diff --git a/share/man/man4/crypto.4 b/share/man/man4/crypto.4 --- a/share/man/man4/crypto.4 +++ b/share/man/man4/crypto.4 @@ -1,13 +1,16 @@ .\" $NetBSD: crypto.4,v 1.24 2014/01/27 21:23:59 pgoyette Exp $ .\" .\" Copyright (c) 2008 The NetBSD Foundation, Inc. -.\" Copyright (c) 2014 The FreeBSD Foundation +.\" Copyright (c) 2014-2021 The FreeBSD Foundation .\" All rights reserved. .\" .\" Portions of this documentation were written by John-Mark Gurney .\" under sponsorship of the FreeBSD Foundation and .\" Rubicon Communications, LLC (Netgate). .\" +.\" Portions of this documentation were written by Ararat River +.\" Consulting, LLC under sponsorship of the FreeBSD Foundation. +.\" .\" This code is derived from software contributed to The NetBSD Foundation .\" by Coyote Point Systems, Inc. .\" @@ -60,7 +63,7 @@ .\" .\" $FreeBSD$ .\" -.Dd April 12, 2021 +.Dd October 6, 2021 .Dt CRYPTO 4 .Os .Sh NAME @@ -251,14 +254,27 @@ uint32_t ses; /* returns: ses # */ int crid; /* driver id + flags (rw) */ - int pad[4]; /* for future expansion */ + int ivlen; /* length of nonce/IV */ + int maclen; /* length of MAC/tag */ + int pad[2]; /* for future expansion */ }; .Ed -This request is similar to CIOGSESSION except that +This request is similar to CIOGSESSION but adds additional fields. +.Pp .Fa sessp-\*[Gt]crid requests either a specific crypto device or a class of devices (software vs hardware). +.Pp +.Fa sessp-\*[Gt]ivlen +specifies the length of the IV or nonce supplied with each request. +If this field is set to zero, the default IV or nonce length is used. +.Pp +.Fa sessp-\*[Gt]maclen +specifies the length of the MAC or authentication tag supplied or computed by +each request. +If this field is set to zero, the full MAC is used. +.Pp The .Fa sessp-\*[Gt]pad field must be initialized to zero. diff --git a/sys/opencrypto/cryptodev.h b/sys/opencrypto/cryptodev.h --- a/sys/opencrypto/cryptodev.h +++ b/sys/opencrypto/cryptodev.h @@ -23,13 +23,16 @@ * PURPOSE. * * Copyright (c) 2001 Theo de Raadt - * Copyright (c) 2014 The FreeBSD Foundation + * Copyright (c) 2014-2021 The FreeBSD Foundation * All rights reserved. * * Portions of this software were developed by John-Mark Gurney * under sponsorship of the FreeBSD Foundation and * Rubicon Communications, LLC (Netgate). * + * Portions of this software were developed by Ararat River + * Consulting, LLC under sponsorship of the FreeBSD Foundation. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -241,7 +244,9 @@ uint32_t ses; /* returns: session # */ int crid; /* driver id + flags (rw) */ - int pad[4]; /* for future expansion */ + int ivlen; /* length of nonce/IV */ + int maclen; /* length of MAC/tag */ + int pad[2]; /* for future expansion */ }; struct crypt_op { diff --git a/sys/opencrypto/cryptodev.c b/sys/opencrypto/cryptodev.c --- a/sys/opencrypto/cryptodev.c +++ b/sys/opencrypto/cryptodev.c @@ -103,7 +103,9 @@ uint32_t mackey; uint32_t ses; int crid; - int pad[4]; + int ivlen; + int maclen; + int pad[2]; }; struct crypt_op32 { @@ -156,6 +158,8 @@ session_op_from_32((const struct session_op32 *)from, to); CP(*from, *to, crid); + CP(*from, *to, ivlen); + CP(*from, *to, maclen); } static void @@ -597,6 +601,25 @@ csp.csp_ivlen = AES_CCM_IV_LEN; } + if (sop->ivlen != 0) { + if (csp.csp_ivlen == 0) { + CRYPTDEB("does not support an IV"); + error = EINVAL; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); + goto bail; + } + csp.csp_ivlen = sop->ivlen; + } + if (sop->maclen != 0) { + if (!(thash != NULL || csp.csp_mode == CSP_MODE_AEAD)) { + CRYPTDEB("does not support a MAC"); + error = EINVAL; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); + goto bail; + } + csp.csp_auth_mlen = sop->maclen; + } + crid = sop->crid; error = checkforsoftware(&crid); if (error) { @@ -618,7 +641,9 @@ cse->mackey = mackey; cse->cses = cses; cse->txform = txform; - if (thash != NULL) + if (sop->maclen != 0) + cse->hashsize = sop->maclen; + else if (thash != NULL) cse->hashsize = thash->hashsize; else if (csp.csp_cipher_alg == CRYPTO_AES_NIST_GCM_16) cse->hashsize = AES_GMAC_HASH_LEN;