From ef1c363e35e2008bd03aed5318bca050618e3f39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Wed, 22 Dec 2021 21:55:37 +0100 Subject: [PATCH 01/39] module: icp: spi: remove crypto_{provider,op}_notification() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/core/kcf_mech_tabs.c | 1 - module/icp/include/sys/crypto/spi.h | 2 - module/icp/spi/kcf_spi.c | 136 ---------------------------- 3 files changed, 139 deletions(-) diff --git a/module/icp/core/kcf_mech_tabs.c b/module/icp/core/kcf_mech_tabs.c index 60055e78af68..9df5f0734aa7 100644 --- a/module/icp/core/kcf_mech_tabs.c +++ b/module/icp/core/kcf_mech_tabs.c @@ -769,7 +769,6 @@ kcf_get_mech_entry(crypto_mech_type_t mech_type, kcf_mech_entry_t **mep) return (KCF_SUCCESS); } -/* CURRENTLY UNSUPPORTED: attempting to load the module if it isn't found */ /* * Lookup the hash table for an entry that matches the mechname. * If there are no hardware or software providers for the mechanism, diff --git a/module/icp/include/sys/crypto/spi.h b/module/icp/include/sys/crypto/spi.h index 0f1b455c808e..8938b25ea62e 100644 --- a/module/icp/include/sys/crypto/spi.h +++ b/module/icp/include/sys/crypto/spi.h @@ -714,8 +714,6 @@ typedef struct crypto_provider_info { extern int crypto_register_provider(const crypto_provider_info_t *, crypto_kcf_provider_handle_t *); extern int crypto_unregister_provider(crypto_kcf_provider_handle_t); -extern void crypto_provider_notification(crypto_kcf_provider_handle_t, uint_t); -extern void crypto_op_notification(crypto_req_handle_t, int); extern int crypto_kmflag(crypto_req_handle_t); diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c index 25fe9b5b66be..e6b8e29a1d85 100644 --- a/module/icp/spi/kcf_spi.c +++ b/module/icp/spi/kcf_spi.c @@ -402,142 +402,6 @@ crypto_unregister_provider(crypto_kcf_provider_handle_t handle) return (CRYPTO_SUCCESS); } -/* - * This routine is used to notify the framework that the state of - * a cryptographic provider has changed. Valid state codes are: - * - * CRYPTO_PROVIDER_READY - * The provider indicates that it can process more requests. A provider - * will notify with this event if it previously has notified us with a - * CRYPTO_PROVIDER_BUSY. - * - * CRYPTO_PROVIDER_BUSY - * The provider can not take more requests. - * - * CRYPTO_PROVIDER_FAILED - * The provider encountered an internal error. The framework will not - * be sending any more requests to the provider. The provider may notify - * with a CRYPTO_PROVIDER_READY, if it is able to recover from the error. - * - * This routine can be called from user or interrupt context. - */ -void -crypto_provider_notification(crypto_kcf_provider_handle_t handle, uint_t state) -{ - kcf_provider_desc_t *pd; - - /* lookup the provider from the given handle */ - if ((pd = kcf_prov_tab_lookup((crypto_provider_id_t)handle)) == NULL) - return; - - mutex_enter(&pd->pd_lock); - - if (pd->pd_state <= KCF_PROV_VERIFICATION_FAILED) - goto out; - - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { - cmn_err(CE_WARN, "crypto_provider_notification: " - "logical provider (%x) ignored\n", handle); - goto out; - } - switch (state) { - case CRYPTO_PROVIDER_READY: - switch (pd->pd_state) { - case KCF_PROV_BUSY: - pd->pd_state = KCF_PROV_READY; - /* - * Signal the per-provider taskq threads that they - * can start submitting requests. - */ - cv_broadcast(&pd->pd_resume_cv); - break; - - case KCF_PROV_FAILED: - /* - * The provider recovered from the error. Let us - * use it now. - */ - pd->pd_state = KCF_PROV_READY; - break; - default: - break; - } - break; - - case CRYPTO_PROVIDER_BUSY: - switch (pd->pd_state) { - case KCF_PROV_READY: - pd->pd_state = KCF_PROV_BUSY; - break; - default: - break; - } - break; - - case CRYPTO_PROVIDER_FAILED: - /* - * We note the failure and return. The per-provider taskq - * threads check this flag and start failing the - * requests, if it is set. See process_req_hwp() for details. - */ - switch (pd->pd_state) { - case KCF_PROV_READY: - pd->pd_state = KCF_PROV_FAILED; - break; - - case KCF_PROV_BUSY: - pd->pd_state = KCF_PROV_FAILED; - /* - * The per-provider taskq threads may be waiting. We - * signal them so that they can start failing requests. - */ - cv_broadcast(&pd->pd_resume_cv); - break; - default: - break; - } - break; - default: - break; - } -out: - mutex_exit(&pd->pd_lock); - KCF_PROV_REFRELE(pd); -} - -/* - * This routine is used to notify the framework the result of - * an asynchronous request handled by a provider. Valid error - * codes are the same as the CRYPTO_* errors defined in common.h. - * - * This routine can be called from user or interrupt context. - */ -void -crypto_op_notification(crypto_req_handle_t handle, int error) -{ - kcf_call_type_t ctype; - - if (handle == NULL) - return; - - if ((ctype = GET_REQ_TYPE(handle)) == CRYPTO_SYNCH) { - kcf_sreq_node_t *sreq = (kcf_sreq_node_t *)handle; - - if (error != CRYPTO_SUCCESS) - sreq->sn_provider->pd_sched_info.ks_nfails++; - KCF_PROV_IREFRELE(sreq->sn_provider); - kcf_sop_done(sreq, error); - } else { - kcf_areq_node_t *areq = (kcf_areq_node_t *)handle; - - ASSERT(ctype == CRYPTO_ASYNCH); - if (error != CRYPTO_SUCCESS) - areq->an_provider->pd_sched_info.ks_nfails++; - KCF_PROV_IREFRELE(areq->an_provider); - kcf_aop_done(areq, error); - } -} - /* * This routine is used by software providers to determine * whether to use KM_SLEEP or KM_NOSLEEP during memory allocation. From 280b1ce1869fcc4328d54b2e585cfda075f2e8fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Wed, 22 Dec 2021 22:03:00 +0100 Subject: [PATCH 02/39] module: icp: spi: remove crypto_control_ops_t MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/core/kcf_prov_tabs.c | 9 --------- module/icp/include/sys/crypto/impl.h | 12 ------------ module/icp/include/sys/crypto/spi.h | 20 -------------------- module/icp/io/aes.c | 17 ----------------- module/icp/io/sha2_mod.c | 17 ----------------- module/icp/io/skein_mod.c | 17 ----------------- module/icp/spi/kcf_spi.c | 1 - 7 files changed, 93 deletions(-) diff --git a/module/icp/core/kcf_prov_tabs.c b/module/icp/core/kcf_prov_tabs.c index 664e96da9c28..09fd12bf4b86 100644 --- a/module/icp/core/kcf_prov_tabs.c +++ b/module/icp/core/kcf_prov_tabs.c @@ -208,10 +208,6 @@ static void allocate_ops_v1(const crypto_ops_t *src, crypto_ops_t *dst, uint_t *mech_list_count) { - if (src->co_control_ops != NULL) - dst->co_control_ops = kmem_alloc(sizeof (crypto_control_ops_t), - KM_SLEEP); - if (src->co_digest_ops != NULL) dst->co_digest_ops = kmem_alloc(sizeof (crypto_digest_ops_t), KM_SLEEP); @@ -412,11 +408,6 @@ kcf_free_provider_desc(kcf_provider_desc_t *desc) CRYPTO_PROVIDER_DESCR_MAX_LEN + 1); if (desc->pd_ops_vector != NULL) { - - if (desc->pd_ops_vector->co_control_ops != NULL) - kmem_free(desc->pd_ops_vector->co_control_ops, - sizeof (crypto_control_ops_t)); - if (desc->pd_ops_vector->co_digest_ops != NULL) kmem_free(desc->pd_ops_vector->co_digest_ops, sizeof (crypto_digest_ops_t)); diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index 4906549b5687..bb777e689f03 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -509,7 +509,6 @@ typedef struct crypto_minor { * of type kcf_prov_desc_t. */ -#define KCF_PROV_CONTROL_OPS(pd) ((pd)->pd_ops_vector->co_control_ops) #define KCF_PROV_CTX_OPS(pd) ((pd)->pd_ops_vector->co_ctx_ops) #define KCF_PROV_DIGEST_OPS(pd) ((pd)->pd_ops_vector->co_digest_ops) #define KCF_PROV_CIPHER_OPS(pd) ((pd)->pd_ops_vector->co_cipher_ops) @@ -528,17 +527,6 @@ typedef struct crypto_minor { #define KCF_PROV_NOSTORE_KEY_OPS(pd) \ ((pd)->pd_ops_vector->co_nostore_key_ops) -/* - * Wrappers for crypto_control_ops(9S) entry points. - */ - -#define KCF_PROV_STATUS(pd, status) ( \ - (KCF_PROV_CONTROL_OPS(pd) && \ - KCF_PROV_CONTROL_OPS(pd)->provider_status) ? \ - KCF_PROV_CONTROL_OPS(pd)->provider_status( \ - (pd)->pd_prov_handle, status) : \ - CRYPTO_NOT_SUPPORTED) - /* * Wrappers for crypto_ctx_ops(9S) entry points. */ diff --git a/module/icp/include/sys/crypto/spi.h b/module/icp/include/sys/crypto/spi.h index 8938b25ea62e..4a4909544dbf 100644 --- a/module/icp/include/sys/crypto/spi.h +++ b/module/icp/include/sys/crypto/spi.h @@ -119,16 +119,6 @@ typedef struct crypto_ctx { #define CRYPTO_EXTF_SO_PIN_LOCKED 0x00400000 #define CRYPTO_EXTF_SO_PIN_TO_BE_CHANGED 0x00800000 -/* - * The crypto_control_ops structure contains pointers to control - * operations for cryptographic providers. It is passed through - * the crypto_ops(9S) structure when providers register with the - * kernel using crypto_register_provider(9F). - */ -typedef struct crypto_control_ops { - void (*provider_status)(crypto_provider_handle_t, uint_t *); -} __no_const crypto_control_ops_t; - /* * The crypto_ctx_ops structure contains points to context and context * templates management operations for cryptographic providers. It is @@ -498,7 +488,6 @@ typedef struct crypto_nostore_key_ops { * by calling crypto_register_provider(9F). */ typedef struct crypto_ops_v1 { - const crypto_control_ops_t *co_control_ops; const crypto_digest_ops_t *co_digest_ops; const crypto_cipher_ops_t *co_cipher_ops; const crypto_mac_ops_t *co_mac_ops; @@ -532,7 +521,6 @@ typedef struct crypto_ops { } cou; } crypto_ops_t; -#define co_control_ops cou.cou_v1.co_control_ops #define co_digest_ops cou.cou_v1.co_digest_ops #define co_cipher_ops cou.cou_v1.co_cipher_ops #define co_mac_ops cou.cou_v1.co_mac_ops @@ -697,14 +685,6 @@ typedef struct crypto_provider_info { #define CRYPTO_PIFLAGS_RESERVED2 0x40000000 #define CRYPTO_PIFLAGS_RESERVED1 0x80000000 -/* - * Provider status passed by a provider to crypto_provider_notification(9F) - * and returned by the provider_status(9E) entry point. - */ -#define CRYPTO_PROVIDER_READY 0 -#define CRYPTO_PROVIDER_BUSY 1 -#define CRYPTO_PROVIDER_FAILED 2 - /* * Functions exported by Solaris to cryptographic providers. Providers * call these functions to register and unregister, notify the kernel diff --git a/module/icp/io/aes.c b/module/icp/io/aes.c index be1736864c0b..686c5fda84c4 100644 --- a/module/icp/io/aes.c +++ b/module/icp/io/aes.c @@ -75,12 +75,6 @@ static const crypto_mech_info_t aes_mech_info_tab[] = { AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES} }; -static void aes_provider_status(crypto_provider_handle_t, uint_t *); - -static const crypto_control_ops_t aes_control_ops = { - aes_provider_status -}; - static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); static int aes_decrypt_init(crypto_ctx_t *, crypto_mechanism_t *, @@ -150,7 +144,6 @@ static const crypto_ctx_ops_t aes_ctx_ops = { }; static const crypto_ops_t aes_crypto_ops = {{{{{ - &aes_control_ops, NULL, &aes_cipher_ops, &aes_mac_ops, @@ -284,16 +277,6 @@ init_keysched(crypto_key_t *key, void *newbie) return (CRYPTO_SUCCESS); } -/* - * KCF software provider control entry points. - */ -static void -aes_provider_status(crypto_provider_handle_t provider, uint_t *status) -{ - (void) provider; - *status = CRYPTO_PROVIDER_READY; -} - static int aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_spi_ctx_template_t template, diff --git a/module/icp/io/sha2_mod.c b/module/icp/io/sha2_mod.c index 7ee16e1372ad..df25d1544b14 100644 --- a/module/icp/io/sha2_mod.c +++ b/module/icp/io/sha2_mod.c @@ -105,12 +105,6 @@ static const crypto_mech_info_t sha2_mech_info_tab[] = { CRYPTO_KEYSIZE_UNIT_IN_BYTES} }; -static void sha2_provider_status(crypto_provider_handle_t, uint_t *); - -static const crypto_control_ops_t sha2_control_ops = { - sha2_provider_status -}; - static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_req_handle_t); static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, @@ -164,7 +158,6 @@ static const crypto_ctx_ops_t sha2_ctx_ops = { }; static const crypto_ops_t sha2_crypto_ops = {{{{{ - &sha2_control_ops, &sha2_digest_ops, NULL, &sha2_mac_ops, @@ -229,16 +222,6 @@ sha2_mod_fini(void) return (ret); } -/* - * KCF software provider control entry points. - */ -static void -sha2_provider_status(crypto_provider_handle_t provider, uint_t *status) -{ - (void) provider; - *status = CRYPTO_PROVIDER_READY; -} - /* * KCF software provider digest entry points. */ diff --git a/module/icp/io/skein_mod.c b/module/icp/io/skein_mod.c index d0917e71b12e..b54685873fb1 100644 --- a/module/icp/io/skein_mod.c +++ b/module/icp/io/skein_mod.c @@ -51,12 +51,6 @@ static const crypto_mech_info_t skein_mech_info_tab[] = { CRYPTO_KEYSIZE_UNIT_IN_BYTES} }; -static void skein_provider_status(crypto_provider_handle_t, uint_t *); - -static const crypto_control_ops_t skein_control_ops = { - skein_provider_status -}; - static int skein_digest_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_req_handle_t); static int skein_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, @@ -102,7 +96,6 @@ static const crypto_ctx_ops_t skein_ctx_ops = { }; static const crypto_ops_t skein_crypto_ops = {{{{{ - &skein_control_ops, &skein_digest_ops, NULL, &skein_mac_ops, @@ -222,16 +215,6 @@ skein_mod_fini(void) return (0); } -/* - * KCF software provider control entry points. - */ -static void -skein_provider_status(crypto_provider_handle_t provider, uint_t *status) -{ - (void) provider; - *status = CRYPTO_PROVIDER_READY; -} - /* * General Skein hashing helper functions. */ diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c index e6b8e29a1d85..7e7487912bf9 100644 --- a/module/icp/spi/kcf_spi.c +++ b/module/icp/spi/kcf_spi.c @@ -72,7 +72,6 @@ static const kcf_prov_stats_t kcf_stats_ks_data_template = { static void copy_ops_vector_v1(const crypto_ops_t *src_ops, crypto_ops_t *dst_ops) { - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_control_ops); KCF_SPI_COPY_OPS(src_ops, dst_ops, co_digest_ops); KCF_SPI_COPY_OPS(src_ops, dst_ops, co_cipher_ops); KCF_SPI_COPY_OPS(src_ops, dst_ops, co_mac_ops); From 4245184489088ad285a8a178e931349007309437 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Wed, 22 Dec 2021 22:09:28 +0100 Subject: [PATCH 03/39] module: icp: spi: flatten struct crypto_ops, crypto_provider_info MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/core/kcf_prov_tabs.c | 16 +------- module/icp/include/sys/crypto/spi.h | 59 +---------------------------- module/icp/io/aes.c | 9 ++--- module/icp/io/sha2_mod.c | 9 ++--- module/icp/io/skein_mod.c | 9 ++--- module/icp/spi/kcf_spi.c | 25 ++---------- 6 files changed, 19 insertions(+), 108 deletions(-) diff --git a/module/icp/core/kcf_prov_tabs.c b/module/icp/core/kcf_prov_tabs.c index 09fd12bf4b86..ce47109da4e1 100644 --- a/module/icp/core/kcf_prov_tabs.c +++ b/module/icp/core/kcf_prov_tabs.c @@ -205,7 +205,7 @@ kcf_prov_tab_lookup(crypto_provider_id_t prov_id) } static void -allocate_ops_v1(const crypto_ops_t *src, crypto_ops_t *dst, +allocate_ops(const crypto_ops_t *src, crypto_ops_t *dst, uint_t *mech_list_count) { if (src->co_digest_ops != NULL) @@ -268,19 +268,11 @@ allocate_ops_v1(const crypto_ops_t *src, crypto_ops_t *dst, if (src->co_ctx_ops != NULL) dst->co_ctx_ops = kmem_alloc(sizeof (crypto_ctx_ops_t), KM_SLEEP); -} -static void -allocate_ops_v2(const crypto_ops_t *src, crypto_ops_t *dst) -{ if (src->co_mech_ops != NULL) dst->co_mech_ops = kmem_alloc(sizeof (crypto_mech_ops_t), KM_SLEEP); -} -static void -allocate_ops_v3(const crypto_ops_t *src, crypto_ops_t *dst) -{ if (src->co_nostore_key_ops != NULL) dst->co_nostore_key_ops = kmem_alloc(sizeof (crypto_nostore_key_ops_t), KM_SLEEP); @@ -329,11 +321,7 @@ kcf_alloc_provider_desc(const crypto_provider_info_t *info) crypto_ops_t *opvec = kmem_zalloc(sizeof (crypto_ops_t), KM_SLEEP); if (info->pi_provider_type != CRYPTO_LOGICAL_PROVIDER) { - allocate_ops_v1(src_ops, opvec, &mech_list_count); - if (info->pi_interface_version >= CRYPTO_SPI_VERSION_2) - allocate_ops_v2(src_ops, opvec); - if (info->pi_interface_version == CRYPTO_SPI_VERSION_3) - allocate_ops_v3(src_ops, opvec); + allocate_ops(src_ops, opvec, &mech_list_count); } desc->pd_ops_vector = opvec; diff --git a/module/icp/include/sys/crypto/spi.h b/module/icp/include/sys/crypto/spi.h index 4a4909544dbf..7e265d3a903c 100644 --- a/module/icp/include/sys/crypto/spi.h +++ b/module/icp/include/sys/crypto/spi.h @@ -487,7 +487,7 @@ typedef struct crypto_nostore_key_ops { * supplied by a provider when it registers with the kernel * by calling crypto_register_provider(9F). */ -typedef struct crypto_ops_v1 { +typedef struct crypto_ops { const crypto_digest_ops_t *co_digest_ops; const crypto_cipher_ops_t *co_cipher_ops; const crypto_mac_ops_t *co_mac_ops; @@ -501,42 +501,10 @@ typedef struct crypto_ops_v1 { crypto_key_ops_t *co_key_ops; crypto_provider_management_ops_t *co_provider_ops; const crypto_ctx_ops_t *co_ctx_ops; -} crypto_ops_v1_t; - -typedef struct crypto_ops_v2 { - crypto_ops_v1_t v1_ops; crypto_mech_ops_t *co_mech_ops; -} crypto_ops_v2_t; - -typedef struct crypto_ops_v3 { - crypto_ops_v2_t v2_ops; crypto_nostore_key_ops_t *co_nostore_key_ops; -} crypto_ops_v3_t; - -typedef struct crypto_ops { - union { - crypto_ops_v3_t cou_v3; - crypto_ops_v2_t cou_v2; - crypto_ops_v1_t cou_v1; - } cou; } crypto_ops_t; -#define co_digest_ops cou.cou_v1.co_digest_ops -#define co_cipher_ops cou.cou_v1.co_cipher_ops -#define co_mac_ops cou.cou_v1.co_mac_ops -#define co_sign_ops cou.cou_v1.co_sign_ops -#define co_verify_ops cou.cou_v1.co_verify_ops -#define co_dual_ops cou.cou_v1.co_dual_ops -#define co_dual_cipher_mac_ops cou.cou_v1.co_dual_cipher_mac_ops -#define co_random_ops cou.cou_v1.co_random_ops -#define co_session_ops cou.cou_v1.co_session_ops -#define co_object_ops cou.cou_v1.co_object_ops -#define co_key_ops cou.cou_v1.co_key_ops -#define co_provider_ops cou.cou_v1.co_provider_ops -#define co_ctx_ops cou.cou_v1.co_ctx_ops -#define co_mech_ops cou.cou_v2.co_mech_ops -#define co_nostore_key_ops cou.cou_v3.co_nostore_key_ops - /* * The mechanism info structure crypto_mech_info_t contains a function group * bit mask cm_func_group_mask. This field, of type crypto_func_group_t, @@ -636,8 +604,7 @@ typedef uint_t crypto_kcf_provider_handle_t; * register for the same device instance. In this case, the same * pi_provider_dev must be specified with a different pi_provider_handle. */ -typedef struct crypto_provider_info_v1 { - uint_t pi_interface_version; +typedef struct crypto_provider_info { char *pi_provider_description; crypto_provider_type_t pi_provider_type; crypto_provider_handle_t pi_provider_handle; @@ -646,31 +613,9 @@ typedef struct crypto_provider_info_v1 { const crypto_mech_info_t *pi_mechanisms; uint_t pi_logical_provider_count; crypto_kcf_provider_handle_t *pi_logical_providers; -} crypto_provider_info_v1_t; - -typedef struct crypto_provider_info_v2 { - crypto_provider_info_v1_t v1_info; uint_t pi_flags; -} crypto_provider_info_v2_t; - -typedef struct crypto_provider_info { - union { - crypto_provider_info_v2_t piu_v2; - crypto_provider_info_v1_t piu_v1; - } piu; } crypto_provider_info_t; -#define pi_interface_version piu.piu_v1.pi_interface_version -#define pi_provider_description piu.piu_v1.pi_provider_description -#define pi_provider_type piu.piu_v1.pi_provider_type -#define pi_provider_handle piu.piu_v1.pi_provider_handle -#define pi_ops_vector piu.piu_v1.pi_ops_vector -#define pi_mech_list_count piu.piu_v1.pi_mech_list_count -#define pi_mechanisms piu.piu_v1.pi_mechanisms -#define pi_logical_provider_count piu.piu_v1.pi_logical_provider_count -#define pi_logical_providers piu.piu_v1.pi_logical_providers -#define pi_flags piu.piu_v2.pi_flags - /* hidden providers can only be accessed via a logical provider */ #define CRYPTO_HIDE_PROVIDER 0x00000001 /* diff --git a/module/icp/io/aes.c b/module/icp/io/aes.c index 686c5fda84c4..1c412d9ee844 100644 --- a/module/icp/io/aes.c +++ b/module/icp/io/aes.c @@ -143,7 +143,7 @@ static const crypto_ctx_ops_t aes_ctx_ops = { .free_context = aes_free_context }; -static const crypto_ops_t aes_crypto_ops = {{{{{ +static const crypto_ops_t aes_crypto_ops = { NULL, &aes_cipher_ops, &aes_mac_ops, @@ -157,17 +157,16 @@ static const crypto_ops_t aes_crypto_ops = {{{{{ NULL, NULL, &aes_ctx_ops -}}}}}; +}; -static const crypto_provider_info_t aes_prov_info = {{{{ - CRYPTO_SPI_VERSION_1, +static const crypto_provider_info_t aes_prov_info = { "AES Software Provider", CRYPTO_SW_PROVIDER, NULL, &aes_crypto_ops, sizeof (aes_mech_info_tab) / sizeof (crypto_mech_info_t), aes_mech_info_tab -}}}}; +}; static crypto_kcf_provider_handle_t aes_prov_handle = 0; static crypto_data_t null_crypto_data = { CRYPTO_DATA_RAW }; diff --git a/module/icp/io/sha2_mod.c b/module/icp/io/sha2_mod.c index df25d1544b14..0c7f8a73d355 100644 --- a/module/icp/io/sha2_mod.c +++ b/module/icp/io/sha2_mod.c @@ -157,7 +157,7 @@ static const crypto_ctx_ops_t sha2_ctx_ops = { .free_context = sha2_free_context }; -static const crypto_ops_t sha2_crypto_ops = {{{{{ +static const crypto_ops_t sha2_crypto_ops = { &sha2_digest_ops, NULL, &sha2_mac_ops, @@ -171,17 +171,16 @@ static const crypto_ops_t sha2_crypto_ops = {{{{{ NULL, NULL, &sha2_ctx_ops -}}}}}; +}; -static const crypto_provider_info_t sha2_prov_info = {{{{ - CRYPTO_SPI_VERSION_1, +static const crypto_provider_info_t sha2_prov_info = { "SHA2 Software Provider", CRYPTO_SW_PROVIDER, NULL, &sha2_crypto_ops, sizeof (sha2_mech_info_tab) / sizeof (crypto_mech_info_t), sha2_mech_info_tab -}}}}; +}; static crypto_kcf_provider_handle_t sha2_prov_handle = 0; diff --git a/module/icp/io/skein_mod.c b/module/icp/io/skein_mod.c index b54685873fb1..cceea29d4f19 100644 --- a/module/icp/io/skein_mod.c +++ b/module/icp/io/skein_mod.c @@ -95,7 +95,7 @@ static const crypto_ctx_ops_t skein_ctx_ops = { .free_context = skein_free_context }; -static const crypto_ops_t skein_crypto_ops = {{{{{ +static const crypto_ops_t skein_crypto_ops = { &skein_digest_ops, NULL, &skein_mac_ops, @@ -109,17 +109,16 @@ static const crypto_ops_t skein_crypto_ops = {{{{{ NULL, NULL, &skein_ctx_ops, -}}}}}; +}; -static const crypto_provider_info_t skein_prov_info = {{{{ - CRYPTO_SPI_VERSION_1, +static const crypto_provider_info_t skein_prov_info = { "Skein Software Provider", CRYPTO_SW_PROVIDER, NULL, &skein_crypto_ops, sizeof (skein_mech_info_tab) / sizeof (crypto_mech_info_t), skein_mech_info_tab -}}}}; +}; static crypto_kcf_provider_handle_t skein_prov_handle = 0; diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c index 7e7487912bf9..51670d5b9833 100644 --- a/module/icp/spi/kcf_spi.c +++ b/module/icp/spi/kcf_spi.c @@ -70,7 +70,7 @@ static const kcf_prov_stats_t kcf_stats_ks_data_template = { * persistent. */ static void -copy_ops_vector_v1(const crypto_ops_t *src_ops, crypto_ops_t *dst_ops) +copy_ops_vector(const crypto_ops_t *src_ops, crypto_ops_t *dst_ops) { KCF_SPI_COPY_OPS(src_ops, dst_ops, co_digest_ops); KCF_SPI_COPY_OPS(src_ops, dst_ops, co_cipher_ops); @@ -85,17 +85,7 @@ copy_ops_vector_v1(const crypto_ops_t *src_ops, crypto_ops_t *dst_ops) KCF_SPI_COPY_OPS(src_ops, dst_ops, co_key_ops); KCF_SPI_COPY_OPS(src_ops, dst_ops, co_provider_ops); KCF_SPI_COPY_OPS(src_ops, dst_ops, co_ctx_ops); -} - -static void -copy_ops_vector_v2(const crypto_ops_t *src_ops, crypto_ops_t *dst_ops) -{ KCF_SPI_COPY_OPS(src_ops, dst_ops, co_mech_ops); -} - -static void -copy_ops_vector_v3(const crypto_ops_t *src_ops, crypto_ops_t *dst_ops) -{ KCF_SPI_COPY_OPS(src_ops, dst_ops, co_nostore_key_ops); } @@ -116,9 +106,6 @@ crypto_register_provider(const crypto_provider_info_t *info, kcf_provider_desc_t *prov_desc = NULL; int ret = CRYPTO_ARGUMENTS_BAD; - if (info->pi_interface_version > CRYPTO_SPI_VERSION_3) - return (CRYPTO_VERSION_MISMATCH); - /* * Check provider type, must be software, hardware, or logical. */ @@ -159,14 +146,8 @@ crypto_register_provider(const crypto_provider_info_t *info, goto bail; } crypto_ops_t *pvec = (crypto_ops_t *)prov_desc->pd_ops_vector; - copy_ops_vector_v1(info->pi_ops_vector, pvec); - if (info->pi_interface_version >= CRYPTO_SPI_VERSION_2) { - copy_ops_vector_v2(info->pi_ops_vector, pvec); - prov_desc->pd_flags = info->pi_flags; - } - if (info->pi_interface_version == CRYPTO_SPI_VERSION_3) { - copy_ops_vector_v3(info->pi_ops_vector, pvec); - } + copy_ops_vector(info->pi_ops_vector, pvec); + prov_desc->pd_flags = info->pi_flags; } /* object_ops and nostore_key_ops are mutually exclusive */ From 40dc1eacd19e0ebf38289723c1f785bd9d5df6bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Wed, 22 Dec 2021 23:29:25 +0100 Subject: [PATCH 04/39] module: icp: spi: crypto_ops_t: remove unused op types MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/sys/crypto/api.h | 199 ---- include/sys/crypto/common.h | 44 - module/icp/api/kcf_cipher.c | 91 +- module/icp/api/kcf_digest.c | 84 +- module/icp/api/kcf_mac.c | 54 +- module/icp/core/kcf_callprov.c | 1002 -------------------- module/icp/core/kcf_mech_tabs.c | 121 +-- module/icp/core/kcf_prov_tabs.c | 216 +---- module/icp/core/kcf_sched.c | 574 +---------- module/icp/include/sys/crypto/impl.h | 653 +------------ module/icp/include/sys/crypto/ops_impl.h | 389 +------- module/icp/include/sys/crypto/sched_impl.h | 27 +- module/icp/include/sys/crypto/spi.h | 358 +------ module/icp/io/aes.c | 15 +- module/icp/io/sha2_mod.c | 11 +- module/icp/io/skein_mod.c | 9 - module/icp/spi/kcf_spi.c | 89 +- 17 files changed, 74 insertions(+), 3862 deletions(-) diff --git a/include/sys/crypto/api.h b/include/sys/crypto/api.h index 17c9a645922e..3e27769e7a49 100644 --- a/include/sys/crypto/api.h +++ b/include/sys/crypto/api.h @@ -109,62 +109,6 @@ extern int crypto_mac_update(crypto_context_t ctx, crypto_data_t *data, extern int crypto_mac_final(crypto_context_t ctx, crypto_data_t *data, crypto_call_req_t *cr); -/* - * Single and multi-part sign with private key operations. - */ -extern int crypto_sign(crypto_mechanism_t *mech, crypto_key_t *key, - crypto_data_t *data, crypto_ctx_template_t tmpl, - crypto_data_t *signature, crypto_call_req_t *cr); -extern int crypto_sign_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); -extern int crypto_sign_init(crypto_mechanism_t *mech, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *cr); -extern int crypto_sign_init_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t, - crypto_context_t *, crypto_call_req_t *); -extern int crypto_sign_update(crypto_context_t ctx, crypto_data_t *data, - crypto_call_req_t *cr); -extern int crypto_sign_final(crypto_context_t ctx, crypto_data_t *signature, - crypto_call_req_t *cr); -extern int crypto_sign_recover_init_prov(crypto_provider_t, - crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, - crypto_ctx_template_t tmpl, crypto_context_t *, crypto_call_req_t *); -extern int crypto_sign_recover(crypto_mechanism_t *mech, crypto_key_t *key, - crypto_data_t *data, crypto_ctx_template_t tmpl, crypto_data_t *signature, - crypto_call_req_t *cr); -extern int crypto_sign_recover_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); - -/* - * Single and multi-part verify with public key operations. - */ -extern int crypto_verify(crypto_mechanism_t *mech, crypto_key_t *key, - crypto_data_t *data, crypto_ctx_template_t tmpl, crypto_data_t *signature, - crypto_call_req_t *cr); -extern int crypto_verify_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); -extern int crypto_verify_init(crypto_mechanism_t *mech, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *cr); -extern int crypto_verify_init_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t, - crypto_context_t *, crypto_call_req_t *); -extern int crypto_verify_update(crypto_context_t ctx, crypto_data_t *data, - crypto_call_req_t *cr); -extern int crypto_verify_final(crypto_context_t ctx, crypto_data_t *signature, - crypto_call_req_t *cr); -extern int crypto_verify_recover_init_prov(crypto_provider_t, - crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, - crypto_ctx_template_t tmpl, crypto_context_t *, crypto_call_req_t *); -extern int crypto_verify_recover(crypto_mechanism_t *mech, crypto_key_t *key, - crypto_data_t *signature, crypto_ctx_template_t tmpl, crypto_data_t *data, - crypto_call_req_t *cr); -extern int crypto_verify_recover_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); - /* * Single and multi-part encryption operations. */ @@ -206,149 +150,6 @@ extern int crypto_decrypt_update(crypto_context_t ctx, extern int crypto_decrypt_final(crypto_context_t ctx, crypto_data_t *plaintext, crypto_call_req_t *cr); -/* - * Single and multi-part encrypt/MAC dual operations. - */ -extern int crypto_encrypt_mac(crypto_mechanism_t *encr_mech, - crypto_mechanism_t *mac_mech, crypto_data_t *pt, - crypto_key_t *encr_key, crypto_key_t *mac_key, - crypto_ctx_template_t encr_tmpl, crypto_ctx_template_t mac_tmpl, - crypto_dual_data_t *ct, crypto_data_t *mac, crypto_call_req_t *cr); -extern int crypto_encrypt_mac_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_mechanism_t *, crypto_data_t *, - crypto_key_t *, crypto_key_t *, crypto_ctx_template_t, - crypto_ctx_template_t, crypto_dual_data_t *, crypto_data_t *, - crypto_call_req_t *); -extern int crypto_encrypt_mac_init(crypto_mechanism_t *encr_mech, - crypto_mechanism_t *mac_mech, crypto_key_t *encr_key, - crypto_key_t *mac_key, crypto_ctx_template_t encr_tmpl, - crypto_ctx_template_t mac_tmpl, crypto_context_t *ctxp, - crypto_call_req_t *cr); -extern int crypto_encrypt_mac_init_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_mechanism_t *, crypto_key_t *, crypto_key_t *, - crypto_ctx_template_t, crypto_ctx_template_t, crypto_context_t *, - crypto_call_req_t *); -extern int crypto_encrypt_mac_update(crypto_context_t ctx, - crypto_data_t *pt, crypto_dual_data_t *ct, crypto_call_req_t *cr); -extern int crypto_encrypt_mac_final(crypto_context_t ctx, - crypto_dual_data_t *ct, crypto_data_t *mac, crypto_call_req_t *cr); - -/* - * Single and multi-part MAC/decrypt dual operations. - */ -extern int crypto_mac_decrypt(crypto_mechanism_t *mac_mech, - crypto_mechanism_t *decr_mech, crypto_dual_data_t *ct, - crypto_key_t *mac_key, crypto_key_t *decr_key, - crypto_ctx_template_t mac_tmpl, crypto_ctx_template_t decr_tmpl, - crypto_data_t *mac, crypto_data_t *pt, crypto_call_req_t *cr); -extern int crypto_mac_decrypt_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *mac_mech, crypto_mechanism_t *decr_mech, - crypto_dual_data_t *ct, crypto_key_t *mac_key, crypto_key_t *decr_key, - crypto_ctx_template_t mac_tmpl, crypto_ctx_template_t decr_tmpl, - crypto_data_t *mac, crypto_data_t *pt, crypto_call_req_t *cr); -extern int crypto_mac_verify_decrypt(crypto_mechanism_t *mac_mech, - crypto_mechanism_t *decr_mech, crypto_dual_data_t *ct, - crypto_key_t *mac_key, crypto_key_t *decr_key, - crypto_ctx_template_t mac_tmpl, crypto_ctx_template_t decr_tmpl, - crypto_data_t *mac, crypto_data_t *pt, crypto_call_req_t *cr); -extern int crypto_mac_verify_decrypt_prov(crypto_provider_t, - crypto_session_id_t, crypto_mechanism_t *mac_mech, - crypto_mechanism_t *decr_mech, crypto_dual_data_t *ct, - crypto_key_t *mac_key, crypto_key_t *decr_key, - crypto_ctx_template_t mac_tmpl, crypto_ctx_template_t decr_tmpl, - crypto_data_t *mac, crypto_data_t *pt, crypto_call_req_t *cr); -extern int crypto_mac_decrypt_init(crypto_mechanism_t *mac_mech, - crypto_mechanism_t *decr_mech, crypto_key_t *mac_key, - crypto_key_t *decr_key, crypto_ctx_template_t mac_tmpl, - crypto_ctx_template_t decr_tmpl, crypto_context_t *ctxp, - crypto_call_req_t *cr); -extern int crypto_mac_decrypt_init_prov(crypto_provider_t, - crypto_session_id_t, crypto_mechanism_t *mac_mech, - crypto_mechanism_t *decr_mech, crypto_key_t *mac_key, - crypto_key_t *decr_key, crypto_ctx_template_t mac_tmpl, - crypto_ctx_template_t decr_tmpl, crypto_context_t *ctxp, - crypto_call_req_t *cr); -extern int crypto_mac_decrypt_update(crypto_context_t ctx, - crypto_dual_data_t *ct, crypto_data_t *pt, crypto_call_req_t *cr); -extern int crypto_mac_decrypt_final(crypto_context_t ctx, crypto_data_t *mac, - crypto_data_t *pt, crypto_call_req_t *cr); - -/* Session Management */ -extern int crypto_session_open(crypto_provider_t, crypto_session_id_t *, - crypto_call_req_t *); -extern int crypto_session_close(crypto_provider_t, crypto_session_id_t, - crypto_call_req_t *); -extern int crypto_session_login(crypto_provider_t, crypto_session_id_t, - crypto_user_type_t, char *, size_t, crypto_call_req_t *); -extern int crypto_session_logout(crypto_provider_t, crypto_session_id_t, - crypto_call_req_t *); - -/* Object Management */ -extern int crypto_object_copy(crypto_provider_t, crypto_session_id_t, - crypto_object_id_t, crypto_object_attribute_t *, uint_t, - crypto_object_id_t *, crypto_call_req_t *); -extern int crypto_object_create(crypto_provider_t, crypto_session_id_t, - crypto_object_attribute_t *, uint_t, crypto_object_id_t *, - crypto_call_req_t *); -extern int crypto_object_destroy(crypto_provider_t, crypto_session_id_t, - crypto_object_id_t, crypto_call_req_t *); -extern int crypto_object_get_attribute_value(crypto_provider_t, - crypto_session_id_t, crypto_object_id_t, crypto_object_attribute_t *, - uint_t, crypto_call_req_t *); -extern int crypto_object_get_size(crypto_provider_t, crypto_session_id_t, - crypto_object_id_t, size_t *, crypto_call_req_t *); -extern int crypto_object_find_final(crypto_provider_t, void *, - crypto_call_req_t *); -extern int crypto_object_find_init(crypto_provider_t, crypto_session_id_t, - crypto_object_attribute_t *, uint_t, void **, crypto_call_req_t *); -extern int crypto_object_find(crypto_provider_t, void *, crypto_object_id_t *, - uint_t *, uint_t, crypto_call_req_t *); -extern int crypto_object_set_attribute_value(crypto_provider_t, - crypto_session_id_t, crypto_object_id_t, crypto_object_attribute_t *, - uint_t, crypto_call_req_t *); - -/* Key Management */ -extern int crypto_key_derive(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_object_attribute_t *, - uint_t, crypto_object_id_t *, crypto_call_req_t *); -extern int crypto_key_generate(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_object_attribute_t *, uint_t, - crypto_object_id_t *, crypto_call_req_t *); -extern int crypto_key_generate_pair(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_object_attribute_t *, uint_t, - crypto_object_attribute_t *, uint_t, crypto_object_id_t *, - crypto_object_id_t *, crypto_call_req_t *); -extern int crypto_key_unwrap(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, uchar_t *, size_t *, - crypto_object_attribute_t *, uint_t, crypto_object_id_t *, - crypto_call_req_t *); -extern int crypto_key_wrap(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_object_id_t *, uchar_t *, - size_t *, crypto_call_req_t *); -extern int crypto_key_check_prov(crypto_provider_t, crypto_mechanism_t *mech, - crypto_key_t *key); -extern int crypto_key_check(crypto_mechanism_t *mech, crypto_key_t *key); - - -/* - * Routines to cancel a single asynchronous request or all asynchronous - * requests associated with a particular context. - */ -extern void crypto_cancel_req(crypto_req_id_t req); -extern void crypto_cancel_ctx(crypto_context_t ctx); - -/* - * crypto_get_mech_list(9F) allocates and returns the list of currently - * supported cryptographic mechanisms. - */ -extern crypto_mech_name_t *crypto_get_mech_list(uint_t *count, int kmflag); -extern void crypto_free_mech_list(crypto_mech_name_t *mech_names, - uint_t count); - -extern crypto_provider_t crypto_get_provider(char *, char *, char *); -extern int crypto_get_provinfo(crypto_provider_t, crypto_provider_ext_info_t *); -extern void crypto_release_provider(crypto_provider_t); - /* * A kernel consumer can request to be notified when some particular event * occurs. The valid events, callback function type, and functions to diff --git a/include/sys/crypto/common.h b/include/sys/crypto/common.h index 9a239225cd10..fa4d05c6c6b9 100644 --- a/include/sys/crypto/common.h +++ b/include/sys/crypto/common.h @@ -253,20 +253,6 @@ typedef struct crypto_data { #define cd_uio cdu.cdu_uio #define cd_mp cdu.cdu_mp -typedef struct crypto_dual_data { - crypto_data_t dd_data; /* The data */ - off_t dd_offset2; /* Used by dual operation */ - size_t dd_len2; /* # of bytes to take */ -} crypto_dual_data_t; - -#define dd_format dd_data.cd_format -#define dd_offset1 dd_data.cd_offset -#define dd_len1 dd_data.cd_length -#define dd_miscdata dd_data.cd_miscdata -#define dd_raw dd_data.cd_raw -#define dd_uio dd_data.cd_uio -#define dd_mp dd_data.cd_mp - /* The keys, and their contents */ typedef enum { @@ -430,26 +416,6 @@ typedef void *crypto_provider_t; #define CRYPTO_EXT_SIZE_SERIAL 16 #define CRYPTO_EXT_SIZE_TIME 16 -typedef struct crypto_provider_ext_info { - uchar_t ei_label[CRYPTO_EXT_SIZE_LABEL]; - uchar_t ei_manufacturerID[CRYPTO_EXT_SIZE_MANUF]; - uchar_t ei_model[CRYPTO_EXT_SIZE_MODEL]; - uchar_t ei_serial_number[CRYPTO_EXT_SIZE_SERIAL]; - ulong_t ei_flags; - ulong_t ei_max_session_count; - ulong_t ei_max_pin_len; - ulong_t ei_min_pin_len; - ulong_t ei_total_public_memory; - ulong_t ei_free_public_memory; - ulong_t ei_total_private_memory; - ulong_t ei_free_private_memory; - crypto_version_t ei_hardware_version; - crypto_version_t ei_firmware_version; - uchar_t ei_time[CRYPTO_EXT_SIZE_TIME]; - int ei_hash_max_input_len; - int ei_hmac_max_input_len; -} crypto_provider_ext_info_t; - typedef uint_t crypto_session_id_t; typedef enum cmd_type { @@ -566,16 +532,6 @@ typedef enum cmd_type { */ #define CRYPTO_LAST_ERROR 0x00000053 -/* - * Special values that can be used to indicate that information is unavailable - * or that there is not practical limit. These values can be used - * by fields of the SPI crypto_provider_ext_info(9S) structure. - * The value of CRYPTO_UNAVAILABLE_INFO should be the same as - * CK_UNAVAILABLE_INFO in the PKCS#11 spec. - */ -#define CRYPTO_UNAVAILABLE_INFO ((ulong_t)(-1)) -#define CRYPTO_EFFECTIVELY_INFINITE 0x0 - #ifdef __cplusplus } #endif diff --git a/module/icp/api/kcf_cipher.c b/module/icp/api/kcf_cipher.c index d6aa48147edb..60a0e189ccff 100644 --- a/module/icp/api/kcf_cipher.c +++ b/module/icp/api/kcf_cipher.c @@ -198,8 +198,7 @@ crypto_cipher_init_prov(crypto_provider_t provider, crypto_session_id_t sid, mech, key, NULL, NULL, tmpl); } - error = kcf_submit_request(real_provider, ctx, crq, ¶ms, - B_FALSE); + error = kcf_submit_request(real_provider, ctx, crq, ¶ms); if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) KCF_PROV_REFRELE(real_provider); @@ -334,7 +333,7 @@ crypto_encrypt_prov(crypto_provider_t provider, crypto_session_id_t sid, KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, sid, mech, key, plaintext, ciphertext, tmpl); - error = kcf_submit_request(real_provider, NULL, crq, ¶ms, B_FALSE); + error = kcf_submit_request(real_provider, NULL, crq, ¶ms); if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) KCF_PROV_REFRELE(real_provider); @@ -400,7 +399,7 @@ crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, } else { KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, pd->pd_sid, mech, key, plaintext, ciphertext, spi_ctx_tmpl); - error = kcf_submit_request(pd, NULL, crq, ¶ms, B_FALSE); + error = kcf_submit_request(pd, NULL, crq, ¶ms); } if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && @@ -502,7 +501,7 @@ crypto_encrypt_update(crypto_context_t context, crypto_data_t *plaintext, KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_UPDATE, ctx->cc_session, NULL, NULL, plaintext, ciphertext, NULL); - error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE); + error = kcf_submit_request(pd, ctx, cr, ¶ms); return (error); } @@ -550,7 +549,7 @@ crypto_encrypt_final(crypto_context_t context, crypto_data_t *ciphertext, } else { KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_FINAL, ctx->cc_session, NULL, NULL, NULL, ciphertext, NULL); - error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE); + error = kcf_submit_request(pd, ctx, cr, ¶ms); } /* Release the hold done in kcf_new_ctx() during init step. */ @@ -616,7 +615,7 @@ crypto_decrypt_prov(crypto_provider_t provider, crypto_session_id_t sid, KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, sid, mech, key, ciphertext, plaintext, tmpl); - rv = kcf_submit_request(real_provider, NULL, crq, ¶ms, B_FALSE); + rv = kcf_submit_request(real_provider, NULL, crq, ¶ms); if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) KCF_PROV_REFRELE(real_provider); @@ -683,7 +682,7 @@ crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, } else { KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, pd->pd_sid, mech, key, ciphertext, plaintext, spi_ctx_tmpl); - error = kcf_submit_request(pd, NULL, crq, ¶ms, B_FALSE); + error = kcf_submit_request(pd, NULL, crq, ¶ms); } if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && @@ -785,7 +784,7 @@ crypto_decrypt_update(crypto_context_t context, crypto_data_t *ciphertext, KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_UPDATE, ctx->cc_session, NULL, NULL, ciphertext, plaintext, NULL); - error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE); + error = kcf_submit_request(pd, ctx, cr, ¶ms); return (error); } @@ -834,77 +833,7 @@ crypto_decrypt_final(crypto_context_t context, crypto_data_t *plaintext, } else { KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_FINAL, ctx->cc_session, NULL, NULL, NULL, plaintext, NULL); - error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE); - } - - /* Release the hold done in kcf_new_ctx() during init step. */ - KCF_CONTEXT_COND_RELEASE(error, kcf_ctx); - return (error); -} - -/* - * See comments for crypto_encrypt_update(). - */ -int -crypto_encrypt_single(crypto_context_t context, crypto_data_t *plaintext, - crypto_data_t *ciphertext, crypto_call_req_t *cr) -{ - crypto_ctx_t *ctx = (crypto_ctx_t *)context; - kcf_context_t *kcf_ctx; - kcf_provider_desc_t *pd; - int error; - kcf_req_params_t params; - - if ((ctx == NULL) || - ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) || - ((pd = kcf_ctx->kc_prov_desc) == NULL)) { - return (CRYPTO_INVALID_CONTEXT); - } - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(cr, pd)) { - error = KCF_PROV_ENCRYPT(pd, ctx, plaintext, - ciphertext, NULL); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_SINGLE, pd->pd_sid, - NULL, NULL, plaintext, ciphertext, NULL); - error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE); - } - - /* Release the hold done in kcf_new_ctx() during init step. */ - KCF_CONTEXT_COND_RELEASE(error, kcf_ctx); - return (error); -} - -/* - * See comments for crypto_decrypt_update(). - */ -int -crypto_decrypt_single(crypto_context_t context, crypto_data_t *ciphertext, - crypto_data_t *plaintext, crypto_call_req_t *cr) -{ - crypto_ctx_t *ctx = (crypto_ctx_t *)context; - kcf_context_t *kcf_ctx; - kcf_provider_desc_t *pd; - int error; - kcf_req_params_t params; - - if ((ctx == NULL) || - ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) || - ((pd = kcf_ctx->kc_prov_desc) == NULL)) { - return (CRYPTO_INVALID_CONTEXT); - } - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(cr, pd)) { - error = KCF_PROV_DECRYPT(pd, ctx, ciphertext, - plaintext, NULL); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_SINGLE, pd->pd_sid, - NULL, NULL, ciphertext, plaintext, NULL); - error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE); + error = kcf_submit_request(pd, ctx, cr, ¶ms); } /* Release the hold done in kcf_new_ctx() during init step. */ @@ -925,6 +854,4 @@ EXPORT_SYMBOL(crypto_decrypt_init_prov); EXPORT_SYMBOL(crypto_decrypt_init); EXPORT_SYMBOL(crypto_decrypt_update); EXPORT_SYMBOL(crypto_decrypt_final); -EXPORT_SYMBOL(crypto_encrypt_single); -EXPORT_SYMBOL(crypto_decrypt_single); #endif diff --git a/module/icp/api/kcf_digest.c b/module/icp/api/kcf_digest.c index aa68d69bc162..a11edc968d9e 100644 --- a/module/icp/api/kcf_digest.c +++ b/module/icp/api/kcf_digest.c @@ -109,7 +109,7 @@ crypto_digest_prov(crypto_provider_t provider, crypto_session_id_t sid, data, digest); /* no crypto context to carry between multiple parts. */ - rv = kcf_submit_request(real_provider, NULL, crq, ¶ms, B_FALSE); + rv = kcf_submit_request(real_provider, NULL, crq, ¶ms); if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) KCF_PROV_REFRELE(real_provider); @@ -159,8 +159,7 @@ crypto_digest(crypto_mechanism_t *mech, crypto_data_t *data, pd->pd_sid, mech, NULL, data, digest); /* no crypto context to carry between multiple parts. */ - error = kcf_submit_request(pd, NULL, crq, ¶ms, - B_FALSE); + error = kcf_submit_request(pd, NULL, crq, ¶ms); } } @@ -241,8 +240,7 @@ crypto_digest_init_prov(crypto_provider_t provider, crypto_session_id_t sid, } else { KCF_WRAP_DIGEST_OPS_PARAMS(¶ms, KCF_OP_INIT, sid, mech, NULL, NULL, NULL); - error = kcf_submit_request(real_provider, ctx, crq, ¶ms, - B_FALSE); + error = kcf_submit_request(real_provider, ctx, crq, ¶ms); } if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) @@ -352,7 +350,7 @@ crypto_digest_update(crypto_context_t context, crypto_data_t *data, } else { KCF_WRAP_DIGEST_OPS_PARAMS(¶ms, KCF_OP_UPDATE, ctx->cc_session, NULL, NULL, data, NULL); - error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE); + error = kcf_submit_request(pd, ctx, cr, ¶ms); } return (error); @@ -401,77 +399,7 @@ crypto_digest_final(crypto_context_t context, crypto_data_t *digest, } else { KCF_WRAP_DIGEST_OPS_PARAMS(¶ms, KCF_OP_FINAL, ctx->cc_session, NULL, NULL, NULL, digest); - error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE); - } - - /* Release the hold done in kcf_new_ctx() during init step. */ - KCF_CONTEXT_COND_RELEASE(error, kcf_ctx); - return (error); -} - -/* - * Performs a digest update on the specified key. Note that there is - * no k-API crypto_digest_key() equivalent of this function. - */ -int -crypto_digest_key_prov(crypto_context_t context, crypto_key_t *key, - crypto_call_req_t *cr) -{ - crypto_ctx_t *ctx = (crypto_ctx_t *)context; - kcf_context_t *kcf_ctx; - kcf_provider_desc_t *pd; - int error; - kcf_req_params_t params; - - if ((ctx == NULL) || - ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) || - ((pd = kcf_ctx->kc_prov_desc) == NULL)) { - return (CRYPTO_INVALID_CONTEXT); - } - - ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(cr, pd)) { - error = KCF_PROV_DIGEST_KEY(pd, ctx, key, NULL); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_DIGEST_OPS_PARAMS(¶ms, KCF_OP_DIGEST_KEY, - ctx->cc_session, NULL, key, NULL, NULL); - error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE); - } - - return (error); -} - -/* - * See comments for crypto_digest_update() and crypto_digest_final(). - */ -int -crypto_digest_single(crypto_context_t context, crypto_data_t *data, - crypto_data_t *digest, crypto_call_req_t *cr) -{ - crypto_ctx_t *ctx = (crypto_ctx_t *)context; - kcf_context_t *kcf_ctx; - kcf_provider_desc_t *pd; - int error; - kcf_req_params_t params; - - if ((ctx == NULL) || - ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) || - ((pd = kcf_ctx->kc_prov_desc) == NULL)) { - return (CRYPTO_INVALID_CONTEXT); - } - - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(cr, pd)) { - error = KCF_PROV_DIGEST(pd, ctx, data, digest, NULL); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_DIGEST_OPS_PARAMS(¶ms, KCF_OP_SINGLE, pd->pd_sid, - NULL, NULL, data, digest); - error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE); + error = kcf_submit_request(pd, ctx, cr, ¶ms); } /* Release the hold done in kcf_new_ctx() during init step. */ @@ -486,6 +414,4 @@ EXPORT_SYMBOL(crypto_digest_init_prov); EXPORT_SYMBOL(crypto_digest_init); EXPORT_SYMBOL(crypto_digest_update); EXPORT_SYMBOL(crypto_digest_final); -EXPORT_SYMBOL(crypto_digest_key_prov); -EXPORT_SYMBOL(crypto_digest_single); #endif diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index a7722d8f914c..3636eea0e1f2 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -109,7 +109,7 @@ crypto_mac_prov(crypto_provider_t provider, crypto_session_id_t sid, KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, sid, mech, key, data, mac, tmpl); - rv = kcf_submit_request(real_provider, NULL, crq, ¶ms, B_FALSE); + rv = kcf_submit_request(real_provider, NULL, crq, ¶ms); if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) KCF_PROV_REFRELE(real_provider); @@ -187,8 +187,7 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, pd->pd_sid, mech, key, data, mac, spi_ctx_tmpl); - error = kcf_submit_request(pd, NULL, crq, ¶ms, - KCF_ISDUALREQ(crq)); + error = kcf_submit_request(pd, NULL, crq, ¶ms); } } @@ -234,7 +233,7 @@ crypto_mac_verify_prov(crypto_provider_t provider, crypto_session_id_t sid, KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_MAC_VERIFY_ATOMIC, sid, mech, key, data, mac, tmpl); - rv = kcf_submit_request(real_provider, NULL, crq, ¶ms, B_FALSE); + rv = kcf_submit_request(real_provider, NULL, crq, ¶ms); if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) KCF_PROV_REFRELE(real_provider); @@ -308,8 +307,7 @@ crypto_mac_verify(crypto_mechanism_t *mech, crypto_data_t *data, KCF_OP_MAC_VERIFY_ATOMIC, pd->pd_sid, mech, key, data, mac, spi_ctx_tmpl); - error = kcf_submit_request(pd, NULL, crq, ¶ms, - KCF_ISDUALREQ(crq)); + error = kcf_submit_request(pd, NULL, crq, ¶ms); } } @@ -404,8 +402,7 @@ crypto_mac_init_prov(crypto_provider_t provider, crypto_session_id_t sid, } else { KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_INIT, sid, mech, key, NULL, NULL, tmpl); - rv = kcf_submit_request(real_provider, ctx, crq, ¶ms, - B_FALSE); + rv = kcf_submit_request(real_provider, ctx, crq, ¶ms); } if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) @@ -539,7 +536,7 @@ crypto_mac_update(crypto_context_t context, crypto_data_t *data, } else { KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_UPDATE, ctx->cc_session, NULL, NULL, data, NULL, NULL); - rv = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE); + rv = kcf_submit_request(pd, ctx, cr, ¶ms); } return (rv); @@ -588,7 +585,7 @@ crypto_mac_final(crypto_context_t context, crypto_data_t *mac, } else { KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_FINAL, ctx->cc_session, NULL, NULL, NULL, mac, NULL); - rv = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE); + rv = kcf_submit_request(pd, ctx, cr, ¶ms); } /* Release the hold done in kcf_new_ctx() during init step. */ @@ -596,42 +593,6 @@ crypto_mac_final(crypto_context_t context, crypto_data_t *mac, return (rv); } -/* - * See comments for crypto_mac_update() and crypto_mac_final(). - */ -int -crypto_mac_single(crypto_context_t context, crypto_data_t *data, - crypto_data_t *mac, crypto_call_req_t *cr) -{ - crypto_ctx_t *ctx = (crypto_ctx_t *)context; - kcf_context_t *kcf_ctx; - kcf_provider_desc_t *pd; - int error; - kcf_req_params_t params; - - - if ((ctx == NULL) || - ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) || - ((pd = kcf_ctx->kc_prov_desc) == NULL)) { - return (CRYPTO_INVALID_CONTEXT); - } - - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(cr, pd)) { - error = KCF_PROV_MAC(pd, ctx, data, mac, NULL); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_SINGLE, pd->pd_sid, - NULL, NULL, data, mac, NULL); - error = kcf_submit_request(pd, ctx, cr, ¶ms, B_FALSE); - } - - /* Release the hold done in kcf_new_ctx() during init step. */ - KCF_CONTEXT_COND_RELEASE(error, kcf_ctx); - return (error); -} - #if defined(_KERNEL) EXPORT_SYMBOL(crypto_mac_prov); EXPORT_SYMBOL(crypto_mac); @@ -641,5 +602,4 @@ EXPORT_SYMBOL(crypto_mac_init_prov); EXPORT_SYMBOL(crypto_mac_init); EXPORT_SYMBOL(crypto_mac_update); EXPORT_SYMBOL(crypto_mac_final); -EXPORT_SYMBOL(crypto_mac_single); #endif diff --git a/module/icp/core/kcf_callprov.c b/module/icp/core/kcf_callprov.c index 345014d0a1e4..1468e0a1a00d 100644 --- a/module/icp/core/kcf_callprov.c +++ b/module/icp/core/kcf_callprov.c @@ -27,9 +27,6 @@ #include #include -static int kcf_emulate_dual(kcf_provider_desc_t *, crypto_ctx_t *, - kcf_req_params_t *); - void kcf_free_triedlist(kcf_prov_tried_t *list) { @@ -348,144 +345,6 @@ kcf_get_mech_provider(crypto_mech_type_t mech_type, kcf_mech_entry_t **mepp, return (pd); } -/* - * Very similar to kcf_get_mech_provider(). Finds the best provider capable of - * a dual operation with both me1 and me2. - * When no dual-ops capable providers are available, return the best provider - * for me1 only, and sets *prov_mt2 to CRYPTO_INVALID_MECHID; - * We assume/expect that a slower HW capable of the dual is still - * faster than the 2 fastest providers capable of the individual ops - * separately. - */ -kcf_provider_desc_t * -kcf_get_dual_provider(crypto_mechanism_t *mech1, crypto_mechanism_t *mech2, - kcf_mech_entry_t **mepp, crypto_mech_type_t *prov_mt1, - crypto_mech_type_t *prov_mt2, int *error, kcf_prov_tried_t *triedl, - crypto_func_group_t fg1, crypto_func_group_t fg2, boolean_t call_restrict, - size_t data_size) -{ - kcf_provider_desc_t *pd = NULL, *pdm1 = NULL, *pdm1m2 = NULL; - kcf_prov_mech_desc_t *prov_chain, *mdesc; - int len, gqlen = INT_MAX, dgqlen = INT_MAX; - crypto_mech_info_list_t *mil; - crypto_mech_type_t m2id = mech2->cm_type; - kcf_mech_entry_t *me; - - /* when mech is a valid mechanism, me will be its mech_entry */ - if (kcf_get_mech_entry(mech1->cm_type, &me) != KCF_SUCCESS) { - *error = CRYPTO_MECHANISM_INVALID; - return (NULL); - } - - *prov_mt2 = CRYPTO_MECH_INVALID; - - if (mepp != NULL) - *mepp = me; - mutex_enter(&me->me_mutex); - - prov_chain = me->me_hw_prov_chain; - /* - * We check the threshold for using a hardware provider for - * this amount of data. If there is no software provider available - * for the first mechanism, then the threshold is ignored. - */ - if ((prov_chain != NULL) && - ((data_size == 0) || (me->me_threshold == 0) || - (data_size >= me->me_threshold) || - ((mdesc = me->me_sw_prov) == NULL) || - (!IS_FG_SUPPORTED(mdesc, fg1)) || - (!KCF_IS_PROV_USABLE(mdesc->pm_prov_desc)))) { - /* there is at least one provider */ - ASSERT(me->me_num_hwprov > 0); - - /* - * Find the least loaded provider capable of the combo - * me1 + me2, and save a pointer to the least loaded - * provider capable of me1 only. - */ - while (prov_chain != NULL) { - pd = prov_chain->pm_prov_desc; - len = KCF_PROV_LOAD(pd); - - if (!IS_FG_SUPPORTED(prov_chain, fg1) || - !KCF_IS_PROV_USABLE(pd) || - IS_PROVIDER_TRIED(pd, triedl) || - (call_restrict && - (pd->pd_flags & KCF_PROV_RESTRICTED))) { - prov_chain = prov_chain->pm_next; - continue; - } - - /* Save the best provider capable of m1 */ - if (len < gqlen) { - *prov_mt1 = - prov_chain->pm_mech_info.cm_mech_number; - gqlen = len; - pdm1 = pd; - } - - /* See if pd can do me2 too */ - for (mil = prov_chain->pm_mi_list; - mil != NULL; mil = mil->ml_next) { - if ((mil->ml_mech_info.cm_func_group_mask & - fg2) == 0) - continue; - - if ((mil->ml_kcf_mechid == m2id) && - (len < dgqlen)) { - /* Bingo! */ - dgqlen = len; - pdm1m2 = pd; - *prov_mt2 = - mil->ml_mech_info.cm_mech_number; - *prov_mt1 = prov_chain-> - pm_mech_info.cm_mech_number; - break; - } - } - - prov_chain = prov_chain->pm_next; - } - - pd = (pdm1m2 != NULL) ? pdm1m2 : pdm1; - } - - /* no HW provider for this mech, is there a SW provider? */ - if (pd == NULL && (mdesc = me->me_sw_prov) != NULL) { - pd = mdesc->pm_prov_desc; - if (!IS_FG_SUPPORTED(mdesc, fg1) || - !KCF_IS_PROV_USABLE(pd) || - IS_PROVIDER_TRIED(pd, triedl) || - (call_restrict && (pd->pd_flags & KCF_PROV_RESTRICTED))) - pd = NULL; - else { - /* See if pd can do me2 too */ - for (mil = me->me_sw_prov->pm_mi_list; - mil != NULL; mil = mil->ml_next) { - if ((mil->ml_mech_info.cm_func_group_mask & - fg2) == 0) - continue; - - if (mil->ml_kcf_mechid == m2id) { - /* Bingo! */ - *prov_mt2 = - mil->ml_mech_info.cm_mech_number; - break; - } - } - *prov_mt1 = me->me_sw_prov->pm_mech_info.cm_mech_number; - } - } - - if (pd == NULL) - *error = CRYPTO_MECH_NOT_SUPPORTED; - else - KCF_PROV_REFHOLD(pd); - - mutex_exit(&me->me_mutex); - return (pd); -} - /* * Do the actual work of calling the provider routines. * @@ -697,605 +556,6 @@ common_submit_request(kcf_provider_desc_t *pd, crypto_ctx_t *ctx, } break; } - - case KCF_OG_SIGN: { - kcf_sign_ops_params_t *sops = ¶ms->rp_u.sign_params; - - switch (optype) { - case KCF_OP_INIT: - KCF_SET_PROVIDER_MECHNUM(sops->so_framework_mechtype, - pd, &sops->so_mech); - - err = KCF_PROV_SIGN_INIT(pd, ctx, &sops->so_mech, - sops->so_key, sops->so_templ, rhndl); - break; - - case KCF_OP_SIGN_RECOVER_INIT: - KCF_SET_PROVIDER_MECHNUM(sops->so_framework_mechtype, - pd, &sops->so_mech); - - err = KCF_PROV_SIGN_RECOVER_INIT(pd, ctx, - &sops->so_mech, sops->so_key, sops->so_templ, - rhndl); - break; - - case KCF_OP_SINGLE: - err = KCF_PROV_SIGN(pd, ctx, sops->so_data, - sops->so_signature, rhndl); - break; - - case KCF_OP_SIGN_RECOVER: - err = KCF_PROV_SIGN_RECOVER(pd, ctx, - sops->so_data, sops->so_signature, rhndl); - break; - - case KCF_OP_UPDATE: - err = KCF_PROV_SIGN_UPDATE(pd, ctx, sops->so_data, - rhndl); - break; - - case KCF_OP_FINAL: - err = KCF_PROV_SIGN_FINAL(pd, ctx, sops->so_signature, - rhndl); - break; - - case KCF_OP_ATOMIC: - ASSERT(ctx == NULL); - KCF_SET_PROVIDER_MECHNUM(sops->so_framework_mechtype, - pd, &sops->so_mech); - - err = KCF_PROV_SIGN_ATOMIC(pd, sops->so_sid, - &sops->so_mech, sops->so_key, sops->so_data, - sops->so_templ, sops->so_signature, rhndl); - break; - - case KCF_OP_SIGN_RECOVER_ATOMIC: - ASSERT(ctx == NULL); - KCF_SET_PROVIDER_MECHNUM(sops->so_framework_mechtype, - pd, &sops->so_mech); - - err = KCF_PROV_SIGN_RECOVER_ATOMIC(pd, sops->so_sid, - &sops->so_mech, sops->so_key, sops->so_data, - sops->so_templ, sops->so_signature, rhndl); - break; - - default: - break; - } - break; - } - - case KCF_OG_VERIFY: { - kcf_verify_ops_params_t *vops = ¶ms->rp_u.verify_params; - - switch (optype) { - case KCF_OP_INIT: - KCF_SET_PROVIDER_MECHNUM(vops->vo_framework_mechtype, - pd, &vops->vo_mech); - - err = KCF_PROV_VERIFY_INIT(pd, ctx, &vops->vo_mech, - vops->vo_key, vops->vo_templ, rhndl); - break; - - case KCF_OP_VERIFY_RECOVER_INIT: - KCF_SET_PROVIDER_MECHNUM(vops->vo_framework_mechtype, - pd, &vops->vo_mech); - - err = KCF_PROV_VERIFY_RECOVER_INIT(pd, ctx, - &vops->vo_mech, vops->vo_key, vops->vo_templ, - rhndl); - break; - - case KCF_OP_SINGLE: - err = KCF_PROV_VERIFY(pd, ctx, vops->vo_data, - vops->vo_signature, rhndl); - break; - - case KCF_OP_VERIFY_RECOVER: - err = KCF_PROV_VERIFY_RECOVER(pd, ctx, - vops->vo_signature, vops->vo_data, rhndl); - break; - - case KCF_OP_UPDATE: - err = KCF_PROV_VERIFY_UPDATE(pd, ctx, vops->vo_data, - rhndl); - break; - - case KCF_OP_FINAL: - err = KCF_PROV_VERIFY_FINAL(pd, ctx, vops->vo_signature, - rhndl); - break; - - case KCF_OP_ATOMIC: - ASSERT(ctx == NULL); - KCF_SET_PROVIDER_MECHNUM(vops->vo_framework_mechtype, - pd, &vops->vo_mech); - - err = KCF_PROV_VERIFY_ATOMIC(pd, vops->vo_sid, - &vops->vo_mech, vops->vo_key, vops->vo_data, - vops->vo_templ, vops->vo_signature, rhndl); - break; - - case KCF_OP_VERIFY_RECOVER_ATOMIC: - ASSERT(ctx == NULL); - KCF_SET_PROVIDER_MECHNUM(vops->vo_framework_mechtype, - pd, &vops->vo_mech); - - err = KCF_PROV_VERIFY_RECOVER_ATOMIC(pd, vops->vo_sid, - &vops->vo_mech, vops->vo_key, vops->vo_signature, - vops->vo_templ, vops->vo_data, rhndl); - break; - - default: - break; - } - break; - } - - case KCF_OG_ENCRYPT_MAC: { - kcf_encrypt_mac_ops_params_t *eops = - ¶ms->rp_u.encrypt_mac_params; - kcf_context_t *kcf_secondctx; - - switch (optype) { - case KCF_OP_INIT: - kcf_secondctx = ((kcf_context_t *) - (ctx->cc_framework_private))->kc_secondctx; - - if (kcf_secondctx != NULL) { - err = kcf_emulate_dual(pd, ctx, params); - break; - } - KCF_SET_PROVIDER_MECHNUM( - eops->em_framework_encr_mechtype, - pd, &eops->em_encr_mech); - - KCF_SET_PROVIDER_MECHNUM( - eops->em_framework_mac_mechtype, - pd, &eops->em_mac_mech); - - err = KCF_PROV_ENCRYPT_MAC_INIT(pd, ctx, - &eops->em_encr_mech, eops->em_encr_key, - &eops->em_mac_mech, eops->em_mac_key, - eops->em_encr_templ, eops->em_mac_templ, - rhndl); - - break; - - case KCF_OP_SINGLE: - err = KCF_PROV_ENCRYPT_MAC(pd, ctx, - eops->em_plaintext, eops->em_ciphertext, - eops->em_mac, rhndl); - break; - - case KCF_OP_UPDATE: - kcf_secondctx = ((kcf_context_t *) - (ctx->cc_framework_private))->kc_secondctx; - if (kcf_secondctx != NULL) { - err = kcf_emulate_dual(pd, ctx, params); - break; - } - err = KCF_PROV_ENCRYPT_MAC_UPDATE(pd, ctx, - eops->em_plaintext, eops->em_ciphertext, rhndl); - break; - - case KCF_OP_FINAL: - kcf_secondctx = ((kcf_context_t *) - (ctx->cc_framework_private))->kc_secondctx; - if (kcf_secondctx != NULL) { - err = kcf_emulate_dual(pd, ctx, params); - break; - } - err = KCF_PROV_ENCRYPT_MAC_FINAL(pd, ctx, - eops->em_ciphertext, eops->em_mac, rhndl); - break; - - case KCF_OP_ATOMIC: - ASSERT(ctx == NULL); - - KCF_SET_PROVIDER_MECHNUM( - eops->em_framework_encr_mechtype, - pd, &eops->em_encr_mech); - - KCF_SET_PROVIDER_MECHNUM( - eops->em_framework_mac_mechtype, - pd, &eops->em_mac_mech); - - err = KCF_PROV_ENCRYPT_MAC_ATOMIC(pd, eops->em_sid, - &eops->em_encr_mech, eops->em_encr_key, - &eops->em_mac_mech, eops->em_mac_key, - eops->em_plaintext, eops->em_ciphertext, - eops->em_mac, - eops->em_encr_templ, eops->em_mac_templ, - rhndl); - - break; - - default: - break; - } - break; - } - - case KCF_OG_MAC_DECRYPT: { - kcf_mac_decrypt_ops_params_t *dops = - ¶ms->rp_u.mac_decrypt_params; - kcf_context_t *kcf_secondctx; - - switch (optype) { - case KCF_OP_INIT: - kcf_secondctx = ((kcf_context_t *) - (ctx->cc_framework_private))->kc_secondctx; - - if (kcf_secondctx != NULL) { - err = kcf_emulate_dual(pd, ctx, params); - break; - } - KCF_SET_PROVIDER_MECHNUM( - dops->md_framework_mac_mechtype, - pd, &dops->md_mac_mech); - - KCF_SET_PROVIDER_MECHNUM( - dops->md_framework_decr_mechtype, - pd, &dops->md_decr_mech); - - err = KCF_PROV_MAC_DECRYPT_INIT(pd, ctx, - &dops->md_mac_mech, dops->md_mac_key, - &dops->md_decr_mech, dops->md_decr_key, - dops->md_mac_templ, dops->md_decr_templ, - rhndl); - - break; - - case KCF_OP_SINGLE: - err = KCF_PROV_MAC_DECRYPT(pd, ctx, - dops->md_ciphertext, dops->md_mac, - dops->md_plaintext, rhndl); - break; - - case KCF_OP_UPDATE: - kcf_secondctx = ((kcf_context_t *) - (ctx->cc_framework_private))->kc_secondctx; - if (kcf_secondctx != NULL) { - err = kcf_emulate_dual(pd, ctx, params); - break; - } - err = KCF_PROV_MAC_DECRYPT_UPDATE(pd, ctx, - dops->md_ciphertext, dops->md_plaintext, rhndl); - break; - - case KCF_OP_FINAL: - kcf_secondctx = ((kcf_context_t *) - (ctx->cc_framework_private))->kc_secondctx; - if (kcf_secondctx != NULL) { - err = kcf_emulate_dual(pd, ctx, params); - break; - } - err = KCF_PROV_MAC_DECRYPT_FINAL(pd, ctx, - dops->md_mac, dops->md_plaintext, rhndl); - break; - - case KCF_OP_ATOMIC: - ASSERT(ctx == NULL); - - KCF_SET_PROVIDER_MECHNUM( - dops->md_framework_mac_mechtype, - pd, &dops->md_mac_mech); - - KCF_SET_PROVIDER_MECHNUM( - dops->md_framework_decr_mechtype, - pd, &dops->md_decr_mech); - - err = KCF_PROV_MAC_DECRYPT_ATOMIC(pd, dops->md_sid, - &dops->md_mac_mech, dops->md_mac_key, - &dops->md_decr_mech, dops->md_decr_key, - dops->md_ciphertext, dops->md_mac, - dops->md_plaintext, - dops->md_mac_templ, dops->md_decr_templ, - rhndl); - - break; - - case KCF_OP_MAC_VERIFY_DECRYPT_ATOMIC: - ASSERT(ctx == NULL); - - KCF_SET_PROVIDER_MECHNUM( - dops->md_framework_mac_mechtype, - pd, &dops->md_mac_mech); - - KCF_SET_PROVIDER_MECHNUM( - dops->md_framework_decr_mechtype, - pd, &dops->md_decr_mech); - - err = KCF_PROV_MAC_VERIFY_DECRYPT_ATOMIC(pd, - dops->md_sid, &dops->md_mac_mech, dops->md_mac_key, - &dops->md_decr_mech, dops->md_decr_key, - dops->md_ciphertext, dops->md_mac, - dops->md_plaintext, - dops->md_mac_templ, dops->md_decr_templ, - rhndl); - - break; - - default: - break; - } - break; - } - - case KCF_OG_KEY: { - kcf_key_ops_params_t *kops = ¶ms->rp_u.key_params; - - ASSERT(ctx == NULL); - KCF_SET_PROVIDER_MECHNUM(kops->ko_framework_mechtype, pd, - &kops->ko_mech); - - switch (optype) { - case KCF_OP_KEY_GENERATE: - err = KCF_PROV_KEY_GENERATE(pd, kops->ko_sid, - &kops->ko_mech, - kops->ko_key_template, kops->ko_key_attribute_count, - kops->ko_key_object_id_ptr, rhndl); - break; - - case KCF_OP_KEY_GENERATE_PAIR: - err = KCF_PROV_KEY_GENERATE_PAIR(pd, kops->ko_sid, - &kops->ko_mech, - kops->ko_key_template, kops->ko_key_attribute_count, - kops->ko_private_key_template, - kops->ko_private_key_attribute_count, - kops->ko_key_object_id_ptr, - kops->ko_private_key_object_id_ptr, rhndl); - break; - - case KCF_OP_KEY_WRAP: - err = KCF_PROV_KEY_WRAP(pd, kops->ko_sid, - &kops->ko_mech, - kops->ko_key, kops->ko_key_object_id_ptr, - kops->ko_wrapped_key, kops->ko_wrapped_key_len_ptr, - rhndl); - break; - - case KCF_OP_KEY_UNWRAP: - err = KCF_PROV_KEY_UNWRAP(pd, kops->ko_sid, - &kops->ko_mech, - kops->ko_key, kops->ko_wrapped_key, - kops->ko_wrapped_key_len_ptr, - kops->ko_key_template, kops->ko_key_attribute_count, - kops->ko_key_object_id_ptr, rhndl); - break; - - case KCF_OP_KEY_DERIVE: - err = KCF_PROV_KEY_DERIVE(pd, kops->ko_sid, - &kops->ko_mech, - kops->ko_key, kops->ko_key_template, - kops->ko_key_attribute_count, - kops->ko_key_object_id_ptr, rhndl); - break; - - default: - break; - } - break; - } - - case KCF_OG_RANDOM: { - kcf_random_number_ops_params_t *rops = - ¶ms->rp_u.random_number_params; - - ASSERT(ctx == NULL); - - switch (optype) { - case KCF_OP_RANDOM_SEED: - err = KCF_PROV_SEED_RANDOM(pd, rops->rn_sid, - rops->rn_buf, rops->rn_buflen, rops->rn_entropy_est, - rops->rn_flags, rhndl); - break; - - case KCF_OP_RANDOM_GENERATE: - err = KCF_PROV_GENERATE_RANDOM(pd, rops->rn_sid, - rops->rn_buf, rops->rn_buflen, rhndl); - break; - - default: - break; - } - break; - } - - case KCF_OG_SESSION: { - kcf_session_ops_params_t *sops = ¶ms->rp_u.session_params; - - ASSERT(ctx == NULL); - switch (optype) { - case KCF_OP_SESSION_OPEN: - /* - * so_pd may be a logical provider, in which case - * we need to check whether it has been removed. - */ - if (KCF_IS_PROV_REMOVED(sops->so_pd)) { - err = CRYPTO_DEVICE_ERROR; - break; - } - err = KCF_PROV_SESSION_OPEN(pd, sops->so_sid_ptr, - rhndl, sops->so_pd); - break; - - case KCF_OP_SESSION_CLOSE: - /* - * so_pd may be a logical provider, in which case - * we need to check whether it has been removed. - */ - if (KCF_IS_PROV_REMOVED(sops->so_pd)) { - err = CRYPTO_DEVICE_ERROR; - break; - } - err = KCF_PROV_SESSION_CLOSE(pd, sops->so_sid, - rhndl, sops->so_pd); - break; - - case KCF_OP_SESSION_LOGIN: - err = KCF_PROV_SESSION_LOGIN(pd, sops->so_sid, - sops->so_user_type, sops->so_pin, - sops->so_pin_len, rhndl); - break; - - case KCF_OP_SESSION_LOGOUT: - err = KCF_PROV_SESSION_LOGOUT(pd, sops->so_sid, rhndl); - break; - - default: - break; - } - break; - } - - case KCF_OG_OBJECT: { - kcf_object_ops_params_t *jops = ¶ms->rp_u.object_params; - - ASSERT(ctx == NULL); - switch (optype) { - case KCF_OP_OBJECT_CREATE: - err = KCF_PROV_OBJECT_CREATE(pd, jops->oo_sid, - jops->oo_template, jops->oo_attribute_count, - jops->oo_object_id_ptr, rhndl); - break; - - case KCF_OP_OBJECT_COPY: - err = KCF_PROV_OBJECT_COPY(pd, jops->oo_sid, - jops->oo_object_id, - jops->oo_template, jops->oo_attribute_count, - jops->oo_object_id_ptr, rhndl); - break; - - case KCF_OP_OBJECT_DESTROY: - err = KCF_PROV_OBJECT_DESTROY(pd, jops->oo_sid, - jops->oo_object_id, rhndl); - break; - - case KCF_OP_OBJECT_GET_SIZE: - err = KCF_PROV_OBJECT_GET_SIZE(pd, jops->oo_sid, - jops->oo_object_id, jops->oo_object_size, rhndl); - break; - - case KCF_OP_OBJECT_GET_ATTRIBUTE_VALUE: - err = KCF_PROV_OBJECT_GET_ATTRIBUTE_VALUE(pd, - jops->oo_sid, jops->oo_object_id, - jops->oo_template, jops->oo_attribute_count, rhndl); - break; - - case KCF_OP_OBJECT_SET_ATTRIBUTE_VALUE: - err = KCF_PROV_OBJECT_SET_ATTRIBUTE_VALUE(pd, - jops->oo_sid, jops->oo_object_id, - jops->oo_template, jops->oo_attribute_count, rhndl); - break; - - case KCF_OP_OBJECT_FIND_INIT: - err = KCF_PROV_OBJECT_FIND_INIT(pd, jops->oo_sid, - jops->oo_template, jops->oo_attribute_count, - jops->oo_find_init_pp_ptr, rhndl); - break; - - case KCF_OP_OBJECT_FIND: - err = KCF_PROV_OBJECT_FIND(pd, jops->oo_find_pp, - jops->oo_object_id_ptr, jops->oo_max_object_count, - jops->oo_object_count_ptr, rhndl); - break; - - case KCF_OP_OBJECT_FIND_FINAL: - err = KCF_PROV_OBJECT_FIND_FINAL(pd, jops->oo_find_pp, - rhndl); - break; - - default: - break; - } - break; - } - - case KCF_OG_PROVMGMT: { - kcf_provmgmt_ops_params_t *pops = ¶ms->rp_u.provmgmt_params; - - ASSERT(ctx == NULL); - switch (optype) { - case KCF_OP_MGMT_EXTINFO: - /* - * po_pd may be a logical provider, in which case - * we need to check whether it has been removed. - */ - if (KCF_IS_PROV_REMOVED(pops->po_pd)) { - err = CRYPTO_DEVICE_ERROR; - break; - } - err = KCF_PROV_EXT_INFO(pd, pops->po_ext_info, rhndl, - pops->po_pd); - break; - - case KCF_OP_MGMT_INITTOKEN: - err = KCF_PROV_INIT_TOKEN(pd, pops->po_pin, - pops->po_pin_len, pops->po_label, rhndl); - break; - - case KCF_OP_MGMT_INITPIN: - err = KCF_PROV_INIT_PIN(pd, pops->po_sid, pops->po_pin, - pops->po_pin_len, rhndl); - break; - - case KCF_OP_MGMT_SETPIN: - err = KCF_PROV_SET_PIN(pd, pops->po_sid, - pops->po_old_pin, pops->po_old_pin_len, - pops->po_pin, pops->po_pin_len, rhndl); - break; - - default: - break; - } - break; - } - - case KCF_OG_NOSTORE_KEY: { - kcf_key_ops_params_t *kops = ¶ms->rp_u.key_params; - - ASSERT(ctx == NULL); - KCF_SET_PROVIDER_MECHNUM(kops->ko_framework_mechtype, pd, - &kops->ko_mech); - - switch (optype) { - case KCF_OP_KEY_GENERATE: - err = KCF_PROV_NOSTORE_KEY_GENERATE(pd, kops->ko_sid, - &kops->ko_mech, kops->ko_key_template, - kops->ko_key_attribute_count, - kops->ko_out_template1, - kops->ko_out_attribute_count1, rhndl); - break; - - case KCF_OP_KEY_GENERATE_PAIR: - err = KCF_PROV_NOSTORE_KEY_GENERATE_PAIR(pd, - kops->ko_sid, &kops->ko_mech, - kops->ko_key_template, kops->ko_key_attribute_count, - kops->ko_private_key_template, - kops->ko_private_key_attribute_count, - kops->ko_out_template1, - kops->ko_out_attribute_count1, - kops->ko_out_template2, - kops->ko_out_attribute_count2, - rhndl); - break; - - case KCF_OP_KEY_DERIVE: - err = KCF_PROV_NOSTORE_KEY_DERIVE(pd, kops->ko_sid, - &kops->ko_mech, kops->ko_key, - kops->ko_key_template, - kops->ko_key_attribute_count, - kops->ko_out_template1, - kops->ko_out_attribute_count1, rhndl); - break; - - default: - break; - } - break; - } default: break; } /* end of switch(params->rp_opgrp) */ @@ -1303,265 +563,3 @@ common_submit_request(kcf_provider_desc_t *pd, crypto_ctx_t *ctx, KCF_PROV_INCRSTATS(pd, err); return (err); } - - -/* - * Emulate the call for a multipart dual ops with 2 single steps. - * This routine is always called in the context of a working thread - * running kcf_svc_do_run(). - * The single steps are submitted in a pure synchronous way (blocking). - * When this routine returns, kcf_svc_do_run() will call kcf_aop_done() - * so the originating consumer's callback gets invoked. kcf_aop_done() - * takes care of freeing the operation context. So, this routine does - * not free the operation context. - * - * The provider descriptor is assumed held by the callers. - */ -static int -kcf_emulate_dual(kcf_provider_desc_t *pd, crypto_ctx_t *ctx, - kcf_req_params_t *params) -{ - int err = CRYPTO_ARGUMENTS_BAD; - kcf_op_type_t optype; - size_t save_len; - off_t save_offset; - - optype = params->rp_optype; - - switch (params->rp_opgrp) { - case KCF_OG_ENCRYPT_MAC: { - kcf_encrypt_mac_ops_params_t *cmops = - ¶ms->rp_u.encrypt_mac_params; - kcf_context_t *encr_kcf_ctx; - crypto_ctx_t *mac_ctx; - kcf_req_params_t encr_params; - - encr_kcf_ctx = (kcf_context_t *)(ctx->cc_framework_private); - - switch (optype) { - case KCF_OP_INIT: { - encr_kcf_ctx->kc_secondctx = NULL; - - KCF_WRAP_ENCRYPT_OPS_PARAMS(&encr_params, KCF_OP_INIT, - pd->pd_sid, &cmops->em_encr_mech, - cmops->em_encr_key, NULL, NULL, - cmops->em_encr_templ); - - err = kcf_submit_request(pd, ctx, NULL, &encr_params, - B_FALSE); - - /* It can't be CRYPTO_QUEUED */ - if (err != CRYPTO_SUCCESS) { - break; - } - - err = crypto_mac_init(&cmops->em_mac_mech, - cmops->em_mac_key, cmops->em_mac_templ, - (crypto_context_t *)&mac_ctx, NULL); - - if (err == CRYPTO_SUCCESS) { - encr_kcf_ctx->kc_secondctx = (kcf_context_t *) - mac_ctx->cc_framework_private; - KCF_CONTEXT_REFHOLD((kcf_context_t *) - mac_ctx->cc_framework_private); - } - - break; - - } - case KCF_OP_UPDATE: { - crypto_dual_data_t *ct = cmops->em_ciphertext; - crypto_data_t *pt = cmops->em_plaintext; - kcf_context_t *mac_kcf_ctx = encr_kcf_ctx->kc_secondctx; - crypto_ctx_t *mac_ctx = &mac_kcf_ctx->kc_glbl_ctx; - - KCF_WRAP_ENCRYPT_OPS_PARAMS(&encr_params, KCF_OP_UPDATE, - pd->pd_sid, NULL, NULL, pt, (crypto_data_t *)ct, - NULL); - - err = kcf_submit_request(pd, ctx, NULL, &encr_params, - B_FALSE); - - /* It can't be CRYPTO_QUEUED */ - if (err != CRYPTO_SUCCESS) { - break; - } - - save_offset = ct->dd_offset1; - save_len = ct->dd_len1; - if (ct->dd_len2 == 0) { - /* - * The previous encrypt step was an - * accumulation only and didn't produce any - * partial output - */ - if (ct->dd_len1 == 0) - break; - - } else { - ct->dd_offset1 = ct->dd_offset2; - ct->dd_len1 = ct->dd_len2; - } - err = crypto_mac_update((crypto_context_t)mac_ctx, - (crypto_data_t *)ct, NULL); - - ct->dd_offset1 = save_offset; - ct->dd_len1 = save_len; - - break; - } - case KCF_OP_FINAL: { - crypto_dual_data_t *ct = cmops->em_ciphertext; - crypto_data_t *mac = cmops->em_mac; - kcf_context_t *mac_kcf_ctx = encr_kcf_ctx->kc_secondctx; - crypto_ctx_t *mac_ctx = &mac_kcf_ctx->kc_glbl_ctx; - crypto_context_t mac_context = mac_ctx; - - KCF_WRAP_ENCRYPT_OPS_PARAMS(&encr_params, KCF_OP_FINAL, - pd->pd_sid, NULL, NULL, NULL, (crypto_data_t *)ct, - NULL); - - err = kcf_submit_request(pd, ctx, NULL, &encr_params, - B_FALSE); - - /* It can't be CRYPTO_QUEUED */ - if (err != CRYPTO_SUCCESS) { - crypto_cancel_ctx(mac_context); - break; - } - - if (ct->dd_len2 > 0) { - save_offset = ct->dd_offset1; - save_len = ct->dd_len1; - ct->dd_offset1 = ct->dd_offset2; - ct->dd_len1 = ct->dd_len2; - - err = crypto_mac_update(mac_context, - (crypto_data_t *)ct, NULL); - - ct->dd_offset1 = save_offset; - ct->dd_len1 = save_len; - - if (err != CRYPTO_SUCCESS) { - crypto_cancel_ctx(mac_context); - return (err); - } - } - - /* and finally, collect the MAC */ - err = crypto_mac_final(mac_context, mac, NULL); - break; - } - - default: - break; - } - KCF_PROV_INCRSTATS(pd, err); - break; - } - case KCF_OG_MAC_DECRYPT: { - kcf_mac_decrypt_ops_params_t *mdops = - ¶ms->rp_u.mac_decrypt_params; - kcf_context_t *decr_kcf_ctx; - crypto_ctx_t *mac_ctx; - kcf_req_params_t decr_params; - - decr_kcf_ctx = (kcf_context_t *)(ctx->cc_framework_private); - - switch (optype) { - case KCF_OP_INIT: { - decr_kcf_ctx->kc_secondctx = NULL; - - err = crypto_mac_init(&mdops->md_mac_mech, - mdops->md_mac_key, mdops->md_mac_templ, - (crypto_context_t *)&mac_ctx, NULL); - - /* It can't be CRYPTO_QUEUED */ - if (err != CRYPTO_SUCCESS) { - break; - } - - KCF_WRAP_DECRYPT_OPS_PARAMS(&decr_params, KCF_OP_INIT, - pd->pd_sid, &mdops->md_decr_mech, - mdops->md_decr_key, NULL, NULL, - mdops->md_decr_templ); - - err = kcf_submit_request(pd, ctx, NULL, &decr_params, - B_FALSE); - - /* It can't be CRYPTO_QUEUED */ - if (err != CRYPTO_SUCCESS) { - crypto_cancel_ctx((crypto_context_t)mac_ctx); - break; - } - - decr_kcf_ctx->kc_secondctx = (kcf_context_t *) - mac_ctx->cc_framework_private; - KCF_CONTEXT_REFHOLD((kcf_context_t *) - mac_ctx->cc_framework_private); - - break; - default: - break; - - } - case KCF_OP_UPDATE: { - crypto_dual_data_t *ct = mdops->md_ciphertext; - crypto_data_t *pt = mdops->md_plaintext; - kcf_context_t *mac_kcf_ctx = decr_kcf_ctx->kc_secondctx; - crypto_ctx_t *mac_ctx = &mac_kcf_ctx->kc_glbl_ctx; - - err = crypto_mac_update((crypto_context_t)mac_ctx, - (crypto_data_t *)ct, NULL); - - if (err != CRYPTO_SUCCESS) - break; - - save_offset = ct->dd_offset1; - save_len = ct->dd_len1; - - /* zero ct->dd_len2 means decrypt everything */ - if (ct->dd_len2 > 0) { - ct->dd_offset1 = ct->dd_offset2; - ct->dd_len1 = ct->dd_len2; - } - - err = crypto_decrypt_update((crypto_context_t)ctx, - (crypto_data_t *)ct, pt, NULL); - - ct->dd_offset1 = save_offset; - ct->dd_len1 = save_len; - - break; - } - case KCF_OP_FINAL: { - crypto_data_t *pt = mdops->md_plaintext; - crypto_data_t *mac = mdops->md_mac; - kcf_context_t *mac_kcf_ctx = decr_kcf_ctx->kc_secondctx; - crypto_ctx_t *mac_ctx = &mac_kcf_ctx->kc_glbl_ctx; - - err = crypto_mac_final((crypto_context_t)mac_ctx, - mac, NULL); - - if (err != CRYPTO_SUCCESS) { - crypto_cancel_ctx(ctx); - break; - } - - /* Get the last chunk of plaintext */ - KCF_CONTEXT_REFHOLD(decr_kcf_ctx); - err = crypto_decrypt_final((crypto_context_t)ctx, pt, - NULL); - - break; - } - } - break; - } - default: - - break; - } /* end of switch(params->rp_opgrp) */ - - return (err); -} diff --git a/module/icp/core/kcf_mech_tabs.c b/module/icp/core/kcf_mech_tabs.c index 9df5f0734aa7..4f2e04e37347 100644 --- a/module/icp/core/kcf_mech_tabs.c +++ b/module/icp/core/kcf_mech_tabs.c @@ -85,18 +85,12 @@ static kcf_mech_entry_t kcf_digest_mechs_tab[KCF_MAXDIGEST]; static kcf_mech_entry_t kcf_cipher_mechs_tab[KCF_MAXCIPHER]; static kcf_mech_entry_t kcf_mac_mechs_tab[KCF_MAXMAC]; -static kcf_mech_entry_t kcf_sign_mechs_tab[KCF_MAXSIGN]; -static kcf_mech_entry_t kcf_keyops_mechs_tab[KCF_MAXKEYOPS]; -static kcf_mech_entry_t kcf_misc_mechs_tab[KCF_MAXMISC]; const kcf_mech_entry_tab_t kcf_mech_tabs_tab[KCF_LAST_OPSCLASS + 1] = { {0, NULL}, /* No class zero */ {KCF_MAXDIGEST, kcf_digest_mechs_tab}, {KCF_MAXCIPHER, kcf_cipher_mechs_tab}, {KCF_MAXMAC, kcf_mac_mechs_tab}, - {KCF_MAXSIGN, kcf_sign_mechs_tab}, - {KCF_MAXKEYOPS, kcf_keyops_mechs_tab}, - {KCF_MAXMISC, kcf_misc_mechs_tab} }; /* @@ -240,10 +234,6 @@ kcf_init_mech_tabs(void) kcf_mac_mechs_tab[3].me_threshold = kcf_sha1_threshold; - /* 1 random number generation pseudo mechanism */ - (void) strncpy(kcf_misc_mechs_tab[0].me_name, SUN_RANDOM, - CRYPTO_MAX_MECH_NAME); - kcf_mech_hash = mod_hash_create_strhash_nodtr("kcf mech2id hash", kcf_mech_hash_size, mod_hash_null_valdtor); @@ -376,13 +366,8 @@ kcf_add_mech_provider(short mech_indx, int error; kcf_mech_entry_t *mech_entry = NULL; crypto_mech_info_t *mech_info; - crypto_mech_type_t kcf_mech_type, mt; - kcf_prov_mech_desc_t *prov_mech, *prov_mech2; - crypto_func_group_t simple_fg_mask, dual_fg_mask; - crypto_mech_info_t *dmi; - crypto_mech_info_list_t *mil, *mil2; - kcf_mech_entry_t *me; - int i; + crypto_mech_type_t kcf_mech_type; + kcf_prov_mech_desc_t *prov_mech; ASSERT(prov_desc->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); @@ -406,19 +391,8 @@ kcf_add_mech_provider(short mech_indx, class = KCF_CIPHER_CLASS; else if (fg & CRYPTO_FG_MAC || fg & CRYPTO_FG_MAC_ATOMIC) class = KCF_MAC_CLASS; - else if (fg & CRYPTO_FG_SIGN || fg & CRYPTO_FG_VERIFY || - fg & CRYPTO_FG_SIGN_ATOMIC || - fg & CRYPTO_FG_VERIFY_ATOMIC || - fg & CRYPTO_FG_SIGN_RECOVER || - fg & CRYPTO_FG_VERIFY_RECOVER) - class = KCF_SIGN_CLASS; - else if (fg & CRYPTO_FG_GENERATE || - fg & CRYPTO_FG_GENERATE_KEY_PAIR || - fg & CRYPTO_FG_WRAP || fg & CRYPTO_FG_UNWRAP || - fg & CRYPTO_FG_DERIVE) - class = KCF_KEYOPS_CLASS; else - class = KCF_MISC_CLASS; + __builtin_unreachable(); /* * Attempt to create a new mech_entry for the specified @@ -447,95 +421,6 @@ kcf_add_mech_provider(short mech_indx, KCF_PROV_REFHOLD(prov_desc); KCF_PROV_IREFHOLD(prov_desc); - dual_fg_mask = mech_info->cm_func_group_mask & CRYPTO_FG_DUAL_MASK; - - if (dual_fg_mask == ((crypto_func_group_t)0)) - goto add_entry; - - simple_fg_mask = (mech_info->cm_func_group_mask & - CRYPTO_FG_SIMPLEOP_MASK) | CRYPTO_FG_RANDOM; - - for (i = 0; i < prov_desc->pd_mech_list_count; i++) { - dmi = &prov_desc->pd_mechanisms[i]; - - /* skip self */ - if (dmi->cm_mech_number == mech_info->cm_mech_number) - continue; - - /* skip if not a dual operation mechanism */ - if (!(dmi->cm_func_group_mask & dual_fg_mask) || - (dmi->cm_func_group_mask & simple_fg_mask)) - continue; - - mt = kcf_mech_hash_find(dmi->cm_mech_name); - if (mt == CRYPTO_MECH_INVALID) - continue; - - if (kcf_get_mech_entry(mt, &me) != KCF_SUCCESS) - continue; - - mil = kmem_zalloc(sizeof (*mil), KM_SLEEP); - mil2 = kmem_zalloc(sizeof (*mil2), KM_SLEEP); - - /* - * Ignore hard-coded entries in the mech table - * if the provider hasn't registered. - */ - mutex_enter(&me->me_mutex); - if (me->me_hw_prov_chain == NULL && me->me_sw_prov == NULL) { - mutex_exit(&me->me_mutex); - kmem_free(mil, sizeof (*mil)); - kmem_free(mil2, sizeof (*mil2)); - continue; - } - - /* - * Add other dual mechanisms that have registered - * with the framework to this mechanism's - * cross-reference list. - */ - mil->ml_mech_info = *dmi; /* struct assignment */ - mil->ml_kcf_mechid = mt; - - /* add to head of list */ - mil->ml_next = prov_mech->pm_mi_list; - prov_mech->pm_mi_list = mil; - - if (prov_desc->pd_prov_type == CRYPTO_HW_PROVIDER) - prov_mech2 = me->me_hw_prov_chain; - else - prov_mech2 = me->me_sw_prov; - - if (prov_mech2 == NULL) { - kmem_free(mil2, sizeof (*mil2)); - mutex_exit(&me->me_mutex); - continue; - } - - /* - * Update all other cross-reference lists by - * adding this new mechanism. - */ - while (prov_mech2 != NULL) { - if (prov_mech2->pm_prov_desc == prov_desc) { - /* struct assignment */ - mil2->ml_mech_info = *mech_info; - mil2->ml_kcf_mechid = kcf_mech_type; - - /* add to head of list */ - mil2->ml_next = prov_mech2->pm_mi_list; - prov_mech2->pm_mi_list = mil2; - break; - } - prov_mech2 = prov_mech2->pm_next; - } - if (prov_mech2 == NULL) - kmem_free(mil2, sizeof (*mil2)); - - mutex_exit(&me->me_mutex); - } - -add_entry: /* * Add new kcf_prov_mech_desc at the front of HW providers * chain. diff --git a/module/icp/core/kcf_prov_tabs.c b/module/icp/core/kcf_prov_tabs.c index ce47109da4e1..a5e3f5891d02 100644 --- a/module/icp/core/kcf_prov_tabs.c +++ b/module/icp/core/kcf_prov_tabs.c @@ -205,8 +205,7 @@ kcf_prov_tab_lookup(crypto_provider_id_t prov_id) } static void -allocate_ops(const crypto_ops_t *src, crypto_ops_t *dst, - uint_t *mech_list_count) +allocate_ops(const crypto_ops_t *src, crypto_ops_t *dst) { if (src->co_digest_ops != NULL) dst->co_digest_ops = kmem_alloc(sizeof (crypto_digest_ops_t), @@ -220,62 +219,9 @@ allocate_ops(const crypto_ops_t *src, crypto_ops_t *dst, dst->co_mac_ops = kmem_alloc(sizeof (crypto_mac_ops_t), KM_SLEEP); - if (src->co_sign_ops != NULL) - dst->co_sign_ops = kmem_alloc(sizeof (crypto_sign_ops_t), - KM_SLEEP); - - if (src->co_verify_ops != NULL) - dst->co_verify_ops = kmem_alloc(sizeof (crypto_verify_ops_t), - KM_SLEEP); - - if (src->co_dual_ops != NULL) - dst->co_dual_ops = kmem_alloc(sizeof (crypto_dual_ops_t), - KM_SLEEP); - - if (src->co_dual_cipher_mac_ops != NULL) - dst->co_dual_cipher_mac_ops = kmem_alloc( - sizeof (crypto_dual_cipher_mac_ops_t), KM_SLEEP); - - if (src->co_random_ops != NULL) { - dst->co_random_ops = kmem_alloc( - sizeof (crypto_random_number_ops_t), KM_SLEEP); - - /* - * Allocate storage to store the array of supported mechanisms - * specified by provider. We allocate extra mechanism storage - * if the provider has random_ops since we keep an internal - * mechanism, SUN_RANDOM, in this case. - */ - (*mech_list_count)++; - } - - if (src->co_session_ops != NULL) - dst->co_session_ops = kmem_alloc(sizeof (crypto_session_ops_t), - KM_SLEEP); - - if (src->co_object_ops != NULL) - dst->co_object_ops = kmem_alloc(sizeof (crypto_object_ops_t), - KM_SLEEP); - - if (src->co_key_ops != NULL) - dst->co_key_ops = kmem_alloc(sizeof (crypto_key_ops_t), - KM_SLEEP); - - if (src->co_provider_ops != NULL) - dst->co_provider_ops = kmem_alloc( - sizeof (crypto_provider_management_ops_t), KM_SLEEP); - if (src->co_ctx_ops != NULL) dst->co_ctx_ops = kmem_alloc(sizeof (crypto_ctx_ops_t), KM_SLEEP); - - if (src->co_mech_ops != NULL) - dst->co_mech_ops = kmem_alloc(sizeof (crypto_mech_ops_t), - KM_SLEEP); - - if (src->co_nostore_key_ops != NULL) - dst->co_nostore_key_ops = - kmem_alloc(sizeof (crypto_nostore_key_ops_t), KM_SLEEP); } /* @@ -289,7 +235,6 @@ kcf_provider_desc_t * kcf_alloc_provider_desc(const crypto_provider_info_t *info) { kcf_provider_desc_t *desc; - uint_t mech_list_count = info->pi_mech_list_count; const crypto_ops_t *src_ops = info->pi_ops_vector; desc = kmem_zalloc(sizeof (kcf_provider_desc_t), KM_SLEEP); @@ -319,15 +264,13 @@ kcf_alloc_provider_desc(const crypto_provider_info_t *info) * vectors are copied. */ crypto_ops_t *opvec = kmem_zalloc(sizeof (crypto_ops_t), KM_SLEEP); - - if (info->pi_provider_type != CRYPTO_LOGICAL_PROVIDER) { - allocate_ops(src_ops, opvec, &mech_list_count); - } + if (info->pi_provider_type != CRYPTO_LOGICAL_PROVIDER) + allocate_ops(src_ops, opvec); desc->pd_ops_vector = opvec; - desc->pd_mech_list_count = mech_list_count; + desc->pd_mech_list_count = info->pi_mech_list_count; desc->pd_mechanisms = kmem_zalloc(sizeof (crypto_mech_info_t) * - mech_list_count, KM_SLEEP); + info->pi_mech_list_count, KM_SLEEP); for (int i = 0; i < KCF_OPS_CLASSSIZE; i++) for (int j = 0; j < KCF_MAXMECHTAB; j++) desc->pd_mech_indx[i][j] = KCF_INVALID_INDX; @@ -408,54 +351,10 @@ kcf_free_provider_desc(kcf_provider_desc_t *desc) kmem_free(desc->pd_ops_vector->co_mac_ops, sizeof (crypto_mac_ops_t)); - if (desc->pd_ops_vector->co_sign_ops != NULL) - kmem_free(desc->pd_ops_vector->co_sign_ops, - sizeof (crypto_sign_ops_t)); - - if (desc->pd_ops_vector->co_verify_ops != NULL) - kmem_free(desc->pd_ops_vector->co_verify_ops, - sizeof (crypto_verify_ops_t)); - - if (desc->pd_ops_vector->co_dual_ops != NULL) - kmem_free(desc->pd_ops_vector->co_dual_ops, - sizeof (crypto_dual_ops_t)); - - if (desc->pd_ops_vector->co_dual_cipher_mac_ops != NULL) - kmem_free(desc->pd_ops_vector->co_dual_cipher_mac_ops, - sizeof (crypto_dual_cipher_mac_ops_t)); - - if (desc->pd_ops_vector->co_random_ops != NULL) - kmem_free(desc->pd_ops_vector->co_random_ops, - sizeof (crypto_random_number_ops_t)); - - if (desc->pd_ops_vector->co_session_ops != NULL) - kmem_free(desc->pd_ops_vector->co_session_ops, - sizeof (crypto_session_ops_t)); - - if (desc->pd_ops_vector->co_object_ops != NULL) - kmem_free(desc->pd_ops_vector->co_object_ops, - sizeof (crypto_object_ops_t)); - - if (desc->pd_ops_vector->co_key_ops != NULL) - kmem_free(desc->pd_ops_vector->co_key_ops, - sizeof (crypto_key_ops_t)); - - if (desc->pd_ops_vector->co_provider_ops != NULL) - kmem_free(desc->pd_ops_vector->co_provider_ops, - sizeof (crypto_provider_management_ops_t)); - if (desc->pd_ops_vector->co_ctx_ops != NULL) kmem_free(desc->pd_ops_vector->co_ctx_ops, sizeof (crypto_ctx_ops_t)); - if (desc->pd_ops_vector->co_mech_ops != NULL) - kmem_free(desc->pd_ops_vector->co_mech_ops, - sizeof (crypto_mech_ops_t)); - - if (desc->pd_ops_vector->co_nostore_key_ops != NULL) - kmem_free(desc->pd_ops_vector->co_nostore_key_ops, - sizeof (crypto_nostore_key_ops_t)); - kmem_free(desc->pd_ops_vector, sizeof (crypto_ops_t)); } @@ -474,111 +373,6 @@ kcf_free_provider_desc(kcf_provider_desc_t *desc) kmem_free(desc, sizeof (kcf_provider_desc_t)); } -/* - * Returns an array of hardware and logical provider descriptors, - * a.k.a the PKCS#11 slot list. A REFHOLD is done on each descriptor - * before the array is returned. The entire table can be freed by - * calling kcf_free_provider_tab(). - */ -int -kcf_get_slot_list(uint_t *count, kcf_provider_desc_t ***array, - boolean_t unverified) -{ - kcf_provider_desc_t *prov_desc; - kcf_provider_desc_t **p = NULL; - char *last; - uint_t cnt = 0; - uint_t i, j; - int rval = CRYPTO_SUCCESS; - size_t n, final_size; - - /* count the providers */ - mutex_enter(&prov_tab_mutex); - for (i = 0; i < KCF_MAX_PROVIDERS; i++) { - if ((prov_desc = prov_tab[i]) != NULL && - ((prov_desc->pd_prov_type == CRYPTO_HW_PROVIDER && - (prov_desc->pd_flags & CRYPTO_HIDE_PROVIDER) == 0) || - prov_desc->pd_prov_type == CRYPTO_LOGICAL_PROVIDER)) { - if (KCF_IS_PROV_USABLE(prov_desc) || - (unverified && KCF_IS_PROV_UNVERIFIED(prov_desc))) { - cnt++; - } - } - } - mutex_exit(&prov_tab_mutex); - - if (cnt == 0) - goto out; - - n = cnt * sizeof (kcf_provider_desc_t *); -again: - p = kmem_zalloc(n, KM_SLEEP); - - /* pointer to last entry in the array */ - last = (char *)&p[cnt-1]; - - mutex_enter(&prov_tab_mutex); - /* fill the slot list */ - for (i = 0, j = 0; i < KCF_MAX_PROVIDERS; i++) { - if ((prov_desc = prov_tab[i]) != NULL && - ((prov_desc->pd_prov_type == CRYPTO_HW_PROVIDER && - (prov_desc->pd_flags & CRYPTO_HIDE_PROVIDER) == 0) || - prov_desc->pd_prov_type == CRYPTO_LOGICAL_PROVIDER)) { - if (KCF_IS_PROV_USABLE(prov_desc) || - (unverified && KCF_IS_PROV_UNVERIFIED(prov_desc))) { - if ((char *)&p[j] > last) { - mutex_exit(&prov_tab_mutex); - kcf_free_provider_tab(cnt, p); - n = n << 1; - cnt = cnt << 1; - goto again; - } - p[j++] = prov_desc; - KCF_PROV_REFHOLD(prov_desc); - } - } - } - mutex_exit(&prov_tab_mutex); - - final_size = j * sizeof (kcf_provider_desc_t *); - cnt = j; - ASSERT(final_size <= n); - - /* check if buffer we allocated is too large */ - if (final_size < n) { - char *final_buffer = NULL; - - if (final_size > 0) { - final_buffer = kmem_alloc(final_size, KM_SLEEP); - bcopy(p, final_buffer, final_size); - } - kmem_free(p, n); - p = (kcf_provider_desc_t **)final_buffer; - } -out: - *count = cnt; - *array = p; - return (rval); -} - -/* - * Free an array of hardware provider descriptors. A REFRELE - * is done on each descriptor before the table is freed. - */ -void -kcf_free_provider_tab(uint_t count, kcf_provider_desc_t **array) -{ - kcf_provider_desc_t *prov_desc; - int i; - - for (i = 0; i < count; i++) { - if ((prov_desc = array[i]) != NULL) { - KCF_PROV_REFRELE(prov_desc); - } - } - kmem_free(array, count * sizeof (kcf_provider_desc_t *)); -} - /* * Returns in the location pointed to by pd a pointer to the descriptor * for the software provider for the specified mechanism. diff --git a/module/icp/core/kcf_sched.c b/module/icp/core/kcf_sched.c index ee0fe0ac635d..b50e80529c26 100644 --- a/module/icp/core/kcf_sched.c +++ b/module/icp/core/kcf_sched.c @@ -66,8 +66,6 @@ static kcf_stats_t kcf_ksdata = { static kstat_t *kcf_misc_kstat = NULL; ulong_t kcf_swprov_hndl = 0; -static kcf_areq_node_t *kcf_areqnode_alloc(kcf_provider_desc_t *, - kcf_context_t *, crypto_call_req_t *, kcf_req_params_t *, boolean_t); static int kcf_disp_sw_request(kcf_areq_node_t *); static void process_req_hwp(void *); static int kcf_enqueue(kcf_areq_node_t *); @@ -121,7 +119,7 @@ kcf_new_ctx(crypto_call_req_t *crq, kcf_provider_desc_t *pd, */ static kcf_areq_node_t * kcf_areqnode_alloc(kcf_provider_desc_t *pd, kcf_context_t *ictx, - crypto_call_req_t *crq, kcf_req_params_t *req, boolean_t isdual) + crypto_call_req_t *crq, kcf_req_params_t *req) { kcf_areq_node_t *arptr, *areq; @@ -134,7 +132,6 @@ kcf_areqnode_alloc(kcf_provider_desc_t *pd, kcf_context_t *ictx, arptr->an_reqarg = *crq; arptr->an_params = *req; arptr->an_context = ictx; - arptr->an_isdual = isdual; arptr->an_next = arptr->an_prev = NULL; KCF_PROV_REFHOLD(pd); @@ -342,17 +339,16 @@ process_req_hwp(void *ireq) /* * This routine checks if a request can be retried on another * provider. If true, mech1 is initialized to point to the mechanism - * structure. mech2 is also initialized in case of a dual operation. fg - * is initialized to the correct crypto_func_group_t bit flag. They are - * initialized by this routine, so that the caller can pass them to a - * kcf_get_mech_provider() or kcf_get_dual_provider() with no further change. + * structure. fg is initialized to the correct crypto_func_group_t bit flag. + * They are initialized by this routine, so that the caller can pass them to + * kcf_get_mech_provider() with no further change. * * We check that the request is for a init or atomic routine and that * it is for one of the operation groups used from k-api . */ static boolean_t can_resubmit(kcf_areq_node_t *areq, crypto_mechanism_t **mech1, - crypto_mechanism_t **mech2, crypto_func_group_t *fg) + crypto_func_group_t *fg) { kcf_req_params_t *params; kcf_op_type_t optype; @@ -384,44 +380,6 @@ can_resubmit(kcf_areq_node_t *areq, crypto_mechanism_t **mech1, break; } - case KCF_OG_SIGN: { - kcf_sign_ops_params_t *sops = ¶ms->rp_u.sign_params; - - sops->so_mech.cm_type = sops->so_framework_mechtype; - *mech1 = &sops->so_mech; - switch (optype) { - case KCF_OP_INIT: - *fg = CRYPTO_FG_SIGN; - break; - case KCF_OP_ATOMIC: - *fg = CRYPTO_FG_SIGN_ATOMIC; - break; - default: - ASSERT(optype == KCF_OP_SIGN_RECOVER_ATOMIC); - *fg = CRYPTO_FG_SIGN_RECOVER_ATOMIC; - } - break; - } - - case KCF_OG_VERIFY: { - kcf_verify_ops_params_t *vops = ¶ms->rp_u.verify_params; - - vops->vo_mech.cm_type = vops->vo_framework_mechtype; - *mech1 = &vops->vo_mech; - switch (optype) { - case KCF_OP_INIT: - *fg = CRYPTO_FG_VERIFY; - break; - case KCF_OP_ATOMIC: - *fg = CRYPTO_FG_VERIFY_ATOMIC; - break; - default: - ASSERT(optype == KCF_OP_VERIFY_RECOVER_ATOMIC); - *fg = CRYPTO_FG_VERIFY_RECOVER_ATOMIC; - } - break; - } - case KCF_OG_ENCRYPT: { kcf_encrypt_ops_params_t *eops = ¶ms->rp_u.encrypt_params; @@ -442,32 +400,6 @@ can_resubmit(kcf_areq_node_t *areq, crypto_mechanism_t **mech1, break; } - case KCF_OG_ENCRYPT_MAC: { - kcf_encrypt_mac_ops_params_t *eops = - ¶ms->rp_u.encrypt_mac_params; - - eops->em_encr_mech.cm_type = eops->em_framework_encr_mechtype; - *mech1 = &eops->em_encr_mech; - eops->em_mac_mech.cm_type = eops->em_framework_mac_mechtype; - *mech2 = &eops->em_mac_mech; - *fg = (optype == KCF_OP_INIT) ? CRYPTO_FG_ENCRYPT_MAC : - CRYPTO_FG_ENCRYPT_MAC_ATOMIC; - break; - } - - case KCF_OG_MAC_DECRYPT: { - kcf_mac_decrypt_ops_params_t *dops = - ¶ms->rp_u.mac_decrypt_params; - - dops->md_mac_mech.cm_type = dops->md_framework_mac_mechtype; - *mech1 = &dops->md_mac_mech; - dops->md_decr_mech.cm_type = dops->md_framework_decr_mechtype; - *mech2 = &dops->md_decr_mech; - *fg = (optype == KCF_OP_INIT) ? CRYPTO_FG_MAC_DECRYPT : - CRYPTO_FG_MAC_DECRYPT_ATOMIC; - break; - } - default: return (B_FALSE); } @@ -491,11 +423,10 @@ kcf_resubmit_request(kcf_areq_node_t *areq) kcf_context_t *ictx; kcf_provider_desc_t *old_pd; kcf_provider_desc_t *new_pd; - crypto_mechanism_t *mech1 = NULL, *mech2 = NULL; - crypto_mech_type_t prov_mt1, prov_mt2; + crypto_mechanism_t *mech1 = NULL; crypto_func_group_t fg = 0; - if (!can_resubmit(areq, &mech1, &mech2, &fg)) + if (!can_resubmit(areq, &mech1, &fg)) return (error); old_pd = areq->an_provider; @@ -508,17 +439,9 @@ kcf_resubmit_request(kcf_areq_node_t *areq) KM_NOSLEEP) == NULL) return (error); - if (mech1 && !mech2) { - new_pd = kcf_get_mech_provider(mech1->cm_type, NULL, &error, - areq->an_tried_plist, fg, - (areq->an_reqarg.cr_flag & CRYPTO_RESTRICTED), 0); - } else { - ASSERT(mech1 != NULL && mech2 != NULL); - - new_pd = kcf_get_dual_provider(mech1, mech2, NULL, &prov_mt1, - &prov_mt2, &error, areq->an_tried_plist, fg, fg, - (areq->an_reqarg.cr_flag & CRYPTO_RESTRICTED), 0); - } + new_pd = kcf_get_mech_provider(mech1->cm_type, NULL, &error, + areq->an_tried_plist, fg, + (areq->an_reqarg.cr_flag & CRYPTO_RESTRICTED), 0); if (new_pd == NULL) return (error); @@ -588,7 +511,7 @@ kcf_resubmit_request(kcf_areq_node_t *areq) */ int kcf_submit_request(kcf_provider_desc_t *pd, crypto_ctx_t *ctx, - crypto_call_req_t *crq, kcf_req_params_t *params, boolean_t cont) + crypto_call_req_t *crq, kcf_req_params_t *params) { int error = CRYPTO_SUCCESS; kcf_areq_node_t *areq; @@ -703,16 +626,14 @@ kcf_submit_request(kcf_provider_desc_t *pd, crypto_ctx_t *ctx, * queue the request and return. */ areq = kcf_areqnode_alloc(pd, kcf_ctx, crq, - params, cont); + params); if (areq == NULL) error = CRYPTO_HOST_MEMORY; else { if (!(crq->cr_flag & CRYPTO_SKIP_REQID)) { /* - * Set the request handle. This handle - * is used for any crypto_cancel_req(9f) - * calls from the consumer. We have to + * Set the request handle. We have to * do this before dispatching the * request. */ @@ -739,8 +660,7 @@ kcf_submit_request(kcf_provider_desc_t *pd, crypto_ctx_t *ctx, /* * We need to queue the request and return. */ - areq = kcf_areqnode_alloc(pd, kcf_ctx, crq, params, - cont); + areq = kcf_areqnode_alloc(pd, kcf_ctx, crq, params); if (areq == NULL) { error = CRYPTO_HOST_MEMORY; goto done; @@ -760,10 +680,8 @@ kcf_submit_request(kcf_provider_desc_t *pd, crypto_ctx_t *ctx, if (!(crq->cr_flag & CRYPTO_SKIP_REQID)) { /* - * Set the request handle. This handle is used - * for any crypto_cancel_req(9f) calls from the - * consumer. We have to do this before dispatching - * the request. + * Set the request handle. We have to do this + * before dispatching the request. */ crq->cr_reqid = kcf_reqid_insert(areq); } @@ -856,66 +774,6 @@ kcf_free_req(kcf_areq_node_t *areq) kmem_cache_free(kcf_areq_cache, areq); } -/* - * Utility routine to remove a request from the chain of requests - * hanging off a context. - */ -static void -kcf_removereq_in_ctxchain(kcf_context_t *ictx, kcf_areq_node_t *areq) -{ - kcf_areq_node_t *cur, *prev; - - /* - * Get context lock, search for areq in the chain and remove it. - */ - ASSERT(ictx != NULL); - mutex_enter(&ictx->kc_in_use_lock); - prev = cur = ictx->kc_req_chain_first; - - while (cur != NULL) { - if (cur == areq) { - if (prev == cur) { - if ((ictx->kc_req_chain_first = - cur->an_ctxchain_next) == NULL) - ictx->kc_req_chain_last = NULL; - } else { - if (cur == ictx->kc_req_chain_last) - ictx->kc_req_chain_last = prev; - prev->an_ctxchain_next = cur->an_ctxchain_next; - } - - break; - } - prev = cur; - cur = cur->an_ctxchain_next; - } - mutex_exit(&ictx->kc_in_use_lock); -} - -/* - * Remove the specified node from the global software queue. - * - * The caller must hold the queue lock and request lock (an_lock). - */ -static void -kcf_remove_node(kcf_areq_node_t *node) -{ - kcf_areq_node_t *nextp = node->an_next; - kcf_areq_node_t *prevp = node->an_prev; - - if (nextp != NULL) - nextp->an_prev = prevp; - else - gswq->gs_last = prevp; - - if (prevp != NULL) - prevp->an_next = nextp; - else - gswq->gs_first = nextp; - - node->an_state = REQ_CANCELED; -} - /* * Add the request node to the end of the global software queue. * @@ -1224,19 +1082,6 @@ kcf_aop_done(kcf_areq_node_t *areq, int error) } } - /* Deal with the internal continuation to this request first */ - - if (areq->an_isdual) { - kcf_dual_req_t *next_arg; - next_arg = (kcf_dual_req_t *)areq->an_reqarg.cr_callback_arg; - next_arg->kr_areq = areq; - KCF_AREQ_REFHOLD(areq); - areq->an_isdual = B_FALSE; - - NOTIFY_CLIENT(areq, error); - return; - } - /* * If CRYPTO_NOTIFY_OPDONE flag is set, we should notify * always. If this flag is clear, we skip the notification @@ -1344,146 +1189,6 @@ kcf_reqid_delete(kcf_areq_node_t *areq) mutex_exit(&rt->rt_lock); } -/* - * Cancel a single asynchronous request. - * - * We guarantee that no problems will result from calling - * crypto_cancel_req() for a request which is either running, or - * has already completed. We remove the request from any queues - * if it is possible. We wait for request completion if the - * request is dispatched to a provider. - * - * Calling context: - * Can be called from user context only. - * - * NOTE: We acquire the following locks in this routine (in order): - * - rt_lock (kcf_reqid_table_t) - * - gswq->gs_lock - * - areq->an_lock - * - ictx->kc_in_use_lock (from kcf_removereq_in_ctxchain()) - * - * This locking order MUST be maintained in code every where else. - */ -void -crypto_cancel_req(crypto_req_id_t id) -{ - int indx; - kcf_areq_node_t *areq; - kcf_provider_desc_t *pd; - kcf_context_t *ictx; - kcf_reqid_table_t *rt; - - rt = kcf_reqid_table[id & REQID_TABLE_MASK]; - indx = REQID_HASH(id); - - mutex_enter(&rt->rt_lock); - for (areq = rt->rt_idhash[indx]; areq; areq = areq->an_idnext) { - if (GET_REQID(areq) == id) { - /* - * We found the request. It is either still waiting - * in the framework queues or running at the provider. - */ - pd = areq->an_provider; - ASSERT(pd != NULL); - - switch (pd->pd_prov_type) { - case CRYPTO_SW_PROVIDER: - mutex_enter(&gswq->gs_lock); - mutex_enter(&areq->an_lock); - - /* This request can be safely canceled. */ - if (areq->an_state <= REQ_WAITING) { - /* Remove from gswq, global software queue. */ - kcf_remove_node(areq); - if ((ictx = areq->an_context) != NULL) - kcf_removereq_in_ctxchain(ictx, areq); - - mutex_exit(&areq->an_lock); - mutex_exit(&gswq->gs_lock); - mutex_exit(&rt->rt_lock); - - /* Remove areq from hash table and free it. */ - kcf_reqid_delete(areq); - KCF_AREQ_REFRELE(areq); - return; - } - - mutex_exit(&areq->an_lock); - mutex_exit(&gswq->gs_lock); - break; - - case CRYPTO_HW_PROVIDER: - /* - * There is no interface to remove an entry - * once it is on the taskq. So, we do not do - * anything for a hardware provider. - */ - break; - default: - break; - } - - /* - * The request is running. Wait for the request completion - * to notify us. - */ - KCF_AREQ_REFHOLD(areq); - while (GET_REQID(areq) == id) - cv_wait(&areq->an_done, &rt->rt_lock); - KCF_AREQ_REFRELE(areq); - break; - } - } - - mutex_exit(&rt->rt_lock); -} - -/* - * Cancel all asynchronous requests associated with the - * passed in crypto context and free it. - * - * A client SHOULD NOT call this routine after calling a crypto_*_final - * routine. This routine is called only during intermediate operations. - * The client should not use the crypto context after this function returns - * since we destroy it. - * - * Calling context: - * Can be called from user context only. - */ -void -crypto_cancel_ctx(crypto_context_t ctx) -{ - kcf_context_t *ictx; - kcf_areq_node_t *areq; - - if (ctx == NULL) - return; - - ictx = (kcf_context_t *)((crypto_ctx_t *)ctx)->cc_framework_private; - - mutex_enter(&ictx->kc_in_use_lock); - - /* Walk the chain and cancel each request */ - while ((areq = ictx->kc_req_chain_first) != NULL) { - /* - * We have to drop the lock here as we may have - * to wait for request completion. We hold the - * request before dropping the lock though, so that it - * won't be freed underneath us. - */ - KCF_AREQ_REFHOLD(areq); - mutex_exit(&ictx->kc_in_use_lock); - - crypto_cancel_req(GET_REQID(areq)); - KCF_AREQ_REFRELE(areq); - - mutex_enter(&ictx->kc_in_use_lock); - } - - mutex_exit(&ictx->kc_in_use_lock); - KCF_CONTEXT_REFRELE(ictx); -} - /* * Update kstats. */ @@ -1517,250 +1222,3 @@ kcf_misc_kstat_update(kstat_t *ksp, int rw) return (0); } - -/* - * Allocate and initialize a kcf_dual_req, used for saving the arguments of - * a dual operation or an atomic operation that has to be internally - * simulated with multiple single steps. - * crq determines the memory allocation flags. - */ - -kcf_dual_req_t * -kcf_alloc_req(crypto_call_req_t *crq) -{ - kcf_dual_req_t *kcr; - - kcr = kmem_alloc(sizeof (kcf_dual_req_t), KCF_KMFLAG(crq)); - - if (kcr == NULL) - return (NULL); - - /* Copy the whole crypto_call_req struct, as it isn't persistent */ - if (crq != NULL) - kcr->kr_callreq = *crq; - else - bzero(&(kcr->kr_callreq), sizeof (crypto_call_req_t)); - kcr->kr_areq = NULL; - kcr->kr_saveoffset = 0; - kcr->kr_savelen = 0; - - return (kcr); -} - -/* - * Callback routine for the next part of a simulated dual part. - * Schedules the next step. - * - * This routine can be called from interrupt context. - */ -void -kcf_next_req(void *next_req_arg, int status) -{ - kcf_dual_req_t *next_req = (kcf_dual_req_t *)next_req_arg; - kcf_req_params_t *params = &(next_req->kr_params); - kcf_areq_node_t *areq = next_req->kr_areq; - int error = status; - kcf_provider_desc_t *pd = NULL; - crypto_dual_data_t *ct = NULL; - - /* Stop the processing if an error occurred at this step */ - if (error != CRYPTO_SUCCESS) { -out: - areq->an_reqarg = next_req->kr_callreq; - KCF_AREQ_REFRELE(areq); - kmem_free(next_req, sizeof (kcf_dual_req_t)); - areq->an_isdual = B_FALSE; - kcf_aop_done(areq, error); - return; - } - - switch (params->rp_opgrp) { - case KCF_OG_MAC: { - - /* - * The next req is submitted with the same reqid as the - * first part. The consumer only got back that reqid, and - * should still be able to cancel the operation during its - * second step. - */ - kcf_mac_ops_params_t *mops = &(params->rp_u.mac_params); - crypto_ctx_template_t mac_tmpl; - kcf_mech_entry_t *me; - - ct = (crypto_dual_data_t *)mops->mo_data; - mac_tmpl = (crypto_ctx_template_t)mops->mo_templ; - - /* No expected recoverable failures, so no retry list */ - pd = kcf_get_mech_provider(mops->mo_framework_mechtype, - &me, &error, NULL, CRYPTO_FG_MAC_ATOMIC, - (areq->an_reqarg.cr_flag & CRYPTO_RESTRICTED), ct->dd_len2); - - if (pd == NULL) { - error = CRYPTO_MECH_NOT_SUPPORTED; - goto out; - } - /* Validate the MAC context template here */ - if ((pd->pd_prov_type == CRYPTO_SW_PROVIDER) && - (mac_tmpl != NULL)) { - kcf_ctx_template_t *ctx_mac_tmpl; - - ctx_mac_tmpl = (kcf_ctx_template_t *)mac_tmpl; - - if (ctx_mac_tmpl->ct_generation != me->me_gen_swprov) { - KCF_PROV_REFRELE(pd); - error = CRYPTO_OLD_CTX_TEMPLATE; - goto out; - } - mops->mo_templ = ctx_mac_tmpl->ct_prov_tmpl; - } - - break; - } - case KCF_OG_DECRYPT: { - kcf_decrypt_ops_params_t *dcrops = - &(params->rp_u.decrypt_params); - - ct = (crypto_dual_data_t *)dcrops->dop_ciphertext; - /* No expected recoverable failures, so no retry list */ - pd = kcf_get_mech_provider(dcrops->dop_framework_mechtype, - NULL, &error, NULL, CRYPTO_FG_DECRYPT_ATOMIC, - (areq->an_reqarg.cr_flag & CRYPTO_RESTRICTED), ct->dd_len1); - - if (pd == NULL) { - error = CRYPTO_MECH_NOT_SUPPORTED; - goto out; - } - break; - } - default: - break; - } - - /* The second step uses len2 and offset2 of the dual_data */ - next_req->kr_saveoffset = ct->dd_offset1; - next_req->kr_savelen = ct->dd_len1; - ct->dd_offset1 = ct->dd_offset2; - ct->dd_len1 = ct->dd_len2; - - /* preserve if the caller is restricted */ - if (areq->an_reqarg.cr_flag & CRYPTO_RESTRICTED) { - areq->an_reqarg.cr_flag = CRYPTO_RESTRICTED; - } else { - areq->an_reqarg.cr_flag = 0; - } - - areq->an_reqarg.cr_callback_func = kcf_last_req; - areq->an_reqarg.cr_callback_arg = next_req; - areq->an_isdual = B_TRUE; - - /* - * We would like to call kcf_submit_request() here. But, - * that is not possible as that routine allocates a new - * kcf_areq_node_t request structure, while we need to - * reuse the existing request structure. - */ - switch (pd->pd_prov_type) { - case CRYPTO_SW_PROVIDER: - error = common_submit_request(pd, NULL, params, - KCF_RHNDL(KM_NOSLEEP)); - break; - - case CRYPTO_HW_PROVIDER: { - kcf_provider_desc_t *old_pd; - taskq_t *taskq = pd->pd_sched_info.ks_taskq; - - /* - * Set the params for the second step in the - * dual-ops. - */ - areq->an_params = *params; - old_pd = areq->an_provider; - KCF_PROV_REFRELE(old_pd); - KCF_PROV_REFHOLD(pd); - areq->an_provider = pd; - - /* - * Note that we have to do a taskq_dispatch() - * here as we may be in interrupt context. - */ - if (taskq_dispatch(taskq, process_req_hwp, areq, - TQ_NOSLEEP) == (taskqid_t)0) { - error = CRYPTO_HOST_MEMORY; - } else { - error = CRYPTO_QUEUED; - } - break; - } - default: - break; - } - - /* - * We have to release the holds on the request and the provider - * in all cases. - */ - KCF_AREQ_REFRELE(areq); - KCF_PROV_REFRELE(pd); - - if (error != CRYPTO_QUEUED) { - /* restore, clean up, and invoke the client's callback */ - - ct->dd_offset1 = next_req->kr_saveoffset; - ct->dd_len1 = next_req->kr_savelen; - areq->an_reqarg = next_req->kr_callreq; - kmem_free(next_req, sizeof (kcf_dual_req_t)); - areq->an_isdual = B_FALSE; - kcf_aop_done(areq, error); - } -} - -/* - * Last part of an emulated dual operation. - * Clean up and restore ... - */ -void -kcf_last_req(void *last_req_arg, int status) -{ - kcf_dual_req_t *last_req = (kcf_dual_req_t *)last_req_arg; - - kcf_req_params_t *params = &(last_req->kr_params); - kcf_areq_node_t *areq = last_req->kr_areq; - crypto_dual_data_t *ct = NULL; - - switch (params->rp_opgrp) { - case KCF_OG_MAC: { - kcf_mac_ops_params_t *mops = &(params->rp_u.mac_params); - - ct = (crypto_dual_data_t *)mops->mo_data; - break; - } - case KCF_OG_DECRYPT: { - kcf_decrypt_ops_params_t *dcrops = - &(params->rp_u.decrypt_params); - - ct = (crypto_dual_data_t *)dcrops->dop_ciphertext; - break; - } - default: { - panic("invalid kcf_op_group_t %d", (int)params->rp_opgrp); - return; - } - } - ct->dd_offset1 = last_req->kr_saveoffset; - ct->dd_len1 = last_req->kr_savelen; - - /* The submitter used kcf_last_req as its callback */ - - if (areq == NULL) { - crypto_call_req_t *cr = &last_req->kr_callreq; - - (*(cr->cr_callback_func))(cr->cr_callback_arg, status); - kmem_free(last_req, sizeof (kcf_dual_req_t)); - return; - } - areq->an_reqarg = last_req->kr_callreq; - KCF_AREQ_REFRELE(areq); - kmem_free(last_req, sizeof (kcf_dual_req_t)); - areq->an_isdual = B_FALSE; - kcf_aop_done(areq, status); -} diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index bb777e689f03..3c8f4d37eeaf 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -117,7 +117,7 @@ typedef struct kcf_sched_info { * When impl.h is broken up (bug# 4703218), this will be done. For now, * we hardcode these values. */ -#define KCF_OPS_CLASSSIZE 8 +#define KCF_OPS_CLASSSIZE 4 #define KCF_MAXMECHTAB 32 /* @@ -393,21 +393,15 @@ extern kcf_soft_conf_entry_t *soft_config_list; #define KCF_MAXDIGEST 16 /* Digests */ #define KCF_MAXCIPHER 64 /* Ciphers */ #define KCF_MAXMAC 40 /* Message authentication codes */ -#define KCF_MAXSIGN 24 /* Sign/Verify */ -#define KCF_MAXKEYOPS 116 /* Key generation and derivation */ -#define KCF_MAXMISC 16 /* Others ... */ typedef enum { KCF_DIGEST_CLASS = 1, KCF_CIPHER_CLASS, KCF_MAC_CLASS, - KCF_SIGN_CLASS, - KCF_KEYOPS_CLASS, - KCF_MISC_CLASS } kcf_ops_class_t; #define KCF_FIRST_OPSCLASS KCF_DIGEST_CLASS -#define KCF_LAST_OPSCLASS KCF_MISC_CLASS +#define KCF_LAST_OPSCLASS KCF_MAC_CLASS /* The table of all the kcf_xxx_mech_tab[]s, indexed by kcf_ops_class */ @@ -497,66 +491,16 @@ typedef struct crypto_minor { #define KCF_MECH_TAB_FULL 0x4 /* Need more room in the mech tabs. */ #define KCF_INVALID_INDX ((ushort_t)-1) -/* - * kCF internal mechanism and function group for tracking RNG providers. - */ -#define SUN_RANDOM "random" -#define CRYPTO_FG_RANDOM 0x80000000 /* generate_random() */ - /* * Wrappers for ops vectors. In the wrapper definitions below, the pd * argument always corresponds to a pointer to a provider descriptor * of type kcf_prov_desc_t. */ -#define KCF_PROV_CTX_OPS(pd) ((pd)->pd_ops_vector->co_ctx_ops) #define KCF_PROV_DIGEST_OPS(pd) ((pd)->pd_ops_vector->co_digest_ops) #define KCF_PROV_CIPHER_OPS(pd) ((pd)->pd_ops_vector->co_cipher_ops) #define KCF_PROV_MAC_OPS(pd) ((pd)->pd_ops_vector->co_mac_ops) -#define KCF_PROV_SIGN_OPS(pd) ((pd)->pd_ops_vector->co_sign_ops) -#define KCF_PROV_VERIFY_OPS(pd) ((pd)->pd_ops_vector->co_verify_ops) -#define KCF_PROV_DUAL_OPS(pd) ((pd)->pd_ops_vector->co_dual_ops) -#define KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) \ - ((pd)->pd_ops_vector->co_dual_cipher_mac_ops) -#define KCF_PROV_RANDOM_OPS(pd) ((pd)->pd_ops_vector->co_random_ops) -#define KCF_PROV_SESSION_OPS(pd) ((pd)->pd_ops_vector->co_session_ops) -#define KCF_PROV_OBJECT_OPS(pd) ((pd)->pd_ops_vector->co_object_ops) -#define KCF_PROV_KEY_OPS(pd) ((pd)->pd_ops_vector->co_key_ops) -#define KCF_PROV_PROVIDER_OPS(pd) ((pd)->pd_ops_vector->co_provider_ops) -#define KCF_PROV_MECH_OPS(pd) ((pd)->pd_ops_vector->co_mech_ops) -#define KCF_PROV_NOSTORE_KEY_OPS(pd) \ - ((pd)->pd_ops_vector->co_nostore_key_ops) - -/* - * Wrappers for crypto_ctx_ops(9S) entry points. - */ - -#define KCF_PROV_CREATE_CTX_TEMPLATE(pd, mech, key, template, size, req) ( \ - (KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->create_ctx_template) ? \ - KCF_PROV_CTX_OPS(pd)->create_ctx_template( \ - (pd)->pd_prov_handle, mech, key, template, size, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_FREE_CONTEXT(pd, ctx) ( \ - (KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->free_context) ? \ - KCF_PROV_CTX_OPS(pd)->free_context(ctx) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_COPYIN_MECH(pd, umech, kmech, errorp, mode) ( \ - (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->copyin_mechanism) ? \ - KCF_PROV_MECH_OPS(pd)->copyin_mechanism( \ - (pd)->pd_prov_handle, umech, kmech, errorp, mode) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_COPYOUT_MECH(pd, kmech, umech, errorp, mode) ( \ - (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->copyout_mechanism) ? \ - KCF_PROV_MECH_OPS(pd)->copyout_mechanism( \ - (pd)->pd_prov_handle, kmech, umech, errorp, mode) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_FREE_MECH(pd, prov_mech) ( \ - (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->free_mechanism) ? \ - KCF_PROV_MECH_OPS(pd)->free_mechanism( \ - (pd)->pd_prov_handle, prov_mech) : CRYPTO_NOT_SUPPORTED) +#define KCF_PROV_CTX_OPS(pd) ((pd)->pd_ops_vector->co_ctx_ops) /* * Wrappers for crypto_digest_ops(9S) entry points. @@ -706,552 +650,21 @@ typedef struct crypto_minor { CRYPTO_NOT_SUPPORTED) /* - * Wrappers for crypto_sign_ops(9S) entry points. - */ - -#define KCF_PROV_SIGN_INIT(pd, ctx, mech, key, template, req) ( \ - (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_init) ? \ - KCF_PROV_SIGN_OPS(pd)->sign_init( \ - ctx, mech, key, template, req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_SIGN(pd, ctx, data, sig, req) ( \ - (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign) ? \ - KCF_PROV_SIGN_OPS(pd)->sign(ctx, data, sig, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_SIGN_UPDATE(pd, ctx, data, req) ( \ - (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_update) ? \ - KCF_PROV_SIGN_OPS(pd)->sign_update(ctx, data, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_SIGN_FINAL(pd, ctx, sig, req) ( \ - (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_final) ? \ - KCF_PROV_SIGN_OPS(pd)->sign_final(ctx, sig, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_SIGN_ATOMIC(pd, session, mech, key, data, template, \ - sig, req) ( \ - (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_atomic) ? \ - KCF_PROV_SIGN_OPS(pd)->sign_atomic( \ - (pd)->pd_prov_handle, session, mech, key, data, sig, template, \ - req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_SIGN_RECOVER_INIT(pd, ctx, mech, key, template, \ - req) ( \ - (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_recover_init) ? \ - KCF_PROV_SIGN_OPS(pd)->sign_recover_init(ctx, mech, key, template, \ - req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_SIGN_RECOVER(pd, ctx, data, sig, req) ( \ - (KCF_PROV_SIGN_OPS(pd) && KCF_PROV_SIGN_OPS(pd)->sign_recover) ? \ - KCF_PROV_SIGN_OPS(pd)->sign_recover(ctx, data, sig, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_SIGN_RECOVER_ATOMIC(pd, session, mech, key, data, template, \ - sig, req) ( \ - (KCF_PROV_SIGN_OPS(pd) && \ - KCF_PROV_SIGN_OPS(pd)->sign_recover_atomic) ? \ - KCF_PROV_SIGN_OPS(pd)->sign_recover_atomic( \ - (pd)->pd_prov_handle, session, mech, key, data, sig, template, \ - req) : CRYPTO_NOT_SUPPORTED) - -/* - * Wrappers for crypto_verify_ops(9S) entry points. - */ - -#define KCF_PROV_VERIFY_INIT(pd, ctx, mech, key, template, req) ( \ - (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_init) ? \ - KCF_PROV_VERIFY_OPS(pd)->verify_init(ctx, mech, key, template, \ - req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_VERIFY(pd, ctx, data, sig, req) ( \ - (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->do_verify) ? \ - KCF_PROV_VERIFY_OPS(pd)->do_verify(ctx, data, sig, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_VERIFY_UPDATE(pd, ctx, data, req) ( \ - (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_update) ? \ - KCF_PROV_VERIFY_OPS(pd)->verify_update(ctx, data, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_VERIFY_FINAL(pd, ctx, sig, req) ( \ - (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_final) ? \ - KCF_PROV_VERIFY_OPS(pd)->verify_final(ctx, sig, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_VERIFY_ATOMIC(pd, session, mech, key, data, template, sig, \ - req) ( \ - (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_atomic) ? \ - KCF_PROV_VERIFY_OPS(pd)->verify_atomic( \ - (pd)->pd_prov_handle, session, mech, key, data, sig, template, \ - req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_VERIFY_RECOVER_INIT(pd, ctx, mech, key, template, \ - req) ( \ - (KCF_PROV_VERIFY_OPS(pd) && \ - KCF_PROV_VERIFY_OPS(pd)->verify_recover_init) ? \ - KCF_PROV_VERIFY_OPS(pd)->verify_recover_init(ctx, mech, key, \ - template, req) : CRYPTO_NOT_SUPPORTED) - -/* verify_recover() CSPI routine has different argument order than verify() */ -#define KCF_PROV_VERIFY_RECOVER(pd, ctx, sig, data, req) ( \ - (KCF_PROV_VERIFY_OPS(pd) && KCF_PROV_VERIFY_OPS(pd)->verify_recover) ? \ - KCF_PROV_VERIFY_OPS(pd)->verify_recover(ctx, sig, data, req) : \ - CRYPTO_NOT_SUPPORTED) - -/* - * verify_recover_atomic() CSPI routine has different argument order - * than verify_atomic(). - */ -#define KCF_PROV_VERIFY_RECOVER_ATOMIC(pd, session, mech, key, sig, \ - template, data, req) ( \ - (KCF_PROV_VERIFY_OPS(pd) && \ - KCF_PROV_VERIFY_OPS(pd)->verify_recover_atomic) ? \ - KCF_PROV_VERIFY_OPS(pd)->verify_recover_atomic( \ - (pd)->pd_prov_handle, session, mech, key, sig, data, template, \ - req) : CRYPTO_NOT_SUPPORTED) - -/* - * Wrappers for crypto_dual_ops(9S) entry points. - */ - -#define KCF_PROV_DIGEST_ENCRYPT_UPDATE(digest_ctx, encrypt_ctx, plaintext, \ - ciphertext, req) ( \ - (KCF_PROV_DUAL_OPS(pd) && \ - KCF_PROV_DUAL_OPS(pd)->digest_encrypt_update) ? \ - KCF_PROV_DUAL_OPS(pd)->digest_encrypt_update( \ - digest_ctx, encrypt_ctx, plaintext, ciphertext, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_DECRYPT_DIGEST_UPDATE(decrypt_ctx, digest_ctx, ciphertext, \ - plaintext, req) ( \ - (KCF_PROV_DUAL_OPS(pd) && \ - KCF_PROV_DUAL_OPS(pd)->decrypt_digest_update) ? \ - KCF_PROV_DUAL_OPS(pd)->decrypt_digest_update( \ - decrypt_ctx, digest_ctx, ciphertext, plaintext, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_SIGN_ENCRYPT_UPDATE(sign_ctx, encrypt_ctx, plaintext, \ - ciphertext, req) ( \ - (KCF_PROV_DUAL_OPS(pd) && \ - KCF_PROV_DUAL_OPS(pd)->sign_encrypt_update) ? \ - KCF_PROV_DUAL_OPS(pd)->sign_encrypt_update( \ - sign_ctx, encrypt_ctx, plaintext, ciphertext, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_DECRYPT_VERIFY_UPDATE(decrypt_ctx, verify_ctx, ciphertext, \ - plaintext, req) ( \ - (KCF_PROV_DUAL_OPS(pd) && \ - KCF_PROV_DUAL_OPS(pd)->decrypt_verify_update) ? \ - KCF_PROV_DUAL_OPS(pd)->decrypt_verify_update( \ - decrypt_ctx, verify_ctx, ciphertext, plaintext, req) : \ - CRYPTO_NOT_SUPPORTED) - -/* - * Wrappers for crypto_dual_cipher_mac_ops(9S) entry points. - */ - -#define KCF_PROV_ENCRYPT_MAC_INIT(pd, ctx, encr_mech, encr_key, mac_mech, \ - mac_key, encr_ctx_template, mac_ctx_template, req) ( \ - (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_init) ? \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_init( \ - ctx, encr_mech, encr_key, mac_mech, mac_key, encr_ctx_template, \ - mac_ctx_template, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_ENCRYPT_MAC(pd, ctx, plaintext, ciphertext, mac, req) ( \ - (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac) ? \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac( \ - ctx, plaintext, ciphertext, mac, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_ENCRYPT_MAC_UPDATE(pd, ctx, plaintext, ciphertext, req) ( \ - (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_update) ? \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_update( \ - ctx, plaintext, ciphertext, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_ENCRYPT_MAC_FINAL(pd, ctx, ciphertext, mac, req) ( \ - (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_final) ? \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_final( \ - ctx, ciphertext, mac, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_ENCRYPT_MAC_ATOMIC(pd, session, encr_mech, encr_key, \ - mac_mech, mac_key, plaintext, ciphertext, mac, \ - encr_ctx_template, mac_ctx_template, req) ( \ - (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_atomic) ? \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->encrypt_mac_atomic( \ - (pd)->pd_prov_handle, session, encr_mech, encr_key, \ - mac_mech, mac_key, plaintext, ciphertext, mac, \ - encr_ctx_template, mac_ctx_template, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_MAC_DECRYPT_INIT(pd, ctx, mac_mech, mac_key, decr_mech, \ - decr_key, mac_ctx_template, decr_ctx_template, req) ( \ - (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_init) ? \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_init( \ - ctx, mac_mech, mac_key, decr_mech, decr_key, mac_ctx_template, \ - decr_ctx_template, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_MAC_DECRYPT(pd, ctx, ciphertext, mac, plaintext, req) ( \ - (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt) ? \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt( \ - ctx, ciphertext, mac, plaintext, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_MAC_DECRYPT_UPDATE(pd, ctx, ciphertext, plaintext, req) ( \ - (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_update) ? \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_update( \ - ctx, ciphertext, plaintext, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_MAC_DECRYPT_FINAL(pd, ctx, mac, plaintext, req) ( \ - (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_final) ? \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_final( \ - ctx, mac, plaintext, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_MAC_DECRYPT_ATOMIC(pd, session, mac_mech, mac_key, \ - decr_mech, decr_key, ciphertext, mac, plaintext, \ - mac_ctx_template, decr_ctx_template, req) ( \ - (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_atomic) ? \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_decrypt_atomic( \ - (pd)->pd_prov_handle, session, mac_mech, mac_key, \ - decr_mech, decr_key, ciphertext, mac, plaintext, \ - mac_ctx_template, decr_ctx_template, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_MAC_VERIFY_DECRYPT_ATOMIC(pd, session, mac_mech, mac_key, \ - decr_mech, decr_key, ciphertext, mac, plaintext, \ - mac_ctx_template, decr_ctx_template, req) ( \ - (KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) && \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_verify_decrypt_atomic \ - != NULL) ? \ - KCF_PROV_DUAL_CIPHER_MAC_OPS(pd)->mac_verify_decrypt_atomic( \ - (pd)->pd_prov_handle, session, mac_mech, mac_key, \ - decr_mech, decr_key, ciphertext, mac, plaintext, \ - mac_ctx_template, decr_ctx_template, req) : \ - CRYPTO_NOT_SUPPORTED) - -/* - * Wrappers for crypto_random_number_ops(9S) entry points. - */ - -#define KCF_PROV_SEED_RANDOM(pd, session, buf, len, est, flags, req) ( \ - (KCF_PROV_RANDOM_OPS(pd) && KCF_PROV_RANDOM_OPS(pd)->seed_random) ? \ - KCF_PROV_RANDOM_OPS(pd)->seed_random((pd)->pd_prov_handle, \ - session, buf, len, est, flags, req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_GENERATE_RANDOM(pd, session, buf, len, req) ( \ - (KCF_PROV_RANDOM_OPS(pd) && \ - KCF_PROV_RANDOM_OPS(pd)->generate_random) ? \ - KCF_PROV_RANDOM_OPS(pd)->generate_random((pd)->pd_prov_handle, \ - session, buf, len, req) : CRYPTO_NOT_SUPPORTED) - -/* - * Wrappers for crypto_session_ops(9S) entry points. - * - * ops_pd is the provider descriptor that supplies the ops_vector. - * pd is the descriptor that supplies the provider handle. - * Only session open/close needs two handles. - */ - -#define KCF_PROV_SESSION_OPEN(ops_pd, session, req, pd) ( \ - (KCF_PROV_SESSION_OPS(ops_pd) && \ - KCF_PROV_SESSION_OPS(ops_pd)->session_open) ? \ - KCF_PROV_SESSION_OPS(ops_pd)->session_open((pd)->pd_prov_handle, \ - session, req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_SESSION_CLOSE(ops_pd, session, req, pd) ( \ - (KCF_PROV_SESSION_OPS(ops_pd) && \ - KCF_PROV_SESSION_OPS(ops_pd)->session_close) ? \ - KCF_PROV_SESSION_OPS(ops_pd)->session_close((pd)->pd_prov_handle, \ - session, req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_SESSION_LOGIN(pd, session, user_type, pin, len, req) ( \ - (KCF_PROV_SESSION_OPS(pd) && \ - KCF_PROV_SESSION_OPS(pd)->session_login) ? \ - KCF_PROV_SESSION_OPS(pd)->session_login((pd)->pd_prov_handle, \ - session, user_type, pin, len, req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_SESSION_LOGOUT(pd, session, req) ( \ - (KCF_PROV_SESSION_OPS(pd) && \ - KCF_PROV_SESSION_OPS(pd)->session_logout) ? \ - KCF_PROV_SESSION_OPS(pd)->session_logout((pd)->pd_prov_handle, \ - session, req) : CRYPTO_NOT_SUPPORTED) - -/* - * Wrappers for crypto_object_ops(9S) entry points. - */ - -#define KCF_PROV_OBJECT_CREATE(pd, session, template, count, object, req) ( \ - (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_create) ? \ - KCF_PROV_OBJECT_OPS(pd)->object_create((pd)->pd_prov_handle, \ - session, template, count, object, req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_OBJECT_COPY(pd, session, object, template, count, \ - new_object, req) ( \ - (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_copy) ? \ - KCF_PROV_OBJECT_OPS(pd)->object_copy((pd)->pd_prov_handle, \ - session, object, template, count, new_object, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_OBJECT_DESTROY(pd, session, object, req) ( \ - (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_destroy) ? \ - KCF_PROV_OBJECT_OPS(pd)->object_destroy((pd)->pd_prov_handle, \ - session, object, req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_OBJECT_GET_SIZE(pd, session, object, size, req) ( \ - (KCF_PROV_OBJECT_OPS(pd) && \ - KCF_PROV_OBJECT_OPS(pd)->object_get_size) ? \ - KCF_PROV_OBJECT_OPS(pd)->object_get_size((pd)->pd_prov_handle, \ - session, object, size, req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_OBJECT_GET_ATTRIBUTE_VALUE(pd, session, object, template, \ - count, req) ( \ - (KCF_PROV_OBJECT_OPS(pd) && \ - KCF_PROV_OBJECT_OPS(pd)->object_get_attribute_value) ? \ - KCF_PROV_OBJECT_OPS(pd)->object_get_attribute_value( \ - (pd)->pd_prov_handle, session, object, template, count, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_OBJECT_SET_ATTRIBUTE_VALUE(pd, session, object, template, \ - count, req) ( \ - (KCF_PROV_OBJECT_OPS(pd) && \ - KCF_PROV_OBJECT_OPS(pd)->object_set_attribute_value) ? \ - KCF_PROV_OBJECT_OPS(pd)->object_set_attribute_value( \ - (pd)->pd_prov_handle, session, object, template, count, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_OBJECT_FIND_INIT(pd, session, template, count, ppriv, \ - req) ( \ - (KCF_PROV_OBJECT_OPS(pd) && \ - KCF_PROV_OBJECT_OPS(pd)->object_find_init) ? \ - KCF_PROV_OBJECT_OPS(pd)->object_find_init((pd)->pd_prov_handle, \ - session, template, count, ppriv, req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_OBJECT_FIND(pd, ppriv, objects, max_objects, object_count, \ - req) ( \ - (KCF_PROV_OBJECT_OPS(pd) && KCF_PROV_OBJECT_OPS(pd)->object_find) ? \ - KCF_PROV_OBJECT_OPS(pd)->object_find( \ - (pd)->pd_prov_handle, ppriv, objects, max_objects, object_count, \ - req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_OBJECT_FIND_FINAL(pd, ppriv, req) ( \ - (KCF_PROV_OBJECT_OPS(pd) && \ - KCF_PROV_OBJECT_OPS(pd)->object_find_final) ? \ - KCF_PROV_OBJECT_OPS(pd)->object_find_final( \ - (pd)->pd_prov_handle, ppriv, req) : CRYPTO_NOT_SUPPORTED) - -/* - * Wrappers for crypto_key_ops(9S) entry points. + * Wrappers for crypto_ctx_ops(9S) entry points. */ -#define KCF_PROV_KEY_GENERATE(pd, session, mech, template, count, object, \ - req) ( \ - (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_generate) ? \ - KCF_PROV_KEY_OPS(pd)->key_generate((pd)->pd_prov_handle, \ - session, mech, template, count, object, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_KEY_GENERATE_PAIR(pd, session, mech, pub_template, \ - pub_count, priv_template, priv_count, pub_key, priv_key, req) ( \ - (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_generate_pair) ? \ - KCF_PROV_KEY_OPS(pd)->key_generate_pair((pd)->pd_prov_handle, \ - session, mech, pub_template, pub_count, priv_template, \ - priv_count, pub_key, priv_key, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_KEY_WRAP(pd, session, mech, wrapping_key, key, wrapped_key, \ - wrapped_key_len, req) ( \ - (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_wrap) ? \ - KCF_PROV_KEY_OPS(pd)->key_wrap((pd)->pd_prov_handle, \ - session, mech, wrapping_key, key, wrapped_key, wrapped_key_len, \ - req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_KEY_UNWRAP(pd, session, mech, unwrapping_key, wrapped_key, \ - wrapped_key_len, template, count, key, req) ( \ - (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_unwrap) ? \ - KCF_PROV_KEY_OPS(pd)->key_unwrap((pd)->pd_prov_handle, \ - session, mech, unwrapping_key, wrapped_key, wrapped_key_len, \ - template, count, key, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_KEY_DERIVE(pd, session, mech, base_key, template, count, \ - key, req) ( \ - (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_derive) ? \ - KCF_PROV_KEY_OPS(pd)->key_derive((pd)->pd_prov_handle, \ - session, mech, base_key, template, count, key, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_KEY_CHECK(pd, mech, key) ( \ - (KCF_PROV_KEY_OPS(pd) && KCF_PROV_KEY_OPS(pd)->key_check) ? \ - KCF_PROV_KEY_OPS(pd)->key_check((pd)->pd_prov_handle, mech, key) : \ +#define KCF_PROV_CREATE_CTX_TEMPLATE(pd, mech, key, template, size, req) ( \ + (KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->create_ctx_template) ? \ + KCF_PROV_CTX_OPS(pd)->create_ctx_template( \ + (pd)->pd_prov_handle, mech, key, template, size, req) : \ CRYPTO_NOT_SUPPORTED) -/* - * Wrappers for crypto_provider_management_ops(9S) entry points. - * - * ops_pd is the provider descriptor that supplies the ops_vector. - * pd is the descriptor that supplies the provider handle. - * Only ext_info needs two handles. - */ - -#define KCF_PROV_EXT_INFO(ops_pd, provext_info, req, pd) ( \ - (KCF_PROV_PROVIDER_OPS(ops_pd) && \ - KCF_PROV_PROVIDER_OPS(ops_pd)->ext_info) ? \ - KCF_PROV_PROVIDER_OPS(ops_pd)->ext_info((pd)->pd_prov_handle, \ - provext_info, req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_INIT_TOKEN(pd, pin, pin_len, label, req) ( \ - (KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->init_token) ? \ - KCF_PROV_PROVIDER_OPS(pd)->init_token((pd)->pd_prov_handle, \ - pin, pin_len, label, req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_INIT_PIN(pd, session, pin, pin_len, req) ( \ - (KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->init_pin) ? \ - KCF_PROV_PROVIDER_OPS(pd)->init_pin((pd)->pd_prov_handle, \ - session, pin, pin_len, req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_SET_PIN(pd, session, old_pin, old_len, new_pin, new_len, \ - req) ( \ - (KCF_PROV_PROVIDER_OPS(pd) && KCF_PROV_PROVIDER_OPS(pd)->set_pin) ? \ - KCF_PROV_PROVIDER_OPS(pd)->set_pin((pd)->pd_prov_handle, \ - session, old_pin, old_len, new_pin, new_len, req) : \ - CRYPTO_NOT_SUPPORTED) - -/* - * Wrappers for crypto_nostore_key_ops(9S) entry points. - */ - -#define KCF_PROV_NOSTORE_KEY_GENERATE(pd, session, mech, template, count, \ - out_template, out_count, req) ( \ - (KCF_PROV_NOSTORE_KEY_OPS(pd) && \ - KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate) ? \ - KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate( \ - (pd)->pd_prov_handle, session, mech, template, count, \ - out_template, out_count, req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_NOSTORE_KEY_GENERATE_PAIR(pd, session, mech, pub_template, \ - pub_count, priv_template, priv_count, out_pub_template, \ - out_pub_count, out_priv_template, out_priv_count, req) ( \ - (KCF_PROV_NOSTORE_KEY_OPS(pd) && \ - KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate_pair) ? \ - KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_generate_pair( \ - (pd)->pd_prov_handle, session, mech, pub_template, pub_count, \ - priv_template, priv_count, out_pub_template, out_pub_count, \ - out_priv_template, out_priv_count, req) : CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_NOSTORE_KEY_DERIVE(pd, session, mech, base_key, template, \ - count, out_template, out_count, req) ( \ - (KCF_PROV_NOSTORE_KEY_OPS(pd) && \ - KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_derive) ? \ - KCF_PROV_NOSTORE_KEY_OPS(pd)->nostore_key_derive( \ - (pd)->pd_prov_handle, session, mech, base_key, template, count, \ - out_template, out_count, req) : CRYPTO_NOT_SUPPORTED) - -/* - * The following routines are exported by the kcf module (/kernel/misc/kcf) - * to the crypto and cryptoadmin modules. - */ +#define KCF_PROV_FREE_CONTEXT(pd, ctx) ( \ + (KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->free_context) ? \ + KCF_PROV_CTX_OPS(pd)->free_context(ctx) : CRYPTO_NOT_SUPPORTED) -/* Digest/mac/cipher entry points that take a provider descriptor and session */ -extern int crypto_digest_single(crypto_context_t, crypto_data_t *, - crypto_data_t *, crypto_call_req_t *); - -extern int crypto_mac_single(crypto_context_t, crypto_data_t *, - crypto_data_t *, crypto_call_req_t *); - -extern int crypto_encrypt_single(crypto_context_t, crypto_data_t *, - crypto_data_t *, crypto_call_req_t *); - -extern int crypto_decrypt_single(crypto_context_t, crypto_data_t *, - crypto_data_t *, crypto_call_req_t *); - - -/* Other private digest/mac/cipher entry points not exported through k-API */ -extern int crypto_digest_key_prov(crypto_context_t, crypto_key_t *, - crypto_call_req_t *); - -/* Private sign entry points exported by KCF */ -extern int crypto_sign_single(crypto_context_t, crypto_data_t *, - crypto_data_t *, crypto_call_req_t *); - -extern int crypto_sign_recover_single(crypto_context_t, crypto_data_t *, - crypto_data_t *, crypto_call_req_t *); - -/* Private verify entry points exported by KCF */ -extern int crypto_verify_single(crypto_context_t, crypto_data_t *, - crypto_data_t *, crypto_call_req_t *); - -extern int crypto_verify_recover_single(crypto_context_t, crypto_data_t *, - crypto_data_t *, crypto_call_req_t *); - -/* Private dual operations entry points exported by KCF */ -extern int crypto_digest_encrypt_update(crypto_context_t, crypto_context_t, - crypto_data_t *, crypto_data_t *, crypto_call_req_t *); -extern int crypto_decrypt_digest_update(crypto_context_t, crypto_context_t, - crypto_data_t *, crypto_data_t *, crypto_call_req_t *); -extern int crypto_sign_encrypt_update(crypto_context_t, crypto_context_t, - crypto_data_t *, crypto_data_t *, crypto_call_req_t *); -extern int crypto_decrypt_verify_update(crypto_context_t, crypto_context_t, - crypto_data_t *, crypto_data_t *, crypto_call_req_t *); - -/* Random Number Generation */ -int crypto_seed_random(crypto_provider_handle_t provider, uchar_t *buf, - size_t len, crypto_call_req_t *req); -int crypto_generate_random(crypto_provider_handle_t provider, uchar_t *buf, - size_t len, crypto_call_req_t *req); - -/* Provider Management */ -int crypto_get_provider_info(crypto_provider_id_t id, - crypto_provider_info_t **info, crypto_call_req_t *req); -int crypto_get_provider_mechanisms(crypto_minor_t *, crypto_provider_id_t id, - uint_t *count, crypto_mech_name_t **list); -int crypto_init_token(crypto_provider_handle_t provider, char *pin, - size_t pin_len, char *label, crypto_call_req_t *); -int crypto_init_pin(crypto_provider_handle_t provider, char *pin, - size_t pin_len, crypto_call_req_t *req); -int crypto_set_pin(crypto_provider_handle_t provider, char *old_pin, - size_t old_len, char *new_pin, size_t new_len, crypto_call_req_t *req); -void crypto_free_provider_list(crypto_provider_entry_t *list, uint_t count); -void crypto_free_provider_info(crypto_provider_info_t *info); - -/* Administrative */ -int crypto_get_dev_list(uint_t *count, crypto_dev_list_entry_t **list); -int crypto_get_soft_list(uint_t *count, char **list, size_t *len); -int crypto_get_dev_info(char *name, uint_t instance, uint_t *count, - crypto_mech_name_t **list); -int crypto_get_soft_info(caddr_t name, uint_t *count, - crypto_mech_name_t **list); -int crypto_load_dev_disabled(char *name, uint_t instance, uint_t count, - crypto_mech_name_t *list); -int crypto_load_soft_disabled(caddr_t name, uint_t count, - crypto_mech_name_t *list); -int crypto_unload_soft_module(caddr_t path); -int crypto_load_soft_config(caddr_t name, uint_t count, - crypto_mech_name_t *list); -int crypto_load_door(uint_t did); -void crypto_free_mech_list(crypto_mech_name_t *list, uint_t count); -void crypto_free_dev_list(crypto_dev_list_entry_t *list, uint_t count); /* Miscellaneous */ -int crypto_get_mechanism_number(caddr_t name, crypto_mech_type_t *number); -int crypto_build_permitted_mech_names(kcf_provider_desc_t *, - crypto_mech_name_t **, uint_t *, int); extern void kcf_destroy_mech_tabs(void); extern void kcf_init_mech_tabs(void); extern int kcf_add_mech_provider(short, kcf_provider_desc_t *, @@ -1262,71 +675,27 @@ extern kcf_provider_desc_t *kcf_alloc_provider_desc( const crypto_provider_info_t *); extern void kcf_provider_zero_refcnt(kcf_provider_desc_t *); extern void kcf_free_provider_desc(kcf_provider_desc_t *); -extern void kcf_soft_config_init(void); -extern int get_sw_provider_for_mech(crypto_mech_name_t, char **); extern crypto_mech_type_t crypto_mech2id_common(const char *, boolean_t); extern void undo_register_provider(kcf_provider_desc_t *, boolean_t); -extern void redo_register_provider(kcf_provider_desc_t *); -extern void kcf_rnd_init(void); -extern boolean_t kcf_rngprov_check(void); -extern int kcf_rnd_get_pseudo_bytes(uint8_t *, size_t); -extern int kcf_rnd_get_bytes(uint8_t *, size_t, boolean_t, boolean_t); -extern int random_add_pseudo_entropy(uint8_t *, size_t, uint_t); -extern void kcf_rnd_schedule_timeout(boolean_t); extern int crypto_uio_data(crypto_data_t *, uchar_t *, int, cmd_type_t, void *, void (*update)(void)); -extern int crypto_mblk_data(crypto_data_t *, uchar_t *, int, cmd_type_t, - void *, void (*update)(void)); extern int crypto_put_output_data(uchar_t *, crypto_data_t *, int); -extern int crypto_get_input_data(crypto_data_t *, uchar_t **, uchar_t *); -extern int crypto_copy_key_to_ctx(crypto_key_t *, crypto_key_t **, size_t *, - int kmflag); -extern int crypto_digest_data(crypto_data_t *, void *, uchar_t *, - void (*update)(void), void (*final)(void), uchar_t); extern int crypto_update_iov(void *, crypto_data_t *, crypto_data_t *, int (*cipher)(void *, caddr_t, size_t, crypto_data_t *), void (*copy_block)(uint8_t *, uint64_t *)); extern int crypto_update_uio(void *, crypto_data_t *, crypto_data_t *, int (*cipher)(void *, caddr_t, size_t, crypto_data_t *), void (*copy_block)(uint8_t *, uint64_t *)); -extern int crypto_update_mp(void *, crypto_data_t *, crypto_data_t *, - int (*cipher)(void *, caddr_t, size_t, crypto_data_t *), - void (*copy_block)(uint8_t *, uint64_t *)); -extern int crypto_get_key_attr(crypto_key_t *, crypto_attr_type_t, uchar_t **, - ssize_t *); /* Access to the provider's table */ extern void kcf_prov_tab_destroy(void); extern void kcf_prov_tab_init(void); extern int kcf_prov_tab_add_provider(kcf_provider_desc_t *); extern int kcf_prov_tab_rem_provider(crypto_provider_id_t); -extern kcf_provider_desc_t *kcf_prov_tab_lookup_by_name(char *); -extern kcf_provider_desc_t *kcf_prov_tab_lookup_by_dev(char *, uint_t); -extern int kcf_get_hw_prov_tab(uint_t *, kcf_provider_desc_t ***, int, - char *, uint_t, boolean_t); -extern int kcf_get_slot_list(uint_t *, kcf_provider_desc_t ***, boolean_t); -extern void kcf_free_provider_tab(uint_t, kcf_provider_desc_t **); extern kcf_provider_desc_t *kcf_prov_tab_lookup(crypto_provider_id_t); extern int kcf_get_sw_prov(crypto_mech_type_t, kcf_provider_desc_t **, kcf_mech_entry_t **, boolean_t); -/* Access to the policy table */ -extern boolean_t is_mech_disabled(kcf_provider_desc_t *, crypto_mech_name_t); -extern boolean_t is_mech_disabled_byname(crypto_provider_type_t, char *, - uint_t, crypto_mech_name_t); -extern void kcf_policy_tab_init(void); -extern void kcf_policy_free_desc(kcf_policy_desc_t *); -extern void kcf_policy_remove_by_name(char *, uint_t *, crypto_mech_name_t **); -extern void kcf_policy_remove_by_dev(char *, uint_t, uint_t *, - crypto_mech_name_t **); -extern kcf_policy_desc_t *kcf_policy_lookup_by_name(char *); -extern kcf_policy_desc_t *kcf_policy_lookup_by_dev(char *, uint_t); -extern int kcf_policy_load_soft_disabled(char *, uint_t, crypto_mech_name_t *, - uint_t *, crypto_mech_name_t **); -extern int kcf_policy_load_dev_disabled(char *, uint_t, uint_t, - crypto_mech_name_t *, uint_t *, crypto_mech_name_t **); -extern boolean_t in_soft_config_list(char *); - #ifdef __cplusplus } diff --git a/module/icp/include/sys/crypto/ops_impl.h b/module/icp/include/sys/crypto/ops_impl.h index 230d74b063fc..9300e53bc5e8 100644 --- a/module/icp/include/sys/crypto/ops_impl.h +++ b/module/icp/include/sys/crypto/ops_impl.h @@ -87,141 +87,6 @@ typedef struct kcf_decrypt_ops_params { crypto_spi_ctx_template_t dop_templ; } kcf_decrypt_ops_params_t; -typedef struct kcf_sign_ops_params { - crypto_session_id_t so_sid; - crypto_mech_type_t so_framework_mechtype; - crypto_mechanism_t so_mech; - crypto_key_t *so_key; - crypto_data_t *so_data; - crypto_data_t *so_signature; - crypto_spi_ctx_template_t so_templ; -} kcf_sign_ops_params_t; - -typedef struct kcf_verify_ops_params { - crypto_session_id_t vo_sid; - crypto_mech_type_t vo_framework_mechtype; - crypto_mechanism_t vo_mech; - crypto_key_t *vo_key; - crypto_data_t *vo_data; - crypto_data_t *vo_signature; - crypto_spi_ctx_template_t vo_templ; -} kcf_verify_ops_params_t; - -typedef struct kcf_encrypt_mac_ops_params { - crypto_session_id_t em_sid; - crypto_mech_type_t em_framework_encr_mechtype; - crypto_mechanism_t em_encr_mech; - crypto_key_t *em_encr_key; - crypto_mech_type_t em_framework_mac_mechtype; - crypto_mechanism_t em_mac_mech; - crypto_key_t *em_mac_key; - crypto_data_t *em_plaintext; - crypto_dual_data_t *em_ciphertext; - crypto_data_t *em_mac; - crypto_spi_ctx_template_t em_encr_templ; - crypto_spi_ctx_template_t em_mac_templ; -} kcf_encrypt_mac_ops_params_t; - -typedef struct kcf_mac_decrypt_ops_params { - crypto_session_id_t md_sid; - crypto_mech_type_t md_framework_mac_mechtype; - crypto_mechanism_t md_mac_mech; - crypto_key_t *md_mac_key; - crypto_mech_type_t md_framework_decr_mechtype; - crypto_mechanism_t md_decr_mech; - crypto_key_t *md_decr_key; - crypto_dual_data_t *md_ciphertext; - crypto_data_t *md_mac; - crypto_data_t *md_plaintext; - crypto_spi_ctx_template_t md_mac_templ; - crypto_spi_ctx_template_t md_decr_templ; -} kcf_mac_decrypt_ops_params_t; - -typedef struct kcf_random_number_ops_params { - crypto_session_id_t rn_sid; - uchar_t *rn_buf; - size_t rn_buflen; - uint_t rn_entropy_est; - uint32_t rn_flags; -} kcf_random_number_ops_params_t; - -/* - * so_pd is useful when the provider descriptor (pd) supplying the - * provider handle is different from the pd supplying the ops vector. - * This is the case for session open/close where so_pd can be the pd - * of a logical provider. The pd supplying the ops vector is passed - * as an argument to kcf_submit_request(). - */ -typedef struct kcf_session_ops_params { - crypto_session_id_t *so_sid_ptr; - crypto_session_id_t so_sid; - crypto_user_type_t so_user_type; - char *so_pin; - size_t so_pin_len; - kcf_provider_desc_t *so_pd; -} kcf_session_ops_params_t; - -typedef struct kcf_object_ops_params { - crypto_session_id_t oo_sid; - crypto_object_id_t oo_object_id; - crypto_object_attribute_t *oo_template; - uint_t oo_attribute_count; - crypto_object_id_t *oo_object_id_ptr; - size_t *oo_object_size; - void **oo_find_init_pp_ptr; - void *oo_find_pp; - uint_t oo_max_object_count; - uint_t *oo_object_count_ptr; -} kcf_object_ops_params_t; - -/* - * ko_key is used to encode wrapping key in key_wrap() and - * unwrapping key in key_unwrap(). ko_key_template and - * ko_key_attribute_count are used to encode public template - * and public template attr count in key_generate_pair(). - * kops->ko_key_object_id_ptr is used to encode public key - * in key_generate_pair(). - */ -typedef struct kcf_key_ops_params { - crypto_session_id_t ko_sid; - crypto_mech_type_t ko_framework_mechtype; - crypto_mechanism_t ko_mech; - crypto_object_attribute_t *ko_key_template; - uint_t ko_key_attribute_count; - crypto_object_id_t *ko_key_object_id_ptr; - crypto_object_attribute_t *ko_private_key_template; - uint_t ko_private_key_attribute_count; - crypto_object_id_t *ko_private_key_object_id_ptr; - crypto_key_t *ko_key; - uchar_t *ko_wrapped_key; - size_t *ko_wrapped_key_len_ptr; - crypto_object_attribute_t *ko_out_template1; - crypto_object_attribute_t *ko_out_template2; - uint_t ko_out_attribute_count1; - uint_t ko_out_attribute_count2; -} kcf_key_ops_params_t; - -/* - * po_pin and po_pin_len are used to encode new_pin and new_pin_len - * when wrapping set_pin() function parameters. - * - * po_pd is useful when the provider descriptor (pd) supplying the - * provider handle is different from the pd supplying the ops vector. - * This is true for the ext_info provider entry point where po_pd - * can be the pd of a logical provider. The pd supplying the ops vector - * is passed as an argument to kcf_submit_request(). - */ -typedef struct kcf_provmgmt_ops_params { - crypto_session_id_t po_sid; - char *po_pin; - size_t po_pin_len; - char *po_old_pin; - size_t po_old_pin_len; - char *po_label; - crypto_provider_ext_info_t *po_ext_info; - kcf_provider_desc_t *po_pd; -} kcf_provmgmt_ops_params_t; - /* * The operation type within a function group. */ @@ -241,51 +106,6 @@ typedef enum kcf_op_type { /* mac/cipher specific op */ KCF_OP_MAC_VERIFY_DECRYPT_ATOMIC, - - /* sign_recover ops */ - KCF_OP_SIGN_RECOVER_INIT, - KCF_OP_SIGN_RECOVER, - KCF_OP_SIGN_RECOVER_ATOMIC, - - /* verify_recover ops */ - KCF_OP_VERIFY_RECOVER_INIT, - KCF_OP_VERIFY_RECOVER, - KCF_OP_VERIFY_RECOVER_ATOMIC, - - /* random number ops */ - KCF_OP_RANDOM_SEED, - KCF_OP_RANDOM_GENERATE, - - /* session management ops */ - KCF_OP_SESSION_OPEN, - KCF_OP_SESSION_CLOSE, - KCF_OP_SESSION_LOGIN, - KCF_OP_SESSION_LOGOUT, - - /* object management ops */ - KCF_OP_OBJECT_CREATE, - KCF_OP_OBJECT_COPY, - KCF_OP_OBJECT_DESTROY, - KCF_OP_OBJECT_GET_SIZE, - KCF_OP_OBJECT_GET_ATTRIBUTE_VALUE, - KCF_OP_OBJECT_SET_ATTRIBUTE_VALUE, - KCF_OP_OBJECT_FIND_INIT, - KCF_OP_OBJECT_FIND, - KCF_OP_OBJECT_FIND_FINAL, - - /* key management ops */ - KCF_OP_KEY_GENERATE, - KCF_OP_KEY_GENERATE_PAIR, - KCF_OP_KEY_WRAP, - KCF_OP_KEY_UNWRAP, - KCF_OP_KEY_DERIVE, - KCF_OP_KEY_CHECK, - - /* provider management ops */ - KCF_OP_MGMT_EXTINFO, - KCF_OP_MGMT_INITTOKEN, - KCF_OP_MGMT_INITPIN, - KCF_OP_MGMT_SETPIN } kcf_op_type_t; /* @@ -302,16 +122,6 @@ typedef enum kcf_op_group { KCF_OG_MAC, KCF_OG_ENCRYPT, KCF_OG_DECRYPT, - KCF_OG_SIGN, - KCF_OG_VERIFY, - KCF_OG_ENCRYPT_MAC, - KCF_OG_MAC_DECRYPT, - KCF_OG_RANDOM, - KCF_OG_SESSION, - KCF_OG_OBJECT, - KCF_OG_KEY, - KCF_OG_PROVMGMT, - KCF_OG_NOSTORE_KEY } kcf_op_group_t; /* @@ -323,10 +133,7 @@ typedef enum kcf_op_group { #define IS_UPDATE_OP(ftype) ((ftype) == KCF_OP_UPDATE) #define IS_FINAL_OP(ftype) ((ftype) == KCF_OP_FINAL) #define IS_ATOMIC_OP(ftype) ( \ - (ftype) == KCF_OP_ATOMIC || (ftype) == KCF_OP_MAC_VERIFY_ATOMIC || \ - (ftype) == KCF_OP_MAC_VERIFY_DECRYPT_ATOMIC || \ - (ftype) == KCF_OP_SIGN_RECOVER_ATOMIC || \ - (ftype) == KCF_OP_VERIFY_RECOVER_ATOMIC) + (ftype) == KCF_OP_ATOMIC || (ftype) == KCF_OP_MAC_VERIFY_ATOMIC) /* * Keep the parameters associated with a request around. @@ -341,15 +148,6 @@ typedef struct kcf_req_params { kcf_mac_ops_params_t mac_params; kcf_encrypt_ops_params_t encrypt_params; kcf_decrypt_ops_params_t decrypt_params; - kcf_sign_ops_params_t sign_params; - kcf_verify_ops_params_t verify_params; - kcf_encrypt_mac_ops_params_t encrypt_mac_params; - kcf_mac_decrypt_ops_params_t mac_decrypt_params; - kcf_random_number_ops_params_t random_number_params; - kcf_session_ops_params_t session_params; - kcf_object_ops_params_t object_params; - kcf_key_ops_params_t key_params; - kcf_provmgmt_ops_params_t provmgmt_params; } rp_u; } kcf_req_params_t; @@ -434,191 +232,6 @@ typedef struct kcf_req_params { cops->dop_templ = _templ; \ } -#define KCF_WRAP_SIGN_OPS_PARAMS(req, ftype, _sid, _mech, _key, \ - _data, _signature, _templ) { \ - kcf_sign_ops_params_t *sops = &(req)->rp_u.sign_params; \ - crypto_mechanism_t *mechp = _mech; \ - \ - (req)->rp_opgrp = KCF_OG_SIGN; \ - (req)->rp_optype = ftype; \ - sops->so_sid = _sid; \ - if (mechp != NULL) { \ - sops->so_mech = *mechp; \ - sops->so_framework_mechtype = mechp->cm_type; \ - } \ - sops->so_key = _key; \ - sops->so_data = _data; \ - sops->so_signature = _signature; \ - sops->so_templ = _templ; \ -} - -#define KCF_WRAP_VERIFY_OPS_PARAMS(req, ftype, _sid, _mech, _key, \ - _data, _signature, _templ) { \ - kcf_verify_ops_params_t *vops = &(req)->rp_u.verify_params; \ - crypto_mechanism_t *mechp = _mech; \ - \ - (req)->rp_opgrp = KCF_OG_VERIFY; \ - (req)->rp_optype = ftype; \ - vops->vo_sid = _sid; \ - if (mechp != NULL) { \ - vops->vo_mech = *mechp; \ - vops->vo_framework_mechtype = mechp->cm_type; \ - } \ - vops->vo_key = _key; \ - vops->vo_data = _data; \ - vops->vo_signature = _signature; \ - vops->vo_templ = _templ; \ -} - -#define KCF_WRAP_ENCRYPT_MAC_OPS_PARAMS(req, ftype, _sid, _encr_key, \ - _mac_key, _plaintext, _ciphertext, _mac, _encr_templ, _mac_templ) { \ - kcf_encrypt_mac_ops_params_t *cmops = &(req)->rp_u.encrypt_mac_params; \ - \ - (req)->rp_opgrp = KCF_OG_ENCRYPT_MAC; \ - (req)->rp_optype = ftype; \ - cmops->em_sid = _sid; \ - cmops->em_encr_key = _encr_key; \ - cmops->em_mac_key = _mac_key; \ - cmops->em_plaintext = _plaintext; \ - cmops->em_ciphertext = _ciphertext; \ - cmops->em_mac = _mac; \ - cmops->em_encr_templ = _encr_templ; \ - cmops->em_mac_templ = _mac_templ; \ -} - -#define KCF_WRAP_MAC_DECRYPT_OPS_PARAMS(req, ftype, _sid, _mac_key, \ - _decr_key, _ciphertext, _mac, _plaintext, _mac_templ, _decr_templ) { \ - kcf_mac_decrypt_ops_params_t *cmops = &(req)->rp_u.mac_decrypt_params; \ - \ - (req)->rp_opgrp = KCF_OG_MAC_DECRYPT; \ - (req)->rp_optype = ftype; \ - cmops->md_sid = _sid; \ - cmops->md_mac_key = _mac_key; \ - cmops->md_decr_key = _decr_key; \ - cmops->md_ciphertext = _ciphertext; \ - cmops->md_mac = _mac; \ - cmops->md_plaintext = _plaintext; \ - cmops->md_mac_templ = _mac_templ; \ - cmops->md_decr_templ = _decr_templ; \ -} - -#define KCF_WRAP_RANDOM_OPS_PARAMS(req, ftype, _sid, _buf, _buflen, \ - _est, _flags) { \ - kcf_random_number_ops_params_t *rops = \ - &(req)->rp_u.random_number_params; \ - \ - (req)->rp_opgrp = KCF_OG_RANDOM; \ - (req)->rp_optype = ftype; \ - rops->rn_sid = _sid; \ - rops->rn_buf = _buf; \ - rops->rn_buflen = _buflen; \ - rops->rn_entropy_est = _est; \ - rops->rn_flags = _flags; \ -} - -#define KCF_WRAP_SESSION_OPS_PARAMS(req, ftype, _sid_ptr, _sid, \ - _user_type, _pin, _pin_len, _pd) { \ - kcf_session_ops_params_t *sops = &(req)->rp_u.session_params; \ - \ - (req)->rp_opgrp = KCF_OG_SESSION; \ - (req)->rp_optype = ftype; \ - sops->so_sid_ptr = _sid_ptr; \ - sops->so_sid = _sid; \ - sops->so_user_type = _user_type; \ - sops->so_pin = _pin; \ - sops->so_pin_len = _pin_len; \ - sops->so_pd = _pd; \ -} - -#define KCF_WRAP_OBJECT_OPS_PARAMS(req, ftype, _sid, _object_id, \ - _template, _attribute_count, _object_id_ptr, _object_size, \ - _find_init_pp_ptr, _find_pp, _max_object_count, _object_count_ptr) { \ - kcf_object_ops_params_t *jops = &(req)->rp_u.object_params; \ - \ - (req)->rp_opgrp = KCF_OG_OBJECT; \ - (req)->rp_optype = ftype; \ - jops->oo_sid = _sid; \ - jops->oo_object_id = _object_id; \ - jops->oo_template = _template; \ - jops->oo_attribute_count = _attribute_count; \ - jops->oo_object_id_ptr = _object_id_ptr; \ - jops->oo_object_size = _object_size; \ - jops->oo_find_init_pp_ptr = _find_init_pp_ptr; \ - jops->oo_find_pp = _find_pp; \ - jops->oo_max_object_count = _max_object_count; \ - jops->oo_object_count_ptr = _object_count_ptr; \ -} - -#define KCF_WRAP_KEY_OPS_PARAMS(req, ftype, _sid, _mech, _key_template, \ - _key_attribute_count, _key_object_id_ptr, _private_key_template, \ - _private_key_attribute_count, _private_key_object_id_ptr, \ - _key, _wrapped_key, _wrapped_key_len_ptr) { \ - kcf_key_ops_params_t *kops = &(req)->rp_u.key_params; \ - crypto_mechanism_t *mechp = _mech; \ - \ - (req)->rp_opgrp = KCF_OG_KEY; \ - (req)->rp_optype = ftype; \ - kops->ko_sid = _sid; \ - if (mechp != NULL) { \ - kops->ko_mech = *mechp; \ - kops->ko_framework_mechtype = mechp->cm_type; \ - } \ - kops->ko_key_template = _key_template; \ - kops->ko_key_attribute_count = _key_attribute_count; \ - kops->ko_key_object_id_ptr = _key_object_id_ptr; \ - kops->ko_private_key_template = _private_key_template; \ - kops->ko_private_key_attribute_count = _private_key_attribute_count; \ - kops->ko_private_key_object_id_ptr = _private_key_object_id_ptr; \ - kops->ko_key = _key; \ - kops->ko_wrapped_key = _wrapped_key; \ - kops->ko_wrapped_key_len_ptr = _wrapped_key_len_ptr; \ -} - -#define KCF_WRAP_PROVMGMT_OPS_PARAMS(req, ftype, _sid, _old_pin, \ - _old_pin_len, _pin, _pin_len, _label, _ext_info, _pd) { \ - kcf_provmgmt_ops_params_t *pops = &(req)->rp_u.provmgmt_params; \ - \ - (req)->rp_opgrp = KCF_OG_PROVMGMT; \ - (req)->rp_optype = ftype; \ - pops->po_sid = _sid; \ - pops->po_pin = _pin; \ - pops->po_pin_len = _pin_len; \ - pops->po_old_pin = _old_pin; \ - pops->po_old_pin_len = _old_pin_len; \ - pops->po_label = _label; \ - pops->po_ext_info = _ext_info; \ - pops->po_pd = _pd; \ -} - -#define KCF_WRAP_NOSTORE_KEY_OPS_PARAMS(req, ftype, _sid, _mech, \ - _key_template, _key_attribute_count, _private_key_template, \ - _private_key_attribute_count, _key, _out_template1, \ - _out_attribute_count1, _out_template2, _out_attribute_count2) { \ - kcf_key_ops_params_t *kops = &(req)->rp_u.key_params; \ - crypto_mechanism_t *mechp = _mech; \ - \ - (req)->rp_opgrp = KCF_OG_NOSTORE_KEY; \ - (req)->rp_optype = ftype; \ - kops->ko_sid = _sid; \ - if (mechp != NULL) { \ - kops->ko_mech = *mechp; \ - kops->ko_framework_mechtype = mechp->cm_type; \ - } \ - kops->ko_key_template = _key_template; \ - kops->ko_key_attribute_count = _key_attribute_count; \ - kops->ko_key_object_id_ptr = NULL; \ - kops->ko_private_key_template = _private_key_template; \ - kops->ko_private_key_attribute_count = _private_key_attribute_count; \ - kops->ko_private_key_object_id_ptr = NULL; \ - kops->ko_key = _key; \ - kops->ko_wrapped_key = NULL; \ - kops->ko_wrapped_key_len_ptr = 0; \ - kops->ko_out_template1 = _out_template1; \ - kops->ko_out_template2 = _out_template2; \ - kops->ko_out_attribute_count1 = _out_attribute_count1; \ - kops->ko_out_attribute_count2 = _out_attribute_count2; \ -} - #define KCF_SET_PROVIDER_MECHNUM(fmtype, pd, mechp) \ (mechp)->cm_type = \ KCF_TO_PROV_MECHNUM(pd, fmtype); diff --git a/module/icp/include/sys/crypto/sched_impl.h b/module/icp/include/sys/crypto/sched_impl.h index 29ef8021f0fc..a5357dce35f3 100644 --- a/module/icp/include/sys/crypto/sched_impl.h +++ b/module/icp/include/sys/crypto/sched_impl.h @@ -87,13 +87,6 @@ extern ulong_t kcf_swprov_hndl; #define REQHNDL2_KMFLAG(rhndl) \ ((rhndl == &kcf_swprov_hndl) ? KM_NOSLEEP : KM_SLEEP) -/* Internal call_req flags. They start after the public ones in api.h */ - -#define CRYPTO_SETDUAL 0x00001000 /* Set the 'cont' boolean before */ - /* submitting the request */ -#define KCF_ISDUALREQ(crq) \ - (((crq) == NULL) ? B_FALSE : (crq->cr_flag & CRYPTO_SETDUAL)) - typedef struct kcf_prov_tried { kcf_provider_desc_t *pt_pd; struct kcf_prov_tried *pt_next; @@ -182,7 +175,6 @@ typedef struct kcf_areq_node { kcondvar_t an_turn_cv; boolean_t an_is_my_turn; - boolean_t an_isdual; /* for internal reuse */ /* * Next and previous nodes in the global software @@ -219,15 +211,6 @@ typedef struct kcf_areq_node { #define NOTIFY_CLIENT(areq, err) (*(areq)->an_reqarg.cr_callback_func)(\ (areq)->an_reqarg.cr_callback_arg, err); -/* For internally generated call requests for dual operations */ -typedef struct kcf_call_req { - crypto_call_req_t kr_callreq; /* external client call req */ - kcf_req_params_t kr_params; /* Params saved for next call */ - kcf_areq_node_t *kr_areq; /* Use this areq */ - off_t kr_saveoffset; - size_t kr_savelen; -} kcf_dual_req_t; - /* * The following are some what similar to macros in callo.h, which implement * callout tables. @@ -488,14 +471,10 @@ extern kcf_prov_tried_t *kcf_insert_triedlist(kcf_prov_tried_t **, extern kcf_provider_desc_t *kcf_get_mech_provider(crypto_mech_type_t, kcf_mech_entry_t **, int *, kcf_prov_tried_t *, crypto_func_group_t, boolean_t, size_t); -extern kcf_provider_desc_t *kcf_get_dual_provider(crypto_mechanism_t *, - crypto_mechanism_t *, kcf_mech_entry_t **, crypto_mech_type_t *, - crypto_mech_type_t *, int *, kcf_prov_tried_t *, - crypto_func_group_t, crypto_func_group_t, boolean_t, size_t); extern crypto_ctx_t *kcf_new_ctx(crypto_call_req_t *, kcf_provider_desc_t *, crypto_session_id_t); extern int kcf_submit_request(kcf_provider_desc_t *, crypto_ctx_t *, - crypto_call_req_t *, kcf_req_params_t *, boolean_t); + crypto_call_req_t *, kcf_req_params_t *); extern void kcf_sched_destroy(void); extern void kcf_sched_init(void); extern void kcf_sched_start(void); @@ -517,10 +496,6 @@ extern void crypto_bufcall_service(void); extern void kcf_walk_ntfylist(uint32_t, void *); extern void kcf_do_notify(kcf_provider_desc_t *, boolean_t); -extern kcf_dual_req_t *kcf_alloc_req(crypto_call_req_t *); -extern void kcf_next_req(void *, int); -extern void kcf_last_req(void *, int); - #ifdef __cplusplus } #endif diff --git a/module/icp/include/sys/crypto/spi.h b/module/icp/include/sys/crypto/spi.h index 7e265d3a903c..2993caa4fbcb 100644 --- a/module/icp/include/sys/crypto/spi.h +++ b/module/icp/include/sys/crypto/spi.h @@ -94,44 +94,6 @@ typedef struct crypto_ctx { void *cc_opstate; /* state */ } crypto_ctx_t; -/* - * Extended provider information. - */ - -/* - * valid values for ei_flags field of extended info structure - * They match the RSA Security, Inc PKCS#11 tokenInfo flags. - */ -#define CRYPTO_EXTF_RNG 0x00000001 -#define CRYPTO_EXTF_WRITE_PROTECTED 0x00000002 -#define CRYPTO_EXTF_LOGIN_REQUIRED 0x00000004 -#define CRYPTO_EXTF_USER_PIN_INITIALIZED 0x00000008 -#define CRYPTO_EXTF_CLOCK_ON_TOKEN 0x00000040 -#define CRYPTO_EXTF_PROTECTED_AUTHENTICATION_PATH 0x00000100 -#define CRYPTO_EXTF_DUAL_CRYPTO_OPERATIONS 0x00000200 -#define CRYPTO_EXTF_TOKEN_INITIALIZED 0x00000400 -#define CRYPTO_EXTF_USER_PIN_COUNT_LOW 0x00010000 -#define CRYPTO_EXTF_USER_PIN_FINAL_TRY 0x00020000 -#define CRYPTO_EXTF_USER_PIN_LOCKED 0x00040000 -#define CRYPTO_EXTF_USER_PIN_TO_BE_CHANGED 0x00080000 -#define CRYPTO_EXTF_SO_PIN_COUNT_LOW 0x00100000 -#define CRYPTO_EXTF_SO_PIN_FINAL_TRY 0x00200000 -#define CRYPTO_EXTF_SO_PIN_LOCKED 0x00400000 -#define CRYPTO_EXTF_SO_PIN_TO_BE_CHANGED 0x00800000 - -/* - * The crypto_ctx_ops structure contains points to context and context - * templates management operations for cryptographic providers. It is - * passed through the crypto_ops(9S) structure when providers register - * with the kernel using crypto_register_provider(9F). - */ -typedef struct crypto_ctx_ops { - int (*create_ctx_template)(crypto_provider_handle_t, - crypto_mechanism_t *, crypto_key_t *, - crypto_spi_ctx_template_t *, size_t *, crypto_req_handle_t); - int (*free_context)(crypto_ctx_t *); -} __no_const crypto_ctx_ops_t; - /* * The crypto_digest_ops structure contains pointers to digest * operations for cryptographic providers. It is passed through @@ -214,271 +176,17 @@ typedef struct crypto_mac_ops { } __no_const crypto_mac_ops_t; /* - * The crypto_sign_ops structure contains pointers to signing - * operations for cryptographic providers. It is passed through - * the crypto_ops(9S) structure when providers register with the - * kernel using crypto_register_provider(9F). - */ -typedef struct crypto_sign_ops { - int (*sign_init)(crypto_ctx_t *, - crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t, - crypto_req_handle_t); - int (*sign)(crypto_ctx_t *, - crypto_data_t *, crypto_data_t *, crypto_req_handle_t); - int (*sign_update)(crypto_ctx_t *, - crypto_data_t *, crypto_req_handle_t); - int (*sign_final)(crypto_ctx_t *, - crypto_data_t *, crypto_req_handle_t); - int (*sign_atomic)(crypto_provider_handle_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t, - crypto_req_handle_t); - int (*sign_recover_init)(crypto_ctx_t *, crypto_mechanism_t *, - crypto_key_t *, crypto_spi_ctx_template_t, - crypto_req_handle_t); - int (*sign_recover)(crypto_ctx_t *, - crypto_data_t *, crypto_data_t *, crypto_req_handle_t); - int (*sign_recover_atomic)(crypto_provider_handle_t, - crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, - crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, - crypto_req_handle_t); -} __no_const crypto_sign_ops_t; - -/* - * The crypto_verify_ops structure contains pointers to verify - * operations for cryptographic providers. It is passed through - * the crypto_ops(9S) structure when providers register with the - * kernel using crypto_register_provider(9F). - */ -typedef struct crypto_verify_ops { - int (*verify_init)(crypto_ctx_t *, - crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t, - crypto_req_handle_t); - int (*do_verify)(crypto_ctx_t *, - crypto_data_t *, crypto_data_t *, crypto_req_handle_t); - int (*verify_update)(crypto_ctx_t *, - crypto_data_t *, crypto_req_handle_t); - int (*verify_final)(crypto_ctx_t *, - crypto_data_t *, crypto_req_handle_t); - int (*verify_atomic)(crypto_provider_handle_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t, - crypto_req_handle_t); - int (*verify_recover_init)(crypto_ctx_t *, crypto_mechanism_t *, - crypto_key_t *, crypto_spi_ctx_template_t, - crypto_req_handle_t); - int (*verify_recover)(crypto_ctx_t *, - crypto_data_t *, crypto_data_t *, crypto_req_handle_t); - int (*verify_recover_atomic)(crypto_provider_handle_t, - crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, - crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, - crypto_req_handle_t); -} __no_const crypto_verify_ops_t; - -/* - * The crypto_dual_ops structure contains pointers to dual - * cipher and sign/verify operations for cryptographic providers. - * It is passed through the crypto_ops(9S) structure when - * providers register with the kernel using - * crypto_register_provider(9F). - */ -typedef struct crypto_dual_ops { - int (*digest_encrypt_update)( - crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *, - crypto_data_t *, crypto_req_handle_t); - int (*decrypt_digest_update)( - crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *, - crypto_data_t *, crypto_req_handle_t); - int (*sign_encrypt_update)( - crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *, - crypto_data_t *, crypto_req_handle_t); - int (*decrypt_verify_update)( - crypto_ctx_t *, crypto_ctx_t *, crypto_data_t *, - crypto_data_t *, crypto_req_handle_t); -} __no_const crypto_dual_ops_t; - -/* - * The crypto_dual_cipher_mac_ops structure contains pointers to dual - * cipher and MAC operations for cryptographic providers. - * It is passed through the crypto_ops(9S) structure when - * providers register with the kernel using - * crypto_register_provider(9F). - */ -typedef struct crypto_dual_cipher_mac_ops { - int (*encrypt_mac_init)(crypto_ctx_t *, - crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *, - crypto_key_t *, crypto_spi_ctx_template_t, - crypto_spi_ctx_template_t, crypto_req_handle_t); - int (*encrypt_mac)(crypto_ctx_t *, - crypto_data_t *, crypto_dual_data_t *, crypto_data_t *, - crypto_req_handle_t); - int (*encrypt_mac_update)(crypto_ctx_t *, - crypto_data_t *, crypto_dual_data_t *, crypto_req_handle_t); - int (*encrypt_mac_final)(crypto_ctx_t *, - crypto_dual_data_t *, crypto_data_t *, crypto_req_handle_t); - int (*encrypt_mac_atomic)(crypto_provider_handle_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *, - crypto_key_t *, crypto_data_t *, crypto_dual_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t, - crypto_spi_ctx_template_t, crypto_req_handle_t); - - int (*mac_decrypt_init)(crypto_ctx_t *, - crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *, - crypto_key_t *, crypto_spi_ctx_template_t, - crypto_spi_ctx_template_t, crypto_req_handle_t); - int (*mac_decrypt)(crypto_ctx_t *, - crypto_dual_data_t *, crypto_data_t *, crypto_data_t *, - crypto_req_handle_t); - int (*mac_decrypt_update)(crypto_ctx_t *, - crypto_dual_data_t *, crypto_data_t *, crypto_req_handle_t); - int (*mac_decrypt_final)(crypto_ctx_t *, - crypto_data_t *, crypto_data_t *, crypto_req_handle_t); - int (*mac_decrypt_atomic)(crypto_provider_handle_t, - crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, - crypto_mechanism_t *, crypto_key_t *, crypto_dual_data_t *, - crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, - crypto_spi_ctx_template_t, crypto_req_handle_t); - int (*mac_verify_decrypt_atomic)(crypto_provider_handle_t, - crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, - crypto_mechanism_t *, crypto_key_t *, crypto_dual_data_t *, - crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, - crypto_spi_ctx_template_t, crypto_req_handle_t); -} __no_const crypto_dual_cipher_mac_ops_t; - -/* - * The crypto_random_number_ops structure contains pointers to random - * number operations for cryptographic providers. It is passed through - * the crypto_ops(9S) structure when providers register with the - * kernel using crypto_register_provider(9F). - */ -typedef struct crypto_random_number_ops { - int (*seed_random)(crypto_provider_handle_t, crypto_session_id_t, - uchar_t *, size_t, uint_t, uint32_t, crypto_req_handle_t); - int (*generate_random)(crypto_provider_handle_t, crypto_session_id_t, - uchar_t *, size_t, crypto_req_handle_t); -} __no_const crypto_random_number_ops_t; - -/* - * Flag values for seed_random. - */ -#define CRYPTO_SEED_NOW 0x00000001 - -/* - * The crypto_session_ops structure contains pointers to session - * operations for cryptographic providers. It is passed through - * the crypto_ops(9S) structure when providers register with the - * kernel using crypto_register_provider(9F). - */ -typedef struct crypto_session_ops { - int (*session_open)(crypto_provider_handle_t, crypto_session_id_t *, - crypto_req_handle_t); - int (*session_close)(crypto_provider_handle_t, crypto_session_id_t, - crypto_req_handle_t); - int (*session_login)(crypto_provider_handle_t, crypto_session_id_t, - crypto_user_type_t, char *, size_t, crypto_req_handle_t); - int (*session_logout)(crypto_provider_handle_t, crypto_session_id_t, - crypto_req_handle_t); -} __no_const crypto_session_ops_t; - -/* - * The crypto_object_ops structure contains pointers to object - * operations for cryptographic providers. It is passed through - * the crypto_ops(9S) structure when providers register with the - * kernel using crypto_register_provider(9F). - */ -typedef struct crypto_object_ops { - int (*object_create)(crypto_provider_handle_t, crypto_session_id_t, - crypto_object_attribute_t *, uint_t, crypto_object_id_t *, - crypto_req_handle_t); - int (*object_copy)(crypto_provider_handle_t, crypto_session_id_t, - crypto_object_id_t, crypto_object_attribute_t *, uint_t, - crypto_object_id_t *, crypto_req_handle_t); - int (*object_destroy)(crypto_provider_handle_t, crypto_session_id_t, - crypto_object_id_t, crypto_req_handle_t); - int (*object_get_size)(crypto_provider_handle_t, crypto_session_id_t, - crypto_object_id_t, size_t *, crypto_req_handle_t); - int (*object_get_attribute_value)(crypto_provider_handle_t, - crypto_session_id_t, crypto_object_id_t, - crypto_object_attribute_t *, uint_t, crypto_req_handle_t); - int (*object_set_attribute_value)(crypto_provider_handle_t, - crypto_session_id_t, crypto_object_id_t, - crypto_object_attribute_t *, uint_t, crypto_req_handle_t); - int (*object_find_init)(crypto_provider_handle_t, crypto_session_id_t, - crypto_object_attribute_t *, uint_t, void **, - crypto_req_handle_t); - int (*object_find)(crypto_provider_handle_t, void *, - crypto_object_id_t *, uint_t, uint_t *, crypto_req_handle_t); - int (*object_find_final)(crypto_provider_handle_t, void *, - crypto_req_handle_t); -} __no_const crypto_object_ops_t; - -/* - * The crypto_key_ops structure contains pointers to key - * operations for cryptographic providers. It is passed through - * the crypto_ops(9S) structure when providers register with the - * kernel using crypto_register_provider(9F). - */ -typedef struct crypto_key_ops { - int (*key_generate)(crypto_provider_handle_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_object_attribute_t *, uint_t, - crypto_object_id_t *, crypto_req_handle_t); - int (*key_generate_pair)(crypto_provider_handle_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_object_attribute_t *, uint_t, - crypto_object_attribute_t *, uint_t, crypto_object_id_t *, - crypto_object_id_t *, crypto_req_handle_t); - int (*key_wrap)(crypto_provider_handle_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_object_id_t *, - uchar_t *, size_t *, crypto_req_handle_t); - int (*key_unwrap)(crypto_provider_handle_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, uchar_t *, size_t *, - crypto_object_attribute_t *, uint_t, - crypto_object_id_t *, crypto_req_handle_t); - int (*key_derive)(crypto_provider_handle_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_object_attribute_t *, - uint_t, crypto_object_id_t *, crypto_req_handle_t); - int (*key_check)(crypto_provider_handle_t, crypto_mechanism_t *, - crypto_key_t *); -} __no_const crypto_key_ops_t; - -/* - * The crypto_provider_management_ops structure contains pointers - * to management operations for cryptographic providers. It is passed - * through the crypto_ops(9S) structure when providers register with the - * kernel using crypto_register_provider(9F). + * The crypto_ctx_ops structure contains points to context and context + * templates management operations for cryptographic providers. It is + * passed through the crypto_ops(9S) structure when providers register + * with the kernel using crypto_register_provider(9F). */ -typedef struct crypto_provider_management_ops { - int (*ext_info)(crypto_provider_handle_t, - crypto_provider_ext_info_t *, crypto_req_handle_t); - int (*init_token)(crypto_provider_handle_t, char *, size_t, - char *, crypto_req_handle_t); - int (*init_pin)(crypto_provider_handle_t, crypto_session_id_t, - char *, size_t, crypto_req_handle_t); - int (*set_pin)(crypto_provider_handle_t, crypto_session_id_t, - char *, size_t, char *, size_t, crypto_req_handle_t); -} __no_const crypto_provider_management_ops_t; - -typedef struct crypto_mech_ops { - int (*copyin_mechanism)(crypto_provider_handle_t, - crypto_mechanism_t *, crypto_mechanism_t *, int *, int); - int (*copyout_mechanism)(crypto_provider_handle_t, - crypto_mechanism_t *, crypto_mechanism_t *, int *, int); - int (*free_mechanism)(crypto_provider_handle_t, crypto_mechanism_t *); -} __no_const crypto_mech_ops_t; - -typedef struct crypto_nostore_key_ops { - int (*nostore_key_generate)(crypto_provider_handle_t, - crypto_session_id_t, crypto_mechanism_t *, - crypto_object_attribute_t *, uint_t, crypto_object_attribute_t *, - uint_t, crypto_req_handle_t); - int (*nostore_key_generate_pair)(crypto_provider_handle_t, - crypto_session_id_t, crypto_mechanism_t *, - crypto_object_attribute_t *, uint_t, crypto_object_attribute_t *, - uint_t, crypto_object_attribute_t *, uint_t, - crypto_object_attribute_t *, uint_t, crypto_req_handle_t); - int (*nostore_key_derive)(crypto_provider_handle_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_object_attribute_t *, - uint_t, crypto_object_attribute_t *, uint_t, crypto_req_handle_t); -} __no_const crypto_nostore_key_ops_t; +typedef struct crypto_ctx_ops { + int (*create_ctx_template)(crypto_provider_handle_t, + crypto_mechanism_t *, crypto_key_t *, + crypto_spi_ctx_template_t *, size_t *, crypto_req_handle_t); + int (*free_context)(crypto_ctx_t *); +} __no_const crypto_ctx_ops_t; /* * The crypto_ops(9S) structure contains the structures containing @@ -491,18 +199,7 @@ typedef struct crypto_ops { const crypto_digest_ops_t *co_digest_ops; const crypto_cipher_ops_t *co_cipher_ops; const crypto_mac_ops_t *co_mac_ops; - crypto_sign_ops_t *co_sign_ops; - crypto_verify_ops_t *co_verify_ops; - crypto_dual_ops_t *co_dual_ops; - crypto_dual_cipher_mac_ops_t *co_dual_cipher_mac_ops; - crypto_random_number_ops_t *co_random_ops; - crypto_session_ops_t *co_session_ops; - crypto_object_ops_t *co_object_ops; - crypto_key_ops_t *co_key_ops; - crypto_provider_management_ops_t *co_provider_ops; const crypto_ctx_ops_t *co_ctx_ops; - crypto_mech_ops_t *co_mech_ops; - crypto_nostore_key_ops_t *co_nostore_key_ops; } crypto_ops_t; /* @@ -518,29 +215,11 @@ typedef uint32_t crypto_func_group_t; #define CRYPTO_FG_ENCRYPT 0x00000001 /* encrypt_init() */ #define CRYPTO_FG_DECRYPT 0x00000002 /* decrypt_init() */ #define CRYPTO_FG_DIGEST 0x00000004 /* digest_init() */ -#define CRYPTO_FG_SIGN 0x00000008 /* sign_init() */ -#define CRYPTO_FG_SIGN_RECOVER 0x00000010 /* sign_recover_init() */ -#define CRYPTO_FG_VERIFY 0x00000020 /* verify_init() */ -#define CRYPTO_FG_VERIFY_RECOVER 0x00000040 /* verify_recover_init() */ -#define CRYPTO_FG_GENERATE 0x00000080 /* key_generate() */ -#define CRYPTO_FG_GENERATE_KEY_PAIR 0x00000100 /* key_generate_pair() */ -#define CRYPTO_FG_WRAP 0x00000200 /* key_wrap() */ -#define CRYPTO_FG_UNWRAP 0x00000400 /* key_unwrap() */ -#define CRYPTO_FG_DERIVE 0x00000800 /* key_derive() */ #define CRYPTO_FG_MAC 0x00001000 /* mac_init() */ -#define CRYPTO_FG_ENCRYPT_MAC 0x00002000 /* encrypt_mac_init() */ -#define CRYPTO_FG_MAC_DECRYPT 0x00004000 /* decrypt_mac_init() */ #define CRYPTO_FG_ENCRYPT_ATOMIC 0x00008000 /* encrypt_atomic() */ #define CRYPTO_FG_DECRYPT_ATOMIC 0x00010000 /* decrypt_atomic() */ #define CRYPTO_FG_MAC_ATOMIC 0x00020000 /* mac_atomic() */ #define CRYPTO_FG_DIGEST_ATOMIC 0x00040000 /* digest_atomic() */ -#define CRYPTO_FG_SIGN_ATOMIC 0x00080000 /* sign_atomic() */ -#define CRYPTO_FG_SIGN_RECOVER_ATOMIC 0x00100000 /* sign_recover_atomic() */ -#define CRYPTO_FG_VERIFY_ATOMIC 0x00200000 /* verify_atomic() */ -#define CRYPTO_FG_VERIFY_RECOVER_ATOMIC 0x00400000 /* verify_recover_atomic() */ -#define CRYPTO_FG_ENCRYPT_MAC_ATOMIC 0x00800000 /* encrypt_mac_atomic() */ -#define CRYPTO_FG_MAC_DECRYPT_ATOMIC 0x01000000 /* mac_decrypt_atomic() */ -#define CRYPTO_FG_RESERVED 0x80000000 /* * Maximum length of the pi_provider_description field of the @@ -549,21 +228,6 @@ typedef uint32_t crypto_func_group_t; #define CRYPTO_PROVIDER_DESCR_MAX_LEN 64 -/* Bit mask for all the simple operations */ -#define CRYPTO_FG_SIMPLEOP_MASK (CRYPTO_FG_ENCRYPT | CRYPTO_FG_DECRYPT | \ - CRYPTO_FG_DIGEST | CRYPTO_FG_SIGN | CRYPTO_FG_VERIFY | CRYPTO_FG_MAC | \ - CRYPTO_FG_ENCRYPT_ATOMIC | CRYPTO_FG_DECRYPT_ATOMIC | \ - CRYPTO_FG_MAC_ATOMIC | CRYPTO_FG_DIGEST_ATOMIC | CRYPTO_FG_SIGN_ATOMIC | \ - CRYPTO_FG_VERIFY_ATOMIC) - -/* Bit mask for all the dual operations */ -#define CRYPTO_FG_MAC_CIPHER_MASK (CRYPTO_FG_ENCRYPT_MAC | \ - CRYPTO_FG_MAC_DECRYPT | CRYPTO_FG_ENCRYPT_MAC_ATOMIC | \ - CRYPTO_FG_MAC_DECRYPT_ATOMIC) - -/* Add other combos to CRYPTO_FG_DUAL_MASK */ -#define CRYPTO_FG_DUAL_MASK CRYPTO_FG_MAC_CIPHER_MASK - /* * The crypto_mech_info structure specifies one of the mechanisms * supported by a cryptographic provider. The pi_mechanisms field of @@ -579,8 +243,6 @@ typedef struct crypto_mech_info { uint32_t cm_mech_flags; } crypto_mech_info_t; -/* Alias the old name to the new name for compatibility. */ -#define cm_keysize_unit cm_mech_flags /* * The following is used by a provider that sets diff --git a/module/icp/io/aes.c b/module/icp/io/aes.c index 1c412d9ee844..036bfeeaf823 100644 --- a/module/icp/io/aes.c +++ b/module/icp/io/aes.c @@ -69,9 +69,7 @@ static const crypto_mech_info_t aes_mech_info_tab[] = { {SUN_CKM_AES_GMAC, AES_GMAC_MECH_INFO_TYPE, CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | - CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC | - CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | - CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, + CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES} }; @@ -147,16 +145,7 @@ static const crypto_ops_t aes_crypto_ops = { NULL, &aes_cipher_ops, &aes_mac_ops, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - &aes_ctx_ops + &aes_ctx_ops, }; static const crypto_provider_info_t aes_prov_info = { diff --git a/module/icp/io/sha2_mod.c b/module/icp/io/sha2_mod.c index 0c7f8a73d355..f7913359c28e 100644 --- a/module/icp/io/sha2_mod.c +++ b/module/icp/io/sha2_mod.c @@ -161,16 +161,7 @@ static const crypto_ops_t sha2_crypto_ops = { &sha2_digest_ops, NULL, &sha2_mac_ops, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - &sha2_ctx_ops + &sha2_ctx_ops, }; static const crypto_provider_info_t sha2_prov_info = { diff --git a/module/icp/io/skein_mod.c b/module/icp/io/skein_mod.c index cceea29d4f19..05307cbb2b8c 100644 --- a/module/icp/io/skein_mod.c +++ b/module/icp/io/skein_mod.c @@ -99,15 +99,6 @@ static const crypto_ops_t skein_crypto_ops = { &skein_digest_ops, NULL, &skein_mac_ops, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, &skein_ctx_ops, }; diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c index 51670d5b9833..bf772ec335be 100644 --- a/module/icp/spi/kcf_spi.c +++ b/module/icp/spi/kcf_spi.c @@ -75,18 +75,7 @@ copy_ops_vector(const crypto_ops_t *src_ops, crypto_ops_t *dst_ops) KCF_SPI_COPY_OPS(src_ops, dst_ops, co_digest_ops); KCF_SPI_COPY_OPS(src_ops, dst_ops, co_cipher_ops); KCF_SPI_COPY_OPS(src_ops, dst_ops, co_mac_ops); - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_sign_ops); - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_verify_ops); - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_dual_ops); - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_dual_cipher_mac_ops); - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_random_ops); - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_session_ops); - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_object_ops); - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_key_ops); - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_provider_ops); KCF_SPI_COPY_OPS(src_ops, dst_ops, co_ctx_ops); - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_mech_ops); - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_nostore_key_ops); } /* @@ -150,12 +139,6 @@ crypto_register_provider(const crypto_provider_info_t *info, prov_desc->pd_flags = info->pi_flags; } - /* object_ops and nostore_key_ops are mutually exclusive */ - if (prov_desc->pd_ops_vector->co_object_ops && - prov_desc->pd_ops_vector->co_nostore_key_ops) { - goto bail; - } - /* process the mechanisms supported by the provider */ if ((ret = init_prov_mechs(info, prov_desc)) != CRYPTO_SUCCESS) goto bail; @@ -184,32 +167,6 @@ crypto_register_provider(const crypto_provider_info_t *info, else prov_desc->pd_sched_info.ks_taskq = NULL; - /* no kernel session to logical providers */ - if (prov_desc->pd_prov_type != CRYPTO_LOGICAL_PROVIDER) { - /* - * Open a session for session-oriented providers. This session - * is used for all kernel consumers. This is fine as a provider - * is required to support multiple thread access to a session. - * We can do this only after the taskq has been created as we - * do a kcf_submit_request() to open the session. - */ - if (KCF_PROV_SESSION_OPS(prov_desc) != NULL) { - kcf_req_params_t params; - - KCF_WRAP_SESSION_OPS_PARAMS(¶ms, - KCF_OP_SESSION_OPEN, &prov_desc->pd_sid, 0, - CRYPTO_USER, NULL, 0, prov_desc); - ret = kcf_submit_request(prov_desc, NULL, NULL, ¶ms, - B_FALSE); - - if (ret != CRYPTO_SUCCESS) { - undo_register_provider(prov_desc, B_TRUE); - ret = CRYPTO_FAILED; - goto bail; - } - } - } - if (prov_desc->pd_prov_type != CRYPTO_LOGICAL_PROVIDER) { /* * Create the kstat for this provider. There is a kstat @@ -434,29 +391,9 @@ init_prov_mechs(const crypto_provider_info_t *info, kcf_provider_desc_t *desc) * mechanism, SUN_RANDOM, in this case. */ if (info != NULL) { - if (info->pi_ops_vector->co_random_ops != NULL) { - crypto_mech_info_t *rand_mi; - - /* - * Need the following check as it is possible to have - * a provider that implements just random_ops and has - * pi_mechanisms == NULL. - */ - if (info->pi_mechanisms != NULL) { - bcopy(info->pi_mechanisms, desc->pd_mechanisms, - sizeof (crypto_mech_info_t) * (mcount - 1)); - } - rand_mi = &desc->pd_mechanisms[mcount - 1]; - - bzero(rand_mi, sizeof (crypto_mech_info_t)); - (void) strncpy(rand_mi->cm_mech_name, SUN_RANDOM, - CRYPTO_MAX_MECH_NAME); - rand_mi->cm_func_group_mask = CRYPTO_FG_RANDOM; - } else { - ASSERT(info->pi_mechanisms != NULL); - bcopy(info->pi_mechanisms, desc->pd_mechanisms, - sizeof (crypto_mech_info_t) * mcount); - } + ASSERT(info->pi_mechanisms != NULL); + bcopy(info->pi_mechanisms, desc->pd_mechanisms, + sizeof (crypto_mech_info_t) * mcount); } /* @@ -578,26 +515,6 @@ undo_register_provider(kcf_provider_desc_t *desc, boolean_t remove_prov) (void) kcf_prov_tab_rem_provider(desc->pd_prov_id); } -/* - * Utility routine called from crypto_load_soft_disabled(). Callers - * should have done a prior undo_register_provider(). - */ -void -redo_register_provider(kcf_provider_desc_t *pd) -{ - /* process the mechanisms supported by the provider */ - (void) init_prov_mechs(NULL, pd); - - /* - * Hold provider in providers table. We should not call - * kcf_prov_tab_add_provider() here as the provider descriptor - * is still valid which means it has an entry in the provider - * table. - */ - KCF_PROV_REFHOLD(pd); - KCF_PROV_IREFHOLD(pd); -} - /* * Add provider (p1) to another provider's array of providers (p2). * Hardware and logical providers use this array to cross-reference From facc4a7d4a085da8556c08ce99474e5e2e925150 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Thu, 23 Dec 2021 03:22:27 +0100 Subject: [PATCH 05/39] module: icp: have a static 8 providers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is currently twice the amount we actually have (sha[12], skein, aes), and 512 * sizeof(void*) = 4096: 128x more than we need and a waste of most of a page in the kernel address space Plus, there's no need to actually allocate it dynamically: it's always got a static size. Put it in .data Signed-off-by: Ahelenia Ziemiańska --- module/icp/core/kcf_prov_tabs.c | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/module/icp/core/kcf_prov_tabs.c b/module/icp/core/kcf_prov_tabs.c index a5e3f5891d02..b977a264499c 100644 --- a/module/icp/core/kcf_prov_tabs.c +++ b/module/icp/core/kcf_prov_tabs.c @@ -45,7 +45,7 @@ #include #include -#define KCF_MAX_PROVIDERS 512 /* max number of providers */ +#define KCF_MAX_PROVIDERS 8 /* max number of providers */ /* * Prov_tab is an array of providers which is updated when @@ -59,33 +59,25 @@ * * prov_tab entries are not updated from kcf.conf or by cryptoadm(1M). */ -static kcf_provider_desc_t **prov_tab = NULL; +static kcf_provider_desc_t *prov_tab[KCF_MAX_PROVIDERS]; static kmutex_t prov_tab_mutex; /* ensure exclusive access to the table */ static uint_t prov_tab_num = 0; /* number of providers in table */ -static uint_t prov_tab_max = KCF_MAX_PROVIDERS; void kcf_prov_tab_destroy(void) { mutex_destroy(&prov_tab_mutex); - - if (prov_tab) - kmem_free(prov_tab, prov_tab_max * - sizeof (kcf_provider_desc_t *)); } /* * Initialize a mutex and the KCF providers table, prov_tab. - * The providers table is dynamically allocated with prov_tab_max entries. + * The providers table is dynamically allocated with KCF_MAX_PROVIDERS entries. * Called from kcf module _init(). */ void kcf_prov_tab_init(void) { mutex_init(&prov_tab_mutex, NULL, MUTEX_DEFAULT, NULL); - - prov_tab = kmem_zalloc(prov_tab_max * sizeof (kcf_provider_desc_t *), - KM_SLEEP); } /* @@ -101,8 +93,6 @@ kcf_prov_tab_add_provider(kcf_provider_desc_t *prov_desc) { uint_t i; - ASSERT(prov_tab != NULL); - mutex_enter(&prov_tab_mutex); /* find free slot in providers table */ @@ -146,7 +136,6 @@ kcf_prov_tab_rem_provider(crypto_provider_id_t prov_id) { kcf_provider_desc_t *prov_desc; - ASSERT(prov_tab != NULL); ASSERT(prov_tab_num >= 0); /* From db534ed9d0a183e1f6ffba1bd3f5c571f9fae164 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Thu, 23 Dec 2021 18:27:44 +0100 Subject: [PATCH 06/39] module: icp: guarantee the ops vector is persistent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/core/kcf_prov_tabs.c | 57 ++------------------------------- module/icp/spi/kcf_spi.c | 27 ++-------------- 2 files changed, 4 insertions(+), 80 deletions(-) diff --git a/module/icp/core/kcf_prov_tabs.c b/module/icp/core/kcf_prov_tabs.c index b977a264499c..1a701ff03577 100644 --- a/module/icp/core/kcf_prov_tabs.c +++ b/module/icp/core/kcf_prov_tabs.c @@ -193,26 +193,6 @@ kcf_prov_tab_lookup(crypto_provider_id_t prov_id) return (prov_desc); } -static void -allocate_ops(const crypto_ops_t *src, crypto_ops_t *dst) -{ - if (src->co_digest_ops != NULL) - dst->co_digest_ops = kmem_alloc(sizeof (crypto_digest_ops_t), - KM_SLEEP); - - if (src->co_cipher_ops != NULL) - dst->co_cipher_ops = kmem_alloc(sizeof (crypto_cipher_ops_t), - KM_SLEEP); - - if (src->co_mac_ops != NULL) - dst->co_mac_ops = kmem_alloc(sizeof (crypto_mac_ops_t), - KM_SLEEP); - - if (src->co_ctx_ops != NULL) - dst->co_ctx_ops = kmem_alloc(sizeof (crypto_ctx_ops_t), - KM_SLEEP); -} - /* * Allocate a provider descriptor. mech_list_count specifies the * number of mechanisms supported by the providers, and is used @@ -223,10 +203,8 @@ allocate_ops(const crypto_ops_t *src, crypto_ops_t *dst) kcf_provider_desc_t * kcf_alloc_provider_desc(const crypto_provider_info_t *info) { - kcf_provider_desc_t *desc; - const crypto_ops_t *src_ops = info->pi_ops_vector; - - desc = kmem_zalloc(sizeof (kcf_provider_desc_t), KM_SLEEP); + kcf_provider_desc_t *desc = + kmem_zalloc(sizeof (kcf_provider_desc_t), KM_SLEEP); /* * pd_description serves two purposes @@ -246,17 +224,6 @@ kcf_alloc_provider_desc(const crypto_provider_info_t *info) CRYPTO_PROVIDER_DESCR_MAX_LEN); desc->pd_description[CRYPTO_PROVIDER_DESCR_MAX_LEN] = '\0'; - /* - * Since the framework does not require the ops vector specified - * by the providers during registration to be persistent, - * KCF needs to allocate storage where copies of the ops - * vectors are copied. - */ - crypto_ops_t *opvec = kmem_zalloc(sizeof (crypto_ops_t), KM_SLEEP); - if (info->pi_provider_type != CRYPTO_LOGICAL_PROVIDER) - allocate_ops(src_ops, opvec); - desc->pd_ops_vector = opvec; - desc->pd_mech_list_count = info->pi_mech_list_count; desc->pd_mechanisms = kmem_zalloc(sizeof (crypto_mech_info_t) * info->pi_mech_list_count, KM_SLEEP); @@ -327,26 +294,6 @@ kcf_free_provider_desc(kcf_provider_desc_t *desc) kmem_free(desc->pd_description, CRYPTO_PROVIDER_DESCR_MAX_LEN + 1); - if (desc->pd_ops_vector != NULL) { - if (desc->pd_ops_vector->co_digest_ops != NULL) - kmem_free(desc->pd_ops_vector->co_digest_ops, - sizeof (crypto_digest_ops_t)); - - if (desc->pd_ops_vector->co_cipher_ops != NULL) - kmem_free(desc->pd_ops_vector->co_cipher_ops, - sizeof (crypto_cipher_ops_t)); - - if (desc->pd_ops_vector->co_mac_ops != NULL) - kmem_free(desc->pd_ops_vector->co_mac_ops, - sizeof (crypto_mac_ops_t)); - - if (desc->pd_ops_vector->co_ctx_ops != NULL) - kmem_free(desc->pd_ops_vector->co_ctx_ops, - sizeof (crypto_ctx_ops_t)); - - kmem_free(desc->pd_ops_vector, sizeof (crypto_ops_t)); - } - if (desc->pd_mechanisms != NULL) /* free the memory associated with the mechanism info's */ kmem_free(desc->pd_mechanisms, sizeof (crypto_mech_info_t) * diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c index bf772ec335be..284b56b85fa7 100644 --- a/module/icp/spi/kcf_spi.c +++ b/module/icp/spi/kcf_spi.c @@ -58,26 +58,6 @@ static const kcf_prov_stats_t kcf_stats_ks_data_template = { { "kcf_ops_returned_busy", KSTAT_DATA_UINT64 } }; -#define KCF_SPI_COPY_OPS(src, dst, ops) if ((src)->ops != NULL) \ - memcpy((void *) (dst)->ops, (src)->ops, sizeof (*(src)->ops)); - -/* - * Copy an ops vector from src to dst. Used during provider registration - * to copy the ops vector from the provider info structure to the - * provider descriptor maintained by KCF. - * Copying the ops vector specified by the provider is needed since the - * framework does not require the provider info structure to be - * persistent. - */ -static void -copy_ops_vector(const crypto_ops_t *src_ops, crypto_ops_t *dst_ops) -{ - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_digest_ops); - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_cipher_ops); - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_mac_ops); - KCF_SPI_COPY_OPS(src_ops, dst_ops, co_ctx_ops); -} - /* * This routine is used to add cryptographic providers to the KEF framework. * Providers pass a crypto_provider_info structure to crypto_register_provider() @@ -130,12 +110,9 @@ crypto_register_provider(const crypto_provider_info_t *info, (size_t)CRYPTO_PROVIDER_DESCR_MAX_LEN)); } + /* Change from Illumos: the ops vector is persistent. */ if (info->pi_provider_type != CRYPTO_LOGICAL_PROVIDER) { - if (info->pi_ops_vector == NULL) { - goto bail; - } - crypto_ops_t *pvec = (crypto_ops_t *)prov_desc->pd_ops_vector; - copy_ops_vector(info->pi_ops_vector, pvec); + prov_desc->pd_ops_vector = info->pi_ops_vector; prov_desc->pd_flags = info->pi_flags; } From 3d694aa244a07f3fb73d0443c0046c38800ec981 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Thu, 23 Dec 2021 18:34:23 +0100 Subject: [PATCH 07/39] module: icp: use original description MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/core/kcf_prov_tabs.c | 22 ---------------------- module/icp/include/sys/crypto/impl.h | 2 +- module/icp/include/sys/crypto/spi.h | 2 +- module/icp/spi/kcf_spi.c | 14 +------------- 4 files changed, 3 insertions(+), 37 deletions(-) diff --git a/module/icp/core/kcf_prov_tabs.c b/module/icp/core/kcf_prov_tabs.c index 1a701ff03577..474090095335 100644 --- a/module/icp/core/kcf_prov_tabs.c +++ b/module/icp/core/kcf_prov_tabs.c @@ -206,24 +206,6 @@ kcf_alloc_provider_desc(const crypto_provider_info_t *info) kcf_provider_desc_t *desc = kmem_zalloc(sizeof (kcf_provider_desc_t), KM_SLEEP); - /* - * pd_description serves two purposes - * - Appears as a blank padded PKCS#11 style string, that will be - * returned to applications in CK_SLOT_INFO.slotDescription. - * This means that we should not have a null character in the - * first CRYPTO_PROVIDER_DESCR_MAX_LEN bytes. - * - Appears as a null-terminated string that can be used by - * other kcf routines. - * - * So, we allocate enough room for one extra null terminator - * which keeps every one happy. - */ - desc->pd_description = kmem_alloc(CRYPTO_PROVIDER_DESCR_MAX_LEN + 1, - KM_SLEEP); - (void) memset(desc->pd_description, ' ', - CRYPTO_PROVIDER_DESCR_MAX_LEN); - desc->pd_description[CRYPTO_PROVIDER_DESCR_MAX_LEN] = '\0'; - desc->pd_mech_list_count = info->pi_mech_list_count; desc->pd_mechanisms = kmem_zalloc(sizeof (crypto_mech_info_t) * info->pi_mech_list_count, KM_SLEEP); @@ -290,10 +272,6 @@ kcf_free_provider_desc(kcf_provider_desc_t *desc) /* free the kernel memory associated with the provider descriptor */ - if (desc->pd_description != NULL) - kmem_free(desc->pd_description, - CRYPTO_PROVIDER_DESCR_MAX_LEN + 1); - if (desc->pd_mechanisms != NULL) /* free the memory associated with the mechanism info's */ kmem_free(desc->pd_mechanisms, sizeof (crypto_mech_info_t) * diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index 3c8f4d37eeaf..39fa6dafed0b 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -221,7 +221,7 @@ typedef struct kcf_provider_desc { // int pd_module_id; // struct modctl *pd_mctlp; kcondvar_t pd_remove_cv; - char *pd_description; + const char *pd_description; uint_t pd_flags; uint_t pd_hash_limit; crypto_kcf_provider_handle_t pd_kcf_prov_handle; diff --git a/module/icp/include/sys/crypto/spi.h b/module/icp/include/sys/crypto/spi.h index 2993caa4fbcb..25fba6dda852 100644 --- a/module/icp/include/sys/crypto/spi.h +++ b/module/icp/include/sys/crypto/spi.h @@ -267,7 +267,7 @@ typedef uint_t crypto_kcf_provider_handle_t; * pi_provider_dev must be specified with a different pi_provider_handle. */ typedef struct crypto_provider_info { - char *pi_provider_description; + const char *pi_provider_description; crypto_provider_type_t pi_provider_type; crypto_provider_handle_t pi_provider_handle; const crypto_ops_t *pi_ops_vector; diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c index 284b56b85fa7..3e661235088d 100644 --- a/module/icp/spi/kcf_spi.c +++ b/module/icp/spi/kcf_spi.c @@ -96,19 +96,7 @@ crypto_register_provider(const crypto_provider_info_t *info, prov_desc->pd_prov_handle = info->pi_provider_handle; /* copy provider description string */ - if (info->pi_provider_description != NULL) { - /* - * pi_provider_descriptor is a string that can contain - * up to CRYPTO_PROVIDER_DESCR_MAX_LEN + 1 characters - * INCLUDING the terminating null character. A bcopy() - * is necessary here as pd_description should not have - * a null character. See comments in kcf_alloc_provider_desc() - * for details on pd_description field. - */ - bcopy(info->pi_provider_description, prov_desc->pd_description, - MIN(strlen(info->pi_provider_description), - (size_t)CRYPTO_PROVIDER_DESCR_MAX_LEN)); - } + prov_desc->pd_description = info->pi_provider_description; /* Change from Illumos: the ops vector is persistent. */ if (info->pi_provider_type != CRYPTO_LOGICAL_PROVIDER) { From 7d0f30b0585b064afba345f58a1b4833ddf55585 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Thu, 23 Dec 2021 18:44:07 +0100 Subject: [PATCH 08/39] module: icp: use original mechanisms MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/api/kcf_cipher.c | 2 +- module/icp/core/kcf_mech_tabs.c | 6 +++--- module/icp/core/kcf_prov_tabs.c | 8 -------- module/icp/include/sys/crypto/impl.h | 4 ++-- module/icp/spi/kcf_spi.c | 11 +++++------ 5 files changed, 11 insertions(+), 20 deletions(-) diff --git a/module/icp/api/kcf_cipher.c b/module/icp/api/kcf_cipher.c index 60a0e189ccff..967d4f029263 100644 --- a/module/icp/api/kcf_cipher.c +++ b/module/icp/api/kcf_cipher.c @@ -159,7 +159,7 @@ crypto_cipher_init_prov(crypto_provider_t provider, crypto_session_id_t sid, KCF_CAN_SHARE_OPSTATE(pd, mech->cm_type)) { kcf_context_t *tctxp = (kcf_context_t *)ctx; kcf_provider_desc_t *tpd = NULL; - crypto_mech_info_t *sinfo; + const crypto_mech_info_t *sinfo; if ((kcf_get_sw_prov(mech->cm_type, &tpd, &tctxp->kc_mech, B_FALSE) == CRYPTO_SUCCESS)) { diff --git a/module/icp/core/kcf_mech_tabs.c b/module/icp/core/kcf_mech_tabs.c index 4f2e04e37347..3d551afed2ae 100644 --- a/module/icp/core/kcf_mech_tabs.c +++ b/module/icp/core/kcf_mech_tabs.c @@ -280,7 +280,7 @@ kcf_init_mech_tabs(void) * KCF_SUCCESS otherwise. */ static int -kcf_create_mech_entry(kcf_ops_class_t class, char *mechname) +kcf_create_mech_entry(kcf_ops_class_t class, const char *mechname) { crypto_mech_type_t mt; kcf_mech_entry_t *me_tab; @@ -365,7 +365,7 @@ kcf_add_mech_provider(short mech_indx, { int error; kcf_mech_entry_t *mech_entry = NULL; - crypto_mech_info_t *mech_info; + const crypto_mech_info_t *mech_info; crypto_mech_type_t kcf_mech_type; kcf_prov_mech_desc_t *prov_mech; @@ -491,7 +491,7 @@ kcf_add_mech_provider(short mech_indx, * User context only. */ void -kcf_remove_mech_provider(char *mech_name, kcf_provider_desc_t *prov_desc) +kcf_remove_mech_provider(const char *mech_name, kcf_provider_desc_t *prov_desc) { crypto_mech_type_t mech_type; kcf_prov_mech_desc_t *prov_mech = NULL, *prov_chain; diff --git a/module/icp/core/kcf_prov_tabs.c b/module/icp/core/kcf_prov_tabs.c index 474090095335..f84a390a27db 100644 --- a/module/icp/core/kcf_prov_tabs.c +++ b/module/icp/core/kcf_prov_tabs.c @@ -206,9 +206,6 @@ kcf_alloc_provider_desc(const crypto_provider_info_t *info) kcf_provider_desc_t *desc = kmem_zalloc(sizeof (kcf_provider_desc_t), KM_SLEEP); - desc->pd_mech_list_count = info->pi_mech_list_count; - desc->pd_mechanisms = kmem_zalloc(sizeof (crypto_mech_info_t) * - info->pi_mech_list_count, KM_SLEEP); for (int i = 0; i < KCF_OPS_CLASSSIZE; i++) for (int j = 0; j < KCF_MAXMECHTAB; j++) desc->pd_mech_indx[i][j] = KCF_INVALID_INDX; @@ -272,11 +269,6 @@ kcf_free_provider_desc(kcf_provider_desc_t *desc) /* free the kernel memory associated with the provider descriptor */ - if (desc->pd_mechanisms != NULL) - /* free the memory associated with the mechanism info's */ - kmem_free(desc->pd_mechanisms, sizeof (crypto_mech_info_t) * - desc->pd_mech_list_count); - if (desc->pd_sched_info.ks_taskq != NULL) taskq_destroy(desc->pd_sched_info.ks_taskq); diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index 39fa6dafed0b..7877cf9d205e 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -213,7 +213,7 @@ typedef struct kcf_provider_desc { const crypto_ops_t *pd_ops_vector; ushort_t pd_mech_indx[KCF_OPS_CLASSSIZE]\ [KCF_MAXMECHTAB]; - crypto_mech_info_t *pd_mechanisms; + const crypto_mech_info_t *pd_mechanisms; kcf_sched_info_t pd_sched_info; uint_t pd_mech_list_count; // char *pd_name; @@ -669,7 +669,7 @@ extern void kcf_destroy_mech_tabs(void); extern void kcf_init_mech_tabs(void); extern int kcf_add_mech_provider(short, kcf_provider_desc_t *, kcf_prov_mech_desc_t **); -extern void kcf_remove_mech_provider(char *, kcf_provider_desc_t *); +extern void kcf_remove_mech_provider(const char *, kcf_provider_desc_t *); extern int kcf_get_mech_entry(crypto_mech_type_t, kcf_mech_entry_t **); extern kcf_provider_desc_t *kcf_alloc_provider_desc( const crypto_provider_info_t *); diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c index 3e661235088d..a9e3d35bea37 100644 --- a/module/icp/spi/kcf_spi.c +++ b/module/icp/spi/kcf_spi.c @@ -338,13 +338,12 @@ init_prov_mechs(const crypto_provider_info_t *info, kcf_provider_desc_t *desc) int err = CRYPTO_SUCCESS; kcf_prov_mech_desc_t *pmd; int desc_use_count = 0; - int mcount = desc->pd_mech_list_count; if (desc->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { if (info != NULL) { ASSERT(info->pi_mechanisms != NULL); - bcopy(info->pi_mechanisms, desc->pd_mechanisms, - sizeof (crypto_mech_info_t) * mcount); + desc->pd_mech_list_count = info->pi_mech_list_count; + desc->pd_mechanisms = info->pi_mechanisms; } return (CRYPTO_SUCCESS); } @@ -357,8 +356,8 @@ init_prov_mechs(const crypto_provider_info_t *info, kcf_provider_desc_t *desc) */ if (info != NULL) { ASSERT(info->pi_mechanisms != NULL); - bcopy(info->pi_mechanisms, desc->pd_mechanisms, - sizeof (crypto_mech_info_t) * mcount); + desc->pd_mech_list_count = info->pi_mech_list_count; + desc->pd_mechanisms = info->pi_mechanisms; } /* @@ -366,7 +365,7 @@ init_prov_mechs(const crypto_provider_info_t *info, kcf_provider_desc_t *desc) * to the corresponding KCF mechanism mech_entry chain. */ for (mech_idx = 0; mech_idx < desc->pd_mech_list_count; mech_idx++) { - crypto_mech_info_t *mi = &desc->pd_mechanisms[mech_idx]; + const crypto_mech_info_t *mi = &desc->pd_mechanisms[mech_idx]; if ((mi->cm_mech_flags & CRYPTO_KEYSIZE_UNIT_IN_BITS) && (mi->cm_mech_flags & CRYPTO_KEYSIZE_UNIT_IN_BYTES)) { From ba363793134aad31e8a77eab6dcdcee97eaa64a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Thu, 23 Dec 2021 19:51:00 +0100 Subject: [PATCH 09/39] module: icp: remove other provider types MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/os/linux/spl/sys/taskq.h | 2 - include/sys/crypto/api.h | 1 - include/sys/crypto/common.h | 6 - include/sys/zfs_context.h | 1 - lib/libzpool/taskq.c | 6 - module/icp/api/kcf_cipher.c | 121 +------ module/icp/api/kcf_digest.c | 74 +---- module/icp/api/kcf_mac.c | 129 ++----- module/icp/api/kcf_miscapi.c | 4 +- module/icp/core/kcf_callprov.c | 214 +----------- module/icp/core/kcf_mech_tabs.c | 162 ++------- module/icp/core/kcf_prov_tabs.c | 37 +-- module/icp/core/kcf_sched.c | 352 +++----------------- module/icp/include/sys/crypto/impl.h | 111 +------ module/icp/include/sys/crypto/sched_impl.h | 43 +-- module/icp/include/sys/crypto/spi.h | 17 +- module/icp/io/aes.c | 1 - module/icp/io/sha2_mod.c | 1 - module/icp/io/skein_mod.c | 1 - module/icp/spi/kcf_spi.c | 370 +++++---------------- module/os/linux/spl/spl-taskq.c | 7 - 21 files changed, 237 insertions(+), 1423 deletions(-) diff --git a/include/os/linux/spl/sys/taskq.h b/include/os/linux/spl/sys/taskq.h index 5f8eb19dceb7..2a6cd8283d16 100644 --- a/include/os/linux/spl/sys/taskq.h +++ b/include/os/linux/spl/sys/taskq.h @@ -163,8 +163,6 @@ extern taskq_t *taskq_of_curthread(void); ((void) sizeof (dc), \ taskq_create(name, nthreads, maxclsyspri, min, max, flags)) -extern boolean_t taskq_empty(taskq_t *); - int spl_taskq_init(void); void spl_taskq_fini(void); diff --git a/include/sys/crypto/api.h b/include/sys/crypto/api.h index 3e27769e7a49..3f56a4bb15b0 100644 --- a/include/sys/crypto/api.h +++ b/include/sys/crypto/api.h @@ -168,7 +168,6 @@ typedef enum { /* The event_arg argument structure for CRYPTO_EVENT_PROVIDERS_CHANGE event */ typedef struct crypto_notify_event_change { crypto_mech_name_t ec_mech_name; - crypto_provider_type_t ec_provider_type; crypto_event_change_t ec_change; } crypto_notify_event_change_t; diff --git a/include/sys/crypto/common.h b/include/sys/crypto/common.h index fa4d05c6c6b9..557c3d4d1780 100644 --- a/include/sys/crypto/common.h +++ b/include/sys/crypto/common.h @@ -369,12 +369,6 @@ typedef struct crypto_key32 { /* Providers */ -typedef enum { - CRYPTO_HW_PROVIDER = 0, - CRYPTO_SW_PROVIDER, - CRYPTO_LOGICAL_PROVIDER -} crypto_provider_type_t; - typedef uint32_t crypto_provider_id_t; #define KCF_PROVID_INVALID ((uint32_t)-1) diff --git a/include/sys/zfs_context.h b/include/sys/zfs_context.h index d53b2c3a0baa..6d1fd83df522 100644 --- a/include/sys/zfs_context.h +++ b/include/sys/zfs_context.h @@ -509,7 +509,6 @@ extern taskq_t *taskq_of_curthread(void); extern int taskq_cancel_id(taskq_t *, taskqid_t); extern void system_taskq_init(void); extern void system_taskq_fini(void); -extern boolean_t taskq_empty(taskq_t *); #define XVA_MAPSIZE 3 #define XVA_MAGIC 0x78766174 diff --git a/lib/libzpool/taskq.c b/lib/libzpool/taskq.c index b72ca3d3996c..8a61130911c1 100644 --- a/lib/libzpool/taskq.c +++ b/lib/libzpool/taskq.c @@ -363,12 +363,6 @@ taskq_cancel_id(taskq_t *tq, taskqid_t id) return (ENOENT); } -boolean_t -taskq_empty(taskq_t *tq) -{ - return (tq->tq_task.tqent_next == &tq->tq_task || tq->tq_active == 0); -} - void system_taskq_init(void) { diff --git a/module/icp/api/kcf_cipher.c b/module/icp/api/kcf_cipher.c index 967d4f029263..1d582b7ad863 100644 --- a/module/icp/api/kcf_cipher.c +++ b/module/icp/api/kcf_cipher.c @@ -110,27 +110,9 @@ crypto_cipher_init_prov(crypto_provider_t provider, crypto_session_id_t sid, ASSERT(KCF_PROV_REFHELD(pd)); - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { - if (func == CRYPTO_FG_ENCRYPT) { - error = kcf_get_hardware_provider(mech->cm_type, - CRYPTO_MECH_INVALID, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_ENCRYPT); - } else { - error = kcf_get_hardware_provider(mech->cm_type, - CRYPTO_MECH_INVALID, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_DECRYPT); - } - - if (error != CRYPTO_SUCCESS) - return (error); - } - /* Allocate and initialize the canonical context */ - if ((ctx = kcf_new_ctx(crq, real_provider, sid)) == NULL) { - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) - KCF_PROV_REFRELE(real_provider); + if ((ctx = kcf_new_ctx(crq, real_provider, sid)) == NULL) return (CRYPTO_HOST_MEMORY); - } /* The fast path for SW providers. */ if (CHECK_FASTPATH(crq, pd)) { @@ -153,42 +135,6 @@ crypto_cipher_init_prov(crypto_provider_t provider, crypto_session_id_t sid, goto done; } - /* Check if context sharing is possible */ - if (pd->pd_prov_type == CRYPTO_HW_PROVIDER && - key->ck_format == CRYPTO_KEY_RAW && - KCF_CAN_SHARE_OPSTATE(pd, mech->cm_type)) { - kcf_context_t *tctxp = (kcf_context_t *)ctx; - kcf_provider_desc_t *tpd = NULL; - const crypto_mech_info_t *sinfo; - - if ((kcf_get_sw_prov(mech->cm_type, &tpd, &tctxp->kc_mech, - B_FALSE) == CRYPTO_SUCCESS)) { - int tlen; - - sinfo = &(KCF_TO_PROV_MECHINFO(tpd, mech->cm_type)); - /* - * key->ck_length from the consumer is always in bits. - * We convert it to be in the same unit registered by - * the provider in order to do a comparison. - */ - if (sinfo->cm_mech_flags & CRYPTO_KEYSIZE_UNIT_IN_BYTES) - tlen = key->ck_length >> 3; - else - tlen = key->ck_length; - /* - * Check if the software provider can support context - * sharing and support this key length. - */ - if ((sinfo->cm_mech_flags & CRYPTO_CAN_SHARE_OPSTATE) && - (tlen >= sinfo->cm_min_key_length) && - (tlen <= sinfo->cm_max_key_length)) { - ctx->cc_flags = CRYPTO_INIT_OPSTATE; - tctxp->kc_sw_prov_desc = tpd; - } else - KCF_PROV_REFRELE(tpd); - } - } - if (func == CRYPTO_FG_ENCRYPT) { KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_INIT, sid, mech, key, NULL, NULL, tmpl); @@ -200,9 +146,6 @@ crypto_cipher_init_prov(crypto_provider_t provider, crypto_session_id_t sid, error = kcf_submit_request(real_provider, ctx, crq, ¶ms); - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) - KCF_PROV_REFRELE(real_provider); - done: if ((error == CRYPTO_SUCCESS) || (error == CRYPTO_QUEUED)) *ctxp = (crypto_context_t)ctx; @@ -234,7 +177,7 @@ crypto_cipher_init(crypto_mechanism_t *mech, crypto_key_t *key, retry: /* pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, &me, &error, - list, func, CHECK_RESTRICT(crq), 0)) == NULL) { + list, func, CHECK_RESTRICT(crq))) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); @@ -247,8 +190,7 @@ crypto_cipher_init(crypto_mechanism_t *mech, crypto_key_t *key, * freeing this tmpl and create a new one for the key and new SW * provider */ - if ((pd->pd_prov_type == CRYPTO_SW_PROVIDER) && - ((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { + if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { if (ctx_tmpl->ct_generation != me->me_gen_swprov) { if (list != NULL) kcf_free_triedlist(list); @@ -321,21 +263,10 @@ crypto_encrypt_prov(crypto_provider_t provider, crypto_session_id_t sid, ASSERT(KCF_PROV_REFHELD(pd)); - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { - error = kcf_get_hardware_provider(mech->cm_type, - CRYPTO_MECH_INVALID, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_ENCRYPT_ATOMIC); - - if (error != CRYPTO_SUCCESS) - return (error); - } - KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, sid, mech, key, plaintext, ciphertext, tmpl); error = kcf_submit_request(real_provider, NULL, crq, ¶ms); - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) - KCF_PROV_REFRELE(real_provider); return (error); } @@ -360,22 +291,19 @@ crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, retry: /* pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, &me, &error, - list, CRYPTO_FG_ENCRYPT_ATOMIC, CHECK_RESTRICT(crq), - plaintext->cd_length)) == NULL) { + list, CRYPTO_FG_ENCRYPT_ATOMIC, CHECK_RESTRICT(crq))) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); } /* - * For SW providers, check the validity of the context template + * Check the validity of the context template * It is very rare that the generation number mis-matches, so * is acceptable to fail here, and let the consumer recover by - * freeing this tmpl and create a new one for the key and new SW - * provider + * freeing this tmpl and create a new one for the key and new provider */ - if ((pd->pd_prov_type == CRYPTO_SW_PROVIDER) && - ((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { + if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { if (ctx_tmpl->ct_generation != me->me_gen_swprov) { if (list != NULL) kcf_free_triedlist(list); @@ -480,8 +408,6 @@ crypto_encrypt_update(crypto_context_t context, crypto_data_t *plaintext, return (CRYPTO_INVALID_CONTEXT); } - ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); - /* The fast path for SW providers. */ if (CHECK_FASTPATH(cr, pd)) { error = KCF_PROV_ENCRYPT_UPDATE(pd, ctx, plaintext, @@ -540,8 +466,6 @@ crypto_encrypt_final(crypto_context_t context, crypto_data_t *ciphertext, return (CRYPTO_INVALID_CONTEXT); } - ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); - /* The fast path for SW providers. */ if (CHECK_FASTPATH(cr, pd)) { error = KCF_PROV_ENCRYPT_FINAL(pd, ctx, ciphertext, NULL); @@ -599,27 +523,13 @@ crypto_decrypt_prov(crypto_provider_t provider, crypto_session_id_t sid, kcf_req_params_t params; kcf_provider_desc_t *pd = provider; kcf_provider_desc_t *real_provider = pd; - int rv; ASSERT(KCF_PROV_REFHELD(pd)); - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { - rv = kcf_get_hardware_provider(mech->cm_type, - CRYPTO_MECH_INVALID, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_DECRYPT_ATOMIC); - - if (rv != CRYPTO_SUCCESS) - return (rv); - } - KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, sid, mech, key, ciphertext, plaintext, tmpl); - rv = kcf_submit_request(real_provider, NULL, crq, ¶ms); - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) - KCF_PROV_REFRELE(real_provider); - - return (rv); + return (kcf_submit_request(real_provider, NULL, crq, ¶ms)); } /* @@ -643,22 +553,19 @@ crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, retry: /* pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, &me, &error, - list, CRYPTO_FG_DECRYPT_ATOMIC, CHECK_RESTRICT(crq), - ciphertext->cd_length)) == NULL) { + list, CRYPTO_FG_DECRYPT_ATOMIC, CHECK_RESTRICT(crq))) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); } /* - * For SW providers, check the validity of the context template + * Check the validity of the context template * It is very rare that the generation number mis-matches, so * is acceptable to fail here, and let the consumer recover by - * freeing this tmpl and create a new one for the key and new SW - * provider + * freeing this tmpl and create a new one for the key and new provider */ - if ((pd->pd_prov_type == CRYPTO_SW_PROVIDER) && - ((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { + if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { if (ctx_tmpl->ct_generation != me->me_gen_swprov) { if (list != NULL) kcf_free_triedlist(list); @@ -763,8 +670,6 @@ crypto_decrypt_update(crypto_context_t context, crypto_data_t *ciphertext, return (CRYPTO_INVALID_CONTEXT); } - ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); - /* The fast path for SW providers. */ if (CHECK_FASTPATH(cr, pd)) { error = KCF_PROV_DECRYPT_UPDATE(pd, ctx, ciphertext, @@ -823,8 +728,6 @@ crypto_decrypt_final(crypto_context_t context, crypto_data_t *plaintext, return (CRYPTO_INVALID_CONTEXT); } - ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); - /* The fast path for SW providers. */ if (CHECK_FASTPATH(cr, pd)) { error = KCF_PROV_DECRYPT_FINAL(pd, ctx, plaintext, diff --git a/module/icp/api/kcf_digest.c b/module/icp/api/kcf_digest.c index a11edc968d9e..66101794933b 100644 --- a/module/icp/api/kcf_digest.c +++ b/module/icp/api/kcf_digest.c @@ -93,27 +93,14 @@ crypto_digest_prov(crypto_provider_t provider, crypto_session_id_t sid, kcf_req_params_t params; kcf_provider_desc_t *pd = provider; kcf_provider_desc_t *real_provider = pd; - int rv; ASSERT(KCF_PROV_REFHELD(pd)); - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { - rv = kcf_get_hardware_provider(mech->cm_type, - CRYPTO_MECH_INVALID, CHECK_RESTRICT(crq), - pd, &real_provider, CRYPTO_FG_DIGEST_ATOMIC); - - if (rv != CRYPTO_SUCCESS) - return (rv); - } KCF_WRAP_DIGEST_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, sid, mech, NULL, data, digest); /* no crypto context to carry between multiple parts. */ - rv = kcf_submit_request(real_provider, NULL, crq, ¶ms); - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) - KCF_PROV_REFRELE(real_provider); - - return (rv); + return (kcf_submit_request(real_provider, NULL, crq, ¶ms)); } @@ -133,8 +120,7 @@ crypto_digest(crypto_mechanism_t *mech, crypto_data_t *data, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, NULL, &error, list, - CRYPTO_FG_DIGEST_ATOMIC, CHECK_RESTRICT(crq), - data->cd_length)) == NULL) { + CRYPTO_FG_DIGEST_ATOMIC, CHECK_RESTRICT(crq))) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); @@ -150,17 +136,11 @@ crypto_digest(crypto_mechanism_t *mech, crypto_data_t *data, digest, KCF_SWFP_RHNDL(crq)); KCF_PROV_INCRSTATS(pd, error); } else { - if (pd->pd_prov_type == CRYPTO_HW_PROVIDER && - (pd->pd_flags & CRYPTO_HASH_NO_UPDATE) && - (data->cd_length > pd->pd_hash_limit)) { - error = CRYPTO_BUFFER_TOO_BIG; - } else { - KCF_WRAP_DIGEST_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, - pd->pd_sid, mech, NULL, data, digest); - - /* no crypto context to carry between multiple parts. */ - error = kcf_submit_request(pd, NULL, crq, ¶ms); - } + KCF_WRAP_DIGEST_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, + pd->pd_sid, mech, NULL, data, digest); + + /* no crypto context to carry between multiple parts. */ + error = kcf_submit_request(pd, NULL, crq, ¶ms); } if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && @@ -212,21 +192,9 @@ crypto_digest_init_prov(crypto_provider_t provider, crypto_session_id_t sid, ASSERT(KCF_PROV_REFHELD(pd)); - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { - error = kcf_get_hardware_provider(mech->cm_type, - CRYPTO_MECH_INVALID, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_DIGEST); - - if (error != CRYPTO_SUCCESS) - return (error); - } - /* Allocate and initialize the canonical context */ - if ((ctx = kcf_new_ctx(crq, real_provider, sid)) == NULL) { - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) - KCF_PROV_REFRELE(real_provider); + if ((ctx = kcf_new_ctx(crq, real_provider, sid)) == NULL) return (CRYPTO_HOST_MEMORY); - } /* The fast path for SW providers. */ if (CHECK_FASTPATH(crq, pd)) { @@ -243,9 +211,6 @@ crypto_digest_init_prov(crypto_provider_t provider, crypto_session_id_t sid, error = kcf_submit_request(real_provider, ctx, crq, ¶ms); } - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) - KCF_PROV_REFRELE(real_provider); - if ((error == CRYPTO_SUCCESS) || (error == CRYPTO_QUEUED)) *ctxp = (crypto_context_t)ctx; else { @@ -272,27 +237,14 @@ crypto_digest_init(crypto_mechanism_t *mech, crypto_context_t *ctxp, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, NULL, &error, - list, CRYPTO_FG_DIGEST, CHECK_RESTRICT(crq), 0)) == NULL) { + list, CRYPTO_FG_DIGEST, CHECK_RESTRICT(crq))) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); } - if (pd->pd_prov_type == CRYPTO_HW_PROVIDER && - (pd->pd_flags & CRYPTO_HASH_NO_UPDATE)) { - /* - * The hardware provider has limited digest support. - * So, we fallback early here to using a software provider. - * - * XXX - need to enhance to do the fallback later in - * crypto_digest_update() if the size of accumulated input data - * exceeds the maximum size digestable by hardware provider. - */ - error = CRYPTO_BUFFER_TOO_BIG; - } else { - error = crypto_digest_init_prov(pd, pd->pd_sid, - mech, ctxp, crq); - } + error = crypto_digest_init_prov(pd, pd->pd_sid, + mech, ctxp, crq); if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && IS_RECOVERABLE(error)) { @@ -341,8 +293,6 @@ crypto_digest_update(crypto_context_t context, crypto_data_t *data, return (CRYPTO_INVALID_CONTEXT); } - ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); - /* The fast path for SW providers. */ if (CHECK_FASTPATH(cr, pd)) { error = KCF_PROV_DIGEST_UPDATE(pd, ctx, data, NULL); @@ -390,8 +340,6 @@ crypto_digest_final(crypto_context_t context, crypto_data_t *digest, return (CRYPTO_INVALID_CONTEXT); } - ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); - /* The fast path for SW providers. */ if (CHECK_FASTPATH(cr, pd)) { error = KCF_PROV_DIGEST_FINAL(pd, ctx, digest, NULL); diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index 3636eea0e1f2..00cee069c891 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -98,20 +98,9 @@ crypto_mac_prov(crypto_provider_t provider, crypto_session_id_t sid, ASSERT(KCF_PROV_REFHELD(pd)); - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { - rv = kcf_get_hardware_provider(mech->cm_type, - CRYPTO_MECH_INVALID, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_MAC_ATOMIC); - - if (rv != CRYPTO_SUCCESS) - return (rv); - } - KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, sid, mech, key, data, mac, tmpl); rv = kcf_submit_request(real_provider, NULL, crq, ¶ms); - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) - KCF_PROV_REFRELE(real_provider); return (rv); } @@ -136,22 +125,19 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, &me, &error, - list, CRYPTO_FG_MAC_ATOMIC, CHECK_RESTRICT(crq), - data->cd_length)) == NULL) { + list, CRYPTO_FG_MAC_ATOMIC, CHECK_RESTRICT(crq))) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); } /* - * For SW providers, check the validity of the context template + * Check the validity of the context template * It is very rare that the generation number mis-matches, so * is acceptable to fail here, and let the consumer recover by - * freeing this tmpl and create a new one for the key and new SW - * provider + * freeing this tmpl and create a new one for the key and new provider */ - if ((pd->pd_prov_type == CRYPTO_SW_PROVIDER) && - ((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { + if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { if (ctx_tmpl->ct_generation != me->me_gen_swprov) { if (list != NULL) kcf_free_triedlist(list); @@ -173,22 +159,10 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, mac, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); KCF_PROV_INCRSTATS(pd, error); } else { - if (pd->pd_prov_type == CRYPTO_HW_PROVIDER && - (pd->pd_flags & CRYPTO_HASH_NO_UPDATE) && - (data->cd_length > pd->pd_hash_limit)) { - /* - * XXX - We need a check to see if this is indeed - * a HMAC. So far, all kernel clients use - * this interface only for HMAC. So, this is fine - * for now. - */ - error = CRYPTO_BUFFER_TOO_BIG; - } else { - KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, - pd->pd_sid, mech, key, data, mac, spi_ctx_tmpl); + KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, + pd->pd_sid, mech, key, data, mac, spi_ctx_tmpl); - error = kcf_submit_request(pd, NULL, crq, ¶ms); - } + error = kcf_submit_request(pd, NULL, crq, ¶ms); } if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && @@ -218,26 +192,13 @@ crypto_mac_verify_prov(crypto_provider_t provider, crypto_session_id_t sid, kcf_req_params_t params; kcf_provider_desc_t *pd = provider; kcf_provider_desc_t *real_provider = pd; - int rv; ASSERT(KCF_PROV_REFHELD(pd)); - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { - rv = kcf_get_hardware_provider(mech->cm_type, - CRYPTO_MECH_INVALID, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_MAC_ATOMIC); - - if (rv != CRYPTO_SUCCESS) - return (rv); - } - KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_MAC_VERIFY_ATOMIC, sid, mech, key, data, mac, tmpl); - rv = kcf_submit_request(real_provider, NULL, crq, ¶ms); - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) - KCF_PROV_REFRELE(real_provider); - return (rv); + return (kcf_submit_request(real_provider, NULL, crq, ¶ms)); } /* @@ -260,22 +221,19 @@ crypto_mac_verify(crypto_mechanism_t *mech, crypto_data_t *data, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, &me, &error, - list, CRYPTO_FG_MAC_ATOMIC, CHECK_RESTRICT(crq), - data->cd_length)) == NULL) { + list, CRYPTO_FG_MAC_ATOMIC, CHECK_RESTRICT(crq))) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); } /* - * For SW providers, check the validity of the context template + * Check the validity of the context template * It is very rare that the generation number mis-matches, so * is acceptable to fail here, and let the consumer recover by - * freeing this tmpl and create a new one for the key and new SW - * provider + * freeing this tmpl and create a new one for the key and new provider */ - if ((pd->pd_prov_type == CRYPTO_SW_PROVIDER) && - ((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { + if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { if (ctx_tmpl->ct_generation != me->me_gen_swprov) { if (list != NULL) kcf_free_triedlist(list); @@ -297,18 +255,11 @@ crypto_mac_verify(crypto_mechanism_t *mech, crypto_data_t *data, data, mac, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); KCF_PROV_INCRSTATS(pd, error); } else { - if (pd->pd_prov_type == CRYPTO_HW_PROVIDER && - (pd->pd_flags & CRYPTO_HASH_NO_UPDATE) && - (data->cd_length > pd->pd_hash_limit)) { - /* see comments in crypto_mac() */ - error = CRYPTO_BUFFER_TOO_BIG; - } else { - KCF_WRAP_MAC_OPS_PARAMS(¶ms, - KCF_OP_MAC_VERIFY_ATOMIC, pd->pd_sid, mech, - key, data, mac, spi_ctx_tmpl); + KCF_WRAP_MAC_OPS_PARAMS(¶ms, + KCF_OP_MAC_VERIFY_ATOMIC, pd->pd_sid, mech, + key, data, mac, spi_ctx_tmpl); - error = kcf_submit_request(pd, NULL, crq, ¶ms); - } + error = kcf_submit_request(pd, NULL, crq, ¶ms); } if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && @@ -374,21 +325,9 @@ crypto_mac_init_prov(crypto_provider_t provider, crypto_session_id_t sid, ASSERT(KCF_PROV_REFHELD(pd)); - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { - rv = kcf_get_hardware_provider(mech->cm_type, - CRYPTO_MECH_INVALID, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_MAC); - - if (rv != CRYPTO_SUCCESS) - return (rv); - } - /* Allocate and initialize the canonical context */ - if ((ctx = kcf_new_ctx(crq, real_provider, sid)) == NULL) { - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) - KCF_PROV_REFRELE(real_provider); + if ((ctx = kcf_new_ctx(crq, real_provider, sid)) == NULL) return (CRYPTO_HOST_MEMORY); - } /* The fast path for SW providers. */ if (CHECK_FASTPATH(crq, pd)) { @@ -405,9 +344,6 @@ crypto_mac_init_prov(crypto_provider_t provider, crypto_session_id_t sid, rv = kcf_submit_request(real_provider, ctx, crq, ¶ms); } - if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) - KCF_PROV_REFRELE(real_provider); - if ((rv == CRYPTO_SUCCESS) || (rv == CRYPTO_QUEUED)) *ctxp = (crypto_context_t)ctx; else { @@ -438,22 +374,20 @@ crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, &me, &error, - list, CRYPTO_FG_MAC, CHECK_RESTRICT(crq), 0)) == NULL) { + list, CRYPTO_FG_MAC, CHECK_RESTRICT(crq))) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); } /* - * For SW providers, check the validity of the context template + * Check the validity of the context template * It is very rare that the generation number mis-matches, so * is acceptable to fail here, and let the consumer recover by - * freeing this tmpl and create a new one for the key and new SW - * provider + * freeing this tmpl and create a new one for the key and new provider */ - if ((pd->pd_prov_type == CRYPTO_SW_PROVIDER) && - ((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { + if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { if (ctx_tmpl->ct_generation != me->me_gen_swprov) { if (list != NULL) kcf_free_triedlist(list); @@ -464,21 +398,8 @@ crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, } } - if (pd->pd_prov_type == CRYPTO_HW_PROVIDER && - (pd->pd_flags & CRYPTO_HASH_NO_UPDATE)) { - /* - * The hardware provider has limited HMAC support. - * So, we fallback early here to using a software provider. - * - * XXX - need to enhance to do the fallback later in - * crypto_mac_update() if the size of accumulated input data - * exceeds the maximum size digestable by hardware provider. - */ - error = CRYPTO_BUFFER_TOO_BIG; - } else { - error = crypto_mac_init_prov(pd, pd->pd_sid, mech, key, - spi_ctx_tmpl, ctxp, crq); - } + error = crypto_mac_init_prov(pd, pd->pd_sid, mech, key, + spi_ctx_tmpl, ctxp, crq); if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */ @@ -527,8 +448,6 @@ crypto_mac_update(crypto_context_t context, crypto_data_t *data, return (CRYPTO_INVALID_CONTEXT); } - ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); - /* The fast path for SW providers. */ if (CHECK_FASTPATH(cr, pd)) { rv = KCF_PROV_MAC_UPDATE(pd, ctx, data, NULL); @@ -576,8 +495,6 @@ crypto_mac_final(crypto_context_t context, crypto_data_t *mac, return (CRYPTO_INVALID_CONTEXT); } - ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); - /* The fast path for SW providers. */ if (CHECK_FASTPATH(cr, pd)) { rv = KCF_PROV_MAC_FINAL(pd, ctx, mac, NULL); diff --git a/module/icp/api/kcf_miscapi.c b/module/icp/api/kcf_miscapi.c index 5c0d60391f44..bb6c52946f4d 100644 --- a/module/icp/api/kcf_miscapi.c +++ b/module/icp/api/kcf_miscapi.c @@ -50,8 +50,8 @@ static kcf_ntfy_elem_t *ntfy_list_head; * Description: * Walks the mechanisms tables, looking for an entry that matches the * mechname. Once it find it, it builds the 64-bit mech_type and returns - * it. If there are no hardware or software providers for the mechanism, - * but there is an unloaded software provider, this routine will attempt + * it. If there are no providers for the mechanism, + * but there is an unloaded provider, this routine will attempt * to load it. * * Context: diff --git a/module/icp/core/kcf_callprov.c b/module/icp/core/kcf_callprov.c index 1468e0a1a00d..3fe6e3ebce3f 100644 --- a/module/icp/core/kcf_callprov.c +++ b/module/icp/core/kcf_callprov.c @@ -68,168 +68,6 @@ is_in_triedlist(kcf_provider_desc_t *pd, kcf_prov_tried_t *triedl) return (B_FALSE); } -/* - * Search a mech entry's hardware provider list for the specified - * provider. Return true if found. - */ -static boolean_t -is_valid_provider_for_mech(kcf_provider_desc_t *pd, kcf_mech_entry_t *me, - crypto_func_group_t fg) -{ - kcf_prov_mech_desc_t *prov_chain; - - prov_chain = me->me_hw_prov_chain; - if (prov_chain != NULL) { - ASSERT(me->me_num_hwprov > 0); - for (; prov_chain != NULL; prov_chain = prov_chain->pm_next) { - if (prov_chain->pm_prov_desc == pd && - IS_FG_SUPPORTED(prov_chain, fg)) { - return (B_TRUE); - } - } - } - return (B_FALSE); -} - -/* - * This routine, given a logical provider, returns the least loaded - * provider belonging to the logical provider. The provider must be - * able to do the specified mechanism, i.e. check that the mechanism - * hasn't been disabled. In addition, just in case providers are not - * entirely equivalent, the provider's entry point is checked for - * non-nullness. This is accomplished by having the caller pass, as - * arguments, the offset of the function group (offset_1), and the - * offset of the function within the function group (offset_2). - * Returns NULL if no provider can be found. - */ -int -kcf_get_hardware_provider(crypto_mech_type_t mech_type_1, - crypto_mech_type_t mech_type_2, boolean_t call_restrict, - kcf_provider_desc_t *old, kcf_provider_desc_t **new, crypto_func_group_t fg) -{ - kcf_provider_desc_t *provider, *real_pd = old; - kcf_provider_desc_t *gpd = NULL; /* good provider */ - kcf_provider_desc_t *bpd = NULL; /* busy provider */ - kcf_provider_list_t *p; - kcf_ops_class_t class; - kcf_mech_entry_t *me; - const kcf_mech_entry_tab_t *me_tab; - int index, len, gqlen = INT_MAX, rv = CRYPTO_SUCCESS; - - /* get the mech entry for the specified mechanism */ - class = KCF_MECH2CLASS(mech_type_1); - if ((class < KCF_FIRST_OPSCLASS) || (class > KCF_LAST_OPSCLASS)) { - return (CRYPTO_MECHANISM_INVALID); - } - - me_tab = &kcf_mech_tabs_tab[class]; - index = KCF_MECH2INDEX(mech_type_1); - if ((index < 0) || (index >= me_tab->met_size)) { - return (CRYPTO_MECHANISM_INVALID); - } - - me = &((me_tab->met_tab)[index]); - mutex_enter(&me->me_mutex); - - /* - * We assume the provider descriptor will not go away because - * it is being held somewhere, i.e. its reference count has been - * incremented. In the case of the crypto module, the provider - * descriptor is held by the session structure. - */ - if (old->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { - if (old->pd_provider_list == NULL) { - real_pd = NULL; - rv = CRYPTO_DEVICE_ERROR; - goto out; - } - /* - * Find the least loaded real provider. KCF_PROV_LOAD gives - * the load (number of pending requests) of the provider. - */ - mutex_enter(&old->pd_lock); - p = old->pd_provider_list; - while (p != NULL) { - provider = p->pl_provider; - - ASSERT(provider->pd_prov_type != - CRYPTO_LOGICAL_PROVIDER); - - if (call_restrict && - (provider->pd_flags & KCF_PROV_RESTRICTED)) { - p = p->pl_next; - continue; - } - - if (!is_valid_provider_for_mech(provider, me, fg)) { - p = p->pl_next; - continue; - } - - /* provider does second mech */ - if (mech_type_2 != CRYPTO_MECH_INVALID) { - int i; - - i = KCF_TO_PROV_MECH_INDX(provider, - mech_type_2); - if (i == KCF_INVALID_INDX) { - p = p->pl_next; - continue; - } - } - - if (provider->pd_state != KCF_PROV_READY) { - /* choose BUSY if no READY providers */ - if (provider->pd_state == KCF_PROV_BUSY) - bpd = provider; - p = p->pl_next; - continue; - } - - len = KCF_PROV_LOAD(provider); - if (len < gqlen) { - gqlen = len; - gpd = provider; - } - - p = p->pl_next; - } - - if (gpd != NULL) { - real_pd = gpd; - KCF_PROV_REFHOLD(real_pd); - } else if (bpd != NULL) { - real_pd = bpd; - KCF_PROV_REFHOLD(real_pd); - } else { - /* can't find provider */ - real_pd = NULL; - rv = CRYPTO_MECHANISM_INVALID; - } - mutex_exit(&old->pd_lock); - - } else { - if (!KCF_IS_PROV_USABLE(old) || - (call_restrict && (old->pd_flags & KCF_PROV_RESTRICTED))) { - real_pd = NULL; - rv = CRYPTO_DEVICE_ERROR; - goto out; - } - - if (!is_valid_provider_for_mech(old, me, fg)) { - real_pd = NULL; - rv = CRYPTO_MECHANISM_INVALID; - goto out; - } - - KCF_PROV_REFHOLD(real_pd); - } -out: - mutex_exit(&me->me_mutex); - *new = real_pd; - return (rv); -} - /* * Return the best provider for the specified mechanism. The provider * is held and it is the caller's responsibility to release it when done. @@ -247,11 +85,10 @@ kcf_get_hardware_provider(crypto_mech_type_t mech_type_1, kcf_provider_desc_t * kcf_get_mech_provider(crypto_mech_type_t mech_type, kcf_mech_entry_t **mepp, int *error, kcf_prov_tried_t *triedl, crypto_func_group_t fg, - boolean_t call_restrict, size_t data_size) + boolean_t call_restrict) { - kcf_provider_desc_t *pd = NULL, *gpd = NULL; - kcf_prov_mech_desc_t *prov_chain, *mdesc; - int len, gqlen = INT_MAX; + kcf_provider_desc_t *pd = NULL; + kcf_prov_mech_desc_t *mdesc; kcf_ops_class_t class; int index; kcf_mech_entry_t *me; @@ -276,50 +113,7 @@ kcf_get_mech_provider(crypto_mech_type_t mech_type, kcf_mech_entry_t **mepp, mutex_enter(&me->me_mutex); - prov_chain = me->me_hw_prov_chain; - - /* - * We check for the threshold for using a hardware provider for - * this amount of data. If there is no software provider available - * for the mechanism, then the threshold is ignored. - */ - if ((prov_chain != NULL) && - ((data_size == 0) || (me->me_threshold == 0) || - (data_size >= me->me_threshold) || - ((mdesc = me->me_sw_prov) == NULL) || - (!IS_FG_SUPPORTED(mdesc, fg)) || - (!KCF_IS_PROV_USABLE(mdesc->pm_prov_desc)))) { - ASSERT(me->me_num_hwprov > 0); - /* there is at least one provider */ - - /* - * Find the least loaded real provider. KCF_PROV_LOAD gives - * the load (number of pending requests) of the provider. - */ - while (prov_chain != NULL) { - pd = prov_chain->pm_prov_desc; - - if (!IS_FG_SUPPORTED(prov_chain, fg) || - !KCF_IS_PROV_USABLE(pd) || - IS_PROVIDER_TRIED(pd, triedl) || - (call_restrict && - (pd->pd_flags & KCF_PROV_RESTRICTED))) { - prov_chain = prov_chain->pm_next; - continue; - } - - if ((len = KCF_PROV_LOAD(pd)) < gqlen) { - gqlen = len; - gpd = pd; - } - - prov_chain = prov_chain->pm_next; - } - - pd = gpd; - } - - /* No HW provider for this mech, is there a SW provider? */ + /* Is there a provider? */ if (pd == NULL && (mdesc = me->me_sw_prov) != NULL) { pd = mdesc->pm_prov_desc; if (!IS_FG_SUPPORTED(mdesc, fg) || diff --git a/module/icp/core/kcf_mech_tabs.c b/module/icp/core/kcf_mech_tabs.c index 3d551afed2ae..beed581a5523 100644 --- a/module/icp/core/kcf_mech_tabs.c +++ b/module/icp/core/kcf_mech_tabs.c @@ -369,8 +369,6 @@ kcf_add_mech_provider(short mech_indx, crypto_mech_type_t kcf_mech_type; kcf_prov_mech_desc_t *prov_mech; - ASSERT(prov_desc->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); - mech_info = &prov_desc->pd_mechanisms[mech_indx]; /* @@ -425,50 +423,34 @@ kcf_add_mech_provider(short mech_indx, * Add new kcf_prov_mech_desc at the front of HW providers * chain. */ - switch (prov_desc->pd_prov_type) { - - case CRYPTO_HW_PROVIDER: - mutex_enter(&mech_entry->me_mutex); - prov_mech->pm_me = mech_entry; - prov_mech->pm_next = mech_entry->me_hw_prov_chain; - mech_entry->me_hw_prov_chain = prov_mech; - mech_entry->me_num_hwprov++; - mutex_exit(&mech_entry->me_mutex); - break; - - case CRYPTO_SW_PROVIDER: - mutex_enter(&mech_entry->me_mutex); - if (mech_entry->me_sw_prov != NULL) { - /* - * There is already a SW provider for this mechanism. - * Since we allow only one SW provider per mechanism, - * report this condition. - */ - cmn_err(CE_WARN, "The cryptographic software provider " - "\"%s\" will not be used for %s. The provider " - "\"%s\" will be used for this mechanism " - "instead.", prov_desc->pd_description, - mech_info->cm_mech_name, - mech_entry->me_sw_prov->pm_prov_desc-> - pd_description); - KCF_PROV_REFRELE(prov_desc); - kmem_free(prov_mech, sizeof (kcf_prov_mech_desc_t)); - prov_mech = NULL; - } else { - /* - * Set the provider as the software provider for - * this mechanism. - */ - mech_entry->me_sw_prov = prov_mech; + mutex_enter(&mech_entry->me_mutex); + if (mech_entry->me_sw_prov != NULL) { + /* + * There is already a provider for this mechanism. + * Since we allow only one provider per mechanism, + * report this condition. + */ + cmn_err(CE_WARN, "The cryptographic provider " + "\"%s\" will not be used for %s. The provider " + "\"%s\" will be used for this mechanism " + "instead.", prov_desc->pd_description, + mech_info->cm_mech_name, + mech_entry->me_sw_prov->pm_prov_desc-> + pd_description); + KCF_PROV_REFRELE(prov_desc); + kmem_free(prov_mech, sizeof (kcf_prov_mech_desc_t)); + prov_mech = NULL; + } else { + /* + * Set the provider as the provider for + * this mechanism. + */ + mech_entry->me_sw_prov = prov_mech; - /* We'll wrap around after 4 billion registrations! */ - mech_entry->me_gen_swprov = kcf_gen_swprov++; - } - mutex_exit(&mech_entry->me_mutex); - break; - default: - break; + /* We'll wrap around after 4 billion registrations! */ + mech_entry->me_gen_swprov = kcf_gen_swprov++; } + mutex_exit(&mech_entry->me_mutex); *pmdpp = prov_mech; @@ -494,12 +476,8 @@ void kcf_remove_mech_provider(const char *mech_name, kcf_provider_desc_t *prov_desc) { crypto_mech_type_t mech_type; - kcf_prov_mech_desc_t *prov_mech = NULL, *prov_chain; - kcf_prov_mech_desc_t **prev_entry_next; + kcf_prov_mech_desc_t *prov_mech = NULL; kcf_mech_entry_t *mech_entry; - crypto_mech_info_list_t *mil, *mil2, *next, **prev_next; - - ASSERT(prov_desc->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); /* get the KCF mech type that was assigned to the mechanism */ if ((mech_type = kcf_mech_hash_find(mech_name)) == @@ -521,88 +499,16 @@ kcf_remove_mech_provider(const char *mech_name, kcf_provider_desc_t *prov_desc) } mutex_enter(&mech_entry->me_mutex); - - switch (prov_desc->pd_prov_type) { - - case CRYPTO_HW_PROVIDER: - /* find the provider in the mech_entry chain */ - prev_entry_next = &mech_entry->me_hw_prov_chain; - prov_mech = mech_entry->me_hw_prov_chain; - while (prov_mech != NULL && - prov_mech->pm_prov_desc != prov_desc) { - prev_entry_next = &prov_mech->pm_next; - prov_mech = prov_mech->pm_next; - } - - if (prov_mech == NULL) { - /* entry not found, simply return */ - mutex_exit(&mech_entry->me_mutex); - return; - } - - /* remove provider entry from mech_entry chain */ - *prev_entry_next = prov_mech->pm_next; - ASSERT(mech_entry->me_num_hwprov > 0); - mech_entry->me_num_hwprov--; - break; - - case CRYPTO_SW_PROVIDER: - if (mech_entry->me_sw_prov == NULL || - mech_entry->me_sw_prov->pm_prov_desc != prov_desc) { - /* not the software provider for this mechanism */ - mutex_exit(&mech_entry->me_mutex); - return; - } - prov_mech = mech_entry->me_sw_prov; - mech_entry->me_sw_prov = NULL; - break; - default: - /* unexpected crypto_provider_type_t */ + if (mech_entry->me_sw_prov == NULL || + mech_entry->me_sw_prov->pm_prov_desc != prov_desc) { + /* not the provider for this mechanism */ mutex_exit(&mech_entry->me_mutex); return; } - + prov_mech = mech_entry->me_sw_prov; + mech_entry->me_sw_prov = NULL; mutex_exit(&mech_entry->me_mutex); - /* Free the dual ops cross-reference lists */ - mil = prov_mech->pm_mi_list; - while (mil != NULL) { - next = mil->ml_next; - if (kcf_get_mech_entry(mil->ml_kcf_mechid, - &mech_entry) != KCF_SUCCESS) { - mil = next; - continue; - } - - mutex_enter(&mech_entry->me_mutex); - if (prov_desc->pd_prov_type == CRYPTO_HW_PROVIDER) - prov_chain = mech_entry->me_hw_prov_chain; - else - prov_chain = mech_entry->me_sw_prov; - - while (prov_chain != NULL) { - if (prov_chain->pm_prov_desc == prov_desc) { - prev_next = &prov_chain->pm_mi_list; - mil2 = prov_chain->pm_mi_list; - while (mil2 != NULL && - mil2->ml_kcf_mechid != mech_type) { - prev_next = &mil2->ml_next; - mil2 = mil2->ml_next; - } - if (mil2 != NULL) { - *prev_next = mil2->ml_next; - kmem_free(mil2, sizeof (*mil2)); - } - break; - } - prov_chain = prov_chain->pm_next; - } - - mutex_exit(&mech_entry->me_mutex); - kmem_free(mil, sizeof (crypto_mech_info_list_t)); - mil = next; - } - /* free entry */ KCF_PROV_REFRELE(prov_mech->pm_prov_desc); KCF_PROV_IREFRELE(prov_mech->pm_prov_desc); @@ -656,8 +562,8 @@ kcf_get_mech_entry(crypto_mech_type_t mech_type, kcf_mech_entry_t **mep) /* * Lookup the hash table for an entry that matches the mechname. - * If there are no hardware or software providers for the mechanism, - * but there is an unloaded software provider, this routine will attempt + * If there are no providers for the mechanism, + * but there is an unloaded provider, this routine will attempt * to load it. */ crypto_mech_type_t diff --git a/module/icp/core/kcf_prov_tabs.c b/module/icp/core/kcf_prov_tabs.c index f84a390a27db..25d9908d10ee 100644 --- a/module/icp/core/kcf_prov_tabs.c +++ b/module/icp/core/kcf_prov_tabs.c @@ -201,7 +201,7 @@ kcf_prov_tab_lookup(crypto_provider_id_t prov_id) * since it is invoked from user context during provider registration. */ kcf_provider_desc_t * -kcf_alloc_provider_desc(const crypto_provider_info_t *info) +kcf_alloc_provider_desc(void) { kcf_provider_desc_t *desc = kmem_zalloc(sizeof (kcf_provider_desc_t), KM_SLEEP); @@ -223,7 +223,7 @@ kcf_alloc_provider_desc(const crypto_provider_info_t *info) /* * Called by KCF_PROV_REFRELE when a provider's reference count drops * to zero. We free the descriptor when the last reference is released. - * However, for software providers, we do not free it when there is an + * However, for providers, we do not free it when there is an * unregister thread waiting. We signal that thread in this case and * that thread is responsible for freeing the descriptor. */ @@ -231,22 +231,16 @@ void kcf_provider_zero_refcnt(kcf_provider_desc_t *desc) { mutex_enter(&desc->pd_lock); - switch (desc->pd_prov_type) { - case CRYPTO_SW_PROVIDER: - if (desc->pd_state == KCF_PROV_REMOVED || - desc->pd_state == KCF_PROV_DISABLED) { - desc->pd_state = KCF_PROV_FREED; - cv_broadcast(&desc->pd_remove_cv); - mutex_exit(&desc->pd_lock); - break; - } - fallthrough; - - case CRYPTO_HW_PROVIDER: - case CRYPTO_LOGICAL_PROVIDER: + if (desc->pd_state == KCF_PROV_REMOVED || + desc->pd_state == KCF_PROV_DISABLED) { + desc->pd_state = KCF_PROV_FREED; + cv_broadcast(&desc->pd_remove_cv); mutex_exit(&desc->pd_lock); - kcf_free_provider_desc(desc); + return; } + + mutex_exit(&desc->pd_lock); + kcf_free_provider_desc(desc); } /* @@ -269,9 +263,6 @@ kcf_free_provider_desc(kcf_provider_desc_t *desc) /* free the kernel memory associated with the provider descriptor */ - if (desc->pd_sched_info.ks_taskq != NULL) - taskq_destroy(desc->pd_sched_info.ks_taskq); - mutex_destroy(&desc->pd_lock); cv_destroy(&desc->pd_resume_cv); cv_destroy(&desc->pd_remove_cv); @@ -281,7 +272,7 @@ kcf_free_provider_desc(kcf_provider_desc_t *desc) /* * Returns in the location pointed to by pd a pointer to the descriptor - * for the software provider for the specified mechanism. + * for the provider for the specified mechanism. * The provider descriptor is returned held and it is the caller's * responsibility to release it when done. The mechanism entry * is returned if the optional argument mep is non NULL. @@ -300,16 +291,16 @@ kcf_get_sw_prov(crypto_mech_type_t mech_type, kcf_provider_desc_t **pd, return (CRYPTO_MECHANISM_INVALID); /* - * Get the software provider for this mechanism. + * Get the provider for this mechanism. * Lock the mech_entry until we grab the 'pd'. */ mutex_enter(&me->me_mutex); if (me->me_sw_prov == NULL || (*pd = me->me_sw_prov->pm_prov_desc) == NULL) { - /* no SW provider for this mechanism */ + /* no provider for this mechanism */ if (log_warn) - cmn_err(CE_WARN, "no SW provider for \"%s\"\n", + cmn_err(CE_WARN, "no provider for \"%s\"\n", me->me_name); mutex_exit(&me->me_mutex); return (CRYPTO_MECH_NOT_SUPPORTED); diff --git a/module/icp/core/kcf_sched.c b/module/icp/core/kcf_sched.c index b50e80529c26..b1149072fdfc 100644 --- a/module/icp/core/kcf_sched.c +++ b/module/icp/core/kcf_sched.c @@ -35,7 +35,7 @@ #include #include -static kcf_global_swq_t *gswq; /* Global software queue */ +static kcf_global_swq_t *gswq; /* Global queue */ /* Thread pool related variables */ static kcf_pool_t *kcfpool; /* Thread pool of kcfd LWPs */ @@ -58,16 +58,13 @@ static kcf_stats_t kcf_ksdata = { { "max threads in pool", KSTAT_DATA_UINT32}, { "requests in gswq", KSTAT_DATA_UINT32}, { "max requests in gswq", KSTAT_DATA_UINT32}, - { "threads for HW taskq", KSTAT_DATA_UINT32}, - { "minalloc for HW taskq", KSTAT_DATA_UINT32}, - { "maxalloc for HW taskq", KSTAT_DATA_UINT32} + { "maxalloc for gwsq", KSTAT_DATA_UINT32} }; static kstat_t *kcf_misc_kstat = NULL; ulong_t kcf_swprov_hndl = 0; static int kcf_disp_sw_request(kcf_areq_node_t *); -static void process_req_hwp(void *); static int kcf_enqueue(kcf_areq_node_t *); static void kcfpool_alloc(void); static void kcf_reqid_delete(kcf_areq_node_t *areq); @@ -224,118 +221,6 @@ kcf_disp_sw_request(kcf_areq_node_t *areq) return (CRYPTO_QUEUED); } -/* - * This routine is called by the taskq associated with - * each hardware provider. We notify the kernel consumer - * via the callback routine in case of CRYPTO_SUCCESS or - * a failure. - * - * A request can be of type kcf_areq_node_t or of type - * kcf_sreq_node_t. - */ -static void -process_req_hwp(void *ireq) -{ - int error = 0; - crypto_ctx_t *ctx; - kcf_call_type_t ctype; - kcf_provider_desc_t *pd; - kcf_areq_node_t *areq = (kcf_areq_node_t *)ireq; - kcf_sreq_node_t *sreq = (kcf_sreq_node_t *)ireq; - - pd = ((ctype = GET_REQ_TYPE(ireq)) == CRYPTO_SYNCH) ? - sreq->sn_provider : areq->an_provider; - - /* - * Wait if flow control is in effect for the provider. A - * CRYPTO_PROVIDER_READY or CRYPTO_PROVIDER_FAILED - * notification will signal us. We also get signaled if - * the provider is unregistering. - */ - if (pd->pd_state == KCF_PROV_BUSY) { - mutex_enter(&pd->pd_lock); - while (pd->pd_state == KCF_PROV_BUSY) - cv_wait(&pd->pd_resume_cv, &pd->pd_lock); - mutex_exit(&pd->pd_lock); - } - - /* - * Bump the internal reference count while the request is being - * processed. This is how we know when it's safe to unregister - * a provider. This step must precede the pd_state check below. - */ - KCF_PROV_IREFHOLD(pd); - - /* - * Fail the request if the provider has failed. We return a - * recoverable error and the notified clients attempt any - * recovery. For async clients this is done in kcf_aop_done() - * and for sync clients it is done in the k-api routines. - */ - if (pd->pd_state >= KCF_PROV_FAILED) { - error = CRYPTO_DEVICE_ERROR; - goto bail; - } - - if (ctype == CRYPTO_SYNCH) { - mutex_enter(&sreq->sn_lock); - sreq->sn_state = REQ_INPROGRESS; - mutex_exit(&sreq->sn_lock); - - ctx = sreq->sn_context ? &sreq->sn_context->kc_glbl_ctx : NULL; - error = common_submit_request(sreq->sn_provider, ctx, - sreq->sn_params, sreq); - } else { - kcf_context_t *ictx; - ASSERT(ctype == CRYPTO_ASYNCH); - - /* - * We are in the per-hardware provider thread context and - * hence can sleep. Note that the caller would have done - * a taskq_dispatch(..., TQ_NOSLEEP) and would have returned. - */ - ctx = (ictx = areq->an_context) ? &ictx->kc_glbl_ctx : NULL; - - mutex_enter(&areq->an_lock); - /* - * We need to maintain ordering for multi-part requests. - * an_is_my_turn is set to B_TRUE initially for a request - * when it is enqueued and there are no other requests - * for that context. It is set later from kcf_aop_done() when - * the request before us in the chain of requests for the - * context completes. We get signaled at that point. - */ - if (ictx != NULL) { - ASSERT(ictx->kc_prov_desc == areq->an_provider); - - while (areq->an_is_my_turn == B_FALSE) { - cv_wait(&areq->an_turn_cv, &areq->an_lock); - } - } - areq->an_state = REQ_INPROGRESS; - mutex_exit(&areq->an_lock); - - error = common_submit_request(areq->an_provider, ctx, - &areq->an_params, areq); - } - -bail: - if (error == CRYPTO_QUEUED) { - /* - * The request is queued by the provider and we should - * get a crypto_op_notification() from the provider later. - * We notify the consumer at that time. - */ - return; - } else { /* CRYPTO_SUCCESS or other failure */ - KCF_PROV_IREFRELE(pd); - if (ctype == CRYPTO_SYNCH) - kcf_sop_done(sreq, error); - else - kcf_aop_done(areq, error); - } -} - /* * This routine checks if a request can be retried on another * provider. If true, mech1 is initialized to point to the mechanism @@ -441,7 +326,7 @@ kcf_resubmit_request(kcf_areq_node_t *areq) new_pd = kcf_get_mech_provider(mech1->cm_type, NULL, &error, areq->an_tried_plist, fg, - (areq->an_reqarg.cr_flag & CRYPTO_RESTRICTED), 0); + (areq->an_reqarg.cr_flag & CRYPTO_RESTRICTED)); if (new_pd == NULL) return (error); @@ -472,26 +357,7 @@ kcf_resubmit_request(kcf_areq_node_t *areq) areq->an_state = REQ_WAITING; mutex_exit(&areq->an_lock); - switch (new_pd->pd_prov_type) { - case CRYPTO_SW_PROVIDER: - error = kcf_disp_sw_request(areq); - break; - - case CRYPTO_HW_PROVIDER: { - taskq_t *taskq = new_pd->pd_sched_info.ks_taskq; - - if (taskq_dispatch(taskq, process_req_hwp, areq, TQ_NOSLEEP) == - TASKQID_INVALID) { - error = CRYPTO_HOST_MEMORY; - } else { - error = CRYPTO_QUEUED; - } - - break; - default: - break; - } - } + error = kcf_disp_sw_request(areq); return (error); } @@ -515,196 +381,58 @@ kcf_submit_request(kcf_provider_desc_t *pd, crypto_ctx_t *ctx, { int error = CRYPTO_SUCCESS; kcf_areq_node_t *areq; - kcf_sreq_node_t *sreq; kcf_context_t *kcf_ctx; - taskq_t *taskq = pd->pd_sched_info.ks_taskq; kcf_ctx = ctx ? (kcf_context_t *)ctx->cc_framework_private : NULL; - /* Synchronous cases */ + /* Synchronous */ if (crq == NULL) { - switch (pd->pd_prov_type) { - case CRYPTO_SW_PROVIDER: - error = common_submit_request(pd, ctx, params, - KCF_RHNDL(KM_SLEEP)); - break; - - case CRYPTO_HW_PROVIDER: + error = common_submit_request(pd, ctx, params, + KCF_RHNDL(KM_SLEEP)); + } else { /* Asynchronous */ + if (!(crq->cr_flag & CRYPTO_ALWAYS_QUEUE)) { /* - * Special case for CRYPTO_SYNCHRONOUS providers that - * never return a CRYPTO_QUEUED error. We skip any - * request allocation and call the SPI directly. + * This case has less overhead since there is + * no switching of context. */ - if ((pd->pd_flags & CRYPTO_SYNCHRONOUS) && - taskq_empty(taskq)) { - KCF_PROV_IREFHOLD(pd); - if (pd->pd_state == KCF_PROV_READY) { - error = common_submit_request(pd, ctx, - params, KCF_RHNDL(KM_SLEEP)); - KCF_PROV_IREFRELE(pd); - ASSERT(error != CRYPTO_QUEUED); - break; - } - KCF_PROV_IREFRELE(pd); - } - - sreq = kmem_cache_alloc(kcf_sreq_cache, KM_SLEEP); - sreq->sn_state = REQ_ALLOCATED; - sreq->sn_rv = CRYPTO_FAILED; - sreq->sn_params = params; - - /* - * Note that we do not need to hold the context - * for synchronous case as the context will never - * become invalid underneath us. We do not need to hold - * the provider here either as the caller has a hold. - */ - sreq->sn_context = kcf_ctx; - ASSERT(KCF_PROV_REFHELD(pd)); - sreq->sn_provider = pd; - - ASSERT(taskq != NULL); + error = common_submit_request(pd, ctx, params, + KCF_RHNDL(KM_NOSLEEP)); + } else { /* - * Call the SPI directly if the taskq is empty and the - * provider is not busy, else dispatch to the taskq. - * Calling directly is fine as this is the synchronous - * case. This is unlike the asynchronous case where we - * must always dispatch to the taskq. + * CRYPTO_ALWAYS_QUEUE is set. We need to + * queue the request and return. */ - if (taskq_empty(taskq) && - pd->pd_state == KCF_PROV_READY) { - process_req_hwp(sreq); - } else { + areq = kcf_areqnode_alloc(pd, kcf_ctx, crq, + params); + if (areq == NULL) + error = CRYPTO_HOST_MEMORY; + else { + if (!(crq->cr_flag + & CRYPTO_SKIP_REQID)) { /* - * We can not tell from taskq_dispatch() return - * value if we exceeded maxalloc. Hence the - * check here. Since we are allowed to wait in - * the synchronous case, we wait for the taskq - * to become empty. + * Set the request handle. We have to + * do this before dispatching the + * request. */ - if (taskq->tq_nalloc >= crypto_taskq_maxalloc) { - taskq_wait(taskq); + crq->cr_reqid = kcf_reqid_insert(areq); } - (void) taskq_dispatch(taskq, process_req_hwp, - sreq, TQ_SLEEP); - } - - /* - * Wait for the notification to arrive, - * if the operation is not done yet. - * Bug# 4722589 will make the wait a cv_wait_sig(). - */ - mutex_enter(&sreq->sn_lock); - while (sreq->sn_state < REQ_DONE) - cv_wait(&sreq->sn_cv, &sreq->sn_lock); - mutex_exit(&sreq->sn_lock); - - error = sreq->sn_rv; - kmem_cache_free(kcf_sreq_cache, sreq); - - break; - - default: - error = CRYPTO_FAILED; - break; - } - - } else { /* Asynchronous cases */ - switch (pd->pd_prov_type) { - case CRYPTO_SW_PROVIDER: - if (!(crq->cr_flag & CRYPTO_ALWAYS_QUEUE)) { + error = kcf_disp_sw_request(areq); /* - * This case has less overhead since there is - * no switching of context. + * There is an error processing this + * request. Remove the handle and + * release the request structure. */ - error = common_submit_request(pd, ctx, params, - KCF_RHNDL(KM_NOSLEEP)); - } else { - /* - * CRYPTO_ALWAYS_QUEUE is set. We need to - * queue the request and return. - */ - areq = kcf_areqnode_alloc(pd, kcf_ctx, crq, - params); - if (areq == NULL) - error = CRYPTO_HOST_MEMORY; - else { + if (error != CRYPTO_QUEUED) { if (!(crq->cr_flag - & CRYPTO_SKIP_REQID)) { - /* - * Set the request handle. We have to - * do this before dispatching the - * request. - */ - crq->cr_reqid = kcf_reqid_insert(areq); - } - - error = kcf_disp_sw_request(areq); - /* - * There is an error processing this - * request. Remove the handle and - * release the request structure. - */ - if (error != CRYPTO_QUEUED) { - if (!(crq->cr_flag - & CRYPTO_SKIP_REQID)) - kcf_reqid_delete(areq); - KCF_AREQ_REFRELE(areq); - } + & CRYPTO_SKIP_REQID)) + kcf_reqid_delete(areq); + KCF_AREQ_REFRELE(areq); } } - break; - - case CRYPTO_HW_PROVIDER: - /* - * We need to queue the request and return. - */ - areq = kcf_areqnode_alloc(pd, kcf_ctx, crq, params); - if (areq == NULL) { - error = CRYPTO_HOST_MEMORY; - goto done; - } - - ASSERT(taskq != NULL); - /* - * We can not tell from taskq_dispatch() return - * value if we exceeded maxalloc. Hence the check - * here. - */ - if (taskq->tq_nalloc >= crypto_taskq_maxalloc) { - error = CRYPTO_BUSY; - KCF_AREQ_REFRELE(areq); - goto done; - } - - if (!(crq->cr_flag & CRYPTO_SKIP_REQID)) { - /* - * Set the request handle. We have to do this - * before dispatching the request. - */ - crq->cr_reqid = kcf_reqid_insert(areq); - } - - if (taskq_dispatch(taskq, - process_req_hwp, areq, TQ_NOSLEEP) == - TASKQID_INVALID) { - error = CRYPTO_HOST_MEMORY; - if (!(crq->cr_flag & CRYPTO_SKIP_REQID)) - kcf_reqid_delete(areq); - KCF_AREQ_REFRELE(areq); - } else { - error = CRYPTO_QUEUED; - } - break; - - default: - error = CRYPTO_FAILED; - break; } } -done: return (error); } @@ -750,7 +478,7 @@ kcf_free_context(kcf_context_t *kcf_ctx) /* kcf_ctx->kc_prov_desc has a hold on pd */ KCF_PROV_REFRELE(kcf_ctx->kc_prov_desc); - /* check if this context is shared with a software provider */ + /* check if this context is shared with a provider */ if ((gctx->cc_flags & CRYPTO_INIT_OPSTATE) && kcf_ctx->kc_sw_prov_desc != NULL) { KCF_PROV_REFRELE(kcf_ctx->kc_sw_prov_desc); @@ -775,7 +503,7 @@ kcf_free_req(kcf_areq_node_t *areq) } /* - * Add the request node to the end of the global software queue. + * Add the request node to the end of the global queue. * * The caller should not hold the queue lock. Returns 0 if the * request is successfully queued. Returns CRYPTO_BUSY if the limit @@ -969,7 +697,7 @@ kcf_sched_init(void) mutex_init(&gswq->gs_lock, NULL, MUTEX_DEFAULT, NULL); cv_init(&gswq->gs_cv, NULL, CV_DEFAULT, NULL); gswq->gs_njobs = 0; - gswq->gs_maxjobs = kcf_maxthreads * crypto_taskq_maxalloc; + gswq->gs_maxjobs = kcf_maxthreads * CRYPTO_TASKQ_MAX; gswq->gs_first = gswq->gs_last = NULL; /* Initialize the global reqid table */ @@ -1216,9 +944,7 @@ kcf_misc_kstat_update(kstat_t *ksp, int rw) ks_data->ks_maxthrs.value.ui32 = kcf_maxthreads; ks_data->ks_swq_njobs.value.ui32 = gswq->gs_njobs; ks_data->ks_swq_maxjobs.value.ui32 = gswq->gs_maxjobs; - ks_data->ks_taskq_threads.value.ui32 = crypto_taskq_threads; - ks_data->ks_taskq_minalloc.value.ui32 = crypto_taskq_minalloc; - ks_data->ks_taskq_maxalloc.value.ui32 = crypto_taskq_maxalloc; + ks_data->ks_swq_maxalloc.value.ui32 = CRYPTO_TASKQ_MAX; return (0); } diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index 7877cf9d205e..fd93ee508a74 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -62,9 +62,7 @@ typedef struct kcf_stats { kstat_named_t ks_maxthrs; kstat_named_t ks_swq_njobs; kstat_named_t ks_swq_maxjobs; - kstat_named_t ks_taskq_threads; - kstat_named_t ks_taskq_minalloc; - kstat_named_t ks_taskq_maxalloc; + kstat_named_t ks_swq_maxalloc; } kcf_stats_t; /* @@ -80,9 +78,6 @@ typedef struct kcf_sched_info { /* The number of operations that returned CRYPTO_BUSY. */ uint64_t ks_nbusy_rval; - - /* taskq used to dispatch crypto requests */ - taskq_t *ks_taskq; } kcf_sched_info_t; /* @@ -96,8 +91,7 @@ typedef struct kcf_sched_info { * acquire any locks here as it is not critical to get the exact number * and the lock contention may be too costly for this code path. */ -#define KCF_PROV_LOAD(pd) ((pd)->pd_state != KCF_PROV_BUSY ? \ - (pd)->pd_irefcnt : (pd)->pd_sched_info.ks_taskq->tq_nalloc) +#define KCF_PROV_LOAD(pd) ((pd)->pd_irefcnt) #define KCF_PROV_INCRSTATS(pd, error) { \ (pd)->pd_sched_info.ks_ndispatches++; \ @@ -125,21 +119,17 @@ typedef struct kcf_sched_info { * the elements is important. * * Routines which get a provider or the list of providers - * should pick only those that are either in KCF_PROV_READY state - * or in KCF_PROV_BUSY state. + * should pick only those that are in KCF_PROV_READY state. */ typedef enum { KCF_PROV_ALLOCATED = 1, - KCF_PROV_UNVERIFIED, - KCF_PROV_VERIFICATION_FAILED, /* * state < KCF_PROV_READY means the provider can not * be used at all. */ KCF_PROV_READY, - KCF_PROV_BUSY, /* - * state > KCF_PROV_BUSY means the provider can not + * state > KCF_PROV_READY means the provider can not * be used for new requests. */ KCF_PROV_FAILED, @@ -152,30 +142,23 @@ typedef enum { KCF_PROV_FREED } kcf_prov_state_t; -#define KCF_IS_PROV_UNVERIFIED(pd) ((pd)->pd_state == KCF_PROV_UNVERIFIED) -#define KCF_IS_PROV_USABLE(pd) ((pd)->pd_state == KCF_PROV_READY || \ - (pd)->pd_state == KCF_PROV_BUSY) +#define KCF_IS_PROV_USABLE(pd) ((pd)->pd_state == KCF_PROV_READY) #define KCF_IS_PROV_REMOVED(pd) ((pd)->pd_state >= KCF_PROV_REMOVED) /* Internal flags valid for pd_flags field */ #define KCF_PROV_RESTRICTED 0x40000000 -#define KCF_LPROV_MEMBER 0x80000000 /* is member of a logical provider */ /* * A provider descriptor structure. There is one such structure per * provider. It is allocated and initialized at registration time and * freed when the provider unregisters. * - * pd_prov_type: Provider type, hardware or software * pd_sid: Session ID of the provider used by kernel clients. * This is valid only for session-oriented providers. * pd_refcnt: Reference counter to this provider descriptor * pd_irefcnt: References held by the framework internal structs - * pd_lock: lock protects pd_state and pd_provider_list + * pd_lock: lock protects pd_state * pd_state: State value of the provider - * pd_provider_list: Used to cross-reference logical providers and their - * members. Not used for software providers. - * pd_resume_cv: cv to wait for state to change from KCF_PROV_BUSY * pd_prov_handle: Provider handle specified by provider * pd_ops_vector: The ops vector specified by Provider * pd_mech_indx: Lookup table which maps a core framework mechanism @@ -185,10 +168,6 @@ typedef enum { * pd_sched_info: Scheduling information associated with the provider * pd_mech_list_count: The number of entries in pi_mechanisms, specified * by the provider during registration - * pd_name: Device name or module name - * pd_instance: Device instance - * pd_module_id: Module ID returned by modload - * pd_mctlp: Pointer to modctl structure for this provider * pd_remove_cv: cv to wait on while the provider queue drains * pd_description: Provider description string * pd_flags bitwise OR of pi_flags from crypto_provider_info_t @@ -201,13 +180,11 @@ typedef enum { * pd_ks_data: kstat data */ typedef struct kcf_provider_desc { - crypto_provider_type_t pd_prov_type; crypto_session_id_t pd_sid; uint_t pd_refcnt; uint_t pd_irefcnt; kmutex_t pd_lock; kcf_prov_state_t pd_state; - struct kcf_provider_list *pd_provider_list; kcondvar_t pd_resume_cv; crypto_provider_handle_t pd_prov_handle; const crypto_ops_t *pd_ops_vector; @@ -216,10 +193,6 @@ typedef struct kcf_provider_desc { const crypto_mech_info_t *pd_mechanisms; kcf_sched_info_t pd_sched_info; uint_t pd_mech_list_count; - // char *pd_name; - // uint_t pd_instance; - // int pd_module_id; - // struct modctl *pd_mctlp; kcondvar_t pd_remove_cv; const char *pd_description; uint_t pd_flags; @@ -230,12 +203,6 @@ typedef struct kcf_provider_desc { kcf_prov_stats_t pd_ks_data; } kcf_provider_desc_t; -/* useful for making a list of providers */ -typedef struct kcf_provider_list { - struct kcf_provider_list *pl_next; - struct kcf_provider_desc *pl_provider; -} kcf_provider_list_t; - /* atomic operations in linux implicitly form a memory barrier */ #define membar_exit() @@ -273,14 +240,6 @@ typedef struct kcf_provider_list { } -/* list of crypto_mech_info_t valid as the second mech in a dual operation */ - -typedef struct crypto_mech_info_list { - struct crypto_mech_info_list *ml_next; - crypto_mech_type_t ml_kcf_mechid; /* KCF's id */ - crypto_mech_info_t ml_mech_info; -} crypto_mech_info_list_t; - /* * An element in a mechanism provider descriptors chain. * The kcf_prov_mech_desc_t is duplicated in every chain the provider belongs @@ -292,15 +251,9 @@ typedef struct kcf_prov_mech_desc { struct kcf_mech_entry *pm_me; /* Back to the head */ struct kcf_prov_mech_desc *pm_next; /* Next in the chain */ crypto_mech_info_t pm_mech_info; /* Provider mech info */ - crypto_mech_info_list_t *pm_mi_list; /* list for duals */ kcf_provider_desc_t *pm_prov_desc; /* Common desc. */ } kcf_prov_mech_desc_t; -/* and the notation shortcuts ... */ -#define pm_provider_type pm_prov_desc.pd_provider_type -#define pm_provider_handle pm_prov_desc.pd_provider_handle -#define pm_ops_vector pm_prov_desc.pd_ops_vector - /* * A mechanism entry in an xxx_mech_tab[]. me_pad was deemed * to be unnecessary and removed. @@ -309,16 +262,10 @@ typedef struct kcf_mech_entry { crypto_mech_name_t me_name; /* mechanism name */ crypto_mech_type_t me_mechid; /* Internal id for mechanism */ kmutex_t me_mutex; /* access protection */ - kcf_prov_mech_desc_t *me_hw_prov_chain; /* list of HW providers */ - kcf_prov_mech_desc_t *me_sw_prov; /* SW provider */ - /* - * Number of HW providers in the chain. There is only one - * SW provider. So, we need only a count of HW providers. - */ - int me_num_hwprov; + kcf_prov_mech_desc_t *me_sw_prov; /* provider */ /* - * When a SW provider is present, this is the generation number that - * ensures no objects from old SW providers are used in the new one + * When a provider is present, this is the generation number that + * ensures no objects from old providers are used in the new one */ uint32_t me_gen_swprov; /* @@ -327,28 +274,6 @@ typedef struct kcf_mech_entry { size_t me_threshold; } kcf_mech_entry_t; -/* - * A policy descriptor structure. It is allocated and initialized - * when administrative ioctls load disabled mechanisms. - * - * pd_prov_type: Provider type, hardware or software - * pd_name: Device name or module name. - * pd_instance: Device instance. - * pd_refcnt: Reference counter for this policy descriptor - * pd_mutex: Protects array and count of disabled mechanisms. - * pd_disabled_count: Count of disabled mechanisms. - * pd_disabled_mechs: Array of disabled mechanisms. - */ -typedef struct kcf_policy_desc { - crypto_provider_type_t pd_prov_type; - char *pd_name; - uint_t pd_instance; - uint_t pd_refcnt; - kmutex_t pd_mutex; - uint_t pd_disabled_count; - crypto_mech_name_t *pd_disabled_mechs; -} kcf_policy_desc_t; - /* * If a component has a reference to a kcf_policy_desc_t, * it REFHOLD()s. A new policy descriptor which is referenced only @@ -370,21 +295,6 @@ typedef struct kcf_policy_desc { kcf_policy_free_desc(desc); \ } -/* - * This entry stores the name of a software module and its - * mechanisms. The mechanisms are 'hints' that are used to - * trigger loading of the module. - */ -typedef struct kcf_soft_conf_entry { - struct kcf_soft_conf_entry *ce_next; - char *ce_name; - crypto_mech_name_t *ce_mechs; - uint_t ce_count; -} kcf_soft_conf_entry_t; - -extern kmutex_t soft_config_mutex; -extern kcf_soft_conf_entry_t *soft_config_list; - /* * Global tables. The sizes are from the predefined PKCS#11 v2.20 mechanisms, * with a margin of few extra empty entry points @@ -671,8 +581,7 @@ extern int kcf_add_mech_provider(short, kcf_provider_desc_t *, kcf_prov_mech_desc_t **); extern void kcf_remove_mech_provider(const char *, kcf_provider_desc_t *); extern int kcf_get_mech_entry(crypto_mech_type_t, kcf_mech_entry_t **); -extern kcf_provider_desc_t *kcf_alloc_provider_desc( - const crypto_provider_info_t *); +extern kcf_provider_desc_t *kcf_alloc_provider_desc(void); extern void kcf_provider_zero_refcnt(kcf_provider_desc_t *); extern void kcf_free_provider_desc(kcf_provider_desc_t *); extern crypto_mech_type_t crypto_mech2id_common(const char *, boolean_t); diff --git a/module/icp/include/sys/crypto/sched_impl.h b/module/icp/include/sys/crypto/sched_impl.h index a5357dce35f3..a524a5c6f46d 100644 --- a/module/icp/include/sys/crypto/sched_impl.h +++ b/module/icp/include/sys/crypto/sched_impl.h @@ -59,23 +59,20 @@ typedef enum kcf_call_type { #define CHECK_RESTRICT(crq) (crq != NULL && \ ((crq)->cr_flag & CRYPTO_RESTRICTED)) -#define CHECK_RESTRICT_FALSE B_FALSE - #define CHECK_FASTPATH(crq, pd) ((crq) == NULL || \ - !((crq)->cr_flag & CRYPTO_ALWAYS_QUEUE)) && \ - (pd)->pd_prov_type == CRYPTO_SW_PROVIDER + !((crq)->cr_flag & CRYPTO_ALWAYS_QUEUE)) #define KCF_KMFLAG(crq) (((crq) == NULL) ? KM_SLEEP : KM_NOSLEEP) /* * The framework keeps an internal handle to use in the adaptive * asynchronous case. This is the case when a client has the - * CRYPTO_ALWAYS_QUEUE bit clear and a software provider is used for + * CRYPTO_ALWAYS_QUEUE bit clear and a provider is used for * the request. The request is completed in the context of the calling * thread and kernel memory must be allocated with KM_NOSLEEP. * * The framework passes a pointer to the handle in crypto_req_handle_t - * argument when it calls the SPI of the software provider. The macros + * argument when it calls the SPI of the provider. The macros * KCF_RHNDL() and KCF_SWFP_RHNDL() are used to do this. * * When a provider asks the framework for kmflag value via @@ -146,7 +143,7 @@ typedef struct kcf_sreq_node { /* * Node structure for asynchronous requests. A node can be on * on a chain of requests hanging of the internal context - * structure and can be in the global software provider queue. + * structure and can be in the global provider queue. */ typedef struct kcf_areq_node { /* Should always be the first field in this structure */ @@ -176,11 +173,7 @@ typedef struct kcf_areq_node { kcondvar_t an_turn_cv; boolean_t an_is_my_turn; - /* - * Next and previous nodes in the global software - * queue. These fields are NULL for a hardware - * provider since we use a taskq there. - */ + /* Next and previous nodes in the global queue. */ struct kcf_areq_node *an_next; struct kcf_areq_node *an_prev; @@ -244,8 +237,8 @@ typedef struct kcf_reqid_table { } kcf_reqid_table_t; /* - * Global software provider queue structure. Requests to be - * handled by a SW provider and have the ALWAYS_QUEUE flag set + * Global provider queue structure. Requests to be + * handled by a provider and have the ALWAYS_QUEUE flag set * get queued here. */ typedef struct kcf_global_swq { @@ -339,11 +332,11 @@ typedef struct kcf_ctx_template { uint_t ct_generation; /* generation # */ size_t ct_size; /* for freeing */ crypto_spi_ctx_template_t ct_prov_tmpl; /* context template */ - /* from the SW prov */ + /* from the provider */ } kcf_ctx_template_t; /* - * Structure for pool of threads working on global software queue. + * Structure for pool of threads working on the global queue. */ typedef struct kcf_pool { uint32_t kp_threads; /* Number of threads in pool */ @@ -431,19 +424,12 @@ typedef struct kcf_ntfy_elem { * The following values are based on the assumption that it would * take around eight cpus to load a hardware provider (This is true for * at least one product) and a kernel client may come from different - * low-priority interrupt levels. We will have CRYPTO_TASKQ_MIN number - * of cached taskq entries. The CRYPTO_TASKQ_MAX number is based on + * low-priority interrupt levels. The CRYPTO_TASKQ_MAX number is based on * a throughput of 1GB/s using 512-byte buffers. These are just * reasonable estimates and might need to change in future. */ -#define CRYPTO_TASKQ_THREADS 8 -#define CRYPTO_TASKQ_MIN 64 #define CRYPTO_TASKQ_MAX 2 * 1024 * 1024 -extern const int crypto_taskq_threads; -extern const int crypto_taskq_minalloc; -extern const int crypto_taskq_maxalloc; - /* * All pending crypto bufcalls are put on a list. cbuf_list_lock * protects changes to this list. @@ -458,19 +444,12 @@ extern kcondvar_t cbuf_list_cv; extern kmutex_t ntfy_list_lock; extern kcondvar_t ntfy_list_cv; -boolean_t kcf_get_next_logical_provider_member(kcf_provider_desc_t *, - kcf_provider_desc_t *, kcf_provider_desc_t **); -extern int kcf_get_hardware_provider(crypto_mech_type_t, crypto_mech_type_t, - boolean_t, kcf_provider_desc_t *, kcf_provider_desc_t **, - crypto_func_group_t); -extern int kcf_get_hardware_provider_nomech(offset_t, offset_t, - boolean_t, kcf_provider_desc_t *, kcf_provider_desc_t **); extern void kcf_free_triedlist(kcf_prov_tried_t *); extern kcf_prov_tried_t *kcf_insert_triedlist(kcf_prov_tried_t **, kcf_provider_desc_t *, int); extern kcf_provider_desc_t *kcf_get_mech_provider(crypto_mech_type_t, kcf_mech_entry_t **, int *, kcf_prov_tried_t *, crypto_func_group_t, - boolean_t, size_t); + boolean_t); extern crypto_ctx_t *kcf_new_ctx(crypto_call_req_t *, kcf_provider_desc_t *, crypto_session_id_t); extern int kcf_submit_request(kcf_provider_desc_t *, crypto_ctx_t *, diff --git a/module/icp/include/sys/crypto/spi.h b/module/icp/include/sys/crypto/spi.h index 25fba6dda852..fdf8d8511462 100644 --- a/module/icp/include/sys/crypto/spi.h +++ b/module/icp/include/sys/crypto/spi.h @@ -43,10 +43,6 @@ extern "C" { #define __no_const #endif /* CONSTIFY_PLUGIN */ -#define CRYPTO_SPI_VERSION_1 1 -#define CRYPTO_SPI_VERSION_2 2 -#define CRYPTO_SPI_VERSION_3 3 - /* * Provider-private handle. This handle is specified by a provider * when it registers by means of the pi_provider_handle field of @@ -56,18 +52,16 @@ extern "C" { typedef void *crypto_provider_handle_t; /* - * Context templates can be used to by software providers to pre-process + * Context templates can be used to by providers to pre-process * keying material, such as key schedules. They are allocated by - * a software provider create_ctx_template(9E) entry point, and passed + * a provider create_ctx_template(9E) entry point, and passed * as argument to initialization and atomic provider entry points. */ typedef void *crypto_spi_ctx_template_t; /* * Request handles are used by the kernel to identify an asynchronous - * request being processed by a provider. It is passed by the kernel - * to a hardware provider when submitting a request, and must be - * specified by a provider when calling crypto_op_notification(9F) + * request being processed by a provider. */ typedef void *crypto_req_handle_t; @@ -268,18 +262,13 @@ typedef uint_t crypto_kcf_provider_handle_t; */ typedef struct crypto_provider_info { const char *pi_provider_description; - crypto_provider_type_t pi_provider_type; crypto_provider_handle_t pi_provider_handle; const crypto_ops_t *pi_ops_vector; uint_t pi_mech_list_count; const crypto_mech_info_t *pi_mechanisms; - uint_t pi_logical_provider_count; - crypto_kcf_provider_handle_t *pi_logical_providers; uint_t pi_flags; } crypto_provider_info_t; -/* hidden providers can only be accessed via a logical provider */ -#define CRYPTO_HIDE_PROVIDER 0x00000001 /* * provider can not do multi-part digest (updates) and has a limit * on maximum input data that it can digest. diff --git a/module/icp/io/aes.c b/module/icp/io/aes.c index 036bfeeaf823..9e99e1fa7bfb 100644 --- a/module/icp/io/aes.c +++ b/module/icp/io/aes.c @@ -150,7 +150,6 @@ static const crypto_ops_t aes_crypto_ops = { static const crypto_provider_info_t aes_prov_info = { "AES Software Provider", - CRYPTO_SW_PROVIDER, NULL, &aes_crypto_ops, sizeof (aes_mech_info_tab) / sizeof (crypto_mech_info_t), diff --git a/module/icp/io/sha2_mod.c b/module/icp/io/sha2_mod.c index f7913359c28e..545560990efa 100644 --- a/module/icp/io/sha2_mod.c +++ b/module/icp/io/sha2_mod.c @@ -166,7 +166,6 @@ static const crypto_ops_t sha2_crypto_ops = { static const crypto_provider_info_t sha2_prov_info = { "SHA2 Software Provider", - CRYPTO_SW_PROVIDER, NULL, &sha2_crypto_ops, sizeof (sha2_mech_info_tab) / sizeof (crypto_mech_info_t), diff --git a/module/icp/io/skein_mod.c b/module/icp/io/skein_mod.c index 05307cbb2b8c..22f1a0756974 100644 --- a/module/icp/io/skein_mod.c +++ b/module/icp/io/skein_mod.c @@ -104,7 +104,6 @@ static const crypto_ops_t skein_crypto_ops = { static const crypto_provider_info_t skein_prov_info = { "Skein Software Provider", - CRYPTO_SW_PROVIDER, NULL, &skein_crypto_ops, sizeof (skein_mech_info_tab) / sizeof (crypto_mech_info_t), diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c index a9e3d35bea37..e40291a12945 100644 --- a/module/icp/spi/kcf_spi.c +++ b/module/icp/spi/kcf_spi.c @@ -36,16 +36,6 @@ #include #include -/* - * minalloc and maxalloc values to be used for taskq_create(). - */ -const int crypto_taskq_threads = CRYPTO_TASKQ_THREADS; -const int crypto_taskq_minalloc = CRYPTO_TASKQ_MIN; -const int crypto_taskq_maxalloc = CRYPTO_TASKQ_MAX; - -static void remove_provider(kcf_provider_desc_t *); -static void process_logical_providers(const crypto_provider_info_t *, - kcf_provider_desc_t *); static int init_prov_mechs(const crypto_provider_info_t *, kcf_provider_desc_t *); static int kcf_prov_kstat_update(kstat_t *, int); @@ -63,35 +53,22 @@ static const kcf_prov_stats_t kcf_stats_ks_data_template = { * Providers pass a crypto_provider_info structure to crypto_register_provider() * and get back a handle. The crypto_provider_info structure contains a * list of mechanisms supported by the provider and an ops vector containing - * provider entry points. Hardware providers call this routine in their attach - * routines. Software providers call this routine in their _init() routine. + * provider entry points. Providers call this routine in their _init() routine. */ int crypto_register_provider(const crypto_provider_info_t *info, crypto_kcf_provider_handle_t *handle) { - char *ks_name; - kcf_provider_desc_t *prov_desc = NULL; int ret = CRYPTO_ARGUMENTS_BAD; - /* - * Check provider type, must be software, hardware, or logical. - */ - if (info->pi_provider_type != CRYPTO_HW_PROVIDER && - info->pi_provider_type != CRYPTO_SW_PROVIDER && - info->pi_provider_type != CRYPTO_LOGICAL_PROVIDER) - return (CRYPTO_ARGUMENTS_BAD); - /* * Allocate and initialize a new provider descriptor. We also * hold it and release it when done. */ - prov_desc = kcf_alloc_provider_desc(info); + prov_desc = kcf_alloc_provider_desc(); KCF_PROV_REFHOLD(prov_desc); - prov_desc->pd_prov_type = info->pi_provider_type; - /* provider-private handle, opaque to KCF */ prov_desc->pd_prov_handle = info->pi_provider_handle; @@ -99,10 +76,8 @@ crypto_register_provider(const crypto_provider_info_t *info, prov_desc->pd_description = info->pi_provider_description; /* Change from Illumos: the ops vector is persistent. */ - if (info->pi_provider_type != CRYPTO_LOGICAL_PROVIDER) { - prov_desc->pd_ops_vector = info->pi_ops_vector; - prov_desc->pd_flags = info->pi_flags; - } + prov_desc->pd_ops_vector = info->pi_ops_vector; + prov_desc->pd_flags = info->pi_flags; /* process the mechanisms supported by the provider */ if ((ret = init_prov_mechs(info, prov_desc)) != CRYPTO_SUCCESS) @@ -118,56 +93,33 @@ crypto_register_provider(const crypto_provider_info_t *info, } /* - * We create a taskq only for a hardware provider. The global - * software queue is used for software providers. We handle ordering + * The global queue is used for providers. We handle ordering * of multi-part requests in the taskq routine. So, it is safe to * have multiple threads for the taskq. We pass TASKQ_PREPOPULATE flag * to keep some entries cached to improve performance. */ - if (prov_desc->pd_prov_type == CRYPTO_HW_PROVIDER) - prov_desc->pd_sched_info.ks_taskq = taskq_create("kcf_taskq", - CRYPTO_TASKQ_THREADS, minclsyspri, - CRYPTO_TASKQ_MIN, CRYPTO_TASKQ_MAX, - TASKQ_PREPOPULATE); - else - prov_desc->pd_sched_info.ks_taskq = NULL; - - if (prov_desc->pd_prov_type != CRYPTO_LOGICAL_PROVIDER) { - /* - * Create the kstat for this provider. There is a kstat - * installed for each successfully registered provider. - * This kstat is deleted, when the provider unregisters. - */ - if (prov_desc->pd_prov_type == CRYPTO_SW_PROVIDER) { - ks_name = kmem_asprintf("%s_%s", - "NONAME", "provider_stats"); - } else { - ks_name = kmem_asprintf("%s_%d_%u_%s", - "NONAME", 0, prov_desc->pd_prov_id, - "provider_stats"); - } - prov_desc->pd_kstat = kstat_create("kcf", 0, ks_name, "crypto", - KSTAT_TYPE_NAMED, sizeof (kcf_prov_stats_t) / - sizeof (kstat_named_t), KSTAT_FLAG_VIRTUAL); - - if (prov_desc->pd_kstat != NULL) { - bcopy(&kcf_stats_ks_data_template, - &prov_desc->pd_ks_data, - sizeof (kcf_stats_ks_data_template)); - prov_desc->pd_kstat->ks_data = &prov_desc->pd_ks_data; - KCF_PROV_REFHOLD(prov_desc); - KCF_PROV_IREFHOLD(prov_desc); - prov_desc->pd_kstat->ks_private = prov_desc; - prov_desc->pd_kstat->ks_update = kcf_prov_kstat_update; - kstat_install(prov_desc->pd_kstat); - } - kmem_strfree(ks_name); + /* + * Create the kstat for this provider. There is a kstat + * installed for each successfully registered provider. + * This kstat is deleted, when the provider unregisters. + */ + prov_desc->pd_kstat = kstat_create("kcf", 0, "NONAME_provider_stats", + "crypto", KSTAT_TYPE_NAMED, sizeof (kcf_prov_stats_t) / + sizeof (kstat_named_t), KSTAT_FLAG_VIRTUAL); + + if (prov_desc->pd_kstat != NULL) { + bcopy(&kcf_stats_ks_data_template, + &prov_desc->pd_ks_data, + sizeof (kcf_stats_ks_data_template)); + prov_desc->pd_kstat->ks_data = &prov_desc->pd_ks_data; + KCF_PROV_REFHOLD(prov_desc); + KCF_PROV_IREFHOLD(prov_desc); + prov_desc->pd_kstat->ks_private = prov_desc; + prov_desc->pd_kstat->ks_update = kcf_prov_kstat_update; + kstat_install(prov_desc->pd_kstat); } - if (prov_desc->pd_prov_type == CRYPTO_HW_PROVIDER) - process_logical_providers(info, prov_desc); - mutex_enter(&prov_desc->pd_lock); prov_desc->pd_state = KCF_PROV_READY; mutex_exit(&prov_desc->pd_lock); @@ -183,8 +135,7 @@ crypto_register_provider(const crypto_provider_info_t *info, /* * This routine is used to notify the framework when a provider is being - * removed. Hardware providers call this routine in their detach routines. - * Software providers call this routine in their _fini() routine. + * removed. Providers call this routine in their _fini() routine. */ int crypto_unregister_provider(crypto_kcf_provider_handle_t handle) @@ -212,46 +163,30 @@ crypto_unregister_provider(crypto_kcf_provider_handle_t handle) saved_state = desc->pd_state; desc->pd_state = KCF_PROV_REMOVED; - if (saved_state == KCF_PROV_BUSY) { - /* - * The per-provider taskq threads may be waiting. We - * signal them so that they can start failing requests. - */ - cv_broadcast(&desc->pd_resume_cv); - } - - if (desc->pd_prov_type == CRYPTO_SW_PROVIDER) { + /* + * Check if this provider is currently being used. + * pd_irefcnt is the number of holds from the internal + * structures. We add one to account for the above lookup. + */ + if (desc->pd_refcnt > desc->pd_irefcnt + 1) { + desc->pd_state = saved_state; + mutex_exit(&desc->pd_lock); + /* Release reference held by kcf_prov_tab_lookup(). */ + KCF_PROV_REFRELE(desc); /* - * Check if this provider is currently being used. - * pd_irefcnt is the number of holds from the internal - * structures. We add one to account for the above lookup. + * The administrator will presumably stop the clients, + * thus removing the holds, when they get the busy + * return value. Any retry will succeed then. */ - if (desc->pd_refcnt > desc->pd_irefcnt + 1) { - desc->pd_state = saved_state; - mutex_exit(&desc->pd_lock); - /* Release reference held by kcf_prov_tab_lookup(). */ - KCF_PROV_REFRELE(desc); - /* - * The administrator presumably will stop the clients - * thus removing the holds, when they get the busy - * return value. Any retry will succeed then. - */ - return (CRYPTO_BUSY); - } + return (CRYPTO_BUSY); } mutex_exit(&desc->pd_lock); - if (desc->pd_prov_type != CRYPTO_SW_PROVIDER) { - remove_provider(desc); - } - - if (desc->pd_prov_type != CRYPTO_LOGICAL_PROVIDER) { - /* remove the provider from the mechanisms tables */ - for (mech_idx = 0; mech_idx < desc->pd_mech_list_count; - mech_idx++) { - kcf_remove_mech_provider( - desc->pd_mechanisms[mech_idx].cm_mech_name, desc); - } + /* remove the provider from the mechanisms tables */ + for (mech_idx = 0; mech_idx < desc->pd_mech_list_count; + mech_idx++) { + kcf_remove_mech_provider( + desc->pd_mechanisms[mech_idx].cm_mech_name, desc); } /* remove provider from providers table */ @@ -264,51 +199,34 @@ crypto_unregister_provider(crypto_kcf_provider_handle_t handle) delete_kstat(desc); - if (desc->pd_prov_type == CRYPTO_SW_PROVIDER) { - /* Release reference held by kcf_prov_tab_lookup(). */ - KCF_PROV_REFRELE(desc); + /* Release reference held by kcf_prov_tab_lookup(). */ + KCF_PROV_REFRELE(desc); - /* - * Wait till the existing requests complete. - */ - mutex_enter(&desc->pd_lock); - while (desc->pd_state != KCF_PROV_FREED) - cv_wait(&desc->pd_remove_cv, &desc->pd_lock); - mutex_exit(&desc->pd_lock); - } else { - /* - * Wait until requests that have been sent to the provider - * complete. - */ - mutex_enter(&desc->pd_lock); - while (desc->pd_irefcnt > 0) - cv_wait(&desc->pd_remove_cv, &desc->pd_lock); - mutex_exit(&desc->pd_lock); - } + /* + * Wait till the existing requests complete. + */ + mutex_enter(&desc->pd_lock); + while (desc->pd_state != KCF_PROV_FREED) + cv_wait(&desc->pd_remove_cv, &desc->pd_lock); + mutex_exit(&desc->pd_lock); kcf_do_notify(desc, B_FALSE); - if (desc->pd_prov_type == CRYPTO_SW_PROVIDER) { - /* - * This is the only place where kcf_free_provider_desc() - * is called directly. KCF_PROV_REFRELE() should free the - * structure in all other places. - */ - ASSERT(desc->pd_state == KCF_PROV_FREED && - desc->pd_refcnt == 0); - kcf_free_provider_desc(desc); - } else { - KCF_PROV_REFRELE(desc); - } + /* + * This is the only place where kcf_free_provider_desc() + * is called directly. KCF_PROV_REFRELE() should free the + * structure in all other places. + */ + ASSERT(desc->pd_state == KCF_PROV_FREED && + desc->pd_refcnt == 0); + kcf_free_provider_desc(desc); return (CRYPTO_SUCCESS); } /* - * This routine is used by software providers to determine + * This routine is used by providers to determine * whether to use KM_SLEEP or KM_NOSLEEP during memory allocation. - * Note that hardware providers can always use KM_SLEEP. So, - * they do not need to call this routine. * * This routine can be called from user or interrupt context. */ @@ -323,9 +241,6 @@ crypto_kmflag(crypto_req_handle_t handle) * during registration. A NULL crypto_provider_info_t indicates * an already initialized provider descriptor. * - * Mechanisms are not added to the kernel's mechanism table if the - * provider is a logical provider. - * * Returns CRYPTO_SUCCESS on success, CRYPTO_ARGUMENTS if one * of the specified mechanisms was malformed, or CRYPTO_HOST_MEMORY * if the table of mechanisms is full. @@ -339,15 +254,6 @@ init_prov_mechs(const crypto_provider_info_t *info, kcf_provider_desc_t *desc) kcf_prov_mech_desc_t *pmd; int desc_use_count = 0; - if (desc->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { - if (info != NULL) { - ASSERT(info->pi_mechanisms != NULL); - desc->pd_mech_list_count = info->pi_mech_list_count; - desc->pd_mechanisms = info->pi_mechanisms; - } - return (CRYPTO_SUCCESS); - } - /* * Copy the mechanism list from the provider info to the provider * descriptor. desc->pd_mechanisms has an extra crypto_mech_info_t @@ -403,12 +309,12 @@ init_prov_mechs(const crypto_provider_info_t *info, kcf_provider_desc_t *desc) } /* - * Don't allow multiple software providers with disabled mechanisms + * Don't allow multiple providers with disabled mechanisms * to register. Subsequent enabling of mechanisms will result in - * an unsupported configuration, i.e. multiple software providers + * an unsupported configuration, i.e. multiple providers * per mechanism. */ - if (desc_use_count == 0 && desc->pd_prov_type == CRYPTO_SW_PROVIDER) + if (desc_use_count == 0) return (CRYPTO_ARGUMENTS_BAD); if (err == KCF_SUCCESS) @@ -479,117 +385,6 @@ undo_register_provider(kcf_provider_desc_t *desc, boolean_t remove_prov) (void) kcf_prov_tab_rem_provider(desc->pd_prov_id); } -/* - * Add provider (p1) to another provider's array of providers (p2). - * Hardware and logical providers use this array to cross-reference - * each other. - */ -static void -add_provider_to_array(kcf_provider_desc_t *p1, kcf_provider_desc_t *p2) -{ - kcf_provider_list_t *new; - - new = kmem_alloc(sizeof (kcf_provider_list_t), KM_SLEEP); - mutex_enter(&p2->pd_lock); - new->pl_next = p2->pd_provider_list; - p2->pd_provider_list = new; - KCF_PROV_IREFHOLD(p1); - new->pl_provider = p1; - mutex_exit(&p2->pd_lock); -} - -/* - * Remove provider (p1) from another provider's array of providers (p2). - * Hardware and logical providers use this array to cross-reference - * each other. - */ -static void -remove_provider_from_array(kcf_provider_desc_t *p1, kcf_provider_desc_t *p2) -{ - - kcf_provider_list_t *pl = NULL, **prev; - - mutex_enter(&p2->pd_lock); - for (pl = p2->pd_provider_list, prev = &p2->pd_provider_list; - pl != NULL; prev = &pl->pl_next, pl = pl->pl_next) { - if (pl->pl_provider == p1) { - break; - } - } - - if (p1 == NULL) { - mutex_exit(&p2->pd_lock); - return; - } - - /* detach and free kcf_provider_list structure */ - KCF_PROV_IREFRELE(p1); - *prev = pl->pl_next; - kmem_free(pl, sizeof (*pl)); - mutex_exit(&p2->pd_lock); -} - -/* - * Convert an array of logical provider handles (crypto_provider_id) - * stored in a crypto_provider_info structure into an array of provider - * descriptors (kcf_provider_desc_t) attached to a logical provider. - */ -static void -process_logical_providers(const crypto_provider_info_t *info, - kcf_provider_desc_t *hp) -{ - kcf_provider_desc_t *lp; - crypto_provider_id_t handle; - int count = info->pi_logical_provider_count; - int i; - - /* add hardware provider to each logical provider */ - for (i = 0; i < count; i++) { - handle = info->pi_logical_providers[i]; - lp = kcf_prov_tab_lookup((crypto_provider_id_t)handle); - if (lp == NULL) { - continue; - } - add_provider_to_array(hp, lp); - hp->pd_flags |= KCF_LPROV_MEMBER; - - /* - * A hardware provider has to have the provider descriptor of - * every logical provider it belongs to, so it can be removed - * from the logical provider if the hardware provider - * unregisters from the framework. - */ - add_provider_to_array(lp, hp); - KCF_PROV_REFRELE(lp); - } -} - -/* - * This routine removes a provider from all of the logical or - * hardware providers it belongs to, and frees the provider's - * array of pointers to providers. - */ -static void -remove_provider(kcf_provider_desc_t *pp) -{ - kcf_provider_desc_t *p; - kcf_provider_list_t *e, *next; - - mutex_enter(&pp->pd_lock); - for (e = pp->pd_provider_list; e != NULL; e = next) { - p = e->pl_provider; - remove_provider_from_array(pp, p); - if (p->pd_prov_type == CRYPTO_HW_PROVIDER && - p->pd_provider_list == NULL) - p->pd_flags &= ~KCF_LPROV_MEMBER; - KCF_PROV_IREFRELE(p); - next = e->pl_next; - kmem_free(e, sizeof (*e)); - } - pp->pd_provider_list = NULL; - mutex_exit(&pp->pd_lock); -} - /* * Dispatch events as needed for a provider. is_added flag tells * whether the provider is registering or unregistering. @@ -600,36 +395,19 @@ kcf_do_notify(kcf_provider_desc_t *prov_desc, boolean_t is_added) int i; crypto_notify_event_change_t ec; - ASSERT(prov_desc->pd_state > KCF_PROV_VERIFICATION_FAILED); + ASSERT(prov_desc->pd_state > KCF_PROV_ALLOCATED); /* * Inform interested clients of the mechanisms becoming - * available/unavailable. We skip this for logical providers - * as they do not affect mechanisms. - */ - if (prov_desc->pd_prov_type != CRYPTO_LOGICAL_PROVIDER) { - ec.ec_provider_type = prov_desc->pd_prov_type; - ec.ec_change = is_added ? CRYPTO_MECH_ADDED : - CRYPTO_MECH_REMOVED; - for (i = 0; i < prov_desc->pd_mech_list_count; i++) { - (void) strlcpy(ec.ec_mech_name, - prov_desc->pd_mechanisms[i].cm_mech_name, - CRYPTO_MAX_MECH_NAME); - kcf_walk_ntfylist(CRYPTO_EVENT_MECHS_CHANGED, &ec); - } - - } - - /* - * Inform interested clients about the new or departing provider. - * In case of a logical provider, we need to notify the event only - * for the logical provider and not for the underlying - * providers which are known by the KCF_LPROV_MEMBER bit. + * available/unavailable. */ - if (prov_desc->pd_prov_type == CRYPTO_LOGICAL_PROVIDER || - (prov_desc->pd_flags & KCF_LPROV_MEMBER) == 0) { - kcf_walk_ntfylist(is_added ? CRYPTO_EVENT_PROVIDER_REGISTERED : - CRYPTO_EVENT_PROVIDER_UNREGISTERED, prov_desc); + ec.ec_change = is_added ? CRYPTO_MECH_ADDED : + CRYPTO_MECH_REMOVED; + for (i = 0; i < prov_desc->pd_mech_list_count; i++) { + (void) strlcpy(ec.ec_mech_name, + prov_desc->pd_mechanisms[i].cm_mech_name, + CRYPTO_MAX_MECH_NAME); + kcf_walk_ntfylist(CRYPTO_EVENT_MECHS_CHANGED, &ec); } } diff --git a/module/os/linux/spl/spl-taskq.c b/module/os/linux/spl/spl-taskq.c index bd0052e00de9..0aab148975aa 100644 --- a/module/os/linux/spl/spl-taskq.c +++ b/module/os/linux/spl/spl-taskq.c @@ -1229,13 +1229,6 @@ taskq_destroy(taskq_t *tq) } EXPORT_SYMBOL(taskq_destroy); -boolean_t -taskq_empty(taskq_t *tq) -{ - return (tq->tq_lowest_id == tq->tq_next_id); -} -EXPORT_SYMBOL(taskq_empty); - static unsigned int spl_taskq_kick = 0; /* From 167c64b718d3bb2fa5df5ec641705574e7cfaa08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Thu, 23 Dec 2021 20:06:22 +0100 Subject: [PATCH 10/39] module: icp: remove unused kcf_cipher operations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/sys/crypto/api.h | 27 -- module/icp/api/kcf_cipher.c | 520 +----------------------------------- 2 files changed, 3 insertions(+), 544 deletions(-) diff --git a/include/sys/crypto/api.h b/include/sys/crypto/api.h index 3f56a4bb15b0..d1d708db8a73 100644 --- a/include/sys/crypto/api.h +++ b/include/sys/crypto/api.h @@ -115,19 +115,6 @@ extern int crypto_mac_final(crypto_context_t ctx, crypto_data_t *data, extern int crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *ciphertext, crypto_call_req_t *cr); -extern int crypto_encrypt_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_data_t *, crypto_key_t *, - crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); -extern int crypto_encrypt_init(crypto_mechanism_t *mech, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *cr); -extern int crypto_encrypt_init_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t, - crypto_context_t *, crypto_call_req_t *); -extern int crypto_encrypt_update(crypto_context_t ctx, - crypto_data_t *plaintext, crypto_data_t *ciphertext, - crypto_call_req_t *cr); -extern int crypto_encrypt_final(crypto_context_t ctx, - crypto_data_t *ciphertext, crypto_call_req_t *cr); /* * Single and multi-part decryption operations. @@ -135,20 +122,6 @@ extern int crypto_encrypt_final(crypto_context_t ctx, extern int crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *plaintext, crypto_call_req_t *cr); -extern int crypto_decrypt_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_data_t *, crypto_key_t *, - crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); -extern int crypto_decrypt_init(crypto_mechanism_t *mech, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_context_t *ctxp, - crypto_call_req_t *cr); -extern int crypto_decrypt_init_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t, - crypto_context_t *, crypto_call_req_t *); -extern int crypto_decrypt_update(crypto_context_t ctx, - crypto_data_t *ciphertext, crypto_data_t *plaintext, - crypto_call_req_t *cr); -extern int crypto_decrypt_final(crypto_context_t ctx, crypto_data_t *plaintext, - crypto_call_req_t *cr); /* * A kernel consumer can request to be notified when some particular event diff --git a/module/icp/api/kcf_cipher.c b/module/icp/api/kcf_cipher.c index 1d582b7ad863..51cf86e97379 100644 --- a/module/icp/api/kcf_cipher.c +++ b/module/icp/api/kcf_cipher.c @@ -34,194 +34,11 @@ * Encryption and decryption routines. */ -/* - * The following are the possible returned values common to all the routines - * below. The applicability of some of these return values depends on the - * presence of the arguments. - * - * CRYPTO_SUCCESS: The operation completed successfully. - * CRYPTO_QUEUED: A request was submitted successfully. The callback - * routine will be called when the operation is done. - * CRYPTO_INVALID_MECH_NUMBER, CRYPTO_INVALID_MECH_PARAM, or - * CRYPTO_INVALID_MECH for problems with the 'mech'. - * CRYPTO_INVALID_DATA for bogus 'data' - * CRYPTO_HOST_MEMORY for failure to allocate memory to handle this work. - * CRYPTO_INVALID_CONTEXT: Not a valid context. - * CRYPTO_BUSY: Cannot process the request now. Schedule a - * crypto_bufcall(), or try later. - * CRYPTO_NOT_SUPPORTED and CRYPTO_MECH_NOT_SUPPORTED: No provider is - * capable of a function or a mechanism. - * CRYPTO_INVALID_KEY: bogus 'key' argument. - * CRYPTO_INVALID_PLAINTEXT: bogus 'plaintext' argument. - * CRYPTO_INVALID_CIPHERTEXT: bogus 'ciphertext' argument. - */ - -/* - * crypto_cipher_init_prov() - * - * Arguments: - * - * pd: provider descriptor - * sid: session id - * mech: crypto_mechanism_t pointer. - * mech_type is a valid value previously returned by - * crypto_mech2id(); - * When the mech's parameter is not NULL, its definition depends - * on the standard definition of the mechanism. - * key: pointer to a crypto_key_t structure. - * tmpl: a crypto_ctx_template_t, opaque template of a context of an - * encryption or decryption with the 'mech' using 'key'. - * 'tmpl' is created by a previous call to - * crypto_create_ctx_template(). - * ctxp: Pointer to a crypto_context_t. - * func: CRYPTO_FG_ENCRYPT or CRYPTO_FG_DECRYPT. - * cr: crypto_call_req_t calling conditions and call back info. - * - * Description: - * This is a common function invoked internally by both - * crypto_encrypt_init() and crypto_decrypt_init(). - * Asynchronously submits a request for, or synchronously performs the - * initialization of an encryption or a decryption operation. - * When possible and applicable, will internally use the pre-expanded key - * schedule from the context template, tmpl. - * When complete and successful, 'ctxp' will contain a crypto_context_t - * valid for later calls to encrypt_update() and encrypt_final(), or - * decrypt_update() and decrypt_final(). - * The caller should hold a reference on the specified provider - * descriptor before calling this function. - * - * Context: - * Process or interrupt, according to the semantics dictated by the 'cr'. - * - * Returns: - * See comment in the beginning of the file. - */ -static int -crypto_cipher_init_prov(crypto_provider_t provider, crypto_session_id_t sid, - crypto_mechanism_t *mech, crypto_key_t *key, - crypto_spi_ctx_template_t tmpl, crypto_context_t *ctxp, - crypto_call_req_t *crq, crypto_func_group_t func) -{ - int error; - crypto_ctx_t *ctx; - kcf_req_params_t params; - kcf_provider_desc_t *pd = provider; - kcf_provider_desc_t *real_provider = pd; - - ASSERT(KCF_PROV_REFHELD(pd)); - - /* Allocate and initialize the canonical context */ - if ((ctx = kcf_new_ctx(crq, real_provider, sid)) == NULL) - return (CRYPTO_HOST_MEMORY); - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(crq, pd)) { - crypto_mechanism_t lmech; - - lmech = *mech; - KCF_SET_PROVIDER_MECHNUM(mech->cm_type, real_provider, &lmech); - - if (func == CRYPTO_FG_ENCRYPT) - error = KCF_PROV_ENCRYPT_INIT(real_provider, ctx, - &lmech, key, tmpl, KCF_SWFP_RHNDL(crq)); - else { - ASSERT(func == CRYPTO_FG_DECRYPT); - - error = KCF_PROV_DECRYPT_INIT(real_provider, ctx, - &lmech, key, tmpl, KCF_SWFP_RHNDL(crq)); - } - KCF_PROV_INCRSTATS(pd, error); - - goto done; - } - - if (func == CRYPTO_FG_ENCRYPT) { - KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_INIT, sid, - mech, key, NULL, NULL, tmpl); - } else { - ASSERT(func == CRYPTO_FG_DECRYPT); - KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_INIT, sid, - mech, key, NULL, NULL, tmpl); - } - - error = kcf_submit_request(real_provider, ctx, crq, ¶ms); - -done: - if ((error == CRYPTO_SUCCESS) || (error == CRYPTO_QUEUED)) - *ctxp = (crypto_context_t)ctx; - else { - /* Release the hold done in kcf_new_ctx(). */ - KCF_CONTEXT_REFRELE((kcf_context_t *)ctx->cc_framework_private); - } - - return (error); -} - -/* - * Same as crypto_cipher_init_prov(), but relies on the scheduler to pick - * an appropriate provider. See crypto_cipher_init_prov() comments for more - * details. - */ -static int -crypto_cipher_init(crypto_mechanism_t *mech, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_context_t *ctxp, - crypto_call_req_t *crq, crypto_func_group_t func) -{ - int error; - kcf_mech_entry_t *me; - kcf_provider_desc_t *pd; - kcf_ctx_template_t *ctx_tmpl; - crypto_spi_ctx_template_t spi_ctx_tmpl = NULL; - kcf_prov_tried_t *list = NULL; - -retry: - /* pd is returned held */ - if ((pd = kcf_get_mech_provider(mech->cm_type, &me, &error, - list, func, CHECK_RESTRICT(crq))) == NULL) { - if (list != NULL) - kcf_free_triedlist(list); - return (error); - } - - /* - * For SW providers, check the validity of the context template - * It is very rare that the generation number mis-matches, so - * is acceptable to fail here, and let the consumer recover by - * freeing this tmpl and create a new one for the key and new SW - * provider - */ - if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { - if (ctx_tmpl->ct_generation != me->me_gen_swprov) { - if (list != NULL) - kcf_free_triedlist(list); - KCF_PROV_REFRELE(pd); - return (CRYPTO_OLD_CTX_TEMPLATE); - } else { - spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; - } - } - - error = crypto_cipher_init_prov(pd, pd->pd_sid, mech, key, - spi_ctx_tmpl, ctxp, crq, func); - if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && - IS_RECOVERABLE(error)) { - /* Add pd to the linked list of providers tried. */ - if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL) - goto retry; - } - - if (list != NULL) - kcf_free_triedlist(list); - - KCF_PROV_REFRELE(pd); - return (error); -} /* - * crypto_encrypt_prov() + * crypto_encrypt() * * Arguments: - * pd: provider descriptor * sid: session id * mech: crypto_mechanism_t pointer. * mech_type is a valid value previously returned by @@ -243,6 +60,7 @@ crypto_cipher_init(crypto_mechanism_t *mech, crypto_key_t *key, * the key 'key'. * When complete and successful, 'ciphertext' will contain the encrypted * message. + * Relies on the KCF scheduler to pick a provider. * * Context: * Process or interrupt, according to the semantics dictated by the 'cr'. @@ -251,31 +69,6 @@ crypto_cipher_init(crypto_mechanism_t *mech, crypto_key_t *key, * See comment in the beginning of the file. */ int -crypto_encrypt_prov(crypto_provider_t provider, crypto_session_id_t sid, - crypto_mechanism_t *mech, crypto_data_t *plaintext, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_data_t *ciphertext, - crypto_call_req_t *crq) -{ - kcf_req_params_t params; - kcf_provider_desc_t *pd = provider; - kcf_provider_desc_t *real_provider = pd; - int error; - - ASSERT(KCF_PROV_REFHELD(pd)); - - KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, sid, mech, key, - plaintext, ciphertext, tmpl); - - error = kcf_submit_request(real_provider, NULL, crq, ¶ms); - - return (error); -} - -/* - * Same as crypto_encrypt_prov(), but relies on the scheduler to pick - * a provider. See crypto_encrypt_prov() for more details. - */ -int crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *ciphertext, crypto_call_req_t *crq) @@ -344,143 +137,6 @@ crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, return (error); } -/* - * crypto_encrypt_init_prov() - * - * Calls crypto_cipher_init_prov() to initialize an encryption operation. - */ -int -crypto_encrypt_init_prov(crypto_provider_t pd, crypto_session_id_t sid, - crypto_mechanism_t *mech, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_context_t *ctxp, - crypto_call_req_t *crq) -{ - return (crypto_cipher_init_prov(pd, sid, mech, key, tmpl, ctxp, crq, - CRYPTO_FG_ENCRYPT)); -} - -/* - * crypto_encrypt_init() - * - * Calls crypto_cipher_init() to initialize an encryption operation - */ -int -crypto_encrypt_init(crypto_mechanism_t *mech, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_context_t *ctxp, - crypto_call_req_t *crq) -{ - return (crypto_cipher_init(mech, key, tmpl, ctxp, crq, - CRYPTO_FG_ENCRYPT)); -} - -/* - * crypto_encrypt_update() - * - * Arguments: - * context: A crypto_context_t initialized by encrypt_init(). - * plaintext: The message part to be encrypted - * ciphertext: Storage for the encrypted message part. - * cr: crypto_call_req_t calling conditions and call back info. - * - * Description: - * Asynchronously submits a request for, or synchronously performs a - * part of an encryption operation. - * - * Context: - * Process or interrupt, according to the semantics dictated by the 'cr'. - * - * Returns: - * See comment in the beginning of the file. - */ -int -crypto_encrypt_update(crypto_context_t context, crypto_data_t *plaintext, - crypto_data_t *ciphertext, crypto_call_req_t *cr) -{ - crypto_ctx_t *ctx = (crypto_ctx_t *)context; - kcf_context_t *kcf_ctx; - kcf_provider_desc_t *pd; - int error; - kcf_req_params_t params; - - if ((ctx == NULL) || - ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) || - ((pd = kcf_ctx->kc_prov_desc) == NULL)) { - return (CRYPTO_INVALID_CONTEXT); - } - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(cr, pd)) { - error = KCF_PROV_ENCRYPT_UPDATE(pd, ctx, plaintext, - ciphertext, NULL); - KCF_PROV_INCRSTATS(pd, error); - return (error); - } - - /* Check if we should use a software provider for small jobs */ - if ((ctx->cc_flags & CRYPTO_USE_OPSTATE) && cr == NULL) { - if (plaintext->cd_length < kcf_ctx->kc_mech->me_threshold && - kcf_ctx->kc_sw_prov_desc != NULL && - KCF_IS_PROV_USABLE(kcf_ctx->kc_sw_prov_desc)) { - pd = kcf_ctx->kc_sw_prov_desc; - } - } - - KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_UPDATE, - ctx->cc_session, NULL, NULL, plaintext, ciphertext, NULL); - error = kcf_submit_request(pd, ctx, cr, ¶ms); - - return (error); -} - -/* - * crypto_encrypt_final() - * - * Arguments: - * context: A crypto_context_t initialized by encrypt_init(). - * ciphertext: Storage for the last part of encrypted message - * cr: crypto_call_req_t calling conditions and call back info. - * - * Description: - * Asynchronously submits a request for, or synchronously performs the - * final part of an encryption operation. - * - * Context: - * Process or interrupt, according to the semantics dictated by the 'cr'. - * - * Returns: - * See comment in the beginning of the file. - */ -int -crypto_encrypt_final(crypto_context_t context, crypto_data_t *ciphertext, - crypto_call_req_t *cr) -{ - crypto_ctx_t *ctx = (crypto_ctx_t *)context; - kcf_context_t *kcf_ctx; - kcf_provider_desc_t *pd; - int error; - kcf_req_params_t params; - - if ((ctx == NULL) || - ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) || - ((pd = kcf_ctx->kc_prov_desc) == NULL)) { - return (CRYPTO_INVALID_CONTEXT); - } - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(cr, pd)) { - error = KCF_PROV_ENCRYPT_FINAL(pd, ctx, ciphertext, NULL); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_FINAL, - ctx->cc_session, NULL, NULL, NULL, ciphertext, NULL); - error = kcf_submit_request(pd, ctx, cr, ¶ms); - } - - /* Release the hold done in kcf_new_ctx() during init step. */ - KCF_CONTEXT_COND_RELEASE(error, kcf_ctx); - return (error); -} - /* * crypto_decrypt_prov() * @@ -507,6 +163,7 @@ crypto_encrypt_final(crypto_context_t context, crypto_data_t *ciphertext, * the key 'key'. * When complete and successful, 'plaintext' will contain the decrypted * message. + * Relies on the KCF scheduler to choose a provider. * * Context: * Process or interrupt, according to the semantics dictated by the 'cr'. @@ -515,29 +172,6 @@ crypto_encrypt_final(crypto_context_t context, crypto_data_t *ciphertext, * See comment in the beginning of the file. */ int -crypto_decrypt_prov(crypto_provider_t provider, crypto_session_id_t sid, - crypto_mechanism_t *mech, crypto_data_t *ciphertext, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_data_t *plaintext, - crypto_call_req_t *crq) -{ - kcf_req_params_t params; - kcf_provider_desc_t *pd = provider; - kcf_provider_desc_t *real_provider = pd; - - ASSERT(KCF_PROV_REFHELD(pd)); - - KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, sid, mech, key, - ciphertext, plaintext, tmpl); - - return (kcf_submit_request(real_provider, NULL, crq, ¶ms)); -} - -/* - * Same as crypto_decrypt_prov(), but relies on the KCF scheduler to - * choose a provider. See crypto_decrypt_prov() comments for more - * information. - */ -int crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *plaintext, crypto_call_req_t *crq) @@ -606,155 +240,7 @@ crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, return (error); } -/* - * crypto_decrypt_init_prov() - * - * Calls crypto_cipher_init_prov() to initialize a decryption operation - */ -int -crypto_decrypt_init_prov(crypto_provider_t pd, crypto_session_id_t sid, - crypto_mechanism_t *mech, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_context_t *ctxp, - crypto_call_req_t *crq) -{ - return (crypto_cipher_init_prov(pd, sid, mech, key, tmpl, ctxp, crq, - CRYPTO_FG_DECRYPT)); -} - -/* - * crypto_decrypt_init() - * - * Calls crypto_cipher_init() to initialize a decryption operation - */ -int -crypto_decrypt_init(crypto_mechanism_t *mech, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_context_t *ctxp, - crypto_call_req_t *crq) -{ - return (crypto_cipher_init(mech, key, tmpl, ctxp, crq, - CRYPTO_FG_DECRYPT)); -} - -/* - * crypto_decrypt_update() - * - * Arguments: - * context: A crypto_context_t initialized by decrypt_init(). - * ciphertext: The message part to be decrypted - * plaintext: Storage for the decrypted message part. - * cr: crypto_call_req_t calling conditions and call back info. - * - * Description: - * Asynchronously submits a request for, or synchronously performs a - * part of an decryption operation. - * - * Context: - * Process or interrupt, according to the semantics dictated by the 'cr'. - * - * Returns: - * See comment in the beginning of the file. - */ -int -crypto_decrypt_update(crypto_context_t context, crypto_data_t *ciphertext, - crypto_data_t *plaintext, crypto_call_req_t *cr) -{ - crypto_ctx_t *ctx = (crypto_ctx_t *)context; - kcf_context_t *kcf_ctx; - kcf_provider_desc_t *pd; - int error; - kcf_req_params_t params; - - if ((ctx == NULL) || - ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) || - ((pd = kcf_ctx->kc_prov_desc) == NULL)) { - return (CRYPTO_INVALID_CONTEXT); - } - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(cr, pd)) { - error = KCF_PROV_DECRYPT_UPDATE(pd, ctx, ciphertext, - plaintext, NULL); - KCF_PROV_INCRSTATS(pd, error); - return (error); - } - - /* Check if we should use a software provider for small jobs */ - if ((ctx->cc_flags & CRYPTO_USE_OPSTATE) && cr == NULL) { - if (ciphertext->cd_length < kcf_ctx->kc_mech->me_threshold && - kcf_ctx->kc_sw_prov_desc != NULL && - KCF_IS_PROV_USABLE(kcf_ctx->kc_sw_prov_desc)) { - pd = kcf_ctx->kc_sw_prov_desc; - } - } - - KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_UPDATE, - ctx->cc_session, NULL, NULL, ciphertext, plaintext, NULL); - error = kcf_submit_request(pd, ctx, cr, ¶ms); - - return (error); -} - -/* - * crypto_decrypt_final() - * - * Arguments: - * context: A crypto_context_t initialized by decrypt_init(). - * plaintext: Storage for the last part of the decrypted message - * cr: crypto_call_req_t calling conditions and call back info. - * - * Description: - * Asynchronously submits a request for, or synchronously performs the - * final part of a decryption operation. - * - * Context: - * Process or interrupt, according to the semantics dictated by the 'cr'. - * - * Returns: - * See comment in the beginning of the file. - */ -int -crypto_decrypt_final(crypto_context_t context, crypto_data_t *plaintext, - crypto_call_req_t *cr) -{ - crypto_ctx_t *ctx = (crypto_ctx_t *)context; - kcf_context_t *kcf_ctx; - kcf_provider_desc_t *pd; - int error; - kcf_req_params_t params; - - if ((ctx == NULL) || - ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) || - ((pd = kcf_ctx->kc_prov_desc) == NULL)) { - return (CRYPTO_INVALID_CONTEXT); - } - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(cr, pd)) { - error = KCF_PROV_DECRYPT_FINAL(pd, ctx, plaintext, - NULL); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_FINAL, - ctx->cc_session, NULL, NULL, NULL, plaintext, NULL); - error = kcf_submit_request(pd, ctx, cr, ¶ms); - } - - /* Release the hold done in kcf_new_ctx() during init step. */ - KCF_CONTEXT_COND_RELEASE(error, kcf_ctx); - return (error); -} - #if defined(_KERNEL) -EXPORT_SYMBOL(crypto_encrypt_prov); EXPORT_SYMBOL(crypto_encrypt); -EXPORT_SYMBOL(crypto_encrypt_init_prov); -EXPORT_SYMBOL(crypto_encrypt_init); -EXPORT_SYMBOL(crypto_encrypt_update); -EXPORT_SYMBOL(crypto_encrypt_final); -EXPORT_SYMBOL(crypto_decrypt_prov); EXPORT_SYMBOL(crypto_decrypt); -EXPORT_SYMBOL(crypto_decrypt_init_prov); -EXPORT_SYMBOL(crypto_decrypt_init); -EXPORT_SYMBOL(crypto_decrypt_update); -EXPORT_SYMBOL(crypto_decrypt_final); #endif From 342b68bdcc25f8ca4caa9e14c8a88de452e2ed01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Thu, 23 Dec 2021 20:11:01 +0100 Subject: [PATCH 11/39] module: icp: remove unused kcf_mac operations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/sys/crypto/api.h | 6 ----- module/icp/api/kcf_mac.c | 48 ++-------------------------------------- 2 files changed, 2 insertions(+), 52 deletions(-) diff --git a/include/sys/crypto/api.h b/include/sys/crypto/api.h index d1d708db8a73..76d862bb35c4 100644 --- a/include/sys/crypto/api.h +++ b/include/sys/crypto/api.h @@ -90,15 +90,9 @@ extern int crypto_digest_final(crypto_context_t ctx, crypto_data_t *digest, extern int crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac, crypto_call_req_t *cr); -extern int crypto_mac_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_data_t *, crypto_key_t *, - crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); extern int crypto_mac_verify(crypto_mechanism_t *mech, crypto_data_t *data, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac, crypto_call_req_t *cr); -extern int crypto_mac_verify_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_data_t *, crypto_key_t *, - crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); extern int crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *cr); extern int crypto_mac_init_prov(crypto_provider_t, crypto_session_id_t, diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index 00cee069c891..3238b4edf87a 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -79,6 +79,7 @@ * the specified session id. * When complete and successful, 'mac' will contain the message * authentication code. + * Relies on the KCF scheduler to choose a provider. * * Context: * Process or interrupt, according to the semantics dictated by the 'crq'. @@ -87,29 +88,6 @@ * See comment in the beginning of the file. */ int -crypto_mac_prov(crypto_provider_t provider, crypto_session_id_t sid, - crypto_mechanism_t *mech, crypto_data_t *data, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_data_t *mac, crypto_call_req_t *crq) -{ - kcf_req_params_t params; - kcf_provider_desc_t *pd = provider; - kcf_provider_desc_t *real_provider = pd; - int rv; - - ASSERT(KCF_PROV_REFHELD(pd)); - - KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, sid, mech, key, - data, mac, tmpl); - rv = kcf_submit_request(real_provider, NULL, crq, ¶ms); - - return (rv); -} - -/* - * Same as crypto_mac_prov(), but relies on the KCF scheduler to choose - * a provider. See crypto_mac() comments for more information. - */ -int crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac, crypto_call_req_t *crq) @@ -183,27 +161,7 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, * Single part operation to compute the MAC corresponding to the specified * 'data' and to verify that it matches the MAC specified by 'mac'. * The other arguments are the same as the function crypto_mac_prov(). - */ -int -crypto_mac_verify_prov(crypto_provider_t provider, crypto_session_id_t sid, - crypto_mechanism_t *mech, crypto_data_t *data, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_data_t *mac, crypto_call_req_t *crq) -{ - kcf_req_params_t params; - kcf_provider_desc_t *pd = provider; - kcf_provider_desc_t *real_provider = pd; - - ASSERT(KCF_PROV_REFHELD(pd)); - - KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_MAC_VERIFY_ATOMIC, sid, mech, - key, data, mac, tmpl); - - return (kcf_submit_request(real_provider, NULL, crq, ¶ms)); -} - -/* - * Same as crypto_mac_verify_prov(), but relies on the KCF scheduler to choose - * a provider. See crypto_mac_verify_prov() comments for more information. + * Relies on the KCF scheduler to choose a provider. */ int crypto_mac_verify(crypto_mechanism_t *mech, crypto_data_t *data, @@ -511,9 +469,7 @@ crypto_mac_final(crypto_context_t context, crypto_data_t *mac, } #if defined(_KERNEL) -EXPORT_SYMBOL(crypto_mac_prov); EXPORT_SYMBOL(crypto_mac); -EXPORT_SYMBOL(crypto_mac_verify_prov); EXPORT_SYMBOL(crypto_mac_verify); EXPORT_SYMBOL(crypto_mac_init_prov); EXPORT_SYMBOL(crypto_mac_init); From 40f0875337b6989bc958f7c9c55929d6893f9334 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Fri, 24 Dec 2021 15:39:47 +0100 Subject: [PATCH 12/39] module: icp: drop software provider generation numbers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We register all providers at once, before anything happens Signed-off-by: Ahelenia Ziemiańska --- module/icp/api/kcf_cipher.c | 36 +++------------------ module/icp/api/kcf_ctxops.c | 1 - module/icp/api/kcf_mac.c | 48 ++++------------------------ module/icp/core/kcf_mech_tabs.c | 4 --- module/icp/include/sys/crypto/impl.h | 5 --- 5 files changed, 10 insertions(+), 84 deletions(-) diff --git a/module/icp/api/kcf_cipher.c b/module/icp/api/kcf_cipher.c index 51cf86e97379..d515fa6da38d 100644 --- a/module/icp/api/kcf_cipher.c +++ b/module/icp/api/kcf_cipher.c @@ -90,22 +90,8 @@ crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, return (error); } - /* - * Check the validity of the context template - * It is very rare that the generation number mis-matches, so - * is acceptable to fail here, and let the consumer recover by - * freeing this tmpl and create a new one for the key and new provider - */ - if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { - if (ctx_tmpl->ct_generation != me->me_gen_swprov) { - if (list != NULL) - kcf_free_triedlist(list); - KCF_PROV_REFRELE(pd); - return (CRYPTO_OLD_CTX_TEMPLATE); - } else { - spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; - } - } + if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) + spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; /* The fast path for SW providers. */ if (CHECK_FASTPATH(crq, pd)) { @@ -193,22 +179,8 @@ crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, return (error); } - /* - * Check the validity of the context template - * It is very rare that the generation number mis-matches, so - * is acceptable to fail here, and let the consumer recover by - * freeing this tmpl and create a new one for the key and new provider - */ - if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { - if (ctx_tmpl->ct_generation != me->me_gen_swprov) { - if (list != NULL) - kcf_free_triedlist(list); - KCF_PROV_REFRELE(pd); - return (CRYPTO_OLD_CTX_TEMPLATE); - } else { - spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; - } - } + if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) + spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; /* The fast path for SW providers. */ if (CHECK_FASTPATH(crq, pd)) { diff --git a/module/icp/api/kcf_ctxops.c b/module/icp/api/kcf_ctxops.c index 21b0977d3634..85cc55c8a719 100644 --- a/module/icp/api/kcf_ctxops.c +++ b/module/icp/api/kcf_ctxops.c @@ -104,7 +104,6 @@ crypto_create_ctx_template(crypto_mechanism_t *mech, crypto_key_t *key, &(ctx_tmpl->ct_prov_tmpl), &(ctx_tmpl->ct_size), KCF_RHNDL(kmflag)); if (error == CRYPTO_SUCCESS) { - ctx_tmpl->ct_generation = me->me_gen_swprov; *ptmpl = ctx_tmpl; } else { kmem_free(ctx_tmpl, sizeof (kcf_ctx_template_t)); diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index 3238b4edf87a..34f404aead66 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -109,22 +109,8 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, return (error); } - /* - * Check the validity of the context template - * It is very rare that the generation number mis-matches, so - * is acceptable to fail here, and let the consumer recover by - * freeing this tmpl and create a new one for the key and new provider - */ - if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { - if (ctx_tmpl->ct_generation != me->me_gen_swprov) { - if (list != NULL) - kcf_free_triedlist(list); - KCF_PROV_REFRELE(pd); - return (CRYPTO_OLD_CTX_TEMPLATE); - } else { - spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; - } - } + if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) + spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; /* The fast path for SW providers. */ if (CHECK_FASTPATH(crq, pd)) { @@ -185,22 +171,8 @@ crypto_mac_verify(crypto_mechanism_t *mech, crypto_data_t *data, return (error); } - /* - * Check the validity of the context template - * It is very rare that the generation number mis-matches, so - * is acceptable to fail here, and let the consumer recover by - * freeing this tmpl and create a new one for the key and new provider - */ - if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { - if (ctx_tmpl->ct_generation != me->me_gen_swprov) { - if (list != NULL) - kcf_free_triedlist(list); - KCF_PROV_REFRELE(pd); - return (CRYPTO_OLD_CTX_TEMPLATE); - } else { - spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; - } - } + if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) + spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; /* The fast path for SW providers. */ if (CHECK_FASTPATH(crq, pd)) { @@ -345,16 +317,8 @@ crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, * freeing this tmpl and create a new one for the key and new provider */ - if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) { - if (ctx_tmpl->ct_generation != me->me_gen_swprov) { - if (list != NULL) - kcf_free_triedlist(list); - KCF_PROV_REFRELE(pd); - return (CRYPTO_OLD_CTX_TEMPLATE); - } else { - spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; - } - } + if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) + spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; error = crypto_mac_init_prov(pd, pd->pd_sid, mech, key, spi_ctx_tmpl, ctxp, crq); diff --git a/module/icp/core/kcf_mech_tabs.c b/module/icp/core/kcf_mech_tabs.c index beed581a5523..811db71365d0 100644 --- a/module/icp/core/kcf_mech_tabs.c +++ b/module/icp/core/kcf_mech_tabs.c @@ -111,7 +111,6 @@ static const int kcf_bf_threshold = 512; static const int kcf_rc4_threshold = 512; static kmutex_t kcf_mech_tabs_lock; -static uint32_t kcf_gen_swprov = 0; static const int kcf_mech_hash_size = 256; static mod_hash_t *kcf_mech_hash; /* mech name to id hash */ @@ -446,9 +445,6 @@ kcf_add_mech_provider(short mech_indx, * this mechanism. */ mech_entry->me_sw_prov = prov_mech; - - /* We'll wrap around after 4 billion registrations! */ - mech_entry->me_gen_swprov = kcf_gen_swprov++; } mutex_exit(&mech_entry->me_mutex); diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index fd93ee508a74..8b45c0536e94 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -263,11 +263,6 @@ typedef struct kcf_mech_entry { crypto_mech_type_t me_mechid; /* Internal id for mechanism */ kmutex_t me_mutex; /* access protection */ kcf_prov_mech_desc_t *me_sw_prov; /* provider */ - /* - * When a provider is present, this is the generation number that - * ensures no objects from old providers are used in the new one - */ - uint32_t me_gen_swprov; /* * threshold for using hardware providers for this mech */ From 3898649b428b6c2b2797ec7274a90f64d3a4dfad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Fri, 24 Dec 2021 16:26:25 +0100 Subject: [PATCH 13/39] module: icp: remove unused kcf_digest.c MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/sys/crypto/api.h | 17 -- lib/libicp/Makefile.am | 1 - module/icp/Makefile.in | 1 - module/icp/api/kcf_digest.c | 365 ------------------------------------ 4 files changed, 384 deletions(-) delete mode 100644 module/icp/api/kcf_digest.c diff --git a/include/sys/crypto/api.h b/include/sys/crypto/api.h index 76d862bb35c4..1f22d2c85315 100644 --- a/include/sys/crypto/api.h +++ b/include/sys/crypto/api.h @@ -67,23 +67,6 @@ extern int crypto_create_ctx_template(crypto_mechanism_t *mech, crypto_key_t *key, crypto_ctx_template_t *tmpl, int kmflag); extern void crypto_destroy_ctx_template(crypto_ctx_template_t tmpl); -/* - * Single and multi-part digest operations. - */ -extern int crypto_digest(crypto_mechanism_t *mech, crypto_data_t *data, - crypto_data_t *digest, crypto_call_req_t *cr); -extern int crypto_digest_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_data_t *, crypto_data_t *, - crypto_call_req_t *); -extern int crypto_digest_init(crypto_mechanism_t *mech, crypto_context_t *ctxp, - crypto_call_req_t *cr); -extern int crypto_digest_init_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_context_t *, crypto_call_req_t *); -extern int crypto_digest_update(crypto_context_t ctx, crypto_data_t *data, - crypto_call_req_t *cr); -extern int crypto_digest_final(crypto_context_t ctx, crypto_data_t *digest, - crypto_call_req_t *cr); - /* * Single and multi-part MAC operations. */ diff --git a/lib/libicp/Makefile.am b/lib/libicp/Makefile.am index 831d2fedff4d..4e8585f9217e 100644 --- a/lib/libicp/Makefile.am +++ b/lib/libicp/Makefile.am @@ -27,7 +27,6 @@ endif KERNEL_C = \ spi/kcf_spi.c \ api/kcf_ctxops.c \ - api/kcf_digest.c \ api/kcf_cipher.c \ api/kcf_miscapi.c \ api/kcf_mac.c \ diff --git a/module/icp/Makefile.in b/module/icp/Makefile.in index f51fcac6d9e1..d9f4ff2f8957 100644 --- a/module/icp/Makefile.in +++ b/module/icp/Makefile.in @@ -15,7 +15,6 @@ ccflags-y := -I$(icp_include) $(MODULE)-objs += illumos-crypto.o $(MODULE)-objs += api/kcf_cipher.o -$(MODULE)-objs += api/kcf_digest.o $(MODULE)-objs += api/kcf_mac.o $(MODULE)-objs += api/kcf_miscapi.o $(MODULE)-objs += api/kcf_ctxops.o diff --git a/module/icp/api/kcf_digest.c b/module/icp/api/kcf_digest.c deleted file mode 100644 index 66101794933b..000000000000 --- a/module/icp/api/kcf_digest.c +++ /dev/null @@ -1,365 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ -/* - * Copyright 2007 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -#include -#include -#include -#include -#include -#include - -/* - * Message digest routines - */ - -/* - * The following are the possible returned values common to all the routines - * below. The applicability of some of these return values depends on the - * presence of the arguments. - * - * CRYPTO_SUCCESS: The operation completed successfully. - * CRYPTO_QUEUED: A request was submitted successfully. The callback - * routine will be called when the operation is done. - * CRYPTO_MECHANISM_INVALID or CRYPTO_INVALID_MECH_PARAM - * for problems with the 'mech'. - * CRYPTO_INVALID_DATA for bogus 'data' - * CRYPTO_HOST_MEMORY for failure to allocate memory to handle this work. - * CRYPTO_INVALID_CONTEXT: Not a valid context. - * CRYPTO_BUSY: Cannot process the request now. Schedule a - * crypto_bufcall(), or try later. - * CRYPTO_NOT_SUPPORTED and CRYPTO_MECH_NOT_SUPPORTED: - * No provider is capable of a function or a mechanism. - */ - - -/* - * crypto_digest_prov() - * - * Arguments: - * pd: pointer to the descriptor of the provider to use for this - * operation. - * sid: provider session id. - * mech: crypto_mechanism_t pointer. - * mech_type is a valid value previously returned by - * crypto_mech2id(); - * When the mech's parameter is not NULL, its definition depends - * on the standard definition of the mechanism. - * data: The message to be digested. - * digest: Storage for the digest. The length needed depends on the - * mechanism. - * cr: crypto_call_req_t calling conditions and call back info. - * - * Description: - * Asynchronously submits a request for, or synchronously performs the - * digesting operation of 'data' on the specified - * provider with the specified session. - * When complete and successful, 'digest' will contain the digest value. - * The caller should hold a reference on the specified provider - * descriptor before calling this function. - * - * Context: - * Process or interrupt, according to the semantics dictated by the 'cr'. - * - * Returns: - * See comment in the beginning of the file. - */ -int -crypto_digest_prov(crypto_provider_t provider, crypto_session_id_t sid, - crypto_mechanism_t *mech, crypto_data_t *data, crypto_data_t *digest, - crypto_call_req_t *crq) -{ - kcf_req_params_t params; - kcf_provider_desc_t *pd = provider; - kcf_provider_desc_t *real_provider = pd; - - ASSERT(KCF_PROV_REFHELD(pd)); - - KCF_WRAP_DIGEST_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, sid, mech, NULL, - data, digest); - - /* no crypto context to carry between multiple parts. */ - return (kcf_submit_request(real_provider, NULL, crq, ¶ms)); -} - - -/* - * Same as crypto_digest_prov(), but relies on the KCF scheduler to - * choose a provider. See crypto_digest_prov() comments for more information. - */ -int -crypto_digest(crypto_mechanism_t *mech, crypto_data_t *data, - crypto_data_t *digest, crypto_call_req_t *crq) -{ - int error; - kcf_provider_desc_t *pd; - kcf_req_params_t params; - kcf_prov_tried_t *list = NULL; - -retry: - /* The pd is returned held */ - if ((pd = kcf_get_mech_provider(mech->cm_type, NULL, &error, list, - CRYPTO_FG_DIGEST_ATOMIC, CHECK_RESTRICT(crq))) == NULL) { - if (list != NULL) - kcf_free_triedlist(list); - return (error); - } - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(crq, pd)) { - crypto_mechanism_t lmech; - - lmech = *mech; - KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); - error = KCF_PROV_DIGEST_ATOMIC(pd, pd->pd_sid, &lmech, data, - digest, KCF_SWFP_RHNDL(crq)); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_DIGEST_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, - pd->pd_sid, mech, NULL, data, digest); - - /* no crypto context to carry between multiple parts. */ - error = kcf_submit_request(pd, NULL, crq, ¶ms); - } - - if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && - IS_RECOVERABLE(error)) { - /* Add pd to the linked list of providers tried. */ - if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL) - goto retry; - } - - if (list != NULL) - kcf_free_triedlist(list); - - KCF_PROV_REFRELE(pd); - return (error); -} - -/* - * crypto_digest_init_prov() - * - * pd: pointer to the descriptor of the provider to use for this - * operation. - * sid: provider session id. - * mech: crypto_mechanism_t pointer. - * mech_type is a valid value previously returned by - * crypto_mech2id(); - * When the mech's parameter is not NULL, its definition depends - * on the standard definition of the mechanism. - * ctxp: Pointer to a crypto_context_t. - * cr: crypto_call_req_t calling conditions and call back info. - * - * Description: - * Asynchronously submits a request for, or synchronously performs the - * initialization of a message digest operation on the specified - * provider with the specified session. - * When complete and successful, 'ctxp' will contain a crypto_context_t - * valid for later calls to digest_update() and digest_final(). - * The caller should hold a reference on the specified provider - * descriptor before calling this function. - */ -int -crypto_digest_init_prov(crypto_provider_t provider, crypto_session_id_t sid, - crypto_mechanism_t *mech, crypto_context_t *ctxp, crypto_call_req_t *crq) -{ - int error; - crypto_ctx_t *ctx; - kcf_req_params_t params; - kcf_provider_desc_t *pd = provider; - kcf_provider_desc_t *real_provider = pd; - - ASSERT(KCF_PROV_REFHELD(pd)); - - /* Allocate and initialize the canonical context */ - if ((ctx = kcf_new_ctx(crq, real_provider, sid)) == NULL) - return (CRYPTO_HOST_MEMORY); - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(crq, pd)) { - crypto_mechanism_t lmech; - - lmech = *mech; - KCF_SET_PROVIDER_MECHNUM(mech->cm_type, real_provider, &lmech); - error = KCF_PROV_DIGEST_INIT(real_provider, ctx, &lmech, - KCF_SWFP_RHNDL(crq)); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_DIGEST_OPS_PARAMS(¶ms, KCF_OP_INIT, sid, - mech, NULL, NULL, NULL); - error = kcf_submit_request(real_provider, ctx, crq, ¶ms); - } - - if ((error == CRYPTO_SUCCESS) || (error == CRYPTO_QUEUED)) - *ctxp = (crypto_context_t)ctx; - else { - /* Release the hold done in kcf_new_ctx(). */ - KCF_CONTEXT_REFRELE((kcf_context_t *)ctx->cc_framework_private); - } - - return (error); -} - -/* - * Same as crypto_digest_init_prov(), but relies on the KCF scheduler - * to choose a provider. See crypto_digest_init_prov() comments for - * more information. - */ -int -crypto_digest_init(crypto_mechanism_t *mech, crypto_context_t *ctxp, - crypto_call_req_t *crq) -{ - int error; - kcf_provider_desc_t *pd; - kcf_prov_tried_t *list = NULL; - -retry: - /* The pd is returned held */ - if ((pd = kcf_get_mech_provider(mech->cm_type, NULL, &error, - list, CRYPTO_FG_DIGEST, CHECK_RESTRICT(crq))) == NULL) { - if (list != NULL) - kcf_free_triedlist(list); - return (error); - } - - error = crypto_digest_init_prov(pd, pd->pd_sid, - mech, ctxp, crq); - - if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && - IS_RECOVERABLE(error)) { - /* Add pd to the linked list of providers tried. */ - if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL) - goto retry; - } - - if (list != NULL) - kcf_free_triedlist(list); - KCF_PROV_REFRELE(pd); - return (error); -} - -/* - * crypto_digest_update() - * - * Arguments: - * context: A crypto_context_t initialized by digest_init(). - * data: The part of message to be digested. - * cr: crypto_call_req_t calling conditions and call back info. - * - * Description: - * Asynchronously submits a request for, or synchronously performs a - * part of a message digest operation. - * - * Context: - * Process or interrupt, according to the semantics dictated by the 'cr'. - * - * Returns: - * See comment in the beginning of the file. - */ -int -crypto_digest_update(crypto_context_t context, crypto_data_t *data, - crypto_call_req_t *cr) -{ - crypto_ctx_t *ctx = (crypto_ctx_t *)context; - kcf_context_t *kcf_ctx; - kcf_provider_desc_t *pd; - int error; - kcf_req_params_t params; - - if ((ctx == NULL) || - ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) || - ((pd = kcf_ctx->kc_prov_desc) == NULL)) { - return (CRYPTO_INVALID_CONTEXT); - } - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(cr, pd)) { - error = KCF_PROV_DIGEST_UPDATE(pd, ctx, data, NULL); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_DIGEST_OPS_PARAMS(¶ms, KCF_OP_UPDATE, - ctx->cc_session, NULL, NULL, data, NULL); - error = kcf_submit_request(pd, ctx, cr, ¶ms); - } - - return (error); -} - -/* - * crypto_digest_final() - * - * Arguments: - * context: A crypto_context_t initialized by digest_init(). - * digest: The storage for the digest. - * cr: crypto_call_req_t calling conditions and call back info. - * - * Description: - * Asynchronously submits a request for, or synchronously performs the - * final part of a message digest operation. - * - * Context: - * Process or interrupt, according to the semantics dictated by the 'cr'. - * - * Returns: - * See comment in the beginning of the file. - */ -int -crypto_digest_final(crypto_context_t context, crypto_data_t *digest, - crypto_call_req_t *cr) -{ - crypto_ctx_t *ctx = (crypto_ctx_t *)context; - kcf_context_t *kcf_ctx; - kcf_provider_desc_t *pd; - int error; - kcf_req_params_t params; - - if ((ctx == NULL) || - ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) || - ((pd = kcf_ctx->kc_prov_desc) == NULL)) { - return (CRYPTO_INVALID_CONTEXT); - } - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(cr, pd)) { - error = KCF_PROV_DIGEST_FINAL(pd, ctx, digest, NULL); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_DIGEST_OPS_PARAMS(¶ms, KCF_OP_FINAL, - ctx->cc_session, NULL, NULL, NULL, digest); - error = kcf_submit_request(pd, ctx, cr, ¶ms); - } - - /* Release the hold done in kcf_new_ctx() during init step. */ - KCF_CONTEXT_COND_RELEASE(error, kcf_ctx); - return (error); -} - -#if defined(_KERNEL) -EXPORT_SYMBOL(crypto_digest_prov); -EXPORT_SYMBOL(crypto_digest); -EXPORT_SYMBOL(crypto_digest_init_prov); -EXPORT_SYMBOL(crypto_digest_init); -EXPORT_SYMBOL(crypto_digest_update); -EXPORT_SYMBOL(crypto_digest_final); -#endif From b056ac16042dfe47e9e44eecef29610ce1bb147b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Fri, 24 Dec 2021 16:26:11 +0100 Subject: [PATCH 14/39] module: icp: remove unused CRYPTO_ALWAYS_QUEUE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/sys/crypto/api.h | 13 +- module/icp/api/kcf_cipher.c | 41 ++--- module/icp/api/kcf_mac.c | 150 +++--------------- module/icp/core/kcf_sched.c | 168 --------------------- module/icp/include/sys/crypto/sched_impl.h | 5 - module/os/linux/zfs/zio_crypt.c | 14 +- module/zfs/hkdf.c | 8 +- 7 files changed, 42 insertions(+), 357 deletions(-) diff --git a/include/sys/crypto/api.h b/include/sys/crypto/api.h index 1f22d2c85315..65f3237ba7c0 100644 --- a/include/sys/crypto/api.h +++ b/include/sys/crypto/api.h @@ -41,7 +41,6 @@ typedef void *crypto_ctx_template_t; typedef uint32_t crypto_call_flag_t; /* crypto_call_flag's values */ -#define CRYPTO_ALWAYS_QUEUE 0x00000001 /* ALWAYS queue the req. */ #define CRYPTO_NOTIFY_OPDONE 0x00000002 /* Notify intermediate steps */ #define CRYPTO_SKIP_REQID 0x00000004 /* Skip request ID generation */ #define CRYPTO_RESTRICTED 0x00000008 /* cannot use restricted prov */ @@ -73,18 +72,10 @@ extern void crypto_destroy_ctx_template(crypto_ctx_template_t tmpl); extern int crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac, crypto_call_req_t *cr); -extern int crypto_mac_verify(crypto_mechanism_t *mech, crypto_data_t *data, - crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac, - crypto_call_req_t *cr); extern int crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *cr); -extern int crypto_mac_init_prov(crypto_provider_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t, - crypto_context_t *, crypto_call_req_t *); -extern int crypto_mac_update(crypto_context_t ctx, crypto_data_t *data, - crypto_call_req_t *cr); -extern int crypto_mac_final(crypto_context_t ctx, crypto_data_t *data, - crypto_call_req_t *cr); +extern int crypto_mac_update(crypto_context_t ctx, crypto_data_t *data); +extern int crypto_mac_final(crypto_context_t ctx, crypto_data_t *data); /* * Single and multi-part encryption operations. diff --git a/module/icp/api/kcf_cipher.c b/module/icp/api/kcf_cipher.c index d515fa6da38d..61fb2208ba9c 100644 --- a/module/icp/api/kcf_cipher.c +++ b/module/icp/api/kcf_cipher.c @@ -75,7 +75,6 @@ crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, { int error; kcf_mech_entry_t *me; - kcf_req_params_t params; kcf_provider_desc_t *pd; kcf_ctx_template_t *ctx_tmpl; crypto_spi_ctx_template_t spi_ctx_tmpl = NULL; @@ -93,21 +92,11 @@ crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(crq, pd)) { - crypto_mechanism_t lmech; - - lmech = *mech; - KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); - - error = KCF_PROV_ENCRYPT_ATOMIC(pd, pd->pd_sid, &lmech, key, - plaintext, ciphertext, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_ENCRYPT_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, pd->pd_sid, - mech, key, plaintext, ciphertext, spi_ctx_tmpl); - error = kcf_submit_request(pd, NULL, crq, ¶ms); - } + crypto_mechanism_t lmech = *mech; + KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); + error = KCF_PROV_ENCRYPT_ATOMIC(pd, pd->pd_sid, &lmech, key, + plaintext, ciphertext, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); + KCF_PROV_INCRSTATS(pd, error); if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && IS_RECOVERABLE(error)) { @@ -164,7 +153,6 @@ crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, { int error; kcf_mech_entry_t *me; - kcf_req_params_t params; kcf_provider_desc_t *pd; kcf_ctx_template_t *ctx_tmpl; crypto_spi_ctx_template_t spi_ctx_tmpl = NULL; @@ -182,21 +170,12 @@ crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(crq, pd)) { - crypto_mechanism_t lmech; + crypto_mechanism_t lmech = *mech; + KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); - lmech = *mech; - KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); - - error = KCF_PROV_DECRYPT_ATOMIC(pd, pd->pd_sid, &lmech, key, - ciphertext, plaintext, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_DECRYPT_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, pd->pd_sid, - mech, key, ciphertext, plaintext, spi_ctx_tmpl); - error = kcf_submit_request(pd, NULL, crq, ¶ms); - } + error = KCF_PROV_DECRYPT_ATOMIC(pd, pd->pd_sid, &lmech, key, + ciphertext, plaintext, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); + KCF_PROV_INCRSTATS(pd, error); if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && IS_RECOVERABLE(error)) { diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index 34f404aead66..c2260b2b087b 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -94,7 +94,6 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, { int error; kcf_mech_entry_t *me; - kcf_req_params_t params; kcf_provider_desc_t *pd; kcf_ctx_template_t *ctx_tmpl; crypto_spi_ctx_template_t spi_ctx_tmpl = NULL; @@ -112,85 +111,11 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(crq, pd)) { - crypto_mechanism_t lmech; - - lmech = *mech; - KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); - - error = KCF_PROV_MAC_ATOMIC(pd, pd->pd_sid, &lmech, key, data, - mac, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_ATOMIC, - pd->pd_sid, mech, key, data, mac, spi_ctx_tmpl); - - error = kcf_submit_request(pd, NULL, crq, ¶ms); - } - - if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && - IS_RECOVERABLE(error)) { - /* Add pd to the linked list of providers tried. */ - if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL) - goto retry; - } - - if (list != NULL) - kcf_free_triedlist(list); - - KCF_PROV_REFRELE(pd); - return (error); -} - -/* - * Single part operation to compute the MAC corresponding to the specified - * 'data' and to verify that it matches the MAC specified by 'mac'. - * The other arguments are the same as the function crypto_mac_prov(). - * Relies on the KCF scheduler to choose a provider. - */ -int -crypto_mac_verify(crypto_mechanism_t *mech, crypto_data_t *data, - crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac, - crypto_call_req_t *crq) -{ - int error; - kcf_mech_entry_t *me; - kcf_req_params_t params; - kcf_provider_desc_t *pd; - kcf_ctx_template_t *ctx_tmpl; - crypto_spi_ctx_template_t spi_ctx_tmpl = NULL; - kcf_prov_tried_t *list = NULL; - -retry: - /* The pd is returned held */ - if ((pd = kcf_get_mech_provider(mech->cm_type, &me, &error, - list, CRYPTO_FG_MAC_ATOMIC, CHECK_RESTRICT(crq))) == NULL) { - if (list != NULL) - kcf_free_triedlist(list); - return (error); - } - - if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) - spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; - - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(crq, pd)) { - crypto_mechanism_t lmech; - - lmech = *mech; - KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); - - error = KCF_PROV_MAC_VERIFY_ATOMIC(pd, pd->pd_sid, &lmech, key, - data, mac, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); - KCF_PROV_INCRSTATS(pd, error); - } else { - KCF_WRAP_MAC_OPS_PARAMS(¶ms, - KCF_OP_MAC_VERIFY_ATOMIC, pd->pd_sid, mech, - key, data, mac, spi_ctx_tmpl); - - error = kcf_submit_request(pd, NULL, crq, ¶ms); - } + crypto_mechanism_t lmech = *mech; + KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); + error = KCF_PROV_MAC_ATOMIC(pd, pd->pd_sid, &lmech, key, data, + mac, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); + KCF_PROV_INCRSTATS(pd, error); if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && IS_RECOVERABLE(error)) { @@ -242,14 +167,13 @@ crypto_mac_verify(crypto_mechanism_t *mech, crypto_data_t *data, * Returns: * See comment in the beginning of the file. */ -int +static int crypto_mac_init_prov(crypto_provider_t provider, crypto_session_id_t sid, crypto_mechanism_t *mech, crypto_key_t *key, crypto_spi_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *crq) { int rv; crypto_ctx_t *ctx; - kcf_req_params_t params; kcf_provider_desc_t *pd = provider; kcf_provider_desc_t *real_provider = pd; @@ -259,20 +183,11 @@ crypto_mac_init_prov(crypto_provider_t provider, crypto_session_id_t sid, if ((ctx = kcf_new_ctx(crq, real_provider, sid)) == NULL) return (CRYPTO_HOST_MEMORY); - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(crq, pd)) { - crypto_mechanism_t lmech; - - lmech = *mech; - KCF_SET_PROVIDER_MECHNUM(mech->cm_type, real_provider, &lmech); - rv = KCF_PROV_MAC_INIT(real_provider, ctx, &lmech, key, tmpl, - KCF_SWFP_RHNDL(crq)); - KCF_PROV_INCRSTATS(pd, rv); - } else { - KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_INIT, sid, mech, key, - NULL, NULL, tmpl); - rv = kcf_submit_request(real_provider, ctx, crq, ¶ms); - } + crypto_mechanism_t lmech = *mech; + KCF_SET_PROVIDER_MECHNUM(mech->cm_type, real_provider, &lmech); + rv = KCF_PROV_MAC_INIT(real_provider, ctx, &lmech, key, tmpl, + KCF_SWFP_RHNDL(crq)); + KCF_PROV_INCRSTATS(pd, rv); if ((rv == CRYPTO_SUCCESS) || (rv == CRYPTO_QUEUED)) *ctxp = (crypto_context_t)ctx; @@ -342,11 +257,9 @@ crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, * Arguments: * context: A crypto_context_t initialized by mac_init(). * data: The message part to be MAC'ed - * cr: crypto_call_req_t calling conditions and call back info. * * Description: - * Asynchronously submits a request for, or synchronously performs a - * part of a MAC operation. + * Synchronously performs a part of a MAC operation. * * Context: * Process or interrupt, according to the semantics dictated by the 'cr'. @@ -355,14 +268,11 @@ crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, * See comment in the beginning of the file. */ int -crypto_mac_update(crypto_context_t context, crypto_data_t *data, - crypto_call_req_t *cr) +crypto_mac_update(crypto_context_t context, crypto_data_t *data) { crypto_ctx_t *ctx = (crypto_ctx_t *)context; kcf_context_t *kcf_ctx; kcf_provider_desc_t *pd; - kcf_req_params_t params; - int rv; if ((ctx == NULL) || ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) || @@ -370,16 +280,8 @@ crypto_mac_update(crypto_context_t context, crypto_data_t *data, return (CRYPTO_INVALID_CONTEXT); } - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(cr, pd)) { - rv = KCF_PROV_MAC_UPDATE(pd, ctx, data, NULL); - KCF_PROV_INCRSTATS(pd, rv); - } else { - KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_UPDATE, - ctx->cc_session, NULL, NULL, data, NULL, NULL); - rv = kcf_submit_request(pd, ctx, cr, ¶ms); - } - + int rv = KCF_PROV_MAC_UPDATE(pd, ctx, data, NULL); + KCF_PROV_INCRSTATS(pd, rv); return (rv); } @@ -389,11 +291,9 @@ crypto_mac_update(crypto_context_t context, crypto_data_t *data, * Arguments: * context: A crypto_context_t initialized by mac_init(). * mac: Storage for the message authentication code. - * cr: crypto_call_req_t calling conditions and call back info. * * Description: - * Asynchronously submits a request for, or synchronously performs a - * part of a message authentication operation. + * Synchronously performs a part of a message authentication operation. * * Context: * Process or interrupt, according to the semantics dictated by the 'cr'. @@ -402,14 +302,11 @@ crypto_mac_update(crypto_context_t context, crypto_data_t *data, * See comment in the beginning of the file. */ int -crypto_mac_final(crypto_context_t context, crypto_data_t *mac, - crypto_call_req_t *cr) +crypto_mac_final(crypto_context_t context, crypto_data_t *mac) { crypto_ctx_t *ctx = (crypto_ctx_t *)context; kcf_context_t *kcf_ctx; kcf_provider_desc_t *pd; - kcf_req_params_t params; - int rv; if ((ctx == NULL) || ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) || @@ -417,15 +314,8 @@ crypto_mac_final(crypto_context_t context, crypto_data_t *mac, return (CRYPTO_INVALID_CONTEXT); } - /* The fast path for SW providers. */ - if (CHECK_FASTPATH(cr, pd)) { - rv = KCF_PROV_MAC_FINAL(pd, ctx, mac, NULL); - KCF_PROV_INCRSTATS(pd, rv); - } else { - KCF_WRAP_MAC_OPS_PARAMS(¶ms, KCF_OP_FINAL, - ctx->cc_session, NULL, NULL, NULL, mac, NULL); - rv = kcf_submit_request(pd, ctx, cr, ¶ms); - } + int rv = KCF_PROV_MAC_FINAL(pd, ctx, mac, NULL); + KCF_PROV_INCRSTATS(pd, rv); /* Release the hold done in kcf_new_ctx() during init step. */ KCF_CONTEXT_COND_RELEASE(rv, kcf_ctx); @@ -434,8 +324,6 @@ crypto_mac_final(crypto_context_t context, crypto_data_t *mac, #if defined(_KERNEL) EXPORT_SYMBOL(crypto_mac); -EXPORT_SYMBOL(crypto_mac_verify); -EXPORT_SYMBOL(crypto_mac_init_prov); EXPORT_SYMBOL(crypto_mac_init); EXPORT_SYMBOL(crypto_mac_update); EXPORT_SYMBOL(crypto_mac_final); diff --git a/module/icp/core/kcf_sched.c b/module/icp/core/kcf_sched.c index b1149072fdfc..9e66586a97fe 100644 --- a/module/icp/core/kcf_sched.c +++ b/module/icp/core/kcf_sched.c @@ -68,7 +68,6 @@ static int kcf_disp_sw_request(kcf_areq_node_t *); static int kcf_enqueue(kcf_areq_node_t *); static void kcfpool_alloc(void); static void kcf_reqid_delete(kcf_areq_node_t *areq); -static crypto_req_id_t kcf_reqid_insert(kcf_areq_node_t *areq); static int kcf_misc_kstat_update(kstat_t *ksp, int rw); /* @@ -107,65 +106,6 @@ kcf_new_ctx(crypto_call_req_t *crq, kcf_provider_desc_t *pd, return (ctx); } -/* - * Allocate a new async request node. - * - * ictx - Framework private context pointer - * crq - Has callback function and argument. Should be non NULL. - * req - The parameters to pass to the SPI - */ -static kcf_areq_node_t * -kcf_areqnode_alloc(kcf_provider_desc_t *pd, kcf_context_t *ictx, - crypto_call_req_t *crq, kcf_req_params_t *req) -{ - kcf_areq_node_t *arptr, *areq; - - ASSERT(crq != NULL); - arptr = kmem_cache_alloc(kcf_areq_cache, KM_NOSLEEP); - if (arptr == NULL) - return (NULL); - - arptr->an_state = REQ_ALLOCATED; - arptr->an_reqarg = *crq; - arptr->an_params = *req; - arptr->an_context = ictx; - - arptr->an_next = arptr->an_prev = NULL; - KCF_PROV_REFHOLD(pd); - arptr->an_provider = pd; - arptr->an_tried_plist = NULL; - arptr->an_refcnt = 1; - arptr->an_idnext = arptr->an_idprev = NULL; - - /* - * Requests for context-less operations do not use the - * fields - an_is_my_turn, and an_ctxchain_next. - */ - if (ictx == NULL) - return (arptr); - - KCF_CONTEXT_REFHOLD(ictx); - /* - * Chain this request to the context. - */ - mutex_enter(&ictx->kc_in_use_lock); - arptr->an_ctxchain_next = NULL; - if ((areq = ictx->kc_req_chain_last) == NULL) { - arptr->an_is_my_turn = B_TRUE; - ictx->kc_req_chain_last = - ictx->kc_req_chain_first = arptr; - } else { - ASSERT(ictx->kc_req_chain_first != NULL); - arptr->an_is_my_turn = B_FALSE; - /* Insert the new request to the end of the chain. */ - areq->an_ctxchain_next = arptr; - ictx->kc_req_chain_last = arptr; - } - mutex_exit(&ictx->kc_in_use_lock); - - return (arptr); -} - /* * Queue the request node and do one of the following: * - If there is an idle thread signal it to run. @@ -362,80 +302,6 @@ kcf_resubmit_request(kcf_areq_node_t *areq) return (error); } -/* - * Routine called by both ioctl and k-api. The consumer should - * bundle the parameters into a kcf_req_params_t structure. A bunch - * of macros are available in ops_impl.h for this bundling. They are: - * - * KCF_WRAP_DIGEST_OPS_PARAMS() - * KCF_WRAP_MAC_OPS_PARAMS() - * KCF_WRAP_ENCRYPT_OPS_PARAMS() - * KCF_WRAP_DECRYPT_OPS_PARAMS() ... etc. - * - * It is the caller's responsibility to free the ctx argument when - * appropriate. See the KCF_CONTEXT_COND_RELEASE macro for details. - */ -int -kcf_submit_request(kcf_provider_desc_t *pd, crypto_ctx_t *ctx, - crypto_call_req_t *crq, kcf_req_params_t *params) -{ - int error = CRYPTO_SUCCESS; - kcf_areq_node_t *areq; - kcf_context_t *kcf_ctx; - - kcf_ctx = ctx ? (kcf_context_t *)ctx->cc_framework_private : NULL; - - /* Synchronous */ - if (crq == NULL) { - error = common_submit_request(pd, ctx, params, - KCF_RHNDL(KM_SLEEP)); - } else { /* Asynchronous */ - if (!(crq->cr_flag & CRYPTO_ALWAYS_QUEUE)) { - /* - * This case has less overhead since there is - * no switching of context. - */ - error = common_submit_request(pd, ctx, params, - KCF_RHNDL(KM_NOSLEEP)); - } else { - /* - * CRYPTO_ALWAYS_QUEUE is set. We need to - * queue the request and return. - */ - areq = kcf_areqnode_alloc(pd, kcf_ctx, crq, - params); - if (areq == NULL) - error = CRYPTO_HOST_MEMORY; - else { - if (!(crq->cr_flag - & CRYPTO_SKIP_REQID)) { - /* - * Set the request handle. We have to - * do this before dispatching the - * request. - */ - crq->cr_reqid = kcf_reqid_insert(areq); - } - - error = kcf_disp_sw_request(areq); - /* - * There is an error processing this - * request. Remove the handle and - * release the request structure. - */ - if (error != CRYPTO_QUEUED) { - if (!(crq->cr_flag - & CRYPTO_SKIP_REQID)) - kcf_reqid_delete(areq); - KCF_AREQ_REFRELE(areq); - } - } - } - } - - return (error); -} - /* * We're done with this framework context, so free it. Note that freeing * framework context (kcf_context) frees the global context (crypto_ctx). @@ -852,40 +718,6 @@ kcfpool_alloc() cv_init(&kcfpool->kp_user_cv, NULL, CV_DEFAULT, NULL); } -/* - * Insert the async request in the hash table after assigning it - * an ID. Returns the ID. - * - * The ID is used by the caller to pass as an argument to a - * cancel_req() routine later. - */ -static crypto_req_id_t -kcf_reqid_insert(kcf_areq_node_t *areq) -{ - int indx; - crypto_req_id_t id; - kcf_areq_node_t *headp; - kcf_reqid_table_t *rt; - - rt = kcf_reqid_table[CPU_SEQID_UNSTABLE & REQID_TABLE_MASK]; - - mutex_enter(&rt->rt_lock); - - rt->rt_curid = id = - (rt->rt_curid - REQID_COUNTER_LOW) | REQID_COUNTER_HIGH; - SET_REQID(areq, id); - indx = REQID_HASH(id); - headp = areq->an_idnext = rt->rt_idhash[indx]; - areq->an_idprev = NULL; - if (headp != NULL) - headp->an_idprev = areq; - - rt->rt_idhash[indx] = areq; - mutex_exit(&rt->rt_lock); - - return (id); -} - /* * Delete the async request from the hash table. */ diff --git a/module/icp/include/sys/crypto/sched_impl.h b/module/icp/include/sys/crypto/sched_impl.h index a524a5c6f46d..6d70c65bfa46 100644 --- a/module/icp/include/sys/crypto/sched_impl.h +++ b/module/icp/include/sys/crypto/sched_impl.h @@ -59,9 +59,6 @@ typedef enum kcf_call_type { #define CHECK_RESTRICT(crq) (crq != NULL && \ ((crq)->cr_flag & CRYPTO_RESTRICTED)) -#define CHECK_FASTPATH(crq, pd) ((crq) == NULL || \ - !((crq)->cr_flag & CRYPTO_ALWAYS_QUEUE)) - #define KCF_KMFLAG(crq) (((crq) == NULL) ? KM_SLEEP : KM_NOSLEEP) /* @@ -452,8 +449,6 @@ extern kcf_provider_desc_t *kcf_get_mech_provider(crypto_mech_type_t, boolean_t); extern crypto_ctx_t *kcf_new_ctx(crypto_call_req_t *, kcf_provider_desc_t *, crypto_session_id_t); -extern int kcf_submit_request(kcf_provider_desc_t *, crypto_ctx_t *, - crypto_call_req_t *, kcf_req_params_t *); extern void kcf_sched_destroy(void); extern void kcf_sched_init(void); extern void kcf_sched_start(void); diff --git a/module/os/linux/zfs/zio_crypt.c b/module/os/linux/zfs/zio_crypt.c index f60767855c67..224fb84bada0 100644 --- a/module/os/linux/zfs/zio_crypt.c +++ b/module/os/linux/zfs/zio_crypt.c @@ -1004,7 +1004,7 @@ zio_crypt_bp_do_hmac_updates(crypto_context_t ctx, uint64_t version, cd.cd_raw.iov_base = (char *)&bab; cd.cd_raw.iov_len = cd.cd_length; - ret = crypto_mac_update(ctx, &cd, NULL); + ret = crypto_mac_update(ctx, &cd); if (ret != CRYPTO_SUCCESS) { ret = SET_ERROR(EIO); goto error; @@ -1075,7 +1075,7 @@ zio_crypt_do_dnode_hmac_updates(crypto_context_t ctx, uint64_t version, cd.cd_raw.iov_base = (char *)adnp; cd.cd_raw.iov_len = cd.cd_length; - ret = crypto_mac_update(ctx, &cd, NULL); + ret = crypto_mac_update(ctx, &cd); if (ret != CRYPTO_SUCCESS) { ret = SET_ERROR(EIO); goto error; @@ -1160,7 +1160,7 @@ zio_crypt_do_objset_hmacs(zio_crypt_key_t *key, void *data, uint_t datalen, cd.cd_raw.iov_base = (char *)&intval; cd.cd_raw.iov_len = cd.cd_length; - ret = crypto_mac_update(ctx, &cd, NULL); + ret = crypto_mac_update(ctx, &cd); if (ret != CRYPTO_SUCCESS) { ret = SET_ERROR(EIO); goto error; @@ -1178,7 +1178,7 @@ zio_crypt_do_objset_hmacs(zio_crypt_key_t *key, void *data, uint_t datalen, cd.cd_raw.iov_base = (char *)&intval; cd.cd_raw.iov_len = cd.cd_length; - ret = crypto_mac_update(ctx, &cd, NULL); + ret = crypto_mac_update(ctx, &cd); if (ret != CRYPTO_SUCCESS) { ret = SET_ERROR(EIO); goto error; @@ -1195,7 +1195,7 @@ zio_crypt_do_objset_hmacs(zio_crypt_key_t *key, void *data, uint_t datalen, cd.cd_raw.iov_base = (char *)raw_portable_mac; cd.cd_raw.iov_len = cd.cd_length; - ret = crypto_mac_final(ctx, &cd, NULL); + ret = crypto_mac_final(ctx, &cd); if (ret != CRYPTO_SUCCESS) { ret = SET_ERROR(EIO); goto error; @@ -1253,7 +1253,7 @@ zio_crypt_do_objset_hmacs(zio_crypt_key_t *key, void *data, uint_t datalen, cd.cd_raw.iov_base = (char *)&intval; cd.cd_raw.iov_len = cd.cd_length; - ret = crypto_mac_update(ctx, &cd, NULL); + ret = crypto_mac_update(ctx, &cd); if (ret != CRYPTO_SUCCESS) { ret = SET_ERROR(EIO); goto error; @@ -1287,7 +1287,7 @@ zio_crypt_do_objset_hmacs(zio_crypt_key_t *key, void *data, uint_t datalen, cd.cd_raw.iov_base = (char *)raw_local_mac; cd.cd_raw.iov_len = cd.cd_length; - ret = crypto_mac_final(ctx, &cd, NULL); + ret = crypto_mac_final(ctx, &cd); if (ret != CRYPTO_SUCCESS) { ret = SET_ERROR(EIO); goto error; diff --git a/module/zfs/hkdf.c b/module/zfs/hkdf.c index 14265472df7d..49ad0a9fbe24 100644 --- a/module/zfs/hkdf.c +++ b/module/zfs/hkdf.c @@ -114,15 +114,15 @@ hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len, if (ret != CRYPTO_SUCCESS) return (SET_ERROR(EIO)); - ret = crypto_mac_update(ctx, &T_cd, NULL); + ret = crypto_mac_update(ctx, &T_cd); if (ret != CRYPTO_SUCCESS) return (SET_ERROR(EIO)); - ret = crypto_mac_update(ctx, &info_cd, NULL); + ret = crypto_mac_update(ctx, &info_cd); if (ret != CRYPTO_SUCCESS) return (SET_ERROR(EIO)); - ret = crypto_mac_update(ctx, &c_cd, NULL); + ret = crypto_mac_update(ctx, &c_cd); if (ret != CRYPTO_SUCCESS) return (SET_ERROR(EIO)); @@ -130,7 +130,7 @@ hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len, T_cd.cd_length = T_len; T_cd.cd_raw.iov_len = T_cd.cd_length; - ret = crypto_mac_final(ctx, &T_cd, NULL); + ret = crypto_mac_final(ctx, &T_cd); if (ret != CRYPTO_SUCCESS) return (SET_ERROR(EIO)); From d95c4060eabffd527297f86770bde3ca9e32f02b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Fri, 24 Dec 2021 16:43:18 +0100 Subject: [PATCH 15/39] module: icp: remove unused CRYPTO_{NOTIFY_OPDONE,SKIP_REQID,RESTRICTED} MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/sys/crypto/api.h | 8 -------- module/icp/api/kcf_cipher.c | 4 ++-- module/icp/api/kcf_mac.c | 4 ++-- module/icp/core/kcf_callprov.c | 8 ++------ module/icp/core/kcf_sched.c | 8 ++------ module/icp/include/sys/crypto/sched_impl.h | 6 +----- 6 files changed, 9 insertions(+), 29 deletions(-) diff --git a/include/sys/crypto/api.h b/include/sys/crypto/api.h index 65f3237ba7c0..f3101889261e 100644 --- a/include/sys/crypto/api.h +++ b/include/sys/crypto/api.h @@ -38,15 +38,7 @@ typedef void *crypto_bc_t; typedef void *crypto_context_t; typedef void *crypto_ctx_template_t; -typedef uint32_t crypto_call_flag_t; - -/* crypto_call_flag's values */ -#define CRYPTO_NOTIFY_OPDONE 0x00000002 /* Notify intermediate steps */ -#define CRYPTO_SKIP_REQID 0x00000004 /* Skip request ID generation */ -#define CRYPTO_RESTRICTED 0x00000008 /* cannot use restricted prov */ - typedef struct { - crypto_call_flag_t cr_flag; void (*cr_callback_func)(void *, int); void *cr_callback_arg; crypto_req_id_t cr_reqid; diff --git a/module/icp/api/kcf_cipher.c b/module/icp/api/kcf_cipher.c index 61fb2208ba9c..30fd0f3d198d 100644 --- a/module/icp/api/kcf_cipher.c +++ b/module/icp/api/kcf_cipher.c @@ -83,7 +83,7 @@ crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, retry: /* pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, &me, &error, - list, CRYPTO_FG_ENCRYPT_ATOMIC, CHECK_RESTRICT(crq))) == NULL) { + list, CRYPTO_FG_ENCRYPT_ATOMIC)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); @@ -161,7 +161,7 @@ crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, retry: /* pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, &me, &error, - list, CRYPTO_FG_DECRYPT_ATOMIC, CHECK_RESTRICT(crq))) == NULL) { + list, CRYPTO_FG_DECRYPT_ATOMIC)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index c2260b2b087b..cf805ee1cc39 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -102,7 +102,7 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, &me, &error, - list, CRYPTO_FG_MAC_ATOMIC, CHECK_RESTRICT(crq))) == NULL) { + list, CRYPTO_FG_MAC_ATOMIC)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); @@ -219,7 +219,7 @@ crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, &me, &error, - list, CRYPTO_FG_MAC, CHECK_RESTRICT(crq))) == NULL) { + list, CRYPTO_FG_MAC)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); diff --git a/module/icp/core/kcf_callprov.c b/module/icp/core/kcf_callprov.c index 3fe6e3ebce3f..270579061f15 100644 --- a/module/icp/core/kcf_callprov.c +++ b/module/icp/core/kcf_callprov.c @@ -78,14 +78,10 @@ is_in_triedlist(kcf_provider_desc_t *pd, kcf_prov_tried_t *triedl) * search to find one. This is fine as we assume there are only a few * number of providers in this list. If this assumption ever changes, * we should revisit this. - * - * call_restrict represents if the caller should not be allowed to - * use restricted providers. */ kcf_provider_desc_t * kcf_get_mech_provider(crypto_mech_type_t mech_type, kcf_mech_entry_t **mepp, - int *error, kcf_prov_tried_t *triedl, crypto_func_group_t fg, - boolean_t call_restrict) + int *error, kcf_prov_tried_t *triedl, crypto_func_group_t fg) { kcf_provider_desc_t *pd = NULL; kcf_prov_mech_desc_t *mdesc; @@ -119,7 +115,7 @@ kcf_get_mech_provider(crypto_mech_type_t mech_type, kcf_mech_entry_t **mepp, if (!IS_FG_SUPPORTED(mdesc, fg) || !KCF_IS_PROV_USABLE(pd) || IS_PROVIDER_TRIED(pd, triedl) || - (call_restrict && (pd->pd_flags & KCF_PROV_RESTRICTED))) + (pd->pd_flags & KCF_PROV_RESTRICTED)) pd = NULL; } diff --git a/module/icp/core/kcf_sched.c b/module/icp/core/kcf_sched.c index 9e66586a97fe..5155b4710e36 100644 --- a/module/icp/core/kcf_sched.c +++ b/module/icp/core/kcf_sched.c @@ -265,8 +265,7 @@ kcf_resubmit_request(kcf_areq_node_t *areq) return (error); new_pd = kcf_get_mech_provider(mech1->cm_type, NULL, &error, - areq->an_tried_plist, fg, - (areq->an_reqarg.cr_flag & CRYPTO_RESTRICTED)); + areq->an_tried_plist, fg); if (new_pd == NULL) return (error); @@ -684,16 +683,13 @@ kcf_aop_done(kcf_areq_node_t *areq, int error) * atomic operations. */ skip_notify = (IS_UPDATE_OP(optype) || IS_INIT_OP(optype)) && - (!(areq->an_reqarg.cr_flag & CRYPTO_NOTIFY_OPDONE)) && (error == CRYPTO_SUCCESS); if (!skip_notify) { NOTIFY_CLIENT(areq, error); } - if (!(areq->an_reqarg.cr_flag & CRYPTO_SKIP_REQID)) - kcf_reqid_delete(areq); - + kcf_reqid_delete(areq); KCF_AREQ_REFRELE(areq); } diff --git a/module/icp/include/sys/crypto/sched_impl.h b/module/icp/include/sys/crypto/sched_impl.h index 6d70c65bfa46..eb08f57baa5e 100644 --- a/module/icp/include/sys/crypto/sched_impl.h +++ b/module/icp/include/sys/crypto/sched_impl.h @@ -56,9 +56,6 @@ typedef enum kcf_call_type { CRYPTO_ASYNCH } kcf_call_type_t; -#define CHECK_RESTRICT(crq) (crq != NULL && \ - ((crq)->cr_flag & CRYPTO_RESTRICTED)) - #define KCF_KMFLAG(crq) (((crq) == NULL) ? KM_SLEEP : KM_NOSLEEP) /* @@ -445,8 +442,7 @@ extern void kcf_free_triedlist(kcf_prov_tried_t *); extern kcf_prov_tried_t *kcf_insert_triedlist(kcf_prov_tried_t **, kcf_provider_desc_t *, int); extern kcf_provider_desc_t *kcf_get_mech_provider(crypto_mech_type_t, - kcf_mech_entry_t **, int *, kcf_prov_tried_t *, crypto_func_group_t, - boolean_t); + kcf_mech_entry_t **, int *, kcf_prov_tried_t *, crypto_func_group_t); extern crypto_ctx_t *kcf_new_ctx(crypto_call_req_t *, kcf_provider_desc_t *, crypto_session_id_t); extern void kcf_sched_destroy(void); From bf3ac8edf6d3f697f087cc258f9a0abddaec7358 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Fri, 24 Dec 2021 17:04:32 +0100 Subject: [PATCH 16/39] module: icp: remove unused p[di]_flags MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/core/kcf_callprov.c | 3 +-- module/icp/include/sys/crypto/impl.h | 6 ------ module/icp/include/sys/crypto/spi.h | 20 -------------------- module/icp/spi/kcf_spi.c | 19 ------------------- 4 files changed, 1 insertion(+), 47 deletions(-) diff --git a/module/icp/core/kcf_callprov.c b/module/icp/core/kcf_callprov.c index 270579061f15..8059670a1cb0 100644 --- a/module/icp/core/kcf_callprov.c +++ b/module/icp/core/kcf_callprov.c @@ -114,8 +114,7 @@ kcf_get_mech_provider(crypto_mech_type_t mech_type, kcf_mech_entry_t **mepp, pd = mdesc->pm_prov_desc; if (!IS_FG_SUPPORTED(mdesc, fg) || !KCF_IS_PROV_USABLE(pd) || - IS_PROVIDER_TRIED(pd, triedl) || - (pd->pd_flags & KCF_PROV_RESTRICTED)) + IS_PROVIDER_TRIED(pd, triedl)) pd = NULL; } diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index 8b45c0536e94..a2be8849c4b0 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -145,9 +145,6 @@ typedef enum { #define KCF_IS_PROV_USABLE(pd) ((pd)->pd_state == KCF_PROV_READY) #define KCF_IS_PROV_REMOVED(pd) ((pd)->pd_state >= KCF_PROV_REMOVED) -/* Internal flags valid for pd_flags field */ -#define KCF_PROV_RESTRICTED 0x40000000 - /* * A provider descriptor structure. There is one such structure per * provider. It is allocated and initialized at registration time and @@ -170,8 +167,6 @@ typedef enum { * by the provider during registration * pd_remove_cv: cv to wait on while the provider queue drains * pd_description: Provider description string - * pd_flags bitwise OR of pi_flags from crypto_provider_info_t - * and other internal flags defined above. * pd_hash_limit Maximum data size that hash mechanisms of this provider * can support. * pd_kcf_prov_handle: KCF-private handle assigned by KCF @@ -195,7 +190,6 @@ typedef struct kcf_provider_desc { uint_t pd_mech_list_count; kcondvar_t pd_remove_cv; const char *pd_description; - uint_t pd_flags; uint_t pd_hash_limit; crypto_kcf_provider_handle_t pd_kcf_prov_handle; crypto_provider_id_t pd_prov_id; diff --git a/module/icp/include/sys/crypto/spi.h b/module/icp/include/sys/crypto/spi.h index fdf8d8511462..a047a30a06b1 100644 --- a/module/icp/include/sys/crypto/spi.h +++ b/module/icp/include/sys/crypto/spi.h @@ -236,13 +236,6 @@ typedef struct crypto_mech_info { ssize_t cm_max_key_length; uint32_t cm_mech_flags; } crypto_mech_info_t; - - -/* - * The following is used by a provider that sets - * CRYPTO_HASH_NO_UPDATE. It needs to specify the maximum - * input data size it can digest in this field. - */ #define cm_max_input_length cm_max_key_length /* @@ -266,21 +259,8 @@ typedef struct crypto_provider_info { const crypto_ops_t *pi_ops_vector; uint_t pi_mech_list_count; const crypto_mech_info_t *pi_mechanisms; - uint_t pi_flags; } crypto_provider_info_t; -/* - * provider can not do multi-part digest (updates) and has a limit - * on maximum input data that it can digest. - */ -#define CRYPTO_HASH_NO_UPDATE 0x00000002 - -/* provider can handle the request without returning a CRYPTO_QUEUED */ -#define CRYPTO_SYNCHRONOUS 0x00000004 - -#define CRYPTO_PIFLAGS_RESERVED2 0x40000000 -#define CRYPTO_PIFLAGS_RESERVED1 0x80000000 - /* * Functions exported by Solaris to cryptographic providers. Providers * call these functions to register and unregister, notify the kernel diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c index e40291a12945..89ecb4e41127 100644 --- a/module/icp/spi/kcf_spi.c +++ b/module/icp/spi/kcf_spi.c @@ -77,7 +77,6 @@ crypto_register_provider(const crypto_provider_info_t *info, /* Change from Illumos: the ops vector is persistent. */ prov_desc->pd_ops_vector = info->pi_ops_vector; - prov_desc->pd_flags = info->pi_flags; /* process the mechanisms supported by the provider */ if ((ret = init_prov_mechs(info, prov_desc)) != CRYPTO_SUCCESS) @@ -279,24 +278,6 @@ init_prov_mechs(const crypto_provider_info_t *info, kcf_provider_desc_t *desc) break; } - if (desc->pd_flags & CRYPTO_HASH_NO_UPDATE && - mi->cm_func_group_mask & CRYPTO_FG_DIGEST) { - /* - * We ask the provider to specify the limit - * per hash mechanism. But, in practice, a - * hardware limitation means all hash mechanisms - * will have the same maximum size allowed for - * input data. So, we make it a per provider - * limit to keep it simple. - */ - if (mi->cm_max_input_length == 0) { - err = CRYPTO_ARGUMENTS_BAD; - break; - } else { - desc->pd_hash_limit = mi->cm_max_input_length; - } - } - if ((err = kcf_add_mech_provider(mech_idx, desc, &pmd)) != KCF_SUCCESS) break; From e36ec49da21ca263e06af4ac129af9756a346ca2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Fri, 24 Dec 2021 17:34:19 +0100 Subject: [PATCH 17/39] module: icp: remove unused kcf_op_{group,type}, req_params, ... MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/core/kcf_callprov.c | 219 ------------ module/icp/core/kcf_sched.c | 369 --------------------- module/icp/include/sys/crypto/impl.h | 81 ----- module/icp/include/sys/crypto/ops_impl.h | 210 ------------ module/icp/include/sys/crypto/sched_impl.h | 16 - module/icp/io/sha2_mod.c | 1 - module/icp/io/skein_mod.c | 1 - 7 files changed, 897 deletions(-) diff --git a/module/icp/core/kcf_callprov.c b/module/icp/core/kcf_callprov.c index 8059670a1cb0..db8e33d5f9c2 100644 --- a/module/icp/core/kcf_callprov.c +++ b/module/icp/core/kcf_callprov.c @@ -133,222 +133,3 @@ kcf_get_mech_provider(crypto_mech_type_t mech_type, kcf_mech_entry_t **mepp, mutex_exit(&me->me_mutex); return (pd); } - -/* - * Do the actual work of calling the provider routines. - * - * pd - Provider structure - * ctx - Context for this operation - * params - Parameters for this operation - * rhndl - Request handle to use for notification - * - * The return values are the same as that of the respective SPI. - */ -int -common_submit_request(kcf_provider_desc_t *pd, crypto_ctx_t *ctx, - kcf_req_params_t *params, crypto_req_handle_t rhndl) -{ - int err = CRYPTO_ARGUMENTS_BAD; - kcf_op_type_t optype; - - optype = params->rp_optype; - - switch (params->rp_opgrp) { - case KCF_OG_DIGEST: { - kcf_digest_ops_params_t *dops = ¶ms->rp_u.digest_params; - - switch (optype) { - case KCF_OP_INIT: - /* - * We should do this only here and not in KCF_WRAP_* - * macros. This is because we may want to try other - * providers, in case we recover from a failure. - */ - KCF_SET_PROVIDER_MECHNUM(dops->do_framework_mechtype, - pd, &dops->do_mech); - - err = KCF_PROV_DIGEST_INIT(pd, ctx, &dops->do_mech, - rhndl); - break; - - case KCF_OP_SINGLE: - err = KCF_PROV_DIGEST(pd, ctx, dops->do_data, - dops->do_digest, rhndl); - break; - - case KCF_OP_UPDATE: - err = KCF_PROV_DIGEST_UPDATE(pd, ctx, - dops->do_data, rhndl); - break; - - case KCF_OP_FINAL: - err = KCF_PROV_DIGEST_FINAL(pd, ctx, - dops->do_digest, rhndl); - break; - - case KCF_OP_ATOMIC: - ASSERT(ctx == NULL); - KCF_SET_PROVIDER_MECHNUM(dops->do_framework_mechtype, - pd, &dops->do_mech); - err = KCF_PROV_DIGEST_ATOMIC(pd, dops->do_sid, - &dops->do_mech, dops->do_data, dops->do_digest, - rhndl); - break; - - case KCF_OP_DIGEST_KEY: - err = KCF_PROV_DIGEST_KEY(pd, ctx, dops->do_digest_key, - rhndl); - break; - - default: - break; - } - break; - } - - case KCF_OG_MAC: { - kcf_mac_ops_params_t *mops = ¶ms->rp_u.mac_params; - - switch (optype) { - case KCF_OP_INIT: - KCF_SET_PROVIDER_MECHNUM(mops->mo_framework_mechtype, - pd, &mops->mo_mech); - - err = KCF_PROV_MAC_INIT(pd, ctx, &mops->mo_mech, - mops->mo_key, mops->mo_templ, rhndl); - break; - - case KCF_OP_SINGLE: - err = KCF_PROV_MAC(pd, ctx, mops->mo_data, - mops->mo_mac, rhndl); - break; - - case KCF_OP_UPDATE: - err = KCF_PROV_MAC_UPDATE(pd, ctx, mops->mo_data, - rhndl); - break; - - case KCF_OP_FINAL: - err = KCF_PROV_MAC_FINAL(pd, ctx, mops->mo_mac, rhndl); - break; - - case KCF_OP_ATOMIC: - ASSERT(ctx == NULL); - KCF_SET_PROVIDER_MECHNUM(mops->mo_framework_mechtype, - pd, &mops->mo_mech); - - err = KCF_PROV_MAC_ATOMIC(pd, mops->mo_sid, - &mops->mo_mech, mops->mo_key, mops->mo_data, - mops->mo_mac, mops->mo_templ, rhndl); - break; - - case KCF_OP_MAC_VERIFY_ATOMIC: - ASSERT(ctx == NULL); - KCF_SET_PROVIDER_MECHNUM(mops->mo_framework_mechtype, - pd, &mops->mo_mech); - - err = KCF_PROV_MAC_VERIFY_ATOMIC(pd, mops->mo_sid, - &mops->mo_mech, mops->mo_key, mops->mo_data, - mops->mo_mac, mops->mo_templ, rhndl); - break; - - default: - break; - } - break; - } - - case KCF_OG_ENCRYPT: { - kcf_encrypt_ops_params_t *eops = ¶ms->rp_u.encrypt_params; - - switch (optype) { - case KCF_OP_INIT: - KCF_SET_PROVIDER_MECHNUM(eops->eo_framework_mechtype, - pd, &eops->eo_mech); - - err = KCF_PROV_ENCRYPT_INIT(pd, ctx, &eops->eo_mech, - eops->eo_key, eops->eo_templ, rhndl); - break; - - case KCF_OP_SINGLE: - err = KCF_PROV_ENCRYPT(pd, ctx, eops->eo_plaintext, - eops->eo_ciphertext, rhndl); - break; - - case KCF_OP_UPDATE: - err = KCF_PROV_ENCRYPT_UPDATE(pd, ctx, - eops->eo_plaintext, eops->eo_ciphertext, rhndl); - break; - - case KCF_OP_FINAL: - err = KCF_PROV_ENCRYPT_FINAL(pd, ctx, - eops->eo_ciphertext, rhndl); - break; - - case KCF_OP_ATOMIC: - ASSERT(ctx == NULL); - KCF_SET_PROVIDER_MECHNUM(eops->eo_framework_mechtype, - pd, &eops->eo_mech); - - err = KCF_PROV_ENCRYPT_ATOMIC(pd, eops->eo_sid, - &eops->eo_mech, eops->eo_key, eops->eo_plaintext, - eops->eo_ciphertext, eops->eo_templ, rhndl); - break; - - default: - break; - } - break; - } - - case KCF_OG_DECRYPT: { - kcf_decrypt_ops_params_t *dcrops = ¶ms->rp_u.decrypt_params; - - switch (optype) { - case KCF_OP_INIT: - KCF_SET_PROVIDER_MECHNUM(dcrops->dop_framework_mechtype, - pd, &dcrops->dop_mech); - - err = KCF_PROV_DECRYPT_INIT(pd, ctx, &dcrops->dop_mech, - dcrops->dop_key, dcrops->dop_templ, rhndl); - break; - - case KCF_OP_SINGLE: - err = KCF_PROV_DECRYPT(pd, ctx, dcrops->dop_ciphertext, - dcrops->dop_plaintext, rhndl); - break; - - case KCF_OP_UPDATE: - err = KCF_PROV_DECRYPT_UPDATE(pd, ctx, - dcrops->dop_ciphertext, dcrops->dop_plaintext, - rhndl); - break; - - case KCF_OP_FINAL: - err = KCF_PROV_DECRYPT_FINAL(pd, ctx, - dcrops->dop_plaintext, rhndl); - break; - - case KCF_OP_ATOMIC: - ASSERT(ctx == NULL); - KCF_SET_PROVIDER_MECHNUM(dcrops->dop_framework_mechtype, - pd, &dcrops->dop_mech); - - err = KCF_PROV_DECRYPT_ATOMIC(pd, dcrops->dop_sid, - &dcrops->dop_mech, dcrops->dop_key, - dcrops->dop_ciphertext, dcrops->dop_plaintext, - dcrops->dop_templ, rhndl); - break; - - default: - break; - } - break; - } - default: - break; - } /* end of switch(params->rp_opgrp) */ - - KCF_PROV_INCRSTATS(pd, err); - return (err); -} diff --git a/module/icp/core/kcf_sched.c b/module/icp/core/kcf_sched.c index 5155b4710e36..9dd1c39d4299 100644 --- a/module/icp/core/kcf_sched.c +++ b/module/icp/core/kcf_sched.c @@ -64,10 +64,7 @@ static kcf_stats_t kcf_ksdata = { static kstat_t *kcf_misc_kstat = NULL; ulong_t kcf_swprov_hndl = 0; -static int kcf_disp_sw_request(kcf_areq_node_t *); -static int kcf_enqueue(kcf_areq_node_t *); static void kcfpool_alloc(void); -static void kcf_reqid_delete(kcf_areq_node_t *areq); static int kcf_misc_kstat_update(kstat_t *ksp, int rw); /* @@ -106,201 +103,6 @@ kcf_new_ctx(crypto_call_req_t *crq, kcf_provider_desc_t *pd, return (ctx); } -/* - * Queue the request node and do one of the following: - * - If there is an idle thread signal it to run. - * - If there is no idle thread and max running threads is not - * reached, signal the creator thread for more threads. - * - * If the two conditions above are not met, we don't need to do - * anything. The request will be picked up by one of the - * worker threads when it becomes available. - */ -static int -kcf_disp_sw_request(kcf_areq_node_t *areq) -{ - int err; - int cnt = 0; - - if ((err = kcf_enqueue(areq)) != 0) - return (err); - - if (kcfpool->kp_idlethreads > 0) { - /* Signal an idle thread to run */ - mutex_enter(&gswq->gs_lock); - cv_signal(&gswq->gs_cv); - mutex_exit(&gswq->gs_lock); - - return (CRYPTO_QUEUED); - } - - /* - * We keep the number of running threads to be at - * kcf_minthreads to reduce gs_lock contention. - */ - cnt = kcf_minthreads - - (kcfpool->kp_threads - kcfpool->kp_blockedthreads); - if (cnt > 0) { - /* - * The following ensures the number of threads in pool - * does not exceed kcf_maxthreads. - */ - cnt = MIN(cnt, kcf_maxthreads - (int)kcfpool->kp_threads); - if (cnt > 0) { - /* Signal the creator thread for more threads */ - mutex_enter(&kcfpool->kp_user_lock); - if (!kcfpool->kp_signal_create_thread) { - kcfpool->kp_signal_create_thread = B_TRUE; - kcfpool->kp_nthrs = cnt; - cv_signal(&kcfpool->kp_user_cv); - } - mutex_exit(&kcfpool->kp_user_lock); - } - } - - return (CRYPTO_QUEUED); -} - -/* - * This routine checks if a request can be retried on another - * provider. If true, mech1 is initialized to point to the mechanism - * structure. fg is initialized to the correct crypto_func_group_t bit flag. - * They are initialized by this routine, so that the caller can pass them to - * kcf_get_mech_provider() with no further change. - * - * We check that the request is for a init or atomic routine and that - * it is for one of the operation groups used from k-api . - */ -static boolean_t -can_resubmit(kcf_areq_node_t *areq, crypto_mechanism_t **mech1, - crypto_func_group_t *fg) -{ - kcf_req_params_t *params; - kcf_op_type_t optype; - - params = &areq->an_params; - optype = params->rp_optype; - - if (!(IS_INIT_OP(optype) || IS_ATOMIC_OP(optype))) - return (B_FALSE); - - switch (params->rp_opgrp) { - case KCF_OG_DIGEST: { - kcf_digest_ops_params_t *dops = ¶ms->rp_u.digest_params; - - dops->do_mech.cm_type = dops->do_framework_mechtype; - *mech1 = &dops->do_mech; - *fg = (optype == KCF_OP_INIT) ? CRYPTO_FG_DIGEST : - CRYPTO_FG_DIGEST_ATOMIC; - break; - } - - case KCF_OG_MAC: { - kcf_mac_ops_params_t *mops = ¶ms->rp_u.mac_params; - - mops->mo_mech.cm_type = mops->mo_framework_mechtype; - *mech1 = &mops->mo_mech; - *fg = (optype == KCF_OP_INIT) ? CRYPTO_FG_MAC : - CRYPTO_FG_MAC_ATOMIC; - break; - } - - case KCF_OG_ENCRYPT: { - kcf_encrypt_ops_params_t *eops = ¶ms->rp_u.encrypt_params; - - eops->eo_mech.cm_type = eops->eo_framework_mechtype; - *mech1 = &eops->eo_mech; - *fg = (optype == KCF_OP_INIT) ? CRYPTO_FG_ENCRYPT : - CRYPTO_FG_ENCRYPT_ATOMIC; - break; - } - - case KCF_OG_DECRYPT: { - kcf_decrypt_ops_params_t *dcrops = ¶ms->rp_u.decrypt_params; - - dcrops->dop_mech.cm_type = dcrops->dop_framework_mechtype; - *mech1 = &dcrops->dop_mech; - *fg = (optype == KCF_OP_INIT) ? CRYPTO_FG_DECRYPT : - CRYPTO_FG_DECRYPT_ATOMIC; - break; - } - - default: - return (B_FALSE); - } - - return (B_TRUE); -} - -/* - * This routine is called when a request to a provider has failed - * with a recoverable error. This routine tries to find another provider - * and dispatches the request to the new provider, if one is available. - * We reuse the request structure. - * - * A return value of NULL from kcf_get_mech_provider() indicates - * we have tried the last provider. - */ -static int -kcf_resubmit_request(kcf_areq_node_t *areq) -{ - int error = CRYPTO_FAILED; - kcf_context_t *ictx; - kcf_provider_desc_t *old_pd; - kcf_provider_desc_t *new_pd; - crypto_mechanism_t *mech1 = NULL; - crypto_func_group_t fg = 0; - - if (!can_resubmit(areq, &mech1, &fg)) - return (error); - - old_pd = areq->an_provider; - /* - * Add old_pd to the list of providers already tried. We release - * the hold on old_pd (from the earlier kcf_get_mech_provider()) in - * kcf_free_triedlist(). - */ - if (kcf_insert_triedlist(&areq->an_tried_plist, old_pd, - KM_NOSLEEP) == NULL) - return (error); - - new_pd = kcf_get_mech_provider(mech1->cm_type, NULL, &error, - areq->an_tried_plist, fg); - - if (new_pd == NULL) - return (error); - - /* - * We reuse the old context by resetting provider specific - * fields in it. - */ - if ((ictx = areq->an_context) != NULL) { - crypto_ctx_t *ctx; - - ASSERT(old_pd == ictx->kc_prov_desc); - KCF_PROV_REFRELE(ictx->kc_prov_desc); - KCF_PROV_REFHOLD(new_pd); - ictx->kc_prov_desc = new_pd; - - ctx = &ictx->kc_glbl_ctx; - ctx->cc_provider = new_pd->pd_prov_handle; - ctx->cc_session = new_pd->pd_sid; - ctx->cc_provider_private = NULL; - } - - /* We reuse areq. by resetting the provider and context fields. */ - KCF_PROV_REFRELE(old_pd); - KCF_PROV_REFHOLD(new_pd); - areq->an_provider = new_pd; - mutex_enter(&areq->an_lock); - areq->an_state = REQ_WAITING; - mutex_exit(&areq->an_lock); - - error = kcf_disp_sw_request(areq); - - return (error); -} - /* * We're done with this framework context, so free it. Note that freeing * framework context (kcf_context) frees the global context (crypto_ctx). @@ -367,45 +169,6 @@ kcf_free_req(kcf_areq_node_t *areq) kmem_cache_free(kcf_areq_cache, areq); } -/* - * Add the request node to the end of the global queue. - * - * The caller should not hold the queue lock. Returns 0 if the - * request is successfully queued. Returns CRYPTO_BUSY if the limit - * on the number of jobs is exceeded. - */ -static int -kcf_enqueue(kcf_areq_node_t *node) -{ - kcf_areq_node_t *tnode; - - mutex_enter(&gswq->gs_lock); - - if (gswq->gs_njobs >= gswq->gs_maxjobs) { - mutex_exit(&gswq->gs_lock); - return (CRYPTO_BUSY); - } - - if (gswq->gs_last == NULL) { - gswq->gs_first = gswq->gs_last = node; - } else { - ASSERT(gswq->gs_last->an_next == NULL); - tnode = gswq->gs_last; - tnode->an_next = node; - gswq->gs_last = node; - node->an_prev = tnode; - } - - gswq->gs_njobs++; - - /* an_lock not needed here as we hold gs_lock */ - node->an_state = REQ_WAITING; - - mutex_exit(&gswq->gs_lock); - - return (0); -} - /* * kmem_cache_alloc constructor for sync request structure. */ @@ -592,107 +355,6 @@ kcf_sched_init(void) } } -/* - * Signal the waiting sync client. - */ -void -kcf_sop_done(kcf_sreq_node_t *sreq, int error) -{ - mutex_enter(&sreq->sn_lock); - sreq->sn_state = REQ_DONE; - sreq->sn_rv = error; - cv_signal(&sreq->sn_cv); - mutex_exit(&sreq->sn_lock); -} - -/* - * Callback the async client with the operation status. - * We free the async request node and possibly the context. - * We also handle any chain of requests hanging off of - * the context. - */ -void -kcf_aop_done(kcf_areq_node_t *areq, int error) -{ - kcf_op_type_t optype; - boolean_t skip_notify = B_FALSE; - kcf_context_t *ictx; - kcf_areq_node_t *nextreq; - - /* - * Handle recoverable errors. This has to be done first - * before doing anything else in this routine so that - * we do not change the state of the request. - */ - if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { - /* - * We try another provider, if one is available. Else - * we continue with the failure notification to the - * client. - */ - if (kcf_resubmit_request(areq) == CRYPTO_QUEUED) - return; - } - - mutex_enter(&areq->an_lock); - areq->an_state = REQ_DONE; - mutex_exit(&areq->an_lock); - - optype = (&areq->an_params)->rp_optype; - if ((ictx = areq->an_context) != NULL) { - /* - * A request after it is removed from the request - * queue, still stays on a chain of requests hanging - * of its context structure. It needs to be removed - * from this chain at this point. - */ - mutex_enter(&ictx->kc_in_use_lock); - nextreq = areq->an_ctxchain_next; - if (nextreq != NULL) { - mutex_enter(&nextreq->an_lock); - nextreq->an_is_my_turn = B_TRUE; - cv_signal(&nextreq->an_turn_cv); - mutex_exit(&nextreq->an_lock); - } - - ictx->kc_req_chain_first = nextreq; - if (nextreq == NULL) - ictx->kc_req_chain_last = NULL; - mutex_exit(&ictx->kc_in_use_lock); - - if (IS_SINGLE_OP(optype) || IS_FINAL_OP(optype)) { - ASSERT(nextreq == NULL); - KCF_CONTEXT_REFRELE(ictx); - } else if (error != CRYPTO_SUCCESS && IS_INIT_OP(optype)) { - /* - * NOTE - We do not release the context in case of update - * operations. We require the consumer to free it explicitly, - * in case it wants to abandon an update operation. This is done - * as there may be mechanisms in ECB mode that can continue - * even if an operation on a block fails. - */ - KCF_CONTEXT_REFRELE(ictx); - } - } - - /* - * If CRYPTO_NOTIFY_OPDONE flag is set, we should notify - * always. If this flag is clear, we skip the notification - * provided there are no errors. We check this flag for only - * init or update operations. It is ignored for single, final or - * atomic operations. - */ - skip_notify = (IS_UPDATE_OP(optype) || IS_INIT_OP(optype)) && - (error == CRYPTO_SUCCESS); - - if (!skip_notify) { - NOTIFY_CLIENT(areq, error); - } - - kcf_reqid_delete(areq); - KCF_AREQ_REFRELE(areq); -} - /* * Allocate the thread pool and initialize all the fields. */ @@ -714,37 +376,6 @@ kcfpool_alloc() cv_init(&kcfpool->kp_user_cv, NULL, CV_DEFAULT, NULL); } -/* - * Delete the async request from the hash table. - */ -static void -kcf_reqid_delete(kcf_areq_node_t *areq) -{ - int indx; - kcf_areq_node_t *nextp, *prevp; - crypto_req_id_t id = GET_REQID(areq); - kcf_reqid_table_t *rt; - - rt = kcf_reqid_table[id & REQID_TABLE_MASK]; - indx = REQID_HASH(id); - - mutex_enter(&rt->rt_lock); - - nextp = areq->an_idnext; - prevp = areq->an_idprev; - if (nextp != NULL) - nextp->an_idprev = prevp; - if (prevp != NULL) - prevp->an_idnext = nextp; - else - rt->rt_idhash[indx] = nextp; - - SET_REQID(areq, 0); - cv_broadcast(&areq->an_done); - - mutex_exit(&rt->rt_lock); -} - /* * Update kstats. */ diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index a2be8849c4b0..9f13866b7b99 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -410,36 +410,6 @@ typedef struct crypto_minor { KCF_PROV_DIGEST_OPS(pd)->digest_init(ctx, mech, req) : \ CRYPTO_NOT_SUPPORTED) -/* - * The _ (underscore) in _digest is needed to avoid replacing the - * function digest(). - */ -#define KCF_PROV_DIGEST(pd, ctx, data, _digest, req) ( \ - (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest) ? \ - KCF_PROV_DIGEST_OPS(pd)->digest(ctx, data, _digest, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_DIGEST_UPDATE(pd, ctx, data, req) ( \ - (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_update) ? \ - KCF_PROV_DIGEST_OPS(pd)->digest_update(ctx, data, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_DIGEST_KEY(pd, ctx, key, req) ( \ - (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_key) ? \ - KCF_PROV_DIGEST_OPS(pd)->digest_key(ctx, key, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_DIGEST_FINAL(pd, ctx, digest, req) ( \ - (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_final) ? \ - KCF_PROV_DIGEST_OPS(pd)->digest_final(ctx, digest, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_DIGEST_ATOMIC(pd, session, mech, data, digest, req) ( \ - (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_atomic) ? \ - KCF_PROV_DIGEST_OPS(pd)->digest_atomic( \ - (pd)->pd_prov_handle, session, mech, data, digest, req) : \ - CRYPTO_NOT_SUPPORTED) - /* * Wrappers for crypto_cipher_ops(9S) entry points. */ @@ -450,22 +420,6 @@ typedef struct crypto_minor { req) : \ CRYPTO_NOT_SUPPORTED) -#define KCF_PROV_ENCRYPT(pd, ctx, plaintext, ciphertext, req) ( \ - (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt) ? \ - KCF_PROV_CIPHER_OPS(pd)->encrypt(ctx, plaintext, ciphertext, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_ENCRYPT_UPDATE(pd, ctx, plaintext, ciphertext, req) ( \ - (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_update) ? \ - KCF_PROV_CIPHER_OPS(pd)->encrypt_update(ctx, plaintext, \ - ciphertext, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_ENCRYPT_FINAL(pd, ctx, ciphertext, req) ( \ - (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_final) ? \ - KCF_PROV_CIPHER_OPS(pd)->encrypt_final(ctx, ciphertext, req) : \ - CRYPTO_NOT_SUPPORTED) - #define KCF_PROV_ENCRYPT_ATOMIC(pd, session, mech, key, plaintext, ciphertext, \ template, req) ( \ (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic) ? \ @@ -474,28 +428,6 @@ typedef struct crypto_minor { template, req) : \ CRYPTO_NOT_SUPPORTED) -#define KCF_PROV_DECRYPT_INIT(pd, ctx, mech, key, template, req) ( \ - (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_init) ? \ - KCF_PROV_CIPHER_OPS(pd)->decrypt_init(ctx, mech, key, template, \ - req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_DECRYPT(pd, ctx, ciphertext, plaintext, req) ( \ - (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt) ? \ - KCF_PROV_CIPHER_OPS(pd)->decrypt(ctx, ciphertext, plaintext, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_DECRYPT_UPDATE(pd, ctx, ciphertext, plaintext, req) ( \ - (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_update) ? \ - KCF_PROV_CIPHER_OPS(pd)->decrypt_update(ctx, ciphertext, \ - plaintext, req) : \ - CRYPTO_NOT_SUPPORTED) - -#define KCF_PROV_DECRYPT_FINAL(pd, ctx, plaintext, req) ( \ - (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_final) ? \ - KCF_PROV_CIPHER_OPS(pd)->decrypt_final(ctx, plaintext, req) : \ - CRYPTO_NOT_SUPPORTED) - #define KCF_PROV_DECRYPT_ATOMIC(pd, session, mech, key, ciphertext, plaintext, \ template, req) ( \ (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic) ? \ @@ -517,11 +449,6 @@ typedef struct crypto_minor { * The _ (underscore) in _mac is needed to avoid replacing the * function mac(). */ -#define KCF_PROV_MAC(pd, ctx, data, _mac, req) ( \ - (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac) ? \ - KCF_PROV_MAC_OPS(pd)->mac(ctx, data, _mac, req) : \ - CRYPTO_NOT_SUPPORTED) - #define KCF_PROV_MAC_UPDATE(pd, ctx, data, req) ( \ (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_update) ? \ KCF_PROV_MAC_OPS(pd)->mac_update(ctx, data, req) : \ @@ -540,14 +467,6 @@ typedef struct crypto_minor { req) : \ CRYPTO_NOT_SUPPORTED) -#define KCF_PROV_MAC_VERIFY_ATOMIC(pd, session, mech, key, data, mac, \ - template, req) ( \ - (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_verify_atomic) ? \ - KCF_PROV_MAC_OPS(pd)->mac_verify_atomic( \ - (pd)->pd_prov_handle, session, mech, key, data, mac, template, \ - req) : \ - CRYPTO_NOT_SUPPORTED) - /* * Wrappers for crypto_ctx_ops(9S) entry points. */ diff --git a/module/icp/include/sys/crypto/ops_impl.h b/module/icp/include/sys/crypto/ops_impl.h index 9300e53bc5e8..d41cb89b96a0 100644 --- a/module/icp/include/sys/crypto/ops_impl.h +++ b/module/icp/include/sys/crypto/ops_impl.h @@ -26,218 +26,8 @@ #ifndef _SYS_CRYPTO_OPS_IMPL_H #define _SYS_CRYPTO_OPS_IMPL_H -/* - * Scheduler internal structures. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -#include -#include -#include -#include -#include - -/* - * The parameters needed for each function group are batched - * in one structure. This is much simpler than having a - * separate structure for each function. - * - * In some cases, a field is generically named to keep the - * structure small. The comments indicate these cases. - */ -typedef struct kcf_digest_ops_params { - crypto_session_id_t do_sid; - crypto_mech_type_t do_framework_mechtype; - crypto_mechanism_t do_mech; - crypto_data_t *do_data; - crypto_data_t *do_digest; - crypto_key_t *do_digest_key; /* Argument for digest_key() */ -} kcf_digest_ops_params_t; - -typedef struct kcf_mac_ops_params { - crypto_session_id_t mo_sid; - crypto_mech_type_t mo_framework_mechtype; - crypto_mechanism_t mo_mech; - crypto_key_t *mo_key; - crypto_data_t *mo_data; - crypto_data_t *mo_mac; - crypto_spi_ctx_template_t mo_templ; -} kcf_mac_ops_params_t; - -typedef struct kcf_encrypt_ops_params { - crypto_session_id_t eo_sid; - crypto_mech_type_t eo_framework_mechtype; - crypto_mechanism_t eo_mech; - crypto_key_t *eo_key; - crypto_data_t *eo_plaintext; - crypto_data_t *eo_ciphertext; - crypto_spi_ctx_template_t eo_templ; -} kcf_encrypt_ops_params_t; - -typedef struct kcf_decrypt_ops_params { - crypto_session_id_t dop_sid; - crypto_mech_type_t dop_framework_mechtype; - crypto_mechanism_t dop_mech; - crypto_key_t *dop_key; - crypto_data_t *dop_ciphertext; - crypto_data_t *dop_plaintext; - crypto_spi_ctx_template_t dop_templ; -} kcf_decrypt_ops_params_t; - -/* - * The operation type within a function group. - */ -typedef enum kcf_op_type { - /* common ops for all mechanisms */ - KCF_OP_INIT = 1, - KCF_OP_SINGLE, /* pkcs11 sense. So, INIT is already done */ - KCF_OP_UPDATE, - KCF_OP_FINAL, - KCF_OP_ATOMIC, - - /* digest_key op */ - KCF_OP_DIGEST_KEY, - - /* mac specific op */ - KCF_OP_MAC_VERIFY_ATOMIC, - - /* mac/cipher specific op */ - KCF_OP_MAC_VERIFY_DECRYPT_ATOMIC, -} kcf_op_type_t; - -/* - * The operation groups that need wrapping of parameters. This is somewhat - * similar to the function group type in spi.h except that this also includes - * all the functions that don't have a mechanism. - * - * The wrapper macros should never take these enum values as an argument. - * Rather, they are assigned in the macro itself since they are known - * from the macro name. - */ -typedef enum kcf_op_group { - KCF_OG_DIGEST = 1, - KCF_OG_MAC, - KCF_OG_ENCRYPT, - KCF_OG_DECRYPT, -} kcf_op_group_t; - -/* - * The kcf_op_type_t enum values used here should be only for those - * operations for which there is a k-api routine in sys/crypto/api.h. - */ -#define IS_INIT_OP(ftype) ((ftype) == KCF_OP_INIT) -#define IS_SINGLE_OP(ftype) ((ftype) == KCF_OP_SINGLE) -#define IS_UPDATE_OP(ftype) ((ftype) == KCF_OP_UPDATE) -#define IS_FINAL_OP(ftype) ((ftype) == KCF_OP_FINAL) -#define IS_ATOMIC_OP(ftype) ( \ - (ftype) == KCF_OP_ATOMIC || (ftype) == KCF_OP_MAC_VERIFY_ATOMIC) - -/* - * Keep the parameters associated with a request around. - * We need to pass them to the SPI. - */ -typedef struct kcf_req_params { - kcf_op_group_t rp_opgrp; - kcf_op_type_t rp_optype; - - union { - kcf_digest_ops_params_t digest_params; - kcf_mac_ops_params_t mac_params; - kcf_encrypt_ops_params_t encrypt_params; - kcf_decrypt_ops_params_t decrypt_params; - } rp_u; -} kcf_req_params_t; - - -/* - * The ioctl/k-api code should bundle the parameters into a kcf_req_params_t - * structure before calling a scheduler routine. The following macros are - * available for that purpose. - * - * For the most part, the macro arguments closely correspond to the - * function parameters. In some cases, we use generic names. The comments - * for the structure should indicate these cases. - */ -#define KCF_WRAP_DIGEST_OPS_PARAMS(req, ftype, _sid, _mech, _key, \ - _data, _digest) { \ - kcf_digest_ops_params_t *dops = &(req)->rp_u.digest_params; \ - crypto_mechanism_t *mechp = _mech; \ - \ - (req)->rp_opgrp = KCF_OG_DIGEST; \ - (req)->rp_optype = ftype; \ - dops->do_sid = _sid; \ - if (mechp != NULL) { \ - dops->do_mech = *mechp; \ - dops->do_framework_mechtype = mechp->cm_type; \ - } \ - dops->do_digest_key = _key; \ - dops->do_data = _data; \ - dops->do_digest = _digest; \ -} - -#define KCF_WRAP_MAC_OPS_PARAMS(req, ftype, _sid, _mech, _key, \ - _data, _mac, _templ) { \ - kcf_mac_ops_params_t *mops = &(req)->rp_u.mac_params; \ - crypto_mechanism_t *mechp = _mech; \ - \ - (req)->rp_opgrp = KCF_OG_MAC; \ - (req)->rp_optype = ftype; \ - mops->mo_sid = _sid; \ - if (mechp != NULL) { \ - mops->mo_mech = *mechp; \ - mops->mo_framework_mechtype = mechp->cm_type; \ - } \ - mops->mo_key = _key; \ - mops->mo_data = _data; \ - mops->mo_mac = _mac; \ - mops->mo_templ = _templ; \ -} - -#define KCF_WRAP_ENCRYPT_OPS_PARAMS(req, ftype, _sid, _mech, _key, \ - _plaintext, _ciphertext, _templ) { \ - kcf_encrypt_ops_params_t *cops = &(req)->rp_u.encrypt_params; \ - crypto_mechanism_t *mechp = _mech; \ - \ - (req)->rp_opgrp = KCF_OG_ENCRYPT; \ - (req)->rp_optype = ftype; \ - cops->eo_sid = _sid; \ - if (mechp != NULL) { \ - cops->eo_mech = *mechp; \ - cops->eo_framework_mechtype = mechp->cm_type; \ - } \ - cops->eo_key = _key; \ - cops->eo_plaintext = _plaintext; \ - cops->eo_ciphertext = _ciphertext; \ - cops->eo_templ = _templ; \ -} - -#define KCF_WRAP_DECRYPT_OPS_PARAMS(req, ftype, _sid, _mech, _key, \ - _ciphertext, _plaintext, _templ) { \ - kcf_decrypt_ops_params_t *cops = &(req)->rp_u.decrypt_params; \ - crypto_mechanism_t *mechp = _mech; \ - \ - (req)->rp_opgrp = KCF_OG_DECRYPT; \ - (req)->rp_optype = ftype; \ - cops->dop_sid = _sid; \ - if (mechp != NULL) { \ - cops->dop_mech = *mechp; \ - cops->dop_framework_mechtype = mechp->cm_type; \ - } \ - cops->dop_key = _key; \ - cops->dop_ciphertext = _ciphertext; \ - cops->dop_plaintext = _plaintext; \ - cops->dop_templ = _templ; \ -} - #define KCF_SET_PROVIDER_MECHNUM(fmtype, pd, mechp) \ (mechp)->cm_type = \ KCF_TO_PROV_MECHNUM(pd, fmtype); -#ifdef __cplusplus -} -#endif - #endif /* _SYS_CRYPTO_OPS_IMPL_H */ diff --git a/module/icp/include/sys/crypto/sched_impl.h b/module/icp/include/sys/crypto/sched_impl.h index eb08f57baa5e..fe178ad51378 100644 --- a/module/icp/include/sys/crypto/sched_impl.h +++ b/module/icp/include/sys/crypto/sched_impl.h @@ -121,12 +121,6 @@ typedef struct kcf_sreq_node { */ int sn_rv; - /* - * parameters to call the SPI with. This can be - * a pointer as we know the caller context/stack stays. - */ - struct kcf_req_params *sn_params; - /* Internal context for this request */ struct kcf_context *sn_context; @@ -148,12 +142,6 @@ typedef struct kcf_areq_node { kcf_req_status_t an_state; crypto_call_req_t an_reqarg; - /* - * parameters to call the SPI with. We need to - * save the params since the caller stack can go away. - */ - struct kcf_req_params an_params; - /* * The next two fields should be NULL for operations that * don't need a context. @@ -448,10 +436,6 @@ extern crypto_ctx_t *kcf_new_ctx(crypto_call_req_t *, kcf_provider_desc_t *, extern void kcf_sched_destroy(void); extern void kcf_sched_init(void); extern void kcf_sched_start(void); -extern void kcf_sop_done(kcf_sreq_node_t *, int); -extern void kcf_aop_done(kcf_areq_node_t *, int); -extern int common_submit_request(kcf_provider_desc_t *, - crypto_ctx_t *, kcf_req_params_t *, crypto_req_handle_t); extern void kcf_free_context(kcf_context_t *); extern int kcf_svc_wait(int *); diff --git a/module/icp/io/sha2_mod.c b/module/icp/io/sha2_mod.c index 545560990efa..2ac57ebe58bc 100644 --- a/module/icp/io/sha2_mod.c +++ b/module/icp/io/sha2_mod.c @@ -121,7 +121,6 @@ static const crypto_digest_ops_t sha2_digest_ops = { .digest_init = sha2_digest_init, .digest = sha2_digest, .digest_update = sha2_digest_update, - .digest_key = NULL, .digest_final = sha2_digest_final, .digest_atomic = sha2_digest_atomic }; diff --git a/module/icp/io/skein_mod.c b/module/icp/io/skein_mod.c index 22f1a0756974..ab233e2b4edb 100644 --- a/module/icp/io/skein_mod.c +++ b/module/icp/io/skein_mod.c @@ -65,7 +65,6 @@ static const crypto_digest_ops_t skein_digest_ops = { .digest_init = skein_digest_init, .digest = skein_digest, .digest_update = skein_update, - .digest_key = NULL, .digest_final = skein_final, .digest_atomic = skein_digest_atomic }; From 4944a91e8335725b87185db9d0421b3fbc601429 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Fri, 24 Dec 2021 17:43:28 +0100 Subject: [PATCH 18/39] module: icp: remove unused notification framework MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- lib/libicp/Makefile.am | 1 - module/icp/Makefile.in | 1 - module/icp/api/kcf_miscapi.c | 127 --------------------- module/icp/core/kcf_mech_tabs.c | 27 ++++- module/icp/core/kcf_sched.c | 7 -- module/icp/include/sys/crypto/impl.h | 1 - module/icp/include/sys/crypto/sched_impl.h | 69 ----------- module/icp/spi/kcf_spi.c | 29 ----- 8 files changed, 25 insertions(+), 237 deletions(-) delete mode 100644 module/icp/api/kcf_miscapi.c diff --git a/lib/libicp/Makefile.am b/lib/libicp/Makefile.am index 4e8585f9217e..6ebcd4907161 100644 --- a/lib/libicp/Makefile.am +++ b/lib/libicp/Makefile.am @@ -28,7 +28,6 @@ KERNEL_C = \ spi/kcf_spi.c \ api/kcf_ctxops.c \ api/kcf_cipher.c \ - api/kcf_miscapi.c \ api/kcf_mac.c \ algs/aes/aes_impl_aesni.c \ algs/aes/aes_impl_generic.c \ diff --git a/module/icp/Makefile.in b/module/icp/Makefile.in index d9f4ff2f8957..eb807d0e519a 100644 --- a/module/icp/Makefile.in +++ b/module/icp/Makefile.in @@ -16,7 +16,6 @@ ccflags-y := -I$(icp_include) $(MODULE)-objs += illumos-crypto.o $(MODULE)-objs += api/kcf_cipher.o $(MODULE)-objs += api/kcf_mac.o -$(MODULE)-objs += api/kcf_miscapi.o $(MODULE)-objs += api/kcf_ctxops.o $(MODULE)-objs += core/kcf_callprov.o $(MODULE)-objs += core/kcf_prov_tabs.o diff --git a/module/icp/api/kcf_miscapi.c b/module/icp/api/kcf_miscapi.c deleted file mode 100644 index bb6c52946f4d..000000000000 --- a/module/icp/api/kcf_miscapi.c +++ /dev/null @@ -1,127 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ -/* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -#include -#include -#include -#include -#include - -/* - * All event subscribers are put on a list. kcf_notify_list_lock - * protects changes to this list. - * - * The following locking order is maintained in the code - The - * global kcf_notify_list_lock followed by the individual lock - * in a kcf_ntfy_elem structure (kn_lock). - */ -kmutex_t ntfy_list_lock; -kcondvar_t ntfy_list_cv; /* cv the service thread waits on */ -static kcf_ntfy_elem_t *ntfy_list_head; - -/* - * crypto_mech2id() - * - * Arguments: - * . mechname: A null-terminated string identifying the mechanism name. - * - * Description: - * Walks the mechanisms tables, looking for an entry that matches the - * mechname. Once it find it, it builds the 64-bit mech_type and returns - * it. If there are no providers for the mechanism, - * but there is an unloaded provider, this routine will attempt - * to load it. - * - * Context: - * Process and interruption. - * - * Returns: - * The unique mechanism identified by 'mechname', if found. - * CRYPTO_MECH_INVALID otherwise. - */ -crypto_mech_type_t -crypto_mech2id(const char *mechname) -{ - return (crypto_mech2id_common(mechname, B_TRUE)); -} - -/* - * We walk the notification list and do the callbacks. - */ -void -kcf_walk_ntfylist(uint32_t event, void *event_arg) -{ - kcf_ntfy_elem_t *nep; - int nelem = 0; - - mutex_enter(&ntfy_list_lock); - - /* - * Count how many clients are on the notification list. We need - * this count to ensure that clients which joined the list after we - * have started this walk, are not wrongly notified. - */ - for (nep = ntfy_list_head; nep != NULL; nep = nep->kn_next) - nelem++; - - for (nep = ntfy_list_head; (nep != NULL && nelem); nep = nep->kn_next) { - nelem--; - - /* - * Check if this client is interested in the - * event. - */ - if (!(nep->kn_event_mask & event)) - continue; - - mutex_enter(&nep->kn_lock); - nep->kn_state = NTFY_RUNNING; - mutex_exit(&nep->kn_lock); - mutex_exit(&ntfy_list_lock); - - /* - * We invoke the callback routine with no locks held. Another - * client could have joined the list meanwhile. This is fine - * as we maintain nelem as stated above. The NULL check in the - * for loop guards against shrinkage. Also, any callers of - * crypto_unnotify_events() at this point cv_wait till kn_state - * changes to NTFY_WAITING. Hence, nep is assured to be valid. - */ - (*nep->kn_func)(event, event_arg); - - mutex_enter(&nep->kn_lock); - nep->kn_state = NTFY_WAITING; - cv_broadcast(&nep->kn_cv); - mutex_exit(&nep->kn_lock); - - mutex_enter(&ntfy_list_lock); - } - - mutex_exit(&ntfy_list_lock); -} - -#if defined(_KERNEL) -EXPORT_SYMBOL(crypto_mech2id); -#endif diff --git a/module/icp/core/kcf_mech_tabs.c b/module/icp/core/kcf_mech_tabs.c index 811db71365d0..204cc178a4b5 100644 --- a/module/icp/core/kcf_mech_tabs.c +++ b/module/icp/core/kcf_mech_tabs.c @@ -556,6 +556,26 @@ kcf_get_mech_entry(crypto_mech_type_t mech_type, kcf_mech_entry_t **mep) return (KCF_SUCCESS); } +/* + * crypto_mech2id() + * + * Arguments: + * . mechname: A null-terminated string identifying the mechanism name. + * + * Description: + * Walks the mechanisms tables, looking for an entry that matches the + * mechname. Once it find it, it builds the 64-bit mech_type and returns + * it. If there are no providers for the mechanism, + * but there is an unloaded provider, this routine will attempt + * to load it. + * + * Context: + * Process and interruption. + * + * Returns: + * The unique mechanism identified by 'mechname', if found. + * CRYPTO_MECH_INVALID otherwise. + */ /* * Lookup the hash table for an entry that matches the mechname. * If there are no providers for the mechanism, @@ -563,8 +583,11 @@ kcf_get_mech_entry(crypto_mech_type_t mech_type, kcf_mech_entry_t **mep) * to load it. */ crypto_mech_type_t -crypto_mech2id_common(const char *mechname, boolean_t load_module) +crypto_mech2id(const char *mechname) { - (void) load_module; return (kcf_mech_hash_find(mechname)); } + +#if defined(_KERNEL) +EXPORT_SYMBOL(crypto_mech2id); +#endif diff --git a/module/icp/core/kcf_sched.c b/module/icp/core/kcf_sched.c index 9dd1c39d4299..9ed4f6fb2cf5 100644 --- a/module/icp/core/kcf_sched.c +++ b/module/icp/core/kcf_sched.c @@ -287,9 +287,6 @@ kcf_sched_destroy(void) kmem_cache_destroy(kcf_areq_cache); if (kcf_sreq_cache) kmem_cache_destroy(kcf_sreq_cache); - - mutex_destroy(&ntfy_list_lock); - cv_destroy(&ntfy_list_cv); } /* @@ -339,10 +336,6 @@ kcf_sched_init(void) /* Allocate and initialize the thread pool */ kcfpool_alloc(); - /* Initialize the event notification list variables */ - mutex_init(&ntfy_list_lock, NULL, MUTEX_DEFAULT, NULL); - cv_init(&ntfy_list_cv, NULL, CV_DEFAULT, NULL); - /* Create the kcf kstat */ kcf_misc_kstat = kstat_create("kcf", 0, "framework_stats", "crypto", KSTAT_TYPE_NAMED, sizeof (kcf_stats_t) / sizeof (kstat_named_t), diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index 9f13866b7b99..c15ce05506ac 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -492,7 +492,6 @@ extern int kcf_get_mech_entry(crypto_mech_type_t, kcf_mech_entry_t **); extern kcf_provider_desc_t *kcf_alloc_provider_desc(void); extern void kcf_provider_zero_refcnt(kcf_provider_desc_t *); extern void kcf_free_provider_desc(kcf_provider_desc_t *); -extern crypto_mech_type_t crypto_mech2id_common(const char *, boolean_t); extern void undo_register_provider(kcf_provider_desc_t *, boolean_t); extern int crypto_uio_data(crypto_data_t *, uchar_t *, int, cmd_type_t, void *, void (*update)(void)); diff --git a/module/icp/include/sys/crypto/sched_impl.h b/module/icp/include/sys/crypto/sched_impl.h index fe178ad51378..ee64aad12123 100644 --- a/module/icp/include/sys/crypto/sched_impl.h +++ b/module/icp/include/sys/crypto/sched_impl.h @@ -346,61 +346,6 @@ typedef struct kcf_pool { } kcf_pool_t; -/* - * State of a crypto bufcall element. - */ -typedef enum cbuf_state { - CBUF_FREE = 1, - CBUF_WAITING, - CBUF_RUNNING -} cbuf_state_t; - -/* - * Structure of a crypto bufcall element. - */ -typedef struct kcf_cbuf_elem { - /* - * lock and cv to wait for CBUF_RUNNING to be done - * kc_lock also protects kc_state. - */ - kmutex_t kc_lock; - kcondvar_t kc_cv; - cbuf_state_t kc_state; - - struct kcf_cbuf_elem *kc_next; - struct kcf_cbuf_elem *kc_prev; - - void (*kc_func)(void *arg); - void *kc_arg; -} kcf_cbuf_elem_t; - -/* - * State of a notify element. - */ -typedef enum ntfy_elem_state { - NTFY_WAITING = 1, - NTFY_RUNNING -} ntfy_elem_state_t; - -/* - * Structure of a notify list element. - */ -typedef struct kcf_ntfy_elem { - /* - * lock and cv to wait for NTFY_RUNNING to be done. - * kn_lock also protects kn_state. - */ - kmutex_t kn_lock; - kcondvar_t kn_cv; - ntfy_elem_state_t kn_state; - - struct kcf_ntfy_elem *kn_next; - struct kcf_ntfy_elem *kn_prev; - - crypto_notify_callback_t kn_func; - uint32_t kn_event_mask; -} kcf_ntfy_elem_t; - /* * The following values are based on the assumption that it would @@ -412,19 +357,6 @@ typedef struct kcf_ntfy_elem { */ #define CRYPTO_TASKQ_MAX 2 * 1024 * 1024 -/* - * All pending crypto bufcalls are put on a list. cbuf_list_lock - * protects changes to this list. - */ -extern kmutex_t cbuf_list_lock; -extern kcondvar_t cbuf_list_cv; - -/* - * All event subscribers are put on a list. kcf_notify_list_lock - * protects changes to this list. - */ -extern kmutex_t ntfy_list_lock; -extern kcondvar_t ntfy_list_cv; extern void kcf_free_triedlist(kcf_prov_tried_t *); extern kcf_prov_tried_t *kcf_insert_triedlist(kcf_prov_tried_t **, @@ -447,7 +379,6 @@ extern void verify_unverified_providers(void); extern void kcf_free_req(kcf_areq_node_t *areq); extern void crypto_bufcall_service(void); -extern void kcf_walk_ntfylist(uint32_t, void *); extern void kcf_do_notify(kcf_provider_desc_t *, boolean_t); #ifdef __cplusplus diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c index 89ecb4e41127..de9585514301 100644 --- a/module/icp/spi/kcf_spi.c +++ b/module/icp/spi/kcf_spi.c @@ -122,7 +122,6 @@ crypto_register_provider(const crypto_provider_info_t *info, mutex_enter(&prov_desc->pd_lock); prov_desc->pd_state = KCF_PROV_READY; mutex_exit(&prov_desc->pd_lock); - kcf_do_notify(prov_desc, B_TRUE); *handle = prov_desc->pd_kcf_prov_handle; ret = CRYPTO_SUCCESS; @@ -209,8 +208,6 @@ crypto_unregister_provider(crypto_kcf_provider_handle_t handle) cv_wait(&desc->pd_remove_cv, &desc->pd_lock); mutex_exit(&desc->pd_lock); - kcf_do_notify(desc, B_FALSE); - /* * This is the only place where kcf_free_provider_desc() * is called directly. KCF_PROV_REFRELE() should free the @@ -366,32 +363,6 @@ undo_register_provider(kcf_provider_desc_t *desc, boolean_t remove_prov) (void) kcf_prov_tab_rem_provider(desc->pd_prov_id); } -/* - * Dispatch events as needed for a provider. is_added flag tells - * whether the provider is registering or unregistering. - */ -void -kcf_do_notify(kcf_provider_desc_t *prov_desc, boolean_t is_added) -{ - int i; - crypto_notify_event_change_t ec; - - ASSERT(prov_desc->pd_state > KCF_PROV_ALLOCATED); - - /* - * Inform interested clients of the mechanisms becoming - * available/unavailable. - */ - ec.ec_change = is_added ? CRYPTO_MECH_ADDED : - CRYPTO_MECH_REMOVED; - for (i = 0; i < prov_desc->pd_mech_list_count; i++) { - (void) strlcpy(ec.ec_mech_name, - prov_desc->pd_mechanisms[i].cm_mech_name, - CRYPTO_MAX_MECH_NAME); - kcf_walk_ntfylist(CRYPTO_EVENT_MECHS_CHANGED, &ec); - } -} - static void delete_kstat(kcf_provider_desc_t *desc) { From 101001f21b854c4eb4a3fa3ad9d25ccb4606abcc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 00:10:57 +0100 Subject: [PATCH 19/39] module: icp: remove unused gswq, kcfpool, [as]req_cache, reqid_table, obsolete kstat MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/core/kcf_sched.c | 237 --------------------- module/icp/include/sys/crypto/impl.h | 11 - module/icp/include/sys/crypto/sched_impl.h | 216 ------------------- 3 files changed, 464 deletions(-) diff --git a/module/icp/core/kcf_sched.c b/module/icp/core/kcf_sched.c index 9ed4f6fb2cf5..7fe5381f94a2 100644 --- a/module/icp/core/kcf_sched.c +++ b/module/icp/core/kcf_sched.c @@ -35,38 +35,10 @@ #include #include -static kcf_global_swq_t *gswq; /* Global queue */ - -/* Thread pool related variables */ -static kcf_pool_t *kcfpool; /* Thread pool of kcfd LWPs */ -static const int kcf_maxthreads = 2; -static const int kcf_minthreads = 1; - /* kmem caches used by the scheduler */ -static kmem_cache_t *kcf_sreq_cache; -static kmem_cache_t *kcf_areq_cache; static kmem_cache_t *kcf_context_cache; - -/* Global request ID table */ -static kcf_reqid_table_t *kcf_reqid_table[REQID_TABLES]; - -/* KCF stats. Not protected. */ -static kcf_stats_t kcf_ksdata = { - { "total threads in pool", KSTAT_DATA_UINT32}, - { "idle threads in pool", KSTAT_DATA_UINT32}, - { "min threads in pool", KSTAT_DATA_UINT32}, - { "max threads in pool", KSTAT_DATA_UINT32}, - { "requests in gswq", KSTAT_DATA_UINT32}, - { "max requests in gswq", KSTAT_DATA_UINT32}, - { "maxalloc for gwsq", KSTAT_DATA_UINT32} -}; - -static kstat_t *kcf_misc_kstat = NULL; ulong_t kcf_swprov_hndl = 0; -static void kcfpool_alloc(void); -static int kcf_misc_kstat_update(kstat_t *ksp, int rw); - /* * Create a new context. */ @@ -84,13 +56,9 @@ kcf_new_ctx(crypto_call_req_t *crq, kcf_provider_desc_t *pd, /* initialize the context for the consumer */ kcf_ctx->kc_refcnt = 1; - kcf_ctx->kc_req_chain_first = NULL; - kcf_ctx->kc_req_chain_last = NULL; - kcf_ctx->kc_secondctx = NULL; KCF_PROV_REFHOLD(pd); kcf_ctx->kc_prov_desc = pd; kcf_ctx->kc_sw_prov_desc = NULL; - kcf_ctx->kc_mech = NULL; ctx = &kcf_ctx->kc_glbl_ctx; ctx->cc_provider = pd->pd_prov_handle; @@ -118,12 +86,6 @@ kcf_free_context(kcf_context_t *kcf_ctx) { kcf_provider_desc_t *pd = kcf_ctx->kc_prov_desc; crypto_ctx_t *gctx = &kcf_ctx->kc_glbl_ctx; - kcf_context_t *kcf_secondctx = kcf_ctx->kc_secondctx; - - /* Release the second context, if any */ - - if (kcf_secondctx != NULL) - KCF_CONTEXT_REFRELE(kcf_secondctx); if (gctx->cc_provider_private != NULL) { mutex_enter(&pd->pd_lock); @@ -154,77 +116,6 @@ kcf_free_context(kcf_context_t *kcf_ctx) kmem_cache_free(kcf_context_cache, kcf_ctx); } -/* - * Free the request after releasing all the holds. - */ -void -kcf_free_req(kcf_areq_node_t *areq) -{ - KCF_PROV_REFRELE(areq->an_provider); - if (areq->an_context != NULL) - KCF_CONTEXT_REFRELE(areq->an_context); - - if (areq->an_tried_plist != NULL) - kcf_free_triedlist(areq->an_tried_plist); - kmem_cache_free(kcf_areq_cache, areq); -} - -/* - * kmem_cache_alloc constructor for sync request structure. - */ -static int -kcf_sreq_cache_constructor(void *buf, void *cdrarg, int kmflags) -{ - (void) cdrarg, (void) kmflags; - kcf_sreq_node_t *sreq = (kcf_sreq_node_t *)buf; - - sreq->sn_type = CRYPTO_SYNCH; - cv_init(&sreq->sn_cv, NULL, CV_DEFAULT, NULL); - mutex_init(&sreq->sn_lock, NULL, MUTEX_DEFAULT, NULL); - - return (0); -} - -static void -kcf_sreq_cache_destructor(void *buf, void *cdrarg) -{ - (void) cdrarg; - kcf_sreq_node_t *sreq = (kcf_sreq_node_t *)buf; - - mutex_destroy(&sreq->sn_lock); - cv_destroy(&sreq->sn_cv); -} - -/* - * kmem_cache_alloc constructor for async request structure. - */ -static int -kcf_areq_cache_constructor(void *buf, void *cdrarg, int kmflags) -{ - (void) cdrarg, (void) kmflags; - kcf_areq_node_t *areq = (kcf_areq_node_t *)buf; - - areq->an_type = CRYPTO_ASYNCH; - areq->an_refcnt = 0; - mutex_init(&areq->an_lock, NULL, MUTEX_DEFAULT, NULL); - cv_init(&areq->an_done, NULL, CV_DEFAULT, NULL); - cv_init(&areq->an_turn_cv, NULL, CV_DEFAULT, NULL); - - return (0); -} - -static void -kcf_areq_cache_destructor(void *buf, void *cdrarg) -{ - (void) cdrarg; - kcf_areq_node_t *areq = (kcf_areq_node_t *)buf; - - ASSERT(areq->an_refcnt == 0); - mutex_destroy(&areq->an_lock); - cv_destroy(&areq->an_done); - cv_destroy(&areq->an_turn_cv); -} - /* * kmem_cache_alloc constructor for kcf_context structure. */ @@ -235,7 +126,6 @@ kcf_context_cache_constructor(void *buf, void *cdrarg, int kmflags) kcf_context_t *kctx = (kcf_context_t *)buf; kctx->kc_refcnt = 0; - mutex_init(&kctx->kc_in_use_lock, NULL, MUTEX_DEFAULT, NULL); return (0); } @@ -247,46 +137,13 @@ kcf_context_cache_destructor(void *buf, void *cdrarg) kcf_context_t *kctx = (kcf_context_t *)buf; ASSERT(kctx->kc_refcnt == 0); - mutex_destroy(&kctx->kc_in_use_lock); } void kcf_sched_destroy(void) { - int i; - - if (kcf_misc_kstat) - kstat_delete(kcf_misc_kstat); - - if (kcfpool) { - mutex_destroy(&kcfpool->kp_thread_lock); - cv_destroy(&kcfpool->kp_nothr_cv); - mutex_destroy(&kcfpool->kp_user_lock); - cv_destroy(&kcfpool->kp_user_cv); - - kmem_free(kcfpool, sizeof (kcf_pool_t)); - } - - for (i = 0; i < REQID_TABLES; i++) { - if (kcf_reqid_table[i]) { - mutex_destroy(&(kcf_reqid_table[i]->rt_lock)); - kmem_free(kcf_reqid_table[i], - sizeof (kcf_reqid_table_t)); - } - } - - if (gswq) { - mutex_destroy(&gswq->gs_lock); - cv_destroy(&gswq->gs_cv); - kmem_free(gswq, sizeof (kcf_global_swq_t)); - } - if (kcf_context_cache) kmem_cache_destroy(kcf_context_cache); - if (kcf_areq_cache) - kmem_cache_destroy(kcf_areq_cache); - if (kcf_sreq_cache) - kmem_cache_destroy(kcf_sreq_cache); } /* @@ -295,9 +152,6 @@ kcf_sched_destroy(void) void kcf_sched_init(void) { - int i; - kcf_reqid_table_t *rt; - /* * Create all the kmem caches needed by the framework. We set the * align argument to 64, to get a slab aligned to 64-byte as well as @@ -305,98 +159,7 @@ kcf_sched_init(void) * This helps to avoid false sharing as this is the size of the * CPU cache line. */ - kcf_sreq_cache = kmem_cache_create("kcf_sreq_cache", - sizeof (struct kcf_sreq_node), 64, kcf_sreq_cache_constructor, - kcf_sreq_cache_destructor, NULL, NULL, NULL, 0); - - kcf_areq_cache = kmem_cache_create("kcf_areq_cache", - sizeof (struct kcf_areq_node), 64, kcf_areq_cache_constructor, - kcf_areq_cache_destructor, NULL, NULL, NULL, 0); - kcf_context_cache = kmem_cache_create("kcf_context_cache", sizeof (struct kcf_context), 64, kcf_context_cache_constructor, kcf_context_cache_destructor, NULL, NULL, NULL, 0); - - gswq = kmem_alloc(sizeof (kcf_global_swq_t), KM_SLEEP); - - mutex_init(&gswq->gs_lock, NULL, MUTEX_DEFAULT, NULL); - cv_init(&gswq->gs_cv, NULL, CV_DEFAULT, NULL); - gswq->gs_njobs = 0; - gswq->gs_maxjobs = kcf_maxthreads * CRYPTO_TASKQ_MAX; - gswq->gs_first = gswq->gs_last = NULL; - - /* Initialize the global reqid table */ - for (i = 0; i < REQID_TABLES; i++) { - rt = kmem_zalloc(sizeof (kcf_reqid_table_t), KM_SLEEP); - kcf_reqid_table[i] = rt; - mutex_init(&rt->rt_lock, NULL, MUTEX_DEFAULT, NULL); - rt->rt_curid = i; - } - - /* Allocate and initialize the thread pool */ - kcfpool_alloc(); - - /* Create the kcf kstat */ - kcf_misc_kstat = kstat_create("kcf", 0, "framework_stats", "crypto", - KSTAT_TYPE_NAMED, sizeof (kcf_stats_t) / sizeof (kstat_named_t), - KSTAT_FLAG_VIRTUAL); - - if (kcf_misc_kstat != NULL) { - kcf_misc_kstat->ks_data = &kcf_ksdata; - kcf_misc_kstat->ks_update = kcf_misc_kstat_update; - kstat_install(kcf_misc_kstat); - } -} - -/* - * Allocate the thread pool and initialize all the fields. - */ -static void -kcfpool_alloc() -{ - kcfpool = kmem_alloc(sizeof (kcf_pool_t), KM_SLEEP); - - kcfpool->kp_threads = kcfpool->kp_idlethreads = 0; - kcfpool->kp_blockedthreads = 0; - kcfpool->kp_signal_create_thread = B_FALSE; - kcfpool->kp_nthrs = 0; - kcfpool->kp_user_waiting = B_FALSE; - - mutex_init(&kcfpool->kp_thread_lock, NULL, MUTEX_DEFAULT, NULL); - cv_init(&kcfpool->kp_nothr_cv, NULL, CV_DEFAULT, NULL); - - mutex_init(&kcfpool->kp_user_lock, NULL, MUTEX_DEFAULT, NULL); - cv_init(&kcfpool->kp_user_cv, NULL, CV_DEFAULT, NULL); -} - -/* - * Update kstats. - */ -static int -kcf_misc_kstat_update(kstat_t *ksp, int rw) -{ - uint_t tcnt; - kcf_stats_t *ks_data; - - if (rw == KSTAT_WRITE) - return (EACCES); - - ks_data = ksp->ks_data; - - ks_data->ks_thrs_in_pool.value.ui32 = kcfpool->kp_threads; - /* - * The failover thread is counted in kp_idlethreads in - * some corner cases. This is done to avoid doing more checks - * when submitting a request. We account for those cases below. - */ - if ((tcnt = kcfpool->kp_idlethreads) == (kcfpool->kp_threads + 1)) - tcnt--; - ks_data->ks_idle_thrs.value.ui32 = tcnt; - ks_data->ks_minthrs.value.ui32 = kcf_minthreads; - ks_data->ks_maxthrs.value.ui32 = kcf_maxthreads; - ks_data->ks_swq_njobs.value.ui32 = gswq->gs_njobs; - ks_data->ks_swq_maxjobs.value.ui32 = gswq->gs_maxjobs; - ks_data->ks_swq_maxalloc.value.ui32 = CRYPTO_TASKQ_MAX; - - return (0); } diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index c15ce05506ac..ed6f8d8d39c7 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -54,17 +54,6 @@ typedef struct kcf_prov_stats { kstat_named_t ps_ops_busy_rval; } kcf_prov_stats_t; -/* Various kcf stats. Not protected. */ -typedef struct kcf_stats { - kstat_named_t ks_thrs_in_pool; - kstat_named_t ks_idle_thrs; - kstat_named_t ks_minthrs; - kstat_named_t ks_maxthrs; - kstat_named_t ks_swq_njobs; - kstat_named_t ks_swq_maxjobs; - kstat_named_t ks_swq_maxalloc; -} kcf_stats_t; - /* * Keep all the information needed by the scheduler from * this provider. diff --git a/module/icp/include/sys/crypto/sched_impl.h b/module/icp/include/sys/crypto/sched_impl.h index ee64aad12123..b322bab5f725 100644 --- a/module/icp/include/sys/crypto/sched_impl.h +++ b/module/icp/include/sys/crypto/sched_impl.h @@ -41,21 +41,6 @@ extern "C" { #include #include -typedef void (kcf_func_t)(void *, int); - -typedef enum kcf_req_status { - REQ_ALLOCATED = 1, - REQ_WAITING, /* At the framework level */ - REQ_INPROGRESS, /* At the provider level */ - REQ_DONE, - REQ_CANCELED -} kcf_req_status_t; - -typedef enum kcf_call_type { - CRYPTO_SYNCH = 1, - CRYPTO_ASYNCH -} kcf_call_type_t; - #define KCF_KMFLAG(crq) (((crq) == NULL) ? KM_SLEEP : KM_NOSLEEP) /* @@ -100,143 +85,6 @@ typedef struct kcf_prov_tried { #define KCF_ATOMIC_INCR(x) atomic_add_32(&(x), 1) #define KCF_ATOMIC_DECR(x) atomic_add_32(&(x), -1) -/* - * Node structure for synchronous requests. - */ -typedef struct kcf_sreq_node { - /* Should always be the first field in this structure */ - kcf_call_type_t sn_type; - /* - * sn_cv and sr_lock are used to wait for the - * operation to complete. sn_lock also protects - * the sn_state field. - */ - kcondvar_t sn_cv; - kmutex_t sn_lock; - kcf_req_status_t sn_state; - - /* - * Return value from the operation. This will be - * one of the CRYPTO_* errors defined in common.h. - */ - int sn_rv; - - /* Internal context for this request */ - struct kcf_context *sn_context; - - /* Provider handling this request */ - kcf_provider_desc_t *sn_provider; -} kcf_sreq_node_t; - -/* - * Node structure for asynchronous requests. A node can be on - * on a chain of requests hanging of the internal context - * structure and can be in the global provider queue. - */ -typedef struct kcf_areq_node { - /* Should always be the first field in this structure */ - kcf_call_type_t an_type; - - /* an_lock protects the field an_state */ - kmutex_t an_lock; - kcf_req_status_t an_state; - crypto_call_req_t an_reqarg; - - /* - * The next two fields should be NULL for operations that - * don't need a context. - */ - /* Internal context for this request */ - struct kcf_context *an_context; - - /* next in chain of requests for context */ - struct kcf_areq_node *an_ctxchain_next; - - kcondvar_t an_turn_cv; - boolean_t an_is_my_turn; - - /* Next and previous nodes in the global queue. */ - struct kcf_areq_node *an_next; - struct kcf_areq_node *an_prev; - - /* Provider handling this request */ - kcf_provider_desc_t *an_provider; - kcf_prov_tried_t *an_tried_plist; - - struct kcf_areq_node *an_idnext; /* Next in ID hash */ - struct kcf_areq_node *an_idprev; /* Prev in ID hash */ - kcondvar_t an_done; /* Signal request completion */ - uint_t an_refcnt; -} kcf_areq_node_t; - -#define KCF_AREQ_REFHOLD(areq) { \ - atomic_add_32(&(areq)->an_refcnt, 1); \ - ASSERT((areq)->an_refcnt != 0); \ -} - -#define KCF_AREQ_REFRELE(areq) { \ - ASSERT((areq)->an_refcnt != 0); \ - membar_exit(); \ - if (atomic_add_32_nv(&(areq)->an_refcnt, -1) == 0) \ - kcf_free_req(areq); \ -} - -#define GET_REQ_TYPE(arg) *((kcf_call_type_t *)(arg)) - -#define NOTIFY_CLIENT(areq, err) (*(areq)->an_reqarg.cr_callback_func)(\ - (areq)->an_reqarg.cr_callback_arg, err); - -/* - * The following are some what similar to macros in callo.h, which implement - * callout tables. - * - * The lower four bits of the ID are used to encode the table ID to - * index in to. The REQID_COUNTER_HIGH bit is used to avoid any check for - * wrap around when generating ID. We assume that there won't be a request - * which takes more time than 2^^(sizeof (long) - 5) other requests submitted - * after it. This ensures there won't be any ID collision. - */ -#define REQID_COUNTER_HIGH (1UL << (8 * sizeof (long) - 1)) -#define REQID_COUNTER_SHIFT 4 -#define REQID_COUNTER_LOW (1 << REQID_COUNTER_SHIFT) -#define REQID_TABLES 16 -#define REQID_TABLE_MASK (REQID_TABLES - 1) - -#define REQID_BUCKETS 512 -#define REQID_BUCKET_MASK (REQID_BUCKETS - 1) -#define REQID_HASH(id) (((id) >> REQID_COUNTER_SHIFT) & REQID_BUCKET_MASK) - -#define GET_REQID(areq) (areq)->an_reqarg.cr_reqid -#define SET_REQID(areq, val) GET_REQID(areq) = val - -/* - * Hash table for async requests. - */ -typedef struct kcf_reqid_table { - kmutex_t rt_lock; - crypto_req_id_t rt_curid; - kcf_areq_node_t *rt_idhash[REQID_BUCKETS]; -} kcf_reqid_table_t; - -/* - * Global provider queue structure. Requests to be - * handled by a provider and have the ALWAYS_QUEUE flag set - * get queued here. - */ -typedef struct kcf_global_swq { - /* - * gs_cv and gs_lock are used to wait for new requests. - * gs_lock protects the changes to the queue. - */ - kcondvar_t gs_cv; - kmutex_t gs_lock; - uint_t gs_njobs; - uint_t gs_maxjobs; - kcf_areq_node_t *gs_first; - kcf_areq_node_t *gs_last; -} kcf_global_swq_t; - - /* * Internal representation of a canonical context. We contain crypto_ctx_t * structure in order to have just one memory allocation. The SPI @@ -245,18 +93,8 @@ typedef struct kcf_global_swq { typedef struct kcf_context { crypto_ctx_t kc_glbl_ctx; uint_t kc_refcnt; - kmutex_t kc_in_use_lock; - /* - * kc_req_chain_first and kc_req_chain_last are used to chain - * multiple async requests using the same context. They should be - * NULL for sync requests. - */ - kcf_areq_node_t *kc_req_chain_first; - kcf_areq_node_t *kc_req_chain_last; kcf_provider_desc_t *kc_prov_desc; /* Prov. descriptor */ kcf_provider_desc_t *kc_sw_prov_desc; /* Prov. descriptor */ - kcf_mech_entry_t *kc_mech; - struct kcf_context *kc_secondctx; /* for dual contexts */ } kcf_context_t; /* @@ -310,53 +148,11 @@ typedef struct kcf_context { * A crypto_ctx_template_t is internally a pointer to this struct */ typedef struct kcf_ctx_template { - crypto_kcf_provider_handle_t ct_prov_handle; /* provider handle */ - uint_t ct_generation; /* generation # */ size_t ct_size; /* for freeing */ crypto_spi_ctx_template_t ct_prov_tmpl; /* context template */ /* from the provider */ } kcf_ctx_template_t; -/* - * Structure for pool of threads working on the global queue. - */ -typedef struct kcf_pool { - uint32_t kp_threads; /* Number of threads in pool */ - uint32_t kp_idlethreads; /* Idle threads in pool */ - uint32_t kp_blockedthreads; /* Blocked threads in pool */ - - /* - * cv & lock to monitor the condition when no threads - * are around. In this case the failover thread kicks in. - */ - kcondvar_t kp_nothr_cv; - kmutex_t kp_thread_lock; - - /* Userspace thread creator variables. */ - boolean_t kp_signal_create_thread; /* Create requested flag */ - int kp_nthrs; /* # of threads to create */ - boolean_t kp_user_waiting; /* Thread waiting for work */ - - /* - * cv & lock for the condition where more threads need to be - * created. kp_user_lock also protects the three fields above. - */ - kcondvar_t kp_user_cv; /* Creator cond. variable */ - kmutex_t kp_user_lock; /* Creator lock */ -} kcf_pool_t; - - - -/* - * The following values are based on the assumption that it would - * take around eight cpus to load a hardware provider (This is true for - * at least one product) and a kernel client may come from different - * low-priority interrupt levels. The CRYPTO_TASKQ_MAX number is based on - * a throughput of 1GB/s using 512-byte buffers. These are just - * reasonable estimates and might need to change in future. - */ -#define CRYPTO_TASKQ_MAX 2 * 1024 * 1024 - extern void kcf_free_triedlist(kcf_prov_tried_t *); extern kcf_prov_tried_t *kcf_insert_triedlist(kcf_prov_tried_t **, @@ -367,20 +163,8 @@ extern crypto_ctx_t *kcf_new_ctx(crypto_call_req_t *, kcf_provider_desc_t *, crypto_session_id_t); extern void kcf_sched_destroy(void); extern void kcf_sched_init(void); -extern void kcf_sched_start(void); extern void kcf_free_context(kcf_context_t *); -extern int kcf_svc_wait(int *); -extern int kcf_svc_do_run(void); -extern int kcf_need_signature_verification(kcf_provider_desc_t *); -extern void kcf_verify_signature(void *); -extern struct modctl *kcf_get_modctl(crypto_provider_info_t *); -extern void verify_unverified_providers(void); -extern void kcf_free_req(kcf_areq_node_t *areq); -extern void crypto_bufcall_service(void); - -extern void kcf_do_notify(kcf_provider_desc_t *, boolean_t); - #ifdef __cplusplus } #endif From 06067869383edcc0acd2fb4a167e397c97400f33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 00:26:17 +0100 Subject: [PATCH 20/39] module: icp: remove unused struct crypto_ctx::cc_{session,flags,opstate} MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/api/kcf_mac.c | 7 +++---- module/icp/core/kcf_sched.c | 12 +----------- module/icp/include/sys/crypto/sched_impl.h | 16 +--------------- module/icp/include/sys/crypto/spi.h | 7 ------- 4 files changed, 5 insertions(+), 37 deletions(-) diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index cf805ee1cc39..369ba55cec70 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -137,7 +137,6 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, * Arguments: * pd: pointer to the descriptor of the provider to use for this * operation. - * sid: provider session id. * mech: crypto_mechanism_t pointer. * mech_type is a valid value previously returned by * crypto_mech2id(); @@ -168,7 +167,7 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, * See comment in the beginning of the file. */ static int -crypto_mac_init_prov(crypto_provider_t provider, crypto_session_id_t sid, +crypto_mac_init_prov(crypto_provider_t provider, crypto_mechanism_t *mech, crypto_key_t *key, crypto_spi_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *crq) { @@ -180,7 +179,7 @@ crypto_mac_init_prov(crypto_provider_t provider, crypto_session_id_t sid, ASSERT(KCF_PROV_REFHELD(pd)); /* Allocate and initialize the canonical context */ - if ((ctx = kcf_new_ctx(crq, real_provider, sid)) == NULL) + if ((ctx = kcf_new_ctx(crq, real_provider)) == NULL) return (CRYPTO_HOST_MEMORY); crypto_mechanism_t lmech = *mech; @@ -235,7 +234,7 @@ crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, if (((ctx_tmpl = (kcf_ctx_template_t *)tmpl) != NULL)) spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; - error = crypto_mac_init_prov(pd, pd->pd_sid, mech, key, + error = crypto_mac_init_prov(pd, mech, key, spi_ctx_tmpl, ctxp, crq); if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && IS_RECOVERABLE(error)) { diff --git a/module/icp/core/kcf_sched.c b/module/icp/core/kcf_sched.c index 7fe5381f94a2..d074bab8527d 100644 --- a/module/icp/core/kcf_sched.c +++ b/module/icp/core/kcf_sched.c @@ -43,8 +43,7 @@ ulong_t kcf_swprov_hndl = 0; * Create a new context. */ crypto_ctx_t * -kcf_new_ctx(crypto_call_req_t *crq, kcf_provider_desc_t *pd, - crypto_session_id_t sid) +kcf_new_ctx(crypto_call_req_t *crq, kcf_provider_desc_t *pd) { crypto_ctx_t *ctx; kcf_context_t *kcf_ctx; @@ -62,11 +61,8 @@ kcf_new_ctx(crypto_call_req_t *crq, kcf_provider_desc_t *pd, ctx = &kcf_ctx->kc_glbl_ctx; ctx->cc_provider = pd->pd_prov_handle; - ctx->cc_session = sid; ctx->cc_provider_private = NULL; ctx->cc_framework_private = (void *)kcf_ctx; - ctx->cc_flags = 0; - ctx->cc_opstate = NULL; return (ctx); } @@ -107,12 +103,6 @@ kcf_free_context(kcf_context_t *kcf_ctx) /* kcf_ctx->kc_prov_desc has a hold on pd */ KCF_PROV_REFRELE(kcf_ctx->kc_prov_desc); - /* check if this context is shared with a provider */ - if ((gctx->cc_flags & CRYPTO_INIT_OPSTATE) && - kcf_ctx->kc_sw_prov_desc != NULL) { - KCF_PROV_REFRELE(kcf_ctx->kc_sw_prov_desc); - } - kmem_cache_free(kcf_context_cache, kcf_ctx); } diff --git a/module/icp/include/sys/crypto/sched_impl.h b/module/icp/include/sys/crypto/sched_impl.h index b322bab5f725..0f3961958336 100644 --- a/module/icp/include/sys/crypto/sched_impl.h +++ b/module/icp/include/sys/crypto/sched_impl.h @@ -82,9 +82,6 @@ typedef struct kcf_prov_tried { error == CRYPTO_KEY_SIZE_RANGE || \ error == CRYPTO_NO_PERMISSION) -#define KCF_ATOMIC_INCR(x) atomic_add_32(&(x), 1) -#define KCF_ATOMIC_DECR(x) atomic_add_32(&(x), -1) - /* * Internal representation of a canonical context. We contain crypto_ctx_t * structure in order to have just one memory allocation. The SPI @@ -97,16 +94,6 @@ typedef struct kcf_context { kcf_provider_desc_t *kc_sw_prov_desc; /* Prov. descriptor */ } kcf_context_t; -/* - * Bump up the reference count on the framework private context. A - * global context or a request that references this structure should - * do a hold. - */ -#define KCF_CONTEXT_REFHOLD(ictx) { \ - atomic_add_32(&(ictx)->kc_refcnt, 1); \ - ASSERT((ictx)->kc_refcnt != 0); \ -} - /* * Decrement the reference count on the framework private context. * When the last reference is released, the framework private @@ -159,8 +146,7 @@ extern kcf_prov_tried_t *kcf_insert_triedlist(kcf_prov_tried_t **, kcf_provider_desc_t *, int); extern kcf_provider_desc_t *kcf_get_mech_provider(crypto_mech_type_t, kcf_mech_entry_t **, int *, kcf_prov_tried_t *, crypto_func_group_t); -extern crypto_ctx_t *kcf_new_ctx(crypto_call_req_t *, kcf_provider_desc_t *, - crypto_session_id_t); +extern crypto_ctx_t *kcf_new_ctx(crypto_call_req_t *, kcf_provider_desc_t *); extern void kcf_sched_destroy(void); extern void kcf_sched_init(void); extern void kcf_free_context(kcf_context_t *); diff --git a/module/icp/include/sys/crypto/spi.h b/module/icp/include/sys/crypto/spi.h index a047a30a06b1..ba383a750ef3 100644 --- a/module/icp/include/sys/crypto/spi.h +++ b/module/icp/include/sys/crypto/spi.h @@ -65,10 +65,6 @@ typedef void *crypto_spi_ctx_template_t; */ typedef void *crypto_req_handle_t; -/* Values for cc_flags field */ -#define CRYPTO_INIT_OPSTATE 0x00000001 /* allocate and init cc_opstate */ -#define CRYPTO_USE_OPSTATE 0x00000002 /* .. start using it as context */ - /* * The context structure is passed from the kernel to a provider. * It contains the information needed to process a multi-part or @@ -81,11 +77,8 @@ typedef void *crypto_req_handle_t; */ typedef struct crypto_ctx { crypto_provider_handle_t cc_provider; - crypto_session_id_t cc_session; void *cc_provider_private; /* owned by provider */ void *cc_framework_private; /* owned by framework */ - uint32_t cc_flags; /* flags */ - void *cc_opstate; /* state */ } crypto_ctx_t; /* From b5f0c8d0ba6f181918973c76ea8f94eb6f35e062 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 01:32:06 +0100 Subject: [PATCH 21/39] module: icp: remove unused me_threshold MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/core/kcf_mech_tabs.c | 111 +++++---------------------- module/icp/include/sys/crypto/impl.h | 4 - 2 files changed, 21 insertions(+), 94 deletions(-) diff --git a/module/icp/core/kcf_mech_tabs.c b/module/icp/core/kcf_mech_tabs.c index 204cc178a4b5..ab932ae0bf68 100644 --- a/module/icp/core/kcf_mech_tabs.c +++ b/module/icp/core/kcf_mech_tabs.c @@ -82,9 +82,27 @@ /* RFE 4687834 Will deal with the extensibility of these tables later */ -static kcf_mech_entry_t kcf_digest_mechs_tab[KCF_MAXDIGEST]; -static kcf_mech_entry_t kcf_cipher_mechs_tab[KCF_MAXCIPHER]; -static kcf_mech_entry_t kcf_mac_mechs_tab[KCF_MAXMAC]; +static kcf_mech_entry_t kcf_digest_mechs_tab[KCF_MAXDIGEST] = { + { SUN_CKM_MD5 }, + { SUN_CKM_SHA1 }, +}; +static kcf_mech_entry_t kcf_cipher_mechs_tab[KCF_MAXCIPHER] = { + { SUN_CKM_DES_CBC }, + { SUN_CKM_DES3_CBC }, + { SUN_CKM_DES_ECB }, + { SUN_CKM_DES3_ECB }, + { SUN_CKM_BLOWFISH_CBC }, + { SUN_CKM_BLOWFISH_ECB }, + { SUN_CKM_AES_CBC }, + { SUN_CKM_AES_ECB }, + { SUN_CKM_RC4 }, +}; +static kcf_mech_entry_t kcf_mac_mechs_tab[KCF_MAXMAC] = { + { SUN_CKM_MD5_HMAC }, + { SUN_CKM_MD5_HMAC_GENERAL }, + { SUN_CKM_SHA1_HMAC }, + { SUN_CKM_SHA1_HMAC_GENERAL }, +}; const kcf_mech_entry_tab_t kcf_mech_tabs_tab[KCF_LAST_OPSCLASS + 1] = { {0, NULL}, /* No class zero */ @@ -93,23 +111,6 @@ const kcf_mech_entry_tab_t kcf_mech_tabs_tab[KCF_LAST_OPSCLASS + 1] = { {KCF_MAXMAC, kcf_mac_mechs_tab}, }; -/* - * Per-algorithm internal thresholds for the minimum input size of before - * offloading to hardware provider. - * Dispatching a crypto operation to a hardware provider entails paying the - * cost of an additional context switch. Measurements with Sun Accelerator 4000 - * shows that 512-byte jobs or smaller are better handled in software. - * There is room for refinement here. - * - */ -static const int kcf_md5_threshold = 512; -static const int kcf_sha1_threshold = 512; -static const int kcf_des_threshold = 512; -static const int kcf_des3_threshold = 512; -static const int kcf_aes_threshold = 512; -static const int kcf_bf_threshold = 512; -static const int kcf_rc4_threshold = 512; - static kmutex_t kcf_mech_tabs_lock; static const int kcf_mech_hash_size = 256; @@ -168,71 +169,6 @@ kcf_init_mech_tabs(void) /* Then the pre-defined mechanism entries */ - /* Two digests */ - (void) strncpy(kcf_digest_mechs_tab[0].me_name, SUN_CKM_MD5, - CRYPTO_MAX_MECH_NAME); - kcf_digest_mechs_tab[0].me_threshold = kcf_md5_threshold; - - (void) strncpy(kcf_digest_mechs_tab[1].me_name, SUN_CKM_SHA1, - CRYPTO_MAX_MECH_NAME); - kcf_digest_mechs_tab[1].me_threshold = kcf_sha1_threshold; - - /* The symmetric ciphers in various modes */ - (void) strncpy(kcf_cipher_mechs_tab[0].me_name, SUN_CKM_DES_CBC, - CRYPTO_MAX_MECH_NAME); - kcf_cipher_mechs_tab[0].me_threshold = kcf_des_threshold; - - (void) strncpy(kcf_cipher_mechs_tab[1].me_name, SUN_CKM_DES3_CBC, - CRYPTO_MAX_MECH_NAME); - kcf_cipher_mechs_tab[1].me_threshold = kcf_des3_threshold; - - (void) strncpy(kcf_cipher_mechs_tab[2].me_name, SUN_CKM_DES_ECB, - CRYPTO_MAX_MECH_NAME); - kcf_cipher_mechs_tab[2].me_threshold = kcf_des_threshold; - - (void) strncpy(kcf_cipher_mechs_tab[3].me_name, SUN_CKM_DES3_ECB, - CRYPTO_MAX_MECH_NAME); - kcf_cipher_mechs_tab[3].me_threshold = kcf_des3_threshold; - - (void) strncpy(kcf_cipher_mechs_tab[4].me_name, SUN_CKM_BLOWFISH_CBC, - CRYPTO_MAX_MECH_NAME); - kcf_cipher_mechs_tab[4].me_threshold = kcf_bf_threshold; - - (void) strncpy(kcf_cipher_mechs_tab[5].me_name, SUN_CKM_BLOWFISH_ECB, - CRYPTO_MAX_MECH_NAME); - kcf_cipher_mechs_tab[5].me_threshold = kcf_bf_threshold; - - (void) strncpy(kcf_cipher_mechs_tab[6].me_name, SUN_CKM_AES_CBC, - CRYPTO_MAX_MECH_NAME); - kcf_cipher_mechs_tab[6].me_threshold = kcf_aes_threshold; - - (void) strncpy(kcf_cipher_mechs_tab[7].me_name, SUN_CKM_AES_ECB, - CRYPTO_MAX_MECH_NAME); - kcf_cipher_mechs_tab[7].me_threshold = kcf_aes_threshold; - - (void) strncpy(kcf_cipher_mechs_tab[8].me_name, SUN_CKM_RC4, - CRYPTO_MAX_MECH_NAME); - kcf_cipher_mechs_tab[8].me_threshold = kcf_rc4_threshold; - - - /* 4 HMACs */ - (void) strncpy(kcf_mac_mechs_tab[0].me_name, SUN_CKM_MD5_HMAC, - CRYPTO_MAX_MECH_NAME); - kcf_mac_mechs_tab[0].me_threshold = kcf_md5_threshold; - - (void) strncpy(kcf_mac_mechs_tab[1].me_name, SUN_CKM_MD5_HMAC_GENERAL, - CRYPTO_MAX_MECH_NAME); - kcf_mac_mechs_tab[1].me_threshold = kcf_md5_threshold; - - (void) strncpy(kcf_mac_mechs_tab[2].me_name, SUN_CKM_SHA1_HMAC, - CRYPTO_MAX_MECH_NAME); - kcf_mac_mechs_tab[2].me_threshold = kcf_sha1_threshold; - - (void) strncpy(kcf_mac_mechs_tab[3].me_name, SUN_CKM_SHA1_HMAC_GENERAL, - CRYPTO_MAX_MECH_NAME); - kcf_mac_mechs_tab[3].me_threshold = kcf_sha1_threshold; - - kcf_mech_hash = mod_hash_create_strhash_nodtr("kcf mech2id hash", kcf_mech_hash_size, mod_hash_null_valdtor); @@ -313,11 +249,6 @@ kcf_create_mech_entry(kcf_ops_class_t class, const char *mechname) CRYPTO_MAX_MECH_NAME); me_tab[i].me_name[CRYPTO_MAX_MECH_NAME-1] = '\0'; me_tab[i].me_mechid = KCF_MECHID(class, i); - /* - * No a-priori information about the new mechanism, so - * the threshold is set to zero. - */ - me_tab[i].me_threshold = 0; mutex_exit(&(me_tab[i].me_mutex)); /* Add the new mechanism to the hash table */ diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index ed6f8d8d39c7..66ddcf43b7fb 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -246,10 +246,6 @@ typedef struct kcf_mech_entry { crypto_mech_type_t me_mechid; /* Internal id for mechanism */ kmutex_t me_mutex; /* access protection */ kcf_prov_mech_desc_t *me_sw_prov; /* provider */ - /* - * threshold for using hardware providers for this mech - */ - size_t me_threshold; } kcf_mech_entry_t; /* From 70992fe4349b3a08dfb13eef902157c6297f0055 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 01:51:28 +0100 Subject: [PATCH 22/39] module: icp: remove unused me_mutex MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It only needs to be locked if dynamic changes can occur. They can't. Signed-off-by: Ahelenia Ziemiańska --- module/icp/core/kcf_callprov.c | 3 --- module/icp/core/kcf_mech_tabs.c | 12 ------------ module/icp/core/kcf_prov_tabs.c | 9 +-------- module/icp/include/sys/crypto/impl.h | 1 - 4 files changed, 1 insertion(+), 24 deletions(-) diff --git a/module/icp/core/kcf_callprov.c b/module/icp/core/kcf_callprov.c index db8e33d5f9c2..b5ef5f111d50 100644 --- a/module/icp/core/kcf_callprov.c +++ b/module/icp/core/kcf_callprov.c @@ -107,8 +107,6 @@ kcf_get_mech_provider(crypto_mech_type_t mech_type, kcf_mech_entry_t **mepp, if (mepp != NULL) *mepp = me; - mutex_enter(&me->me_mutex); - /* Is there a provider? */ if (pd == NULL && (mdesc = me->me_sw_prov) != NULL) { pd = mdesc->pm_prov_desc; @@ -130,6 +128,5 @@ kcf_get_mech_provider(crypto_mech_type_t mech_type, kcf_mech_entry_t **mepp, } else KCF_PROV_REFHOLD(pd); - mutex_exit(&me->me_mutex); return (pd); } diff --git a/module/icp/core/kcf_mech_tabs.c b/module/icp/core/kcf_mech_tabs.c index ab932ae0bf68..1cb19896a99a 100644 --- a/module/icp/core/kcf_mech_tabs.c +++ b/module/icp/core/kcf_mech_tabs.c @@ -146,8 +146,6 @@ kcf_destroy_mech_tabs(void) for (class = KCF_FIRST_OPSCLASS; class <= KCF_LAST_OPSCLASS; class++) { max = kcf_mech_tabs_tab[class].met_size; me_tab = kcf_mech_tabs_tab[class].met_tab; - for (i = 0; i < max; i++) - mutex_destroy(&(me_tab[i].me_mutex)); } } @@ -176,8 +174,6 @@ kcf_init_mech_tabs(void) int max = kcf_mech_tabs_tab[class].met_size; me_tab = kcf_mech_tabs_tab[class].met_tab; for (int i = 0; i < max; i++) { - mutex_init(&(me_tab[i].me_mutex), NULL, - MUTEX_DEFAULT, NULL); if (me_tab[i].me_name[0] != 0) { me_tab[i].me_mechid = KCF_MECHID(class, i); (void) mod_hash_insert(kcf_mech_hash, @@ -242,7 +238,6 @@ kcf_create_mech_entry(kcf_ops_class_t class, const char *mechname) size = kcf_mech_tabs_tab[class].met_size; while (i < size) { - mutex_enter(&(me_tab[i].me_mutex)); if (me_tab[i].me_name[0] == 0) { /* Found an empty spot */ (void) strlcpy(me_tab[i].me_name, mechname, @@ -250,14 +245,12 @@ kcf_create_mech_entry(kcf_ops_class_t class, const char *mechname) me_tab[i].me_name[CRYPTO_MAX_MECH_NAME-1] = '\0'; me_tab[i].me_mechid = KCF_MECHID(class, i); - mutex_exit(&(me_tab[i].me_mutex)); /* Add the new mechanism to the hash table */ (void) mod_hash_insert(kcf_mech_hash, (mod_hash_key_t)me_tab[i].me_name, (mod_hash_val_t)&(me_tab[i].me_mechid)); break; } - mutex_exit(&(me_tab[i].me_mutex)); i++; } @@ -353,7 +346,6 @@ kcf_add_mech_provider(short mech_indx, * Add new kcf_prov_mech_desc at the front of HW providers * chain. */ - mutex_enter(&mech_entry->me_mutex); if (mech_entry->me_sw_prov != NULL) { /* * There is already a provider for this mechanism. @@ -377,7 +369,6 @@ kcf_add_mech_provider(short mech_indx, */ mech_entry->me_sw_prov = prov_mech; } - mutex_exit(&mech_entry->me_mutex); *pmdpp = prov_mech; @@ -425,16 +416,13 @@ kcf_remove_mech_provider(const char *mech_name, kcf_provider_desc_t *prov_desc) return; } - mutex_enter(&mech_entry->me_mutex); if (mech_entry->me_sw_prov == NULL || mech_entry->me_sw_prov->pm_prov_desc != prov_desc) { /* not the provider for this mechanism */ - mutex_exit(&mech_entry->me_mutex); return; } prov_mech = mech_entry->me_sw_prov; mech_entry->me_sw_prov = NULL; - mutex_exit(&mech_entry->me_mutex); /* free entry */ KCF_PROV_REFRELE(prov_mech->pm_prov_desc); diff --git a/module/icp/core/kcf_prov_tabs.c b/module/icp/core/kcf_prov_tabs.c index 25d9908d10ee..b8016e0ce3fb 100644 --- a/module/icp/core/kcf_prov_tabs.c +++ b/module/icp/core/kcf_prov_tabs.c @@ -290,24 +290,17 @@ kcf_get_sw_prov(crypto_mech_type_t mech_type, kcf_provider_desc_t **pd, if (kcf_get_mech_entry(mech_type, &me) != KCF_SUCCESS) return (CRYPTO_MECHANISM_INVALID); - /* - * Get the provider for this mechanism. - * Lock the mech_entry until we grab the 'pd'. - */ - mutex_enter(&me->me_mutex); - + /* Get the provider for this mechanism. */ if (me->me_sw_prov == NULL || (*pd = me->me_sw_prov->pm_prov_desc) == NULL) { /* no provider for this mechanism */ if (log_warn) cmn_err(CE_WARN, "no provider for \"%s\"\n", me->me_name); - mutex_exit(&me->me_mutex); return (CRYPTO_MECH_NOT_SUPPORTED); } KCF_PROV_REFHOLD(*pd); - mutex_exit(&me->me_mutex); if (mep != NULL) *mep = me; diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index 66ddcf43b7fb..78fe7eb64ebb 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -244,7 +244,6 @@ typedef struct kcf_prov_mech_desc { typedef struct kcf_mech_entry { crypto_mech_name_t me_name; /* mechanism name */ crypto_mech_type_t me_mechid; /* Internal id for mechanism */ - kmutex_t me_mutex; /* access protection */ kcf_prov_mech_desc_t *me_sw_prov; /* provider */ } kcf_mech_entry_t; From 962d9bff5da14703f8a745bf26fbba0280128522 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 01:07:58 +0100 Subject: [PATCH 23/39] module: icp: rip out modhash. Replace the one user with AVL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- lib/libicp/Makefile.am | 1 - module/icp/Makefile.in | 1 - module/icp/core/kcf_mech_tabs.c | 117 +--- module/icp/illumos-crypto.c | 5 - module/icp/include/sys/crypto/impl.h | 4 +- module/icp/include/sys/modhash.h | 147 ---- module/icp/include/sys/modhash_impl.h | 108 --- module/icp/os/modhash.c | 927 -------------------------- 8 files changed, 39 insertions(+), 1271 deletions(-) delete mode 100644 module/icp/include/sys/modhash.h delete mode 100644 module/icp/include/sys/modhash_impl.h delete mode 100644 module/icp/os/modhash.c diff --git a/lib/libicp/Makefile.am b/lib/libicp/Makefile.am index 6ebcd4907161..382253f6fa48 100644 --- a/lib/libicp/Makefile.am +++ b/lib/libicp/Makefile.am @@ -51,7 +51,6 @@ KERNEL_C = \ io/aes.c \ io/sha2_mod.c \ io/skein_mod.c \ - os/modhash.c \ core/kcf_sched.c \ core/kcf_prov_lib.c \ core/kcf_callprov.c \ diff --git a/module/icp/Makefile.in b/module/icp/Makefile.in index eb807d0e519a..72c9ab12adb7 100644 --- a/module/icp/Makefile.in +++ b/module/icp/Makefile.in @@ -26,7 +26,6 @@ $(MODULE)-objs += spi/kcf_spi.o $(MODULE)-objs += io/aes.o $(MODULE)-objs += io/sha2_mod.o $(MODULE)-objs += io/skein_mod.o -$(MODULE)-objs += os/modhash.o $(MODULE)-objs += algs/modes/cbc.o $(MODULE)-objs += algs/modes/ccm.o $(MODULE)-objs += algs/modes/ctr.o diff --git a/module/icp/core/kcf_mech_tabs.c b/module/icp/core/kcf_mech_tabs.c index 1cb19896a99a..aba3b43e85d6 100644 --- a/module/icp/core/kcf_mech_tabs.c +++ b/module/icp/core/kcf_mech_tabs.c @@ -27,7 +27,6 @@ #include #include #include -#include /* Cryptographic mechanisms tables and their access functions */ @@ -55,9 +54,6 @@ /* * Locking conventions: * -------------------- - * A global mutex, kcf_mech_tabs_lock, serializes writes to the - * mechanism table via kcf_create_mech_entry(). - * * A mutex is associated with every entry of the tables. * The mutex is acquired whenever the entry is accessed for * 1) retrieving the mech_id (comparing the mech name) @@ -72,9 +68,6 @@ * long enough to justify the cost of using rwlocks, so the per-mechanism * entry mutex won't be very *hot*. * - * When both kcf_mech_tabs_lock and a mech_entry mutex need to be held, - * kcf_mech_tabs_lock must always be acquired first. - * */ /* Mechanisms tables */ @@ -111,42 +104,22 @@ const kcf_mech_entry_tab_t kcf_mech_tabs_tab[KCF_LAST_OPSCLASS + 1] = { {KCF_MAXMAC, kcf_mac_mechs_tab}, }; -static kmutex_t kcf_mech_tabs_lock; +static avl_tree_t kcf_mech_hash; -static const int kcf_mech_hash_size = 256; -static mod_hash_t *kcf_mech_hash; /* mech name to id hash */ - -static crypto_mech_type_t -kcf_mech_hash_find(const char *mechname) +static int +kcf_mech_hash_compar(const void *lhs, const void *rhs) { - mod_hash_val_t hv; - crypto_mech_type_t mt; - - mt = CRYPTO_MECH_INVALID; - if (mod_hash_find(kcf_mech_hash, (mod_hash_key_t)mechname, &hv) == 0) { - mt = *(crypto_mech_type_t *)hv; - ASSERT(mt != CRYPTO_MECH_INVALID); - } - - return (mt); + const kcf_mech_entry_t *l = lhs, *r = rhs; + int cmp = strncmp(l->me_name, r->me_name, CRYPTO_MAX_MECH_NAME); + return ((0 < cmp) - (cmp < 0)); } void kcf_destroy_mech_tabs(void) { - int i, max; - kcf_ops_class_t class; - kcf_mech_entry_t *me_tab; - - if (kcf_mech_hash) - mod_hash_destroy_hash(kcf_mech_hash); - - mutex_destroy(&kcf_mech_tabs_lock); - - for (class = KCF_FIRST_OPSCLASS; class <= KCF_LAST_OPSCLASS; class++) { - max = kcf_mech_tabs_tab[class].met_size; - me_tab = kcf_mech_tabs_tab[class].met_tab; - } + for (void *cookie = NULL; avl_destroy_nodes(&kcf_mech_hash, &cookie); ) + ; + avl_destroy(&kcf_mech_hash); } /* @@ -161,14 +134,9 @@ kcf_init_mech_tabs(void) kcf_ops_class_t class; kcf_mech_entry_t *me_tab; - /* Initializes the mutex locks. */ - - mutex_init(&kcf_mech_tabs_lock, NULL, MUTEX_DEFAULT, NULL); - /* Then the pre-defined mechanism entries */ - - kcf_mech_hash = mod_hash_create_strhash_nodtr("kcf mech2id hash", - kcf_mech_hash_size, mod_hash_null_valdtor); + avl_create(&kcf_mech_hash, kcf_mech_hash_compar, + sizeof (kcf_mech_entry_t), offsetof(kcf_mech_entry_t, me_node)); for (class = KCF_FIRST_OPSCLASS; class <= KCF_LAST_OPSCLASS; class++) { int max = kcf_mech_tabs_tab[class].met_size; @@ -176,9 +144,7 @@ kcf_init_mech_tabs(void) for (int i = 0; i < max; i++) { if (me_tab[i].me_name[0] != 0) { me_tab[i].me_mechid = KCF_MECHID(class, i); - (void) mod_hash_insert(kcf_mech_hash, - (mod_hash_key_t)me_tab[i].me_name, - (mod_hash_val_t)&(me_tab[i].me_mechid)); + avl_add(&kcf_mech_hash, &me_tab[i]); } } } @@ -213,10 +179,6 @@ kcf_init_mech_tabs(void) static int kcf_create_mech_entry(kcf_ops_class_t class, const char *mechname) { - crypto_mech_type_t mt; - kcf_mech_entry_t *me_tab; - int i = 0, size; - if ((class < KCF_FIRST_OPSCLASS) || (class > KCF_LAST_OPSCLASS)) return (KCF_INVALID_MECH_CLASS); @@ -226,41 +188,28 @@ kcf_create_mech_entry(kcf_ops_class_t class, const char *mechname) * First check if the mechanism is already in one of the tables. * The mech_entry could be in another class. */ - mutex_enter(&kcf_mech_tabs_lock); - mt = kcf_mech_hash_find(mechname); - if (mt != CRYPTO_MECH_INVALID) { - /* Nothing to do, regardless the suggested class. */ - mutex_exit(&kcf_mech_tabs_lock); + avl_index_t where = 0; + kcf_mech_entry_t tmptab; + strlcpy(tmptab.me_name, mechname, CRYPTO_MAX_MECH_NAME); + if (avl_find(&kcf_mech_hash, &tmptab, &where) != NULL) return (KCF_SUCCESS); - } /* Now take the next unused mech entry in the class's tab */ - me_tab = kcf_mech_tabs_tab[class].met_tab; - size = kcf_mech_tabs_tab[class].met_size; + kcf_mech_entry_t *me_tab = kcf_mech_tabs_tab[class].met_tab; + int size = kcf_mech_tabs_tab[class].met_size; - while (i < size) { + for (int i = 0; i < size; ++i) if (me_tab[i].me_name[0] == 0) { /* Found an empty spot */ - (void) strlcpy(me_tab[i].me_name, mechname, + strlcpy(me_tab[i].me_name, mechname, CRYPTO_MAX_MECH_NAME); - me_tab[i].me_name[CRYPTO_MAX_MECH_NAME-1] = '\0'; me_tab[i].me_mechid = KCF_MECHID(class, i); /* Add the new mechanism to the hash table */ - (void) mod_hash_insert(kcf_mech_hash, - (mod_hash_key_t)me_tab[i].me_name, - (mod_hash_val_t)&(me_tab[i].me_mechid)); - break; + avl_insert(&kcf_mech_hash, &me_tab[i], where); + return (KCF_SUCCESS); } - i++; - } - mutex_exit(&kcf_mech_tabs_lock); - - if (i == size) { - return (KCF_MECH_TAB_FULL); - } - - return (KCF_SUCCESS); + return (KCF_MECH_TAB_FULL); } /* @@ -299,7 +248,7 @@ kcf_add_mech_provider(short mech_indx, * Find the class corresponding to the function group flag of * the mechanism. */ - kcf_mech_type = kcf_mech_hash_find(mech_info->cm_mech_name); + kcf_mech_type = crypto_mech2id(mech_info->cm_mech_name); if (kcf_mech_type == CRYPTO_MECH_INVALID) { crypto_func_group_t fg = mech_info->cm_func_group_mask; kcf_ops_class_t class; @@ -325,7 +274,7 @@ kcf_add_mech_provider(short mech_indx, return (error); } /* get the KCF mech type that was assigned to the mechanism */ - kcf_mech_type = kcf_mech_hash_find(mech_info->cm_mech_name); + kcf_mech_type = crypto_mech2id(mech_info->cm_mech_name); ASSERT(kcf_mech_type != CRYPTO_MECH_INVALID); } @@ -398,7 +347,7 @@ kcf_remove_mech_provider(const char *mech_name, kcf_provider_desc_t *prov_desc) kcf_mech_entry_t *mech_entry; /* get the KCF mech type that was assigned to the mechanism */ - if ((mech_type = kcf_mech_hash_find(mech_name)) == + if ((mech_type = crypto_mech2id(mech_name)) == CRYPTO_MECH_INVALID) { /* * Provider was not allowed for this mech due to policy or @@ -484,9 +433,7 @@ kcf_get_mech_entry(crypto_mech_type_t mech_type, kcf_mech_entry_t **mep) * Description: * Walks the mechanisms tables, looking for an entry that matches the * mechname. Once it find it, it builds the 64-bit mech_type and returns - * it. If there are no providers for the mechanism, - * but there is an unloaded provider, this routine will attempt - * to load it. + * it. * * Context: * Process and interruption. @@ -504,7 +451,15 @@ kcf_get_mech_entry(crypto_mech_type_t mech_type, kcf_mech_entry_t **mep) crypto_mech_type_t crypto_mech2id(const char *mechname) { - return (kcf_mech_hash_find(mechname)); + kcf_mech_entry_t tmptab, *found; + strlcpy(tmptab.me_name, mechname, CRYPTO_MAX_MECH_NAME); + + if ((found = avl_find(&kcf_mech_hash, &tmptab, NULL))) { + ASSERT(found->me_mechid != CRYPTO_MECH_INVALID); + return (found->me_mechid); + } + + return (CRYPTO_MECH_INVALID); } #if defined(_KERNEL) diff --git a/module/icp/illumos-crypto.c b/module/icp/illumos-crypto.c index 5b2820220f2c..f68f6bc765a2 100644 --- a/module/icp/illumos-crypto.c +++ b/module/icp/illumos-crypto.c @@ -36,7 +36,6 @@ #include #include #include -#include #include /* @@ -114,16 +113,12 @@ icp_fini(void) kcf_sched_destroy(); kcf_prov_tab_destroy(); kcf_destroy_mech_tabs(); - mod_hash_fini(); } /* roughly equivalent to kcf.c: _init() */ int __init icp_init(void) { - /* initialize the mod hash module */ - mod_hash_init(); - /* initialize the mechanisms tables supported out-of-the-box */ kcf_init_mech_tabs(); diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index 78fe7eb64ebb..172661adc46d 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -34,6 +34,7 @@ #include #include #include +#include #ifdef __cplusplus extern "C" { @@ -245,6 +246,7 @@ typedef struct kcf_mech_entry { crypto_mech_name_t me_name; /* mechanism name */ crypto_mech_type_t me_mechid; /* Internal id for mechanism */ kcf_prov_mech_desc_t *me_sw_prov; /* provider */ + avl_node_t me_node; } kcf_mech_entry_t; /* @@ -300,7 +302,7 @@ extern const kcf_mech_entry_tab_t kcf_mech_tabs_tab[]; #define KCF_MECH2CLASS(mech_type) ((kcf_ops_class_t)((mech_type) >> 32)) -#define KCF_MECH2INDEX(mech_type) ((int)(mech_type)) +#define KCF_MECH2INDEX(mech_type) ((int)((mech_type) & 0xFFFFFFFF)) #define KCF_TO_PROV_MECH_INDX(pd, mech_type) \ ((pd)->pd_mech_indx[KCF_MECH2CLASS(mech_type)] \ diff --git a/module/icp/include/sys/modhash.h b/module/icp/include/sys/modhash.h deleted file mode 100644 index 06b52ff02604..000000000000 --- a/module/icp/include/sys/modhash.h +++ /dev/null @@ -1,147 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ -/* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -#ifndef _SYS_MODHASH_H -#define _SYS_MODHASH_H - -/* - * Generic hash implementation for the kernel. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -#include - -/* - * Opaque data types for storing keys and values - */ -typedef void *mod_hash_val_t; -typedef void *mod_hash_key_t; - -/* - * Opaque data type for reservation - */ -typedef void *mod_hash_hndl_t; - -/* - * Opaque type for hash itself. - */ -struct mod_hash; -typedef struct mod_hash mod_hash_t; - -/* - * String hash table - */ -mod_hash_t *mod_hash_create_strhash_nodtr(char *, size_t, - void (*)(mod_hash_val_t)); -mod_hash_t *mod_hash_create_strhash(char *, size_t, void (*)(mod_hash_val_t)); -void mod_hash_destroy_strhash(mod_hash_t *); -int mod_hash_strkey_cmp(mod_hash_key_t, mod_hash_key_t); -void mod_hash_strkey_dtor(mod_hash_key_t); -void mod_hash_strval_dtor(mod_hash_val_t); -uint_t mod_hash_bystr(void *, mod_hash_key_t); - -/* - * Pointer hash table - */ -mod_hash_t *mod_hash_create_ptrhash(char *, size_t, void (*)(mod_hash_val_t), - size_t); -void mod_hash_destroy_ptrhash(mod_hash_t *); -int mod_hash_ptrkey_cmp(mod_hash_key_t, mod_hash_key_t); -uint_t mod_hash_byptr(void *, mod_hash_key_t); - -/* - * ID hash table - */ -mod_hash_t *mod_hash_create_idhash(char *, size_t, void (*)(mod_hash_val_t)); -void mod_hash_destroy_idhash(mod_hash_t *); -int mod_hash_idkey_cmp(mod_hash_key_t, mod_hash_key_t); -uint_t mod_hash_byid(void *, mod_hash_key_t); -uint_t mod_hash_iddata_gen(size_t); - -/* - * Hash management functions - */ -mod_hash_t *mod_hash_create_extended(char *, size_t, void (*)(mod_hash_key_t), - void (*)(mod_hash_val_t), uint_t (*)(void *, mod_hash_key_t), void *, - int (*)(mod_hash_key_t, mod_hash_key_t), int); - -void mod_hash_destroy_hash(mod_hash_t *); -void mod_hash_clear(mod_hash_t *); - -/* - * Null key and value destructors - */ -void mod_hash_null_keydtor(mod_hash_key_t); -void mod_hash_null_valdtor(mod_hash_val_t); - -/* - * Basic hash operations - */ - -/* - * Error codes for insert, remove, find, destroy. - */ -#define MH_ERR_NOMEM -1 -#define MH_ERR_DUPLICATE -2 -#define MH_ERR_NOTFOUND -3 - -/* - * Return codes for hash walkers - */ -#define MH_WALK_CONTINUE 0 -#define MH_WALK_TERMINATE 1 - -/* - * Basic hash operations - */ -int mod_hash_insert(mod_hash_t *, mod_hash_key_t, mod_hash_val_t); -int mod_hash_replace(mod_hash_t *, mod_hash_key_t, mod_hash_val_t); -int mod_hash_remove(mod_hash_t *, mod_hash_key_t, mod_hash_val_t *); -int mod_hash_destroy(mod_hash_t *, mod_hash_key_t); -int mod_hash_find(mod_hash_t *, mod_hash_key_t, mod_hash_val_t *); -int mod_hash_find_cb(mod_hash_t *, mod_hash_key_t, mod_hash_val_t *, - void (*)(mod_hash_key_t, mod_hash_val_t)); -int mod_hash_find_cb_rval(mod_hash_t *, mod_hash_key_t, mod_hash_val_t *, - int (*)(mod_hash_key_t, mod_hash_val_t), int *); -void mod_hash_walk(mod_hash_t *, - uint_t (*)(mod_hash_key_t, mod_hash_val_t *, void *), void *); - -/* - * Reserving hash operations - */ -int mod_hash_reserve(mod_hash_t *, mod_hash_hndl_t *); -int mod_hash_reserve_nosleep(mod_hash_t *, mod_hash_hndl_t *); -void mod_hash_cancel(mod_hash_t *, mod_hash_hndl_t *); -int mod_hash_insert_reserve(mod_hash_t *, mod_hash_key_t, mod_hash_val_t, - mod_hash_hndl_t); - -#ifdef __cplusplus -} -#endif - -#endif /* _SYS_MODHASH_H */ diff --git a/module/icp/include/sys/modhash_impl.h b/module/icp/include/sys/modhash_impl.h deleted file mode 100644 index 3130773aa196..000000000000 --- a/module/icp/include/sys/modhash_impl.h +++ /dev/null @@ -1,108 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ -/* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -#ifndef _SYS_MODHASH_IMPL_H -#define _SYS_MODHASH_IMPL_H - -/* - * Internal details for the kernel's generic hash implementation. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -#include -#include - -struct mod_hash_entry { - mod_hash_key_t mhe_key; /* stored hash key */ - mod_hash_val_t mhe_val; /* stored hash value */ - struct mod_hash_entry *mhe_next; /* next item in chain */ -}; - -struct mod_hash_stat { - ulong_t mhs_hit; /* tried a 'find' and it succeeded */ - ulong_t mhs_miss; /* tried a 'find' but it failed */ - ulong_t mhs_coll; /* occur when insert fails because of dup's */ - ulong_t mhs_nelems; /* total number of stored key/value pairs */ - ulong_t mhs_nomem; /* number of times kmem_alloc failed */ -}; - -struct mod_hash { - krwlock_t mh_contents; /* lock protecting contents */ - char *mh_name; /* hash name */ - int mh_sleep; /* kmem_alloc flag */ - size_t mh_nchains; /* # of elements in mh_entries */ - - /* key and val destructor */ - void (*mh_kdtor)(mod_hash_key_t); - void (*mh_vdtor)(mod_hash_val_t); - - /* key comparator */ - int (*mh_keycmp)(mod_hash_key_t, mod_hash_key_t); - - /* hash algorithm, and algorithm-private data */ - uint_t (*mh_hashalg)(void *, mod_hash_key_t); - void *mh_hashalg_data; - - struct mod_hash *mh_next; /* next hash in list */ - - struct mod_hash_stat mh_stat; - - struct mod_hash_entry *mh_entries[1]; -}; - -/* - * MH_SIZE() - * Compute the size of a mod_hash_t, in bytes, given the number of - * elements it contains. - */ -#define MH_SIZE(n) \ - (sizeof (mod_hash_t) + ((n) - 1) * (sizeof (struct mod_hash_entry *))) - -/* - * Module initialization; called once. - */ -void mod_hash_fini(void); -void mod_hash_init(void); - -/* - * Internal routines. Use directly with care. - */ -uint_t i_mod_hash(mod_hash_t *, mod_hash_key_t); -int i_mod_hash_insert_nosync(mod_hash_t *, mod_hash_key_t, mod_hash_val_t, - mod_hash_hndl_t); -int i_mod_hash_remove_nosync(mod_hash_t *, mod_hash_key_t, mod_hash_val_t *); -int i_mod_hash_find_nosync(mod_hash_t *, mod_hash_key_t, mod_hash_val_t *); -void i_mod_hash_walk_nosync(mod_hash_t *, uint_t (*)(mod_hash_key_t, - mod_hash_val_t *, void *), void *); -void i_mod_hash_clear_nosync(mod_hash_t *hash); - -#ifdef __cplusplus -} -#endif - -#endif /* _SYS_MODHASH_IMPL_H */ diff --git a/module/icp/os/modhash.c b/module/icp/os/modhash.c deleted file mode 100644 index 8bd06973eff1..000000000000 --- a/module/icp/os/modhash.c +++ /dev/null @@ -1,927 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ -/* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -/* - * mod_hash: flexible hash table implementation. - * - * This is a reasonably fast, reasonably flexible hash table implementation - * which features pluggable hash algorithms to support storing arbitrary keys - * and values. It is designed to handle small (< 100,000 items) amounts of - * data. The hash uses chaining to resolve collisions, and does not feature a - * mechanism to grow the hash. Care must be taken to pick nchains to be large - * enough for the application at hand, or lots of time will be wasted searching - * hash chains. - * - * The client of the hash is required to supply a number of items to support - * the various hash functions: - * - * - Destructor functions for the key and value being hashed. - * A destructor is responsible for freeing an object when the hash - * table is no longer storing it. Since keys and values can be of - * arbitrary type, separate destructors for keys & values are used. - * These may be mod_hash_null_keydtor and mod_hash_null_valdtor if no - * destructor is needed for either a key or value. - * - * - A hashing algorithm which returns a uint_t representing a hash index - * The number returned need _not_ be between 0 and nchains. The mod_hash - * code will take care of doing that. The second argument (after the - * key) to the hashing function is a void * that represents - * hash_alg_data-- this is provided so that the hashing algorithm can - * maintain some state across calls, or keep algorithm-specific - * constants associated with the hash table. - * - * A pointer-hashing and a string-hashing algorithm are supplied in - * this file. - * - * - A key comparator (a la qsort). - * This is used when searching the hash chain. The key comparator - * determines if two keys match. It should follow the return value - * semantics of strcmp. - * - * string and pointer comparators are supplied in this file. - * - * mod_hash_create_strhash() and mod_hash_create_ptrhash() provide good - * examples of how to create a customized hash table. - * - * Basic hash operations: - * - * mod_hash_create_strhash(name, nchains, dtor), - * create a hash using strings as keys. - * NOTE: This create a hash which automatically cleans up the string - * values it is given for keys. - * - * mod_hash_create_ptrhash(name, nchains, dtor, key_elem_size): - * create a hash using pointers as keys. - * - * mod_hash_create_extended(name, nchains, kdtor, vdtor, - * hash_alg, hash_alg_data, - * keycmp, sleep) - * create a customized hash table. - * - * mod_hash_destroy_hash(hash): - * destroy the given hash table, calling the key and value destructors - * on each key-value pair stored in the hash. - * - * mod_hash_insert(hash, key, val): - * place a key, value pair into the given hash. - * duplicate keys are rejected. - * - * mod_hash_insert_reserve(hash, key, val, handle): - * place a key, value pair into the given hash, using handle to indicate - * the reserved storage for the pair. (no memory allocation is needed - * during a mod_hash_insert_reserve.) duplicate keys are rejected. - * - * mod_hash_reserve(hash, *handle): - * reserve storage for a key-value pair using the memory allocation - * policy of 'hash', returning the storage handle in 'handle'. - * - * mod_hash_reserve_nosleep(hash, *handle): reserve storage for a key-value - * pair ignoring the memory allocation policy of 'hash' and always without - * sleep, returning the storage handle in 'handle'. - * - * mod_hash_remove(hash, key, *val): - * remove a key-value pair with key 'key' from 'hash', destroying the - * stored key, and returning the value in val. - * - * mod_hash_replace(hash, key, val) - * atomically remove an existing key-value pair from a hash, and replace - * the key and value with the ones supplied. The removed key and value - * (if any) are destroyed. - * - * mod_hash_destroy(hash, key): - * remove a key-value pair with key 'key' from 'hash', destroying both - * stored key and stored value. - * - * mod_hash_find(hash, key, val): - * find a value in the hash table corresponding to the given key. - * - * mod_hash_find_cb(hash, key, val, found_callback) - * find a value in the hash table corresponding to the given key. - * If a value is found, call specified callback passing key and val to it. - * The callback is called with the hash lock held. - * It is intended to be used in situations where the act of locating the - * data must also modify it - such as in reference counting schemes. - * - * mod_hash_walk(hash, callback(key, elem, arg), arg) - * walks all the elements in the hashtable and invokes the callback - * function with the key/value pair for each element. the hashtable - * is locked for readers so the callback function should not attempt - * to do any updates to the hashable. the callback function should - * return MH_WALK_CONTINUE to continue walking the hashtable or - * MH_WALK_TERMINATE to abort the walk of the hashtable. - * - * mod_hash_clear(hash): - * clears the given hash table of entries, calling the key and value - * destructors for every element in the hash. - */ - -#include -#include -#include -#include - -/* - * MH_KEY_DESTROY() - * Invoke the key destructor. - */ -#define MH_KEY_DESTROY(hash, key) ((hash->mh_kdtor)(key)) - -/* - * MH_VAL_DESTROY() - * Invoke the value destructor. - */ -#define MH_VAL_DESTROY(hash, val) ((hash->mh_vdtor)(val)) - -/* - * MH_KEYCMP() - * Call the key comparator for the given hash keys. - */ -#define MH_KEYCMP(hash, key1, key2) ((hash->mh_keycmp)(key1, key2)) - -/* - * Cache for struct mod_hash_entry - */ -kmem_cache_t *mh_e_cache = NULL; -mod_hash_t *mh_head = NULL; -kmutex_t mh_head_lock; - -/* - * mod_hash_null_keydtor() - * mod_hash_null_valdtor() - * no-op key and value destructors. - */ -void -mod_hash_null_keydtor(mod_hash_key_t key) -{ - (void) key; -} - -void -mod_hash_null_valdtor(mod_hash_val_t val) -{ - (void) val; -} - -/* - * mod_hash_bystr() - * mod_hash_strkey_cmp() - * mod_hash_strkey_dtor() - * mod_hash_strval_dtor() - * Hash and key comparison routines for hashes with string keys. - * - * mod_hash_create_strhash() - * Create a hash using strings as keys - * - * The string hashing algorithm is from the "Dragon Book" -- - * "Compilers: Principles, Tools & Techniques", by Aho, Sethi, Ullman - */ - -uint_t -mod_hash_bystr(void *hash_data, mod_hash_key_t key) -{ - (void) hash_data; - uint_t hash = 0; - uint_t g; - char *p, *k = (char *)key; - - ASSERT(k); - for (p = k; *p != '\0'; p++) { - hash = (hash << 4) + *p; - if ((g = (hash & 0xf0000000)) != 0) { - hash ^= (g >> 24); - hash ^= g; - } - } - return (hash); -} - -int -mod_hash_strkey_cmp(mod_hash_key_t key1, mod_hash_key_t key2) -{ - return (strcmp((char *)key1, (char *)key2)); -} - -void -mod_hash_strkey_dtor(mod_hash_key_t key) -{ - char *c = (char *)key; - kmem_free(c, strlen(c) + 1); -} - -void -mod_hash_strval_dtor(mod_hash_val_t val) -{ - char *c = (char *)val; - kmem_free(c, strlen(c) + 1); -} - -mod_hash_t * -mod_hash_create_strhash_nodtr(char *name, size_t nchains, - void (*val_dtor)(mod_hash_val_t)) -{ - return mod_hash_create_extended(name, nchains, mod_hash_null_keydtor, - val_dtor, mod_hash_bystr, NULL, mod_hash_strkey_cmp, KM_SLEEP); -} - -mod_hash_t * -mod_hash_create_strhash(char *name, size_t nchains, - void (*val_dtor)(mod_hash_val_t)) -{ - return mod_hash_create_extended(name, nchains, mod_hash_strkey_dtor, - val_dtor, mod_hash_bystr, NULL, mod_hash_strkey_cmp, KM_SLEEP); -} - -void -mod_hash_destroy_strhash(mod_hash_t *strhash) -{ - ASSERT(strhash); - mod_hash_destroy_hash(strhash); -} - - -/* - * mod_hash_byptr() - * mod_hash_ptrkey_cmp() - * Hash and key comparison routines for hashes with pointer keys. - * - * mod_hash_create_ptrhash() - * mod_hash_destroy_ptrhash() - * Create a hash that uses pointers as keys. This hash algorithm - * picks an appropriate set of middle bits in the address to hash on - * based on the size of the hash table and a hint about the size of - * the items pointed at. - */ -uint_t -mod_hash_byptr(void *hash_data, mod_hash_key_t key) -{ - uintptr_t k = (uintptr_t)key; - k >>= (int)(uintptr_t)hash_data; - - return ((uint_t)k); -} - -int -mod_hash_ptrkey_cmp(mod_hash_key_t key1, mod_hash_key_t key2) -{ - uintptr_t k1 = (uintptr_t)key1; - uintptr_t k2 = (uintptr_t)key2; - if (k1 > k2) - return (-1); - else if (k1 < k2) - return (1); - else - return (0); -} - -mod_hash_t * -mod_hash_create_ptrhash(char *name, size_t nchains, - void (*val_dtor)(mod_hash_val_t), size_t key_elem_size) -{ - size_t rshift; - - /* - * We want to hash on the bits in the middle of the address word - * Bits far to the right in the word have little significance, and - * are likely to all look the same (for example, an array of - * 256-byte structures will have the bottom 8 bits of address - * words the same). So we want to right-shift each address to - * ignore the bottom bits. - * - * The high bits, which are also unused, will get taken out when - * mod_hash takes hashkey % nchains. - */ - rshift = highbit64(key_elem_size); - - return mod_hash_create_extended(name, nchains, mod_hash_null_keydtor, - val_dtor, mod_hash_byptr, (void *)rshift, mod_hash_ptrkey_cmp, - KM_SLEEP); -} - -void -mod_hash_destroy_ptrhash(mod_hash_t *hash) -{ - ASSERT(hash); - mod_hash_destroy_hash(hash); -} - -/* - * mod_hash_byid() - * mod_hash_idkey_cmp() - * Hash and key comparison routines for hashes with 32-bit unsigned keys. - * - * mod_hash_create_idhash() - * mod_hash_destroy_idhash() - * mod_hash_iddata_gen() - * Create a hash that uses numeric keys. - * - * The hash algorithm is documented in "Introduction to Algorithms" - * (Cormen, Leiserson, Rivest); when the hash table is created, it - * attempts to find the next largest prime above the number of hash - * slots. The hash index is then this number times the key modulo - * the hash size, or (key * prime) % nchains. - */ -uint_t -mod_hash_byid(void *hash_data, mod_hash_key_t key) -{ - uint_t kval = (uint_t)(uintptr_t)hash_data; - return ((uint_t)(uintptr_t)key * (uint_t)kval); -} - -int -mod_hash_idkey_cmp(mod_hash_key_t key1, mod_hash_key_t key2) -{ - return ((uint_t)(uintptr_t)key1 - (uint_t)(uintptr_t)key2); -} - -/* - * Generate the next largest prime number greater than nchains; this value - * is intended to be later passed in to mod_hash_create_extended() as the - * hash_data. - */ -uint_t -mod_hash_iddata_gen(size_t nchains) -{ - uint_t kval, i, prime; - - /* - * Pick the first (odd) prime greater than nchains. Make sure kval is - * odd (so start with nchains +1 or +2 as appropriate). - */ - kval = (nchains % 2 == 0) ? nchains + 1 : nchains + 2; - - for (;;) { - prime = 1; - for (i = 3; i * i <= kval; i += 2) { - if (kval % i == 0) - prime = 0; - } - if (prime == 1) - break; - kval += 2; - } - return (kval); -} - -mod_hash_t * -mod_hash_create_idhash(char *name, size_t nchains, - void (*val_dtor)(mod_hash_val_t)) -{ - uint_t kval = mod_hash_iddata_gen(nchains); - - return (mod_hash_create_extended(name, nchains, mod_hash_null_keydtor, - val_dtor, mod_hash_byid, (void *)(uintptr_t)kval, - mod_hash_idkey_cmp, KM_SLEEP)); -} - -void -mod_hash_destroy_idhash(mod_hash_t *hash) -{ - ASSERT(hash); - mod_hash_destroy_hash(hash); -} - -void -mod_hash_fini(void) -{ - mutex_destroy(&mh_head_lock); - - if (mh_e_cache) { - kmem_cache_destroy(mh_e_cache); - mh_e_cache = NULL; - } -} - -/* - * mod_hash_init() - * sets up globals, etc for mod_hash_* - */ -void -mod_hash_init(void) -{ - ASSERT(mh_e_cache == NULL); - mh_e_cache = kmem_cache_create("mod_hash_entries", - sizeof (struct mod_hash_entry), 0, NULL, NULL, NULL, NULL, - NULL, 0); - - mutex_init(&mh_head_lock, NULL, MUTEX_DEFAULT, NULL); -} - -/* - * mod_hash_create_extended() - * The full-blown hash creation function. - * - * notes: - * nchains - how many hash slots to create. More hash slots will - * result in shorter hash chains, but will consume - * slightly more memory up front. - * sleep - should be KM_SLEEP or KM_NOSLEEP, to indicate whether - * to sleep for memory, or fail in low-memory conditions. - * - * Fails only if KM_NOSLEEP was specified, and no memory was available. - */ -mod_hash_t * -mod_hash_create_extended( - char *hname, /* descriptive name for hash */ - size_t nchains, /* number of hash slots */ - void (*kdtor)(mod_hash_key_t), /* key destructor */ - void (*vdtor)(mod_hash_val_t), /* value destructor */ - uint_t (*hash_alg)(void *, mod_hash_key_t), /* hash algorithm */ - void *hash_alg_data, /* pass-thru arg for hash_alg */ - int (*keycmp)(mod_hash_key_t, mod_hash_key_t), /* key comparator */ - int sleep) /* whether to sleep for mem */ -{ - mod_hash_t *mod_hash; - size_t size; - ASSERT(hname && keycmp && hash_alg && vdtor && kdtor); - - if ((mod_hash = kmem_zalloc(MH_SIZE(nchains), sleep)) == NULL) - return (NULL); - - size = strlen(hname) + 1; - mod_hash->mh_name = kmem_alloc(size, sleep); - if (mod_hash->mh_name == NULL) { - kmem_free(mod_hash, MH_SIZE(nchains)); - return (NULL); - } - (void) strlcpy(mod_hash->mh_name, hname, size); - - rw_init(&mod_hash->mh_contents, NULL, RW_DEFAULT, NULL); - mod_hash->mh_sleep = sleep; - mod_hash->mh_nchains = nchains; - mod_hash->mh_kdtor = kdtor; - mod_hash->mh_vdtor = vdtor; - mod_hash->mh_hashalg = hash_alg; - mod_hash->mh_hashalg_data = hash_alg_data; - mod_hash->mh_keycmp = keycmp; - - /* - * Link the hash up on the list of hashes - */ - mutex_enter(&mh_head_lock); - mod_hash->mh_next = mh_head; - mh_head = mod_hash; - mutex_exit(&mh_head_lock); - - return (mod_hash); -} - -/* - * mod_hash_destroy_hash() - * destroy a hash table, destroying all of its stored keys and values - * as well. - */ -void -mod_hash_destroy_hash(mod_hash_t *hash) -{ - mod_hash_t *mhp, *mhpp; - - mutex_enter(&mh_head_lock); - /* - * Remove the hash from the hash list - */ - if (hash == mh_head) { /* removing 1st list elem */ - mh_head = mh_head->mh_next; - } else { - /* - * mhpp can start out NULL since we know the 1st elem isn't the - * droid we're looking for. - */ - mhpp = NULL; - for (mhp = mh_head; mhp != NULL; mhp = mhp->mh_next) { - if (mhp == hash) { - mhpp->mh_next = mhp->mh_next; - break; - } - mhpp = mhp; - } - } - mutex_exit(&mh_head_lock); - - /* - * Clean out keys and values. - */ - mod_hash_clear(hash); - - rw_destroy(&hash->mh_contents); - kmem_free(hash->mh_name, strlen(hash->mh_name) + 1); - kmem_free(hash, MH_SIZE(hash->mh_nchains)); -} - -/* - * i_mod_hash() - * Call the hashing algorithm for this hash table, with the given key. - */ -uint_t -i_mod_hash(mod_hash_t *hash, mod_hash_key_t key) -{ - uint_t h; - /* - * Prevent div by 0 problems; - * Also a nice shortcut when using a hash as a list - */ - if (hash->mh_nchains == 1) - return (0); - - h = (hash->mh_hashalg)(hash->mh_hashalg_data, key); - return (h % (hash->mh_nchains - 1)); -} - -/* - * i_mod_hash_insert_nosync() - * mod_hash_insert() - * mod_hash_insert_reserve() - * insert 'val' into the hash table, using 'key' as its key. If 'key' is - * already a key in the hash, an error will be returned, and the key-val - * pair will not be inserted. i_mod_hash_insert_nosync() supports a simple - * handle abstraction, allowing hash entry allocation to be separated from - * the hash insertion. this abstraction allows simple use of the mod_hash - * structure in situations where mod_hash_insert() with a KM_SLEEP - * allocation policy would otherwise be unsafe. - */ -int -i_mod_hash_insert_nosync(mod_hash_t *hash, mod_hash_key_t key, - mod_hash_val_t val, mod_hash_hndl_t handle) -{ - uint_t hashidx; - struct mod_hash_entry *entry; - - ASSERT(hash); - - /* - * If we've not been given reserved storage, allocate storage directly, - * using the hash's allocation policy. - */ - if (handle == (mod_hash_hndl_t)0) { - entry = kmem_cache_alloc(mh_e_cache, hash->mh_sleep); - if (entry == NULL) { - hash->mh_stat.mhs_nomem++; - return (MH_ERR_NOMEM); - } - } else { - entry = (struct mod_hash_entry *)handle; - } - - hashidx = i_mod_hash(hash, key); - entry->mhe_key = key; - entry->mhe_val = val; - entry->mhe_next = hash->mh_entries[hashidx]; - - hash->mh_entries[hashidx] = entry; - hash->mh_stat.mhs_nelems++; - - return (0); -} - -int -mod_hash_insert(mod_hash_t *hash, mod_hash_key_t key, mod_hash_val_t val) -{ - int res; - mod_hash_val_t v; - - rw_enter(&hash->mh_contents, RW_WRITER); - - /* - * Disallow duplicate keys in the hash - */ - if (i_mod_hash_find_nosync(hash, key, &v) == 0) { - rw_exit(&hash->mh_contents); - hash->mh_stat.mhs_coll++; - return (MH_ERR_DUPLICATE); - } - - res = i_mod_hash_insert_nosync(hash, key, val, (mod_hash_hndl_t)0); - rw_exit(&hash->mh_contents); - - return (res); -} - -int -mod_hash_insert_reserve(mod_hash_t *hash, mod_hash_key_t key, - mod_hash_val_t val, mod_hash_hndl_t handle) -{ - int res; - mod_hash_val_t v; - - rw_enter(&hash->mh_contents, RW_WRITER); - - /* - * Disallow duplicate keys in the hash - */ - if (i_mod_hash_find_nosync(hash, key, &v) == 0) { - rw_exit(&hash->mh_contents); - hash->mh_stat.mhs_coll++; - return (MH_ERR_DUPLICATE); - } - res = i_mod_hash_insert_nosync(hash, key, val, handle); - rw_exit(&hash->mh_contents); - - return (res); -} - -/* - * mod_hash_reserve() - * mod_hash_reserve_nosleep() - * mod_hash_cancel() - * Make or cancel a mod_hash_entry_t reservation. Reservations are used in - * mod_hash_insert_reserve() above. - */ -int -mod_hash_reserve(mod_hash_t *hash, mod_hash_hndl_t *handlep) -{ - *handlep = kmem_cache_alloc(mh_e_cache, hash->mh_sleep); - if (*handlep == NULL) { - hash->mh_stat.mhs_nomem++; - return (MH_ERR_NOMEM); - } - - return (0); -} - -int -mod_hash_reserve_nosleep(mod_hash_t *hash, mod_hash_hndl_t *handlep) -{ - *handlep = kmem_cache_alloc(mh_e_cache, KM_NOSLEEP); - if (*handlep == NULL) { - hash->mh_stat.mhs_nomem++; - return (MH_ERR_NOMEM); - } - - return (0); - -} - -void -mod_hash_cancel(mod_hash_t *hash, mod_hash_hndl_t *handlep) -{ - (void) hash; - kmem_cache_free(mh_e_cache, *handlep); - *handlep = (mod_hash_hndl_t)0; -} - -/* - * i_mod_hash_remove_nosync() - * mod_hash_remove() - * Remove an element from the hash table. - */ -int -i_mod_hash_remove_nosync(mod_hash_t *hash, mod_hash_key_t key, - mod_hash_val_t *val) -{ - int hashidx; - struct mod_hash_entry *e, *ep; - - hashidx = i_mod_hash(hash, key); - ep = NULL; /* e's parent */ - - for (e = hash->mh_entries[hashidx]; e != NULL; e = e->mhe_next) { - if (MH_KEYCMP(hash, e->mhe_key, key) == 0) - break; - ep = e; - } - - if (e == NULL) { /* not found */ - return (MH_ERR_NOTFOUND); - } - - if (ep == NULL) /* special case 1st element in bucket */ - hash->mh_entries[hashidx] = e->mhe_next; - else - ep->mhe_next = e->mhe_next; - - /* - * Clean up resources used by the node's key. - */ - MH_KEY_DESTROY(hash, e->mhe_key); - - *val = e->mhe_val; - kmem_cache_free(mh_e_cache, e); - hash->mh_stat.mhs_nelems--; - - return (0); -} - -int -mod_hash_remove(mod_hash_t *hash, mod_hash_key_t key, mod_hash_val_t *val) -{ - int res; - - rw_enter(&hash->mh_contents, RW_WRITER); - res = i_mod_hash_remove_nosync(hash, key, val); - rw_exit(&hash->mh_contents); - - return (res); -} - -/* - * mod_hash_replace() - * atomically remove an existing key-value pair from a hash, and replace - * the key and value with the ones supplied. The removed key and value - * (if any) are destroyed. - */ -int -mod_hash_replace(mod_hash_t *hash, mod_hash_key_t key, mod_hash_val_t val) -{ - int res; - mod_hash_val_t v; - - rw_enter(&hash->mh_contents, RW_WRITER); - - if (i_mod_hash_remove_nosync(hash, key, &v) == 0) { - /* - * mod_hash_remove() takes care of freeing up the key resources. - */ - MH_VAL_DESTROY(hash, v); - } - res = i_mod_hash_insert_nosync(hash, key, val, (mod_hash_hndl_t)0); - - rw_exit(&hash->mh_contents); - - return (res); -} - -/* - * mod_hash_destroy() - * Remove an element from the hash table matching 'key', and destroy it. - */ -int -mod_hash_destroy(mod_hash_t *hash, mod_hash_key_t key) -{ - mod_hash_val_t val; - int rv; - - rw_enter(&hash->mh_contents, RW_WRITER); - - if ((rv = i_mod_hash_remove_nosync(hash, key, &val)) == 0) { - /* - * mod_hash_remove() takes care of freeing up the key resources. - */ - MH_VAL_DESTROY(hash, val); - } - - rw_exit(&hash->mh_contents); - return (rv); -} - -/* - * i_mod_hash_find_nosync() - * mod_hash_find() - * Find a value in the hash table corresponding to the given key. - */ -int -i_mod_hash_find_nosync(mod_hash_t *hash, mod_hash_key_t key, - mod_hash_val_t *val) -{ - uint_t hashidx; - struct mod_hash_entry *e; - - hashidx = i_mod_hash(hash, key); - - for (e = hash->mh_entries[hashidx]; e != NULL; e = e->mhe_next) { - if (MH_KEYCMP(hash, e->mhe_key, key) == 0) { - *val = e->mhe_val; - hash->mh_stat.mhs_hit++; - return (0); - } - } - hash->mh_stat.mhs_miss++; - return (MH_ERR_NOTFOUND); -} - -int -mod_hash_find(mod_hash_t *hash, mod_hash_key_t key, mod_hash_val_t *val) -{ - int res; - - rw_enter(&hash->mh_contents, RW_READER); - res = i_mod_hash_find_nosync(hash, key, val); - rw_exit(&hash->mh_contents); - - return (res); -} - -int -mod_hash_find_cb(mod_hash_t *hash, mod_hash_key_t key, mod_hash_val_t *val, - void (*find_cb)(mod_hash_key_t, mod_hash_val_t)) -{ - int res; - - rw_enter(&hash->mh_contents, RW_READER); - res = i_mod_hash_find_nosync(hash, key, val); - if (res == 0) { - find_cb(key, *val); - } - rw_exit(&hash->mh_contents); - - return (res); -} - -int -mod_hash_find_cb_rval(mod_hash_t *hash, mod_hash_key_t key, mod_hash_val_t *val, - int (*find_cb)(mod_hash_key_t, mod_hash_val_t), int *cb_rval) -{ - int res; - - rw_enter(&hash->mh_contents, RW_READER); - res = i_mod_hash_find_nosync(hash, key, val); - if (res == 0) { - *cb_rval = find_cb(key, *val); - } - rw_exit(&hash->mh_contents); - - return (res); -} - -void -i_mod_hash_walk_nosync(mod_hash_t *hash, - uint_t (*callback)(mod_hash_key_t, mod_hash_val_t *, void *), void *arg) -{ - struct mod_hash_entry *e; - uint_t hashidx; - int res = MH_WALK_CONTINUE; - - for (hashidx = 0; - (hashidx < (hash->mh_nchains - 1)) && (res == MH_WALK_CONTINUE); - hashidx++) { - e = hash->mh_entries[hashidx]; - while ((e != NULL) && (res == MH_WALK_CONTINUE)) { - res = callback(e->mhe_key, e->mhe_val, arg); - e = e->mhe_next; - } - } -} - -/* - * mod_hash_walk() - * Walks all the elements in the hashtable and invokes the callback - * function with the key/value pair for each element. The hashtable - * is locked for readers so the callback function should not attempt - * to do any updates to the hashable. The callback function should - * return MH_WALK_CONTINUE to continue walking the hashtable or - * MH_WALK_TERMINATE to abort the walk of the hashtable. - */ -void -mod_hash_walk(mod_hash_t *hash, - uint_t (*callback)(mod_hash_key_t, mod_hash_val_t *, void *), void *arg) -{ - rw_enter(&hash->mh_contents, RW_READER); - i_mod_hash_walk_nosync(hash, callback, arg); - rw_exit(&hash->mh_contents); -} - - -/* - * i_mod_hash_clear_nosync() - * mod_hash_clear() - * Clears the given hash table by calling the destructor of every hash - * element and freeing up all mod_hash_entry's. - */ -void -i_mod_hash_clear_nosync(mod_hash_t *hash) -{ - int i; - struct mod_hash_entry *e, *old_e; - - for (i = 0; i < hash->mh_nchains; i++) { - e = hash->mh_entries[i]; - while (e != NULL) { - MH_KEY_DESTROY(hash, e->mhe_key); - MH_VAL_DESTROY(hash, e->mhe_val); - old_e = e; - e = e->mhe_next; - kmem_cache_free(mh_e_cache, old_e); - } - hash->mh_entries[i] = NULL; - } - hash->mh_stat.mhs_nelems = 0; -} - -void -mod_hash_clear(mod_hash_t *hash) -{ - ASSERT(hash); - rw_enter(&hash->mh_contents, RW_WRITER); - i_mod_hash_clear_nosync(hash); - rw_exit(&hash->mh_contents); -} From 8df68c53f13b4182cc2c602e029dedcf42f39534 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 02:50:25 +0100 Subject: [PATCH 24/39] module: icp: remove unused CRYPTO_* error codes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/sys/crypto/common.h | 70 ---------------------- module/icp/api/kcf_cipher.c | 6 +- module/icp/api/kcf_mac.c | 10 +--- module/icp/include/sys/crypto/impl.h | 2 +- module/icp/include/sys/crypto/sched_impl.h | 18 ++---- 5 files changed, 12 insertions(+), 94 deletions(-) diff --git a/include/sys/crypto/common.h b/include/sys/crypto/common.h index 557c3d4d1780..a644a8e9a9db 100644 --- a/include/sys/crypto/common.h +++ b/include/sys/crypto/common.h @@ -436,95 +436,25 @@ typedef enum cmd_type { * Common cryptographic status and error codes. */ #define CRYPTO_SUCCESS 0x00000000 -#define CRYPTO_CANCEL 0x00000001 #define CRYPTO_HOST_MEMORY 0x00000002 -#define CRYPTO_GENERAL_ERROR 0x00000003 #define CRYPTO_FAILED 0x00000004 #define CRYPTO_ARGUMENTS_BAD 0x00000005 -#define CRYPTO_ATTRIBUTE_READ_ONLY 0x00000006 -#define CRYPTO_ATTRIBUTE_SENSITIVE 0x00000007 -#define CRYPTO_ATTRIBUTE_TYPE_INVALID 0x00000008 -#define CRYPTO_ATTRIBUTE_VALUE_INVALID 0x00000009 -#define CRYPTO_CANCELED 0x0000000A -#define CRYPTO_DATA_INVALID 0x0000000B #define CRYPTO_DATA_LEN_RANGE 0x0000000C -#define CRYPTO_DEVICE_ERROR 0x0000000D -#define CRYPTO_DEVICE_MEMORY 0x0000000E -#define CRYPTO_DEVICE_REMOVED 0x0000000F -#define CRYPTO_ENCRYPTED_DATA_INVALID 0x00000010 #define CRYPTO_ENCRYPTED_DATA_LEN_RANGE 0x00000011 -#define CRYPTO_KEY_HANDLE_INVALID 0x00000012 #define CRYPTO_KEY_SIZE_RANGE 0x00000013 #define CRYPTO_KEY_TYPE_INCONSISTENT 0x00000014 -#define CRYPTO_KEY_NOT_NEEDED 0x00000015 -#define CRYPTO_KEY_CHANGED 0x00000016 -#define CRYPTO_KEY_NEEDED 0x00000017 -#define CRYPTO_KEY_INDIGESTIBLE 0x00000018 -#define CRYPTO_KEY_FUNCTION_NOT_PERMITTED 0x00000019 -#define CRYPTO_KEY_NOT_WRAPPABLE 0x0000001A -#define CRYPTO_KEY_UNEXTRACTABLE 0x0000001B #define CRYPTO_MECHANISM_INVALID 0x0000001C #define CRYPTO_MECHANISM_PARAM_INVALID 0x0000001D -#define CRYPTO_OBJECT_HANDLE_INVALID 0x0000001E -#define CRYPTO_OPERATION_IS_ACTIVE 0x0000001F -#define CRYPTO_OPERATION_NOT_INITIALIZED 0x00000020 -#define CRYPTO_PIN_INCORRECT 0x00000021 -#define CRYPTO_PIN_INVALID 0x00000022 -#define CRYPTO_PIN_LEN_RANGE 0x00000023 -#define CRYPTO_PIN_EXPIRED 0x00000024 -#define CRYPTO_PIN_LOCKED 0x00000025 -#define CRYPTO_SESSION_CLOSED 0x00000026 -#define CRYPTO_SESSION_COUNT 0x00000027 -#define CRYPTO_SESSION_HANDLE_INVALID 0x00000028 -#define CRYPTO_SESSION_READ_ONLY 0x00000029 -#define CRYPTO_SESSION_EXISTS 0x0000002A -#define CRYPTO_SESSION_READ_ONLY_EXISTS 0x0000002B -#define CRYPTO_SESSION_READ_WRITE_SO_EXISTS 0x0000002C #define CRYPTO_SIGNATURE_INVALID 0x0000002D -#define CRYPTO_SIGNATURE_LEN_RANGE 0x0000002E -#define CRYPTO_TEMPLATE_INCOMPLETE 0x0000002F -#define CRYPTO_TEMPLATE_INCONSISTENT 0x00000030 -#define CRYPTO_UNWRAPPING_KEY_HANDLE_INVALID 0x00000031 -#define CRYPTO_UNWRAPPING_KEY_SIZE_RANGE 0x00000032 -#define CRYPTO_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x00000033 -#define CRYPTO_USER_ALREADY_LOGGED_IN 0x00000034 -#define CRYPTO_USER_NOT_LOGGED_IN 0x00000035 -#define CRYPTO_USER_PIN_NOT_INITIALIZED 0x00000036 -#define CRYPTO_USER_TYPE_INVALID 0x00000037 -#define CRYPTO_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000038 -#define CRYPTO_USER_TOO_MANY_TYPES 0x00000039 -#define CRYPTO_WRAPPED_KEY_INVALID 0x0000003A -#define CRYPTO_WRAPPED_KEY_LEN_RANGE 0x0000003B -#define CRYPTO_WRAPPING_KEY_HANDLE_INVALID 0x0000003C -#define CRYPTO_WRAPPING_KEY_SIZE_RANGE 0x0000003D -#define CRYPTO_WRAPPING_KEY_TYPE_INCONSISTENT 0x0000003E -#define CRYPTO_RANDOM_SEED_NOT_SUPPORTED 0x0000003F -#define CRYPTO_RANDOM_NO_RNG 0x00000040 -#define CRYPTO_DOMAIN_PARAMS_INVALID 0x00000041 #define CRYPTO_BUFFER_TOO_SMALL 0x00000042 -#define CRYPTO_INFORMATION_SENSITIVE 0x00000043 #define CRYPTO_NOT_SUPPORTED 0x00000044 -#define CRYPTO_QUEUED 0x00000045 -#define CRYPTO_BUFFER_TOO_BIG 0x00000046 #define CRYPTO_INVALID_CONTEXT 0x00000047 #define CRYPTO_INVALID_MAC 0x00000048 #define CRYPTO_MECH_NOT_SUPPORTED 0x00000049 -#define CRYPTO_INCONSISTENT_ATTRIBUTE 0x0000004A -#define CRYPTO_NO_PERMISSION 0x0000004B #define CRYPTO_INVALID_PROVIDER_ID 0x0000004C -#define CRYPTO_VERSION_MISMATCH 0x0000004D #define CRYPTO_BUSY 0x0000004E #define CRYPTO_UNKNOWN_PROVIDER 0x0000004F -#define CRYPTO_MODVERIFICATION_FAILED 0x00000050 -#define CRYPTO_OLD_CTX_TEMPLATE 0x00000051 -#define CRYPTO_WEAK_KEY 0x00000052 -#define CRYPTO_FIPS140_ERROR 0x00000053 -/* - * Don't forget to update CRYPTO_LAST_ERROR and the error_number_table[] - * in kernelUtil.c when new error code is added. - */ -#define CRYPTO_LAST_ERROR 0x00000053 #ifdef __cplusplus } diff --git a/module/icp/api/kcf_cipher.c b/module/icp/api/kcf_cipher.c index 30fd0f3d198d..963e94bfd3d4 100644 --- a/module/icp/api/kcf_cipher.c +++ b/module/icp/api/kcf_cipher.c @@ -98,8 +98,7 @@ crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, plaintext, ciphertext, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); KCF_PROV_INCRSTATS(pd, error); - if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && - IS_RECOVERABLE(error)) { + if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */ if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL) goto retry; @@ -177,8 +176,7 @@ crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, ciphertext, plaintext, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); KCF_PROV_INCRSTATS(pd, error); - if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && - IS_RECOVERABLE(error)) { + if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */ if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL) goto retry; diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index 369ba55cec70..11102cdeaedd 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -40,8 +40,6 @@ * presence of the arguments. * * CRYPTO_SUCCESS: The operation completed successfully. - * CRYPTO_QUEUED: A request was submitted successfully. The callback - * routine will be called when the operation is done. * CRYPTO_INVALID_MECH_NUMBER, CRYPTO_INVALID_MECH_PARAM, or * CRYPTO_INVALID_MECH for problems with the 'mech'. * CRYPTO_INVALID_DATA for bogus 'data' @@ -117,8 +115,7 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, mac, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); KCF_PROV_INCRSTATS(pd, error); - if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && - IS_RECOVERABLE(error)) { + if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */ if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL) goto retry; @@ -188,7 +185,7 @@ crypto_mac_init_prov(crypto_provider_t provider, KCF_SWFP_RHNDL(crq)); KCF_PROV_INCRSTATS(pd, rv); - if ((rv == CRYPTO_SUCCESS) || (rv == CRYPTO_QUEUED)) + if (rv == CRYPTO_SUCCESS) *ctxp = (crypto_context_t)ctx; else { /* Release the hold done in kcf_new_ctx(). */ @@ -236,8 +233,7 @@ crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, error = crypto_mac_init_prov(pd, mech, key, spi_ctx_tmpl, ctxp, crq); - if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED && - IS_RECOVERABLE(error)) { + if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */ if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL) goto retry; diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index 172661adc46d..c4b9d7dcadfb 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -87,7 +87,7 @@ typedef struct kcf_sched_info { (pd)->pd_sched_info.ks_ndispatches++; \ if (error == CRYPTO_BUSY) \ (pd)->pd_sched_info.ks_nbusy_rval++; \ - else if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED) \ + else if (error != CRYPTO_SUCCESS) \ (pd)->pd_sched_info.ks_nfails++; \ } diff --git a/module/icp/include/sys/crypto/sched_impl.h b/module/icp/include/sys/crypto/sched_impl.h index 0f3961958336..29e573800c71 100644 --- a/module/icp/include/sys/crypto/sched_impl.h +++ b/module/icp/include/sys/crypto/sched_impl.h @@ -75,12 +75,8 @@ typedef struct kcf_prov_tried { (tlist != NULL && is_in_triedlist(pd, tlist)) #define IS_RECOVERABLE(error) \ - (error == CRYPTO_BUFFER_TOO_BIG || \ - error == CRYPTO_BUSY || \ - error == CRYPTO_DEVICE_ERROR || \ - error == CRYPTO_DEVICE_MEMORY || \ - error == CRYPTO_KEY_SIZE_RANGE || \ - error == CRYPTO_NO_PERMISSION) + (error == CRYPTO_BUSY || \ + error == CRYPTO_KEY_SIZE_RANGE) /* * Internal representation of a canonical context. We contain crypto_ctx_t @@ -107,10 +103,9 @@ typedef struct kcf_context { } /* - * Check if we can release the context now. In case of CRYPTO_QUEUED - * we do not release it as we can do it only after the provider notified - * us. In case of CRYPTO_BUSY, the client can retry the request using - * the context, so we do not release the context. + * Check if we can release the context now. In case of CRYPTO_BUSY, + * the client can retry the request using the context, + * so we do not release the context. * * This macro should be called only from the final routine in * an init/update/final sequence. We do not release the context in case @@ -128,8 +123,7 @@ typedef struct kcf_context { * This macro determines whether we're done with a context. */ #define KCF_CONTEXT_DONE(rv) \ - ((rv) != CRYPTO_QUEUED && (rv) != CRYPTO_BUSY && \ - (rv) != CRYPTO_BUFFER_TOO_SMALL) + ((rv) != CRYPTO_BUSY && (rv) != CRYPTO_BUFFER_TOO_SMALL) /* * A crypto_ctx_template_t is internally a pointer to this struct From 6ea45cd5309671b2a29b37dd647d80fa6a6bf834 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 03:23:07 +0100 Subject: [PATCH 25/39] module: icp: fold away all key formats except CRYPTO_KEY_RAW MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It's the only one actually used Signed-off-by: Ahelenia Ziemiańska --- include/os/freebsd/zfs/sys/freebsd_crypto.h | 7 +- include/sys/crypto/common.h | 157 +------------------- module/icp/api/kcf_mac.c | 3 +- module/icp/core/kcf_prov_lib.c | 44 ++---- module/icp/include/sys/crypto/impl.h | 2 - module/icp/io/aes.c | 30 +--- module/icp/io/sha2_mod.c | 15 -- module/icp/io/skein_mod.c | 2 - module/os/freebsd/zfs/crypto_os.c | 12 +- module/os/freebsd/zfs/hkdf.c | 2 - module/os/freebsd/zfs/zio_crypt.c | 7 - module/os/linux/zfs/zio_crypt.c | 8 - module/zfs/dsl_crypt.c | 1 - module/zfs/hkdf.c | 2 - 14 files changed, 28 insertions(+), 264 deletions(-) diff --git a/include/os/freebsd/zfs/sys/freebsd_crypto.h b/include/os/freebsd/zfs/sys/freebsd_crypto.h index a3ed4182656c..a61a6cd88c13 100644 --- a/include/os/freebsd/zfs/sys/freebsd_crypto.h +++ b/include/os/freebsd/zfs/sys/freebsd_crypto.h @@ -42,8 +42,6 @@ #define SUN_CKM_AES_GCM "CKM_AES_GCM" #define SUN_CKM_SHA512_HMAC "CKM_SHA512_HMAC" -#define CRYPTO_KEY_RAW 1 - #define CRYPTO_BITS2BYTES(n) ((n) == 0 ? 0 : (((n) - 1) >> 3) + 1) #define CRYPTO_BYTES2BITS(n) ((n) << 3) @@ -61,12 +59,11 @@ typedef struct freebsd_crypt_session { typedef void *crypto_mechanism_t; typedef void *crypto_ctx_template_t; /* - * Unlike the ICP crypto_key type, this only + * Like the ICP crypto_key type, this only * supports (the equivalent of - * CRYPTO_KEY_RAW). + * the former CRYPTO_KEY_RAW). */ typedef struct crypto_key { - int ck_format; /* Unused, but minimizes code diff */ void *ck_data; size_t ck_length; } crypto_key_t; diff --git a/include/sys/crypto/common.h b/include/sys/crypto/common.h index a644a8e9a9db..76be229520f1 100644 --- a/include/sys/crypto/common.h +++ b/include/sys/crypto/common.h @@ -255,109 +255,11 @@ typedef struct crypto_data { /* The keys, and their contents */ -typedef enum { - CRYPTO_KEY_RAW = 1, /* ck_data is a cleartext key */ - CRYPTO_KEY_REFERENCE, /* ck_obj_id is an opaque reference */ - CRYPTO_KEY_ATTR_LIST /* ck_attrs is a list of object attributes */ -} crypto_key_format_t; - -typedef uint64_t crypto_attr_type_t; - -/* Attribute types to use for passing a RSA public key or a private key. */ -#define SUN_CKA_MODULUS 0x00000120 -#define SUN_CKA_MODULUS_BITS 0x00000121 -#define SUN_CKA_PUBLIC_EXPONENT 0x00000122 -#define SUN_CKA_PRIVATE_EXPONENT 0x00000123 -#define SUN_CKA_PRIME_1 0x00000124 -#define SUN_CKA_PRIME_2 0x00000125 -#define SUN_CKA_EXPONENT_1 0x00000126 -#define SUN_CKA_EXPONENT_2 0x00000127 -#define SUN_CKA_COEFFICIENT 0x00000128 -#define SUN_CKA_PRIME 0x00000130 -#define SUN_CKA_SUBPRIME 0x00000131 -#define SUN_CKA_BASE 0x00000132 - -#define CKK_EC 0x00000003 -#define CKK_GENERIC_SECRET 0x00000010 -#define CKK_RC4 0x00000012 -#define CKK_AES 0x0000001F -#define CKK_DES 0x00000013 -#define CKK_DES2 0x00000014 -#define CKK_DES3 0x00000015 - -#define CKO_PUBLIC_KEY 0x00000002 -#define CKO_PRIVATE_KEY 0x00000003 -#define CKA_CLASS 0x00000000 -#define CKA_VALUE 0x00000011 -#define CKA_KEY_TYPE 0x00000100 -#define CKA_VALUE_LEN 0x00000161 -#define CKA_EC_PARAMS 0x00000180 -#define CKA_EC_POINT 0x00000181 - -typedef uint32_t crypto_object_id_t; - -typedef struct crypto_object_attribute { - crypto_attr_type_t oa_type; /* attribute type */ - caddr_t oa_value; /* attribute value */ - ssize_t oa_value_len; /* length of attribute value */ -} crypto_object_attribute_t; - -typedef struct crypto_key { - crypto_key_format_t ck_format; /* format identifier */ - union { - /* for CRYPTO_KEY_RAW ck_format */ - struct { - uint_t cku_v_length; /* # of bits in ck_data */ - void *cku_v_data; /* ptr to key value */ - } cku_key_value; - - /* for CRYPTO_KEY_REFERENCE ck_format */ - crypto_object_id_t cku_key_id; /* reference to object key */ - - /* for CRYPTO_KEY_ATTR_LIST ck_format */ - struct { - uint_t cku_a_count; /* number of attributes */ - crypto_object_attribute_t *cku_a_oattr; - } cku_key_attrs; - } cku_data; /* Crypto Key union */ +typedef struct { + uint_t ck_length; /* # of bits in ck_data */ + void *ck_data; /* ptr to key value */ } crypto_key_t; -#ifdef _SYSCALL32 - -typedef struct crypto_object_attribute32 { - uint64_t oa_type; /* attribute type */ - caddr32_t oa_value; /* attribute value */ - ssize32_t oa_value_len; /* length of attribute value */ -} crypto_object_attribute32_t; - -typedef struct crypto_key32 { - crypto_key_format_t ck_format; /* format identifier */ - union { - /* for CRYPTO_KEY_RAW ck_format */ - struct { - uint32_t cku_v_length; /* # of bytes in ck_data */ - caddr32_t cku_v_data; /* ptr to key value */ - } cku_key_value; - - /* for CRYPTO_KEY_REFERENCE ck_format */ - crypto_object_id_t cku_key_id; /* reference to object key */ - - /* for CRYPTO_KEY_ATTR_LIST ck_format */ - struct { - uint32_t cku_a_count; /* number of attributes */ - caddr32_t cku_a_oattr; - } cku_key_attrs; - } cku_data; /* Crypto Key union */ -} crypto_key32_t; - -#endif /* _SYSCALL32 */ - -#define ck_data cku_data.cku_key_value.cku_v_data -#define ck_length cku_data.cku_key_value.cku_v_length -#define ck_obj_id cku_data.cku_key_id -#define ck_count cku_data.cku_key_attrs.cku_a_count -#define ck_attrs cku_data.cku_key_attrs.cku_a_oattr - /* * Raw key lengths are expressed in number of bits. * The following macro returns the minimum number of @@ -372,64 +274,11 @@ typedef struct crypto_key32 { typedef uint32_t crypto_provider_id_t; #define KCF_PROVID_INVALID ((uint32_t)-1) -typedef struct crypto_provider_entry { - crypto_provider_id_t pe_provider_id; - uint_t pe_mechanism_count; -} crypto_provider_entry_t; - -typedef struct crypto_dev_list_entry { - char le_dev_name[MAXNAMELEN]; - uint_t le_dev_instance; - uint_t le_mechanism_count; -} crypto_dev_list_entry_t; - -/* User type for authentication ioctls and SPI entry points */ - -typedef enum crypto_user_type { - CRYPTO_SO = 0, - CRYPTO_USER -} crypto_user_type_t; - -/* Version for provider management ioctls and SPI entry points */ - -typedef struct crypto_version { - uchar_t cv_major; - uchar_t cv_minor; -} crypto_version_t; - /* session data structure opaque to the consumer */ typedef void *crypto_session_t; -/* provider data structure opaque to the consumer */ -typedef void *crypto_provider_t; - -/* Limits used by both consumers and providers */ -#define CRYPTO_EXT_SIZE_LABEL 32 -#define CRYPTO_EXT_SIZE_MANUF 32 -#define CRYPTO_EXT_SIZE_MODEL 16 -#define CRYPTO_EXT_SIZE_SERIAL 16 -#define CRYPTO_EXT_SIZE_TIME 16 - typedef uint_t crypto_session_id_t; -typedef enum cmd_type { - COPY_FROM_DATA, - COPY_TO_DATA, - COMPARE_TO_DATA, - MD5_DIGEST_DATA, - SHA1_DIGEST_DATA, - SHA2_DIGEST_DATA, - GHASH_DATA -} cmd_type_t; - -#define CRYPTO_DO_UPDATE 0x01 -#define CRYPTO_DO_FINAL 0x02 -#define CRYPTO_DO_MD5 0x04 -#define CRYPTO_DO_SHA1 0x08 -#define CRYPTO_DO_SIGN 0x10 -#define CRYPTO_DO_VERIFY 0x20 -#define CRYPTO_DO_SHA2 0x40 - #define PROVIDER_OWNS_KEY_SCHEDULE 0x00000001 /* diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index 11102cdeaedd..7bf0c499e851 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -164,13 +164,12 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, * See comment in the beginning of the file. */ static int -crypto_mac_init_prov(crypto_provider_t provider, +crypto_mac_init_prov(kcf_provider_desc_t *pd, crypto_mechanism_t *mech, crypto_key_t *key, crypto_spi_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *crq) { int rv; crypto_ctx_t *ctx; - kcf_provider_desc_t *pd = provider; kcf_provider_desc_t *real_provider = pd; ASSERT(KCF_PROV_REFHELD(pd)); diff --git a/module/icp/core/kcf_prov_lib.c b/module/icp/core/kcf_prov_lib.c index 6e8853c56dc6..c65a9111a257 100644 --- a/module/icp/core/kcf_prov_lib.c +++ b/module/icp/core/kcf_prov_lib.c @@ -33,14 +33,12 @@ */ /* - * Utility routine to apply the command, 'cmd', to the + * Utility routine to apply the command COPY_TO_DATA to the * data in the uio structure. */ -int -crypto_uio_data(crypto_data_t *data, uchar_t *buf, int len, cmd_type_t cmd, - void *digest_ctx, void (*update)(void)) +static int +crypto_uio_copy_to_data(crypto_data_t *data, uchar_t *buf, int len) { - (void) digest_ctx, (void) update; zfs_uio_t *uiop = data->cd_uio; off_t offset = data->cd_offset; size_t length = len; @@ -72,26 +70,8 @@ crypto_uio_data(crypto_data_t *data, uchar_t *buf, int len, cmd_type_t cmd, offset, length); datap = (uchar_t *)(zfs_uio_iovbase(uiop, vec_idx) + offset); - switch (cmd) { - case COPY_FROM_DATA: - bcopy(datap, buf, cur_len); - buf += cur_len; - break; - case COPY_TO_DATA: - bcopy(buf, datap, cur_len); - buf += cur_len; - break; - case COMPARE_TO_DATA: - if (bcmp(datap, buf, cur_len)) - return (CRYPTO_SIGNATURE_INVALID); - buf += cur_len; - break; - case MD5_DIGEST_DATA: - case SHA1_DIGEST_DATA: - case SHA2_DIGEST_DATA: - case GHASH_DATA: - return (CRYPTO_ARGUMENTS_BAD); - } + bcopy(buf, datap, cur_len); + buf += cur_len; length -= cur_len; vec_idx++; @@ -100,16 +80,11 @@ crypto_uio_data(crypto_data_t *data, uchar_t *buf, int len, cmd_type_t cmd, if (vec_idx == zfs_uio_iovcnt(uiop) && length > 0) { /* - * The end of the specified iovec's was reached but + * The end of the specified iovecs was reached but * the length requested could not be processed. */ - switch (cmd) { - case COPY_TO_DATA: - data->cd_length = len; - return (CRYPTO_BUFFER_TOO_SMALL); - default: - return (CRYPTO_DATA_LEN_RANGE); - } + data->cd_length = len; + return (CRYPTO_BUFFER_TOO_SMALL); } return (CRYPTO_SUCCESS); @@ -129,8 +104,7 @@ crypto_put_output_data(uchar_t *buf, crypto_data_t *output, int len) break; case CRYPTO_DATA_UIO: - return (crypto_uio_data(output, buf, len, - COPY_TO_DATA, NULL, NULL)); + return (crypto_uio_copy_to_data(output, buf, len)); default: return (CRYPTO_ARGUMENTS_BAD); } diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index c4b9d7dcadfb..da00c4001b65 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -479,8 +479,6 @@ extern kcf_provider_desc_t *kcf_alloc_provider_desc(void); extern void kcf_provider_zero_refcnt(kcf_provider_desc_t *); extern void kcf_free_provider_desc(kcf_provider_desc_t *); extern void undo_register_provider(kcf_provider_desc_t *, boolean_t); -extern int crypto_uio_data(crypto_data_t *, uchar_t *, int, cmd_type_t, - void *, void (*update)(void)); extern int crypto_put_output_data(uchar_t *, crypto_data_t *, int); extern int crypto_update_iov(void *, crypto_data_t *, crypto_data_t *, int (*cipher)(void *, caddr_t, size_t, crypto_data_t *), diff --git a/module/icp/io/aes.c b/module/icp/io/aes.c index 9e99e1fa7bfb..48ec6709c24e 100644 --- a/module/icp/io/aes.c +++ b/module/icp/io/aes.c @@ -242,24 +242,15 @@ aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag) static int init_keysched(crypto_key_t *key, void *newbie) { - /* - * Only keys by value are supported by this module. - */ - switch (key->ck_format) { - case CRYPTO_KEY_RAW: - if (key->ck_length < AES_MINBITS || - key->ck_length > AES_MAXBITS) { - return (CRYPTO_KEY_SIZE_RANGE); - } - - /* key length must be either 128, 192, or 256 */ - if ((key->ck_length & 63) != 0) - return (CRYPTO_KEY_SIZE_RANGE); - break; - default: - return (CRYPTO_KEY_TYPE_INCONSISTENT); + if (key->ck_length < AES_MINBITS || + key->ck_length > AES_MAXBITS) { + return (CRYPTO_KEY_SIZE_RANGE); } + /* key length must be either 128, 192, or 256 */ + if ((key->ck_length & 63) != 0) + return (CRYPTO_KEY_SIZE_RANGE); + aes_init_keysched(key->ck_data, key->ck_length, newbie); return (CRYPTO_SUCCESS); } @@ -294,13 +285,6 @@ aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, int rv; int kmflag; - /* - * Only keys by value are supported by this module. - */ - if (key->ck_format != CRYPTO_KEY_RAW) { - return (CRYPTO_KEY_TYPE_INCONSISTENT); - } - kmflag = crypto_kmflag(req); if ((rv = aes_check_mech_param(mechanism, &aes_ctx, kmflag)) != CRYPTO_SUCCESS) diff --git a/module/icp/io/sha2_mod.c b/module/icp/io/sha2_mod.c index 2ac57ebe58bc..d5a8d5bb728c 100644 --- a/module/icp/io/sha2_mod.c +++ b/module/icp/io/sha2_mod.c @@ -737,9 +737,6 @@ sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, return (CRYPTO_MECHANISM_INVALID); } - if (key->ck_format != CRYPTO_KEY_RAW) - return (CRYPTO_ARGUMENTS_BAD); - ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t), crypto_kmflag(req)); if (ctx->cc_provider_private == NULL) @@ -971,10 +968,6 @@ sha2_mac_atomic(crypto_provider_handle_t provider, return (CRYPTO_MECHANISM_INVALID); } - /* Add support for key by attributes (RFE 4706552) */ - if (key->ck_format != CRYPTO_KEY_RAW) - return (CRYPTO_ARGUMENTS_BAD); - if (ctx_template != NULL) { /* reuse context template */ bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t)); @@ -1109,10 +1102,6 @@ sha2_mac_verify_atomic(crypto_provider_handle_t provider, return (CRYPTO_MECHANISM_INVALID); } - /* Add support for key by attributes (RFE 4706552) */ - if (key->ck_format != CRYPTO_KEY_RAW) - return (CRYPTO_ARGUMENTS_BAD); - if (ctx_template != NULL) { /* reuse context template */ bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t)); @@ -1287,10 +1276,6 @@ sha2_create_ctx_template(crypto_provider_handle_t provider, return (CRYPTO_MECHANISM_INVALID); } - /* Add support for key by attributes (RFE 4706552) */ - if (key->ck_format != CRYPTO_KEY_RAW) - return (CRYPTO_ARGUMENTS_BAD); - /* * Allocate and initialize SHA2 context. */ diff --git a/module/icp/io/skein_mod.c b/module/icp/io/skein_mod.c index ab233e2b4edb..48e4358b8d86 100644 --- a/module/icp/io/skein_mod.c +++ b/module/icp/io/skein_mod.c @@ -530,8 +530,6 @@ skein_mac_ctx_build(skein_ctx_t *ctx, crypto_mechanism_t *mechanism, if (!VALID_SKEIN_MAC_MECH(mechanism->cm_type)) return (CRYPTO_MECHANISM_INVALID); - if (key->ck_format != CRYPTO_KEY_RAW) - return (CRYPTO_ARGUMENTS_BAD); ctx->sc_mech_type = mechanism->cm_type; error = skein_get_digest_bitlen(mechanism, &ctx->sc_digest_bitlen); if (error != CRYPTO_SUCCESS) diff --git a/module/os/freebsd/zfs/crypto_os.c b/module/os/freebsd/zfs/crypto_os.c index f971b62bd124..73083f59f532 100644 --- a/module/os/freebsd/zfs/crypto_os.c +++ b/module/os/freebsd/zfs/crypto_os.c @@ -210,12 +210,12 @@ freebsd_crypt_uio_debug_log(boolean_t encrypt, uint8_t *p = NULL; size_t total = 0; - printf("%s(%s, %p, { %s, %d, %d, %s }, %p, { %d, %p, %u }, " + printf("%s(%s, %p, { %s, %d, %d, %s }, %p, { %p, %u }, " "%p, %u, %u)\n", __FUNCTION__, encrypt ? "encrypt" : "decrypt", input_sessionp, c_info->ci_algname, c_info->ci_crypt_type, (unsigned int)c_info->ci_keylen, c_info->ci_name, - data_uio, key->ck_format, key->ck_data, + data_uio, key->ck_data, (unsigned int)key->ck_length, ivbuf, (unsigned int)datalen, (unsigned int)auth_len); printf("\tkey = { "); @@ -247,11 +247,11 @@ freebsd_crypt_newsession(freebsd_crypt_session_t *sessp, int error = 0; #ifdef FCRYPTO_DEBUG - printf("%s(%p, { %s, %d, %d, %s }, { %d, %p, %u })\n", + printf("%s(%p, { %s, %d, %d, %s }, { %p, %u })\n", __FUNCTION__, sessp, c_info->ci_algname, c_info->ci_crypt_type, (unsigned int)c_info->ci_keylen, c_info->ci_name, - key->ck_format, key->ck_data, (unsigned int)key->ck_length); + key->ck_data, (unsigned int)key->ck_length); printf("\tkey = { "); for (int i = 0; i < key->ck_length / 8; i++) { uint8_t *b = (uint8_t *)key->ck_data; @@ -391,11 +391,11 @@ freebsd_crypt_newsession(freebsd_crypt_session_t *sessp, crypto_session_t sid; #ifdef FCRYPTO_DEBUG - printf("%s(%p, { %s, %d, %d, %s }, { %d, %p, %u })\n", + printf("%s(%p, { %s, %d, %d, %s }, { %p, %u })\n", __FUNCTION__, sessp, c_info->ci_algname, c_info->ci_crypt_type, (unsigned int)c_info->ci_keylen, c_info->ci_name, - key->ck_format, key->ck_data, (unsigned int)key->ck_length); + key->ck_data, (unsigned int)key->ck_length); printf("\tkey = { "); for (int i = 0; i < key->ck_length / 8; i++) { uint8_t *b = (uint8_t *)key->ck_data; diff --git a/module/os/freebsd/zfs/hkdf.c b/module/os/freebsd/zfs/hkdf.c index 8324ff2319b6..ad5d67541ad2 100644 --- a/module/os/freebsd/zfs/hkdf.c +++ b/module/os/freebsd/zfs/hkdf.c @@ -29,7 +29,6 @@ hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material, crypto_key_t key; /* initialize the salt as a crypto key */ - key.ck_format = CRYPTO_KEY_RAW; key.ck_length = CRYPTO_BYTES2BITS(salt_len); key.ck_data = salt; @@ -53,7 +52,6 @@ hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len, return (SET_ERROR(EINVAL)); /* initialize the salt as a crypto key */ - key.ck_format = CRYPTO_KEY_RAW; key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH); key.ck_data = extract_key; diff --git a/module/os/freebsd/zfs/zio_crypt.c b/module/os/freebsd/zfs/zio_crypt.c index fbde8063a280..a50b8058a945 100644 --- a/module/os/freebsd/zfs/zio_crypt.c +++ b/module/os/freebsd/zfs/zio_crypt.c @@ -270,11 +270,9 @@ zio_crypt_key_init(uint64_t crypt, zio_crypt_key_t *key) goto error; /* initialize keys for the ICP */ - key->zk_current_key.ck_format = CRYPTO_KEY_RAW; key->zk_current_key.ck_data = key->zk_current_keydata; key->zk_current_key.ck_length = CRYPTO_BYTES2BITS(keydata_len); - key->zk_hmac_key.ck_format = CRYPTO_KEY_RAW; key->zk_hmac_key.ck_data = &key->zk_hmac_key; key->zk_hmac_key.ck_length = CRYPTO_BYTES2BITS(SHA512_HMAC_KEYLEN); @@ -437,7 +435,6 @@ zio_crypt_key_wrap(crypto_key_t *cwkey, zio_crypt_key_t *key, uint8_t *iv, uint_t enc_len, keydata_len, aad_len; ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); - ASSERT3U(cwkey->ck_format, ==, CRYPTO_KEY_RAW); zfs_uio_init(&cuio, &cuio_s); @@ -518,7 +515,6 @@ zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version, uint_t enc_len, keydata_len, aad_len; ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); - ASSERT3U(cwkey->ck_format, ==, CRYPTO_KEY_RAW); keydata_len = zio_crypt_table[crypt].ci_keylen; rw_init(&key->zk_salt_lock, NULL, RW_DEFAULT, NULL); @@ -586,11 +582,9 @@ zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version, goto error; /* initialize keys for ICP */ - key->zk_current_key.ck_format = CRYPTO_KEY_RAW; key->zk_current_key.ck_data = key->zk_current_keydata; key->zk_current_key.ck_length = CRYPTO_BYTES2BITS(keydata_len); - key->zk_hmac_key.ck_format = CRYPTO_KEY_RAW; key->zk_hmac_key.ck_data = key->zk_hmac_keydata; key->zk_hmac_key.ck_length = CRYPTO_BYTES2BITS(SHA512_HMAC_KEYLEN); @@ -1727,7 +1721,6 @@ zio_do_crypt_data(boolean_t encrypt, zio_crypt_key_t *key, salt, ZIO_DATA_SALT_LEN, enc_keydata, keydata_len); if (ret != 0) goto error; - tmp_ckey.ck_format = CRYPTO_KEY_RAW; tmp_ckey.ck_data = enc_keydata; tmp_ckey.ck_length = CRYPTO_BYTES2BITS(keydata_len); diff --git a/module/os/linux/zfs/zio_crypt.c b/module/os/linux/zfs/zio_crypt.c index 224fb84bada0..909246f2038e 100644 --- a/module/os/linux/zfs/zio_crypt.c +++ b/module/os/linux/zfs/zio_crypt.c @@ -257,11 +257,9 @@ zio_crypt_key_init(uint64_t crypt, zio_crypt_key_t *key) goto error; /* initialize keys for the ICP */ - key->zk_current_key.ck_format = CRYPTO_KEY_RAW; key->zk_current_key.ck_data = key->zk_current_keydata; key->zk_current_key.ck_length = CRYPTO_BYTES2BITS(keydata_len); - key->zk_hmac_key.ck_format = CRYPTO_KEY_RAW; key->zk_hmac_key.ck_data = &key->zk_hmac_key; key->zk_hmac_key.ck_length = CRYPTO_BYTES2BITS(SHA512_HMAC_KEYLEN); @@ -387,7 +385,6 @@ zio_do_crypt_uio(boolean_t encrypt, uint64_t crypt, crypto_key_t *key, uint_t plain_full_len, maclen; ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); - ASSERT3U(key->ck_format, ==, CRYPTO_KEY_RAW); /* lookup the encryption info */ crypt_info = zio_crypt_table[crypt]; @@ -486,7 +483,6 @@ zio_crypt_key_wrap(crypto_key_t *cwkey, zio_crypt_key_t *key, uint8_t *iv, uint_t enc_len, keydata_len, aad_len; ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); - ASSERT3U(cwkey->ck_format, ==, CRYPTO_KEY_RAW); keydata_len = zio_crypt_table[crypt].ci_keylen; @@ -557,7 +553,6 @@ zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version, int ret; ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); - ASSERT3U(cwkey->ck_format, ==, CRYPTO_KEY_RAW); rw_init(&key->zk_salt_lock, NULL, RW_DEFAULT, NULL); @@ -614,11 +609,9 @@ zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version, goto error; /* initialize keys for ICP */ - key->zk_current_key.ck_format = CRYPTO_KEY_RAW; key->zk_current_key.ck_data = key->zk_current_keydata; key->zk_current_key.ck_length = CRYPTO_BYTES2BITS(keydata_len); - key->zk_hmac_key.ck_format = CRYPTO_KEY_RAW; key->zk_hmac_key.ck_data = key->zk_hmac_keydata; key->zk_hmac_key.ck_length = CRYPTO_BYTES2BITS(SHA512_HMAC_KEYLEN); @@ -1921,7 +1914,6 @@ zio_do_crypt_data(boolean_t encrypt, zio_crypt_key_t *key, if (ret != 0) goto error; - tmp_ckey.ck_format = CRYPTO_KEY_RAW; tmp_ckey.ck_data = enc_keydata; tmp_ckey.ck_length = CRYPTO_BYTES2BITS(keydata_len); diff --git a/module/zfs/dsl_crypt.c b/module/zfs/dsl_crypt.c index 1ea184de338c..6330a44b4c39 100644 --- a/module/zfs/dsl_crypt.c +++ b/module/zfs/dsl_crypt.c @@ -119,7 +119,6 @@ dsl_wrapping_key_create(uint8_t *wkeydata, zfs_keyformat_t keyformat, /* allocate and initialize the underlying crypto key */ wkey->wk_key.ck_data = kmem_alloc(WRAPPING_KEY_LEN, KM_SLEEP); - wkey->wk_key.ck_format = CRYPTO_KEY_RAW; wkey->wk_key.ck_length = CRYPTO_BYTES2BITS(WRAPPING_KEY_LEN); bcopy(wkeydata, wkey->wk_key.ck_data, WRAPPING_KEY_LEN); diff --git a/module/zfs/hkdf.c b/module/zfs/hkdf.c index 49ad0a9fbe24..9017727689af 100644 --- a/module/zfs/hkdf.c +++ b/module/zfs/hkdf.c @@ -36,7 +36,6 @@ hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material, mech.cm_param_len = 0; /* initialize the salt as a crypto key */ - key.ck_format = CRYPTO_KEY_RAW; key.ck_length = CRYPTO_BYTES2BITS(salt_len); key.ck_data = salt; @@ -83,7 +82,6 @@ hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len, mech.cm_param_len = 0; /* initialize the salt as a crypto key */ - key.ck_format = CRYPTO_KEY_RAW; key.ck_length = CRYPTO_BYTES2BITS(SHA512_DIGEST_LENGTH); key.ck_data = extract_key; From fbd829ed78440e0c68dace59497bad5a1f9a19e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 03:33:19 +0100 Subject: [PATCH 26/39] module: icp: remove set-but-unused cd_miscdata MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/sys/crypto/common.h | 25 +++---------------------- module/icp/algs/modes/cbc.c | 17 +++++------------ module/icp/core/kcf_prov_lib.c | 24 ++++-------------------- module/icp/include/sys/crypto/impl.h | 6 ++---- module/icp/io/aes.c | 20 ++++++++------------ module/os/linux/zfs/zio_crypt.c | 2 -- 6 files changed, 22 insertions(+), 72 deletions(-) diff --git a/include/sys/crypto/common.h b/include/sys/crypto/common.h index 76be229520f1..7db5d87cb1b5 100644 --- a/include/sys/crypto/common.h +++ b/include/sys/crypto/common.h @@ -214,19 +214,6 @@ typedef uint32_t crypto_keysize_unit_t; #define SUN_CKM_ECDSA_SHA1 "CKM_ECDSA_SHA1" #define SUN_CKM_ECDSA "CKM_ECDSA" -/* Shared operation context format for CKM_RC4 */ -typedef struct { -#if defined(__amd64) - uint32_t i, j; - uint32_t arr[256]; - uint32_t flag; -#else - uchar_t arr[256]; - uchar_t i, j; -#endif /* __amd64 */ - uint64_t pad; /* For 64-bit alignment */ -} arcfour_state_t; - /* Data arguments of cryptographic operations */ typedef enum crypto_data_format { @@ -238,21 +225,15 @@ typedef struct crypto_data { crypto_data_format_t cd_format; /* Format identifier */ off_t cd_offset; /* Offset from the beginning */ size_t cd_length; /* # of bytes in use */ - caddr_t cd_miscdata; /* ancillary data */ union { /* Raw format */ - iovec_t cdu_raw; /* Pointer and length */ + iovec_t cd_raw; /* Pointer and length */ /* uio scatter-gather format */ - zfs_uio_t *cdu_uio; - - } cdu; /* Crypto Data Union */ + zfs_uio_t *cd_uio; + }; /* Crypto Data Union */ } crypto_data_t; -#define cd_raw cdu.cdu_raw -#define cd_uio cdu.cdu_uio -#define cd_mp cdu.cdu_mp - /* The keys, and their contents */ typedef struct { diff --git a/module/icp/algs/modes/cbc.c b/module/icp/algs/modes/cbc.c index bddb5b64ddd3..73605f04d858 100644 --- a/module/icp/algs/modes/cbc.c +++ b/module/icp/algs/modes/cbc.c @@ -242,19 +242,12 @@ int cbc_init_ctx(cbc_ctx_t *cbc_ctx, char *param, size_t param_len, size_t block_size, void (*copy_block)(uint8_t *, uint64_t *)) { - /* - * Copy IV into context. - * - * If cm_param == NULL then the IV comes from the - * cd_miscdata field in the crypto_data structure. - */ - if (param != NULL) { - ASSERT(param_len == block_size); - copy_block((uchar_t *)param, cbc_ctx->cbc_iv); - } + /* Copy IV into context. */ + ASSERT3P(param, !=, NULL); + ASSERT3U(param_len, ==, block_size); + + copy_block((uchar_t *)param, cbc_ctx->cbc_iv); - cbc_ctx->cbc_lastp = (uint8_t *)&cbc_ctx->cbc_iv[0]; - cbc_ctx->cbc_flags |= CBC_MODE; return (CRYPTO_SUCCESS); } diff --git a/module/icp/core/kcf_prov_lib.c b/module/icp/core/kcf_prov_lib.c index c65a9111a257..505dbec313de 100644 --- a/module/icp/core/kcf_prov_lib.c +++ b/module/icp/core/kcf_prov_lib.c @@ -114,33 +114,21 @@ crypto_put_output_data(uchar_t *buf, crypto_data_t *output, int len) int crypto_update_iov(void *ctx, crypto_data_t *input, crypto_data_t *output, - int (*cipher)(void *, caddr_t, size_t, crypto_data_t *), - void (*copy_block)(uint8_t *, uint64_t *)) + int (*cipher)(void *, caddr_t, size_t, crypto_data_t *)) { - common_ctx_t *common_ctx = ctx; - int rv; - ASSERT(input != output); - if (input->cd_miscdata != NULL) { - copy_block((uint8_t *)input->cd_miscdata, - &common_ctx->cc_iv[0]); - } if (input->cd_raw.iov_len < input->cd_length) return (CRYPTO_ARGUMENTS_BAD); - rv = (cipher)(ctx, input->cd_raw.iov_base + input->cd_offset, - input->cd_length, output); - - return (rv); + return ((cipher)(ctx, input->cd_raw.iov_base + input->cd_offset, + input->cd_length, output)); } int crypto_update_uio(void *ctx, crypto_data_t *input, crypto_data_t *output, - int (*cipher)(void *, caddr_t, size_t, crypto_data_t *), - void (*copy_block)(uint8_t *, uint64_t *)) + int (*cipher)(void *, caddr_t, size_t, crypto_data_t *)) { - common_ctx_t *common_ctx = ctx; zfs_uio_t *uiop = input->cd_uio; off_t offset = input->cd_offset; size_t length = input->cd_length; @@ -148,10 +136,6 @@ crypto_update_uio(void *ctx, crypto_data_t *input, crypto_data_t *output, size_t cur_len; ASSERT(input != output); - if (input->cd_miscdata != NULL) { - copy_block((uint8_t *)input->cd_miscdata, - &common_ctx->cc_iv[0]); - } if (zfs_uio_segflg(input->cd_uio) != UIO_SYSSPACE) { return (CRYPTO_ARGUMENTS_BAD); diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index da00c4001b65..03e7a67712b6 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -481,11 +481,9 @@ extern void kcf_free_provider_desc(kcf_provider_desc_t *); extern void undo_register_provider(kcf_provider_desc_t *, boolean_t); extern int crypto_put_output_data(uchar_t *, crypto_data_t *, int); extern int crypto_update_iov(void *, crypto_data_t *, crypto_data_t *, - int (*cipher)(void *, caddr_t, size_t, crypto_data_t *), - void (*copy_block)(uint8_t *, uint64_t *)); + int (*cipher)(void *, caddr_t, size_t, crypto_data_t *)); extern int crypto_update_uio(void *, crypto_data_t *, crypto_data_t *, - int (*cipher)(void *, caddr_t, size_t, crypto_data_t *), - void (*copy_block)(uint8_t *, uint64_t *)); + int (*cipher)(void *, caddr_t, size_t, crypto_data_t *)); /* Access to the provider's table */ extern void kcf_prov_tab_destroy(void); diff --git a/module/icp/io/aes.c b/module/icp/io/aes.c index 48ec6709c24e..7e87f8da16ee 100644 --- a/module/icp/io/aes.c +++ b/module/icp/io/aes.c @@ -582,13 +582,11 @@ aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext, switch (plaintext->cd_format) { case CRYPTO_DATA_RAW: ret = crypto_update_iov(ctx->cc_provider_private, - plaintext, ciphertext, aes_encrypt_contiguous_blocks, - aes_copy_block64); + plaintext, ciphertext, aes_encrypt_contiguous_blocks); break; case CRYPTO_DATA_UIO: ret = crypto_update_uio(ctx->cc_provider_private, - plaintext, ciphertext, aes_encrypt_contiguous_blocks, - aes_copy_block64); + plaintext, ciphertext, aes_encrypt_contiguous_blocks); break; default: ret = CRYPTO_ARGUMENTS_BAD; @@ -661,13 +659,11 @@ aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext, switch (ciphertext->cd_format) { case CRYPTO_DATA_RAW: ret = crypto_update_iov(ctx->cc_provider_private, - ciphertext, plaintext, aes_decrypt_contiguous_blocks, - aes_copy_block64); + ciphertext, plaintext, aes_decrypt_contiguous_blocks); break; case CRYPTO_DATA_UIO: ret = crypto_update_uio(ctx->cc_provider_private, - ciphertext, plaintext, aes_decrypt_contiguous_blocks, - aes_copy_block64); + ciphertext, plaintext, aes_decrypt_contiguous_blocks); break; default: ret = CRYPTO_ARGUMENTS_BAD; @@ -930,11 +926,11 @@ aes_encrypt_atomic(crypto_provider_handle_t provider, switch (plaintext->cd_format) { case CRYPTO_DATA_RAW: ret = crypto_update_iov(&aes_ctx, plaintext, ciphertext, - aes_encrypt_contiguous_blocks, aes_copy_block64); + aes_encrypt_contiguous_blocks); break; case CRYPTO_DATA_UIO: ret = crypto_update_uio(&aes_ctx, plaintext, ciphertext, - aes_encrypt_contiguous_blocks, aes_copy_block64); + aes_encrypt_contiguous_blocks); break; default: ret = CRYPTO_ARGUMENTS_BAD; @@ -1071,11 +1067,11 @@ aes_decrypt_atomic(crypto_provider_handle_t provider, switch (ciphertext->cd_format) { case CRYPTO_DATA_RAW: ret = crypto_update_iov(&aes_ctx, ciphertext, plaintext, - aes_decrypt_contiguous_blocks, aes_copy_block64); + aes_decrypt_contiguous_blocks); break; case CRYPTO_DATA_UIO: ret = crypto_update_uio(&aes_ctx, ciphertext, plaintext, - aes_decrypt_contiguous_blocks, aes_copy_block64); + aes_decrypt_contiguous_blocks); break; default: ret = CRYPTO_ARGUMENTS_BAD; diff --git a/module/os/linux/zfs/zio_crypt.c b/module/os/linux/zfs/zio_crypt.c index 909246f2038e..31126a78bc2f 100644 --- a/module/os/linux/zfs/zio_crypt.c +++ b/module/os/linux/zfs/zio_crypt.c @@ -438,13 +438,11 @@ zio_do_crypt_uio(boolean_t encrypt, uint64_t crypt, crypto_key_t *key, plaindata.cd_format = CRYPTO_DATA_UIO; plaindata.cd_offset = 0; plaindata.cd_uio = puio; - plaindata.cd_miscdata = NULL; plaindata.cd_length = plain_full_len; cipherdata.cd_format = CRYPTO_DATA_UIO; cipherdata.cd_offset = 0; cipherdata.cd_uio = cuio; - cipherdata.cd_miscdata = NULL; cipherdata.cd_length = datalen + maclen; /* perform the actual encryption */ From fe81f162f27eabb87472196e1965537ca0499de6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 03:37:53 +0100 Subject: [PATCH 27/39] include: crypto: remove unused algorithm name defines MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/sys/crypto/common.h | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/include/sys/crypto/common.h b/include/sys/crypto/common.h index 7db5d87cb1b5..c1e800ef4368 100644 --- a/include/sys/crypto/common.h +++ b/include/sys/crypto/common.h @@ -170,7 +170,6 @@ typedef uint32_t crypto_keysize_unit_t; /* Mechanisms supported out-of-the-box */ -#define SUN_CKM_MD4 "CKM_MD4" #define SUN_CKM_MD5 "CKM_MD5" #define SUN_CKM_MD5_HMAC "CKM_MD5_HMAC" #define SUN_CKM_MD5_HMAC_GENERAL "CKM_MD5_HMAC_GENERAL" @@ -200,19 +199,7 @@ typedef uint32_t crypto_keysize_unit_t; #define SUN_CKM_AES_CCM "CKM_AES_CCM" #define SUN_CKM_AES_GCM "CKM_AES_GCM" #define SUN_CKM_AES_GMAC "CKM_AES_GMAC" -#define SUN_CKM_AES_CFB128 "CKM_AES_CFB128" #define SUN_CKM_RC4 "CKM_RC4" -#define SUN_CKM_RSA_PKCS "CKM_RSA_PKCS" -#define SUN_CKM_RSA_X_509 "CKM_RSA_X_509" -#define SUN_CKM_MD5_RSA_PKCS "CKM_MD5_RSA_PKCS" -#define SUN_CKM_SHA1_RSA_PKCS "CKM_SHA1_RSA_PKCS" -#define SUN_CKM_SHA256_RSA_PKCS "CKM_SHA256_RSA_PKCS" -#define SUN_CKM_SHA384_RSA_PKCS "CKM_SHA384_RSA_PKCS" -#define SUN_CKM_SHA512_RSA_PKCS "CKM_SHA512_RSA_PKCS" -#define SUN_CKM_EC_KEY_PAIR_GEN "CKM_EC_KEY_PAIR_GEN" -#define SUN_CKM_ECDH1_DERIVE "CKM_ECDH1_DERIVE" -#define SUN_CKM_ECDSA_SHA1 "CKM_ECDSA_SHA1" -#define SUN_CKM_ECDSA "CKM_ECDSA" /* Data arguments of cryptographic operations */ From 622a871f67b713d52eaef1c20e5867bbe10ba86e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 03:40:59 +0100 Subject: [PATCH 28/39] module: icp: remove algorithm name defines used only in the default mechtab MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/sys/crypto/common.h | 13 ------------- module/icp/core/kcf_mech_tabs.c | 15 +-------------- 2 files changed, 1 insertion(+), 27 deletions(-) diff --git a/include/sys/crypto/common.h b/include/sys/crypto/common.h index c1e800ef4368..ff8d0a068309 100644 --- a/include/sys/crypto/common.h +++ b/include/sys/crypto/common.h @@ -170,12 +170,6 @@ typedef uint32_t crypto_keysize_unit_t; /* Mechanisms supported out-of-the-box */ -#define SUN_CKM_MD5 "CKM_MD5" -#define SUN_CKM_MD5_HMAC "CKM_MD5_HMAC" -#define SUN_CKM_MD5_HMAC_GENERAL "CKM_MD5_HMAC_GENERAL" -#define SUN_CKM_SHA1 "CKM_SHA_1" -#define SUN_CKM_SHA1_HMAC "CKM_SHA_1_HMAC" -#define SUN_CKM_SHA1_HMAC_GENERAL "CKM_SHA_1_HMAC_GENERAL" #define SUN_CKM_SHA256 "CKM_SHA256" #define SUN_CKM_SHA256_HMAC "CKM_SHA256_HMAC" #define SUN_CKM_SHA256_HMAC_GENERAL "CKM_SHA256_HMAC_GENERAL" @@ -187,19 +181,12 @@ typedef uint32_t crypto_keysize_unit_t; #define SUN_CKM_SHA512_HMAC_GENERAL "CKM_SHA512_HMAC_GENERAL" #define SUN_CKM_SHA512_224 "CKM_SHA512_224" #define SUN_CKM_SHA512_256 "CKM_SHA512_256" -#define SUN_CKM_DES_CBC "CKM_DES_CBC" -#define SUN_CKM_DES3_CBC "CKM_DES3_CBC" -#define SUN_CKM_DES_ECB "CKM_DES_ECB" -#define SUN_CKM_DES3_ECB "CKM_DES3_ECB" -#define SUN_CKM_BLOWFISH_CBC "CKM_BLOWFISH_CBC" -#define SUN_CKM_BLOWFISH_ECB "CKM_BLOWFISH_ECB" #define SUN_CKM_AES_CBC "CKM_AES_CBC" #define SUN_CKM_AES_ECB "CKM_AES_ECB" #define SUN_CKM_AES_CTR "CKM_AES_CTR" #define SUN_CKM_AES_CCM "CKM_AES_CCM" #define SUN_CKM_AES_GCM "CKM_AES_GCM" #define SUN_CKM_AES_GMAC "CKM_AES_GMAC" -#define SUN_CKM_RC4 "CKM_RC4" /* Data arguments of cryptographic operations */ diff --git a/module/icp/core/kcf_mech_tabs.c b/module/icp/core/kcf_mech_tabs.c index aba3b43e85d6..6121042ee063 100644 --- a/module/icp/core/kcf_mech_tabs.c +++ b/module/icp/core/kcf_mech_tabs.c @@ -76,26 +76,13 @@ /* RFE 4687834 Will deal with the extensibility of these tables later */ static kcf_mech_entry_t kcf_digest_mechs_tab[KCF_MAXDIGEST] = { - { SUN_CKM_MD5 }, { SUN_CKM_SHA1 }, }; static kcf_mech_entry_t kcf_cipher_mechs_tab[KCF_MAXCIPHER] = { - { SUN_CKM_DES_CBC }, - { SUN_CKM_DES3_CBC }, - { SUN_CKM_DES_ECB }, - { SUN_CKM_DES3_ECB }, - { SUN_CKM_BLOWFISH_CBC }, - { SUN_CKM_BLOWFISH_ECB }, { SUN_CKM_AES_CBC }, { SUN_CKM_AES_ECB }, - { SUN_CKM_RC4 }, -}; -static kcf_mech_entry_t kcf_mac_mechs_tab[KCF_MAXMAC] = { - { SUN_CKM_MD5_HMAC }, - { SUN_CKM_MD5_HMAC_GENERAL }, - { SUN_CKM_SHA1_HMAC }, - { SUN_CKM_SHA1_HMAC_GENERAL }, }; +static kcf_mech_entry_t kcf_mac_mechs_tab[KCF_MAXMAC]; const kcf_mech_entry_tab_t kcf_mech_tabs_tab[KCF_LAST_OPSCLASS + 1] = { {0, NULL}, /* No class zero */ From ca76115292adb55b45d3532ae36850208a39c667 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 03:44:06 +0100 Subject: [PATCH 29/39] include: crypto: clean out unused SYSCALL32 and flags MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/sys/crypto/common.h | 68 ---------------------------- module/icp/include/sys/crypto/impl.h | 4 -- 2 files changed, 72 deletions(-) diff --git a/include/sys/crypto/common.h b/include/sys/crypto/common.h index ff8d0a068309..0642409311b2 100644 --- a/include/sys/crypto/common.h +++ b/include/sys/crypto/common.h @@ -51,16 +51,6 @@ typedef struct crypto_mechanism { size_t cm_param_len; /* mech. parameter len */ } crypto_mechanism_t; -#ifdef _SYSCALL32 - -typedef struct crypto_mechanism32 { - crypto_mech_type_t cm_type; /* mechanism type */ - caddr32_t cm_param; /* mech. parameter */ - size32_t cm_param_len; /* mech. parameter len */ -} crypto_mechanism32_t; - -#endif /* _SYSCALL32 */ - /* CK_AES_CTR_PARAMS provides parameters to the CKM_AES_CTR mechanism */ typedef struct CK_AES_CTR_PARAMS { ulong_t ulCounterBits; @@ -94,63 +84,6 @@ typedef struct CK_AES_GMAC_PARAMS { ulong_t ulAADLen; } CK_AES_GMAC_PARAMS; -/* - * CK_ECDH1_DERIVE_PARAMS provides the parameters to the - * CKM_ECDH1_KEY_DERIVE mechanism - */ -typedef struct CK_ECDH1_DERIVE_PARAMS { - ulong_t kdf; - ulong_t ulSharedDataLen; - uchar_t *pSharedData; - ulong_t ulPublicDataLen; - uchar_t *pPublicData; -} CK_ECDH1_DERIVE_PARAMS; - -#ifdef _SYSCALL32 - -/* needed for 32-bit applications running on 64-bit kernels */ -typedef struct CK_AES_CTR_PARAMS32 { - uint32_t ulCounterBits; - uint8_t cb[16]; -} CK_AES_CTR_PARAMS32; - -/* needed for 32-bit applications running on 64-bit kernels */ -typedef struct CK_AES_CCM_PARAMS32 { - uint32_t ulMACSize; - uint32_t ulNonceSize; - uint32_t ulAuthDataSize; - uint32_t ulDataSize; - caddr32_t nonce; - caddr32_t authData; -} CK_AES_CCM_PARAMS32; - -/* needed for 32-bit applications running on 64-bit kernels */ -typedef struct CK_AES_GCM_PARAMS32 { - caddr32_t pIv; - uint32_t ulIvLen; - uint32_t ulIvBits; - caddr32_t pAAD; - uint32_t ulAADLen; - uint32_t ulTagBits; -} CK_AES_GCM_PARAMS32; - -/* needed for 32-bit applications running on 64-bit kernels */ -typedef struct CK_AES_GMAC_PARAMS32 { - caddr32_t pIv; - caddr32_t pAAD; - uint32_t ulAADLen; -} CK_AES_GMAC_PARAMS32; - -typedef struct CK_ECDH1_DERIVE_PARAMS32 { - uint32_t kdf; - uint32_t ulSharedDataLen; - caddr32_t pSharedData; - uint32_t ulPublicDataLen; - caddr32_t pPublicData; -} CK_ECDH1_DERIVE_PARAMS32; - -#endif /* _SYSCALL32 */ - /* * The measurement unit bit flag for a mechanism's minimum or maximum key size. * The unit are mechanism dependent. It can be in bits or in bytes. @@ -166,7 +99,6 @@ typedef uint32_t crypto_keysize_unit_t; */ #define CRYPTO_KEYSIZE_UNIT_IN_BITS 0x00000001 #define CRYPTO_KEYSIZE_UNIT_IN_BYTES 0x00000002 -#define CRYPTO_CAN_SHARE_OPSTATE 0x00000004 /* supports sharing */ /* Mechanisms supported out-of-the-box */ diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index 03e7a67712b6..3e57233b6ad9 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -314,10 +314,6 @@ extern const kcf_mech_entry_tab_t kcf_mech_tabs_tab[]; #define KCF_TO_PROV_MECHNUM(pd, mech_type) \ (KCF_TO_PROV_MECHINFO(pd, mech_type).cm_mech_number) -#define KCF_CAN_SHARE_OPSTATE(pd, mech_type) \ - ((KCF_TO_PROV_MECHINFO(pd, mech_type).cm_mech_flags) & \ - CRYPTO_CAN_SHARE_OPSTATE) - /* ps_refcnt is protected by cm_lock in the crypto_minor structure */ typedef struct crypto_provider_session { struct crypto_provider_session *ps_next; From e7919dd0ae8ae105e5e450528c9759d5a2e641e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 03:50:01 +0100 Subject: [PATCH 30/39] module: icp: remove unused headers. Migrate {ops => sched}_impl MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/include/sys/bitmap.h | 183 --------------------- module/icp/include/sys/crypto/elfsign.h | 137 --------------- module/icp/include/sys/crypto/ops_impl.h | 33 ---- module/icp/include/sys/crypto/sched_impl.h | 6 +- 4 files changed, 5 insertions(+), 354 deletions(-) delete mode 100644 module/icp/include/sys/bitmap.h delete mode 100644 module/icp/include/sys/crypto/elfsign.h delete mode 100644 module/icp/include/sys/crypto/ops_impl.h diff --git a/module/icp/include/sys/bitmap.h b/module/icp/include/sys/bitmap.h deleted file mode 100644 index 4e86ee70ed9e..000000000000 --- a/module/icp/include/sys/bitmap.h +++ /dev/null @@ -1,183 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ - -/* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -/* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ -/* All Rights Reserved */ - - -#ifndef _SYS_BITMAP_H -#define _SYS_BITMAP_H - -#ifdef __cplusplus -extern "C" { -#endif - -#if defined(__GNUC__) && defined(_ASM_INLINES) && \ - (defined(__i386) || defined(__amd64)) -#include -#endif - -/* - * Operations on bitmaps of arbitrary size - * A bitmap is a vector of 1 or more ulong_t's. - * The user of the package is responsible for range checks and keeping - * track of sizes. - */ - -#ifdef _LP64 -#define BT_ULSHIFT 6 /* log base 2 of BT_NBIPUL, to extract word index */ -#define BT_ULSHIFT32 5 /* log base 2 of BT_NBIPUL, to extract word index */ -#else -#define BT_ULSHIFT 5 /* log base 2 of BT_NBIPUL, to extract word index */ -#endif - -#define BT_NBIPUL (1 << BT_ULSHIFT) /* n bits per ulong_t */ -#define BT_ULMASK (BT_NBIPUL - 1) /* to extract bit index */ - -#ifdef _LP64 -#define BT_NBIPUL32 (1 << BT_ULSHIFT32) /* n bits per ulong_t */ -#define BT_ULMASK32 (BT_NBIPUL32 - 1) /* to extract bit index */ -#define BT_ULMAXMASK 0xffffffffffffffff /* used by bt_getlowbit */ -#else -#define BT_ULMAXMASK 0xffffffff -#endif - -/* - * bitmap is a ulong_t *, bitindex an index_t - * - * The macros BT_WIM and BT_BIW internal; there is no need - * for users of this package to use them. - */ - -/* - * word in map - */ -#define BT_WIM(bitmap, bitindex) \ - ((bitmap)[(bitindex) >> BT_ULSHIFT]) -/* - * bit in word - */ -#define BT_BIW(bitindex) \ - (1UL << ((bitindex) & BT_ULMASK)) - -#ifdef _LP64 -#define BT_WIM32(bitmap, bitindex) \ - ((bitmap)[(bitindex) >> BT_ULSHIFT32]) - -#define BT_BIW32(bitindex) \ - (1UL << ((bitindex) & BT_ULMASK32)) -#endif - -/* - * These are public macros - * - * BT_BITOUL == n bits to n ulong_t's - */ -#define BT_BITOUL(nbits) \ - (((nbits) + BT_NBIPUL - 1l) / BT_NBIPUL) -#define BT_SIZEOFMAP(nbits) \ - (BT_BITOUL(nbits) * sizeof (ulong_t)) -#define BT_TEST(bitmap, bitindex) \ - ((BT_WIM((bitmap), (bitindex)) & BT_BIW(bitindex)) ? 1 : 0) -#define BT_SET(bitmap, bitindex) \ - { BT_WIM((bitmap), (bitindex)) |= BT_BIW(bitindex); } -#define BT_CLEAR(bitmap, bitindex) \ - { BT_WIM((bitmap), (bitindex)) &= ~BT_BIW(bitindex); } - -#ifdef _LP64 -#define BT_BITOUL32(nbits) \ - (((nbits) + BT_NBIPUL32 - 1l) / BT_NBIPUL32) -#define BT_SIZEOFMAP32(nbits) \ - (BT_BITOUL32(nbits) * sizeof (uint_t)) -#define BT_TEST32(bitmap, bitindex) \ - ((BT_WIM32((bitmap), (bitindex)) & BT_BIW32(bitindex)) ? 1 : 0) -#define BT_SET32(bitmap, bitindex) \ - { BT_WIM32((bitmap), (bitindex)) |= BT_BIW32(bitindex); } -#define BT_CLEAR32(bitmap, bitindex) \ - { BT_WIM32((bitmap), (bitindex)) &= ~BT_BIW32(bitindex); } -#endif /* _LP64 */ - - -/* - * BIT_ONLYONESET is a private macro not designed for bitmaps of - * arbitrary size. u must be an unsigned integer/long. It returns - * true if one and only one bit is set in u. - */ -#define BIT_ONLYONESET(u) \ - ((((u) == 0) ? 0 : ((u) & ((u) - 1)) == 0)) - -#ifndef _ASM - -/* - * return next available bit index from map with specified number of bits - */ -extern index_t bt_availbit(ulong_t *bitmap, size_t nbits); -/* - * find the highest order bit that is on, and is within or below - * the word specified by wx - */ -extern int bt_gethighbit(ulong_t *mapp, int wx); -extern int bt_range(ulong_t *bitmap, size_t *pos1, size_t *pos2, - size_t end_pos); -extern int bt_getlowbit(ulong_t *bitmap, size_t start, size_t stop); -extern void bt_copy(ulong_t *, ulong_t *, ulong_t); - -/* - * find the parity - */ -extern int odd_parity(ulong_t); - -/* - * Atomically set/clear bits - * Atomic exclusive operations will set "result" to "-1" - * if the bit is already set/cleared. "result" will be set - * to 0 otherwise. - */ -#define BT_ATOMIC_SET(bitmap, bitindex) \ - { atomic_or_ulong(&(BT_WIM(bitmap, bitindex)), BT_BIW(bitindex)); } -#define BT_ATOMIC_CLEAR(bitmap, bitindex) \ - { atomic_and_ulong(&(BT_WIM(bitmap, bitindex)), ~BT_BIW(bitindex)); } - -#define BT_ATOMIC_SET_EXCL(bitmap, bitindex, result) \ - { result = atomic_set_long_excl(&(BT_WIM(bitmap, bitindex)), \ - (bitindex) % BT_NBIPUL); } -#define BT_ATOMIC_CLEAR_EXCL(bitmap, bitindex, result) \ - { result = atomic_clear_long_excl(&(BT_WIM(bitmap, bitindex)), \ - (bitindex) % BT_NBIPUL); } - -/* - * Extracts bits between index h (high, inclusive) and l (low, exclusive) from - * u, which must be an unsigned integer. - */ -#define BITX(u, h, l) (((u) >> (l)) & ((1LU << ((h) - (l) + 1LU)) - 1LU)) - -#endif /* _ASM */ - -#ifdef __cplusplus -} -#endif - -#endif /* _SYS_BITMAP_H */ diff --git a/module/icp/include/sys/crypto/elfsign.h b/module/icp/include/sys/crypto/elfsign.h deleted file mode 100644 index 5432f0c8d607..000000000000 --- a/module/icp/include/sys/crypto/elfsign.h +++ /dev/null @@ -1,137 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ -/* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -#ifndef _SYS_CRYPTO_ELFSIGN_H -#define _SYS_CRYPTO_ELFSIGN_H - -#ifdef __cplusplus -extern "C" { -#endif - -/* - * Consolidation Private Interface for elfsign/libpkcs11/kcfd - */ - -#include - -/* - * Project Private structures and types used for communication between kcfd - * and KCF over the door. - */ - -typedef enum ELFsign_status_e { - ELFSIGN_UNKNOWN, - ELFSIGN_SUCCESS, - ELFSIGN_FAILED, - ELFSIGN_NOTSIGNED, - ELFSIGN_INVALID_CERTPATH, - ELFSIGN_INVALID_ELFOBJ, - ELFSIGN_RESTRICTED -} ELFsign_status_t; - -#define KCF_KCFD_VERSION1 1 -#define SIG_MAX_LENGTH 1024 - -#define ELF_SIGNATURE_SECTION ".SUNW_signature" - -typedef struct kcf_door_arg_s { - short da_version; - boolean_t da_iskernel; - - union { - char filename[MAXPATHLEN]; /* For request */ - - struct kcf_door_result_s { /* For response */ - ELFsign_status_t status; - uint32_t siglen; - uchar_t signature[1]; - } result; - } da_u; -} kcf_door_arg_t; - -typedef uint32_t filesig_vers_t; - -/* - * File Signature Structure - * Applicable to ELF and other file formats - */ -struct filesignatures { - uint32_t filesig_cnt; /* count of signatures */ - uint32_t filesig_pad; /* unused */ - union { - char filesig_data[1]; - struct filesig { /* one of these for each signature */ - uint32_t filesig_size; - filesig_vers_t filesig_version; - union { - struct filesig_version1 { - uint32_t filesig_v1_dnsize; - uint32_t filesig_v1_sigsize; - uint32_t filesig_v1_oidsize; - char filesig_v1_data[1]; - } filesig_v1; - struct filesig_version3 { - uint64_t filesig_v3_time; - uint32_t filesig_v3_dnsize; - uint32_t filesig_v3_sigsize; - uint32_t filesig_v3_oidsize; - char filesig_v3_data[1]; - } filesig_v3; - } _u2; - } filesig_sig; - uint64_t filesig_align; - } _u1; -}; -#define filesig_sig _u1.filesig_sig - -#define filesig_v1_dnsize _u2.filesig_v1.filesig_v1_dnsize -#define filesig_v1_sigsize _u2.filesig_v1.filesig_v1_sigsize -#define filesig_v1_oidsize _u2.filesig_v1.filesig_v1_oidsize -#define filesig_v1_data _u2.filesig_v1.filesig_v1_data - -#define filesig_v3_time _u2.filesig_v3.filesig_v3_time -#define filesig_v3_dnsize _u2.filesig_v3.filesig_v3_dnsize -#define filesig_v3_sigsize _u2.filesig_v3.filesig_v3_sigsize -#define filesig_v3_oidsize _u2.filesig_v3.filesig_v3_oidsize -#define filesig_v3_data _u2.filesig_v3.filesig_v3_data - -#define filesig_ALIGN(s) (((s) + sizeof (uint64_t) - 1) & \ - (-sizeof (uint64_t))) -#define filesig_next(ptr) (struct filesig *)((void *)((char *)(ptr) + \ - filesig_ALIGN((ptr)->filesig_size))) - -#define FILESIG_UNKNOWN 0 /* unrecognized version */ -#define FILESIG_VERSION1 1 /* version1, all but sig section */ -#define FILESIG_VERSION2 2 /* version1 format, SHF_ALLOC only */ -#define FILESIG_VERSION3 3 /* version3, all but sig section */ -#define FILESIG_VERSION4 4 /* version3 format, SHF_ALLOC only */ - -#define _PATH_KCFD_DOOR "/etc/svc/volatile/kcfd_door" - -#ifdef __cplusplus -} -#endif - -#endif /* _SYS_CRYPTO_ELFSIGN_H */ diff --git a/module/icp/include/sys/crypto/ops_impl.h b/module/icp/include/sys/crypto/ops_impl.h deleted file mode 100644 index d41cb89b96a0..000000000000 --- a/module/icp/include/sys/crypto/ops_impl.h +++ /dev/null @@ -1,33 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ -/* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -#ifndef _SYS_CRYPTO_OPS_IMPL_H -#define _SYS_CRYPTO_OPS_IMPL_H - -#define KCF_SET_PROVIDER_MECHNUM(fmtype, pd, mechp) \ - (mechp)->cm_type = \ - KCF_TO_PROV_MECHNUM(pd, fmtype); - -#endif /* _SYS_CRYPTO_OPS_IMPL_H */ diff --git a/module/icp/include/sys/crypto/sched_impl.h b/module/icp/include/sys/crypto/sched_impl.h index 29e573800c71..6174c3aa1d0e 100644 --- a/module/icp/include/sys/crypto/sched_impl.h +++ b/module/icp/include/sys/crypto/sched_impl.h @@ -39,7 +39,6 @@ extern "C" { #include #include #include -#include #define KCF_KMFLAG(crq) (((crq) == NULL) ? KM_SLEEP : KM_NOSLEEP) @@ -125,6 +124,11 @@ typedef struct kcf_context { #define KCF_CONTEXT_DONE(rv) \ ((rv) != CRYPTO_BUSY && (rv) != CRYPTO_BUFFER_TOO_SMALL) + +#define KCF_SET_PROVIDER_MECHNUM(fmtype, pd, mechp) \ + (mechp)->cm_type = \ + KCF_TO_PROV_MECHNUM(pd, fmtype); + /* * A crypto_ctx_template_t is internally a pointer to this struct */ From 02af443cc5894fab17bbff657c51d2ecaae70647 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 04:00:34 +0100 Subject: [PATCH 31/39] include: crypto: clean out api.h MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/sys/crypto/api.h | 83 +------------------------------------ include/sys/crypto/common.h | 3 -- module/icp/api/kcf_mac.c | 3 +- 3 files changed, 3 insertions(+), 86 deletions(-) diff --git a/include/sys/crypto/api.h b/include/sys/crypto/api.h index f3101889261e..b2106e0c8926 100644 --- a/include/sys/crypto/api.h +++ b/include/sys/crypto/api.h @@ -33,21 +33,14 @@ extern "C" { #include #include -typedef long crypto_req_id_t; -typedef void *crypto_bc_t; typedef void *crypto_context_t; typedef void *crypto_ctx_template_t; -typedef struct { - void (*cr_callback_func)(void *, int); - void *cr_callback_arg; - crypto_req_id_t cr_reqid; -} crypto_call_req_t; +typedef struct {} crypto_call_req_t; /* * Returns the mechanism type corresponding to a mechanism name. */ - #define CRYPTO_MECH_INVALID ((uint64_t)-1) extern crypto_mech_type_t crypto_mech2id(const char *name); @@ -70,87 +63,15 @@ extern int crypto_mac_update(crypto_context_t ctx, crypto_data_t *data); extern int crypto_mac_final(crypto_context_t ctx, crypto_data_t *data); /* - * Single and multi-part encryption operations. + * Single-part encryption/decryption operations. */ extern int crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *ciphertext, crypto_call_req_t *cr); - -/* - * Single and multi-part decryption operations. - */ extern int crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *plaintext, crypto_call_req_t *cr); -/* - * A kernel consumer can request to be notified when some particular event - * occurs. The valid events, callback function type, and functions to - * be called to register or unregister for notification are defined below. - */ - -#define CRYPTO_EVENT_MECHS_CHANGED 0x00000001 -#define CRYPTO_EVENT_PROVIDER_REGISTERED 0x00000002 -#define CRYPTO_EVENT_PROVIDER_UNREGISTERED 0x00000004 - -typedef enum { - CRYPTO_MECH_ADDED = 1, - CRYPTO_MECH_REMOVED -} crypto_event_change_t; - -/* The event_arg argument structure for CRYPTO_EVENT_PROVIDERS_CHANGE event */ -typedef struct crypto_notify_event_change { - crypto_mech_name_t ec_mech_name; - crypto_event_change_t ec_change; -} crypto_notify_event_change_t; - -typedef void *crypto_notify_handle_t; -typedef void (*crypto_notify_callback_t)(uint32_t event_mask, void *event_arg); - -extern crypto_notify_handle_t crypto_notify_events( - crypto_notify_callback_t nf, uint32_t event_mask); -extern void crypto_unnotify_events(crypto_notify_handle_t); - -/* - * crypto_bufcall(9F) group of routines. - */ -extern crypto_bc_t crypto_bufcall_alloc(void); -extern int crypto_bufcall_free(crypto_bc_t bc); -extern int crypto_bufcall(crypto_bc_t bc, void (*func)(void *arg), void *arg); -extern int crypto_unbufcall(crypto_bc_t bc); - -/* - * To obtain the list of key size ranges supported by a mechanism. - */ - -#define CRYPTO_MECH_USAGE_ENCRYPT 0x00000001 -#define CRYPTO_MECH_USAGE_DECRYPT 0x00000002 -#define CRYPTO_MECH_USAGE_MAC 0x00000004 - -typedef uint32_t crypto_mech_usage_t; - -typedef struct crypto_mechanism_info { - size_t mi_min_key_size; - size_t mi_max_key_size; - crypto_keysize_unit_t mi_keysize_unit; /* for mi_xxx_key_size */ - crypto_mech_usage_t mi_usage; -} crypto_mechanism_info_t; - -#ifdef _SYSCALL32 - -typedef struct crypto_mechanism_info32 { - size32_t mi_min_key_size; - size32_t mi_max_key_size; - crypto_keysize_unit_t mi_keysize_unit; /* for mi_xxx_key_size */ - crypto_mech_usage_t mi_usage; -} crypto_mechanism_info32_t; - -#endif /* _SYSCALL32 */ - -extern int crypto_get_all_mech_info(crypto_mech_type_t, - crypto_mechanism_info_t **, uint_t *, int); -extern void crypto_free_all_mech_info(crypto_mechanism_info_t *, uint_t); - #ifdef __cplusplus } #endif diff --git a/include/sys/crypto/common.h b/include/sys/crypto/common.h index 0642409311b2..e8d7f0e54a8e 100644 --- a/include/sys/crypto/common.h +++ b/include/sys/crypto/common.h @@ -93,9 +93,6 @@ typedef uint32_t crypto_keysize_unit_t; /* * The following bit flags are valid in cm_mech_flags field in * the crypto_mech_info_t structure of the SPI. - * - * Only the first two bit flags are valid in mi_keysize_unit - * field in the crypto_mechanism_info_t structure of the API. */ #define CRYPTO_KEYSIZE_UNIT_IN_BITS 0x00000001 #define CRYPTO_KEYSIZE_UNIT_IN_BYTES 0x00000002 diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index 7bf0c499e851..0249fe87fc78 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -45,8 +45,7 @@ * CRYPTO_INVALID_DATA for bogus 'data' * CRYPTO_HOST_MEMORY for failure to allocate memory to handle this work. * CRYPTO_INVALID_CONTEXT: Not a valid context. - * CRYPTO_BUSY: Cannot process the request now. Schedule a - * crypto_bufcall(), or try later. + * CRYPTO_BUSY: Cannot process the request now. Try later. * CRYPTO_NOT_SUPPORTED and CRYPTO_MECH_NOT_SUPPORTED: No provider is * capable of a function or a mechanism. * CRYPTO_INVALID_KEY: bogus 'key' argument. From 71a948316e33206cbc4457064bd5b0af2bc74034 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 04:34:29 +0100 Subject: [PATCH 32/39] module: icp: rip out insane crypto_req_handle_t mechanism, inline KM_SLEEP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/sys/crypto/api.h | 15 +-- module/icp/algs/modes/gcm.c | 14 +-- module/icp/api/kcf_cipher.c | 22 ++--- module/icp/api/kcf_ctxops.c | 7 +- module/icp/api/kcf_mac.c | 39 +++----- module/icp/core/kcf_sched.c | 6 +- module/icp/include/modes/modes.h | 6 -- module/icp/include/sys/crypto/impl.h | 41 ++++---- module/icp/include/sys/crypto/sched_impl.h | 24 +---- module/icp/include/sys/crypto/spi.h | 59 +++++------- module/icp/io/aes.c | 107 +++++++++------------ module/icp/io/sha2_mod.c | 79 ++++++--------- module/icp/io/skein_mod.c | 69 ++++++------- module/icp/spi/kcf_spi.c | 12 --- module/os/linux/zfs/zio_crypt.c | 22 ++--- module/zfs/hkdf.c | 4 +- 16 files changed, 187 insertions(+), 339 deletions(-) diff --git a/include/sys/crypto/api.h b/include/sys/crypto/api.h index b2106e0c8926..b3d6c9c071b9 100644 --- a/include/sys/crypto/api.h +++ b/include/sys/crypto/api.h @@ -36,8 +36,6 @@ extern "C" { typedef void *crypto_context_t; typedef void *crypto_ctx_template_t; -typedef struct {} crypto_call_req_t; - /* * Returns the mechanism type corresponding to a mechanism name. */ @@ -48,17 +46,16 @@ extern crypto_mech_type_t crypto_mech2id(const char *name); * Create and destroy context templates. */ extern int crypto_create_ctx_template(crypto_mechanism_t *mech, - crypto_key_t *key, crypto_ctx_template_t *tmpl, int kmflag); + crypto_key_t *key, crypto_ctx_template_t *tmpl); extern void crypto_destroy_ctx_template(crypto_ctx_template_t tmpl); /* * Single and multi-part MAC operations. */ extern int crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, - crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac, - crypto_call_req_t *cr); + crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac); extern int crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *cr); + crypto_ctx_template_t tmpl, crypto_context_t *ctxp); extern int crypto_mac_update(crypto_context_t ctx, crypto_data_t *data); extern int crypto_mac_final(crypto_context_t ctx, crypto_data_t *data); @@ -66,11 +63,9 @@ extern int crypto_mac_final(crypto_context_t ctx, crypto_data_t *data); * Single-part encryption/decryption operations. */ extern int crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, - crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *ciphertext, - crypto_call_req_t *cr); + crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *ciphertext); extern int crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, - crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *plaintext, - crypto_call_req_t *cr); + crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *plaintext); #ifdef __cplusplus } diff --git a/module/icp/algs/modes/gcm.c b/module/icp/algs/modes/gcm.c index 8b3793daa5cf..7d34c2b040f6 100644 --- a/module/icp/algs/modes/gcm.c +++ b/module/icp/algs/modes/gcm.c @@ -342,7 +342,7 @@ gcm_mode_decrypt_contiguous_blocks(gcm_ctx_t *ctx, char *data, size_t length, */ if (length > 0) { new_len = ctx->gcm_pt_buf_len + length; - new = vmem_alloc(new_len, ctx->gcm_kmflag); + new = vmem_alloc(new_len, KM_SLEEP); if (new == NULL) { vmem_free(ctx->gcm_pt_buf, ctx->gcm_pt_buf_len); ctx->gcm_pt_buf = NULL; @@ -654,7 +654,7 @@ gcm_init_ctx(gcm_ctx_t *gcm_ctx, char *param, size_t block_size, } gcm_ctx->gcm_htab_len = htab_len; gcm_ctx->gcm_Htable = - (uint64_t *)kmem_alloc(htab_len, gcm_ctx->gcm_kmflag); + (uint64_t *)kmem_alloc(htab_len, KM_SLEEP); if (gcm_ctx->gcm_Htable == NULL) { return (CRYPTO_HOST_MEMORY); @@ -729,7 +729,7 @@ gmac_init_ctx(gcm_ctx_t *gcm_ctx, char *param, size_t block_size, } gcm_ctx->gcm_htab_len = htab_len; gcm_ctx->gcm_Htable = - (uint64_t *)kmem_alloc(htab_len, gcm_ctx->gcm_kmflag); + (uint64_t *)kmem_alloc(htab_len, KM_SLEEP); if (gcm_ctx->gcm_Htable == NULL) { return (CRYPTO_HOST_MEMORY); @@ -780,12 +780,6 @@ gmac_alloc_ctx(int kmflag) return (gcm_ctx); } -void -gcm_set_kmflag(gcm_ctx_t *ctx, int kmflag) -{ - ctx->gcm_kmflag = kmflag; -} - /* GCM implementation that contains the fastest methods */ static gcm_impl_ops_t gcm_fastest_impl = { .name = "fastest" @@ -1212,7 +1206,7 @@ gcm_mode_encrypt_contiguous_blocks_avx(gcm_ctx_t *ctx, char *data, /* Allocate a buffer to encrypt to if there is enough input. */ if (bleft >= GCM_AVX_MIN_ENCRYPT_BYTES) { - ct_buf = vmem_alloc(chunk_size, ctx->gcm_kmflag); + ct_buf = vmem_alloc(chunk_size, KM_SLEEP); if (ct_buf == NULL) { return (CRYPTO_HOST_MEMORY); } diff --git a/module/icp/api/kcf_cipher.c b/module/icp/api/kcf_cipher.c index 963e94bfd3d4..e192a6e19f4e 100644 --- a/module/icp/api/kcf_cipher.c +++ b/module/icp/api/kcf_cipher.c @@ -52,7 +52,6 @@ * tmpl: a crypto_ctx_template_t, opaque template of a context of an * encryption with the 'mech' using 'key'. 'tmpl' is created by * a previous call to crypto_create_ctx_template(). - * cr: crypto_call_req_t calling conditions and call back info. * * Description: * Asynchronously submits a request for, or synchronously performs a @@ -62,16 +61,12 @@ * message. * Relies on the KCF scheduler to pick a provider. * - * Context: - * Process or interrupt, according to the semantics dictated by the 'cr'. - * * Returns: * See comment in the beginning of the file. */ int crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, - crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *ciphertext, - crypto_call_req_t *crq) + crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *ciphertext) { int error; kcf_mech_entry_t *me; @@ -95,12 +90,12 @@ crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, crypto_mechanism_t lmech = *mech; KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); error = KCF_PROV_ENCRYPT_ATOMIC(pd, pd->pd_sid, &lmech, key, - plaintext, ciphertext, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); + plaintext, ciphertext, spi_ctx_tmpl); KCF_PROV_INCRSTATS(pd, error); if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */ - if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL) + if (kcf_insert_triedlist(&list, pd, KM_SLEEP) != NULL) goto retry; } @@ -129,7 +124,6 @@ crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, * tmpl: a crypto_ctx_template_t, opaque template of a context of an * encryption with the 'mech' using 'key'. 'tmpl' is created by * a previous call to crypto_create_ctx_template(). - * cr: crypto_call_req_t calling conditions and call back info. * * Description: * Asynchronously submits a request for, or synchronously performs a @@ -139,16 +133,12 @@ crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, * message. * Relies on the KCF scheduler to choose a provider. * - * Context: - * Process or interrupt, according to the semantics dictated by the 'cr'. - * * Returns: * See comment in the beginning of the file. */ int crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, - crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *plaintext, - crypto_call_req_t *crq) + crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *plaintext) { int error; kcf_mech_entry_t *me; @@ -173,12 +163,12 @@ crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); error = KCF_PROV_DECRYPT_ATOMIC(pd, pd->pd_sid, &lmech, key, - ciphertext, plaintext, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); + ciphertext, plaintext, spi_ctx_tmpl); KCF_PROV_INCRSTATS(pd, error); if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */ - if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL) + if (kcf_insert_triedlist(&list, pd, KM_SLEEP) != NULL) goto retry; } diff --git a/module/icp/api/kcf_ctxops.c b/module/icp/api/kcf_ctxops.c index 85cc55c8a719..67bf76a8f1fc 100644 --- a/module/icp/api/kcf_ctxops.c +++ b/module/icp/api/kcf_ctxops.c @@ -48,7 +48,6 @@ * ptmpl: a storage for the opaque crypto_ctx_template_t, allocated and * initialized by the software provider this routine is * dispatched to. - * kmflag: KM_SLEEP/KM_NOSLEEP mem. alloc. flag. * * Description: * Redirects the call to the software provider of the specified @@ -69,7 +68,7 @@ */ int crypto_create_ctx_template(crypto_mechanism_t *mech, crypto_key_t *key, - crypto_ctx_template_t *ptmpl, int kmflag) + crypto_ctx_template_t *ptmpl) { int error; kcf_mech_entry_t *me; @@ -90,7 +89,7 @@ crypto_create_ctx_template(crypto_mechanism_t *mech, crypto_key_t *key, return (error); if ((ctx_tmpl = (kcf_ctx_template_t *)kmem_alloc( - sizeof (kcf_ctx_template_t), kmflag)) == NULL) { + sizeof (kcf_ctx_template_t), KM_SLEEP)) == NULL) { KCF_PROV_REFRELE(pd); return (CRYPTO_HOST_MEMORY); } @@ -101,7 +100,7 @@ crypto_create_ctx_template(crypto_mechanism_t *mech, crypto_key_t *key, prov_mech.cm_param_len = mech->cm_param_len; error = KCF_PROV_CREATE_CTX_TEMPLATE(pd, &prov_mech, key, - &(ctx_tmpl->ct_prov_tmpl), &(ctx_tmpl->ct_size), KCF_RHNDL(kmflag)); + &(ctx_tmpl->ct_prov_tmpl), &(ctx_tmpl->ct_size)); if (error == CRYPTO_SUCCESS) { *ptmpl = ctx_tmpl; diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index 0249fe87fc78..6766c61cfafc 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -67,7 +67,6 @@ * tmpl: a crypto_ctx_template_t, opaque template of a context of a * MAC with the 'mech' using 'key'. 'tmpl' is created by * a previous call to crypto_create_ctx_template(). - * cr: crypto_call_req_t calling conditions and call back info. * * Description: * Asynchronously submits a request for, or synchronously performs a @@ -78,16 +77,12 @@ * authentication code. * Relies on the KCF scheduler to choose a provider. * - * Context: - * Process or interrupt, according to the semantics dictated by the 'crq'. - * * Returns: * See comment in the beginning of the file. */ int crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, - crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac, - crypto_call_req_t *crq) + crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac) { int error; kcf_mech_entry_t *me; @@ -111,12 +106,12 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, crypto_mechanism_t lmech = *mech; KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); error = KCF_PROV_MAC_ATOMIC(pd, pd->pd_sid, &lmech, key, data, - mac, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq)); + mac, spi_ctx_tmpl); KCF_PROV_INCRSTATS(pd, error); if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */ - if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL) + if (kcf_insert_triedlist(&list, pd, KM_SLEEP) != NULL) goto retry; } @@ -143,7 +138,6 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, * MAC with the 'mech' using 'key'. 'tmpl' is created by * a previous call to crypto_create_ctx_template(). * ctxp: Pointer to a crypto_context_t. - * cr: crypto_call_req_t calling conditions and call back info. * * Description: * Asynchronously submits a request for, or synchronously performs the @@ -156,16 +150,13 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, * The caller should hold a reference on the specified provider * descriptor before calling this function. * - * Context: - * Process or interrupt, according to the semantics dictated by the 'cr'. - * * Returns: * See comment in the beginning of the file. */ static int crypto_mac_init_prov(kcf_provider_desc_t *pd, crypto_mechanism_t *mech, crypto_key_t *key, crypto_spi_ctx_template_t tmpl, - crypto_context_t *ctxp, crypto_call_req_t *crq) + crypto_context_t *ctxp) { int rv; crypto_ctx_t *ctx; @@ -174,13 +165,12 @@ crypto_mac_init_prov(kcf_provider_desc_t *pd, ASSERT(KCF_PROV_REFHELD(pd)); /* Allocate and initialize the canonical context */ - if ((ctx = kcf_new_ctx(crq, real_provider)) == NULL) + if ((ctx = kcf_new_ctx(real_provider)) == NULL) return (CRYPTO_HOST_MEMORY); crypto_mechanism_t lmech = *mech; KCF_SET_PROVIDER_MECHNUM(mech->cm_type, real_provider, &lmech); - rv = KCF_PROV_MAC_INIT(real_provider, ctx, &lmech, key, tmpl, - KCF_SWFP_RHNDL(crq)); + rv = KCF_PROV_MAC_INIT(real_provider, ctx, &lmech, key, tmpl); KCF_PROV_INCRSTATS(pd, rv); if (rv == CRYPTO_SUCCESS) @@ -200,8 +190,7 @@ crypto_mac_init_prov(kcf_provider_desc_t *pd, */ int crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, - crypto_ctx_template_t tmpl, crypto_context_t *ctxp, - crypto_call_req_t *crq) + crypto_ctx_template_t tmpl, crypto_context_t *ctxp) { int error; kcf_mech_entry_t *me; @@ -230,10 +219,10 @@ crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl; error = crypto_mac_init_prov(pd, mech, key, - spi_ctx_tmpl, ctxp, crq); + spi_ctx_tmpl, ctxp); if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */ - if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL) + if (kcf_insert_triedlist(&list, pd, KM_SLEEP) != NULL) goto retry; } @@ -254,9 +243,6 @@ crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, * Description: * Synchronously performs a part of a MAC operation. * - * Context: - * Process or interrupt, according to the semantics dictated by the 'cr'. - * * Returns: * See comment in the beginning of the file. */ @@ -273,7 +259,7 @@ crypto_mac_update(crypto_context_t context, crypto_data_t *data) return (CRYPTO_INVALID_CONTEXT); } - int rv = KCF_PROV_MAC_UPDATE(pd, ctx, data, NULL); + int rv = KCF_PROV_MAC_UPDATE(pd, ctx, data); KCF_PROV_INCRSTATS(pd, rv); return (rv); } @@ -288,9 +274,6 @@ crypto_mac_update(crypto_context_t context, crypto_data_t *data) * Description: * Synchronously performs a part of a message authentication operation. * - * Context: - * Process or interrupt, according to the semantics dictated by the 'cr'. - * * Returns: * See comment in the beginning of the file. */ @@ -307,7 +290,7 @@ crypto_mac_final(crypto_context_t context, crypto_data_t *mac) return (CRYPTO_INVALID_CONTEXT); } - int rv = KCF_PROV_MAC_FINAL(pd, ctx, mac, NULL); + int rv = KCF_PROV_MAC_FINAL(pd, ctx, mac); KCF_PROV_INCRSTATS(pd, rv); /* Release the hold done in kcf_new_ctx() during init step. */ diff --git a/module/icp/core/kcf_sched.c b/module/icp/core/kcf_sched.c index d074bab8527d..4c689c20f3b7 100644 --- a/module/icp/core/kcf_sched.c +++ b/module/icp/core/kcf_sched.c @@ -37,19 +37,17 @@ /* kmem caches used by the scheduler */ static kmem_cache_t *kcf_context_cache; -ulong_t kcf_swprov_hndl = 0; /* * Create a new context. */ crypto_ctx_t * -kcf_new_ctx(crypto_call_req_t *crq, kcf_provider_desc_t *pd) +kcf_new_ctx(kcf_provider_desc_t *pd) { crypto_ctx_t *ctx; kcf_context_t *kcf_ctx; - kcf_ctx = kmem_cache_alloc(kcf_context_cache, - (crq == NULL) ? KM_SLEEP : KM_NOSLEEP); + kcf_ctx = kmem_cache_alloc(kcf_context_cache, KM_SLEEP); if (kcf_ctx == NULL) return (NULL); diff --git a/module/icp/include/modes/modes.h b/module/icp/include/modes/modes.h index ab71197542eb..aa88ea97e045 100644 --- a/module/icp/include/modes/modes.h +++ b/module/icp/include/modes/modes.h @@ -207,10 +207,6 @@ typedef struct ccm_ctx { * * gcm_len_a_len_c: 64-bit representations of the bit lengths of * AAD and ciphertext. - * - * gcm_kmflag: Current value of kmflag. Used for allocating - * the plaintext buffer during decryption and a - * gcm_avx_chunk_size'd buffer for avx enabled encryption. */ typedef struct gcm_ctx { struct common_ctx gcm_common; @@ -231,7 +227,6 @@ typedef struct gcm_ctx { uint64_t gcm_J0[2]; uint64_t gcm_len_a_len_c[2]; uint8_t *gcm_pt_buf; - int gcm_kmflag; #ifdef CAN_USE_GCM_ASM boolean_t gcm_use_avx; #endif @@ -402,7 +397,6 @@ extern void *ccm_alloc_ctx(int); extern void *gcm_alloc_ctx(int); extern void *gmac_alloc_ctx(int); extern void crypto_free_mode_ctx(void *); -extern void gcm_set_kmflag(gcm_ctx_t *, int); #ifdef __cplusplus } diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index 3e57233b6ad9..ba37c99e966d 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -76,7 +76,7 @@ typedef struct kcf_sched_info { * other purposes, that base value is mostly same across all providers. * So, it is a good measure of the load on a provider when it is not * in a busy state. Once a provider notifies it is busy, requests - * backup in the taskq. So, we use tq_nalloc in that case which gives + * back up in the taskq. So, we use tq_nalloc in that case which gives * the number of task entries in the task queue. Note that we do not * acquire any locks here as it is not critical to get the exact number * and the lock contention may be too costly for this code path. @@ -387,76 +387,73 @@ typedef struct crypto_minor { * Wrappers for crypto_digest_ops(9S) entry points. */ -#define KCF_PROV_DIGEST_INIT(pd, ctx, mech, req) ( \ +#define KCF_PROV_DIGEST_INIT(pd, ctx, mech) ( \ (KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_init) ? \ - KCF_PROV_DIGEST_OPS(pd)->digest_init(ctx, mech, req) : \ + KCF_PROV_DIGEST_OPS(pd)->digest_init(ctx, mech) : \ CRYPTO_NOT_SUPPORTED) /* * Wrappers for crypto_cipher_ops(9S) entry points. */ -#define KCF_PROV_ENCRYPT_INIT(pd, ctx, mech, key, template, req) ( \ +#define KCF_PROV_ENCRYPT_INIT(pd, ctx, mech, key, template) ( \ (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_init) ? \ - KCF_PROV_CIPHER_OPS(pd)->encrypt_init(ctx, mech, key, template, \ - req) : \ + KCF_PROV_CIPHER_OPS(pd)->encrypt_init(ctx, mech, key, template) : \ CRYPTO_NOT_SUPPORTED) #define KCF_PROV_ENCRYPT_ATOMIC(pd, session, mech, key, plaintext, ciphertext, \ - template, req) ( \ + template) ( \ (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic) ? \ KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic( \ (pd)->pd_prov_handle, session, mech, key, plaintext, ciphertext, \ - template, req) : \ + template) : \ CRYPTO_NOT_SUPPORTED) #define KCF_PROV_DECRYPT_ATOMIC(pd, session, mech, key, ciphertext, plaintext, \ - template, req) ( \ + template) ( \ (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic) ? \ KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic( \ (pd)->pd_prov_handle, session, mech, key, ciphertext, plaintext, \ - template, req) : \ + template) : \ CRYPTO_NOT_SUPPORTED) /* * Wrappers for crypto_mac_ops(9S) entry points. */ -#define KCF_PROV_MAC_INIT(pd, ctx, mech, key, template, req) ( \ +#define KCF_PROV_MAC_INIT(pd, ctx, mech, key, template) ( \ (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_init) ? \ - KCF_PROV_MAC_OPS(pd)->mac_init(ctx, mech, key, template, req) \ + KCF_PROV_MAC_OPS(pd)->mac_init(ctx, mech, key, template) \ : CRYPTO_NOT_SUPPORTED) /* * The _ (underscore) in _mac is needed to avoid replacing the * function mac(). */ -#define KCF_PROV_MAC_UPDATE(pd, ctx, data, req) ( \ +#define KCF_PROV_MAC_UPDATE(pd, ctx, data) ( \ (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_update) ? \ - KCF_PROV_MAC_OPS(pd)->mac_update(ctx, data, req) : \ + KCF_PROV_MAC_OPS(pd)->mac_update(ctx, data) : \ CRYPTO_NOT_SUPPORTED) -#define KCF_PROV_MAC_FINAL(pd, ctx, mac, req) ( \ +#define KCF_PROV_MAC_FINAL(pd, ctx, mac) ( \ (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_final) ? \ - KCF_PROV_MAC_OPS(pd)->mac_final(ctx, mac, req) : \ + KCF_PROV_MAC_OPS(pd)->mac_final(ctx, mac) : \ CRYPTO_NOT_SUPPORTED) -#define KCF_PROV_MAC_ATOMIC(pd, session, mech, key, data, mac, template, \ - req) ( \ +#define KCF_PROV_MAC_ATOMIC(pd, session, mech, key, data, mac, template) ( \ (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_atomic) ? \ KCF_PROV_MAC_OPS(pd)->mac_atomic( \ - (pd)->pd_prov_handle, session, mech, key, data, mac, template, \ - req) : \ + (pd)->pd_prov_handle, session, mech, key, data, mac, template) : \ CRYPTO_NOT_SUPPORTED) /* * Wrappers for crypto_ctx_ops(9S) entry points. */ -#define KCF_PROV_CREATE_CTX_TEMPLATE(pd, mech, key, template, size, req) ( \ +#define KCF_PROV_CREATE_CTX_TEMPLATE(pd, mech, key, template, size) ( \ (KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->create_ctx_template) ? \ KCF_PROV_CTX_OPS(pd)->create_ctx_template( \ - (pd)->pd_prov_handle, mech, key, template, size, req) : \ + (pd)->pd_prov_handle, mech, key, template, size) : \ CRYPTO_NOT_SUPPORTED) #define KCF_PROV_FREE_CONTEXT(pd, ctx) ( \ diff --git a/module/icp/include/sys/crypto/sched_impl.h b/module/icp/include/sys/crypto/sched_impl.h index 6174c3aa1d0e..1de4bd8b94f4 100644 --- a/module/icp/include/sys/crypto/sched_impl.h +++ b/module/icp/include/sys/crypto/sched_impl.h @@ -40,28 +40,6 @@ extern "C" { #include #include -#define KCF_KMFLAG(crq) (((crq) == NULL) ? KM_SLEEP : KM_NOSLEEP) - -/* - * The framework keeps an internal handle to use in the adaptive - * asynchronous case. This is the case when a client has the - * CRYPTO_ALWAYS_QUEUE bit clear and a provider is used for - * the request. The request is completed in the context of the calling - * thread and kernel memory must be allocated with KM_NOSLEEP. - * - * The framework passes a pointer to the handle in crypto_req_handle_t - * argument when it calls the SPI of the provider. The macros - * KCF_RHNDL() and KCF_SWFP_RHNDL() are used to do this. - * - * When a provider asks the framework for kmflag value via - * crypto_kmflag(9S) we use REQHNDL2_KMFLAG() macro. - */ -extern ulong_t kcf_swprov_hndl; -#define KCF_RHNDL(kmflag) (((kmflag) == KM_SLEEP) ? NULL : &kcf_swprov_hndl) -#define KCF_SWFP_RHNDL(crq) (((crq) == NULL) ? NULL : &kcf_swprov_hndl) -#define REQHNDL2_KMFLAG(rhndl) \ - ((rhndl == &kcf_swprov_hndl) ? KM_NOSLEEP : KM_SLEEP) - typedef struct kcf_prov_tried { kcf_provider_desc_t *pt_pd; struct kcf_prov_tried *pt_next; @@ -144,7 +122,7 @@ extern kcf_prov_tried_t *kcf_insert_triedlist(kcf_prov_tried_t **, kcf_provider_desc_t *, int); extern kcf_provider_desc_t *kcf_get_mech_provider(crypto_mech_type_t, kcf_mech_entry_t **, int *, kcf_prov_tried_t *, crypto_func_group_t); -extern crypto_ctx_t *kcf_new_ctx(crypto_call_req_t *, kcf_provider_desc_t *); +extern crypto_ctx_t *kcf_new_ctx(kcf_provider_desc_t *); extern void kcf_sched_destroy(void); extern void kcf_sched_init(void); extern void kcf_free_context(kcf_context_t *); diff --git a/module/icp/include/sys/crypto/spi.h b/module/icp/include/sys/crypto/spi.h index ba383a750ef3..6d656fef20d4 100644 --- a/module/icp/include/sys/crypto/spi.h +++ b/module/icp/include/sys/crypto/spi.h @@ -59,12 +59,6 @@ typedef void *crypto_provider_handle_t; */ typedef void *crypto_spi_ctx_template_t; -/* - * Request handles are used by the kernel to identify an asynchronous - * request being processed by a provider. - */ -typedef void *crypto_req_handle_t; - /* * The context structure is passed from the kernel to a provider. * It contains the information needed to process a multi-part or @@ -88,18 +82,14 @@ typedef struct crypto_ctx { * kernel using crypto_register_provider(9F). */ typedef struct crypto_digest_ops { - int (*digest_init)(crypto_ctx_t *, crypto_mechanism_t *, - crypto_req_handle_t); - int (*digest)(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, - crypto_req_handle_t); - int (*digest_update)(crypto_ctx_t *, crypto_data_t *, - crypto_req_handle_t); - int (*digest_key)(crypto_ctx_t *, crypto_key_t *, crypto_req_handle_t); - int (*digest_final)(crypto_ctx_t *, crypto_data_t *, - crypto_req_handle_t); + int (*digest_init)(crypto_ctx_t *, crypto_mechanism_t *); + int (*digest)(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); + int (*digest_update)(crypto_ctx_t *, crypto_data_t *); + int (*digest_key)(crypto_ctx_t *, crypto_key_t *); + int (*digest_final)(crypto_ctx_t *, crypto_data_t *); int (*digest_atomic)(crypto_provider_handle_t, crypto_session_id_t, crypto_mechanism_t *, crypto_data_t *, - crypto_data_t *, crypto_req_handle_t); + crypto_data_t *); } __no_const crypto_digest_ops_t; /* @@ -111,29 +101,29 @@ typedef struct crypto_digest_ops { typedef struct crypto_cipher_ops { int (*encrypt_init)(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, - crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_spi_ctx_template_t); int (*encrypt)(crypto_ctx_t *, - crypto_data_t *, crypto_data_t *, crypto_req_handle_t); + crypto_data_t *, crypto_data_t *); int (*encrypt_update)(crypto_ctx_t *, - crypto_data_t *, crypto_data_t *, crypto_req_handle_t); + crypto_data_t *, crypto_data_t *); int (*encrypt_final)(crypto_ctx_t *, - crypto_data_t *, crypto_req_handle_t); + crypto_data_t *); int (*encrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_data_t *, crypto_spi_ctx_template_t); int (*decrypt_init)(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, - crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_spi_ctx_template_t); int (*decrypt)(crypto_ctx_t *, - crypto_data_t *, crypto_data_t *, crypto_req_handle_t); + crypto_data_t *, crypto_data_t *); int (*decrypt_update)(crypto_ctx_t *, - crypto_data_t *, crypto_data_t *, crypto_req_handle_t); + crypto_data_t *, crypto_data_t *); int (*decrypt_final)(crypto_ctx_t *, - crypto_data_t *, crypto_req_handle_t); + crypto_data_t *); int (*decrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_data_t *, crypto_spi_ctx_template_t); } __no_const crypto_cipher_ops_t; /* @@ -145,21 +135,19 @@ typedef struct crypto_cipher_ops { typedef struct crypto_mac_ops { int (*mac_init)(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, - crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_spi_ctx_template_t); int (*mac)(crypto_ctx_t *, - crypto_data_t *, crypto_data_t *, crypto_req_handle_t); + crypto_data_t *, crypto_data_t *); int (*mac_update)(crypto_ctx_t *, - crypto_data_t *, crypto_req_handle_t); + crypto_data_t *); int (*mac_final)(crypto_ctx_t *, - crypto_data_t *, crypto_req_handle_t); + crypto_data_t *); int (*mac_atomic)(crypto_provider_handle_t, crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t, - crypto_req_handle_t); + crypto_data_t *, crypto_spi_ctx_template_t); int (*mac_verify_atomic)(crypto_provider_handle_t, crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t, - crypto_req_handle_t); + crypto_data_t *, crypto_spi_ctx_template_t); } __no_const crypto_mac_ops_t; /* @@ -171,7 +159,7 @@ typedef struct crypto_mac_ops { typedef struct crypto_ctx_ops { int (*create_ctx_template)(crypto_provider_handle_t, crypto_mechanism_t *, crypto_key_t *, - crypto_spi_ctx_template_t *, size_t *, crypto_req_handle_t); + crypto_spi_ctx_template_t *, size_t *); int (*free_context)(crypto_ctx_t *); } __no_const crypto_ctx_ops_t; @@ -263,7 +251,6 @@ typedef struct crypto_provider_info { extern int crypto_register_provider(const crypto_provider_info_t *, crypto_kcf_provider_handle_t *); extern int crypto_unregister_provider(crypto_kcf_provider_handle_t); -extern int crypto_kmflag(crypto_req_handle_t); #ifdef __cplusplus diff --git a/module/icp/io/aes.c b/module/icp/io/aes.c index 7e87f8da16ee..d91c897c00d0 100644 --- a/module/icp/io/aes.c +++ b/module/icp/io/aes.c @@ -74,33 +74,29 @@ static const crypto_mech_info_t aes_mech_info_tab[] = { }; static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *, - crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_key_t *, crypto_spi_ctx_template_t); static int aes_decrypt_init(crypto_ctx_t *, crypto_mechanism_t *, - crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_key_t *, crypto_spi_ctx_template_t); static int aes_common_init(crypto_ctx_t *, crypto_mechanism_t *, - crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t, boolean_t); + crypto_key_t *, crypto_spi_ctx_template_t, boolean_t); static int aes_common_init_ctx(aes_ctx_t *, crypto_spi_ctx_template_t *, crypto_mechanism_t *, crypto_key_t *, int, boolean_t); -static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *, - crypto_req_handle_t); -static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *, - crypto_req_handle_t); +static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *); +static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *); -static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, - crypto_req_handle_t); +static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *, - crypto_data_t *, crypto_req_handle_t); + crypto_data_t *); static int aes_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_data_t *, crypto_spi_ctx_template_t); -static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, - crypto_req_handle_t); +static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *, - crypto_data_t *, crypto_req_handle_t); + crypto_data_t *); static int aes_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_data_t *, crypto_spi_ctx_template_t); static const crypto_cipher_ops_t aes_cipher_ops = { .encrypt_init = aes_encrypt_init, @@ -117,10 +113,10 @@ static const crypto_cipher_ops_t aes_cipher_ops = { static int aes_mac_atomic(crypto_provider_handle_t, crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_spi_ctx_template_t); static int aes_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_spi_ctx_template_t); static const crypto_mac_ops_t aes_mac_ops = { .mac_init = NULL, @@ -133,7 +129,7 @@ static const crypto_mac_ops_t aes_mac_ops = { static int aes_create_ctx_template(crypto_provider_handle_t, crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *, - size_t *, crypto_req_handle_t); + size_t *); static int aes_free_context(crypto_ctx_t *); static const crypto_ctx_ops_t aes_ctx_ops = { @@ -188,7 +184,7 @@ aes_mod_fini(void) } static int -aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag) +aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx) { void *p = NULL; boolean_t param_required = B_TRUE; @@ -230,7 +226,7 @@ aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag) rv = CRYPTO_MECHANISM_PARAM_INVALID; } if (ctx != NULL) { - p = (alloc_fun)(kmflag); + p = (alloc_fun)(KM_SLEEP); *ctx = p; } return (rv); @@ -257,18 +253,16 @@ init_keysched(crypto_key_t *key, void *newbie) static int aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, - crypto_key_t *key, crypto_spi_ctx_template_t template, - crypto_req_handle_t req) + crypto_key_t *key, crypto_spi_ctx_template_t template) { - return (aes_common_init(ctx, mechanism, key, template, req, B_TRUE)); + return (aes_common_init(ctx, mechanism, key, template, B_TRUE)); } static int aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, - crypto_key_t *key, crypto_spi_ctx_template_t template, - crypto_req_handle_t req) + crypto_key_t *key, crypto_spi_ctx_template_t template) { - return (aes_common_init(ctx, mechanism, key, template, req, B_FALSE)); + return (aes_common_init(ctx, mechanism, key, template, B_FALSE)); } @@ -279,18 +273,16 @@ aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, static int aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_spi_ctx_template_t template, - crypto_req_handle_t req, boolean_t is_encrypt_init) + boolean_t is_encrypt_init) { aes_ctx_t *aes_ctx; int rv; - int kmflag; - kmflag = crypto_kmflag(req); - if ((rv = aes_check_mech_param(mechanism, &aes_ctx, kmflag)) + if ((rv = aes_check_mech_param(mechanism, &aes_ctx)) != CRYPTO_SUCCESS) return (rv); - rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, kmflag, + rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, KM_SLEEP, is_encrypt_init); if (rv != CRYPTO_SUCCESS) { crypto_free_mode_ctx(aes_ctx); @@ -320,7 +312,7 @@ aes_copy_block64(uint8_t *in, uint64_t *out) static int aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext, - crypto_data_t *ciphertext, crypto_req_handle_t req) + crypto_data_t *ciphertext) { int ret = CRYPTO_FAILED; @@ -372,7 +364,7 @@ aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext, /* * Do an update on the specified input data. */ - ret = aes_encrypt_update(ctx, plaintext, ciphertext, req); + ret = aes_encrypt_update(ctx, plaintext, ciphertext); if (ret != CRYPTO_SUCCESS) { return (ret); } @@ -435,7 +427,7 @@ aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext, static int aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext, - crypto_data_t *plaintext, crypto_req_handle_t req) + crypto_data_t *plaintext) { int ret = CRYPTO_FAILED; @@ -493,7 +485,7 @@ aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext, /* * Do an update on the specified input data. */ - ret = aes_decrypt_update(ctx, ciphertext, plaintext, req); + ret = aes_decrypt_update(ctx, ciphertext, plaintext); if (ret != CRYPTO_SUCCESS) { goto cleanup; } @@ -549,9 +541,8 @@ aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext, static int aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext, - crypto_data_t *ciphertext, crypto_req_handle_t req) + crypto_data_t *ciphertext) { - (void) req; off_t saved_offset; size_t saved_length, out_len; int ret = CRYPTO_SUCCESS; @@ -618,7 +609,7 @@ aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext, static int aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext, - crypto_data_t *plaintext, crypto_req_handle_t req) + crypto_data_t *plaintext) { off_t saved_offset; size_t saved_length, out_len; @@ -650,9 +641,6 @@ aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext, saved_offset = plaintext->cd_offset; saved_length = plaintext->cd_length; - if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) - gcm_set_kmflag((gcm_ctx_t *)aes_ctx, crypto_kmflag(req)); - /* * Do the AES update on the specified input data. */ @@ -696,10 +684,8 @@ aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext, } static int -aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data, - crypto_req_handle_t req) +aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data) { - (void) req; aes_ctx_t *aes_ctx; int ret; @@ -753,10 +739,8 @@ aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data, } static int -aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data, - crypto_req_handle_t req) +aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data) { - (void) req; aes_ctx_t *aes_ctx; int ret; off_t saved_offset; @@ -859,7 +843,7 @@ static int aes_encrypt_atomic(crypto_provider_handle_t provider, crypto_session_id_t session_id, crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, - crypto_spi_ctx_template_t template, crypto_req_handle_t req) + crypto_spi_ctx_template_t template) { (void) provider, (void) session_id; aes_ctx_t aes_ctx; /* on the stack */ @@ -885,13 +869,13 @@ aes_encrypt_atomic(crypto_provider_handle_t provider, return (CRYPTO_DATA_LEN_RANGE); } - if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS) + if ((ret = aes_check_mech_param(mechanism, NULL)) != CRYPTO_SUCCESS) return (ret); bzero(&aes_ctx, sizeof (aes_ctx_t)); ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key, - crypto_kmflag(req), B_TRUE); + KM_SLEEP, B_TRUE); if (ret != CRYPTO_SUCCESS) return (ret); @@ -995,7 +979,7 @@ static int aes_decrypt_atomic(crypto_provider_handle_t provider, crypto_session_id_t session_id, crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, - crypto_spi_ctx_template_t template, crypto_req_handle_t req) + crypto_spi_ctx_template_t template) { (void) provider, (void) session_id; aes_ctx_t aes_ctx; /* on the stack */ @@ -1021,13 +1005,13 @@ aes_decrypt_atomic(crypto_provider_handle_t provider, return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); } - if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS) + if ((ret = aes_check_mech_param(mechanism, NULL)) != CRYPTO_SUCCESS) return (ret); bzero(&aes_ctx, sizeof (aes_ctx_t)); ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key, - crypto_kmflag(req), B_FALSE); + KM_SLEEP, B_FALSE); if (ret != CRYPTO_SUCCESS) return (ret); @@ -1057,10 +1041,6 @@ aes_decrypt_atomic(crypto_provider_handle_t provider, saved_offset = plaintext->cd_offset; saved_length = plaintext->cd_length; - if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE || - mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) - gcm_set_kmflag((gcm_ctx_t *)&aes_ctx, crypto_kmflag(req)); - /* * Do an update on the specified input data. */ @@ -1164,7 +1144,7 @@ aes_decrypt_atomic(crypto_provider_handle_t provider, static int aes_create_ctx_template(crypto_provider_handle_t provider, crypto_mechanism_t *mechanism, crypto_key_t *key, - crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size, crypto_req_handle_t req) + crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size) { (void) provider; void *keysched; @@ -1179,8 +1159,7 @@ aes_create_ctx_template(crypto_provider_handle_t provider, mechanism->cm_type != AES_GMAC_MECH_INFO_TYPE) return (CRYPTO_MECHANISM_INVALID); - if ((keysched = aes_alloc_keysched(&size, - crypto_kmflag(req))) == NULL) { + if ((keysched = aes_alloc_keysched(&size, KM_SLEEP)) == NULL) { return (CRYPTO_HOST_MEMORY); } @@ -1342,7 +1321,7 @@ static int aes_mac_atomic(crypto_provider_handle_t provider, crypto_session_id_t session_id, crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, - crypto_spi_ctx_template_t template, crypto_req_handle_t req) + crypto_spi_ctx_template_t template) { CK_AES_GCM_PARAMS gcm_params; crypto_mechanism_t gcm_mech; @@ -1357,14 +1336,14 @@ aes_mac_atomic(crypto_provider_handle_t provider, gcm_mech.cm_param = (char *)&gcm_params; return (aes_encrypt_atomic(provider, session_id, &gcm_mech, - key, &null_crypto_data, mac, template, req)); + key, &null_crypto_data, mac, template)); } static int aes_mac_verify_atomic(crypto_provider_handle_t provider, crypto_session_id_t session_id, crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, - crypto_spi_ctx_template_t template, crypto_req_handle_t req) + crypto_spi_ctx_template_t template) { CK_AES_GCM_PARAMS gcm_params; crypto_mechanism_t gcm_mech; @@ -1379,5 +1358,5 @@ aes_mac_verify_atomic(crypto_provider_handle_t provider, gcm_mech.cm_param = (char *)&gcm_params; return (aes_decrypt_atomic(provider, session_id, &gcm_mech, - key, mac, &null_crypto_data, template, req)); + key, mac, &null_crypto_data, template)); } diff --git a/module/icp/io/sha2_mod.c b/module/icp/io/sha2_mod.c index d5a8d5bb728c..db6cc539c6e6 100644 --- a/module/icp/io/sha2_mod.c +++ b/module/icp/io/sha2_mod.c @@ -105,17 +105,12 @@ static const crypto_mech_info_t sha2_mech_info_tab[] = { CRYPTO_KEYSIZE_UNIT_IN_BYTES} }; -static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *, - crypto_req_handle_t); -static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, - crypto_req_handle_t); -static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *, - crypto_req_handle_t); -static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *, - crypto_req_handle_t); +static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *); +static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); +static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *); +static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *); static int sha2_digest_atomic(crypto_provider_handle_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_data_t *, crypto_data_t *, - crypto_req_handle_t); + crypto_mechanism_t *, crypto_data_t *, crypto_data_t *); static const crypto_digest_ops_t sha2_digest_ops = { .digest_init = sha2_digest_init, @@ -126,16 +121,15 @@ static const crypto_digest_ops_t sha2_digest_ops = { }; static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, - crypto_spi_ctx_template_t, crypto_req_handle_t); -static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *, - crypto_req_handle_t); -static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t); + crypto_spi_ctx_template_t); +static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *); +static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *); static int sha2_mac_atomic(crypto_provider_handle_t, crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_spi_ctx_template_t); static int sha2_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_spi_ctx_template_t); static const crypto_mac_ops_t sha2_mac_ops = { .mac_init = sha2_mac_init, @@ -148,7 +142,7 @@ static const crypto_mac_ops_t sha2_mac_ops = { static int sha2_create_ctx_template(crypto_provider_handle_t, crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *, - size_t *, crypto_req_handle_t); + size_t *); static int sha2_free_context(crypto_ctx_t *); static const crypto_ctx_ops_t sha2_ctx_ops = { @@ -215,15 +209,13 @@ sha2_mod_fini(void) */ static int -sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, - crypto_req_handle_t req) +sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism) { /* * Allocate and initialize SHA2 context. */ - ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t), - crypto_kmflag(req)); + ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t), KM_SLEEP); if (ctx->cc_provider_private == NULL) return (CRYPTO_HOST_MEMORY); @@ -388,10 +380,8 @@ sha2_digest_final_uio(SHA2_CTX *sha2_ctx, crypto_data_t *digest, } static int -sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest, - crypto_req_handle_t req) +sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest) { - (void) req; int ret = CRYPTO_SUCCESS; uint_t sha_digest_len; @@ -476,10 +466,8 @@ sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest, } static int -sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data, - crypto_req_handle_t req) +sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data) { - (void) req; int ret = CRYPTO_SUCCESS; ASSERT(ctx->cc_provider_private != NULL); @@ -505,10 +493,8 @@ sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data, } static int -sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest, - crypto_req_handle_t req) +sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest) { - (void) req; int ret = CRYPTO_SUCCESS; uint_t sha_digest_len; @@ -570,10 +556,9 @@ sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest, static int sha2_digest_atomic(crypto_provider_handle_t provider, crypto_session_id_t session_id, crypto_mechanism_t *mechanism, - crypto_data_t *data, crypto_data_t *digest, - crypto_req_handle_t req) + crypto_data_t *data, crypto_data_t *digest) { - (void) provider, (void) session_id, (void) req; + (void) provider, (void) session_id; int ret = CRYPTO_SUCCESS; SHA2_CTX sha2_ctx; uint32_t sha_digest_len; @@ -709,8 +694,7 @@ sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes) */ static int sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, - crypto_key_t *key, crypto_spi_ctx_template_t ctx_template, - crypto_req_handle_t req) + crypto_key_t *key, crypto_spi_ctx_template_t ctx_template) { int ret = CRYPTO_SUCCESS; uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length); @@ -737,8 +721,8 @@ sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, return (CRYPTO_MECHANISM_INVALID); } - ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t), - crypto_kmflag(req)); + ctx->cc_provider_private = + kmem_alloc(sizeof (sha2_hmac_ctx_t), KM_SLEEP); if (ctx->cc_provider_private == NULL) return (CRYPTO_HOST_MEMORY); @@ -792,10 +776,8 @@ sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, } static int -sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data, - crypto_req_handle_t req) +sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data) { - (void) req; int ret = CRYPTO_SUCCESS; ASSERT(ctx->cc_provider_private != NULL); @@ -822,9 +804,8 @@ sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data, } static int -sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req) +sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac) { - (void) req; int ret = CRYPTO_SUCCESS; uchar_t digest[SHA512_DIGEST_LENGTH]; uint32_t digest_len, sha_digest_len; @@ -938,9 +919,9 @@ static int sha2_mac_atomic(crypto_provider_handle_t provider, crypto_session_id_t session_id, crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, - crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) + crypto_spi_ctx_template_t ctx_template) { - (void) provider, (void) session_id, (void) req; + (void) provider, (void) session_id; int ret = CRYPTO_SUCCESS; uchar_t digest[SHA512_DIGEST_LENGTH]; sha2_hmac_ctx_t sha2_hmac_ctx; @@ -1072,9 +1053,9 @@ static int sha2_mac_verify_atomic(crypto_provider_handle_t provider, crypto_session_id_t session_id, crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, - crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) + crypto_spi_ctx_template_t ctx_template) { - (void) provider, (void) session_id, (void) req; + (void) provider, (void) session_id; int ret = CRYPTO_SUCCESS; uchar_t digest[SHA512_DIGEST_LENGTH]; sha2_hmac_ctx_t sha2_hmac_ctx; @@ -1247,8 +1228,7 @@ sha2_mac_verify_atomic(crypto_provider_handle_t provider, static int sha2_create_ctx_template(crypto_provider_handle_t provider, crypto_mechanism_t *mechanism, crypto_key_t *key, - crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size, - crypto_req_handle_t req) + crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size) { (void) provider; sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl; @@ -1279,8 +1259,7 @@ sha2_create_ctx_template(crypto_provider_handle_t provider, /* * Allocate and initialize SHA2 context. */ - sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t), - crypto_kmflag(req)); + sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t), KM_SLEEP); if (sha2_hmac_ctx_tmpl == NULL) return (CRYPTO_HOST_MEMORY); diff --git a/module/icp/io/skein_mod.c b/module/icp/io/skein_mod.c index 48e4358b8d86..43d9c9db118f 100644 --- a/module/icp/io/skein_mod.c +++ b/module/icp/io/skein_mod.c @@ -51,15 +51,12 @@ static const crypto_mech_info_t skein_mech_info_tab[] = { CRYPTO_KEYSIZE_UNIT_IN_BYTES} }; -static int skein_digest_init(crypto_ctx_t *, crypto_mechanism_t *, - crypto_req_handle_t); -static int skein_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, - crypto_req_handle_t); -static int skein_update(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t); -static int skein_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t); +static int skein_digest_init(crypto_ctx_t *, crypto_mechanism_t *); +static int skein_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); +static int skein_update(crypto_ctx_t *, crypto_data_t *); +static int skein_final(crypto_ctx_t *, crypto_data_t *); static int skein_digest_atomic(crypto_provider_handle_t, crypto_session_id_t, - crypto_mechanism_t *, crypto_data_t *, crypto_data_t *, - crypto_req_handle_t); + crypto_mechanism_t *, crypto_data_t *, crypto_data_t *); static const crypto_digest_ops_t skein_digest_ops = { .digest_init = skein_digest_init, @@ -70,10 +67,10 @@ static const crypto_digest_ops_t skein_digest_ops = { }; static int skein_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, - crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_spi_ctx_template_t); static int skein_mac_atomic(crypto_provider_handle_t, crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t, crypto_req_handle_t); + crypto_spi_ctx_template_t); static const crypto_mac_ops_t skein_mac_ops = { .mac_init = skein_mac_init, @@ -86,7 +83,7 @@ static const crypto_mac_ops_t skein_mac_ops = { static int skein_create_ctx_template(crypto_provider_handle_t, crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *, - size_t *, crypto_req_handle_t); + size_t *); static int skein_free_context(crypto_ctx_t *); static const crypto_ctx_ops_t skein_ctx_ops = { @@ -264,8 +261,7 @@ skein_digest_update_uio(skein_ctx_t *ctx, const crypto_data_t *data) * Performs a Final on a context and writes to a uio digest output. */ static int -skein_digest_final_uio(skein_ctx_t *ctx, crypto_data_t *digest, - crypto_req_handle_t req) +skein_digest_final_uio(skein_ctx_t *ctx, crypto_data_t *digest) { off_t offset = digest->cd_offset; uint_t vec_idx = 0; @@ -298,7 +294,7 @@ skein_digest_final_uio(skein_ctx_t *ctx, crypto_data_t *digest, size_t cur_len; digest_tmp = kmem_alloc(CRYPTO_BITS2BYTES( - ctx->sc_digest_bitlen), crypto_kmflag(req)); + ctx->sc_digest_bitlen), KM_SLEEP); if (digest_tmp == NULL) return (CRYPTO_HOST_MEMORY); SKEIN_OP(ctx, Final, digest_tmp); @@ -342,16 +338,14 @@ skein_digest_final_uio(skein_ctx_t *ctx, crypto_data_t *digest, * for Skein-1024). */ static int -skein_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, - crypto_req_handle_t req) +skein_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism) { int error = CRYPTO_SUCCESS; if (!VALID_SKEIN_DIGEST_MECH(mechanism->cm_type)) return (CRYPTO_MECHANISM_INVALID); - SKEIN_CTX_LVALUE(ctx) = kmem_alloc(sizeof (*SKEIN_CTX(ctx)), - crypto_kmflag(req)); + SKEIN_CTX_LVALUE(ctx) = kmem_alloc(sizeof (*SKEIN_CTX(ctx)), KM_SLEEP); if (SKEIN_CTX(ctx) == NULL) return (CRYPTO_HOST_MEMORY); @@ -376,8 +370,7 @@ skein_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, * see what to pass here. */ static int -skein_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest, - crypto_req_handle_t req) +skein_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest) { int error = CRYPTO_SUCCESS; @@ -390,7 +383,7 @@ skein_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest, return (CRYPTO_BUFFER_TOO_SMALL); } - error = skein_update(ctx, data, req); + error = skein_update(ctx, data); if (error != CRYPTO_SUCCESS) { bzero(SKEIN_CTX(ctx), sizeof (*SKEIN_CTX(ctx))); kmem_free(SKEIN_CTX(ctx), sizeof (*SKEIN_CTX(ctx))); @@ -398,7 +391,7 @@ skein_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest, digest->cd_length = 0; return (error); } - error = skein_final(ctx, digest, req); + error = skein_final(ctx, digest); return (error); } @@ -409,9 +402,8 @@ skein_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest, * Supported input data formats are raw, uio and mblk. */ static int -skein_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req) +skein_update(crypto_ctx_t *ctx, crypto_data_t *data) { - (void) req; int error = CRYPTO_SUCCESS; ASSERT(SKEIN_CTX(ctx) != NULL); @@ -438,7 +430,7 @@ skein_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req) * Supported output digest formats are raw, uio and mblk. */ static int -skein_final(crypto_ctx_t *ctx, crypto_data_t *digest, crypto_req_handle_t req) +skein_final(crypto_ctx_t *ctx, crypto_data_t *digest) { int error = CRYPTO_SUCCESS; @@ -457,7 +449,7 @@ skein_final(crypto_ctx_t *ctx, crypto_data_t *digest, crypto_req_handle_t req) (uint8_t *)digest->cd_raw.iov_base + digest->cd_offset); break; case CRYPTO_DATA_UIO: - error = skein_digest_final_uio(SKEIN_CTX(ctx), digest, req); + error = skein_digest_final_uio(SKEIN_CTX(ctx), digest); break; default: error = CRYPTO_ARGUMENTS_BAD; @@ -485,9 +477,9 @@ skein_final(crypto_ctx_t *ctx, crypto_data_t *digest, crypto_req_handle_t req) static int skein_digest_atomic(crypto_provider_handle_t provider, crypto_session_id_t session_id, crypto_mechanism_t *mechanism, - crypto_data_t *data, crypto_data_t *digest, crypto_req_handle_t req) + crypto_data_t *data, crypto_data_t *digest) { - (void) provider, (void) session_id, (void) req; + (void) provider, (void) session_id; int error; skein_ctx_t skein_ctx; crypto_ctx_t ctx; @@ -502,9 +494,9 @@ skein_digest_atomic(crypto_provider_handle_t provider, goto out; SKEIN_OP(&skein_ctx, Init, skein_ctx.sc_digest_bitlen); - if ((error = skein_update(&ctx, data, digest)) != CRYPTO_SUCCESS) + if ((error = skein_update(&ctx, data)) != CRYPTO_SUCCESS) goto out; - if ((error = skein_final(&ctx, data, digest)) != CRYPTO_SUCCESS) + if ((error = skein_final(&ctx, data)) != CRYPTO_SUCCESS) goto out; out: @@ -553,13 +545,11 @@ skein_mac_ctx_build(skein_ctx_t *ctx, crypto_mechanism_t *mechanism, */ static int skein_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, - crypto_key_t *key, crypto_spi_ctx_template_t ctx_template, - crypto_req_handle_t req) + crypto_key_t *key, crypto_spi_ctx_template_t ctx_template) { int error; - SKEIN_CTX_LVALUE(ctx) = kmem_alloc(sizeof (*SKEIN_CTX(ctx)), - crypto_kmflag(req)); + SKEIN_CTX_LVALUE(ctx) = kmem_alloc(sizeof (*SKEIN_CTX(ctx)), KM_SLEEP); if (SKEIN_CTX(ctx) == NULL) return (CRYPTO_HOST_MEMORY); @@ -592,7 +582,7 @@ static int skein_mac_atomic(crypto_provider_handle_t provider, crypto_session_id_t session_id, crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, - crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) + crypto_spi_ctx_template_t ctx_template) { /* faux crypto context just for skein_digest_{update,final} */ (void) provider, (void) session_id; @@ -609,9 +599,9 @@ skein_mac_atomic(crypto_provider_handle_t provider, goto errout; } - if ((error = skein_update(&ctx, data, req)) != CRYPTO_SUCCESS) + if ((error = skein_update(&ctx, data)) != CRYPTO_SUCCESS) goto errout; - if ((error = skein_final(&ctx, mac, req)) != CRYPTO_SUCCESS) + if ((error = skein_final(&ctx, mac)) != CRYPTO_SUCCESS) goto errout; return (CRYPTO_SUCCESS); @@ -632,14 +622,13 @@ skein_mac_atomic(crypto_provider_handle_t provider, static int skein_create_ctx_template(crypto_provider_handle_t provider, crypto_mechanism_t *mechanism, crypto_key_t *key, - crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size, - crypto_req_handle_t req) + crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size) { (void) provider; int error; skein_ctx_t *ctx_tmpl; - ctx_tmpl = kmem_alloc(sizeof (*ctx_tmpl), crypto_kmflag(req)); + ctx_tmpl = kmem_alloc(sizeof (*ctx_tmpl), KM_SLEEP); if (ctx_tmpl == NULL) return (CRYPTO_HOST_MEMORY); error = skein_mac_ctx_build(ctx_tmpl, mechanism, key); diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c index de9585514301..bfcb353e5398 100644 --- a/module/icp/spi/kcf_spi.c +++ b/module/icp/spi/kcf_spi.c @@ -220,18 +220,6 @@ crypto_unregister_provider(crypto_kcf_provider_handle_t handle) return (CRYPTO_SUCCESS); } -/* - * This routine is used by providers to determine - * whether to use KM_SLEEP or KM_NOSLEEP during memory allocation. - * - * This routine can be called from user or interrupt context. - */ -int -crypto_kmflag(crypto_req_handle_t handle) -{ - return (REQHNDL2_KMFLAG(handle)); -} - /* * Process the mechanism info structures specified by the provider * during registration. A NULL crypto_provider_info_t indicates diff --git a/module/os/linux/zfs/zio_crypt.c b/module/os/linux/zfs/zio_crypt.c index 31126a78bc2f..099d23484d32 100644 --- a/module/os/linux/zfs/zio_crypt.c +++ b/module/os/linux/zfs/zio_crypt.c @@ -269,13 +269,13 @@ zio_crypt_key_init(uint64_t crypt, zio_crypt_key_t *key) */ mech.cm_type = crypto_mech2id(zio_crypt_table[crypt].ci_mechname); ret = crypto_create_ctx_template(&mech, &key->zk_current_key, - &key->zk_current_tmpl, KM_SLEEP); + &key->zk_current_tmpl); if (ret != CRYPTO_SUCCESS) key->zk_current_tmpl = NULL; mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC); ret = crypto_create_ctx_template(&mech, &key->zk_hmac_key, - &key->zk_hmac_tmpl, KM_SLEEP); + &key->zk_hmac_tmpl); if (ret != CRYPTO_SUCCESS) key->zk_hmac_tmpl = NULL; @@ -323,7 +323,7 @@ zio_crypt_key_change_salt(zio_crypt_key_t *key) /* destroy the old context template and create the new one */ crypto_destroy_ctx_template(key->zk_current_tmpl); ret = crypto_create_ctx_template(&mech, &key->zk_current_key, - &key->zk_current_tmpl, KM_SLEEP); + &key->zk_current_tmpl); if (ret != CRYPTO_SUCCESS) key->zk_current_tmpl = NULL; @@ -447,15 +447,13 @@ zio_do_crypt_uio(boolean_t encrypt, uint64_t crypt, crypto_key_t *key, /* perform the actual encryption */ if (encrypt) { - ret = crypto_encrypt(&mech, &plaindata, key, tmpl, &cipherdata, - NULL); + ret = crypto_encrypt(&mech, &plaindata, key, tmpl, &cipherdata); if (ret != CRYPTO_SUCCESS) { ret = SET_ERROR(EIO); goto error; } } else { - ret = crypto_decrypt(&mech, &cipherdata, key, tmpl, &plaindata, - NULL); + ret = crypto_decrypt(&mech, &cipherdata, key, tmpl, &plaindata); if (ret != CRYPTO_SUCCESS) { ASSERT3U(ret, ==, CRYPTO_INVALID_MAC); ret = SET_ERROR(ECKSUM); @@ -619,13 +617,13 @@ zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version, */ mech.cm_type = crypto_mech2id(zio_crypt_table[crypt].ci_mechname); ret = crypto_create_ctx_template(&mech, &key->zk_current_key, - &key->zk_current_tmpl, KM_SLEEP); + &key->zk_current_tmpl); if (ret != CRYPTO_SUCCESS) key->zk_current_tmpl = NULL; mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC); ret = crypto_create_ctx_template(&mech, &key->zk_hmac_key, - &key->zk_hmac_tmpl, KM_SLEEP); + &key->zk_hmac_tmpl); if (ret != CRYPTO_SUCCESS) key->zk_hmac_tmpl = NULL; @@ -689,7 +687,7 @@ zio_crypt_do_hmac(zio_crypt_key_t *key, uint8_t *data, uint_t datalen, /* generate the hmac */ ret = crypto_mac(&mech, &in_data, &key->zk_hmac_key, key->zk_hmac_tmpl, - &digest_data, NULL); + &digest_data); if (ret != CRYPTO_SUCCESS) { ret = SET_ERROR(EIO); goto error; @@ -1139,7 +1137,7 @@ zio_crypt_do_objset_hmacs(zio_crypt_key_t *key, void *data, uint_t datalen, cd.cd_offset = 0; /* calculate the portable MAC from the portable fields and metadnode */ - ret = crypto_mac_init(&mech, &key->zk_hmac_key, NULL, &ctx, NULL); + ret = crypto_mac_init(&mech, &key->zk_hmac_key, NULL, &ctx); if (ret != CRYPTO_SUCCESS) { ret = SET_ERROR(EIO); goto error; @@ -1226,7 +1224,7 @@ zio_crypt_do_objset_hmacs(zio_crypt_key_t *key, void *data, uint_t datalen, } /* calculate the local MAC from the userused and groupused dnodes */ - ret = crypto_mac_init(&mech, &key->zk_hmac_key, NULL, &ctx, NULL); + ret = crypto_mac_init(&mech, &key->zk_hmac_key, NULL, &ctx); if (ret != CRYPTO_SUCCESS) { ret = SET_ERROR(EIO); goto error; diff --git a/module/zfs/hkdf.c b/module/zfs/hkdf.c index 9017727689af..2c91401d5b4f 100644 --- a/module/zfs/hkdf.c +++ b/module/zfs/hkdf.c @@ -52,7 +52,7 @@ hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material, output_cd.cd_raw.iov_base = (char *)out_buf; output_cd.cd_raw.iov_len = output_cd.cd_length; - ret = crypto_mac(&mech, &input_cd, &key, NULL, &output_cd, NULL); + ret = crypto_mac(&mech, &input_cd, &key, NULL, &output_cd); if (ret != CRYPTO_SUCCESS) return (SET_ERROR(EIO)); @@ -108,7 +108,7 @@ hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len, T_cd.cd_length = T_len; T_cd.cd_raw.iov_len = T_cd.cd_length; - ret = crypto_mac_init(&mech, &key, NULL, &ctx, NULL); + ret = crypto_mac_init(&mech, &key, NULL, &ctx); if (ret != CRYPTO_SUCCESS) return (SET_ERROR(EIO)); From 03181060051af08bca9a1b44e1a9cdd135a8c1bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sat, 25 Dec 2021 04:37:22 +0100 Subject: [PATCH 33/39] module: icp: remove pre-set entries from mechtabs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit They don't do anything except clogging up the AVL tree Signed-off-by: Ahelenia Ziemiańska --- module/icp/core/kcf_mech_tabs.c | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) diff --git a/module/icp/core/kcf_mech_tabs.c b/module/icp/core/kcf_mech_tabs.c index 6121042ee063..347190aa7f8b 100644 --- a/module/icp/core/kcf_mech_tabs.c +++ b/module/icp/core/kcf_mech_tabs.c @@ -75,13 +75,8 @@ /* RFE 4687834 Will deal with the extensibility of these tables later */ -static kcf_mech_entry_t kcf_digest_mechs_tab[KCF_MAXDIGEST] = { - { SUN_CKM_SHA1 }, -}; -static kcf_mech_entry_t kcf_cipher_mechs_tab[KCF_MAXCIPHER] = { - { SUN_CKM_AES_CBC }, - { SUN_CKM_AES_ECB }, -}; +static kcf_mech_entry_t kcf_digest_mechs_tab[KCF_MAXDIGEST]; +static kcf_mech_entry_t kcf_cipher_mechs_tab[KCF_MAXCIPHER]; static kcf_mech_entry_t kcf_mac_mechs_tab[KCF_MAXMAC]; const kcf_mech_entry_tab_t kcf_mech_tabs_tab[KCF_LAST_OPSCLASS + 1] = { @@ -118,23 +113,8 @@ kcf_destroy_mech_tabs(void) void kcf_init_mech_tabs(void) { - kcf_ops_class_t class; - kcf_mech_entry_t *me_tab; - - /* Then the pre-defined mechanism entries */ avl_create(&kcf_mech_hash, kcf_mech_hash_compar, sizeof (kcf_mech_entry_t), offsetof(kcf_mech_entry_t, me_node)); - - for (class = KCF_FIRST_OPSCLASS; class <= KCF_LAST_OPSCLASS; class++) { - int max = kcf_mech_tabs_tab[class].met_size; - me_tab = kcf_mech_tabs_tab[class].met_tab; - for (int i = 0; i < max; i++) { - if (me_tab[i].me_name[0] != 0) { - me_tab[i].me_mechid = KCF_MECHID(class, i); - avl_add(&kcf_mech_hash, &me_tab[i]); - } - } - } } /* From 49811439afa84fa2e8638029cd87e341b5bfb382 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Mon, 27 Dec 2021 02:32:37 +0100 Subject: [PATCH 34/39] module: icp: remove unused crypto_provider_handle_t MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/core/kcf_sched.c | 1 - module/icp/include/sys/crypto/impl.h | 12 +++----- module/icp/include/sys/crypto/spi.h | 27 +++++------------ module/icp/io/aes.c | 44 ++++++++++++---------------- module/icp/io/sha2_mod.c | 34 +++++++++------------ module/icp/io/skein_mod.c | 26 +++++++--------- module/icp/spi/kcf_spi.c | 3 -- 7 files changed, 54 insertions(+), 93 deletions(-) diff --git a/module/icp/core/kcf_sched.c b/module/icp/core/kcf_sched.c index 4c689c20f3b7..7d2b46a5f1f8 100644 --- a/module/icp/core/kcf_sched.c +++ b/module/icp/core/kcf_sched.c @@ -58,7 +58,6 @@ kcf_new_ctx(kcf_provider_desc_t *pd) kcf_ctx->kc_sw_prov_desc = NULL; ctx = &kcf_ctx->kc_glbl_ctx; - ctx->cc_provider = pd->pd_prov_handle; ctx->cc_provider_private = NULL; ctx->cc_framework_private = (void *)kcf_ctx; diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index ba37c99e966d..2194af8644bd 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -146,7 +146,6 @@ typedef enum { * pd_irefcnt: References held by the framework internal structs * pd_lock: lock protects pd_state * pd_state: State value of the provider - * pd_prov_handle: Provider handle specified by provider * pd_ops_vector: The ops vector specified by Provider * pd_mech_indx: Lookup table which maps a core framework mechanism * number to an index in pd_mechanisms array @@ -171,7 +170,6 @@ typedef struct kcf_provider_desc { kmutex_t pd_lock; kcf_prov_state_t pd_state; kcondvar_t pd_resume_cv; - crypto_provider_handle_t pd_prov_handle; const crypto_ops_t *pd_ops_vector; ushort_t pd_mech_indx[KCF_OPS_CLASSSIZE]\ [KCF_MAXMECHTAB]; @@ -405,16 +403,14 @@ typedef struct crypto_minor { template) ( \ (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic) ? \ KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic( \ - (pd)->pd_prov_handle, session, mech, key, plaintext, ciphertext, \ - template) : \ + session, mech, key, plaintext, ciphertext, template) : \ CRYPTO_NOT_SUPPORTED) #define KCF_PROV_DECRYPT_ATOMIC(pd, session, mech, key, ciphertext, plaintext, \ template) ( \ (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic) ? \ KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic( \ - (pd)->pd_prov_handle, session, mech, key, ciphertext, plaintext, \ - template) : \ + session, mech, key, ciphertext, plaintext, template) : \ CRYPTO_NOT_SUPPORTED) /* @@ -443,7 +439,7 @@ typedef struct crypto_minor { #define KCF_PROV_MAC_ATOMIC(pd, session, mech, key, data, mac, template) ( \ (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_atomic) ? \ KCF_PROV_MAC_OPS(pd)->mac_atomic( \ - (pd)->pd_prov_handle, session, mech, key, data, mac, template) : \ + session, mech, key, data, mac, template) : \ CRYPTO_NOT_SUPPORTED) /* @@ -453,7 +449,7 @@ typedef struct crypto_minor { #define KCF_PROV_CREATE_CTX_TEMPLATE(pd, mech, key, template, size) ( \ (KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->create_ctx_template) ? \ KCF_PROV_CTX_OPS(pd)->create_ctx_template( \ - (pd)->pd_prov_handle, mech, key, template, size) : \ + mech, key, template, size) : \ CRYPTO_NOT_SUPPORTED) #define KCF_PROV_FREE_CONTEXT(pd, ctx) ( \ diff --git a/module/icp/include/sys/crypto/spi.h b/module/icp/include/sys/crypto/spi.h index 6d656fef20d4..eb0d6bdc63ab 100644 --- a/module/icp/include/sys/crypto/spi.h +++ b/module/icp/include/sys/crypto/spi.h @@ -43,14 +43,6 @@ extern "C" { #define __no_const #endif /* CONSTIFY_PLUGIN */ -/* - * Provider-private handle. This handle is specified by a provider - * when it registers by means of the pi_provider_handle field of - * the crypto_provider_info structure, and passed to the provider - * when its entry points are invoked. - */ -typedef void *crypto_provider_handle_t; - /* * Context templates can be used to by providers to pre-process * keying material, such as key schedules. They are allocated by @@ -70,7 +62,6 @@ typedef void *crypto_spi_ctx_template_t; * as separate arguments to Provider routines. */ typedef struct crypto_ctx { - crypto_provider_handle_t cc_provider; void *cc_provider_private; /* owned by provider */ void *cc_framework_private; /* owned by framework */ } crypto_ctx_t; @@ -87,7 +78,7 @@ typedef struct crypto_digest_ops { int (*digest_update)(crypto_ctx_t *, crypto_data_t *); int (*digest_key)(crypto_ctx_t *, crypto_key_t *); int (*digest_final)(crypto_ctx_t *, crypto_data_t *); - int (*digest_atomic)(crypto_provider_handle_t, crypto_session_id_t, + int (*digest_atomic)(crypto_session_id_t, crypto_mechanism_t *, crypto_data_t *, crypto_data_t *); } __no_const crypto_digest_ops_t; @@ -108,7 +99,7 @@ typedef struct crypto_cipher_ops { crypto_data_t *, crypto_data_t *); int (*encrypt_final)(crypto_ctx_t *, crypto_data_t *); - int (*encrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t, + int (*encrypt_atomic)(crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); @@ -121,7 +112,7 @@ typedef struct crypto_cipher_ops { crypto_data_t *, crypto_data_t *); int (*decrypt_final)(crypto_ctx_t *, crypto_data_t *); - int (*decrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t, + int (*decrypt_atomic)(crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); } __no_const crypto_cipher_ops_t; @@ -142,10 +133,10 @@ typedef struct crypto_mac_ops { crypto_data_t *); int (*mac_final)(crypto_ctx_t *, crypto_data_t *); - int (*mac_atomic)(crypto_provider_handle_t, crypto_session_id_t, + int (*mac_atomic)(crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); - int (*mac_verify_atomic)(crypto_provider_handle_t, crypto_session_id_t, + int (*mac_verify_atomic)(crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); } __no_const crypto_mac_ops_t; @@ -157,8 +148,7 @@ typedef struct crypto_mac_ops { * with the kernel using crypto_register_provider(9F). */ typedef struct crypto_ctx_ops { - int (*create_ctx_template)(crypto_provider_handle_t, - crypto_mechanism_t *, crypto_key_t *, + int (*create_ctx_template)(crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *, size_t *); int (*free_context)(crypto_ctx_t *); } __no_const crypto_ctx_ops_t; @@ -230,13 +220,10 @@ typedef uint_t crypto_kcf_provider_handle_t; /* * Provider information. Passed as argument to crypto_register_provider(9F). - * Describes the provider and its capabilities. Multiple providers can - * register for the same device instance. In this case, the same - * pi_provider_dev must be specified with a different pi_provider_handle. + * Describes the provider and its capabilities. */ typedef struct crypto_provider_info { const char *pi_provider_description; - crypto_provider_handle_t pi_provider_handle; const crypto_ops_t *pi_ops_vector; uint_t pi_mech_list_count; const crypto_mech_info_t *pi_mechanisms; diff --git a/module/icp/io/aes.c b/module/icp/io/aes.c index d91c897c00d0..944f0dd05282 100644 --- a/module/icp/io/aes.c +++ b/module/icp/io/aes.c @@ -87,14 +87,14 @@ static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *); static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); -static int aes_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, +static int aes_encrypt_atomic(crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); -static int aes_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, +static int aes_decrypt_atomic(crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); @@ -111,10 +111,10 @@ static const crypto_cipher_ops_t aes_cipher_ops = { .decrypt_atomic = aes_decrypt_atomic }; -static int aes_mac_atomic(crypto_provider_handle_t, crypto_session_id_t, +static int aes_mac_atomic(crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); -static int aes_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, +static int aes_mac_verify_atomic(crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); @@ -127,9 +127,8 @@ static const crypto_mac_ops_t aes_mac_ops = { .mac_verify_atomic = aes_mac_verify_atomic }; -static int aes_create_ctx_template(crypto_provider_handle_t, - crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *, - size_t *); +static int aes_create_ctx_template(crypto_mechanism_t *, crypto_key_t *, + crypto_spi_ctx_template_t *, size_t *); static int aes_free_context(crypto_ctx_t *); static const crypto_ctx_ops_t aes_ctx_ops = { @@ -146,7 +145,6 @@ static const crypto_ops_t aes_crypto_ops = { static const crypto_provider_info_t aes_prov_info = { "AES Software Provider", - NULL, &aes_crypto_ops, sizeof (aes_mech_info_tab) / sizeof (crypto_mech_info_t), aes_mech_info_tab @@ -840,12 +838,12 @@ aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data) } static int -aes_encrypt_atomic(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_mechanism_t *mechanism, +aes_encrypt_atomic(crypto_session_id_t session_id, + crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, crypto_spi_ctx_template_t template) { - (void) provider, (void) session_id; + (void) session_id; aes_ctx_t aes_ctx; /* on the stack */ off_t saved_offset; size_t saved_length; @@ -976,12 +974,12 @@ aes_encrypt_atomic(crypto_provider_handle_t provider, } static int -aes_decrypt_atomic(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_mechanism_t *mechanism, +aes_decrypt_atomic(crypto_session_id_t session_id, + crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, crypto_spi_ctx_template_t template) { - (void) provider, (void) session_id; + (void) session_id; aes_ctx_t aes_ctx; /* on the stack */ off_t saved_offset; size_t saved_length; @@ -1142,11 +1140,9 @@ aes_decrypt_atomic(crypto_provider_handle_t provider, * KCF software provider context template entry points. */ static int -aes_create_ctx_template(crypto_provider_handle_t provider, - crypto_mechanism_t *mechanism, crypto_key_t *key, +aes_create_ctx_template(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size) { - (void) provider; void *keysched; size_t size; int rv; @@ -1318,8 +1314,7 @@ process_gmac_mech(crypto_mechanism_t *mech, crypto_data_t *data, } static int -aes_mac_atomic(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_mechanism_t *mechanism, +aes_mac_atomic(crypto_session_id_t session_id, crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t template) { @@ -1335,15 +1330,14 @@ aes_mac_atomic(crypto_provider_handle_t provider, gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS); gcm_mech.cm_param = (char *)&gcm_params; - return (aes_encrypt_atomic(provider, session_id, &gcm_mech, + return (aes_encrypt_atomic(session_id, &gcm_mech, key, &null_crypto_data, mac, template)); } static int -aes_mac_verify_atomic(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_mechanism_t *mechanism, - crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, - crypto_spi_ctx_template_t template) +aes_mac_verify_atomic(crypto_session_id_t session_id, + crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, + crypto_data_t *mac, crypto_spi_ctx_template_t template) { CK_AES_GCM_PARAMS gcm_params; crypto_mechanism_t gcm_mech; @@ -1357,6 +1351,6 @@ aes_mac_verify_atomic(crypto_provider_handle_t provider, gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS); gcm_mech.cm_param = (char *)&gcm_params; - return (aes_decrypt_atomic(provider, session_id, &gcm_mech, + return (aes_decrypt_atomic(session_id, &gcm_mech, key, mac, &null_crypto_data, template)); } diff --git a/module/icp/io/sha2_mod.c b/module/icp/io/sha2_mod.c index db6cc539c6e6..2cb8e929f8fc 100644 --- a/module/icp/io/sha2_mod.c +++ b/module/icp/io/sha2_mod.c @@ -109,7 +109,7 @@ static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *); static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *); static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *); -static int sha2_digest_atomic(crypto_provider_handle_t, crypto_session_id_t, +static int sha2_digest_atomic(crypto_session_id_t, crypto_mechanism_t *, crypto_data_t *, crypto_data_t *); static const crypto_digest_ops_t sha2_digest_ops = { @@ -124,10 +124,10 @@ static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t); static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *); static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *); -static int sha2_mac_atomic(crypto_provider_handle_t, crypto_session_id_t, +static int sha2_mac_atomic(crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); -static int sha2_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, +static int sha2_mac_verify_atomic(crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); @@ -140,9 +140,8 @@ static const crypto_mac_ops_t sha2_mac_ops = { .mac_verify_atomic = sha2_mac_verify_atomic }; -static int sha2_create_ctx_template(crypto_provider_handle_t, - crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *, - size_t *); +static int sha2_create_ctx_template(crypto_mechanism_t *, crypto_key_t *, + crypto_spi_ctx_template_t *, size_t *); static int sha2_free_context(crypto_ctx_t *); static const crypto_ctx_ops_t sha2_ctx_ops = { @@ -159,7 +158,6 @@ static const crypto_ops_t sha2_crypto_ops = { static const crypto_provider_info_t sha2_prov_info = { "SHA2 Software Provider", - NULL, &sha2_crypto_ops, sizeof (sha2_mech_info_tab) / sizeof (crypto_mech_info_t), sha2_mech_info_tab @@ -554,11 +552,10 @@ sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest) } static int -sha2_digest_atomic(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_mechanism_t *mechanism, - crypto_data_t *data, crypto_data_t *digest) +sha2_digest_atomic(crypto_session_id_t session_id, + crypto_mechanism_t *mechanism, crypto_data_t *data, crypto_data_t *digest) { - (void) provider, (void) session_id; + (void) session_id; int ret = CRYPTO_SUCCESS; SHA2_CTX sha2_ctx; uint32_t sha_digest_len; @@ -916,12 +913,11 @@ sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac) } static int -sha2_mac_atomic(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_mechanism_t *mechanism, +sha2_mac_atomic(crypto_session_id_t session_id, crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t ctx_template) { - (void) provider, (void) session_id; + (void) session_id; int ret = CRYPTO_SUCCESS; uchar_t digest[SHA512_DIGEST_LENGTH]; sha2_hmac_ctx_t sha2_hmac_ctx; @@ -1050,12 +1046,12 @@ sha2_mac_atomic(crypto_provider_handle_t provider, } static int -sha2_mac_verify_atomic(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_mechanism_t *mechanism, +sha2_mac_verify_atomic(crypto_session_id_t session_id, + crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t ctx_template) { - (void) provider, (void) session_id; + (void) session_id; int ret = CRYPTO_SUCCESS; uchar_t digest[SHA512_DIGEST_LENGTH]; sha2_hmac_ctx_t sha2_hmac_ctx; @@ -1226,11 +1222,9 @@ sha2_mac_verify_atomic(crypto_provider_handle_t provider, */ static int -sha2_create_ctx_template(crypto_provider_handle_t provider, - crypto_mechanism_t *mechanism, crypto_key_t *key, +sha2_create_ctx_template(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size) { - (void) provider; sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl; uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length); uint32_t sha_digest_len, sha_hmac_block_size; diff --git a/module/icp/io/skein_mod.c b/module/icp/io/skein_mod.c index 43d9c9db118f..f791b400081a 100644 --- a/module/icp/io/skein_mod.c +++ b/module/icp/io/skein_mod.c @@ -55,7 +55,7 @@ static int skein_digest_init(crypto_ctx_t *, crypto_mechanism_t *); static int skein_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); static int skein_update(crypto_ctx_t *, crypto_data_t *); static int skein_final(crypto_ctx_t *, crypto_data_t *); -static int skein_digest_atomic(crypto_provider_handle_t, crypto_session_id_t, +static int skein_digest_atomic(crypto_session_id_t, crypto_mechanism_t *, crypto_data_t *, crypto_data_t *); static const crypto_digest_ops_t skein_digest_ops = { @@ -68,7 +68,7 @@ static const crypto_digest_ops_t skein_digest_ops = { static int skein_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t); -static int skein_mac_atomic(crypto_provider_handle_t, crypto_session_id_t, +static int skein_mac_atomic(crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); @@ -81,9 +81,8 @@ static const crypto_mac_ops_t skein_mac_ops = { .mac_verify_atomic = NULL }; -static int skein_create_ctx_template(crypto_provider_handle_t, - crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *, - size_t *); +static int skein_create_ctx_template(crypto_mechanism_t *, crypto_key_t *, + crypto_spi_ctx_template_t *, size_t *); static int skein_free_context(crypto_ctx_t *); static const crypto_ctx_ops_t skein_ctx_ops = { @@ -100,7 +99,6 @@ static const crypto_ops_t skein_crypto_ops = { static const crypto_provider_info_t skein_prov_info = { "Skein Software Provider", - NULL, &skein_crypto_ops, sizeof (skein_mech_info_tab) / sizeof (crypto_mech_info_t), skein_mech_info_tab @@ -475,11 +473,10 @@ skein_final(crypto_ctx_t *ctx, crypto_data_t *digest) * Supported input/output formats are raw, uio and mblk. */ static int -skein_digest_atomic(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_mechanism_t *mechanism, - crypto_data_t *data, crypto_data_t *digest) +skein_digest_atomic(crypto_session_id_t session_id, + crypto_mechanism_t *mechanism, crypto_data_t *data, crypto_data_t *digest) { - (void) provider, (void) session_id; + (void) session_id; int error; skein_ctx_t skein_ctx; crypto_ctx_t ctx; @@ -579,13 +576,12 @@ skein_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, * function as to those of the partial operations above. */ static int -skein_mac_atomic(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_mechanism_t *mechanism, +skein_mac_atomic(crypto_session_id_t session_id, crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t ctx_template) { /* faux crypto context just for skein_digest_{update,final} */ - (void) provider, (void) session_id; + (void) session_id; int error; crypto_ctx_t ctx; skein_ctx_t skein_ctx; @@ -620,11 +616,9 @@ skein_mac_atomic(crypto_provider_handle_t provider, * skein_mac_init. */ static int -skein_create_ctx_template(crypto_provider_handle_t provider, - crypto_mechanism_t *mechanism, crypto_key_t *key, +skein_create_ctx_template(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size) { - (void) provider; int error; skein_ctx_t *ctx_tmpl; diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c index bfcb353e5398..ae36df399d10 100644 --- a/module/icp/spi/kcf_spi.c +++ b/module/icp/spi/kcf_spi.c @@ -69,9 +69,6 @@ crypto_register_provider(const crypto_provider_info_t *info, prov_desc = kcf_alloc_provider_desc(); KCF_PROV_REFHOLD(prov_desc); - /* provider-private handle, opaque to KCF */ - prov_desc->pd_prov_handle = info->pi_provider_handle; - /* copy provider description string */ prov_desc->pd_description = info->pi_provider_description; From 8cc04e78c8ff36a90ca678c7153d9cec4e1312b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Mon, 27 Dec 2021 02:39:55 +0100 Subject: [PATCH 35/39] module: icp: remove unused (and mostly faked) cm_{{min,max}_key_length,mech_flags} MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/os/freebsd/zfs/sys/sha2.h | 3 --- include/os/linux/zfs/sys/sha2.h | 3 --- include/sys/crypto/common.h | 7 ------ lib/libspl/include/sys/sha2.h | 3 --- module/icp/include/aes/aes_impl.h | 7 ------ module/icp/include/sys/crypto/spi.h | 4 ---- module/icp/io/aes.c | 18 ++++++---------- module/icp/io/sha2_mod.c | 33 ++++++++--------------------- module/icp/io/skein_mod.c | 18 ++++++---------- module/icp/spi/kcf_spi.c | 8 ------- 10 files changed, 21 insertions(+), 83 deletions(-) diff --git a/include/os/freebsd/zfs/sys/sha2.h b/include/os/freebsd/zfs/sys/sha2.h index e3923e4ca37c..c3bc33d2f6bb 100644 --- a/include/os/freebsd/zfs/sys/sha2.h +++ b/include/os/freebsd/zfs/sys/sha2.h @@ -33,9 +33,6 @@ extern "C" { #endif -#define SHA2_HMAC_MIN_KEY_LEN 1 /* SHA2-HMAC min key length in bytes */ -#define SHA2_HMAC_MAX_KEY_LEN INT_MAX /* SHA2-HMAC max key length in bytes */ - #define SHA256_DIGEST_LENGTH 32 /* SHA256 digest length in bytes */ #define SHA384_DIGEST_LENGTH 48 /* SHA384 digest length in bytes */ #define SHA512_DIGEST_LENGTH 64 /* SHA512 digest length in bytes */ diff --git a/include/os/linux/zfs/sys/sha2.h b/include/os/linux/zfs/sys/sha2.h index 4dd966b6cab3..48ea0dc5d9d2 100644 --- a/include/os/linux/zfs/sys/sha2.h +++ b/include/os/linux/zfs/sys/sha2.h @@ -33,9 +33,6 @@ extern "C" { #endif -#define SHA2_HMAC_MIN_KEY_LEN 1 /* SHA2-HMAC min key length in bytes */ -#define SHA2_HMAC_MAX_KEY_LEN INT_MAX /* SHA2-HMAC max key length in bytes */ - #define SHA256_DIGEST_LENGTH 32 /* SHA256 digest length in bytes */ #define SHA384_DIGEST_LENGTH 48 /* SHA384 digest length in bytes */ #define SHA512_DIGEST_LENGTH 64 /* SHA512 digest length in bytes */ diff --git a/include/sys/crypto/common.h b/include/sys/crypto/common.h index e8d7f0e54a8e..238bfb593e84 100644 --- a/include/sys/crypto/common.h +++ b/include/sys/crypto/common.h @@ -90,13 +90,6 @@ typedef struct CK_AES_GMAC_PARAMS { */ typedef uint32_t crypto_keysize_unit_t; -/* - * The following bit flags are valid in cm_mech_flags field in - * the crypto_mech_info_t structure of the SPI. - */ -#define CRYPTO_KEYSIZE_UNIT_IN_BITS 0x00000001 -#define CRYPTO_KEYSIZE_UNIT_IN_BYTES 0x00000002 - /* Mechanisms supported out-of-the-box */ #define SUN_CKM_SHA256 "CKM_SHA256" diff --git a/lib/libspl/include/sys/sha2.h b/lib/libspl/include/sys/sha2.h index e2f66d225e25..8bdc23a5f61e 100644 --- a/lib/libspl/include/sys/sha2.h +++ b/lib/libspl/include/sys/sha2.h @@ -33,9 +33,6 @@ extern "C" { #endif -#define SHA2_HMAC_MIN_KEY_LEN 1 /* SHA2-HMAC min key length in bytes */ -#define SHA2_HMAC_MAX_KEY_LEN INT_MAX /* SHA2-HMAC max key length in bytes */ - #define SHA256_DIGEST_LENGTH 32 /* SHA256 digest length in bytes */ #define SHA384_DIGEST_LENGTH 48 /* SHA384 digest length in bytes */ #define SHA512_DIGEST_LENGTH 64 /* SHA512 digest length in bytes */ diff --git a/module/icp/include/aes/aes_impl.h b/module/icp/include/aes/aes_impl.h index 41dccaa3848a..b2348022e1db 100644 --- a/module/icp/include/aes/aes_impl.h +++ b/module/icp/include/aes/aes_impl.h @@ -83,14 +83,7 @@ extern "C" { /* AES key size definitions */ #define AES_MINBITS 128 -#define AES_MINBYTES ((AES_MINBITS) >> 3) #define AES_MAXBITS 256 -#define AES_MAXBYTES ((AES_MAXBITS) >> 3) - -#define AES_MIN_KEY_BYTES ((AES_MINBITS) >> 3) -#define AES_MAX_KEY_BYTES ((AES_MAXBITS) >> 3) -#define AES_192_KEY_BYTES 24 -#define AES_IV_LEN 16 /* AES key schedule may be implemented with 32- or 64-bit elements: */ #define AES_32BIT_KS 32 diff --git a/module/icp/include/sys/crypto/spi.h b/module/icp/include/sys/crypto/spi.h index eb0d6bdc63ab..156fdabe4c35 100644 --- a/module/icp/include/sys/crypto/spi.h +++ b/module/icp/include/sys/crypto/spi.h @@ -203,11 +203,7 @@ typedef struct crypto_mech_info { crypto_mech_name_t cm_mech_name; crypto_mech_type_t cm_mech_number; crypto_func_group_t cm_func_group_mask; - ssize_t cm_min_key_length; - ssize_t cm_max_key_length; - uint32_t cm_mech_flags; } crypto_mech_info_t; -#define cm_max_input_length cm_max_key_length /* * crypto_kcf_provider_handle_t is a handle allocated by the kernel. diff --git a/module/icp/io/aes.c b/module/icp/io/aes.c index 944f0dd05282..9483e3f2f704 100644 --- a/module/icp/io/aes.c +++ b/module/icp/io/aes.c @@ -43,34 +43,28 @@ static const crypto_mech_info_t aes_mech_info_tab[] = { /* AES_ECB */ {SUN_CKM_AES_ECB, AES_ECB_MECH_INFO_TYPE, CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | - CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC, - AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}, + CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC}, /* AES_CBC */ {SUN_CKM_AES_CBC, AES_CBC_MECH_INFO_TYPE, CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | - CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC, - AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}, + CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC}, /* AES_CTR */ {SUN_CKM_AES_CTR, AES_CTR_MECH_INFO_TYPE, CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | - CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC, - AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}, + CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC}, /* AES_CCM */ {SUN_CKM_AES_CCM, AES_CCM_MECH_INFO_TYPE, CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | - CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC, - AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}, + CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC}, /* AES_GCM */ {SUN_CKM_AES_GCM, AES_GCM_MECH_INFO_TYPE, CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | - CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC, - AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}, + CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC}, /* AES_GMAC */ {SUN_CKM_AES_GMAC, AES_GMAC_MECH_INFO_TYPE, CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | - CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, - AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES} + CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC}, }; static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *, diff --git a/module/icp/io/sha2_mod.c b/module/icp/io/sha2_mod.c index 2cb8e929f8fc..cac9771dd5af 100644 --- a/module/icp/io/sha2_mod.c +++ b/module/icp/io/sha2_mod.c @@ -63,46 +63,31 @@ static const crypto_mech_info_t sha2_mech_info_tab[] = { /* SHA256 */ {SUN_CKM_SHA256, SHA256_MECH_INFO_TYPE, - CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC, - 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}, + CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC}, /* SHA256-HMAC */ {SUN_CKM_SHA256_HMAC, SHA256_HMAC_MECH_INFO_TYPE, - CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, - SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, - CRYPTO_KEYSIZE_UNIT_IN_BYTES}, + CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC}, /* SHA256-HMAC GENERAL */ {SUN_CKM_SHA256_HMAC_GENERAL, SHA256_HMAC_GEN_MECH_INFO_TYPE, - CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, - SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, - CRYPTO_KEYSIZE_UNIT_IN_BYTES}, + CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC}, /* SHA384 */ {SUN_CKM_SHA384, SHA384_MECH_INFO_TYPE, - CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC, - 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}, + CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC}, /* SHA384-HMAC */ {SUN_CKM_SHA384_HMAC, SHA384_HMAC_MECH_INFO_TYPE, - CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, - SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, - CRYPTO_KEYSIZE_UNIT_IN_BYTES}, + CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC}, /* SHA384-HMAC GENERAL */ {SUN_CKM_SHA384_HMAC_GENERAL, SHA384_HMAC_GEN_MECH_INFO_TYPE, - CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, - SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, - CRYPTO_KEYSIZE_UNIT_IN_BYTES}, + CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC}, /* SHA512 */ {SUN_CKM_SHA512, SHA512_MECH_INFO_TYPE, - CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC, - 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}, + CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC}, /* SHA512-HMAC */ {SUN_CKM_SHA512_HMAC, SHA512_HMAC_MECH_INFO_TYPE, - CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, - SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, - CRYPTO_KEYSIZE_UNIT_IN_BYTES}, + CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC}, /* SHA512-HMAC GENERAL */ {SUN_CKM_SHA512_HMAC_GENERAL, SHA512_HMAC_GEN_MECH_INFO_TYPE, - CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, - SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, - CRYPTO_KEYSIZE_UNIT_IN_BYTES} + CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC}, }; static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *); diff --git a/module/icp/io/skein_mod.c b/module/icp/io/skein_mod.c index f791b400081a..97cfd52b9e96 100644 --- a/module/icp/io/skein_mod.c +++ b/module/icp/io/skein_mod.c @@ -32,23 +32,17 @@ static const crypto_mech_info_t skein_mech_info_tab[] = { {CKM_SKEIN_256, SKEIN_256_MECH_INFO_TYPE, - CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC, - 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}, + CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC}, {CKM_SKEIN_256_MAC, SKEIN_256_MAC_MECH_INFO_TYPE, - CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 1, INT_MAX, - CRYPTO_KEYSIZE_UNIT_IN_BYTES}, + CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC}, {CKM_SKEIN_512, SKEIN_512_MECH_INFO_TYPE, - CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC, - 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}, + CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC}, {CKM_SKEIN_512_MAC, SKEIN_512_MAC_MECH_INFO_TYPE, - CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 1, INT_MAX, - CRYPTO_KEYSIZE_UNIT_IN_BYTES}, + CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC}, {CKM_SKEIN1024, SKEIN1024_MECH_INFO_TYPE, - CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC, - 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}, + CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC}, {CKM_SKEIN1024_MAC, SKEIN1024_MAC_MECH_INFO_TYPE, - CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 1, INT_MAX, - CRYPTO_KEYSIZE_UNIT_IN_BYTES} + CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC}, }; static int skein_digest_init(crypto_ctx_t *, crypto_mechanism_t *); diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c index ae36df399d10..62df15801f9f 100644 --- a/module/icp/spi/kcf_spi.c +++ b/module/icp/spi/kcf_spi.c @@ -252,14 +252,6 @@ init_prov_mechs(const crypto_provider_info_t *info, kcf_provider_desc_t *desc) * to the corresponding KCF mechanism mech_entry chain. */ for (mech_idx = 0; mech_idx < desc->pd_mech_list_count; mech_idx++) { - const crypto_mech_info_t *mi = &desc->pd_mechanisms[mech_idx]; - - if ((mi->cm_mech_flags & CRYPTO_KEYSIZE_UNIT_IN_BITS) && - (mi->cm_mech_flags & CRYPTO_KEYSIZE_UNIT_IN_BYTES)) { - err = CRYPTO_ARGUMENTS_BAD; - break; - } - if ((err = kcf_add_mech_provider(mech_idx, desc, &pmd)) != KCF_SUCCESS) break; From 3123ddd9100cc1c70446801e14b0d5f2edfc2326 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Mon, 27 Dec 2021 02:53:32 +0100 Subject: [PATCH 36/39] module: icp: remove vestigia of crypto sessions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- include/sys/crypto/common.h | 2 - module/icp/api/kcf_cipher.c | 4 +- module/icp/api/kcf_mac.c | 2 +- module/icp/include/sys/crypto/impl.h | 63 +++------------------------- module/icp/include/sys/crypto/spi.h | 23 ++++------ module/icp/io/aes.c | 39 +++++++---------- module/icp/io/sha2_mod.c | 26 +++++------- module/icp/io/skein_mod.c | 17 ++++---- 8 files changed, 50 insertions(+), 126 deletions(-) diff --git a/include/sys/crypto/common.h b/include/sys/crypto/common.h index 238bfb593e84..45a95d7eed71 100644 --- a/include/sys/crypto/common.h +++ b/include/sys/crypto/common.h @@ -154,8 +154,6 @@ typedef uint32_t crypto_provider_id_t; /* session data structure opaque to the consumer */ typedef void *crypto_session_t; -typedef uint_t crypto_session_id_t; - #define PROVIDER_OWNS_KEY_SCHEDULE 0x00000001 /* diff --git a/module/icp/api/kcf_cipher.c b/module/icp/api/kcf_cipher.c index e192a6e19f4e..34023f9843c2 100644 --- a/module/icp/api/kcf_cipher.c +++ b/module/icp/api/kcf_cipher.c @@ -89,7 +89,7 @@ crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, crypto_mechanism_t lmech = *mech; KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); - error = KCF_PROV_ENCRYPT_ATOMIC(pd, pd->pd_sid, &lmech, key, + error = KCF_PROV_ENCRYPT_ATOMIC(pd, &lmech, key, plaintext, ciphertext, spi_ctx_tmpl); KCF_PROV_INCRSTATS(pd, error); @@ -162,7 +162,7 @@ crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, crypto_mechanism_t lmech = *mech; KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); - error = KCF_PROV_DECRYPT_ATOMIC(pd, pd->pd_sid, &lmech, key, + error = KCF_PROV_DECRYPT_ATOMIC(pd, &lmech, key, ciphertext, plaintext, spi_ctx_tmpl); KCF_PROV_INCRSTATS(pd, error); diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index 6766c61cfafc..36db2cbb57b8 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -105,7 +105,7 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, crypto_mechanism_t lmech = *mech; KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); - error = KCF_PROV_MAC_ATOMIC(pd, pd->pd_sid, &lmech, key, data, + error = KCF_PROV_MAC_ATOMIC(pd, &lmech, key, data, mac, spi_ctx_tmpl); KCF_PROV_INCRSTATS(pd, error); diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index 2194af8644bd..c15e263c4a40 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -140,8 +140,6 @@ typedef enum { * provider. It is allocated and initialized at registration time and * freed when the provider unregisters. * - * pd_sid: Session ID of the provider used by kernel clients. - * This is valid only for session-oriented providers. * pd_refcnt: Reference counter to this provider descriptor * pd_irefcnt: References held by the framework internal structs * pd_lock: lock protects pd_state @@ -164,7 +162,6 @@ typedef enum { * pd_ks_data: kstat data */ typedef struct kcf_provider_desc { - crypto_session_id_t pd_sid; uint_t pd_refcnt; uint_t pd_irefcnt; kmutex_t pd_lock; @@ -312,54 +309,6 @@ extern const kcf_mech_entry_tab_t kcf_mech_tabs_tab[]; #define KCF_TO_PROV_MECHNUM(pd, mech_type) \ (KCF_TO_PROV_MECHINFO(pd, mech_type).cm_mech_number) -/* ps_refcnt is protected by cm_lock in the crypto_minor structure */ -typedef struct crypto_provider_session { - struct crypto_provider_session *ps_next; - crypto_session_id_t ps_session; - kcf_provider_desc_t *ps_provider; - kcf_provider_desc_t *ps_real_provider; - uint_t ps_refcnt; -} crypto_provider_session_t; - -typedef struct crypto_session_data { - kmutex_t sd_lock; - kcondvar_t sd_cv; - uint32_t sd_flags; - int sd_pre_approved_amount; - crypto_ctx_t *sd_digest_ctx; - crypto_ctx_t *sd_encr_ctx; - crypto_ctx_t *sd_decr_ctx; - crypto_ctx_t *sd_sign_ctx; - crypto_ctx_t *sd_verify_ctx; - crypto_ctx_t *sd_sign_recover_ctx; - crypto_ctx_t *sd_verify_recover_ctx; - kcf_provider_desc_t *sd_provider; - void *sd_find_init_cookie; - crypto_provider_session_t *sd_provider_session; -} crypto_session_data_t; - -#define CRYPTO_SESSION_IN_USE 0x00000001 -#define CRYPTO_SESSION_IS_BUSY 0x00000002 -#define CRYPTO_SESSION_IS_CLOSED 0x00000004 - -#define KCF_MAX_PIN_LEN 1024 - -/* - * Per-minor info. - * - * cm_lock protects everything in this structure except for cm_refcnt. - */ -typedef struct crypto_minor { - uint_t cm_refcnt; - kmutex_t cm_lock; - kcondvar_t cm_cv; - crypto_session_data_t **cm_session_table; - uint_t cm_session_table_count; - kcf_provider_desc_t **cm_provider_array; - uint_t cm_provider_count; - crypto_provider_session_t *cm_provider_session; -} crypto_minor_t; - /* * Return codes for internal functions */ @@ -399,18 +348,18 @@ typedef struct crypto_minor { KCF_PROV_CIPHER_OPS(pd)->encrypt_init(ctx, mech, key, template) : \ CRYPTO_NOT_SUPPORTED) -#define KCF_PROV_ENCRYPT_ATOMIC(pd, session, mech, key, plaintext, ciphertext, \ +#define KCF_PROV_ENCRYPT_ATOMIC(pd, mech, key, plaintext, ciphertext, \ template) ( \ (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic) ? \ KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic( \ - session, mech, key, plaintext, ciphertext, template) : \ + mech, key, plaintext, ciphertext, template) : \ CRYPTO_NOT_SUPPORTED) -#define KCF_PROV_DECRYPT_ATOMIC(pd, session, mech, key, ciphertext, plaintext, \ +#define KCF_PROV_DECRYPT_ATOMIC(pd, mech, key, ciphertext, plaintext, \ template) ( \ (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic) ? \ KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic( \ - session, mech, key, ciphertext, plaintext, template) : \ + mech, key, ciphertext, plaintext, template) : \ CRYPTO_NOT_SUPPORTED) /* @@ -436,10 +385,10 @@ typedef struct crypto_minor { KCF_PROV_MAC_OPS(pd)->mac_final(ctx, mac) : \ CRYPTO_NOT_SUPPORTED) -#define KCF_PROV_MAC_ATOMIC(pd, session, mech, key, data, mac, template) ( \ +#define KCF_PROV_MAC_ATOMIC(pd, mech, key, data, mac, template) ( \ (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_atomic) ? \ KCF_PROV_MAC_OPS(pd)->mac_atomic( \ - session, mech, key, data, mac, template) : \ + mech, key, data, mac, template) : \ CRYPTO_NOT_SUPPORTED) /* diff --git a/module/icp/include/sys/crypto/spi.h b/module/icp/include/sys/crypto/spi.h index 156fdabe4c35..ef525265747e 100644 --- a/module/icp/include/sys/crypto/spi.h +++ b/module/icp/include/sys/crypto/spi.h @@ -78,8 +78,7 @@ typedef struct crypto_digest_ops { int (*digest_update)(crypto_ctx_t *, crypto_data_t *); int (*digest_key)(crypto_ctx_t *, crypto_key_t *); int (*digest_final)(crypto_ctx_t *, crypto_data_t *); - int (*digest_atomic)(crypto_session_id_t, - crypto_mechanism_t *, crypto_data_t *, + int (*digest_atomic)(crypto_mechanism_t *, crypto_data_t *, crypto_data_t *); } __no_const crypto_digest_ops_t; @@ -99,9 +98,8 @@ typedef struct crypto_cipher_ops { crypto_data_t *, crypto_data_t *); int (*encrypt_final)(crypto_ctx_t *, crypto_data_t *); - int (*encrypt_atomic)(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t); + int (*encrypt_atomic)(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); int (*decrypt_init)(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, @@ -112,9 +110,8 @@ typedef struct crypto_cipher_ops { crypto_data_t *, crypto_data_t *); int (*decrypt_final)(crypto_ctx_t *, crypto_data_t *); - int (*decrypt_atomic)(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t); + int (*decrypt_atomic)(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); } __no_const crypto_cipher_ops_t; /* @@ -133,12 +130,10 @@ typedef struct crypto_mac_ops { crypto_data_t *); int (*mac_final)(crypto_ctx_t *, crypto_data_t *); - int (*mac_atomic)(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t); - int (*mac_verify_atomic)(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t); + int (*mac_atomic)(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); + int (*mac_verify_atomic)(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); } __no_const crypto_mac_ops_t; /* diff --git a/module/icp/io/aes.c b/module/icp/io/aes.c index 9483e3f2f704..662f61187677 100644 --- a/module/icp/io/aes.c +++ b/module/icp/io/aes.c @@ -81,16 +81,14 @@ static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *); static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); -static int aes_encrypt_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t); +static int aes_encrypt_atomic(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); -static int aes_decrypt_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t); +static int aes_decrypt_atomic(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); static const crypto_cipher_ops_t aes_cipher_ops = { .encrypt_init = aes_encrypt_init, @@ -105,12 +103,10 @@ static const crypto_cipher_ops_t aes_cipher_ops = { .decrypt_atomic = aes_decrypt_atomic }; -static int aes_mac_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t); -static int aes_mac_verify_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t); +static int aes_mac_atomic(crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, + crypto_data_t *, crypto_spi_ctx_template_t); +static int aes_mac_verify_atomic(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); static const crypto_mac_ops_t aes_mac_ops = { .mac_init = NULL, @@ -832,12 +828,10 @@ aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data) } static int -aes_encrypt_atomic(crypto_session_id_t session_id, - crypto_mechanism_t *mechanism, +aes_encrypt_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, crypto_spi_ctx_template_t template) { - (void) session_id; aes_ctx_t aes_ctx; /* on the stack */ off_t saved_offset; size_t saved_length; @@ -968,12 +962,10 @@ aes_encrypt_atomic(crypto_session_id_t session_id, } static int -aes_decrypt_atomic(crypto_session_id_t session_id, - crypto_mechanism_t *mechanism, +aes_decrypt_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, crypto_spi_ctx_template_t template) { - (void) session_id; aes_ctx_t aes_ctx; /* on the stack */ off_t saved_offset; size_t saved_length; @@ -1308,7 +1300,7 @@ process_gmac_mech(crypto_mechanism_t *mech, crypto_data_t *data, } static int -aes_mac_atomic(crypto_session_id_t session_id, crypto_mechanism_t *mechanism, +aes_mac_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t template) { @@ -1324,14 +1316,13 @@ aes_mac_atomic(crypto_session_id_t session_id, crypto_mechanism_t *mechanism, gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS); gcm_mech.cm_param = (char *)&gcm_params; - return (aes_encrypt_atomic(session_id, &gcm_mech, + return (aes_encrypt_atomic(&gcm_mech, key, &null_crypto_data, mac, template)); } static int -aes_mac_verify_atomic(crypto_session_id_t session_id, - crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, - crypto_data_t *mac, crypto_spi_ctx_template_t template) +aes_mac_verify_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, + crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t template) { CK_AES_GCM_PARAMS gcm_params; crypto_mechanism_t gcm_mech; @@ -1345,6 +1336,6 @@ aes_mac_verify_atomic(crypto_session_id_t session_id, gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS); gcm_mech.cm_param = (char *)&gcm_params; - return (aes_decrypt_atomic(session_id, &gcm_mech, + return (aes_decrypt_atomic(&gcm_mech, key, mac, &null_crypto_data, template)); } diff --git a/module/icp/io/sha2_mod.c b/module/icp/io/sha2_mod.c index cac9771dd5af..c586c3272647 100644 --- a/module/icp/io/sha2_mod.c +++ b/module/icp/io/sha2_mod.c @@ -94,8 +94,8 @@ static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *); static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *); static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *); -static int sha2_digest_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_data_t *, crypto_data_t *); +static int sha2_digest_atomic(crypto_mechanism_t *, crypto_data_t *, + crypto_data_t *); static const crypto_digest_ops_t sha2_digest_ops = { .digest_init = sha2_digest_init, @@ -109,12 +109,10 @@ static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t); static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *); static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *); -static int sha2_mac_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t); -static int sha2_mac_verify_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t); +static int sha2_mac_atomic(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); +static int sha2_mac_verify_atomic(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); static const crypto_mac_ops_t sha2_mac_ops = { .mac_init = sha2_mac_init, @@ -537,10 +535,9 @@ sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest) } static int -sha2_digest_atomic(crypto_session_id_t session_id, - crypto_mechanism_t *mechanism, crypto_data_t *data, crypto_data_t *digest) +sha2_digest_atomic(crypto_mechanism_t *mechanism, crypto_data_t *data, + crypto_data_t *digest) { - (void) session_id; int ret = CRYPTO_SUCCESS; SHA2_CTX sha2_ctx; uint32_t sha_digest_len; @@ -898,11 +895,10 @@ sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac) } static int -sha2_mac_atomic(crypto_session_id_t session_id, crypto_mechanism_t *mechanism, +sha2_mac_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t ctx_template) { - (void) session_id; int ret = CRYPTO_SUCCESS; uchar_t digest[SHA512_DIGEST_LENGTH]; sha2_hmac_ctx_t sha2_hmac_ctx; @@ -1031,12 +1027,10 @@ sha2_mac_atomic(crypto_session_id_t session_id, crypto_mechanism_t *mechanism, } static int -sha2_mac_verify_atomic(crypto_session_id_t session_id, - crypto_mechanism_t *mechanism, +sha2_mac_verify_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t ctx_template) { - (void) session_id; int ret = CRYPTO_SUCCESS; uchar_t digest[SHA512_DIGEST_LENGTH]; sha2_hmac_ctx_t sha2_hmac_ctx; diff --git a/module/icp/io/skein_mod.c b/module/icp/io/skein_mod.c index 97cfd52b9e96..1d6969e68862 100644 --- a/module/icp/io/skein_mod.c +++ b/module/icp/io/skein_mod.c @@ -49,8 +49,8 @@ static int skein_digest_init(crypto_ctx_t *, crypto_mechanism_t *); static int skein_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); static int skein_update(crypto_ctx_t *, crypto_data_t *); static int skein_final(crypto_ctx_t *, crypto_data_t *); -static int skein_digest_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_data_t *, crypto_data_t *); +static int skein_digest_atomic(crypto_mechanism_t *, crypto_data_t *, + crypto_data_t *); static const crypto_digest_ops_t skein_digest_ops = { .digest_init = skein_digest_init, @@ -62,9 +62,8 @@ static const crypto_digest_ops_t skein_digest_ops = { static int skein_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t); -static int skein_mac_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t); +static int skein_mac_atomic(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); static const crypto_mac_ops_t skein_mac_ops = { .mac_init = skein_mac_init, @@ -467,10 +466,9 @@ skein_final(crypto_ctx_t *ctx, crypto_data_t *digest) * Supported input/output formats are raw, uio and mblk. */ static int -skein_digest_atomic(crypto_session_id_t session_id, - crypto_mechanism_t *mechanism, crypto_data_t *data, crypto_data_t *digest) +skein_digest_atomic(crypto_mechanism_t *mechanism, crypto_data_t *data, + crypto_data_t *digest) { - (void) session_id; int error; skein_ctx_t skein_ctx; crypto_ctx_t ctx; @@ -570,12 +568,11 @@ skein_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, * function as to those of the partial operations above. */ static int -skein_mac_atomic(crypto_session_id_t session_id, crypto_mechanism_t *mechanism, +skein_mac_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t ctx_template) { /* faux crypto context just for skein_digest_{update,final} */ - (void) session_id; int error; crypto_ctx_t ctx; skein_ctx_t skein_ctx; From 2ce940663a7a56aa62231f8c5c8100dcae791d7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Mon, 27 Dec 2021 03:02:17 +0100 Subject: [PATCH 37/39] module: icp: remove unused pd_{remove_cv,hash_limit} MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/core/kcf_prov_tabs.c | 2 -- module/icp/include/sys/crypto/impl.h | 6 ------ 2 files changed, 8 deletions(-) diff --git a/module/icp/core/kcf_prov_tabs.c b/module/icp/core/kcf_prov_tabs.c index b8016e0ce3fb..636c97f18252 100644 --- a/module/icp/core/kcf_prov_tabs.c +++ b/module/icp/core/kcf_prov_tabs.c @@ -214,7 +214,6 @@ kcf_alloc_provider_desc(void) desc->pd_state = KCF_PROV_ALLOCATED; mutex_init(&desc->pd_lock, NULL, MUTEX_DEFAULT, NULL); - cv_init(&desc->pd_resume_cv, NULL, CV_DEFAULT, NULL); cv_init(&desc->pd_remove_cv, NULL, CV_DEFAULT, NULL); return (desc); @@ -264,7 +263,6 @@ kcf_free_provider_desc(kcf_provider_desc_t *desc) /* free the kernel memory associated with the provider descriptor */ mutex_destroy(&desc->pd_lock); - cv_destroy(&desc->pd_resume_cv); cv_destroy(&desc->pd_remove_cv); kmem_free(desc, sizeof (kcf_provider_desc_t)); diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index c15e263c4a40..ce1075760212 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -81,8 +81,6 @@ typedef struct kcf_sched_info { * acquire any locks here as it is not critical to get the exact number * and the lock contention may be too costly for this code path. */ -#define KCF_PROV_LOAD(pd) ((pd)->pd_irefcnt) - #define KCF_PROV_INCRSTATS(pd, error) { \ (pd)->pd_sched_info.ks_ndispatches++; \ if (error == CRYPTO_BUSY) \ @@ -154,8 +152,6 @@ typedef enum { * by the provider during registration * pd_remove_cv: cv to wait on while the provider queue drains * pd_description: Provider description string - * pd_hash_limit Maximum data size that hash mechanisms of this provider - * can support. * pd_kcf_prov_handle: KCF-private handle assigned by KCF * pd_prov_id: Identification # assigned by KCF to provider * pd_kstat: kstat associated with the provider @@ -166,7 +162,6 @@ typedef struct kcf_provider_desc { uint_t pd_irefcnt; kmutex_t pd_lock; kcf_prov_state_t pd_state; - kcondvar_t pd_resume_cv; const crypto_ops_t *pd_ops_vector; ushort_t pd_mech_indx[KCF_OPS_CLASSSIZE]\ [KCF_MAXMECHTAB]; @@ -175,7 +170,6 @@ typedef struct kcf_provider_desc { uint_t pd_mech_list_count; kcondvar_t pd_remove_cv; const char *pd_description; - uint_t pd_hash_limit; crypto_kcf_provider_handle_t pd_kcf_prov_handle; crypto_provider_id_t pd_prov_id; kstat_t *pd_kstat; From 911d841a7151bfd0d4c37d4bd377ff054c03c9a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Fri, 7 Jan 2022 01:32:14 +0100 Subject: [PATCH 38/39] module: icp: enforce KCF_{OPS_CLASSSIZE,MAXMECHTAB} MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ahelenia Ziemiańska --- module/icp/include/sys/crypto/impl.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index ce1075760212..e440d5944567 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -265,9 +265,12 @@ typedef struct kcf_mech_entry { */ #define KCF_MAXDIGEST 16 /* Digests */ -#define KCF_MAXCIPHER 64 /* Ciphers */ +#define KCF_MAXCIPHER 32 /* Ciphers */ #define KCF_MAXMAC 40 /* Message authentication codes */ +_Static_assert(KCF_MAXCIPHER == KCF_MAXMECHTAB, + "KCF_MAXCIPHER != KCF_MAXMECHTAB"); /* See KCF_MAXMECHTAB comment */ + typedef enum { KCF_DIGEST_CLASS = 1, KCF_CIPHER_CLASS, @@ -276,6 +279,9 @@ typedef enum { #define KCF_FIRST_OPSCLASS KCF_DIGEST_CLASS #define KCF_LAST_OPSCLASS KCF_MAC_CLASS +_Static_assert( + KCF_OPS_CLASSSIZE == (KCF_LAST_OPSCLASS - KCF_FIRST_OPSCLASS + 2), + "KCF_OPS_CLASSSIZE doesn't match kcf_ops_class_t!"); /* The table of all the kcf_xxx_mech_tab[]s, indexed by kcf_ops_class */ From dd9adaecf0cfe399e58aa135cccdad9a293db1e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Wed, 2 Feb 2022 23:11:34 +0100 Subject: [PATCH 39/39] module: icp: remove provider stats MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These were all folded into a single kstat at /proc/spl/kstat/kcf/NONAME_provider_stats with no way to know which one it actually was, and only the AES and SHA (so not Skein) ones were ever updated Signed-off-by: Ahelenia Ziemiańska --- module/icp/api/kcf_cipher.c | 2 - module/icp/api/kcf_mac.c | 7 +-- module/icp/include/sys/crypto/impl.h | 50 ------------------ module/icp/spi/kcf_spi.c | 77 ---------------------------- 4 files changed, 1 insertion(+), 135 deletions(-) diff --git a/module/icp/api/kcf_cipher.c b/module/icp/api/kcf_cipher.c index 34023f9843c2..81c3b96b1509 100644 --- a/module/icp/api/kcf_cipher.c +++ b/module/icp/api/kcf_cipher.c @@ -91,7 +91,6 @@ crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); error = KCF_PROV_ENCRYPT_ATOMIC(pd, &lmech, key, plaintext, ciphertext, spi_ctx_tmpl); - KCF_PROV_INCRSTATS(pd, error); if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */ @@ -164,7 +163,6 @@ crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, error = KCF_PROV_DECRYPT_ATOMIC(pd, &lmech, key, ciphertext, plaintext, spi_ctx_tmpl); - KCF_PROV_INCRSTATS(pd, error); if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */ diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index 36db2cbb57b8..6a72811ea480 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -107,7 +107,6 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); error = KCF_PROV_MAC_ATOMIC(pd, &lmech, key, data, mac, spi_ctx_tmpl); - KCF_PROV_INCRSTATS(pd, error); if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */ @@ -171,7 +170,6 @@ crypto_mac_init_prov(kcf_provider_desc_t *pd, crypto_mechanism_t lmech = *mech; KCF_SET_PROVIDER_MECHNUM(mech->cm_type, real_provider, &lmech); rv = KCF_PROV_MAC_INIT(real_provider, ctx, &lmech, key, tmpl); - KCF_PROV_INCRSTATS(pd, rv); if (rv == CRYPTO_SUCCESS) *ctxp = (crypto_context_t)ctx; @@ -259,9 +257,7 @@ crypto_mac_update(crypto_context_t context, crypto_data_t *data) return (CRYPTO_INVALID_CONTEXT); } - int rv = KCF_PROV_MAC_UPDATE(pd, ctx, data); - KCF_PROV_INCRSTATS(pd, rv); - return (rv); + return (KCF_PROV_MAC_UPDATE(pd, ctx, data)); } /* @@ -291,7 +287,6 @@ crypto_mac_final(crypto_context_t context, crypto_data_t *mac) } int rv = KCF_PROV_MAC_FINAL(pd, ctx, mac); - KCF_PROV_INCRSTATS(pd, rv); /* Release the hold done in kcf_new_ctx() during init step. */ KCF_CONTEXT_COND_RELEASE(rv, kcf_ctx); diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index e440d5944567..dca7aa1b562f 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -40,55 +40,11 @@ extern "C" { #endif -#define KCF_MODULE "kcf" - /* * Prefixes convention: structures internal to the kernel cryptographic * framework start with 'kcf_'. Exposed structure start with 'crypto_'. */ -/* Provider stats. Not protected. */ -typedef struct kcf_prov_stats { - kstat_named_t ps_ops_total; - kstat_named_t ps_ops_passed; - kstat_named_t ps_ops_failed; - kstat_named_t ps_ops_busy_rval; -} kcf_prov_stats_t; - -/* - * Keep all the information needed by the scheduler from - * this provider. - */ -typedef struct kcf_sched_info { - /* The number of operations dispatched. */ - uint64_t ks_ndispatches; - - /* The number of operations that failed. */ - uint64_t ks_nfails; - - /* The number of operations that returned CRYPTO_BUSY. */ - uint64_t ks_nbusy_rval; -} kcf_sched_info_t; - -/* - * pd_irefcnt approximates the number of inflight requests to the - * provider. Though we increment this counter during registration for - * other purposes, that base value is mostly same across all providers. - * So, it is a good measure of the load on a provider when it is not - * in a busy state. Once a provider notifies it is busy, requests - * back up in the taskq. So, we use tq_nalloc in that case which gives - * the number of task entries in the task queue. Note that we do not - * acquire any locks here as it is not critical to get the exact number - * and the lock contention may be too costly for this code path. - */ -#define KCF_PROV_INCRSTATS(pd, error) { \ - (pd)->pd_sched_info.ks_ndispatches++; \ - if (error == CRYPTO_BUSY) \ - (pd)->pd_sched_info.ks_nbusy_rval++; \ - else if (error != CRYPTO_SUCCESS) \ - (pd)->pd_sched_info.ks_nfails++; \ -} - /* * The following two macros should be @@ -147,15 +103,12 @@ typedef enum { * number to an index in pd_mechanisms array * pd_mechanisms: Array of mechanisms supported by the provider, specified * by the provider during registration - * pd_sched_info: Scheduling information associated with the provider * pd_mech_list_count: The number of entries in pi_mechanisms, specified * by the provider during registration * pd_remove_cv: cv to wait on while the provider queue drains * pd_description: Provider description string * pd_kcf_prov_handle: KCF-private handle assigned by KCF * pd_prov_id: Identification # assigned by KCF to provider - * pd_kstat: kstat associated with the provider - * pd_ks_data: kstat data */ typedef struct kcf_provider_desc { uint_t pd_refcnt; @@ -166,14 +119,11 @@ typedef struct kcf_provider_desc { ushort_t pd_mech_indx[KCF_OPS_CLASSSIZE]\ [KCF_MAXMECHTAB]; const crypto_mech_info_t *pd_mechanisms; - kcf_sched_info_t pd_sched_info; uint_t pd_mech_list_count; kcondvar_t pd_remove_cv; const char *pd_description; crypto_kcf_provider_handle_t pd_kcf_prov_handle; crypto_provider_id_t pd_prov_id; - kstat_t *pd_kstat; - kcf_prov_stats_t pd_ks_data; } kcf_provider_desc_t; /* atomic operations in linux implicitly form a memory barrier */ diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c index 62df15801f9f..87e765d4786c 100644 --- a/module/icp/spi/kcf_spi.c +++ b/module/icp/spi/kcf_spi.c @@ -38,15 +38,6 @@ static int init_prov_mechs(const crypto_provider_info_t *, kcf_provider_desc_t *); -static int kcf_prov_kstat_update(kstat_t *, int); -static void delete_kstat(kcf_provider_desc_t *); - -static const kcf_prov_stats_t kcf_stats_ks_data_template = { - { "kcf_ops_total", KSTAT_DATA_UINT64 }, - { "kcf_ops_passed", KSTAT_DATA_UINT64 }, - { "kcf_ops_failed", KSTAT_DATA_UINT64 }, - { "kcf_ops_returned_busy", KSTAT_DATA_UINT64 } -}; /* * This routine is used to add cryptographic providers to the KEF framework. @@ -95,27 +86,6 @@ crypto_register_provider(const crypto_provider_info_t *info, * to keep some entries cached to improve performance. */ - /* - * Create the kstat for this provider. There is a kstat - * installed for each successfully registered provider. - * This kstat is deleted, when the provider unregisters. - */ - prov_desc->pd_kstat = kstat_create("kcf", 0, "NONAME_provider_stats", - "crypto", KSTAT_TYPE_NAMED, sizeof (kcf_prov_stats_t) / - sizeof (kstat_named_t), KSTAT_FLAG_VIRTUAL); - - if (prov_desc->pd_kstat != NULL) { - bcopy(&kcf_stats_ks_data_template, - &prov_desc->pd_ks_data, - sizeof (kcf_stats_ks_data_template)); - prov_desc->pd_kstat->ks_data = &prov_desc->pd_ks_data; - KCF_PROV_REFHOLD(prov_desc); - KCF_PROV_IREFHOLD(prov_desc); - prov_desc->pd_kstat->ks_private = prov_desc; - prov_desc->pd_kstat->ks_update = kcf_prov_kstat_update; - kstat_install(prov_desc->pd_kstat); - } - mutex_enter(&prov_desc->pd_lock); prov_desc->pd_state = KCF_PROV_READY; mutex_exit(&prov_desc->pd_lock); @@ -192,8 +162,6 @@ crypto_unregister_provider(crypto_kcf_provider_handle_t handle) return (CRYPTO_UNKNOWN_PROVIDER); } - delete_kstat(desc); - /* Release reference held by kcf_prov_tab_lookup(). */ KCF_PROV_REFRELE(desc); @@ -290,35 +258,6 @@ init_prov_mechs(const crypto_provider_info_t *info, kcf_provider_desc_t *desc) return (CRYPTO_ARGUMENTS_BAD); } -/* - * Update routine for kstat. Only privileged users are allowed to - * access this information, since this information is sensitive. - * There are some cryptographic attacks (e.g. traffic analysis) - * which can use this information. - */ -static int -kcf_prov_kstat_update(kstat_t *ksp, int rw) -{ - kcf_prov_stats_t *ks_data; - kcf_provider_desc_t *pd = (kcf_provider_desc_t *)ksp->ks_private; - - if (rw == KSTAT_WRITE) - return (EACCES); - - ks_data = ksp->ks_data; - - ks_data->ps_ops_total.value.ui64 = pd->pd_sched_info.ks_ndispatches; - ks_data->ps_ops_failed.value.ui64 = pd->pd_sched_info.ks_nfails; - ks_data->ps_ops_busy_rval.value.ui64 = pd->pd_sched_info.ks_nbusy_rval; - ks_data->ps_ops_passed.value.ui64 = - pd->pd_sched_info.ks_ndispatches - - pd->pd_sched_info.ks_nfails - - pd->pd_sched_info.ks_nbusy_rval; - - return (0); -} - - /* * Utility routine called from failure paths in crypto_register_provider() * and from crypto_load_soft_disabled(). @@ -339,19 +278,3 @@ undo_register_provider(kcf_provider_desc_t *desc, boolean_t remove_prov) if (remove_prov) (void) kcf_prov_tab_rem_provider(desc->pd_prov_id); } - -static void -delete_kstat(kcf_provider_desc_t *desc) -{ - /* destroy the kstat created for this provider */ - if (desc->pd_kstat != NULL) { - kcf_provider_desc_t *kspd = desc->pd_kstat->ks_private; - - /* release reference held by desc->pd_kstat->ks_private */ - ASSERT(desc == kspd); - kstat_delete(kspd->pd_kstat); - desc->pd_kstat = NULL; - KCF_PROV_REFRELE(kspd); - KCF_PROV_IREFRELE(kspd); - } -}