xref: /freebsd/sys/opencrypto/cryptodev.c (revision ec0ea6efa1ad229d75c394c1a9b9cac33af2b1d3)
1 /*	$OpenBSD: cryptodev.c,v 1.52 2002/06/19 07:22:46 deraadt Exp $	*/
2 
3 /*-
4  * Copyright (c) 2001 Theo de Raadt
5  * Copyright (c) 2002-2006 Sam Leffler, Errno Consulting
6  * Copyright (c) 2014-2021 The FreeBSD Foundation
7  * All rights reserved.
8  *
9  * Portions of this software were developed by John-Mark Gurney
10  * under sponsorship of the FreeBSD Foundation and
11  * Rubicon Communications, LLC (Netgate).
12  *
13  * Portions of this software were developed by Ararat River
14  * Consulting, LLC under sponsorship of the FreeBSD Foundation.
15  *
16  * Redistribution and use in source and binary forms, with or without
17  * modification, are permitted provided that the following conditions
18  * are met:
19  *
20  * 1. Redistributions of source code must retain the above copyright
21  *   notice, this list of conditions and the following disclaimer.
22  * 2. Redistributions in binary form must reproduce the above copyright
23  *   notice, this list of conditions and the following disclaimer in the
24  *   documentation and/or other materials provided with the distribution.
25  * 3. The name of the author may not be used to endorse or promote products
26  *   derived from this software without specific prior written permission.
27  *
28  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
29  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
30  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
31  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
32  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
33  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
34  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
35  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
36  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38  *
39  * Effort sponsored in part by the Defense Advanced Research Projects
40  * Agency (DARPA) and Air Force Research Laboratory, Air Force
41  * Materiel Command, USAF, under agreement number F30602-01-2-0537.
42  */
43 
44 #include <sys/cdefs.h>
45 __FBSDID("$FreeBSD$");
46 
47 #include <sys/param.h>
48 #include <sys/systm.h>
49 #include <sys/malloc.h>
50 #include <sys/mbuf.h>
51 #include <sys/lock.h>
52 #include <sys/mutex.h>
53 #include <sys/proc.h>
54 #include <sys/sysctl.h>
55 #include <sys/errno.h>
56 #include <sys/random.h>
57 #include <sys/conf.h>
58 #include <sys/kernel.h>
59 #include <sys/module.h>
60 #include <sys/fcntl.h>
61 #include <sys/bus.h>
62 #include <sys/sdt.h>
63 #include <sys/syscallsubr.h>
64 
65 #include <opencrypto/cryptodev.h>
66 #include <opencrypto/xform.h>
67 
68 SDT_PROVIDER_DECLARE(opencrypto);
69 
70 SDT_PROBE_DEFINE1(opencrypto, dev, ioctl, error, "int"/*line number*/);
71 
72 #ifdef COMPAT_FREEBSD12
73 /*
74  * Previously, most ioctls were performed against a cloned descriptor
75  * of /dev/crypto obtained via CRIOGET.  Now all ioctls are performed
76  * against /dev/crypto directly.
77  */
78 #define	CRIOGET		_IOWR('c', 100, uint32_t)
79 #endif
80 
81 /* the following are done against the cloned descriptor */
82 
83 #ifdef COMPAT_FREEBSD32
84 #include <sys/mount.h>
85 #include <compat/freebsd32/freebsd32.h>
86 
87 struct session_op32 {
88 	uint32_t	cipher;
89 	uint32_t	mac;
90 	uint32_t	keylen;
91 	uint32_t	key;
92 	int		mackeylen;
93 	uint32_t	mackey;
94 	uint32_t	ses;
95 };
96 
97 struct session2_op32 {
98 	uint32_t	cipher;
99 	uint32_t	mac;
100 	uint32_t	keylen;
101 	uint32_t	key;
102 	int		mackeylen;
103 	uint32_t	mackey;
104 	uint32_t	ses;
105 	int		crid;
106 	int		ivlen;
107 	int		maclen;
108 	int		pad[2];
109 };
110 
111 struct crypt_op32 {
112 	uint32_t	ses;
113 	uint16_t	op;
114 	uint16_t	flags;
115 	u_int		len;
116 	uint32_t	src, dst;
117 	uint32_t	mac;
118 	uint32_t	iv;
119 };
120 
121 struct crypt_aead32 {
122 	uint32_t	ses;
123 	uint16_t	op;
124 	uint16_t	flags;
125 	u_int		len;
126 	u_int		aadlen;
127 	u_int		ivlen;
128 	uint32_t	src;
129 	uint32_t	dst;
130 	uint32_t	aad;
131 	uint32_t	tag;
132 	uint32_t	iv;
133 };
134 
135 #define	CIOCGSESSION32	_IOWR('c', 101, struct session_op32)
136 #define	CIOCCRYPT32	_IOWR('c', 103, struct crypt_op32)
137 #define	CIOCGSESSION232	_IOWR('c', 106, struct session2_op32)
138 #define	CIOCCRYPTAEAD32	_IOWR('c', 109, struct crypt_aead32)
139 
140 static void
141 session_op_from_32(const struct session_op32 *from, struct session2_op *to)
142 {
143 
144 	memset(to, 0, sizeof(*to));
145 	CP(*from, *to, cipher);
146 	CP(*from, *to, mac);
147 	CP(*from, *to, keylen);
148 	PTRIN_CP(*from, *to, key);
149 	CP(*from, *to, mackeylen);
150 	PTRIN_CP(*from, *to, mackey);
151 	CP(*from, *to, ses);
152 	to->crid = CRYPTOCAP_F_HARDWARE;
153 }
154 
155 static void
156 session2_op_from_32(const struct session2_op32 *from, struct session2_op *to)
157 {
158 
159 	session_op_from_32((const struct session_op32 *)from, to);
160 	CP(*from, *to, crid);
161 	CP(*from, *to, ivlen);
162 	CP(*from, *to, maclen);
163 }
164 
165 static void
166 session_op_to_32(const struct session2_op *from, struct session_op32 *to)
167 {
168 
169 	CP(*from, *to, cipher);
170 	CP(*from, *to, mac);
171 	CP(*from, *to, keylen);
172 	PTROUT_CP(*from, *to, key);
173 	CP(*from, *to, mackeylen);
174 	PTROUT_CP(*from, *to, mackey);
175 	CP(*from, *to, ses);
176 }
177 
178 static void
179 session2_op_to_32(const struct session2_op *from, struct session2_op32 *to)
180 {
181 
182 	session_op_to_32(from, (struct session_op32 *)to);
183 	CP(*from, *to, crid);
184 }
185 
186 static void
187 crypt_op_from_32(const struct crypt_op32 *from, struct crypt_op *to)
188 {
189 
190 	CP(*from, *to, ses);
191 	CP(*from, *to, op);
192 	CP(*from, *to, flags);
193 	CP(*from, *to, len);
194 	PTRIN_CP(*from, *to, src);
195 	PTRIN_CP(*from, *to, dst);
196 	PTRIN_CP(*from, *to, mac);
197 	PTRIN_CP(*from, *to, iv);
198 }
199 
200 static void
201 crypt_op_to_32(const struct crypt_op *from, struct crypt_op32 *to)
202 {
203 
204 	CP(*from, *to, ses);
205 	CP(*from, *to, op);
206 	CP(*from, *to, flags);
207 	CP(*from, *to, len);
208 	PTROUT_CP(*from, *to, src);
209 	PTROUT_CP(*from, *to, dst);
210 	PTROUT_CP(*from, *to, mac);
211 	PTROUT_CP(*from, *to, iv);
212 }
213 
214 static void
215 crypt_aead_from_32(const struct crypt_aead32 *from, struct crypt_aead *to)
216 {
217 
218 	CP(*from, *to, ses);
219 	CP(*from, *to, op);
220 	CP(*from, *to, flags);
221 	CP(*from, *to, len);
222 	CP(*from, *to, aadlen);
223 	CP(*from, *to, ivlen);
224 	PTRIN_CP(*from, *to, src);
225 	PTRIN_CP(*from, *to, dst);
226 	PTRIN_CP(*from, *to, aad);
227 	PTRIN_CP(*from, *to, tag);
228 	PTRIN_CP(*from, *to, iv);
229 }
230 
231 static void
232 crypt_aead_to_32(const struct crypt_aead *from, struct crypt_aead32 *to)
233 {
234 
235 	CP(*from, *to, ses);
236 	CP(*from, *to, op);
237 	CP(*from, *to, flags);
238 	CP(*from, *to, len);
239 	CP(*from, *to, aadlen);
240 	CP(*from, *to, ivlen);
241 	PTROUT_CP(*from, *to, src);
242 	PTROUT_CP(*from, *to, dst);
243 	PTROUT_CP(*from, *to, aad);
244 	PTROUT_CP(*from, *to, tag);
245 	PTROUT_CP(*from, *to, iv);
246 }
247 #endif
248 
249 static void
250 session2_op_from_op(const struct session_op *from, struct session2_op *to)
251 {
252 
253 	memset(to, 0, sizeof(*to));
254 	memcpy(to, from, sizeof(*from));
255 	to->crid = CRYPTOCAP_F_HARDWARE;
256 }
257 
258 static void
259 session2_op_to_op(const struct session2_op *from, struct session_op *to)
260 {
261 
262 	memcpy(to, from, sizeof(*to));
263 }
264 
265 struct csession {
266 	TAILQ_ENTRY(csession) next;
267 	crypto_session_t cses;
268 	volatile u_int	refs;
269 	uint32_t	ses;
270 	struct mtx	lock;		/* for op submission */
271 
272 	const struct enc_xform *txform;
273 	int		hashsize;
274 	int		ivsize;
275 
276 	void		*key;
277 	void		*mackey;
278 };
279 
280 struct cryptop_data {
281 	struct csession *cse;
282 
283 	char		*buf;
284 	char		*obuf;
285 	char		*aad;
286 	bool		done;
287 };
288 
289 struct fcrypt {
290 	TAILQ_HEAD(csessionlist, csession) csessions;
291 	int		sesn;
292 	struct mtx	lock;
293 };
294 
295 static bool use_outputbuffers;
296 SYSCTL_BOOL(_kern_crypto, OID_AUTO, cryptodev_use_output, CTLFLAG_RW,
297     &use_outputbuffers, 0,
298     "Use separate output buffers for /dev/crypto requests.");
299 
300 static bool use_separate_aad;
301 SYSCTL_BOOL(_kern_crypto, OID_AUTO, cryptodev_separate_aad, CTLFLAG_RW,
302     &use_separate_aad, 0,
303     "Use separate AAD buffer for /dev/crypto requests.");
304 
305 /*
306  * Check a crypto identifier to see if it requested
307  * a software device/driver.  This can be done either
308  * by device name/class or through search constraints.
309  */
310 static int
311 checkforsoftware(int *cridp)
312 {
313 	int crid;
314 
315 	crid = *cridp;
316 
317 	if (!crypto_devallowsoft) {
318 		if (crid & CRYPTOCAP_F_SOFTWARE) {
319 			if (crid & CRYPTOCAP_F_HARDWARE) {
320 				*cridp = CRYPTOCAP_F_HARDWARE;
321 				return 0;
322 			}
323 			return EINVAL;
324 		}
325 		if ((crid & CRYPTOCAP_F_HARDWARE) == 0 &&
326 		    (crypto_getcaps(crid) & CRYPTOCAP_F_HARDWARE) == 0)
327 			return EINVAL;
328 	}
329 	return 0;
330 }
331 
332 static int
333 cse_create(struct fcrypt *fcr, struct session2_op *sop)
334 {
335 	struct crypto_session_params csp;
336 	struct csession *cse;
337 	const struct enc_xform *txform;
338 	const struct auth_hash *thash;
339 	void *key = NULL;
340 	void *mackey = NULL;
341 	crypto_session_t cses;
342 	int crid, error;
343 
344 	switch (sop->cipher) {
345 	case 0:
346 		txform = NULL;
347 		break;
348 	case CRYPTO_AES_CBC:
349 		txform = &enc_xform_aes_cbc;
350 		break;
351 	case CRYPTO_AES_XTS:
352 		txform = &enc_xform_aes_xts;
353 		break;
354 	case CRYPTO_NULL_CBC:
355 		txform = &enc_xform_null;
356 		break;
357 	case CRYPTO_CAMELLIA_CBC:
358 		txform = &enc_xform_camellia;
359 		break;
360 	case CRYPTO_AES_ICM:
361 		txform = &enc_xform_aes_icm;
362 		break;
363 	case CRYPTO_AES_NIST_GCM_16:
364 		txform = &enc_xform_aes_nist_gcm;
365 		break;
366 	case CRYPTO_CHACHA20:
367 		txform = &enc_xform_chacha20;
368 		break;
369 	case CRYPTO_AES_CCM_16:
370 		txform = &enc_xform_ccm;
371 		break;
372 	case CRYPTO_CHACHA20_POLY1305:
373 		txform = &enc_xform_chacha20_poly1305;
374 		break;
375 	default:
376 		CRYPTDEB("invalid cipher");
377 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
378 		return (EINVAL);
379 	}
380 
381 	switch (sop->mac) {
382 	case 0:
383 		thash = NULL;
384 		break;
385 	case CRYPTO_POLY1305:
386 		thash = &auth_hash_poly1305;
387 		break;
388 	case CRYPTO_SHA1_HMAC:
389 		thash = &auth_hash_hmac_sha1;
390 		break;
391 	case CRYPTO_SHA2_224_HMAC:
392 		thash = &auth_hash_hmac_sha2_224;
393 		break;
394 	case CRYPTO_SHA2_256_HMAC:
395 		thash = &auth_hash_hmac_sha2_256;
396 		break;
397 	case CRYPTO_SHA2_384_HMAC:
398 		thash = &auth_hash_hmac_sha2_384;
399 		break;
400 	case CRYPTO_SHA2_512_HMAC:
401 		thash = &auth_hash_hmac_sha2_512;
402 		break;
403 	case CRYPTO_RIPEMD160_HMAC:
404 		thash = &auth_hash_hmac_ripemd_160;
405 		break;
406 #ifdef COMPAT_FREEBSD12
407 	case CRYPTO_AES_128_NIST_GMAC:
408 	case CRYPTO_AES_192_NIST_GMAC:
409 	case CRYPTO_AES_256_NIST_GMAC:
410 		/* Should always be paired with GCM. */
411 		if (sop->cipher != CRYPTO_AES_NIST_GCM_16) {
412 			CRYPTDEB("GMAC without GCM");
413 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
414 			return (EINVAL);
415 		}
416 		break;
417 #endif
418 	case CRYPTO_AES_NIST_GMAC:
419 		switch (sop->mackeylen * 8) {
420 		case 128:
421 			thash = &auth_hash_nist_gmac_aes_128;
422 			break;
423 		case 192:
424 			thash = &auth_hash_nist_gmac_aes_192;
425 			break;
426 		case 256:
427 			thash = &auth_hash_nist_gmac_aes_256;
428 			break;
429 		default:
430 			CRYPTDEB("invalid GMAC key length");
431 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
432 			return (EINVAL);
433 		}
434 		break;
435 	case CRYPTO_AES_CCM_CBC_MAC:
436 		switch (sop->mackeylen) {
437 		case 16:
438 			thash = &auth_hash_ccm_cbc_mac_128;
439 			break;
440 		case 24:
441 			thash = &auth_hash_ccm_cbc_mac_192;
442 			break;
443 		case 32:
444 			thash = &auth_hash_ccm_cbc_mac_256;
445 			break;
446 		default:
447 			CRYPTDEB("Invalid CBC MAC key size %d", sop->keylen);
448 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
449 			return (EINVAL);
450 		}
451 		break;
452 	case CRYPTO_SHA1:
453 		thash = &auth_hash_sha1;
454 		break;
455 	case CRYPTO_SHA2_224:
456 		thash = &auth_hash_sha2_224;
457 		break;
458 	case CRYPTO_SHA2_256:
459 		thash = &auth_hash_sha2_256;
460 		break;
461 	case CRYPTO_SHA2_384:
462 		thash = &auth_hash_sha2_384;
463 		break;
464 	case CRYPTO_SHA2_512:
465 		thash = &auth_hash_sha2_512;
466 		break;
467 
468 	case CRYPTO_NULL_HMAC:
469 		thash = &auth_hash_null;
470 		break;
471 
472 	case CRYPTO_BLAKE2B:
473 		thash = &auth_hash_blake2b;
474 		break;
475 	case CRYPTO_BLAKE2S:
476 		thash = &auth_hash_blake2s;
477 		break;
478 
479 	default:
480 		CRYPTDEB("invalid mac");
481 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
482 		return (EINVAL);
483 	}
484 
485 	if (txform == NULL && thash == NULL) {
486 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
487 		return (EINVAL);
488 	}
489 
490 	memset(&csp, 0, sizeof(csp));
491 	if (use_outputbuffers)
492 		csp.csp_flags |= CSP_F_SEPARATE_OUTPUT;
493 
494 	if (sop->cipher == CRYPTO_AES_NIST_GCM_16) {
495 		switch (sop->mac) {
496 #ifdef COMPAT_FREEBSD12
497 		case CRYPTO_AES_128_NIST_GMAC:
498 		case CRYPTO_AES_192_NIST_GMAC:
499 		case CRYPTO_AES_256_NIST_GMAC:
500 			if (sop->keylen != sop->mackeylen) {
501 				SDT_PROBE1(opencrypto, dev, ioctl, error,
502 				    __LINE__);
503 				return (EINVAL);
504 			}
505 			break;
506 #endif
507 		case 0:
508 			break;
509 		default:
510 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
511 			return (EINVAL);
512 		}
513 		csp.csp_mode = CSP_MODE_AEAD;
514 	} else if (sop->cipher == CRYPTO_AES_CCM_16) {
515 		switch (sop->mac) {
516 #ifdef COMPAT_FREEBSD12
517 		case CRYPTO_AES_CCM_CBC_MAC:
518 			if (sop->keylen != sop->mackeylen) {
519 				SDT_PROBE1(opencrypto, dev, ioctl, error,
520 				    __LINE__);
521 				return (EINVAL);
522 			}
523 			thash = NULL;
524 			break;
525 #endif
526 		case 0:
527 			break;
528 		default:
529 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
530 			return (EINVAL);
531 		}
532 		csp.csp_mode = CSP_MODE_AEAD;
533 	} else if (sop->cipher == CRYPTO_CHACHA20_POLY1305) {
534 		if (sop->mac != 0) {
535 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
536 			return (EINVAL);
537 		}
538 		csp.csp_mode = CSP_MODE_AEAD;
539 	} else if (txform != NULL && thash != NULL)
540 		csp.csp_mode = CSP_MODE_ETA;
541 	else if (txform != NULL)
542 		csp.csp_mode = CSP_MODE_CIPHER;
543 	else
544 		csp.csp_mode = CSP_MODE_DIGEST;
545 
546 	switch (csp.csp_mode) {
547 	case CSP_MODE_AEAD:
548 	case CSP_MODE_ETA:
549 		if (use_separate_aad)
550 			csp.csp_flags |= CSP_F_SEPARATE_AAD;
551 		break;
552 	}
553 
554 	if (txform != NULL) {
555 		csp.csp_cipher_alg = txform->type;
556 		csp.csp_cipher_klen = sop->keylen;
557 		if (sop->keylen > txform->maxkey ||
558 		    sop->keylen < txform->minkey) {
559 			CRYPTDEB("invalid cipher parameters");
560 			error = EINVAL;
561 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
562 			goto bail;
563 		}
564 
565 		key = malloc(csp.csp_cipher_klen, M_XDATA, M_WAITOK);
566 		error = copyin(sop->key, key, csp.csp_cipher_klen);
567 		if (error) {
568 			CRYPTDEB("invalid key");
569 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
570 			goto bail;
571 		}
572 		csp.csp_cipher_key = key;
573 		csp.csp_ivlen = txform->ivsize;
574 	}
575 
576 	if (thash != NULL) {
577 		csp.csp_auth_alg = thash->type;
578 		csp.csp_auth_klen = sop->mackeylen;
579 		if (sop->mackeylen > thash->keysize || sop->mackeylen < 0) {
580 			CRYPTDEB("invalid mac key length");
581 			error = EINVAL;
582 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
583 			goto bail;
584 		}
585 
586 		if (csp.csp_auth_klen != 0) {
587 			mackey = malloc(csp.csp_auth_klen, M_XDATA, M_WAITOK);
588 			error = copyin(sop->mackey, mackey, csp.csp_auth_klen);
589 			if (error) {
590 				CRYPTDEB("invalid mac key");
591 				SDT_PROBE1(opencrypto, dev, ioctl, error,
592 				    __LINE__);
593 				goto bail;
594 			}
595 			csp.csp_auth_key = mackey;
596 		}
597 
598 		if (csp.csp_auth_alg == CRYPTO_AES_NIST_GMAC)
599 			csp.csp_ivlen = AES_GCM_IV_LEN;
600 		if (csp.csp_auth_alg == CRYPTO_AES_CCM_CBC_MAC)
601 			csp.csp_ivlen = AES_CCM_IV_LEN;
602 	}
603 
604 	if (sop->ivlen != 0) {
605 		if (csp.csp_ivlen == 0) {
606 			CRYPTDEB("does not support an IV");
607 			error = EINVAL;
608 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
609 			goto bail;
610 		}
611 		csp.csp_ivlen = sop->ivlen;
612 	}
613 	if (sop->maclen != 0) {
614 		if (!(thash != NULL || csp.csp_mode == CSP_MODE_AEAD)) {
615 			CRYPTDEB("does not support a MAC");
616 			error = EINVAL;
617 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
618 			goto bail;
619 		}
620 		csp.csp_auth_mlen = sop->maclen;
621 	}
622 
623 	crid = sop->crid;
624 	error = checkforsoftware(&crid);
625 	if (error) {
626 		CRYPTDEB("checkforsoftware");
627 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
628 		goto bail;
629 	}
630 	error = crypto_newsession(&cses, &csp, crid);
631 	if (error) {
632 		CRYPTDEB("crypto_newsession");
633 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
634 		goto bail;
635 	}
636 
637 	cse = malloc(sizeof(struct csession), M_XDATA, M_WAITOK | M_ZERO);
638 	mtx_init(&cse->lock, "cryptodev", "crypto session lock", MTX_DEF);
639 	refcount_init(&cse->refs, 1);
640 	cse->key = key;
641 	cse->mackey = mackey;
642 	cse->cses = cses;
643 	cse->txform = txform;
644 	if (sop->maclen != 0)
645 		cse->hashsize = sop->maclen;
646 	else if (thash != NULL)
647 		cse->hashsize = thash->hashsize;
648 	else if (csp.csp_mode == CSP_MODE_AEAD)
649 		cse->hashsize = txform->macsize;
650 	cse->ivsize = csp.csp_ivlen;
651 
652 	mtx_lock(&fcr->lock);
653 	TAILQ_INSERT_TAIL(&fcr->csessions, cse, next);
654 	cse->ses = fcr->sesn++;
655 	mtx_unlock(&fcr->lock);
656 
657 	sop->ses = cse->ses;
658 
659 	/* return hardware/driver id */
660 	sop->crid = crypto_ses2hid(cse->cses);
661 bail:
662 	if (error) {
663 		free(key, M_XDATA);
664 		free(mackey, M_XDATA);
665 	}
666 	return (error);
667 }
668 
669 static struct csession *
670 cse_find(struct fcrypt *fcr, u_int ses)
671 {
672 	struct csession *cse;
673 
674 	mtx_lock(&fcr->lock);
675 	TAILQ_FOREACH(cse, &fcr->csessions, next) {
676 		if (cse->ses == ses) {
677 			refcount_acquire(&cse->refs);
678 			mtx_unlock(&fcr->lock);
679 			return (cse);
680 		}
681 	}
682 	mtx_unlock(&fcr->lock);
683 	return (NULL);
684 }
685 
686 static void
687 cse_free(struct csession *cse)
688 {
689 
690 	if (!refcount_release(&cse->refs))
691 		return;
692 	crypto_freesession(cse->cses);
693 	mtx_destroy(&cse->lock);
694 	if (cse->key)
695 		free(cse->key, M_XDATA);
696 	if (cse->mackey)
697 		free(cse->mackey, M_XDATA);
698 	free(cse, M_XDATA);
699 }
700 
701 static bool
702 cse_delete(struct fcrypt *fcr, u_int ses)
703 {
704 	struct csession *cse;
705 
706 	mtx_lock(&fcr->lock);
707 	TAILQ_FOREACH(cse, &fcr->csessions, next) {
708 		if (cse->ses == ses) {
709 			TAILQ_REMOVE(&fcr->csessions, cse, next);
710 			mtx_unlock(&fcr->lock);
711 			cse_free(cse);
712 			return (true);
713 		}
714 	}
715 	mtx_unlock(&fcr->lock);
716 	return (false);
717 }
718 
719 static struct cryptop_data *
720 cod_alloc(struct csession *cse, size_t aad_len, size_t len)
721 {
722 	struct cryptop_data *cod;
723 
724 	cod = malloc(sizeof(struct cryptop_data), M_XDATA, M_WAITOK | M_ZERO);
725 
726 	cod->cse = cse;
727 	if (crypto_get_params(cse->cses)->csp_flags & CSP_F_SEPARATE_AAD) {
728 		if (aad_len != 0)
729 			cod->aad = malloc(aad_len, M_XDATA, M_WAITOK);
730 		cod->buf = malloc(len, M_XDATA, M_WAITOK);
731 	} else
732 		cod->buf = malloc(aad_len + len, M_XDATA, M_WAITOK);
733 	if (crypto_get_params(cse->cses)->csp_flags & CSP_F_SEPARATE_OUTPUT)
734 		cod->obuf = malloc(len, M_XDATA, M_WAITOK);
735 	return (cod);
736 }
737 
738 static void
739 cod_free(struct cryptop_data *cod)
740 {
741 
742 	free(cod->aad, M_XDATA);
743 	free(cod->obuf, M_XDATA);
744 	free(cod->buf, M_XDATA);
745 	free(cod, M_XDATA);
746 }
747 
748 static int
749 cryptodev_cb(struct cryptop *crp)
750 {
751 	struct cryptop_data *cod = crp->crp_opaque;
752 
753 	/*
754 	 * Lock to ensure the wakeup() is not missed by the loops
755 	 * waiting on cod->done in cryptodev_op() and
756 	 * cryptodev_aead().
757 	 */
758 	mtx_lock(&cod->cse->lock);
759 	cod->done = true;
760 	mtx_unlock(&cod->cse->lock);
761 	wakeup(cod);
762 	return (0);
763 }
764 
765 static int
766 cryptodev_op(struct csession *cse, const struct crypt_op *cop)
767 {
768 	const struct crypto_session_params *csp;
769 	struct cryptop_data *cod = NULL;
770 	struct cryptop *crp = NULL;
771 	char *dst;
772 	int error;
773 
774 	if (cop->len > 256*1024-4) {
775 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
776 		return (E2BIG);
777 	}
778 
779 	if (cse->txform) {
780 		if ((cop->len % cse->txform->blocksize) != 0) {
781 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
782 			return (EINVAL);
783 		}
784 	}
785 
786 	if (cop->mac && cse->hashsize == 0) {
787 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
788 		return (EINVAL);
789 	}
790 
791 	/*
792 	 * The COP_F_CIPHER_FIRST flag predates explicit session
793 	 * modes, but the only way it was used was for EtA so allow it
794 	 * as long as it is consistent with EtA.
795 	 */
796 	if (cop->flags & COP_F_CIPHER_FIRST) {
797 		if (cop->op != COP_ENCRYPT) {
798 			SDT_PROBE1(opencrypto, dev, ioctl, error,  __LINE__);
799 			return (EINVAL);
800 		}
801 	}
802 
803 	cod = cod_alloc(cse, 0, cop->len + cse->hashsize);
804 	dst = cop->dst;
805 
806 	crp = crypto_getreq(cse->cses, M_WAITOK);
807 
808 	error = copyin(cop->src, cod->buf, cop->len);
809 	if (error) {
810 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
811 		goto bail;
812 	}
813 	crp->crp_payload_start = 0;
814 	crp->crp_payload_length = cop->len;
815 	if (cse->hashsize)
816 		crp->crp_digest_start = cop->len;
817 
818 	csp = crypto_get_params(cse->cses);
819 	switch (csp->csp_mode) {
820 	case CSP_MODE_COMPRESS:
821 		switch (cop->op) {
822 		case COP_ENCRYPT:
823 			crp->crp_op = CRYPTO_OP_COMPRESS;
824 			break;
825 		case COP_DECRYPT:
826 			crp->crp_op = CRYPTO_OP_DECOMPRESS;
827 			break;
828 		default:
829 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
830 			error = EINVAL;
831 			goto bail;
832 		}
833 		break;
834 	case CSP_MODE_CIPHER:
835 		if (cop->len == 0 ||
836 		    (cop->iv == NULL && cop->len == cse->ivsize)) {
837 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
838 			error = EINVAL;
839 			goto bail;
840 		}
841 		switch (cop->op) {
842 		case COP_ENCRYPT:
843 			crp->crp_op = CRYPTO_OP_ENCRYPT;
844 			break;
845 		case COP_DECRYPT:
846 			crp->crp_op = CRYPTO_OP_DECRYPT;
847 			break;
848 		default:
849 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
850 			error = EINVAL;
851 			goto bail;
852 		}
853 		break;
854 	case CSP_MODE_DIGEST:
855 		switch (cop->op) {
856 		case 0:
857 		case COP_ENCRYPT:
858 		case COP_DECRYPT:
859 			crp->crp_op = CRYPTO_OP_COMPUTE_DIGEST;
860 			if (cod->obuf != NULL)
861 				crp->crp_digest_start = 0;
862 			break;
863 		default:
864 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
865 			error = EINVAL;
866 			goto bail;
867 		}
868 		break;
869 	case CSP_MODE_AEAD:
870 		if (cse->ivsize != 0 && cop->iv == NULL) {
871 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
872 			error = EINVAL;
873 			goto bail;
874 		}
875 		/* FALLTHROUGH */
876 	case CSP_MODE_ETA:
877 		switch (cop->op) {
878 		case COP_ENCRYPT:
879 			crp->crp_op = CRYPTO_OP_ENCRYPT |
880 			    CRYPTO_OP_COMPUTE_DIGEST;
881 			break;
882 		case COP_DECRYPT:
883 			crp->crp_op = CRYPTO_OP_DECRYPT |
884 			    CRYPTO_OP_VERIFY_DIGEST;
885 			break;
886 		default:
887 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
888 			error = EINVAL;
889 			goto bail;
890 		}
891 		break;
892 	default:
893 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
894 		error = EINVAL;
895 		goto bail;
896 	}
897 
898 	crp->crp_flags = CRYPTO_F_CBIMM | (cop->flags & COP_F_BATCH);
899 	crypto_use_buf(crp, cod->buf, cop->len + cse->hashsize);
900 	if (cod->obuf)
901 		crypto_use_output_buf(crp, cod->obuf, cop->len + cse->hashsize);
902 	crp->crp_callback = cryptodev_cb;
903 	crp->crp_opaque = cod;
904 
905 	if (cop->iv) {
906 		if (cse->ivsize == 0) {
907 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
908 			error = EINVAL;
909 			goto bail;
910 		}
911 		error = copyin(cop->iv, crp->crp_iv, cse->ivsize);
912 		if (error) {
913 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
914 			goto bail;
915 		}
916 		crp->crp_flags |= CRYPTO_F_IV_SEPARATE;
917 	} else if (cse->ivsize != 0) {
918 		if (crp->crp_payload_length < cse->ivsize) {
919 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
920 			error = EINVAL;
921 			goto bail;
922 		}
923 		crp->crp_iv_start = 0;
924 		crp->crp_payload_length -= cse->ivsize;
925 		if (crp->crp_payload_length != 0)
926 			crp->crp_payload_start = cse->ivsize;
927 		dst += cse->ivsize;
928 	}
929 
930 	if (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) {
931 		error = copyin(cop->mac, cod->buf + crp->crp_digest_start,
932 		    cse->hashsize);
933 		if (error) {
934 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
935 			goto bail;
936 		}
937 	}
938 again:
939 	/*
940 	 * Let the dispatch run unlocked, then, interlock against the
941 	 * callback before checking if the operation completed and going
942 	 * to sleep.  This insures drivers don't inherit our lock which
943 	 * results in a lock order reversal between crypto_dispatch forced
944 	 * entry and the crypto_done callback into us.
945 	 */
946 	error = crypto_dispatch(crp);
947 	if (error != 0) {
948 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
949 		goto bail;
950 	}
951 
952 	mtx_lock(&cse->lock);
953 	while (!cod->done)
954 		mtx_sleep(cod, &cse->lock, PWAIT, "crydev", 0);
955 	mtx_unlock(&cse->lock);
956 
957 	if (crp->crp_etype == EAGAIN) {
958 		crp->crp_etype = 0;
959 		crp->crp_flags &= ~CRYPTO_F_DONE;
960 		cod->done = false;
961 		goto again;
962 	}
963 
964 	if (crp->crp_etype != 0) {
965 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
966 		error = crp->crp_etype;
967 		goto bail;
968 	}
969 
970 	if (cop->dst != NULL) {
971 		error = copyout(cod->obuf != NULL ? cod->obuf :
972 		    cod->buf + crp->crp_payload_start, dst,
973 		    crp->crp_payload_length);
974 		if (error) {
975 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
976 			goto bail;
977 		}
978 	}
979 
980 	if (cop->mac != NULL && (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) == 0) {
981 		error = copyout((cod->obuf != NULL ? cod->obuf : cod->buf) +
982 		    crp->crp_digest_start, cop->mac, cse->hashsize);
983 		if (error) {
984 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
985 			goto bail;
986 		}
987 	}
988 
989 bail:
990 	crypto_freereq(crp);
991 	cod_free(cod);
992 
993 	return (error);
994 }
995 
996 static int
997 cryptodev_aead(struct csession *cse, struct crypt_aead *caead)
998 {
999 	const struct crypto_session_params *csp;
1000 	struct cryptop_data *cod = NULL;
1001 	struct cryptop *crp = NULL;
1002 	char *dst;
1003 	int error;
1004 
1005 	if (caead->len > 256*1024-4 || caead->aadlen > 256*1024-4) {
1006 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1007 		return (E2BIG);
1008 	}
1009 
1010 	if (cse->txform == NULL || cse->hashsize == 0 || caead->tag == NULL ||
1011 	    (caead->len % cse->txform->blocksize) != 0) {
1012 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1013 		return (EINVAL);
1014 	}
1015 
1016 	/*
1017 	 * The COP_F_CIPHER_FIRST flag predates explicit session
1018 	 * modes, but the only way it was used was for EtA so allow it
1019 	 * as long as it is consistent with EtA.
1020 	 */
1021 	if (caead->flags & COP_F_CIPHER_FIRST) {
1022 		if (caead->op != COP_ENCRYPT) {
1023 			SDT_PROBE1(opencrypto, dev, ioctl, error,  __LINE__);
1024 			return (EINVAL);
1025 		}
1026 	}
1027 
1028 	cod = cod_alloc(cse, caead->aadlen, caead->len + cse->hashsize);
1029 	dst = caead->dst;
1030 
1031 	crp = crypto_getreq(cse->cses, M_WAITOK);
1032 
1033 	if (cod->aad != NULL)
1034 		error = copyin(caead->aad, cod->aad, caead->aadlen);
1035 	else
1036 		error = copyin(caead->aad, cod->buf, caead->aadlen);
1037 	if (error) {
1038 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1039 		goto bail;
1040 	}
1041 	crp->crp_aad = cod->aad;
1042 	crp->crp_aad_start = 0;
1043 	crp->crp_aad_length = caead->aadlen;
1044 
1045 	if (cod->aad != NULL)
1046 		crp->crp_payload_start = 0;
1047 	else
1048 		crp->crp_payload_start = caead->aadlen;
1049 	error = copyin(caead->src, cod->buf + crp->crp_payload_start,
1050 	    caead->len);
1051 	if (error) {
1052 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1053 		goto bail;
1054 	}
1055 	crp->crp_payload_length = caead->len;
1056 	if (caead->op == COP_ENCRYPT && cod->obuf != NULL)
1057 		crp->crp_digest_start = crp->crp_payload_output_start +
1058 		    caead->len;
1059 	else
1060 		crp->crp_digest_start = crp->crp_payload_start + caead->len;
1061 
1062 	csp = crypto_get_params(cse->cses);
1063 	switch (csp->csp_mode) {
1064 	case CSP_MODE_AEAD:
1065 	case CSP_MODE_ETA:
1066 		switch (caead->op) {
1067 		case COP_ENCRYPT:
1068 			crp->crp_op = CRYPTO_OP_ENCRYPT |
1069 			    CRYPTO_OP_COMPUTE_DIGEST;
1070 			break;
1071 		case COP_DECRYPT:
1072 			crp->crp_op = CRYPTO_OP_DECRYPT |
1073 			    CRYPTO_OP_VERIFY_DIGEST;
1074 			break;
1075 		default:
1076 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1077 			error = EINVAL;
1078 			goto bail;
1079 		}
1080 		break;
1081 	default:
1082 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1083 		error = EINVAL;
1084 		goto bail;
1085 	}
1086 
1087 	crp->crp_flags = CRYPTO_F_CBIMM | (caead->flags & COP_F_BATCH);
1088 	crypto_use_buf(crp, cod->buf, crp->crp_payload_start + caead->len +
1089 	    cse->hashsize);
1090 	if (cod->obuf != NULL)
1091 		crypto_use_output_buf(crp, cod->obuf, caead->len +
1092 		    cse->hashsize);
1093 	crp->crp_callback = cryptodev_cb;
1094 	crp->crp_opaque = cod;
1095 
1096 	if (caead->iv) {
1097 		/*
1098 		 * Permit a 16-byte IV for AES-XTS, but only use the
1099 		 * first 8 bytes as a block number.
1100 		 */
1101 		if (csp->csp_mode == CSP_MODE_ETA &&
1102 		    csp->csp_cipher_alg == CRYPTO_AES_XTS &&
1103 		    caead->ivlen == AES_BLOCK_LEN)
1104 			caead->ivlen = AES_XTS_IV_LEN;
1105 
1106 		if (cse->ivsize == 0) {
1107 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1108 			error = EINVAL;
1109 			goto bail;
1110 		}
1111 		if (caead->ivlen != cse->ivsize) {
1112 			error = EINVAL;
1113 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1114 			goto bail;
1115 		}
1116 
1117 		error = copyin(caead->iv, crp->crp_iv, cse->ivsize);
1118 		if (error) {
1119 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1120 			goto bail;
1121 		}
1122 		crp->crp_flags |= CRYPTO_F_IV_SEPARATE;
1123 	} else {
1124 		error = EINVAL;
1125 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1126 		goto bail;
1127 	}
1128 
1129 	if (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) {
1130 		error = copyin(caead->tag, cod->buf + crp->crp_digest_start,
1131 		    cse->hashsize);
1132 		if (error) {
1133 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1134 			goto bail;
1135 		}
1136 	}
1137 again:
1138 	/*
1139 	 * Let the dispatch run unlocked, then, interlock against the
1140 	 * callback before checking if the operation completed and going
1141 	 * to sleep.  This insures drivers don't inherit our lock which
1142 	 * results in a lock order reversal between crypto_dispatch forced
1143 	 * entry and the crypto_done callback into us.
1144 	 */
1145 	error = crypto_dispatch(crp);
1146 	if (error != 0) {
1147 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1148 		goto bail;
1149 	}
1150 
1151 	mtx_lock(&cse->lock);
1152 	while (!cod->done)
1153 		mtx_sleep(cod, &cse->lock, PWAIT, "crydev", 0);
1154 	mtx_unlock(&cse->lock);
1155 
1156 	if (crp->crp_etype == EAGAIN) {
1157 		crp->crp_etype = 0;
1158 		crp->crp_flags &= ~CRYPTO_F_DONE;
1159 		cod->done = false;
1160 		goto again;
1161 	}
1162 
1163 	if (crp->crp_etype != 0) {
1164 		error = crp->crp_etype;
1165 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1166 		goto bail;
1167 	}
1168 
1169 	if (caead->dst != NULL) {
1170 		error = copyout(cod->obuf != NULL ? cod->obuf :
1171 		    cod->buf + crp->crp_payload_start, dst,
1172 		    crp->crp_payload_length);
1173 		if (error) {
1174 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1175 			goto bail;
1176 		}
1177 	}
1178 
1179 	if ((crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) == 0) {
1180 		error = copyout((cod->obuf != NULL ? cod->obuf : cod->buf) +
1181 		    crp->crp_digest_start, caead->tag, cse->hashsize);
1182 		if (error) {
1183 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1184 			goto bail;
1185 		}
1186 	}
1187 
1188 bail:
1189 	crypto_freereq(crp);
1190 	cod_free(cod);
1191 
1192 	return (error);
1193 }
1194 
1195 static int
1196 cryptodev_find(struct crypt_find_op *find)
1197 {
1198 	device_t dev;
1199 	size_t fnlen = sizeof find->name;
1200 
1201 	if (find->crid != -1) {
1202 		dev = crypto_find_device_byhid(find->crid);
1203 		if (dev == NULL)
1204 			return (ENOENT);
1205 		strncpy(find->name, device_get_nameunit(dev), fnlen);
1206 		find->name[fnlen - 1] = '\x0';
1207 	} else {
1208 		find->name[fnlen - 1] = '\x0';
1209 		find->crid = crypto_find_driver(find->name);
1210 		if (find->crid == -1)
1211 			return (ENOENT);
1212 	}
1213 	return (0);
1214 }
1215 
1216 static void
1217 fcrypt_dtor(void *data)
1218 {
1219 	struct fcrypt *fcr = data;
1220 	struct csession *cse;
1221 
1222 	while ((cse = TAILQ_FIRST(&fcr->csessions))) {
1223 		TAILQ_REMOVE(&fcr->csessions, cse, next);
1224 		KASSERT(refcount_load(&cse->refs) == 1,
1225 		    ("%s: crypto session %p with %d refs", __func__, cse,
1226 		    refcount_load(&cse->refs)));
1227 		cse_free(cse);
1228 	}
1229 	mtx_destroy(&fcr->lock);
1230 	free(fcr, M_XDATA);
1231 }
1232 
1233 static int
1234 crypto_open(struct cdev *dev, int oflags, int devtype, struct thread *td)
1235 {
1236 	struct fcrypt *fcr;
1237 	int error;
1238 
1239 	fcr = malloc(sizeof(struct fcrypt), M_XDATA, M_WAITOK | M_ZERO);
1240 	TAILQ_INIT(&fcr->csessions);
1241 	mtx_init(&fcr->lock, "fcrypt", NULL, MTX_DEF);
1242 	error = devfs_set_cdevpriv(fcr, fcrypt_dtor);
1243 	if (error)
1244 		fcrypt_dtor(fcr);
1245 	return (error);
1246 }
1247 
1248 static int
1249 crypto_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag,
1250     struct thread *td)
1251 {
1252 	struct fcrypt *fcr;
1253 	struct csession *cse;
1254 	struct session2_op *sop;
1255 	struct crypt_op *cop;
1256 	struct crypt_aead *caead;
1257 	uint32_t ses;
1258 	int error = 0;
1259 	union {
1260 		struct session2_op sopc;
1261 #ifdef COMPAT_FREEBSD32
1262 		struct crypt_op copc;
1263 		struct crypt_aead aeadc;
1264 #endif
1265 	} thunk;
1266 #ifdef COMPAT_FREEBSD32
1267 	u_long cmd32;
1268 	void *data32;
1269 
1270 	cmd32 = 0;
1271 	data32 = NULL;
1272 	switch (cmd) {
1273 	case CIOCGSESSION32:
1274 		cmd32 = cmd;
1275 		data32 = data;
1276 		cmd = CIOCGSESSION;
1277 		data = (void *)&thunk.sopc;
1278 		session_op_from_32((struct session_op32 *)data32, &thunk.sopc);
1279 		break;
1280 	case CIOCGSESSION232:
1281 		cmd32 = cmd;
1282 		data32 = data;
1283 		cmd = CIOCGSESSION2;
1284 		data = (void *)&thunk.sopc;
1285 		session2_op_from_32((struct session2_op32 *)data32,
1286 		    &thunk.sopc);
1287 		break;
1288 	case CIOCCRYPT32:
1289 		cmd32 = cmd;
1290 		data32 = data;
1291 		cmd = CIOCCRYPT;
1292 		data = (void *)&thunk.copc;
1293 		crypt_op_from_32((struct crypt_op32 *)data32, &thunk.copc);
1294 		break;
1295 	case CIOCCRYPTAEAD32:
1296 		cmd32 = cmd;
1297 		data32 = data;
1298 		cmd = CIOCCRYPTAEAD;
1299 		data = (void *)&thunk.aeadc;
1300 		crypt_aead_from_32((struct crypt_aead32 *)data32, &thunk.aeadc);
1301 		break;
1302 	}
1303 #endif
1304 
1305 	devfs_get_cdevpriv((void **)&fcr);
1306 
1307 	switch (cmd) {
1308 #ifdef COMPAT_FREEBSD12
1309 	case CRIOGET:
1310 		/*
1311 		 * NB: This may fail in cases that the old
1312 		 * implementation did not if the current process has
1313 		 * restricted filesystem access (e.g. running in a
1314 		 * jail that does not expose /dev/crypto or in
1315 		 * capability mode).
1316 		 */
1317 		error = kern_openat(td, AT_FDCWD, "/dev/crypto", UIO_SYSSPACE,
1318 		    O_RDWR, 0);
1319 		if (error == 0)
1320 			*(uint32_t *)data = td->td_retval[0];
1321 		break;
1322 #endif
1323 	case CIOCGSESSION:
1324 	case CIOCGSESSION2:
1325 		if (cmd == CIOCGSESSION) {
1326 			session2_op_from_op((void *)data, &thunk.sopc);
1327 			sop = &thunk.sopc;
1328 		} else
1329 			sop = (struct session2_op *)data;
1330 
1331 		error = cse_create(fcr, sop);
1332 		if (cmd == CIOCGSESSION && error == 0)
1333 			session2_op_to_op(sop, (void *)data);
1334 		break;
1335 	case CIOCFSESSION:
1336 		ses = *(uint32_t *)data;
1337 		if (!cse_delete(fcr, ses)) {
1338 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1339 			return (EINVAL);
1340 		}
1341 		break;
1342 	case CIOCCRYPT:
1343 		cop = (struct crypt_op *)data;
1344 		cse = cse_find(fcr, cop->ses);
1345 		if (cse == NULL) {
1346 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1347 			return (EINVAL);
1348 		}
1349 		error = cryptodev_op(cse, cop);
1350 		cse_free(cse);
1351 		break;
1352 	case CIOCFINDDEV:
1353 		error = cryptodev_find((struct crypt_find_op *)data);
1354 		break;
1355 	case CIOCCRYPTAEAD:
1356 		caead = (struct crypt_aead *)data;
1357 		cse = cse_find(fcr, caead->ses);
1358 		if (cse == NULL) {
1359 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1360 			return (EINVAL);
1361 		}
1362 		error = cryptodev_aead(cse, caead);
1363 		cse_free(cse);
1364 		break;
1365 	default:
1366 		error = EINVAL;
1367 		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1368 		break;
1369 	}
1370 
1371 #ifdef COMPAT_FREEBSD32
1372 	switch (cmd32) {
1373 	case CIOCGSESSION32:
1374 		if (error == 0)
1375 			session_op_to_32((void *)data, data32);
1376 		break;
1377 	case CIOCGSESSION232:
1378 		if (error == 0)
1379 			session2_op_to_32((void *)data, data32);
1380 		break;
1381 	case CIOCCRYPT32:
1382 		if (error == 0)
1383 			crypt_op_to_32((void *)data, data32);
1384 		break;
1385 	case CIOCCRYPTAEAD32:
1386 		if (error == 0)
1387 			crypt_aead_to_32((void *)data, data32);
1388 		break;
1389 	}
1390 #endif
1391 	return (error);
1392 }
1393 
1394 static struct cdevsw crypto_cdevsw = {
1395 	.d_version =	D_VERSION,
1396 	.d_open =	crypto_open,
1397 	.d_ioctl =	crypto_ioctl,
1398 	.d_name =	"crypto",
1399 };
1400 static struct cdev *crypto_dev;
1401 
1402 /*
1403  * Initialization code, both for static and dynamic loading.
1404  */
1405 static int
1406 cryptodev_modevent(module_t mod, int type, void *unused)
1407 {
1408 	switch (type) {
1409 	case MOD_LOAD:
1410 		if (bootverbose)
1411 			printf("crypto: <crypto device>\n");
1412 		crypto_dev = make_dev(&crypto_cdevsw, 0,
1413 				      UID_ROOT, GID_WHEEL, 0666,
1414 				      "crypto");
1415 		return 0;
1416 	case MOD_UNLOAD:
1417 		/*XXX disallow if active sessions */
1418 		destroy_dev(crypto_dev);
1419 		return 0;
1420 	}
1421 	return EINVAL;
1422 }
1423 
1424 static moduledata_t cryptodev_mod = {
1425 	"cryptodev",
1426 	cryptodev_modevent,
1427 	0
1428 };
1429 MODULE_VERSION(cryptodev, 1);
1430 DECLARE_MODULE(cryptodev, cryptodev_mod, SI_SUB_PSEUDO, SI_ORDER_ANY);
1431 MODULE_DEPEND(cryptodev, crypto, 1, 1, 1);
1432 MODULE_DEPEND(cryptodev, zlib, 1, 1, 1);
1433