1.\" Copyright (c) 2020, Chelsio Inc 2.\" 3.\" Redistribution and use in source and binary forms, with or without 4.\" modification, are permitted provided that the following conditions are met: 5.\" 6.\" 1. Redistributions of source code must retain the above copyright notice, 7.\" this list of conditions and the following disclaimer. 8.\" 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" 3. Neither the name of the Chelsio Inc nor the names of its 14.\" contributors may be used to endorse or promote products derived from 15.\" this software without specific prior written permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 18.\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 21.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 23.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 24.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 25.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 26.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27.\" POSSIBILITY OF SUCH DAMAGE. 28.\" 29.\" * Other names and brands may be claimed as the property of others. 30.\" 31.\" $FreeBSD$ 32.\" 33.Dd March 27, 2020 34.Dt CRYPTO_REQUEST 9 35.Os 36.Sh NAME 37.Nm crypto_request 38.Nd symmetric cryptographic operations 39.Sh SYNOPSIS 40.In opencrypto/cryptodev.h 41.Ft int 42.Fn crypto_dispatch "struct cryptop *crp" 43.Ft void 44.Fn crypto_freereq "struct cryptop *crp" 45.Ft "struct cryptop *" 46.Fn crypto_getreq "crypto_session_t cses" "int how" 47.Sh DESCRIPTION 48Each symmetric cryptographic operation in the kernel is described by 49an instance of 50.Vt struct cryptop 51and is associated with an active session. 52.Pp 53New requests are allocated by 54.Fn crypto_getreq . 55.Fa cses 56is a reference to an active session. 57.Fa how 58is passed to 59.Xr malloc 9 60and should be set to either 61.Dv M_NOWAIT 62or 63.Dv M_WAITOK . 64The caller should then set fields in the returned structure to describe 65request-specific parameters. 66Unused fields should be left as-is. 67.Pp 68.Fn crypto_dispatch 69passes a crypto request to the driver attached to the request's session. 70If there are errors in the request's fields, this function may return 71an error to the caller. 72If errors are encountered while servicing the request, they will instead 73be reported to the request's callback function 74.Pq Fa crp_callback 75via 76.Fa crp_etype . 77.Pp 78Note that a request's callback function may be invoked before 79.Fn crypto_dispatch 80returns. 81.Pp 82Once a request has signaled completion by invoking its callback function, 83it should be feed via 84.Fn crypto_freereq . 85.Pp 86Cryptographic operations include several fields to describe the request. 87.Ss Buffer Types 88Requests are associated with a single data buffer that is modified in place. 89The type of the data buffer and the buffer itself are described by the 90following fields: 91.Bl -tag -width crp_buf_type 92.It Fa crp_buf_type 93The type of the data buffer. 94The following types are supported: 95.Bl -tag -width CRYPTO_BUF_CONTIG 96.It Dv CRYPTO_BUF_CONTIG 97An array of bytes mapped into the kernel's address space. 98.It Dv CRYPTO_BUF_UIO 99A scatter/gather list of kernel buffers as described in 100.Xr uio 9 . 101.It Dv CRYPTO_BUF_MBUF 102A network memory buffer as described in 103.Xr mbuf 9 . 104.El 105.It Fa crp_buf 106A pointer to the start of a 107.Dv CRYPTO_BUF_CONTIG 108data buffer. 109.It Fa crp_ilen 110The length of a 111.Dv CRYPTO_BUF_CONTIG 112data buffer 113.It Fa crp_mbuf 114A pointer to a 115.Vt struct mbuf 116for 117.Dv CRYPTO_BUF_MBUF . 118.It Fa crp_uio 119A pointer to a 120.Vt struct uio 121for 122.Dv CRYPTO_BUF_UIO . 123.It Fa crp_olen 124Used with compression and decompression requests to describe the updated 125length of the payload region in the data buffer. 126.Pp 127If a compression request increases the size of the payload, 128then the data buffer is unmodified, the request completes successfully, 129and 130.Fa crp_olen 131is set to the size the compressed data would have used. 132Callers can compare this to the payload region length to determine if 133the compressed data was discarded. 134.El 135.Ss Request Regions 136Each request describes one or more regions in the data buffer using. 137Each region is described by an offset relative to the start of the 138data buffer and a length. 139The length of some regions is the same for all requests belonging to 140a session. 141Those lengths are set in the session parameters of the associated 142session. 143All requests must define a payload region. 144Other regions are only required for specific session modes. 145The following regions are defined: 146.Bl -column "Payload" "crp_payload_start" "crp_payload_length" 147.It Sy Region Ta Sy Start Ta Sy Length Ta Sy Description 148.It AAD Ta Fa crp_aad_start Ta Fa crp_aad_length Ta 149Additional Authenticated Data 150.It IV Ta Fa crp_iv_start Ta Fa csp_ivlen Ta 151Embedded IV or nonce 152.It Payload Ta Fa crp_payload_start Ta Fa crp_payload_length Ta 153Data to encrypt, decrypt, compress, or decompress 154.It Digest Ta Fa crp_digest_start Ta Fa csp_auth_mlen Ta 155Authentication digest, hash, or tag 156.El 157.Pp 158Requests are permitted to operate on only a subset of the data buffer. 159For example, 160requests from IPsec operate on network packets that include headers not 161used as either additional authentication data (AAD) or payload data. 162.Ss Request Operations 163All requests must specify the type of operation to perform in 164.Fa crp_op . 165Available operations depend on the session's mode. 166.Pp 167Compression requests support the following operations: 168.Bl -tag -width CRYPTO_OP_DECOMPRESS 169.It Dv CRYPTO_OP_COMPRESS 170Compress the data in the payload region of the data buffer. 171.It Dv CRYPTO_OP_DECOMPRESS 172Decompress the data in the payload region of the data buffer. 173.El 174.Pp 175Cipher requests support the following operations: 176.Bl -tag -width CRYPTO_OP_DECRYPT 177.It Dv CRYPTO_OP_ENCRYPT 178Encrypt the data in the payload region of the data buffer. 179.It Dv CRYPTO_OP_DECRYPT 180Decrypt the data in the payload region of the data buffer. 181.El 182.Pp 183Digest requests support the following operations: 184.Bl -tag -width CRYPTO_OP_COMPUTE_DIGEST 185.It Dv CRYPTO_OP_COMPUTE_DIGEST 186Calculate a digest over the payload region of the data buffer 187and store the result in the digest region. 188.It Dv CRYPTO_OP_VERIFY_DIGEST 189Calculate a digest over the payload region of the data buffer. 190Compare the calculated digest to the existing digest from the digest region. 191If the digests match, 192complete the request successfully. 193If the digests do not match, 194fail the request with 195.Er EBADMSG . 196.El 197.Pp 198AEAD and Encrypt-then-Authenticate requests support the following 199operations: 200.Bl -tag -width CRYPTO_OP 201.It Dv CRYPTO_OP_ENCRYPT | Dv CRYPTO_OP_COMPUTE_DIGEST 202Encrypt the data in the payload region of the data buffer. 203Calculate a digest over the AAD and payload regions and store the 204result in the data buffer. 205.It Dv CRYPTO_OP_DECRYPT | Dv CRYPTO_OP_VERIFY_DIGEST 206Calculate a digest over the AAD and payload regions of the data buffer. 207Compare the calculated digest to the existing digest from the digest region. 208If the digests match, 209decrypt the payload region. 210If the digests do not match, 211fail the request with 212.Er EBADMSG . 213.El 214.Ss Request IV and/or Nonce 215Some cryptographic operations require an IV or nonce as an input. 216An IV may be stored either in the IV region of the data buffer or in 217.Fa crp_iv . 218By default, 219the IV is assumed to be stored in the IV region. 220If the IV is stored in 221.Fa crp_iv , 222.Dv CRYPTO_F_IV_SEPARATE 223should be set in 224.Fa crp_flags 225and 226.Fa crp_digest_start 227should be left as zero. 228.Pp 229An encryption request using an IV stored in the IV region may set 230.Dv CRYPTO_F_IV_GENERATE 231in 232.Fa crp_flags 233to request that the driver generate a random IV. 234Note that 235.Dv CRYPTO_F_IV_GENERATE 236cannot be used with decryption operations or in combination with 237.Dv CRYPTO_F_IV_SEPARATE . 238.Pp 239Requests that store part, but not all, of the IV in the data buffer should 240store the partial IV in the data buffer and pass the full IV separately in 241.Fa crp_iv . 242.Ss Request and Callback Scheduling 243The crypto framework provides multiple methods of scheduling the dispatch 244of requests to drivers along with the processing of driver callbacks. 245Requests use flags in 246.Fa crp_flags 247to select the desired scheduling methods. 248.Pp 249.Fn crypto_dispatch 250can pass the request to the session's driver via three different methods: 251.Bl -enum 252.It 253The request is queued to a taskqueue backed by a pool of worker threads. 254By default the pool is sized to provide one thread for each CPU. 255Worker threads dequeue requests and pass them to the driver 256asynchronously. 257.It 258The request is passed to the driver synchronously in the context of the 259thread invoking 260.Fn crypto_dispatch . 261.It 262The request is queued to a queue of pending requests. 263A single worker thread dequeues requests and passes them to the driver 264asynchronously. 265.El 266.Pp 267To select the first method (taskqueue backed by multiple threads), 268requests should set 269.Dv CRYPTO_F_ASYNC . 270To always use the third method (queue to single worker thread), 271requests should set 272.Dv CRYPTO_F_BATCH . 273If both flags are set, 274.Dv CRYPTO_F_ASYNC 275takes precedence. 276If neither flag is set, 277.Fn crypto_dispatch 278will first attempt the second method (invoke driver synchronously). 279If the driver is blocked, 280the request will be queued using the third method. 281One caveat is that the first method is only used for requests using software 282drivers which use host CPUs to process requests. 283Requests whose session is associated with a hardware driver will ignore 284.Dv CRYPTO_F_ASYNC 285and only use 286.Dv CRYPTO_F_BATCH 287to determine how requests should be scheduled. 288.Pp 289In addition to bypassing synchronous dispatch in 290.Fn crypto_dispatch , 291.Dv CRYPTO_F_BATCH 292requests additional changes aimed at optimizing batches of requests to 293the same driver. 294When the worker thread processes a request with 295.Dv CRYPTO_F_BATCH , 296it will search the pending request queue for any other requests for the same 297driver, 298including requests from different sessions. 299If any other requests are present, 300.Dv CRYPTO_HINT_MORE 301is passed to the driver's process method. 302Drivers may use this to batch completion interrupts. 303.Pp 304Callback function scheduling is simpler than request scheduling. 305Callbacks can either be invoked synchronously from 306.Fn crypto_done , 307or they can be queued to a pool of worker threads. 308This pool of worker threads is also sized to provide one worker thread 309for each CPU by default. 310Note that a callback function invoked synchronously from 311.Fn crypto_done 312must follow the same restrictions placed on threaded interrupt handlers. 313.Pp 314By default, 315callbacks are invoked asynchronously by a worker thread. 316If 317.Dv CRYPTO_F_CBIMM 318is set, 319the callback is always invoked synchronously from 320.Fn crypto_done . 321If 322.Dv CRYPTO_F_CBIFSYNC 323is set, 324the callback is invoked synchronously if the request was processed by a 325software driver or asynchronously if the request was processed by a 326hardware driver. 327.Pp 328If a request was scheduled to the taskqueue via 329.Dv CRYPTO_F_ASYNC , 330callbacks are always invoked asynchronously ignoring 331.Dv CRYPTO_F_CBIMM 332and 333.Dv CRYPTO_F_CBIFSYNC . 334In this case, 335.Dv CRYPTO_F_ASYNC_KEEPORDER 336may be set to ensure that callbacks for requests on a given session are 337invoked in the same order that requests were queued to the session via 338.Fn crypto_dispatch . 339This flag is used by IPsec to ensure that decrypted network packets are 340passed up the network stack in roughly the same order they were received. 341.Pp 342.Ss Other Request Fields 343In addition to the fields and flags enumerated above, 344.Vt struct cryptop 345includes the following: 346.Bl -tag -width crp_payload_length 347.It Fa crp_session 348A reference to the active session. 349This is set when the request is created by 350.Fn crypto_getreq 351and should not be modified. 352Drivers can use this to fetch driver-specific session state or 353session parameters. 354.It Fa crp_etype 355Error status. 356Either zero on success, or an error if a request fails. 357Set by drivers prior to completing a request via 358.Fn crypto_done . 359.It Fa crp_flags 360A bitmask of flags. 361The following flags are available in addition to flags discussed previously: 362.Bl -tag -width CRYPTO_F_DONE 363.It Dv CRYPTO_F_DONE 364Set by 365.Fa crypto_done 366before calling 367.Fa crp_callback . 368This flag is not very useful and will likely be removed in the future. 369It can only be safely checked from the callback routine at which point 370it is always set. 371.El 372.It Fa crp_cipher_key 373Pointer to a request-specific encryption key. 374If this value is not set, 375the request uses the session encryption key. 376.It Fa crp_auth_key 377Pointer to a request-specific authentication key. 378If this value is not set, 379the request uses the session authentication key. 380.It Fa crp_opaque 381An opaque pointer. 382This pointer permits users of the cryptographic framework to store 383information about a request to be used in the callback. 384.It Fa crp_callback 385Callback function. 386This must point to a callback function of type 387.Vt void (*)(struct cryptop *) . 388The callback function should inspect 389.Fa crp_etype 390to determine the status of the completed operation. 391It should also arrange for the request to be freed via 392.Fn crypto_freereq . 393.El 394.Sh RETURN VALUES 395.Fn crypto_dispatch 396returns an error if the request contained invalid fields, 397or zero if the request was valid. 398.Fn crypto_getreq 399returns a pointer to a new request structure on success, 400or 401.Dv NULL 402on failure. 403.Dv NULL 404can only be returned if 405.Dv M_NOWAIT 406was passed in 407.Fa how . 408.Sh SEE ALSO 409.Xr ipsec 4 , 410.Xr crypto 7 , 411.Xr crypto 9 , 412.Xr crypto_session 9 , 413.Xr mbuf 9 414.Xr uio 9 415.Sh BUGS 416Not all drivers properly handle mixing session and per-request keys 417within a single session. 418Consumers should either use a single key for a session specified in 419the session parameters or always use per-request keys. 420