xref: /freebsd/share/man/man9/crypto_request.9 (revision 0d66206fff44f864ea8a4b220c3a53b4caa959a0)
1.\" Copyright (c) 2020, Chelsio Inc
2.\"
3.\" Redistribution and use in source and binary forms, with or without
4.\" modification, are permitted provided that the following conditions are met:
5.\"
6.\" 1. Redistributions of source code must retain the above copyright notice,
7.\"    this list of conditions and the following disclaimer.
8.\"
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" 3. Neither the name of the Chelsio Inc nor the names of its
14.\"    contributors may be used to endorse or promote products derived from
15.\"    this software without specific prior written permission.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
18.\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
21.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
23.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
24.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
25.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
26.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27.\" POSSIBILITY OF SUCH DAMAGE.
28.\"
29.\" * Other names and brands may be claimed as the property of others.
30.\"
31.\" $FreeBSD$
32.\"
33.Dd November 2, 2022
34.Dt CRYPTO_REQUEST 9
35.Os
36.Sh NAME
37.Nm crypto_request
38.Nd symmetric cryptographic operations
39.Sh SYNOPSIS
40.In opencrypto/cryptodev.h
41.Ft "struct cryptop *"
42.Fn crypto_clonereq "crypto_session_t cses" "struct cryptop *crp" "int how"
43.Ft int
44.Fn crypto_dispatch "struct cryptop *crp"
45.Ft int
46.Fn crypto_dispatch_async "struct cryptop *crp" "int flags"
47.Ft void
48.Fn crypto_dispatch_batch "struct cryptopq *crpq" "int flags"
49.Ft void
50.Fn crypto_destroyreq "struct cryptop *crp"
51.Ft void
52.Fn crypto_freereq "struct cryptop *crp"
53.Ft "struct cryptop *"
54.Fn crypto_getreq "crypto_session_t cses" "int how"
55.Ft void
56.Fn crypto_initreq "crypto_session_t cses" "int how"
57.Ft void
58.Fn crypto_use_buf "struct cryptop *crp" "void *buf" "int len"
59.Ft void
60.Fn crypto_use_mbuf "struct cryptop *crp" "struct mbuf *m"
61.Ft void
62.Fn crypto_use_uio "struct cryptop *crp" "struct uio *uio"
63.Ft void
64.Fn crypto_use_vmpage "struct cryptop *crp" "vm_page_t *pages" "int len" "int offset"
65.Ft void
66.Fn crypto_use_output_buf "struct cryptop *crp" "void *buf" "int len"
67.Ft void
68.Fn crypto_use_output_mbuf "struct cryptop *crp" "struct mbuf *m"
69.Ft void
70.Fn crypto_use_output_uio "struct cryptop *crp" "struct uio *uio"
71.Ft void
72.Fn crypto_use_output_vmpage "struct cryptop *crp" "vm_page_t *pages" "int len" "int offset"
73.Sh DESCRIPTION
74Each symmetric cryptographic operation in the kernel is described by
75an instance of
76.Vt struct cryptop
77and is associated with an active session.
78.Pp
79Requests can either be allocated dynamically or use caller-supplied
80storage.
81Dynamically allocated requests should be allocated by either
82.Fn crypto_getreq
83or
84.Fn crypto_clonereq ,
85and freed by
86.Fn crypto_freereq
87once the request has completed.
88Requests using caller-supplied storage should be initialized by
89.Fn crypto_initreq
90at the start of each operation and destroyed by
91.Fn crypto_destroyreq
92once the request has completed.
93.Pp
94For
95.Fn crypto_clonereq ,
96.Fn crypto_getreq ,
97and
98.Fn crypto_initreq ,
99.Fa cses
100is a reference to an active session.
101For
102.Fn crypto_clonereq
103and
104.Fn crypto_getreq ,
105.Fa how
106is passed to
107.Xr malloc 9
108and should be set to either
109.Dv M_NOWAIT
110or
111.Dv M_WAITOK .
112.Pp
113.Fn crypto_clonereq
114allocates a new request that inherits request inputs such as request buffers
115from the original
116.Fa crp
117request.
118However, the new request is associated with the
119.Fa cses
120session rather than inheriting the session from
121.Fa crp .
122.Fa crp
123must not be a completed request.
124.Pp
125Once a request has been initialized,
126the caller should set fields in the structure to describe
127request-specific parameters.
128Unused fields should be left as-is.
129.Pp
130The
131.Fn crypto_dispatch ,
132.Fn crypto_dispatch_async ,
133and
134.Fn crypto_dispatch_batch
135functions pass one or more crypto requests to the driver attached to the
136request's session.
137If there are errors in the request's fields, these functions may return an
138error to the caller.
139If errors are encountered while servicing the request, they will instead
140be reported to the request's callback function
141.Pq Fa crp_callback
142via
143.Fa crp_etype .
144.Pp
145Note that a request's callback function may be invoked before
146.Fn crypto_dispatch
147returns.
148.Pp
149Once a request has signaled completion by invoking its callback function,
150it should be freed via
151.Fn crypto_destroyreq
152or
153.Fn crypto_freereq .
154.Pp
155Cryptographic operations include several fields to describe the request.
156.Ss Request Buffers
157Requests can either specify a single data buffer that is modified in place
158.Po
159.Fa crp_buf
160.Pc
161or separate input
162.Po
163.Fa crp_buf
164.Pc
165and output
166.Po
167.Fa crp_obuf
168.Pc
169buffers.
170Note that separate input and output buffers are not supported for compression
171mode requests.
172.Pp
173All requests must have a valid
174.Fa crp_buf
175initialized by one of the following functions:
176.Bl -tag -width "Fn crypto_use_vmpage"
177.It Fn crypto_use_buf
178Uses an array of
179.Fa len
180bytes pointed to by
181.Fa buf
182as the data buffer.
183.It Fn crypto_use_mbuf
184Uses the network memory buffer
185.Fa m
186as the data buffer.
187.It Fn crypto_use_uio
188Uses the scatter/gather list
189.Fa uio
190as the data buffer.
191.It Fn crypto_use_vmpage
192Uses the array of
193.Vt vm_page_t
194structures as the data buffer.
195.El
196.Pp
197One of the following functions should be used to initialize
198.Fa crp_obuf
199for requests that use separate input and output buffers:
200.Bl -tag -width "Fn crypto_use_output_vmpage"
201.It Fn crypto_use_output_buf
202Uses an array of
203.Fa len
204bytes pointed to by
205.Fa buf
206as the output buffer.
207.It Fn crypto_use_output_mbuf
208Uses the network memory buffer
209.Fa m
210as the output buffer.
211.It Fn crypto_use_output_uio
212Uses the scatter/gather list
213.Fa uio
214as the output buffer.
215.It Fn crypto_use_output_vmpage
216Uses the array of
217.Vt vm_page_t
218structures as the output buffer.
219.El
220.Ss Request Regions
221Each request describes one or more regions in the data buffers.
222Each region is described by an offset relative to the start of a
223data buffer and a length.
224The length of some regions is the same for all requests belonging to
225a session.
226Those lengths are set in the session parameters of the associated
227session.
228All requests must define a payload region.
229Other regions are only required for specific session modes.
230.Pp
231For requests with separate input and output data buffers,
232the AAD, IV, and payload regions are always defined as regions in the
233input buffer,
234and a separate payload output region is defined to hold the output of
235encryption or decryption in the output buffer.
236The digest region describes a region in the input data buffer for
237requests that verify an existing digest.
238For requests that compute a digest,
239the digest region describes a region in the output data buffer.
240Note that the only data written to the output buffer is the encryption
241or decryption result and any computed digest.
242AAD and IV regions are not copied from the input buffer into the output
243buffer but are only used as inputs.
244.Pp
245The following regions are defined:
246.Bl -column "Payload Output" "Input/Output"
247.It Sy Region Ta Sy Buffer Ta Sy Description
248.It AAD Ta Input Ta
249Embedded Additional Authenticated Data
250.It IV Ta Input Ta
251Embedded IV or nonce
252.It Payload Ta Input Ta
253Data to encrypt, decrypt, compress, or decompress
254.It Payload Output Ta Output Ta
255Encrypted or decrypted data
256.It Digest Ta Input/Output Ta
257Authentication digest, hash, or tag
258.El
259.Bl -column "Payload Output" ".Fa crp_payload_output_start"
260.It Sy Region Ta Sy Start Ta Sy Length
261.It AAD Ta Fa crp_aad_start Ta Fa crp_aad_length
262.It IV Ta Fa crp_iv_start Ta Fa csp_ivlen
263.It Payload Ta Fa crp_payload_start Ta Fa crp_payload_length
264.It Payload Output Ta Fa crp_payload_output_start Ta Fa crp_payload_length
265.It Digest Ta Fa crp_digest_start Ta Fa csp_auth_mlen
266.El
267.Pp
268Requests are permitted to operate on only a subset of the data buffer.
269For example,
270requests from IPsec operate on network packets that include headers not
271used as either additional authentication data (AAD) or payload data.
272.Ss Request Operations
273All requests must specify the type of operation to perform in
274.Fa crp_op .
275Available operations depend on the session's mode.
276.Pp
277Compression requests support the following operations:
278.Bl -tag -width CRYPTO_OP_DECOMPRESS
279.It Dv CRYPTO_OP_COMPRESS
280Compress the data in the payload region of the data buffer.
281.It Dv CRYPTO_OP_DECOMPRESS
282Decompress the data in the payload region of the data buffer.
283.El
284.Pp
285Cipher requests support the following operations:
286.Bl -tag -width CRYPTO_OP_DECRYPT
287.It Dv CRYPTO_OP_ENCRYPT
288Encrypt the data in the payload region of the data buffer.
289.It Dv CRYPTO_OP_DECRYPT
290Decrypt the data in the payload region of the data buffer.
291.El
292.Pp
293Digest requests support the following operations:
294.Bl -tag -width CRYPTO_OP_COMPUTE_DIGEST
295.It Dv CRYPTO_OP_COMPUTE_DIGEST
296Calculate a digest over the payload region of the data buffer
297and store the result in the digest region.
298.It Dv CRYPTO_OP_VERIFY_DIGEST
299Calculate a digest over the payload region of the data buffer.
300Compare the calculated digest to the existing digest from the digest region.
301If the digests match,
302complete the request successfully.
303If the digests do not match,
304fail the request with
305.Er EBADMSG .
306.El
307.Pp
308AEAD and Encrypt-then-Authenticate requests support the following
309operations:
310.Bl -tag -width CRYPTO_OP
311.It Dv CRYPTO_OP_ENCRYPT | Dv CRYPTO_OP_COMPUTE_DIGEST
312Encrypt the data in the payload region of the data buffer.
313Calculate a digest over the AAD and payload regions and store the
314result in the data buffer.
315.It Dv CRYPTO_OP_DECRYPT | Dv CRYPTO_OP_VERIFY_DIGEST
316Calculate a digest over the AAD and payload regions of the data buffer.
317Compare the calculated digest to the existing digest from the digest region.
318If the digests match,
319decrypt the payload region.
320If the digests do not match,
321fail the request with
322.Er EBADMSG .
323.El
324.Ss Request AAD
325AEAD and Encrypt-then-Authenticate requests may optionally include
326Additional Authenticated Data.
327AAD may either be supplied in the AAD region of the input buffer or
328as a single buffer pointed to by
329.Fa crp_aad .
330In either case,
331.Fa crp_aad_length
332always indicates the amount of AAD in bytes.
333.Ss Request ESN
334IPsec requests may optionally include Extended Sequence Numbers (ESN).
335ESN may either be supplied in
336.Fa crp_esn
337or as part of the AAD pointed to by
338.Fa crp_aad .
339.Pp
340If the ESN is stored in
341.Fa crp_esn ,
342.Dv CSP_F_ESN
343should be set in
344.Fa csp_flags .
345This use case is dedicated for encrypt and authenticate mode, since the
346high-order 32 bits of the sequence number are appended after the Next Header
347(RFC 4303).
348.Pp
349AEAD modes supply the ESN in a separate AAD buffer (see e.g. RFC 4106, Chapter 5
350AAD Construction).
351.Ss Request IV and/or Nonce
352Some cryptographic operations require an IV or nonce as an input.
353An IV may be stored either in the IV region of the data buffer or in
354.Fa crp_iv .
355By default,
356the IV is assumed to be stored in the IV region.
357If the IV is stored in
358.Fa crp_iv ,
359.Dv CRYPTO_F_IV_SEPARATE
360should be set in
361.Fa crp_flags
362and
363.Fa crp_iv_start
364should be left as zero.
365.Pp
366Requests that store part, but not all, of the IV in the data buffer should
367store the partial IV in the data buffer and pass the full IV separately in
368.Fa crp_iv .
369.Ss Request and Callback Scheduling
370The crypto framework provides multiple methods of scheduling the dispatch
371of requests to drivers along with the processing of driver callbacks.
372The
373.Fn crypto_dispatch ,
374.Fn crypto_dispatch_async ,
375and
376.Fn crypto_dispatch_batch
377functions can be used to request different dispatch scheduling policies.
378.Pp
379.Fn crypto_dispatch
380synchronously passes the request to the driver.
381The driver itself may process the request synchronously or asynchronously
382depending on whether the driver is implemented by software or hardware.
383.Pp
384.Fn crypto_dispatch_async
385dispatches the request asynchronously.
386If the driver is inherently synchronous, the request is queued to a taskqueue
387backed by a pool of worker threads.
388This can increase througput by allowing requests from a single producer to be
389processed in parallel.
390By default the pool is sized to provide one thread for each CPU.
391Worker threads dequeue requests and pass them to the driver asynchronously.
392.Fn crypto_dispatch_async
393additionally takes a
394.Va flags
395parameter.
396The
397.Dv CRYPTO_ASYNC_ORDERED
398flag indicates that completion callbacks for requests must be called in the
399same order as requests were dispatched.
400If the driver is asynchronous, the behavior of
401.Fn crypto_dispatch_async
402is identical to that of
403.Fn crypto_dispatch .
404.Pp
405.Fn crypto_dispatch_batch
406allows the caller to collect a batch of requests and submit them to the driver
407at the same time.
408This allows hardware drivers to optimize the scheduling of request processing
409and batch completion interrupts.
410A batch is submitted to the driver by invoking the driver's process method on
411each request, specifying
412.Dv CRYPTO_HINT_MORE
413with each request except for the last.
414The
415.Fa flags
416parameter to
417.Fn crypto_dispatch_batch
418is currently ignored.
419.Pp
420Callback function scheduling is simpler than request scheduling.
421Callbacks can either be invoked synchronously from
422.Fn crypto_done ,
423or they can be queued to a pool of worker threads.
424This pool of worker threads is also sized to provide one worker thread
425for each CPU by default.
426Note that a callback function invoked synchronously from
427.Fn crypto_done
428must follow the same restrictions placed on threaded interrupt handlers.
429.Pp
430By default,
431callbacks are invoked asynchronously by a worker thread.
432If
433.Dv CRYPTO_F_CBIMM
434is set,
435the callback is always invoked synchronously from
436.Fn crypto_done .
437If
438.Dv CRYPTO_F_CBIFSYNC
439is set,
440the callback is invoked synchronously if the request was processed by a
441software driver or asynchronously if the request was processed by a
442hardware driver.
443.Pp
444If a request was scheduled to the taskqueue with
445.Dv CRYPTO_ASYNC_ORDERED ,
446callbacks are always invoked asynchronously ignoring
447.Dv CRYPTO_F_CBIMM
448and
449.Dv CRYPTO_F_CBIFSYNC .
450This flag is used by IPsec to ensure that decrypted network packets are
451passed up the network stack in roughly the same order they were received.
452.Ss Other Request Fields
453In addition to the fields and flags enumerated above,
454.Vt struct cryptop
455includes the following:
456.Bl -tag -width crp_payload_length
457.It Fa crp_session
458A reference to the active session.
459This is set when the request is created by
460.Fn crypto_getreq
461and should not be modified.
462Drivers can use this to fetch driver-specific session state or
463session parameters.
464.It Fa crp_etype
465Error status.
466Either zero on success, or an error if a request fails.
467Set by drivers prior to completing a request via
468.Fn crypto_done .
469.It Fa crp_flags
470A bitmask of flags.
471The following flags are available in addition to flags discussed previously:
472.Bl -tag -width CRYPTO_F_DONE
473.It Dv CRYPTO_F_DONE
474Set by
475.Fa crypto_done
476before calling
477.Fa crp_callback .
478This flag is not very useful and will likely be removed in the future.
479It can only be safely checked from the callback routine at which point
480it is always set.
481.El
482.It Fa crp_cipher_key
483Pointer to a request-specific encryption key.
484If this value is not set,
485the request uses the session encryption key.
486.It Fa crp_auth_key
487Pointer to a request-specific authentication key.
488If this value is not set,
489the request uses the session authentication key.
490.It Fa crp_opaque
491An opaque pointer.
492This pointer permits users of the cryptographic framework to store
493information about a request to be used in the callback.
494.It Fa crp_callback
495Callback function.
496This must point to a callback function of type
497.Vt void (*)(struct cryptop *) .
498The callback function should inspect
499.Fa crp_etype
500to determine the status of the completed operation.
501It should also arrange for the request to be freed via
502.Fn crypto_freereq .
503.It Fa crp_olen
504Used with compression and decompression requests to describe the updated
505length of the payload region in the data buffer.
506.Pp
507If a compression request increases the size of the payload,
508then the data buffer is unmodified, the request completes successfully,
509and
510.Fa crp_olen
511is set to the size the compressed data would have used.
512Callers can compare this to the payload region length to determine if
513the compressed data was discarded.
514.El
515.Sh RETURN VALUES
516.Fn crypto_dispatch
517returns an error if the request contained invalid fields,
518or zero if the request was valid.
519.Fn crypto_getreq
520returns a pointer to a new request structure on success,
521or
522.Dv NULL
523on failure.
524.Dv NULL
525can only be returned if
526.Dv M_NOWAIT
527was passed in
528.Fa how .
529.Sh SEE ALSO
530.Xr ipsec 4 ,
531.Xr crypto 7 ,
532.Xr crypto 9 ,
533.Xr crypto_session 9 ,
534.Xr mbuf 9 ,
535.Xr uio 9
536.Sh BUGS
537Not all drivers properly handle mixing session and per-request keys
538within a single session.
539Consumers should either use a single key for a session specified in
540the session parameters or always use per-request keys.
541