10Sstevel@tonic-gate /*
20Sstevel@tonic-gate * CDDL HEADER START
30Sstevel@tonic-gate *
40Sstevel@tonic-gate * The contents of this file are subject to the terms of the
51808Smcpowers * Common Development and Distribution License (the "License").
61808Smcpowers * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate *
80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate * See the License for the specific language governing permissions
110Sstevel@tonic-gate * and limitations under the License.
120Sstevel@tonic-gate *
130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate *
190Sstevel@tonic-gate * CDDL HEADER END
200Sstevel@tonic-gate */
210Sstevel@tonic-gate /*
22*12304SValerie.Fenwick@Oracle.COM * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
230Sstevel@tonic-gate */
240Sstevel@tonic-gate
250Sstevel@tonic-gate #include <sys/errno.h>
260Sstevel@tonic-gate #include <sys/types.h>
270Sstevel@tonic-gate #include <sys/kmem.h>
28904Smcpowers #include <sys/sysmacros.h>
290Sstevel@tonic-gate #include <sys/crypto/common.h>
300Sstevel@tonic-gate #include <sys/crypto/impl.h>
310Sstevel@tonic-gate #include <sys/crypto/api.h>
320Sstevel@tonic-gate #include <sys/crypto/spi.h>
330Sstevel@tonic-gate #include <sys/crypto/sched_impl.h>
340Sstevel@tonic-gate
35904Smcpowers #define CRYPTO_OPS_OFFSET(f) offsetof(crypto_ops_t, co_##f)
36904Smcpowers #define CRYPTO_CIPHER_OFFSET(f) offsetof(crypto_cipher_ops_t, f)
37904Smcpowers
380Sstevel@tonic-gate /*
390Sstevel@tonic-gate * Encryption and decryption routines.
400Sstevel@tonic-gate */
410Sstevel@tonic-gate
420Sstevel@tonic-gate /*
430Sstevel@tonic-gate * The following are the possible returned values common to all the routines
440Sstevel@tonic-gate * below. The applicability of some of these return values depends on the
450Sstevel@tonic-gate * presence of the arguments.
460Sstevel@tonic-gate *
470Sstevel@tonic-gate * CRYPTO_SUCCESS: The operation completed successfully.
480Sstevel@tonic-gate * CRYPTO_QUEUED: A request was submitted successfully. The callback
490Sstevel@tonic-gate * routine will be called when the operation is done.
500Sstevel@tonic-gate * CRYPTO_INVALID_MECH_NUMBER, CRYPTO_INVALID_MECH_PARAM, or
510Sstevel@tonic-gate * CRYPTO_INVALID_MECH for problems with the 'mech'.
520Sstevel@tonic-gate * CRYPTO_INVALID_DATA for bogus 'data'
530Sstevel@tonic-gate * CRYPTO_HOST_MEMORY for failure to allocate memory to handle this work.
540Sstevel@tonic-gate * CRYPTO_INVALID_CONTEXT: Not a valid context.
550Sstevel@tonic-gate * CRYPTO_BUSY: Cannot process the request now. Schedule a
560Sstevel@tonic-gate * crypto_bufcall(), or try later.
570Sstevel@tonic-gate * CRYPTO_NOT_SUPPORTED and CRYPTO_MECH_NOT_SUPPORTED: No provider is
580Sstevel@tonic-gate * capable of a function or a mechanism.
590Sstevel@tonic-gate * CRYPTO_INVALID_KEY: bogus 'key' argument.
600Sstevel@tonic-gate * CRYPTO_INVALID_PLAINTEXT: bogus 'plaintext' argument.
610Sstevel@tonic-gate * CRYPTO_INVALID_CIPHERTEXT: bogus 'ciphertext' argument.
620Sstevel@tonic-gate */
630Sstevel@tonic-gate
640Sstevel@tonic-gate /*
650Sstevel@tonic-gate * crypto_cipher_init_prov()
660Sstevel@tonic-gate *
670Sstevel@tonic-gate * Arguments:
680Sstevel@tonic-gate *
690Sstevel@tonic-gate * pd: provider descriptor
700Sstevel@tonic-gate * sid: session id
710Sstevel@tonic-gate * mech: crypto_mechanism_t pointer.
720Sstevel@tonic-gate * mech_type is a valid value previously returned by
730Sstevel@tonic-gate * crypto_mech2id();
740Sstevel@tonic-gate * When the mech's parameter is not NULL, its definition depends
750Sstevel@tonic-gate * on the standard definition of the mechanism.
760Sstevel@tonic-gate * key: pointer to a crypto_key_t structure.
770Sstevel@tonic-gate * tmpl: a crypto_ctx_template_t, opaque template of a context of an
780Sstevel@tonic-gate * encryption or decryption with the 'mech' using 'key'.
790Sstevel@tonic-gate * 'tmpl' is created by a previous call to
800Sstevel@tonic-gate * crypto_create_ctx_template().
810Sstevel@tonic-gate * ctxp: Pointer to a crypto_context_t.
820Sstevel@tonic-gate * func: CRYPTO_FG_ENCRYPT or CRYPTO_FG_DECRYPT.
830Sstevel@tonic-gate * cr: crypto_call_req_t calling conditions and call back info.
840Sstevel@tonic-gate *
850Sstevel@tonic-gate * Description:
860Sstevel@tonic-gate * This is a common function invoked internally by both
870Sstevel@tonic-gate * crypto_encrypt_init() and crypto_decrypt_init().
880Sstevel@tonic-gate * Asynchronously submits a request for, or synchronously performs the
890Sstevel@tonic-gate * initialization of an encryption or a decryption operation.
900Sstevel@tonic-gate * When possible and applicable, will internally use the pre-expanded key
910Sstevel@tonic-gate * schedule from the context template, tmpl.
920Sstevel@tonic-gate * When complete and successful, 'ctxp' will contain a crypto_context_t
930Sstevel@tonic-gate * valid for later calls to encrypt_update() and encrypt_final(), or
940Sstevel@tonic-gate * decrypt_update() and decrypt_final().
950Sstevel@tonic-gate * The caller should hold a reference on the specified provider
960Sstevel@tonic-gate * descriptor before calling this function.
970Sstevel@tonic-gate *
980Sstevel@tonic-gate * Context:
990Sstevel@tonic-gate * Process or interrupt, according to the semantics dictated by the 'cr'.
1000Sstevel@tonic-gate *
1010Sstevel@tonic-gate * Returns:
1020Sstevel@tonic-gate * See comment in the beginning of the file.
1030Sstevel@tonic-gate */
1040Sstevel@tonic-gate static int
crypto_cipher_init_prov(crypto_provider_t provider,crypto_session_id_t sid,crypto_mechanism_t * mech,crypto_key_t * key,crypto_spi_ctx_template_t tmpl,crypto_context_t * ctxp,crypto_call_req_t * crq,crypto_func_group_t func)105904Smcpowers crypto_cipher_init_prov(crypto_provider_t provider, crypto_session_id_t sid,
1060Sstevel@tonic-gate crypto_mechanism_t *mech, crypto_key_t *key,
1070Sstevel@tonic-gate crypto_spi_ctx_template_t tmpl, crypto_context_t *ctxp,
1080Sstevel@tonic-gate crypto_call_req_t *crq, crypto_func_group_t func)
1090Sstevel@tonic-gate {
1100Sstevel@tonic-gate int error;
1110Sstevel@tonic-gate crypto_ctx_t *ctx;
1120Sstevel@tonic-gate kcf_req_params_t params;
113904Smcpowers kcf_provider_desc_t *pd = provider;
114904Smcpowers kcf_provider_desc_t *real_provider = pd;
1150Sstevel@tonic-gate
1160Sstevel@tonic-gate ASSERT(KCF_PROV_REFHELD(pd));
1170Sstevel@tonic-gate
118904Smcpowers if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) {
119904Smcpowers if (func == CRYPTO_FG_ENCRYPT) {
12010444SVladimir.Kotal@Sun.COM error = kcf_get_hardware_provider(mech->cm_type, key,
121*12304SValerie.Fenwick@Oracle.COM CRYPTO_MECH_INVALID, NULL, pd, &real_provider,
122*12304SValerie.Fenwick@Oracle.COM CRYPTO_FG_ENCRYPT);
123904Smcpowers } else {
12410444SVladimir.Kotal@Sun.COM error = kcf_get_hardware_provider(mech->cm_type, key,
125*12304SValerie.Fenwick@Oracle.COM CRYPTO_MECH_INVALID, NULL, pd, &real_provider,
126*12304SValerie.Fenwick@Oracle.COM CRYPTO_FG_DECRYPT);
127904Smcpowers }
128904Smcpowers
129904Smcpowers if (error != CRYPTO_SUCCESS)
130904Smcpowers return (error);
131904Smcpowers }
132904Smcpowers
133904Smcpowers /* Allocate and initialize the canonical context */
134904Smcpowers if ((ctx = kcf_new_ctx(crq, real_provider, sid)) == NULL) {
135904Smcpowers if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER)
136904Smcpowers KCF_PROV_REFRELE(real_provider);
1370Sstevel@tonic-gate return (CRYPTO_HOST_MEMORY);
138904Smcpowers }
1390Sstevel@tonic-gate
1400Sstevel@tonic-gate /* The fast path for SW providers. */
1410Sstevel@tonic-gate if (CHECK_FASTPATH(crq, pd)) {
1420Sstevel@tonic-gate crypto_mechanism_t lmech;
1430Sstevel@tonic-gate
1440Sstevel@tonic-gate lmech = *mech;
145904Smcpowers KCF_SET_PROVIDER_MECHNUM(mech->cm_type, real_provider, &lmech);
1460Sstevel@tonic-gate
1470Sstevel@tonic-gate if (func == CRYPTO_FG_ENCRYPT)
148904Smcpowers error = KCF_PROV_ENCRYPT_INIT(real_provider, ctx,
149904Smcpowers &lmech, key, tmpl, KCF_SWFP_RHNDL(crq));
1500Sstevel@tonic-gate else {
1510Sstevel@tonic-gate ASSERT(func == CRYPTO_FG_DECRYPT);
1520Sstevel@tonic-gate
153904Smcpowers error = KCF_PROV_DECRYPT_INIT(real_provider, ctx,
154904Smcpowers &lmech, key, tmpl, KCF_SWFP_RHNDL(crq));
1550Sstevel@tonic-gate }
1560Sstevel@tonic-gate KCF_PROV_INCRSTATS(pd, error);
1573708Skrishna
1583708Skrishna goto done;
1593708Skrishna }
1603708Skrishna
1613708Skrishna /* Check if context sharing is possible */
1623708Skrishna if (pd->pd_prov_type == CRYPTO_HW_PROVIDER &&
1633708Skrishna key->ck_format == CRYPTO_KEY_RAW &&
1643708Skrishna KCF_CAN_SHARE_OPSTATE(pd, mech->cm_type)) {
1653708Skrishna kcf_context_t *tctxp = (kcf_context_t *)ctx;
1663708Skrishna kcf_provider_desc_t *tpd = NULL;
1673708Skrishna crypto_mech_info_t *sinfo;
1683708Skrishna
1693708Skrishna if ((kcf_get_sw_prov(mech->cm_type, &tpd, &tctxp->kc_mech,
1703708Skrishna B_FALSE) == CRYPTO_SUCCESS)) {
1713708Skrishna int tlen;
1723708Skrishna
1733708Skrishna sinfo = &(KCF_TO_PROV_MECHINFO(tpd, mech->cm_type));
1743708Skrishna /*
1753708Skrishna * key->ck_length from the consumer is always in bits.
1763708Skrishna * We convert it to be in the same unit registered by
1773708Skrishna * the provider in order to do a comparison.
1783708Skrishna */
1793708Skrishna if (sinfo->cm_mech_flags & CRYPTO_KEYSIZE_UNIT_IN_BYTES)
18011413Sopensolaris@drydog.com tlen = CRYPTO_BITS2BYTES(key->ck_length);
1813708Skrishna else
1823708Skrishna tlen = key->ck_length;
1833708Skrishna /*
1843708Skrishna * Check if the software provider can support context
1853708Skrishna * sharing and support this key length.
1863708Skrishna */
1873708Skrishna if ((sinfo->cm_mech_flags & CRYPTO_CAN_SHARE_OPSTATE) &&
1883708Skrishna (tlen >= sinfo->cm_min_key_length) &&
1893708Skrishna (tlen <= sinfo->cm_max_key_length)) {
1903708Skrishna ctx->cc_flags = CRYPTO_INIT_OPSTATE;
1913708Skrishna tctxp->kc_sw_prov_desc = tpd;
1923708Skrishna } else
1933708Skrishna KCF_PROV_REFRELE(tpd);
1943708Skrishna }
1953708Skrishna }
1963708Skrishna
1973708Skrishna if (func == CRYPTO_FG_ENCRYPT) {
1983708Skrishna KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_INIT, sid,
1993708Skrishna mech, key, NULL, NULL, tmpl);
2000Sstevel@tonic-gate } else {
2013708Skrishna ASSERT(func == CRYPTO_FG_DECRYPT);
2023708Skrishna KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_INIT, sid,
2033708Skrishna mech, key, NULL, NULL, tmpl);
2043708Skrishna }
2050Sstevel@tonic-gate
2063708Skrishna error = kcf_submit_request(real_provider, ctx, crq, ¶ms,
2073708Skrishna B_FALSE);
2080Sstevel@tonic-gate
209904Smcpowers if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER)
210904Smcpowers KCF_PROV_REFRELE(real_provider);
211904Smcpowers
2123708Skrishna done:
2130Sstevel@tonic-gate if ((error == CRYPTO_SUCCESS) || (error == CRYPTO_QUEUED))
2140Sstevel@tonic-gate *ctxp = (crypto_context_t)ctx;
2150Sstevel@tonic-gate else {
2160Sstevel@tonic-gate /* Release the hold done in kcf_new_ctx(). */
2170Sstevel@tonic-gate KCF_CONTEXT_REFRELE((kcf_context_t *)ctx->cc_framework_private);
2180Sstevel@tonic-gate }
2190Sstevel@tonic-gate
2200Sstevel@tonic-gate return (error);
2210Sstevel@tonic-gate }
2220Sstevel@tonic-gate
2230Sstevel@tonic-gate /*
2240Sstevel@tonic-gate * Same as crypto_cipher_init_prov(), but relies on the scheduler to pick
2250Sstevel@tonic-gate * an appropriate provider. See crypto_cipher_init_prov() comments for more
2260Sstevel@tonic-gate * details.
2270Sstevel@tonic-gate */
2280Sstevel@tonic-gate static int
crypto_cipher_init(crypto_mechanism_t * mech,crypto_key_t * key,crypto_ctx_template_t tmpl,crypto_context_t * ctxp,crypto_call_req_t * crq,crypto_func_group_t func)2290Sstevel@tonic-gate crypto_cipher_init(crypto_mechanism_t *mech, crypto_key_t *key,
2300Sstevel@tonic-gate crypto_ctx_template_t tmpl, crypto_context_t *ctxp,
2310Sstevel@tonic-gate crypto_call_req_t *crq, crypto_func_group_t func)
2320Sstevel@tonic-gate {
2330Sstevel@tonic-gate int error;
2340Sstevel@tonic-gate kcf_mech_entry_t *me;
2350Sstevel@tonic-gate kcf_provider_desc_t *pd;
2360Sstevel@tonic-gate kcf_ctx_template_t *ctx_tmpl;
2370Sstevel@tonic-gate crypto_spi_ctx_template_t spi_ctx_tmpl = NULL;
2380Sstevel@tonic-gate kcf_prov_tried_t *list = NULL;
2390Sstevel@tonic-gate
2400Sstevel@tonic-gate retry:
2410Sstevel@tonic-gate /* pd is returned held */
24210444SVladimir.Kotal@Sun.COM if ((pd = kcf_get_mech_provider(mech->cm_type, key, &me, &error,
243*12304SValerie.Fenwick@Oracle.COM list, func, 0)) == NULL) {
2440Sstevel@tonic-gate if (list != NULL)
2450Sstevel@tonic-gate kcf_free_triedlist(list);
2460Sstevel@tonic-gate return (error);
2470Sstevel@tonic-gate }
2480Sstevel@tonic-gate
2490Sstevel@tonic-gate /*
2500Sstevel@tonic-gate * For SW providers, check the validity of the context template
2510Sstevel@tonic-gate * It is very rare that the generation number mis-matches, so
2520Sstevel@tonic-gate * is acceptable to fail here, and let the consumer recover by
2530Sstevel@tonic-gate * freeing this tmpl and create a new one for the key and new SW
2540Sstevel@tonic-gate * provider
2550Sstevel@tonic-gate */
2560Sstevel@tonic-gate if ((pd->pd_prov_type == CRYPTO_SW_PROVIDER) &&
2570Sstevel@tonic-gate ((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) {
2580Sstevel@tonic-gate if (ctx_tmpl->ct_generation != me->me_gen_swprov) {
2590Sstevel@tonic-gate if (list != NULL)
2600Sstevel@tonic-gate kcf_free_triedlist(list);
2610Sstevel@tonic-gate KCF_PROV_REFRELE(pd);
2620Sstevel@tonic-gate return (CRYPTO_OLD_CTX_TEMPLATE);
2630Sstevel@tonic-gate } else {
2640Sstevel@tonic-gate spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl;
2650Sstevel@tonic-gate }
2660Sstevel@tonic-gate }
2670Sstevel@tonic-gate
2680Sstevel@tonic-gate error = crypto_cipher_init_prov(pd, pd->pd_sid, mech, key,
2690Sstevel@tonic-gate spi_ctx_tmpl, ctxp, crq, func);
2700Sstevel@tonic-gate if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED &&
2710Sstevel@tonic-gate IS_RECOVERABLE(error)) {
2720Sstevel@tonic-gate /* Add pd to the linked list of providers tried. */
2730Sstevel@tonic-gate if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL)
2740Sstevel@tonic-gate goto retry;
2750Sstevel@tonic-gate }
2760Sstevel@tonic-gate
2770Sstevel@tonic-gate if (list != NULL)
2780Sstevel@tonic-gate kcf_free_triedlist(list);
2790Sstevel@tonic-gate
2800Sstevel@tonic-gate KCF_PROV_REFRELE(pd);
2810Sstevel@tonic-gate return (error);
2820Sstevel@tonic-gate }
2830Sstevel@tonic-gate
2840Sstevel@tonic-gate /*
2850Sstevel@tonic-gate * crypto_encrypt_prov()
2860Sstevel@tonic-gate *
2870Sstevel@tonic-gate * Arguments:
2880Sstevel@tonic-gate * pd: provider descriptor
2890Sstevel@tonic-gate * sid: session id
2900Sstevel@tonic-gate * mech: crypto_mechanism_t pointer.
2910Sstevel@tonic-gate * mech_type is a valid value previously returned by
2920Sstevel@tonic-gate * crypto_mech2id();
2930Sstevel@tonic-gate * When the mech's parameter is not NULL, its definition depends
2940Sstevel@tonic-gate * on the standard definition of the mechanism.
2950Sstevel@tonic-gate * key: pointer to a crypto_key_t structure.
2960Sstevel@tonic-gate * plaintext: The message to be encrypted
2970Sstevel@tonic-gate * ciphertext: Storage for the encrypted message. The length needed
2980Sstevel@tonic-gate * depends on the mechanism, and the plaintext's size.
2990Sstevel@tonic-gate * tmpl: a crypto_ctx_template_t, opaque template of a context of an
3000Sstevel@tonic-gate * encryption with the 'mech' using 'key'. 'tmpl' is created by
3010Sstevel@tonic-gate * a previous call to crypto_create_ctx_template().
3020Sstevel@tonic-gate * cr: crypto_call_req_t calling conditions and call back info.
3030Sstevel@tonic-gate *
3040Sstevel@tonic-gate * Description:
3050Sstevel@tonic-gate * Asynchronously submits a request for, or synchronously performs a
3060Sstevel@tonic-gate * single-part encryption of 'plaintext' with the mechanism 'mech', using
3070Sstevel@tonic-gate * the key 'key'.
3080Sstevel@tonic-gate * When complete and successful, 'ciphertext' will contain the encrypted
3090Sstevel@tonic-gate * message.
3100Sstevel@tonic-gate *
3110Sstevel@tonic-gate * Context:
3120Sstevel@tonic-gate * Process or interrupt, according to the semantics dictated by the 'cr'.
3130Sstevel@tonic-gate *
3140Sstevel@tonic-gate * Returns:
3150Sstevel@tonic-gate * See comment in the beginning of the file.
3160Sstevel@tonic-gate */
3170Sstevel@tonic-gate int
crypto_encrypt_prov(crypto_provider_t provider,crypto_session_id_t sid,crypto_mechanism_t * mech,crypto_data_t * plaintext,crypto_key_t * key,crypto_ctx_template_t tmpl,crypto_data_t * ciphertext,crypto_call_req_t * crq)318904Smcpowers crypto_encrypt_prov(crypto_provider_t provider, crypto_session_id_t sid,
319904Smcpowers crypto_mechanism_t *mech, crypto_data_t *plaintext, crypto_key_t *key,
320904Smcpowers crypto_ctx_template_t tmpl, crypto_data_t *ciphertext,
321904Smcpowers crypto_call_req_t *crq)
3220Sstevel@tonic-gate {
3230Sstevel@tonic-gate kcf_req_params_t params;
324904Smcpowers kcf_provider_desc_t *pd = provider;
325904Smcpowers kcf_provider_desc_t *real_provider = pd;
326904Smcpowers int error;
3270Sstevel@tonic-gate
3280Sstevel@tonic-gate ASSERT(KCF_PROV_REFHELD(pd));
329904Smcpowers
330904Smcpowers if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) {
33110444SVladimir.Kotal@Sun.COM error = kcf_get_hardware_provider(mech->cm_type, key,
332*12304SValerie.Fenwick@Oracle.COM CRYPTO_MECH_INVALID, NULL, pd, &real_provider,
333*12304SValerie.Fenwick@Oracle.COM CRYPTO_FG_ENCRYPT_ATOMIC);
334904Smcpowers
335904Smcpowers if (error != CRYPTO_SUCCESS)
336904Smcpowers return (error);
337904Smcpowers }
338904Smcpowers
3390Sstevel@tonic-gate KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, sid, mech, key,
3400Sstevel@tonic-gate plaintext, ciphertext, tmpl);
3410Sstevel@tonic-gate
342904Smcpowers error = kcf_submit_request(real_provider, NULL, crq, ¶ms, B_FALSE);
343904Smcpowers if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER)
344904Smcpowers KCF_PROV_REFRELE(real_provider);
345904Smcpowers
346904Smcpowers return (error);
3470Sstevel@tonic-gate }
3480Sstevel@tonic-gate
3490Sstevel@tonic-gate /*
3500Sstevel@tonic-gate * Same as crypto_encrypt_prov(), but relies on the scheduler to pick
3510Sstevel@tonic-gate * a provider. See crypto_encrypt_prov() for more details.
3520Sstevel@tonic-gate */
3530Sstevel@tonic-gate int
crypto_encrypt(crypto_mechanism_t * mech,crypto_data_t * plaintext,crypto_key_t * key,crypto_ctx_template_t tmpl,crypto_data_t * ciphertext,crypto_call_req_t * crq)3540Sstevel@tonic-gate crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext,
3550Sstevel@tonic-gate crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *ciphertext,
3560Sstevel@tonic-gate crypto_call_req_t *crq)
3570Sstevel@tonic-gate {
3580Sstevel@tonic-gate int error;
3590Sstevel@tonic-gate kcf_mech_entry_t *me;
3600Sstevel@tonic-gate kcf_req_params_t params;
3610Sstevel@tonic-gate kcf_provider_desc_t *pd;
3620Sstevel@tonic-gate kcf_ctx_template_t *ctx_tmpl;
3630Sstevel@tonic-gate crypto_spi_ctx_template_t spi_ctx_tmpl = NULL;
3640Sstevel@tonic-gate kcf_prov_tried_t *list = NULL;
3650Sstevel@tonic-gate
3660Sstevel@tonic-gate retry:
3670Sstevel@tonic-gate /* pd is returned held */
36810444SVladimir.Kotal@Sun.COM if ((pd = kcf_get_mech_provider(mech->cm_type, key, &me, &error,
369*12304SValerie.Fenwick@Oracle.COM list, CRYPTO_FG_ENCRYPT_ATOMIC, plaintext->cd_length)) == NULL) {
3700Sstevel@tonic-gate if (list != NULL)
3710Sstevel@tonic-gate kcf_free_triedlist(list);
3720Sstevel@tonic-gate return (error);
3730Sstevel@tonic-gate }
3740Sstevel@tonic-gate
3750Sstevel@tonic-gate /*
3760Sstevel@tonic-gate * For SW providers, check the validity of the context template
3770Sstevel@tonic-gate * It is very rare that the generation number mis-matches, so
3780Sstevel@tonic-gate * is acceptable to fail here, and let the consumer recover by
3790Sstevel@tonic-gate * freeing this tmpl and create a new one for the key and new SW
3800Sstevel@tonic-gate * provider
3810Sstevel@tonic-gate */
3820Sstevel@tonic-gate if ((pd->pd_prov_type == CRYPTO_SW_PROVIDER) &&
3830Sstevel@tonic-gate ((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) {
3840Sstevel@tonic-gate if (ctx_tmpl->ct_generation != me->me_gen_swprov) {
3850Sstevel@tonic-gate if (list != NULL)
3860Sstevel@tonic-gate kcf_free_triedlist(list);
3870Sstevel@tonic-gate KCF_PROV_REFRELE(pd);
3880Sstevel@tonic-gate return (CRYPTO_OLD_CTX_TEMPLATE);
3890Sstevel@tonic-gate } else {
3900Sstevel@tonic-gate spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl;
3910Sstevel@tonic-gate }
3920Sstevel@tonic-gate }
3930Sstevel@tonic-gate
3940Sstevel@tonic-gate /* The fast path for SW providers. */
3950Sstevel@tonic-gate if (CHECK_FASTPATH(crq, pd)) {
3960Sstevel@tonic-gate crypto_mechanism_t lmech;
3970Sstevel@tonic-gate
3980Sstevel@tonic-gate lmech = *mech;
3990Sstevel@tonic-gate KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech);
4000Sstevel@tonic-gate
4010Sstevel@tonic-gate error = KCF_PROV_ENCRYPT_ATOMIC(pd, pd->pd_sid, &lmech, key,
4020Sstevel@tonic-gate plaintext, ciphertext, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq));
4030Sstevel@tonic-gate KCF_PROV_INCRSTATS(pd, error);
4040Sstevel@tonic-gate } else {
4050Sstevel@tonic-gate KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, pd->pd_sid,
4060Sstevel@tonic-gate mech, key, plaintext, ciphertext, spi_ctx_tmpl);
4070Sstevel@tonic-gate error = kcf_submit_request(pd, NULL, crq, ¶ms, B_FALSE);
4080Sstevel@tonic-gate }
4090Sstevel@tonic-gate
4100Sstevel@tonic-gate if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED &&
4110Sstevel@tonic-gate IS_RECOVERABLE(error)) {
4120Sstevel@tonic-gate /* Add pd to the linked list of providers tried. */
4130Sstevel@tonic-gate if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL)
4140Sstevel@tonic-gate goto retry;
4150Sstevel@tonic-gate }
4160Sstevel@tonic-gate
4170Sstevel@tonic-gate if (list != NULL)
4180Sstevel@tonic-gate kcf_free_triedlist(list);
4190Sstevel@tonic-gate
4200Sstevel@tonic-gate KCF_PROV_REFRELE(pd);
4210Sstevel@tonic-gate return (error);
4220Sstevel@tonic-gate }
4230Sstevel@tonic-gate
4240Sstevel@tonic-gate /*
4250Sstevel@tonic-gate * crypto_encrypt_init_prov()
4260Sstevel@tonic-gate *
4270Sstevel@tonic-gate * Calls crypto_cipher_init_prov() to initialize an encryption operation.
4280Sstevel@tonic-gate */
4290Sstevel@tonic-gate int
crypto_encrypt_init_prov(crypto_provider_t pd,crypto_session_id_t sid,crypto_mechanism_t * mech,crypto_key_t * key,crypto_ctx_template_t tmpl,crypto_context_t * ctxp,crypto_call_req_t * crq)430904Smcpowers crypto_encrypt_init_prov(crypto_provider_t pd, crypto_session_id_t sid,
4310Sstevel@tonic-gate crypto_mechanism_t *mech, crypto_key_t *key,
4320Sstevel@tonic-gate crypto_ctx_template_t tmpl, crypto_context_t *ctxp,
4330Sstevel@tonic-gate crypto_call_req_t *crq)
4340Sstevel@tonic-gate {
4350Sstevel@tonic-gate return (crypto_cipher_init_prov(pd, sid, mech, key, tmpl, ctxp, crq,
4360Sstevel@tonic-gate CRYPTO_FG_ENCRYPT));
4370Sstevel@tonic-gate }
4380Sstevel@tonic-gate
4390Sstevel@tonic-gate /*
4400Sstevel@tonic-gate * crypto_encrypt_init()
4410Sstevel@tonic-gate *
4420Sstevel@tonic-gate * Calls crypto_cipher_init() to initialize an encryption operation
4430Sstevel@tonic-gate */
4440Sstevel@tonic-gate int
crypto_encrypt_init(crypto_mechanism_t * mech,crypto_key_t * key,crypto_ctx_template_t tmpl,crypto_context_t * ctxp,crypto_call_req_t * crq)4450Sstevel@tonic-gate crypto_encrypt_init(crypto_mechanism_t *mech, crypto_key_t *key,
4460Sstevel@tonic-gate crypto_ctx_template_t tmpl, crypto_context_t *ctxp,
4470Sstevel@tonic-gate crypto_call_req_t *crq)
4480Sstevel@tonic-gate {
4490Sstevel@tonic-gate return (crypto_cipher_init(mech, key, tmpl, ctxp, crq,
4500Sstevel@tonic-gate CRYPTO_FG_ENCRYPT));
4510Sstevel@tonic-gate }
4520Sstevel@tonic-gate
4530Sstevel@tonic-gate /*
4540Sstevel@tonic-gate * crypto_encrypt_update()
4550Sstevel@tonic-gate *
4560Sstevel@tonic-gate * Arguments:
4570Sstevel@tonic-gate * context: A crypto_context_t initialized by encrypt_init().
4580Sstevel@tonic-gate * plaintext: The message part to be encrypted
4590Sstevel@tonic-gate * ciphertext: Storage for the encrypted message part.
4600Sstevel@tonic-gate * cr: crypto_call_req_t calling conditions and call back info.
4610Sstevel@tonic-gate *
4620Sstevel@tonic-gate * Description:
4630Sstevel@tonic-gate * Asynchronously submits a request for, or synchronously performs a
4640Sstevel@tonic-gate * part of an encryption operation.
4650Sstevel@tonic-gate *
4660Sstevel@tonic-gate * Context:
4670Sstevel@tonic-gate * Process or interrupt, according to the semantics dictated by the 'cr'.
4680Sstevel@tonic-gate *
4690Sstevel@tonic-gate * Returns:
4700Sstevel@tonic-gate * See comment in the beginning of the file.
4710Sstevel@tonic-gate */
4720Sstevel@tonic-gate int
crypto_encrypt_update(crypto_context_t context,crypto_data_t * plaintext,crypto_data_t * ciphertext,crypto_call_req_t * cr)4730Sstevel@tonic-gate crypto_encrypt_update(crypto_context_t context, crypto_data_t *plaintext,
4740Sstevel@tonic-gate crypto_data_t *ciphertext, crypto_call_req_t *cr)
4750Sstevel@tonic-gate {
4760Sstevel@tonic-gate crypto_ctx_t *ctx = (crypto_ctx_t *)context;
4770Sstevel@tonic-gate kcf_context_t *kcf_ctx;
4780Sstevel@tonic-gate kcf_provider_desc_t *pd;
4790Sstevel@tonic-gate int error;
4800Sstevel@tonic-gate kcf_req_params_t params;
4810Sstevel@tonic-gate
4820Sstevel@tonic-gate if ((ctx == NULL) ||
4830Sstevel@tonic-gate ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) ||
4840Sstevel@tonic-gate ((pd = kcf_ctx->kc_prov_desc) == NULL)) {
4850Sstevel@tonic-gate return (CRYPTO_INVALID_CONTEXT);
4860Sstevel@tonic-gate }
4870Sstevel@tonic-gate
488904Smcpowers ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER);
4890Sstevel@tonic-gate
4900Sstevel@tonic-gate /* The fast path for SW providers. */
4910Sstevel@tonic-gate if (CHECK_FASTPATH(cr, pd)) {
4920Sstevel@tonic-gate error = KCF_PROV_ENCRYPT_UPDATE(pd, ctx, plaintext,
4930Sstevel@tonic-gate ciphertext, NULL);
4940Sstevel@tonic-gate KCF_PROV_INCRSTATS(pd, error);
4953708Skrishna return (error);
4960Sstevel@tonic-gate }
4970Sstevel@tonic-gate
4983708Skrishna /* Check if we should use a software provider for small jobs */
4993708Skrishna if ((ctx->cc_flags & CRYPTO_USE_OPSTATE) && cr == NULL) {
5003708Skrishna if (plaintext->cd_length < kcf_ctx->kc_mech->me_threshold &&
5013708Skrishna kcf_ctx->kc_sw_prov_desc != NULL &&
5023708Skrishna KCF_IS_PROV_USABLE(kcf_ctx->kc_sw_prov_desc)) {
5033708Skrishna pd = kcf_ctx->kc_sw_prov_desc;
5043708Skrishna }
5053708Skrishna }
5063708Skrishna
5073708Skrishna KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_UPDATE,
5083708Skrishna ctx->cc_session, NULL, NULL, plaintext, ciphertext, NULL);
5093708Skrishna error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE);
5103708Skrishna
5110Sstevel@tonic-gate return (error);
5120Sstevel@tonic-gate }
5130Sstevel@tonic-gate
5140Sstevel@tonic-gate /*
5150Sstevel@tonic-gate * crypto_encrypt_final()
5160Sstevel@tonic-gate *
5170Sstevel@tonic-gate * Arguments:
5180Sstevel@tonic-gate * context: A crypto_context_t initialized by encrypt_init().
5190Sstevel@tonic-gate * ciphertext: Storage for the last part of encrypted message
5200Sstevel@tonic-gate * cr: crypto_call_req_t calling conditions and call back info.
5210Sstevel@tonic-gate *
5220Sstevel@tonic-gate * Description:
5230Sstevel@tonic-gate * Asynchronously submits a request for, or synchronously performs the
5240Sstevel@tonic-gate * final part of an encryption operation.
5250Sstevel@tonic-gate *
5260Sstevel@tonic-gate * Context:
5270Sstevel@tonic-gate * Process or interrupt, according to the semantics dictated by the 'cr'.
5280Sstevel@tonic-gate *
5290Sstevel@tonic-gate * Returns:
5300Sstevel@tonic-gate * See comment in the beginning of the file.
5310Sstevel@tonic-gate */
5320Sstevel@tonic-gate int
crypto_encrypt_final(crypto_context_t context,crypto_data_t * ciphertext,crypto_call_req_t * cr)5330Sstevel@tonic-gate crypto_encrypt_final(crypto_context_t context, crypto_data_t *ciphertext,
5340Sstevel@tonic-gate crypto_call_req_t *cr)
5350Sstevel@tonic-gate {
5360Sstevel@tonic-gate crypto_ctx_t *ctx = (crypto_ctx_t *)context;
5370Sstevel@tonic-gate kcf_context_t *kcf_ctx;
5380Sstevel@tonic-gate kcf_provider_desc_t *pd;
5390Sstevel@tonic-gate int error;
5400Sstevel@tonic-gate kcf_req_params_t params;
5410Sstevel@tonic-gate
5420Sstevel@tonic-gate if ((ctx == NULL) ||
5430Sstevel@tonic-gate ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) ||
5440Sstevel@tonic-gate ((pd = kcf_ctx->kc_prov_desc) == NULL)) {
5450Sstevel@tonic-gate return (CRYPTO_INVALID_CONTEXT);
5460Sstevel@tonic-gate }
5470Sstevel@tonic-gate
548904Smcpowers ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER);
5490Sstevel@tonic-gate
5500Sstevel@tonic-gate /* The fast path for SW providers. */
5510Sstevel@tonic-gate if (CHECK_FASTPATH(cr, pd)) {
5520Sstevel@tonic-gate error = KCF_PROV_ENCRYPT_FINAL(pd, ctx, ciphertext, NULL);
5530Sstevel@tonic-gate KCF_PROV_INCRSTATS(pd, error);
5540Sstevel@tonic-gate } else {
555904Smcpowers KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_FINAL,
556904Smcpowers ctx->cc_session, NULL, NULL, NULL, ciphertext, NULL);
5570Sstevel@tonic-gate error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE);
5580Sstevel@tonic-gate }
5590Sstevel@tonic-gate
5600Sstevel@tonic-gate /* Release the hold done in kcf_new_ctx() during init step. */
5610Sstevel@tonic-gate KCF_CONTEXT_COND_RELEASE(error, kcf_ctx);
5620Sstevel@tonic-gate return (error);
5630Sstevel@tonic-gate }
5640Sstevel@tonic-gate
5650Sstevel@tonic-gate /*
5660Sstevel@tonic-gate * crypto_decrypt_prov()
5670Sstevel@tonic-gate *
5680Sstevel@tonic-gate * Arguments:
5690Sstevel@tonic-gate * pd: provider descriptor
5700Sstevel@tonic-gate * sid: session id
5710Sstevel@tonic-gate * mech: crypto_mechanism_t pointer.
5720Sstevel@tonic-gate * mech_type is a valid value previously returned by
5730Sstevel@tonic-gate * crypto_mech2id();
5740Sstevel@tonic-gate * When the mech's parameter is not NULL, its definition depends
5750Sstevel@tonic-gate * on the standard definition of the mechanism.
5760Sstevel@tonic-gate * key: pointer to a crypto_key_t structure.
5770Sstevel@tonic-gate * ciphertext: The message to be encrypted
5780Sstevel@tonic-gate * plaintext: Storage for the encrypted message. The length needed
5790Sstevel@tonic-gate * depends on the mechanism, and the plaintext's size.
5800Sstevel@tonic-gate * tmpl: a crypto_ctx_template_t, opaque template of a context of an
5810Sstevel@tonic-gate * encryption with the 'mech' using 'key'. 'tmpl' is created by
5820Sstevel@tonic-gate * a previous call to crypto_create_ctx_template().
5830Sstevel@tonic-gate * cr: crypto_call_req_t calling conditions and call back info.
5840Sstevel@tonic-gate *
5850Sstevel@tonic-gate * Description:
5860Sstevel@tonic-gate * Asynchronously submits a request for, or synchronously performs a
5870Sstevel@tonic-gate * single-part decryption of 'ciphertext' with the mechanism 'mech', using
5880Sstevel@tonic-gate * the key 'key'.
5890Sstevel@tonic-gate * When complete and successful, 'plaintext' will contain the decrypted
5900Sstevel@tonic-gate * message.
5910Sstevel@tonic-gate *
5920Sstevel@tonic-gate * Context:
5930Sstevel@tonic-gate * Process or interrupt, according to the semantics dictated by the 'cr'.
5940Sstevel@tonic-gate *
5950Sstevel@tonic-gate * Returns:
5960Sstevel@tonic-gate * See comment in the beginning of the file.
5970Sstevel@tonic-gate */
5980Sstevel@tonic-gate int
crypto_decrypt_prov(crypto_provider_t provider,crypto_session_id_t sid,crypto_mechanism_t * mech,crypto_data_t * ciphertext,crypto_key_t * key,crypto_ctx_template_t tmpl,crypto_data_t * plaintext,crypto_call_req_t * crq)599904Smcpowers crypto_decrypt_prov(crypto_provider_t provider, crypto_session_id_t sid,
600904Smcpowers crypto_mechanism_t *mech, crypto_data_t *ciphertext, crypto_key_t *key,
601904Smcpowers crypto_ctx_template_t tmpl, crypto_data_t *plaintext,
602904Smcpowers crypto_call_req_t *crq)
6030Sstevel@tonic-gate {
6040Sstevel@tonic-gate kcf_req_params_t params;
605904Smcpowers kcf_provider_desc_t *pd = provider;
606904Smcpowers kcf_provider_desc_t *real_provider = pd;
607904Smcpowers int rv;
6080Sstevel@tonic-gate
6090Sstevel@tonic-gate ASSERT(KCF_PROV_REFHELD(pd));
610904Smcpowers
611904Smcpowers if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) {
61210444SVladimir.Kotal@Sun.COM rv = kcf_get_hardware_provider(mech->cm_type, key,
613*12304SValerie.Fenwick@Oracle.COM CRYPTO_MECH_INVALID, NULL, pd, &real_provider,
614*12304SValerie.Fenwick@Oracle.COM CRYPTO_FG_DECRYPT_ATOMIC);
615904Smcpowers
616904Smcpowers if (rv != CRYPTO_SUCCESS)
617904Smcpowers return (rv);
618904Smcpowers }
619904Smcpowers
6200Sstevel@tonic-gate KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, sid, mech, key,
6210Sstevel@tonic-gate ciphertext, plaintext, tmpl);
6220Sstevel@tonic-gate
623904Smcpowers rv = kcf_submit_request(real_provider, NULL, crq, ¶ms, B_FALSE);
624904Smcpowers if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER)
625904Smcpowers KCF_PROV_REFRELE(real_provider);
626904Smcpowers
627904Smcpowers return (rv);
6280Sstevel@tonic-gate }
6290Sstevel@tonic-gate
6300Sstevel@tonic-gate /*
6310Sstevel@tonic-gate * Same as crypto_decrypt_prov(), but relies on the KCF scheduler to
6320Sstevel@tonic-gate * choose a provider. See crypto_decrypt_prov() comments for more
6330Sstevel@tonic-gate * information.
6340Sstevel@tonic-gate */
6350Sstevel@tonic-gate int
crypto_decrypt(crypto_mechanism_t * mech,crypto_data_t * ciphertext,crypto_key_t * key,crypto_ctx_template_t tmpl,crypto_data_t * plaintext,crypto_call_req_t * crq)6360Sstevel@tonic-gate crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext,
6370Sstevel@tonic-gate crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *plaintext,
6380Sstevel@tonic-gate crypto_call_req_t *crq)
6390Sstevel@tonic-gate {
6400Sstevel@tonic-gate int error;
6410Sstevel@tonic-gate kcf_mech_entry_t *me;
6420Sstevel@tonic-gate kcf_req_params_t params;
6430Sstevel@tonic-gate kcf_provider_desc_t *pd;
6440Sstevel@tonic-gate kcf_ctx_template_t *ctx_tmpl;
6450Sstevel@tonic-gate crypto_spi_ctx_template_t spi_ctx_tmpl = NULL;
6460Sstevel@tonic-gate kcf_prov_tried_t *list = NULL;
6470Sstevel@tonic-gate
6480Sstevel@tonic-gate retry:
6490Sstevel@tonic-gate /* pd is returned held */
65010444SVladimir.Kotal@Sun.COM if ((pd = kcf_get_mech_provider(mech->cm_type, key, &me, &error,
651*12304SValerie.Fenwick@Oracle.COM list, CRYPTO_FG_DECRYPT_ATOMIC, ciphertext->cd_length)) == NULL) {
6520Sstevel@tonic-gate if (list != NULL)
6530Sstevel@tonic-gate kcf_free_triedlist(list);
6540Sstevel@tonic-gate return (error);
6550Sstevel@tonic-gate }
6560Sstevel@tonic-gate
6570Sstevel@tonic-gate /*
6580Sstevel@tonic-gate * For SW providers, check the validity of the context template
6590Sstevel@tonic-gate * It is very rare that the generation number mis-matches, so
6600Sstevel@tonic-gate * is acceptable to fail here, and let the consumer recover by
6610Sstevel@tonic-gate * freeing this tmpl and create a new one for the key and new SW
6620Sstevel@tonic-gate * provider
6630Sstevel@tonic-gate */
6640Sstevel@tonic-gate if ((pd->pd_prov_type == CRYPTO_SW_PROVIDER) &&
6650Sstevel@tonic-gate ((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) {
6660Sstevel@tonic-gate if (ctx_tmpl->ct_generation != me->me_gen_swprov) {
6670Sstevel@tonic-gate if (list != NULL)
6680Sstevel@tonic-gate kcf_free_triedlist(list);
6690Sstevel@tonic-gate KCF_PROV_REFRELE(pd);
6700Sstevel@tonic-gate return (CRYPTO_OLD_CTX_TEMPLATE);
6710Sstevel@tonic-gate } else {
6720Sstevel@tonic-gate spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl;
6730Sstevel@tonic-gate }
6740Sstevel@tonic-gate }
6750Sstevel@tonic-gate
6760Sstevel@tonic-gate /* The fast path for SW providers. */
6770Sstevel@tonic-gate if (CHECK_FASTPATH(crq, pd)) {
6780Sstevel@tonic-gate crypto_mechanism_t lmech;
6790Sstevel@tonic-gate
6800Sstevel@tonic-gate lmech = *mech;
6810Sstevel@tonic-gate KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech);
6820Sstevel@tonic-gate
6830Sstevel@tonic-gate error = KCF_PROV_DECRYPT_ATOMIC(pd, pd->pd_sid, &lmech, key,
6840Sstevel@tonic-gate ciphertext, plaintext, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq));
6850Sstevel@tonic-gate KCF_PROV_INCRSTATS(pd, error);
6860Sstevel@tonic-gate } else {
6870Sstevel@tonic-gate KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, pd->pd_sid,
6880Sstevel@tonic-gate mech, key, ciphertext, plaintext, spi_ctx_tmpl);
6890Sstevel@tonic-gate error = kcf_submit_request(pd, NULL, crq, ¶ms, B_FALSE);
6900Sstevel@tonic-gate }
6910Sstevel@tonic-gate
6920Sstevel@tonic-gate if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED &&
6930Sstevel@tonic-gate IS_RECOVERABLE(error)) {
6940Sstevel@tonic-gate /* Add pd to the linked list of providers tried. */
6950Sstevel@tonic-gate if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL)
6960Sstevel@tonic-gate goto retry;
6970Sstevel@tonic-gate }
6980Sstevel@tonic-gate
6990Sstevel@tonic-gate if (list != NULL)
7000Sstevel@tonic-gate kcf_free_triedlist(list);
7010Sstevel@tonic-gate
7020Sstevel@tonic-gate KCF_PROV_REFRELE(pd);
7030Sstevel@tonic-gate return (error);
7040Sstevel@tonic-gate }
7050Sstevel@tonic-gate
7060Sstevel@tonic-gate /*
7070Sstevel@tonic-gate * crypto_decrypt_init_prov()
7080Sstevel@tonic-gate *
7090Sstevel@tonic-gate * Calls crypto_cipher_init_prov() to initialize a decryption operation
7100Sstevel@tonic-gate */
7110Sstevel@tonic-gate int
crypto_decrypt_init_prov(crypto_provider_t pd,crypto_session_id_t sid,crypto_mechanism_t * mech,crypto_key_t * key,crypto_ctx_template_t tmpl,crypto_context_t * ctxp,crypto_call_req_t * crq)712904Smcpowers crypto_decrypt_init_prov(crypto_provider_t pd, crypto_session_id_t sid,
7130Sstevel@tonic-gate crypto_mechanism_t *mech, crypto_key_t *key,
7140Sstevel@tonic-gate crypto_ctx_template_t tmpl, crypto_context_t *ctxp,
7150Sstevel@tonic-gate crypto_call_req_t *crq)
7160Sstevel@tonic-gate {
7170Sstevel@tonic-gate return (crypto_cipher_init_prov(pd, sid, mech, key, tmpl, ctxp, crq,
7180Sstevel@tonic-gate CRYPTO_FG_DECRYPT));
7190Sstevel@tonic-gate }
7200Sstevel@tonic-gate
7210Sstevel@tonic-gate /*
7220Sstevel@tonic-gate * crypto_decrypt_init()
7230Sstevel@tonic-gate *
7240Sstevel@tonic-gate * Calls crypto_cipher_init() to initialize a decryption operation
7250Sstevel@tonic-gate */
7260Sstevel@tonic-gate int
crypto_decrypt_init(crypto_mechanism_t * mech,crypto_key_t * key,crypto_ctx_template_t tmpl,crypto_context_t * ctxp,crypto_call_req_t * crq)7270Sstevel@tonic-gate crypto_decrypt_init(crypto_mechanism_t *mech, crypto_key_t *key,
7280Sstevel@tonic-gate crypto_ctx_template_t tmpl, crypto_context_t *ctxp,
7290Sstevel@tonic-gate crypto_call_req_t *crq)
7300Sstevel@tonic-gate {
7310Sstevel@tonic-gate return (crypto_cipher_init(mech, key, tmpl, ctxp, crq,
7320Sstevel@tonic-gate CRYPTO_FG_DECRYPT));
7330Sstevel@tonic-gate }
7340Sstevel@tonic-gate
7350Sstevel@tonic-gate /*
7360Sstevel@tonic-gate * crypto_decrypt_update()
7370Sstevel@tonic-gate *
7380Sstevel@tonic-gate * Arguments:
7390Sstevel@tonic-gate * context: A crypto_context_t initialized by decrypt_init().
7400Sstevel@tonic-gate * ciphertext: The message part to be decrypted
7410Sstevel@tonic-gate * plaintext: Storage for the decrypted message part.
7420Sstevel@tonic-gate * cr: crypto_call_req_t calling conditions and call back info.
7430Sstevel@tonic-gate *
7440Sstevel@tonic-gate * Description:
7450Sstevel@tonic-gate * Asynchronously submits a request for, or synchronously performs a
7460Sstevel@tonic-gate * part of an decryption operation.
7470Sstevel@tonic-gate *
7480Sstevel@tonic-gate * Context:
7490Sstevel@tonic-gate * Process or interrupt, according to the semantics dictated by the 'cr'.
7500Sstevel@tonic-gate *
7510Sstevel@tonic-gate * Returns:
7520Sstevel@tonic-gate * See comment in the beginning of the file.
7530Sstevel@tonic-gate */
7540Sstevel@tonic-gate int
crypto_decrypt_update(crypto_context_t context,crypto_data_t * ciphertext,crypto_data_t * plaintext,crypto_call_req_t * cr)7550Sstevel@tonic-gate crypto_decrypt_update(crypto_context_t context, crypto_data_t *ciphertext,
7560Sstevel@tonic-gate crypto_data_t *plaintext, crypto_call_req_t *cr)
7570Sstevel@tonic-gate {
7580Sstevel@tonic-gate crypto_ctx_t *ctx = (crypto_ctx_t *)context;
7590Sstevel@tonic-gate kcf_context_t *kcf_ctx;
7600Sstevel@tonic-gate kcf_provider_desc_t *pd;
7610Sstevel@tonic-gate int error;
7620Sstevel@tonic-gate kcf_req_params_t params;
7630Sstevel@tonic-gate
7640Sstevel@tonic-gate if ((ctx == NULL) ||
7650Sstevel@tonic-gate ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) ||
7660Sstevel@tonic-gate ((pd = kcf_ctx->kc_prov_desc) == NULL)) {
7670Sstevel@tonic-gate return (CRYPTO_INVALID_CONTEXT);
7680Sstevel@tonic-gate }
7690Sstevel@tonic-gate
770904Smcpowers ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER);
7710Sstevel@tonic-gate
7720Sstevel@tonic-gate /* The fast path for SW providers. */
7730Sstevel@tonic-gate if (CHECK_FASTPATH(cr, pd)) {
7740Sstevel@tonic-gate error = KCF_PROV_DECRYPT_UPDATE(pd, ctx, ciphertext,
7750Sstevel@tonic-gate plaintext, NULL);
7760Sstevel@tonic-gate KCF_PROV_INCRSTATS(pd, error);
7773708Skrishna return (error);
7780Sstevel@tonic-gate }
7790Sstevel@tonic-gate
7803708Skrishna /* Check if we should use a software provider for small jobs */
7813708Skrishna if ((ctx->cc_flags & CRYPTO_USE_OPSTATE) && cr == NULL) {
7823708Skrishna if (ciphertext->cd_length < kcf_ctx->kc_mech->me_threshold &&
7833708Skrishna kcf_ctx->kc_sw_prov_desc != NULL &&
7843708Skrishna KCF_IS_PROV_USABLE(kcf_ctx->kc_sw_prov_desc)) {
7853708Skrishna pd = kcf_ctx->kc_sw_prov_desc;
7863708Skrishna }
7873708Skrishna }
7883708Skrishna
7893708Skrishna KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_UPDATE,
7903708Skrishna ctx->cc_session, NULL, NULL, ciphertext, plaintext, NULL);
7913708Skrishna error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE);
7923708Skrishna
7930Sstevel@tonic-gate return (error);
7940Sstevel@tonic-gate }
7950Sstevel@tonic-gate
7960Sstevel@tonic-gate /*
7970Sstevel@tonic-gate * crypto_decrypt_final()
7980Sstevel@tonic-gate *
7990Sstevel@tonic-gate * Arguments:
8000Sstevel@tonic-gate * context: A crypto_context_t initialized by decrypt_init().
8010Sstevel@tonic-gate * plaintext: Storage for the last part of the decrypted message
8020Sstevel@tonic-gate * cr: crypto_call_req_t calling conditions and call back info.
8030Sstevel@tonic-gate *
8040Sstevel@tonic-gate * Description:
8050Sstevel@tonic-gate * Asynchronously submits a request for, or synchronously performs the
8060Sstevel@tonic-gate * final part of a decryption operation.
8070Sstevel@tonic-gate *
8080Sstevel@tonic-gate * Context:
8090Sstevel@tonic-gate * Process or interrupt, according to the semantics dictated by the 'cr'.
8100Sstevel@tonic-gate *
8110Sstevel@tonic-gate * Returns:
8120Sstevel@tonic-gate * See comment in the beginning of the file.
8130Sstevel@tonic-gate */
8140Sstevel@tonic-gate int
crypto_decrypt_final(crypto_context_t context,crypto_data_t * plaintext,crypto_call_req_t * cr)8150Sstevel@tonic-gate crypto_decrypt_final(crypto_context_t context, crypto_data_t *plaintext,
8160Sstevel@tonic-gate crypto_call_req_t *cr)
8170Sstevel@tonic-gate {
8180Sstevel@tonic-gate crypto_ctx_t *ctx = (crypto_ctx_t *)context;
8190Sstevel@tonic-gate kcf_context_t *kcf_ctx;
8200Sstevel@tonic-gate kcf_provider_desc_t *pd;
8210Sstevel@tonic-gate int error;
8220Sstevel@tonic-gate kcf_req_params_t params;
8230Sstevel@tonic-gate
8240Sstevel@tonic-gate if ((ctx == NULL) ||
8250Sstevel@tonic-gate ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) ||
8260Sstevel@tonic-gate ((pd = kcf_ctx->kc_prov_desc) == NULL)) {
8270Sstevel@tonic-gate return (CRYPTO_INVALID_CONTEXT);
8280Sstevel@tonic-gate }
8290Sstevel@tonic-gate
830904Smcpowers ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER);
8310Sstevel@tonic-gate
8320Sstevel@tonic-gate /* The fast path for SW providers. */
8330Sstevel@tonic-gate if (CHECK_FASTPATH(cr, pd)) {
834904Smcpowers error = KCF_PROV_DECRYPT_FINAL(pd, ctx, plaintext,
835904Smcpowers NULL);
8360Sstevel@tonic-gate KCF_PROV_INCRSTATS(pd, error);
8370Sstevel@tonic-gate } else {
838904Smcpowers KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_FINAL,
839904Smcpowers ctx->cc_session, NULL, NULL, NULL, plaintext, NULL);
8400Sstevel@tonic-gate error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE);
8410Sstevel@tonic-gate }
8420Sstevel@tonic-gate
8430Sstevel@tonic-gate /* Release the hold done in kcf_new_ctx() during init step. */
8440Sstevel@tonic-gate KCF_CONTEXT_COND_RELEASE(error, kcf_ctx);
8450Sstevel@tonic-gate return (error);
8460Sstevel@tonic-gate }
8470Sstevel@tonic-gate
8480Sstevel@tonic-gate /*
8490Sstevel@tonic-gate * See comments for crypto_encrypt_update().
8500Sstevel@tonic-gate */
8510Sstevel@tonic-gate int
crypto_encrypt_single(crypto_context_t context,crypto_data_t * plaintext,crypto_data_t * ciphertext,crypto_call_req_t * cr)8520Sstevel@tonic-gate crypto_encrypt_single(crypto_context_t context, crypto_data_t *plaintext,
8530Sstevel@tonic-gate crypto_data_t *ciphertext, crypto_call_req_t *cr)
8540Sstevel@tonic-gate {
8550Sstevel@tonic-gate crypto_ctx_t *ctx = (crypto_ctx_t *)context;
8560Sstevel@tonic-gate kcf_context_t *kcf_ctx;
8570Sstevel@tonic-gate kcf_provider_desc_t *pd;
8580Sstevel@tonic-gate int error;
8590Sstevel@tonic-gate kcf_req_params_t params;
8600Sstevel@tonic-gate
8610Sstevel@tonic-gate if ((ctx == NULL) ||
8620Sstevel@tonic-gate ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) ||
8630Sstevel@tonic-gate ((pd = kcf_ctx->kc_prov_desc) == NULL)) {
8640Sstevel@tonic-gate return (CRYPTO_INVALID_CONTEXT);
8650Sstevel@tonic-gate }
8660Sstevel@tonic-gate
8670Sstevel@tonic-gate /* The fast path for SW providers. */
8680Sstevel@tonic-gate if (CHECK_FASTPATH(cr, pd)) {
8690Sstevel@tonic-gate error = KCF_PROV_ENCRYPT(pd, ctx, plaintext,
8700Sstevel@tonic-gate ciphertext, NULL);
8710Sstevel@tonic-gate KCF_PROV_INCRSTATS(pd, error);
8720Sstevel@tonic-gate } else {
8730Sstevel@tonic-gate KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_SINGLE, pd->pd_sid,
8740Sstevel@tonic-gate NULL, NULL, plaintext, ciphertext, NULL);
8750Sstevel@tonic-gate error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE);
8760Sstevel@tonic-gate }
8770Sstevel@tonic-gate
8780Sstevel@tonic-gate /* Release the hold done in kcf_new_ctx() during init step. */
8790Sstevel@tonic-gate KCF_CONTEXT_COND_RELEASE(error, kcf_ctx);
8800Sstevel@tonic-gate return (error);
8810Sstevel@tonic-gate }
8820Sstevel@tonic-gate
8830Sstevel@tonic-gate /*
8840Sstevel@tonic-gate * See comments for crypto_decrypt_update().
8850Sstevel@tonic-gate */
8860Sstevel@tonic-gate int
crypto_decrypt_single(crypto_context_t context,crypto_data_t * ciphertext,crypto_data_t * plaintext,crypto_call_req_t * cr)8870Sstevel@tonic-gate crypto_decrypt_single(crypto_context_t context, crypto_data_t *ciphertext,
8880Sstevel@tonic-gate crypto_data_t *plaintext, crypto_call_req_t *cr)
8890Sstevel@tonic-gate {
8900Sstevel@tonic-gate crypto_ctx_t *ctx = (crypto_ctx_t *)context;
8910Sstevel@tonic-gate kcf_context_t *kcf_ctx;
8920Sstevel@tonic-gate kcf_provider_desc_t *pd;
8930Sstevel@tonic-gate int error;
8940Sstevel@tonic-gate kcf_req_params_t params;
8950Sstevel@tonic-gate
8960Sstevel@tonic-gate if ((ctx == NULL) ||
8970Sstevel@tonic-gate ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) ||
8980Sstevel@tonic-gate ((pd = kcf_ctx->kc_prov_desc) == NULL)) {
8990Sstevel@tonic-gate return (CRYPTO_INVALID_CONTEXT);
9000Sstevel@tonic-gate }
9010Sstevel@tonic-gate
9020Sstevel@tonic-gate /* The fast path for SW providers. */
9030Sstevel@tonic-gate if (CHECK_FASTPATH(cr, pd)) {
9040Sstevel@tonic-gate error = KCF_PROV_DECRYPT(pd, ctx, ciphertext,
9050Sstevel@tonic-gate plaintext, NULL);
9060Sstevel@tonic-gate KCF_PROV_INCRSTATS(pd, error);
9070Sstevel@tonic-gate } else {
9080Sstevel@tonic-gate KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_SINGLE, pd->pd_sid,
9090Sstevel@tonic-gate NULL, NULL, ciphertext, plaintext, NULL);
9100Sstevel@tonic-gate error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE);
9110Sstevel@tonic-gate }
9120Sstevel@tonic-gate
9130Sstevel@tonic-gate /* Release the hold done in kcf_new_ctx() during init step. */
9140Sstevel@tonic-gate KCF_CONTEXT_COND_RELEASE(error, kcf_ctx);
9150Sstevel@tonic-gate return (error);
9160Sstevel@tonic-gate }
917