Print this page
6414175 kcf.conf's supportedlist not providing much usefulness
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/crypto/core/kcf_prov_tabs.c
+++ new/usr/src/uts/common/crypto/core/kcf_prov_tabs.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
|
↓ open down ↓ |
11 lines elided |
↑ open up ↑ |
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 - * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
22 + * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 */
25 25
26 -#pragma ident "%Z%%M% %I% %E% SMI"
27 -
28 26 /*
29 27 * This file is part of the core Kernel Cryptographic Framework.
30 28 * It implements the management of tables of Providers. Entries to
31 29 * added and removed when cryptographic providers register with
32 30 * and unregister from the framework, respectively. The KCF scheduler
33 31 * and ioctl pseudo driver call this function to obtain the list
34 32 * of available providers.
35 33 *
36 34 * The provider table is indexed by crypto_provider_id_t. Each
37 35 * element of the table contains a pointer to a provider descriptor,
38 36 * or NULL if the entry is free.
39 37 *
40 38 * This file also implements helper functions to allocate and free
41 39 * provider descriptors.
42 40 */
43 41
44 42 #include <sys/types.h>
45 43 #include <sys/kmem.h>
46 44 #include <sys/cmn_err.h>
|
↓ open down ↓ |
9 lines elided |
↑ open up ↑ |
47 45 #include <sys/ddi.h>
48 46 #include <sys/sunddi.h>
49 47 #include <sys/ksynch.h>
50 48 #include <sys/crypto/common.h>
51 49 #include <sys/crypto/impl.h>
52 50 #include <sys/crypto/sched_impl.h>
53 51 #include <sys/crypto/spi.h>
54 52
55 53 #define KCF_MAX_PROVIDERS 512 /* max number of providers */
56 54
57 -static kmutex_t prov_tab_mutex; /* ensure exclusive access to the table */
55 +/*
56 + * Prov_tab is an array of providers which is updated when
57 + * a crypto provider registers with kcf. The provider calls the
58 + * SPI routine, crypto_register_provider(), which in turn calls
59 + * kcf_prov_tab_add_provider().
60 + *
61 + * A provider unregisters by calling crypto_unregister_provider()
62 + * which triggers the removal of the prov_tab entry.
63 + * It also calls kcf_remove_mech_provider().
64 + *
65 + * prov_tab entries are not updated from kcf.conf or by cryptoadm(1M).
66 + */
58 67 static kcf_provider_desc_t **prov_tab = NULL;
68 +static kmutex_t prov_tab_mutex; /* ensure exclusive access to the table */
59 69 static uint_t prov_tab_num = 0; /* number of providers in table */
60 70 static uint_t prov_tab_max = KCF_MAX_PROVIDERS;
61 71
62 72 #if DEBUG
63 73 extern int kcf_frmwrk_debug;
64 -static void kcf_prov_tab_dump(void);
74 +static void kcf_prov_tab_dump(char *message);
65 75 #endif /* DEBUG */
66 76
77 +
67 78 /*
68 - * Initialize the providers table. The providers table is dynamically
69 - * allocated with prov_tab_max entries.
79 + * Initialize a mutex and the KCF providers table, prov_tab.
80 + * The providers table is dynamically allocated with prov_tab_max entries.
81 + * Called from kcf module _init().
70 82 */
71 83 void
72 84 kcf_prov_tab_init(void)
73 85 {
74 86 mutex_init(&prov_tab_mutex, NULL, MUTEX_DRIVER, NULL);
75 87
76 88 prov_tab = kmem_zalloc(prov_tab_max * sizeof (kcf_provider_desc_t *),
77 89 KM_SLEEP);
78 90 }
79 91
80 92 /*
81 93 * Add a provider to the provider table. If no free entry can be found
82 94 * for the new provider, returns CRYPTO_HOST_MEMORY. Otherwise, add
83 95 * the provider to the table, initialize the pd_prov_id field
84 96 * of the specified provider descriptor to the index in that table,
85 97 * and return CRYPTO_SUCCESS. Note that a REFHOLD is done on the
86 98 * provider when pointed to by a table entry.
87 99 */
88 100 int
89 101 kcf_prov_tab_add_provider(kcf_provider_desc_t *prov_desc)
90 102 {
91 103 uint_t i;
92 104
93 105 ASSERT(prov_tab != NULL);
94 106
95 107 mutex_enter(&prov_tab_mutex);
96 108
97 109 /* find free slot in providers table */
98 110 for (i = 0; i < KCF_MAX_PROVIDERS && prov_tab[i] != NULL; i++)
99 111 ;
100 112 if (i == KCF_MAX_PROVIDERS) {
101 113 /* ran out of providers entries */
102 114 mutex_exit(&prov_tab_mutex);
103 115 cmn_err(CE_WARN, "out of providers entries");
104 116 return (CRYPTO_HOST_MEMORY);
105 117 }
106 118
107 119 /* initialize entry */
108 120 prov_tab[i] = prov_desc;
109 121 KCF_PROV_REFHOLD(prov_desc);
110 122 KCF_PROV_IREFHOLD(prov_desc);
111 123 prov_tab_num++;
112 124
113 125 mutex_exit(&prov_tab_mutex);
114 126
115 127 /* update provider descriptor */
116 128 prov_desc->pd_prov_id = i;
|
↓ open down ↓ |
37 lines elided |
↑ open up ↑ |
117 129
118 130 /*
119 131 * The KCF-private provider handle is defined as the internal
120 132 * provider id.
121 133 */
122 134 prov_desc->pd_kcf_prov_handle =
123 135 (crypto_kcf_provider_handle_t)prov_desc->pd_prov_id;
124 136
125 137 #if DEBUG
126 138 if (kcf_frmwrk_debug >= 1)
127 - kcf_prov_tab_dump();
139 + kcf_prov_tab_dump("kcf_prov_tab_add_provider");
128 140 #endif /* DEBUG */
129 141
130 142 return (CRYPTO_SUCCESS);
131 143 }
132 144
133 145 /*
134 146 * Remove the provider specified by its id. A REFRELE is done on the
135 147 * corresponding provider descriptor before this function returns.
136 148 * Returns CRYPTO_UNKNOWN_PROVIDER if the provider id is not valid.
137 149 */
138 150 int
139 151 kcf_prov_tab_rem_provider(crypto_provider_id_t prov_id)
140 152 {
141 153 kcf_provider_desc_t *prov_desc;
142 154
143 155 ASSERT(prov_tab != NULL);
144 156 ASSERT(prov_tab_num >= 0);
145 157
146 158 /*
147 159 * Validate provider id, since it can be specified by a 3rd-party
148 160 * provider.
149 161 */
150 162
151 163 mutex_enter(&prov_tab_mutex);
152 164 if (prov_id >= KCF_MAX_PROVIDERS ||
153 165 ((prov_desc = prov_tab[prov_id]) == NULL)) {
154 166 mutex_exit(&prov_tab_mutex);
155 167 return (CRYPTO_INVALID_PROVIDER_ID);
156 168 }
157 169 mutex_exit(&prov_tab_mutex);
158 170
159 171 /*
160 172 * The provider id must remain valid until the associated provider
161 173 * descriptor is freed. For this reason, we simply release our
162 174 * reference to the descriptor here. When the reference count
|
↓ open down ↓ |
25 lines elided |
↑ open up ↑ |
163 175 * reaches zero, kcf_free_provider_desc() will be invoked and
164 176 * the associated entry in the providers table will be released
165 177 * at that time.
166 178 */
167 179
168 180 KCF_PROV_REFRELE(prov_desc);
169 181 KCF_PROV_IREFRELE(prov_desc);
170 182
171 183 #if DEBUG
172 184 if (kcf_frmwrk_debug >= 1)
173 - kcf_prov_tab_dump();
185 + kcf_prov_tab_dump("kcf_prov_tab_rem_provider");
174 186 #endif /* DEBUG */
175 187
176 188 return (CRYPTO_SUCCESS);
177 189 }
178 190
179 191 /*
180 192 * Returns the provider descriptor corresponding to the specified
181 193 * provider id. A REFHOLD is done on the descriptor before it is
182 194 * returned to the caller. It is the responsibility of the caller
183 195 * to do a REFRELE once it is done with the provider descriptor.
184 196 */
185 197 kcf_provider_desc_t *
186 198 kcf_prov_tab_lookup(crypto_provider_id_t prov_id)
187 199 {
188 200 kcf_provider_desc_t *prov_desc;
189 201
190 202 mutex_enter(&prov_tab_mutex);
191 203
192 204 prov_desc = prov_tab[prov_id];
193 205
194 206 if (prov_desc == NULL) {
195 207 mutex_exit(&prov_tab_mutex);
196 208 return (NULL);
197 209 }
198 210
199 211 KCF_PROV_REFHOLD(prov_desc);
200 212
201 213 mutex_exit(&prov_tab_mutex);
202 214
203 215 return (prov_desc);
204 216 }
205 217
206 218 static void
207 219 allocate_ops_v1(crypto_ops_t *src, crypto_ops_t *dst, uint_t *mech_list_count)
208 220 {
209 221 if (src->co_control_ops != NULL)
210 222 dst->co_control_ops = kmem_alloc(sizeof (crypto_control_ops_t),
211 223 KM_SLEEP);
212 224
213 225 if (src->co_digest_ops != NULL)
214 226 dst->co_digest_ops = kmem_alloc(sizeof (crypto_digest_ops_t),
215 227 KM_SLEEP);
216 228
217 229 if (src->co_cipher_ops != NULL)
218 230 dst->co_cipher_ops = kmem_alloc(sizeof (crypto_cipher_ops_t),
219 231 KM_SLEEP);
220 232
221 233 if (src->co_mac_ops != NULL)
222 234 dst->co_mac_ops = kmem_alloc(sizeof (crypto_mac_ops_t),
223 235 KM_SLEEP);
224 236
225 237 if (src->co_sign_ops != NULL)
226 238 dst->co_sign_ops = kmem_alloc(sizeof (crypto_sign_ops_t),
227 239 KM_SLEEP);
228 240
229 241 if (src->co_verify_ops != NULL)
230 242 dst->co_verify_ops = kmem_alloc(sizeof (crypto_verify_ops_t),
231 243 KM_SLEEP);
232 244
233 245 if (src->co_dual_ops != NULL)
234 246 dst->co_dual_ops = kmem_alloc(sizeof (crypto_dual_ops_t),
235 247 KM_SLEEP);
236 248
237 249 if (src->co_dual_cipher_mac_ops != NULL)
238 250 dst->co_dual_cipher_mac_ops = kmem_alloc(
239 251 sizeof (crypto_dual_cipher_mac_ops_t), KM_SLEEP);
240 252
241 253 if (src->co_random_ops != NULL) {
242 254 dst->co_random_ops = kmem_alloc(
243 255 sizeof (crypto_random_number_ops_t), KM_SLEEP);
244 256
245 257 /*
246 258 * Allocate storage to store the array of supported mechanisms
247 259 * specified by provider. We allocate extra mechanism storage
248 260 * if the provider has random_ops since we keep an internal
249 261 * mechanism, SUN_RANDOM, in this case.
250 262 */
251 263 (*mech_list_count)++;
252 264 }
253 265
254 266 if (src->co_session_ops != NULL)
255 267 dst->co_session_ops = kmem_alloc(sizeof (crypto_session_ops_t),
256 268 KM_SLEEP);
257 269
258 270 if (src->co_object_ops != NULL)
259 271 dst->co_object_ops = kmem_alloc(sizeof (crypto_object_ops_t),
260 272 KM_SLEEP);
261 273
262 274 if (src->co_key_ops != NULL)
263 275 dst->co_key_ops = kmem_alloc(sizeof (crypto_key_ops_t),
264 276 KM_SLEEP);
265 277
266 278 if (src->co_provider_ops != NULL)
267 279 dst->co_provider_ops = kmem_alloc(
268 280 sizeof (crypto_provider_management_ops_t), KM_SLEEP);
269 281
270 282 if (src->co_ctx_ops != NULL)
271 283 dst->co_ctx_ops = kmem_alloc(sizeof (crypto_ctx_ops_t),
272 284 KM_SLEEP);
273 285 }
274 286
275 287 static void
276 288 allocate_ops_v2(crypto_ops_t *src, crypto_ops_t *dst)
277 289 {
278 290 if (src->co_mech_ops != NULL)
279 291 dst->co_mech_ops = kmem_alloc(sizeof (crypto_mech_ops_t),
280 292 KM_SLEEP);
281 293 }
282 294
283 295 static void
284 296 allocate_ops_v3(crypto_ops_t *src, crypto_ops_t *dst)
285 297 {
286 298 if (src->co_nostore_key_ops != NULL)
287 299 dst->co_nostore_key_ops =
288 300 kmem_alloc(sizeof (crypto_nostore_key_ops_t), KM_SLEEP);
289 301 }
290 302
291 303 /*
292 304 * Allocate a provider descriptor. mech_list_count specifies the
293 305 * number of mechanisms supported by the providers, and is used
294 306 * to allocate storage for the mechanism table.
295 307 * This function may sleep while allocating memory, which is OK
296 308 * since it is invoked from user context during provider registration.
297 309 */
298 310 kcf_provider_desc_t *
299 311 kcf_alloc_provider_desc(crypto_provider_info_t *info)
300 312 {
301 313 int i, j;
302 314 kcf_provider_desc_t *desc;
303 315 uint_t mech_list_count = info->pi_mech_list_count;
304 316 crypto_ops_t *src_ops = info->pi_ops_vector;
305 317
306 318 desc = kmem_zalloc(sizeof (kcf_provider_desc_t), KM_SLEEP);
307 319
308 320 /*
309 321 * pd_description serves two purposes
310 322 * - Appears as a blank padded PKCS#11 style string, that will be
311 323 * returned to applications in CK_SLOT_INFO.slotDescription.
312 324 * This means that we should not have a null character in the
313 325 * first CRYPTO_PROVIDER_DESCR_MAX_LEN bytes.
314 326 * - Appears as a null-terminated string that can be used by
315 327 * other kcf routines.
316 328 *
317 329 * So, we allocate enough room for one extra null terminator
318 330 * which keeps every one happy.
319 331 */
320 332 desc->pd_description = kmem_alloc(CRYPTO_PROVIDER_DESCR_MAX_LEN + 1,
321 333 KM_SLEEP);
322 334 (void) memset(desc->pd_description, ' ',
323 335 CRYPTO_PROVIDER_DESCR_MAX_LEN);
324 336 desc->pd_description[CRYPTO_PROVIDER_DESCR_MAX_LEN] = '\0';
325 337
326 338 /*
327 339 * Since the framework does not require the ops vector specified
328 340 * by the providers during registration to be persistent,
329 341 * KCF needs to allocate storage where copies of the ops
330 342 * vectors are copied.
331 343 */
332 344 desc->pd_ops_vector = kmem_zalloc(sizeof (crypto_ops_t), KM_SLEEP);
333 345
334 346 if (info->pi_provider_type != CRYPTO_LOGICAL_PROVIDER) {
335 347 allocate_ops_v1(src_ops, desc->pd_ops_vector, &mech_list_count);
336 348 if (info->pi_interface_version >= CRYPTO_SPI_VERSION_2)
337 349 allocate_ops_v2(src_ops, desc->pd_ops_vector);
338 350 if (info->pi_interface_version == CRYPTO_SPI_VERSION_3)
339 351 allocate_ops_v3(src_ops, desc->pd_ops_vector);
340 352 }
341 353
342 354 desc->pd_mech_list_count = mech_list_count;
343 355 desc->pd_mechanisms = kmem_zalloc(sizeof (crypto_mech_info_t) *
344 356 mech_list_count, KM_SLEEP);
345 357 for (i = 0; i < KCF_OPS_CLASSSIZE; i++)
346 358 for (j = 0; j < KCF_MAXMECHTAB; j++)
347 359 desc->pd_mech_indx[i][j] = KCF_INVALID_INDX;
348 360
349 361 desc->pd_prov_id = KCF_PROVID_INVALID;
350 362 desc->pd_state = KCF_PROV_ALLOCATED;
351 363
352 364 mutex_init(&desc->pd_lock, NULL, MUTEX_DEFAULT, NULL);
353 365 cv_init(&desc->pd_resume_cv, NULL, CV_DEFAULT, NULL);
354 366 cv_init(&desc->pd_remove_cv, NULL, CV_DEFAULT, NULL);
355 367
356 368 return (desc);
357 369 }
358 370
359 371 /*
360 372 * Called by KCF_PROV_REFRELE when a provider's reference count drops
361 373 * to zero. We free the descriptor when the last reference is released.
362 374 * However, for software providers, we do not free it when there is an
363 375 * unregister thread waiting. We signal that thread in this case and
364 376 * that thread is responsible for freeing the descriptor.
365 377 */
366 378 void
367 379 kcf_provider_zero_refcnt(kcf_provider_desc_t *desc)
368 380 {
369 381 mutex_enter(&desc->pd_lock);
370 382 switch (desc->pd_prov_type) {
371 383 case CRYPTO_SW_PROVIDER:
372 384 if (desc->pd_state == KCF_PROV_REMOVED ||
373 385 desc->pd_state == KCF_PROV_DISABLED) {
374 386 desc->pd_state = KCF_PROV_FREED;
375 387 cv_broadcast(&desc->pd_remove_cv);
376 388 mutex_exit(&desc->pd_lock);
377 389 break;
378 390 }
379 391 /* FALLTHRU */
380 392
381 393 case CRYPTO_HW_PROVIDER:
382 394 case CRYPTO_LOGICAL_PROVIDER:
383 395 mutex_exit(&desc->pd_lock);
384 396 kcf_free_provider_desc(desc);
385 397 }
386 398 }
387 399
388 400 /*
389 401 * Free a provider descriptor.
390 402 */
391 403 void
392 404 kcf_free_provider_desc(kcf_provider_desc_t *desc)
393 405 {
394 406 if (desc == NULL)
395 407 return;
396 408
397 409 mutex_enter(&prov_tab_mutex);
398 410 if (desc->pd_prov_id != KCF_PROVID_INVALID) {
399 411 /* release the associated providers table entry */
400 412 ASSERT(prov_tab[desc->pd_prov_id] != NULL);
401 413 prov_tab[desc->pd_prov_id] = NULL;
402 414 prov_tab_num--;
403 415 }
404 416 mutex_exit(&prov_tab_mutex);
405 417
406 418 /* free the kernel memory associated with the provider descriptor */
407 419
408 420 if (desc->pd_description != NULL)
409 421 kmem_free(desc->pd_description,
410 422 CRYPTO_PROVIDER_DESCR_MAX_LEN + 1);
411 423
412 424 if (desc->pd_ops_vector != NULL) {
413 425
414 426 if (desc->pd_ops_vector->co_control_ops != NULL)
415 427 kmem_free(desc->pd_ops_vector->co_control_ops,
416 428 sizeof (crypto_control_ops_t));
417 429
418 430 if (desc->pd_ops_vector->co_digest_ops != NULL)
419 431 kmem_free(desc->pd_ops_vector->co_digest_ops,
420 432 sizeof (crypto_digest_ops_t));
421 433
422 434 if (desc->pd_ops_vector->co_cipher_ops != NULL)
423 435 kmem_free(desc->pd_ops_vector->co_cipher_ops,
424 436 sizeof (crypto_cipher_ops_t));
425 437
426 438 if (desc->pd_ops_vector->co_mac_ops != NULL)
427 439 kmem_free(desc->pd_ops_vector->co_mac_ops,
428 440 sizeof (crypto_mac_ops_t));
429 441
430 442 if (desc->pd_ops_vector->co_sign_ops != NULL)
431 443 kmem_free(desc->pd_ops_vector->co_sign_ops,
432 444 sizeof (crypto_sign_ops_t));
433 445
434 446 if (desc->pd_ops_vector->co_verify_ops != NULL)
435 447 kmem_free(desc->pd_ops_vector->co_verify_ops,
436 448 sizeof (crypto_verify_ops_t));
437 449
438 450 if (desc->pd_ops_vector->co_dual_ops != NULL)
439 451 kmem_free(desc->pd_ops_vector->co_dual_ops,
440 452 sizeof (crypto_dual_ops_t));
441 453
442 454 if (desc->pd_ops_vector->co_dual_cipher_mac_ops != NULL)
443 455 kmem_free(desc->pd_ops_vector->co_dual_cipher_mac_ops,
444 456 sizeof (crypto_dual_cipher_mac_ops_t));
445 457
446 458 if (desc->pd_ops_vector->co_random_ops != NULL)
447 459 kmem_free(desc->pd_ops_vector->co_random_ops,
448 460 sizeof (crypto_random_number_ops_t));
449 461
450 462 if (desc->pd_ops_vector->co_session_ops != NULL)
451 463 kmem_free(desc->pd_ops_vector->co_session_ops,
452 464 sizeof (crypto_session_ops_t));
453 465
454 466 if (desc->pd_ops_vector->co_object_ops != NULL)
455 467 kmem_free(desc->pd_ops_vector->co_object_ops,
456 468 sizeof (crypto_object_ops_t));
457 469
458 470 if (desc->pd_ops_vector->co_key_ops != NULL)
459 471 kmem_free(desc->pd_ops_vector->co_key_ops,
460 472 sizeof (crypto_key_ops_t));
461 473
462 474 if (desc->pd_ops_vector->co_provider_ops != NULL)
463 475 kmem_free(desc->pd_ops_vector->co_provider_ops,
464 476 sizeof (crypto_provider_management_ops_t));
465 477
466 478 if (desc->pd_ops_vector->co_ctx_ops != NULL)
467 479 kmem_free(desc->pd_ops_vector->co_ctx_ops,
468 480 sizeof (crypto_ctx_ops_t));
469 481
470 482 if (desc->pd_ops_vector->co_mech_ops != NULL)
471 483 kmem_free(desc->pd_ops_vector->co_mech_ops,
472 484 sizeof (crypto_mech_ops_t));
473 485
474 486 if (desc->pd_ops_vector->co_nostore_key_ops != NULL)
475 487 kmem_free(desc->pd_ops_vector->co_nostore_key_ops,
476 488 sizeof (crypto_nostore_key_ops_t));
477 489
478 490 kmem_free(desc->pd_ops_vector, sizeof (crypto_ops_t));
479 491 }
480 492
481 493 if (desc->pd_mechanisms != NULL)
482 494 /* free the memory associated with the mechanism info's */
483 495 kmem_free(desc->pd_mechanisms, sizeof (crypto_mech_info_t) *
484 496 desc->pd_mech_list_count);
485 497
486 498 if (desc->pd_name != NULL) {
487 499 kmem_free(desc->pd_name, strlen(desc->pd_name) + 1);
488 500 }
489 501
490 502 if (desc->pd_sched_info.ks_taskq != NULL)
491 503 taskq_destroy(desc->pd_sched_info.ks_taskq);
492 504
493 505 kmem_free(desc, sizeof (kcf_provider_desc_t));
494 506 }
495 507
496 508 /*
497 509 * Returns the provider descriptor corresponding to the specified
498 510 * module name. A REFHOLD is done on the descriptor before it is
499 511 * returned to the caller. It is the responsibility of the caller
500 512 * to do a REFRELE once it is done with the provider descriptor.
501 513 * Only software providers are returned by this function.
502 514 */
503 515 kcf_provider_desc_t *
504 516 kcf_prov_tab_lookup_by_name(char *module_name)
505 517 {
506 518 kcf_provider_desc_t *prov_desc;
507 519 uint_t i;
508 520
509 521 mutex_enter(&prov_tab_mutex);
510 522
511 523 for (i = 0; i < KCF_MAX_PROVIDERS; i++) {
512 524 if ((prov_desc = prov_tab[i]) != NULL &&
513 525 (!KCF_IS_PROV_REMOVED(prov_desc)) &&
514 526 prov_desc->pd_prov_type == CRYPTO_SW_PROVIDER) {
515 527 ASSERT(prov_desc->pd_name != NULL);
516 528 if (strncmp(module_name, prov_desc->pd_name,
517 529 MAXNAMELEN) == 0) {
518 530 KCF_PROV_REFHOLD(prov_desc);
519 531 mutex_exit(&prov_tab_mutex);
520 532 return (prov_desc);
521 533 }
522 534 }
523 535 }
524 536
525 537 mutex_exit(&prov_tab_mutex);
526 538 return (NULL);
527 539 }
528 540
529 541 /*
530 542 * Returns the provider descriptor corresponding to the specified
531 543 * device name and instance. A REFHOLD is done on the descriptor
532 544 * before it is returned to the caller. It is the responsibility
533 545 * of the caller to do a REFRELE once it is done with the provider
534 546 * descriptor. Only hardware providers are returned by this function.
535 547 */
536 548 kcf_provider_desc_t *
537 549 kcf_prov_tab_lookup_by_dev(char *name, uint_t instance)
538 550 {
539 551 kcf_provider_desc_t *prov_desc;
540 552 uint_t i;
541 553
542 554 mutex_enter(&prov_tab_mutex);
543 555
544 556 for (i = 0; i < KCF_MAX_PROVIDERS; i++) {
545 557 if ((prov_desc = prov_tab[i]) != NULL &&
546 558 (!KCF_IS_PROV_REMOVED(prov_desc)) &&
547 559 prov_desc->pd_prov_type == CRYPTO_HW_PROVIDER) {
548 560 ASSERT(prov_desc->pd_name != NULL);
549 561 if (strncmp(prov_desc->pd_name, name,
550 562 MAXNAMELEN) == 0 &&
551 563 prov_desc->pd_instance == instance) {
552 564 KCF_PROV_REFHOLD(prov_desc);
553 565 mutex_exit(&prov_tab_mutex);
554 566 return (prov_desc);
555 567 }
556 568 }
557 569 }
558 570
559 571 mutex_exit(&prov_tab_mutex);
560 572 return (NULL);
561 573 }
562 574
563 575 /*
564 576 * Returns an array of hardware and logical provider descriptors,
565 577 * a.k.a the PKCS#11 slot list. A REFHOLD is done on each descriptor
566 578 * before the array is returned. The entire table can be freed by
567 579 * calling kcf_free_provider_tab().
568 580 */
569 581 int
570 582 kcf_get_slot_list(uint_t *count, kcf_provider_desc_t ***array,
571 583 boolean_t unverified)
572 584 {
573 585 kcf_provider_desc_t *prov_desc;
574 586 kcf_provider_desc_t **p = NULL;
575 587 char *last;
576 588 uint_t cnt = 0;
577 589 uint_t i, j;
578 590 int rval = CRYPTO_SUCCESS;
579 591 size_t n, final_size;
580 592
581 593 /* count the providers */
582 594 mutex_enter(&prov_tab_mutex);
583 595 for (i = 0; i < KCF_MAX_PROVIDERS; i++) {
584 596 if ((prov_desc = prov_tab[i]) != NULL &&
585 597 ((prov_desc->pd_prov_type == CRYPTO_HW_PROVIDER &&
586 598 (prov_desc->pd_flags & CRYPTO_HIDE_PROVIDER) == 0) ||
587 599 prov_desc->pd_prov_type == CRYPTO_LOGICAL_PROVIDER)) {
588 600 if (KCF_IS_PROV_USABLE(prov_desc) ||
589 601 (unverified && KCF_IS_PROV_UNVERIFIED(prov_desc))) {
590 602 cnt++;
591 603 }
592 604 }
593 605 }
594 606 mutex_exit(&prov_tab_mutex);
595 607
596 608 if (cnt == 0)
597 609 goto out;
598 610
599 611 n = cnt * sizeof (kcf_provider_desc_t *);
600 612 again:
601 613 p = kmem_zalloc(n, KM_SLEEP);
602 614
603 615 /* pointer to last entry in the array */
604 616 last = (char *)&p[cnt-1];
605 617
606 618 mutex_enter(&prov_tab_mutex);
607 619 /* fill the slot list */
608 620 for (i = 0, j = 0; i < KCF_MAX_PROVIDERS; i++) {
609 621 if ((prov_desc = prov_tab[i]) != NULL &&
610 622 ((prov_desc->pd_prov_type == CRYPTO_HW_PROVIDER &&
611 623 (prov_desc->pd_flags & CRYPTO_HIDE_PROVIDER) == 0) ||
612 624 prov_desc->pd_prov_type == CRYPTO_LOGICAL_PROVIDER)) {
613 625 if (KCF_IS_PROV_USABLE(prov_desc) ||
614 626 (unverified && KCF_IS_PROV_UNVERIFIED(prov_desc))) {
615 627 if ((char *)&p[j] > last) {
616 628 mutex_exit(&prov_tab_mutex);
617 629 kcf_free_provider_tab(cnt, p);
618 630 n = n << 1;
619 631 cnt = cnt << 1;
620 632 goto again;
621 633 }
622 634 p[j++] = prov_desc;
623 635 KCF_PROV_REFHOLD(prov_desc);
624 636 }
625 637 }
626 638 }
627 639 mutex_exit(&prov_tab_mutex);
628 640
629 641 final_size = j * sizeof (kcf_provider_desc_t *);
630 642 cnt = j;
631 643 ASSERT(final_size <= n);
632 644
633 645 /* check if buffer we allocated is too large */
634 646 if (final_size < n) {
635 647 char *final_buffer = NULL;
636 648
637 649 if (final_size > 0) {
638 650 final_buffer = kmem_alloc(final_size, KM_SLEEP);
639 651 bcopy(p, final_buffer, final_size);
640 652 }
641 653 kmem_free(p, n);
642 654 p = (kcf_provider_desc_t **)final_buffer;
643 655 }
644 656 out:
645 657 *count = cnt;
646 658 *array = p;
647 659 return (rval);
648 660 }
649 661
650 662 /*
651 663 * Returns an array of hardware provider descriptors. This routine
652 664 * used by cryptoadm(1M). A REFHOLD is done on each descriptor before
653 665 * the array is returned. The entire table can be freed by calling
654 666 * kcf_free_provider_tab().
655 667 *
656 668 * A NULL name argument puts all hardware providers in the array.
657 669 * A non-NULL name argument puts only those providers in the array
658 670 * which match the name and instance arguments.
659 671 */
660 672 int
661 673 kcf_get_hw_prov_tab(uint_t *count, kcf_provider_desc_t ***array, int kmflag,
662 674 char *name, uint_t instance, boolean_t unverified)
663 675 {
664 676 kcf_provider_desc_t *prov_desc;
665 677 kcf_provider_desc_t **p = NULL;
666 678 char *last;
667 679 uint_t cnt = 0;
668 680 uint_t i, j;
669 681 int rval = CRYPTO_SUCCESS;
670 682 size_t n, final_size;
671 683
672 684 /* count the providers */
673 685 mutex_enter(&prov_tab_mutex);
674 686 for (i = 0; i < KCF_MAX_PROVIDERS; i++) {
675 687 if ((prov_desc = prov_tab[i]) != NULL &&
676 688 prov_desc->pd_prov_type == CRYPTO_HW_PROVIDER) {
677 689 if (KCF_IS_PROV_USABLE(prov_desc) ||
678 690 (unverified && KCF_IS_PROV_UNVERIFIED(prov_desc))) {
679 691 if (name == NULL ||
680 692 (strncmp(prov_desc->pd_name, name,
681 693 MAXNAMELEN) == 0 &&
682 694 prov_desc->pd_instance == instance)) {
683 695 cnt++;
684 696 }
685 697 }
686 698 }
687 699 }
688 700 mutex_exit(&prov_tab_mutex);
689 701
690 702 if (cnt == 0)
691 703 goto out;
692 704
693 705 n = cnt * sizeof (kcf_provider_desc_t *);
694 706 again:
695 707 p = kmem_zalloc(n, kmflag);
696 708 if (p == NULL) {
697 709 rval = CRYPTO_HOST_MEMORY;
698 710 goto out;
699 711 }
700 712 /* pointer to last entry in the array */
701 713 last = (char *)&p[cnt-1];
702 714
703 715 mutex_enter(&prov_tab_mutex);
704 716 for (i = 0, j = 0; i < KCF_MAX_PROVIDERS; i++) {
705 717 if ((prov_desc = prov_tab[i]) != NULL &&
706 718 prov_desc->pd_prov_type == CRYPTO_HW_PROVIDER) {
707 719 if (KCF_IS_PROV_USABLE(prov_desc) ||
708 720 (unverified && KCF_IS_PROV_UNVERIFIED(prov_desc))) {
709 721 if (name == NULL ||
710 722 (strncmp(prov_desc->pd_name, name,
711 723 MAXNAMELEN) == 0 &&
712 724 prov_desc->pd_instance == instance)) {
713 725 if ((char *)&p[j] > last) {
714 726 mutex_exit(&prov_tab_mutex);
715 727 kcf_free_provider_tab(cnt, p);
716 728 n = n << 1;
717 729 cnt = cnt << 1;
718 730 goto again;
719 731 }
720 732 p[j++] = prov_desc;
721 733 KCF_PROV_REFHOLD(prov_desc);
722 734 }
723 735 }
724 736 }
725 737 }
726 738 mutex_exit(&prov_tab_mutex);
727 739
728 740 final_size = j * sizeof (kcf_provider_desc_t *);
729 741 ASSERT(final_size <= n);
730 742
731 743 /* check if buffer we allocated is too large */
732 744 if (final_size < n) {
733 745 char *final_buffer = NULL;
734 746
735 747 if (final_size > 0) {
736 748 final_buffer = kmem_alloc(final_size, kmflag);
737 749 if (final_buffer == NULL) {
738 750 kcf_free_provider_tab(cnt, p);
739 751 cnt = 0;
740 752 p = NULL;
741 753 rval = CRYPTO_HOST_MEMORY;
742 754 goto out;
743 755 }
744 756 bcopy(p, final_buffer, final_size);
745 757 }
746 758 kmem_free(p, n);
747 759 p = (kcf_provider_desc_t **)final_buffer;
748 760 }
749 761 cnt = j;
750 762 out:
751 763 *count = cnt;
752 764 *array = p;
753 765 return (rval);
754 766 }
755 767
756 768 /*
757 769 * Free an array of hardware provider descriptors. A REFRELE
758 770 * is done on each descriptor before the table is freed.
759 771 */
760 772 void
761 773 kcf_free_provider_tab(uint_t count, kcf_provider_desc_t **array)
762 774 {
763 775 kcf_provider_desc_t *prov_desc;
764 776 int i;
765 777
766 778 for (i = 0; i < count; i++) {
767 779 if ((prov_desc = array[i]) != NULL) {
768 780 KCF_PROV_REFRELE(prov_desc);
769 781 }
770 782 }
771 783 kmem_free(array, count * sizeof (kcf_provider_desc_t *));
772 784 }
773 785
774 786 /*
775 787 * Returns in the location pointed to by pd a pointer to the descriptor
776 788 * for the software provider for the specified mechanism.
777 789 * The provider descriptor is returned held and it is the caller's
778 790 * responsibility to release it when done. The mechanism entry
779 791 * is returned if the optional argument mep is non NULL.
780 792 *
781 793 * Returns one of the CRYPTO_ * error codes on failure, and
782 794 * CRYPTO_SUCCESS on success.
783 795 */
784 796 int
785 797 kcf_get_sw_prov(crypto_mech_type_t mech_type, kcf_provider_desc_t **pd,
786 798 kcf_mech_entry_t **mep, boolean_t log_warn)
787 799 {
788 800 kcf_mech_entry_t *me;
789 801
790 802 /* get the mechanism entry for this mechanism */
791 803 if (kcf_get_mech_entry(mech_type, &me) != KCF_SUCCESS)
792 804 return (CRYPTO_MECHANISM_INVALID);
793 805
794 806 /*
795 807 * Get the software provider for this mechanism.
796 808 * Lock the mech_entry until we grab the 'pd'.
797 809 */
798 810 mutex_enter(&me->me_mutex);
799 811
800 812 if (me->me_sw_prov == NULL ||
801 813 (*pd = me->me_sw_prov->pm_prov_desc) == NULL) {
802 814 /* no SW provider for this mechanism */
803 815 if (log_warn)
804 816 cmn_err(CE_WARN, "no SW provider for \"%s\"\n",
805 817 me->me_name);
806 818 mutex_exit(&me->me_mutex);
807 819 return (CRYPTO_MECH_NOT_SUPPORTED);
808 820 }
809 821
|
↓ open down ↓ |
626 lines elided |
↑ open up ↑ |
810 822 KCF_PROV_REFHOLD(*pd);
811 823 mutex_exit(&me->me_mutex);
812 824
813 825 if (mep != NULL)
814 826 *mep = me;
815 827
816 828 return (CRYPTO_SUCCESS);
817 829 }
818 830
819 831 #if DEBUG
820 -
832 +/*
833 + * Dump the Kernel crypto providers table, prov_tab.
834 + * If kcf_frmwrk_debug is >=2, also dump the mechanism lists.
835 + */
821 836 static void
822 -kcf_prov_tab_dump(void)
837 +kcf_prov_tab_dump(char *message)
823 838 {
824 - uint_t i;
839 + uint_t i, j;
825 840
826 841 mutex_enter(&prov_tab_mutex);
842 + printf("Providers table prov_tab at %s:\n",
843 + message != NULL ? message : "");
827 844
828 - printf("Providers table:\n");
829 845 for (i = 0; i < KCF_MAX_PROVIDERS; i++) {
830 - if (prov_tab[i] != NULL) {
831 - printf("[%d]: (%s) %s\n",
832 - i, (prov_tab[i]->pd_prov_type ==
833 - CRYPTO_HW_PROVIDER) ? "HW" : "SW",
834 - prov_tab[i]->pd_description);
846 + kcf_provider_desc_t *p = prov_tab[i];
847 + if (p != NULL) {
848 + printf("[%d]: (%s) %d mechanisms, %s\n", i,
849 + (p->pd_prov_type == CRYPTO_HW_PROVIDER) ?
850 + "HW" : "SW",
851 + p->pd_mech_list_count, p->pd_description);
852 + if (kcf_frmwrk_debug >= 2) {
853 + printf("\tpd_mechanisms: ");
854 + for (j = 0; j < p->pd_mech_list_count; ++j) {
855 + printf("%s \n",
856 + p->pd_mechanisms[j].cm_mech_name);
857 + }
858 + printf("\n");
859 + }
835 860 }
836 861 }
837 862 printf("(end of providers table)\n");
838 863
839 864 mutex_exit(&prov_tab_mutex);
840 865 }
841 866
842 867 #endif /* DEBUG */
843 868
844 869 /*
845 870 * This function goes through the provider table and verifies
846 871 * any unverified providers.
847 872 *
848 873 * This is called when kcfd is up and the door handle is ready.
849 874 */
850 875 void
851 876 verify_unverified_providers()
852 877 {
853 878 int i;
854 879 kcf_provider_desc_t *pd;
855 880 boolean_t need_verify;
856 881
857 882 ASSERT(kcf_dh != NULL);
858 883 mutex_enter(&prov_tab_mutex);
859 884
860 885 for (i = 0; i < KCF_MAX_PROVIDERS; i++) {
861 886 if ((pd = prov_tab[i]) == NULL)
862 887 continue;
863 888
864 889 if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER)
865 890 continue;
866 891
867 892 mutex_enter(&pd->pd_lock);
868 893 need_verify = pd->pd_state == KCF_PROV_UNVERIFIED;
869 894 mutex_exit(&pd->pd_lock);
870 895
871 896 if (!need_verify)
872 897 continue;
873 898
874 899 KCF_PROV_REFHOLD(pd);
875 900 KCF_PROV_IREFHOLD(pd);
876 901
877 902 /*
878 903 * We need to drop this lock, since it could be
879 904 * acquired by kcf_verify_signature().
880 905 * This is safe, as any providers that are
881 906 * added to the table after we dropped the
882 907 * lock *will see* a non NULL kcf_dh and hence
883 908 * would have been verified by other means.
884 909 */
885 910 mutex_exit(&prov_tab_mutex);
886 911 /* This routine will release the above holds */
887 912 kcf_verify_signature(pd);
888 913 mutex_enter(&prov_tab_mutex);
889 914 }
890 915
891 916 mutex_exit(&prov_tab_mutex);
892 917 }
|
↓ open down ↓ |
48 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX