search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Provide the correct principal name to verify_flags() for user2user tickets
[heimdal.git] / lib / hcrypto / evp-pkcs11.c
blobb44871fa4c4d3b7b6fe6359fdeb709759ebdb946
1 /*
2 * Copyright (c) 2015-2016, Secure Endpoints Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * - Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * - Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
18 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
19 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
20 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
21 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
22 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
28 * OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 /* PKCS#11 provider */
32
33 #include <config.h>
34 #include <roken.h>
35 #include <assert.h>
36
37 #ifndef HAVE_DLFCN_H
38 #error PKCS11 support requires dlfcn.h
39 #endif
40
41 #include <heimbase.h>
42
43 #include <evp.h>
44 #include <evp-hcrypto.h>
45 #include <evp-pkcs11.h>
46
47 #include <ref/pkcs11.h>
48
49 #if __sun && !defined(PKCS11_MODULE_PATH)
50 # ifdef _LP64
51 # define PKCS11_MODULE_PATH "/usr/lib/64/libpkcs11.so"
52 # else
53 # define PKCS11_MODULE_PATH "/usr/lib/libpkcs11.so"
54 # endif
55 #elif defined(__linux__)
56 /*
57 * XXX We should have an autoconf check for OpenCryptoki and such
58 * things. However, there's no AC_CHECK_OBJECT(), and we'd have to
59 * write one. Today I'm feeling lazy. Another possibility would be to
60 * have a symlink from the libdir we'll install into, and then we could
61 * dlopen() that on all platforms.
62 *
63 * XXX Also, we should pick an appropriate shared object based on 32- vs
64 * 64-bits.
65 */
66 # define PKCS11_MODULE_PATH "/usr/lib/pkcs11/PKCS11_API.so"
67 #endif
68
69 static CK_FUNCTION_LIST_PTR p11_module;
70
71 static int
72 p11_cleanup(EVP_CIPHER_CTX *ctx);
73
74 struct pkcs11_cipher_ctx {
75 CK_SESSION_HANDLE hSession;
76 CK_OBJECT_HANDLE hSecret;
77 };
78
79 struct pkcs11_md_ctx {
80 CK_SESSION_HANDLE hSession;
81 };
82
83 static void *pkcs11_module_handle;
84
85 static CK_RV
86 p11_module_load(CK_FUNCTION_LIST_PTR_PTR ppFunctionList)
87 {
88 CK_RV rv;
89 CK_RV (*C_GetFunctionList_fn)(CK_FUNCTION_LIST_PTR_PTR);
90 char *pkcs11ModulePath = secure_getenv("PKCS11_MODULE_PATH");
91
92 *ppFunctionList = NULL;
93
94 if (pkcs11ModulePath != NULL) {
95 pkcs11_module_handle =
96 dlopen(pkcs11ModulePath,
97 RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP | RTLD_NODELETE);
98 if (pkcs11_module_handle == NULL)
99 fprintf(stderr, "p11_module_load(%s): %s\n", pkcs11ModulePath, dlerror());
100 }
101 #ifdef PKCS11_MODULE_PATH
102 if (pkcs11_module_handle == NULL) {
103 pkcs11_module_handle =
104 dlopen(PKCS11_MODULE_PATH,
105 RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP | RTLD_NODELETE);
106 if (pkcs11_module_handle == NULL)
107 fprintf(stderr, "p11_module_load(%s): %s\n", PKCS11_MODULE_PATH, dlerror());
108 }
109 #endif
110 if (pkcs11_module_handle == NULL)
111 return CKR_LIBRARY_LOAD_FAILED;
112
113 C_GetFunctionList_fn = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR))
114 dlsym(pkcs11_module_handle, "C_GetFunctionList");
115 if (C_GetFunctionList_fn == NULL) {
116 dlclose(pkcs11_module_handle);
117 return CKR_LIBRARY_LOAD_FAILED;
118 }
119
120 rv = C_GetFunctionList_fn(ppFunctionList);
121 if (rv != CKR_OK) {
122 dlclose(pkcs11_module_handle);
123 return rv;
124 }
125
126 return CKR_OK;
127 }
128
129 static void
130 p11_module_load_once(void *context)
131 {
132 p11_module_load((CK_FUNCTION_LIST_PTR_PTR)context);
133 }
134
135 static CK_RV
136 p11_module_init(void)
137 {
138 static heim_base_once_t once = HEIM_BASE_ONCE_INIT;
139 CK_RV rv;
140
141 heim_base_once_f(&once, &p11_module, p11_module_load_once);
142
143 if (p11_module == NULL)
144 return CKR_LIBRARY_LOAD_FAILED;
145
146 /*
147 * Call C_Initialize() on every call, because it will be invalid after fork().
148 * Caching the initialization status using a once control and invalidating it
149 * on fork provided no measurable performance benefit on Solaris 11. Other
150 * approaches would not be thread-safe or would involve more intrusive code
151 * changes, such as exposing heimbase's atomics.
152 */
153 rv = p11_module->C_Initialize(NULL);
154 if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED)
155 rv = CKR_OK;
156
157 return rv;
158 }
159
160 static CK_RV
161 p11_session_init(CK_MECHANISM_TYPE mechanismType,
162 CK_SESSION_HANDLE_PTR phSession,
163 CK_FLAGS *pFlags)
164 {
165 CK_RV rv;
166 CK_ULONG i, ulSlotCount = 0;
167 CK_SLOT_ID_PTR pSlotList = NULL;
168 CK_MECHANISM_INFO info;
169
170 if (phSession != NULL)
171 *phSession = CK_INVALID_HANDLE;
172
173 *pFlags = 0;
174
175 rv = p11_module_init();
176 if (rv != CKR_OK)
177 goto cleanup;
178
179 assert(p11_module != NULL);
180
181 rv = p11_module->C_GetSlotList(CK_FALSE, NULL, &ulSlotCount);
182 if (rv != CKR_OK)
183 goto cleanup;
184
185 pSlotList = (CK_SLOT_ID_PTR)calloc(ulSlotCount, sizeof(CK_SLOT_ID));
186 if (pSlotList == NULL) {
187 rv = CKR_HOST_MEMORY;
188 goto cleanup;
189 }
190
191 rv = p11_module->C_GetSlotList(CK_FALSE, pSlotList, &ulSlotCount);
192 if (rv != CKR_OK)
193 goto cleanup;
194
195 /*
196 * Note that this approach of using the first slot that supports the desired
197 * mechanism may not always be what the user wants (for example it may prefer
198 * software to hardware crypto). We're going to assume that this code will be
199 * principally used on Solaris (which has a meta-slot provider that sorts by
200 * hardware first) or in situations where the user can configure the slots in
201 * order of provider preference. In the future we should make this configurable.
202 */
203 for (i = 0; i < ulSlotCount; i++) {
204 rv = p11_module->C_GetMechanismInfo(pSlotList[i], mechanismType, &info);
205 if (rv == CKR_OK) {
206 *pFlags = info.flags;
207 break;
208 }
209 }
210
211 if (i == ulSlotCount) {
212 rv = CKR_MECHANISM_INVALID;
213 goto cleanup;
214 }
215
216 if (phSession != NULL) {
217 rv = p11_module->C_OpenSession(pSlotList[i], CKF_SERIAL_SESSION, NULL, NULL, phSession);
218 if (rv != CKR_OK)
219 goto cleanup;
220 }
221
222 cleanup:
223 free(pSlotList);
224
225 return rv;
226 }
227
228 static int
229 p11_mech_available_p(CK_MECHANISM_TYPE mechanismType, CK_FLAGS reqFlags)
230 {
231 CK_RV rv;
232 CK_FLAGS flags;
233
234 rv = p11_session_init(mechanismType, NULL, &flags);
235 if (rv != CKR_OK)
236 return 0;
237
238 return (flags & reqFlags) == reqFlags;
239 }
240
241 static CK_KEY_TYPE
242 p11_key_type_for_mech(CK_MECHANISM_TYPE mechanismType)
243 {
244 CK_KEY_TYPE keyType = 0;
245
246 switch (mechanismType) {
247 case CKM_RC2_CBC:
248 keyType = CKK_RC2;
249 break;
250 case CKM_RC4:
251 keyType = CKK_RC4;
252 break;
253 case CKM_DES_CBC:
254 keyType = CKK_DES;
255 break;
256 case CKM_DES3_CBC:
257 keyType = CKK_DES3;
258 break;
259 case CKM_AES_CBC:
260 case CKM_AES_CFB8:
261 keyType = CKK_AES;
262 break;
263 case CKM_CAMELLIA_CBC:
264 keyType = CKK_CAMELLIA;
265 break;
266 default:
267 assert(0 && "Unknown PKCS#11 mechanism type");
268 break;
269 }
270
271 return keyType;
272 }
273
274 static int
275 p11_key_init(EVP_CIPHER_CTX *ctx,
276 const unsigned char *key,
277 const unsigned char *iv,
278 int encp)
279 {
280 CK_RV rv;
281 CK_BBOOL bFalse = CK_FALSE;
282 CK_BBOOL bTrue = CK_TRUE;
283 CK_MECHANISM_TYPE mechanismType = (CK_MECHANISM_TYPE)ctx->cipher->app_data;
284 CK_KEY_TYPE keyType = p11_key_type_for_mech(mechanismType);
285 CK_OBJECT_CLASS objectClass = CKO_SECRET_KEY;
286 CK_ATTRIBUTE_TYPE op = encp ? CKA_ENCRYPT : CKA_DECRYPT;
287 CK_ATTRIBUTE attributes[] = {
288 { CKA_EXTRACTABLE, &bFalse, sizeof(bFalse) },
289 { CKA_CLASS, &objectClass, sizeof(objectClass) },
290 { CKA_KEY_TYPE, &keyType, sizeof(keyType) },
291 { CKA_TOKEN, &bFalse, sizeof(bFalse) },
292 { CKA_PRIVATE, &bFalse, sizeof(bFalse) },
293 { CKA_SENSITIVE, &bTrue, sizeof(bTrue) },
294 { CKA_VALUE, (void *)key, ctx->key_len },
295 { op, &bTrue, sizeof(bTrue) }
296 };
297 CK_MECHANISM mechanism = {
298 mechanismType,
299 ctx->cipher->iv_len ? ctx->iv : NULL,
300 ctx->cipher->iv_len
301 };
302 struct pkcs11_cipher_ctx *p11ctx = (struct pkcs11_cipher_ctx *)ctx->cipher_data;
303 CK_FLAGS flags;
304
305 rv = CKR_OK;
306
307 if (p11ctx->hSession != CK_INVALID_HANDLE && key != NULL)
308 p11_cleanup(ctx); /* refresh session with new key */
309
310 if (p11ctx->hSession == CK_INVALID_HANDLE) {
311 rv = p11_session_init(mechanismType, &p11ctx->hSession, &flags);
312 if (rv != CKR_OK)
313 goto cleanup;
314
315 if ((flags & (CKF_ENCRYPT|CKF_DECRYPT)) != (CKF_ENCRYPT|CKF_DECRYPT)) {
316 rv = CKR_MECHANISM_INVALID;
317 goto cleanup;
318 }
319 }
320
321 if (key != NULL) {
322 assert(p11_module != NULL);
323 assert(p11ctx->hSecret == CK_INVALID_HANDLE);
324
325 rv = p11_module->C_CreateObject(p11ctx->hSession, attributes,
326 sizeof(attributes) / sizeof(attributes[0]),
327 &p11ctx->hSecret);
328 if (rv != CKR_OK)
329 goto cleanup;
330 }
331
332 if (p11ctx->hSecret != CK_INVALID_HANDLE) {
333 if (op == CKA_ENCRYPT)
334 rv = p11_module->C_EncryptInit(p11ctx->hSession, &mechanism, p11ctx->hSecret);
335 else
336 rv = p11_module->C_DecryptInit(p11ctx->hSession, &mechanism, p11ctx->hSecret);
337 if (rv != CKR_OK)
338 goto cleanup;
339 }
340
341 cleanup:
342 if (rv != CKR_OK)
343 p11_cleanup(ctx);
344
345 return rv == CKR_OK;
346 }
347
348 static int
349 p11_do_cipher(EVP_CIPHER_CTX *ctx,
350 unsigned char *out,
351 const unsigned char *in,
352 unsigned int size)
353 {
354 struct pkcs11_cipher_ctx *p11ctx = (struct pkcs11_cipher_ctx *)ctx->cipher_data;
355 CK_RV rv;
356 CK_ULONG ulCipherTextLen = size;
357
358 assert(p11_module != NULL);
359 assert(EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_STREAM_CIPHER ||
360 (size % ctx->cipher->block_size) == 0);
361
362 if (ctx->encrypt)
363 rv = p11_module->C_EncryptUpdate(p11ctx->hSession, (unsigned char *)in, size, out, &ulCipherTextLen);
364 else
365 rv = p11_module->C_DecryptUpdate(p11ctx->hSession, (unsigned char *)in, size, out, &ulCipherTextLen);
366
367 return rv == CKR_OK;
368 }
369
370 static int
371 p11_cleanup(EVP_CIPHER_CTX *ctx)
372 {
373 struct pkcs11_cipher_ctx *p11ctx = (struct pkcs11_cipher_ctx *)ctx->cipher_data;
374
375 if (p11ctx->hSecret != CK_INVALID_HANDLE) {
376 p11_module->C_DestroyObject(p11ctx->hSession, p11ctx->hSecret);
377 p11ctx->hSecret = CK_INVALID_HANDLE;
378 }
379 if (p11ctx->hSession != CK_INVALID_HANDLE) {
380 p11_module->C_CloseSession(p11ctx->hSession);
381 p11ctx->hSession = CK_INVALID_HANDLE;
382 }
383
384 return 1;
385 }
386
387 static int
388 p11_md_cleanup(EVP_MD_CTX *ctx);
389
390 static int
391 p11_md_hash_init(CK_MECHANISM_TYPE mechanismType, EVP_MD_CTX *ctx)
392 {
393 struct pkcs11_md_ctx *p11ctx = (struct pkcs11_md_ctx *)ctx;
394 CK_RV rv;
395 CK_FLAGS flags;
396 CK_MECHANISM mechanism = { mechanismType, NULL, 0 };
397
398 if (p11ctx->hSession != CK_INVALID_HANDLE)
399 p11_md_cleanup(ctx);
400
401 rv = p11_session_init(mechanismType, &p11ctx->hSession, &flags);
402 if (rv != CKR_OK)
403 goto cleanup;
404
405 if ((flags & CKF_DIGEST) != CKF_DIGEST) {
406 rv = CKR_MECHANISM_INVALID;
407 goto cleanup;
408 }
409
410 assert(p11_module != NULL);
411
412 rv = p11_module->C_DigestInit(p11ctx->hSession, &mechanism);
413
414 cleanup:
415 return rv == CKR_OK;
416 }
417
418 static int
419 p11_md_update(EVP_MD_CTX *ctx, const void *data, size_t length)
420 {
421 struct pkcs11_md_ctx *p11ctx = (struct pkcs11_md_ctx *)ctx;
422 CK_RV rv;
423
424 assert(p11_module != NULL);
425 assert(data != NULL || length == 0);
426
427 rv = p11_module->C_DigestUpdate(p11ctx->hSession,
428 data ? (CK_BYTE_PTR)data : (CK_BYTE_PTR)"",
429 length);
430
431 return rv == CKR_OK;
432 }
433
434 static int
435 p11_md_final(void *digest, EVP_MD_CTX *ctx)
436 {
437 struct pkcs11_md_ctx *p11ctx = (struct pkcs11_md_ctx *)ctx;
438 CK_RV rv;
439 CK_ULONG digestLen = 0;
440
441 assert(p11_module != NULL);
442
443 rv = p11_module->C_DigestFinal(p11ctx->hSession, NULL, &digestLen);
444 if (rv == CKR_OK)
445 rv = p11_module->C_DigestFinal(p11ctx->hSession, digest, &digestLen);
446
447 return rv == CKR_OK;
448 }
449
450 static int
451 p11_md_cleanup(EVP_MD_CTX *ctx)
452 {
453 struct pkcs11_md_ctx *p11ctx = (struct pkcs11_md_ctx *)ctx;
454 CK_RV rv;
455
456 assert(p11_module != NULL);
457
458 rv = p11_module->C_CloseSession(p11ctx->hSession);
459 if (rv == CKR_OK)
460 p11ctx->hSession = CK_INVALID_HANDLE;
461
462 return rv == CKR_OK;
463 }
464
465 #define PKCS11_CIPHER_ALGORITHM(name, mechanismType, block_size, \
466 key_len, iv_len, flags) \
467 \
468 static EVP_CIPHER \
469 pkcs11_##name = { \
470 0, \
471 block_size, \
472 key_len, \
473 iv_len, \
474 (flags) | EVP_CIPH_ALWAYS_CALL_INIT, \
475 p11_key_init, \
476 p11_do_cipher, \
477 p11_cleanup, \
478 sizeof(struct pkcs11_cipher_ctx), \
479 NULL, \
480 NULL, \
481 NULL, \
482 (void *)mechanismType \
483 }; \
484 \
485 const EVP_CIPHER * \
486 hc_EVP_pkcs11_##name(void) \
487 { \
488 if (p11_mech_available_p(mechanismType, CKF_ENCRYPT|CKF_DECRYPT)) \
489 return &pkcs11_##name; \
490 else \
491 return NULL; \
492 } \
493 \
494 static void \
495 pkcs11_hcrypto_##name##_init_once(void *context) \
496 { \
497 const EVP_CIPHER *cipher; \
498 \
499 cipher = hc_EVP_pkcs11_ ##name(); \
500 if (cipher == NULL && HCRYPTO_FALLBACK) \
501 cipher = hc_EVP_hcrypto_ ##name(); \
502 \
503 *((const EVP_CIPHER **)context) = cipher; \
504 } \
505 \
506 const EVP_CIPHER * \
507 hc_EVP_pkcs11_hcrypto_##name(void) \
508 { \
509 static const EVP_CIPHER *__cipher; \
510 static heim_base_once_t __init = HEIM_BASE_ONCE_INIT; \
511 \
512 heim_base_once_f(&__init, &__cipher, \
513 pkcs11_hcrypto_##name##_init_once); \
514 \
515 return __cipher; \
516 }
517
518 #define PKCS11_MD_ALGORITHM(name, mechanismType, hash_size, block_size) \
519 \
520 static int p11_##name##_init(EVP_MD_CTX *ctx) \
521 { \
522 return p11_md_hash_init(mechanismType, ctx); \
523 } \
524 \
525 const EVP_MD * \
526 hc_EVP_pkcs11_##name(void) \
527 { \
528 static struct hc_evp_md name = { \
529 hash_size, \
530 block_size, \
531 sizeof(struct pkcs11_md_ctx), \
532 p11_##name##_init, \
533 p11_md_update, \
534 p11_md_final, \
535 p11_md_cleanup \
536 }; \
537 \
538 if (p11_mech_available_p(mechanismType, CKF_DIGEST)) \
539 return &name; \
540 else \
541 return NULL; \
542 } \
543 \
544 static void \
545 pkcs11_hcrypto_##name##_init_once(void *context) \
546 { \
547 const EVP_MD *md; \
548 \
549 md = hc_EVP_pkcs11_ ##name(); \
550 if (md == NULL && HCRYPTO_FALLBACK) \
551 md = hc_EVP_hcrypto_ ##name(); \
552 \
553 *((const EVP_MD **)context) = md; \
554 } \
555 \
556 const EVP_MD * \
557 hc_EVP_pkcs11_hcrypto_##name(void) \
558 { \
559 static const EVP_MD *__md; \
560 static heim_base_once_t __init = HEIM_BASE_ONCE_INIT; \
561 \
562 heim_base_once_f(&__init, &__md, \
563 pkcs11_hcrypto_##name##_init_once); \
564 \
565 return __md; \
566 }
567
568 #define PKCS11_MD_ALGORITHM_UNAVAILABLE(name) \
569 \
570 const EVP_MD * \
571 hc_EVP_pkcs11_##name(void) \
572 { \
573 return NULL; \
574 } \
575 \
576 const EVP_MD * \
577 hc_EVP_pkcs11_hcrypto_##name(void) \
578 { \
579 return hc_EVP_hcrypto_ ##name(); \
580 }
581
582 /**
583 * The triple DES cipher type (PKCS#11 provider)
584 *
585 * @return the DES-EDE3-CBC EVP_CIPHER pointer.
586 *
587 * @ingroup hcrypto_evp
588 */
589
590 PKCS11_CIPHER_ALGORITHM(des_ede3_cbc,
591 CKM_DES3_CBC,
592 8,
593 24,
594 8,
595 EVP_CIPH_CBC_MODE)
596
597 /**
598 * The DES cipher type (PKCS#11 provider)
599 *
600 * @return the DES-CBC EVP_CIPHER pointer.
601 *
602 * @ingroup hcrypto_evp
603 */
604
605 PKCS11_CIPHER_ALGORITHM(des_cbc,
606 CKM_DES_CBC,
607 8,
608 8,
609 8,
610 EVP_CIPH_CBC_MODE)
611
612 /**
613 * The AES-128 cipher type (PKCS#11 provider)
614 *
615 * @return the AES-128-CBC EVP_CIPHER pointer.
616 *
617 * @ingroup hcrypto_evp
618 */
619
620 PKCS11_CIPHER_ALGORITHM(aes_128_cbc,
621 CKM_AES_CBC,
622 16,
623 16,
624 16,
625 EVP_CIPH_CBC_MODE)
626
627 /**
628 * The AES-192 cipher type (PKCS#11 provider)
629 *
630 * @return the AES-192-CBC EVP_CIPHER pointer.
631 *
632 * @ingroup hcrypto_evp
633 */
634
635 PKCS11_CIPHER_ALGORITHM(aes_192_cbc,
636 CKM_AES_CBC,
637 16,
638 24,
639 16,
640 EVP_CIPH_CBC_MODE)
641
642 /**
643 * The AES-256 cipher type (PKCS#11 provider)
644 *
645 * @return the AES-256-CBC EVP_CIPHER pointer.
646 *
647 * @ingroup hcrypto_evp
648 */
649
650 PKCS11_CIPHER_ALGORITHM(aes_256_cbc,
651 CKM_AES_CBC,
652 16,
653 32,
654 16,
655 EVP_CIPH_CBC_MODE)
656
657 /**
658 * The AES-128 CFB8 cipher type (PKCS#11 provider)
659 *
660 * @return the AES-128-CFB8 EVP_CIPHER pointer.
661 *
662 * @ingroup hcrypto_evp
663 */
664
665 PKCS11_CIPHER_ALGORITHM(aes_128_cfb8,
666 CKM_AES_CFB8,
667 16,
668 16,
669 16,
670 EVP_CIPH_CFB8_MODE)
671
672 /**
673 * The AES-192 CFB8 cipher type (PKCS#11 provider)
674 *
675 * @return the AES-192-CFB8 EVP_CIPHER pointer.
676 *
677 * @ingroup hcrypto_evp
678 */
679
680 PKCS11_CIPHER_ALGORITHM(aes_192_cfb8,
681 CKM_AES_CFB8,
682 16,
683 24,
684 16,
685 EVP_CIPH_CFB8_MODE)
686
687 /**
688 * The AES-256 CFB8 cipher type (PKCS#11 provider)
689 *
690 * @return the AES-256-CFB8 EVP_CIPHER pointer.
691 *
692 * @ingroup hcrypto_evp
693 */
694
695 PKCS11_CIPHER_ALGORITHM(aes_256_cfb8,
696 CKM_AES_CFB8,
697 16,
698 32,
699 16,
700 EVP_CIPH_CFB8_MODE)
701
702 /**
703 * The RC2 cipher type - PKCS#11
704 *
705 * @return the RC2 EVP_CIPHER pointer.
706 *
707 * @ingroup hcrypto_evp
708 */
709
710 PKCS11_CIPHER_ALGORITHM(rc2_cbc,
711 CKM_RC2_CBC,
712 8,
713 16,
714 8,
715 EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH)
716
717 /**
718 * The RC2-40 cipher type - PKCS#11
719 *
720 * @return the RC2-40 EVP_CIPHER pointer.
721 *
722 * @ingroup hcrypto_evp
723 */
724
725 PKCS11_CIPHER_ALGORITHM(rc2_40_cbc,
726 CKM_RC2_CBC,
727 8,
728 5,
729 8,
730 EVP_CIPH_CBC_MODE)
731
732 /**
733 * The RC2-64 cipher type - PKCS#11
734 *
735 * @return the RC2-64 EVP_CIPHER pointer.
736 *
737 * @ingroup hcrypto_evp
738 */
739
740 PKCS11_CIPHER_ALGORITHM(rc2_64_cbc,
741 CKM_RC2_CBC,
742 8,
743 8,
744 8,
745 EVP_CIPH_CBC_MODE)
746
747 /**
748 * The Camellia-128 cipher type - PKCS#11
749 *
750 * @return the Camellia-128 EVP_CIPHER pointer.
751 *
752 * @ingroup hcrypto_evp
753 */
754
755 PKCS11_CIPHER_ALGORITHM(camellia_128_cbc,
756 CKM_CAMELLIA_CBC,
757 16,
758 16,
759 16,
760 EVP_CIPH_CBC_MODE)
761
762 /**
763 * The Camellia-198 cipher type - PKCS#11
764 *
765 * @return the Camellia-198 EVP_CIPHER pointer.
766 *
767 * @ingroup hcrypto_evp
768 */
769
770 PKCS11_CIPHER_ALGORITHM(camellia_192_cbc,
771 CKM_CAMELLIA_CBC,
772 16,
773 24,
774 16,
775 EVP_CIPH_CBC_MODE)
776
777 /**
778 * The Camellia-256 cipher type - PKCS#11
779 *
780 * @return the Camellia-256 EVP_CIPHER pointer.
781 *
782 * @ingroup hcrypto_evp
783 */
784
785 PKCS11_CIPHER_ALGORITHM(camellia_256_cbc,
786 CKM_CAMELLIA_CBC,
787 16,
788 32,
789 16,
790 EVP_CIPH_CBC_MODE)
791
792 /**
793 * The RC4 cipher type (PKCS#11 provider)
794 *
795 * @return the RC4 EVP_CIPHER pointer.
796 *
797 * @ingroup hcrypto_evp
798 */
799
800 PKCS11_CIPHER_ALGORITHM(rc4,
801 CKM_RC4,
802 1,
803 16,
804 0,
805 EVP_CIPH_STREAM_CIPHER | EVP_CIPH_VARIABLE_LENGTH)
806
807 /**
808 * The RC4-40 cipher type (PKCS#11 provider)
809 *
810 * @return the RC4 EVP_CIPHER pointer.
811 *
812 * @ingroup hcrypto_evp
813 */
814
815 PKCS11_CIPHER_ALGORITHM(rc4_40,
816 CKM_RC4,
817 1,
818 5,
819 0,
820 EVP_CIPH_STREAM_CIPHER | EVP_CIPH_VARIABLE_LENGTH)
821
822 PKCS11_MD_ALGORITHM(md2, CKM_MD2, 16, 16)
823 #ifdef CKM_MD4 /* non-standard extension */
824 PKCS11_MD_ALGORITHM(md4, CKM_MD4, 16, 64)
825 #else
826 PKCS11_MD_ALGORITHM_UNAVAILABLE(md4)
827 #endif
828 PKCS11_MD_ALGORITHM(md5, CKM_MD5, 16, 64)
829 PKCS11_MD_ALGORITHM(sha1, CKM_SHA_1, 20, 64)
830 PKCS11_MD_ALGORITHM(sha256, CKM_SHA256, 32, 64)
831 PKCS11_MD_ALGORITHM(sha384, CKM_SHA384, 48, 128)
832 PKCS11_MD_ALGORITHM(sha512, CKM_SHA512, 64, 128)
Heimdal