c28749e97052f09388969427adf7df641cdcdc22kais/*
c28749e97052f09388969427adf7df641cdcdc22kais * CDDL HEADER START
c28749e97052f09388969427adf7df641cdcdc22kais *
c28749e97052f09388969427adf7df641cdcdc22kais * The contents of this file are subject to the terms of the
c892ebf1bef94f4f922f282c11516677c134dbe0krishna * Common Development and Distribution License (the "License").
c892ebf1bef94f4f922f282c11516677c134dbe0krishna * You may not use this file except in compliance with the License.
c28749e97052f09388969427adf7df641cdcdc22kais *
c28749e97052f09388969427adf7df641cdcdc22kais * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
c28749e97052f09388969427adf7df641cdcdc22kais * or http://www.opensolaris.org/os/licensing.
c28749e97052f09388969427adf7df641cdcdc22kais * See the License for the specific language governing permissions
c28749e97052f09388969427adf7df641cdcdc22kais * and limitations under the License.
c28749e97052f09388969427adf7df641cdcdc22kais *
c28749e97052f09388969427adf7df641cdcdc22kais * When distributing Covered Code, include this CDDL HEADER in each
c28749e97052f09388969427adf7df641cdcdc22kais * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
c28749e97052f09388969427adf7df641cdcdc22kais * If applicable, add the following below this CDDL HEADER, with the
c28749e97052f09388969427adf7df641cdcdc22kais * fields enclosed by brackets "[]" replaced with your own identifying
c28749e97052f09388969427adf7df641cdcdc22kais * information: Portions Copyright [yyyy] [name of copyright owner]
c28749e97052f09388969427adf7df641cdcdc22kais *
c28749e97052f09388969427adf7df641cdcdc22kais * CDDL HEADER END
c28749e97052f09388969427adf7df641cdcdc22kais */
c28749e97052f09388969427adf7df641cdcdc22kais/*
dd49f125507979bb2ab505a8daf2a46d1be27051Anders Persson * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
c28749e97052f09388969427adf7df641cdcdc22kais */
c28749e97052f09388969427adf7df641cdcdc22kais
c28749e97052f09388969427adf7df641cdcdc22kais#ifndef _INET_KSSL_KSSLIMPL_H
c28749e97052f09388969427adf7df641cdcdc22kais#define _INET_KSSL_KSSLIMPL_H
c28749e97052f09388969427adf7df641cdcdc22kais
c28749e97052f09388969427adf7df641cdcdc22kais#ifdef __cplusplus
c28749e97052f09388969427adf7df641cdcdc22kaisextern "C" {
c28749e97052f09388969427adf7df641cdcdc22kais#endif
c28749e97052f09388969427adf7df641cdcdc22kais
c28749e97052f09388969427adf7df641cdcdc22kais#include <sys/types.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <netinet/in.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <sys/socket.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <sys/atomic.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <sys/mutex.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <sys/crypto/common.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <sys/kstat.h>
51dd2c77f06e5663c28bd4f7a760cae4cf159e79vk#include <sys/sdt.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <inet/kssl/ksslapi.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <inet/kssl/ksslproto.h>
c28749e97052f09388969427adf7df641cdcdc22kais
/*
 * Certificate structure. msg points at the BER-encoded certificate and
 * len is the number of bytes it holds.
 *
 * NOTE(review): len is a signed int. Code that fills this from parsed
 * or user-supplied data should reject negative/oversized values before
 * using len as a buffer length; nothing in this header enforces that.
 * Ownership of msg (who allocates/frees) is not visible here.
 */
typedef struct Certificate {
	uchar_t *msg;		/* BER bytes of the certificate */
	int len;		/* byte length of msg */
} Certificate_t;
c28749e97052f09388969427adf7df641cdcdc22kais
/*
 * Generic singly-linked chain node. kssl_proxy_t and kssl_fallback_t
 * below are declared with the identical layout (next pointer first,
 * then a single opaque payload pointer) so that code can walk any of
 * them through a kssl_chain_t. Do not reorder or add fields to one of
 * these structures without changing the others the same way.
 */
typedef struct kssl_chain_s {
	struct kssl_chain_s *next;	/* next node, NULL terminates */
	void *item;			/* opaque payload */
} kssl_chain_t;
c28749e97052f09388969427adf7df641cdcdc22kais
/*
 * Proxies chain. Follows the generic kssl_chain_t layout exactly
 * (next first, one payload pointer second); keep it that way, since
 * the chain may be walked through kssl_chain_t.
 */
typedef struct kssl_proxy_s {
	struct kssl_proxy_s *next;	/* next proxy, NULL terminates */
	void *proxy_bound;		/* opaque bound proxy endpoint */
} kssl_proxy_t;
c28749e97052f09388969427adf7df641cdcdc22kais
/*
 * Fallback endpoints chain. Same layout as kssl_chain_t (next first,
 * one payload pointer second); do not reorder the fields.
 */
typedef struct kssl_fallback_s {
	struct kssl_fallback_s *next;	/* next fallback, NULL terminates */
	void *fallback_bound;		/* opaque bound fallback endpoint */
} kssl_fallback_t;
c28749e97052f09388969427adf7df641cdcdc22kais
/*
 * State for using a non-extractable private key that lives in a
 * crypto provider (token). The token label and PIN are retained so
 * the provider session can be re-authenticated when needed.
 *
 * Security note: tokpin holds the token PIN in cleartext in kernel
 * memory for as long as this structure lives. Any code that frees or
 * copies it should treat it as secret material (zero the PIN before
 * releasing the memory); whether current callers do so cannot be
 * verified from this header.
 */
typedef struct kssl_session_info_s {
	boolean_t is_valid_handle;	/* presumably: key/session handles below are usable */
	boolean_t do_reauth;		/* re-authenticate to the token before next use */
	crypto_provider_t prov;		/* provider holding the key */
	crypto_session_id_t sid;	/* provider session id */
	crypto_key_t key;		/* key reference within the provider */
	crypto_notify_handle_t evnt_handle;	/* provider event notification handle */
	char toklabel[CRYPTO_EXT_SIZE_LABEL];	/* token label, fixed-size buffer */
	int pinlen;			/* number of PIN bytes valid in tokpin */
	/*
	 * Trailing variable-length PIN using the pre-C99 one-element
	 * array idiom; the allocator (not visible here) must reserve
	 * room for pinlen bytes past the start of tokpin.
	 */
	char tokpin[1];
} kssl_session_info_t;
c892ebf1bef94f4f922f282c11516677c134dbe0krishna
/*
 * kssl_entry_t: one configured SSL endpoint (local address + SSL port)
 * together with its key material, session-id cache, enabled cipher
 * suites and the proxy/fallback endpoints it hands connections to.
 * Entries are reference counted through KSSL_ENTRY_REFHOLD /
 * KSSL_ENTRY_REFRELE and are kept in the global kssl_entry_tab.
 */

typedef struct kssl_entry_s {
	uint_t ke_refcnt;		/* for hold/release */
	boolean_t ke_no_freeall;	/* NOTE(review): meaning not visible here; confirm in kssl_free_entry() */
	kmutex_t ke_mutex;		/* per-entry lock; what it covers is defined by its users */

	in6_addr_t ke_laddr;		/* local address of the endpoint */
	in_port_t ke_ssl_port;		/* SSL port */
	in_port_t ke_proxy_port;	/* SSL proxy port */

	uint32_t sid_cache_timeout;	/* In seconds */
	uint32_t sid_cache_nentries;	/* number of slots in sid_cache */
	kssl_sid_ent_t *sid_cache;	/* session-id cache (presumably for resumption) */

	/*
	 * Enabled cipher suites and how many of the CIPHER_SUITE_COUNT
	 * slots are in use. Writers must keep kssl_cipherSuites_nentries
	 * within [0, CIPHER_SUITE_COUNT]; nothing in this header enforces
	 * the bound. kssl_saved_Suites is a second copy whose use is not
	 * visible here.
	 */
	uint16_t kssl_cipherSuites[CIPHER_SUITE_COUNT];
	int kssl_cipherSuites_nentries;
	uint16_t kssl_saved_Suites[CIPHER_SUITE_COUNT];

	boolean_t ke_is_nxkey;		/* key is non-extractable; see ke_sessinfo */
	kssl_session_info_t *ke_sessinfo;	/* token session info, presumably valid when ke_is_nxkey */

	crypto_key_t *ke_private_key;	/* instance's private key */
	Certificate_t *ke_server_certificate;	/* server certificate */

	Certificate_t **ke_cacert_chain;	/* CA certificate chain; termination convention not visible here */

	kssl_proxy_t *ke_proxy_head;	/* Proxies chain */
	kssl_fallback_t *ke_fallback_head;	/* Fall-back endpoints chain */

} kssl_entry_t;
c28749e97052f09388969427adf7df641cdcdc22kais
/*
 * Maps one crypto mechanism to the cipher suites that use it. Used
 * (presumably) to disable suites whose mechanism no provider offers.
 * kssl_suites has CIPHER_SUITE_COUNT fixed slots; how unused slots are
 * marked is not visible in this header.
 */
typedef struct mech_to_cipher_s {
	crypto_mech_type_t mech;	/* mechanism type */
	char *name;			/* mechanism name string */
	uint16_t kssl_suites[CIPHER_SUITE_COUNT];	/* suites needing mech */
} mech_to_cipher_t;
c28749e97052f09388969427adf7df641cdcdc22kais
/*
 * Take a reference on a kssl_entry_t. The count is bumped atomically;
 * the ASSERT afterwards catches a wrap to zero. Keep the increment
 * outside the ASSERT: ASSERT() is typically compiled out of non-DEBUG
 * kernels, so folding the two would drop the hold in production. The
 * ASSERT's own read of ke_refcnt is a plain (non-atomic) debug check.
 * The body is a bare brace block, not do/while(0), so
 * "KSSL_ENTRY_REFHOLD(e);" immediately before an "else" does not compile.
 */
#define KSSL_ENTRY_REFHOLD(kssl_entry) { \
	atomic_inc_32(&(kssl_entry)->ke_refcnt); \
	ASSERT((kssl_entry)->ke_refcnt != 0); \
}
c28749e97052f09388969427adf7df641cdcdc22kais
/*
 * Drop a reference on a kssl_entry_t; the thread that takes the count
 * to zero frees the entry with kssl_free_entry(). membar_exit() is
 * issued before the decrement, presumably so this thread's earlier
 * accesses to the entry are ordered before the count can reach zero
 * (and the entry be freed) in another thread. After this macro the
 * caller must not touch kssl_entry, since it may already be gone.
 * The body is a bare brace block, not do/while(0), so
 * "KSSL_ENTRY_REFRELE(e);" immediately before an "else" does not compile.
 */
#define KSSL_ENTRY_REFRELE(kssl_entry) { \
	ASSERT((kssl_entry)->ke_refcnt != 0); \
	membar_exit(); \
	if (atomic_dec_32_nv(&(kssl_entry)->ke_refcnt) == 0) { \
		kssl_free_entry((kssl_entry)); \
	} \
}
c28749e97052f09388969427adf7df641cdcdc22kais
c28749e97052f09388969427adf7df641cdcdc22kais#define CRYPTO_ERR(r) ((r) != CRYPTO_SUCCESS && (r) != CRYPTO_QUEUED)
c28749e97052f09388969427adf7df641cdcdc22kais
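/*
 * Append mblk (chain) mp to the record-assembly input queue of ssl.
 * tcp_reass() can return an mblk with a b_cont chain, so after linking
 * mp in (as the head if the queue is empty, otherwise behind the
 * current tail) the macro walks to the end of that chain and makes the
 * last mblk the new rec_ass_tail.
 *
 * Caller beware: mp is modified. It must be an lvalue and on exit it
 * points at the last mblk of the chain, not at the one passed in.
 * Every use of mp is parenthesized so that an argument such as *mpp
 * binds correctly to "->" and "=". The body is a bare brace block,
 * not do/while(0): "KSSL_ENQUEUE_MP(s, m);" directly before an "else"
 * does not compile.
 */
#define KSSL_ENQUEUE_MP(ssl, mp) { \
	DTRACE_PROBE1(kssl_mblk__enqueue_mp, mblk_t *, (mp)); \
	if ((ssl)->rec_ass_tail == NULL) \
		(ssl)->rec_ass_head = (mp); \
	else \
		(ssl)->rec_ass_tail->b_cont = (mp); \
	while ((mp)->b_cont != NULL) \
		(mp) = (mp)->b_cont; \
	(ssl)->rec_ass_tail = (mp); \
}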
c28749e97052f09388969427adf7df641cdcdc22kais
/*
 * Internal SSL error code returned between kssl routines.
 * NOTE(review): magic value; confirm it cannot collide with the
 * CRYPTO_* return codes it may be mixed with in callers.
 */
#define SSL_MISS 123 /* Internal SSL error */

/*
 * Mechanisms shared by the kssl routines: RSA (X.509 padding) for the
 * key exchange and HMAC-MD5 / HMAC-SHA1 for record MACs. This reflects
 * the SSL3/TLS1.0-era suite set; HMAC-MD5 suites are legacy and should
 * be disabled by configuration where possible.
 */
extern crypto_mechanism_t rsa_x509_mech;
extern crypto_mechanism_t hmac_md5_mech;
extern crypto_mechanism_t hmac_sha1_mech;
extern crypto_call_flag_t kssl_call_flag;	/* flags passed to crypto calls */
extern KSSLCipherDef cipher_defs[];		/* per-suite cipher definitions */

extern struct kmem_cache *kssl_cache;		/* kmem cache for ssl_t contexts (presumably) */

/*
 * Global table of configured entries. kssl_entry_tab_size is the
 * allocated slot count and kssl_entry_tab_nentries the used count;
 * KSSL_TAB_INITSIZE is the initial allocation. kssl_tab_mutex is
 * presumably the lock that guards the table; confirm in the users.
 */
#define KSSL_TAB_INITSIZE 4
extern kssl_entry_t **kssl_entry_tab;
extern int kssl_entry_tab_size;
extern int kssl_entry_tab_nentries;
extern kmutex_t kssl_tab_mutex;
c28749e97052f09388969427adf7df641cdcdc22kais
/*
 * kstat counters exported by kssl and bumped through KSSL_COUNTER().
 * Operationally, verify_mac_failure, record_decrypt_failure,
 * bad_pre_master_secret and fatal_alerts are the ones worth alerting
 * on: a sustained rise can indicate tampering or an active attack on
 * the endpoint, not just flaky peers.
 */
typedef struct kssl_stats {
	kstat_named_t sid_cache_lookups;	/* session-id cache lookups */
	kstat_named_t sid_cache_hits;		/* ... of which hit */
	kstat_named_t sid_cached;		/* session ids added to the cache */
	kstat_named_t sid_uncached;		/* session ids removed from the cache */
	kstat_named_t full_handshakes;		/* complete handshakes performed */
	kstat_named_t resumed_sessions;		/* handshakes resumed from cache */
	kstat_named_t fallback_connections;	/* connections sent to a fallback endpoint */
	kstat_named_t proxy_fallback_failed;	/* fallback attempts that failed */
	kstat_named_t appdata_record_ins;	/* application-data records received */
	kstat_named_t appdata_record_outs;	/* application-data records sent */
	kstat_named_t alloc_fails;		/* memory allocation failures */
	kstat_named_t fatal_alerts;		/* fatal alerts (sent or received; not visible here) */
	kstat_named_t warning_alerts;		/* warning alerts */
	kstat_named_t no_suite_found;		/* no common cipher suite with the client */
	kstat_named_t compute_mac_failure;	/* MAC computation failures */
	kstat_named_t verify_mac_failure;	/* received records whose MAC did not verify */
	kstat_named_t record_decrypt_failure;	/* received records that failed to decrypt */
	kstat_named_t bad_pre_master_secret;	/* malformed/invalid pre-master secrets */
	kstat_named_t internal_errors;		/* internal (SSL_MISS-style) errors */
} kssl_stats_t;
c28749e97052f09388969427adf7df641cdcdc22kais
extern kssl_stats_t *kssl_statp;	/* live kstat block for the counters above */

/*
 * Add v to counter p of kssl_statp atomically. p is a member name and
 * therefore cannot be parenthesized; v is inserted unparenthesized as a
 * call argument, so pass a simple value.
 */
#define KSSL_COUNTER(p, v) atomic_add_64(&kssl_statp->p.value.ui64, v)

/* Port classification results (which of an entry's two ports matched). */
#define IS_SSL_PORT 1
#define IS_PROXY_PORT 2

/*
 * Internal kssl entry points. Argument semantics are defined by the
 * implementations, not visible here; the notes below are from names
 * and the other declarations in this header.
 */
extern void kssl_free_entry(kssl_entry_t *);		/* last-reference destructor used by KSSL_ENTRY_REFRELE */
extern void kssl_free_context(ssl_t *);
extern int kssl_compute_record_mac(ssl_t *, int, uint64_t, SSL3ContentType,
    uchar_t *, uchar_t *, int, uchar_t *);
extern int kssl_handle_handshake_message(ssl_t *, mblk_t *, int *,
    kssl_callback_t, void *);
/* Presumably handles an SSLv2-format ClientHello; a legacy input surface worth fuzzing. */
extern int kssl_handle_v2client_hello(ssl_t *, mblk_t *, int);
extern void kssl_uncache_sid(sslSessionID *, kssl_entry_t *);
extern int kssl_mac_encrypt_record(ssl_t *, SSL3ContentType, uchar_t *,
    uchar_t *, mblk_t *);
extern mblk_t *kssl_get_next_record(ssl_t *);
extern int kssl_get_obj_handle(kssl_entry_t *);	/* obtains the token key handle for a non-extractable key (presumably) */
extern void kssl_prov_evnt(uint32_t, void *);	/* crypto provider event callback */
c28749e97052f09388969427adf7df641cdcdc22kais
c28749e97052f09388969427adf7df641cdcdc22kais#ifdef __cplusplus
c28749e97052f09388969427adf7df641cdcdc22kais}
c28749e97052f09388969427adf7df641cdcdc22kais#endif
c28749e97052f09388969427adf7df641cdcdc22kais
c28749e97052f09388969427adf7df641cdcdc22kais#endif /* _INET_KSSL_KSSLIMPL_H */