1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #ifndef _SYS_CRYPTO_SPI_H 27 #define _SYS_CRYPTO_SPI_H 28 29 /* 30 * CSPI: Cryptographic Service Provider Interface. 31 */ 32 33 #include <sys/types.h> 34 #include <sys/dditypes.h> 35 #include <sys/ddi.h> 36 #include <sys/kmem.h> 37 #include <sys/crypto/common.h> 38 39 #ifdef __cplusplus 40 extern "C" { 41 #endif 42 43 #ifdef _KERNEL 44 45 #define CRYPTO_SPI_VERSION_1 1 46 #define CRYPTO_SPI_VERSION_2 2 47 #define CRYPTO_SPI_VERSION_3 3 48 #define CRYPTO_SPI_VERSION_4 4 49 50 /* 51 * Provider-private handle. This handle is specified by a provider 52 * when it registers by means of the pi_provider_handle field of 53 * the crypto_provider_info structure, and passed to the provider 54 * when its entry points are invoked. 55 */ 56 typedef void *crypto_provider_handle_t; 57 58 /* 59 * Context templates can be used to by software providers to pre-process 60 * keying material, such as key schedules. They are allocated by 61 * a software provider create_ctx_template(9E) entry point, and passed 62 * as argument to initialization and atomic provider entry points. 63 */ 64 typedef void *crypto_spi_ctx_template_t; 65 66 /* 67 * Request handles are used by the kernel to identify an asynchronous 68 * request being processed by a provider. It is passed by the kernel 69 * to a hardware provider when submitting a request, and must be 70 * specified by a provider when calling crypto_op_notification(9F) 71 */ 72 typedef void *crypto_req_handle_t; 73 74 /* Values for cc_flags field */ 75 #define CRYPTO_INIT_OPSTATE 0x00000001 /* allocate and init cc_opstate */ 76 #define CRYPTO_USE_OPSTATE 0x00000002 /* .. start using it as context */ 77 78 /* 79 * The context structure is passed from the kernel to a provider. 80 * It contains the information needed to process a multi-part or 81 * single part operation. The context structure is not used 82 * by atomic operations. 83 * 84 * Parameters needed to perform a cryptographic operation, such 85 * as keys, mechanisms, input and output buffers, are passed 86 * as separate arguments to Provider routines. 87 */ 88 typedef struct crypto_ctx { 89 crypto_provider_handle_t cc_provider; 90 crypto_session_id_t cc_session; 91 void *cc_provider_private; /* owned by provider */ 92 void *cc_framework_private; /* owned by framework */ 93 uint32_t cc_flags; /* flags */ 94 void *cc_opstate; /* state */ 95 } crypto_ctx_t; 96 97 /* 98 * Extended provider information. 99 */ 100 101 /* 102 * valid values for ei_flags field of extended info structure 103 * They match the RSA Security, Inc PKCS#11 tokenInfo flags. 104 */ 105 #define CRYPTO_EXTF_RNG 0x00000001 106 #define CRYPTO_EXTF_WRITE_PROTECTED 0x00000002 107 #define CRYPTO_EXTF_LOGIN_REQUIRED 0x00000004 108 #define CRYPTO_EXTF_USER_PIN_INITIALIZED 0x00000008 109 #define CRYPTO_EXTF_CLOCK_ON_TOKEN 0x00000040 110 #define CRYPTO_EXTF_PROTECTED_AUTHENTICATION_PATH 0x00000100 111 #define CRYPTO_EXTF_DUAL_CRYPTO_OPERATIONS 0x00000200 112 #define CRYPTO_EXTF_TOKEN_INITIALIZED 0x00000400 113 #define CRYPTO_EXTF_USER_PIN_COUNT_LOW 0x00010000 114 #define CRYPTO_EXTF_USER_PIN_FINAL_TRY 0x00020000 115 #define CRYPTO_EXTF_USER_PIN_LOCKED 0x00040000 116 #define CRYPTO_EXTF_USER_PIN_TO_BE_CHANGED 0x00080000 117 #define CRYPTO_EXTF_SO_PIN_COUNT_LOW 0x00100000 118 #define CRYPTO_EXTF_SO_PIN_FINAL_TRY 0x00200000 119 #define CRYPTO_EXTF_SO_PIN_LOCKED 0x00400000 120 #define CRYPTO_EXTF_SO_PIN_TO_BE_CHANGED 0x00800000 121 122 /* 123 * The crypto_control_ops structure contains pointers to control 124 * operations for cryptographic providers. It is passed through 125 * the crypto_ops(9S) structure when providers register with the 126 * kernel using crypto_register_provider(9F). 127 */ 128 typedef struct crypto_control_ops { 129 void (*provider_status)(crypto_provider_handle_t, uint_t *); 130 } crypto_control_ops_t; 131 132 /* 133 * The crypto_ctx_ops structure contains points to context and context 134 * templates management operations for cryptographic providers. It is 135 * passed through the crypto_ops(9S) structure when providers register 136 * with the kernel using crypto_register_provider(9F). 137 */ 138 typedef struct crypto_ctx_ops { 139 int (*create_ctx_template)(crypto_provider_handle_t, 140 crypto_mechanism_t *, crypto_key_t *, 141 crypto_spi_ctx_template_t *, size_t *, crypto_req_handle_t); 142 int (*free_context)(crypto_ctx_t *); 143 } crypto_ctx_ops_t; 144 145 /* 146 * The crypto_digest_ops structure contains pointers to digest 147 * operations for cryptographic providers. It is passed through 148 * the crypto_ops(9S) structure when providers register with the 149 * kernel using crypto_register_provider(9F). 150 */ 151 typedef struct crypto_digest_ops { 152 int (*digest_init)(crypto_ctx_t *, crypto_mechanism_t *, 153 crypto_req_handle_t); 154 int (*digest)(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 155 crypto_req_handle_t); 156 int (*digest_update)(crypto_ctx_t *, crypto_data_t *, 157 crypto_req_handle_t); 158 int (*digest_key)(crypto_ctx_t *, crypto_key_t *, crypto_req_handle_t); 159 int (*digest_final)(crypto_ctx_t *, crypto_data_t *, 160 crypto_req_handle_t); 161 int (*digest_atomic)(crypto_provider_handle_t, crypto_session_id_t, 162 crypto_mechanism_t *, crypto_data_t *, 163 crypto_data_t *, crypto_req_handle_t); 164 } crypto_digest_ops_t; 165 166 /* 167 * The crypto_cipher_ops structure contains pointers to encryption 168 * and decryption operations for cryptographic providers. It is 169 * passed through the crypto_ops(9S) structure when providers register 170 * with the kernel using crypto_register_provider(9F). 171 */ 172 typedef struct crypto_cipher_ops { 173 int (*encrypt_init)(crypto_ctx_t *, 174 crypto_mechanism_t *, crypto_key_t *, 175 crypto_spi_ctx_template_t, crypto_req_handle_t); 176 int (*encrypt)(crypto_ctx_t *, 177 crypto_data_t *, crypto_data_t *, crypto_req_handle_t); 178 int (*encrypt_update)(crypto_ctx_t *, 179 crypto_data_t *, crypto_data_t *, crypto_req_handle_t); 180 int (*encrypt_final)(crypto_ctx_t *, 181 crypto_data_t *, crypto_req_handle_t); 182 int (*encrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t, 183 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 184 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 185 186 int (*decrypt_init)(crypto_ctx_t *, 187 crypto_mechanism_t *, crypto_key_t *, 188 crypto_spi_ctx_template_t, crypto_req_handle_t); 189 int (*decrypt)(crypto_ctx_t *, 190 crypto_data_t *, crypto_data_t *, crypto_req_handle_t); 191 int (*decrypt_update)(crypto_ctx_t *, 192 crypto_data_t *, crypto_data_t *, crypto_req_handle_t); 193 int (*decrypt_final)(crypto_ctx_t *, 194 crypto_data_t *, crypto_req_handle_t); 195 int (*decrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t, 196 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 197 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 198 } crypto_cipher_ops_t; 199 200 /* 201 * The crypto_mac_ops structure contains pointers to MAC 202 * operations for cryptographic providers. It is passed through 203 * the crypto_ops(9S) structure when providers register with the 204 * kernel using crypto_register_provider(9F). 205 */ 206 typedef struct crypto_mac_ops { 207 int (*mac_init)(crypto_ctx_t *, 208 crypto_mechanism_t *, crypto_key_t *, 209 crypto_spi_ctx_template_t, crypto_req_handle_t); 210 int (*mac)(crypto_ctx_t *, 211 crypto_data_t *, crypto_data_t *, crypto_req_handle_t); 212 int (*mac_update)(crypto_ctx_t *, 213 crypto_data_t *, crypto_req_handle_t); 214 int (*mac_final)(crypto_ctx_t *, 215 crypto_data_t *, crypto_req_handle_t); 216 int (*mac_atomic)(crypto_provider_handle_t, crypto_session_id_t, 217 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 218 crypto_data_t *, crypto_spi_ctx_template_t, 219 crypto_req_handle_t); 220 int (*mac_verify_atomic)(crypto_provider_handle_t, crypto_session_id_t, 221 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 222 crypto_data_t *, crypto_spi_ctx_template_t, 223 crypto_req_handle_t); 224 } crypto_mac_ops_t; 225 226 /* 227 * The crypto_sign_ops structure contains pointers to signing 228 * operations for cryptographic providers. It is passed through 229 * the crypto_ops(9S) structure when providers register with the 230 * kernel using crypto_register_provider(9F). 231 */ 232 typedef struct crypto_sign_ops { 233 int (*sign_init)(crypto_ctx_t *, 234 crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t, 235 crypto_req_handle_t); 236 int (*sign)(crypto_ctx_t *, 237 crypto_data_t *, crypto_data_t *, crypto_req_handle_t); 238 int (*sign_update)(crypto_ctx_t *, 239 crypto_data_t *, crypto_req_handle_t); 240 int (*sign_final)(crypto_ctx_t *, 241 crypto_data_t *, crypto_req_handle_t); 242 int (*sign_atomic)(crypto_provider_handle_t, crypto_session_id_t, 243 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 244 crypto_data_t *, crypto_spi_ctx_template_t, 245 crypto_req_handle_t); 246 int (*sign_recover_init)(crypto_ctx_t *, crypto_mechanism_t *, 247 crypto_key_t *, crypto_spi_ctx_template_t, 248 crypto_req_handle_t); 249 int (*sign_recover)(crypto_ctx_t *, 250 crypto_data_t *, crypto_data_t *, crypto_req_handle_t); 251 int (*sign_recover_atomic)(crypto_provider_handle_t, 252 crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, 253 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, 254 crypto_req_handle_t); 255 } crypto_sign_ops_t; 256 257 /* 258 * The crypto_verify_ops structure contains pointers to verify 259 * operations for cryptographic providers. It is passed through 260 * the crypto_ops(9S) structure when providers register with the 261 * kernel using crypto_register_provider(9F). 262 */ 263 typedef struct crypto_verify_ops { 264 int (*verify_init)(crypto_ctx_t *, 265 crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t, 266 crypto_req_handle_t); 267 int (*verify)(crypto_ctx_t *, 268 crypto_data_t *, crypto_data_t *, crypto_req_handle_t); 269 int (*verify_update)(crypto_ctx_t *, 270 crypto_data_t *, crypto_req_handle_t); 271 int (*verify_final)(crypto_ctx_t *, 272 crypto_data_t *, crypto_req_handle_t); 273 int (*verify_atomic)(crypto_provider_handle_t, crypto_session_id_t, 274 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 275 crypto_data_t *, crypto_spi_ctx_template_t, 276 crypto_req_handle_t); 277 int (*verify_recover_init)(crypto_ctx_t *, crypto_mechanism_t *, 278 crypto_key_t *, crypto_spi_ctx_template_t, 279 crypto_req_handle_t); 280 int (*verify_recover)(crypto_ctx_t *, 281 crypto_data_t *, crypto_data_t *, crypto_req_handle_t); 282 int (*verify_recover_atomic)(crypto_provider_handle_t, 283 crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, 284 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, 285 crypto_req_handle_t); 286 } crypto_verify_ops_t; 287 288 /* 289 * The crypto_dual_ops structure contains pointers to dual 290 * cipher and sign/verify operations for cryptographic providers. 291 * It is passed through the crypto_ops(9S) structure when 292 * providers register with the kernel using 293 * crypto_register_provider(9F). 294 */ 295 typedef struct crypto_dual_ops { 296 int (*digest_encrypt_update)( 297 crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *, 298 crypto_data_t *, crypto_req_handle_t); 299 int (*decrypt_digest_update)( 300 crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *, 301 crypto_data_t *, crypto_req_handle_t); 302 int (*sign_encrypt_update)( 303 crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *, 304 crypto_data_t *, crypto_req_handle_t); 305 int (*decrypt_verify_update)( 306 crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *, 307 crypto_data_t *, crypto_req_handle_t); 308 } crypto_dual_ops_t; 309 310 /* 311 * The crypto_dual_cipher_mac_ops structure contains pointers to dual 312 * cipher and MAC operations for cryptographic providers. 313 * It is passed through the crypto_ops(9S) structure when 314 * providers register with the kernel using 315 * crypto_register_provider(9F). 316 */ 317 typedef struct crypto_dual_cipher_mac_ops { 318 int (*encrypt_mac_init)(crypto_ctx_t *, 319 crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *, 320 crypto_key_t *, crypto_spi_ctx_template_t, 321 crypto_spi_ctx_template_t, crypto_req_handle_t); 322 int (*encrypt_mac)(crypto_ctx_t *, 323 crypto_data_t *, crypto_dual_data_t *, crypto_data_t *, 324 crypto_req_handle_t); 325 int (*encrypt_mac_update)(crypto_ctx_t *, 326 crypto_data_t *, crypto_dual_data_t *, crypto_req_handle_t); 327 int (*encrypt_mac_final)(crypto_ctx_t *, 328 crypto_dual_data_t *, crypto_data_t *, crypto_req_handle_t); 329 int (*encrypt_mac_atomic)(crypto_provider_handle_t, crypto_session_id_t, 330 crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *, 331 crypto_key_t *, crypto_data_t *, crypto_dual_data_t *, 332 crypto_data_t *, crypto_spi_ctx_template_t, 333 crypto_spi_ctx_template_t, crypto_req_handle_t); 334 335 int (*mac_decrypt_init)(crypto_ctx_t *, 336 crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *, 337 crypto_key_t *, crypto_spi_ctx_template_t, 338 crypto_spi_ctx_template_t, crypto_req_handle_t); 339 int (*mac_decrypt)(crypto_ctx_t *, 340 crypto_dual_data_t *, crypto_data_t *, crypto_data_t *, 341 crypto_req_handle_t); 342 int (*mac_decrypt_update)(crypto_ctx_t *, 343 crypto_dual_data_t *, crypto_data_t *, crypto_req_handle_t); 344 int (*mac_decrypt_final)(crypto_ctx_t *, 345 crypto_data_t *, crypto_data_t *, crypto_req_handle_t); 346 int (*mac_decrypt_atomic)(crypto_provider_handle_t, 347 crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, 348 crypto_mechanism_t *, crypto_key_t *, crypto_dual_data_t *, 349 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, 350 crypto_spi_ctx_template_t, crypto_req_handle_t); 351 int (*mac_verify_decrypt_atomic)(crypto_provider_handle_t, 352 crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, 353 crypto_mechanism_t *, crypto_key_t *, crypto_dual_data_t *, 354 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, 355 crypto_spi_ctx_template_t, crypto_req_handle_t); 356 } crypto_dual_cipher_mac_ops_t; 357 358 /* 359 * The crypto_random_number_ops structure contains pointers to random 360 * number operations for cryptographic providers. It is passed through 361 * the crypto_ops(9S) structure when providers register with the 362 * kernel using crypto_register_provider(9F). 363 */ 364 typedef struct crypto_random_number_ops { 365 int (*seed_random)(crypto_provider_handle_t, crypto_session_id_t, 366 uchar_t *, size_t, uint_t, uint32_t, crypto_req_handle_t); 367 int (*generate_random)(crypto_provider_handle_t, crypto_session_id_t, 368 uchar_t *, size_t, crypto_req_handle_t); 369 } crypto_random_number_ops_t; 370 371 /* 372 * Flag values for seed_random. 373 */ 374 #define CRYPTO_SEED_NOW 0x00000001 375 376 /* 377 * The crypto_session_ops structure contains pointers to session 378 * operations for cryptographic providers. It is passed through 379 * the crypto_ops(9S) structure when providers register with the 380 * kernel using crypto_register_provider(9F). 381 */ 382 typedef struct crypto_session_ops { 383 int (*session_open)(crypto_provider_handle_t, crypto_session_id_t *, 384 crypto_req_handle_t); 385 int (*session_close)(crypto_provider_handle_t, crypto_session_id_t, 386 crypto_req_handle_t); 387 int (*session_login)(crypto_provider_handle_t, crypto_session_id_t, 388 crypto_user_type_t, char *, size_t, crypto_req_handle_t); 389 int (*session_logout)(crypto_provider_handle_t, crypto_session_id_t, 390 crypto_req_handle_t); 391 } crypto_session_ops_t; 392 393 /* 394 * The crypto_object_ops structure contains pointers to object 395 * operations for cryptographic providers. It is passed through 396 * the crypto_ops(9S) structure when providers register with the 397 * kernel using crypto_register_provider(9F). 398 */ 399 typedef struct crypto_object_ops { 400 int (*object_create)(crypto_provider_handle_t, crypto_session_id_t, 401 crypto_object_attribute_t *, uint_t, crypto_object_id_t *, 402 crypto_req_handle_t); 403 int (*object_copy)(crypto_provider_handle_t, crypto_session_id_t, 404 crypto_object_id_t, crypto_object_attribute_t *, uint_t, 405 crypto_object_id_t *, crypto_req_handle_t); 406 int (*object_destroy)(crypto_provider_handle_t, crypto_session_id_t, 407 crypto_object_id_t, crypto_req_handle_t); 408 int (*object_get_size)(crypto_provider_handle_t, crypto_session_id_t, 409 crypto_object_id_t, size_t *, crypto_req_handle_t); 410 int (*object_get_attribute_value)(crypto_provider_handle_t, 411 crypto_session_id_t, crypto_object_id_t, 412 crypto_object_attribute_t *, uint_t, crypto_req_handle_t); 413 int (*object_set_attribute_value)(crypto_provider_handle_t, 414 crypto_session_id_t, crypto_object_id_t, 415 crypto_object_attribute_t *, uint_t, crypto_req_handle_t); 416 int (*object_find_init)(crypto_provider_handle_t, crypto_session_id_t, 417 crypto_object_attribute_t *, uint_t, void **, 418 crypto_req_handle_t); 419 int (*object_find)(crypto_provider_handle_t, void *, 420 crypto_object_id_t *, uint_t, uint_t *, crypto_req_handle_t); 421 int (*object_find_final)(crypto_provider_handle_t, void *, 422 crypto_req_handle_t); 423 } crypto_object_ops_t; 424 425 /* 426 * The crypto_key_ops structure contains pointers to key 427 * operations for cryptographic providers. It is passed through 428 * the crypto_ops(9S) structure when providers register with the 429 * kernel using crypto_register_provider(9F). 430 */ 431 typedef struct crypto_key_ops { 432 int (*key_generate)(crypto_provider_handle_t, crypto_session_id_t, 433 crypto_mechanism_t *, crypto_object_attribute_t *, uint_t, 434 crypto_object_id_t *, crypto_req_handle_t); 435 int (*key_generate_pair)(crypto_provider_handle_t, crypto_session_id_t, 436 crypto_mechanism_t *, crypto_object_attribute_t *, uint_t, 437 crypto_object_attribute_t *, uint_t, crypto_object_id_t *, 438 crypto_object_id_t *, crypto_req_handle_t); 439 int (*key_wrap)(crypto_provider_handle_t, crypto_session_id_t, 440 crypto_mechanism_t *, crypto_key_t *, crypto_object_id_t *, 441 uchar_t *, size_t *, crypto_req_handle_t); 442 int (*key_unwrap)(crypto_provider_handle_t, crypto_session_id_t, 443 crypto_mechanism_t *, crypto_key_t *, uchar_t *, size_t *, 444 crypto_object_attribute_t *, uint_t, 445 crypto_object_id_t *, crypto_req_handle_t); 446 int (*key_derive)(crypto_provider_handle_t, crypto_session_id_t, 447 crypto_mechanism_t *, crypto_key_t *, crypto_object_attribute_t *, 448 uint_t, crypto_object_id_t *, crypto_req_handle_t); 449 int (*key_check)(crypto_provider_handle_t, crypto_mechanism_t *, 450 crypto_key_t *); 451 } crypto_key_ops_t; 452 453 /* 454 * The crypto_provider_management_ops structure contains pointers 455 * to management operations for cryptographic providers. It is passed 456 * through the crypto_ops(9S) structure when providers register with the 457 * kernel using crypto_register_provider(9F). 458 */ 459 typedef struct crypto_provider_management_ops { 460 int (*ext_info)(crypto_provider_handle_t, 461 crypto_provider_ext_info_t *, crypto_req_handle_t); 462 int (*init_token)(crypto_provider_handle_t, char *, size_t, 463 char *, crypto_req_handle_t); 464 int (*init_pin)(crypto_provider_handle_t, crypto_session_id_t, 465 char *, size_t, crypto_req_handle_t); 466 int (*set_pin)(crypto_provider_handle_t, crypto_session_id_t, 467 char *, size_t, char *, size_t, crypto_req_handle_t); 468 } crypto_provider_management_ops_t; 469 470 typedef struct crypto_mech_ops { 471 int (*copyin_mechanism)(crypto_provider_handle_t, 472 crypto_mechanism_t *, crypto_mechanism_t *, int *, int); 473 int (*copyout_mechanism)(crypto_provider_handle_t, 474 crypto_mechanism_t *, crypto_mechanism_t *, int *, int); 475 int (*free_mechanism)(crypto_provider_handle_t, crypto_mechanism_t *); 476 } crypto_mech_ops_t; 477 478 typedef struct crypto_nostore_key_ops { 479 int (*nostore_key_generate)(crypto_provider_handle_t, 480 crypto_session_id_t, crypto_mechanism_t *, 481 crypto_object_attribute_t *, uint_t, crypto_object_attribute_t *, 482 uint_t, crypto_req_handle_t); 483 int (*nostore_key_generate_pair)(crypto_provider_handle_t, 484 crypto_session_id_t, crypto_mechanism_t *, 485 crypto_object_attribute_t *, uint_t, crypto_object_attribute_t *, 486 uint_t, crypto_object_attribute_t *, uint_t, 487 crypto_object_attribute_t *, uint_t, crypto_req_handle_t); 488 int (*nostore_key_derive)(crypto_provider_handle_t, crypto_session_id_t, 489 crypto_mechanism_t *, crypto_key_t *, crypto_object_attribute_t *, 490 uint_t, crypto_object_attribute_t *, uint_t, crypto_req_handle_t); 491 } crypto_nostore_key_ops_t; 492 493 /* 494 * crypto_fips140_ops provides a function for FIPS 140 Power-On Self Test for 495 * those providers that are part of the Cryptographic Framework bounday. See 496 * crypto_fips140_ops(9s) for details. 497 */ 498 typedef struct crypto_fips140_ops { 499 void (*fips140_post)(int *); 500 } crypto_fips140_ops_t; 501 502 /* 503 * The crypto_ops(9S) structure contains the structures containing 504 * the pointers to functions implemented by cryptographic providers. 505 * It is specified as part of the crypto_provider_info(9S) 506 * supplied by a provider when it registers with the kernel 507 * by calling crypto_register_provider(9F). 508 */ 509 typedef struct crypto_ops_v1 { 510 crypto_control_ops_t *co_control_ops; 511 crypto_digest_ops_t *co_digest_ops; 512 crypto_cipher_ops_t *co_cipher_ops; 513 crypto_mac_ops_t *co_mac_ops; 514 crypto_sign_ops_t *co_sign_ops; 515 crypto_verify_ops_t *co_verify_ops; 516 crypto_dual_ops_t *co_dual_ops; 517 crypto_dual_cipher_mac_ops_t *co_dual_cipher_mac_ops; 518 crypto_random_number_ops_t *co_random_ops; 519 crypto_session_ops_t *co_session_ops; 520 crypto_object_ops_t *co_object_ops; 521 crypto_key_ops_t *co_key_ops; 522 crypto_provider_management_ops_t *co_provider_ops; 523 crypto_ctx_ops_t *co_ctx_ops; 524 } crypto_ops_v1_t; 525 526 typedef struct crypto_ops_v2 { 527 crypto_ops_v1_t v1_ops; 528 crypto_mech_ops_t *co_mech_ops; 529 } crypto_ops_v2_t; 530 531 typedef struct crypto_ops_v3 { 532 crypto_ops_v2_t v2_ops; 533 crypto_nostore_key_ops_t *co_nostore_key_ops; 534 } crypto_ops_v3_t; 535 536 typedef struct crypto_ops_v4 { 537 crypto_ops_v3_t v3_ops; 538 crypto_fips140_ops_t *co_fips140_ops; 539 } crypto_ops_v4_t; 540 541 typedef struct crypto_ops { 542 union { 543 crypto_ops_v4_t cou_v4; 544 crypto_ops_v3_t cou_v3; 545 crypto_ops_v2_t cou_v2; 546 crypto_ops_v1_t cou_v1; 547 } cou; 548 } crypto_ops_t; 549 550 #define co_control_ops cou.cou_v1.co_control_ops 551 #define co_digest_ops cou.cou_v1.co_digest_ops 552 #define co_cipher_ops cou.cou_v1.co_cipher_ops 553 #define co_mac_ops cou.cou_v1.co_mac_ops 554 #define co_sign_ops cou.cou_v1.co_sign_ops 555 #define co_verify_ops cou.cou_v1.co_verify_ops 556 #define co_dual_ops cou.cou_v1.co_dual_ops 557 #define co_dual_cipher_mac_ops cou.cou_v1.co_dual_cipher_mac_ops 558 #define co_random_ops cou.cou_v1.co_random_ops 559 #define co_session_ops cou.cou_v1.co_session_ops 560 #define co_object_ops cou.cou_v1.co_object_ops 561 #define co_key_ops cou.cou_v1.co_key_ops 562 #define co_provider_ops cou.cou_v1.co_provider_ops 563 #define co_ctx_ops cou.cou_v1.co_ctx_ops 564 #define co_mech_ops cou.cou_v2.co_mech_ops 565 #define co_nostore_key_ops cou.cou_v3.co_nostore_key_ops 566 #define co_fips140_ops cou.cou_v4.co_fips140_ops 567 568 /* 569 * Provider device specification passed during registration. 570 * 571 * Software providers set the pi_provider_type field of provider_info_t 572 * to CRYPTO_SW_PROVIDER, and set the pd_sw field of 573 * crypto_provider_dev_t to the address of their modlinkage. 574 * 575 * Hardware providers set the pi_provider_type field of provider_info_t 576 * to CRYPTO_HW_PROVIDER, and set the pd_hw field of 577 * crypto_provider_dev_t to the dev_info structure corresponding 578 * to the device instance being registered. 579 * 580 * Logical providers set the pi_provider_type field of provider_info_t 581 * to CRYPTO_LOGICAL_PROVIDER, and set the pd_hw field of 582 * crypto_provider_dev_t to the dev_info structure corresponding 583 * to the device instance being registered. 584 */ 585 586 typedef union crypto_provider_dev { 587 struct modlinkage *pd_sw; /* for CRYPTO_SW_PROVIDER */ 588 dev_info_t *pd_hw; /* for CRYPTO_HW_PROVIDER */ 589 } crypto_provider_dev_t; 590 591 #endif /* _KERNEL */ 592 593 /* 594 * The mechanism info structure crypto_mech_info_t contains a function group 595 * bit mask cm_func_group_mask. This field, of type crypto_func_group_t, 596 * specifies the provider entry point that can be used a particular 597 * mechanism. The function group mask is a combination of the following values. 598 */ 599 600 typedef uint32_t crypto_func_group_t; 601 602 #define CRYPTO_FG_ENCRYPT 0x00000001 /* encrypt_init() */ 603 #define CRYPTO_FG_DECRYPT 0x00000002 /* decrypt_init() */ 604 #define CRYPTO_FG_DIGEST 0x00000004 /* digest_init() */ 605 #define CRYPTO_FG_SIGN 0x00000008 /* sign_init() */ 606 #define CRYPTO_FG_SIGN_RECOVER 0x00000010 /* sign_recover_init() */ 607 #define CRYPTO_FG_VERIFY 0x00000020 /* verify_init() */ 608 #define CRYPTO_FG_VERIFY_RECOVER 0x00000040 /* verify_recover_init() */ 609 #define CRYPTO_FG_GENERATE 0x00000080 /* key_generate() */ 610 #define CRYPTO_FG_GENERATE_KEY_PAIR 0x00000100 /* key_generate_pair() */ 611 #define CRYPTO_FG_WRAP 0x00000200 /* key_wrap() */ 612 #define CRYPTO_FG_UNWRAP 0x00000400 /* key_unwrap() */ 613 #define CRYPTO_FG_DERIVE 0x00000800 /* key_derive() */ 614 #define CRYPTO_FG_MAC 0x00001000 /* mac_init() */ 615 #define CRYPTO_FG_ENCRYPT_MAC 0x00002000 /* encrypt_mac_init() */ 616 #define CRYPTO_FG_MAC_DECRYPT 0x00004000 /* decrypt_mac_init() */ 617 #define CRYPTO_FG_ENCRYPT_ATOMIC 0x00008000 /* encrypt_atomic() */ 618 #define CRYPTO_FG_DECRYPT_ATOMIC 0x00010000 /* decrypt_atomic() */ 619 #define CRYPTO_FG_MAC_ATOMIC 0x00020000 /* mac_atomic() */ 620 #define CRYPTO_FG_DIGEST_ATOMIC 0x00040000 /* digest_atomic() */ 621 #define CRYPTO_FG_SIGN_ATOMIC 0x00080000 /* sign_atomic() */ 622 #define CRYPTO_FG_SIGN_RECOVER_ATOMIC 0x00100000 /* sign_recover_atomic() */ 623 #define CRYPTO_FG_VERIFY_ATOMIC 0x00200000 /* verify_atomic() */ 624 #define CRYPTO_FG_VERIFY_RECOVER_ATOMIC 0x00400000 /* verify_recover_atomic() */ 625 #define CRYPTO_FG_ENCRYPT_MAC_ATOMIC 0x00800000 /* encrypt_mac_atomic() */ 626 #define CRYPTO_FG_MAC_DECRYPT_ATOMIC 0x01000000 /* mac_decrypt_atomic() */ 627 #define CRYPTO_FG_RESERVED 0x80000000 628 629 /* 630 * Maximum length of the pi_provider_description field of the 631 * crypto_provider_info structure. 632 */ 633 #define CRYPTO_PROVIDER_DESCR_MAX_LEN 64 634 635 #ifdef _KERNEL 636 637 /* Bit mask for all the simple operations */ 638 #define CRYPTO_FG_SIMPLEOP_MASK (CRYPTO_FG_ENCRYPT | CRYPTO_FG_DECRYPT | \ 639 CRYPTO_FG_DIGEST | CRYPTO_FG_SIGN | CRYPTO_FG_VERIFY | CRYPTO_FG_MAC | \ 640 CRYPTO_FG_ENCRYPT_ATOMIC | CRYPTO_FG_DECRYPT_ATOMIC | \ 641 CRYPTO_FG_MAC_ATOMIC | CRYPTO_FG_DIGEST_ATOMIC | CRYPTO_FG_SIGN_ATOMIC | \ 642 CRYPTO_FG_VERIFY_ATOMIC) 643 644 /* Bit mask for all the dual operations */ 645 #define CRYPTO_FG_MAC_CIPHER_MASK (CRYPTO_FG_ENCRYPT_MAC | \ 646 CRYPTO_FG_MAC_DECRYPT | CRYPTO_FG_ENCRYPT_MAC_ATOMIC | \ 647 CRYPTO_FG_MAC_DECRYPT_ATOMIC) 648 649 /* Add other combos to CRYPTO_FG_DUAL_MASK */ 650 #define CRYPTO_FG_DUAL_MASK CRYPTO_FG_MAC_CIPHER_MASK 651 652 /* 653 * The crypto_mech_info structure specifies one of the mechanisms 654 * supported by a cryptographic provider. The pi_mechanisms field of 655 * the crypto_provider_info structure contains a pointer to an array 656 * of crypto_mech_info's. 657 */ 658 typedef struct crypto_mech_info { 659 crypto_mech_name_t cm_mech_name; 660 crypto_mech_type_t cm_mech_number; 661 crypto_func_group_t cm_func_group_mask; 662 ssize_t cm_min_key_length; 663 ssize_t cm_max_key_length; 664 uint32_t cm_mech_flags; 665 } crypto_mech_info_t; 666 667 /* Alias the old name to the new name for compatibility. */ 668 #define cm_keysize_unit cm_mech_flags 669 670 /* 671 * crypto_kcf_provider_handle_t is a handle allocated by the kernel. 672 * It is returned after the provider registers with 673 * crypto_register_provider(), and must be specified by the provider 674 * when calling crypto_unregister_provider(), and 675 * crypto_provider_notification(). 676 */ 677 typedef uint_t crypto_kcf_provider_handle_t; 678 679 /* 680 * Provider information. Passed as argument to crypto_register_provider(9F). 681 * Describes the provider and its capabilities. Multiple providers can 682 * register for the same device instance. In this case, the same 683 * pi_provider_dev must be specified with a different pi_provider_handle. 684 */ 685 typedef struct crypto_provider_info_v1 { 686 uint_t pi_interface_version; 687 char *pi_provider_description; 688 crypto_provider_type_t pi_provider_type; 689 crypto_provider_dev_t pi_provider_dev; 690 crypto_provider_handle_t pi_provider_handle; 691 crypto_ops_t *pi_ops_vector; 692 uint_t pi_mech_list_count; 693 crypto_mech_info_t *pi_mechanisms; 694 uint_t pi_logical_provider_count; 695 crypto_kcf_provider_handle_t *pi_logical_providers; 696 } crypto_provider_info_v1_t; 697 698 typedef struct crypto_provider_info_v2 { 699 crypto_provider_info_v1_t v1_info; 700 uint_t pi_flags; 701 } crypto_provider_info_v2_t; 702 703 typedef struct crypto_provider_info { 704 union { 705 crypto_provider_info_v2_t piu_v2; 706 crypto_provider_info_v1_t piu_v1; 707 } piu; 708 } crypto_provider_info_t; 709 710 #define pi_interface_version piu.piu_v1.pi_interface_version 711 #define pi_provider_description piu.piu_v1.pi_provider_description 712 #define pi_provider_type piu.piu_v1.pi_provider_type 713 #define pi_provider_dev piu.piu_v1.pi_provider_dev 714 #define pi_provider_handle piu.piu_v1.pi_provider_handle 715 #define pi_ops_vector piu.piu_v1.pi_ops_vector 716 #define pi_mech_list_count piu.piu_v1.pi_mech_list_count 717 #define pi_mechanisms piu.piu_v1.pi_mechanisms 718 #define pi_logical_provider_count piu.piu_v1.pi_logical_provider_count 719 #define pi_logical_providers piu.piu_v1.pi_logical_providers 720 #define pi_flags piu.piu_v2.pi_flags 721 722 /* hidden providers can only be accessed via a logical provider */ 723 #define CRYPTO_HIDE_PROVIDER 0x00000001 724 /* 725 * provider can not do multi-part digest (updates) and has a limit 726 * on maximum input data that it can digest. The provider sets 727 * this value in crypto_provider_ext_info_t by implementing 728 * the ext_info entry point in the co_provider_ops vector. 729 */ 730 #define CRYPTO_HASH_NO_UPDATE 0x00000002 731 /* 732 * provider can not do multi-part HMAC (updates) and has a limit 733 * on maximum input data that it can hmac. The provider sets 734 * this value in crypto_provider_ext_info_t by implementing 735 * the ext_info entry point in the co_provider_ops vector. 736 */ 737 #define CRYPTO_HMAC_NO_UPDATE 0x00000008 738 739 /* provider can handle the request without returning a CRYPTO_QUEUED */ 740 #define CRYPTO_SYNCHRONOUS 0x00000004 741 742 #define CRYPTO_PIFLAGS_RESERVED2 0x40000000 743 #define CRYPTO_PIFLAGS_RESERVED1 0x80000000 744 745 /* 746 * Provider status passed by a provider to crypto_provider_notification(9F) 747 * and returned by the provider_stauts(9E) entry point. 748 */ 749 #define CRYPTO_PROVIDER_READY 0 750 #define CRYPTO_PROVIDER_BUSY 1 751 #define CRYPTO_PROVIDER_FAILED 2 752 753 /* 754 * Functions exported by Solaris to cryptographic providers. Providers 755 * call these functions to register and unregister, notify the kernel 756 * of state changes, and notify the kernel when a asynchronous request 757 * completed. 758 */ 759 extern int crypto_register_provider(crypto_provider_info_t *, 760 crypto_kcf_provider_handle_t *); 761 extern int crypto_unregister_provider(crypto_kcf_provider_handle_t); 762 extern void crypto_provider_notification(crypto_kcf_provider_handle_t, uint_t); 763 extern void crypto_op_notification(crypto_req_handle_t, int); 764 extern int crypto_kmflag(crypto_req_handle_t); 765 766 #endif /* _KERNEL */ 767 768 #ifdef __cplusplus 769 } 770 #endif 771 772 #endif /* _SYS_CRYPTO_SPI_H */ 773