|
1 /* |
|
2 * CDDL HEADER START |
|
3 * |
|
4 * The contents of this file are subject to the terms of the |
|
5 * Common Development and Distribution License, Version 1.0 only |
|
6 * (the "License"). You may not use this file except in compliance |
|
7 * with the License. |
|
8 * |
|
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
|
10 * or http://www.opensolaris.org/os/licensing. |
|
11 * See the License for the specific language governing permissions |
|
12 * and limitations under the License. |
|
13 * |
|
14 * When distributing Covered Code, include this CDDL HEADER in each |
|
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
|
16 * If applicable, add the following below this CDDL HEADER, with the |
|
17 * fields enclosed by brackets "[]" replaced with your own identifying |
|
18 * information: Portions Copyright [yyyy] [name of copyright owner] |
|
19 * |
|
20 * CDDL HEADER END |
|
21 */ |
|
22 /* |
|
23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. |
|
24 * Use is subject to license terms. |
|
25 */ |
|
26 |
|
27 #ifndef _INET_KSSL_KSSLIMPL_H |
|
28 #define _INET_KSSL_KSSLIMPL_H |
|
29 |
|
30 #pragma ident "%Z%%M% %I% %E% SMI" |
|
31 |
|
32 #ifdef __cplusplus |
|
33 extern "C" { |
|
34 #endif |
|
35 |
|
36 #include <sys/types.h> |
|
37 #include <netinet/in.h> |
|
38 #include <sys/socket.h> |
|
39 #include <sys/atomic.h> |
|
40 #include <sys/mutex.h> |
|
41 #include <sys/crypto/common.h> |
|
42 #include <sys/kstat.h> |
|
43 #include <inet/kssl/ksslapi.h> |
|
44 #include <inet/kssl/ksslproto.h> |
|
45 |
|
46 /* |
|
47 * Certificate structure. The msg field is the BER data of the |
|
48 * certificate. |
|
49 */ |
|
50 typedef struct Certificate { |
|
51 uchar_t *msg; |
|
52 int len; |
|
53 } Certificate_t; |
|
54 |
|
55 /* Generic linked chain type */ |
|
56 typedef struct kssl_chain_s { |
|
57 struct kssl_chain_s *next; |
|
58 void *item; |
|
59 } kssl_chain_t; |
|
60 |
|
61 /* Proxies chain. follows the generic kssl_chain_t layout */ |
|
62 typedef struct kssl_proxy_s { |
|
63 struct kssl_proxy_s *next; |
|
64 void *proxy_bound; |
|
65 } kssl_proxy_t; |
|
66 |
|
67 /* Fallback endpoints chain. Ditto. */ |
|
68 typedef struct kssl_fallback_s { |
|
69 struct kssl_fallback_s *next; |
|
70 void *fallback_bound; |
|
71 } kssl_fallback_t; |
|
72 |
|
73 /* kssl_entry_t structure. */ |
|
74 |
|
75 typedef struct kssl_entry_s { |
|
76 uint_t ke_refcnt; /* for hold/release */ |
|
77 boolean_t ke_no_freeall; |
|
78 kmutex_t ke_mutex; |
|
79 |
|
80 ipaddr_t ke_laddr; /* Only IPv4 is supported */ |
|
81 in_port_t ke_ssl_port; /* SSL port */ |
|
82 in_port_t ke_proxy_port; /* SSL proxy port */ |
|
83 |
|
84 uint32_t sid_cache_timeout; /* In seconds */ |
|
85 uint32_t sid_cache_nentries; |
|
86 kssl_sid_ent_t *sid_cache; |
|
87 |
|
88 uint16_t kssl_cipherSuites[CIPHER_SUITE_COUNT]; |
|
89 int kssl_cipherSuites_nentries; |
|
90 uint16_t kssl_saved_Suites[CIPHER_SUITE_COUNT]; |
|
91 |
|
92 crypto_key_t *ke_private_key; /* instance's private key */ |
|
93 Certificate_t *ke_server_certificate; |
|
94 |
|
95 Certificate_t **ke_cacert_chain; |
|
96 |
|
97 kssl_proxy_t *ke_proxy_head; /* Proxies chain */ |
|
98 kssl_fallback_t *ke_fallback_head; /* Fall-back endpoints chain */ |
|
99 |
|
100 } kssl_entry_t; |
|
101 |
|
102 typedef struct mech_to_cipher_s { |
|
103 crypto_mech_type_t mech; |
|
104 char *name; |
|
105 uint16_t kssl_suites[CIPHER_SUITE_COUNT]; |
|
106 } mech_to_cipher_t; |
|
107 |
|
108 #define KSSL_ENTRY_REFHOLD(kssl_entry) { \ |
|
109 atomic_add_32(&(kssl_entry)->ke_refcnt, 1); \ |
|
110 ASSERT((kssl_entry)->ke_refcnt != 0); \ |
|
111 } |
|
112 |
|
113 #define KSSL_ENTRY_REFRELE(kssl_entry) { \ |
|
114 ASSERT((kssl_entry)->ke_refcnt != 0); \ |
|
115 membar_exit(); \ |
|
116 if (atomic_add_32_nv(&(kssl_entry)->ke_refcnt, -1) == 0) { \ |
|
117 kssl_free_entry((kssl_entry)); \ |
|
118 } \ |
|
119 } |
|
120 |
|
121 #define KSSL_SSL_REFHOLD(ssl) { \ |
|
122 atomic_add_32(&(ssl)->kssl_refcnt, 1); \ |
|
123 ASSERT((ssl)->kssl_refcnt != 0); \ |
|
124 ASSERT((ssl)->kssl_refcnt < 100000); \ |
|
125 } |
|
126 |
|
127 #define KSSL_SSL_REFRELE(ssl) { \ |
|
128 ASSERT((ssl)->kssl_refcnt != 0); \ |
|
129 ASSERT((ssl)->kssl_refcnt < 100000); \ |
|
130 membar_exit(); \ |
|
131 if (atomic_add_32_nv(&(ssl)->kssl_refcnt, -1) == 0) { \ |
|
132 kssl_free_context((ssl)); \ |
|
133 } \ |
|
134 } |
|
135 |
|
136 #define CRYPTO_ERR(r) ((r) != CRYPTO_SUCCESS && (r) != CRYPTO_QUEUED) |
|
137 |
|
138 #define KSSL_ENQUEUE_MP(ssl, mp) \ |
|
139 if ((ssl)->rec_ass_tail == NULL) { \ |
|
140 (ssl)->rec_ass_head = (mp); \ |
|
141 (ssl)->rec_ass_tail = (mp); \ |
|
142 } else { \ |
|
143 (ssl)->rec_ass_tail->b_cont = (mp); \ |
|
144 (ssl)->rec_ass_tail = (mp); \ |
|
145 } |
|
146 |
|
147 #define SSL_MISS 123 /* Internal SSL error */ |
|
148 |
|
149 extern crypto_mechanism_t rsa_x509_mech; |
|
150 extern crypto_mechanism_t hmac_md5_mech; |
|
151 extern crypto_mechanism_t hmac_sha1_mech; |
|
152 extern crypto_call_flag_t kssl_call_flag; |
|
153 extern KSSLCipherDef cipher_defs[]; |
|
154 |
|
155 extern int kssl_enabled; |
|
156 extern int kssl_cache_count; |
|
157 extern struct kmem_cache *kssl_cache; |
|
158 |
|
159 #define KSSL_TAB_INITSIZE 32 |
|
160 extern kssl_entry_t **kssl_entry_tab; |
|
161 extern int kssl_entry_tab_size; |
|
162 extern int kssl_entry_tab_nentries; |
|
163 extern kmutex_t kssl_tab_mutex; |
|
164 |
|
165 typedef struct kssl_stats { |
|
166 kstat_named_t sid_cache_lookups; |
|
167 kstat_named_t sid_cache_hits; |
|
168 kstat_named_t sid_uncached; |
|
169 kstat_named_t full_handshakes; |
|
170 kstat_named_t resumed_sessions; |
|
171 kstat_named_t fallback_connections; |
|
172 kstat_named_t proxy_fallback_failed; |
|
173 kstat_named_t appdata_record_ins; |
|
174 kstat_named_t appdata_record_outs; |
|
175 kstat_named_t alloc_fails; |
|
176 kstat_named_t fatal_alerts; |
|
177 kstat_named_t warning_alerts; |
|
178 kstat_named_t no_suite_found; |
|
179 kstat_named_t compute_mac_failure; |
|
180 kstat_named_t verify_mac_failure; |
|
181 kstat_named_t record_decrypt_failure; |
|
182 kstat_named_t bad_pre_master_secret; |
|
183 } kssl_stats_t; |
|
184 |
|
185 extern kssl_stats_t *kssl_statp; |
|
186 |
|
187 #define KSSL_COUNTER(p, v) atomic_add_64(&kssl_statp->p.value.ui64, v) |
|
188 |
|
189 #define IS_SSL_PORT 1 |
|
190 #define IS_PROXY_PORT 2 |
|
191 |
|
192 extern void kssl_free_entry(kssl_entry_t *); |
|
193 extern void kssl_free_context(ssl_t *); |
|
194 extern int kssl_compute_record_mac(ssl_t *, int, uint64_t, SSL3ContentType, |
|
195 uchar_t *, uchar_t *, int, uchar_t *); |
|
196 extern int kssl_handle_handshake_message(ssl_t *, mblk_t *, int *, |
|
197 kssl_callback_t, void *); |
|
198 extern int kssl_handle_v2client_hello(ssl_t *, mblk_t *, int); |
|
199 extern void kssl_uncache_sid(sslSessionID *, kssl_entry_t *); |
|
200 extern int kssl_mac_encrypt_record(ssl_t *, SSL3ContentType, uchar_t *, |
|
201 uchar_t *, mblk_t *); |
|
202 extern mblk_t *kssl_get_next_record(ssl_t *); |
|
203 |
|
204 #ifdef __cplusplus |
|
205 } |
|
206 #endif |
|
207 |
|
208 #endif /* _INET_KSSL_KSSLIMPL_H */ |