evp-pkcs11.c revision 1.1
1 1.1 christos /* $NetBSD: evp-pkcs11.c,v 1.1 2017/01/28 20:46:45 christos Exp $ */ 2 1.1 christos 3 1.1 christos /* 4 1.1 christos * Copyright (c) 2015-2016, Secure Endpoints Inc. 5 1.1 christos * All rights reserved. 6 1.1 christos * 7 1.1 christos * Redistribution and use in source and binary forms, with or without 8 1.1 christos * modification, are permitted provided that the following conditions 9 1.1 christos * are met: 10 1.1 christos * 11 1.1 christos * - Redistributions of source code must retain the above copyright 12 1.1 christos * notice, this list of conditions and the following disclaimer. 13 1.1 christos * 14 1.1 christos * - Redistributions in binary form must reproduce the above copyright 15 1.1 christos * notice, this list of conditions and the following disclaimer in 16 1.1 christos * the documentation and/or other materials provided with the 17 1.1 christos * distribution. 18 1.1 christos * 19 1.1 christos * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 1.1 christos * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 1.1 christos * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 22 1.1 christos * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 23 1.1 christos * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 24 1.1 christos * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 25 1.1 christos * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 1.1 christos * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 1.1 christos * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 28 1.1 christos * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 1.1 christos * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 30 1.1 christos * OF THE POSSIBILITY OF SUCH DAMAGE. 31 1.1 christos */ 32 1.1 christos 33 1.1 christos /* PKCS#11 provider */ 34 1.1 christos 35 1.1 christos #include <config.h> 36 1.1 christos #include <krb5/roken.h> 37 1.1 christos #include <assert.h> 38 1.1 christos #ifdef HAVE_DLFCN_H 39 1.1 christos #include <dlfcn.h> 40 1.1 christos #ifndef RTLD_LAZY 41 1.1 christos #define RTLD_LAZY 0 42 1.1 christos #endif 43 1.1 christos #ifndef RTLD_LOCAL 44 1.1 christos #define RTLD_LOCAL 0 45 1.1 christos #endif 46 1.1 christos #ifndef RTLD_GROUP 47 1.1 christos #define RTLD_GROUP 0 48 1.1 christos #endif 49 1.1 christos #ifndef RTLD_NODELETE 50 1.1 christos #define RTLD_NODELETE 0 51 1.1 christos #endif 52 1.1 christos #else 53 1.1 christos #error PKCS11 support requires dlfcn.h 54 1.1 christos #endif 55 1.1 christos 56 1.1 christos #include <krb5/heimbase.h> 57 1.1 christos 58 1.1 christos #include <evp.h> 59 1.1 christos #include <evp-hcrypto.h> 60 1.1 christos #include <evp-pkcs11.h> 61 1.1 christos 62 1.1 christos #include <ref/pkcs11.h> 63 1.1 christos 64 1.1 christos #if __sun && !defined(PKCS11_MODULE_PATH) 65 1.1 christos # if _LP64 66 1.1 christos # define PKCS11_MODULE_PATH "/usr/lib/64/libpkcs11.so" 67 1.1 christos # else 68 1.1 christos # define PKCS11_MODULE_PATH "/usr/lib/libpkcs11.so" 69 1.1 christos # endif 70 1.1 christos #elif defined(__linux__) 71 1.1 christos /* 72 1.1 christos * XXX We should have an autoconf check for OpenCryptoki and such 73 1.1 christos * things. However, there's no AC_CHECK_OBJECT(), and we'd have to 74 1.1 christos * write one. Today I'm feeling lazy. Another possibility would be to 75 1.1 christos * have a symlink from the libdir we'll install into, and then we could 76 1.1 christos * dlopen() that on all platforms. 77 1.1 christos * 78 1.1 christos * XXX Also, we should pick an appropriate shared object based on 32- vs 79 1.1 christos * 64-bits. 80 1.1 christos */ 81 1.1 christos # define PKCS11_MODULE_PATH "/usr/lib/pkcs11/PKCS11_API.so" 82 1.1 christos #endif 83 1.1 christos 84 1.1 christos static CK_FUNCTION_LIST_PTR p11_module; 85 1.1 christos 86 1.1 christos static int 87 1.1 christos p11_cleanup(EVP_CIPHER_CTX *ctx); 88 1.1 christos 89 1.1 christos struct pkcs11_cipher_ctx { 90 1.1 christos CK_SESSION_HANDLE hSession; 91 1.1 christos CK_OBJECT_HANDLE hSecret; 92 1.1 christos int cipher_init_done; 93 1.1 christos }; 94 1.1 christos 95 1.1 christos struct pkcs11_md_ctx { 96 1.1 christos CK_SESSION_HANDLE hSession; 97 1.1 christos }; 98 1.1 christos 99 1.1 christos static void *pkcs11_module_handle; 100 1.1 christos static void 101 1.1 christos p11_module_init_once(void *context) 102 1.1 christos { 103 1.1 christos CK_RV rv; 104 1.1 christos CK_FUNCTION_LIST_PTR module; 105 1.1 christos CK_RV (*C_GetFunctionList_fn)(CK_FUNCTION_LIST_PTR_PTR); 106 1.1 christos 107 1.1 christos if (!issuid()) { 108 1.1 christos char *pkcs11ModulePath = getenv("PKCS11_MODULE_PATH"); 109 1.1 christos if (pkcs11ModulePath != NULL) { 110 1.1 christos pkcs11_module_handle = 111 1.1 christos dlopen(pkcs11ModulePath, 112 1.1 christos RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP | RTLD_NODELETE); 113 1.1 christos if (pkcs11_module_handle == NULL) 114 1.1 christos fprintf(stderr, "p11_module_init(%s): %s\n", pkcs11ModulePath, dlerror()); 115 1.1 christos } 116 1.1 christos } 117 1.1 christos #ifdef PKCS11_MODULE_PATH 118 1.1 christos if (pkcs11_module_handle == NULL) { 119 1.1 christos pkcs11_module_handle = 120 1.1 christos dlopen(PKCS11_MODULE_PATH, 121 1.1 christos RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP | RTLD_NODELETE); 122 1.1 christos if (pkcs11_module_handle == NULL) 123 1.1 christos fprintf(stderr, "p11_module_init(%s): %s\n", PKCS11_MODULE_PATH, dlerror()); 124 1.1 christos } 125 1.1 christos #endif 126 1.1 christos if (pkcs11_module_handle == NULL) 127 1.1 christos goto cleanup; 128 1.1 christos 129 1.1 christos C_GetFunctionList_fn = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR)) 130 1.1 christos dlsym(pkcs11_module_handle, "C_GetFunctionList"); 131 1.1 christos if (C_GetFunctionList_fn == NULL) 132 1.1 christos goto cleanup; 133 1.1 christos 134 1.1 christos rv = C_GetFunctionList_fn(&module); 135 1.1 christos if (rv != CKR_OK) 136 1.1 christos goto cleanup; 137 1.1 christos 138 1.1 christos rv = module->C_Initialize(NULL); 139 1.1 christos if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED) 140 1.1 christos rv = CKR_OK; 141 1.1 christos if (rv == CKR_OK) 142 1.1 christos *((CK_FUNCTION_LIST_PTR_PTR)context) = module; 143 1.1 christos 144 1.1 christos cleanup: 145 1.1 christos if (pkcs11_module_handle != NULL && p11_module == NULL) { 146 1.1 christos dlclose(pkcs11_module_handle); 147 1.1 christos pkcs11_module_handle = NULL; 148 1.1 christos } 149 1.1 christos /* else leak pkcs11_module_handle */ 150 1.1 christos } 151 1.1 christos 152 1.1 christos static CK_RV 153 1.1 christos p11_module_init(void) 154 1.1 christos { 155 1.1 christos static heim_base_once_t init_module = HEIM_BASE_ONCE_INIT; 156 1.1 christos 157 1.1 christos heim_base_once_f(&init_module, &p11_module, p11_module_init_once); 158 1.1 christos 159 1.1 christos return p11_module != NULL ? CKR_OK : CKR_LIBRARY_LOAD_FAILED; 160 1.1 christos } 161 1.1 christos 162 1.1 christos static CK_RV 163 1.1 christos p11_session_init(CK_MECHANISM_TYPE mechanismType, CK_SESSION_HANDLE_PTR phSession) 164 1.1 christos { 165 1.1 christos CK_RV rv; 166 1.1 christos CK_ULONG i, ulSlotCount = 0; 167 1.1 christos CK_SLOT_ID_PTR pSlotList = NULL; 168 1.1 christos CK_MECHANISM_INFO info; 169 1.1 christos 170 1.1 christos if (phSession != NULL) 171 1.1 christos *phSession = CK_INVALID_HANDLE; 172 1.1 christos 173 1.1 christos rv = p11_module_init(); 174 1.1 christos if (rv != CKR_OK) 175 1.1 christos goto cleanup; 176 1.1 christos 177 1.1 christos assert(p11_module != NULL); 178 1.1 christos 179 1.1 christos rv = p11_module->C_GetSlotList(CK_FALSE, NULL, &ulSlotCount); 180 1.1 christos if (rv != CKR_OK) 181 1.1 christos goto cleanup; 182 1.1 christos 183 1.1 christos pSlotList = (CK_SLOT_ID_PTR)calloc(ulSlotCount, sizeof(CK_SLOT_ID)); 184 1.1 christos if (pSlotList == NULL) { 185 1.1 christos rv = CKR_HOST_MEMORY; 186 1.1 christos goto cleanup; 187 1.1 christos } 188 1.1 christos 189 1.1 christos rv = p11_module->C_GetSlotList(CK_FALSE, pSlotList, &ulSlotCount); 190 1.1 christos if (rv != CKR_OK) 191 1.1 christos goto cleanup; 192 1.1 christos 193 1.1 christos /* 194 1.1 christos * Note that this approach of using the first slot that supports the desired 195 1.1 christos * mechanism may not always be what the user wants (for example it may prefer 196 1.1 christos * software to hardware crypto). We're going to assume that this code will be 197 1.1 christos * principally used on Solaris (which has a meta-slot provider that sorts by 198 1.1 christos * hardware first) or in situations where the user can configure the slots in 199 1.1 christos * order of provider preference. In the future we should make this configurable. 200 1.1 christos */ 201 1.1 christos for (i = 0; i < ulSlotCount; i++) { 202 1.1 christos rv = p11_module->C_GetMechanismInfo(pSlotList[i], mechanismType, &info); 203 1.1 christos if (rv == CKR_OK) 204 1.1 christos break; 205 1.1 christos } 206 1.1 christos 207 1.1 christos if (i == ulSlotCount) { 208 1.1 christos rv = CKR_MECHANISM_INVALID; 209 1.1 christos goto cleanup; 210 1.1 christos } 211 1.1 christos 212 1.1 christos if (phSession != NULL) { 213 1.1 christos rv = p11_module->C_OpenSession(pSlotList[i], CKF_SERIAL_SESSION, NULL, NULL, phSession); 214 1.1 christos if (rv != CKR_OK) 215 1.1 christos goto cleanup; 216 1.1 christos } 217 1.1 christos 218 1.1 christos cleanup: 219 1.1 christos free(pSlotList); 220 1.1 christos 221 1.1 christos return rv; 222 1.1 christos } 223 1.1 christos 224 1.1 christos static int 225 1.1 christos p11_mech_available_p(CK_MECHANISM_TYPE mechanismType) 226 1.1 christos { 227 1.1 christos return p11_session_init(mechanismType, NULL) == CKR_OK; 228 1.1 christos } 229 1.1 christos 230 1.1 christos static CK_KEY_TYPE 231 1.1 christos p11_key_type_for_mech(CK_MECHANISM_TYPE mechanismType) 232 1.1 christos { 233 1.1 christos CK_KEY_TYPE keyType = 0; 234 1.1 christos 235 1.1 christos switch (mechanismType) { 236 1.1 christos case CKM_RC2_CBC: 237 1.1 christos keyType = CKK_RC2; 238 1.1 christos break; 239 1.1 christos case CKM_RC4: 240 1.1 christos keyType = CKK_RC4; 241 1.1 christos break; 242 1.1 christos case CKM_DES_CBC: 243 1.1 christos keyType = CKK_DES; 244 1.1 christos break; 245 1.1 christos case CKM_DES3_CBC: 246 1.1 christos keyType = CKK_DES3; 247 1.1 christos break; 248 1.1 christos case CKM_AES_CBC: 249 1.1 christos case CKM_AES_CFB8: 250 1.1 christos keyType = CKK_AES; 251 1.1 christos break; 252 1.1 christos case CKM_CAMELLIA_CBC: 253 1.1 christos keyType = CKK_CAMELLIA; 254 1.1 christos break; 255 1.1 christos default: 256 1.1 christos assert(0 && "Unknown PKCS#11 mechanism type"); 257 1.1 christos break; 258 1.1 christos } 259 1.1 christos 260 1.1 christos return keyType; 261 1.1 christos } 262 1.1 christos 263 1.1 christos static int 264 1.1 christos p11_key_init(EVP_CIPHER_CTX *ctx, 265 1.1 christos const unsigned char *key, 266 1.1 christos const unsigned char *iv, 267 1.1 christos int encp) 268 1.1 christos { 269 1.1 christos CK_RV rv; 270 1.1 christos CK_BBOOL bFalse = CK_FALSE; 271 1.1 christos CK_BBOOL bTrue = CK_TRUE; 272 1.1 christos CK_MECHANISM_TYPE mechanismType = (CK_MECHANISM_TYPE)ctx->cipher->app_data; 273 1.1 christos CK_KEY_TYPE keyType = p11_key_type_for_mech(mechanismType); 274 1.1 christos CK_OBJECT_CLASS objectClass = CKO_SECRET_KEY; 275 1.1 christos CK_ATTRIBUTE_TYPE op = encp ? CKA_ENCRYPT : CKA_DECRYPT; 276 1.1 christos CK_ATTRIBUTE attributes[] = { 277 1.1 christos { CKA_EXTRACTABLE, &bFalse, sizeof(bFalse) }, 278 1.1 christos { CKA_CLASS, &objectClass, sizeof(objectClass) }, 279 1.1 christos { CKA_KEY_TYPE, &keyType, sizeof(keyType) }, 280 1.1 christos { CKA_TOKEN, &bFalse, sizeof(bFalse) }, 281 1.1 christos { CKA_PRIVATE, &bFalse, sizeof(bFalse) }, 282 1.1 christos { CKA_SENSITIVE, &bTrue, sizeof(bTrue) }, 283 1.1 christos { CKA_VALUE, (void *)key, ctx->key_len }, 284 1.1 christos { op, &bTrue, sizeof(bTrue) } 285 1.1 christos }; 286 1.1 christos struct pkcs11_cipher_ctx *p11ctx = (struct pkcs11_cipher_ctx *)ctx->cipher_data; 287 1.1 christos p11ctx->cipher_init_done = 0; 288 1.1 christos 289 1.1 christos rv = p11_session_init(mechanismType, &p11ctx->hSession); 290 1.1 christos if (rv != CKR_OK) 291 1.1 christos goto cleanup; 292 1.1 christos 293 1.1 christos assert(p11_module != NULL); 294 1.1 christos 295 1.1 christos rv = p11_module->C_CreateObject(p11ctx->hSession, attributes, 296 1.1 christos sizeof(attributes) / sizeof(attributes[0]), 297 1.1 christos &p11ctx->hSecret); 298 1.1 christos if (rv != CKR_OK) 299 1.1 christos goto cleanup; 300 1.1 christos 301 1.1 christos cleanup: 302 1.1 christos if (rv != CKR_OK) 303 1.1 christos p11_cleanup(ctx); 304 1.1 christos 305 1.1 christos return rv == CKR_OK; 306 1.1 christos } 307 1.1 christos 308 1.1 christos static int 309 1.1 christos p11_do_cipher(EVP_CIPHER_CTX *ctx, 310 1.1 christos unsigned char *out, 311 1.1 christos const unsigned char *in, 312 1.1 christos unsigned int size) 313 1.1 christos { 314 1.1 christos struct pkcs11_cipher_ctx *p11ctx = (struct pkcs11_cipher_ctx *)ctx->cipher_data; 315 1.1 christos CK_RV rv = CKR_OK; 316 1.1 christos CK_ULONG ulCipherTextLen = size; 317 1.1 christos CK_MECHANISM_TYPE mechanismType = (CK_MECHANISM_TYPE)ctx->cipher->app_data; 318 1.1 christos CK_MECHANISM mechanism = { 319 1.1 christos mechanismType, 320 1.1 christos ctx->cipher->iv_len ? ctx->iv : NULL, 321 1.1 christos ctx->cipher->iv_len 322 1.1 christos }; 323 1.1 christos 324 1.1 christos assert(p11_module != NULL); 325 1.1 christos /* The EVP layer only ever calls us with complete cipher blocks */ 326 1.1 christos assert(EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_STREAM_CIPHER || 327 1.1 christos (size % ctx->cipher->block_size) == 0); 328 1.1 christos 329 1.1 christos if (ctx->encrypt) { 330 1.1 christos if (!p11ctx->cipher_init_done) { 331 1.1 christos rv = p11_module->C_EncryptInit(p11ctx->hSession, &mechanism, p11ctx->hSecret); 332 1.1 christos if (rv == CKR_OK) 333 1.1 christos p11ctx->cipher_init_done = 1; 334 1.1 christos } 335 1.1 christos if (rv == CKR_OK) 336 1.1 christos rv = p11_module->C_EncryptUpdate(p11ctx->hSession, (unsigned char *)in, size, out, &ulCipherTextLen); 337 1.1 christos } else { 338 1.1 christos if (!p11ctx->cipher_init_done) { 339 1.1 christos rv = p11_module->C_DecryptInit(p11ctx->hSession, &mechanism, p11ctx->hSecret); 340 1.1 christos if (rv == CKR_OK) 341 1.1 christos p11ctx->cipher_init_done = 1; 342 1.1 christos } 343 1.1 christos if (rv == CKR_OK) 344 1.1 christos rv = p11_module->C_DecryptUpdate(p11ctx->hSession, (unsigned char *)in, size, out, &ulCipherTextLen); 345 1.1 christos } 346 1.1 christos 347 1.1 christos return rv == CKR_OK; 348 1.1 christos } 349 1.1 christos 350 1.1 christos static int 351 1.1 christos p11_cleanup(EVP_CIPHER_CTX *ctx) 352 1.1 christos { 353 1.1 christos struct pkcs11_cipher_ctx *p11ctx = (struct pkcs11_cipher_ctx *)ctx->cipher_data; 354 1.1 christos 355 1.1 christos assert(p11_module != NULL); 356 1.1 christos 357 1.1 christos if (p11ctx->hSecret != CK_INVALID_HANDLE) { 358 1.1 christos p11_module->C_DestroyObject(p11ctx->hSession, p11ctx->hSecret); 359 1.1 christos p11ctx->hSecret = CK_INVALID_HANDLE; 360 1.1 christos } 361 1.1 christos if (p11ctx->hSession != CK_INVALID_HANDLE) { 362 1.1 christos p11_module->C_CloseSession(p11ctx->hSession); 363 1.1 christos p11ctx->hSession = CK_INVALID_HANDLE; 364 1.1 christos } 365 1.1 christos 366 1.1 christos return 1; 367 1.1 christos } 368 1.1 christos 369 1.1 christos static int 370 1.1 christos p11_md_hash_init(CK_MECHANISM_TYPE mechanismType, EVP_MD_CTX *ctx) 371 1.1 christos { 372 1.1 christos struct pkcs11_md_ctx *p11ctx = (struct pkcs11_md_ctx *)ctx; 373 1.1 christos CK_RV rv; 374 1.1 christos 375 1.1 christos rv = p11_session_init(mechanismType, &p11ctx->hSession); 376 1.1 christos if (rv == CKR_OK) { 377 1.1 christos CK_MECHANISM mechanism = { mechanismType, NULL, 0 }; 378 1.1 christos 379 1.1 christos assert(p11_module != NULL); 380 1.1 christos 381 1.1 christos rv = p11_module->C_DigestInit(p11ctx->hSession, &mechanism); 382 1.1 christos } 383 1.1 christos 384 1.1 christos return rv == CKR_OK; 385 1.1 christos } 386 1.1 christos 387 1.1 christos static int 388 1.1 christos p11_md_update(EVP_MD_CTX *ctx, const void *data, size_t length) 389 1.1 christos { 390 1.1 christos struct pkcs11_md_ctx *p11ctx = (struct pkcs11_md_ctx *)ctx; 391 1.1 christos CK_RV rv; 392 1.1 christos 393 1.1 christos assert(p11_module != NULL); 394 1.1 christos 395 1.1 christos rv = p11_module->C_DigestUpdate(p11ctx->hSession, (unsigned char *)data, length); 396 1.1 christos 397 1.1 christos return rv == CKR_OK; 398 1.1 christos } 399 1.1 christos 400 1.1 christos static int 401 1.1 christos p11_md_final(void *digest, EVP_MD_CTX *ctx) 402 1.1 christos { 403 1.1 christos struct pkcs11_md_ctx *p11ctx = (struct pkcs11_md_ctx *)ctx; 404 1.1 christos CK_RV rv; 405 1.1 christos CK_ULONG digestLen = 0; 406 1.1 christos 407 1.1 christos assert(p11_module != NULL); 408 1.1 christos 409 1.1 christos rv = p11_module->C_DigestFinal(p11ctx->hSession, NULL, &digestLen); 410 1.1 christos if (rv == CKR_OK) 411 1.1 christos rv = p11_module->C_DigestFinal(p11ctx->hSession, digest, &digestLen); 412 1.1 christos 413 1.1 christos return rv == CKR_OK; 414 1.1 christos } 415 1.1 christos 416 1.1 christos static int 417 1.1 christos p11_md_cleanup(EVP_MD_CTX *ctx) 418 1.1 christos { 419 1.1 christos struct pkcs11_md_ctx *p11ctx = (struct pkcs11_md_ctx *)ctx; 420 1.1 christos CK_RV rv; 421 1.1 christos 422 1.1 christos assert(p11_module != NULL); 423 1.1 christos 424 1.1 christos rv = p11_module->C_CloseSession(p11ctx->hSession); 425 1.1 christos if (rv == CKR_OK) 426 1.1 christos p11ctx->hSession = CK_INVALID_HANDLE; 427 1.1 christos 428 1.1 christos return rv == CKR_OK; 429 1.1 christos } 430 1.1 christos 431 1.1 christos #define PKCS11_CIPHER_ALGORITHM(name, mechanismType, block_size, \ 432 1.1 christos key_len, iv_len, flags) \ 433 1.1 christos \ 434 1.1 christos static EVP_CIPHER \ 435 1.1 christos pkcs11_##name = { \ 436 1.1 christos 0, \ 437 1.1 christos block_size, \ 438 1.1 christos key_len, \ 439 1.1 christos iv_len, \ 440 1.1 christos flags, \ 441 1.1 christos p11_key_init, \ 442 1.1 christos p11_do_cipher, \ 443 1.1 christos p11_cleanup, \ 444 1.1 christos sizeof(struct pkcs11_cipher_ctx), \ 445 1.1 christos NULL, \ 446 1.1 christos NULL, \ 447 1.1 christos NULL, \ 448 1.1 christos (void *)mechanismType \ 449 1.1 christos }; \ 450 1.1 christos \ 451 1.1 christos const EVP_CIPHER * \ 452 1.1 christos hc_EVP_pkcs11_##name(void) \ 453 1.1 christos { \ 454 1.1 christos if (p11_mech_available_p(mechanismType)) \ 455 1.1 christos return &pkcs11_##name; \ 456 1.1 christos else \ 457 1.1 christos return NULL; \ 458 1.1 christos } \ 459 1.1 christos \ 460 1.1 christos static void \ 461 1.1 christos pkcs11_hcrypto_##name##_init_once(void *context) \ 462 1.1 christos { \ 463 1.1 christos const EVP_CIPHER *cipher; \ 464 1.1 christos \ 465 1.1 christos cipher = hc_EVP_pkcs11_ ##name(); \ 466 1.1 christos if (cipher == NULL && HCRYPTO_FALLBACK) \ 467 1.1 christos cipher = hc_EVP_hcrypto_ ##name(); \ 468 1.1 christos \ 469 1.1 christos *((const EVP_CIPHER **)context) = cipher; \ 470 1.1 christos } \ 471 1.1 christos \ 472 1.1 christos const EVP_CIPHER * \ 473 1.1 christos hc_EVP_pkcs11_hcrypto_##name(void) \ 474 1.1 christos { \ 475 1.1 christos static const EVP_CIPHER *__cipher; \ 476 1.1 christos static heim_base_once_t __init = HEIM_BASE_ONCE_INIT; \ 477 1.1 christos \ 478 1.1 christos heim_base_once_f(&__init, &__cipher, \ 479 1.1 christos pkcs11_hcrypto_##name##_init_once); \ 480 1.1 christos \ 481 1.1 christos return __cipher; \ 482 1.1 christos } 483 1.1 christos 484 1.1 christos #define PKCS11_MD_ALGORITHM(name, mechanismType, hash_size, block_size) \ 485 1.1 christos \ 486 1.1 christos static int p11_##name##_init(EVP_MD_CTX *ctx) \ 487 1.1 christos { \ 488 1.1 christos return p11_md_hash_init(mechanismType, ctx); \ 489 1.1 christos } \ 490 1.1 christos \ 491 1.1 christos const EVP_MD * \ 492 1.1 christos hc_EVP_pkcs11_##name(void) \ 493 1.1 christos { \ 494 1.1 christos static struct hc_evp_md name = { \ 495 1.1 christos hash_size, \ 496 1.1 christos block_size, \ 497 1.1 christos sizeof(struct pkcs11_md_ctx), \ 498 1.1 christos p11_##name##_init, \ 499 1.1 christos p11_md_update, \ 500 1.1 christos p11_md_final, \ 501 1.1 christos p11_md_cleanup \ 502 1.1 christos }; \ 503 1.1 christos \ 504 1.1 christos if (p11_mech_available_p(mechanismType)) \ 505 1.1 christos return &name; \ 506 1.1 christos else \ 507 1.1 christos return NULL; \ 508 1.1 christos } \ 509 1.1 christos \ 510 1.1 christos static void \ 511 1.1 christos pkcs11_hcrypto_##name##_init_once(void *context) \ 512 1.1 christos { \ 513 1.1 christos const EVP_MD *md; \ 514 1.1 christos \ 515 1.1 christos md = hc_EVP_pkcs11_ ##name(); \ 516 1.1 christos if (md == NULL && HCRYPTO_FALLBACK) \ 517 1.1 christos md = hc_EVP_hcrypto_ ##name(); \ 518 1.1 christos \ 519 1.1 christos *((const EVP_MD **)context) = md; \ 520 1.1 christos } \ 521 1.1 christos \ 522 1.1 christos const EVP_MD * \ 523 1.1 christos hc_EVP_pkcs11_hcrypto_##name(void) \ 524 1.1 christos { \ 525 1.1 christos static const EVP_MD *__md; \ 526 1.1 christos static heim_base_once_t __init = HEIM_BASE_ONCE_INIT; \ 527 1.1 christos \ 528 1.1 christos heim_base_once_f(&__init, &__md, \ 529 1.1 christos pkcs11_hcrypto_##name##_init_once); \ 530 1.1 christos \ 531 1.1 christos return __md; \ 532 1.1 christos } 533 1.1 christos 534 1.1 christos #define PKCS11_MD_ALGORITHM_UNAVAILABLE(name) \ 535 1.1 christos \ 536 1.1 christos const EVP_MD * \ 537 1.1 christos hc_EVP_pkcs11_##name(void) \ 538 1.1 christos { \ 539 1.1 christos return NULL; \ 540 1.1 christos } \ 541 1.1 christos \ 542 1.1 christos const EVP_MD * \ 543 1.1 christos hc_EVP_pkcs11_hcrypto_##name(void) \ 544 1.1 christos { \ 545 1.1 christos return hc_EVP_hcrypto_ ##name(); \ 546 1.1 christos } 547 1.1 christos 548 1.1 christos /** 549 1.1 christos * The triple DES cipher type (PKCS#11 provider) 550 1.1 christos * 551 1.1 christos * @return the DES-EDE3-CBC EVP_CIPHER pointer. 552 1.1 christos * 553 1.1 christos * @ingroup hcrypto_evp 554 1.1 christos */ 555 1.1 christos 556 1.1 christos PKCS11_CIPHER_ALGORITHM(des_ede3_cbc, 557 1.1 christos CKM_DES3_CBC, 558 1.1 christos 8, 559 1.1 christos 24, 560 1.1 christos 8, 561 1.1 christos EVP_CIPH_CBC_MODE) 562 1.1 christos 563 1.1 christos /** 564 1.1 christos * The DES cipher type (PKCS#11 provider) 565 1.1 christos * 566 1.1 christos * @return the DES-CBC EVP_CIPHER pointer. 567 1.1 christos * 568 1.1 christos * @ingroup hcrypto_evp 569 1.1 christos */ 570 1.1 christos 571 1.1 christos PKCS11_CIPHER_ALGORITHM(des_cbc, 572 1.1 christos CKM_DES_CBC, 573 1.1 christos 8, 574 1.1 christos 8, 575 1.1 christos 8, 576 1.1 christos EVP_CIPH_CBC_MODE) 577 1.1 christos 578 1.1 christos /** 579 1.1 christos * The AES-128 cipher type (PKCS#11 provider) 580 1.1 christos * 581 1.1 christos * @return the AES-128-CBC EVP_CIPHER pointer. 582 1.1 christos * 583 1.1 christos * @ingroup hcrypto_evp 584 1.1 christos */ 585 1.1 christos 586 1.1 christos PKCS11_CIPHER_ALGORITHM(aes_128_cbc, 587 1.1 christos CKM_AES_CBC, 588 1.1 christos 16, 589 1.1 christos 16, 590 1.1 christos 16, 591 1.1 christos EVP_CIPH_CBC_MODE) 592 1.1 christos 593 1.1 christos /** 594 1.1 christos * The AES-192 cipher type (PKCS#11 provider) 595 1.1 christos * 596 1.1 christos * @return the AES-192-CBC EVP_CIPHER pointer. 597 1.1 christos * 598 1.1 christos * @ingroup hcrypto_evp 599 1.1 christos */ 600 1.1 christos 601 1.1 christos PKCS11_CIPHER_ALGORITHM(aes_192_cbc, 602 1.1 christos CKM_AES_CBC, 603 1.1 christos 16, 604 1.1 christos 24, 605 1.1 christos 16, 606 1.1 christos EVP_CIPH_CBC_MODE) 607 1.1 christos 608 1.1 christos /** 609 1.1 christos * The AES-256 cipher type (PKCS#11 provider) 610 1.1 christos * 611 1.1 christos * @return the AES-256-CBC EVP_CIPHER pointer. 612 1.1 christos * 613 1.1 christos * @ingroup hcrypto_evp 614 1.1 christos */ 615 1.1 christos 616 1.1 christos PKCS11_CIPHER_ALGORITHM(aes_256_cbc, 617 1.1 christos CKM_AES_CBC, 618 1.1 christos 16, 619 1.1 christos 32, 620 1.1 christos 16, 621 1.1 christos EVP_CIPH_CBC_MODE) 622 1.1 christos 623 1.1 christos /** 624 1.1 christos * The AES-128 CFB8 cipher type (PKCS#11 provider) 625 1.1 christos * 626 1.1 christos * @return the AES-128-CFB8 EVP_CIPHER pointer. 627 1.1 christos * 628 1.1 christos * @ingroup hcrypto_evp 629 1.1 christos */ 630 1.1 christos 631 1.1 christos PKCS11_CIPHER_ALGORITHM(aes_128_cfb8, 632 1.1 christos CKM_AES_CFB8, 633 1.1 christos 16, 634 1.1 christos 16, 635 1.1 christos 16, 636 1.1 christos EVP_CIPH_CFB8_MODE) 637 1.1 christos 638 1.1 christos /** 639 1.1 christos * The AES-192 CFB8 cipher type (PKCS#11 provider) 640 1.1 christos * 641 1.1 christos * @return the AES-192-CFB8 EVP_CIPHER pointer. 642 1.1 christos * 643 1.1 christos * @ingroup hcrypto_evp 644 1.1 christos */ 645 1.1 christos 646 1.1 christos PKCS11_CIPHER_ALGORITHM(aes_192_cfb8, 647 1.1 christos CKM_AES_CFB8, 648 1.1 christos 16, 649 1.1 christos 24, 650 1.1 christos 16, 651 1.1 christos EVP_CIPH_CFB8_MODE) 652 1.1 christos 653 1.1 christos /** 654 1.1 christos * The AES-256 CFB8 cipher type (PKCS#11 provider) 655 1.1 christos * 656 1.1 christos * @return the AES-256-CFB8 EVP_CIPHER pointer. 657 1.1 christos * 658 1.1 christos * @ingroup hcrypto_evp 659 1.1 christos */ 660 1.1 christos 661 1.1 christos PKCS11_CIPHER_ALGORITHM(aes_256_cfb8, 662 1.1 christos CKM_AES_CFB8, 663 1.1 christos 16, 664 1.1 christos 32, 665 1.1 christos 16, 666 1.1 christos EVP_CIPH_CFB8_MODE) 667 1.1 christos 668 1.1 christos /** 669 1.1 christos * The RC2 cipher type - PKCS#11 670 1.1 christos * 671 1.1 christos * @return the RC2 EVP_CIPHER pointer. 672 1.1 christos * 673 1.1 christos * @ingroup hcrypto_evp 674 1.1 christos */ 675 1.1 christos 676 1.1 christos PKCS11_CIPHER_ALGORITHM(rc2_cbc, 677 1.1 christos CKM_RC2_CBC, 678 1.1 christos 8, 679 1.1 christos 16, 680 1.1 christos 8, 681 1.1 christos EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH) 682 1.1 christos 683 1.1 christos /** 684 1.1 christos * The RC2-40 cipher type - PKCS#11 685 1.1 christos * 686 1.1 christos * @return the RC2-40 EVP_CIPHER pointer. 687 1.1 christos * 688 1.1 christos * @ingroup hcrypto_evp 689 1.1 christos */ 690 1.1 christos 691 1.1 christos PKCS11_CIPHER_ALGORITHM(rc2_40_cbc, 692 1.1 christos CKM_RC2_CBC, 693 1.1 christos 8, 694 1.1 christos 5, 695 1.1 christos 8, 696 1.1 christos EVP_CIPH_CBC_MODE) 697 1.1 christos 698 1.1 christos /** 699 1.1 christos * The RC2-64 cipher type - PKCS#11 700 1.1 christos * 701 1.1 christos * @return the RC2-64 EVP_CIPHER pointer. 702 1.1 christos * 703 1.1 christos * @ingroup hcrypto_evp 704 1.1 christos */ 705 1.1 christos 706 1.1 christos PKCS11_CIPHER_ALGORITHM(rc2_64_cbc, 707 1.1 christos CKM_RC2_CBC, 708 1.1 christos 8, 709 1.1 christos 8, 710 1.1 christos 8, 711 1.1 christos EVP_CIPH_CBC_MODE) 712 1.1 christos 713 1.1 christos /** 714 1.1 christos * The Camellia-128 cipher type - PKCS#11 715 1.1 christos * 716 1.1 christos * @return the Camellia-128 EVP_CIPHER pointer. 717 1.1 christos * 718 1.1 christos * @ingroup hcrypto_evp 719 1.1 christos */ 720 1.1 christos 721 1.1 christos PKCS11_CIPHER_ALGORITHM(camellia_128_cbc, 722 1.1 christos CKM_CAMELLIA_CBC, 723 1.1 christos 16, 724 1.1 christos 16, 725 1.1 christos 16, 726 1.1 christos EVP_CIPH_CBC_MODE) 727 1.1 christos 728 1.1 christos /** 729 1.1 christos * The Camellia-198 cipher type - PKCS#11 730 1.1 christos * 731 1.1 christos * @return the Camellia-198 EVP_CIPHER pointer. 732 1.1 christos * 733 1.1 christos * @ingroup hcrypto_evp 734 1.1 christos */ 735 1.1 christos 736 1.1 christos PKCS11_CIPHER_ALGORITHM(camellia_192_cbc, 737 1.1 christos CKM_CAMELLIA_CBC, 738 1.1 christos 16, 739 1.1 christos 24, 740 1.1 christos 16, 741 1.1 christos EVP_CIPH_CBC_MODE) 742 1.1 christos 743 1.1 christos /** 744 1.1 christos * The Camellia-256 cipher type - PKCS#11 745 1.1 christos * 746 1.1 christos * @return the Camellia-256 EVP_CIPHER pointer. 747 1.1 christos * 748 1.1 christos * @ingroup hcrypto_evp 749 1.1 christos */ 750 1.1 christos 751 1.1 christos PKCS11_CIPHER_ALGORITHM(camellia_256_cbc, 752 1.1 christos CKM_CAMELLIA_CBC, 753 1.1 christos 16, 754 1.1 christos 32, 755 1.1 christos 16, 756 1.1 christos EVP_CIPH_CBC_MODE) 757 1.1 christos 758 1.1 christos /** 759 1.1 christos * The RC4 cipher type (PKCS#11 provider) 760 1.1 christos * 761 1.1 christos * @return the RC4 EVP_CIPHER pointer. 762 1.1 christos * 763 1.1 christos * @ingroup hcrypto_evp 764 1.1 christos */ 765 1.1 christos 766 1.1 christos PKCS11_CIPHER_ALGORITHM(rc4, 767 1.1 christos CKM_RC4, 768 1.1 christos 1, 769 1.1 christos 16, 770 1.1 christos 0, 771 1.1 christos EVP_CIPH_STREAM_CIPHER | EVP_CIPH_VARIABLE_LENGTH) 772 1.1 christos 773 1.1 christos /** 774 1.1 christos * The RC4-40 cipher type (PKCS#11 provider) 775 1.1 christos * 776 1.1 christos * @return the RC4 EVP_CIPHER pointer. 777 1.1 christos * 778 1.1 christos * @ingroup hcrypto_evp 779 1.1 christos */ 780 1.1 christos 781 1.1 christos PKCS11_CIPHER_ALGORITHM(rc4_40, 782 1.1 christos CKM_RC4, 783 1.1 christos 1, 784 1.1 christos 5, 785 1.1 christos 0, 786 1.1 christos EVP_CIPH_STREAM_CIPHER | EVP_CIPH_VARIABLE_LENGTH) 787 1.1 christos 788 1.1 christos PKCS11_MD_ALGORITHM(md2, CKM_MD2, 16, 16) 789 1.1 christos #ifdef CKM_MD4 /* non-standard extension */ 790 1.1 christos PKCS11_MD_ALGORITHM(md4, CKM_MD4, 16, 64) 791 1.1 christos #else 792 1.1 christos PKCS11_MD_ALGORITHM_UNAVAILABLE(md4) 793 1.1 christos #endif 794 1.1 christos PKCS11_MD_ALGORITHM(md5, CKM_MD5, 16, 64) 795 1.1 christos PKCS11_MD_ALGORITHM(sha1, CKM_SHA_1, 20, 64) 796 1.1 christos PKCS11_MD_ALGORITHM(sha256, CKM_SHA256, 32, 64) 797 1.1 christos PKCS11_MD_ALGORITHM(sha384, CKM_SHA384, 48, 128) 798 1.1 christos PKCS11_MD_ALGORITHM(sha512, CKM_SHA512, 64, 128) 799
Indexes created Mon Mar 16 00:23:04 UTC 2026