1 .\" $NetBSD: crypto.4,v 1.24 2014/01/27 21:23:59 pgoyette Exp $
3 .\" Copyright (c) 2008 The NetBSD Foundation, Inc.
4 .\" Copyright (c) 2014 The FreeBSD Foundation
5 .\" All rights reserved.
7 .\" Portions of this documentation were written by John-Mark Gurney
8 .\" under sponsorship of the FreeBSD Foundation and
9 .\" Rubicon Communications, LLC (Netgate).
11 .\" This code is derived from software contributed to The NetBSD Foundation
12 .\" by Coyote Point Systems, Inc.
14 .\" Redistribution and use in source and binary forms, with or without
15 .\" modification, are permitted provided that the following conditions
17 .\" 1. Redistributions of source code must retain the above copyright
18 .\" notice, this list of conditions and the following disclaimer.
19 .\" 2. Redistributions in binary form must reproduce the above copyright
20 .\" notice, this list of conditions and the following disclaimer in the
21 .\" documentation and/or other materials provided with the distribution.
23 .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
24 .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
25 .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
26 .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
27 .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
28 .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29 .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30 .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31 .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 .\" POSSIBILITY OF SUCH DAMAGE.
37 .\" Copyright (c) 2004
38 .\" Jonathan Stone <jonathan@dsg.stanford.edu>. All rights reserved.
40 .\" Redistribution and use in source and binary forms, with or without
41 .\" modification, are permitted provided that the following conditions
43 .\" 1. Redistributions of source code must retain the above copyright
44 .\" notice, this list of conditions and the following disclaimer.
45 .\" 2. Redistributions in binary form must reproduce the above copyright
46 .\" notice, this list of conditions and the following disclaimer in the
47 .\" documentation and/or other materials provided with the distribution.
49 .\" THIS SOFTWARE IS PROVIDED BY Jonathan Stone AND CONTRIBUTORS ``AS IS'' AND
50 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
51 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
52 .\" ARE DISCLAIMED. IN NO EVENT SHALL Jonathan Stone OR THE VOICES IN HIS HEAD
53 .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
54 .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
55 .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
56 .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
57 .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
58 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
59 .\" THE POSSIBILITY OF SUCH DAMAGE.
69 .Nd user-mode access to hardware-accelerated cryptography
76 .In crypto/cryptodev.h
80 driver gives user-mode applications access to hardware-accelerated
81 cryptographic transforms as implemented by the
87 special device provides an
90 User-mode applications open the special device and
93 calls on the descriptor.
99 .Ic kern.userasymcrypto
101 .Ic kern.cryptodevallowsoft .
105 device provides two distinct modes of operation: one mode for
106 symmetric-keyed cryptographic requests and digests, and a second mode for
107 both asymmetric-key (public-key/private-key) requests and
108 modular arithmetic (for Diffie-Hellman key exchange and other
109 cryptographic protocols).
110 The two modes are described separately below.
111 .Sh DEPRECATION NOTICE
112 The asymmetric-key operations supported by this interface will not be
116 .Sh THEORY OF OPERATION
117 Regardless of whether symmetric-key or asymmetric-key operations are
118 to be performed, use of the device requires a basic series of steps:
125 Create a new cryptography file descriptor via
127 to use for all subsequent
135 If any symmetric-keyed cryptographic or digest operations will be performed,
136 create a session with
138 Most applications will require at least one symmetric session.
139 Since cipher and MAC keys are tied to sessions, many
140 applications will require more.
141 Asymmetric operations do not use sessions.
143 Submit requests, synchronously with
152 Optionally destroy a session with
155 Close the cryptography file descriptor with
157 This will automatically close any remaining sessions associated with the
160 .Sh SYMMETRIC-KEY OPERATION
161 The symmetric-key operation mode provides a context-based API
162 to traditional symmetric-key encryption (or privacy) algorithms,
163 or to keyed and unkeyed one-way hash (HMAC and MAC) algorithms.
164 The symmetric-key mode also permits encrypt-then-authenticate fused operation,
165 where the hardware performs both a privacy algorithm and an integrity-check
166 algorithm in a single pass over the data: either a fused
167 encrypt/HMAC-generate operation, or a fused HMAC-verify/decrypt operation.
169 To use symmetric mode, you must first create a session specifying
170 the algorithm(s) and key(s) to use; then issue encrypt or decrypt
171 requests against the session.
173 For a list of supported algorithms, see
177 .Ss IOCTL Request Descriptions
179 .Bl -tag -width CIOCGSESSION
181 .It Dv CRIOGET Fa int *fd
182 Clone the fd argument to
184 yielding a new file descriptor for the creation of sessions.
186 .It Dv CIOCFINDDEV Fa struct crypt_find_op *fop
188 struct crypt_find_op {
189 int crid; /* driver id + flags */
190 char name[32]; /* device/driver name */
196 is -1, then find the driver named
202 is not -1, return the name of the driver with
206 In either case, if the driver is not found,
209 .It Dv CIOCGSESSION Fa struct session_op *sessp
212 uint32_t cipher; /* e.g. CRYPTO_AES_CBC */
213 uint32_t mac; /* e.g. CRYPTO_SHA2_256_HMAC */
215 uint32_t keylen; /* cipher key */
217 int mackeylen; /* mac key */
220 uint32_t ses; /* returns: ses # */
224 Create a new cryptographic session on a file descriptor for the device;
225 that is, a persistent object specific to the chosen
226 privacy algorithm, integrity algorithm, and keys specified in
228 The special value 0 for either privacy or integrity
229 is reserved to indicate that the indicated operation (privacy or integrity)
230 is not desired for this session.
232 Multiple sessions may be bound to a single file descriptor.
233 The session ID returned in
235 is supplied as a required field in the symmetric-operation structure
237 for future encryption or hashing requests.
239 .\" This implementation will never return a session ID of 0 for a successful
240 .\" creation of a session, which is a
244 For non-zero symmetric-key privacy algorithms, the privacy algorithm
246 .Fa sessp-\*[Gt]cipher ,
248 .Fa sessp-\*[Gt]keylen ,
249 and the key value in the octets addressed by
250 .Fa sessp-\*[Gt]key .
252 For keyed one-way hash algorithms, the one-way hash must be specified
254 .Fa sessp-\*[Gt]mac ,
256 .Fa sessp-\*[Gt]mackey ,
257 and the key value in the octets addressed by
258 .Fa sessp-\*[Gt]mackeylen .
261 Support for a specific combination of fused privacy and
262 integrity-check algorithms depends on whether the underlying
263 hardware supports that combination.
264 Not all combinations are supported
265 by all hardware, even if the hardware supports each operation as a
266 stand-alone non-fused operation.
267 .It Dv CIOCGSESSION2 Fa struct session2_op *sessp
270 uint32_t cipher; /* e.g. CRYPTO_AES_CBC */
271 uint32_t mac; /* e.g. CRYPTO_SHA2_256_HMAC */
273 uint32_t keylen; /* cipher key */
275 int mackeylen; /* mac key */
278 uint32_t ses; /* returns: ses # */
279 int crid; /* driver id + flags (rw) */
280 int pad[4]; /* for future expansion */
284 This request is similar to CIOGSESSION except that
286 requests either a specific crypto device or a class of devices (software vs
290 field must be initialized to zero.
291 .It Dv CIOCCRYPT Fa struct crypt_op *cr_op
295 uint16_t op; /* e.g. COP_ENCRYPT */
300 void *mac; /* must be large enough for result */
305 Request a symmetric-key (or hash) operation.
316 supplies the length of the input buffer; the fields
317 .Fa cr_op-\*[Gt]src ,
318 .Fa cr_op-\*[Gt]dst ,
319 .Fa cr_op-\*[Gt]mac ,
321 supply the addresses of the input buffer, output buffer,
322 one-way hash, and initialization vector, respectively.
324 If a session is using either fused encrypt-then-authenticate or
326 decryption operations require the associated hash as an input.
327 If the hash is incorrect, the
328 operation will fail with
330 and the output buffer will remain unchanged.
331 .It Dv CIOCCRYPTAEAD Fa struct crypt_aead *cr_aead
335 uint16_t op; /* e.g. COP_ENCRYPT */
342 const void *aad; /* additional authenticated data */
343 void *tag; /* must fit for chosen TAG length */
352 but provides additional data in
353 .Fa cr_aead-\*[Gt]aad
354 to include in the authentication mode.
355 .It Dv CIOCFSESSION Fa u_int32_t ses_id
356 Destroys the session identified by
360 .Sh ASYMMETRIC-KEY OPERATION
361 .Ss Asymmetric-key algorithms
362 Contingent upon hardware support, the following asymmetric
363 (public-key/private-key; or key-exchange subroutine) operations may
366 .Bl -column "CRK_DH_COMPUTE_KEY" "Input parameter" "Output parameter" -offset indent -compact
367 .It Em "Algorithm" Ta "Input parameter" Ta "Output parameter"
368 .It Em " " Ta "Count" Ta "Count"
369 .It Dv CRK_MOD_EXP Ta 3 Ta 1
370 .It Dv CRK_MOD_EXP_CRT Ta 6 Ta 1
371 .It Dv CRK_DSA_SIGN Ta 5 Ta 2
372 .It Dv CRK_DSA_VERIFY Ta 7 Ta 0
373 .It Dv CRK_DH_COMPUTE_KEY Ta 3 Ta 1
376 See below for discussion of the input and output parameter counts.
377 .Ss Asymmetric-key commands
378 .Bl -tag -width CIOCKEY
379 .It Dv CIOCASYMFEAT Fa int *feature_mask
380 Returns a bitmask of supported asymmetric-key operations.
381 Each of the above-listed asymmetric operations is present
382 if and only if the bit position numbered by the code for that operation
386 is available if and only if the bit
387 .Pq 1 \*[Lt]\*[Lt] Dv CRK_MOD_EXP
389 .It Dv CIOCKEY Fa struct crypt_kop *kop
392 u_int crk_op; /* e.g. CRK_MOD_EXP */
393 u_int crk_status; /* return status */
394 u_short crk_iparams; /* # of input params */
395 u_short crk_oparams; /* # of output params */
397 struct crparam crk_param[CRK_MAXPARAM];
400 /* Bignum parameter, in packed bytes. */
407 Performs an asymmetric-key operation from the list above.
408 The specific operation is supplied in
409 .Fa kop-\*[Gt]crk_op ;
410 final status for the operation is returned in
411 .Fa kop-\*[Gt]crk_status .
412 The number of input arguments and the number of output arguments
414 .Fa kop-\*[Gt]crk_iparams
416 .Fa kop-\*[Gt]crk_iparams ,
420 must be filled in with exactly
421 .Fa kop-\*[Gt]crk_iparams + kop-\*[Gt]crk_oparams
422 arguments, each encoded as a
424 (address, bitlength) pair.
426 The semantics of these arguments are currently undocumented.
440 driver first appeared in
444 driver was imported to
447 Error checking and reporting is weak.
449 The values specified for symmetric-key key sizes to
451 must exactly match the values expected by
453 The output buffer and MAC buffers supplied to
455 must follow whether privacy or integrity algorithms were specified for
456 session: if you request a
458 algorithm, you must supply a suitably-sized buffer.
460 The scheme for passing arguments for asymmetric requests is baroque.
464 It should be possible to use the
466 commands directly on a