108 	 * A cipher without an iv requirement would look like this:
116 /* Preferred cipher, if one isn't specified on command line. */
366     mech_alias_t *cipher, const char *rkey, size_t rksz)
371 	if (cipher != NULL) {
374 		(void) strlcpy(li.li_cipher, cipher->name,
382 		li.li_iv_type = cipher->iv_type;
383 		li.li_iv_len = cipher->iv_len;	/* 0 when no iv needed */
384 		switch (cipher->iv_type) {
386 			(void) strlcpy(li.li_iv_cipher, cipher->iv_name,
536  * Verify the cipher selected by user.
551  * Verify user selected cipher is also available in kernel.
553  * While traversing kernel list of mechs, if the cipher is supported in the
558 kernel_cipher_check(mech_alias_t *cipher)
570 	/* if cipher doesn't need iv generating mech, bypass that check now */
571 	if (cipher->iv_name == NULL)
621 	 * it needs an iv generated using another cipher, also look for that
622 	 * additional cipher to be used for generating the iv
627 		    strcasecmp(cipher->name, kciphers->ml_list[i]) == 0)
630 		    strcasecmp(cipher->iv_name, kciphers->ml_list[i]) == 0)
638 		    cipher->name);
641 		    cipher->iv_name);
644 		/* Get the details about the user selected cipher */
654 		(void) strlcpy(kinfo->mi_mechanism_name, cipher->name,
675 			(void) strlcpy(kinfo->mi_mechanism_name, cipher->name,
704 			cipher->min_keysize = keymin;
705 			cipher->max_keysize = keymax;
716 			    cipher->name);
720 	/* Note: key min/max, unit size, usage for iv cipher are not checked. */
814 getkeyfromuser(mech_alias_t *cipher, char **raw_key, size_t *raw_key_sz)
826 	/* did init_crypto find a slot that supports this cipher? */
827 	if (cipher->slot == (CK_SLOT_ID)-1 || cipher->max_keysize == 0) {
832 	rv = pkcs11_mech2keytype(cipher->type, &ktype);
840 	rv = C_OpenSession(cipher->slot, CKF_SERIAL_SESSION, NULL, NULL, &sess);
857 	klen = cipher->max_keysize;
859 	    cipher->max_keysize, &kvalue, &klen);
867 	/* assert(klen == cipher->max_keysize); */
874 	    cipher->alias, pkcs11_strerror(rv));
881 getkeyfromfile(const char *pathname, mech_alias_t *cipher, char **key,
892 		*ksz = cipher->max_keysize;
906 	 * permissions and whether the key is within cipher min and max lengths,
924 		if (*ksz < cipher->min_keysize || cipher->max_keysize < *ksz) {
928 			    cipher->min_keysize, cipher->max_keysize);
931 		*ksz = cipher->max_keysize;
945 		 * get the maximum keysize of data possible for this cipher.
951 		if (nread == 0 && notplain && cursz >= cipher->min_keysize) {
952 			*ksz = (cursz / cipher->min_keysize) *
953 			    cipher->min_keysize;
967     token_spec_t *token, const char *keyfile, mech_alias_t *cipher,
973 	CK_KEY_TYPE ktype;		/* from selected cipher or CKK_RSA */
974 	CK_KEY_TYPE raw_ktype;		/* from selected cipher */
995 	/* did init_crypto find a slot that supports this cipher? */
996 	if (cipher->slot == (CK_SLOT_ID)-1 || cipher->max_keysize == 0) {
1014 	rv = pkcs11_mech2keytype(cipher->type, &raw_ktype);
1016 		die(gettext("failed to get key type for cipher %s: %s\n"),
1017 		    cipher->name, pkcs11_strerror(rv));
1090 		getkeyfromfile(keyfile, cipher, &rkey, &rksz);
1118 	if (rksz < cipher->min_keysize || cipher->max_keysize < rksz) {
1120 		die(gettext("\t%d <= keysize <= %d\n"), cipher->min_keysize,
1121 		    cipher->max_keysize);
1129  * Set up cipher key limits and verify PKCS#11 can be done
1137 	mech_alias_t *cipher;
1145 	 * - if the slot supports the PKCS#5 PBKD2 cipher
1149 	 *	-c cipher -T tok:mfr:ser:lab -k keyfile
1150 	 * the given cipher or the default cipher apply to keyfile,
1153 	 *	-c cipher -T tok:mfr:ser:lab
1155 	 * cipher or the default cipher.  In those cases, cipher will
1156 	 * be overridden with the actual cipher type of the key "lab".
1164 	cipher = (mech_alias_t *)args;
1165 	token = cipher->token;
1167 	if (C_GetMechanismInfo(slot_id, cipher->type, &mechinfo) != CKR_OK) {
1202 	cipher->slot = slot_id;
1217  * Set up crypto, opening session on slot that matches token and cipher
1220 init_crypto(token_spec_t *token, mech_alias_t *cipher,
1225 	cipher->token = token;
1232 	rv = pkcs11_GetCriteriaSession(match_token_cipher, (void *)cipher,
1798 	mech_alias_t *cipher = NULL;
1831 			/* is the chosen cipher allowed? */
1832 			if ((cipher = ciph2mech(optarg)) == NULL) {
1834 				warn(gettext("cipher %s not allowed\n"),
1971 	 * 1. cipher with no ephemeral key, key file, or token,
1973 	 * 2. token with an optional cipher or optional key file,
1975 	 * If only the cipher is specified, reconfirm the passphrase
1982 		/* pick a cipher if none specified */
1983 		if (cipher == NULL)
1984 			cipher = DEFAULT_CIPHER;
1986 		if (!kernel_cipher_check(cipher))
1991 		init_crypto(token, cipher, &sess);
1994 			getkeyfromuser(cipher, &rkey, &rksz);
1996 			getkeyfromtoken(sess, token, keyfile, cipher,
2000 			getkeyfromfile(keyfile, cipher, &rkey, &rksz);
2010 		add_mapping(lfd, devicename, filename, cipher, rkey, rksz);

Indexes created Sun Jul 07 21:00:45 MDT 2024