12.07.2015 Views

INTRO (9) NetBSD Kernel Developer's Manual INTRO (9) NAME ...


OPENCRYPTO(9)          NetBSD Kernel Developer’s Manual          OPENCRYPTO(9)

operation can be requested).

Keying operations are supported as well. Unlike the symmetric operators described above, these sessionless commands perform mathematical operations using input and output parameters.

Since the consumers may not be associated with a process, drivers may not use condition variables: condvar(9). The same holds for the framework. Thus, a callback mechanism is used to notify a consumer that a request has been completed (the callback is specified by the consumer on a per-request basis). The callback is invoked by the framework whether the request was successfully completed or not. An error indication is provided in the latter case. A specific error code, EAGAIN, is used to indicate that a session number has changed and that the request may be re-submitted immediately with the new session number. Errors are only returned to the invoking function if not enough information to call the callback is available (meaning, there was a fatal error in verifying the arguments). No callback mechanism is used for session initialization and teardown.

The crypto_newsession() routine is called by consumers of cryptographic services (such as the ipsec(4) stack) that wish to establish a new session with the framework. On success, the first argument will contain the Session Identifier (SID). The second argument contains all the necessary information for the driver to establish the session. The third argument indicates whether a hardware driver should be used (1) or not (0). The various fields in the cryptoini structure are:

cri_alg     Contains an algorithm identifier. Currently supported algorithms are:

                CRYPTO_DES_CBC
                CRYPTO_3DES_CBC
                CRYPTO_BLF_CBC
                CRYPTO_CAST_CBC
                CRYPTO_SKIPJACK_CBC
                CRYPTO_MD5_HMAC
                CRYPTO_SHA1_HMAC
                CRYPTO_RIPEMD160_HMAC
                CRYPTO_MD5_KPDK
                CRYPTO_SHA1_KPDK
                CRYPTO_AES_CBC
                CRYPTO_ARC4
                CRYPTO_MD5
                CRYPTO_SHA1

cri_klen    Specifies the length of the key in bits, for variable-size key algorithms.

cri_rnd     Specifies the number of rounds to be used with the algorithm, for variable-round algorithms.

cri_key     Contains the key to be used with the algorithm.

cri_iv      Contains an explicit initialization vector (IV), if it does not prefix the data. This field is ignored during initialization. If no IV is explicitly passed (see below for details), a random IV is used by the device driver processing the request.

cri_next    Contains a pointer to another cryptoini structure. Multiple such structures may be linked to establish multi-algorithm sessions (ipsec(4) is an example consumer of such a feature).

The cryptoini structure and its contents will not be modified by the framework (or the drivers used). Subsequent requests for processing that use the SID returned will avoid the cost of re-initializing the hardware (in essence, SID acts as an index in the session cache of the driver).

NetBSD 3.0                     December 20, 2003
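The following is an added example, not part of the manual page or the NetBSD source: a userland model of a cryptoini chain such as an ipsec(4)-style consumer would hand to crypto_newsession(), with a pre-flight check that catches a cri_klen given in bytes instead of bits and a cri_next chain that never terminates. The struct layout, the identifier values, CRI_MAX_CHAIN, cri_klen_ok(), cri_chain_check() and demo_esp_chain() are assumptions made for illustration; the accepted key sizes are those defined by the algorithms themselves, not checks documented for the framework.

```c
#include <stddef.h>

/* Stand-in values; a kernel consumer gets the real ones from the opencrypto headers. */
enum { CRYPTO_DES_CBC = 1, CRYPTO_3DES_CBC, CRYPTO_MD5_HMAC, CRYPTO_SHA1_HMAC, CRYPTO_AES_CBC };

/* Userland model of the fields described above (types are assumptions). */
struct cryptoini {
    int cri_alg;                  /* algorithm identifier */
    int cri_klen;                 /* key length in BITS, not bytes */
    int cri_rnd;                  /* rounds, for variable-round algorithms */
    const unsigned char *cri_key; /* key material */
    unsigned char cri_iv[16];     /* ignored during session initialization */
    struct cryptoini *cri_next;   /* next algorithm of a multi-algorithm session */
};
#define CRI_MAX_CHAIN 4           /* hypothetical bound; also stops cyclic chains */

/* Returns 0 if klen (bits) is a size the algorithm defines, -1 otherwise. */
static int cri_klen_ok(int alg, int klen)
{
    switch (alg) {
    case CRYPTO_DES_CBC:   return klen == 64 ? 0 : -1;
    case CRYPTO_3DES_CBC:  return klen == 192 ? 0 : -1;
    case CRYPTO_AES_CBC:   return (klen == 128 || klen == 192 || klen == 256) ? 0 : -1;
    case CRYPTO_MD5_HMAC:
    case CRYPTO_SHA1_HMAC: return (klen > 0 && klen % 8 == 0) ? 0 : -1;
    default:               return -1;   /* algorithm not modelled here */
    }
}

/* Walks the cri_next chain; returns the element count, or -1 on any defect. */
int cri_chain_check(const struct cryptoini *cri)
{
    int n = 0;
    for (; cri != NULL; cri = cri->cri_next) {
        if (++n > CRI_MAX_CHAIN) return -1;           /* too long or cyclic */
        if (cri->cri_key == NULL) return -1;          /* no key supplied */
        if (cri_klen_ok(cri->cri_alg, cri->cri_klen) != 0) return -1;
    }
    return n > 0 ? n : -1;
}

/* Constructed ESP-style session: AES-CBC chained to SHA1-HMAC via cri_next. */
int demo_esp_chain(int aes_klen)
{
    static const unsigned char ekey[16] = {0}, akey[20] = {0}; /* constructed keys */
    struct cryptoini auth = { CRYPTO_SHA1_HMAC, 160, 0, akey, {0}, NULL };
    struct cryptoini enc  = { CRYPTO_AES_CBC, aes_klen, 0, ekey, {0}, &auth };
    return cri_chain_check(&enc);
}

int main(void) { return demo_esp_chain(128) == 2 ? 0 : 1; }
```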
