tcp_kssl.c revision f4b3ec61df05330d25f55a36b975b4d7519fdeb1
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include <inet/ipclassifier.h>
#include <inet/ipsec_impl.h>
#include <inet/tcp_trace.h>
#include <inet/tcp_impl.h>
/*
* For the Kernel SSL proxy
*
* Routines in this file are called on tcp's incoming path,
* tcp_rput_data() mainly, and right before the message is
* to be putnext()'ed upstreams.
*/
static void tcp_kssl_input_asynch(void *, mblk_t *, void *);
extern void tcp_output(void *, mblk_t *, void *);
extern void tcp_send_conn_ind(void *, mblk_t *, void *);
extern squeue_func_t tcp_squeue_wput_proc;
/*
* tcp_rput_data() calls this routine for all packet destined to a
* connection to the SSL port, when the SSL kernel proxy is configured
* to intercept and process those packets.
* A packet may carry multiple SSL records, so the function
* calls kssl_input() in a loop, until all records are
* handled.
* As long as this conection is in handshake, that is until the first
* time kssl_input() returns a record to be delivered ustreams,
* we maintain the tcp_kssl_inhandshake, and keep an extra reference on
* function may return KSSL_CMD_QUEUED after scheduling an asynchronous
* request and cause tcp_kssl_callback() to be called on adifferent CPU,
*/
void
{
struct T_conn_ind *tci;
/* First time here, allocate the SSL context */
goto no_can_do;
}
/* we won't be needing this one after now */
}
if (tcp->tcp_kssl_inhandshake) {
}
do {
switch (kssl_cmd) {
case KSSL_CMD_SEND:
/*
* We need to increment tcp_squeue_bytes to account
* for the extra bytes internally injected to the
* outgoing flow. tcp_output() will decrement it
* as they are sent out.
*/
/* FALLTHROUGH */
case KSSL_CMD_NONE:
if (tcp->tcp_kssl_pending) {
/*
* SSL handshake successfully started -
* pass up the T_CONN_IND
*/
/*
* Give this session a chance to fall back to
* userland SSL
*/
goto no_can_do;
/*
* attach the kssl_ctx to the conn_ind and
* transform it to a T_SSL_PROXY_CONN_IND.
* Hold it so that it stays valid till it
* reaches the stream head.
*/
sizeof (kssl_ctx_t);
/*
* The code below is copied from tcp_rput_data()
* delivering the T_CONN_IND on a TCPS_SYN_RCVD,
* and all conn ref cnt comments apply.
*/
} else {
}
}
break;
case KSSL_CMD_QUEUED:
/*
* We hold the conn_t here because an asynchronous
* request have been queued and
* tcp_kssl_input_callback() will be called later.
* It will release the conn_t
*/
break;
case KSSL_CMD_DELIVER_PROXY:
case KSSL_CMD_DELIVER_SSL:
/*
* Keep accumulating if not yet accepted.
*/
} else {
}
/*
* We're at a phase where records are sent upstreams,
* past the handshake
*/
break;
case KSSL_CMD_NOT_SUPPORTED:
/*
* Stop the SSL processing by the proxy, and
* switch to the userland SSL
*/
if (tcp->tcp_kssl_pending) {
}
/*
* Make this a T_SSL_PROXY_CONN_IND, for the
* stream head to deliver it to the SSL
* fall-back listener
*/
/*
* The code below is copied from tcp_rput_data()
* delivering the T_CONN_IND on a TCPS_SYN_RCVD,
* and all conn ref cnt comments apply.
*/
} else {
}
}
break;
}
} while (more);
if (conn_held) {
}
}
/*
* Callback function for the cases kssl_input() had to submit an asynchronous
* job and need to come back when done to carry on the input processing.
* This routine follows the conentions of timeout and interrupt handlers.
* (no blocking, ...)
*/
static void
{
switch (kssl_cmd) {
case KSSL_CMD_SEND:
/* I'm coming from an outside perimeter */
/*
* See comment in tcp_kssl_input() call to tcp_output()
*/
}
/* FALLTHROUGH */
case KSSL_CMD_NONE:
break;
case KSSL_CMD_DELIVER_PROXY:
case KSSL_CMD_DELIVER_SSL:
/*
* Keep accumulating if not yet accepted.
*/
} else {
}
break;
case KSSL_CMD_NOT_SUPPORTED:
/* Stop the SSL processing */
}
/*
* Process any input that may have accumulated while we're waiting for
* the call-back.
* We need to re-enter the squeue for this connp, and a new mp is
* necessary.
*/
}
#ifdef DEBUG
else {
}
#endif /* DEBUG */
}
/*
* Needed by tcp_kssl_input_callback() to continue processing the incoming
* flow on a tcp_t after an asynchronous callback call.
*/
/* ARGSUSED */
void
{
/*
* while we're away
*/
}
}