| author | mcpowers <none@none> | 2005-11-14 08:55:16 -0800 |
|---|---|---|
| committer | mcpowers <none@none> | 2005-11-14 08:55:16 -0800 |
| commit | 894b27768c68091df4918b3219c91ed77d2d4054 (patch) | |
| tree | e374ef1c5807bdb68f7b390e0b33d7903910db55 /usr/src/uts/common/sys | |
| parent | 4de2612967d06c4fdbf524a62556a1e8118a006f (diff) | |
| download | illumos-gate-894b27768c68091df4918b3219c91ed77d2d4054.tar.gz | |
PSARC 2005/576 Support for complex cryptographic mechanisms
PSARC 2005/630 session, object, and key management kernel crypto API
PSARC 2005/656 AES CTR mode for KCF
PSARC 2005/659 Hiding members of KCF logical providers
4721729 Support AES Counter mode for encryption
6243992 dprov stores attributes based on data model of application
6203141 Sessions and objects management kernel crypto API
6253484 Support mechanisms with complex mech_param structures across the EF stack
6314217 Hide underlying providers of logical providers
Diffstat (limited to 'usr/src/uts/common/sys')
| -rw-r--r-- | usr/src/uts/common/sys/crypto/api.h | 140 | ||||
| -rw-r--r-- | usr/src/uts/common/sys/crypto/common.h | 3 | ||||
| -rw-r--r-- | usr/src/uts/common/sys/crypto/impl.h | 166 | ||||
| -rw-r--r-- | usr/src/uts/common/sys/crypto/sched_impl.h | 9 | ||||
| -rw-r--r-- | usr/src/uts/common/sys/crypto/spi.h | 96 |
5 files changed, 260 insertions, 154 deletions
diff --git a/usr/src/uts/common/sys/crypto/api.h b/usr/src/uts/common/sys/crypto/api.h index 7d95f45ed9..f73d5ad992 100644 --- a/usr/src/uts/common/sys/crypto/api.h +++ b/usr/src/uts/common/sys/crypto/api.h @@ -20,7 +20,7 @@ * CDDL HEADER END */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -78,8 +78,13 @@ extern void crypto_destroy_ctx_template(crypto_ctx_template_t tmpl); */ extern int crypto_digest(crypto_mechanism_t *mech, crypto_data_t *data, crypto_data_t *digest, crypto_call_req_t *cr); +extern int crypto_digest_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_data_t *, crypto_data_t *, + crypto_call_req_t *); extern int crypto_digest_init(crypto_mechanism_t *mech, crypto_context_t *ctxp, crypto_call_req_t *cr); +extern int crypto_digest_init_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_context_t *, crypto_call_req_t *); extern int crypto_digest_update(crypto_context_t ctx, crypto_data_t *data, crypto_call_req_t *cr); extern int crypto_digest_final(crypto_context_t ctx, crypto_data_t *digest, 
@@ -91,11 +96,20 @@ extern int crypto_digest_final(crypto_context_t ctx, crypto_data_t *digest, extern int crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac, crypto_call_req_t *cr); +extern int crypto_mac_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_data_t *, crypto_key_t *, + crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); extern int crypto_mac_verify(crypto_mechanism_t *mech, crypto_data_t *data, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac, crypto_call_req_t *cr); +extern int crypto_mac_verify_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_data_t *, crypto_key_t *, + crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); extern int crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *cr); +extern int crypto_mac_init_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t, + crypto_context_t *, crypto_call_req_t *); extern int crypto_mac_update(crypto_context_t ctx, crypto_data_t *data, crypto_call_req_t *cr); extern int crypto_mac_final(crypto_context_t ctx, crypto_data_t *data, 
@@ -107,15 +121,27 @@ extern int crypto_mac_final(crypto_context_t ctx, crypto_data_t *data, extern int crypto_sign(crypto_mechanism_t *mech, crypto_key_t *key, crypto_data_t *data, crypto_ctx_template_t tmpl, crypto_data_t *signature, crypto_call_req_t *cr); +extern int crypto_sign_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, + crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); extern int crypto_sign_init(crypto_mechanism_t *mech, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *cr); +extern int crypto_sign_init_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t, + crypto_context_t *, crypto_call_req_t *); extern int crypto_sign_update(crypto_context_t ctx, crypto_data_t *data, crypto_call_req_t *cr); extern int crypto_sign_final(crypto_context_t ctx, crypto_data_t *signature, crypto_call_req_t *cr); +extern int crypto_sign_recover_init_prov(crypto_provider_t, + crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, + crypto_ctx_template_t tmpl, crypto_context_t *, crypto_call_req_t *); extern int crypto_sign_recover(crypto_mechanism_t *mech, crypto_key_t *key, crypto_data_t *data, crypto_ctx_template_t tmpl, crypto_data_t *signature, crypto_call_req_t *cr); +extern int crypto_sign_recover_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, + crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); /* * Single and multi-part verify with public key operations. 
@@ -123,15 +149,27 @@ extern int crypto_sign_recover(crypto_mechanism_t *mech, crypto_key_t *key, extern int crypto_verify(crypto_mechanism_t *mech, crypto_key_t *key, crypto_data_t *data, crypto_ctx_template_t tmpl, crypto_data_t *signature, crypto_call_req_t *cr); +extern int crypto_verify_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, + crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); extern int crypto_verify_init(crypto_mechanism_t *mech, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *cr); +extern int crypto_verify_init_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t, + crypto_context_t *, crypto_call_req_t *); extern int crypto_verify_update(crypto_context_t ctx, crypto_data_t *data, crypto_call_req_t *cr); extern int crypto_verify_final(crypto_context_t ctx, crypto_data_t *signature, crypto_call_req_t *cr); +extern int crypto_verify_recover_init_prov(crypto_provider_t, + crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, + crypto_ctx_template_t tmpl, crypto_context_t *, crypto_call_req_t *); extern int crypto_verify_recover(crypto_mechanism_t *mech, crypto_key_t *key, crypto_data_t *signature, crypto_ctx_template_t tmpl, crypto_data_t *data, crypto_call_req_t *cr); +extern int crypto_verify_recover_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, + crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); /* * Single and multi-part encryption operations. 
@@ -139,8 +177,14 @@ extern int crypto_verify_recover(crypto_mechanism_t *mech, crypto_key_t *key, extern int crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *ciphertext, crypto_call_req_t *cr); +extern int crypto_encrypt_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_data_t *, crypto_key_t *, + crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); extern int crypto_encrypt_init(crypto_mechanism_t *mech, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *cr); +extern int crypto_encrypt_init_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t, + crypto_context_t *, crypto_call_req_t *); extern int crypto_encrypt_update(crypto_context_t ctx, crypto_data_t *plaintext, crypto_data_t *ciphertext, crypto_call_req_t *cr); @@ -153,9 +197,15 @@ extern int crypto_encrypt_final(crypto_context_t ctx, extern int crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *plaintext, crypto_call_req_t *cr); +extern int crypto_decrypt_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_data_t *, crypto_key_t *, + crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); extern int crypto_decrypt_init(crypto_mechanism_t *mech, crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *cr); +extern int crypto_decrypt_init_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t, + crypto_context_t *, crypto_call_req_t *); extern int crypto_decrypt_update(crypto_context_t ctx, crypto_data_t *ciphertext, crypto_data_t *plaintext, crypto_call_req_t *cr); 
@@ -170,11 +220,20 @@ extern int crypto_encrypt_mac(crypto_mechanism_t *encr_mech, crypto_key_t *encr_key, crypto_key_t *mac_key, crypto_ctx_template_t encr_tmpl, crypto_ctx_template_t mac_tmpl, crypto_dual_data_t *ct, crypto_data_t *mac, crypto_call_req_t *cr); +extern int crypto_encrypt_mac_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_mechanism_t *, crypto_data_t *, + crypto_key_t *, crypto_key_t *, crypto_ctx_template_t, + crypto_ctx_template_t, crypto_dual_data_t *, crypto_data_t *, + crypto_call_req_t *); extern int crypto_encrypt_mac_init(crypto_mechanism_t *encr_mech, crypto_mechanism_t *mac_mech, crypto_key_t *encr_key, crypto_key_t *mac_key, crypto_ctx_template_t encr_tmpl, crypto_ctx_template_t mac_tmpl, crypto_context_t *ctxp, crypto_call_req_t *cr); +extern int crypto_encrypt_mac_init_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_mechanism_t *, crypto_key_t *, crypto_key_t *, + crypto_ctx_template_t, crypto_ctx_template_t, crypto_context_t *, + crypto_call_req_t *); extern int crypto_encrypt_mac_update(crypto_context_t ctx, crypto_data_t *pt, crypto_dual_data_t *ct, crypto_call_req_t *cr); extern int crypto_encrypt_mac_final(crypto_context_t ctx, 
@@ -188,21 +247,95 @@ extern int crypto_mac_decrypt(crypto_mechanism_t *mac_mech, crypto_key_t *mac_key, crypto_key_t *decr_key, crypto_ctx_template_t mac_tmpl, crypto_ctx_template_t decr_tmpl, crypto_data_t *mac, crypto_data_t *pt, crypto_call_req_t *cr); +extern int crypto_mac_decrypt_prov(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *mac_mech, crypto_mechanism_t *decr_mech, + crypto_dual_data_t *ct, crypto_key_t *mac_key, crypto_key_t *decr_key, + crypto_ctx_template_t mac_tmpl, crypto_ctx_template_t decr_tmpl, + crypto_data_t *mac, crypto_data_t *pt, crypto_call_req_t *cr); extern int crypto_mac_verify_decrypt(crypto_mechanism_t *mac_mech, crypto_mechanism_t *decr_mech, crypto_dual_data_t *ct, crypto_key_t *mac_key, crypto_key_t *decr_key, crypto_ctx_template_t mac_tmpl, crypto_ctx_template_t decr_tmpl, crypto_data_t *mac, crypto_data_t *pt, crypto_call_req_t *cr); +extern int crypto_mac_verify_decrypt_prov(crypto_provider_t, + crypto_session_id_t, crypto_mechanism_t *mac_mech, + crypto_mechanism_t *decr_mech, crypto_dual_data_t *ct, + crypto_key_t *mac_key, crypto_key_t *decr_key, + crypto_ctx_template_t mac_tmpl, crypto_ctx_template_t decr_tmpl, + crypto_data_t *mac, crypto_data_t *pt, crypto_call_req_t *cr); extern int crypto_mac_decrypt_init(crypto_mechanism_t *mac_mech, crypto_mechanism_t *decr_mech, crypto_key_t *mac_key, crypto_key_t *decr_key, crypto_ctx_template_t mac_tmpl, crypto_ctx_template_t decr_tmpl, crypto_context_t *ctxp, crypto_call_req_t *cr); +extern int crypto_mac_decrypt_init_prov(crypto_provider_t, + crypto_session_id_t, crypto_mechanism_t *mac_mech, + crypto_mechanism_t *decr_mech, crypto_key_t *mac_key, + crypto_key_t *decr_key, crypto_ctx_template_t mac_tmpl, + crypto_ctx_template_t decr_tmpl, crypto_context_t *ctxp, + crypto_call_req_t *cr); extern int crypto_mac_decrypt_update(crypto_context_t ctx, crypto_dual_data_t *ct, crypto_data_t *pt, crypto_call_req_t *cr); extern int crypto_mac_decrypt_final(crypto_context_t 
ctx, crypto_data_t *mac, crypto_data_t *pt, crypto_call_req_t *cr); +/* Session Management */ +extern int crypto_session_open(crypto_provider_t, crypto_session_id_t *, + crypto_call_req_t *); +extern int crypto_session_close(crypto_provider_t, crypto_session_id_t, + crypto_call_req_t *); +extern int crypto_session_login(crypto_provider_t, crypto_session_id_t, + crypto_user_type_t, char *, size_t, crypto_call_req_t *); +extern int crypto_session_logout(crypto_provider_t, crypto_session_id_t, + crypto_call_req_t *); + +/* Object Management */ +extern int crypto_object_copy(crypto_provider_t, crypto_session_id_t, + crypto_object_id_t, crypto_object_attribute_t *, uint_t, + crypto_object_id_t *, crypto_call_req_t *); +extern int crypto_object_create(crypto_provider_t, crypto_session_id_t, + crypto_object_attribute_t *, uint_t, crypto_object_id_t *, + crypto_call_req_t *); +extern int crypto_object_destroy(crypto_provider_t, crypto_session_id_t, + crypto_object_id_t, crypto_call_req_t *); +extern int crypto_object_get_attribute_value(crypto_provider_t, + crypto_session_id_t, crypto_object_id_t, crypto_object_attribute_t *, + uint_t, crypto_call_req_t *); +extern int crypto_object_get_size(crypto_provider_t, crypto_session_id_t, + crypto_object_id_t, size_t *, crypto_call_req_t *); +extern int crypto_object_find_final(crypto_provider_t, void *, + crypto_call_req_t *); +extern int crypto_object_find_init(crypto_provider_t, crypto_session_id_t, + crypto_object_attribute_t *, uint_t, void **, crypto_call_req_t *); +extern int crypto_object_find(crypto_provider_t, void *, crypto_object_id_t *, + uint_t *, uint_t, crypto_call_req_t *); +extern int crypto_object_set_attribute_value(crypto_provider_t, + crypto_session_id_t, crypto_object_id_t, crypto_object_attribute_t *, + uint_t, crypto_call_req_t *); + +/* Key Management */ +extern int crypto_key_derive(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_key_t *, crypto_object_attribute_t *, + uint_t, 
crypto_object_id_t *, crypto_call_req_t *); +extern int crypto_key_generate(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_object_attribute_t *, uint_t, + crypto_object_id_t *, crypto_call_req_t *); +extern int crypto_key_generate_pair(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_object_attribute_t *, uint_t, + crypto_object_attribute_t *, uint_t, crypto_object_id_t *, + crypto_object_id_t *, crypto_call_req_t *); +extern int crypto_key_unwrap(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_key_t *, uchar_t *, size_t *, + crypto_object_attribute_t *, uint_t, crypto_object_id_t *, + crypto_call_req_t *); +extern int crypto_key_wrap(crypto_provider_t, crypto_session_id_t, + crypto_mechanism_t *, crypto_key_t *, crypto_object_id_t *, uchar_t *, + size_t *, crypto_call_req_t *); +extern int crypto_key_check_prov(crypto_provider_t, crypto_mechanism_t *mech, + crypto_key_t *key); +extern int crypto_key_check(crypto_mechanism_t *mech, crypto_key_t *key); + + /* * Routines to cancel a single asynchronous request or all asynchronous * requests associated with a particular context. @@ -218,6 +351,9 @@ extern crypto_mech_name_t *crypto_get_mech_list(uint_t *count, int kmflag); extern void crypto_free_mech_list(crypto_mech_name_t *mech_names, uint_t count); +extern crypto_provider_t crypto_get_provider(char *, char *, char *); +extern void crypto_release_provider(crypto_provider_t); + /* * A kernel consumer can request to be notified when some particular event * occurs. The valid events, callback function type, and functions to @@ -253,8 +389,6 @@ extern int crypto_bufcall_free(crypto_bc_t bc); extern int crypto_bufcall(crypto_bc_t bc, void (*func)(void *arg), void *arg); extern int crypto_unbufcall(crypto_bc_t bc); -extern int crypto_key_check(crypto_mechanism_t *mech, crypto_key_t *key); - /* * To obtain the list of key size ranges supported by a mechanism. */ 
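Review bot: The session, object and key management prototypes added to api.h drop every parameter name that the declarations removed from impl.h carried, which leaves the length arguments undocumented. `crypto_key_wrap` and `crypto_key_unwrap` now take `size_t *` where the old `crypto_wrap_key`/`crypto_unwrap_key` took `size_t wrapped_key_len` by value, and nothing says whether the pointed-to value is the buffer capacity on entry, the produced length on return, or both. `crypto_object_find` has also swapped its count arguments to `uint_t *, uint_t` (previously `uint_t max_object_count, uint_t *object_count`). I would keep the names, e.g. `crypto_object_id_t *objects, uint_t *object_count, uint_t max_object_count`, name the PIN and its length in `crypto_session_login`, and add a one-line comment on the in/out `size_t *` arguments; the three `char *` arguments of `crypto_get_provider` in the next hunk need the same treatment.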
diff --git a/usr/src/uts/common/sys/crypto/common.h b/usr/src/uts/common/sys/crypto/common.h index c6ba225697..142f6b7b80 100644 --- a/usr/src/uts/common/sys/crypto/common.h +++ b/usr/src/uts/common/sys/crypto/common.h @@ -91,6 +91,7 @@ typedef uint32_t crypto_keysize_unit_t; #define SUN_CKM_BLOWFISH_ECB "CKM_BLOWFISH_ECB" #define SUN_CKM_AES_CBC "CKM_AES_CBC" #define SUN_CKM_AES_ECB "CKM_AES_ECB" +#define SUN_CKM_AES_CTR "CKM_AES_CTR" #define SUN_CKM_RC4 "CKM_RC4" #define SUN_CKM_RSA_PKCS "CKM_RSA_PKCS" #define SUN_CKM_RSA_X_509 "CKM_RSA_X_509" @@ -249,6 +250,8 @@ typedef struct crypto_version { /* session data structure opaque to the consumer */ typedef void *crypto_session_t; +typedef void *crypto_provider_t; + typedef uint_t crypto_session_id_t; /* diff --git a/usr/src/uts/common/sys/crypto/impl.h b/usr/src/uts/common/sys/crypto/impl.h index 26e4900d45..b240dc0a5a 100644 --- a/usr/src/uts/common/sys/crypto/impl.h +++ b/usr/src/uts/common/sys/crypto/impl.h @@ -220,6 +220,7 @@ typedef struct kcf_provider_desc { kcondvar_t pd_remove_cv; boolean_t pd_restricted; struct kcf_provider_list *pd_provider_list; + uint_t pd_flags; } kcf_provider_desc_t; /* useful for making a list of providers */ 
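Review bot: `typedef void *crypto_provider_t;` in common.h gives every new `_prov` entry point in api.h a first argument that any object pointer converts to without a diagnostic, whereas the prototypes removed from impl.h took `kcf_provider_desc_t *`. A `crypto_session_t` (also `void *`, declared just above) or any unrelated pointer passed by mistake would compile cleanly and be dereferenced as a provider descriptor. An incomplete struct pointer keeps the handle opaque to consumers while restoring type checking, for example `typedef struct crypto_provider *crypto_provider_t;` (tag name is only a suggestion). If `void *` has to stay for compatibility, a comment should say that the only valid values are those returned by `crypto_get_provider()` and not yet passed to `crypto_release_provider()`.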
@@ -503,21 +504,22 @@ extern rctl_hndl_t rc_project_crypto_mem; * of type kcf_prov_desc_t. */ -#define KCF_PROV_CONTROL_OPS(pd) ((pd)->pd_ops_vector->control_ops) -#define KCF_PROV_CTX_OPS(pd) ((pd)->pd_ops_vector->ctx_ops) -#define KCF_PROV_DIGEST_OPS(pd) ((pd)->pd_ops_vector->digest_ops) -#define KCF_PROV_CIPHER_OPS(pd) ((pd)->pd_ops_vector->cipher_ops) -#define KCF_PROV_MAC_OPS(pd) ((pd)->pd_ops_vector->mac_ops) -#define KCF_PROV_SIGN_OPS(pd) ((pd)->pd_ops_vector->sign_ops) -#define KCF_PROV_VERIFY_OPS(pd) ((pd)->pd_ops_vector->verify_ops) -#define KCF_PROV_DUAL_OPS(pd) ((pd)->pd_ops_vector->dual_ops) +#define KCF_PROV_CONTROL_OPS(pd) ((pd)->pd_ops_vector->co_control_ops) +#define KCF_PROV_CTX_OPS(pd) ((pd)->pd_ops_vector->co_ctx_ops) +#define KCF_PROV_DIGEST_OPS(pd) ((pd)->pd_ops_vector->co_digest_ops) +#define KCF_PROV_CIPHER_OPS(pd) ((pd)->pd_ops_vector->co_cipher_ops) +#define KCF_PROV_MAC_OPS(pd) ((pd)->pd_ops_vector->co_mac_ops) +#define KCF_PROV_SIGN_OPS(pd) ((pd)->pd_ops_vector->co_sign_ops) +#define KCF_PROV_VERIFY_OPS(pd) ((pd)->pd_ops_vector->co_verify_ops) +#define KCF_PROV_DUAL_OPS(pd) ((pd)->pd_ops_vector->co_dual_ops) #define KCF_PROV_DUAL_CIPHER_MAC_OPS(pd) \ - ((pd)->pd_ops_vector->dual_cipher_mac_ops) -#define KCF_PROV_RANDOM_OPS(pd) ((pd)->pd_ops_vector->random_ops) -#define KCF_PROV_SESSION_OPS(pd) ((pd)->pd_ops_vector->session_ops) -#define KCF_PROV_OBJECT_OPS(pd) ((pd)->pd_ops_vector->object_ops) -#define KCF_PROV_KEY_OPS(pd) ((pd)->pd_ops_vector->key_ops) -#define KCF_PROV_PROVIDER_OPS(pd) ((pd)->pd_ops_vector->provider_ops) + ((pd)->pd_ops_vector->co_dual_cipher_mac_ops) +#define KCF_PROV_RANDOM_OPS(pd) ((pd)->pd_ops_vector->co_random_ops) +#define KCF_PROV_SESSION_OPS(pd) ((pd)->pd_ops_vector->co_session_ops) +#define KCF_PROV_OBJECT_OPS(pd) ((pd)->pd_ops_vector->co_object_ops) +#define KCF_PROV_KEY_OPS(pd) ((pd)->pd_ops_vector->co_key_ops) +#define KCF_PROV_PROVIDER_OPS(pd) ((pd)->pd_ops_vector->co_provider_ops) +#define 
KCF_PROV_MECH_OPS(pd) ((pd)->pd_ops_vector->co_mech_ops) /* * Wrappers for crypto_control_ops(9S) entry points. @@ -544,6 +546,23 @@ extern rctl_hndl_t rc_project_crypto_mem; (KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->free_context) ? \ KCF_PROV_CTX_OPS(pd)->free_context(ctx) : CRYPTO_NOT_SUPPORTED) +#define KCF_PROV_COPYIN_MECH(pd, umech, kmech, errorp, mode) ( \ + (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->copyin_mechanism) ? \ + KCF_PROV_MECH_OPS(pd)->copyin_mechanism( \ + (pd)->pd_prov_handle, umech, kmech, errorp, mode) : \ + CRYPTO_NOT_SUPPORTED) + +#define KCF_PROV_COPYOUT_MECH(pd, kmech, umech, errorp, mode) ( \ + (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->copyout_mechanism) ? \ + KCF_PROV_MECH_OPS(pd)->copyout_mechanism( \ + (pd)->pd_prov_handle, kmech, umech, errorp, mode) : \ + CRYPTO_NOT_SUPPORTED) + +#define KCF_PROV_FREE_MECH(pd, prov_mech) ( \ + (KCF_PROV_MECH_OPS(pd) && KCF_PROV_MECH_OPS(pd)->free_mechanism) ? \ + KCF_PROV_MECH_OPS(pd)->free_mechanism( \ + (pd)->pd_prov_handle, prov_mech) : CRYPTO_NOT_SUPPORTED) + /* * Wrappers for crypto_digest_ops(9S) entry points. */ 
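Review bot: `KCF_PROV_MECH_OPS(pd)` reads `co_mech_ops`, which spi.h maps to `cou.cou_v2.co_mech_ops`, from `pd_ops_vector` for every provider, and `KCF_PROV_COPYIN_MECH`, `KCF_PROV_COPYOUT_MECH` and `KCF_PROV_FREE_MECH` rely only on that pointer being NULL to return `CRYPTO_NOT_SUPPORTED`. For a provider that registered with `CRYPTO_SPI_VERSION_1` and supplied a v1-sized ops structure, this is safe only if the framework copies the vector into a full `crypto_ops_t` and leaves `co_mech_ops` zeroed; the registration code is not part of this diff, so that needs confirming. I would record the invariant next to the macro, e.g. `/* co_mech_ops is NULL unless the provider registered with CRYPTO_SPI_VERSION_2 */`. The layout this depends on is introduced in the `crypto_ops` hunk of spi.h.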
@@ -1125,41 +1144,15 @@ extern rctl_hndl_t rc_project_crypto_mem; */ /* Digest/mac/cipher entry points that take a provider descriptor and session */ -extern int crypto_digest_prov(crypto_mechanism_t *, crypto_data_t *, - crypto_data_t *, crypto_call_req_t *, kcf_provider_desc_t *, - crypto_session_id_t); -extern int crypto_digest_init_prov(kcf_provider_desc_t *, crypto_session_id_t, - crypto_mechanism_t *, crypto_context_t *, crypto_call_req_t *); extern int crypto_digest_single(crypto_context_t, crypto_data_t *, crypto_data_t *, crypto_call_req_t *); -extern int crypto_mac_prov(crypto_mechanism_t *, crypto_data_t *, - crypto_key_t *, crypto_ctx_template_t, crypto_data_t *, - crypto_call_req_t *, kcf_provider_desc_t *, crypto_session_id_t); -extern int crypto_mac_verify_prov(crypto_mechanism_t *, crypto_data_t *, - crypto_key_t *, crypto_ctx_template_t, crypto_data_t *, - crypto_call_req_t *, kcf_provider_desc_t *, crypto_session_id_t); -extern int crypto_mac_init_prov(kcf_provider_desc_t *, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t, - crypto_context_t *, crypto_call_req_t *); extern int crypto_mac_single(crypto_context_t, crypto_data_t *, crypto_data_t *, crypto_call_req_t *); -extern int crypto_encrypt_prov(crypto_mechanism_t *, crypto_data_t *, - crypto_key_t *, crypto_ctx_template_t, crypto_data_t *, - crypto_call_req_t *, kcf_provider_desc_t *, crypto_session_id_t); -extern int crypto_encrypt_init_prov(kcf_provider_desc_t *, - crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, - crypto_ctx_template_t, crypto_context_t *, crypto_call_req_t *); extern int crypto_encrypt_single(crypto_context_t, crypto_data_t *, crypto_data_t *, crypto_call_req_t *); -extern int crypto_decrypt_prov(crypto_mechanism_t *, crypto_data_t *, - crypto_key_t *, crypto_ctx_template_t, crypto_data_t *, - crypto_call_req_t *, kcf_provider_desc_t *, crypto_session_id_t); -extern int crypto_decrypt_init_prov(kcf_provider_desc_t *, 
crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t, - crypto_context_t *, crypto_call_req_t *); extern int crypto_decrypt_single(crypto_context_t, crypto_data_t *, crypto_data_t *, crypto_call_req_t *); 
@@ -1169,44 +1162,18 @@ extern int crypto_digest_key_prov(crypto_context_t, crypto_key_t *, crypto_call_req_t *); /* Private sign entry points exported by KCF */ -extern int crypto_sign_init_prov(kcf_provider_desc_t *, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t, - crypto_context_t *, crypto_call_req_t *); extern int crypto_sign_single(crypto_context_t, crypto_data_t *, crypto_data_t *, crypto_call_req_t *); -extern int crypto_sign_prov(kcf_provider_desc_t *, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); -extern int crypto_sign_recover_init_prov(kcf_provider_desc_t *, - crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, - crypto_ctx_template_t tmpl, crypto_context_t *, crypto_call_req_t *); extern int crypto_sign_recover_single(crypto_context_t, crypto_data_t *, crypto_data_t *, crypto_call_req_t *); -extern int crypto_sign_recover_prov(kcf_provider_desc_t *, - crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, - crypto_data_t *, crypto_ctx_template_t, crypto_data_t *, - crypto_call_req_t *); /* Private verify entry points exported by KCF */ -extern int crypto_verify_init_prov(kcf_provider_desc_t *, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_ctx_template_t, - crypto_context_t *, crypto_call_req_t *); extern int crypto_verify_single(crypto_context_t, crypto_data_t *, crypto_data_t *, crypto_call_req_t *); -extern int crypto_verify_prov(kcf_provider_desc_t *, crypto_session_id_t, - crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, - crypto_ctx_template_t, crypto_data_t *, crypto_call_req_t *); -extern int crypto_verify_recover_init_prov(kcf_provider_desc_t *, - crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, - crypto_ctx_template_t tmpl, crypto_context_t *, crypto_call_req_t *); extern int crypto_verify_recover_single(crypto_context_t, crypto_data_t *, crypto_data_t *, 
crypto_call_req_t *); -extern int crypto_verify_recover_prov(kcf_provider_desc_t *, - crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, - crypto_data_t *, crypto_ctx_template_t, crypto_data_t *, - crypto_call_req_t *); /* Private dual operations entry points exported by KCF */ extern int crypto_digest_encrypt_update(crypto_context_t, crypto_context_t, 
@@ -1224,72 +1191,6 @@ int crypto_seed_random(crypto_provider_handle_t provider, uchar_t *buf, int crypto_generate_random(crypto_provider_handle_t provider, uchar_t *buf, size_t len, crypto_call_req_t *req); -/* Session Management */ -int crypto_session_open(crypto_provider_handle_t provider, - crypto_session_id_t *session_id, crypto_call_req_t *req); -int crypto_session_close(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_call_req_t *req); -int crypto_session_login(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_user_type_t user_type, char *pin, - size_t pin_len, crypto_call_req_t *req); -int crypto_session_logout(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_call_req_t *req); - -/* Object Management */ -int crypto_object_create(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_object_attribute_t *template, - uint_t attribute_count, crypto_object_id_t *object_handle, - crypto_call_req_t *req); -int crypto_object_copy(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_object_id_t object_handle, - crypto_object_attribute_t *template, uint_t attribute_count, - crypto_object_id_t *new_object_handle, crypto_call_req_t *req); -int crypto_object_destroy(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_object_id_t object_handle, - crypto_call_req_t *req); -int crypto_object_get_size(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_object_id_t object_handle, - size_t *size, crypto_call_req_t *req); -int crypto_object_get_attribute_value(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_object_id_t object_handle, - crypto_object_attribute_t *template, uint_t attribute_count, - crypto_call_req_t *req); -int crypto_object_set_attribute_value(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_object_id_t object_handle, - 
crypto_object_attribute_t *template, uint_t count, crypto_call_req_t *req); -int crypto_object_find_init(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_object_attribute_t *template, - uint_t attribute_count, void **provider_private, crypto_call_req_t *req); -int crypto_object_find(crypto_provider_handle_t provider, - void *provider_private, crypto_object_id_t *objects, - uint_t max_object_count, uint_t *object_count, crypto_call_req_t *req); -int crypto_object_find_final(crypto_provider_handle_t provider, - void *provider_private, crypto_call_req_t *req); - -/* Key Generation */ -int crypto_generate_key(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_mechanism_t *mech, - crypto_object_attribute_t *key_attributes, uint_t attributes_count, - crypto_object_id_t *key_handle, crypto_call_req_t *req); -int crypto_generate_key_pair(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_mechanism_t *mech, - crypto_object_attribute_t *public_attributes, uint_t public_count, - crypto_object_attribute_t *private_attributes, uint_t private_count, - crypto_object_id_t *public_handle, crypto_object_id_t *private_handle, - crypto_call_req_t *req); -int crypto_wrap_key(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_mechanism_t *mech, - crypto_key_t *wrapping_key, crypto_object_id_t *key_handle, - uchar_t *wrapped_key, size_t wrapped_key_len, crypto_call_req_t *req); -int crypto_unwrap_key(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_mechanism_t *mech, crypto_key_t *key, - uchar_t *wrapped_key, size_t wrapped_key_len, - crypto_object_id_t *key_handle, crypto_call_req_t *req); -int crypto_derive_key(crypto_provider_handle_t provider, - crypto_session_id_t session_id, crypto_mechanism_t *mech, crypto_key_t *key, - crypto_object_attribute_t *attributes, uint_t attribute_count, - crypto_object_id_t *object_handle, crypto_call_req_t *req); - /* 
Provider Management */ int crypto_get_provider_info(crypto_provider_id_t id, crypto_provider_info_t **info, crypto_call_req_t *req); @@ -1380,6 +1281,7 @@ extern int kcf_policy_load_soft_disabled(char *, uint_t, crypto_mech_name_t *, uint_t *, crypto_mech_name_t **); extern int kcf_policy_load_dev_disabled(char *, uint_t, uint_t, crypto_mech_name_t *, uint_t *, crypto_mech_name_t **); +extern boolean_t in_soft_config_list(char *); #endif /* _KERNEL */ diff --git a/usr/src/uts/common/sys/crypto/sched_impl.h b/usr/src/uts/common/sys/crypto/sched_impl.h index b4a83ebe50..ebd40bedd5 100644 --- a/usr/src/uts/common/sys/crypto/sched_impl.h +++ b/usr/src/uts/common/sys/crypto/sched_impl.h @@ -65,6 +65,8 @@ typedef enum kcf_call_type { #define CHECK_RESTRICT(crq) (crq != NULL && \ ((crq)->cr_flag & CRYPTO_RESTRICTED)) +#define CHECK_RESTRICT_FALSE B_FALSE + #define CHECK_FASTPATH(crq, pd) ((crq) == NULL || \ !((crq)->cr_flag & CRYPTO_ALWAYS_QUEUE)) && \ (pd)->pd_prov_type == CRYPTO_SW_PROVIDER @@ -484,10 +486,11 @@ extern kcondvar_t ntfy_list_cv; boolean_t kcf_get_next_logical_provider_member(kcf_provider_desc_t *, kcf_provider_desc_t *, kcf_provider_desc_t **); -extern int kcf_get_hardware_provider(crypto_mech_type_t, offset_t, offset_t, - kcf_provider_desc_t *, kcf_provider_desc_t **); +extern int kcf_get_hardware_provider(crypto_mech_type_t, crypto_mech_type_t, + offset_t, offset_t, boolean_t, kcf_provider_desc_t *, + kcf_provider_desc_t **); extern int kcf_get_hardware_provider_nomech(offset_t, offset_t, - kcf_provider_desc_t *, kcf_provider_desc_t **); + boolean_t, kcf_provider_desc_t *, kcf_provider_desc_t **); extern void kcf_free_triedlist(kcf_prov_tried_t *); extern kcf_prov_tried_t *kcf_insert_triedlist(kcf_prov_tried_t **, kcf_provider_desc_t *, int); diff --git a/usr/src/uts/common/sys/crypto/spi.h b/usr/src/uts/common/sys/crypto/spi.h index 2d40ada66f..e06f260d02 100644 --- a/usr/src/uts/common/sys/crypto/spi.h +++ b/usr/src/uts/common/sys/crypto/spi.h 
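Review bot: The `boolean_t` added to `kcf_get_hardware_provider()` and `kcf_get_hardware_provider_nomech()` in sched_impl.h is unnamed, and the new `CHECK_RESTRICT_FALSE` define gives callers a constant to pass instead of evaluating `CHECK_RESTRICT(crq)`. Judging by the names this argument decides whether the `CRYPTO_RESTRICTED` request flag is taken into account during provider selection (the implementation is not shown here), so it should be documented which callers may pass the constant. Name the parameter in both prototypes and comment the define, e.g. `/* for callers that have no crypto_call_req_t to test */`. The second `crypto_mech_type_t` added to `kcf_get_hardware_provider()` is unnamed as well, which makes the two mechanism arguments easy to transpose.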
@@ -20,7 +20,7 @@ * CDDL HEADER END */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -46,6 +46,7 @@ extern "C" { #ifdef _KERNEL #define CRYPTO_SPI_VERSION_1 1 +#define CRYPTO_SPI_VERSION_2 2 /* * Provider-private handle. This handle is specified by a provider @@ -484,6 +485,14 @@ typedef struct crypto_provider_management_ops { char *, size_t, char *, size_t, crypto_req_handle_t); } crypto_provider_management_ops_t; +typedef struct crypto_mech_ops { + int (*copyin_mechanism)(crypto_provider_handle_t, + crypto_mechanism_t *, crypto_mechanism_t *, int *, int); + int (*copyout_mechanism)(crypto_provider_handle_t, + crypto_mechanism_t *, crypto_mechanism_t *, int *, int); + int (*free_mechanism)(crypto_provider_handle_t, crypto_mechanism_t *); +} crypto_mech_ops_t; + /* * The crypto_ops(9S) structure contains the structures containing * the pointers to functions implemented by cryptographic providers. 
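Review bot: `crypto_mech_ops_t` is added to spi.h without a comment describing the contract of its three entry points, and `copyin_mechanism` is, going by its name and the `umech, kmech, errorp, mode` arguments of the impl.h wrapper, where a provider parses mechanism parameters that originate in a user process. A block comment above the struct should state which `crypto_mechanism_t *` is the source and which the destination for each direction, what the `int *` and `int` arguments carry, that the provider must validate the parameter length itself before copying, and that anything `copyin_mechanism` allocates is released through `free_mechanism`. Naming the parameters in the function-pointer declarations would cover most of this.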
@@ -491,23 +500,51 @@ typedef struct crypto_provider_management_ops { * supplied by a provider when it registers with the kernel * by calling crypto_register_provider(9F). */ +typedef struct crypto_ops_v1 { + crypto_control_ops_t *co_control_ops; + crypto_digest_ops_t *co_digest_ops; + crypto_cipher_ops_t *co_cipher_ops; + crypto_mac_ops_t *co_mac_ops; + crypto_sign_ops_t *co_sign_ops; + crypto_verify_ops_t *co_verify_ops; + crypto_dual_ops_t *co_dual_ops; + crypto_dual_cipher_mac_ops_t *co_dual_cipher_mac_ops; + crypto_random_number_ops_t *co_random_ops; + crypto_session_ops_t *co_session_ops; + crypto_object_ops_t *co_object_ops; + crypto_key_ops_t *co_key_ops; + crypto_provider_management_ops_t *co_provider_ops; + crypto_ctx_ops_t *co_ctx_ops; +} crypto_ops_v1_t; + +typedef struct crypto_ops_v2 { + crypto_ops_v1_t v1_ops; + crypto_mech_ops_t *co_mech_ops; +} crypto_ops_v2_t; + typedef struct crypto_ops { - crypto_control_ops_t *control_ops; - crypto_digest_ops_t *digest_ops; - crypto_cipher_ops_t *cipher_ops; - crypto_mac_ops_t *mac_ops; - crypto_sign_ops_t *sign_ops; - crypto_verify_ops_t *verify_ops; - crypto_dual_ops_t *dual_ops; - crypto_dual_cipher_mac_ops_t *dual_cipher_mac_ops; - crypto_random_number_ops_t *random_ops; - crypto_session_ops_t *session_ops; - crypto_object_ops_t *object_ops; - crypto_key_ops_t *key_ops; - crypto_provider_management_ops_t *provider_ops; - crypto_ctx_ops_t *ctx_ops; + union { + crypto_ops_v2_t cou_v2; + crypto_ops_v1_t cou_v1; + } cou; } crypto_ops_t; +#define co_control_ops cou.cou_v1.co_control_ops +#define co_digest_ops cou.cou_v1.co_digest_ops +#define co_cipher_ops cou.cou_v1.co_cipher_ops +#define co_mac_ops cou.cou_v1.co_mac_ops +#define co_sign_ops cou.cou_v1.co_sign_ops +#define co_verify_ops cou.cou_v1.co_verify_ops +#define co_dual_ops cou.cou_v1.co_dual_ops +#define co_dual_cipher_mac_ops cou.cou_v1.co_dual_cipher_mac_ops +#define co_random_ops cou.cou_v1.co_random_ops +#define co_session_ops 
cou.cou_v1.co_session_ops +#define co_object_ops cou.cou_v1.co_object_ops +#define co_key_ops cou.cou_v1.co_key_ops +#define co_provider_ops cou.cou_v1.co_provider_ops +#define co_ctx_ops cou.cou_v1.co_ctx_ops +#define co_mech_ops cou.cou_v2.co_mech_ops + /* * Provider device specification passed during registration. * @@ -622,7 +659,7 @@ typedef uint_t crypto_kcf_provider_handle_t; * register for the same device instance. In this case, the same * pi_provider_dev must be specified with a different pi_provider_handle. */ -typedef struct crypto_provider_info { +typedef struct crypto_provider_info_v1 { uint_t pi_interface_version; char *pi_provider_description; crypto_provider_type_t pi_provider_type; 
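Review bot: `co_mech_ops` expands to `cou.cou_v2.co_mech_ops`, which lies past the end of the ops structure that a provider built against the version 1 layout passes in, and nothing in this header ties that access to `pi_interface_version`. The same holds for `pi_flags` in the crypto_provider_info hunk further down. The registration code is not on this page and may already check for `CRYPTO_SPI_VERSION_2`, but the header should state the rule where the accessor is defined, e.g. `/* valid only when pi_interface_version is CRYPTO_SPI_VERSION_2 or later */` above `#define co_mech_ops` and above `#define pi_flags`. Separately, these object-like macros rewrite every identifier spelled `co_key_ops`, `pi_flags` and so on in any file that includes spi.h, which is worth a warning comment at the top of the macro list.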
@@ -633,8 +670,35 @@ typedef struct crypto_provider_info { crypto_mech_info_t *pi_mechanisms; uint_t pi_logical_provider_count; crypto_kcf_provider_handle_t *pi_logical_providers; +} crypto_provider_info_v1_t; + +typedef struct crypto_provider_info_v2 { + crypto_provider_info_v1_t v1_info; + uint_t pi_flags; +} crypto_provider_info_v2_t; + +typedef struct crypto_provider_info { + union { + crypto_provider_info_v2_t piu_v2; + crypto_provider_info_v1_t piu_v1; + } piu; } crypto_provider_info_t; +#define pi_interface_version piu.piu_v1.pi_interface_version +#define pi_provider_description piu.piu_v1.pi_provider_description +#define pi_provider_type piu.piu_v1.pi_provider_type +#define pi_provider_dev piu.piu_v1.pi_provider_dev +#define pi_provider_handle piu.piu_v1.pi_provider_handle +#define pi_ops_vector piu.piu_v1.pi_ops_vector +#define pi_mech_list_count piu.piu_v1.pi_mech_list_count +#define pi_mechanisms piu.piu_v1.pi_mechanisms +#define pi_logical_provider_count piu.piu_v1.pi_logical_provider_count +#define pi_logical_providers piu.piu_v1.pi_logical_providers +#define pi_flags piu.piu_v2.pi_flags + +/* hidden providers can only be accessed via a logical provider */ +#define CRYPTO_HIDE_PROVIDER 1 + /* * Provider status passed by a provider to crypto_provider_notification(9F) * and returned by the provider_stauts(9E) entry point. |
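Review bot: `pi_flags` is introduced as a flags word, but its only value is written as decimal `1` and nothing says how the framework treats bits it does not recognise. `CRYPTO_HIDE_PROVIDER` restricts how a provider can be reached, so I would make the encoding explicit with `#define CRYPTO_HIDE_PROVIDER 0x00000001` and add `/* all other pi_flags bits are reserved and must be zero */`. That way a later flag cannot collide with a value some provider is already passing by accident. The `crypto_provider_info_v1` structure that this hunk closes starts in the previous hunk.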
