authorKrishna Yenduri <Bhargava.Yenduri@Sun.COM>2009-09-14 11:09:53 -0700
committerKrishna Yenduri <Bhargava.Yenduri@Sun.COM>2009-09-14 11:09:53 -0700
commit2ec7cc7fc084163eaed884efee9bbd322cc8951b (patch)
treef6bb218709f7ca4fbfc99a682052640658b9d70f /usr/src
parent53dbcc5939527e6d5d52d814e51e364b5e8bb532 (diff)
6228975 Need IPv6 support for KSSL
6627569 need kssl_sid_cached kstat counter
6846333 ksslcfg no longer displays version
6668826 missing curly brackets in kssl_release_ent
6873066 cleanup unused code in ksslproto.h and ksslapi.h
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/Makefile6
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm.h7
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c55
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_delete.c11
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg.c58
-rw-r--r--usr/src/uts/common/c2/audit.c14
-rw-r--r--usr/src/uts/common/inet/kssl/kssl.c13
-rw-r--r--usr/src/uts/common/inet/kssl/kssl.h8
-rw-r--r--usr/src/uts/common/inet/kssl/ksslapi.c67
-rw-r--r--usr/src/uts/common/inet/kssl/ksslapi.h11
-rw-r--r--usr/src/uts/common/inet/kssl/ksslimpl.h8
-rw-r--r--usr/src/uts/common/inet/kssl/ksslioctl.c50
-rw-r--r--usr/src/uts/common/inet/kssl/ksslproto.h108
-rw-r--r--usr/src/uts/common/inet/kssl/ksslrec.c113
-rw-r--r--usr/src/uts/common/inet/tcp/tcp_kssl.c26
15 files changed, 265 insertions, 290 deletions
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/Makefile b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/Makefile
index 80acedff33..cf51abee85 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/Makefile
+++ b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/Makefile
@@ -19,11 +19,9 @@
# CDDL HEADER END
#
#
-# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
-#
# cmd/cmd-inet/usr.sbin/kssl/kssladm/Makefile
#
@@ -45,7 +43,7 @@ ROOTUSRLIBPROG = $(PROG:%=$(ROOTLIB)/%)
CFLAGS += $(CCVERBOSE)
-LDLIBS += -lkmf -lpkcs11 -lcryptoutil -lnsl
+LDLIBS += -lkmf -lpkcs11 -lcryptoutil -lnsl -lsocket
all: $(PROG)
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm.h b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm.h
index a9f4ef22ac..05b8923d2b 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm.h
+++ b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm.h
@@ -20,15 +20,13 @@
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _KSSLADM_H
#define _KSSLADM_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
/*
* Common routines and variables used by kssladm files.
*/
@@ -69,7 +67,8 @@ extern int PKCS12_get_rsa_key_certs(KMF_HANDLE_T, const char *,
extern int get_passphrase(const char *password_file, char *buf, int buf_size);
extern int kssl_send_command(char *buf, int cmd);
-extern int parse_and_set_addr(char *arg1, char *arg2, struct sockaddr_in *addr);
+extern int parse_and_set_addr(char *arg1, char *arg2,
+ struct sockaddr_in6 *addr);
#ifdef __cplusplus
}
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c
index 74324231d5..6c2dac270a 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c
+++ b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c
@@ -20,12 +20,10 @@
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <errno.h>
#include <sys/sysmacros.h>
#include <security/cryptoki.h>
@@ -311,7 +309,6 @@ get_sensitive_key_data(KMF_HANDLE_T kmfh,
static CK_BYTE aes_param[16];
static CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY;
static CK_KEY_TYPE privkey_type = CKK_RSA;
- static CK_BBOOL true = TRUE;
static CK_BBOOL false = FALSE;
boolean_t kmftrue = B_TRUE;
boolean_t kmffalse = B_FALSE;
@@ -485,7 +482,7 @@ get_sensitive_key_data(KMF_HANDLE_T kmfh,
* Create a label for the wrapped session key so we can find
* it easier later.
*/
- snprintf(wrapkey_label, sizeof (wrapkey_label), "ksslprikey_%d",
+ (void) snprintf(wrapkey_label, sizeof (wrapkey_label), "ksslprikey_%d",
getpid());
unwrap_tmpl[5].pValue = wrapkey_label;
@@ -564,10 +561,10 @@ out:
free(wrapped_privkey);
if (aes_key_obj != CK_INVALID_HANDLE)
- C_DestroyObject(pk11session, aes_key_obj);
+ (void) C_DestroyObject(pk11session, aes_key_obj);
if (sess_privkey_obj != CK_INVALID_HANDLE)
- C_DestroyObject(pk11session, sess_privkey_obj);
+ (void) C_DestroyObject(pk11session, sess_privkey_obj);
return (rv);
}
@@ -930,35 +927,33 @@ load_from_pkcs12(KMF_HANDLE_T kmfh, const char *filename,
int
parse_and_set_addr(char *server_address, char *server_port,
- struct sockaddr_in *addr)
+ struct sockaddr_in6 *addr)
{
if (server_port == NULL) {
return (-1);
}
if (server_address == NULL) {
- addr->sin_addr.s_addr = INADDR_ANY;
+ addr->sin6_addr = in6addr_any;
} else {
- addr->sin_addr.s_addr = inet_addr(server_address);
- if ((int)addr->sin_addr.s_addr == -1) {
- struct hostent *hp;
-
- if ((hp = gethostbyname(server_address)) == NULL) {
- (void) fprintf(stderr,
- "Error: Unknown host: %s\n",
- server_address);
- return (-1);
- }
-
- (void) memcpy(&addr->sin_addr.s_addr,
- hp->h_addr_list[0],
- sizeof (addr->sin_addr.s_addr));
+ struct hostent *hp;
+ int error_num;
+
+ if ((hp = (getipnodebyname(server_address, AF_INET6,
+ AI_DEFAULT, &error_num))) == NULL) {
+ (void) fprintf(stderr, "Error: Unknown host: %s\n",
+ server_address);
+ return (-1);
}
+
+ (void) memcpy((caddr_t)&addr->sin6_addr, hp->h_addr,
+ hp->h_length);
+ freehostent(hp);
}
errno = 0;
- addr->sin_port = strtol(server_port, NULL, 10);
- if (addr->sin_port == 0 || errno != 0) {
+ addr->sin6_port = strtol(server_port, NULL, 10);
+ if (addr->sin6_port == 0 || errno != 0) {
(void) fprintf(stderr, "Error: Invalid Port value: %s\n",
server_port);
return (-1);
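Review bot: The port parse on the new `addr->sin6_port = strtol(server_port, NULL, 10);` line still accepts out-of-range and partially numeric input: strtol returns a long that is silently truncated into the 16-bit sin6_port, so "70000" or "-1" pass the `== 0` check with a wrong port, and a NULL endptr means "80abc" is accepted as 80. Parse into a long with an end pointer, reject trailing characters and anything outside 1..65535, and only then store the value. parse_and_set_addr continues past the end of this hunk.
```c
	char *end;
	long port;

	/* … unchanged: address resolution above … */
	errno = 0;
	port = strtol(server_port, &end, 10);
	if (end == server_port || *end != '\0' || errno != 0 ||
	    port < 1 || port > 65535) {
		(void) fprintf(stderr, "Error: Invalid Port value: %s\n",
		    server_port);
		return (-1);
	}
	addr->sin6_port = (in_port_t)port;
```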
@@ -1037,7 +1032,7 @@ do_create(int argc, char *argv[])
uint32_t scache_size = DEFAULT_SID_CACHE_NENTRIES;
uint16_t kssl_suites[CIPHER_SUITE_COUNT - 1];
int proxy_port = -1;
- struct sockaddr_in server_addr;
+ struct sockaddr_in6 server_addr;
char *format = NULL;
char *port, *addr;
char c;
@@ -1113,8 +1108,12 @@ do_create(int argc, char *argv[])
}
if (verbose) {
- (void) printf("addr=%s, port = %d\n",
- inet_ntoa(server_addr.sin_addr), server_addr.sin_port);
+ char buffer[128];
+
+ (void) inet_ntop(AF_INET6, &server_addr.sin6_addr, buffer,
+ sizeof (buffer));
+ (void) printf("addr = %s, port = %d\n", buffer,
+ server_addr.sin6_port);
}
if (format == NULL || proxy_port == -1) {
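Review bot: The return value of inet_ntop() is discarded on the new verbose-print lines, so if the conversion fails `buffer` is printed uninitialized. Checking the result is a two-line change: `if (inet_ntop(AF_INET6, &server_addr.sin6_addr, buffer, sizeof (buffer)) == NULL)` followed by `(void) strlcpy(buffer, "<unknown>", sizeof (buffer));`. Sizing the buffer as `char buffer[INET6_ADDRSTRLEN];` would also document why 128 is more than enough. do_create continues outside this hunk.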
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_delete.c b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_delete.c
index e39eb5946c..bd5a6b45a4 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_delete.c
+++ b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_delete.c
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,12 +19,10 @@
* CDDL HEADER END
*/
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <netinet/in.h> /* struct sockaddr_in */
#include <stdio.h>
#include <stdlib.h>
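Review bot: The context line `#include <netinet/in.h> /* struct sockaddr_in */` now carries a stale comment, since do_delete in the next hunk declares `struct sockaddr_in6 server_addr;` and no sockaddr_in remains in the file. Update it to `#include <netinet/in.h> /* struct sockaddr_in6 */` so the include's purpose matches the code.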
@@ -47,7 +44,7 @@ usage_delete(boolean_t do_print)
int
do_delete(int argc, char *argv[])
{
- struct sockaddr_in server_addr;
+ struct sockaddr_in6 server_addr;
char c;
char *port, *addr;
int pcnt;
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg.c b/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg.c
index d4005fe2d6..80d945ebaf 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg.c
+++ b/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg.c
@@ -19,12 +19,10 @@
* CDDL HEADER END
*/
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <arpa/inet.h> /* inet_addr() */
#include <ctype.h>
#include <libscf.h>
@@ -46,7 +44,11 @@
* It makes use of kssladm(1M) which does the grunt work.
*/
-#define KSSLCFG_VERSION "v%I%"
+/*
+ * This version number is rather meaningless. In any case,
+ * version 2.0 adds support for IPv6 addresses.
+ */
+#define KSSLCFG_VERSION "Version 2.0"
boolean_t verbose = B_FALSE;
const char *SERVICE_NAME = "network/ssl/proxy";
@@ -96,12 +98,12 @@ create_instance_name(const char *arg, char **inaddr_any_name,
int len;
uint16_t port;
char *cname;
- in_addr_t addr;
char *instance_name;
const char *prefix = "kssl-";
- char *first_space = strchr(arg, ' ');
+ char *first_space;
- if (first_space == NULL) {
+ first_space = strchr(arg, ' ');
+ if (first_space == NULL) { /* No host name. Use INADDR_ANY. */
if (get_portnum(arg, &port) == 0) {
(void) fprintf(stderr,
gettext("Error: Invalid port value -- %s\n"),
@@ -116,6 +118,9 @@ create_instance_name(const char *arg, char **inaddr_any_name,
char *ptr;
struct hostent *hp;
boolean_t do_warn;
+ int error_num;
+ in_addr_t v4addr;
+ in6_addr_t v6addr;
if (get_portnum(first_space + 1, &port) == 0) {
(void) fprintf(stderr,
@@ -129,30 +134,35 @@ create_instance_name(const char *arg, char **inaddr_any_name,
return (NULL);
*(strchr(temp_str, ' ')) = '\0';
- if ((int)(addr = inet_addr(temp_str)) == -1) {
- if ((hp = gethostbyname(temp_str)) == NULL) {
- (void) fprintf(stderr,
- gettext("Error: Unknown host -- %s\n"),
- temp_str);
- free(temp_str);
- return (NULL);
- }
+ if (inet_pton(AF_INET6, temp_str, &v6addr) == 1) {
+ /* Do a reverse lookup for the IPv6 address */
+ hp = getipnodebyaddr(&v6addr, sizeof (v6addr),
+ AF_INET6, &error_num);
+ } else if (inet_pton(AF_INET, temp_str, &v4addr) == 1) {
+ /* Do a reverse lookup for the IPv4 address */
+ hp = getipnodebyaddr(&v4addr, sizeof (v4addr),
+ AF_INET, &error_num);
} else {
- /* This is an IP address. Do a reverse lookup. */
- if ((hp = gethostbyaddr((char *)&addr, 4, AF_INET))
- == NULL) {
- (void) fprintf(stderr,
- gettext("Error: Unknown host -- %s\n"),
- temp_str);
- free(temp_str);
- return (NULL);
- }
+ /* Do a lookup for the host name */
+ hp = getipnodebyname(temp_str, AF_INET6, AI_DEFAULT,
+ &error_num);
+ }
+
+ if (hp == NULL) {
+ (void) fprintf(stderr,
+ gettext("Error: Unknown host -- %s\n"), temp_str);
+ free(temp_str);
+ return (NULL);
}
if ((ptr = cname = strdup(hp->h_name)) == NULL) {
+ freehostent(hp);
free(temp_str);
return (NULL);
}
+
+ freehostent(hp);
+
do_warn = B_TRUE;
/* "s/./-/g" */
while ((ptr = strchr(ptr, '.')) != NULL) {
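Review bot: `error_num` is filled in by all three new getipnodebyaddr()/getipnodebyname() calls but never read, so the consolidated "Unknown host" message cannot tell a transient resolver failure (TRY_AGAIN) from a genuinely unknown name, which matters for a tool that is likely run from service start scripts. Include it in the diagnostic, e.g. `gettext("Error: Unknown host -- %s (error %d)\n"), temp_str, error_num`. create_instance_name begins and ends outside this hunk.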
diff --git a/usr/src/uts/common/c2/audit.c b/usr/src/uts/common/c2/audit.c
index d6ffb66927..614fed01af 100644
--- a/usr/src/uts/common/c2/audit.c
+++ b/usr/src/uts/common/c2/audit.c
@@ -2258,12 +2258,13 @@ audit_kssl(int cmd, void *params, int error)
case KSSL_ADD_ENTRY: {
char buf[32];
kssl_params_t *kp = (kssl_params_t *)params;
- struct sockaddr_in *saddr = &(kp->kssl_addr);
+ struct sockaddr_in6 *saddr = &kp->kssl_addr;
au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
- au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr)));
+ au_write((caddr_t *)&ad,
+ au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
(void) snprintf(buf, sizeof (buf), "SSL port=%d",
- saddr->sin_port);
+ saddr->sin6_port);
au_write((caddr_t *)&ad, au_to_text(buf));
(void) snprintf(buf, sizeof (buf), "proxy port=%d",
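Review bot: The KSSL_ADD_ENTRY and KSSL_DELETE_ENTRY cases now repeat the same three statements (au_to_in_addr_ex on `&saddr->sin6_addr`, the "SSL port=%d" snprintf, and the au_write of buf) in this hunk and the next one, and the second copy has already drifted once in this commit. A small `static void audit_kssl_addr(adr_t *ad, struct sockaddr_in6 *saddr)` helper used by both cases would keep the two audit records identical in the future. The `(int32_t *)` cast also deserves a one-line comment saying what au_to_in_addr_ex expects, since sin6_addr is not an int32_t array by declaration. audit_kssl begins and ends outside the hunk.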
@@ -2274,12 +2275,13 @@ audit_kssl(int cmd, void *params, int error)
case KSSL_DELETE_ENTRY: {
char buf[32];
- struct sockaddr_in *saddr = (struct sockaddr_in *)params;
+ struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params;
au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
- au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr)));
+ au_write((caddr_t *)&ad,
+ au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
(void) snprintf(buf, sizeof (buf), "SSL port=%d",
- saddr->sin_port);
+ saddr->sin6_port);
au_write((caddr_t *)&ad, au_to_text(buf));
break;
}
diff --git a/usr/src/uts/common/inet/kssl/kssl.c b/usr/src/uts/common/inet/kssl/kssl.c
index ac95cefc8f..19699a3990 100644
--- a/usr/src/uts/common/inet/kssl/kssl.c
+++ b/usr/src/uts/common/inet/kssl/kssl.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -36,13 +36,11 @@
#include <sys/sunddi.h>
#include <sys/kmem.h>
#include <sys/errno.h>
-#include <sys/ksynch.h>
#include <sys/file.h>
#include <sys/open.h>
#include <sys/cred.h>
#include <sys/proc.h>
#include <sys/task.h>
-#include <sys/mkdev.h>
#include <sys/model.h>
#include <sys/sysmacros.h>
#include <sys/policy.h>
@@ -146,7 +144,6 @@ KSSLCipherDef cipher_defs[] = { /* indexed by SSL3BulkCipher */
{type_block, 16, 32, CRYPTO_MECH_INVALID},
};
-int kssl_enabled = 1;
struct kmem_cache *kssl_cache;
static void kssl_global_init();
@@ -327,7 +324,7 @@ kssl_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *c,
break;
}
case KSSL_DELETE_ENTRY: {
- struct sockaddr_in server_addr;
+ struct sockaddr_in6 server_addr;
if (copyin(ARG, &server_addr, sizeof (server_addr)) != 0) {
return (EFAULT);
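Review bot: The copied-in `server_addr` is handed to kssl_delete_entry without checking `sin6_family`, and a sockaddr_in from an older kssladm is a different size and layout, so stale callers are interpreted as a garbage IPv6 address rather than rejected. Add `if (server_addr.sin6_family != AF_INET6) return (EINVAL);` after the copyin; the same check is missing in ksslioctl.c where kssl_add_entry reads `kssl_params->kssl_addr.sin6_addr` (the `laddr = ...` hunk) and where kssl_delete_entry reads `kssl_addr->sin6_addr`. kssl_ioctl begins and ends outside this hunk.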
@@ -344,7 +341,7 @@ kssl_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *c,
}
#define NUM_MECHS 7
-mech_to_cipher_t mech_to_cipher_tab[NUM_MECHS] = {
+static mech_to_cipher_t mech_to_cipher_tab[NUM_MECHS] = {
{CRYPTO_MECH_INVALID, SUN_CKM_RSA_X_509,
{SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
@@ -415,7 +412,7 @@ is_in_mechlist(char *name, crypto_mech_name_t *mechs, int count)
* Callback function invoked by the crypto framework when a provider's
* mechanism is available/unavailable. This callback updates entries in the
* kssl_entry_tab[] to make changes to the cipher suites of an entry
- * which are affected by the mechansim.
+ * which are affected by the mechanism.
*/
static void
kssl_event_callback(uint32_t event, void *event_arg)
@@ -547,6 +544,8 @@ kssl_global_init()
"kssl_sid_cache_lookups", KSTAT_DATA_UINT64);
kstat_named_init(&kssl_statp->sid_cache_hits,
"kssl_sid_cache_hits", KSTAT_DATA_UINT64);
+ kstat_named_init(&kssl_statp->sid_cached,
+ "kssl_sid_cached", KSTAT_DATA_UINT64);
kstat_named_init(&kssl_statp->sid_uncached,
"kssl_sid_uncached", KSTAT_DATA_UINT64);
diff --git a/usr/src/uts/common/inet/kssl/kssl.h b/usr/src/uts/common/inet/kssl/kssl.h
index d9936a7f5a..f94c6057b9 100644
--- a/usr/src/uts/common/inet/kssl/kssl.h
+++ b/usr/src/uts/common/inet/kssl/kssl.h
@@ -19,15 +19,13 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _INET_KSSL_KSSL_H
#define _INET_KSSL_KSSL_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#ifdef __cplusplus
extern "C" {
#endif
@@ -80,7 +78,7 @@ typedef struct kssl_tokinfo_s {
typedef struct kssl_params_s {
uint64_t kssl_params_size; /* total params buf len */
/* address and port number */
- struct sockaddr_in kssl_addr;
+ struct sockaddr_in6 kssl_addr;
uint16_t kssl_proxy_port;
uint32_t kssl_session_cache_timeout; /* In seconds */
@@ -110,7 +108,7 @@ typedef struct kssl_params_s {
#ifdef _KERNEL
extern int kssl_add_entry(kssl_params_t *);
-extern int kssl_delete_entry(struct sockaddr_in *);
+extern int kssl_delete_entry(struct sockaddr_in6 *);
#endif /* _KERNEL */
diff --git a/usr/src/uts/common/inet/kssl/ksslapi.c b/usr/src/uts/common/inet/kssl/ksslapi.c
index dd7641d631..d521c0a017 100644
--- a/usr/src/uts/common/inet/kssl/ksslapi.c
+++ b/usr/src/uts/common/inet/kssl/ksslapi.c
@@ -33,7 +33,6 @@
#include <inet/common.h>
#include <inet/ip.h>
-#include <inet/ip6.h>
#include <sys/systm.h>
#include <sys/param.h>
@@ -70,8 +69,7 @@ static kssl_status_t kssl_build_single_record(ssl_t *ssl, mblk_t *mp);
* lower modules' SSL hooks that handle the Handshake messages.
* The function returns KSSL_IS_PROXY.
*
- * The function returns KSSL_NO_PROXY otherwise. We do not suppport
- * IPv6 addresses.
+ * The function returns KSSL_NO_PROXY otherwise.
*/
kssl_endpt_type_t
@@ -83,38 +81,32 @@ kssl_check_proxy(mblk_t *bindmp, void *cookie, kssl_ent_t *ksslent)
sin_t *sin;
sin6_t *sin6;
struct T_bind_req *tbr;
- ipaddr_t v4addr;
+ in6_addr_t mapped_v4addr;
+ in6_addr_t *v6addr;
in_port_t in_port;
- if (kssl_enabled == 0) {
+ if (kssl_entry_tab_nentries == 0) {
return (KSSL_NO_PROXY);
}
- tbr = (struct T_bind_req *)bindmp->b_rptr;
-
ret = KSSL_NO_PROXY;
+ tbr = (struct T_bind_req *)bindmp->b_rptr;
sin = (sin_t *)(bindmp->b_rptr + tbr->ADDR_offset);
switch (tbr->ADDR_length) {
case sizeof (sin_t):
in_port = ntohs(sin->sin_port);
- v4addr = sin->sin_addr.s_addr;
+ IN6_IPADDR_TO_V4MAPPED(sin->sin_addr.s_addr, &mapped_v4addr);
+ v6addr = &mapped_v4addr;
break;
case sizeof (sin6_t):
- /*
- * Handle any IPv4-mapped IPv6 address for now.
- * Support of IPv6 will be added later.
- */
sin6 = (sin6_t *)sin;
- if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
- in_port = ntohs(sin6->sin6_port);
- IN6_V4MAPPED_TO_IPADDR(&sin6->sin6_addr, v4addr);
- break;
- }
+ in_port = ntohs(sin6->sin6_port);
+ v6addr = &sin6->sin6_addr;
+ break;
- /* fallthrough for normal IPv6 address */
default:
return (ret);
}
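Review bot: The new `if (kssl_entry_tab_nentries == 0)` fast-path test reads the table count without kssl_tab_mutex, replacing the old kssl_enabled flag. If the table scan further down runs under the mutex (not visible in this hunk) a stale read only costs an extra scan and this is fine, but that intent should be written down: `/* Unlocked fast-path check; the table scan below is the authoritative test. */`. If the scan is also unlocked, this is a data race against kssl_add_entry rather than a shortcut. kssl_check_proxy continues past the end of the hunk.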
@@ -125,7 +117,8 @@ kssl_check_proxy(mblk_t *bindmp, void *cookie, kssl_ent_t *ksslent)
if ((ep = kssl_entry_tab[i]) == NULL)
continue;
- if ((ep->ke_laddr == v4addr) || (ep->ke_laddr == INADDR_ANY)) {
+ if (IN6_ARE_ADDR_EQUAL(&ep->ke_laddr, v6addr) ||
+ IN6_IS_ADDR_UNSPECIFIED(&ep->ke_laddr)) {
/* This is an SSL port to fallback to */
if (ep->ke_ssl_port == in_port) {
@@ -301,16 +294,18 @@ kssl_release_ent(kssl_ent_t ksslent, void *cookie, kssl_endpt_type_t endpt_type)
kssl_entry_t *kssl_entry = (kssl_entry_t *)ksslent;
if (cookie != NULL) {
- if (endpt_type == KSSL_IS_PROXY)
+ if (endpt_type == KSSL_IS_PROXY) {
ASSERT(kssl_entry->ke_proxy_head != NULL);
kssl_dequeue(
(kssl_chain_t **)&kssl_entry->ke_proxy_head,
cookie);
- if (endpt_type == KSSL_HAS_PROXY)
+ }
+ if (endpt_type == KSSL_HAS_PROXY) {
ASSERT(kssl_entry->ke_fallback_head != NULL);
kssl_dequeue(
(kssl_chain_t **)&kssl_entry->ke_fallback_head,
cookie);
+ }
}
KSSL_ENTRY_REFRELE(kssl_entry);
}
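Review bot: The two newly braced blocks test mutually exclusive values of `endpt_type`, so the second `if` should read `} else if (endpt_type == KSSL_HAS_PROXY) {` to make that exclusivity visible and avoid re-testing after the first dequeue. The brace fix itself is correct; before it the second kssl_dequeue ran unconditionally.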
@@ -574,7 +569,7 @@ kssl_handle_mblk(kssl_ctx_t ctx, mblk_t **mpp, mblk_t **outmp)
SSL3ContentType content_type;
ssl_t *ssl;
KSSLCipherSpec *spec;
- int error = 0, ret;
+ int error, ret;
kssl_cmd_t kssl_cmd = KSSL_CMD_DELIVER_PROXY;
boolean_t deliverit = B_FALSE;
crypto_data_t cipher_data;
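Review bot: Dropping the initializer from `int error, ret;` is only safe if every path that reads `error` assigns it first; the rest of kssl_handle_mblk lies outside this hunk, so that cannot be confirmed here, and an unassigned read would be undefined behaviour rather than a harmless zero. The same removal appears for `reclen` and `pad_sz` in kssl_build_single_record and for `newattrs` in extract_private_key. If the intent is to let the compiler's uninitialized-use warning catch missed paths, a one-line comment saying so (`/* deliberately uninitialized: every path below sets it */`) would stop the next reader from restoring the `= 0`.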
@@ -606,7 +601,7 @@ more:
if (DB_REF(mp) > 1) {
/*
* Fortunately copyb() preserves the offset,
- * tail space and alignement so the copy is
+ * tail space and alignment so the copy is
* ready to be made an SSL record.
*/
if ((copybp = copyb(mp)) == NULL)
@@ -1098,7 +1093,6 @@ kssl_handle_any_record(kssl_ctx_t ctx, mblk_t *mp, mblk_t **decrmp,
if (ssl->sid.cached == B_TRUE) {
kssl_uncache_sid(&ssl->sid,
ssl->kssl_entry);
- ssl->sid.cached = B_FALSE;
}
DTRACE_PROBE2(kssl_err__bad_content_alert,
SSL3AlertLevel, level,
@@ -1187,12 +1181,11 @@ error:
/*
* Initialize the context of an SSL connection, coming to the specified
- * address.
- * the ssl structure returned is held.
+ * address. The ssl structure is returned held.
*/
kssl_status_t
-kssl_init_context(kssl_ent_t kssl_ent, ipaddr_t faddr, int mss,
- kssl_ctx_t *kssl_ctxp)
+kssl_init_context(kssl_ent_t kssl_ent, void *addr, boolean_t is_v4,
+ int mss, kssl_ctx_t *kssl_ctxp)
{
ssl_t *ssl = kmem_cache_alloc(kssl_cache, KM_NOSLEEP);
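Review bot: The new signature `kssl_init_context(kssl_ent_t kssl_ent, void *addr, boolean_t is_v4, ...)` drops type checking at the one point where it matters: the next hunk dereferences `addr` as either `ipaddr_t *` or `in6_addr_t *` depending on the flag, so a caller that passes the wrong pair is not caught at compile time. Taking `const in6_addr_t *` and having the caller use IN6_IPADDR_TO_V4MAPPED, or at least `const void *`, would be safer. The header comment above should also describe the two parameters, e.g. `addr points to an ipaddr_t when is_v4 is B_TRUE, otherwise to an in6_addr_t; IPv4 peers are stored v4-mapped`. The function body is in the following hunk.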
@@ -1207,7 +1200,11 @@ kssl_init_context(kssl_ent_t kssl_ent, ipaddr_t faddr, int mss,
ssl->kssl_entry = (kssl_entry_t *)kssl_ent;
KSSL_ENTRY_REFHOLD(ssl->kssl_entry);
- ssl->faddr = faddr;
+ if (is_v4) {
+ IN6_IPADDR_TO_V4MAPPED(*((ipaddr_t *)addr), &ssl->faddr);
+ } else {
+ ssl->faddr = *((in6_addr_t *)addr); /* struct assignment */
+ }
ssl->tcp_mss = mss;
ssl->sendalert_level = alert_warning;
ssl->sendalert_desc = close_notify;
@@ -1220,7 +1217,7 @@ kssl_init_context(kssl_ent_t kssl_ent, ipaddr_t faddr, int mss,
/*
* Builds SSL records out of the chain of mblks, and returns it.
- * Taked a copy of the message before encypting it if it has another
+ * Takes a copy of the message before encrypting it if it has another
* reference.
* In case of failure, NULL is returned, and the message will be
* freed by the caller.
@@ -1239,7 +1236,7 @@ kssl_build_record(kssl_ctx_t ctx, mblk_t *mp)
if (DB_REF(bp) > 1) {
/*
* Fortunately copyb() preserves the offset,
- * tail space and alignement so the copy is
+ * tail space and alignment so the copy is
* ready to be made an SSL record.
*/
if ((copybp = copyb(bp)) == NULL)
@@ -1266,24 +1263,22 @@ kssl_build_record(kssl_ctx_t ctx, mblk_t *mp)
}
/*
- * Builds a single SSL record
+ * Builds a single SSL record.
* In-line encryption of the record.
*/
static kssl_status_t
kssl_build_single_record(ssl_t *ssl, mblk_t *mp)
{
int len;
- int reclen = 0;
+ int reclen;
uchar_t *recstart, *versionp;
KSSLCipherSpec *spec;
int mac_sz;
- int pad_sz = 0;
-
+ int pad_sz;
spec = &ssl->spec[KSSL_WRITE];
mac_sz = spec->mac_hashsz;
-
ASSERT(DB_REF(mp) == 1);
ASSERT((mp->b_rptr - mp->b_datap->db_base >= SSL3_HDR_LEN) &&
(mp->b_datap->db_lim - mp->b_wptr >= mac_sz + spec->cipher_bsize));
diff --git a/usr/src/uts/common/inet/kssl/ksslapi.h b/usr/src/uts/common/inet/kssl/ksslapi.h
index 0dd09bb808..62dd1a7110 100644
--- a/usr/src/uts/common/inet/kssl/ksslapi.h
+++ b/usr/src/uts/common/inet/kssl/ksslapi.h
@@ -19,15 +19,13 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _INET_KSSL_KSSLAPI_H
#define _INET_KSSL_KSSLAPI_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
/*
* The kernel SSL proxy interface
*/
@@ -64,10 +62,6 @@ typedef enum {
KSSL_CMD_QUEUED /* Queued, a call back will finish it */
} kssl_cmd_t;
-typedef enum {
- KSSL_EVENT_CLOSE /* close this context */
-} kssl_event_t;
-
/* Un opaque context of an SSL connection */
typedef void *kssl_ctx_t;
@@ -82,7 +76,8 @@ typedef void *kssl_ent_t;
kssl_endpt_type_t kssl_check_proxy(mblk_t *, void *, kssl_ent_t *);
-kssl_status_t kssl_init_context(kssl_ent_t, uint32_t, int, kssl_ctx_t *);
+kssl_status_t kssl_init_context(kssl_ent_t, void *, boolean_t,
+ int, kssl_ctx_t *);
void kssl_hold_ent(kssl_ent_t);
void kssl_release_ent(kssl_ent_t, void *, kssl_endpt_type_t);
diff --git a/usr/src/uts/common/inet/kssl/ksslimpl.h b/usr/src/uts/common/inet/kssl/ksslimpl.h
index 947939051a..f9f002fff3 100644
--- a/usr/src/uts/common/inet/kssl/ksslimpl.h
+++ b/usr/src/uts/common/inet/kssl/ksslimpl.h
@@ -19,15 +19,13 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _INET_KSSL_KSSLIMPL_H
#define _INET_KSSL_KSSLIMPL_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#ifdef __cplusplus
extern "C" {
#endif
@@ -94,7 +92,7 @@ typedef struct kssl_entry_s {
boolean_t ke_no_freeall;
kmutex_t ke_mutex;
- ipaddr_t ke_laddr; /* Only IPv4 is supported */
+ in6_addr_t ke_laddr;
in_port_t ke_ssl_port; /* SSL port */
in_port_t ke_proxy_port; /* SSL proxy port */
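Review bot: `in6_addr_t ke_laddr;` lost its comment in the change and the new representation is not self-explanatory: kssl_check_proxy maps IPv4 bind addresses with IN6_IPADDR_TO_V4MAPPED before comparing against this field, so entries for IPv4 listeners are evidently expected in v4-mapped form. Say so where the field is declared, `in6_addr_t ke_laddr; /* listen address; IPv4 kept v4-mapped */`, so the two sides of the comparison do not drift.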
@@ -183,7 +181,6 @@ extern crypto_mechanism_t hmac_sha1_mech;
extern crypto_call_flag_t kssl_call_flag;
extern KSSLCipherDef cipher_defs[];
-extern int kssl_enabled;
extern int kssl_cache_count;
extern struct kmem_cache *kssl_cache;
@@ -196,6 +193,7 @@ extern kmutex_t kssl_tab_mutex;
typedef struct kssl_stats {
kstat_named_t sid_cache_lookups;
kstat_named_t sid_cache_hits;
+ kstat_named_t sid_cached;
kstat_named_t sid_uncached;
kstat_named_t full_handshakes;
kstat_named_t resumed_sessions;
diff --git a/usr/src/uts/common/inet/kssl/ksslioctl.c b/usr/src/uts/common/inet/kssl/ksslioctl.c
index cb8d99b006..0a3f1a4f63 100644
--- a/usr/src/uts/common/inet/kssl/ksslioctl.c
+++ b/usr/src/uts/common/inet/kssl/ksslioctl.c
@@ -19,12 +19,10 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
/*
* The kernel SSL module ioctls.
*/
@@ -32,18 +30,14 @@
#include <sys/types.h>
#include <sys/modctl.h>
#include <sys/conf.h>
-#include <sys/stat.h>
#include <sys/ddi.h>
#include <sys/sunddi.h>
#include <sys/kmem.h>
#include <sys/errno.h>
-#include <sys/ksynch.h>
#include <sys/file.h>
-#include <sys/open.h>
#include <sys/cred.h>
#include <sys/proc.h>
#include <sys/task.h>
-#include <sys/mkdev.h>
#include <sys/model.h>
#include <sys/sysmacros.h>
#include <sys/policy.h>
@@ -51,7 +45,6 @@
#include <sys/crypto/api.h>
#include <inet/common.h>
#include <inet/ip.h>
-#include <inet/ip6.h>
#include "ksslimpl.h"
#include "kssl.h"
@@ -152,7 +145,7 @@ kssl_free_entry(kssl_entry_t *kssl_entry)
* the address and port. Returns -1 if no match is found.
*/
static int
-kssl_find_entry(ipaddr_t laddr, in_port_t port, int type,
+kssl_find_entry(in6_addr_t laddr, in_port_t port, int type,
boolean_t wild_card_match)
{
int i;
@@ -169,8 +162,9 @@ kssl_find_entry(ipaddr_t laddr, in_port_t port, int type,
(type == IS_PROXY_PORT && ep->ke_proxy_port == port)))
continue;
- if ((ep->ke_laddr == laddr) || (wild_card_match &&
- ((laddr == INADDR_ANY) || (ep->ke_laddr == INADDR_ANY))))
+ if (IN6_ARE_ADDR_EQUAL(&laddr, &ep->ke_laddr) ||
+ (wild_card_match && (IN6_IS_ADDR_UNSPECIFIED(&laddr) ||
+ IN6_IS_ADDR_UNSPECIFIED(&ep->ke_laddr))))
break;
}
@@ -286,7 +280,7 @@ extract_private_key(kssl_params_t *kssl_params, crypto_key_t **privkey)
char *end_pos;
int i, j, rv;
size_t attrs_size;
- crypto_object_attribute_t *newattrs = NULL;
+ crypto_object_attribute_t *newattrs;
char *mp_attrs;
kssl_object_attribute_t att;
char *attval;
@@ -415,8 +409,8 @@ create_kssl_entry(kssl_params_t *kssl_params, Certificate_t *cert,
kssl_entry = kmem_zalloc(sizeof (kssl_entry_t), KM_SLEEP);
- kssl_entry->ke_laddr = kssl_params->kssl_addr.sin_addr.s_addr;
- kssl_entry->ke_ssl_port = kssl_params->kssl_addr.sin_port;
+ kssl_entry->ke_laddr = kssl_params->kssl_addr.sin6_addr;
+ kssl_entry->ke_ssl_port = kssl_params->kssl_addr.sin6_port;
kssl_entry->ke_proxy_port = kssl_params->kssl_proxy_port;
if (kssl_params->kssl_session_cache_timeout == 0)
kssl_entry->sid_cache_timeout = DEFAULT_SID_TIMEOUT;
@@ -533,7 +527,7 @@ kssl_add_entry(kssl_params_t *kssl_params)
Certificate_t *cert;
crypto_key_t *privkey;
kssl_entry_t *kssl_entry;
- ipaddr_t laddr;
+ in6_addr_t laddr;
if ((rv = extract_certificate(kssl_params, &cert)) != 0) {
return (rv);
@@ -551,8 +545,7 @@ kssl_add_entry(kssl_params_t *kssl_params)
return (EINVAL);
}
- /* Revisit here for IPv6 support */
- laddr = kssl_params->kssl_addr.sin_addr.s_addr;
+ laddr = kssl_params->kssl_addr.sin6_addr;
retry:
mutex_enter(&kssl_tab_mutex);
@@ -578,7 +571,7 @@ retry:
} else {
/* Check if a matching entry exists already */
index = kssl_find_entry(laddr,
- kssl_params->kssl_addr.sin_port, IS_SSL_PORT, B_TRUE);
+ kssl_params->kssl_addr.sin6_port, IS_SSL_PORT, B_TRUE);
if (index == -1) {
/* Check if an entry with the same proxy port exists */
@@ -624,16 +617,20 @@ retry:
}
index = i;
} else {
+ kssl_entry_t *ep;
+
/*
* We do not want an entry with a specific address and
* an entry with IN_ADDR_ANY to coexist. We could
* replace the existing entry. But, most likely this
* is misconfiguration. Better bail out with an error.
*/
- if ((laddr == INADDR_ANY &&
- (kssl_entry_tab[index]->ke_laddr != INADDR_ANY)) ||
- (laddr != INADDR_ANY &&
- (kssl_entry_tab[index]->ke_laddr == INADDR_ANY))) {
+ ep = kssl_entry_tab[index];
+
+ if ((IN6_IS_ADDR_UNSPECIFIED(&laddr) &&
+ !IN6_IS_ADDR_UNSPECIFIED(&ep->ke_laddr)) ||
+ (!IN6_IS_ADDR_UNSPECIFIED(&laddr) &&
+ IN6_IS_ADDR_UNSPECIFIED(&ep->ke_laddr))) {
mutex_exit(&kssl_tab_mutex);
kssl_free_entry(kssl_entry);
return (EEXIST);
@@ -654,16 +651,15 @@ retry:
}
int
-kssl_delete_entry(struct sockaddr_in *kssl_addr)
+kssl_delete_entry(struct sockaddr_in6 *kssl_addr)
{
- ipaddr_t laddr;
+ in6_addr_t laddr;
int index;
- /* Revisit here for IPv6 support */
- laddr = kssl_addr->sin_addr.s_addr;
+ laddr = kssl_addr->sin6_addr;
mutex_enter(&kssl_tab_mutex);
- index = kssl_find_entry(laddr, kssl_addr->sin_port,
+ index = kssl_find_entry(laddr, kssl_addr->sin6_port,
IS_SSL_PORT, B_FALSE);
if (index == -1) {
diff --git a/usr/src/uts/common/inet/kssl/ksslproto.h b/usr/src/uts/common/inet/kssl/ksslproto.h
index 83f1e624ef..7444d9181f 100644
--- a/usr/src/uts/common/inet/kssl/ksslproto.h
+++ b/usr/src/uts/common/inet/kssl/ksslproto.h
@@ -19,15 +19,13 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _INET_KSSL_KSSLPROTO_H
#define _INET_KSSL_KSSLPROTO_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#ifdef __cplusplus
extern "C" {
#endif
@@ -104,57 +102,49 @@ extern "C" {
/* session state */
typedef struct sslSessionIDStr {
- uchar_t session_id[SSL3_SESSIONID_BYTES];
- uchar_t master_secret[SSL3_MASTER_SECRET_LEN];
- clock_t time;
- ipaddr_t client_addr;
- boolean_t cached;
- uint16_t cipher_suite;
+ uchar_t session_id[SSL3_SESSIONID_BYTES];
+ uchar_t master_secret[SSL3_MASTER_SECRET_LEN];
+ clock_t time;
+ in6_addr_t client_addr;
+ boolean_t cached;
+ uint16_t cipher_suite;
} sslSessionID;
/* An element of the session cache */
typedef struct kssl_sid_ent {
- kmutex_t se_lock;
- uint64_t se_used; /* Counter to check hash distribution */
- sslSessionID se_sid;
- uchar_t pad[2 * 64 - sizeof (kmutex_t) - sizeof (uint64_t) \
- - sizeof (sslSessionID)];
+ kmutex_t se_lock;
+ uint64_t se_used; /* Counter to check hash distribution */
+ sslSessionID se_sid;
} kssl_sid_ent_t;
-typedef struct RC4ContextStr {
- uchar_t i;
- uchar_t j;
- uchar_t S[256];
-} RC4Context;
-
typedef enum {
- content_change_cipher_spec = 20,
- content_alert = 21,
- content_handshake = 22,
- content_application_data = 23,
- content_handshake_v2 = 128
+ content_change_cipher_spec = 20,
+ content_alert = 21,
+ content_handshake = 22,
+ content_application_data = 23,
+ content_handshake_v2 = 128
} SSL3ContentType;
typedef enum {
- hello_request = 0,
- client_hello = 1,
- server_hello = 2,
- certificate = 11,
- server_key_exchange = 12,
- certificate_request = 13,
- server_hello_done = 14,
- certificate_verify = 15,
- client_key_exchange = 16,
- finished = 20
+ hello_request = 0,
+ client_hello = 1,
+ server_hello = 2,
+ certificate = 11,
+ server_key_exchange = 12,
+ certificate_request = 13,
+ server_hello_done = 14,
+ certificate_verify = 15,
+ client_key_exchange = 16,
+ finished = 20
} SSL3HandshakeType;
typedef struct SSL3HandshakeMsgStr {
- int state;
- SSL3HandshakeType type;
- int msglen;
- int msglen_bytes;
- mblk_t *head;
- mblk_t *tail;
+ int state;
+ SSL3HandshakeType type;
+ int msglen;
+ int msglen_bytes;
+ mblk_t *head;
+ mblk_t *tail;
} SSL3HandshakeMsg;
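Review bot: The removed `pad[2 * 64 - sizeof (kmutex_t) - sizeof (uint64_t) - sizeof (sslSessionID)]` member sized each kssl_sid_ent_t to exactly 128 bytes, which looks like deliberate cache-line padding for the per-entry `se_lock` in a shared session-cache array; with client_addr growing to an in6_addr_t the old expression would have gone negative, which is presumably why it was dropped. If the alignment was intentional, the struct should keep an equivalent pad or an explicit comment noting that entries are no longer line-aligned; if it was not, a one-line comment to that effect saves the next reader the same question.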
typedef struct KSSLJOBStr {
@@ -165,18 +155,6 @@ typedef struct KSSLJOBStr {
int status;
} KSSLJOB;
-typedef struct KSSLMACJOBStr {
- struct ssl_s *ssl;
- buf_t *in;
- buf_t *out;
- uchar_t *rstart;
- int rlen;
- uint64_t seq;
- SSL3ContentType ct;
- uchar_t *digest;
- int dir;
-} KSSLMACJOB;
-
typedef struct {
uchar_t md5[MD5_HASH_LEN];
@@ -224,23 +202,23 @@ typedef enum {
} SSL3WaitState;
typedef enum {
- sender_client = 0x434c4e54,
- sender_server = 0x53525652
+ sender_client = 0x434c4e54,
+ sender_server = 0x53525652
} SSL3Sender;
typedef enum {
- mac_md5 = 0,
- mac_sha = 1
+ mac_md5 = 0,
+ mac_sha = 1
} SSL3MACAlgorithm;
/* The SSL bulk cipher definition */
typedef enum {
- cipher_null = 0,
- cipher_rc4 = 1,
- cipher_des = 2,
- cipher_3des = 3,
- cipher_aes128 = 4,
- cipher_aes256 = 5,
+ cipher_null = 0,
+ cipher_rc4 = 1,
+ cipher_des = 2,
+ cipher_3des = 3,
+ cipher_aes128 = 4,
+ cipher_aes256 = 5,
} SSL3BulkCipher;
typedef enum { type_stream = 0, type_block = 1 } CipherType;
@@ -306,7 +284,7 @@ typedef struct ssl_s {
mblk_t *rec_ass_head;
mblk_t *rec_ass_tail;
uint_t kssl_refcnt;
- ipaddr_t faddr;
+ in6_addr_t faddr;
uint32_t tcp_mss;
SSL3WaitState hs_waitstate;
boolean_t resumed;
@@ -322,8 +300,6 @@ typedef struct ssl_s {
mblk_t *alert_sendbuf;
kssl_callback_t cke_callback_func;
void *cke_callback_arg;
- uint32_t macjobs_todo;
- uint32_t macjobs_done;
uint16_t pending_cipher_suite;
SSL3MACAlgorithm pending_malg;
SSL3BulkCipher pending_calg;
diff --git a/usr/src/uts/common/inet/kssl/ksslrec.c b/usr/src/uts/common/inet/kssl/ksslrec.c
index 7f47b22b25..14a285b4ab 100644
--- a/usr/src/uts/common/inet/kssl/ksslrec.c
+++ b/usr/src/uts/common/inet/kssl/ksslrec.c
@@ -127,7 +127,7 @@ static int kssl_handle_finished(ssl_t *, mblk_t *, int);
static void kssl_get_hello_random(uchar_t *);
static uchar_t *kssl_rsa_unwrap(uchar_t *, size_t *);
static void kssl_cache_sid(sslSessionID *, kssl_entry_t *);
-static void kssl_lookup_sid(sslSessionID *, uchar_t *, ipaddr_t,
+static void kssl_lookup_sid(sslSessionID *, uchar_t *, in6_addr_t *,
kssl_entry_t *);
static int kssl_generate_tls_ms(ssl_t *, uchar_t *, size_t);
static void kssl_generate_ssl_ms(ssl_t *, uchar_t *, size_t);
@@ -499,7 +499,7 @@ kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen)
if (sidlen != SSL3_SESSIONID_BYTES) {
mp->b_rptr += sidlen;
} else {
- kssl_lookup_sid(&ssl->sid, mp->b_rptr, ssl->faddr,
+ kssl_lookup_sid(&ssl->sid, mp->b_rptr, &ssl->faddr,
ssl->kssl_entry);
mp->b_rptr += SSL3_SESSIONID_BYTES;
}
@@ -536,7 +536,6 @@ kssl_handle_client_hello(ssl_t *ssl, mblk_t *mp, int msglen)
goto suite_found;
}
kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
- ssl->sid.cached = B_FALSE;
}
/* Check if this server is capable of the cipher suite */
@@ -656,52 +655,93 @@ falert:
return (EBADMSG);
}
+#define SET_HASH_INDEX(index, s, clnt_addr) { \
+ int addr; \
+ \
+ IN6_V4MAPPED_TO_IPADDR(clnt_addr, addr); \
+ index = addr ^ (((int)(s)[0] << 24) | ((int)(s)[1] << 16) | \
+ ((int)(s)[2] << 8) | (int)(s)[SSL3_SESSIONID_BYTES - 1]); \
+}
+
+/*
+ * Creates a cache entry. Sets the sid->cached flag
+ * and sid->time fields. So, the caller should not set them.
+ */
static void
kssl_cache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
{
uint_t index;
uchar_t *s = sid->session_id;
- int l = SSL3_SESSIONID_BYTES - 1;
kmutex_t *lock;
- ASSERT(sid->cached == B_TRUE);
+ ASSERT(sid->cached == B_FALSE);
- index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
- ((int)s[2] << 8) | (int)s[l]);
+ /* set the values before creating the cache entry */
+ sid->cached = B_TRUE;
+ sid->time = lbolt;
+ SET_HASH_INDEX(index, s, &sid->client_addr);
index %= kssl_entry->sid_cache_nentries;
- sid->time = lbolt;
-
lock = &(kssl_entry->sid_cache[index].se_lock);
mutex_enter(lock);
kssl_entry->sid_cache[index].se_used++;
bcopy(sid, &(kssl_entry->sid_cache[index].se_sid), sizeof (*sid));
mutex_exit(lock);
+
+ KSSL_COUNTER(sid_cached, 1);
+}
+
+/*
+ * Invalidates the cache entry, if any. Clears the sid->cached flag
+ * as a side effect.
+ */
+void
+kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
+{
+ uint_t index;
+ uchar_t *s = sid->session_id;
+ sslSessionID *csid;
+ kmutex_t *lock;
+
+ ASSERT(sid->cached == B_TRUE);
+ sid->cached = B_FALSE;
+
+ SET_HASH_INDEX(index, s, &sid->client_addr);
+ index %= kssl_entry->sid_cache_nentries;
+
+ lock = &(kssl_entry->sid_cache[index].se_lock);
+ mutex_enter(lock);
+ csid = &(kssl_entry->sid_cache[index].se_sid);
+ if (!(IN6_ARE_ADDR_EQUAL(&csid->client_addr, &sid->client_addr)) ||
+ bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
+ mutex_exit(lock);
+ return;
+ }
+ csid->cached = B_FALSE;
+ mutex_exit(lock);
+
+ KSSL_COUNTER(sid_uncached, 1);
}
static void
-kssl_lookup_sid(sslSessionID *sid, uchar_t *s, ipaddr_t faddr,
+kssl_lookup_sid(sslSessionID *sid, uchar_t *s, in6_addr_t *faddr,
kssl_entry_t *kssl_entry)
{
uint_t index;
- int l = SSL3_SESSIONID_BYTES - 1;
kmutex_t *lock;
sslSessionID *csid;
- ASSERT(sid->cached == B_FALSE);
-
KSSL_COUNTER(sid_cache_lookups, 1);
- index = (int)faddr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
- ((int)s[2] << 8) | (int)s[l]);
-
+ SET_HASH_INDEX(index, s, faddr);
index %= kssl_entry->sid_cache_nentries;
lock = &(kssl_entry->sid_cache[index].se_lock);
mutex_enter(lock);
csid = &(kssl_entry->sid_cache[index].se_sid);
- if (csid->cached == B_FALSE || csid->client_addr != faddr ||
+ if (csid->cached == B_FALSE ||
+ !IN6_ARE_ADDR_EQUAL(&csid->client_addr, faddr) ||
bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
mutex_exit(lock);
return;
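Review bot: SET_HASH_INDEX, new in this hunk, folds the client address into the slot index through IN6_V4MAPPED_TO_IPADDR, which in illumos copies only the last 32-bit word of the in6_addr_t, so for the native IPv6 peers this commit adds the macro name no longer describes what happens; the full-address IN6_ARE_ADDR_EQUAL checks in kssl_uncache_sid and kssl_lookup_sid keep lookups correct, but the truncation deserves a comment above that line, e.g. `/* v4-mapped: the IPv4 address; native v6: low 32 bits only feed the index */`. The same macro computes `((int)(s)[0] << 24)`, a left shift into the sign bit whenever the first session-id byte is >= 0x80, which is undefined behaviour in C inherited from the old inline expression; declaring `uint32_t addr;` and casting the four bytes to `(uint32_t)` removes it and matches the `uint_t index` the result is assigned to. While there, parenthesize `(index)` in the assignment and wrap the body in `do { ... } while (0)` instead of bare braces so the `;` at the three call sites belongs to the statement. kssl_lookup_sid's body continues past the end of this hunk.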
@@ -744,36 +784,6 @@ kssl_rsa_unwrap(uchar_t *buf, size_t *lenp)
return (buf + i);
}
-void
-kssl_uncache_sid(sslSessionID *sid, kssl_entry_t *kssl_entry)
-{
- uint_t index;
- uchar_t *s = sid->session_id;
- int l = SSL3_SESSIONID_BYTES - 1;
- sslSessionID *csid;
- kmutex_t *lock;
-
- ASSERT(sid->cached == B_TRUE);
-
- KSSL_COUNTER(sid_uncached, 1);
-
- index = (int)sid->client_addr ^ (((int)s[0] << 24) | ((int)s[1] << 16) |
- ((int)s[2] << 8) | (int)s[l]);
-
- index %= kssl_entry->sid_cache_nentries;
-
- lock = &(kssl_entry->sid_cache[index].se_lock);
- mutex_enter(lock);
- csid = &(kssl_entry->sid_cache[index].se_sid);
- if (csid->client_addr != sid->client_addr ||
- bcmp(csid->session_id, s, SSL3_SESSIONID_BYTES)) {
- mutex_exit(lock);
- return;
- }
- csid->cached = B_FALSE;
- mutex_exit(lock);
-}
-
#define KSSL_SSL3_SH_RECLEN (74)
#define KSSL_SSL3_FIN_MSGLEN (36)
@@ -875,7 +885,7 @@ kssl_tls_P_hash(crypto_mechanism_t *mech, crypto_key_t *key,
mac.cd_offset = 0;
/*
- * A(i) = HMAC_hash(secred, seed + A(i-1));
+ * A(i) = HMAC_hash(secret, seed + A(i-1));
* A(0) = seed;
*
* Compute A(1):
@@ -943,7 +953,7 @@ kssl_tls_PRF(ssl_t *ssl,
*
*/
- int rv = 0, i;
+ int rv, i;
uchar_t psha1[MAX_KEYBLOCK_LENGTH];
crypto_key_t S1, S2;
@@ -1411,7 +1421,7 @@ kssl_send_finished(ssl_t *ssl, int update_hsh)
uchar_t *versionp;
SSL3Hashes ssl3hashes;
size_t finish_len;
- int ret = 0;
+ int ret;
mp = ssl->handshake_sendbuf;
ASSERT(mp != NULL);
@@ -1562,7 +1572,6 @@ kssl_send_alert(ssl_t *ssl, SSL3AlertLevel level, SSL3AlertDescription desc)
SSL3AlertLevel, level, SSL3AlertDescription, desc);
if (ssl->sid.cached == B_TRUE) {
kssl_uncache_sid(&ssl->sid, ssl->kssl_entry);
- ssl->sid.cached = B_FALSE;
}
ssl->fatal_alert = B_TRUE;
KSSL_COUNTER(fatal_alerts, 1);
@@ -1812,8 +1821,6 @@ kssl_handle_finished(ssl_t *ssl, mblk_t *mp, int msglen)
return (err);
}
- ASSERT(ssl->sid.cached == B_FALSE);
- ssl->sid.cached = B_TRUE;
kssl_cache_sid(&ssl->sid, ssl->kssl_entry);
ssl->activeinput = B_FALSE;
diff --git a/usr/src/uts/common/inet/tcp/tcp_kssl.c b/usr/src/uts/common/inet/tcp/tcp_kssl.c
index 8eb8cddff3..75fa36196a 100644
--- a/usr/src/uts/common/inet/tcp/tcp_kssl.c
+++ b/usr/src/uts/common/inet/tcp/tcp_kssl.c
@@ -19,17 +19,14 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include <sys/types.h>
#include <sys/stream.h>
-#include <sys/strsun.h>
#include <sys/strsubr.h>
#include <sys/stropts.h>
-#include <sys/strlog.h>
-#include <sys/strsun.h>
#include <sys/cmn_err.h>
#include <sys/debug.h>
#include <sys/vtrace.h>
@@ -37,7 +34,6 @@
#include <sys/zone.h>
#include <sys/tihdr.h>
-#include <sys/errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
@@ -46,7 +42,6 @@
#include <inet/ipclassifier.h>
#include <inet/ip.h>
#include <inet/ip6.h>
-#include <inet/mi.h>
#include <inet/mib2.h>
#include <inet/tcp.h>
#include <inet/ipsec_impl.h>
@@ -80,12 +75,12 @@ extern int tcp_squeue_flag;
* A packet may carry multiple SSL records, so the function
* calls kssl_input() in a loop, until all records are
* handled.
- * As long as this conection is in handshake, that is until the first
+ * As long as this connection is in handshake, that is until the first
* time kssl_input() returns a record to be delivered ustreams,
* we maintain the tcp_kssl_inhandshake, and keep an extra reference on
* the tcp/connp across the call to kssl_input(). The reason is, that
* function may return KSSL_CMD_QUEUED after scheduling an asynchronous
- * request and cause tcp_kssl_callback() to be called on adifferent CPU,
+ * request and cause tcp_kssl_callback() to be called on a different CPU,
* which could decrement the conn/tcp reference before we get to increment it.
*/
void
@@ -99,13 +94,22 @@ tcp_kssl_input(tcp_t *tcp, mblk_t *mp)
struct T_conn_ind *tci;
boolean_t more = B_FALSE;
boolean_t conn_held = B_FALSE;
+ boolean_t is_v4;
+ void *addr;
/* First time here, allocate the SSL context */
if (tcp->tcp_kssl_ctx == NULL) {
ASSERT(tcp->tcp_kssl_pending);
+ is_v4 = (tcp->tcp_ipversion == IPV4_VERSION);
+ if (is_v4) {
+ addr = &tcp->tcp_ipha->ipha_dst;
+ } else {
+ addr = &tcp->tcp_ip6h->ip6_dst;
+ }
+
if (kssl_init_context(tcp->tcp_kssl_ent,
- tcp->tcp_ipha->ipha_dst, tcp->tcp_mss,
+ addr, is_v4, tcp->tcp_mss,
&(tcp->tcp_kssl_ctx)) != KSSL_STS_OK) {
tcp->tcp_kssl_pending = B_FALSE;
kssl_release_ent(tcp->tcp_kssl_ent, NULL,
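Review bot: `addr` is declared `void *` and passed to kssl_init_context() together with the `is_v4` flag, and nothing in the hunk says what it points to or how long the pointee must stay valid; a comment on the assignment would help, e.g. `/* peer address, taken from the outbound IP header template; kssl_init_context() copies it into ssl->faddr */`. The copy half of that is supported by ssl_s now holding `in6_addr_t faddr` by value in the ksslproto.h hunk, but the body of kssl_init_context() is outside this diff, so confirm it before stating it that firmly. Selecting the header by `tcp_ipversion` also leaves the `tcp_ipha`/`tcp_ip6h` choice implicit for a reader; naming it in the same comment avoids someone later dereferencing the other pointer. tcp_kssl_input's body continues outside the hunk.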
@@ -125,6 +129,7 @@ tcp_kssl_input(tcp_t *tcp, mblk_t *mp)
CONN_INC_REF(connp);
conn_held = B_TRUE;
}
+
do {
kssl_cmd = kssl_input(tcp->tcp_kssl_ctx, mp, &outmp,
&more, tcp_kssl_input_callback, (void *)tcp);
@@ -308,6 +313,7 @@ no_can_do:
}
mp = NULL;
} while (more);
+
if (conn_held) {
CONN_DEC_REF(connp);
}
@@ -316,7 +322,7 @@ no_can_do:
/*
* Callback function for the cases kssl_input() had to submit an asynchronous
* job and need to come back when done to carry on the input processing.
- * This routine follows the conentions of timeout and interrupt handlers.
+ * This routine follows the conventions of timeout and interrupt handlers.
* (no blocking, ...)
*/
static void