1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright 2015 by Saso Kiselkov. All rights reserved.
  24  */
  25 
  26 #ifndef _SYS_CRYPTO_IMPL_H
  27 #define _SYS_CRYPTO_IMPL_H
  28 
  29 /*
  30  * Kernel Cryptographic Framework private implementation definitions.
  31  */
  32 
  33 #include <sys/types.h>
  34 #include <sys/param.h>
  35 
  36 #ifdef _KERNEL
  37 #include <sys/crypto/common.h>
  38 #include <sys/crypto/api.h>
  39 #include <sys/crypto/spi.h>
  40 #include <sys/crypto/ioctl.h>
  41 #include <sys/tnf_probe.h>
  42 #include <sys/atomic.h>
  43 #include <sys/project.h>
  44 #include <sys/taskq.h>
  45 #include <sys/rctl.h>
  46 #include <sys/cpuvar.h>
  47 #endif /* _KERNEL */
  48 
  49 #ifdef  __cplusplus
  50 extern "C" {
  51 #endif
  52 
  53 #ifdef _KERNEL
  54 
  55 /*
  56  * Prefixes convention: structures internal to the kernel cryptographic
  57  * framework start with 'kcf_'. Exposed structure start with 'crypto_'.
  58  */
  59 
  60 /* Provider stats. Not protected. */
  61 typedef struct kcf_prov_stats {
  62         kstat_named_t   ps_ops_total;
  63         kstat_named_t   ps_ops_passed;
  64         kstat_named_t   ps_ops_failed;
  65         kstat_named_t   ps_ops_busy_rval;
  66 } kcf_prov_stats_t;
  67 
  68 /* Various kcf stats. Not protected. */
  69 typedef struct kcf_stats {
  70         kstat_named_t   ks_thrs_in_pool;
  71         kstat_named_t   ks_idle_thrs;
  72         kstat_named_t   ks_minthrs;
  73         kstat_named_t   ks_maxthrs;
  74         kstat_named_t   ks_swq_njobs;
  75         kstat_named_t   ks_swq_maxjobs;
  76         kstat_named_t   ks_taskq_threads;
  77         kstat_named_t   ks_taskq_minalloc;
  78         kstat_named_t   ks_taskq_maxalloc;
  79 } kcf_stats_t;
  80 
  81 #define CPU_SEQID       (CPU->cpu_seqid)
  82 
  83 typedef struct kcf_lock_withpad {
  84         kmutex_t        kl_lock;
  85         uint8_t         kl_pad[64 - sizeof (kmutex_t)];
  86 } kcf_lock_withpad_t;
  87 
  88 /*
  89  * Per-CPU structure used by a provider to keep track of
  90  * various counters.
  91  */
  92 typedef struct kcf_prov_cpu {
  93         kmutex_t        kp_lock;
  94         int             kp_holdcnt;     /* can go negative! */
  95         uint_t          kp_jobcnt;
  96 
  97         uint64_t        kp_ndispatches;
  98         uint64_t        kp_nfails;
  99         uint64_t        kp_nbusy_rval;
 100         kcondvar_t      kp_cv;
 101 
 102         uint8_t         kp_pad[64 - sizeof (kmutex_t) - 2 * sizeof (int) -
 103             3 * sizeof (uint64_t) - sizeof (kcondvar_t)];
 104 } kcf_prov_cpu_t;
 105 
 106 /*
 107  * kcf_get_refcnt(pd) is the number of inflight requests to the
 108  * provider. So, it is a good measure of the load on a provider when
 109  * it is not in a busy state. Once a provider notifies it is busy, requests
 110  * backup in the taskq. So, we use tq_nalloc in that case which gives
 111  * the number of task entries in the task queue. Note that we do not
 112  * acquire any locks here as it is not critical to get the exact number
 113  * and the lock contention is too costly for this code path.
 114  */
 115 #define KCF_PROV_LOAD(pd)       ((pd)->pd_state != KCF_PROV_BUSY ?   \
 116         kcf_get_refcnt(pd, B_FALSE) : (pd)->pd_taskq->tq_nalloc)
 117 
 118 
 119 /*
 120  * The following two macros should be
 121  * #define KCF_OPS_CLASSSIZE (KCF_LAST_OPSCLASS - KCF_FIRST_OPSCLASS + 2)
 122  * #define KCF_MAXMECHTAB KCF_MAXCIPHER
 123  *
 124  * However, doing that would involve reorganizing the header file a bit.
 125  * When impl.h is broken up (bug# 4703218), this will be done. For now,
 126  * we hardcode these values.
 127  */
 128 #define KCF_OPS_CLASSSIZE       8
 129 #define KCF_MAXMECHTAB          32
 130 
 131 /*
 132  * Valid values for the state of a provider. The order of
 133  * the elements is important.
 134  *
 135  * Routines which get a provider or the list of providers
 136  * should pick only those that are either in KCF_PROV_READY state
 137  * or in KCF_PROV_BUSY state.
 138  */
 139 typedef enum {
 140         KCF_PROV_ALLOCATED = 1,
 141         KCF_PROV_UNVERIFIED,
 142         KCF_PROV_UNVERIFIED_FIPS140,
 143         KCF_PROV_VERIFICATION_FAILED,
 144         /*
 145          * state < KCF_PROV_READY means the provider can not
 146          * be used at all.
 147          */
 148         KCF_PROV_READY,
 149         KCF_PROV_BUSY,
 150         /*
 151          * state > KCF_PROV_BUSY means the provider can not
 152          * be used for new requests.
 153          */
 154         KCF_PROV_FAILED,
 155         /*
 156          * Threads setting the following two states should do so only
 157          * if the current state < KCF_PROV_DISABLED.
 158          */
 159         KCF_PROV_DISABLED,
 160         KCF_PROV_UNREGISTERING,
 161         KCF_PROV_UNREGISTERED
 162 } kcf_prov_state_t;
 163 
 164 #define KCF_IS_PROV_UNVERIFIED(pd) ((pd)->pd_state == KCF_PROV_UNVERIFIED)
 165 #define KCF_IS_PROV_USABLE(pd) ((pd)->pd_state == KCF_PROV_READY || \
 166         (pd)->pd_state == KCF_PROV_BUSY)
 167 #define KCF_IS_PROV_REMOVED(pd) ((pd)->pd_state >= KCF_PROV_UNREGISTERING)
 168 
 169 /* Internal flags valid for pd_flags field */
 170 #define KCF_LPROV_MEMBER        0x80000000 /* is member of a logical provider */
 171 
 172 /*
 173  * A provider descriptor structure. There is one such structure per
 174  * provider. It is allocated and initialized at registration time and
 175  * freed when the provider unregisters.
 176  *
 177  * pd_prov_type:        Provider type, hardware or software
 178  * pd_sid:              Session ID of the provider used by kernel clients.
 179  *                      This is valid only for session-oriented providers.
 180  * pd_taskq:            taskq used to dispatch crypto requests
 181  * pd_nbins:            number of bins in pd_percpu_bins
 182  * pd_percpu_bins:      Pointer to an array of per-CPU structures
 183  *                      containing a lock, a cv and various counters.
 184  * pd_lock:             lock protects pd_state and pd_provider_list
 185  * pd_state:            State value of the provider
 186  * pd_provider_list:    Used to cross-reference logical providers and their
 187  *                      members. Not used for software providers.
 188  * pd_resume_cv:        cv to wait for state to change from KCF_PROV_BUSY
 189  * pd_prov_handle:      Provider handle specified by provider
 190  * pd_ops_vector:       The ops vector specified by Provider
 191  * pd_mech_indx:        Lookup table which maps a core framework mechanism
 192  *                      number to an index in pd_mechanisms array
 193  * pd_mechanisms:       Array of mechanisms supported by the provider, specified
 194  *                      by the provider during registration
 195  * pd_mech_list_count:  The number of entries in pi_mechanisms, specified
 196  *                      by the provider during registration
 197  * pd_name:             Device name or module name
 198  * pd_instance:         Device instance
 199  * pd_module_id:        Module ID returned by modload
 200  * pd_mctlp:            Pointer to modctl structure for this provider
 201  * pd_description:      Provider description string
 202  * pd_flags:            bitwise OR of pi_flags from crypto_provider_info_t
 203  *                      and other internal flags defined above.
 204  * pd_hash_limit:       Maximum data size that hash mechanisms of this provider
 205  *                      can support.
 206  * pd_hmac_limit:       Maximum data size that HMAC mechanisms of this provider
 207  *                      can support.
 208  * pd_kcf_prov_handle:  KCF-private handle assigned by KCF
 209  * pd_prov_id:          Identification # assigned by KCF to provider
 210  * pd_kstat:            kstat associated with the provider
 211  * pd_ks_data:          kstat data
 212  */
 213 typedef struct kcf_provider_desc {
 214         crypto_provider_type_t          pd_prov_type;
 215         crypto_session_id_t             pd_sid;
 216         taskq_t                         *pd_taskq;
 217         uint_t                          pd_nbins;
 218         kcf_prov_cpu_t                  *pd_percpu_bins;
 219         kmutex_t                        pd_lock;
 220         kcf_prov_state_t                pd_state;
 221         struct kcf_provider_list        *pd_provider_list;
 222         kcondvar_t                      pd_resume_cv;
 223         crypto_provider_handle_t        pd_prov_handle;
 224         crypto_ops_t                    *pd_ops_vector;
 225         ushort_t                        pd_mech_indx[KCF_OPS_CLASSSIZE]\
 226                                             [KCF_MAXMECHTAB];
 227         crypto_mech_info_t              *pd_mechanisms;
 228         uint_t                          pd_mech_list_count;
 229         char                            *pd_name;
 230         uint_t                          pd_instance;
 231         int                             pd_module_id;
 232         struct modctl                   *pd_mctlp;
 233         char                            *pd_description;
 234         uint_t                          pd_flags;
 235         uint_t                          pd_hash_limit;
 236         uint_t                          pd_hmac_limit;
 237         crypto_kcf_provider_handle_t    pd_kcf_prov_handle;
 238         crypto_provider_id_t            pd_prov_id;
 239         kstat_t                         *pd_kstat;
 240         kcf_prov_stats_t                pd_ks_data;
 241 } kcf_provider_desc_t;
 242 
 243 /* useful for making a list of providers */
 244 typedef struct kcf_provider_list {
 245         struct kcf_provider_list *pl_next;
 246         struct kcf_provider_desc *pl_provider;
 247 } kcf_provider_list_t;
 248 
 249 /*
 250  * If a component has a reference to a kcf_provider_desc_t,
 251  * it REFHOLD()s. A new provider descriptor which is referenced only
 252  * by the providers table has a reference counter of one.
 253  */
 254 #define KCF_PROV_REFHOLD(desc) {                        \
 255         kcf_prov_cpu_t  *mp;                            \
 256                                                         \
 257         mp = &((desc)->pd_percpu_bins[CPU_SEQID]);       \
 258         mutex_enter(&mp->kp_lock);                       \
 259         mp->kp_holdcnt++;                            \
 260         mutex_exit(&mp->kp_lock);                        \
 261 }
 262 
 263 #define KCF_PROV_REFRELE(desc) {                        \
 264         kcf_prov_cpu_t  *mp;                            \
 265                                                         \
 266         mp = &((desc)->pd_percpu_bins[CPU_SEQID]);       \
 267         mutex_enter(&mp->kp_lock);                       \
 268         mp->kp_holdcnt--;                            \
 269         mutex_exit(&mp->kp_lock);                        \
 270 }
 271 
 272 #define KCF_PROV_REFHELD(desc)  (kcf_get_refcnt(desc, B_TRUE) >= 1)
 273 
 274 /*
 275  * The JOB macros are used only for a hardware provider.
 276  * Hardware providers can have holds that stay forever.
 277  * So, the job counter is used to check if it is safe to
 278  * unregister a provider.
 279  */
 280 #define KCF_PROV_JOB_HOLD(mp) {                 \
 281         mutex_enter(&(mp)->kp_lock);             \
 282         (mp)->kp_jobcnt++;                   \
 283         mutex_exit(&(mp)->kp_lock);              \
 284 }
 285 
 286 #define KCF_PROV_JOB_RELE(mp) {                 \
 287         mutex_enter(&(mp)->kp_lock);             \
 288         (mp)->kp_jobcnt--;                   \
 289         if ((mp)->kp_jobcnt == 0)            \
 290                 cv_signal(&(mp)->kp_cv); \
 291         mutex_exit(&(mp)->kp_lock);              \
 292 }
 293 
 294 #define KCF_PROV_JOB_RELE_STAT(mp, doincr) {    \
 295         if (doincr)                             \
 296                 (mp)->kp_nfails++;           \
 297         KCF_PROV_JOB_RELE(mp);                  \
 298 }
 299 
 300 #define KCF_PROV_INCRSTATS(pd, error)   {                               \
 301         kcf_prov_cpu_t  *mp;                                            \
 302                                                                         \
 303         mp = &((pd)->pd_percpu_bins[CPU_SEQID]);                 \
 304         mp->kp_ndispatches++;                                                \
 305         if ((error) == CRYPTO_BUSY)                                     \
 306                 mp->kp_nbusy_rval++;                                 \
 307         else if ((error) != CRYPTO_SUCCESS && (error) != CRYPTO_QUEUED) \
 308                 mp->kp_nfails++;                                     \
 309 }
 310 
 311 /* list of crypto_mech_info_t valid as the second mech in a dual operation */
 312 
 313 typedef struct crypto_mech_info_list {
 314         struct crypto_mech_info_list    *ml_next;
 315         crypto_mech_type_t              ml_kcf_mechid;  /* KCF's id */
 316         crypto_mech_info_t              ml_mech_info;
 317 } crypto_mech_info_list_t;
 318 
 319 /*
 320  * An element in a mechanism provider descriptors chain.
 321  * The kcf_prov_mech_desc_t is duplicated in every chain the provider belongs
 322  * to. This is a small tradeoff memory vs mutex spinning time to access the
 323  * common provider field.
 324  */
 325 
 326 typedef struct kcf_prov_mech_desc {
 327         struct kcf_mech_entry           *pm_me;         /* Back to the head */
 328         struct kcf_prov_mech_desc       *pm_next;       /* Next in the chain */
 329         crypto_mech_info_t              pm_mech_info;   /* Provider mech info */
 330         crypto_mech_info_list_t         *pm_mi_list;    /* list for duals */
 331         kcf_provider_desc_t             *pm_prov_desc;  /* Common desc. */
 332 } kcf_prov_mech_desc_t;
 333 
 334 /* and the notation shortcuts ... */
 335 #define pm_provider_type        pm_prov_desc.pd_provider_type
 336 #define pm_provider_handle      pm_prov_desc.pd_provider_handle
 337 #define pm_ops_vector           pm_prov_desc.pd_ops_vector
 338 
 339 extern kcf_lock_withpad_t *me_mutexes;
 340 
 341 #define KCF_CPU_PAD (128 - sizeof (crypto_mech_name_t) - \
 342     sizeof (crypto_mech_type_t) - \
 343     2 * sizeof (kcf_prov_mech_desc_t *) - \
 344     sizeof (int) - sizeof (uint32_t) - sizeof (size_t))
 345 
 346 /*
 347  * A mechanism entry in an xxx_mech_tab[]. KCF_CPU_PAD needs
 348  * to be adjusted if this structure is changed.
 349  */
 350 typedef struct kcf_mech_entry {
 351         crypto_mech_name_t      me_name;        /* mechanism name */
 352         crypto_mech_type_t      me_mechid;      /* Internal id for mechanism */
 353         kcf_prov_mech_desc_t    *me_hw_prov_chain;  /* list of HW providers */
 354         kcf_prov_mech_desc_t    *me_sw_prov;    /* SW provider */
 355         /*
 356          * Number of HW providers in the chain. There is only one
 357          * SW provider. So, we need only a count of HW providers.
 358          */
 359         int                     me_num_hwprov;
 360         /*
 361          * When a SW provider is present, this is the generation number that
 362          * ensures no objects from old SW providers are used in the new one
 363          */
 364         uint32_t                me_gen_swprov;
 365         /*
 366          *  threshold for using hardware providers for this mech
 367          */
 368         size_t                  me_threshold;
 369         uint8_t                 me_pad[KCF_CPU_PAD];
 370 } kcf_mech_entry_t;
 371 
 372 /*
 373  * A policy descriptor structure. It is allocated and initialized
 374  * when administrative ioctls load disabled mechanisms.
 375  *
 376  * pd_prov_type:        Provider type, hardware or software
 377  * pd_name:             Device name or module name.
 378  * pd_instance:         Device instance.
 379  * pd_refcnt:           Reference counter for this policy descriptor
 380  * pd_mutex:            Protects array and count of disabled mechanisms.
 381  * pd_disabled_count:   Count of disabled mechanisms.
 382  * pd_disabled_mechs:   Array of disabled mechanisms.
 383  */
 384 typedef struct kcf_policy_desc {
 385         crypto_provider_type_t  pd_prov_type;
 386         char                    *pd_name;
 387         uint_t                  pd_instance;
 388         uint_t                  pd_refcnt;
 389         kmutex_t                pd_mutex;
 390         uint_t                  pd_disabled_count;
 391         crypto_mech_name_t      *pd_disabled_mechs;
 392 } kcf_policy_desc_t;
 393 
 394 /*
 395  * If a component has a reference to a kcf_policy_desc_t,
 396  * it REFHOLD()s. A new policy descriptor which is referenced only
 397  * by the policy table has a reference count of one.
 398  */
 399 #define KCF_POLICY_REFHOLD(desc) {              \
 400         atomic_inc_32(&(desc)->pd_refcnt);       \
 401         ASSERT((desc)->pd_refcnt != 0);              \
 402 }
 403 
 404 /*
 405  * Releases a reference to a policy descriptor. When the last
 406  * reference is released, the descriptor is freed.
 407  */
 408 #define KCF_POLICY_REFRELE(desc) {                              \
 409         ASSERT((desc)->pd_refcnt != 0);                              \
 410         membar_exit();                                          \
 411         if (atomic_dec_32_nv(&(desc)->pd_refcnt) == 0)   \
 412                 kcf_policy_free_desc(desc);                     \
 413 }
 414 
 415 /*
 416  * This entry stores the name of a software module and its
 417  * mechanisms.  The mechanisms are 'hints' that are used to
 418  * trigger loading of the module.
 419  */
 420 typedef struct kcf_soft_conf_entry {
 421         struct kcf_soft_conf_entry      *ce_next;
 422         char                            *ce_name;
 423         crypto_mech_name_t              *ce_mechs;
 424         uint_t                          ce_count;
 425 } kcf_soft_conf_entry_t;
 426 
 427 extern kmutex_t soft_config_mutex;
 428 extern kcf_soft_conf_entry_t *soft_config_list;
 429 
 430 /*
 431  * Global tables. The sizes are from the predefined PKCS#11 v2.20 mechanisms,
 432  * with a margin of few extra empty entry points
 433  */
 434 
 435 #define KCF_MAXDIGEST           16      /* Digests */
 436 #define KCF_MAXCIPHER           64      /* Ciphers */
 437 #define KCF_MAXMAC              40      /* Message authentication codes */
 438 #define KCF_MAXSIGN             24      /* Sign/Verify */
 439 #define KCF_MAXKEYOPS           116     /* Key generation and derivation */
 440 #define KCF_MAXMISC             16      /* Others ... */
 441 
 442 #define KCF_MAXMECHS            KCF_MAXDIGEST + KCF_MAXCIPHER + KCF_MAXMAC + \
 443                                 KCF_MAXSIGN + KCF_MAXKEYOPS + \
 444                                 KCF_MAXMISC
 445 
 446 extern kcf_mech_entry_t kcf_digest_mechs_tab[];
 447 extern kcf_mech_entry_t kcf_cipher_mechs_tab[];
 448 extern kcf_mech_entry_t kcf_mac_mechs_tab[];
 449 extern kcf_mech_entry_t kcf_sign_mechs_tab[];
 450 extern kcf_mech_entry_t kcf_keyops_mechs_tab[];
 451 extern kcf_mech_entry_t kcf_misc_mechs_tab[];
 452 
 453 extern kmutex_t kcf_mech_tabs_lock;
 454 
 455 typedef enum {
 456         KCF_DIGEST_CLASS = 1,
 457         KCF_CIPHER_CLASS,
 458         KCF_MAC_CLASS,
 459         KCF_SIGN_CLASS,
 460         KCF_KEYOPS_CLASS,
 461         KCF_MISC_CLASS
 462 } kcf_ops_class_t;
 463 
 464 #define KCF_FIRST_OPSCLASS      KCF_DIGEST_CLASS
 465 #define KCF_LAST_OPSCLASS       KCF_MISC_CLASS
 466 
 467 /* The table of all the kcf_xxx_mech_tab[]s, indexed by kcf_ops_class */
 468 
 469 typedef struct kcf_mech_entry_tab {
 470         int                     met_size;       /* Size of the met_tab[] */
 471         kcf_mech_entry_t        *met_tab;       /* the table             */
 472 } kcf_mech_entry_tab_t;
 473 
 474 extern kcf_mech_entry_tab_t kcf_mech_tabs_tab[];
 475 
 476 #define KCF_MECHID(class, index)                                \
 477         (((crypto_mech_type_t)(class) << 32) | (crypto_mech_type_t)(index))
 478 
 479 #define KCF_MECH2CLASS(mech_type) ((kcf_ops_class_t)((mech_type) >> 32))
 480 
 481 #define KCF_MECH2INDEX(mech_type) ((int)(mech_type))
 482 
 483 #define KCF_TO_PROV_MECH_INDX(pd, mech_type)                    \
 484         ((pd)->pd_mech_indx[KCF_MECH2CLASS(mech_type)]               \
 485         [KCF_MECH2INDEX(mech_type)])
 486 
 487 #define KCF_TO_PROV_MECHINFO(pd, mech_type)                     \
 488         ((pd)->pd_mechanisms[KCF_TO_PROV_MECH_INDX(pd, mech_type)])
 489 
 490 #define KCF_TO_PROV_MECHNUM(pd, mech_type)                      \
 491         (KCF_TO_PROV_MECHINFO(pd, mech_type).cm_mech_number)
 492 
 493 #define KCF_CAN_SHARE_OPSTATE(pd, mech_type)                    \
 494         ((KCF_TO_PROV_MECHINFO(pd, mech_type).cm_mech_flags) &      \
 495         CRYPTO_CAN_SHARE_OPSTATE)
 496 
 497 /* ps_refcnt is protected by cm_lock in the crypto_minor structure */
 498 typedef struct crypto_provider_session {
 499         struct crypto_provider_session *ps_next;
 500         crypto_session_id_t             ps_session;
 501         kcf_provider_desc_t             *ps_provider;
 502         kcf_provider_desc_t             *ps_real_provider;
 503         uint_t                          ps_refcnt;
 504 } crypto_provider_session_t;
 505 
 506 typedef struct crypto_session_data {
 507         kmutex_t                        sd_lock;
 508         kcondvar_t                      sd_cv;
 509         uint32_t                        sd_flags;
 510         int                             sd_pre_approved_amount;
 511         crypto_ctx_t                    *sd_digest_ctx;
 512         crypto_ctx_t                    *sd_encr_ctx;
 513         crypto_ctx_t                    *sd_decr_ctx;
 514         crypto_ctx_t                    *sd_sign_ctx;
 515         crypto_ctx_t                    *sd_verify_ctx;
 516         crypto_ctx_t                    *sd_sign_recover_ctx;
 517         crypto_ctx_t                    *sd_verify_recover_ctx;
 518         kcf_provider_desc_t             *sd_provider;
 519         void                            *sd_find_init_cookie;
 520         crypto_provider_session_t       *sd_provider_session;
 521 } crypto_session_data_t;
 522 
 523 #define CRYPTO_SESSION_IN_USE           0x00000001
 524 #define CRYPTO_SESSION_IS_BUSY          0x00000002
 525 #define CRYPTO_SESSION_IS_CLOSED        0x00000004
 526 
 527 #define KCF_MAX_PIN_LEN                 1024
 528 
 529 /*
 530  * Per-minor info.
 531  *
 532  * cm_lock protects everything in this structure except for cm_refcnt.
 533  */
 534 typedef struct crypto_minor {
 535         uint_t                          cm_refcnt;
 536         kmutex_t                        cm_lock;
 537         kcondvar_t                      cm_cv;
 538         crypto_session_data_t           **cm_session_table;
 539         uint_t                          cm_session_table_count;
 540         kcf_provider_desc_t             **cm_provider_array;
 541         uint_t                          cm_provider_count;
 542         crypto_provider_session_t       *cm_provider_session;
 543 } crypto_minor_t;
 544 
 545 /* resource control framework handle used by /dev/crypto */
 546 extern rctl_hndl_t rc_project_crypto_mem;
 547 /*
 548  * Return codes for internal functions
 549  */
 550 #define KCF_SUCCESS             0x0     /* Successful call */
 551 #define KCF_INVALID_MECH_NUMBER 0x1     /* invalid mechanism number */
 552 #define KCF_INVALID_MECH_NAME   0x2     /* invalid mechanism name */
 553 #define KCF_INVALID_MECH_CLASS  0x3     /* invalid mechanism class */
 554 #define KCF_MECH_TAB_FULL       0x4     /* Need more room in the mech tabs. */
 555 #define KCF_INVALID_INDX        ((ushort_t)-1)
 556 
 557 /*
 558  * kCF internal mechanism and function group for tracking RNG providers.
 559  */
 560 #define SUN_RANDOM              "random"
 561 #define CRYPTO_FG_RANDOM        0x80000000      /* generate_random() */
 562 
 563 /*
 564  * Wrappers for ops vectors. In the wrapper definitions below, the pd
 565  * argument always corresponds to a pointer to a provider descriptor
 566  * of type kcf_prov_desc_t.
 567  */
 568 
 569 #define KCF_PROV_CONTROL_OPS(pd)        ((pd)->pd_ops_vector->co_control_ops)
 570 #define KCF_PROV_CTX_OPS(pd)            ((pd)->pd_ops_vector->co_ctx_ops)
 571 #define KCF_PROV_DIGEST_OPS(pd)         ((pd)->pd_ops_vector->co_digest_ops)
 572 #define KCF_PROV_CIPHER_OPS(pd)         ((pd)->pd_ops_vector->co_cipher_ops)
 573 #define KCF_PROV_MAC_OPS(pd)            ((pd)->pd_ops_vector->co_mac_ops)
 574 #define KCF_PROV_SIGN_OPS(pd)           ((pd)->pd_ops_vector->co_sign_ops)
 575 #define KCF_PROV_VERIFY_OPS(pd)         ((pd)->pd_ops_vector->co_verify_ops)
 576 #define KCF_PROV_DUAL_OPS(pd)           ((pd)->pd_ops_vector->co_dual_ops)
 577 #define KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) \
 578         ((pd)->pd_ops_vector->co_dual_cipher_mac_ops)
 579 #define KCF_PROV_RANDOM_OPS(pd)         ((pd)->pd_ops_vector->co_random_ops)
 580 #define KCF_PROV_SESSION_OPS(pd)        ((pd)->pd_ops_vector->co_session_ops)
 581 #define KCF_PROV_OBJECT_OPS(pd)         ((pd)->pd_ops_vector->co_object_ops)
 582 #define KCF_PROV_KEY_OPS(pd)            ((pd)->pd_ops_vector->co_key_ops)
 583 #define KCF_PROV_PROVIDER_OPS(pd)       ((pd)->pd_ops_vector->co_provider_ops)
 584 #define KCF_PROV_MECH_OPS(pd)           ((pd)->pd_ops_vector->co_mech_ops)
 585 #define KCF_PROV_NOSTORE_KEY_OPS(pd)    \
 586         ((pd)->pd_ops_vector->co_nostore_key_ops)
 587 #define KCF_PROV_FIPS140_OPS(pd)        ((pd)->pd_ops_vector->co_fips140_ops)
 588 #define KCF_PROV_PROVMGMT_OPS(pd)       ((pd)->pd_ops_vector->co_provider_ops)
 589 
 590 /*
 591  * Wrappers for crypto_control_ops(9S) entry points.
 592  */
 593 
 594 #define KCF_PROV_STATUS(pd, status) ( \
 595         (KCF_PROV_CONTROL_OPS(pd) && \
 596         KCF_PROV_CONTROL_OPS(pd)->provider_status) ? \
 597         KCF_PROV_CONTROL_OPS(pd)->provider_status( \
 598             (pd)->pd_prov_handle, status) : \
 599         CRYPTO_NOT_SUPPORTED)
 600 
 601 /*
 602  * Wrappers for crypto_ctx_ops(9S) entry points.
 603  */
 604 
 605 #define KCF_PROV_CREATE_CTX_TEMPLATE(pd, mech, key, template, size, req) ( \
 606         (KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->create_ctx_template) ? \
 607         KCF_PROV_CTX_OPS(pd)->create_ctx_template( \
 608             (pd)->pd_prov_handle, mech, key, template, size, req) : \
 609         CRYPTO_NOT_SUPPORTED)
 610 
 611 #define KCF_PROV_FREE_CONTEXT(pd, ctx) ( \
 612         (KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->free_context) ? \
 613         KCF_PROV_CTX_OPS(pd)->free_context(ctx) : CRYPTO_NOT_SUPPORTED)
 614 
 615 #define KCF_PROV_COPYIN_MECH(pd, umech, kmech, errorp, mode) ( \
 616         (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->copyin_mechanism) ? \
 617         KCF_PROV_MECH_OPS(pd)->copyin_mechanism( \
 618             (pd)->pd_prov_handle, umech, kmech, errorp, mode) : \
 619         CRYPTO_NOT_SUPPORTED)
 620 
 621 #define KCF_PROV_COPYOUT_MECH(pd, kmech, umech, errorp, mode) ( \
 622         (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->copyout_mechanism) ? \
 623         KCF_PROV_MECH_OPS(pd)->copyout_mechanism( \
 624             (pd)->pd_prov_handle, kmech, umech, errorp, mode) : \
 625         CRYPTO_NOT_SUPPORTED)
 626 
 627 #define KCF_PROV_FREE_MECH(pd, prov_mech) ( \
 628         (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->free_mechanism) ? \
 629         KCF_PROV_MECH_OPS(pd)->free_mechanism( \
 630             (pd)->pd_prov_handle, prov_mech) : CRYPTO_NOT_SUPPORTED)
 631 
 632 /*
 633  * Wrappers for crypto_digest_ops(9S) entry points.
 634  */
 635 
 636 #define KCF_PROV_DIGEST_INIT(pd, ctx, mech, req) ( \
 637         (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_init) ? \
 638         KCF_PROV_DIGEST_OPS(pd)->digest_init(ctx, mech, req) : \
 639         CRYPTO_NOT_SUPPORTED)
 640 
 641 /*
 642  * The _ (underscore) in _digest is needed to avoid replacing the
 643  * function digest().
 644  */
 645 #define KCF_PROV_DIGEST(pd, ctx, data, _digest, req) ( \
 646         (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest) ? \
 647         KCF_PROV_DIGEST_OPS(pd)->digest(ctx, data, _digest, req) : \
 648         CRYPTO_NOT_SUPPORTED)
 649 
 650 #define KCF_PROV_DIGEST_UPDATE(pd, ctx, data, req) ( \
 651         (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_update) ? \
 652         KCF_PROV_DIGEST_OPS(pd)->digest_update(ctx, data, req) : \
 653         CRYPTO_NOT_SUPPORTED)
 654 
 655 #define KCF_PROV_DIGEST_KEY(pd, ctx, key, req) ( \
 656         (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_key) ? \
 657         KCF_PROV_DIGEST_OPS(pd)->digest_key(ctx, key, req) : \
 658         CRYPTO_NOT_SUPPORTED)
 659 
 660 #define KCF_PROV_DIGEST_FINAL(pd, ctx, digest, req) ( \
 661         (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_final) ? \
 662         KCF_PROV_DIGEST_OPS(pd)->digest_final(ctx, digest, req) : \
 663         CRYPTO_NOT_SUPPORTED)
 664 
 665 #define KCF_PROV_DIGEST_ATOMIC(pd, session, mech, data, digest, req) ( \
 666         (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_atomic) ? \
 667         KCF_PROV_DIGEST_OPS(pd)->digest_atomic( \
 668             (pd)->pd_prov_handle, session, mech, data, digest, req) : \
 669         CRYPTO_NOT_SUPPORTED)
 670 
 671 /*
 672  * Wrappers for crypto_cipher_ops(9S) entry points.
 673  */
 674 
 675 #define KCF_PROV_ENCRYPT_INIT(pd, ctx, mech, key, template, req) ( \
 676         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_init) ? \
 677         KCF_PROV_CIPHER_OPS(pd)->encrypt_init(ctx, mech, key, template, \
 678             req) : \
 679         CRYPTO_NOT_SUPPORTED)
 680 
 681 #define KCF_PROV_ENCRYPT(pd, ctx, plaintext, ciphertext, req) ( \
 682         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt) ? \
 683         KCF_PROV_CIPHER_OPS(pd)->encrypt(ctx, plaintext, ciphertext, req) : \
 684         CRYPTO_NOT_SUPPORTED)
 685 
 686 #define KCF_PROV_ENCRYPT_UPDATE(pd, ctx, plaintext, ciphertext, req) ( \
 687         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_update) ? \
 688         KCF_PROV_CIPHER_OPS(pd)->encrypt_update(ctx, plaintext, \
 689             ciphertext, req) : \
 690         CRYPTO_NOT_SUPPORTED)
 691 
 692 #define KCF_PROV_ENCRYPT_FINAL(pd, ctx, ciphertext, req) ( \
 693         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_final) ? \
 694         KCF_PROV_CIPHER_OPS(pd)->encrypt_final(ctx, ciphertext, req) : \
 695         CRYPTO_NOT_SUPPORTED)
 696 
 697 #define KCF_PROV_ENCRYPT_ATOMIC(pd, session, mech, key, plaintext, ciphertext, \
 698             template, req) ( \
 699         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic) ? \
 700         KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic( \
 701             (pd)->pd_prov_handle, session, mech, key, plaintext, ciphertext, \
 702             template, req) : \
 703         CRYPTO_NOT_SUPPORTED)
 704 
 705 #define KCF_PROV_DECRYPT_INIT(pd, ctx, mech, key, template, req) ( \
 706         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_init) ? \
 707         KCF_PROV_CIPHER_OPS(pd)->decrypt_init(ctx, mech, key, template, \
 708             req) : \
 709         CRYPTO_NOT_SUPPORTED)
 710 
 711 #define KCF_PROV_DECRYPT(pd, ctx, ciphertext, plaintext, req) ( \
 712         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt) ? \
 713         KCF_PROV_CIPHER_OPS(pd)->decrypt(ctx, ciphertext, plaintext, req) : \
 714         CRYPTO_NOT_SUPPORTED)
 715 
 716 #define KCF_PROV_DECRYPT_UPDATE(pd, ctx, ciphertext, plaintext, req) ( \
 717         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_update) ? \
 718         KCF_PROV_CIPHER_OPS(pd)->decrypt_update(ctx, ciphertext, \
 719             plaintext, req) : \
 720         CRYPTO_NOT_SUPPORTED)
 721 
 722 #define KCF_PROV_DECRYPT_FINAL(pd, ctx, plaintext, req) ( \
 723         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_final) ? \
 724         KCF_PROV_CIPHER_OPS(pd)->decrypt_final(ctx, plaintext, req) : \
 725         CRYPTO_NOT_SUPPORTED)
 726 
 727 #define KCF_PROV_DECRYPT_ATOMIC(pd, session, mech, key, ciphertext, plaintext, \
 728             template, req) ( \
 729         (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic) ? \
 730         KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic( \
 731             (pd)->pd_prov_handle, session, mech, key, ciphertext, plaintext, \
 732             template, req) : \
 733         CRYPTO_NOT_SUPPORTED)
 734 
 735 /*
 736  * Wrappers for crypto_mac_ops(9S) entry points.
 737  */
 738 
 739 #define KCF_PROV_MAC_INIT(pd, ctx, mech, key, template, req) ( \
 740         (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_init) ? \
 741         KCF_PROV_MAC_OPS(pd)->mac_init(ctx, mech, key, template, req) \
 742         : CRYPTO_NOT_SUPPORTED)
 743 
 744 /*
 745  * The _ (underscore) in _mac is needed to avoid replacing the
 746  * function mac().
 747  */
 748 #define KCF_PROV_MAC(pd, ctx, data, _mac, req) ( \
 749         (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac) ? \
 750         KCF_PROV_MAC_OPS(pd)->mac(ctx, data, _mac, req) : \
 751         CRYPTO_NOT_SUPPORTED)
 752 
 753 #define KCF_PROV_MAC_UPDATE(pd, ctx, data, req) ( \
 754         (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_update) ? \
 755         KCF_PROV_MAC_OPS(pd)->mac_update(ctx, data, req) : \
 756         CRYPTO_NOT_SUPPORTED)
 757 
 758 #define KCF_PROV_MAC_FINAL(pd, ctx, mac, req) ( \
 759         (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_final) ? \
 760         KCF_PROV_MAC_OPS(pd)->mac_final(ctx, mac, req) : \
 761         CRYPTO_NOT_SUPPORTED)
 762 
 763 #define KCF_PROV_MAC_ATOMIC(pd, session, mech, key, data, mac, template, \
 764             req) ( \
 765         (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_atomic) ? \
 766         KCF_PROV_MAC_OPS(pd)->mac_atomic( \
 767             (pd)->pd_prov_handle, session, mech, key, data, mac, template, \
 768             req) : \
 769         CRYPTO_NOT_SUPPORTED)
 770 
 771 #define KCF_PROV_MAC_VERIFY_ATOMIC(pd, session, mech, key, data, mac, \
 772             template, req) ( \
 773         (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_verify_atomic) ? \
 774         KCF_PROV_MAC_OPS(pd)->mac_verify_atomic( \
 775             (pd)->pd_prov_handle, session, mech, key, data, mac, template, \
 776             req) : \
 777         CRYPTO_NOT_SUPPORTED)
 778 
 779 /*
 780  * Wrappers for crypto_sign_ops(9S) entry points.
 781  */
 782 
 783 #define KCF_PROV_SIGN_INIT(pd, ctx, mech, key, template, req) ( \
 784         (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_init) ? \
 785         KCF_PROV_SIGN_OPS(pd)->sign_init( \
 786             ctx, mech, key, template, req) : CRYPTO_NOT_SUPPORTED)
 787 
 788 #define KCF_PROV_SIGN(pd, ctx, data, sig, req) ( \
 789         (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign) ? \
 790         KCF_PROV_SIGN_OPS(pd)->sign(ctx, data, sig, req) : \
 791         CRYPTO_NOT_SUPPORTED)
 792 
 793 #define KCF_PROV_SIGN_UPDATE(pd, ctx, data, req) ( \
 794         (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_update) ? \
 795         KCF_PROV_SIGN_OPS(pd)->sign_update(ctx, data, req) : \
 796         CRYPTO_NOT_SUPPORTED)
 797 
 798 #define KCF_PROV_SIGN_FINAL(pd, ctx, sig, req) ( \
 799         (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_final) ? \
 800         KCF_PROV_SIGN_OPS(pd)->sign_final(ctx, sig, req) : \
 801         CRYPTO_NOT_SUPPORTED)
 802 
 803 #define KCF_PROV_SIGN_ATOMIC(pd, session, mech, key, data, template, \
 804             sig, req) ( \
 805         (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_atomic) ? \
 806         KCF_PROV_SIGN_OPS(pd)->sign_atomic( \
 807             (pd)->pd_prov_handle, session, mech, key, data, sig, template, \
 808             req) : CRYPTO_NOT_SUPPORTED)
 809 
 810 #define KCF_PROV_SIGN_RECOVER_INIT(pd, ctx, mech, key, template, \
 811             req) ( \
 812         (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_recover_init) ? \
 813         KCF_PROV_SIGN_OPS(pd)->sign_recover_init(ctx, mech, key, template, \
 814             req) : CRYPTO_NOT_SUPPORTED)
 815 
 816 #define KCF_PROV_SIGN_RECOVER(pd, ctx, data, sig, req) ( \
 817         (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_recover) ? \
 818         KCF_PROV_SIGN_OPS(pd)->sign_recover(ctx, data, sig, req) : \
 819         CRYPTO_NOT_SUPPORTED)
 820 
 821 #define KCF_PROV_SIGN_RECOVER_ATOMIC(pd, session, mech, key, data, template, \
 822             sig, req) ( \
 823         (KCF_PROV_SIGN_OPS(pd) && \
 824         KCF_PROV_SIGN_OPS(pd)->sign_recover_atomic) ? \
 825         KCF_PROV_SIGN_OPS(pd)->sign_recover_atomic( \
 826             (pd)->pd_prov_handle, session, mech, key, data, sig, template, \
 827             req) : CRYPTO_NOT_SUPPORTED)
 828 
 829 /*
 830  * Wrappers for crypto_verify_ops(9S) entry points.
 831  */
 832 
 833 #define KCF_PROV_VERIFY_INIT(pd, ctx, mech, key, template, req) ( \
 834         (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_init) ? \
 835         KCF_PROV_VERIFY_OPS(pd)->verify_init(ctx, mech, key, template, \
 836             req) : CRYPTO_NOT_SUPPORTED)
 837 
 838 #define KCF_PROV_VERIFY(pd, ctx, data, sig, req) ( \
 839         (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify) ? \
 840         KCF_PROV_VERIFY_OPS(pd)->verify(ctx, data, sig, req) : \
 841         CRYPTO_NOT_SUPPORTED)
 842 
 843 #define KCF_PROV_VERIFY_UPDATE(pd, ctx, data, req) ( \
 844         (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_update) ? \
 845         KCF_PROV_VERIFY_OPS(pd)->verify_update(ctx, data, req) : \
 846         CRYPTO_NOT_SUPPORTED)
 847 
 848 #define KCF_PROV_VERIFY_FINAL(pd, ctx, sig, req) ( \
 849         (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_final) ? \
 850         KCF_PROV_VERIFY_OPS(pd)->verify_final(ctx, sig, req) : \
 851         CRYPTO_NOT_SUPPORTED)
 852 
 853 #define KCF_PROV_VERIFY_ATOMIC(pd, session, mech, key, data, template, sig, \
 854             req) ( \
 855         (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_atomic) ? \
 856         KCF_PROV_VERIFY_OPS(pd)->verify_atomic( \
 857             (pd)->pd_prov_handle, session, mech, key, data, sig, template, \
 858             req) : CRYPTO_NOT_SUPPORTED)
 859 
 860 #define KCF_PROV_VERIFY_RECOVER_INIT(pd, ctx, mech, key, template, \
 861             req) ( \
 862         (KCF_PROV_VERIFY_OPS(pd) && \
 863         KCF_PROV_VERIFY_OPS(pd)->verify_recover_init) ? \
 864         KCF_PROV_VERIFY_OPS(pd)->verify_recover_init(ctx, mech, key, \
 865             template, req) : CRYPTO_NOT_SUPPORTED)
 866 
 867 /* verify_recover() CSPI routine has different argument order than verify() */
 868 #define KCF_PROV_VERIFY_RECOVER(pd, ctx, sig, data, req) ( \
 869         (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_recover) ? \
 870         KCF_PROV_VERIFY_OPS(pd)->verify_recover(ctx, sig, data, req) : \
 871         CRYPTO_NOT_SUPPORTED)
 872 
 873 /*
 874  * verify_recover_atomic() CSPI routine has different argument order
 875  * than verify_atomic().
 876  */
 877 #define KCF_PROV_VERIFY_RECOVER_ATOMIC(pd, session, mech, key, sig, \
 878             template, data,  req) ( \
 879         (KCF_PROV_VERIFY_OPS(pd) && \
 880         KCF_PROV_VERIFY_OPS(pd)->verify_recover_atomic) ? \
 881         KCF_PROV_VERIFY_OPS(pd)->verify_recover_atomic( \
 882             (pd)->pd_prov_handle, session, mech, key, sig, data, template, \
 883             req) : CRYPTO_NOT_SUPPORTED)
 884 
 885 /*
 886  * Wrappers for crypto_dual_ops(9S) entry points.
 887  */
 888 
 889 #define KCF_PROV_DIGEST_ENCRYPT_UPDATE(digest_ctx, encrypt_ctx, plaintext, \
 890             ciphertext, req) ( \
 891         (KCF_PROV_DUAL_OPS(pd) && \
 892         KCF_PROV_DUAL_OPS(pd)->digest_encrypt_update) ? \
 893         KCF_PROV_DUAL_OPS(pd)->digest_encrypt_update( \
 894             digest_ctx, encrypt_ctx, plaintext, ciphertext, req) : \
 895         CRYPTO_NOT_SUPPORTED)
 896 
 897 #define KCF_PROV_DECRYPT_DIGEST_UPDATE(decrypt_ctx, digest_ctx, ciphertext, \
 898             plaintext, req) ( \
 899         (KCF_PROV_DUAL_OPS(pd) && \
 900         KCF_PROV_DUAL_OPS(pd)->decrypt_digest_update) ? \
 901         KCF_PROV_DUAL_OPS(pd)->decrypt_digest_update( \
 902             decrypt_ctx, digest_ctx, ciphertext, plaintext, req) : \
 903         CRYPTO_NOT_SUPPORTED)
 904 
 905 #define KCF_PROV_SIGN_ENCRYPT_UPDATE(sign_ctx, encrypt_ctx, plaintext, \
 906             ciphertext, req) ( \
 907         (KCF_PROV_DUAL_OPS(pd) && \
 908         KCF_PROV_DUAL_OPS(pd)->sign_encrypt_update) ? \
 909         KCF_PROV_DUAL_OPS(pd)->sign_encrypt_update( \
 910             sign_ctx, encrypt_ctx, plaintext, ciphertext, req) : \
 911         CRYPTO_NOT_SUPPORTED)
 912 
 913 #define KCF_PROV_DECRYPT_VERIFY_UPDATE(decrypt_ctx, verify_ctx, ciphertext, \
 914             plaintext, req) ( \
 915         (KCF_PROV_DUAL_OPS(pd) && \
 916         KCF_PROV_DUAL_OPS(pd)->decrypt_verify_update) ? \
 917         KCF_PROV_DUAL_OPS(pd)->decrypt_verify_update( \
 918             decrypt_ctx, verify_ctx, ciphertext, plaintext, req) : \
 919         CRYPTO_NOT_SUPPORTED)
 920 
 921 /*
 922  * Wrappers for crypto_dual_cipher_mac_ops(9S) entry points.
 923  */
 924 
 925 #define KCF_PROV_ENCRYPT_MAC_INIT(pd, ctx, encr_mech, encr_key, mac_mech, \
 926             mac_key, encr_ctx_template, mac_ctx_template, req) ( \
 927         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 928         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_init) ? \
 929         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_init( \
 930             ctx, encr_mech, encr_key, mac_mech, mac_key, encr_ctx_template, \
 931             mac_ctx_template, req) : \
 932         CRYPTO_NOT_SUPPORTED)
 933 
 934 #define KCF_PROV_ENCRYPT_MAC(pd, ctx, plaintext, ciphertext, mac, req) ( \
 935         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 936         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac) ? \
 937         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac( \
 938             ctx, plaintext, ciphertext, mac, req) : \
 939         CRYPTO_NOT_SUPPORTED)
 940 
 941 #define KCF_PROV_ENCRYPT_MAC_UPDATE(pd, ctx, plaintext, ciphertext, req) ( \
 942         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 943         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_update) ? \
 944         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_update( \
 945             ctx, plaintext, ciphertext, req) : \
 946         CRYPTO_NOT_SUPPORTED)
 947 
 948 #define KCF_PROV_ENCRYPT_MAC_FINAL(pd, ctx, ciphertext, mac, req) ( \
 949         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 950         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_final) ? \
 951         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_final( \
 952             ctx, ciphertext, mac, req) : \
 953         CRYPTO_NOT_SUPPORTED)
 954 
 955 #define KCF_PROV_ENCRYPT_MAC_ATOMIC(pd, session, encr_mech, encr_key, \
 956             mac_mech, mac_key, plaintext, ciphertext, mac, \
 957             encr_ctx_template, mac_ctx_template, req) ( \
 958         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 959         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_atomic) ? \
 960         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_atomic( \
 961             (pd)->pd_prov_handle, session, encr_mech, encr_key, \
 962             mac_mech, mac_key, plaintext, ciphertext, mac, \
 963             encr_ctx_template, mac_ctx_template, req) : \
 964         CRYPTO_NOT_SUPPORTED)
 965 
 966 #define KCF_PROV_MAC_DECRYPT_INIT(pd, ctx, mac_mech, mac_key, decr_mech, \
 967             decr_key, mac_ctx_template, decr_ctx_template, req) ( \
 968         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 969         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_init) ? \
 970         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_init( \
 971             ctx, mac_mech, mac_key, decr_mech, decr_key, mac_ctx_template, \
 972             decr_ctx_template, req) : \
 973         CRYPTO_NOT_SUPPORTED)
 974 
 975 #define KCF_PROV_MAC_DECRYPT(pd, ctx, ciphertext, mac, plaintext, req) ( \
 976         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 977         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt) ? \
 978         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt( \
 979             ctx, ciphertext, mac, plaintext, req) : \
 980         CRYPTO_NOT_SUPPORTED)
 981 
 982 #define KCF_PROV_MAC_DECRYPT_UPDATE(pd, ctx, ciphertext, plaintext, req) ( \
 983         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 984         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_update) ? \
 985         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_update( \
 986             ctx, ciphertext, plaintext, req) : \
 987         CRYPTO_NOT_SUPPORTED)
 988 
 989 #define KCF_PROV_MAC_DECRYPT_FINAL(pd, ctx, mac, plaintext, req) ( \
 990         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
 991         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_final) ? \
 992         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_final( \
 993             ctx, mac, plaintext, req) : \
 994         CRYPTO_NOT_SUPPORTED)
 995 
 996 #define KCF_PROV_MAC_DECRYPT_ATOMIC(pd, session, mac_mech, mac_key, \
 997             decr_mech, decr_key, ciphertext, mac, plaintext, \
 998             mac_ctx_template, decr_ctx_template, req) ( \
 999         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
1000         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_atomic) ? \
1001         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_atomic( \
1002             (pd)->pd_prov_handle, session, mac_mech, mac_key, \
1003             decr_mech, decr_key, ciphertext, mac, plaintext, \
1004             mac_ctx_template, decr_ctx_template, req) : \
1005         CRYPTO_NOT_SUPPORTED)
1006 
1007 #define KCF_PROV_MAC_VERIFY_DECRYPT_ATOMIC(pd, session, mac_mech, mac_key, \
1008             decr_mech, decr_key, ciphertext, mac, plaintext, \
1009             mac_ctx_template, decr_ctx_template, req) ( \
1010         (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
1011         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_verify_decrypt_atomic \
1012             != NULL) ? \
1013         KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_verify_decrypt_atomic( \
1014             (pd)->pd_prov_handle, session, mac_mech, mac_key, \
1015             decr_mech, decr_key, ciphertext, mac, plaintext, \
1016             mac_ctx_template, decr_ctx_template, req) : \
1017         CRYPTO_NOT_SUPPORTED)
1018 
1019 /*
1020  * Wrappers for crypto_random_number_ops(9S) entry points.
1021  */
1022 
1023 #define KCF_PROV_SEED_RANDOM(pd, session, buf, len, est, flags, req) ( \
1024         (KCF_PROV_RANDOM_OPS(pd) && KCF_PROV_RANDOM_OPS(pd)->seed_random) ? \
1025         KCF_PROV_RANDOM_OPS(pd)->seed_random((pd)->pd_prov_handle, \
1026             session, buf, len, est, flags, req) : CRYPTO_NOT_SUPPORTED)
1027 
1028 #define KCF_PROV_GENERATE_RANDOM(pd, session, buf, len, req) ( \
1029         (KCF_PROV_RANDOM_OPS(pd) && \
1030         KCF_PROV_RANDOM_OPS(pd)->generate_random) ? \
1031         KCF_PROV_RANDOM_OPS(pd)->generate_random((pd)->pd_prov_handle, \
1032             session, buf, len, req) : CRYPTO_NOT_SUPPORTED)
1033 
1034 /*
1035  * Wrappers for crypto_session_ops(9S) entry points.
1036  *
1037  * ops_pd is the provider descriptor that supplies the ops_vector.
1038  * pd is the descriptor that supplies the provider handle.
1039  * Only session open/close needs two handles.
1040  */
1041 
1042 #define KCF_PROV_SESSION_OPEN(ops_pd, session, req, pd) ( \
1043         (KCF_PROV_SESSION_OPS(ops_pd) && \
1044         KCF_PROV_SESSION_OPS(ops_pd)->session_open) ? \
1045         KCF_PROV_SESSION_OPS(ops_pd)->session_open((pd)->pd_prov_handle, \
1046             session, req) : CRYPTO_NOT_SUPPORTED)
1047 
1048 #define KCF_PROV_SESSION_CLOSE(ops_pd, session, req, pd) ( \
1049         (KCF_PROV_SESSION_OPS(ops_pd) && \
1050         KCF_PROV_SESSION_OPS(ops_pd)->session_close) ? \
1051         KCF_PROV_SESSION_OPS(ops_pd)->session_close((pd)->pd_prov_handle, \
1052             session, req) : CRYPTO_NOT_SUPPORTED)
1053 
1054 #define KCF_PROV_SESSION_LOGIN(pd, session, user_type, pin, len, req) ( \
1055         (KCF_PROV_SESSION_OPS(pd) && \
1056         KCF_PROV_SESSION_OPS(pd)->session_login) ? \
1057         KCF_PROV_SESSION_OPS(pd)->session_login((pd)->pd_prov_handle, \
1058             session, user_type, pin, len, req) : CRYPTO_NOT_SUPPORTED)
1059 
1060 #define KCF_PROV_SESSION_LOGOUT(pd, session, req) ( \
1061         (KCF_PROV_SESSION_OPS(pd) && \
1062         KCF_PROV_SESSION_OPS(pd)->session_logout) ? \
1063         KCF_PROV_SESSION_OPS(pd)->session_logout((pd)->pd_prov_handle, \
1064             session, req) : CRYPTO_NOT_SUPPORTED)
1065 
1066 /*
1067  * Wrappers for crypto_object_ops(9S) entry points.
1068  */
1069 
1070 #define KCF_PROV_OBJECT_CREATE(pd, session, template, count, object, req) ( \
1071         (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_create) ? \
1072         KCF_PROV_OBJECT_OPS(pd)->object_create((pd)->pd_prov_handle, \
1073             session, template, count, object, req) : CRYPTO_NOT_SUPPORTED)
1074 
1075 #define KCF_PROV_OBJECT_COPY(pd, session, object, template, count, \
1076             new_object, req) ( \
1077         (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_copy) ? \
1078         KCF_PROV_OBJECT_OPS(pd)->object_copy((pd)->pd_prov_handle, \
1079         session, object, template, count, new_object, req) : \
1080             CRYPTO_NOT_SUPPORTED)
1081 
1082 #define KCF_PROV_OBJECT_DESTROY(pd, session, object, req) ( \
1083         (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_destroy) ? \
1084         KCF_PROV_OBJECT_OPS(pd)->object_destroy((pd)->pd_prov_handle, \
1085             session, object, req) : CRYPTO_NOT_SUPPORTED)
1086 
1087 #define KCF_PROV_OBJECT_GET_SIZE(pd, session, object, size, req) ( \
1088         (KCF_PROV_OBJECT_OPS(pd) && \
1089         KCF_PROV_OBJECT_OPS(pd)->object_get_size) ? \
1090         KCF_PROV_OBJECT_OPS(pd)->object_get_size((pd)->pd_prov_handle, \
1091             session, object, size, req) : CRYPTO_NOT_SUPPORTED)
1092 
1093 #define KCF_PROV_OBJECT_GET_ATTRIBUTE_VALUE(pd, session, object, template, \
1094             count, req) ( \
1095         (KCF_PROV_OBJECT_OPS(pd) && \
1096         KCF_PROV_OBJECT_OPS(pd)->object_get_attribute_value) ? \
1097         KCF_PROV_OBJECT_OPS(pd)->object_get_attribute_value( \
1098         (pd)->pd_prov_handle, session, object, template, count, req) : \
1099             CRYPTO_NOT_SUPPORTED)
1100 
1101 #define KCF_PROV_OBJECT_SET_ATTRIBUTE_VALUE(pd, session, object, template, \
1102             count, req) ( \
1103         (KCF_PROV_OBJECT_OPS(pd) && \
1104         KCF_PROV_OBJECT_OPS(pd)->object_set_attribute_value) ? \
1105         KCF_PROV_OBJECT_OPS(pd)->object_set_attribute_value( \
1106         (pd)->pd_prov_handle, session, object, template, count, req) : \
1107             CRYPTO_NOT_SUPPORTED)
1108 
1109 #define KCF_PROV_OBJECT_FIND_INIT(pd, session, template, count, ppriv, \
1110             req) ( \
1111         (KCF_PROV_OBJECT_OPS(pd) && \
1112         KCF_PROV_OBJECT_OPS(pd)->object_find_init) ? \
1113         KCF_PROV_OBJECT_OPS(pd)->object_find_init((pd)->pd_prov_handle, \
1114         session, template, count, ppriv, req) : CRYPTO_NOT_SUPPORTED)
1115 
1116 #define KCF_PROV_OBJECT_FIND(pd, ppriv, objects, max_objects, object_count, \
1117             req) ( \
1118         (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_find) ? \
1119         KCF_PROV_OBJECT_OPS(pd)->object_find( \
1120         (pd)->pd_prov_handle, ppriv, objects, max_objects, object_count, \
1121         req) : CRYPTO_NOT_SUPPORTED)
1122 
1123 #define KCF_PROV_OBJECT_FIND_FINAL(pd, ppriv, req) ( \
1124         (KCF_PROV_OBJECT_OPS(pd) && \
1125         KCF_PROV_OBJECT_OPS(pd)->object_find_final) ? \
1126         KCF_PROV_OBJECT_OPS(pd)->object_find_final( \
1127             (pd)->pd_prov_handle, ppriv, req) : CRYPTO_NOT_SUPPORTED)
1128 
1129 /*
1130  * Wrappers for crypto_key_ops(9S) entry points.
1131  */
1132 
1133 #define KCF_PROV_KEY_GENERATE(pd, session, mech, template, count, object, \
1134             req) ( \
1135         (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_generate) ? \
1136         KCF_PROV_KEY_OPS(pd)->key_generate((pd)->pd_prov_handle, \
1137             session, mech, template, count, object, req) : \
1138         CRYPTO_NOT_SUPPORTED)
1139 
1140 #define KCF_PROV_KEY_GENERATE_PAIR(pd, session, mech, pub_template, \
1141             pub_count, priv_template, priv_count, pub_key, priv_key, req) ( \
1142         (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_generate_pair) ? \
1143         KCF_PROV_KEY_OPS(pd)->key_generate_pair((pd)->pd_prov_handle, \
1144             session, mech, pub_template, pub_count, priv_template, \
1145             priv_count, pub_key, priv_key, req) : \
1146         CRYPTO_NOT_SUPPORTED)
1147 
1148 #define KCF_PROV_KEY_WRAP(pd, session, mech, wrapping_key, key, wrapped_key, \
1149             wrapped_key_len, req) ( \
1150         (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_wrap) ? \
1151         KCF_PROV_KEY_OPS(pd)->key_wrap((pd)->pd_prov_handle, \
1152             session, mech, wrapping_key, key, wrapped_key, wrapped_key_len, \
1153             req) : \
1154         CRYPTO_NOT_SUPPORTED)
1155 
1156 #define KCF_PROV_KEY_UNWRAP(pd, session, mech, unwrapping_key, wrapped_key, \
1157             wrapped_key_len, template, count, key, req) ( \
1158         (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_unwrap) ? \
1159         KCF_PROV_KEY_OPS(pd)->key_unwrap((pd)->pd_prov_handle, \
1160             session, mech, unwrapping_key, wrapped_key, wrapped_key_len, \
1161             template, count, key, req) : \
1162         CRYPTO_NOT_SUPPORTED)
1163 
1164 #define KCF_PROV_KEY_DERIVE(pd, session, mech, base_key, template, count, \
1165             key, req) ( \
1166         (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_derive) ? \
1167         KCF_PROV_KEY_OPS(pd)->key_derive((pd)->pd_prov_handle, \
1168             session, mech, base_key, template, count, key, req) : \
1169         CRYPTO_NOT_SUPPORTED)
1170 
1171 #define KCF_PROV_KEY_CHECK(pd, mech, key) ( \
1172         (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_check) ? \
1173         KCF_PROV_KEY_OPS(pd)->key_check((pd)->pd_prov_handle, mech, key) : \
1174         CRYPTO_NOT_SUPPORTED)
1175 
1176 /*
1177  * Wrappers for crypto_provider_management_ops(9S) entry points.
1178  *
1179  * ops_pd is the provider descriptor that supplies the ops_vector.
1180  * pd is the descriptor that supplies the provider handle.
1181  * Only ext_info needs two handles.
1182  */
1183 
1184 #define KCF_PROV_EXT_INFO(ops_pd, provext_info, req, pd) ( \
1185         (KCF_PROV_PROVIDER_OPS(ops_pd) && \
1186         KCF_PROV_PROVIDER_OPS(ops_pd)->ext_info) ? \
1187         KCF_PROV_PROVIDER_OPS(ops_pd)->ext_info((pd)->pd_prov_handle, \
1188             provext_info, req) : CRYPTO_NOT_SUPPORTED)
1189 
1190 #define KCF_PROV_INIT_TOKEN(pd, pin, pin_len, label, req) ( \
1191         (KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->init_token) ? \
1192         KCF_PROV_PROVIDER_OPS(pd)->init_token((pd)->pd_prov_handle, \
1193             pin, pin_len, label, req) : CRYPTO_NOT_SUPPORTED)
1194 
1195 #define KCF_PROV_INIT_PIN(pd, session, pin, pin_len, req) ( \
1196         (KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->init_pin) ? \
1197         KCF_PROV_PROVIDER_OPS(pd)->init_pin((pd)->pd_prov_handle, \
1198             session, pin, pin_len, req) : CRYPTO_NOT_SUPPORTED)
1199 
1200 #define KCF_PROV_SET_PIN(pd, session, old_pin, old_len, new_pin, new_len, \
1201             req) ( \
1202         (KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->set_pin) ? \
1203         KCF_PROV_PROVIDER_OPS(pd)->set_pin((pd)->pd_prov_handle, \
1204         session, old_pin, old_len, new_pin, new_len, req) : \
1205             CRYPTO_NOT_SUPPORTED)
1206 
1207 /*
1208  * Wrappers for crypto_nostore_key_ops(9S) entry points.
1209  */
1210 
1211 #define KCF_PROV_NOSTORE_KEY_GENERATE(pd, session, mech, template, count, \
1212             out_template, out_count, req) ( \
1213         (KCF_PROV_NOSTORE_KEY_OPS(pd) && \
1214             KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate) ? \
1215         KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate( \
1216             (pd)->pd_prov_handle, session, mech, template, count, \
1217             out_template, out_count, req) : CRYPTO_NOT_SUPPORTED)
1218 
1219 #define KCF_PROV_NOSTORE_KEY_GENERATE_PAIR(pd, session, mech, pub_template, \
1220             pub_count, priv_template, priv_count, out_pub_template, \
1221             out_pub_count, out_priv_template, out_priv_count, req) ( \
1222         (KCF_PROV_NOSTORE_KEY_OPS(pd) && \
1223             KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate_pair) ? \
1224         KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate_pair( \
1225             (pd)->pd_prov_handle, session, mech, pub_template, pub_count, \
1226             priv_template, priv_count, out_pub_template, out_pub_count, \
1227             out_priv_template, out_priv_count, req) : CRYPTO_NOT_SUPPORTED)
1228 
1229 #define KCF_PROV_NOSTORE_KEY_DERIVE(pd, session, mech, base_key, template, \
1230             count, out_template, out_count, req) ( \
1231         (KCF_PROV_NOSTORE_KEY_OPS(pd) && \
1232             KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_derive) ? \
1233         KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_derive( \
1234             (pd)->pd_prov_handle, session, mech, base_key, template, count, \
1235             out_template, out_count, req) : CRYPTO_NOT_SUPPORTED)
1236 
1237 /*
1238  * The following routines are exported by the kcf module (/kernel/misc/kcf)
1239  * to the crypto and cryptoadmin modules.
1240  */
1241 
1242 /* Digest/mac/cipher entry points that take a provider descriptor and session */
1243 extern int crypto_digest_single(crypto_context_t, crypto_data_t *,
1244     crypto_data_t *, crypto_call_req_t *);
1245 
1246 extern int crypto_mac_single(crypto_context_t, crypto_data_t *,
1247     crypto_data_t *, crypto_call_req_t *);
1248 
1249 extern int crypto_encrypt_single(crypto_context_t, crypto_data_t *,
1250     crypto_data_t *, crypto_call_req_t *);
1251 
1252 extern int crypto_decrypt_single(crypto_context_t, crypto_data_t *,
1253     crypto_data_t *, crypto_call_req_t *);
1254 
1255 
1256 /* Other private digest/mac/cipher entry points not exported through k-API */
1257 extern int crypto_digest_key_prov(crypto_context_t, crypto_key_t *,
1258     crypto_call_req_t *);
1259 
1260 /* Private sign entry points exported by KCF */
1261 extern int crypto_sign_single(crypto_context_t, crypto_data_t *,
1262     crypto_data_t *, crypto_call_req_t *);
1263 
1264 extern int crypto_sign_recover_single(crypto_context_t, crypto_data_t *,
1265     crypto_data_t *, crypto_call_req_t *);
1266 
1267 /* Private verify entry points exported by KCF */
1268 extern int crypto_verify_single(crypto_context_t, crypto_data_t *,
1269     crypto_data_t *, crypto_call_req_t *);
1270 
1271 extern int crypto_verify_recover_single(crypto_context_t, crypto_data_t *,
1272     crypto_data_t *, crypto_call_req_t *);
1273 
1274 /* Private dual operations entry points exported by KCF */
1275 extern int crypto_digest_encrypt_update(crypto_context_t, crypto_context_t,
1276     crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
1277 extern int crypto_decrypt_digest_update(crypto_context_t, crypto_context_t,
1278     crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
1279 extern int crypto_sign_encrypt_update(crypto_context_t, crypto_context_t,
1280     crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
1281 extern int crypto_decrypt_verify_update(crypto_context_t, crypto_context_t,
1282     crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
1283 
1284 /* Random Number Generation */
1285 int crypto_seed_random(crypto_provider_handle_t provider, uchar_t *buf,
1286     size_t len, crypto_call_req_t *req);
1287 int crypto_generate_random(crypto_provider_handle_t provider, uchar_t *buf,
1288     size_t len, crypto_call_req_t *req);
1289 
1290 /* Provider Management */
1291 int crypto_get_provider_info(crypto_provider_id_t id,
1292     crypto_provider_info_t **info, crypto_call_req_t *req);
1293 int crypto_get_provider_mechanisms(crypto_minor_t *, crypto_provider_id_t id,
1294     uint_t *count, crypto_mech_name_t **list);
1295 int crypto_init_token(crypto_provider_handle_t provider, char *pin,
1296     size_t pin_len, char *label, crypto_call_req_t *);
1297 int crypto_init_pin(crypto_provider_handle_t provider, char *pin,
1298     size_t pin_len, crypto_call_req_t *req);
1299 int crypto_set_pin(crypto_provider_handle_t provider, char *old_pin,
1300     size_t old_len, char *new_pin, size_t new_len, crypto_call_req_t *req);
1301 void crypto_free_provider_list(crypto_provider_entry_t *list, uint_t count);
1302 void crypto_free_provider_info(crypto_provider_info_t *info);
1303 
1304 /* Administrative */
1305 int crypto_get_dev_list(uint_t *count, crypto_dev_list_entry_t **list);
1306 int crypto_get_soft_list(uint_t *count, char **list, size_t *len);
1307 int crypto_get_dev_info(char *name, uint_t instance, uint_t *count,
1308     crypto_mech_name_t **list);
1309 int crypto_get_soft_info(caddr_t name, uint_t *count,
1310     crypto_mech_name_t **list);
1311 int crypto_load_dev_disabled(char *name, uint_t instance, uint_t count,
1312     crypto_mech_name_t *list);
1313 int crypto_load_soft_disabled(caddr_t name, uint_t count,
1314     crypto_mech_name_t *list);
1315 int crypto_unload_soft_module(caddr_t path);
1316 int crypto_load_soft_config(caddr_t name, uint_t count,
1317     crypto_mech_name_t *list);
1318 int crypto_load_door(uint_t did);
1319 void crypto_free_mech_list(crypto_mech_name_t *list, uint_t count);
1320 void crypto_free_dev_list(crypto_dev_list_entry_t *list, uint_t count);
1321 extern void kcf_activate();
1322 
1323 /* Miscellaneous */
1324 int crypto_get_mechanism_number(caddr_t name, crypto_mech_type_t *number);
1325 int crypto_get_function_list(crypto_provider_id_t id,
1326     crypto_function_list_t **list, int kmflag);
1327 void crypto_free_function_list(crypto_function_list_t *list);
1328 int crypto_build_permitted_mech_names(kcf_provider_desc_t *,
1329     crypto_mech_name_t **, uint_t *, int);
1330 extern void kcf_init_mech_tabs(void);
1331 extern int kcf_add_mech_provider(short, kcf_provider_desc_t *,
1332     kcf_prov_mech_desc_t **);
1333 extern void kcf_remove_mech_provider(char *, kcf_provider_desc_t *);
1334 extern int kcf_get_mech_entry(crypto_mech_type_t, kcf_mech_entry_t **);
1335 extern kcf_provider_desc_t *kcf_alloc_provider_desc(crypto_provider_info_t *);
1336 extern void kcf_free_provider_desc(kcf_provider_desc_t *);
1337 extern void kcf_soft_config_init(void);
1338 extern int get_sw_provider_for_mech(crypto_mech_name_t, char **);
1339 extern crypto_mech_type_t crypto_mech2id_common(char *, boolean_t);
1340 extern void undo_register_provider(kcf_provider_desc_t *, boolean_t);
1341 extern void redo_register_provider(kcf_provider_desc_t *);
1342 extern void kcf_rnd_init();
1343 extern boolean_t kcf_rngprov_check(void);
1344 extern int kcf_rnd_get_pseudo_bytes(uint8_t *, size_t);
1345 extern int kcf_rnd_get_bytes(uint8_t *, size_t, boolean_t);
1346 extern int random_add_pseudo_entropy(uint8_t *, size_t, uint_t);
1347 extern void kcf_rnd_chpoll(short, int, short *, struct pollhead **);
1348 extern int crypto_uio_data(crypto_data_t *, uchar_t *, int, cmd_type_t,
1349     void *, void (*update)());
1350 extern int crypto_mblk_data(crypto_data_t *, uchar_t *, int, cmd_type_t,
1351     void *, void (*update)());
1352 extern int crypto_put_output_data(uchar_t *, crypto_data_t *, int);
1353 extern int crypto_get_input_data(crypto_data_t *, uchar_t **, uchar_t *);
1354 extern int crypto_copy_key_to_ctx(crypto_key_t *, crypto_key_t **, size_t *,
1355     int kmflag);
1356 extern int crypto_digest_data(crypto_data_t *, void *, uchar_t *,
1357     void (*update)(), void (*final)(), uchar_t);
1358 extern int crypto_update_iov(void *, crypto_data_t *, crypto_data_t *,
1359     int (*cipher)(void *, caddr_t, size_t, crypto_data_t *),
1360     void (*copy_block)(const uint8_t *, uint64_t *));
1361 extern int crypto_update_uio(void *, crypto_data_t *, crypto_data_t *,
1362     int (*cipher)(void *, caddr_t, size_t, crypto_data_t *),
1363     void (*copy_block)(const uint8_t *, uint64_t *));
1364 extern int crypto_update_mp(void *, crypto_data_t *, crypto_data_t *,
1365     int (*cipher)(void *, caddr_t, size_t, crypto_data_t *),
1366     void (*copy_block)(const uint8_t *, uint64_t *));
1367 extern int crypto_get_key_attr(crypto_key_t *, crypto_attr_type_t, uchar_t **,
1368     ssize_t *);
1369 
1370 /* Access to the provider's table */
1371 extern void kcf_prov_tab_init(void);
1372 extern int kcf_prov_tab_add_provider(kcf_provider_desc_t *);
1373 extern int kcf_prov_tab_rem_provider(crypto_provider_id_t);
1374 extern kcf_provider_desc_t *kcf_prov_tab_lookup_by_name(char *);
1375 extern kcf_provider_desc_t *kcf_prov_tab_lookup_by_dev(char *, uint_t);
1376 extern int kcf_get_hw_prov_tab(uint_t *, kcf_provider_desc_t ***, int,
1377     char *, uint_t, boolean_t);
1378 extern int kcf_get_slot_list(uint_t *, kcf_provider_desc_t ***, boolean_t);
1379 extern void kcf_free_provider_tab(uint_t, kcf_provider_desc_t **);
1380 extern kcf_provider_desc_t *kcf_prov_tab_lookup(crypto_provider_id_t);
1381 extern int kcf_get_sw_prov(crypto_mech_type_t, kcf_provider_desc_t **,
1382     kcf_mech_entry_t **, boolean_t);
1383 
1384 extern kmutex_t prov_tab_mutex;
1385 extern boolean_t kcf_need_provtab_walk;
1386 extern int kcf_get_refcnt(kcf_provider_desc_t *, boolean_t);
1387 
1388 /* Access to the policy table */
1389 extern boolean_t is_mech_disabled(kcf_provider_desc_t *, crypto_mech_name_t);
1390 extern boolean_t is_mech_disabled_byname(crypto_provider_type_t, char *,
1391     uint_t, crypto_mech_name_t);
1392 extern void kcf_policy_tab_init(void);
1393 extern void kcf_policy_free_desc(kcf_policy_desc_t *);
1394 extern void kcf_policy_remove_by_name(char *, uint_t *, crypto_mech_name_t **);
1395 extern void kcf_policy_remove_by_dev(char *, uint_t, uint_t *,
1396     crypto_mech_name_t **);
1397 extern kcf_policy_desc_t *kcf_policy_lookup_by_name(char *);
1398 extern kcf_policy_desc_t *kcf_policy_lookup_by_dev(char *, uint_t);
1399 extern int kcf_policy_load_soft_disabled(char *, uint_t, crypto_mech_name_t *,
1400     uint_t *, crypto_mech_name_t **);
1401 extern int kcf_policy_load_dev_disabled(char *, uint_t, uint_t,
1402     crypto_mech_name_t *, uint_t *, crypto_mech_name_t **);
1403 extern void remove_soft_config(char *);
1404 
1405 #endif  /* _KERNEL */
1406 
1407 #ifdef  __cplusplus
1408 }
1409 #endif
1410 
1411 #endif  /* _SYS_CRYPTO_IMPL_H */