| @@ -1,32 +1,32 @@ | | | @@ -1,32 +1,32 @@ |
1 | .\" $OpenBSD: crypto.9,v 1.25 2003/07/11 13:47:41 jmc Exp $ | | 1 | .\" $OpenBSD: crypto.9,v 1.25 2003/07/11 13:47:41 jmc Exp $ |
2 | .\" $NetBSD: opencrypto.9,v 1.8 2009/12/08 09:23:06 mbalmer Exp $ | | 2 | .\" $NetBSD: opencrypto.9,v 1.9 2010/01/22 09:18:07 hubertf Exp $ |
3 | .\" | | 3 | .\" |
4 | .\" The author of this man page is Angelos D. Keromytis (angelos@cis.upenn.edu) | | 4 | .\" The author of this man page is Angelos D. Keromytis (angelos@cis.upenn.edu) |
5 | .\" | | 5 | .\" |
6 | .\" Copyright (c) 2000, 2001 Angelos D. Keromytis | | 6 | .\" Copyright (c) 2000, 2001 Angelos D. Keromytis |
7 | .\" | | 7 | .\" |
8 | .\" Permission to use, copy, and modify this software with or without fee | | 8 | .\" Permission to use, copy, and modify this software with or without fee |
9 | .\" is hereby granted, provided that this entire notice is included in | | 9 | .\" is hereby granted, provided that this entire notice is included in |
10 | .\" all source code copies of any software which is or includes a copy or | | 10 | .\" all source code copies of any software which is or includes a copy or |
11 | .\" modification of this software. | | 11 | .\" modification of this software. |
12 | .\" | | 12 | .\" |
13 | .\" THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR | | 13 | .\" THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR |
14 | .\" IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY | | 14 | .\" IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY |
15 | .\" REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE | | 15 | .\" REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE |
16 | .\" MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR | | 16 | .\" MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR |
17 | .\" PURPOSE. | | 17 | .\" PURPOSE. |
18 | .\" | | 18 | .\" |
19 | .Dd December 20, 2003 | | 19 | .Dd January 1, 2010 |
20 | .Dt OPENCRYPTO 9 | | 20 | .Dt OPENCRYPTO 9 |
21 | .Os | | 21 | .Os |
22 | .Sh NAME | | 22 | .Sh NAME |
23 | .Nm opencrypto , | | 23 | .Nm opencrypto , |
24 | .Nm crypto_get_driverid , | | 24 | .Nm crypto_get_driverid , |
25 | .Nm crypto_register , | | 25 | .Nm crypto_register , |
26 | .Nm crypto_kregister , | | 26 | .Nm crypto_kregister , |
27 | .Nm crypto_unregister , | | 27 | .Nm crypto_unregister , |
28 | .Nm crypto_done , | | 28 | .Nm crypto_done , |
29 | .Nm crypto_kdone , | | 29 | .Nm crypto_kdone , |
30 | .Nm crypto_newsession , | | 30 | .Nm crypto_newsession , |
31 | .Nm crypto_freesession , | | 31 | .Nm crypto_freesession , |
32 | .Nm crypto_dispatch , | | 32 | .Nm crypto_dispatch , |
| @@ -314,27 +314,28 @@ The offset in the input buffer where pro | | | @@ -314,27 +314,28 @@ The offset in the input buffer where pro |
314 | .It Fa crd_len | | 314 | .It Fa crd_len |
315 | How many bytes, after | | 315 | How many bytes, after |
316 | .Fa crd_skip , | | 316 | .Fa crd_skip , |
317 | should be processed. | | 317 | should be processed. |
318 | .It Fa crd_inject | | 318 | .It Fa crd_inject |
319 | Offset from the beginning of the buffer to insert any results. | | 319 | Offset from the beginning of the buffer to insert any results. |
320 | For encryption algorithms, this is where the initialization vector | | 320 | For encryption algorithms, this is where the initialization vector |
321 | (IV) will be inserted when encrypting or where it can be found when | | 321 | (IV) will be inserted when encrypting or where it can be found when |
322 | decrypting (subject to | | 322 | decrypting (subject to |
323 | .Fa crd_flags ) . | | 323 | .Fa crd_flags ) . |
324 | For MAC algorithms, this is where the result of the keyed hash will be | | 324 | For MAC algorithms, this is where the result of the keyed hash will be |
325 | inserted. | | 325 | inserted. |
326 | .It Fa crd_flags | | 326 | .It Fa crd_flags |
327 | The following flags are defined: | | 327 | For adjusting general operation from userland, |
| | | 328 | the following flags are defined: |
328 | .Bl -tag -width CRD_F_IV_EXPLICIT | | 329 | .Bl -tag -width CRD_F_IV_EXPLICIT |
329 | .It Dv CRD_F_ENCRYPT | | 330 | .It Dv CRD_F_ENCRYPT |
330 | For encryption algorithms, this bit is set when encryption is required | | 331 | For encryption algorithms, this bit is set when encryption is required |
331 | (when not set, decryption is performed). | | 332 | (when not set, decryption is performed). |
332 | .It Dv CRD_F_IV_PRESENT | | 333 | .It Dv CRD_F_IV_PRESENT |
333 | For encryption algorithms, this bit is set when the IV already | | 334 | For encryption algorithms, this bit is set when the IV already |
334 | precedes the data, so the | | 335 | precedes the data, so the |
335 | .Fa crd_inject | | 336 | .Fa crd_inject |
336 | value will be ignored and no IV will be written in the buffer. | | 337 | value will be ignored and no IV will be written in the buffer. |
337 | Otherwise, the IV used to encrypt the packet will be written | | 338 | Otherwise, the IV used to encrypt the packet will be written |
338 | at the location pointed to by | | 339 | at the location pointed to by |
339 | .Fa crd_inject . | | 340 | .Fa crd_inject . |
340 | The IV length is assumed to be equal to the blocksize of the | | 341 | The IV length is assumed to be equal to the blocksize of the |
| @@ -419,26 +420,48 @@ for operation failure. | | | @@ -419,26 +420,48 @@ for operation failure. |
419 | .It Fa krp_iparams | | 420 | .It Fa krp_iparams |
420 | Number of input parameters to the specified operation. | | 421 | Number of input parameters to the specified operation. |
421 | Note that each operation has a (typically hardwired) number of such parameters. | | 422 | Note that each operation has a (typically hardwired) number of such parameters. |
422 | .It Fa krp_oparams | | 423 | .It Fa krp_oparams |
423 | Number of output parameters from the specified operation. | | 424 | Number of output parameters from the specified operation. |
424 | Note that each operation has a (typically hardwired) number of such parameters. | | 425 | Note that each operation has a (typically hardwired) number of such parameters. |
425 | .It Fa krp_kvp | | 426 | .It Fa krp_kvp |
426 | An array of kernel memory blocks containing the parameters. | | 427 | An array of kernel memory blocks containing the parameters. |
427 | .It Fa krp_hid | | 428 | .It Fa krp_hid |
428 | Identifier specifying which low-level driver is being used. | | 429 | Identifier specifying which low-level driver is being used. |
429 | .It Fa krp_callback | | 430 | .It Fa krp_callback |
430 | Callback called on completion of a keying operation. | | 431 | Callback called on completion of a keying operation. |
431 | .El | | 432 | .El |
| | | 433 | .Pp |
| | | 434 | The following sysctl entries exist to adjust |
| | | 435 | the behaviour of the system from userland: |
| | | 436 | .Bl -tag -width kern.cryptodevallowsoft |
| | | 437 | .It kern.usercrypto |
| | | 438 | Allow (1) or forbid (0) userland acces to |
| | | 439 | .Pa /dev/crypto . |
| | | 440 | .It kern.userasymcrypto |
| | | 441 | Allow (1) or forbid (0) userland acces to |
| | | 442 | do asymmetric crypto requests. |
| | | 443 | .It kern.cryptodevallowsoft |
| | | 444 | Enable/disable access to hardware versus software operations: |
| | | 445 | .Bl -tag -width xxx |
| | | 446 | .It < 0 |
| | | 447 | Force userlevel requests to use software operations, always. |
| | | 448 | .It = 0 |
| | | 449 | Use hardware if present, grant userlevel requests for non-accelerated |
| | | 450 | operations (handling the latter in software). |
| | | 451 | .It > 0 |
| | | 452 | Allow user requests only for operations which are hardware-accelerated. |
| | | 453 | .El |
| | | 454 | .El |
432 | .Sh DRIVER-SIDE API | | 455 | .Sh DRIVER-SIDE API |
433 | The | | 456 | The |
434 | .Fn crypto_get_driverid , | | 457 | .Fn crypto_get_driverid , |
435 | .Fn crypto_register , | | 458 | .Fn crypto_register , |
436 | .Fn crypto_kregister , | | 459 | .Fn crypto_kregister , |
437 | .Fn crypto_unregister , | | 460 | .Fn crypto_unregister , |
438 | and | | 461 | and |
439 | .Fn crypto_done | | 462 | .Fn crypto_done |
440 | routines are used by drivers that provide support for cryptographic | | 463 | routines are used by drivers that provide support for cryptographic |
441 | primitives to register and unregister with the kernel crypto services | | 464 | primitives to register and unregister with the kernel crypto services |
442 | framework. | | 465 | framework. |
443 | Drivers must first use the | | 466 | Drivers must first use the |
444 | .Fn crypto_get_driverid | | 467 | .Fn crypto_get_driverid |
| @@ -549,29 +572,31 @@ returns a pointer to a | | | @@ -549,29 +572,31 @@ returns a pointer to a |
549 | structure and | | 572 | structure and |
550 | .Dv NULL | | 573 | .Dv NULL |
551 | on failure. | | 574 | on failure. |
552 | .Fn crypto_dispatch | | 575 | .Fn crypto_dispatch |
553 | returns | | 576 | returns |
554 | .Er EINVAL | | 577 | .Er EINVAL |
555 | if its argument or the callback function was | | 578 | if its argument or the callback function was |
556 | .Dv NULL , | | 579 | .Dv NULL , |
557 | and 0 otherwise. | | 580 | and 0 otherwise. |
558 | The callback is provided with an error code in case of failure, in the | | 581 | The callback is provided with an error code in case of failure, in the |
559 | .Fa crp_etype | | 582 | .Fa crp_etype |
560 | field. | | 583 | field. |
561 | .Sh FILES | | 584 | .Sh FILES |
562 | .Bl -tag -width sys/crypto/crypto.c | | 585 | .Bl -tag -width sys/opencrypto/crypto.c |
563 | .It Pa sys/crypto/crypto.c | | 586 | .It Pa sys/opencrypto/crypto.c |
564 | most of the framework code | | 587 | most of the framework code |
| | | 588 | .It Pa sys/crypto |
| | | 589 | crypto algorithm implementations |
565 | .El | | 590 | .El |
566 | .Sh SEE ALSO | | 591 | .Sh SEE ALSO |
567 | .Xr ipsec 4 , | | 592 | .Xr ipsec 4 , |
568 | .Xr pcmcia 4 , | | 593 | .Xr pcmcia 4 , |
569 | .Xr condvar 9 , | | 594 | .Xr condvar 9 , |
570 | .Xr malloc 9 | | 595 | .Xr malloc 9 |
571 | .Rs | | 596 | .Rs |
572 | .%A "Angelos D. Keromytis" | | 597 | .%A "Angelos D. Keromytis" |
573 | .%A "Jason L. Wright" | | 598 | .%A "Jason L. Wright" |
574 | .%A "Theo de Raadt" | | 599 | .%A "Theo de Raadt" |
575 | .%T "The Design of the OpenBSD Cryptographic Framework" | | 600 | .%T "The Design of the OpenBSD Cryptographic Framework" |
576 | .%I "Usenix" | | 601 | .%I "Usenix" |
577 | .%N "2003" | | 602 | .%N "2003" |