1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
  23  */
  24 
  25 
  26 /*
  27  * The system call and DDI interface for the kernel SSL module
  28  */
  29 
  30 #include <sys/types.h>
  31 #include <sys/modctl.h>
  32 #include <sys/conf.h>
  33 #include <sys/stat.h>
  34 #include <sys/ddi.h>
  35 #include <sys/sunddi.h>
  36 #include <sys/kmem.h>
  37 #include <sys/errno.h>
  38 #include <sys/file.h>
  39 #include <sys/open.h>
  40 #include <sys/cred.h>
  41 #include <sys/proc.h>
  42 #include <sys/task.h>
  43 #include <sys/model.h>
  44 #include <sys/sysmacros.h>
  45 #include <sys/policy.h>
  46 #include <sys/crypto/common.h>
  47 #include <sys/crypto/api.h>
  48 #include <c2/audit.h>
  49 #include <sys/kstat.h>
  50 
  51 #include "kssl.h"
  52 #include "ksslimpl.h"
  53 
  54 /*
  55  * DDI entry points.
  56  */
  57 static int kssl_attach(dev_info_t *, ddi_attach_cmd_t);
  58 static int kssl_detach(dev_info_t *, ddi_detach_cmd_t);
  59 static int kssl_getinfo(dev_info_t *, ddi_info_cmd_t, void *, void **);
  60 static int kssl_open(dev_t *, int, int, cred_t *);
  61 static int kssl_close(dev_t, int, int, cred_t *);
  62 static int kssl_ioctl(dev_t, int, intptr_t, int, cred_t *, int *);
  63 
  64 static int kssl_constructor(void *buf, void *arg, int kmflags);
  65 static void kssl_destructor(void *buf, void *arg);
  66 
  67 /*
  68  * Module linkage.
  69  */
  70 static struct cb_ops cbops = {
  71         kssl_open,              /* cb_open */
  72         kssl_close,             /* cb_close */
  73         nodev,                  /* cb_strategy */
  74         nodev,                  /* cb_print */
  75         nodev,                  /* cb_dump */
  76         nodev,                  /* cb_read */
  77         nodev,                  /* cb_write */
  78         kssl_ioctl,             /* cb_ioctl */
  79         nodev,                  /* cb_devmap */
  80         nodev,                  /* cb_mmap */
  81         nodev,                  /* cb_segmap */
  82         nochpoll,               /* cb_chpoll */
  83         ddi_prop_op,            /* cb_prop_op */
  84         NULL,                   /* cb_streamtab */
  85         D_MP,                   /* cb_flag */
  86         CB_REV,                 /* cb_rev */
  87         nodev,                  /* cb_aread */
  88         nodev,                  /* cb_awrite */
  89 };
  90 
  91 static struct dev_ops devops = {
  92         DEVO_REV,               /* devo_rev */
  93         0,                      /* devo_refcnt */
  94         kssl_getinfo,           /* devo_getinfo */
  95         nulldev,                /* devo_identify */
  96         nulldev,                /* devo_probe */
  97         kssl_attach,            /* devo_attach */
  98         kssl_detach,            /* devo_detach */
  99         nodev,                  /* devo_reset */
 100         &cbops,                     /* devo_cb_ops */
 101         NULL,                   /* devo_bus_ops */
 102         NULL,                   /* devo_power */
 103         ddi_quiesce_not_needed,         /* devo_quiesce */
 104 };
 105 
 106 static struct modldrv modldrv = {
 107         &mod_driverops,             /* drv_modops */
 108         "Kernel SSL Interface", /* drv_linkinfo */
 109         &devops,
 110 };
 111 
 112 static struct modlinkage modlinkage = {
 113         MODREV_1,               /* ml_rev */
 114         &modldrv,           /* ml_linkage */
 115         NULL
 116 };
 117 
 118 static dev_info_t *kssl_dip = NULL;
 119 
 120 crypto_mechanism_t rsa_x509_mech = {CRYPTO_MECH_INVALID, NULL, 0};
 121 crypto_mechanism_t hmac_md5_mech = {CRYPTO_MECH_INVALID, NULL, 0};
 122 crypto_mechanism_t hmac_sha1_mech = {CRYPTO_MECH_INVALID, NULL, 0};
 123 crypto_call_flag_t kssl_call_flag = CRYPTO_ALWAYS_QUEUE;
 124 
 125 KSSLCipherDef cipher_defs[] = { /* indexed by SSL3BulkCipher */
 126         /* type bsize keysz crypto_mech_type_t */
 127 
 128         {type_stream, 0, 0, CRYPTO_MECH_INVALID},
 129 
 130         /* mech_type to be initialized with CKM_RC4's */
 131         {type_stream, 0, 16, CRYPTO_MECH_INVALID},
 132 
 133         /* mech_type to be initialized with CKM_DES_CBC's */
 134         {type_block, 8, 8, CRYPTO_MECH_INVALID},
 135 
 136         /* mech_type to be initialized with CKM_DES3_CBC's */
 137         {type_block, 8, 24, CRYPTO_MECH_INVALID},
 138 
 139         /* mech_type to be initialized with CKM_AES_CBC with 128-bit key  */
 140         {type_block, 16, 16, CRYPTO_MECH_INVALID},
 141 
 142         /* mech_type to be initialized with CKM_AES_CBC with 256-bit key  */
 143         {type_block, 16, 32, CRYPTO_MECH_INVALID},
 144 };
 145 
 146 struct kmem_cache *kssl_cache;
 147 static crypto_notify_handle_t prov_update_handle = NULL;
 148 
 149 static void kssl_global_init();
 150 static void kssl_global_fini();
 151 static void kssl_init_mechs();
 152 static void kssl_event_callback(uint32_t, void *);
 153 
 154 /*
 155  * DDI entry points.
 156  */
 157 int
 158 _init(void)
 159 {
 160         int error;
 161 
 162         kssl_global_init();
 163 
 164         if ((error = mod_install(&modlinkage)) != 0) {
 165                 kssl_global_fini();
 166                 return (error);
 167         }
 168         return (0);
 169 }
 170 
 171 int
 172 _fini(void)
 173 {
 174         int error;
 175 
 176         if ((error = mod_remove(&modlinkage)) != 0)
 177                 return (error);
 178 
 179         if (prov_update_handle != NULL)
 180                 crypto_unnotify_events(prov_update_handle);
 181 
 182         kssl_global_fini();
 183 
 184         return (0);
 185 }
 186 
 187 int
 188 _info(struct modinfo *modinfop)
 189 {
 190         return (mod_info(&modlinkage, modinfop));
 191 }
 192 
 193 /* ARGSUSED */
 194 static int
 195 kssl_getinfo(dev_info_t *dip, ddi_info_cmd_t cmd, void *arg, void **result)
 196 {
 197         switch (cmd) {
 198         case DDI_INFO_DEVT2DEVINFO:
 199                 *result = kssl_dip;
 200                 return (DDI_SUCCESS);
 201 
 202         case DDI_INFO_DEVT2INSTANCE:
 203                 *result = (void *)0;
 204                 return (DDI_SUCCESS);
 205         }
 206         return (DDI_FAILURE);
 207 }
 208 
 209 static int
 210 kssl_attach(dev_info_t *dip, ddi_attach_cmd_t cmd)
 211 {
 212         if (cmd != DDI_ATTACH) {
 213                 return (DDI_FAILURE);
 214         }
 215 
 216         if (ddi_get_instance(dip) != 0) {
 217                 /* we only allow instance 0 to attach */
 218                 return (DDI_FAILURE);
 219         }
 220 
 221         /* create the minor node */
 222         if (ddi_create_minor_node(dip, "kssl", S_IFCHR, 0, DDI_PSEUDO, 0) !=
 223             DDI_SUCCESS) {
 224                 cmn_err(CE_WARN, "kssl_attach: failed creating minor node");
 225                 ddi_remove_minor_node(dip, NULL);
 226                 return (DDI_FAILURE);
 227         }
 228 
 229         kssl_dip = dip;
 230 
 231         return (DDI_SUCCESS);
 232 }
 233 
 234 static kstat_t *kssl_ksp = NULL;
 235 
 236 static int
 237 kssl_detach(dev_info_t *dip, ddi_detach_cmd_t cmd)
 238 {
 239         if (cmd != DDI_DETACH)
 240                 return (DDI_FAILURE);
 241 
 242         if (kssl_entry_tab_nentries != 0)
 243                 return (DDI_FAILURE);
 244 
 245         kssl_dip = NULL;
 246 
 247         ddi_remove_minor_node(dip, NULL);
 248 
 249         return (DDI_SUCCESS);
 250 }
 251 
 252 /* ARGSUSED */
 253 static int
 254 kssl_open(dev_t *devp, int flag, int otyp, cred_t *credp)
 255 {
 256         if (otyp != OTYP_CHR)
 257                 return (ENXIO);
 258 
 259         if (kssl_dip == NULL)
 260                 return (ENXIO);
 261 
 262         /* first time here? initialize everything */
 263         if (rsa_x509_mech.cm_type == CRYPTO_MECH_INVALID) {
 264                 kssl_init_mechs();
 265                 prov_update_handle = crypto_notify_events(
 266                     kssl_event_callback, CRYPTO_EVENT_MECHS_CHANGED);
 267         }
 268 
 269         /* exclusive opens are not supported */
 270         if (flag & FEXCL)
 271                 return (ENOTSUP);
 272 
 273         return (0);
 274 }
 275 
 276 /* ARGSUSED */
 277 static int
 278 kssl_close(dev_t dev, int flag, int otyp, cred_t *credp)
 279 {
 280         return (0);
 281 }
 282 
 283 #define KSSL_MAX_KEYANDCERTS    80000   /* max 64K plus a little margin */
 284 
 285 /* ARGSUSED */
 286 static int
 287 kssl_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *c,
 288     int *rval)
 289 {
 290         int error = EINVAL;
 291         uint32_t auditing = AU_AUDITING();
 292 
 293 #define ARG     ((caddr_t)arg)
 294 
 295         if (secpolicy_net_config(c, B_FALSE) != 0) {
 296                 return (EPERM);
 297         }
 298 
 299         switch (cmd) {
 300         case KSSL_ADD_ENTRY: {
 301                 uint64_t len;
 302                 uint32_t ck_rv;
 303                 size_t off;
 304                 kssl_params_t *kssl_params;
 305 
 306                 off = offsetof(kssl_params_t, kssl_params_size);
 307                 if (copyin(ARG + off, &len, sizeof (len)) != 0) {
 308                         return (EFAULT);
 309                 }
 310 
 311                 if (len < sizeof (kssl_params_t) ||
 312                     len > KSSL_MAX_KEYANDCERTS) {
 313                         return (EINVAL);
 314                 }
 315 
 316                 kssl_params = kmem_alloc(len, KM_SLEEP);
 317 
 318                 /* Get the whole structure and parameters in one move */
 319                 if (copyin(ARG, kssl_params, len) != 0) {
 320                         kmem_free(kssl_params, len);
 321                         return (EFAULT);
 322                 }
 323                 error = kssl_add_entry(kssl_params);
 324         if (auditing)
 325                 audit_kssl(KSSL_ADD_ENTRY, kssl_params, error);
 326                 off = offsetof(kssl_params_t, kssl_token) +
 327                     offsetof(kssl_tokinfo_t, ck_rv);
 328                 ck_rv = kssl_params->kssl_token.ck_rv;
 329                 if (copyout(&ck_rv, ARG + off, sizeof (ck_rv)) != 0) {
 330                         error = EFAULT;
 331                 }
 332 
 333                 bzero(kssl_params, len);
 334                 kmem_free(kssl_params, len);
 335                 break;
 336         }
 337         case KSSL_DELETE_ENTRY: {
 338                 struct sockaddr_in6 server_addr;
 339 
 340                 if (copyin(ARG, &server_addr, sizeof (server_addr)) != 0) {
 341                         return (EFAULT);
 342                 }
 343 
 344                 error = kssl_delete_entry(&server_addr);
 345         if (auditing)
 346                 audit_kssl(KSSL_DELETE_ENTRY, &server_addr, error);
 347                 break;
 348         }
 349         }
 350 
 351         return (error);
 352 }
 353 
 354 #define NUM_MECHS       7
 355 static mech_to_cipher_t mech_to_cipher_tab[NUM_MECHS] = {
 356         {CRYPTO_MECH_INVALID, SUN_CKM_RSA_X_509,
 357             {SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
 358             SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
 359             TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
 360             SSL_RSA_WITH_NULL_SHA}},
 361         {CRYPTO_MECH_INVALID, SUN_CKM_MD5_HMAC, {SSL_RSA_WITH_RC4_128_MD5}},
 362         {CRYPTO_MECH_INVALID, SUN_CKM_SHA1_HMAC,
 363             {SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA,
 364             SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_NULL_SHA,
 365             TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA}},
 366         {CRYPTO_MECH_INVALID, SUN_CKM_RC4,
 367             {SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA}},
 368         {CRYPTO_MECH_INVALID, SUN_CKM_DES_CBC, {SSL_RSA_WITH_DES_CBC_SHA}},
 369         {CRYPTO_MECH_INVALID, SUN_CKM_DES3_CBC,
 370             {SSL_RSA_WITH_3DES_EDE_CBC_SHA}},
 371         {CRYPTO_MECH_INVALID, SUN_CKM_AES_CBC,
 372             {TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA}},
 373 };
 374 
 375 static void
 376 kssl_init_mechs()
 377 {
 378         mech_to_cipher_tab[0].mech = rsa_x509_mech.cm_type =
 379             crypto_mech2id(SUN_CKM_RSA_X_509);
 380         mech_to_cipher_tab[1].mech = hmac_md5_mech.cm_type =
 381             crypto_mech2id(SUN_CKM_MD5_HMAC);
 382         mech_to_cipher_tab[2].mech = hmac_sha1_mech.cm_type =
 383             crypto_mech2id(SUN_CKM_SHA1_HMAC);
 384 
 385         mech_to_cipher_tab[3].mech = cipher_defs[cipher_rc4].mech_type =
 386             crypto_mech2id(SUN_CKM_RC4);
 387         mech_to_cipher_tab[4].mech = cipher_defs[cipher_des].mech_type =
 388             crypto_mech2id(SUN_CKM_DES_CBC);
 389         mech_to_cipher_tab[5].mech = cipher_defs[cipher_3des].mech_type =
 390             crypto_mech2id(SUN_CKM_DES3_CBC);
 391         mech_to_cipher_tab[6].mech = cipher_defs[cipher_aes128].mech_type =
 392             cipher_defs[cipher_aes256].mech_type =
 393             crypto_mech2id(SUN_CKM_AES_CBC);
 394 }
 395 
 396 static int
 397 is_in_suites(uint16_t s, uint16_t *sarray)
 398 {
 399         int i;
 400 
 401         for (i = 0; i < CIPHER_SUITE_COUNT; i++) {
 402                 if (s == sarray[i])
 403                         return (1);
 404         }
 405 
 406         return (0);
 407 }
 408 
 409 static int
 410 is_in_mechlist(char *name, crypto_mech_name_t *mechs, int count)
 411 {
 412         int i;
 413 
 414         for (i = 0; i < count; i++) {
 415                 if (strncmp(name, mechs[i], CRYPTO_MAX_MECH_NAME) == 0)
 416                         return (1);
 417         }
 418 
 419         return (0);
 420 }
 421 
 422 /*
 423  * Callback function invoked by the crypto framework when a provider's
 424  * mechanism is available/unavailable. This callback updates entries in the
 425  * kssl_entry_tab[] to make changes to the cipher suites of an entry
 426  * which are affected by the mechanism.
 427  */
 428 static void
 429 kssl_event_callback(uint32_t event, void *event_arg)
 430 {
 431         int i, j;
 432         int cnt, rcnt;
 433         uint16_t s;
 434         boolean_t changed;
 435         crypto_mech_name_t *mechs;
 436         uint_t mech_count;
 437         mech_to_cipher_t *mc;
 438         kssl_entry_t *old;
 439         kssl_entry_t *new;
 440         uint16_t tmp_suites[CIPHER_SUITE_COUNT];
 441         uint16_t dis_list[CIPHER_SUITE_COUNT];
 442         crypto_notify_event_change_t *prov_change =
 443             (crypto_notify_event_change_t *)event_arg;
 444 
 445         /* ignore events for which we didn't register */
 446         if (event != CRYPTO_EVENT_MECHS_CHANGED) {
 447                 return;
 448         }
 449 
 450         for (i = 0; i < NUM_MECHS; i++) {
 451                 mc = &(mech_to_cipher_tab[i]);
 452                 if (mc->mech == CRYPTO_MECH_INVALID)
 453                         continue;
 454 
 455                 /*
 456                  * Check if this crypto framework provider mechanism being
 457                  * added or removed affects us.
 458                  */
 459                 if (strncmp(mc->name, prov_change->ec_mech_name,
 460                     CRYPTO_MAX_MECH_NAME) == 0)
 461                         break;
 462         }
 463 
 464         if (i == NUM_MECHS)
 465                 return;
 466 
 467         mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
 468         if (mechs == NULL)
 469                 return;
 470 
 471         mutex_enter(&kssl_tab_mutex);
 472 
 473         for (i = 0; i < kssl_entry_tab_size; i++) {
 474                 if ((old = kssl_entry_tab[i]) == NULL)
 475                         continue;
 476 
 477                 cnt = 0;
 478                 rcnt = 0;
 479                 changed = B_FALSE;
 480                 for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
 481                         tmp_suites[j] = CIPHER_NOTSET;
 482                         dis_list[j] = CIPHER_NOTSET;
 483                 }
 484 
 485                 /*
 486                  * We start with the saved cipher suite list for the new entry.
 487                  * If a mechanism is disabled, resulting in a cipher suite being
 488                  * disabled now, we take it out from the list for the new entry.
 489                  * If a mechanism is enabled, resulting in a cipher suite being
 490                  * enabled now, we don't need to do any thing.
 491                  */
 492                 if (!is_in_mechlist(mc->name, mechs, mech_count)) {
 493                         for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
 494                                 s = mc->kssl_suites[j];
 495                                 if (s == 0)
 496                                         break;
 497                                 if (is_in_suites(s, old->kssl_saved_Suites)) {
 498                                         /* Disable this cipher suite */
 499                                         if (!is_in_suites(s, dis_list))
 500                                                 dis_list[cnt++] = s;
 501                                 }
 502                         }
 503                 }
 504 
 505                 for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
 506                         s = old->kssl_saved_Suites[j];
 507                         if (!is_in_suites(s, dis_list))
 508                                 tmp_suites[rcnt] = s;
 509 
 510                         if (!changed &&
 511                             (tmp_suites[rcnt] != old->kssl_cipherSuites[rcnt]))
 512                                 changed = B_TRUE;
 513                         rcnt++;
 514                 }
 515 
 516                 if (changed) {
 517                         new = kmem_zalloc(sizeof (kssl_entry_t), KM_NOSLEEP);
 518                         if (new == NULL)
 519                                 continue;
 520 
 521                         *new = *old;            /* Structure copy */
 522                         old->ke_no_freeall = B_TRUE;
 523                         new->ke_refcnt = 0;
 524                         new->kssl_cipherSuites_nentries = rcnt;
 525                         for (j = 0; j < CIPHER_SUITE_COUNT; j++)
 526                                 new->kssl_cipherSuites[j] = tmp_suites[j];
 527 
 528                         KSSL_ENTRY_REFHOLD(new);
 529                         kssl_entry_tab[i] = new;
 530                         KSSL_ENTRY_REFRELE(old);
 531                 }
 532         }
 533 
 534         mutex_exit(&kssl_tab_mutex);
 535         crypto_free_mech_list(mechs, mech_count);
 536 }
 537 
 538 
 539 kssl_stats_t *kssl_statp;
 540 
 541 static void
 542 kssl_global_init()
 543 {
 544         mutex_init(&kssl_tab_mutex, NULL, MUTEX_DRIVER, NULL);
 545 
 546         kssl_cache = kmem_cache_create("kssl_cache", sizeof (ssl_t),
 547             0, kssl_constructor, kssl_destructor, NULL, NULL, NULL, 0);
 548 
 549         if ((kssl_ksp = kstat_create("kssl", 0, "kssl_stats", "crypto",
 550             KSTAT_TYPE_NAMED, sizeof (kssl_stats_t) / sizeof (kstat_named_t),
 551             KSTAT_FLAG_PERSISTENT)) != NULL) {
 552                 kssl_statp = kssl_ksp->ks_data;
 553 
 554                 kstat_named_init(&kssl_statp->sid_cache_lookups,
 555                     "kssl_sid_cache_lookups", KSTAT_DATA_UINT64);
 556                 kstat_named_init(&kssl_statp->sid_cache_hits,
 557                     "kssl_sid_cache_hits", KSTAT_DATA_UINT64);
 558                 kstat_named_init(&kssl_statp->sid_cached,
 559                     "kssl_sid_cached", KSTAT_DATA_UINT64);
 560                 kstat_named_init(&kssl_statp->sid_uncached,
 561                     "kssl_sid_uncached", KSTAT_DATA_UINT64);
 562 
 563                 kstat_named_init(&kssl_statp->full_handshakes,
 564                     "kssl_full_handshakes", KSTAT_DATA_UINT64);
 565                 kstat_named_init(&kssl_statp->resumed_sessions,
 566                     "kssl_resumed_sessions", KSTAT_DATA_UINT64);
 567                 kstat_named_init(&kssl_statp->fallback_connections,
 568                     "kssl_fallback_connections", KSTAT_DATA_UINT64);
 569                 kstat_named_init(&kssl_statp->proxy_fallback_failed,
 570                     "kssl_proxy_fallback_failed", KSTAT_DATA_UINT64);
 571                 kstat_named_init(&kssl_statp->appdata_record_ins,
 572                     "kssl_appdata_record_ins", KSTAT_DATA_UINT64);
 573                 kstat_named_init(&kssl_statp->appdata_record_outs,
 574                     "kssl_appdata_record_outs", KSTAT_DATA_UINT64);
 575 
 576                 kstat_named_init(&kssl_statp->alloc_fails, "kssl_alloc_fails",
 577                     KSTAT_DATA_UINT64);
 578                 kstat_named_init(&kssl_statp->fatal_alerts,
 579                     "kssl_fatal_alerts", KSTAT_DATA_UINT64);
 580                 kstat_named_init(&kssl_statp->warning_alerts,
 581                     "kssl_warning_alerts", KSTAT_DATA_UINT64);
 582                 kstat_named_init(&kssl_statp->no_suite_found,
 583                     "kssl_no_suite_found", KSTAT_DATA_UINT64);
 584                 kstat_named_init(&kssl_statp->compute_mac_failure,
 585                     "kssl_compute_mac_failure", KSTAT_DATA_UINT64);
 586                 kstat_named_init(&kssl_statp->verify_mac_failure,
 587                     "kssl_verify_mac_failure", KSTAT_DATA_UINT64);
 588                 kstat_named_init(&kssl_statp->record_decrypt_failure,
 589                     "kssl_record_decrypt_failure", KSTAT_DATA_UINT64);
 590                 kstat_named_init(&kssl_statp->bad_pre_master_secret,
 591                     "kssl_bad_pre_master_secret", KSTAT_DATA_UINT64);
 592                 kstat_named_init(&kssl_statp->internal_errors,
 593                     "kssl_internal_errors", KSTAT_DATA_UINT64);
 594 
 595                 kstat_install(kssl_ksp);
 596         };
 597 }
 598 
 599 static void
 600 kssl_global_fini(void)
 601 {
 602         mutex_destroy(&kssl_tab_mutex);
 603 
 604         if (kssl_cache != NULL) {
 605                 kmem_cache_destroy(kssl_cache);
 606                 kssl_cache = NULL;
 607         }
 608 
 609         if (kssl_ksp != NULL) {
 610                 kstat_delete(kssl_ksp);
 611                 kssl_ksp = NULL;
 612         }
 613 }
 614 
 615 /*ARGSUSED*/
 616 static int
 617 kssl_constructor(void *buf, void *arg, int kmflags)
 618 {
 619         ssl_t *ssl = buf;
 620 
 621         mutex_init(&ssl->kssl_lock, NULL, MUTEX_DEFAULT, NULL);
 622         cv_init(&ssl->async_cv, NULL, CV_DEFAULT, NULL);
 623 
 624         return (0);
 625 }
 626 
 627 /*ARGSUSED*/
 628 static void
 629 kssl_destructor(void *buf, void *arg)
 630 {
 631         ssl_t *ssl = buf;
 632         mutex_destroy(&ssl->kssl_lock);
 633         cv_destroy(&ssl->async_cv);
 634 }
 635 
 636 /*
 637  * Handler routine called by the crypto framework when a
 638  * provider is unregistered or registered. We invalidate the
 639  * private key handle if our provider is unregistered. We set
 640  * a flag to reauthenticate if our provider came back.
 641  */
 642 void
 643 kssl_prov_evnt(uint32_t event, void *event_arg)
 644 {
 645         int i, rv;
 646         kssl_entry_t *ep;
 647         kssl_session_info_t *s;
 648         crypto_provider_t prov;
 649         crypto_provider_ext_info_t info;
 650 
 651         if (event != CRYPTO_EVENT_PROVIDER_UNREGISTERED &&
 652             event != CRYPTO_EVENT_PROVIDER_REGISTERED)
 653                 return;
 654 
 655         prov = (crypto_provider_t)event_arg;
 656         if (event == CRYPTO_EVENT_PROVIDER_REGISTERED) {
 657                 rv = crypto_get_provinfo(prov, &info);
 658                 if (rv != CRYPTO_SUCCESS)
 659                         return;
 660         }
 661 
 662         mutex_enter(&kssl_tab_mutex);
 663 
 664         for (i = 0; i < kssl_entry_tab_size; i++) {
 665                 if ((ep = kssl_entry_tab[i]) == NULL)
 666                         continue;
 667 
 668                 s = ep->ke_sessinfo;
 669                 DTRACE_PROBE1(kssl_entry_cycle, kssl_entry_t *, ep);
 670                 switch (event) {
 671                 case CRYPTO_EVENT_PROVIDER_UNREGISTERED:
 672                         if (s->is_valid_handle && s->prov == prov) {
 673                                 s->is_valid_handle = B_FALSE;
 674                                 crypto_release_provider(s->prov);
 675                         }
 676                         break;
 677 
 678                 case CRYPTO_EVENT_PROVIDER_REGISTERED:
 679                         if (s->is_valid_handle)
 680                                 break;
 681                         if (bcmp(s->toklabel, info.ei_label,
 682                             CRYPTO_EXT_SIZE_LABEL) == 0) {
 683                                 s->do_reauth = B_TRUE;
 684                         }
 685                         break;
 686                 }
 687         }
 688 
 689         mutex_exit(&kssl_tab_mutex);
 690 }