xref: /titanic_52/usr/src/uts/common/inet/kssl/kssl.c (revision 69112edd987c28fa551d4f8d9362a84a45365f17)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 
27 /*
28  * The system call and DDI interface for the kernel SSL module
29  */
30 
31 #include <sys/types.h>
32 #include <sys/modctl.h>
33 #include <sys/conf.h>
34 #include <sys/stat.h>
35 #include <sys/ddi.h>
36 #include <sys/sunddi.h>
37 #include <sys/kmem.h>
38 #include <sys/errno.h>
39 #include <sys/file.h>
40 #include <sys/open.h>
41 #include <sys/cred.h>
42 #include <sys/proc.h>
43 #include <sys/task.h>
44 #include <sys/model.h>
45 #include <sys/sysmacros.h>
46 #include <sys/policy.h>
47 #include <sys/crypto/common.h>
48 #include <sys/crypto/api.h>
49 #include <c2/audit.h>
50 #include <sys/kstat.h>
51 
52 #include "kssl.h"
53 #include "ksslimpl.h"
54 
55 /*
56  * DDI entry points.
57  */
58 static int kssl_attach(dev_info_t *, ddi_attach_cmd_t);
59 static int kssl_detach(dev_info_t *, ddi_detach_cmd_t);
60 static int kssl_getinfo(dev_info_t *, ddi_info_cmd_t, void *, void **);
61 static int kssl_open(dev_t *, int, int, cred_t *);
62 static int kssl_close(dev_t, int, int, cred_t *);
63 static int kssl_ioctl(dev_t, int, intptr_t, int, cred_t *, int *);
64 
65 static int kssl_constructor(void *buf, void *arg, int kmflags);
66 static void kssl_destructor(void *buf, void *arg);
67 
68 /*
69  * Module linkage.
70  */
71 static struct cb_ops cbops = {
72 	kssl_open,		/* cb_open */
73 	kssl_close,		/* cb_close */
74 	nodev,			/* cb_strategy */
75 	nodev,			/* cb_print */
76 	nodev,			/* cb_dump */
77 	nodev,			/* cb_read */
78 	nodev,			/* cb_write */
79 	kssl_ioctl,		/* cb_ioctl */
80 	nodev,			/* cb_devmap */
81 	nodev,			/* cb_mmap */
82 	nodev,			/* cb_segmap */
83 	nochpoll,		/* cb_chpoll */
84 	ddi_prop_op,		/* cb_prop_op */
85 	NULL,			/* cb_streamtab */
86 	D_MP,			/* cb_flag */
87 	CB_REV,			/* cb_rev */
88 	nodev,			/* cb_aread */
89 	nodev,			/* cb_awrite */
90 };
91 
92 static struct dev_ops devops = {
93 	DEVO_REV,		/* devo_rev */
94 	0,			/* devo_refcnt */
95 	kssl_getinfo,		/* devo_getinfo */
96 	nulldev,		/* devo_identify */
97 	nulldev,		/* devo_probe */
98 	kssl_attach,		/* devo_attach */
99 	kssl_detach,		/* devo_detach */
100 	nodev,			/* devo_reset */
101 	&cbops,			/* devo_cb_ops */
102 	NULL,			/* devo_bus_ops */
103 	NULL,			/* devo_power */
104 	ddi_quiesce_not_needed,		/* devo_quiesce */
105 };
106 
107 static struct modldrv modldrv = {
108 	&mod_driverops,		/* drv_modops */
109 	"Kernel SSL Interface",	/* drv_linkinfo */
110 	&devops,
111 };
112 
113 static struct modlinkage modlinkage = {
114 	MODREV_1,		/* ml_rev */
115 	&modldrv,		/* ml_linkage */
116 	NULL
117 };
118 
119 static dev_info_t *kssl_dip = NULL;
120 
121 crypto_mechanism_t rsa_x509_mech = {CRYPTO_MECH_INVALID, NULL, 0};
122 crypto_mechanism_t hmac_md5_mech = {CRYPTO_MECH_INVALID, NULL, 0};
123 crypto_mechanism_t hmac_sha1_mech = {CRYPTO_MECH_INVALID, NULL, 0};
124 crypto_call_flag_t kssl_call_flag = CRYPTO_ALWAYS_QUEUE;
125 
126 KSSLCipherDef cipher_defs[] = { /* indexed by SSL3BulkCipher */
127 	/* type bsize keysz crypto_mech_type_t */
128 
129 	{type_stream, 0, 0, CRYPTO_MECH_INVALID},
130 
131 	/* mech_type to be initialized with CKM_RC4's */
132 	{type_stream, 0, 16, CRYPTO_MECH_INVALID},
133 
134 	/* mech_type to be initialized with CKM_DES_CBC's */
135 	{type_block, 8, 8, CRYPTO_MECH_INVALID},
136 
137 	/* mech_type to be initialized with CKM_DES3_CBC's */
138 	{type_block, 8, 24, CRYPTO_MECH_INVALID},
139 
140 	/* mech_type to be initialized with CKM_AES_CBC with 128-bit key  */
141 	{type_block, 16, 16, CRYPTO_MECH_INVALID},
142 
143 	/* mech_type to be initialized with CKM_AES_CBC with 256-bit key  */
144 	{type_block, 16, 32, CRYPTO_MECH_INVALID},
145 };
146 
147 struct kmem_cache *kssl_cache;
148 
149 static void kssl_global_init();
150 static void kssl_init_mechs();
151 static void kssl_event_callback(uint32_t, void *);
152 
153 /*
154  * DDI entry points.
155  */
156 int
157 _init(void)
158 {
159 	return (mod_install(&modlinkage));
160 }
161 
162 int
163 _info(struct modinfo *modinfop)
164 {
165 	return (mod_info(&modlinkage, modinfop));
166 }
167 
168 /* ARGSUSED */
169 static int
170 kssl_getinfo(dev_info_t *dip, ddi_info_cmd_t cmd, void *arg, void **result)
171 {
172 	switch (cmd) {
173 	case DDI_INFO_DEVT2DEVINFO:
174 		*result = kssl_dip;
175 		return (DDI_SUCCESS);
176 
177 	case DDI_INFO_DEVT2INSTANCE:
178 		*result = (void *)0;
179 		return (DDI_SUCCESS);
180 	}
181 	return (DDI_FAILURE);
182 }
183 
184 static int
185 kssl_attach(dev_info_t *dip, ddi_attach_cmd_t cmd)
186 {
187 	if (cmd != DDI_ATTACH) {
188 		return (DDI_FAILURE);
189 	}
190 
191 	if (ddi_get_instance(dip) != 0) {
192 		/* we only allow instance 0 to attach */
193 		return (DDI_FAILURE);
194 	}
195 
196 	/* create the minor node */
197 	if (ddi_create_minor_node(dip, "kssl", S_IFCHR, 0, DDI_PSEUDO, 0) !=
198 	    DDI_SUCCESS) {
199 		cmn_err(CE_WARN, "kssl_attach: failed creating minor node");
200 		ddi_remove_minor_node(dip, NULL);
201 		return (DDI_FAILURE);
202 	}
203 
204 	kssl_dip = dip;
205 
206 	kssl_global_init();
207 
208 	return (DDI_SUCCESS);
209 }
210 
211 static kstat_t *kssl_ksp = NULL;
212 
213 static int
214 kssl_detach(dev_info_t *dip, ddi_detach_cmd_t cmd)
215 {
216 	if (cmd != DDI_DETACH)
217 		return (DDI_FAILURE);
218 
219 	if (kssl_entry_tab_nentries != 0 || kssl_cache_count != 0)
220 		return (DDI_FAILURE);
221 
222 	mutex_destroy(&kssl_tab_mutex);
223 	kssl_dip = NULL;
224 
225 	if (kssl_cache != NULL) {
226 		kmem_cache_destroy(kssl_cache);
227 		kssl_cache = NULL;
228 	}
229 
230 	if (kssl_ksp != NULL) {
231 		kstat_delete(kssl_ksp);
232 		kssl_ksp = NULL;
233 	}
234 
235 	ddi_remove_minor_node(dip, NULL);
236 
237 	return (DDI_SUCCESS);
238 }
239 
240 static crypto_notify_handle_t prov_update_handle = NULL;
241 
242 /* ARGSUSED */
243 static int
244 kssl_open(dev_t *devp, int flag, int otyp, cred_t *credp)
245 {
246 	if (otyp != OTYP_CHR)
247 		return (ENXIO);
248 
249 	if (kssl_dip == NULL)
250 		return (ENXIO);
251 
252 	/* first time here? initialize everything */
253 	if (rsa_x509_mech.cm_type == CRYPTO_MECH_INVALID) {
254 		kssl_init_mechs();
255 		prov_update_handle = crypto_notify_events(
256 		    kssl_event_callback, CRYPTO_EVENT_MECHS_CHANGED);
257 	}
258 
259 	/* exclusive opens are not supported */
260 	if (flag & FEXCL)
261 		return (ENOTSUP);
262 
263 	return (0);
264 }
265 
266 /* ARGSUSED */
267 static int
268 kssl_close(dev_t dev, int flag, int otyp, cred_t *credp)
269 {
270 	return (0);
271 }
272 
273 #define	KSSL_MAX_KEYANDCERTS	80000	/* max 64K plus a little margin */
274 
275 /* ARGSUSED */
276 static int
277 kssl_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *c,
278     int *rval)
279 {
280 	int error = EINVAL;
281 
282 #define	ARG	((caddr_t)arg)
283 
284 	if (secpolicy_net_config(c, B_FALSE) != 0) {
285 		return (EPERM);
286 	}
287 
288 	switch (cmd) {
289 	case KSSL_ADD_ENTRY: {
290 		uint64_t len;
291 		uint32_t ck_rv;
292 		size_t off;
293 		kssl_params_t *kssl_params;
294 
295 		off = offsetof(kssl_params_t, kssl_params_size);
296 		if (copyin(ARG + off, &len, sizeof (len)) != 0) {
297 			return (EFAULT);
298 		}
299 
300 		if (len < sizeof (kssl_params_t) ||
301 		    len > KSSL_MAX_KEYANDCERTS) {
302 			return (EINVAL);
303 		}
304 
305 		kssl_params = kmem_alloc(len, KM_SLEEP);
306 
307 		/* Get the whole structure and parameters in one move */
308 		if (copyin(ARG, kssl_params, len) != 0) {
309 			kmem_free(kssl_params, len);
310 			return (EFAULT);
311 		}
312 		error = kssl_add_entry(kssl_params);
313 	if (audit_active)
314 		audit_kssl(KSSL_ADD_ENTRY, kssl_params, error);
315 		off = offsetof(kssl_params_t, kssl_token) +
316 		    offsetof(kssl_tokinfo_t, ck_rv);
317 		ck_rv = kssl_params->kssl_token.ck_rv;
318 		if (copyout(&ck_rv, ARG + off, sizeof (ck_rv)) != 0) {
319 			error = EFAULT;
320 		}
321 
322 		bzero(kssl_params, len);
323 		kmem_free(kssl_params, len);
324 		break;
325 	}
326 	case KSSL_DELETE_ENTRY: {
327 		struct sockaddr_in6 server_addr;
328 
329 		if (copyin(ARG, &server_addr, sizeof (server_addr)) != 0) {
330 			return (EFAULT);
331 		}
332 
333 		error = kssl_delete_entry(&server_addr);
334 	if (audit_active)
335 		audit_kssl(KSSL_DELETE_ENTRY, &server_addr, error);
336 		break;
337 	}
338 	}
339 
340 	return (error);
341 }
342 
343 #define	NUM_MECHS	7
344 static mech_to_cipher_t mech_to_cipher_tab[NUM_MECHS] = {
345 	{CRYPTO_MECH_INVALID, SUN_CKM_RSA_X_509,
346 	    {SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
347 	    SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
348 	    TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
349 	    SSL_RSA_WITH_NULL_SHA}},
350 	{CRYPTO_MECH_INVALID, SUN_CKM_MD5_HMAC, {SSL_RSA_WITH_RC4_128_MD5}},
351 	{CRYPTO_MECH_INVALID, SUN_CKM_SHA1_HMAC,
352 	    {SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA,
353 	    SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_NULL_SHA,
354 	    TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA}},
355 	{CRYPTO_MECH_INVALID, SUN_CKM_RC4,
356 	    {SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA}},
357 	{CRYPTO_MECH_INVALID, SUN_CKM_DES_CBC, {SSL_RSA_WITH_DES_CBC_SHA}},
358 	{CRYPTO_MECH_INVALID, SUN_CKM_DES3_CBC,
359 	    {SSL_RSA_WITH_3DES_EDE_CBC_SHA}},
360 	{CRYPTO_MECH_INVALID, SUN_CKM_AES_CBC,
361 	    {TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA}},
362 };
363 
364 static void
365 kssl_init_mechs()
366 {
367 	mech_to_cipher_tab[0].mech = rsa_x509_mech.cm_type =
368 	    crypto_mech2id(SUN_CKM_RSA_X_509);
369 	mech_to_cipher_tab[1].mech = hmac_md5_mech.cm_type =
370 	    crypto_mech2id(SUN_CKM_MD5_HMAC);
371 	mech_to_cipher_tab[2].mech = hmac_sha1_mech.cm_type =
372 	    crypto_mech2id(SUN_CKM_SHA1_HMAC);
373 
374 	mech_to_cipher_tab[3].mech = cipher_defs[cipher_rc4].mech_type =
375 	    crypto_mech2id(SUN_CKM_RC4);
376 	mech_to_cipher_tab[4].mech = cipher_defs[cipher_des].mech_type =
377 	    crypto_mech2id(SUN_CKM_DES_CBC);
378 	mech_to_cipher_tab[5].mech = cipher_defs[cipher_3des].mech_type =
379 	    crypto_mech2id(SUN_CKM_DES3_CBC);
380 	mech_to_cipher_tab[6].mech = cipher_defs[cipher_aes128].mech_type =
381 	    cipher_defs[cipher_aes256].mech_type =
382 	    crypto_mech2id(SUN_CKM_AES_CBC);
383 }
384 
385 static int
386 is_in_suites(uint16_t s, uint16_t *sarray)
387 {
388 	int i;
389 
390 	for (i = 0; i < CIPHER_SUITE_COUNT; i++) {
391 		if (s == sarray[i])
392 			return (1);
393 	}
394 
395 	return (0);
396 }
397 
398 static int
399 is_in_mechlist(char *name, crypto_mech_name_t *mechs, int count)
400 {
401 	int i;
402 
403 	for (i = 0; i < count; i++) {
404 		if (strncmp(name, mechs[i], CRYPTO_MAX_MECH_NAME) == 0)
405 			return (1);
406 	}
407 
408 	return (0);
409 }
410 
411 /*
412  * Callback function invoked by the crypto framework when a provider's
413  * mechanism is available/unavailable. This callback updates entries in the
414  * kssl_entry_tab[] to make changes to the cipher suites of an entry
415  * which are affected by the mechanism.
416  */
417 static void
418 kssl_event_callback(uint32_t event, void *event_arg)
419 {
420 	int i, j;
421 	int cnt, rcnt;
422 	uint16_t s;
423 	boolean_t changed;
424 	crypto_mech_name_t *mechs;
425 	uint_t mech_count;
426 	mech_to_cipher_t *mc;
427 	kssl_entry_t *old;
428 	kssl_entry_t *new;
429 	uint16_t tmp_suites[CIPHER_SUITE_COUNT];
430 	uint16_t dis_list[CIPHER_SUITE_COUNT];
431 	crypto_notify_event_change_t *prov_change =
432 	    (crypto_notify_event_change_t *)event_arg;
433 
434 	/* ignore events for which we didn't register */
435 	if (event != CRYPTO_EVENT_MECHS_CHANGED) {
436 		return;
437 	}
438 
439 	for (i = 0; i < NUM_MECHS; i++) {
440 		mc = &(mech_to_cipher_tab[i]);
441 		if (mc->mech == CRYPTO_MECH_INVALID)
442 			continue;
443 
444 		/*
445 		 * Check if this crypto framework provider mechanism being
446 		 * added or removed affects us.
447 		 */
448 		if (strncmp(mc->name, prov_change->ec_mech_name,
449 		    CRYPTO_MAX_MECH_NAME) == 0)
450 			break;
451 	}
452 
453 	if (i == NUM_MECHS)
454 		return;
455 
456 	mechs = crypto_get_mech_list(&mech_count, KM_SLEEP);
457 	if (mechs == NULL)
458 		return;
459 
460 	mutex_enter(&kssl_tab_mutex);
461 
462 	for (i = 0; i < kssl_entry_tab_size; i++) {
463 		if ((old = kssl_entry_tab[i]) == NULL)
464 			continue;
465 
466 		cnt = 0;
467 		rcnt = 0;
468 		changed = B_FALSE;
469 		for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
470 			tmp_suites[j] = CIPHER_NOTSET;
471 			dis_list[j] = CIPHER_NOTSET;
472 		}
473 
474 		/*
475 		 * We start with the saved cipher suite list for the new entry.
476 		 * If a mechanism is disabled, resulting in a cipher suite being
477 		 * disabled now, we take it out from the list for the new entry.
478 		 * If a mechanism is enabled, resulting in a cipher suite being
479 		 * enabled now, we don't need to do any thing.
480 		 */
481 		if (!is_in_mechlist(mc->name, mechs, mech_count)) {
482 			for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
483 				s = mc->kssl_suites[j];
484 				if (s == 0)
485 					break;
486 				if (is_in_suites(s, old->kssl_saved_Suites)) {
487 					/* Disable this cipher suite */
488 					if (!is_in_suites(s, dis_list))
489 						dis_list[cnt++] = s;
490 				}
491 			}
492 		}
493 
494 		for (j = 0; j < CIPHER_SUITE_COUNT; j++) {
495 			s = old->kssl_saved_Suites[j];
496 			if (!is_in_suites(s, dis_list))
497 				tmp_suites[rcnt] = s;
498 
499 			if (!changed &&
500 			    (tmp_suites[rcnt] != old->kssl_cipherSuites[rcnt]))
501 				changed = B_TRUE;
502 			rcnt++;
503 		}
504 
505 		if (changed) {
506 			new = kmem_zalloc(sizeof (kssl_entry_t), KM_NOSLEEP);
507 			if (new == NULL)
508 				continue;
509 
510 			*new = *old;		/* Structure copy */
511 			old->ke_no_freeall = B_TRUE;
512 			new->ke_refcnt = 0;
513 			new->kssl_cipherSuites_nentries = rcnt;
514 			for (j = 0; j < CIPHER_SUITE_COUNT; j++)
515 				new->kssl_cipherSuites[j] = tmp_suites[j];
516 
517 			KSSL_ENTRY_REFHOLD(new);
518 			kssl_entry_tab[i] = new;
519 			KSSL_ENTRY_REFRELE(old);
520 		}
521 	}
522 
523 	mutex_exit(&kssl_tab_mutex);
524 	crypto_free_mech_list(mechs, mech_count);
525 }
526 
527 
528 kssl_stats_t *kssl_statp;
529 
530 static void
531 kssl_global_init()
532 {
533 	mutex_init(&kssl_tab_mutex, NULL, MUTEX_DRIVER, NULL);
534 
535 	kssl_cache = kmem_cache_create("kssl_cache", sizeof (ssl_t),
536 	    0, kssl_constructor, kssl_destructor, NULL, NULL, NULL, 0);
537 
538 	if ((kssl_ksp = kstat_create("kssl", 0, "kssl_stats", "crypto",
539 	    KSTAT_TYPE_NAMED, sizeof (kssl_stats_t) / sizeof (kstat_named_t),
540 	    KSTAT_FLAG_PERSISTENT)) != NULL) {
541 		kssl_statp = kssl_ksp->ks_data;
542 
543 		kstat_named_init(&kssl_statp->sid_cache_lookups,
544 		    "kssl_sid_cache_lookups", KSTAT_DATA_UINT64);
545 		kstat_named_init(&kssl_statp->sid_cache_hits,
546 		    "kssl_sid_cache_hits", KSTAT_DATA_UINT64);
547 		kstat_named_init(&kssl_statp->sid_cached,
548 		    "kssl_sid_cached", KSTAT_DATA_UINT64);
549 		kstat_named_init(&kssl_statp->sid_uncached,
550 		    "kssl_sid_uncached", KSTAT_DATA_UINT64);
551 
552 		kstat_named_init(&kssl_statp->full_handshakes,
553 		    "kssl_full_handshakes", KSTAT_DATA_UINT64);
554 		kstat_named_init(&kssl_statp->resumed_sessions,
555 		    "kssl_resumed_sessions", KSTAT_DATA_UINT64);
556 		kstat_named_init(&kssl_statp->fallback_connections,
557 		    "kssl_fallback_connections", KSTAT_DATA_UINT64);
558 		kstat_named_init(&kssl_statp->proxy_fallback_failed,
559 		    "kssl_proxy_fallback_failed", KSTAT_DATA_UINT64);
560 		kstat_named_init(&kssl_statp->appdata_record_ins,
561 		    "kssl_appdata_record_ins", KSTAT_DATA_UINT64);
562 		kstat_named_init(&kssl_statp->appdata_record_outs,
563 		    "kssl_appdata_record_outs", KSTAT_DATA_UINT64);
564 
565 		kstat_named_init(&kssl_statp->alloc_fails, "kssl_alloc_fails",
566 		    KSTAT_DATA_UINT64);
567 		kstat_named_init(&kssl_statp->fatal_alerts,
568 		    "kssl_fatal_alerts", KSTAT_DATA_UINT64);
569 		kstat_named_init(&kssl_statp->warning_alerts,
570 		    "kssl_warning_alerts", KSTAT_DATA_UINT64);
571 		kstat_named_init(&kssl_statp->no_suite_found,
572 		    "kssl_no_suite_found", KSTAT_DATA_UINT64);
573 		kstat_named_init(&kssl_statp->compute_mac_failure,
574 		    "kssl_compute_mac_failure", KSTAT_DATA_UINT64);
575 		kstat_named_init(&kssl_statp->verify_mac_failure,
576 		    "kssl_verify_mac_failure", KSTAT_DATA_UINT64);
577 		kstat_named_init(&kssl_statp->record_decrypt_failure,
578 		    "kssl_record_decrypt_failure", KSTAT_DATA_UINT64);
579 		kstat_named_init(&kssl_statp->bad_pre_master_secret,
580 		    "kssl_bad_pre_master_secret", KSTAT_DATA_UINT64);
581 		kstat_named_init(&kssl_statp->internal_errors,
582 		    "kssl_internal_errors", KSTAT_DATA_UINT64);
583 
584 		kstat_install(kssl_ksp);
585 	};
586 }
587 
588 /*ARGSUSED*/
589 static int
590 kssl_constructor(void *buf, void *arg, int kmflags)
591 {
592 	ssl_t *ssl = buf;
593 
594 	mutex_init(&ssl->kssl_lock, NULL, MUTEX_DEFAULT, NULL);
595 
596 	return (0);
597 }
598 
599 /*ARGSUSED*/
600 static void
601 kssl_destructor(void *buf, void *arg)
602 {
603 	ssl_t *ssl = buf;
604 	mutex_destroy(&ssl->kssl_lock);
605 }
606 
607 /*
608  * Handler routine called by the crypto framework when a
609  * provider is unregistered or registered. We invalidate the
610  * private key handle if our provider is unregistered. We set
611  * a flag to reauthenticate if our provider came back.
612  */
613 void
614 kssl_prov_evnt(uint32_t event, void *event_arg)
615 {
616 	int i, rv;
617 	kssl_entry_t *ep;
618 	kssl_session_info_t *s;
619 	crypto_provider_t prov;
620 	crypto_provider_ext_info_t info;
621 
622 	if (event != CRYPTO_EVENT_PROVIDER_UNREGISTERED &&
623 	    event != CRYPTO_EVENT_PROVIDER_REGISTERED)
624 		return;
625 
626 	prov = (crypto_provider_t)event_arg;
627 	if (event == CRYPTO_EVENT_PROVIDER_REGISTERED) {
628 		rv = crypto_get_provinfo(prov, &info);
629 		if (rv != CRYPTO_SUCCESS)
630 			return;
631 	}
632 
633 	mutex_enter(&kssl_tab_mutex);
634 
635 	for (i = 0; i < kssl_entry_tab_size; i++) {
636 		if ((ep = kssl_entry_tab[i]) == NULL)
637 			continue;
638 
639 		s = ep->ke_sessinfo;
640 		DTRACE_PROBE1(kssl_entry_cycle, kssl_entry_t *, ep);
641 		switch (event) {
642 		case CRYPTO_EVENT_PROVIDER_UNREGISTERED:
643 			if (s->is_valid_handle && s->prov == prov) {
644 				s->is_valid_handle = B_FALSE;
645 				crypto_release_provider(s->prov);
646 			}
647 			break;
648 
649 		case CRYPTO_EVENT_PROVIDER_REGISTERED:
650 			if (s->is_valid_handle)
651 				break;
652 			if (bcmp(s->toklabel, info.ei_label,
653 			    CRYPTO_EXT_SIZE_LABEL) == 0) {
654 				s->do_reauth = B_TRUE;
655 			}
656 			break;
657 		}
658 	}
659 
660 	mutex_exit(&kssl_tab_mutex);
661 }
662