xref: /freebsd/share/man/man4/crypto.4 (revision e9b261f297cac146f0c9f895c16debe1c4cf8978)
1.\"	$NetBSD: crypto.4,v 1.24 2014/01/27 21:23:59 pgoyette Exp $
2.\"
3.\" Copyright (c) 2008 The NetBSD Foundation, Inc.
4.\" Copyright (c) 2014-2021 The FreeBSD Foundation
5.\" All rights reserved.
6.\"
7.\" Portions of this documentation were written by John-Mark Gurney
8.\" under sponsorship of the FreeBSD Foundation and
9.\" Rubicon Communications, LLC (Netgate).
10.\"
11.\" Portions of this documentation were written by Ararat River
12.\" Consulting, LLC under sponsorship of the FreeBSD Foundation.
13.\"
14.\" This code is derived from software contributed to The NetBSD Foundation
15.\" by Coyote Point Systems, Inc.
16.\"
17.\" Redistribution and use in source and binary forms, with or without
18.\" modification, are permitted provided that the following conditions
19.\" are met:
20.\" 1. Redistributions of source code must retain the above copyright
21.\"    notice, this list of conditions and the following disclaimer.
22.\" 2. Redistributions in binary form must reproduce the above copyright
23.\"    notice, this list of conditions and the following disclaimer in the
24.\"    documentation and/or other materials provided with the distribution.
25.\"
26.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
27.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
28.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
29.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
30.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
31.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
32.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
33.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
34.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
35.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
36.\" POSSIBILITY OF SUCH DAMAGE.
37.\"
38.\"
39.\"
40.\" Copyright (c) 2004
41.\"	Jonathan Stone <jonathan@dsg.stanford.edu>. All rights reserved.
42.\"
43.\" Redistribution and use in source and binary forms, with or without
44.\" modification, are permitted provided that the following conditions
45.\" are met:
46.\" 1. Redistributions of source code must retain the above copyright
47.\"    notice, this list of conditions and the following disclaimer.
48.\" 2. Redistributions in binary form must reproduce the above copyright
49.\"    notice, this list of conditions and the following disclaimer in the
50.\"    documentation and/or other materials provided with the distribution.
51.\"
52.\" THIS SOFTWARE IS PROVIDED BY Jonathan Stone AND CONTRIBUTORS ``AS IS'' AND
53.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
55.\" ARE DISCLAIMED.  IN NO EVENT SHALL Jonathan Stone OR THE VOICES IN HIS HEAD
56.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
57.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
58.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
59.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
60.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
61.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
62.\" THE POSSIBILITY OF SUCH DAMAGE.
63.\"
64.Dd October 6, 2021
65.Dt CRYPTO 4
66.Os
67.Sh NAME
68.Nm crypto ,
69.Nm cryptodev
70.Nd user-mode access to hardware-accelerated cryptography
71.Sh SYNOPSIS
72.Cd device crypto
73.Cd device cryptodev
74.Pp
75.In sys/ioctl.h
76.In sys/time.h
77.In crypto/cryptodev.h
78.Sh DESCRIPTION
79The
80.Nm
81driver gives user-mode applications access to hardware-accelerated
82cryptographic transforms as implemented by the
83.Xr crypto 9
84in-kernel interface.
85.Pp
86The
87.Pa /dev/crypto
88special device provides an
89.Xr ioctl 2
90based interface.
91User-mode applications open the special device and
92then issue
93.Xr ioctl 2
94calls on the descriptor.
95User-mode access to
96.Pa /dev/crypto
97is controlled by the
98.Ic kern.cryptodevallowsoft
99.Xr sysctl 8
100variable.
101If this variable is zero,
102then user-mode sessions are only permitted to use cryptography coprocessors.
103.Sh THEORY OF OPERATION
104Use of the device requires a basic series of steps:
105.Bl -enum
106.It
107Open the
108.Pa /dev/crypto
109device.
110.It
111Create a session with
112.Dv CIOCGSESSION
113or
114.Dv CIOCGSESSION2 .
115Applications will require at least one symmetric session.
116Since cipher and MAC keys are tied to sessions, many
117applications will require more.
118.It
119Submit requests, synchronously with
120.Dv CIOCCRYPT
121or
122.Dv CIOCCRYPTAEAD .
123.It
124Optionally destroy a session with
125.Dv CIOCFSESSION .
126.It
127Close the
128.Pa /dev/crypto
129device.
130This will automatically close any remaining sessions associated with the
131file descriptor.
132.El
133.Sh SYMMETRIC-KEY OPERATION
134.Nm cryptodev
135provides a context-based API
136to traditional symmetric-key encryption (or privacy) algorithms,
137keyed and unkeyed one-way hash (HMAC and MAC) algorithms,
138encrypt-then-authenticate (ETA) fused operations,
139and authenticated encryption with additional data (AEAD) operations.
140For ETA operations,
141drivers perform both a privacy algorithm and an integrity-check
142algorithm in a single pass over the data: either a fused
143encrypt/HMAC-generate operation, or a fused HMAC-verify/decrypt operation.
144Similarly, for AEAD operations,
145drivers perform either an encrypt/MAC-generate operation
146or a MAC-verify/decrypt operation.
147.Pp
148The algorithm(s) and key(s) to use are specified when a session is
149created.
150Individual requests are able to specify per-request initialization vectors
151or nonces.
152.Ss Algorithms
153For a list of supported algorithms, see
154.Xr crypto 7 .
155.Ss IOCTL Request Descriptions
156.\"
157.Bl -tag -width CIOCGSESSION
158.\"
159.It Dv CIOCFINDDEV Fa struct crypt_find_op *fop
160.Bd -literal
161struct crypt_find_op {
162    int     crid;       /* driver id + flags */
163    char    name[32];   /* device/driver name */
164};
165
166.Ed
167If
168.Fa crid
169is -1, then find the driver named
170.Fa name
171and return the id in
172.Fa crid .
173If
174.Fa crid
175is not -1, return the name of the driver with
176.Fa crid
177in
178.Fa name .
179In either case, if the driver is not found,
180.Dv ENOENT
181is returned.
182.It Dv CIOCGSESSION Fa struct session_op *sessp
183.Bd -literal
184struct session_op {
185    uint32_t cipher;	/* e.g. CRYPTO_AES_CBC */
186    uint32_t mac;	/* e.g. CRYPTO_SHA2_256_HMAC */
187
188    uint32_t keylen;	/* cipher key */
189    const void *key;
190    int mackeylen;	/* mac key */
191    const void *mackey;
192
193    uint32_t ses;	/* returns: ses # */
194};
195
196.Ed
197Create a new cryptographic session on a file descriptor for the device;
198that is, a persistent object specific to the chosen
199privacy algorithm, integrity algorithm, and keys specified in
200.Fa sessp .
201The special value 0 for either privacy or integrity
202is reserved to indicate that the indicated operation (privacy or integrity)
203is not desired for this session.
204ETA sessions specify both privacy and integrity algorithms.
205AEAD sessions specify only a privacy algorithm.
206.Pp
207Multiple sessions may be bound to a single file descriptor.
208The session ID returned in
209.Fa sessp-\*[Gt]ses
210is supplied as a required field in the operation structure
211.Fa crypt_op
212for future encryption or hashing requests.
213.\" .Pp
214.\" This implementation will never return a session ID of 0 for a successful
215.\" creation of a session, which is a
216.\" .Nx
217.\" extension.
218.Pp
219For non-zero privacy algorithms, the privacy algorithm
220must be specified in
221.Fa sessp-\*[Gt]cipher ,
222the key length in
223.Fa sessp-\*[Gt]keylen ,
224and the key value in the octets addressed by
225.Fa sessp-\*[Gt]key .
226.Pp
227For keyed one-way hash algorithms, the one-way hash must be specified
228in
229.Fa sessp-\*[Gt]mac ,
230the key length in
231.Fa sessp-\*[Gt]mackey ,
232and the key value in the octets addressed by
233.Fa sessp-\*[Gt]mackeylen .
234.\"
235.Pp
236Support for a specific combination of fused privacy and
237integrity-check algorithms depends on whether the underlying
238hardware supports that combination.
239Not all combinations are supported
240by all hardware, even if the hardware supports each operation as a
241stand-alone non-fused operation.
242.It Dv CIOCGSESSION2 Fa struct session2_op *sessp
243.Bd -literal
244struct session2_op {
245    uint32_t cipher;	/* e.g. CRYPTO_AES_CBC */
246    uint32_t mac;	/* e.g. CRYPTO_SHA2_256_HMAC */
247
248    uint32_t keylen;	/* cipher key */
249    const void *key;
250    int mackeylen;	/* mac key */
251    const void *mackey;
252
253    uint32_t ses;	/* returns: ses # */
254    int	crid;		/* driver id + flags (rw) */
255    int ivlen;		/* length of nonce/IV */
256    int maclen;		/* length of MAC/tag */
257    int	pad[2];		/* for future expansion */
258};
259
260.Ed
261This request is similar to CIOGSESSION but adds additional fields.
262.Pp
263.Fa sessp-\*[Gt]crid
264requests either a specific crypto device or a class of devices (software vs
265hardware).
266.Pp
267.Fa sessp-\*[Gt]ivlen
268specifies the length of the IV or nonce supplied with each request.
269If this field is set to zero, the default IV or nonce length is used.
270.Pp
271.Fa sessp-\*[Gt]maclen
272specifies the length of the MAC or authentication tag supplied or computed by
273each request.
274If this field is set to zero, the full MAC is used.
275.Pp
276The
277.Fa sessp-\*[Gt]pad
278field must be initialized to zero.
279.It Dv CIOCCRYPT Fa struct crypt_op *cr_op
280.Bd -literal
281struct crypt_op {
282    uint32_t ses;
283    uint16_t op;	/* e.g. COP_ENCRYPT */
284    uint16_t flags;
285    u_int len;
286    const void *src;
287    void *dst;
288    void *mac;		/* must be large enough for result */
289    const void *iv;
290};
291
292.Ed
293Request an encryption/decryption (or hash) operation.
294To encrypt, set
295.Fa cr_op-\*[Gt]op
296to
297.Dv COP_ENCRYPT .
298To decrypt, set
299.Fa cr_op-\*[Gt]op
300to
301.Dv COP_DECRYPT .
302The field
303.Fa cr_op-\*[Gt]len
304supplies the length of the input buffer; the fields
305.Fa cr_op-\*[Gt]src ,
306.Fa cr_op-\*[Gt]dst ,
307.Fa cr_op-\*[Gt]mac ,
308.Fa cr_op-\*[Gt]iv
309supply the addresses of the input buffer, output buffer,
310one-way hash, and initialization vector, respectively.
311.Pp
312If a session is using either fused encrypt-then-authenticate or
313an AEAD algorithm,
314decryption operations require the associated hash as an input.
315If the hash is incorrect, the
316operation will fail with
317.Dv EBADMSG
318and the output buffer will remain unchanged.
319.It Dv CIOCCRYPTAEAD Fa struct crypt_aead *cr_aead
320.Bd -literal
321struct crypt_aead {
322    uint32_t ses;
323    uint16_t op;	/* e.g. COP_ENCRYPT */
324    uint16_t flags;
325    u_int len;
326    u_int aadlen;
327    u_int ivlen;
328    const void *src;
329    void *dst;
330    const void *aad;	/* additional authenticated data */
331    void *tag;		/* must fit for chosen TAG length */
332    const void *iv;
333};
334
335.Ed
336The
337.Dv CIOCCRYPTAEAD
338is similar to the
339.Dv CIOCCRYPT
340but provides additional data in
341.Fa cr_aead-\*[Gt]aad
342to include in the authentication mode.
343.It Dv CIOCFSESSION Fa u_int32_t ses_id
344Destroys the session identified by
345.Fa ses_id .
346.El
347.Sh SEE ALSO
348.Xr aesni 4 ,
349.Xr hifn 4 ,
350.Xr ipsec 4 ,
351.Xr padlock 4 ,
352.Xr safe 4 ,
353.Xr crypto 7 ,
354.Xr geli 8 ,
355.Xr crypto 9
356.Sh HISTORY
357The
358.Nm
359driver first appeared in
360.Ox 3.0 .
361The
362.Nm
363driver was imported to
364.Fx 5.0 .
365.Sh BUGS
366Error checking and reporting is weak.
367.Pp
368The values specified for symmetric-key key sizes to
369.Dv CIOCGSESSION
370must exactly match the values expected by
371.Xr opencrypto 9 .
372The output buffer and MAC buffers supplied to
373.Dv CIOCCRYPT
374must follow whether privacy or integrity algorithms were specified for
375session: if you request a
376.No non- Ns Dv NULL
377algorithm, you must supply a suitably-sized buffer.
378