aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohn Baldwin <jhb@FreeBSD.org>2021-02-18 17:24:26 +0000
committerJohn Baldwin <jhb@FreeBSD.org>2021-02-18 17:30:13 +0000
commit4dd6800e22b08fa1f756115600e9436818abb168 (patch)
tree8f9e532c6d70829e08854ab6dd0967514f950c44
parent9c64fc40290e08f6dc6b75aa04084b04e48a61af (diff)
downloadsrc-4dd6800e22b08fa1f756115600e9436818abb168.tar.gz
src-4dd6800e22b08fa1f756115600e9436818abb168.zip
Add Chacha20-Poly1305 support in the OCF backend for KTLS.
This supports Chacha20-Poly1305 for both send and receive for TLS 1.2 and for send in TLS 1.3. Reviewed by: gallatin Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D27841
-rw-r--r--sys/opencrypto/ktls_ocf.c116
1 files changed, 95 insertions, 21 deletions
diff --git a/sys/opencrypto/ktls_ocf.c b/sys/opencrypto/ktls_ocf.c
index 28c55257b047..fd4a230fedea 100644
--- a/sys/opencrypto/ktls_ocf.c
+++ b/sys/opencrypto/ktls_ocf.c
@@ -87,11 +87,21 @@ SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls12_gcm_crypts,
CTLFLAG_RD, &ocf_tls12_gcm_crypts,
"Total number of OCF TLS 1.2 GCM encryption operations");
+static COUNTER_U64_DEFINE_EARLY(ocf_tls12_chacha20_crypts);
+SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls12_chacha20_crypts,
+ CTLFLAG_RD, &ocf_tls12_chacha20_crypts,
+ "Total number of OCF TLS 1.2 Chacha20-Poly1305 encryption operations");
+
static COUNTER_U64_DEFINE_EARLY(ocf_tls13_gcm_crypts);
SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls13_gcm_crypts,
CTLFLAG_RD, &ocf_tls13_gcm_crypts,
"Total number of OCF TLS 1.3 GCM encryption operations");
+static COUNTER_U64_DEFINE_EARLY(ocf_tls13_chacha20_crypts);
+SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls13_chacha20_crypts,
+ CTLFLAG_RD, &ocf_tls13_chacha20_crypts,
+ "Total number of OCF TLS 1.3 Chacha20-Poly1305 encryption operations");
+
static COUNTER_U64_DEFINE_EARLY(ocf_inplace);
SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, inplace,
CTLFLAG_RD, &ocf_inplace,
@@ -326,7 +336,7 @@ ktls_ocf_tls_cbc_encrypt(struct ktls_session *tls,
}
static int
-ktls_ocf_tls12_gcm_encrypt(struct ktls_session *tls,
+ktls_ocf_tls12_aead_encrypt(struct ktls_session *tls,
const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov,
struct iovec *outiov, int iovcnt, uint64_t seqno,
uint8_t record_type __unused)
@@ -357,12 +367,26 @@ ktls_ocf_tls12_gcm_encrypt(struct ktls_session *tls,
crypto_initreq(&crp, os->sid);
/* Setup the IV. */
- memcpy(crp.crp_iv, tls->params.iv, TLS_AEAD_GCM_LEN);
- memcpy(crp.crp_iv + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t));
+ if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) {
+ memcpy(crp.crp_iv, tls->params.iv, TLS_AEAD_GCM_LEN);
+ memcpy(crp.crp_iv + TLS_AEAD_GCM_LEN, hdr + 1,
+ sizeof(uint64_t));
+ } else {
+ /*
+ * Chacha20-Poly1305 constructs the IV for TLS 1.2
+ * identically to constructing the IV for AEAD in TLS
+ * 1.3.
+ */
+ memcpy(crp.crp_iv, tls->params.iv, tls->params.iv_len);
+ *(uint64_t *)(crp.crp_iv + 4) ^= htobe64(seqno);
+ }
/* Setup the AAD. */
- tls_comp_len = ntohs(hdr->tls_length) -
- (AES_GMAC_HASH_LEN + sizeof(uint64_t));
+ if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16)
+ tls_comp_len = ntohs(hdr->tls_length) -
+ (AES_GMAC_HASH_LEN + sizeof(uint64_t));
+ else
+ tls_comp_len = ntohs(hdr->tls_length) - POLY1305_HASH_LEN;
ad.seq = htobe64(seqno);
ad.type = hdr->tls_type;
ad.tls_vmajor = hdr->tls_vmajor;
@@ -402,7 +426,10 @@ ktls_ocf_tls12_gcm_encrypt(struct ktls_session *tls,
if (!inplace)
crypto_use_output_uio(&crp, &out_uio);
- counter_u64_add(ocf_tls12_gcm_crypts, 1);
+ if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16)
+ counter_u64_add(ocf_tls12_gcm_crypts, 1);
+ else
+ counter_u64_add(ocf_tls12_chacha20_crypts, 1);
if (inplace)
counter_u64_add(ocf_inplace, 1);
else
@@ -414,7 +441,7 @@ ktls_ocf_tls12_gcm_encrypt(struct ktls_session *tls,
}
static int
-ktls_ocf_tls12_gcm_decrypt(struct ktls_session *tls,
+ktls_ocf_tls12_aead_decrypt(struct ktls_session *tls,
const struct tls_record_layer *hdr, struct mbuf *m, uint64_t seqno,
int *trailer_len)
{
@@ -433,12 +460,26 @@ ktls_ocf_tls12_gcm_decrypt(struct ktls_session *tls,
crypto_initreq(&crp, os->sid);
/* Setup the IV. */
- memcpy(crp.crp_iv, tls->params.iv, TLS_AEAD_GCM_LEN);
- memcpy(crp.crp_iv + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t));
+ if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) {
+ memcpy(crp.crp_iv, tls->params.iv, TLS_AEAD_GCM_LEN);
+ memcpy(crp.crp_iv + TLS_AEAD_GCM_LEN, hdr + 1,
+ sizeof(uint64_t));
+ } else {
+ /*
+ * Chacha20-Poly1305 constructs the IV for TLS 1.2
+ * identically to constructing the IV for AEAD in TLS
+ * 1.3.
+ */
+ memcpy(crp.crp_iv, tls->params.iv, tls->params.iv_len);
+ *(uint64_t *)(crp.crp_iv + 4) ^= htobe64(seqno);
+ }
/* Setup the AAD. */
- tls_comp_len = ntohs(hdr->tls_length) -
- (AES_GMAC_HASH_LEN + sizeof(uint64_t));
+ if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16)
+ tls_comp_len = ntohs(hdr->tls_length) -
+ (AES_GMAC_HASH_LEN + sizeof(uint64_t));
+ else
+ tls_comp_len = ntohs(hdr->tls_length) - POLY1305_HASH_LEN;
ad.seq = htobe64(seqno);
ad.type = hdr->tls_type;
ad.tls_vmajor = hdr->tls_vmajor;
@@ -455,7 +496,10 @@ ktls_ocf_tls12_gcm_decrypt(struct ktls_session *tls,
crp.crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE;
crypto_use_mbuf(&crp, m);
- counter_u64_add(ocf_tls12_gcm_crypts, 1);
+ if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16)
+ counter_u64_add(ocf_tls12_gcm_crypts, 1);
+ else
+ counter_u64_add(ocf_tls12_chacha20_crypts, 1);
error = ktls_ocf_dispatch(os, &crp);
crypto_destroyreq(&crp);
@@ -464,7 +508,7 @@ ktls_ocf_tls12_gcm_decrypt(struct ktls_session *tls,
}
static int
-ktls_ocf_tls13_gcm_encrypt(struct ktls_session *tls,
+ktls_ocf_tls13_aead_encrypt(struct ktls_session *tls,
const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov,
struct iovec *outiov, int iovcnt, uint64_t seqno, uint8_t record_type)
{
@@ -514,11 +558,11 @@ ktls_ocf_tls13_gcm_encrypt(struct ktls_session *tls,
*/
memcpy(iov, iniov, iovcnt * sizeof(*iov));
iov[iovcnt].iov_base = trailer;
- iov[iovcnt].iov_len = AES_GMAC_HASH_LEN + 1;
+ iov[iovcnt].iov_len = tls->params.tls_tlen;
uio.uio_iov = iov;
uio.uio_iovcnt = iovcnt + 1;
uio.uio_offset = 0;
- uio.uio_resid = crp.crp_payload_length + AES_GMAC_HASH_LEN;
+ uio.uio_resid = crp.crp_payload_length + tls->params.tls_tlen - 1;
uio.uio_segflg = UIO_SYSSPACE;
uio.uio_td = curthread;
crypto_use_uio(&crp, &uio);
@@ -532,7 +576,7 @@ ktls_ocf_tls13_gcm_encrypt(struct ktls_session *tls,
out_uio.uio_iovcnt = iovcnt + 1;
out_uio.uio_offset = 0;
out_uio.uio_resid = crp.crp_payload_length +
- AES_GMAC_HASH_LEN;
+ tls->params.tls_tlen - 1;
out_uio.uio_segflg = UIO_SYSSPACE;
out_uio.uio_td = curthread;
crypto_use_output_uio(&crp, &out_uio);
@@ -543,7 +587,10 @@ ktls_ocf_tls13_gcm_encrypt(struct ktls_session *tls,
memcpy(crp.crp_iv, nonce, sizeof(nonce));
- counter_u64_add(ocf_tls13_gcm_crypts, 1);
+ if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16)
+ counter_u64_add(ocf_tls13_gcm_crypts, 1);
+ else
+ counter_u64_add(ocf_tls13_chacha20_crypts, 1);
if (inplace)
counter_u64_add(ocf_inplace, 1);
else
@@ -651,6 +698,32 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls, int direction)
mac_csp.csp_auth_key = tls->params.auth_key;
mac_csp.csp_auth_klen = tls->params.auth_key_len;
break;
+ case CRYPTO_CHACHA20_POLY1305:
+ switch (tls->params.cipher_key_len) {
+ case 256 / 8:
+ break;
+ default:
+ return (EINVAL);
+ }
+
+ /* Only TLS 1.2 and 1.3 are supported. */
+ if (tls->params.tls_vmajor != TLS_MAJOR_VER_ONE ||
+ tls->params.tls_vminor < TLS_MINOR_VER_TWO ||
+ tls->params.tls_vminor > TLS_MINOR_VER_THREE)
+ return (EPROTONOSUPPORT);
+
+ /* TLS 1.3 is not yet supported for receive. */
+ if (direction == KTLS_RX &&
+ tls->params.tls_vminor == TLS_MINOR_VER_THREE)
+ return (EPROTONOSUPPORT);
+
+ csp.csp_flags |= CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD;
+ csp.csp_mode = CSP_MODE_AEAD;
+ csp.csp_cipher_alg = CRYPTO_CHACHA20_POLY1305;
+ csp.csp_cipher_key = tls->params.cipher_key;
+ csp.csp_cipher_klen = tls->params.cipher_key_len;
+ csp.csp_ivlen = CHACHA20_POLY1305_IV_LEN;
+ break;
default:
return (EPROTONOSUPPORT);
}
@@ -679,14 +752,15 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls, int direction)
mtx_init(&os->lock, "ktls_ocf", NULL, MTX_DEF);
tls->cipher = os;
- if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) {
+ if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16 ||
+ tls->params.cipher_algorithm == CRYPTO_CHACHA20_POLY1305) {
if (direction == KTLS_TX) {
if (tls->params.tls_vminor == TLS_MINOR_VER_THREE)
- tls->sw_encrypt = ktls_ocf_tls13_gcm_encrypt;
+ tls->sw_encrypt = ktls_ocf_tls13_aead_encrypt;
else
- tls->sw_encrypt = ktls_ocf_tls12_gcm_encrypt;
+ tls->sw_encrypt = ktls_ocf_tls12_aead_encrypt;
} else {
- tls->sw_decrypt = ktls_ocf_tls12_gcm_decrypt;
+ tls->sw_decrypt = ktls_ocf_tls12_aead_decrypt;
}
} else {
tls->sw_encrypt = ktls_ocf_tls_cbc_encrypt;