1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  23  */
  24 
  25 #ifndef _SYS_CRYPTO_IMPL_H
  26 #define _SYS_CRYPTO_IMPL_H
  27 
  28 /*
  29  * Kernel Cryptographic Framework private implementation definitions.
  30  */
  31 
  32 #include <sys/types.h>
  33 #include <sys/param.h>
  34 
  35 #ifdef _KERNEL
  36 #include <sys/crypto/common.h>
  37 #include <sys/crypto/api.h>
  38 #include <sys/crypto/spi.h>
  39 #include <sys/crypto/ioctl.h>
  40 #include <sys/tnf_probe.h>
  41 #include <sys/atomic.h>
  42 #include <sys/project.h>
  43 #include <sys/taskq.h>
  44 #include <sys/rctl.h>
  45 #include <sys/cpuvar.h>
  46 #endif /* _KERNEL */
  47 
  48 #ifdef  __cplusplus
  49 extern "C" {
  50 #endif
  51 
  52 #ifdef _KERNEL
  53 
  54 /*
  55  * Prefixes convention: structures internal to the kernel cryptographic
  56  * framework start with 'kcf_'. Exposed structure start with 'crypto_'.
  57  */
  58 
  59 /* Provider stats. Not protected. */
  60 typedef struct kcf_prov_stats {
  61         kstat_named_t   ps_ops_total;
  62         kstat_named_t   ps_ops_passed;
  63         kstat_named_t   ps_ops_failed;
  64         kstat_named_t   ps_ops_busy_rval;
  65 } kcf_prov_stats_t;
  66 
  67 /* Various kcf stats. Not protected. */
  68 typedef struct kcf_stats {
  69         kstat_named_t   ks_thrs_in_pool;
  70         kstat_named_t   ks_idle_thrs;
  71         kstat_named_t   ks_minthrs;
  72         kstat_named_t   ks_maxthrs;
  73         kstat_named_t   ks_swq_njobs;
  74         kstat_named_t   ks_swq_maxjobs;
  75         kstat_named_t   ks_taskq_threads;
  76         kstat_named_t   ks_taskq_minalloc;
  77         kstat_named_t   ks_taskq_maxalloc;
  78 } kcf_stats_t;
  79 
  80 #define CPU_SEQID       (CPU->cpu_seqid)
  81 
  82 typedef struct kcf_lock_withpad {
  83         kmutex_t        kl_lock;
  84         uint8_t         kl_pad[64 - sizeof (kmutex_t)];
  85 } kcf_lock_withpad_t;
  86 
  87 /*
  88  * Per-CPU structure used by a provider to keep track of
  89  * various counters.
  90  */
  91 typedef struct kcf_prov_cpu {
  92         kmutex_t        kp_lock;
  93         int             kp_holdcnt;     /* can go negative! */
  94         uint_t          kp_jobcnt;
  95 
  96         uint64_t        kp_ndispatches;
  97         uint64_t        kp_nfails;
  98         uint64_t        kp_nbusy_rval;
  99         kcondvar_t      kp_cv;
 100 
 101         uint8_t         kp_pad[64 - sizeof (kmutex_t) - 2 * sizeof (int) -
 102             3 * sizeof (uint64_t) - sizeof (kcondvar_t)];
 103 } kcf_prov_cpu_t;
 104 
 105 /*
 106  * kcf_get_refcnt(pd) is the number of inflight requests to the
 107  * provider. So, it is a good measure of the load on a provider when
 108  * it is not in a busy state. Once a provider notifies it is busy, requests
 109  * backup in the taskq. So, we use tq_nalloc in that case which gives
 110  * the number of task entries in the task queue. Note that we do not
 111  * acquire any locks here as it is not critical to get the exact number
 112  * and the lock contention is too costly for this code path.
 113  */
 114 #define KCF_PROV_LOAD(pd)       ((pd)->pd_state != KCF_PROV_BUSY ?   \
 115         kcf_get_refcnt(pd, B_FALSE) : (pd)->pd_taskq->tq_nalloc)
 116 
 117 
 118 /*
 119  * The following two macros should be
 120  * #define KCF_OPS_CLASSSIZE (KCF_LAST_OPSCLASS - KCF_FIRST_OPSCLASS + 2)
 121  * #define KCF_MAXMECHTAB KCF_MAXCIPHER
 122  *
 123  * However, doing that would involve reorganizing the header file a bit.
 124  * When impl.h is broken up (bug# 4703218), this will be done. For now,
 125  * we hardcode these values.
 126  */
 127 #define KCF_OPS_CLASSSIZE       8
 128 #define KCF_MAXMECHTAB          32
 129 
 130 /*
 131  * Valid values for the state of a provider. The order of
 132  * the elements is important.
 133  *
 134  * Routines which get a provider or the list of providers
 135  * should pick only those that are either in KCF_PROV_READY state
 136  * or in KCF_PROV_BUSY state.
 137  */
 138 typedef enum {
 139         KCF_PROV_ALLOCATED = 1,
 140         KCF_PROV_UNVERIFIED,
 141         KCF_PROV_UNVERIFIED_FIPS140,
 142         KCF_PROV_VERIFICATION_FAILED,
 143         /*
 144          * state < KCF_PROV_READY means the provider can not
 145          * be used at all.
 146          */
 147         KCF_PROV_READY,
 148         KCF_PROV_BUSY,
 149         /*
 150          * state > KCF_PROV_BUSY means the provider can not
 151          * be used for new requests.
 152          */
 153         KCF_PROV_FAILED,
 154         /*
 155          * Threads setting the following two states should do so only
 156          * if the current state < KCF_PROV_DISABLED.
 157          */
 158         KCF_PROV_DISABLED,
 159         KCF_PROV_UNREGISTERING,
 160         KCF_PROV_UNREGISTERED
 161 } kcf_prov_state_t;
 162 
 163 #define KCF_IS_PROV_UNVERIFIED(pd) ((pd)->pd_state == KCF_PROV_UNVERIFIED)
 164 #define KCF_IS_PROV_USABLE(pd) ((pd)->pd_state == KCF_PROV_READY || \
 165         (pd)->pd_state == KCF_PROV_BUSY)
 166 #define KCF_IS_PROV_REMOVED(pd) ((pd)->pd_state >= KCF_PROV_UNREGISTERING)
 167 
 168 /* Internal flags valid for pd_flags field */
 169 #define KCF_LPROV_MEMBER        0x80000000 /* is member of a logical provider */
 170 
 171 /*
 172  * A provider descriptor structure. There is one such structure per
 173  * provider. It is allocated and initialized at registration time and
 174  * freed when the provider unregisters.
 175  *
 176  * pd_prov_type:        Provider type, hardware or software
 177  * pd_sid:              Session ID of the provider used by kernel clients.
 178  *                      This is valid only for session-oriented providers.
 179  * pd_taskq:            taskq used to dispatch crypto requests
 180  * pd_nbins:            number of bins in pd_percpu_bins
 181  * pd_percpu_bins:      Pointer to an array of per-CPU structures
 182  *                      containing a lock, a cv and various counters.
 183  * pd_lock:             lock protects pd_state and pd_provider_list
 184  * pd_state:            State value of the provider
 185  * pd_provider_list:    Used to cross-reference logical providers and their
 186  *                      members. Not used for software providers.
 187  * pd_resume_cv:        cv to wait for state to change from KCF_PROV_BUSY
 188  * pd_prov_handle:      Provider handle specified by provider
 189  * pd_ops_vector:       The ops vector specified by Provider
 190  * pd_mech_indx:        Lookup table which maps a core framework mechanism
 191  *                      number to an index in pd_mechanisms array
 192  * pd_mechanisms:       Array of mechanisms supported by the provider, specified
 193  *                      by the provider during registration
 194  * pd_mech_list_count:  The number of entries in pi_mechanisms, specified
 195  *                      by the provider during registration
 196  * pd_name:             Device name or module name
 197  * pd_instance:         Device instance
 198  * pd_module_id:        Module ID returned by modload
 199  * pd_mctlp:            Pointer to modctl structure for this provider
 200  * pd_description:      Provider description string
 201  * pd_flags:            bitwise OR of pi_flags from crypto_provider_info_t
 202  *                      and other internal flags defined above.
 203  * pd_hash_limit:       Maximum data size that hash mechanisms of this provider
 204  *                      can support.
 205  * pd_hmac_limit:       Maximum data size that HMAC mechanisms of this provider
 206  *                      can support.
 207  * pd_kcf_prov_handle:  KCF-private handle assigned by KCF
 208  * pd_prov_id:          Identification # assigned by KCF to provider
 209  * pd_kstat:            kstat associated with the provider
 210  * pd_ks_data:          kstat data
 211  */
 212 typedef struct kcf_provider_desc {
 213         crypto_provider_type_t          pd_prov_type;
 214         crypto_session_id_t             pd_sid;
 215         taskq_t                         *pd_taskq;
 216         uint_t                          pd_nbins;
 217         kcf_prov_cpu_t                  *pd_percpu_bins;
 218         kmutex_t                        pd_lock;
 219         kcf_prov_state_t                pd_state;
 220         struct kcf_provider_list        *pd_provider_list;
 221         kcondvar_t                      pd_resume_cv;
 222         crypto_provider_handle_t        pd_prov_handle;
 223         crypto_ops_t                    *pd_ops_vector;
 224         ushort_t                        pd_mech_indx[KCF_OPS_CLASSSIZE]\
 225                                             [KCF_MAXMECHTAB];
 226         crypto_mech_info_t              *pd_mechanisms;
 227         uint_t                          pd_mech_list_count;
 228         char                            *pd_name;
 229         uint_t                          pd_instance;
 230         int                             pd_module_id;
 231         struct modctl                   *pd_mctlp;
 232         char                            *pd_description;
 233         uint_t                          pd_flags;
 234         uint_t                          pd_hash_limit;
 235         uint_t                          pd_hmac_limit;
 236         crypto_kcf_provider_handle_t    pd_kcf_prov_handle;
 237         crypto_provider_id_t            pd_prov_id;
 238         kstat_t                         *pd_kstat;
 239         kcf_prov_stats_t                pd_ks_data;
 240 } kcf_provider_desc_t;
 241 
 242 /* useful for making a list of providers */
 243 typedef struct kcf_provider_list {
 244         struct kcf_provider_list *pl_next;
 245         struct kcf_provider_desc *pl_provider;
 246 } kcf_provider_list_t;
 247 
 248 /*
 249  * If a component has a reference to a kcf_provider_desc_t,
 250  * it REFHOLD()s. A new provider descriptor which is referenced only
 251  * by the providers table has a reference counter of one.
 252  */
 253 #define KCF_PROV_REFHOLD(desc) {                        \
 254         kcf_prov_cpu_t  *mp;                            \
 255                                                         \
 256         mp = &((desc)->pd_percpu_bins[CPU_SEQID]);       \
 257         mutex_enter(&mp->kp_lock);                       \
 258         mp->kp_holdcnt++;                            \
 259         mutex_exit(&mp->kp_lock);                        \
 260 }
 261 
 262 #define KCF_PROV_REFRELE(desc) {                        \
 263         kcf_prov_cpu_t  *mp;                            \
 264                                                         \
 265         mp = &((desc)->pd_percpu_bins[CPU_SEQID]);       \
 266         mutex_enter(&mp->kp_lock);                       \
 267         mp->kp_holdcnt--;                            \
 268         mutex_exit(&mp->kp_lock);                        \
 269 }
 270 
 271 #define KCF_PROV_REFHELD(desc)  (kcf_get_refcnt(desc, B_TRUE) >= 1)
 272 
 273 /*
 274  * The JOB macros are used only for a hardware provider.
 275  * Hardware providers can have holds that stay forever.
 276  * So, the job counter is used to check if it is safe to
 277  * unregister a provider.
 278  */
 279 #define KCF_PROV_JOB_HOLD(mp) {                 \
 280         mutex_enter(&(mp)->kp_lock);             \
 281         (mp)->kp_jobcnt++;                   \
 282         mutex_exit(&(mp)->kp_lock);              \
 283 }
 284 
 285 #define KCF_PROV_JOB_RELE(mp) {                 \
 286         mutex_enter(&(mp)->kp_lock);             \
 287         (mp)->kp_jobcnt--;                   \
 288         if ((mp)->kp_jobcnt == 0)            \
 289                 cv_signal(&(mp)->kp_cv); \
 290         mutex_exit(&(mp)->kp_lock);              \
 291 }
 292 
 293 #define KCF_PROV_JOB_RELE_STAT(mp, doincr) {    \
 294         if (doincr)                             \
 295                 (mp)->kp_nfails++;           \
 296         KCF_PROV_JOB_RELE(mp);                  \
 297 }
 298 
 299 #define KCF_PROV_INCRSTATS(pd, error)   {                               \
 300         kcf_prov_cpu_t  *mp;                                            \
 301                                                                         \
 302         mp = &((pd)->pd_percpu_bins[CPU_SEQID]);                 \
 303         mp->kp_ndispatches++;                                                \
 304         if ((error) == CRYPTO_BUSY)                                     \
 305                 mp->kp_nbusy_rval++;                                 \
 306         else if ((error) != CRYPTO_SUCCESS && (error) != CRYPTO_QUEUED) \
 307                 mp->kp_nfails++;                                     \
 308 }
 309 
 310 /* list of crypto_mech_info_t valid as the second mech in a dual operation */
 311 
 312 typedef struct crypto_mech_info_list {
 313         struct crypto_mech_info_list    *ml_next;
 314         crypto_mech_type_t              ml_kcf_mechid;  /* KCF's id */
 315         crypto_mech_info_t              ml_mech_info;
 316 } crypto_mech_info_list_t;
 317 
 318 /*
 319  * An element in a mechanism provider descriptors chain.
 320  * The kcf_prov_mech_desc_t is duplicated in every chain the provider belongs
 321  * to. This is a small tradeoff memory vs mutex spinning time to access the
 322  * common provider field.
 323  */
 324 
 325 typedef struct kcf_prov_mech_desc {
 326         struct kcf_mech_entry           *pm_me;         /* Back to the head */
 327         struct kcf_prov_mech_desc       *pm_next;       /* Next in the chain */
 328         crypto_mech_info_t              pm_mech_info;   /* Provider mech info */
 329         crypto_mech_info_list_t         *pm_mi_list;    /* list for duals */
 330         kcf_provider_desc_t             *pm_prov_desc;  /* Common desc. */
 331 } kcf_prov_mech_desc_t;
 332 
 333 /* and the notation shortcuts ... */
 334 #define pm_provider_type        pm_prov_desc.pd_provider_type
 335 #define pm_provider_handle      pm_prov_desc.pd_provider_handle
 336 #define pm_ops_vector           pm_prov_desc.pd_ops_vector
 337 
 338 extern kcf_lock_withpad_t *me_mutexes;
 339 
 340 #define KCF_CPU_PAD (128 - sizeof (crypto_mech_name_t) - \
 341     sizeof (crypto_mech_type_t) - \
 342     2 * sizeof (kcf_prov_mech_desc_t *) - \
 343     sizeof (int) - sizeof (uint32_t) - sizeof (size_t))
 344 
 345 /*
 346  * A mechanism entry in an xxx_mech_tab[]. KCF_CPU_PAD needs
 347  * to be adjusted if this structure is changed.
 348  */
 349 typedef struct kcf_mech_entry {
 350         crypto_mech_name_t      me_name;        /* mechanism name */
 351         crypto_mech_type_t      me_mechid;      /* Internal id for mechanism */
 352         kcf_prov_mech_desc_t    *me_hw_prov_chain;  /* list of HW providers */
 353         kcf_prov_mech_desc_t    *me_sw_prov;    /* SW provider */
 354         /*
 355          * Number of HW providers in the chain. There is only one
 356          * SW provider. So, we need only a count of HW providers.
 357          */
 358         int                     me_num_hwprov;
 359         /*
 360          * When a SW provider is present, this is the generation number that
 361          * ensures no objects from old SW providers are used in the new one
 362          */
 363         uint32_t                me_gen_swprov;
 364         /*
 365          *  threshold for using hardware providers for this mech
 366          */
 367         size_t                  me_threshold;
 368         uint8_t                 me_pad[KCF_CPU_PAD];
 369 } kcf_mech_entry_t;
 370 
 371 /*
 372  * A policy descriptor structure. It is allocated and initialized
 373  * when administrative ioctls load disabled mechanisms.
 374  *
 375  * pd_prov_type:        Provider type, hardware or software
 376  * pd_name:             Device name or module name.
 377  * pd_instance:         Device instance.
 378  * pd_refcnt:           Reference counter for this policy descriptor
 379  * pd_mutex:            Protects array and count of disabled mechanisms.
 380  * pd_disabled_count:   Count of disabled mechanisms.
 381  * pd_disabled_mechs:   Array of disabled mechanisms.
 382  */
 383 typedef struct kcf_policy_desc {
 384         crypto_provider_type_t  pd_prov_type;
 385         char                    *pd_name;
 386         uint_t                  pd_instance;
 387         uint_t                  pd_refcnt;
 388         kmutex_t                pd_mutex;
 389         uint_t                  pd_disabled_count;
 390         crypto_mech_name_t      *pd_disabled_mechs;
 391 } kcf_policy_desc_t;
 392 
 393 /*
 394  * If a component has a reference to a kcf_policy_desc_t,
 395  * it REFHOLD()s. A new policy descriptor which is referenced only
 396  * by the policy table has a reference count of one.
 397  */
 398 #define KCF_POLICY_REFHOLD(desc) {              \
 399         atomic_add_32(&(desc)->pd_refcnt, 1);    \
 400         ASSERT((desc)->pd_refcnt != 0);              \
 401 }
 402 
 403 /*
 404  * Releases a reference to a policy descriptor. When the last
 405  * reference is released, the descriptor is freed.
 406  */
 407 #define KCF_POLICY_REFRELE(desc) {                              \
 408         ASSERT((desc)->pd_refcnt != 0);                              \
 409         membar_exit();                                          \
 410         if (atomic_add_32_nv(&(desc)->pd_refcnt, -1) == 0)       \
 411                 kcf_policy_free_desc(desc);                     \
 412 }
 413 
 414 /*
 415  * This entry stores the name of a software module and its
 416  * mechanisms.  The mechanisms are 'hints' that are used to
 417  * trigger loading of the module.
 418  */
 419 typedef struct kcf_soft_conf_entry {
 420         struct kcf_soft_conf_entry      *ce_next;
 421         char                            *ce_name;
 422         crypto_mech_name_t              *ce_mechs;
 423         uint_t                          ce_count;
 424 } kcf_soft_conf_entry_t;
 425 
 426 extern kmutex_t soft_config_mutex;
 427 extern kcf_soft_conf_entry_t *soft_config_list;
 428 
 429 /*
 430  * Global tables. The sizes are from the predefined PKCS#11 v2.20 mechanisms,
 431  * with a margin of few extra empty entry points
 432  */
 433 
 434 #define KCF_MAXDIGEST           16      /* Digests */
 435 #define KCF_MAXCIPHER           64      /* Ciphers */
 436 #define KCF_MAXMAC              40      /* Message authentication codes */
 437 #define KCF_MAXSIGN             24      /* Sign/Verify */
 438 #define KCF_MAXKEYOPS           116     /* Key generation and derivation */
 439 #define KCF_MAXMISC             16      /* Others ... */
 440 
 441 #define KCF_MAXMECHS            KCF_MAXDIGEST + KCF_MAXCIPHER + KCF_MAXMAC + \
 442                                 KCF_MAXSIGN + KCF_MAXKEYOPS + \
 443                                 KCF_MAXMISC
 444 
 445 extern kcf_mech_entry_t kcf_digest_mechs_tab[];
 446 extern kcf_mech_entry_t kcf_cipher_mechs_tab[];
 447 extern kcf_mech_entry_t kcf_mac_mechs_tab[];
 448 extern kcf_mech_entry_t kcf_sign_mechs_tab[];
 449 extern kcf_mech_entry_t kcf_keyops_mechs_tab[];
 450 extern kcf_mech_entry_t kcf_misc_mechs_tab[];
 451 
 452 extern kmutex_t kcf_mech_tabs_lock;
 453 
 454 typedef enum {
 455         KCF_DIGEST_CLASS = 1,
 456         KCF_CIPHER_CLASS,
 457         KCF_MAC_CLASS,
 458         KCF_SIGN_CLASS,
 459         KCF_KEYOPS_CLASS,
 460         KCF_MISC_CLASS
 461 } kcf_ops_class_t;
 462 
 463 #define KCF_FIRST_OPSCLASS      KCF_DIGEST_CLASS
 464 #define KCF_LAST_OPSCLASS       KCF_MISC_CLASS
 465 
 466 /* The table of all the kcf_xxx_mech_tab[]s, indexed by kcf_ops_class */
 467 
 468 typedef struct kcf_mech_entry_tab {
 469         int                     met_size;       /* Size of the met_tab[] */
 470         kcf_mech_entry_t        *met_tab;       /* the table             */
 471 } kcf_mech_entry_tab_t;
 472 
 473 extern kcf_mech_entry_tab_t kcf_mech_tabs_tab[];
 474 
 475 #define KCF_MECHID(class, index)                                \
 476         (((crypto_mech_type_t)(class) << 32) | (crypto_mech_type_t)(index))
 477 
 478 #define KCF_MECH2CLASS(mech_type) ((kcf_ops_class_t)((mech_type) >> 32))
 479 
 480 #define KCF_MECH2INDEX(mech_type) ((int)(mech_type))
 481 
 482 #define KCF_TO_PROV_MECH_INDX(pd, mech_type)                    \
 483         ((pd)->pd_mech_indx[KCF_MECH2CLASS(mech_type)]               \
 484         [KCF_MECH2INDEX(mech_type)])
 485 
 486 #define KCF_TO_PROV_MECHINFO(pd, mech_type)                     \
 487         ((pd)->pd_mechanisms[KCF_TO_PROV_MECH_INDX(pd, mech_type)])
 488 
 489 #define KCF_TO_PROV_MECHNUM(pd, mech_type)                      \
 490         (KCF_TO_PROV_MECHINFO(pd, mech_type).cm_mech_number)
 491 
 492 #define KCF_CAN_SHARE_OPSTATE(pd, mech_type)                    \
 493         ((KCF_TO_PROV_MECHINFO(pd, mech_type).cm_mech_flags) &      \
 494         CRYPTO_CAN_SHARE_OPSTATE)
 495 
 496 /* ps_refcnt is protected by cm_lock in the crypto_minor structure */
 497 typedef struct crypto_provider_session {
 498         struct crypto_provider_session *ps_next;
 499         crypto_session_id_t             ps_session;
 500         kcf_provider_desc_t             *ps_provider;
 501         kcf_provider_desc_t             *ps_real_provider;
 502         uint_t                          ps_refcnt;
 503 } crypto_provider_session_t;
 504 
 505 typedef struct crypto_session_data {
 506         kmutex_t                        sd_lock;
 507         kcondvar_t                      sd_cv;
 508         uint32_t                        sd_flags;
 509         int                             sd_pre_approved_amount;
 510         crypto_ctx_t                    *sd_digest_ctx;
 511         crypto_ctx_t                    *sd_encr_ctx;
 512         crypto_ctx_t                    *sd_decr_ctx;
 513         crypto_ctx_t                    *sd_sign_ctx;
 514         crypto_ctx_t                    *sd_verify_ctx;
 515         crypto_ctx_t                    *sd_sign_recover_ctx;
 516         crypto_ctx_t                    *sd_verify_recover_ctx;
 517         kcf_provider_desc_t             *sd_provider;
 518         void                            *sd_find_init_cookie;
 519         crypto_provider_session_t       *sd_provider_session;
 520 } crypto_session_data_t;
 521 
 522 #define CRYPTO_SESSION_IN_USE           0x00000001
 523 #define CRYPTO_SESSION_IS_BUSY          0x00000002
 524 #define CRYPTO_SESSION_IS_CLOSED        0x00000004
 525 
 526 #define KCF_MAX_PIN_LEN                 1024
 527 
 528 /*
 529  * Per-minor info.
 530  *
 531  * cm_lock protects everything in this structure except for cm_refcnt.
 532  */
 533 typedef struct crypto_minor {
 534         uint_t                          cm_refcnt;
 535         kmutex_t                        cm_lock;
 536         kcondvar_t                      cm_cv;
 537         crypto_session_data_t           **cm_session_table;
 538         uint_t                          cm_session_table_count;
 539         kcf_provider_desc_t             **cm_provider_array;
 540         uint_t                          cm_provider_count;
 541         crypto_provider_session_t       *cm_provider_session;
 542 } crypto_minor_t;
 543 
 544 /* resource control framework handle used by /dev/crypto */
 545 extern rctl_hndl_t rc_project_crypto_mem;
 546 /*
 547  * Return codes for internal functions
 548  */
 549 #define KCF_SUCCESS             0x0     /* Successful call */
 550 #define KCF_INVALID_MECH_NUMBER 0x1     /* invalid mechanism number */
 551 #define KCF_INVALID_MECH_NAME   0x2     /* invalid mechanism name */
 552 #define KCF_INVALID_MECH_CLASS  0x3     /* invalid mechanism class */
 553 #define KCF_MECH_TAB_FULL       0x4     /* Need more room in the mech tabs. */
 554 #define KCF_INVALID_INDX        ((ushort_t)-1)
 555 
 556 /*
 557  * kCF internal mechanism and function group for tracking RNG providers.
 558  */
 559 #define SUN_RANDOM              "random"
 560 #define CRYPTO_FG_RANDOM        0x80000000      /* generate_random() */
 561 
 562 /*
 563  * Wrappers for ops vectors. In the wrapper definitions below, the pd
 564  * argument always corresponds to a pointer to a provider descriptor
 565  * of type kcf_prov_desc_t.
 566  */
 567 
 568 #define KCF_PROV_CONTROL_OPS(pd)        ((pd)->pd_ops_vector->co_control_ops)
 569 #define KCF_PROV_CTX_OPS(pd)            ((pd)->pd_ops_vector->co_ctx_ops)
 570 #define KCF_PROV_DIGEST_OPS(pd)         ((pd)->pd_ops_vector->co_digest_ops)
 571 #define KCF_PROV_CIPHER_OPS(pd)         ((pd)->pd_ops_vector->co_cipher_ops)
 572 #define KCF_PROV_MAC_OPS(pd)            ((pd)->pd_ops_vector->co_mac_ops)
 573 #define KCF_PROV_SIGN_OPS(pd)           ((pd)->pd_ops_vector->co_sign_ops)
 574 #define KCF_PROV_VERIFY_OPS(pd)         ((pd)->pd_ops_vector->co_verify_ops)
 575 #define KCF_PROV_DUAL_OPS(pd)           ((pd)->pd_ops_vector->co_dual_ops)
 576 #define KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) \
 577         ((pd)->pd_ops_vector->co_dual_cipher_mac_ops)
 578 #define KCF_PROV_RANDOM_OPS(pd)         ((pd)->pd_ops_vector->co_random_ops)
 579 #define KCF_PROV_SESSION_OPS(pd)        ((pd)->pd_ops_vector->co_session_ops)
 580 #define KCF_PROV_OBJECT_OPS(pd)         ((pd)->pd_ops_vector->co_object_ops)
 581 #define KCF_PROV_KEY_OPS(pd)            ((pd)->pd_ops_vector->co_key_ops)
 582 #define KCF_PROV_PROVIDER_OPS(pd)       ((pd)->pd_ops_vector->co_provider_ops)
 583 #define KCF_PROV_MECH_OPS(pd)           ((pd)->pd_ops_vector->co_mech_ops)
 584 #define KCF_PROV_NOSTORE_KEY_OPS(pd)    \
 585         ((pd)->pd_ops_vector->co_nostore_key_ops)
 586 #define KCF_PROV_FIPS140_OPS(pd)        ((pd)->pd_ops_vector->co_fips140_ops)
 587 #define KCF_PROV_PROVMGMT_OPS(pd)       ((pd)->pd_ops_vector->co_provider_ops)
 588 
 589 /*
 590  * Wrappers for crypto_control_ops(9S) entry points.
 591  */
 592 
 593 #define KCF_PROV_STATUS(pd, status) ( \
 594         (KCF_PROV_CONTROL_OPS(pd) && \
 595         KCF_PROV_CONTROL_OPS(pd)->provider_status) ? \
 596         KCF_PROV_CONTROL_OPS(pd)->provider_status( \
 597             (pd)->pd_prov_handle, status) : \
 598         CRYPTO_NOT_SUPPORTED)
 599 
 600 /*
 601  * Wrappers for crypto_ctx_ops(9S) entry points.
 602  */
 603 
 604 #define KCF_PROV_CREATE_CTX_TEMPLATE(pd, mech, key, template, size, req) ( \
 605         (KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->create_ctx_template) ? \
 606         KCF_PROV_CTX_OPS(pd)->create_ctx_template( \
 607             (pd)->pd_prov_handle, mech, key, template, size, req) : \
 608         CRYPTO_NOT_SUPPORTED)
 609 
 610 #define KCF_PROV_FREE_CONTEXT(pd, ctx) ( \
 611         (KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->free_context) ? \
 612         KCF_PROV_CTX_OPS(pd)->free_context(ctx) : CRYPTO_NOT_SUPPORTED)
 613 
 614 #define KCF_PROV_COPYIN_MECH(pd, umech, kmech, errorp, mode) ( \
 615         (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->copyin_mechanism) ? \
 616         KCF_PROV_MECH_OPS(pd)->copyin_mechanism( \
 617             (pd)->pd_prov_handle, umech, kmech, errorp, mode) : \
 618         CRYPTO_NOT_SUPPORTED)
 619 
 620 #define KCF_PROV_COPYOUT_MECH(pd, kmech, umech, errorp, mode) ( \
 621         (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->copyout_mechanism) ? \
 622         KCF_PROV_MECH_OPS(pd)->copyout_mechanism( \
 623             (pd)->pd_prov_handle, kmech, umech, errorp, mode) : \
 624         CRYPTO_NOT_SUPPORTED)
 625 
 626 #define KCF_PROV_FREE_MECH(pd, prov_mech) ( \
 627         (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->free_mechanism) ? \
 628         KCF_PROV_MECH_OPS(pd)->free_mechanism( \
 629             (pd)->pd_prov_handle, prov_mech) : CRYPTO_NOT_SUPPORTED)
 630 
 631 /*
 632  * Wrappers for crypto_digest_ops(9S) entry points.
 633  */
 634 
 635 #define KCF_PROV_DIGEST_INIT(pd, ctx, mech, req) ( \
 636         (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_init) ? \
 637         KCF_PROV_DIGEST_OPS(pd)->digest_init(ctx, mech, req) : \
 638         CRYPTO_NOT_SUPPORTED)
 639 
 640 /*
 641  * The _ (underscore) in _digest is needed to avoid replacing the
 642  * function digest().
 643  */
 644 #define KCF_PROV_DIGEST(pd, ctx, data, _digest, req) ( \
 645         (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest) ? \
 646         KCF_PROV_DIGEST_OPS(pd)->digest(ctx, data, _digest, req) : \
 647         CRYPTO_NOT_SUPPORTED)
 648 
 649 #define KCF_PROV_DIGEST_UPDATE(pd, ctx, data, req) ( \
 650         (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_update) ? \
 651         KCF_PROV_DIGEST_OPS(pd)->digest_update(ctx, data, req) : \
 652         CRYPTO_NOT_SUPPORTED)
 653 
 654 #define KCF_PROV_DIGEST_KEY(pd, ctx, key, req) ( \
 655         (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_key) ? \
 656         KCF_PROV_DIGEST_OPS(pd)->digest_key(ctx, key, req) : \
 657         CRYPTO_NOT_SUPPORTED)
 658 
 659 #define KCF_PROV_DIGEST_FINAL(pd, ctx, digest, req) ( \
 660         (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_final) ? \
 661         KCF_PROV_DIGEST_OPS(pd)->digest_final(ctx, digest, req) : \
 662         CRYPTO_NOT_SUPPORTED)
 663 
 664 #define KCF_PROV_DIGEST_ATOMIC(pd, session, mech, data, digest, req) ( \
 665         (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_atomic) ? \
 666         KCF_PROV_DIGEST_OPS(pd)->digest_atomic( \
 667             (pd)->pd_prov_handle, session, mech, data, digest, req) : \
 668         CRYPTO_NOT_SUPPORTED)
 669 
 670 /*
 671  * Wrappers for crypto_cipher_ops(9S) entry points.
 672  */
 673 
 674 #define KCF_PROV_ENCRYPT_INIT(pd, ctx, mech, key, template, req) ( \
 675         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_init) ? \
 676         KCF_PROV_CIPHER_OPS(pd)->encrypt_init(ctx, mech, key, template, \
 677             req) : \
 678         CRYPTO_NOT_SUPPORTED)
 679 
 680 #define KCF_PROV_ENCRYPT(pd, ctx, plaintext, ciphertext, req) ( \
 681         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt) ? \
 682         KCF_PROV_CIPHER_OPS(pd)->encrypt(ctx, plaintext, ciphertext, req) : \
 683         CRYPTO_NOT_SUPPORTED)
 684 
 685 #define KCF_PROV_ENCRYPT_UPDATE(pd, ctx, plaintext, ciphertext, req) ( \
 686         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_update) ? \
 687         KCF_PROV_CIPHER_OPS(pd)->encrypt_update(ctx, plaintext, \
 688             ciphertext, req) : \
 689         CRYPTO_NOT_SUPPORTED)
 690 
 691 #define KCF_PROV_ENCRYPT_FINAL(pd, ctx, ciphertext, req) ( \
 692         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_final) ? \
 693         KCF_PROV_CIPHER_OPS(pd)->encrypt_final(ctx, ciphertext, req) : \
 694         CRYPTO_NOT_SUPPORTED)
 695 
 696 #define KCF_PROV_ENCRYPT_ATOMIC(pd, session, mech, key, plaintext, ciphertext, \
 697             template, req) ( \
 698         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic) ? \
 699         KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic( \
 700             (pd)->pd_prov_handle, session, mech, key, plaintext, ciphertext, \
 701             template, req) : \
 702         CRYPTO_NOT_SUPPORTED)
 703 
 704 #define KCF_PROV_DECRYPT_INIT(pd, ctx, mech, key, template, req) ( \
 705         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_init) ? \
 706         KCF_PROV_CIPHER_OPS(pd)->decrypt_init(ctx, mech, key, template, \
 707             req) : \
 708         CRYPTO_NOT_SUPPORTED)
 709 
 710 #define KCF_PROV_DECRYPT(pd, ctx, ciphertext, plaintext, req) ( \
 711         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt) ? \
 712         KCF_PROV_CIPHER_OPS(pd)->decrypt(ctx, ciphertext, plaintext, req) : \
 713         CRYPTO_NOT_SUPPORTED)
 714 
 715 #define KCF_PROV_DECRYPT_UPDATE(pd, ctx, ciphertext, plaintext, req) ( \
 716         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_update) ? \
 717         KCF_PROV_CIPHER_OPS(pd)->decrypt_update(ctx, ciphertext, \
 718             plaintext, req) : \
 719         CRYPTO_NOT_SUPPORTED)
 720 
 721 #define KCF_PROV_DECRYPT_FINAL(pd, ctx, plaintext, req) ( \
 722         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_final) ? \
 723         KCF_PROV_CIPHER_OPS(pd)->decrypt_final(ctx, plaintext, req) : \
 724         CRYPTO_NOT_SUPPORTED)
 725 
 726 #define KCF_PROV_DECRYPT_ATOMIC(pd, session, mech, key, ciphertext, plaintext, \
 727             template, req) ( \
 728         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic) ? \
 729         KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic( \
 730             (pd)->pd_prov_handle, session, mech, key, ciphertext, plaintext, \
 731             template, req) : \
 732         CRYPTO_NOT_SUPPORTED)
 733 
 734 /*
 735  * Wrappers for crypto_mac_ops(9S) entry points.
 736  */
 737 
 738 #define KCF_PROV_MAC_INIT(pd, ctx, mech, key, template, req) ( \
 739         (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_init) ? \
 740         KCF_PROV_MAC_OPS(pd)->mac_init(ctx, mech, key, template, req) \
 741         : CRYPTO_NOT_SUPPORTED)
 742 
 743 /*
 744  * The _ (underscore) in _mac is needed to avoid replacing the
 745  * function mac().
 746  */
 747 #define KCF_PROV_MAC(pd, ctx, data, _mac, req) ( \
 748         (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac) ? \
 749         KCF_PROV_MAC_OPS(pd)->mac(ctx, data, _mac, req) : \
 750         CRYPTO_NOT_SUPPORTED)
 751 
 752 #define KCF_PROV_MAC_UPDATE(pd, ctx, data, req) ( \
 753         (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_update) ? \
 754         KCF_PROV_MAC_OPS(pd)->mac_update(ctx, data, req) : \
 755         CRYPTO_NOT_SUPPORTED)
 756 
 757 #define KCF_PROV_MAC_FINAL(pd, ctx, mac, req) ( \
 758         (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_final) ? \
 759         KCF_PROV_MAC_OPS(pd)->mac_final(ctx, mac, req) : \
 760         CRYPTO_NOT_SUPPORTED)
 761 
 762 #define KCF_PROV_MAC_ATOMIC(pd, session, mech, key, data, mac, template, \
 763             req) ( \
 764         (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_atomic) ? \
 765         KCF_PROV_MAC_OPS(pd)->mac_atomic( \
 766             (pd)->pd_prov_handle, session, mech, key, data, mac, template, \
 767             req) : \
 768         CRYPTO_NOT_SUPPORTED)
 769 
 770 #define KCF_PROV_MAC_VERIFY_ATOMIC(pd, session, mech, key, data, mac, \
 771             template, req) ( \
 772         (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_verify_atomic) ? \
 773         KCF_PROV_MAC_OPS(pd)->mac_verify_atomic( \
 774             (pd)->pd_prov_handle, session, mech, key, data, mac, template, \
 775             req) : \
 776         CRYPTO_NOT_SUPPORTED)
 777 
 778 /*
 779  * Wrappers for crypto_sign_ops(9S) entry points.
 780  */
 781 
 782 #define KCF_PROV_SIGN_INIT(pd, ctx, mech, key, template, req) ( \
 783         (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_init) ? \
 784         KCF_PROV_SIGN_OPS(pd)->sign_init( \
 785             ctx, mech, key, template, req) : CRYPTO_NOT_SUPPORTED)
 786 
 787 #define KCF_PROV_SIGN(pd, ctx, data, sig, req) ( \
 788         (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign) ? \
 789         KCF_PROV_SIGN_OPS(pd)->sign(ctx, data, sig, req) : \
 790         CRYPTO_NOT_SUPPORTED)
 791 
 792 #define KCF_PROV_SIGN_UPDATE(pd, ctx, data, req) ( \
 793         (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_update) ? \
 794         KCF_PROV_SIGN_OPS(pd)->sign_update(ctx, data, req) : \
 795         CRYPTO_NOT_SUPPORTED)
 796 
 797 #define KCF_PROV_SIGN_FINAL(pd, ctx, sig, req) ( \
 798         (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_final) ? \
 799         KCF_PROV_SIGN_OPS(pd)->sign_final(ctx, sig, req) : \
 800         CRYPTO_NOT_SUPPORTED)
 801 
 802 #define KCF_PROV_SIGN_ATOMIC(pd, session, mech, key, data, template, \
 803             sig, req) ( \
 804         (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_atomic) ? \
 805         KCF_PROV_SIGN_OPS(pd)->sign_atomic( \
 806             (pd)->pd_prov_handle, session, mech, key, data, sig, template, \
 807             req) : CRYPTO_NOT_SUPPORTED)
 808 
 809 #define KCF_PROV_SIGN_RECOVER_INIT(pd, ctx, mech, key, template, \
 810             req) ( \
 811         (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_recover_init) ? \
 812         KCF_PROV_SIGN_OPS(pd)->sign_recover_init(ctx, mech, key, template, \
 813             req) : CRYPTO_NOT_SUPPORTED)
 814 
 815 #define KCF_PROV_SIGN_RECOVER(pd, ctx, data, sig, req) ( \
 816         (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_recover) ? \
 817         KCF_PROV_SIGN_OPS(pd)->sign_recover(ctx, data, sig, req) : \
 818         CRYPTO_NOT_SUPPORTED)
 819 
 820 #define KCF_PROV_SIGN_RECOVER_ATOMIC(pd, session, mech, key, data, template, \
 821             sig, req) ( \
 822         (KCF_PROV_SIGN_OPS(pd) && \
 823         KCF_PROV_SIGN_OPS(pd)->sign_recover_atomic) ? \
 824         KCF_PROV_SIGN_OPS(pd)->sign_recover_atomic( \
 825             (pd)->pd_prov_handle, session, mech, key, data, sig, template, \
 826             req) : CRYPTO_NOT_SUPPORTED)
 827 
 828 /*
 829  * Wrappers for crypto_verify_ops(9S) entry points.
 830  */
 831 
 832 #define KCF_PROV_VERIFY_INIT(pd, ctx, mech, key, template, req) ( \
 833         (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_init) ? \
 834         KCF_PROV_VERIFY_OPS(pd)->verify_init(ctx, mech, key, template, \
 835             req) : CRYPTO_NOT_SUPPORTED)
 836 
 837 #define KCF_PROV_VERIFY(pd, ctx, data, sig, req) ( \
 838         (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify) ? \
 839         KCF_PROV_VERIFY_OPS(pd)->verify(ctx, data, sig, req) : \
 840         CRYPTO_NOT_SUPPORTED)
 841 
 842 #define KCF_PROV_VERIFY_UPDATE(pd, ctx, data, req) ( \
 843         (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_update) ? \
 844         KCF_PROV_VERIFY_OPS(pd)->verify_update(ctx, data, req) : \
 845         CRYPTO_NOT_SUPPORTED)
 846 
 847 #define KCF_PROV_VERIFY_FINAL(pd, ctx, sig, req) ( \
 848         (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_final) ? \
 849         KCF_PROV_VERIFY_OPS(pd)->verify_final(ctx, sig, req) : \
 850         CRYPTO_NOT_SUPPORTED)
 851 
 852 #define KCF_PROV_VERIFY_ATOMIC(pd, session, mech, key, data, template, sig, \
 853             req) ( \
 854         (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_atomic) ? \
 855         KCF_PROV_VERIFY_OPS(pd)->verify_atomic( \
 856             (pd)->pd_prov_handle, session, mech, key, data, sig, template, \
 857             req) : CRYPTO_NOT_SUPPORTED)
 858 
 859 #define KCF_PROV_VERIFY_RECOVER_INIT(pd, ctx, mech, key, template, \
 860             req) ( \
 861         (KCF_PROV_VERIFY_OPS(pd) && \
 862         KCF_PROV_VERIFY_OPS(pd)->verify_recover_init) ? \
 863         KCF_PROV_VERIFY_OPS(pd)->verify_recover_init(ctx, mech, key, \
 864             template, req) : CRYPTO_NOT_SUPPORTED)
 865 
 866 /* verify_recover() CSPI routine has different argument order than verify() */
 867 #define KCF_PROV_VERIFY_RECOVER(pd, ctx, sig, data, req) ( \
 868         (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_recover) ? \
 869         KCF_PROV_VERIFY_OPS(pd)->verify_recover(ctx, sig, data, req) : \
 870         CRYPTO_NOT_SUPPORTED)
 871 
 872 /*
 873  * verify_recover_atomic() CSPI routine has different argument order
 874  * than verify_atomic().
 875  */
 876 #define KCF_PROV_VERIFY_RECOVER_ATOMIC(pd, session, mech, key, sig, \
 877             template, data,  req) ( \
 878         (KCF_PROV_VERIFY_OPS(pd) && \
 879         KCF_PROV_VERIFY_OPS(pd)->verify_recover_atomic) ? \
 880         KCF_PROV_VERIFY_OPS(pd)->verify_recover_atomic( \
 881             (pd)->pd_prov_handle, session, mech, key, sig, data, template, \
 882             req) : CRYPTO_NOT_SUPPORTED)
 883 
 884 /*
 885  * Wrappers for crypto_dual_ops(9S) entry points.
 886  */
 887 
 888 #define KCF_PROV_DIGEST_ENCRYPT_UPDATE(digest_ctx, encrypt_ctx, plaintext, \
 889             ciphertext, req) ( \
 890         (KCF_PROV_DUAL_OPS(pd) && \
 891         KCF_PROV_DUAL_OPS(pd)->digest_encrypt_update) ? \
 892         KCF_PROV_DUAL_OPS(pd)->digest_encrypt_update( \
 893             digest_ctx, encrypt_ctx, plaintext, ciphertext, req) : \
 894         CRYPTO_NOT_SUPPORTED)
 895 
 896 #define KCF_PROV_DECRYPT_DIGEST_UPDATE(decrypt_ctx, digest_ctx, ciphertext, \
 897             plaintext, req) ( \
 898         (KCF_PROV_DUAL_OPS(pd) && \
 899         KCF_PROV_DUAL_OPS(pd)->decrypt_digest_update) ? \
 900         KCF_PROV_DUAL_OPS(pd)->decrypt_digest_update( \
 901             decrypt_ctx, digest_ctx, ciphertext, plaintext, req) : \
 902         CRYPTO_NOT_SUPPORTED)
 903 
 904 #define KCF_PROV_SIGN_ENCRYPT_UPDATE(sign_ctx, encrypt_ctx, plaintext, \
 905             ciphertext, req) ( \
 906         (KCF_PROV_DUAL_OPS(pd) && \
 907         KCF_PROV_DUAL_OPS(pd)->sign_encrypt_update) ? \
 908         KCF_PROV_DUAL_OPS(pd)->sign_encrypt_update( \
 909             sign_ctx, encrypt_ctx, plaintext, ciphertext, req) : \
 910         CRYPTO_NOT_SUPPORTED)
 911 
 912 #define KCF_PROV_DECRYPT_VERIFY_UPDATE(decrypt_ctx, verify_ctx, ciphertext, \
 913             plaintext, req) ( \
 914         (KCF_PROV_DUAL_OPS(pd) && \
 915         KCF_PROV_DUAL_OPS(pd)->decrypt_verify_update) ? \
 916         KCF_PROV_DUAL_OPS(pd)->decrypt_verify_update( \
 917             decrypt_ctx, verify_ctx, ciphertext, plaintext, req) : \
 918         CRYPTO_NOT_SUPPORTED)
 919 
 920 /*
 921  * Wrappers for crypto_dual_cipher_mac_ops(9S) entry points.
 922  */
 923 
 924 #define KCF_PROV_ENCRYPT_MAC_INIT(pd, ctx, encr_mech, encr_key, mac_mech, \
 925             mac_key, encr_ctx_template, mac_ctx_template, req) ( \
 926         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 927         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_init) ? \
 928         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_init( \
 929             ctx, encr_mech, encr_key, mac_mech, mac_key, encr_ctx_template, \
 930             mac_ctx_template, req) : \
 931         CRYPTO_NOT_SUPPORTED)
 932 
 933 #define KCF_PROV_ENCRYPT_MAC(pd, ctx, plaintext, ciphertext, mac, req) ( \
 934         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 935         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac) ? \
 936         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac( \
 937             ctx, plaintext, ciphertext, mac, req) : \
 938         CRYPTO_NOT_SUPPORTED)
 939 
 940 #define KCF_PROV_ENCRYPT_MAC_UPDATE(pd, ctx, plaintext, ciphertext, req) ( \
 941         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 942         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_update) ? \
 943         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_update( \
 944             ctx, plaintext, ciphertext, req) : \
 945         CRYPTO_NOT_SUPPORTED)
 946 
 947 #define KCF_PROV_ENCRYPT_MAC_FINAL(pd, ctx, ciphertext, mac, req) ( \
 948         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 949         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_final) ? \
 950         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_final( \
 951             ctx, ciphertext, mac, req) : \
 952         CRYPTO_NOT_SUPPORTED)
 953 
 954 #define KCF_PROV_ENCRYPT_MAC_ATOMIC(pd, session, encr_mech, encr_key, \
 955             mac_mech, mac_key, plaintext, ciphertext, mac, \
 956             encr_ctx_template, mac_ctx_template, req) ( \
 957         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 958         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_atomic) ? \
 959         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_atomic( \
 960             (pd)->pd_prov_handle, session, encr_mech, encr_key, \
 961             mac_mech, mac_key, plaintext, ciphertext, mac, \
 962             encr_ctx_template, mac_ctx_template, req) : \
 963         CRYPTO_NOT_SUPPORTED)
 964 
 965 #define KCF_PROV_MAC_DECRYPT_INIT(pd, ctx, mac_mech, mac_key, decr_mech, \
 966             decr_key, mac_ctx_template, decr_ctx_template, req) ( \
 967         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 968         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_init) ? \
 969         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_init( \
 970             ctx, mac_mech, mac_key, decr_mech, decr_key, mac_ctx_template, \
 971             decr_ctx_template, req) : \
 972         CRYPTO_NOT_SUPPORTED)
 973 
 974 #define KCF_PROV_MAC_DECRYPT(pd, ctx, ciphertext, mac, plaintext, req) ( \
 975         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 976         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt) ? \
 977         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt( \
 978             ctx, ciphertext, mac, plaintext, req) : \
 979         CRYPTO_NOT_SUPPORTED)
 980 
 981 #define KCF_PROV_MAC_DECRYPT_UPDATE(pd, ctx, ciphertext, plaintext, req) ( \
 982         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 983         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_update) ? \
 984         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_update( \
 985             ctx, ciphertext, plaintext, req) : \
 986         CRYPTO_NOT_SUPPORTED)
 987 
 988 #define KCF_PROV_MAC_DECRYPT_FINAL(pd, ctx, mac, plaintext, req) ( \
 989         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 990         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_final) ? \
 991         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_final( \
 992             ctx, mac, plaintext, req) : \
 993         CRYPTO_NOT_SUPPORTED)
 994 
 995 #define KCF_PROV_MAC_DECRYPT_ATOMIC(pd, session, mac_mech, mac_key, \
 996             decr_mech, decr_key, ciphertext, mac, plaintext, \
 997             mac_ctx_template, decr_ctx_template, req) ( \
 998         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 999         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_atomic) ? \
1000         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_atomic( \
1001             (pd)->pd_prov_handle, session, mac_mech, mac_key, \
1002             decr_mech, decr_key, ciphertext, mac, plaintext, \
1003             mac_ctx_template, decr_ctx_template, req) : \
1004         CRYPTO_NOT_SUPPORTED)
1005 
1006 #define KCF_PROV_MAC_VERIFY_DECRYPT_ATOMIC(pd, session, mac_mech, mac_key, \
1007             decr_mech, decr_key, ciphertext, mac, plaintext, \
1008             mac_ctx_template, decr_ctx_template, req) ( \
1009         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
1010         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_verify_decrypt_atomic \
1011             != NULL) ? \
1012         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_verify_decrypt_atomic( \
1013             (pd)->pd_prov_handle, session, mac_mech, mac_key, \
1014             decr_mech, decr_key, ciphertext, mac, plaintext, \
1015             mac_ctx_template, decr_ctx_template, req) : \
1016         CRYPTO_NOT_SUPPORTED)
1017 
1018 /*
1019  * Wrappers for crypto_random_number_ops(9S) entry points.
1020  */
1021 
1022 #define KCF_PROV_SEED_RANDOM(pd, session, buf, len, est, flags, req) ( \
1023         (KCF_PROV_RANDOM_OPS(pd) && KCF_PROV_RANDOM_OPS(pd)->seed_random) ? \
1024         KCF_PROV_RANDOM_OPS(pd)->seed_random((pd)->pd_prov_handle, \
1025             session, buf, len, est, flags, req) : CRYPTO_NOT_SUPPORTED)
1026 
1027 #define KCF_PROV_GENERATE_RANDOM(pd, session, buf, len, req) ( \
1028         (KCF_PROV_RANDOM_OPS(pd) && \
1029         KCF_PROV_RANDOM_OPS(pd)->generate_random) ? \
1030         KCF_PROV_RANDOM_OPS(pd)->generate_random((pd)->pd_prov_handle, \
1031             session, buf, len, req) : CRYPTO_NOT_SUPPORTED)
1032 
1033 /*
1034  * Wrappers for crypto_session_ops(9S) entry points.
1035  *
1036  * ops_pd is the provider descriptor that supplies the ops_vector.
1037  * pd is the descriptor that supplies the provider handle.
1038  * Only session open/close needs two handles.
1039  */
1040 
1041 #define KCF_PROV_SESSION_OPEN(ops_pd, session, req, pd) ( \
1042         (KCF_PROV_SESSION_OPS(ops_pd) && \
1043         KCF_PROV_SESSION_OPS(ops_pd)->session_open) ? \
1044         KCF_PROV_SESSION_OPS(ops_pd)->session_open((pd)->pd_prov_handle, \
1045             session, req) : CRYPTO_NOT_SUPPORTED)
1046 
1047 #define KCF_PROV_SESSION_CLOSE(ops_pd, session, req, pd) ( \
1048         (KCF_PROV_SESSION_OPS(ops_pd) && \
1049         KCF_PROV_SESSION_OPS(ops_pd)->session_close) ? \
1050         KCF_PROV_SESSION_OPS(ops_pd)->session_close((pd)->pd_prov_handle, \
1051             session, req) : CRYPTO_NOT_SUPPORTED)
1052 
1053 #define KCF_PROV_SESSION_LOGIN(pd, session, user_type, pin, len, req) ( \
1054         (KCF_PROV_SESSION_OPS(pd) && \
1055         KCF_PROV_SESSION_OPS(pd)->session_login) ? \
1056         KCF_PROV_SESSION_OPS(pd)->session_login((pd)->pd_prov_handle, \
1057             session, user_type, pin, len, req) : CRYPTO_NOT_SUPPORTED)
1058 
1059 #define KCF_PROV_SESSION_LOGOUT(pd, session, req) ( \
1060         (KCF_PROV_SESSION_OPS(pd) && \
1061         KCF_PROV_SESSION_OPS(pd)->session_logout) ? \
1062         KCF_PROV_SESSION_OPS(pd)->session_logout((pd)->pd_prov_handle, \
1063             session, req) : CRYPTO_NOT_SUPPORTED)
1064 
1065 /*
1066  * Wrappers for crypto_object_ops(9S) entry points.
1067  */
1068 
1069 #define KCF_PROV_OBJECT_CREATE(pd, session, template, count, object, req) ( \
1070         (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_create) ? \
1071         KCF_PROV_OBJECT_OPS(pd)->object_create((pd)->pd_prov_handle, \
1072             session, template, count, object, req) : CRYPTO_NOT_SUPPORTED)
1073 
1074 #define KCF_PROV_OBJECT_COPY(pd, session, object, template, count, \
1075             new_object, req) ( \
1076         (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_copy) ? \
1077         KCF_PROV_OBJECT_OPS(pd)->object_copy((pd)->pd_prov_handle, \
1078         session, object, template, count, new_object, req) : \
1079             CRYPTO_NOT_SUPPORTED)
1080 
1081 #define KCF_PROV_OBJECT_DESTROY(pd, session, object, req) ( \
1082         (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_destroy) ? \
1083         KCF_PROV_OBJECT_OPS(pd)->object_destroy((pd)->pd_prov_handle, \
1084             session, object, req) : CRYPTO_NOT_SUPPORTED)
1085 
1086 #define KCF_PROV_OBJECT_GET_SIZE(pd, session, object, size, req) ( \
1087         (KCF_PROV_OBJECT_OPS(pd) && \
1088         KCF_PROV_OBJECT_OPS(pd)->object_get_size) ? \
1089         KCF_PROV_OBJECT_OPS(pd)->object_get_size((pd)->pd_prov_handle, \
1090             session, object, size, req) : CRYPTO_NOT_SUPPORTED)
1091 
1092 #define KCF_PROV_OBJECT_GET_ATTRIBUTE_VALUE(pd, session, object, template, \
1093             count, req) ( \
1094         (KCF_PROV_OBJECT_OPS(pd) && \
1095         KCF_PROV_OBJECT_OPS(pd)->object_get_attribute_value) ? \
1096         KCF_PROV_OBJECT_OPS(pd)->object_get_attribute_value( \
1097         (pd)->pd_prov_handle, session, object, template, count, req) : \
1098             CRYPTO_NOT_SUPPORTED)
1099 
1100 #define KCF_PROV_OBJECT_SET_ATTRIBUTE_VALUE(pd, session, object, template, \
1101             count, req) ( \
1102         (KCF_PROV_OBJECT_OPS(pd) && \
1103         KCF_PROV_OBJECT_OPS(pd)->object_set_attribute_value) ? \
1104         KCF_PROV_OBJECT_OPS(pd)->object_set_attribute_value( \
1105         (pd)->pd_prov_handle, session, object, template, count, req) : \
1106             CRYPTO_NOT_SUPPORTED)
1107 
1108 #define KCF_PROV_OBJECT_FIND_INIT(pd, session, template, count, ppriv, \
1109             req) ( \
1110         (KCF_PROV_OBJECT_OPS(pd) && \
1111         KCF_PROV_OBJECT_OPS(pd)->object_find_init) ? \
1112         KCF_PROV_OBJECT_OPS(pd)->object_find_init((pd)->pd_prov_handle, \
1113         session, template, count, ppriv, req) : CRYPTO_NOT_SUPPORTED)
1114 
1115 #define KCF_PROV_OBJECT_FIND(pd, ppriv, objects, max_objects, object_count, \
1116             req) ( \
1117         (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_find) ? \
1118         KCF_PROV_OBJECT_OPS(pd)->object_find( \
1119         (pd)->pd_prov_handle, ppriv, objects, max_objects, object_count, \
1120         req) : CRYPTO_NOT_SUPPORTED)
1121 
1122 #define KCF_PROV_OBJECT_FIND_FINAL(pd, ppriv, req) ( \
1123         (KCF_PROV_OBJECT_OPS(pd) && \
1124         KCF_PROV_OBJECT_OPS(pd)->object_find_final) ? \
1125         KCF_PROV_OBJECT_OPS(pd)->object_find_final( \
1126             (pd)->pd_prov_handle, ppriv, req) : CRYPTO_NOT_SUPPORTED)
1127 
1128 /*
1129  * Wrappers for crypto_key_ops(9S) entry points.
1130  */
1131 
1132 #define KCF_PROV_KEY_GENERATE(pd, session, mech, template, count, object, \
1133             req) ( \
1134         (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_generate) ? \
1135         KCF_PROV_KEY_OPS(pd)->key_generate((pd)->pd_prov_handle, \
1136             session, mech, template, count, object, req) : \
1137         CRYPTO_NOT_SUPPORTED)
1138 
1139 #define KCF_PROV_KEY_GENERATE_PAIR(pd, session, mech, pub_template, \
1140             pub_count, priv_template, priv_count, pub_key, priv_key, req) ( \
1141         (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_generate_pair) ? \
1142         KCF_PROV_KEY_OPS(pd)->key_generate_pair((pd)->pd_prov_handle, \
1143             session, mech, pub_template, pub_count, priv_template, \
1144             priv_count, pub_key, priv_key, req) : \
1145         CRYPTO_NOT_SUPPORTED)
1146 
1147 #define KCF_PROV_KEY_WRAP(pd, session, mech, wrapping_key, key, wrapped_key, \
1148             wrapped_key_len, req) ( \
1149         (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_wrap) ? \
1150         KCF_PROV_KEY_OPS(pd)->key_wrap((pd)->pd_prov_handle, \
1151             session, mech, wrapping_key, key, wrapped_key, wrapped_key_len, \
1152             req) : \
1153         CRYPTO_NOT_SUPPORTED)
1154 
1155 #define KCF_PROV_KEY_UNWRAP(pd, session, mech, unwrapping_key, wrapped_key, \
1156             wrapped_key_len, template, count, key, req) ( \
1157         (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_unwrap) ? \
1158         KCF_PROV_KEY_OPS(pd)->key_unwrap((pd)->pd_prov_handle, \
1159             session, mech, unwrapping_key, wrapped_key, wrapped_key_len, \
1160             template, count, key, req) : \
1161         CRYPTO_NOT_SUPPORTED)
1162 
1163 #define KCF_PROV_KEY_DERIVE(pd, session, mech, base_key, template, count, \
1164             key, req) ( \
1165         (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_derive) ? \
1166         KCF_PROV_KEY_OPS(pd)->key_derive((pd)->pd_prov_handle, \
1167             session, mech, base_key, template, count, key, req) : \
1168         CRYPTO_NOT_SUPPORTED)
1169 
1170 #define KCF_PROV_KEY_CHECK(pd, mech, key) ( \
1171         (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_check) ? \
1172         KCF_PROV_KEY_OPS(pd)->key_check((pd)->pd_prov_handle, mech, key) : \
1173         CRYPTO_NOT_SUPPORTED)
1174 
1175 /*
1176  * Wrappers for crypto_provider_management_ops(9S) entry points.
1177  *
1178  * ops_pd is the provider descriptor that supplies the ops_vector.
1179  * pd is the descriptor that supplies the provider handle.
1180  * Only ext_info needs two handles.
1181  */
1182 
1183 #define KCF_PROV_EXT_INFO(ops_pd, provext_info, req, pd) ( \
1184         (KCF_PROV_PROVIDER_OPS(ops_pd) && \
1185         KCF_PROV_PROVIDER_OPS(ops_pd)->ext_info) ? \
1186         KCF_PROV_PROVIDER_OPS(ops_pd)->ext_info((pd)->pd_prov_handle, \
1187             provext_info, req) : CRYPTO_NOT_SUPPORTED)
1188 
1189 #define KCF_PROV_INIT_TOKEN(pd, pin, pin_len, label, req) ( \
1190         (KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->init_token) ? \
1191         KCF_PROV_PROVIDER_OPS(pd)->init_token((pd)->pd_prov_handle, \
1192             pin, pin_len, label, req) : CRYPTO_NOT_SUPPORTED)
1193 
1194 #define KCF_PROV_INIT_PIN(pd, session, pin, pin_len, req) ( \
1195         (KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->init_pin) ? \
1196         KCF_PROV_PROVIDER_OPS(pd)->init_pin((pd)->pd_prov_handle, \
1197             session, pin, pin_len, req) : CRYPTO_NOT_SUPPORTED)
1198 
1199 #define KCF_PROV_SET_PIN(pd, session, old_pin, old_len, new_pin, new_len, \
1200             req) ( \
1201         (KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->set_pin) ? \
1202         KCF_PROV_PROVIDER_OPS(pd)->set_pin((pd)->pd_prov_handle, \
1203         session, old_pin, old_len, new_pin, new_len, req) : \
1204             CRYPTO_NOT_SUPPORTED)
1205 
1206 /*
1207  * Wrappers for crypto_nostore_key_ops(9S) entry points.
1208  */
1209 
1210 #define KCF_PROV_NOSTORE_KEY_GENERATE(pd, session, mech, template, count, \
1211             out_template, out_count, req) ( \
1212         (KCF_PROV_NOSTORE_KEY_OPS(pd) && \
1213             KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate) ? \
1214         KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate( \
1215             (pd)->pd_prov_handle, session, mech, template, count, \
1216             out_template, out_count, req) : CRYPTO_NOT_SUPPORTED)
1217 
1218 #define KCF_PROV_NOSTORE_KEY_GENERATE_PAIR(pd, session, mech, pub_template, \
1219             pub_count, priv_template, priv_count, out_pub_template, \
1220             out_pub_count, out_priv_template, out_priv_count, req) ( \
1221         (KCF_PROV_NOSTORE_KEY_OPS(pd) && \
1222             KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate_pair) ? \
1223         KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate_pair( \
1224             (pd)->pd_prov_handle, session, mech, pub_template, pub_count, \
1225             priv_template, priv_count, out_pub_template, out_pub_count, \
1226             out_priv_template, out_priv_count, req) : CRYPTO_NOT_SUPPORTED)
1227 
1228 #define KCF_PROV_NOSTORE_KEY_DERIVE(pd, session, mech, base_key, template, \
1229             count, out_template, out_count, req) ( \
1230         (KCF_PROV_NOSTORE_KEY_OPS(pd) && \
1231             KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_derive) ? \
1232         KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_derive( \
1233             (pd)->pd_prov_handle, session, mech, base_key, template, count, \
1234             out_template, out_count, req) : CRYPTO_NOT_SUPPORTED)
1235 
1236 /*
1237  * The following routines are exported by the kcf module (/kernel/misc/kcf)
1238  * to the crypto and cryptoadmin modules.
1239  */
1240 
1241 /* Digest/mac/cipher entry points that take a provider descriptor and session */
1242 extern int crypto_digest_single(crypto_context_t, crypto_data_t *,
1243     crypto_data_t *, crypto_call_req_t *);
1244 
1245 extern int crypto_mac_single(crypto_context_t, crypto_data_t *,
1246     crypto_data_t *, crypto_call_req_t *);
1247 
1248 extern int crypto_encrypt_single(crypto_context_t, crypto_data_t *,
1249     crypto_data_t *, crypto_call_req_t *);
1250 
1251 extern int crypto_decrypt_single(crypto_context_t, crypto_data_t *,
1252     crypto_data_t *, crypto_call_req_t *);
1253 
1254 
1255 /* Other private digest/mac/cipher entry points not exported through k-API */
1256 extern int crypto_digest_key_prov(crypto_context_t, crypto_key_t *,
1257     crypto_call_req_t *);
1258 
1259 /* Private sign entry points exported by KCF */
1260 extern int crypto_sign_single(crypto_context_t, crypto_data_t *,
1261     crypto_data_t *, crypto_call_req_t *);
1262 
1263 extern int crypto_sign_recover_single(crypto_context_t, crypto_data_t *,
1264     crypto_data_t *, crypto_call_req_t *);
1265 
1266 /* Private verify entry points exported by KCF */
1267 extern int crypto_verify_single(crypto_context_t, crypto_data_t *,
1268     crypto_data_t *, crypto_call_req_t *);
1269 
1270 extern int crypto_verify_recover_single(crypto_context_t, crypto_data_t *,
1271     crypto_data_t *, crypto_call_req_t *);
1272 
1273 /* Private dual operations entry points exported by KCF */
1274 extern int crypto_digest_encrypt_update(crypto_context_t, crypto_context_t,
1275     crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
1276 extern int crypto_decrypt_digest_update(crypto_context_t, crypto_context_t,
1277     crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
1278 extern int crypto_sign_encrypt_update(crypto_context_t, crypto_context_t,
1279     crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
1280 extern int crypto_decrypt_verify_update(crypto_context_t, crypto_context_t,
1281     crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
1282 
1283 /* Random Number Generation */
1284 int crypto_seed_random(crypto_provider_handle_t provider, uchar_t *buf,
1285     size_t len, crypto_call_req_t *req);
1286 int crypto_generate_random(crypto_provider_handle_t provider, uchar_t *buf,
1287     size_t len, crypto_call_req_t *req);
1288 
1289 /* Provider Management */
1290 int crypto_get_provider_info(crypto_provider_id_t id,
1291     crypto_provider_info_t **info, crypto_call_req_t *req);
1292 int crypto_get_provider_mechanisms(crypto_minor_t *, crypto_provider_id_t id,
1293     uint_t *count, crypto_mech_name_t **list);
1294 int crypto_init_token(crypto_provider_handle_t provider, char *pin,
1295     size_t pin_len, char *label, crypto_call_req_t *);
1296 int crypto_init_pin(crypto_provider_handle_t provider, char *pin,
1297     size_t pin_len, crypto_call_req_t *req);
1298 int crypto_set_pin(crypto_provider_handle_t provider, char *old_pin,
1299     size_t old_len, char *new_pin, size_t new_len, crypto_call_req_t *req);
1300 void crypto_free_provider_list(crypto_provider_entry_t *list, uint_t count);
1301 void crypto_free_provider_info(crypto_provider_info_t *info);
1302 
1303 /* Administrative */
1304 int crypto_get_dev_list(uint_t *count, crypto_dev_list_entry_t **list);
1305 int crypto_get_soft_list(uint_t *count, char **list, size_t *len);
1306 int crypto_get_dev_info(char *name, uint_t instance, uint_t *count,
1307     crypto_mech_name_t **list);
1308 int crypto_get_soft_info(caddr_t name, uint_t *count,
1309     crypto_mech_name_t **list);
1310 int crypto_load_dev_disabled(char *name, uint_t instance, uint_t count,
1311     crypto_mech_name_t *list);
1312 int crypto_load_soft_disabled(caddr_t name, uint_t count,
1313     crypto_mech_name_t *list);
1314 int crypto_unload_soft_module(caddr_t path);
1315 int crypto_load_soft_config(caddr_t name, uint_t count,
1316     crypto_mech_name_t *list);
1317 int crypto_load_door(uint_t did);
1318 void crypto_free_mech_list(crypto_mech_name_t *list, uint_t count);
1319 void crypto_free_dev_list(crypto_dev_list_entry_t *list, uint_t count);
1320 extern void kcf_activate();
1321 
1322 /* Miscellaneous */
1323 int crypto_get_mechanism_number(caddr_t name, crypto_mech_type_t *number);
1324 int crypto_get_function_list(crypto_provider_id_t id,
1325     crypto_function_list_t **list, int kmflag);
1326 void crypto_free_function_list(crypto_function_list_t *list);
1327 int crypto_build_permitted_mech_names(kcf_provider_desc_t *,
1328     crypto_mech_name_t **, uint_t *, int);
1329 extern void kcf_init_mech_tabs(void);
1330 extern int kcf_add_mech_provider(short, kcf_provider_desc_t *,
1331     kcf_prov_mech_desc_t **);
1332 extern void kcf_remove_mech_provider(char *, kcf_provider_desc_t *);
1333 extern int kcf_get_mech_entry(crypto_mech_type_t, kcf_mech_entry_t **);
1334 extern kcf_provider_desc_t *kcf_alloc_provider_desc(crypto_provider_info_t *);
1335 extern void kcf_free_provider_desc(kcf_provider_desc_t *);
1336 extern void kcf_soft_config_init(void);
1337 extern int get_sw_provider_for_mech(crypto_mech_name_t, char **);
1338 extern crypto_mech_type_t crypto_mech2id_common(char *, boolean_t);
1339 extern void undo_register_provider(kcf_provider_desc_t *, boolean_t);
1340 extern void redo_register_provider(kcf_provider_desc_t *);
1341 extern void kcf_rnd_init();
1342 extern boolean_t kcf_rngprov_check(void);
1343 extern int kcf_rnd_get_pseudo_bytes(uint8_t *, size_t);
1344 extern int kcf_rnd_get_bytes(uint8_t *, size_t, boolean_t);
1345 extern int random_add_pseudo_entropy(uint8_t *, size_t, uint_t);
1346 extern void kcf_rnd_chpoll(short, int, short *, struct pollhead **);
1347 extern int crypto_uio_data(crypto_data_t *, uchar_t *, int, cmd_type_t,
1348     void *, void (*update)());
1349 extern int crypto_mblk_data(crypto_data_t *, uchar_t *, int, cmd_type_t,
1350     void *, void (*update)());
1351 extern int crypto_put_output_data(uchar_t *, crypto_data_t *, int);
1352 extern int crypto_get_input_data(crypto_data_t *, uchar_t **, uchar_t *);
1353 extern int crypto_copy_key_to_ctx(crypto_key_t *, crypto_key_t **, size_t *,
1354     int kmflag);
1355 extern int crypto_digest_data(crypto_data_t *, void *, uchar_t *,
1356     void (*update)(), void (*final)(), uchar_t);
1357 extern int crypto_update_iov(void *, crypto_data_t *, crypto_data_t *,
1358     int (*cipher)(void *, caddr_t, size_t, crypto_data_t *),
1359     void (*copy_block)(uint8_t *, uint64_t *));
1360 extern int crypto_update_uio(void *, crypto_data_t *, crypto_data_t *,
1361     int (*cipher)(void *, caddr_t, size_t, crypto_data_t *),
1362     void (*copy_block)(uint8_t *, uint64_t *));
1363 extern int crypto_update_mp(void *, crypto_data_t *, crypto_data_t *,
1364     int (*cipher)(void *, caddr_t, size_t, crypto_data_t *),
1365     void (*copy_block)(uint8_t *, uint64_t *));
1366 extern int crypto_get_key_attr(crypto_key_t *, crypto_attr_type_t, uchar_t **,
1367     ssize_t *);
1368 
1369 /* Access to the provider's table */
1370 extern void kcf_prov_tab_init(void);
1371 extern int kcf_prov_tab_add_provider(kcf_provider_desc_t *);
1372 extern int kcf_prov_tab_rem_provider(crypto_provider_id_t);
1373 extern kcf_provider_desc_t *kcf_prov_tab_lookup_by_name(char *);
1374 extern kcf_provider_desc_t *kcf_prov_tab_lookup_by_dev(char *, uint_t);
1375 extern int kcf_get_hw_prov_tab(uint_t *, kcf_provider_desc_t ***, int,
1376     char *, uint_t, boolean_t);
1377 extern int kcf_get_slot_list(uint_t *, kcf_provider_desc_t ***, boolean_t);
1378 extern void kcf_free_provider_tab(uint_t, kcf_provider_desc_t **);
1379 extern kcf_provider_desc_t *kcf_prov_tab_lookup(crypto_provider_id_t);
1380 extern int kcf_get_sw_prov(crypto_mech_type_t, kcf_provider_desc_t **,
1381     kcf_mech_entry_t **, boolean_t);
1382 
1383 extern kmutex_t prov_tab_mutex;
1384 extern boolean_t kcf_need_provtab_walk;
1385 extern int kcf_get_refcnt(kcf_provider_desc_t *, boolean_t);
1386 
1387 /* Access to the policy table */
1388 extern boolean_t is_mech_disabled(kcf_provider_desc_t *, crypto_mech_name_t);
1389 extern boolean_t is_mech_disabled_byname(crypto_provider_type_t, char *,
1390     uint_t, crypto_mech_name_t);
1391 extern void kcf_policy_tab_init(void);
1392 extern void kcf_policy_free_desc(kcf_policy_desc_t *);
1393 extern void kcf_policy_remove_by_name(char *, uint_t *, crypto_mech_name_t **);
1394 extern void kcf_policy_remove_by_dev(char *, uint_t, uint_t *,
1395     crypto_mech_name_t **);
1396 extern kcf_policy_desc_t *kcf_policy_lookup_by_name(char *);
1397 extern kcf_policy_desc_t *kcf_policy_lookup_by_dev(char *, uint_t);
1398 extern int kcf_policy_load_soft_disabled(char *, uint_t, crypto_mech_name_t *,
1399     uint_t *, crypto_mech_name_t **);
1400 extern int kcf_policy_load_dev_disabled(char *, uint_t, uint_t,
1401     crypto_mech_name_t *, uint_t *, crypto_mech_name_t **);
1402 extern void remove_soft_config(char *);
1403 
1404 #endif  /* _KERNEL */
1405 
1406 #ifdef  __cplusplus
1407 }
1408 #endif
1409 
1410 #endif  /* _SYS_CRYPTO_IMPL_H */