1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25
26 /*
27 * The system call and DDI interface for the kernel SSL module
28 */
29
30 #include <sys/types.h>
31 #include <sys/modctl.h>
32 #include <sys/conf.h>
33 #include <sys/stat.h>
34 #include <sys/ddi.h>
35 #include <sys/sunddi.h>
36 #include <sys/kmem.h>
37 #include <sys/errno.h>
38 #include <sys/file.h>
39 #include <sys/open.h>
40 #include <sys/cred.h>
41 #include <sys/proc.h>
42 #include <sys/task.h>
43 #include <sys/model.h>
44 #include <sys/sysmacros.h>
45 #include <sys/policy.h>
46 #include <sys/crypto/common.h>
47 #include <sys/crypto/api.h>
48 #include <c2/audit.h>
49 #include <sys/kstat.h>
50
51 #include "kssl.h"
52 #include "ksslimpl.h"
53
54 /*
55 * DDI entry points.
56 */
57 static int kssl_attach(dev_info_t *, ddi_attach_cmd_t);
58 static int kssl_detach(dev_info_t *, ddi_detach_cmd_t);
59 static int kssl_getinfo(dev_info_t *, ddi_info_cmd_t, void *, void **);
60 static int kssl_open(dev_t *, int, int, cred_t *);
61 static int kssl_close(dev_t, int, int, cred_t *);
62 static int kssl_ioctl(dev_t, int, intptr_t, int, cred_t *, int *);
63
64 static int kssl_constructor(void *buf, void *arg, int kmflags);
65 static void kssl_destructor(void *buf, void *arg);
66
67 /*
68 * Module linkage.
69 */
70 static struct cb_ops cbops = {
71 kssl_open, /* cb_open */
72 kssl_close, /* cb_close */
73 nodev, /* cb_strategy */
74 nodev, /* cb_print */
75 nodev, /* cb_dump */
76 nodev, /* cb_read */
77 nodev, /* cb_write */
78 kssl_ioctl, /* cb_ioctl */
79 nodev, /* cb_devmap */
80 nodev, /* cb_mmap */
81 nodev, /* cb_segmap */
82 nochpoll, /* cb_chpoll */
83 ddi_prop_op, /* cb_prop_op */
84 NULL, /* cb_streamtab */
85 D_MP, /* cb_flag */
86 CB_REV, /* cb_rev */
87 nodev, /* cb_aread */
88 nodev, /* cb_awrite */
89 };
90
91 static struct dev_ops devops = {
92 DEVO_REV, /* devo_rev */
93 0, /* devo_refcnt */
94 kssl_getinfo, /* devo_getinfo */
95 nulldev, /* devo_identify */
96 nulldev, /* devo_probe */
97 kssl_attach, /* devo_attach */
98 kssl_detach, /* devo_detach */
99 nodev, /* devo_reset */
100 &cbops, /* devo_cb_ops */
101 NULL, /* devo_bus_ops */
102 NULL, /* devo_power */
103 ddi_quiesce_not_needed, /* devo_quiesce */
104 };
105
106 static struct modldrv modldrv = {
107 &mod_driverops, /* drv_modops */
108 "Kernel SSL Interface", /* drv_linkinfo */
109 &devops,
110 };
111
112 static struct modlinkage modlinkage = {
113 MODREV_1, /* ml_rev */
114 &modldrv, /* ml_linkage */
115 NULL
116 };
117
118 static dev_info_t *kssl_dip = NULL;
119
120 crypto_mechanism_t rsa_x509_mech = {CRYPTO_MECH_INVALID, NULL, 0};
121 crypto_mechanism_t hmac_md5_mech = {CRYPTO_MECH_INVALID, NULL, 0};
122 crypto_mechanism_t hmac_sha1_mech = {CRYPTO_MECH_INVALID, NULL, 0};
123 crypto_call_flag_t kssl_call_flag = CRYPTO_ALWAYS_QUEUE;
124
125 KSSLCipherDef cipher_defs[] = { /* indexed by SSL3BulkCipher */
126 /* type bsize keysz crypto_mech_type_t */
127
128 {type_stream, 0, 0, CRYPTO_MECH_INVALID},
129
130 /* mech_type to be initialized with CKM_RC4's */
131 {type_stream, 0, 16, CRYPTO_MECH_INVALID},
132
133 /* mech_type to be initialized with CKM_DES_CBC's */
134 {type_block, 8, 8, CRYPTO_MECH_INVALID},
135
136 /* mech_type to be initialized with CKM_DES3_CBC's */
137 {type_block, 8, 24, CRYPTO_MECH_INVALID},
138
139 /* mech_type to be initialized with CKM_AES_CBC with 128-bit key */
140 {type_block, 16, 16, CRYPTO_MECH_INVALID},
141
142 /* mech_type to be initialized with CKM_AES_CBC with 256-bit key */
143 {type_block, 16, 32, CRYPTO_MECH_INVALID},
144 };
145
146 struct kmem_cache *kssl_cache;
147 static crypto_notify_handle_t prov_update_handle = NULL;
148
149 static void kssl_global_init();
150 static void kssl_global_fini();
151 static void kssl_init_mechs();
152 static void kssl_event_callback(uint32_t, void *);
153
154 /*
155 * DDI entry points.
156 */
157 int
158 _init(void)
159 {
160 int error;
161
162 kssl_global_init();
163
164 if ((error = mod_install(&modlinkage)) != 0) {
165 kssl_global_fini();
166 return (error);
167 }
168 return (0);
169 }
170
171 int
172 _fini(void)
173 {
174 int error;
175
176 if ((error = mod_remove(&modlinkage)) != 0)
177 return (error);
178
179 if (prov_update_handle != NULL)
180 crypto_unnotify_events(prov_update_handle);
181
182 kssl_global_fini();
183
184 return (0);
185 }
186
187 int
188 _info(struct modinfo *modinfop)
189 {
190 return (mod_info(&modlinkage, modinfop));
191 }
192
193 /* ARGSUSED */
194 static int
195 kssl_getinfo(dev_info_t *dip, ddi_info_cmd_t cmd, void *arg, void **result)
196 {
197 switch (cmd) {
198 case DDI_INFO_DEVT2DEVINFO:
199 *result = kssl_dip;
200 return (DDI_SUCCESS);
201
202 case DDI_INFO_DEVT2INSTANCE:
203 *result = (void *)0;
204 return (DDI_SUCCESS);
205 }
206 return (DDI_FAILURE);
207 }
208
209 static int
210 kssl_attach(dev_info_t *dip, ddi_attach_cmd_t cmd)
211 {
212 if (cmd != DDI_ATTACH) {
213 return (DDI_FAILURE);
214 }
215
216 if (ddi_get_instance(dip) != 0) {
217 /* we only allow instance 0 to attach */
218 return (DDI_FAILURE);
219 }
220
221 /* create the minor node */
222 if (ddi_create_minor_node(dip, "kssl", S_IFCHR, 0, DDI_PSEUDO, 0) !=
223 DDI_SUCCESS) {
224 cmn_err(CE_WARN, "kssl_attach: failed creating minor node");
225 ddi_remove_minor_node(dip, NULL);
226 return (DDI_FAILURE);
227 }
228
229 kssl_dip = dip;
230
231 return (DDI_SUCCESS);
232 }
233
234 static kstat_t *kssl_ksp = NULL;
235
236 static int
237 kssl_detach(dev_info_t *dip, ddi_detach_cmd_t cmd)
238 {
239 if (cmd != DDI_DETACH)
240 return (DDI_FAILURE);
241
242 if (kssl_entry_tab_nentries != 0)
243 return (DDI_FAILURE);
244
245 kssl_dip = NULL;
246
247 ddi_remove_minor_node(dip, NULL);
248
249 return (DDI_SUCCESS);
250 }
251
252 /* ARGSUSED */
253 static int
254 kssl_open(dev_t *devp, int flag, int otyp, cred_t *credp)
255 {
256 if (otyp != OTYP_CHR)
257 return (ENXIO);
258
259 if (kssl_dip == NULL)
260 return (ENXIO);
261
262 /* first time here? initialize everything */
263 if (rsa_x509_mech.cm_type == CRYPTO_MECH_INVALID) {
264 kssl_init_mechs();
265 prov_update_handle = crypto_notify_events(
266 kssl_event_callback, CRYPTO_EVENT_MECHS_CHANGED);
267 }
268
269 /* exclusive opens are not supported */
270 if (flag & FEXCL)
271 return (ENOTSUP);
272
273 return (0);
274 }
275
276 /* ARGSUSED */
277 static int
278 kssl_close(dev_t dev, int flag, int otyp, cred_t *credp)
279 {
280 return (0);
281 }
282
283 #define KSSL_MAX_KEYANDCERTS 80000 /* max 64K plus a little margin */
284
285 /* ARGSUSED */
286 static int
287 kssl_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *c,
288 int *rval)
289 {
290 int error = EINVAL;
291 uint32_t auditing = AU_AUDITING();
292
293 #define ARG ((caddr_t)arg)
294
295 if (secpolicy_net_config(c, B_FALSE) != 0) {
296 return (EPERM);
297 }
298
299 switch (cmd) {
300 case KSSL_ADD_ENTRY: {
301 uint64_t len;
302 uint32_t ck_rv;
303 size_t off;
304 kssl_params_t *kssl_params;
305
306 off = offsetof(kssl_params_t, kssl_params_size);
307 if (copyin(ARG + off, &len, sizeof (len)) != 0) {
308 return (EFAULT);
309 }
310
311 if (len < sizeof (kssl_params_t) ||
312 len > KSSL_MAX_KEYANDCERTS) {
313 return (EINVAL);
314 }
315
316 kssl_params = kmem_alloc(len, KM_SLEEP);
317
318 /* Get the whole structure and parameters in one move */
319 if (copyin(ARG, kssl_params, len) != 0) {
320 kmem_free(kssl_params, len);
321 return (EFAULT);
322 }
323 error = kssl_add_entry(kssl_params);
324 if (auditing)
325 audit_kssl(KSSL_ADD_ENTRY, kssl_params, error);
326 off = offsetof(kssl_params_t, kssl_token) +
327 offsetof(kssl_tokinfo_t, ck_rv);
328 ck_rv = kssl_params->kssl_token.ck_rv;
329 if (copyout(&ck_rv, ARG + off, sizeof (ck_rv)) != 0) {
330 error = EFAULT;
331 }
332
333 bzero(kssl_params, len);
334 kmem_free(kssl_params, len);
335 break;
336 }
337 case KSSL_DELETE_ENTRY: {
338 struct sockaddr_in6 server_addr;
339
340 if (copyin(ARG, &server_addr, sizeof (server_addr)) != 0) {
341 return (EFAULT);
342 }
343
344 error = kssl_delete_entry(&server_addr);
345 if (auditing)
346 audit_kssl(KSSL_DELETE_ENTRY, &server_addr, error);
347 break;
348 }
349 }
350
351 return (error);
352 }
353
354 #define NUM_MECHS 7
355 static mech_to_cipher_t mech_to_cipher_tab[NUM_MECHS] = {
356 {CRYPTO_MECH_INVALID, SUN_CKM_RSA_X_509,
357 {SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
358 SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
359 TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
360 SSL_RSA_WITH_NULL_SHA}},
361 {CRYPTO_MECH_INVALID, SUN_CKM_MD5_HMAC, {SSL_RSA_WITH_RC4_128_MD5}},
362 {CRYPTO_MECH_INVALID, SUN_CKM_SHA1_HMAC,
363 {SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA,
364 SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_NULL_SHA,
365 TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA}},
366 {CRYPTO_MECH_INVALID, SUN_CKM_RC4,
367 {SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA}},
368 {CRYPTO_MECH_INVALID, SUN_CKM_DES_CBC, {SSL_RSA_WITH_DES_CBC_SHA}},
369 {CRYPTO_MECH_INVALID, SUN_CKM_DES3_CBC,
370 {SSL_RSA_WITH_3DES_EDE_CBC_SHA}},
371 {CRYPTO_MECH_INVALID, SUN_CKM_AES_CBC,
372 {TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA}},
373 };
374
375 static void
376 kssl_init_mechs()
377 {
378 mech_to_cipher_tab[0].mech = rsa_x509_mech.cm_type =
379 crypto_mech2id(SUN_CKM_RSA_X_509);
380 mech_to_cipher_tab[1].mech = hmac_md5_mech.cm_type =
381 crypto_mech2id(SUN_CKM_MD5_HMAC);
382 mech_to_cipher_tab[2].mech = hmac_sha1_mech.cm_type =
383 crypto_mech2id(SUN_CKM_SHA1_HMAC);
384
385 mech_to_cipher_tab[3].mech = cipher_defs[cipher_rc4].mech_type =
386 crypto_mech2id(SUN_CKM_RC4);
387 mech_to_cipher_tab[4].mech = cipher_defs[cipher_des].mech_type =
388 crypto_mech2id(SUN_CKM_DES_CBC);
389 mech_to_cipher_tab[5].mech = cipher_defs[cipher_3des].mech_type =
390 crypto_mech2id(SUN_CKM_DES3_CBC);
391 mech_to_cipher_tab[6].mech = cipher_defs[cipher_aes128].mech_type =
392 cipher_defs[cipher_aes256].mech_type =
393 crypto_mech2id(SUN_CKM_AES_CBC);
394 }
395
396 static int
397 is_in_suites(uint16_t s, uint16_t *sarray)
398 {
399 int i;
400
401 for (i = 0; i < CIPHER_SUITE_COUNT; i++) {
402 if (s == sarray[i])
403 return (1);
404 }
405
406 return (0);
407 }
408
409 static int
410 is_in_mechlist(char *name, crypto_mech_name_t *mechs, int count)
411 {
412 int i;
413
414 for (i = 0; i < count; i++) {
415 if (strncmp(name, mechs[i], CRYPTO_MAX_MECH_NAME) == 0)
416 return (1);
417 }
418
419 return (0);
420 }
421
422 /*
423 * Callback function invoked by the crypto framework when a provider's
424 * mechanism is available/unavailable. This callback updates entries in the
425 * kssl_entry_tab[] to make changes to the cipher suites of an entry
426 * which are affected by the mechanism.
427 */
428 static void
429 kssl_event_callback(uint32_t event, void *event_arg)
430 {
431 int i, j;
432 int cnt, rcnt;
433 uint16_t s;
434 boolean_t changed;
435 crypto_mech_name_t *mechs;
436 uint_t mech_count;
437 mech_to_cipher_t *mc;
438 kssl_entry_t *old;
439 kssl_entry_t *new;
440 uint16_t tmp_suites[CIPHER_SUITE_COUNT];
441 uint16_t dis_list[CIPHER_SUITE_COUNT];
442 crypto_notify_event_change_t *prov_change =
443 (crypto_notify_event_change_t *)event_arg;
444
445 /* ignore events for which we didn't register */
446 if (event != CRYPTO_EVENT_MECHS_CHANGED) {
447 return;
448 }
449
450 for (i = 0; i < NUM_MECHS; i++) {
451 mc = &(mech_to_cipher_tab[i]);
452 if (mc->mech == CRYPTO_MECH_INVALID)
453 continue;
454
455 /*
456 * Check if this crypto framework provider mechanism being
457 * added or removed affects us.
458 */
459 if (strncmp(mc->name, prov_change->ec_mech_name,
460 CRYPTO_MAX_MECH_NAME) == 0)
461 break;
462 }
463
464 if (i == NUM_MECHS)
465 return;
466
467 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
468 if (mechs == NULL)
469 return;
470
471 mutex_enter(&kssl_tab_mutex);
472
473 for (i = 0; i < kssl_entry_tab_size; i++) {
474 if ((old = kssl_entry_tab[i]) == NULL)
475 continue;
476
477 cnt = 0;
478 rcnt = 0;
479 changed = B_FALSE;
480 for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
481 tmp_suites[j] = CIPHER_NOTSET;
482 dis_list[j] = CIPHER_NOTSET;
483 }
484
485 /*
486 * We start with the saved cipher suite list for the new entry.
487 * If a mechanism is disabled, resulting in a cipher suite being
488 * disabled now, we take it out from the list for the new entry.
489 * If a mechanism is enabled, resulting in a cipher suite being
490 * enabled now, we don't need to do any thing.
491 */
492 if (!is_in_mechlist(mc->name, mechs, mech_count)) {
493 for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
494 s = mc->kssl_suites[j];
495 if (s == 0)
496 break;
497 if (is_in_suites(s, old->kssl_saved_Suites)) {
498 /* Disable this cipher suite */
499 if (!is_in_suites(s, dis_list))
500 dis_list[cnt++] = s;
501 }
502 }
503 }
504
505 for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
506 s = old->kssl_saved_Suites[j];
507 if (!is_in_suites(s, dis_list))
508 tmp_suites[rcnt] = s;
509
510 if (!changed &&
511 (tmp_suites[rcnt] != old->kssl_cipherSuites[rcnt]))
512 changed = B_TRUE;
513 rcnt++;
514 }
515
516 if (changed) {
517 new = kmem_zalloc(sizeof (kssl_entry_t), KM_NOSLEEP);
518 if (new == NULL)
519 continue;
520
521 *new = *old; /* Structure copy */
522 old->ke_no_freeall = B_TRUE;
523 new->ke_refcnt = 0;
524 new->kssl_cipherSuites_nentries = rcnt;
525 for (j = 0; j < CIPHER_SUITE_COUNT; j++)
526 new->kssl_cipherSuites[j] = tmp_suites[j];
527
528 KSSL_ENTRY_REFHOLD(new);
529 kssl_entry_tab[i] = new;
530 KSSL_ENTRY_REFRELE(old);
531 }
532 }
533
534 mutex_exit(&kssl_tab_mutex);
535 crypto_free_mech_list(mechs, mech_count);
536 }
537
538
539 kssl_stats_t *kssl_statp;
540
541 static void
542 kssl_global_init()
543 {
544 mutex_init(&kssl_tab_mutex, NULL, MUTEX_DRIVER, NULL);
545
546 kssl_cache = kmem_cache_create("kssl_cache", sizeof (ssl_t),
547 0, kssl_constructor, kssl_destructor, NULL, NULL, NULL, 0);
548
549 if ((kssl_ksp = kstat_create("kssl", 0, "kssl_stats", "crypto",
550 KSTAT_TYPE_NAMED, sizeof (kssl_stats_t) / sizeof (kstat_named_t),
551 KSTAT_FLAG_PERSISTENT)) != NULL) {
552 kssl_statp = kssl_ksp->ks_data;
553
554 kstat_named_init(&kssl_statp->sid_cache_lookups,
555 "kssl_sid_cache_lookups", KSTAT_DATA_UINT64);
556 kstat_named_init(&kssl_statp->sid_cache_hits,
557 "kssl_sid_cache_hits", KSTAT_DATA_UINT64);
558 kstat_named_init(&kssl_statp->sid_cached,
559 "kssl_sid_cached", KSTAT_DATA_UINT64);
560 kstat_named_init(&kssl_statp->sid_uncached,
561 "kssl_sid_uncached", KSTAT_DATA_UINT64);
562
563 kstat_named_init(&kssl_statp->full_handshakes,
564 "kssl_full_handshakes", KSTAT_DATA_UINT64);
565 kstat_named_init(&kssl_statp->resumed_sessions,
566 "kssl_resumed_sessions", KSTAT_DATA_UINT64);
567 kstat_named_init(&kssl_statp->fallback_connections,
568 "kssl_fallback_connections", KSTAT_DATA_UINT64);
569 kstat_named_init(&kssl_statp->proxy_fallback_failed,
570 "kssl_proxy_fallback_failed", KSTAT_DATA_UINT64);
571 kstat_named_init(&kssl_statp->appdata_record_ins,
572 "kssl_appdata_record_ins", KSTAT_DATA_UINT64);
573 kstat_named_init(&kssl_statp->appdata_record_outs,
574 "kssl_appdata_record_outs", KSTAT_DATA_UINT64);
575
576 kstat_named_init(&kssl_statp->alloc_fails, "kssl_alloc_fails",
577 KSTAT_DATA_UINT64);
578 kstat_named_init(&kssl_statp->fatal_alerts,
579 "kssl_fatal_alerts", KSTAT_DATA_UINT64);
580 kstat_named_init(&kssl_statp->warning_alerts,
581 "kssl_warning_alerts", KSTAT_DATA_UINT64);
582 kstat_named_init(&kssl_statp->no_suite_found,
583 "kssl_no_suite_found", KSTAT_DATA_UINT64);
584 kstat_named_init(&kssl_statp->compute_mac_failure,
585 "kssl_compute_mac_failure", KSTAT_DATA_UINT64);
586 kstat_named_init(&kssl_statp->verify_mac_failure,
587 "kssl_verify_mac_failure", KSTAT_DATA_UINT64);
588 kstat_named_init(&kssl_statp->record_decrypt_failure,
589 "kssl_record_decrypt_failure", KSTAT_DATA_UINT64);
590 kstat_named_init(&kssl_statp->bad_pre_master_secret,
591 "kssl_bad_pre_master_secret", KSTAT_DATA_UINT64);
592 kstat_named_init(&kssl_statp->internal_errors,
593 "kssl_internal_errors", KSTAT_DATA_UINT64);
594
595 kstat_install(kssl_ksp);
596 };
597 }
598
599 static void
600 kssl_global_fini(void)
601 {
602 mutex_destroy(&kssl_tab_mutex);
603
604 if (kssl_cache != NULL) {
605 kmem_cache_destroy(kssl_cache);
606 kssl_cache = NULL;
607 }
608
609 if (kssl_ksp != NULL) {
610 kstat_delete(kssl_ksp);
611 kssl_ksp = NULL;
612 }
613 }
614
615 /*ARGSUSED*/
616 static int
617 kssl_constructor(void *buf, void *arg, int kmflags)
618 {
619 ssl_t *ssl = buf;
620
621 mutex_init(&ssl->kssl_lock, NULL, MUTEX_DEFAULT, NULL);
622 cv_init(&ssl->async_cv, NULL, CV_DEFAULT, NULL);
623
624 return (0);
625 }
626
627 /*ARGSUSED*/
628 static void
629 kssl_destructor(void *buf, void *arg)
630 {
631 ssl_t *ssl = buf;
632 mutex_destroy(&ssl->kssl_lock);
633 cv_destroy(&ssl->async_cv);
634 }
635
636 /*
637 * Handler routine called by the crypto framework when a
638 * provider is unregistered or registered. We invalidate the
639 * private key handle if our provider is unregistered. We set
640 * a flag to reauthenticate if our provider came back.
641 */
642 void
643 kssl_prov_evnt(uint32_t event, void *event_arg)
644 {
645 int i, rv;
646 kssl_entry_t *ep;
647 kssl_session_info_t *s;
648 crypto_provider_t prov;
649 crypto_provider_ext_info_t info;
650
651 if (event != CRYPTO_EVENT_PROVIDER_UNREGISTERED &&
652 event != CRYPTO_EVENT_PROVIDER_REGISTERED)
653 return;
654
655 prov = (crypto_provider_t)event_arg;
656 if (event == CRYPTO_EVENT_PROVIDER_REGISTERED) {
657 rv = crypto_get_provinfo(prov, &info);
658 if (rv != CRYPTO_SUCCESS)
659 return;
660 }
661
662 mutex_enter(&kssl_tab_mutex);
663
664 for (i = 0; i < kssl_entry_tab_size; i++) {
665 if ((ep = kssl_entry_tab[i]) == NULL)
666 continue;
667
668 s = ep->ke_sessinfo;
669 DTRACE_PROBE1(kssl_entry_cycle, kssl_entry_t *, ep);
670 switch (event) {
671 case CRYPTO_EVENT_PROVIDER_UNREGISTERED:
672 if (s->is_valid_handle && s->prov == prov) {
673 s->is_valid_handle = B_FALSE;
674 crypto_release_provider(s->prov);
675 }
676 break;
677
678 case CRYPTO_EVENT_PROVIDER_REGISTERED:
679 if (s->is_valid_handle)
680 break;
681 if (bcmp(s->toklabel, info.ei_label,
682 CRYPTO_EXT_SIZE_LABEL) == 0) {
683 s->do_reauth = B_TRUE;
684 }
685 break;
686 }
687 }
688
689 mutex_exit(&kssl_tab_mutex);
690 }