kssl.c revision 2ec7cc7fc084163eaed884efee9bbd322cc8951b
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* The system call and DDI interface for the kernel SSL module
*/
#include <sys/sysmacros.h>
#include "kssl.h"
#include "ksslimpl.h"
/*
* DDI entry points.
*/
/*
* Module linkage.
*/
kssl_open, /* cb_open */
kssl_close, /* cb_close */
nodev, /* cb_strategy */
nodev, /* cb_print */
nodev, /* cb_dump */
nodev, /* cb_read */
nodev, /* cb_write */
kssl_ioctl, /* cb_ioctl */
nodev, /* cb_devmap */
nodev, /* cb_mmap */
nodev, /* cb_segmap */
nochpoll, /* cb_chpoll */
ddi_prop_op, /* cb_prop_op */
NULL, /* cb_streamtab */
D_MP, /* cb_flag */
CB_REV, /* cb_rev */
nodev, /* cb_aread */
nodev, /* cb_awrite */
};
DEVO_REV, /* devo_rev */
0, /* devo_refcnt */
kssl_getinfo, /* devo_getinfo */
nulldev, /* devo_identify */
nulldev, /* devo_probe */
kssl_attach, /* devo_attach */
kssl_detach, /* devo_detach */
nodev, /* devo_reset */
&cbops, /* devo_cb_ops */
NULL, /* devo_bus_ops */
NULL, /* devo_power */
ddi_quiesce_not_needed, /* devo_quiesce */
};
&mod_driverops, /* drv_modops */
"Kernel SSL Interface", /* drv_linkinfo */
&devops,
};
static struct modlinkage modlinkage = {
MODREV_1, /* ml_rev */
&modldrv, /* ml_linkage */
};
/* type bsize keysz crypto_mech_type_t */
{type_stream, 0, 0, CRYPTO_MECH_INVALID},
/* mech_type to be initialized with CKM_RC4's */
/* mech_type to be initialized with CKM_DES_CBC's */
/* mech_type to be initialized with CKM_DES3_CBC's */
/* mech_type to be initialized with CKM_AES_CBC with 128-bit key */
/* mech_type to be initialized with CKM_AES_CBC with 256-bit key */
};
struct kmem_cache *kssl_cache;
static void kssl_global_init();
static void kssl_init_mechs();
static void kssl_event_callback(uint32_t, void *);
/*
* DDI entry points.
*/
int
_init(void)
{
return (mod_install(&modlinkage));
}
int
{
}
/* ARGSUSED */
static int
{
switch (cmd) {
case DDI_INFO_DEVT2DEVINFO:
return (DDI_SUCCESS);
case DDI_INFO_DEVT2INSTANCE:
*result = (void *)0;
return (DDI_SUCCESS);
}
return (DDI_FAILURE);
}
static int
{
if (cmd != DDI_ATTACH) {
return (DDI_FAILURE);
}
if (ddi_get_instance(dip) != 0) {
/* we only allow instance 0 to attach */
return (DDI_FAILURE);
}
/* create the minor node */
DDI_SUCCESS) {
return (DDI_FAILURE);
}
return (DDI_SUCCESS);
}
static int
{
if (cmd != DDI_DETACH)
return (DDI_FAILURE);
if (kssl_entry_tab_nentries != 0 || kssl_cache_count != 0)
return (DDI_FAILURE);
if (kssl_cache != NULL) {
kssl_cache = NULL;
}
}
return (DDI_SUCCESS);
}
/* ARGSUSED */
static int
{
return (ENXIO);
return (ENXIO);
/* first time here? initialize everything */
}
/* exclusive opens are not supported */
return (ENOTSUP);
return (0);
}
/* ARGSUSED */
static int
{
return (0);
}
/* ARGSUSED */
static int
int *rval)
{
if (secpolicy_net_config(c, B_FALSE) != 0) {
return (EPERM);
}
switch (cmd) {
case KSSL_ADD_ENTRY: {
return (EFAULT);
}
if (len < sizeof (kssl_params_t) ||
len > KSSL_MAX_KEYANDCERTS) {
return (EINVAL);
}
/* Get the whole structure and parameters in one move */
return (EFAULT);
}
if (audit_active)
}
break;
}
case KSSL_DELETE_ENTRY: {
struct sockaddr_in6 server_addr;
return (EFAULT);
}
if (audit_active)
break;
}
}
return (error);
}
#define NUM_MECHS 7
};
static void
{
}
static int
{
int i;
for (i = 0; i < CIPHER_SUITE_COUNT; i++) {
if (s == sarray[i])
return (1);
}
return (0);
}
static int
{
int i;
for (i = 0; i < count; i++) {
return (1);
}
return (0);
}
/*
* Callback function invoked by the crypto framework when a provider's
* mechanism is available/unavailable. This callback updates entries in the
* kssl_entry_tab[] to make changes to the cipher suites of an entry
* which are affected by the mechanism.
*/
static void
{
int i, j;
uint16_t s;
/* ignore events for which we didn't register */
if (event != CRYPTO_EVENT_MECHS_CHANGED) {
return;
}
for (i = 0; i < NUM_MECHS; i++) {
mc = &(mech_to_cipher_tab[i]);
continue;
/*
* Check if this crypto framework provider mechanism being
* added or removed affects us.
*/
CRYPTO_MAX_MECH_NAME) == 0)
break;
}
if (i == NUM_MECHS)
return;
return;
for (i = 0; i < kssl_entry_tab_size; i++) {
continue;
cnt = 0;
rcnt = 0;
for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
tmp_suites[j] = CIPHER_NOTSET;
dis_list[j] = CIPHER_NOTSET;
}
/*
* We start with the saved cipher suite list for the new entry.
* If a mechanism is disabled, resulting in a cipher suite being
* disabled now, we take it out from the list for the new entry.
* If a mechanism is enabled, resulting in a cipher suite being
* enabled now, we don't need to do any thing.
*/
for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
s = mc->kssl_suites[j];
if (s == 0)
break;
/* Disable this cipher suite */
if (!is_in_suites(s, dis_list))
}
}
}
for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
s = old->kssl_saved_Suites[j];
if (!is_in_suites(s, dis_list))
tmp_suites[rcnt] = s;
if (!changed &&
rcnt++;
}
if (changed) {
continue;
for (j = 0; j < CIPHER_SUITE_COUNT; j++)
kssl_entry_tab[i] = new;
}
}
}
static void
{
KSTAT_FLAG_PERSISTENT)) != NULL) {
"kssl_sid_cache_lookups", KSTAT_DATA_UINT64);
"kssl_sid_cache_hits", KSTAT_DATA_UINT64);
"kssl_sid_cached", KSTAT_DATA_UINT64);
"kssl_sid_uncached", KSTAT_DATA_UINT64);
"kssl_full_handshakes", KSTAT_DATA_UINT64);
"kssl_resumed_sessions", KSTAT_DATA_UINT64);
"kssl_fallback_connections", KSTAT_DATA_UINT64);
"kssl_proxy_fallback_failed", KSTAT_DATA_UINT64);
"kssl_appdata_record_ins", KSTAT_DATA_UINT64);
"kssl_appdata_record_outs", KSTAT_DATA_UINT64);
"kssl_fatal_alerts", KSTAT_DATA_UINT64);
"kssl_warning_alerts", KSTAT_DATA_UINT64);
"kssl_no_suite_found", KSTAT_DATA_UINT64);
"kssl_compute_mac_failure", KSTAT_DATA_UINT64);
"kssl_verify_mac_failure", KSTAT_DATA_UINT64);
"kssl_record_decrypt_failure", KSTAT_DATA_UINT64);
"kssl_bad_pre_master_secret", KSTAT_DATA_UINT64);
"kssl_internal_errors", KSTAT_DATA_UINT64);
};
}
/*ARGSUSED*/
static int
{
return (0);
}
/*ARGSUSED*/
static void
{
}
/*
* Handler routine called by the crypto framework when a
* provider is unregistered or registered. We invalidate the
* private key handle if our provider is unregistered. We set
* a flag to reauthenticate if our provider came back.
*/
void
{
int i, rv;
if (event != CRYPTO_EVENT_PROVIDER_UNREGISTERED &&
return;
if (event == CRYPTO_EVENT_PROVIDER_REGISTERED) {
if (rv != CRYPTO_SUCCESS)
return;
}
for (i = 0; i < kssl_entry_tab_size; i++) {
continue;
s = ep->ke_sessinfo;
switch (event) {
s->is_valid_handle = B_FALSE;
}
break;
if (s->is_valid_handle)
break;
CRYPTO_EXT_SIZE_LABEL) == 0) {
}
break;
}
}
}