1 /*

     2  * CDDL HEADER START

     3  *

     4  * The contents of this file are subject to the terms of the

     5  * Common Development and Distribution License, Version 1.0 only

     6  * (the "License").  You may not use this file except in compliance

     7  * with the License.

     8  *

     9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE

    10  * or http://www.opensolaris.org/os/licensing.

    11  * See the License for the specific language governing permissions

    12  * and limitations under the License.

    13  *

    14  * When distributing Covered Code, include this CDDL HEADER in each

    15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.

    16  * If applicable, add the following below this CDDL HEADER, with the

    17  * fields enclosed by brackets "[]" replaced with your own identifying

    18  * information: Portions Copyright [yyyy] [name of copyright owner]

    19  *

    20  * CDDL HEADER END

    21  */

    22 /*

    23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.

    24  * Use is subject to license terms.

    25  */

    26 

    27 #ifndef	_INET_KSSL_KSSLIMPL_H

    28 #define	_INET_KSSL_KSSLIMPL_H

    29 

    30 #pragma ident	"%Z%%M%	%I%	%E% SMI"

    31 

    32 #ifdef	__cplusplus

    33 extern "C" {

    34 #endif

    35 

    36 #include <sys/types.h>

    37 #include <netinet/in.h>

    38 #include <sys/socket.h>

    39 #include <sys/atomic.h>

    40 #include <sys/mutex.h>

    41 #include <sys/crypto/common.h>

    42 #include <sys/kstat.h>

    43 #include <inet/kssl/ksslapi.h>

    44 #include <inet/kssl/ksslproto.h>

    45 

    46 /*

    47  * Certificate structure. The msg field is the BER data of the

    48  * certificate.

    49  */

    50 typedef struct Certificate {

    51     uchar_t *msg;

    52     int len;

    53 } Certificate_t;

    54 

    55 /* Generic linked chain type */

    56 typedef struct kssl_chain_s {

    57 	struct kssl_chain_s	*next;

    58 	void			*item;

    59 } kssl_chain_t;

    60 

    61 /* Proxies chain. follows the generic kssl_chain_t layout */

    62 typedef struct kssl_proxy_s {

    63 	struct kssl_proxy_s	*next;

    64 	void			*proxy_bound;

    65 } kssl_proxy_t;

    66 

    67 /* Fallback endpoints chain. Ditto. */

    68 typedef struct kssl_fallback_s {

    69 	struct kssl_fallback_s	*next;

    70 	void			*fallback_bound;

    71 } kssl_fallback_t;

    72 

    73 /* kssl_entry_t structure. */

    74 

    75 typedef struct kssl_entry_s {

    76 	uint_t			ke_refcnt;	/* for hold/release */

    77 	boolean_t		ke_no_freeall;

    78 	kmutex_t		ke_mutex;

    79 

    80 	ipaddr_t		ke_laddr;	/* Only IPv4 is supported */

    81 	in_port_t		ke_ssl_port;	/* SSL port */

    82 	in_port_t		ke_proxy_port;	/* SSL proxy port */

    83 

    84 	uint32_t		sid_cache_timeout; /* In seconds */

    85 	uint32_t		sid_cache_nentries;

    86 	kssl_sid_ent_t		*sid_cache;

    87 

    88 	uint16_t		kssl_cipherSuites[CIPHER_SUITE_COUNT];

    89 	int			kssl_cipherSuites_nentries;

    90 	uint16_t		kssl_saved_Suites[CIPHER_SUITE_COUNT];

    91 

    92 	crypto_key_t		*ke_private_key; /* instance's private key */

    93 	Certificate_t		*ke_server_certificate;

    94 

    95 	Certificate_t		**ke_cacert_chain;

    96 

    97 	kssl_proxy_t	*ke_proxy_head;		/* Proxies chain */

    98 	kssl_fallback_t	*ke_fallback_head;	/* Fall-back endpoints chain */

    99 

   100 } kssl_entry_t;

   101 

   102 typedef struct mech_to_cipher_s {

   103 	crypto_mech_type_t mech;

   104 	char *name;

   105 	uint16_t kssl_suites[CIPHER_SUITE_COUNT];

   106 } mech_to_cipher_t;

   107 

   108 #define	KSSL_ENTRY_REFHOLD(kssl_entry) {				\

   109 	atomic_add_32(&(kssl_entry)->ke_refcnt, 1);			\

   110 	ASSERT((kssl_entry)->ke_refcnt != 0);				\

   111 }

   112 

   113 #define	KSSL_ENTRY_REFRELE(kssl_entry) {				\

   114 	ASSERT((kssl_entry)->ke_refcnt != 0);				\

   115 	membar_exit();							\

   116 	if (atomic_add_32_nv(&(kssl_entry)->ke_refcnt, -1) == 0) {	\

   117 		kssl_free_entry((kssl_entry));				\

   118 	}								\

   119 }

   120 

   121 #define	KSSL_SSL_REFHOLD(ssl) {						\

   122 	atomic_add_32(&(ssl)->kssl_refcnt, 1);				\

   123 	ASSERT((ssl)->kssl_refcnt != 0);				\

   124 	ASSERT((ssl)->kssl_refcnt < 100000);				\

   125 }

   126 

   127 #define	KSSL_SSL_REFRELE(ssl) {						\

   128 	ASSERT((ssl)->kssl_refcnt != 0);				\

   129 	ASSERT((ssl)->kssl_refcnt < 100000);				\

   130 	membar_exit();							\

   131 	if (atomic_add_32_nv(&(ssl)->kssl_refcnt, -1) == 0) {		\

   132 		kssl_free_context((ssl));				\

   133 	}								\

   134 }

   135 

   136 #define	CRYPTO_ERR(r) ((r) != CRYPTO_SUCCESS && (r) != CRYPTO_QUEUED)

   137 

   138 #define	KSSL_ENQUEUE_MP(ssl, mp)					\

   139 	if ((ssl)->rec_ass_tail == NULL) {				\

   140 		(ssl)->rec_ass_head = (mp);				\

   141 		(ssl)->rec_ass_tail = (mp);				\

   142 	} else {							\

   143 		(ssl)->rec_ass_tail->b_cont = (mp);			\

   144 		(ssl)->rec_ass_tail = (mp);				\

   145 	}

   146 

   147 #define	SSL_MISS	123	/* Internal SSL error */

   148 

   149 extern crypto_mechanism_t rsa_x509_mech;

   150 extern crypto_mechanism_t hmac_md5_mech;

   151 extern crypto_mechanism_t hmac_sha1_mech;

   152 extern crypto_call_flag_t kssl_call_flag;

   153 extern KSSLCipherDef cipher_defs[];

   154 

   155 extern int kssl_enabled;

   156 extern int kssl_cache_count;

   157 extern struct kmem_cache *kssl_cache;

   158 

   159 #define	KSSL_TAB_INITSIZE	32

   160 extern kssl_entry_t **kssl_entry_tab;

   161 extern int kssl_entry_tab_size;

   162 extern int kssl_entry_tab_nentries;

   163 extern kmutex_t kssl_tab_mutex;

   164 

   165 typedef struct kssl_stats {

   166 	kstat_named_t sid_cache_lookups;

   167 	kstat_named_t sid_cache_hits;

   168 	kstat_named_t sid_uncached;

   169 	kstat_named_t full_handshakes;

   170 	kstat_named_t resumed_sessions;

   171 	kstat_named_t fallback_connections;

   172 	kstat_named_t proxy_fallback_failed;

   173 	kstat_named_t appdata_record_ins;

   174 	kstat_named_t appdata_record_outs;

   175 	kstat_named_t alloc_fails;

   176 	kstat_named_t fatal_alerts;

   177 	kstat_named_t warning_alerts;

   178 	kstat_named_t no_suite_found;

   179 	kstat_named_t compute_mac_failure;

   180 	kstat_named_t verify_mac_failure;

   181 	kstat_named_t record_decrypt_failure;

   182 	kstat_named_t bad_pre_master_secret;

   183 } kssl_stats_t;

   184 

   185 extern kssl_stats_t *kssl_statp;

   186 

   187 #define	KSSL_COUNTER(p, v)	 atomic_add_64(&kssl_statp->p.value.ui64, v)

   188 

   189 #define	IS_SSL_PORT	1

   190 #define	IS_PROXY_PORT	2

   191 

   192 extern void kssl_free_entry(kssl_entry_t *);

   193 extern void kssl_free_context(ssl_t *);

   194 extern int kssl_compute_record_mac(ssl_t *, int, uint64_t, SSL3ContentType,

   195     uchar_t *, uchar_t *, int, uchar_t *);

   196 extern int kssl_handle_handshake_message(ssl_t *, mblk_t *, int *,

   197     kssl_callback_t, void *);

   198 extern int kssl_handle_v2client_hello(ssl_t *, mblk_t *, int);

   199 extern void kssl_uncache_sid(sslSessionID *, kssl_entry_t *);

   200 extern int kssl_mac_encrypt_record(ssl_t *, SSL3ContentType, uchar_t *,

   201     uchar_t *, mblk_t *);

   202 extern mblk_t *kssl_get_next_record(ssl_t *);

   203 

   204 #ifdef	__cplusplus

   205 }

   206 #endif

   207 

   208 #endif /* _INET_KSSL_KSSLIMPL_H */