|
3
|
1 |
/*
|
|
|
2 |
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
|
|
|
3 |
* Use is subject to license terms.
|
|
|
4 |
*/
|
|
|
5 |
|
|
|
6 |
#pragma ident "@(#)hw_pk11.h 1.1 09/11/10 SMI"
|
|
|
7 |
|
|
|
8 |
/* crypto/engine/hw_pk11.h */
|
|
|
9 |
/*
|
|
|
10 |
* This product includes software developed by the OpenSSL Project for
|
|
|
11 |
* use in the OpenSSL Toolkit (http://www.openssl.org/).
|
|
|
12 |
*
|
|
|
13 |
* This project also referenced hw_pkcs11-0.9.7b.patch written by
|
|
|
14 |
* Afchine Madjlessi.
|
|
|
15 |
*/
|
|
|
16 |
/*
|
|
|
17 |
* ====================================================================
|
|
|
18 |
* Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
|
|
|
19 |
*
|
|
|
20 |
* Redistribution and use in source and binary forms, with or without
|
|
|
21 |
* modification, are permitted provided that the following conditions
|
|
|
22 |
* are met:
|
|
|
23 |
*
|
|
|
24 |
* 1. Redistributions of source code must retain the above copyright
|
|
|
25 |
* notice, this list of conditions and the following disclaimer.
|
|
|
26 |
*
|
|
|
27 |
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
28 |
* notice, this list of conditions and the following disclaimer in
|
|
|
29 |
* the documentation and/or other materials provided with the
|
|
|
30 |
* distribution.
|
|
|
31 |
*
|
|
|
32 |
* 3. All advertising materials mentioning features or use of this
|
|
|
33 |
* software must display the following acknowledgment:
|
|
|
34 |
* "This product includes software developed by the OpenSSL Project
|
|
|
35 |
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
|
|
|
36 |
*
|
|
|
37 |
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
|
|
38 |
* endorse or promote products derived from this software without
|
|
|
39 |
* prior written permission. For written permission, please contact
|
|
|
40 |
* [email protected].
|
|
|
41 |
*
|
|
|
42 |
* 5. Products derived from this software may not be called "OpenSSL"
|
|
|
43 |
* nor may "OpenSSL" appear in their names without prior written
|
|
|
44 |
* permission of the OpenSSL Project.
|
|
|
45 |
*
|
|
|
46 |
* 6. Redistributions of any form whatsoever must retain the following
|
|
|
47 |
* acknowledgment:
|
|
|
48 |
* "This product includes software developed by the OpenSSL Project
|
|
|
49 |
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
|
|
|
50 |
*
|
|
|
51 |
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
|
|
52 |
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
53 |
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
|
54 |
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
|
|
55 |
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
|
56 |
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
57 |
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
|
58 |
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
59 |
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
|
60 |
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
|
61 |
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
|
62 |
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
63 |
* ====================================================================
|
|
|
64 |
*
|
|
|
65 |
* This product includes cryptographic software written by Eric Young
|
|
|
66 |
* ([email protected]). This product includes software written by Tim
|
|
|
67 |
* Hudson ([email protected]).
|
|
|
68 |
*
|
|
|
69 |
*/
|
|
|
70 |
|
|
|
71 |
#ifndef HW_PK11_H
|
|
|
72 |
#define HW_PK11_H
|
|
|
73 |
|
|
|
74 |
#include "hw_pk11_err.h"
|
|
|
75 |
|
|
|
76 |
/* max byte length of a symetric key we support */
|
|
|
77 |
#define PK11_KEY_LEN_MAX 32
|
|
|
78 |
|
|
|
79 |
/*
|
|
|
80 |
* This structure encapsulates all reusable information for a PKCS#11
|
|
|
81 |
* session. A list of these objects is created on behalf of the
|
|
|
82 |
* calling application using an on-demand method. Each operation
|
|
|
83 |
* type (see PK11_OPTYPE below) has its own per-process list.
|
|
|
84 |
* Each of the lists is basically a cache for faster PKCS#11 object
|
|
|
85 |
* access to avoid expensive C_Find{,Init,Final}Object() calls.
|
|
|
86 |
*
|
|
|
87 |
* When a new request comes in, an object will be taken from the list
|
|
|
88 |
* (if there is one) or a new one is created to handle the request
|
|
|
89 |
* (if the list is empty). See pk11_get_session() on how it is done.
|
|
|
90 |
*/
|
|
|
91 |
typedef struct PK11_st_SESSION
|
|
|
92 |
{
|
|
|
93 |
struct PK11_st_SESSION *next;
|
|
|
94 |
CK_SESSION_HANDLE session; /* PK11 session handle */
|
|
|
95 |
pid_t pid; /* Current process ID */
|
|
|
96 |
CK_BBOOL persistent; /* is that a keystore object? */
|
|
|
97 |
union
|
|
|
98 |
{
|
|
|
99 |
#ifndef OPENSSL_NO_RSA
|
|
|
100 |
struct
|
|
|
101 |
{
|
|
|
102 |
CK_OBJECT_HANDLE rsa_pub_key; /* pub handle */
|
|
|
103 |
CK_OBJECT_HANDLE rsa_priv_key; /* priv handle */
|
|
|
104 |
RSA *rsa_pub; /* pub key addr */
|
|
|
105 |
BIGNUM *rsa_n_num; /* pub modulus */
|
|
|
106 |
BIGNUM *rsa_e_num; /* pub exponent */
|
|
|
107 |
RSA *rsa_priv; /* priv key addr */
|
|
|
108 |
BIGNUM *rsa_d_num; /* priv exponent */
|
|
|
109 |
} u_RSA;
|
|
|
110 |
#endif /* OPENSSL_NO_RSA */
|
|
|
111 |
#ifndef OPENSSL_NO_DSA
|
|
|
112 |
struct
|
|
|
113 |
{
|
|
|
114 |
CK_OBJECT_HANDLE dsa_pub_key; /* pub handle */
|
|
|
115 |
CK_OBJECT_HANDLE dsa_priv_key; /* priv handle */
|
|
|
116 |
DSA *dsa_pub; /* pub key addr */
|
|
|
117 |
BIGNUM *dsa_pub_num; /* pub key */
|
|
|
118 |
DSA *dsa_priv; /* priv key addr */
|
|
|
119 |
BIGNUM *dsa_priv_num; /* priv key */
|
|
|
120 |
} u_DSA;
|
|
|
121 |
#endif /* OPENSSL_NO_DSA */
|
|
|
122 |
#ifndef OPENSSL_NO_DH
|
|
|
123 |
struct
|
|
|
124 |
{
|
|
|
125 |
CK_OBJECT_HANDLE dh_key; /* key handle */
|
|
|
126 |
DH *dh; /* dh key addr */
|
|
|
127 |
BIGNUM *dh_priv_num; /* priv dh key */
|
|
|
128 |
} u_DH;
|
|
|
129 |
#endif /* OPENSSL_NO_DH */
|
|
|
130 |
struct
|
|
|
131 |
{
|
|
|
132 |
CK_OBJECT_HANDLE cipher_key; /* key handle */
|
|
|
133 |
unsigned char key[PK11_KEY_LEN_MAX];
|
|
|
134 |
int key_len; /* priv key len */
|
|
|
135 |
int encrypt; /* 1/0 enc/decr */
|
|
|
136 |
} u_cipher;
|
|
|
137 |
} opdata_u;
|
|
|
138 |
} PK11_SESSION;
|
|
|
139 |
|
|
|
140 |
#define opdata_rsa_pub_key opdata_u.u_RSA.rsa_pub_key
|
|
|
141 |
#define opdata_rsa_priv_key opdata_u.u_RSA.rsa_priv_key
|
|
|
142 |
#define opdata_rsa_pub opdata_u.u_RSA.rsa_pub
|
|
|
143 |
#define opdata_rsa_priv opdata_u.u_RSA.rsa_priv
|
|
|
144 |
#define opdata_rsa_n_num opdata_u.u_RSA.rsa_n_num
|
|
|
145 |
#define opdata_rsa_e_num opdata_u.u_RSA.rsa_e_num
|
|
|
146 |
#define opdata_rsa_d_num opdata_u.u_RSA.rsa_d_num
|
|
|
147 |
#define opdata_dsa_pub_key opdata_u.u_DSA.dsa_pub_key
|
|
|
148 |
#define opdata_dsa_priv_key opdata_u.u_DSA.dsa_priv_key
|
|
|
149 |
#define opdata_dsa_pub opdata_u.u_DSA.dsa_pub
|
|
|
150 |
#define opdata_dsa_pub_num opdata_u.u_DSA.dsa_pub_num
|
|
|
151 |
#define opdata_dsa_priv opdata_u.u_DSA.dsa_priv
|
|
|
152 |
#define opdata_dsa_priv_num opdata_u.u_DSA.dsa_priv_num
|
|
|
153 |
#define opdata_dh_key opdata_u.u_DH.dh_key
|
|
|
154 |
#define opdata_dh opdata_u.u_DH.dh
|
|
|
155 |
#define opdata_dh_priv_num opdata_u.u_DH.dh_priv_num
|
|
|
156 |
#define opdata_cipher_key opdata_u.u_cipher.cipher_key
|
|
|
157 |
#define opdata_key opdata_u.u_cipher.key
|
|
|
158 |
#define opdata_key_len opdata_u.u_cipher.key_len
|
|
|
159 |
#define opdata_encrypt opdata_u.u_cipher.encrypt
|
|
|
160 |
|
|
|
161 |
/*
|
|
|
162 |
* We have 3 different groups of operation types:
|
|
|
163 |
* 1) asymmetric operations
|
|
|
164 |
* 2) random operations
|
|
|
165 |
* 3) symmetric and digest operations
|
|
|
166 |
*
|
|
|
167 |
* This division into groups stems from the fact that it's common that hardware
|
|
|
168 |
* providers may support operations from one group only. For example, hardware
|
|
|
169 |
* providers on UltraSPARC T2, n2rng(7d), ncp(7d), and n2cp(7d), each support
|
|
|
170 |
* only a single group of operations.
|
|
|
171 |
*
|
|
|
172 |
* For every group a different slot can be chosen. That means that we must have
|
|
|
173 |
* at least 3 different lists of cached PKCS#11 sessions since sessions from
|
|
|
174 |
* different groups may be initialized in different slots.
|
|
|
175 |
*
|
|
|
176 |
* To provide locking granularity in multithreaded environment, the groups are
|
|
|
177 |
* further splitted into types with each type having a separate session cache.
|
|
|
178 |
*/
|
|
|
179 |
typedef enum PK11_OPTYPE_ENUM
|
|
|
180 |
{
|
|
|
181 |
OP_RAND,
|
|
|
182 |
OP_RSA,
|
|
|
183 |
OP_DSA,
|
|
|
184 |
OP_DH,
|
|
|
185 |
OP_CIPHER,
|
|
|
186 |
OP_DIGEST,
|
|
|
187 |
OP_MAX
|
|
|
188 |
} PK11_OPTYPE;
|
|
|
189 |
|
|
|
190 |
/*
|
|
|
191 |
* This structure contains the heads of the lists forming the object caches
|
|
|
192 |
* and locks associated with the lists.
|
|
|
193 |
*/
|
|
|
194 |
typedef struct PK11_st_CACHE
|
|
|
195 |
{
|
|
|
196 |
PK11_SESSION *head;
|
|
|
197 |
pthread_mutex_t *lock;
|
|
|
198 |
} PK11_CACHE;
|
|
|
199 |
|
|
|
200 |
/* structure for tracking handles of asymmetric key objects */
|
|
|
201 |
typedef struct PK11_active_st
|
|
|
202 |
{
|
|
|
203 |
CK_OBJECT_HANDLE h;
|
|
|
204 |
unsigned int refcnt;
|
|
|
205 |
struct PK11_active_st *prev;
|
|
|
206 |
struct PK11_active_st *next;
|
|
|
207 |
} PK11_active;
|
|
|
208 |
|
|
|
209 |
extern pthread_mutex_t *find_lock[];
|
|
|
210 |
extern PK11_active *active_list[];
|
|
|
211 |
/*
|
|
|
212 |
* These variables are specific for the RSA keys by reference code. See
|
|
|
213 |
* hw_pk11_pub.c for explanation.
|
|
|
214 |
*/
|
|
|
215 |
extern char *passphrasedialog;
|
|
|
216 |
extern CK_FLAGS pubkey_token_flags;
|
|
|
217 |
|
|
|
218 |
#define LOCK_OBJSTORE(alg_type) \
|
|
|
219 |
(void) pthread_mutex_lock(find_lock[alg_type])
|
|
|
220 |
#define UNLOCK_OBJSTORE(alg_type) \
|
|
|
221 |
(void) pthread_mutex_unlock(find_lock[alg_type])
|
|
|
222 |
|
|
|
223 |
extern PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
|
|
|
224 |
extern void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
|
|
|
225 |
|
|
|
226 |
#ifndef OPENSSL_NO_RSA
|
|
|
227 |
extern int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
|
|
|
228 |
extern int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
|
|
|
229 |
extern int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
|
|
|
230 |
extern EVP_PKEY *pk11_load_privkey(ENGINE *e, const char *pubkey_file,
|
|
|
231 |
UI_METHOD *ui_method, void *callback_data);
|
|
|
232 |
extern EVP_PKEY *pk11_load_pubkey(ENGINE *e, const char *pubkey_file,
|
|
|
233 |
UI_METHOD *ui_method, void *callback_data);
|
|
|
234 |
extern RSA_METHOD *PK11_RSA(void);
|
|
|
235 |
#endif /* OPENSSL_NO_RSA */
|
|
|
236 |
#ifndef OPENSSL_NO_DSA
|
|
|
237 |
extern int pk11_destroy_dsa_key_objects(PK11_SESSION *session);
|
|
|
238 |
extern int pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
|
|
|
239 |
extern int pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
|
|
|
240 |
extern DSA_METHOD *PK11_DSA(void);
|
|
|
241 |
#endif /* OPENSSL_NO_DSA */
|
|
|
242 |
#ifndef OPENSSL_NO_DH
|
|
|
243 |
extern int pk11_destroy_dh_key_objects(PK11_SESSION *session);
|
|
|
244 |
extern int pk11_destroy_dh_object(PK11_SESSION *sp, CK_BBOOL uselock);
|
|
|
245 |
extern DH_METHOD *PK11_DH(void);
|
|
|
246 |
#endif /* OPENSSL_NO_DH */
|
|
|
247 |
|
|
|
248 |
extern CK_FUNCTION_LIST_PTR pFuncList;
|
|
|
249 |
|
|
|
250 |
#endif /* HW_PK11_H */
|