1.\" $OpenBSD: crypto.9,v 1.20 2002/11/21 19:42:39 jason Exp $ 2.\" 3.\" The author of this man page is Angelos D. Keromytis (angelos@cis.upenn.edu) 4.\" 5.\" Copyright (c) 2000, 2001 Angelos D. Keromytis 6.\" 7.\" Permission to use, copy, and modify this software with or without fee 8.\" is hereby granted, provided that this entire notice is included in 9.\" all source code copies of any software which is or includes a copy or 10.\" modification of this software. 11.\" 12.\" THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 13.\" IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 14.\" REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 15.\" MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 16.\" PURPOSE. 17.\" 18.Dd April 21, 2000 19.Dt CRYPTO 9 20.Os 21.Sh NAME 22.Nm crypto 23.Nd API for cryptographic services in the kernel 24.Sh SYNOPSIS 25.Fd #include <crypto/cryptodev.h> 26.Ft int32_t 27.Fn crypto_get_driverid "u_int8_t" 28.Ft int 29.Fn crypto_register "u_int32_t" "int *" "int (*)(u_int32_t *, struct cryptoini *)" "int (*)(u_int64_t)" "int (*)(struct cryptop *)" 30.Ft int 31.Fn crypto_kregister "u_int32_t" "int *" "int (*)(struct cryptkop *)" 32.Ft int 33.Fn crypto_unregister "u_int32_t" "int" 34.Ft void 35.Fn crypto_done "struct cryptop *" 36.Ft void 37.Fn crypto_kdone "struct cryptkop *" 38.Ft int 39.Fn crypto_newsession "u_int64_t *" "struct cryptoini *" "int" 40.Ft int 41.Fn crypto_freesession "u_int64_t" 42.Ft int 43.Fn crypto_dispatch "struct cryptop *" 44.Ft int 45.Fn crypto_kdispatch "struct cryptkop *" 46.Ft struct cryptop * 47.Fn crypto_getreq "int" 48.Ft void 49.Fn crypto_freereq "void" 50.Bd -literal 51 52#define EALG_MAX_BLOCK_LEN 16 53 54struct cryptoini { 55 int cri_alg; 56 int cri_klen; 57 int cri_rnd; 58 caddr_t cri_key; 59 u_int8_t cri_iv[EALG_MAX_BLOCK_LEN]; 60 struct cryptoini *cri_next; 61}; 62 63struct cryptodesc { 64 int crd_skip; 65 int crd_len; 66 int crd_inject; 67 int crd_flags; 68 struct cryptoini CRD_INI; 69 struct cryptodesc *crd_next; 70}; 71 72struct cryptop { 73 u_int64_t crp_sid; 74 int crp_ilen; 75 int crp_olen; 76 int crp_alloctype; 77 int crp_etype; 78 int crp_flags; 79 caddr_t crp_buf; 80 caddr_t crp_opaque; 81 struct cryptodesc *crp_desc; 82 int (*crp_callback) (struct cryptop *); 83 struct cryptop *crp_next; 84 caddr_t crp_mac; 85}; 86 87struct crparam { 88 caddr_t crp_p; 89 u_int crp_nbits; 90}; 91 92#define CRK_MAXPARAM 8 93 94struct cryptkop { 95 u_int krp_op; /* ie. CRK_MOD_EXP or other */ 96 u_int krp_status; /* return status */ 97 u_short krp_iparams; /* # of input parameters */ 98 u_short krp_oparams; /* # of output parameters */ 99 u_int krp_pad1; 100 struct crparam krp_param[CRK_MAXPARAM]; 101 struct crparam krp_kvp[CRK_MAXPARAM]; 102 103 u_int32_t krp_hid; 104 int (*krp_callback)(struct cryptkop *); 105 struct cryptkop *krp_next; 106}; 107.Ed 108.br 109.Sh DESCRIPTION 110.Nm 111is a framework for drivers of cryptographic hardware to register with 112the kernel so 113.Dq consumers 114(other kernel subsystems, and eventually 115users through an appropriate device) are able to make use of it. 116Drivers register with the framework the algorithms they support, 117and provide entry points (functions) the framework may call to 118establish, use, and tear down sessions. 119Sessions are used to cache cryptographic information in a particular driver 120(or associated hardware), so initialization is not needed with every request. 121Consumers of cryptographic services pass a set of 122descriptors that instruct the framework (and the drivers registered 123with it) of the operations that should be applied on the data (more 124than one cryptographic operation can be requested). 125.Pp 126Keying operations are supported as well. 127Unlike the symmetric operators described above, 128these sessionless commands perform mathematical operations using 129input and output parameters. 130.Pp 131Since the consumers may not be associated with a process, drivers may 132not use 133.Xr tsleep 9 . 134The same holds for the framework. 135Thus, a callback mechanism is used 136to notify a consumer that a request has been completed (the 137callback is specified by the consumer on an per-request basis). 138The callback is invoked by the framework whether the request was 139successfully completed or not. 140An error indication is provided in the latter case. 141A specific error code, 142.Er EAGAIN , 143is used to indicate that a session number has changed and that the 144request may be re-submitted immediately with the new session number. 145Errors are only returned to the invoking function if not 146enough information to call the callback is available (meaning, there 147was a fatal error in verifying the arguments). 148For session initialization and teardown there is no callback mechanism used. 149.br 150.Pp 151The 152.Fn crypto_newsession 153routine is called by consumers of cryptographic services (such as the 154.Xr ipsec 4 155stack) that wish to establish a new session with the framework. 156On success, the first argument will contain the Session Identifier (SID). 157The second argument contains all the necessary information for 158the driver to establish the session. 159The third argument indicates whether a 160hardware driver (1) should be used or not (0). 161The various fields in the 162.Fa cryptoini 163structure are: 164.Bl -tag -width foobarmoocow 165.It Fa cri_alg 166Contains an algorithm identifier. 167Currently supported algorithms are: 168.Bd -literal 169CRYPTO_DES_CBC 170CRYPTO_3DES_CBC 171CRYPTO_BLF_CBC 172CRYPTO_CAST_CBC 173CRYPTO_SKIPJACK_CBC 174CRYPTO_MD5_HMAC 175CRYPTO_SHA1_HMAC 176CRYPTO_RIPEMD160_HMAC 177CRYPTO_MD5_KPDK 178CRYPTO_SHA1_KPDK 179CRYPTO_AES_CBC 180CRYPTO_ARC4 181CRYPTO_MD5 182CRYPTO_SHA1 183.Ed 184.Pp 185.It Fa cri_klen 186Specifies the length of the key in bits, for variable-size key 187algorithms. 188.It Fa cri_rnd 189Specifies the number of rounds to be used with the algorithm, for 190variable-round algorithms. 191.It Fa cri_key 192Contains the key to be used with the algorithm. 193.It Fa cri_iv 194Contains an explicit initialization vector (IV), if it does not prefix 195the data. 196This field is ignored during initialization. 197If no IV is explicitly passed (see below on details), a random IV is used 198by the device driver processing the request. 199.It Fa cri_next 200Contains a pointer to another 201.Fa cryptoini 202structure. 203Multiple such structures may be linked to establish multi-algorithm sessions 204.Pf ( Xr ipsec 4 205is an example consumer of such a feature). 206.El 207.Pp 208The 209.Fa cryptoini 210structure and its contents will not be modified by the framework (or 211the drivers used). 212Subsequent requests for processing that use the 213SID returned will avoid the cost of re-initializing the hardware (in 214essence, SID acts as an index in the session cache of the driver). 215.Pp 216.Fn crypto_freesession 217is called with the SID returned by 218.Fn crypto_newsession 219to disestablish the session. 220.Pp 221.Fn crypto_dispatch 222is called to process a request. 223The various fields in the 224.Fa cryptop 225structure are: 226.Bl -tag -width crp_alloctype 227.It Fa crp_sid 228Contains the SID. 229.It Fa crp_ilen 230Indicates the total length in bytes of the buffer to be processed. 231.It Fa crp_olen 232On return, contains the total length of the result. 233For symmetric crypto operations, this will be the same as the input length. 234.It Fa crp_alloctype 235Indicates the type of buffer, as used in the kernel 236.Xr malloc 9 237routine. 238This will be used if the framework needs to allocate a new 239buffer for the result (or for re-formatting the input). 240.It Fa crp_callback 241This routine is invoked upon completion of the request, whether 242successful or not. 243It is invoked through the 244.Fn crypto_done 245routine. 246If the request was not successful, an error code is set in the 247.Fa crp_etype 248field. 249It is the responsibility of the callback routine to set the appropriate 250.Xr spl 9 251level. 252.It Fa crp_etype 253Contains the error type, if any errors were encountered, or zero if 254the request was successfully processed. 255If the 256.Er EAGAIN 257error code is returned, the SID has changed (and has been recorded in the 258.Fa crp_sid 259field). 260The consumer should record the new SID and use it in all subsequent requests. 261In this case, the request may be re-submitted immediately. 262This mechanism is used by the framework to perform 263session migration (move a session from one driver to another, because 264of availability, performance, or other considerations). 265.Pp 266Note that this field only makes sense when examined by 267the callback routine specified in 268.Fa crp_callback . 269Errors are returned to the invoker of 270.Fn crypto_process 271only when enough information is not present to call the callback 272routine (i.e., if the pointer passed is 273.Dv NULL 274or if no callback routine was specified). 275.It Fa crp_flags 276Is a bitmask of flags associated with this request. 277Currently defined flags are: 278.Bl -tag -width CRYPTO_F_IMBUF 279.It Dv CRYPTO_F_IMBUF 280The buffer pointed to by 281.Fa crp_buf 282is an mbuf chain. 283.El 284.Pp 285.It Fa crp_buf 286Points to the input buffer. 287On return (when the callback is invoked), 288it contains the result of the request. 289The input buffer may be an mbuf 290chain or a contiguous buffer (of a type identified by 291.Fa crp_alloctype ) , 292depending on 293.Fa crp_flags . 294.It Fa crp_opaque 295This is passed through the crypto framework untouched and is 296intended for the invoking application's use. 297.It Fa crp_desc 298This is a linked list of descriptors. 299Each descriptor provides 300information about what type of cryptographic operation should be done 301on the input buffer. 302The various fields are: 303.Bl -tag -width=crd_inject 304.It Fa crd_skip 305The offset in the input buffer where processing should start. 306.It Fa crd_len 307How many bytes, after 308.Fa Fa crd_skip , 309should be processed. 310.It Fa crd_inject 311Offset from the beginning of the buffer to insert any results. 312For encryption algorithms, this is where the initialization vector 313(IV) will be inserted when encrypting or where it can be found when 314decrypting (subject to 315.Fa Fa crd_flags ) . 316For MAC algorithms, this is where the result of the keyed hash will be 317inserted. 318.It Fa crd_flags 319The following flags are defined: 320.Bl -tag -width CRD_F_IV_EXPLICIT 321.It Dv CRD_F_ENCRYPT 322For encryption algorithms, this bit is set when encryption is required 323(when not set, decryption is performed). 324.It Dv CRD_F_IV_PRESENT 325For encryption algorithms, this bit is set when the IV already 326precedes the data, so the 327.Fa crd_inject 328value will be ignored and no IV will be written in the buffer. 329Otherwise, the IV used to encrypt the packet will be written 330at the location pointed to by 331.Fa crd_inject . 332The IV length is assumed to be equal to the blocksize of the 333encryption algorithm. 334Some applications that do special 335.Dq IV cooking , 336such as the half-IV mode in 337.Xr ipsec 4 , 338can use this flag to indicate that the IV should not be written on the packet. 339This flag is typically used in conjunction with the 340.Dv CRD_F_IV_EXPLICIT 341flag. 342.It Dv CRD_F_IV_EXPLICIT 343For encryption algorithms, this bit is set when the IV is explicitly 344provided by the consumer in the 345.Fa crd_iv 346fields. 347Otherwise, for encryption operations the IV is provided for by 348the driver used to perform the operation, whereas for decryption 349operations it is pointed to by the 350.Fa crd_inject 351field. 352This flag is typically used when the IV is calculated 353.Dq on the fly 354by the consumer, and does not precede the data (some 355.Xr ipsec 4 356configurations, and the encrypted swap are two such examples). 357.It Dv CRD_F_COMP 358For compression algorithms, this bit is set when compression is required (when 359not set, decompression is performed). 360.El 361.It Fa CRD_INI 362This 363.Fa cryptoini 364structure will not be modified by the framework or the device drivers. 365Since this information accompanies every cryptographic 366operation request, drivers may re-initialize state on-demand 367(typically an expensive operation). 368Furthermore, the cryptographic 369framework may re-route requests as a result of full queues or hardware 370failure, as described above. 371.It Fa crd_next 372Point to the next descriptor. 373Linked operations are useful in protocols such as 374.Xr ipsec 4 , 375where multiple cryptographic transforms may be applied on the same 376block of data. 377.El 378.El 379.Pp 380.Fn crypto_getreq 381allocates a 382.Fa cryptop 383structure with a linked list of as many 384.Fa cryptodesc 385structures as were specified in the argument passed to it. 386.Pp 387.Fn crypto_freereq 388deallocates a structure 389.Fa cryptop 390and any 391.Fa cryptodesc 392structures linked to it. 393Note that it is the responsibility of the 394callback routine to do the necessary cleanups associated with the 395opaque field in the 396.Fa cryptop 397structure. 398.Pp 399.Fn crypto_kdispatch 400is called to perform a keying operation. 401The various fields in the 402.Fa crytokop 403structure are: 404.Bl -tag -width crp_alloctype 405.It Fa krp_op 406Operation code, such as CRK_MOD_EXP. 407.It Fa krp_status 408Return code. 409This errno-style variable indicates whether lower level reasons 410for operation failure. 411.It Fa krp_iparams 412Number if input parameters to the specified operation. 413Note that each operation has a (typically hardwired) number of such parameters. 414.It Fa krp_oparams 415Number if output parameters from the specified operation. 416Note that each operation has a (typically hardwired) number of such parameters. 417.It Fa krp_kvp 418An array of kernel memory blocks containing the parameters. 419.It Fa krp_hid 420Identifier specifying which low-level driver is being used. 421.It Fa krp_callback 422Callback called on completion of a keying operation. 423.El 424.Sh DRIVER-SIDE API 425The 426.Fn crypto_get_driverid , 427.Fn crypto_register , 428.Fn crypto_kregister , 429.Fn crypto_unregister , 430and 431.Fn crypto_done 432routines are used by drivers that provide support for cryptographic 433primitives to register and unregister with the kernel crypto services 434framework. 435Drivers must first use the 436.Fn crypto_get_driverid 437function to acquire a driver identifier, specifying the 438.Fa cc_flags 439as an argument (normally 0, but software-only drivers should specify 440.Dv CRYPTOCAP_F_SOFTWARE Ns ). 441For each algorithm the driver supports, it must then call 442.Fn crypto_register . 443The first argument is the driver identifier. 444The second argument is an array of 445.Dv CRYPTO_ALGORITHM_MAX + 1 446elements, indicating which algorithms are supported. 447The last three arguments are pointers to three 448driver-provided functions that the framework may call to establish new 449cryptographic context with the driver, free already established 450context, and ask for a request to be processed (encrypt, decrypt, 451etc.) 452.Fn crypto_unregister 453is called by drivers that wish to withdraw support for an algorithm. 454The two arguments are the driver and algorithm identifiers, respectively. 455Typically, drivers for 456.Xr pcmcia 4 457crypto cards that are being ejected will invoke this routine for all 458algorithms supported by the card. 459If called with 460.Dv CRYPTO_ALGORITHM_ALL , 461all algorithms registered for a driver will be unregistered in one go 462and the driver will be disabled (no new sessions will be allocated on 463that driver, and any existing sessions will be migrated to other 464drivers). 465The same will be done if all algorithms associated with a driver are 466unregistered one by one. 467.Pp 468The calling convention for the three driver-supplied routines is: 469.Bd -literal 470int (*newsession) (u_int32_t *, struct cryptoini *); 471int (*freesession) (u_int64_t); 472int (*process) (struct cryptop *); 473int (*kprocess) (struct cryptkop *); 474.Ed 475.Pp 476On invocation, the first argument to 477.Fn newsession 478contains the driver identifier obtained via 479.Fn crypto_get_driverid . 480On successfully returning, it should contain a driver-specific session 481identifier. 482The second argument is identical to that of 483.Fn crypto_newsession . 484.Pp 485The 486.Fn freesession 487routine takes as argument the SID (which is the concatenation of the 488driver identifier and the driver-specific session identifier). 489It should clear any context associated with the session (clear hardware 490registers, memory, etc.). 491.Pp 492The 493.Fn process 494routine is invoked with a request to perform crypto processing. 495This routine must not block, but should queue the request and return 496immediately. 497Upon processing the request, the callback routine should be invoked. 498In case of error, the error indication must be placed in the 499.Fa crp_etype 500field of the 501.Fa cryptop 502structure. 503When the request is completed, or an error is detected, the 504.Fn process 505routine should invoked 506.Fn crypto_done . 507Session migration may be performed, as mentioned previously. 508.Pp 509The 510.Fn kprocess 511routine is invoked with a request to perform crypto key processing. 512This routine must not block, but should queue the request and return 513immediately. 514Upon processing the request, the callback routine should be invoked. 515In case of error, the error indication must be placed in the 516.Fa krp_status 517field of the 518.Fa cryptkop 519structure. 520When the request is completed, or an error is detected, the 521.Fn kprocess 522routine should invoked 523.Fn crypto_kdone . 524.Sh RETURN VALUES 525.Fn crypto_register , 526.Fn crypto_kregister , 527.Fn crypto_unregister , 528.Fn crypto_newsession , 529and 530.Fn crypto_freesession 531return 0 on success, or an error code on failure. 532.Fn crypto_get_driverid 533returns a non-negative value on error, and \-1 on failure. 534.Fn crypto_getreq 535returns a pointer to a 536.Fa cryptop 537structure and 538.Dv NULL 539on failure. 540.Fn crypto_dispatch 541returns 542.Er EINVAL 543is its argument or the callback function was 544.Dv NULL , 545and 0 otherwise. 546The callback is provided with an error code in case of failure, in the 547.Fa crp_etype 548field. 549.Sh FILES 550.Bl -tag -width sys/crypto/crypto.c 551.It Pa sys/crypto/crypto.c 552most of the framework code 553.El 554.Sh SEE ALSO 555.Xr ipsec 4 , 556.Xr pcmcia 4 , 557.Xr malloc 9 , 558.Xr tsleep 9 559.Sh HISTORY 560The cryptographic framework first appeared in 561.Ox 2.7 562and was written by Angelos D. Keromytis <angelos@openbsd.org>. 563.Sh BUGS 564The framework currently assumes that all the algorithms in a 565.Fn crypto_newsession 566operation must be available by the same driver. 567If that's not the case, session initialization will fail. 568.Pp 569The framework also needs a mechanism for determining which driver is 570best for a specific set of algorithms associated with a session. 571Some type of benchmarking is in order here. 572.Pp 573Multiple instances of the same algorithm in the same session are not 574supported. 575Note that 3DES is considered one algorithm (and not three 576instances of DES). 577Thus, 3DES and DES could be mixed in the same request. 578.Pp 579A queue for completed operations should be implemented and processed 580at some software 581.Xr spl 9 582level, to avoid overall system latency issues, and potential kernel 583stack exhaustion while processing a callback. 584.Pp 585When SMP time comes, we will support use of a second processor (or 586more) as a crypto device (this is actually AMP, but we need the same 587basic support). 588