git: 76681661be28 - main - OCF: Remove support for asymmetric cryptographic operations.
John Baldwin
jhb at FreeBSD.org
Mon Apr 12 21:35:09 UTC 2021
The branch main has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=76681661be2859622872c3a8a1bd68260403ddd0
commit 76681661be2859622872c3a8a1bd68260403ddd0
Author: John Baldwin <jhb at FreeBSD.org>
AuthorDate: 2021-04-12 21:27:42 +0000
Commit: John Baldwin <jhb at FreeBSD.org>
CommitDate: 2021-04-12 21:28:43 +0000
OCF: Remove support for asymmetric cryptographic operations.
There haven't been any non-obscure drivers that supported this
functionality and it has been impossible to test to ensure that it
still works. The only known consumer of this interface was the engine
in OpenSSL < 1.1. Modern OpenSSL versions do not include support for
this interface as it was not well-documented.
Reviewed by: cem
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D29736
---
ObsoleteFiles.inc | 7 +
share/man/man4/crypto.4 | 145 +++----------
share/man/man9/Makefile | 5 -
share/man/man9/crypto.9 | 32 +--
share/man/man9/crypto_asym.9 | 178 ----------------
share/man/man9/crypto_driver.9 | 7 +-
sys/dev/hifn/hifn7751.c | 2 +-
sys/dev/safe/safe.c | 4 +-
sys/mips/nlm/dev/sec/nlmsec.c | 2 +-
sys/opencrypto/crypto.c | 404 +------------------------------------
sys/opencrypto/cryptodev.c | 248 -----------------------
sys/opencrypto/cryptodev.h | 58 ------
sys/opencrypto/cryptodev_if.m | 36 +---
tools/tools/crypto/Makefile | 5 +-
tools/tools/crypto/cryptokeytest.c | 270 -------------------------
15 files changed, 56 insertions(+), 1347 deletions(-)
diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
index 1019436f1e28..39cb638129e9 100644
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -40,6 +40,13 @@
# xargs -n1 | sort | uniq -d;
# done
+# 20210412: Remove kernel asymmetric crypto
+OLD_FILES+=usr/share/man/man9/crypto_asym.9
+OLD_FILES+=usr/share/man/man9/crypto_kdispatch.9
+OLD_FILES+=usr/share/man/man9/crypto_kdone.9
+OLD_FILES+=usr/share/man/man9/crypto_kregister.9
+OLD_FILES+=usr/share/man/man9/CRYPTODEV_KPROCESS.9
+
# 20210410: remove unused libexec/rc.d/archdep
OLD_FILES+=etc/rc.d/archdep
diff --git a/share/man/man4/crypto.4 b/share/man/man4/crypto.4
index f146b50ecd4b..56fd4f484c3b 100644
--- a/share/man/man4/crypto.4
+++ b/share/man/man4/crypto.4
@@ -60,7 +60,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd November 24, 2020
+.Dd April 12, 2021
.Dt CRYPTO 4
.Os
.Sh NAME
@@ -93,53 +93,32 @@ then issue
calls on the descriptor.
User-mode access to
.Pa /dev/crypto
-is controlled by two
+is controlled by the
+.Ic kern.cryptodevallowsoft
.Xr sysctl 8
-variables:
-.Ic kern.userasymcrypto
-and
-.Ic kern.cryptodevallowsoft .
-.Pp
-The
-.Nm
-device provides two distinct modes of operation: one mode for
-symmetric-keyed cryptographic requests and digests, and a second mode for
-both asymmetric-key (public-key/private-key) requests and
-modular arithmetic (for Diffie-Hellman key exchange and other
-cryptographic protocols).
-The two modes are described separately below.
-.Sh DEPRECATION NOTICE
-The asymmetric-key operations supported by this interface will not be
-present in
-.Fx 14.0
-and later.
+variable.
+If this variable is zero,
+then user-mode sessions are only permitted to use cryptography coprocessors.
.Sh THEORY OF OPERATION
-Regardless of whether symmetric-key or asymmetric-key operations are
-to be performed, use of the device requires a basic series of steps:
+Use of the device requires a basic series of steps:
.Bl -enum
.It
Open the
.Pa /dev/crypto
device.
.It
-If any symmetric-keyed cryptographic or digest operations will be performed,
-create a session with
+Create a session with
.Dv CIOCGSESSION
or
.Dv CIOCGSESSION2 .
-Most applications will require at least one symmetric session.
+Applications will require at least one symmetric session.
Since cipher and MAC keys are tied to sessions, many
applications will require more.
-Asymmetric operations do not use sessions.
.It
Submit requests, synchronously with
.Dv CIOCCRYPT
-(symmetric),
-.Dv CIOCCRYPTAEAD
-(symmetric),
or
-.Dv CIOCKEY
-(asymmetric).
+.Dv CIOCCRYPTAEAD .
.It
Optionally destroy a session with
.Dv CIOCFSESSION .
@@ -151,22 +130,27 @@ This will automatically close any remaining sessions associated with the
file desriptor.
.El
.Sh SYMMETRIC-KEY OPERATION
-The symmetric-key operation mode provides a context-based API
+.Nm cryptodev
+provides a context-based API
to traditional symmetric-key encryption (or privacy) algorithms,
-or to keyed and unkeyed one-way hash (HMAC and MAC) algorithms.
-The symmetric-key mode also permits encrypt-then-authenticate fused operation,
-where the hardware performs both a privacy algorithm and an integrity-check
+keyed and unkeyed one-way hash (HMAC and MAC) algorithms,
+encrypt-then-authenticate (ETA) fused operations,
+and authenticated encryption with additional data (AEAD) operations.
+For ETA operations,
+drivers perform both a privacy algorithm and an integrity-check
algorithm in a single pass over the data: either a fused
encrypt/HMAC-generate operation, or a fused HMAC-verify/decrypt operation.
+Similarly, for AEAD operations,
+drivers perform either an encrypt/MAC-generate operation
+or a MAC-verify/decrypt operation.
.Pp
-To use symmetric mode, you must first create a session specifying
-the algorithm(s) and key(s) to use; then issue encrypt or decrypt
-requests against the session.
+The algorithm(s) and key(s) to use are specified when a session is
+created.
+Individual requests are able to specify per-request initialization vectors
+or nonces.
.Ss Algorithms
For a list of supported algorithms, see
-.Xr crypto 7
-and
-.Xr crypto 9 .
+.Xr crypto 7 .
.Ss IOCTL Request Descriptions
.\"
.Bl -tag -width CIOCGSESSION
@@ -216,11 +200,13 @@ privacy algorithm, integrity algorithm, and keys specified in
The special value 0 for either privacy or integrity
is reserved to indicate that the indicated operation (privacy or integrity)
is not desired for this session.
+ETA sessions specify both privacy and integrity algorithms.
+AEAD sessions specify only a privacy algorithm.
.Pp
Multiple sessions may be bound to a single file descriptor.
The session ID returned in
.Fa sessp-\*[Gt]ses
-is supplied as a required field in the symmetric-operation structure
+is supplied as a required field in the operation structure
.Fa crypt_op
for future encryption or hashing requests.
.\" .Pp
@@ -229,7 +215,7 @@ for future encryption or hashing requests.
.\" .Nx
.\" extension.
.Pp
-For non-zero symmetric-key privacy algorithms, the privacy algorithm
+For non-zero privacy algorithms, the privacy algorithm
must be specified in
.Fa sessp-\*[Gt]cipher ,
the key length in
@@ -290,7 +276,7 @@ struct crypt_op {
};
.Ed
-Request a symmetric-key (or hash) operation.
+Request an encryption/decryption (or hash) operation.
To encrypt, set
.Fa cr_op-\*[Gt]op
to
@@ -344,75 +330,6 @@ to include in the authentication mode.
Destroys the session identified by
.Fa ses_id .
.El
-.\"
-.Sh ASYMMETRIC-KEY OPERATION
-.Ss Asymmetric-key algorithms
-Contingent upon hardware support, the following asymmetric
-(public-key/private-key; or key-exchange subroutine) operations may
-also be available:
-.Pp
-.Bl -column "CRK_DH_COMPUTE_KEY" "Input parameter" "Output parameter" -offset indent -compact
-.It Em "Algorithm" Ta "Input parameter" Ta "Output parameter"
-.It Em " " Ta "Count" Ta "Count"
-.It Dv CRK_MOD_EXP Ta 3 Ta 1
-.It Dv CRK_MOD_EXP_CRT Ta 6 Ta 1
-.It Dv CRK_DSA_SIGN Ta 5 Ta 2
-.It Dv CRK_DSA_VERIFY Ta 7 Ta 0
-.It Dv CRK_DH_COMPUTE_KEY Ta 3 Ta 1
-.El
-.Pp
-See below for discussion of the input and output parameter counts.
-.Ss Asymmetric-key commands
-.Bl -tag -width CIOCKEY
-.It Dv CIOCASYMFEAT Fa int *feature_mask
-Returns a bitmask of supported asymmetric-key operations.
-Each of the above-listed asymmetric operations is present
-if and only if the bit position numbered by the code for that operation
-is set.
-For example,
-.Dv CRK_MOD_EXP
-is available if and only if the bit
-.Pq 1 \*[Lt]\*[Lt] Dv CRK_MOD_EXP
-is set.
-.It Dv CIOCKEY Fa struct crypt_kop *kop
-.Bd -literal
-struct crypt_kop {
- u_int crk_op; /* e.g. CRK_MOD_EXP */
- u_int crk_status; /* return status */
- u_short crk_iparams; /* # of input params */
- u_short crk_oparams; /* # of output params */
- u_int crk_pad1;
- struct crparam crk_param[CRK_MAXPARAM];
-};
-
-/* Bignum parameter, in packed bytes. */
-struct crparam {
- void * crp_p;
- u_int crp_nbits;
-};
-
-.Ed
-Performs an asymmetric-key operation from the list above.
-The specific operation is supplied in
-.Fa kop-\*[Gt]crk_op ;
-final status for the operation is returned in
-.Fa kop-\*[Gt]crk_status .
-The number of input arguments and the number of output arguments
-is specified in
-.Fa kop-\*[Gt]crk_iparams
-and
-.Fa kop-\*[Gt]crk_iparams ,
-respectively.
-The field
-.Fa crk_param[]
-must be filled in with exactly
-.Fa kop-\*[Gt]crk_iparams + kop-\*[Gt]crk_oparams
-arguments, each encoded as a
-.Fa struct crparam
-(address, bitlength) pair.
-.Pp
-The semantics of these arguments are currently undocumented.
-.El
.Sh SEE ALSO
.Xr aesni 4 ,
.Xr hifn 4 ,
@@ -444,5 +361,3 @@ must follow whether privacy or integrity algorithms were specified for
session: if you request a
.No non- Ns Dv NULL
algorithm, you must supply a suitably-sized buffer.
-.Pp
-The scheme for passing arguments for asymmetric requests is baroque.
diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile
index efdd8b2f6e9c..1a68b1f80882 100644
--- a/share/man/man9/Makefile
+++ b/share/man/man9/Makefile
@@ -72,7 +72,6 @@ MAN= accept_filter.9 \
cr_seeothergids.9 \
cr_seeotheruids.9 \
crypto.9 \
- crypto_asym.9 \
crypto_buffer.9 \
crypto_driver.9 \
crypto_request.9 \
@@ -913,10 +912,6 @@ MLINKS+=cpuset.9 CPUSET_T_INITIALIZER.9 \
cpuset.9 CPU_COPY_STORE_REL.9
MLINKS+=critical_enter.9 critical.9 \
critical_enter.9 critical_exit.9
-MLINKS+=crypto_asym.9 crypto_kdispatch.9 \
- crypto_asym.9 crypto_kdone.9 \
- crypto_asym.9 crypto_kregister.9 \
- crypto_asym.9 CRYPTODEV_KPROCESS.9
MLINKS+=crypto_buffer.9 crypto_apply.9 \
crypto_buffer.9 crypto_apply_buf.9 \
crypto_buffer.9 crypto_buffer_contiguous_segment.9 \
diff --git a/share/man/man9/crypto.9 b/share/man/man9/crypto.9
index 69fe3339a757..d78daa253945 100644
--- a/share/man/man9/crypto.9
+++ b/share/man/man9/crypto.9
@@ -17,7 +17,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd March 18, 2021
+.Dd April 12, 2021
.Dt CRYPTO 9
.Os
.Sh NAME
@@ -35,15 +35,10 @@ through the
device.
.Pp
.Nm
-supports two modes of operation:
-one mode for symmetric-keyed cryptographic requests and digest,
-and a second mode for asymmetric-key requests and modular arithmetic.
-.Ss Symmetric-Key Mode
-Symmetric-key operations include encryption and decryption operations
+supports encryption and decryption operations
using block and stream ciphers as well as computation and verification
of message authentication codes (MACs).
-In this mode,
-consumers allocate sessions to describe a transform as discussed in
+Consumers allocate sessions to describe a transform as discussed in
.Xr crypto_session 9 .
Consumers then allocate request objects to describe each transformation
such as encrypting a network packet or decrypting a disk sector.
@@ -56,18 +51,6 @@ consumers.
describes the interfaces drivers use to register with the framework,
helper routines the framework provides to faciliate request processing,
and the interfaces drivers are required to provide.
-.Ss Asymmetric-Key Mode
-Assymteric-key operations do not use sessions.
-Instead,
-these operations perform individual mathematical operations using a set
-of input and output parameters.
-These operations are described in
-.Xr crypto_asym 9 .
-Drivers that support asymmetric operations use additional interfaces
-described in
-.Xr crypto_asym 9
-in addition to the base interfaces described in
-.Xr crypto_driver 9 .
.Ss Callbacks
Since the consumers may not be associated with a process, drivers may
not
@@ -83,10 +66,9 @@ Errors are reported to the callback function.
Session initialization does not use callbacks and returns errors
synchronously.
.Ss Session Migration
-For symmetric-key operations,
-a specific error code,
+Operations may fail with a specific error code,
.Er EAGAIN ,
-is used to indicate that a session handle has changed and that the
+to indicate that a session handle has changed and that the
request may be re-submitted immediately with the new session.
The consumer should update its saved copy of the session handle
to the value of
@@ -95,9 +77,6 @@ so that future requests use the new session.
.Ss Supported Algorithms
More details on some algorithms may be found in
.Xr crypto 7 .
-These algorithms are used for symmetric-mode operations.
-Asymmetric-mode operations support operations described in
-.Xr crypto_asym 9 .
.Pp
The following authentication algorithms are supported:
.Pp
@@ -156,7 +135,6 @@ most of the framework code
.Xr crypto 4 ,
.Xr ipsec 4 ,
.Xr crypto 7 ,
-.Xr crypto_asym 9 ,
.Xr crypto_driver 9 ,
.Xr crypto_request 9 ,
.Xr crypto_session 9 ,
diff --git a/share/man/man9/crypto_asym.9 b/share/man/man9/crypto_asym.9
deleted file mode 100644
index c21a72f8d1c4..000000000000
--- a/share/man/man9/crypto_asym.9
+++ /dev/null
@@ -1,178 +0,0 @@
-.\" Copyright (c) 2020, Chelsio Inc
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright notice,
-.\" this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Chelsio Inc nor the names of its
-.\" contributors may be used to endorse or promote products derived from
-.\" this software without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-.\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-.\" POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" * Other names and brands may be claimed as the property of others.
-.\"
-.\" $FreeBSD$
-.\"
-.Dd March 27, 2020
-.Dt CRYPTO_ASYM 9
-.Os
-.Sh NAME
-.Nm crypto_asym
-.Nd asymmetric cryptographic operations
-.Sh SYNOPSIS
-.In opencrypto/cryptodev.h
-.Ft int
-.Fn crypto_kdispatch "struct cryptkop *krp"
-.Ft void
-.Fn crypto_kdone "struct cryptkop *krp"
-.Ft int
-.Fn crypto_kregister "uint32_t driverid" "int kalg" "uint32_t flags"
-.Ft int
-.Fn CRYPTODEV_KPROCESS "device_t dev" "struct cryptop *krp" "int flags"
-.Sh DESCRIPTION
-The in-kernel cryptographic kernel framework supports asymmetric
-requests (keying requests) in addition to symmetric operations.
-There are currently no in-kernel users of these requests,
-but applications can make requests of hardware drivers via the
-.Pa /dev/crypto
-device .
-.Pp
-Some APIs are shared with the framework's symmetric request support.
-This manual describes the APIs and data structures unique to
-asymmetric requests.
-.Pp
-.Ss Request Objects
-A request is described by a
-.Vt struct cryptkop
-containing the following fields:
-.Bl -tag -width "krp_callback"
-.It Fa krp_op
-Operation to perform.
-Available operations include
-.Dv CRK_MOD_EXP ,
-.Dv CRK_MOD_EXP_CRT ,
-.Dv CRK_DSA_SIGN ,
-.Dv CRK_DSA_VERIFY ,
-and
-.Dv CRK_DH_COMPUTE_KEY .
-.It Fa krp_status
-Error status.
-Either zero on success,
-or an error if an operation fails.
-Set by drivers prior to completing a request via
-.Fn crypto_kdone .
-.It Fa krp_iparams
-Count of input parameters.
-.It Fa krp_oparams
-Count of output parameters.
-.It Fa krp_crid
-Requested device.
-.It Fa krp_hid
-Device used to complete the request.
-.It Fa krp_param
-Array of parameters.
-The array contains the input parameters first followed by the output
-parameters.
-Each parameter is stored as a bignum.
-Each bignum is described by a
-.Vt struct crparam
-containing the following fields:
-.Bl -tag -width "crp_nbits"
-.It Fa crp_p
-Pointer to array of packed bytes.
-.It Fa crp_nbits
-Size of bignum in bits.
-.El
-.It Fa krp_callback
-Callback function.
-This must point to a callback function of type
-.Vt void (*)(struct cryptkop *) .
-The callback function should inspect
-.Fa krp_status
-to determine the status of the completed operation.
-.El
-.Pp
-New requests should be initialized to zero before setting fields to
-appropriate values.
-Once the request has been populated,
-it should be passed to
-.Fn crypto_kdispatch .
-.Pp
-.Fn crypto_kdispatch
-will choose a device driver to perform the operation described by
-.Fa krp
-and invoke that driver's
-.Fn CRYPTO_KPROCESS
-method.
-.Ss Driver API
-Drivers register support for asymmetric operations by calling
-.Fn crypto_kregister
-for each supported algorithm.
-.Fa driverid
-should be the value returned by an earlier call to
-.Fn crypto_get_driverid .
-.Fa kalg
-should list one of the operations that can be set in
-.Fa krp_op .
-.Fa flags
-is a bitmask of zero or more of the following values:
-.Bl -tag -width "CRYPTO_ALG_FLAG_RNG_ENABLE"
-.It Dv CRYPTO_ALG_FLAG_RNG_ENABLE
-Device has a hardware RNG for DH/DSA.
-.It Dv CRYPTO_ALG_FLAG_DSA_SHA
-Device can compute a SHA digest of a message.
-.El
-.Pp
-Drivers unregister with the framework via
-.Fn crypto_unregister_all .
-.Pp
-Similar to
-.Fn CRYPTO_PROCESS ,
-.Fn CRYPTO_KPROCESS
-should complete the request or schedule it for asynchronous
-completion.
-If this method is not able to complete a request due to insufficient
-resources,
-it can defer the request (and future asymmetric requests) by returning
-.Dv ERESTART .
-Once resources are available,
-the driver should invoke
-.Fn crypto_unblock
-with
-.Dv CRYPTO_ASYMQ
-to resume processing of asymmetric requests.
-.Pp
-Once a request is completed,
-the driver should set
-.Fa krp_status
-and then call
-.Fn crypto_kdone .
-.Sh RETURN VALUES
-.Fn crypto_kdispatch ,
-.Fn crypto_kregister ,
-and
-.Fn CRYPTODEV_KPROCESS
-return zero on success or an error on failure.
-.Sh SEE ALSO
-.Xr crypto 7 ,
-.Xr crypto 9 ,
-.Xr crypto_driver 9 ,
-.Xr crypto_request 9 ,
-.Xr crypto_session 9
diff --git a/share/man/man9/crypto_driver.9 b/share/man/man9/crypto_driver.9
index 930cc0d8bde4..b0032e7fa385 100644
--- a/share/man/man9/crypto_driver.9
+++ b/share/man/man9/crypto_driver.9
@@ -30,7 +30,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd June 9, 2020
+.Dd April 12, 2021
.Dt CRYPTO_DRIVER 9
.Os
.Sh NAME
@@ -285,13 +285,10 @@ is the value returned by
.Fn crypto_get_driverid .
.Fa what
indicates which types of requests the driver is able to handle again:
-.Bl -tag -width "CRYPTO_ASYMQ"
+.Bl -tag -width "CRYPTO_SYMQ"
.It Dv CRYPTO_SYMQ
indicates that the driver is able to handle symmetric requests passed to
.Fn CRYPTODEV_PROCESS .
-.It Dv CRYPTO_ASYMQ
-indicates that the driver is able to handle asymmetric requests passed to
-.Fn CRYPTODEV_KPROCESS .
.El
.Pp
.Pp
diff --git a/sys/dev/hifn/hifn7751.c b/sys/dev/hifn/hifn7751.c
index 240d801e5b12..033ef7edf10d 100644
--- a/sys/dev/hifn/hifn7751.c
+++ b/sys/dev/hifn/hifn7751.c
@@ -2252,7 +2252,7 @@ hifn_intr(void *arg)
HIFN_UNLOCK(sc);
if (sc->sc_needwakeup) { /* XXX check high watermark */
- int wakeup = sc->sc_needwakeup & (CRYPTO_SYMQ|CRYPTO_ASYMQ);
+ int wakeup = sc->sc_needwakeup & CRYPTO_SYMQ;
#ifdef HIFN_DEBUG
if (hifn_debug)
device_printf(sc->sc_dev,
diff --git a/sys/dev/safe/safe.c b/sys/dev/safe/safe.c
index 46cd8e1b6147..cc1f16fc9ed3 100644
--- a/sys/dev/safe/safe.c
+++ b/sys/dev/safe/safe.c
@@ -385,8 +385,6 @@ safe_attach(device_t dev)
#if 0
printf(" key");
sc->sc_flags |= SAFE_FLAGS_KEY;
- crypto_kregister(sc->sc_cid, CRK_MOD_EXP, 0);
- crypto_kregister(sc->sc_cid, CRK_MOD_EXP_CRT, 0);
#endif
}
if (sc->sc_devinfo & SAFE_DEVINFO_DES) {
@@ -584,7 +582,7 @@ safe_intr(void *arg)
}
if (sc->sc_needwakeup) { /* XXX check high watermark */
- int wakeup = sc->sc_needwakeup & (CRYPTO_SYMQ|CRYPTO_ASYMQ);
+ int wakeup = sc->sc_needwakeup & CRYPTO_SYMQ;
DPRINTF(("%s: wakeup crypto %x\n", __func__,
sc->sc_needwakeup));
sc->sc_needwakeup &= ~wakeup;
diff --git a/sys/mips/nlm/dev/sec/nlmsec.c b/sys/mips/nlm/dev/sec/nlmsec.c
index c28eaf334613..9318206a04fd 100644
--- a/sys/mips/nlm/dev/sec/nlmsec.c
+++ b/sys/mips/nlm/dev/sec/nlmsec.c
@@ -281,7 +281,7 @@ nlm_xlpsec_msgring_handler(int vc, int size, int code, int src_id,
atomic_add_int(&creditleft, sc->sec_msgsz);
if (creditleft >= (NLM_CRYPTO_LEFT_REQS)) {
crypto_unblock(sc->sc_cid, sc->sc_needwakeup);
- sc->sc_needwakeup &= (~(CRYPTO_SYMQ | CRYPTO_ASYMQ));
+ sc->sc_needwakeup &= ~CRYPTO_SYMQ;
}
}
if (cmd->hash_dst_len != 0) {
diff --git a/sys/opencrypto/crypto.c b/sys/opencrypto/crypto.c
index 1c9d79af8c91..b56d0fb70698 100644
--- a/sys/opencrypto/crypto.c
+++ b/sys/opencrypto/crypto.c
@@ -98,8 +98,7 @@ SDT_PROVIDER_DEFINE(opencrypto);
/*
* Crypto drivers register themselves by allocating a slot in the
- * crypto_drivers table with crypto_get_driverid() and then registering
- * each asym algorithm they support with crypto_kregister().
+ * crypto_drivers table with crypto_get_driverid().
*/
static struct mtx crypto_drivers_mtx; /* lock on driver table */
#define CRYPTO_DRIVER_LOCK() mtx_lock(&crypto_drivers_mtx)
@@ -118,13 +117,10 @@ struct cryptocap {
device_t cc_dev;
uint32_t cc_hid;
uint32_t cc_sessions; /* (d) # of sessions */
- uint32_t cc_koperations; /* (d) # os asym operations */
- uint8_t cc_kalg[CRK_ALGORITHM_MAX + 1];
int cc_flags; /* (d) flags */
#define CRYPTOCAP_F_CLEANUP 0x80000000 /* needs resource cleanup */
int cc_qblocked; /* (q) symmetric q blocked */
- int cc_kqblocked; /* (q) asymmetric q blocked */
size_t cc_session_size;
volatile int cc_refs;
};
@@ -139,16 +135,8 @@ struct crypto_session {
/* Driver softc follows. */
};
-/*
- * There are two queues for crypto requests; one for symmetric (e.g.
- * cipher) operations and one for asymmetric (e.g. MOD)operations.
- * A single mutex is used to lock access to both queues. We could
- * have one per-queue but having one simplifies handling of block/unblock
- * operations.
- */
static int crp_sleep = 0;
static TAILQ_HEAD(cryptop_q ,cryptop) crp_q; /* request queues */
-static TAILQ_HEAD(,cryptkop) crp_kq;
static struct mtx crypto_q_mtx;
#define CRYPTO_Q_LOCK() mtx_lock(&crypto_q_mtx)
#define CRYPTO_Q_UNLOCK() mtx_unlock(&crypto_q_mtx)
@@ -172,7 +160,6 @@ struct crypto_ret_worker {
TAILQ_HEAD(,cryptop) crp_ordered_ret_q; /* ordered callback queue for symetric jobs */
TAILQ_HEAD(,cryptop) crp_ret_q; /* callback queue for symetric jobs */
- TAILQ_HEAD(,cryptkop) crp_ret_kq; /* callback queue for asym jobs */
uint32_t reorder_ops; /* total ordered sym jobs received */
uint32_t reorder_cur_seq; /* current sym job dispatched */
@@ -201,16 +188,6 @@ SYSCTL_INT(_kern, OID_AUTO, crypto_workers_num, CTLFLAG_RDTUN,
static uma_zone_t cryptop_zone;
-int crypto_userasymcrypto = 1;
-SYSCTL_INT(_kern_crypto, OID_AUTO, asym_enable, CTLFLAG_RW,
- &crypto_userasymcrypto, 0,
- "Enable user-mode access to asymmetric crypto support");
-#ifdef COMPAT_FREEBSD12
-SYSCTL_INT(_kern, OID_AUTO, userasymcrypto, CTLFLAG_RW,
- &crypto_userasymcrypto, 0,
- "Enable/disable user-mode access to asymmetric crypto support");
-#endif
-
int crypto_devallowsoft = 0;
SYSCTL_INT(_kern_crypto, OID_AUTO, allow_soft, CTLFLAG_RW,
&crypto_devallowsoft, 0,
@@ -228,7 +205,6 @@ static struct proc *cryptoproc;
static void crypto_ret_proc(struct crypto_ret_worker *ret_worker);
static void crypto_destroy(void);
static int crypto_invoke(struct cryptocap *cap, struct cryptop *crp, int hint);
-static int crypto_kinvoke(struct cryptkop *krp);
static void crypto_task_invoke(void *ctx, int pending);
static void crypto_batch_enqueue(struct cryptop *crp);
@@ -308,8 +284,6 @@ cap_rele(struct cryptocap *cap)
KASSERT(cap->cc_sessions == 0,
("freeing crypto driver with active sessions"));
- KASSERT(cap->cc_koperations == 0,
- ("freeing crypto driver with active key operations"));
free(cap, M_CRYPTO_DATA);
}
@@ -324,7 +298,6 @@ crypto_init(void)
MTX_DEF|MTX_QUIET);
TAILQ_INIT(&crp_q);
- TAILQ_INIT(&crp_kq);
mtx_init(&crypto_q_mtx, "crypto", "crypto op queues", MTX_DEF);
cryptop_zone = uma_zcreate("cryptop",
@@ -358,7 +331,6 @@ crypto_init(void)
FOREACH_CRYPTO_RETW(ret_worker) {
TAILQ_INIT(&ret_worker->crp_ordered_ret_q);
TAILQ_INIT(&ret_worker->crp_ret_q);
- TAILQ_INIT(&ret_worker->crp_ret_kq);
ret_worker->reorder_ops = 0;
ret_worker->reorder_cur_seq = 0;
@@ -1114,43 +1086,6 @@ crypto_getcaps(int hid)
return (flags);
}
-/*
- * Register support for a key-related algorithm. This routine
- * is called once for each algorithm supported a driver.
- */
-int
-crypto_kregister(uint32_t driverid, int kalg, uint32_t flags)
-{
- struct cryptocap *cap;
- int err;
-
- CRYPTO_DRIVER_LOCK();
-
- cap = crypto_checkdriver(driverid);
- if (cap != NULL &&
- (CRK_ALGORITM_MIN <= kalg && kalg <= CRK_ALGORITHM_MAX)) {
- /*
- * XXX Do some performance testing to determine placing.
- * XXX We probably need an auxiliary data structure that
- * XXX describes relative performances.
- */
-
- cap->cc_kalg[kalg] = flags | CRYPTO_ALG_FLAG_SUPPORTED;
- if (bootverbose)
- printf("crypto: %s registers key alg %u flags %u\n"
- , device_get_nameunit(cap->cc_dev)
- , kalg
- , flags
- );
- gone_in_dev(cap->cc_dev, 14, "asymmetric crypto");
- err = 0;
- } else
- err = EINVAL;
-
- CRYPTO_DRIVER_UNLOCK();
- return err;
-}
-
/*
* Unregister all algorithms associated with a crypto driver.
* If there are pending sessions using it, leave enough information
@@ -1177,7 +1112,7 @@ crypto_unregister_all(uint32_t driverid)
* XXX: This doesn't do anything to kick sessions that
* have no pending operations.
*/
- while (cap->cc_sessions != 0 || cap->cc_koperations != 0)
+ while (cap->cc_sessions != 0)
mtx_sleep(cap, &crypto_drivers_mtx, 0, "cryunreg", 0);
CRYPTO_DRIVER_UNLOCK();
cap_rele(cap);
@@ -1200,8 +1135,6 @@ crypto_unblock(uint32_t driverid, int what)
if (cap != NULL) {
if (what & CRYPTO_SYMQ)
cap->cc_qblocked = 0;
- if (what & CRYPTO_ASYMQ)
- cap->cc_kqblocked = 0;
if (crp_sleep)
wakeup_one(&crp_q);
err = 0;
@@ -1499,189 +1432,6 @@ crypto_batch_enqueue(struct cryptop *crp)
CRYPTO_Q_UNLOCK();
}
-/*
- * Add an asymetric crypto request to a queue,
- * to be processed by the kernel thread.
- */
-int
-crypto_kdispatch(struct cryptkop *krp)
-{
- int error;
-
- CRYPTOSTAT_INC(cs_kops);
-
- krp->krp_cap = NULL;
- error = crypto_kinvoke(krp);
- if (error == ERESTART) {
- CRYPTO_Q_LOCK();
- TAILQ_INSERT_TAIL(&crp_kq, krp, krp_next);
- if (crp_sleep)
- wakeup_one(&crp_q);
- CRYPTO_Q_UNLOCK();
- error = 0;
- }
- return error;
-}
-
-/*
- * Verify a driver is suitable for the specified operation.
- */
-static __inline int
-kdriver_suitable(const struct cryptocap *cap, const struct cryptkop *krp)
-{
- return (cap->cc_kalg[krp->krp_op] & CRYPTO_ALG_FLAG_SUPPORTED) != 0;
-}
-
-/*
- * Select a driver for an asym operation. The driver must
- * support the necessary algorithm. The caller can constrain
- * which device is selected with the flags parameter. The
- * algorithm we use here is pretty stupid; just use the first
- * driver that supports the algorithms we need. If there are
- * multiple suitable drivers we choose the driver with the
- * fewest active operations. We prefer hardware-backed
- * drivers to software ones when either may be used.
- */
-static struct cryptocap *
-crypto_select_kdriver(const struct cryptkop *krp, int flags)
-{
- struct cryptocap *cap, *best;
- int match, hid;
-
- CRYPTO_DRIVER_ASSERT();
-
- /*
- * Look first for hardware crypto devices if permitted.
- */
- if (flags & CRYPTOCAP_F_HARDWARE)
- match = CRYPTOCAP_F_HARDWARE;
- else
- match = CRYPTOCAP_F_SOFTWARE;
- best = NULL;
-again:
- for (hid = 0; hid < crypto_drivers_size; hid++) {
- /*
- * If there is no driver for this slot, or the driver
- * is not appropriate (hardware or software based on
- * match), then skip.
- */
- cap = crypto_drivers[hid];
- if (cap == NULL ||
- (cap->cc_flags & match) == 0)
- continue;
-
- /* verify all the algorithms are supported. */
- if (kdriver_suitable(cap, krp)) {
- if (best == NULL ||
- cap->cc_koperations < best->cc_koperations)
- best = cap;
- }
- }
- if (best != NULL)
- return best;
- if (match == CRYPTOCAP_F_HARDWARE && (flags & CRYPTOCAP_F_SOFTWARE)) {
- /* sort of an Algol 68-style for loop */
- match = CRYPTOCAP_F_SOFTWARE;
- goto again;
- }
- return best;
-}
-
-/*
- * Choose a driver for an asymmetric crypto request.
- */
-static struct cryptocap *
-crypto_lookup_kdriver(struct cryptkop *krp)
-{
- struct cryptocap *cap;
- uint32_t crid;
-
- /* If this request is requeued, it might already have a driver. */
- cap = krp->krp_cap;
- if (cap != NULL)
- return (cap);
-
- /* Use krp_crid to choose a driver. */
- crid = krp->krp_crid;
- if ((crid & (CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE)) == 0) {
- cap = crypto_checkdriver(crid);
- if (cap != NULL) {
- /*
- * Driver present, it must support the
- * necessary algorithm and, if s/w drivers are
- * excluded, it must be registered as
- * hardware-backed.
- */
- if (!kdriver_suitable(cap, krp) ||
- (!crypto_devallowsoft &&
- (cap->cc_flags & CRYPTOCAP_F_HARDWARE) == 0))
- cap = NULL;
- }
- } else {
- /*
- * No requested driver; select based on crid flags.
- */
- if (!crypto_devallowsoft) /* NB: disallow s/w drivers */
- crid &= ~CRYPTOCAP_F_SOFTWARE;
- cap = crypto_select_kdriver(krp, crid);
- }
-
- if (cap != NULL) {
- krp->krp_cap = cap_ref(cap);
- krp->krp_hid = cap->cc_hid;
- }
- return (cap);
-}
-
-/*
- * Dispatch an asymmetric crypto request.
- */
-static int
-crypto_kinvoke(struct cryptkop *krp)
-{
- struct cryptocap *cap = NULL;
- int error;
-
- KASSERT(krp != NULL, ("%s: krp == NULL", __func__));
- KASSERT(krp->krp_callback != NULL,
- ("%s: krp->crp_callback == NULL", __func__));
-
- CRYPTO_DRIVER_LOCK();
- cap = crypto_lookup_kdriver(krp);
- if (cap == NULL) {
- CRYPTO_DRIVER_UNLOCK();
- krp->krp_status = ENODEV;
- crypto_kdone(krp);
- return (0);
- }
-
- /*
- * If the device is blocked, return ERESTART to requeue it.
- */
- if (cap->cc_kqblocked) {
- /*
- * XXX: Previously this set krp_status to ERESTART and
- * invoked crypto_kdone but the caller would still
- * requeue it.
- */
- CRYPTO_DRIVER_UNLOCK();
- return (ERESTART);
- }
*** 1019 LINES SKIPPED ***
More information about the dev-commits-src-all
mailing list