1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #ifndef _INET_KSSL_KSSLIMPL_H 26 #define _INET_KSSL_KSSLIMPL_H 27 28 #ifdef __cplusplus 29 extern "C" { 30 #endif 31 32 #include <sys/types.h> 33 #include <netinet/in.h> 34 #include <sys/socket.h> 35 #include <sys/atomic.h> 36 #include <sys/mutex.h> 37 #include <sys/crypto/common.h> 38 #include <sys/kstat.h> 39 #include <sys/sdt.h> 40 #include <inet/kssl/ksslapi.h> 41 #include <inet/kssl/ksslproto.h> 42 43 /* 44 * Certificate structure. The msg field is the BER data of the 45 * certificate. 46 */ 47 typedef struct Certificate { 48 uchar_t *msg; 49 int len; 50 } Certificate_t; 51 52 /* Generic linked chain type */ 53 typedef struct kssl_chain_s { 54 struct kssl_chain_s *next; 55 void *item; 56 } kssl_chain_t; 57 58 /* Proxies chain. follows the generic kssl_chain_t layout */ 59 typedef struct kssl_proxy_s { 60 struct kssl_proxy_s *next; 61 void *proxy_bound; 62 } kssl_proxy_t; 63 64 /* Fallback endpoints chain. Ditto. */ 65 typedef struct kssl_fallback_s { 66 struct kssl_fallback_s *next; 67 void *fallback_bound; 68 } kssl_fallback_t; 69 70 /* 71 * Structure to support using a non-extractable key in 72 * a crypto provider. We keep the token label and pin so 73 * that we can reauthenticate when needed. 74 */ 75 typedef struct kssl_session_info_s { 76 boolean_t is_valid_handle; 77 boolean_t do_reauth; 78 crypto_provider_t prov; 79 crypto_session_id_t sid; 80 crypto_key_t key; 81 crypto_notify_handle_t evnt_handle; 82 char toklabel[CRYPTO_EXT_SIZE_LABEL]; 83 int pinlen; 84 char tokpin[1]; 85 } kssl_session_info_t; 86 87 /* kssl_entry_t structure. */ 88 89 typedef struct kssl_entry_s { 90 uint_t ke_refcnt; /* for hold/release */ 91 boolean_t ke_no_freeall; 92 kmutex_t ke_mutex; 93 94 in6_addr_t ke_laddr; 95 in_port_t ke_ssl_port; /* SSL port */ 96 in_port_t ke_proxy_port; /* SSL proxy port */ 97 98 uint32_t sid_cache_timeout; /* In seconds */ 99 uint32_t sid_cache_nentries; 100 kssl_sid_ent_t *sid_cache; 101 102 uint16_t kssl_cipherSuites[CIPHER_SUITE_COUNT]; 103 int kssl_cipherSuites_nentries; 104 uint16_t kssl_saved_Suites[CIPHER_SUITE_COUNT]; 105 106 boolean_t ke_is_nxkey; 107 kssl_session_info_t *ke_sessinfo; 108 109 crypto_key_t *ke_private_key; /* instance's private key */ 110 Certificate_t *ke_server_certificate; 111 112 Certificate_t **ke_cacert_chain; 113 114 kssl_proxy_t *ke_proxy_head; /* Proxies chain */ 115 kssl_fallback_t *ke_fallback_head; /* Fall-back endpoints chain */ 116 117 } kssl_entry_t; 118 119 typedef struct mech_to_cipher_s { 120 crypto_mech_type_t mech; 121 char *name; 122 uint16_t kssl_suites[CIPHER_SUITE_COUNT]; 123 } mech_to_cipher_t; 124 125 #define KSSL_ENTRY_REFHOLD(kssl_entry) { \ 126 atomic_add_32(&(kssl_entry)->ke_refcnt, 1); \ 127 ASSERT((kssl_entry)->ke_refcnt != 0); \ 128 } 129 130 #define KSSL_ENTRY_REFRELE(kssl_entry) { \ 131 ASSERT((kssl_entry)->ke_refcnt != 0); \ 132 membar_exit(); \ 133 if (atomic_add_32_nv(&(kssl_entry)->ke_refcnt, -1) == 0) { \ 134 kssl_free_entry((kssl_entry)); \ 135 } \ 136 } 137 138 #define CRYPTO_ERR(r) ((r) != CRYPTO_SUCCESS && (r) != CRYPTO_QUEUED) 139 140 /* 141 * Enqueue mblk into KSSL input queue. Watch for mblk b_cont chains 142 * returned by tcp_reass() and enqueue them properly. Caller should 143 * be aware that mp is modified by this macro. 144 */ 145 #define KSSL_ENQUEUE_MP(ssl, mp) { \ 146 DTRACE_PROBE1(kssl_mblk__enqueue_mp, mblk_t *, mp); \ 147 if ((ssl)->rec_ass_tail == NULL) { \ 148 (ssl)->rec_ass_head = (mp); \ 149 while (mp->b_cont) \ 150 mp = mp->b_cont; \ 151 (ssl)->rec_ass_tail = (mp); \ 152 } else { \ 153 (ssl)->rec_ass_tail->b_cont = (mp); \ 154 while (mp->b_cont) \ 155 mp = mp->b_cont; \ 156 (ssl)->rec_ass_tail = (mp); \ 157 } \ 158 } 159 160 #define SSL_MISS 123 /* Internal SSL error */ 161 162 extern crypto_mechanism_t rsa_x509_mech; 163 extern crypto_mechanism_t hmac_md5_mech; 164 extern crypto_mechanism_t hmac_sha1_mech; 165 extern crypto_call_flag_t kssl_call_flag; 166 extern KSSLCipherDef cipher_defs[]; 167 168 extern struct kmem_cache *kssl_cache; 169 170 #define KSSL_TAB_INITSIZE 4 171 extern kssl_entry_t **kssl_entry_tab; 172 extern int kssl_entry_tab_size; 173 extern int kssl_entry_tab_nentries; 174 extern kmutex_t kssl_tab_mutex; 175 176 typedef struct kssl_stats { 177 kstat_named_t sid_cache_lookups; 178 kstat_named_t sid_cache_hits; 179 kstat_named_t sid_cached; 180 kstat_named_t sid_uncached; 181 kstat_named_t full_handshakes; 182 kstat_named_t resumed_sessions; 183 kstat_named_t fallback_connections; 184 kstat_named_t proxy_fallback_failed; 185 kstat_named_t appdata_record_ins; 186 kstat_named_t appdata_record_outs; 187 kstat_named_t alloc_fails; 188 kstat_named_t fatal_alerts; 189 kstat_named_t warning_alerts; 190 kstat_named_t no_suite_found; 191 kstat_named_t compute_mac_failure; 192 kstat_named_t verify_mac_failure; 193 kstat_named_t record_decrypt_failure; 194 kstat_named_t bad_pre_master_secret; 195 kstat_named_t internal_errors; 196 } kssl_stats_t; 197 198 extern kssl_stats_t *kssl_statp; 199 200 #define KSSL_COUNTER(p, v) atomic_add_64(&kssl_statp->p.value.ui64, v) 201 202 #define IS_SSL_PORT 1 203 #define IS_PROXY_PORT 2 204 205 extern void kssl_free_entry(kssl_entry_t *); 206 extern void kssl_free_context(ssl_t *); 207 extern int kssl_compute_record_mac(ssl_t *, int, uint64_t, SSL3ContentType, 208 uchar_t *, uchar_t *, int, uchar_t *); 209 extern int kssl_handle_handshake_message(ssl_t *, mblk_t *, int *, 210 kssl_callback_t, void *); 211 extern int kssl_handle_v2client_hello(ssl_t *, mblk_t *, int); 212 extern void kssl_uncache_sid(sslSessionID *, kssl_entry_t *); 213 extern int kssl_mac_encrypt_record(ssl_t *, SSL3ContentType, uchar_t *, 214 uchar_t *, mblk_t *); 215 extern mblk_t *kssl_get_next_record(ssl_t *); 216 extern int kssl_get_obj_handle(kssl_entry_t *); 217 extern void kssl_prov_evnt(uint32_t, void *); 218 219 #ifdef __cplusplus 220 } 221 #endif 222 223 #endif /* _INET_KSSL_KSSLIMPL_H */ 224