xref: /illumos-gate/usr/src/uts/common/sys/crypto/spi.h (revision f5fc5c043551e3eab595da7d8b5a53479207738f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_SYS_CRYPTO_SPI_H
27 #define	_SYS_CRYPTO_SPI_H
28 
29 /*
30  * CSPI: Cryptographic Service Provider Interface.
31  */
32 
33 #include <sys/types.h>
34 #include <sys/dditypes.h>
35 #include <sys/ddi.h>
36 #include <sys/kmem.h>
37 #include <sys/crypto/common.h>
38 
39 #ifdef	__cplusplus
40 extern "C" {
41 #endif
42 
43 #ifdef	_KERNEL
44 
45 #define	CRYPTO_SPI_VERSION_1	1
46 #define	CRYPTO_SPI_VERSION_2	2
47 #define	CRYPTO_SPI_VERSION_3	3
48 
49 /*
50  * Provider-private handle. This handle is specified by a provider
51  * when it registers by means of the pi_provider_handle field of
52  * the crypto_provider_info structure, and passed to the provider
53  * when its entry points are invoked.
54  */
55 typedef void *crypto_provider_handle_t;
56 
57 /*
58  * Context templates can be used to by software providers to pre-process
59  * keying material, such as key schedules. They are allocated by
60  * a software provider create_ctx_template(9E) entry point, and passed
61  * as argument to initialization and atomic provider entry points.
62  */
63 typedef void *crypto_spi_ctx_template_t;
64 
65 /*
66  * Request handles are used by the kernel to identify an asynchronous
67  * request being processed by a provider. It is passed by the kernel
68  * to a hardware provider when submitting a request, and must be
69  * specified by a provider when calling crypto_op_notification(9F)
70  */
71 typedef void *crypto_req_handle_t;
72 
73 /* Values for cc_flags field */
74 #define	CRYPTO_INIT_OPSTATE	0x00000001 /* allocate and init cc_opstate */
75 #define	CRYPTO_USE_OPSTATE	0x00000002 /* .. start using it as context */
76 
77 /*
78  * The context structure is passed from the kernel to a provider.
79  * It contains the information needed to process a multi-part or
80  * single part operation. The context structure is not used
81  * by atomic operations.
82  *
83  * Parameters needed to perform a cryptographic operation, such
84  * as keys, mechanisms, input and output buffers, are passed
85  * as separate arguments to Provider routines.
86  */
87 typedef struct crypto_ctx {
88 	crypto_provider_handle_t cc_provider;
89 	crypto_session_id_t	cc_session;
90 	void			*cc_provider_private;	/* owned by provider */
91 	void			*cc_framework_private;	/* owned by framework */
92 	uint32_t		cc_flags;		/* flags */
93 	void			*cc_opstate;		/* state */
94 } crypto_ctx_t;
95 
96 /*
97  * Extended provider information.
98  */
99 
100 /*
101  * valid values for ei_flags field of extended info structure
102  * They match the RSA Security, Inc PKCS#11 tokenInfo flags.
103  */
104 #define	CRYPTO_EXTF_RNG					0x00000001
105 #define	CRYPTO_EXTF_WRITE_PROTECTED			0x00000002
106 #define	CRYPTO_EXTF_LOGIN_REQUIRED			0x00000004
107 #define	CRYPTO_EXTF_USER_PIN_INITIALIZED		0x00000008
108 #define	CRYPTO_EXTF_CLOCK_ON_TOKEN			0x00000040
109 #define	CRYPTO_EXTF_PROTECTED_AUTHENTICATION_PATH	0x00000100
110 #define	CRYPTO_EXTF_DUAL_CRYPTO_OPERATIONS		0x00000200
111 #define	CRYPTO_EXTF_TOKEN_INITIALIZED			0x00000400
112 #define	CRYPTO_EXTF_USER_PIN_COUNT_LOW			0x00010000
113 #define	CRYPTO_EXTF_USER_PIN_FINAL_TRY			0x00020000
114 #define	CRYPTO_EXTF_USER_PIN_LOCKED			0x00040000
115 #define	CRYPTO_EXTF_USER_PIN_TO_BE_CHANGED		0x00080000
116 #define	CRYPTO_EXTF_SO_PIN_COUNT_LOW			0x00100000
117 #define	CRYPTO_EXTF_SO_PIN_FINAL_TRY			0x00200000
118 #define	CRYPTO_EXTF_SO_PIN_LOCKED			0x00400000
119 #define	CRYPTO_EXTF_SO_PIN_TO_BE_CHANGED		0x00800000
120 
121 /*
122  * The crypto_control_ops structure contains pointers to control
123  * operations for cryptographic providers.  It is passed through
124  * the crypto_ops(9S) structure when providers register with the
125  * kernel using crypto_register_provider(9F).
126  */
127 typedef struct crypto_control_ops {
128 	void (*provider_status)(crypto_provider_handle_t, uint_t *);
129 } crypto_control_ops_t;
130 
131 /*
132  * The crypto_ctx_ops structure contains points to context and context
133  * templates management operations for cryptographic providers. It is
134  * passed through the crypto_ops(9S) structure when providers register
135  * with the kernel using crypto_register_provider(9F).
136  */
137 typedef struct crypto_ctx_ops {
138 	int (*create_ctx_template)(crypto_provider_handle_t,
139 	    crypto_mechanism_t *, crypto_key_t *,
140 	    crypto_spi_ctx_template_t *, size_t *, crypto_req_handle_t);
141 	int (*free_context)(crypto_ctx_t *);
142 } crypto_ctx_ops_t;
143 
144 /*
145  * The crypto_digest_ops structure contains pointers to digest
146  * operations for cryptographic providers.  It is passed through
147  * the crypto_ops(9S) structure when providers register with the
148  * kernel using crypto_register_provider(9F).
149  */
150 typedef struct crypto_digest_ops {
151 	int (*digest_init)(crypto_ctx_t *, crypto_mechanism_t *,
152 	    crypto_req_handle_t);
153 	int (*digest)(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
154 	    crypto_req_handle_t);
155 	int (*digest_update)(crypto_ctx_t *, crypto_data_t *,
156 	    crypto_req_handle_t);
157 	int (*digest_key)(crypto_ctx_t *, crypto_key_t *, crypto_req_handle_t);
158 	int (*digest_final)(crypto_ctx_t *, crypto_data_t *,
159 	    crypto_req_handle_t);
160 	int (*digest_atomic)(crypto_provider_handle_t, crypto_session_id_t,
161 	    crypto_mechanism_t *, crypto_data_t *,
162 	    crypto_data_t *, crypto_req_handle_t);
163 } crypto_digest_ops_t;
164 
165 /*
166  * The crypto_cipher_ops structure contains pointers to encryption
167  * and decryption operations for cryptographic providers.  It is
168  * passed through the crypto_ops(9S) structure when providers register
169  * with the kernel using crypto_register_provider(9F).
170  */
171 typedef struct crypto_cipher_ops {
172 	int (*encrypt_init)(crypto_ctx_t *,
173 	    crypto_mechanism_t *, crypto_key_t *,
174 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
175 	int (*encrypt)(crypto_ctx_t *,
176 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
177 	int (*encrypt_update)(crypto_ctx_t *,
178 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
179 	int (*encrypt_final)(crypto_ctx_t *,
180 	    crypto_data_t *, crypto_req_handle_t);
181 	int (*encrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t,
182 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
183 	    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
184 
185 	int (*decrypt_init)(crypto_ctx_t *,
186 	    crypto_mechanism_t *, crypto_key_t *,
187 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
188 	int (*decrypt)(crypto_ctx_t *,
189 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
190 	int (*decrypt_update)(crypto_ctx_t *,
191 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
192 	int (*decrypt_final)(crypto_ctx_t *,
193 	    crypto_data_t *, crypto_req_handle_t);
194 	int (*decrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t,
195 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
196 	    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
197 } crypto_cipher_ops_t;
198 
199 /*
200  * The crypto_mac_ops structure contains pointers to MAC
201  * operations for cryptographic providers.  It is passed through
202  * the crypto_ops(9S) structure when providers register with the
203  * kernel using crypto_register_provider(9F).
204  */
205 typedef struct crypto_mac_ops {
206 	int (*mac_init)(crypto_ctx_t *,
207 	    crypto_mechanism_t *, crypto_key_t *,
208 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
209 	int (*mac)(crypto_ctx_t *,
210 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
211 	int (*mac_update)(crypto_ctx_t *,
212 	    crypto_data_t *, crypto_req_handle_t);
213 	int (*mac_final)(crypto_ctx_t *,
214 	    crypto_data_t *, crypto_req_handle_t);
215 	int (*mac_atomic)(crypto_provider_handle_t, crypto_session_id_t,
216 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
217 	    crypto_data_t *, crypto_spi_ctx_template_t,
218 	    crypto_req_handle_t);
219 	int (*mac_verify_atomic)(crypto_provider_handle_t, crypto_session_id_t,
220 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
221 	    crypto_data_t *, crypto_spi_ctx_template_t,
222 	    crypto_req_handle_t);
223 } crypto_mac_ops_t;
224 
225 /*
226  * The crypto_sign_ops structure contains pointers to signing
227  * operations for cryptographic providers.  It is passed through
228  * the crypto_ops(9S) structure when providers register with the
229  * kernel using crypto_register_provider(9F).
230  */
231 typedef struct crypto_sign_ops {
232 	int (*sign_init)(crypto_ctx_t *,
233 	    crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t,
234 	    crypto_req_handle_t);
235 	int (*sign)(crypto_ctx_t *,
236 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
237 	int (*sign_update)(crypto_ctx_t *,
238 	    crypto_data_t *, crypto_req_handle_t);
239 	int (*sign_final)(crypto_ctx_t *,
240 	    crypto_data_t *, crypto_req_handle_t);
241 	int (*sign_atomic)(crypto_provider_handle_t, crypto_session_id_t,
242 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
243 	    crypto_data_t *, crypto_spi_ctx_template_t,
244 	    crypto_req_handle_t);
245 	int (*sign_recover_init)(crypto_ctx_t *, crypto_mechanism_t *,
246 	    crypto_key_t *, crypto_spi_ctx_template_t,
247 	    crypto_req_handle_t);
248 	int (*sign_recover)(crypto_ctx_t *,
249 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
250 	int (*sign_recover_atomic)(crypto_provider_handle_t,
251 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
252 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
253 	    crypto_req_handle_t);
254 } crypto_sign_ops_t;
255 
256 /*
257  * The crypto_verify_ops structure contains pointers to verify
258  * operations for cryptographic providers.  It is passed through
259  * the crypto_ops(9S) structure when providers register with the
260  * kernel using crypto_register_provider(9F).
261  */
262 typedef struct crypto_verify_ops {
263 	int (*verify_init)(crypto_ctx_t *,
264 	    crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t,
265 	    crypto_req_handle_t);
266 	int (*verify)(crypto_ctx_t *,
267 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
268 	int (*verify_update)(crypto_ctx_t *,
269 	    crypto_data_t *, crypto_req_handle_t);
270 	int (*verify_final)(crypto_ctx_t *,
271 	    crypto_data_t *, crypto_req_handle_t);
272 	int (*verify_atomic)(crypto_provider_handle_t, crypto_session_id_t,
273 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
274 	    crypto_data_t *, crypto_spi_ctx_template_t,
275 	    crypto_req_handle_t);
276 	int (*verify_recover_init)(crypto_ctx_t *, crypto_mechanism_t *,
277 	    crypto_key_t *, crypto_spi_ctx_template_t,
278 	    crypto_req_handle_t);
279 	int (*verify_recover)(crypto_ctx_t *,
280 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
281 	int (*verify_recover_atomic)(crypto_provider_handle_t,
282 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
283 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
284 	    crypto_req_handle_t);
285 } crypto_verify_ops_t;
286 
287 /*
288  * The crypto_dual_ops structure contains pointers to dual
289  * cipher and sign/verify operations for cryptographic providers.
290  * It is passed through the crypto_ops(9S) structure when
291  * providers register with the kernel using
292  * crypto_register_provider(9F).
293  */
294 typedef struct crypto_dual_ops {
295 	int (*digest_encrypt_update)(
296 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
297 	    crypto_data_t *, crypto_req_handle_t);
298 	int (*decrypt_digest_update)(
299 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
300 	    crypto_data_t *, crypto_req_handle_t);
301 	int (*sign_encrypt_update)(
302 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
303 	    crypto_data_t *, crypto_req_handle_t);
304 	int (*decrypt_verify_update)(
305 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
306 	    crypto_data_t *, crypto_req_handle_t);
307 } crypto_dual_ops_t;
308 
309 /*
310  * The crypto_dual_cipher_mac_ops structure contains pointers to dual
311  * cipher and MAC operations for cryptographic providers.
312  * It is passed through the crypto_ops(9S) structure when
313  * providers register with the kernel using
314  * crypto_register_provider(9F).
315  */
316 typedef struct crypto_dual_cipher_mac_ops {
317 	int (*encrypt_mac_init)(crypto_ctx_t *,
318 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
319 	    crypto_key_t *, crypto_spi_ctx_template_t,
320 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
321 	int (*encrypt_mac)(crypto_ctx_t *,
322 	    crypto_data_t *, crypto_dual_data_t *, crypto_data_t *,
323 	    crypto_req_handle_t);
324 	int (*encrypt_mac_update)(crypto_ctx_t *,
325 	    crypto_data_t *, crypto_dual_data_t *, crypto_req_handle_t);
326 	int (*encrypt_mac_final)(crypto_ctx_t *,
327 	    crypto_dual_data_t *, crypto_data_t *, crypto_req_handle_t);
328 	int (*encrypt_mac_atomic)(crypto_provider_handle_t, crypto_session_id_t,
329 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
330 	    crypto_key_t *, crypto_data_t *, crypto_dual_data_t *,
331 	    crypto_data_t *, crypto_spi_ctx_template_t,
332 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
333 
334 	int (*mac_decrypt_init)(crypto_ctx_t *,
335 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
336 	    crypto_key_t *, crypto_spi_ctx_template_t,
337 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
338 	int (*mac_decrypt)(crypto_ctx_t *,
339 	    crypto_dual_data_t *, crypto_data_t *, crypto_data_t *,
340 	    crypto_req_handle_t);
341 	int (*mac_decrypt_update)(crypto_ctx_t *,
342 	    crypto_dual_data_t *, crypto_data_t *, crypto_req_handle_t);
343 	int (*mac_decrypt_final)(crypto_ctx_t *,
344 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
345 	int (*mac_decrypt_atomic)(crypto_provider_handle_t,
346 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
347 	    crypto_mechanism_t *, crypto_key_t *, crypto_dual_data_t *,
348 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
349 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
350 	int (*mac_verify_decrypt_atomic)(crypto_provider_handle_t,
351 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
352 	    crypto_mechanism_t *, crypto_key_t *, crypto_dual_data_t *,
353 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
354 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
355 } crypto_dual_cipher_mac_ops_t;
356 
357 /*
358  * The crypto_random_number_ops structure contains pointers to random
359  * number operations for cryptographic providers.  It is passed through
360  * the crypto_ops(9S) structure when providers register with the
361  * kernel using crypto_register_provider(9F).
362  */
363 typedef struct crypto_random_number_ops {
364 	int (*seed_random)(crypto_provider_handle_t, crypto_session_id_t,
365 	    uchar_t *, size_t, uint_t, uint32_t, crypto_req_handle_t);
366 	int (*generate_random)(crypto_provider_handle_t, crypto_session_id_t,
367 	    uchar_t *, size_t, crypto_req_handle_t);
368 } crypto_random_number_ops_t;
369 
370 /*
371  * Flag values for seed_random.
372  */
373 #define	CRYPTO_SEED_NOW		0x00000001
374 
375 /*
376  * The crypto_session_ops structure contains pointers to session
377  * operations for cryptographic providers.  It is passed through
378  * the crypto_ops(9S) structure when providers register with the
379  * kernel using crypto_register_provider(9F).
380  */
381 typedef struct crypto_session_ops {
382 	int (*session_open)(crypto_provider_handle_t, crypto_session_id_t *,
383 	    crypto_req_handle_t);
384 	int (*session_close)(crypto_provider_handle_t, crypto_session_id_t,
385 	    crypto_req_handle_t);
386 	int (*session_login)(crypto_provider_handle_t, crypto_session_id_t,
387 	    crypto_user_type_t, char *, size_t, crypto_req_handle_t);
388 	int (*session_logout)(crypto_provider_handle_t, crypto_session_id_t,
389 	    crypto_req_handle_t);
390 } crypto_session_ops_t;
391 
392 /*
393  * The crypto_object_ops structure contains pointers to object
394  * operations for cryptographic providers.  It is passed through
395  * the crypto_ops(9S) structure when providers register with the
396  * kernel using crypto_register_provider(9F).
397  */
398 typedef struct crypto_object_ops {
399 	int (*object_create)(crypto_provider_handle_t, crypto_session_id_t,
400 	    crypto_object_attribute_t *, uint_t, crypto_object_id_t *,
401 	    crypto_req_handle_t);
402 	int (*object_copy)(crypto_provider_handle_t, crypto_session_id_t,
403 	    crypto_object_id_t, crypto_object_attribute_t *, uint_t,
404 	    crypto_object_id_t *, crypto_req_handle_t);
405 	int (*object_destroy)(crypto_provider_handle_t, crypto_session_id_t,
406 	    crypto_object_id_t, crypto_req_handle_t);
407 	int (*object_get_size)(crypto_provider_handle_t, crypto_session_id_t,
408 	    crypto_object_id_t, size_t *, crypto_req_handle_t);
409 	int (*object_get_attribute_value)(crypto_provider_handle_t,
410 	    crypto_session_id_t, crypto_object_id_t,
411 	    crypto_object_attribute_t *, uint_t, crypto_req_handle_t);
412 	int (*object_set_attribute_value)(crypto_provider_handle_t,
413 	    crypto_session_id_t, crypto_object_id_t,
414 	    crypto_object_attribute_t *,  uint_t, crypto_req_handle_t);
415 	int (*object_find_init)(crypto_provider_handle_t, crypto_session_id_t,
416 	    crypto_object_attribute_t *, uint_t, void **,
417 	    crypto_req_handle_t);
418 	int (*object_find)(crypto_provider_handle_t, void *,
419 	    crypto_object_id_t *, uint_t, uint_t *, crypto_req_handle_t);
420 	int (*object_find_final)(crypto_provider_handle_t, void *,
421 	    crypto_req_handle_t);
422 } crypto_object_ops_t;
423 
424 /*
425  * The crypto_key_ops structure contains pointers to key
426  * operations for cryptographic providers.  It is passed through
427  * the crypto_ops(9S) structure when providers register with the
428  * kernel using crypto_register_provider(9F).
429  */
430 typedef struct crypto_key_ops {
431 	int (*key_generate)(crypto_provider_handle_t, crypto_session_id_t,
432 	    crypto_mechanism_t *, crypto_object_attribute_t *, uint_t,
433 	    crypto_object_id_t *, crypto_req_handle_t);
434 	int (*key_generate_pair)(crypto_provider_handle_t, crypto_session_id_t,
435 	    crypto_mechanism_t *, crypto_object_attribute_t *, uint_t,
436 	    crypto_object_attribute_t *, uint_t, crypto_object_id_t *,
437 	    crypto_object_id_t *, crypto_req_handle_t);
438 	int (*key_wrap)(crypto_provider_handle_t, crypto_session_id_t,
439 	    crypto_mechanism_t *, crypto_key_t *, crypto_object_id_t *,
440 	    uchar_t *, size_t *, crypto_req_handle_t);
441 	int (*key_unwrap)(crypto_provider_handle_t, crypto_session_id_t,
442 	    crypto_mechanism_t *, crypto_key_t *, uchar_t *, size_t *,
443 	    crypto_object_attribute_t *, uint_t,
444 	    crypto_object_id_t *, crypto_req_handle_t);
445 	int (*key_derive)(crypto_provider_handle_t, crypto_session_id_t,
446 	    crypto_mechanism_t *, crypto_key_t *, crypto_object_attribute_t *,
447 	    uint_t, crypto_object_id_t *, crypto_req_handle_t);
448 	int (*key_check)(crypto_provider_handle_t, crypto_mechanism_t *,
449 	    crypto_key_t *);
450 } crypto_key_ops_t;
451 
452 /*
453  * The crypto_provider_management_ops structure contains pointers
454  * to management operations for cryptographic providers.  It is passed
455  * through the crypto_ops(9S) structure when providers register with the
456  * kernel using crypto_register_provider(9F).
457  */
458 typedef struct crypto_provider_management_ops {
459 	int (*ext_info)(crypto_provider_handle_t,
460 	    crypto_provider_ext_info_t *, crypto_req_handle_t);
461 	int (*init_token)(crypto_provider_handle_t, char *, size_t,
462 	    char *, crypto_req_handle_t);
463 	int (*init_pin)(crypto_provider_handle_t, crypto_session_id_t,
464 	    char *, size_t, crypto_req_handle_t);
465 	int (*set_pin)(crypto_provider_handle_t, crypto_session_id_t,
466 	    char *, size_t, char *, size_t, crypto_req_handle_t);
467 } crypto_provider_management_ops_t;
468 
469 typedef struct crypto_mech_ops {
470 	int (*copyin_mechanism)(crypto_provider_handle_t,
471 	    crypto_mechanism_t *, crypto_mechanism_t *, int *, int);
472 	int (*copyout_mechanism)(crypto_provider_handle_t,
473 	    crypto_mechanism_t *, crypto_mechanism_t *, int *, int);
474 	int (*free_mechanism)(crypto_provider_handle_t, crypto_mechanism_t *);
475 } crypto_mech_ops_t;
476 
477 typedef struct crypto_nostore_key_ops {
478 	int (*nostore_key_generate)(crypto_provider_handle_t,
479 	    crypto_session_id_t, crypto_mechanism_t *,
480 	    crypto_object_attribute_t *, uint_t, crypto_object_attribute_t *,
481 	    uint_t, crypto_req_handle_t);
482 	int (*nostore_key_generate_pair)(crypto_provider_handle_t,
483 	    crypto_session_id_t, crypto_mechanism_t *,
484 	    crypto_object_attribute_t *, uint_t, crypto_object_attribute_t *,
485 	    uint_t, crypto_object_attribute_t *, uint_t,
486 	    crypto_object_attribute_t *, uint_t, crypto_req_handle_t);
487 	int (*nostore_key_derive)(crypto_provider_handle_t, crypto_session_id_t,
488 	    crypto_mechanism_t *, crypto_key_t *, crypto_object_attribute_t *,
489 	    uint_t, crypto_object_attribute_t *, uint_t, crypto_req_handle_t);
490 } crypto_nostore_key_ops_t;
491 
492 /*
493  * The crypto_ops(9S) structure contains the structures containing
494  * the pointers to functions implemented by cryptographic providers.
495  * It is specified as part of the crypto_provider_info(9S)
496  * supplied by a provider when it registers with the kernel
497  * by calling crypto_register_provider(9F).
498  */
499 typedef struct crypto_ops_v1 {
500 	crypto_control_ops_t			*co_control_ops;
501 	crypto_digest_ops_t			*co_digest_ops;
502 	crypto_cipher_ops_t			*co_cipher_ops;
503 	crypto_mac_ops_t			*co_mac_ops;
504 	crypto_sign_ops_t			*co_sign_ops;
505 	crypto_verify_ops_t			*co_verify_ops;
506 	crypto_dual_ops_t			*co_dual_ops;
507 	crypto_dual_cipher_mac_ops_t		*co_dual_cipher_mac_ops;
508 	crypto_random_number_ops_t		*co_random_ops;
509 	crypto_session_ops_t			*co_session_ops;
510 	crypto_object_ops_t			*co_object_ops;
511 	crypto_key_ops_t			*co_key_ops;
512 	crypto_provider_management_ops_t	*co_provider_ops;
513 	crypto_ctx_ops_t			*co_ctx_ops;
514 } crypto_ops_v1_t;
515 
516 typedef struct crypto_ops_v2 {
517 	crypto_ops_v1_t				v1_ops;
518 	crypto_mech_ops_t			*co_mech_ops;
519 } crypto_ops_v2_t;
520 
521 typedef struct crypto_ops_v3 {
522 	crypto_ops_v2_t				v2_ops;
523 	crypto_nostore_key_ops_t		*co_nostore_key_ops;
524 } crypto_ops_v3_t;
525 
526 typedef struct crypto_ops {
527 	union {
528 		crypto_ops_v3_t	cou_v3;
529 		crypto_ops_v2_t	cou_v2;
530 		crypto_ops_v1_t	cou_v1;
531 	} cou;
532 } crypto_ops_t;
533 
534 #define	co_control_ops			cou.cou_v1.co_control_ops
535 #define	co_digest_ops			cou.cou_v1.co_digest_ops
536 #define	co_cipher_ops			cou.cou_v1.co_cipher_ops
537 #define	co_mac_ops			cou.cou_v1.co_mac_ops
538 #define	co_sign_ops			cou.cou_v1.co_sign_ops
539 #define	co_verify_ops			cou.cou_v1.co_verify_ops
540 #define	co_dual_ops			cou.cou_v1.co_dual_ops
541 #define	co_dual_cipher_mac_ops		cou.cou_v1.co_dual_cipher_mac_ops
542 #define	co_random_ops			cou.cou_v1.co_random_ops
543 #define	co_session_ops			cou.cou_v1.co_session_ops
544 #define	co_object_ops			cou.cou_v1.co_object_ops
545 #define	co_key_ops			cou.cou_v1.co_key_ops
546 #define	co_provider_ops			cou.cou_v1.co_provider_ops
547 #define	co_ctx_ops			cou.cou_v1.co_ctx_ops
548 #define	co_mech_ops			cou.cou_v2.co_mech_ops
549 #define	co_nostore_key_ops		cou.cou_v3.co_nostore_key_ops
550 
551 /*
552  * Provider device specification passed during registration.
553  *
554  * Software providers set the pi_provider_type field of provider_info_t
555  * to CRYPTO_SW_PROVIDER, and set the pd_sw field of
556  * crypto_provider_dev_t to the address of their modlinkage.
557  *
558  * Hardware providers set the pi_provider_type field of provider_info_t
559  * to CRYPTO_HW_PROVIDER, and set the pd_hw field of
560  * crypto_provider_dev_t to the dev_info structure corresponding
561  * to the device instance being registered.
562  *
563  * Logical providers set the pi_provider_type field of provider_info_t
564  * to CRYPTO_LOGICAL_PROVIDER, and set the pd_hw field of
565  * crypto_provider_dev_t to the dev_info structure corresponding
566  * to the device instance being registered.
567  */
568 
569 typedef union crypto_provider_dev {
570 	struct modlinkage	*pd_sw; /* for CRYPTO_SW_PROVIDER */
571 	dev_info_t		*pd_hw; /* for CRYPTO_HW_PROVIDER */
572 } crypto_provider_dev_t;
573 
574 /*
575  * The mechanism info structure crypto_mech_info_t contains a function group
576  * bit mask cm_func_group_mask. This field, of type crypto_func_group_t,
577  * specifies the provider entry point that can be used a particular
578  * mechanism. The function group mask is a combination of the following values.
579  */
580 
581 typedef uint32_t crypto_func_group_t;
582 
583 #endif /* _KERNEL */
584 
585 #define	CRYPTO_FG_ENCRYPT		0x00000001 /* encrypt_init() */
586 #define	CRYPTO_FG_DECRYPT		0x00000002 /* decrypt_init() */
587 #define	CRYPTO_FG_DIGEST		0x00000004 /* digest_init() */
588 #define	CRYPTO_FG_SIGN			0x00000008 /* sign_init() */
589 #define	CRYPTO_FG_SIGN_RECOVER		0x00000010 /* sign_recover_init() */
590 #define	CRYPTO_FG_VERIFY		0x00000020 /* verify_init() */
591 #define	CRYPTO_FG_VERIFY_RECOVER	0x00000040 /* verify_recover_init() */
592 #define	CRYPTO_FG_GENERATE		0x00000080 /* key_generate() */
593 #define	CRYPTO_FG_GENERATE_KEY_PAIR	0x00000100 /* key_generate_pair() */
594 #define	CRYPTO_FG_WRAP			0x00000200 /* key_wrap() */
595 #define	CRYPTO_FG_UNWRAP		0x00000400 /* key_unwrap() */
596 #define	CRYPTO_FG_DERIVE		0x00000800 /* key_derive() */
597 #define	CRYPTO_FG_MAC			0x00001000 /* mac_init() */
598 #define	CRYPTO_FG_ENCRYPT_MAC		0x00002000 /* encrypt_mac_init() */
599 #define	CRYPTO_FG_MAC_DECRYPT		0x00004000 /* decrypt_mac_init() */
600 #define	CRYPTO_FG_ENCRYPT_ATOMIC	0x00008000 /* encrypt_atomic() */
601 #define	CRYPTO_FG_DECRYPT_ATOMIC	0x00010000 /* decrypt_atomic() */
602 #define	CRYPTO_FG_MAC_ATOMIC		0x00020000 /* mac_atomic() */
603 #define	CRYPTO_FG_DIGEST_ATOMIC		0x00040000 /* digest_atomic() */
604 #define	CRYPTO_FG_SIGN_ATOMIC		0x00080000 /* sign_atomic() */
605 #define	CRYPTO_FG_SIGN_RECOVER_ATOMIC   0x00100000 /* sign_recover_atomic() */
606 #define	CRYPTO_FG_VERIFY_ATOMIC		0x00200000 /* verify_atomic() */
607 #define	CRYPTO_FG_VERIFY_RECOVER_ATOMIC	0x00400000 /* verify_recover_atomic() */
608 #define	CRYPTO_FG_ENCRYPT_MAC_ATOMIC	0x00800000 /* encrypt_mac_atomic() */
609 #define	CRYPTO_FG_MAC_DECRYPT_ATOMIC	0x01000000 /* mac_decrypt_atomic() */
610 #define	CRYPTO_FG_RESERVED		0x80000000
611 
612 /*
613  * Maximum length of the pi_provider_description field of the
614  * crypto_provider_info structure.
615  */
616 #define	CRYPTO_PROVIDER_DESCR_MAX_LEN	64
617 
618 #ifdef _KERNEL
619 
620 /* Bit mask for all the simple operations */
621 #define	CRYPTO_FG_SIMPLEOP_MASK	(CRYPTO_FG_ENCRYPT | CRYPTO_FG_DECRYPT | \
622     CRYPTO_FG_DIGEST | CRYPTO_FG_SIGN | CRYPTO_FG_VERIFY | CRYPTO_FG_MAC | \
623     CRYPTO_FG_ENCRYPT_ATOMIC | CRYPTO_FG_DECRYPT_ATOMIC |		\
624     CRYPTO_FG_MAC_ATOMIC | CRYPTO_FG_DIGEST_ATOMIC | CRYPTO_FG_SIGN_ATOMIC | \
625     CRYPTO_FG_VERIFY_ATOMIC)
626 
627 /* Bit mask for all the dual operations */
628 #define	CRYPTO_FG_MAC_CIPHER_MASK	(CRYPTO_FG_ENCRYPT_MAC |	\
629     CRYPTO_FG_MAC_DECRYPT | CRYPTO_FG_ENCRYPT_MAC_ATOMIC | 		\
630     CRYPTO_FG_MAC_DECRYPT_ATOMIC)
631 
632 /* Add other combos to CRYPTO_FG_DUAL_MASK */
633 #define	CRYPTO_FG_DUAL_MASK	CRYPTO_FG_MAC_CIPHER_MASK
634 
635 /*
636  * The crypto_mech_info structure specifies one of the mechanisms
637  * supported by a cryptographic provider. The pi_mechanisms field of
638  * the crypto_provider_info structure contains a pointer to an array
639  * of crypto_mech_info's.
640  */
641 typedef struct crypto_mech_info {
642 	crypto_mech_name_t	cm_mech_name;
643 	crypto_mech_type_t	cm_mech_number;
644 	crypto_func_group_t	cm_func_group_mask;
645 	ssize_t			cm_min_key_length;
646 	ssize_t			cm_max_key_length;
647 	uint32_t		cm_mech_flags;
648 } crypto_mech_info_t;
649 
650 /* Alias the old name to the new name for compatibility. */
651 #define	cm_keysize_unit	cm_mech_flags
652 
653 /*
654  * The following is used by a provider that sets
655  * CRYPTO_HASH_NO_UPDATE. It needs to specify the maximum
656  * input data size it can digest in this field.
657  */
658 #define	cm_max_input_length	cm_max_key_length
659 
660 /*
661  * crypto_kcf_provider_handle_t is a handle allocated by the kernel.
662  * It is returned after the provider registers with
663  * crypto_register_provider(), and must be specified by the provider
664  * when calling crypto_unregister_provider(), and
665  * crypto_provider_notification().
666  */
667 typedef uint_t crypto_kcf_provider_handle_t;
668 
669 /*
670  * Provider information. Passed as argument to crypto_register_provider(9F).
671  * Describes the provider and its capabilities. Multiple providers can
672  * register for the same device instance. In this case, the same
673  * pi_provider_dev must be specified with a different pi_provider_handle.
674  */
675 typedef struct crypto_provider_info_v1 {
676 	uint_t				pi_interface_version;
677 	char				*pi_provider_description;
678 	crypto_provider_type_t		pi_provider_type;
679 	crypto_provider_dev_t		pi_provider_dev;
680 	crypto_provider_handle_t	pi_provider_handle;
681 	crypto_ops_t			*pi_ops_vector;
682 	uint_t				pi_mech_list_count;
683 	crypto_mech_info_t		*pi_mechanisms;
684 	uint_t				pi_logical_provider_count;
685 	crypto_kcf_provider_handle_t	*pi_logical_providers;
686 } crypto_provider_info_v1_t;
687 
688 typedef struct crypto_provider_info_v2 {
689 	crypto_provider_info_v1_t	v1_info;
690 	uint_t				pi_flags;
691 } crypto_provider_info_v2_t;
692 
693 typedef struct crypto_provider_info {
694 	union {
695 		crypto_provider_info_v2_t piu_v2;
696 		crypto_provider_info_v1_t piu_v1;
697 	} piu;
698 } crypto_provider_info_t;
699 
700 #define	pi_interface_version		piu.piu_v1.pi_interface_version
701 #define	pi_provider_description		piu.piu_v1.pi_provider_description
702 #define	pi_provider_type		piu.piu_v1.pi_provider_type
703 #define	pi_provider_dev			piu.piu_v1.pi_provider_dev
704 #define	pi_provider_handle		piu.piu_v1.pi_provider_handle
705 #define	pi_ops_vector			piu.piu_v1.pi_ops_vector
706 #define	pi_mech_list_count		piu.piu_v1.pi_mech_list_count
707 #define	pi_mechanisms			piu.piu_v1.pi_mechanisms
708 #define	pi_logical_provider_count	piu.piu_v1.pi_logical_provider_count
709 #define	pi_logical_providers		piu.piu_v1.pi_logical_providers
710 #define	pi_flags			piu.piu_v2.pi_flags
711 
712 /* hidden providers can only be accessed via a logical provider */
713 #define	CRYPTO_HIDE_PROVIDER		0x00000001
714 /*
715  * provider can not do multi-part digest (updates) and has a limit
716  * on maximum input data that it can digest.
717  */
718 #define	CRYPTO_HASH_NO_UPDATE		0x00000002
719 
720 /* provider can handle the request without returning a CRYPTO_QUEUED */
721 #define	CRYPTO_SYNCHRONOUS		0x00000004
722 
723 #define	CRYPTO_PIFLAGS_RESERVED2	0x40000000
724 #define	CRYPTO_PIFLAGS_RESERVED1	0x80000000
725 
726 /*
727  * Provider status passed by a provider to crypto_provider_notification(9F)
728  * and returned by the provider_stauts(9E) entry point.
729  */
730 #define	CRYPTO_PROVIDER_READY		0
731 #define	CRYPTO_PROVIDER_BUSY		1
732 #define	CRYPTO_PROVIDER_FAILED		2
733 
734 /*
735  * Functions exported by Solaris to cryptographic providers. Providers
736  * call these functions to register and unregister, notify the kernel
737  * of state changes, and notify the kernel when a asynchronous request
738  * completed.
739  */
740 extern int crypto_register_provider(crypto_provider_info_t *,
741 		crypto_kcf_provider_handle_t *);
742 extern int crypto_unregister_provider(crypto_kcf_provider_handle_t);
743 extern void crypto_provider_notification(crypto_kcf_provider_handle_t, uint_t);
744 extern void crypto_op_notification(crypto_req_handle_t, int);
745 extern int crypto_kmflag(crypto_req_handle_t);
746 
747 #endif	/* _KERNEL */
748 
749 #ifdef	__cplusplus
750 }
751 #endif
752 
753 #endif	/* _SYS_CRYPTO_SPI_H */
754