xref: /titanic_52/usr/src/uts/common/inet/kssl/ksslrec.c (revision 2ab4ca4ba67b0dc870fbd57becdb9ea51d9b8663)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/stream.h>
28 #include <sys/strsubr.h>
29 #include <sys/stropts.h>
30 #include <sys/strsun.h>
31 #define	_SUN_TPI_VERSION 2
32 #include <sys/ddi.h>
33 #include <sys/sunddi.h>
34 #include <sys/debug.h>
35 #include <sys/vtrace.h>
36 #include <sys/kmem.h>
37 #include <sys/cpuvar.h>
38 #include <sys/atomic.h>
39 #include <sys/sysmacros.h>
40 
41 #include <sys/errno.h>
42 #include <sys/isa_defs.h>
43 #include <sys/md5.h>
44 #include <sys/sha1.h>
45 #include <sys/random.h>
46 #include <inet/common.h>
47 #include <netinet/in.h>
48 
49 #include <sys/systm.h>
50 #include <sys/param.h>
51 
52 #include "ksslimpl.h"
53 #include "ksslapi.h"
54 #include "ksslproto.h"
55 
56 static ssl3CipherSuiteDef cipher_suite_defs[] = {
57 	/* 2 X 16 byte keys +  2 x 20 byte MAC secrets, no IVs */
58 	{SSL_RSA_WITH_RC4_128_SHA,	cipher_rc4,	mac_sha,	72},
59 
60 	/* 2 X 16 byte keys +  2 x 16 byte MAC secrets, no IVs */
61 	{SSL_RSA_WITH_RC4_128_MD5,	cipher_rc4,	mac_md5,	64},
62 
63 	/* 2 X 8 byte keys +  2 x 20 byte MAC secrets, 2 x 8 byte IVs */
64 	{SSL_RSA_WITH_DES_CBC_SHA,	cipher_des,	mac_sha,	72},
65 
66 	/* 2 X 24 byte keys +  2 x 20 byte MAC secrets, 2 x 8 byte IVs */
67 	{SSL_RSA_WITH_3DES_EDE_CBC_SHA,	cipher_3des,	mac_sha,	104},
68 
69 	/* 2 X 16 byte keys +  2 x 20 byte MAC secrets, 2 x 16 byte IVs */
70 	{TLS_RSA_WITH_AES_128_CBC_SHA,	cipher_aes128,	mac_sha,	104},
71 
72 	/* 2 X 32 byte keys +  2 x 20 byte MAC secrets, 2 x 16 byte IVs */
73 	{TLS_RSA_WITH_AES_256_CBC_SHA,	cipher_aes256,	mac_sha,	136},
74 
75 	{SSL_RSA_WITH_NULL_SHA,		cipher_null,	mac_sha,	40}
76 };
77 
78 static int cipher_suite_defs_nentries =
79     sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]);
80 
81 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
82 	/* macsz padsz HashInit HashUpdate HashFinal */
83 
84 	{MD5_HASH_LEN, SSL3_MD5_PAD_LEN,
85 	    (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update,
86 	    (hashfinal_func_t)MD5Final},
87 
88 	{SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN,
89 	    (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update,
90 	    (hashfinal_func_t)SHA1Final},
91 };
92 
93 static uchar_t kssl_pad_1[60] = {
94     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
95     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
96     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
97     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
98     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
99     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
100     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
101     0x36, 0x36, 0x36, 0x36
102 };
103 static uchar_t kssl_pad_2[60] = {
104     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
105     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
106     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
107     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
108     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
109     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
110     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
111     0x5c, 0x5c, 0x5c, 0x5c
112 };
113 
114 int kssl_cache_count;
115 static boolean_t kssl_synchronous = B_FALSE;
116 
117 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t);
118 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t);
119 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int);
120 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int,
121     kssl_callback_t, void *);
122 static int kssl_send_server_hello(ssl_t *);
123 static int kssl_send_certificate_and_server_hello_done(ssl_t *);
124 static int kssl_send_change_cipher_specs(ssl_t *);
125 static int kssl_send_finished(ssl_t *, int);
126 static int kssl_handle_finished(ssl_t *, mblk_t *, int);
127 static void kssl_get_hello_random(uchar_t *);
128 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *);
129 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *);
130 static void kssl_lookup_sid(sslSessionID *, uchar_t *, ipaddr_t,
131     kssl_entry_t *);
132 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t);
133 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t);
134 static int kssl_generate_tls_keyblock(ssl_t *);
135 static void kssl_generate_keyblock(ssl_t *);
136 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t,
137     int, uchar_t *, int);
138 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t,
139     uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
140 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *,
141     size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
142 static void kssl_cke_done(void *, int);
143 
144 #define	HMAC_INIT(m, k, c) \
145 	rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end;
146 
147 #define	HMAC_UPDATE(c, d, l) \
148 	dd.cd_raw.iov_base = (char *)d; \
149 	dd.cd_length = dd.cd_raw.iov_len = l; \
150 	rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end;
151 
152 #define	HMAC_FINAL(c, d, l) \
153 	mac.cd_raw.iov_base = (char *)d; \
154 	mac.cd_length = mac.cd_raw.iov_len = l; \
155 	rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end;
156 
157 /*
158  * This hack can go away once we have SSL3 MAC support by KCF
159  * software providers (See 4873559).
160  */
161 extern int kcf_md5_threshold;
162 
163 int
164 kssl_compute_record_mac(
165 	ssl_t *ssl,
166 	int direction,
167 	uint64_t seq_num,
168 	SSL3ContentType ct,
169 	uchar_t *versionp,
170 	uchar_t *buf,
171 	int len,
172 	uchar_t *digest)
173 {
174 	KSSL_HASHCTX mac_ctx;
175 	KSSL_HASHCTX *ctx = &mac_ctx;
176 	uchar_t temp[16], *p;
177 	KSSLCipherSpec *spec;
178 	boolean_t hash_use_ok = B_FALSE;
179 	int rv = 0;
180 
181 	spec = &ssl->spec[direction];
182 
183 	if (spec->mac_hashsz == 0) {
184 		return (1);
185 	}
186 
187 	p = temp;
188 
189 	*p++ = (seq_num >> 56) & 0xff;
190 	*p++ = (seq_num >> 48) & 0xff;
191 	*p++ = (seq_num >> 40) & 0xff;
192 	*p++ = (seq_num >> 32) & 0xff;
193 	*p++ = (seq_num >> 24) & 0xff;
194 	*p++ = (seq_num >> 16) & 0xff;
195 	*p++ = (seq_num >> 8) & 0xff;
196 	*p++ = (seq_num) & 0xff;
197 	*p++ = (uchar_t)ct;
198 	if (IS_TLS(ssl)) {
199 		*p++ = versionp[0];
200 		*p++ = versionp[1];
201 	}
202 	*p++ = (len >> 8) & 0xff;
203 	*p++ = (len) & 0xff;
204 
205 	if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID &&
206 	    len >= kcf_md5_threshold)) {
207 		crypto_data_t dd, mac;
208 		struct uio uio_pt;
209 		struct iovec iovarray_pt[2];
210 
211 		/* init the array of iovecs for use in the uio struct */
212 		iovarray_pt[0].iov_base = (char *)temp;
213 		iovarray_pt[0].iov_len = (p - temp);
214 		iovarray_pt[1].iov_base = (char *)buf;
215 		iovarray_pt[1].iov_len = len;
216 
217 		/* init the uio struct for use in the crypto_data_t struct */
218 		bzero(&uio_pt, sizeof (uio_pt));
219 		uio_pt.uio_iov = iovarray_pt;
220 		uio_pt.uio_iovcnt = 2;
221 		uio_pt.uio_segflg = UIO_SYSSPACE;
222 
223 		dd.cd_format = CRYPTO_DATA_UIO;
224 		dd.cd_offset = 0;
225 		dd.cd_length =  (p - temp) + len;
226 		dd.cd_miscdata = NULL;
227 		dd.cd_uio = &uio_pt;
228 
229 		mac.cd_format = CRYPTO_DATA_RAW;
230 		mac.cd_offset = 0;
231 		mac.cd_raw.iov_base = (char *)digest;
232 		mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz;
233 
234 		/*
235 		 * The calling context can tolerate a blocking call here.
236 		 * For outgoing traffic, we are in user context
237 		 * when called from strsock_kssl_output(). For incoming
238 		 * traffic past the SSL handshake, we are in user
239 		 * context when called from strsock_kssl_input(). During the
240 		 * SSL handshake, we are called for client_finished message
241 		 * handling from a squeue worker thread that gets scheduled
242 		 * by an squeue_fill() call. This thread is not in interrupt
243 		 * context and so can block.
244 		 */
245 		rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key,
246 		    NULL, &mac, NULL);
247 
248 		if (CRYPTO_ERR(rv)) {
249 			hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED &&
250 			    !IS_TLS(ssl));
251 			if (!hash_use_ok) {
252 				DTRACE_PROBE1(kssl_err__crypto_mac_error,
253 				    int, rv);
254 				KSSL_COUNTER(compute_mac_failure, 1);
255 			}
256 		}
257 	} else
258 		hash_use_ok = B_TRUE;
259 
260 	if (hash_use_ok) {
261 		bcopy(&(ssl->mac_ctx[direction][0]), ctx,
262 		    sizeof (KSSL_HASHCTX));
263 		spec->MAC_HashUpdate((void *)ctx, temp, p - temp);
264 		spec->MAC_HashUpdate((void *)ctx, buf, len);
265 		spec->MAC_HashFinal(digest, (void *)ctx);
266 
267 		bcopy(&(ssl->mac_ctx[direction][1]), ctx,
268 		    sizeof (KSSL_HASHCTX));
269 		spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz);
270 		spec->MAC_HashFinal(digest, (void *)ctx);
271 	}
272 
273 	return (rv);
274 }
275 
276 /*
277  * Handles handshake messages.
278  * Messages to be replied are returned in handshake_sendbuf.
279  */
280 int
281 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err,
282     kssl_callback_t cbfn, void *arg)
283 {
284 	uint32_t msglen;
285 	uchar_t msghdr[4];
286 
287 	ASSERT(ssl->msg.state == MSG_BODY);
288 	ASSERT(ssl->msg.msglen_bytes == 3);
289 	ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen);
290 
291 	ssl->sslcnt++;
292 	msglen = ssl->msg.msglen;
293 
294 	if (ssl->msg.type == client_hello) {
295 		MD5Init(&ssl->hs_md5);
296 		SHA1Init(&ssl->hs_sha1);
297 	}
298 
299 	if (ssl->msg.type == finished && ssl->resumed == B_FALSE) {
300 		if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
301 		    sender_client) != 0) {
302 			*err = SSL_MISS;
303 			return (0);
304 		}
305 	}
306 
307 	if (ssl->msg.type != finished || ssl->resumed == B_FALSE) {
308 		msghdr[0] = (uchar_t)ssl->msg.type;
309 
310 		msghdr[1] = (uchar_t)(msglen >> 16);
311 		msghdr[2] = (uchar_t)(msglen >> 8);
312 		msghdr[3] = (uchar_t)(msglen);
313 		kssl_update_handshake_hashes(ssl, msghdr, 4);
314 		kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen);
315 	}
316 
317 	ssl->msg.state = MSG_INIT;
318 	ssl->msg.msglen = 0;
319 	ssl->msg.msglen_bytes = 0;
320 
321 	switch (ssl->msg.type) {
322 	case client_hello:
323 		if (ssl->hs_waitstate != wait_client_hello) {
324 			kssl_send_alert(ssl, alert_fatal,
325 			    unexpected_message);
326 			*err = EBADMSG;
327 			ssl->activeinput = B_FALSE;
328 			return (1);
329 		}
330 		*err = kssl_handle_client_hello(ssl, mp, msglen);
331 		if (*err == SSL_MISS) {
332 			ssl->activeinput = B_FALSE;
333 			return (0);
334 		}
335 		return (1);
336 	case client_key_exchange:
337 		if (ssl->hs_waitstate != wait_client_key) {
338 			kssl_send_alert(ssl, alert_fatal,
339 			    unexpected_message);
340 			*err = EBADMSG;
341 			ssl->activeinput = B_FALSE;
342 			return (1);
343 		}
344 		*err = kssl_handle_client_key_exchange(ssl, mp,
345 		    msglen, cbfn, arg);
346 		return (1);
347 	case finished:
348 		if (ssl->hs_waitstate != wait_finished) {
349 			kssl_send_alert(ssl, alert_fatal,
350 			    unexpected_message);
351 			*err = EBADMSG;
352 			ssl->activeinput = B_FALSE;
353 			return (1);
354 		}
355 		*err = kssl_handle_finished(ssl, mp, msglen);
356 		return (1);
357 	default:
358 		kssl_send_alert(ssl, alert_fatal, unexpected_message);
359 		ssl->activeinput = B_FALSE;
360 		*err = EBADMSG;
361 		return (1);
362 	}
363 }
364 
365 static void
366 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len)
367 {
368 	MD5Update(&ssl->hs_md5, buf, len);
369 	SHA1Update(&ssl->hs_sha1, buf, len);
370 }
371 
372 static int
373 kssl_compute_handshake_hashes(
374 	ssl_t *ssl,
375 	SSL3Hashes *hashes,
376 	uint32_t sender)
377 {
378 	MD5_CTX md5 = ssl->hs_md5;	/* clone md5 context */
379 	SHA1_CTX sha1 = ssl->hs_sha1;	/* clone sha1 context */
380 	MD5_CTX *md5ctx = &md5;
381 	SHA1_CTX *sha1ctx = &sha1;
382 
383 	if (IS_TLS(ssl)) {
384 		uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN];
385 		char *label;
386 
387 		/*
388 		 * Do not take another hash step here.
389 		 * Just complete the operation.
390 		 */
391 		MD5Final(hashes->md5, md5ctx);
392 		SHA1Final(hashes->sha1, sha1ctx);
393 
394 		bcopy(hashes->md5, seed, MD5_HASH_LEN);
395 		bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN);
396 
397 		if (sender == sender_client)
398 			label = TLS_CLIENT_FINISHED_LABEL;
399 		else
400 			label = TLS_SERVER_FINISHED_LABEL;
401 
402 		return (kssl_tls_PRF(ssl,
403 		    ssl->sid.master_secret,
404 		    (size_t)SSL3_MASTER_SECRET_LEN,
405 		    (uchar_t *)label, strlen(label),
406 		    seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN),
407 		    hashes->tlshash, (size_t)TLS_FINISHED_SIZE));
408 	} else {
409 		uchar_t s[4];
410 		s[0] = (sender >> 24) & 0xff;
411 		s[1] = (sender >> 16) & 0xff;
412 		s[2] = (sender >> 8) & 0xff;
413 		s[3] = (sender) & 0xff;
414 
415 		MD5Update(md5ctx, s, 4);
416 		MD5Update(md5ctx, ssl->sid.master_secret,
417 		    SSL3_MASTER_SECRET_LEN);
418 		MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN);
419 		MD5Final(hashes->md5, md5ctx);
420 
421 		MD5Init(md5ctx);
422 		MD5Update(md5ctx, ssl->sid.master_secret,
423 		    SSL3_MASTER_SECRET_LEN);
424 		MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN);
425 		MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN);
426 		MD5Final(hashes->md5, md5ctx);
427 
428 		SHA1Update(sha1ctx, s, 4);
429 		SHA1Update(sha1ctx, ssl->sid.master_secret,
430 		    SSL3_MASTER_SECRET_LEN);
431 		SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN);
432 		SHA1Final(hashes->sha1, sha1ctx);
433 
434 		SHA1Init(sha1ctx);
435 		SHA1Update(sha1ctx, ssl->sid.master_secret,
436 		    SSL3_MASTER_SECRET_LEN);
437 		SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN);
438 		SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN);
439 		SHA1Final(hashes->sha1, sha1ctx);
440 		return (0);
441 	}
442 }
443 
444 
445 /*
446  * Minimum message length for a client hello =
447  * 2-byte client_version +
448  * 32-byte random +
449  * 1-byte session_id length +
450  * 2-byte cipher_suites length +
451  * 1-byte compression_methods length +
452  * 1-byte CompressionMethod.null
453  */
454 #define	KSSL_SSL3_CH_MIN_MSGLEN	(39)
455 
456 static int
457 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen)
458 {
459 	uchar_t *msgend;
460 	int err;
461 	SSL3AlertDescription desc = illegal_parameter;
462 	uint_t sidlen, cslen, cmlen;
463 	uchar_t *suitesp;
464 	uint_t i, j;
465 	uint16_t suite;
466 	int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN;
467 
468 	ASSERT(mp->b_wptr >= mp->b_rptr + msglen);
469 	ASSERT(ssl->msg.type == client_hello);
470 	ASSERT(ssl->hs_waitstate == wait_client_hello);
471 	ASSERT(ssl->resumed == B_FALSE);
472 
473 	if (msglen < ch_msglen) {
474 		goto falert;
475 	}
476 
477 	msgend = mp->b_rptr + msglen;
478 
479 	/* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */
480 	if (ssl->major_version != 3 || (ssl->major_version == 3 &&
481 	    ssl->minor_version != 0 && ssl->minor_version != 1)) {
482 		DTRACE_PROBE2(kssl_err__SSL_version_not_supported,
483 		    uchar_t, ssl->major_version,
484 		    uchar_t, ssl->minor_version);
485 		desc = handshake_failure;
486 		goto falert;
487 	}
488 	mp->b_rptr += 2; /* skip the version bytes */
489 
490 	bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH);
491 	mp->b_rptr += SSL3_RANDOM_LENGTH;
492 
493 	ASSERT(ssl->sid.cached == B_FALSE);
494 	sidlen = *mp->b_rptr++;
495 	ch_msglen += sidlen;
496 	if (msglen < ch_msglen) {
497 		goto falert;
498 	}
499 	if (sidlen != SSL3_SESSIONID_BYTES) {
500 		mp->b_rptr += sidlen;
501 	} else {
502 		kssl_lookup_sid(&ssl->sid, mp->b_rptr, ssl->faddr,
503 		    ssl->kssl_entry);
504 		mp->b_rptr += SSL3_SESSIONID_BYTES;
505 	}
506 
507 	cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
508 	mp->b_rptr += 2;
509 	ch_msglen += cslen;
510 
511 	/*
512 	 * This check can't be a "!=" since there can be
513 	 * compression methods other than CompressionMethod.null.
514 	 * Also, there can be extra data (TLS extensions) after the
515 	 * compression methods field. We do not support any TLS
516 	 * extensions and hence ignore them.
517 	 */
518 	if (msglen < ch_msglen) {
519 		goto falert;
520 	}
521 
522 	/* The length has to be even since a cipher suite is 2-byte long */
523 	if (cslen & 0x1) {
524 		goto falert;
525 	}
526 	suitesp = mp->b_rptr;
527 	if (ssl->sid.cached == B_TRUE) {
528 		suite = ssl->sid.cipher_suite;
529 		for (j = 0; j < cslen; j += 2) {
530 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
531 			    suitesp[j + 1] == (suite & 0xff)) {
532 				break;
533 			}
534 		}
535 		if (j < cslen) {
536 			goto suite_found;
537 		}
538 		kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
539 		ssl->sid.cached = B_FALSE;
540 	}
541 
542 	/* Check if this server is capable of the cipher suite */
543 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
544 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
545 		for (j = 0; j < cslen; j += 2) {
546 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
547 			    suitesp[j + 1] == (suite & 0xff)) {
548 				break;
549 			}
550 		}
551 		if (j < cslen) {
552 			break;
553 		}
554 	}
555 	if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) {
556 		if (ssl->sslcnt == 1) {
557 			KSSL_COUNTER(no_suite_found, 1);
558 			return (SSL_MISS);
559 		}
560 		desc = handshake_failure;
561 		DTRACE_PROBE(kssl_err__no_cipher_suites_found);
562 		goto falert;
563 	}
564 
565 suite_found:
566 	mp->b_rptr += cslen;
567 
568 	/*
569 	 * Check for the mandatory CompressionMethod.null. We do not
570 	 * support any other compression methods.
571 	 */
572 	cmlen = *mp->b_rptr++;
573 	ch_msglen += cmlen - 1;	/* -1 accounts for the null method */
574 	if (msglen < ch_msglen) {
575 		goto falert;
576 	}
577 
578 	while (cmlen >= 1) {
579 		if (*mp->b_rptr++ == 0)
580 			break;
581 		cmlen--;
582 	}
583 
584 	if (cmlen == 0) {
585 		desc = handshake_failure;
586 		DTRACE_PROBE(kssl_err__no_null_method_failure);
587 		goto falert;
588 	}
589 
590 	mp->b_rptr = msgend;
591 
592 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
593 		if (suite == cipher_suite_defs[i].suite) {
594 			break;
595 		}
596 	}
597 
598 	ASSERT(i < cipher_suite_defs_nentries);
599 
600 	ssl->pending_cipher_suite = suite;
601 	ssl->pending_malg = cipher_suite_defs[i].malg;
602 	ssl->pending_calg = cipher_suite_defs[i].calg;
603 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
604 
605 	if (ssl->sid.cached == B_TRUE) {
606 		err = kssl_send_server_hello(ssl);
607 		if (err != 0) {
608 			return (err);
609 		}
610 		if (IS_TLS(ssl))
611 			err = kssl_generate_tls_keyblock(ssl);
612 		else
613 			kssl_generate_keyblock(ssl);
614 
615 		err = kssl_send_change_cipher_specs(ssl);
616 		if (err != 0) {
617 			return (err);
618 		}
619 
620 		err = kssl_send_finished(ssl, 1);
621 		if (err != 0)
622 			return (err);
623 
624 		err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
625 		    sender_client);
626 		if (err != 0)
627 			return (err);
628 
629 		ssl->hs_waitstate = wait_change_cipher;
630 		ssl->resumed = B_TRUE;
631 		ssl->activeinput = B_FALSE;
632 		KSSL_COUNTER(resumed_sessions, 1);
633 		return (0);
634 	}
635 
636 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
637 	    SSL3_SESSIONID_BYTES);
638 	ssl->sid.client_addr = ssl->faddr;
639 	ssl->sid.cipher_suite = suite;
640 
641 	err = kssl_send_server_hello(ssl);
642 	if (err != 0) {
643 		return (err);
644 	}
645 	err = kssl_send_certificate_and_server_hello_done(ssl);
646 	if (err != 0) {
647 		return (err);
648 	}
649 	KSSL_COUNTER(full_handshakes, 1);
650 	ssl->hs_waitstate = wait_client_key;
651 	ssl->activeinput = B_FALSE;
652 	return (0);
653 
654 falert:
655 	kssl_send_alert(ssl, alert_fatal, desc);
656 	return (EBADMSG);
657 }
658 
659 static void
660 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
661 {
662 	uint_t index;
663 	uchar_t *s = sid->session_id;
664 	int l = SSL3_SESSIONID_BYTES - 1;
665 	kmutex_t *lock;
666 
667 	ASSERT(sid->cached == B_TRUE);
668 
669 	index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
670 	    ((int)s[2] << 8) | (int)s[l]);
671 
672 	index %= kssl_entry->sid_cache_nentries;
673 
674 	sid->time = lbolt;
675 
676 	lock = &(kssl_entry->sid_cache[index].se_lock);
677 	mutex_enter(lock);
678 	kssl_entry->sid_cache[index].se_used++;
679 	bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid));
680 	mutex_exit(lock);
681 }
682 
683 static void
684 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, ipaddr_t faddr,
685     kssl_entry_t *kssl_entry)
686 {
687 	uint_t index;
688 	int l = SSL3_SESSIONID_BYTES - 1;
689 	kmutex_t *lock;
690 	sslSessionID *csid;
691 
692 	ASSERT(sid->cached == B_FALSE);
693 
694 	KSSL_COUNTER(sid_cache_lookups, 1);
695 
696 	index = (int)faddr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
697 	    ((int)s[2] << 8) | (int)s[l]);
698 
699 	index %= kssl_entry->sid_cache_nentries;
700 
701 	lock = &(kssl_entry->sid_cache[index].se_lock);
702 	mutex_enter(lock);
703 	csid = &(kssl_entry->sid_cache[index].se_sid);
704 	if (csid->cached == B_FALSE || csid->client_addr != faddr ||
705 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
706 		mutex_exit(lock);
707 		return;
708 	}
709 
710 	if (TICK_TO_SEC(lbolt - csid->time) > kssl_entry->sid_cache_timeout) {
711 		csid->cached = B_FALSE;
712 		mutex_exit(lock);
713 		return;
714 	}
715 
716 	bcopy(csid, sid, sizeof (*sid));
717 	mutex_exit(lock);
718 	ASSERT(sid->cached == B_TRUE);
719 
720 	KSSL_COUNTER(sid_cache_hits, 1);
721 }
722 
723 static uchar_t *
724 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp)
725 {
726 	size_t len = *lenp;
727 	int i = 2;
728 
729 	if (buf[0] != 0 || buf[1] != 2) {
730 		return (NULL);
731 	}
732 
733 	while (i < len) {
734 		if (buf[i++] == 0) {
735 			*lenp = len - i;
736 			break;
737 		}
738 	}
739 
740 	if (i == len) {
741 		return (NULL);
742 	}
743 
744 	return (buf + i);
745 }
746 
747 void
748 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
749 {
750 	uint_t index;
751 	uchar_t *s = sid->session_id;
752 	int l = SSL3_SESSIONID_BYTES - 1;
753 	sslSessionID *csid;
754 	kmutex_t *lock;
755 
756 	ASSERT(sid->cached == B_TRUE);
757 
758 	KSSL_COUNTER(sid_uncached, 1);
759 
760 	index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
761 	    ((int)s[2] << 8) | (int)s[l]);
762 
763 	index %= kssl_entry->sid_cache_nentries;
764 
765 	lock = &(kssl_entry->sid_cache[index].se_lock);
766 	mutex_enter(lock);
767 	csid = &(kssl_entry->sid_cache[index].se_sid);
768 	if (csid->client_addr != sid->client_addr ||
769 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
770 		mutex_exit(lock);
771 		return;
772 	}
773 	csid->cached = B_FALSE;
774 	mutex_exit(lock);
775 }
776 
777 
778 #define	KSSL_SSL3_SH_RECLEN	(74)
779 #define	KSSL_SSL3_FIN_MSGLEN	(36)
780 
781 #define	KSSL_SSL3_MAX_CCP_FIN_MSGLEN	(128)	/* comfortable upper bound */
782 
783 static int
784 kssl_send_server_hello(ssl_t *ssl)
785 {
786 	mblk_t *mp;
787 	uchar_t *buf;
788 	uchar_t *msgstart;
789 
790 	mp = allocb(ssl->tcp_mss, BPRI_HI);
791 	if (mp == NULL) {
792 		KSSL_COUNTER(alloc_fails, 1);
793 		return (ENOMEM);
794 	}
795 	ssl->handshake_sendbuf = mp;
796 	buf = mp->b_wptr;
797 
798 	/* 5 byte record header */
799 	buf[0] = content_handshake;
800 	buf[1] = ssl->major_version;
801 	buf[2] = ssl->minor_version;
802 	buf[3] = KSSL_SSL3_SH_RECLEN >> 8;
803 	buf[4] = KSSL_SSL3_SH_RECLEN & 0xff;
804 	buf += SSL3_HDR_LEN;
805 
806 	msgstart = buf;
807 
808 	/* 6 byte message header */
809 	buf[0] = (uchar_t)server_hello;			/* message type */
810 	buf[1] = 0;					/* message len byte 0 */
811 	buf[2] = ((KSSL_SSL3_SH_RECLEN - 4) >> 8) &
812 	    0xff;					/* message len byte 1 */
813 	buf[3] = (KSSL_SSL3_SH_RECLEN - 4) & 0xff;	/* message len byte 2 */
814 
815 	buf[4] = ssl->major_version;	/* version byte 0 */
816 	buf[5] = ssl->minor_version;	/* version byte 1 */
817 
818 	buf += 6;
819 
820 	kssl_get_hello_random(ssl->server_random);
821 	bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH);
822 	buf += SSL3_RANDOM_LENGTH;
823 
824 	buf[0] = SSL3_SESSIONID_BYTES;
825 	bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES);
826 	buf += SSL3_SESSIONID_BYTES + 1;
827 
828 	buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff;
829 	buf[1] = ssl->pending_cipher_suite & 0xff;
830 
831 	buf[2] = 0;	/* No compression */
832 
833 	mp->b_wptr = buf + 3;
834 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
835 
836 	kssl_update_handshake_hashes(ssl, msgstart, KSSL_SSL3_SH_RECLEN);
837 	return (0);
838 }
839 
840 static void
841 kssl_get_hello_random(uchar_t *buf)
842 {
843 	timestruc_t ts;
844 	time_t sec;
845 
846 	gethrestime(&ts);
847 	sec = ts.tv_sec;
848 
849 	buf[0] = (sec >> 24) & 0xff;
850 	buf[1] = (sec >> 16) & 0xff;
851 	buf[2] = (sec >> 8) & 0xff;
852 	buf[3] = (sec) & 0xff;
853 
854 	(void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4);
855 
856 	/* Should this be caching? */
857 }
858 
859 static int
860 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key,
861 	size_t hashlen,
862 	uchar_t *label, size_t label_len,
863 	uchar_t *seed, size_t seedlen,
864 	uchar_t *data, size_t datalen)
865 {
866 	int rv = 0;
867 	uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN];
868 	int bytes_left = datalen;
869 	crypto_data_t dd, mac;
870 	crypto_context_t ctx;
871 
872 	dd.cd_format = CRYPTO_DATA_RAW;
873 	dd.cd_offset = 0;
874 	mac.cd_format = CRYPTO_DATA_RAW;
875 	mac.cd_offset = 0;
876 
877 	/*
878 	 * A(i) = HMAC_hash(secred, seed + A(i-1));
879 	 * A(0) = seed;
880 	 *
881 	 * Compute A(1):
882 	 * A(1) = HMAC_hash(secret, label + seed)
883 	 *
884 	 */
885 	HMAC_INIT(mech, key, &ctx);
886 	HMAC_UPDATE(ctx, label, label_len);
887 	HMAC_UPDATE(ctx, seed, seedlen);
888 	HMAC_FINAL(ctx, A1, hashlen);
889 
890 	/* Compute A(2) ... A(n) */
891 	while (bytes_left > 0) {
892 		HMAC_INIT(mech, key, &ctx);
893 		HMAC_UPDATE(ctx, A1, hashlen);
894 		HMAC_UPDATE(ctx, label, label_len);
895 		HMAC_UPDATE(ctx, seed, seedlen);
896 		HMAC_FINAL(ctx, result, hashlen);
897 
898 		/*
899 		 * The A(i) value is stored in "result".
900 		 * Save the results of the MAC so it can be input to next
901 		 * iteration.
902 		 */
903 		if (bytes_left > hashlen) {
904 			/* Store the chunk result */
905 			bcopy(result, data, hashlen);
906 			data += hashlen;
907 
908 			bytes_left -= hashlen;
909 
910 			/* Update A1 for next iteration */
911 			HMAC_INIT(mech, key, &ctx);
912 			HMAC_UPDATE(ctx, A1, hashlen);
913 			HMAC_FINAL(ctx, A1, hashlen);
914 
915 		} else {
916 			bcopy(result, data, bytes_left);
917 			data += bytes_left;
918 			bytes_left = 0;
919 		}
920 	}
921 end:
922 	if (CRYPTO_ERR(rv)) {
923 		DTRACE_PROBE1(kssl_err__crypto_mac_error, int, rv);
924 		KSSL_COUNTER(compute_mac_failure, 1);
925 	}
926 	return (rv);
927 }
928 
929 /* ARGSUSED */
930 static int
931 kssl_tls_PRF(ssl_t *ssl,
932 	uchar_t *secret, size_t secret_len,
933 	uchar_t *label, size_t label_len,
934 	uchar_t *seed, size_t seed_len,
935 	uchar_t *prfresult, size_t prfresult_len)
936 {
937 	/*
938 	 * RFC 2246:
939 	 *  PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
940 	 *				P_SHA1(S2, label + seed);
941 	 * S1 = 1st half of secret.
942 	 * S1 = 2nd half of secret.
943 	 *
944 	 */
945 
946 	int rv = 0, i;
947 	uchar_t psha1[MAX_KEYBLOCK_LENGTH];
948 	crypto_key_t S1, S2;
949 
950 	/* length of secret keys is ceil(length/2) */
951 	size_t slen = roundup(secret_len, 2) / 2;
952 
953 	if (prfresult_len >  MAX_KEYBLOCK_LENGTH) {
954 		DTRACE_PROBE1(kssl_err__unexpected_keyblock_size,
955 		    size_t, prfresult_len);
956 		return (CRYPTO_ARGUMENTS_BAD);
957 	}
958 
959 	ASSERT(prfresult != NULL);
960 	ASSERT(label != NULL);
961 	ASSERT(seed != NULL);
962 
963 	S1.ck_data   = secret;
964 	S1.ck_length = slen * 8; /* bits */
965 	S1.ck_format = CRYPTO_KEY_RAW;
966 
967 	S2.ck_data   = secret + slen;
968 	S2.ck_length = slen * 8; /* bits */
969 	S2.ck_format = CRYPTO_KEY_RAW;
970 
971 	rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN,
972 	    label, label_len,
973 	    seed, seed_len,
974 	    prfresult, prfresult_len);
975 	if (CRYPTO_ERR(rv))
976 		goto end;
977 
978 	rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN,
979 	    label, label_len,
980 	    seed, seed_len,
981 	    psha1, prfresult_len);
982 	if (CRYPTO_ERR(rv))
983 		goto end;
984 
985 	for (i = 0; i < prfresult_len; i++)
986 		prfresult[i] ^= psha1[i];
987 
988 end:
989 	if (CRYPTO_ERR(rv))
990 		bzero(prfresult, prfresult_len);
991 
992 	return (rv);
993 }
994 
995 #define	IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)			\
996 	(pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN ||		\
997 	pms[0] != ssl->major_version || pms[1] != ssl->minor_version)
998 
999 #define	FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) {			\
1000 		KSSL_COUNTER(bad_pre_master_secret, 1);			\
1001 		pms = buf;						\
1002 		pmslen = SSL3_PRE_MASTER_SECRET_LEN;			\
1003 		pms[0] = ssl->major_version;				\
1004 		pms[1] = ssl->minor_version;				\
1005 		(void) random_get_pseudo_bytes(&buf[2], pmslen - 2);	\
1006 }
1007 
1008 static int
1009 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1010 {
1011 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1012 	uchar_t seed[SSL3_RANDOM_LENGTH * 2];
1013 
1014 	/*
1015 	 * Computing the master secret:
1016 	 * ----------------------------
1017 	 * master_secret = PRF (pms, "master secret",
1018 	 *		ClientHello.random + ServerHello.random);
1019 	 */
1020 	bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH);
1021 	bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH,
1022 	    SSL3_RANDOM_LENGTH);
1023 
1024 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1025 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1026 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
1027 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1028 	}
1029 
1030 	return (kssl_tls_PRF(ssl,
1031 	    pms, pmslen,
1032 	    (uchar_t *)TLS_MASTER_SECRET_LABEL,
1033 	    (size_t)strlen(TLS_MASTER_SECRET_LABEL),
1034 	    seed, sizeof (seed),
1035 	    ssl->sid.master_secret,
1036 	    (size_t)sizeof (ssl->sid.master_secret)));
1037 }
1038 
1039 
1040 static void
1041 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1042 {
1043 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1044 	uchar_t *ms;
1045 	int hlen = MD5_HASH_LEN;
1046 
1047 	ms = ssl->sid.master_secret;
1048 
1049 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1050 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1051 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
1052 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1053 	}
1054 
1055 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0);
1056 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0);
1057 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen,
1058 	    0);
1059 }
1060 
1061 static int
1062 kssl_generate_tls_keyblock(ssl_t *ssl)
1063 {
1064 	uchar_t seed[2 * SSL3_RANDOM_LENGTH];
1065 
1066 	bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH);
1067 	bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH,
1068 	    SSL3_RANDOM_LENGTH);
1069 
1070 	return (kssl_tls_PRF(ssl, ssl->sid.master_secret,
1071 	    (size_t)SSL3_MASTER_SECRET_LEN,
1072 	    (uchar_t *)TLS_KEY_EXPANSION_LABEL,
1073 	    (size_t)strlen(TLS_KEY_EXPANSION_LABEL),
1074 	    seed, (size_t)sizeof (seed),
1075 	    ssl->pending_keyblock,
1076 	    (size_t)ssl->pending_keyblksz));
1077 
1078 }
1079 
1080 static void
1081 kssl_generate_keyblock(ssl_t *ssl)
1082 {
1083 	uchar_t *ms;
1084 	size_t mslen = SSL3_MASTER_SECRET_LEN;
1085 	int hlen = MD5_HASH_LEN;
1086 	uchar_t *keys = ssl->pending_keyblock;
1087 	int steps = howmany(ssl->pending_keyblksz, hlen);
1088 	int i;
1089 
1090 	ms = ssl->sid.master_secret;
1091 
1092 	ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH);
1093 
1094 	for (i = 1; i <= steps; i++) {
1095 		kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1);
1096 		keys += hlen;
1097 	}
1098 }
1099 
1100 static char *ssl3_key_derive_seeds[9] = {"A", "BB", "CCC", "DDDD", "EEEEE",
1101 	"FFFFFF", "GGGGGGG", "HHHHHHHH", "IIIIIIIII"};
1102 
1103 static void
1104 kssl_ssl3_key_material_derive_step(
1105 	ssl_t *ssl,
1106 	uchar_t *secret,
1107 	size_t secretlen,
1108 	int step,
1109 	uchar_t *dst,
1110 	int sr_first)
1111 {
1112 	SHA1_CTX sha1, *sha1ctx;
1113 	MD5_CTX md5, *md5ctx;
1114 	uchar_t sha1_hash[SHA1_HASH_LEN];
1115 
1116 	sha1ctx = &sha1;
1117 	md5ctx = &md5;
1118 
1119 	ASSERT(step <=
1120 	    sizeof (ssl3_key_derive_seeds) /
1121 	    sizeof (ssl3_key_derive_seeds[0]));
1122 	step--;
1123 
1124 	SHA1Init(sha1ctx);
1125 	SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step],
1126 	    step + 1);
1127 	SHA1Update(sha1ctx, secret, secretlen);
1128 	if (sr_first) {
1129 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1130 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1131 	} else {
1132 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1133 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1134 	}
1135 	SHA1Final(sha1_hash, sha1ctx);
1136 
1137 	MD5Init(md5ctx);
1138 	MD5Update(md5ctx, secret, secretlen);
1139 	MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN);
1140 	MD5Final(dst, md5ctx);
1141 }
1142 
1143 static int
1144 kssl_send_certificate_and_server_hello_done(ssl_t *ssl)
1145 {
1146 	int cur_reclen;
1147 	int mss;
1148 	int len, copylen;
1149 	mblk_t *mp;
1150 	uchar_t *cert_buf;
1151 	int cert_len;
1152 	uchar_t *msgbuf;
1153 	Certificate_t *cert;
1154 
1155 	cert = ssl->kssl_entry->ke_server_certificate;
1156 	if (cert == NULL) {
1157 		return (ENOENT);
1158 	}
1159 	cert_buf = cert->msg;
1160 	cert_len = cert->len;
1161 
1162 	mp = ssl->handshake_sendbuf;
1163 	mss = ssl->tcp_mss;
1164 	ASSERT(mp != NULL);
1165 	cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN;
1166 	ASSERT(cur_reclen == KSSL_SSL3_SH_RECLEN);
1167 	/* Assume MSS is at least 80 bytes */
1168 	ASSERT(mss > cur_reclen + SSL3_HDR_LEN);
1169 	ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */
1170 
1171 	copylen = mss - (cur_reclen + SSL3_HDR_LEN);
1172 	len = cert_len;
1173 	copylen = MIN(copylen, len);
1174 	copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1175 
1176 	/* new record always starts in a new mblk for simplicity */
1177 	msgbuf = cert_buf;
1178 	for (;;) {
1179 		ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim);
1180 		bcopy(msgbuf, mp->b_wptr, copylen);
1181 		msgbuf += copylen;
1182 		mp->b_wptr += copylen;
1183 		cur_reclen += copylen;
1184 		len -= copylen;
1185 		if (len == 0) {
1186 			break;
1187 		}
1188 		if (cur_reclen == SSL3_MAX_RECORD_LENGTH) {
1189 			cur_reclen = 0;
1190 		}
1191 		copylen = MIN(len, mss);
1192 		copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1193 		mp->b_cont = allocb(copylen, BPRI_HI);
1194 		if (mp->b_cont == NULL) {
1195 			KSSL_COUNTER(alloc_fails, 1);
1196 			freemsg(ssl->handshake_sendbuf);
1197 			ssl->handshake_sendbuf = NULL;
1198 			return (ENOMEM);
1199 		}
1200 		mp = mp->b_cont;
1201 		if (cur_reclen == 0) {
1202 			mp->b_wptr[0] = content_handshake;
1203 			mp->b_wptr[1] = ssl->major_version;
1204 			mp->b_wptr[2] = ssl->minor_version;
1205 			cur_reclen = MIN(len, SSL3_MAX_RECORD_LENGTH);
1206 			mp->b_wptr[3] = (cur_reclen >> 8) & 0xff;
1207 			mp->b_wptr[4] = (cur_reclen) & 0xff;
1208 			mp->b_wptr += SSL3_HDR_LEN;
1209 			cur_reclen = 0;
1210 			copylen = MIN(copylen, mss - SSL3_HDR_LEN);
1211 		}
1212 	}
1213 
1214 	/* adjust the record length field for the first record */
1215 	mp = ssl->handshake_sendbuf;
1216 	cur_reclen = MIN(KSSL_SSL3_SH_RECLEN + cert_len,
1217 	    SSL3_MAX_RECORD_LENGTH);
1218 	mp->b_rptr[3] = (cur_reclen >> 8) & 0xff;
1219 	mp->b_rptr[4] = (cur_reclen) & 0xff;
1220 
1221 	kssl_update_handshake_hashes(ssl, cert_buf, cert_len);
1222 
1223 	return (0);
1224 }
1225 
1226 static int
1227 kssl_send_change_cipher_specs(ssl_t *ssl)
1228 {
1229 	mblk_t *mp, *newmp;
1230 	uchar_t *buf;
1231 
1232 	mp = ssl->handshake_sendbuf;
1233 
1234 	/* We're most likely to hit the fast path for resumed sessions */
1235 	if ((mp != NULL) &&
1236 	    (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) {
1237 		buf = mp->b_wptr;
1238 	} else {
1239 		newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI);
1240 
1241 		if (newmp == NULL)
1242 			return (ENOMEM);	/* need to do better job! */
1243 
1244 		if (mp == NULL) {
1245 			ssl->handshake_sendbuf = newmp;
1246 		} else {
1247 			linkb(ssl->handshake_sendbuf, newmp);
1248 		}
1249 		mp = newmp;
1250 		buf = mp->b_rptr;
1251 	}
1252 
1253 	/* 5 byte record header */
1254 	buf[0] = content_change_cipher_spec;
1255 	buf[1] = ssl->major_version;
1256 	buf[2] = ssl->minor_version;
1257 	buf[3] = 0;
1258 	buf[4] = 1;
1259 	buf += SSL3_HDR_LEN;
1260 
1261 	buf[0] = 1;
1262 
1263 	mp->b_wptr = buf + 1;
1264 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
1265 
1266 	ssl->seq_num[KSSL_WRITE] = 0;
1267 	return (kssl_spec_init(ssl, KSSL_WRITE));
1268 }
1269 
1270 int
1271 kssl_spec_init(ssl_t *ssl, int dir)
1272 {
1273 	KSSL_HASHCTX *ctx;
1274 	KSSLCipherSpec *spec = &ssl->spec[dir];
1275 	int ret = 0;
1276 
1277 	spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz;
1278 	spec->mac_padsz = mac_defs[ssl->pending_malg].padsz;
1279 
1280 	spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit;
1281 	spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate;
1282 	spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal;
1283 
1284 	if (dir == KSSL_READ) {
1285 		bcopy(ssl->pending_keyblock, ssl->mac_secret[dir],
1286 		    spec->mac_hashsz);
1287 	} else {
1288 		bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]),
1289 		    ssl->mac_secret[dir], spec->mac_hashsz);
1290 	}
1291 
1292 	/* Pre-compute these here. will save cycles on each record later */
1293 	if (!IS_TLS(ssl)) {
1294 		ctx = &ssl->mac_ctx[dir][0];
1295 		spec->MAC_HashInit((void *)ctx);
1296 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1297 		    spec->mac_hashsz);
1298 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_1,
1299 		    spec->mac_padsz);
1300 
1301 		ctx = &ssl->mac_ctx[dir][1];
1302 		spec->MAC_HashInit((void *)ctx);
1303 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1304 		    spec->mac_hashsz);
1305 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_2,
1306 		    spec->mac_padsz);
1307 	}
1308 
1309 	spec->cipher_type = cipher_defs[ssl->pending_calg].type;
1310 	spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type;
1311 	spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize;
1312 	spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz;
1313 
1314 	if (spec->cipher_ctx != NULL) {
1315 		crypto_cancel_ctx(spec->cipher_ctx);
1316 		spec->cipher_ctx = 0;
1317 	}
1318 
1319 	/*
1320 	 * Initialize HMAC keys for TLS and SSL3 HMAC keys
1321 	 * for SSL 3.0.
1322 	 */
1323 	if (IS_TLS(ssl)) {
1324 		if (ssl->pending_malg == mac_md5) {
1325 			spec->hmac_mech = hmac_md5_mech;
1326 		} else if (ssl->pending_malg == mac_sha) {
1327 			spec->hmac_mech = hmac_sha1_mech;
1328 		}
1329 
1330 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1331 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1332 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1333 	} else {
1334 		static uint32_t param;
1335 
1336 		spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID;
1337 		spec->hmac_mech.cm_param = (caddr_t)&param;
1338 		spec->hmac_mech.cm_param_len = sizeof (param);
1339 		if (ssl->pending_malg == mac_md5) {
1340 			spec->hmac_mech.cm_type =
1341 			    crypto_mech2id("CKM_SSL3_MD5_MAC");
1342 			param = MD5_HASH_LEN;
1343 		} else if (ssl->pending_malg == mac_sha) {
1344 			spec->hmac_mech.cm_type =
1345 			    crypto_mech2id("CKM_SSL3_SHA1_MAC");
1346 			param = SHA1_HASH_LEN;
1347 		}
1348 
1349 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1350 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1351 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1352 	}
1353 
1354 	/* We're done if this is the nil cipher */
1355 	if (spec->cipher_keysz == 0) {
1356 		return (0);
1357 	}
1358 
1359 	/* Initialize the key and the active context */
1360 	spec->cipher_key.ck_format = CRYPTO_KEY_RAW;
1361 	spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */
1362 
1363 	if (cipher_defs[ssl->pending_calg].bsize > 0) {
1364 		/* client_write_IV */
1365 		spec->cipher_mech.cm_param =
1366 		    (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz +
1367 		    2 * spec->cipher_keysz]);
1368 		spec->cipher_mech.cm_param_len = spec->cipher_bsize;
1369 	}
1370 	spec->cipher_data.cd_format = CRYPTO_DATA_RAW;
1371 	if (dir == KSSL_READ) {
1372 		spec->cipher_mech.cm_param_len =
1373 		    cipher_defs[ssl->pending_calg].bsize;
1374 
1375 		/* client_write_key */
1376 		spec->cipher_key.ck_data =
1377 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz]);
1378 
1379 		ret = crypto_decrypt_init(&(spec->cipher_mech),
1380 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1381 		if (CRYPTO_ERR(ret)) {
1382 			DTRACE_PROBE1(kssl_err__crypto_decrypt_init_read,
1383 			    int, ret);
1384 		}
1385 	} else {
1386 		if (cipher_defs[ssl->pending_calg].bsize > 0) {
1387 			/* server_write_IV */
1388 			spec->cipher_mech.cm_param += spec->cipher_bsize;
1389 		}
1390 
1391 		/* server_write_key */
1392 		spec->cipher_key.ck_data =
1393 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz +
1394 		    spec->cipher_keysz]);
1395 
1396 		ret = crypto_encrypt_init(&(spec->cipher_mech),
1397 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1398 		if (CRYPTO_ERR(ret))
1399 			DTRACE_PROBE1(kssl_err__crypto_encrypt_init_non_read,
1400 			    int, ret);
1401 	}
1402 	return (ret);
1403 }
1404 
1405 static int
1406 kssl_send_finished(ssl_t *ssl, int update_hsh)
1407 {
1408 	mblk_t *mp;
1409 	uchar_t *buf;
1410 	uchar_t *rstart;
1411 	uchar_t *versionp;
1412 	SSL3Hashes ssl3hashes;
1413 	size_t finish_len;
1414 	int ret = 0;
1415 
1416 	mp = ssl->handshake_sendbuf;
1417 	ASSERT(mp != NULL);
1418 	buf = mp->b_wptr;
1419 	ASSERT(buf - mp->b_rptr == SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN +
1420 	    SSL3_HDR_LEN + 1 || buf - mp->b_rptr == SSL3_HDR_LEN + 1);
1421 
1422 	rstart = buf;
1423 
1424 	if (IS_TLS(ssl))
1425 		finish_len = TLS_FINISHED_SIZE;
1426 	else
1427 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1428 
1429 	/* 5 byte record header */
1430 	buf[0] = content_handshake;
1431 	buf[1] = ssl->major_version;
1432 	buf[2] = ssl->minor_version;
1433 	buf[3] = 0;
1434 	buf[4] = 4 + finish_len;
1435 
1436 	versionp = &buf[1];
1437 
1438 	buf += SSL3_HDR_LEN;
1439 
1440 	/* 4 byte message header */
1441 	buf[0] = (uchar_t)finished;	/* message type */
1442 	buf[1] = 0;			/* message len byte 0 */
1443 	buf[2] = 0;			/* message len byte 1 */
1444 	buf[3] = finish_len;	/* message len byte 2 */
1445 	buf += 4;
1446 
1447 	if (IS_TLS(ssl)) {
1448 		bcopy(ssl->hs_hashes.md5, ssl3hashes.md5,
1449 		    sizeof (ssl3hashes.md5));
1450 		bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1,
1451 		    sizeof (ssl3hashes.sha1));
1452 	}
1453 
1454 	/* Compute hashes for the SENDER side */
1455 	ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server);
1456 	if (ret != 0)
1457 		return (ret);
1458 
1459 	if (IS_TLS(ssl)) {
1460 		bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash));
1461 	} else {
1462 		bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN);
1463 		bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN);
1464 	}
1465 
1466 	if (update_hsh) {
1467 		kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4);
1468 	}
1469 
1470 	mp->b_wptr = buf + finish_len;
1471 
1472 	ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp,
1473 	    rstart, mp);
1474 	ASSERT(mp->b_wptr <= mp->b_datap->db_lim);
1475 
1476 	return (ret);
1477 }
1478 
1479 int
1480 kssl_mac_encrypt_record(ssl_t *ssl,
1481 	SSL3ContentType ct,
1482 	uchar_t *versionp,
1483 	uchar_t *rstart,
1484 	mblk_t *mp)
1485 {
1486 	KSSLCipherSpec *spec;
1487 	int mac_sz;
1488 	int ret = 0;
1489 	uint16_t rec_sz;
1490 	int pad_sz;
1491 	int i;
1492 
1493 	ASSERT(ssl != NULL);
1494 	ASSERT(rstart >= mp->b_rptr);
1495 	ASSERT(rstart < mp->b_wptr);
1496 
1497 	spec = &ssl->spec[KSSL_WRITE];
1498 	mac_sz = spec->mac_hashsz;
1499 
1500 	rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN;
1501 	ASSERT(rec_sz > 0);
1502 
1503 	if (mac_sz != 0) {
1504 		ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim);
1505 		ret = kssl_compute_record_mac(ssl, KSSL_WRITE,
1506 		    ssl->seq_num[KSSL_WRITE], ct, versionp,
1507 		    rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr);
1508 		if (ret == CRYPTO_SUCCESS) {
1509 			ssl->seq_num[KSSL_WRITE]++;
1510 			mp->b_wptr += mac_sz;
1511 			rec_sz += mac_sz;
1512 		} else {
1513 			return (ret);
1514 		}
1515 	}
1516 
1517 	if (spec->cipher_type == type_block) {
1518 		pad_sz = spec->cipher_bsize -
1519 		    (rec_sz & (spec->cipher_bsize - 1));
1520 		ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim);
1521 		for (i = 0; i < pad_sz; i++) {
1522 			mp->b_wptr[i] = pad_sz - 1;
1523 		}
1524 		mp->b_wptr += pad_sz;
1525 		rec_sz += pad_sz;
1526 	}
1527 
1528 	ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH);
1529 
1530 	U16_TO_BE16(rec_sz, rstart + 3);
1531 
1532 	if (spec->cipher_ctx == 0)
1533 		return (ret);
1534 
1535 	spec->cipher_data.cd_length = rec_sz;
1536 	spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN);
1537 	spec->cipher_data.cd_raw.iov_len = rec_sz;
1538 	/* One record at a time. Otherwise, gotta allocate the crypt_data_t */
1539 	ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data,
1540 	    NULL, NULL);
1541 	if (CRYPTO_ERR(ret)) {
1542 		DTRACE_PROBE1(kssl_err__crypto_encrypt_update,
1543 		    int, ret);
1544 	}
1545 	return (ret);
1546 }
1547 
1548 void
1549 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc)
1550 {
1551 	mblk_t *mp;
1552 	uchar_t *buf;
1553 	KSSLCipherSpec *spec;
1554 
1555 	ASSERT(ssl != NULL);
1556 
1557 	ssl->sendalert_level = level;
1558 	ssl->sendalert_desc = desc;
1559 
1560 	if (level == alert_fatal) {
1561 		DTRACE_PROBE2(kssl_sending_alert,
1562 		    SSL3AlertLevel, level, SSL3AlertDescription, desc);
1563 		if (ssl->sid.cached == B_TRUE) {
1564 			kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
1565 			ssl->sid.cached = B_FALSE;
1566 		}
1567 		ssl->fatal_alert = B_TRUE;
1568 		KSSL_COUNTER(fatal_alerts, 1);
1569 	} else
1570 		KSSL_COUNTER(warning_alerts, 1);
1571 
1572 	spec = &ssl->spec[KSSL_WRITE];
1573 
1574 	ASSERT(ssl->alert_sendbuf == NULL);
1575 	ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz +
1576 	    spec->cipher_bsize, BPRI_HI);
1577 	if (mp == NULL) {
1578 		KSSL_COUNTER(alloc_fails, 1);
1579 		return;
1580 	}
1581 	buf = mp->b_wptr;
1582 
1583 	/* 5 byte record header */
1584 	buf[0] = content_alert;
1585 	buf[1] = ssl->major_version;
1586 	buf[2] = ssl->minor_version;
1587 	buf[3] = 0;
1588 	buf[4] = 2;
1589 	buf += SSL3_HDR_LEN;
1590 
1591 	/* alert contents */
1592 	buf[0] = (uchar_t)level;
1593 	buf[1] = (uchar_t)desc;
1594 
1595 	mp->b_wptr = buf + 2;
1596 }
1597 
1598 /* Assumes RSA encryption */
1599 static int
1600 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen,
1601     kssl_callback_t cbfn, void *arg)
1602 {
1603 	char *buf;
1604 	uchar_t *pms;
1605 	size_t pmslen;
1606 	int allocated;
1607 	int err, rverr = ENOMEM;
1608 	kssl_entry_t *ep;
1609 	crypto_key_t *privkey;
1610 	crypto_data_t *wrapped_pms_data, *pms_data;
1611 	crypto_call_req_t creq, *creqp;
1612 
1613 	ep = ssl->kssl_entry;
1614 	privkey = ep->ke_private_key;
1615 	if (privkey == NULL) {
1616 		return (ENOENT);
1617 	}
1618 
1619 	ASSERT(ssl->msg.type == client_key_exchange);
1620 	ASSERT(ssl->hs_waitstate == wait_client_key);
1621 
1622 	/*
1623 	 * TLS adds an extra 2 byte length field before the data.
1624 	 */
1625 	if (IS_TLS(ssl)) {
1626 		msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1];
1627 		mp->b_rptr += 2;
1628 	}
1629 
1630 	/*
1631 	 * Allocate all we need in one shot. about 300 bytes total, for
1632 	 * 1024 bit RSA modulus.
1633 	 * The buffer layout will be: pms_data, wrapped_pms_data, the
1634 	 * value of the wrapped pms from the client, then room for the
1635 	 * resulting decrypted premaster secret.
1636 	 */
1637 	allocated = 2 * (sizeof (crypto_data_t) + msglen);
1638 	buf = kmem_alloc(allocated, KM_NOSLEEP);
1639 	if (buf == NULL) {
1640 		return (ENOMEM);
1641 	}
1642 
1643 	pms_data = (crypto_data_t *)buf;
1644 	wrapped_pms_data = &(((crypto_data_t *)buf)[1]);
1645 
1646 	wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW;
1647 	wrapped_pms_data->cd_offset = pms_data->cd_offset = 0;
1648 	wrapped_pms_data->cd_length = pms_data->cd_length = msglen;
1649 	wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL;
1650 	wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen;
1651 	wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t);
1652 	pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen;
1653 
1654 	bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen);
1655 	mp->b_rptr += msglen;
1656 
1657 	/* Proceed synchronously if out of interrupt and configured to do so */
1658 	if ((kssl_synchronous) && (!servicing_interrupt())) {
1659 		creqp = NULL;
1660 	} else {
1661 		ssl->cke_callback_func = cbfn;
1662 		ssl->cke_callback_arg = arg;
1663 		creq.cr_flag = kssl_call_flag;
1664 		creq.cr_callback_func = kssl_cke_done;
1665 		creq.cr_callback_arg = ssl;
1666 
1667 		/* The callback routine will release this one */
1668 		KSSL_SSL_REFHOLD(ssl);
1669 
1670 		creqp = &creq;
1671 	}
1672 
1673 	if (ep->ke_is_nxkey) {
1674 		kssl_session_info_t *s;
1675 
1676 		s = ep->ke_sessinfo;
1677 		err = CRYPTO_SUCCESS;
1678 		if (!s->is_valid_handle) {
1679 			/* Reauthenticate to the provider */
1680 			if (s->do_reauth) {
1681 				err = kssl_get_obj_handle(ep);
1682 				if (err == CRYPTO_SUCCESS) {
1683 					s->is_valid_handle = B_TRUE;
1684 					s->do_reauth = B_FALSE;
1685 				}
1686 			} else
1687 				err = CRYPTO_FAILED;
1688 		}
1689 
1690 		if (err == CRYPTO_SUCCESS) {
1691 			ASSERT(s->is_valid_handle);
1692 			err = crypto_decrypt_prov(s->prov, s->sid,
1693 			    &rsa_x509_mech, wrapped_pms_data, &s->key,
1694 			    NULL, pms_data, creqp);
1695 		}
1696 
1697 		/*
1698 		 * Deal with session specific errors. We translate to
1699 		 * the closest errno.
1700 		 */
1701 		switch (err) {
1702 		case CRYPTO_KEY_HANDLE_INVALID:
1703 		case CRYPTO_SESSION_HANDLE_INVALID:
1704 			s->is_valid_handle = B_FALSE;
1705 			s->do_reauth = B_TRUE;
1706 			rverr = EINVAL;
1707 			break;
1708 		case CRYPTO_PIN_EXPIRED:
1709 		case CRYPTO_PIN_LOCKED:
1710 			rverr = EACCES;
1711 			break;
1712 		case CRYPTO_UNKNOWN_PROVIDER:
1713 			rverr = ENXIO;
1714 			break;
1715 		}
1716 	} else {
1717 		err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data,
1718 		    privkey, NULL, pms_data, creqp);
1719 	}
1720 
1721 	switch (err) {
1722 	case CRYPTO_SUCCESS:
1723 		break;
1724 
1725 	case CRYPTO_QUEUED:
1726 		/*
1727 		 * Finish the master secret then the rest of key material
1728 		 * derivation later.
1729 		 */
1730 		ssl->job.kjob = creq.cr_reqid;
1731 		ssl->job.buf = buf;
1732 		ssl->job.buflen = allocated;
1733 		ssl->hs_waitstate = wait_client_key_done;
1734 		return (0);
1735 	default:
1736 		DTRACE_PROBE1(kssl_err__crypto_decrypt, int, err);
1737 		kmem_free(buf, allocated);
1738 		return (rverr);
1739 	}
1740 
1741 	pmslen = pms_data->cd_length;
1742 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1743 
1744 	/* generate master key and save it in the ssl sid structure */
1745 	if (IS_TLS(ssl)) {
1746 		err = kssl_generate_tls_ms(ssl, pms, pmslen);
1747 		if (!CRYPTO_ERR(err))
1748 			err = kssl_generate_tls_keyblock(ssl);
1749 	} else {
1750 		kssl_generate_ssl_ms(ssl, pms, pmslen);
1751 		kssl_generate_keyblock(ssl);
1752 	}
1753 
1754 	if (err == CRYPTO_SUCCESS)
1755 		ssl->hs_waitstate = wait_change_cipher;
1756 
1757 	ssl->activeinput = B_FALSE;
1758 
1759 	kmem_free(buf, allocated);
1760 
1761 	return (0);
1762 }
1763 
1764 static int
1765 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen)
1766 {
1767 	int err;
1768 	size_t finish_len;
1769 	int hashcompare;
1770 
1771 	ASSERT(ssl->msg.type == finished);
1772 	ASSERT(ssl->hs_waitstate == wait_finished);
1773 
1774 	if (IS_TLS(ssl))
1775 		finish_len = TLS_FINISHED_SIZE;
1776 	else
1777 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1778 
1779 	if (msglen != finish_len) {
1780 		kssl_send_alert(ssl, alert_fatal, illegal_parameter);
1781 		return (EBADMSG);
1782 	}
1783 
1784 	if (IS_TLS(ssl)) {
1785 		hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash,
1786 		    finish_len);
1787 	} else {
1788 		hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len);
1789 	}
1790 
1791 	/* The handshake hashes should be computed by now */
1792 	if (hashcompare != 0) {
1793 		kssl_send_alert(ssl, alert_fatal, handshake_failure);
1794 		return (EBADMSG);
1795 	}
1796 
1797 	mp->b_rptr += msglen;
1798 
1799 	ssl->hs_waitstate = idle_handshake;
1800 
1801 	if (ssl->resumed == B_TRUE) {
1802 		ssl->activeinput = B_FALSE;
1803 		return (0);
1804 	}
1805 
1806 	err = kssl_send_change_cipher_specs(ssl);
1807 	if (err != 0) {
1808 		return (err);
1809 	}
1810 	err = kssl_send_finished(ssl, 0);
1811 	if (err != 0) {
1812 		return (err);
1813 	}
1814 
1815 	ASSERT(ssl->sid.cached == B_FALSE);
1816 	ssl->sid.cached = B_TRUE;
1817 	kssl_cache_sid(&ssl->sid, ssl->kssl_entry);
1818 	ssl->activeinput = B_FALSE;
1819 
1820 	return (0);
1821 }
1822 
1823 #define	KSSL2_CH_MIN_RECSZ	(9)
1824 
1825 /*
1826  * This method is needed to handle clients which send the
1827  * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers.
1828  * We are not really doing SSLv2 here, just handling the header
1829  * and then switching to SSLv3.
1830  */
1831 int
1832 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz)
1833 {
1834 	uchar_t *recend;
1835 	int err;
1836 	SSL3AlertDescription desc = illegal_parameter;
1837 	uint_t randlen;
1838 	uint_t sidlen;
1839 	uint_t cslen;
1840 	uchar_t *suitesp;
1841 	uchar_t *rand;
1842 	uint_t i, j;
1843 	uint16_t suite;
1844 	int ch_recsz = KSSL2_CH_MIN_RECSZ;
1845 
1846 	ASSERT(mp->b_wptr >= mp->b_rptr + recsz);
1847 	ASSERT(ssl->hs_waitstate == wait_client_hello);
1848 	ASSERT(ssl->resumed == B_FALSE);
1849 
1850 	if (recsz < ch_recsz) {
1851 		goto falert;
1852 	}
1853 
1854 	MD5Init(&ssl->hs_md5);
1855 	SHA1Init(&ssl->hs_sha1);
1856 
1857 	kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz);
1858 
1859 	recend = mp->b_rptr + recsz;
1860 
1861 	if (*mp->b_rptr != 1) {
1862 		goto falert;
1863 	}
1864 	mp->b_rptr += 3;
1865 
1866 	cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
1867 	sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3];
1868 	randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5];
1869 	if (cslen % 3 != 0) {
1870 		DTRACE_PROBE1(kssl_err__cipher_suites_len_error, uint_t, cslen);
1871 		goto falert;
1872 	}
1873 	if (randlen < SSL_MIN_CHALLENGE_BYTES ||
1874 	    randlen > SSL_MAX_CHALLENGE_BYTES) {
1875 		DTRACE_PROBE1(kssl_err__randlen_out_of_range,
1876 		    uint_t, randlen);
1877 		goto falert;
1878 	}
1879 	mp->b_rptr += 6;
1880 	ch_recsz += cslen + sidlen + randlen;
1881 	if (recsz != ch_recsz) {
1882 		goto falert;
1883 	}
1884 	suitesp = mp->b_rptr;
1885 	rand = suitesp + cslen + sidlen;
1886 	if (randlen < SSL3_RANDOM_LENGTH) {
1887 		bzero(ssl->client_random, SSL3_RANDOM_LENGTH);
1888 	}
1889 	bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen],
1890 	    randlen);
1891 
1892 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
1893 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
1894 		for (j = 0; j < cslen; j += 3) {
1895 			if (suitesp[j] != 0) {
1896 				continue;
1897 			}
1898 
1899 			if (suitesp[j + 1] == ((suite >> 8) & 0xff) &&
1900 			    suitesp[j + 2] == (suite & 0xff)) {
1901 				break;
1902 			}
1903 		}
1904 		if (j < cslen) {
1905 			break;
1906 		}
1907 	}
1908 	if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) {
1909 		DTRACE_PROBE(kssl_err__no_SSLv2_cipher_suite);
1910 		ssl->activeinput = B_FALSE;
1911 		return (SSL_MISS);
1912 	}
1913 
1914 	mp->b_rptr = recend;
1915 
1916 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
1917 		if (suite == cipher_suite_defs[i].suite) {
1918 			break;
1919 		}
1920 	}
1921 
1922 	ASSERT(i < cipher_suite_defs_nentries);
1923 
1924 	ssl->pending_cipher_suite = suite;
1925 	ssl->pending_malg = cipher_suite_defs[i].malg;
1926 	ssl->pending_calg = cipher_suite_defs[i].calg;
1927 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
1928 
1929 	ASSERT(ssl->sid.cached == B_FALSE);
1930 
1931 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
1932 	    SSL3_SESSIONID_BYTES);
1933 	ssl->sid.client_addr = ssl->faddr;
1934 	ssl->sid.cipher_suite = suite;
1935 
1936 	err = kssl_send_server_hello(ssl);
1937 	if (err != 0) {
1938 		return (err);
1939 	}
1940 	err = kssl_send_certificate_and_server_hello_done(ssl);
1941 	if (err != 0) {
1942 		return (err);
1943 	}
1944 	KSSL_COUNTER(full_handshakes, 1);
1945 	ssl->hs_waitstate = wait_client_key;
1946 	ssl->activeinput = B_FALSE;
1947 	return (0);
1948 
1949 falert:
1950 	kssl_send_alert(ssl, alert_fatal, desc);
1951 	ssl->activeinput = B_FALSE;
1952 	return (EBADMSG);
1953 }
1954 
1955 /*
1956  * Call back routine for asynchronously submitted RSA decryption jobs.
1957  * This routine retrieves the pre-master secret, and proceeds to generate
1958  * the remaining key materials.
1959  */
1960 static void
1961 kssl_cke_done(void *arg, int status)
1962 {
1963 	int ret = 0;
1964 	uchar_t *pms;
1965 	size_t pmslen;
1966 	crypto_data_t *pms_data;
1967 	kssl_cmd_t kssl_cmd = KSSL_CMD_NONE;
1968 	ssl_t *ssl = (ssl_t *)arg;
1969 	mblk_t *alertmp;
1970 	kssl_callback_t cbfn;
1971 	void *cbarg;
1972 
1973 	mutex_enter(&ssl->kssl_lock);
1974 
1975 	ASSERT(ssl->msg.type == client_key_exchange);
1976 	ASSERT(ssl->hs_waitstate == wait_client_key_done);
1977 
1978 	if (status != CRYPTO_SUCCESS) {
1979 		kssl_send_alert(ssl, alert_fatal, decrypt_error);
1980 		kssl_cmd = KSSL_CMD_SEND;
1981 		goto out;
1982 	}
1983 
1984 	pms_data = (crypto_data_t *)(ssl->job.buf);
1985 
1986 	ASSERT(pms_data != NULL);
1987 
1988 	pmslen = pms_data->cd_length;
1989 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1990 
1991 	/* generate master key and save it in the ssl sid structure */
1992 	if (IS_TLS(ssl)) {
1993 		ret = kssl_generate_tls_ms(ssl, pms, pmslen);
1994 		if (!CRYPTO_ERR(ret))
1995 			ret = kssl_generate_tls_keyblock(ssl);
1996 	} else {
1997 		kssl_generate_ssl_ms(ssl, pms, pmslen);
1998 		kssl_generate_keyblock(ssl);
1999 	}
2000 
2001 	if (ret == CRYPTO_SUCCESS)
2002 		ssl->hs_waitstate = wait_change_cipher;
2003 
2004 out:
2005 	kmem_free(ssl->job.buf, ssl->job.buflen);
2006 
2007 	ssl->job.kjob = 0;
2008 	ssl->job.buf = NULL;
2009 	ssl->job.buflen = 0;
2010 
2011 	ssl->activeinput = B_FALSE;
2012 
2013 	/* If we're the only ones left, then we won't callback */
2014 	if (ssl->kssl_refcnt == 1) {
2015 		mutex_exit(&ssl->kssl_lock);
2016 		KSSL_SSL_REFRELE(ssl);
2017 		return;
2018 	}
2019 
2020 	cbfn = ssl->cke_callback_func;
2021 	cbarg = ssl->cke_callback_arg;
2022 	alertmp = ssl->alert_sendbuf;
2023 	ssl->alert_sendbuf = NULL;
2024 
2025 	mutex_exit(&ssl->kssl_lock);
2026 
2027 	KSSL_SSL_REFRELE(ssl);
2028 
2029 	/* Now call the callback routine */
2030 	(*(cbfn))(cbarg, alertmp, kssl_cmd);
2031 }
2032 
2033 /*
2034  * Returns the first complete contiguous record out of rec_ass_head
2035  * The record is returned in a separate contiguous mblk, rec_ass_head is
2036  * left pointing to the next record in the queue.
2037  *
2038  * The output looks as follows:
2039  *
2040  * |--------|---------- .... -----|<---------->|<----------->|--- ... ---|
2041  * ^        ^                     ^  mac_size     pad_size               ^
2042  * |        |___ b_rptr  b_wptr __|                                      |
2043  * |                                                                     |
2044  * |___ db_base                                                db_lim ___|
2045  */
2046 mblk_t *
2047 kssl_get_next_record(ssl_t *ssl)
2048 {
2049 	mblk_t *mp, *retmp;
2050 	int rhsz = SSL3_HDR_LEN;
2051 	uint16_t rec_sz;
2052 	int mpsz, total_size;
2053 	SSL3ContentType content_type;
2054 
2055 	ASSERT(MUTEX_HELD(&ssl->kssl_lock));
2056 
2057 	mp = ssl->rec_ass_head;
2058 	if (mp == NULL)
2059 		return (NULL);
2060 
2061 	/* Fast path: when mp has at least a complete record */
2062 	if (MBLKL(mp) < rhsz) {
2063 		DTRACE_PROBE1(kssl_mblk__incomplete_header,
2064 		    mblk_t *, mp);
2065 		/* Not even a complete header in there yet */
2066 		if (msgdsize(mp) < rhsz) {
2067 			return (NULL);
2068 		}
2069 
2070 		if (!pullupmsg(mp, rhsz)) {
2071 			kssl_send_alert(ssl, alert_fatal, internal_error);
2072 			freemsg(mp);
2073 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2074 			return (NULL);
2075 		}
2076 	}
2077 	content_type = (SSL3ContentType)mp->b_rptr[0];
2078 	if (content_type == content_handshake_v2) {
2079 		DTRACE_PROBE1(kssl_mblk__ssl_v2, mblk_t *, mp);
2080 		rec_sz = (uint16_t)mp->b_rptr[1];
2081 		rhsz = 2;
2082 	} else {
2083 		DTRACE_PROBE1(kssl_mblk__ssl_v3, mblk_t *, mp);
2084 		uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3;
2085 		rec_sz = BE16_TO_U16(rec_sz_p);
2086 	}
2087 
2088 	/*
2089 	 * same tests as above. Only rare very fragmented cases will
2090 	 * incur the cost of msgdsize() and msgpullup(). Well formed
2091 	 * packets will fall in the most frequent fast path.
2092 	 */
2093 	total_size = rhsz + rec_sz;
2094 
2095 	/*
2096 	 * Missing: defensive against record fabricated with longer than
2097 	 * MAX record length.
2098 	 */
2099 	if (MBLKL(mp) < total_size) {
2100 		DTRACE_PROBE2(kssl_mblk__smaller_than_total_size,
2101 		    mblk_t *, mp, int, total_size);
2102 		/* Not a complete record yet. Keep accumulating */
2103 		if (msgdsize(mp) < total_size) {
2104 			return (NULL);
2105 		}
2106 
2107 		if (!pullupmsg(mp, total_size)) {
2108 			kssl_send_alert(ssl, alert_fatal, internal_error);
2109 			freemsg(mp);
2110 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2111 			return (NULL);
2112 		}
2113 	}
2114 	mpsz = MBLKL(mp);	/* could've changed after the pullup */
2115 
2116 	if (mpsz > total_size) {
2117 		DTRACE_PROBE2(kssl_mblk__bigger_than_total_size,
2118 		    mblk_t *, mp, int, total_size);
2119 		/* gotta allocate a new block */
2120 		if ((retmp = dupb(mp)) == NULL) {
2121 			kssl_send_alert(ssl, alert_fatal, internal_error);
2122 			freemsg(mp);
2123 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2124 			return (NULL);
2125 		}
2126 
2127 		retmp->b_wptr = retmp->b_rptr + total_size;
2128 		mp->b_rptr += total_size;
2129 		ssl->rec_ass_head = mp;
2130 	} else {
2131 		DTRACE_PROBE2(kssl_mblk__equal_to_total_size,
2132 		    mblk_t *, mp, int, total_size);
2133 		ASSERT(mpsz == total_size);
2134 		ssl->rec_ass_head = mp->b_cont;
2135 		mp->b_cont = NULL;
2136 		retmp = mp;
2137 	}
2138 	/* Adjust the tail */
2139 	if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) {
2140 		for (; mp->b_cont != NULL; mp = mp->b_cont) {
2141 			ssl->rec_ass_tail = mp->b_cont;
2142 		}
2143 	}
2144 
2145 	return (retmp);
2146 }
2147 
2148 
2149 static void
2150 kssl_mblksfree(ssl_t *ssl)
2151 {
2152 
2153 	ASSERT(ssl != NULL);
2154 
2155 	if (ssl->rec_ass_head != NULL) {
2156 		freemsg(ssl->rec_ass_head);
2157 	}
2158 	ssl->rec_ass_head = NULL;
2159 	ssl->rec_ass_tail = NULL;
2160 
2161 	if (ssl->msg.head != NULL) {
2162 		freemsg(ssl->msg.head);
2163 	}
2164 	ssl->msg.head = NULL;
2165 	ssl->msg.tail = NULL;
2166 
2167 	if (ssl->handshake_sendbuf != NULL) {
2168 		freemsg(ssl->handshake_sendbuf);
2169 		ssl->handshake_sendbuf = NULL;
2170 	}
2171 	if (ssl->alert_sendbuf != NULL) {
2172 		freemsg(ssl->alert_sendbuf);
2173 		ssl->alert_sendbuf = NULL;
2174 	}
2175 }
2176 
2177 static void
2178 kssl_specsfree(ssl_t *ssl)
2179 {
2180 	KSSLCipherSpec *spec = &ssl->spec[KSSL_READ];
2181 
2182 	if (spec->cipher_ctx != NULL) {
2183 		crypto_cancel_ctx(spec->cipher_ctx);
2184 		spec->cipher_ctx = 0;
2185 	}
2186 
2187 	spec = &ssl->spec[KSSL_WRITE];
2188 
2189 	if (spec->cipher_ctx != NULL) {
2190 		crypto_cancel_ctx(spec->cipher_ctx);
2191 		spec->cipher_ctx = 0;
2192 	}
2193 }
2194 
2195 /*
2196  * Frees the ssl structure (aka the context of an SSL session).
2197  * Any pending crypto jobs are cancelled.
2198  * Any initiated crypto contexts are freed as well.
2199  */
2200 void
2201 kssl_free_context(ssl_t *ssl)
2202 {
2203 	ASSERT(ssl != NULL);
2204 	if (!(MUTEX_HELD(&ssl->kssl_lock))) {
2205 		/* we're coming from an external API entry point */
2206 		mutex_enter(&ssl->kssl_lock);
2207 	}
2208 
2209 	if (ssl->job.kjob != NULL) {
2210 		crypto_cancel_req(ssl->job.kjob);
2211 		kmem_free(ssl->job.buf, ssl->job.buflen);
2212 
2213 		ssl->job.kjob = 0;
2214 		ssl->job.buf = NULL;
2215 		ssl->job.buflen = 0;
2216 	}
2217 
2218 	kssl_mblksfree(ssl);
2219 	kssl_specsfree(ssl);
2220 
2221 	KSSL_ENTRY_REFRELE(ssl->kssl_entry);
2222 	ssl->kssl_entry = NULL;
2223 
2224 	mutex_exit(&ssl->kssl_lock);
2225 
2226 	kmem_cache_free(kssl_cache, ssl);
2227 	kssl_cache_count--;
2228 }
2229