xref: /onnv-gate/usr/src/uts/common/sys/crypto/impl.h (revision 0)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#ifndef	_SYS_CRYPTO_IMPL_H
#define	_SYS_CRYPTO_IMPL_H

#pragma ident	"%Z%%M%	%I%	%E% SMI"

/*
 * Kernel Cryptographic Framework private implementation definitions.
 */

#include <sys/types.h>
#include <sys/param.h>

#ifdef _KERNEL
#include <sys/crypto/common.h>
#include <sys/crypto/api.h>
#include <sys/crypto/spi.h>
#include <sys/crypto/ioctl.h>
#include <sys/tnf_probe.h>
#include <sys/atomic.h>
#include <sys/project.h>
#include <sys/taskq.h>
#include <sys/rctl.h>
#endif /* _KERNEL */

#ifdef	__cplusplus
extern "C" {
#endif

#ifdef _KERNEL

#define	KCF_MODULE "kcf"

/*
 * Prefixes convention: structures internal to the kernel cryptographic
 * framework start with 'kcf_'. Exposed structure start with 'crypto_'.
 */

/* Provider stats. Not protected. */
typedef	struct kcf_prov_stats {
	kstat_named_t	ps_ops_total;
	kstat_named_t	ps_ops_passed;
	kstat_named_t	ps_ops_failed;
	kstat_named_t	ps_ops_busy_rval;
} kcf_prov_stats_t;

/* Various kcf stats. Not protected. */
typedef	struct kcf_stats {
	kstat_named_t	ks_thrs_in_pool;
	kstat_named_t	ks_idle_thrs;
	kstat_named_t	ks_minthrs;
	kstat_named_t	ks_maxthrs;
	kstat_named_t	ks_swq_njobs;
	kstat_named_t	ks_swq_maxjobs;
	kstat_named_t	ks_taskq_minalloc;
	kstat_named_t	ks_taskq_maxalloc;
} kcf_stats_t;

/*
 * Keep all the information needed by the scheduler from
 * this provider.
 */
typedef struct kcf_sched_info {
	/* The number of operations dispatched. */
	uint64_t	ks_ndispatches;

	/* The number of operations that failed. */
	uint64_t	ks_nfails;

	/* The number of operations that returned CRYPTO_BUSY. */
	uint64_t	ks_nbusy_rval;

	/* taskq used to dispatch crypto requests */
	taskq_t	*ks_taskq;
} kcf_sched_info_t;

#define	KCF_PROV_INCRSTATS(pd, error)	{				\
	(pd)->pd_sched_info.ks_ndispatches++;				\
	if (error == CRYPTO_BUSY)					\
		(pd)->pd_sched_info.ks_nbusy_rval++;			\
	else if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED)	\
		(pd)->pd_sched_info.ks_nfails++;			\
}


/*
 * The following two macros should be
 * #define KCF_OPS_CLASSSIZE (KCF_LAST_OPSCLASS - KCF_FIRST_OPSCLASS + 2)
 * #define KCF_MAXMECHTAB KCF_MAXCIPHER
 *
 * However, doing that would involve reorganizing the header file a bit.
 * When impl.h is broken up (bug# 4703218), this will be done. For now,
 * we hardcode these values.
 */
#define	KCF_OPS_CLASSSIZE	8
#define	KCF_MAXMECHTAB		32

/*
 * Valid values for the state of a provider. The order of
 * the elements is important.
 *
 * Routines which get a provider or the list of providers
 * should pick only those that are either in KCF_PROV_READY state
 * or in KCF_PROV_BUSY state.
 */
typedef enum {
	KCF_PROV_ALLOCATED = 1,
	KCF_PROV_UNVERIFIED,
	/*
	 * state < KCF_PROV_READY means the provider can not
	 * be used at all.
	 */
	KCF_PROV_READY,
	KCF_PROV_BUSY,
	/*
	 * state > KCF_PROV_BUSY means the provider can not
	 * be used for new requests.
	 */
	KCF_PROV_FAILED,
	/*
	 * Threads setting the following two states should do so only
	 * if the current state < KCF_PROV_DISABLED.
	 */
	KCF_PROV_DISABLED,
	KCF_PROV_REMOVED,
	KCF_PROV_FREED
} kcf_prov_state_t;

#define	KCF_IS_PROV_UNVERIFIED(pd) ((pd)->pd_state == KCF_PROV_UNVERIFIED)
#define	KCF_IS_PROV_USABLE(pd) ((pd)->pd_state == KCF_PROV_READY || \
	(pd)->pd_state == KCF_PROV_BUSY)
#define	KCF_IS_PROV_REMOVED(pd)	((pd)->pd_state >= KCF_PROV_REMOVED)

/*
 * A provider descriptor structure. There is one such structure per
 * provider. It is allocated and initialized at registration time and
 * freed when the provider unregisters.
 *
 * pd_prov_type:	Provider type, hardware or software
 * pd_prov_handle:	Provider handle specified by provider
 * pd_kcf_prov_handle:	KCF-private handle assigned by KCF
 * pd_prov_id:		Identification # assigned by KCF to provider
 * pd_description:	Provider description string
 * pd_ops_vector:	The ops vector specified by Provider
 * pd_mech_list_count:	The number of entries in pi_mechanisms, specified
 *			by the provider during registration
 * pd_mechanisms:	Mechanisms supported by the provider, specified
 *			by the provider during registration
 * pd_map_mechnums:	Lookup table which maps a core framework mechanism
 *			number to a number understood by this provider
 * pd_ks_data:		kstat data
 * pd_kstat:		kstat associated with the provider
 * pd_sched_info:	Scheduling information associated with the provider
 * pd_refcnt:		Reference counter to this provider descriptor
 * pd_irefcnt:		References held by the framework internal structs
 * pd_name:		Device name or module name
 * pd_instance:		Device instance
 * pd_module_id:	Module ID returned by modload
 * pd_mctlp:		Pointer to modctl structure for this provider
 * pd_sid:		Session ID of the provider used by kernel clients.
 *			This is valid only for session-oriented providers.
 * pd_lock:		lock protects pd_state and pd_real_provider_list
 * pd_state:		State value of the provider
 * pd_resume_cv:	cv to wait for state to change from KCF_PROV_BUSY
 * pd_remove_cv:	cv to wait on while the provider queue drains
 * pd_restricted:	true if this is an export restricted provider
 * pd_provider_list:	Used to cross-reference logical providers and their
 *			members. Not used for software providers.
 */
typedef struct kcf_provider_desc {
	crypto_provider_type_t		pd_prov_type;
	crypto_provider_handle_t	pd_prov_handle;
	crypto_kcf_provider_handle_t	pd_kcf_prov_handle;
	crypto_provider_id_t		pd_prov_id;
	char				*pd_description;
	crypto_ops_t			*pd_ops_vector;
	uint_t				pd_mech_list_count;
	crypto_mech_info_t		*pd_mechanisms;
	crypto_mech_type_t		pd_map_mechnums[KCF_OPS_CLASSSIZE]\
					    [KCF_MAXMECHTAB];
	kcf_stats_t			*pd_stats;
	kcf_prov_stats_t		pd_ks_data;
	kstat_t				*pd_kstat;
	kcf_sched_info_t		pd_sched_info;
	uint_t				pd_refcnt;
	uint_t				pd_irefcnt;
	char				*pd_name;
	uint_t				pd_instance;
	int				pd_module_id;
	struct modctl			*pd_mctlp;
	crypto_session_id_t		pd_sid;
	kmutex_t			pd_lock;
	kcf_prov_state_t		pd_state;
	kcondvar_t			pd_resume_cv;
	kcondvar_t			pd_remove_cv;
	boolean_t			pd_restricted;
	struct kcf_provider_list	*pd_provider_list;
} kcf_provider_desc_t;

/* useful for making a list of providers */
typedef struct kcf_provider_list {
	struct kcf_provider_list *pl_next;
	struct kcf_provider_desc *pl_provider;
} kcf_provider_list_t;

/*
 * If a component has a reference to a kcf_provider_desc_t,
 * it REFHOLD()s. A new provider descriptor which is referenced only
 * by the providers table has a reference counter of one.
 */
#define	KCF_PROV_REFHOLD(desc) {		\
	atomic_add_32(&(desc)->pd_refcnt, 1);	\
	ASSERT((desc)->pd_refcnt != 0);		\
}

#define	KCF_PROV_IREFHOLD(desc) {		\
	atomic_add_32(&(desc)->pd_irefcnt, 1);	\
	ASSERT((desc)->pd_irefcnt != 0);	\
}

#define	KCF_PROV_IREFRELE(desc) {				\
	ASSERT((desc)->pd_irefcnt != 0);			\
	membar_exit();						\
	if (atomic_add_32_nv(&(desc)->pd_irefcnt, -1) == 0) {	\
		cv_broadcast(&(desc)->pd_remove_cv);		\
	}							\
}

#define	KCF_PROV_REFHELD(desc)	((desc)->pd_refcnt >= 1)

#define	KCF_PROV_REFRELE(desc) {				\
	ASSERT((desc)->pd_refcnt != 0);				\
	membar_exit();						\
	if (atomic_add_32_nv(&(desc)->pd_refcnt, -1) == 0) {	\
		kcf_provider_zero_refcnt((desc));		\
	}							\
}


/* list of crypto_mech_info_t valid as the second mech in a dual operation */

typedef	struct crypto_mech_info_list {
	struct crypto_mech_info_list	*ml_next;
	crypto_mech_type_t		ml_kcf_mechid;	/* KCF's id */
	crypto_mech_info_t		ml_mech_info;
} crypto_mech_info_list_t;

/*
 * An element in a mechanism provider descriptors chain.
 * The kcf_prov_mech_desc_t is duplicated in every chain the provider belongs
 * to. This is a small tradeoff memory vs mutex spinning time to access the
 * common provider field.
 */

typedef struct kcf_prov_mech_desc {
	struct kcf_mech_entry		*pm_me;		/* Back to the head */
	struct kcf_prov_mech_desc	*pm_next;	/* Next in the chain */
	crypto_mech_info_t		pm_mech_info;	/* Provider mech info */
	crypto_mech_info_list_t		*pm_mi_list;	/* list for duals */
	kcf_provider_desc_t		*pm_prov_desc;	/* Common desc. */
} kcf_prov_mech_desc_t;

/* and the notation shortcuts ... */
#define	pm_provider_type	pm_prov_desc.pd_provider_type
#define	pm_provider_handle	pm_prov_desc.pd_provider_handle
#define	pm_ops_vector		pm_prov_desc.pd_ops_vector


/*
 * A mechanism entry in an xxx_mech_tab[].
 *
 * NOTE: We need to avoid false sharing involving me_mutex. This can be
 * done by padding this structure so that its size is a multiple of the
 * cache line size, i.e. 64 bytes. However, the size of this structure is
 * already 64 bytes (on a 64-bit kernel). A pad field should be added if
 * this size were to ever change.
 */
typedef	struct kcf_mech_entry {
	crypto_mech_name_t	me_name;	/* mechanism name */
	kmutex_t		me_mutex;	/* access protection	*/
	kcf_prov_mech_desc_t	*me_hw_prov_chain;  /* list of HW providers */
	kcf_prov_mech_desc_t	*me_sw_prov;    /* SW provider */
	/*
	 * Number of HW providers in the chain. There is only one
	 * SW provider. So, we need only a count of HW providers.
	 */
	int			me_num_hwprov;
	/*
	 * When a SW provider is present, this is the generation number that
	 * ensures no objects from old SW providers are used in the new one
	 */
	uint32_t		me_gen_swprov;
	/*
	 *  threshold for using hardware providers for this mech
	 */
	size_t			me_threshold;
} kcf_mech_entry_t;

/*
 * A policy descriptor structure. It is allocated and initialized
 * when administrative ioctls load disabled mechanisms.
 *
 * pd_prov_type:	Provider type, hardware or software
 * pd_name:		Device name or module name.
 * pd_instance:		Device instance.
 * pd_refcnt:		Reference counter for this policy descriptor
 * pd_mutex:		Protects array and count of disabled mechanisms.
 * pd_disabled_count:	Count of disabled mechanisms.
 * pd_disabled_mechs:	Array of disabled mechanisms.
 */
typedef struct kcf_policy_desc {
	crypto_provider_type_t	pd_prov_type;
	char			*pd_name;
	uint_t			pd_instance;
	uint_t			pd_refcnt;
	kmutex_t		pd_mutex;
	uint_t			pd_disabled_count;
	crypto_mech_name_t	*pd_disabled_mechs;
} kcf_policy_desc_t;

/*
 * If a component has a reference to a kcf_policy_desc_t,
 * it REFHOLD()s. A new policy descriptor which is referenced only
 * by the policy table has a reference count of one.
 */
#define	KCF_POLICY_REFHOLD(desc) {		\
	atomic_add_32(&(desc)->pd_refcnt, 1);	\
	ASSERT((desc)->pd_refcnt != 0);		\
}

/*
 * Releases a reference to a policy descriptor. When the last
 * reference is released, the descriptor is freed.
 */
#define	KCF_POLICY_REFRELE(desc) {				\
	ASSERT((desc)->pd_refcnt != 0);				\
	membar_exit();						\
	if (atomic_add_32_nv(&(desc)->pd_refcnt, -1) == 0)	\
		kcf_policy_free_desc(desc);			\
}

/*
 * This entry stores the name of a software module and its
 * mechanisms.  The mechanisms are 'hints' that are used to
 * trigger loading of the module.
 */
typedef struct kcf_soft_conf_entry {
	struct kcf_soft_conf_entry	*ce_next;
	char				*ce_name;
	crypto_mech_name_t		*ce_mechs;
	uint_t				ce_count;
} kcf_soft_conf_entry_t;

extern kmutex_t soft_config_mutex;
extern kcf_soft_conf_entry_t *soft_config_list;

/*
 * Global tables. The sizes are from the predefined PKCS#11 v2.20 mechanisms,
 * with a margin of few extra empty entry points
 */

#define	KCF_MAXDIGEST		16	/* Digests */
#define	KCF_MAXCIPHER		64	/* Ciphers */
#define	KCF_MAXMAC		40	/* Message authentication codes */
#define	KCF_MAXSIGN		24	/* Sign/Verify */
#define	KCF_MAXKEYOPS		116	/* Key generation and derivation */
#define	KCF_MAXMISC		16	/* Others ... */

#define	KCF_MAXMECHS		KCF_MAXDIGEST + KCF_MAXCIPHER + KCF_MAXMAC + \
				KCF_MAXSIGN + KCF_MAXKEYOPS + \
				KCF_MAXMISC

extern kcf_mech_entry_t kcf_digest_mechs_tab[];
extern kcf_mech_entry_t kcf_cipher_mechs_tab[];
extern kcf_mech_entry_t kcf_mac_mechs_tab[];
extern kcf_mech_entry_t kcf_sign_mechs_tab[];
extern kcf_mech_entry_t kcf_keyops_mechs_tab[];
extern kcf_mech_entry_t kcf_misc_mechs_tab[];

extern kmutex_t kcf_mech_tabs_lock;

typedef	enum {
	KCF_DIGEST_CLASS = 1,
	KCF_CIPHER_CLASS,
	KCF_MAC_CLASS,
	KCF_SIGN_CLASS,
	KCF_KEYOPS_CLASS,
	KCF_MISC_CLASS
} kcf_ops_class_t;

#define	KCF_FIRST_OPSCLASS	KCF_DIGEST_CLASS
#define	KCF_LAST_OPSCLASS	KCF_MISC_CLASS

/* The table of all the kcf_xxx_mech_tab[]s, indexed by kcf_ops_class */

typedef	struct kcf_mech_entry_tab {
	int			met_size;	/* Size of the met_tab[] */
	kcf_mech_entry_t	*met_tab;	/* the table		 */
} kcf_mech_entry_tab_t;

extern kcf_mech_entry_tab_t kcf_mech_tabs_tab[];

#define	KCF_MECHID(class, index)				\
	(((crypto_mech_type_t)(class) << 32) | (crypto_mech_type_t)(index))

#define	KCF_MECH2CLASS(mech_type) ((kcf_ops_class_t)((mech_type) >> 32))

#define	KCF_MECH2INDEX(mech_type) ((int)(mech_type))

/* ps_refcnt is protected by cm_lock in the crypto_minor structure */
typedef struct crypto_provider_session {
	struct crypto_provider_session *ps_next;
	crypto_session_id_t		ps_session;
	kcf_provider_desc_t		*ps_provider;
	kcf_provider_desc_t		*ps_real_provider;
	uint_t				ps_refcnt;
} crypto_provider_session_t;

typedef struct crypto_session_data {
	kmutex_t			sd_lock;
	kcondvar_t			sd_cv;
	uint32_t			sd_flags;
	crypto_ctx_t			*sd_digest_ctx;
	crypto_ctx_t			*sd_encr_ctx;
	crypto_ctx_t			*sd_decr_ctx;
	crypto_ctx_t			*sd_sign_ctx;
	crypto_ctx_t			*sd_verify_ctx;
	crypto_ctx_t			*sd_sign_recover_ctx;
	crypto_ctx_t			*sd_verify_recover_ctx;
	kcf_provider_desc_t		*sd_provider;
	void				*sd_find_init_cookie;
	crypto_provider_session_t	*sd_provider_session;
} crypto_session_data_t;

#define	CRYPTO_SESSION_IN_USE		0x00000001
#define	CRYPTO_SESSION_IS_BUSY		0x00000002
#define	CRYPTO_SESSION_IS_CLOSED	0x00000004

#define	KCF_MAX_PIN_LEN			1024

/*
 * Per-minor info.
 *
 * cm_lock protects everything in this structure except for cm_refcnt.
 */
typedef struct crypto_minor {
	uint_t				cm_refcnt;
	kmutex_t			cm_lock;
	kcondvar_t			cm_cv;
	crypto_session_data_t		**cm_session_table;
	uint_t				cm_session_table_count;
	kcf_provider_desc_t		**cm_provider_array;
	uint_t				cm_provider_count;
	crypto_provider_session_t	*cm_provider_session;
	kproject_t			*cm_projp;
} crypto_minor_t;

/* resource control framework handle used by /dev/crypto */
extern rctl_hndl_t rc_project_crypto_mem;
/*
 * Return codes for internal functions
 */
#define	KCF_SUCCESS		0x0	/* Successful call */
#define	KCF_INVALID_MECH_NUMBER	0x1	/* invalid mechanism number */
#define	KCF_INVALID_MECH_NAME	0x2	/* invalid mechanism name */
#define	KCF_INVALID_MECH_CLASS	0x3	/* invalid mechanism class */
#define	KCF_MECH_TAB_FULL	0x4	/* Need more room in the mech tabs. */

/*
 * kCF internal mechanism and function group for tracking RNG providers.
 */
#define	SUN_RANDOM		"random"
#define	CRYPTO_FG_RANDOM	0x80000000	/* generate_random() */

/*
 * Wrappers for ops vectors. In the wrapper definitions below, the pd
 * argument always corresponds to a pointer to a provider descriptor
 * of type kcf_prov_desc_t.
 */

#define	KCF_PROV_CONTROL_OPS(pd)	((pd)->pd_ops_vector->control_ops)
#define	KCF_PROV_CTX_OPS(pd)		((pd)->pd_ops_vector->ctx_ops)
#define	KCF_PROV_DIGEST_OPS(pd)		((pd)->pd_ops_vector->digest_ops)
#define	KCF_PROV_CIPHER_OPS(pd)		((pd)->pd_ops_vector->cipher_ops)
#define	KCF_PROV_MAC_OPS(pd)		((pd)->pd_ops_vector->mac_ops)
#define	KCF_PROV_SIGN_OPS(pd)		((pd)->pd_ops_vector->sign_ops)
#define	KCF_PROV_VERIFY_OPS(pd)		((pd)->pd_ops_vector->verify_ops)
#define	KCF_PROV_DUAL_OPS(pd)		((pd)->pd_ops_vector->dual_ops)
#define	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) \
	((pd)->pd_ops_vector->dual_cipher_mac_ops)
#define	KCF_PROV_RANDOM_OPS(pd)		((pd)->pd_ops_vector->random_ops)
#define	KCF_PROV_SESSION_OPS(pd)	((pd)->pd_ops_vector->session_ops)
#define	KCF_PROV_OBJECT_OPS(pd)		((pd)->pd_ops_vector->object_ops)
#define	KCF_PROV_KEY_OPS(pd)		((pd)->pd_ops_vector->key_ops)
#define	KCF_PROV_PROVIDER_OPS(pd)	((pd)->pd_ops_vector->provider_ops)

/*
 * Wrappers for crypto_control_ops(9S) entry points.
 */

#define	KCF_PROV_STATUS(pd, status) ( \
	(KCF_PROV_CONTROL_OPS(pd) && \
	KCF_PROV_CONTROL_OPS(pd)->provider_status) ? \
	KCF_PROV_CONTROL_OPS(pd)->provider_status( \
	    (pd)->pd_prov_handle, status) : \
	CRYPTO_NOT_SUPPORTED)

/*
 * Wrappers for crypto_ctx_ops(9S) entry points.
 */

#define	KCF_PROV_CREATE_CTX_TEMPLATE(pd, mech, key, template, size, req) ( \
	(KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->create_ctx_template) ? \
	KCF_PROV_CTX_OPS(pd)->create_ctx_template( \
	    (pd)->pd_prov_handle, mech, key, template, size, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_FREE_CONTEXT(pd, ctx) ( \
	(KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->free_context) ? \
	KCF_PROV_CTX_OPS(pd)->free_context(ctx) : CRYPTO_NOT_SUPPORTED)

/*
 * Wrappers for crypto_digest_ops(9S) entry points.
 */

#define	KCF_PROV_DIGEST_INIT(pd, ctx, mech, req) ( \
	(KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_init) ? \
	KCF_PROV_DIGEST_OPS(pd)->digest_init(ctx, mech, req) : \
	CRYPTO_NOT_SUPPORTED)

/*
 * The _ (underscore) in _digest is needed to avoid replacing the
 * function digest().
 */
#define	KCF_PROV_DIGEST(pd, ctx, data, _digest, req) ( \
	(KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest) ? \
	KCF_PROV_DIGEST_OPS(pd)->digest(ctx, data, _digest, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_DIGEST_UPDATE(pd, ctx, data, req) ( \
	(KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_update) ? \
	KCF_PROV_DIGEST_OPS(pd)->digest_update(ctx, data, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_DIGEST_KEY(pd, ctx, key, req) ( \
	(KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_key) ? \
	KCF_PROV_DIGEST_OPS(pd)->digest_key(ctx, key, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_DIGEST_FINAL(pd, ctx, digest, req) ( \
	(KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_final) ? \
	KCF_PROV_DIGEST_OPS(pd)->digest_final(ctx, digest, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_DIGEST_ATOMIC(pd, session, mech, data, digest, req) ( \
	(KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_atomic) ? \
	KCF_PROV_DIGEST_OPS(pd)->digest_atomic( \
	    (pd)->pd_prov_handle, session, mech, data, digest, req) : \
	CRYPTO_NOT_SUPPORTED)

/*
 * Wrappers for crypto_cipher_ops(9S) entry points.
 */

#define	KCF_PROV_ENCRYPT_INIT(pd, ctx, mech, key, template, req) ( \
	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_init) ? \
	KCF_PROV_CIPHER_OPS(pd)->encrypt_init(ctx, mech, key, template, \
	    req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_ENCRYPT(pd, ctx, plaintext, ciphertext, req) ( \
	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt) ? \
	KCF_PROV_CIPHER_OPS(pd)->encrypt(ctx, plaintext, ciphertext, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_ENCRYPT_UPDATE(pd, ctx, plaintext, ciphertext, req) ( \
	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_update) ? \
	KCF_PROV_CIPHER_OPS(pd)->encrypt_update(ctx, plaintext, \
	    ciphertext, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_ENCRYPT_FINAL(pd, ctx, ciphertext, req) ( \
	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_final) ? \
	KCF_PROV_CIPHER_OPS(pd)->encrypt_final(ctx, ciphertext, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_ENCRYPT_ATOMIC(pd, session, mech, key, plaintext, ciphertext, \
	    template, req) ( \
	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic) ? \
	KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic( \
	    (pd)->pd_prov_handle, session, mech, key, plaintext, ciphertext, \
	    template, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_DECRYPT_INIT(pd, ctx, mech, key, template, req) ( \
	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_init) ? \
	KCF_PROV_CIPHER_OPS(pd)->decrypt_init(ctx, mech, key, template, \
	    req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_DECRYPT(pd, ctx, ciphertext, plaintext, req) ( \
	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt) ? \
	KCF_PROV_CIPHER_OPS(pd)->decrypt(ctx, ciphertext, plaintext, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_DECRYPT_UPDATE(pd, ctx, ciphertext, plaintext, req) ( \
	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_update) ? \
	KCF_PROV_CIPHER_OPS(pd)->decrypt_update(ctx, ciphertext, \
	    plaintext, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_DECRYPT_FINAL(pd, ctx, plaintext, req) ( \
	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_final) ? \
	KCF_PROV_CIPHER_OPS(pd)->decrypt_final(ctx, plaintext, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_DECRYPT_ATOMIC(pd, session, mech, key, ciphertext, plaintext, \
	    template, req) ( \
	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic) ? \
	KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic( \
	    (pd)->pd_prov_handle, session, mech, key, ciphertext, plaintext, \
	    template, req) : \
	CRYPTO_NOT_SUPPORTED)

/*
 * Wrappers for crypto_mac_ops(9S) entry points.
 */

#define	KCF_PROV_MAC_INIT(pd, ctx, mech, key, template, req) ( \
	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_init) ? \
	KCF_PROV_MAC_OPS(pd)->mac_init(ctx, mech, key, template, req) \
	: CRYPTO_NOT_SUPPORTED)

/*
 * The _ (underscore) in _mac is needed to avoid replacing the
 * function mac().
 */
#define	KCF_PROV_MAC(pd, ctx, data, _mac, req) ( \
	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac) ? \
	KCF_PROV_MAC_OPS(pd)->mac(ctx, data, _mac, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_MAC_UPDATE(pd, ctx, data, req) ( \
	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_update) ? \
	KCF_PROV_MAC_OPS(pd)->mac_update(ctx, data, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_MAC_FINAL(pd, ctx, mac, req) ( \
	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_final) ? \
	KCF_PROV_MAC_OPS(pd)->mac_final(ctx, mac, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_MAC_ATOMIC(pd, session, mech, key, data, mac, template, \
	    req) ( \
	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_atomic) ? \
	KCF_PROV_MAC_OPS(pd)->mac_atomic( \
	    (pd)->pd_prov_handle, session, mech, key, data, mac, template, \
	    req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_MAC_VERIFY_ATOMIC(pd, session, mech, key, data, mac, \
	    template, req) ( \
	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_verify_atomic) ? \
	KCF_PROV_MAC_OPS(pd)->mac_verify_atomic( \
	    (pd)->pd_prov_handle, session, mech, key, data, mac, template, \
	    req) : \
	CRYPTO_NOT_SUPPORTED)

/*
 * Wrappers for crypto_sign_ops(9S) entry points.
 */

#define	KCF_PROV_SIGN_INIT(pd, ctx, mech, key, template, req) ( \
	(KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_init) ? \
	KCF_PROV_SIGN_OPS(pd)->sign_init( \
	    ctx, mech, key, template, req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_SIGN(pd, ctx, data, sig, req) ( \
	(KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign) ? \
	KCF_PROV_SIGN_OPS(pd)->sign(ctx, data, sig, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_SIGN_UPDATE(pd, ctx, data, req) ( \
	(KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_update) ? \
	KCF_PROV_SIGN_OPS(pd)->sign_update(ctx, data, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_SIGN_FINAL(pd, ctx, sig, req) ( \
	(KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_final) ? \
	KCF_PROV_SIGN_OPS(pd)->sign_final(ctx, sig, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_SIGN_ATOMIC(pd, session, mech, key, data, template, \
	    sig, req) ( \
	(KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_atomic) ? \
	KCF_PROV_SIGN_OPS(pd)->sign_atomic( \
	    (pd)->pd_prov_handle, session, mech, key, data, sig, template, \
	    req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_SIGN_RECOVER_INIT(pd, ctx, mech, key, template, \
	    req) ( \
	(KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_recover_init) ? \
	KCF_PROV_SIGN_OPS(pd)->sign_recover_init(ctx, mech, key, template, \
	    req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_SIGN_RECOVER(pd, ctx, data, sig, req) ( \
	(KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_recover) ? \
	KCF_PROV_SIGN_OPS(pd)->sign_recover(ctx, data, sig, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_SIGN_RECOVER_ATOMIC(pd, session, mech, key, data, template, \
	    sig, req) ( \
	(KCF_PROV_SIGN_OPS(pd) && \
	KCF_PROV_SIGN_OPS(pd)->sign_recover_atomic) ? \
	KCF_PROV_SIGN_OPS(pd)->sign_recover_atomic( \
	    (pd)->pd_prov_handle, session, mech, key, data, sig, template, \
	    req) : CRYPTO_NOT_SUPPORTED)

/*
 * Wrappers for crypto_verify_ops(9S) entry points.
 */

#define	KCF_PROV_VERIFY_INIT(pd, ctx, mech, key, template, req) ( \
	(KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_init) ? \
	KCF_PROV_VERIFY_OPS(pd)->verify_init(ctx, mech, key, template, \
	    req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_VERIFY(pd, ctx, data, sig, req) ( \
	(KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify) ? \
	KCF_PROV_VERIFY_OPS(pd)->verify(ctx, data, sig, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_VERIFY_UPDATE(pd, ctx, data, req) ( \
	(KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_update) ? \
	KCF_PROV_VERIFY_OPS(pd)->verify_update(ctx, data, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_VERIFY_FINAL(pd, ctx, sig, req) ( \
	(KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_final) ? \
	KCF_PROV_VERIFY_OPS(pd)->verify_final(ctx, sig, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_VERIFY_ATOMIC(pd, session, mech, key, data, template, sig, \
	    req) ( \
	(KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_atomic) ? \
	KCF_PROV_VERIFY_OPS(pd)->verify_atomic( \
	    (pd)->pd_prov_handle, session, mech, key, data, sig, template, \
	    req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_VERIFY_RECOVER_INIT(pd, ctx, mech, key, template, \
	    req) ( \
	(KCF_PROV_VERIFY_OPS(pd) && \
	KCF_PROV_VERIFY_OPS(pd)->verify_recover_init) ? \
	KCF_PROV_VERIFY_OPS(pd)->verify_recover_init(ctx, mech, key, \
	    template, req) : CRYPTO_NOT_SUPPORTED)

/* verify_recover() CSPI routine has different argument order than verify() */
#define	KCF_PROV_VERIFY_RECOVER(pd, ctx, sig, data, req) ( \
	(KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_recover) ? \
	KCF_PROV_VERIFY_OPS(pd)->verify_recover(ctx, sig, data, req) : \
	CRYPTO_NOT_SUPPORTED)

/*
 * verify_recover_atomic() CSPI routine has different argument order
 * than verify_atomic().
 */
#define	KCF_PROV_VERIFY_RECOVER_ATOMIC(pd, session, mech, key, sig, \
	    template, data,  req) ( \
	(KCF_PROV_VERIFY_OPS(pd) && \
	KCF_PROV_VERIFY_OPS(pd)->verify_recover_atomic) ? \
	KCF_PROV_VERIFY_OPS(pd)->verify_recover_atomic( \
	    (pd)->pd_prov_handle, session, mech, key, sig, data, template, \
	    req) : CRYPTO_NOT_SUPPORTED)

/*
 * Wrappers for crypto_dual_ops(9S) entry points.
 */

#define	KCF_PROV_DIGEST_ENCRYPT_UPDATE(digest_ctx, encrypt_ctx, plaintext, \
	    ciphertext, req) ( \
	(KCF_PROV_DUAL_OPS(pd) && \
	KCF_PROV_DUAL_OPS(pd)->digest_encrypt_update) ? \
	KCF_PROV_DUAL_OPS(pd)->digest_encrypt_update( \
	    digest_ctx, encrypt_ctx, plaintext, ciphertext, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_DECRYPT_DIGEST_UPDATE(decrypt_ctx, digest_ctx, ciphertext, \
	    plaintext, req) ( \
	(KCF_PROV_DUAL_OPS(pd) && \
	KCF_PROV_DUAL_OPS(pd)->decrypt_digest_update) ? \
	KCF_PROV_DUAL_OPS(pd)->decrypt_digest_update( \
	    decrypt_ctx, digest_ctx, ciphertext, plaintext, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_SIGN_ENCRYPT_UPDATE(sign_ctx, encrypt_ctx, plaintext, \
	    ciphertext, req) ( \
	(KCF_PROV_DUAL_OPS(pd) && \
	KCF_PROV_DUAL_OPS(pd)->sign_encrypt_update) ? \
	KCF_PROV_DUAL_OPS(pd)->sign_encrypt_update( \
	    sign_ctx, encrypt_ctx, plaintext, ciphertext, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_DECRYPT_VERIFY_UPDATE(decrypt_ctx, verify_ctx, ciphertext, \
	    plaintext, req) ( \
	(KCF_PROV_DUAL_OPS(pd) && \
	KCF_PROV_DUAL_OPS(pd)->decrypt_verify_update) ? \
	KCF_PROV_DUAL_OPS(pd)->decrypt_verify_update( \
	    decrypt_ctx, verify_ctx, ciphertext, plaintext, req) : \
	CRYPTO_NOT_SUPPORTED)

/*
 * Wrappers for crypto_dual_cipher_mac_ops(9S) entry points.
 */

#define	KCF_PROV_ENCRYPT_MAC_INIT(pd, ctx, encr_mech, encr_key, mac_mech, \
	    mac_key, encr_ctx_template, mac_ctx_template, req) ( \
	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_init) ? \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_init( \
	    ctx, encr_mech, encr_key, mac_mech, mac_key, encr_ctx_template, \
	    mac_ctx_template, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_ENCRYPT_MAC(pd, ctx, plaintext, ciphertext, mac, req) ( \
	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac) ? \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac( \
	    ctx, plaintext, ciphertext, mac, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_ENCRYPT_MAC_UPDATE(pd, ctx, plaintext, ciphertext, req) ( \
	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_update) ? \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_update( \
	    ctx, plaintext, ciphertext, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_ENCRYPT_MAC_FINAL(pd, ctx, ciphertext, mac, req) ( \
	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_final) ? \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_final( \
	    ctx, ciphertext, mac, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_ENCRYPT_MAC_ATOMIC(pd, session, encr_mech, encr_key, \
	    mac_mech, mac_key, plaintext, ciphertext, mac, \
	    encr_ctx_template, mac_ctx_template, req) ( \
	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_atomic) ? \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_atomic( \
	    (pd)->pd_prov_handle, session, encr_mech, encr_key, \
	    mac_mech, mac_key, plaintext, ciphertext, mac, \
	    encr_ctx_template, mac_ctx_template, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_MAC_DECRYPT_INIT(pd, ctx, mac_mech, mac_key, decr_mech, \
	    decr_key, mac_ctx_template, decr_ctx_template, req) ( \
	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_init) ? \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_init( \
	    ctx, mac_mech, mac_key, decr_mech, decr_key, mac_ctx_template, \
	    decr_ctx_template, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_MAC_DECRYPT(pd, ctx, ciphertext, mac, plaintext, req) ( \
	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt) ? \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt( \
	    ctx, ciphertext, mac, plaintext, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_MAC_DECRYPT_UPDATE(pd, ctx, ciphertext, plaintext, req) ( \
	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_update) ? \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_update( \
	    ctx, ciphertext, plaintext, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_MAC_DECRYPT_FINAL(pd, ctx, mac, plaintext, req) ( \
	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_final) ? \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_final( \
	    ctx, mac, plaintext, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_MAC_DECRYPT_ATOMIC(pd, session, mac_mech, mac_key, \
	    decr_mech, decr_key, ciphertext, mac, plaintext, \
	    mac_ctx_template, decr_ctx_template, req) ( \
	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_atomic) ? \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_atomic( \
	    (pd)->pd_prov_handle, session, mac_mech, mac_key, \
	    decr_mech, decr_key, ciphertext, mac, plaintext, \
	    mac_ctx_template, decr_ctx_template, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_MAC_VERIFY_DECRYPT_ATOMIC(pd, session, mac_mech, mac_key, \
	    decr_mech, decr_key, ciphertext, mac, plaintext, \
	    mac_ctx_template, decr_ctx_template, req) ( \
	(KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_verify_decrypt_atomic \
	    != NULL) ? \
	KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_verify_decrypt_atomic( \
	    (pd)->pd_prov_handle, session, mac_mech, mac_key, \
	    decr_mech, decr_key, ciphertext, mac, plaintext, \
	    mac_ctx_template, decr_ctx_template, req) : \
	CRYPTO_NOT_SUPPORTED)

/*
 * Wrappers for crypto_random_number_ops(9S) entry points.
 */

#define	KCF_PROV_SEED_RANDOM(pd, session, buf, len, req) ( \
	(KCF_PROV_RANDOM_OPS(pd) && KCF_PROV_RANDOM_OPS(pd)->seed_random) ? \
	KCF_PROV_RANDOM_OPS(pd)->seed_random((pd)->pd_prov_handle, \
	    session, buf, len, req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_GENERATE_RANDOM(pd, session, buf, len, req) ( \
	(KCF_PROV_RANDOM_OPS(pd) && \
	KCF_PROV_RANDOM_OPS(pd)->generate_random) ? \
	KCF_PROV_RANDOM_OPS(pd)->generate_random((pd)->pd_prov_handle, \
	    session, buf, len, req) : CRYPTO_NOT_SUPPORTED)

/*
 * Wrappers for crypto_session_ops(9S) entry points.
 *
 * ops_pd is the provider descriptor that supplies the ops_vector.
 * pd is the descriptor that supplies the provider handle.
 * Only session open/close needs two handles.
 */

#define	KCF_PROV_SESSION_OPEN(ops_pd, session, req, pd) ( \
	(KCF_PROV_SESSION_OPS(ops_pd) && \
	KCF_PROV_SESSION_OPS(ops_pd)->session_open) ? \
	KCF_PROV_SESSION_OPS(ops_pd)->session_open((pd)->pd_prov_handle, \
	    session, req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_SESSION_CLOSE(ops_pd, session, req, pd) ( \
	(KCF_PROV_SESSION_OPS(ops_pd) && \
	KCF_PROV_SESSION_OPS(ops_pd)->session_close) ? \
	KCF_PROV_SESSION_OPS(ops_pd)->session_close((pd)->pd_prov_handle, \
	    session, req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_SESSION_LOGIN(pd, session, user_type, pin, len, req) ( \
	(KCF_PROV_SESSION_OPS(pd) && \
	KCF_PROV_SESSION_OPS(pd)->session_login) ? \
	KCF_PROV_SESSION_OPS(pd)->session_login((pd)->pd_prov_handle, \
	    session, user_type, pin, len, req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_SESSION_LOGOUT(pd, session, req) ( \
	(KCF_PROV_SESSION_OPS(pd) && \
	KCF_PROV_SESSION_OPS(pd)->session_logout) ? \
	KCF_PROV_SESSION_OPS(pd)->session_logout((pd)->pd_prov_handle, \
	    session, req) : CRYPTO_NOT_SUPPORTED)

/*
 * Wrappers for crypto_object_ops(9S) entry points.
 */

#define	KCF_PROV_OBJECT_CREATE(pd, session, template, count, object, req) ( \
	(KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_create) ? \
	KCF_PROV_OBJECT_OPS(pd)->object_create((pd)->pd_prov_handle, \
	    session, template, count, object, req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_OBJECT_COPY(pd, session, object, template, count, \
	    new_object, req) ( \
	(KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_copy) ? \
	KCF_PROV_OBJECT_OPS(pd)->object_copy((pd)->pd_prov_handle, \
	session, object, template, count, new_object, req) : \
	    CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_OBJECT_DESTROY(pd, session, object, req) ( \
	(KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_destroy) ? \
	KCF_PROV_OBJECT_OPS(pd)->object_destroy((pd)->pd_prov_handle, \
	    session, object, req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_OBJECT_GET_SIZE(pd, session, object, size, req) ( \
	(KCF_PROV_OBJECT_OPS(pd) && \
	KCF_PROV_OBJECT_OPS(pd)->object_get_size) ? \
	KCF_PROV_OBJECT_OPS(pd)->object_get_size((pd)->pd_prov_handle, \
	    session, object, size, req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_OBJECT_GET_ATTRIBUTE_VALUE(pd, session, object, template, \
	    count, req) ( \
	(KCF_PROV_OBJECT_OPS(pd) && \
	KCF_PROV_OBJECT_OPS(pd)->object_get_attribute_value) ? \
	KCF_PROV_OBJECT_OPS(pd)->object_get_attribute_value( \
	(pd)->pd_prov_handle, session, object, template, count, req) : \
	    CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_OBJECT_SET_ATTRIBUTE_VALUE(pd, session, object, template, \
	    count, req) ( \
	(KCF_PROV_OBJECT_OPS(pd) && \
	KCF_PROV_OBJECT_OPS(pd)->object_set_attribute_value) ? \
	KCF_PROV_OBJECT_OPS(pd)->object_set_attribute_value( \
	(pd)->pd_prov_handle, session, object, template, count, req) : \
	    CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_OBJECT_FIND_INIT(pd, session, template, count, ppriv, \
	    req) ( \
	(KCF_PROV_OBJECT_OPS(pd) && \
	KCF_PROV_OBJECT_OPS(pd)->object_find_init) ? \
	KCF_PROV_OBJECT_OPS(pd)->object_find_init((pd)->pd_prov_handle, \
	session, template, count, ppriv, req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_OBJECT_FIND(pd, ppriv, objects, max_objects, object_count, \
	    req) ( \
	(KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_find) ? \
	KCF_PROV_OBJECT_OPS(pd)->object_find( \
	(pd)->pd_prov_handle, ppriv, objects, max_objects, object_count, \
	req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_OBJECT_FIND_FINAL(pd, ppriv, req) ( \
	(KCF_PROV_OBJECT_OPS(pd) && \
	KCF_PROV_OBJECT_OPS(pd)->object_find_final) ? \
	KCF_PROV_OBJECT_OPS(pd)->object_find_final( \
	    (pd)->pd_prov_handle, ppriv, req) : CRYPTO_NOT_SUPPORTED)

/*
 * Wrappers for crypto_key_ops(9S) entry points.
 */

#define	KCF_PROV_KEY_GENERATE(pd, session, mech, template, count, object, \
	    req) ( \
	(KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_generate) ? \
	KCF_PROV_KEY_OPS(pd)->key_generate((pd)->pd_prov_handle, \
	    session, mech, template, count, object, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_KEY_GENERATE_PAIR(pd, session, mech, pub_template, \
	    pub_count, priv_template, priv_count, pub_key, priv_key, req) ( \
	(KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_generate_pair) ? \
	KCF_PROV_KEY_OPS(pd)->key_generate_pair((pd)->pd_prov_handle, \
	    session, mech, pub_template, pub_count, priv_template, \
	    priv_count, pub_key, priv_key, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_KEY_WRAP(pd, session, mech, wrapping_key, key, wrapped_key, \
	    wrapped_key_len, req) ( \
	(KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_wrap) ? \
	KCF_PROV_KEY_OPS(pd)->key_wrap((pd)->pd_prov_handle, \
	    session, mech, wrapping_key, key, wrapped_key, wrapped_key_len, \
	    req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_KEY_UNWRAP(pd, session, mech, unwrapping_key, wrapped_key, \
	    wrapped_key_len, template, count, key, req) ( \
	(KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_unwrap) ? \
	KCF_PROV_KEY_OPS(pd)->key_unwrap((pd)->pd_prov_handle, \
	    session, mech, unwrapping_key, wrapped_key, wrapped_key_len, \
	    template, count, key, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_KEY_DERIVE(pd, session, mech, base_key, template, count, \
	    key, req) ( \
	(KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_derive) ? \
	KCF_PROV_KEY_OPS(pd)->key_derive((pd)->pd_prov_handle, \
	    session, mech, base_key, template, count, key, req) : \
	CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_KEY_CHECK(pd, mech, key) ( \
	(KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_check) ? \
	KCF_PROV_KEY_OPS(pd)->key_check((pd)->pd_prov_handle, mech, key) : \
	CRYPTO_NOT_SUPPORTED)

/*
 * Wrappers for crypto_provider_management_ops(9S) entry points.
 *
 * ops_pd is the provider descriptor that supplies the ops_vector.
 * pd is the descriptor that supplies the provider handle.
 * Only ext_info needs two handles.
 */

#define	KCF_PROV_EXT_INFO(ops_pd, provext_info, req, pd) ( \
	(KCF_PROV_PROVIDER_OPS(ops_pd) && \
	KCF_PROV_PROVIDER_OPS(ops_pd)->ext_info) ? \
	KCF_PROV_PROVIDER_OPS(ops_pd)->ext_info((pd)->pd_prov_handle, \
	    provext_info, req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_INIT_TOKEN(pd, pin, pin_len, label, req) ( \
	(KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->init_token) ? \
	KCF_PROV_PROVIDER_OPS(pd)->init_token((pd)->pd_prov_handle, \
	    pin, pin_len, label, req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_INIT_PIN(pd, session, pin, pin_len, req) ( \
	(KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->init_pin) ? \
	KCF_PROV_PROVIDER_OPS(pd)->init_pin((pd)->pd_prov_handle, \
	    session, pin, pin_len, req) : CRYPTO_NOT_SUPPORTED)

#define	KCF_PROV_SET_PIN(pd, session, old_pin, old_len, new_pin, new_len, \
	    req) ( \
	(KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->set_pin) ? \
	KCF_PROV_PROVIDER_OPS(pd)->set_pin((pd)->pd_prov_handle, \
	session, old_pin, old_len, new_pin, new_len, req) : \
	    CRYPTO_NOT_SUPPORTED)

/*
 * The following routines are exported by the kcf module (/kernel/misc/kcf)
 * to the crypto and cryptoadmin modules.
 */

/* Digest/mac/cipher entry points that take a provider descriptor and session */
extern int crypto_digest_prov(crypto_mechanism_t *, crypto_data_t *,
    crypto_data_t *, crypto_call_req_t *, kcf_provider_desc_t *,
    crypto_session_id_t);
extern int crypto_digest_init_prov(kcf_provider_desc_t *, crypto_session_id_t,
    crypto_mechanism_t *, crypto_context_t *, crypto_call_req_t *);
extern int crypto_digest_single(crypto_context_t, crypto_data_t *,
    crypto_data_t *, crypto_call_req_t *);

extern int crypto_mac_prov(crypto_mechanism_t *, crypto_data_t *,
    crypto_key_t *, crypto_ctx_template_t, crypto_data_t *,
    crypto_call_req_t *, kcf_provider_desc_t *, crypto_session_id_t);
extern int crypto_mac_verify_prov(crypto_mechanism_t *, crypto_data_t *,
    crypto_key_t *, crypto_ctx_template_t, crypto_data_t *,
    crypto_call_req_t *, kcf_provider_desc_t *, crypto_session_id_t);
extern int crypto_mac_init_prov(kcf_provider_desc_t *, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t,
    crypto_context_t *, crypto_call_req_t *);
extern int crypto_mac_single(crypto_context_t, crypto_data_t *,
    crypto_data_t *, crypto_call_req_t *);

extern int crypto_encrypt_prov(crypto_mechanism_t *, crypto_data_t *,
    crypto_key_t *, crypto_ctx_template_t, crypto_data_t *,
    crypto_call_req_t *, kcf_provider_desc_t *, crypto_session_id_t);
extern int crypto_encrypt_init_prov(kcf_provider_desc_t *,
    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
    crypto_ctx_template_t, crypto_context_t *, crypto_call_req_t *);
extern int crypto_encrypt_single(crypto_context_t, crypto_data_t *,
    crypto_data_t *, crypto_call_req_t *);

extern int crypto_decrypt_prov(crypto_mechanism_t *, crypto_data_t *,
    crypto_key_t *, crypto_ctx_template_t, crypto_data_t *,
    crypto_call_req_t *, kcf_provider_desc_t *, crypto_session_id_t);
extern int crypto_decrypt_init_prov(kcf_provider_desc_t *, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t,
    crypto_context_t *, crypto_call_req_t *);
extern int crypto_decrypt_single(crypto_context_t, crypto_data_t *,
    crypto_data_t *, crypto_call_req_t *);


/* Other private digest/mac/cipher entry points not exported through k-API */
extern int crypto_digest_key_prov(crypto_context_t, crypto_key_t *,
    crypto_call_req_t *);

/* Private sign entry points exported by KCF */
extern int crypto_sign_init_prov(kcf_provider_desc_t *, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t,
    crypto_context_t *, crypto_call_req_t *);
extern int crypto_sign_single(crypto_context_t, crypto_data_t *,
    crypto_data_t *, crypto_call_req_t *);
extern int crypto_sign_prov(kcf_provider_desc_t *, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
    crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *);

extern int crypto_sign_recover_init_prov(kcf_provider_desc_t *,
    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
    crypto_ctx_template_t tmpl, crypto_context_t *, crypto_call_req_t *);
extern int crypto_sign_recover_single(crypto_context_t, crypto_data_t *,
    crypto_data_t *, crypto_call_req_t *);
extern int crypto_sign_recover_prov(kcf_provider_desc_t *,
    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
    crypto_data_t *, crypto_ctx_template_t, crypto_data_t *,
    crypto_call_req_t *);

/* Private verify entry points exported by KCF */
extern int crypto_verify_init_prov(kcf_provider_desc_t *, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t,
    crypto_context_t *, crypto_call_req_t *);
extern int crypto_verify_single(crypto_context_t, crypto_data_t *,
    crypto_data_t *, crypto_call_req_t *);
extern int crypto_verify_prov(kcf_provider_desc_t *, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
    crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *);

extern int crypto_verify_recover_init_prov(kcf_provider_desc_t *,
    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
    crypto_ctx_template_t tmpl, crypto_context_t *, crypto_call_req_t *);
extern int crypto_verify_recover_single(crypto_context_t, crypto_data_t *,
    crypto_data_t *, crypto_call_req_t *);
extern int crypto_verify_recover_prov(kcf_provider_desc_t *,
    crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
    crypto_data_t *, crypto_ctx_template_t, crypto_data_t *,
    crypto_call_req_t *);

/* Private dual operations entry points exported by KCF */
extern int crypto_digest_encrypt_update(crypto_context_t, crypto_context_t,
    crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
extern int crypto_decrypt_digest_update(crypto_context_t, crypto_context_t,
    crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
extern int crypto_sign_encrypt_update(crypto_context_t, crypto_context_t,
    crypto_data_t *, crypto_data_t *, crypto_call_req_t *);
extern int crypto_decrypt_verify_update(crypto_context_t, crypto_context_t,
    crypto_data_t *, crypto_data_t *, crypto_call_req_t *);

/* Random Number Generation */
int crypto_seed_random(crypto_provider_handle_t provider, uchar_t *buf,
    size_t len, crypto_call_req_t *req);
int crypto_generate_random(crypto_provider_handle_t provider, uchar_t *buf,
    size_t len, crypto_call_req_t *req);

/* Session Management */
int crypto_session_open(crypto_provider_handle_t provider,
    crypto_session_id_t *session_id, crypto_call_req_t *req);
int crypto_session_close(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_call_req_t *req);
int crypto_session_login(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_user_type_t user_type, char *pin,
    size_t pin_len, crypto_call_req_t *req);
int crypto_session_logout(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_call_req_t *req);

/* Object Management */
int crypto_object_create(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_object_attribute_t *template,
    uint_t attribute_count, crypto_object_id_t *object_handle,
    crypto_call_req_t *req);
int crypto_object_copy(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_object_id_t object_handle,
    crypto_object_attribute_t *template, uint_t attribute_count,
    crypto_object_id_t *new_object_handle, crypto_call_req_t *req);
int crypto_object_destroy(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_object_id_t object_handle,
    crypto_call_req_t *req);
int crypto_object_get_size(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_object_id_t object_handle,
    size_t *size, crypto_call_req_t *req);
int crypto_object_get_attribute_value(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_object_id_t object_handle,
    crypto_object_attribute_t *template, uint_t attribute_count,
    crypto_call_req_t *req);
int crypto_object_set_attribute_value(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_object_id_t object_handle,
    crypto_object_attribute_t *template, uint_t count, crypto_call_req_t *req);
int crypto_object_find_init(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_object_attribute_t *template,
    uint_t attribute_count, void **provider_private, crypto_call_req_t *req);
int crypto_object_find(crypto_provider_handle_t provider,
    void *provider_private, crypto_object_id_t *objects,
    uint_t max_object_count, uint_t *object_count, crypto_call_req_t *req);
int crypto_object_find_final(crypto_provider_handle_t provider,
    void *provider_private, crypto_call_req_t *req);

/* Key Generation */
int crypto_generate_key(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mech,
    crypto_object_attribute_t *key_attributes, uint_t attributes_count,
    crypto_object_id_t *key_handle, crypto_call_req_t *req);
int crypto_generate_key_pair(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mech,
    crypto_object_attribute_t *public_attributes, uint_t public_count,
    crypto_object_attribute_t *private_attributes, uint_t private_count,
    crypto_object_id_t *public_handle, crypto_object_id_t *private_handle,
    crypto_call_req_t *req);
int crypto_wrap_key(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mech,
    crypto_key_t *wrapping_key, crypto_object_id_t *key_handle,
    uchar_t *wrapped_key, size_t wrapped_key_len, crypto_call_req_t *req);
int crypto_unwrap_key(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mech, crypto_key_t *key,
    uchar_t *wrapped_key, size_t wrapped_key_len,
    crypto_object_id_t *key_handle, crypto_call_req_t *req);
int crypto_derive_key(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mech, crypto_key_t *key,
    crypto_object_attribute_t *attributes, uint_t attribute_count,
    crypto_object_id_t *object_handle, crypto_call_req_t *req);

/* Provider Management */
int crypto_get_provider_info(crypto_provider_id_t id,
    crypto_provider_info_t **info, crypto_call_req_t *req);
int crypto_get_provider_mechanisms(crypto_minor_t *, crypto_provider_id_t id,
    uint_t *count, crypto_mech_name_t **list);
int crypto_init_token(crypto_provider_handle_t provider, char *pin,
    size_t pin_len, char *label, crypto_call_req_t *);
int crypto_init_pin(crypto_provider_handle_t provider, char *pin,
    size_t pin_len, crypto_call_req_t *req);
int crypto_set_pin(crypto_provider_handle_t provider, char *old_pin,
    size_t old_len, char *new_pin, size_t new_len, crypto_call_req_t *req);
void crypto_free_provider_list(crypto_provider_entry_t *list, uint_t count);
void crypto_free_provider_info(crypto_provider_info_t *info);

/* Administrative */
int crypto_get_dev_list(uint_t *count, crypto_dev_list_entry_t **list);
int crypto_get_soft_list(uint_t *count, char **list, size_t *len);
int crypto_get_dev_info(char *name, uint_t instance, uint_t *count,
    crypto_mech_name_t **list);
int crypto_get_soft_info(caddr_t name, uint_t *count,
    crypto_mech_name_t **list);
int crypto_load_dev_disabled(char *name, uint_t instance, uint_t count,
    crypto_mech_name_t *list);
int crypto_load_soft_disabled(caddr_t name, uint_t count,
    crypto_mech_name_t *list);
int crypto_unload_soft_module(caddr_t path);
int crypto_load_soft_config(caddr_t name, uint_t count,
    crypto_mech_name_t *list);
int crypto_load_door(uint_t did);
void crypto_free_mech_list(crypto_mech_name_t *list, uint_t count);
void crypto_free_dev_list(crypto_dev_list_entry_t *list, uint_t count);

/* Miscellaneous */
int crypto_get_mechanism_number(caddr_t name, crypto_mech_type_t *number);
int crypto_get_function_list(crypto_provider_id_t id,
    crypto_function_list_t **list, int kmflag);
void crypto_free_function_list(crypto_function_list_t *list);
int crypto_build_permitted_mech_names(kcf_provider_desc_t *,
    crypto_mech_name_t **, uint_t *, int);
extern void kcf_init_mech_tabs(void);
extern int kcf_add_mech_provider(crypto_mech_info_t *, kcf_provider_desc_t *,
    kcf_prov_mech_desc_t **);
extern void kcf_remove_mech_provider(char *, kcf_provider_desc_t *);
extern int kcf_get_mech_entry(crypto_mech_type_t, kcf_mech_entry_t **);
extern kcf_provider_desc_t *kcf_alloc_provider_desc(crypto_provider_info_t *);
extern void kcf_provider_zero_refcnt(kcf_provider_desc_t *);
extern void kcf_free_provider_desc(kcf_provider_desc_t *);
extern void kcf_soft_config_init(void);
extern int get_sw_provider_for_mech(crypto_mech_name_t, char **);
extern void kcf_dup_mech(crypto_mechanism_t *, crypto_mechanism_t *,
    crypto_mech_type_t *);
extern crypto_mech_type_t crypto_mech2id_common(char *, boolean_t);
extern void undo_register_provider(kcf_provider_desc_t *, boolean_t);
extern void redo_register_provider(kcf_provider_desc_t *);
extern void kcf_rnd_init();
extern boolean_t kcf_rngprov_check(void);
extern int kcf_rnd_get_pseudo_bytes(uint8_t *, size_t);
extern int kcf_rnd_get_bytes(uint8_t *, size_t, boolean_t, boolean_t);
extern void kcf_rnd_chpoll(int, short *, struct pollhead **);
extern void kcf_rnd_schedule_timeout(boolean_t);

/* Access to the provider's table */
extern void kcf_prov_tab_init(void);
extern int kcf_prov_tab_add_provider(kcf_provider_desc_t *);
extern int kcf_prov_tab_rem_provider(crypto_provider_id_t);
extern kcf_provider_desc_t *kcf_prov_tab_lookup_by_name(char *);
extern kcf_provider_desc_t *kcf_prov_tab_lookup_by_dev(char *, uint_t);
extern int kcf_get_hw_prov_tab(uint_t *, kcf_provider_desc_t ***, int,
    char *, uint_t, boolean_t);
extern int kcf_get_slot_list(uint_t *, kcf_provider_desc_t ***, boolean_t);
extern void kcf_free_provider_tab(uint_t, kcf_provider_desc_t **);
extern kcf_provider_desc_t *kcf_prov_tab_lookup(crypto_provider_id_t);
extern int kcf_get_sw_prov(crypto_mech_type_t, kcf_provider_desc_t **,
    boolean_t);

/* Access to the policy table */
extern boolean_t is_mech_disabled(kcf_provider_desc_t *, crypto_mech_name_t);
extern boolean_t is_mech_disabled_byname(crypto_provider_type_t, char *,
    uint_t, crypto_mech_name_t);
extern void kcf_policy_tab_init(void);
extern void kcf_policy_free_desc(kcf_policy_desc_t *);
extern void kcf_policy_remove_by_name(char *, uint_t *, crypto_mech_name_t **);
extern void kcf_policy_remove_by_dev(char *, uint_t, uint_t *,
    crypto_mech_name_t **);
extern kcf_policy_desc_t *kcf_policy_lookup_by_name(char *);
extern kcf_policy_desc_t *kcf_policy_lookup_by_dev(char *, uint_t);
extern int kcf_policy_load_soft_disabled(char *, uint_t, crypto_mech_name_t *,
    uint_t *, crypto_mech_name_t **);
extern int kcf_policy_load_dev_disabled(char *, uint_t, uint_t,
    crypto_mech_name_t *, uint_t *, crypto_mech_name_t **);

#endif	/* _KERNEL */

#ifdef	__cplusplus
}
#endif

#endif	/* _SYS_CRYPTO_IMPL_H */