xref: /titanic_52/usr/src/uts/common/sys/crypto/spi.h (revision 1a7c1b724419d3cb5fa6eea75123c6b2060ba31b)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #ifndef	_SYS_CRYPTO_SPI_H
28 #define	_SYS_CRYPTO_SPI_H
29 
30 #pragma ident	"%Z%%M%	%I%	%E% SMI"
31 
32 /*
33  * CSPI: Cryptographic Service Provider Interface.
34  */
35 
36 #include <sys/types.h>
37 #include <sys/dditypes.h>
38 #include <sys/ddi.h>
39 #include <sys/kmem.h>
40 #include <sys/crypto/common.h>
41 
42 #ifdef	__cplusplus
43 extern "C" {
44 #endif
45 
46 #ifdef	_KERNEL
47 
48 #define	CRYPTO_SPI_VERSION_1	1
49 
50 /*
51  * Provider-private handle. This handle is specified by a provider
52  * when it registers by means of the pi_provider_handle field of
53  * the crypto_provider_info structure, and passed to the provider
54  * when its entry points are invoked.
55  */
56 typedef void *crypto_provider_handle_t;
57 
58 /*
59  * Context templates can be used to by software providers to pre-process
60  * keying material, such as key schedules. They are allocated by
61  * a software provider create_ctx_template(9E) entry point, and passed
62  * as argument to initialization and atomic provider entry points.
63  */
64 typedef void *crypto_spi_ctx_template_t;
65 
66 /*
67  * Request handles are used by the kernel to identify an asynchronous
68  * request being processed by a provider. It is passed by the kernel
69  * to a hardware provider when submitting a request, and must be
70  * specified by a provider when calling crypto_op_notification(9F)
71  */
72 typedef void *crypto_req_handle_t;
73 
74 /*
75  * The context structure is passed from the kernel to a provider.
76  * It contains the information needed to process a multi-part or
77  * single part operation. The context structure is not used
78  * by atomic operations.
79  *
80  * Parameters needed to perform a cryptographic operation, such
81  * as keys, mechanisms, input and output buffers, are passed
82  * as separate arguments to Provider routines.
83  */
84 typedef struct crypto_ctx {
85 	crypto_provider_handle_t cc_provider;
86 	crypto_session_id_t	cc_session;
87 	void			*cc_provider_private;	/* owned by provider */
88 	void			*cc_framework_private;	/* owned by framework */
89 } crypto_ctx_t;
90 
91 /*
92  * Extended provider information.
93  */
94 
95 /*
96  * valid values for ei_flags field of extended info structure
97  * They match the RSA Security, Inc PKCS#11 tokenInfo flags.
98  */
99 #define	CRYPTO_EXTF_RNG					0x00000001
100 #define	CRYPTO_EXTF_WRITE_PROTECTED			0x00000002
101 #define	CRYPTO_EXTF_LOGIN_REQUIRED			0x00000004
102 #define	CRYPTO_EXTF_USER_PIN_INITIALIZED		0x00000008
103 #define	CRYPTO_EXTF_CLOCK_ON_TOKEN			0x00000040
104 #define	CRYPTO_EXTF_PROTECTED_AUTHENTICATION_PATH	0x00000100
105 #define	CRYPTO_EXTF_DUAL_CRYPTO_OPERATIONS		0x00000200
106 #define	CRYPTO_EXTF_TOKEN_INITIALIZED			0x00000400
107 #define	CRYPTO_EXTF_USER_PIN_COUNT_LOW			0x00010000
108 #define	CRYPTO_EXTF_USER_PIN_FINAL_TRY			0x00020000
109 #define	CRYPTO_EXTF_USER_PIN_LOCKED			0x00040000
110 #define	CRYPTO_EXTF_USER_PIN_TO_BE_CHANGED		0x00080000
111 #define	CRYPTO_EXTF_SO_PIN_COUNT_LOW			0x00100000
112 #define	CRYPTO_EXTF_SO_PIN_FINAL_TRY			0x00200000
113 #define	CRYPTO_EXTF_SO_PIN_LOCKED			0x00400000
114 #define	CRYPTO_EXTF_SO_PIN_TO_BE_CHANGED		0x00800000
115 
116 #endif /* _KERNEL */
117 
118 #define	CRYPTO_EXT_SIZE_LABEL		32
119 #define	CRYPTO_EXT_SIZE_MANUF		32
120 #define	CRYPTO_EXT_SIZE_MODEL		16
121 #define	CRYPTO_EXT_SIZE_SERIAL		16
122 #define	CRYPTO_EXT_SIZE_TIME		16
123 
124 #ifdef _KERNEL
125 
126 typedef struct crypto_provider_ext_info {
127 	uchar_t			ei_label[CRYPTO_EXT_SIZE_LABEL];
128 	uchar_t			ei_manufacturerID[CRYPTO_EXT_SIZE_MANUF];
129 	uchar_t			ei_model[CRYPTO_EXT_SIZE_MODEL];
130 	uchar_t			ei_serial_number[CRYPTO_EXT_SIZE_SERIAL];
131 	ulong_t			ei_flags;
132 	ulong_t			ei_max_session_count;
133 	ulong_t			ei_max_pin_len;
134 	ulong_t			ei_min_pin_len;
135 	ulong_t			ei_total_public_memory;
136 	ulong_t			ei_free_public_memory;
137 	ulong_t			ei_total_private_memory;
138 	ulong_t			ei_free_private_memory;
139 	crypto_version_t	ei_hardware_version;
140 	crypto_version_t	ei_firmware_version;
141 	uchar_t			ei_time[CRYPTO_EXT_SIZE_TIME];
142 } crypto_provider_ext_info_t;
143 
144 /*
145  * The crypto_control_ops structure contains pointers to control
146  * operations for cryptographic providers.  It is passed through
147  * the crypto_ops(9S) structure when providers register with the
148  * kernel using crypto_register_provider(9F).
149  */
150 typedef struct crypto_control_ops {
151 	void (*provider_status)(crypto_provider_handle_t, uint_t *);
152 } crypto_control_ops_t;
153 
154 /*
155  * The crypto_ctx_ops structure contains points to context and context
156  * templates management operations for cryptographic providers. It is
157  * passed through the crypto_ops(9S) structure when providers register
158  * with the kernel using crypto_register_provider(9F).
159  */
160 typedef struct crypto_ctx_ops {
161 	int (*create_ctx_template)(crypto_provider_handle_t,
162 	    crypto_mechanism_t *, crypto_key_t *,
163 	    crypto_spi_ctx_template_t *, size_t *, crypto_req_handle_t);
164 	int (*free_context)(crypto_ctx_t *);
165 } crypto_ctx_ops_t;
166 
167 /*
168  * The crypto_digest_ops structure contains pointers to digest
169  * operations for cryptographic providers.  It is passed through
170  * the crypto_ops(9S) structure when providers register with the
171  * kernel using crypto_register_provider(9F).
172  */
173 typedef struct crypto_digest_ops {
174 	int (*digest_init)(crypto_ctx_t *, crypto_mechanism_t *,
175 	    crypto_req_handle_t);
176 	int (*digest)(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
177 	    crypto_req_handle_t);
178 	int (*digest_update)(crypto_ctx_t *, crypto_data_t *,
179 	    crypto_req_handle_t);
180 	int (*digest_key)(crypto_ctx_t *, crypto_key_t *, crypto_req_handle_t);
181 	int (*digest_final)(crypto_ctx_t *, crypto_data_t *,
182 	    crypto_req_handle_t);
183 	int (*digest_atomic)(crypto_provider_handle_t, crypto_session_id_t,
184 	    crypto_mechanism_t *, crypto_data_t *,
185 	    crypto_data_t *, crypto_req_handle_t);
186 } crypto_digest_ops_t;
187 
188 /*
189  * The crypto_cipher_ops structure contains pointers to encryption
190  * and decryption operations for cryptographic providers.  It is
191  * passed through the crypto_ops(9S) structure when providers register
192  * with the kernel using crypto_register_provider(9F).
193  */
194 typedef struct crypto_cipher_ops {
195 	int (*encrypt_init)(crypto_ctx_t *,
196 	    crypto_mechanism_t *, crypto_key_t *,
197 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
198 	int (*encrypt)(crypto_ctx_t *,
199 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
200 	int (*encrypt_update)(crypto_ctx_t *,
201 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
202 	int (*encrypt_final)(crypto_ctx_t *,
203 	    crypto_data_t *, crypto_req_handle_t);
204 	int (*encrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t,
205 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
206 	    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
207 
208 	int (*decrypt_init)(crypto_ctx_t *,
209 	    crypto_mechanism_t *, crypto_key_t *,
210 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
211 	int (*decrypt)(crypto_ctx_t *,
212 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
213 	int (*decrypt_update)(crypto_ctx_t *,
214 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
215 	int (*decrypt_final)(crypto_ctx_t *,
216 	    crypto_data_t *, crypto_req_handle_t);
217 	int (*decrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t,
218 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
219 	    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
220 } crypto_cipher_ops_t;
221 
222 /*
223  * The crypto_mac_ops structure contains pointers to MAC
224  * operations for cryptographic providers.  It is passed through
225  * the crypto_ops(9S) structure when providers register with the
226  * kernel using crypto_register_provider(9F).
227  */
228 typedef struct crypto_mac_ops {
229 	int (*mac_init)(crypto_ctx_t *,
230 	    crypto_mechanism_t *, crypto_key_t *,
231 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
232 	int (*mac)(crypto_ctx_t *,
233 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
234 	int (*mac_update)(crypto_ctx_t *,
235 	    crypto_data_t *, crypto_req_handle_t);
236 	int (*mac_final)(crypto_ctx_t *,
237 	    crypto_data_t *, crypto_req_handle_t);
238 	int (*mac_atomic)(crypto_provider_handle_t, crypto_session_id_t,
239 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
240 	    crypto_data_t *, crypto_spi_ctx_template_t,
241 	    crypto_req_handle_t);
242 	int (*mac_verify_atomic)(crypto_provider_handle_t, crypto_session_id_t,
243 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
244 	    crypto_data_t *, crypto_spi_ctx_template_t,
245 	    crypto_req_handle_t);
246 } crypto_mac_ops_t;
247 
248 /*
249  * The crypto_sign_ops structure contains pointers to signing
250  * operations for cryptographic providers.  It is passed through
251  * the crypto_ops(9S) structure when providers register with the
252  * kernel using crypto_register_provider(9F).
253  */
254 typedef struct crypto_sign_ops {
255 	int (*sign_init)(crypto_ctx_t *,
256 	    crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t,
257 	    crypto_req_handle_t);
258 	int (*sign)(crypto_ctx_t *,
259 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
260 	int (*sign_update)(crypto_ctx_t *,
261 	    crypto_data_t *, crypto_req_handle_t);
262 	int (*sign_final)(crypto_ctx_t *,
263 	    crypto_data_t *, crypto_req_handle_t);
264 	int (*sign_atomic)(crypto_provider_handle_t, crypto_session_id_t,
265 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
266 	    crypto_data_t *, crypto_spi_ctx_template_t,
267 	    crypto_req_handle_t);
268 	int (*sign_recover_init)(crypto_ctx_t *, crypto_mechanism_t *,
269 	    crypto_key_t *, crypto_spi_ctx_template_t,
270 	    crypto_req_handle_t);
271 	int (*sign_recover)(crypto_ctx_t *,
272 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
273 	int (*sign_recover_atomic)(crypto_provider_handle_t,
274 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
275 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
276 	    crypto_req_handle_t);
277 } crypto_sign_ops_t;
278 
279 /*
280  * The crypto_verify_ops structure contains pointers to verify
281  * operations for cryptographic providers.  It is passed through
282  * the crypto_ops(9S) structure when providers register with the
283  * kernel using crypto_register_provider(9F).
284  */
285 typedef struct crypto_verify_ops {
286 	int (*verify_init)(crypto_ctx_t *,
287 	    crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t,
288 	    crypto_req_handle_t);
289 	int (*verify)(crypto_ctx_t *,
290 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
291 	int (*verify_update)(crypto_ctx_t *,
292 	    crypto_data_t *, crypto_req_handle_t);
293 	int (*verify_final)(crypto_ctx_t *,
294 	    crypto_data_t *, crypto_req_handle_t);
295 	int (*verify_atomic)(crypto_provider_handle_t, crypto_session_id_t,
296 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
297 	    crypto_data_t *, crypto_spi_ctx_template_t,
298 	    crypto_req_handle_t);
299 	int (*verify_recover_init)(crypto_ctx_t *, crypto_mechanism_t *,
300 	    crypto_key_t *, crypto_spi_ctx_template_t,
301 	    crypto_req_handle_t);
302 	int (*verify_recover)(crypto_ctx_t *,
303 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
304 	int (*verify_recover_atomic)(crypto_provider_handle_t,
305 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
306 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
307 	    crypto_req_handle_t);
308 } crypto_verify_ops_t;
309 
310 /*
311  * The crypto_dual_ops structure contains pointers to dual
312  * cipher and sign/verify operations for cryptographic providers.
313  * It is passed through the crypto_ops(9S) structure when
314  * providers register with the kernel using
315  * crypto_register_provider(9F).
316  */
317 typedef struct crypto_dual_ops {
318 	int (*digest_encrypt_update)(
319 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
320 	    crypto_data_t *, crypto_req_handle_t);
321 	int (*decrypt_digest_update)(
322 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
323 	    crypto_data_t *, crypto_req_handle_t);
324 	int (*sign_encrypt_update)(
325 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
326 	    crypto_data_t *, crypto_req_handle_t);
327 	int (*decrypt_verify_update)(
328 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
329 	    crypto_data_t *, crypto_req_handle_t);
330 } crypto_dual_ops_t;
331 
332 /*
333  * The crypto_dual_cipher_mac_ops structure contains pointers to dual
334  * cipher and MAC operations for cryptographic providers.
335  * It is passed through the crypto_ops(9S) structure when
336  * providers register with the kernel using
337  * crypto_register_provider(9F).
338  */
339 typedef struct crypto_dual_cipher_mac_ops {
340 	int (*encrypt_mac_init)(crypto_ctx_t *,
341 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
342 	    crypto_key_t *, crypto_spi_ctx_template_t,
343 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
344 	int (*encrypt_mac)(crypto_ctx_t *,
345 	    crypto_data_t *, crypto_dual_data_t *, crypto_data_t *,
346 	    crypto_req_handle_t);
347 	int (*encrypt_mac_update)(crypto_ctx_t *,
348 	    crypto_data_t *, crypto_dual_data_t *, crypto_req_handle_t);
349 	int (*encrypt_mac_final)(crypto_ctx_t *,
350 	    crypto_dual_data_t *, crypto_data_t *, crypto_req_handle_t);
351 	int (*encrypt_mac_atomic)(crypto_provider_handle_t, crypto_session_id_t,
352 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
353 	    crypto_key_t *, crypto_data_t *, crypto_dual_data_t *,
354 	    crypto_data_t *, crypto_spi_ctx_template_t,
355 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
356 
357 	int (*mac_decrypt_init)(crypto_ctx_t *,
358 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
359 	    crypto_key_t *, crypto_spi_ctx_template_t,
360 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
361 	int (*mac_decrypt)(crypto_ctx_t *,
362 	    crypto_dual_data_t *, crypto_data_t *, crypto_data_t *,
363 	    crypto_req_handle_t);
364 	int (*mac_decrypt_update)(crypto_ctx_t *,
365 	    crypto_dual_data_t *, crypto_data_t *, crypto_req_handle_t);
366 	int (*mac_decrypt_final)(crypto_ctx_t *,
367 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
368 	int (*mac_decrypt_atomic)(crypto_provider_handle_t,
369 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
370 	    crypto_mechanism_t *, crypto_key_t *, crypto_dual_data_t *,
371 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
372 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
373 	int (*mac_verify_decrypt_atomic)(crypto_provider_handle_t,
374 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
375 	    crypto_mechanism_t *, crypto_key_t *, crypto_dual_data_t *,
376 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
377 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
378 } crypto_dual_cipher_mac_ops_t;
379 
380 /*
381  * The crypto_random_number_ops structure contains pointers to random
382  * number operations for cryptographic providers.  It is passed through
383  * the crypto_ops(9S) structure when providers register with the
384  * kernel using crypto_register_provider(9F).
385  */
386 typedef struct crypto_random_number_ops {
387 	int (*seed_random)(crypto_provider_handle_t, crypto_session_id_t,
388 	    uchar_t *, size_t, crypto_req_handle_t);
389 	int (*generate_random)(crypto_provider_handle_t, crypto_session_id_t,
390 	    uchar_t *, size_t, crypto_req_handle_t);
391 } crypto_random_number_ops_t;
392 
393 /*
394  * The crypto_session_ops structure contains pointers to session
395  * operations for cryptographic providers.  It is passed through
396  * the crypto_ops(9S) structure when providers register with the
397  * kernel using crypto_register_provider(9F).
398  */
399 typedef struct crypto_session_ops {
400 	int (*session_open)(crypto_provider_handle_t, crypto_session_id_t *,
401 	    crypto_req_handle_t);
402 	int (*session_close)(crypto_provider_handle_t, crypto_session_id_t,
403 	    crypto_req_handle_t);
404 	int (*session_login)(crypto_provider_handle_t, crypto_session_id_t,
405 	    crypto_user_type_t, char *, size_t, crypto_req_handle_t);
406 	int (*session_logout)(crypto_provider_handle_t, crypto_session_id_t,
407 	    crypto_req_handle_t);
408 } crypto_session_ops_t;
409 
410 /*
411  * The crypto_object_ops structure contains pointers to object
412  * operations for cryptographic providers.  It is passed through
413  * the crypto_ops(9S) structure when providers register with the
414  * kernel using crypto_register_provider(9F).
415  */
416 typedef struct crypto_object_ops {
417 	int (*object_create)(crypto_provider_handle_t, crypto_session_id_t,
418 	    crypto_object_attribute_t *, uint_t, crypto_object_id_t *,
419 	    crypto_req_handle_t);
420 	int (*object_copy)(crypto_provider_handle_t, crypto_session_id_t,
421 	    crypto_object_id_t, crypto_object_attribute_t *, uint_t,
422 	    crypto_object_id_t *, crypto_req_handle_t);
423 	int (*object_destroy)(crypto_provider_handle_t, crypto_session_id_t,
424 	    crypto_object_id_t, crypto_req_handle_t);
425 	int (*object_get_size)(crypto_provider_handle_t, crypto_session_id_t,
426 	    crypto_object_id_t, size_t *, crypto_req_handle_t);
427 	int (*object_get_attribute_value)(crypto_provider_handle_t,
428 	    crypto_session_id_t, crypto_object_id_t,
429 	    crypto_object_attribute_t *, uint_t, crypto_req_handle_t);
430 	int (*object_set_attribute_value)(crypto_provider_handle_t,
431 	    crypto_session_id_t, crypto_object_id_t,
432 	    crypto_object_attribute_t *,  uint_t, crypto_req_handle_t);
433 	int (*object_find_init)(crypto_provider_handle_t, crypto_session_id_t,
434 	    crypto_object_attribute_t *, uint_t, void **,
435 	    crypto_req_handle_t);
436 	int (*object_find)(crypto_provider_handle_t, void *,
437 	    crypto_object_id_t *, uint_t, uint_t *, crypto_req_handle_t);
438 	int (*object_find_final)(crypto_provider_handle_t, void *,
439 	    crypto_req_handle_t);
440 } crypto_object_ops_t;
441 
442 /*
443  * The crypto_key_ops structure contains pointers to key
444  * operations for cryptographic providers.  It is passed through
445  * the crypto_ops(9S) structure when providers register with the
446  * kernel using crypto_register_provider(9F).
447  */
448 typedef struct crypto_key_ops {
449 	int (*key_generate)(crypto_provider_handle_t, crypto_session_id_t,
450 	    crypto_mechanism_t *, crypto_object_attribute_t *, uint_t,
451 	    crypto_object_id_t *, crypto_req_handle_t);
452 	int (*key_generate_pair)(crypto_provider_handle_t, crypto_session_id_t,
453 	    crypto_mechanism_t *, crypto_object_attribute_t *, uint_t,
454 	    crypto_object_attribute_t *, uint_t, crypto_object_id_t *,
455 	    crypto_object_id_t *, crypto_req_handle_t);
456 	int (*key_wrap)(crypto_provider_handle_t, crypto_session_id_t,
457 	    crypto_mechanism_t *, crypto_key_t *, crypto_object_id_t *,
458 	    uchar_t *, size_t *, crypto_req_handle_t);
459 	int (*key_unwrap)(crypto_provider_handle_t, crypto_session_id_t,
460 	    crypto_mechanism_t *, crypto_key_t *, uchar_t *, size_t *,
461 	    crypto_object_attribute_t *, uint_t,
462 	    crypto_object_id_t *, crypto_req_handle_t);
463 	int (*key_derive)(crypto_provider_handle_t, crypto_session_id_t,
464 	    crypto_mechanism_t *, crypto_key_t *, crypto_object_attribute_t *,
465 	    uint_t, crypto_object_id_t *, crypto_req_handle_t);
466 	int (*key_check)(crypto_provider_handle_t, crypto_mechanism_t *,
467 	    crypto_key_t *);
468 } crypto_key_ops_t;
469 
470 /*
471  * The crypto_provider_management_ops structure contains pointers
472  * to management operations for cryptographic providers.  It is passed
473  * through the crypto_ops(9S) structure when providers register with the
474  * kernel using crypto_register_provider(9F).
475  */
476 typedef struct crypto_provider_management_ops {
477 	int (*ext_info)(crypto_provider_handle_t,
478 	    crypto_provider_ext_info_t *, crypto_req_handle_t);
479 	int (*init_token)(crypto_provider_handle_t, char *, size_t,
480 	    char *, crypto_req_handle_t);
481 	int (*init_pin)(crypto_provider_handle_t, crypto_session_id_t,
482 	    char *, size_t, crypto_req_handle_t);
483 	int (*set_pin)(crypto_provider_handle_t, crypto_session_id_t,
484 	    char *, size_t, char *, size_t, crypto_req_handle_t);
485 } crypto_provider_management_ops_t;
486 
487 /*
488  * The crypto_ops(9S) structure contains the structures containing
489  * the pointers to functions implemented by cryptographic providers.
490  * It is specified as part of the crypto_provider_info(9S)
491  * supplied by a provider when it registers with the kernel
492  * by calling crypto_register_provider(9F).
493  */
494 typedef struct crypto_ops {
495 	crypto_control_ops_t			*control_ops;
496 	crypto_digest_ops_t			*digest_ops;
497 	crypto_cipher_ops_t			*cipher_ops;
498 	crypto_mac_ops_t			*mac_ops;
499 	crypto_sign_ops_t			*sign_ops;
500 	crypto_verify_ops_t			*verify_ops;
501 	crypto_dual_ops_t			*dual_ops;
502 	crypto_dual_cipher_mac_ops_t		*dual_cipher_mac_ops;
503 	crypto_random_number_ops_t		*random_ops;
504 	crypto_session_ops_t			*session_ops;
505 	crypto_object_ops_t			*object_ops;
506 	crypto_key_ops_t			*key_ops;
507 	crypto_provider_management_ops_t	*provider_ops;
508 	crypto_ctx_ops_t			*ctx_ops;
509 } crypto_ops_t;
510 
511 /*
512  * Provider device specification passed during registration.
513  *
514  * Software providers set the pi_provider_type field of provider_info_t
515  * to CRYPTO_SW_PROVIDER, and set the pd_sw field of
516  * crypto_provider_dev_t to the address of their modlinkage.
517  *
518  * Hardware providers set the pi_provider_type field of provider_info_t
519  * to CRYPTO_HW_PROVIDER, and set the pd_hw field of
520  * crypto_provider_dev_t to the dev_info structure corresponding
521  * to the device instance being registered.
522  *
523  * Logical providers set the pi_provider_type field of provider_info_t
524  * to CRYPTO_LOGICAL_PROVIDER, and set the pd_hw field of
525  * crypto_provider_dev_t to the dev_info structure corresponding
526  * to the device instance being registered.
527  */
528 
529 typedef union crypto_provider_dev {
530 	struct modlinkage	*pd_sw; /* for CRYPTO_SW_PROVIDER */
531 	dev_info_t		*pd_hw; /* for CRYPTO_HW_PROVIDER */
532 } crypto_provider_dev_t;
533 
534 /*
535  * The mechanism info structure crypto_mech_info_t contains a function group
536  * bit mask cm_func_group_mask. This field, of type crypto_func_group_t,
537  * specifies the provider entry point that can be used a particular
538  * mechanism. The function group mask is a combination of the following values.
539  */
540 
541 typedef uint32_t crypto_func_group_t;
542 
543 #endif /* _KERNEL */
544 
545 #define	CRYPTO_FG_ENCRYPT		0x00000001 /* encrypt_init() */
546 #define	CRYPTO_FG_DECRYPT		0x00000002 /* decrypt_init() */
547 #define	CRYPTO_FG_DIGEST		0x00000004 /* digest_init() */
548 #define	CRYPTO_FG_SIGN			0x00000008 /* sign_init() */
549 #define	CRYPTO_FG_SIGN_RECOVER		0x00000010 /* sign_recover_init() */
550 #define	CRYPTO_FG_VERIFY		0x00000020 /* verify_init() */
551 #define	CRYPTO_FG_VERIFY_RECOVER	0x00000040 /* verify_recover_init() */
552 #define	CRYPTO_FG_GENERATE		0x00000080 /* key_generate() */
553 #define	CRYPTO_FG_GENERATE_KEY_PAIR	0x00000100 /* key_generate_pair() */
554 #define	CRYPTO_FG_WRAP			0x00000200 /* key_wrap() */
555 #define	CRYPTO_FG_UNWRAP		0x00000400 /* key_unwrap() */
556 #define	CRYPTO_FG_DERIVE		0x00000800 /* key_derive() */
557 #define	CRYPTO_FG_MAC			0x00001000 /* mac_init() */
558 #define	CRYPTO_FG_ENCRYPT_MAC		0x00002000 /* encrypt_mac_init() */
559 #define	CRYPTO_FG_MAC_DECRYPT		0x00004000 /* decrypt_mac_init() */
560 #define	CRYPTO_FG_ENCRYPT_ATOMIC	0x00008000 /* encrypt_atomic() */
561 #define	CRYPTO_FG_DECRYPT_ATOMIC	0x00010000 /* decrypt_atomic() */
562 #define	CRYPTO_FG_MAC_ATOMIC		0x00020000 /* mac_atomic() */
563 #define	CRYPTO_FG_DIGEST_ATOMIC		0x00040000 /* digest_atomic() */
564 #define	CRYPTO_FG_SIGN_ATOMIC		0x00080000 /* sign_atomic() */
565 #define	CRYPTO_FG_SIGN_RECOVER_ATOMIC   0x00100000 /* sign_recover_atomic() */
566 #define	CRYPTO_FG_VERIFY_ATOMIC		0x00200000 /* verify_atomic() */
567 #define	CRYPTO_FG_VERIFY_RECOVER_ATOMIC	0x00400000 /* verify_recover_atomic() */
568 #define	CRYPTO_FG_ENCRYPT_MAC_ATOMIC	0x00800000 /* encrypt_mac_atomic() */
569 #define	CRYPTO_FG_MAC_DECRYPT_ATOMIC	0x01000000 /* mac_decrypt_atomic() */
570 #define	CRYPTO_FG_RESERVED		0x80000000
571 
572 /*
573  * Maximum length of the pi_provider_description field of the
574  * crypto_provider_info structure.
575  */
576 #define	CRYPTO_PROVIDER_DESCR_MAX_LEN	64
577 
578 #ifdef _KERNEL
579 
580 /* Bit mask for all the simple operations */
581 #define	CRYPTO_FG_SIMPLEOP_MASK	(CRYPTO_FG_ENCRYPT | CRYPTO_FG_DECRYPT | \
582     CRYPTO_FG_DIGEST | CRYPTO_FG_SIGN | CRYPTO_FG_VERIFY | CRYPTO_FG_MAC | \
583     CRYPTO_FG_ENCRYPT_ATOMIC | CRYPTO_FG_DECRYPT_ATOMIC |		\
584     CRYPTO_FG_MAC_ATOMIC | CRYPTO_FG_DIGEST_ATOMIC | CRYPTO_FG_SIGN_ATOMIC | \
585     CRYPTO_FG_VERIFY_ATOMIC)
586 
587 /* Bit mask for all the dual operations */
588 #define	CRYPTO_FG_MAC_CIPHER_MASK	(CRYPTO_FG_ENCRYPT_MAC |	\
589     CRYPTO_FG_MAC_DECRYPT | CRYPTO_FG_ENCRYPT_MAC_ATOMIC | 		\
590     CRYPTO_FG_MAC_DECRYPT_ATOMIC)
591 
592 /* Add other combos to CRYPTO_FG_DUAL_MASK */
593 #define	CRYPTO_FG_DUAL_MASK	CRYPTO_FG_MAC_CIPHER_MASK
594 
595 /*
596  * The crypto_mech_info structure specifies one of the mechanisms
597  * supported by a cryptographic provider. The pi_mechanisms field of
598  * the crypto_provider_info structure contains a pointer to an array
599  * of crypto_mech_info's.
600  */
601 typedef struct crypto_mech_info {
602 	crypto_mech_name_t	cm_mech_name;
603 	crypto_mech_type_t	cm_mech_number;
604 	crypto_func_group_t	cm_func_group_mask;
605 	ssize_t			cm_min_key_length;
606 	ssize_t			cm_max_key_length;
607 	crypto_keysize_unit_t	cm_keysize_unit; /* for cm_xxx_key_length */
608 } crypto_mech_info_t;
609 
610 /*
611  * crypto_kcf_provider_handle_t is a handle allocated by the kernel.
612  * It is returned after the provider registers with
613  * crypto_register_provider(), and must be specified by the provider
614  * when calling crypto_unregister_provider(), and
615  * crypto_provider_notification().
616  */
617 typedef uint_t crypto_kcf_provider_handle_t;
618 
619 /*
620  * Provider information. Passed as argument to crypto_register_provider(9F).
621  * Describes the provider and its capabilities. Multiple providers can
622  * register for the same device instance. In this case, the same
623  * pi_provider_dev must be specified with a different pi_provider_handle.
624  */
625 typedef struct crypto_provider_info {
626 	uint_t				pi_interface_version;
627 	char				*pi_provider_description;
628 	crypto_provider_type_t		pi_provider_type;
629 	crypto_provider_dev_t		pi_provider_dev;
630 	crypto_provider_handle_t	pi_provider_handle;
631 	crypto_ops_t			*pi_ops_vector;
632 	uint_t				pi_mech_list_count;
633 	crypto_mech_info_t		*pi_mechanisms;
634 	uint_t				pi_logical_provider_count;
635 	crypto_kcf_provider_handle_t	*pi_logical_providers;
636 } crypto_provider_info_t;
637 
638 /*
639  * Provider status passed by a provider to crypto_provider_notification(9F)
640  * and returned by the provider_stauts(9E) entry point.
641  */
642 #define	CRYPTO_PROVIDER_READY		0
643 #define	CRYPTO_PROVIDER_BUSY		1
644 #define	CRYPTO_PROVIDER_FAILED		2
645 
646 /*
647  * Functions exported by Solaris to cryptographic providers. Providers
648  * call these functions to register and unregister, notify the kernel
649  * of state changes, and notify the kernel when a asynchronous request
650  * completed.
651  */
652 extern int crypto_register_provider(crypto_provider_info_t *,
653 		crypto_kcf_provider_handle_t *);
654 extern int crypto_unregister_provider(crypto_kcf_provider_handle_t);
655 extern void crypto_provider_notification(crypto_kcf_provider_handle_t, uint_t);
656 extern void crypto_op_notification(crypto_req_handle_t, int);
657 extern int crypto_kmflag(crypto_req_handle_t);
658 
659 #endif	/* _KERNEL */
660 
661 #ifdef	__cplusplus
662 }
663 #endif
664 
665 #endif	/* _SYS_CRYPTO_SPI_H */
666