ipxe/src/net/tls.c

/*
 * Copyright (C) 2007 Michael Brown <mbrown@fensystems.co.uk>.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 */

FILE_LICENCE ( GPL2_OR_LATER );

/**
 * @file
 *
 * Transport Layer Security Protocol
 */

#include <stdint.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <errno.h>
#include <byteswap.h>
#include <ipxe/hmac.h>
#include <ipxe/md5.h>
#include <ipxe/sha1.h>
#include <ipxe/aes.h>
#include <ipxe/rsa.h>
#include <ipxe/iobuf.h>
#include <ipxe/xfer.h>
#include <ipxe/open.h>
#include <ipxe/asn1.h>
#include <ipxe/x509.h>
#include <ipxe/rbg.h>
#include <ipxe/tls.h>

static int tls_send_plaintext ( struct tls_session *tls, unsigned int type,
				const void *data, size_t len );
static void tls_clear_cipher ( struct tls_session *tls,
			       struct tls_cipherspec *cipherspec );

/******************************************************************************
 *
 * Utility functions
 *
 ******************************************************************************
 */

/**
 * Extract 24-bit field value
 *
 * @v field24		24-bit field
 * @ret value		Field value
 *
 * TLS uses 24-bit integers in several places, which are awkward to
 * parse in C.
 */
static unsigned long tls_uint24 ( uint8_t field24[3] ) {
	return ( ( field24[0] << 16 ) + ( field24[1] << 8 ) + field24[2] );
}

/******************************************************************************
 *
 * Cleanup functions
 *
 ******************************************************************************
 */

/**
 * Free TLS session
 *
 * @v refcnt		Reference counter
 */
static void free_tls ( struct refcnt *refcnt ) {
	struct tls_session *tls =
		container_of ( refcnt, struct tls_session, refcnt );

	/* Free dynamically-allocated resources */
	tls_clear_cipher ( tls, &tls->tx_cipherspec );
	tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );
	tls_clear_cipher ( tls, &tls->rx_cipherspec );
	tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
	x509_free_rsa_public_key ( &tls->rsa );
	free ( tls->rx_data );

	/* Free TLS structure itself */
	free ( tls );	
}

/**
 * Finish with TLS session
 *
 * @v tls		TLS session
 * @v rc		Status code
 */
static void tls_close ( struct tls_session *tls, int rc ) {

	/* Remove process */
	process_del ( &tls->process );
	
	/* Close ciphertext and plaintext streams */
	intf_shutdown ( &tls->cipherstream, rc );
	intf_shutdown ( &tls->plainstream, rc );
}

/******************************************************************************
 *
 * Random number generation
 *
 ******************************************************************************
 */

/**
 * Generate random data
 *
 * @v tls		TLS session
 * @v data		Buffer to fill
 * @v len		Length of buffer
 * @ret rc		Return status code
 */
static int tls_generate_random ( struct tls_session *tls,
				 void *data, size_t len ) {
	int rc;

	/* Generate random bits with no additional input and without
	 * prediction resistance
	 */
	if ( ( rc = rbg_generate ( NULL, 0, 0, data, len ) ) != 0 ) {
		DBGC ( tls, "TLS %p could not generate random data: %s\n",
		       tls, strerror ( rc ) );
		return rc;
	}

	return 0;
}

/**
 * Update HMAC with a list of ( data, len ) pairs
 *
 * @v digest		Hash function to use
 * @v digest_ctx	Digest context
 * @v args		( data, len ) pairs of data, terminated by NULL
 */
static void tls_hmac_update_va ( struct digest_algorithm *digest,
				 void *digest_ctx, va_list args ) {
	void *data;
	size_t len;

	while ( ( data = va_arg ( args, void * ) ) ) {
		len = va_arg ( args, size_t );
		hmac_update ( digest, digest_ctx, data, len );
	}
}

/**
 * Generate secure pseudo-random data using a single hash function
 *
 * @v tls		TLS session
 * @v digest		Hash function to use
 * @v secret		Secret
 * @v secret_len	Length of secret
 * @v out		Output buffer
 * @v out_len		Length of output buffer
 * @v seeds		( data, len ) pairs of seed data, terminated by NULL
 */
static void tls_p_hash_va ( struct tls_session *tls,
			    struct digest_algorithm *digest,
			    void *secret, size_t secret_len,
			    void *out, size_t out_len,
			    va_list seeds ) {
	uint8_t secret_copy[secret_len];
	uint8_t digest_ctx[digest->ctxsize];
	uint8_t digest_ctx_partial[digest->ctxsize];
	uint8_t a[digest->digestsize];
	uint8_t out_tmp[digest->digestsize];
	size_t frag_len = digest->digestsize;
	va_list tmp;

	/* Copy the secret, in case HMAC modifies it */
	memcpy ( secret_copy, secret, secret_len );
	secret = secret_copy;
	DBGC2 ( tls, "TLS %p %s secret:\n", tls, digest->name );
	DBGC2_HD ( tls, secret, secret_len );

	/* Calculate A(1) */
	hmac_init ( digest, digest_ctx, secret, &secret_len );
	va_copy ( tmp, seeds );
	tls_hmac_update_va ( digest, digest_ctx, tmp );
	va_end ( tmp );
	hmac_final ( digest, digest_ctx, secret, &secret_len, a );
	DBGC2 ( tls, "TLS %p %s A(1):\n", tls, digest->name );
	DBGC2_HD ( tls, &a, sizeof ( a ) );

	/* Generate as much data as required */
	while ( out_len ) {
		/* Calculate output portion */
		hmac_init ( digest, digest_ctx, secret, &secret_len );
		hmac_update ( digest, digest_ctx, a, sizeof ( a ) );
		memcpy ( digest_ctx_partial, digest_ctx, digest->ctxsize );
		va_copy ( tmp, seeds );
		tls_hmac_update_va ( digest, digest_ctx, tmp );
		va_end ( tmp );
		hmac_final ( digest, digest_ctx,
			     secret, &secret_len, out_tmp );

		/* Copy output */
		if ( frag_len > out_len )
			frag_len = out_len;
		memcpy ( out, out_tmp, frag_len );
		DBGC2 ( tls, "TLS %p %s output:\n", tls, digest->name );
		DBGC2_HD ( tls, out, frag_len );

		/* Calculate A(i) */
		hmac_final ( digest, digest_ctx_partial,
			     secret, &secret_len, a );
		DBGC2 ( tls, "TLS %p %s A(n):\n", tls, digest->name );
		DBGC2_HD ( tls, &a, sizeof ( a ) );

		out += frag_len;
		out_len -= frag_len;
	}
}

/**
 * Generate secure pseudo-random data
 *
 * @v tls		TLS session
 * @v secret		Secret
 * @v secret_len	Length of secret
 * @v out		Output buffer
 * @v out_len		Length of output buffer
 * @v ...		( data, len ) pairs of seed data, terminated by NULL
 */
static void tls_prf ( struct tls_session *tls, void *secret, size_t secret_len,
		      void *out, size_t out_len, ... ) {
	va_list seeds;
	va_list tmp;
	size_t subsecret_len;
	void *md5_secret;
	void *sha1_secret;
	uint8_t out_md5[out_len];
	uint8_t out_sha1[out_len];
	unsigned int i;

	va_start ( seeds, out_len );

	/* Split secret into two, with an overlap of up to one byte */
	subsecret_len = ( ( secret_len + 1 ) / 2 );
	md5_secret = secret;
	sha1_secret = ( secret + secret_len - subsecret_len );

	/* Calculate MD5 portion */
	va_copy ( tmp, seeds );
	tls_p_hash_va ( tls, &md5_algorithm, md5_secret, subsecret_len,
			out_md5, out_len, seeds );
	va_end ( tmp );

	/* Calculate SHA1 portion */
	va_copy ( tmp, seeds );
	tls_p_hash_va ( tls, &sha1_algorithm, sha1_secret, subsecret_len,
			out_sha1, out_len, seeds );
	va_end ( tmp );

	/* XOR the two portions together into the final output buffer */
	for ( i = 0 ; i < out_len ; i++ ) {
		*( ( uint8_t * ) out + i ) = ( out_md5[i] ^ out_sha1[i] );
	}

	va_end ( seeds );
}

/**
 * Generate secure pseudo-random data
 *
 * @v secret		Secret
 * @v secret_len	Length of secret
 * @v out		Output buffer
 * @v out_len		Length of output buffer
 * @v label		String literal label
 * @v ...		( data, len ) pairs of seed data
 */
#define tls_prf_label( tls, secret, secret_len, out, out_len, label, ... ) \
	tls_prf ( (tls), (secret), (secret_len), (out), (out_len),	   \
		  label, ( sizeof ( label ) - 1 ), __VA_ARGS__, NULL )

/******************************************************************************
 *
 * Secret management
 *
 ******************************************************************************
 */

/**
 * Generate master secret
 *
 * @v tls		TLS session
 *
 * The pre-master secret and the client and server random values must
 * already be known.
 */
static void tls_generate_master_secret ( struct tls_session *tls ) {
	DBGC ( tls, "TLS %p pre-master-secret:\n", tls );
	DBGC_HD ( tls, &tls->pre_master_secret,
		  sizeof ( tls->pre_master_secret ) );
	DBGC ( tls, "TLS %p client random bytes:\n", tls );
	DBGC_HD ( tls, &tls->client_random, sizeof ( tls->client_random ) );
	DBGC ( tls, "TLS %p server random bytes:\n", tls );
	DBGC_HD ( tls, &tls->server_random, sizeof ( tls->server_random ) );

	tls_prf_label ( tls, &tls->pre_master_secret,
			sizeof ( tls->pre_master_secret ),
			&tls->master_secret, sizeof ( tls->master_secret ),
			"master secret",
			&tls->client_random, sizeof ( tls->client_random ),
			&tls->server_random, sizeof ( tls->server_random ) );

	DBGC ( tls, "TLS %p generated master secret:\n", tls );
	DBGC_HD ( tls, &tls->master_secret, sizeof ( tls->master_secret ) );
}

/**
 * Generate key material
 *
 * @v tls		TLS session
 *
 * The master secret must already be known.
 */
static int tls_generate_keys ( struct tls_session *tls ) {
	struct tls_cipherspec *tx_cipherspec = &tls->tx_cipherspec_pending;
	struct tls_cipherspec *rx_cipherspec = &tls->rx_cipherspec_pending;
	size_t hash_size = tx_cipherspec->digest->digestsize;
	size_t key_size = tx_cipherspec->key_len;
	size_t iv_size = tx_cipherspec->cipher->blocksize;
	size_t total = ( 2 * ( hash_size + key_size + iv_size ) );
	uint8_t key_block[total];
	uint8_t *key;
	int rc;

	/* Generate key block */
	tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
			key_block, sizeof ( key_block ), "key expansion",
			&tls->server_random, sizeof ( tls->server_random ),
			&tls->client_random, sizeof ( tls->client_random ) );

	/* Split key block into portions */
	key = key_block;

	/* TX MAC secret */
	memcpy ( tx_cipherspec->mac_secret, key, hash_size );
	DBGC ( tls, "TLS %p TX MAC secret:\n", tls );
	DBGC_HD ( tls, key, hash_size );
	key += hash_size;

	/* RX MAC secret */
	memcpy ( rx_cipherspec->mac_secret, key, hash_size );
	DBGC ( tls, "TLS %p RX MAC secret:\n", tls );
	DBGC_HD ( tls, key, hash_size );
	key += hash_size;

	/* TX key */
	if ( ( rc = cipher_setkey ( tx_cipherspec->cipher,
				    tx_cipherspec->cipher_ctx,
				    key, key_size ) ) != 0 ) {
		DBGC ( tls, "TLS %p could not set TX key: %s\n",
		       tls, strerror ( rc ) );
		return rc;
	}
	DBGC ( tls, "TLS %p TX key:\n", tls );
	DBGC_HD ( tls, key, key_size );
	key += key_size;

	/* RX key */
	if ( ( rc = cipher_setkey ( rx_cipherspec->cipher,
				    rx_cipherspec->cipher_ctx,
				    key, key_size ) ) != 0 ) {
		DBGC ( tls, "TLS %p could not set TX key: %s\n",
		       tls, strerror ( rc ) );
		return rc;
	}
	DBGC ( tls, "TLS %p RX key:\n", tls );
	DBGC_HD ( tls, key, key_size );
	key += key_size;

	/* TX initialisation vector */
	cipher_setiv ( tx_cipherspec->cipher, tx_cipherspec->cipher_ctx, key );
	DBGC ( tls, "TLS %p TX IV:\n", tls );
	DBGC_HD ( tls, key, iv_size );
	key += iv_size;

	/* RX initialisation vector */
	cipher_setiv ( rx_cipherspec->cipher, rx_cipherspec->cipher_ctx, key );
	DBGC ( tls, "TLS %p RX IV:\n", tls );
	DBGC_HD ( tls, key, iv_size );
	key += iv_size;

	assert ( ( key_block + total ) == key );

	return 0;
}

/******************************************************************************
 *
 * Cipher suite management
 *
 ******************************************************************************
 */

/**
 * Clear cipher suite
 *
 * @v cipherspec	TLS cipher specification
 */
static void tls_clear_cipher ( struct tls_session *tls __unused,
			       struct tls_cipherspec *cipherspec ) {
	free ( cipherspec->dynamic );
	memset ( cipherspec, 0, sizeof ( cipherspec ) );
	cipherspec->pubkey = &pubkey_null;
	cipherspec->cipher = &cipher_null;
	cipherspec->digest = &digest_null;
}

/**
 * Set cipher suite
 *
 * @v tls		TLS session
 * @v cipherspec	TLS cipher specification
 * @v pubkey		Public-key encryption elgorithm
 * @v cipher		Bulk encryption cipher algorithm
 * @v digest		MAC digest algorithm
 * @v key_len		Key length
 * @ret rc		Return status code
 */
static int tls_set_cipher ( struct tls_session *tls,
			    struct tls_cipherspec *cipherspec,
			    struct pubkey_algorithm *pubkey,
			    struct cipher_algorithm *cipher,
			    struct digest_algorithm *digest,
			    size_t key_len ) {
	size_t total;
	void *dynamic;

	/* Clear out old cipher contents, if any */
	tls_clear_cipher ( tls, cipherspec );
	
	/* Allocate dynamic storage */
	total = ( pubkey->ctxsize + 2 * cipher->ctxsize + digest->digestsize );
	dynamic = malloc ( total );
	if ( ! dynamic ) {
		DBGC ( tls, "TLS %p could not allocate %zd bytes for crypto "
		       "context\n", tls, total );
		return -ENOMEM;
	}
	memset ( dynamic, 0, total );

	/* Assign storage */
	cipherspec->dynamic = dynamic;
	cipherspec->pubkey_ctx = dynamic;	dynamic += pubkey->ctxsize;
	cipherspec->cipher_ctx = dynamic;	dynamic += cipher->ctxsize;
	cipherspec->cipher_next_ctx = dynamic;	dynamic += cipher->ctxsize;
	cipherspec->mac_secret = dynamic;	dynamic += digest->digestsize;
	assert ( ( cipherspec->dynamic + total ) == dynamic );

	/* Store parameters */
	cipherspec->pubkey = pubkey;
	cipherspec->cipher = cipher;
	cipherspec->digest = digest;
	cipherspec->key_len = key_len;

	return 0;
}

/**
 * Select next cipher suite
 *
 * @v tls		TLS session
 * @v cipher_suite	Cipher suite specification
 * @ret rc		Return status code
 */
static int tls_select_cipher ( struct tls_session *tls,
			       unsigned int cipher_suite ) {
	struct pubkey_algorithm *pubkey = &pubkey_null;
	struct cipher_algorithm *cipher = &cipher_null;
	struct digest_algorithm *digest = &digest_null;
	unsigned int key_len = 0;
	int rc;

	switch ( cipher_suite ) {
	case htons ( TLS_RSA_WITH_AES_128_CBC_SHA ):
		key_len = ( 128 / 8 );
		cipher = &aes_cbc_algorithm;
		digest = &sha1_algorithm;
		break;
	case htons ( TLS_RSA_WITH_AES_256_CBC_SHA ):
		key_len = ( 256 / 8 );
		cipher = &aes_cbc_algorithm;
		digest = &sha1_algorithm;
		break;
	default:
		DBGC ( tls, "TLS %p does not support cipher %04x\n",
		       tls, ntohs ( cipher_suite ) );
		return -ENOTSUP;
	}

	/* Set ciphers */
	if ( ( rc = tls_set_cipher ( tls, &tls->tx_cipherspec_pending, pubkey,
				     cipher, digest, key_len ) ) != 0 )
		return rc;
	if ( ( rc = tls_set_cipher ( tls, &tls->rx_cipherspec_pending, pubkey,
				     cipher, digest, key_len ) ) != 0 )
		return rc;

	DBGC ( tls, "TLS %p selected %s-%s-%d-%s\n", tls,
	       pubkey->name, cipher->name, ( key_len * 8 ), digest->name );

	return 0;
}

/**
 * Activate next cipher suite
 *
 * @v tls		TLS session
 * @v pending		Pending cipher specification
 * @v active		Active cipher specification to replace
 * @ret rc		Return status code
 */
static int tls_change_cipher ( struct tls_session *tls,
			       struct tls_cipherspec *pending,
			       struct tls_cipherspec *active ) {

	/* Sanity check */
	if ( /* FIXME (when pubkey is not hard-coded to RSA):
	      * ( pending->pubkey == &pubkey_null ) || */
	     ( pending->cipher == &cipher_null ) ||
	     ( pending->digest == &digest_null ) ) {
		DBGC ( tls, "TLS %p refusing to use null cipher\n", tls );
		return -ENOTSUP;
	}

	tls_clear_cipher ( tls, active );
	memswap ( active, pending, sizeof ( *active ) );
	return 0;
}

/******************************************************************************
 *
 * Handshake verification
 *
 ******************************************************************************
 */

/**
 * Add handshake record to verification hash
 *
 * @v tls		TLS session
 * @v data		Handshake record
 * @v len		Length of handshake record
 */
static void tls_add_handshake ( struct tls_session *tls,
				const void *data, size_t len ) {

	digest_update ( &md5_algorithm, tls->handshake_md5_ctx, data, len );
	digest_update ( &sha1_algorithm, tls->handshake_sha1_ctx, data, len );
}

/**
 * Calculate handshake verification hash
 *
 * @v tls		TLS session
 * @v out		Output buffer
 *
 * Calculates the MD5+SHA1 digest over all handshake messages seen so
 * far.
 */
static void tls_verify_handshake ( struct tls_session *tls, void *out ) {
	struct digest_algorithm *md5 = &md5_algorithm;
	struct digest_algorithm *sha1 = &sha1_algorithm;
	uint8_t md5_ctx[md5->ctxsize];
	uint8_t sha1_ctx[sha1->ctxsize];
	void *md5_digest = out;
	void *sha1_digest = ( out + md5->digestsize );

	memcpy ( md5_ctx, tls->handshake_md5_ctx, sizeof ( md5_ctx ) );
	memcpy ( sha1_ctx, tls->handshake_sha1_ctx, sizeof ( sha1_ctx ) );
	digest_final ( md5, md5_ctx, md5_digest );
	digest_final ( sha1, sha1_ctx, sha1_digest );
}

/******************************************************************************
 *
 * Record handling
 *
 ******************************************************************************
 */

/**
 * Resume TX state machine
 *
 * @v tls		TLS session
 */
static void tls_tx_resume ( struct tls_session *tls ) {
	process_add ( &tls->process );
}

/**
 * Transmit Handshake record
 *
 * @v tls		TLS session
 * @v data		Plaintext record
 * @v len		Length of plaintext record
 * @ret rc		Return status code
 */
static int tls_send_handshake ( struct tls_session *tls,
				void *data, size_t len ) {

	/* Add to handshake digest */
	tls_add_handshake ( tls, data, len );

	/* Send record */
	return tls_send_plaintext ( tls, TLS_TYPE_HANDSHAKE, data, len );
}

/**
 * Transmit Client Hello record
 *
 * @v tls		TLS session
 * @ret rc		Return status code
 */
static int tls_send_client_hello ( struct tls_session *tls ) {
	struct {
		uint32_t type_length;
		uint16_t version;
		uint8_t random[32];
		uint8_t session_id_len;
		uint16_t cipher_suite_len;
		uint16_t cipher_suites[2];
		uint8_t compression_methods_len;
		uint8_t compression_methods[1];
		uint16_t extensions_len;
		struct {
			uint16_t server_name_type;
			uint16_t server_name_len;
			struct {
				uint16_t len;
				struct {
					uint8_t type;
					uint16_t len;
					uint8_t name[ strlen ( tls->name ) ];
				} __attribute__ (( packed )) list[1];
			} __attribute__ (( packed )) server_name;
		} __attribute__ (( packed )) extensions;
	} __attribute__ (( packed )) hello;

	memset ( &hello, 0, sizeof ( hello ) );
	hello.type_length = ( cpu_to_le32 ( TLS_CLIENT_HELLO ) |
			      htonl ( sizeof ( hello ) -
				      sizeof ( hello.type_length ) ) );
	hello.version = htons ( tls->version );
	memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) );
	hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
	hello.cipher_suites[0] = htons ( TLS_RSA_WITH_AES_128_CBC_SHA );
	hello.cipher_suites[1] = htons ( TLS_RSA_WITH_AES_256_CBC_SHA );
	hello.compression_methods_len = sizeof ( hello.compression_methods );
	hello.extensions_len = htons ( sizeof ( hello.extensions ) );
	hello.extensions.server_name_type = htons ( TLS_SERVER_NAME );
	hello.extensions.server_name_len
		= htons ( sizeof ( hello.extensions.server_name ) );
	hello.extensions.server_name.len
		= htons ( sizeof ( hello.extensions.server_name.list ) );
	hello.extensions.server_name.list[0].type = TLS_SERVER_NAME_HOST_NAME;
	hello.extensions.server_name.list[0].len
		= htons ( sizeof ( hello.extensions.server_name.list[0].name ));
	memcpy ( hello.extensions.server_name.list[0].name, tls->name,
		 sizeof ( hello.extensions.server_name.list[0].name ) );

	return tls_send_handshake ( tls, &hello, sizeof ( hello ) );
}

/**
 * Transmit Client Key Exchange record
 *
 * @v tls		TLS session
 * @ret rc		Return status code
 */
static int tls_send_client_key_exchange ( struct tls_session *tls ) {
	/* FIXME: Hack alert */
	RSA_CTX *rsa_ctx;
	RSA_pub_key_new ( &rsa_ctx, tls->rsa.modulus, tls->rsa.modulus_len,
			  tls->rsa.exponent, tls->rsa.exponent_len );
	struct {
		uint32_t type_length;
		uint16_t encrypted_pre_master_secret_len;
		uint8_t encrypted_pre_master_secret[rsa_ctx->num_octets];
	} __attribute__ (( packed )) key_xchg;

	memset ( &key_xchg, 0, sizeof ( key_xchg ) );
	key_xchg.type_length = ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
				 htonl ( sizeof ( key_xchg ) -
					 sizeof ( key_xchg.type_length ) ) );
	key_xchg.encrypted_pre_master_secret_len
		= htons ( sizeof ( key_xchg.encrypted_pre_master_secret ) );

	/* FIXME: Hack alert */
	DBGC ( tls, "RSA encrypting plaintext, modulus, exponent:\n" );
	DBGC_HD ( tls, &tls->pre_master_secret,
		  sizeof ( tls->pre_master_secret ) );
	DBGC_HD ( tls, tls->rsa.modulus, tls->rsa.modulus_len );
	DBGC_HD ( tls, tls->rsa.exponent, tls->rsa.exponent_len );
	RSA_encrypt ( rsa_ctx, ( const uint8_t * ) &tls->pre_master_secret,
		      sizeof ( tls->pre_master_secret ),
		      key_xchg.encrypted_pre_master_secret, 0 );
	DBGC ( tls, "RSA encrypt done.  Ciphertext:\n" );
	DBGC_HD ( tls, &key_xchg.encrypted_pre_master_secret,
		  sizeof ( key_xchg.encrypted_pre_master_secret ) );
	RSA_free ( rsa_ctx );


	return tls_send_handshake ( tls, &key_xchg, sizeof ( key_xchg ) );
}

/**
 * Transmit Change Cipher record
 *
 * @v tls		TLS session
 * @ret rc		Return status code
 */
static int tls_send_change_cipher ( struct tls_session *tls ) {
	static const uint8_t change_cipher[1] = { 1 };
	return tls_send_plaintext ( tls, TLS_TYPE_CHANGE_CIPHER,
				    change_cipher, sizeof ( change_cipher ) );
}

/**
 * Transmit Finished record
 *
 * @v tls		TLS session
 * @ret rc		Return status code
 */
static int tls_send_finished ( struct tls_session *tls ) {
	struct {
		uint32_t type_length;
		uint8_t verify_data[12];
	} __attribute__ (( packed )) finished;
	uint8_t digest[MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE];

	memset ( &finished, 0, sizeof ( finished ) );
	finished.type_length = ( cpu_to_le32 ( TLS_FINISHED ) |
				 htonl ( sizeof ( finished ) -
					 sizeof ( finished.type_length ) ) );
	tls_verify_handshake ( tls, digest );
	tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
			finished.verify_data, sizeof ( finished.verify_data ),
			"client finished", digest, sizeof ( digest ) );

	return tls_send_handshake ( tls, &finished, sizeof ( finished ) );
}

/**
 * Receive new Change Cipher record
 *
 * @v tls		TLS session
 * @v data		Plaintext record
 * @v len		Length of plaintext record
 * @ret rc		Return status code
 */
static int tls_new_change_cipher ( struct tls_session *tls,
				   void *data, size_t len ) {
	int rc;

	if ( ( len != 1 ) || ( *( ( uint8_t * ) data ) != 1 ) ) {
		DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls );
		DBGC_HD ( tls, data, len );
		return -EINVAL;
	}

	if ( ( rc = tls_change_cipher ( tls, &tls->rx_cipherspec_pending,
					&tls->rx_cipherspec ) ) != 0 ) {
		DBGC ( tls, "TLS %p could not activate RX cipher: %s\n",
		       tls, strerror ( rc ) );
		return rc;
	}
	tls->rx_seq = ~( ( uint64_t ) 0 );

	return 0;
}

/**
 * Receive new Alert record
 *
 * @v tls		TLS session
 * @v data		Plaintext record
 * @v len		Length of plaintext record
 * @ret rc		Return status code
 */
static int tls_new_alert ( struct tls_session *tls, void *data, size_t len ) {
	struct {
		uint8_t level;
		uint8_t description;
		char next[0];
	} __attribute__ (( packed )) *alert = data;
	void *end = alert->next;

	/* Sanity check */
	if ( end != ( data + len ) ) {
		DBGC ( tls, "TLS %p received overlength Alert\n", tls );
		DBGC_HD ( tls, data, len );
		return -EINVAL;
	}

	switch ( alert->level ) {
	case TLS_ALERT_WARNING:
		DBGC ( tls, "TLS %p received warning alert %d\n",
		       tls, alert->description );
		return 0;
	case TLS_ALERT_FATAL:
		DBGC ( tls, "TLS %p received fatal alert %d\n",
		       tls, alert->description );
		return -EPERM;
	default:
		DBGC ( tls, "TLS %p received unknown alert level %d"
		       "(alert %d)\n", tls, alert->level, alert->description );
		return -EIO;
	}
}

/**
 * Receive new Server Hello handshake record
 *
 * @v tls		TLS session
 * @v data		Plaintext handshake record
 * @v len		Length of plaintext handshake record
 * @ret rc		Return status code
 */
static int tls_new_server_hello ( struct tls_session *tls,
				  void *data, size_t len ) {
	struct {
		uint16_t version;
		uint8_t random[32];
		uint8_t session_id_len;
		char next[0];
	} __attribute__ (( packed )) *hello_a = data;
	struct {
		uint8_t session_id[hello_a->session_id_len];
		uint16_t cipher_suite;
		uint8_t compression_method;
		char next[0];
	} __attribute__ (( packed )) *hello_b = ( void * ) &hello_a->next;
	void *end = hello_b->next;
	uint16_t version;
	int rc;

	/* Sanity check */
	if ( end > ( data + len ) ) {
		DBGC ( tls, "TLS %p received underlength Server Hello\n", tls );
		DBGC_HD ( tls, data, len );
		return -EINVAL;
	}

	/* Check and store protocol version */
	version = ntohs ( hello_a->version );
	if ( version < TLS_VERSION_TLS_1_0 ) {
		DBGC ( tls, "TLS %p does not support protocol version %d.%d\n",
		       tls, ( version >> 8 ), ( version & 0xff ) );
		return -ENOTSUP;
	}
	if ( version > tls->version ) {
		DBGC ( tls, "TLS %p server attempted to illegally upgrade to "
		       "protocol version %d.%d\n",
		       tls, ( version >> 8 ), ( version & 0xff ) );
		return -EPROTO;
	}
	tls->version = version;
	DBGC ( tls, "TLS %p using protocol version %d.%d\n",
	       tls, ( version >> 8 ), ( version & 0xff ) );

	/* Copy out server random bytes */
	memcpy ( &tls->server_random, &hello_a->random,
		 sizeof ( tls->server_random ) );

	/* Select cipher suite */
	if ( ( rc = tls_select_cipher ( tls, hello_b->cipher_suite ) ) != 0 )
		return rc;

	/* Generate secrets */
	tls_generate_master_secret ( tls );
	if ( ( rc = tls_generate_keys ( tls ) ) != 0 )
		return rc;

	return 0;
}

/**
 * Receive new Certificate handshake record
 *
 * @v tls		TLS session
 * @v data		Plaintext handshake record
 * @v len		Length of plaintext handshake record
 * @ret rc		Return status code
 */
static int tls_new_certificate ( struct tls_session *tls,
				 void *data, size_t len ) {
	struct {
		uint8_t length[3];
		uint8_t certificates[0];
	} __attribute__ (( packed )) *certificate = data;
	struct {
		uint8_t length[3];
		uint8_t certificate[0];
	} __attribute__ (( packed )) *element =
		  ( ( void * ) certificate->certificates );
	size_t elements_len = tls_uint24 ( certificate->length );
	void *end = ( certificate->certificates + elements_len );
	struct asn1_cursor cursor;
	int rc;

	/* Sanity check */
	if ( end != ( data + len ) ) {
		DBGC ( tls, "TLS %p received overlength Server Certificate\n",
		       tls );
		DBGC_HD ( tls, data, len );
		return -EINVAL;
	}

	/* Traverse certificate chain */
	do {
		cursor.data = element->certificate;
		cursor.len = tls_uint24 ( element->length );
		if ( ( cursor.data + cursor.len ) > end ) {
			DBGC ( tls, "TLS %p received corrupt Server "
			       "Certificate\n", tls );
			DBGC_HD ( tls, data, len );
			return -EINVAL;
		}

		// HACK
		if ( ( rc = x509_rsa_public_key ( &cursor,
						  &tls->rsa ) ) != 0 ) {
			DBGC ( tls, "TLS %p cannot determine RSA public key: "
			       "%s\n", tls, strerror ( rc ) );
			return rc;
		}
		return 0;

		element = ( cursor.data + cursor.len );
	} while ( element != end );

	return -EINVAL;
}

/**
 * Receive new Server Hello Done handshake record
 *
 * @v tls		TLS session
 * @v data		Plaintext handshake record
 * @v len		Length of plaintext handshake record
 * @ret rc		Return status code
 */
static int tls_new_server_hello_done ( struct tls_session *tls,
				       void *data, size_t len ) {
	struct {
		char next[0];
	} __attribute__ (( packed )) *hello_done = data;
	void *end = hello_done->next;

	/* Sanity check */
	if ( end != ( data + len ) ) {
		DBGC ( tls, "TLS %p received overlength Server Hello Done\n",
		       tls );
		DBGC_HD ( tls, data, len );
		return -EINVAL;
	}

	/* Schedule Client Key Exchange, Change Cipher, and Finished */
	tls->tx_pending |= ( TLS_TX_CLIENT_KEY_EXCHANGE |
			     TLS_TX_CHANGE_CIPHER |
			     TLS_TX_FINISHED );
	tls_tx_resume ( tls );

	return 0;
}

/**
 * Receive new Finished handshake record
 *
 * @v tls		TLS session
 * @v data		Plaintext handshake record
 * @v len		Length of plaintext handshake record
 * @ret rc		Return status code
 */
static int tls_new_finished ( struct tls_session *tls,
			      void *data, size_t len ) {

	/* FIXME: Handle this properly */
	( void ) data;
	( void ) len;

	/* Mark session as ready to transmit plaintext data */
	tls->tx_ready = 1;

	/* Send notification of a window change */
	xfer_window_changed ( &tls->plainstream );

	return 0;
}

/**
 * Receive new Handshake record
 *
 * @v tls		TLS session
 * @v data		Plaintext record
 * @v len		Length of plaintext record
 * @ret rc		Return status code
 */
static int tls_new_handshake ( struct tls_session *tls,
			       void *data, size_t len ) {
	void *end = ( data + len );
	int rc;

	while ( data != end ) {
		struct {
			uint8_t type;
			uint8_t length[3];
			uint8_t payload[0];
		} __attribute__ (( packed )) *handshake = data;
		void *payload = &handshake->payload;
		size_t payload_len = tls_uint24 ( handshake->length );
		void *next = ( payload + payload_len );

		/* Sanity check */
		if ( next > end ) {
			DBGC ( tls, "TLS %p received overlength Handshake\n",
			       tls );
			DBGC_HD ( tls, data, len );
			return -EINVAL;
		}

		switch ( handshake->type ) {
		case TLS_SERVER_HELLO:
			rc = tls_new_server_hello ( tls, payload, payload_len );
			break;
		case TLS_CERTIFICATE:
			rc = tls_new_certificate ( tls, payload, payload_len );
			break;
		case TLS_SERVER_HELLO_DONE:
			rc = tls_new_server_hello_done ( tls, payload,
							 payload_len );
			break;
		case TLS_FINISHED:
			rc = tls_new_finished ( tls, payload, payload_len );
			break;
		default:
			DBGC ( tls, "TLS %p ignoring handshake type %d\n",
			       tls, handshake->type );
			rc = 0;
			break;
		}

		/* Add to handshake digest (except for Hello Requests,
		 * which are explicitly excluded).
		 */
		if ( handshake->type != TLS_HELLO_REQUEST )
			tls_add_handshake ( tls, data,
					    sizeof ( *handshake ) +
					    payload_len );

		/* Abort on failure */
		if ( rc != 0 )
			return rc;

		/* Move to next handshake record */
		data = next;
	}

	return 0;
}

/**
 * Receive new record
 *
 * @v tls		TLS session
 * @v type		Record type
 * @v data		Plaintext record
 * @v len		Length of plaintext record
 * @ret rc		Return status code
 */
static int tls_new_record ( struct tls_session *tls,
			    unsigned int type, void *data, size_t len ) {

	switch ( type ) {
	case TLS_TYPE_CHANGE_CIPHER:
		return tls_new_change_cipher ( tls, data, len );
	case TLS_TYPE_ALERT:
		return tls_new_alert ( tls, data, len );
	case TLS_TYPE_HANDSHAKE:
		return tls_new_handshake ( tls, data, len );
	case TLS_TYPE_DATA:
		return xfer_deliver_raw ( &tls->plainstream, data, len );
	default:
		/* RFC4346 says that we should just ignore unknown
		 * record types.
		 */
		DBGC ( tls, "TLS %p ignoring record type %d\n", tls, type );
		return 0;
	}
}

/******************************************************************************
 *
 * Record encryption/decryption
 *
 ******************************************************************************
 */

/**
 * Calculate HMAC
 *
 * @v tls		TLS session
 * @v cipherspec	Cipher specification
 * @v seq		Sequence number
 * @v tlshdr		TLS header
 * @v data		Data
 * @v len		Length of data
 * @v mac		HMAC to fill in
 */
static void tls_hmac ( struct tls_session *tls __unused,
		       struct tls_cipherspec *cipherspec,
		       uint64_t seq, struct tls_header *tlshdr,
		       const void *data, size_t len, void *hmac ) {
	struct digest_algorithm *digest = cipherspec->digest;
	uint8_t digest_ctx[digest->ctxsize];

	hmac_init ( digest, digest_ctx, cipherspec->mac_secret,
		    &digest->digestsize );
	seq = cpu_to_be64 ( seq );
	hmac_update ( digest, digest_ctx, &seq, sizeof ( seq ) );
	hmac_update ( digest, digest_ctx, tlshdr, sizeof ( *tlshdr ) );
	hmac_update ( digest, digest_ctx, data, len );
	hmac_final ( digest, digest_ctx, cipherspec->mac_secret,
		     &digest->digestsize, hmac );
}

/**
 * Allocate and assemble stream-ciphered record from data and MAC portions
 *
 * @v tls		TLS session
 * @ret data		Data
 * @ret len		Length of data
 * @ret digest		MAC digest
 * @ret plaintext_len	Length of plaintext record
 * @ret plaintext	Allocated plaintext record
 */
static void * __malloc tls_assemble_stream ( struct tls_session *tls,
				    const void *data, size_t len,
				    void *digest, size_t *plaintext_len ) {
	size_t mac_len = tls->tx_cipherspec.digest->digestsize;
	void *plaintext;
	void *content;
	void *mac;

	/* Calculate stream-ciphered struct length */
	*plaintext_len = ( len + mac_len );

	/* Allocate stream-ciphered struct */
	plaintext = malloc ( *plaintext_len );
	if ( ! plaintext )
		return NULL;
	content = plaintext;
	mac = ( content + len );

	/* Fill in stream-ciphered struct */
	memcpy ( content, data, len );
	memcpy ( mac, digest, mac_len );

	return plaintext;
}

/**
 * Allocate and assemble block-ciphered record from data and MAC portions
 *
 * @v tls		TLS session
 * @ret data		Data
 * @ret len		Length of data
 * @ret digest		MAC digest
 * @ret plaintext_len	Length of plaintext record
 * @ret plaintext	Allocated plaintext record
 */
static void * tls_assemble_block ( struct tls_session *tls,
				   const void *data, size_t len,
				   void *digest, size_t *plaintext_len ) {
	size_t blocksize = tls->tx_cipherspec.cipher->blocksize;
	size_t mac_len = tls->tx_cipherspec.digest->digestsize;
	size_t iv_len;
	size_t padding_len;
	void *plaintext;
	void *iv;
	void *content;
	void *mac;
	void *padding;

	/* TLSv1.1 and later use an explicit IV */
	iv_len = ( ( tls->version >= TLS_VERSION_TLS_1_1 ) ? blocksize : 0 );

	/* Calculate block-ciphered struct length */
	padding_len = ( ( blocksize - 1 ) & -( iv_len + len + mac_len + 1 ) );
	*plaintext_len = ( iv_len + len + mac_len + padding_len + 1 );

	/* Allocate block-ciphered struct */
	plaintext = malloc ( *plaintext_len );
	if ( ! plaintext )
		return NULL;
	iv = plaintext;
	content = ( iv + iv_len );
	mac = ( content + len );
	padding = ( mac + mac_len );

	/* Fill in block-ciphered struct */
	tls_generate_random ( tls, iv, iv_len );
	memcpy ( content, data, len );
	memcpy ( mac, digest, mac_len );
	memset ( padding, padding_len, ( padding_len + 1 ) );

	return plaintext;
}

/**
 * Send plaintext record
 *
 * @v tls		TLS session
 * @v type		Record type
 * @v data		Plaintext record
 * @v len		Length of plaintext record
 * @ret rc		Return status code
 */
static int tls_send_plaintext ( struct tls_session *tls, unsigned int type,
				const void *data, size_t len ) {
	struct tls_header plaintext_tlshdr;
	struct tls_header *tlshdr;
	struct tls_cipherspec *cipherspec = &tls->tx_cipherspec;
	void *plaintext = NULL;
	size_t plaintext_len;
	struct io_buffer *ciphertext = NULL;
	size_t ciphertext_len;
	size_t mac_len = cipherspec->digest->digestsize;
	uint8_t mac[mac_len];
	int rc;

	/* Construct header */
	plaintext_tlshdr.type = type;
	plaintext_tlshdr.version = htons ( tls->version );
	plaintext_tlshdr.length = htons ( len );

	/* Calculate MAC */
	tls_hmac ( tls, cipherspec, tls->tx_seq, &plaintext_tlshdr,
		   data, len, mac );

	/* Allocate and assemble plaintext struct */
	if ( is_stream_cipher ( cipherspec->cipher ) ) {
		plaintext = tls_assemble_stream ( tls, data, len, mac,
						  &plaintext_len );
	} else {
		plaintext = tls_assemble_block ( tls, data, len, mac,
						 &plaintext_len );
	}
	if ( ! plaintext ) {
		DBGC ( tls, "TLS %p could not allocate %zd bytes for "
		       "plaintext\n", tls, plaintext_len );
		rc = -ENOMEM;
		goto done;
	}

	DBGC2 ( tls, "Sending plaintext data:\n" );
	DBGC2_HD ( tls, plaintext, plaintext_len );

	/* Allocate ciphertext */
	ciphertext_len = ( sizeof ( *tlshdr ) + plaintext_len );
	ciphertext = xfer_alloc_iob ( &tls->cipherstream, ciphertext_len );
	if ( ! ciphertext ) {
		DBGC ( tls, "TLS %p could not allocate %zd bytes for "
		       "ciphertext\n", tls, ciphertext_len );
		rc = -ENOMEM;
		goto done;
	}

	/* Assemble ciphertext */
	tlshdr = iob_put ( ciphertext, sizeof ( *tlshdr ) );
	tlshdr->type = type;
	tlshdr->version = htons ( tls->version );
	tlshdr->length = htons ( plaintext_len );
	memcpy ( cipherspec->cipher_next_ctx, cipherspec->cipher_ctx,
		 cipherspec->cipher->ctxsize );
	cipher_encrypt ( cipherspec->cipher, cipherspec->cipher_next_ctx,
			 plaintext, iob_put ( ciphertext, plaintext_len ),
			 plaintext_len );

	/* Free plaintext as soon as possible to conserve memory */
	free ( plaintext );
	plaintext = NULL;

	/* Send ciphertext */
	if ( ( rc = xfer_deliver_iob ( &tls->cipherstream,
				       iob_disown ( ciphertext ) ) ) != 0 ) {
		DBGC ( tls, "TLS %p could not deliver ciphertext: %s\n",
		       tls, strerror ( rc ) );
		goto done;
	}

	/* Update TX state machine to next record */
	tls->tx_seq += 1;
	memcpy ( tls->tx_cipherspec.cipher_ctx,
		 tls->tx_cipherspec.cipher_next_ctx,
		 tls->tx_cipherspec.cipher->ctxsize );

 done:
	free ( plaintext );
	free_iob ( ciphertext );
	return rc;
}

/**
 * Split stream-ciphered record into data and MAC portions
 *
 * @v tls		TLS session
 * @v plaintext		Plaintext record
 * @v plaintext_len	Length of record
 * @ret data		Data
 * @ret len		Length of data
 * @ret digest		MAC digest
 * @ret rc		Return status code
 */
static int tls_split_stream ( struct tls_session *tls,
			      void *plaintext, size_t plaintext_len,
			      void **data, size_t *len, void **digest ) {
	void *content;
	size_t content_len;
	void *mac;
	size_t mac_len;

	/* Decompose stream-ciphered data */
	mac_len = tls->rx_cipherspec.digest->digestsize;
	if ( plaintext_len < mac_len ) {
		DBGC ( tls, "TLS %p received underlength record\n", tls );
		DBGC_HD ( tls, plaintext, plaintext_len );
		return -EINVAL;
	}
	content_len = ( plaintext_len - mac_len );
	content = plaintext;
	mac = ( content + content_len );

	/* Fill in return values */
	*data = content;
	*len = content_len;
	*digest = mac;

	return 0;
}

/**
 * Split block-ciphered record into data and MAC portions
 *
 * @v tls		TLS session
 * @v plaintext		Plaintext record
 * @v plaintext_len	Length of record
 * @ret data		Data
 * @ret len		Length of data
 * @ret digest		MAC digest
 * @ret rc		Return status code
 */
static int tls_split_block ( struct tls_session *tls,
			     void *plaintext, size_t plaintext_len,
			     void **data, size_t *len,
			     void **digest ) {
	void *iv;
	size_t iv_len;
	void *content;
	size_t content_len;
	void *mac;
	size_t mac_len;
	void *padding;
	size_t padding_len;
	unsigned int i;

	/* Sanity check */
	if ( plaintext_len < 1 ) {
		DBGC ( tls, "TLS %p received underlength record\n", tls );
		DBGC_HD ( tls, plaintext, plaintext_len );
		return -EINVAL;
	}

	/* TLSv1.1 and later use an explicit IV */
	iv_len = ( ( tls->version >= TLS_VERSION_TLS_1_1 ) ?
		   tls->rx_cipherspec.cipher->blocksize : 0 );

	/* Decompose block-ciphered data */
	mac_len = tls->rx_cipherspec.digest->digestsize;
	padding_len = *( ( uint8_t * ) ( plaintext + plaintext_len - 1 ) );
	if ( plaintext_len < ( iv_len + mac_len + padding_len + 1 ) ) {
		DBGC ( tls, "TLS %p received underlength record\n", tls );
		DBGC_HD ( tls, plaintext, plaintext_len );
		return -EINVAL;
	}
	content_len = ( plaintext_len - iv_len - mac_len - padding_len - 1 );
	iv = plaintext;
	content = ( iv + iv_len );
	mac = ( content + content_len );
	padding = ( mac + mac_len );

	/* Verify padding bytes */
	for ( i = 0 ; i < padding_len ; i++ ) {
		if ( *( ( uint8_t * ) ( padding + i ) ) != padding_len ) {
			DBGC ( tls, "TLS %p received bad padding\n", tls );
			DBGC_HD ( tls, plaintext, plaintext_len );
			return -EINVAL;
		}
	}

	/* Fill in return values */
	*data = content;
	*len = content_len;
	*digest = mac;

	return 0;
}

/**
 * Receive new ciphertext record
 *
 * @v tls		TLS session
 * @v tlshdr		Record header
 * @v ciphertext	Ciphertext record
 * @ret rc		Return status code
 */
static int tls_new_ciphertext ( struct tls_session *tls,
				struct tls_header *tlshdr, void *ciphertext ) {
	struct tls_header plaintext_tlshdr;
	struct tls_cipherspec *cipherspec = &tls->rx_cipherspec;
	size_t record_len = ntohs ( tlshdr->length );
	void *plaintext = NULL;
	void *data;
	size_t len;
	void *mac;
	size_t mac_len = cipherspec->digest->digestsize;
	uint8_t verify_mac[mac_len];
	int rc;

	/* Allocate buffer for plaintext */
	plaintext = malloc ( record_len );
	if ( ! plaintext ) {
		DBGC ( tls, "TLS %p could not allocate %zd bytes for "
		       "decryption buffer\n", tls, record_len );
		rc = -ENOMEM;
		goto done;
	}

	/* Decrypt the record */
	cipher_decrypt ( cipherspec->cipher, cipherspec->cipher_ctx,
			 ciphertext, plaintext, record_len );

	/* Split record into content and MAC */
	if ( is_stream_cipher ( cipherspec->cipher ) ) {
		if ( ( rc = tls_split_stream ( tls, plaintext, record_len,
					       &data, &len, &mac ) ) != 0 )
			goto done;
	} else {
		if ( ( rc = tls_split_block ( tls, plaintext, record_len,
					      &data, &len, &mac ) ) != 0 )
			goto done;
	}

	/* Verify MAC */
	plaintext_tlshdr.type = tlshdr->type;
	plaintext_tlshdr.version = tlshdr->version;
	plaintext_tlshdr.length = htons ( len );
	tls_hmac ( tls, cipherspec, tls->rx_seq, &plaintext_tlshdr,
		   data, len, verify_mac);
	if ( memcmp ( mac, verify_mac, mac_len ) != 0 ) {
		DBGC ( tls, "TLS %p failed MAC verification\n", tls );
		DBGC_HD ( tls, plaintext, record_len );
		goto done;
	}

	DBGC2 ( tls, "Received plaintext data:\n" );
	DBGC2_HD ( tls, data, len );

	/* Process plaintext record */
	if ( ( rc = tls_new_record ( tls, tlshdr->type, data, len ) ) != 0 )
		goto done;

	rc = 0;
 done:
	free ( plaintext );
	return rc;
}

/******************************************************************************
 *
 * Plaintext stream operations
 *
 ******************************************************************************
 */

/**
 * Check flow control window
 *
 * @v tls		TLS session
 * @ret len		Length of window
 */
static size_t tls_plainstream_window ( struct tls_session *tls ) {

	/* Block window unless we are ready to accept data */
	if ( ! tls->tx_ready )
		return 0;

	return xfer_window ( &tls->cipherstream );
}

/**
 * Deliver datagram as raw data
 *
 * @v tls		TLS session
 * @v iobuf		I/O buffer
 * @v meta		Data transfer metadata
 * @ret rc		Return status code
 */
static int tls_plainstream_deliver ( struct tls_session *tls,
				     struct io_buffer *iobuf,
				     struct xfer_metadata *meta __unused ) {
	int rc;
	
	/* Refuse unless we are ready to accept data */
	if ( ! tls->tx_ready ) {
		rc = -ENOTCONN;
		goto done;
	}

	if ( ( rc = tls_send_plaintext ( tls, TLS_TYPE_DATA, iobuf->data,
					 iob_len ( iobuf ) ) ) != 0 )
		goto done;

 done:
	free_iob ( iobuf );
	return rc;
}

/** TLS plaintext stream interface operations */
static struct interface_operation tls_plainstream_ops[] = {
	INTF_OP ( xfer_deliver, struct tls_session *, tls_plainstream_deliver ),
	INTF_OP ( xfer_window, struct tls_session *, tls_plainstream_window ),
	INTF_OP ( intf_close, struct tls_session *, tls_close ),
};

/** TLS plaintext stream interface descriptor */
static struct interface_descriptor tls_plainstream_desc =
	INTF_DESC_PASSTHRU ( struct tls_session, plainstream,
			     tls_plainstream_ops, cipherstream );

/******************************************************************************
 *
 * Ciphertext stream operations
 *
 ******************************************************************************
 */

/**
 * Handle received TLS header
 *
 * @v tls		TLS session
 * @ret rc		Returned status code
 */
static int tls_newdata_process_header ( struct tls_session *tls ) {
	size_t data_len = ntohs ( tls->rx_header.length );

	/* Allocate data buffer now that we know the length */
	assert ( tls->rx_data == NULL );
	tls->rx_data = malloc ( data_len );
	if ( ! tls->rx_data ) {
		DBGC ( tls, "TLS %p could not allocate %zd bytes "
		       "for receive buffer\n", tls, data_len );
		return -ENOMEM;
	}

	/* Move to data state */
	tls->rx_state = TLS_RX_DATA;

	return 0;
}

/**
 * Handle received TLS data payload
 *
 * @v tls		TLS session
 * @ret rc		Returned status code
 */
static int tls_newdata_process_data ( struct tls_session *tls ) {
	int rc;

	/* Process record */
	if ( ( rc = tls_new_ciphertext ( tls, &tls->rx_header,
					 tls->rx_data ) ) != 0 )
		return rc;

	/* Increment RX sequence number */
	tls->rx_seq += 1;

	/* Free data buffer */
	free ( tls->rx_data );
	tls->rx_data = NULL;

	/* Return to header state */
	tls->rx_state = TLS_RX_HEADER;

	return 0;
}

/**
 * Receive new ciphertext
 *
 * @v tls		TLS session
 * @v iobuf		I/O buffer
 * @v meta		Data transfer metadat
 * @ret rc		Return status code
 */
static int tls_cipherstream_deliver ( struct tls_session *tls,
				      struct io_buffer *iobuf,
				      struct xfer_metadata *xfer __unused ) {
	size_t frag_len;
	void *buf;
	size_t buf_len;
	int ( * process ) ( struct tls_session *tls );
	int rc;

	while ( iob_len ( iobuf ) ) {
		/* Select buffer according to current state */
		switch ( tls->rx_state ) {
		case TLS_RX_HEADER:
			buf = &tls->rx_header;
			buf_len = sizeof ( tls->rx_header );
			process = tls_newdata_process_header;
			break;
		case TLS_RX_DATA:
			buf = tls->rx_data;
			buf_len = ntohs ( tls->rx_header.length );
			process = tls_newdata_process_data;
			break;
		default:
			assert ( 0 );
			rc = -EINVAL;
			goto done;
		}

		/* Copy data portion to buffer */
		frag_len = ( buf_len - tls->rx_rcvd );
		if ( frag_len > iob_len  ( iobuf ) )
			frag_len = iob_len ( iobuf );
		memcpy ( ( buf + tls->rx_rcvd ), iobuf->data, frag_len );
		tls->rx_rcvd += frag_len;
		iob_pull ( iobuf, frag_len );

		/* Process data if buffer is now full */
		if ( tls->rx_rcvd == buf_len ) {
			if ( ( rc = process ( tls ) ) != 0 ) {
				tls_close ( tls, rc );
				goto done;
			}
			tls->rx_rcvd = 0;
		}
	}
	rc = 0;

 done:
	free_iob ( iobuf );
	return rc;
}

/** TLS ciphertext stream interface operations */
static struct interface_operation tls_cipherstream_ops[] = {
	INTF_OP ( xfer_deliver, struct tls_session *,
		  tls_cipherstream_deliver ),
	INTF_OP ( xfer_window_changed, struct tls_session *, tls_tx_resume ),
	INTF_OP ( intf_close, struct tls_session *, tls_close ),
};

/** TLS ciphertext stream interface descriptor */
static struct interface_descriptor tls_cipherstream_desc =
	INTF_DESC_PASSTHRU ( struct tls_session, cipherstream,
			     tls_cipherstream_ops, plainstream );

/******************************************************************************
 *
 * Controlling process
 *
 ******************************************************************************
 */

/**
 * TLS TX state machine
 *
 * @v tls		TLS session
 */
static void tls_tx_step ( struct tls_session *tls ) {
	int rc;

	/* Wait for cipherstream to become ready */
	if ( ! xfer_window ( &tls->cipherstream ) )
		return;

	/* Send first pending transmission */
	if ( tls->tx_pending & TLS_TX_CLIENT_HELLO ) {
		/* Send Client Hello */
		if ( ( rc = tls_send_client_hello ( tls ) ) != 0 ) {
			DBGC ( tls, "TLS %p could not send Client Hello: %s\n",
			       tls, strerror ( rc ) );
			goto err;
		}
		tls->tx_pending &= ~TLS_TX_CLIENT_HELLO;
	} else if ( tls->tx_pending & TLS_TX_CLIENT_KEY_EXCHANGE ) {
		/* Send Client Key Exchange */
		if ( ( rc = tls_send_client_key_exchange ( tls ) ) != 0 ) {
			DBGC ( tls, "TLS %p could send Client Key Exchange: "
			       "%s\n", tls, strerror ( rc ) );
			goto err;
		}
		tls->tx_pending &= ~TLS_TX_CLIENT_KEY_EXCHANGE;
	} else if ( tls->tx_pending & TLS_TX_CHANGE_CIPHER ) {
		/* Send Change Cipher, and then change the cipher in use */
		if ( ( rc = tls_send_change_cipher ( tls ) ) != 0 ) {
			DBGC ( tls, "TLS %p could not send Change Cipher: "
			       "%s\n", tls, strerror ( rc ) );
			goto err;
		}
		if ( ( rc = tls_change_cipher ( tls,
						&tls->tx_cipherspec_pending,
						&tls->tx_cipherspec )) != 0 ){
			DBGC ( tls, "TLS %p could not activate TX cipher: "
			       "%s\n", tls, strerror ( rc ) );
			goto err;
		}
		tls->tx_seq = 0;
		tls->tx_pending &= ~TLS_TX_CHANGE_CIPHER;
	} else if ( tls->tx_pending & TLS_TX_FINISHED ) {
		/* Send Finished */
		if ( ( rc = tls_send_finished ( tls ) ) != 0 ) {
			DBGC ( tls, "TLS %p could not send Finished: %s\n",
			       tls, strerror ( rc ) );
			goto err;
		}
		tls->tx_pending &= ~TLS_TX_FINISHED;
	}

	/* Reschedule process if pending transmissions remain */
	if ( tls->tx_pending )
		tls_tx_resume ( tls );

	return;

 err:
	tls_close ( tls, rc );
}

/** TLS TX process descriptor */
static struct process_descriptor tls_process_desc =
	PROC_DESC_ONCE ( struct tls_session, process, tls_tx_step );

/******************************************************************************
 *
 * Instantiator
 *
 ******************************************************************************
 */

int add_tls ( struct interface *xfer, const char *name,
	      struct interface **next ) {
	struct tls_session *tls;
	int rc;

	/* Allocate and initialise TLS structure */
	tls = malloc ( sizeof ( *tls ) );
	if ( ! tls ) {
		rc = -ENOMEM;
		goto err_alloc;
	}
	memset ( tls, 0, sizeof ( *tls ) );
	ref_init ( &tls->refcnt, free_tls );
	tls->name = name;
	intf_init ( &tls->plainstream, &tls_plainstream_desc, &tls->refcnt );
	intf_init ( &tls->cipherstream, &tls_cipherstream_desc, &tls->refcnt );
	tls->version = TLS_VERSION_TLS_1_1;
	tls_clear_cipher ( tls, &tls->tx_cipherspec );
	tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );
	tls_clear_cipher ( tls, &tls->rx_cipherspec );
	tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
	tls->client_random.gmt_unix_time = 0;
	if ( ( rc = tls_generate_random ( tls, &tls->client_random.random,
			  ( sizeof ( tls->client_random.random ) ) ) ) != 0 ) {
		goto err_random;
	}
	tls->pre_master_secret.version = htons ( tls->version );
	if ( ( rc = tls_generate_random ( tls, &tls->pre_master_secret.random,
		      ( sizeof ( tls->pre_master_secret.random ) ) ) ) != 0 ) {
		goto err_random;
	}
	digest_init ( &md5_algorithm, tls->handshake_md5_ctx );
	digest_init ( &sha1_algorithm, tls->handshake_sha1_ctx );
	tls->tx_pending = TLS_TX_CLIENT_HELLO;
	process_init ( &tls->process, &tls_process_desc, &tls->refcnt );

	/* Attach to parent interface, mortalise self, and return */
	intf_plug_plug ( &tls->plainstream, xfer );
	*next = &tls->cipherstream;
	ref_put ( &tls->refcnt );
	return 0;

 err_random:
	ref_put ( &tls->refcnt );
 err_alloc:
	return rc;
}