xref: /illumos-gate/usr/src/uts/common/sys/crypto/spi.h (revision 60405de4d8688d96dd05157c28db3ade5c9bc234)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_SYS_CRYPTO_SPI_H
27 #define	_SYS_CRYPTO_SPI_H
28 
29 #pragma ident	"%Z%%M%	%I%	%E% SMI"
30 
31 /*
32  * CSPI: Cryptographic Service Provider Interface.
33  */
34 
35 #include <sys/types.h>
36 #include <sys/dditypes.h>
37 #include <sys/ddi.h>
38 #include <sys/kmem.h>
39 #include <sys/crypto/common.h>
40 
41 #ifdef	__cplusplus
42 extern "C" {
43 #endif
44 
45 #ifdef	_KERNEL
46 
47 #define	CRYPTO_SPI_VERSION_1	1
48 #define	CRYPTO_SPI_VERSION_2	2
49 
50 /*
51  * Provider-private handle. This handle is specified by a provider
52  * when it registers by means of the pi_provider_handle field of
53  * the crypto_provider_info structure, and passed to the provider
54  * when its entry points are invoked.
55  */
56 typedef void *crypto_provider_handle_t;
57 
58 /*
59  * Context templates can be used to by software providers to pre-process
60  * keying material, such as key schedules. They are allocated by
61  * a software provider create_ctx_template(9E) entry point, and passed
62  * as argument to initialization and atomic provider entry points.
63  */
64 typedef void *crypto_spi_ctx_template_t;
65 
66 /*
67  * Request handles are used by the kernel to identify an asynchronous
68  * request being processed by a provider. It is passed by the kernel
69  * to a hardware provider when submitting a request, and must be
70  * specified by a provider when calling crypto_op_notification(9F)
71  */
72 typedef void *crypto_req_handle_t;
73 
74 /*
75  * The context structure is passed from the kernel to a provider.
76  * It contains the information needed to process a multi-part or
77  * single part operation. The context structure is not used
78  * by atomic operations.
79  *
80  * Parameters needed to perform a cryptographic operation, such
81  * as keys, mechanisms, input and output buffers, are passed
82  * as separate arguments to Provider routines.
83  */
84 typedef struct crypto_ctx {
85 	crypto_provider_handle_t cc_provider;
86 	crypto_session_id_t	cc_session;
87 	void			*cc_provider_private;	/* owned by provider */
88 	void			*cc_framework_private;	/* owned by framework */
89 } crypto_ctx_t;
90 
91 /*
92  * Extended provider information.
93  */
94 
95 /*
96  * valid values for ei_flags field of extended info structure
97  * They match the RSA Security, Inc PKCS#11 tokenInfo flags.
98  */
99 #define	CRYPTO_EXTF_RNG					0x00000001
100 #define	CRYPTO_EXTF_WRITE_PROTECTED			0x00000002
101 #define	CRYPTO_EXTF_LOGIN_REQUIRED			0x00000004
102 #define	CRYPTO_EXTF_USER_PIN_INITIALIZED		0x00000008
103 #define	CRYPTO_EXTF_CLOCK_ON_TOKEN			0x00000040
104 #define	CRYPTO_EXTF_PROTECTED_AUTHENTICATION_PATH	0x00000100
105 #define	CRYPTO_EXTF_DUAL_CRYPTO_OPERATIONS		0x00000200
106 #define	CRYPTO_EXTF_TOKEN_INITIALIZED			0x00000400
107 #define	CRYPTO_EXTF_USER_PIN_COUNT_LOW			0x00010000
108 #define	CRYPTO_EXTF_USER_PIN_FINAL_TRY			0x00020000
109 #define	CRYPTO_EXTF_USER_PIN_LOCKED			0x00040000
110 #define	CRYPTO_EXTF_USER_PIN_TO_BE_CHANGED		0x00080000
111 #define	CRYPTO_EXTF_SO_PIN_COUNT_LOW			0x00100000
112 #define	CRYPTO_EXTF_SO_PIN_FINAL_TRY			0x00200000
113 #define	CRYPTO_EXTF_SO_PIN_LOCKED			0x00400000
114 #define	CRYPTO_EXTF_SO_PIN_TO_BE_CHANGED		0x00800000
115 
116 /*
117  * The crypto_control_ops structure contains pointers to control
118  * operations for cryptographic providers.  It is passed through
119  * the crypto_ops(9S) structure when providers register with the
120  * kernel using crypto_register_provider(9F).
121  */
122 typedef struct crypto_control_ops {
123 	void (*provider_status)(crypto_provider_handle_t, uint_t *);
124 } crypto_control_ops_t;
125 
126 /*
127  * The crypto_ctx_ops structure contains points to context and context
128  * templates management operations for cryptographic providers. It is
129  * passed through the crypto_ops(9S) structure when providers register
130  * with the kernel using crypto_register_provider(9F).
131  */
132 typedef struct crypto_ctx_ops {
133 	int (*create_ctx_template)(crypto_provider_handle_t,
134 	    crypto_mechanism_t *, crypto_key_t *,
135 	    crypto_spi_ctx_template_t *, size_t *, crypto_req_handle_t);
136 	int (*free_context)(crypto_ctx_t *);
137 } crypto_ctx_ops_t;
138 
139 /*
140  * The crypto_digest_ops structure contains pointers to digest
141  * operations for cryptographic providers.  It is passed through
142  * the crypto_ops(9S) structure when providers register with the
143  * kernel using crypto_register_provider(9F).
144  */
145 typedef struct crypto_digest_ops {
146 	int (*digest_init)(crypto_ctx_t *, crypto_mechanism_t *,
147 	    crypto_req_handle_t);
148 	int (*digest)(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
149 	    crypto_req_handle_t);
150 	int (*digest_update)(crypto_ctx_t *, crypto_data_t *,
151 	    crypto_req_handle_t);
152 	int (*digest_key)(crypto_ctx_t *, crypto_key_t *, crypto_req_handle_t);
153 	int (*digest_final)(crypto_ctx_t *, crypto_data_t *,
154 	    crypto_req_handle_t);
155 	int (*digest_atomic)(crypto_provider_handle_t, crypto_session_id_t,
156 	    crypto_mechanism_t *, crypto_data_t *,
157 	    crypto_data_t *, crypto_req_handle_t);
158 } crypto_digest_ops_t;
159 
160 /*
161  * The crypto_cipher_ops structure contains pointers to encryption
162  * and decryption operations for cryptographic providers.  It is
163  * passed through the crypto_ops(9S) structure when providers register
164  * with the kernel using crypto_register_provider(9F).
165  */
166 typedef struct crypto_cipher_ops {
167 	int (*encrypt_init)(crypto_ctx_t *,
168 	    crypto_mechanism_t *, crypto_key_t *,
169 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
170 	int (*encrypt)(crypto_ctx_t *,
171 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
172 	int (*encrypt_update)(crypto_ctx_t *,
173 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
174 	int (*encrypt_final)(crypto_ctx_t *,
175 	    crypto_data_t *, crypto_req_handle_t);
176 	int (*encrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t,
177 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
178 	    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
179 
180 	int (*decrypt_init)(crypto_ctx_t *,
181 	    crypto_mechanism_t *, crypto_key_t *,
182 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
183 	int (*decrypt)(crypto_ctx_t *,
184 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
185 	int (*decrypt_update)(crypto_ctx_t *,
186 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
187 	int (*decrypt_final)(crypto_ctx_t *,
188 	    crypto_data_t *, crypto_req_handle_t);
189 	int (*decrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t,
190 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
191 	    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
192 } crypto_cipher_ops_t;
193 
194 /*
195  * The crypto_mac_ops structure contains pointers to MAC
196  * operations for cryptographic providers.  It is passed through
197  * the crypto_ops(9S) structure when providers register with the
198  * kernel using crypto_register_provider(9F).
199  */
200 typedef struct crypto_mac_ops {
201 	int (*mac_init)(crypto_ctx_t *,
202 	    crypto_mechanism_t *, crypto_key_t *,
203 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
204 	int (*mac)(crypto_ctx_t *,
205 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
206 	int (*mac_update)(crypto_ctx_t *,
207 	    crypto_data_t *, crypto_req_handle_t);
208 	int (*mac_final)(crypto_ctx_t *,
209 	    crypto_data_t *, crypto_req_handle_t);
210 	int (*mac_atomic)(crypto_provider_handle_t, crypto_session_id_t,
211 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
212 	    crypto_data_t *, crypto_spi_ctx_template_t,
213 	    crypto_req_handle_t);
214 	int (*mac_verify_atomic)(crypto_provider_handle_t, crypto_session_id_t,
215 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
216 	    crypto_data_t *, crypto_spi_ctx_template_t,
217 	    crypto_req_handle_t);
218 } crypto_mac_ops_t;
219 
220 /*
221  * The crypto_sign_ops structure contains pointers to signing
222  * operations for cryptographic providers.  It is passed through
223  * the crypto_ops(9S) structure when providers register with the
224  * kernel using crypto_register_provider(9F).
225  */
226 typedef struct crypto_sign_ops {
227 	int (*sign_init)(crypto_ctx_t *,
228 	    crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t,
229 	    crypto_req_handle_t);
230 	int (*sign)(crypto_ctx_t *,
231 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
232 	int (*sign_update)(crypto_ctx_t *,
233 	    crypto_data_t *, crypto_req_handle_t);
234 	int (*sign_final)(crypto_ctx_t *,
235 	    crypto_data_t *, crypto_req_handle_t);
236 	int (*sign_atomic)(crypto_provider_handle_t, crypto_session_id_t,
237 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
238 	    crypto_data_t *, crypto_spi_ctx_template_t,
239 	    crypto_req_handle_t);
240 	int (*sign_recover_init)(crypto_ctx_t *, crypto_mechanism_t *,
241 	    crypto_key_t *, crypto_spi_ctx_template_t,
242 	    crypto_req_handle_t);
243 	int (*sign_recover)(crypto_ctx_t *,
244 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
245 	int (*sign_recover_atomic)(crypto_provider_handle_t,
246 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
247 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
248 	    crypto_req_handle_t);
249 } crypto_sign_ops_t;
250 
251 /*
252  * The crypto_verify_ops structure contains pointers to verify
253  * operations for cryptographic providers.  It is passed through
254  * the crypto_ops(9S) structure when providers register with the
255  * kernel using crypto_register_provider(9F).
256  */
257 typedef struct crypto_verify_ops {
258 	int (*verify_init)(crypto_ctx_t *,
259 	    crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t,
260 	    crypto_req_handle_t);
261 	int (*verify)(crypto_ctx_t *,
262 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
263 	int (*verify_update)(crypto_ctx_t *,
264 	    crypto_data_t *, crypto_req_handle_t);
265 	int (*verify_final)(crypto_ctx_t *,
266 	    crypto_data_t *, crypto_req_handle_t);
267 	int (*verify_atomic)(crypto_provider_handle_t, crypto_session_id_t,
268 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
269 	    crypto_data_t *, crypto_spi_ctx_template_t,
270 	    crypto_req_handle_t);
271 	int (*verify_recover_init)(crypto_ctx_t *, crypto_mechanism_t *,
272 	    crypto_key_t *, crypto_spi_ctx_template_t,
273 	    crypto_req_handle_t);
274 	int (*verify_recover)(crypto_ctx_t *,
275 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
276 	int (*verify_recover_atomic)(crypto_provider_handle_t,
277 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
278 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
279 	    crypto_req_handle_t);
280 } crypto_verify_ops_t;
281 
282 /*
283  * The crypto_dual_ops structure contains pointers to dual
284  * cipher and sign/verify operations for cryptographic providers.
285  * It is passed through the crypto_ops(9S) structure when
286  * providers register with the kernel using
287  * crypto_register_provider(9F).
288  */
289 typedef struct crypto_dual_ops {
290 	int (*digest_encrypt_update)(
291 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
292 	    crypto_data_t *, crypto_req_handle_t);
293 	int (*decrypt_digest_update)(
294 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
295 	    crypto_data_t *, crypto_req_handle_t);
296 	int (*sign_encrypt_update)(
297 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
298 	    crypto_data_t *, crypto_req_handle_t);
299 	int (*decrypt_verify_update)(
300 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
301 	    crypto_data_t *, crypto_req_handle_t);
302 } crypto_dual_ops_t;
303 
304 /*
305  * The crypto_dual_cipher_mac_ops structure contains pointers to dual
306  * cipher and MAC operations for cryptographic providers.
307  * It is passed through the crypto_ops(9S) structure when
308  * providers register with the kernel using
309  * crypto_register_provider(9F).
310  */
311 typedef struct crypto_dual_cipher_mac_ops {
312 	int (*encrypt_mac_init)(crypto_ctx_t *,
313 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
314 	    crypto_key_t *, crypto_spi_ctx_template_t,
315 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
316 	int (*encrypt_mac)(crypto_ctx_t *,
317 	    crypto_data_t *, crypto_dual_data_t *, crypto_data_t *,
318 	    crypto_req_handle_t);
319 	int (*encrypt_mac_update)(crypto_ctx_t *,
320 	    crypto_data_t *, crypto_dual_data_t *, crypto_req_handle_t);
321 	int (*encrypt_mac_final)(crypto_ctx_t *,
322 	    crypto_dual_data_t *, crypto_data_t *, crypto_req_handle_t);
323 	int (*encrypt_mac_atomic)(crypto_provider_handle_t, crypto_session_id_t,
324 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
325 	    crypto_key_t *, crypto_data_t *, crypto_dual_data_t *,
326 	    crypto_data_t *, crypto_spi_ctx_template_t,
327 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
328 
329 	int (*mac_decrypt_init)(crypto_ctx_t *,
330 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
331 	    crypto_key_t *, crypto_spi_ctx_template_t,
332 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
333 	int (*mac_decrypt)(crypto_ctx_t *,
334 	    crypto_dual_data_t *, crypto_data_t *, crypto_data_t *,
335 	    crypto_req_handle_t);
336 	int (*mac_decrypt_update)(crypto_ctx_t *,
337 	    crypto_dual_data_t *, crypto_data_t *, crypto_req_handle_t);
338 	int (*mac_decrypt_final)(crypto_ctx_t *,
339 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
340 	int (*mac_decrypt_atomic)(crypto_provider_handle_t,
341 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
342 	    crypto_mechanism_t *, crypto_key_t *, crypto_dual_data_t *,
343 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
344 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
345 	int (*mac_verify_decrypt_atomic)(crypto_provider_handle_t,
346 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
347 	    crypto_mechanism_t *, crypto_key_t *, crypto_dual_data_t *,
348 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
349 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
350 } crypto_dual_cipher_mac_ops_t;
351 
352 /*
353  * The crypto_random_number_ops structure contains pointers to random
354  * number operations for cryptographic providers.  It is passed through
355  * the crypto_ops(9S) structure when providers register with the
356  * kernel using crypto_register_provider(9F).
357  */
358 typedef struct crypto_random_number_ops {
359 	int (*seed_random)(crypto_provider_handle_t, crypto_session_id_t,
360 	    uchar_t *, size_t, uint_t, uint32_t, crypto_req_handle_t);
361 	int (*generate_random)(crypto_provider_handle_t, crypto_session_id_t,
362 	    uchar_t *, size_t, crypto_req_handle_t);
363 } crypto_random_number_ops_t;
364 
365 /*
366  * Flag values for seed_random.
367  */
368 #define	CRYPTO_SEED_NOW		0x00000001
369 
370 /*
371  * The crypto_session_ops structure contains pointers to session
372  * operations for cryptographic providers.  It is passed through
373  * the crypto_ops(9S) structure when providers register with the
374  * kernel using crypto_register_provider(9F).
375  */
376 typedef struct crypto_session_ops {
377 	int (*session_open)(crypto_provider_handle_t, crypto_session_id_t *,
378 	    crypto_req_handle_t);
379 	int (*session_close)(crypto_provider_handle_t, crypto_session_id_t,
380 	    crypto_req_handle_t);
381 	int (*session_login)(crypto_provider_handle_t, crypto_session_id_t,
382 	    crypto_user_type_t, char *, size_t, crypto_req_handle_t);
383 	int (*session_logout)(crypto_provider_handle_t, crypto_session_id_t,
384 	    crypto_req_handle_t);
385 } crypto_session_ops_t;
386 
387 /*
388  * The crypto_object_ops structure contains pointers to object
389  * operations for cryptographic providers.  It is passed through
390  * the crypto_ops(9S) structure when providers register with the
391  * kernel using crypto_register_provider(9F).
392  */
393 typedef struct crypto_object_ops {
394 	int (*object_create)(crypto_provider_handle_t, crypto_session_id_t,
395 	    crypto_object_attribute_t *, uint_t, crypto_object_id_t *,
396 	    crypto_req_handle_t);
397 	int (*object_copy)(crypto_provider_handle_t, crypto_session_id_t,
398 	    crypto_object_id_t, crypto_object_attribute_t *, uint_t,
399 	    crypto_object_id_t *, crypto_req_handle_t);
400 	int (*object_destroy)(crypto_provider_handle_t, crypto_session_id_t,
401 	    crypto_object_id_t, crypto_req_handle_t);
402 	int (*object_get_size)(crypto_provider_handle_t, crypto_session_id_t,
403 	    crypto_object_id_t, size_t *, crypto_req_handle_t);
404 	int (*object_get_attribute_value)(crypto_provider_handle_t,
405 	    crypto_session_id_t, crypto_object_id_t,
406 	    crypto_object_attribute_t *, uint_t, crypto_req_handle_t);
407 	int (*object_set_attribute_value)(crypto_provider_handle_t,
408 	    crypto_session_id_t, crypto_object_id_t,
409 	    crypto_object_attribute_t *,  uint_t, crypto_req_handle_t);
410 	int (*object_find_init)(crypto_provider_handle_t, crypto_session_id_t,
411 	    crypto_object_attribute_t *, uint_t, void **,
412 	    crypto_req_handle_t);
413 	int (*object_find)(crypto_provider_handle_t, void *,
414 	    crypto_object_id_t *, uint_t, uint_t *, crypto_req_handle_t);
415 	int (*object_find_final)(crypto_provider_handle_t, void *,
416 	    crypto_req_handle_t);
417 } crypto_object_ops_t;
418 
419 /*
420  * The crypto_key_ops structure contains pointers to key
421  * operations for cryptographic providers.  It is passed through
422  * the crypto_ops(9S) structure when providers register with the
423  * kernel using crypto_register_provider(9F).
424  */
425 typedef struct crypto_key_ops {
426 	int (*key_generate)(crypto_provider_handle_t, crypto_session_id_t,
427 	    crypto_mechanism_t *, crypto_object_attribute_t *, uint_t,
428 	    crypto_object_id_t *, crypto_req_handle_t);
429 	int (*key_generate_pair)(crypto_provider_handle_t, crypto_session_id_t,
430 	    crypto_mechanism_t *, crypto_object_attribute_t *, uint_t,
431 	    crypto_object_attribute_t *, uint_t, crypto_object_id_t *,
432 	    crypto_object_id_t *, crypto_req_handle_t);
433 	int (*key_wrap)(crypto_provider_handle_t, crypto_session_id_t,
434 	    crypto_mechanism_t *, crypto_key_t *, crypto_object_id_t *,
435 	    uchar_t *, size_t *, crypto_req_handle_t);
436 	int (*key_unwrap)(crypto_provider_handle_t, crypto_session_id_t,
437 	    crypto_mechanism_t *, crypto_key_t *, uchar_t *, size_t *,
438 	    crypto_object_attribute_t *, uint_t,
439 	    crypto_object_id_t *, crypto_req_handle_t);
440 	int (*key_derive)(crypto_provider_handle_t, crypto_session_id_t,
441 	    crypto_mechanism_t *, crypto_key_t *, crypto_object_attribute_t *,
442 	    uint_t, crypto_object_id_t *, crypto_req_handle_t);
443 	int (*key_check)(crypto_provider_handle_t, crypto_mechanism_t *,
444 	    crypto_key_t *);
445 } crypto_key_ops_t;
446 
447 /*
448  * The crypto_provider_management_ops structure contains pointers
449  * to management operations for cryptographic providers.  It is passed
450  * through the crypto_ops(9S) structure when providers register with the
451  * kernel using crypto_register_provider(9F).
452  */
453 typedef struct crypto_provider_management_ops {
454 	int (*ext_info)(crypto_provider_handle_t,
455 	    crypto_provider_ext_info_t *, crypto_req_handle_t);
456 	int (*init_token)(crypto_provider_handle_t, char *, size_t,
457 	    char *, crypto_req_handle_t);
458 	int (*init_pin)(crypto_provider_handle_t, crypto_session_id_t,
459 	    char *, size_t, crypto_req_handle_t);
460 	int (*set_pin)(crypto_provider_handle_t, crypto_session_id_t,
461 	    char *, size_t, char *, size_t, crypto_req_handle_t);
462 } crypto_provider_management_ops_t;
463 
464 typedef struct crypto_mech_ops {
465 	int (*copyin_mechanism)(crypto_provider_handle_t,
466 	    crypto_mechanism_t *, crypto_mechanism_t *, int *, int);
467 	int (*copyout_mechanism)(crypto_provider_handle_t,
468 	    crypto_mechanism_t *, crypto_mechanism_t *, int *, int);
469 	int (*free_mechanism)(crypto_provider_handle_t, crypto_mechanism_t *);
470 } crypto_mech_ops_t;
471 
472 /*
473  * The crypto_ops(9S) structure contains the structures containing
474  * the pointers to functions implemented by cryptographic providers.
475  * It is specified as part of the crypto_provider_info(9S)
476  * supplied by a provider when it registers with the kernel
477  * by calling crypto_register_provider(9F).
478  */
479 typedef struct crypto_ops_v1 {
480 	crypto_control_ops_t			*co_control_ops;
481 	crypto_digest_ops_t			*co_digest_ops;
482 	crypto_cipher_ops_t			*co_cipher_ops;
483 	crypto_mac_ops_t			*co_mac_ops;
484 	crypto_sign_ops_t			*co_sign_ops;
485 	crypto_verify_ops_t			*co_verify_ops;
486 	crypto_dual_ops_t			*co_dual_ops;
487 	crypto_dual_cipher_mac_ops_t		*co_dual_cipher_mac_ops;
488 	crypto_random_number_ops_t		*co_random_ops;
489 	crypto_session_ops_t			*co_session_ops;
490 	crypto_object_ops_t			*co_object_ops;
491 	crypto_key_ops_t			*co_key_ops;
492 	crypto_provider_management_ops_t	*co_provider_ops;
493 	crypto_ctx_ops_t			*co_ctx_ops;
494 } crypto_ops_v1_t;
495 
496 typedef struct crypto_ops_v2 {
497 	crypto_ops_v1_t				v1_ops;
498 	crypto_mech_ops_t			*co_mech_ops;
499 } crypto_ops_v2_t;
500 
501 typedef struct crypto_ops {
502 	union {
503 		crypto_ops_v2_t	cou_v2;
504 		crypto_ops_v1_t	cou_v1;
505 	} cou;
506 } crypto_ops_t;
507 
508 #define	co_control_ops			cou.cou_v1.co_control_ops
509 #define	co_digest_ops			cou.cou_v1.co_digest_ops
510 #define	co_cipher_ops			cou.cou_v1.co_cipher_ops
511 #define	co_mac_ops			cou.cou_v1.co_mac_ops
512 #define	co_sign_ops			cou.cou_v1.co_sign_ops
513 #define	co_verify_ops			cou.cou_v1.co_verify_ops
514 #define	co_dual_ops			cou.cou_v1.co_dual_ops
515 #define	co_dual_cipher_mac_ops		cou.cou_v1.co_dual_cipher_mac_ops
516 #define	co_random_ops			cou.cou_v1.co_random_ops
517 #define	co_session_ops			cou.cou_v1.co_session_ops
518 #define	co_object_ops			cou.cou_v1.co_object_ops
519 #define	co_key_ops			cou.cou_v1.co_key_ops
520 #define	co_provider_ops			cou.cou_v1.co_provider_ops
521 #define	co_ctx_ops			cou.cou_v1.co_ctx_ops
522 #define	co_mech_ops			cou.cou_v2.co_mech_ops
523 
524 /*
525  * Provider device specification passed during registration.
526  *
527  * Software providers set the pi_provider_type field of provider_info_t
528  * to CRYPTO_SW_PROVIDER, and set the pd_sw field of
529  * crypto_provider_dev_t to the address of their modlinkage.
530  *
531  * Hardware providers set the pi_provider_type field of provider_info_t
532  * to CRYPTO_HW_PROVIDER, and set the pd_hw field of
533  * crypto_provider_dev_t to the dev_info structure corresponding
534  * to the device instance being registered.
535  *
536  * Logical providers set the pi_provider_type field of provider_info_t
537  * to CRYPTO_LOGICAL_PROVIDER, and set the pd_hw field of
538  * crypto_provider_dev_t to the dev_info structure corresponding
539  * to the device instance being registered.
540  */
541 
542 typedef union crypto_provider_dev {
543 	struct modlinkage	*pd_sw; /* for CRYPTO_SW_PROVIDER */
544 	dev_info_t		*pd_hw; /* for CRYPTO_HW_PROVIDER */
545 } crypto_provider_dev_t;
546 
547 /*
548  * The mechanism info structure crypto_mech_info_t contains a function group
549  * bit mask cm_func_group_mask. This field, of type crypto_func_group_t,
550  * specifies the provider entry point that can be used a particular
551  * mechanism. The function group mask is a combination of the following values.
552  */
553 
554 typedef uint32_t crypto_func_group_t;
555 
556 #endif /* _KERNEL */
557 
558 #define	CRYPTO_FG_ENCRYPT		0x00000001 /* encrypt_init() */
559 #define	CRYPTO_FG_DECRYPT		0x00000002 /* decrypt_init() */
560 #define	CRYPTO_FG_DIGEST		0x00000004 /* digest_init() */
561 #define	CRYPTO_FG_SIGN			0x00000008 /* sign_init() */
562 #define	CRYPTO_FG_SIGN_RECOVER		0x00000010 /* sign_recover_init() */
563 #define	CRYPTO_FG_VERIFY		0x00000020 /* verify_init() */
564 #define	CRYPTO_FG_VERIFY_RECOVER	0x00000040 /* verify_recover_init() */
565 #define	CRYPTO_FG_GENERATE		0x00000080 /* key_generate() */
566 #define	CRYPTO_FG_GENERATE_KEY_PAIR	0x00000100 /* key_generate_pair() */
567 #define	CRYPTO_FG_WRAP			0x00000200 /* key_wrap() */
568 #define	CRYPTO_FG_UNWRAP		0x00000400 /* key_unwrap() */
569 #define	CRYPTO_FG_DERIVE		0x00000800 /* key_derive() */
570 #define	CRYPTO_FG_MAC			0x00001000 /* mac_init() */
571 #define	CRYPTO_FG_ENCRYPT_MAC		0x00002000 /* encrypt_mac_init() */
572 #define	CRYPTO_FG_MAC_DECRYPT		0x00004000 /* decrypt_mac_init() */
573 #define	CRYPTO_FG_ENCRYPT_ATOMIC	0x00008000 /* encrypt_atomic() */
574 #define	CRYPTO_FG_DECRYPT_ATOMIC	0x00010000 /* decrypt_atomic() */
575 #define	CRYPTO_FG_MAC_ATOMIC		0x00020000 /* mac_atomic() */
576 #define	CRYPTO_FG_DIGEST_ATOMIC		0x00040000 /* digest_atomic() */
577 #define	CRYPTO_FG_SIGN_ATOMIC		0x00080000 /* sign_atomic() */
578 #define	CRYPTO_FG_SIGN_RECOVER_ATOMIC   0x00100000 /* sign_recover_atomic() */
579 #define	CRYPTO_FG_VERIFY_ATOMIC		0x00200000 /* verify_atomic() */
580 #define	CRYPTO_FG_VERIFY_RECOVER_ATOMIC	0x00400000 /* verify_recover_atomic() */
581 #define	CRYPTO_FG_ENCRYPT_MAC_ATOMIC	0x00800000 /* encrypt_mac_atomic() */
582 #define	CRYPTO_FG_MAC_DECRYPT_ATOMIC	0x01000000 /* mac_decrypt_atomic() */
583 #define	CRYPTO_FG_RESERVED		0x80000000
584 
585 /*
586  * Maximum length of the pi_provider_description field of the
587  * crypto_provider_info structure.
588  */
589 #define	CRYPTO_PROVIDER_DESCR_MAX_LEN	64
590 
591 #ifdef _KERNEL
592 
593 /* Bit mask for all the simple operations */
594 #define	CRYPTO_FG_SIMPLEOP_MASK	(CRYPTO_FG_ENCRYPT | CRYPTO_FG_DECRYPT | \
595     CRYPTO_FG_DIGEST | CRYPTO_FG_SIGN | CRYPTO_FG_VERIFY | CRYPTO_FG_MAC | \
596     CRYPTO_FG_ENCRYPT_ATOMIC | CRYPTO_FG_DECRYPT_ATOMIC |		\
597     CRYPTO_FG_MAC_ATOMIC | CRYPTO_FG_DIGEST_ATOMIC | CRYPTO_FG_SIGN_ATOMIC | \
598     CRYPTO_FG_VERIFY_ATOMIC)
599 
600 /* Bit mask for all the dual operations */
601 #define	CRYPTO_FG_MAC_CIPHER_MASK	(CRYPTO_FG_ENCRYPT_MAC |	\
602     CRYPTO_FG_MAC_DECRYPT | CRYPTO_FG_ENCRYPT_MAC_ATOMIC | 		\
603     CRYPTO_FG_MAC_DECRYPT_ATOMIC)
604 
605 /* Add other combos to CRYPTO_FG_DUAL_MASK */
606 #define	CRYPTO_FG_DUAL_MASK	CRYPTO_FG_MAC_CIPHER_MASK
607 
608 /*
609  * The crypto_mech_info structure specifies one of the mechanisms
610  * supported by a cryptographic provider. The pi_mechanisms field of
611  * the crypto_provider_info structure contains a pointer to an array
612  * of crypto_mech_info's.
613  */
614 typedef struct crypto_mech_info {
615 	crypto_mech_name_t	cm_mech_name;
616 	crypto_mech_type_t	cm_mech_number;
617 	crypto_func_group_t	cm_func_group_mask;
618 	ssize_t			cm_min_key_length;
619 	ssize_t			cm_max_key_length;
620 	crypto_keysize_unit_t	cm_keysize_unit; /* for cm_xxx_key_length */
621 } crypto_mech_info_t;
622 
623 /*
624  * crypto_kcf_provider_handle_t is a handle allocated by the kernel.
625  * It is returned after the provider registers with
626  * crypto_register_provider(), and must be specified by the provider
627  * when calling crypto_unregister_provider(), and
628  * crypto_provider_notification().
629  */
630 typedef uint_t crypto_kcf_provider_handle_t;
631 
632 /*
633  * Provider information. Passed as argument to crypto_register_provider(9F).
634  * Describes the provider and its capabilities. Multiple providers can
635  * register for the same device instance. In this case, the same
636  * pi_provider_dev must be specified with a different pi_provider_handle.
637  */
638 typedef struct crypto_provider_info_v1 {
639 	uint_t				pi_interface_version;
640 	char				*pi_provider_description;
641 	crypto_provider_type_t		pi_provider_type;
642 	crypto_provider_dev_t		pi_provider_dev;
643 	crypto_provider_handle_t	pi_provider_handle;
644 	crypto_ops_t			*pi_ops_vector;
645 	uint_t				pi_mech_list_count;
646 	crypto_mech_info_t		*pi_mechanisms;
647 	uint_t				pi_logical_provider_count;
648 	crypto_kcf_provider_handle_t	*pi_logical_providers;
649 } crypto_provider_info_v1_t;
650 
651 typedef struct crypto_provider_info_v2 {
652 	crypto_provider_info_v1_t	v1_info;
653 	uint_t				pi_flags;
654 } crypto_provider_info_v2_t;
655 
656 typedef struct crypto_provider_info {
657 	union {
658 		crypto_provider_info_v2_t piu_v2;
659 		crypto_provider_info_v1_t piu_v1;
660 	} piu;
661 } crypto_provider_info_t;
662 
663 #define	pi_interface_version		piu.piu_v1.pi_interface_version
664 #define	pi_provider_description		piu.piu_v1.pi_provider_description
665 #define	pi_provider_type		piu.piu_v1.pi_provider_type
666 #define	pi_provider_dev			piu.piu_v1.pi_provider_dev
667 #define	pi_provider_handle		piu.piu_v1.pi_provider_handle
668 #define	pi_ops_vector			piu.piu_v1.pi_ops_vector
669 #define	pi_mech_list_count		piu.piu_v1.pi_mech_list_count
670 #define	pi_mechanisms			piu.piu_v1.pi_mechanisms
671 #define	pi_logical_provider_count	piu.piu_v1.pi_logical_provider_count
672 #define	pi_logical_providers		piu.piu_v1.pi_logical_providers
673 #define	pi_flags			piu.piu_v2.pi_flags
674 
675 /* hidden providers can only be accessed via a logical provider */
676 #define	CRYPTO_HIDE_PROVIDER		0x00000001
677 #define	CRYPTO_PIFLAGS_UNAVAILABLE	0x80000000
678 
679 /*
680  * Provider status passed by a provider to crypto_provider_notification(9F)
681  * and returned by the provider_stauts(9E) entry point.
682  */
683 #define	CRYPTO_PROVIDER_READY		0
684 #define	CRYPTO_PROVIDER_BUSY		1
685 #define	CRYPTO_PROVIDER_FAILED		2
686 
687 /*
688  * Functions exported by Solaris to cryptographic providers. Providers
689  * call these functions to register and unregister, notify the kernel
690  * of state changes, and notify the kernel when a asynchronous request
691  * completed.
692  */
693 extern int crypto_register_provider(crypto_provider_info_t *,
694 		crypto_kcf_provider_handle_t *);
695 extern int crypto_unregister_provider(crypto_kcf_provider_handle_t);
696 extern void crypto_provider_notification(crypto_kcf_provider_handle_t, uint_t);
697 extern void crypto_op_notification(crypto_req_handle_t, int);
698 extern int crypto_kmflag(crypto_req_handle_t);
699 
700 #endif	/* _KERNEL */
701 
702 #ifdef	__cplusplus
703 }
704 #endif
705 
706 #endif	/* _SYS_CRYPTO_SPI_H */
707