xref: /freebsd/share/man/man9/crypto_request.9 (revision 2e3507c25e42292b45a5482e116d278f5515d04d)
1.\" Copyright (c) 2020, Chelsio Inc
2.\"
3.\" Redistribution and use in source and binary forms, with or without
4.\" modification, are permitted provided that the following conditions are met:
5.\"
6.\" 1. Redistributions of source code must retain the above copyright notice,
7.\"    this list of conditions and the following disclaimer.
8.\"
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" 3. Neither the name of the Chelsio Inc nor the names of its
14.\"    contributors may be used to endorse or promote products derived from
15.\"    this software without specific prior written permission.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
18.\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
21.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
23.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
24.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
25.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
26.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27.\" POSSIBILITY OF SUCH DAMAGE.
28.\"
29.\" * Other names and brands may be claimed as the property of others.
30.\"
31.Dd November 2, 2022
32.Dt CRYPTO_REQUEST 9
33.Os
34.Sh NAME
35.Nm crypto_request
36.Nd symmetric cryptographic operations
37.Sh SYNOPSIS
38.In opencrypto/cryptodev.h
39.Ft "struct cryptop *"
40.Fn crypto_clonereq "crypto_session_t cses" "struct cryptop *crp" "int how"
41.Ft int
42.Fn crypto_dispatch "struct cryptop *crp"
43.Ft int
44.Fn crypto_dispatch_async "struct cryptop *crp" "int flags"
45.Ft void
46.Fn crypto_dispatch_batch "struct cryptopq *crpq" "int flags"
47.Ft void
48.Fn crypto_destroyreq "struct cryptop *crp"
49.Ft void
50.Fn crypto_freereq "struct cryptop *crp"
51.Ft "struct cryptop *"
52.Fn crypto_getreq "crypto_session_t cses" "int how"
53.Ft void
54.Fn crypto_initreq "crypto_session_t cses" "int how"
55.Ft void
56.Fn crypto_use_buf "struct cryptop *crp" "void *buf" "int len"
57.Ft void
58.Fn crypto_use_mbuf "struct cryptop *crp" "struct mbuf *m"
59.Ft void
60.Fn crypto_use_uio "struct cryptop *crp" "struct uio *uio"
61.Ft void
62.Fn crypto_use_vmpage "struct cryptop *crp" "vm_page_t *pages" "int len" "int offset"
63.Ft void
64.Fn crypto_use_output_buf "struct cryptop *crp" "void *buf" "int len"
65.Ft void
66.Fn crypto_use_output_mbuf "struct cryptop *crp" "struct mbuf *m"
67.Ft void
68.Fn crypto_use_output_uio "struct cryptop *crp" "struct uio *uio"
69.Ft void
70.Fn crypto_use_output_vmpage "struct cryptop *crp" "vm_page_t *pages" "int len" "int offset"
71.Sh DESCRIPTION
72Each symmetric cryptographic operation in the kernel is described by
73an instance of
74.Vt struct cryptop
75and is associated with an active session.
76.Pp
77Requests can either be allocated dynamically or use caller-supplied
78storage.
79Dynamically allocated requests should be allocated by either
80.Fn crypto_getreq
81or
82.Fn crypto_clonereq ,
83and freed by
84.Fn crypto_freereq
85once the request has completed.
86Requests using caller-supplied storage should be initialized by
87.Fn crypto_initreq
88at the start of each operation and destroyed by
89.Fn crypto_destroyreq
90once the request has completed.
91.Pp
92For
93.Fn crypto_clonereq ,
94.Fn crypto_getreq ,
95and
96.Fn crypto_initreq ,
97.Fa cses
98is a reference to an active session.
99For
100.Fn crypto_clonereq
101and
102.Fn crypto_getreq ,
103.Fa how
104is passed to
105.Xr malloc 9
106and should be set to either
107.Dv M_NOWAIT
108or
109.Dv M_WAITOK .
110.Pp
111.Fn crypto_clonereq
112allocates a new request that inherits request inputs such as request buffers
113from the original
114.Fa crp
115request.
116However, the new request is associated with the
117.Fa cses
118session rather than inheriting the session from
119.Fa crp .
120.Fa crp
121must not be a completed request.
122.Pp
123Once a request has been initialized,
124the caller should set fields in the structure to describe
125request-specific parameters.
126Unused fields should be left as-is.
127.Pp
128The
129.Fn crypto_dispatch ,
130.Fn crypto_dispatch_async ,
131and
132.Fn crypto_dispatch_batch
133functions pass one or more crypto requests to the driver attached to the
134request's session.
135If there are errors in the request's fields, these functions may return an
136error to the caller.
137If errors are encountered while servicing the request, they will instead
138be reported to the request's callback function
139.Pq Fa crp_callback
140via
141.Fa crp_etype .
142.Pp
143Note that a request's callback function may be invoked before
144.Fn crypto_dispatch
145returns.
146.Pp
147Once a request has signaled completion by invoking its callback function,
148it should be freed via
149.Fn crypto_destroyreq
150or
151.Fn crypto_freereq .
152.Pp
153Cryptographic operations include several fields to describe the request.
154.Ss Request Buffers
155Requests can either specify a single data buffer that is modified in place
156.Po
157.Fa crp_buf
158.Pc
159or separate input
160.Po
161.Fa crp_buf
162.Pc
163and output
164.Po
165.Fa crp_obuf
166.Pc
167buffers.
168Note that separate input and output buffers are not supported for compression
169mode requests.
170.Pp
171All requests must have a valid
172.Fa crp_buf
173initialized by one of the following functions:
174.Bl -tag -width "Fn crypto_use_vmpage"
175.It Fn crypto_use_buf
176Uses an array of
177.Fa len
178bytes pointed to by
179.Fa buf
180as the data buffer.
181.It Fn crypto_use_mbuf
182Uses the network memory buffer
183.Fa m
184as the data buffer.
185.It Fn crypto_use_uio
186Uses the scatter/gather list
187.Fa uio
188as the data buffer.
189.It Fn crypto_use_vmpage
190Uses the array of
191.Vt vm_page_t
192structures as the data buffer.
193.El
194.Pp
195One of the following functions should be used to initialize
196.Fa crp_obuf
197for requests that use separate input and output buffers:
198.Bl -tag -width "Fn crypto_use_output_vmpage"
199.It Fn crypto_use_output_buf
200Uses an array of
201.Fa len
202bytes pointed to by
203.Fa buf
204as the output buffer.
205.It Fn crypto_use_output_mbuf
206Uses the network memory buffer
207.Fa m
208as the output buffer.
209.It Fn crypto_use_output_uio
210Uses the scatter/gather list
211.Fa uio
212as the output buffer.
213.It Fn crypto_use_output_vmpage
214Uses the array of
215.Vt vm_page_t
216structures as the output buffer.
217.El
218.Ss Request Regions
219Each request describes one or more regions in the data buffers.
220Each region is described by an offset relative to the start of a
221data buffer and a length.
222The length of some regions is the same for all requests belonging to
223a session.
224Those lengths are set in the session parameters of the associated
225session.
226All requests must define a payload region.
227Other regions are only required for specific session modes.
228.Pp
229For requests with separate input and output data buffers,
230the AAD, IV, and payload regions are always defined as regions in the
231input buffer,
232and a separate payload output region is defined to hold the output of
233encryption or decryption in the output buffer.
234The digest region describes a region in the input data buffer for
235requests that verify an existing digest.
236For requests that compute a digest,
237the digest region describes a region in the output data buffer.
238Note that the only data written to the output buffer is the encryption
239or decryption result and any computed digest.
240AAD and IV regions are not copied from the input buffer into the output
241buffer but are only used as inputs.
242.Pp
243The following regions are defined:
244.Bl -column "Payload Output" "Input/Output"
245.It Sy Region Ta Sy Buffer Ta Sy Description
246.It AAD Ta Input Ta
247Embedded Additional Authenticated Data
248.It IV Ta Input Ta
249Embedded IV or nonce
250.It Payload Ta Input Ta
251Data to encrypt, decrypt, compress, or decompress
252.It Payload Output Ta Output Ta
253Encrypted or decrypted data
254.It Digest Ta Input/Output Ta
255Authentication digest, hash, or tag
256.El
257.Bl -column "Payload Output" ".Fa crp_payload_output_start"
258.It Sy Region Ta Sy Start Ta Sy Length
259.It AAD Ta Fa crp_aad_start Ta Fa crp_aad_length
260.It IV Ta Fa crp_iv_start Ta Fa csp_ivlen
261.It Payload Ta Fa crp_payload_start Ta Fa crp_payload_length
262.It Payload Output Ta Fa crp_payload_output_start Ta Fa crp_payload_length
263.It Digest Ta Fa crp_digest_start Ta Fa csp_auth_mlen
264.El
265.Pp
266Requests are permitted to operate on only a subset of the data buffer.
267For example,
268requests from IPsec operate on network packets that include headers not
269used as either additional authentication data (AAD) or payload data.
270.Ss Request Operations
271All requests must specify the type of operation to perform in
272.Fa crp_op .
273Available operations depend on the session's mode.
274.Pp
275Compression requests support the following operations:
276.Bl -tag -width CRYPTO_OP_DECOMPRESS
277.It Dv CRYPTO_OP_COMPRESS
278Compress the data in the payload region of the data buffer.
279.It Dv CRYPTO_OP_DECOMPRESS
280Decompress the data in the payload region of the data buffer.
281.El
282.Pp
283Cipher requests support the following operations:
284.Bl -tag -width CRYPTO_OP_DECRYPT
285.It Dv CRYPTO_OP_ENCRYPT
286Encrypt the data in the payload region of the data buffer.
287.It Dv CRYPTO_OP_DECRYPT
288Decrypt the data in the payload region of the data buffer.
289.El
290.Pp
291Digest requests support the following operations:
292.Bl -tag -width CRYPTO_OP_COMPUTE_DIGEST
293.It Dv CRYPTO_OP_COMPUTE_DIGEST
294Calculate a digest over the payload region of the data buffer
295and store the result in the digest region.
296.It Dv CRYPTO_OP_VERIFY_DIGEST
297Calculate a digest over the payload region of the data buffer.
298Compare the calculated digest to the existing digest from the digest region.
299If the digests match,
300complete the request successfully.
301If the digests do not match,
302fail the request with
303.Er EBADMSG .
304.El
305.Pp
306AEAD and Encrypt-then-Authenticate requests support the following
307operations:
308.Bl -tag -width CRYPTO_OP
309.It Dv CRYPTO_OP_ENCRYPT | Dv CRYPTO_OP_COMPUTE_DIGEST
310Encrypt the data in the payload region of the data buffer.
311Calculate a digest over the AAD and payload regions and store the
312result in the data buffer.
313.It Dv CRYPTO_OP_DECRYPT | Dv CRYPTO_OP_VERIFY_DIGEST
314Calculate a digest over the AAD and payload regions of the data buffer.
315Compare the calculated digest to the existing digest from the digest region.
316If the digests match,
317decrypt the payload region.
318If the digests do not match,
319fail the request with
320.Er EBADMSG .
321.El
322.Ss Request AAD
323AEAD and Encrypt-then-Authenticate requests may optionally include
324Additional Authenticated Data.
325AAD may either be supplied in the AAD region of the input buffer or
326as a single buffer pointed to by
327.Fa crp_aad .
328In either case,
329.Fa crp_aad_length
330always indicates the amount of AAD in bytes.
331.Ss Request ESN
332IPsec requests may optionally include Extended Sequence Numbers (ESN).
333ESN may either be supplied in
334.Fa crp_esn
335or as part of the AAD pointed to by
336.Fa crp_aad .
337.Pp
338If the ESN is stored in
339.Fa crp_esn ,
340.Dv CSP_F_ESN
341should be set in
342.Fa csp_flags .
343This use case is dedicated for encrypt and authenticate mode, since the
344high-order 32 bits of the sequence number are appended after the Next Header
345(RFC 4303).
346.Pp
347AEAD modes supply the ESN in a separate AAD buffer (see e.g. RFC 4106, Chapter 5
348AAD Construction).
349.Ss Request IV and/or Nonce
350Some cryptographic operations require an IV or nonce as an input.
351An IV may be stored either in the IV region of the data buffer or in
352.Fa crp_iv .
353By default,
354the IV is assumed to be stored in the IV region.
355If the IV is stored in
356.Fa crp_iv ,
357.Dv CRYPTO_F_IV_SEPARATE
358should be set in
359.Fa crp_flags
360and
361.Fa crp_iv_start
362should be left as zero.
363.Pp
364Requests that store part, but not all, of the IV in the data buffer should
365store the partial IV in the data buffer and pass the full IV separately in
366.Fa crp_iv .
367.Ss Request and Callback Scheduling
368The crypto framework provides multiple methods of scheduling the dispatch
369of requests to drivers along with the processing of driver callbacks.
370The
371.Fn crypto_dispatch ,
372.Fn crypto_dispatch_async ,
373and
374.Fn crypto_dispatch_batch
375functions can be used to request different dispatch scheduling policies.
376.Pp
377.Fn crypto_dispatch
378synchronously passes the request to the driver.
379The driver itself may process the request synchronously or asynchronously
380depending on whether the driver is implemented by software or hardware.
381.Pp
382.Fn crypto_dispatch_async
383dispatches the request asynchronously.
384If the driver is inherently synchronous, the request is queued to a taskqueue
385backed by a pool of worker threads.
386This can increase througput by allowing requests from a single producer to be
387processed in parallel.
388By default the pool is sized to provide one thread for each CPU.
389Worker threads dequeue requests and pass them to the driver asynchronously.
390.Fn crypto_dispatch_async
391additionally takes a
392.Va flags
393parameter.
394The
395.Dv CRYPTO_ASYNC_ORDERED
396flag indicates that completion callbacks for requests must be called in the
397same order as requests were dispatched.
398If the driver is asynchronous, the behavior of
399.Fn crypto_dispatch_async
400is identical to that of
401.Fn crypto_dispatch .
402.Pp
403.Fn crypto_dispatch_batch
404allows the caller to collect a batch of requests and submit them to the driver
405at the same time.
406This allows hardware drivers to optimize the scheduling of request processing
407and batch completion interrupts.
408A batch is submitted to the driver by invoking the driver's process method on
409each request, specifying
410.Dv CRYPTO_HINT_MORE
411with each request except for the last.
412The
413.Fa flags
414parameter to
415.Fn crypto_dispatch_batch
416is currently ignored.
417.Pp
418Callback function scheduling is simpler than request scheduling.
419Callbacks can either be invoked synchronously from
420.Fn crypto_done ,
421or they can be queued to a pool of worker threads.
422This pool of worker threads is also sized to provide one worker thread
423for each CPU by default.
424Note that a callback function invoked synchronously from
425.Fn crypto_done
426must follow the same restrictions placed on threaded interrupt handlers.
427.Pp
428By default,
429callbacks are invoked asynchronously by a worker thread.
430If
431.Dv CRYPTO_F_CBIMM
432is set,
433the callback is always invoked synchronously from
434.Fn crypto_done .
435If
436.Dv CRYPTO_F_CBIFSYNC
437is set,
438the callback is invoked synchronously if the request was processed by a
439software driver or asynchronously if the request was processed by a
440hardware driver.
441.Pp
442If a request was scheduled to the taskqueue with
443.Dv CRYPTO_ASYNC_ORDERED ,
444callbacks are always invoked asynchronously ignoring
445.Dv CRYPTO_F_CBIMM
446and
447.Dv CRYPTO_F_CBIFSYNC .
448This flag is used by IPsec to ensure that decrypted network packets are
449passed up the network stack in roughly the same order they were received.
450.Ss Other Request Fields
451In addition to the fields and flags enumerated above,
452.Vt struct cryptop
453includes the following:
454.Bl -tag -width crp_payload_length
455.It Fa crp_session
456A reference to the active session.
457This is set when the request is created by
458.Fn crypto_getreq
459and should not be modified.
460Drivers can use this to fetch driver-specific session state or
461session parameters.
462.It Fa crp_etype
463Error status.
464Either zero on success, or an error if a request fails.
465Set by drivers prior to completing a request via
466.Fn crypto_done .
467.It Fa crp_flags
468A bitmask of flags.
469The following flags are available in addition to flags discussed previously:
470.Bl -tag -width CRYPTO_F_DONE
471.It Dv CRYPTO_F_DONE
472Set by
473.Fa crypto_done
474before calling
475.Fa crp_callback .
476This flag is not very useful and will likely be removed in the future.
477It can only be safely checked from the callback routine at which point
478it is always set.
479.El
480.It Fa crp_cipher_key
481Pointer to a request-specific encryption key.
482If this value is not set,
483the request uses the session encryption key.
484.It Fa crp_auth_key
485Pointer to a request-specific authentication key.
486If this value is not set,
487the request uses the session authentication key.
488.It Fa crp_opaque
489An opaque pointer.
490This pointer permits users of the cryptographic framework to store
491information about a request to be used in the callback.
492.It Fa crp_callback
493Callback function.
494This must point to a callback function of type
495.Vt void (*)(struct cryptop *) .
496The callback function should inspect
497.Fa crp_etype
498to determine the status of the completed operation.
499It should also arrange for the request to be freed via
500.Fn crypto_freereq .
501.It Fa crp_olen
502Used with compression and decompression requests to describe the updated
503length of the payload region in the data buffer.
504.Pp
505If a compression request increases the size of the payload,
506then the data buffer is unmodified, the request completes successfully,
507and
508.Fa crp_olen
509is set to the size the compressed data would have used.
510Callers can compare this to the payload region length to determine if
511the compressed data was discarded.
512.El
513.Sh RETURN VALUES
514.Fn crypto_dispatch
515returns an error if the request contained invalid fields,
516or zero if the request was valid.
517.Fn crypto_getreq
518returns a pointer to a new request structure on success,
519or
520.Dv NULL
521on failure.
522.Dv NULL
523can only be returned if
524.Dv M_NOWAIT
525was passed in
526.Fa how .
527.Sh SEE ALSO
528.Xr ipsec 4 ,
529.Xr crypto 7 ,
530.Xr crypto 9 ,
531.Xr crypto_session 9 ,
532.Xr mbuf 9 ,
533.Xr uio 9
534.Sh BUGS
535Not all drivers properly handle mixing session and per-request keys
536within a single session.
537Consumers should either use a single key for a session specified in
538the session parameters or always use per-request keys.
539