xref: /titanic_41/usr/src/uts/common/inet/kssl/kssl.c (revision b02e9a2d4d2071d770e5aa9ae8f83f2bbe1f2ced)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * The system call and DDI interface for the kernel SSL module
30  */
31 
32 #include <sys/types.h>
33 #include <sys/modctl.h>
34 #include <sys/conf.h>
35 #include <sys/stat.h>
36 #include <sys/ddi.h>
37 #include <sys/sunddi.h>
38 #include <sys/kmem.h>
39 #include <sys/errno.h>
40 #include <sys/ksynch.h>
41 #include <sys/file.h>
42 #include <sys/open.h>
43 #include <sys/cred.h>
44 #include <sys/proc.h>
45 #include <sys/task.h>
46 #include <sys/mkdev.h>
47 #include <sys/model.h>
48 #include <sys/sysmacros.h>
49 #include <sys/policy.h>
50 #include <sys/crypto/common.h>
51 #include <sys/crypto/api.h>
52 #include <c2/audit.h>
53 #include <sys/kstat.h>
54 
55 #include "kssl.h"
56 #include "ksslimpl.h"
57 
58 /*
59  * DDI entry points.
60  */
61 static int kssl_attach(dev_info_t *, ddi_attach_cmd_t);
62 static int kssl_detach(dev_info_t *, ddi_detach_cmd_t);
63 static int kssl_getinfo(dev_info_t *, ddi_info_cmd_t, void *, void **);
64 static int kssl_open(dev_t *, int, int, cred_t *);
65 static int kssl_close(dev_t, int, int, cred_t *);
66 static int kssl_ioctl(dev_t, int, intptr_t, int, cred_t *, int *);
67 
68 static int kssl_constructor(void *buf, void *arg, int kmflags);
69 static void kssl_destructor(void *buf, void *arg);
70 
71 /*
72  * Module linkage.
73  */
74 static struct cb_ops cbops = {
75 	kssl_open,		/* cb_open */
76 	kssl_close,		/* cb_close */
77 	nodev,			/* cb_strategy */
78 	nodev,			/* cb_print */
79 	nodev,			/* cb_dump */
80 	nodev,			/* cb_read */
81 	nodev,			/* cb_write */
82 	kssl_ioctl,		/* cb_ioctl */
83 	nodev,			/* cb_devmap */
84 	nodev,			/* cb_mmap */
85 	nodev,			/* cb_segmap */
86 	nochpoll,		/* cb_chpoll */
87 	ddi_prop_op,		/* cb_prop_op */
88 	NULL,			/* cb_streamtab */
89 	D_MP,			/* cb_flag */
90 	CB_REV,			/* cb_rev */
91 	nodev,			/* cb_aread */
92 	nodev,			/* cb_awrite */
93 };
94 
95 static struct dev_ops devops = {
96 	DEVO_REV,		/* devo_rev */
97 	0,			/* devo_refcnt */
98 	kssl_getinfo,		/* devo_getinfo */
99 	nulldev,		/* devo_identify */
100 	nulldev,		/* devo_probe */
101 	kssl_attach,		/* devo_attach */
102 	kssl_detach,		/* devo_detach */
103 	nodev,			/* devo_reset */
104 	&cbops,			/* devo_cb_ops */
105 	NULL,			/* devo_bus_ops */
106 	NULL,			/* devo_power */
107 };
108 
109 static struct modldrv modldrv = {
110 	&mod_driverops,			/* drv_modops */
111 	"Kernel SSL Interface v1.4",	/* drv_linkinfo */
112 	&devops,
113 };
114 
115 static struct modlinkage modlinkage = {
116 	MODREV_1,		/* ml_rev */
117 	&modldrv,		/* ml_linkage */
118 	NULL
119 };
120 
121 static dev_info_t *kssl_dip = NULL;
122 
123 crypto_mechanism_t rsa_x509_mech = {CRYPTO_MECH_INVALID, NULL, 0};
124 crypto_mechanism_t hmac_md5_mech = {CRYPTO_MECH_INVALID, NULL, 0};
125 crypto_mechanism_t hmac_sha1_mech = {CRYPTO_MECH_INVALID, NULL, 0};
126 crypto_call_flag_t kssl_call_flag = CRYPTO_ALWAYS_QUEUE;
127 
128 KSSLCipherDef cipher_defs[] = { /* indexed by SSL3BulkCipher */
129 	/* type bsize keysz crypto_mech_type_t */
130 
131 	{type_stream, 0, 0, CRYPTO_MECH_INVALID},
132 
133 	/* mech_type to be initialized with CKM_RC4's */
134 	{type_stream, 0, 16, CRYPTO_MECH_INVALID},
135 
136 	/* mech_type to be initialized with CKM_DES_CBC's */
137 	{type_block, 8, 8, CRYPTO_MECH_INVALID},
138 
139 	/* mech_type to be initialized with CKM_DES3_CBC's */
140 	{type_block, 8, 24, CRYPTO_MECH_INVALID},
141 };
142 
143 int kssl_enabled = 1;
144 struct kmem_cache *kssl_cache;
145 
146 static void kssl_global_init();
147 static void kssl_init_mechs();
148 static void kssl_event_callback(uint32_t, void *);
149 
150 /*
151  * DDI entry points.
152  */
153 int
154 _init(void)
155 {
156 	return (mod_install(&modlinkage));
157 }
158 
159 int
160 _info(struct modinfo *modinfop)
161 {
162 	return (mod_info(&modlinkage, modinfop));
163 }
164 
165 /* ARGSUSED */
166 static int
167 kssl_getinfo(dev_info_t *dip, ddi_info_cmd_t cmd, void *arg, void **result)
168 {
169 	switch (cmd) {
170 	case DDI_INFO_DEVT2DEVINFO:
171 		*result = kssl_dip;
172 		return (DDI_SUCCESS);
173 
174 	case DDI_INFO_DEVT2INSTANCE:
175 		*result = (void *)0;
176 		return (DDI_SUCCESS);
177 	}
178 	return (DDI_FAILURE);
179 }
180 
181 static int
182 kssl_attach(dev_info_t *dip, ddi_attach_cmd_t cmd)
183 {
184 	if (cmd != DDI_ATTACH) {
185 		return (DDI_FAILURE);
186 	}
187 
188 	if (ddi_get_instance(dip) != 0) {
189 		/* we only allow instance 0 to attach */
190 		return (DDI_FAILURE);
191 	}
192 
193 	/* create the minor node */
194 	if (ddi_create_minor_node(dip, "kssl", S_IFCHR, 0, DDI_PSEUDO, 0) !=
195 	    DDI_SUCCESS) {
196 		cmn_err(CE_WARN, "kssl_attach: failed creating minor node");
197 		ddi_remove_minor_node(dip, NULL);
198 		return (DDI_FAILURE);
199 	}
200 
201 	kssl_dip = dip;
202 
203 	kssl_global_init();
204 
205 	return (DDI_SUCCESS);
206 }
207 
208 static kstat_t *kssl_ksp = NULL;
209 
210 static int
211 kssl_detach(dev_info_t *dip, ddi_detach_cmd_t cmd)
212 {
213 	if (cmd != DDI_DETACH)
214 		return (DDI_FAILURE);
215 
216 	if (kssl_entry_tab_nentries != 0 || kssl_cache_count != 0)
217 		return (DDI_FAILURE);
218 
219 	mutex_destroy(&kssl_tab_mutex);
220 	kssl_dip = NULL;
221 
222 	if (kssl_cache != NULL) {
223 		kmem_cache_destroy(kssl_cache);
224 		kssl_cache = NULL;
225 	}
226 
227 	if (kssl_ksp != NULL) {
228 		kstat_delete(kssl_ksp);
229 		kssl_ksp = NULL;
230 	}
231 
232 	ddi_remove_minor_node(dip, NULL);
233 
234 	return (DDI_SUCCESS);
235 }
236 
237 static crypto_notify_handle_t prov_update_handle = NULL;
238 
239 /* ARGSUSED */
240 static int
241 kssl_open(dev_t *devp, int flag, int otyp, cred_t *credp)
242 {
243 	if (otyp != OTYP_CHR)
244 		return (ENXIO);
245 
246 	if (kssl_dip == NULL)
247 		return (ENXIO);
248 
249 	/* first time here? initialize everything */
250 	if (rsa_x509_mech.cm_type == CRYPTO_MECH_INVALID) {
251 		kssl_init_mechs();
252 		prov_update_handle = crypto_notify_events(
253 		    kssl_event_callback, CRYPTO_EVENT_MECHS_CHANGED);
254 	}
255 
256 	/* exclusive opens are not supported */
257 	if (flag & FEXCL)
258 		return (ENOTSUP);
259 
260 	return (0);
261 }
262 
263 /* ARGSUSED */
264 static int
265 kssl_close(dev_t dev, int flag, int otyp, cred_t *credp)
266 {
267 	return (0);
268 }
269 
270 #define	KSSL_MAX_KEYANDCERTS	80000	/* max 64K plus a little margin */
271 
272 /* ARGSUSED */
273 static int
274 kssl_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *c,
275     int *rval)
276 {
277 	int error = EINVAL;
278 
279 #define	ARG	((caddr_t)arg)
280 
281 	if (secpolicy_net_config(c, B_FALSE) != 0) {
282 		return (EPERM);
283 	}
284 
285 	switch (cmd) {
286 	case KSSL_ADD_ENTRY: {
287 		uint64_t len;
288 		uint32_t ck_rv;
289 		size_t off;
290 		kssl_params_t *kssl_params;
291 
292 		off = offsetof(kssl_params_t, kssl_params_size);
293 		if (copyin(ARG + off, &len, sizeof (len)) != 0) {
294 			return (EFAULT);
295 		}
296 
297 		if (len < sizeof (kssl_params_t) ||
298 		    len > KSSL_MAX_KEYANDCERTS) {
299 			return (EINVAL);
300 		}
301 
302 		kssl_params = kmem_alloc(len, KM_SLEEP);
303 
304 		/* Get the whole structure and parameters in one move */
305 		if (copyin(ARG, kssl_params, len) != 0) {
306 			kmem_free(kssl_params, len);
307 			return (EFAULT);
308 		}
309 		error = kssl_add_entry(kssl_params);
310 #ifdef C2_AUDIT
311 	if (audit_active)
312 		audit_kssl(KSSL_ADD_ENTRY, kssl_params, error);
313 #endif
314 		off = offsetof(kssl_params_t, kssl_token) +
315 		    offsetof(kssl_tokinfo_t, ck_rv);
316 		ck_rv = kssl_params->kssl_token.ck_rv;
317 		if (copyout(&ck_rv, ARG + off, sizeof (ck_rv)) != 0) {
318 			error = EFAULT;
319 		}
320 
321 		bzero(kssl_params, len);
322 		kmem_free(kssl_params, len);
323 		break;
324 	}
325 	case KSSL_DELETE_ENTRY: {
326 		struct sockaddr_in server_addr;
327 
328 		if (copyin(ARG, &server_addr, sizeof (server_addr)) != 0) {
329 			return (EFAULT);
330 		}
331 
332 		error = kssl_delete_entry(&server_addr);
333 #ifdef C2_AUDIT
334 	if (audit_active)
335 		audit_kssl(KSSL_DELETE_ENTRY, &server_addr, error);
336 #endif
337 		break;
338 	}
339 	}
340 
341 	return (error);
342 }
343 
344 #define	NUM_MECHS	6
345 mech_to_cipher_t mech_to_cipher_tab[NUM_MECHS] = {
346 	{CRYPTO_MECH_INVALID, SUN_CKM_RSA_X_509,
347 	    {SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
348 	    SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
349 	    SSL_RSA_WITH_NULL_SHA}},
350 	{CRYPTO_MECH_INVALID, SUN_CKM_MD5_HMAC, {SSL_RSA_WITH_RC4_128_MD5}},
351 	{CRYPTO_MECH_INVALID, SUN_CKM_SHA1_HMAC,
352 	    {SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA,
353 	    SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_NULL_SHA}},
354 	{CRYPTO_MECH_INVALID, SUN_CKM_RC4,
355 	    {SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA}},
356 	{CRYPTO_MECH_INVALID, SUN_CKM_DES_CBC, {SSL_RSA_WITH_DES_CBC_SHA}},
357 	{CRYPTO_MECH_INVALID, SUN_CKM_DES3_CBC,
358 	    {SSL_RSA_WITH_3DES_EDE_CBC_SHA}}
359 };
360 
361 static void
362 kssl_init_mechs()
363 {
364 	mech_to_cipher_tab[0].mech = rsa_x509_mech.cm_type =
365 	    crypto_mech2id(SUN_CKM_RSA_X_509);
366 	mech_to_cipher_tab[1].mech = hmac_md5_mech.cm_type =
367 	    crypto_mech2id(SUN_CKM_MD5_HMAC);
368 	mech_to_cipher_tab[2].mech = hmac_sha1_mech.cm_type =
369 	    crypto_mech2id(SUN_CKM_SHA1_HMAC);
370 
371 	mech_to_cipher_tab[3].mech = cipher_defs[cipher_rc4].mech_type =
372 	    crypto_mech2id(SUN_CKM_RC4);
373 	mech_to_cipher_tab[4].mech = cipher_defs[cipher_des].mech_type =
374 	    crypto_mech2id(SUN_CKM_DES_CBC);
375 	mech_to_cipher_tab[5].mech = cipher_defs[cipher_3des].mech_type =
376 	    crypto_mech2id(SUN_CKM_DES3_CBC);
377 }
378 
379 static int
380 is_in_suites(uint16_t s, uint16_t *sarray)
381 {
382 	int i;
383 
384 	for (i = 0; i < CIPHER_SUITE_COUNT; i++) {
385 		if (s == sarray[i])
386 			return (1);
387 	}
388 
389 	return (0);
390 }
391 
392 static int
393 is_in_mechlist(char *name, crypto_mech_name_t *mechs, int count)
394 {
395 	int i;
396 
397 	for (i = 0; i < count; i++) {
398 		if (strncmp(name, mechs[i], CRYPTO_MAX_MECH_NAME) == 0)
399 			return (1);
400 	}
401 
402 	return (0);
403 }
404 
405 /*
406  * Callback function invoked by the crypto framework when a provider's
407  * mechanism is available/unavailable. This callback updates entries in the
408  * kssl_entry_tab[] to make changes to the cipher suites of an entry
409  * which are affected by the mechansim.
410  */
411 static void
412 kssl_event_callback(uint32_t event, void *event_arg)
413 {
414 	int i, j;
415 	int cnt, rcnt;
416 	uint16_t s;
417 	boolean_t changed;
418 	crypto_mech_name_t *mechs;
419 	uint_t mech_count;
420 	mech_to_cipher_t *mc;
421 	kssl_entry_t *old;
422 	kssl_entry_t *new;
423 	uint16_t tmp_suites[CIPHER_SUITE_COUNT];
424 	uint16_t dis_list[CIPHER_SUITE_COUNT];
425 	crypto_notify_event_change_t *prov_change =
426 	    (crypto_notify_event_change_t *)event_arg;
427 
428 	/* ignore events for which we didn't register */
429 	if (event != CRYPTO_EVENT_MECHS_CHANGED) {
430 		return;
431 	}
432 
433 	for (i = 0; i < NUM_MECHS; i++) {
434 		mc = &(mech_to_cipher_tab[i]);
435 		if (mc->mech == CRYPTO_MECH_INVALID)
436 			continue;
437 
438 		/*
439 		 * Check if this crypto framework provider mechanism being
440 		 * added or removed affects us.
441 		 */
442 		if (strncmp(mc->name, prov_change->ec_mech_name,
443 		    CRYPTO_MAX_MECH_NAME) == 0)
444 			break;
445 	}
446 
447 	if (i == NUM_MECHS)
448 		return;
449 
450 	mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
451 	if (mechs == NULL)
452 		return;
453 
454 	mutex_enter(&kssl_tab_mutex);
455 
456 	for (i = 0; i < kssl_entry_tab_size; i++) {
457 		if ((old = kssl_entry_tab[i]) == NULL)
458 			continue;
459 
460 		cnt = 0;
461 		rcnt = 0;
462 		changed = B_FALSE;
463 		for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
464 			tmp_suites[j] = CIPHER_NOTSET;
465 			dis_list[j] = CIPHER_NOTSET;
466 		}
467 
468 		/*
469 		 * We start with the saved cipher suite list for the new entry.
470 		 * If a mechanism is disabled, resulting in a cipher suite being
471 		 * disabled now, we take it out from the list for the new entry.
472 		 * If a mechanism is enabled, resulting in a cipher suite being
473 		 * enabled now, we don't need to do any thing.
474 		 */
475 		if (!is_in_mechlist(mc->name, mechs, mech_count)) {
476 			for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
477 				s = mc->kssl_suites[j];
478 				if (s == 0)
479 					break;
480 				if (is_in_suites(s, old->kssl_saved_Suites)) {
481 					/* Disable this cipher suite */
482 					if (!is_in_suites(s, dis_list))
483 						dis_list[cnt++] = s;
484 				}
485 			}
486 		}
487 
488 		for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
489 			s = old->kssl_saved_Suites[j];
490 			if (!is_in_suites(s, dis_list))
491 				tmp_suites[rcnt] = s;
492 
493 			if (!changed &&
494 			    (tmp_suites[rcnt] != old->kssl_cipherSuites[rcnt]))
495 				changed = B_TRUE;
496 			rcnt++;
497 		}
498 
499 		if (changed) {
500 			new = kmem_zalloc(sizeof (kssl_entry_t), KM_NOSLEEP);
501 			if (new == NULL)
502 				continue;
503 
504 			*new = *old;		/* Structure copy */
505 			old->ke_no_freeall = B_TRUE;
506 			new->ke_refcnt = 0;
507 			new->kssl_cipherSuites_nentries = rcnt;
508 			for (j = 0; j < CIPHER_SUITE_COUNT; j++)
509 				new->kssl_cipherSuites[j] = tmp_suites[j];
510 
511 			KSSL_ENTRY_REFHOLD(new);
512 			kssl_entry_tab[i] = new;
513 			KSSL_ENTRY_REFRELE(old);
514 		}
515 	}
516 
517 	mutex_exit(&kssl_tab_mutex);
518 	crypto_free_mech_list(mechs, mech_count);
519 }
520 
521 
522 kssl_stats_t *kssl_statp;
523 
524 static void
525 kssl_global_init()
526 {
527 	mutex_init(&kssl_tab_mutex, NULL, MUTEX_DRIVER, NULL);
528 
529 	kssl_cache = kmem_cache_create("kssl_cache", sizeof (ssl_t),
530 	    0, kssl_constructor, kssl_destructor, NULL, NULL, NULL, 0);
531 
532 	if ((kssl_ksp = kstat_create("kssl", 0, "kssl_stats", "crypto",
533 	    KSTAT_TYPE_NAMED, sizeof (kssl_stats_t) / sizeof (kstat_named_t),
534 	    KSTAT_FLAG_PERSISTENT)) != NULL) {
535 		kssl_statp = kssl_ksp->ks_data;
536 
537 		kstat_named_init(&kssl_statp->sid_cache_lookups,
538 		    "kssl_sid_cache_lookups", KSTAT_DATA_UINT64);
539 		kstat_named_init(&kssl_statp->sid_cache_hits,
540 		    "kssl_sid_cache_hits", KSTAT_DATA_UINT64);
541 		kstat_named_init(&kssl_statp->sid_uncached,
542 		    "kssl_sid_uncached", KSTAT_DATA_UINT64);
543 
544 		kstat_named_init(&kssl_statp->full_handshakes,
545 		    "kssl_full_handshakes", KSTAT_DATA_UINT64);
546 		kstat_named_init(&kssl_statp->resumed_sessions,
547 		    "kssl_resumed_sessions", KSTAT_DATA_UINT64);
548 		kstat_named_init(&kssl_statp->fallback_connections,
549 		    "kssl_fallback_connections", KSTAT_DATA_UINT64);
550 		kstat_named_init(&kssl_statp->proxy_fallback_failed,
551 		    "kssl_proxy_fallback_failed", KSTAT_DATA_UINT64);
552 		kstat_named_init(&kssl_statp->appdata_record_ins,
553 		    "kssl_appdata_record_ins", KSTAT_DATA_UINT64);
554 		kstat_named_init(&kssl_statp->appdata_record_outs,
555 		    "kssl_appdata_record_outs", KSTAT_DATA_UINT64);
556 
557 		kstat_named_init(&kssl_statp->alloc_fails, "kssl_alloc_fails",
558 		    KSTAT_DATA_UINT64);
559 		kstat_named_init(&kssl_statp->fatal_alerts,
560 		    "kssl_fatal_alerts", KSTAT_DATA_UINT64);
561 		kstat_named_init(&kssl_statp->warning_alerts,
562 		    "kssl_warning_alerts", KSTAT_DATA_UINT64);
563 		kstat_named_init(&kssl_statp->no_suite_found,
564 		    "kssl_no_suite_found", KSTAT_DATA_UINT64);
565 		kstat_named_init(&kssl_statp->compute_mac_failure,
566 		    "kssl_compute_mac_failure", KSTAT_DATA_UINT64);
567 		kstat_named_init(&kssl_statp->verify_mac_failure,
568 		    "kssl_verify_mac_failure", KSTAT_DATA_UINT64);
569 		kstat_named_init(&kssl_statp->record_decrypt_failure,
570 		    "kssl_record_decrypt_failure", KSTAT_DATA_UINT64);
571 		kstat_named_init(&kssl_statp->bad_pre_master_secret,
572 		    "kssl_bad_pre_master_secret", KSTAT_DATA_UINT64);
573 		kstat_named_init(&kssl_statp->internal_errors,
574 		    "kssl_internal_errors", KSTAT_DATA_UINT64);
575 
576 		kstat_install(kssl_ksp);
577 	};
578 }
579 
580 /*ARGSUSED*/
581 static int
582 kssl_constructor(void *buf, void *arg, int kmflags)
583 {
584 	ssl_t *ssl = buf;
585 
586 	mutex_init(&ssl->kssl_lock, NULL, MUTEX_DEFAULT, NULL);
587 
588 	return (0);
589 }
590 
591 /*ARGSUSED*/
592 static void
593 kssl_destructor(void *buf, void *arg)
594 {
595 	ssl_t *ssl = buf;
596 	mutex_destroy(&ssl->kssl_lock);
597 }
598 
599 /*
600  * Handler routine called by the crypto framework when a
601  * provider is unregistered or registered. We invalidate the
602  * private key handle if our provider is unregistered. We set
603  * a flag to reauthenticate if our provider came back.
604  */
605 void
606 kssl_prov_evnt(uint32_t event, void *event_arg)
607 {
608 	int i, rv;
609 	kssl_entry_t *ep;
610 	kssl_session_info_t *s;
611 	crypto_provider_t prov;
612 	crypto_provider_ext_info_t info;
613 
614 	if (event != CRYPTO_EVENT_PROVIDER_UNREGISTERED &&
615 	    event != CRYPTO_EVENT_PROVIDER_REGISTERED)
616 		return;
617 
618 	prov = (crypto_provider_t)event_arg;
619 	if (event == CRYPTO_EVENT_PROVIDER_REGISTERED) {
620 		rv = crypto_get_provinfo(prov, &info);
621 		if (rv != CRYPTO_SUCCESS)
622 			return;
623 	}
624 
625 	mutex_enter(&kssl_tab_mutex);
626 
627 	for (i = 0; i < kssl_entry_tab_size; i++) {
628 		if ((ep = kssl_entry_tab[i]) == NULL)
629 			continue;
630 
631 		s = ep->ke_sessinfo;
632 		switch (event) {
633 		case CRYPTO_EVENT_PROVIDER_UNREGISTERED:
634 			if (s->is_valid_handle && s->prov == prov) {
635 				s->is_valid_handle = B_FALSE;
636 				crypto_release_provider(s->prov);
637 			}
638 			break;
639 
640 		case CRYPTO_EVENT_PROVIDER_REGISTERED:
641 			if (s->is_valid_handle)
642 				break;
643 			if (bcmp(s->toklabel, info.ei_label,
644 			    CRYPTO_EXT_SIZE_LABEL) == 0) {
645 				s->do_reauth = B_TRUE;
646 			}
647 			break;
648 		}
649 	}
650 
651 	mutex_exit(&kssl_tab_mutex);
652 }
653