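/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * Private (implementation) definitions for the kernel SSL (KSSL) module:
 * the per-listener entry, the mechanism/cipher-suite table, reference
 * counting helpers, the input-record enqueue helper and the kstat block.
 * Nothing here is part of the public API; see ksslapi.h for that.
 */

#ifndef _INET_KSSL_KSSLIMPL_H
#define	_INET_KSSL_KSSLIMPL_H

#ifdef __cplusplus
extern "C" {
#endif

#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/atomic.h>
#include <sys/mutex.h>
#include <sys/crypto/common.h>
#include <sys/kstat.h>
#include <sys/sdt.h>
#include <inet/kssl/ksslapi.h>
#include <inet/kssl/ksslproto.h>

/*
 * Certificate structure. The msg field is the BER data of the
 * certificate; len is its length in bytes.
 */
typedef struct Certificate {
	uchar_t *msg;
	int len;
} Certificate_t;

/* Generic linked chain type */
typedef struct kssl_chain_s {
	struct kssl_chain_s *next;
	void *item;
} kssl_chain_t;

/* Proxies chain. follows the generic kssl_chain_t layout */
typedef struct kssl_proxy_s {
	struct kssl_proxy_s *next;
	void *proxy_bound;
} kssl_proxy_t;

/* Fallback endpoints chain. Ditto. */
typedef struct kssl_fallback_s {
	struct kssl_fallback_s *next;
	void *fallback_bound;
} kssl_fallback_t;

/*
 * Structure to support using a non-extractable key in
 * a crypto provider. We keep the token label and pin so
 * that we can reauthenticate when needed.
 *
 * tokpin holds a secret (the token PIN), pinlen its length. tokpin is
 * declared with one element as the trailing-array idiom, so the struct
 * is presumably allocated with pinlen extra bytes by its creator and
 * must be sized accordingly -- verify against kssl.c. Memory holding
 * tokpin should be cleared before it is released (NOTE(review): confirm
 * the free path does this).
 */
typedef struct kssl_session_info_s {
	boolean_t is_valid_handle;
	boolean_t do_reauth;
	crypto_provider_t prov;
	crypto_session_id_t sid;
	crypto_key_t key;
	crypto_notify_handle_t evnt_handle;
	char toklabel[CRYPTO_EXT_SIZE_LABEL];
	int pinlen;
	char tokpin[1];
} kssl_session_info_t;

/*
 * kssl_entry_t structure.
 *
 * One entry per configured KSSL listener: the local address and the SSL
 * and proxy ports it serves, its session-ID cache, the cipher suites it
 * offers, and the private key / certificate chain it authenticates with.
 * ke_refcnt is manipulated only through KSSL_ENTRY_REFHOLD/REFRELE;
 * the entry is freed by kssl_free_entry() when the count drops to zero.
 */
typedef struct kssl_entry_s {
	uint_t ke_refcnt;		/* for hold/release */
	boolean_t ke_no_freeall;
	kmutex_t ke_mutex;		/* presumably guards the mutable */
					/* fields below -- verify in kssl.c */

	in6_addr_t ke_laddr;
	in_port_t ke_ssl_port;		/* SSL port */
	in_port_t ke_proxy_port;	/* SSL proxy port */

	uint32_t sid_cache_timeout;	/* In seconds */
	uint32_t sid_cache_nentries;
	kssl_sid_ent_t *sid_cache;

	uint16_t kssl_cipherSuites[CIPHER_SUITE_COUNT];
	int kssl_cipherSuites_nentries;	/* used slots in kssl_cipherSuites */
	uint16_t kssl_saved_Suites[CIPHER_SUITE_COUNT];

	boolean_t ke_is_nxkey;		/* non-extractable key in use */
	kssl_session_info_t *ke_sessinfo; /* provider session for nxkey */

	crypto_key_t *ke_private_key;	/* instance's private key */
	Certificate_t *ke_server_certificate;

	Certificate_t **ke_cacert_chain;

	kssl_proxy_t *ke_proxy_head;	/* Proxies chain */
	kssl_fallback_t *ke_fallback_head; /* Fall-back endpoints chain */

} kssl_entry_t;

/*
 * Maps a KCF mechanism to the cipher suites that rely on it.
 */
typedef struct mech_to_cipher_s {
	crypto_mech_type_t mech;
	char *name;
	uint16_t kssl_suites[CIPHER_SUITE_COUNT];
} mech_to_cipher_t;

/*
 * Take a reference on a kssl_entry_t. Statement-like; use with a
 * trailing semicolon. The ASSERT catches a wrap of ke_refcnt to zero.
 */
#define	KSSL_ENTRY_REFHOLD(kssl_entry) do {				\
	atomic_inc_32(&(kssl_entry)->ke_refcnt);			\
	ASSERT((kssl_entry)->ke_refcnt != 0);				\
} while (0)

/*
 * Drop a reference on a kssl_entry_t; the last release frees the entry.
 * Statement-like; use with a trailing semicolon. membar_exit() orders
 * this thread's prior stores before the decrement so the freeing thread
 * observes them.
 */
#define	KSSL_ENTRY_REFRELE(kssl_entry) do {				\
	ASSERT((kssl_entry)->ke_refcnt != 0);				\
	membar_exit();							\
	if (atomic_dec_32_nv(&(kssl_entry)->ke_refcnt) == 0) {		\
		kssl_free_entry((kssl_entry));				\
	}								\
} while (0)

/* True when a KCF return value is neither success nor "queued". */
#define	CRYPTO_ERR(r) ((r) != CRYPTO_SUCCESS && (r) != CRYPTO_QUEUED)

/*
 * Enqueue mblk into KSSL input queue. Watch for mblk b_cont chains
 * returned by tcp_reass() and enqueue them properly. Caller should
 * be aware that mp is modified by this macro: on return it points at
 * the last mblk of the chain, which is also the new rec_ass_tail.
 * Statement-like; use with a trailing semicolon.
 */
#define	KSSL_ENQUEUE_MP(ssl, mp) do {					\
	DTRACE_PROBE1(kssl_mblk__enqueue_mp, mblk_t *, mp);		\
	if ((ssl)->rec_ass_tail == NULL)				\
		(ssl)->rec_ass_head = (mp);				\
	else								\
		(ssl)->rec_ass_tail->b_cont = (mp);			\
	/* walk to the end of the chain; it becomes the new tail */	\
	while ((mp)->b_cont)						\
		(mp) = (mp)->b_cont;					\
	(ssl)->rec_ass_tail = (mp);					\
} while (0)

#define	SSL_MISS	123		/* Internal SSL error */

extern crypto_mechanism_t rsa_x509_mech;
extern crypto_mechanism_t hmac_md5_mech;
extern crypto_mechanism_t hmac_sha1_mech;
extern crypto_call_flag_t kssl_call_flag;
extern KSSLCipherDef cipher_defs[];

extern struct kmem_cache *kssl_cache;

/* Listener table: grows from KSSL_TAB_INITSIZE slots; kssl_tab_mutex */
/* presumably serializes access to it -- verify in kssl.c. */
#define	KSSL_TAB_INITSIZE	4
extern kssl_entry_t **kssl_entry_tab;
extern int kssl_entry_tab_size;
extern int kssl_entry_tab_nentries;
extern kmutex_t kssl_tab_mutex;

/*
 * Module-wide kstat counters; bumped through KSSL_COUNTER(). The MAC,
 * decrypt and pre-master-secret failure counters are the ones worth
 * watching for malformed or tampered records.
 */
typedef struct kssl_stats {
	kstat_named_t sid_cache_lookups;
	kstat_named_t sid_cache_hits;
	kstat_named_t sid_cached;
	kstat_named_t sid_uncached;
	kstat_named_t full_handshakes;
	kstat_named_t resumed_sessions;
	kstat_named_t fallback_connections;
	kstat_named_t proxy_fallback_failed;
	kstat_named_t appdata_record_ins;
	kstat_named_t appdata_record_outs;
	kstat_named_t alloc_fails;
	kstat_named_t fatal_alerts;
	kstat_named_t warning_alerts;
	kstat_named_t no_suite_found;
	kstat_named_t compute_mac_failure;
	kstat_named_t verify_mac_failure;
	kstat_named_t record_decrypt_failure;
	kstat_named_t bad_pre_master_secret;
	kstat_named_t internal_errors;
} kssl_stats_t;

extern kssl_stats_t *kssl_statp;

/* Atomically add v to the named counter p of kssl_statp. */
#define	KSSL_COUNTER(p, v)	atomic_add_64(&kssl_statp->p.value.ui64, (v))

/* Port classification values. */
#define	IS_SSL_PORT	1
#define	IS_PROXY_PORT	2

extern void kssl_free_entry(kssl_entry_t *);
extern void kssl_free_context(ssl_t *);
extern int kssl_compute_record_mac(ssl_t *, int, uint64_t, SSL3ContentType,
    uchar_t *, uchar_t *, int, uchar_t *);
extern int kssl_handle_handshake_message(ssl_t *, mblk_t *, int *,
    kssl_callback_t, void *);
extern int kssl_handle_v2client_hello(ssl_t *, mblk_t *, int);
extern void kssl_uncache_sid(sslSessionID *, kssl_entry_t *);
extern int kssl_mac_encrypt_record(ssl_t *, SSL3ContentType, uchar_t *,
    uchar_t *, mblk_t *);
extern mblk_t *kssl_get_next_record(ssl_t *);
extern int kssl_get_obj_handle(kssl_entry_t *);
extern void kssl_prov_evnt(uint32_t, void *);

#ifdef __cplusplus
}
#endif

#endif /* _INET_KSSL_KSSLIMPL_H */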