2 * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * ModExp / RSA (with/without KM) plugin API
13 * The application will load a dynamic library which
14 * exports entrypoint(s) defined in this file.
16 * This set of entrypoints provides only a multithreaded,
17 * synchronous-within-each-thread, facility.
20 * This file is Copyright 1998-2000 nCipher Corporation Limited.
22 * Redistribution and use in source and binary forms, with opr without
23 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright notice,
27 * this list of conditions, and the following disclaimer.
29 * 2. Redistributions in binary form must reproduce the above
30 * copyright notice, this list of conditions, and the following
31 * disclaimer, in the documentation and/or other materials provided
32 * with the distribution
34 * IN NO EVENT SHALL NCIPHER CORPORATION LIMITED (`NCIPHER') AND/OR
35 * ANY OTHER AUTHORS OR DISTRIBUTORS OF THIS FILE BE LIABLE for any
36 * damages arising directly or indirectly from this file, its use or
37 * this licence. Without prejudice to the generality of the
38 * foregoing: all liability shall be excluded for direct, indirect,
39 * special, incidental, consequential or other damages or any loss of
40 * profits, business, revenue goodwill or anticipated savings;
41 * liability shall be excluded even if nCipher or anyone else has been
42 * advised of the possibility of damage. In any event, if the
43 * exclusion of liability is not effective, the liability of nCipher
44 * or any author or distributor shall be limited to the lesser of the
45 * price paid and 1,000 pounds sterling. This licence only fails to
46 * exclude or limit liability for death or personal injury arising out
47 * of negligence, and only to the extent that such an exclusion or
48 * limitation is not effective.
50 * NCIPHER AND THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ALL
51 * AND ANY WARRANTIES (WHETHER EXPRESS OR IMPLIED), including, but not
52 * limited to, any implied warranties of merchantability, fitness for
53 * a particular purpose, satisfactory quality, and/or non-infringement
54 * of any third party rights.
56 * US Government use: This software and documentation is Commercial
57 * Computer Software and Computer Software Documentation, as defined in
58 * sub-paragraphs (a)(1) and (a)(5) of DFAR 252.227-7014, "Rights in
59 * Noncommercial Computer Software and Noncommercial Computer Software
60 * Documentation." Use, duplication or disclosure by the Government is
61 * subject to the terms and conditions specified here.
63 * By using or distributing this file you will be accepting these
64 * terms and conditions, including the limitation of liability and
65 * lack of warranty. If you do not wish to accept these terms and
66 * conditions, DO NOT USE THE FILE.
69 * The actual dynamically loadable plugin, and the library files for
70 * static linking, which are also provided in some distributions, are
71 * not covered by the licence described above. You should have
72 * received a separate licence with terms and conditions for these
73 * library files; if you received the library files without a licence,
74 * please contact nCipher.
78 #ifndef HWCRYPTOHOOK_H
79 # define HWCRYPTOHOOK_H
81 # include <sys/types.h>
84 # ifndef HWCRYPTOHOOK_DECLARE_APPTYPES
85 # define HWCRYPTOHOOK_DECLARE_APPTYPES 1
88 # define HWCRYPTOHOOK_ERROR_FAILED -1
89 # define HWCRYPTOHOOK_ERROR_FALLBACK -2
90 # define HWCRYPTOHOOK_ERROR_MPISIZE -3
92 # if HWCRYPTOHOOK_DECLARE_APPTYPES
95 * These structs are defined by the application and opaque to the
96 * crypto plugin. The application may define these as it sees fit.
97 * Default declarations are provided here, but the application may
98 * #define HWCRYPTOHOOK_DECLARE_APPTYPES 0
99 * to prevent these declarations, and instead provide its own
100 * declarations of these types. (Pointers to them must still be
101 * ordinary pointers to structs or unions, or the resulting combined
102 * program will have a type inconsistency.)
104 typedef struct HWCryptoHook_MutexValue HWCryptoHook_Mutex;
105 typedef struct HWCryptoHook_CondVarValue HWCryptoHook_CondVar;
106 typedef struct HWCryptoHook_PassphraseContextValue
107 HWCryptoHook_PassphraseContext;
108 typedef struct HWCryptoHook_CallerContextValue HWCryptoHook_CallerContext;
110 # endif /* HWCRYPTOHOOK_DECLARE_APPTYPES */
113 * These next two structs are opaque to the application. The crypto
114 * plugin will return pointers to them; the caller simply manipulates
117 typedef struct HWCryptoHook_Context *HWCryptoHook_ContextHandle;
118 typedef struct HWCryptoHook_RSAKey *HWCryptoHook_RSAKeyHandle;
123 } HWCryptoHook_ErrMsgBuf;
125 * Used for error reporting. When a HWCryptoHook function fails it
126 * will return a sentinel value (0 for pointer-valued functions, or a
127 * negative number, usually HWCRYPTOHOOK_ERROR_FAILED, for
128 * integer-valued ones). It will, if an ErrMsgBuf is passed, also put
129 * an error message there.
131 * size is the size of the buffer, and will not be modified. If you
132 * pass 0 for size you must pass 0 for buf, and nothing will be
133 * recorded (just as if you passed 0 for the struct pointer).
134 * Messages written to the buffer will always be null-terminated, even
135 * when truncated to fit within size bytes.
137 * The contents of the buffer are not defined if there is no error.
140 typedef struct HWCryptoHook_MPIStruct {
145 * When one of these is returned, a pointer is passed to the function.
146 * At call, size is the space available. Afterwards it is updated to
147 * be set to the actual length (which may be more than the space available,
148 * if there was not enough room and the result was truncated).
149 * buf (the pointer) is not updated.
151 * size is in bytes and may be zero at call or return, but must be a
152 * multiple of the limb size. Zero limbs at the MS end are not
156 # define HWCryptoHook_InitFlags_FallbackModExp 0x0002UL
157 # define HWCryptoHook_InitFlags_FallbackRSAImmed 0x0004UL
159 * Enable requesting fallback to software in case of problems with the
160 * hardware support. This indicates to the crypto provider that the
161 * application is prepared to fall back to software operation if the
162 * ModExp* or RSAImmed* functions return HWCRYPTOHOOK_ERROR_FALLBACK.
163 * Without this flag those calls will never return
164 * HWCRYPTOHOOK_ERROR_FALLBACK. The flag will also cause the crypto
165 * provider to avoid repeatedly attempting to contact dead hardware
166 * within a short interval, if appropriate.
169 # define HWCryptoHook_InitFlags_SimpleForkCheck 0x0010UL
171 * Without _SimpleForkCheck the library is allowed to assume that the
172 * application will not fork and call the library in the child(ren).
174 * When it is specified, this is allowed. However, after a fork
175 * neither parent nor child may unload any loaded keys or call
176 * _Finish. Instead, they should call exit (or die with a signal)
177 * without calling _Finish. After all the children have died the
178 * parent may unload keys or call _Finish.
180 * This flag only has any effect on UN*X platforms.
185 void *logstream; /* usually a FILE*. See below. */
186 size_t limbsize; /* bignum format - size of radix type, must
188 int mslimbfirst; /* 0 or 1 */
189 int msbytefirst; /* 0 or 1; -1 = native */
191 * All the callback functions should return 0 on success, or a
192 * nonzero integer (whose value will be visible in the error message
193 * put in the buffer passed to the call).
195 * If a callback is not available pass a null function pointer.
197 * The callbacks may not call down again into the crypto plugin.
200 * For thread-safety. Set everything to 0 if you promise only to be
201 * singlethreaded. maxsimultaneous is the number of calls to
202 * ModExp[Crt]/RSAImmed{Priv,Pub}/RSA. If you don't know what to
203 * put there then say 0 and the hook library will use a default.
205 * maxmutexes is a small limit on the number of simultaneous mutexes
206 * which will be requested by the library. If there is no small
207 * limit, set it to 0. If the crypto plugin cannot create the
208 * advertised number of mutexes the calls to its functions may fail.
209 * If a low number of mutexes is advertised the plugin will try to
210 * do the best it can. Making larger numbers of mutexes available
211 * may improve performance and parallelism by reducing contention
212 * over critical sections. Unavailability of any mutexes, implying
213 * single-threaded operation, should be indicated by the setting
214 * mutex_init et al to 0.
219 int (*mutex_init) (HWCryptoHook_Mutex *,
220 HWCryptoHook_CallerContext * cactx);
221 int (*mutex_acquire) (HWCryptoHook_Mutex *);
222 void (*mutex_release) (HWCryptoHook_Mutex *);
223 void (*mutex_destroy) (HWCryptoHook_Mutex *);
225 * For greater efficiency, can use condition vars internally for
226 * synchronisation. In this case maxsimultaneous is ignored, but
227 * the other mutex stuff must be available. In singlethreaded
228 * programs, set everything to 0.
231 int (*condvar_init) (HWCryptoHook_CondVar *,
232 HWCryptoHook_CallerContext * cactx);
233 int (*condvar_wait) (HWCryptoHook_CondVar *, HWCryptoHook_Mutex *);
234 void (*condvar_signal) (HWCryptoHook_CondVar *);
235 void (*condvar_broadcast) (HWCryptoHook_CondVar *);
236 void (*condvar_destroy) (HWCryptoHook_CondVar *);
238 * The semantics of acquiring and releasing mutexes and broadcasting
239 * and waiting on condition variables are expected to be those from
240 * POSIX threads (pthreads). The mutexes may be (in pthread-speak)
241 * fast mutexes, recursive mutexes, or nonrecursive ones.
243 * The _release/_signal/_broadcast and _destroy functions must
244 * always succeed when given a valid argument; if they are given an
245 * invalid argument then the program (crypto plugin + application)
246 * has an internal error, and they should abort the program.
248 int (*getpassphrase) (const char *prompt_info,
249 int *len_io, char *buf,
250 HWCryptoHook_PassphraseContext * ppctx,
251 HWCryptoHook_CallerContext * cactx);
253 * Passphrases and the prompt_info, if they contain high-bit-set
254 * characters, are UTF-8. The prompt_info may be a null pointer if
255 * no prompt information is available (it should not be an empty
256 * string). It will not contain text like `enter passphrase';
257 * instead it might say something like `Operator Card for John
258 * Smith' or `SmartCard in nFast Module #1, Slot #1'.
260 * buf points to a buffer in which to return the passphrase; on
261 * entry *len_io is the length of the buffer. It should be updated
262 * by the callback. The returned passphrase should not be
263 * null-terminated by the callback.
265 int (*getphystoken) (const char *prompt_info,
266 const char *wrong_info,
267 HWCryptoHook_PassphraseContext * ppctx,
268 HWCryptoHook_CallerContext * cactx);
270 * Requests that the human user physically insert a different
271 * smartcard, DataKey, etc. The plugin should check whether the
272 * currently inserted token(s) are appropriate, and if they are it
273 * should not make this call.
275 * prompt_info is as before. wrong_info is a description of the
276 * currently inserted token(s) so that the user is told what
277 * something is. wrong_info, like prompt_info, may be null, but
278 * should not be an empty string. Its contents should be
279 * syntactically similar to that of prompt_info.
282 * Note that a single LoadKey operation might cause several calls to
283 * getpassphrase and/or requestphystoken. If requestphystoken is
284 * not provided (ie, a null pointer is passed) then the plugin may
285 * not support loading keys for which authorisation by several cards
286 * is required. If getpassphrase is not provided then cards with
287 * passphrases may not be supported.
289 * getpassphrase and getphystoken do not need to check that the
290 * passphrase has been entered correctly or the correct token
291 * inserted; the crypto plugin will do that. If this is not the
292 * case then the crypto plugin is responsible for calling these
293 * routines again as appropriate until the correct token(s) and
294 * passphrase(s) are supplied as required, or until any retry limits
295 * implemented by the crypto plugin are reached.
297 * In either case, the application must allow the user to say `no'
298 * or `cancel' to indicate that they do not know the passphrase or
299 * have the appropriate token; this should cause the callback to
300 * return nonzero indicating error.
302 void (*logmessage) (void *logstream, const char *message);
304 * A log message will be generated at least every time something goes
305 * wrong and an ErrMsgBuf is filled in (or would be if one was
306 * provided). Other diagnostic information may be written there too,
307 * including more detailed reasons for errors which are reported in an
310 * When a log message is generated, this callback is called. It
311 * should write a message to the relevant logging arrangements.
313 * The message string passed will be null-terminated and may be of arbitrary
314 * length. It will not be prefixed by the time and date, nor by the
315 * name of the library that is generating it - if this is required,
316 * the logmessage callback must do it. The message will not have a
317 * trailing newline (though it may contain internal newlines).
319 * If a null pointer is passed for logmessage a default function is
320 * used. The default function treats logstream as a FILE* which has
321 * been converted to a void*. If logstream is 0 it does nothing.
322 * Otherwise it prepends the date and time and library name and
323 * writes the message to logstream. Each line will be prefixed by a
324 * descriptive string containing the date, time and identity of the
325 * crypto plugin. Errors on the logstream are not reported
326 * anywhere, and the default function doesn't flush the stream, so
327 * the application must set the buffering how it wants it.
329 * The crypto plugin may also provide a facility to have copies of
330 * log messages sent elsewhere, and or for adjusting the verbosity
331 * of the log messages; any such facilities will be configured by
334 } HWCryptoHook_InitInfo;
337 HWCryptoHook_ContextHandle HWCryptoHook_Init_t(const HWCryptoHook_InitInfo *
338 initinfo, size_t initinfosize,
339 const HWCryptoHook_ErrMsgBuf *
341 HWCryptoHook_CallerContext *
343 extern HWCryptoHook_Init_t HWCryptoHook_Init;
346 * Caller should set initinfosize to the size of the HWCryptoHook struct,
347 * so it can be extended later.
349 * On success, a message for display or logging by the server,
350 * including the name and version number of the plugin, will be filled
351 * in into *errors; on failure *errors is used for error handling, as
356 * All these functions return 0 on success, HWCRYPTOHOOK_ERROR_FAILED
357 * on most failures. HWCRYPTOHOOK_ERROR_MPISIZE means at least one of
358 * the output MPI buffer(s) was too small; the sizes of all have been
359 * set to the desired size (and for those where the buffer was large
360 * enough, the value may have been copied in), and no error message
363 * You may pass 0 for the errors struct. In any case, unless you set
364 * _NoStderr at init time then messages may be reported to stderr.
368 * The RSAImmed* functions (and key managed RSA) only work with
369 * modules which have an RSA patent licence - currently that means KM
370 * units; the ModExp* ones work with all modules, so you need a patent
371 * licence in the software in the US. They are otherwise identical.
375 void HWCryptoHook_Finish_t(HWCryptoHook_ContextHandle hwctx);
376 extern HWCryptoHook_Finish_t HWCryptoHook_Finish;
377 /* You must not have any calls going or keys loaded when you call this. */
380 int HWCryptoHook_RandomBytes_t(HWCryptoHook_ContextHandle hwctx,
381 unsigned char *buf, size_t len,
382 const HWCryptoHook_ErrMsgBuf * errors);
383 extern HWCryptoHook_RandomBytes_t HWCryptoHook_RandomBytes;
386 int HWCryptoHook_ModExp_t(HWCryptoHook_ContextHandle hwctx,
390 HWCryptoHook_MPI * r,
391 const HWCryptoHook_ErrMsgBuf * errors);
392 extern HWCryptoHook_ModExp_t HWCryptoHook_ModExp;
395 int HWCryptoHook_RSAImmedPub_t(HWCryptoHook_ContextHandle hwctx,
399 HWCryptoHook_MPI * r,
400 const HWCryptoHook_ErrMsgBuf * errors);
401 extern HWCryptoHook_RSAImmedPub_t HWCryptoHook_RSAImmedPub;
404 int HWCryptoHook_ModExpCRT_t(HWCryptoHook_ContextHandle hwctx,
408 HWCryptoHook_MPI dmp1,
409 HWCryptoHook_MPI dmq1,
410 HWCryptoHook_MPI iqmp,
411 HWCryptoHook_MPI * r,
412 const HWCryptoHook_ErrMsgBuf * errors);
413 extern HWCryptoHook_ModExpCRT_t HWCryptoHook_ModExpCRT;
416 int HWCryptoHook_RSAImmedPriv_t(HWCryptoHook_ContextHandle hwctx,
420 HWCryptoHook_MPI dmp1,
421 HWCryptoHook_MPI dmq1,
422 HWCryptoHook_MPI iqmp,
423 HWCryptoHook_MPI * r,
424 const HWCryptoHook_ErrMsgBuf * errors);
425 extern HWCryptoHook_RSAImmedPriv_t HWCryptoHook_RSAImmedPriv;
428 * The RSAImmed* and ModExp* functions may return E_FAILED or
429 * E_FALLBACK for failure.
431 * E_FAILED means the failure is permanent and definite and there
432 * should be no attempt to fall back to software. (Eg, for some
433 * applications, which support only the acceleration-only
434 * functions, the `key material' may actually be an encoded key
435 * identifier, and doing the operation in software would give wrong
438 * E_FALLBACK means that doing the computation in software would seem
439 * reasonable. If an application pays attention to this and is
440 * able to fall back, it should also set the Fallback init flags.
444 int HWCryptoHook_RSALoadKey_t(HWCryptoHook_ContextHandle hwctx,
445 const char *key_ident,
446 HWCryptoHook_RSAKeyHandle * keyhandle_r,
447 const HWCryptoHook_ErrMsgBuf * errors,
448 HWCryptoHook_PassphraseContext * ppctx);
449 extern HWCryptoHook_RSALoadKey_t HWCryptoHook_RSALoadKey;
451 * The key_ident is a null-terminated string configured by the
452 * user via the application's usual configuration mechanisms.
453 * It is provided to the user by the crypto provider's key management
454 * system. The user must be able to enter at least any string of between
455 * 1 and 1023 characters inclusive, consisting of printable 7-bit
456 * ASCII characters. The provider should avoid using
457 * any characters except alphanumerics and the punctuation
458 * characters _ - + . / @ ~ (the user is expected to be able
459 * to enter these without quoting). The string may be case-sensitive.
460 * The application may allow the user to enter other NULL-terminated strings,
461 * and the provider must cope (returning an error if the string is not
464 * If the key does not exist, no error is recorded and 0 is returned;
465 * keyhandle_r will be set to 0 instead of to a key handle.
469 int HWCryptoHook_RSAGetPublicKey_t(HWCryptoHook_RSAKeyHandle k,
470 HWCryptoHook_MPI * n,
471 HWCryptoHook_MPI * e,
472 const HWCryptoHook_ErrMsgBuf * errors);
473 extern HWCryptoHook_RSAGetPublicKey_t HWCryptoHook_RSAGetPublicKey;
475 * The crypto plugin will not store certificates.
477 * Although this function for acquiring the public key value is
478 * provided, it is not the purpose of this API to deal fully with the
479 * handling of the public key.
481 * It is expected that the crypto supplier's key generation program
482 * will provide general facilities for producing X.509
483 * self-certificates and certificate requests in PEM format. These
484 * will be given to the user so that they can configure them in the
485 * application, send them to CAs, or whatever.
487 * In case this kind of certificate handling is not appropriate, the
488 * crypto supplier's key generation program should be able to be
489 * configured not to generate such a self-certificate or certificate
490 * request. Then the application will need to do all of this, and
491 * will need to store and handle the public key and certificates
496 int HWCryptoHook_RSAUnloadKey_t(HWCryptoHook_RSAKeyHandle k,
497 const HWCryptoHook_ErrMsgBuf * errors);
498 extern HWCryptoHook_RSAUnloadKey_t HWCryptoHook_RSAUnloadKey;
499 /* Might fail due to locking problems, or other serious internal problems. */
502 int HWCryptoHook_RSA_t(HWCryptoHook_MPI m,
503 HWCryptoHook_RSAKeyHandle k,
504 HWCryptoHook_MPI * r,
505 const HWCryptoHook_ErrMsgBuf * errors);
506 extern HWCryptoHook_RSA_t HWCryptoHook_RSA;
507 /* RSA private key operation (sign or decrypt) - raw, unpadded. */
509 #endif /* HWCRYPTOHOOK_H */