xref: /illumos-gate/usr/src/uts/common/sys/crypto/spi.h (revision 8b08ca3b)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_SYS_CRYPTO_SPI_H
27 #define	_SYS_CRYPTO_SPI_H
28 
29 /*
30  * CSPI: Cryptographic Service Provider Interface.
31  */
32 
33 #include <sys/types.h>
34 #include <sys/dditypes.h>
35 #include <sys/ddi.h>
36 #include <sys/kmem.h>
37 #include <sys/crypto/common.h>
38 
39 #ifdef	__cplusplus
40 extern "C" {
41 #endif
42 
43 #ifdef	_KERNEL
44 
45 #define	CRYPTO_SPI_VERSION_1	1
46 #define	CRYPTO_SPI_VERSION_2	2
47 #define	CRYPTO_SPI_VERSION_3	3
48 #define	CRYPTO_SPI_VERSION_4	4
49 
50 /*
51  * Provider-private handle. This handle is specified by a provider
52  * when it registers by means of the pi_provider_handle field of
53  * the crypto_provider_info structure, and passed to the provider
54  * when its entry points are invoked.
55  */
56 typedef void *crypto_provider_handle_t;
57 
58 /*
59  * Context templates can be used to by software providers to pre-process
60  * keying material, such as key schedules. They are allocated by
61  * a software provider create_ctx_template(9E) entry point, and passed
62  * as argument to initialization and atomic provider entry points.
63  */
64 typedef void *crypto_spi_ctx_template_t;
65 
66 /*
67  * Request handles are used by the kernel to identify an asynchronous
68  * request being processed by a provider. It is passed by the kernel
69  * to a hardware provider when submitting a request, and must be
70  * specified by a provider when calling crypto_op_notification(9F)
71  */
72 typedef void *crypto_req_handle_t;
73 
74 /* Values for cc_flags field */
75 #define	CRYPTO_INIT_OPSTATE	0x00000001 /* allocate and init cc_opstate */
76 #define	CRYPTO_USE_OPSTATE	0x00000002 /* .. start using it as context */
77 
78 /*
79  * The context structure is passed from the kernel to a provider.
80  * It contains the information needed to process a multi-part or
81  * single part operation. The context structure is not used
82  * by atomic operations.
83  *
84  * Parameters needed to perform a cryptographic operation, such
85  * as keys, mechanisms, input and output buffers, are passed
86  * as separate arguments to Provider routines.
87  */
88 typedef struct crypto_ctx {
89 	crypto_provider_handle_t cc_provider;
90 	crypto_session_id_t	cc_session;
91 	void			*cc_provider_private;	/* owned by provider */
92 	void			*cc_framework_private;	/* owned by framework */
93 	uint32_t		cc_flags;		/* flags */
94 	void			*cc_opstate;		/* state */
95 } crypto_ctx_t;
96 
97 /*
98  * Extended provider information.
99  */
100 
101 /*
102  * valid values for ei_flags field of extended info structure
103  * They match the RSA Security, Inc PKCS#11 tokenInfo flags.
104  */
105 #define	CRYPTO_EXTF_RNG					0x00000001
106 #define	CRYPTO_EXTF_WRITE_PROTECTED			0x00000002
107 #define	CRYPTO_EXTF_LOGIN_REQUIRED			0x00000004
108 #define	CRYPTO_EXTF_USER_PIN_INITIALIZED		0x00000008
109 #define	CRYPTO_EXTF_CLOCK_ON_TOKEN			0x00000040
110 #define	CRYPTO_EXTF_PROTECTED_AUTHENTICATION_PATH	0x00000100
111 #define	CRYPTO_EXTF_DUAL_CRYPTO_OPERATIONS		0x00000200
112 #define	CRYPTO_EXTF_TOKEN_INITIALIZED			0x00000400
113 #define	CRYPTO_EXTF_USER_PIN_COUNT_LOW			0x00010000
114 #define	CRYPTO_EXTF_USER_PIN_FINAL_TRY			0x00020000
115 #define	CRYPTO_EXTF_USER_PIN_LOCKED			0x00040000
116 #define	CRYPTO_EXTF_USER_PIN_TO_BE_CHANGED		0x00080000
117 #define	CRYPTO_EXTF_SO_PIN_COUNT_LOW			0x00100000
118 #define	CRYPTO_EXTF_SO_PIN_FINAL_TRY			0x00200000
119 #define	CRYPTO_EXTF_SO_PIN_LOCKED			0x00400000
120 #define	CRYPTO_EXTF_SO_PIN_TO_BE_CHANGED		0x00800000
121 
122 /*
123  * The crypto_control_ops structure contains pointers to control
124  * operations for cryptographic providers.  It is passed through
125  * the crypto_ops(9S) structure when providers register with the
126  * kernel using crypto_register_provider(9F).
127  */
128 typedef struct crypto_control_ops {
129 	void (*provider_status)(crypto_provider_handle_t, uint_t *);
130 } crypto_control_ops_t;
131 
132 /*
133  * The crypto_ctx_ops structure contains points to context and context
134  * templates management operations for cryptographic providers. It is
135  * passed through the crypto_ops(9S) structure when providers register
136  * with the kernel using crypto_register_provider(9F).
137  */
138 typedef struct crypto_ctx_ops {
139 	int (*create_ctx_template)(crypto_provider_handle_t,
140 	    crypto_mechanism_t *, crypto_key_t *,
141 	    crypto_spi_ctx_template_t *, size_t *, crypto_req_handle_t);
142 	int (*free_context)(crypto_ctx_t *);
143 } crypto_ctx_ops_t;
144 
145 /*
146  * The crypto_digest_ops structure contains pointers to digest
147  * operations for cryptographic providers.  It is passed through
148  * the crypto_ops(9S) structure when providers register with the
149  * kernel using crypto_register_provider(9F).
150  */
151 typedef struct crypto_digest_ops {
152 	int (*digest_init)(crypto_ctx_t *, crypto_mechanism_t *,
153 	    crypto_req_handle_t);
154 	int (*digest)(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
155 	    crypto_req_handle_t);
156 	int (*digest_update)(crypto_ctx_t *, crypto_data_t *,
157 	    crypto_req_handle_t);
158 	int (*digest_key)(crypto_ctx_t *, crypto_key_t *, crypto_req_handle_t);
159 	int (*digest_final)(crypto_ctx_t *, crypto_data_t *,
160 	    crypto_req_handle_t);
161 	int (*digest_atomic)(crypto_provider_handle_t, crypto_session_id_t,
162 	    crypto_mechanism_t *, crypto_data_t *,
163 	    crypto_data_t *, crypto_req_handle_t);
164 } crypto_digest_ops_t;
165 
166 /*
167  * The crypto_cipher_ops structure contains pointers to encryption
168  * and decryption operations for cryptographic providers.  It is
169  * passed through the crypto_ops(9S) structure when providers register
170  * with the kernel using crypto_register_provider(9F).
171  */
172 typedef struct crypto_cipher_ops {
173 	int (*encrypt_init)(crypto_ctx_t *,
174 	    crypto_mechanism_t *, crypto_key_t *,
175 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
176 	int (*encrypt)(crypto_ctx_t *,
177 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
178 	int (*encrypt_update)(crypto_ctx_t *,
179 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
180 	int (*encrypt_final)(crypto_ctx_t *,
181 	    crypto_data_t *, crypto_req_handle_t);
182 	int (*encrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t,
183 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
184 	    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
185 
186 	int (*decrypt_init)(crypto_ctx_t *,
187 	    crypto_mechanism_t *, crypto_key_t *,
188 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
189 	int (*decrypt)(crypto_ctx_t *,
190 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
191 	int (*decrypt_update)(crypto_ctx_t *,
192 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
193 	int (*decrypt_final)(crypto_ctx_t *,
194 	    crypto_data_t *, crypto_req_handle_t);
195 	int (*decrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t,
196 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
197 	    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
198 } crypto_cipher_ops_t;
199 
200 /*
201  * The crypto_mac_ops structure contains pointers to MAC
202  * operations for cryptographic providers.  It is passed through
203  * the crypto_ops(9S) structure when providers register with the
204  * kernel using crypto_register_provider(9F).
205  */
206 typedef struct crypto_mac_ops {
207 	int (*mac_init)(crypto_ctx_t *,
208 	    crypto_mechanism_t *, crypto_key_t *,
209 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
210 	int (*mac)(crypto_ctx_t *,
211 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
212 	int (*mac_update)(crypto_ctx_t *,
213 	    crypto_data_t *, crypto_req_handle_t);
214 	int (*mac_final)(crypto_ctx_t *,
215 	    crypto_data_t *, crypto_req_handle_t);
216 	int (*mac_atomic)(crypto_provider_handle_t, crypto_session_id_t,
217 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
218 	    crypto_data_t *, crypto_spi_ctx_template_t,
219 	    crypto_req_handle_t);
220 	int (*mac_verify_atomic)(crypto_provider_handle_t, crypto_session_id_t,
221 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
222 	    crypto_data_t *, crypto_spi_ctx_template_t,
223 	    crypto_req_handle_t);
224 } crypto_mac_ops_t;
225 
226 /*
227  * The crypto_sign_ops structure contains pointers to signing
228  * operations for cryptographic providers.  It is passed through
229  * the crypto_ops(9S) structure when providers register with the
230  * kernel using crypto_register_provider(9F).
231  */
232 typedef struct crypto_sign_ops {
233 	int (*sign_init)(crypto_ctx_t *,
234 	    crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t,
235 	    crypto_req_handle_t);
236 	int (*sign)(crypto_ctx_t *,
237 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
238 	int (*sign_update)(crypto_ctx_t *,
239 	    crypto_data_t *, crypto_req_handle_t);
240 	int (*sign_final)(crypto_ctx_t *,
241 	    crypto_data_t *, crypto_req_handle_t);
242 	int (*sign_atomic)(crypto_provider_handle_t, crypto_session_id_t,
243 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
244 	    crypto_data_t *, crypto_spi_ctx_template_t,
245 	    crypto_req_handle_t);
246 	int (*sign_recover_init)(crypto_ctx_t *, crypto_mechanism_t *,
247 	    crypto_key_t *, crypto_spi_ctx_template_t,
248 	    crypto_req_handle_t);
249 	int (*sign_recover)(crypto_ctx_t *,
250 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
251 	int (*sign_recover_atomic)(crypto_provider_handle_t,
252 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
253 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
254 	    crypto_req_handle_t);
255 } crypto_sign_ops_t;
256 
257 /*
258  * The crypto_verify_ops structure contains pointers to verify
259  * operations for cryptographic providers.  It is passed through
260  * the crypto_ops(9S) structure when providers register with the
261  * kernel using crypto_register_provider(9F).
262  */
263 typedef struct crypto_verify_ops {
264 	int (*verify_init)(crypto_ctx_t *,
265 	    crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t,
266 	    crypto_req_handle_t);
267 	int (*verify)(crypto_ctx_t *,
268 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
269 	int (*verify_update)(crypto_ctx_t *,
270 	    crypto_data_t *, crypto_req_handle_t);
271 	int (*verify_final)(crypto_ctx_t *,
272 	    crypto_data_t *, crypto_req_handle_t);
273 	int (*verify_atomic)(crypto_provider_handle_t, crypto_session_id_t,
274 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
275 	    crypto_data_t *, crypto_spi_ctx_template_t,
276 	    crypto_req_handle_t);
277 	int (*verify_recover_init)(crypto_ctx_t *, crypto_mechanism_t *,
278 	    crypto_key_t *, crypto_spi_ctx_template_t,
279 	    crypto_req_handle_t);
280 	int (*verify_recover)(crypto_ctx_t *,
281 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
282 	int (*verify_recover_atomic)(crypto_provider_handle_t,
283 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
284 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
285 	    crypto_req_handle_t);
286 } crypto_verify_ops_t;
287 
288 /*
289  * The crypto_dual_ops structure contains pointers to dual
290  * cipher and sign/verify operations for cryptographic providers.
291  * It is passed through the crypto_ops(9S) structure when
292  * providers register with the kernel using
293  * crypto_register_provider(9F).
294  */
295 typedef struct crypto_dual_ops {
296 	int (*digest_encrypt_update)(
297 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
298 	    crypto_data_t *, crypto_req_handle_t);
299 	int (*decrypt_digest_update)(
300 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
301 	    crypto_data_t *, crypto_req_handle_t);
302 	int (*sign_encrypt_update)(
303 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
304 	    crypto_data_t *, crypto_req_handle_t);
305 	int (*decrypt_verify_update)(
306 	    crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *,
307 	    crypto_data_t *, crypto_req_handle_t);
308 } crypto_dual_ops_t;
309 
310 /*
311  * The crypto_dual_cipher_mac_ops structure contains pointers to dual
312  * cipher and MAC operations for cryptographic providers.
313  * It is passed through the crypto_ops(9S) structure when
314  * providers register with the kernel using
315  * crypto_register_provider(9F).
316  */
317 typedef struct crypto_dual_cipher_mac_ops {
318 	int (*encrypt_mac_init)(crypto_ctx_t *,
319 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
320 	    crypto_key_t *, crypto_spi_ctx_template_t,
321 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
322 	int (*encrypt_mac)(crypto_ctx_t *,
323 	    crypto_data_t *, crypto_dual_data_t *, crypto_data_t *,
324 	    crypto_req_handle_t);
325 	int (*encrypt_mac_update)(crypto_ctx_t *,
326 	    crypto_data_t *, crypto_dual_data_t *, crypto_req_handle_t);
327 	int (*encrypt_mac_final)(crypto_ctx_t *,
328 	    crypto_dual_data_t *, crypto_data_t *, crypto_req_handle_t);
329 	int (*encrypt_mac_atomic)(crypto_provider_handle_t, crypto_session_id_t,
330 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
331 	    crypto_key_t *, crypto_data_t *, crypto_dual_data_t *,
332 	    crypto_data_t *, crypto_spi_ctx_template_t,
333 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
334 
335 	int (*mac_decrypt_init)(crypto_ctx_t *,
336 	    crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *,
337 	    crypto_key_t *, crypto_spi_ctx_template_t,
338 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
339 	int (*mac_decrypt)(crypto_ctx_t *,
340 	    crypto_dual_data_t *, crypto_data_t *, crypto_data_t *,
341 	    crypto_req_handle_t);
342 	int (*mac_decrypt_update)(crypto_ctx_t *,
343 	    crypto_dual_data_t *, crypto_data_t *, crypto_req_handle_t);
344 	int (*mac_decrypt_final)(crypto_ctx_t *,
345 	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
346 	int (*mac_decrypt_atomic)(crypto_provider_handle_t,
347 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
348 	    crypto_mechanism_t *, crypto_key_t *, crypto_dual_data_t *,
349 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
350 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
351 	int (*mac_verify_decrypt_atomic)(crypto_provider_handle_t,
352 	    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
353 	    crypto_mechanism_t *, crypto_key_t *, crypto_dual_data_t *,
354 	    crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
355 	    crypto_spi_ctx_template_t, crypto_req_handle_t);
356 } crypto_dual_cipher_mac_ops_t;
357 
358 /*
359  * The crypto_random_number_ops structure contains pointers to random
360  * number operations for cryptographic providers.  It is passed through
361  * the crypto_ops(9S) structure when providers register with the
362  * kernel using crypto_register_provider(9F).
363  */
364 typedef struct crypto_random_number_ops {
365 	int (*seed_random)(crypto_provider_handle_t, crypto_session_id_t,
366 	    uchar_t *, size_t, uint_t, uint32_t, crypto_req_handle_t);
367 	int (*generate_random)(crypto_provider_handle_t, crypto_session_id_t,
368 	    uchar_t *, size_t, crypto_req_handle_t);
369 } crypto_random_number_ops_t;
370 
371 /*
372  * Flag values for seed_random.
373  */
374 #define	CRYPTO_SEED_NOW		0x00000001
375 
376 /*
377  * The crypto_session_ops structure contains pointers to session
378  * operations for cryptographic providers.  It is passed through
379  * the crypto_ops(9S) structure when providers register with the
380  * kernel using crypto_register_provider(9F).
381  */
382 typedef struct crypto_session_ops {
383 	int (*session_open)(crypto_provider_handle_t, crypto_session_id_t *,
384 	    crypto_req_handle_t);
385 	int (*session_close)(crypto_provider_handle_t, crypto_session_id_t,
386 	    crypto_req_handle_t);
387 	int (*session_login)(crypto_provider_handle_t, crypto_session_id_t,
388 	    crypto_user_type_t, char *, size_t, crypto_req_handle_t);
389 	int (*session_logout)(crypto_provider_handle_t, crypto_session_id_t,
390 	    crypto_req_handle_t);
391 } crypto_session_ops_t;
392 
393 /*
394  * The crypto_object_ops structure contains pointers to object
395  * operations for cryptographic providers.  It is passed through
396  * the crypto_ops(9S) structure when providers register with the
397  * kernel using crypto_register_provider(9F).
398  */
399 typedef struct crypto_object_ops {
400 	int (*object_create)(crypto_provider_handle_t, crypto_session_id_t,
401 	    crypto_object_attribute_t *, uint_t, crypto_object_id_t *,
402 	    crypto_req_handle_t);
403 	int (*object_copy)(crypto_provider_handle_t, crypto_session_id_t,
404 	    crypto_object_id_t, crypto_object_attribute_t *, uint_t,
405 	    crypto_object_id_t *, crypto_req_handle_t);
406 	int (*object_destroy)(crypto_provider_handle_t, crypto_session_id_t,
407 	    crypto_object_id_t, crypto_req_handle_t);
408 	int (*object_get_size)(crypto_provider_handle_t, crypto_session_id_t,
409 	    crypto_object_id_t, size_t *, crypto_req_handle_t);
410 	int (*object_get_attribute_value)(crypto_provider_handle_t,
411 	    crypto_session_id_t, crypto_object_id_t,
412 	    crypto_object_attribute_t *, uint_t, crypto_req_handle_t);
413 	int (*object_set_attribute_value)(crypto_provider_handle_t,
414 	    crypto_session_id_t, crypto_object_id_t,
415 	    crypto_object_attribute_t *,  uint_t, crypto_req_handle_t);
416 	int (*object_find_init)(crypto_provider_handle_t, crypto_session_id_t,
417 	    crypto_object_attribute_t *, uint_t, void **,
418 	    crypto_req_handle_t);
419 	int (*object_find)(crypto_provider_handle_t, void *,
420 	    crypto_object_id_t *, uint_t, uint_t *, crypto_req_handle_t);
421 	int (*object_find_final)(crypto_provider_handle_t, void *,
422 	    crypto_req_handle_t);
423 } crypto_object_ops_t;
424 
425 /*
426  * The crypto_key_ops structure contains pointers to key
427  * operations for cryptographic providers.  It is passed through
428  * the crypto_ops(9S) structure when providers register with the
429  * kernel using crypto_register_provider(9F).
430  */
431 typedef struct crypto_key_ops {
432 	int (*key_generate)(crypto_provider_handle_t, crypto_session_id_t,
433 	    crypto_mechanism_t *, crypto_object_attribute_t *, uint_t,
434 	    crypto_object_id_t *, crypto_req_handle_t);
435 	int (*key_generate_pair)(crypto_provider_handle_t, crypto_session_id_t,
436 	    crypto_mechanism_t *, crypto_object_attribute_t *, uint_t,
437 	    crypto_object_attribute_t *, uint_t, crypto_object_id_t *,
438 	    crypto_object_id_t *, crypto_req_handle_t);
439 	int (*key_wrap)(crypto_provider_handle_t, crypto_session_id_t,
440 	    crypto_mechanism_t *, crypto_key_t *, crypto_object_id_t *,
441 	    uchar_t *, size_t *, crypto_req_handle_t);
442 	int (*key_unwrap)(crypto_provider_handle_t, crypto_session_id_t,
443 	    crypto_mechanism_t *, crypto_key_t *, uchar_t *, size_t *,
444 	    crypto_object_attribute_t *, uint_t,
445 	    crypto_object_id_t *, crypto_req_handle_t);
446 	int (*key_derive)(crypto_provider_handle_t, crypto_session_id_t,
447 	    crypto_mechanism_t *, crypto_key_t *, crypto_object_attribute_t *,
448 	    uint_t, crypto_object_id_t *, crypto_req_handle_t);
449 	int (*key_check)(crypto_provider_handle_t, crypto_mechanism_t *,
450 	    crypto_key_t *);
451 } crypto_key_ops_t;
452 
453 /*
454  * The crypto_provider_management_ops structure contains pointers
455  * to management operations for cryptographic providers.  It is passed
456  * through the crypto_ops(9S) structure when providers register with the
457  * kernel using crypto_register_provider(9F).
458  */
459 typedef struct crypto_provider_management_ops {
460 	int (*ext_info)(crypto_provider_handle_t,
461 	    crypto_provider_ext_info_t *, crypto_req_handle_t);
462 	int (*init_token)(crypto_provider_handle_t, char *, size_t,
463 	    char *, crypto_req_handle_t);
464 	int (*init_pin)(crypto_provider_handle_t, crypto_session_id_t,
465 	    char *, size_t, crypto_req_handle_t);
466 	int (*set_pin)(crypto_provider_handle_t, crypto_session_id_t,
467 	    char *, size_t, char *, size_t, crypto_req_handle_t);
468 } crypto_provider_management_ops_t;
469 
470 typedef struct crypto_mech_ops {
471 	int (*copyin_mechanism)(crypto_provider_handle_t,
472 	    crypto_mechanism_t *, crypto_mechanism_t *, int *, int);
473 	int (*copyout_mechanism)(crypto_provider_handle_t,
474 	    crypto_mechanism_t *, crypto_mechanism_t *, int *, int);
475 	int (*free_mechanism)(crypto_provider_handle_t, crypto_mechanism_t *);
476 } crypto_mech_ops_t;
477 
478 typedef struct crypto_nostore_key_ops {
479 	int (*nostore_key_generate)(crypto_provider_handle_t,
480 	    crypto_session_id_t, crypto_mechanism_t *,
481 	    crypto_object_attribute_t *, uint_t, crypto_object_attribute_t *,
482 	    uint_t, crypto_req_handle_t);
483 	int (*nostore_key_generate_pair)(crypto_provider_handle_t,
484 	    crypto_session_id_t, crypto_mechanism_t *,
485 	    crypto_object_attribute_t *, uint_t, crypto_object_attribute_t *,
486 	    uint_t, crypto_object_attribute_t *, uint_t,
487 	    crypto_object_attribute_t *, uint_t, crypto_req_handle_t);
488 	int (*nostore_key_derive)(crypto_provider_handle_t, crypto_session_id_t,
489 	    crypto_mechanism_t *, crypto_key_t *, crypto_object_attribute_t *,
490 	    uint_t, crypto_object_attribute_t *, uint_t, crypto_req_handle_t);
491 } crypto_nostore_key_ops_t;
492 
493 /*
494  * crypto_fips140_ops provides a function for FIPS 140 Power-On Self Test for
495  * those providers that are part of the Cryptographic Framework bounday.  See
496  * crypto_fips140_ops(9s) for details.
497  */
498 typedef struct crypto_fips140_ops {
499 	void (*fips140_post)(int *);
500 } crypto_fips140_ops_t;
501 
502 /*
503  * The crypto_ops(9S) structure contains the structures containing
504  * the pointers to functions implemented by cryptographic providers.
505  * It is specified as part of the crypto_provider_info(9S)
506  * supplied by a provider when it registers with the kernel
507  * by calling crypto_register_provider(9F).
508  */
509 typedef struct crypto_ops_v1 {
510 	crypto_control_ops_t			*co_control_ops;
511 	crypto_digest_ops_t			*co_digest_ops;
512 	crypto_cipher_ops_t			*co_cipher_ops;
513 	crypto_mac_ops_t			*co_mac_ops;
514 	crypto_sign_ops_t			*co_sign_ops;
515 	crypto_verify_ops_t			*co_verify_ops;
516 	crypto_dual_ops_t			*co_dual_ops;
517 	crypto_dual_cipher_mac_ops_t		*co_dual_cipher_mac_ops;
518 	crypto_random_number_ops_t		*co_random_ops;
519 	crypto_session_ops_t			*co_session_ops;
520 	crypto_object_ops_t			*co_object_ops;
521 	crypto_key_ops_t			*co_key_ops;
522 	crypto_provider_management_ops_t	*co_provider_ops;
523 	crypto_ctx_ops_t			*co_ctx_ops;
524 } crypto_ops_v1_t;
525 
526 typedef struct crypto_ops_v2 {
527 	crypto_ops_v1_t				v1_ops;
528 	crypto_mech_ops_t			*co_mech_ops;
529 } crypto_ops_v2_t;
530 
531 typedef struct crypto_ops_v3 {
532 	crypto_ops_v2_t				v2_ops;
533 	crypto_nostore_key_ops_t		*co_nostore_key_ops;
534 } crypto_ops_v3_t;
535 
536 typedef struct crypto_ops_v4 {
537 	crypto_ops_v3_t				v3_ops;
538 	crypto_fips140_ops_t			*co_fips140_ops;
539 } crypto_ops_v4_t;
540 
541 typedef struct crypto_ops {
542 	union {
543 		crypto_ops_v4_t	cou_v4;
544 		crypto_ops_v3_t	cou_v3;
545 		crypto_ops_v2_t	cou_v2;
546 		crypto_ops_v1_t	cou_v1;
547 	} cou;
548 } crypto_ops_t;
549 
550 #define	co_control_ops			cou.cou_v1.co_control_ops
551 #define	co_digest_ops			cou.cou_v1.co_digest_ops
552 #define	co_cipher_ops			cou.cou_v1.co_cipher_ops
553 #define	co_mac_ops			cou.cou_v1.co_mac_ops
554 #define	co_sign_ops			cou.cou_v1.co_sign_ops
555 #define	co_verify_ops			cou.cou_v1.co_verify_ops
556 #define	co_dual_ops			cou.cou_v1.co_dual_ops
557 #define	co_dual_cipher_mac_ops		cou.cou_v1.co_dual_cipher_mac_ops
558 #define	co_random_ops			cou.cou_v1.co_random_ops
559 #define	co_session_ops			cou.cou_v1.co_session_ops
560 #define	co_object_ops			cou.cou_v1.co_object_ops
561 #define	co_key_ops			cou.cou_v1.co_key_ops
562 #define	co_provider_ops			cou.cou_v1.co_provider_ops
563 #define	co_ctx_ops			cou.cou_v1.co_ctx_ops
564 #define	co_mech_ops			cou.cou_v2.co_mech_ops
565 #define	co_nostore_key_ops		cou.cou_v3.co_nostore_key_ops
566 #define	co_fips140_ops			cou.cou_v4.co_fips140_ops
567 
568 /*
569  * Provider device specification passed during registration.
570  *
571  * Software providers set the pi_provider_type field of provider_info_t
572  * to CRYPTO_SW_PROVIDER, and set the pd_sw field of
573  * crypto_provider_dev_t to the address of their modlinkage.
574  *
575  * Hardware providers set the pi_provider_type field of provider_info_t
576  * to CRYPTO_HW_PROVIDER, and set the pd_hw field of
577  * crypto_provider_dev_t to the dev_info structure corresponding
578  * to the device instance being registered.
579  *
580  * Logical providers set the pi_provider_type field of provider_info_t
581  * to CRYPTO_LOGICAL_PROVIDER, and set the pd_hw field of
582  * crypto_provider_dev_t to the dev_info structure corresponding
583  * to the device instance being registered.
584  */
585 
586 typedef union crypto_provider_dev {
587 	struct modlinkage	*pd_sw; /* for CRYPTO_SW_PROVIDER */
588 	dev_info_t		*pd_hw; /* for CRYPTO_HW_PROVIDER */
589 } crypto_provider_dev_t;
590 
591 #endif /* _KERNEL */
592 
593 /*
594  * The mechanism info structure crypto_mech_info_t contains a function group
595  * bit mask cm_func_group_mask. This field, of type crypto_func_group_t,
596  * specifies the provider entry point that can be used a particular
597  * mechanism. The function group mask is a combination of the following values.
598  */
599 
600 typedef uint32_t crypto_func_group_t;
601 
602 #define	CRYPTO_FG_ENCRYPT		0x00000001 /* encrypt_init() */
603 #define	CRYPTO_FG_DECRYPT		0x00000002 /* decrypt_init() */
604 #define	CRYPTO_FG_DIGEST		0x00000004 /* digest_init() */
605 #define	CRYPTO_FG_SIGN			0x00000008 /* sign_init() */
606 #define	CRYPTO_FG_SIGN_RECOVER		0x00000010 /* sign_recover_init() */
607 #define	CRYPTO_FG_VERIFY		0x00000020 /* verify_init() */
608 #define	CRYPTO_FG_VERIFY_RECOVER	0x00000040 /* verify_recover_init() */
609 #define	CRYPTO_FG_GENERATE		0x00000080 /* key_generate() */
610 #define	CRYPTO_FG_GENERATE_KEY_PAIR	0x00000100 /* key_generate_pair() */
611 #define	CRYPTO_FG_WRAP			0x00000200 /* key_wrap() */
612 #define	CRYPTO_FG_UNWRAP		0x00000400 /* key_unwrap() */
613 #define	CRYPTO_FG_DERIVE		0x00000800 /* key_derive() */
614 #define	CRYPTO_FG_MAC			0x00001000 /* mac_init() */
615 #define	CRYPTO_FG_ENCRYPT_MAC		0x00002000 /* encrypt_mac_init() */
616 #define	CRYPTO_FG_MAC_DECRYPT		0x00004000 /* decrypt_mac_init() */
617 #define	CRYPTO_FG_ENCRYPT_ATOMIC	0x00008000 /* encrypt_atomic() */
618 #define	CRYPTO_FG_DECRYPT_ATOMIC	0x00010000 /* decrypt_atomic() */
619 #define	CRYPTO_FG_MAC_ATOMIC		0x00020000 /* mac_atomic() */
620 #define	CRYPTO_FG_DIGEST_ATOMIC		0x00040000 /* digest_atomic() */
621 #define	CRYPTO_FG_SIGN_ATOMIC		0x00080000 /* sign_atomic() */
622 #define	CRYPTO_FG_SIGN_RECOVER_ATOMIC   0x00100000 /* sign_recover_atomic() */
623 #define	CRYPTO_FG_VERIFY_ATOMIC		0x00200000 /* verify_atomic() */
624 #define	CRYPTO_FG_VERIFY_RECOVER_ATOMIC	0x00400000 /* verify_recover_atomic() */
625 #define	CRYPTO_FG_ENCRYPT_MAC_ATOMIC	0x00800000 /* encrypt_mac_atomic() */
626 #define	CRYPTO_FG_MAC_DECRYPT_ATOMIC	0x01000000 /* mac_decrypt_atomic() */
627 #define	CRYPTO_FG_RESERVED		0x80000000
628 
629 /*
630  * Maximum length of the pi_provider_description field of the
631  * crypto_provider_info structure.
632  */
633 #define	CRYPTO_PROVIDER_DESCR_MAX_LEN	64
634 
635 #ifdef _KERNEL
636 
637 /* Bit mask for all the simple operations */
638 #define	CRYPTO_FG_SIMPLEOP_MASK	(CRYPTO_FG_ENCRYPT | CRYPTO_FG_DECRYPT | \
639     CRYPTO_FG_DIGEST | CRYPTO_FG_SIGN | CRYPTO_FG_VERIFY | CRYPTO_FG_MAC | \
640     CRYPTO_FG_ENCRYPT_ATOMIC | CRYPTO_FG_DECRYPT_ATOMIC |		\
641     CRYPTO_FG_MAC_ATOMIC | CRYPTO_FG_DIGEST_ATOMIC | CRYPTO_FG_SIGN_ATOMIC | \
642     CRYPTO_FG_VERIFY_ATOMIC)
643 
644 /* Bit mask for all the dual operations */
645 #define	CRYPTO_FG_MAC_CIPHER_MASK	(CRYPTO_FG_ENCRYPT_MAC |	\
646     CRYPTO_FG_MAC_DECRYPT | CRYPTO_FG_ENCRYPT_MAC_ATOMIC |		\
647     CRYPTO_FG_MAC_DECRYPT_ATOMIC)
648 
649 /* Add other combos to CRYPTO_FG_DUAL_MASK */
650 #define	CRYPTO_FG_DUAL_MASK	CRYPTO_FG_MAC_CIPHER_MASK
651 
652 /*
653  * The crypto_mech_info structure specifies one of the mechanisms
654  * supported by a cryptographic provider. The pi_mechanisms field of
655  * the crypto_provider_info structure contains a pointer to an array
656  * of crypto_mech_info's.
657  */
658 typedef struct crypto_mech_info {
659 	crypto_mech_name_t	cm_mech_name;
660 	crypto_mech_type_t	cm_mech_number;
661 	crypto_func_group_t	cm_func_group_mask;
662 	ssize_t			cm_min_key_length;
663 	ssize_t			cm_max_key_length;
664 	uint32_t		cm_mech_flags;
665 } crypto_mech_info_t;
666 
667 /* Alias the old name to the new name for compatibility. */
668 #define	cm_keysize_unit	cm_mech_flags
669 
670 /*
671  * crypto_kcf_provider_handle_t is a handle allocated by the kernel.
672  * It is returned after the provider registers with
673  * crypto_register_provider(), and must be specified by the provider
674  * when calling crypto_unregister_provider(), and
675  * crypto_provider_notification().
676  */
677 typedef uint_t crypto_kcf_provider_handle_t;
678 
679 /*
680  * Provider information. Passed as argument to crypto_register_provider(9F).
681  * Describes the provider and its capabilities. Multiple providers can
682  * register for the same device instance. In this case, the same
683  * pi_provider_dev must be specified with a different pi_provider_handle.
684  */
685 typedef struct crypto_provider_info_v1 {
686 	uint_t				pi_interface_version;
687 	char				*pi_provider_description;
688 	crypto_provider_type_t		pi_provider_type;
689 	crypto_provider_dev_t		pi_provider_dev;
690 	crypto_provider_handle_t	pi_provider_handle;
691 	crypto_ops_t			*pi_ops_vector;
692 	uint_t				pi_mech_list_count;
693 	crypto_mech_info_t		*pi_mechanisms;
694 	uint_t				pi_logical_provider_count;
695 	crypto_kcf_provider_handle_t	*pi_logical_providers;
696 } crypto_provider_info_v1_t;
697 
698 typedef struct crypto_provider_info_v2 {
699 	crypto_provider_info_v1_t	v1_info;
700 	uint_t				pi_flags;
701 } crypto_provider_info_v2_t;
702 
703 typedef struct crypto_provider_info {
704 	union {
705 		crypto_provider_info_v2_t piu_v2;
706 		crypto_provider_info_v1_t piu_v1;
707 	} piu;
708 } crypto_provider_info_t;
709 
710 #define	pi_interface_version		piu.piu_v1.pi_interface_version
711 #define	pi_provider_description		piu.piu_v1.pi_provider_description
712 #define	pi_provider_type		piu.piu_v1.pi_provider_type
713 #define	pi_provider_dev			piu.piu_v1.pi_provider_dev
714 #define	pi_provider_handle		piu.piu_v1.pi_provider_handle
715 #define	pi_ops_vector			piu.piu_v1.pi_ops_vector
716 #define	pi_mech_list_count		piu.piu_v1.pi_mech_list_count
717 #define	pi_mechanisms			piu.piu_v1.pi_mechanisms
718 #define	pi_logical_provider_count	piu.piu_v1.pi_logical_provider_count
719 #define	pi_logical_providers		piu.piu_v1.pi_logical_providers
720 #define	pi_flags			piu.piu_v2.pi_flags
721 
722 /* hidden providers can only be accessed via a logical provider */
723 #define	CRYPTO_HIDE_PROVIDER		0x00000001
724 /*
725  * provider can not do multi-part digest (updates) and has a limit
726  * on maximum input data that it can digest. The provider sets
727  * this value in crypto_provider_ext_info_t by implementing
728  * the ext_info entry point in the co_provider_ops vector.
729  */
730 #define	CRYPTO_HASH_NO_UPDATE		0x00000002
731 /*
732  * provider can not do multi-part HMAC (updates) and has a limit
733  * on maximum input data that it can hmac. The provider sets
734  * this value in crypto_provider_ext_info_t by implementing
735  * the ext_info entry point in the co_provider_ops vector.
736  */
737 #define	CRYPTO_HMAC_NO_UPDATE		0x00000008
738 
739 /* provider can handle the request without returning a CRYPTO_QUEUED */
740 #define	CRYPTO_SYNCHRONOUS		0x00000004
741 
742 #define	CRYPTO_PIFLAGS_RESERVED2	0x40000000
743 #define	CRYPTO_PIFLAGS_RESERVED1	0x80000000
744 
745 /*
746  * Provider status passed by a provider to crypto_provider_notification(9F)
747  * and returned by the provider_status(9E) entry point.
748  */
749 #define	CRYPTO_PROVIDER_READY		0
750 #define	CRYPTO_PROVIDER_BUSY		1
751 #define	CRYPTO_PROVIDER_FAILED		2
752 
753 /*
754  * Functions exported by Solaris to cryptographic providers. Providers
755  * call these functions to register and unregister, notify the kernel
756  * of state changes, and notify the kernel when a asynchronous request
757  * completed.
758  */
759 extern int crypto_register_provider(crypto_provider_info_t *,
760 		crypto_kcf_provider_handle_t *);
761 extern int crypto_unregister_provider(crypto_kcf_provider_handle_t);
762 extern void crypto_provider_notification(crypto_kcf_provider_handle_t, uint_t);
763 extern void crypto_op_notification(crypto_req_handle_t, int);
764 extern int crypto_kmflag(crypto_req_handle_t);
765 
766 #endif	/* _KERNEL */
767 
768 #ifdef	__cplusplus
769 }
770 #endif
771 
772 #endif	/* _SYS_CRYPTO_SPI_H */
773