xref: /titanic_50/usr/src/uts/common/inet/kssl/ksslimpl.h (revision 407eb7cc0bcf1bc14f8cd498d68af0782e777f74)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_INET_KSSL_KSSLIMPL_H
27 #define	_INET_KSSL_KSSLIMPL_H
28 
29 #pragma ident	"%Z%%M%	%I%	%E% SMI"
30 
31 #ifdef	__cplusplus
32 extern "C" {
33 #endif
34 
35 #include <sys/types.h>
36 #include <netinet/in.h>
37 #include <sys/socket.h>
38 #include <sys/atomic.h>
39 #include <sys/mutex.h>
40 #include <sys/crypto/common.h>
41 #include <sys/kstat.h>
42 #include <inet/kssl/ksslapi.h>
43 #include <inet/kssl/ksslproto.h>
44 
45 /*
46  * Certificate structure. The msg field is the BER data of the
47  * certificate.
48  */
49 typedef struct Certificate {
50     uchar_t *msg;
51     int len;
52 } Certificate_t;
53 
54 /* Generic linked chain type */
55 typedef struct kssl_chain_s {
56 	struct kssl_chain_s	*next;
57 	void			*item;
58 } kssl_chain_t;
59 
60 /* Proxies chain. follows the generic kssl_chain_t layout */
61 typedef struct kssl_proxy_s {
62 	struct kssl_proxy_s	*next;
63 	void			*proxy_bound;
64 } kssl_proxy_t;
65 
66 /* Fallback endpoints chain. Ditto. */
67 typedef struct kssl_fallback_s {
68 	struct kssl_fallback_s	*next;
69 	void			*fallback_bound;
70 } kssl_fallback_t;
71 
72 /*
73  * Structure to support using a non-extractable key in
74  * a crypto provider. We keep the token label and pin so
75  * that we can reauthenticate when needed.
76  */
77 typedef struct kssl_session_info_s {
78 	boolean_t		is_valid_handle;
79 	boolean_t		do_reauth;
80 	crypto_provider_t	prov;
81 	crypto_session_id_t	sid;
82 	crypto_key_t		key;
83 	crypto_notify_handle_t	evnt_handle;
84 	char			toklabel[CRYPTO_EXT_SIZE_LABEL];
85 	int			pinlen;
86 	char			tokpin[1];
87 } kssl_session_info_t;
88 
89 /* kssl_entry_t structure. */
90 
91 typedef struct kssl_entry_s {
92 	uint_t			ke_refcnt;	/* for hold/release */
93 	boolean_t		ke_no_freeall;
94 	kmutex_t		ke_mutex;
95 
96 	ipaddr_t		ke_laddr;	/* Only IPv4 is supported */
97 	in_port_t		ke_ssl_port;	/* SSL port */
98 	in_port_t		ke_proxy_port;	/* SSL proxy port */
99 
100 	uint32_t		sid_cache_timeout; /* In seconds */
101 	uint32_t		sid_cache_nentries;
102 	kssl_sid_ent_t		*sid_cache;
103 
104 	uint16_t		kssl_cipherSuites[CIPHER_SUITE_COUNT];
105 	int			kssl_cipherSuites_nentries;
106 	uint16_t		kssl_saved_Suites[CIPHER_SUITE_COUNT];
107 
108 	boolean_t		ke_is_nxkey;
109 	kssl_session_info_t	*ke_sessinfo;
110 
111 	crypto_key_t		*ke_private_key; /* instance's private key */
112 	Certificate_t		*ke_server_certificate;
113 
114 	Certificate_t		**ke_cacert_chain;
115 
116 	kssl_proxy_t	*ke_proxy_head;		/* Proxies chain */
117 	kssl_fallback_t	*ke_fallback_head;	/* Fall-back endpoints chain */
118 
119 } kssl_entry_t;
120 
121 typedef struct mech_to_cipher_s {
122 	crypto_mech_type_t mech;
123 	char *name;
124 	uint16_t kssl_suites[CIPHER_SUITE_COUNT];
125 } mech_to_cipher_t;
126 
127 #define	KSSL_ENTRY_REFHOLD(kssl_entry) {				\
128 	atomic_add_32(&(kssl_entry)->ke_refcnt, 1);			\
129 	ASSERT((kssl_entry)->ke_refcnt != 0);				\
130 }
131 
132 #define	KSSL_ENTRY_REFRELE(kssl_entry) {				\
133 	ASSERT((kssl_entry)->ke_refcnt != 0);				\
134 	membar_exit();							\
135 	if (atomic_add_32_nv(&(kssl_entry)->ke_refcnt, -1) == 0) {	\
136 		kssl_free_entry((kssl_entry));				\
137 	}								\
138 }
139 
140 #define	KSSL_SSL_REFHOLD(ssl) {						\
141 	atomic_add_32(&(ssl)->kssl_refcnt, 1);				\
142 	ASSERT((ssl)->kssl_refcnt != 0);				\
143 	ASSERT((ssl)->kssl_refcnt < 100000);				\
144 }
145 
146 #define	KSSL_SSL_REFRELE(ssl) {						\
147 	ASSERT((ssl)->kssl_refcnt != 0);				\
148 	ASSERT((ssl)->kssl_refcnt < 100000);				\
149 	membar_exit();							\
150 	if (atomic_add_32_nv(&(ssl)->kssl_refcnt, -1) == 0) {		\
151 		kssl_free_context((ssl));				\
152 	}								\
153 }
154 
155 #define	CRYPTO_ERR(r) ((r) != CRYPTO_SUCCESS && (r) != CRYPTO_QUEUED)
156 
157 #define	KSSL_ENQUEUE_MP(ssl, mp)					\
158 	if ((ssl)->rec_ass_tail == NULL) {				\
159 		(ssl)->rec_ass_head = (mp);				\
160 		(ssl)->rec_ass_tail = (mp);				\
161 	} else {							\
162 		(ssl)->rec_ass_tail->b_cont = (mp);			\
163 		(ssl)->rec_ass_tail = (mp);				\
164 	}
165 
166 #define	SSL_MISS	123	/* Internal SSL error */
167 
168 extern crypto_mechanism_t rsa_x509_mech;
169 extern crypto_mechanism_t hmac_md5_mech;
170 extern crypto_mechanism_t hmac_sha1_mech;
171 extern crypto_call_flag_t kssl_call_flag;
172 extern KSSLCipherDef cipher_defs[];
173 
174 extern int kssl_enabled;
175 extern int kssl_cache_count;
176 extern struct kmem_cache *kssl_cache;
177 
178 #define	KSSL_TAB_INITSIZE	4
179 extern kssl_entry_t **kssl_entry_tab;
180 extern int kssl_entry_tab_size;
181 extern int kssl_entry_tab_nentries;
182 extern kmutex_t kssl_tab_mutex;
183 
184 typedef struct kssl_stats {
185 	kstat_named_t sid_cache_lookups;
186 	kstat_named_t sid_cache_hits;
187 	kstat_named_t sid_uncached;
188 	kstat_named_t full_handshakes;
189 	kstat_named_t resumed_sessions;
190 	kstat_named_t fallback_connections;
191 	kstat_named_t proxy_fallback_failed;
192 	kstat_named_t appdata_record_ins;
193 	kstat_named_t appdata_record_outs;
194 	kstat_named_t alloc_fails;
195 	kstat_named_t fatal_alerts;
196 	kstat_named_t warning_alerts;
197 	kstat_named_t no_suite_found;
198 	kstat_named_t compute_mac_failure;
199 	kstat_named_t verify_mac_failure;
200 	kstat_named_t record_decrypt_failure;
201 	kstat_named_t bad_pre_master_secret;
202 } kssl_stats_t;
203 
204 extern kssl_stats_t *kssl_statp;
205 
206 #define	KSSL_COUNTER(p, v)	 atomic_add_64(&kssl_statp->p.value.ui64, v)
207 
208 #define	IS_SSL_PORT	1
209 #define	IS_PROXY_PORT	2
210 
211 extern void kssl_free_entry(kssl_entry_t *);
212 extern void kssl_free_context(ssl_t *);
213 extern int kssl_compute_record_mac(ssl_t *, int, uint64_t, SSL3ContentType,
214     uchar_t *, uchar_t *, int, uchar_t *);
215 extern int kssl_handle_handshake_message(ssl_t *, mblk_t *, int *,
216     kssl_callback_t, void *);
217 extern int kssl_handle_v2client_hello(ssl_t *, mblk_t *, int);
218 extern void kssl_uncache_sid(sslSessionID *, kssl_entry_t *);
219 extern int kssl_mac_encrypt_record(ssl_t *, SSL3ContentType, uchar_t *,
220     uchar_t *, mblk_t *);
221 extern mblk_t *kssl_get_next_record(ssl_t *);
222 extern int kssl_get_obj_handle(kssl_entry_t *);
223 extern void kssl_prov_evnt(uint32_t, void *);
224 
225 #ifdef	__cplusplus
226 }
227 #endif
228 
229 #endif /* _INET_KSSL_KSSLIMPL_H */
230