xref: /titanic_52/usr/src/uts/common/sys/crypto/impl.h (revision c29dc89d2742efe19b5c044d5d38f822279639b0)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_SYS_CRYPTO_IMPL_H
27 #define	_SYS_CRYPTO_IMPL_H
28 
29 /*
30  * Kernel Cryptographic Framework private implementation definitions.
31  */
32 
33 #include <sys/types.h>
34 #include <sys/param.h>
35 
36 #ifdef _KERNEL
37 #include <sys/crypto/common.h>
38 #include <sys/crypto/api.h>
39 #include <sys/crypto/spi.h>
40 #include <sys/crypto/ioctl.h>
41 #include <sys/tnf_probe.h>
42 #include <sys/atomic.h>
43 #include <sys/project.h>
44 #include <sys/taskq.h>
45 #include <sys/rctl.h>
46 #endif /* _KERNEL */
47 
48 #ifdef	__cplusplus
49 extern "C" {
50 #endif
51 
52 #ifdef _KERNEL
53 
54 #define	KCF_MODULE "kcf"
55 
56 /*
57  * Prefixes convention: structures internal to the kernel cryptographic
58  * framework start with 'kcf_'. Exposed structure start with 'crypto_'.
59  */
60 
61 /* Provider stats. Not protected. */
62 typedef	struct kcf_prov_stats {
63 	kstat_named_t	ps_ops_total;
64 	kstat_named_t	ps_ops_passed;
65 	kstat_named_t	ps_ops_failed;
66 	kstat_named_t	ps_ops_busy_rval;
67 } kcf_prov_stats_t;
68 
69 /* Various kcf stats. Not protected. */
70 typedef	struct kcf_stats {
71 	kstat_named_t	ks_thrs_in_pool;
72 	kstat_named_t	ks_idle_thrs;
73 	kstat_named_t	ks_minthrs;
74 	kstat_named_t	ks_maxthrs;
75 	kstat_named_t	ks_swq_njobs;
76 	kstat_named_t	ks_swq_maxjobs;
77 	kstat_named_t	ks_taskq_threads;
78 	kstat_named_t	ks_taskq_minalloc;
79 	kstat_named_t	ks_taskq_maxalloc;
80 } kcf_stats_t;
81 
82 /*
83  * Keep all the information needed by the scheduler from
84  * this provider.
85  */
86 typedef struct kcf_sched_info {
87 	/* The number of operations dispatched. */
88 	uint64_t	ks_ndispatches;
89 
90 	/* The number of operations that failed. */
91 	uint64_t	ks_nfails;
92 
93 	/* The number of operations that returned CRYPTO_BUSY. */
94 	uint64_t	ks_nbusy_rval;
95 
96 	/* taskq used to dispatch crypto requests */
97 	taskq_t	*ks_taskq;
98 } kcf_sched_info_t;
99 
100 /*
101  * pd_irefcnt approximates the number of inflight requests to the
102  * provider. Though we increment this counter during registration for
103  * other purposes, that base value is mostly same across all providers.
104  * So, it is a good measure of the load on a provider when it is not
105  * in a busy state. Once a provider notifies it is busy, requests
106  * backup in the taskq. So, we use tq_nalloc in that case which gives
107  * the number of task entries in the task queue. Note that we do not
108  * acquire any locks here as it is not critical to get the exact number
109  * and the lock contention may be too costly for this code path.
110  */
111 #define	KCF_PROV_LOAD(pd)	((pd)->pd_state != KCF_PROV_BUSY ?	\
112 	(pd)->pd_irefcnt : (pd)->pd_sched_info.ks_taskq->tq_nalloc)
113 
114 #define	KCF_PROV_INCRSTATS(pd, error)	{				\
115 	(pd)->pd_sched_info.ks_ndispatches++;				\
116 	if (error == CRYPTO_BUSY)					\
117 		(pd)->pd_sched_info.ks_nbusy_rval++;			\
118 	else if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED)	\
119 		(pd)->pd_sched_info.ks_nfails++;			\
120 }
121 
122 
123 /*
124  * The following two macros should be
125  * #define KCF_OPS_CLASSSIZE (KCF_LAST_OPSCLASS - KCF_FIRST_OPSCLASS + 2)
126  * #define KCF_MAXMECHTAB KCF_MAXCIPHER
127  *
128  * However, doing that would involve reorganizing the header file a bit.
129  * When impl.h is broken up (bug# 4703218), this will be done. For now,
130  * we hardcode these values.
131  */
132 #define	KCF_OPS_CLASSSIZE	8
133 #define	KCF_MAXMECHTAB		32
134 
135 /*
136  * Valid values for the state of a provider. The order of
137  * the elements is important.
138  *
139  * Routines which get a provider or the list of providers
140  * should pick only those that are either in KCF_PROV_READY state
141  * or in KCF_PROV_BUSY state.
142  */
143 typedef enum {
144 	KCF_PROV_ALLOCATED = 1,
145 	KCF_PROV_UNVERIFIED,
146 	KCF_PROV_VERIFICATION_FAILED,
147 	/*
148 	 * state < KCF_PROV_READY means the provider can not
149 	 * be used at all.
150 	 */
151 	KCF_PROV_READY,
152 	KCF_PROV_BUSY,
153 	/*
154 	 * state > KCF_PROV_BUSY means the provider can not
155 	 * be used for new requests.
156 	 */
157 	KCF_PROV_FAILED,
158 	/*
159 	 * Threads setting the following two states should do so only
160 	 * if the current state < KCF_PROV_DISABLED.
161 	 */
162 	KCF_PROV_DISABLED,
163 	KCF_PROV_REMOVED,
164 	KCF_PROV_FREED
165 } kcf_prov_state_t;
166 
167 #define	KCF_IS_PROV_UNVERIFIED(pd) ((pd)->pd_state == KCF_PROV_UNVERIFIED)
168 #define	KCF_IS_PROV_USABLE(pd) ((pd)->pd_state == KCF_PROV_READY || \
169 	(pd)->pd_state == KCF_PROV_BUSY)
170 #define	KCF_IS_PROV_REMOVED(pd)	((pd)->pd_state >= KCF_PROV_REMOVED)
171 
172 /* Internal flags valid for pd_flags field */
173 #define	KCF_PROV_RESTRICTED	0x40000000
174 #define	KCF_LPROV_MEMBER	0x80000000 /* is member of a logical provider */
175 
176 /*
177  * A provider descriptor structure. There is one such structure per
178  * provider. It is allocated and initialized at registration time and
179  * freed when the provider unregisters.
180  *
181  * pd_prov_type:	Provider type, hardware or software
182  * pd_sid:		Session ID of the provider used by kernel clients.
183  *			This is valid only for session-oriented providers.
184  * pd_refcnt:		Reference counter to this provider descriptor
185  * pd_irefcnt:		References held by the framework internal structs
186  * pd_lock:		lock protects pd_state and pd_provider_list
187  * pd_state:		State value of the provider
188  * pd_provider_list:	Used to cross-reference logical providers and their
189  *			members. Not used for software providers.
190  * pd_resume_cv:	cv to wait for state to change from KCF_PROV_BUSY
191  * pd_prov_handle:	Provider handle specified by provider
192  * pd_ops_vector:	The ops vector specified by Provider
193  * pd_mech_indx:	Lookup table which maps a core framework mechanism
194  *			number to an index in pd_mechanisms array
195  * pd_mechanisms:	Array of mechanisms supported by the provider, specified
196  *			by the provider during registration
197  * pd_sched_info:	Scheduling information associated with the provider
198  * pd_mech_list_count:	The number of entries in pi_mechanisms, specified
199  *			by the provider during registration
200  * pd_name:		Device name or module name
201  * pd_instance:		Device instance
202  * pd_module_id:	Module ID returned by modload
203  * pd_mctlp:		Pointer to modctl structure for this provider
204  * pd_remove_cv:	cv to wait on while the provider queue drains
205  * pd_description:	Provider description string
206  * pd_flags		bitwise OR of pi_flags from crypto_provider_info_t
207  *			and other internal flags defined above.
208  * pd_hash_limit	Maximum data size that hash mechanisms of this provider
209  * 			can support.
210  * pd_kcf_prov_handle:	KCF-private handle assigned by KCF
211  * pd_prov_id:		Identification # assigned by KCF to provider
212  * pd_kstat:		kstat associated with the provider
213  * pd_ks_data:		kstat data
214  */
215 typedef struct kcf_provider_desc {
216 	crypto_provider_type_t		pd_prov_type;
217 	crypto_session_id_t		pd_sid;
218 	uint_t				pd_refcnt;
219 	uint_t				pd_irefcnt;
220 	kmutex_t			pd_lock;
221 	kcf_prov_state_t		pd_state;
222 	struct kcf_provider_list	*pd_provider_list;
223 	kcondvar_t			pd_resume_cv;
224 	crypto_provider_handle_t	pd_prov_handle;
225 	crypto_ops_t			*pd_ops_vector;
226 	ushort_t			pd_mech_indx[KCF_OPS_CLASSSIZE]\
227 					    [KCF_MAXMECHTAB];
228 	crypto_mech_info_t		*pd_mechanisms;
229 	kcf_sched_info_t		pd_sched_info;
230 	uint_t				pd_mech_list_count;
231 	char				*pd_name;
232 	uint_t				pd_instance;
233 	int				pd_module_id;
234 	struct modctl			*pd_mctlp;
235 	kcondvar_t			pd_remove_cv;
236 	char				*pd_description;
237 	uint_t				pd_flags;
238 	uint_t				pd_hash_limit;
239 	crypto_kcf_provider_handle_t	pd_kcf_prov_handle;
240 	crypto_provider_id_t		pd_prov_id;
241 	kstat_t				*pd_kstat;
242 	kcf_prov_stats_t		pd_ks_data;
243 } kcf_provider_desc_t;
244 
245 /* useful for making a list of providers */
246 typedef struct kcf_provider_list {
247 	struct kcf_provider_list *pl_next;
248 	struct kcf_provider_desc *pl_provider;
249 } kcf_provider_list_t;
250 
251 /*
252  * If a component has a reference to a kcf_provider_desc_t,
253  * it REFHOLD()s. A new provider descriptor which is referenced only
254  * by the providers table has a reference counter of one.
255  */
256 #define	KCF_PROV_REFHOLD(desc) {		\
257 	atomic_add_32(&(desc)->pd_refcnt, 1);	\
258 	ASSERT((desc)->pd_refcnt != 0);		\
259 }
260 
261 #define	KCF_PROV_IREFHOLD(desc) {		\
262 	atomic_add_32(&(desc)->pd_irefcnt, 1);	\
263 	ASSERT((desc)->pd_irefcnt != 0);	\
264 }
265 
266 #define	KCF_PROV_IREFRELE(desc) {				\
267 	ASSERT((desc)->pd_irefcnt != 0);			\
268 	membar_exit();						\
269 	if (atomic_add_32_nv(&(desc)->pd_irefcnt, -1) == 0) {	\
270 		cv_broadcast(&(desc)->pd_remove_cv);		\
271 	}							\
272 }
273 
274 #define	KCF_PROV_REFHELD(desc)	((desc)->pd_refcnt >= 1)
275 
276 #define	KCF_PROV_REFRELE(desc) {				\
277 	ASSERT((desc)->pd_refcnt != 0);				\
278 	membar_exit();						\
279 	if (atomic_add_32_nv(&(desc)->pd_refcnt, -1) == 0) {	\
280 		kcf_provider_zero_refcnt((desc));		\
281 	}							\
282 }
283 
284 
285 /* list of crypto_mech_info_t valid as the second mech in a dual operation */
286 
287 typedef	struct crypto_mech_info_list {
288 	struct crypto_mech_info_list	*ml_next;
289 	crypto_mech_type_t		ml_kcf_mechid;	/* KCF's id */
290 	crypto_mech_info_t		ml_mech_info;
291 } crypto_mech_info_list_t;
292 
293 /*
294  * An element in a mechanism provider descriptors chain.
295  * The kcf_prov_mech_desc_t is duplicated in every chain the provider belongs
296  * to. This is a small tradeoff memory vs mutex spinning time to access the
297  * common provider field.
298  */
299 
300 typedef struct kcf_prov_mech_desc {
301 	struct kcf_mech_entry		*pm_me;		/* Back to the head */
302 	struct kcf_prov_mech_desc	*pm_next;	/* Next in the chain */
303 	crypto_mech_info_t		pm_mech_info;	/* Provider mech info */
304 	crypto_mech_info_list_t		*pm_mi_list;	/* list for duals */
305 	kcf_provider_desc_t		*pm_prov_desc;	/* Common desc. */
306 } kcf_prov_mech_desc_t;
307 
308 /* and the notation shortcuts ... */
309 #define	pm_provider_type	pm_prov_desc.pd_provider_type
310 #define	pm_provider_handle	pm_prov_desc.pd_provider_handle
311 #define	pm_ops_vector		pm_prov_desc.pd_ops_vector
312 
313 
314 #define	KCF_CPU_PAD (128 - sizeof (crypto_mech_name_t) - \
315     sizeof (crypto_mech_type_t) - \
316     sizeof (kmutex_t) - 2 * sizeof (kcf_prov_mech_desc_t *) - \
317     sizeof (int) - sizeof (uint32_t) - sizeof (size_t))
318 
319 /*
320  * A mechanism entry in an xxx_mech_tab[]. KCF_CPU_PAD needs
321  * to be adjusted if this structure is changed.
322  */
323 typedef	struct kcf_mech_entry {
324 	crypto_mech_name_t	me_name;	/* mechanism name */
325 	crypto_mech_type_t	me_mechid;	/* Internal id for mechanism */
326 	kmutex_t		me_mutex;	/* access protection	*/
327 	kcf_prov_mech_desc_t	*me_hw_prov_chain;  /* list of HW providers */
328 	kcf_prov_mech_desc_t	*me_sw_prov;    /* SW provider */
329 	/*
330 	 * Number of HW providers in the chain. There is only one
331 	 * SW provider. So, we need only a count of HW providers.
332 	 */
333 	int			me_num_hwprov;
334 	/*
335 	 * When a SW provider is present, this is the generation number that
336 	 * ensures no objects from old SW providers are used in the new one
337 	 */
338 	uint32_t		me_gen_swprov;
339 	/*
340 	 *  threshold for using hardware providers for this mech
341 	 */
342 	size_t			me_threshold;
343 	uint8_t			me_pad[KCF_CPU_PAD];
344 } kcf_mech_entry_t;
345 
346 /*
347  * A policy descriptor structure. It is allocated and initialized
348  * when administrative ioctls load disabled mechanisms.
349  *
350  * pd_prov_type:	Provider type, hardware or software
351  * pd_name:		Device name or module name.
352  * pd_instance:		Device instance.
353  * pd_refcnt:		Reference counter for this policy descriptor
354  * pd_mutex:		Protects array and count of disabled mechanisms.
355  * pd_disabled_count:	Count of disabled mechanisms.
356  * pd_disabled_mechs:	Array of disabled mechanisms.
357  */
358 typedef struct kcf_policy_desc {
359 	crypto_provider_type_t	pd_prov_type;
360 	char			*pd_name;
361 	uint_t			pd_instance;
362 	uint_t			pd_refcnt;
363 	kmutex_t		pd_mutex;
364 	uint_t			pd_disabled_count;
365 	crypto_mech_name_t	*pd_disabled_mechs;
366 } kcf_policy_desc_t;
367 
368 /*
369  * If a component has a reference to a kcf_policy_desc_t,
370  * it REFHOLD()s. A new policy descriptor which is referenced only
371  * by the policy table has a reference count of one.
372  */
373 #define	KCF_POLICY_REFHOLD(desc) {		\
374 	atomic_add_32(&(desc)->pd_refcnt, 1);	\
375 	ASSERT((desc)->pd_refcnt != 0);		\
376 }
377 
378 /*
379  * Releases a reference to a policy descriptor. When the last
380  * reference is released, the descriptor is freed.
381  */
382 #define	KCF_POLICY_REFRELE(desc) {				\
383 	ASSERT((desc)->pd_refcnt != 0);				\
384 	membar_exit();						\
385 	if (atomic_add_32_nv(&(desc)->pd_refcnt, -1) == 0)	\
386 		kcf_policy_free_desc(desc);			\
387 }
388 
389 /*
390  * This entry stores the name of a software module and its
391  * mechanisms.  The mechanisms are 'hints' that are used to
392  * trigger loading of the module.
393  */
394 typedef struct kcf_soft_conf_entry {
395 	struct kcf_soft_conf_entry	*ce_next;
396 	char				*ce_name;
397 	crypto_mech_name_t		*ce_mechs;
398 	uint_t				ce_count;
399 } kcf_soft_conf_entry_t;
400 
401 extern kmutex_t soft_config_mutex;
402 extern kcf_soft_conf_entry_t *soft_config_list;
403 
404 /*
405  * Global tables. The sizes are from the predefined PKCS#11 v2.20 mechanisms,
406  * with a margin of few extra empty entry points
407  */
408 
409 #define	KCF_MAXDIGEST		16	/* Digests */
410 #define	KCF_MAXCIPHER		64	/* Ciphers */
411 #define	KCF_MAXMAC		40	/* Message authentication codes */
412 #define	KCF_MAXSIGN		24	/* Sign/Verify */
413 #define	KCF_MAXKEYOPS		116	/* Key generation and derivation */
414 #define	KCF_MAXMISC		16	/* Others ... */
415 
416 #define	KCF_MAXMECHS		KCF_MAXDIGEST + KCF_MAXCIPHER + KCF_MAXMAC + \
417 				KCF_MAXSIGN + KCF_MAXKEYOPS + \
418 				KCF_MAXMISC
419 
420 extern kcf_mech_entry_t kcf_digest_mechs_tab[];
421 extern kcf_mech_entry_t kcf_cipher_mechs_tab[];
422 extern kcf_mech_entry_t kcf_mac_mechs_tab[];
423 extern kcf_mech_entry_t kcf_sign_mechs_tab[];
424 extern kcf_mech_entry_t kcf_keyops_mechs_tab[];
425 extern kcf_mech_entry_t kcf_misc_mechs_tab[];
426 
427 extern kmutex_t kcf_mech_tabs_lock;
428 
429 typedef	enum {
430 	KCF_DIGEST_CLASS = 1,
431 	KCF_CIPHER_CLASS,
432 	KCF_MAC_CLASS,
433 	KCF_SIGN_CLASS,
434 	KCF_KEYOPS_CLASS,
435 	KCF_MISC_CLASS
436 } kcf_ops_class_t;
437 
438 #define	KCF_FIRST_OPSCLASS	KCF_DIGEST_CLASS
439 #define	KCF_LAST_OPSCLASS	KCF_MISC_CLASS
440 
441 /* The table of all the kcf_xxx_mech_tab[]s, indexed by kcf_ops_class */
442 
443 typedef	struct kcf_mech_entry_tab {
444 	int			met_size;	/* Size of the met_tab[] */
445 	kcf_mech_entry_t	*met_tab;	/* the table		 */
446 } kcf_mech_entry_tab_t;
447 
448 extern kcf_mech_entry_tab_t kcf_mech_tabs_tab[];
449 
450 #define	KCF_MECHID(class, index)				\
451 	(((crypto_mech_type_t)(class) << 32) | (crypto_mech_type_t)(index))
452 
453 #define	KCF_MECH2CLASS(mech_type) ((kcf_ops_class_t)((mech_type) >> 32))
454 
455 #define	KCF_MECH2INDEX(mech_type) ((int)(mech_type))
456 
457 #define	KCF_TO_PROV_MECH_INDX(pd, mech_type) 			\
458 	((pd)->pd_mech_indx[KCF_MECH2CLASS(mech_type)] 		\
459 	[KCF_MECH2INDEX(mech_type)])
460 
461 #define	KCF_TO_PROV_MECHINFO(pd, mech_type)			\
462 	((pd)->pd_mechanisms[KCF_TO_PROV_MECH_INDX(pd, mech_type)])
463 
464 #define	KCF_TO_PROV_MECHNUM(pd, mech_type)			\
465 	(KCF_TO_PROV_MECHINFO(pd, mech_type).cm_mech_number)
466 
467 #define	KCF_CAN_SHARE_OPSTATE(pd, mech_type)			\
468 	((KCF_TO_PROV_MECHINFO(pd, mech_type).cm_mech_flags) &	\
469 	CRYPTO_CAN_SHARE_OPSTATE)
470 
471 /* ps_refcnt is protected by cm_lock in the crypto_minor structure */
472 typedef struct crypto_provider_session {
473 	struct crypto_provider_session *ps_next;
474 	crypto_session_id_t		ps_session;
475 	kcf_provider_desc_t		*ps_provider;
476 	kcf_provider_desc_t		*ps_real_provider;
477 	uint_t				ps_refcnt;
478 } crypto_provider_session_t;
479 
480 typedef struct crypto_session_data {
481 	kmutex_t			sd_lock;
482 	kcondvar_t			sd_cv;
483 	uint32_t			sd_flags;
484 	int				sd_pre_approved_amount;
485 	crypto_ctx_t			*sd_digest_ctx;
486 	crypto_ctx_t			*sd_encr_ctx;
487 	crypto_ctx_t			*sd_decr_ctx;
488 	crypto_ctx_t			*sd_sign_ctx;
489 	crypto_ctx_t			*sd_verify_ctx;
490 	crypto_ctx_t			*sd_sign_recover_ctx;
491 	crypto_ctx_t			*sd_verify_recover_ctx;
492 	kcf_provider_desc_t		*sd_provider;
493 	void				*sd_find_init_cookie;
494 	crypto_provider_session_t	*sd_provider_session;
495 } crypto_session_data_t;
496 
497 #define	CRYPTO_SESSION_IN_USE		0x00000001
498 #define	CRYPTO_SESSION_IS_BUSY		0x00000002
499 #define	CRYPTO_SESSION_IS_CLOSED	0x00000004
500 
501 #define	KCF_MAX_PIN_LEN			1024
502 
503 /*
504  * Per-minor info.
505  *
506  * cm_lock protects everything in this structure except for cm_refcnt.
507  */
508 typedef struct crypto_minor {
509 	uint_t				cm_refcnt;
510 	kmutex_t			cm_lock;
511 	kcondvar_t			cm_cv;
512 	crypto_session_data_t		**cm_session_table;
513 	uint_t				cm_session_table_count;
514 	kcf_provider_desc_t		**cm_provider_array;
515 	uint_t				cm_provider_count;
516 	crypto_provider_session_t	*cm_provider_session;
517 } crypto_minor_t;
518 
519 /* resource control framework handle used by /dev/crypto */
520 extern rctl_hndl_t rc_project_crypto_mem;
521 /*
522  * Return codes for internal functions
523  */
524 #define	KCF_SUCCESS		0x0	/* Successful call */
525 #define	KCF_INVALID_MECH_NUMBER	0x1	/* invalid mechanism number */
526 #define	KCF_INVALID_MECH_NAME	0x2	/* invalid mechanism name */
527 #define	KCF_INVALID_MECH_CLASS	0x3	/* invalid mechanism class */
528 #define	KCF_MECH_TAB_FULL	0x4	/* Need more room in the mech tabs. */
529 #define	KCF_INVALID_INDX	((ushort_t)-1)
530 
531 /*
532  * kCF internal mechanism and function group for tracking RNG providers.
533  */
534 #define	SUN_RANDOM		"random"
535 #define	CRYPTO_FG_RANDOM	0x80000000	/* generate_random() */
536 
537 /*
538  * Wrappers for ops vectors. In the wrapper definitions below, the pd
539  * argument always corresponds to a pointer to a provider descriptor
540  * of type kcf_prov_desc_t.
541  */
542 
543 #define	KCF_PROV_CONTROL_OPS(pd)	((pd)->pd_ops_vector->co_control_ops)
544 #define	KCF_PROV_CTX_OPS(pd)		((pd)->pd_ops_vector->co_ctx_ops)
545 #define	KCF_PROV_DIGEST_OPS(pd)		((pd)->pd_ops_vector->co_digest_ops)
546 #define	KCF_PROV_CIPHER_OPS(pd)		((pd)->pd_ops_vector->co_cipher_ops)
547 #define	KCF_PROV_MAC_OPS(pd)		((pd)->pd_ops_vector->co_mac_ops)
548 #define	KCF_PROV_SIGN_OPS(pd)		((pd)->pd_ops_vector->co_sign_ops)
549 #define	KCF_PROV_VERIFY_OPS(pd)		((pd)->pd_ops_vector->co_verify_ops)
550 #define	KCF_PROV_DUAL_OPS(pd)		((pd)->pd_ops_vector->co_dual_ops)
551 #define	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) \
552 	((pd)->pd_ops_vector->co_dual_cipher_mac_ops)
553 #define	KCF_PROV_RANDOM_OPS(pd)		((pd)->pd_ops_vector->co_random_ops)
554 #define	KCF_PROV_SESSION_OPS(pd)	((pd)->pd_ops_vector->co_session_ops)
555 #define	KCF_PROV_OBJECT_OPS(pd)		((pd)->pd_ops_vector->co_object_ops)
556 #define	KCF_PROV_KEY_OPS(pd)		((pd)->pd_ops_vector->co_key_ops)
557 #define	KCF_PROV_PROVIDER_OPS(pd)	((pd)->pd_ops_vector->co_provider_ops)
558 #define	KCF_PROV_MECH_OPS(pd)		((pd)->pd_ops_vector->co_mech_ops)
559 #define	KCF_PROV_NOSTORE_KEY_OPS(pd)	\
560 	((pd)->pd_ops_vector->co_nostore_key_ops)
561 
562 /*
563  * Wrappers for crypto_control_ops(9S) entry points.
564  */
565 
566 #define	KCF_PROV_STATUS(pd, status) ( \
567 	(KCF_PROV_CONTROL_OPS(pd) && \
568 	KCF_PROV_CONTROL_OPS(pd)->provider_status) ? \
569 	KCF_PROV_CONTROL_OPS(pd)->provider_status( \
570 	    (pd)->pd_prov_handle, status) : \
571 	CRYPTO_NOT_SUPPORTED)
572 
573 /*
574  * Wrappers for crypto_ctx_ops(9S) entry points.
575  */
576 
577 #define	KCF_PROV_CREATE_CTX_TEMPLATE(pd, mech, key, template, size, req) ( \
578 	(KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->create_ctx_template) ? \
579 	KCF_PROV_CTX_OPS(pd)->create_ctx_template( \
580 	    (pd)->pd_prov_handle, mech, key, template, size, req) : \
581 	CRYPTO_NOT_SUPPORTED)
582 
583 #define	KCF_PROV_FREE_CONTEXT(pd, ctx) ( \
584 	(KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->free_context) ? \
585 	KCF_PROV_CTX_OPS(pd)->free_context(ctx) : CRYPTO_NOT_SUPPORTED)
586 
587 #define	KCF_PROV_COPYIN_MECH(pd, umech, kmech, errorp, mode) ( \
588 	(KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->copyin_mechanism) ? \
589 	KCF_PROV_MECH_OPS(pd)->copyin_mechanism( \
590 	    (pd)->pd_prov_handle, umech, kmech, errorp, mode) : \
591 	CRYPTO_NOT_SUPPORTED)
592 
593 #define	KCF_PROV_COPYOUT_MECH(pd, kmech, umech, errorp, mode) ( \
594 	(KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->copyout_mechanism) ? \
595 	KCF_PROV_MECH_OPS(pd)->copyout_mechanism( \
596 	    (pd)->pd_prov_handle, kmech, umech, errorp, mode) : \
597 	CRYPTO_NOT_SUPPORTED)
598 
599 #define	KCF_PROV_FREE_MECH(pd, prov_mech) ( \
600 	(KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->free_mechanism) ? \
601 	KCF_PROV_MECH_OPS(pd)->free_mechanism( \
602 	    (pd)->pd_prov_handle, prov_mech) : CRYPTO_NOT_SUPPORTED)
603 
604 /*
605  * Wrappers for crypto_digest_ops(9S) entry points.
606  */
607 
608 #define	KCF_PROV_DIGEST_INIT(pd, ctx, mech, req) ( \
609 	(KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_init) ? \
610 	KCF_PROV_DIGEST_OPS(pd)->digest_init(ctx, mech, req) : \
611 	CRYPTO_NOT_SUPPORTED)
612 
613 /*
614  * The _ (underscore) in _digest is needed to avoid replacing the
615  * function digest().
616  */
617 #define	KCF_PROV_DIGEST(pd, ctx, data, _digest, req) ( \
618 	(KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest) ? \
619 	KCF_PROV_DIGEST_OPS(pd)->digest(ctx, data, _digest, req) : \
620 	CRYPTO_NOT_SUPPORTED)
621 
622 #define	KCF_PROV_DIGEST_UPDATE(pd, ctx, data, req) ( \
623 	(KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_update) ? \
624 	KCF_PROV_DIGEST_OPS(pd)->digest_update(ctx, data, req) : \
625 	CRYPTO_NOT_SUPPORTED)
626 
627 #define	KCF_PROV_DIGEST_KEY(pd, ctx, key, req) ( \
628 	(KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_key) ? \
629 	KCF_PROV_DIGEST_OPS(pd)->digest_key(ctx, key, req) : \
630 	CRYPTO_NOT_SUPPORTED)
631 
632 #define	KCF_PROV_DIGEST_FINAL(pd, ctx, digest, req) ( \
633 	(KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_final) ? \
634 	KCF_PROV_DIGEST_OPS(pd)->digest_final(ctx, digest, req) : \
635 	CRYPTO_NOT_SUPPORTED)
636 
637 #define	KCF_PROV_DIGEST_ATOMIC(pd, session, mech, data, digest, req) ( \
638 	(KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_atomic) ? \
639 	KCF_PROV_DIGEST_OPS(pd)->digest_atomic( \
640 	    (pd)->pd_prov_handle, session, mech, data, digest, req) : \
641 	CRYPTO_NOT_SUPPORTED)
642 
643 /*
644  * Wrappers for crypto_cipher_ops(9S) entry points.
645  */
646 
647 #define	KCF_PROV_ENCRYPT_INIT(pd, ctx, mech, key, template, req) ( \
648 	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_init) ? \
649 	KCF_PROV_CIPHER_OPS(pd)->encrypt_init(ctx, mech, key, template, \
650 	    req) : \
651 	CRYPTO_NOT_SUPPORTED)
652 
653 #define	KCF_PROV_ENCRYPT(pd, ctx, plaintext, ciphertext, req) ( \
654 	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt) ? \
655 	KCF_PROV_CIPHER_OPS(pd)->encrypt(ctx, plaintext, ciphertext, req) : \
656 	CRYPTO_NOT_SUPPORTED)
657 
658 #define	KCF_PROV_ENCRYPT_UPDATE(pd, ctx, plaintext, ciphertext, req) ( \
659 	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_update) ? \
660 	KCF_PROV_CIPHER_OPS(pd)->encrypt_update(ctx, plaintext, \
661 	    ciphertext, req) : \
662 	CRYPTO_NOT_SUPPORTED)
663 
664 #define	KCF_PROV_ENCRYPT_FINAL(pd, ctx, ciphertext, req) ( \
665 	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_final) ? \
666 	KCF_PROV_CIPHER_OPS(pd)->encrypt_final(ctx, ciphertext, req) : \
667 	CRYPTO_NOT_SUPPORTED)
668 
669 #define	KCF_PROV_ENCRYPT_ATOMIC(pd, session, mech, key, plaintext, ciphertext, \
670 	    template, req) ( \
671 	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic) ? \
672 	KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic( \
673 	    (pd)->pd_prov_handle, session, mech, key, plaintext, ciphertext, \
674 	    template, req) : \
675 	CRYPTO_NOT_SUPPORTED)
676 
677 #define	KCF_PROV_DECRYPT_INIT(pd, ctx, mech, key, template, req) ( \
678 	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_init) ? \
679 	KCF_PROV_CIPHER_OPS(pd)->decrypt_init(ctx, mech, key, template, \
680 	    req) : \
681 	CRYPTO_NOT_SUPPORTED)
682 
683 #define	KCF_PROV_DECRYPT(pd, ctx, ciphertext, plaintext, req) ( \
684 	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt) ? \
685 	KCF_PROV_CIPHER_OPS(pd)->decrypt(ctx, ciphertext, plaintext, req) : \
686 	CRYPTO_NOT_SUPPORTED)
687 
688 #define	KCF_PROV_DECRYPT_UPDATE(pd, ctx, ciphertext, plaintext, req) ( \
689 	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_update) ? \
690 	KCF_PROV_CIPHER_OPS(pd)->decrypt_update(ctx, ciphertext, \
691 	    plaintext, req) : \
692 	CRYPTO_NOT_SUPPORTED)
693 
694 #define	KCF_PROV_DECRYPT_FINAL(pd, ctx, plaintext, req) ( \
695 	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_final) ? \
696 	KCF_PROV_CIPHER_OPS(pd)->decrypt_final(ctx, plaintext, req) : \
697 	CRYPTO_NOT_SUPPORTED)
698 
699 #define	KCF_PROV_DECRYPT_ATOMIC(pd, session, mech, key, ciphertext, plaintext, \
700 	    template, req) ( \
701 	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic) ? \
702 	KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic( \
703 	    (pd)->pd_prov_handle, session, mech, key, ciphertext, plaintext, \
704 	    template, req) : \
705 	CRYPTO_NOT_SUPPORTED)
706 
707 /*
708  * Wrappers for crypto_mac_ops(9S) entry points.
709  */
710 
711 #define	KCF_PROV_MAC_INIT(pd, ctx, mech, key, template, req) ( \
712 	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_init) ? \
713 	KCF_PROV_MAC_OPS(pd)->mac_init(ctx, mech, key, template, req) \
714 	: CRYPTO_NOT_SUPPORTED)
715 
716 /*
717  * The _ (underscore) in _mac is needed to avoid replacing the
718  * function mac().
719  */
720 #define	KCF_PROV_MAC(pd, ctx, data, _mac, req) ( \
721 	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac) ? \
722 	KCF_PROV_MAC_OPS(pd)->mac(ctx, data, _mac, req) : \
723 	CRYPTO_NOT_SUPPORTED)
724 
725 #define	KCF_PROV_MAC_UPDATE(pd, ctx, data, req) ( \
726 	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_update) ? \
727 	KCF_PROV_MAC_OPS(pd)->mac_update(ctx, data, req) : \
728 	CRYPTO_NOT_SUPPORTED)
729 
730 #define	KCF_PROV_MAC_FINAL(pd, ctx, mac, req) ( \
731 	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_final) ? \
732 	KCF_PROV_MAC_OPS(pd)->mac_final(ctx, mac, req) : \
733 	CRYPTO_NOT_SUPPORTED)
734 
735 #define	KCF_PROV_MAC_ATOMIC(pd, session, mech, key, data, mac, template, \
736 	    req) ( \
737 	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_atomic) ? \
738 	KCF_PROV_MAC_OPS(pd)->mac_atomic( \
739 	    (pd)->pd_prov_handle, session, mech, key, data, mac, template, \
740 	    req) : \
741 	CRYPTO_NOT_SUPPORTED)
742 
743 #define	KCF_PROV_MAC_VERIFY_ATOMIC(pd, session, mech, key, data, mac, \
744 	    template, req) ( \
745 	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_verify_atomic) ? \
746 	KCF_PROV_MAC_OPS(pd)->mac_verify_atomic( \
747 	    (pd)->pd_prov_handle, session, mech, key, data, mac, template, \
748 	    req) : \
749 	CRYPTO_NOT_SUPPORTED)
750 
751 /*
752  * Wrappers for crypto_sign_ops(9S) entry points.
753  */
754 
755 #define	KCF_PROV_SIGN_INIT(pd, ctx, mech, key, template, req) ( \
756 	(KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_init) ? \
757 	KCF_PROV_SIGN_OPS(pd)->sign_init( \
758 	    ctx, mech, key, template, req) : CRYPTO_NOT_SUPPORTED)
759 
760 #define	KCF_PROV_SIGN(pd, ctx, data, sig, req) ( \
761 	(KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign) ? \
762 	KCF_PROV_SIGN_OPS(pd)->sign(ctx, data, sig, req) : \
763 	CRYPTO_NOT_SUPPORTED)
764 
765 #define	KCF_PROV_SIGN_UPDATE(pd, ctx, data, req) ( \
766 	(KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_update) ? \
767 	KCF_PROV_SIGN_OPS(pd)->sign_update(ctx, data, req) : \
768 	CRYPTO_NOT_SUPPORTED)
769 
770 #define	KCF_PROV_SIGN_FINAL(pd, ctx, sig, req) ( \
771 	(KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_final) ? \
772 	KCF_PROV_SIGN_OPS(pd)->sign_final(ctx, sig, req) : \
773 	CRYPTO_NOT_SUPPORTED)
774 
775 #define	KCF_PROV_SIGN_ATOMIC(pd, session, mech, key, data, template, \
776 	    sig, req) ( \
777 	(KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_atomic) ? \
778 	KCF_PROV_SIGN_OPS(pd)->sign_atomic( \
779 	    (pd)->pd_prov_handle, session, mech, key, data, sig, template, \
780 	    req) : CRYPTO_NOT_SUPPORTED)
781 
782 #define	KCF_PROV_SIGN_RECOVER_INIT(pd, ctx, mech, key, template, \
783 	    req) ( \
784 	(KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_recover_init) ? \
785 	KCF_PROV_SIGN_OPS(pd)->sign_recover_init(ctx, mech, key, template, \
786 	    req) : CRYPTO_NOT_SUPPORTED)
787 
788 #define	KCF_PROV_SIGN_RECOVER(pd, ctx, data, sig, req) ( \
789 	(KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_recover) ? \
790 	KCF_PROV_SIGN_OPS(pd)->sign_recover(ctx, data, sig, req) : \
791 	CRYPTO_NOT_SUPPORTED)
792 
793 #define	KCF_PROV_SIGN_RECOVER_ATOMIC(pd, session, mech, key, data, template, \
794 	    sig, req) ( \
795 	(KCF_PROV_SIGN_OPS(pd) && \
796 	KCF_PROV_SIGN_OPS(pd)->sign_recover_atomic) ? \
797 	KCF_PROV_SIGN_OPS(pd)->sign_recover_atomic( \
798 	    (pd)->pd_prov_handle, session, mech, key, data, sig, template, \
799 	    req) : CRYPTO_NOT_SUPPORTED)
800 
801 /*
802  * Wrappers for crypto_verify_ops(9S) entry points.
803  */
804 
805 #define	KCF_PROV_VERIFY_INIT(pd, ctx, mech, key, template, req) ( \
806 	(KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_init) ? \
807 	KCF_PROV_VERIFY_OPS(pd)->verify_init(ctx, mech, key, template, \
808 	    req) : CRYPTO_NOT_SUPPORTED)
809 
810 #define	KCF_PROV_VERIFY(pd, ctx, data, sig, req) ( \
811 	(KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify) ? \
812 	KCF_PROV_VERIFY_OPS(pd)->verify(ctx, data, sig, req) : \
813 	CRYPTO_NOT_SUPPORTED)
814 
815 #define	KCF_PROV_VERIFY_UPDATE(pd, ctx, data, req) ( \
816 	(KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_update) ? \
817 	KCF_PROV_VERIFY_OPS(pd)->verify_update(ctx, data, req) : \
818 	CRYPTO_NOT_SUPPORTED)
819 
820 #define	KCF_PROV_VERIFY_FINAL(pd, ctx, sig, req) ( \
821 	(KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_final) ? \
822 	KCF_PROV_VERIFY_OPS(pd)->verify_final(ctx, sig, req) : \
823 	CRYPTO_NOT_SUPPORTED)
824 
825 #define	KCF_PROV_VERIFY_ATOMIC(pd, session, mech, key, data, template, sig, \
826 	    req) ( \
827 	(KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_atomic) ? \
828 	KCF_PROV_VERIFY_OPS(pd)->verify_atomic( \
829 	    (pd)->pd_prov_handle, session, mech, key, data, sig, template, \
830 	    req) : CRYPTO_NOT_SUPPORTED)
831 
832 #define	KCF_PROV_VERIFY_RECOVER_INIT(pd, ctx, mech, key, template, \
833 	    req) ( \
834 	(KCF_PROV_VERIFY_OPS(pd) && \
835 	KCF_PROV_VERIFY_OPS(pd)->verify_recover_init) ? \
836 	KCF_PROV_VERIFY_OPS(pd)->verify_recover_init(ctx, mech, key, \
837 	    template, req) : CRYPTO_NOT_SUPPORTED)
838 
839 /* verify_recover() CSPI routine has different argument order than verify() */
840 #define	KCF_PROV_VERIFY_RECOVER(pd, ctx, sig, data, req) ( \
841 	(KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_recover) ? \
842 	KCF_PROV_VERIFY_OPS(pd)->verify_recover(ctx, sig, data, req) : \
843 	CRYPTO_NOT_SUPPORTED)
844 
845 /*
846  * verify_recover_atomic() CSPI routine has different argument order
847  * than verify_atomic().
848  */
849 #define	KCF_PROV_VERIFY_RECOVER_ATOMIC(pd, session, mech, key, sig, \
850 	    template, data,  req) ( \
851 	(KCF_PROV_VERIFY_OPS(pd) && \
852 	KCF_PROV_VERIFY_OPS(pd)->verify_recover_atomic) ? \
853 	KCF_PROV_VERIFY_OPS(pd)->verify_recover_atomic( \
854 	    (pd)->pd_prov_handle, session, mech, key, sig, data, template, \
855 	    req) : CRYPTO_NOT_SUPPORTED)
856 
857 /*
858  * Wrappers for crypto_dual_ops(9S) entry points.
859  */
860 
861 #define	KCF_PROV_DIGEST_ENCRYPT_UPDATE(digest_ctx, encrypt_ctx, plaintext, \
862 	    ciphertext, req) ( \
863 	(KCF_PROV_DUAL_OPS(pd) && \
864 	KCF_PROV_DUAL_OPS(pd)->digest_encrypt_update) ? \
865 	KCF_PROV_DUAL_OPS(pd)->digest_encrypt_update( \
866 	    digest_ctx, encrypt_ctx, plaintext, ciphertext, req) : \
867 	CRYPTO_NOT_SUPPORTED)
868 
869 #define	KCF_PROV_DECRYPT_DIGEST_UPDATE(decrypt_ctx, digest_ctx, ciphertext, \
870 	    plaintext, req) ( \
871 	(KCF_PROV_DUAL_OPS(pd) && \
872 	KCF_PROV_DUAL_OPS(pd)->decrypt_digest_update) ? \
873 	KCF_PROV_DUAL_OPS(pd)->decrypt_digest_update( \
874 	    decrypt_ctx, digest_ctx, ciphertext, plaintext, req) : \
875 	CRYPTO_NOT_SUPPORTED)
876 
877 #define	KCF_PROV_SIGN_ENCRYPT_UPDATE(sign_ctx, encrypt_ctx, plaintext, \
878 	    ciphertext, req) ( \
879 	(KCF_PROV_DUAL_OPS(pd) && \
880 	KCF_PROV_DUAL_OPS(pd)->sign_encrypt_update) ? \
881 	KCF_PROV_DUAL_OPS(pd)->sign_encrypt_update( \
882 	    sign_ctx, encrypt_ctx, plaintext, ciphertext, req) : \
883 	CRYPTO_NOT_SUPPORTED)
884 
885 #define	KCF_PROV_DECRYPT_VERIFY_UPDATE(decrypt_ctx, verify_ctx, ciphertext, \
886 	    plaintext, req) ( \
887 	(KCF_PROV_DUAL_OPS(pd) && \
888 	KCF_PROV_DUAL_OPS(pd)->decrypt_verify_update) ? \
889 	KCF_PROV_DUAL_OPS(pd)->decrypt_verify_update( \
890 	    decrypt_ctx, verify_ctx, ciphertext, plaintext, req) : \
891 	CRYPTO_NOT_SUPPORTED)
892 
893 /*
894  * Wrappers for crypto_dual_cipher_mac_ops(9S) entry points.
895  */
896 
897 #define	KCF_PROV_ENCRYPT_MAC_INIT(pd, ctx, encr_mech, encr_key, mac_mech, \
898 	    mac_key, encr_ctx_template, mac_ctx_template, req) ( \
899 	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
900 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_init) ? \
901 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_init( \
902 	    ctx, encr_mech, encr_key, mac_mech, mac_key, encr_ctx_template, \
903 	    mac_ctx_template, req) : \
904 	CRYPTO_NOT_SUPPORTED)
905 
906 #define	KCF_PROV_ENCRYPT_MAC(pd, ctx, plaintext, ciphertext, mac, req) ( \
907 	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
908 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac) ? \
909 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac( \
910 	    ctx, plaintext, ciphertext, mac, req) : \
911 	CRYPTO_NOT_SUPPORTED)
912 
913 #define	KCF_PROV_ENCRYPT_MAC_UPDATE(pd, ctx, plaintext, ciphertext, req) ( \
914 	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
915 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_update) ? \
916 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_update( \
917 	    ctx, plaintext, ciphertext, req) : \
918 	CRYPTO_NOT_SUPPORTED)
919 
920 #define	KCF_PROV_ENCRYPT_MAC_FINAL(pd, ctx, ciphertext, mac, req) ( \
921 	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
922 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_final) ? \
923 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_final( \
924 	    ctx, ciphertext, mac, req) : \
925 	CRYPTO_NOT_SUPPORTED)
926 
927 #define	KCF_PROV_ENCRYPT_MAC_ATOMIC(pd, session, encr_mech, encr_key, \
928 	    mac_mech, mac_key, plaintext, ciphertext, mac, \
929 	    encr_ctx_template, mac_ctx_template, req) ( \
930 	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
931 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_atomic) ? \
932 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_atomic( \
933 	    (pd)->pd_prov_handle, session, encr_mech, encr_key, \
934 	    mac_mech, mac_key, plaintext, ciphertext, mac, \
935 	    encr_ctx_template, mac_ctx_template, req) : \
936 	CRYPTO_NOT_SUPPORTED)
937 
938 #define	KCF_PROV_MAC_DECRYPT_INIT(pd, ctx, mac_mech, mac_key, decr_mech, \
939 	    decr_key, mac_ctx_template, decr_ctx_template, req) ( \
940 	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
941 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_init) ? \
942 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_init( \
943 	    ctx, mac_mech, mac_key, decr_mech, decr_key, mac_ctx_template, \
944 	    decr_ctx_template, req) : \
945 	CRYPTO_NOT_SUPPORTED)
946 
947 #define	KCF_PROV_MAC_DECRYPT(pd, ctx, ciphertext, mac, plaintext, req) ( \
948 	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
949 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt) ? \
950 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt( \
951 	    ctx, ciphertext, mac, plaintext, req) : \
952 	CRYPTO_NOT_SUPPORTED)
953 
954 #define	KCF_PROV_MAC_DECRYPT_UPDATE(pd, ctx, ciphertext, plaintext, req) ( \
955 	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
956 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_update) ? \
957 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_update( \
958 	    ctx, ciphertext, plaintext, req) : \
959 	CRYPTO_NOT_SUPPORTED)
960 
961 #define	KCF_PROV_MAC_DECRYPT_FINAL(pd, ctx, mac, plaintext, req) ( \
962 	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
963 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_final) ? \
964 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_final( \
965 	    ctx, mac, plaintext, req) : \
966 	CRYPTO_NOT_SUPPORTED)
967 
968 #define	KCF_PROV_MAC_DECRYPT_ATOMIC(pd, session, mac_mech, mac_key, \
969 	    decr_mech, decr_key, ciphertext, mac, plaintext, \
970 	    mac_ctx_template, decr_ctx_template, req) ( \
971 	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
972 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_atomic) ? \
973 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_atomic( \
974 	    (pd)->pd_prov_handle, session, mac_mech, mac_key, \
975 	    decr_mech, decr_key, ciphertext, mac, plaintext, \
976 	    mac_ctx_template, decr_ctx_template, req) : \
977 	CRYPTO_NOT_SUPPORTED)
978 
979 #define	KCF_PROV_MAC_VERIFY_DECRYPT_ATOMIC(pd, session, mac_mech, mac_key, \
980 	    decr_mech, decr_key, ciphertext, mac, plaintext, \
981 	    mac_ctx_template, decr_ctx_template, req) ( \
982 	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
983 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_verify_decrypt_atomic \
984 	    != NULL) ? \
985 	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_verify_decrypt_atomic( \
986 	    (pd)->pd_prov_handle, session, mac_mech, mac_key, \
987 	    decr_mech, decr_key, ciphertext, mac, plaintext, \
988 	    mac_ctx_template, decr_ctx_template, req) : \
989 	CRYPTO_NOT_SUPPORTED)
990 
991 /*
992  * Wrappers for crypto_random_number_ops(9S) entry points.
993  */
994 
995 #define	KCF_PROV_SEED_RANDOM(pd, session, buf, len, est, flags, req) ( \
996 	(KCF_PROV_RANDOM_OPS(pd) && KCF_PROV_RANDOM_OPS(pd)->seed_random) ? \
997 	KCF_PROV_RANDOM_OPS(pd)->seed_random((pd)->pd_prov_handle, \
998 	    session, buf, len, est, flags, req) : CRYPTO_NOT_SUPPORTED)
999 
1000 #define	KCF_PROV_GENERATE_RANDOM(pd, session, buf, len, req) ( \
1001 	(KCF_PROV_RANDOM_OPS(pd) && \
1002 	KCF_PROV_RANDOM_OPS(pd)->generate_random) ? \
1003 	KCF_PROV_RANDOM_OPS(pd)->generate_random((pd)->pd_prov_handle, \
1004 	    session, buf, len, req) : CRYPTO_NOT_SUPPORTED)
1005 
1006 /*
1007  * Wrappers for crypto_session_ops(9S) entry points.
1008  *
1009  * ops_pd is the provider descriptor that supplies the ops_vector.
1010  * pd is the descriptor that supplies the provider handle.
1011  * Only session open/close needs two handles.
1012  */
1013 
1014 #define	KCF_PROV_SESSION_OPEN(ops_pd, session, req, pd) ( \
1015 	(KCF_PROV_SESSION_OPS(ops_pd) && \
1016 	KCF_PROV_SESSION_OPS(ops_pd)->session_open) ? \
1017 	KCF_PROV_SESSION_OPS(ops_pd)->session_open((pd)->pd_prov_handle, \
1018 	    session, req) : CRYPTO_NOT_SUPPORTED)
1019 
1020 #define	KCF_PROV_SESSION_CLOSE(ops_pd, session, req, pd) ( \
1021 	(KCF_PROV_SESSION_OPS(ops_pd) && \
1022 	KCF_PROV_SESSION_OPS(ops_pd)->session_close) ? \
1023 	KCF_PROV_SESSION_OPS(ops_pd)->session_close((pd)->pd_prov_handle, \
1024 	    session, req) : CRYPTO_NOT_SUPPORTED)
1025 
1026 #define	KCF_PROV_SESSION_LOGIN(pd, session, user_type, pin, len, req) ( \
1027 	(KCF_PROV_SESSION_OPS(pd) && \
1028 	KCF_PROV_SESSION_OPS(pd)->session_login) ? \
1029 	KCF_PROV_SESSION_OPS(pd)->session_login((pd)->pd_prov_handle, \
1030 	    session, user_type, pin, len, req) : CRYPTO_NOT_SUPPORTED)
1031 
1032 #define	KCF_PROV_SESSION_LOGOUT(pd, session, req) ( \
1033 	(KCF_PROV_SESSION_OPS(pd) && \
1034 	KCF_PROV_SESSION_OPS(pd)->session_logout) ? \
1035 	KCF_PROV_SESSION_OPS(pd)->session_logout((pd)->pd_prov_handle, \
1036 	    session, req) : CRYPTO_NOT_SUPPORTED)
1037 
1038 /*
1039  * Wrappers for crypto_object_ops(9S) entry points.
1040  */
1041 
1042 #define	KCF_PROV_OBJECT_CREATE(pd, session, template, count, object, req) ( \
1043 	(KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_create) ? \
1044 	KCF_PROV_OBJECT_OPS(pd)->object_create((pd)->pd_prov_handle, \
1045 	    session, template, count, object, req) : CRYPTO_NOT_SUPPORTED)
1046 
1047 #define	KCF_PROV_OBJECT_COPY(pd, session, object, template, count, \
1048 	    new_object, req) ( \
1049 	(KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_copy) ? \
1050 	KCF_PROV_OBJECT_OPS(pd)->object_copy((pd)->pd_prov_handle, \
1051 	session, object, template, count, new_object, req) : \
1052 	    CRYPTO_NOT_SUPPORTED)
1053 
1054 #define	KCF_PROV_OBJECT_DESTROY(pd, session, object, req) ( \
1055 	(KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_destroy) ? \
1056 	KCF_PROV_OBJECT_OPS(pd)->object_destroy((pd)->pd_prov_handle, \
1057 	    session, object, req) : CRYPTO_NOT_SUPPORTED)
1058 
1059 #define	KCF_PROV_OBJECT_GET_SIZE(pd, session, object, size, req) ( \
1060 	(KCF_PROV_OBJECT_OPS(pd) && \
1061 	KCF_PROV_OBJECT_OPS(pd)->object_get_size) ? \
1062 	KCF_PROV_OBJECT_OPS(pd)->object_get_size((pd)->pd_prov_handle, \
1063 	    session, object, size, req) : CRYPTO_NOT_SUPPORTED)
1064 
1065 #define	KCF_PROV_OBJECT_GET_ATTRIBUTE_VALUE(pd, session, object, template, \
1066 	    count, req) ( \
1067 	(KCF_PROV_OBJECT_OPS(pd) && \
1068 	KCF_PROV_OBJECT_OPS(pd)->object_get_attribute_value) ? \
1069 	KCF_PROV_OBJECT_OPS(pd)->object_get_attribute_value( \
1070 	(pd)->pd_prov_handle, session, object, template, count, req) : \
1071 	    CRYPTO_NOT_SUPPORTED)
1072 
1073 #define	KCF_PROV_OBJECT_SET_ATTRIBUTE_VALUE(pd, session, object, template, \
1074 	    count, req) ( \
1075 	(KCF_PROV_OBJECT_OPS(pd) && \
1076 	KCF_PROV_OBJECT_OPS(pd)->object_set_attribute_value) ? \
1077 	KCF_PROV_OBJECT_OPS(pd)->object_set_attribute_value( \
1078 	(pd)->pd_prov_handle, session, object, template, count, req) : \
1079 	    CRYPTO_NOT_SUPPORTED)
1080 
1081 #define	KCF_PROV_OBJECT_FIND_INIT(pd, session, template, count, ppriv, \
1082 	    req) ( \
1083 	(KCF_PROV_OBJECT_OPS(pd) && \
1084 	KCF_PROV_OBJECT_OPS(pd)->object_find_init) ? \
1085 	KCF_PROV_OBJECT_OPS(pd)->object_find_init((pd)->pd_prov_handle, \
1086 	session, template, count, ppriv, req) : CRYPTO_NOT_SUPPORTED)
1087 
1088 #define	KCF_PROV_OBJECT_FIND(pd, ppriv, objects, max_objects, object_count, \
1089 	    req) ( \
1090 	(KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_find) ? \
1091 	KCF_PROV_OBJECT_OPS(pd)->object_find( \
1092 	(pd)->pd_prov_handle, ppriv, objects, max_objects, object_count, \
1093 	req) : CRYPTO_NOT_SUPPORTED)
1094 
1095 #define	KCF_PROV_OBJECT_FIND_FINAL(pd, ppriv, req) ( \
1096 	(KCF_PROV_OBJECT_OPS(pd) && \
1097 	KCF_PROV_OBJECT_OPS(pd)->object_find_final) ? \
1098 	KCF_PROV_OBJECT_OPS(pd)->object_find_final( \
1099 	    (pd)->pd_prov_handle, ppriv, req) : CRYPTO_NOT_SUPPORTED)
1100 
1101 /*
1102  * Wrappers for crypto_key_ops(9S) entry points.
1103  */
1104 
1105 #define	KCF_PROV_KEY_GENERATE(pd, session, mech, template, count, object, \
1106 	    req) ( \
1107 	(KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_generate) ? \
1108 	KCF_PROV_KEY_OPS(pd)->key_generate((pd)->pd_prov_handle, \
1109 	    session, mech, template, count, object, req) : \
1110 	CRYPTO_NOT_SUPPORTED)
1111 
1112 #define	KCF_PROV_KEY_GENERATE_PAIR(pd, session, mech, pub_template, \
1113 	    pub_count, priv_template, priv_count, pub_key, priv_key, req) ( \
1114 	(KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_generate_pair) ? \
1115 	KCF_PROV_KEY_OPS(pd)->key_generate_pair((pd)->pd_prov_handle, \
1116 	    session, mech, pub_template, pub_count, priv_template, \
1117 	    priv_count, pub_key, priv_key, req) : \
1118 	CRYPTO_NOT_SUPPORTED)
1119 
1120 #define	KCF_PROV_KEY_WRAP(pd, session, mech, wrapping_key, key, wrapped_key, \
1121 	    wrapped_key_len, req) ( \
1122 	(KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_wrap) ? \
1123 	KCF_PROV_KEY_OPS(pd)->key_wrap((pd)->pd_prov_handle, \
1124 	    session, mech, wrapping_key, key, wrapped_key, wrapped_key_len, \
1125 	    req) : \
1126 	CRYPTO_NOT_SUPPORTED)
1127 
1128 #define	KCF_PROV_KEY_UNWRAP(pd, session, mech, unwrapping_key, wrapped_key, \
1129 	    wrapped_key_len, template, count, key, req) ( \
1130 	(KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_unwrap) ? \
1131 	KCF_PROV_KEY_OPS(pd)->key_unwrap((pd)->pd_prov_handle, \
1132 	    session, mech, unwrapping_key, wrapped_key, wrapped_key_len, \
1133 	    template, count, key, req) : \
1134 	CRYPTO_NOT_SUPPORTED)
1135 
1136 #define	KCF_PROV_KEY_DERIVE(pd, session, mech, base_key, template, count, \
1137 	    key, req) ( \
1138 	(KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_derive) ? \
1139 	KCF_PROV_KEY_OPS(pd)->key_derive((pd)->pd_prov_handle, \
1140 	    session, mech, base_key, template, count, key, req) : \
1141 	CRYPTO_NOT_SUPPORTED)
1142 
1143 #define	KCF_PROV_KEY_CHECK(pd, mech, key) ( \
1144 	(KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_check) ? \
1145 	KCF_PROV_KEY_OPS(pd)->key_check((pd)->pd_prov_handle, mech, key) : \
1146 	CRYPTO_NOT_SUPPORTED)
1147 
1148 /*
1149  * Wrappers for crypto_provider_management_ops(9S) entry points.
1150  *
1151  * ops_pd is the provider descriptor that supplies the ops_vector.
1152  * pd is the descriptor that supplies the provider handle.
1153  * Only ext_info needs two handles.
1154  */
1155 
1156 #define	KCF_PROV_EXT_INFO(ops_pd, provext_info, req, pd) ( \
1157 	(KCF_PROV_PROVIDER_OPS(ops_pd) && \
1158 	KCF_PROV_PROVIDER_OPS(ops_pd)->ext_info) ? \
1159 	KCF_PROV_PROVIDER_OPS(ops_pd)->ext_info((pd)->pd_prov_handle, \
1160 	    provext_info, req) : CRYPTO_NOT_SUPPORTED)
1161 
1162 #define	KCF_PROV_INIT_TOKEN(pd, pin, pin_len, label, req) ( \
1163 	(KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->init_token) ? \
1164 	KCF_PROV_PROVIDER_OPS(pd)->init_token((pd)->pd_prov_handle, \
1165 	    pin, pin_len, label, req) : CRYPTO_NOT_SUPPORTED)
1166 
1167 #define	KCF_PROV_INIT_PIN(pd, session, pin, pin_len, req) ( \
1168 	(KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->init_pin) ? \
1169 	KCF_PROV_PROVIDER_OPS(pd)->init_pin((pd)->pd_prov_handle, \
1170 	    session, pin, pin_len, req) : CRYPTO_NOT_SUPPORTED)
1171 
1172 #define	KCF_PROV_SET_PIN(pd, session, old_pin, old_len, new_pin, new_len, \
1173 	    req) ( \
1174 	(KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->set_pin) ? \
1175 	KCF_PROV_PROVIDER_OPS(pd)->set_pin((pd)->pd_prov_handle, \
1176 	session, old_pin, old_len, new_pin, new_len, req) : \
1177 	    CRYPTO_NOT_SUPPORTED)
1178 
1179 /*
1180  * Wrappers for crypto_nostore_key_ops(9S) entry points.
1181  */
1182 
1183 #define	KCF_PROV_NOSTORE_KEY_GENERATE(pd, session, mech, template, count, \
1184 	    out_template, out_count, req) ( \
1185 	(KCF_PROV_NOSTORE_KEY_OPS(pd) && \
1186 	    KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate) ? \
1187 	KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate( \
1188 	    (pd)->pd_prov_handle, session, mech, template, count, \
1189 	    out_template, out_count, req) : CRYPTO_NOT_SUPPORTED)
1190 
1191 #define	KCF_PROV_NOSTORE_KEY_GENERATE_PAIR(pd, session, mech, pub_template, \
1192 	    pub_count, priv_template, priv_count, out_pub_template, \
1193 	    out_pub_count, out_priv_template, out_priv_count, req) ( \
1194 	(KCF_PROV_NOSTORE_KEY_OPS(pd) && \
1195 	    KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate_pair) ? \
1196 	KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate_pair( \
1197 	    (pd)->pd_prov_handle, session, mech, pub_template, pub_count, \
1198 	    priv_template, priv_count, out_pub_template, out_pub_count, \
1199 	    out_priv_template, out_priv_count, req) : CRYPTO_NOT_SUPPORTED)
1200 
1201 #define	KCF_PROV_NOSTORE_KEY_DERIVE(pd, session, mech, base_key, template, \
1202 	    count, out_template, out_count, req) ( \
1203 	(KCF_PROV_NOSTORE_KEY_OPS(pd) && \
1204 	    KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_derive) ? \
1205 	KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_derive( \
1206 	    (pd)->pd_prov_handle, session, mech, base_key, template, count, \
1207 	    out_template, out_count, req) : CRYPTO_NOT_SUPPORTED)
1208 
1209 /*
1210  * The following routines are exported by the kcf module (/kernel/misc/kcf)
1211  * to the crypto and cryptoadmin modules.
1212  */
1213 
1214 /* Digest/mac/cipher entry points that take a provider descriptor and session */
1215 extern int crypto_digest_single(crypto_context_t, crypto_data_t *,
1216     crypto_data_t *, crypto_call_req_t *);
1217 
1218 extern int crypto_mac_single(crypto_context_t, crypto_data_t *,
1219     crypto_data_t *, crypto_call_req_t *);
1220 
1221 extern int crypto_encrypt_single(crypto_context_t, crypto_data_t *,
1222     crypto_data_t *, crypto_call_req_t *);
1223 
1224 extern int crypto_decrypt_single(crypto_context_t, crypto_data_t *,
1225     crypto_data_t *, crypto_call_req_t *);
1226 
1227 
1228 /* Other private digest/mac/cipher entry points not exported through k-API */
1229 extern int crypto_digest_key_prov(crypto_context_t, crypto_key_t *,
1230     crypto_call_req_t *);
1231 
1232 /* Private sign entry points exported by KCF */
1233 extern int crypto_sign_single(crypto_context_t, crypto_data_t *,
1234     crypto_data_t *, crypto_call_req_t *);
1235 
1236 extern int crypto_sign_recover_single(crypto_context_t, crypto_data_t *,
1237     crypto_data_t *, crypto_call_req_t *);
1238 
1239 /* Private verify entry points exported by KCF */
1240 extern int crypto_verify_single(crypto_context_t, crypto_data_t *,
1241     crypto_data_t *, crypto_call_req_t *);
1242 
1243 extern int crypto_verify_recover_single(crypto_context_t, crypto_data_t *,
1244     crypto_data_t *, crypto_call_req_t *);
1245 
1246 /* Private dual operations entry points exported by KCF */
1247 extern int crypto_digest_encrypt_update(crypto_context_t, crypto_context_t,
1248     crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
1249 extern int crypto_decrypt_digest_update(crypto_context_t, crypto_context_t,
1250     crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
1251 extern int crypto_sign_encrypt_update(crypto_context_t, crypto_context_t,
1252     crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
1253 extern int crypto_decrypt_verify_update(crypto_context_t, crypto_context_t,
1254     crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
1255 
1256 /* Random Number Generation */
1257 int crypto_seed_random(crypto_provider_handle_t provider, uchar_t *buf,
1258     size_t len, crypto_call_req_t *req);
1259 int crypto_generate_random(crypto_provider_handle_t provider, uchar_t *buf,
1260     size_t len, crypto_call_req_t *req);
1261 
1262 /* Provider Management */
1263 int crypto_get_provider_info(crypto_provider_id_t id,
1264     crypto_provider_info_t **info, crypto_call_req_t *req);
1265 int crypto_get_provider_mechanisms(crypto_minor_t *, crypto_provider_id_t id,
1266     uint_t *count, crypto_mech_name_t **list);
1267 int crypto_init_token(crypto_provider_handle_t provider, char *pin,
1268     size_t pin_len, char *label, crypto_call_req_t *);
1269 int crypto_init_pin(crypto_provider_handle_t provider, char *pin,
1270     size_t pin_len, crypto_call_req_t *req);
1271 int crypto_set_pin(crypto_provider_handle_t provider, char *old_pin,
1272     size_t old_len, char *new_pin, size_t new_len, crypto_call_req_t *req);
1273 void crypto_free_provider_list(crypto_provider_entry_t *list, uint_t count);
1274 void crypto_free_provider_info(crypto_provider_info_t *info);
1275 
1276 /* Administrative */
1277 int crypto_get_dev_list(uint_t *count, crypto_dev_list_entry_t **list);
1278 int crypto_get_soft_list(uint_t *count, char **list, size_t *len);
1279 int crypto_get_dev_info(char *name, uint_t instance, uint_t *count,
1280     crypto_mech_name_t **list);
1281 int crypto_get_soft_info(caddr_t name, uint_t *count,
1282     crypto_mech_name_t **list);
1283 int crypto_load_dev_disabled(char *name, uint_t instance, uint_t count,
1284     crypto_mech_name_t *list);
1285 int crypto_load_soft_disabled(caddr_t name, uint_t count,
1286     crypto_mech_name_t *list);
1287 int crypto_unload_soft_module(caddr_t path);
1288 int crypto_load_soft_config(caddr_t name, uint_t count,
1289     crypto_mech_name_t *list);
1290 int crypto_load_door(uint_t did);
1291 void crypto_free_mech_list(crypto_mech_name_t *list, uint_t count);
1292 void crypto_free_dev_list(crypto_dev_list_entry_t *list, uint_t count);
1293 
1294 /* Miscellaneous */
1295 int crypto_get_mechanism_number(caddr_t name, crypto_mech_type_t *number);
1296 int crypto_get_function_list(crypto_provider_id_t id,
1297     crypto_function_list_t **list, int kmflag);
1298 void crypto_free_function_list(crypto_function_list_t *list);
1299 int crypto_build_permitted_mech_names(kcf_provider_desc_t *,
1300     crypto_mech_name_t **, uint_t *, int);
1301 extern void kcf_init_mech_tabs(void);
1302 extern int kcf_add_mech_provider(short, kcf_provider_desc_t *,
1303     kcf_prov_mech_desc_t **);
1304 extern void kcf_remove_mech_provider(char *, kcf_provider_desc_t *);
1305 extern int kcf_get_mech_entry(crypto_mech_type_t, kcf_mech_entry_t **);
1306 extern kcf_provider_desc_t *kcf_alloc_provider_desc(crypto_provider_info_t *);
1307 extern void kcf_provider_zero_refcnt(kcf_provider_desc_t *);
1308 extern void kcf_free_provider_desc(kcf_provider_desc_t *);
1309 extern void kcf_soft_config_init(void);
1310 extern int get_sw_provider_for_mech(crypto_mech_name_t, char **);
1311 extern crypto_mech_type_t crypto_mech2id_common(char *, boolean_t);
1312 extern void undo_register_provider(kcf_provider_desc_t *, boolean_t);
1313 extern void redo_register_provider(kcf_provider_desc_t *);
1314 extern void kcf_rnd_init();
1315 extern boolean_t kcf_rngprov_check(void);
1316 extern int kcf_rnd_get_pseudo_bytes(uint8_t *, size_t);
1317 extern int kcf_rnd_get_bytes(uint8_t *, size_t, boolean_t, boolean_t);
1318 extern int random_add_pseudo_entropy(uint8_t *, size_t, uint_t);
1319 extern void kcf_rnd_chpoll(short, int, short *, struct pollhead **);
1320 extern void kcf_rnd_schedule_timeout(boolean_t);
1321 extern int crypto_uio_data(crypto_data_t *, uchar_t *, int, cmd_type_t,
1322     void *, void (*update)());
1323 extern int crypto_mblk_data(crypto_data_t *, uchar_t *, int, cmd_type_t,
1324     void *, void (*update)());
1325 extern int crypto_put_output_data(uchar_t *, crypto_data_t *, int);
1326 extern int crypto_get_input_data(crypto_data_t *, uchar_t **, uchar_t *);
1327 extern int crypto_copy_key_to_ctx(crypto_key_t *, crypto_key_t **, size_t *,
1328     int kmflag);
1329 extern int crypto_digest_data(crypto_data_t *, void *, uchar_t *,
1330     void (*update)(), void (*final)(), uchar_t);
1331 extern int crypto_update_iov(void *, crypto_data_t *, crypto_data_t *,
1332     int (*cipher)(void *, caddr_t, size_t, crypto_data_t *),
1333     void (*copy_block)(uint8_t *, uint64_t *));
1334 extern int crypto_update_uio(void *, crypto_data_t *, crypto_data_t *,
1335     int (*cipher)(void *, caddr_t, size_t, crypto_data_t *),
1336     void (*copy_block)(uint8_t *, uint64_t *));
1337 extern int crypto_update_mp(void *, crypto_data_t *, crypto_data_t *,
1338     int (*cipher)(void *, caddr_t, size_t, crypto_data_t *),
1339     void (*copy_block)(uint8_t *, uint64_t *));
1340 extern int crypto_get_key_attr(crypto_key_t *, crypto_attr_type_t, uchar_t **,
1341     ssize_t *);
1342 
1343 /* Access to the provider's table */
1344 extern void kcf_prov_tab_init(void);
1345 extern int kcf_prov_tab_add_provider(kcf_provider_desc_t *);
1346 extern int kcf_prov_tab_rem_provider(crypto_provider_id_t);
1347 extern kcf_provider_desc_t *kcf_prov_tab_lookup_by_name(char *);
1348 extern kcf_provider_desc_t *kcf_prov_tab_lookup_by_dev(char *, uint_t);
1349 extern int kcf_get_hw_prov_tab(uint_t *, kcf_provider_desc_t ***, int,
1350     char *, uint_t, boolean_t);
1351 extern int kcf_get_slot_list(uint_t *, kcf_provider_desc_t ***, boolean_t);
1352 extern void kcf_free_provider_tab(uint_t, kcf_provider_desc_t **);
1353 extern kcf_provider_desc_t *kcf_prov_tab_lookup(crypto_provider_id_t);
1354 extern int kcf_get_sw_prov(crypto_mech_type_t, kcf_provider_desc_t **,
1355     kcf_mech_entry_t **, boolean_t);
1356 
1357 /* Access to the policy table */
1358 extern boolean_t is_mech_disabled(kcf_provider_desc_t *, crypto_mech_name_t);
1359 extern boolean_t is_mech_disabled_byname(crypto_provider_type_t, char *,
1360     uint_t, crypto_mech_name_t);
1361 extern void kcf_policy_tab_init(void);
1362 extern void kcf_policy_free_desc(kcf_policy_desc_t *);
1363 extern void kcf_policy_remove_by_name(char *, uint_t *, crypto_mech_name_t **);
1364 extern void kcf_policy_remove_by_dev(char *, uint_t, uint_t *,
1365     crypto_mech_name_t **);
1366 extern kcf_policy_desc_t *kcf_policy_lookup_by_name(char *);
1367 extern kcf_policy_desc_t *kcf_policy_lookup_by_dev(char *, uint_t);
1368 extern int kcf_policy_load_soft_disabled(char *, uint_t, crypto_mech_name_t *,
1369     uint_t *, crypto_mech_name_t **);
1370 extern int kcf_policy_load_dev_disabled(char *, uint_t, uint_t,
1371     crypto_mech_name_t *, uint_t *, crypto_mech_name_t **);
1372 extern boolean_t in_soft_config_list(char *);
1373 
1374 #endif	/* _KERNEL */
1375 
1376 #ifdef	__cplusplus
1377 }
1378 #endif
1379 
1380 #endif	/* _SYS_CRYPTO_IMPL_H */
1381