Print this page
7127 remove -Wno-missing-braces from Makefile.uts
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/inet/kssl/kssl.c
+++ new/usr/src/uts/common/inet/kssl/kssl.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 23 */
24 24
25 25
26 26 /*
27 27 * The system call and DDI interface for the kernel SSL module
28 28 */
29 29
30 30 #include <sys/types.h>
31 31 #include <sys/modctl.h>
32 32 #include <sys/conf.h>
33 33 #include <sys/stat.h>
34 34 #include <sys/ddi.h>
35 35 #include <sys/sunddi.h>
36 36 #include <sys/kmem.h>
37 37 #include <sys/errno.h>
38 38 #include <sys/file.h>
39 39 #include <sys/open.h>
40 40 #include <sys/cred.h>
41 41 #include <sys/proc.h>
42 42 #include <sys/task.h>
43 43 #include <sys/model.h>
44 44 #include <sys/sysmacros.h>
45 45 #include <sys/policy.h>
46 46 #include <sys/crypto/common.h>
47 47 #include <sys/crypto/api.h>
48 48 #include <c2/audit.h>
49 49 #include <sys/kstat.h>
50 50
51 51 #include "kssl.h"
52 52 #include "ksslimpl.h"
53 53
54 54 /*
55 55 * DDI entry points.
56 56 */
57 57 static int kssl_attach(dev_info_t *, ddi_attach_cmd_t);
58 58 static int kssl_detach(dev_info_t *, ddi_detach_cmd_t);
59 59 static int kssl_getinfo(dev_info_t *, ddi_info_cmd_t, void *, void **);
60 60 static int kssl_open(dev_t *, int, int, cred_t *);
61 61 static int kssl_close(dev_t, int, int, cred_t *);
62 62 static int kssl_ioctl(dev_t, int, intptr_t, int, cred_t *, int *);
63 63
64 64 static int kssl_constructor(void *buf, void *arg, int kmflags);
65 65 static void kssl_destructor(void *buf, void *arg);
66 66
67 67 /*
68 68 * Module linkage.
69 69 */
70 70 static struct cb_ops cbops = {
71 71 kssl_open, /* cb_open */
72 72 kssl_close, /* cb_close */
73 73 nodev, /* cb_strategy */
74 74 nodev, /* cb_print */
75 75 nodev, /* cb_dump */
76 76 nodev, /* cb_read */
77 77 nodev, /* cb_write */
78 78 kssl_ioctl, /* cb_ioctl */
79 79 nodev, /* cb_devmap */
80 80 nodev, /* cb_mmap */
81 81 nodev, /* cb_segmap */
82 82 nochpoll, /* cb_chpoll */
83 83 ddi_prop_op, /* cb_prop_op */
84 84 NULL, /* cb_streamtab */
85 85 D_MP, /* cb_flag */
86 86 CB_REV, /* cb_rev */
87 87 nodev, /* cb_aread */
88 88 nodev, /* cb_awrite */
89 89 };
90 90
91 91 static struct dev_ops devops = {
92 92 DEVO_REV, /* devo_rev */
93 93 0, /* devo_refcnt */
94 94 kssl_getinfo, /* devo_getinfo */
95 95 nulldev, /* devo_identify */
96 96 nulldev, /* devo_probe */
97 97 kssl_attach, /* devo_attach */
98 98 kssl_detach, /* devo_detach */
99 99 nodev, /* devo_reset */
100 100 &cbops, /* devo_cb_ops */
101 101 NULL, /* devo_bus_ops */
102 102 NULL, /* devo_power */
103 103 ddi_quiesce_not_needed, /* devo_quiesce */
|
↓ open down ↓ |
103 lines elided |
↑ open up ↑ |
104 104 };
105 105
106 106 static struct modldrv modldrv = {
107 107 &mod_driverops, /* drv_modops */
108 108 "Kernel SSL Interface", /* drv_linkinfo */
109 109 &devops,
110 110 };
111 111
112 112 static struct modlinkage modlinkage = {
113 113 MODREV_1, /* ml_rev */
114 - &modldrv, /* ml_linkage */
115 - NULL
114 + { &modldrv, NULL } /* ml_linkage */
116 115 };
117 116
118 117 static dev_info_t *kssl_dip = NULL;
119 118
120 119 crypto_mechanism_t rsa_x509_mech = {CRYPTO_MECH_INVALID, NULL, 0};
121 120 crypto_mechanism_t hmac_md5_mech = {CRYPTO_MECH_INVALID, NULL, 0};
122 121 crypto_mechanism_t hmac_sha1_mech = {CRYPTO_MECH_INVALID, NULL, 0};
123 122 crypto_call_flag_t kssl_call_flag = CRYPTO_ALWAYS_QUEUE;
124 123
125 124 KSSLCipherDef cipher_defs[] = { /* indexed by SSL3BulkCipher */
126 125 /* type bsize keysz crypto_mech_type_t */
127 126
128 127 {type_stream, 0, 0, CRYPTO_MECH_INVALID},
129 128
130 129 /* mech_type to be initialized with CKM_RC4's */
131 130 {type_stream, 0, 16, CRYPTO_MECH_INVALID},
132 131
133 132 /* mech_type to be initialized with CKM_DES_CBC's */
134 133 {type_block, 8, 8, CRYPTO_MECH_INVALID},
135 134
136 135 /* mech_type to be initialized with CKM_DES3_CBC's */
137 136 {type_block, 8, 24, CRYPTO_MECH_INVALID},
138 137
139 138 /* mech_type to be initialized with CKM_AES_CBC with 128-bit key */
140 139 {type_block, 16, 16, CRYPTO_MECH_INVALID},
141 140
142 141 /* mech_type to be initialized with CKM_AES_CBC with 256-bit key */
143 142 {type_block, 16, 32, CRYPTO_MECH_INVALID},
144 143 };
145 144
146 145 struct kmem_cache *kssl_cache;
147 146 static crypto_notify_handle_t prov_update_handle = NULL;
148 147
149 148 static void kssl_global_init();
150 149 static void kssl_global_fini();
151 150 static void kssl_init_mechs();
152 151 static void kssl_event_callback(uint32_t, void *);
153 152
154 153 /*
155 154 * DDI entry points.
156 155 */
157 156 int
158 157 _init(void)
159 158 {
160 159 int error;
161 160
162 161 kssl_global_init();
163 162
164 163 if ((error = mod_install(&modlinkage)) != 0) {
165 164 kssl_global_fini();
166 165 return (error);
167 166 }
168 167 return (0);
169 168 }
170 169
171 170 int
172 171 _fini(void)
173 172 {
174 173 int error;
175 174
176 175 if ((error = mod_remove(&modlinkage)) != 0)
177 176 return (error);
178 177
179 178 if (prov_update_handle != NULL)
180 179 crypto_unnotify_events(prov_update_handle);
181 180
182 181 kssl_global_fini();
183 182
184 183 return (0);
185 184 }
186 185
187 186 int
188 187 _info(struct modinfo *modinfop)
189 188 {
190 189 return (mod_info(&modlinkage, modinfop));
191 190 }
192 191
193 192 /* ARGSUSED */
194 193 static int
195 194 kssl_getinfo(dev_info_t *dip, ddi_info_cmd_t cmd, void *arg, void **result)
196 195 {
197 196 switch (cmd) {
198 197 case DDI_INFO_DEVT2DEVINFO:
199 198 *result = kssl_dip;
200 199 return (DDI_SUCCESS);
201 200
202 201 case DDI_INFO_DEVT2INSTANCE:
203 202 *result = (void *)0;
204 203 return (DDI_SUCCESS);
205 204 }
206 205 return (DDI_FAILURE);
207 206 }
208 207
209 208 static int
210 209 kssl_attach(dev_info_t *dip, ddi_attach_cmd_t cmd)
211 210 {
212 211 if (cmd != DDI_ATTACH) {
213 212 return (DDI_FAILURE);
214 213 }
215 214
216 215 if (ddi_get_instance(dip) != 0) {
217 216 /* we only allow instance 0 to attach */
218 217 return (DDI_FAILURE);
219 218 }
220 219
221 220 /* create the minor node */
222 221 if (ddi_create_minor_node(dip, "kssl", S_IFCHR, 0, DDI_PSEUDO, 0) !=
223 222 DDI_SUCCESS) {
224 223 cmn_err(CE_WARN, "kssl_attach: failed creating minor node");
225 224 ddi_remove_minor_node(dip, NULL);
226 225 return (DDI_FAILURE);
227 226 }
228 227
229 228 kssl_dip = dip;
230 229
231 230 return (DDI_SUCCESS);
232 231 }
233 232
234 233 static kstat_t *kssl_ksp = NULL;
235 234
236 235 static int
237 236 kssl_detach(dev_info_t *dip, ddi_detach_cmd_t cmd)
238 237 {
239 238 if (cmd != DDI_DETACH)
240 239 return (DDI_FAILURE);
241 240
242 241 if (kssl_entry_tab_nentries != 0)
243 242 return (DDI_FAILURE);
244 243
245 244 kssl_dip = NULL;
246 245
247 246 ddi_remove_minor_node(dip, NULL);
248 247
249 248 return (DDI_SUCCESS);
250 249 }
251 250
252 251 /* ARGSUSED */
253 252 static int
254 253 kssl_open(dev_t *devp, int flag, int otyp, cred_t *credp)
255 254 {
256 255 if (otyp != OTYP_CHR)
257 256 return (ENXIO);
258 257
259 258 if (kssl_dip == NULL)
260 259 return (ENXIO);
261 260
262 261 /* first time here? initialize everything */
263 262 if (rsa_x509_mech.cm_type == CRYPTO_MECH_INVALID) {
264 263 kssl_init_mechs();
265 264 prov_update_handle = crypto_notify_events(
266 265 kssl_event_callback, CRYPTO_EVENT_MECHS_CHANGED);
267 266 }
268 267
269 268 /* exclusive opens are not supported */
270 269 if (flag & FEXCL)
271 270 return (ENOTSUP);
272 271
273 272 return (0);
274 273 }
275 274
276 275 /* ARGSUSED */
277 276 static int
278 277 kssl_close(dev_t dev, int flag, int otyp, cred_t *credp)
279 278 {
280 279 return (0);
281 280 }
282 281
283 282 #define KSSL_MAX_KEYANDCERTS 80000 /* max 64K plus a little margin */
284 283
285 284 /* ARGSUSED */
286 285 static int
287 286 kssl_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *c,
288 287 int *rval)
289 288 {
290 289 int error = EINVAL;
291 290 uint32_t auditing = AU_AUDITING();
292 291
293 292 #define ARG ((caddr_t)arg)
294 293
295 294 if (secpolicy_net_config(c, B_FALSE) != 0) {
296 295 return (EPERM);
297 296 }
298 297
299 298 switch (cmd) {
300 299 case KSSL_ADD_ENTRY: {
301 300 uint64_t len;
302 301 uint32_t ck_rv;
303 302 size_t off;
304 303 kssl_params_t *kssl_params;
305 304
306 305 off = offsetof(kssl_params_t, kssl_params_size);
307 306 if (copyin(ARG + off, &len, sizeof (len)) != 0) {
308 307 return (EFAULT);
309 308 }
310 309
311 310 if (len < sizeof (kssl_params_t) ||
312 311 len > KSSL_MAX_KEYANDCERTS) {
313 312 return (EINVAL);
314 313 }
315 314
316 315 kssl_params = kmem_alloc(len, KM_SLEEP);
317 316
318 317 /* Get the whole structure and parameters in one move */
319 318 if (copyin(ARG, kssl_params, len) != 0) {
320 319 kmem_free(kssl_params, len);
321 320 return (EFAULT);
322 321 }
323 322 error = kssl_add_entry(kssl_params);
324 323 if (auditing)
325 324 audit_kssl(KSSL_ADD_ENTRY, kssl_params, error);
326 325 off = offsetof(kssl_params_t, kssl_token) +
327 326 offsetof(kssl_tokinfo_t, ck_rv);
328 327 ck_rv = kssl_params->kssl_token.ck_rv;
329 328 if (copyout(&ck_rv, ARG + off, sizeof (ck_rv)) != 0) {
330 329 error = EFAULT;
331 330 }
332 331
333 332 bzero(kssl_params, len);
334 333 kmem_free(kssl_params, len);
335 334 break;
336 335 }
337 336 case KSSL_DELETE_ENTRY: {
338 337 struct sockaddr_in6 server_addr;
339 338
340 339 if (copyin(ARG, &server_addr, sizeof (server_addr)) != 0) {
341 340 return (EFAULT);
342 341 }
343 342
344 343 error = kssl_delete_entry(&server_addr);
345 344 if (auditing)
346 345 audit_kssl(KSSL_DELETE_ENTRY, &server_addr, error);
347 346 break;
348 347 }
349 348 }
350 349
351 350 return (error);
352 351 }
353 352
354 353 #define NUM_MECHS 7
355 354 static mech_to_cipher_t mech_to_cipher_tab[NUM_MECHS] = {
356 355 {CRYPTO_MECH_INVALID, SUN_CKM_RSA_X_509,
357 356 {SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
358 357 SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
359 358 TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
360 359 SSL_RSA_WITH_NULL_SHA}},
361 360 {CRYPTO_MECH_INVALID, SUN_CKM_MD5_HMAC, {SSL_RSA_WITH_RC4_128_MD5}},
362 361 {CRYPTO_MECH_INVALID, SUN_CKM_SHA1_HMAC,
363 362 {SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA,
364 363 SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_NULL_SHA,
365 364 TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA}},
366 365 {CRYPTO_MECH_INVALID, SUN_CKM_RC4,
367 366 {SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA}},
368 367 {CRYPTO_MECH_INVALID, SUN_CKM_DES_CBC, {SSL_RSA_WITH_DES_CBC_SHA}},
369 368 {CRYPTO_MECH_INVALID, SUN_CKM_DES3_CBC,
370 369 {SSL_RSA_WITH_3DES_EDE_CBC_SHA}},
371 370 {CRYPTO_MECH_INVALID, SUN_CKM_AES_CBC,
372 371 {TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA}},
373 372 };
374 373
375 374 static void
376 375 kssl_init_mechs()
377 376 {
378 377 mech_to_cipher_tab[0].mech = rsa_x509_mech.cm_type =
379 378 crypto_mech2id(SUN_CKM_RSA_X_509);
380 379 mech_to_cipher_tab[1].mech = hmac_md5_mech.cm_type =
381 380 crypto_mech2id(SUN_CKM_MD5_HMAC);
382 381 mech_to_cipher_tab[2].mech = hmac_sha1_mech.cm_type =
383 382 crypto_mech2id(SUN_CKM_SHA1_HMAC);
384 383
385 384 mech_to_cipher_tab[3].mech = cipher_defs[cipher_rc4].mech_type =
386 385 crypto_mech2id(SUN_CKM_RC4);
387 386 mech_to_cipher_tab[4].mech = cipher_defs[cipher_des].mech_type =
388 387 crypto_mech2id(SUN_CKM_DES_CBC);
389 388 mech_to_cipher_tab[5].mech = cipher_defs[cipher_3des].mech_type =
390 389 crypto_mech2id(SUN_CKM_DES3_CBC);
391 390 mech_to_cipher_tab[6].mech = cipher_defs[cipher_aes128].mech_type =
392 391 cipher_defs[cipher_aes256].mech_type =
393 392 crypto_mech2id(SUN_CKM_AES_CBC);
394 393 }
395 394
396 395 static int
397 396 is_in_suites(uint16_t s, uint16_t *sarray)
398 397 {
399 398 int i;
400 399
401 400 for (i = 0; i < CIPHER_SUITE_COUNT; i++) {
402 401 if (s == sarray[i])
403 402 return (1);
404 403 }
405 404
406 405 return (0);
407 406 }
408 407
409 408 static int
410 409 is_in_mechlist(char *name, crypto_mech_name_t *mechs, int count)
411 410 {
412 411 int i;
413 412
414 413 for (i = 0; i < count; i++) {
415 414 if (strncmp(name, mechs[i], CRYPTO_MAX_MECH_NAME) == 0)
416 415 return (1);
417 416 }
418 417
419 418 return (0);
420 419 }
421 420
422 421 /*
423 422 * Callback function invoked by the crypto framework when a provider's
424 423 * mechanism is available/unavailable. This callback updates entries in the
425 424 * kssl_entry_tab[] to make changes to the cipher suites of an entry
426 425 * which are affected by the mechanism.
427 426 */
428 427 static void
429 428 kssl_event_callback(uint32_t event, void *event_arg)
430 429 {
431 430 int i, j;
432 431 int cnt, rcnt;
433 432 uint16_t s;
434 433 boolean_t changed;
435 434 crypto_mech_name_t *mechs;
436 435 uint_t mech_count;
437 436 mech_to_cipher_t *mc;
438 437 kssl_entry_t *old;
439 438 kssl_entry_t *new;
440 439 uint16_t tmp_suites[CIPHER_SUITE_COUNT];
441 440 uint16_t dis_list[CIPHER_SUITE_COUNT];
442 441 crypto_notify_event_change_t *prov_change =
443 442 (crypto_notify_event_change_t *)event_arg;
444 443
445 444 /* ignore events for which we didn't register */
446 445 if (event != CRYPTO_EVENT_MECHS_CHANGED) {
447 446 return;
448 447 }
449 448
450 449 for (i = 0; i < NUM_MECHS; i++) {
451 450 mc = &(mech_to_cipher_tab[i]);
452 451 if (mc->mech == CRYPTO_MECH_INVALID)
453 452 continue;
454 453
455 454 /*
456 455 * Check if this crypto framework provider mechanism being
457 456 * added or removed affects us.
458 457 */
459 458 if (strncmp(mc->name, prov_change->ec_mech_name,
460 459 CRYPTO_MAX_MECH_NAME) == 0)
461 460 break;
462 461 }
463 462
464 463 if (i == NUM_MECHS)
465 464 return;
466 465
467 466 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
468 467 if (mechs == NULL)
469 468 return;
470 469
471 470 mutex_enter(&kssl_tab_mutex);
472 471
473 472 for (i = 0; i < kssl_entry_tab_size; i++) {
474 473 if ((old = kssl_entry_tab[i]) == NULL)
475 474 continue;
476 475
477 476 cnt = 0;
478 477 rcnt = 0;
479 478 changed = B_FALSE;
480 479 for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
481 480 tmp_suites[j] = CIPHER_NOTSET;
482 481 dis_list[j] = CIPHER_NOTSET;
483 482 }
484 483
485 484 /*
486 485 * We start with the saved cipher suite list for the new entry.
487 486 * If a mechanism is disabled, resulting in a cipher suite being
488 487 * disabled now, we take it out from the list for the new entry.
489 488 * If a mechanism is enabled, resulting in a cipher suite being
490 489 * enabled now, we don't need to do any thing.
491 490 */
492 491 if (!is_in_mechlist(mc->name, mechs, mech_count)) {
493 492 for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
494 493 s = mc->kssl_suites[j];
495 494 if (s == 0)
496 495 break;
497 496 if (is_in_suites(s, old->kssl_saved_Suites)) {
498 497 /* Disable this cipher suite */
499 498 if (!is_in_suites(s, dis_list))
500 499 dis_list[cnt++] = s;
501 500 }
502 501 }
503 502 }
504 503
505 504 for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
506 505 s = old->kssl_saved_Suites[j];
507 506 if (!is_in_suites(s, dis_list))
508 507 tmp_suites[rcnt] = s;
509 508
510 509 if (!changed &&
511 510 (tmp_suites[rcnt] != old->kssl_cipherSuites[rcnt]))
512 511 changed = B_TRUE;
513 512 rcnt++;
514 513 }
515 514
516 515 if (changed) {
517 516 new = kmem_zalloc(sizeof (kssl_entry_t), KM_NOSLEEP);
518 517 if (new == NULL)
519 518 continue;
520 519
521 520 *new = *old; /* Structure copy */
522 521 old->ke_no_freeall = B_TRUE;
523 522 new->ke_refcnt = 0;
524 523 new->kssl_cipherSuites_nentries = rcnt;
525 524 for (j = 0; j < CIPHER_SUITE_COUNT; j++)
526 525 new->kssl_cipherSuites[j] = tmp_suites[j];
527 526
528 527 KSSL_ENTRY_REFHOLD(new);
529 528 kssl_entry_tab[i] = new;
530 529 KSSL_ENTRY_REFRELE(old);
531 530 }
532 531 }
533 532
534 533 mutex_exit(&kssl_tab_mutex);
535 534 crypto_free_mech_list(mechs, mech_count);
536 535 }
537 536
538 537
539 538 kssl_stats_t *kssl_statp;
540 539
541 540 static void
542 541 kssl_global_init()
543 542 {
544 543 mutex_init(&kssl_tab_mutex, NULL, MUTEX_DRIVER, NULL);
545 544
546 545 kssl_cache = kmem_cache_create("kssl_cache", sizeof (ssl_t),
547 546 0, kssl_constructor, kssl_destructor, NULL, NULL, NULL, 0);
548 547
549 548 if ((kssl_ksp = kstat_create("kssl", 0, "kssl_stats", "crypto",
550 549 KSTAT_TYPE_NAMED, sizeof (kssl_stats_t) / sizeof (kstat_named_t),
551 550 KSTAT_FLAG_PERSISTENT)) != NULL) {
552 551 kssl_statp = kssl_ksp->ks_data;
553 552
554 553 kstat_named_init(&kssl_statp->sid_cache_lookups,
555 554 "kssl_sid_cache_lookups", KSTAT_DATA_UINT64);
556 555 kstat_named_init(&kssl_statp->sid_cache_hits,
557 556 "kssl_sid_cache_hits", KSTAT_DATA_UINT64);
558 557 kstat_named_init(&kssl_statp->sid_cached,
559 558 "kssl_sid_cached", KSTAT_DATA_UINT64);
560 559 kstat_named_init(&kssl_statp->sid_uncached,
561 560 "kssl_sid_uncached", KSTAT_DATA_UINT64);
562 561
563 562 kstat_named_init(&kssl_statp->full_handshakes,
564 563 "kssl_full_handshakes", KSTAT_DATA_UINT64);
565 564 kstat_named_init(&kssl_statp->resumed_sessions,
566 565 "kssl_resumed_sessions", KSTAT_DATA_UINT64);
567 566 kstat_named_init(&kssl_statp->fallback_connections,
568 567 "kssl_fallback_connections", KSTAT_DATA_UINT64);
569 568 kstat_named_init(&kssl_statp->proxy_fallback_failed,
570 569 "kssl_proxy_fallback_failed", KSTAT_DATA_UINT64);
571 570 kstat_named_init(&kssl_statp->appdata_record_ins,
572 571 "kssl_appdata_record_ins", KSTAT_DATA_UINT64);
573 572 kstat_named_init(&kssl_statp->appdata_record_outs,
574 573 "kssl_appdata_record_outs", KSTAT_DATA_UINT64);
575 574
576 575 kstat_named_init(&kssl_statp->alloc_fails, "kssl_alloc_fails",
577 576 KSTAT_DATA_UINT64);
578 577 kstat_named_init(&kssl_statp->fatal_alerts,
579 578 "kssl_fatal_alerts", KSTAT_DATA_UINT64);
580 579 kstat_named_init(&kssl_statp->warning_alerts,
581 580 "kssl_warning_alerts", KSTAT_DATA_UINT64);
582 581 kstat_named_init(&kssl_statp->no_suite_found,
583 582 "kssl_no_suite_found", KSTAT_DATA_UINT64);
584 583 kstat_named_init(&kssl_statp->compute_mac_failure,
585 584 "kssl_compute_mac_failure", KSTAT_DATA_UINT64);
586 585 kstat_named_init(&kssl_statp->verify_mac_failure,
587 586 "kssl_verify_mac_failure", KSTAT_DATA_UINT64);
588 587 kstat_named_init(&kssl_statp->record_decrypt_failure,
589 588 "kssl_record_decrypt_failure", KSTAT_DATA_UINT64);
590 589 kstat_named_init(&kssl_statp->bad_pre_master_secret,
591 590 "kssl_bad_pre_master_secret", KSTAT_DATA_UINT64);
592 591 kstat_named_init(&kssl_statp->internal_errors,
593 592 "kssl_internal_errors", KSTAT_DATA_UINT64);
594 593
595 594 kstat_install(kssl_ksp);
596 595 };
597 596 }
598 597
599 598 static void
600 599 kssl_global_fini(void)
601 600 {
602 601 mutex_destroy(&kssl_tab_mutex);
603 602
604 603 if (kssl_cache != NULL) {
605 604 kmem_cache_destroy(kssl_cache);
606 605 kssl_cache = NULL;
607 606 }
608 607
609 608 if (kssl_ksp != NULL) {
610 609 kstat_delete(kssl_ksp);
611 610 kssl_ksp = NULL;
612 611 }
613 612 }
614 613
615 614 /*ARGSUSED*/
616 615 static int
617 616 kssl_constructor(void *buf, void *arg, int kmflags)
618 617 {
619 618 ssl_t *ssl = buf;
620 619
621 620 mutex_init(&ssl->kssl_lock, NULL, MUTEX_DEFAULT, NULL);
622 621 cv_init(&ssl->async_cv, NULL, CV_DEFAULT, NULL);
623 622
624 623 return (0);
625 624 }
626 625
627 626 /*ARGSUSED*/
628 627 static void
629 628 kssl_destructor(void *buf, void *arg)
630 629 {
631 630 ssl_t *ssl = buf;
632 631 mutex_destroy(&ssl->kssl_lock);
633 632 cv_destroy(&ssl->async_cv);
634 633 }
635 634
636 635 /*
637 636 * Handler routine called by the crypto framework when a
638 637 * provider is unregistered or registered. We invalidate the
639 638 * private key handle if our provider is unregistered. We set
640 639 * a flag to reauthenticate if our provider came back.
641 640 */
642 641 void
643 642 kssl_prov_evnt(uint32_t event, void *event_arg)
644 643 {
645 644 int i, rv;
646 645 kssl_entry_t *ep;
647 646 kssl_session_info_t *s;
648 647 crypto_provider_t prov;
649 648 crypto_provider_ext_info_t info;
650 649
651 650 if (event != CRYPTO_EVENT_PROVIDER_UNREGISTERED &&
652 651 event != CRYPTO_EVENT_PROVIDER_REGISTERED)
653 652 return;
654 653
655 654 prov = (crypto_provider_t)event_arg;
656 655 if (event == CRYPTO_EVENT_PROVIDER_REGISTERED) {
657 656 rv = crypto_get_provinfo(prov, &info);
658 657 if (rv != CRYPTO_SUCCESS)
659 658 return;
660 659 }
661 660
662 661 mutex_enter(&kssl_tab_mutex);
663 662
664 663 for (i = 0; i < kssl_entry_tab_size; i++) {
665 664 if ((ep = kssl_entry_tab[i]) == NULL)
666 665 continue;
667 666
668 667 s = ep->ke_sessinfo;
669 668 DTRACE_PROBE1(kssl_entry_cycle, kssl_entry_t *, ep);
670 669 switch (event) {
671 670 case CRYPTO_EVENT_PROVIDER_UNREGISTERED:
672 671 if (s->is_valid_handle && s->prov == prov) {
673 672 s->is_valid_handle = B_FALSE;
674 673 crypto_release_provider(s->prov);
675 674 }
676 675 break;
677 676
678 677 case CRYPTO_EVENT_PROVIDER_REGISTERED:
679 678 if (s->is_valid_handle)
680 679 break;
681 680 if (bcmp(s->toklabel, info.ei_label,
682 681 CRYPTO_EXT_SIZE_LABEL) == 0) {
683 682 s->do_reauth = B_TRUE;
684 683 }
685 684 break;
686 685 }
687 686 }
688 687
689 688 mutex_exit(&kssl_tab_mutex);
690 689 }
|
↓ open down ↓ |
565 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX