1.\" Copyright (c) 2020, Chelsio Inc 2.\" 3.\" Redistribution and use in source and binary forms, with or without 4.\" modification, are permitted provided that the following conditions are met: 5.\" 6.\" 1. Redistributions of source code must retain the above copyright notice, 7.\" this list of conditions and the following disclaimer. 8.\" 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" 3. Neither the name of the Chelsio Inc nor the names of its 14.\" contributors may be used to endorse or promote products derived from 15.\" this software without specific prior written permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 18.\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 21.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 23.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 24.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 25.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 26.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27.\" POSSIBILITY OF SUCH DAMAGE. 28.\" 29.\" * Other names and brands may be claimed as the property of others. 30.\" 31.Dd November 2, 2022 32.Dt CRYPTO_REQUEST 9 33.Os 34.Sh NAME 35.Nm crypto_request 36.Nd symmetric cryptographic operations 37.Sh SYNOPSIS 38.In opencrypto/cryptodev.h 39.Ft "struct cryptop *" 40.Fn crypto_clonereq "crypto_session_t cses" "struct cryptop *crp" "int how" 41.Ft int 42.Fn crypto_dispatch "struct cryptop *crp" 43.Ft int 44.Fn crypto_dispatch_async "struct cryptop *crp" "int flags" 45.Ft void 46.Fn crypto_dispatch_batch "struct cryptopq *crpq" "int flags" 47.Ft void 48.Fn crypto_destroyreq "struct cryptop *crp" 49.Ft void 50.Fn crypto_freereq "struct cryptop *crp" 51.Ft "struct cryptop *" 52.Fn crypto_getreq "crypto_session_t cses" "int how" 53.Ft void 54.Fn crypto_initreq "crypto_session_t cses" "int how" 55.Ft void 56.Fn crypto_use_buf "struct cryptop *crp" "void *buf" "int len" 57.Ft void 58.Fn crypto_use_mbuf "struct cryptop *crp" "struct mbuf *m" 59.Ft void 60.Fn crypto_use_uio "struct cryptop *crp" "struct uio *uio" 61.Ft void 62.Fn crypto_use_vmpage "struct cryptop *crp" "vm_page_t *pages" "int len" "int offset" 63.Ft void 64.Fn crypto_use_output_buf "struct cryptop *crp" "void *buf" "int len" 65.Ft void 66.Fn crypto_use_output_mbuf "struct cryptop *crp" "struct mbuf *m" 67.Ft void 68.Fn crypto_use_output_uio "struct cryptop *crp" "struct uio *uio" 69.Ft void 70.Fn crypto_use_output_vmpage "struct cryptop *crp" "vm_page_t *pages" "int len" "int offset" 71.Sh DESCRIPTION 72Each symmetric cryptographic operation in the kernel is described by 73an instance of 74.Vt struct cryptop 75and is associated with an active session. 76.Pp 77Requests can either be allocated dynamically or use caller-supplied 78storage. 79Dynamically allocated requests should be allocated by either 80.Fn crypto_getreq 81or 82.Fn crypto_clonereq , 83and freed by 84.Fn crypto_freereq 85once the request has completed. 86Requests using caller-supplied storage should be initialized by 87.Fn crypto_initreq 88at the start of each operation and destroyed by 89.Fn crypto_destroyreq 90once the request has completed. 91.Pp 92For 93.Fn crypto_clonereq , 94.Fn crypto_getreq , 95and 96.Fn crypto_initreq , 97.Fa cses 98is a reference to an active session. 99For 100.Fn crypto_clonereq 101and 102.Fn crypto_getreq , 103.Fa how 104is passed to 105.Xr malloc 9 106and should be set to either 107.Dv M_NOWAIT 108or 109.Dv M_WAITOK . 110.Pp 111.Fn crypto_clonereq 112allocates a new request that inherits request inputs such as request buffers 113from the original 114.Fa crp 115request. 116However, the new request is associated with the 117.Fa cses 118session rather than inheriting the session from 119.Fa crp . 120.Fa crp 121must not be a completed request. 122.Pp 123Once a request has been initialized, 124the caller should set fields in the structure to describe 125request-specific parameters. 126Unused fields should be left as-is. 127.Pp 128The 129.Fn crypto_dispatch , 130.Fn crypto_dispatch_async , 131and 132.Fn crypto_dispatch_batch 133functions pass one or more crypto requests to the driver attached to the 134request's session. 135If there are errors in the request's fields, these functions may return an 136error to the caller. 137If errors are encountered while servicing the request, they will instead 138be reported to the request's callback function 139.Pq Fa crp_callback 140via 141.Fa crp_etype . 142.Pp 143Note that a request's callback function may be invoked before 144.Fn crypto_dispatch 145returns. 146.Pp 147Once a request has signaled completion by invoking its callback function, 148it should be freed via 149.Fn crypto_destroyreq 150or 151.Fn crypto_freereq . 152.Pp 153Cryptographic operations include several fields to describe the request. 154.Ss Request Buffers 155Requests can either specify a single data buffer that is modified in place 156.Po 157.Fa crp_buf 158.Pc 159or separate input 160.Po 161.Fa crp_buf 162.Pc 163and output 164.Po 165.Fa crp_obuf 166.Pc 167buffers. 168Note that separate input and output buffers are not supported for compression 169mode requests. 170.Pp 171All requests must have a valid 172.Fa crp_buf 173initialized by one of the following functions: 174.Bl -tag -width "Fn crypto_use_vmpage" 175.It Fn crypto_use_buf 176Uses an array of 177.Fa len 178bytes pointed to by 179.Fa buf 180as the data buffer. 181.It Fn crypto_use_mbuf 182Uses the network memory buffer 183.Fa m 184as the data buffer. 185.It Fn crypto_use_uio 186Uses the scatter/gather list 187.Fa uio 188as the data buffer. 189.It Fn crypto_use_vmpage 190Uses the array of 191.Vt vm_page_t 192structures as the data buffer. 193.El 194.Pp 195One of the following functions should be used to initialize 196.Fa crp_obuf 197for requests that use separate input and output buffers: 198.Bl -tag -width "Fn crypto_use_output_vmpage" 199.It Fn crypto_use_output_buf 200Uses an array of 201.Fa len 202bytes pointed to by 203.Fa buf 204as the output buffer. 205.It Fn crypto_use_output_mbuf 206Uses the network memory buffer 207.Fa m 208as the output buffer. 209.It Fn crypto_use_output_uio 210Uses the scatter/gather list 211.Fa uio 212as the output buffer. 213.It Fn crypto_use_output_vmpage 214Uses the array of 215.Vt vm_page_t 216structures as the output buffer. 217.El 218.Ss Request Regions 219Each request describes one or more regions in the data buffers. 220Each region is described by an offset relative to the start of a 221data buffer and a length. 222The length of some regions is the same for all requests belonging to 223a session. 224Those lengths are set in the session parameters of the associated 225session. 226All requests must define a payload region. 227Other regions are only required for specific session modes. 228.Pp 229For requests with separate input and output data buffers, 230the AAD, IV, and payload regions are always defined as regions in the 231input buffer, 232and a separate payload output region is defined to hold the output of 233encryption or decryption in the output buffer. 234The digest region describes a region in the input data buffer for 235requests that verify an existing digest. 236For requests that compute a digest, 237the digest region describes a region in the output data buffer. 238Note that the only data written to the output buffer is the encryption 239or decryption result and any computed digest. 240AAD and IV regions are not copied from the input buffer into the output 241buffer but are only used as inputs. 242.Pp 243The following regions are defined: 244.Bl -column "Payload Output" "Input/Output" 245.It Sy Region Ta Sy Buffer Ta Sy Description 246.It AAD Ta Input Ta 247Embedded Additional Authenticated Data 248.It IV Ta Input Ta 249Embedded IV or nonce 250.It Payload Ta Input Ta 251Data to encrypt, decrypt, compress, or decompress 252.It Payload Output Ta Output Ta 253Encrypted or decrypted data 254.It Digest Ta Input/Output Ta 255Authentication digest, hash, or tag 256.El 257.Bl -column "Payload Output" ".Fa crp_payload_output_start" 258.It Sy Region Ta Sy Start Ta Sy Length 259.It AAD Ta Fa crp_aad_start Ta Fa crp_aad_length 260.It IV Ta Fa crp_iv_start Ta Fa csp_ivlen 261.It Payload Ta Fa crp_payload_start Ta Fa crp_payload_length 262.It Payload Output Ta Fa crp_payload_output_start Ta Fa crp_payload_length 263.It Digest Ta Fa crp_digest_start Ta Fa csp_auth_mlen 264.El 265.Pp 266Requests are permitted to operate on only a subset of the data buffer. 267For example, 268requests from IPsec operate on network packets that include headers not 269used as either additional authentication data (AAD) or payload data. 270.Ss Request Operations 271All requests must specify the type of operation to perform in 272.Fa crp_op . 273Available operations depend on the session's mode. 274.Pp 275Compression requests support the following operations: 276.Bl -tag -width CRYPTO_OP_DECOMPRESS 277.It Dv CRYPTO_OP_COMPRESS 278Compress the data in the payload region of the data buffer. 279.It Dv CRYPTO_OP_DECOMPRESS 280Decompress the data in the payload region of the data buffer. 281.El 282.Pp 283Cipher requests support the following operations: 284.Bl -tag -width CRYPTO_OP_DECRYPT 285.It Dv CRYPTO_OP_ENCRYPT 286Encrypt the data in the payload region of the data buffer. 287.It Dv CRYPTO_OP_DECRYPT 288Decrypt the data in the payload region of the data buffer. 289.El 290.Pp 291Digest requests support the following operations: 292.Bl -tag -width CRYPTO_OP_COMPUTE_DIGEST 293.It Dv CRYPTO_OP_COMPUTE_DIGEST 294Calculate a digest over the payload region of the data buffer 295and store the result in the digest region. 296.It Dv CRYPTO_OP_VERIFY_DIGEST 297Calculate a digest over the payload region of the data buffer. 298Compare the calculated digest to the existing digest from the digest region. 299If the digests match, 300complete the request successfully. 301If the digests do not match, 302fail the request with 303.Er EBADMSG . 304.El 305.Pp 306AEAD and Encrypt-then-Authenticate requests support the following 307operations: 308.Bl -tag -width CRYPTO_OP 309.It Dv CRYPTO_OP_ENCRYPT | Dv CRYPTO_OP_COMPUTE_DIGEST 310Encrypt the data in the payload region of the data buffer. 311Calculate a digest over the AAD and payload regions and store the 312result in the data buffer. 313.It Dv CRYPTO_OP_DECRYPT | Dv CRYPTO_OP_VERIFY_DIGEST 314Calculate a digest over the AAD and payload regions of the data buffer. 315Compare the calculated digest to the existing digest from the digest region. 316If the digests match, 317decrypt the payload region. 318If the digests do not match, 319fail the request with 320.Er EBADMSG . 321.El 322.Ss Request AAD 323AEAD and Encrypt-then-Authenticate requests may optionally include 324Additional Authenticated Data. 325AAD may either be supplied in the AAD region of the input buffer or 326as a single buffer pointed to by 327.Fa crp_aad . 328In either case, 329.Fa crp_aad_length 330always indicates the amount of AAD in bytes. 331.Ss Request ESN 332IPsec requests may optionally include Extended Sequence Numbers (ESN). 333ESN may either be supplied in 334.Fa crp_esn 335or as part of the AAD pointed to by 336.Fa crp_aad . 337.Pp 338If the ESN is stored in 339.Fa crp_esn , 340.Dv CSP_F_ESN 341should be set in 342.Fa csp_flags . 343This use case is dedicated for encrypt and authenticate mode, since the 344high-order 32 bits of the sequence number are appended after the Next Header 345(RFC 4303). 346.Pp 347AEAD modes supply the ESN in a separate AAD buffer (see e.g. RFC 4106, Chapter 5 348AAD Construction). 349.Ss Request IV and/or Nonce 350Some cryptographic operations require an IV or nonce as an input. 351An IV may be stored either in the IV region of the data buffer or in 352.Fa crp_iv . 353By default, 354the IV is assumed to be stored in the IV region. 355If the IV is stored in 356.Fa crp_iv , 357.Dv CRYPTO_F_IV_SEPARATE 358should be set in 359.Fa crp_flags 360and 361.Fa crp_iv_start 362should be left as zero. 363.Pp 364Requests that store part, but not all, of the IV in the data buffer should 365store the partial IV in the data buffer and pass the full IV separately in 366.Fa crp_iv . 367.Ss Request and Callback Scheduling 368The crypto framework provides multiple methods of scheduling the dispatch 369of requests to drivers along with the processing of driver callbacks. 370The 371.Fn crypto_dispatch , 372.Fn crypto_dispatch_async , 373and 374.Fn crypto_dispatch_batch 375functions can be used to request different dispatch scheduling policies. 376.Pp 377.Fn crypto_dispatch 378synchronously passes the request to the driver. 379The driver itself may process the request synchronously or asynchronously 380depending on whether the driver is implemented by software or hardware. 381.Pp 382.Fn crypto_dispatch_async 383dispatches the request asynchronously. 384If the driver is inherently synchronous, the request is queued to a taskqueue 385backed by a pool of worker threads. 386This can increase througput by allowing requests from a single producer to be 387processed in parallel. 388By default the pool is sized to provide one thread for each CPU. 389Worker threads dequeue requests and pass them to the driver asynchronously. 390.Fn crypto_dispatch_async 391additionally takes a 392.Va flags 393parameter. 394The 395.Dv CRYPTO_ASYNC_ORDERED 396flag indicates that completion callbacks for requests must be called in the 397same order as requests were dispatched. 398If the driver is asynchronous, the behavior of 399.Fn crypto_dispatch_async 400is identical to that of 401.Fn crypto_dispatch . 402.Pp 403.Fn crypto_dispatch_batch 404allows the caller to collect a batch of requests and submit them to the driver 405at the same time. 406This allows hardware drivers to optimize the scheduling of request processing 407and batch completion interrupts. 408A batch is submitted to the driver by invoking the driver's process method on 409each request, specifying 410.Dv CRYPTO_HINT_MORE 411with each request except for the last. 412The 413.Fa flags 414parameter to 415.Fn crypto_dispatch_batch 416is currently ignored. 417.Pp 418Callback function scheduling is simpler than request scheduling. 419Callbacks can either be invoked synchronously from 420.Fn crypto_done , 421or they can be queued to a pool of worker threads. 422This pool of worker threads is also sized to provide one worker thread 423for each CPU by default. 424Note that a callback function invoked synchronously from 425.Fn crypto_done 426must follow the same restrictions placed on threaded interrupt handlers. 427.Pp 428By default, 429callbacks are invoked asynchronously by a worker thread. 430If 431.Dv CRYPTO_F_CBIMM 432is set, 433the callback is always invoked synchronously from 434.Fn crypto_done . 435If 436.Dv CRYPTO_F_CBIFSYNC 437is set, 438the callback is invoked synchronously if the request was processed by a 439software driver or asynchronously if the request was processed by a 440hardware driver. 441.Pp 442If a request was scheduled to the taskqueue with 443.Dv CRYPTO_ASYNC_ORDERED , 444callbacks are always invoked asynchronously ignoring 445.Dv CRYPTO_F_CBIMM 446and 447.Dv CRYPTO_F_CBIFSYNC . 448This flag is used by IPsec to ensure that decrypted network packets are 449passed up the network stack in roughly the same order they were received. 450.Ss Other Request Fields 451In addition to the fields and flags enumerated above, 452.Vt struct cryptop 453includes the following: 454.Bl -tag -width crp_payload_length 455.It Fa crp_session 456A reference to the active session. 457This is set when the request is created by 458.Fn crypto_getreq 459and should not be modified. 460Drivers can use this to fetch driver-specific session state or 461session parameters. 462.It Fa crp_etype 463Error status. 464Either zero on success, or an error if a request fails. 465Set by drivers prior to completing a request via 466.Fn crypto_done . 467.It Fa crp_flags 468A bitmask of flags. 469The following flags are available in addition to flags discussed previously: 470.Bl -tag -width CRYPTO_F_DONE 471.It Dv CRYPTO_F_DONE 472Set by 473.Fa crypto_done 474before calling 475.Fa crp_callback . 476This flag is not very useful and will likely be removed in the future. 477It can only be safely checked from the callback routine at which point 478it is always set. 479.El 480.It Fa crp_cipher_key 481Pointer to a request-specific encryption key. 482If this value is not set, 483the request uses the session encryption key. 484.It Fa crp_auth_key 485Pointer to a request-specific authentication key. 486If this value is not set, 487the request uses the session authentication key. 488.It Fa crp_opaque 489An opaque pointer. 490This pointer permits users of the cryptographic framework to store 491information about a request to be used in the callback. 492.It Fa crp_callback 493Callback function. 494This must point to a callback function of type 495.Vt void (*)(struct cryptop *) . 496The callback function should inspect 497.Fa crp_etype 498to determine the status of the completed operation. 499It should also arrange for the request to be freed via 500.Fn crypto_freereq . 501.It Fa crp_olen 502Used with compression and decompression requests to describe the updated 503length of the payload region in the data buffer. 504.Pp 505If a compression request increases the size of the payload, 506then the data buffer is unmodified, the request completes successfully, 507and 508.Fa crp_olen 509is set to the size the compressed data would have used. 510Callers can compare this to the payload region length to determine if 511the compressed data was discarded. 512.El 513.Sh RETURN VALUES 514.Fn crypto_dispatch 515returns an error if the request contained invalid fields, 516or zero if the request was valid. 517.Fn crypto_getreq 518returns a pointer to a new request structure on success, 519or 520.Dv NULL 521on failure. 522.Dv NULL 523can only be returned if 524.Dv M_NOWAIT 525was passed in 526.Fa how . 527.Sh SEE ALSO 528.Xr ipsec 4 , 529.Xr crypto 7 , 530.Xr crypto 9 , 531.Xr crypto_session 9 , 532.Xr mbuf 9 , 533.Xr uio 9 534.Sh BUGS 535Not all drivers properly handle mixing session and per-request keys 536within a single session. 537Consumers should either use a single key for a session specified in 538the session parameters or always use per-request keys. 539