1 /* $OpenBSD: cryptodev.c,v 1.52 2002/06/19 07:22:46 deraadt Exp $ */
4 * Copyright (c) 2001 Theo de Raadt
5 * Copyright (c) 2002-2006 Sam Leffler, Errno Consulting
6 * Copyright (c) 2014-2021 The FreeBSD Foundation
9 * Portions of this software were developed by John-Mark Gurney
10 * under sponsorship of the FreeBSD Foundation and
11 * Rubicon Communications, LLC (Netgate).
13 * Portions of this software were developed by Ararat River
14 * Consulting, LLC under sponsorship of the FreeBSD Foundation.
16 * Redistribution and use in source and binary forms, with or without
17 * modification, are permitted provided that the following conditions
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in the
24 * documentation and/or other materials provided with the distribution.
25 * 3. The name of the author may not be used to endorse or promote products
26 * derived from this software without specific prior written permission.
28 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
29 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
30 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
31 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
32 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
33 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
34 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
35 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
36 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 * Effort sponsored in part by the Defense Advanced Research Projects
40 * Agency (DARPA) and Air Force Research Laboratory, Air Force
41 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
44 #include <sys/cdefs.h>
45 __FBSDID("$FreeBSD$");
47 #include <sys/param.h>
48 #include <sys/systm.h>
49 #include <sys/malloc.h>
52 #include <sys/mutex.h>
54 #include <sys/sysctl.h>
55 #include <sys/errno.h>
56 #include <sys/random.h>
58 #include <sys/kernel.h>
59 #include <sys/module.h>
60 #include <sys/fcntl.h>
63 #include <sys/syscallsubr.h>
65 #include <opencrypto/cryptodev.h>
66 #include <opencrypto/xform.h>
68 SDT_PROVIDER_DECLARE(opencrypto);
70 SDT_PROBE_DEFINE1(opencrypto, dev, ioctl, error, "int"/*line number*/);
72 #ifdef COMPAT_FREEBSD12
74 * Previously, most ioctls were performed against a cloned descriptor
75 * of /dev/crypto obtained via CRIOGET. Now all ioctls are performed
76 * against /dev/crypto directly.
78 #define CRIOGET _IOWR('c', 100, uint32_t)
81 /* the following are done against the cloned descriptor */
83 #ifdef COMPAT_FREEBSD32
84 #include <sys/mount.h>
85 #include <compat/freebsd32/freebsd32.h>
97 struct session2_op32 {
121 struct crypt_aead32 {
135 #define CIOCGSESSION32 _IOWR('c', 101, struct session_op32)
136 #define CIOCCRYPT32 _IOWR('c', 103, struct crypt_op32)
137 #define CIOCGSESSION232 _IOWR('c', 106, struct session2_op32)
138 #define CIOCCRYPTAEAD32 _IOWR('c', 109, struct crypt_aead32)
141 session_op_from_32(const struct session_op32 *from, struct session2_op *to)
144 memset(to, 0, sizeof(*to));
145 CP(*from, *to, cipher);
147 CP(*from, *to, keylen);
148 PTRIN_CP(*from, *to, key);
149 CP(*from, *to, mackeylen);
150 PTRIN_CP(*from, *to, mackey);
152 to->crid = CRYPTOCAP_F_HARDWARE;
156 session2_op_from_32(const struct session2_op32 *from, struct session2_op *to)
159 session_op_from_32((const struct session_op32 *)from, to);
160 CP(*from, *to, crid);
161 CP(*from, *to, ivlen);
162 CP(*from, *to, maclen);
166 session_op_to_32(const struct session2_op *from, struct session_op32 *to)
169 CP(*from, *to, cipher);
171 CP(*from, *to, keylen);
172 PTROUT_CP(*from, *to, key);
173 CP(*from, *to, mackeylen);
174 PTROUT_CP(*from, *to, mackey);
179 session2_op_to_32(const struct session2_op *from, struct session2_op32 *to)
182 session_op_to_32(from, (struct session_op32 *)to);
183 CP(*from, *to, crid);
187 crypt_op_from_32(const struct crypt_op32 *from, struct crypt_op *to)
192 CP(*from, *to, flags);
194 PTRIN_CP(*from, *to, src);
195 PTRIN_CP(*from, *to, dst);
196 PTRIN_CP(*from, *to, mac);
197 PTRIN_CP(*from, *to, iv);
201 crypt_op_to_32(const struct crypt_op *from, struct crypt_op32 *to)
206 CP(*from, *to, flags);
208 PTROUT_CP(*from, *to, src);
209 PTROUT_CP(*from, *to, dst);
210 PTROUT_CP(*from, *to, mac);
211 PTROUT_CP(*from, *to, iv);
215 crypt_aead_from_32(const struct crypt_aead32 *from, struct crypt_aead *to)
220 CP(*from, *to, flags);
222 CP(*from, *to, aadlen);
223 CP(*from, *to, ivlen);
224 PTRIN_CP(*from, *to, src);
225 PTRIN_CP(*from, *to, dst);
226 PTRIN_CP(*from, *to, aad);
227 PTRIN_CP(*from, *to, tag);
228 PTRIN_CP(*from, *to, iv);
232 crypt_aead_to_32(const struct crypt_aead *from, struct crypt_aead32 *to)
237 CP(*from, *to, flags);
239 CP(*from, *to, aadlen);
240 CP(*from, *to, ivlen);
241 PTROUT_CP(*from, *to, src);
242 PTROUT_CP(*from, *to, dst);
243 PTROUT_CP(*from, *to, aad);
244 PTROUT_CP(*from, *to, tag);
245 PTROUT_CP(*from, *to, iv);
250 session2_op_from_op(const struct session_op *from, struct session2_op *to)
253 memset(to, 0, sizeof(*to));
254 memcpy(to, from, sizeof(*from));
255 to->crid = CRYPTOCAP_F_HARDWARE;
259 session2_op_to_op(const struct session2_op *from, struct session_op *to)
262 memcpy(to, from, sizeof(*to));
266 TAILQ_ENTRY(csession) next;
267 crypto_session_t cses;
270 struct mtx lock; /* for op submission */
272 const struct enc_xform *txform;
280 struct cryptop_data {
281 struct csession *cse;
290 TAILQ_HEAD(csessionlist, csession) csessions;
295 static bool use_outputbuffers;
296 SYSCTL_BOOL(_kern_crypto, OID_AUTO, cryptodev_use_output, CTLFLAG_RW,
297 &use_outputbuffers, 0,
298 "Use separate output buffers for /dev/crypto requests.");
300 static bool use_separate_aad;
301 SYSCTL_BOOL(_kern_crypto, OID_AUTO, cryptodev_separate_aad, CTLFLAG_RW,
302 &use_separate_aad, 0,
303 "Use separate AAD buffer for /dev/crypto requests.");
306 * Check a crypto identifier to see if it requested
307 * a software device/driver. This can be done either
308 * by device name/class or through search constraints.
311 checkforsoftware(int *cridp)
317 if (!crypto_devallowsoft) {
318 if (crid & CRYPTOCAP_F_SOFTWARE) {
319 if (crid & CRYPTOCAP_F_HARDWARE) {
320 *cridp = CRYPTOCAP_F_HARDWARE;
325 if ((crid & CRYPTOCAP_F_HARDWARE) == 0 &&
326 (crypto_getcaps(crid) & CRYPTOCAP_F_HARDWARE) == 0)
333 cse_create(struct fcrypt *fcr, struct session2_op *sop)
335 struct crypto_session_params csp;
336 struct csession *cse;
337 const struct enc_xform *txform;
338 const struct auth_hash *thash;
341 crypto_session_t cses;
344 switch (sop->cipher) {
349 txform = &enc_xform_aes_cbc;
352 txform = &enc_xform_aes_xts;
354 case CRYPTO_NULL_CBC:
355 txform = &enc_xform_null;
357 case CRYPTO_CAMELLIA_CBC:
358 txform = &enc_xform_camellia;
361 txform = &enc_xform_aes_icm;
363 case CRYPTO_AES_NIST_GCM_16:
364 txform = &enc_xform_aes_nist_gcm;
366 case CRYPTO_CHACHA20:
367 txform = &enc_xform_chacha20;
369 case CRYPTO_AES_CCM_16:
370 txform = &enc_xform_ccm;
372 case CRYPTO_CHACHA20_POLY1305:
373 txform = &enc_xform_chacha20_poly1305;
376 CRYPTDEB("invalid cipher");
377 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
385 case CRYPTO_POLY1305:
386 thash = &auth_hash_poly1305;
388 case CRYPTO_SHA1_HMAC:
389 thash = &auth_hash_hmac_sha1;
391 case CRYPTO_SHA2_224_HMAC:
392 thash = &auth_hash_hmac_sha2_224;
394 case CRYPTO_SHA2_256_HMAC:
395 thash = &auth_hash_hmac_sha2_256;
397 case CRYPTO_SHA2_384_HMAC:
398 thash = &auth_hash_hmac_sha2_384;
400 case CRYPTO_SHA2_512_HMAC:
401 thash = &auth_hash_hmac_sha2_512;
403 case CRYPTO_RIPEMD160_HMAC:
404 thash = &auth_hash_hmac_ripemd_160;
406 #ifdef COMPAT_FREEBSD12
407 case CRYPTO_AES_128_NIST_GMAC:
408 case CRYPTO_AES_192_NIST_GMAC:
409 case CRYPTO_AES_256_NIST_GMAC:
410 /* Should always be paired with GCM. */
411 if (sop->cipher != CRYPTO_AES_NIST_GCM_16) {
412 CRYPTDEB("GMAC without GCM");
413 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
418 case CRYPTO_AES_NIST_GMAC:
419 switch (sop->mackeylen * 8) {
421 thash = &auth_hash_nist_gmac_aes_128;
424 thash = &auth_hash_nist_gmac_aes_192;
427 thash = &auth_hash_nist_gmac_aes_256;
430 CRYPTDEB("invalid GMAC key length");
431 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
435 case CRYPTO_AES_CCM_CBC_MAC:
436 switch (sop->mackeylen) {
438 thash = &auth_hash_ccm_cbc_mac_128;
441 thash = &auth_hash_ccm_cbc_mac_192;
444 thash = &auth_hash_ccm_cbc_mac_256;
447 CRYPTDEB("Invalid CBC MAC key size %d", sop->keylen);
448 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
452 case CRYPTO_RIPEMD160:
453 thash = &auth_hash_ripemd_160;
456 thash = &auth_hash_sha1;
458 case CRYPTO_SHA2_224:
459 thash = &auth_hash_sha2_224;
461 case CRYPTO_SHA2_256:
462 thash = &auth_hash_sha2_256;
464 case CRYPTO_SHA2_384:
465 thash = &auth_hash_sha2_384;
467 case CRYPTO_SHA2_512:
468 thash = &auth_hash_sha2_512;
471 case CRYPTO_NULL_HMAC:
472 thash = &auth_hash_null;
476 thash = &auth_hash_blake2b;
479 thash = &auth_hash_blake2s;
483 CRYPTDEB("invalid mac");
484 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
488 if (txform == NULL && thash == NULL) {
489 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
493 memset(&csp, 0, sizeof(csp));
494 if (use_outputbuffers)
495 csp.csp_flags |= CSP_F_SEPARATE_OUTPUT;
497 if (sop->cipher == CRYPTO_AES_NIST_GCM_16) {
499 #ifdef COMPAT_FREEBSD12
500 case CRYPTO_AES_128_NIST_GMAC:
501 case CRYPTO_AES_192_NIST_GMAC:
502 case CRYPTO_AES_256_NIST_GMAC:
503 if (sop->keylen != sop->mackeylen) {
504 SDT_PROBE1(opencrypto, dev, ioctl, error,
513 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
516 csp.csp_mode = CSP_MODE_AEAD;
517 } else if (sop->cipher == CRYPTO_AES_CCM_16) {
519 #ifdef COMPAT_FREEBSD12
520 case CRYPTO_AES_CCM_CBC_MAC:
521 if (sop->keylen != sop->mackeylen) {
522 SDT_PROBE1(opencrypto, dev, ioctl, error,
532 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
535 csp.csp_mode = CSP_MODE_AEAD;
536 } else if (sop->cipher == CRYPTO_CHACHA20_POLY1305) {
538 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
541 csp.csp_mode = CSP_MODE_AEAD;
542 } else if (txform != NULL && thash != NULL)
543 csp.csp_mode = CSP_MODE_ETA;
544 else if (txform != NULL)
545 csp.csp_mode = CSP_MODE_CIPHER;
547 csp.csp_mode = CSP_MODE_DIGEST;
549 switch (csp.csp_mode) {
552 if (use_separate_aad)
553 csp.csp_flags |= CSP_F_SEPARATE_AAD;
557 if (txform != NULL) {
558 csp.csp_cipher_alg = txform->type;
559 csp.csp_cipher_klen = sop->keylen;
560 if (sop->keylen > txform->maxkey ||
561 sop->keylen < txform->minkey) {
562 CRYPTDEB("invalid cipher parameters");
564 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
568 key = malloc(csp.csp_cipher_klen, M_XDATA, M_WAITOK);
569 error = copyin(sop->key, key, csp.csp_cipher_klen);
571 CRYPTDEB("invalid key");
572 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
575 csp.csp_cipher_key = key;
576 csp.csp_ivlen = txform->ivsize;
580 csp.csp_auth_alg = thash->type;
581 csp.csp_auth_klen = sop->mackeylen;
582 if (sop->mackeylen > thash->keysize || sop->mackeylen < 0) {
583 CRYPTDEB("invalid mac key length");
585 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
589 if (csp.csp_auth_klen != 0) {
590 mackey = malloc(csp.csp_auth_klen, M_XDATA, M_WAITOK);
591 error = copyin(sop->mackey, mackey, csp.csp_auth_klen);
593 CRYPTDEB("invalid mac key");
594 SDT_PROBE1(opencrypto, dev, ioctl, error,
598 csp.csp_auth_key = mackey;
601 if (csp.csp_auth_alg == CRYPTO_AES_NIST_GMAC)
602 csp.csp_ivlen = AES_GCM_IV_LEN;
603 if (csp.csp_auth_alg == CRYPTO_AES_CCM_CBC_MAC)
604 csp.csp_ivlen = AES_CCM_IV_LEN;
607 if (sop->ivlen != 0) {
608 if (csp.csp_ivlen == 0) {
609 CRYPTDEB("does not support an IV");
611 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
614 csp.csp_ivlen = sop->ivlen;
616 if (sop->maclen != 0) {
617 if (!(thash != NULL || csp.csp_mode == CSP_MODE_AEAD)) {
618 CRYPTDEB("does not support a MAC");
620 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
623 csp.csp_auth_mlen = sop->maclen;
627 error = checkforsoftware(&crid);
629 CRYPTDEB("checkforsoftware");
630 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
633 error = crypto_newsession(&cses, &csp, crid);
635 CRYPTDEB("crypto_newsession");
636 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
640 cse = malloc(sizeof(struct csession), M_XDATA, M_WAITOK | M_ZERO);
641 mtx_init(&cse->lock, "cryptodev", "crypto session lock", MTX_DEF);
642 refcount_init(&cse->refs, 1);
644 cse->mackey = mackey;
646 cse->txform = txform;
647 if (sop->maclen != 0)
648 cse->hashsize = sop->maclen;
649 else if (thash != NULL)
650 cse->hashsize = thash->hashsize;
651 else if (csp.csp_mode == CSP_MODE_AEAD)
652 cse->hashsize = txform->macsize;
653 cse->ivsize = csp.csp_ivlen;
655 mtx_lock(&fcr->lock);
656 TAILQ_INSERT_TAIL(&fcr->csessions, cse, next);
657 cse->ses = fcr->sesn++;
658 mtx_unlock(&fcr->lock);
662 /* return hardware/driver id */
663 sop->crid = crypto_ses2hid(cse->cses);
667 free(mackey, M_XDATA);
672 static struct csession *
673 cse_find(struct fcrypt *fcr, u_int ses)
675 struct csession *cse;
677 mtx_lock(&fcr->lock);
678 TAILQ_FOREACH(cse, &fcr->csessions, next) {
679 if (cse->ses == ses) {
680 refcount_acquire(&cse->refs);
681 mtx_unlock(&fcr->lock);
685 mtx_unlock(&fcr->lock);
690 cse_free(struct csession *cse)
693 if (!refcount_release(&cse->refs))
695 crypto_freesession(cse->cses);
696 mtx_destroy(&cse->lock);
698 free(cse->key, M_XDATA);
700 free(cse->mackey, M_XDATA);
705 cse_delete(struct fcrypt *fcr, u_int ses)
707 struct csession *cse;
709 mtx_lock(&fcr->lock);
710 TAILQ_FOREACH(cse, &fcr->csessions, next) {
711 if (cse->ses == ses) {
712 TAILQ_REMOVE(&fcr->csessions, cse, next);
713 mtx_unlock(&fcr->lock);
718 mtx_unlock(&fcr->lock);
722 static struct cryptop_data *
723 cod_alloc(struct csession *cse, size_t aad_len, size_t len)
725 struct cryptop_data *cod;
727 cod = malloc(sizeof(struct cryptop_data), M_XDATA, M_WAITOK | M_ZERO);
730 if (crypto_get_params(cse->cses)->csp_flags & CSP_F_SEPARATE_AAD) {
732 cod->aad = malloc(aad_len, M_XDATA, M_WAITOK);
733 cod->buf = malloc(len, M_XDATA, M_WAITOK);
735 cod->buf = malloc(aad_len + len, M_XDATA, M_WAITOK);
736 if (crypto_get_params(cse->cses)->csp_flags & CSP_F_SEPARATE_OUTPUT)
737 cod->obuf = malloc(len, M_XDATA, M_WAITOK);
742 cod_free(struct cryptop_data *cod)
745 free(cod->aad, M_XDATA);
746 free(cod->obuf, M_XDATA);
747 free(cod->buf, M_XDATA);
752 cryptodev_cb(struct cryptop *crp)
754 struct cryptop_data *cod = crp->crp_opaque;
757 * Lock to ensure the wakeup() is not missed by the loops
758 * waiting on cod->done in cryptodev_op() and
761 mtx_lock(&cod->cse->lock);
763 mtx_unlock(&cod->cse->lock);
769 cryptodev_op(struct csession *cse, const struct crypt_op *cop)
771 const struct crypto_session_params *csp;
772 struct cryptop_data *cod = NULL;
773 struct cryptop *crp = NULL;
777 if (cop->len > 256*1024-4) {
778 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
783 if ((cop->len % cse->txform->blocksize) != 0) {
784 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
789 if (cop->mac && cse->hashsize == 0) {
790 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
795 * The COP_F_CIPHER_FIRST flag predates explicit session
796 * modes, but the only way it was used was for EtA so allow it
797 * as long as it is consistent with EtA.
799 if (cop->flags & COP_F_CIPHER_FIRST) {
800 if (cop->op != COP_ENCRYPT) {
801 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
806 cod = cod_alloc(cse, 0, cop->len + cse->hashsize);
809 crp = crypto_getreq(cse->cses, M_WAITOK);
811 error = copyin(cop->src, cod->buf, cop->len);
813 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
816 crp->crp_payload_start = 0;
817 crp->crp_payload_length = cop->len;
819 crp->crp_digest_start = cop->len;
821 csp = crypto_get_params(cse->cses);
822 switch (csp->csp_mode) {
823 case CSP_MODE_COMPRESS:
826 crp->crp_op = CRYPTO_OP_COMPRESS;
829 crp->crp_op = CRYPTO_OP_DECOMPRESS;
832 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
837 case CSP_MODE_CIPHER:
839 (cop->iv == NULL && cop->len == cse->ivsize)) {
840 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
846 crp->crp_op = CRYPTO_OP_ENCRYPT;
849 crp->crp_op = CRYPTO_OP_DECRYPT;
852 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
857 case CSP_MODE_DIGEST:
862 crp->crp_op = CRYPTO_OP_COMPUTE_DIGEST;
863 if (cod->obuf != NULL)
864 crp->crp_digest_start = 0;
867 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
873 if (cse->ivsize != 0 && cop->iv == NULL) {
874 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
882 crp->crp_op = CRYPTO_OP_ENCRYPT |
883 CRYPTO_OP_COMPUTE_DIGEST;
886 crp->crp_op = CRYPTO_OP_DECRYPT |
887 CRYPTO_OP_VERIFY_DIGEST;
890 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
896 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
901 crp->crp_flags = CRYPTO_F_CBIMM | (cop->flags & COP_F_BATCH);
902 crypto_use_buf(crp, cod->buf, cop->len + cse->hashsize);
904 crypto_use_output_buf(crp, cod->obuf, cop->len + cse->hashsize);
905 crp->crp_callback = cryptodev_cb;
906 crp->crp_opaque = cod;
909 if (cse->ivsize == 0) {
910 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
914 error = copyin(cop->iv, crp->crp_iv, cse->ivsize);
916 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
919 crp->crp_flags |= CRYPTO_F_IV_SEPARATE;
920 } else if (cse->ivsize != 0) {
921 if (crp->crp_payload_length < cse->ivsize) {
922 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
926 crp->crp_iv_start = 0;
927 crp->crp_payload_length -= cse->ivsize;
928 if (crp->crp_payload_length != 0)
929 crp->crp_payload_start = cse->ivsize;
933 if (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) {
934 error = copyin(cop->mac, cod->buf + crp->crp_digest_start,
937 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
943 * Let the dispatch run unlocked, then, interlock against the
944 * callback before checking if the operation completed and going
945 * to sleep. This insures drivers don't inherit our lock which
946 * results in a lock order reversal between crypto_dispatch forced
947 * entry and the crypto_done callback into us.
949 error = crypto_dispatch(crp);
951 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
955 mtx_lock(&cse->lock);
957 mtx_sleep(cod, &cse->lock, PWAIT, "crydev", 0);
958 mtx_unlock(&cse->lock);
960 if (crp->crp_etype == EAGAIN) {
962 crp->crp_flags &= ~CRYPTO_F_DONE;
967 if (crp->crp_etype != 0) {
968 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
969 error = crp->crp_etype;
973 if (cop->dst != NULL) {
974 error = copyout(cod->obuf != NULL ? cod->obuf :
975 cod->buf + crp->crp_payload_start, dst,
976 crp->crp_payload_length);
978 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
983 if (cop->mac != NULL && (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) == 0) {
984 error = copyout((cod->obuf != NULL ? cod->obuf : cod->buf) +
985 crp->crp_digest_start, cop->mac, cse->hashsize);
987 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1000 cryptodev_aead(struct csession *cse, struct crypt_aead *caead)
1002 const struct crypto_session_params *csp;
1003 struct cryptop_data *cod = NULL;
1004 struct cryptop *crp = NULL;
1008 if (caead->len > 256*1024-4 || caead->aadlen > 256*1024-4) {
1009 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1013 if (cse->txform == NULL || cse->hashsize == 0 || caead->tag == NULL ||
1014 (caead->len % cse->txform->blocksize) != 0) {
1015 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1020 * The COP_F_CIPHER_FIRST flag predates explicit session
1021 * modes, but the only way it was used was for EtA so allow it
1022 * as long as it is consistent with EtA.
1024 if (caead->flags & COP_F_CIPHER_FIRST) {
1025 if (caead->op != COP_ENCRYPT) {
1026 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1031 cod = cod_alloc(cse, caead->aadlen, caead->len + cse->hashsize);
1034 crp = crypto_getreq(cse->cses, M_WAITOK);
1036 if (cod->aad != NULL)
1037 error = copyin(caead->aad, cod->aad, caead->aadlen);
1039 error = copyin(caead->aad, cod->buf, caead->aadlen);
1041 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1044 crp->crp_aad = cod->aad;
1045 crp->crp_aad_start = 0;
1046 crp->crp_aad_length = caead->aadlen;
1048 if (cod->aad != NULL)
1049 crp->crp_payload_start = 0;
1051 crp->crp_payload_start = caead->aadlen;
1052 error = copyin(caead->src, cod->buf + crp->crp_payload_start,
1055 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1058 crp->crp_payload_length = caead->len;
1059 if (caead->op == COP_ENCRYPT && cod->obuf != NULL)
1060 crp->crp_digest_start = crp->crp_payload_output_start +
1063 crp->crp_digest_start = crp->crp_payload_start + caead->len;
1065 csp = crypto_get_params(cse->cses);
1066 switch (csp->csp_mode) {
1069 switch (caead->op) {
1071 crp->crp_op = CRYPTO_OP_ENCRYPT |
1072 CRYPTO_OP_COMPUTE_DIGEST;
1075 crp->crp_op = CRYPTO_OP_DECRYPT |
1076 CRYPTO_OP_VERIFY_DIGEST;
1079 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1085 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1090 crp->crp_flags = CRYPTO_F_CBIMM | (caead->flags & COP_F_BATCH);
1091 crypto_use_buf(crp, cod->buf, crp->crp_payload_start + caead->len +
1093 if (cod->obuf != NULL)
1094 crypto_use_output_buf(crp, cod->obuf, caead->len +
1096 crp->crp_callback = cryptodev_cb;
1097 crp->crp_opaque = cod;
1101 * Permit a 16-byte IV for AES-XTS, but only use the
1102 * first 8 bytes as a block number.
1104 if (csp->csp_mode == CSP_MODE_ETA &&
1105 csp->csp_cipher_alg == CRYPTO_AES_XTS &&
1106 caead->ivlen == AES_BLOCK_LEN)
1107 caead->ivlen = AES_XTS_IV_LEN;
1109 if (cse->ivsize == 0) {
1110 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1114 if (caead->ivlen != cse->ivsize) {
1116 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1120 error = copyin(caead->iv, crp->crp_iv, cse->ivsize);
1122 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1125 crp->crp_flags |= CRYPTO_F_IV_SEPARATE;
1128 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1132 if (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) {
1133 error = copyin(caead->tag, cod->buf + crp->crp_digest_start,
1136 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1142 * Let the dispatch run unlocked, then, interlock against the
1143 * callback before checking if the operation completed and going
1144 * to sleep. This insures drivers don't inherit our lock which
1145 * results in a lock order reversal between crypto_dispatch forced
1146 * entry and the crypto_done callback into us.
1148 error = crypto_dispatch(crp);
1150 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1154 mtx_lock(&cse->lock);
1156 mtx_sleep(cod, &cse->lock, PWAIT, "crydev", 0);
1157 mtx_unlock(&cse->lock);
1159 if (crp->crp_etype == EAGAIN) {
1161 crp->crp_flags &= ~CRYPTO_F_DONE;
1166 if (crp->crp_etype != 0) {
1167 error = crp->crp_etype;
1168 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1172 if (caead->dst != NULL) {
1173 error = copyout(cod->obuf != NULL ? cod->obuf :
1174 cod->buf + crp->crp_payload_start, dst,
1175 crp->crp_payload_length);
1177 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1182 if ((crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) == 0) {
1183 error = copyout((cod->obuf != NULL ? cod->obuf : cod->buf) +
1184 crp->crp_digest_start, caead->tag, cse->hashsize);
1186 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1192 crypto_freereq(crp);
1199 cryptodev_find(struct crypt_find_op *find)
1202 size_t fnlen = sizeof find->name;
1204 if (find->crid != -1) {
1205 dev = crypto_find_device_byhid(find->crid);
1208 strncpy(find->name, device_get_nameunit(dev), fnlen);
1209 find->name[fnlen - 1] = '\x0';
1211 find->name[fnlen - 1] = '\x0';
1212 find->crid = crypto_find_driver(find->name);
1213 if (find->crid == -1)
1220 fcrypt_dtor(void *data)
1222 struct fcrypt *fcr = data;
1223 struct csession *cse;
1225 while ((cse = TAILQ_FIRST(&fcr->csessions))) {
1226 TAILQ_REMOVE(&fcr->csessions, cse, next);
1227 KASSERT(refcount_load(&cse->refs) == 1,
1228 ("%s: crypto session %p with %d refs", __func__, cse,
1229 refcount_load(&cse->refs)));
1232 mtx_destroy(&fcr->lock);
1237 crypto_open(struct cdev *dev, int oflags, int devtype, struct thread *td)
1242 fcr = malloc(sizeof(struct fcrypt), M_XDATA, M_WAITOK | M_ZERO);
1243 TAILQ_INIT(&fcr->csessions);
1244 mtx_init(&fcr->lock, "fcrypt", NULL, MTX_DEF);
1245 error = devfs_set_cdevpriv(fcr, fcrypt_dtor);
1252 crypto_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag,
1256 struct csession *cse;
1257 struct session2_op *sop;
1258 struct crypt_op *cop;
1259 struct crypt_aead *caead;
1263 struct session2_op sopc;
1264 #ifdef COMPAT_FREEBSD32
1265 struct crypt_op copc;
1266 struct crypt_aead aeadc;
1269 #ifdef COMPAT_FREEBSD32
1276 case CIOCGSESSION32:
1280 data = (void *)&thunk.sopc;
1281 session_op_from_32((struct session_op32 *)data32, &thunk.sopc);
1283 case CIOCGSESSION232:
1286 cmd = CIOCGSESSION2;
1287 data = (void *)&thunk.sopc;
1288 session2_op_from_32((struct session2_op32 *)data32,
1295 data = (void *)&thunk.copc;
1296 crypt_op_from_32((struct crypt_op32 *)data32, &thunk.copc);
1298 case CIOCCRYPTAEAD32:
1301 cmd = CIOCCRYPTAEAD;
1302 data = (void *)&thunk.aeadc;
1303 crypt_aead_from_32((struct crypt_aead32 *)data32, &thunk.aeadc);
1308 devfs_get_cdevpriv((void **)&fcr);
1311 #ifdef COMPAT_FREEBSD12
1314 * NB: This may fail in cases that the old
1315 * implementation did not if the current process has
1316 * restricted filesystem access (e.g. running in a
1317 * jail that does not expose /dev/crypto or in
1320 error = kern_openat(td, AT_FDCWD, "/dev/crypto", UIO_SYSSPACE,
1323 *(uint32_t *)data = td->td_retval[0];
1328 if (cmd == CIOCGSESSION) {
1329 session2_op_from_op((void *)data, &thunk.sopc);
1332 sop = (struct session2_op *)data;
1334 error = cse_create(fcr, sop);
1335 if (cmd == CIOCGSESSION && error == 0)
1336 session2_op_to_op(sop, (void *)data);
1339 ses = *(uint32_t *)data;
1340 if (!cse_delete(fcr, ses)) {
1341 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1346 cop = (struct crypt_op *)data;
1347 cse = cse_find(fcr, cop->ses);
1349 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1352 error = cryptodev_op(cse, cop);
1356 error = cryptodev_find((struct crypt_find_op *)data);
1359 caead = (struct crypt_aead *)data;
1360 cse = cse_find(fcr, caead->ses);
1362 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1365 error = cryptodev_aead(cse, caead);
1370 SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
1374 #ifdef COMPAT_FREEBSD32
1376 case CIOCGSESSION32:
1378 session_op_to_32((void *)data, data32);
1380 case CIOCGSESSION232:
1382 session2_op_to_32((void *)data, data32);
1386 crypt_op_to_32((void *)data, data32);
1388 case CIOCCRYPTAEAD32:
1390 crypt_aead_to_32((void *)data, data32);
1397 static struct cdevsw crypto_cdevsw = {
1398 .d_version = D_VERSION,
1399 .d_open = crypto_open,
1400 .d_ioctl = crypto_ioctl,
1403 static struct cdev *crypto_dev;
1406 * Initialization code, both for static and dynamic loading.
1409 cryptodev_modevent(module_t mod, int type, void *unused)
1414 printf("crypto: <crypto device>\n");
1415 crypto_dev = make_dev(&crypto_cdevsw, 0,
1416 UID_ROOT, GID_WHEEL, 0666,
1420 /*XXX disallow if active sessions */
1421 destroy_dev(crypto_dev);
1427 static moduledata_t cryptodev_mod = {
1432 MODULE_VERSION(cryptodev, 1);
1433 DECLARE_MODULE(cryptodev, cryptodev_mod, SI_SUB_PSEUDO, SI_ORDER_ANY);
1434 MODULE_DEPEND(cryptodev, crypto, 1, 1, 1);
1435 MODULE_DEPEND(cryptodev, zlib, 1, 1, 1);