1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 /* 29 * The system call and DDI interface for the kernel SSL module 30 */ 31 32 #include <sys/types.h> 33 #include <sys/modctl.h> 34 #include <sys/conf.h> 35 #include <sys/stat.h> 36 #include <sys/ddi.h> 37 #include <sys/sunddi.h> 38 #include <sys/kmem.h> 39 #include <sys/errno.h> 40 #include <sys/ksynch.h> 41 #include <sys/file.h> 42 #include <sys/open.h> 43 #include <sys/cred.h> 44 #include <sys/proc.h> 45 #include <sys/task.h> 46 #include <sys/mkdev.h> 47 #include <sys/model.h> 48 #include <sys/sysmacros.h> 49 #include <sys/policy.h> 50 #include <sys/crypto/common.h> 51 #include <sys/crypto/api.h> 52 #include <c2/audit.h> 53 #include <sys/kstat.h> 54 55 #include "kssl.h" 56 #include "ksslimpl.h" 57 58 /* 59 * DDI entry points. 60 */ 61 static int kssl_attach(dev_info_t *, ddi_attach_cmd_t); 62 static int kssl_detach(dev_info_t *, ddi_detach_cmd_t); 63 static int kssl_getinfo(dev_info_t *, ddi_info_cmd_t, void *, void **); 64 static int kssl_open(dev_t *, int, int, cred_t *); 65 static int kssl_close(dev_t, int, int, cred_t *); 66 static int kssl_ioctl(dev_t, int, intptr_t, int, cred_t *, int *); 67 68 static int kssl_constructor(void *buf, void *arg, int kmflags); 69 static void kssl_destructor(void *buf, void *arg); 70 71 /* 72 * Module linkage. 73 */ 74 static struct cb_ops cbops = { 75 kssl_open, /* cb_open */ 76 kssl_close, /* cb_close */ 77 nodev, /* cb_strategy */ 78 nodev, /* cb_print */ 79 nodev, /* cb_dump */ 80 nodev, /* cb_read */ 81 nodev, /* cb_write */ 82 kssl_ioctl, /* cb_ioctl */ 83 nodev, /* cb_devmap */ 84 nodev, /* cb_mmap */ 85 nodev, /* cb_segmap */ 86 nochpoll, /* cb_chpoll */ 87 ddi_prop_op, /* cb_prop_op */ 88 NULL, /* cb_streamtab */ 89 D_MP, /* cb_flag */ 90 CB_REV, /* cb_rev */ 91 nodev, /* cb_aread */ 92 nodev, /* cb_awrite */ 93 }; 94 95 static struct dev_ops devops = { 96 DEVO_REV, /* devo_rev */ 97 0, /* devo_refcnt */ 98 kssl_getinfo, /* devo_getinfo */ 99 nulldev, /* devo_identify */ 100 nulldev, /* devo_probe */ 101 kssl_attach, /* devo_attach */ 102 kssl_detach, /* devo_detach */ 103 nodev, /* devo_reset */ 104 &cbops, /* devo_cb_ops */ 105 NULL, /* devo_bus_ops */ 106 NULL, /* devo_power */ 107 }; 108 109 static struct modldrv modldrv = { 110 &mod_driverops, /* drv_modops */ 111 "Kernel SSL Interface v1.4", /* drv_linkinfo */ 112 &devops, 113 }; 114 115 static struct modlinkage modlinkage = { 116 MODREV_1, /* ml_rev */ 117 &modldrv, /* ml_linkage */ 118 NULL 119 }; 120 121 static dev_info_t *kssl_dip = NULL; 122 123 crypto_mechanism_t rsa_x509_mech = {CRYPTO_MECH_INVALID, NULL, 0}; 124 crypto_mechanism_t hmac_md5_mech = {CRYPTO_MECH_INVALID, NULL, 0}; 125 crypto_mechanism_t hmac_sha1_mech = {CRYPTO_MECH_INVALID, NULL, 0}; 126 crypto_call_flag_t kssl_call_flag = CRYPTO_ALWAYS_QUEUE; 127 128 KSSLCipherDef cipher_defs[] = { /* indexed by SSL3BulkCipher */ 129 /* type bsize keysz crypto_mech_type_t */ 130 131 {type_stream, 0, 0, CRYPTO_MECH_INVALID}, 132 133 /* mech_type to be initialized with CKM_RC4's */ 134 {type_stream, 0, 16, CRYPTO_MECH_INVALID}, 135 136 /* mech_type to be initialized with CKM_DES_CBC's */ 137 {type_block, 8, 8, CRYPTO_MECH_INVALID}, 138 139 /* mech_type to be initialized with CKM_DES3_CBC's */ 140 {type_block, 8, 24, CRYPTO_MECH_INVALID}, 141 142 /* mech_type to be initialized with CKM_AES_CBC with 128-bit key */ 143 {type_block, 16, 16, CRYPTO_MECH_INVALID}, 144 145 /* mech_type to be initialized with CKM_AES_CBC with 256-bit key */ 146 {type_block, 16, 32, CRYPTO_MECH_INVALID}, 147 }; 148 149 int kssl_enabled = 1; 150 struct kmem_cache *kssl_cache; 151 152 static void kssl_global_init(); 153 static void kssl_init_mechs(); 154 static void kssl_event_callback(uint32_t, void *); 155 156 /* 157 * DDI entry points. 158 */ 159 int 160 _init(void) 161 { 162 return (mod_install(&modlinkage)); 163 } 164 165 int 166 _info(struct modinfo *modinfop) 167 { 168 return (mod_info(&modlinkage, modinfop)); 169 } 170 171 /* ARGSUSED */ 172 static int 173 kssl_getinfo(dev_info_t *dip, ddi_info_cmd_t cmd, void *arg, void **result) 174 { 175 switch (cmd) { 176 case DDI_INFO_DEVT2DEVINFO: 177 *result = kssl_dip; 178 return (DDI_SUCCESS); 179 180 case DDI_INFO_DEVT2INSTANCE: 181 *result = (void *)0; 182 return (DDI_SUCCESS); 183 } 184 return (DDI_FAILURE); 185 } 186 187 static int 188 kssl_attach(dev_info_t *dip, ddi_attach_cmd_t cmd) 189 { 190 if (cmd != DDI_ATTACH) { 191 return (DDI_FAILURE); 192 } 193 194 if (ddi_get_instance(dip) != 0) { 195 /* we only allow instance 0 to attach */ 196 return (DDI_FAILURE); 197 } 198 199 /* create the minor node */ 200 if (ddi_create_minor_node(dip, "kssl", S_IFCHR, 0, DDI_PSEUDO, 0) != 201 DDI_SUCCESS) { 202 cmn_err(CE_WARN, "kssl_attach: failed creating minor node"); 203 ddi_remove_minor_node(dip, NULL); 204 return (DDI_FAILURE); 205 } 206 207 kssl_dip = dip; 208 209 kssl_global_init(); 210 211 return (DDI_SUCCESS); 212 } 213 214 static kstat_t *kssl_ksp = NULL; 215 216 static int 217 kssl_detach(dev_info_t *dip, ddi_detach_cmd_t cmd) 218 { 219 if (cmd != DDI_DETACH) 220 return (DDI_FAILURE); 221 222 if (kssl_entry_tab_nentries != 0 || kssl_cache_count != 0) 223 return (DDI_FAILURE); 224 225 mutex_destroy(&kssl_tab_mutex); 226 kssl_dip = NULL; 227 228 if (kssl_cache != NULL) { 229 kmem_cache_destroy(kssl_cache); 230 kssl_cache = NULL; 231 } 232 233 if (kssl_ksp != NULL) { 234 kstat_delete(kssl_ksp); 235 kssl_ksp = NULL; 236 } 237 238 ddi_remove_minor_node(dip, NULL); 239 240 return (DDI_SUCCESS); 241 } 242 243 static crypto_notify_handle_t prov_update_handle = NULL; 244 245 /* ARGSUSED */ 246 static int 247 kssl_open(dev_t *devp, int flag, int otyp, cred_t *credp) 248 { 249 if (otyp != OTYP_CHR) 250 return (ENXIO); 251 252 if (kssl_dip == NULL) 253 return (ENXIO); 254 255 /* first time here? initialize everything */ 256 if (rsa_x509_mech.cm_type == CRYPTO_MECH_INVALID) { 257 kssl_init_mechs(); 258 prov_update_handle = crypto_notify_events( 259 kssl_event_callback, CRYPTO_EVENT_MECHS_CHANGED); 260 } 261 262 /* exclusive opens are not supported */ 263 if (flag & FEXCL) 264 return (ENOTSUP); 265 266 return (0); 267 } 268 269 /* ARGSUSED */ 270 static int 271 kssl_close(dev_t dev, int flag, int otyp, cred_t *credp) 272 { 273 return (0); 274 } 275 276 #define KSSL_MAX_KEYANDCERTS 80000 /* max 64K plus a little margin */ 277 278 /* ARGSUSED */ 279 static int 280 kssl_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *c, 281 int *rval) 282 { 283 int error = EINVAL; 284 285 #define ARG ((caddr_t)arg) 286 287 if (secpolicy_net_config(c, B_FALSE) != 0) { 288 return (EPERM); 289 } 290 291 switch (cmd) { 292 case KSSL_ADD_ENTRY: { 293 uint64_t len; 294 uint32_t ck_rv; 295 size_t off; 296 kssl_params_t *kssl_params; 297 298 off = offsetof(kssl_params_t, kssl_params_size); 299 if (copyin(ARG + off, &len, sizeof (len)) != 0) { 300 return (EFAULT); 301 } 302 303 if (len < sizeof (kssl_params_t) || 304 len > KSSL_MAX_KEYANDCERTS) { 305 return (EINVAL); 306 } 307 308 kssl_params = kmem_alloc(len, KM_SLEEP); 309 310 /* Get the whole structure and parameters in one move */ 311 if (copyin(ARG, kssl_params, len) != 0) { 312 kmem_free(kssl_params, len); 313 return (EFAULT); 314 } 315 error = kssl_add_entry(kssl_params); 316 if (audit_active) 317 audit_kssl(KSSL_ADD_ENTRY, kssl_params, error); 318 off = offsetof(kssl_params_t, kssl_token) + 319 offsetof(kssl_tokinfo_t, ck_rv); 320 ck_rv = kssl_params->kssl_token.ck_rv; 321 if (copyout(&ck_rv, ARG + off, sizeof (ck_rv)) != 0) { 322 error = EFAULT; 323 } 324 325 bzero(kssl_params, len); 326 kmem_free(kssl_params, len); 327 break; 328 } 329 case KSSL_DELETE_ENTRY: { 330 struct sockaddr_in server_addr; 331 332 if (copyin(ARG, &server_addr, sizeof (server_addr)) != 0) { 333 return (EFAULT); 334 } 335 336 error = kssl_delete_entry(&server_addr); 337 if (audit_active) 338 audit_kssl(KSSL_DELETE_ENTRY, &server_addr, error); 339 break; 340 } 341 } 342 343 return (error); 344 } 345 346 #define NUM_MECHS 7 347 mech_to_cipher_t mech_to_cipher_tab[NUM_MECHS] = { 348 {CRYPTO_MECH_INVALID, SUN_CKM_RSA_X_509, 349 {SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, 350 SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 351 TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, 352 SSL_RSA_WITH_NULL_SHA}}, 353 {CRYPTO_MECH_INVALID, SUN_CKM_MD5_HMAC, {SSL_RSA_WITH_RC4_128_MD5}}, 354 {CRYPTO_MECH_INVALID, SUN_CKM_SHA1_HMAC, 355 {SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA, 356 SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_NULL_SHA, 357 TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA}}, 358 {CRYPTO_MECH_INVALID, SUN_CKM_RC4, 359 {SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA}}, 360 {CRYPTO_MECH_INVALID, SUN_CKM_DES_CBC, {SSL_RSA_WITH_DES_CBC_SHA}}, 361 {CRYPTO_MECH_INVALID, SUN_CKM_DES3_CBC, 362 {SSL_RSA_WITH_3DES_EDE_CBC_SHA}}, 363 {CRYPTO_MECH_INVALID, SUN_CKM_AES_CBC, 364 {TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA}}, 365 }; 366 367 static void 368 kssl_init_mechs() 369 { 370 mech_to_cipher_tab[0].mech = rsa_x509_mech.cm_type = 371 crypto_mech2id(SUN_CKM_RSA_X_509); 372 mech_to_cipher_tab[1].mech = hmac_md5_mech.cm_type = 373 crypto_mech2id(SUN_CKM_MD5_HMAC); 374 mech_to_cipher_tab[2].mech = hmac_sha1_mech.cm_type = 375 crypto_mech2id(SUN_CKM_SHA1_HMAC); 376 377 mech_to_cipher_tab[3].mech = cipher_defs[cipher_rc4].mech_type = 378 crypto_mech2id(SUN_CKM_RC4); 379 mech_to_cipher_tab[4].mech = cipher_defs[cipher_des].mech_type = 380 crypto_mech2id(SUN_CKM_DES_CBC); 381 mech_to_cipher_tab[5].mech = cipher_defs[cipher_3des].mech_type = 382 crypto_mech2id(SUN_CKM_DES3_CBC); 383 mech_to_cipher_tab[6].mech = cipher_defs[cipher_aes128].mech_type = 384 cipher_defs[cipher_aes256].mech_type = 385 crypto_mech2id(SUN_CKM_AES_CBC); 386 } 387 388 static int 389 is_in_suites(uint16_t s, uint16_t *sarray) 390 { 391 int i; 392 393 for (i = 0; i < CIPHER_SUITE_COUNT; i++) { 394 if (s == sarray[i]) 395 return (1); 396 } 397 398 return (0); 399 } 400 401 static int 402 is_in_mechlist(char *name, crypto_mech_name_t *mechs, int count) 403 { 404 int i; 405 406 for (i = 0; i < count; i++) { 407 if (strncmp(name, mechs[i], CRYPTO_MAX_MECH_NAME) == 0) 408 return (1); 409 } 410 411 return (0); 412 } 413 414 /* 415 * Callback function invoked by the crypto framework when a provider's 416 * mechanism is available/unavailable. This callback updates entries in the 417 * kssl_entry_tab[] to make changes to the cipher suites of an entry 418 * which are affected by the mechansim. 419 */ 420 static void 421 kssl_event_callback(uint32_t event, void *event_arg) 422 { 423 int i, j; 424 int cnt, rcnt; 425 uint16_t s; 426 boolean_t changed; 427 crypto_mech_name_t *mechs; 428 uint_t mech_count; 429 mech_to_cipher_t *mc; 430 kssl_entry_t *old; 431 kssl_entry_t *new; 432 uint16_t tmp_suites[CIPHER_SUITE_COUNT]; 433 uint16_t dis_list[CIPHER_SUITE_COUNT]; 434 crypto_notify_event_change_t *prov_change = 435 (crypto_notify_event_change_t *)event_arg; 436 437 /* ignore events for which we didn't register */ 438 if (event != CRYPTO_EVENT_MECHS_CHANGED) { 439 return; 440 } 441 442 for (i = 0; i < NUM_MECHS; i++) { 443 mc = &(mech_to_cipher_tab[i]); 444 if (mc->mech == CRYPTO_MECH_INVALID) 445 continue; 446 447 /* 448 * Check if this crypto framework provider mechanism being 449 * added or removed affects us. 450 */ 451 if (strncmp(mc->name, prov_change->ec_mech_name, 452 CRYPTO_MAX_MECH_NAME) == 0) 453 break; 454 } 455 456 if (i == NUM_MECHS) 457 return; 458 459 mechs = crypto_get_mech_list(&mech_count, KM_SLEEP); 460 if (mechs == NULL) 461 return; 462 463 mutex_enter(&kssl_tab_mutex); 464 465 for (i = 0; i < kssl_entry_tab_size; i++) { 466 if ((old = kssl_entry_tab[i]) == NULL) 467 continue; 468 469 cnt = 0; 470 rcnt = 0; 471 changed = B_FALSE; 472 for (j = 0; j < CIPHER_SUITE_COUNT; j++) { 473 tmp_suites[j] = CIPHER_NOTSET; 474 dis_list[j] = CIPHER_NOTSET; 475 } 476 477 /* 478 * We start with the saved cipher suite list for the new entry. 479 * If a mechanism is disabled, resulting in a cipher suite being 480 * disabled now, we take it out from the list for the new entry. 481 * If a mechanism is enabled, resulting in a cipher suite being 482 * enabled now, we don't need to do any thing. 483 */ 484 if (!is_in_mechlist(mc->name, mechs, mech_count)) { 485 for (j = 0; j < CIPHER_SUITE_COUNT; j++) { 486 s = mc->kssl_suites[j]; 487 if (s == 0) 488 break; 489 if (is_in_suites(s, old->kssl_saved_Suites)) { 490 /* Disable this cipher suite */ 491 if (!is_in_suites(s, dis_list)) 492 dis_list[cnt++] = s; 493 } 494 } 495 } 496 497 for (j = 0; j < CIPHER_SUITE_COUNT; j++) { 498 s = old->kssl_saved_Suites[j]; 499 if (!is_in_suites(s, dis_list)) 500 tmp_suites[rcnt] = s; 501 502 if (!changed && 503 (tmp_suites[rcnt] != old->kssl_cipherSuites[rcnt])) 504 changed = B_TRUE; 505 rcnt++; 506 } 507 508 if (changed) { 509 new = kmem_zalloc(sizeof (kssl_entry_t), KM_NOSLEEP); 510 if (new == NULL) 511 continue; 512 513 *new = *old; /* Structure copy */ 514 old->ke_no_freeall = B_TRUE; 515 new->ke_refcnt = 0; 516 new->kssl_cipherSuites_nentries = rcnt; 517 for (j = 0; j < CIPHER_SUITE_COUNT; j++) 518 new->kssl_cipherSuites[j] = tmp_suites[j]; 519 520 KSSL_ENTRY_REFHOLD(new); 521 kssl_entry_tab[i] = new; 522 KSSL_ENTRY_REFRELE(old); 523 } 524 } 525 526 mutex_exit(&kssl_tab_mutex); 527 crypto_free_mech_list(mechs, mech_count); 528 } 529 530 531 kssl_stats_t *kssl_statp; 532 533 static void 534 kssl_global_init() 535 { 536 mutex_init(&kssl_tab_mutex, NULL, MUTEX_DRIVER, NULL); 537 538 kssl_cache = kmem_cache_create("kssl_cache", sizeof (ssl_t), 539 0, kssl_constructor, kssl_destructor, NULL, NULL, NULL, 0); 540 541 if ((kssl_ksp = kstat_create("kssl", 0, "kssl_stats", "crypto", 542 KSTAT_TYPE_NAMED, sizeof (kssl_stats_t) / sizeof (kstat_named_t), 543 KSTAT_FLAG_PERSISTENT)) != NULL) { 544 kssl_statp = kssl_ksp->ks_data; 545 546 kstat_named_init(&kssl_statp->sid_cache_lookups, 547 "kssl_sid_cache_lookups", KSTAT_DATA_UINT64); 548 kstat_named_init(&kssl_statp->sid_cache_hits, 549 "kssl_sid_cache_hits", KSTAT_DATA_UINT64); 550 kstat_named_init(&kssl_statp->sid_uncached, 551 "kssl_sid_uncached", KSTAT_DATA_UINT64); 552 553 kstat_named_init(&kssl_statp->full_handshakes, 554 "kssl_full_handshakes", KSTAT_DATA_UINT64); 555 kstat_named_init(&kssl_statp->resumed_sessions, 556 "kssl_resumed_sessions", KSTAT_DATA_UINT64); 557 kstat_named_init(&kssl_statp->fallback_connections, 558 "kssl_fallback_connections", KSTAT_DATA_UINT64); 559 kstat_named_init(&kssl_statp->proxy_fallback_failed, 560 "kssl_proxy_fallback_failed", KSTAT_DATA_UINT64); 561 kstat_named_init(&kssl_statp->appdata_record_ins, 562 "kssl_appdata_record_ins", KSTAT_DATA_UINT64); 563 kstat_named_init(&kssl_statp->appdata_record_outs, 564 "kssl_appdata_record_outs", KSTAT_DATA_UINT64); 565 566 kstat_named_init(&kssl_statp->alloc_fails, "kssl_alloc_fails", 567 KSTAT_DATA_UINT64); 568 kstat_named_init(&kssl_statp->fatal_alerts, 569 "kssl_fatal_alerts", KSTAT_DATA_UINT64); 570 kstat_named_init(&kssl_statp->warning_alerts, 571 "kssl_warning_alerts", KSTAT_DATA_UINT64); 572 kstat_named_init(&kssl_statp->no_suite_found, 573 "kssl_no_suite_found", KSTAT_DATA_UINT64); 574 kstat_named_init(&kssl_statp->compute_mac_failure, 575 "kssl_compute_mac_failure", KSTAT_DATA_UINT64); 576 kstat_named_init(&kssl_statp->verify_mac_failure, 577 "kssl_verify_mac_failure", KSTAT_DATA_UINT64); 578 kstat_named_init(&kssl_statp->record_decrypt_failure, 579 "kssl_record_decrypt_failure", KSTAT_DATA_UINT64); 580 kstat_named_init(&kssl_statp->bad_pre_master_secret, 581 "kssl_bad_pre_master_secret", KSTAT_DATA_UINT64); 582 kstat_named_init(&kssl_statp->internal_errors, 583 "kssl_internal_errors", KSTAT_DATA_UINT64); 584 585 kstat_install(kssl_ksp); 586 }; 587 } 588 589 /*ARGSUSED*/ 590 static int 591 kssl_constructor(void *buf, void *arg, int kmflags) 592 { 593 ssl_t *ssl = buf; 594 595 mutex_init(&ssl->kssl_lock, NULL, MUTEX_DEFAULT, NULL); 596 597 return (0); 598 } 599 600 /*ARGSUSED*/ 601 static void 602 kssl_destructor(void *buf, void *arg) 603 { 604 ssl_t *ssl = buf; 605 mutex_destroy(&ssl->kssl_lock); 606 } 607 608 /* 609 * Handler routine called by the crypto framework when a 610 * provider is unregistered or registered. We invalidate the 611 * private key handle if our provider is unregistered. We set 612 * a flag to reauthenticate if our provider came back. 613 */ 614 void 615 kssl_prov_evnt(uint32_t event, void *event_arg) 616 { 617 int i, rv; 618 kssl_entry_t *ep; 619 kssl_session_info_t *s; 620 crypto_provider_t prov; 621 crypto_provider_ext_info_t info; 622 623 if (event != CRYPTO_EVENT_PROVIDER_UNREGISTERED && 624 event != CRYPTO_EVENT_PROVIDER_REGISTERED) 625 return; 626 627 prov = (crypto_provider_t)event_arg; 628 if (event == CRYPTO_EVENT_PROVIDER_REGISTERED) { 629 rv = crypto_get_provinfo(prov, &info); 630 if (rv != CRYPTO_SUCCESS) 631 return; 632 } 633 634 mutex_enter(&kssl_tab_mutex); 635 636 for (i = 0; i < kssl_entry_tab_size; i++) { 637 if ((ep = kssl_entry_tab[i]) == NULL) 638 continue; 639 640 s = ep->ke_sessinfo; 641 DTRACE_PROBE1(kssl_entry_cycle, kssl_entry_t *, ep); 642 switch (event) { 643 case CRYPTO_EVENT_PROVIDER_UNREGISTERED: 644 if (s->is_valid_handle && s->prov == prov) { 645 s->is_valid_handle = B_FALSE; 646 crypto_release_provider(s->prov); 647 } 648 break; 649 650 case CRYPTO_EVENT_PROVIDER_REGISTERED: 651 if (s->is_valid_handle) 652 break; 653 if (bcmp(s->toklabel, info.ei_label, 654 CRYPTO_EXT_SIZE_LABEL) == 0) { 655 s->do_reauth = B_TRUE; 656 } 657 break; 658 } 659 } 660 661 mutex_exit(&kssl_tab_mutex); 662 } 663