xref: /freebsd/sys/opencrypto/crypto.c (revision 77a1348b3c1cfe8547be49a121b56299a1e18b69)
1 /*-
2  * Copyright (c) 2002-2006 Sam Leffler.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23  */
24 
25 #include <sys/cdefs.h>
26 __FBSDID("$FreeBSD$");
27 
28 /*
29  * Cryptographic Subsystem.
30  *
31  * This code is derived from the Openbsd Cryptographic Framework (OCF)
32  * that has the copyright shown below.  Very little of the original
33  * code remains.
34  */
35 
36 /*-
37  * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
38  *
39  * This code was written by Angelos D. Keromytis in Athens, Greece, in
40  * February 2000. Network Security Technologies Inc. (NSTI) kindly
41  * supported the development of this code.
42  *
43  * Copyright (c) 2000, 2001 Angelos D. Keromytis
44  *
45  * Permission to use, copy, and modify this software with or without fee
46  * is hereby granted, provided that this entire notice is included in
47  * all source code copies of any software which is or includes a copy or
48  * modification of this software.
49  *
50  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
51  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
52  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
53  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
54  * PURPOSE.
55  */
56 
57 #define	CRYPTO_TIMING				/* enable timing support */
58 
59 #include "opt_compat.h"
60 #include "opt_ddb.h"
61 
62 #include <sys/param.h>
63 #include <sys/systm.h>
64 #include <sys/eventhandler.h>
65 #include <sys/kernel.h>
66 #include <sys/kthread.h>
67 #include <sys/linker.h>
68 #include <sys/lock.h>
69 #include <sys/module.h>
70 #include <sys/mutex.h>
71 #include <sys/malloc.h>
72 #include <sys/proc.h>
73 #include <sys/refcount.h>
74 #include <sys/sdt.h>
75 #include <sys/smp.h>
76 #include <sys/sysctl.h>
77 #include <sys/taskqueue.h>
78 
79 #include <ddb/ddb.h>
80 
81 #include <vm/uma.h>
82 #include <crypto/intake.h>
83 #include <opencrypto/cryptodev.h>
84 #include <opencrypto/xform_auth.h>
85 #include <opencrypto/xform_enc.h>
86 
87 #include <sys/kobj.h>
88 #include <sys/bus.h>
89 #include "cryptodev_if.h"
90 
91 #if defined(__i386__) || defined(__amd64__) || defined(__aarch64__)
92 #include <machine/pcb.h>
93 #endif
94 
95 SDT_PROVIDER_DEFINE(opencrypto);
96 
97 /*
98  * Crypto drivers register themselves by allocating a slot in the
99  * crypto_drivers table with crypto_get_driverid() and then registering
100  * each asym algorithm they support with crypto_kregister().
101  */
102 static	struct mtx crypto_drivers_mtx;		/* lock on driver table */
103 #define	CRYPTO_DRIVER_LOCK()	mtx_lock(&crypto_drivers_mtx)
104 #define	CRYPTO_DRIVER_UNLOCK()	mtx_unlock(&crypto_drivers_mtx)
105 #define	CRYPTO_DRIVER_ASSERT()	mtx_assert(&crypto_drivers_mtx, MA_OWNED)
106 
107 /*
108  * Crypto device/driver capabilities structure.
109  *
110  * Synchronization:
111  * (d) - protected by CRYPTO_DRIVER_LOCK()
112  * (q) - protected by CRYPTO_Q_LOCK()
113  * Not tagged fields are read-only.
114  */
115 struct cryptocap {
116 	device_t	cc_dev;
117 	uint32_t	cc_hid;
118 	u_int32_t	cc_sessions;		/* (d) # of sessions */
119 	u_int32_t	cc_koperations;		/* (d) # os asym operations */
120 	u_int8_t	cc_kalg[CRK_ALGORITHM_MAX + 1];
121 
122 	int		cc_flags;		/* (d) flags */
123 #define CRYPTOCAP_F_CLEANUP	0x80000000	/* needs resource cleanup */
124 	int		cc_qblocked;		/* (q) symmetric q blocked */
125 	int		cc_kqblocked;		/* (q) asymmetric q blocked */
126 	size_t		cc_session_size;
127 	volatile int	cc_refs;
128 };
129 
130 static	struct cryptocap **crypto_drivers = NULL;
131 static	int crypto_drivers_size = 0;
132 
133 struct crypto_session {
134 	struct cryptocap *cap;
135 	void *softc;
136 	struct crypto_session_params csp;
137 };
138 
139 /*
140  * There are two queues for crypto requests; one for symmetric (e.g.
141  * cipher) operations and one for asymmetric (e.g. MOD)operations.
142  * A single mutex is used to lock access to both queues.  We could
143  * have one per-queue but having one simplifies handling of block/unblock
144  * operations.
145  */
146 static	int crp_sleep = 0;
147 static	TAILQ_HEAD(cryptop_q ,cryptop) crp_q;		/* request queues */
148 static	TAILQ_HEAD(,cryptkop) crp_kq;
149 static	struct mtx crypto_q_mtx;
150 #define	CRYPTO_Q_LOCK()		mtx_lock(&crypto_q_mtx)
151 #define	CRYPTO_Q_UNLOCK()	mtx_unlock(&crypto_q_mtx)
152 
153 static SYSCTL_NODE(_kern, OID_AUTO, crypto, CTLFLAG_RW, 0,
154     "In-kernel cryptography");
155 
156 /*
157  * Taskqueue used to dispatch the crypto requests
158  * that have the CRYPTO_F_ASYNC flag
159  */
160 static struct taskqueue *crypto_tq;
161 
162 /*
163  * Crypto seq numbers are operated on with modular arithmetic
164  */
165 #define	CRYPTO_SEQ_GT(a,b)	((int)((a)-(b)) > 0)
166 
167 struct crypto_ret_worker {
168 	struct mtx crypto_ret_mtx;
169 
170 	TAILQ_HEAD(,cryptop) crp_ordered_ret_q;	/* ordered callback queue for symetric jobs */
171 	TAILQ_HEAD(,cryptop) crp_ret_q;		/* callback queue for symetric jobs */
172 	TAILQ_HEAD(,cryptkop) crp_ret_kq;	/* callback queue for asym jobs */
173 
174 	u_int32_t reorder_ops;		/* total ordered sym jobs received */
175 	u_int32_t reorder_cur_seq;	/* current sym job dispatched */
176 
177 	struct proc *cryptoretproc;
178 };
179 static struct crypto_ret_worker *crypto_ret_workers = NULL;
180 
181 #define CRYPTO_RETW(i)		(&crypto_ret_workers[i])
182 #define CRYPTO_RETW_ID(w)	((w) - crypto_ret_workers)
183 #define FOREACH_CRYPTO_RETW(w) \
184 	for (w = crypto_ret_workers; w < crypto_ret_workers + crypto_workers_num; ++w)
185 
186 #define	CRYPTO_RETW_LOCK(w)	mtx_lock(&w->crypto_ret_mtx)
187 #define	CRYPTO_RETW_UNLOCK(w)	mtx_unlock(&w->crypto_ret_mtx)
188 #define	CRYPTO_RETW_EMPTY(w) \
189 	(TAILQ_EMPTY(&w->crp_ret_q) && TAILQ_EMPTY(&w->crp_ret_kq) && TAILQ_EMPTY(&w->crp_ordered_ret_q))
190 
191 static int crypto_workers_num = 0;
192 SYSCTL_INT(_kern_crypto, OID_AUTO, num_workers, CTLFLAG_RDTUN,
193 	   &crypto_workers_num, 0,
194 	   "Number of crypto workers used to dispatch crypto jobs");
195 #ifdef COMPAT_FREEBSD12
196 SYSCTL_INT(_kern, OID_AUTO, crypto_workers_num, CTLFLAG_RDTUN,
197 	   &crypto_workers_num, 0,
198 	   "Number of crypto workers used to dispatch crypto jobs");
199 #endif
200 
201 static	uma_zone_t cryptop_zone;
202 static	uma_zone_t cryptoses_zone;
203 
204 int	crypto_userasymcrypto = 1;
205 SYSCTL_INT(_kern_crypto, OID_AUTO, asym_enable, CTLFLAG_RW,
206 	   &crypto_userasymcrypto, 0,
207 	   "Enable user-mode access to asymmetric crypto support");
208 #ifdef COMPAT_FREEBSD12
209 SYSCTL_INT(_kern, OID_AUTO, userasymcrypto, CTLFLAG_RW,
210 	   &crypto_userasymcrypto, 0,
211 	   "Enable/disable user-mode access to asymmetric crypto support");
212 #endif
213 
214 int	crypto_devallowsoft = 0;
215 SYSCTL_INT(_kern_crypto, OID_AUTO, allow_soft, CTLFLAG_RW,
216 	   &crypto_devallowsoft, 0,
217 	   "Enable use of software crypto by /dev/crypto");
218 #ifdef COMPAT_FREEBSD12
219 SYSCTL_INT(_kern, OID_AUTO, cryptodevallowsoft, CTLFLAG_RW,
220 	   &crypto_devallowsoft, 0,
221 	   "Enable/disable use of software crypto by /dev/crypto");
222 #endif
223 
224 MALLOC_DEFINE(M_CRYPTO_DATA, "crypto", "crypto session records");
225 
226 static	void crypto_proc(void);
227 static	struct proc *cryptoproc;
228 static	void crypto_ret_proc(struct crypto_ret_worker *ret_worker);
229 static	void crypto_destroy(void);
230 static	int crypto_invoke(struct cryptocap *cap, struct cryptop *crp, int hint);
231 static	int crypto_kinvoke(struct cryptkop *krp);
232 static	void crypto_task_invoke(void *ctx, int pending);
233 static void crypto_batch_enqueue(struct cryptop *crp);
234 
235 static	struct cryptostats cryptostats;
236 SYSCTL_STRUCT(_kern_crypto, OID_AUTO, stats, CTLFLAG_RW, &cryptostats,
237 	    cryptostats, "Crypto system statistics");
238 
239 #ifdef CRYPTO_TIMING
240 static	int crypto_timing = 0;
241 SYSCTL_INT(_debug, OID_AUTO, crypto_timing, CTLFLAG_RW,
242 	   &crypto_timing, 0, "Enable/disable crypto timing support");
243 #endif
244 
245 /* Try to avoid directly exposing the key buffer as a symbol */
246 static struct keybuf *keybuf;
247 
248 static struct keybuf empty_keybuf = {
249         .kb_nents = 0
250 };
251 
252 /* Obtain the key buffer from boot metadata */
253 static void
254 keybuf_init(void)
255 {
256 	caddr_t kmdp;
257 
258 	kmdp = preload_search_by_type("elf kernel");
259 
260 	if (kmdp == NULL)
261 		kmdp = preload_search_by_type("elf64 kernel");
262 
263 	keybuf = (struct keybuf *)preload_search_info(kmdp,
264 	    MODINFO_METADATA | MODINFOMD_KEYBUF);
265 
266         if (keybuf == NULL)
267                 keybuf = &empty_keybuf;
268 }
269 
270 /* It'd be nice if we could store these in some kind of secure memory... */
271 struct keybuf * get_keybuf(void) {
272 
273         return (keybuf);
274 }
275 
276 static struct cryptocap *
277 cap_ref(struct cryptocap *cap)
278 {
279 
280 	refcount_acquire(&cap->cc_refs);
281 	return (cap);
282 }
283 
284 static void
285 cap_rele(struct cryptocap *cap)
286 {
287 
288 	if (refcount_release(&cap->cc_refs) == 0)
289 		return;
290 
291 	KASSERT(cap->cc_sessions == 0,
292 	    ("freeing crypto driver with active sessions"));
293 	KASSERT(cap->cc_koperations == 0,
294 	    ("freeing crypto driver with active key operations"));
295 
296 	free(cap, M_CRYPTO_DATA);
297 }
298 
299 static int
300 crypto_init(void)
301 {
302 	struct crypto_ret_worker *ret_worker;
303 	int error;
304 
305 	mtx_init(&crypto_drivers_mtx, "crypto", "crypto driver table",
306 		MTX_DEF|MTX_QUIET);
307 
308 	TAILQ_INIT(&crp_q);
309 	TAILQ_INIT(&crp_kq);
310 	mtx_init(&crypto_q_mtx, "crypto", "crypto op queues", MTX_DEF);
311 
312 	cryptop_zone = uma_zcreate("cryptop", sizeof (struct cryptop),
313 				    0, 0, 0, 0,
314 				    UMA_ALIGN_PTR, UMA_ZONE_ZINIT);
315 	cryptoses_zone = uma_zcreate("crypto_session",
316 	    sizeof(struct crypto_session), NULL, NULL, NULL, NULL,
317 	    UMA_ALIGN_PTR, UMA_ZONE_ZINIT);
318 
319 	if (cryptop_zone == NULL || cryptoses_zone == NULL) {
320 		printf("crypto_init: cannot setup crypto zones\n");
321 		error = ENOMEM;
322 		goto bad;
323 	}
324 
325 	crypto_drivers_size = CRYPTO_DRIVERS_INITIAL;
326 	crypto_drivers = malloc(crypto_drivers_size *
327 	    sizeof(struct cryptocap), M_CRYPTO_DATA, M_NOWAIT | M_ZERO);
328 	if (crypto_drivers == NULL) {
329 		printf("crypto_init: cannot setup crypto drivers\n");
330 		error = ENOMEM;
331 		goto bad;
332 	}
333 
334 	if (crypto_workers_num < 1 || crypto_workers_num > mp_ncpus)
335 		crypto_workers_num = mp_ncpus;
336 
337 	crypto_tq = taskqueue_create("crypto", M_WAITOK|M_ZERO,
338 				taskqueue_thread_enqueue, &crypto_tq);
339 	if (crypto_tq == NULL) {
340 		printf("crypto init: cannot setup crypto taskqueue\n");
341 		error = ENOMEM;
342 		goto bad;
343 	}
344 
345 	taskqueue_start_threads(&crypto_tq, crypto_workers_num, PRI_MIN_KERN,
346 		"crypto");
347 
348 	error = kproc_create((void (*)(void *)) crypto_proc, NULL,
349 		    &cryptoproc, 0, 0, "crypto");
350 	if (error) {
351 		printf("crypto_init: cannot start crypto thread; error %d",
352 			error);
353 		goto bad;
354 	}
355 
356 	crypto_ret_workers = malloc(crypto_workers_num * sizeof(struct crypto_ret_worker),
357 			M_CRYPTO_DATA, M_NOWAIT|M_ZERO);
358 	if (crypto_ret_workers == NULL) {
359 		error = ENOMEM;
360 		printf("crypto_init: cannot allocate ret workers\n");
361 		goto bad;
362 	}
363 
364 
365 	FOREACH_CRYPTO_RETW(ret_worker) {
366 		TAILQ_INIT(&ret_worker->crp_ordered_ret_q);
367 		TAILQ_INIT(&ret_worker->crp_ret_q);
368 		TAILQ_INIT(&ret_worker->crp_ret_kq);
369 
370 		ret_worker->reorder_ops = 0;
371 		ret_worker->reorder_cur_seq = 0;
372 
373 		mtx_init(&ret_worker->crypto_ret_mtx, "crypto", "crypto return queues", MTX_DEF);
374 
375 		error = kproc_create((void (*)(void *)) crypto_ret_proc, ret_worker,
376 				&ret_worker->cryptoretproc, 0, 0, "crypto returns %td", CRYPTO_RETW_ID(ret_worker));
377 		if (error) {
378 			printf("crypto_init: cannot start cryptoret thread; error %d",
379 				error);
380 			goto bad;
381 		}
382 	}
383 
384 	keybuf_init();
385 
386 	return 0;
387 bad:
388 	crypto_destroy();
389 	return error;
390 }
391 
392 /*
393  * Signal a crypto thread to terminate.  We use the driver
394  * table lock to synchronize the sleep/wakeups so that we
395  * are sure the threads have terminated before we release
396  * the data structures they use.  See crypto_finis below
397  * for the other half of this song-and-dance.
398  */
399 static void
400 crypto_terminate(struct proc **pp, void *q)
401 {
402 	struct proc *p;
403 
404 	mtx_assert(&crypto_drivers_mtx, MA_OWNED);
405 	p = *pp;
406 	*pp = NULL;
407 	if (p) {
408 		wakeup_one(q);
409 		PROC_LOCK(p);		/* NB: insure we don't miss wakeup */
410 		CRYPTO_DRIVER_UNLOCK();	/* let crypto_finis progress */
411 		msleep(p, &p->p_mtx, PWAIT, "crypto_destroy", 0);
412 		PROC_UNLOCK(p);
413 		CRYPTO_DRIVER_LOCK();
414 	}
415 }
416 
417 static void
418 hmac_init_pad(struct auth_hash *axf, const char *key, int klen, void *auth_ctx,
419     uint8_t padval)
420 {
421 	uint8_t hmac_key[HMAC_MAX_BLOCK_LEN];
422 	u_int i;
423 
424 	KASSERT(axf->blocksize <= sizeof(hmac_key),
425 	    ("Invalid HMAC block size %d", axf->blocksize));
426 
427 	/*
428 	 * If the key is larger than the block size, use the digest of
429 	 * the key as the key instead.
430 	 */
431 	memset(hmac_key, 0, sizeof(hmac_key));
432 	if (klen > axf->blocksize) {
433 		axf->Init(auth_ctx);
434 		axf->Update(auth_ctx, key, klen);
435 		axf->Final(hmac_key, auth_ctx);
436 		klen = axf->hashsize;
437 	} else
438 		memcpy(hmac_key, key, klen);
439 
440 	for (i = 0; i < axf->blocksize; i++)
441 		hmac_key[i] ^= padval;
442 
443 	axf->Init(auth_ctx);
444 	axf->Update(auth_ctx, hmac_key, axf->blocksize);
445 }
446 
447 void
448 hmac_init_ipad(struct auth_hash *axf, const char *key, int klen,
449     void *auth_ctx)
450 {
451 
452 	hmac_init_pad(axf, key, klen, auth_ctx, HMAC_IPAD_VAL);
453 }
454 
455 void
456 hmac_init_opad(struct auth_hash *axf, const char *key, int klen,
457     void *auth_ctx)
458 {
459 
460 	hmac_init_pad(axf, key, klen, auth_ctx, HMAC_OPAD_VAL);
461 }
462 
463 static void
464 crypto_destroy(void)
465 {
466 	struct crypto_ret_worker *ret_worker;
467 	int i;
468 
469 	/*
470 	 * Terminate any crypto threads.
471 	 */
472 	if (crypto_tq != NULL)
473 		taskqueue_drain_all(crypto_tq);
474 	CRYPTO_DRIVER_LOCK();
475 	crypto_terminate(&cryptoproc, &crp_q);
476 	FOREACH_CRYPTO_RETW(ret_worker)
477 		crypto_terminate(&ret_worker->cryptoretproc, &ret_worker->crp_ret_q);
478 	CRYPTO_DRIVER_UNLOCK();
479 
480 	/* XXX flush queues??? */
481 
482 	/*
483 	 * Reclaim dynamically allocated resources.
484 	 */
485 	for (i = 0; i < crypto_drivers_size; i++) {
486 		if (crypto_drivers[i] != NULL)
487 			cap_rele(crypto_drivers[i]);
488 	}
489 	free(crypto_drivers, M_CRYPTO_DATA);
490 
491 	if (cryptoses_zone != NULL)
492 		uma_zdestroy(cryptoses_zone);
493 	if (cryptop_zone != NULL)
494 		uma_zdestroy(cryptop_zone);
495 	mtx_destroy(&crypto_q_mtx);
496 	FOREACH_CRYPTO_RETW(ret_worker)
497 		mtx_destroy(&ret_worker->crypto_ret_mtx);
498 	free(crypto_ret_workers, M_CRYPTO_DATA);
499 	if (crypto_tq != NULL)
500 		taskqueue_free(crypto_tq);
501 	mtx_destroy(&crypto_drivers_mtx);
502 }
503 
504 uint32_t
505 crypto_ses2hid(crypto_session_t crypto_session)
506 {
507 	return (crypto_session->cap->cc_hid);
508 }
509 
510 uint32_t
511 crypto_ses2caps(crypto_session_t crypto_session)
512 {
513 	return (crypto_session->cap->cc_flags & 0xff000000);
514 }
515 
516 void *
517 crypto_get_driver_session(crypto_session_t crypto_session)
518 {
519 	return (crypto_session->softc);
520 }
521 
522 const struct crypto_session_params *
523 crypto_get_params(crypto_session_t crypto_session)
524 {
525 	return (&crypto_session->csp);
526 }
527 
528 struct auth_hash *
529 crypto_auth_hash(const struct crypto_session_params *csp)
530 {
531 
532 	switch (csp->csp_auth_alg) {
533 	case CRYPTO_MD5_HMAC:
534 		return (&auth_hash_hmac_md5);
535 	case CRYPTO_SHA1_HMAC:
536 		return (&auth_hash_hmac_sha1);
537 	case CRYPTO_SHA2_224_HMAC:
538 		return (&auth_hash_hmac_sha2_224);
539 	case CRYPTO_SHA2_256_HMAC:
540 		return (&auth_hash_hmac_sha2_256);
541 	case CRYPTO_SHA2_384_HMAC:
542 		return (&auth_hash_hmac_sha2_384);
543 	case CRYPTO_SHA2_512_HMAC:
544 		return (&auth_hash_hmac_sha2_512);
545 	case CRYPTO_NULL_HMAC:
546 		return (&auth_hash_null);
547 	case CRYPTO_RIPEMD160_HMAC:
548 		return (&auth_hash_hmac_ripemd_160);
549 	case CRYPTO_MD5_KPDK:
550 		return (&auth_hash_key_md5);
551 	case CRYPTO_SHA1_KPDK:
552 		return (&auth_hash_key_sha1);
553 #ifdef notyet
554 	case CRYPTO_MD5:
555 		return (&auth_hash_md5);
556 #endif
557 	case CRYPTO_SHA1:
558 		return (&auth_hash_sha1);
559 	case CRYPTO_SHA2_224:
560 		return (&auth_hash_sha2_224);
561 	case CRYPTO_SHA2_256:
562 		return (&auth_hash_sha2_256);
563 	case CRYPTO_SHA2_384:
564 		return (&auth_hash_sha2_384);
565 	case CRYPTO_SHA2_512:
566 		return (&auth_hash_sha2_512);
567 	case CRYPTO_AES_NIST_GMAC:
568 		switch (csp->csp_auth_klen) {
569 		case 128 / 8:
570 			return (&auth_hash_nist_gmac_aes_128);
571 		case 192 / 8:
572 			return (&auth_hash_nist_gmac_aes_192);
573 		case 256 / 8:
574 			return (&auth_hash_nist_gmac_aes_256);
575 		default:
576 			return (NULL);
577 		}
578 	case CRYPTO_BLAKE2B:
579 		return (&auth_hash_blake2b);
580 	case CRYPTO_BLAKE2S:
581 		return (&auth_hash_blake2s);
582 	case CRYPTO_POLY1305:
583 		return (&auth_hash_poly1305);
584 	case CRYPTO_AES_CCM_CBC_MAC:
585 		switch (csp->csp_auth_klen) {
586 		case 128 / 8:
587 			return (&auth_hash_ccm_cbc_mac_128);
588 		case 192 / 8:
589 			return (&auth_hash_ccm_cbc_mac_192);
590 		case 256 / 8:
591 			return (&auth_hash_ccm_cbc_mac_256);
592 		default:
593 			return (NULL);
594 		}
595 	default:
596 		return (NULL);
597 	}
598 }
599 
600 struct enc_xform *
601 crypto_cipher(const struct crypto_session_params *csp)
602 {
603 
604 	switch (csp->csp_cipher_alg) {
605 	case CRYPTO_DES_CBC:
606 		return (&enc_xform_des);
607 	case CRYPTO_3DES_CBC:
608 		return (&enc_xform_3des);
609 	case CRYPTO_BLF_CBC:
610 		return (&enc_xform_blf);
611 	case CRYPTO_CAST_CBC:
612 		return (&enc_xform_cast5);
613 	case CRYPTO_SKIPJACK_CBC:
614 		return (&enc_xform_skipjack);
615 	case CRYPTO_RIJNDAEL128_CBC:
616 		return (&enc_xform_rijndael128);
617 	case CRYPTO_AES_XTS:
618 		return (&enc_xform_aes_xts);
619 	case CRYPTO_AES_ICM:
620 		return (&enc_xform_aes_icm);
621 	case CRYPTO_AES_NIST_GCM_16:
622 		return (&enc_xform_aes_nist_gcm);
623 	case CRYPTO_CAMELLIA_CBC:
624 		return (&enc_xform_camellia);
625 	case CRYPTO_NULL_CBC:
626 		return (&enc_xform_null);
627 	case CRYPTO_CHACHA20:
628 		return (&enc_xform_chacha20);
629 	case CRYPTO_AES_CCM_16:
630 		return (&enc_xform_ccm);
631 	default:
632 		return (NULL);
633 	}
634 }
635 
636 static struct cryptocap *
637 crypto_checkdriver(u_int32_t hid)
638 {
639 
640 	return (hid >= crypto_drivers_size ? NULL : crypto_drivers[hid]);
641 }
642 
643 /*
644  * Select a driver for a new session that supports the specified
645  * algorithms and, optionally, is constrained according to the flags.
646  */
647 static struct cryptocap *
648 crypto_select_driver(const struct crypto_session_params *csp, int flags)
649 {
650 	struct cryptocap *cap, *best;
651 	int best_match, error, hid;
652 
653 	CRYPTO_DRIVER_ASSERT();
654 
655 	best = NULL;
656 	for (hid = 0; hid < crypto_drivers_size; hid++) {
657 		/*
658 		 * If there is no driver for this slot, or the driver
659 		 * is not appropriate (hardware or software based on
660 		 * match), then skip.
661 		 */
662 		cap = crypto_drivers[hid];
663 		if (cap == NULL ||
664 		    (cap->cc_flags & flags) == 0)
665 			continue;
666 
667 		error = CRYPTODEV_PROBESESSION(cap->cc_dev, csp);
668 		if (error >= 0)
669 			continue;
670 
671 		/*
672 		 * Use the driver with the highest probe value.
673 		 * Hardware drivers use a higher probe value than
674 		 * software.  In case of a tie, prefer the driver with
675 		 * the fewest active sessions.
676 		 */
677 		if (best == NULL || error > best_match ||
678 		    (error == best_match &&
679 		    cap->cc_sessions < best->cc_sessions)) {
680 			best = cap;
681 			best_match = error;
682 		}
683 	}
684 	return best;
685 }
686 
687 static bool
688 alg_is_compression(int alg)
689 {
690 
691 	if (alg == CRYPTO_DEFLATE_COMP)
692 		return (true);
693 	return (false);
694 }
695 
696 static bool
697 alg_is_cipher(int alg)
698 {
699 
700 	if (alg >= CRYPTO_DES_CBC && alg <= CRYPTO_SKIPJACK_CBC)
701 		return (true);
702 	if (alg >= CRYPTO_AES_CBC && alg <= CRYPTO_ARC4)
703 		return (true);
704 	if (alg == CRYPTO_NULL_CBC)
705 		return (true);
706 	if (alg >= CRYPTO_CAMELLIA_CBC && alg <= CRYPTO_AES_ICM)
707 		return (true);
708 	if (alg == CRYPTO_CHACHA20)
709 		return (true);
710 	return (false);
711 }
712 
713 static bool
714 alg_is_digest(int alg)
715 {
716 
717 	if (alg >= CRYPTO_MD5_HMAC && alg <= CRYPTO_SHA1_KPDK)
718 		return (true);
719 	if (alg >= CRYPTO_MD5 && alg <= CRYPTO_SHA1)
720 		return (true);
721 	if (alg == CRYPTO_NULL_HMAC)
722 		return (true);
723 	if (alg >= CRYPTO_SHA2_256_HMAC && alg <= CRYPTO_SHA2_512_HMAC)
724 		return (true);
725 	if (alg == CRYPTO_AES_NIST_GMAC)
726 		return (true);
727 	if (alg >= CRYPTO_BLAKE2B && alg <= CRYPTO_BLAKE2S)
728 		return (true);
729 	if (alg >= CRYPTO_SHA2_224_HMAC && alg <= CRYPTO_POLY1305)
730 		return (true);
731 	if (alg == CRYPTO_AES_CCM_CBC_MAC)
732 		return (true);
733 	return (false);
734 }
735 
736 static bool
737 alg_is_keyed_digest(int alg)
738 {
739 
740 	if (alg >= CRYPTO_MD5_HMAC && alg <= CRYPTO_SHA1_KPDK)
741 		return (true);
742 	if (alg >= CRYPTO_SHA2_256_HMAC && alg <= CRYPTO_SHA2_512_HMAC)
743 		return (true);
744 	if (alg == CRYPTO_AES_NIST_GMAC)
745 		return (true);
746 	if (alg >= CRYPTO_BLAKE2B && alg <= CRYPTO_BLAKE2S)
747 		return (true);
748 	if (alg == CRYPTO_SHA2_224_HMAC)
749 		return (true);
750 	if (alg == CRYPTO_POLY1305)
751 		return (true);
752 	if (alg == CRYPTO_AES_CCM_CBC_MAC)
753 		return (true);
754 	return (false);
755 }
756 
757 static bool
758 alg_is_aead(int alg)
759 {
760 
761 	if (alg == CRYPTO_AES_NIST_GCM_16)
762 		return (true);
763 	if (alg == CRYPTO_AES_CCM_16)
764 		return (true);
765 	return (false);
766 }
767 
768 /* Various sanity checks on crypto session parameters. */
769 static bool
770 check_csp(const struct crypto_session_params *csp)
771 {
772 	struct auth_hash *axf;
773 
774 	/* Mode-independent checks. */
775 	if (csp->csp_flags != 0)
776 		return (false);
777 	if (csp->csp_ivlen < 0 || csp->csp_cipher_klen < 0 ||
778 	    csp->csp_auth_klen < 0 || csp->csp_auth_mlen < 0)
779 		return (false);
780 	if (csp->csp_auth_key != NULL && csp->csp_auth_klen == 0)
781 		return (false);
782 	if (csp->csp_cipher_key != NULL && csp->csp_cipher_klen == 0)
783 		return (false);
784 
785 	switch (csp->csp_mode) {
786 	case CSP_MODE_COMPRESS:
787 		if (!alg_is_compression(csp->csp_cipher_alg))
788 			return (false);
789 		if (csp->csp_flags != 0)
790 			return (false);
791 		if (csp->csp_cipher_klen != 0 || csp->csp_ivlen != 0 ||
792 		    csp->csp_auth_alg != 0 || csp->csp_auth_klen != 0 ||
793 		    csp->csp_auth_mlen != 0)
794 			return (false);
795 		break;
796 	case CSP_MODE_CIPHER:
797 		if (!alg_is_cipher(csp->csp_cipher_alg))
798 			return (false);
799 		if (csp->csp_cipher_alg != CRYPTO_NULL_CBC) {
800 			if (csp->csp_cipher_klen == 0)
801 				return (false);
802 			if (csp->csp_cipher_alg != CRYPTO_ARC4) {
803 				if (csp->csp_ivlen == 0)
804 					return (false);
805 			}
806 		}
807 		if (csp->csp_ivlen >= EALG_MAX_BLOCK_LEN)
808 			return (false);
809 		if (csp->csp_auth_alg != 0 || csp->csp_auth_klen != 0 ||
810 		    csp->csp_auth_mlen != 0)
811 			return (false);
812 		break;
813 	case CSP_MODE_DIGEST:
814 		if (csp->csp_cipher_alg != 0 || csp->csp_cipher_klen != 0)
815 			return (false);
816 
817 		/* IV is optional for digests (e.g. GMAC). */
818 		if (csp->csp_ivlen >= EALG_MAX_BLOCK_LEN)
819 			return (false);
820 		if (!alg_is_digest(csp->csp_auth_alg))
821 			return (false);
822 
823 		/* Key is optional for BLAKE2 digests. */
824 		if (csp->csp_auth_alg == CRYPTO_BLAKE2B ||
825 		    csp->csp_auth_alg == CRYPTO_BLAKE2S)
826 			;
827 		else if (alg_is_keyed_digest(csp->csp_auth_alg)) {
828 			if (csp->csp_auth_klen == 0)
829 				return (false);
830 		} else {
831 			if (csp->csp_auth_klen != 0)
832 				return (false);
833 		}
834 		if (csp->csp_auth_mlen != 0) {
835 			axf = crypto_auth_hash(csp);
836 			if (axf == NULL || csp->csp_auth_mlen > axf->hashsize)
837 				return (false);
838 		}
839 		break;
840 	case CSP_MODE_AEAD:
841 		if (!alg_is_aead(csp->csp_cipher_alg))
842 			return (false);
843 		if (csp->csp_cipher_klen == 0)
844 			return (false);
845 		if (csp->csp_ivlen == 0 ||
846 		    csp->csp_ivlen >= EALG_MAX_BLOCK_LEN)
847 			return (false);
848 		if (csp->csp_auth_alg != 0 || csp->csp_auth_klen != 0)
849 			return (false);
850 
851 		/*
852 		 * XXX: Would be nice to have a better way to get this
853 		 * value.
854 		 */
855 		switch (csp->csp_cipher_alg) {
856 		case CRYPTO_AES_NIST_GCM_16:
857 		case CRYPTO_AES_CCM_16:
858 			if (csp->csp_auth_mlen > 16)
859 				return (false);
860 			break;
861 		}
862 		break;
863 	case CSP_MODE_ETA:
864 		if (!alg_is_cipher(csp->csp_cipher_alg))
865 			return (false);
866 		if (csp->csp_cipher_alg != CRYPTO_NULL_CBC) {
867 			if (csp->csp_cipher_klen == 0)
868 				return (false);
869 			if (csp->csp_cipher_alg != CRYPTO_ARC4) {
870 				if (csp->csp_ivlen == 0)
871 					return (false);
872 			}
873 		}
874 		if (csp->csp_ivlen >= EALG_MAX_BLOCK_LEN)
875 			return (false);
876 		if (!alg_is_digest(csp->csp_auth_alg))
877 			return (false);
878 
879 		/* Key is optional for BLAKE2 digests. */
880 		if (csp->csp_auth_alg == CRYPTO_BLAKE2B ||
881 		    csp->csp_auth_alg == CRYPTO_BLAKE2S)
882 			;
883 		else if (alg_is_keyed_digest(csp->csp_auth_alg)) {
884 			if (csp->csp_auth_klen == 0)
885 				return (false);
886 		} else {
887 			if (csp->csp_auth_klen != 0)
888 				return (false);
889 		}
890 		if (csp->csp_auth_mlen != 0) {
891 			axf = crypto_auth_hash(csp);
892 			if (axf == NULL || csp->csp_auth_mlen > axf->hashsize)
893 				return (false);
894 		}
895 		break;
896 	default:
897 		return (false);
898 	}
899 
900 	return (true);
901 }
902 
903 /*
904  * Delete a session after it has been detached from its driver.
905  */
906 static void
907 crypto_deletesession(crypto_session_t cses)
908 {
909 	struct cryptocap *cap;
910 
911 	cap = cses->cap;
912 
913 	explicit_bzero(cses->softc, cap->cc_session_size);
914 	free(cses->softc, M_CRYPTO_DATA);
915 	uma_zfree(cryptoses_zone, cses);
916 
917 	CRYPTO_DRIVER_LOCK();
918 	cap->cc_sessions--;
919 	if (cap->cc_sessions == 0 && cap->cc_flags & CRYPTOCAP_F_CLEANUP)
920 		wakeup(cap);
921 	CRYPTO_DRIVER_UNLOCK();
922 	cap_rele(cap);
923 }
924 
925 /*
926  * Create a new session.  The crid argument specifies a crypto
927  * driver to use or constraints on a driver to select (hardware
928  * only, software only, either).  Whatever driver is selected
929  * must be capable of the requested crypto algorithms.
930  */
931 int
932 crypto_newsession(crypto_session_t *cses,
933     const struct crypto_session_params *csp, int crid)
934 {
935 	crypto_session_t res;
936 	struct cryptocap *cap;
937 	int err;
938 
939 	if (!check_csp(csp))
940 		return (EINVAL);
941 
942 	res = NULL;
943 
944 	CRYPTO_DRIVER_LOCK();
945 	if ((crid & (CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE)) == 0) {
946 		/*
947 		 * Use specified driver; verify it is capable.
948 		 */
949 		cap = crypto_checkdriver(crid);
950 		if (cap != NULL && CRYPTODEV_PROBESESSION(cap->cc_dev, csp) > 0)
951 			cap = NULL;
952 	} else {
953 		/*
954 		 * No requested driver; select based on crid flags.
955 		 */
956 		cap = crypto_select_driver(csp, crid);
957 	}
958 	if (cap == NULL) {
959 		CRYPTO_DRIVER_UNLOCK();
960 		CRYPTDEB("no driver");
961 		return (EOPNOTSUPP);
962 	}
963 	cap_ref(cap);
964 	cap->cc_sessions++;
965 	CRYPTO_DRIVER_UNLOCK();
966 
967 	res = uma_zalloc(cryptoses_zone, M_WAITOK | M_ZERO);
968 	res->cap = cap;
969 	res->softc = malloc(cap->cc_session_size, M_CRYPTO_DATA, M_WAITOK |
970 	    M_ZERO);
971 	res->csp = *csp;
972 
973 	/* Call the driver initialization routine. */
974 	err = CRYPTODEV_NEWSESSION(cap->cc_dev, res, csp);
975 	if (err != 0) {
976 		CRYPTDEB("dev newsession failed: %d", err);
977 		crypto_deletesession(res);
978 		return (err);
979 	}
980 
981 	*cses = res;
982 	return (0);
983 }
984 
985 /*
986  * Delete an existing session (or a reserved session on an unregistered
987  * driver).
988  */
989 void
990 crypto_freesession(crypto_session_t cses)
991 {
992 	struct cryptocap *cap;
993 
994 	if (cses == NULL)
995 		return;
996 
997 	cap = cses->cap;
998 
999 	/* Call the driver cleanup routine, if available. */
1000 	CRYPTODEV_FREESESSION(cap->cc_dev, cses);
1001 
1002 	crypto_deletesession(cses);
1003 }
1004 
1005 /*
1006  * Return a new driver id.  Registers a driver with the system so that
1007  * it can be probed by subsequent sessions.
1008  */
1009 int32_t
1010 crypto_get_driverid(device_t dev, size_t sessionsize, int flags)
1011 {
1012 	struct cryptocap *cap, **newdrv;
1013 	int i;
1014 
1015 	if ((flags & (CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE)) == 0) {
1016 		device_printf(dev,
1017 		    "no flags specified when registering driver\n");
1018 		return -1;
1019 	}
1020 
1021 	cap = malloc(sizeof(*cap), M_CRYPTO_DATA, M_WAITOK | M_ZERO);
1022 	cap->cc_dev = dev;
1023 	cap->cc_session_size = sessionsize;
1024 	cap->cc_flags = flags;
1025 	refcount_init(&cap->cc_refs, 1);
1026 
1027 	CRYPTO_DRIVER_LOCK();
1028 	for (;;) {
1029 		for (i = 0; i < crypto_drivers_size; i++) {
1030 			if (crypto_drivers[i] == NULL)
1031 				break;
1032 		}
1033 
1034 		if (i < crypto_drivers_size)
1035 			break;
1036 
1037 		/* Out of entries, allocate some more. */
1038 
1039 		if (2 * crypto_drivers_size <= crypto_drivers_size) {
1040 			CRYPTO_DRIVER_UNLOCK();
1041 			printf("crypto: driver count wraparound!\n");
1042 			cap_rele(cap);
1043 			return (-1);
1044 		}
1045 		CRYPTO_DRIVER_UNLOCK();
1046 
1047 		newdrv = malloc(2 * crypto_drivers_size *
1048 		    sizeof(*crypto_drivers), M_CRYPTO_DATA, M_WAITOK | M_ZERO);
1049 
1050 		CRYPTO_DRIVER_LOCK();
1051 		memcpy(newdrv, crypto_drivers,
1052 		    crypto_drivers_size * sizeof(*crypto_drivers));
1053 
1054 		crypto_drivers_size *= 2;
1055 
1056 		free(crypto_drivers, M_CRYPTO_DATA);
1057 		crypto_drivers = newdrv;
1058 	}
1059 
1060 	cap->cc_hid = i;
1061 	crypto_drivers[i] = cap;
1062 	CRYPTO_DRIVER_UNLOCK();
1063 
1064 	if (bootverbose)
1065 		printf("crypto: assign %s driver id %u, flags 0x%x\n",
1066 		    device_get_nameunit(dev), i, flags);
1067 
1068 	return i;
1069 }
1070 
1071 /*
1072  * Lookup a driver by name.  We match against the full device
1073  * name and unit, and against just the name.  The latter gives
1074  * us a simple widlcarding by device name.  On success return the
1075  * driver/hardware identifier; otherwise return -1.
1076  */
1077 int
1078 crypto_find_driver(const char *match)
1079 {
1080 	struct cryptocap *cap;
1081 	int i, len = strlen(match);
1082 
1083 	CRYPTO_DRIVER_LOCK();
1084 	for (i = 0; i < crypto_drivers_size; i++) {
1085 		if (crypto_drivers[i] == NULL)
1086 			continue;
1087 		cap = crypto_drivers[i];
1088 		if (strncmp(match, device_get_nameunit(cap->cc_dev), len) == 0 ||
1089 		    strncmp(match, device_get_name(cap->cc_dev), len) == 0) {
1090 			CRYPTO_DRIVER_UNLOCK();
1091 			return (i);
1092 		}
1093 	}
1094 	CRYPTO_DRIVER_UNLOCK();
1095 	return (-1);
1096 }
1097 
1098 /*
1099  * Return the device_t for the specified driver or NULL
1100  * if the driver identifier is invalid.
1101  */
1102 device_t
1103 crypto_find_device_byhid(int hid)
1104 {
1105 	struct cryptocap *cap;
1106 	device_t dev;
1107 
1108 	dev = NULL;
1109 	CRYPTO_DRIVER_LOCK();
1110 	cap = crypto_checkdriver(hid);
1111 	if (cap != NULL)
1112 		dev = cap->cc_dev;
1113 	CRYPTO_DRIVER_UNLOCK();
1114 	return (dev);
1115 }
1116 
1117 /*
1118  * Return the device/driver capabilities.
1119  */
1120 int
1121 crypto_getcaps(int hid)
1122 {
1123 	struct cryptocap *cap;
1124 	int flags;
1125 
1126 	flags = 0;
1127 	CRYPTO_DRIVER_LOCK();
1128 	cap = crypto_checkdriver(hid);
1129 	if (cap != NULL)
1130 		flags = cap->cc_flags;
1131 	CRYPTO_DRIVER_UNLOCK();
1132 	return (flags);
1133 }
1134 
1135 /*
1136  * Register support for a key-related algorithm.  This routine
1137  * is called once for each algorithm supported a driver.
1138  */
1139 int
1140 crypto_kregister(u_int32_t driverid, int kalg, u_int32_t flags)
1141 {
1142 	struct cryptocap *cap;
1143 	int err;
1144 
1145 	CRYPTO_DRIVER_LOCK();
1146 
1147 	cap = crypto_checkdriver(driverid);
1148 	if (cap != NULL &&
1149 	    (CRK_ALGORITM_MIN <= kalg && kalg <= CRK_ALGORITHM_MAX)) {
1150 		/*
1151 		 * XXX Do some performance testing to determine placing.
1152 		 * XXX We probably need an auxiliary data structure that
1153 		 * XXX describes relative performances.
1154 		 */
1155 
1156 		cap->cc_kalg[kalg] = flags | CRYPTO_ALG_FLAG_SUPPORTED;
1157 		if (bootverbose)
1158 			printf("crypto: %s registers key alg %u flags %u\n"
1159 				, device_get_nameunit(cap->cc_dev)
1160 				, kalg
1161 				, flags
1162 			);
1163 		err = 0;
1164 	} else
1165 		err = EINVAL;
1166 
1167 	CRYPTO_DRIVER_UNLOCK();
1168 	return err;
1169 }
1170 
1171 /*
1172  * Unregister all algorithms associated with a crypto driver.
1173  * If there are pending sessions using it, leave enough information
1174  * around so that subsequent calls using those sessions will
1175  * correctly detect the driver has been unregistered and reroute
1176  * requests.
1177  */
1178 int
1179 crypto_unregister_all(u_int32_t driverid)
1180 {
1181 	struct cryptocap *cap;
1182 
1183 	CRYPTO_DRIVER_LOCK();
1184 	cap = crypto_checkdriver(driverid);
1185 	if (cap == NULL) {
1186 		CRYPTO_DRIVER_UNLOCK();
1187 		return (EINVAL);
1188 	}
1189 
1190 	cap->cc_flags |= CRYPTOCAP_F_CLEANUP;
1191 	crypto_drivers[driverid] = NULL;
1192 
1193 	/*
1194 	 * XXX: This doesn't do anything to kick sessions that
1195 	 * have no pending operations.
1196 	 */
1197 	while (cap->cc_sessions != 0 || cap->cc_koperations != 0)
1198 		mtx_sleep(cap, &crypto_drivers_mtx, 0, "cryunreg", 0);
1199 	CRYPTO_DRIVER_UNLOCK();
1200 	cap_rele(cap);
1201 
1202 	return (0);
1203 }
1204 
1205 /*
1206  * Clear blockage on a driver.  The what parameter indicates whether
1207  * the driver is now ready for cryptop's and/or cryptokop's.
1208  */
1209 int
1210 crypto_unblock(u_int32_t driverid, int what)
1211 {
1212 	struct cryptocap *cap;
1213 	int err;
1214 
1215 	CRYPTO_Q_LOCK();
1216 	cap = crypto_checkdriver(driverid);
1217 	if (cap != NULL) {
1218 		if (what & CRYPTO_SYMQ)
1219 			cap->cc_qblocked = 0;
1220 		if (what & CRYPTO_ASYMQ)
1221 			cap->cc_kqblocked = 0;
1222 		if (crp_sleep)
1223 			wakeup_one(&crp_q);
1224 		err = 0;
1225 	} else
1226 		err = EINVAL;
1227 	CRYPTO_Q_UNLOCK();
1228 
1229 	return err;
1230 }
1231 
1232 #ifdef INVARIANTS
1233 /* Various sanity checks on crypto requests. */
1234 static void
1235 crp_sanity(struct cryptop *crp)
1236 {
1237 	struct crypto_session_params *csp;
1238 
1239 	KASSERT(crp->crp_session != NULL, ("incoming crp without a session"));
1240 	KASSERT(crp->crp_ilen >= 0, ("incoming crp with -ve input length"));
1241 	KASSERT(crp->crp_etype == 0, ("incoming crp with error"));
1242 	KASSERT(!(crp->crp_flags & CRYPTO_F_DONE),
1243 	    ("incoming crp already done"));
1244 
1245 	csp = &crp->crp_session->csp;
1246 	switch (csp->csp_mode) {
1247 	case CSP_MODE_COMPRESS:
1248 		KASSERT(crp->crp_op == CRYPTO_OP_COMPRESS ||
1249 		    crp->crp_op == CRYPTO_OP_DECOMPRESS,
1250 		    ("invalid compression op %x", crp->crp_op));
1251 		break;
1252 	case CSP_MODE_CIPHER:
1253 		KASSERT(crp->crp_op == CRYPTO_OP_ENCRYPT ||
1254 		    crp->crp_op == CRYPTO_OP_DECRYPT,
1255 		    ("invalid cipher op %x", crp->crp_op));
1256 		break;
1257 	case CSP_MODE_DIGEST:
1258 		KASSERT(crp->crp_op == CRYPTO_OP_COMPUTE_DIGEST ||
1259 		    crp->crp_op == CRYPTO_OP_VERIFY_DIGEST,
1260 		    ("invalid digest op %x", crp->crp_op));
1261 		break;
1262 	case CSP_MODE_AEAD:
1263 		KASSERT(crp->crp_op ==
1264 		    (CRYPTO_OP_ENCRYPT | CRYPTO_OP_COMPUTE_DIGEST) ||
1265 		    crp->crp_op ==
1266 		    (CRYPTO_OP_DECRYPT | CRYPTO_OP_VERIFY_DIGEST),
1267 		    ("invalid AEAD op %x", crp->crp_op));
1268 		if (csp->csp_cipher_alg == CRYPTO_AES_NIST_GCM_16)
1269 			KASSERT(crp->crp_flags & CRYPTO_F_IV_SEPARATE,
1270 			    ("GCM without a separate IV"));
1271 		if (csp->csp_cipher_alg == CRYPTO_AES_CCM_16)
1272 			KASSERT(crp->crp_flags & CRYPTO_F_IV_SEPARATE,
1273 			    ("CCM without a separate IV"));
1274 		break;
1275 	case CSP_MODE_ETA:
1276 		KASSERT(crp->crp_op ==
1277 		    (CRYPTO_OP_ENCRYPT | CRYPTO_OP_COMPUTE_DIGEST) ||
1278 		    crp->crp_op ==
1279 		    (CRYPTO_OP_DECRYPT | CRYPTO_OP_VERIFY_DIGEST),
1280 		    ("invalid ETA op %x", crp->crp_op));
1281 		break;
1282 	}
1283 	KASSERT((crp->crp_flags & CRYPTO_F_IV_GENERATE) == 0 ||
1284 	    crp->crp_op == CRYPTO_OP_ENCRYPT ||
1285 	    crp->crp_op == (CRYPTO_OP_ENCRYPT | CRYPTO_OP_COMPUTE_DIGEST),
1286 	    ("IV_GENERATE set for non-encryption operation %x", crp->crp_op));
1287 	KASSERT((crp->crp_flags &
1288 	    (CRYPTO_F_IV_SEPARATE | CRYPTO_F_IV_GENERATE)) !=
1289 	    (CRYPTO_F_IV_SEPARATE | CRYPTO_F_IV_GENERATE),
1290 	    ("crp with both IV_SEPARATE and IV_GENERATE set"));
1291 	KASSERT(crp->crp_buf_type >= CRYPTO_BUF_CONTIG &&
1292 	    crp->crp_buf_type <= CRYPTO_BUF_MBUF,
1293 	    ("invalid crp buffer type %d", crp->crp_buf_type));
1294 	if (csp->csp_mode == CSP_MODE_AEAD || csp->csp_mode == CSP_MODE_ETA) {
1295 		KASSERT(crp->crp_aad_start == 0 ||
1296 		    crp->crp_aad_start < crp->crp_ilen,
1297 		    ("invalid AAD start"));
1298 		KASSERT(crp->crp_aad_length != 0 || crp->crp_aad_start == 0,
1299 		    ("AAD with zero length and non-zero start"));
1300 		KASSERT(crp->crp_aad_length == 0 ||
1301 		    crp->crp_aad_start + crp->crp_aad_length <= crp->crp_ilen,
1302 		    ("AAD outside input length"));
1303 	} else {
1304 		KASSERT(crp->crp_aad_start == 0 && crp->crp_aad_length == 0,
1305 		    ("AAD region in request not supporting AAD"));
1306 	}
1307 	if (csp->csp_ivlen == 0) {
1308 		KASSERT((crp->crp_flags &
1309 		    (CRYPTO_F_IV_SEPARATE | CRYPTO_F_IV_GENERATE)) == 0,
1310 		    ("IV_GENERATE or IV_SEPARATE set when IV isn't used"));
1311 		KASSERT(crp->crp_iv_start == 0,
1312 		    ("crp_iv_start set when IV isn't used"));
1313 	} else if (crp->crp_flags & CRYPTO_F_IV_SEPARATE) {
1314 		KASSERT(crp->crp_iv_start == 0,
1315 		    ("IV_SEPARATE used with non-zero IV start"));
1316 	} else {
1317 		KASSERT(crp->crp_iv_start < crp->crp_ilen,
1318 		    ("invalid IV start"));
1319 		KASSERT(crp->crp_iv_start + csp->csp_ivlen <= crp->crp_ilen,
1320 		    ("IV outside input length"));
1321 	}
1322 	KASSERT(crp->crp_payload_start == 0 ||
1323 	    crp->crp_payload_start < crp->crp_ilen,
1324 	    ("invalid payload start"));
1325 	KASSERT(crp->crp_payload_start + crp->crp_payload_length <=
1326 	    crp->crp_ilen, ("payload outside input length"));
1327 	if (csp->csp_mode == CSP_MODE_DIGEST ||
1328 	    csp->csp_mode == CSP_MODE_AEAD || csp->csp_mode == CSP_MODE_ETA) {
1329 		KASSERT(crp->crp_digest_start == 0 ||
1330 		    crp->crp_digest_start < crp->crp_ilen,
1331 		    ("invalid digest start"));
1332 		/* XXX: For the mlen == 0 case this check isn't perfect. */
1333 		KASSERT(crp->crp_digest_start + csp->csp_auth_mlen <=
1334 		    crp->crp_ilen,
1335 		    ("digest outside input length"));
1336 	} else {
1337 		KASSERT(crp->crp_digest_start == 0,
1338 		    ("non-zero digest start for request without a digest"));
1339 	}
1340 	if (csp->csp_cipher_klen != 0)
1341 		KASSERT(csp->csp_cipher_key != NULL ||
1342 		    crp->crp_cipher_key != NULL,
1343 		    ("cipher request without a key"));
1344 	if (csp->csp_auth_klen != 0)
1345 		KASSERT(csp->csp_auth_key != NULL || crp->crp_auth_key != NULL,
1346 		    ("auth request without a key"));
1347 	KASSERT(crp->crp_callback != NULL, ("incoming crp without callback"));
1348 }
1349 #endif
1350 
1351 /*
1352  * Add a crypto request to a queue, to be processed by the kernel thread.
1353  */
1354 int
1355 crypto_dispatch(struct cryptop *crp)
1356 {
1357 	struct cryptocap *cap;
1358 	int result;
1359 
1360 #ifdef INVARIANTS
1361 	crp_sanity(crp);
1362 #endif
1363 
1364 	/* TODO: Handle CRYPTO_F_IV_GENERATE so drivers don't have to. */
1365 
1366 	cryptostats.cs_ops++;
1367 
1368 #ifdef CRYPTO_TIMING
1369 	if (crypto_timing)
1370 		binuptime(&crp->crp_tstamp);
1371 #endif
1372 
1373 	crp->crp_retw_id = ((uintptr_t)crp->crp_session) % crypto_workers_num;
1374 
1375 	if (CRYPTOP_ASYNC(crp)) {
1376 		if (crp->crp_flags & CRYPTO_F_ASYNC_KEEPORDER) {
1377 			struct crypto_ret_worker *ret_worker;
1378 
1379 			ret_worker = CRYPTO_RETW(crp->crp_retw_id);
1380 
1381 			CRYPTO_RETW_LOCK(ret_worker);
1382 			crp->crp_seq = ret_worker->reorder_ops++;
1383 			CRYPTO_RETW_UNLOCK(ret_worker);
1384 		}
1385 
1386 		TASK_INIT(&crp->crp_task, 0, crypto_task_invoke, crp);
1387 		taskqueue_enqueue(crypto_tq, &crp->crp_task);
1388 		return (0);
1389 	}
1390 
1391 	if ((crp->crp_flags & CRYPTO_F_BATCH) == 0) {
1392 		/*
1393 		 * Caller marked the request to be processed
1394 		 * immediately; dispatch it directly to the
1395 		 * driver unless the driver is currently blocked.
1396 		 */
1397 		cap = crp->crp_session->cap;
1398 		if (!cap->cc_qblocked) {
1399 			result = crypto_invoke(cap, crp, 0);
1400 			if (result != ERESTART)
1401 				return (result);
1402 			/*
1403 			 * The driver ran out of resources, put the request on
1404 			 * the queue.
1405 			 */
1406 		}
1407 	}
1408 	crypto_batch_enqueue(crp);
1409 	return 0;
1410 }
1411 
1412 void
1413 crypto_batch_enqueue(struct cryptop *crp)
1414 {
1415 
1416 	CRYPTO_Q_LOCK();
1417 	TAILQ_INSERT_TAIL(&crp_q, crp, crp_next);
1418 	if (crp_sleep)
1419 		wakeup_one(&crp_q);
1420 	CRYPTO_Q_UNLOCK();
1421 }
1422 
1423 /*
1424  * Add an asymetric crypto request to a queue,
1425  * to be processed by the kernel thread.
1426  */
1427 int
1428 crypto_kdispatch(struct cryptkop *krp)
1429 {
1430 	int error;
1431 
1432 	cryptostats.cs_kops++;
1433 
1434 	krp->krp_cap = NULL;
1435 	error = crypto_kinvoke(krp);
1436 	if (error == ERESTART) {
1437 		CRYPTO_Q_LOCK();
1438 		TAILQ_INSERT_TAIL(&crp_kq, krp, krp_next);
1439 		if (crp_sleep)
1440 			wakeup_one(&crp_q);
1441 		CRYPTO_Q_UNLOCK();
1442 		error = 0;
1443 	}
1444 	return error;
1445 }
1446 
1447 /*
1448  * Verify a driver is suitable for the specified operation.
1449  */
1450 static __inline int
1451 kdriver_suitable(const struct cryptocap *cap, const struct cryptkop *krp)
1452 {
1453 	return (cap->cc_kalg[krp->krp_op] & CRYPTO_ALG_FLAG_SUPPORTED) != 0;
1454 }
1455 
1456 /*
1457  * Select a driver for an asym operation.  The driver must
1458  * support the necessary algorithm.  The caller can constrain
1459  * which device is selected with the flags parameter.  The
1460  * algorithm we use here is pretty stupid; just use the first
1461  * driver that supports the algorithms we need. If there are
1462  * multiple suitable drivers we choose the driver with the
1463  * fewest active operations.  We prefer hardware-backed
1464  * drivers to software ones when either may be used.
1465  */
1466 static struct cryptocap *
1467 crypto_select_kdriver(const struct cryptkop *krp, int flags)
1468 {
1469 	struct cryptocap *cap, *best;
1470 	int match, hid;
1471 
1472 	CRYPTO_DRIVER_ASSERT();
1473 
1474 	/*
1475 	 * Look first for hardware crypto devices if permitted.
1476 	 */
1477 	if (flags & CRYPTOCAP_F_HARDWARE)
1478 		match = CRYPTOCAP_F_HARDWARE;
1479 	else
1480 		match = CRYPTOCAP_F_SOFTWARE;
1481 	best = NULL;
1482 again:
1483 	for (hid = 0; hid < crypto_drivers_size; hid++) {
1484 		/*
1485 		 * If there is no driver for this slot, or the driver
1486 		 * is not appropriate (hardware or software based on
1487 		 * match), then skip.
1488 		 */
1489 		cap = crypto_drivers[hid];
1490 		if (cap->cc_dev == NULL ||
1491 		    (cap->cc_flags & match) == 0)
1492 			continue;
1493 
1494 		/* verify all the algorithms are supported. */
1495 		if (kdriver_suitable(cap, krp)) {
1496 			if (best == NULL ||
1497 			    cap->cc_koperations < best->cc_koperations)
1498 				best = cap;
1499 		}
1500 	}
1501 	if (best != NULL)
1502 		return best;
1503 	if (match == CRYPTOCAP_F_HARDWARE && (flags & CRYPTOCAP_F_SOFTWARE)) {
1504 		/* sort of an Algol 68-style for loop */
1505 		match = CRYPTOCAP_F_SOFTWARE;
1506 		goto again;
1507 	}
1508 	return best;
1509 }
1510 
1511 /*
1512  * Choose a driver for an asymmetric crypto request.
1513  */
1514 static struct cryptocap *
1515 crypto_lookup_kdriver(struct cryptkop *krp)
1516 {
1517 	struct cryptocap *cap;
1518 	uint32_t crid;
1519 
1520 	/* If this request is requeued, it might already have a driver. */
1521 	cap = krp->krp_cap;
1522 	if (cap != NULL)
1523 		return (cap);
1524 
1525 	/* Use krp_crid to choose a driver. */
1526 	crid = krp->krp_crid;
1527 	if ((crid & (CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE)) == 0) {
1528 		cap = crypto_checkdriver(crid);
1529 		if (cap != NULL) {
1530 			/*
1531 			 * Driver present, it must support the
1532 			 * necessary algorithm and, if s/w drivers are
1533 			 * excluded, it must be registered as
1534 			 * hardware-backed.
1535 			 */
1536 			if (!kdriver_suitable(cap, krp) ||
1537 			    (!crypto_devallowsoft &&
1538 			    (cap->cc_flags & CRYPTOCAP_F_HARDWARE) == 0))
1539 				cap = NULL;
1540 		}
1541 	} else {
1542 		/*
1543 		 * No requested driver; select based on crid flags.
1544 		 */
1545 		if (!crypto_devallowsoft)	/* NB: disallow s/w drivers */
1546 			crid &= ~CRYPTOCAP_F_SOFTWARE;
1547 		cap = crypto_select_kdriver(krp, crid);
1548 	}
1549 
1550 	if (cap != NULL) {
1551 		krp->krp_cap = cap_ref(cap);
1552 		krp->krp_hid = cap->cc_hid;
1553 	}
1554 	return (cap);
1555 }
1556 
1557 /*
1558  * Dispatch an asymmetric crypto request.
1559  */
1560 static int
1561 crypto_kinvoke(struct cryptkop *krp)
1562 {
1563 	struct cryptocap *cap = NULL;
1564 	int error;
1565 
1566 	KASSERT(krp != NULL, ("%s: krp == NULL", __func__));
1567 	KASSERT(krp->krp_callback != NULL,
1568 	    ("%s: krp->crp_callback == NULL", __func__));
1569 
1570 	CRYPTO_DRIVER_LOCK();
1571 	cap = crypto_lookup_kdriver(krp);
1572 	if (cap == NULL) {
1573 		CRYPTO_DRIVER_UNLOCK();
1574 		krp->krp_status = ENODEV;
1575 		crypto_kdone(krp);
1576 		return (0);
1577 	}
1578 
1579 	/*
1580 	 * If the device is blocked, return ERESTART to requeue it.
1581 	 */
1582 	if (cap->cc_kqblocked) {
1583 		/*
1584 		 * XXX: Previously this set krp_status to ERESTART and
1585 		 * invoked crypto_kdone but the caller would still
1586 		 * requeue it.
1587 		 */
1588 		CRYPTO_DRIVER_UNLOCK();
1589 		return (ERESTART);
1590 	}
1591 
1592 	cap->cc_koperations++;
1593 	CRYPTO_DRIVER_UNLOCK();
1594 	error = CRYPTODEV_KPROCESS(cap->cc_dev, krp, 0);
1595 	if (error == ERESTART) {
1596 		CRYPTO_DRIVER_LOCK();
1597 		cap->cc_koperations--;
1598 		CRYPTO_DRIVER_UNLOCK();
1599 		return (error);
1600 	}
1601 
1602 	KASSERT(error == 0, ("error %d returned from crypto_kprocess", error));
1603 	return (0);
1604 }
1605 
1606 #ifdef CRYPTO_TIMING
1607 static void
1608 crypto_tstat(struct cryptotstat *ts, struct bintime *bt)
1609 {
1610 	struct bintime now, delta;
1611 	struct timespec t;
1612 	uint64_t u;
1613 
1614 	binuptime(&now);
1615 	u = now.frac;
1616 	delta.frac = now.frac - bt->frac;
1617 	delta.sec = now.sec - bt->sec;
1618 	if (u < delta.frac)
1619 		delta.sec--;
1620 	bintime2timespec(&delta, &t);
1621 	timespecadd(&ts->acc, &t, &ts->acc);
1622 	if (timespeccmp(&t, &ts->min, <))
1623 		ts->min = t;
1624 	if (timespeccmp(&t, &ts->max, >))
1625 		ts->max = t;
1626 	ts->count++;
1627 
1628 	*bt = now;
1629 }
1630 #endif
1631 
1632 static void
1633 crypto_task_invoke(void *ctx, int pending)
1634 {
1635 	struct cryptocap *cap;
1636 	struct cryptop *crp;
1637 	int result;
1638 
1639 	crp = (struct cryptop *)ctx;
1640 	cap = crp->crp_session->cap;
1641 	result = crypto_invoke(cap, crp, 0);
1642 	if (result == ERESTART)
1643 		crypto_batch_enqueue(crp);
1644 }
1645 
1646 /*
1647  * Dispatch a crypto request to the appropriate crypto devices.
1648  */
1649 static int
1650 crypto_invoke(struct cryptocap *cap, struct cryptop *crp, int hint)
1651 {
1652 
1653 	KASSERT(crp != NULL, ("%s: crp == NULL", __func__));
1654 	KASSERT(crp->crp_callback != NULL,
1655 	    ("%s: crp->crp_callback == NULL", __func__));
1656 	KASSERT(crp->crp_session != NULL,
1657 	    ("%s: crp->crp_session == NULL", __func__));
1658 
1659 #ifdef CRYPTO_TIMING
1660 	if (crypto_timing)
1661 		crypto_tstat(&cryptostats.cs_invoke, &crp->crp_tstamp);
1662 #endif
1663 	if (cap->cc_flags & CRYPTOCAP_F_CLEANUP) {
1664 		struct crypto_session_params csp;
1665 		crypto_session_t nses;
1666 
1667 		/*
1668 		 * Driver has unregistered; migrate the session and return
1669 		 * an error to the caller so they'll resubmit the op.
1670 		 *
1671 		 * XXX: What if there are more already queued requests for this
1672 		 *      session?
1673 		 *
1674 		 * XXX: Real solution is to make sessions refcounted
1675 		 * and force callers to hold a reference when
1676 		 * assigning to crp_session.  Could maybe change
1677 		 * crypto_getreq to accept a session pointer to make
1678 		 * that work.  Alternatively, we could abandon the
1679 		 * notion of rewriting crp_session in requests forcing
1680 		 * the caller to deal with allocating a new session.
1681 		 * Perhaps provide a method to allow a crp's session to
1682 		 * be swapped that callers could use.
1683 		 */
1684 		csp = crp->crp_session->csp;
1685 		crypto_freesession(crp->crp_session);
1686 
1687 		/*
1688 		 * XXX: Key pointers may no longer be valid.  If we
1689 		 * really want to support this we need to define the
1690 		 * KPI such that 'csp' is required to be valid for the
1691 		 * duration of a session by the caller perhaps.
1692 		 *
1693 		 * XXX: If the keys have been changed this will reuse
1694 		 * the old keys.  This probably suggests making
1695 		 * rekeying more explicit and updating the key
1696 		 * pointers in 'csp' when the keys change.
1697 		 */
1698 		if (crypto_newsession(&nses, &csp,
1699 		    CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE) == 0)
1700 			crp->crp_session = nses;
1701 
1702 		crp->crp_etype = EAGAIN;
1703 		crypto_done(crp);
1704 		return 0;
1705 	} else {
1706 		/*
1707 		 * Invoke the driver to process the request.
1708 		 */
1709 		return CRYPTODEV_PROCESS(cap->cc_dev, crp, hint);
1710 	}
1711 }
1712 
1713 void
1714 crypto_freereq(struct cryptop *crp)
1715 {
1716 
1717 	if (crp == NULL)
1718 		return;
1719 
1720 #ifdef DIAGNOSTIC
1721 	{
1722 		struct cryptop *crp2;
1723 		struct crypto_ret_worker *ret_worker;
1724 
1725 		CRYPTO_Q_LOCK();
1726 		TAILQ_FOREACH(crp2, &crp_q, crp_next) {
1727 			KASSERT(crp2 != crp,
1728 			    ("Freeing cryptop from the crypto queue (%p).",
1729 			    crp));
1730 		}
1731 		CRYPTO_Q_UNLOCK();
1732 
1733 		FOREACH_CRYPTO_RETW(ret_worker) {
1734 			CRYPTO_RETW_LOCK(ret_worker);
1735 			TAILQ_FOREACH(crp2, &ret_worker->crp_ret_q, crp_next) {
1736 				KASSERT(crp2 != crp,
1737 				    ("Freeing cryptop from the return queue (%p).",
1738 				    crp));
1739 			}
1740 			CRYPTO_RETW_UNLOCK(ret_worker);
1741 		}
1742 	}
1743 #endif
1744 
1745 	uma_zfree(cryptop_zone, crp);
1746 }
1747 
1748 struct cryptop *
1749 crypto_getreq(crypto_session_t cses, int how)
1750 {
1751 	struct cryptop *crp;
1752 
1753 	MPASS(how == M_WAITOK || how == M_NOWAIT);
1754 	crp = uma_zalloc(cryptop_zone, how | M_ZERO);
1755 	crp->crp_session = cses;
1756 	return (crp);
1757 }
1758 
1759 /*
1760  * Invoke the callback on behalf of the driver.
1761  */
1762 void
1763 crypto_done(struct cryptop *crp)
1764 {
1765 	KASSERT((crp->crp_flags & CRYPTO_F_DONE) == 0,
1766 		("crypto_done: op already done, flags 0x%x", crp->crp_flags));
1767 	crp->crp_flags |= CRYPTO_F_DONE;
1768 	if (crp->crp_etype != 0)
1769 		cryptostats.cs_errs++;
1770 #ifdef CRYPTO_TIMING
1771 	if (crypto_timing)
1772 		crypto_tstat(&cryptostats.cs_done, &crp->crp_tstamp);
1773 #endif
1774 	/*
1775 	 * CBIMM means unconditionally do the callback immediately;
1776 	 * CBIFSYNC means do the callback immediately only if the
1777 	 * operation was done synchronously.  Both are used to avoid
1778 	 * doing extraneous context switches; the latter is mostly
1779 	 * used with the software crypto driver.
1780 	 */
1781 	if (!CRYPTOP_ASYNC_KEEPORDER(crp) &&
1782 	    ((crp->crp_flags & CRYPTO_F_CBIMM) ||
1783 	    ((crp->crp_flags & CRYPTO_F_CBIFSYNC) &&
1784 	     (crypto_ses2caps(crp->crp_session) & CRYPTOCAP_F_SYNC)))) {
1785 		/*
1786 		 * Do the callback directly.  This is ok when the
1787 		 * callback routine does very little (e.g. the
1788 		 * /dev/crypto callback method just does a wakeup).
1789 		 */
1790 #ifdef CRYPTO_TIMING
1791 		if (crypto_timing) {
1792 			/*
1793 			 * NB: We must copy the timestamp before
1794 			 * doing the callback as the cryptop is
1795 			 * likely to be reclaimed.
1796 			 */
1797 			struct bintime t = crp->crp_tstamp;
1798 			crypto_tstat(&cryptostats.cs_cb, &t);
1799 			crp->crp_callback(crp);
1800 			crypto_tstat(&cryptostats.cs_finis, &t);
1801 		} else
1802 #endif
1803 			crp->crp_callback(crp);
1804 	} else {
1805 		struct crypto_ret_worker *ret_worker;
1806 		bool wake;
1807 
1808 		ret_worker = CRYPTO_RETW(crp->crp_retw_id);
1809 		wake = false;
1810 
1811 		/*
1812 		 * Normal case; queue the callback for the thread.
1813 		 */
1814 		CRYPTO_RETW_LOCK(ret_worker);
1815 		if (CRYPTOP_ASYNC_KEEPORDER(crp)) {
1816 			struct cryptop *tmp;
1817 
1818 			TAILQ_FOREACH_REVERSE(tmp, &ret_worker->crp_ordered_ret_q,
1819 					cryptop_q, crp_next) {
1820 				if (CRYPTO_SEQ_GT(crp->crp_seq, tmp->crp_seq)) {
1821 					TAILQ_INSERT_AFTER(&ret_worker->crp_ordered_ret_q,
1822 							tmp, crp, crp_next);
1823 					break;
1824 				}
1825 			}
1826 			if (tmp == NULL) {
1827 				TAILQ_INSERT_HEAD(&ret_worker->crp_ordered_ret_q,
1828 						crp, crp_next);
1829 			}
1830 
1831 			if (crp->crp_seq == ret_worker->reorder_cur_seq)
1832 				wake = true;
1833 		}
1834 		else {
1835 			if (CRYPTO_RETW_EMPTY(ret_worker))
1836 				wake = true;
1837 
1838 			TAILQ_INSERT_TAIL(&ret_worker->crp_ret_q, crp, crp_next);
1839 		}
1840 
1841 		if (wake)
1842 			wakeup_one(&ret_worker->crp_ret_q);	/* shared wait channel */
1843 		CRYPTO_RETW_UNLOCK(ret_worker);
1844 	}
1845 }
1846 
1847 /*
1848  * Invoke the callback on behalf of the driver.
1849  */
1850 void
1851 crypto_kdone(struct cryptkop *krp)
1852 {
1853 	struct crypto_ret_worker *ret_worker;
1854 	struct cryptocap *cap;
1855 
1856 	if (krp->krp_status != 0)
1857 		cryptostats.cs_kerrs++;
1858 	CRYPTO_DRIVER_LOCK();
1859 	cap = krp->krp_cap;
1860 	KASSERT(cap->cc_koperations > 0, ("cc_koperations == 0"));
1861 	cap->cc_koperations--;
1862 	if (cap->cc_koperations == 0 && cap->cc_flags & CRYPTOCAP_F_CLEANUP)
1863 		wakeup(cap);
1864 	CRYPTO_DRIVER_UNLOCK();
1865 	krp->krp_cap = NULL;
1866 	cap_rele(cap);
1867 
1868 	ret_worker = CRYPTO_RETW(0);
1869 
1870 	CRYPTO_RETW_LOCK(ret_worker);
1871 	if (CRYPTO_RETW_EMPTY(ret_worker))
1872 		wakeup_one(&ret_worker->crp_ret_q);		/* shared wait channel */
1873 	TAILQ_INSERT_TAIL(&ret_worker->crp_ret_kq, krp, krp_next);
1874 	CRYPTO_RETW_UNLOCK(ret_worker);
1875 }
1876 
1877 int
1878 crypto_getfeat(int *featp)
1879 {
1880 	int hid, kalg, feat = 0;
1881 
1882 	CRYPTO_DRIVER_LOCK();
1883 	for (hid = 0; hid < crypto_drivers_size; hid++) {
1884 		const struct cryptocap *cap = crypto_drivers[hid];
1885 
1886 		if (cap == NULL ||
1887 		    ((cap->cc_flags & CRYPTOCAP_F_SOFTWARE) &&
1888 		    !crypto_devallowsoft)) {
1889 			continue;
1890 		}
1891 		for (kalg = 0; kalg < CRK_ALGORITHM_MAX; kalg++)
1892 			if (cap->cc_kalg[kalg] & CRYPTO_ALG_FLAG_SUPPORTED)
1893 				feat |=  1 << kalg;
1894 	}
1895 	CRYPTO_DRIVER_UNLOCK();
1896 	*featp = feat;
1897 	return (0);
1898 }
1899 
1900 /*
1901  * Terminate a thread at module unload.  The process that
1902  * initiated this is waiting for us to signal that we're gone;
1903  * wake it up and exit.  We use the driver table lock to insure
1904  * we don't do the wakeup before they're waiting.  There is no
1905  * race here because the waiter sleeps on the proc lock for the
1906  * thread so it gets notified at the right time because of an
1907  * extra wakeup that's done in exit1().
1908  */
1909 static void
1910 crypto_finis(void *chan)
1911 {
1912 	CRYPTO_DRIVER_LOCK();
1913 	wakeup_one(chan);
1914 	CRYPTO_DRIVER_UNLOCK();
1915 	kproc_exit(0);
1916 }
1917 
1918 /*
1919  * Crypto thread, dispatches crypto requests.
1920  */
1921 static void
1922 crypto_proc(void)
1923 {
1924 	struct cryptop *crp, *submit;
1925 	struct cryptkop *krp;
1926 	struct cryptocap *cap;
1927 	int result, hint;
1928 
1929 #if defined(__i386__) || defined(__amd64__) || defined(__aarch64__)
1930 	fpu_kern_thread(FPU_KERN_NORMAL);
1931 #endif
1932 
1933 	CRYPTO_Q_LOCK();
1934 	for (;;) {
1935 		/*
1936 		 * Find the first element in the queue that can be
1937 		 * processed and look-ahead to see if multiple ops
1938 		 * are ready for the same driver.
1939 		 */
1940 		submit = NULL;
1941 		hint = 0;
1942 		TAILQ_FOREACH(crp, &crp_q, crp_next) {
1943 			cap = crp->crp_session->cap;
1944 			/*
1945 			 * Driver cannot disappeared when there is an active
1946 			 * session.
1947 			 */
1948 			KASSERT(cap != NULL, ("%s:%u Driver disappeared.",
1949 			    __func__, __LINE__));
1950 			if (cap->cc_flags & CRYPTOCAP_F_CLEANUP) {
1951 				/* Op needs to be migrated, process it. */
1952 				if (submit == NULL)
1953 					submit = crp;
1954 				break;
1955 			}
1956 			if (!cap->cc_qblocked) {
1957 				if (submit != NULL) {
1958 					/*
1959 					 * We stop on finding another op,
1960 					 * regardless whether its for the same
1961 					 * driver or not.  We could keep
1962 					 * searching the queue but it might be
1963 					 * better to just use a per-driver
1964 					 * queue instead.
1965 					 */
1966 					if (submit->crp_session->cap == cap)
1967 						hint = CRYPTO_HINT_MORE;
1968 					break;
1969 				} else {
1970 					submit = crp;
1971 					if ((submit->crp_flags & CRYPTO_F_BATCH) == 0)
1972 						break;
1973 					/* keep scanning for more are q'd */
1974 				}
1975 			}
1976 		}
1977 		if (submit != NULL) {
1978 			TAILQ_REMOVE(&crp_q, submit, crp_next);
1979 			cap = submit->crp_session->cap;
1980 			KASSERT(cap != NULL, ("%s:%u Driver disappeared.",
1981 			    __func__, __LINE__));
1982 			CRYPTO_Q_UNLOCK();
1983 			result = crypto_invoke(cap, submit, hint);
1984 			CRYPTO_Q_LOCK();
1985 			if (result == ERESTART) {
1986 				/*
1987 				 * The driver ran out of resources, mark the
1988 				 * driver ``blocked'' for cryptop's and put
1989 				 * the request back in the queue.  It would
1990 				 * best to put the request back where we got
1991 				 * it but that's hard so for now we put it
1992 				 * at the front.  This should be ok; putting
1993 				 * it at the end does not work.
1994 				 */
1995 				cap->cc_qblocked = 1;
1996 				TAILQ_INSERT_HEAD(&crp_q, submit, crp_next);
1997 				cryptostats.cs_blocks++;
1998 			}
1999 		}
2000 
2001 		/* As above, but for key ops */
2002 		TAILQ_FOREACH(krp, &crp_kq, krp_next) {
2003 			cap = krp->krp_cap;
2004 			if (cap->cc_flags & CRYPTOCAP_F_CLEANUP) {
2005 				/*
2006 				 * Operation needs to be migrated,
2007 				 * clear krp_cap so a new driver is
2008 				 * selected.
2009 				 */
2010 				krp->krp_cap = NULL;
2011 				cap_rele(cap);
2012 				break;
2013 			}
2014 			if (!cap->cc_kqblocked)
2015 				break;
2016 		}
2017 		if (krp != NULL) {
2018 			TAILQ_REMOVE(&crp_kq, krp, krp_next);
2019 			CRYPTO_Q_UNLOCK();
2020 			result = crypto_kinvoke(krp);
2021 			CRYPTO_Q_LOCK();
2022 			if (result == ERESTART) {
2023 				/*
2024 				 * The driver ran out of resources, mark the
2025 				 * driver ``blocked'' for cryptkop's and put
2026 				 * the request back in the queue.  It would
2027 				 * best to put the request back where we got
2028 				 * it but that's hard so for now we put it
2029 				 * at the front.  This should be ok; putting
2030 				 * it at the end does not work.
2031 				 */
2032 				krp->krp_cap->cc_kqblocked = 1;
2033 				TAILQ_INSERT_HEAD(&crp_kq, krp, krp_next);
2034 				cryptostats.cs_kblocks++;
2035 			}
2036 		}
2037 
2038 		if (submit == NULL && krp == NULL) {
2039 			/*
2040 			 * Nothing more to be processed.  Sleep until we're
2041 			 * woken because there are more ops to process.
2042 			 * This happens either by submission or by a driver
2043 			 * becoming unblocked and notifying us through
2044 			 * crypto_unblock.  Note that when we wakeup we
2045 			 * start processing each queue again from the
2046 			 * front. It's not clear that it's important to
2047 			 * preserve this ordering since ops may finish
2048 			 * out of order if dispatched to different devices
2049 			 * and some become blocked while others do not.
2050 			 */
2051 			crp_sleep = 1;
2052 			msleep(&crp_q, &crypto_q_mtx, PWAIT, "crypto_wait", 0);
2053 			crp_sleep = 0;
2054 			if (cryptoproc == NULL)
2055 				break;
2056 			cryptostats.cs_intrs++;
2057 		}
2058 	}
2059 	CRYPTO_Q_UNLOCK();
2060 
2061 	crypto_finis(&crp_q);
2062 }
2063 
2064 /*
2065  * Crypto returns thread, does callbacks for processed crypto requests.
2066  * Callbacks are done here, rather than in the crypto drivers, because
2067  * callbacks typically are expensive and would slow interrupt handling.
2068  */
2069 static void
2070 crypto_ret_proc(struct crypto_ret_worker *ret_worker)
2071 {
2072 	struct cryptop *crpt;
2073 	struct cryptkop *krpt;
2074 
2075 	CRYPTO_RETW_LOCK(ret_worker);
2076 	for (;;) {
2077 		/* Harvest return q's for completed ops */
2078 		crpt = TAILQ_FIRST(&ret_worker->crp_ordered_ret_q);
2079 		if (crpt != NULL) {
2080 			if (crpt->crp_seq == ret_worker->reorder_cur_seq) {
2081 				TAILQ_REMOVE(&ret_worker->crp_ordered_ret_q, crpt, crp_next);
2082 				ret_worker->reorder_cur_seq++;
2083 			} else {
2084 				crpt = NULL;
2085 			}
2086 		}
2087 
2088 		if (crpt == NULL) {
2089 			crpt = TAILQ_FIRST(&ret_worker->crp_ret_q);
2090 			if (crpt != NULL)
2091 				TAILQ_REMOVE(&ret_worker->crp_ret_q, crpt, crp_next);
2092 		}
2093 
2094 		krpt = TAILQ_FIRST(&ret_worker->crp_ret_kq);
2095 		if (krpt != NULL)
2096 			TAILQ_REMOVE(&ret_worker->crp_ret_kq, krpt, krp_next);
2097 
2098 		if (crpt != NULL || krpt != NULL) {
2099 			CRYPTO_RETW_UNLOCK(ret_worker);
2100 			/*
2101 			 * Run callbacks unlocked.
2102 			 */
2103 			if (crpt != NULL) {
2104 #ifdef CRYPTO_TIMING
2105 				if (crypto_timing) {
2106 					/*
2107 					 * NB: We must copy the timestamp before
2108 					 * doing the callback as the cryptop is
2109 					 * likely to be reclaimed.
2110 					 */
2111 					struct bintime t = crpt->crp_tstamp;
2112 					crypto_tstat(&cryptostats.cs_cb, &t);
2113 					crpt->crp_callback(crpt);
2114 					crypto_tstat(&cryptostats.cs_finis, &t);
2115 				} else
2116 #endif
2117 					crpt->crp_callback(crpt);
2118 			}
2119 			if (krpt != NULL)
2120 				krpt->krp_callback(krpt);
2121 			CRYPTO_RETW_LOCK(ret_worker);
2122 		} else {
2123 			/*
2124 			 * Nothing more to be processed.  Sleep until we're
2125 			 * woken because there are more returns to process.
2126 			 */
2127 			msleep(&ret_worker->crp_ret_q, &ret_worker->crypto_ret_mtx, PWAIT,
2128 				"crypto_ret_wait", 0);
2129 			if (ret_worker->cryptoretproc == NULL)
2130 				break;
2131 			cryptostats.cs_rets++;
2132 		}
2133 	}
2134 	CRYPTO_RETW_UNLOCK(ret_worker);
2135 
2136 	crypto_finis(&ret_worker->crp_ret_q);
2137 }
2138 
2139 #ifdef DDB
2140 static void
2141 db_show_drivers(void)
2142 {
2143 	int hid;
2144 
2145 	db_printf("%12s %4s %4s %8s %2s %2s\n"
2146 		, "Device"
2147 		, "Ses"
2148 		, "Kops"
2149 		, "Flags"
2150 		, "QB"
2151 		, "KB"
2152 	);
2153 	for (hid = 0; hid < crypto_drivers_size; hid++) {
2154 		const struct cryptocap *cap = crypto_drivers[hid];
2155 		if (cap == NULL)
2156 			continue;
2157 		db_printf("%-12s %4u %4u %08x %2u %2u\n"
2158 		    , device_get_nameunit(cap->cc_dev)
2159 		    , cap->cc_sessions
2160 		    , cap->cc_koperations
2161 		    , cap->cc_flags
2162 		    , cap->cc_qblocked
2163 		    , cap->cc_kqblocked
2164 		);
2165 	}
2166 }
2167 
2168 DB_SHOW_COMMAND(crypto, db_show_crypto)
2169 {
2170 	struct cryptop *crp;
2171 	struct crypto_ret_worker *ret_worker;
2172 
2173 	db_show_drivers();
2174 	db_printf("\n");
2175 
2176 	db_printf("%4s %8s %4s %4s %4s %4s %8s %8s\n",
2177 	    "HID", "Caps", "Ilen", "Olen", "Etype", "Flags",
2178 	    "Device", "Callback");
2179 	TAILQ_FOREACH(crp, &crp_q, crp_next) {
2180 		db_printf("%4u %08x %4u %4u %4u %04x %8p %8p\n"
2181 		    , crp->crp_session->cap->cc_hid
2182 		    , (int) crypto_ses2caps(crp->crp_session)
2183 		    , crp->crp_ilen, crp->crp_olen
2184 		    , crp->crp_etype
2185 		    , crp->crp_flags
2186 		    , device_get_nameunit(crp->crp_session->cap->cc_dev)
2187 		    , crp->crp_callback
2188 		);
2189 	}
2190 	FOREACH_CRYPTO_RETW(ret_worker) {
2191 		db_printf("\n%8s %4s %4s %4s %8s\n",
2192 		    "ret_worker", "HID", "Etype", "Flags", "Callback");
2193 		if (!TAILQ_EMPTY(&ret_worker->crp_ret_q)) {
2194 			TAILQ_FOREACH(crp, &ret_worker->crp_ret_q, crp_next) {
2195 				db_printf("%8td %4u %4u %04x %8p\n"
2196 				    , CRYPTO_RETW_ID(ret_worker)
2197 				    , crp->crp_session->cap->cc_hid
2198 				    , crp->crp_etype
2199 				    , crp->crp_flags
2200 				    , crp->crp_callback
2201 				);
2202 			}
2203 		}
2204 	}
2205 }
2206 
2207 DB_SHOW_COMMAND(kcrypto, db_show_kcrypto)
2208 {
2209 	struct cryptkop *krp;
2210 	struct crypto_ret_worker *ret_worker;
2211 
2212 	db_show_drivers();
2213 	db_printf("\n");
2214 
2215 	db_printf("%4s %5s %4s %4s %8s %4s %8s\n",
2216 	    "Op", "Status", "#IP", "#OP", "CRID", "HID", "Callback");
2217 	TAILQ_FOREACH(krp, &crp_kq, krp_next) {
2218 		db_printf("%4u %5u %4u %4u %08x %4u %8p\n"
2219 		    , krp->krp_op
2220 		    , krp->krp_status
2221 		    , krp->krp_iparams, krp->krp_oparams
2222 		    , krp->krp_crid, krp->krp_hid
2223 		    , krp->krp_callback
2224 		);
2225 	}
2226 
2227 	ret_worker = CRYPTO_RETW(0);
2228 	if (!TAILQ_EMPTY(&ret_worker->crp_ret_q)) {
2229 		db_printf("%4s %5s %8s %4s %8s\n",
2230 		    "Op", "Status", "CRID", "HID", "Callback");
2231 		TAILQ_FOREACH(krp, &ret_worker->crp_ret_kq, krp_next) {
2232 			db_printf("%4u %5u %08x %4u %8p\n"
2233 			    , krp->krp_op
2234 			    , krp->krp_status
2235 			    , krp->krp_crid, krp->krp_hid
2236 			    , krp->krp_callback
2237 			);
2238 		}
2239 	}
2240 }
2241 #endif
2242 
2243 int crypto_modevent(module_t mod, int type, void *unused);
2244 
2245 /*
2246  * Initialization code, both for static and dynamic loading.
2247  * Note this is not invoked with the usual MODULE_DECLARE
2248  * mechanism but instead is listed as a dependency by the
2249  * cryptosoft driver.  This guarantees proper ordering of
2250  * calls on module load/unload.
2251  */
2252 int
2253 crypto_modevent(module_t mod, int type, void *unused)
2254 {
2255 	int error = EINVAL;
2256 
2257 	switch (type) {
2258 	case MOD_LOAD:
2259 		error = crypto_init();
2260 		if (error == 0 && bootverbose)
2261 			printf("crypto: <crypto core>\n");
2262 		break;
2263 	case MOD_UNLOAD:
2264 		/*XXX disallow if active sessions */
2265 		error = 0;
2266 		crypto_destroy();
2267 		return 0;
2268 	}
2269 	return error;
2270 }
2271 MODULE_VERSION(crypto, 1);
2272 MODULE_DEPEND(crypto, zlib, 1, 1, 1);
2273