1.\" Copyright (c) 2014-2021 The FreeBSD Foundation 2.\" 3.\" Portions of this documentation were written by John-Mark Gurney 4.\" under the sponsorship of the FreeBSD Foundation and 5.\" Rubicon Communications, LLC (Netgate). 6.\" 7.\" Portions of this documentation were written by Ararat River 8.\" Consulting, LLC under sponsorship of the FreeBSD Foundation. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.Dd January 11, 2022 32.Dt CRYPTO 7 33.Os 34.Sh NAME 35.Nm crypto 36.Nd OpenCrypto algorithms 37.Sh DESCRIPTION 38The in-kernel OpenCrypto framework supports several different encryption 39and authentication algorithms. 40This document describes the parameters and requirements of these algorithms. 41Unless otherwise noted, all sizes listed below are in bytes. 42.Ss Authenticators 43Authenticators compute a value (also known as a digest, hash, or tag) 44over an input of bytes. 45In-kernel requests can either compute the value for a given input, 46or verify if a given tag matches the computed tag for a given input. 47The following authentication algorithms are supported: 48.Bl -column "CRYPTO_AES_CCM_CBC_MAC" "XXX" "16, 24, 32" "Digest" 49.It Sy Name Ta Sy Nonce Ta Sy Key Sizes Ta Sy Digest Ta Sy Description 50.It Dv CRYPTO_AES_CCM_CBC_MAC Ta 12 Ta 16, 24, 32 Ta 16 Ta 51Authentication-only mode of AES-CCM 52.It Dv CRYPTO_AES_NIST_GMAC Ta 12 Ta 16, 24, 32 Ta 16 Ta 53Galois message authentication code 54.It Dv CRYPTO_BLAKE2B Ta Ta 0, 64 Ta 64 Ta 55Blake2b 56.It Dv CRYPTO_BLAKE2S Ta Ta 0, 32 Ta 32 Ta 57Blake2s 58.It Dv CRYPTO_NULL_HMAC Ta Ta Ta 12 Ta 59IPsec NULL HMAC 60.It Dv CRYPTO_POLY1305 Ta Ta 32 Ta 16 Ta 61Poly1305 authenticator 62.It Dv CRYPTO_RIPEMD160 Ta Ta Ta 20 Ta 63RIPE Message Digest-160 64.It Dv CRYPTO_RIPEMD160_HMAC Ta Ta 64 Ta 20 Ta 65RIPE Message Digest-160 HMAC 66.It Dv CRYPTO_SHA1 Ta Ta Ta 20 Ta 67SHA-1 68.It Dv CRYPTO_SHA1_HMAC Ta Ta 64 Ta 20 Ta 69SHA-1 HMAC 70.It Dv CRYPTO_SHA2_224 Ta Ta Ta 28 Ta 71SHA-2 224 72.It Dv CRYPTO_SHA2_224_HMAC Ta Ta 64 Ta 28 Ta 73SHA-2 224 HMAC 74.It Dv CRYPTO_SHA2_256 Ta Ta Ta 32 Ta 75SHA-2 256 76.It Dv CRYPTO_SHA2_256_HMAC Ta Ta 64 Ta 32 Ta 77SHA-2 256 HMAC 78.It Dv CRYPTO_SHA2_384 Ta Ta Ta 48 Ta 79SHA-2 384 80.It Dv CRYPTO_SHA2_384_HMAC Ta Ta 128 Ta 48 Ta 81SHA-2 384 HMAC 82.It Dv CRYPTO_SHA2_512 Ta Ta Ta 64 Ta 83SHA-2 512 84.It Dv CRYPTO_SHA2_512_HMAC Ta Ta 128 Ta 64 Ta 85SHA-2 512 HMAC 86.El 87.Ss Block Ciphers 88Block ciphers in OCF can only operate on messages whose length is an 89exact multiple of the cipher's block size. 90OCF supports the following block ciphers: 91.Bl -column "CRYPTO_CAMELLIA_CBC" "IV Size" "Block Size" "16, 24, 32" 92.It Sy Name Ta Sy IV Size Ta Sy Block Size Ta Sy Key Sizes Ta Sy Description 93.It Dv CRYPTO_AES_CBC Ta 16 Ta 16 Ta 16, 24, 32 Ta 94AES-CBC 95.It Dv CRYPTO_AES_XTS Ta 8 Ta 16 Ta 32, 64 Ta 96AES-XTS 97.It Dv CRYPTO_CAMELLIA_CBC Ta 16 Ta 16 Ta 16, 24, 32 Ta 98Camellia CBC 99.It Dv CRYPTO_NULL_CBC Ta 0 Ta 4 Ta 0-256 Ta 100IPsec NULL cipher 101.El 102.Pp 103.Dv CRYPTO_AES_XTS 104implements XEX Tweakable Block Cipher with Ciphertext Stealing 105as defined in NIST SP 800-38E. 106OCF consumers provide the first 8 bytes of the IV. 107The remaining 8 bytes are defined to be a block counter beginning at 0. 108.Pp 109NOTE: The ciphertext stealing part is not implemented in all backends 110which is why this cipher requires input that is a multiple of the block 111size. 112.Ss Stream Ciphers 113Stream ciphers can operate on messages with arbitrary lengths. 114OCF supports the following stream ciphers: 115.Bl -column "CRYPTO_CHACHA20" "IV Size" "16, 24, 32" 116.It Sy Name Ta Sy IV Size Ta Sy Key Sizes Ta Sy Description 117.It Dv CRYPTO_AES_ICM Ta 16 Ta 16, 24, 32 Ta 118AES Counter Mode 119.It Dv CRYPTO_CHACHA20 Ta 16 Ta 16, 32 Ta 120ChaCha20 121.El 122.Pp 123The IV for each request must be provided in 124.Fa crp_iv 125via the 126.Dv CRYPTO_F_IV_SEPARATE 127flag. 128.Pp 129.Dv CRYPTO_AES_ICM 130uses the entire IV as a 128-bit big endian block counter. 131The IV sets the initial counter value for a message. 132If a consumer wishes to use an IV whose value is split into 133separate nonce and counter fields (e.g., IPsec), 134the consumer is responsible for splitting requests to handle 135counter rollover. 136.Pp 137.Dv CRYPTO_CHACHA20 138accepts a 16 byte IV. 139The first 8 bytes are used as a nonce. 140The last 8 bytes are used as a 64-bit little-endian block counter. 141.Ss Authenticated Encryption with Associated Data Algorithms 142AEAD algorithms in OCF combine a stream cipher with an authentication 143algorithm to provide both secrecy and authentication. 144AEAD algorithms accept additional authentication data (AAD) 145in addition to the ciphertext or plaintext. 146AAD is passed to the authentication algorithm as input in a method 147defined by the specific AEAD algorithm. 148.Pp 149AEAD algorithms in OCF accept a nonce that is combined with an 150algorithm-defined counter to construct the IV for the underlying 151stream cipher. 152This nonce must be provided in 153.Fa crp_iv 154via the 155.Dv CRYPTO_F_IV_SEPARATE 156flag. 157Some AEAD algorithms support multiple nonce sizes. 158The first size listed is the default nonce size. 159.Pp 160The following AEAD algorithms are supported: 161.Bl -column "CRYPTO_AES_NIST_GCM_16" "12, 7-13" "16, 24, 32" "Tag" 162.It Sy Name Ta Sy Nonce Ta Sy Key Sizes Ta Sy Tag Ta Sy Description 163.It Dv CRYPTO_AES_NIST_GCM_16 Ta 12 Ta 16, 24, 32 Ta 16 Ta 164AES Galois/Counter Mode 165.It Dv CRYPTO_AES_CCM_16 Ta 12, 7-13 Ta 16, 24, 32 Ta 16 Ta 166AES Counter with CBC-MAC 167.It Dv CRYPTO_CHACHA20_POLY1305 Ta 12, 8 Ta 32 Ta 16 Ta 168ChaCha20-Poly1305 169.It Dv CRYPTO_XCHACHA20_POLY1305 Ta 24 Ta 32 Ta 16 Ta 170XChaCha20-Poly1305 171.El 172.Sh SEE ALSO 173.Xr crypto 4 , 174.Xr crypto 9 175.Sh HISTORY 176The 177.Nm 178manual page first appeared in 179.Fx 10.1 . 180