1898Skais /* 2898Skais * CDDL HEADER START 3898Skais * 4898Skais * The contents of this file are subject to the terms of the 56788Skrishna * Common Development and Distribution License (the "License"). 66788Skrishna * You may not use this file except in compliance with the License. 7898Skais * 8898Skais * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9898Skais * or http://www.opensolaris.org/os/licensing. 10898Skais * See the License for the specific language governing permissions 11898Skais * and limitations under the License. 12898Skais * 13898Skais * When distributing Covered Code, include this CDDL HEADER in each 14898Skais * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15898Skais * If applicable, add the following below this CDDL HEADER, with the 16898Skais * fields enclosed by brackets "[]" replaced with your own identifying 17898Skais * information: Portions Copyright [yyyy] [name of copyright owner] 18898Skais * 19898Skais * CDDL HEADER END 20898Skais */ 21898Skais /* 2212381SVladimir.Kotal@Sun.COM * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. 23898Skais */ 24898Skais 25898Skais #ifndef _INET_KSSL_KSSLPROTO_H 26898Skais #define _INET_KSSL_KSSLPROTO_H 27898Skais 28898Skais #ifdef __cplusplus 29898Skais extern "C" { 30898Skais #endif 31898Skais 32898Skais #include <sys/types.h> 33898Skais #include <sys/stream.h> 34898Skais #include <sys/md5.h> 35898Skais #include <sys/sha1.h> 36898Skais #include <sys/crypto/common.h> 37898Skais #include <sys/crypto/api.h> 38898Skais #include <inet/kssl/kssl.h> /* Cipher suite definitions */ 39898Skais #include <inet/kssl/ksslapi.h> 40898Skais #include <inet/kssl/ksslimpl.h> 41898Skais 42898Skais #define SSL3_RANDOM_LENGTH 32 43898Skais #define SSL3_SESSIONID_BYTES 32 44898Skais #define SSL3_HDR_LEN 5 45*12696SVladimir.Kotal@Sun.COM #define SSL3_ALERT_LEN 2 46898Skais #define SSL3_MAX_RECORD_LENGTH 16384 47898Skais #define SSL3_PRE_MASTER_SECRET_LEN 48 48898Skais #define SSL3_MASTER_SECRET_LEN 48 49898Skais #define SSL3_MD5_PAD_LEN 48 50898Skais #define SSL3_SHA1_PAD_LEN 40 51898Skais 52898Skais #define SSL_MIN_CHALLENGE_BYTES 16 53898Skais #define SSL_MAX_CHALLENGE_BYTES 32 54898Skais 55898Skais #define SHA1_HASH_LEN 20 56898Skais #define MD5_HASH_LEN 16 57898Skais #define MAX_HASH_LEN SHA1_HASH_LEN 58898Skais 59898Skais #define KSSL_READ 0 60898Skais #define KSSL_WRITE 1 61898Skais 62898Skais #define KSSL_ENCRYPT 0 63898Skais #define KSSL_DECRYPT 1 64898Skais 65898Skais #define MSG_INIT 0 66898Skais #define MSG_INIT_LEN 1 67898Skais #define MSG_BODY 2 68898Skais 696788Skrishna /* 706788Skrishna * More than enough for the cipher suite that needs the 716788Skrishna * largest key material (AES_256_CBC_SHA needs 136 bytes). 726788Skrishna */ 736788Skrishna #define MAX_KEYBLOCK_LENGTH 160 74898Skais 75898Skais #define TLS_MASTER_SECRET_LABEL "master secret" 76898Skais #define TLS_CLIENT_WRITE_KEY_LABEL "client write key" 77898Skais #define TLS_SERVER_WRITE_KEY_LABEL "server write key" 78898Skais #define TLS_CLIENT_FINISHED_LABEL "client finished" 79898Skais #define TLS_SERVER_FINISHED_LABEL "server finished" 80898Skais #define TLS_KEY_EXPANSION_LABEL "key expansion" 81898Skais #define TLS_IV_BLOCK_LABEL "IV block" 82898Skais #define TLS_MAX_LABEL_SIZE 24 83898Skais 84898Skais #define TLS_FINISHED_SIZE 12 85898Skais 86898Skais /* 87898Skais * The following constants try to insure an input buffer is optimally aligned 88898Skais * for MAC hash computation. SHA1/MD5 code prefers 4 byte alignment of each 89898Skais * 64byte input block to avoid a copy. Our goal is to reach 4 byte alignment 90898Skais * starting form the 3rd MAC block (input buffer starts in the 3rd block). The 91898Skais * 3rd block includes the first 53 (MD5 SSL3 MAC) or 57 (SHA1 SSL3 MAC) bytes 92898Skais * of the input buffer. This means input buffer should start at offset 3 93898Skais * within a 4 byte word so that its next block is 4 byte aligned. Since the 94898Skais * SSL3 record header is 5 bytes long it should start at at offset 2 within a 95898Skais * 4 byte word. To insure the next record (for buffers that don't fit into 1 96898Skais * SSL3 record) also starts at offset 2 within a 4 byte word the previous 97898Skais * record length should be 3 mod 8 since 5 + 3 mod 8 is 0 i.e. the next record 98898Skais * starts at the same offset within a 4 byte word as the the previous record. 99898Skais */ 100898Skais #define SSL3_MAX_OPTIMAL_RECORD_LENGTH (SSL3_MAX_RECORD_LENGTH - 1) 101898Skais #define SSL3_OPTIMAL_RECORD_ALIGNMENT 2 102898Skais 103898Skais /* session state */ 104898Skais typedef struct sslSessionIDStr { 10510520SBhargava.Yenduri@Sun.COM uchar_t session_id[SSL3_SESSIONID_BYTES]; 10610520SBhargava.Yenduri@Sun.COM uchar_t master_secret[SSL3_MASTER_SECRET_LEN]; 10710520SBhargava.Yenduri@Sun.COM clock_t time; 10810520SBhargava.Yenduri@Sun.COM in6_addr_t client_addr; 10910520SBhargava.Yenduri@Sun.COM boolean_t cached; 11010520SBhargava.Yenduri@Sun.COM uint16_t cipher_suite; 111898Skais } sslSessionID; 112898Skais 113898Skais /* An element of the session cache */ 114898Skais typedef struct kssl_sid_ent { 11510520SBhargava.Yenduri@Sun.COM kmutex_t se_lock; 11610520SBhargava.Yenduri@Sun.COM uint64_t se_used; /* Counter to check hash distribution */ 11710520SBhargava.Yenduri@Sun.COM sslSessionID se_sid; 118898Skais } kssl_sid_ent_t; 119898Skais 120898Skais typedef enum { 12110520SBhargava.Yenduri@Sun.COM content_change_cipher_spec = 20, 12210520SBhargava.Yenduri@Sun.COM content_alert = 21, 12310520SBhargava.Yenduri@Sun.COM content_handshake = 22, 12410520SBhargava.Yenduri@Sun.COM content_application_data = 23, 12510520SBhargava.Yenduri@Sun.COM content_handshake_v2 = 128 126898Skais } SSL3ContentType; 127898Skais 128898Skais typedef enum { 12910520SBhargava.Yenduri@Sun.COM hello_request = 0, 13010520SBhargava.Yenduri@Sun.COM client_hello = 1, 13110520SBhargava.Yenduri@Sun.COM server_hello = 2, 13210520SBhargava.Yenduri@Sun.COM certificate = 11, 13310520SBhargava.Yenduri@Sun.COM server_key_exchange = 12, 13410520SBhargava.Yenduri@Sun.COM certificate_request = 13, 13510520SBhargava.Yenduri@Sun.COM server_hello_done = 14, 13610520SBhargava.Yenduri@Sun.COM certificate_verify = 15, 13710520SBhargava.Yenduri@Sun.COM client_key_exchange = 16, 13810520SBhargava.Yenduri@Sun.COM finished = 20 139898Skais } SSL3HandshakeType; 140898Skais 141898Skais typedef struct SSL3HandshakeMsgStr { 14210520SBhargava.Yenduri@Sun.COM int state; 14310520SBhargava.Yenduri@Sun.COM SSL3HandshakeType type; 14410520SBhargava.Yenduri@Sun.COM int msglen; 14510520SBhargava.Yenduri@Sun.COM int msglen_bytes; 14610520SBhargava.Yenduri@Sun.COM mblk_t *head; 14710520SBhargava.Yenduri@Sun.COM mblk_t *tail; 148898Skais } SSL3HandshakeMsg; 149898Skais 150898Skais typedef struct KSSLJOBStr { 151898Skais struct ssl_s *ssl; 152898Skais crypto_req_id_t kjob; 153898Skais char *buf; 154898Skais size_t buflen; 155898Skais int status; 156898Skais } KSSLJOB; 157898Skais 158898Skais 159898Skais typedef struct { 160898Skais uchar_t md5[MD5_HASH_LEN]; 161898Skais uchar_t sha1[SHA1_HASH_LEN]; 162898Skais uchar_t tlshash[TLS_FINISHED_SIZE]; 163898Skais } SSL3Hashes; 164898Skais 165898Skais typedef enum { 166898Skais close_notify = 0, 167898Skais unexpected_message = 10, 168898Skais bad_record_mac = 20, 169898Skais decompression_failure = 30, 170898Skais handshake_failure = 40, 171898Skais no_certificate = 41, 172898Skais bad_certificate = 42, 173898Skais unsupported_certificate = 43, 174898Skais certificate_revoked = 44, 175898Skais certificate_expired = 45, 176898Skais certificate_unknown = 46, 177898Skais illegal_parameter = 47, 178898Skais unknown_ca = 48, 179898Skais access_denied = 49, 180898Skais decode_error = 50, 181898Skais decrypt_error = 51, 182898Skais export_restriction = 60, 183898Skais protocol_version = 70, 184898Skais insufficient_security = 71, 185898Skais internal_error = 80, 186898Skais user_canceled = 90, 187898Skais no_renegotiation = 100 188898Skais } SSL3AlertDescription; 189898Skais 190898Skais typedef enum { 191898Skais alert_warning = 1, 192898Skais alert_fatal = 2 193898Skais } SSL3AlertLevel; 194898Skais 195898Skais typedef enum { 196898Skais wait_client_hello = 0, 197898Skais wait_client_key = 1, 198898Skais wait_client_key_done = 2, 199898Skais wait_change_cipher = 3, 200898Skais wait_finished = 4, 201898Skais idle_handshake = 5 202898Skais } SSL3WaitState; 203898Skais 204898Skais typedef enum { 20510520SBhargava.Yenduri@Sun.COM sender_client = 0x434c4e54, 20610520SBhargava.Yenduri@Sun.COM sender_server = 0x53525652 207898Skais } SSL3Sender; 208898Skais 209898Skais typedef enum { 21010520SBhargava.Yenduri@Sun.COM mac_md5 = 0, 21110520SBhargava.Yenduri@Sun.COM mac_sha = 1 212898Skais } SSL3MACAlgorithm; 213898Skais 214898Skais /* The SSL bulk cipher definition */ 215898Skais typedef enum { 21610520SBhargava.Yenduri@Sun.COM cipher_null = 0, 21710520SBhargava.Yenduri@Sun.COM cipher_rc4 = 1, 21810520SBhargava.Yenduri@Sun.COM cipher_des = 2, 21910520SBhargava.Yenduri@Sun.COM cipher_3des = 3, 22010520SBhargava.Yenduri@Sun.COM cipher_aes128 = 4, 22110520SBhargava.Yenduri@Sun.COM cipher_aes256 = 5, 222898Skais } SSL3BulkCipher; 223898Skais 224898Skais typedef enum { type_stream = 0, type_block = 1 } CipherType; 225898Skais 226898Skais typedef struct ssl3CipherSuiteDefStr { 227898Skais uint16_t suite; 228898Skais SSL3BulkCipher calg; 229898Skais SSL3MACAlgorithm malg; 230898Skais int keyblksz; 231898Skais } ssl3CipherSuiteDef; 232898Skais 233898Skais typedef void (*hashinit_func_t)(void *); 234898Skais typedef void (*hashupdate_func_t)(void *, uchar_t *, uint32_t); 235898Skais typedef void (*hashfinal_func_t)(uchar_t *, void *); 236898Skais 237898Skais typedef struct KSSLMACDefStr { 238898Skais int hashsz; 239898Skais int padsz; 240898Skais hashinit_func_t HashInit; 241898Skais hashupdate_func_t HashUpdate; 242898Skais hashfinal_func_t HashFinal; 243898Skais } KSSLMACDef; 244898Skais 245898Skais typedef struct KSSLCipherDefStr { 246898Skais CipherType type; 247898Skais int bsize; 248898Skais int keysz; 249898Skais crypto_mech_type_t mech_type; 250898Skais } KSSLCipherDef; 251898Skais 252898Skais typedef union KSSL_HASHCTXUnion { 253898Skais SHA1_CTX sha; 254898Skais MD5_CTX md5; 255898Skais } KSSL_HASHCTX; 256898Skais 257898Skais typedef struct KSSLCipherSpecStr { 258898Skais int mac_hashsz; 259898Skais int mac_padsz; 260898Skais void (*MAC_HashInit)(void *); 261898Skais void (*MAC_HashUpdate)(void *, uchar_t *, uint32_t); 262898Skais void (*MAC_HashFinal)(uchar_t *, void *); 263898Skais 264898Skais CipherType cipher_type; 265898Skais int cipher_bsize; 266898Skais int cipher_keysz; 267898Skais 268898Skais crypto_mechanism_t cipher_mech; 269898Skais crypto_mechanism_t hmac_mech; /* for TLS */ 270898Skais crypto_key_t cipher_key; 271898Skais crypto_key_t hmac_key; /* for TLS */ 272898Skais 273898Skais crypto_context_t cipher_ctx; 274898Skais crypto_data_t cipher_data; 275898Skais 276898Skais } KSSLCipherSpec; 277898Skais 278898Skais /* 27912644SAnders.Persson@Sun.COM * SSL connection state. This one hangs off of a ksslf_t structure. 280898Skais */ 281898Skais typedef struct ssl_s { 282898Skais kmutex_t kssl_lock; 283898Skais struct kssl_entry_s *kssl_entry; 284898Skais mblk_t *rec_ass_head; 285898Skais mblk_t *rec_ass_tail; 28610520SBhargava.Yenduri@Sun.COM in6_addr_t faddr; 287898Skais uint32_t tcp_mss; 288898Skais SSL3WaitState hs_waitstate; 289898Skais boolean_t resumed; 290*12696SVladimir.Kotal@Sun.COM boolean_t close_notify_clnt; 291*12696SVladimir.Kotal@Sun.COM boolean_t close_notify_srvr; 292898Skais boolean_t fatal_alert; 293898Skais boolean_t fatal_error; 294898Skais boolean_t alert_sent; 295898Skais boolean_t appdata_sent; 296898Skais boolean_t activeinput; 297898Skais SSL3AlertLevel sendalert_level; 298898Skais SSL3AlertDescription sendalert_desc; 299898Skais mblk_t *handshake_sendbuf; 300898Skais mblk_t *alert_sendbuf; 301898Skais kssl_callback_t cke_callback_func; 302898Skais void *cke_callback_arg; 303898Skais uint16_t pending_cipher_suite; 304898Skais SSL3MACAlgorithm pending_malg; 305898Skais SSL3BulkCipher pending_calg; 306898Skais int pending_keyblksz; 307898Skais uint64_t seq_num[2]; 308898Skais SSL3HandshakeMsg msg; 309898Skais KSSLJOB job; 310898Skais KSSLCipherSpec spec[2]; 311898Skais uchar_t pending_keyblock[MAX_KEYBLOCK_LENGTH]; 312898Skais uchar_t mac_secret[2][MAX_HASH_LEN]; 313898Skais KSSL_HASHCTX mac_ctx[2][2]; /* inner 'n outer per dir */ 314898Skais sslSessionID sid; 315898Skais SHA1_CTX hs_sha1; 316898Skais MD5_CTX hs_md5; 317898Skais SSL3Hashes hs_hashes; 318898Skais uchar_t client_random[SSL3_RANDOM_LENGTH]; 319898Skais uchar_t server_random[SSL3_RANDOM_LENGTH]; 320898Skais int sslcnt; 321898Skais uchar_t major_version; 322898Skais uchar_t minor_version; 32312381SVladimir.Kotal@Sun.COM boolean_t secure_renegotiation; 32412644SAnders.Persson@Sun.COM uint_t async_ops_pending; 32512644SAnders.Persson@Sun.COM kcondvar_t async_cv; 326898Skais } ssl_t; 327898Skais 328898Skais #define IS_TLS(s) (s->major_version == 3 && s->minor_version == 1) 329898Skais 330898Skais #define SSL3_REC_SIZE(mp) (uint8_t *)(mp)->b_rptr + 3 331898Skais 332898Skais extern int kssl_spec_init(ssl_t *, int); 333898Skais extern void kssl_send_alert(ssl_t *, SSL3AlertLevel, SSL3AlertDescription); 334898Skais 335898Skais #ifdef __cplusplus 336898Skais } 337898Skais #endif 338898Skais 339898Skais #endif /* _INET_KSSL_KSSLPROTO_H */ 340