1.\" $OpenBSD: crypto.9,v 1.19 2002/07/16 06:31:57 angelos Exp $ 2.\" 3.\" The author of this manual page is Angelos D. Keromytis (angelos@cis.upenn.edu) 4.\" 5.\" Copyright (c) 2000, 2001 Angelos D. Keromytis 6.\" 7.\" Permission to use, copy, and modify this software with or without fee 8.\" is hereby granted, provided that this entire notice is included in 9.\" all source code copies of any software which is or includes a copy or 10.\" modification of this software. 11.\" 12.\" THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 13.\" IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 14.\" REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 15.\" MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 16.\" PURPOSE. 17.\" 18.\" $FreeBSD: src/share/man/man9/crypto.9,v 1.14 2007/09/19 16:28:46 brueffer Exp $ 19.\" 20.Dd April 21, 2018 21.Dt CRYPTO 9 22.Os 23.Sh NAME 24.Nm crypto 25.Nd API for cryptographic services in the kernel 26.Sh SYNOPSIS 27.In sys/malloc.h 28.In sys/time.h 29.In opencrypto/cryptodev.h 30.Ft int32_t 31.Fn crypto_get_driverid "device_t dev" "int flags" 32.Ft int 33.Fn crypto_find_driver "const char *match" 34.Ft device_t 35.Fn crypto_find_device_byhid "int hid" 36.Ft int 37.Fn crypto_getcaps "int hid" 38.Ft int 39.Fn crypto_register "u_int32_t driverid" "int alg" "u_int16_t maxoplen" "u_int32_t flags" 40.Ft int 41.Fn crypto_kregister "u_int32_t driverid" "int kalg" "u_int32_t flags" 42.Ft int 43.Fn crypto_unregister "u_int32_t driverid" "int alg" 44.Ft int 45.Fn crypto_unregister_all "u_int32_t driverid" 46.Ft void 47.Fn crypto_done "struct cryptop *crp" 48.Ft void 49.Fn crypto_kdone "struct cryptkop *krp" 50.Ft int 51.Fn crypto_newsession "u_int64_t *sid" "struct cryptoini *cri" "int crid" 52.Ft int 53.Fn crypto_freesession "u_int64_t sid" 54.Ft int 55.Fn crypto_dispatch "struct cryptop *crp" 56.Ft int 57.Fn crypto_kdispatch "struct cryptkop *krp" 58.Ft int 59.Fn crypto_unblock "u_int32_t driverid" "int what" 60.Ft "struct cryptop *" 61.Fn crypto_getreq "int num" 62.Ft void 63.Fn crypto_freereq "struct cryptop *crp" 64.Bd -literal 65#define CRYPTO_SYMQ 0x1 66#define CRYPTO_ASYMQ 0x2 67 68#define EALG_MAX_BLOCK_LEN 16 69 70struct cryptoini { 71 int cri_alg; 72 int cri_klen; 73 int cri_mlen; 74 caddr_t cri_key; 75 u_int8_t cri_iv[EALG_MAX_BLOCK_LEN]; 76 struct cryptoini *cri_next; 77}; 78 79struct cryptodesc { 80 int crd_skip; 81 int crd_len; 82 int crd_inject; 83 int crd_flags; 84 struct cryptoini CRD_INI; 85#define crd_iv CRD_INI.cri_iv 86#define crd_key CRD_INI.cri_key 87#define crd_alg CRD_INI.cri_alg 88#define crd_klen CRD_INI.cri_klen 89 struct cryptodesc *crd_next; 90}; 91 92struct cryptop { 93 TAILQ_ENTRY(cryptop) crp_next; 94 u_int64_t crp_sid; 95 int crp_ilen; 96 int crp_olen; 97 int crp_etype; 98 int crp_flags; 99 caddr_t crp_buf; 100 caddr_t crp_opaque; 101 struct cryptodesc *crp_desc; 102 int (*crp_callback) (struct cryptop *); 103 caddr_t crp_mac; 104}; 105 106struct crparam { 107 caddr_t crp_p; 108 u_int crp_nbits; 109}; 110 111#define CRK_MAXPARAM 8 112 113struct cryptkop { 114 TAILQ_ENTRY(cryptkop) krp_next; 115 u_int krp_op; /* ie. CRK_MOD_EXP or other */ 116 u_int krp_status; /* return status */ 117 u_short krp_iparams; /* # of input parameters */ 118 u_short krp_oparams; /* # of output parameters */ 119 u_int32_t krp_hid; 120 struct crparam krp_param[CRK_MAXPARAM]; 121 int (*krp_callback)(struct cryptkop *); 122}; 123.Ed 124.Sh DESCRIPTION 125.Nm 126is a framework for drivers of cryptographic hardware to register with 127the kernel so 128.Dq consumers 129(other kernel subsystems, and 130users through the 131.Pa /dev/crypto 132device) are able to make use of it. 133Drivers register with the framework the algorithms they support, 134and provide entry points (functions) the framework may call to 135establish, use, and tear down sessions. 136Sessions are used to cache cryptographic information in a particular driver 137(or associated hardware), so initialization is not needed with every request. 138Consumers of cryptographic services pass a set of 139descriptors that instruct the framework (and the drivers registered 140with it) of the operations that should be applied on the data (more 141than one cryptographic operation can be requested). 142.Pp 143Keying operations are supported as well. 144Unlike the symmetric operators described above, 145these sessionless commands perform mathematical operations using 146input and output parameters. 147.Pp 148Since the consumers may not be associated with a process, drivers may 149not 150.Xr sleep 9 . 151The same holds for the framework. 152Thus, a callback mechanism is used 153to notify a consumer that a request has been completed (the 154callback is specified by the consumer on an per-request basis). 155The callback is invoked by the framework whether the request was 156successfully completed or not. 157An error indication is provided in the latter case. 158A specific error code, 159.Er EAGAIN , 160is used to indicate that a session number has changed and that the 161request may be re-submitted immediately with the new session number. 162Errors are only returned to the invoking function if not 163enough information to call the callback is available (meaning, there 164was a fatal error in verifying the arguments). 165For session initialization and teardown there is no callback mechanism used. 166.Pp 167The 168.Fn crypto_newsession 169routine is called by consumers of cryptographic services 170that wish to establish a new session with the framework. 171On success, the first argument will contain the Session Identifier (SID). 172The second argument contains all the necessary information for 173the driver to establish the session. 174The third argument indicates whether a 175hardware driver (1) should be used or not (0). 176The various fields in the 177.Vt cryptoini 178structure are: 179.Bl -tag -width ".Va cri_next" 180.It Va cri_alg 181Contains an algorithm identifier. 182Currently supported algorithms are: 183.Pp 184.Bl -tag -width ".Dv CRYPTO_RIPEMD160_HMAC" -compact 185.It Dv CRYPTO_AES_CBC 186.It Dv CRYPTO_AES_XTS 187.It Dv CRYPTO_AES_CTR 188.It Dv CRYPTO_AES_GCM_16 189.It Dv CRYPTO_AES_GMAC 190.It Dv CRYPTO_AES_128_GMAC 191.It Dv CRYPTO_AES_192_GMAC 192.It Dv CRYPTO_AES_256_GMAC 193.It Dv CRYPTO_TWOFISH_CBC 194.It Dv CRYPTO_TWOFISH_XTS 195.It Dv CRYPTO_SERPENT_CBC 196.It Dv CRYPTO_SERPENT_XTS 197.It Dv CRYPTO_ARC4 198.It Dv CRYPTO_BLF_CBC 199.It Dv CRYPTO_CAMELLIA_CBC 200.It Dv CRYPTO_CAST_CBC 201.It Dv CRYPTO_DES_CBC 202.It Dv CRYPTO_3DES_CBC 203.It Dv CRYPTO_SKIPJACK_CBC 204.It Dv CRYPTO_MD5 205.It Dv CRYPTO_MD5_HMAC 206.It Dv CRYPTO_MD5_KPDK 207.It Dv CRYPTO_RIPEMD160_HMAC 208.It Dv CRYPTO_SHA1 209.It Dv CRYPTO_SHA1_HMAC 210.It Dv CRYPTO_SHA1_KPDK 211.It Dv CRYPTO_SHA2_256_HMAC 212.It Dv CRYPTO_SHA2_384_HMAC 213.It Dv CRYPTO_SHA2_512_HMAC 214.It Dv CRYPTO_NULL_HMAC 215.It Dv CRYPTO_NULL_CBC 216.El 217.It Va cri_klen 218Specifies the length of the key in bits, for variable-size key 219algorithms. 220.It Va cri_mlen 221Specifies how many bytes from the calculated hash should be copied back. 2220 means entire hash. 223.It Va cri_key 224Contains the key to be used with the algorithm. 225.It Va cri_iv 226Contains an explicit initialization vector (IV), if it does not prefix 227the data. 228This field is ignored during initialization. 229If no IV is explicitly passed (see below on details), a random IV is used 230by the device driver processing the request. 231.It Va cri_next 232Contains a pointer to another 233.Vt cryptoini 234structure. 235Multiple such structures may be linked to establish multi-algorithm sessions. 236.El 237.Pp 238The 239.Vt cryptoini 240structure and its contents will not be modified by the framework (or 241the drivers used). 242Subsequent requests for processing that use the 243SID returned will avoid the cost of re-initializing the hardware (in 244essence, SID acts as an index in the session cache of the driver). 245.Pp 246.Fn crypto_freesession 247is called with the SID returned by 248.Fn crypto_newsession 249to disestablish the session. 250.Pp 251.Fn crypto_dispatch 252is called to process a request. 253The various fields in the 254.Vt cryptop 255structure are: 256.Bl -tag -width ".Va crp_callback" 257.It Va crp_sid 258Contains the SID. 259.It Va crp_ilen 260Indicates the total length in bytes of the buffer to be processed. 261.It Va crp_olen 262On return, contains the total length of the result. 263For symmetric crypto operations, this will be the same as the input length. 264This will be used if the framework needs to allocate a new 265buffer for the result (or for re-formatting the input). 266.It Va crp_callback 267This routine is invoked upon completion of the request, whether 268successful or not. 269It is invoked through the 270.Fn crypto_done 271routine. 272If the request was not successful, an error code is set in the 273.Va crp_etype 274field. 275It is the responsibility of the callback routine to enter a critical 276section. 277.It Va crp_etype 278Contains the error type, if any errors were encountered, or zero if 279the request was successfully processed. 280If the 281.Er EAGAIN 282error code is returned, the SID has changed (and has been recorded in the 283.Va crp_sid 284field). 285The consumer should record the new SID and use it in all subsequent requests. 286In this case, the request may be re-submitted immediately. 287This mechanism is used by the framework to perform 288session migration (move a session from one driver to another, because 289of availability, performance, or other considerations). 290.Pp 291Note that this field only makes sense when examined by 292the callback routine specified in 293.Va crp_callback . 294Errors are returned to the invoker of 295.Fn crypto_process 296only when enough information is not present to call the callback 297routine (i.e., if the pointer passed is 298.Dv NULL 299or if no callback routine was specified). 300.It Va crp_flags 301Is a bitmask of flags associated with this request. 302Currently defined flags are: 303.Bl -tag -width ".Dv CRYPTO_F_CBIFSYNC" 304.It Dv CRYPTO_F_IMBUF 305The buffer pointed to by 306.Va crp_buf 307is an mbuf chain. 308.It Dv CRYPTO_F_IOV 309The buffer pointed to by 310.Va crp_buf 311is an 312.Vt uio 313structure. 314.It Dv CRYPTO_F_REL 315Must return data in the same place. 316.It Dv CRYPTO_F_BATCH 317Batch operation if possible. 318.It Dv CRYPTO_F_CBIMM 319Do callback immediately instead of doing it from a dedicated kernel thread. 320.It Dv CRYPTO_F_DONE 321Operation completed. 322.It Dv CRYPTO_F_CBIFSYNC 323Do callback immediately if operation is synchronous. 324.El 325.It Va crp_buf 326Points to the input buffer. 327On return (when the callback is invoked), 328it contains the result of the request. 329The input buffer may be an mbuf 330chain or a contiguous buffer, 331depending on 332.Va crp_flags . 333.It Va crp_opaque 334This is passed through the crypto framework untouched and is 335intended for the invoking application's use. 336.It Va crp_desc 337This is a linked list of descriptors. 338Each descriptor provides 339information about what type of cryptographic operation should be done 340on the input buffer. 341The various fields are: 342.Bl -tag -width ".Va crd_inject" 343.It Va crd_iv 344The field where IV should be provided when the 345.Dv CRD_F_IV_EXPLICIT 346flag is given. 347.It Va crd_key 348When the 349.Dv CRD_F_KEY_EXPLICIT 350flag is given, the 351.Va crd_key 352points to a buffer with encryption or authentication key. 353.It Va crd_alg 354An algorithm to use. 355Must be the same as the one given at newsession time. 356.It Va crd_klen 357The 358.Va crd_key 359key length. 360.It Va crd_skip 361The offset in the input buffer where processing should start. 362.It Va crd_len 363How many bytes, after 364.Va crd_skip , 365should be processed. 366.It Va crd_inject 367Offset from the beginning of the buffer to insert any results. 368For encryption algorithms, this is where the initialization vector 369(IV) will be inserted when encrypting or where it can be found when 370decrypting (subject to 371.Va crd_flags ) . 372For MAC algorithms, this is where the result of the keyed hash will be 373inserted. 374.It Va crd_flags 375The following flags are defined: 376.Bl -tag -width 3n 377.It Dv CRD_F_ENCRYPT 378For encryption algorithms, this bit is set when encryption is required 379(when not set, decryption is performed). 380.It Dv CRD_F_IV_PRESENT 381For encryption algorithms, this bit is set when the IV already 382precedes the data, so the 383.Va crd_inject 384value will be ignored and no IV will be written in the buffer. 385Otherwise, the IV used to encrypt the packet will be written 386at the location pointed to by 387.Va crd_inject . 388The IV length is assumed to be equal to the blocksize of the 389encryption algorithm. 390Some applications that do special 391.Dq "IV cooking" 392can use this flag to indicate that the IV should not be written on the packet. 393This flag is typically used in conjunction with the 394.Dv CRD_F_IV_EXPLICIT 395flag. 396.It Dv CRD_F_IV_EXPLICIT 397For encryption algorithms, this bit is set when the IV is explicitly 398provided by the consumer in the 399.Va crd_iv 400field. 401Otherwise, for encryption operations the IV is provided for by 402the driver used to perform the operation, whereas for decryption 403operations it is pointed to by the 404.Va crd_inject 405field. 406This flag is typically used when the IV is calculated 407.Dq "on the fly" 408by the consumer, and does not precede the data 409(encrypted swap being an example). 410.It Dv CRD_F_KEY_EXPLICIT 411For encryption and authentication (MAC) algorithms, this bit is set when the key 412is explicitly provided by the consumer in the 413.Va crd_key 414field for the given operation. 415Otherwise, the key is taken at newsession time from the 416.Va cri_key 417field. 418.It Dv CRD_F_COMP 419For compression algorithms, this bit is set when compression is required (when 420not set, decompression is performed). 421.El 422.It Va CRD_INI 423This 424.Vt cryptoini 425structure will not be modified by the framework or the device drivers. 426Since this information accompanies every cryptographic 427operation request, drivers may re-initialize state on-demand 428(typically an expensive operation). 429Furthermore, the cryptographic 430framework may re-route requests as a result of full queues or hardware 431failure, as described above. 432.It Va crd_next 433Point to the next descriptor. 434Linked operations are useful in protocols 435where multiple cryptographic transforms may be applied on the same 436block of data. 437.El 438.El 439.Pp 440.Fn crypto_getreq 441allocates a 442.Vt cryptop 443structure with a linked list of as many 444.Vt cryptodesc 445structures as were specified in the argument passed to it. 446.Pp 447.Fn crypto_freereq 448deallocates a structure 449.Vt cryptop 450and any 451.Vt cryptodesc 452structures linked to it. 453Note that it is the responsibility of the 454callback routine to do the necessary cleanups associated with the 455opaque field in the 456.Vt cryptop 457structure. 458.Pp 459.Fn crypto_kdispatch 460is called to perform a keying operation. 461The various fields in the 462.Vt cryptkop 463structure are: 464.Bl -tag -width ".Va krp_callback" 465.It Va krp_op 466Operation code, such as 467.Dv CRK_MOD_EXP . 468.It Va krp_status 469Return code. 470This 471.Va errno Ns -style 472variable indicates whether lower level reasons 473for operation failure. 474.It Va krp_iparams 475Number if input parameters to the specified operation. 476Note that each operation has a (typically hardwired) number of such parameters. 477.It Va krp_oparams 478Number if output parameters from the specified operation. 479Note that each operation has a (typically hardwired) number of such parameters. 480.It Va krp_kvp 481An array of kernel memory blocks containing the parameters. 482.It Va krp_hid 483Identifier specifying which low-level driver is being used. 484.It Va krp_callback 485Callback called on completion of a keying operation. 486.El 487.Sh DRIVER-SIDE API 488The 489.Fn crypto_get_driverid , 490.Fn crypto_register , 491.Fn crypto_kregister , 492.Fn crypto_unregister , 493.Fn crypto_unblock , 494and 495.Fn crypto_done 496routines are used by drivers that provide support for cryptographic 497primitives to register and unregister with the kernel crypto services 498framework. 499Drivers must first use the 500.Fn crypto_get_driverid 501function to acquire a driver identifier, specifying the 502.Fa cc_flags 503as an argument (normally 0, but software-only drivers should specify 504.Dv CRYPTOCAP_F_SOFTWARE ) . 505For each algorithm the driver supports, it must then call 506.Fn crypto_register . 507The first two arguments are the driver and algorithm identifiers. 508The next two arguments specify the largest possible operator length (in bits, 509important for public key operations) and flags for this algorithm. 510The last four arguments must be provided in the first call to 511.Fn crypto_register 512and are ignored in all subsequent calls. 513They are pointers to three 514driver-provided functions that the framework may call to establish new 515cryptographic context with the driver, free already established 516context, and ask for a request to be processed (encrypt, decrypt, 517etc.); and an opaque parameter to pass when calling each of these routines. 518.Fn crypto_unregister 519is called by drivers that wish to withdraw support for an algorithm. 520The two arguments are the driver and algorithm identifiers, respectively. 521Typically, drivers for 522PCMCIA 523crypto cards that are being ejected will invoke this routine for all 524algorithms supported by the card. 525.Fn crypto_unregister_all 526will unregister all algorithms registered by a driver 527and the driver will be disabled (no new sessions will be allocated on 528that driver, and any existing sessions will be migrated to other 529drivers). 530The same will be done if all algorithms associated with a driver are 531unregistered one by one. 532.Pp 533The calling convention for the three driver-supplied routines is: 534.Pp 535.Bl -item -compact 536.It 537.Ft int 538.Fn (*newsession) "void *" "u_int32_t *" "struct cryptoini *" ; 539.It 540.Ft int 541.Fn (*freesession) "void *" "u_int64_t" ; 542.It 543.Ft int 544.Fn (*process) "void *" "struct cryptop *" ; 545.It 546.Ft int 547.Fn (*kprocess) "void *" "struct cryptkop *" ; 548.El 549.Pp 550On invocation, the first argument to 551all routines is an opaque data value supplied when the algorithm 552is registered with 553.Fn crypto_register . 554The second argument to 555.Fn newsession 556contains the driver identifier obtained via 557.Fn crypto_get_driverid . 558On successful return, it should contain a driver-specific session 559identifier. 560The third argument is identical to that of 561.Fn crypto_newsession . 562.Pp 563The 564.Fn freesession 565routine takes as arguments the opaque data value and the SID 566(which is the concatenation of the 567driver identifier and the driver-specific session identifier). 568It should clear any context associated with the session (clear hardware 569registers, memory, etc.). 570.Pp 571The 572.Fn process 573routine is invoked with a request to perform crypto processing. 574This routine must not block, but should queue the request and return 575immediately. 576Upon processing the request, the callback routine should be invoked. 577In case of an unrecoverable error, the error indication must be placed in the 578.Va crp_etype 579field of the 580.Vt cryptop 581structure. 582When the request is completed, or an error is detected, the 583.Fn process 584routine should invoke 585.Fn crypto_done . 586Session migration may be performed, as mentioned previously. 587.Pp 588In case of a temporary resource exhaustion, the 589.Fn process 590routine may return 591.Er ERESTART 592in which case the crypto services will requeue the request, mark the driver 593as 594.Dq blocked , 595and stop submitting requests for processing. 596The driver is then responsible for notifying the crypto services 597when it is again able to process requests through the 598.Fn crypto_unblock 599routine. 600This simple flow control mechanism should only be used for short-lived 601resource exhaustion as it causes operations to be queued in the crypto 602layer. 603Doing so is preferable to returning an error in such cases as 604it can cause network protocols to degrade performance by treating the 605failure much like a lost packet. 606.Pp 607The 608.Fn kprocess 609routine is invoked with a request to perform crypto key processing. 610This routine must not block, but should queue the request and return 611immediately. 612Upon processing the request, the callback routine should be invoked. 613In case of an unrecoverable error, the error indication must be placed in the 614.Va krp_status 615field of the 616.Vt cryptkop 617structure. 618When the request is completed, or an error is detected, the 619.Fn kprocess 620routine should invoked 621.Fn crypto_kdone . 622.Sh RETURN VALUES 623.Fn crypto_register , 624.Fn crypto_kregister , 625.Fn crypto_unregister , 626.Fn crypto_newsession , 627.Fn crypto_freesession , 628and 629.Fn crypto_unblock 630return 0 on success, or an error code on failure. 631.Fn crypto_get_driverid 632returns a non-negative value on error, and \-1 on failure. 633.Fn crypto_getreq 634returns a pointer to a 635.Vt cryptop 636structure and 637.Dv NULL 638on failure. 639.Fn crypto_dispatch 640returns 641.Er EINVAL 642if its argument or the callback function was 643.Dv NULL , 644and 0 otherwise. 645The callback is provided with an error code in case of failure, in the 646.Va crp_etype 647field. 648.Sh FILES 649.Bl -tag -width ".Pa sys/opencrypto/crypto.c" 650.It Pa sys/opencrypto/crypto.c 651most of the framework code 652.El 653.Sh SEE ALSO 654.Xr kmalloc 9 , 655.Xr sleep 9 656.Sh HISTORY 657The cryptographic framework first appeared in 658.Ox 2.7 659and was written by 660.An Angelos D. Keromytis Aq Mt angelos@openbsd.org . 661.Sh BUGS 662The framework currently assumes that all the algorithms in a 663.Fn crypto_newsession 664operation must be available by the same driver. 665If that is not the case, session initialization will fail. 666.Pp 667The framework also needs a mechanism for determining which driver is 668best for a specific set of algorithms associated with a session. 669Some type of benchmarking is in order here. 670.Pp 671Multiple instances of the same algorithm in the same session are not 672supported. 673Note that 3DES is considered one algorithm (and not three 674instances of DES). 675Thus, 3DES and DES could be mixed in the same request. 676