Page MenuHomeFreeBSD
Files F152916211

D29736.diff
No OneTemporary
Actions

D29736.diff
View Options

Index: ObsoleteFiles.inc
===================================================================
--- ObsoleteFiles.inc
+++ ObsoleteFiles.inc
@@ -36,6 +36,13 @@
# xargs -n1 | sort | uniq -d;
# done
+# 2021xxxx: Remove kernel asymmetric crypto
+OLD_FILES+=usr/share/man/man9/crypto_asym.9
+OLD_FILES+=usr/share/man/man9/crypto_kdispatch.9
+OLD_FILES+=usr/share/man/man9/crypto_kdone.9
+OLD_FILES+=usr/share/man/man9/crypto_kregister.9
+OLD_FILES+=usr/share/man/man9/CRYPTODEV_KPROCESS.9
+
# 20210408: remove tcp_hostcache.h
OLD_FILES+=usr/include/netinet/tcp_hostcache.h
Index: share/man/man4/crypto.4
===================================================================
--- share/man/man4/crypto.4
+++ share/man/man4/crypto.4
@@ -93,53 +93,32 @@
calls on the descriptor.
User-mode access to
.Pa /dev/crypto
-is controlled by two
+is controlled by the
+.Ic kern.cryptodevallowsoft
.Xr sysctl 8
-variables:
-.Ic kern.userasymcrypto
-and
-.Ic kern.cryptodevallowsoft .
-.Pp
-The
-.Nm
-device provides two distinct modes of operation: one mode for
-symmetric-keyed cryptographic requests and digests, and a second mode for
-both asymmetric-key (public-key/private-key) requests and
-modular arithmetic (for Diffie-Hellman key exchange and other
-cryptographic protocols).
-The two modes are described separately below.
-.Sh DEPRECATION NOTICE
-The asymmetric-key operations supported by this interface will not be
-present in
-.Fx 14.0
-and later.
+variable.
+If this variable is zero,
+then user-mode sessions are only permitted to use cryptography coprocessors.
.Sh THEORY OF OPERATION
-Regardless of whether symmetric-key or asymmetric-key operations are
-to be performed, use of the device requires a basic series of steps:
+Use of the device requires a basic series of steps:
.Bl -enum
.It
Open the
.Pa /dev/crypto
device.
.It
-If any symmetric-keyed cryptographic or digest operations will be performed,
-create a session with
+Create a session with
.Dv CIOCGSESSION
or
.Dv CIOCGSESSION2 .
-Most applications will require at least one symmetric session.
+Applications will require at least one symmetric session.
Since cipher and MAC keys are tied to sessions, many
applications will require more.
-Asymmetric operations do not use sessions.
.It
Submit requests, synchronously with
.Dv CIOCCRYPT
-(symmetric),
-.Dv CIOCCRYPTAEAD
-(symmetric),
or
-.Dv CIOCKEY
-(asymmetric).
+.Dv CIOCCRYPTAEAD .
.It
Optionally destroy a session with
.Dv CIOCFSESSION .
@@ -151,22 +130,27 @@
file desriptor.
.El
.Sh SYMMETRIC-KEY OPERATION
-The symmetric-key operation mode provides a context-based API
+.Nm cryptodev
+provides a context-based API
to traditional symmetric-key encryption (or privacy) algorithms,
-or to keyed and unkeyed one-way hash (HMAC and MAC) algorithms.
-The symmetric-key mode also permits encrypt-then-authenticate fused operation,
-where the hardware performs both a privacy algorithm and an integrity-check
+keyed and unkeyed one-way hash (HMAC and MAC) algorithms,
+encrypt-then-authenticate (ETA) fused operations,
+and authenticated encryption with additional data (AEAD) operations.
+For ETA operations,
+drivers perform both a privacy algorithm and an integrity-check
algorithm in a single pass over the data: either a fused
encrypt/HMAC-generate operation, or a fused HMAC-verify/decrypt operation.
+Similarly, for AEAD operations,
+drivers perform either an encrypt/MAC-generate operation
+or a MAC-verify/decrypt operation.
.Pp
-To use symmetric mode, you must first create a session specifying
-the algorithm(s) and key(s) to use; then issue encrypt or decrypt
-requests against the session.
+The algorithm(s) and key(s) to use are specified when a session is
+created.
+Individual requests are able to specify per-request initialization vectors
+or nonces.
.Ss Algorithms
For a list of supported algorithms, see
-.Xr crypto 7
-and
-.Xr crypto 9 .
+.Xr crypto 7 .
.Ss IOCTL Request Descriptions
.\"
.Bl -tag -width CIOCGSESSION
@@ -216,11 +200,13 @@
The special value 0 for either privacy or integrity
is reserved to indicate that the indicated operation (privacy or integrity)
is not desired for this session.
+ETA sessions specify both privacy and integrity algorithms.
+AEAD sessions specify only a privacy algorithm.
.Pp
Multiple sessions may be bound to a single file descriptor.
The session ID returned in
.Fa sessp-\*[Gt]ses
-is supplied as a required field in the symmetric-operation structure
+is supplied as a required field in the operation structure
.Fa crypt_op
for future encryption or hashing requests.
.\" .Pp
@@ -229,7 +215,7 @@
.\" .Nx
.\" extension.
.Pp
-For non-zero symmetric-key privacy algorithms, the privacy algorithm
+For non-zero privacy algorithms, the privacy algorithm
must be specified in
.Fa sessp-\*[Gt]cipher ,
the key length in
@@ -290,7 +276,7 @@
};
.Ed
-Request a symmetric-key (or hash) operation.
+Request an encryption/decryption (or hash) operation.
To encrypt, set
.Fa cr_op-\*[Gt]op
to
@@ -344,75 +330,6 @@
Destroys the session identified by
.Fa ses_id .
.El
-.\"
-.Sh ASYMMETRIC-KEY OPERATION
-.Ss Asymmetric-key algorithms
-Contingent upon hardware support, the following asymmetric
-(public-key/private-key; or key-exchange subroutine) operations may
-also be available:
-.Pp
-.Bl -column "CRK_DH_COMPUTE_KEY" "Input parameter" "Output parameter" -offset indent -compact
-.It Em "Algorithm" Ta "Input parameter" Ta "Output parameter"
-.It Em " " Ta "Count" Ta "Count"
-.It Dv CRK_MOD_EXP Ta 3 Ta 1
-.It Dv CRK_MOD_EXP_CRT Ta 6 Ta 1
-.It Dv CRK_DSA_SIGN Ta 5 Ta 2
-.It Dv CRK_DSA_VERIFY Ta 7 Ta 0
-.It Dv CRK_DH_COMPUTE_KEY Ta 3 Ta 1
-.El
-.Pp
-See below for discussion of the input and output parameter counts.
-.Ss Asymmetric-key commands
-.Bl -tag -width CIOCKEY
-.It Dv CIOCASYMFEAT Fa int *feature_mask
-Returns a bitmask of supported asymmetric-key operations.
-Each of the above-listed asymmetric operations is present
-if and only if the bit position numbered by the code for that operation
-is set.
-For example,
-.Dv CRK_MOD_EXP
-is available if and only if the bit
-.Pq 1 \*[Lt]\*[Lt] Dv CRK_MOD_EXP
-is set.
-.It Dv CIOCKEY Fa struct crypt_kop *kop
-.Bd -literal
-struct crypt_kop {
- u_int crk_op; /* e.g. CRK_MOD_EXP */
- u_int crk_status; /* return status */
- u_short crk_iparams; /* # of input params */
- u_short crk_oparams; /* # of output params */
- u_int crk_pad1;
- struct crparam crk_param[CRK_MAXPARAM];
-};
-
-/* Bignum parameter, in packed bytes. */
-struct crparam {
- void * crp_p;
- u_int crp_nbits;
-};
-
-.Ed
-Performs an asymmetric-key operation from the list above.
-The specific operation is supplied in
-.Fa kop-\*[Gt]crk_op ;
-final status for the operation is returned in
-.Fa kop-\*[Gt]crk_status .
-The number of input arguments and the number of output arguments
-is specified in
-.Fa kop-\*[Gt]crk_iparams
-and
-.Fa kop-\*[Gt]crk_iparams ,
-respectively.
-The field
-.Fa crk_param[]
-must be filled in with exactly
-.Fa kop-\*[Gt]crk_iparams + kop-\*[Gt]crk_oparams
-arguments, each encoded as a
-.Fa struct crparam
-(address, bitlength) pair.
-.Pp
-The semantics of these arguments are currently undocumented.
-.El
.Sh SEE ALSO
.Xr aesni 4 ,
.Xr hifn 4 ,
@@ -444,5 +361,3 @@
session: if you request a
.No non- Ns Dv NULL
algorithm, you must supply a suitably-sized buffer.
-.Pp
-The scheme for passing arguments for asymmetric requests is baroque.
Index: share/man/man9/Makefile
===================================================================
--- share/man/man9/Makefile
+++ share/man/man9/Makefile
@@ -72,7 +72,6 @@
cr_seeothergids.9 \
cr_seeotheruids.9 \
crypto.9 \
- crypto_asym.9 \
crypto_buffer.9 \
crypto_driver.9 \
crypto_request.9 \
@@ -913,10 +912,6 @@
cpuset.9 CPU_COPY_STORE_REL.9
MLINKS+=critical_enter.9 critical.9 \
critical_enter.9 critical_exit.9
-MLINKS+=crypto_asym.9 crypto_kdispatch.9 \
- crypto_asym.9 crypto_kdone.9 \
- crypto_asym.9 crypto_kregister.9 \
- crypto_asym.9 CRYPTODEV_KPROCESS.9
MLINKS+=crypto_buffer.9 crypto_apply.9 \
crypto_buffer.9 crypto_apply_buf.9 \
crypto_buffer.9 crypto_buffer_contiguous_segment.9 \
Index: share/man/man9/crypto.9
===================================================================
--- share/man/man9/crypto.9
+++ share/man/man9/crypto.9
@@ -35,15 +35,10 @@
device.
.Pp
.Nm
-supports two modes of operation:
-one mode for symmetric-keyed cryptographic requests and digest,
-and a second mode for asymmetric-key requests and modular arithmetic.
-.Ss Symmetric-Key Mode
-Symmetric-key operations include encryption and decryption operations
+supports encryption and decryption operations
using block and stream ciphers as well as computation and verification
of message authentication codes (MACs).
-In this mode,
-consumers allocate sessions to describe a transform as discussed in
+Consumers allocate sessions to describe a transform as discussed in
.Xr crypto_session 9 .
Consumers then allocate request objects to describe each transformation
such as encrypting a network packet or decrypting a disk sector.
@@ -56,18 +51,6 @@
describes the interfaces drivers use to register with the framework,
helper routines the framework provides to faciliate request processing,
and the interfaces drivers are required to provide.
-.Ss Asymmetric-Key Mode
-Assymteric-key operations do not use sessions.
-Instead,
-these operations perform individual mathematical operations using a set
-of input and output parameters.
-These operations are described in
-.Xr crypto_asym 9 .
-Drivers that support asymmetric operations use additional interfaces
-described in
-.Xr crypto_asym 9
-in addition to the base interfaces described in
-.Xr crypto_driver 9 .
.Ss Callbacks
Since the consumers may not be associated with a process, drivers may
not
@@ -83,10 +66,9 @@
Session initialization does not use callbacks and returns errors
synchronously.
.Ss Session Migration
-For symmetric-key operations,
-a specific error code,
+Operations may fail with a specific error code,
.Er EAGAIN ,
-is used to indicate that a session handle has changed and that the
+to indicate that a session handle has changed and that the
request may be re-submitted immediately with the new session.
The consumer should update its saved copy of the session handle
to the value of
@@ -95,9 +77,6 @@
.Ss Supported Algorithms
More details on some algorithms may be found in
.Xr crypto 7 .
-These algorithms are used for symmetric-mode operations.
-Asymmetric-mode operations support operations described in
-.Xr crypto_asym 9 .
.Pp
The following authentication algorithms are supported:
.Pp
@@ -156,7 +135,6 @@
.Xr crypto 4 ,
.Xr ipsec 4 ,
.Xr crypto 7 ,
-.Xr crypto_asym 9 ,
.Xr crypto_driver 9 ,
.Xr crypto_request 9 ,
.Xr crypto_session 9 ,
Index: share/man/man9/crypto_asym.9
===================================================================
--- share/man/man9/crypto_asym.9
+++ /dev/null
@@ -1,178 +0,0 @@
-.\" Copyright (c) 2020, Chelsio Inc
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright notice,
-.\" this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Chelsio Inc nor the names of its
-.\" contributors may be used to endorse or promote products derived from
-.\" this software without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-.\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-.\" POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" * Other names and brands may be claimed as the property of others.
-.\"
-.\" $FreeBSD$
-.\"
-.Dd March 27, 2020
-.Dt CRYPTO_ASYM 9
-.Os
-.Sh NAME
-.Nm crypto_asym
-.Nd asymmetric cryptographic operations
-.Sh SYNOPSIS
-.In opencrypto/cryptodev.h
-.Ft int
-.Fn crypto_kdispatch "struct cryptkop *krp"
-.Ft void
-.Fn crypto_kdone "struct cryptkop *krp"
-.Ft int
-.Fn crypto_kregister "uint32_t driverid" "int kalg" "uint32_t flags"
-.Ft int
-.Fn CRYPTODEV_KPROCESS "device_t dev" "struct cryptop *krp" "int flags"
-.Sh DESCRIPTION
-The in-kernel cryptographic kernel framework supports asymmetric
-requests (keying requests) in addition to symmetric operations.
-There are currently no in-kernel users of these requests,
-but applications can make requests of hardware drivers via the
-.Pa /dev/crypto
-device .
-.Pp
-Some APIs are shared with the framework's symmetric request support.
-This manual describes the APIs and data structures unique to
-asymmetric requests.
-.Pp
-.Ss Request Objects
-A request is described by a
-.Vt struct cryptkop
-containing the following fields:
-.Bl -tag -width "krp_callback"
-.It Fa krp_op
-Operation to perform.
-Available operations include
-.Dv CRK_MOD_EXP ,
-.Dv CRK_MOD_EXP_CRT ,
-.Dv CRK_DSA_SIGN ,
-.Dv CRK_DSA_VERIFY ,
-and
-.Dv CRK_DH_COMPUTE_KEY .
-.It Fa krp_status
-Error status.
-Either zero on success,
-or an error if an operation fails.
-Set by drivers prior to completing a request via
-.Fn crypto_kdone .
-.It Fa krp_iparams
-Count of input parameters.
-.It Fa krp_oparams
-Count of output parameters.
-.It Fa krp_crid
-Requested device.
-.It Fa krp_hid
-Device used to complete the request.
-.It Fa krp_param
-Array of parameters.
-The array contains the input parameters first followed by the output
-parameters.
-Each parameter is stored as a bignum.
-Each bignum is described by a
-.Vt struct crparam
-containing the following fields:
-.Bl -tag -width "crp_nbits"
-.It Fa crp_p
-Pointer to array of packed bytes.
-.It Fa crp_nbits
-Size of bignum in bits.
-.El
-.It Fa krp_callback
-Callback function.
-This must point to a callback function of type
-.Vt void (*)(struct cryptkop *) .
-The callback function should inspect
-.Fa krp_status
-to determine the status of the completed operation.
-.El
-.Pp
-New requests should be initialized to zero before setting fields to
-appropriate values.
-Once the request has been populated,
-it should be passed to
-.Fn crypto_kdispatch .
-.Pp
-.Fn crypto_kdispatch
-will choose a device driver to perform the operation described by
-.Fa krp
-and invoke that driver's
-.Fn CRYPTO_KPROCESS
-method.
-.Ss Driver API
-Drivers register support for asymmetric operations by calling
-.Fn crypto_kregister
-for each supported algorithm.
-.Fa driverid
-should be the value returned by an earlier call to
-.Fn crypto_get_driverid .
-.Fa kalg
-should list one of the operations that can be set in
-.Fa krp_op .
-.Fa flags
-is a bitmask of zero or more of the following values:
-.Bl -tag -width "CRYPTO_ALG_FLAG_RNG_ENABLE"
-.It Dv CRYPTO_ALG_FLAG_RNG_ENABLE
-Device has a hardware RNG for DH/DSA.
-.It Dv CRYPTO_ALG_FLAG_DSA_SHA
-Device can compute a SHA digest of a message.
-.El
-.Pp
-Drivers unregister with the framework via
-.Fn crypto_unregister_all .
-.Pp
-Similar to
-.Fn CRYPTO_PROCESS ,
-.Fn CRYPTO_KPROCESS
-should complete the request or schedule it for asynchronous
-completion.
-If this method is not able to complete a request due to insufficient
-resources,
-it can defer the request (and future asymmetric requests) by returning
-.Dv ERESTART .
-Once resources are available,
-the driver should invoke
-.Fn crypto_unblock
-with
-.Dv CRYPTO_ASYMQ
-to resume processing of asymmetric requests.
-.Pp
-Once a request is completed,
-the driver should set
-.Fa krp_status
-and then call
-.Fn crypto_kdone .
-.Sh RETURN VALUES
-.Fn crypto_kdispatch ,
-.Fn crypto_kregister ,
-and
-.Fn CRYPTODEV_KPROCESS
-return zero on success or an error on failure.
-.Sh SEE ALSO
-.Xr crypto 7 ,
-.Xr crypto 9 ,
-.Xr crypto_driver 9 ,
-.Xr crypto_request 9 ,
-.Xr crypto_session 9
Index: share/man/man9/crypto_driver.9
===================================================================
--- share/man/man9/crypto_driver.9
+++ share/man/man9/crypto_driver.9
@@ -285,13 +285,10 @@
.Fn crypto_get_driverid .
.Fa what
indicates which types of requests the driver is able to handle again:
-.Bl -tag -width "CRYPTO_ASYMQ"
+.Bl -tag -width "CRYPTO_SYMQ"
.It Dv CRYPTO_SYMQ
indicates that the driver is able to handle symmetric requests passed to
.Fn CRYPTODEV_PROCESS .
-.It Dv CRYPTO_ASYMQ
-indicates that the driver is able to handle asymmetric requests passed to
-.Fn CRYPTODEV_KPROCESS .
.El
.Pp
.Pp
Index: sys/dev/hifn/hifn7751.c
===================================================================
--- sys/dev/hifn/hifn7751.c
+++ sys/dev/hifn/hifn7751.c
@@ -2252,7 +2252,7 @@
HIFN_UNLOCK(sc);
if (sc->sc_needwakeup) { /* XXX check high watermark */
- int wakeup = sc->sc_needwakeup & (CRYPTO_SYMQ|CRYPTO_ASYMQ);
+ int wakeup = sc->sc_needwakeup & CRYPTO_SYMQ;
#ifdef HIFN_DEBUG
if (hifn_debug)
device_printf(sc->sc_dev,
Index: sys/dev/safe/safe.c
===================================================================
--- sys/dev/safe/safe.c
+++ sys/dev/safe/safe.c
@@ -385,8 +385,6 @@
#if 0
printf(" key");
sc->sc_flags |= SAFE_FLAGS_KEY;
- crypto_kregister(sc->sc_cid, CRK_MOD_EXP, 0);
- crypto_kregister(sc->sc_cid, CRK_MOD_EXP_CRT, 0);
#endif
}
if (sc->sc_devinfo & SAFE_DEVINFO_DES) {
@@ -584,7 +582,7 @@
}
if (sc->sc_needwakeup) { /* XXX check high watermark */
- int wakeup = sc->sc_needwakeup & (CRYPTO_SYMQ|CRYPTO_ASYMQ);
+ int wakeup = sc->sc_needwakeup & CRYPTO_SYMQ;
DPRINTF(("%s: wakeup crypto %x\n", __func__,
sc->sc_needwakeup));
sc->sc_needwakeup &= ~wakeup;
Index: sys/mips/nlm/dev/sec/nlmsec.c
===================================================================
--- sys/mips/nlm/dev/sec/nlmsec.c
+++ sys/mips/nlm/dev/sec/nlmsec.c
@@ -281,7 +281,7 @@
atomic_add_int(&creditleft, sc->sec_msgsz);
if (creditleft >= (NLM_CRYPTO_LEFT_REQS)) {
crypto_unblock(sc->sc_cid, sc->sc_needwakeup);
- sc->sc_needwakeup &= (~(CRYPTO_SYMQ | CRYPTO_ASYMQ));
+ sc->sc_needwakeup &= ~CRYPTO_SYMQ;
}
}
if (cmd->hash_dst_len != 0) {
Index: sys/opencrypto/crypto.c
===================================================================
--- sys/opencrypto/crypto.c
+++ sys/opencrypto/crypto.c
@@ -98,8 +98,7 @@
/*
* Crypto drivers register themselves by allocating a slot in the
- * crypto_drivers table with crypto_get_driverid() and then registering
- * each asym algorithm they support with crypto_kregister().
+ * crypto_drivers table with crypto_get_driverid().
*/
static struct mtx crypto_drivers_mtx; /* lock on driver table */
#define CRYPTO_DRIVER_LOCK() mtx_lock(&crypto_drivers_mtx)
@@ -118,13 +117,10 @@
device_t cc_dev;
uint32_t cc_hid;
uint32_t cc_sessions; /* (d) # of sessions */
- uint32_t cc_koperations; /* (d) # os asym operations */
- uint8_t cc_kalg[CRK_ALGORITHM_MAX + 1];
int cc_flags; /* (d) flags */
#define CRYPTOCAP_F_CLEANUP 0x80000000 /* needs resource cleanup */
int cc_qblocked; /* (q) symmetric q blocked */
- int cc_kqblocked; /* (q) asymmetric q blocked */
size_t cc_session_size;
volatile int cc_refs;
};
@@ -139,16 +135,8 @@
/* Driver softc follows. */
};
-/*
- * There are two queues for crypto requests; one for symmetric (e.g.
- * cipher) operations and one for asymmetric (e.g. MOD)operations.
- * A single mutex is used to lock access to both queues. We could
- * have one per-queue but having one simplifies handling of block/unblock
- * operations.
- */
static int crp_sleep = 0;
static TAILQ_HEAD(cryptop_q ,cryptop) crp_q; /* request queues */
-static TAILQ_HEAD(,cryptkop) crp_kq;
static struct mtx crypto_q_mtx;
#define CRYPTO_Q_LOCK() mtx_lock(&crypto_q_mtx)
#define CRYPTO_Q_UNLOCK() mtx_unlock(&crypto_q_mtx)
@@ -172,7 +160,6 @@
TAILQ_HEAD(,cryptop) crp_ordered_ret_q; /* ordered callback queue for symetric jobs */
TAILQ_HEAD(,cryptop) crp_ret_q; /* callback queue for symetric jobs */
- TAILQ_HEAD(,cryptkop) crp_ret_kq; /* callback queue for asym jobs */
uint32_t reorder_ops; /* total ordered sym jobs received */
uint32_t reorder_cur_seq; /* current sym job dispatched */
@@ -201,16 +188,6 @@
static uma_zone_t cryptop_zone;
-int crypto_userasymcrypto = 1;
-SYSCTL_INT(_kern_crypto, OID_AUTO, asym_enable, CTLFLAG_RW,
- &crypto_userasymcrypto, 0,
- "Enable user-mode access to asymmetric crypto support");
-#ifdef COMPAT_FREEBSD12
-SYSCTL_INT(_kern, OID_AUTO, userasymcrypto, CTLFLAG_RW,
- &crypto_userasymcrypto, 0,
- "Enable/disable user-mode access to asymmetric crypto support");
-#endif
-
int crypto_devallowsoft = 0;
SYSCTL_INT(_kern_crypto, OID_AUTO, allow_soft, CTLFLAG_RW,
&crypto_devallowsoft, 0,
@@ -228,7 +205,6 @@
static void crypto_ret_proc(struct crypto_ret_worker *ret_worker);
static void crypto_destroy(void);
static int crypto_invoke(struct cryptocap *cap, struct cryptop *crp, int hint);
-static int crypto_kinvoke(struct cryptkop *krp);
static void crypto_task_invoke(void *ctx, int pending);
static void crypto_batch_enqueue(struct cryptop *crp);
@@ -308,8 +284,6 @@
KASSERT(cap->cc_sessions == 0,
("freeing crypto driver with active sessions"));
- KASSERT(cap->cc_koperations == 0,
- ("freeing crypto driver with active key operations"));
free(cap, M_CRYPTO_DATA);
}
@@ -324,7 +298,6 @@
MTX_DEF|MTX_QUIET);
TAILQ_INIT(&crp_q);
- TAILQ_INIT(&crp_kq);
mtx_init(&crypto_q_mtx, "crypto", "crypto op queues", MTX_DEF);
cryptop_zone = uma_zcreate("cryptop",
@@ -358,7 +331,6 @@
FOREACH_CRYPTO_RETW(ret_worker) {
TAILQ_INIT(&ret_worker->crp_ordered_ret_q);
TAILQ_INIT(&ret_worker->crp_ret_q);
- TAILQ_INIT(&ret_worker->crp_ret_kq);
ret_worker->reorder_ops = 0;
ret_worker->reorder_cur_seq = 0;
@@ -1114,43 +1086,6 @@
return (flags);
}
-/*
- * Register support for a key-related algorithm. This routine
- * is called once for each algorithm supported a driver.
- */
-int
-crypto_kregister(uint32_t driverid, int kalg, uint32_t flags)
-{
- struct cryptocap *cap;
- int err;
-
- CRYPTO_DRIVER_LOCK();
-
- cap = crypto_checkdriver(driverid);
- if (cap != NULL &&
- (CRK_ALGORITM_MIN <= kalg && kalg <= CRK_ALGORITHM_MAX)) {
- /*
- * XXX Do some performance testing to determine placing.
- * XXX We probably need an auxiliary data structure that
- * XXX describes relative performances.
- */
-
- cap->cc_kalg[kalg] = flags | CRYPTO_ALG_FLAG_SUPPORTED;
- if (bootverbose)
- printf("crypto: %s registers key alg %u flags %u\n"
- , device_get_nameunit(cap->cc_dev)
- , kalg
- , flags
- );
- gone_in_dev(cap->cc_dev, 14, "asymmetric crypto");
- err = 0;
- } else
- err = EINVAL;
-
- CRYPTO_DRIVER_UNLOCK();
- return err;
-}
-
/*
* Unregister all algorithms associated with a crypto driver.
* If there are pending sessions using it, leave enough information
@@ -1177,7 +1112,7 @@
* XXX: This doesn't do anything to kick sessions that
* have no pending operations.
*/
- while (cap->cc_sessions != 0 || cap->cc_koperations != 0)
+ while (cap->cc_sessions != 0)
mtx_sleep(cap, &crypto_drivers_mtx, 0, "cryunreg", 0);
CRYPTO_DRIVER_UNLOCK();
cap_rele(cap);
@@ -1200,8 +1135,6 @@
if (cap != NULL) {
if (what & CRYPTO_SYMQ)
cap->cc_qblocked = 0;
- if (what & CRYPTO_ASYMQ)
- cap->cc_kqblocked = 0;
if (crp_sleep)
wakeup_one(&crp_q);
err = 0;
@@ -1499,189 +1432,6 @@
CRYPTO_Q_UNLOCK();
}
-/*
- * Add an asymetric crypto request to a queue,
- * to be processed by the kernel thread.
- */
-int
-crypto_kdispatch(struct cryptkop *krp)
-{
- int error;
-
- CRYPTOSTAT_INC(cs_kops);
-
- krp->krp_cap = NULL;
- error = crypto_kinvoke(krp);
- if (error == ERESTART) {
- CRYPTO_Q_LOCK();
- TAILQ_INSERT_TAIL(&crp_kq, krp, krp_next);
- if (crp_sleep)
- wakeup_one(&crp_q);
- CRYPTO_Q_UNLOCK();
- error = 0;
- }
- return error;
-}
-
-/*
- * Verify a driver is suitable for the specified operation.
- */
-static __inline int
-kdriver_suitable(const struct cryptocap *cap, const struct cryptkop *krp)
-{
- return (cap->cc_kalg[krp->krp_op] & CRYPTO_ALG_FLAG_SUPPORTED) != 0;
-}
-
-/*
- * Select a driver for an asym operation. The driver must
- * support the necessary algorithm. The caller can constrain
- * which device is selected with the flags parameter. The
- * algorithm we use here is pretty stupid; just use the first
- * driver that supports the algorithms we need. If there are
- * multiple suitable drivers we choose the driver with the
- * fewest active operations. We prefer hardware-backed
- * drivers to software ones when either may be used.
- */
-static struct cryptocap *
-crypto_select_kdriver(const struct cryptkop *krp, int flags)
-{
- struct cryptocap *cap, *best;
- int match, hid;
-
- CRYPTO_DRIVER_ASSERT();
-
- /*
- * Look first for hardware crypto devices if permitted.
- */
- if (flags & CRYPTOCAP_F_HARDWARE)
- match = CRYPTOCAP_F_HARDWARE;
- else
- match = CRYPTOCAP_F_SOFTWARE;
- best = NULL;
-again:
- for (hid = 0; hid < crypto_drivers_size; hid++) {
- /*
- * If there is no driver for this slot, or the driver
- * is not appropriate (hardware or software based on
- * match), then skip.
- */
- cap = crypto_drivers[hid];
- if (cap == NULL ||
- (cap->cc_flags & match) == 0)
- continue;
-
- /* verify all the algorithms are supported. */
- if (kdriver_suitable(cap, krp)) {
- if (best == NULL ||
- cap->cc_koperations < best->cc_koperations)
- best = cap;
- }
- }
- if (best != NULL)
- return best;
- if (match == CRYPTOCAP_F_HARDWARE && (flags & CRYPTOCAP_F_SOFTWARE)) {
- /* sort of an Algol 68-style for loop */
- match = CRYPTOCAP_F_SOFTWARE;
- goto again;
- }
- return best;
-}
-
-/*
- * Choose a driver for an asymmetric crypto request.
- */
-static struct cryptocap *
-crypto_lookup_kdriver(struct cryptkop *krp)
-{
- struct cryptocap *cap;
- uint32_t crid;
-
- /* If this request is requeued, it might already have a driver. */
- cap = krp->krp_cap;
- if (cap != NULL)
- return (cap);
-
- /* Use krp_crid to choose a driver. */
- crid = krp->krp_crid;
- if ((crid & (CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE)) == 0) {
- cap = crypto_checkdriver(crid);
- if (cap != NULL) {
- /*
- * Driver present, it must support the
- * necessary algorithm and, if s/w drivers are
- * excluded, it must be registered as
- * hardware-backed.
- */
- if (!kdriver_suitable(cap, krp) ||
- (!crypto_devallowsoft &&
- (cap->cc_flags & CRYPTOCAP_F_HARDWARE) == 0))
- cap = NULL;
- }
- } else {
- /*
- * No requested driver; select based on crid flags.
- */
- if (!crypto_devallowsoft) /* NB: disallow s/w drivers */
- crid &= ~CRYPTOCAP_F_SOFTWARE;
- cap = crypto_select_kdriver(krp, crid);
- }
-
- if (cap != NULL) {
- krp->krp_cap = cap_ref(cap);
- krp->krp_hid = cap->cc_hid;
- }
- return (cap);
-}
-
-/*
- * Dispatch an asymmetric crypto request.
- */
-static int
-crypto_kinvoke(struct cryptkop *krp)
-{
- struct cryptocap *cap = NULL;
- int error;
-
- KASSERT(krp != NULL, ("%s: krp == NULL", __func__));
- KASSERT(krp->krp_callback != NULL,
- ("%s: krp->crp_callback == NULL", __func__));
-
- CRYPTO_DRIVER_LOCK();
- cap = crypto_lookup_kdriver(krp);
- if (cap == NULL) {
- CRYPTO_DRIVER_UNLOCK();
- krp->krp_status = ENODEV;
- crypto_kdone(krp);
- return (0);
- }
-
- /*
- * If the device is blocked, return ERESTART to requeue it.
- */
- if (cap->cc_kqblocked) {
- /*
- * XXX: Previously this set krp_status to ERESTART and
- * invoked crypto_kdone but the caller would still
- * requeue it.
- */
- CRYPTO_DRIVER_UNLOCK();
- return (ERESTART);
- }
-
- cap->cc_koperations++;
- CRYPTO_DRIVER_UNLOCK();
- error = CRYPTODEV_KPROCESS(cap->cc_dev, krp, 0);
- if (error == ERESTART) {
- CRYPTO_DRIVER_LOCK();
- cap->cc_koperations--;
- CRYPTO_DRIVER_UNLOCK();
- return (error);
- }
-
- KASSERT(error == 0, ("error %d returned from crypto_kprocess", error));
- return (0);
-}
-
static void
crypto_task_invoke(void *ctx, int pending)
{
@@ -1894,62 +1644,6 @@
}
}
-/*
- * Invoke the callback on behalf of the driver.
- */
-void
-crypto_kdone(struct cryptkop *krp)
-{
- struct crypto_ret_worker *ret_worker;
- struct cryptocap *cap;
-
- if (krp->krp_status != 0)
- CRYPTOSTAT_INC(cs_kerrs);
- cap = krp->krp_cap;
- if (cap != NULL) {
- CRYPTO_DRIVER_LOCK();
- KASSERT(cap->cc_koperations > 0, ("cc_koperations == 0"));
- cap->cc_koperations--;
- if (cap->cc_koperations == 0 &&
- cap->cc_flags & CRYPTOCAP_F_CLEANUP)
- wakeup(cap);
- CRYPTO_DRIVER_UNLOCK();
- krp->krp_cap = NULL;
- cap_rele(cap);
- }
-
- ret_worker = CRYPTO_RETW(0);
-
- CRYPTO_RETW_LOCK(ret_worker);
- if (TAILQ_EMPTY(&ret_worker->crp_ret_kq))
- wakeup_one(&ret_worker->crp_ret_q); /* shared wait channel */
- TAILQ_INSERT_TAIL(&ret_worker->crp_ret_kq, krp, krp_next);
- CRYPTO_RETW_UNLOCK(ret_worker);
-}
-
-int
-crypto_getfeat(int *featp)
-{
- int hid, kalg, feat = 0;
-
- CRYPTO_DRIVER_LOCK();
- for (hid = 0; hid < crypto_drivers_size; hid++) {
- const struct cryptocap *cap = crypto_drivers[hid];
-
- if (cap == NULL ||
- ((cap->cc_flags & CRYPTOCAP_F_SOFTWARE) &&
- !crypto_devallowsoft)) {
- continue;
- }
- for (kalg = 0; kalg < CRK_ALGORITHM_MAX; kalg++)
- if (cap->cc_kalg[kalg] & CRYPTO_ALG_FLAG_SUPPORTED)
- feat |= 1 << kalg;
- }
- CRYPTO_DRIVER_UNLOCK();
- *featp = feat;
- return (0);
-}
-
/*
* Terminate a thread at module unload. The process that
* initiated this is waiting for us to signal that we're gone;
@@ -1975,7 +1669,6 @@
crypto_proc(void)
{
struct cryptop *crp, *submit;
- struct cryptkop *krp;
struct cryptocap *cap;
int result, hint;
@@ -2046,46 +1739,7 @@
TAILQ_INSERT_HEAD(&crp_q, submit, crp_next);
CRYPTOSTAT_INC(cs_blocks);
}
- }
-
- /* As above, but for key ops */
- TAILQ_FOREACH(krp, &crp_kq, krp_next) {
- cap = krp->krp_cap;
- if (cap->cc_flags & CRYPTOCAP_F_CLEANUP) {
- /*
- * Operation needs to be migrated,
- * clear krp_cap so a new driver is
- * selected.
- */
- krp->krp_cap = NULL;
- cap_rele(cap);
- break;
- }
- if (!cap->cc_kqblocked)
- break;
- }
- if (krp != NULL) {
- TAILQ_REMOVE(&crp_kq, krp, krp_next);
- CRYPTO_Q_UNLOCK();
- result = crypto_kinvoke(krp);
- CRYPTO_Q_LOCK();
- if (result == ERESTART) {
- /*
- * The driver ran out of resources, mark the
- * driver ``blocked'' for cryptkop's and put
- * the request back in the queue. It would
- * best to put the request back where we got
- * it but that's hard so for now we put it
- * at the front. This should be ok; putting
- * it at the end does not work.
- */
- krp->krp_cap->cc_kqblocked = 1;
- TAILQ_INSERT_HEAD(&crp_kq, krp, krp_next);
- CRYPTOSTAT_INC(cs_kblocks);
- }
- }
-
- if (submit == NULL && krp == NULL) {
+ } else {
/*
* Nothing more to be processed. Sleep until we're
* woken because there are more ops to process.
@@ -2120,7 +1774,6 @@
crypto_ret_proc(struct crypto_ret_worker *ret_worker)
{
struct cryptop *crpt;
- struct cryptkop *krpt;
CRYPTO_RETW_LOCK(ret_worker);
for (;;) {
@@ -2141,19 +1794,13 @@
TAILQ_REMOVE(&ret_worker->crp_ret_q, crpt, crp_next);
}
- krpt = TAILQ_FIRST(&ret_worker->crp_ret_kq);
- if (krpt != NULL)
- TAILQ_REMOVE(&ret_worker->crp_ret_kq, krpt, krp_next);
-
- if (crpt != NULL || krpt != NULL) {
+ if (crpt != NULL) {
CRYPTO_RETW_UNLOCK(ret_worker);
/*
* Run callbacks unlocked.
*/
if (crpt != NULL)
crpt->crp_callback(crpt);
- if (krpt != NULL)
- krpt->krp_callback(krpt);
CRYPTO_RETW_LOCK(ret_worker);
} else {
/*
@@ -2178,25 +1825,21 @@
{
int hid;
- db_printf("%12s %4s %4s %8s %2s %2s\n"
+ db_printf("%12s %4s %8s %2s\n"
, "Device"
, "Ses"
- , "Kops"
, "Flags"
, "QB"
- , "KB"
);
for (hid = 0; hid < crypto_drivers_size; hid++) {
const struct cryptocap *cap = crypto_drivers[hid];
if (cap == NULL)
continue;
- db_printf("%-12s %4u %4u %08x %2u %2u\n"
+ db_printf("%-12s %4u %08x %2u\n"
, device_get_nameunit(cap->cc_dev)
, cap->cc_sessions
- , cap->cc_koperations
, cap->cc_flags
, cap->cc_qblocked
- , cap->cc_kqblocked
);
}
}
@@ -2239,41 +1882,6 @@
}
}
}
-
-DB_SHOW_COMMAND(kcrypto, db_show_kcrypto)
-{
- struct cryptkop *krp;
- struct crypto_ret_worker *ret_worker;
-
- db_show_drivers();
- db_printf("\n");
-
- db_printf("%4s %5s %4s %4s %8s %4s %8s\n",
- "Op", "Status", "#IP", "#OP", "CRID", "HID", "Callback");
- TAILQ_FOREACH(krp, &crp_kq, krp_next) {
- db_printf("%4u %5u %4u %4u %08x %4u %8p\n"
- , krp->krp_op
- , krp->krp_status
- , krp->krp_iparams, krp->krp_oparams
- , krp->krp_crid, krp->krp_hid
- , krp->krp_callback
- );
- }
-
- ret_worker = CRYPTO_RETW(0);
- if (!TAILQ_EMPTY(&ret_worker->crp_ret_q)) {
- db_printf("%4s %5s %8s %4s %8s\n",
- "Op", "Status", "CRID", "HID", "Callback");
- TAILQ_FOREACH(krp, &ret_worker->crp_ret_kq, krp_next) {
- db_printf("%4u %5u %08x %4u %8p\n"
- , krp->krp_op
- , krp->krp_status
- , krp->krp_crid, krp->krp_hid
- , krp->krp_callback
- );
- }
- }
-}
#endif
int crypto_modevent(module_t mod, int type, void *unused);
Index: sys/opencrypto/cryptodev.h
===================================================================
--- sys/opencrypto/cryptodev.h
+++ sys/opencrypto/cryptodev.h
@@ -192,11 +192,6 @@
#define CRYPTO_ALGO_VALID(x) ((x) >= CRYPTO_ALGORITHM_MIN && \
(x) <= CRYPTO_ALGORITHM_MAX)
-/* Algorithm flags */
-#define CRYPTO_ALG_FLAG_SUPPORTED 0x01 /* Algorithm is supported */
-#define CRYPTO_ALG_FLAG_RNG_ENABLE 0x02 /* Has HW RNG for DH/DSA */
-#define CRYPTO_ALG_FLAG_DSA_SHA 0x04 /* Can do SHA on msg */
-
/*
* Crypto driver/device flags. They can set in the crid
* parameter when creating a session or submitting a key
@@ -289,43 +284,10 @@
char name[32]; /* device/driver name */
};
-/* bignum parameter, in packed bytes, ... */
-struct crparam {
- void *crp_p;
- u_int crp_nbits;
-};
-
-#define CRK_MAXPARAM 8
-
-struct crypt_kop {
- u_int crk_op; /* ie. CRK_MOD_EXP or other */
- u_int crk_status; /* return status */
- u_short crk_iparams; /* # of input parameters */
- u_short crk_oparams; /* # of output parameters */
- u_int crk_crid; /* NB: only used by CIOCKEY2 (rw) */
- struct crparam crk_param[CRK_MAXPARAM];
-};
-#define CRK_ALGORITM_MIN 0
-#define CRK_MOD_EXP 0
-#define CRK_MOD_EXP_CRT 1
-#define CRK_DSA_SIGN 2
-#define CRK_DSA_VERIFY 3
-#define CRK_DH_COMPUTE_KEY 4
-#define CRK_ALGORITHM_MAX 4 /* Keep updated - see below */
-
-#define CRF_MOD_EXP (1 << CRK_MOD_EXP)
-#define CRF_MOD_EXP_CRT (1 << CRK_MOD_EXP_CRT)
-#define CRF_DSA_SIGN (1 << CRK_DSA_SIGN)
-#define CRF_DSA_VERIFY (1 << CRK_DSA_VERIFY)
-#define CRF_DH_COMPUTE_KEY (1 << CRK_DH_COMPUTE_KEY)
-
#define CIOCGSESSION _IOWR('c', 101, struct session_op)
#define CIOCFSESSION _IOW('c', 102, uint32_t)
#define CIOCCRYPT _IOWR('c', 103, struct crypt_op)
-#define CIOCKEY _IOWR('c', 104, struct crypt_kop)
-#define CIOCASYMFEAT _IOR('c', 105, uint32_t)
#define CIOCGSESSION2 _IOWR('c', 106, struct session2_op)
-#define CIOCKEY2 _IOWR('c', 107, struct crypt_kop)
#define CIOCFINDDEV _IOWR('c', 108, struct crypt_find_op)
#define CIOCCRYPTAEAD _IOWR('c', 109, struct crypt_aead)
@@ -602,20 +564,6 @@
*/
#define CRYPTO_HINT_MORE 0x1 /* more ops coming shortly */
-struct cryptkop {
- TAILQ_ENTRY(cryptkop) krp_next;
-
- u_int krp_op; /* ie. CRK_MOD_EXP or other */
- u_int krp_status; /* return status */
- u_short krp_iparams; /* # of input parameters */
- u_short krp_oparams; /* # of output parameters */
- u_int krp_crid; /* desired device, etc. */
- uint32_t krp_hid; /* device used */
- struct crparam krp_param[CRK_MAXPARAM]; /* kvm */
- void (*krp_callback)(struct cryptkop *);
- struct cryptocap *krp_cap;
-};
-
uint32_t crypto_ses2hid(crypto_session_t crypto_session);
uint32_t crypto_ses2caps(crypto_session_t crypto_session);
void *crypto_get_driver_session(crypto_session_t crypto_session);
@@ -640,19 +588,14 @@
extern int crypto_find_driver(const char *);
extern device_t crypto_find_device_byhid(int hid);
extern int crypto_getcaps(int hid);
-extern int crypto_kregister(uint32_t, int, uint32_t);
extern int crypto_unregister_all(uint32_t driverid);
extern int crypto_dispatch(struct cryptop *crp);
#define CRYPTO_ASYNC_ORDERED 0x1 /* complete in order dispatched */
extern int crypto_dispatch_async(struct cryptop *crp, int flags);
extern void crypto_dispatch_batch(struct cryptopq *crpq, int flags);
-extern int crypto_kdispatch(struct cryptkop *);
#define CRYPTO_SYMQ 0x1
-#define CRYPTO_ASYMQ 0x2
extern int crypto_unblock(uint32_t, int);
extern void crypto_done(struct cryptop *crp);
-extern void crypto_kdone(struct cryptkop *);
-extern int crypto_getfeat(int *);
extern void crypto_destroyreq(struct cryptop *crp);
extern void crypto_initreq(struct cryptop *crp, crypto_session_t cses);
@@ -660,7 +603,6 @@
extern struct cryptop *crypto_getreq(crypto_session_t cses, int how);
extern int crypto_usercrypto; /* userland may do crypto requests */
-extern int crypto_userasymcrypto; /* userland may do asym crypto reqs */
extern int crypto_devallowsoft; /* only use hardware crypto */
#ifdef SYSCTL_DECL
Index: sys/opencrypto/cryptodev.c
===================================================================
--- sys/opencrypto/cryptodev.c
+++ sys/opencrypto/cryptodev.c
@@ -127,25 +127,9 @@
uint32_t iv;
};
-struct crparam32 {
- uint32_t crp_p;
- u_int crp_nbits;
-};
-
-struct crypt_kop32 {
- u_int crk_op;
- u_int crk_status;
- u_short crk_iparams;
- u_short crk_oparams;
- u_int crk_crid;
- struct crparam32 crk_param[CRK_MAXPARAM];
-};
-
#define CIOCGSESSION32 _IOWR('c', 101, struct session_op32)
#define CIOCCRYPT32 _IOWR('c', 103, struct crypt_op32)
-#define CIOCKEY32 _IOWR('c', 104, struct crypt_kop32)
#define CIOCGSESSION232 _IOWR('c', 106, struct session2_op32)
-#define CIOCKEY232 _IOWR('c', 107, struct crypt_kop32)
#define CIOCCRYPTAEAD32 _IOWR('c', 109, struct crypt_aead32)
static void
@@ -253,50 +237,6 @@
PTROUT_CP(*from, *to, tag);
PTROUT_CP(*from, *to, iv);
}
-
-static void
-crparam_from_32(const struct crparam32 *from, struct crparam *to)
-{
-
- PTRIN_CP(*from, *to, crp_p);
- CP(*from, *to, crp_nbits);
-}
-
-static void
-crparam_to_32(const struct crparam *from, struct crparam32 *to)
-{
-
- PTROUT_CP(*from, *to, crp_p);
- CP(*from, *to, crp_nbits);
-}
-
-static void
-crypt_kop_from_32(const struct crypt_kop32 *from, struct crypt_kop *to)
-{
- int i;
-
- CP(*from, *to, crk_op);
- CP(*from, *to, crk_status);
- CP(*from, *to, crk_iparams);
- CP(*from, *to, crk_oparams);
- CP(*from, *to, crk_crid);
- for (i = 0; i < CRK_MAXPARAM; i++)
- crparam_from_32(&from->crk_param[i], &to->crk_param[i]);
-}
-
-static void
-crypt_kop_to_32(const struct crypt_kop *from, struct crypt_kop32 *to)
-{
- int i;
-
- CP(*from, *to, crk_op);
- CP(*from, *to, crk_status);
- CP(*from, *to, crk_iparams);
- CP(*from, *to, crk_oparams);
- CP(*from, *to, crk_crid);
- for (i = 0; i < CRK_MAXPARAM; i++)
- crparam_to_32(&from->crk_param[i], &to->crk_param[i]);
-}
#endif
static void
@@ -356,11 +296,6 @@
&use_separate_aad, 0,
"Use separate AAD buffer for /dev/crypto requests.");
-static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 };
-SYSCTL_TIMEVAL_SEC(_kern, OID_AUTO, cryptodev_warn_interval, CTLFLAG_RW,
- &warninterval,
- "Delay in seconds between warnings of deprecated /dev/crypto algorithms");
-
/*
* Check a crypto identifier to see if it requested
* a software device/driver. This can be done either
@@ -1208,131 +1143,6 @@
return (error);
}
-static void
-cryptodevkey_cb(struct cryptkop *krp)
-{
-
- wakeup_one(krp);
-}
-
-static int
-cryptodev_key(struct crypt_kop *kop)
-{
- struct cryptkop *krp = NULL;
- int error = EINVAL;
- int in, out, size, i;
-
- if (kop->crk_iparams + kop->crk_oparams > CRK_MAXPARAM) {
- SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
- return (EFBIG);
- }
-
- in = kop->crk_iparams;
- out = kop->crk_oparams;
- switch (kop->crk_op) {
- case CRK_MOD_EXP:
- if (in == 3 && out == 1)
- break;
- SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
- return (EINVAL);
- case CRK_MOD_EXP_CRT:
- if (in == 6 && out == 1)
- break;
- SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
- return (EINVAL);
- case CRK_DSA_SIGN:
- if (in == 5 && out == 2)
- break;
- SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
- return (EINVAL);
- case CRK_DSA_VERIFY:
- if (in == 7 && out == 0)
- break;
- SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
- return (EINVAL);
- case CRK_DH_COMPUTE_KEY:
- if (in == 3 && out == 1)
- break;
- SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
- return (EINVAL);
- default:
- SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
- return (EINVAL);
- }
-
- krp = malloc(sizeof(*krp), M_XDATA, M_WAITOK | M_ZERO);
- krp->krp_op = kop->crk_op;
- krp->krp_status = kop->crk_status;
- krp->krp_iparams = kop->crk_iparams;
- krp->krp_oparams = kop->crk_oparams;
- krp->krp_crid = kop->crk_crid;
- krp->krp_status = 0;
- krp->krp_callback = cryptodevkey_cb;
-
- for (i = 0; i < CRK_MAXPARAM; i++) {
- if (kop->crk_param[i].crp_nbits > 65536) {
- /* Limit is the same as in OpenBSD */
- SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
- goto fail;
- }
- krp->krp_param[i].crp_nbits = kop->crk_param[i].crp_nbits;
- }
- for (i = 0; i < krp->krp_iparams + krp->krp_oparams; i++) {
- size = (krp->krp_param[i].crp_nbits + 7) / 8;
- if (size == 0)
- continue;
- krp->krp_param[i].crp_p = malloc(size, M_XDATA, M_WAITOK);
- if (i >= krp->krp_iparams)
- continue;
- error = copyin(kop->crk_param[i].crp_p, krp->krp_param[i].crp_p, size);
- if (error) {
- SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
- goto fail;
- }
- }
-
- error = crypto_kdispatch(krp);
- if (error) {
- SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
- goto fail;
- }
- error = tsleep(krp, PSOCK, "crydev", 0);
- if (error) {
- /* XXX can this happen? if so, how do we recover? */
- SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
- goto fail;
- }
-
- kop->crk_crid = krp->krp_hid; /* device that did the work */
- if (krp->krp_status != 0) {
- error = krp->krp_status;
- SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
- goto fail;
- }
-
- for (i = krp->krp_iparams; i < krp->krp_iparams + krp->krp_oparams; i++) {
- size = (krp->krp_param[i].crp_nbits + 7) / 8;
- if (size == 0)
- continue;
- error = copyout(krp->krp_param[i].crp_p, kop->crk_param[i].crp_p, size);
- if (error) {
- SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
- goto fail;
- }
- }
-
-fail:
- if (krp) {
- kop->crk_status = krp->krp_status;
- for (i = 0; i < CRK_MAXPARAM; i++) {
- if (krp->krp_param[i].crp_p)
- free(krp->krp_param[i].crp_p, M_XDATA);
- }
- free(krp, M_XDATA);
- }
- return (error);
-}
-
static int
cryptodev_find(struct crypt_find_op *find)
{
@@ -1390,13 +1200,11 @@
crypto_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag,
struct thread *td)
{
- static struct timeval keywarn, featwarn;
struct fcrypt *fcr;
struct csession *cse;
struct session2_op *sop;
struct crypt_op *cop;
struct crypt_aead *caead;
- struct crypt_kop *kop;
uint32_t ses;
int error = 0;
union {
@@ -1404,7 +1212,6 @@
#ifdef COMPAT_FREEBSD32
struct crypt_op copc;
struct crypt_aead aeadc;
- struct crypt_kop kopc;
#endif
} thunk;
#ifdef COMPAT_FREEBSD32
@@ -1443,17 +1250,6 @@
data = (void *)&thunk.aeadc;
crypt_aead_from_32((struct crypt_aead32 *)data32, &thunk.aeadc);
break;
- case CIOCKEY32:
- case CIOCKEY232:
- cmd32 = cmd;
- data32 = data;
- if (cmd == CIOCKEY32)
- cmd = CIOCKEY;
- else
- cmd = CIOCKEY2;
- data = (void *)&thunk.kopc;
- crypt_kop_from_32((struct crypt_kop32 *)data32, &thunk.kopc);
- break;
}
#endif
@@ -1504,46 +1300,6 @@
error = cryptodev_op(cse, cop);
cse_free(cse);
break;
- case CIOCKEY:
- case CIOCKEY2:
- if (ratecheck(&keywarn, &warninterval))
- gone_in(14,
- "Asymmetric crypto operations via /dev/crypto");
-
- if (!crypto_userasymcrypto) {
- SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
- return (EPERM); /* XXX compat? */
- }
- kop = (struct crypt_kop *)data;
- if (cmd == CIOCKEY) {
- /* NB: crypto core enforces s/w driver use */
- kop->crk_crid =
- CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
- }
- mtx_lock(&Giant);
- error = cryptodev_key(kop);
- mtx_unlock(&Giant);
- break;
- case CIOCASYMFEAT:
- if (ratecheck(&featwarn, &warninterval))
- gone_in(14,
- "Asymmetric crypto features via /dev/crypto");
-
- if (!crypto_userasymcrypto) {
- /*
- * NB: if user asym crypto operations are
- * not permitted return "no algorithms"
- * so well-behaved applications will just
- * fallback to doing them in software.
- */
- *(int *)data = 0;
- } else {
- error = crypto_getfeat((int *)data);
- if (error)
- SDT_PROBE1(opencrypto, dev, ioctl, error,
- __LINE__);
- }
- break;
case CIOCFINDDEV:
error = cryptodev_find((struct crypt_find_op *)data);
break;
@@ -1581,10 +1337,6 @@
if (error == 0)
crypt_aead_to_32((void *)data, data32);
break;
- case CIOCKEY32:
- case CIOCKEY232:
- crypt_kop_to_32((void *)data, data32);
- break;
}
#endif
return (error);
Index: sys/opencrypto/cryptodev_if.m
===================================================================
--- sys/opencrypto/cryptodev_if.m
+++ sys/opencrypto/cryptodev_if.m
@@ -116,9 +116,9 @@
} DEFAULT null_freesession;
/**
- * @brief Perform a symmetric crypto operation
+ * @brief Perform a crypto operation
*
- * The crypto framework invokes this method for each symmetric crypto
+ * The crypto framework invokes this method for each crypto
* operation performed on a session. A reference to the containing
* session is stored as a member of 'struct cryptop'. This routine
* should not block, but queue the operation if necessary.
@@ -145,35 +145,3 @@
struct cryptop *op;
int flags;
};
-
-/**
- * @brief Perform an asymmetric crypto operation
- *
- * The crypto framework invokes this method for each asymmetric crypto
- * operation. Each asymmetric crypto operation should be
- * self-contained and is not assicated with any persistent session.
- * This routine should not block, but queue the operation if
- * necessary.
- *
- * This method may return ERESTART to indicate that any internal
- * queues are full so the operation should be queued in the crypto
- * framework and retried in the future.
- *
- * To report errors with a crypto operation, 'krp_status' should be set
- * and the operation completed by calling 'crypto_kdone'. This method
- * should then return zero.
- *
- * @param dev the crypto driver device
- * @param op crypto operation to perform
- * @param flags set to CRYPTO_HINT_MORE if additional asymmetric
- * crypto operations are queued for this driver;
- * otherwise set to zero.
- *
- * @retval 0 success
- * @retval ERESTART internal queue is full
- */
-METHOD int kprocess {
- device_t dev;
- struct cryptkop *op;
- int flags;
-};
Index: tools/tools/crypto/Makefile
===================================================================
--- tools/tools/crypto/Makefile
+++ tools/tools/crypto/Makefile
@@ -26,7 +26,7 @@
# SUCH DAMAGE.
#
-PROGS= cryptocheck cryptotest cryptokeytest cryptostats \
+PROGS= cryptocheck cryptotest cryptostats \
hifnstats ipsecstats safestats
MAN=
BINDIR?= /usr/local/bin
@@ -34,9 +34,6 @@
# cryptocheck: test symmetric crypto functions
LIBADD.cryptocheck+= crypto util
-# cryptokeytest: test asymmetric crypto functions
-LIBADD.cryptokeytest+= crypto
-
# cryptostats: dump statistics kept by the core crypto code
# hifnstats: print statistics kept by the HIFN driver
# safestats: statistics kept by the SafeNet driver
Index: tools/tools/crypto/cryptokeytest.c
===================================================================
--- tools/tools/crypto/cryptokeytest.c
+++ /dev/null
@@ -1,270 +0,0 @@
-/* $FreeBSD$ */
-/*
- * The big num stuff is a bit broken at the moment and I've not yet fixed it.
- * The symtom is that odd size big nums will fail. Test code below (it only
- * uses modexp currently).
- *
- * --Jason L. Wright
- */
-#include <sys/types.h>
-#include <sys/endian.h>
-#include <sys/ioctl.h>
-#include <sys/time.h>
-#include <crypto/cryptodev.h>
-
-#include <err.h>
-#include <fcntl.h>
-#include <paths.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <openssl/bn.h>
-#include <openssl/err.h>
-
-int crid = CRYPTO_FLAG_HARDWARE;
-int verbose = 0;
-
-static int
-devcrypto(void)
-{
- static int fd = -1;
-
- if (fd < 0) {
- fd = open(_PATH_DEV "crypto", O_RDWR, 0);
- if (fd < 0)
- err(1, _PATH_DEV "crypto");
- if (fcntl(fd, F_SETFD, 1) == -1)
- err(1, "fcntl(F_SETFD) (devcrypto)");
- }
- return fd;
-}
-
-static int
-crlookup(const char *devname)
-{
- struct crypt_find_op find;
-
- find.crid = -1;
- strlcpy(find.name, devname, sizeof(find.name));
- if (ioctl(devcrypto(), CIOCFINDDEV, &find) == -1)
- err(1, "ioctl(CIOCFINDDEV)");
- return find.crid;
-}
-
-static const char *
-crfind(int crid)
-{
- static struct crypt_find_op find;
-
- bzero(&find, sizeof(find));
- find.crid = crid;
- if (ioctl(devcrypto(), CIOCFINDDEV, &find) == -1)
- err(1, "ioctl(CIOCFINDDEV)");
- return find.name;
-}
-
-/*
- * Convert a little endian byte string in 'p' that is 'plen' bytes long to a
- * BIGNUM. A new BIGNUM is allocated. Returns NULL on failure.
- */
-static BIGNUM *
-le_to_bignum(BIGNUM *res, const void *p, int plen)
-{
-
- res = BN_lebin2bn(p, plen, res);
- if (res == NULL)
- ERR_print_errors_fp(stderr);
-
- return (res);
-}
-
-/*
- * Convert a BIGNUM to a little endian byte string. Space for BN_num_bytes(n)
- * is allocated.
- * Returns NULL on failure.
- */
-static void *
-bignum_to_le(const BIGNUM *n)
-{
- int blen, error;
- void *rd;
-
- blen = BN_num_bytes(n);
- if (blen == 0)
- return (NULL);
-
- rd = malloc(blen);
- if (rd == NULL)
- return (NULL);
-
- error = BN_bn2lebinpad(n, rd, blen);
- if (error < 0) {
- ERR_print_errors_fp(stderr);
- free(rd);
- return (NULL);
- }
-
- return (rd);
-}
-
-static int
-UB_mod_exp(BIGNUM *res, const BIGNUM *a, const BIGNUM *b, const BIGNUM *c)
-{
- struct crypt_kop kop;
- void *ale, *ble, *cle;
- int crypto_fd = devcrypto();
-
- if ((ale = bignum_to_le(a)) == NULL)
- err(1, "bignum_to_le, a");
- if ((ble = bignum_to_le(b)) == NULL)
- err(1, "bignum_to_le, b");
- if ((cle = bignum_to_le(c)) == NULL)
- err(1, "bignum_to_le, c");
-
- bzero(&kop, sizeof(kop));
- kop.crk_op = CRK_MOD_EXP;
- kop.crk_iparams = 3;
- kop.crk_oparams = 1;
- kop.crk_crid = crid;
- kop.crk_param[0].crp_p = ale;
- kop.crk_param[0].crp_nbits = BN_num_bytes(a) * 8;
- kop.crk_param[1].crp_p = ble;
- kop.crk_param[1].crp_nbits = BN_num_bytes(b) * 8;
- kop.crk_param[2].crp_p = cle;
- kop.crk_param[2].crp_nbits = BN_num_bytes(c) * 8;
- kop.crk_param[3].crp_p = cle;
- kop.crk_param[3].crp_nbits = BN_num_bytes(c) * 8;
-
- if (ioctl(crypto_fd, CIOCKEY2, &kop) == -1)
- err(1, "CIOCKEY2");
- if (verbose)
- printf("device = %s\n", crfind(kop.crk_crid));
-
- explicit_bzero(ale, BN_num_bytes(a));
- free(ale);
- explicit_bzero(ble, BN_num_bytes(b));
- free(ble);
-
- if (kop.crk_status != 0) {
- printf("error %d\n", kop.crk_status);
- explicit_bzero(cle, BN_num_bytes(c));
- free(cle);
- return (-1);
- } else {
- res = le_to_bignum(res, cle, BN_num_bytes(c));
- explicit_bzero(cle, BN_num_bytes(c));
- free(cle);
- if (res == NULL)
- err(1, "le_to_bignum");
- return (0);
- }
- return (0);
-}
-
-static void
-show_result(const BIGNUM *a, const BIGNUM *b, const BIGNUM *c,
- const BIGNUM *sw, const BIGNUM *hw)
-{
- printf("\n");
-
- printf("A = ");
- BN_print_fp(stdout, a);
- printf("\n");
-
- printf("B = ");
- BN_print_fp(stdout, b);
- printf("\n");
-
- printf("C = ");
- BN_print_fp(stdout, c);
- printf("\n");
-
- printf("sw= ");
- BN_print_fp(stdout, sw);
- printf("\n");
-
- printf("hw= ");
- BN_print_fp(stdout, hw);
- printf("\n");
-
- printf("\n");
-}
-
-static void
-testit(void)
-{
- BIGNUM *a, *b, *c, *r1, *r2;
- BN_CTX *ctx;
-
- ctx = BN_CTX_new();
-
- a = BN_new();
- b = BN_new();
- c = BN_new();
- r1 = BN_new();
- r2 = BN_new();
-
- BN_pseudo_rand(a, 1023, 0, 0);
- BN_pseudo_rand(b, 1023, 0, 0);
- BN_pseudo_rand(c, 1024, 0, 0);
-
- if (BN_cmp(a, c) > 0) {
- BIGNUM *rem = BN_new();
-
- BN_mod(rem, a, c, ctx);
- UB_mod_exp(r2, rem, b, c);
- BN_free(rem);
- } else {
- UB_mod_exp(r2, a, b, c);
- }
- BN_mod_exp(r1, a, b, c, ctx);
-
- if (BN_cmp(r1, r2) != 0) {
- show_result(a, b, c, r1, r2);
- }
-
- BN_free(r2);
- BN_free(r1);
- BN_free(c);
- BN_free(b);
- BN_free(a);
- BN_CTX_free(ctx);
-}
-
-static void
-usage(const char* cmd)
-{
- printf("usage: %s [-d dev] [-v] [count]\n", cmd);
- printf("count is the number of bignum ops to do\n");
- printf("\n");
- printf("-d use specific device\n");
- printf("-v be verbose\n");
- exit(-1);
-}
-
-int
-main(int argc, char *argv[])
-{
- int c, i;
-
- while ((c = getopt(argc, argv, "d:v")) != -1) {
- switch (c) {
- case 'd':
- crid = crlookup(optarg);
- break;
- case 'v':
- verbose = 1;
- break;
- default:
- usage(argv[0]);
- }
- }
- argc -= optind, argv += optind;
-
- for (i = 0; i < 1000; i++) {
- fprintf(stderr, "test %d\n", i);
- testit();
- }
- return (0);
-}

File Metadata

Mime Type
text/plain
Expires
Sun, Apr 19, 12:46 AM (14 h, 14 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
31740140
Default Alt Text
D29736.diff (53 KB)

Event Timeline