From de0ec5e7dfe9adc893440cf114cb719c043fe5f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Mon, 27 Dec 2021 02:53:32 +0100 Subject: [PATCH] module: icp: remove vestigia of crypto sessions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Brian Behlendorf Signed-off-by: Ahelenia ZiemiaƄska Closes #12901 --- include/sys/crypto/common.h | 2 - module/icp/api/kcf_cipher.c | 4 +- module/icp/api/kcf_mac.c | 2 +- module/icp/include/sys/crypto/impl.h | 63 +++------------------------- module/icp/include/sys/crypto/spi.h | 23 ++++------ module/icp/io/aes.c | 39 +++++++---------- module/icp/io/sha2_mod.c | 26 +++++------- module/icp/io/skein_mod.c | 17 ++++---- 8 files changed, 50 insertions(+), 126 deletions(-) diff --git a/include/sys/crypto/common.h b/include/sys/crypto/common.h index 238bfb593e..45a95d7eed 100644 --- a/include/sys/crypto/common.h +++ b/include/sys/crypto/common.h @@ -154,8 +154,6 @@ typedef uint32_t crypto_provider_id_t; /* session data structure opaque to the consumer */ typedef void *crypto_session_t; -typedef uint_t crypto_session_id_t; - #define PROVIDER_OWNS_KEY_SCHEDULE 0x00000001 /* diff --git a/module/icp/api/kcf_cipher.c b/module/icp/api/kcf_cipher.c index e192a6e19f..34023f9843 100644 --- a/module/icp/api/kcf_cipher.c +++ b/module/icp/api/kcf_cipher.c @@ -89,7 +89,7 @@ retry: crypto_mechanism_t lmech = *mech; KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); - error = KCF_PROV_ENCRYPT_ATOMIC(pd, pd->pd_sid, &lmech, key, + error = KCF_PROV_ENCRYPT_ATOMIC(pd, &lmech, key, plaintext, ciphertext, spi_ctx_tmpl); KCF_PROV_INCRSTATS(pd, error); @@ -162,7 +162,7 @@ retry: crypto_mechanism_t lmech = *mech; KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); - error = KCF_PROV_DECRYPT_ATOMIC(pd, pd->pd_sid, &lmech, key, + error = KCF_PROV_DECRYPT_ATOMIC(pd, &lmech, key, ciphertext, plaintext, spi_ctx_tmpl); KCF_PROV_INCRSTATS(pd, error); diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c index 6766c61cfa..36db2cbb57 100644 --- a/module/icp/api/kcf_mac.c +++ b/module/icp/api/kcf_mac.c @@ -105,7 +105,7 @@ retry: crypto_mechanism_t lmech = *mech; KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); - error = KCF_PROV_MAC_ATOMIC(pd, pd->pd_sid, &lmech, key, data, + error = KCF_PROV_MAC_ATOMIC(pd, &lmech, key, data, mac, spi_ctx_tmpl); KCF_PROV_INCRSTATS(pd, error); diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h index 2194af8644..c15e263c4a 100644 --- a/module/icp/include/sys/crypto/impl.h +++ b/module/icp/include/sys/crypto/impl.h @@ -140,8 +140,6 @@ typedef enum { * provider. It is allocated and initialized at registration time and * freed when the provider unregisters. * - * pd_sid: Session ID of the provider used by kernel clients. - * This is valid only for session-oriented providers. * pd_refcnt: Reference counter to this provider descriptor * pd_irefcnt: References held by the framework internal structs * pd_lock: lock protects pd_state @@ -164,7 +162,6 @@ typedef enum { * pd_ks_data: kstat data */ typedef struct kcf_provider_desc { - crypto_session_id_t pd_sid; uint_t pd_refcnt; uint_t pd_irefcnt; kmutex_t pd_lock; @@ -312,54 +309,6 @@ extern const kcf_mech_entry_tab_t kcf_mech_tabs_tab[]; #define KCF_TO_PROV_MECHNUM(pd, mech_type) \ (KCF_TO_PROV_MECHINFO(pd, mech_type).cm_mech_number) -/* ps_refcnt is protected by cm_lock in the crypto_minor structure */ -typedef struct crypto_provider_session { - struct crypto_provider_session *ps_next; - crypto_session_id_t ps_session; - kcf_provider_desc_t *ps_provider; - kcf_provider_desc_t *ps_real_provider; - uint_t ps_refcnt; -} crypto_provider_session_t; - -typedef struct crypto_session_data { - kmutex_t sd_lock; - kcondvar_t sd_cv; - uint32_t sd_flags; - int sd_pre_approved_amount; - crypto_ctx_t *sd_digest_ctx; - crypto_ctx_t *sd_encr_ctx; - crypto_ctx_t *sd_decr_ctx; - crypto_ctx_t *sd_sign_ctx; - crypto_ctx_t *sd_verify_ctx; - crypto_ctx_t *sd_sign_recover_ctx; - crypto_ctx_t *sd_verify_recover_ctx; - kcf_provider_desc_t *sd_provider; - void *sd_find_init_cookie; - crypto_provider_session_t *sd_provider_session; -} crypto_session_data_t; - -#define CRYPTO_SESSION_IN_USE 0x00000001 -#define CRYPTO_SESSION_IS_BUSY 0x00000002 -#define CRYPTO_SESSION_IS_CLOSED 0x00000004 - -#define KCF_MAX_PIN_LEN 1024 - -/* - * Per-minor info. - * - * cm_lock protects everything in this structure except for cm_refcnt. - */ -typedef struct crypto_minor { - uint_t cm_refcnt; - kmutex_t cm_lock; - kcondvar_t cm_cv; - crypto_session_data_t **cm_session_table; - uint_t cm_session_table_count; - kcf_provider_desc_t **cm_provider_array; - uint_t cm_provider_count; - crypto_provider_session_t *cm_provider_session; -} crypto_minor_t; - /* * Return codes for internal functions */ @@ -399,18 +348,18 @@ typedef struct crypto_minor { KCF_PROV_CIPHER_OPS(pd)->encrypt_init(ctx, mech, key, template) : \ CRYPTO_NOT_SUPPORTED) -#define KCF_PROV_ENCRYPT_ATOMIC(pd, session, mech, key, plaintext, ciphertext, \ +#define KCF_PROV_ENCRYPT_ATOMIC(pd, mech, key, plaintext, ciphertext, \ template) ( \ (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic) ? \ KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic( \ - session, mech, key, plaintext, ciphertext, template) : \ + mech, key, plaintext, ciphertext, template) : \ CRYPTO_NOT_SUPPORTED) -#define KCF_PROV_DECRYPT_ATOMIC(pd, session, mech, key, ciphertext, plaintext, \ +#define KCF_PROV_DECRYPT_ATOMIC(pd, mech, key, ciphertext, plaintext, \ template) ( \ (KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic) ? \ KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic( \ - session, mech, key, ciphertext, plaintext, template) : \ + mech, key, ciphertext, plaintext, template) : \ CRYPTO_NOT_SUPPORTED) /* @@ -436,10 +385,10 @@ typedef struct crypto_minor { KCF_PROV_MAC_OPS(pd)->mac_final(ctx, mac) : \ CRYPTO_NOT_SUPPORTED) -#define KCF_PROV_MAC_ATOMIC(pd, session, mech, key, data, mac, template) ( \ +#define KCF_PROV_MAC_ATOMIC(pd, mech, key, data, mac, template) ( \ (KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_atomic) ? \ KCF_PROV_MAC_OPS(pd)->mac_atomic( \ - session, mech, key, data, mac, template) : \ + mech, key, data, mac, template) : \ CRYPTO_NOT_SUPPORTED) /* diff --git a/module/icp/include/sys/crypto/spi.h b/module/icp/include/sys/crypto/spi.h index 156fdabe4c..ef52526574 100644 --- a/module/icp/include/sys/crypto/spi.h +++ b/module/icp/include/sys/crypto/spi.h @@ -78,8 +78,7 @@ typedef struct crypto_digest_ops { int (*digest_update)(crypto_ctx_t *, crypto_data_t *); int (*digest_key)(crypto_ctx_t *, crypto_key_t *); int (*digest_final)(crypto_ctx_t *, crypto_data_t *); - int (*digest_atomic)(crypto_session_id_t, - crypto_mechanism_t *, crypto_data_t *, + int (*digest_atomic)(crypto_mechanism_t *, crypto_data_t *, crypto_data_t *); } __no_const crypto_digest_ops_t; @@ -99,9 +98,8 @@ typedef struct crypto_cipher_ops { crypto_data_t *, crypto_data_t *); int (*encrypt_final)(crypto_ctx_t *, crypto_data_t *); - int (*encrypt_atomic)(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t); + int (*encrypt_atomic)(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); int (*decrypt_init)(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, @@ -112,9 +110,8 @@ typedef struct crypto_cipher_ops { crypto_data_t *, crypto_data_t *); int (*decrypt_final)(crypto_ctx_t *, crypto_data_t *); - int (*decrypt_atomic)(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t); + int (*decrypt_atomic)(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); } __no_const crypto_cipher_ops_t; /* @@ -133,12 +130,10 @@ typedef struct crypto_mac_ops { crypto_data_t *); int (*mac_final)(crypto_ctx_t *, crypto_data_t *); - int (*mac_atomic)(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t); - int (*mac_verify_atomic)(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t); + int (*mac_atomic)(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); + int (*mac_verify_atomic)(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); } __no_const crypto_mac_ops_t; /* diff --git a/module/icp/io/aes.c b/module/icp/io/aes.c index f7f3bcc2be..b0f51262dd 100644 --- a/module/icp/io/aes.c +++ b/module/icp/io/aes.c @@ -81,16 +81,14 @@ static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *); static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); -static int aes_encrypt_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t); +static int aes_encrypt_atomic(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); -static int aes_decrypt_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_data_t *, crypto_spi_ctx_template_t); +static int aes_decrypt_atomic(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); static const crypto_cipher_ops_t aes_cipher_ops = { .encrypt_init = aes_encrypt_init, @@ -105,12 +103,10 @@ static const crypto_cipher_ops_t aes_cipher_ops = { .decrypt_atomic = aes_decrypt_atomic }; -static int aes_mac_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t); -static int aes_mac_verify_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t); +static int aes_mac_atomic(crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, + crypto_data_t *, crypto_spi_ctx_template_t); +static int aes_mac_verify_atomic(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); static const crypto_mac_ops_t aes_mac_ops = { .mac_init = NULL, @@ -832,12 +828,10 @@ aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data) } static int -aes_encrypt_atomic(crypto_session_id_t session_id, - crypto_mechanism_t *mechanism, +aes_encrypt_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, crypto_spi_ctx_template_t template) { - (void) session_id; aes_ctx_t aes_ctx; /* on the stack */ off_t saved_offset; size_t saved_length; @@ -968,12 +962,10 @@ out: } static int -aes_decrypt_atomic(crypto_session_id_t session_id, - crypto_mechanism_t *mechanism, +aes_decrypt_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, crypto_spi_ctx_template_t template) { - (void) session_id; aes_ctx_t aes_ctx; /* on the stack */ off_t saved_offset; size_t saved_length; @@ -1308,7 +1300,7 @@ process_gmac_mech(crypto_mechanism_t *mech, crypto_data_t *data, } static int -aes_mac_atomic(crypto_session_id_t session_id, crypto_mechanism_t *mechanism, +aes_mac_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t template) { @@ -1324,14 +1316,13 @@ aes_mac_atomic(crypto_session_id_t session_id, crypto_mechanism_t *mechanism, gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS); gcm_mech.cm_param = (char *)&gcm_params; - return (aes_encrypt_atomic(session_id, &gcm_mech, + return (aes_encrypt_atomic(&gcm_mech, key, &null_crypto_data, mac, template)); } static int -aes_mac_verify_atomic(crypto_session_id_t session_id, - crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, - crypto_data_t *mac, crypto_spi_ctx_template_t template) +aes_mac_verify_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, + crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t template) { CK_AES_GCM_PARAMS gcm_params; crypto_mechanism_t gcm_mech; @@ -1345,6 +1336,6 @@ aes_mac_verify_atomic(crypto_session_id_t session_id, gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS); gcm_mech.cm_param = (char *)&gcm_params; - return (aes_decrypt_atomic(session_id, &gcm_mech, + return (aes_decrypt_atomic(&gcm_mech, key, mac, &null_crypto_data, template)); } diff --git a/module/icp/io/sha2_mod.c b/module/icp/io/sha2_mod.c index cac9771dd5..c586c32726 100644 --- a/module/icp/io/sha2_mod.c +++ b/module/icp/io/sha2_mod.c @@ -94,8 +94,8 @@ static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *); static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *); static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *); -static int sha2_digest_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_data_t *, crypto_data_t *); +static int sha2_digest_atomic(crypto_mechanism_t *, crypto_data_t *, + crypto_data_t *); static const crypto_digest_ops_t sha2_digest_ops = { .digest_init = sha2_digest_init, @@ -109,12 +109,10 @@ static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t); static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *); static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *); -static int sha2_mac_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t); -static int sha2_mac_verify_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t); +static int sha2_mac_atomic(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); +static int sha2_mac_verify_atomic(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); static const crypto_mac_ops_t sha2_mac_ops = { .mac_init = sha2_mac_init, @@ -537,10 +535,9 @@ sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest) } static int -sha2_digest_atomic(crypto_session_id_t session_id, - crypto_mechanism_t *mechanism, crypto_data_t *data, crypto_data_t *digest) +sha2_digest_atomic(crypto_mechanism_t *mechanism, crypto_data_t *data, + crypto_data_t *digest) { - (void) session_id; int ret = CRYPTO_SUCCESS; SHA2_CTX sha2_ctx; uint32_t sha_digest_len; @@ -898,11 +895,10 @@ sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac) } static int -sha2_mac_atomic(crypto_session_id_t session_id, crypto_mechanism_t *mechanism, +sha2_mac_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t ctx_template) { - (void) session_id; int ret = CRYPTO_SUCCESS; uchar_t digest[SHA512_DIGEST_LENGTH]; sha2_hmac_ctx_t sha2_hmac_ctx; @@ -1031,12 +1027,10 @@ bail: } static int -sha2_mac_verify_atomic(crypto_session_id_t session_id, - crypto_mechanism_t *mechanism, +sha2_mac_verify_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t ctx_template) { - (void) session_id; int ret = CRYPTO_SUCCESS; uchar_t digest[SHA512_DIGEST_LENGTH]; sha2_hmac_ctx_t sha2_hmac_ctx; diff --git a/module/icp/io/skein_mod.c b/module/icp/io/skein_mod.c index 97cfd52b9e..1d6969e688 100644 --- a/module/icp/io/skein_mod.c +++ b/module/icp/io/skein_mod.c @@ -49,8 +49,8 @@ static int skein_digest_init(crypto_ctx_t *, crypto_mechanism_t *); static int skein_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); static int skein_update(crypto_ctx_t *, crypto_data_t *); static int skein_final(crypto_ctx_t *, crypto_data_t *); -static int skein_digest_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_data_t *, crypto_data_t *); +static int skein_digest_atomic(crypto_mechanism_t *, crypto_data_t *, + crypto_data_t *); static const crypto_digest_ops_t skein_digest_ops = { .digest_init = skein_digest_init, @@ -62,9 +62,8 @@ static const crypto_digest_ops_t skein_digest_ops = { static int skein_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t); -static int skein_mac_atomic(crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, - crypto_spi_ctx_template_t); +static int skein_mac_atomic(crypto_mechanism_t *, crypto_key_t *, + crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); static const crypto_mac_ops_t skein_mac_ops = { .mac_init = skein_mac_init, @@ -467,10 +466,9 @@ skein_final(crypto_ctx_t *ctx, crypto_data_t *digest) * Supported input/output formats are raw, uio and mblk. */ static int -skein_digest_atomic(crypto_session_id_t session_id, - crypto_mechanism_t *mechanism, crypto_data_t *data, crypto_data_t *digest) +skein_digest_atomic(crypto_mechanism_t *mechanism, crypto_data_t *data, + crypto_data_t *digest) { - (void) session_id; int error; skein_ctx_t skein_ctx; crypto_ctx_t ctx; @@ -570,12 +568,11 @@ errout: * function as to those of the partial operations above. */ static int -skein_mac_atomic(crypto_session_id_t session_id, crypto_mechanism_t *mechanism, +skein_mac_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t ctx_template) { /* faux crypto context just for skein_digest_{update,final} */ - (void) session_id; int error; crypto_ctx_t ctx; skein_ctx_t skein_ctx;