xref: /freebsd/share/man/man9/crypto_request.9 (revision eab56f7f65498f895951f305cce77a2a8af1eceb) 
1.\" Copyright (c) 2020, Chelsio Inc
2.\"
3.\" Redistribution and use in source and binary forms, with or without
4.\" modification, are permitted provided that the following conditions are met:
5.\"
6.\" 1. Redistributions of source code must retain the above copyright notice,
7.\"    this list of conditions and the following disclaimer.
8.\"
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" 3. Neither the name of the Chelsio Inc nor the names of its
14.\"    contributors may be used to endorse or promote products derived from
15.\"    this software without specific prior written permission.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
18.\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
21.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
23.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
24.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
25.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
26.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27.\" POSSIBILITY OF SUCH DAMAGE.
28.\"
29.\" * Other names and brands may be claimed as the property of others.
30.\"
31.\" $FreeBSD$
32.\"
33.Dd June 22, 2020
34.Dt CRYPTO_REQUEST 9
35.Os
36.Sh NAME
37.Nm crypto_request
38.Nd symmetric cryptographic operations
39.Sh SYNOPSIS
40.In opencrypto/cryptodev.h
41.Ft int
42.Fn crypto_dispatch "struct cryptop *crp"
43.Ft void
44.Fn crypto_freereq "struct cryptop *crp"
45.Ft "struct cryptop *"
46.Fn crypto_getreq "crypto_session_t cses" "int how"
47.Ft void
48.Fn crypto_use_buf "struct cryptop *crp" "void *buf" "int len"
49.Ft void
50.Fn crypto_use_mbuf "struct cryptop *crp" "struct mbuf *m"
51.Ft void
52.Fn crypto_use_uio "struct cryptop *crp" "struct uio *uio"
53.Ft void
54.Fn crypto_use_output_buf "struct cryptop *crp" "void *buf" "int len"
55.Ft void
56.Fn crypto_use_output_mbuf "struct cryptop *crp" "struct mbuf *m"
57.Ft void
58.Fn crypto_use_output_uio "struct cryptop *crp" "struct uio *uio"
59.Sh DESCRIPTION
60Each symmetric cryptographic operation in the kernel is described by
61an instance of
62.Vt struct cryptop
63and is associated with an active session.
64.Pp
65New requests are allocated by
66.Fn crypto_getreq .
67.Fa cses
68is a reference to an active session.
69.Fa how
70is passed to
71.Xr malloc 9
72and should be set to either
73.Dv M_NOWAIT
74or
75.Dv M_WAITOK .
76The caller should then set fields in the returned structure to describe
77request-specific parameters.
78Unused fields should be left as-is.
79.Pp
80.Fn crypto_dispatch
81passes a crypto request to the driver attached to the request's session.
82If there are errors in the request's fields, this function may return
83an error to the caller.
84If errors are encountered while servicing the request, they will instead
85be reported to the request's callback function
86.Pq Fa crp_callback
87via
88.Fa crp_etype .
89.Pp
90Note that a request's callback function may be invoked before
91.Fn crypto_dispatch
92returns.
93.Pp
94Once a request has signaled completion by invoking its callback function,
95it should be feed via
96.Fn crypto_freereq .
97.Pp
98Cryptographic operations include several fields to describe the request.
99.Ss Request Buffers
100Requests can either specify a single data buffer that is modified in place
101.Po
102.Fa crp_buf
103.Pc
104or separate input
105.Po
106.Fa crp_buf
107.Pc
108and output
109.Po
110.Fa crp_obuf
111.Pc
112buffers.
113Note that separate input and output buffers are not supported for compression
114mode requests.
115.Pp
116All requests must have a valid
117.Fa crp_buf
118initialized by one of the following functions:
119.Bl -tag -width "Fn crypto_use_mbuf"
120.It Fn crypto_use_buf
121Uses an array of
122.Fa len
123bytes pointed to by
124.Fa buf
125as the data buffer.
126.It Fn crypto_use_mbuf
127Uses the network memory buffer
128.Fa m
129as the data buffer.
130.It Fn crypto_use_uio
131Uses the scatter/gather list
132.Fa uio
133as the data buffer.
134.El
135.Pp
136One of the following functions should be used to initialize
137.Fa crp_obuf
138for requests that use separate input and output buffers:
139.Bl -tag -width "Fn crypto_use_output_mbuf"
140.It Fn crypto_use_output_buf
141Uses an array of
142.Fa len
143bytes pointed to by
144.Fa buf
145as the output buffer.
146.It Fn crypto_use_output_mbuf
147Uses the network memory buffer
148.Fa m
149as the output buffer.
150.It Fn crypto_use_output_uio
151Uses the scatter/gather list
152.Fa uio
153as the output buffer.
154.El
155.Ss Request Regions
156Each request describes one or more regions in the data buffers.
157Each region is described by an offset relative to the start of a
158data buffer and a length.
159The length of some regions is the same for all requests belonging to
160a session.
161Those lengths are set in the session parameters of the associated
162session.
163All requests must define a payload region.
164Other regions are only required for specific session modes.
165.Pp
166For requests with separate input and output data buffers,
167the AAD, IV, and payload regions are always defined as regions in the
168input buffer,
169and a separate payload output region is defined to hold the output of
170encryption or decryption in the output buffer.
171The digest region describes a region in the input data buffer for
172requests that verify an existing digest.
173For requests that compute a digest,
174the digest region describes a region in the output data buffer.
175Note that the only data written to the output buffer is the encryption
176or decryption result and any computed digest.
177AAD and IV regions are not copied from the input buffer into the output
178buffer but are only used as inputs.
179.Pp
180The following regions are defined:
181.Bl -column "Payload Output" "Input/Output"
182.It Sy Region Ta Sy Buffer Ta Sy Description
183.It AAD Ta Input Ta
184Embedded Additional Authenticated Data
185.It IV Ta Input Ta
186Embedded IV or nonce
187.It Payload Ta Input Ta
188Data to encrypt, decrypt, compress, or decompress
189.It Payload Output Ta Output Ta
190Encrypted or decrypted data
191.It Digest Ta Input/Output Ta
192Authentication digest, hash, or tag
193.El
194.Bl -column "Payload Output" ".Fa crp_payload_output_start"
195.It Sy Region Ta Sy Start Ta Sy Length
196.It AAD Ta Fa crp_aad_start Ta Fa crp_aad_length
197.It IV Ta Fa crp_iv_start Ta Fa csp_ivlen
198.It Payload Ta Fa crp_payload_start Ta Fa crp_payload_length
199.It Payload Output Ta Fa crp_payload_output_start Ta Fa crp_payload_length
200.It Digest Ta Fa crp_digest_start Ta Fa csp_auth_mlen
201.El
202.Pp
203Requests are permitted to operate on only a subset of the data buffer.
204For example,
205requests from IPsec operate on network packets that include headers not
206used as either additional authentication data (AAD) or payload data.
207.Ss Request Operations
208All requests must specify the type of operation to perform in
209.Fa crp_op .
210Available operations depend on the session's mode.
211.Pp
212Compression requests support the following operations:
213.Bl -tag -width CRYPTO_OP_DECOMPRESS
214.It Dv CRYPTO_OP_COMPRESS
215Compress the data in the payload region of the data buffer.
216.It Dv CRYPTO_OP_DECOMPRESS
217Decompress the data in the payload region of the data buffer.
218.El
219.Pp
220Cipher requests support the following operations:
221.Bl -tag -width CRYPTO_OP_DECRYPT
222.It Dv CRYPTO_OP_ENCRYPT
223Encrypt the data in the payload region of the data buffer.
224.It Dv CRYPTO_OP_DECRYPT
225Decrypt the data in the payload region of the data buffer.
226.El
227.Pp
228Digest requests support the following operations:
229.Bl -tag -width CRYPTO_OP_COMPUTE_DIGEST
230.It Dv CRYPTO_OP_COMPUTE_DIGEST
231Calculate a digest over the payload region of the data buffer
232and store the result in the digest region.
233.It Dv CRYPTO_OP_VERIFY_DIGEST
234Calculate a digest over the payload region of the data buffer.
235Compare the calculated digest to the existing digest from the digest region.
236If the digests match,
237complete the request successfully.
238If the digests do not match,
239fail the request with
240.Er EBADMSG .
241.El
242.Pp
243AEAD and Encrypt-then-Authenticate requests support the following
244operations:
245.Bl -tag -width CRYPTO_OP
246.It Dv CRYPTO_OP_ENCRYPT | Dv CRYPTO_OP_COMPUTE_DIGEST
247Encrypt the data in the payload region of the data buffer.
248Calculate a digest over the AAD and payload regions and store the
249result in the data buffer.
250.It Dv CRYPTO_OP_DECRYPT | Dv CRYPTO_OP_VERIFY_DIGEST
251Calculate a digest over the AAD and payload regions of the data buffer.
252Compare the calculated digest to the existing digest from the digest region.
253If the digests match,
254decrypt the payload region.
255If the digests do not match,
256fail the request with
257.Er EBADMSG .
258.El
259.Ss Request AAD
260AEAD and Encrypt-then-Authenticate requests may optionally include
261Additional Authenticated Data.
262AAD may either be supplied in the AAD region of the input buffer or
263as a single buffer pointed to by
264.Fa crp_aad .
265In either case,
266.Fa crp_aad_length
267always indicates the amount of AAD in bytes.
268.Ss Request IV and/or Nonce
269Some cryptographic operations require an IV or nonce as an input.
270An IV may be stored either in the IV region of the data buffer or in
271.Fa crp_iv .
272By default,
273the IV is assumed to be stored in the IV region.
274If the IV is stored in
275.Fa crp_iv ,
276.Dv CRYPTO_F_IV_SEPARATE
277should be set in
278.Fa crp_flags
279and
280.Fa crp_iv_start
281should be left as zero.
282.Pp
283Requests that store part, but not all, of the IV in the data buffer should
284store the partial IV in the data buffer and pass the full IV separately in
285.Fa crp_iv .
286.Ss Request and Callback Scheduling
287The crypto framework provides multiple methods of scheduling the dispatch
288of requests to drivers along with the processing of driver callbacks.
289Requests use flags in
290.Fa crp_flags
291to select the desired scheduling methods.
292.Pp
293.Fn crypto_dispatch
294can pass the request to the session's driver via three different methods:
295.Bl -enum
296.It
297The request is queued to a taskqueue backed by a pool of worker threads.
298By default the pool is sized to provide one thread for each CPU.
299Worker threads dequeue requests and pass them to the driver
300asynchronously.
301.It
302The request is passed to the driver synchronously in the context of the
303thread invoking
304.Fn crypto_dispatch .
305.It
306The request is queued to a queue of pending requests.
307A single worker thread dequeues requests and passes them to the driver
308asynchronously.
309.El
310.Pp
311To select the first method (taskqueue backed by multiple threads),
312requests should set
313.Dv CRYPTO_F_ASYNC .
314To always use the third method (queue to single worker thread),
315requests should set
316.Dv CRYPTO_F_BATCH .
317If both flags are set,
318.Dv CRYPTO_F_ASYNC
319takes precedence.
320If neither flag is set,
321.Fn crypto_dispatch
322will first attempt the second method (invoke driver synchronously).
323If the driver is blocked,
324the request will be queued using the third method.
325One caveat is that the first method is only used for requests using software
326drivers which use host CPUs to process requests.
327Requests whose session is associated with a hardware driver will ignore
328.Dv CRYPTO_F_ASYNC
329and only use
330.Dv CRYPTO_F_BATCH
331to determine how requests should be scheduled.
332.Pp
333In addition to bypassing synchronous dispatch in
334.Fn crypto_dispatch ,
335.Dv CRYPTO_F_BATCH
336requests additional changes aimed at optimizing batches of requests to
337the same driver.
338When the worker thread processes a request with
339.Dv CRYPTO_F_BATCH ,
340it will search the pending request queue for any other requests for the same
341driver,
342including requests from different sessions.
343If any other requests are present,
344.Dv CRYPTO_HINT_MORE
345is passed to the driver's process method.
346Drivers may use this to batch completion interrupts.
347.Pp
348Callback function scheduling is simpler than request scheduling.
349Callbacks can either be invoked synchronously from
350.Fn crypto_done ,
351or they can be queued to a pool of worker threads.
352This pool of worker threads is also sized to provide one worker thread
353for each CPU by default.
354Note that a callback function invoked synchronously from
355.Fn crypto_done
356must follow the same restrictions placed on threaded interrupt handlers.
357.Pp
358By default,
359callbacks are invoked asynchronously by a worker thread.
360If
361.Dv CRYPTO_F_CBIMM
362is set,
363the callback is always invoked synchronously from
364.Fn crypto_done .
365If
366.Dv CRYPTO_F_CBIFSYNC
367is set,
368the callback is invoked synchronously if the request was processed by a
369software driver or asynchronously if the request was processed by a
370hardware driver.
371.Pp
372If a request was scheduled to the taskqueue via
373.Dv CRYPTO_F_ASYNC ,
374callbacks are always invoked asynchronously ignoring
375.Dv CRYPTO_F_CBIMM
376and
377.Dv CRYPTO_F_CBIFSYNC .
378In this case,
379.Dv CRYPTO_F_ASYNC_KEEPORDER
380may be set to ensure that callbacks for requests on a given session are
381invoked in the same order that requests were queued to the session via
382.Fn crypto_dispatch .
383This flag is used by IPsec to ensure that decrypted network packets are
384passed up the network stack in roughly the same order they were received.
385.Pp
386.Ss Other Request Fields
387In addition to the fields and flags enumerated above,
388.Vt struct cryptop
389includes the following:
390.Bl -tag -width crp_payload_length
391.It Fa crp_session
392A reference to the active session.
393This is set when the request is created by
394.Fn crypto_getreq
395and should not be modified.
396Drivers can use this to fetch driver-specific session state or
397session parameters.
398.It Fa crp_etype
399Error status.
400Either zero on success, or an error if a request fails.
401Set by drivers prior to completing a request via
402.Fn crypto_done .
403.It Fa crp_flags
404A bitmask of flags.
405The following flags are available in addition to flags discussed previously:
406.Bl -tag -width CRYPTO_F_DONE
407.It Dv CRYPTO_F_DONE
408Set by
409.Fa crypto_done
410before calling
411.Fa crp_callback .
412This flag is not very useful and will likely be removed in the future.
413It can only be safely checked from the callback routine at which point
414it is always set.
415.El
416.It Fa crp_cipher_key
417Pointer to a request-specific encryption key.
418If this value is not set,
419the request uses the session encryption key.
420.It Fa crp_auth_key
421Pointer to a request-specific authentication key.
422If this value is not set,
423the request uses the session authentication key.
424.It Fa crp_opaque
425An opaque pointer.
426This pointer permits users of the cryptographic framework to store
427information about a request to be used in the callback.
428.It Fa crp_callback
429Callback function.
430This must point to a callback function of type
431.Vt void (*)(struct cryptop *) .
432The callback function should inspect
433.Fa crp_etype
434to determine the status of the completed operation.
435It should also arrange for the request to be freed via
436.Fn crypto_freereq .
437.It Fa crp_olen
438Used with compression and decompression requests to describe the updated
439length of the payload region in the data buffer.
440.Pp
441If a compression request increases the size of the payload,
442then the data buffer is unmodified, the request completes successfully,
443and
444.Fa crp_olen
445is set to the size the compressed data would have used.
446Callers can compare this to the payload region length to determine if
447the compressed data was discarded.
448.El
449.Sh RETURN VALUES
450.Fn crypto_dispatch
451returns an error if the request contained invalid fields,
452or zero if the request was valid.
453.Fn crypto_getreq
454returns a pointer to a new request structure on success,
455or
456.Dv NULL
457on failure.
458.Dv NULL
459can only be returned if
460.Dv M_NOWAIT
461was passed in
462.Fa how .
463.Sh SEE ALSO
464.Xr ipsec 4 ,
465.Xr crypto 7 ,
466.Xr crypto 9 ,
467.Xr crypto_session 9 ,
468.Xr mbuf 9
469.Xr uio 9
470.Sh BUGS
471Not all drivers properly handle mixing session and per-request keys
472within a single session.
473Consumers should either use a single key for a session specified in
474the session parameters or always use per-request keys.
475