;
1870 	}
1871 	mp->b_rptr += 3;
1872 
1873 	cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
1874 	sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3];
1875 	randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5];
1876 	if (cslen % 3 != 0) {
1877 		DTRACE_PROBE1(kssl_err__cipher_suites_len_error, uint_t, cslen);
1878 		goto falert;
1879 	}
1880 	if (randlen < SSL_MIN_CHALLENGE_BYTES ||
1881 	    randlen > SSL_MAX_CHALLENGE_BYTES) {
1882 		DTRACE_PROBE1(kssl_err__randlen_out_of_range,
1883 		    uint_t, randlen);
1884 		goto falert;
1885 	}
1886 	mp->b_rptr += 6;
1887 	ch_recsz += cslen + sidlen + randlen;
1888 	if (recsz != ch_recsz) {
1889 		goto falert;
1890 	}
1891 	suitesp = mp->b_rptr;
1892 	rand = suitesp + cslen + sidlen;
1893 	if (randlen < SSL3_RANDOM_LENGTH) {
1894 		bzero(ssl->client_random, SSL3_RANDOM_LENGTH);
1895 	}
1896 	bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen],
1897 	    randlen);
1898 
1899 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
1900 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
1901 		for (j = 0; j < cslen; j += 3) {
1902 			if (suitesp[j] != 0) {
1903 				continue;
1904 			}
1905 
1906 			if (suitesp[j + 1] == ((suite >> 8) & 0xff) &&
1907 			    suitesp[j + 2] == (suite & 0xff)) {
1908 				break;
1909 			}
1910 		}
1911 		if (j < cslen) {
1912 			break;
1913 		}
1914 	}
1915 	if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) {
1916 		DTRACE_PROBE(kssl_err__no_SSLv2_cipher_suite);
1917 		ssl->activeinput = B_FALSE;
1918 		return (SSL_MISS);
1919 	}
1920 
1921 	mp->b_rptr = recend;
1922 
1923 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
1924 		if (suite == cipher_suite_defs[i].suite) {
1925 			break;
1926 		}
1927 	}
1928 
1929 	ASSERT(i < cipher_suite_defs_nentries);
1930 
1931 	ssl->pending_cipher_suite = suite;
1932 	ssl->pending_malg = cipher_suite_defs[i].malg;
1933 	ssl->pending_calg = cipher_suite_defs[i].calg;
1934 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
1935 
1936 	ASSERT(ssl->sid.cached == B_FALSE);
1937 
1938 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
1939 	    SSL3_SESSIONID_BYTES);
1940 	ssl->sid.client_addr = ssl->faddr;
1941 	ssl->sid.cipher_suite = suite;
1942 
1943 	err = kssl_send_server_hello(ssl);
1944 	if (err != 0) {
1945 		return (err);
1946 	}
1947 	err = kssl_send_certificate_and_server_hello_done(ssl);
1948 	if (err != 0) {
1949 		return (err);
1950 	}
1951 	KSSL_COUNTER(full_handshakes, 1);
1952 	ssl->hs_waitstate = wait_client_key;
1953 	ssl->activeinput = B_FALSE;
1954 	return (0);
1955 
1956 falert:
1957 	kssl_send_alert(ssl, alert_fatal, desc);
1958 	ssl->activeinput = B_FALSE;
1959 	return (EBADMSG);
1960 }
1961 
1962 /*
1963  * Call back routine for asynchronously submitted RSA decryption jobs.
1964  * This routine retrieves the pre-master secret, and proceeds to generate
1965  * the remaining key materials.
1966  */
1967 static void
1968 kssl_cke_done(void *arg, int status)
1969 {
1970 	int ret = 0;
1971 	uchar_t *pms;
1972 	size_t pmslen;
1973 	crypto_data_t *pms_data;
1974 	kssl_cmd_t kssl_cmd = KSSL_CMD_NONE;
1975 	ssl_t *ssl = (ssl_t *)arg;
1976 	mblk_t *alertmp;
1977 	kssl_callback_t cbfn;
1978 	void *cbarg;
1979 
1980 	mutex_enter(&ssl->kssl_lock);
1981 
1982 	ASSERT(ssl->msg.type == client_key_exchange);
1983 	ASSERT(ssl->hs_waitstate == wait_client_key_done);
1984 
1985 	if (status != CRYPTO_SUCCESS) {
1986 		kssl_send_alert(ssl, alert_fatal, decrypt_error);
1987 		kssl_cmd = KSSL_CMD_SEND;
1988 		goto out;
1989 	}
1990 
1991 	pms_data = (crypto_data_t *)(ssl->job.buf);
1992 
1993 	ASSERT(pms_data != NULL);
1994 
1995 	pmslen = pms_data->cd_length;
1996 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1997 
1998 	/* generate master key and save it in the ssl sid structure */
1999 	if (IS_TLS(ssl)) {
2000 		ret = kssl_generate_tls_ms(ssl, pms, pmslen);
2001 		if (!CRYPTO_ERR(ret))
2002 			ret = kssl_generate_tls_keyblock(ssl);
2003 	} else {
2004 		kssl_generate_ssl_ms(ssl, pms, pmslen);
2005 		kssl_generate_keyblock(ssl);
2006 	}
2007 
2008 	if (ret == CRYPTO_SUCCESS)
2009 		ssl->hs_waitstate = wait_change_cipher;
2010 
2011 out:
2012 	kmem_free(ssl->job.buf, ssl->job.buflen);
2013 
2014 	ssl->job.kjob = 0;
2015 	ssl->job.buf = NULL;
2016 	ssl->job.buflen = 0;
2017 
2018 	ssl->activeinput = B_FALSE;
2019 
2020 	/* If we're the only ones left, then we won't callback */
2021 	if (ssl->kssl_refcnt == 1) {
2022 		mutex_exit(&ssl->kssl_lock);
2023 		KSSL_SSL_REFRELE(ssl);
2024 		return;
2025 	}
2026 
2027 	cbfn = ssl->cke_callback_func;
2028 	cbarg = ssl->cke_callback_arg;
2029 	alertmp = ssl->alert_sendbuf;
2030 	ssl->alert_sendbuf = NULL;
2031 
2032 	mutex_exit(&ssl->kssl_lock);
2033 
2034 	KSSL_SSL_REFRELE(ssl);
2035 
2036 	/* Now call the callback routine */
2037 	(*(cbfn))(cbarg, alertmp, kssl_cmd);
2038 }
2039 
2040 /*
2041  * Returns the first complete contiguous record out of rec_ass_head
2042  * The record is returned in a separate contiguous mblk, rec_ass_head is
2043  * left pointing to the next record in the queue.
2044  *
2045  * The output looks as follows:
2046  *
2047  * |--------|---------- .... -----|<---------->|<----------->|--- ... ---|
2048  * ^        ^                     ^  mac_size     pad_size               ^
2049  * |        |___ b_rptr  b_wptr __|                                      |
2050  * |                                                                     |
2051  * |___ db_base                                                db_lim ___|
2052  */
2053 mblk_t *
2054 kssl_get_next_record(ssl_t *ssl)
2055 {
2056 	mblk_t *mp, *retmp;
2057 	int rhsz = SSL3_HDR_LEN;
2058 	uint16_t rec_sz;
2059 	int mpsz, total_size;
2060 	SSL3ContentType content_type;
2061 
2062 	ASSERT(MUTEX_HELD(&ssl->kssl_lock));
2063 
2064 	mp = ssl->rec_ass_head;
2065 	if (mp == NULL)
2066 		return (NULL);
2067 
2068 	/* Fast path: when mp has at least a complete record */
2069 	if (MBLKL(mp) < rhsz) {
2070 		DTRACE_PROBE1(kssl_mblk__incomplete_header,
2071 		    mblk_t *, mp);
2072 		/* Not even a complete header in there yet */
2073 		if (msgdsize(mp) < rhsz) {
2074 			return (NULL);
2075 		}
2076 
2077 		if (!pullupmsg(mp, rhsz)) {
2078 			kssl_send_alert(ssl, alert_fatal, internal_error);
2079 			freemsg(mp);
2080 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2081 			return (NULL);
2082 		}
2083 	}
2084 	content_type = (SSL3ContentType)mp->b_rptr[0];
2085 	if (content_type == content_handshake_v2) {
2086 		DTRACE_PROBE1(kssl_mblk__ssl_v2, mblk_t *, mp);
2087 		rec_sz = (uint16_t)mp->b_rptr[1];
2088 		rhsz = 2;
2089 	} else {
2090 		DTRACE_PROBE1(kssl_mblk__ssl_v3, mblk_t *, mp);
2091 		uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3;
2092 		rec_sz = BE16_TO_U16(rec_sz_p);
2093 	}
2094 
2095 	/*
2096 	 * same tests as above. Only rare very fragmented cases will
2097 	 * incur the cost of msgdsize() and msgpullup(). Well formed
2098 	 * packets will fall in the most frequent fast path.
2099 	 */
2100 	total_size = rhsz + rec_sz;
2101 
2102 	/*
2103 	 * Missing: defensive against record fabricated with longer than
2104 	 * MAX record length.
2105 	 */
2106 	if (MBLKL(mp) < total_size) {
2107 		DTRACE_PROBE2(kssl_mblk__smaller_than_total_size,
2108 		    mblk_t *, mp, int, total_size);
2109 		/* Not a complete record yet. Keep accumulating */
2110 		if (msgdsize(mp) < total_size) {
2111 			return (NULL);
2112 		}
2113 
2114 		if (!pullupmsg(mp, total_size)) {
2115 			kssl_send_alert(ssl, alert_fatal, internal_error);
2116 			freemsg(mp);
2117 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2118 			return (NULL);
2119 		}
2120 	}
2121 	mpsz = MBLKL(mp);	/* could've changed after the pullup */
2122 
2123 	if (mpsz > total_size) {
2124 		DTRACE_PROBE2(kssl_mblk__bigger_than_total_size,
2125 		    mblk_t *, mp, int, total_size);
2126 		/* gotta allocate a new block */
2127 		if ((retmp = dupb(mp)) == NULL) {
2128 			kssl_send_alert(ssl, alert_fatal, internal_error);
2129 			freemsg(mp);
2130 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2131 			return (NULL);
2132 		}
2133 
2134 		retmp->b_wptr = retmp->b_rptr + total_size;
2135 		mp->b_rptr += total_size;
2136 		ssl->rec_ass_head = mp;
2137 	} else {
2138 		DTRACE_PROBE2(kssl_mblk__equal_to_total_size,
2139 		    mblk_t *, mp, int, total_size);
2140 		ASSERT(mpsz == total_size);
2141 		ssl->rec_ass_head = mp->b_cont;
2142 		mp->b_cont = NULL;
2143 		retmp = mp;
2144 	}
2145 	/* Adjust the tail */
2146 	if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) {
2147 		for (; mp->b_cont != NULL; mp = mp->b_cont) {
2148 			ssl->rec_ass_tail = mp->b_cont;
2149 		}
2150 	}
2151 
2152 	return (retmp);
2153 }
2154 
2155 
2156 static void
2157 kssl_mblksfree(ssl_t *ssl)
2158 {
2159 
2160 	ASSERT(ssl != NULL);
2161 
2162 	if (ssl->rec_ass_head != NULL) {
2163 		freemsg(ssl->rec_ass_head);
2164 	}
2165 	ssl->rec_ass_head = NULL;
2166 	ssl->rec_ass_tail = NULL;
2167 
2168 	if (ssl->msg.head != NULL) {
2169 		freemsg(ssl->msg.head);
2170 	}
2171 	ssl->msg.head = NULL;
2172 	ssl->msg.tail = NULL;
2173 
2174 	if (ssl->handshake_sendbuf != NULL) {
2175 		freemsg(ssl->handshake_sendbuf);
2176 		ssl->handshake_sendbuf = NULL;
2177 	}
2178 	if (ssl->alert_sendbuf != NULL) {
2179 		freemsg(ssl->alert_sendbuf);
2180 		ssl->alert_sendbuf = NULL;
2181 	}
2182 }
2183 
2184 static void
2185 kssl_specsfree(ssl_t *ssl)
2186 {
2187 	KSSLCipherSpec *spec = &ssl->spec[KSSL_READ];
2188 
2189 	if (spec->cipher_ctx != NULL) {
2190 		crypto_cancel_ctx(spec->cipher_ctx);
2191 		spec->cipher_ctx = 0;
2192 	}
2193 
2194 	spec = &ssl->spec[KSSL_WRITE];
2195 
2196 	if (spec->cipher_ctx != NULL) {
2197 		crypto_cancel_ctx(spec->cipher_ctx);
2198 		spec->cipher_ctx = 0;
2199 	}
2200 }
2201 
2202 /*
2203  * Frees the ssl structure (aka the context of an SSL session).
2204  * Any pending crypto jobs are cancelled.
2205  * Any initiated crypto contexts are freed as well.
2206  */
2207 void
2208 kssl_free_context(ssl_t *ssl)
2209 {
2210 	ASSERT(ssl != NULL);
2211 	if (!(MUTEX_HELD(&ssl->kssl_lock))) {
2212 		/* we're coming from an external API entry point */
2213 		mutex_enter(&ssl->kssl_lock);
2214 	}
2215 
2216 	if (ssl->job.kjob != NULL) {
2217 		crypto_cancel_req(ssl->job.kjob);
2218 		kmem_free(ssl->job.buf, ssl->job.buflen);
2219 
2220 		ssl->job.kjob = 0;
2221 		ssl->job.buf = NULL;
2222 		ssl->job.buflen = 0;
2223 	}
2224 
2225 	kssl_mblksfree(ssl);
2226 	kssl_specsfree(ssl);
2227 
2228 	KSSL_ENTRY_REFRELE(ssl->kssl_entry);
2229 	ssl->kssl_entry = NULL;
2230 
2231 	mutex_exit(&ssl->kssl_lock);
2232 
2233 	kmem_cache_free(kssl_cache, ssl);
2234 	kssl_cache_count--;
2235 }
2236