1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
|
#ifndef L_NCR_H
#define L_NCR_H
#include <linux/types.h>
#ifndef __KERNEL__
#define __user
#endif
#define NCR_CIPHER_MAX_BLOCK_LEN 32
#define NCR_HASH_MAX_OUTPUT_SIZE 64
typedef enum {
NCR_ALG_NONE,
NCR_ALG_NULL,
NCR_ALG_3DES_CBC,
NCR_ALG_AES_CBC,
NCR_ALG_CAMELLIA_CBC,
NCR_ALG_ARCFOUR,
NCR_ALG_AES_ECB,
NCR_ALG_CAMELLIA_ECB,
NCR_ALG_AES_CTR,
NCR_ALG_CAMELLIA_CTR,
NCR_ALG_SHA1=40,
NCR_ALG_MD5,
NCR_ALG_SHA2_224,
NCR_ALG_SHA2_256,
NCR_ALG_SHA2_384,
NCR_ALG_SHA2_512,
NCR_ALG_HMAC_SHA1=80,
NCR_ALG_HMAC_MD5,
NCR_ALG_HMAC_SHA2_224,
NCR_ALG_HMAC_SHA2_256,
NCR_ALG_HMAC_SHA2_384,
NCR_ALG_HMAC_SHA2_512,
NCR_ALG_RSA=140,
NCR_ALG_DSA,
NCR_ALG_DH, /* DH as in PKCS #3 */
} ncr_algorithm_t;
typedef enum {
NCR_WALG_AES_RFC3394, /* for secret keys only */
NCR_WALG_AES_RFC5649, /* can wrap arbitrary key */
} ncr_wrap_algorithm_t;
typedef enum {
NCR_KEY_TYPE_INVALID,
NCR_KEY_TYPE_SECRET=1,
NCR_KEY_TYPE_PUBLIC=2,
NCR_KEY_TYPE_PRIVATE=3,
} ncr_key_type_t;
/* Key handling
*/
typedef int ncr_key_t;
#define NCR_KEY_INVALID ((ncr_key_t)-1)
#define NCR_KEY_FLAG_EXPORTABLE 1
#define NCR_KEY_FLAG_WRAPPABLE (1<<1)
/* when generating a pair the flags correspond to private
* and public key usage is implicit. For example when private
* key can decrypt then public key can encrypt. If private key
* can sign then public key can verify.
*/
#define NCR_KEY_FLAG_DECRYPT (1<<2)
#define NCR_KEY_FLAG_SIGN (1<<3)
struct ncr_key_generate_params_st {
ncr_algorithm_t algorithm; /* just a cipher algorithm when
* generating secret keys
*/
unsigned int keyflags;
union {
struct {
unsigned int bits;
} secret;
struct {
unsigned int bits;
unsigned long e; /* use zero for default */
} rsa;
struct {
/* For DSS standard allowed values
* are: p:1024 q: 160
* p:2048 q: 224
* p:2048 q: 256
* p:3072 q: 256
*/
unsigned int p_bits;
unsigned int q_bits;
} dsa;
struct {
__u8 __user *p; /* prime */
__kernel_size_t p_size;
__u8 __user *g; /* generator */
__kernel_size_t g_size;
} dh;
} params;
};
/* used in generation
*/
struct ncr_key_generate_st {
ncr_key_t desc;
ncr_key_t desc2; /* public key when called with GENERATE_PAIR */
struct ncr_key_generate_params_st params;
};
typedef enum {
RSA_PKCS1_V1_5, /* both signatures and encryption */
RSA_PKCS1_OAEP, /* for encryption only */
RSA_PKCS1_PSS, /* for signatures only */
} ncr_rsa_type_t;
/* used in derivation/encryption
*/
struct ncr_key_params_st {
/* this structure always corresponds to a key. Hence the
* parameters of the union selected are based on the corresponding
* key */
union {
struct {
__u8 iv[NCR_CIPHER_MAX_BLOCK_LEN];
__kernel_size_t iv_size;
} cipher;
struct {
__u8 __user *pub;
__kernel_size_t pub_size;
} dh;
struct {
ncr_rsa_type_t type;
ncr_algorithm_t oaep_hash; /* for OAEP */
ncr_algorithm_t sign_hash; /* for signatures */
unsigned int pss_salt; /* PSS signatures */
} rsa;
struct {
ncr_algorithm_t sign_hash; /* for signatures */
} dsa;
} params;
};
typedef enum {
NCR_DERIVE_DH=1,
} ncr_derive_t;
struct ncr_key_derivation_params_st {
ncr_derive_t derive; /* the derivation algorithm */
ncr_key_t newkey;
unsigned int keyflags; /* for new key */
ncr_key_t key;
struct ncr_key_params_st params;
};
#define MAX_KEY_ID_SIZE 20
struct ncr_key_info_st {
ncr_key_t key; /* input */
unsigned int flags;
ncr_key_type_t type;
ncr_algorithm_t algorithm; /* valid for public/private keys */
__u8 key_id[MAX_KEY_ID_SIZE];
__kernel_size_t key_id_size;
};
struct ncr_key_data_st {
ncr_key_t key;
void __user *idata;
__kernel_size_t idata_size; /* rw in get */
/* in case of import this will be used as key id */
__u8 key_id[MAX_KEY_ID_SIZE];
__kernel_size_t key_id_size;
ncr_key_type_t type;
unsigned int flags;
ncr_algorithm_t algorithm; /* valid for public/private keys */
};
#define NCRIO_KEY_INIT _IOW ('c', 204, ncr_key_t)
/* generate a secret key */
#define NCRIO_KEY_GENERATE _IOR ('c', 205, struct ncr_key_generate_st)
/* generate a public key pair */
#define NCRIO_KEY_GENERATE_PAIR _IOR ('c', 206, struct ncr_key_generate_st)
/* derive a new key from an old one */
#define NCRIO_KEY_DERIVE _IOR ('c', 207, struct ncr_key_derivation_params_st)
/* return information on a key */
#define NCRIO_KEY_GET_INFO _IOWR('c', 208, struct ncr_key_info_st)
/* export a secret key */
#define NCRIO_KEY_EXPORT _IOWR('c', 209, struct ncr_key_data_st)
/* import a secret key */
#define NCRIO_KEY_IMPORT _IOWR('c', 210, struct ncr_key_data_st)
#define NCRIO_KEY_DEINIT _IOR ('c', 215, ncr_key_t)
/* Key wrap ioctls
*/
struct ncr_key_wrap_st {
ncr_wrap_algorithm_t algorithm;
ncr_key_t keytowrap;
ncr_key_t key;
struct ncr_key_params_st params;
void __user * io; /* encrypted keytowrap */
/* this will be updated by the actual size on wrap */
__kernel_size_t io_size;
};
#define NCRIO_KEY_WRAP _IOWR ('c', 250, struct ncr_key_wrap_st)
#define NCRIO_KEY_UNWRAP _IOR ('c', 251, struct ncr_key_wrap_st)
/* Internal ops */
struct ncr_master_key_st {
__u8 __user * key;
__u16 key_size;
};
#define NCRIO_MASTER_KEY_SET _IOR ('c', 260, struct ncr_master_key_st)
/* These are similar to key_wrap and unwrap except that will store some extra
* fields to be able to recover a key */
struct ncr_key_storage_wrap_st {
ncr_key_t keytowrap;
void __user * io; /* encrypted keytowrap */
/* this will be updated by the actual size on wrap */
__kernel_size_t io_size;
};
#define NCRIO_KEY_STORAGE_WRAP _IOWR ('c', 261, struct ncr_key_storage_wrap_st)
#define NCRIO_KEY_STORAGE_UNWRAP _IOR ('c', 262, struct ncr_key_storage_wrap_st)
/* Crypto Operations ioctls
*/
typedef enum {
NCR_OP_ENCRYPT=1,
NCR_OP_DECRYPT,
NCR_OP_SIGN,
NCR_OP_VERIFY,
} ncr_crypto_op_t;
typedef int ncr_session_t;
#define NCR_SESSION_INVALID ((ncr_session_t)-1)
/* input of CIOCGSESSION */
struct ncr_session_st {
/* input */
ncr_algorithm_t algorithm;
ncr_key_t key;
struct ncr_key_params_st params;
ncr_crypto_op_t op;
/* output */
ncr_session_t ses; /* session identifier */
};
typedef enum {
NCR_SUCCESS = 0,
NCR_ERROR_GENERIC = -1,
NCR_VERIFICATION_FAILED = -2,
} ncr_error_t;
typedef enum {
NCR_KEY_DATA,
NCR_DIRECT_DATA,
} ncr_data_type_t;
struct ncr_session_op_st {
/* input */
ncr_session_t ses;
union {
struct {
ncr_key_t input;
void __user * output; /* when verifying signature this is
* the place of the signature.
*/
__kernel_size_t output_size;
} kdata; /* NCR_KEY_DATA */
struct {
void __user * input;
__kernel_size_t input_size;
void __user * output;
__kernel_size_t output_size;
} udata; /* NCR_DIRECT_DATA */
} data;
ncr_data_type_t type;
/* output of verification */
ncr_error_t err;
};
struct ncr_session_once_op_st {
struct ncr_session_st init;
struct ncr_session_op_st op;
};
#define NCRIO_SESSION_INIT _IOR ('c', 300, struct ncr_session_st)
#define NCRIO_SESSION_UPDATE _IOWR ('c', 301, struct ncr_session_op_st)
#define NCRIO_SESSION_FINAL _IOWR ('c', 302, struct ncr_session_op_st)
/* everything in one call */
#define NCRIO_SESSION_ONCE _IOWR ('c', 303, struct ncr_session_once_op_st)
#endif
|