xref: /titanic_52/usr/src/uts/common/inet/kssl/ksslrec.c (revision 9ff75ade7518b5023d90c864a4c081dba319589e)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 #include <sys/types.h>
26 #include <sys/stream.h>
27 #include <sys/strsubr.h>
28 #include <sys/stropts.h>
29 #include <sys/strsun.h>
30 #define	_SUN_TPI_VERSION 2
31 #include <sys/ddi.h>
32 #include <sys/sunddi.h>
33 #include <sys/debug.h>
34 #include <sys/vtrace.h>
35 #include <sys/kmem.h>
36 #include <sys/cpuvar.h>
37 #include <sys/atomic.h>
38 #include <sys/sysmacros.h>
39 
40 #include <sys/errno.h>
41 #include <sys/isa_defs.h>
42 #include <sys/md5.h>
43 #include <sys/sha1.h>
44 #include <sys/random.h>
45 #include <inet/common.h>
46 #include <netinet/in.h>
47 
48 #include <sys/systm.h>
49 #include <sys/param.h>
50 
51 #include "ksslimpl.h"
52 #include "ksslapi.h"
53 #include "ksslproto.h"
54 
55 static ssl3CipherSuiteDef cipher_suite_defs[] = {
56 	/* 2 X 16 byte keys +  2 x 20 byte MAC secrets, no IVs */
57 	{SSL_RSA_WITH_RC4_128_SHA,	cipher_rc4,	mac_sha,	72},
58 
59 	/* 2 X 16 byte keys +  2 x 16 byte MAC secrets, no IVs */
60 	{SSL_RSA_WITH_RC4_128_MD5,	cipher_rc4,	mac_md5,	64},
61 
62 	/* 2 X 8 byte keys +  2 x 20 byte MAC secrets, 2 x 8 byte IVs */
63 	{SSL_RSA_WITH_DES_CBC_SHA,	cipher_des,	mac_sha,	72},
64 
65 	/* 2 X 24 byte keys +  2 x 20 byte MAC secrets, 2 x 8 byte IVs */
66 	{SSL_RSA_WITH_3DES_EDE_CBC_SHA,	cipher_3des,	mac_sha,	104},
67 
68 	/* 2 X 16 byte keys +  2 x 20 byte MAC secrets, 2 x 16 byte IVs */
69 	{TLS_RSA_WITH_AES_128_CBC_SHA,	cipher_aes128,	mac_sha,	104},
70 
71 	/* 2 X 32 byte keys +  2 x 20 byte MAC secrets, 2 x 16 byte IVs */
72 	{TLS_RSA_WITH_AES_256_CBC_SHA,	cipher_aes256,	mac_sha,	136},
73 
74 	{SSL_RSA_WITH_NULL_SHA,		cipher_null,	mac_sha,	40}
75 };
76 
77 static int cipher_suite_defs_nentries =
78     sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]);
79 
80 static KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
81 	/* macsz padsz HashInit HashUpdate HashFinal */
82 
83 	{MD5_HASH_LEN, SSL3_MD5_PAD_LEN,
84 	    (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update,
85 	    (hashfinal_func_t)MD5Final},
86 
87 	{SHA1_HASH_LEN, SSL3_SHA1_PAD_LEN,
88 	    (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update,
89 	    (hashfinal_func_t)SHA1Final},
90 };
91 
92 static uchar_t kssl_pad_1[60] = {
93     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
94     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
95     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
96     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
97     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
98     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
99     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
100     0x36, 0x36, 0x36, 0x36
101 };
102 static uchar_t kssl_pad_2[60] = {
103     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
104     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
105     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
106     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
107     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
108     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
109     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
110     0x5c, 0x5c, 0x5c, 0x5c
111 };
112 
113 static boolean_t kssl_synchronous = B_FALSE;
114 
115 static void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t);
116 static int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t);
117 static int kssl_handle_client_hello(ssl_t *, mblk_t *, int);
118 static int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int,
119     kssl_callback_t, void *);
120 static int kssl_send_server_hello(ssl_t *);
121 static int kssl_send_certificate_and_server_hello_done(ssl_t *);
122 static int kssl_send_change_cipher_specs(ssl_t *);
123 static int kssl_send_finished(ssl_t *, int);
124 static int kssl_handle_finished(ssl_t *, mblk_t *, int);
125 static void kssl_get_hello_random(uchar_t *);
126 static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *);
127 static void kssl_cache_sid(sslSessionID *, kssl_entry_t *);
128 static void kssl_lookup_sid(sslSessionID *, uchar_t *, in6_addr_t *,
129     kssl_entry_t *);
130 static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t);
131 static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t);
132 static int kssl_generate_tls_keyblock(ssl_t *);
133 static void kssl_generate_keyblock(ssl_t *);
134 static void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t,
135     int, uchar_t *, int);
136 static int kssl_tls_PRF(ssl_t *, uchar_t *, size_t,
137     uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
138 static int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *,
139     size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
140 static void kssl_cke_done(void *, int);
141 
142 #define	HMAC_INIT(m, k, c) \
143 	rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end;
144 
145 #define	HMAC_UPDATE(c, d, l) \
146 	dd.cd_raw.iov_base = (char *)d; \
147 	dd.cd_length = dd.cd_raw.iov_len = l; \
148 	rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end;
149 
150 #define	HMAC_FINAL(c, d, l) \
151 	mac.cd_raw.iov_base = (char *)d; \
152 	mac.cd_length = mac.cd_raw.iov_len = l; \
153 	rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end;
154 
155 /*
156  * This hack can go away once we have SSL3 MAC support by KCF
157  * software providers (See 4873559).
158  */
159 extern int kcf_md5_threshold;
160 
161 int
162 kssl_compute_record_mac(
163 	ssl_t *ssl,
164 	int direction,
165 	uint64_t seq_num,
166 	SSL3ContentType ct,
167 	uchar_t *versionp,
168 	uchar_t *buf,
169 	int len,
170 	uchar_t *digest)
171 {
172 	KSSL_HASHCTX mac_ctx;
173 	KSSL_HASHCTX *ctx = &mac_ctx;
174 	uchar_t temp[16], *p;
175 	KSSLCipherSpec *spec;
176 	boolean_t hash_use_ok = B_FALSE;
177 	int rv = 0;
178 
179 	spec = &ssl->spec[direction];
180 
181 	if (spec->mac_hashsz == 0) {
182 		return (1);
183 	}
184 
185 	p = temp;
186 
187 	*p++ = (seq_num >> 56) & 0xff;
188 	*p++ = (seq_num >> 48) & 0xff;
189 	*p++ = (seq_num >> 40) & 0xff;
190 	*p++ = (seq_num >> 32) & 0xff;
191 	*p++ = (seq_num >> 24) & 0xff;
192 	*p++ = (seq_num >> 16) & 0xff;
193 	*p++ = (seq_num >> 8) & 0xff;
194 	*p++ = (seq_num) & 0xff;
195 	*p++ = (uchar_t)ct;
196 	if (IS_TLS(ssl)) {
197 		*p++ = versionp[0];
198 		*p++ = versionp[1];
199 	}
200 	*p++ = (len >> 8) & 0xff;
201 	*p++ = (len) & 0xff;
202 
203 	if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID &&
204 	    len >= kcf_md5_threshold)) {
205 		crypto_data_t dd, mac;
206 		struct uio uio_pt;
207 		struct iovec iovarray_pt[2];
208 
209 		/* init the array of iovecs for use in the uio struct */
210 		iovarray_pt[0].iov_base = (char *)temp;
211 		iovarray_pt[0].iov_len = (p - temp);
212 		iovarray_pt[1].iov_base = (char *)buf;
213 		iovarray_pt[1].iov_len = len;
214 
215 		/* init the uio struct for use in the crypto_data_t struct */
216 		bzero(&uio_pt, sizeof (uio_pt));
217 		uio_pt.uio_iov = iovarray_pt;
218 		uio_pt.uio_iovcnt = 2;
219 		uio_pt.uio_segflg = UIO_SYSSPACE;
220 
221 		dd.cd_format = CRYPTO_DATA_UIO;
222 		dd.cd_offset = 0;
223 		dd.cd_length =  (p - temp) + len;
224 		dd.cd_miscdata = NULL;
225 		dd.cd_uio = &uio_pt;
226 
227 		mac.cd_format = CRYPTO_DATA_RAW;
228 		mac.cd_offset = 0;
229 		mac.cd_raw.iov_base = (char *)digest;
230 		mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz;
231 
232 		/*
233 		 * The calling context can tolerate a blocking call here.
234 		 * For outgoing traffic, we are in user context when called
235 		 * from kssl_data_out_cb(). For incoming traffic past the
236 		 * SSL handshake, we are in user context when called from
237 		 * kssl_data_in_proc_cb(). During the SSL handshake, we are
238 		 * called for client_finished message handling from a taskq
239 		 * thread.
240 		 */
241 		rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key,
242 		    NULL, &mac, NULL);
243 
244 		if (CRYPTO_ERR(rv)) {
245 			hash_use_ok = (rv == CRYPTO_MECH_NOT_SUPPORTED &&
246 			    !IS_TLS(ssl));
247 			if (!hash_use_ok) {
248 				DTRACE_PROBE1(kssl_err__crypto_mac_error,
249 				    int, rv);
250 				KSSL_COUNTER(compute_mac_failure, 1);
251 			}
252 		}
253 	} else
254 		hash_use_ok = B_TRUE;
255 
256 	if (hash_use_ok) {
257 		bcopy(&(ssl->mac_ctx[direction][0]), ctx,
258 		    sizeof (KSSL_HASHCTX));
259 		spec->MAC_HashUpdate((void *)ctx, temp, p - temp);
260 		spec->MAC_HashUpdate((void *)ctx, buf, len);
261 		spec->MAC_HashFinal(digest, (void *)ctx);
262 
263 		bcopy(&(ssl->mac_ctx[direction][1]), ctx,
264 		    sizeof (KSSL_HASHCTX));
265 		spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz);
266 		spec->MAC_HashFinal(digest, (void *)ctx);
267 	}
268 
269 	return (rv);
270 }
271 
272 /*
273  * Handles handshake messages.
274  * Messages to be replied are returned in handshake_sendbuf.
275  */
276 int
277 kssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err,
278     kssl_callback_t cbfn, void *arg)
279 {
280 	uint32_t msglen;
281 	uchar_t msghdr[4];
282 
283 	ASSERT(ssl->msg.state == MSG_BODY);
284 	ASSERT(ssl->msg.msglen_bytes == 3);
285 	ASSERT(mp->b_wptr >= mp->b_rptr + ssl->msg.msglen);
286 
287 	ssl->sslcnt++;
288 	msglen = ssl->msg.msglen;
289 
290 	if (ssl->msg.type == client_hello) {
291 		MD5Init(&ssl->hs_md5);
292 		SHA1Init(&ssl->hs_sha1);
293 	}
294 
295 	if (ssl->msg.type == finished && ssl->resumed == B_FALSE) {
296 		if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
297 		    sender_client) != 0) {
298 			*err = SSL_MISS;
299 			return (0);
300 		}
301 	}
302 
303 	if (ssl->msg.type != finished || ssl->resumed == B_FALSE) {
304 		msghdr[0] = (uchar_t)ssl->msg.type;
305 
306 		msghdr[1] = (uchar_t)(msglen >> 16);
307 		msghdr[2] = (uchar_t)(msglen >> 8);
308 		msghdr[3] = (uchar_t)(msglen);
309 		kssl_update_handshake_hashes(ssl, msghdr, 4);
310 		kssl_update_handshake_hashes(ssl, mp->b_rptr, msglen);
311 	}
312 
313 	ssl->msg.state = MSG_INIT;
314 	ssl->msg.msglen = 0;
315 	ssl->msg.msglen_bytes = 0;
316 
317 	switch (ssl->msg.type) {
318 	case client_hello:
319 		if (ssl->hs_waitstate != wait_client_hello) {
320 			kssl_send_alert(ssl, alert_fatal,
321 			    unexpected_message);
322 			*err = EBADMSG;
323 			ssl->activeinput = B_FALSE;
324 			return (1);
325 		}
326 		*err = kssl_handle_client_hello(ssl, mp, msglen);
327 		if (*err == SSL_MISS) {
328 			ssl->activeinput = B_FALSE;
329 			return (0);
330 		}
331 		return (1);
332 	case client_key_exchange:
333 		if (ssl->hs_waitstate != wait_client_key) {
334 			kssl_send_alert(ssl, alert_fatal,
335 			    unexpected_message);
336 			*err = EBADMSG;
337 			ssl->activeinput = B_FALSE;
338 			return (1);
339 		}
340 		*err = kssl_handle_client_key_exchange(ssl, mp,
341 		    msglen, cbfn, arg);
342 		return (1);
343 	case finished:
344 		if (ssl->hs_waitstate != wait_finished) {
345 			kssl_send_alert(ssl, alert_fatal,
346 			    unexpected_message);
347 			*err = EBADMSG;
348 			ssl->activeinput = B_FALSE;
349 			return (1);
350 		}
351 		*err = kssl_handle_finished(ssl, mp, msglen);
352 		return (1);
353 	default:
354 		kssl_send_alert(ssl, alert_fatal, unexpected_message);
355 		ssl->activeinput = B_FALSE;
356 		*err = EBADMSG;
357 		return (1);
358 	}
359 }
360 
361 static void
362 kssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len)
363 {
364 	MD5Update(&ssl->hs_md5, buf, len);
365 	SHA1Update(&ssl->hs_sha1, buf, len);
366 }
367 
368 static int
369 kssl_compute_handshake_hashes(
370 	ssl_t *ssl,
371 	SSL3Hashes *hashes,
372 	uint32_t sender)
373 {
374 	MD5_CTX md5 = ssl->hs_md5;	/* clone md5 context */
375 	SHA1_CTX sha1 = ssl->hs_sha1;	/* clone sha1 context */
376 	MD5_CTX *md5ctx = &md5;
377 	SHA1_CTX *sha1ctx = &sha1;
378 
379 	if (IS_TLS(ssl)) {
380 		uchar_t seed[MD5_HASH_LEN + SHA1_HASH_LEN];
381 		char *label;
382 
383 		/*
384 		 * Do not take another hash step here.
385 		 * Just complete the operation.
386 		 */
387 		MD5Final(hashes->md5, md5ctx);
388 		SHA1Final(hashes->sha1, sha1ctx);
389 
390 		bcopy(hashes->md5, seed, MD5_HASH_LEN);
391 		bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN);
392 
393 		if (sender == sender_client)
394 			label = TLS_CLIENT_FINISHED_LABEL;
395 		else
396 			label = TLS_SERVER_FINISHED_LABEL;
397 
398 		return (kssl_tls_PRF(ssl,
399 		    ssl->sid.master_secret,
400 		    (size_t)SSL3_MASTER_SECRET_LEN,
401 		    (uchar_t *)label, strlen(label),
402 		    seed, (size_t)(MD5_HASH_LEN + SHA1_HASH_LEN),
403 		    hashes->tlshash, (size_t)TLS_FINISHED_SIZE));
404 	} else {
405 		uchar_t s[4];
406 		s[0] = (sender >> 24) & 0xff;
407 		s[1] = (sender >> 16) & 0xff;
408 		s[2] = (sender >> 8) & 0xff;
409 		s[3] = (sender) & 0xff;
410 
411 		MD5Update(md5ctx, s, 4);
412 		MD5Update(md5ctx, ssl->sid.master_secret,
413 		    SSL3_MASTER_SECRET_LEN);
414 		MD5Update(md5ctx, kssl_pad_1, SSL3_MD5_PAD_LEN);
415 		MD5Final(hashes->md5, md5ctx);
416 
417 		MD5Init(md5ctx);
418 		MD5Update(md5ctx, ssl->sid.master_secret,
419 		    SSL3_MASTER_SECRET_LEN);
420 		MD5Update(md5ctx, kssl_pad_2, SSL3_MD5_PAD_LEN);
421 		MD5Update(md5ctx, hashes->md5, MD5_HASH_LEN);
422 		MD5Final(hashes->md5, md5ctx);
423 
424 		SHA1Update(sha1ctx, s, 4);
425 		SHA1Update(sha1ctx, ssl->sid.master_secret,
426 		    SSL3_MASTER_SECRET_LEN);
427 		SHA1Update(sha1ctx, kssl_pad_1, SSL3_SHA1_PAD_LEN);
428 		SHA1Final(hashes->sha1, sha1ctx);
429 
430 		SHA1Init(sha1ctx);
431 		SHA1Update(sha1ctx, ssl->sid.master_secret,
432 		    SSL3_MASTER_SECRET_LEN);
433 		SHA1Update(sha1ctx, kssl_pad_2, SSL3_SHA1_PAD_LEN);
434 		SHA1Update(sha1ctx, hashes->sha1, SHA1_HASH_LEN);
435 		SHA1Final(hashes->sha1, sha1ctx);
436 		return (0);
437 	}
438 }
439 
440 
441 /*
442  * Minimum message length for a client hello =
443  * 2-byte client_version +
444  * 32-byte random +
445  * 1-byte session_id length +
446  * 2-byte cipher_suites length +
447  * 1-byte compression_methods length +
448  * 1-byte CompressionMethod.null
449  */
450 #define	KSSL_SSL3_CH_MIN_MSGLEN	(39)
451 
452 /*
453  * Process SSL/TLS Client Hello message. Return 0 on success, errno value
454  * or SSL_MISS if no cipher suite of the server matches the list received
455  * in the message.
456  */
457 static int
458 kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen)
459 {
460 	uchar_t *msgend;
461 	int err;
462 	SSL3AlertDescription desc = illegal_parameter;
463 	uint_t sidlen, cslen, cmlen;
464 	uchar_t *suitesp;
465 	uint_t i, j;
466 	uint16_t suite, selected_suite;
467 	int ch_msglen = KSSL_SSL3_CH_MIN_MSGLEN;
468 	boolean_t suite_found = B_FALSE;
469 
470 	ASSERT(mp->b_wptr >= mp->b_rptr + msglen);
471 	ASSERT(ssl->msg.type == client_hello);
472 	ASSERT(ssl->hs_waitstate == wait_client_hello);
473 	ASSERT(ssl->resumed == B_FALSE);
474 
475 	if (msglen < ch_msglen) {
476 		DTRACE_PROBE2(kssl_err__msglen_less_than_minimum,
477 		    int, msglen, int, ch_msglen);
478 		goto falert;
479 	}
480 
481 	msgend = mp->b_rptr + msglen;
482 
483 	/* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */
484 	if (ssl->major_version != 3 || (ssl->major_version == 3 &&
485 	    ssl->minor_version != 0 && ssl->minor_version != 1)) {
486 		DTRACE_PROBE2(kssl_err__SSL_version_not_supported,
487 		    uchar_t, ssl->major_version,
488 		    uchar_t, ssl->minor_version);
489 		desc = handshake_failure;
490 		goto falert;
491 	}
492 	mp->b_rptr += 2; /* skip the version bytes */
493 
494 	/* read client random field */
495 	bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH);
496 	mp->b_rptr += SSL3_RANDOM_LENGTH;
497 
498 	/* read session ID length */
499 	ASSERT(ssl->sid.cached == B_FALSE);
500 	sidlen = *mp->b_rptr++;
501 	ch_msglen += sidlen;
502 	if (msglen < ch_msglen) {
503 		DTRACE_PROBE2(kssl_err__invalid_message_length_after_ver,
504 		    int, msglen, int, ch_msglen);
505 		goto falert;
506 	}
507 	if (sidlen != SSL3_SESSIONID_BYTES) {
508 		mp->b_rptr += sidlen;
509 	} else {
510 		kssl_lookup_sid(&ssl->sid, mp->b_rptr, &ssl->faddr,
511 		    ssl->kssl_entry);
512 		mp->b_rptr += SSL3_SESSIONID_BYTES;
513 	}
514 
515 	/* read cipher suite length */
516 	cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
517 	mp->b_rptr += 2;
518 	ch_msglen += cslen;
519 
520 	/*
521 	 * This check can't be a "!=" since there can be
522 	 * compression methods other than CompressionMethod.null.
523 	 * Also, there can be extra data (TLS extensions) after the
524 	 * compression methods field.
525 	 */
526 	if (msglen < ch_msglen) {
527 		DTRACE_PROBE2(kssl_err__invalid_message_length_after_cslen,
528 		    int, msglen, int, ch_msglen);
529 		goto falert;
530 	}
531 
532 	/* The length has to be even since a cipher suite is 2-byte long. */
533 	if (cslen & 0x1) {
534 		DTRACE_PROBE1(kssl_err__uneven_cipher_suite_length,
535 		    uint_t, cslen);
536 		goto falert;
537 	}
538 	suitesp = mp->b_rptr;
539 
540 	/* session resumption checks */
541 	if (ssl->sid.cached == B_TRUE) {
542 		suite = ssl->sid.cipher_suite;
543 		for (j = 0; j < cslen; j += 2) {
544 			DTRACE_PROBE2(kssl_cipher_suite_check_resumpt,
545 			    uint16_t, suite,
546 			    uint16_t,
547 			    (uint16_t)((suitesp[j] << 8) + suitesp[j+1]));
548 			/* Check for regular (true) cipher suite. */
549 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
550 			    suitesp[j + 1] == (suite & 0xff)) {
551 				DTRACE_PROBE1(kssl_cipher_suite_found_resumpt,
552 				    uint16_t, suite);
553 				suite_found = B_TRUE;
554 				selected_suite = suite;
555 			}
556 
557 			/* Check for SCSV. */
558 			if (suitesp[j] ==  ((SSL_SCSV >> 8) & 0xff) &&
559 			    suitesp[j + 1] == (SSL_SCSV & 0xff)) {
560 				DTRACE_PROBE(kssl_scsv_found_resumpt);
561 				ssl->secure_renegotiation = B_TRUE;
562 			}
563 
564 			/*
565 			 * If we got cipher suite match and SCSV we can
566 			 * terminate the cycle now.
567 			 */
568 			if (suite_found && ssl->secure_renegotiation)
569 				break;
570 		}
571 		if (suite_found)
572 			goto suite_found;
573 		kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
574 	}
575 
576 	/* Check if this server is capable of the cipher suite. */
577 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
578 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
579 		for (j = 0; j < cslen; j += 2) {
580 			DTRACE_PROBE2(kssl_cipher_suite_check, uint16_t, suite,
581 			    uint16_t,
582 			    (uint16_t)((suitesp[j] << 8) + suitesp[j+1]));
583 			/* Check for regular (true) cipher suite. */
584 			if (suitesp[j] == ((suite >> 8) & 0xff) &&
585 			    suitesp[j + 1] == (suite & 0xff)) {
586 				DTRACE_PROBE1(kssl_cipher_suite_found,
587 				    uint16_t, suite);
588 				suite_found = B_TRUE;
589 				selected_suite = suite;
590 			}
591 
592 			/* Check for SCSV. */
593 			if (suitesp[j] ==  ((SSL_SCSV >> 8) & 0xff) &&
594 			    suitesp[j + 1] == (SSL_SCSV & 0xff)) {
595 				DTRACE_PROBE(kssl_scsv_found);
596 				ssl->secure_renegotiation = B_TRUE;
597 			}
598 
599 			/*
600 			 * If we got cipher suite match and SCSV or went
601 			 * through the whole list of client cipher suites
602 			 * (hence we know if SCSV was present or not) we
603 			 * can terminate the cycle now.
604 			 */
605 			if (suite_found &&
606 			    (ssl->secure_renegotiation || (i > 0)))
607 				break;
608 		}
609 		if (suite_found)
610 			break;
611 	}
612 	if (!suite_found) {
613 		if (ssl->sslcnt == 1) {
614 			DTRACE_PROBE(kssl_no_cipher_suite_found);
615 			KSSL_COUNTER(no_suite_found, 1);
616 			/*
617 			 * If there is no fallback point terminate the
618 			 * handshake with SSL alert otherwise return with
619 			 * SSL_MISS.
620 			 */
621 			if (ssl->kssl_entry->ke_fallback_head == NULL) {
622 				DTRACE_PROBE(kssl_no_fallback);
623 				desc = handshake_failure;
624 				goto falert;
625 			} else {
626 				return (SSL_MISS);
627 			}
628 		}
629 		desc = handshake_failure;
630 		DTRACE_PROBE(kssl_err__no_cipher_suites_found);
631 		goto falert;
632 	}
633 
634 suite_found:
635 	mp->b_rptr += cslen;
636 
637 	/*
638 	 * Check for the mandatory CompressionMethod.null. We do not
639 	 * support any other compression methods.
640 	 */
641 	cmlen = *mp->b_rptr++;
642 	ch_msglen += cmlen - 1;	/* -1 accounts for the null method */
643 	if (msglen < ch_msglen) {
644 		DTRACE_PROBE2(kssl_err__invalid_message_length_after_complen,
645 		    int, msglen, int, ch_msglen);
646 		goto falert;
647 	}
648 
649 	/*
650 	 * Search for null compression method (encoded as 0 byte) in the
651 	 * compression methods field.
652 	 */
653 	while (cmlen >= 1) {
654 		if (*mp->b_rptr++ == 0)
655 			break;
656 		cmlen--;
657 	}
658 
659 	if (cmlen == 0) {
660 		desc = handshake_failure;
661 		DTRACE_PROBE(kssl_err__no_null_compression_method);
662 		goto falert;
663 	}
664 
665 	/* Find the suite in the internal cipher suite table. */
666 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
667 		if (selected_suite == cipher_suite_defs[i].suite) {
668 			break;
669 		}
670 	}
671 
672 	/* Get past the remaining compression methods (minus null method). */
673 	mp->b_rptr += cmlen - 1;
674 
675 	ASSERT(i < cipher_suite_defs_nentries);
676 
677 	ssl->pending_cipher_suite = selected_suite;
678 	ssl->pending_malg = cipher_suite_defs[i].malg;
679 	ssl->pending_calg = cipher_suite_defs[i].calg;
680 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
681 
682 	/* Parse TLS extensions (if any). */
683 	if (ch_msglen + 2 < msglen) {
684 		/* Get the length of the extensions. */
685 		uint16_t ext_total_len = ((uint_t)mp->b_rptr[0] << 8) +
686 		    (uint_t)mp->b_rptr[1];
687 		DTRACE_PROBE1(kssl_total_length_extensions, uint16_t,
688 		    ext_total_len);
689 		/*
690 		 * Consider zero extensions length as invalid extension
691 		 * encoding.
692 		 */
693 		if (ext_total_len == 0) {
694 			DTRACE_PROBE1(kssl_err__zero_extensions_length,
695 			    mblk_t *, mp);
696 			goto falert;
697 		}
698 		ch_msglen += 2;
699 		if (ch_msglen + ext_total_len > msglen) {
700 			DTRACE_PROBE2(kssl_err__invalid_extensions_length,
701 			    int, msglen, int, ch_msglen);
702 			goto falert;
703 		}
704 		mp->b_rptr += 2;
705 
706 		/*
707 		 * Go through the TLS extensions. This is only done to check
708 		 * for the presence of renegotiation_info extension. We do not
709 		 * support any other TLS extensions and hence ignore them.
710 		 */
711 		while (mp->b_rptr < msgend) {
712 			uint16_t ext_len, ext_type;
713 
714 			/*
715 			 * Check that the extension has at least type and
716 			 * length (2 + 2 bytes).
717 			 */
718 			if (ch_msglen + 4 > msglen) {
719 				DTRACE_PROBE(kssl_err__invalid_ext_format);
720 				goto falert;
721 			}
722 
723 			/* Get extension type and length */
724 			ext_type = ((uint_t)mp->b_rptr[0] << 8) +
725 			    (uint_t)mp->b_rptr[1];
726 			mp->b_rptr += 2;
727 			ext_len = ((uint_t)mp->b_rptr[0] << 8) +
728 			    (uint_t)mp->b_rptr[1];
729 			mp->b_rptr += 2;
730 			ch_msglen += 4;
731 			DTRACE_PROBE3(kssl_ext_detected, uint16_t, ext_type,
732 			    uint16_t, ext_len, mblk_t *, mp);
733 
734 			/*
735 			 * Make sure the contents of the extension are
736 			 * accessible.
737 			 */
738 			if (ch_msglen + ext_len > msglen) {
739 				DTRACE_PROBE1(
740 				    kssl_err__invalid_ext_len,
741 				    uint16_t, ext_len);
742 				goto falert;
743 			}
744 
745 			switch (ext_type) {
746 			case TLSEXT_RENEGOTIATION_INFO:
747 				/*
748 				 * Search for empty "renegotiation_info"
749 				 * extension (encoded as ff 01 00 01 00).
750 				 */
751 				DTRACE_PROBE(kssl_reneg_info_found);
752 				if ((ext_len != 1) ||
753 				    (*mp->b_rptr != 0)) {
754 					DTRACE_PROBE2(
755 					    kssl_err__non_empty_reneg_info,
756 					    uint16_t, ext_len,
757 					    mblk_t *, mp);
758 					goto falert;
759 				}
760 				ssl->secure_renegotiation = B_TRUE;
761 				break;
762 			default:
763 				/* FALLTHRU */
764 				break;
765 			}
766 
767 			/* jump to the next extension */
768 			ch_msglen += ext_len;
769 			mp->b_rptr += ext_len;
770 		}
771 	}
772 
773 	mp->b_rptr = msgend;
774 
775 	if (ssl->sid.cached == B_TRUE) {
776 		err = kssl_send_server_hello(ssl);
777 		if (err != 0) {
778 			return (err);
779 		}
780 		if (IS_TLS(ssl))
781 			err = kssl_generate_tls_keyblock(ssl);
782 		else
783 			kssl_generate_keyblock(ssl);
784 
785 		err = kssl_send_change_cipher_specs(ssl);
786 		if (err != 0) {
787 			return (err);
788 		}
789 
790 		err = kssl_send_finished(ssl, 1);
791 		if (err != 0)
792 			return (err);
793 
794 		err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
795 		    sender_client);
796 		if (err != 0)
797 			return (err);
798 
799 		ssl->hs_waitstate = wait_change_cipher;
800 		ssl->resumed = B_TRUE;
801 		ssl->activeinput = B_FALSE;
802 		KSSL_COUNTER(resumed_sessions, 1);
803 		return (0);
804 	}
805 
806 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
807 	    SSL3_SESSIONID_BYTES);
808 	ssl->sid.client_addr = ssl->faddr;
809 	ssl->sid.cipher_suite = selected_suite;
810 
811 	err = kssl_send_server_hello(ssl);
812 	if (err != 0) {
813 		return (err);
814 	}
815 	err = kssl_send_certificate_and_server_hello_done(ssl);
816 	if (err != 0) {
817 		return (err);
818 	}
819 	KSSL_COUNTER(full_handshakes, 1);
820 	ssl->hs_waitstate = wait_client_key;
821 	ssl->activeinput = B_FALSE;
822 	return (0);
823 
824 falert:
825 	kssl_send_alert(ssl, alert_fatal, desc);
826 	return (EBADMSG);
827 }
828 
829 #define	SET_HASH_INDEX(index, s, clnt_addr) {				\
830 	int addr;							\
831 									\
832 	IN6_V4MAPPED_TO_IPADDR(clnt_addr, addr);			\
833 	index = addr ^ (((int)(s)[0] << 24) | ((int)(s)[1] << 16) |	\
834 	    ((int)(s)[2] << 8) | (int)(s)[SSL3_SESSIONID_BYTES - 1]);	\
835 }
836 
837 /*
838  * Creates a cache entry. Sets the sid->cached flag
839  * and sid->time fields. So, the caller should not set them.
840  */
841 static void
842 kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
843 {
844 	uint_t index;
845 	uchar_t *s = sid->session_id;
846 	kmutex_t *lock;
847 
848 	ASSERT(sid->cached == B_FALSE);
849 
850 	/* set the values before creating the cache entry */
851 	sid->cached = B_TRUE;
852 	sid->time = ddi_get_lbolt();
853 
854 	SET_HASH_INDEX(index, s, &sid->client_addr);
855 	index %= kssl_entry->sid_cache_nentries;
856 
857 	lock = &(kssl_entry->sid_cache[index].se_lock);
858 	mutex_enter(lock);
859 	kssl_entry->sid_cache[index].se_used++;
860 	bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid));
861 	mutex_exit(lock);
862 
863 	KSSL_COUNTER(sid_cached, 1);
864 }
865 
866 /*
867  * Invalidates the cache entry, if any. Clears the sid->cached flag
868  * as a side effect.
869  */
870 void
871 kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
872 {
873 	uint_t index;
874 	uchar_t *s = sid->session_id;
875 	sslSessionID *csid;
876 	kmutex_t *lock;
877 
878 	ASSERT(sid->cached == B_TRUE);
879 	sid->cached = B_FALSE;
880 
881 	SET_HASH_INDEX(index, s, &sid->client_addr);
882 	index %= kssl_entry->sid_cache_nentries;
883 
884 	lock = &(kssl_entry->sid_cache[index].se_lock);
885 	mutex_enter(lock);
886 	csid = &(kssl_entry->sid_cache[index].se_sid);
887 	if (!(IN6_ARE_ADDR_EQUAL(&csid->client_addr, &sid->client_addr)) ||
888 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
889 		mutex_exit(lock);
890 		return;
891 	}
892 	csid->cached = B_FALSE;
893 	mutex_exit(lock);
894 
895 	KSSL_COUNTER(sid_uncached, 1);
896 }
897 
898 static void
899 kssl_lookup_sid(sslSessionID *sid, uchar_t *s, in6_addr_t *faddr,
900     kssl_entry_t *kssl_entry)
901 {
902 	uint_t index;
903 	kmutex_t *lock;
904 	sslSessionID *csid;
905 
906 	KSSL_COUNTER(sid_cache_lookups, 1);
907 
908 	SET_HASH_INDEX(index, s, faddr);
909 	index %= kssl_entry->sid_cache_nentries;
910 
911 	lock = &(kssl_entry->sid_cache[index].se_lock);
912 	mutex_enter(lock);
913 	csid = &(kssl_entry->sid_cache[index].se_sid);
914 	if (csid->cached == B_FALSE ||
915 	    !IN6_ARE_ADDR_EQUAL(&csid->client_addr, faddr) ||
916 	    bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
917 		mutex_exit(lock);
918 		return;
919 	}
920 
921 	if (TICK_TO_SEC(ddi_get_lbolt() - csid->time) >
922 	    kssl_entry->sid_cache_timeout) {
923 		csid->cached = B_FALSE;
924 		mutex_exit(lock);
925 		return;
926 	}
927 
928 	bcopy(csid, sid, sizeof (*sid));
929 	mutex_exit(lock);
930 	ASSERT(sid->cached == B_TRUE);
931 
932 	KSSL_COUNTER(sid_cache_hits, 1);
933 }
934 
935 static uchar_t *
936 kssl_rsa_unwrap(uchar_t *buf, size_t *lenp)
937 {
938 	size_t len = *lenp;
939 	int i = 2;
940 
941 	if (buf[0] != 0 || buf[1] != 2) {
942 		return (NULL);
943 	}
944 
945 	while (i < len) {
946 		if (buf[i++] == 0) {
947 			*lenp = len - i;
948 			break;
949 		}
950 	}
951 
952 	if (i == len) {
953 		return (NULL);
954 	}
955 
956 	return (buf + i);
957 }
958 
959 
960 #define	KSSL_SSL3_SH_RECLEN	(74)
961 #define	KSSL_SSL3_FIN_MSGLEN	(36)
962 #define	KSSL_EMPTY_RENEG_INFO_LEN	(7)
963 
964 #define	KSSL_SSL3_MAX_CCP_FIN_MSGLEN	(128)	/* comfortable upper bound */
965 
966 /*
967  * Send ServerHello record to the client.
968  */
969 static int
970 kssl_send_server_hello(ssl_t *ssl)
971 {
972 	mblk_t *mp;
973 	uchar_t *buf;
974 	uchar_t *msgstart;
975 	uint16_t reclen = KSSL_SSL3_SH_RECLEN;
976 
977 	mp = allocb(ssl->tcp_mss, BPRI_HI);
978 	if (mp == NULL) {
979 		KSSL_COUNTER(alloc_fails, 1);
980 		return (ENOMEM);
981 	}
982 	ssl->handshake_sendbuf = mp;
983 	buf = mp->b_wptr;
984 
985 	if (ssl->secure_renegotiation)
986 		reclen += KSSL_EMPTY_RENEG_INFO_LEN;
987 
988 	/* 5 byte record header */
989 	buf[0] = content_handshake;
990 	buf[1] = ssl->major_version;
991 	buf[2] = ssl->minor_version;
992 	buf[3] = reclen >> 8;
993 	buf[4] = reclen & 0xff;
994 	buf += SSL3_HDR_LEN;
995 
996 	msgstart = buf;
997 
998 	/* 6 byte message header */
999 	buf[0] = (uchar_t)server_hello;			/* message type */
1000 	buf[1] = 0;					/* message len byte 0 */
1001 	buf[2] = ((reclen - 4) >> 8) &
1002 	    0xff;					/* message len byte 1 */
1003 	buf[3] = (reclen - 4) & 0xff;	/* message len byte 2 */
1004 
1005 	buf[4] = ssl->major_version;	/* version byte 0 */
1006 	buf[5] = ssl->minor_version;	/* version byte 1 */
1007 
1008 	buf += 6;
1009 
1010 	kssl_get_hello_random(ssl->server_random);
1011 	bcopy(ssl->server_random, buf, SSL3_RANDOM_LENGTH);
1012 	buf += SSL3_RANDOM_LENGTH;
1013 
1014 	buf[0] = SSL3_SESSIONID_BYTES;
1015 	bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES);
1016 	buf += SSL3_SESSIONID_BYTES + 1;
1017 
1018 	buf[0] = (ssl->pending_cipher_suite >> 8) & 0xff;
1019 	buf[1] = ssl->pending_cipher_suite & 0xff;
1020 
1021 	buf[2] = 0;	/* No compression */
1022 	buf += 3;
1023 
1024 	/*
1025 	 * Add "renegotiation_info" extension if the ClientHello message
1026 	 * contained either SCSV value in cipher suite list or
1027 	 * "renegotiation_info" extension. This is per RFC 5746, section 3.6.
1028 	 */
1029 	if (ssl->secure_renegotiation) {
1030 		/* Extensions length */
1031 		buf[0] = 0x00;
1032 		buf[1] = 0x05;
1033 		/* empty renegotiation_info extension encoding (section 3.2) */
1034 		buf[2] = 0xff;
1035 		buf[3] = 0x01;
1036 		buf[4] = 0x00;
1037 		buf[5] = 0x01;
1038 		buf[6] = 0x00;
1039 		buf += KSSL_EMPTY_RENEG_INFO_LEN;
1040 	}
1041 
1042 	mp->b_wptr = buf;
1043 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
1044 
1045 	kssl_update_handshake_hashes(ssl, msgstart, reclen);
1046 	return (0);
1047 }
1048 
1049 static void
1050 kssl_get_hello_random(uchar_t *buf)
1051 {
1052 	timestruc_t ts;
1053 	time_t sec;
1054 
1055 	gethrestime(&ts);
1056 	sec = ts.tv_sec;
1057 
1058 	buf[0] = (sec >> 24) & 0xff;
1059 	buf[1] = (sec >> 16) & 0xff;
1060 	buf[2] = (sec >> 8) & 0xff;
1061 	buf[3] = (sec) & 0xff;
1062 
1063 	(void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4);
1064 
1065 	/* Should this be caching? */
1066 }
1067 
1068 static int
1069 kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key,
1070 	size_t hashlen,
1071 	uchar_t *label, size_t label_len,
1072 	uchar_t *seed, size_t seedlen,
1073 	uchar_t *data, size_t datalen)
1074 {
1075 	int rv = 0;
1076 	uchar_t A1[MAX_HASH_LEN], result[MAX_HASH_LEN];
1077 	int bytes_left = (int)datalen;
1078 	crypto_data_t dd, mac;
1079 	crypto_context_t ctx;
1080 
1081 	dd.cd_format = CRYPTO_DATA_RAW;
1082 	dd.cd_offset = 0;
1083 	mac.cd_format = CRYPTO_DATA_RAW;
1084 	mac.cd_offset = 0;
1085 
1086 	/*
1087 	 * A(i) = HMAC_hash(secret, seed + A(i-1));
1088 	 * A(0) = seed;
1089 	 *
1090 	 * Compute A(1):
1091 	 * A(1) = HMAC_hash(secret, label + seed)
1092 	 *
1093 	 */
1094 	HMAC_INIT(mech, key, &ctx);
1095 	HMAC_UPDATE(ctx, label, label_len);
1096 	HMAC_UPDATE(ctx, seed, seedlen);
1097 	HMAC_FINAL(ctx, A1, hashlen);
1098 
1099 	/* Compute A(2) ... A(n) */
1100 	while (bytes_left > 0) {
1101 		HMAC_INIT(mech, key, &ctx);
1102 		HMAC_UPDATE(ctx, A1, hashlen);
1103 		HMAC_UPDATE(ctx, label, label_len);
1104 		HMAC_UPDATE(ctx, seed, seedlen);
1105 		HMAC_FINAL(ctx, result, hashlen);
1106 
1107 		/*
1108 		 * The A(i) value is stored in "result".
1109 		 * Save the results of the MAC so it can be input to next
1110 		 * iteration.
1111 		 */
1112 		if (bytes_left > hashlen) {
1113 			/* Store the chunk result */
1114 			bcopy(result, data, hashlen);
1115 			data += hashlen;
1116 
1117 			bytes_left -= hashlen;
1118 
1119 			/* Update A1 for next iteration */
1120 			HMAC_INIT(mech, key, &ctx);
1121 			HMAC_UPDATE(ctx, A1, hashlen);
1122 			HMAC_FINAL(ctx, A1, hashlen);
1123 
1124 		} else {
1125 			bcopy(result, data, bytes_left);
1126 			data += bytes_left;
1127 			bytes_left = 0;
1128 		}
1129 	}
1130 end:
1131 	if (CRYPTO_ERR(rv)) {
1132 		DTRACE_PROBE1(kssl_err__crypto_mac_error, int, rv);
1133 		KSSL_COUNTER(compute_mac_failure, 1);
1134 	}
1135 	return (rv);
1136 }
1137 
1138 /* ARGSUSED */
1139 static int
1140 kssl_tls_PRF(ssl_t *ssl,
1141 	uchar_t *secret, size_t secret_len,
1142 	uchar_t *label, size_t label_len,
1143 	uchar_t *seed, size_t seed_len,
1144 	uchar_t *prfresult, size_t prfresult_len)
1145 {
1146 	/*
1147 	 * RFC 2246:
1148 	 *  PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
1149 	 *				P_SHA1(S2, label + seed);
1150 	 * S1 = 1st half of secret.
1151 	 * S1 = 2nd half of secret.
1152 	 *
1153 	 */
1154 
1155 	int rv, i;
1156 	uchar_t psha1[MAX_KEYBLOCK_LENGTH];
1157 	crypto_key_t S1, S2;
1158 
1159 	/* length of secret keys is ceil(length/2) */
1160 	size_t slen = roundup(secret_len, 2) / 2;
1161 
1162 	if (prfresult_len >  MAX_KEYBLOCK_LENGTH) {
1163 		DTRACE_PROBE1(kssl_err__unexpected_keyblock_size,
1164 		    size_t, prfresult_len);
1165 		return (CRYPTO_ARGUMENTS_BAD);
1166 	}
1167 
1168 	ASSERT(prfresult != NULL);
1169 	ASSERT(label != NULL);
1170 	ASSERT(seed != NULL);
1171 
1172 	S1.ck_data   = secret;
1173 	S1.ck_length = slen * 8; /* bits */
1174 	S1.ck_format = CRYPTO_KEY_RAW;
1175 
1176 	S2.ck_data   = secret + slen;
1177 	S2.ck_length = slen * 8; /* bits */
1178 	S2.ck_format = CRYPTO_KEY_RAW;
1179 
1180 	rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN,
1181 	    label, label_len,
1182 	    seed, seed_len,
1183 	    prfresult, prfresult_len);
1184 	if (CRYPTO_ERR(rv))
1185 		goto end;
1186 
1187 	rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN,
1188 	    label, label_len,
1189 	    seed, seed_len,
1190 	    psha1, prfresult_len);
1191 	if (CRYPTO_ERR(rv))
1192 		goto end;
1193 
1194 	for (i = 0; i < prfresult_len; i++)
1195 		prfresult[i] ^= psha1[i];
1196 
1197 end:
1198 	if (CRYPTO_ERR(rv))
1199 		bzero(prfresult, prfresult_len);
1200 
1201 	return (rv);
1202 }
1203 
1204 #define	IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)			\
1205 	(pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN ||		\
1206 	pms[0] != ssl->major_version || pms[1] != ssl->minor_version)
1207 
1208 #define	FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) {			\
1209 		KSSL_COUNTER(bad_pre_master_secret, 1);			\
1210 		pms = buf;						\
1211 		pmslen = SSL3_PRE_MASTER_SECRET_LEN;			\
1212 		pms[0] = ssl->major_version;				\
1213 		pms[1] = ssl->minor_version;				\
1214 		(void) random_get_pseudo_bytes(&buf[2], pmslen - 2);	\
1215 }
1216 
1217 static int
1218 kssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1219 {
1220 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1221 	uchar_t seed[SSL3_RANDOM_LENGTH * 2];
1222 
1223 	/*
1224 	 * Computing the master secret:
1225 	 * ----------------------------
1226 	 * master_secret = PRF (pms, "master secret",
1227 	 *		ClientHello.random + ServerHello.random);
1228 	 */
1229 	bcopy(ssl->client_random, seed, SSL3_RANDOM_LENGTH);
1230 	bcopy(ssl->server_random, seed + SSL3_RANDOM_LENGTH,
1231 	    SSL3_RANDOM_LENGTH);
1232 
1233 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1234 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1235 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
1236 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1237 	}
1238 
1239 	return (kssl_tls_PRF(ssl,
1240 	    pms, pmslen,
1241 	    (uchar_t *)TLS_MASTER_SECRET_LABEL,
1242 	    (size_t)strlen(TLS_MASTER_SECRET_LABEL),
1243 	    seed, sizeof (seed),
1244 	    ssl->sid.master_secret,
1245 	    (size_t)sizeof (ssl->sid.master_secret)));
1246 }
1247 
1248 
1249 static void
1250 kssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
1251 {
1252 	uchar_t buf[SSL3_PRE_MASTER_SECRET_LEN];
1253 	uchar_t *ms;
1254 	int hlen = MD5_HASH_LEN;
1255 
1256 	ms = ssl->sid.master_secret;
1257 
1258 	/* if pms is bad fake it to thwart Bleichenbacher attack */
1259 	if (IS_BAD_PRE_MASTER_SECRET(pms, pmslen, ssl)) {
1260 		DTRACE_PROBE(kssl_err__under_Bleichenbacher_attack);
1261 		FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf);
1262 	}
1263 
1264 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0);
1265 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0);
1266 	kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen,
1267 	    0);
1268 }
1269 
1270 static int
1271 kssl_generate_tls_keyblock(ssl_t *ssl)
1272 {
1273 	uchar_t seed[2 * SSL3_RANDOM_LENGTH];
1274 
1275 	bcopy(ssl->server_random, seed, SSL3_RANDOM_LENGTH);
1276 	bcopy(ssl->client_random, seed + SSL3_RANDOM_LENGTH,
1277 	    SSL3_RANDOM_LENGTH);
1278 
1279 	return (kssl_tls_PRF(ssl, ssl->sid.master_secret,
1280 	    (size_t)SSL3_MASTER_SECRET_LEN,
1281 	    (uchar_t *)TLS_KEY_EXPANSION_LABEL,
1282 	    (size_t)strlen(TLS_KEY_EXPANSION_LABEL),
1283 	    seed, (size_t)sizeof (seed),
1284 	    ssl->pending_keyblock,
1285 	    (size_t)ssl->pending_keyblksz));
1286 
1287 }
1288 
1289 static void
1290 kssl_generate_keyblock(ssl_t *ssl)
1291 {
1292 	uchar_t *ms;
1293 	size_t mslen = SSL3_MASTER_SECRET_LEN;
1294 	int hlen = MD5_HASH_LEN;
1295 	uchar_t *keys = ssl->pending_keyblock;
1296 	int steps = howmany(ssl->pending_keyblksz, hlen);
1297 	int i;
1298 
1299 	ms = ssl->sid.master_secret;
1300 
1301 	ASSERT(hlen * steps <= MAX_KEYBLOCK_LENGTH);
1302 
1303 	for (i = 1; i <= steps; i++) {
1304 		kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1);
1305 		keys += hlen;
1306 	}
1307 }
1308 
1309 static char *ssl3_key_derive_seeds[9] = {"A", "BB", "CCC", "DDDD", "EEEEE",
1310 	"FFFFFF", "GGGGGGG", "HHHHHHHH", "IIIIIIIII"};
1311 
1312 static void
1313 kssl_ssl3_key_material_derive_step(
1314 	ssl_t *ssl,
1315 	uchar_t *secret,
1316 	size_t secretlen,
1317 	int step,
1318 	uchar_t *dst,
1319 	int sr_first)
1320 {
1321 	SHA1_CTX sha1, *sha1ctx;
1322 	MD5_CTX md5, *md5ctx;
1323 	uchar_t sha1_hash[SHA1_HASH_LEN];
1324 
1325 	sha1ctx = &sha1;
1326 	md5ctx = &md5;
1327 
1328 	ASSERT(step <=
1329 	    sizeof (ssl3_key_derive_seeds) /
1330 	    sizeof (ssl3_key_derive_seeds[0]));
1331 	step--;
1332 
1333 	SHA1Init(sha1ctx);
1334 	SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step],
1335 	    step + 1);
1336 	SHA1Update(sha1ctx, secret, secretlen);
1337 	if (sr_first) {
1338 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1339 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1340 	} else {
1341 		SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
1342 		SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
1343 	}
1344 	SHA1Final(sha1_hash, sha1ctx);
1345 
1346 	MD5Init(md5ctx);
1347 	MD5Update(md5ctx, secret, secretlen);
1348 	MD5Update(md5ctx, sha1_hash, SHA1_HASH_LEN);
1349 	MD5Final(dst, md5ctx);
1350 }
1351 
1352 static int
1353 kssl_send_certificate_and_server_hello_done(ssl_t *ssl)
1354 {
1355 	int cur_reclen;
1356 	int mss;
1357 	int len, copylen;
1358 	mblk_t *mp;
1359 	uchar_t *cert_buf;
1360 	int cert_len;
1361 	uchar_t *msgbuf;
1362 	Certificate_t *cert;
1363 	uint16_t reclen = KSSL_SSL3_SH_RECLEN;
1364 
1365 	cert = ssl->kssl_entry->ke_server_certificate;
1366 	if (cert == NULL) {
1367 		return (ENOENT);
1368 	}
1369 	cert_buf = cert->msg;
1370 	cert_len = cert->len;
1371 
1372 	if (ssl->secure_renegotiation)
1373 		reclen += KSSL_EMPTY_RENEG_INFO_LEN;
1374 
1375 	mp = ssl->handshake_sendbuf;
1376 	mss = ssl->tcp_mss;
1377 	ASSERT(mp != NULL);
1378 	cur_reclen = mp->b_wptr - mp->b_rptr - SSL3_HDR_LEN;
1379 	ASSERT(cur_reclen == reclen);
1380 	/* Assume MSS is at least 80 bytes */
1381 	ASSERT(mss > cur_reclen + SSL3_HDR_LEN);
1382 	ASSERT(cur_reclen < SSL3_MAX_RECORD_LENGTH); /* XXX */
1383 
1384 	copylen = mss - (cur_reclen + SSL3_HDR_LEN);
1385 	len = cert_len;
1386 	copylen = MIN(copylen, len);
1387 	copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1388 
1389 	/* new record always starts in a new mblk for simplicity */
1390 	msgbuf = cert_buf;
1391 	for (;;) {
1392 		ASSERT(mp->b_wptr + copylen <= mp->b_datap->db_lim);
1393 		bcopy(msgbuf, mp->b_wptr, copylen);
1394 		msgbuf += copylen;
1395 		mp->b_wptr += copylen;
1396 		cur_reclen += copylen;
1397 		len -= copylen;
1398 		if (len == 0) {
1399 			break;
1400 		}
1401 		if (cur_reclen == SSL3_MAX_RECORD_LENGTH) {
1402 			cur_reclen = 0;
1403 		}
1404 		copylen = MIN(len, mss);
1405 		copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
1406 		mp->b_cont = allocb(copylen, BPRI_HI);
1407 		if (mp->b_cont == NULL) {
1408 			KSSL_COUNTER(alloc_fails, 1);
1409 			freemsg(ssl->handshake_sendbuf);
1410 			ssl->handshake_sendbuf = NULL;
1411 			return (ENOMEM);
1412 		}
1413 		mp = mp->b_cont;
1414 		if (cur_reclen == 0) {
1415 			mp->b_wptr[0] = content_handshake;
1416 			mp->b_wptr[1] = ssl->major_version;
1417 			mp->b_wptr[2] = ssl->minor_version;
1418 			cur_reclen = MIN(len, reclen);
1419 			mp->b_wptr[3] = (cur_reclen >> 8) & 0xff;
1420 			mp->b_wptr[4] = (cur_reclen) & 0xff;
1421 			mp->b_wptr += SSL3_HDR_LEN;
1422 			cur_reclen = 0;
1423 			copylen = MIN(copylen, mss - SSL3_HDR_LEN);
1424 		}
1425 	}
1426 
1427 	/* adjust the record length field for the first record */
1428 	mp = ssl->handshake_sendbuf;
1429 	cur_reclen = MIN(reclen + cert_len, SSL3_MAX_RECORD_LENGTH);
1430 	mp->b_rptr[3] = (cur_reclen >> 8) & 0xff;
1431 	mp->b_rptr[4] = (cur_reclen) & 0xff;
1432 
1433 	kssl_update_handshake_hashes(ssl, cert_buf, cert_len);
1434 
1435 	return (0);
1436 }
1437 
1438 static int
1439 kssl_send_change_cipher_specs(ssl_t *ssl)
1440 {
1441 	mblk_t *mp, *newmp;
1442 	uchar_t *buf;
1443 
1444 	mp = ssl->handshake_sendbuf;
1445 
1446 	/* We're most likely to hit the fast path for resumed sessions */
1447 	if ((mp != NULL) &&
1448 	    (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) {
1449 		buf = mp->b_wptr;
1450 	} else {
1451 		newmp = allocb(KSSL_SSL3_MAX_CCP_FIN_MSGLEN, BPRI_HI);
1452 
1453 		if (newmp == NULL)
1454 			return (ENOMEM);	/* need to do better job! */
1455 
1456 		if (mp == NULL) {
1457 			ssl->handshake_sendbuf = newmp;
1458 		} else {
1459 			linkb(ssl->handshake_sendbuf, newmp);
1460 		}
1461 		mp = newmp;
1462 		buf = mp->b_rptr;
1463 	}
1464 
1465 	/* 5 byte record header */
1466 	buf[0] = content_change_cipher_spec;
1467 	buf[1] = ssl->major_version;
1468 	buf[2] = ssl->minor_version;
1469 	buf[3] = 0;
1470 	buf[4] = 1;
1471 	buf += SSL3_HDR_LEN;
1472 
1473 	buf[0] = 1;
1474 
1475 	mp->b_wptr = buf + 1;
1476 	ASSERT(mp->b_wptr < mp->b_datap->db_lim);
1477 
1478 	ssl->seq_num[KSSL_WRITE] = 0;
1479 	return (kssl_spec_init(ssl, KSSL_WRITE));
1480 }
1481 
1482 int
1483 kssl_spec_init(ssl_t *ssl, int dir)
1484 {
1485 	KSSL_HASHCTX *ctx;
1486 	KSSLCipherSpec *spec = &ssl->spec[dir];
1487 	int ret = 0;
1488 
1489 	spec->mac_hashsz = mac_defs[ssl->pending_malg].hashsz;
1490 	spec->mac_padsz = mac_defs[ssl->pending_malg].padsz;
1491 
1492 	spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit;
1493 	spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate;
1494 	spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal;
1495 
1496 	if (dir == KSSL_READ) {
1497 		bcopy(ssl->pending_keyblock, ssl->mac_secret[dir],
1498 		    spec->mac_hashsz);
1499 	} else {
1500 		bcopy(&(ssl->pending_keyblock[spec->mac_hashsz]),
1501 		    ssl->mac_secret[dir], spec->mac_hashsz);
1502 	}
1503 
1504 	/* Pre-compute these here. will save cycles on each record later */
1505 	if (!IS_TLS(ssl)) {
1506 		ctx = &ssl->mac_ctx[dir][0];
1507 		spec->MAC_HashInit((void *)ctx);
1508 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1509 		    spec->mac_hashsz);
1510 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_1,
1511 		    spec->mac_padsz);
1512 
1513 		ctx = &ssl->mac_ctx[dir][1];
1514 		spec->MAC_HashInit((void *)ctx);
1515 		spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
1516 		    spec->mac_hashsz);
1517 		spec->MAC_HashUpdate((void *)ctx, kssl_pad_2,
1518 		    spec->mac_padsz);
1519 	}
1520 
1521 	spec->cipher_type = cipher_defs[ssl->pending_calg].type;
1522 	spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type;
1523 	spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize;
1524 	spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz;
1525 
1526 	if (spec->cipher_ctx != NULL) {
1527 		crypto_cancel_ctx(spec->cipher_ctx);
1528 		spec->cipher_ctx = 0;
1529 	}
1530 
1531 	/*
1532 	 * Initialize HMAC keys for TLS and SSL3 HMAC keys
1533 	 * for SSL 3.0.
1534 	 */
1535 	if (IS_TLS(ssl)) {
1536 		if (ssl->pending_malg == mac_md5) {
1537 			spec->hmac_mech = hmac_md5_mech;
1538 		} else if (ssl->pending_malg == mac_sha) {
1539 			spec->hmac_mech = hmac_sha1_mech;
1540 		}
1541 
1542 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1543 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1544 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1545 	} else {
1546 		static uint32_t param;
1547 
1548 		spec->hmac_mech.cm_type = CRYPTO_MECH_INVALID;
1549 		spec->hmac_mech.cm_param = (caddr_t)&param;
1550 		spec->hmac_mech.cm_param_len = sizeof (param);
1551 		if (ssl->pending_malg == mac_md5) {
1552 			spec->hmac_mech.cm_type =
1553 			    crypto_mech2id("CKM_SSL3_MD5_MAC");
1554 			param = MD5_HASH_LEN;
1555 		} else if (ssl->pending_malg == mac_sha) {
1556 			spec->hmac_mech.cm_type =
1557 			    crypto_mech2id("CKM_SSL3_SHA1_MAC");
1558 			param = SHA1_HASH_LEN;
1559 		}
1560 
1561 		spec->hmac_key.ck_format = CRYPTO_KEY_RAW;
1562 		spec->hmac_key.ck_data = ssl->mac_secret[dir];
1563 		spec->hmac_key.ck_length = spec->mac_hashsz * 8;
1564 	}
1565 
1566 	/* We're done if this is the nil cipher */
1567 	if (spec->cipher_keysz == 0) {
1568 		return (0);
1569 	}
1570 
1571 	/* Initialize the key and the active context */
1572 	spec->cipher_key.ck_format = CRYPTO_KEY_RAW;
1573 	spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */
1574 
1575 	if (cipher_defs[ssl->pending_calg].bsize > 0) {
1576 		/* client_write_IV */
1577 		spec->cipher_mech.cm_param =
1578 		    (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz +
1579 		    2 * spec->cipher_keysz]);
1580 		spec->cipher_mech.cm_param_len = spec->cipher_bsize;
1581 	}
1582 	spec->cipher_data.cd_format = CRYPTO_DATA_RAW;
1583 	if (dir == KSSL_READ) {
1584 		spec->cipher_mech.cm_param_len =
1585 		    cipher_defs[ssl->pending_calg].bsize;
1586 
1587 		/* client_write_key */
1588 		spec->cipher_key.ck_data =
1589 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz]);
1590 
1591 		ret = crypto_decrypt_init(&(spec->cipher_mech),
1592 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1593 		if (CRYPTO_ERR(ret)) {
1594 			DTRACE_PROBE1(kssl_err__crypto_decrypt_init_read,
1595 			    int, ret);
1596 		}
1597 	} else {
1598 		if (cipher_defs[ssl->pending_calg].bsize > 0) {
1599 			/* server_write_IV */
1600 			spec->cipher_mech.cm_param += spec->cipher_bsize;
1601 		}
1602 
1603 		/* server_write_key */
1604 		spec->cipher_key.ck_data =
1605 		    &(ssl->pending_keyblock[2 * spec->mac_hashsz +
1606 		    spec->cipher_keysz]);
1607 
1608 		ret = crypto_encrypt_init(&(spec->cipher_mech),
1609 		    &(spec->cipher_key), NULL, &spec->cipher_ctx, NULL);
1610 		if (CRYPTO_ERR(ret))
1611 			DTRACE_PROBE1(kssl_err__crypto_encrypt_init_non_read,
1612 			    int, ret);
1613 	}
1614 	return (ret);
1615 }
1616 
1617 static int
1618 kssl_send_finished(ssl_t *ssl, int update_hsh)
1619 {
1620 	mblk_t *mp;
1621 	uchar_t *buf;
1622 	uchar_t *rstart;
1623 	uchar_t *versionp;
1624 	SSL3Hashes ssl3hashes;
1625 	uchar_t finish_len;
1626 	int ret;
1627 	uint16_t adj_len = 0;
1628 
1629 	mp = ssl->handshake_sendbuf;
1630 	ASSERT(mp != NULL);
1631 	buf = mp->b_wptr;
1632 	if (ssl->secure_renegotiation)
1633 		adj_len = KSSL_EMPTY_RENEG_INFO_LEN;
1634 	/*
1635 	 * It should be either a message with Server Hello record or just plain
1636 	 * SSL header (data packet).
1637 	 */
1638 	ASSERT(buf - mp->b_rptr ==
1639 	    SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN + SSL3_HDR_LEN + 1 + adj_len ||
1640 	    buf - mp->b_rptr == SSL3_HDR_LEN + 1);
1641 
1642 	rstart = buf;
1643 
1644 	if (IS_TLS(ssl))
1645 		finish_len = TLS_FINISHED_SIZE;
1646 	else
1647 		finish_len = KSSL_SSL3_FIN_MSGLEN;
1648 
1649 	/* 5 byte record header */
1650 	buf[0] = content_handshake;
1651 	buf[1] = ssl->major_version;
1652 	buf[2] = ssl->minor_version;
1653 	buf[3] = 0;
1654 	buf[4] = 4 + finish_len;
1655 
1656 	versionp = &buf[1];
1657 
1658 	buf += SSL3_HDR_LEN;
1659 
1660 	/* 4 byte message header */
1661 	buf[0] = (uchar_t)finished;	/* message type */
1662 	buf[1] = 0;			/* message len byte 0 */
1663 	buf[2] = 0;			/* message len byte 1 */
1664 	buf[3] = finish_len;	/* message len byte 2 */
1665 	buf += 4;
1666 
1667 	if (IS_TLS(ssl)) {
1668 		bcopy(ssl->hs_hashes.md5, ssl3hashes.md5,
1669 		    sizeof (ssl3hashes.md5));
1670 		bcopy(ssl->hs_hashes.sha1, ssl3hashes.sha1,
1671 		    sizeof (ssl3hashes.sha1));
1672 	}
1673 
1674 	/* Compute hashes for the SENDER side */
1675 	ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server);
1676 	if (ret != 0)
1677 		return (ret);
1678 
1679 	if (IS_TLS(ssl)) {
1680 		bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash));
1681 	} else {
1682 		bcopy(ssl3hashes.md5, buf, MD5_HASH_LEN);
1683 		bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN);
1684 	}
1685 
1686 	if (update_hsh) {
1687 		kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4);
1688 	}
1689 
1690 	mp->b_wptr = buf + finish_len;
1691 
1692 	ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp,
1693 	    rstart, mp);
1694 	ASSERT(mp->b_wptr <= mp->b_datap->db_lim);
1695 
1696 	return (ret);
1697 }
1698 
1699 int
1700 kssl_mac_encrypt_record(ssl_t *ssl,
1701 	SSL3ContentType ct,
1702 	uchar_t *versionp,
1703 	uchar_t *rstart,
1704 	mblk_t *mp)
1705 {
1706 	KSSLCipherSpec *spec;
1707 	int mac_sz;
1708 	int ret = 0;
1709 	uint16_t rec_sz;
1710 	int pad_sz;
1711 	int i;
1712 
1713 	ASSERT(ssl != NULL);
1714 	ASSERT(rstart >= mp->b_rptr);
1715 	ASSERT(rstart < mp->b_wptr);
1716 
1717 	spec = &ssl->spec[KSSL_WRITE];
1718 	mac_sz = spec->mac_hashsz;
1719 
1720 	rec_sz = (mp->b_wptr - rstart) - SSL3_HDR_LEN;
1721 	ASSERT(rec_sz > 0);
1722 
1723 	if (mac_sz != 0) {
1724 		ASSERT(mp->b_wptr + mac_sz <= mp->b_datap->db_lim);
1725 		ret = kssl_compute_record_mac(ssl, KSSL_WRITE,
1726 		    ssl->seq_num[KSSL_WRITE], ct, versionp,
1727 		    rstart + SSL3_HDR_LEN, rec_sz, mp->b_wptr);
1728 		if (ret == CRYPTO_SUCCESS) {
1729 			ssl->seq_num[KSSL_WRITE]++;
1730 			mp->b_wptr += mac_sz;
1731 			rec_sz += mac_sz;
1732 		} else {
1733 			return (ret);
1734 		}
1735 	}
1736 
1737 	if (spec->cipher_type == type_block) {
1738 		pad_sz = spec->cipher_bsize -
1739 		    (rec_sz & (spec->cipher_bsize - 1));
1740 		ASSERT(mp->b_wptr + pad_sz <= mp->b_datap->db_lim);
1741 		for (i = 0; i < pad_sz; i++) {
1742 			mp->b_wptr[i] = pad_sz - 1;
1743 		}
1744 		mp->b_wptr += pad_sz;
1745 		rec_sz += pad_sz;
1746 	}
1747 
1748 	ASSERT(rec_sz <= SSL3_MAX_RECORD_LENGTH);
1749 
1750 	U16_TO_BE16(rec_sz, rstart + 3);
1751 
1752 	if (spec->cipher_ctx == 0)
1753 		return (ret);
1754 
1755 	spec->cipher_data.cd_length = rec_sz;
1756 	spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN);
1757 	spec->cipher_data.cd_raw.iov_len = rec_sz;
1758 	/* One record at a time. Otherwise, gotta allocate the crypt_data_t */
1759 	ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data,
1760 	    NULL, NULL);
1761 	if (CRYPTO_ERR(ret)) {
1762 		DTRACE_PROBE1(kssl_err__crypto_encrypt_update,
1763 		    int, ret);
1764 	}
1765 	return (ret);
1766 }
1767 
1768 /*
1769  * Produce SSL alert message (SSLv3/TLS) or error message (SSLv2). For SSLv2
1770  * it is only done to tear down the SSL connection so it has fixed encoding.
1771  */
1772 void
1773 kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc)
1774 {
1775 	mblk_t *mp;
1776 	uchar_t *buf;
1777 	KSSLCipherSpec *spec;
1778 	size_t len;
1779 
1780 	ASSERT(ssl != NULL);
1781 
1782 	ssl->sendalert_level = level;
1783 	ssl->sendalert_desc = desc;
1784 
1785 	if (level == alert_fatal) {
1786 		DTRACE_PROBE2(kssl_sending_alert,
1787 		    SSL3AlertLevel, level, SSL3AlertDescription, desc);
1788 		if (ssl->sid.cached == B_TRUE) {
1789 			kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
1790 		}
1791 		ssl->fatal_alert = B_TRUE;
1792 		KSSL_COUNTER(fatal_alerts, 1);
1793 	} else
1794 		KSSL_COUNTER(warning_alerts, 1);
1795 
1796 	spec = &ssl->spec[KSSL_WRITE];
1797 
1798 	ASSERT(ssl->alert_sendbuf == NULL);
1799 	if (ssl->major_version == 0x03)
1800 		len = 7;
1801 	else
1802 		len = 5;
1803 	ssl->alert_sendbuf = mp = allocb(len + spec->mac_hashsz +
1804 	    spec->cipher_bsize, BPRI_HI);
1805 	if (mp == NULL) {
1806 		KSSL_COUNTER(alloc_fails, 1);
1807 		return;
1808 	}
1809 	buf = mp->b_wptr;
1810 
1811 	/* SSLv3/TLS */
1812 	if (ssl->major_version == 0x03) {
1813 		/* 5 byte record header */
1814 		buf[0] = content_alert;
1815 		buf[1] = ssl->major_version;
1816 		buf[2] = ssl->minor_version;
1817 		buf[3] = 0;
1818 		buf[4] = 2;
1819 		buf += SSL3_HDR_LEN;
1820 
1821 		/* alert contents */
1822 		buf[0] = (uchar_t)level;
1823 		buf[1] = (uchar_t)desc;
1824 		buf += 2;
1825 	} else {
1826 	/* SSLv2 has different encoding. */
1827 		/* 2-byte encoding of the length */
1828 		buf[0] = 0x80;
1829 		buf[1] = 0x03;
1830 		buf += 2;
1831 
1832 		/* Protocol Message Code = Error */
1833 		buf[0] = 0;
1834 		/* Error Message Code = Undefined Error */
1835 		buf[1] = 0;
1836 		buf[2] = 0;
1837 		buf += 3;
1838 	}
1839 
1840 	mp->b_wptr = buf;
1841 }
1842 
1843 /* Assumes RSA encryption */
1844 static int
1845 kssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen,
1846     kssl_callback_t cbfn, void *arg)
1847 {
1848 	char *buf;
1849 	uchar_t *pms;
1850 	size_t pmslen;
1851 	int allocated;
1852 	int err, rverr = ENOMEM;
1853 	kssl_entry_t *ep;
1854 	crypto_key_t *privkey;
1855 	crypto_data_t *wrapped_pms_data, *pms_data;
1856 	crypto_call_req_t creq, *creqp;
1857 
1858 	ep = ssl->kssl_entry;
1859 	privkey = ep->ke_private_key;
1860 	if (privkey == NULL) {
1861 		return (ENOENT);
1862 	}
1863 
1864 	ASSERT(ssl->msg.type == client_key_exchange);
1865 	ASSERT(ssl->hs_waitstate == wait_client_key);
1866 
1867 	/*
1868 	 * TLS adds an extra 2 byte length field before the data.
1869 	 */
1870 	if (IS_TLS(ssl)) {
1871 		msglen = (mp->b_rptr[0] << 8) | mp->b_rptr[1];
1872 		mp->b_rptr += 2;
1873 	}
1874 
1875 	/*
1876 	 * Allocate all we need in one shot. about 300 bytes total, for
1877 	 * 1024 bit RSA modulus.
1878 	 * The buffer layout will be: pms_data, wrapped_pms_data, the
1879 	 * value of the wrapped pms from the client, then room for the
1880 	 * resulting decrypted premaster secret.
1881 	 */
1882 	allocated = 2 * (sizeof (crypto_data_t) + msglen);
1883 	buf = kmem_alloc(allocated, KM_NOSLEEP);
1884 	if (buf == NULL) {
1885 		return (ENOMEM);
1886 	}
1887 
1888 	pms_data = (crypto_data_t *)buf;
1889 	wrapped_pms_data = &(((crypto_data_t *)buf)[1]);
1890 
1891 	wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW;
1892 	wrapped_pms_data->cd_offset = pms_data->cd_offset = 0;
1893 	wrapped_pms_data->cd_length = pms_data->cd_length = msglen;
1894 	wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL;
1895 	wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen;
1896 	wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t);
1897 	pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen;
1898 
1899 	bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen);
1900 	mp->b_rptr += msglen;
1901 
1902 	/* Proceed synchronously if out of interrupt and configured to do so */
1903 	if ((kssl_synchronous) && (!servicing_interrupt())) {
1904 		creqp = NULL;
1905 	} else {
1906 		ssl->cke_callback_func = cbfn;
1907 		ssl->cke_callback_arg = arg;
1908 		creq.cr_flag = kssl_call_flag;
1909 		creq.cr_callback_func = kssl_cke_done;
1910 		creq.cr_callback_arg = ssl;
1911 
1912 		creqp = &creq;
1913 	}
1914 
1915 	if (ep->ke_is_nxkey) {
1916 		kssl_session_info_t *s;
1917 
1918 		s = ep->ke_sessinfo;
1919 		err = CRYPTO_SUCCESS;
1920 		if (!s->is_valid_handle) {
1921 			/* Reauthenticate to the provider */
1922 			if (s->do_reauth) {
1923 				err = kssl_get_obj_handle(ep);
1924 				if (err == CRYPTO_SUCCESS) {
1925 					s->is_valid_handle = B_TRUE;
1926 					s->do_reauth = B_FALSE;
1927 				}
1928 			} else
1929 				err = CRYPTO_FAILED;
1930 		}
1931 
1932 		if (err == CRYPTO_SUCCESS) {
1933 			ASSERT(s->is_valid_handle);
1934 			err = crypto_decrypt_prov(s->prov, s->sid,
1935 			    &rsa_x509_mech, wrapped_pms_data, &s->key,
1936 			    NULL, pms_data, creqp);
1937 		}
1938 
1939 		/*
1940 		 * Deal with session specific errors. We translate to
1941 		 * the closest errno.
1942 		 */
1943 		switch (err) {
1944 		case CRYPTO_KEY_HANDLE_INVALID:
1945 		case CRYPTO_SESSION_HANDLE_INVALID:
1946 			s->is_valid_handle = B_FALSE;
1947 			s->do_reauth = B_TRUE;
1948 			rverr = EINVAL;
1949 			break;
1950 		case CRYPTO_PIN_EXPIRED:
1951 		case CRYPTO_PIN_LOCKED:
1952 			rverr = EACCES;
1953 			break;
1954 		case CRYPTO_UNKNOWN_PROVIDER:
1955 			rverr = ENXIO;
1956 			break;
1957 		}
1958 	} else {
1959 		err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data,
1960 		    privkey, NULL, pms_data, creqp);
1961 	}
1962 
1963 	switch (err) {
1964 	case CRYPTO_SUCCESS:
1965 		break;
1966 
1967 	case CRYPTO_QUEUED:
1968 		/*
1969 		 * Finish the master secret then the rest of key material
1970 		 * derivation later.
1971 		 */
1972 		ssl->job.kjob = creq.cr_reqid;
1973 		ssl->job.buf = buf;
1974 		ssl->job.buflen = allocated;
1975 		ssl->hs_waitstate = wait_client_key_done;
1976 		return (0);
1977 	default:
1978 		DTRACE_PROBE1(kssl_err__crypto_decrypt, int, err);
1979 		kmem_free(buf, allocated);
1980 		return (rverr);
1981 	}
1982 
1983 	pmslen = pms_data->cd_length;
1984 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
1985 
1986 	/* generate master key and save it in the ssl sid structure */
1987 	if (IS_TLS(ssl)) {
1988 		err = kssl_generate_tls_ms(ssl, pms, pmslen);
1989 		if (!CRYPTO_ERR(err))
1990 			err = kssl_generate_tls_keyblock(ssl);
1991 	} else {
1992 		kssl_generate_ssl_ms(ssl, pms, pmslen);
1993 		kssl_generate_keyblock(ssl);
1994 	}
1995 
1996 	if (err == CRYPTO_SUCCESS)
1997 		ssl->hs_waitstate = wait_change_cipher;
1998 
1999 	ssl->activeinput = B_FALSE;
2000 
2001 	kmem_free(buf, allocated);
2002 
2003 	return (0);
2004 }
2005 
2006 static int
2007 kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen)
2008 {
2009 	int err;
2010 	size_t finish_len;
2011 	int hashcompare;
2012 
2013 	ASSERT(ssl->msg.type == finished);
2014 	ASSERT(ssl->hs_waitstate == wait_finished);
2015 
2016 	if (IS_TLS(ssl))
2017 		finish_len = TLS_FINISHED_SIZE;
2018 	else
2019 		finish_len = KSSL_SSL3_FIN_MSGLEN;
2020 
2021 	if (msglen != finish_len) {
2022 		kssl_send_alert(ssl, alert_fatal, illegal_parameter);
2023 		return (EBADMSG);
2024 	}
2025 
2026 	if (IS_TLS(ssl)) {
2027 		hashcompare = bcmp(mp->b_rptr, ssl->hs_hashes.tlshash,
2028 		    finish_len);
2029 	} else {
2030 		hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len);
2031 	}
2032 
2033 	/* The handshake hashes should be computed by now */
2034 	if (hashcompare != 0) {
2035 		kssl_send_alert(ssl, alert_fatal, handshake_failure);
2036 		return (EBADMSG);
2037 	}
2038 
2039 	mp->b_rptr += msglen;
2040 
2041 	ssl->hs_waitstate = idle_handshake;
2042 
2043 	if (ssl->resumed == B_TRUE) {
2044 		ssl->activeinput = B_FALSE;
2045 		return (0);
2046 	}
2047 
2048 	err = kssl_send_change_cipher_specs(ssl);
2049 	if (err != 0) {
2050 		return (err);
2051 	}
2052 	err = kssl_send_finished(ssl, 0);
2053 	if (err != 0) {
2054 		return (err);
2055 	}
2056 
2057 	kssl_cache_sid(&ssl->sid, ssl->kssl_entry);
2058 	ssl->activeinput = B_FALSE;
2059 
2060 	return (0);
2061 }
2062 
2063 #define	KSSL2_CH_MIN_RECSZ	(9)
2064 
2065 /*
2066  * This method is needed to handle clients which send the
2067  * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers.
2068  * We are not really doing SSLv2 here, just handling the header
2069  * and then switching to SSLv3.
2070  */
2071 int
2072 kssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz)
2073 {
2074 	uchar_t *recend;
2075 	int err;
2076 	SSL3AlertDescription desc = illegal_parameter;
2077 	uint_t randlen;
2078 	uint_t sidlen;
2079 	uint_t cslen;
2080 	uchar_t *suitesp;
2081 	uchar_t *rand;
2082 	uint_t i, j;
2083 	uint16_t suite, selected_suite;
2084 	int ch_recsz = KSSL2_CH_MIN_RECSZ;
2085 	boolean_t suite_found = B_FALSE;
2086 
2087 	ASSERT(mp->b_wptr >= mp->b_rptr + recsz);
2088 	ASSERT(ssl->hs_waitstate == wait_client_hello);
2089 	ASSERT(ssl->resumed == B_FALSE);
2090 
2091 	if (recsz < ch_recsz) {
2092 		DTRACE_PROBE2(kssl_err__reclen_less_than_minimum,
2093 		    int, recsz, int, ch_recsz);
2094 		goto falert;
2095 	}
2096 
2097 	MD5Init(&ssl->hs_md5);
2098 	SHA1Init(&ssl->hs_sha1);
2099 
2100 	kssl_update_handshake_hashes(ssl, mp->b_rptr, recsz);
2101 
2102 	recend = mp->b_rptr + recsz;
2103 
2104 	if (*mp->b_rptr != 1) {
2105 		DTRACE_PROBE1(kssl_err__invalid_version, uint_t, *mp->b_rptr);
2106 		goto falert;
2107 	}
2108 	mp->b_rptr += 3;
2109 
2110 	cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
2111 	sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3];
2112 	randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5];
2113 	if (cslen % 3 != 0) {
2114 		DTRACE_PROBE1(kssl_err__cipher_suites_len_error, uint_t, cslen);
2115 		goto falert;
2116 	}
2117 	if (randlen < SSL_MIN_CHALLENGE_BYTES ||
2118 	    randlen > SSL_MAX_CHALLENGE_BYTES) {
2119 		DTRACE_PROBE1(kssl_err__randlen_out_of_range,
2120 		    uint_t, randlen);
2121 		goto falert;
2122 	}
2123 	mp->b_rptr += 6;
2124 	ch_recsz += cslen + sidlen + randlen;
2125 	if (recsz != ch_recsz) {
2126 		DTRACE_PROBE2(kssl_err__invalid_message_len_sum,
2127 		    int, recsz, int, ch_recsz);
2128 		goto falert;
2129 	}
2130 	suitesp = mp->b_rptr;
2131 	rand = suitesp + cslen + sidlen;
2132 	if (randlen < SSL3_RANDOM_LENGTH) {
2133 		bzero(ssl->client_random, SSL3_RANDOM_LENGTH);
2134 	}
2135 	bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen],
2136 	    randlen);
2137 
2138 	for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
2139 		suite = ssl->kssl_entry->kssl_cipherSuites[i];
2140 		for (j = 0; j < cslen; j += 3) {
2141 			DTRACE_PROBE2(kssl_cipher_suite_check_v2,
2142 			    uint16_t, suite,
2143 			    uint16_t,
2144 			    (uint16_t)((suitesp[j+1] << 8) + suitesp[j+2]));
2145 			if (suitesp[j] != 0) {
2146 				continue;
2147 			}
2148 
2149 			/* Check for regular (true) cipher suite. */
2150 			if (suitesp[j + 1] == ((suite >> 8) & 0xff) &&
2151 			    suitesp[j + 2] == (suite & 0xff)) {
2152 				DTRACE_PROBE1(kssl_cipher_suite_found,
2153 				    uint16_t, suite);
2154 				suite_found = B_TRUE;
2155 				selected_suite = suite;
2156 			}
2157 
2158 			/* Check for SCSV. */
2159 			if (suitesp[j + 1] ==  ((SSL_SCSV >> 8) & 0xff) &&
2160 			    suitesp[j + 2] == (SSL_SCSV & 0xff)) {
2161 				DTRACE_PROBE(kssl_scsv_found);
2162 				ssl->secure_renegotiation = B_TRUE;
2163 			}
2164 			/*
2165 			 * If we got cipher suite match and SCSV or went
2166 			 * through the whole list of client cipher suites
2167 			 * (hence we know if SCSV was present or not) we
2168 			 * can terminate the cycle now.
2169 			 */
2170 			if (suite_found &&
2171 			    (ssl->secure_renegotiation || (i > 0)))
2172 				break;
2173 		}
2174 		if (suite_found)
2175 			break;
2176 	}
2177 	if (!suite_found) {
2178 		DTRACE_PROBE(kssl_err__no_SSLv2_cipher_suite);
2179 		ssl->activeinput = B_FALSE;
2180 		/*
2181 		 * If there is no fallback point terminate the handshake with
2182 		 * SSL alert otherwise return with SSL_MISS.
2183 		 */
2184 		if (ssl->kssl_entry->ke_fallback_head == NULL) {
2185 			DTRACE_PROBE(kssl_no_fallback);
2186 			desc = handshake_failure;
2187 			goto falert;
2188 		} else {
2189 			return (SSL_MISS);
2190 		}
2191 	}
2192 
2193 	mp->b_rptr = recend;
2194 
2195 	for (i = 0; i < cipher_suite_defs_nentries; i++) {
2196 		if (selected_suite == cipher_suite_defs[i].suite) {
2197 			break;
2198 		}
2199 	}
2200 
2201 	ASSERT(i < cipher_suite_defs_nentries);
2202 
2203 	ssl->pending_cipher_suite = selected_suite;
2204 	ssl->pending_malg = cipher_suite_defs[i].malg;
2205 	ssl->pending_calg = cipher_suite_defs[i].calg;
2206 	ssl->pending_keyblksz = cipher_suite_defs[i].keyblksz;
2207 
2208 	ASSERT(ssl->sid.cached == B_FALSE);
2209 
2210 	(void) random_get_pseudo_bytes(ssl->sid.session_id,
2211 	    SSL3_SESSIONID_BYTES);
2212 	ssl->sid.client_addr = ssl->faddr;
2213 	ssl->sid.cipher_suite = selected_suite;
2214 
2215 	err = kssl_send_server_hello(ssl);
2216 	if (err != 0) {
2217 		return (err);
2218 	}
2219 	err = kssl_send_certificate_and_server_hello_done(ssl);
2220 	if (err != 0) {
2221 		return (err);
2222 	}
2223 	KSSL_COUNTER(full_handshakes, 1);
2224 	ssl->hs_waitstate = wait_client_key;
2225 	ssl->activeinput = B_FALSE;
2226 	return (0);
2227 
2228 falert:
2229 	kssl_send_alert(ssl, alert_fatal, desc);
2230 	ssl->activeinput = B_FALSE;
2231 	return (EBADMSG);
2232 }
2233 
2234 /*
2235  * Call back routine for asynchronously submitted RSA decryption jobs.
2236  * This routine retrieves the pre-master secret, and proceeds to generate
2237  * the remaining key materials.
2238  */
2239 static void
2240 kssl_cke_done(void *arg, int status)
2241 {
2242 	int ret = 0;
2243 	uchar_t *pms;
2244 	size_t pmslen;
2245 	crypto_data_t *pms_data;
2246 	kssl_cmd_t kssl_cmd = KSSL_CMD_NONE;
2247 	ssl_t *ssl = (ssl_t *)arg;
2248 	mblk_t *alertmp;
2249 	kssl_callback_t cbfn;
2250 	void *cbarg;
2251 
2252 	mutex_enter(&ssl->kssl_lock);
2253 
2254 	ASSERT(ssl->msg.type == client_key_exchange);
2255 	ASSERT(ssl->hs_waitstate == wait_client_key_done);
2256 
2257 	if (status != CRYPTO_SUCCESS) {
2258 		kssl_send_alert(ssl, alert_fatal, decrypt_error);
2259 		kssl_cmd = KSSL_CMD_SEND;
2260 		goto out;
2261 	}
2262 
2263 	pms_data = (crypto_data_t *)(ssl->job.buf);
2264 
2265 	ASSERT(pms_data != NULL);
2266 
2267 	pmslen = pms_data->cd_length;
2268 	pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
2269 
2270 	/* generate master key and save it in the ssl sid structure */
2271 	if (IS_TLS(ssl)) {
2272 		ret = kssl_generate_tls_ms(ssl, pms, pmslen);
2273 		if (!CRYPTO_ERR(ret))
2274 			ret = kssl_generate_tls_keyblock(ssl);
2275 	} else {
2276 		kssl_generate_ssl_ms(ssl, pms, pmslen);
2277 		kssl_generate_keyblock(ssl);
2278 	}
2279 
2280 	if (ret == CRYPTO_SUCCESS)
2281 		ssl->hs_waitstate = wait_change_cipher;
2282 
2283 out:
2284 	kmem_free(ssl->job.buf, ssl->job.buflen);
2285 
2286 	ssl->job.kjob = 0;
2287 	ssl->job.buf = NULL;
2288 	ssl->job.buflen = 0;
2289 
2290 	ssl->activeinput = B_FALSE;
2291 
2292 	cbfn = ssl->cke_callback_func;
2293 	cbarg = ssl->cke_callback_arg;
2294 	alertmp = ssl->alert_sendbuf;
2295 	ssl->alert_sendbuf = NULL;
2296 
2297 	/* dropped by callback when it has completed */
2298 	ssl->async_ops_pending++;
2299 	mutex_exit(&ssl->kssl_lock);
2300 
2301 	/* Now call the callback routine */
2302 	(*(cbfn))(cbarg, alertmp, kssl_cmd);
2303 }
2304 
2305 /*
2306  * Returns the first complete contiguous record out of rec_ass_head
2307  * The record is returned in a separate contiguous mblk, rec_ass_head is
2308  * left pointing to the next record in the queue.
2309  *
2310  * The output looks as follows:
2311  *
2312  * |--------|---------- .... -----|<---------->|<----------->|--- ... ---|
2313  * ^        ^                     ^  mac_size     pad_size               ^
2314  * |        |___ b_rptr  b_wptr __|                                      |
2315  * |                                                                     |
2316  * |___ db_base                                                db_lim ___|
2317  */
2318 mblk_t *
2319 kssl_get_next_record(ssl_t *ssl)
2320 {
2321 	mblk_t *mp, *retmp;
2322 	int rhsz = SSL3_HDR_LEN;
2323 	uint16_t rec_sz;
2324 	int mpsz, total_size;
2325 	SSL3ContentType content_type;
2326 
2327 	ASSERT(MUTEX_HELD(&ssl->kssl_lock));
2328 
2329 	mp = ssl->rec_ass_head;
2330 	if (mp == NULL)
2331 		return (NULL);
2332 
2333 	/* Fast path: when mp has at least a complete record */
2334 	if (MBLKL(mp) < rhsz) {
2335 		DTRACE_PROBE1(kssl_mblk__incomplete_header,
2336 		    mblk_t *, mp);
2337 		/* Not even a complete header in there yet */
2338 		if (msgdsize(mp) < rhsz) {
2339 			return (NULL);
2340 		}
2341 
2342 		if (!pullupmsg(mp, rhsz)) {
2343 			kssl_send_alert(ssl, alert_fatal, internal_error);
2344 			freemsg(mp);
2345 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2346 			return (NULL);
2347 		}
2348 	}
2349 	content_type = (SSL3ContentType)mp->b_rptr[0];
2350 	if (content_type == content_handshake_v2) {
2351 		DTRACE_PROBE1(kssl_mblk__ssl_v2, mblk_t *, mp);
2352 		rec_sz = (uint16_t)mp->b_rptr[1];
2353 		rhsz = 2;
2354 	} else {
2355 		DTRACE_PROBE1(kssl_mblk__ssl_v3, mblk_t *, mp);
2356 		uint8_t *rec_sz_p = (uint8_t *)mp->b_rptr + 3;
2357 		rec_sz = BE16_TO_U16(rec_sz_p);
2358 	}
2359 
2360 	/*
2361 	 * same tests as above. Only rare very fragmented cases will
2362 	 * incur the cost of msgdsize() and msgpullup(). Well formed
2363 	 * packets will fall in the most frequent fast path.
2364 	 */
2365 	total_size = rhsz + rec_sz;
2366 
2367 	/*
2368 	 * Missing: defensive against record fabricated with longer than
2369 	 * MAX record length.
2370 	 */
2371 	if (MBLKL(mp) < total_size) {
2372 		DTRACE_PROBE2(kssl_mblk__smaller_than_total_size,
2373 		    mblk_t *, mp, int, total_size);
2374 		/* Not a complete record yet. Keep accumulating */
2375 		if (msgdsize(mp) < total_size) {
2376 			return (NULL);
2377 		}
2378 
2379 		if (!pullupmsg(mp, total_size)) {
2380 			kssl_send_alert(ssl, alert_fatal, internal_error);
2381 			freemsg(mp);
2382 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2383 			return (NULL);
2384 		}
2385 	}
2386 	mpsz = MBLKL(mp);	/* could've changed after the pullup */
2387 
2388 	if (mpsz > total_size) {
2389 		DTRACE_PROBE2(kssl_mblk__bigger_than_total_size,
2390 		    mblk_t *, mp, int, total_size);
2391 		/* gotta allocate a new block */
2392 		if ((retmp = dupb(mp)) == NULL) {
2393 			kssl_send_alert(ssl, alert_fatal, internal_error);
2394 			freemsg(mp);
2395 			ssl->rec_ass_head = ssl->rec_ass_tail = NULL;
2396 			return (NULL);
2397 		}
2398 
2399 		retmp->b_wptr = retmp->b_rptr + total_size;
2400 		mp->b_rptr += total_size;
2401 		ssl->rec_ass_head = mp;
2402 	} else {
2403 		DTRACE_PROBE2(kssl_mblk__equal_to_total_size,
2404 		    mblk_t *, mp, int, total_size);
2405 		ASSERT(mpsz == total_size);
2406 		ssl->rec_ass_head = mp->b_cont;
2407 		mp->b_cont = NULL;
2408 		retmp = mp;
2409 	}
2410 	/* Adjust the tail */
2411 	if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) {
2412 		for (; mp->b_cont != NULL; mp = mp->b_cont) {
2413 			ssl->rec_ass_tail = mp->b_cont;
2414 		}
2415 	}
2416 
2417 	return (retmp);
2418 }
2419 
2420 
2421 static void
2422 kssl_mblksfree(ssl_t *ssl)
2423 {
2424 
2425 	ASSERT(ssl != NULL);
2426 
2427 	if (ssl->rec_ass_head != NULL) {
2428 		freemsg(ssl->rec_ass_head);
2429 	}
2430 	ssl->rec_ass_head = NULL;
2431 	ssl->rec_ass_tail = NULL;
2432 
2433 	if (ssl->msg.head != NULL) {
2434 		freemsg(ssl->msg.head);
2435 	}
2436 	ssl->msg.head = NULL;
2437 	ssl->msg.tail = NULL;
2438 
2439 	if (ssl->handshake_sendbuf != NULL) {
2440 		freemsg(ssl->handshake_sendbuf);
2441 		ssl->handshake_sendbuf = NULL;
2442 	}
2443 	if (ssl->alert_sendbuf != NULL) {
2444 		freemsg(ssl->alert_sendbuf);
2445 		ssl->alert_sendbuf = NULL;
2446 	}
2447 }
2448 
2449 static void
2450 kssl_specsfree(ssl_t *ssl)
2451 {
2452 	KSSLCipherSpec *spec = &ssl->spec[KSSL_READ];
2453 
2454 	if (spec->cipher_ctx != NULL) {
2455 		crypto_cancel_ctx(spec->cipher_ctx);
2456 		spec->cipher_ctx = 0;
2457 	}
2458 
2459 	spec = &ssl->spec[KSSL_WRITE];
2460 
2461 	if (spec->cipher_ctx != NULL) {
2462 		crypto_cancel_ctx(spec->cipher_ctx);
2463 		spec->cipher_ctx = 0;
2464 	}
2465 }
2466 
2467 /*
2468  * Frees the ssl structure (aka the context of an SSL session).
2469  * Any pending crypto jobs are cancelled.
2470  * Any initiated crypto contexts are freed as well.
2471  */
2472 void
2473 kssl_free_context(ssl_t *ssl)
2474 {
2475 	crypto_req_id_t reqid;
2476 
2477 	ASSERT(ssl != NULL);
2478 	if (!(MUTEX_HELD(&ssl->kssl_lock))) {
2479 		/* we're coming from an external API entry point */
2480 		mutex_enter(&ssl->kssl_lock);
2481 	}
2482 
2483 	/*
2484 	 * Cancel any active crypto request and wait for pending async
2485 	 * operations to complete. We loop here because the async thread
2486 	 * might submit a new cryto request.
2487 	 */
2488 	do {
2489 		if (ssl->job.kjob != NULL) {
2490 			/*
2491 			 * Drop the lock before canceling the request;
2492 			 * otherwise we might deadlock if the completion
2493 			 * callback is running.
2494 			 */
2495 			reqid = ssl->job.kjob;
2496 			mutex_exit(&ssl->kssl_lock);
2497 			crypto_cancel_req(reqid);
2498 			mutex_enter(&ssl->kssl_lock);
2499 
2500 			/* completion callback might have done the cleanup */
2501 			if (ssl->job.kjob != NULL) {
2502 				kmem_free(ssl->job.buf, ssl->job.buflen);
2503 				ssl->job.kjob = 0;
2504 				ssl->job.buf = NULL;
2505 				ssl->job.buflen = 0;
2506 			}
2507 		}
2508 		while (ssl->async_ops_pending > 0)
2509 			cv_wait(&ssl->async_cv, &ssl->kssl_lock);
2510 	} while (ssl->job.kjob != NULL);
2511 
2512 	kssl_mblksfree(ssl);
2513 	kssl_specsfree(ssl);
2514 
2515 	KSSL_ENTRY_REFRELE(ssl->kssl_entry);
2516 	ssl->kssl_entry = NULL;
2517 
2518 	mutex_exit(&ssl->kssl_lock);
2519 
2520 	kmem_cache_free(kssl_cache, ssl);
2521 }
2522