1 /* $NetBSD: evp-pkcs11.c,v 1.2 2017/01/28 21:31:47 christos Exp $ */ 2 3 /* 4 * Copyright (c) 2015-2016, Secure Endpoints Inc. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 14 * - Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 23 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 24 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 25 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 28 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 30 * OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 /* PKCS#11 provider */ 34 35 #include <config.h> 36 #include <krb5/roken.h> 37 #include <assert.h> 38 #ifdef HAVE_DLFCN_H 39 #include <dlfcn.h> 40 #ifndef RTLD_LAZY 41 #define RTLD_LAZY 0 42 #endif 43 #ifndef RTLD_LOCAL 44 #define RTLD_LOCAL 0 45 #endif 46 #ifndef RTLD_GROUP 47 #define RTLD_GROUP 0 48 #endif 49 #ifndef RTLD_NODELETE 50 #define RTLD_NODELETE 0 51 #endif 52 #else 53 #error PKCS11 support requires dlfcn.h 54 #endif 55 56 #include <krb5/heimbase.h> 57 58 #include <evp.h> 59 #include <evp-hcrypto.h> 60 #include <evp-pkcs11.h> 61 62 #include <ref/pkcs11.h> 63 64 #if __sun && !defined(PKCS11_MODULE_PATH) 65 # if _LP64 66 # define PKCS11_MODULE_PATH "/usr/lib/64/libpkcs11.so" 67 # else 68 # define PKCS11_MODULE_PATH "/usr/lib/libpkcs11.so" 69 # endif 70 #elif defined(__linux__) 71 /* 72 * XXX We should have an autoconf check for OpenCryptoki and such 73 * things. However, there's no AC_CHECK_OBJECT(), and we'd have to 74 * write one. Today I'm feeling lazy. Another possibility would be to 75 * have a symlink from the libdir we'll install into, and then we could 76 * dlopen() that on all platforms. 77 * 78 * XXX Also, we should pick an appropriate shared object based on 32- vs 79 * 64-bits. 80 */ 81 # define PKCS11_MODULE_PATH "/usr/lib/pkcs11/PKCS11_API.so" 82 #endif 83 84 static CK_FUNCTION_LIST_PTR p11_module; 85 86 static int 87 p11_cleanup(EVP_CIPHER_CTX *ctx); 88 89 struct pkcs11_cipher_ctx { 90 CK_SESSION_HANDLE hSession; 91 CK_OBJECT_HANDLE hSecret; 92 int cipher_init_done; 93 }; 94 95 struct pkcs11_md_ctx { 96 CK_SESSION_HANDLE hSession; 97 }; 98 99 static void *pkcs11_module_handle; 100 static void 101 p11_module_init_once(void *context) 102 { 103 CK_RV rv; 104 CK_FUNCTION_LIST_PTR module; 105 CK_RV (*C_GetFunctionList_fn)(CK_FUNCTION_LIST_PTR_PTR); 106 107 if (!issuid()) { 108 char *pkcs11ModulePath = getenv("PKCS11_MODULE_PATH"); 109 if (pkcs11ModulePath != NULL) { 110 pkcs11_module_handle = 111 dlopen(pkcs11ModulePath, 112 RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP | RTLD_NODELETE); 113 if (pkcs11_module_handle == NULL) 114 fprintf(stderr, "p11_module_init(%s): %s\n", pkcs11ModulePath, dlerror()); 115 } 116 } 117 #ifdef PKCS11_MODULE_PATH 118 if (pkcs11_module_handle == NULL) { 119 pkcs11_module_handle = 120 dlopen(PKCS11_MODULE_PATH, 121 RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP | RTLD_NODELETE); 122 if (pkcs11_module_handle == NULL) 123 fprintf(stderr, "p11_module_init(%s): %s\n", PKCS11_MODULE_PATH, dlerror()); 124 } 125 #endif 126 if (pkcs11_module_handle == NULL) 127 goto cleanup; 128 129 C_GetFunctionList_fn = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR)) 130 dlsym(pkcs11_module_handle, "C_GetFunctionList"); 131 if (C_GetFunctionList_fn == NULL) 132 goto cleanup; 133 134 rv = C_GetFunctionList_fn(&module); 135 if (rv != CKR_OK) 136 goto cleanup; 137 138 rv = module->C_Initialize(NULL); 139 if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED) 140 rv = CKR_OK; 141 if (rv == CKR_OK) 142 *((CK_FUNCTION_LIST_PTR_PTR)context) = module; 143 144 cleanup: 145 if (pkcs11_module_handle != NULL && p11_module == NULL) { 146 dlclose(pkcs11_module_handle); 147 pkcs11_module_handle = NULL; 148 } 149 /* else leak pkcs11_module_handle */ 150 } 151 152 static CK_RV 153 p11_module_init(void) 154 { 155 static heim_base_once_t init_module = HEIM_BASE_ONCE_INIT; 156 157 heim_base_once_f(&init_module, &p11_module, p11_module_init_once); 158 159 return p11_module != NULL ? CKR_OK : CKR_LIBRARY_LOAD_FAILED; 160 } 161 162 static CK_RV 163 p11_session_init(CK_MECHANISM_TYPE mechanismType, CK_SESSION_HANDLE_PTR phSession) 164 { 165 CK_RV rv; 166 CK_ULONG i, ulSlotCount = 0; 167 CK_SLOT_ID_PTR pSlotList = NULL; 168 CK_MECHANISM_INFO info; 169 170 if (phSession != NULL) 171 *phSession = CK_INVALID_HANDLE; 172 173 rv = p11_module_init(); 174 if (rv != CKR_OK) 175 goto cleanup; 176 177 assert(p11_module != NULL); 178 179 rv = p11_module->C_GetSlotList(CK_FALSE, NULL, &ulSlotCount); 180 if (rv != CKR_OK) 181 goto cleanup; 182 183 pSlotList = (CK_SLOT_ID_PTR)calloc(ulSlotCount, sizeof(CK_SLOT_ID)); 184 if (pSlotList == NULL) { 185 rv = CKR_HOST_MEMORY; 186 goto cleanup; 187 } 188 189 rv = p11_module->C_GetSlotList(CK_FALSE, pSlotList, &ulSlotCount); 190 if (rv != CKR_OK) 191 goto cleanup; 192 193 /* 194 * Note that this approach of using the first slot that supports the desired 195 * mechanism may not always be what the user wants (for example it may prefer 196 * software to hardware crypto). We're going to assume that this code will be 197 * principally used on Solaris (which has a meta-slot provider that sorts by 198 * hardware first) or in situations where the user can configure the slots in 199 * order of provider preference. In the future we should make this configurable. 200 */ 201 for (i = 0; i < ulSlotCount; i++) { 202 rv = p11_module->C_GetMechanismInfo(pSlotList[i], mechanismType, &info); 203 if (rv == CKR_OK) 204 break; 205 } 206 207 if (i == ulSlotCount) { 208 rv = CKR_MECHANISM_INVALID; 209 goto cleanup; 210 } 211 212 if (phSession != NULL) { 213 rv = p11_module->C_OpenSession(pSlotList[i], CKF_SERIAL_SESSION, NULL, NULL, phSession); 214 if (rv != CKR_OK) 215 goto cleanup; 216 } 217 218 cleanup: 219 free(pSlotList); 220 221 return rv; 222 } 223 224 static int 225 p11_mech_available_p(CK_MECHANISM_TYPE mechanismType) 226 { 227 return p11_session_init(mechanismType, NULL) == CKR_OK; 228 } 229 230 static CK_KEY_TYPE 231 p11_key_type_for_mech(CK_MECHANISM_TYPE mechanismType) 232 { 233 CK_KEY_TYPE keyType = 0; 234 235 switch (mechanismType) { 236 case CKM_RC2_CBC: 237 keyType = CKK_RC2; 238 break; 239 case CKM_RC4: 240 keyType = CKK_RC4; 241 break; 242 case CKM_DES_CBC: 243 keyType = CKK_DES; 244 break; 245 case CKM_DES3_CBC: 246 keyType = CKK_DES3; 247 break; 248 case CKM_AES_CBC: 249 case CKM_AES_CFB8: 250 keyType = CKK_AES; 251 break; 252 case CKM_CAMELLIA_CBC: 253 keyType = CKK_CAMELLIA; 254 break; 255 default: 256 assert(0 && "Unknown PKCS#11 mechanism type"); 257 break; 258 } 259 260 return keyType; 261 } 262 263 static int 264 p11_key_init(EVP_CIPHER_CTX *ctx, 265 const unsigned char *key, 266 const unsigned char *iv, 267 int encp) 268 { 269 CK_RV rv; 270 CK_BBOOL bFalse = CK_FALSE; 271 CK_BBOOL bTrue = CK_TRUE; 272 CK_MECHANISM_TYPE mechanismType = (CK_MECHANISM_TYPE)ctx->cipher->app_data; 273 CK_KEY_TYPE keyType = p11_key_type_for_mech(mechanismType); 274 CK_OBJECT_CLASS objectClass = CKO_SECRET_KEY; 275 CK_ATTRIBUTE_TYPE op = encp ? CKA_ENCRYPT : CKA_DECRYPT; 276 CK_ATTRIBUTE attributes[] = { 277 { CKA_EXTRACTABLE, &bFalse, sizeof(bFalse) }, 278 { CKA_CLASS, &objectClass, sizeof(objectClass) }, 279 { CKA_KEY_TYPE, &keyType, sizeof(keyType) }, 280 { CKA_TOKEN, &bFalse, sizeof(bFalse) }, 281 { CKA_PRIVATE, &bFalse, sizeof(bFalse) }, 282 { CKA_SENSITIVE, &bTrue, sizeof(bTrue) }, 283 { CKA_VALUE, (void *)key, ctx->key_len }, 284 { op, &bTrue, sizeof(bTrue) } 285 }; 286 struct pkcs11_cipher_ctx *p11ctx = (struct pkcs11_cipher_ctx *)ctx->cipher_data; 287 p11ctx->cipher_init_done = 0; 288 289 rv = p11_session_init(mechanismType, &p11ctx->hSession); 290 if (rv != CKR_OK) 291 goto cleanup; 292 293 assert(p11_module != NULL); 294 295 rv = p11_module->C_CreateObject(p11ctx->hSession, attributes, 296 sizeof(attributes) / sizeof(attributes[0]), 297 &p11ctx->hSecret); 298 if (rv != CKR_OK) 299 goto cleanup; 300 301 cleanup: 302 if (rv != CKR_OK) 303 p11_cleanup(ctx); 304 305 return rv == CKR_OK; 306 } 307 308 static int 309 p11_do_cipher(EVP_CIPHER_CTX *ctx, 310 unsigned char *out, 311 const unsigned char *in, 312 unsigned int size) 313 { 314 struct pkcs11_cipher_ctx *p11ctx = (struct pkcs11_cipher_ctx *)ctx->cipher_data; 315 CK_RV rv = CKR_OK; 316 CK_ULONG ulCipherTextLen = size; 317 CK_MECHANISM_TYPE mechanismType = (CK_MECHANISM_TYPE)ctx->cipher->app_data; 318 CK_MECHANISM mechanism = { 319 mechanismType, 320 ctx->cipher->iv_len ? ctx->iv : NULL, 321 ctx->cipher->iv_len 322 }; 323 324 assert(p11_module != NULL); 325 /* The EVP layer only ever calls us with complete cipher blocks */ 326 assert(EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_STREAM_CIPHER || 327 (size % ctx->cipher->block_size) == 0); 328 329 if (ctx->encrypt) { 330 if (!p11ctx->cipher_init_done) { 331 rv = p11_module->C_EncryptInit(p11ctx->hSession, &mechanism, p11ctx->hSecret); 332 if (rv == CKR_OK) 333 p11ctx->cipher_init_done = 1; 334 } 335 if (rv == CKR_OK) 336 rv = p11_module->C_EncryptUpdate(p11ctx->hSession, (unsigned char *)in, size, out, &ulCipherTextLen); 337 } else { 338 if (!p11ctx->cipher_init_done) { 339 rv = p11_module->C_DecryptInit(p11ctx->hSession, &mechanism, p11ctx->hSecret); 340 if (rv == CKR_OK) 341 p11ctx->cipher_init_done = 1; 342 } 343 if (rv == CKR_OK) 344 rv = p11_module->C_DecryptUpdate(p11ctx->hSession, (unsigned char *)in, size, out, &ulCipherTextLen); 345 } 346 347 return rv == CKR_OK; 348 } 349 350 static int 351 p11_cleanup(EVP_CIPHER_CTX *ctx) 352 { 353 struct pkcs11_cipher_ctx *p11ctx = (struct pkcs11_cipher_ctx *)ctx->cipher_data; 354 355 assert(p11_module != NULL); 356 357 if (p11ctx->hSecret != CK_INVALID_HANDLE) { 358 p11_module->C_DestroyObject(p11ctx->hSession, p11ctx->hSecret); 359 p11ctx->hSecret = CK_INVALID_HANDLE; 360 } 361 if (p11ctx->hSession != CK_INVALID_HANDLE) { 362 p11_module->C_CloseSession(p11ctx->hSession); 363 p11ctx->hSession = CK_INVALID_HANDLE; 364 } 365 366 return 1; 367 } 368 369 static int 370 p11_md_hash_init(CK_MECHANISM_TYPE mechanismType, EVP_MD_CTX *ctx) 371 { 372 struct pkcs11_md_ctx *p11ctx = (struct pkcs11_md_ctx *)ctx; 373 CK_RV rv; 374 375 rv = p11_session_init(mechanismType, &p11ctx->hSession); 376 if (rv == CKR_OK) { 377 CK_MECHANISM mechanism = { mechanismType, NULL, 0 }; 378 379 assert(p11_module != NULL); 380 381 rv = p11_module->C_DigestInit(p11ctx->hSession, &mechanism); 382 } 383 384 return rv == CKR_OK; 385 } 386 387 static int 388 p11_md_update(EVP_MD_CTX *ctx, const void *data, size_t length) 389 { 390 struct pkcs11_md_ctx *p11ctx = (struct pkcs11_md_ctx *)ctx; 391 CK_RV rv; 392 393 assert(p11_module != NULL); 394 395 rv = p11_module->C_DigestUpdate(p11ctx->hSession, (unsigned char *)data, length); 396 397 return rv == CKR_OK; 398 } 399 400 static int 401 p11_md_final(void *digest, EVP_MD_CTX *ctx) 402 { 403 struct pkcs11_md_ctx *p11ctx = (struct pkcs11_md_ctx *)ctx; 404 CK_RV rv; 405 CK_ULONG digestLen = 0; 406 407 assert(p11_module != NULL); 408 409 rv = p11_module->C_DigestFinal(p11ctx->hSession, NULL, &digestLen); 410 if (rv == CKR_OK) 411 rv = p11_module->C_DigestFinal(p11ctx->hSession, digest, &digestLen); 412 413 return rv == CKR_OK; 414 } 415 416 static int 417 p11_md_cleanup(EVP_MD_CTX *ctx) 418 { 419 struct pkcs11_md_ctx *p11ctx = (struct pkcs11_md_ctx *)ctx; 420 CK_RV rv; 421 422 assert(p11_module != NULL); 423 424 rv = p11_module->C_CloseSession(p11ctx->hSession); 425 if (rv == CKR_OK) 426 p11ctx->hSession = CK_INVALID_HANDLE; 427 428 return rv == CKR_OK; 429 } 430 431 #define PKCS11_CIPHER_ALGORITHM(name, mechanismType, block_size, \ 432 key_len, iv_len, flags) \ 433 \ 434 static EVP_CIPHER \ 435 pkcs11_##name = { \ 436 0, \ 437 block_size, \ 438 key_len, \ 439 iv_len, \ 440 flags, \ 441 p11_key_init, \ 442 p11_do_cipher, \ 443 p11_cleanup, \ 444 sizeof(struct pkcs11_cipher_ctx), \ 445 NULL, \ 446 NULL, \ 447 NULL, \ 448 (void *)mechanismType \ 449 }; \ 450 \ 451 const EVP_CIPHER * \ 452 hc_EVP_pkcs11_##name(void) \ 453 { \ 454 if (p11_mech_available_p(mechanismType)) \ 455 return &pkcs11_##name; \ 456 else \ 457 return NULL; \ 458 } \ 459 \ 460 static void \ 461 pkcs11_hcrypto_##name##_init_once(void *context) \ 462 { \ 463 const EVP_CIPHER *cipher; \ 464 \ 465 cipher = hc_EVP_pkcs11_ ##name(); \ 466 if (cipher == NULL && HCRYPTO_FALLBACK) \ 467 cipher = hc_EVP_hcrypto_ ##name(); \ 468 \ 469 *((const EVP_CIPHER **)context) = cipher; \ 470 } \ 471 \ 472 const EVP_CIPHER * \ 473 hc_EVP_pkcs11_hcrypto_##name(void) \ 474 { \ 475 static const EVP_CIPHER *__cipher; \ 476 static heim_base_once_t __init = HEIM_BASE_ONCE_INIT; \ 477 \ 478 heim_base_once_f(&__init, &__cipher, \ 479 pkcs11_hcrypto_##name##_init_once); \ 480 \ 481 return __cipher; \ 482 } 483 484 #define PKCS11_MD_ALGORITHM(name, mechanismType, hash_size, block_size) \ 485 \ 486 static int p11_##name##_init(EVP_MD_CTX *ctx) \ 487 { \ 488 return p11_md_hash_init(mechanismType, ctx); \ 489 } \ 490 \ 491 const EVP_MD * \ 492 hc_EVP_pkcs11_##name(void) \ 493 { \ 494 static struct hc_evp_md name = { \ 495 hash_size, \ 496 block_size, \ 497 sizeof(struct pkcs11_md_ctx), \ 498 p11_##name##_init, \ 499 p11_md_update, \ 500 p11_md_final, \ 501 p11_md_cleanup \ 502 }; \ 503 \ 504 if (p11_mech_available_p(mechanismType)) \ 505 return &name; \ 506 else \ 507 return NULL; \ 508 } \ 509 \ 510 static void \ 511 pkcs11_hcrypto_##name##_init_once(void *context) \ 512 { \ 513 const EVP_MD *md; \ 514 \ 515 md = hc_EVP_pkcs11_ ##name(); \ 516 if (md == NULL && HCRYPTO_FALLBACK) \ 517 md = hc_EVP_hcrypto_ ##name(); \ 518 \ 519 *((const EVP_MD **)context) = md; \ 520 } \ 521 \ 522 const EVP_MD * \ 523 hc_EVP_pkcs11_hcrypto_##name(void) \ 524 { \ 525 static const EVP_MD *__md; \ 526 static heim_base_once_t __init = HEIM_BASE_ONCE_INIT; \ 527 \ 528 heim_base_once_f(&__init, &__md, \ 529 pkcs11_hcrypto_##name##_init_once); \ 530 \ 531 return __md; \ 532 } 533 534 #define PKCS11_MD_ALGORITHM_UNAVAILABLE(name) \ 535 \ 536 const EVP_MD * \ 537 hc_EVP_pkcs11_##name(void) \ 538 { \ 539 return NULL; \ 540 } \ 541 \ 542 const EVP_MD * \ 543 hc_EVP_pkcs11_hcrypto_##name(void) \ 544 { \ 545 return hc_EVP_hcrypto_ ##name(); \ 546 } 547 548 /** 549 * The triple DES cipher type (PKCS#11 provider) 550 * 551 * @return the DES-EDE3-CBC EVP_CIPHER pointer. 552 * 553 * @ingroup hcrypto_evp 554 */ 555 556 PKCS11_CIPHER_ALGORITHM(des_ede3_cbc, 557 CKM_DES3_CBC, 558 8, 559 24, 560 8, 561 EVP_CIPH_CBC_MODE) 562 563 /** 564 * The DES cipher type (PKCS#11 provider) 565 * 566 * @return the DES-CBC EVP_CIPHER pointer. 567 * 568 * @ingroup hcrypto_evp 569 */ 570 571 PKCS11_CIPHER_ALGORITHM(des_cbc, 572 CKM_DES_CBC, 573 8, 574 8, 575 8, 576 EVP_CIPH_CBC_MODE) 577 578 /** 579 * The AES-128 cipher type (PKCS#11 provider) 580 * 581 * @return the AES-128-CBC EVP_CIPHER pointer. 582 * 583 * @ingroup hcrypto_evp 584 */ 585 586 PKCS11_CIPHER_ALGORITHM(aes_128_cbc, 587 CKM_AES_CBC, 588 16, 589 16, 590 16, 591 EVP_CIPH_CBC_MODE) 592 593 /** 594 * The AES-192 cipher type (PKCS#11 provider) 595 * 596 * @return the AES-192-CBC EVP_CIPHER pointer. 597 * 598 * @ingroup hcrypto_evp 599 */ 600 601 PKCS11_CIPHER_ALGORITHM(aes_192_cbc, 602 CKM_AES_CBC, 603 16, 604 24, 605 16, 606 EVP_CIPH_CBC_MODE) 607 608 /** 609 * The AES-256 cipher type (PKCS#11 provider) 610 * 611 * @return the AES-256-CBC EVP_CIPHER pointer. 612 * 613 * @ingroup hcrypto_evp 614 */ 615 616 PKCS11_CIPHER_ALGORITHM(aes_256_cbc, 617 CKM_AES_CBC, 618 16, 619 32, 620 16, 621 EVP_CIPH_CBC_MODE) 622 623 /** 624 * The AES-128 CFB8 cipher type (PKCS#11 provider) 625 * 626 * @return the AES-128-CFB8 EVP_CIPHER pointer. 627 * 628 * @ingroup hcrypto_evp 629 */ 630 631 PKCS11_CIPHER_ALGORITHM(aes_128_cfb8, 632 CKM_AES_CFB8, 633 16, 634 16, 635 16, 636 EVP_CIPH_CFB8_MODE) 637 638 /** 639 * The AES-192 CFB8 cipher type (PKCS#11 provider) 640 * 641 * @return the AES-192-CFB8 EVP_CIPHER pointer. 642 * 643 * @ingroup hcrypto_evp 644 */ 645 646 PKCS11_CIPHER_ALGORITHM(aes_192_cfb8, 647 CKM_AES_CFB8, 648 16, 649 24, 650 16, 651 EVP_CIPH_CFB8_MODE) 652 653 /** 654 * The AES-256 CFB8 cipher type (PKCS#11 provider) 655 * 656 * @return the AES-256-CFB8 EVP_CIPHER pointer. 657 * 658 * @ingroup hcrypto_evp 659 */ 660 661 PKCS11_CIPHER_ALGORITHM(aes_256_cfb8, 662 CKM_AES_CFB8, 663 16, 664 32, 665 16, 666 EVP_CIPH_CFB8_MODE) 667 668 /** 669 * The RC2 cipher type - PKCS#11 670 * 671 * @return the RC2 EVP_CIPHER pointer. 672 * 673 * @ingroup hcrypto_evp 674 */ 675 676 PKCS11_CIPHER_ALGORITHM(rc2_cbc, 677 CKM_RC2_CBC, 678 8, 679 16, 680 8, 681 EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH) 682 683 /** 684 * The RC2-40 cipher type - PKCS#11 685 * 686 * @return the RC2-40 EVP_CIPHER pointer. 687 * 688 * @ingroup hcrypto_evp 689 */ 690 691 PKCS11_CIPHER_ALGORITHM(rc2_40_cbc, 692 CKM_RC2_CBC, 693 8, 694 5, 695 8, 696 EVP_CIPH_CBC_MODE) 697 698 /** 699 * The RC2-64 cipher type - PKCS#11 700 * 701 * @return the RC2-64 EVP_CIPHER pointer. 702 * 703 * @ingroup hcrypto_evp 704 */ 705 706 PKCS11_CIPHER_ALGORITHM(rc2_64_cbc, 707 CKM_RC2_CBC, 708 8, 709 8, 710 8, 711 EVP_CIPH_CBC_MODE) 712 713 /** 714 * The Camellia-128 cipher type - PKCS#11 715 * 716 * @return the Camellia-128 EVP_CIPHER pointer. 717 * 718 * @ingroup hcrypto_evp 719 */ 720 721 PKCS11_CIPHER_ALGORITHM(camellia_128_cbc, 722 CKM_CAMELLIA_CBC, 723 16, 724 16, 725 16, 726 EVP_CIPH_CBC_MODE) 727 728 /** 729 * The Camellia-198 cipher type - PKCS#11 730 * 731 * @return the Camellia-198 EVP_CIPHER pointer. 732 * 733 * @ingroup hcrypto_evp 734 */ 735 736 PKCS11_CIPHER_ALGORITHM(camellia_192_cbc, 737 CKM_CAMELLIA_CBC, 738 16, 739 24, 740 16, 741 EVP_CIPH_CBC_MODE) 742 743 /** 744 * The Camellia-256 cipher type - PKCS#11 745 * 746 * @return the Camellia-256 EVP_CIPHER pointer. 747 * 748 * @ingroup hcrypto_evp 749 */ 750 751 PKCS11_CIPHER_ALGORITHM(camellia_256_cbc, 752 CKM_CAMELLIA_CBC, 753 16, 754 32, 755 16, 756 EVP_CIPH_CBC_MODE) 757 758 /** 759 * The RC4 cipher type (PKCS#11 provider) 760 * 761 * @return the RC4 EVP_CIPHER pointer. 762 * 763 * @ingroup hcrypto_evp 764 */ 765 766 PKCS11_CIPHER_ALGORITHM(rc4, 767 CKM_RC4, 768 1, 769 16, 770 0, 771 EVP_CIPH_STREAM_CIPHER | EVP_CIPH_VARIABLE_LENGTH) 772 773 /** 774 * The RC4-40 cipher type (PKCS#11 provider) 775 * 776 * @return the RC4 EVP_CIPHER pointer. 777 * 778 * @ingroup hcrypto_evp 779 */ 780 781 PKCS11_CIPHER_ALGORITHM(rc4_40, 782 CKM_RC4, 783 1, 784 5, 785 0, 786 EVP_CIPH_STREAM_CIPHER | EVP_CIPH_VARIABLE_LENGTH) 787 788 PKCS11_MD_ALGORITHM(md2, CKM_MD2, 16, 16) 789 #ifdef CKM_MD4 /* non-standard extension */ 790 PKCS11_MD_ALGORITHM(md4, CKM_MD4, 16, 64) 791 #else 792 PKCS11_MD_ALGORITHM_UNAVAILABLE(md4) 793 #endif 794 PKCS11_MD_ALGORITHM(md5, CKM_MD5, 16, 64) 795 PKCS11_MD_ALGORITHM(sha1, CKM_SHA_1, 20, 64) 796 PKCS11_MD_ALGORITHM(sha256, CKM_SHA256, 32, 64) 797 PKCS11_MD_ALGORITHM(sha384, CKM_SHA384, 48, 128) 798 PKCS11_MD_ALGORITHM(sha512, CKM_SHA512, 64, 128) 799