c28749e97052f09388969427adf7df641cdcdc22kais * CDDL HEADER START
c28749e97052f09388969427adf7df641cdcdc22kais * The contents of this file are subject to the terms of the
968d6dde54d2efa62910a3cf36438325d0b69031krishna * Common Development and Distribution License (the "License").
968d6dde54d2efa62910a3cf36438325d0b69031krishna * You may not use this file except in compliance with the License.
c28749e97052f09388969427adf7df641cdcdc22kais * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
c28749e97052f09388969427adf7df641cdcdc22kais * See the License for the specific language governing permissions
c28749e97052f09388969427adf7df641cdcdc22kais * and limitations under the License.
c28749e97052f09388969427adf7df641cdcdc22kais * When distributing Covered Code, include this CDDL HEADER in each
c28749e97052f09388969427adf7df641cdcdc22kais * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
c28749e97052f09388969427adf7df641cdcdc22kais * If applicable, add the following below this CDDL HEADER, with the
c28749e97052f09388969427adf7df641cdcdc22kais * fields enclosed by brackets "[]" replaced with your own identifying
c28749e97052f09388969427adf7df641cdcdc22kais * information: Portions Copyright [yyyy] [name of copyright owner]
c28749e97052f09388969427adf7df641cdcdc22kais * CDDL HEADER END
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
2bd70d4be73561631df9cb3d9eb4c65fa94fa665krishna /* 2 X 16 byte keys + 2 x 20 byte MAC secrets, no IVs */
2bd70d4be73561631df9cb3d9eb4c65fa94fa665krishna /* 2 X 16 byte keys + 2 x 16 byte MAC secrets, no IVs */
2bd70d4be73561631df9cb3d9eb4c65fa94fa665krishna /* 2 X 8 byte keys + 2 x 20 byte MAC secrets, 2 x 8 byte IVs */
2bd70d4be73561631df9cb3d9eb4c65fa94fa665krishna /* 2 X 24 byte keys + 2 x 20 byte MAC secrets, 2 x 8 byte IVs */
c28749e97052f09388969427adf7df641cdcdc22kais {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, 104},
2bd70d4be73561631df9cb3d9eb4c65fa94fa665krishna /* 2 X 16 byte keys + 2 x 20 byte MAC secrets, 2 x 16 byte IVs */
2bd70d4be73561631df9cb3d9eb4c65fa94fa665krishna {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes128, mac_sha, 104},
2bd70d4be73561631df9cb3d9eb4c65fa94fa665krishna /* 2 X 32 byte keys + 2 x 20 byte MAC secrets, 2 x 16 byte IVs */
2bd70d4be73561631df9cb3d9eb4c65fa94fa665krishna {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes256, mac_sha, 136},
c28749e97052f09388969427adf7df641cdcdc22kais sizeof (cipher_suite_defs) / sizeof (cipher_suite_defs[0]);
c28749e97052f09388969427adf7df641cdcdc22kaisstatic KSSLMACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
c28749e97052f09388969427adf7df641cdcdc22kais /* macsz padsz HashInit HashUpdate HashFinal */
c28749e97052f09388969427adf7df641cdcdc22kais (hashinit_func_t)MD5Init, (hashupdate_func_t)MD5Update,
c28749e97052f09388969427adf7df641cdcdc22kais (hashinit_func_t)SHA1Init, (hashupdate_func_t)SHA1Update,
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void kssl_update_handshake_hashes(ssl_t *, uchar_t *, uint_t);
c28749e97052f09388969427adf7df641cdcdc22kaisstatic int kssl_compute_handshake_hashes(ssl_t *, SSL3Hashes *, uint32_t);
c28749e97052f09388969427adf7df641cdcdc22kaisstatic int kssl_handle_client_hello(ssl_t *, mblk_t *, int);
c28749e97052f09388969427adf7df641cdcdc22kaisstatic int kssl_handle_client_key_exchange(ssl_t *, mblk_t *, int,
c28749e97052f09388969427adf7df641cdcdc22kaisstatic int kssl_send_certificate_and_server_hello_done(ssl_t *);
c28749e97052f09388969427adf7df641cdcdc22kaisstatic int kssl_handle_finished(ssl_t *, mblk_t *, int);
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void kssl_cache_sid(sslSessionID *, kssl_entry_t *);
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduristatic void kssl_lookup_sid(sslSessionID *, uchar_t *, in6_addr_t *,
c28749e97052f09388969427adf7df641cdcdc22kaisstatic int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t);
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t);
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void kssl_ssl3_key_material_derive_step(ssl_t *, uchar_t *, size_t,
c28749e97052f09388969427adf7df641cdcdc22kais int, uchar_t *, int);
c28749e97052f09388969427adf7df641cdcdc22kais uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
c28749e97052f09388969427adf7df641cdcdc22kaisstatic int kssl_tls_P_hash(crypto_mechanism_t *, crypto_key_t *,
c28749e97052f09388969427adf7df641cdcdc22kais size_t, uchar_t *, size_t, uchar_t *, size_t, uchar_t *, size_t);
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void kssl_cke_done(void *, int);
c28749e97052f09388969427adf7df641cdcdc22kais rv = crypto_mac_init(m, k, NULL, c, NULL); if (CRYPTO_ERR(rv)) goto end;
c28749e97052f09388969427adf7df641cdcdc22kais rv = crypto_mac_update(c, &dd, NULL); if (CRYPTO_ERR(rv)) goto end;
c28749e97052f09388969427adf7df641cdcdc22kais rv = crypto_mac_final(c, &mac, NULL); if (CRYPTO_ERR(rv)) goto end;
efe05f9ecde56550699213909fd4152ef8ef6438krishna * This hack can go away once we have SSL3 MAC support by KCF
efe05f9ecde56550699213909fd4152ef8ef6438krishna * software providers (See 4873559).
c28749e97052f09388969427adf7df641cdcdc22kais return (1);
efe05f9ecde56550699213909fd4152ef8ef6438krishna if (IS_TLS(ssl) || (spec->hmac_mech.cm_type != CRYPTO_MECH_INVALID &&
efe05f9ecde56550699213909fd4152ef8ef6438krishna /* init the array of iovecs for use in the uio struct */
efe05f9ecde56550699213909fd4152ef8ef6438krishna /* init the uio struct for use in the crypto_data_t struct */
efe05f9ecde56550699213909fd4152ef8ef6438krishna mac.cd_length = mac.cd_raw.iov_len = spec->mac_hashsz;
efe05f9ecde56550699213909fd4152ef8ef6438krishna * The calling context can tolerate a blocking call here.
dd49f125507979bb2ab505a8daf2a46d1be27051Anders Persson * For outgoing traffic, we are in user context when called
dd49f125507979bb2ab505a8daf2a46d1be27051Anders Persson * from kssl_data_out_cb(). For incoming traffic past the
dd49f125507979bb2ab505a8daf2a46d1be27051Anders Persson * SSL handshake, we are in user context when called from
dd49f125507979bb2ab505a8daf2a46d1be27051Anders Persson * kssl_data_in_proc_cb(). During the SSL handshake, we are
dd49f125507979bb2ab505a8daf2a46d1be27051Anders Persson * called for client_finished message handling from a taskq
efe05f9ecde56550699213909fd4152ef8ef6438krishna rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key,
c28749e97052f09388969427adf7df641cdcdc22kais spec->MAC_HashUpdate((void *)ctx, digest, spec->mac_hashsz);
c28749e97052f09388969427adf7df641cdcdc22kais * Handles handshake messages.
c28749e97052f09388969427adf7df641cdcdc22kais * Messages to be replied are returned in handshake_sendbuf.
c28749e97052f09388969427adf7df641cdcdc22kaiskssl_handle_handshake_message(ssl_t *ssl, mblk_t *mp, int *err,
c28749e97052f09388969427adf7df641cdcdc22kais if (ssl->msg.type == finished && ssl->resumed == B_FALSE) {
c28749e97052f09388969427adf7df641cdcdc22kais if (kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
c28749e97052f09388969427adf7df641cdcdc22kais return (0);
c28749e97052f09388969427adf7df641cdcdc22kais if (ssl->msg.type != finished || ssl->resumed == B_FALSE) {
c28749e97052f09388969427adf7df641cdcdc22kais return (1);
c28749e97052f09388969427adf7df641cdcdc22kais return (0);
c28749e97052f09388969427adf7df641cdcdc22kais return (1);
c28749e97052f09388969427adf7df641cdcdc22kais return (1);
c28749e97052f09388969427adf7df641cdcdc22kais return (1);
c28749e97052f09388969427adf7df641cdcdc22kais return (1);
c28749e97052f09388969427adf7df641cdcdc22kais return (1);
c28749e97052f09388969427adf7df641cdcdc22kais return (1);
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void
c28749e97052f09388969427adf7df641cdcdc22kaiskssl_update_handshake_hashes(ssl_t *ssl, uchar_t *buf, uint_t len)
c28749e97052f09388969427adf7df641cdcdc22kais * Do not take another hash step here.
c28749e97052f09388969427adf7df641cdcdc22kais * Just complete the operation.
c28749e97052f09388969427adf7df641cdcdc22kais bcopy(hashes->sha1, seed + MD5_HASH_LEN, SHA1_HASH_LEN);
c28749e97052f09388969427adf7df641cdcdc22kais return (0);
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri * Minimum message length for a client hello =
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri * 2-byte client_version +
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri * 32-byte random +
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri * 1-byte session_id length +
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri * 2-byte cipher_suites length +
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri * 1-byte compression_methods length +
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri * 1-byte CompressionMethod.null
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal * Process SSL/TLS Client Hello message. Return 0 on success, an errno value
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal * on failure, or SSL_MISS if no cipher suite of the server matches the list
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal * received in the message.
c28749e97052f09388969427adf7df641cdcdc22kaiskssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen)
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal DTRACE_PROBE2(kssl_err__msglen_less_than_minimum,
c28749e97052f09388969427adf7df641cdcdc22kais /* Support SSLv3 (version == 3.0) or TLS (version == 3.1) */
c28749e97052f09388969427adf7df641cdcdc22kais if (ssl->major_version != 3 || (ssl->major_version == 3 &&
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal /* read client random field */
c28749e97052f09388969427adf7df641cdcdc22kais bcopy(mp->b_rptr, ssl->client_random, SSL3_RANDOM_LENGTH);
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal /* read session ID length */
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal DTRACE_PROBE2(kssl_err__invalid_message_length_after_ver,
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri kssl_lookup_sid(&ssl->sid, mp->b_rptr, &ssl->faddr,
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal /* read cipher suite length */
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri * This check can't be a "!=" since there can be
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri * compression methods other than CompressionMethod.null.
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri * Also, there can be extra data (TLS extensions) after the
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * compression methods field.
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal DTRACE_PROBE2(kssl_err__invalid_message_length_after_cslen,
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* The length has to be even since a cipher suite is 2 bytes long. */
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal DTRACE_PROBE1(kssl_err__uneven_cipher_suite_length,
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* session resumption checks */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal DTRACE_PROBE2(kssl_cipher_suite_check_resumpt,
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal (uint16_t)((suitesp[j] << 8) + suitesp[j+1]));
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* Check for regular (true) cipher suite. */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal DTRACE_PROBE1(kssl_cipher_suite_found_resumpt,
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* Check for SCSV. */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal if (suitesp[j] == ((SSL_SCSV >> 8) & 0xff) &&
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * If we got cipher suite match and SCSV we can
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * terminate the cycle now.
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal if (suite_found && ssl->secure_renegotiation)
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* Check if this server is capable of the cipher suite. */
c28749e97052f09388969427adf7df641cdcdc22kais for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal DTRACE_PROBE2(kssl_cipher_suite_check, uint16_t, suite,
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal (uint16_t)((suitesp[j] << 8) + suitesp[j+1]));
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* Check for regular (true) cipher suite. */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* Check for SCSV. */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal if (suitesp[j] == ((SSL_SCSV >> 8) & 0xff) &&
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * If we got cipher suite match and SCSV or went
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * through the whole list of client cipher suites
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * (hence we know if SCSV was present or not) we
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * can terminate the cycle now.
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal * If there is no fallback point terminate the
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal * handshake with SSL alert otherwise return with
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal if (ssl->kssl_entry->ke_fallback_head == NULL) {
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri * Check for the mandatory CompressionMethod.null. We do not
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri * support any other compression methods.
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri ch_msglen += cmlen - 1; /* -1 accounts for the null method */
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal DTRACE_PROBE2(kssl_err__invalid_message_length_after_complen,
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal * Search for null compression method (encoded as 0 byte) in the
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal * compression methods field.
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal DTRACE_PROBE(kssl_err__no_null_compression_method);
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* Find the suite in the internal cipher suite table. */
c28749e97052f09388969427adf7df641cdcdc22kais for (i = 0; i < cipher_suite_defs_nentries; i++) {
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal if (selected_suite == cipher_suite_defs[i].suite) {
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* Get past the remaining compression methods (minus null method). */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* Parse TLS extensions (if any). */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* Get the length of the extensions. */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal uint16_t ext_total_len = ((uint_t)mp->b_rptr[0] << 8) +
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal DTRACE_PROBE1(kssl_total_length_extensions, uint16_t,
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * Consider zero extensions length as invalid extension
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal DTRACE_PROBE1(kssl_err__zero_extensions_length,
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal DTRACE_PROBE2(kssl_err__invalid_extensions_length,
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * Go through the TLS extensions. This is only done to check
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * for the presence of renegotiation_info extension. We do not
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * support any other TLS extensions and hence ignore them.
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * Check that the extension has at least type and
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * length (2 + 2 bytes).
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* Get extension type and length */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal DTRACE_PROBE3(kssl_ext_detected, uint16_t, ext_type,
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * Make sure the contents of the extension are
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * accessible.
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * Search for empty "renegotiation_info"
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * extension (encoded as ff 01 00 01 00).
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* FALLTHRU */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* jump to the next extension */
c28749e97052f09388969427adf7df641cdcdc22kais if (err != 0) {
c28749e97052f09388969427adf7df641cdcdc22kais if (err != 0) {
c28749e97052f09388969427adf7df641cdcdc22kais err = kssl_compute_handshake_hashes(ssl, &ssl->hs_hashes,
c28749e97052f09388969427adf7df641cdcdc22kais return (0);
c28749e97052f09388969427adf7df641cdcdc22kais if (err != 0) {
c28749e97052f09388969427adf7df641cdcdc22kais err = kssl_send_certificate_and_server_hello_done(ssl);
c28749e97052f09388969427adf7df641cdcdc22kais if (err != 0) {
c28749e97052f09388969427adf7df641cdcdc22kais return (0);
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri#define SET_HASH_INDEX(index, s, clnt_addr) { \
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri index = addr ^ (((int)(s)[0] << 24) | ((int)(s)[1] << 16) | \
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri ((int)(s)[2] << 8) | (int)(s)[SSL3_SESSIONID_BYTES - 1]); \
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri * Creates a cache entry. Sets the sid->cached flag
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri * and sid->time fields. So, the caller should not set them.
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void
c28749e97052f09388969427adf7df641cdcdc22kaiskssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri /* set the values before creating the cache entry */
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri SET_HASH_INDEX(index, s, &sid->client_addr);
c28749e97052f09388969427adf7df641cdcdc22kais bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid));
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri * Invalidates the cache entry, if any. Clears the sid->cached flag
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri * as a side effect.
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yendurikssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri SET_HASH_INDEX(index, s, &sid->client_addr);
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri lock = &(kssl_entry->sid_cache[index].se_lock);
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri csid = &(kssl_entry->sid_cache[index].se_sid);
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri if (!(IN6_ARE_ADDR_EQUAL(&csid->client_addr, &sid->client_addr)) ||
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yendurikssl_lookup_sid(sslSessionID *sid, uchar_t *s, in6_addr_t *faddr,
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri !IN6_ARE_ADDR_EQUAL(&csid->client_addr, faddr) ||
d3d50737e566cade9a08d73d2af95105ac7cd960Rafael Vanoni if (TICK_TO_SEC(ddi_get_lbolt() - csid->time) >
c28749e97052f09388969427adf7df641cdcdc22kais int i = 2;
c28749e97052f09388969427adf7df641cdcdc22kais while (i < len) {
c28749e97052f09388969427adf7df641cdcdc22kais if (buf[i++] == 0) {
c28749e97052f09388969427adf7df641cdcdc22kais if (i == len) {
c28749e97052f09388969427adf7df641cdcdc22kais return (buf + i);
c28749e97052f09388969427adf7df641cdcdc22kais#define KSSL_SSL3_MAX_CCP_FIN_MSGLEN (128) /* comfortable upper bound */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * Send ServerHello record to the client.
c28749e97052f09388969427adf7df641cdcdc22kais /* 5 byte record header */
c28749e97052f09388969427adf7df641cdcdc22kais /* 6 byte message header */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal buf[3] = (reclen - 4) & 0xff; /* message len byte 2 */
c28749e97052f09388969427adf7df641cdcdc22kais bcopy(ssl->sid.session_id, buf + 1, SSL3_SESSIONID_BYTES);
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * Add "renegotiation_info" extension if the ClientHello message
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * contained either SCSV value in cipher suite list or
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * "renegotiation_info" extension. This is per RFC 5746, section 3.6.
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* Extensions length */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* empty renegotiation_info extension encoding (section 3.2) */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal kssl_update_handshake_hashes(ssl, msgstart, reclen);
c28749e97052f09388969427adf7df641cdcdc22kais return (0);
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void
c28749e97052f09388969427adf7df641cdcdc22kais (void) random_get_pseudo_bytes(&buf[4], SSL3_RANDOM_LENGTH - 4);
c28749e97052f09388969427adf7df641cdcdc22kais /* Should this be caching? */
c28749e97052f09388969427adf7df641cdcdc22kaiskssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key,
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri * A(i) = HMAC_hash(secret, seed + A(i-1));
c28749e97052f09388969427adf7df641cdcdc22kais * A(0) = seed;
c28749e97052f09388969427adf7df641cdcdc22kais * Compute A(1):
c28749e97052f09388969427adf7df641cdcdc22kais * A(1) = HMAC_hash(secret, label + seed)
c28749e97052f09388969427adf7df641cdcdc22kais /* Compute A(2) ... A(n) */
c28749e97052f09388969427adf7df641cdcdc22kais while (bytes_left > 0) {
c28749e97052f09388969427adf7df641cdcdc22kais * The A(i) value is stored in "result".
c28749e97052f09388969427adf7df641cdcdc22kais * Save the results of the MAC so it can be input to next
c28749e97052f09388969427adf7df641cdcdc22kais * iteration.
c28749e97052f09388969427adf7df641cdcdc22kais /* Store the chunk result */
c28749e97052f09388969427adf7df641cdcdc22kais /* Update A1 for next iteration */
c28749e97052f09388969427adf7df641cdcdc22kais/* ARGSUSED */
c28749e97052f09388969427adf7df641cdcdc22kais * RFC 2246:
c28749e97052f09388969427adf7df641cdcdc22kais * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
c28749e97052f09388969427adf7df641cdcdc22kais * P_SHA1(S2, label + seed);
c28749e97052f09388969427adf7df641cdcdc22kais * S1 = 1st half of secret.
c28749e97052f09388969427adf7df641cdcdc22kais * S2 = 2nd half of secret.
c28749e97052f09388969427adf7df641cdcdc22kais /* length of secret keys is ceil(length/2) */
c28749e97052f09388969427adf7df641cdcdc22kais rv = kssl_tls_P_hash(&hmac_md5_mech, &S1, MD5_HASH_LEN,
c28749e97052f09388969427adf7df641cdcdc22kais rv = kssl_tls_P_hash(&hmac_sha1_mech, &S2, SHA1_HASH_LEN,
c28749e97052f09388969427adf7df641cdcdc22kais for (i = 0; i < prfresult_len; i++)
968d6dde54d2efa62910a3cf36438325d0b69031krishna (pms == NULL || pmslen != SSL3_PRE_MASTER_SECRET_LEN || \
968d6dde54d2efa62910a3cf36438325d0b69031krishna pms[0] != ssl->major_version || pms[1] != ssl->minor_version)
968d6dde54d2efa62910a3cf36438325d0b69031krishna#define FAKE_PRE_MASTER_SECRET(pms, pmslen, ssl, buf) { \
968d6dde54d2efa62910a3cf36438325d0b69031krishna (void) random_get_pseudo_bytes(&buf[2], pmslen - 2); \
c28749e97052f09388969427adf7df641cdcdc22kaiskssl_generate_tls_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
c28749e97052f09388969427adf7df641cdcdc22kais * Computing the master secret:
c28749e97052f09388969427adf7df641cdcdc22kais * ----------------------------
c28749e97052f09388969427adf7df641cdcdc22kais * master_secret = PRF (pms, "master secret",
c28749e97052f09388969427adf7df641cdcdc22kais * ClientHello.random + ServerHello.random);
968d6dde54d2efa62910a3cf36438325d0b69031krishna /* If the pms is malformed, substitute a random one to thwart the Bleichenbacher attack */
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void
c28749e97052f09388969427adf7df641cdcdc22kaiskssl_generate_ssl_ms(ssl_t *ssl, uchar_t *pms, size_t pmslen)
c28749e97052f09388969427adf7df641cdcdc22kais /* If the pms is malformed, substitute a random one to thwart the Bleichenbacher attack */
c28749e97052f09388969427adf7df641cdcdc22kais kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 1, ms, 0);
c28749e97052f09388969427adf7df641cdcdc22kais kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 2, ms + hlen, 0);
c28749e97052f09388969427adf7df641cdcdc22kais kssl_ssl3_key_material_derive_step(ssl, pms, pmslen, 3, ms + 2 * hlen,
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void
c28749e97052f09388969427adf7df641cdcdc22kais kssl_ssl3_key_material_derive_step(ssl, ms, mslen, i, keys, 1);
2bd70d4be73561631df9cb3d9eb4c65fa94fa665krishnastatic char *ssl3_key_derive_seeds[9] = {"A", "BB", "CCC", "DDDD", "EEEEE",
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void
c28749e97052f09388969427adf7df641cdcdc22kais SHA1Update(sha1ctx, (uchar_t *)ssl3_key_derive_seeds[step],
c28749e97052f09388969427adf7df641cdcdc22kais SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
c28749e97052f09388969427adf7df641cdcdc22kais SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
c28749e97052f09388969427adf7df641cdcdc22kais SHA1Update(sha1ctx, ssl->client_random, SSL3_RANDOM_LENGTH);
c28749e97052f09388969427adf7df641cdcdc22kais SHA1Update(sha1ctx, ssl->server_random, SSL3_RANDOM_LENGTH);
c28749e97052f09388969427adf7df641cdcdc22kais /* Assume MSS is at least 80 bytes */
c28749e97052f09388969427adf7df641cdcdc22kais copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
c28749e97052f09388969427adf7df641cdcdc22kais /* new record always starts in a new mblk for simplicity */
c28749e97052f09388969427adf7df641cdcdc22kais for (;;) {
c28749e97052f09388969427adf7df641cdcdc22kais if (len == 0) {
c28749e97052f09388969427adf7df641cdcdc22kais copylen = MIN(copylen, SSL3_MAX_RECORD_LENGTH - cur_reclen);
c28749e97052f09388969427adf7df641cdcdc22kais /* adjust the record length field for the first record */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal cur_reclen = MIN(reclen + cert_len, SSL3_MAX_RECORD_LENGTH);
c28749e97052f09388969427adf7df641cdcdc22kais return (0);
c28749e97052f09388969427adf7df641cdcdc22kais /* We're most likely to hit the fast path for resumed sessions */
c28749e97052f09388969427adf7df641cdcdc22kais (mp->b_datap->db_lim - mp->b_wptr > KSSL_SSL3_MAX_CCP_FIN_MSGLEN)) {
c28749e97052f09388969427adf7df641cdcdc22kais /* 5 byte record header */
c28749e97052f09388969427adf7df641cdcdc22kais spec->MAC_HashInit = mac_defs[ssl->pending_malg].HashInit;
c28749e97052f09388969427adf7df641cdcdc22kais spec->MAC_HashUpdate = mac_defs[ssl->pending_malg].HashUpdate;
c28749e97052f09388969427adf7df641cdcdc22kais spec->MAC_HashFinal = mac_defs[ssl->pending_malg].HashFinal;
c28749e97052f09388969427adf7df641cdcdc22kais /* Pre-compute these here; this will save cycles on each record later */
c28749e97052f09388969427adf7df641cdcdc22kais spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
c28749e97052f09388969427adf7df641cdcdc22kais spec->MAC_HashUpdate((void *)ctx, ssl->mac_secret[dir],
c28749e97052f09388969427adf7df641cdcdc22kais spec->cipher_type = cipher_defs[ssl->pending_calg].type;
c28749e97052f09388969427adf7df641cdcdc22kais spec->cipher_mech.cm_type = cipher_defs[ssl->pending_calg].mech_type;
c28749e97052f09388969427adf7df641cdcdc22kais spec->cipher_bsize = cipher_defs[ssl->pending_calg].bsize;
c28749e97052f09388969427adf7df641cdcdc22kais spec->cipher_keysz = cipher_defs[ssl->pending_calg].keysz;
efe05f9ecde56550699213909fd4152ef8ef6438krishna * Initialize HMAC keys for TLS and SSL3 HMAC keys
efe05f9ecde56550699213909fd4152ef8ef6438krishna * for SSL 3.0.
c28749e97052f09388969427adf7df641cdcdc22kais /* We're done if this is the nil cipher */
c28749e97052f09388969427adf7df641cdcdc22kais return (0);
c28749e97052f09388969427adf7df641cdcdc22kais /* Initialize the key and the active context */
c28749e97052f09388969427adf7df641cdcdc22kais spec->cipher_key.ck_length = 8 * spec->cipher_keysz; /* in bits */
c28749e97052f09388969427adf7df641cdcdc22kais /* client_write_IV */
c28749e97052f09388969427adf7df641cdcdc22kais (caddr_t)&(ssl->pending_keyblock[2 * spec->mac_hashsz +
c892ebf1bef94f4f922f282c11516677c134dbe0krishna /* client_write_key */
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri /* server_write_IV */
c28749e97052f09388969427adf7df641cdcdc22kais /* server_write_key */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * It should be either a message with Server Hello record or just plain
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * SSL header (data packet).
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal SSL3_HDR_LEN + KSSL_SSL3_SH_RECLEN + SSL3_HDR_LEN + 1 + adj_len ||
c28749e97052f09388969427adf7df641cdcdc22kais /* 5 byte record header */
c28749e97052f09388969427adf7df641cdcdc22kais /* 4 byte message header */
c28749e97052f09388969427adf7df641cdcdc22kais /* Compute hashes for the SENDER side */
c28749e97052f09388969427adf7df641cdcdc22kais ret = kssl_compute_handshake_hashes(ssl, &ssl3hashes, sender_server);
c28749e97052f09388969427adf7df641cdcdc22kais bcopy(ssl3hashes.tlshash, buf, sizeof (ssl3hashes.tlshash));
c28749e97052f09388969427adf7df641cdcdc22kais bcopy(ssl3hashes.sha1, buf + MD5_HASH_LEN, SHA1_HASH_LEN);
c28749e97052f09388969427adf7df641cdcdc22kais kssl_update_handshake_hashes(ssl, buf - 4, finish_len + 4);
c28749e97052f09388969427adf7df641cdcdc22kais ret = kssl_mac_encrypt_record(ssl, content_handshake, versionp,
c28749e97052f09388969427adf7df641cdcdc22kais if (mac_sz != 0) {
c28749e97052f09388969427adf7df641cdcdc22kais for (i = 0; i < pad_sz; i++) {
c28749e97052f09388969427adf7df641cdcdc22kais spec->cipher_data.cd_raw.iov_base = (char *)(rstart + SSL3_HDR_LEN);
c28749e97052f09388969427adf7df641cdcdc22kais /* One record at a time. Otherwise, gotta allocate the crypto_data_t */
c28749e97052f09388969427adf7df641cdcdc22kais ret = crypto_encrypt_update(spec->cipher_ctx, &spec->cipher_data,
7dd0d8ffa6288391fcbac80fa5deeb770d202cb8Vladimir Kotal * Produce SSL alert message (SSLv3/TLS) or error message (SSLv2). For SSLv2
7dd0d8ffa6288391fcbac80fa5deeb770d202cb8Vladimir Kotal * it is only done to tear down the SSL connection so it has fixed encoding.
c28749e97052f09388969427adf7df641cdcdc22kaiskssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc)
9b1bd49f83497d7b339a684a1a76de3aaccf5269Vladimir Kotal /* KSSL generates 5 byte SSLv2 alert messages only. */
7dd0d8ffa6288391fcbac80fa5deeb770d202cb8Vladimir Kotal ssl->alert_sendbuf = mp = allocb(len + spec->mac_hashsz +
7dd0d8ffa6288391fcbac80fa5deeb770d202cb8Vladimir Kotal /* 5 byte record header */
7dd0d8ffa6288391fcbac80fa5deeb770d202cb8Vladimir Kotal /* alert contents */
7dd0d8ffa6288391fcbac80fa5deeb770d202cb8Vladimir Kotal /* SSLv2 has different encoding. */
7dd0d8ffa6288391fcbac80fa5deeb770d202cb8Vladimir Kotal /* 2-byte encoding of the length */
7dd0d8ffa6288391fcbac80fa5deeb770d202cb8Vladimir Kotal /* Protocol Message Code = Error */
7dd0d8ffa6288391fcbac80fa5deeb770d202cb8Vladimir Kotal /* Error Message Code = Undefined Error */
c28749e97052f09388969427adf7df641cdcdc22kais/* Assumes RSA encryption */
c28749e97052f09388969427adf7df641cdcdc22kaiskssl_handle_client_key_exchange(ssl_t *ssl, mblk_t *mp, int msglen,
c28749e97052f09388969427adf7df641cdcdc22kais * TLS adds an extra 2 byte length field before the data.
c28749e97052f09388969427adf7df641cdcdc22kais * Allocate all we need in one shot: about 300 bytes total, for
c28749e97052f09388969427adf7df641cdcdc22kais * 1024 bit RSA modulus.
c28749e97052f09388969427adf7df641cdcdc22kais * The buffer layout will be: pms_data, wrapped_pms_data, the
c28749e97052f09388969427adf7df641cdcdc22kais * value of the wrapped pms from the client, then room for the
c28749e97052f09388969427adf7df641cdcdc22kais * resulting decrypted premaster secret.
c28749e97052f09388969427adf7df641cdcdc22kais wrapped_pms_data->cd_format = pms_data->cd_format = CRYPTO_DATA_RAW;
c28749e97052f09388969427adf7df641cdcdc22kais wrapped_pms_data->cd_length = pms_data->cd_length = msglen;
c28749e97052f09388969427adf7df641cdcdc22kais wrapped_pms_data->cd_miscdata = pms_data->cd_miscdata = NULL;
c28749e97052f09388969427adf7df641cdcdc22kais wrapped_pms_data->cd_raw.iov_len = pms_data->cd_raw.iov_len = msglen;
c28749e97052f09388969427adf7df641cdcdc22kais wrapped_pms_data->cd_raw.iov_base = buf + 2 * sizeof (crypto_data_t);
c28749e97052f09388969427adf7df641cdcdc22kais pms_data->cd_raw.iov_base = wrapped_pms_data->cd_raw.iov_base + msglen;
c28749e97052f09388969427adf7df641cdcdc22kais bcopy(mp->b_rptr, wrapped_pms_data->cd_raw.iov_base, msglen);
c28749e97052f09388969427adf7df641cdcdc22kais /* Proceed synchronously if out of interrupt and configured to do so */
c892ebf1bef94f4f922f282c11516677c134dbe0krishna /* Reauthenticate to the provider */
c892ebf1bef94f4f922f282c11516677c134dbe0krishna * Deal with session specific errors. We translate to
c892ebf1bef94f4f922f282c11516677c134dbe0krishna * the closest errno.
c892ebf1bef94f4f922f282c11516677c134dbe0krishna err = crypto_decrypt(&rsa_x509_mech, wrapped_pms_data,
c28749e97052f09388969427adf7df641cdcdc22kais switch (err) {
c28749e97052f09388969427adf7df641cdcdc22kais * Finish the master secret then the rest of key material
c28749e97052f09388969427adf7df641cdcdc22kais * derivation later.
c28749e97052f09388969427adf7df641cdcdc22kais return (0);
c28749e97052f09388969427adf7df641cdcdc22kais pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
c28749e97052f09388969427adf7df641cdcdc22kais /* generate master key and save it in the ssl sid structure */
c28749e97052f09388969427adf7df641cdcdc22kais return (0);
c28749e97052f09388969427adf7df641cdcdc22kaiskssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen)
c28749e97052f09388969427adf7df641cdcdc22kais hashcompare = bcmp(mp->b_rptr, &ssl->hs_hashes, finish_len);
c28749e97052f09388969427adf7df641cdcdc22kais /* The handshake hashes should be computed by now */
c28749e97052f09388969427adf7df641cdcdc22kais return (0);
c28749e97052f09388969427adf7df641cdcdc22kais if (err != 0) {
c28749e97052f09388969427adf7df641cdcdc22kais if (err != 0) {
c28749e97052f09388969427adf7df641cdcdc22kais return (0);
c28749e97052f09388969427adf7df641cdcdc22kais * This method is needed to handle clients which send the
c28749e97052f09388969427adf7df641cdcdc22kais * SSLv2/SSLv3 handshake for backwards compat with SSLv2 servers.
c28749e97052f09388969427adf7df641cdcdc22kais * We are not really doing SSLv2 here, just handling the header
c28749e97052f09388969427adf7df641cdcdc22kais * and then switching to SSLv3.
c28749e97052f09388969427adf7df641cdcdc22kaiskssl_handle_v2client_hello(ssl_t *ssl, mblk_t *mp, int recsz)
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal DTRACE_PROBE2(kssl_err__reclen_less_than_minimum,
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal DTRACE_PROBE1(kssl_err__invalid_version, uint_t, *mp->b_rptr);
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri cslen = ((uint_t)mp->b_rptr[0] << 8) + (uint_t)mp->b_rptr[1];
c28749e97052f09388969427adf7df641cdcdc22kais sidlen = ((uint_t)mp->b_rptr[2] << 8) + (uint_t)mp->b_rptr[3];
c28749e97052f09388969427adf7df641cdcdc22kais randlen = ((uint_t)mp->b_rptr[4] << 8) + (uint_t)mp->b_rptr[5];
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri DTRACE_PROBE1(kssl_err__cipher_suites_len_error, uint_t, cslen);
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal DTRACE_PROBE2(kssl_err__invalid_message_len_sum,
c28749e97052f09388969427adf7df641cdcdc22kais bcopy(rand, &ssl->client_random[SSL3_RANDOM_LENGTH - randlen],
c28749e97052f09388969427adf7df641cdcdc22kais for (i = 0; i < ssl->kssl_entry->kssl_cipherSuites_nentries; i++) {
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal (uint16_t)((suitesp[j+1] << 8) + suitesp[j+2]));
c28749e97052f09388969427adf7df641cdcdc22kais if (suitesp[j] != 0) {
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* Check for regular (true) cipher suite. */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* Check for SCSV. */
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal if (suitesp[j + 1] == ((SSL_SCSV >> 8) & 0xff) &&
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * If we got cipher suite match and SCSV or went
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * through the whole list of client cipher suites
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * (hence we know if SCSV was present or not) we
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * can terminate the cycle now.
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal * If there is no fallback point, terminate the handshake with
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal * an SSL alert; otherwise return with SSL_MISS.
65d184575ba5adcc532b970fc99d2f67e2df7af6Vladimir Kotal if (ssl->kssl_entry->ke_fallback_head == NULL) {
c28749e97052f09388969427adf7df641cdcdc22kais for (i = 0; i < cipher_suite_defs_nentries; i++) {
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal if (selected_suite == cipher_suite_defs[i].suite) {
c28749e97052f09388969427adf7df641cdcdc22kais if (err != 0) {
c28749e97052f09388969427adf7df641cdcdc22kais err = kssl_send_certificate_and_server_hello_done(ssl);
c28749e97052f09388969427adf7df641cdcdc22kais if (err != 0) {
c28749e97052f09388969427adf7df641cdcdc22kais return (0);
c28749e97052f09388969427adf7df641cdcdc22kais * Call back routine for asynchronously submitted RSA decryption jobs.
51144063f3afc862c6cb3f54fd4341724f765075Krishna Yenduri * This routine retrieves the pre-master secret, and proceeds to generate
c28749e97052f09388969427adf7df641cdcdc22kais * the remaining key materials.
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void
c28749e97052f09388969427adf7df641cdcdc22kais pms = kssl_rsa_unwrap((uchar_t *)pms_data->cd_raw.iov_base, &pmslen);
c28749e97052f09388969427adf7df641cdcdc22kais /* generate master key and save it in the ssl sid structure */
dd49f125507979bb2ab505a8daf2a46d1be27051Anders Persson /* dropped by callback when it has completed */
c28749e97052f09388969427adf7df641cdcdc22kais /* Now call the callback routine */
c28749e97052f09388969427adf7df641cdcdc22kais * Returns the first complete contiguous record out of rec_ass_head
c28749e97052f09388969427adf7df641cdcdc22kais * The record is returned in a separate contiguous mblk, rec_ass_head is
c28749e97052f09388969427adf7df641cdcdc22kais * left pointing to the next record in the queue.
c28749e97052f09388969427adf7df641cdcdc22kais * The output looks as follows:
c28749e97052f09388969427adf7df641cdcdc22kais * |--------|---------- .... -----|<---------->|<----------->|--- ... ---|
c28749e97052f09388969427adf7df641cdcdc22kais * ^ ^ ^ mac_size pad_size ^
c28749e97052f09388969427adf7df641cdcdc22kais * | |___ b_rptr b_wptr __| |
c28749e97052f09388969427adf7df641cdcdc22kais * |___ db_base db_lim ___|
c28749e97052f09388969427adf7df641cdcdc22kais /* Fast path: when mp has at least a complete record */
c28749e97052f09388969427adf7df641cdcdc22kais /* Not even a complete header in there yet */
c28749e97052f09388969427adf7df641cdcdc22kais * same tests as above. Only rare very fragmented cases will
c28749e97052f09388969427adf7df641cdcdc22kais * incur the cost of msgdsize() and msgpullup(). Well formed
c28749e97052f09388969427adf7df641cdcdc22kais * packets will fall in the most frequent fast path.
c28749e97052f09388969427adf7df641cdcdc22kais * Missing: a defensive check against a fabricated record that is
c28749e97052f09388969427adf7df641cdcdc22kais * longer than the MAX record length.
c28749e97052f09388969427adf7df641cdcdc22kais /* Not a complete record yet. Keep accumulating */
c28749e97052f09388969427adf7df641cdcdc22kais mpsz = MBLKL(mp); /* could've changed after the pullup */
c28749e97052f09388969427adf7df641cdcdc22kais /* gotta allocate a new block */
c28749e97052f09388969427adf7df641cdcdc22kais /* Adjust the tail */
c28749e97052f09388969427adf7df641cdcdc22kais if ((mp = ssl->rec_ass_tail = ssl->rec_ass_head) != NULL) {
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void
c28749e97052f09388969427adf7df641cdcdc22kaisstatic void
c28749e97052f09388969427adf7df641cdcdc22kais * Frees the ssl structure (aka the context of an SSL session).
c28749e97052f09388969427adf7df641cdcdc22kais * Any pending crypto jobs are cancelled.
c28749e97052f09388969427adf7df641cdcdc22kais * Any initiated crypto contexts are freed as well.
c28749e97052f09388969427adf7df641cdcdc22kais /* we're coming from an external API entry point */
dd49f125507979bb2ab505a8daf2a46d1be27051Anders Persson * Cancel any active crypto request and wait for pending async
dd49f125507979bb2ab505a8daf2a46d1be27051Anders Persson * operations to complete. We loop here because the async thread
dd49f125507979bb2ab505a8daf2a46d1be27051Anders Persson * might submit a new crypto request.
dd49f125507979bb2ab505a8daf2a46d1be27051Anders Persson * Drop the lock before canceling the request;
dd49f125507979bb2ab505a8daf2a46d1be27051Anders Persson * otherwise we might deadlock if the completion
dd49f125507979bb2ab505a8daf2a46d1be27051Anders Persson * callback is running.
dd49f125507979bb2ab505a8daf2a46d1be27051Anders Persson /* completion callback might have done the cleanup */