.\" Copyright (c) 2020, Chelsio Inc
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright notice,
.\" this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Chelsio Inc nor the names of its
.\" contributors may be used to endorse or promote products derived from
.\" this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
.\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" * Other names and brands may be claimed as the property of others.
.\"
.\" $FreeBSD$
.\"
.Dd November 2, 2022
.Dt CRYPTO_REQUEST 9
.Os
.Sh NAME
.Nm crypto_request
.Nd symmetric cryptographic operations
.Sh SYNOPSIS
.In opencrypto/cryptodev.h
.Ft "struct cryptop *"
.Fn crypto_clonereq "crypto_session_t cses" "struct cryptop *crp" "int how"
.Ft int
.Fn crypto_dispatch "struct cryptop *crp"
.Ft int
.Fn crypto_dispatch_async "struct cryptop *crp" "int flags"
.Ft void
.Fn crypto_dispatch_batch "struct cryptopq *crpq" "int flags"
.Ft void
.Fn crypto_destroyreq "struct cryptop *crp"
.Ft void
.Fn crypto_freereq "struct cryptop *crp"
.Ft "struct cryptop *"
.Fn crypto_getreq "crypto_session_t cses" "int how"
.Ft void
.Fn crypto_initreq "struct cryptop *crp" "crypto_session_t cses"
.Ft void
.Fn crypto_use_buf "struct cryptop *crp" "void *buf" "int len"
.Ft void
.Fn crypto_use_mbuf "struct cryptop *crp" "struct mbuf *m"
.Ft void
.Fn crypto_use_uio "struct cryptop *crp" "struct uio *uio"
.Ft void
.Fn crypto_use_vmpage "struct cryptop *crp" "vm_page_t *pages" "int len" "int offset"
.Ft void
.Fn crypto_use_output_buf "struct cryptop *crp" "void *buf" "int len"
.Ft void
.Fn crypto_use_output_mbuf "struct cryptop *crp" "struct mbuf *m"
.Ft void
.Fn crypto_use_output_uio "struct cryptop *crp" "struct uio *uio"
.Ft void
.Fn crypto_use_output_vmpage "struct cryptop *crp" "vm_page_t *pages" "int len" "int offset"
.Sh DESCRIPTION
Each symmetric cryptographic operation in the kernel is described by
an instance of
.Vt struct cryptop
and is associated with an active session.
.Pp
Requests can either be allocated dynamically or use caller-supplied
storage.
Dynamically allocated requests should be allocated by either
.Fn crypto_getreq
or
.Fn crypto_clonereq ,
and freed by
.Fn crypto_freereq
once the request has completed.
Requests using caller-supplied storage should be initialized by
.Fn crypto_initreq
at the start of each operation and destroyed by
.Fn crypto_destroyreq
once the request has completed.
.Pp
For
.Fn crypto_clonereq ,
.Fn crypto_getreq ,
and
.Fn crypto_initreq ,
.Fa cses
is a reference to an active session.
For
.Fn crypto_clonereq
and
.Fn crypto_getreq ,
.Fa how
is passed to
.Xr malloc 9
and should be set to either
.Dv M_NOWAIT
or
.Dv M_WAITOK .
.Pp
.Fn crypto_clonereq
allocates a new request that inherits request inputs such as request buffers
from the original
.Fa crp
request.
However, the new request is associated with the
.Fa cses
session rather than inheriting the session from
.Fa crp .
.Fa crp
must not be a completed request.
.Pp
Once a request has been initialized,
the caller should set fields in the structure to describe
request-specific parameters.
Unused fields should be left as-is.
.Pp
The
.Fn crypto_dispatch ,
.Fn crypto_dispatch_async ,
and
.Fn crypto_dispatch_batch
functions pass one or more crypto requests to the driver attached to the
request's session.
If there are errors in the request's fields, these functions may return an
error to the caller.
If errors are encountered while servicing the request, they will instead
be reported to the request's callback function
.Pq Fa crp_callback
via
.Fa crp_etype .
.Pp
Note that a request's callback function may be invoked before
.Fn crypto_dispatch
returns.
.Pp
Once a request has signaled completion by invoking its callback function,
it should be freed via
.Fn crypto_destroyreq
or
.Fn crypto_freereq .
.Pp
Cryptographic operations include several fields to describe the request.
.Ss Request Buffers
Requests can either specify a single data buffer that is modified in place
.Po
.Fa crp_buf
.Pc
or separate input
.Po
.Fa crp_buf
.Pc
and output
.Po
.Fa crp_obuf
.Pc
buffers.
Note that separate input and output buffers are not supported for compression
mode requests.
.Pp
All requests must have a valid
.Fa crp_buf
initialized by one of the following functions:
.Bl -tag -width "Fn crypto_use_vmpage"
.It Fn crypto_use_buf
Uses an array of
.Fa len
bytes pointed to by
.Fa buf
as the data buffer.
.It Fn crypto_use_mbuf
Uses the network memory buffer
.Fa m
as the data buffer.
.It Fn crypto_use_uio
Uses the scatter/gather list
.Fa uio
as the data buffer.
.It Fn crypto_use_vmpage
Uses the array of
.Vt vm_page_t
structures as the data buffer.
.El
.Pp
One of the following functions should be used to initialize
.Fa crp_obuf
for requests that use separate input and output buffers:
.Bl -tag -width "Fn crypto_use_output_vmpage"
.It Fn crypto_use_output_buf
Uses an array of
.Fa len
bytes pointed to by
.Fa buf
as the output buffer.
.It Fn crypto_use_output_mbuf
Uses the network memory buffer
.Fa m
as the output buffer.
.It Fn crypto_use_output_uio
Uses the scatter/gather list
.Fa uio
as the output buffer.
.It Fn crypto_use_output_vmpage
Uses the array of
.Vt vm_page_t
structures as the output buffer.
.El
.Ss Request Regions
Each request describes one or more regions in the data buffers.
Each region is described by an offset relative to the start of a
data buffer and a length.
The length of some regions is the same for all requests belonging to
a session.
Those lengths are set in the session parameters of the associated
session.
All requests must define a payload region.
Other regions are only required for specific session modes.
.Pp
For requests with separate input and output data buffers,
the AAD, IV, and payload regions are always defined as regions in the
input buffer,
and a separate payload output region is defined to hold the output of
encryption or decryption in the output buffer.
The digest region describes a region in the input data buffer for
requests that verify an existing digest.
For requests that compute a digest,
the digest region describes a region in the output data buffer.
Note that the only data written to the output buffer is the encryption
or decryption result and any computed digest.
AAD and IV regions are not copied from the input buffer into the output
buffer but are only used as inputs.
.Pp
The following regions are defined:
.Bl -column "Payload Output" "Input/Output"
.It Sy Region Ta Sy Buffer Ta Sy Description
.It AAD Ta Input Ta
Embedded Additional Authenticated Data
.It IV Ta Input Ta
Embedded IV or nonce
.It Payload Ta Input Ta
Data to encrypt, decrypt, compress, or decompress
.It Payload Output Ta Output Ta
Encrypted or decrypted data
.It Digest Ta Input/Output Ta
Authentication digest, hash, or tag
.El
.Bl -column "Payload Output" ".Fa crp_payload_output_start"
.It Sy Region Ta Sy Start Ta Sy Length
.It AAD Ta Fa crp_aad_start Ta Fa crp_aad_length
.It IV Ta Fa crp_iv_start Ta Fa csp_ivlen
.It Payload Ta Fa crp_payload_start Ta Fa crp_payload_length
.It Payload Output Ta Fa crp_payload_output_start Ta Fa crp_payload_length
.It Digest Ta Fa crp_digest_start Ta Fa csp_auth_mlen
.El
.Pp
Requests are permitted to operate on only a subset of the data buffer.
For example,
requests from IPsec operate on network packets that include headers not
used as either additional authentication data (AAD) or payload data.
.Ss Request Operations
All requests must specify the type of operation to perform in
.Fa crp_op .
Available operations depend on the session's mode.
.Pp
Compression requests support the following operations:
.Bl -tag -width CRYPTO_OP_DECOMPRESS
.It Dv CRYPTO_OP_COMPRESS
Compress the data in the payload region of the data buffer.
.It Dv CRYPTO_OP_DECOMPRESS
Decompress the data in the payload region of the data buffer.
.El
.Pp
Cipher requests support the following operations:
.Bl -tag -width CRYPTO_OP_DECRYPT
.It Dv CRYPTO_OP_ENCRYPT
Encrypt the data in the payload region of the data buffer.
.It Dv CRYPTO_OP_DECRYPT
Decrypt the data in the payload region of the data buffer.
.El
.Pp
Digest requests support the following operations:
.Bl -tag -width CRYPTO_OP_COMPUTE_DIGEST
.It Dv CRYPTO_OP_COMPUTE_DIGEST
Calculate a digest over the payload region of the data buffer
and store the result in the digest region.
.It Dv CRYPTO_OP_VERIFY_DIGEST
Calculate a digest over the payload region of the data buffer.
Compare the calculated digest to the existing digest from the digest region.
If the digests match,
complete the request successfully.
If the digests do not match,
fail the request with
.Er EBADMSG .
.El
.Pp
AEAD and Encrypt-then-Authenticate requests support the following
operations:
.Bl -tag -width CRYPTO_OP
.It Dv CRYPTO_OP_ENCRYPT | Dv CRYPTO_OP_COMPUTE_DIGEST
Encrypt the data in the payload region of the data buffer.
Calculate a digest over the AAD and payload regions and store the
result in the data buffer.
.It Dv CRYPTO_OP_DECRYPT | Dv CRYPTO_OP_VERIFY_DIGEST
Calculate a digest over the AAD and payload regions of the data buffer.
Compare the calculated digest to the existing digest from the digest region.
If the digests match,
decrypt the payload region.
If the digests do not match,
fail the request with
.Er EBADMSG .
.El
.Ss Request AAD
AEAD and Encrypt-then-Authenticate requests may optionally include
Additional Authenticated Data.
AAD may either be supplied in the AAD region of the input buffer or
as a single buffer pointed to by
.Fa crp_aad .
In either case,
.Fa crp_aad_length
always indicates the amount of AAD in bytes.
.Ss Request ESN
IPsec requests may optionally include Extended Sequence Numbers (ESN).
ESN may either be supplied in
.Fa crp_esn
or as part of the AAD pointed to by
.Fa crp_aad .
.Pp
If the ESN is stored in
.Fa crp_esn ,
.Dv CSP_F_ESN
should be set in
.Fa csp_flags .
This use case is dedicated for encrypt and authenticate mode, since the
high-order 32 bits of the sequence number are appended after the Next Header
(RFC 4303).
.Pp
AEAD modes supply the ESN in a separate AAD buffer (see e.g. RFC 4106, Chapter 5
AAD Construction).
.Ss Request IV and/or Nonce
Some cryptographic operations require an IV or nonce as an input.
An IV may be stored either in the IV region of the data buffer or in
.Fa crp_iv .
By default,
the IV is assumed to be stored in the IV region.
If the IV is stored in
.Fa crp_iv ,
.Dv CRYPTO_F_IV_SEPARATE
should be set in
.Fa crp_flags
and
.Fa crp_iv_start
should be left as zero.
.Pp
Requests that store part, but not all, of the IV in the data buffer should
store the partial IV in the data buffer and pass the full IV separately in
.Fa crp_iv .
.Ss Request and Callback Scheduling
The crypto framework provides multiple methods of scheduling the dispatch
of requests to drivers along with the processing of driver callbacks.
The
.Fn crypto_dispatch ,
.Fn crypto_dispatch_async ,
and
.Fn crypto_dispatch_batch
functions can be used to request different dispatch scheduling policies.
.Pp
.Fn crypto_dispatch
synchronously passes the request to the driver.
The driver itself may process the request synchronously or asynchronously
depending on whether the driver is implemented by software or hardware.
.Pp
.Fn crypto_dispatch_async
dispatches the request asynchronously.
If the driver is inherently synchronous, the request is queued to a taskqueue
backed by a pool of worker threads.
This can increase throughput by allowing requests from a single producer to be
processed in parallel.
By default the pool is sized to provide one thread for each CPU.
Worker threads dequeue requests and pass them to the driver asynchronously.
.Fn crypto_dispatch_async
additionally takes a
.Va flags
parameter.
The
.Dv CRYPTO_ASYNC_ORDERED
flag indicates that completion callbacks for requests must be called in the
same order as requests were dispatched.
If the driver is asynchronous, the behavior of
.Fn crypto_dispatch_async
is identical to that of
.Fn crypto_dispatch .
.Pp
.Fn crypto_dispatch_batch
allows the caller to collect a batch of requests and submit them to the driver
at the same time.
This allows hardware drivers to optimize the scheduling of request processing
and batch completion interrupts.
A batch is submitted to the driver by invoking the driver's process method on
each request, specifying
.Dv CRYPTO_HINT_MORE
with each request except for the last.
The
.Fa flags
parameter to
.Fn crypto_dispatch_batch
is currently ignored.
.Pp
Callback function scheduling is simpler than request scheduling.
Callbacks can either be invoked synchronously from
.Fn crypto_done ,
or they can be queued to a pool of worker threads.
This pool of worker threads is also sized to provide one worker thread
for each CPU by default.
Note that a callback function invoked synchronously from
.Fn crypto_done
must follow the same restrictions placed on threaded interrupt handlers.
.Pp
By default,
callbacks are invoked asynchronously by a worker thread.
If
.Dv CRYPTO_F_CBIMM
is set,
the callback is always invoked synchronously from
.Fn crypto_done .
If
.Dv CRYPTO_F_CBIFSYNC
is set,
the callback is invoked synchronously if the request was processed by a
software driver or asynchronously if the request was processed by a
hardware driver.
.Pp
If a request was scheduled to the taskqueue with
.Dv CRYPTO_ASYNC_ORDERED ,
callbacks are always invoked asynchronously ignoring
.Dv CRYPTO_F_CBIMM
and
.Dv CRYPTO_F_CBIFSYNC .
This flag is used by IPsec to ensure that decrypted network packets are
passed up the network stack in roughly the same order they were received.
.Ss Other Request Fields
In addition to the fields and flags enumerated above,
.Vt struct cryptop
includes the following:
.Bl -tag -width crp_payload_length
.It Fa crp_session
A reference to the active session.
This is set when the request is created by
.Fn crypto_getreq
and should not be modified.
Drivers can use this to fetch driver-specific session state or
session parameters.
.It Fa crp_etype
Error status.
Either zero on success, or an error if a request fails.
Set by drivers prior to completing a request via
.Fn crypto_done .
.It Fa crp_flags
A bitmask of flags.
The following flags are available in addition to flags discussed previously:
.Bl -tag -width CRYPTO_F_DONE
.It Dv CRYPTO_F_DONE
Set by
.Fn crypto_done
before calling
.Fa crp_callback .
This flag is not very useful and will likely be removed in the future.
It can only be safely checked from the callback routine at which point
it is always set.
.El
.It Fa crp_cipher_key
Pointer to a request-specific encryption key.
If this value is not set,
the request uses the session encryption key.
.It Fa crp_auth_key
Pointer to a request-specific authentication key.
If this value is not set,
the request uses the session authentication key.
.It Fa crp_opaque
An opaque pointer.
This pointer permits users of the cryptographic framework to store
information about a request to be used in the callback.
.It Fa crp_callback
Callback function.
This must point to a callback function of type
.Vt void (*)(struct cryptop *) .
The callback function should inspect
.Fa crp_etype
to determine the status of the completed operation.
It should also arrange for the request to be freed via
.Fn crypto_freereq .
.It Fa crp_olen
Used with compression and decompression requests to describe the updated
length of the payload region in the data buffer.
.Pp
If a compression request increases the size of the payload,
then the data buffer is unmodified, the request completes successfully,
and
.Fa crp_olen
is set to the size the compressed data would have used.
Callers can compare this to the payload region length to determine if
the compressed data was discarded.
.El
.Sh RETURN VALUES
.Fn crypto_dispatch
returns an error if the request contained invalid fields,
or zero if the request was valid.
.Fn crypto_getreq
returns a pointer to a new request structure on success,
or
.Dv NULL
on failure.
.Dv NULL
can only be returned if
.Dv M_NOWAIT
was passed in
.Fa how .
.Sh SEE ALSO
.Xr ipsec 4 ,
.Xr crypto 7 ,
.Xr crypto 9 ,
.Xr crypto_session 9 ,
.Xr mbuf 9 ,
.Xr uio 9
.Sh BUGS
Not all drivers properly handle mixing session and per-request keys
within a single session.
Consumers should either use a single key for a session specified in
the session parameters or always use per-request keys.
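.Sh EXAMPLES
The region rules from the Request Regions, Request AAD and Request IV sections, written as a bounds check a consumer could run before dispatching a request. This is an added userspace model, not code from the original page or from FreeBSD. The names struct req_model, region_ok, check_regions and sample_request are hypothetical, the flags are modelled as booleans, and only the region field names are taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
/* Stand-in for the region fields of struct cryptop; NOT the kernel struct. */
struct req_model {
	size_t ibuf_len, obuf_len;	/* obuf_len == 0 models an in-place request */
	bool iv_separate;		/* models CRYPTO_F_IV_SEPARATE */
	bool aad_separate;		/* models AAD supplied through crp_aad */
	bool verify_digest;		/* models CRYPTO_OP_VERIFY_DIGEST */
	size_t crp_aad_start, crp_aad_length;
	size_t crp_iv_start, csp_ivlen;
	size_t crp_payload_start, crp_payload_length;
	size_t crp_payload_output_start;
	size_t crp_digest_start, csp_auth_mlen;
};

/* True if [start, start + len) fits in buf_len bytes, without overflow. */
static bool
region_ok(size_t start, size_t len, size_t buf_len)
{
	return (start <= buf_len && len <= buf_len - start);
}

/* Returns 0 if all regions are in bounds, else the failing check (1..5). */
int
check_regions(const struct req_model *r)
{
	bool sep_out = r->obuf_len != 0;
	/* A computed digest goes to the output buffer; a verified one is read from input. */
	size_t dig_buf = (sep_out && !r->verify_digest) ? r->obuf_len : r->ibuf_len;
	if (!r->aad_separate &&
	    !region_ok(r->crp_aad_start, r->crp_aad_length, r->ibuf_len))
		return (1);
	if (r->iv_separate ? r->crp_iv_start != 0 :
	    !region_ok(r->crp_iv_start, r->csp_ivlen, r->ibuf_len))
		return (2);
	if (!region_ok(r->crp_payload_start, r->crp_payload_length, r->ibuf_len))
		return (3);
	if (sep_out && !region_ok(r->crp_payload_output_start,
	    r->crp_payload_length, r->obuf_len))
		return (4);
	if (!region_ok(r->crp_digest_start, r->csp_auth_mlen, dig_buf))
		return (5);
	return (0);
}

/* Constructed sample: 8-byte AAD, 12-byte IV, 64-byte payload, 16-byte tag. */
struct req_model
sample_request(void)
{
	struct req_model r = { .ibuf_len = 100, .crp_aad_length = 8,
	    .crp_iv_start = 8, .csp_ivlen = 12, .crp_payload_start = 20,
	    .crp_payload_length = 64, .crp_digest_start = 84, .csp_auth_mlen = 16 };
	return (r);
}
```

The check for a separate output buffer shows the case that is easy to get wrong: an offset that is valid for a verified digest in the input buffer can be out of bounds for a computed digest in a shorter output buffer.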