1.\" $OpenBSD: crypto.9,v 1.41 2015/11/23 17:53:57 jmc Exp $ 2.\" 3.\" The author of this man page is Angelos D. Keromytis (angelos@cis.upenn.edu) 4.\" 5.\" Copyright (c) 2000, 2001 Angelos D. Keromytis 6.\" 7.\" Permission to use, copy, and modify this software with or without fee 8.\" is hereby granted, provided that this entire notice is included in 9.\" all source code copies of any software which is or includes a copy or 10.\" modification of this software. 11.\" 12.\" THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 13.\" IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 14.\" REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 15.\" MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 16.\" PURPOSE. 17.\" 18.Dd $Mdocdate: November 23 2015 $ 19.Dt CRYPTO_GET_DRIVERID 9 20.Os 21.Sh NAME 22.Nm crypto_get_driverid , 23.Nm crypto_register , 24.Nm crypto_unregister , 25.Nm crypto_done , 26.Nm crypto_newsession , 27.Nm crypto_freesession , 28.Nm crypto_dispatch , 29.Nm crypto_getreq , 30.Nm crypto_freereq 31.Nd API for cryptographic services in the kernel 32.Sh SYNOPSIS 33.In crypto/cryptodev.h 34.Ft int32_t 35.Fn crypto_get_driverid "u_int8_t" 36.Ft int 37.Fn crypto_register "u_int32_t" "int *" "int (*)(u_int32_t *, struct cryptoini *)" "int (*)(u_int64_t)" "int (*)(struct cryptop *)" 38.Ft int 39.Fn crypto_unregister "u_int32_t" "int" 40.Ft void 41.Fn crypto_done "struct cryptop *" 42.Ft int 43.Fn crypto_newsession "u_int64_t *" "struct cryptoini *" "int" 44.Ft int 45.Fn crypto_freesession "u_int64_t" 46.Ft int 47.Fn crypto_dispatch "struct cryptop *" 48.Ft struct cryptop * 49.Fn crypto_getreq "int" 50.Ft void 51.Fn crypto_freereq "struct cryptop *" 52.Bd -literal 53 54#define EALG_MAX_BLOCK_LEN 16 55 56struct cryptoini { 57 int cri_alg; 58 int cri_klen; 59 int cri_rnd; 60 caddr_t cri_key; 61 u_int8_t cri_iv[EALG_MAX_BLOCK_LEN]; 62 struct cryptoini *cri_next; 63}; 64 65struct cryptodesc { 66 int crd_skip; 67 int crd_len; 68 int crd_inject; 69 int crd_flags; 70 struct cryptoini CRD_INI; 71 struct cryptodesc *crd_next; 72}; 73 74struct cryptop { 75 u_int64_t crp_sid; 76 int crp_ilen; 77 int crp_olen; 78 int crp_alloctype; 79 int crp_etype; 80 int crp_flags; 81 void *crp_buf; 82 void *crp_opaque; 83 struct cryptodesc *crp_desc; 84 int (*crp_callback)(struct cryptop *); 85 struct cryptop *crp_next; 86 caddr_t crp_mac; 87}; 88.Ed 89.Sh DESCRIPTION 90.Nm 91is a framework for drivers of cryptographic hardware to register with 92the kernel so 93.Dq consumers 94(other kernel subsystems, and eventually 95users through an appropriate device) are able to make use of it. 96Drivers register with the framework the algorithms they support, 97and provide entry points (functions) the framework may call to 98establish, use, and tear down sessions. 99Sessions are used to cache cryptographic information in a particular driver 100(or associated hardware), so initialization is not needed with every request. 101Consumers of cryptographic services pass a set of 102descriptors that instruct the framework (and the drivers registered 103with it) of the operations that should be applied on the data (more 104than one cryptographic operation can be requested). 105.Pp 106Since the consumers may not be associated with a process, drivers may 107not use 108.Xr tsleep 9 . 109The same holds for the framework. 110Thus, a callback mechanism is used 111to notify a consumer that a request has been completed (the 112callback is specified by the consumer on a per-request basis). 113The callback is invoked by the framework whether the request was 114successfully completed or not. 115An error indication is provided in the latter case. 116A specific error code, 117.Er EAGAIN , 118is used to indicate that a session number has changed and that the 119request may be re-submitted immediately with the new session number. 120Errors are only returned to the invoking function if not 121enough information to call the callback is available (meaning, there 122was a fatal error in verifying the arguments). 123For session initialization and teardown there is no callback mechanism used. 124.Pp 125The 126.Fn crypto_newsession 127routine is called by consumers of cryptographic services (such as the 128.Xr ipsec 4 129stack) that wish to establish a new session with the framework. 130On success, the first argument will contain the Session Identifier (SID). 131The second argument contains all the necessary information for 132the driver to establish the session. 133The third argument indicates whether a 134hardware driver should be used (1) or not (0). 135The various fields in the 136.Fa cryptoini 137structure are: 138.Bl -tag -width foobarmoocow 139.It Fa cri_alg 140Contains an algorithm identifier. 141Currently supported encryption algorithms are: 142.Bd -literal 143CRYPTO_DES_CBC 144CRYPTO_3DES_CBC 145CRYPTO_BLF_CBC 146CRYPTO_CAST_CBC 147CRYPTO_AES_CBC 148CRYPTO_AES_CTR 149CRYPTO_AES_XTS 150.Ed 151.Pp 152Authentication algorithms are: 153.Bd -literal 154CRYPTO_MD5_HMAC 155CRYPTO_SHA1_HMAC 156CRYPTO_RIPEMD160_HMAC 157CRYPTO_SHA2_256_HMAC 158CRYPTO_SHA2_384_HMAC 159CRYPTO_SHA2_512_HMAC 160.Ed 161.Pp 162Algorithms performing authenticated encryption are: 163.Bd -literal 164CRYPTO_AES_GCM_16 165CRYPTO_AES_GMAC 166CRYPTO_CHACHA20_POLY1305 167.Ed 168.It Fa cri_klen 169Specifies the length of the key in bits, for variable-size key 170algorithms. 171.It Fa cri_rnd 172Specifies the number of rounds to be used with the algorithm, for 173variable-round algorithms. 174.It Fa cri_key 175Contains the key to be used with the algorithm. 176.It Fa cri_iv 177Contains an explicit initialization vector (IV), if it does not prefix 178the data. 179This field is ignored during initialization. 180If no IV is explicitly passed (see below on details), a random IV is used 181by the device driver processing the request. 182.Pp 183In the case of the CRYPTO_AES_XTS transform, the IV should be provided 184as a 64-bit block number in host byte order. 185.It Fa cri_next 186Contains a pointer to another 187.Fa cryptoini 188structure. 189Multiple such structures may be linked to establish multi-algorithm sessions 190.Pf ( Xr ipsec 4 191is an example consumer of such a feature). 192.El 193.Pp 194The 195.Fa cryptoini 196structure and its contents will not be modified by the framework (or 197the drivers used). 198Subsequent requests for processing that use the 199SID returned will avoid the cost of re-initializing the hardware (in 200essence, SID acts as an index in the session cache of the driver). 201.Pp 202.Fn crypto_freesession 203is called with the SID returned by 204.Fn crypto_newsession 205to disestablish the session. 206.Pp 207.Fn crypto_dispatch 208is called to process a request. 209The various fields in the 210.Fa cryptop 211structure are: 212.Bl -tag -width crp_alloctype 213.It Fa crp_sid 214Contains the SID. 215.It Fa crp_ilen 216Indicates the total length in bytes of the buffer to be processed. 217.It Fa crp_olen 218On return, contains the length of the result, not including 219.Fa crd_skip . 220For symmetric crypto operations, this will be the same as the input length. 221.It Fa crp_alloctype 222Indicates the type of buffer, as used in the kernel 223.Xr malloc 9 224routine. 225This will be used if the framework needs to allocate a new 226buffer for the result (or for re-formatting the input). 227.It Fa crp_callback 228This routine is invoked upon completion of the request, whether 229successful or not. 230It is invoked through the 231.Fn crypto_done 232routine. 233If the request was not successful, an error code is set in the 234.Fa crp_etype 235field. 236It is the responsibility of the callback routine to set the appropriate 237.Xr spl 9 238level. 239.It Fa crp_etype 240Contains the error type, if any errors were encountered, or zero if 241the request was successfully processed. 242If the 243.Er EAGAIN 244error code is returned, the SID has changed (and has been recorded in the 245.Fa crp_sid 246field). 247The consumer should record the new SID and use it in all subsequent requests. 248In this case, the request may be re-submitted immediately. 249This mechanism is used by the framework to perform 250session migration (move a session from one driver to another, because 251of availability, performance, or other considerations). 252.Pp 253Note that this field only makes sense when examined by 254the callback routine specified in 255.Fa crp_callback . 256Errors are returned to the invoker of 257.Fn crypto_process 258only when enough information is not present to call the callback 259routine (i.e., if the pointer passed is 260.Dv NULL 261or if no callback routine was specified). 262.It Fa crp_flags 263Is a bitmask of flags associated with this request. 264Currently defined flags are: 265.Bl -tag -width CRYPTO_F_IMBUF 266.It Dv CRYPTO_F_IMBUF 267The buffer pointed to by 268.Fa crp_buf 269is an mbuf chain. 270.El 271.It Fa crp_buf 272Points to the input buffer. 273On return (when the callback is invoked), 274it contains the result of the request. 275The input buffer may be an mbuf 276chain or a struct uio depending on 277.Fa crp_flags . 278.It Fa crp_opaque 279This is passed through the crypto framework untouched and is 280intended for the invoking application's use. 281.It Fa crp_desc 282This is a linked list of descriptors. 283Each descriptor provides 284information about what type of cryptographic operation should be done 285on the input buffer. 286The various fields are: 287.Bl -tag -width "crd_inject" 288.It Fa crd_skip 289The offset in the input buffer where processing should start. 290.It Fa crd_len 291How many bytes, after 292.Fa crd_skip , 293should be processed. 294.It Fa crd_inject 295Offset from the beginning of the buffer to insert any results. 296For encryption algorithms, this is where the initialization vector 297(IV) will be inserted when encrypting or where it can be found when 298decrypting (subject to 299.Fa crd_flags ) . 300For MAC algorithms, this is where the result of the keyed hash will be 301inserted. 302.It Fa crd_flags 303The following flags are defined: 304.Bl -tag -width CRD_F_IV_EXPLICIT 305.It Dv CRD_F_ENCRYPT 306For encryption algorithms, this bit is set when encryption is required 307(when not set, decryption is performed). 308.It Dv CRD_F_IV_PRESENT 309For encryption algorithms, this bit is set when the IV already 310precedes the data, so the 311.Fa crd_inject 312value will be ignored and no IV will be written in the buffer. 313Otherwise, the IV used to encrypt the packet will be written 314at the location pointed to by 315.Fa crd_inject . 316The IV length is assumed to be equal to the blocksize of the 317encryption algorithm. 318Some applications that do special 319.Dq IV cooking , 320such as the half-IV mode in 321.Xr ipsec 4 , 322can use this flag to indicate that the IV should not be written on the packet. 323This flag is typically used in conjunction with the 324.Dv CRD_F_IV_EXPLICIT 325flag. 326.It Dv CRD_F_IV_EXPLICIT 327For encryption algorithms, this bit is set when the IV is explicitly 328provided by the consumer in the 329.Fa crd_iv 330fields. 331Otherwise, for encryption operations the IV is provided for by 332the driver used to perform the operation, whereas for decryption 333operations it is pointed to by the 334.Fa crd_inject 335field. 336This flag is typically used when the IV is calculated 337.Dq on the fly 338by the consumer, and does not precede the data (some 339.Xr ipsec 4 340configurations, and the encrypted swap are two such examples). 341.It Dv CRD_F_COMP 342For compression algorithms, this bit is set when compression is required (when 343not set, decompression is performed). 344.El 345.It Fa CRD_INI 346This 347.Fa cryptoini 348structure will not be modified by the framework or the device drivers. 349Since this information accompanies every cryptographic 350operation request, drivers may re-initialize state on-demand 351(typically an expensive operation). 352Furthermore, the cryptographic 353framework may re-route requests as a result of full queues or hardware 354failure, as described above. 355.It Fa crd_next 356Point to the next descriptor. 357Linked operations are useful in protocols such as 358.Xr ipsec 4 , 359where multiple cryptographic transforms may be applied on the same 360block of data. 361.El 362.El 363.Pp 364.Fn crypto_getreq 365allocates a 366.Fa cryptop 367structure with a linked list of as many 368.Fa cryptodesc 369structures as were specified in the argument passed to it. 370.Pp 371.Fn crypto_freereq 372deallocates a structure 373.Fa cryptop 374and any 375.Fa cryptodesc 376structures linked to it. 377Note that it is the responsibility of the 378callback routine to do the necessary cleanups associated with the 379opaque field in the 380.Fa cryptop 381structure. 382.Sh DRIVER-SIDE API 383The 384.Fn crypto_get_driverid , 385.Fn crypto_register , 386.Fn crypto_unregister , 387and 388.Fn crypto_done 389routines are used by drivers that provide support for cryptographic 390primitives to register and unregister with the kernel crypto services 391framework. 392Drivers must first use the 393.Fn crypto_get_driverid 394function to acquire a driver identifier, specifying the 395.Fa cc_flags 396as an argument (normally 0, but software-only drivers should specify 397.Dv CRYPTOCAP_F_SOFTWARE ) . 398For each algorithm the driver supports, it must then call 399.Fn crypto_register . 400The first argument is the driver identifier. 401The second argument is an array of 402.Dv CRYPTO_ALGORITHM_MAX + 1 403elements, indicating which algorithms are supported. 404The last three arguments are pointers to three 405driver-provided functions that the framework may call to establish new 406cryptographic context with the driver, free already established 407context, and ask for a request to be processed (encrypt, decrypt, etc.\&) 408.Fn crypto_unregister 409is called by drivers that wish to withdraw support for an algorithm. 410The two arguments are the driver and algorithm identifiers, respectively. 411Typically, drivers for 412.Xr pcmcia 4 413crypto cards that are being ejected will invoke this routine for all 414algorithms supported by the card. 415If called with 416.Dv CRYPTO_ALGORITHM_ALL , 417all algorithms registered for a driver will be unregistered in one go 418and the driver will be disabled (no new sessions will be allocated on 419that driver, and any existing sessions will be migrated to other 420drivers). 421The same will be done if all algorithms associated with a driver are 422unregistered one by one. 423.Pp 424The calling convention for the three driver-supplied routines is: 425.Bd -literal 426int (*newsession) (u_int32_t *, struct cryptoini *); 427int (*freesession) (u_int64_t); 428int (*process) (struct cryptop *); 429.Ed 430.Pp 431On invocation, the first argument to 432.Fn newsession 433contains the driver identifier obtained via 434.Fn crypto_get_driverid . 435On successfully returning, it should contain a driver-specific session 436identifier. 437The second argument is identical to that of 438.Fn crypto_newsession . 439.Pp 440The 441.Fn freesession 442routine takes as argument the SID (which is the concatenation of the 443driver identifier and the driver-specific session identifier). 444It should clear any context associated with the session (clear hardware 445registers, memory, etc.). 446.Pp 447The 448.Fn process 449routine is invoked with a request to perform crypto processing. 450This routine must not block, but should queue the request and return 451immediately. 452Upon processing the request, the callback routine should be invoked. 453In case of error, the error indication must be placed in the 454.Fa crp_etype 455field of the 456.Fa cryptop 457structure. 458When the request is completed, or an error is detected, the 459.Fn process 460routine should invoke 461.Fn crypto_done . 462Session migration may be performed, as mentioned previously. 463.Sh RETURN VALUES 464.Fn crypto_register , 465.Fn crypto_unregister , 466.Fn crypto_newsession , 467and 468.Fn crypto_freesession 469return 0 on success, or an error code on failure. 470.Fn crypto_get_driverid 471returns a non-negative value on error, and \-1 on failure. 472.Fn crypto_getreq 473returns a pointer to a 474.Fa cryptop 475structure and 476.Dv NULL 477on failure. 478.Fn crypto_dispatch 479returns 480.Er EINVAL 481if its argument or the callback function was 482.Dv NULL , 483and 0 otherwise. 484The callback is provided with an error code in case of failure, in the 485.Fa crp_etype 486field. 487.Sh FILES 488.Bl -tag -width sys/crypto/crypto.c 489.It Pa sys/crypto/crypto.c 490most of the framework code 491.El 492.Sh SEE ALSO 493.Xr ipsec 4 , 494.Xr pcmcia 4 , 495.Xr malloc 9 , 496.Xr tsleep 9 497.Sh HISTORY 498The cryptographic framework first appeared in 499.Ox 2.7 500and was written by 501.An Angelos D. Keromytis Aq Mt angelos@openbsd.org . 502.Sh BUGS 503The framework currently assumes that all the algorithms in a 504.Fn crypto_newsession 505operation must be available by the same driver. 506If that's not the case, session initialization will fail. 507.Pp 508The framework also needs a mechanism for determining which driver is 509best for a specific set of algorithms associated with a session. 510Some type of benchmarking is in order here. 511.Pp 512Multiple instances of the same algorithm in the same session are not 513supported. 514Note that 3DES is considered one algorithm (and not three 515instances of DES). 516Thus, 3DES and DES could be mixed in the same request. 517.Pp 518A queue for completed operations should be implemented and processed 519at some software 520.Xr spl 9 521level, to avoid overall system latency issues, and potential kernel 522stack exhaustion while processing a callback. 523