1.\" $OpenBSD: crypto.9,v 1.25 2003/07/11 13:47:41 jmc Exp $ 2.\" $NetBSD: opencrypto.9,v 1.12 2011/09/16 22:27:36 jym Exp $ 3.\" 4.\" The author of this man page is Angelos D. Keromytis (angelos@cis.upenn.edu) 5.\" 6.\" Copyright (c) 2000, 2001 Angelos D. Keromytis 7.\" 8.\" Permission to use, copy, and modify this software with or without fee 9.\" is hereby granted, provided that this entire notice is included in 10.\" all source code copies of any software which is or includes a copy or 11.\" modification of this software. 12.\" 13.\" THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 14.\" IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 15.\" REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 16.\" MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 17.\" PURPOSE. 18.\" 19.Dd September 17, 2011 20.Dt OPENCRYPTO 9 21.Os 22.Sh NAME 23.Nm opencrypto , 24.Nm crypto_get_driverid , 25.Nm crypto_register , 26.Nm crypto_kregister , 27.Nm crypto_unregister , 28.Nm crypto_done , 29.Nm crypto_kdone , 30.Nm crypto_newsession , 31.Nm crypto_freesession , 32.Nm crypto_dispatch , 33.Nm crypto_kdispatch , 34.Nm crypto_getreq , 35.Nm crypto_freereq 36.Nd API for cryptographic services in the kernel 37.Sh SYNOPSIS 38.In opencrypto/cryptodev.h 39.Ft int32_t 40.Fn crypto_get_driverid "u_int32_t" 41.Ft int 42.Fn crypto_register "u_int32_t" "int" "u_int16_t" "u_int32_t" "int (*)(void *, u_int32_t *, struct cryptoini *)" "int (*)(void *, u_int32_t *)" "int (*)(u_int64_t)" "int (*)(struct cryptop *)" "void *" 43.Ft int 44.Fn crypto_kregister "u_int32_t" "int" "u_int32_t" "int (*)(void *, struct cryptkop *, int)" "void *" 45.Ft int 46.Fn crypto_unregister "u_int32_t" "int" 47.Ft void 48.Fn crypto_done "struct cryptop *" 49.Ft void 50.Fn crypto_kdone "struct cryptkop *" 51.Ft int 52.Fn crypto_newsession "u_int64_t *" "struct cryptoini *" "int" 53.Ft int 54.Fn crypto_freesession "u_int64_t" 55.Ft int 56.Fn crypto_dispatch "struct cryptop *" 57.Ft int 58.Fn crypto_kdispatch "struct cryptkop *" 59.Ft struct cryptop * 60.Fn crypto_getreq "int" 61.Ft void 62.Fn crypto_freereq "struct cryptop *" 63.Bd -literal 64 65#define EALG_MAX_BLOCK_LEN 16 66 67struct cryptoini { 68 int cri_alg; 69 int cri_klen; 70 int cri_rnd; 71 void *cri_key; 72 u_int8_t cri_iv[EALG_MAX_BLOCK_LEN]; 73 struct cryptoini *cri_next; 74}; 75 76struct cryptodesc { 77 int crd_skip; 78 int crd_len; 79 int crd_inject; 80 int crd_flags; 81 struct cryptoini CRD_INI; 82 struct cryptodesc *crd_next; 83}; 84 85struct cryptop { 86 TAILQ_ENTRY(cryptop) crp_next; 87 u_int64_t crp_sid; 88 int crp_ilen; 89 int crp_olen; 90 int crp_etype; 91 int crp_flags; 92 void *crp_buf; 93 void *crp_opaque; 94 struct cryptodesc *crp_desc; 95 int (*crp_callback)(struct cryptop *); 96 void *crp_mac; 97}; 98 99struct crparam { 100 void *crp_p; 101 u_int crp_nbits; 102}; 103 104#define CRK_MAXPARAM 8 105 106struct cryptkop { 107 TAILQ_ENTRY(cryptkop) krp_next; 108 u_int krp_op; /* i.e. CRK_MOD_EXP or other */ 109 u_int krp_status; /* return status */ 110 u_short krp_iparams; /* # of input parameters */ 111 u_short krp_oparams; /* # of output parameters */ 112 u_int32_t krp_hid; 113 struct crparam krp_param[CRK_MAXPARAM]; /* kvm */ 114 int (*krp_callback)(struct cryptkop *); 115}; 116.Ed 117.Sh DESCRIPTION 118.Nm 119is a framework for drivers of cryptographic hardware to register with 120the kernel so 121.Dq consumers 122(other kernel subsystems, and eventually 123users through an appropriate device) are able to make use of it. 124Drivers register with the framework the algorithms they support, 125and provide entry points (functions) the framework may call to 126establish, use, and tear down sessions. 127Sessions are used to cache cryptographic information in a particular driver 128(or associated hardware), so initialization is not needed with every request. 129Consumers of cryptographic services pass a set of 130descriptors that instruct the framework (and the drivers registered 131with it) of the operations that should be applied on the data (more 132than one cryptographic operation can be requested). 133.Pp 134Keying operations are supported as well. 135Unlike the symmetric operators described above, 136these sessionless commands perform mathematical operations using 137input and output parameters. 138.Pp 139Since the consumers may not be associated with a process, drivers may 140not use condition variables: 141.Xr condvar 9 . 142The same holds for the framework. 143Thus, a callback mechanism is used 144to notify a consumer that a request has been completed (the 145callback is specified by the consumer on an per-request basis). 146The callback is invoked by the framework whether the request was 147successfully completed or not. 148An error indication is provided in the latter case. 149A specific error code, 150.Er EAGAIN , 151is used to indicate that a session number has changed and that the 152request may be re-submitted immediately with the new session number. 153Errors are only returned to the invoking function if not 154enough information to call the callback is available (meaning, there 155was a fatal error in verifying the arguments). 156No callback mechanism is used for session initialization and teardown. 157.Pp 158The 159.Fn crypto_newsession 160routine is called by consumers of cryptographic services (such as the 161.Xr ipsec 4 162stack) that wish to establish a new session with the framework. 163On success, the first argument will contain the Session Identifier (SID). 164The second argument contains all the necessary information for 165the driver to establish the session. 166The third argument indicates whether a 167hardware driver should be used (1) or not (0). 168The various fields in the 169.Fa cryptoini 170structure are: 171.Bl -tag -width foobarmoocow 172.It Fa cri_alg 173Contains an algorithm identifier. 174Currently supported algorithms are: 175.Bd -literal 176CRYPTO_DES_CBC 177CRYPTO_3DES_CBC 178CRYPTO_BLF_CBC 179CRYPTO_CAST_CBC 180CRYPTO_CAMELLIA_CBC 181CRYPTO_SKIPJACK_CBC 182CRYPTO_ARC4 183CRYPTO_AES_CBC 184CRYPTO_AES_CTR 185CRYPTO_AES_GCM_16 186CRYPTO_AES_GMAC 187CRYPTO_AES_128_GMAC 188CRYPTO_AES_192_GMAC 189CRYPTO_AES_256_GMAC 190CRYPTO_AES_XCBC_MAC_96 191CRYPTO_MD5 192CRYPTO_MD5_HMAC 193CRYPTO_MD5_HMAC_96 194CRYPTO_MD5_KPDK 195CRYPTO_NULL_CBC 196CRYPTO_NULL_HMAC 197CRYPTO_SHA1 198CRYPTO_SHA1_HMAC 199CRYPTO_SHA1_HMAC_96 200CRYPTO_SHA1_KPDK 201CRYPTO_SHA2_256_HMAC 202CRYPTO_SHA2_384_HMAC 203CRYPTO_SHA2_512_HMAC 204CRYPTO_RIPEMD160_HMAC 205CRYPTO_RIPEMD160_HMAC_96 206CRYPTO_DEFLATE_COMP 207CRYPTO_DEFLATE_COMP_NOGROW 208CRYPTO_GZIP_COMP 209.Ed 210.Pp 211.It Fa cri_klen 212Specifies the length of the key in bits, for variable-size key 213algorithms. 214.It Fa cri_rnd 215Specifies the number of rounds to be used with the algorithm, for 216variable-round algorithms. 217.It Fa cri_key 218Contains the key to be used with the algorithm. 219.It Fa cri_iv 220Contains an explicit initialization vector (IV), if it does not prefix 221the data. 222This field is ignored during initialization. 223If no IV is explicitly passed (see below on details), a random IV is used 224by the device driver processing the request. 225.It Fa cri_next 226Contains a pointer to another 227.Fa cryptoini 228structure. 229Multiple such structures may be linked to establish multi-algorithm sessions 230.Pf ( Xr ipsec 4 231is an example consumer of such a feature). 232.El 233.Pp 234The 235.Fa cryptoini 236structure and its contents will not be modified by the framework (or 237the drivers used). 238Subsequent requests for processing that use the 239SID returned will avoid the cost of re-initializing the hardware (in 240essence, SID acts as an index in the session cache of the driver). 241.Pp 242.Fn crypto_freesession 243is called with the SID returned by 244.Fn crypto_newsession 245to disestablish the session. 246.Pp 247.Fn crypto_dispatch 248is called to process a request. 249The various fields in the 250.Fa cryptop 251structure are: 252.Bl -tag -width crp_callback 253.It Fa crp_sid 254Contains the SID. 255.It Fa crp_ilen 256Indicates the total length in bytes of the buffer to be processed. 257.It Fa crp_olen 258On return, contains the length of the result, not including 259.Fa crd_skip . 260For symmetric crypto operations, this will be the same as the input length. 261.It Fa crp_alloctype 262Indicates the type of buffer, as used in the kernel 263.Xr malloc 9 264routine. 265This will be used if the framework needs to allocate a new 266buffer for the result (or for re-formatting the input). 267.It Fa crp_callback 268This routine is invoked upon completion of the request, whether 269successful or not. 270It is invoked through the 271.Fn crypto_done 272routine. 273If the request was not successful, an error code is set in the 274.Fa crp_etype 275field. 276It is the responsibility of the callback routine to set the appropriate 277.Xr spl 9 278level. 279.It Fa crp_etype 280Contains the error type, if any errors were encountered, or zero if 281the request was successfully processed. 282If the 283.Er EAGAIN 284error code is returned, the SID has changed (and has been recorded in the 285.Fa crp_sid 286field). 287The consumer should record the new SID and use it in all subsequent requests. 288In this case, the request may be re-submitted immediately. 289This mechanism is used by the framework to perform 290session migration (move a session from one driver to another, because 291of availability, performance, or other considerations). 292.Pp 293Note that this field only makes sense when examined by 294the callback routine specified in 295.Fa crp_callback . 296Errors are returned to the invoker of 297.Fn crypto_process 298only when enough information is not present to call the callback 299routine (i.e., if the pointer passed is 300.Dv NULL 301or if no callback routine was specified). 302.It Fa crp_flags 303Is a bitmask of flags associated with this request. 304Currently defined flags are: 305.Bl -tag -width CRYPTO_F_IMBUF 306.It Dv CRYPTO_F_IMBUF 307The buffer pointed to by 308.Fa crp_buf 309is an mbuf chain. 310.El 311.Pp 312.It Fa crp_buf 313Points to the input buffer. 314On return (when the callback is invoked), 315it contains the result of the request. 316The input buffer may be an mbuf 317chain or a contiguous buffer (of a type identified by 318.Fa crp_alloctype ) , 319depending on 320.Fa crp_flags . 321.It Fa crp_opaque 322This is passed through the crypto framework untouched and is 323intended for the invoking application's use. 324.It Fa crp_desc 325This is a linked list of descriptors. 326Each descriptor provides 327information about what type of cryptographic operation should be done 328on the input buffer. 329The various fields are: 330.Bl -tag -width ".Fa crd_inject" 331.It Fa crd_skip 332The offset in the input buffer where processing should start. 333.It Fa crd_len 334How many bytes, after 335.Fa crd_skip , 336should be processed. 337.It Fa crd_inject 338Offset from the beginning of the buffer to insert any results. 339For encryption algorithms, this is where the initialization vector 340(IV) will be inserted when encrypting or where it can be found when 341decrypting (subject to 342.Fa crd_flags ) . 343For MAC algorithms, this is where the result of the keyed hash will be 344inserted. 345.It Fa crd_flags 346For adjusting general operation from userland, 347the following flags are defined: 348.Bl -tag -width CRD_F_IV_EXPLICIT 349.It Dv CRD_F_ENCRYPT 350For encryption algorithms, this bit is set when encryption is required 351(when not set, decryption is performed). 352.It Dv CRD_F_IV_PRESENT 353For encryption algorithms, this bit is set when the IV already 354precedes the data, so the 355.Fa crd_inject 356value will be ignored and no IV will be written in the buffer. 357Otherwise, the IV used to encrypt the packet will be written 358at the location pointed to by 359.Fa crd_inject . 360Some applications that do special 361.Dq IV cooking , 362such as the half-IV mode in 363.Xr ipsec 4 , 364can use this flag to indicate that the IV should not be written on the packet. 365This flag is typically used in conjunction with the 366.Dv CRD_F_IV_EXPLICIT 367flag. 368.It Dv CRD_F_IV_EXPLICIT 369For encryption algorithms, this bit is set when the IV is explicitly 370provided by the consumer in the 371.Fa crd_iv 372fields. 373Otherwise, for encryption operations the IV is provided for by 374the driver used to perform the operation, whereas for decryption 375operations it is pointed to by the 376.Fa crd_inject 377field. 378This flag is typically used when the IV is calculated 379.Dq on the fly 380by the consumer, and does not precede the data (some 381.Xr ipsec 4 382configurations, and the encrypted swap are two such examples). 383.It Dv CRD_F_COMP 384For compression algorithms, this bit is set when compression is required (when 385not set, decompression is performed). 386.El 387.It Fa CRD_INI 388This 389.Fa cryptoini 390structure will not be modified by the framework or the device drivers. 391Since this information accompanies every cryptographic 392operation request, drivers may re-initialize state on-demand 393(typically an expensive operation). 394Furthermore, the cryptographic 395framework may re-route requests as a result of full queues or hardware 396failure, as described above. 397.It Fa crd_next 398Point to the next descriptor. 399Linked operations are useful in protocols such as 400.Xr ipsec 4 , 401where multiple cryptographic transforms may be applied on the same 402block of data. 403.El 404.El 405.Pp 406.Fn crypto_getreq 407allocates a 408.Fa cryptop 409structure with a linked list of as many 410.Fa cryptodesc 411structures as were specified in the argument passed to it. 412.Pp 413.Fn crypto_freereq 414deallocates a structure 415.Fa cryptop 416and any 417.Fa cryptodesc 418structures linked to it. 419Note that it is the responsibility of the 420callback routine to do the necessary cleanups associated with the 421opaque field in the 422.Fa cryptop 423structure. 424.Pp 425.Fn crypto_kdispatch 426is called to perform a keying operation. 427The various fields in the 428.Fa crytokop 429structure are: 430.Bl -tag -width crp_alloctype 431.It Fa krp_op 432Operation code, such as CRK_MOD_EXP. 433.It Fa krp_status 434Return code. 435This errno-style variable indicates whether there were lower level reasons 436for operation failure. 437.It Fa krp_iparams 438Number of input parameters to the specified operation. 439Note that each operation has a (typically hardwired) number of such parameters. 440.It Fa krp_oparams 441Number of output parameters from the specified operation. 442Note that each operation has a (typically hardwired) number of such parameters. 443.It Fa krp_kvp 444An array of kernel memory blocks containing the parameters. 445.It Fa krp_hid 446Identifier specifying which low-level driver is being used. 447.It Fa krp_callback 448Callback called on completion of a keying operation. 449.El 450.Pp 451The following sysctl entries exist to adjust 452the behaviour of the system from userland: 453.Bl -tag -width kern.cryptodevallowsoft 454.It kern.usercrypto 455Allow (1) or forbid (0) userland access to 456.Pa /dev/crypto . 457.It kern.userasymcrypto 458Allow (1) or forbid (0) userland access to 459do asymmetric crypto requests. 460.It kern.cryptodevallowsoft 461Enable/disable access to hardware versus software operations: 462.Bl -tag -width xxx 463.It \*[Lt] 0 464Force userlevel requests to use software operations, always. 465.It = 0 466Use hardware if present, grant userlevel requests for non-accelerated 467operations (handling the latter in software). 468.It \*[Gt] 0 469Allow user requests only for operations which are hardware-accelerated. 470.El 471.El 472.Sh DRIVER-SIDE API 473The 474.Fn crypto_get_driverid , 475.Fn crypto_register , 476.Fn crypto_kregister , 477.Fn crypto_unregister , 478and 479.Fn crypto_done 480routines are used by drivers that provide support for cryptographic 481primitives to register and unregister with the kernel crypto services 482framework. 483Drivers must first use the 484.Fn crypto_get_driverid 485function to acquire a driver identifier, specifying the 486.Fa flags 487as an argument (normally 0, but software-only drivers should specify 488.Dv CRYPTOCAP_F_SOFTWARE ) . 489For each algorithm the driver supports, it must then call 490.Fn crypto_register . 491The first argument is the driver identifier. 492The second argument is an array of 493.Dv CRYPTO_ALGORITHM_MAX + 1 494elements, indicating which algorithms are supported. 495The last three arguments are pointers to three 496driver-provided functions that the framework may call to establish new 497cryptographic context with the driver, free already established 498context, and ask for a request to be processed (encrypt, decrypt, 499etc.) 500.Fn crypto_unregister 501is called by drivers that wish to withdraw support for an algorithm. 502The two arguments are the driver and algorithm identifiers, respectively. 503Typically, drivers for 504.Xr pcmcia 4 505crypto cards that are being ejected will invoke this routine for all 506algorithms supported by the card. 507If called with 508.Dv CRYPTO_ALGORITHM_ALL , 509all algorithms registered for a driver will be unregistered in one go 510and the driver will be disabled (no new sessions will be allocated on 511that driver, and any existing sessions will be migrated to other 512drivers). 513The same will be done if all algorithms associated with a driver are 514unregistered one by one. 515.Pp 516The calling convention for the three driver-supplied routines is: 517.Bd -literal 518int (*newsession) (void *, u_int32_t *, struct cryptoini *); 519int (*freesession) (void *, u_int64_t); 520int (*process) (void *, struct cryptop *, int); 521.Ed 522.Pp 523On invocation, the first argument to 524.Fn newsession 525contains the driver identifier obtained via 526.Fn crypto_get_driverid . 527On successfully returning, it should contain a driver-specific session 528identifier. 529The second argument is identical to that of 530.Fn crypto_newsession . 531.Pp 532The 533.Fn freesession 534routine takes as argument the SID (which is the concatenation of the 535driver identifier and the driver-specific session identifier). 536It should clear any context associated with the session (clear hardware 537registers, memory, etc.). 538.Pp 539The 540.Fn process 541routine is invoked with a request to perform crypto processing. 542This routine must not block, but should queue the request and return 543immediately. 544Upon processing the request, the callback routine should be invoked. 545In case of error, the error indication must be placed in the 546.Fa crp_etype 547field of the 548.Fa cryptop 549structure. 550The 551.Fa hint 552argument can be set to 553.Dv CRYPTO_HINT_MORE 554when there will be more request right after this request. 555When the request is completed, or an error is detected, the 556.Fn process 557routine should invoke 558.Fn crypto_done . 559Session migration may be performed, as mentioned previously. 560.Pp 561The 562.Fn kprocess 563routine is invoked with a request to perform crypto key processing. 564This routine must not block, but should queue the request and return 565immediately. 566Upon processing the request, the callback routine should be invoked. 567In case of error, the error indication must be placed in the 568.Fa krp_status 569field of the 570.Fa cryptkop 571structure. 572When the request is completed, or an error is detected, the 573.Fn kprocess 574routine should invoke 575.Fn crypto_kdone . 576.Sh RETURN VALUES 577.Fn crypto_register , 578.Fn crypto_kregister , 579.Fn crypto_unregister , 580.Fn crypto_newsession , 581and 582.Fn crypto_freesession 583return 0 on success, or an error code on failure. 584.Fn crypto_get_driverid 585returns a non-negative value on error, and \-1 on failure. 586.Fn crypto_getreq 587returns a pointer to a 588.Fa cryptop 589structure and 590.Dv NULL 591on failure. 592.Fn crypto_dispatch 593returns 594.Er EINVAL 595if its argument or the callback function was 596.Dv NULL , 597and 0 otherwise. 598The callback is provided with an error code in case of failure, in the 599.Fa crp_etype 600field. 601.Sh FILES 602.Bl -tag -width sys/opencrypto/crypto.c 603.It Pa sys/opencrypto/crypto.c 604most of the framework code 605.It Pa sys/crypto 606crypto algorithm implementations 607.El 608.Sh SEE ALSO 609.Xr ipsec 4 , 610.Xr pcmcia 4 , 611.Xr condvar 9 , 612.Xr malloc 9 613.Rs 614.%A "Angelos D. Keromytis" 615.%A "Jason L. Wright" 616.%A "Theo de Raadt" 617.%T "The Design of the OpenBSD Cryptographic Framework" 618.%I "Usenix" 619.%N "2003" 620.%D "June 2003" 621.Re 622.Sh HISTORY 623The cryptographic framework first appeared in 624.Ox 2.7 625and was written by 626.An Angelos D. Keromytis Aq angelos@openbsd.org . 627.Pp 628.An Sam Leffler 629ported the crypto framework to 630.Fx 631and made performance improvements. 632.Pp 633.An Jonathan Stone Aq jonathan@NetBSD.org 634ported the cryptoframe from 635.Fx 636to 637.Nx . 638.Nm opencrypto 639first appeared in 640.Nx 2.0 . 641.Sh BUGS 642The framework currently assumes that all the algorithms in a 643.Fn crypto_newsession 644operation must be available by the same driver. 645If that's not the case, session initialization will fail. 646.Pp 647The framework also needs a mechanism for determining which driver is 648best for a specific set of algorithms associated with a session. 649Some type of benchmarking is in order here. 650.Pp 651Multiple instances of the same algorithm in the same session are not 652supported. 653Note that 3DES is considered one algorithm (and not three 654instances of DES). 655Thus, 3DES and DES could be mixed in the same request. 656.Pp 657A queue for completed operations should be implemented and processed 658at some software 659.Xr spl 9 660level, to avoid overall system latency issues, and potential kernel 661stack exhaustion while processing a callback. 662.Pp 663When SMP time comes, we will support use of a second processor (or 664more) as a crypto device (this is actually AMP, but we need the same 665basic support). 666