]>
Commit | Line | Data |
---|---|---|
86e3c28a CIK |
1 | /* |
2 | * CDDL HEADER START | |
3 | * | |
4 | * The contents of this file are subject to the terms of the | |
5 | * Common Development and Distribution License (the "License"). | |
6 | * You may not use this file except in compliance with the License. | |
7 | * | |
8 | * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE | |
9 | * or http://www.opensolaris.org/os/licensing. | |
10 | * See the License for the specific language governing permissions | |
11 | * and limitations under the License. | |
12 | * | |
13 | * When distributing Covered Code, include this CDDL HEADER in each | |
14 | * file and include the License file at usr/src/OPENSOLARIS.LICENSE. | |
15 | * If applicable, add the following below this CDDL HEADER, with the | |
16 | * fields enclosed by brackets "[]" replaced with your own identifying | |
17 | * information: Portions Copyright [yyyy] [name of copyright owner] | |
18 | * | |
19 | * CDDL HEADER END | |
20 | */ | |
21 | /* | |
22 | * Copyright 2009 Sun Microsystems, Inc. All rights reserved. | |
23 | * Use is subject to license terms. | |
24 | */ | |
25 | ||
26 | #ifndef _SYS_CRYPTO_IMPL_H | |
27 | #define _SYS_CRYPTO_IMPL_H | |
28 | ||
29 | /* | |
30 | * Kernel Cryptographic Framework private implementation definitions. | |
31 | */ | |
32 | ||
33 | #include <sys/zfs_context.h> | |
34 | #include <sys/crypto/common.h> | |
35 | #include <sys/crypto/api.h> | |
36 | #include <sys/crypto/spi.h> | |
37 | #include <sys/crypto/ioctl.h> | |
38 | ||
39 | #ifdef __cplusplus | |
40 | extern "C" { | |
41 | #endif | |
42 | ||
43 | #define KCF_MODULE "kcf" | |
44 | ||
45 | /* | |
46 | * Prefixes convention: structures internal to the kernel cryptographic | |
47 | * framework start with 'kcf_'. Exposed structure start with 'crypto_'. | |
48 | */ | |
49 | ||
50 | /* Provider stats. Not protected. */ | |
51 | typedef struct kcf_prov_stats { | |
52 | kstat_named_t ps_ops_total; | |
53 | kstat_named_t ps_ops_passed; | |
54 | kstat_named_t ps_ops_failed; | |
55 | kstat_named_t ps_ops_busy_rval; | |
56 | } kcf_prov_stats_t; | |
57 | ||
58 | /* Various kcf stats. Not protected. */ | |
59 | typedef struct kcf_stats { | |
60 | kstat_named_t ks_thrs_in_pool; | |
61 | kstat_named_t ks_idle_thrs; | |
62 | kstat_named_t ks_minthrs; | |
63 | kstat_named_t ks_maxthrs; | |
64 | kstat_named_t ks_swq_njobs; | |
65 | kstat_named_t ks_swq_maxjobs; | |
66 | kstat_named_t ks_taskq_threads; | |
67 | kstat_named_t ks_taskq_minalloc; | |
68 | kstat_named_t ks_taskq_maxalloc; | |
69 | } kcf_stats_t; | |
70 | ||
71 | /* | |
72 | * Keep all the information needed by the scheduler from | |
73 | * this provider. | |
74 | */ | |
75 | typedef struct kcf_sched_info { | |
76 | /* The number of operations dispatched. */ | |
77 | uint64_t ks_ndispatches; | |
78 | ||
79 | /* The number of operations that failed. */ | |
80 | uint64_t ks_nfails; | |
81 | ||
82 | /* The number of operations that returned CRYPTO_BUSY. */ | |
83 | uint64_t ks_nbusy_rval; | |
84 | ||
85 | /* taskq used to dispatch crypto requests */ | |
86 | taskq_t *ks_taskq; | |
87 | } kcf_sched_info_t; | |
88 | ||
89 | /* | |
90 | * pd_irefcnt approximates the number of inflight requests to the | |
91 | * provider. Though we increment this counter during registration for | |
92 | * other purposes, that base value is mostly same across all providers. | |
93 | * So, it is a good measure of the load on a provider when it is not | |
94 | * in a busy state. Once a provider notifies it is busy, requests | |
95 | * backup in the taskq. So, we use tq_nalloc in that case which gives | |
96 | * the number of task entries in the task queue. Note that we do not | |
97 | * acquire any locks here as it is not critical to get the exact number | |
98 | * and the lock contention may be too costly for this code path. | |
99 | */ | |
100 | #define KCF_PROV_LOAD(pd) ((pd)->pd_state != KCF_PROV_BUSY ? \ | |
101 | (pd)->pd_irefcnt : (pd)->pd_sched_info.ks_taskq->tq_nalloc) | |
102 | ||
103 | #define KCF_PROV_INCRSTATS(pd, error) { \ | |
104 | (pd)->pd_sched_info.ks_ndispatches++; \ | |
105 | if (error == CRYPTO_BUSY) \ | |
106 | (pd)->pd_sched_info.ks_nbusy_rval++; \ | |
107 | else if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED) \ | |
108 | (pd)->pd_sched_info.ks_nfails++; \ | |
109 | } | |
110 | ||
111 | ||
112 | /* | |
113 | * The following two macros should be | |
114 | * #define KCF_OPS_CLASSSIZE (KCF_LAST_OPSCLASS - KCF_FIRST_OPSCLASS + 2) | |
115 | * #define KCF_MAXMECHTAB KCF_MAXCIPHER | |
116 | * | |
117 | * However, doing that would involve reorganizing the header file a bit. | |
118 | * When impl.h is broken up (bug# 4703218), this will be done. For now, | |
119 | * we hardcode these values. | |
120 | */ | |
121 | #define KCF_OPS_CLASSSIZE 8 | |
122 | #define KCF_MAXMECHTAB 32 | |
123 | ||
124 | /* | |
125 | * Valid values for the state of a provider. The order of | |
126 | * the elements is important. | |
127 | * | |
128 | * Routines which get a provider or the list of providers | |
129 | * should pick only those that are either in KCF_PROV_READY state | |
130 | * or in KCF_PROV_BUSY state. | |
131 | */ | |
132 | typedef enum { | |
133 | KCF_PROV_ALLOCATED = 1, | |
134 | KCF_PROV_UNVERIFIED, | |
135 | KCF_PROV_VERIFICATION_FAILED, | |
136 | /* | |
137 | * state < KCF_PROV_READY means the provider can not | |
138 | * be used at all. | |
139 | */ | |
140 | KCF_PROV_READY, | |
141 | KCF_PROV_BUSY, | |
142 | /* | |
143 | * state > KCF_PROV_BUSY means the provider can not | |
144 | * be used for new requests. | |
145 | */ | |
146 | KCF_PROV_FAILED, | |
147 | /* | |
148 | * Threads setting the following two states should do so only | |
149 | * if the current state < KCF_PROV_DISABLED. | |
150 | */ | |
151 | KCF_PROV_DISABLED, | |
152 | KCF_PROV_REMOVED, | |
153 | KCF_PROV_FREED | |
154 | } kcf_prov_state_t; | |
155 | ||
156 | #define KCF_IS_PROV_UNVERIFIED(pd) ((pd)->pd_state == KCF_PROV_UNVERIFIED) | |
157 | #define KCF_IS_PROV_USABLE(pd) ((pd)->pd_state == KCF_PROV_READY || \ | |
158 | (pd)->pd_state == KCF_PROV_BUSY) | |
159 | #define KCF_IS_PROV_REMOVED(pd) ((pd)->pd_state >= KCF_PROV_REMOVED) | |
160 | ||
161 | /* Internal flags valid for pd_flags field */ | |
162 | #define KCF_PROV_RESTRICTED 0x40000000 | |
163 | #define KCF_LPROV_MEMBER 0x80000000 /* is member of a logical provider */ | |
164 | ||
165 | /* | |
166 | * A provider descriptor structure. There is one such structure per | |
167 | * provider. It is allocated and initialized at registration time and | |
168 | * freed when the provider unregisters. | |
169 | * | |
170 | * pd_prov_type: Provider type, hardware or software | |
171 | * pd_sid: Session ID of the provider used by kernel clients. | |
172 | * This is valid only for session-oriented providers. | |
173 | * pd_refcnt: Reference counter to this provider descriptor | |
174 | * pd_irefcnt: References held by the framework internal structs | |
175 | * pd_lock: lock protects pd_state and pd_provider_list | |
176 | * pd_state: State value of the provider | |
177 | * pd_provider_list: Used to cross-reference logical providers and their | |
178 | * members. Not used for software providers. | |
179 | * pd_resume_cv: cv to wait for state to change from KCF_PROV_BUSY | |
180 | * pd_prov_handle: Provider handle specified by provider | |
181 | * pd_ops_vector: The ops vector specified by Provider | |
182 | * pd_mech_indx: Lookup table which maps a core framework mechanism | |
183 | * number to an index in pd_mechanisms array | |
184 | * pd_mechanisms: Array of mechanisms supported by the provider, specified | |
185 | * by the provider during registration | |
186 | * pd_sched_info: Scheduling information associated with the provider | |
187 | * pd_mech_list_count: The number of entries in pi_mechanisms, specified | |
188 | * by the provider during registration | |
189 | * pd_name: Device name or module name | |
190 | * pd_instance: Device instance | |
191 | * pd_module_id: Module ID returned by modload | |
192 | * pd_mctlp: Pointer to modctl structure for this provider | |
193 | * pd_remove_cv: cv to wait on while the provider queue drains | |
194 | * pd_description: Provider description string | |
195 | * pd_flags bitwise OR of pi_flags from crypto_provider_info_t | |
196 | * and other internal flags defined above. | |
197 | * pd_hash_limit Maximum data size that hash mechanisms of this provider | |
198 | * can support. | |
199 | * pd_kcf_prov_handle: KCF-private handle assigned by KCF | |
200 | * pd_prov_id: Identification # assigned by KCF to provider | |
201 | * pd_kstat: kstat associated with the provider | |
202 | * pd_ks_data: kstat data | |
203 | */ | |
204 | typedef struct kcf_provider_desc { | |
205 | crypto_provider_type_t pd_prov_type; | |
206 | crypto_session_id_t pd_sid; | |
207 | uint_t pd_refcnt; | |
208 | uint_t pd_irefcnt; | |
209 | kmutex_t pd_lock; | |
210 | kcf_prov_state_t pd_state; | |
211 | struct kcf_provider_list *pd_provider_list; | |
212 | kcondvar_t pd_resume_cv; | |
213 | crypto_provider_handle_t pd_prov_handle; | |
214 | crypto_ops_t *pd_ops_vector; | |
215 | ushort_t pd_mech_indx[KCF_OPS_CLASSSIZE]\ | |
216 | [KCF_MAXMECHTAB]; | |
217 | crypto_mech_info_t *pd_mechanisms; | |
218 | kcf_sched_info_t pd_sched_info; | |
219 | uint_t pd_mech_list_count; | |
220 | // char *pd_name; | |
221 | // uint_t pd_instance; | |
222 | // int pd_module_id; | |
223 | // struct modctl *pd_mctlp; | |
224 | kcondvar_t pd_remove_cv; | |
225 | char *pd_description; | |
226 | uint_t pd_flags; | |
227 | uint_t pd_hash_limit; | |
228 | crypto_kcf_provider_handle_t pd_kcf_prov_handle; | |
229 | crypto_provider_id_t pd_prov_id; | |
230 | kstat_t *pd_kstat; | |
231 | kcf_prov_stats_t pd_ks_data; | |
232 | } kcf_provider_desc_t; | |
233 | ||
234 | /* useful for making a list of providers */ | |
235 | typedef struct kcf_provider_list { | |
236 | struct kcf_provider_list *pl_next; | |
237 | struct kcf_provider_desc *pl_provider; | |
238 | } kcf_provider_list_t; | |
239 | ||
240 | /* atomic operations in linux implictly form a memory barrier */ | |
241 | #define membar_exit() | |
242 | ||
243 | /* | |
244 | * If a component has a reference to a kcf_provider_desc_t, | |
245 | * it REFHOLD()s. A new provider descriptor which is referenced only | |
246 | * by the providers table has a reference counter of one. | |
247 | */ | |
248 | #define KCF_PROV_REFHOLD(desc) { \ | |
249 | atomic_add_32(&(desc)->pd_refcnt, 1); \ | |
250 | ASSERT((desc)->pd_refcnt != 0); \ | |
251 | } | |
252 | ||
253 | #define KCF_PROV_IREFHOLD(desc) { \ | |
254 | atomic_add_32(&(desc)->pd_irefcnt, 1); \ | |
255 | ASSERT((desc)->pd_irefcnt != 0); \ | |
256 | } | |
257 | ||
258 | #define KCF_PROV_IREFRELE(desc) { \ | |
259 | ASSERT((desc)->pd_irefcnt != 0); \ | |
260 | membar_exit(); \ | |
261 | if (atomic_add_32_nv(&(desc)->pd_irefcnt, -1) == 0) { \ | |
262 | cv_broadcast(&(desc)->pd_remove_cv); \ | |
263 | } \ | |
264 | } | |
265 | ||
266 | #define KCF_PROV_REFHELD(desc) ((desc)->pd_refcnt >= 1) | |
267 | ||
268 | #define KCF_PROV_REFRELE(desc) { \ | |
269 | ASSERT((desc)->pd_refcnt != 0); \ | |
270 | membar_exit(); \ | |
271 | if (atomic_add_32_nv(&(desc)->pd_refcnt, -1) == 0) { \ | |
272 | kcf_provider_zero_refcnt((desc)); \ | |
273 | } \ | |
274 | } | |
275 | ||
276 | ||
277 | /* list of crypto_mech_info_t valid as the second mech in a dual operation */ | |
278 | ||
279 | typedef struct crypto_mech_info_list { | |
280 | struct crypto_mech_info_list *ml_next; | |
281 | crypto_mech_type_t ml_kcf_mechid; /* KCF's id */ | |
282 | crypto_mech_info_t ml_mech_info; | |
283 | } crypto_mech_info_list_t; | |
284 | ||
285 | /* | |
286 | * An element in a mechanism provider descriptors chain. | |
287 | * The kcf_prov_mech_desc_t is duplicated in every chain the provider belongs | |
288 | * to. This is a small tradeoff memory vs mutex spinning time to access the | |
289 | * common provider field. | |
290 | */ | |
291 | ||
292 | typedef struct kcf_prov_mech_desc { | |
293 | struct kcf_mech_entry *pm_me; /* Back to the head */ | |
294 | struct kcf_prov_mech_desc *pm_next; /* Next in the chain */ | |
295 | crypto_mech_info_t pm_mech_info; /* Provider mech info */ | |
296 | crypto_mech_info_list_t *pm_mi_list; /* list for duals */ | |
297 | kcf_provider_desc_t *pm_prov_desc; /* Common desc. */ | |
298 | } kcf_prov_mech_desc_t; | |
299 | ||
300 | /* and the notation shortcuts ... */ | |
301 | #define pm_provider_type pm_prov_desc.pd_provider_type | |
302 | #define pm_provider_handle pm_prov_desc.pd_provider_handle | |
303 | #define pm_ops_vector pm_prov_desc.pd_ops_vector | |
304 | ||
305 | /* | |
306 | * A mechanism entry in an xxx_mech_tab[]. me_pad was deemed | |
307 | * to be unnecessary and removed. | |
308 | */ | |
309 | typedef struct kcf_mech_entry { | |
310 | crypto_mech_name_t me_name; /* mechanism name */ | |
311 | crypto_mech_type_t me_mechid; /* Internal id for mechanism */ | |
312 | kmutex_t me_mutex; /* access protection */ | |
313 | kcf_prov_mech_desc_t *me_hw_prov_chain; /* list of HW providers */ | |
314 | kcf_prov_mech_desc_t *me_sw_prov; /* SW provider */ | |
315 | /* | |
316 | * Number of HW providers in the chain. There is only one | |
317 | * SW provider. So, we need only a count of HW providers. | |
318 | */ | |
319 | int me_num_hwprov; | |
320 | /* | |
321 | * When a SW provider is present, this is the generation number that | |
322 | * ensures no objects from old SW providers are used in the new one | |
323 | */ | |
324 | uint32_t me_gen_swprov; | |
325 | /* | |
326 | * threshold for using hardware providers for this mech | |
327 | */ | |
328 | size_t me_threshold; | |
329 | } kcf_mech_entry_t; | |
330 | ||
331 | /* | |
332 | * A policy descriptor structure. It is allocated and initialized | |
333 | * when administrative ioctls load disabled mechanisms. | |
334 | * | |
335 | * pd_prov_type: Provider type, hardware or software | |
336 | * pd_name: Device name or module name. | |
337 | * pd_instance: Device instance. | |
338 | * pd_refcnt: Reference counter for this policy descriptor | |
339 | * pd_mutex: Protects array and count of disabled mechanisms. | |
340 | * pd_disabled_count: Count of disabled mechanisms. | |
341 | * pd_disabled_mechs: Array of disabled mechanisms. | |
342 | */ | |
343 | typedef struct kcf_policy_desc { | |
344 | crypto_provider_type_t pd_prov_type; | |
345 | char *pd_name; | |
346 | uint_t pd_instance; | |
347 | uint_t pd_refcnt; | |
348 | kmutex_t pd_mutex; | |
349 | uint_t pd_disabled_count; | |
350 | crypto_mech_name_t *pd_disabled_mechs; | |
351 | } kcf_policy_desc_t; | |
352 | ||
353 | /* | |
354 | * If a component has a reference to a kcf_policy_desc_t, | |
355 | * it REFHOLD()s. A new policy descriptor which is referenced only | |
356 | * by the policy table has a reference count of one. | |
357 | */ | |
358 | #define KCF_POLICY_REFHOLD(desc) { \ | |
359 | atomic_add_32(&(desc)->pd_refcnt, 1); \ | |
360 | ASSERT((desc)->pd_refcnt != 0); \ | |
361 | } | |
362 | ||
363 | /* | |
364 | * Releases a reference to a policy descriptor. When the last | |
365 | * reference is released, the descriptor is freed. | |
366 | */ | |
367 | #define KCF_POLICY_REFRELE(desc) { \ | |
368 | ASSERT((desc)->pd_refcnt != 0); \ | |
369 | membar_exit(); \ | |
370 | if (atomic_add_32_nv(&(desc)->pd_refcnt, -1) == 0) \ | |
371 | kcf_policy_free_desc(desc); \ | |
372 | } | |
373 | ||
374 | /* | |
375 | * This entry stores the name of a software module and its | |
376 | * mechanisms. The mechanisms are 'hints' that are used to | |
377 | * trigger loading of the module. | |
378 | */ | |
379 | typedef struct kcf_soft_conf_entry { | |
380 | struct kcf_soft_conf_entry *ce_next; | |
381 | char *ce_name; | |
382 | crypto_mech_name_t *ce_mechs; | |
383 | uint_t ce_count; | |
384 | } kcf_soft_conf_entry_t; | |
385 | ||
386 | extern kmutex_t soft_config_mutex; | |
387 | extern kcf_soft_conf_entry_t *soft_config_list; | |
388 | ||
389 | /* | |
390 | * Global tables. The sizes are from the predefined PKCS#11 v2.20 mechanisms, | |
391 | * with a margin of few extra empty entry points | |
392 | */ | |
393 | ||
394 | #define KCF_MAXDIGEST 16 /* Digests */ | |
395 | #define KCF_MAXCIPHER 64 /* Ciphers */ | |
396 | #define KCF_MAXMAC 40 /* Message authentication codes */ | |
397 | #define KCF_MAXSIGN 24 /* Sign/Verify */ | |
398 | #define KCF_MAXKEYOPS 116 /* Key generation and derivation */ | |
399 | #define KCF_MAXMISC 16 /* Others ... */ | |
400 | ||
401 | #define KCF_MAXMECHS KCF_MAXDIGEST + KCF_MAXCIPHER + KCF_MAXMAC + \ | |
402 | KCF_MAXSIGN + KCF_MAXKEYOPS + \ | |
403 | KCF_MAXMISC | |
404 | ||
405 | extern kcf_mech_entry_t kcf_digest_mechs_tab[]; | |
406 | extern kcf_mech_entry_t kcf_cipher_mechs_tab[]; | |
407 | extern kcf_mech_entry_t kcf_mac_mechs_tab[]; | |
408 | extern kcf_mech_entry_t kcf_sign_mechs_tab[]; | |
409 | extern kcf_mech_entry_t kcf_keyops_mechs_tab[]; | |
410 | extern kcf_mech_entry_t kcf_misc_mechs_tab[]; | |
411 | ||
412 | extern kmutex_t kcf_mech_tabs_lock; | |
413 | ||
414 | typedef enum { | |
415 | KCF_DIGEST_CLASS = 1, | |
416 | KCF_CIPHER_CLASS, | |
417 | KCF_MAC_CLASS, | |
418 | KCF_SIGN_CLASS, | |
419 | KCF_KEYOPS_CLASS, | |
420 | KCF_MISC_CLASS | |
421 | } kcf_ops_class_t; | |
422 | ||
423 | #define KCF_FIRST_OPSCLASS KCF_DIGEST_CLASS | |
424 | #define KCF_LAST_OPSCLASS KCF_MISC_CLASS | |
425 | ||
426 | /* The table of all the kcf_xxx_mech_tab[]s, indexed by kcf_ops_class */ | |
427 | ||
428 | typedef struct kcf_mech_entry_tab { | |
429 | int met_size; /* Size of the met_tab[] */ | |
430 | kcf_mech_entry_t *met_tab; /* the table */ | |
431 | } kcf_mech_entry_tab_t; | |
432 | ||
433 | extern kcf_mech_entry_tab_t kcf_mech_tabs_tab[]; | |
434 | ||
435 | #define KCF_MECHID(class, index) \ | |
436 | (((crypto_mech_type_t)(class) << 32) | (crypto_mech_type_t)(index)) | |
437 | ||
438 | #define KCF_MECH2CLASS(mech_type) ((kcf_ops_class_t)((mech_type) >> 32)) | |
439 | ||
440 | #define KCF_MECH2INDEX(mech_type) ((int)(mech_type)) | |
441 | ||
442 | #define KCF_TO_PROV_MECH_INDX(pd, mech_type) \ | |
443 | ((pd)->pd_mech_indx[KCF_MECH2CLASS(mech_type)] \ | |
444 | [KCF_MECH2INDEX(mech_type)]) | |
445 | ||
446 | #define KCF_TO_PROV_MECHINFO(pd, mech_type) \ | |
447 | ((pd)->pd_mechanisms[KCF_TO_PROV_MECH_INDX(pd, mech_type)]) | |
448 | ||
449 | #define KCF_TO_PROV_MECHNUM(pd, mech_type) \ | |
450 | (KCF_TO_PROV_MECHINFO(pd, mech_type).cm_mech_number) | |
451 | ||
452 | #define KCF_CAN_SHARE_OPSTATE(pd, mech_type) \ | |
453 | ((KCF_TO_PROV_MECHINFO(pd, mech_type).cm_mech_flags) & \ | |
454 | CRYPTO_CAN_SHARE_OPSTATE) | |
455 | ||
456 | /* ps_refcnt is protected by cm_lock in the crypto_minor structure */ | |
457 | typedef struct crypto_provider_session { | |
458 | struct crypto_provider_session *ps_next; | |
459 | crypto_session_id_t ps_session; | |
460 | kcf_provider_desc_t *ps_provider; | |
461 | kcf_provider_desc_t *ps_real_provider; | |
462 | uint_t ps_refcnt; | |
463 | } crypto_provider_session_t; | |
464 | ||
465 | typedef struct crypto_session_data { | |
466 | kmutex_t sd_lock; | |
467 | kcondvar_t sd_cv; | |
468 | uint32_t sd_flags; | |
469 | int sd_pre_approved_amount; | |
470 | crypto_ctx_t *sd_digest_ctx; | |
471 | crypto_ctx_t *sd_encr_ctx; | |
472 | crypto_ctx_t *sd_decr_ctx; | |
473 | crypto_ctx_t *sd_sign_ctx; | |
474 | crypto_ctx_t *sd_verify_ctx; | |
475 | crypto_ctx_t *sd_sign_recover_ctx; | |
476 | crypto_ctx_t *sd_verify_recover_ctx; | |
477 | kcf_provider_desc_t *sd_provider; | |
478 | void *sd_find_init_cookie; | |
479 | crypto_provider_session_t *sd_provider_session; | |
480 | } crypto_session_data_t; | |
481 | ||
482 | #define CRYPTO_SESSION_IN_USE 0x00000001 | |
483 | #define CRYPTO_SESSION_IS_BUSY 0x00000002 | |
484 | #define CRYPTO_SESSION_IS_CLOSED 0x00000004 | |
485 | ||
486 | #define KCF_MAX_PIN_LEN 1024 | |
487 | ||
488 | /* | |
489 | * Per-minor info. | |
490 | * | |
491 | * cm_lock protects everything in this structure except for cm_refcnt. | |
492 | */ | |
493 | typedef struct crypto_minor { | |
494 | uint_t cm_refcnt; | |
495 | kmutex_t cm_lock; | |
496 | kcondvar_t cm_cv; | |
497 | crypto_session_data_t **cm_session_table; | |
498 | uint_t cm_session_table_count; | |
499 | kcf_provider_desc_t **cm_provider_array; | |
500 | uint_t cm_provider_count; | |
501 | crypto_provider_session_t *cm_provider_session; | |
502 | } crypto_minor_t; | |
503 | ||
504 | /* | |
505 | * Return codes for internal functions | |
506 | */ | |
507 | #define KCF_SUCCESS 0x0 /* Successful call */ | |
508 | #define KCF_INVALID_MECH_NUMBER 0x1 /* invalid mechanism number */ | |
509 | #define KCF_INVALID_MECH_NAME 0x2 /* invalid mechanism name */ | |
510 | #define KCF_INVALID_MECH_CLASS 0x3 /* invalid mechanism class */ | |
511 | #define KCF_MECH_TAB_FULL 0x4 /* Need more room in the mech tabs. */ | |
512 | #define KCF_INVALID_INDX ((ushort_t)-1) | |
513 | ||
514 | /* | |
515 | * kCF internal mechanism and function group for tracking RNG providers. | |
516 | */ | |
517 | #define SUN_RANDOM "random" | |
518 | #define CRYPTO_FG_RANDOM 0x80000000 /* generate_random() */ | |
519 | ||
520 | /* | |
521 | * Wrappers for ops vectors. In the wrapper definitions below, the pd | |
522 | * argument always corresponds to a pointer to a provider descriptor | |
523 | * of type kcf_prov_desc_t. | |
524 | */ | |
525 | ||
526 | #define KCF_PROV_CONTROL_OPS(pd) ((pd)->pd_ops_vector->co_control_ops) | |
527 | #define KCF_PROV_CTX_OPS(pd) ((pd)->pd_ops_vector->co_ctx_ops) | |
528 | #define KCF_PROV_DIGEST_OPS(pd) ((pd)->pd_ops_vector->co_digest_ops) | |
529 | #define KCF_PROV_CIPHER_OPS(pd) ((pd)->pd_ops_vector->co_cipher_ops) | |
530 | #define KCF_PROV_MAC_OPS(pd) ((pd)->pd_ops_vector->co_mac_ops) | |
531 | #define KCF_PROV_SIGN_OPS(pd) ((pd)->pd_ops_vector->co_sign_ops) | |
532 | #define KCF_PROV_VERIFY_OPS(pd) ((pd)->pd_ops_vector->co_verify_ops) | |
533 | #define KCF_PROV_DUAL_OPS(pd) ((pd)->pd_ops_vector->co_dual_ops) | |
534 | #define KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) \ | |
535 | ((pd)->pd_ops_vector->co_dual_cipher_mac_ops) | |
536 | #define KCF_PROV_RANDOM_OPS(pd) ((pd)->pd_ops_vector->co_random_ops) | |
537 | #define KCF_PROV_SESSION_OPS(pd) ((pd)->pd_ops_vector->co_session_ops) | |
538 | #define KCF_PROV_OBJECT_OPS(pd) ((pd)->pd_ops_vector->co_object_ops) | |
539 | #define KCF_PROV_KEY_OPS(pd) ((pd)->pd_ops_vector->co_key_ops) | |
540 | #define KCF_PROV_PROVIDER_OPS(pd) ((pd)->pd_ops_vector->co_provider_ops) | |
541 | #define KCF_PROV_MECH_OPS(pd) ((pd)->pd_ops_vector->co_mech_ops) | |
542 | #define KCF_PROV_NOSTORE_KEY_OPS(pd) \ | |
543 | ((pd)->pd_ops_vector->co_nostore_key_ops) | |
544 | ||
545 | /* | |
546 | * Wrappers for crypto_control_ops(9S) entry points. | |
547 | */ | |
548 | ||
549 | #define KCF_PROV_STATUS(pd, status) ( \ | |
550 | (KCF_PROV_CONTROL_OPS(pd) && \ | |
551 | KCF_PROV_CONTROL_OPS(pd)->provider_status) ? \ | |
552 | KCF_PROV_CONTROL_OPS(pd)->provider_status( \ | |
553 | (pd)->pd_prov_handle, status) : \ | |
554 | CRYPTO_NOT_SUPPORTED) | |
555 | ||
556 | /* | |
557 | * Wrappers for crypto_ctx_ops(9S) entry points. | |
558 | */ | |
559 | ||
560 | #define KCF_PROV_CREATE_CTX_TEMPLATE(pd, mech, key, template, size, req) ( \ | |
561 | (KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->create_ctx_template) ? \ | |
562 | KCF_PROV_CTX_OPS(pd)->create_ctx_template( \ | |
563 | (pd)->pd_prov_handle, mech, key, template, size, req) : \ | |
564 | CRYPTO_NOT_SUPPORTED) | |
565 | ||
566 | #define KCF_PROV_FREE_CONTEXT(pd, ctx) ( \ | |
567 | (KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->free_context) ? \ | |
568 | KCF_PROV_CTX_OPS(pd)->free_context(ctx) : CRYPTO_NOT_SUPPORTED) | |
569 | ||
570 | #define KCF_PROV_COPYIN_MECH(pd, umech, kmech, errorp, mode) ( \ | |
571 | (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->copyin_mechanism) ? \ | |
572 | KCF_PROV_MECH_OPS(pd)->copyin_mechanism( \ | |
573 | (pd)->pd_prov_handle, umech, kmech, errorp, mode) : \ | |
574 | CRYPTO_NOT_SUPPORTED) | |
575 | ||
576 | #define KCF_PROV_COPYOUT_MECH(pd, kmech, umech, errorp, mode) ( \ | |
577 | (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->copyout_mechanism) ? \ | |
578 | KCF_PROV_MECH_OPS(pd)->copyout_mechanism( \ | |
579 | (pd)->pd_prov_handle, kmech, umech, errorp, mode) : \ | |
580 | CRYPTO_NOT_SUPPORTED) | |
581 | ||
582 | #define KCF_PROV_FREE_MECH(pd, prov_mech) ( \ | |
583 | (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->free_mechanism) ? \ | |
584 | KCF_PROV_MECH_OPS(pd)->free_mechanism( \ | |
585 | (pd)->pd_prov_handle, prov_mech) : CRYPTO_NOT_SUPPORTED) | |
586 | ||
587 | /* | |
588 | * Wrappers for crypto_digest_ops(9S) entry points. | |
589 | */ | |
590 | ||
591 | #define KCF_PROV_DIGEST_INIT(pd, ctx, mech, req) ( \ | |
592 | (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_init) ? \ | |
593 | KCF_PROV_DIGEST_OPS(pd)->digest_init(ctx, mech, req) : \ | |
594 | CRYPTO_NOT_SUPPORTED) | |
595 | ||
596 | /* | |
597 | * The _ (underscore) in _digest is needed to avoid replacing the | |
598 | * function digest(). | |
599 | */ | |
600 | #define KCF_PROV_DIGEST(pd, ctx, data, _digest, req) ( \ | |
601 | (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest) ? \ | |
602 | KCF_PROV_DIGEST_OPS(pd)->digest(ctx, data, _digest, req) : \ | |
603 | CRYPTO_NOT_SUPPORTED) | |
604 | ||
605 | #define KCF_PROV_DIGEST_UPDATE(pd, ctx, data, req) ( \ | |
606 | (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_update) ? \ | |
607 | KCF_PROV_DIGEST_OPS(pd)->digest_update(ctx, data, req) : \ | |
608 | CRYPTO_NOT_SUPPORTED) | |
609 | ||
610 | #define KCF_PROV_DIGEST_KEY(pd, ctx, key, req) ( \ | |
611 | (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_key) ? \ | |
612 | KCF_PROV_DIGEST_OPS(pd)->digest_key(ctx, key, req) : \ | |
613 | CRYPTO_NOT_SUPPORTED) | |
614 | ||
615 | #define KCF_PROV_DIGEST_FINAL(pd, ctx, digest, req) ( \ | |
616 | (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_final) ? \ | |
617 | KCF_PROV_DIGEST_OPS(pd)->digest_final(ctx, digest, req) : \ | |
618 | CRYPTO_NOT_SUPPORTED) | |
619 | ||
620 | #define KCF_PROV_DIGEST_ATOMIC(pd, session, mech, data, digest, req) ( \ | |
621 | (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_atomic) ? \ | |
622 | KCF_PROV_DIGEST_OPS(pd)->digest_atomic( \ | |
623 | (pd)->pd_prov_handle, session, mech, data, digest, req) : \ | |
624 | CRYPTO_NOT_SUPPORTED) | |
625 | ||
626 | /* | |
627 | * Wrappers for crypto_cipher_ops(9S) entry points. | |
628 | */ | |
629 | ||
630 | #define KCF_PROV_ENCRYPT_INIT(pd, ctx, mech, key, template, req) ( \ | |
631 | (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_init) ? \ | |
632 | KCF_PROV_CIPHER_OPS(pd)->encrypt_init(ctx, mech, key, template, \ | |
633 | req) : \ | |
634 | CRYPTO_NOT_SUPPORTED) | |
635 | ||
636 | #define KCF_PROV_ENCRYPT(pd, ctx, plaintext, ciphertext, req) ( \ | |
637 | (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt) ? \ | |
638 | KCF_PROV_CIPHER_OPS(pd)->encrypt(ctx, plaintext, ciphertext, req) : \ | |
639 | CRYPTO_NOT_SUPPORTED) | |
640 | ||
641 | #define KCF_PROV_ENCRYPT_UPDATE(pd, ctx, plaintext, ciphertext, req) ( \ | |
642 | (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_update) ? \ | |
643 | KCF_PROV_CIPHER_OPS(pd)->encrypt_update(ctx, plaintext, \ | |
644 | ciphertext, req) : \ | |
645 | CRYPTO_NOT_SUPPORTED) | |
646 | ||
647 | #define KCF_PROV_ENCRYPT_FINAL(pd, ctx, ciphertext, req) ( \ | |
648 | (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_final) ? \ | |
649 | KCF_PROV_CIPHER_OPS(pd)->encrypt_final(ctx, ciphertext, req) : \ | |
650 | CRYPTO_NOT_SUPPORTED) | |
651 | ||
652 | #define KCF_PROV_ENCRYPT_ATOMIC(pd, session, mech, key, plaintext, ciphertext, \ | |
653 | template, req) ( \ | |
654 | (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic) ? \ | |
655 | KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic( \ | |
656 | (pd)->pd_prov_handle, session, mech, key, plaintext, ciphertext, \ | |
657 | template, req) : \ | |
658 | CRYPTO_NOT_SUPPORTED) | |
659 | ||
660 | #define KCF_PROV_DECRYPT_INIT(pd, ctx, mech, key, template, req) ( \ | |
661 | (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_init) ? \ | |
662 | KCF_PROV_CIPHER_OPS(pd)->decrypt_init(ctx, mech, key, template, \ | |
663 | req) : \ | |
664 | CRYPTO_NOT_SUPPORTED) | |
665 | ||
666 | #define KCF_PROV_DECRYPT(pd, ctx, ciphertext, plaintext, req) ( \ | |
667 | (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt) ? \ | |
668 | KCF_PROV_CIPHER_OPS(pd)->decrypt(ctx, ciphertext, plaintext, req) : \ | |
669 | CRYPTO_NOT_SUPPORTED) | |
670 | ||
671 | #define KCF_PROV_DECRYPT_UPDATE(pd, ctx, ciphertext, plaintext, req) ( \ | |
672 | (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_update) ? \ | |
673 | KCF_PROV_CIPHER_OPS(pd)->decrypt_update(ctx, ciphertext, \ | |
674 | plaintext, req) : \ | |
675 | CRYPTO_NOT_SUPPORTED) | |
676 | ||
677 | #define KCF_PROV_DECRYPT_FINAL(pd, ctx, plaintext, req) ( \ | |
678 | (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_final) ? \ | |
679 | KCF_PROV_CIPHER_OPS(pd)->decrypt_final(ctx, plaintext, req) : \ | |
680 | CRYPTO_NOT_SUPPORTED) | |
681 | ||
682 | #define KCF_PROV_DECRYPT_ATOMIC(pd, session, mech, key, ciphertext, plaintext, \ | |
683 | template, req) ( \ | |
684 | (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic) ? \ | |
685 | KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic( \ | |
686 | (pd)->pd_prov_handle, session, mech, key, ciphertext, plaintext, \ | |
687 | template, req) : \ | |
688 | CRYPTO_NOT_SUPPORTED) | |
689 | ||
690 | /* | |
691 | * Wrappers for crypto_mac_ops(9S) entry points. | |
692 | */ | |
693 | ||
694 | #define KCF_PROV_MAC_INIT(pd, ctx, mech, key, template, req) ( \ | |
695 | (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_init) ? \ | |
696 | KCF_PROV_MAC_OPS(pd)->mac_init(ctx, mech, key, template, req) \ | |
697 | : CRYPTO_NOT_SUPPORTED) | |
698 | ||
699 | /* | |
700 | * The _ (underscore) in _mac is needed to avoid replacing the | |
701 | * function mac(). | |
702 | */ | |
703 | #define KCF_PROV_MAC(pd, ctx, data, _mac, req) ( \ | |
704 | (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac) ? \ | |
705 | KCF_PROV_MAC_OPS(pd)->mac(ctx, data, _mac, req) : \ | |
706 | CRYPTO_NOT_SUPPORTED) | |
707 | ||
708 | #define KCF_PROV_MAC_UPDATE(pd, ctx, data, req) ( \ | |
709 | (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_update) ? \ | |
710 | KCF_PROV_MAC_OPS(pd)->mac_update(ctx, data, req) : \ | |
711 | CRYPTO_NOT_SUPPORTED) | |
712 | ||
713 | #define KCF_PROV_MAC_FINAL(pd, ctx, mac, req) ( \ | |
714 | (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_final) ? \ | |
715 | KCF_PROV_MAC_OPS(pd)->mac_final(ctx, mac, req) : \ | |
716 | CRYPTO_NOT_SUPPORTED) | |
717 | ||
718 | #define KCF_PROV_MAC_ATOMIC(pd, session, mech, key, data, mac, template, \ | |
719 | req) ( \ | |
720 | (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_atomic) ? \ | |
721 | KCF_PROV_MAC_OPS(pd)->mac_atomic( \ | |
722 | (pd)->pd_prov_handle, session, mech, key, data, mac, template, \ | |
723 | req) : \ | |
724 | CRYPTO_NOT_SUPPORTED) | |
725 | ||
726 | #define KCF_PROV_MAC_VERIFY_ATOMIC(pd, session, mech, key, data, mac, \ | |
727 | template, req) ( \ | |
728 | (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_verify_atomic) ? \ | |
729 | KCF_PROV_MAC_OPS(pd)->mac_verify_atomic( \ | |
730 | (pd)->pd_prov_handle, session, mech, key, data, mac, template, \ | |
731 | req) : \ | |
732 | CRYPTO_NOT_SUPPORTED) | |
733 | ||
734 | /* | |
735 | * Wrappers for crypto_sign_ops(9S) entry points. | |
736 | */ | |
737 | ||
738 | #define KCF_PROV_SIGN_INIT(pd, ctx, mech, key, template, req) ( \ | |
739 | (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_init) ? \ | |
740 | KCF_PROV_SIGN_OPS(pd)->sign_init( \ | |
741 | ctx, mech, key, template, req) : CRYPTO_NOT_SUPPORTED) | |
742 | ||
743 | #define KCF_PROV_SIGN(pd, ctx, data, sig, req) ( \ | |
744 | (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign) ? \ | |
745 | KCF_PROV_SIGN_OPS(pd)->sign(ctx, data, sig, req) : \ | |
746 | CRYPTO_NOT_SUPPORTED) | |
747 | ||
748 | #define KCF_PROV_SIGN_UPDATE(pd, ctx, data, req) ( \ | |
749 | (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_update) ? \ | |
750 | KCF_PROV_SIGN_OPS(pd)->sign_update(ctx, data, req) : \ | |
751 | CRYPTO_NOT_SUPPORTED) | |
752 | ||
753 | #define KCF_PROV_SIGN_FINAL(pd, ctx, sig, req) ( \ | |
754 | (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_final) ? \ | |
755 | KCF_PROV_SIGN_OPS(pd)->sign_final(ctx, sig, req) : \ | |
756 | CRYPTO_NOT_SUPPORTED) | |
757 | ||
758 | #define KCF_PROV_SIGN_ATOMIC(pd, session, mech, key, data, template, \ | |
759 | sig, req) ( \ | |
760 | (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_atomic) ? \ | |
761 | KCF_PROV_SIGN_OPS(pd)->sign_atomic( \ | |
762 | (pd)->pd_prov_handle, session, mech, key, data, sig, template, \ | |
763 | req) : CRYPTO_NOT_SUPPORTED) | |
764 | ||
765 | #define KCF_PROV_SIGN_RECOVER_INIT(pd, ctx, mech, key, template, \ | |
766 | req) ( \ | |
767 | (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_recover_init) ? \ | |
768 | KCF_PROV_SIGN_OPS(pd)->sign_recover_init(ctx, mech, key, template, \ | |
769 | req) : CRYPTO_NOT_SUPPORTED) | |
770 | ||
771 | #define KCF_PROV_SIGN_RECOVER(pd, ctx, data, sig, req) ( \ | |
772 | (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_recover) ? \ | |
773 | KCF_PROV_SIGN_OPS(pd)->sign_recover(ctx, data, sig, req) : \ | |
774 | CRYPTO_NOT_SUPPORTED) | |
775 | ||
776 | #define KCF_PROV_SIGN_RECOVER_ATOMIC(pd, session, mech, key, data, template, \ | |
777 | sig, req) ( \ | |
778 | (KCF_PROV_SIGN_OPS(pd) && \ | |
779 | KCF_PROV_SIGN_OPS(pd)->sign_recover_atomic) ? \ | |
780 | KCF_PROV_SIGN_OPS(pd)->sign_recover_atomic( \ | |
781 | (pd)->pd_prov_handle, session, mech, key, data, sig, template, \ | |
782 | req) : CRYPTO_NOT_SUPPORTED) | |
783 | ||
784 | /* | |
785 | * Wrappers for crypto_verify_ops(9S) entry points. | |
786 | */ | |
787 | ||
788 | #define KCF_PROV_VERIFY_INIT(pd, ctx, mech, key, template, req) ( \ | |
789 | (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_init) ? \ | |
790 | KCF_PROV_VERIFY_OPS(pd)->verify_init(ctx, mech, key, template, \ | |
791 | req) : CRYPTO_NOT_SUPPORTED) | |
792 | ||
793 | #define KCF_PROV_VERIFY(pd, ctx, data, sig, req) ( \ | |
794 | (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->do_verify) ? \ | |
795 | KCF_PROV_VERIFY_OPS(pd)->do_verify(ctx, data, sig, req) : \ | |
796 | CRYPTO_NOT_SUPPORTED) | |
797 | ||
798 | #define KCF_PROV_VERIFY_UPDATE(pd, ctx, data, req) ( \ | |
799 | (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_update) ? \ | |
800 | KCF_PROV_VERIFY_OPS(pd)->verify_update(ctx, data, req) : \ | |
801 | CRYPTO_NOT_SUPPORTED) | |
802 | ||
803 | #define KCF_PROV_VERIFY_FINAL(pd, ctx, sig, req) ( \ | |
804 | (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_final) ? \ | |
805 | KCF_PROV_VERIFY_OPS(pd)->verify_final(ctx, sig, req) : \ | |
806 | CRYPTO_NOT_SUPPORTED) | |
807 | ||
808 | #define KCF_PROV_VERIFY_ATOMIC(pd, session, mech, key, data, template, sig, \ | |
809 | req) ( \ | |
810 | (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_atomic) ? \ | |
811 | KCF_PROV_VERIFY_OPS(pd)->verify_atomic( \ | |
812 | (pd)->pd_prov_handle, session, mech, key, data, sig, template, \ | |
813 | req) : CRYPTO_NOT_SUPPORTED) | |
814 | ||
815 | #define KCF_PROV_VERIFY_RECOVER_INIT(pd, ctx, mech, key, template, \ | |
816 | req) ( \ | |
817 | (KCF_PROV_VERIFY_OPS(pd) && \ | |
818 | KCF_PROV_VERIFY_OPS(pd)->verify_recover_init) ? \ | |
819 | KCF_PROV_VERIFY_OPS(pd)->verify_recover_init(ctx, mech, key, \ | |
820 | template, req) : CRYPTO_NOT_SUPPORTED) | |
821 | ||
822 | /* verify_recover() CSPI routine has different argument order than verify() */ | |
823 | #define KCF_PROV_VERIFY_RECOVER(pd, ctx, sig, data, req) ( \ | |
824 | (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_recover) ? \ | |
825 | KCF_PROV_VERIFY_OPS(pd)->verify_recover(ctx, sig, data, req) : \ | |
826 | CRYPTO_NOT_SUPPORTED) | |
827 | ||
828 | /* | |
829 | * verify_recover_atomic() CSPI routine has different argument order | |
830 | * than verify_atomic(). | |
831 | */ | |
832 | #define KCF_PROV_VERIFY_RECOVER_ATOMIC(pd, session, mech, key, sig, \ | |
833 | template, data, req) ( \ | |
834 | (KCF_PROV_VERIFY_OPS(pd) && \ | |
835 | KCF_PROV_VERIFY_OPS(pd)->verify_recover_atomic) ? \ | |
836 | KCF_PROV_VERIFY_OPS(pd)->verify_recover_atomic( \ | |
837 | (pd)->pd_prov_handle, session, mech, key, sig, data, template, \ | |
838 | req) : CRYPTO_NOT_SUPPORTED) | |
839 | ||
840 | /* | |
841 | * Wrappers for crypto_dual_ops(9S) entry points. | |
842 | */ | |
843 | ||
844 | #define KCF_PROV_DIGEST_ENCRYPT_UPDATE(digest_ctx, encrypt_ctx, plaintext, \ | |
845 | ciphertext, req) ( \ | |
846 | (KCF_PROV_DUAL_OPS(pd) && \ | |
847 | KCF_PROV_DUAL_OPS(pd)->digest_encrypt_update) ? \ | |
848 | KCF_PROV_DUAL_OPS(pd)->digest_encrypt_update( \ | |
849 | digest_ctx, encrypt_ctx, plaintext, ciphertext, req) : \ | |
850 | CRYPTO_NOT_SUPPORTED) | |
851 | ||
852 | #define KCF_PROV_DECRYPT_DIGEST_UPDATE(decrypt_ctx, digest_ctx, ciphertext, \ | |
853 | plaintext, req) ( \ | |
854 | (KCF_PROV_DUAL_OPS(pd) && \ | |
855 | KCF_PROV_DUAL_OPS(pd)->decrypt_digest_update) ? \ | |
856 | KCF_PROV_DUAL_OPS(pd)->decrypt_digest_update( \ | |
857 | decrypt_ctx, digest_ctx, ciphertext, plaintext, req) : \ | |
858 | CRYPTO_NOT_SUPPORTED) | |
859 | ||
860 | #define KCF_PROV_SIGN_ENCRYPT_UPDATE(sign_ctx, encrypt_ctx, plaintext, \ | |
861 | ciphertext, req) ( \ | |
862 | (KCF_PROV_DUAL_OPS(pd) && \ | |
863 | KCF_PROV_DUAL_OPS(pd)->sign_encrypt_update) ? \ | |
864 | KCF_PROV_DUAL_OPS(pd)->sign_encrypt_update( \ | |
865 | sign_ctx, encrypt_ctx, plaintext, ciphertext, req) : \ | |
866 | CRYPTO_NOT_SUPPORTED) | |
867 | ||
868 | #define KCF_PROV_DECRYPT_VERIFY_UPDATE(decrypt_ctx, verify_ctx, ciphertext, \ | |
869 | plaintext, req) ( \ | |
870 | (KCF_PROV_DUAL_OPS(pd) && \ | |
871 | KCF_PROV_DUAL_OPS(pd)->decrypt_verify_update) ? \ | |
872 | KCF_PROV_DUAL_OPS(pd)->decrypt_verify_update( \ | |
873 | decrypt_ctx, verify_ctx, ciphertext, plaintext, req) : \ | |
874 | CRYPTO_NOT_SUPPORTED) | |
875 | ||
876 | /* | |
877 | * Wrappers for crypto_dual_cipher_mac_ops(9S) entry points. | |
878 | */ | |
879 | ||
880 | #define KCF_PROV_ENCRYPT_MAC_INIT(pd, ctx, encr_mech, encr_key, mac_mech, \ | |
881 | mac_key, encr_ctx_template, mac_ctx_template, req) ( \ | |
882 | (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ | |
883 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_init) ? \ | |
884 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_init( \ | |
885 | ctx, encr_mech, encr_key, mac_mech, mac_key, encr_ctx_template, \ | |
886 | mac_ctx_template, req) : \ | |
887 | CRYPTO_NOT_SUPPORTED) | |
888 | ||
889 | #define KCF_PROV_ENCRYPT_MAC(pd, ctx, plaintext, ciphertext, mac, req) ( \ | |
890 | (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ | |
891 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac) ? \ | |
892 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac( \ | |
893 | ctx, plaintext, ciphertext, mac, req) : \ | |
894 | CRYPTO_NOT_SUPPORTED) | |
895 | ||
896 | #define KCF_PROV_ENCRYPT_MAC_UPDATE(pd, ctx, plaintext, ciphertext, req) ( \ | |
897 | (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ | |
898 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_update) ? \ | |
899 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_update( \ | |
900 | ctx, plaintext, ciphertext, req) : \ | |
901 | CRYPTO_NOT_SUPPORTED) | |
902 | ||
903 | #define KCF_PROV_ENCRYPT_MAC_FINAL(pd, ctx, ciphertext, mac, req) ( \ | |
904 | (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ | |
905 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_final) ? \ | |
906 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_final( \ | |
907 | ctx, ciphertext, mac, req) : \ | |
908 | CRYPTO_NOT_SUPPORTED) | |
909 | ||
910 | #define KCF_PROV_ENCRYPT_MAC_ATOMIC(pd, session, encr_mech, encr_key, \ | |
911 | mac_mech, mac_key, plaintext, ciphertext, mac, \ | |
912 | encr_ctx_template, mac_ctx_template, req) ( \ | |
913 | (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ | |
914 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_atomic) ? \ | |
915 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_atomic( \ | |
916 | (pd)->pd_prov_handle, session, encr_mech, encr_key, \ | |
917 | mac_mech, mac_key, plaintext, ciphertext, mac, \ | |
918 | encr_ctx_template, mac_ctx_template, req) : \ | |
919 | CRYPTO_NOT_SUPPORTED) | |
920 | ||
921 | #define KCF_PROV_MAC_DECRYPT_INIT(pd, ctx, mac_mech, mac_key, decr_mech, \ | |
922 | decr_key, mac_ctx_template, decr_ctx_template, req) ( \ | |
923 | (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ | |
924 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_init) ? \ | |
925 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_init( \ | |
926 | ctx, mac_mech, mac_key, decr_mech, decr_key, mac_ctx_template, \ | |
927 | decr_ctx_template, req) : \ | |
928 | CRYPTO_NOT_SUPPORTED) | |
929 | ||
930 | #define KCF_PROV_MAC_DECRYPT(pd, ctx, ciphertext, mac, plaintext, req) ( \ | |
931 | (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ | |
932 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt) ? \ | |
933 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt( \ | |
934 | ctx, ciphertext, mac, plaintext, req) : \ | |
935 | CRYPTO_NOT_SUPPORTED) | |
936 | ||
937 | #define KCF_PROV_MAC_DECRYPT_UPDATE(pd, ctx, ciphertext, plaintext, req) ( \ | |
938 | (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ | |
939 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_update) ? \ | |
940 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_update( \ | |
941 | ctx, ciphertext, plaintext, req) : \ | |
942 | CRYPTO_NOT_SUPPORTED) | |
943 | ||
944 | #define KCF_PROV_MAC_DECRYPT_FINAL(pd, ctx, mac, plaintext, req) ( \ | |
945 | (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ | |
946 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_final) ? \ | |
947 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_final( \ | |
948 | ctx, mac, plaintext, req) : \ | |
949 | CRYPTO_NOT_SUPPORTED) | |
950 | ||
951 | #define KCF_PROV_MAC_DECRYPT_ATOMIC(pd, session, mac_mech, mac_key, \ | |
952 | decr_mech, decr_key, ciphertext, mac, plaintext, \ | |
953 | mac_ctx_template, decr_ctx_template, req) ( \ | |
954 | (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ | |
955 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_atomic) ? \ | |
956 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_atomic( \ | |
957 | (pd)->pd_prov_handle, session, mac_mech, mac_key, \ | |
958 | decr_mech, decr_key, ciphertext, mac, plaintext, \ | |
959 | mac_ctx_template, decr_ctx_template, req) : \ | |
960 | CRYPTO_NOT_SUPPORTED) | |
961 | ||
962 | #define KCF_PROV_MAC_VERIFY_DECRYPT_ATOMIC(pd, session, mac_mech, mac_key, \ | |
963 | decr_mech, decr_key, ciphertext, mac, plaintext, \ | |
964 | mac_ctx_template, decr_ctx_template, req) ( \ | |
965 | (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ | |
966 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_verify_decrypt_atomic \ | |
967 | != NULL) ? \ | |
968 | KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_verify_decrypt_atomic( \ | |
969 | (pd)->pd_prov_handle, session, mac_mech, mac_key, \ | |
970 | decr_mech, decr_key, ciphertext, mac, plaintext, \ | |
971 | mac_ctx_template, decr_ctx_template, req) : \ | |
972 | CRYPTO_NOT_SUPPORTED) | |
973 | ||
974 | /* | |
975 | * Wrappers for crypto_random_number_ops(9S) entry points. | |
976 | */ | |
977 | ||
978 | #define KCF_PROV_SEED_RANDOM(pd, session, buf, len, est, flags, req) ( \ | |
979 | (KCF_PROV_RANDOM_OPS(pd) && KCF_PROV_RANDOM_OPS(pd)->seed_random) ? \ | |
980 | KCF_PROV_RANDOM_OPS(pd)->seed_random((pd)->pd_prov_handle, \ | |
981 | session, buf, len, est, flags, req) : CRYPTO_NOT_SUPPORTED) | |
982 | ||
983 | #define KCF_PROV_GENERATE_RANDOM(pd, session, buf, len, req) ( \ | |
984 | (KCF_PROV_RANDOM_OPS(pd) && \ | |
985 | KCF_PROV_RANDOM_OPS(pd)->generate_random) ? \ | |
986 | KCF_PROV_RANDOM_OPS(pd)->generate_random((pd)->pd_prov_handle, \ | |
987 | session, buf, len, req) : CRYPTO_NOT_SUPPORTED) | |
988 | ||
989 | /* | |
990 | * Wrappers for crypto_session_ops(9S) entry points. | |
991 | * | |
992 | * ops_pd is the provider descriptor that supplies the ops_vector. | |
993 | * pd is the descriptor that supplies the provider handle. | |
994 | * Only session open/close needs two handles. | |
995 | */ | |
996 | ||
997 | #define KCF_PROV_SESSION_OPEN(ops_pd, session, req, pd) ( \ | |
998 | (KCF_PROV_SESSION_OPS(ops_pd) && \ | |
999 | KCF_PROV_SESSION_OPS(ops_pd)->session_open) ? \ | |
1000 | KCF_PROV_SESSION_OPS(ops_pd)->session_open((pd)->pd_prov_handle, \ | |
1001 | session, req) : CRYPTO_NOT_SUPPORTED) | |
1002 | ||
1003 | #define KCF_PROV_SESSION_CLOSE(ops_pd, session, req, pd) ( \ | |
1004 | (KCF_PROV_SESSION_OPS(ops_pd) && \ | |
1005 | KCF_PROV_SESSION_OPS(ops_pd)->session_close) ? \ | |
1006 | KCF_PROV_SESSION_OPS(ops_pd)->session_close((pd)->pd_prov_handle, \ | |
1007 | session, req) : CRYPTO_NOT_SUPPORTED) | |
1008 | ||
1009 | #define KCF_PROV_SESSION_LOGIN(pd, session, user_type, pin, len, req) ( \ | |
1010 | (KCF_PROV_SESSION_OPS(pd) && \ | |
1011 | KCF_PROV_SESSION_OPS(pd)->session_login) ? \ | |
1012 | KCF_PROV_SESSION_OPS(pd)->session_login((pd)->pd_prov_handle, \ | |
1013 | session, user_type, pin, len, req) : CRYPTO_NOT_SUPPORTED) | |
1014 | ||
1015 | #define KCF_PROV_SESSION_LOGOUT(pd, session, req) ( \ | |
1016 | (KCF_PROV_SESSION_OPS(pd) && \ | |
1017 | KCF_PROV_SESSION_OPS(pd)->session_logout) ? \ | |
1018 | KCF_PROV_SESSION_OPS(pd)->session_logout((pd)->pd_prov_handle, \ | |
1019 | session, req) : CRYPTO_NOT_SUPPORTED) | |
1020 | ||
1021 | /* | |
1022 | * Wrappers for crypto_object_ops(9S) entry points. | |
1023 | */ | |
1024 | ||
1025 | #define KCF_PROV_OBJECT_CREATE(pd, session, template, count, object, req) ( \ | |
1026 | (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_create) ? \ | |
1027 | KCF_PROV_OBJECT_OPS(pd)->object_create((pd)->pd_prov_handle, \ | |
1028 | session, template, count, object, req) : CRYPTO_NOT_SUPPORTED) | |
1029 | ||
1030 | #define KCF_PROV_OBJECT_COPY(pd, session, object, template, count, \ | |
1031 | new_object, req) ( \ | |
1032 | (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_copy) ? \ | |
1033 | KCF_PROV_OBJECT_OPS(pd)->object_copy((pd)->pd_prov_handle, \ | |
1034 | session, object, template, count, new_object, req) : \ | |
1035 | CRYPTO_NOT_SUPPORTED) | |
1036 | ||
1037 | #define KCF_PROV_OBJECT_DESTROY(pd, session, object, req) ( \ | |
1038 | (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_destroy) ? \ | |
1039 | KCF_PROV_OBJECT_OPS(pd)->object_destroy((pd)->pd_prov_handle, \ | |
1040 | session, object, req) : CRYPTO_NOT_SUPPORTED) | |
1041 | ||
1042 | #define KCF_PROV_OBJECT_GET_SIZE(pd, session, object, size, req) ( \ | |
1043 | (KCF_PROV_OBJECT_OPS(pd) && \ | |
1044 | KCF_PROV_OBJECT_OPS(pd)->object_get_size) ? \ | |
1045 | KCF_PROV_OBJECT_OPS(pd)->object_get_size((pd)->pd_prov_handle, \ | |
1046 | session, object, size, req) : CRYPTO_NOT_SUPPORTED) | |
1047 | ||
1048 | #define KCF_PROV_OBJECT_GET_ATTRIBUTE_VALUE(pd, session, object, template, \ | |
1049 | count, req) ( \ | |
1050 | (KCF_PROV_OBJECT_OPS(pd) && \ | |
1051 | KCF_PROV_OBJECT_OPS(pd)->object_get_attribute_value) ? \ | |
1052 | KCF_PROV_OBJECT_OPS(pd)->object_get_attribute_value( \ | |
1053 | (pd)->pd_prov_handle, session, object, template, count, req) : \ | |
1054 | CRYPTO_NOT_SUPPORTED) | |
1055 | ||
1056 | #define KCF_PROV_OBJECT_SET_ATTRIBUTE_VALUE(pd, session, object, template, \ | |
1057 | count, req) ( \ | |
1058 | (KCF_PROV_OBJECT_OPS(pd) && \ | |
1059 | KCF_PROV_OBJECT_OPS(pd)->object_set_attribute_value) ? \ | |
1060 | KCF_PROV_OBJECT_OPS(pd)->object_set_attribute_value( \ | |
1061 | (pd)->pd_prov_handle, session, object, template, count, req) : \ | |
1062 | CRYPTO_NOT_SUPPORTED) | |
1063 | ||
1064 | #define KCF_PROV_OBJECT_FIND_INIT(pd, session, template, count, ppriv, \ | |
1065 | req) ( \ | |
1066 | (KCF_PROV_OBJECT_OPS(pd) && \ | |
1067 | KCF_PROV_OBJECT_OPS(pd)->object_find_init) ? \ | |
1068 | KCF_PROV_OBJECT_OPS(pd)->object_find_init((pd)->pd_prov_handle, \ | |
1069 | session, template, count, ppriv, req) : CRYPTO_NOT_SUPPORTED) | |
1070 | ||
1071 | #define KCF_PROV_OBJECT_FIND(pd, ppriv, objects, max_objects, object_count, \ | |
1072 | req) ( \ | |
1073 | (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_find) ? \ | |
1074 | KCF_PROV_OBJECT_OPS(pd)->object_find( \ | |
1075 | (pd)->pd_prov_handle, ppriv, objects, max_objects, object_count, \ | |
1076 | req) : CRYPTO_NOT_SUPPORTED) | |
1077 | ||
1078 | #define KCF_PROV_OBJECT_FIND_FINAL(pd, ppriv, req) ( \ | |
1079 | (KCF_PROV_OBJECT_OPS(pd) && \ | |
1080 | KCF_PROV_OBJECT_OPS(pd)->object_find_final) ? \ | |
1081 | KCF_PROV_OBJECT_OPS(pd)->object_find_final( \ | |
1082 | (pd)->pd_prov_handle, ppriv, req) : CRYPTO_NOT_SUPPORTED) | |
1083 | ||
1084 | /* | |
1085 | * Wrappers for crypto_key_ops(9S) entry points. | |
1086 | */ | |
1087 | ||
1088 | #define KCF_PROV_KEY_GENERATE(pd, session, mech, template, count, object, \ | |
1089 | req) ( \ | |
1090 | (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_generate) ? \ | |
1091 | KCF_PROV_KEY_OPS(pd)->key_generate((pd)->pd_prov_handle, \ | |
1092 | session, mech, template, count, object, req) : \ | |
1093 | CRYPTO_NOT_SUPPORTED) | |
1094 | ||
1095 | #define KCF_PROV_KEY_GENERATE_PAIR(pd, session, mech, pub_template, \ | |
1096 | pub_count, priv_template, priv_count, pub_key, priv_key, req) ( \ | |
1097 | (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_generate_pair) ? \ | |
1098 | KCF_PROV_KEY_OPS(pd)->key_generate_pair((pd)->pd_prov_handle, \ | |
1099 | session, mech, pub_template, pub_count, priv_template, \ | |
1100 | priv_count, pub_key, priv_key, req) : \ | |
1101 | CRYPTO_NOT_SUPPORTED) | |
1102 | ||
1103 | #define KCF_PROV_KEY_WRAP(pd, session, mech, wrapping_key, key, wrapped_key, \ | |
1104 | wrapped_key_len, req) ( \ | |
1105 | (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_wrap) ? \ | |
1106 | KCF_PROV_KEY_OPS(pd)->key_wrap((pd)->pd_prov_handle, \ | |
1107 | session, mech, wrapping_key, key, wrapped_key, wrapped_key_len, \ | |
1108 | req) : \ | |
1109 | CRYPTO_NOT_SUPPORTED) | |
1110 | ||
1111 | #define KCF_PROV_KEY_UNWRAP(pd, session, mech, unwrapping_key, wrapped_key, \ | |
1112 | wrapped_key_len, template, count, key, req) ( \ | |
1113 | (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_unwrap) ? \ | |
1114 | KCF_PROV_KEY_OPS(pd)->key_unwrap((pd)->pd_prov_handle, \ | |
1115 | session, mech, unwrapping_key, wrapped_key, wrapped_key_len, \ | |
1116 | template, count, key, req) : \ | |
1117 | CRYPTO_NOT_SUPPORTED) | |
1118 | ||
1119 | #define KCF_PROV_KEY_DERIVE(pd, session, mech, base_key, template, count, \ | |
1120 | key, req) ( \ | |
1121 | (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_derive) ? \ | |
1122 | KCF_PROV_KEY_OPS(pd)->key_derive((pd)->pd_prov_handle, \ | |
1123 | session, mech, base_key, template, count, key, req) : \ | |
1124 | CRYPTO_NOT_SUPPORTED) | |
1125 | ||
1126 | #define KCF_PROV_KEY_CHECK(pd, mech, key) ( \ | |
1127 | (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_check) ? \ | |
1128 | KCF_PROV_KEY_OPS(pd)->key_check((pd)->pd_prov_handle, mech, key) : \ | |
1129 | CRYPTO_NOT_SUPPORTED) | |
1130 | ||
1131 | /* | |
1132 | * Wrappers for crypto_provider_management_ops(9S) entry points. | |
1133 | * | |
1134 | * ops_pd is the provider descriptor that supplies the ops_vector. | |
1135 | * pd is the descriptor that supplies the provider handle. | |
1136 | * Only ext_info needs two handles. | |
1137 | */ | |
1138 | ||
1139 | #define KCF_PROV_EXT_INFO(ops_pd, provext_info, req, pd) ( \ | |
1140 | (KCF_PROV_PROVIDER_OPS(ops_pd) && \ | |
1141 | KCF_PROV_PROVIDER_OPS(ops_pd)->ext_info) ? \ | |
1142 | KCF_PROV_PROVIDER_OPS(ops_pd)->ext_info((pd)->pd_prov_handle, \ | |
1143 | provext_info, req) : CRYPTO_NOT_SUPPORTED) | |
1144 | ||
1145 | #define KCF_PROV_INIT_TOKEN(pd, pin, pin_len, label, req) ( \ | |
1146 | (KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->init_token) ? \ | |
1147 | KCF_PROV_PROVIDER_OPS(pd)->init_token((pd)->pd_prov_handle, \ | |
1148 | pin, pin_len, label, req) : CRYPTO_NOT_SUPPORTED) | |
1149 | ||
1150 | #define KCF_PROV_INIT_PIN(pd, session, pin, pin_len, req) ( \ | |
1151 | (KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->init_pin) ? \ | |
1152 | KCF_PROV_PROVIDER_OPS(pd)->init_pin((pd)->pd_prov_handle, \ | |
1153 | session, pin, pin_len, req) : CRYPTO_NOT_SUPPORTED) | |
1154 | ||
1155 | #define KCF_PROV_SET_PIN(pd, session, old_pin, old_len, new_pin, new_len, \ | |
1156 | req) ( \ | |
1157 | (KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->set_pin) ? \ | |
1158 | KCF_PROV_PROVIDER_OPS(pd)->set_pin((pd)->pd_prov_handle, \ | |
1159 | session, old_pin, old_len, new_pin, new_len, req) : \ | |
1160 | CRYPTO_NOT_SUPPORTED) | |
1161 | ||
1162 | /* | |
1163 | * Wrappers for crypto_nostore_key_ops(9S) entry points. | |
1164 | */ | |
1165 | ||
1166 | #define KCF_PROV_NOSTORE_KEY_GENERATE(pd, session, mech, template, count, \ | |
1167 | out_template, out_count, req) ( \ | |
1168 | (KCF_PROV_NOSTORE_KEY_OPS(pd) && \ | |
1169 | KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate) ? \ | |
1170 | KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate( \ | |
1171 | (pd)->pd_prov_handle, session, mech, template, count, \ | |
1172 | out_template, out_count, req) : CRYPTO_NOT_SUPPORTED) | |
1173 | ||
1174 | #define KCF_PROV_NOSTORE_KEY_GENERATE_PAIR(pd, session, mech, pub_template, \ | |
1175 | pub_count, priv_template, priv_count, out_pub_template, \ | |
1176 | out_pub_count, out_priv_template, out_priv_count, req) ( \ | |
1177 | (KCF_PROV_NOSTORE_KEY_OPS(pd) && \ | |
1178 | KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate_pair) ? \ | |
1179 | KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate_pair( \ | |
1180 | (pd)->pd_prov_handle, session, mech, pub_template, pub_count, \ | |
1181 | priv_template, priv_count, out_pub_template, out_pub_count, \ | |
1182 | out_priv_template, out_priv_count, req) : CRYPTO_NOT_SUPPORTED) | |
1183 | ||
1184 | #define KCF_PROV_NOSTORE_KEY_DERIVE(pd, session, mech, base_key, template, \ | |
1185 | count, out_template, out_count, req) ( \ | |
1186 | (KCF_PROV_NOSTORE_KEY_OPS(pd) && \ | |
1187 | KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_derive) ? \ | |
1188 | KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_derive( \ | |
1189 | (pd)->pd_prov_handle, session, mech, base_key, template, count, \ | |
1190 | out_template, out_count, req) : CRYPTO_NOT_SUPPORTED) | |
1191 | ||
1192 | /* | |
1193 | * The following routines are exported by the kcf module (/kernel/misc/kcf) | |
1194 | * to the crypto and cryptoadmin modules. | |
1195 | */ | |
1196 | ||
1197 | /* Digest/mac/cipher entry points that take a provider descriptor and session */ | |
1198 | extern int crypto_digest_single(crypto_context_t, crypto_data_t *, | |
1199 | crypto_data_t *, crypto_call_req_t *); | |
1200 | ||
1201 | extern int crypto_mac_single(crypto_context_t, crypto_data_t *, | |
1202 | crypto_data_t *, crypto_call_req_t *); | |
1203 | ||
1204 | extern int crypto_encrypt_single(crypto_context_t, crypto_data_t *, | |
1205 | crypto_data_t *, crypto_call_req_t *); | |
1206 | ||
1207 | extern int crypto_decrypt_single(crypto_context_t, crypto_data_t *, | |
1208 | crypto_data_t *, crypto_call_req_t *); | |
1209 | ||
1210 | ||
1211 | /* Other private digest/mac/cipher entry points not exported through k-API */ | |
1212 | extern int crypto_digest_key_prov(crypto_context_t, crypto_key_t *, | |
1213 | crypto_call_req_t *); | |
1214 | ||
1215 | /* Private sign entry points exported by KCF */ | |
1216 | extern int crypto_sign_single(crypto_context_t, crypto_data_t *, | |
1217 | crypto_data_t *, crypto_call_req_t *); | |
1218 | ||
1219 | extern int crypto_sign_recover_single(crypto_context_t, crypto_data_t *, | |
1220 | crypto_data_t *, crypto_call_req_t *); | |
1221 | ||
1222 | /* Private verify entry points exported by KCF */ | |
1223 | extern int crypto_verify_single(crypto_context_t, crypto_data_t *, | |
1224 | crypto_data_t *, crypto_call_req_t *); | |
1225 | ||
1226 | extern int crypto_verify_recover_single(crypto_context_t, crypto_data_t *, | |
1227 | crypto_data_t *, crypto_call_req_t *); | |
1228 | ||
1229 | /* Private dual operations entry points exported by KCF */ | |
1230 | extern int crypto_digest_encrypt_update(crypto_context_t, crypto_context_t, | |
1231 | crypto_data_t *, crypto_data_t *, crypto_call_req_t *); | |
1232 | extern int crypto_decrypt_digest_update(crypto_context_t, crypto_context_t, | |
1233 | crypto_data_t *, crypto_data_t *, crypto_call_req_t *); | |
1234 | extern int crypto_sign_encrypt_update(crypto_context_t, crypto_context_t, | |
1235 | crypto_data_t *, crypto_data_t *, crypto_call_req_t *); | |
1236 | extern int crypto_decrypt_verify_update(crypto_context_t, crypto_context_t, | |
1237 | crypto_data_t *, crypto_data_t *, crypto_call_req_t *); | |
1238 | ||
1239 | /* Random Number Generation */ | |
1240 | int crypto_seed_random(crypto_provider_handle_t provider, uchar_t *buf, | |
1241 | size_t len, crypto_call_req_t *req); | |
1242 | int crypto_generate_random(crypto_provider_handle_t provider, uchar_t *buf, | |
1243 | size_t len, crypto_call_req_t *req); | |
1244 | ||
1245 | /* Provider Management */ | |
1246 | int crypto_get_provider_info(crypto_provider_id_t id, | |
1247 | crypto_provider_info_t **info, crypto_call_req_t *req); | |
1248 | int crypto_get_provider_mechanisms(crypto_minor_t *, crypto_provider_id_t id, | |
1249 | uint_t *count, crypto_mech_name_t **list); | |
1250 | int crypto_init_token(crypto_provider_handle_t provider, char *pin, | |
1251 | size_t pin_len, char *label, crypto_call_req_t *); | |
1252 | int crypto_init_pin(crypto_provider_handle_t provider, char *pin, | |
1253 | size_t pin_len, crypto_call_req_t *req); | |
1254 | int crypto_set_pin(crypto_provider_handle_t provider, char *old_pin, | |
1255 | size_t old_len, char *new_pin, size_t new_len, crypto_call_req_t *req); | |
1256 | void crypto_free_provider_list(crypto_provider_entry_t *list, uint_t count); | |
1257 | void crypto_free_provider_info(crypto_provider_info_t *info); | |
1258 | ||
1259 | /* Administrative */ | |
1260 | int crypto_get_dev_list(uint_t *count, crypto_dev_list_entry_t **list); | |
1261 | int crypto_get_soft_list(uint_t *count, char **list, size_t *len); | |
1262 | int crypto_get_dev_info(char *name, uint_t instance, uint_t *count, | |
1263 | crypto_mech_name_t **list); | |
1264 | int crypto_get_soft_info(caddr_t name, uint_t *count, | |
1265 | crypto_mech_name_t **list); | |
1266 | int crypto_load_dev_disabled(char *name, uint_t instance, uint_t count, | |
1267 | crypto_mech_name_t *list); | |
1268 | int crypto_load_soft_disabled(caddr_t name, uint_t count, | |
1269 | crypto_mech_name_t *list); | |
1270 | int crypto_unload_soft_module(caddr_t path); | |
1271 | int crypto_load_soft_config(caddr_t name, uint_t count, | |
1272 | crypto_mech_name_t *list); | |
1273 | int crypto_load_door(uint_t did); | |
1274 | void crypto_free_mech_list(crypto_mech_name_t *list, uint_t count); | |
1275 | void crypto_free_dev_list(crypto_dev_list_entry_t *list, uint_t count); | |
1276 | ||
1277 | /* Miscellaneous */ | |
1278 | int crypto_get_mechanism_number(caddr_t name, crypto_mech_type_t *number); | |
1279 | int crypto_get_function_list(crypto_provider_id_t id, | |
1280 | crypto_function_list_t **list, int kmflag); | |
1281 | void crypto_free_function_list(crypto_function_list_t *list); | |
1282 | int crypto_build_permitted_mech_names(kcf_provider_desc_t *, | |
1283 | crypto_mech_name_t **, uint_t *, int); | |
1284 | extern void kcf_destroy_mech_tabs(void); | |
1285 | extern void kcf_init_mech_tabs(void); | |
1286 | extern int kcf_add_mech_provider(short, kcf_provider_desc_t *, | |
1287 | kcf_prov_mech_desc_t **); | |
1288 | extern void kcf_remove_mech_provider(char *, kcf_provider_desc_t *); | |
1289 | extern int kcf_get_mech_entry(crypto_mech_type_t, kcf_mech_entry_t **); | |
1290 | extern kcf_provider_desc_t *kcf_alloc_provider_desc(crypto_provider_info_t *); | |
1291 | extern void kcf_provider_zero_refcnt(kcf_provider_desc_t *); | |
1292 | extern void kcf_free_provider_desc(kcf_provider_desc_t *); | |
1293 | extern void kcf_soft_config_init(void); | |
1294 | extern int get_sw_provider_for_mech(crypto_mech_name_t, char **); | |
1295 | extern crypto_mech_type_t crypto_mech2id_common(char *, boolean_t); | |
1296 | extern void undo_register_provider(kcf_provider_desc_t *, boolean_t); | |
1297 | extern void redo_register_provider(kcf_provider_desc_t *); | |
1298 | extern void kcf_rnd_init(void); | |
1299 | extern boolean_t kcf_rngprov_check(void); | |
1300 | extern int kcf_rnd_get_pseudo_bytes(uint8_t *, size_t); | |
1301 | extern int kcf_rnd_get_bytes(uint8_t *, size_t, boolean_t, boolean_t); | |
1302 | extern int random_add_pseudo_entropy(uint8_t *, size_t, uint_t); | |
1303 | extern void kcf_rnd_schedule_timeout(boolean_t); | |
1304 | extern int crypto_uio_data(crypto_data_t *, uchar_t *, int, cmd_type_t, | |
1305 | void *, void (*update)(void)); | |
1306 | extern int crypto_mblk_data(crypto_data_t *, uchar_t *, int, cmd_type_t, | |
1307 | void *, void (*update)(void)); | |
1308 | extern int crypto_put_output_data(uchar_t *, crypto_data_t *, int); | |
1309 | extern int crypto_get_input_data(crypto_data_t *, uchar_t **, uchar_t *); | |
1310 | extern int crypto_copy_key_to_ctx(crypto_key_t *, crypto_key_t **, size_t *, | |
1311 | int kmflag); | |
1312 | extern int crypto_digest_data(crypto_data_t *, void *, uchar_t *, | |
1313 | void (*update)(void), void (*final)(void), uchar_t); | |
1314 | extern int crypto_update_iov(void *, crypto_data_t *, crypto_data_t *, | |
1315 | int (*cipher)(void *, caddr_t, size_t, crypto_data_t *), | |
1316 | void (*copy_block)(uint8_t *, uint64_t *)); | |
1317 | extern int crypto_update_uio(void *, crypto_data_t *, crypto_data_t *, | |
1318 | int (*cipher)(void *, caddr_t, size_t, crypto_data_t *), | |
1319 | void (*copy_block)(uint8_t *, uint64_t *)); | |
1320 | extern int crypto_update_mp(void *, crypto_data_t *, crypto_data_t *, | |
1321 | int (*cipher)(void *, caddr_t, size_t, crypto_data_t *), | |
1322 | void (*copy_block)(uint8_t *, uint64_t *)); | |
1323 | extern int crypto_get_key_attr(crypto_key_t *, crypto_attr_type_t, uchar_t **, | |
1324 | ssize_t *); | |
1325 | ||
1326 | /* Access to the provider's table */ | |
1327 | extern void kcf_prov_tab_destroy(void); | |
1328 | extern void kcf_prov_tab_init(void); | |
1329 | extern int kcf_prov_tab_add_provider(kcf_provider_desc_t *); | |
1330 | extern int kcf_prov_tab_rem_provider(crypto_provider_id_t); | |
1331 | extern kcf_provider_desc_t *kcf_prov_tab_lookup_by_name(char *); | |
1332 | extern kcf_provider_desc_t *kcf_prov_tab_lookup_by_dev(char *, uint_t); | |
1333 | extern int kcf_get_hw_prov_tab(uint_t *, kcf_provider_desc_t ***, int, | |
1334 | char *, uint_t, boolean_t); | |
1335 | extern int kcf_get_slot_list(uint_t *, kcf_provider_desc_t ***, boolean_t); | |
1336 | extern void kcf_free_provider_tab(uint_t, kcf_provider_desc_t **); | |
1337 | extern kcf_provider_desc_t *kcf_prov_tab_lookup(crypto_provider_id_t); | |
1338 | extern int kcf_get_sw_prov(crypto_mech_type_t, kcf_provider_desc_t **, | |
1339 | kcf_mech_entry_t **, boolean_t); | |
1340 | ||
1341 | /* Access to the policy table */ | |
1342 | extern boolean_t is_mech_disabled(kcf_provider_desc_t *, crypto_mech_name_t); | |
1343 | extern boolean_t is_mech_disabled_byname(crypto_provider_type_t, char *, | |
1344 | uint_t, crypto_mech_name_t); | |
1345 | extern void kcf_policy_tab_init(void); | |
1346 | extern void kcf_policy_free_desc(kcf_policy_desc_t *); | |
1347 | extern void kcf_policy_remove_by_name(char *, uint_t *, crypto_mech_name_t **); | |
1348 | extern void kcf_policy_remove_by_dev(char *, uint_t, uint_t *, | |
1349 | crypto_mech_name_t **); | |
1350 | extern kcf_policy_desc_t *kcf_policy_lookup_by_name(char *); | |
1351 | extern kcf_policy_desc_t *kcf_policy_lookup_by_dev(char *, uint_t); | |
1352 | extern int kcf_policy_load_soft_disabled(char *, uint_t, crypto_mech_name_t *, | |
1353 | uint_t *, crypto_mech_name_t **); | |
1354 | extern int kcf_policy_load_dev_disabled(char *, uint_t, uint_t, | |
1355 | crypto_mech_name_t *, uint_t *, crypto_mech_name_t **); | |
1356 | extern boolean_t in_soft_config_list(char *); | |
1357 | ||
1358 | ||
1359 | #ifdef __cplusplus | |
1360 | } | |
1361 | #endif | |
1362 | ||
1363 | #endif /* _SYS_CRYPTO_IMPL_H */ |