typhoon.h

IBM的Linux上的PKCS#11实现

    {
        CR_AUTH_CODE       auth_code ;
        CR_OP_CODE         crypto_code ;
        INT32              sa_flags ;
        hmac_key           *hmac_key ;

        union
        {
            des_key    *des_sym_key ;
            aes_key    *aes_sym_key ;
        } sym_key ;
    } ipsec_key ;

/* Data structures and defines for returning statistics into the library.
 * The same structure will be passed into the driver. 
 */

#ifndef CR7020_STATS_HDR
#define CR7020_STATS_HDR

#define CR7020_MAX_STATS             20 
#define CR7020_MAX_STAT_NAME_LEN     30 
 
typedef struct cr_key_value_pair
        {
                char              key[CR7020_MAX_STAT_NAME_LEN] ;
                unsigned long     value ;
        } cr_key_value_pair;
 
typedef struct cr_stat_table
        {
                union
                {
                        cr_key_value_pair       cr7020_stat[CR7020_MAX_STATS] ;
                } dev ;
        } cr_stat_table;
 
cr_stat_table    cr7020_stat_table ;

#endif /* CR7020_STATS_HDR */                                                                                      

#ifndef CR_DEVICE_INFO
#define CR_DEVICE_INFO

typedef struct cr_device_info_struct {
        unsigned char driver_version[8];
        unsigned int device;
        unsigned int device_status;
        unsigned char pci_bus_num;
        unsigned char pci_dev_num;
        unsigned char pci_func_num;
} cr_device_info;

#endif /* CR_DEVICE_INFO */                                                                                      

/* ##################################################################### */
/*                 Define Function Prototypes                            */
/* ##################################################################### */

/**************************************************************************
                         Numerical Functions
***************************************************************************/

/* The following function is used for retrieving a random number. The desired
   length of the random is specified in the size parameter.  The random number 
   is returned in result buffer, along with the byte size.               */
RC CR_get_random(token *result, INT32 size) ;
   
/* This function will be used for returning strong DES keys, each 8 byte in
   size. The number of keys is specified in the count parameter. The result
   token will be filled with the 'count' number of DES keys concatenated
   in one string. The result size component will contain the length of the
   DES key string in bytes.                                             */
RC CR_get_des_keys(token *result, INT32 count) ;

/* This function is used for returning a prime number of a desired length
   (in bytes). This length is specified in the size parameter. The prime 
   number is returned in the result buffer, along with the size in bytes */
RC CR_get_prime(token *result, INT32 size) ;

/* The following function is used for performing mod operations (a mod n) on the
   argument, and returns the result. The argument must be in the octet format. */
RC CR_mod(token *result, token *argument, token *modulus) ;

/* The following function is used for performing mod exp (a^e mod n) operations 
   on the argument, and returns the result. This uses Montgomery exponentiation
   method. The argument must be in the octet format and it DOES require a modulo
   reduction being already done. */
RC CR_mod_exp_mont(token *result, token *argument, token *modulus, token *exponent) ;

#ifdef TYPHOON_B
/* The following function is used for performing mod exp (a^e mod n) operations
   on the argument, and returns the result. This uses Montgomery exponentiation
   method. The argument must be in the octet format and DOES NOT require a 
   modulo reduction. */
RC CR_mod_exp_mont_with_reduction(token *result, token *argument, token *modulus,
                                  token *exponent) ;
#endif /* TYPHOON_B */

/* The following function is used for performing mod exp (a^e mod n) operations 
   using the Chinese Remainder Theorem. This operation may be used for the RSA
   private key decrypt, and RSA signing operations. The argument must be in 
   the octet format.                                                    */
RC CR_mod_exp_crt(token *result, token *argument, token *prime_p, token *prime_q, 
                  token *dmp1, token *dmq1, token *iqmp) ;

/* The following function is used for performing mod_add (a+b mod n) operations 
   on the arguments, and returns the result. The argument must be in the octet format. */
RC CR_mod_add(token *result, token *a_arg, token *b_arg, token *modulus) ;

/* The following function is used for performing mod_mult (a*b mod n) operations 
   on the arguments, and returns the result. This operation uses Montgomery 
   multiplication method. The argument must be in the octet format. */
RC CR_mod_mult_mont(token *result, token *a_arg, token *b_arg, token *modulus) ;

/* The following function will compute 'inv(k) mod n' operation on the
   argument (k) that is passed in along with the modulus (n). */
RC CR_inv_mod(token *result, token *k, token *modulus) ;

/* The following function will be used for computing the value of R^2 mod N,
   where R^2 = 2^(2*(k+8)) and 'k' is size of N in bytes */
RC CR_r_sqr_mod_n(token *result, token *modulus) ;

/**************************************************************************
                         Public-Key Crypto Functions
***************************************************************************/

/* The following function is used for performing RSA encrypt operations on the
   argument, and returns the result. The 'argument' is in the octet string 
   format. This function performs rsa_type operations to encrypt the argument.
   The exponent is the public key 'e' component of the recipient. 
   The trans_id is used for debug/error tracking and is optional (can be NULL) */
RC CR_rsa_encrypt(token *ciphertext, BYTE *trans_id, token *argument, CR_RSA_TYPE rsa_type,
                  rsa_key *key) ;

/* The following function is used for performing RSA decrypt operations on the
   argument, and returns the result. The 'argument' is the ciphertext in the octet 
   string format. This function performs rsa_type operations to decrypt the argument.
   The rsa_key->exponent is the private key 'd' of the recipient. 
   The trans_id is used for debug/error tracking and is optional (can be NULL) */
RC CR_rsa_decrypt(token *plaintext, BYTE *trans_id, token *argument, CR_RSA_TYPE rsa_type,
                  rsa_key *key) ;

/* The following function is used for performing RSA decrypt operations on the
   argument, and returns the result. The 'argument' is the ciphertext in the octet 
   string format. This function performs PKCS#1 operation, specified by rsa_type,
    to decrypt the argument. 
   The rsa_key->exponent is the private key 'd' of the recipient. 
   The trans_id is used for debug/error tracking and is optional (can be NULL) */
RC CR_rsa_decrypt_crt(token *plaintext, BYTE *trans_id, token *argument, 
                      CR_RSA_TYPE rsa_type, rsa_crt_key *key) ;

/* The following function is used for performing RSA private key decrypt ops on the
   argument, and returns the original msg that was encrypted. The 'argument' is 
   in the octet string format. This function does NOT perform any padding ops, and 
   is designed to be used by an external RSA_decrypt() function. The result is of 
   the same size as the modulus, which means that it may have leading zeros.
   The rsa_key->exponent is the private key 'd' of the recipient.
   The trans_id is used for debug/error tracking and is optional (can be NULL)  */
RC CR_rsa_private_decrypt(token *plaintext, BYTE *trans_id, token *argument, rsa_key *key) ;

/* The following function performs RSA private key decrypt operations, using CRT,
   on the argument, and returns the original msg. The 'argument' is in the octet string
   format. This function does not perform any padding operations, and will be used by an
   external RSA_decrypt function. The result is of the same size as the modulus, which 
   means that it may have leading zeros. 
   The trans_id is used for debug/error tracking and is optional (can be NULL) */
RC CR_rsa_private_decrypt_crt(token *plaintext, BYTE *trans_id, token *argument,
                              rsa_crt_key *key) ;

/* The following function is used for performing RSA signing operations on the
   argument, and returns the signature. The 'argument' is in the octet string 
   format. This function performs PKCS#1 encoding operations, as specified by
   rsa_type to generate the signature. The hash_code value depends on the 
   protocol requesting the signing.  
   The trans_id is used for debug/error tracking and is optional (can be NULL) */
RC CR_rsa_sign(token *signature, BYTE *trans_id, token *argument, CR_RSA_TYPE rsa_type,
               rsa_key *key, CR_AUTH_CODE hash_code) ;

/* The following function uses CRT for performing RSA signing operations on the
   argument, and returns the signature. The 'argument' is in the octet string 
   format. This function performs PKCS#1 encoding operations, as specified 
   by rsa_type, to generate the signature. The hash_code value depends on the
   the protocol requesting the signing.  
   The trans_id is used for debug/error tracking and is optional (can be NULL) */
RC CR_rsa_sign_crt(token *signature, BYTE *trans_id, token *argument, CR_RSA_TYPE rsa_type,
                   rsa_crt_key *key, CR_AUTH_CODE hash_code) ;

/* The following function is used for performing RSA signature verification operations 
   on the 'signature', and returns the message. The received signature is in the 
   octet string format. This function performs PKCS#1 operation, as specified by
   rsa_type, to generate the message signed by sender. The rsa_key->exponent is 
   the public key 'e' component of the sender. The computed message is in the 
   octet string format. This function also compares the computed 'message' with 
   the original message to verify the signature. This function returns SUCCESS 
   if the signatures are valid, and FAILURE otherwise. 
   The trans_id is used for debug/error tracking and is optional (can be NULL) */
RC CR_rsa_verify(token *message, BYTE *trans_id, token *signature, CR_RSA_TYPE rsa_type,
                 rsa_key *key, CR_AUTH_CODE hash_code) ;

/* The following function is used for performing RSA public key decrypt operation,
   which will be used by external RSA_verify function.
   The received signature is in the octet string format. This function performs
   PKCS#1 mod_exp operation, to generate the original encoded message which was 
   signed by sender. This function returns the PKCS#1 encoded original message 
   in sign_decrypted token.
 */
RC CR_rsa_public_decrypt(token *sign_decrypted, BYTE *trans_id, token *signature,
                         rsa_key *key) ;

/* The following function is used for signing the SHA-1 hashed message. If the passed
   random number pointer is NULL, then the library internally generates a random number.
   This function returns the signature components 'r' and 's' in dsa_sign struct. 
   The trans_id is used for debug/error tracking and is optional (can be NULL) */
RC CR_dsa_signature(dsa_sign_key *signature, BYTE *trans_id, token *msg_hash, 
                    dsa_key *key, token *random_k) ;

/* The following function is used for verifying the DSA signatures on the message
   (hash_msg_recd). The received signatures that were used to sign this hash_msg_recd
   must be passed.  This returns a value indicating if the signatures match (RC=SUCCESS) 
   or do not match (RC=FAILURE). 
   The trans_id is used for debug/error tracking and is optional (can be NULL) */
RC CR_dsa_verify(BYTE *trans_id, token *msg_hash_recd, dsa_sign_key *signature_recd, 
                 dsa_key *key) ;

/**************************************************************************
                         Symmetric Crypto Functions
***************************************************************************/

/* The following function is used for performing encryption operations 
   on the data (plaintext). The trans_id identifies key which contains information, 
   internal to the library, about the cipher algorithm.                         */  
RC CR_encrypt(token *ciphertext, BYTE *trans_id, token *plaintext) ;

/* The following function is used for performing decryption operations 
   on the data (ciphertext). The trans_id identifies key which contains information, 
   internal to the library, about the cipher algorithm.                         */  
RC CR_decrypt(token *plaintext, BYTE *trans_id, token *ciphertext) ;

/* The following function performs entire SSLv3 outbound record layer processing. The
   processing steps include SSLv3 record layer MAC generation (ignoring version
   field), padding (for block ciphers only), and encryption. The sequence number 
   is a 64-bit number that the application must pass as an 8-byte string.      */
RC CR_encrypt_sslv3_record(token *sslv3_ciphertext, BYTE *trans_id, BYTE *seq_num,
                           token *sslv3_compressed) ; 

/* The following function performs entire SSLv3 inbound record layer processing. The
   processing steps include SSLv3 record layer decryption, MAC generation w/o version
   field and verification, verification and removal of padding (for block ciphers only), 
   and update length field. The sequence number is a 64-bit number that the application 
   must pass as an 8 Byte string. RC=SUCCESS indicates that there was no error in
   decrypting the record, and RC=FAILURE indicates an error (MAC verify, Seq Number check,
   Pad verify, or system error) occurred while processing the record.            */
RC CR_decrypt_sslv3_record(token *sslv3_compressed, BYTE *trans_id, BYTE *seq_num,
                           token *sslv3_ciphertext) ; 

/* The following function performs entire TLS1.0 outbound record layer processing. The
   processing steps include TLS1.0 record layer MAC generation (using HMAC)
   padding (for block ciphers only), and encryption. The sequence number is a 
   64-bit number that the application must pass as an 8-byte string.             */
RC CR_encrypt_tlsv1_record(token *tlsv1_ciphertext, BYTE *trans_id, BYTE *seq_num,
                           token *tlsv1_compressed) ; 

/* The following function performs entire TLS1.0 inbound record layer processing. The
   processing steps include TLS1.0 record layer decryption, MAC generation 
   and verification, verification and removal of padding (for block ciphers only), 
   and update length field. The sequence number is a 64-bit number that the application 
   must pass as an 8 Byte string. RC=SUCCESS indicates that there was no error in
   decrypting the record, and RC=FAILURE indicates an error (MAC verify, Seq Number check,
   Pad verify, or system error) occurred while processing the record.            */
RC CR_decrypt_tlsv1_record(token *tlsv1_compressed, BYTE *trans_id, BYTE *seq_num,
                           token *tlsv1_ciphertext) ; 

/* The following function performs entire SSLv3 outbound record layer
   processing, which has a key passed along with the record.  This function is
   a combination of the CR_insert_sslv3_key() and CR_encrypt_sslv3_record(),
   which performs these 2 tasks using a single ioctl command. This function
   will also update the SA and chip numbers in the library.
   input: trans_id - The transaction identifier that identifies the key
                     and cipher/hash, inside the library
          sslv3_compressed - The compressed SSL record data and size