xref: /illumos-gate/usr/src/uts/common/sys/crypto/spi.h (revision a07094369b21309434206d9b3601d162693466fc)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #ifndef	_SYS_CRYPTO_SPI_H
28 #define	_SYS_CRYPTO_SPI_H
29 
30 #pragma ident	"%Z%%M%	%I%	%E% SMI"
31 
32 /*
33  * CSPI: Cryptographic Service Provider Interface.
34  */
35 
36 #include <sys/types.h>
37 #include <sys/dditypes.h>
38 #include <sys/ddi.h>
39 #include <sys/kmem.h>
40 #include <sys/crypto/common.h>
41 
42 #ifdef	__cplusplus
43 extern "C" {
44 #endif
45 
46 #ifdef	_KERNEL
47 
48 #define	CRYPTO_SPI_VERSION_1	1
49 #define	CRYPTO_SPI_VERSION_2	2
50 
51 /*
52  * Provider-private handle. This handle is specified by a provider
53  * when it registers by means of the pi_provider_handle field of
54  * the crypto_provider_info structure, and passed to the provider
55  * when its entry points are invoked.
56  */
57 typedef void *crypto_provider_handle_t;
58 
59 /*
60  * Context templates can be used to by software providers to pre-process
61  * keying material, such as key schedules. They are allocated by
62  * a software provider create_ctx_template(9E) entry point, and passed
63  * as argument to initialization and atomic provider entry points.
64  */
65 typedef void *crypto_spi_ctx_template_t;
66 
67 /*
68  * Request handles are used by the kernel to identify an asynchronous
69  * request being processed by a provider. It is passed by the kernel
70  * to a hardware provider when submitting a request, and must be
71  * specified by a provider when calling crypto_op_notification(9F)
72  */
73 typedef void *crypto_req_handle_t;
74 
75 /*
76  * The context structure is passed from the kernel to a provider.
77  * It contains the information needed to process a multi-part or
78  * single part operation. The context structure is not used
79  * by atomic operations.
80  *
81  * Parameters needed to perform a cryptographic operation, such
82  * as keys, mechanisms, input and output buffers, are passed
83  * as separate arguments to Provider routines.
84  */
85 typedef struct crypto_ctx {
86 	crypto_provider_handle_t cc_provider;
87 	crypto_session_id_t	cc_session;
88 	void			*cc_provider_private;	/* owned by provider */
89 	void			*cc_framework_private;	/* owned by framework */
90 } crypto_ctx_t;
91 
92 /*
93  * Extended provider information.
94  */
95 
96 /*
97  * valid values for ei_flags field of extended info structure
98  * They match the RSA Security, Inc PKCS#11 tokenInfo flags.
99  */
100 #define	CRYPTO_EXTF_RNG					0x00000001
101 #define	CRYPTO_EXTF_WRITE_PROTECTED			0x00000002
102 #define	CRYPTO_EXTF_LOGIN_REQUIRED			0x00000004
103 #define	CRYPTO_EXTF_USER_PIN_INITIALIZED		0x00000008
104 #define	CRYPTO_EXTF_CLOCK_ON_TOKEN			0x00000040
105 #define	CRYPTO_EXTF_PROTECTED_AUTHENTICATION_PATH	0x00000100
106 #define	CRYPTO_EXTF_DUAL_CRYPTO_OPERATIONS		0x00000200
107 #define	CRYPTO_EXTF_TOKEN_INITIALIZED			0x00000400
108 #define	CRYPTO_EXTF_USER_PIN_COUNT_LOW			0x00010000
109 #define	CRYPTO_EXTF_USER_PIN_FINAL_TRY			0x00020000
110 #define	CRYPTO_EXTF_USER_PIN_LOCKED			0x00040000
111 #define	CRYPTO_EXTF_USER_PIN_TO_BE_CHANGED		0x00080000
112 #define	CRYPTO_EXTF_SO_PIN_COUNT_LOW			0x00100000
113 #define	CRYPTO_EXTF_SO_PIN_FINAL_TRY			0x00200000
114 #define	CRYPTO_EXTF_SO_PIN_LOCKED			0x00400000
115 #define	CRYPTO_EXTF_SO_PIN_TO_BE_CHANGED		0x00800000
116 
117 #endif /* _KERNEL */
118 
119 #define	CRYPTO_EXT_SIZE_LABEL		32
120 #define	CRYPTO_EXT_SIZE_MANUF		32
121 #define	CRYPTO_EXT_SIZE_MODEL		16
122 #define	CRYPTO_EXT_SIZE_SERIAL		16
123 #define	CRYPTO_EXT_SIZE_TIME		16
124 
125 #ifdef _KERNEL
126 
127 typedef struct crypto_provider_ext_info {
128 	uchar_t			ei_label[CRYPTO_EXT_SIZE_LABEL];
129 	uchar_t			ei_manufacturerID[CRYPTO_EXT_SIZE_MANUF];
130 	uchar_t			ei_model[CRYPTO_EXT_SIZE_MODEL];
131 	uchar_t			ei_serial_number[CRYPTO_EXT_SIZE_SERIAL];
132 	ulong_t			ei_flags;
133 	ulong_t			ei_max_session_count;
134 	ulong_t			ei_max_pin_len;
135 	ulong_t			ei_min_pin_len;
136 	ulong_t			ei_total_public_memory;
137 	ulong_t			ei_free_public_memory;
138 	ulong_t			ei_total_private_memory;
139 	ulong_t			ei_free_private_memory;
140 	crypto_version_t	ei_hardware_version;
141 	crypto_version_t	ei_firmware_version;
142 	uchar_t			ei_time[CRYPTO_EXT_SIZE_TIME];
143 } crypto_provider_ext_info_t;
144 
145 /*
146  * The crypto_control_ops structure contains pointers to control
147  * operations for cryptographic providers.  It is passed through
148  * the crypto_ops(9S) structure when providers register with the
149  * kernel using crypto_register_provider(9F).
150  */
151 typedef struct crypto_control_ops {
152 	void (*provider_status)(crypto_provider_handle_t, uint_t *);
153 } crypto_control_ops_t;
154 
155 /*
156  * The crypto_ctx_ops structure contains points to context and context
157  * templates management operations for cryptographic providers. It is
158  * passed through the crypto_ops(9S) structure when providers register
159  * with the kernel using crypto_register_provider(9F).
160  */
161 typedef struct crypto_ctx_ops {
162 	int (*create_ctx_template)(crypto_provider_handle_t,
163 	    crypto_mechanism_t *, crypto_key_t *,
164 	    crypto_spi_ctx_template_t *, size_t *, crypto_req_handle_t);
165 	int (*free_context)(crypto_ctx_t *);
166 } crypto_ctx_ops_t;
167 
168 /*
169  * The crypto_digest_ops structure contains pointers to digest
170  * operations for cryptographic providers.  It is passed through
171  * the crypto_ops(9S) structure when providers register with the
172  * kernel using crypto_register_provider(9F).
173  */
174 typedef struct crypto_digest_ops {
175 	int (*digest_init)(crypto_ctx_t *, crypto_mechanism_t *,
176 	    crypto_req_handle_t);
177 	int (*digest)(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
178 	    crypto_req_handle_t);
179 	int (*digest_update)(crypto_ctx_t *, crypto_data_t *,
180 	    crypto_req_handle_t);
181 	int (*digest_key)(crypto_ctx_t *, crypto_key_t *, crypto_req_handle_t);
182 	int (*digest_final)(crypto_ctx_t *, crypto_data_t *,
183 	    crypto_req_handle_t);
184 	int (*digest_atomic)(crypto_provider_handle_t, crypto_session_id_t,
185 	    crypto_mechanism_t *, crypto_data_t *,
186 	    crypto_data_t *, crypto_req_handle_t);
187 } crypto_digest_ops_t;
188 
189 /*
190  * The crypto_cipher_ops structure contains pointers to encryption
191  * and decryption operations for cryptographic providers.  It is
192  * passed through the crypto_ops(9S) structure when providers register
193  * with the kernel using crypto_register_provider(9F).
194  */
195 typedef struct crypto_cipher_ops {
196 	int (*encrypt_init)(crypto_ctx_t *,
197 	    crypto_mechanism_t *, crypto_key_t *,
198 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
199 	int (*encrypt)(crypto_ctx_t *,
200 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
201 	int (*encrypt_update)(crypto_ctx_t *,
202 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
203 	int (*encrypt_final)(crypto_ctx_t *,
204 	    crypto_data_t *, crypto_req_handle_t);
205 	int (*encrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t,
206 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
207 	    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
208 
209 	int (*decrypt_init)(crypto_ctx_t *,
210 	    crypto_mechanism_t *, crypto_key_t *,
211 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
212 	int (*decrypt)(crypto_ctx_t *,
213 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
214 	int (*decrypt_update)(crypto_ctx_t *,
215 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
216 	int (*decrypt_final)(crypto_ctx_t *,
217 	    crypto_data_t *, crypto_req_handle_t);
218 	int (*decrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t,
219 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
220 	    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
221 } crypto_cipher_ops_t;
222 
223 /*
224  * The crypto_mac_ops structure contains pointers to MAC
225  * operations for cryptographic providers.  It is passed through
226  * the crypto_ops(9S) structure when providers register with the
227  * kernel using crypto_register_provider(9F).
228  */
229 typedef struct crypto_mac_ops {
230 	int (*mac_init)(crypto_ctx_t *,
231 	    crypto_mechanism_t *, crypto_key_t *,
232 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
233 	int (*mac)(crypto_ctx_t *,
234 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
235 	int (*mac_update)(crypto_ctx_t *,
236 	    crypto_data_t *, crypto_req_handle_t);
237 	int (*mac_final)(crypto_ctx_t *,
238 	    crypto_data_t *, crypto_req_handle_t);
239 	int (*mac_atomic)(crypto_provider_handle_t, crypto_session_id_t,
240 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
241 	    crypto_data_t *, crypto_spi_ctx_template_t,
242 	    crypto_req_handle_t);
243 	int (*mac_verify_atomic)(crypto_provider_handle_t, crypto_session_id_t,
244 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
245 	    crypto_data_t *, crypto_spi_ctx_template_t,
246 	    crypto_req_handle_t);
247 } crypto_mac_ops_t;
248 
249 /*
250  * The crypto_sign_ops structure contains pointers to signing
251  * operations for cryptographic providers.  It is passed through
252  * the crypto_ops(9S) structure when providers register with the
253  * kernel using crypto_register_provider(9F).
254  */
255 typedef struct crypto_sign_ops {
256 	int (*sign_init)(crypto_ctx_t *,
257 	    crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t,
258 	    crypto_req_handle_t);
259 	int (*sign)(crypto_ctx_t *,
260 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
261 	int (*sign_update)(crypto_ctx_t *,
262 	    crypto_data_t *, crypto_req_handle_t);
263 	int (*sign_final)(crypto_ctx_t *,
264 	    crypto_data_t *, crypto_req_handle_t);
265 	int (*sign_atomic)(crypto_provider_handle_t, crypto_session_id_t,
266 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
267 	    crypto_data_t *, crypto_spi_ctx_template_t,
268 	    crypto_req_handle_t);
269 	int (*sign_recover_init)(crypto_ctx_t *, crypto_mechanism_t *,
270 	    crypto_key_t *, crypto_spi_ctx_template_t,
271 	    crypto_req_handle_t);
272 	int (*sign_recover)(crypto_ctx_t *,
273 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
274 	int (*sign_recover_atomic)(crypto_provider_handle_t,
275 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
276 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
277 	    crypto_req_handle_t);
278 } crypto_sign_ops_t;
279 
280 /*
281  * The crypto_verify_ops structure contains pointers to verify
282  * operations for cryptographic providers.  It is passed through
283  * the crypto_ops(9S) structure when providers register with the
284  * kernel using crypto_register_provider(9F).
285  */
286 typedef struct crypto_verify_ops {
287 	int (*verify_init)(crypto_ctx_t *,
288 	    crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t,
289 	    crypto_req_handle_t);
290 	int (*verify)(crypto_ctx_t *,
291 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
292 	int (*verify_update)(crypto_ctx_t *,
293 	    crypto_data_t *, crypto_req_handle_t);
294 	int (*verify_final)(crypto_ctx_t *,
295 	    crypto_data_t *, crypto_req_handle_t);
296 	int (*verify_atomic)(crypto_provider_handle_t, crypto_session_id_t,
297 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
298 	    crypto_data_t *, crypto_spi_ctx_template_t,
299 	    crypto_req_handle_t);
300 	int (*verify_recover_init)(crypto_ctx_t *, crypto_mechanism_t *,
301 	    crypto_key_t *, crypto_spi_ctx_template_t,
302 	    crypto_req_handle_t);
303 	int (*verify_recover)(crypto_ctx_t *,
304 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
305 	int (*verify_recover_atomic)(crypto_provider_handle_t,
306 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
307 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
308 	    crypto_req_handle_t);
309 } crypto_verify_ops_t;
310 
311 /*
312  * The crypto_dual_ops structure contains pointers to dual
313  * cipher and sign/verify operations for cryptographic providers.
314  * It is passed through the crypto_ops(9S) structure when
315  * providers register with the kernel using
316  * crypto_register_provider(9F).
317  */
318 typedef struct crypto_dual_ops {
319 	int (*digest_encrypt_update)(
320 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
321 	    crypto_data_t *, crypto_req_handle_t);
322 	int (*decrypt_digest_update)(
323 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
324 	    crypto_data_t *, crypto_req_handle_t);
325 	int (*sign_encrypt_update)(
326 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
327 	    crypto_data_t *, crypto_req_handle_t);
328 	int (*decrypt_verify_update)(
329 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
330 	    crypto_data_t *, crypto_req_handle_t);
331 } crypto_dual_ops_t;
332 
333 /*
334  * The crypto_dual_cipher_mac_ops structure contains pointers to dual
335  * cipher and MAC operations for cryptographic providers.
336  * It is passed through the crypto_ops(9S) structure when
337  * providers register with the kernel using
338  * crypto_register_provider(9F).
339  */
340 typedef struct crypto_dual_cipher_mac_ops {
341 	int (*encrypt_mac_init)(crypto_ctx_t *,
342 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
343 	    crypto_key_t *, crypto_spi_ctx_template_t,
344 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
345 	int (*encrypt_mac)(crypto_ctx_t *,
346 	    crypto_data_t *, crypto_dual_data_t *, crypto_data_t *,
347 	    crypto_req_handle_t);
348 	int (*encrypt_mac_update)(crypto_ctx_t *,
349 	    crypto_data_t *, crypto_dual_data_t *, crypto_req_handle_t);
350 	int (*encrypt_mac_final)(crypto_ctx_t *,
351 	    crypto_dual_data_t *, crypto_data_t *, crypto_req_handle_t);
352 	int (*encrypt_mac_atomic)(crypto_provider_handle_t, crypto_session_id_t,
353 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
354 	    crypto_key_t *, crypto_data_t *, crypto_dual_data_t *,
355 	    crypto_data_t *, crypto_spi_ctx_template_t,
356 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
357 
358 	int (*mac_decrypt_init)(crypto_ctx_t *,
359 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
360 	    crypto_key_t *, crypto_spi_ctx_template_t,
361 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
362 	int (*mac_decrypt)(crypto_ctx_t *,
363 	    crypto_dual_data_t *, crypto_data_t *, crypto_data_t *,
364 	    crypto_req_handle_t);
365 	int (*mac_decrypt_update)(crypto_ctx_t *,
366 	    crypto_dual_data_t *, crypto_data_t *, crypto_req_handle_t);
367 	int (*mac_decrypt_final)(crypto_ctx_t *,
368 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
369 	int (*mac_decrypt_atomic)(crypto_provider_handle_t,
370 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
371 	    crypto_mechanism_t *, crypto_key_t *, crypto_dual_data_t *,
372 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
373 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
374 	int (*mac_verify_decrypt_atomic)(crypto_provider_handle_t,
375 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
376 	    crypto_mechanism_t *, crypto_key_t *, crypto_dual_data_t *,
377 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
378 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
379 } crypto_dual_cipher_mac_ops_t;
380 
381 /*
382  * The crypto_random_number_ops structure contains pointers to random
383  * number operations for cryptographic providers.  It is passed through
384  * the crypto_ops(9S) structure when providers register with the
385  * kernel using crypto_register_provider(9F).
386  */
387 typedef struct crypto_random_number_ops {
388 	int (*seed_random)(crypto_provider_handle_t, crypto_session_id_t,
389 	    uchar_t *, size_t, crypto_req_handle_t);
390 	int (*generate_random)(crypto_provider_handle_t, crypto_session_id_t,
391 	    uchar_t *, size_t, crypto_req_handle_t);
392 } crypto_random_number_ops_t;
393 
394 /*
395  * The crypto_session_ops structure contains pointers to session
396  * operations for cryptographic providers.  It is passed through
397  * the crypto_ops(9S) structure when providers register with the
398  * kernel using crypto_register_provider(9F).
399  */
400 typedef struct crypto_session_ops {
401 	int (*session_open)(crypto_provider_handle_t, crypto_session_id_t *,
402 	    crypto_req_handle_t);
403 	int (*session_close)(crypto_provider_handle_t, crypto_session_id_t,
404 	    crypto_req_handle_t);
405 	int (*session_login)(crypto_provider_handle_t, crypto_session_id_t,
406 	    crypto_user_type_t, char *, size_t, crypto_req_handle_t);
407 	int (*session_logout)(crypto_provider_handle_t, crypto_session_id_t,
408 	    crypto_req_handle_t);
409 } crypto_session_ops_t;
410 
411 /*
412  * The crypto_object_ops structure contains pointers to object
413  * operations for cryptographic providers.  It is passed through
414  * the crypto_ops(9S) structure when providers register with the
415  * kernel using crypto_register_provider(9F).
416  */
417 typedef struct crypto_object_ops {
418 	int (*object_create)(crypto_provider_handle_t, crypto_session_id_t,
419 	    crypto_object_attribute_t *, uint_t, crypto_object_id_t *,
420 	    crypto_req_handle_t);
421 	int (*object_copy)(crypto_provider_handle_t, crypto_session_id_t,
422 	    crypto_object_id_t, crypto_object_attribute_t *, uint_t,
423 	    crypto_object_id_t *, crypto_req_handle_t);
424 	int (*object_destroy)(crypto_provider_handle_t, crypto_session_id_t,
425 	    crypto_object_id_t, crypto_req_handle_t);
426 	int (*object_get_size)(crypto_provider_handle_t, crypto_session_id_t,
427 	    crypto_object_id_t, size_t *, crypto_req_handle_t);
428 	int (*object_get_attribute_value)(crypto_provider_handle_t,
429 	    crypto_session_id_t, crypto_object_id_t,
430 	    crypto_object_attribute_t *, uint_t, crypto_req_handle_t);
431 	int (*object_set_attribute_value)(crypto_provider_handle_t,
432 	    crypto_session_id_t, crypto_object_id_t,
433 	    crypto_object_attribute_t *,  uint_t, crypto_req_handle_t);
434 	int (*object_find_init)(crypto_provider_handle_t, crypto_session_id_t,
435 	    crypto_object_attribute_t *, uint_t, void **,
436 	    crypto_req_handle_t);
437 	int (*object_find)(crypto_provider_handle_t, void *,
438 	    crypto_object_id_t *, uint_t, uint_t *, crypto_req_handle_t);
439 	int (*object_find_final)(crypto_provider_handle_t, void *,
440 	    crypto_req_handle_t);
441 } crypto_object_ops_t;
442 
443 /*
444  * The crypto_key_ops structure contains pointers to key
445  * operations for cryptographic providers.  It is passed through
446  * the crypto_ops(9S) structure when providers register with the
447  * kernel using crypto_register_provider(9F).
448  */
449 typedef struct crypto_key_ops {
450 	int (*key_generate)(crypto_provider_handle_t, crypto_session_id_t,
451 	    crypto_mechanism_t *, crypto_object_attribute_t *, uint_t,
452 	    crypto_object_id_t *, crypto_req_handle_t);
453 	int (*key_generate_pair)(crypto_provider_handle_t, crypto_session_id_t,
454 	    crypto_mechanism_t *, crypto_object_attribute_t *, uint_t,
455 	    crypto_object_attribute_t *, uint_t, crypto_object_id_t *,
456 	    crypto_object_id_t *, crypto_req_handle_t);
457 	int (*key_wrap)(crypto_provider_handle_t, crypto_session_id_t,
458 	    crypto_mechanism_t *, crypto_key_t *, crypto_object_id_t *,
459 	    uchar_t *, size_t *, crypto_req_handle_t);
460 	int (*key_unwrap)(crypto_provider_handle_t, crypto_session_id_t,
461 	    crypto_mechanism_t *, crypto_key_t *, uchar_t *, size_t *,
462 	    crypto_object_attribute_t *, uint_t,
463 	    crypto_object_id_t *, crypto_req_handle_t);
464 	int (*key_derive)(crypto_provider_handle_t, crypto_session_id_t,
465 	    crypto_mechanism_t *, crypto_key_t *, crypto_object_attribute_t *,
466 	    uint_t, crypto_object_id_t *, crypto_req_handle_t);
467 	int (*key_check)(crypto_provider_handle_t, crypto_mechanism_t *,
468 	    crypto_key_t *);
469 } crypto_key_ops_t;
470 
471 /*
472  * The crypto_provider_management_ops structure contains pointers
473  * to management operations for cryptographic providers.  It is passed
474  * through the crypto_ops(9S) structure when providers register with the
475  * kernel using crypto_register_provider(9F).
476  */
477 typedef struct crypto_provider_management_ops {
478 	int (*ext_info)(crypto_provider_handle_t,
479 	    crypto_provider_ext_info_t *, crypto_req_handle_t);
480 	int (*init_token)(crypto_provider_handle_t, char *, size_t,
481 	    char *, crypto_req_handle_t);
482 	int (*init_pin)(crypto_provider_handle_t, crypto_session_id_t,
483 	    char *, size_t, crypto_req_handle_t);
484 	int (*set_pin)(crypto_provider_handle_t, crypto_session_id_t,
485 	    char *, size_t, char *, size_t, crypto_req_handle_t);
486 } crypto_provider_management_ops_t;
487 
488 typedef struct crypto_mech_ops {
489 	int (*copyin_mechanism)(crypto_provider_handle_t,
490 	    crypto_mechanism_t *, crypto_mechanism_t *, int *, int);
491 	int (*copyout_mechanism)(crypto_provider_handle_t,
492 	    crypto_mechanism_t *, crypto_mechanism_t *, int *, int);
493 	int (*free_mechanism)(crypto_provider_handle_t, crypto_mechanism_t *);
494 } crypto_mech_ops_t;
495 
496 /*
497  * The crypto_ops(9S) structure contains the structures containing
498  * the pointers to functions implemented by cryptographic providers.
499  * It is specified as part of the crypto_provider_info(9S)
500  * supplied by a provider when it registers with the kernel
501  * by calling crypto_register_provider(9F).
502  */
503 typedef struct crypto_ops_v1 {
504 	crypto_control_ops_t			*co_control_ops;
505 	crypto_digest_ops_t			*co_digest_ops;
506 	crypto_cipher_ops_t			*co_cipher_ops;
507 	crypto_mac_ops_t			*co_mac_ops;
508 	crypto_sign_ops_t			*co_sign_ops;
509 	crypto_verify_ops_t			*co_verify_ops;
510 	crypto_dual_ops_t			*co_dual_ops;
511 	crypto_dual_cipher_mac_ops_t		*co_dual_cipher_mac_ops;
512 	crypto_random_number_ops_t		*co_random_ops;
513 	crypto_session_ops_t			*co_session_ops;
514 	crypto_object_ops_t			*co_object_ops;
515 	crypto_key_ops_t			*co_key_ops;
516 	crypto_provider_management_ops_t	*co_provider_ops;
517 	crypto_ctx_ops_t			*co_ctx_ops;
518 } crypto_ops_v1_t;
519 
520 typedef struct crypto_ops_v2 {
521 	crypto_ops_v1_t				v1_ops;
522 	crypto_mech_ops_t			*co_mech_ops;
523 } crypto_ops_v2_t;
524 
525 typedef struct crypto_ops {
526 	union {
527 		crypto_ops_v2_t	cou_v2;
528 		crypto_ops_v1_t	cou_v1;
529 	} cou;
530 } crypto_ops_t;
531 
532 #define	co_control_ops			cou.cou_v1.co_control_ops
533 #define	co_digest_ops			cou.cou_v1.co_digest_ops
534 #define	co_cipher_ops			cou.cou_v1.co_cipher_ops
535 #define	co_mac_ops			cou.cou_v1.co_mac_ops
536 #define	co_sign_ops			cou.cou_v1.co_sign_ops
537 #define	co_verify_ops			cou.cou_v1.co_verify_ops
538 #define	co_dual_ops			cou.cou_v1.co_dual_ops
539 #define	co_dual_cipher_mac_ops		cou.cou_v1.co_dual_cipher_mac_ops
540 #define	co_random_ops			cou.cou_v1.co_random_ops
541 #define	co_session_ops			cou.cou_v1.co_session_ops
542 #define	co_object_ops			cou.cou_v1.co_object_ops
543 #define	co_key_ops			cou.cou_v1.co_key_ops
544 #define	co_provider_ops			cou.cou_v1.co_provider_ops
545 #define	co_ctx_ops			cou.cou_v1.co_ctx_ops
546 #define	co_mech_ops			cou.cou_v2.co_mech_ops
547 
548 /*
549  * Provider device specification passed during registration.
550  *
551  * Software providers set the pi_provider_type field of provider_info_t
552  * to CRYPTO_SW_PROVIDER, and set the pd_sw field of
553  * crypto_provider_dev_t to the address of their modlinkage.
554  *
555  * Hardware providers set the pi_provider_type field of provider_info_t
556  * to CRYPTO_HW_PROVIDER, and set the pd_hw field of
557  * crypto_provider_dev_t to the dev_info structure corresponding
558  * to the device instance being registered.
559  *
560  * Logical providers set the pi_provider_type field of provider_info_t
561  * to CRYPTO_LOGICAL_PROVIDER, and set the pd_hw field of
562  * crypto_provider_dev_t to the dev_info structure corresponding
563  * to the device instance being registered.
564  */
565 
566 typedef union crypto_provider_dev {
567 	struct modlinkage	*pd_sw; /* for CRYPTO_SW_PROVIDER */
568 	dev_info_t		*pd_hw; /* for CRYPTO_HW_PROVIDER */
569 } crypto_provider_dev_t;
570 
571 /*
572  * The mechanism info structure crypto_mech_info_t contains a function group
573  * bit mask cm_func_group_mask. This field, of type crypto_func_group_t,
574  * specifies the provider entry point that can be used a particular
575  * mechanism. The function group mask is a combination of the following values.
576  */
577 
578 typedef uint32_t crypto_func_group_t;
579 
580 #endif /* _KERNEL */
581 
582 #define	CRYPTO_FG_ENCRYPT		0x00000001 /* encrypt_init() */
583 #define	CRYPTO_FG_DECRYPT		0x00000002 /* decrypt_init() */
584 #define	CRYPTO_FG_DIGEST		0x00000004 /* digest_init() */
585 #define	CRYPTO_FG_SIGN			0x00000008 /* sign_init() */
586 #define	CRYPTO_FG_SIGN_RECOVER		0x00000010 /* sign_recover_init() */
587 #define	CRYPTO_FG_VERIFY		0x00000020 /* verify_init() */
588 #define	CRYPTO_FG_VERIFY_RECOVER	0x00000040 /* verify_recover_init() */
589 #define	CRYPTO_FG_GENERATE		0x00000080 /* key_generate() */
590 #define	CRYPTO_FG_GENERATE_KEY_PAIR	0x00000100 /* key_generate_pair() */
591 #define	CRYPTO_FG_WRAP			0x00000200 /* key_wrap() */
592 #define	CRYPTO_FG_UNWRAP		0x00000400 /* key_unwrap() */
593 #define	CRYPTO_FG_DERIVE		0x00000800 /* key_derive() */
594 #define	CRYPTO_FG_MAC			0x00001000 /* mac_init() */
595 #define	CRYPTO_FG_ENCRYPT_MAC		0x00002000 /* encrypt_mac_init() */
596 #define	CRYPTO_FG_MAC_DECRYPT		0x00004000 /* decrypt_mac_init() */
597 #define	CRYPTO_FG_ENCRYPT_ATOMIC	0x00008000 /* encrypt_atomic() */
598 #define	CRYPTO_FG_DECRYPT_ATOMIC	0x00010000 /* decrypt_atomic() */
599 #define	CRYPTO_FG_MAC_ATOMIC		0x00020000 /* mac_atomic() */
600 #define	CRYPTO_FG_DIGEST_ATOMIC		0x00040000 /* digest_atomic() */
601 #define	CRYPTO_FG_SIGN_ATOMIC		0x00080000 /* sign_atomic() */
602 #define	CRYPTO_FG_SIGN_RECOVER_ATOMIC   0x00100000 /* sign_recover_atomic() */
603 #define	CRYPTO_FG_VERIFY_ATOMIC		0x00200000 /* verify_atomic() */
604 #define	CRYPTO_FG_VERIFY_RECOVER_ATOMIC	0x00400000 /* verify_recover_atomic() */
605 #define	CRYPTO_FG_ENCRYPT_MAC_ATOMIC	0x00800000 /* encrypt_mac_atomic() */
606 #define	CRYPTO_FG_MAC_DECRYPT_ATOMIC	0x01000000 /* mac_decrypt_atomic() */
607 #define	CRYPTO_FG_RESERVED		0x80000000
608 
609 /*
610  * Maximum length of the pi_provider_description field of the
611  * crypto_provider_info structure.
612  */
613 #define	CRYPTO_PROVIDER_DESCR_MAX_LEN	64
614 
615 #ifdef _KERNEL
616 
617 /* Bit mask for all the simple operations */
618 #define	CRYPTO_FG_SIMPLEOP_MASK	(CRYPTO_FG_ENCRYPT | CRYPTO_FG_DECRYPT | \
619     CRYPTO_FG_DIGEST | CRYPTO_FG_SIGN | CRYPTO_FG_VERIFY | CRYPTO_FG_MAC | \
620     CRYPTO_FG_ENCRYPT_ATOMIC | CRYPTO_FG_DECRYPT_ATOMIC |		\
621     CRYPTO_FG_MAC_ATOMIC | CRYPTO_FG_DIGEST_ATOMIC | CRYPTO_FG_SIGN_ATOMIC | \
622     CRYPTO_FG_VERIFY_ATOMIC)
623 
624 /* Bit mask for all the dual operations */
625 #define	CRYPTO_FG_MAC_CIPHER_MASK	(CRYPTO_FG_ENCRYPT_MAC |	\
626     CRYPTO_FG_MAC_DECRYPT | CRYPTO_FG_ENCRYPT_MAC_ATOMIC | 		\
627     CRYPTO_FG_MAC_DECRYPT_ATOMIC)
628 
629 /* Add other combos to CRYPTO_FG_DUAL_MASK */
630 #define	CRYPTO_FG_DUAL_MASK	CRYPTO_FG_MAC_CIPHER_MASK
631 
632 /*
633  * The crypto_mech_info structure specifies one of the mechanisms
634  * supported by a cryptographic provider. The pi_mechanisms field of
635  * the crypto_provider_info structure contains a pointer to an array
636  * of crypto_mech_info's.
637  */
638 typedef struct crypto_mech_info {
639 	crypto_mech_name_t	cm_mech_name;
640 	crypto_mech_type_t	cm_mech_number;
641 	crypto_func_group_t	cm_func_group_mask;
642 	ssize_t			cm_min_key_length;
643 	ssize_t			cm_max_key_length;
644 	crypto_keysize_unit_t	cm_keysize_unit; /* for cm_xxx_key_length */
645 } crypto_mech_info_t;
646 
647 /*
648  * crypto_kcf_provider_handle_t is a handle allocated by the kernel.
649  * It is returned after the provider registers with
650  * crypto_register_provider(), and must be specified by the provider
651  * when calling crypto_unregister_provider(), and
652  * crypto_provider_notification().
653  */
654 typedef uint_t crypto_kcf_provider_handle_t;
655 
656 /*
657  * Provider information. Passed as argument to crypto_register_provider(9F).
658  * Describes the provider and its capabilities. Multiple providers can
659  * register for the same device instance. In this case, the same
660  * pi_provider_dev must be specified with a different pi_provider_handle.
661  */
662 typedef struct crypto_provider_info_v1 {
663 	uint_t				pi_interface_version;
664 	char				*pi_provider_description;
665 	crypto_provider_type_t		pi_provider_type;
666 	crypto_provider_dev_t		pi_provider_dev;
667 	crypto_provider_handle_t	pi_provider_handle;
668 	crypto_ops_t			*pi_ops_vector;
669 	uint_t				pi_mech_list_count;
670 	crypto_mech_info_t		*pi_mechanisms;
671 	uint_t				pi_logical_provider_count;
672 	crypto_kcf_provider_handle_t	*pi_logical_providers;
673 } crypto_provider_info_v1_t;
674 
675 typedef struct crypto_provider_info_v2 {
676 	crypto_provider_info_v1_t	v1_info;
677 	uint_t				pi_flags;
678 } crypto_provider_info_v2_t;
679 
680 typedef struct crypto_provider_info {
681 	union {
682 		crypto_provider_info_v2_t piu_v2;
683 		crypto_provider_info_v1_t piu_v1;
684 	} piu;
685 } crypto_provider_info_t;
686 
687 #define	pi_interface_version		piu.piu_v1.pi_interface_version
688 #define	pi_provider_description		piu.piu_v1.pi_provider_description
689 #define	pi_provider_type		piu.piu_v1.pi_provider_type
690 #define	pi_provider_dev			piu.piu_v1.pi_provider_dev
691 #define	pi_provider_handle		piu.piu_v1.pi_provider_handle
692 #define	pi_ops_vector			piu.piu_v1.pi_ops_vector
693 #define	pi_mech_list_count		piu.piu_v1.pi_mech_list_count
694 #define	pi_mechanisms			piu.piu_v1.pi_mechanisms
695 #define	pi_logical_provider_count	piu.piu_v1.pi_logical_provider_count
696 #define	pi_logical_providers		piu.piu_v1.pi_logical_providers
697 #define	pi_flags			piu.piu_v2.pi_flags
698 
699 /* hidden providers can only be accessed via a logical provider */
700 #define	CRYPTO_HIDE_PROVIDER		1
701 
702 /*
703  * Provider status passed by a provider to crypto_provider_notification(9F)
704  * and returned by the provider_stauts(9E) entry point.
705  */
706 #define	CRYPTO_PROVIDER_READY		0
707 #define	CRYPTO_PROVIDER_BUSY		1
708 #define	CRYPTO_PROVIDER_FAILED		2
709 
710 /*
711  * Functions exported by Solaris to cryptographic providers. Providers
712  * call these functions to register and unregister, notify the kernel
713  * of state changes, and notify the kernel when a asynchronous request
714  * completed.
715  */
716 extern int crypto_register_provider(crypto_provider_info_t *,
717 		crypto_kcf_provider_handle_t *);
718 extern int crypto_unregister_provider(crypto_kcf_provider_handle_t);
719 extern void crypto_provider_notification(crypto_kcf_provider_handle_t, uint_t);
720 extern void crypto_op_notification(crypto_req_handle_t, int);
721 extern int crypto_kmflag(crypto_req_handle_t);
722 
723 #endif	/* _KERNEL */
724 
725 #ifdef	__cplusplus
726 }
727 #endif
728 
729 #endif	/* _SYS_CRYPTO_SPI_H */
730