xref: /titanic_52/usr/src/uts/common/inet/kssl/ksslrec.c (revision 5bb86dd8f405a48942aaaab3ca1f410ed7e6db4d)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 #include <sys/stream.h>
30 #include <sys/strsubr.h>
31 #include <sys/stropts.h>
32 #include <sys/strsun.h>
33 #define	_SUN_TPI_VERSION 2
34 #include <sys/ddi.h>
35 #include <sys/sunddi.h>
36 #include <sys/debug.h>
37 #include <sys/vtrace.h>
38 #include <sys/kmem.h>
39 #include <sys/cpuvar.h>
40 #include <sys/atomic.h>
41 #include <sys/sysmacros.h>
42 
43 #include <sys/errno.h>
44 #include <sys/isa_defs.h>
45 #include <sys/md5.h>
46 #include <sys/sha1.h>
47 #include <sys/random.h>
48 #include <inet/common.h>
49 #include <netinet/in.h>
50 
51 #include <sys/systm.h>
52 #include <sys/param.h>
53 
54 #include "ksslimpl.h"
55 #include "ksslapi.h"
56 #include "ksslproto.h"
57 
58 static ssl3CipherSuiteDef cipher_suite_defs[] = {
59 	{SSL_RSA_WITH_RC4_128_SHA,	cipher_rc4,	mac_sha,	72},
60 	{SSL_RSA_WITH_RC4_128_MD5,	cipher_rc4,	mac_md5,	64},
61 	{SSL_RSA_WITH_DES_CBC_SHA,	cipher_des,	mac_sha,	72},
62 	{SSL_RSA_WITH_3DES_EDE_CBC_SHA,	cipher_3des,	mac_sha,	104},
63 	{SSL_RSA_WITH_NULL_SHA,		cipher_null,	mac_sha,	40}
64 };
65 
66 static int cipher_suite_defs_nentries =
67     sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]);
68 
69 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
70 	/* macsz padsz HashInit HashUpdate HashFinal */
71 
72 	{MD5_HASH_LEN, SSL3_MD5_PAD_LEN,
73 	    (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update,
74 	    (hashfinal_func_t)MD5Final},
75 
76 	{SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN,
77 	    (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update,
78 	    (hashfinal_func_t)SHA1Final},
79 };
80 
81 static uchar_t kssl_pad_1[60] = {
82     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
83     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
84     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
85     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
86     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
87     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
88     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
89     0x36, 0x36, 0x36, 0x36
90 };
91 static uchar_t kssl_pad_2[60] = {
92     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
93     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
94     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
95     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
96     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
97     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
98     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
99     0x5c, 0x5c, 0x5c, 0x5c
100 };
101 
102 int kssl_cache_count;
103 static boolean_t kssl_synchronous = B_FALSE;
104 
105 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t);
106 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t);
107 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int);
108 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int,
109     kssl_callback_t, void *);
110 static int kssl_send_server_hello(ssl_t *);
111 static int kssl_send_certificate_and_server_hello_done(ssl_t *);
112 static int kssl_send_change_cipher_specs(ssl_t *);
113 static int kssl_send_finished(ssl_t *, int);
114 static int kssl_handle_finished(ssl_t *, mblk_t *, int);
115 static void kssl_get_hello_random(uchar_t *);
116 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *);
117 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *);
118 static void kssl_lookup_sid(sslSessionID *, uchar_t *, ipaddr_t,
119     kssl_entry_t *);
120 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t);
121 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t);
122 static int kssl_generate_tls_keyblock(ssl_t *);
123 static void kssl_generate_keyblock(ssl_t *);
124 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t,
125     int, uchar_t *, int);
126 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t,
127     uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
128 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *,
129     size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
130 static void kssl_cke_done(void *, int);
131 
132 #define	MAX_TLS_KEYBLOCK_SIZE 160 /* more than enough for largest TLS key */
133 
134 #define	HMAC_INIT(m, k, c) \
135 	rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end;
136 
137 #define	HMAC_UPDATE(c, d, l) \
138 	dd.cd_raw.iov_base = (char *)d; \
139 	dd.cd_length = dd.cd_raw.iov_len = l; \
140 	rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end;
141 
142 #define	HMAC_FINAL(c, d, l) \
143 	mac.cd_raw.iov_base = (char *)d; \
144 	mac.cd_length = mac.cd_raw.iov_len = l; \
145 	rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end;
146 
147 /*
148  * This hack can go away once we have SSL3 MAC support by KCF
149  * software providers (See 4873559).
150  */
151 extern int kcf_md5_threshold;
152 
153 int
154 kssl_compute_record_mac(
155 	ssl_t *ssl,
156 	int direction,
157 	uint64_t seq_num,
158 	SSL3ContentType ct,
159 	uchar_t *versionp,
160 	uchar_t *buf,
161 	int len,
162 	uchar_t *digest)
163 {
164 	KSSL_HASHCTX mac_ctx;
165 	KSSL_HASHCTX *ctx = &mac_ctx;
166 	uchar_t temp[16], *p;
167 	KSSLCipherSpec *spec;
168 	boolean_t hash_use_ok = B_FALSE;
169 	int rv = 0;
170 
171 	spec = &ssl->spec[direction];
172 
173 	if (spec->mac_hashsz == 0) {
174 		return (1);
175 	}
176 
177 	p = temp;
178 
179 	*p++ = (seq_num >> 56) & 0xff;
180 	*p++ = (seq_num >> 48) & 0xff;
181 	*p++ = (seq_num >> 40) & 0xff;
182 	*p++ = (seq_num >> 32) & 0xff;
183 	*p++ = (seq_num >> 24) & 0xff;
184 	*p++ = (seq_num >> 16) & 0xff;
185 	*p++ = (seq_num >> 8) & 0xff;
186 	*p++ = (seq_num) & 0xff;
187 	*p++ = (uchar_t)ct;
188 	if (IS_TLS(ssl)) {
189 		*p++ = versionp[0];
190 		*p++ = versionp[1];
191 	}
192 	*p++ = (len >> 8) & 0xff;
193 	*p++ = (len) & 0xff;
194 
195 	if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID &&
196 	    len >= kcf_md5_threshold)) {
197 		crypto_data_t dd, mac;
198 		struct uio uio_pt;
199 		struct iovec iovarray_pt[2];
200 
201 		/* init the array of iovecs for use in the uio struct */
202 		iovarray_pt[0].iov_base = (char *)temp;
203 		iovarray_pt[0].iov_len = (p - temp);
204 		iovarray_pt[1].iov_base = (char *)buf;
205 		iovarray_pt[1].iov_len = len;
206 
207 		/* init the uio struct for use in the crypto_data_t struct */
208 		bzero(&uio_pt, sizeof (uio_pt));
209 		uio_pt.uio_iov = iovarray_pt;
210 		uio_pt.uio_iovcnt = 2;
211 		uio_pt.uio_segflg = UIO_SYSSPACE;
212 
213 		dd.cd_format = CRYPTO_DATA_UIO;
214 		dd.cd_offset = 0;
215 		dd.cd_length =  (p - temp) + len;
216 		dd.cd_miscdata = NULL;
217 		dd.cd_uio = &uio_pt;
218 
219 		mac.cd_format = CRYPTO_DATA_RAW;
220 		mac.cd_offset = 0;
221 		mac.cd_raw.iov_base = (char *)digest;
222 		mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz;
223 
224 		/*
225 		 * The calling context can tolerate a blocking call here.
226 		 * For outgoing traffic, we are in user context
227 		 * when called from strsock_kssl_output(). For incoming
228 		 * traffic past the SSL handshake, we are in user
229 		 * context when called from strsock_kssl_input(). During the
230 		 * SSL handshake, we are called for client_finished message
231 		 * handling from a squeue worker thread that gets scheduled
232 		 * by an squeue_fill() call. This thread is not in interrupt
233 		 * context and so can block.
234 		 */
235 		rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key,
236 		    NULL, &mac, NULL);
237 
238 		if (CRYPTO_ERR(rv)) {
239 			hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED &&
240 			    !IS_TLS(ssl));
241 			if (!hash_use_ok) {
242 				DTRACE_PROBE1(kssl_err__crypto_mac_error,
243 				    int, rv);
244 				KSSL_COUNTER(compute_mac_failure, 1);
245 			}
246 		}
247 	} else
248 		hash_use_ok = B_TRUE;
249 
250 	if (hash_use_ok) {
251 		bcopy(&(ssl->mac_ctx[direction][0]), ctx,
252 		    sizeof (KSSL_HASHCTX));
253 		spec->MAC_HashUpdate((void *)ctx, temp, p - temp);
254 		spec->MAC_HashUpdate((void *)ctx, buf, len);
255 		spec->MAC_HashFinal(digest, (void *)ctx);
256 
257 		bcopy(&(ssl->mac_ctx[direction][1]), ctx,
258 		    sizeof (KSSL_HASHCTX));
259 		spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz);
260 		spec->MAC_HashFinal(digest, (void *)ctx);
261 	}
262 
263 	return (rv);
264 }
265 
266 /*
267  * Handles handshake messages.
268  * Messages to be replied are returned in handshake_sendbuf.
269  */
270 int
271 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err,
272     kssl_callback_t cbfn, void *arg)
273 {
274 	uint32_t msglen;
275 	uchar_t msghdr[4];
276 
277 	ASSERT(ssl->msg.state == MSG_BODY);
278 	ASSERT(ssl->msg.msglen_bytes == 3);
279 	ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen);
280 
281 	ssl->sslcnt++;
282 	msglen = ssl->msg.msglen;
283 
284 	if (ssl->msg.type == client_hello) {
285 		MD5Init(&ssl->hs_md5);
286 		SHA1Init(&ssl->hs_sha1);
287 	}
288 
289 	if (ssl->msg.type == finished && ssl->resumed == B_FALSE) {
290 		if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
291 		    sender_client) != 0) {
292 			*err = SSL_MISS;
293 			return (0);
294 		}
295 	}
296 
297 	if (ssl->msg.type != finished || ssl->resumed == B_FALSE) {
298 		msghdr[0] = (uchar_t)ssl->msg.type;
299 
300 		msghdr[1] = (uchar_t)(msglen >> 16);
301 		msghdr[2] = (uchar_t)(msglen >> 8);
302 		msghdr[3] = (uchar_t)(msglen);
303 		kssl_update_handshake_hashes(ssl, msghdr, 4);
304 		kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen);
305 	}
306 
307 	ssl->msg.state = MSG_INIT;
308 	ssl->msg.msglen = 0;
309 	ssl->msg.msglen_bytes = 0;
310 
311 	switch (ssl->msg.type) {
312 	case client_hello:
313 		if (ssl->hs_waitstate != wait_client_hello) {
314 			kssl_send_alert(ssl, alert_fatal,
315 			    unexpected_message);
316 			*err = EBADMSG;
317 			ssl->activeinput = B_FALSE;
318 			return (1);
319 		}
320 		*err = kssl_handle_client_hello(ssl, mp, msglen);
321 		if (*err == SSL_MISS) {
322 			ssl->activeinput = B_FALSE;
323 			return (0);
324 		}
325 		return (1);
326 	case client_key_exchange:
327 		if (ssl->hs_waitstate != wait_client_key) {
328 			kssl_send_alert(ssl, alert_fatal,
329 			    unexpected_message);
330 			*err = EBADMSG;
331 			ssl->activeinput = B_FALSE;
332 			return (1);
333 		}
334 		*err = kssl_handle_client_key_exchange(ssl, mp,
335 		    msglen, cbfn, arg);
336 		return (1);
337 	case finished:
338 		if (ssl->hs_waitstate != wait_finished) {
339 			kssl_send_alert(ssl, alert_fatal,
340 			    unexpected_message);
341 			*err = EBADMSG;
342 			ssl->activeinput = B_FALSE;
343 			return (1);
344 		}
345 		*err = kssl_handle_finished(ssl, mp, msglen);
346 		return (1);
347 	default:
348 		kssl_send_alert(ssl, alert_fatal, unexpected_message);
349 		ssl->activeinput = B_FALSE;
350 		*err = EBADMSG;
351 		return (1);
352 	}
353 }
354 
355 static void
356 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len)
357 {
358 	MD5Update(&ssl->hs_md5, buf, len);
359 	SHA1Update(&ssl->hs_sha1, buf, len);
360 }
361 
362 static int
363 kssl_compute_handshake_hashes(
364 	ssl_t *ssl,
365 	SSL3Hashes *hashes,
366 	uint32_t sender)
367 {
368 	MD5_CTX md5 = ssl->hs_md5;	/* clone md5 context */
369 	SHA1_CTX sha1 = ssl->hs_sha1;	/* clone sha1 context */
370 	MD5_CTX *md5ctx = &md5;
371 	SHA1_CTX *sha1ctx = &sha1;
372 
373 	if (IS_TLS(ssl)) {
374 		uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN];
375 		char *label;
376 
377 		/*
378 		 * Do not take another hash step here.
379 		 * Just complete the operation.
380 		 */
381 		MD5Final(hashes->md5, md5ctx);
382 		SHA1Final(hashes->sha1, sha1ctx);
383 
384 		bcopy(hashes->md5, seed, MD5_HASH_LEN);
385 		bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN);
386 
387 		if (sender == sender_client)
388 			label = TLS_CLIENT_FINISHED_LABEL;
389 		else
390 			label = TLS_SERVER_FINISHED_LABEL;
391 
392 		return (kssl_tls_PRF(ssl,
393 		    ssl->sid.master_secret,
394 		    (size_t)SSL3_MASTER_SECRET_LEN,
395 		    (uchar_t *)label, strlen(label),
396 		    seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN),
397 		    hashes->tlshash, (size_t)TLS_FINISHED_SIZE));
398 	} else {
399 		uchar_t s[4];
400 		s[0] = (sender >> 24) & 0xff;
401 		s[1] = (sender >> 16) & 0xff;
402 		s[2] = (sender >> 8) & 0xff;
403 		s[3] = (sender) & 0xff;
404 
405 		MD5Update(md5ctx, s, 4);
406 		MD5Update(md5ctx, ssl->sid.master_secret,
407 		    SSL3_MASTER_SECRET_LEN);
408 		MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN);
409 		MD5Final(hashes->md5, md5ctx);
410 
411 		MD5Init(md5ctx);
412 		MD5Update(md5ctx, ssl->sid.master_secret,
413 		    SSL3_MASTER_SECRET_LEN);
414 		MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN);
415 		MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN);
416 		MD5Final(hashes->md5, md5ctx);
417 
418 		SHA1Update(sha1ctx, s, 4);
419 		SHA1Update(sha1ctx, ssl->sid.master_secret,
420 		    SSL3_MASTER_SECRET_LEN);
421 		SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN);
422 		SHA1Final(hashes->sha1, sha1ctx);
423 
424 		SHA1Init(sha1ctx);
425 		SHA1Update(sha1ctx, ssl->sid.master_secret,
426 		    SSL3_MASTER_SECRET_LEN);
427 		SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN);
428 		SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN);
429 		SHA1Final(hashes->sha1, sha1ctx);
430 		return (0);
431 	}
432 }
433 
434 
435 #define	KSSL_SSL3_CH_MIN_MSGLEN	(39)
436 
437 static int
438 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen)
439 {
440 	uchar_t *msgend;
441 	int err;
442 	SSL3AlertDescription desc = illegal_parameter;
443 	uint_t sidlen;
444 	uint_t nsuites;
445 	uchar_t *suitesp;
446 	uint_t i, j;
447 	uint16_t suite;
448 	int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN;
449 
450 	ASSERT(mp->b_wptr >= mp->b_rptr + msglen);
451 	ASSERT(ssl->msg.type == client_hello);
452 	ASSERT(ssl->hs_waitstate == wait_client_hello);
453 	ASSERT(ssl->resumed == B_FALSE);
454 
455 	if (msglen < ch_msglen) {
456 		goto falert;
457 	}
458 
459 	msgend = mp->b_rptr + msglen;
460 
461 	/* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */
462 	if (ssl->major_version != 3 || (ssl->major_version == 3 &&
463 	    ssl->minor_version != 0 && ssl->minor_version != 1)) {
464 		DTRACE_PROBE2(kssl_err__SSL_version_not_supported,
465 		    uchar_t, ssl->major_version,
466 		    uchar_t, ssl->minor_version);
467 		desc = handshake_failure;
468 		goto falert;
469 	}
470 	mp->b_rptr += 2; /* skip the version bytes */
471 
472 	bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH);
473 	mp->b_rptr += SSL3_RANDOM_LENGTH;
474 
475 	ASSERT(ssl->sid.cached == B_FALSE);
476 	sidlen = *mp->b_rptr++;
477 	ch_msglen += sidlen;
478 	if (msglen < ch_msglen) {
479 		goto falert;
480 	}
481 	if (sidlen != SSL3_SESSIONID_BYTES) {
482 		mp->b_rptr += sidlen;
483 	} else {
484 		kssl_lookup_sid(&ssl->sid, mp->b_rptr, ssl->faddr,
485 		    ssl->kssl_entry);
486 		mp->b_rptr += SSL3_SESSIONID_BYTES;
487 	}
488 
489 	nsuites = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
490 	mp->b_rptr += 2;
491 	ch_msglen += nsuites;
492 	if (msglen != ch_msglen) {
493 		goto falert;
494 	}
495 	if (nsuites & 0x1) {
496 		goto falert;
497 	}
498 	suitesp = mp->b_rptr;
499 	if (ssl->sid.cached == B_TRUE) {
500 		suite = ssl->sid.cipher_suite;
501 		for (j = 0; j < nsuites; j += 2) {
502 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
503 			    suitesp[j + 1] == (suite & 0xff)) {
504 				break;
505 			}
506 		}
507 		if (j < nsuites) {
508 			goto suite_found;
509 		}
510 		kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
511 		ssl->sid.cached = B_FALSE;
512 	}
513 
514 	/* Check if this server is capable of the cipher suite */
515 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
516 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
517 		for (j = 0; j < nsuites; j += 2) {
518 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
519 			    suitesp[j + 1] == (suite & 0xff)) {
520 				break;
521 			}
522 		}
523 		if (j < nsuites) {
524 			break;
525 		}
526 	}
527 	if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) {
528 		if (ssl->sslcnt == 1) {
529 			KSSL_COUNTER(no_suite_found, 1);
530 			return (SSL_MISS);
531 		}
532 		desc = handshake_failure;
533 		DTRACE_PROBE(kssl_err__no_cipher_suites_found);
534 		goto falert;
535 	}
536 
537 suite_found:
538 
539 	mp->b_rptr += nsuites;
540 	if (*mp->b_rptr++ != 1 || *mp->b_rptr++ != 0) {
541 		desc = handshake_failure;
542 		DTRACE_PROBE(kssl_err__handshake_failure);
543 		goto falert;
544 	}
545 
546 	mp->b_rptr = msgend;
547 
548 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
549 		if (suite == cipher_suite_defs[i].suite) {
550 			break;
551 		}
552 	}
553 
554 	ASSERT(i < cipher_suite_defs_nentries);
555 
556 	ssl->pending_cipher_suite = suite;
557 	ssl->pending_malg = cipher_suite_defs[i].malg;
558 	ssl->pending_calg = cipher_suite_defs[i].calg;
559 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
560 
561 	if (ssl->sid.cached == B_TRUE) {
562 		err = kssl_send_server_hello(ssl);
563 		if (err != 0) {
564 			return (err);
565 		}
566 		if (IS_TLS(ssl))
567 			err = kssl_generate_tls_keyblock(ssl);
568 		else
569 			kssl_generate_keyblock(ssl);
570 
571 		err = kssl_send_change_cipher_specs(ssl);
572 		if (err != 0) {
573 			return (err);
574 		}
575 
576 		err = kssl_send_finished(ssl, 1);
577 		if (err != 0)
578 			return (err);
579 
580 		err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
581 		    sender_client);
582 		if (err != 0)
583 			return (err);
584 
585 		ssl->hs_waitstate = wait_change_cipher;
586 		ssl->resumed = B_TRUE;
587 		ssl->activeinput = B_FALSE;
588 		KSSL_COUNTER(resumed_sessions, 1);
589 		return (0);
590 	}
591 
592 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
593 	    SSL3_SESSIONID_BYTES);
594 	ssl->sid.client_addr = ssl->faddr;
595 	ssl->sid.cipher_suite = suite;
596 
597 	err = kssl_send_server_hello(ssl);
598 	if (err != 0) {
599 		return (err);
600 	}
601 	err = kssl_send_certificate_and_server_hello_done(ssl);
602 	if (err != 0) {
603 		return (err);
604 	}
605 	KSSL_COUNTER(full_handshakes, 1);
606 	ssl->hs_waitstate = wait_client_key;
607 	ssl->activeinput = B_FALSE;
608 	return (0);
609 
610 falert:
611 	kssl_send_alert(ssl, alert_fatal, desc);
612 	return (EBADMSG);
613 }
614 
615 static void
616 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
617 {
618 	uint_t index;
619 	uchar_t *s = sid->session_id;
620 	int l = SSL3_SESSIONID_BYTES - 1;
621 	kmutex_t *lock;
622 
623 	ASSERT(sid->cached == B_TRUE);
624 
625 	index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
626 	    ((int)s[2] << 8) | (int)s[l]);
627 
628 	index %= kssl_entry->sid_cache_nentries;
629 
630 	sid->time = lbolt;
631 
632 	lock = &(kssl_entry->sid_cache[index].se_lock);
633 	mutex_enter(lock);
634 	kssl_entry->sid_cache[index].se_used++;
635 	bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid));
636 	mutex_exit(lock);
637 }
638 
639 static void
640 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, ipaddr_t faddr,
641     kssl_entry_t *kssl_entry)
642 {
643 	uint_t index;
644 	int l = SSL3_SESSIONID_BYTES - 1;
645 	kmutex_t *lock;
646 	sslSessionID *csid;
647 
648 	ASSERT(sid->cached == B_FALSE);
649 
650 	KSSL_COUNTER(sid_cache_lookups, 1);
651 
652 	index = (int)faddr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
653 	    ((int)s[2] << 8) | (int)s[l]);
654 
655 	index %= kssl_entry->sid_cache_nentries;
656 
657 	lock = &(kssl_entry->sid_cache[index].se_lock);
658 	mutex_enter(lock);
659 	csid = &(kssl_entry->sid_cache[index].se_sid);
660 	if (csid->cached == B_FALSE || csid->client_addr != faddr ||
661 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
662 		mutex_exit(lock);
663 		return;
664 	}
665 
666 	if (TICK_TO_SEC(lbolt - csid->time) > kssl_entry->sid_cache_timeout) {
667 		csid->cached = B_FALSE;
668 		mutex_exit(lock);
669 		return;
670 	}
671 
672 	bcopy(csid, sid, sizeof (*sid));
673 	mutex_exit(lock);
674 	ASSERT(sid->cached == B_TRUE);
675 
676 	KSSL_COUNTER(sid_cache_hits, 1);
677 }
678 
679 static uchar_t *
680 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp)
681 {
682 	size_t len = *lenp;
683 	int i = 2;
684 
685 	if (buf[0] != 0 || buf[1] != 2) {
686 		return (NULL);
687 	}
688 
689 	while (i < len) {
690 		if (buf[i++] == 0) {
691 			*lenp = len - i;
692 			break;
693 		}
694 	}
695 
696 	if (i == len) {
697 		return (NULL);
698 	}
699 
700 	return (buf + i);
701 }
702 
703 void
704 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
705 {
706 	uint_t index;
707 	uchar_t *s = sid->session_id;
708 	int l = SSL3_SESSIONID_BYTES - 1;
709 	sslSessionID *csid;
710 	kmutex_t *lock;
711 
712 	ASSERT(sid->cached == B_TRUE);
713 
714 	KSSL_COUNTER(sid_uncached, 1);
715 
716 	index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
717 	    ((int)s[2] << 8) | (int)s[l]);
718 
719 	index %= kssl_entry->sid_cache_nentries;
720 
721 	lock = &(kssl_entry->sid_cache[index].se_lock);
722 	mutex_enter(lock);
723 	csid = &(kssl_entry->sid_cache[index].se_sid);
724 	if (csid->client_addr != sid->client_addr ||
725 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
726 		mutex_exit(lock);
727 		return;
728 	}
729 	csid->cached = B_FALSE;
730 	mutex_exit(lock);
731 }
732 
733 
734 #define	KSSL_SSL3_SH_RECLEN	(74)
735 #define	KSSL_SSL3_FIN_MSGLEN	(36)
736 
737 #define	KSSL_SSL3_MAX_CCP_FIN_MSGLEN	(128)	/* comfortable upper bound */
738 
739 static int
740 kssl_send_server_hello(ssl_t *ssl)
741 {
742 	mblk_t *mp;
743 	uchar_t *buf;
744 	uchar_t *msgstart;
745 
746 	mp = allocb(ssl->tcp_mss, BPRI_HI);
747 	if (mp == NULL) {
748 		KSSL_COUNTER(alloc_fails, 1);
749 		return (ENOMEM);
750 	}
751 	ssl->handshake_sendbuf = mp;
752 	buf = mp->b_wptr;
753 
754 	/* 5 byte record header */
755 	buf[0] = content_handshake;
756 	buf[1] = ssl->major_version;
757 	buf[2] = ssl->minor_version;
758 	buf[3] = KSSL_SSL3_SH_RECLEN >> 8;
759 	buf[4] = KSSL_SSL3_SH_RECLEN & 0xff;
760 	buf += SSL3_HDR_LEN;
761 
762 	msgstart = buf;
763 
764 	/* 6 byte message header */
765 	buf[0] = (uchar_t)server_hello;			/* message type */
766 	buf[1] = 0;					/* message len byte 0 */
767 	buf[2] = ((KSSL_SSL3_SH_RECLEN - 4) >> 8) &
768 	    0xff;					/* message len byte 1 */
769 	buf[3] = (KSSL_SSL3_SH_RECLEN - 4) & 0xff;	/* message len byte 2 */
770 
771 	buf[4] = ssl->major_version;	/* version byte 0 */
772 	buf[5] = ssl->minor_version;	/* version byte 1 */
773 
774 	buf += 6;
775 
776 	kssl_get_hello_random(ssl->server_random);
777 	bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH);
778 	buf += SSL3_RANDOM_LENGTH;
779 
780 	buf[0] = SSL3_SESSIONID_BYTES;
781 	bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES);
782 	buf += SSL3_SESSIONID_BYTES + 1;
783 
784 	buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff;
785 	buf[1] = ssl->pending_cipher_suite & 0xff;
786 
787 	buf[2] = 0;	/* No compression */
788 
789 	mp->b_wptr = buf + 3;
790 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
791 
792 	kssl_update_handshake_hashes(ssl, msgstart, KSSL_SSL3_SH_RECLEN);
793 	return (0);
794 }
795 
796 static void
797 kssl_get_hello_random(uchar_t *buf)
798 {
799 	timestruc_t ts;
800 	time_t sec;
801 
802 	gethrestime(&ts);
803 	sec = ts.tv_sec;
804 
805 	buf[0] = (sec >> 24) & 0xff;
806 	buf[1] = (sec >> 16) & 0xff;
807 	buf[2] = (sec >> 8) & 0xff;
808 	buf[3] = (sec) & 0xff;
809 
810 	(void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4);
811 
812 	/* Should this be caching? */
813 }
814 
815 static int
816 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key,
817 	size_t hashlen,
818 	uchar_t *label, size_t label_len,
819 	uchar_t *seed, size_t seedlen,
820 	uchar_t *data, size_t datalen)
821 {
822 	int rv = 0;
823 	uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN];
824 	int bytes_left = datalen;
825 	crypto_data_t dd, mac;
826 	crypto_context_t ctx;
827 
828 	dd.cd_format = CRYPTO_DATA_RAW;
829 	dd.cd_offset = 0;
830 	mac.cd_format = CRYPTO_DATA_RAW;
831 	mac.cd_offset = 0;
832 
833 	/*
834 	 * A(i) = HMAC_hash(secred, seed + A(i-1));
835 	 * A(0) = seed;
836 	 *
837 	 * Compute A(1):
838 	 * A(1) = HMAC_hash(secret, label + seed)
839 	 *
840 	 */
841 	HMAC_INIT(mech, key, &ctx);
842 	HMAC_UPDATE(ctx, label, label_len);
843 	HMAC_UPDATE(ctx, seed, seedlen);
844 	HMAC_FINAL(ctx, A1, hashlen);
845 
846 	/* Compute A(2) ... A(n) */
847 	while (bytes_left > 0) {
848 		HMAC_INIT(mech, key, &ctx);
849 		HMAC_UPDATE(ctx, A1, hashlen);
850 		HMAC_UPDATE(ctx, label, label_len);
851 		HMAC_UPDATE(ctx, seed, seedlen);
852 		HMAC_FINAL(ctx, result, hashlen);
853 
854 		/*
855 		 * The A(i) value is stored in "result".
856 		 * Save the results of the MAC so it can be input to next
857 		 * iteration.
858 		 */
859 		if (bytes_left > hashlen) {
860 			/* Store the chunk result */
861 			bcopy(result, data, hashlen);
862 			data += hashlen;
863 
864 			bytes_left -= hashlen;
865 
866 			/* Update A1 for next iteration */
867 			HMAC_INIT(mech, key, &ctx);
868 			HMAC_UPDATE(ctx, A1, hashlen);
869 			HMAC_FINAL(ctx, A1, hashlen);
870 
871 		} else {
872 			bcopy(result, data, bytes_left);
873 			data += bytes_left;
874 			bytes_left = 0;
875 		}
876 	}
877 end:
878 	if (CRYPTO_ERR(rv)) {
879 		DTRACE_PROBE1(kssl_err__crypto_mac_error, int, rv);
880 		KSSL_COUNTER(compute_mac_failure, 1);
881 	}
882 	return (rv);
883 }
884 
885 /* ARGSUSED */
886 static int
887 kssl_tls_PRF(ssl_t *ssl,
888 	uchar_t *secret, size_t secret_len,
889 	uchar_t *label, size_t label_len,
890 	uchar_t *seed, size_t seed_len,
891 	uchar_t *prfresult, size_t prfresult_len)
892 {
893 	/*
894 	 * RFC 2246:
895 	 *  PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
896 	 *				P_SHA1(S2, label + seed);
897 	 * S1 = 1st half of secret.
898 	 * S1 = 2nd half of secret.
899 	 *
900 	 */
901 
902 	int rv = 0, i;
903 	uchar_t psha1[MAX_TLS_KEYBLOCK_SIZE];
904 	crypto_key_t S1, S2;
905 
906 	/* length of secret keys is ceil(length/2) */
907 	size_t slen = roundup(secret_len, 2) / 2;
908 
909 	if (prfresult_len > MAX_TLS_KEYBLOCK_SIZE) {
910 		DTRACE_PROBE1(kssl_err__unexpected_keyblock_size,
911 		    size_t, prfresult_len);
912 		return (CRYPTO_ARGUMENTS_BAD);
913 	}
914 
915 	ASSERT(prfresult != NULL);
916 	ASSERT(label != NULL);
917 	ASSERT(seed != NULL);
918 
919 	S1.ck_data   = secret;
920 	S1.ck_length = slen * 8; /* bits */
921 	S1.ck_format = CRYPTO_KEY_RAW;
922 
923 	S2.ck_data   = secret + slen;
924 	S2.ck_length = slen * 8; /* bits */
925 	S2.ck_format = CRYPTO_KEY_RAW;
926 
927 	rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN,
928 	    label, label_len,
929 	    seed, seed_len,
930 	    prfresult, prfresult_len);
931 	if (CRYPTO_ERR(rv))
932 		goto end;
933 
934 	rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN,
935 	    label, label_len,
936 	    seed, seed_len,
937 	    psha1, prfresult_len);
938 	if (CRYPTO_ERR(rv))
939 		goto end;
940 
941 	for (i = 0; i < prfresult_len; i++)
942 		prfresult[i] ^= psha1[i];
943 
944 end:
945 	if (CRYPTO_ERR(rv))
946 		bzero(prfresult, prfresult_len);
947 
948 	return (rv);
949 }
950 
951 #define	IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)			\
952 	(pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN ||		\
953 	pms[0] != ssl->major_version || pms[1] != ssl->minor_version)
954 
955 #define	FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) {			\
956 		KSSL_COUNTER(bad_pre_master_secret, 1);			\
957 		pms = buf;						\
958 		pmslen = SSL3_PRE_MASTER_SECRET_LEN;			\
959 		pms[0] = ssl->major_version;				\
960 		pms[1] = ssl->minor_version;				\
961 		(void) random_get_pseudo_bytes(&buf[2], pmslen - 2);	\
962 }
963 
964 static int
965 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
966 {
967 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
968 	uchar_t seed[SSL3_RANDOM_LENGTH * 2];
969 
970 	/*
971 	 * Computing the master secret:
972 	 * ----------------------------
973 	 * master_secret = PRF (pms, "master secret",
974 	 *		ClientHello.random + ServerHello.random);
975 	 */
976 	bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH);
977 	bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH,
978 	    SSL3_RANDOM_LENGTH);
979 
980 	/* if pms is bad fake it to thwart Bleichenbacher attack */
981 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
982 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
983 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
984 	}
985 
986 	return (kssl_tls_PRF(ssl,
987 	    pms, pmslen,
988 	    (uchar_t *)TLS_MASTER_SECRET_LABEL,
989 	    (size_t)strlen(TLS_MASTER_SECRET_LABEL),
990 	    seed, sizeof (seed),
991 	    ssl->sid.master_secret,
992 	    (size_t)sizeof (ssl->sid.master_secret)));
993 }
994 
995 
996 static void
997 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
998 {
999 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1000 	uchar_t *ms;
1001 	int hlen = MD5_HASH_LEN;
1002 
1003 	ms = ssl->sid.master_secret;
1004 
1005 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1006 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1007 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
1008 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1009 	}
1010 
1011 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0);
1012 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0);
1013 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen,
1014 	    0);
1015 }
1016 
1017 static int
1018 kssl_generate_tls_keyblock(ssl_t *ssl)
1019 {
1020 	uchar_t seed[2 * SSL3_RANDOM_LENGTH];
1021 
1022 	bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH);
1023 	bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH,
1024 	    SSL3_RANDOM_LENGTH);
1025 
1026 	return (kssl_tls_PRF(ssl, ssl->sid.master_secret,
1027 	    (size_t)SSL3_MASTER_SECRET_LEN,
1028 	    (uchar_t *)TLS_KEY_EXPANSION_LABEL,
1029 	    (size_t)strlen(TLS_KEY_EXPANSION_LABEL),
1030 	    seed, (size_t)sizeof (seed),
1031 	    ssl->pending_keyblock,
1032 	    (size_t)ssl->pending_keyblksz));
1033 
1034 }
1035 
1036 static void
1037 kssl_generate_keyblock(ssl_t *ssl)
1038 {
1039 	uchar_t *ms;
1040 	size_t mslen = SSL3_MASTER_SECRET_LEN;
1041 	int hlen = MD5_HASH_LEN;
1042 	uchar_t *keys = ssl->pending_keyblock;
1043 	int steps = howmany(ssl->pending_keyblksz, hlen);
1044 	int i;
1045 
1046 	ms = ssl->sid.master_secret;
1047 
1048 	ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH);
1049 
1050 	for (i = 1; i <= steps; i++) {
1051 		kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1);
1052 		keys += hlen;
1053 	}
1054 }
1055 
1056 static char *ssl3_key_derive_seeds[8] = {"A", "BB", "CCC", "DDDD", "EEEEE",
1057 					    "FFFFFF", "GGGGGGG", "HHHHHHHH"};
1058 
1059 static void
1060 kssl_ssl3_key_material_derive_step(
1061 	ssl_t *ssl,
1062 	uchar_t *secret,
1063 	size_t secretlen,
1064 	int step,
1065 	uchar_t *dst,
1066 	int sr_first)
1067 {
1068 	SHA1_CTX sha1, *sha1ctx;
1069 	MD5_CTX md5, *md5ctx;
1070 	uchar_t sha1_hash[SHA1_HASH_LEN];
1071 
1072 	sha1ctx = &sha1;
1073 	md5ctx = &md5;
1074 
1075 	ASSERT(step <=
1076 	    sizeof (ssl3_key_derive_seeds) /
1077 	    sizeof (ssl3_key_derive_seeds[0]));
1078 	step--;
1079 
1080 	SHA1Init(sha1ctx);
1081 	SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step],
1082 	    step + 1);
1083 	SHA1Update(sha1ctx, secret, secretlen);
1084 	if (sr_first) {
1085 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1086 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1087 	} else {
1088 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1089 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1090 	}
1091 	SHA1Final(sha1_hash, sha1ctx);
1092 
1093 	MD5Init(md5ctx);
1094 	MD5Update(md5ctx, secret, secretlen);
1095 	MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN);
1096 	MD5Final(dst, md5ctx);
1097 }
1098 
1099 static int
1100 kssl_send_certificate_and_server_hello_done(ssl_t *ssl)
1101 {
1102 	int cur_reclen;
1103 	int mss;
1104 	int len, copylen;
1105 	mblk_t *mp;
1106 	uchar_t *cert_buf;
1107 	int cert_len;
1108 	uchar_t *msgbuf;
1109 	Certificate_t *cert;
1110 
1111 	cert = ssl->kssl_entry->ke_server_certificate;
1112 	if (cert == NULL) {
1113 		return (ENOENT);
1114 	}
1115 	cert_buf = cert->msg;
1116 	cert_len = cert->len;
1117 
1118 	mp = ssl->handshake_sendbuf;
1119 	mss = ssl->tcp_mss;
1120 	ASSERT(mp != NULL);
1121 	cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN;
1122 	ASSERT(cur_reclen == KSSL_SSL3_SH_RECLEN);
1123 	/* Assume MSS is at least 80 bytes */
1124 	ASSERT(mss > cur_reclen + SSL3_HDR_LEN);
1125 	ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */
1126 
1127 	copylen = mss - (cur_reclen + SSL3_HDR_LEN);
1128 	len = cert_len;
1129 	copylen = MIN(copylen, len);
1130 	copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1131 
1132 	/* new record always starts in a new mblk for simplicity */
1133 	msgbuf = cert_buf;
1134 	for (;;) {
1135 		ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim);
1136 		bcopy(msgbuf, mp->b_wptr, copylen);
1137 		msgbuf += copylen;
1138 		mp->b_wptr += copylen;
1139 		cur_reclen += copylen;
1140 		len -= copylen;
1141 		if (len == 0) {
1142 			break;
1143 		}
1144 		if (cur_reclen == SSL3_MAX_RECORD_LENGTH) {
1145 			cur_reclen = 0;
1146 		}
1147 		copylen = MIN(len, mss);
1148 		copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1149 		mp->b_cont = allocb(copylen, BPRI_HI);
1150 		if (mp->b_cont == NULL) {
1151 			KSSL_COUNTER(alloc_fails, 1);
1152 			freemsg(ssl->handshake_sendbuf);
1153 			ssl->handshake_sendbuf = NULL;
1154 			return (ENOMEM);
1155 		}
1156 		mp = mp->b_cont;
1157 		if (cur_reclen == 0) {
1158 			mp->b_wptr[0] = content_handshake;
1159 			mp->b_wptr[1] = ssl->major_version;
1160 			mp->b_wptr[2] = ssl->minor_version;
1161 			cur_reclen = MIN(len, SSL3_MAX_RECORD_LENGTH);
1162 			mp->b_wptr[3] = (cur_reclen >> 8) & 0xff;
1163 			mp->b_wptr[4] = (cur_reclen) & 0xff;
1164 			mp->b_wptr += SSL3_HDR_LEN;
1165 			cur_reclen = 0;
1166 			copylen = MIN(copylen, mss - SSL3_HDR_LEN);
1167 		}
1168 	}
1169 
1170 	/* adjust the record length field for the first record */
1171 	mp = ssl->handshake_sendbuf;
1172 	cur_reclen = MIN(KSSL_SSL3_SH_RECLEN + cert_len,
1173 	    SSL3_MAX_RECORD_LENGTH);
1174 	mp->b_rptr[3] = (cur_reclen >> 8) & 0xff;
1175 	mp->b_rptr[4] = (cur_reclen) & 0xff;
1176 
1177 	kssl_update_handshake_hashes(ssl, cert_buf, cert_len);
1178 
1179 	return (0);
1180 }
1181 
1182 static int
1183 kssl_send_change_cipher_specs(ssl_t *ssl)
1184 {
1185 	mblk_t *mp, *newmp;
1186 	uchar_t *buf;
1187 
1188 	mp = ssl->handshake_sendbuf;
1189 
1190 	/* We're most likely to hit the fast path for resumed sessions */
1191 	if ((mp != NULL) &&
1192 	    (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) {
1193 		buf = mp->b_wptr;
1194 	} else {
1195 		newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI);
1196 
1197 		if (newmp == NULL)
1198 			return (ENOMEM);	/* need to do better job! */
1199 
1200 		if (mp == NULL) {
1201 			ssl->handshake_sendbuf = newmp;
1202 		} else {
1203 			linkb(ssl->handshake_sendbuf, newmp);
1204 		}
1205 		mp = newmp;
1206 		buf = mp->b_rptr;
1207 	}
1208 
1209 	/* 5 byte record header */
1210 	buf[0] = content_change_cipher_spec;
1211 	buf[1] = ssl->major_version;
1212 	buf[2] = ssl->minor_version;
1213 	buf[3] = 0;
1214 	buf[4] = 1;
1215 	buf += SSL3_HDR_LEN;
1216 
1217 	buf[0] = 1;
1218 
1219 	mp->b_wptr = buf + 1;
1220 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
1221 
1222 	ssl->seq_num[KSSL_WRITE] = 0;
1223 	return (kssl_spec_init(ssl, KSSL_WRITE));
1224 }
1225 
1226 int
1227 kssl_spec_init(ssl_t *ssl, int dir)
1228 {
1229 	KSSL_HASHCTX *ctx;
1230 	KSSLCipherSpec *spec = &ssl->spec[dir];
1231 	int ret = 0;
1232 
1233 	spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz;
1234 	spec->mac_padsz = mac_defs[ssl->pending_malg].padsz;
1235 
1236 	spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit;
1237 	spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate;
1238 	spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal;
1239 
1240 	if (dir == KSSL_READ) {
1241 		bcopy(ssl->pending_keyblock, ssl->mac_secret[dir],
1242 		    spec->mac_hashsz);
1243 	} else {
1244 		bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]),
1245 		    ssl->mac_secret[dir], spec->mac_hashsz);
1246 	}
1247 
1248 	/* Pre-compute these here. will save cycles on each record later */
1249 	if (!IS_TLS(ssl)) {
1250 		ctx = &ssl->mac_ctx[dir][0];
1251 		spec->MAC_HashInit((void *)ctx);
1252 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1253 		    spec->mac_hashsz);
1254 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_1,
1255 		    spec->mac_padsz);
1256 
1257 		ctx = &ssl->mac_ctx[dir][1];
1258 		spec->MAC_HashInit((void *)ctx);
1259 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1260 		    spec->mac_hashsz);
1261 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_2,
1262 		    spec->mac_padsz);
1263 	}
1264 
1265 	spec->cipher_type = cipher_defs[ssl->pending_calg].type;
1266 	spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type;
1267 	spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize;
1268 	spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz;
1269 
1270 	if (spec->cipher_ctx != NULL) {
1271 		crypto_cancel_ctx(spec->cipher_ctx);
1272 		spec->cipher_ctx = 0;
1273 	}
1274 
1275 	/*
1276 	 * Initialize HMAC keys for TLS and SSL3 HMAC keys
1277 	 * for SSL 3.0.
1278 	 */
1279 	if (IS_TLS(ssl)) {
1280 		if (ssl->pending_malg == mac_md5) {
1281 			spec->hmac_mech = hmac_md5_mech;
1282 		} else if (ssl->pending_malg == mac_sha) {
1283 			spec->hmac_mech = hmac_sha1_mech;
1284 		}
1285 
1286 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1287 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1288 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1289 	} else {
1290 		static uint32_t param;
1291 
1292 		spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID;
1293 		spec->hmac_mech.cm_param = (caddr_t)&param;
1294 		spec->hmac_mech.cm_param_len = sizeof (param);
1295 		if (ssl->pending_malg == mac_md5) {
1296 			spec->hmac_mech.cm_type =
1297 			    crypto_mech2id("CKM_SSL3_MD5_MAC");
1298 			param = MD5_HASH_LEN;
1299 		} else if (ssl->pending_malg == mac_sha) {
1300 			spec->hmac_mech.cm_type =
1301 			    crypto_mech2id("CKM_SSL3_SHA1_MAC");
1302 			param = SHA1_HASH_LEN;
1303 		}
1304 
1305 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1306 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1307 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1308 	}
1309 
1310 	/* We're done if this is the nil cipher */
1311 	if (spec->cipher_keysz == 0) {
1312 		return (0);
1313 	}
1314 
1315 	/* Initialize the key and the active context */
1316 	spec->cipher_key.ck_format = CRYPTO_KEY_RAW;
1317 	spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */
1318 
1319 	if (cipher_defs[ssl->pending_calg].bsize > 0) {
1320 		/* client_write_IV */
1321 		spec->cipher_mech.cm_param =
1322 		    (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz +
1323 		    2 * spec->cipher_keysz]);
1324 		spec->cipher_mech.cm_param_len = spec->cipher_bsize;
1325 	}
1326 	spec->cipher_data.cd_format = CRYPTO_DATA_RAW;
1327 	if (dir == KSSL_READ) {
1328 		spec->cipher_mech.cm_param_len =
1329 		    cipher_defs[ssl->pending_calg].bsize;
1330 
1331 		/* client_write_key */
1332 		spec->cipher_key.ck_data =
1333 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz]);
1334 
1335 		ret = crypto_decrypt_init(&(spec->cipher_mech),
1336 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1337 		if (CRYPTO_ERR(ret)) {
1338 			DTRACE_PROBE1(kssl_err__crypto_decrypt_init_read,
1339 			    int, ret);
1340 		}
1341 	} else {
1342 		if (cipher_defs[ssl->pending_calg].bsize > 0) {
1343 			spec->cipher_mech.cm_param += spec->cipher_bsize;
1344 		}
1345 		/* server_write_key */
1346 		spec->cipher_key.ck_data =
1347 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz +
1348 		    spec->cipher_keysz]);
1349 
1350 		ret = crypto_encrypt_init(&(spec->cipher_mech),
1351 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1352 		if (CRYPTO_ERR(ret))
1353 			DTRACE_PROBE1(kssl_err__crypto_encrypt_init_non_read,
1354 			    int, ret);
1355 	}
1356 	return (ret);
1357 }
1358 
1359 static int
1360 kssl_send_finished(ssl_t *ssl, int update_hsh)
1361 {
1362 	mblk_t *mp;
1363 	uchar_t *buf;
1364 	uchar_t *rstart;
1365 	uchar_t *versionp;
1366 	SSL3Hashes ssl3hashes;
1367 	size_t finish_len;
1368 	int ret = 0;
1369 
1370 	mp = ssl->handshake_sendbuf;
1371 	ASSERT(mp != NULL);
1372 	buf = mp->b_wptr;
1373 	ASSERT(buf - mp->b_rptr == SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN +
1374 	    SSL3_HDR_LEN + 1 || buf - mp->b_rptr == SSL3_HDR_LEN + 1);
1375 
1376 	rstart = buf;
1377 
1378 	if (IS_TLS(ssl))
1379 		finish_len = TLS_FINISHED_SIZE;
1380 	else
1381 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1382 
1383 	/* 5 byte record header */
1384 	buf[0] = content_handshake;
1385 	buf[1] = ssl->major_version;
1386 	buf[2] = ssl->minor_version;
1387 	buf[3] = 0;
1388 	buf[4] = 4 + finish_len;
1389 
1390 	versionp = &buf[1];
1391 
1392 	buf += SSL3_HDR_LEN;
1393 
1394 	/* 4 byte message header */
1395 	buf[0] = (uchar_t)finished;	/* message type */
1396 	buf[1] = 0;			/* message len byte 0 */
1397 	buf[2] = 0;			/* message len byte 1 */
1398 	buf[3] = finish_len;	/* message len byte 2 */
1399 	buf += 4;
1400 
1401 	if (IS_TLS(ssl)) {
1402 		bcopy(ssl->hs_hashes.md5, ssl3hashes.md5,
1403 		    sizeof (ssl3hashes.md5));
1404 		bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1,
1405 		    sizeof (ssl3hashes.sha1));
1406 	}
1407 
1408 	/* Compute hashes for the SENDER side */
1409 	ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server);
1410 	if (ret != 0)
1411 		return (ret);
1412 
1413 	if (IS_TLS(ssl)) {
1414 		bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash));
1415 	} else {
1416 		bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN);
1417 		bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN);
1418 	}
1419 
1420 	if (update_hsh) {
1421 		kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4);
1422 	}
1423 
1424 	mp->b_wptr = buf + finish_len;
1425 
1426 	ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp,
1427 	    rstart, mp);
1428 	ASSERT(mp->b_wptr <= mp->b_datap->db_lim);
1429 
1430 	return (ret);
1431 }
1432 
1433 int
1434 kssl_mac_encrypt_record(ssl_t *ssl,
1435 	SSL3ContentType ct,
1436 	uchar_t *versionp,
1437 	uchar_t *rstart,
1438 	mblk_t *mp)
1439 {
1440 	KSSLCipherSpec *spec;
1441 	int mac_sz;
1442 	int ret = 0;
1443 	uint16_t rec_sz;
1444 	int pad_sz;
1445 	int i;
1446 
1447 	ASSERT(ssl != NULL);
1448 	ASSERT(rstart >= mp->b_rptr);
1449 	ASSERT(rstart < mp->b_wptr);
1450 
1451 	spec = &ssl->spec[KSSL_WRITE];
1452 	mac_sz = spec->mac_hashsz;
1453 
1454 	rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN;
1455 	ASSERT(rec_sz > 0);
1456 
1457 	if (mac_sz != 0) {
1458 		ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim);
1459 		ret = kssl_compute_record_mac(ssl, KSSL_WRITE,
1460 		    ssl->seq_num[KSSL_WRITE], ct, versionp,
1461 		    rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr);
1462 		if (ret == CRYPTO_SUCCESS) {
1463 			ssl->seq_num[KSSL_WRITE]++;
1464 			mp->b_wptr += mac_sz;
1465 			rec_sz += mac_sz;
1466 		} else {
1467 			return (ret);
1468 		}
1469 	}
1470 
1471 	if (spec->cipher_type == type_block) {
1472 		pad_sz = spec->cipher_bsize -
1473 		    (rec_sz & (spec->cipher_bsize - 1));
1474 		ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim);
1475 		for (i = 0; i < pad_sz; i++) {
1476 			mp->b_wptr[i] = pad_sz - 1;
1477 		}
1478 		mp->b_wptr += pad_sz;
1479 		rec_sz += pad_sz;
1480 	}
1481 
1482 	ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH);
1483 
1484 	U16_TO_BE16(rec_sz, rstart + 3);
1485 
1486 	if (spec->cipher_ctx == 0)
1487 		return (ret);
1488 
1489 	spec->cipher_data.cd_length = rec_sz;
1490 	spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN);
1491 	spec->cipher_data.cd_raw.iov_len = rec_sz;
1492 	/* One record at a time. Otherwise, gotta allocate the crypt_data_t */
1493 	ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data,
1494 	    NULL, NULL);
1495 	if (CRYPTO_ERR(ret)) {
1496 		DTRACE_PROBE1(kssl_err__crypto_encrypt_update,
1497 		    int, ret);
1498 	}
1499 	return (ret);
1500 }
1501 
1502 void
1503 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc)
1504 {
1505 	mblk_t *mp;
1506 	uchar_t *buf;
1507 	KSSLCipherSpec *spec;
1508 
1509 	ASSERT(ssl != NULL);
1510 
1511 	ssl->sendalert_level = level;
1512 	ssl->sendalert_desc = desc;
1513 
1514 	if (level == alert_fatal) {
1515 		DTRACE_PROBE2(kssl_sending_alert,
1516 		    SSL3AlertLevel, level, SSL3AlertDescription, desc);
1517 		if (ssl->sid.cached == B_TRUE) {
1518 			kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
1519 			ssl->sid.cached = B_FALSE;
1520 		}
1521 		ssl->fatal_alert = B_TRUE;
1522 		KSSL_COUNTER(fatal_alerts, 1);
1523 	} else
1524 		KSSL_COUNTER(warning_alerts, 1);
1525 
1526 	spec = &ssl->spec[KSSL_WRITE];
1527 
1528 	ASSERT(ssl->alert_sendbuf == NULL);
1529 	ssl->alert_sendbuf = mp = allocb(7 + spec->mac_hashsz +
1530 	    spec->cipher_bsize, BPRI_HI);
1531 	if (mp == NULL) {
1532 		KSSL_COUNTER(alloc_fails, 1);
1533 		return;
1534 	}
1535 	buf = mp->b_wptr;
1536 
1537 	/* 5 byte record header */
1538 	buf[0] = content_alert;
1539 	buf[1] = ssl->major_version;
1540 	buf[2] = ssl->minor_version;
1541 	buf[3] = 0;
1542 	buf[4] = 2;
1543 	buf += SSL3_HDR_LEN;
1544 
1545 	/* alert contents */
1546 	buf[0] = (uchar_t)level;
1547 	buf[1] = (uchar_t)desc;
1548 
1549 	mp->b_wptr = buf + 2;
1550 }
1551 
1552 /* Assumes RSA encryption */
1553 static int
1554 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen,
1555     kssl_callback_t cbfn, void *arg)
1556 {
1557 	char *buf;
1558 	uchar_t *pms;
1559 	size_t pmslen;
1560 	int allocated;
1561 	int err, rverr = ENOMEM;
1562 	kssl_entry_t *ep;
1563 	crypto_key_t *privkey;
1564 	crypto_data_t *wrapped_pms_data, *pms_data;
1565 	crypto_call_req_t creq, *creqp;
1566 
1567 	ep = ssl->kssl_entry;
1568 	privkey = ep->ke_private_key;
1569 	if (privkey == NULL) {
1570 		return (ENOENT);
1571 	}
1572 
1573 	ASSERT(ssl->msg.type == client_key_exchange);
1574 	ASSERT(ssl->hs_waitstate == wait_client_key);
1575 
1576 	/*
1577 	 * TLS adds an extra 2 byte length field before the data.
1578 	 */
1579 	if (IS_TLS(ssl)) {
1580 		msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1];
1581 		mp->b_rptr += 2;
1582 	}
1583 
1584 	/*
1585 	 * Allocate all we need in one shot. about 300 bytes total, for
1586 	 * 1024 bit RSA modulus.
1587 	 * The buffer layout will be: pms_data, wrapped_pms_data, the
1588 	 * value of the wrapped pms from the client, then room for the
1589 	 * resulting decrypted premaster secret.
1590 	 */
1591 	allocated = 2 * (sizeof (crypto_data_t) + msglen);
1592 	buf = kmem_alloc(allocated, KM_NOSLEEP);
1593 	if (buf == NULL) {
1594 		return (ENOMEM);
1595 	}
1596 
1597 	pms_data = (crypto_data_t *)buf;
1598 	wrapped_pms_data = &(((crypto_data_t *)buf)[1]);
1599 
1600 	wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW;
1601 	wrapped_pms_data->cd_offset = pms_data->cd_offset = 0;
1602 	wrapped_pms_data->cd_length = pms_data->cd_length = msglen;
1603 	wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL;
1604 	wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen;
1605 	wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t);
1606 	pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen;
1607 
1608 	bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen);
1609 	mp->b_rptr += msglen;
1610 
1611 	/* Proceed synchronously if out of interrupt and configured to do so */
1612 	if ((kssl_synchronous) && (!servicing_interrupt())) {
1613 		creqp = NULL;
1614 	} else {
1615 		ssl->cke_callback_func = cbfn;
1616 		ssl->cke_callback_arg = arg;
1617 		creq.cr_flag = kssl_call_flag;
1618 		creq.cr_callback_func = kssl_cke_done;
1619 		creq.cr_callback_arg = ssl;
1620 
1621 		/* The callback routine will release this one */
1622 		KSSL_SSL_REFHOLD(ssl);
1623 
1624 		creqp = &creq;
1625 	}
1626 
1627 	if (ep->ke_is_nxkey) {
1628 		kssl_session_info_t *s;
1629 
1630 		s = ep->ke_sessinfo;
1631 		err = CRYPTO_SUCCESS;
1632 		if (!s->is_valid_handle) {
1633 			/* Reauthenticate to the provider */
1634 			if (s->do_reauth) {
1635 				err = kssl_get_obj_handle(ep);
1636 				if (err == CRYPTO_SUCCESS) {
1637 					s->is_valid_handle = B_TRUE;
1638 					s->do_reauth = B_FALSE;
1639 				}
1640 			} else
1641 				err = CRYPTO_FAILED;
1642 		}
1643 
1644 		if (err == CRYPTO_SUCCESS) {
1645 			ASSERT(s->is_valid_handle);
1646 			err = crypto_decrypt_prov(s->prov, s->sid,
1647 			    &rsa_x509_mech, wrapped_pms_data, &s->key,
1648 			    NULL, pms_data, creqp);
1649 		}
1650 
1651 		/*
1652 		 * Deal with session specific errors. We translate to
1653 		 * the closest errno.
1654 		 */
1655 		switch (err) {
1656 		case CRYPTO_KEY_HANDLE_INVALID:
1657 		case CRYPTO_SESSION_HANDLE_INVALID:
1658 			s->is_valid_handle = B_FALSE;
1659 			s->do_reauth = B_TRUE;
1660 			rverr = EINVAL;
1661 			break;
1662 		case CRYPTO_PIN_EXPIRED:
1663 		case CRYPTO_PIN_LOCKED:
1664 			rverr = EACCES;
1665 			break;
1666 		case CRYPTO_UNKNOWN_PROVIDER:
1667 			rverr = ENXIO;
1668 			break;
1669 		}
1670 	} else {
1671 		err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data,
1672 		    privkey, NULL, pms_data, creqp);
1673 	}
1674 
1675 	switch (err) {
1676 	case CRYPTO_SUCCESS:
1677 		break;
1678 
1679 	case CRYPTO_QUEUED:
1680 		/*
1681 		 * Finish the master secret then the rest of key material
1682 		 * derivation later.
1683 		 */
1684 		ssl->job.kjob = creq.cr_reqid;
1685 		ssl->job.buf = buf;
1686 		ssl->job.buflen = allocated;
1687 		ssl->hs_waitstate = wait_client_key_done;
1688 		return (0);
1689 	default:
1690 		DTRACE_PROBE1(kssl_err__crypto_decrypt, int, err);
1691 		kmem_free(buf, allocated);
1692 		return (rverr);
1693 	}
1694 
1695 	pmslen = pms_data->cd_length;
1696 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1697 
1698 	/* generate master key and save it in the ssl sid structure */
1699 	if (IS_TLS(ssl)) {
1700 		err = kssl_generate_tls_ms(ssl, pms, pmslen);
1701 		if (!CRYPTO_ERR(err))
1702 			err = kssl_generate_tls_keyblock(ssl);
1703 	} else {
1704 		kssl_generate_ssl_ms(ssl, pms, pmslen);
1705 		kssl_generate_keyblock(ssl);
1706 	}
1707 
1708 	if (err == CRYPTO_SUCCESS)
1709 		ssl->hs_waitstate = wait_change_cipher;
1710 
1711 	ssl->activeinput = B_FALSE;
1712 
1713 	kmem_free(buf, allocated);
1714 
1715 	return (0);
1716 }
1717 
1718 static int
1719 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen)
1720 {
1721 	int err;
1722 	size_t finish_len;
1723 	int hashcompare;
1724 
1725 	ASSERT(ssl->msg.type == finished);
1726 	ASSERT(ssl->hs_waitstate == wait_finished);
1727 
1728 	if (IS_TLS(ssl))
1729 		finish_len = TLS_FINISHED_SIZE;
1730 	else
1731 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1732 
1733 	if (msglen != finish_len) {
1734 		kssl_send_alert(ssl, alert_fatal, illegal_parameter);
1735 		return (EBADMSG);
1736 	}
1737 
1738 	if (IS_TLS(ssl)) {
1739 		hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash,
1740 		    finish_len);
1741 	} else {
1742 		hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len);
1743 	}
1744 
1745 	/* The handshake hashes should be computed by now */
1746 	if (hashcompare != 0) {
1747 		kssl_send_alert(ssl, alert_fatal, handshake_failure);
1748 		return (EBADMSG);
1749 	}
1750 
1751 	mp->b_rptr += msglen;
1752 
1753 	ssl->hs_waitstate = idle_handshake;
1754 
1755 	if (ssl->resumed == B_TRUE) {
1756 		ssl->activeinput = B_FALSE;
1757 		return (0);
1758 	}
1759 
1760 	err = kssl_send_change_cipher_specs(ssl);
1761 	if (err != 0) {
1762 		return (err);
1763 	}
1764 	err = kssl_send_finished(ssl, 0);
1765 	if (err != 0) {
1766 		return (err);
1767 	}
1768 
1769 	ASSERT(ssl->sid.cached == B_FALSE);
1770 	ssl->sid.cached = B_TRUE;
1771 	kssl_cache_sid(&ssl->sid, ssl->kssl_entry);
1772 	ssl->activeinput = B_FALSE;
1773 
1774 	return (0);
1775 }
1776 
1777 #define	KSSL2_CH_MIN_RECSZ	(9)
1778 
1779 /*
1780  * This method is needed to handle clients which send the
1781  * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers.
1782  * We are not really doing SSLv2 here, just handling the header
1783  * and then switching to SSLv3.
1784  */
1785 int
1786 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz)
1787 {
1788 	uchar_t *recend;
1789 	int err;
1790 	SSL3AlertDescription desc = illegal_parameter;
1791 	uint_t randlen;
1792 	uint_t sidlen;
1793 	uint_t nsuites;
1794 	uchar_t *suitesp;
1795 	uchar_t *rand;
1796 	uint_t i, j;
1797 	uint16_t suite;
1798 	int ch_recsz = KSSL2_CH_MIN_RECSZ;
1799 
1800 	ASSERT(mp->b_wptr >= mp->b_rptr + recsz);
1801 	ASSERT(ssl->hs_waitstate == wait_client_hello);
1802 	ASSERT(ssl->resumed == B_FALSE);
1803 
1804 	if (recsz < ch_recsz) {
1805 		goto falert;
1806 	}
1807 
1808 	MD5Init(&ssl->hs_md5);
1809 	SHA1Init(&ssl->hs_sha1);
1810 
1811 	kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz);
1812 
1813 	recend = mp->b_rptr + recsz;
1814 
1815 	if (*mp->b_rptr != 1) {
1816 		goto falert;
1817 	}
1818 	mp->b_rptr += 3;
1819 
1820 	nsuites = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
1821 	sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3];
1822 	randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5];
1823 	if (nsuites % 3 != 0) {
1824 		DTRACE_PROBE1(kssl_err__nsuites_error, uint_t, nsuites);
1825 		goto falert;
1826 	}
1827 	if (randlen < SSL_MIN_CHALLENGE_BYTES ||
1828 	    randlen > SSL_MAX_CHALLENGE_BYTES) {
1829 		DTRACE_PROBE1(kssl_err__randlen_out_of_range,
1830 		    uint_t, randlen);
1831 		goto falert;
1832 	}
1833 	mp->b_rptr += 6;
1834 	ch_recsz += nsuites + sidlen + randlen;
1835 	if (recsz != ch_recsz) {
1836 		goto falert;
1837 	}
1838 	suitesp = mp->b_rptr;
1839 	rand = suitesp + nsuites + sidlen;
1840 	if (randlen < SSL3_RANDOM_LENGTH) {
1841 		bzero(ssl->client_random, SSL3_RANDOM_LENGTH);
1842 	}
1843 	bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen],
1844 	    randlen);
1845 
1846 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
1847 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
1848 		for (j = 0; j < nsuites; j += 3) {
1849 			if (suitesp[j] != 0) {
1850 				continue;
1851 			}
1852 
1853 			if (suitesp[j + 1] == ((suite >> 8) & 0xff) &&
1854 			    suitesp[j + 2] == (suite & 0xff)) {
1855 				break;
1856 			}
1857 		}
1858 		if (j < nsuites) {
1859 			break;
1860 		}
1861 	}
1862 	if (i == ssl->kssl_entry->kssl_cipherSuites_nentries) {
1863 		DTRACE_PROBE(kssl_err__no_SSLv2_cipher_suite);
1864 		ssl->activeinput = B_FALSE;
1865 		return (SSL_MISS);
1866 	}
1867 
1868 	mp->b_rptr = recend;
1869 
1870 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
1871 		if (suite == cipher_suite_defs[i].suite) {
1872 			break;
1873 		}
1874 	}
1875 
1876 	ASSERT(i < cipher_suite_defs_nentries);
1877 
1878 	ssl->pending_cipher_suite = suite;
1879 	ssl->pending_malg = cipher_suite_defs[i].malg;
1880 	ssl->pending_calg = cipher_suite_defs[i].calg;
1881 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
1882 
1883 	ASSERT(ssl->sid.cached == B_FALSE);
1884 
1885 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
1886 	    SSL3_SESSIONID_BYTES);
1887 	ssl->sid.client_addr = ssl->faddr;
1888 	ssl->sid.cipher_suite = suite;
1889 
1890 	err = kssl_send_server_hello(ssl);
1891 	if (err != 0) {
1892 		return (err);
1893 	}
1894 	err = kssl_send_certificate_and_server_hello_done(ssl);
1895 	if (err != 0) {
1896 		return (err);
1897 	}
1898 	KSSL_COUNTER(full_handshakes, 1);
1899 	ssl->hs_waitstate = wait_client_key;
1900 	ssl->activeinput = B_FALSE;
1901 	return (0);
1902 
1903 falert:
1904 	kssl_send_alert(ssl, alert_fatal, desc);
1905 	ssl->activeinput = B_FALSE;
1906 	return (EBADMSG);
1907 }
1908 
1909 /*
1910  * Call back routine for asynchronously submitted RSA decryption jobs.
1911  * The routine retreived the pre-master secret, and proceeds to generate
1912  * the remaining key materials.
1913  */
1914 static void
1915 kssl_cke_done(void *arg, int status)
1916 {
1917 	int ret = 0;
1918 	uchar_t *pms;
1919 	size_t pmslen;
1920 	crypto_data_t *pms_data;
1921 	kssl_cmd_t kssl_cmd = KSSL_CMD_NONE;
1922 	ssl_t *ssl = (ssl_t *)arg;
1923 	mblk_t *alertmp;
1924 	kssl_callback_t cbfn;
1925 	void *cbarg;
1926 
1927 	mutex_enter(&ssl->kssl_lock);
1928 
1929 	ASSERT(ssl->msg.type == client_key_exchange);
1930 	ASSERT(ssl->hs_waitstate == wait_client_key_done);
1931 
1932 	if (status != CRYPTO_SUCCESS) {
1933 		kssl_send_alert(ssl, alert_fatal, decrypt_error);
1934 		kssl_cmd = KSSL_CMD_SEND;
1935 		goto out;
1936 	}
1937 
1938 	pms_data = (crypto_data_t *)(ssl->job.buf);
1939 
1940 	ASSERT(pms_data != NULL);
1941 
1942 	pmslen = pms_data->cd_length;
1943 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1944 
1945 	/* generate master key and save it in the ssl sid structure */
1946 	if (IS_TLS(ssl)) {
1947 		ret = kssl_generate_tls_ms(ssl, pms, pmslen);
1948 		if (!CRYPTO_ERR(ret))
1949 			ret = kssl_generate_tls_keyblock(ssl);
1950 	} else {
1951 		kssl_generate_ssl_ms(ssl, pms, pmslen);
1952 		kssl_generate_keyblock(ssl);
1953 	}
1954 
1955 	if (ret == CRYPTO_SUCCESS)
1956 		ssl->hs_waitstate = wait_change_cipher;
1957 
1958 out:
1959 	kmem_free(ssl->job.buf, ssl->job.buflen);
1960 
1961 	ssl->job.kjob = 0;
1962 	ssl->job.buf = NULL;
1963 	ssl->job.buflen = 0;
1964 
1965 	ssl->activeinput = B_FALSE;
1966 
1967 	/* If we're the only ones left, then we won't callback */
1968 	if (ssl->kssl_refcnt == 1) {
1969 		mutex_exit(&ssl->kssl_lock);
1970 		KSSL_SSL_REFRELE(ssl);
1971 		return;
1972 	}
1973 
1974 	cbfn = ssl->cke_callback_func;
1975 	cbarg = ssl->cke_callback_arg;
1976 	alertmp = ssl->alert_sendbuf;
1977 	ssl->alert_sendbuf = NULL;
1978 
1979 	mutex_exit(&ssl->kssl_lock);
1980 
1981 	KSSL_SSL_REFRELE(ssl);
1982 
1983 	/* Now call the callback routine */
1984 	(*(cbfn))(cbarg, alertmp, kssl_cmd);
1985 }
1986 
1987 /*
1988  * Returns the first complete contiguous record out of rec_ass_head
1989  * The record is returned in a separate contiguous mblk, rec_ass_head is
1990  * left pointing to the next record in the queue.
1991  *
1992  * The output looks as follows:
1993  *
1994  * |--------|---------- .... -----|<---------->|<----------->|--- ... ---|
1995  * ^        ^                     ^  mac_size     pad_size               ^
1996  * |        |___ b_rptr  b_wptr __|                                      |
1997  * |                                                                     |
1998  * |___ db_base                                                db_lim ___|
1999  */
2000 mblk_t *
2001 kssl_get_next_record(ssl_t *ssl)
2002 {
2003 	mblk_t *mp, *retmp;
2004 	int rhsz = SSL3_HDR_LEN;
2005 	uint16_t rec_sz;
2006 	int mpsz, total_size;
2007 	SSL3ContentType content_type;
2008 
2009 	ASSERT(MUTEX_HELD(&ssl->kssl_lock));
2010 
2011 	mp = ssl->rec_ass_head;
2012 	if (mp == NULL)
2013 		return (NULL);
2014 
2015 	/* Fast path: when mp has at least a complete record */
2016 	if (MBLKL(mp) < rhsz) {
2017 		DTRACE_PROBE1(kssl_mblk__incomplete_header,
2018 		    mblk_t *, mp);
2019 		/* Not even a complete header in there yet */
2020 		if (msgdsize(mp) < rhsz) {
2021 			return (NULL);
2022 		}
2023 
2024 		if (!pullupmsg(mp, rhsz)) {
2025 			kssl_send_alert(ssl, alert_fatal, internal_error);
2026 			freemsg(mp);
2027 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2028 			return (NULL);
2029 		}
2030 	}
2031 	content_type = (SSL3ContentType)mp->b_rptr[0];
2032 	if (content_type == content_handshake_v2) {
2033 		DTRACE_PROBE1(kssl_mblk__ssl_v2, mblk_t *, mp);
2034 		rec_sz = (uint16_t)mp->b_rptr[1];
2035 		rhsz = 2;
2036 	} else {
2037 		DTRACE_PROBE1(kssl_mblk__ssl_v3, mblk_t *, mp);
2038 		uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3;
2039 		rec_sz = BE16_TO_U16(rec_sz_p);
2040 	}
2041 
2042 	/*
2043 	 * same tests as above. Only rare very fragmented cases will
2044 	 * incur the cost of msgdsize() and msgpullup(). Well formed
2045 	 * packets will fall in the most frequent fast path.
2046 	 */
2047 	total_size = rhsz + rec_sz;
2048 
2049 	/*
2050 	 * Missing: defensive against record fabricated with longer than
2051 	 * MAX record length.
2052 	 */
2053 	if (MBLKL(mp) < total_size) {
2054 		DTRACE_PROBE2(kssl_mblk__smaller_than_total_size,
2055 		    mblk_t *, mp, int, total_size);
2056 		/* Not a complete record yet. Keep accumulating */
2057 		if (msgdsize(mp) < total_size) {
2058 			return (NULL);
2059 		}
2060 
2061 		if (!pullupmsg(mp, total_size)) {
2062 			kssl_send_alert(ssl, alert_fatal, internal_error);
2063 			freemsg(mp);
2064 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2065 			return (NULL);
2066 		}
2067 	}
2068 	mpsz = MBLKL(mp);	/* could've changed after the pullup */
2069 
2070 	if (mpsz > total_size) {
2071 		DTRACE_PROBE2(kssl_mblk__bigger_than_total_size,
2072 		    mblk_t *, mp, int, total_size);
2073 		/* gotta allocate a new block */
2074 		if ((retmp = dupb(mp)) == NULL) {
2075 			kssl_send_alert(ssl, alert_fatal, internal_error);
2076 			freemsg(mp);
2077 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2078 			return (NULL);
2079 		}
2080 
2081 		retmp->b_wptr = retmp->b_rptr + total_size;
2082 		mp->b_rptr += total_size;
2083 		ssl->rec_ass_head = mp;
2084 	} else {
2085 		DTRACE_PROBE2(kssl_mblk__equal_to_total_size,
2086 		    mblk_t *, mp, int, total_size);
2087 		ASSERT(mpsz == total_size);
2088 		ssl->rec_ass_head = mp->b_cont;
2089 		mp->b_cont = NULL;
2090 		retmp = mp;
2091 	}
2092 	/* Adjust the tail */
2093 	if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) {
2094 		for (; mp->b_cont != NULL; mp = mp->b_cont) {
2095 			ssl->rec_ass_tail = mp->b_cont;
2096 		}
2097 	}
2098 
2099 	return (retmp);
2100 }
2101 
2102 
2103 static void
2104 kssl_mblksfree(ssl_t *ssl)
2105 {
2106 
2107 	ASSERT(ssl != NULL);
2108 
2109 	if (ssl->rec_ass_head != NULL) {
2110 		freemsg(ssl->rec_ass_head);
2111 	}
2112 	ssl->rec_ass_head = NULL;
2113 	ssl->rec_ass_tail = NULL;
2114 
2115 	if (ssl->msg.head != NULL) {
2116 		freemsg(ssl->msg.head);
2117 	}
2118 	ssl->msg.head = NULL;
2119 	ssl->msg.tail = NULL;
2120 
2121 	if (ssl->handshake_sendbuf != NULL) {
2122 		freemsg(ssl->handshake_sendbuf);
2123 		ssl->handshake_sendbuf = NULL;
2124 	}
2125 	if (ssl->alert_sendbuf != NULL) {
2126 		freemsg(ssl->alert_sendbuf);
2127 		ssl->alert_sendbuf = NULL;
2128 	}
2129 }
2130 
2131 static void
2132 kssl_specsfree(ssl_t *ssl)
2133 {
2134 	KSSLCipherSpec *spec = &ssl->spec[KSSL_READ];
2135 
2136 	if (spec->cipher_ctx != NULL) {
2137 		crypto_cancel_ctx(spec->cipher_ctx);
2138 		spec->cipher_ctx = 0;
2139 	}
2140 
2141 	spec = &ssl->spec[KSSL_WRITE];
2142 
2143 	if (spec->cipher_ctx != NULL) {
2144 		crypto_cancel_ctx(spec->cipher_ctx);
2145 		spec->cipher_ctx = 0;
2146 	}
2147 }
2148 
2149 /*
2150  * Frees the ssl structure (aka the context of an SSL session).
2151  * Any pending crypto jobs are cancelled.
2152  * Any initiated crypto contexts are freed as well.
2153  */
2154 void
2155 kssl_free_context(ssl_t *ssl)
2156 {
2157 	ASSERT(ssl != NULL);
2158 	if (!(MUTEX_HELD(&ssl->kssl_lock))) {
2159 		/* we're coming from an external API entry point */
2160 		mutex_enter(&ssl->kssl_lock);
2161 	}
2162 
2163 	if (ssl->job.kjob != NULL) {
2164 		crypto_cancel_req(ssl->job.kjob);
2165 		kmem_free(ssl->job.buf, ssl->job.buflen);
2166 
2167 		ssl->job.kjob = 0;
2168 		ssl->job.buf = NULL;
2169 		ssl->job.buflen = 0;
2170 	}
2171 
2172 	kssl_mblksfree(ssl);
2173 	kssl_specsfree(ssl);
2174 
2175 	KSSL_ENTRY_REFRELE(ssl->kssl_entry);
2176 	ssl->kssl_entry = NULL;
2177 
2178 	mutex_exit(&ssl->kssl_lock);
2179 
2180 	kmem_cache_free(kssl_cache, ssl);
2181 	kssl_cache_count--;
2182 }
2183