Fri Jan 22 09:18:07 2010 UTC
Document sysctls


(hubertf)
diff -r1.8 -r1.9 src/share/man/man9/opencrypto.9

cvs diff -r1.8 -r1.9 src/share/man/man9/opencrypto.9

--- src/share/man/man9/opencrypto.9 2009/12/08 09:23:06 1.8
+++ src/share/man/man9/opencrypto.9 2010/01/22 09:18:07 1.9
@@ -1,32 +1,32 @@ @@ -1,32 +1,32 @@
1.\" $OpenBSD: crypto.9,v 1.25 2003/07/11 13:47:41 jmc Exp $ 1.\" $OpenBSD: crypto.9,v 1.25 2003/07/11 13:47:41 jmc Exp $
2.\" $NetBSD: opencrypto.9,v 1.8 2009/12/08 09:23:06 mbalmer Exp $ 2.\" $NetBSD: opencrypto.9,v 1.9 2010/01/22 09:18:07 hubertf Exp $
3.\" 3.\"
4.\" The author of this man page is Angelos D. Keromytis (angelos@cis.upenn.edu) 4.\" The author of this man page is Angelos D. Keromytis (angelos@cis.upenn.edu)
5.\" 5.\"
6.\" Copyright (c) 2000, 2001 Angelos D. Keromytis 6.\" Copyright (c) 2000, 2001 Angelos D. Keromytis
7.\" 7.\"
8.\" Permission to use, copy, and modify this software with or without fee 8.\" Permission to use, copy, and modify this software with or without fee
9.\" is hereby granted, provided that this entire notice is included in 9.\" is hereby granted, provided that this entire notice is included in
10.\" all source code copies of any software which is or includes a copy or 10.\" all source code copies of any software which is or includes a copy or
11.\" modification of this software. 11.\" modification of this software.
12.\" 12.\"
13.\" THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 13.\" THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
14.\" IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 14.\" IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
15.\" REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 15.\" REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
16.\" MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 16.\" MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
17.\" PURPOSE. 17.\" PURPOSE.
18.\" 18.\"
19.Dd December 20, 2003 19.Dd January 1, 2010
20.Dt OPENCRYPTO 9 20.Dt OPENCRYPTO 9
21.Os 21.Os
22.Sh NAME 22.Sh NAME
23.Nm opencrypto , 23.Nm opencrypto ,
24.Nm crypto_get_driverid , 24.Nm crypto_get_driverid ,
25.Nm crypto_register , 25.Nm crypto_register ,
26.Nm crypto_kregister , 26.Nm crypto_kregister ,
27.Nm crypto_unregister , 27.Nm crypto_unregister ,
28.Nm crypto_done , 28.Nm crypto_done ,
29.Nm crypto_kdone , 29.Nm crypto_kdone ,
30.Nm crypto_newsession , 30.Nm crypto_newsession ,
31.Nm crypto_freesession , 31.Nm crypto_freesession ,
32.Nm crypto_dispatch , 32.Nm crypto_dispatch ,
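Review bot: the new ".Dd January 1, 2010" on line 19 of the hunk does not match the commit date shown in the page header (Fri Jan 22 09:18:07 2010 UTC) and predates the sysctl text this revision adds; mdoc's .Dd records the date of the last content change, so it should read ".Dd January 22, 2010". The $NetBSD$ keyword line is expanded by CVS on commit and needs no hand edit.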
@@ -314,27 +314,28 @@ The offset in the input buffer where pro @@ -314,27 +314,28 @@ The offset in the input buffer where pro
314.It Fa crd_len 314.It Fa crd_len
315How many bytes, after 315How many bytes, after
316.Fa crd_skip , 316.Fa crd_skip ,
317should be processed. 317should be processed.
318.It Fa crd_inject 318.It Fa crd_inject
319Offset from the beginning of the buffer to insert any results. 319Offset from the beginning of the buffer to insert any results.
320For encryption algorithms, this is where the initialization vector 320For encryption algorithms, this is where the initialization vector
321(IV) will be inserted when encrypting or where it can be found when 321(IV) will be inserted when encrypting or where it can be found when
322decrypting (subject to 322decrypting (subject to
323.Fa crd_flags ) . 323.Fa crd_flags ) .
324For MAC algorithms, this is where the result of the keyed hash will be 324For MAC algorithms, this is where the result of the keyed hash will be
325inserted. 325inserted.
326.It Fa crd_flags 326.It Fa crd_flags
327The following flags are defined: 327For adjusting general operation from userland,
 328the following flags are defined:
328.Bl -tag -width CRD_F_IV_EXPLICIT 329.Bl -tag -width CRD_F_IV_EXPLICIT
329.It Dv CRD_F_ENCRYPT 330.It Dv CRD_F_ENCRYPT
330For encryption algorithms, this bit is set when encryption is required 331For encryption algorithms, this bit is set when encryption is required
331(when not set, decryption is performed). 332(when not set, decryption is performed).
332.It Dv CRD_F_IV_PRESENT 333.It Dv CRD_F_IV_PRESENT
333For encryption algorithms, this bit is set when the IV already 334For encryption algorithms, this bit is set when the IV already
334precedes the data, so the 335precedes the data, so the
335.Fa crd_inject 336.Fa crd_inject
336value will be ignored and no IV will be written in the buffer. 337value will be ignored and no IV will be written in the buffer.
337Otherwise, the IV used to encrypt the packet will be written 338Otherwise, the IV used to encrypt the packet will be written
338at the location pointed to by 339at the location pointed to by
339.Fa crd_inject . 340.Fa crd_inject .
340The IV length is assumed to be equal to the blocksize of the 341The IV length is assumed to be equal to the blocksize of the
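Review bot: the reworded lead-in on lines 327-328 of the hunk, "For adjusting general operation from userland, the following flags are defined:", is misleading in this context: this is the section 9 (.Dt OPENCRYPTO 9) description of the crd_flags field of struct cryptodesc, which in-kernel consumers set on each descriptor they submit; a userland caller never sets these bits directly. Suggest keeping the original "The following flags are defined:" here and reserving the "from userland" wording for the sysctl list, where it is accurate.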
@@ -419,26 +420,48 @@ for operation failure. @@ -419,26 +420,48 @@ for operation failure.
419.It Fa krp_iparams 420.It Fa krp_iparams
420Number of input parameters to the specified operation. 421Number of input parameters to the specified operation.
421Note that each operation has a (typically hardwired) number of such parameters. 422Note that each operation has a (typically hardwired) number of such parameters.
422.It Fa krp_oparams 423.It Fa krp_oparams
423Number of output parameters from the specified operation. 424Number of output parameters from the specified operation.
424Note that each operation has a (typically hardwired) number of such parameters. 425Note that each operation has a (typically hardwired) number of such parameters.
425.It Fa krp_kvp 426.It Fa krp_kvp
426An array of kernel memory blocks containing the parameters. 427An array of kernel memory blocks containing the parameters.
427.It Fa krp_hid 428.It Fa krp_hid
428Identifier specifying which low-level driver is being used. 429Identifier specifying which low-level driver is being used.
429.It Fa krp_callback 430.It Fa krp_callback
430Callback called on completion of a keying operation. 431Callback called on completion of a keying operation.
431.El 432.El
 433.Pp
 434The following sysctl entries exist to adjust
 435the behaviour of the system from userland:
 436.Bl -tag -width kern.cryptodevallowsoft
 437.It kern.usercrypto
 438Allow (1) or forbid (0) userland acces to
 439.Pa /dev/crypto .
 440.It kern.userasymcrypto
 441Allow (1) or forbid (0) userland acces to
 442do asymmetric crypto requests.
 443.It kern.cryptodevallowsoft
 444Enable/disable access to hardware versus software operations:
 445.Bl -tag -width xxx
 446.It < 0
 447Force userlevel requests to use software operations, always.
 448.It = 0
 449Use hardware if present, grant userlevel requests for non-accelerated
 450operations (handling the latter in software).
 451.It > 0
 452Allow user requests only for operations which are hardware-accelerated.
 453.El
 454.El
432.Sh DRIVER-SIDE API 455.Sh DRIVER-SIDE API
433The 456The
434.Fn crypto_get_driverid , 457.Fn crypto_get_driverid ,
435.Fn crypto_register , 458.Fn crypto_register ,
436.Fn crypto_kregister , 459.Fn crypto_kregister ,
437.Fn crypto_unregister , 460.Fn crypto_unregister ,
438and 461and
439.Fn crypto_done 462.Fn crypto_done
440routines are used by drivers that provide support for cryptographic 463routines are used by drivers that provide support for cryptographic
441primitives to register and unregister with the kernel crypto services 464primitives to register and unregister with the kernel crypto services
442framework. 465framework.
443Drivers must first use the 466Drivers must first use the
444.Fn crypto_get_driverid 467.Fn crypto_get_driverid
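Review bot: "acces" is misspelled on lines 438 and 441 of the hunk ("userland acces to"), and lines 441-442 read awkwardly ("access to do asymmetric crypto requests"); suggest "Allow (1) or forbid (0) userland access to /dev/crypto." and "Allow (1) or forbid (0) asymmetric (public-key) crypto requests from userland." Each entry should also state its default value, since these three sysctls are the knobs that gate unprivileged access to the kernel crypto framework and a reader hardening a host needs to know what they get out of the box and which setting to pick. Finally, note that kern.userasymcrypto is only meaningful when kern.usercrypto is 1, since without /dev/crypto access no userland request of either kind can reach the framework.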
@@ -549,29 +572,31 @@ returns a pointer to a @@ -549,29 +572,31 @@ returns a pointer to a
549structure and 572structure and
550.Dv NULL 573.Dv NULL
551on failure. 574on failure.
552.Fn crypto_dispatch 575.Fn crypto_dispatch
553returns 576returns
554.Er EINVAL 577.Er EINVAL
555if its argument or the callback function was 578if its argument or the callback function was
556.Dv NULL , 579.Dv NULL ,
557and 0 otherwise. 580and 0 otherwise.
558The callback is provided with an error code in case of failure, in the 581The callback is provided with an error code in case of failure, in the
559.Fa crp_etype 582.Fa crp_etype
560field. 583field.
561.Sh FILES 584.Sh FILES
562.Bl -tag -width sys/crypto/crypto.c 585.Bl -tag -width sys/opencrypto/crypto.c
563.It Pa sys/crypto/crypto.c 586.It Pa sys/opencrypto/crypto.c
564most of the framework code 587most of the framework code
 588.It Pa sys/crypto
 589crypto algorithm implementations
565.El 590.El
566.Sh SEE ALSO 591.Sh SEE ALSO
567.Xr ipsec 4 , 592.Xr ipsec 4 ,
568.Xr pcmcia 4 , 593.Xr pcmcia 4 ,
569.Xr condvar 9 , 594.Xr condvar 9 ,
570.Xr malloc 9 595.Xr malloc 9
571.Rs 596.Rs
572.%A "Angelos D. Keromytis" 597.%A "Angelos D. Keromytis"
573.%A "Jason L. Wright" 598.%A "Jason L. Wright"
574.%A "Theo de Raadt" 599.%A "Theo de Raadt"
575.%T "The Design of the OpenBSD Cryptographic Framework" 600.%T "The Design of the OpenBSD Cryptographic Framework"
576.%I "Usenix" 601.%I "Usenix"
577.%N "2003" 602.%N "2003"
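Review bot: the SEE ALSO list still stops at malloc(9); since the new sysctl text directs readers to /dev/crypto and to tunables they set from userland, add ".Xr crypto 4" for the /dev/crypto device and ".Xr sysctl 8" for setting the kern.* entries. The FILES correction to sys/opencrypto/crypto.c is right, and the .Bl -width argument was updated to the longer path so the tag column stays aligned.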