1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #ifndef _INET_KSSL_KSSLIMPL_H
26 #define _INET_KSSL_KSSLIMPL_H
27
28 #ifdef __cplusplus
29 extern "C" {
30 #endif
31
32 #include <sys/types.h>
33 #include <netinet/in.h>
34 #include <sys/socket.h>
35 #include <sys/atomic.h>
36 #include <sys/mutex.h>
37 #include <sys/crypto/common.h>
38 #include <sys/kstat.h>
39 #include <sys/sdt.h>
40 #include <inet/kssl/ksslapi.h>
41 #include <inet/kssl/ksslproto.h>
42
43 /*
44 * Certificate structure. The msg field is the BER data of the
45 * certificate.
46 */
47 typedef struct Certificate {
48 uchar_t *msg;
49 int len;
50 } Certificate_t;
51
52 /* Generic linked chain type */
53 typedef struct kssl_chain_s {
54 struct kssl_chain_s *next;
55 void *item;
56 } kssl_chain_t;
57
58 /* Proxies chain. follows the generic kssl_chain_t layout */
59 typedef struct kssl_proxy_s {
60 struct kssl_proxy_s *next;
61 void *proxy_bound;
62 } kssl_proxy_t;
63
64 /* Fallback endpoints chain. Ditto. */
65 typedef struct kssl_fallback_s {
66 struct kssl_fallback_s *next;
67 void *fallback_bound;
68 } kssl_fallback_t;
69
70 /*
71 * Structure to support using a non-extractable key in
72 * a crypto provider. We keep the token label and pin so
73 * that we can reauthenticate when needed.
74 */
75 typedef struct kssl_session_info_s {
76 boolean_t is_valid_handle;
77 boolean_t do_reauth;
78 crypto_provider_t prov;
79 crypto_session_id_t sid;
80 crypto_key_t key;
81 crypto_notify_handle_t evnt_handle;
82 char toklabel[CRYPTO_EXT_SIZE_LABEL];
83 int pinlen;
84 char tokpin[1];
85 } kssl_session_info_t;
86
87 /* kssl_entry_t structure. */
88
89 typedef struct kssl_entry_s {
90 uint_t ke_refcnt; /* for hold/release */
91 boolean_t ke_no_freeall;
92 kmutex_t ke_mutex;
93
94 in6_addr_t ke_laddr;
95 in_port_t ke_ssl_port; /* SSL port */
96 in_port_t ke_proxy_port; /* SSL proxy port */
97
98 uint32_t sid_cache_timeout; /* In seconds */
99 uint32_t sid_cache_nentries;
100 kssl_sid_ent_t *sid_cache;
101
102 uint16_t kssl_cipherSuites[CIPHER_SUITE_COUNT];
103 int kssl_cipherSuites_nentries;
104 uint16_t kssl_saved_Suites[CIPHER_SUITE_COUNT];
105
106 boolean_t ke_is_nxkey;
107 kssl_session_info_t *ke_sessinfo;
108
109 crypto_key_t *ke_private_key; /* instance's private key */
110 Certificate_t *ke_server_certificate;
111
112 Certificate_t **ke_cacert_chain;
113
114 kssl_proxy_t *ke_proxy_head; /* Proxies chain */
115 kssl_fallback_t *ke_fallback_head; /* Fall-back endpoints chain */
116
117 } kssl_entry_t;
118
119 typedef struct mech_to_cipher_s {
120 crypto_mech_type_t mech;
121 char *name;
122 uint16_t kssl_suites[CIPHER_SUITE_COUNT];
123 } mech_to_cipher_t;
124
125 #define KSSL_ENTRY_REFHOLD(kssl_entry) { \
126 atomic_add_32(&(kssl_entry)->ke_refcnt, 1); \
127 ASSERT((kssl_entry)->ke_refcnt != 0); \
128 }
129
130 #define KSSL_ENTRY_REFRELE(kssl_entry) { \
131 ASSERT((kssl_entry)->ke_refcnt != 0); \
132 membar_exit(); \
133 if (atomic_add_32_nv(&(kssl_entry)->ke_refcnt, -1) == 0) { \
134 kssl_free_entry((kssl_entry)); \
135 } \
136 }
137
138 #define CRYPTO_ERR(r) ((r) != CRYPTO_SUCCESS && (r) != CRYPTO_QUEUED)
139
140 /*
141 * Enqueue mblk into KSSL input queue. Watch for mblk b_cont chains
142 * returned by tcp_reass() and enqueue them properly. Caller should
143 * be aware that mp is modified by this macro.
144 */
145 #define KSSL_ENQUEUE_MP(ssl, mp) { \
146 DTRACE_PROBE1(kssl_mblk__enqueue_mp, mblk_t *, mp); \
147 if ((ssl)->rec_ass_tail == NULL) { \
148 (ssl)->rec_ass_head = (mp); \
149 while (mp->b_cont) \
150 mp = mp->b_cont; \
151 (ssl)->rec_ass_tail = (mp); \
152 } else { \
153 (ssl)->rec_ass_tail->b_cont = (mp); \
154 while (mp->b_cont) \
155 mp = mp->b_cont; \
156 (ssl)->rec_ass_tail = (mp); \
157 } \
158 }
159
160 #define SSL_MISS 123 /* Internal SSL error */
161
162 extern crypto_mechanism_t rsa_x509_mech;
163 extern crypto_mechanism_t hmac_md5_mech;
164 extern crypto_mechanism_t hmac_sha1_mech;
165 extern crypto_call_flag_t kssl_call_flag;
166 extern KSSLCipherDef cipher_defs[];
167
168 extern struct kmem_cache *kssl_cache;
169
170 #define KSSL_TAB_INITSIZE 4
171 extern kssl_entry_t **kssl_entry_tab;
172 extern int kssl_entry_tab_size;
173 extern int kssl_entry_tab_nentries;
174 extern kmutex_t kssl_tab_mutex;
175
176 typedef struct kssl_stats {
177 kstat_named_t sid_cache_lookups;
178 kstat_named_t sid_cache_hits;
179 kstat_named_t sid_cached;
180 kstat_named_t sid_uncached;
181 kstat_named_t full_handshakes;
182 kstat_named_t resumed_sessions;
183 kstat_named_t fallback_connections;
184 kstat_named_t proxy_fallback_failed;
185 kstat_named_t appdata_record_ins;
186 kstat_named_t appdata_record_outs;
187 kstat_named_t alloc_fails;
188 kstat_named_t fatal_alerts;
189 kstat_named_t warning_alerts;
190 kstat_named_t no_suite_found;
191 kstat_named_t compute_mac_failure;
192 kstat_named_t verify_mac_failure;
193 kstat_named_t record_decrypt_failure;
194 kstat_named_t bad_pre_master_secret;
195 kstat_named_t internal_errors;
196 } kssl_stats_t;
197
198 extern kssl_stats_t *kssl_statp;
199
200 #define KSSL_COUNTER(p, v) atomic_add_64(&kssl_statp->p.value.ui64, v)
201
202 #define IS_SSL_PORT 1
203 #define IS_PROXY_PORT 2
204
205 extern void kssl_free_entry(kssl_entry_t *);
206 extern void kssl_free_context(ssl_t *);
207 extern int kssl_compute_record_mac(ssl_t *, int, uint64_t, SSL3ContentType,
208 uchar_t *, uchar_t *, int, uchar_t *);
209 extern int kssl_handle_handshake_message(ssl_t *, mblk_t *, int *,
210 kssl_callback_t, void *);
211 extern int kssl_handle_v2client_hello(ssl_t *, mblk_t *, int);
212 extern void kssl_uncache_sid(sslSessionID *, kssl_entry_t *);
213 extern int kssl_mac_encrypt_record(ssl_t *, SSL3ContentType, uchar_t *,
214 uchar_t *, mblk_t *);
215 extern mblk_t *kssl_get_next_record(ssl_t *);
216 extern int kssl_get_obj_handle(kssl_entry_t *);
217 extern void kssl_prov_evnt(uint32_t, void *);
218
219 #ifdef __cplusplus
220 }
221 #endif
222
223 #endif /* _INET_KSSL_KSSLIMPL_H */