From nobody Wed Oct 25 00:41:47 2023 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4SFVVg5DY0z4xlFy; Wed, 25 Oct 2023 00:41:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4SFVVg2FYSz3Rt8; Wed, 25 Oct 2023 00:41:47 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1698194507; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=+k8bpUA+jG51KXZ3IwtUFrn/WxC8dnAwcb9z9EmPGdw=; b=RW5Ngr69DbRZvxsC9Cawckr1H9QJRaCDzbhwtqeJ6UGS5g6xLF0jlSEpRa/suS4y5yXjyB 1cTOxxkWwJhoOslEPLJUqvyTraXToFykREawKBdRgQ41fqZXNnAnYuxzgDhFgbczmJrsur avBheHHBon/39JyfvGER4G8oH1FL1H/gLaQdbsFqjsAhVPNMhquVTWO3+NNuctauZ+s40S 2CENhZkb8AhxVHBMmfyElTuAMDiA/3wIBgG+22vU/zGkKH4qVnMto3hc960+S84US6Bf8/ mpnIVjAi6XKBs8s3v5AS+0t2pCeLaEz78VuaXf43XzWo+e9aCZntTkxkxUYwZQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1698194507; a=rsa-sha256; cv=none; b=rqJiTgj5IMmpxu8iTVJvylTCeprkvfdgLnl18K9noBCnK0mni03lptEsrNfxRsQuzcA396 rEHyOoLMhatnxIov2Um6IcpjNENJ20rfqbhQMQRfNQIjDq/fvvlDgaD8W2FJ/thW/B4RTZ grqVtvY38bUIgXUNVunmtIkGNeNJiBYSgCa0vDQVycQrWjQvbg1wqrF+1ezigRRZzBHcXr yydhV/u20Ep6nzAig1LbnGUopzaOo6PmzdX5Hqww8CwNtpFBvuzIH1vX+eJoqj3hyGs5vS Bkdkrg3z0qO3wCWAfaulxIT73ItB/O3QN8QkMG6CsXxYncOOZBLjM8eipXN/aw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1698194507; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=+k8bpUA+jG51KXZ3IwtUFrn/WxC8dnAwcb9z9EmPGdw=; b=yRNrcuK/TIgMoEigHvoRZ1nQh31+iVixzCGNZPX2iiCifSj5LPJ9NAEK2CuXgQrBJPa6HG SnUQ4LOJZ0TKzUw09jU4QO/tR6hx0HYbXIgyU6F+j7/xUt1iXLqOBxsn6B2m5g0l/kxCbQ kfnjbYj7zKUS4ckCi2LPcDOVWQKh21RwQ6FTfukstcH68K8BpBwcGguTF49JmcR8GCsFid 5ACKigmleOGZoDjb3mL/1MH1alBMioDOhu7ddee2yDfIg/HPF1W5oHceNhvkNwfwfqVRdC rxaYYIZR6xKnY99TxPF0u8wLwuXrZf2piKkIlUqKGVjU2SAOabA4HHNsOqFv+g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4SFVVg1LqQzkkC; Wed, 25 Oct 2023 00:41:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 39P0flgJ005765; Wed, 25 Oct 2023 00:41:47 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 39P0flTm005762; Wed, 25 Oct 2023 00:41:47 GMT (envelope-from git) Date: Wed, 25 Oct 2023 00:41:47 GMT Message-Id: <202310250041.39P0flTm005762@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: John Baldwin Subject: git: 1c8967e3bd76 - releng/14.0 - KTLS: Check for unprocessed receive records in ktls_configure_crypto. List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jhb X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.0 X-Git-Reftype: branch X-Git-Commit: 1c8967e3bd769c377907f7cf246150e870bd79d8 Auto-Submitted: auto-generated The branch releng/14.0 has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=1c8967e3bd769c377907f7cf246150e870bd79d8 commit 1c8967e3bd769c377907f7cf246150e870bd79d8 Author: John Baldwin AuthorDate: 2022-02-24 18:12:07 +0000 Commit: John Baldwin CommitDate: 2023-10-24 19:28:28 +0000 KTLS: Check for unprocessed receive records in ktls_configure_crypto. KTLS implementations currently assume that the start of the in-kernel socket buffer is aligned with the start of a TLS record for the receive side. The socket option to enable KTLS specifies the TLS sequence number of this initial record. When read ahead is enabled, data can be pending in the SSL read buffer after negotiating session keys. This pending data must be examined to ensurs that the kernel's socket buffer does not contain a partial TLS record as well as to determine the correct sequence number of the first TLS record to be processed by the kernel. In preparation for enabling receive kernel offload for TLS 1.3, move the existing logic to handle read ahead from t1_enc.c into ktls.c and invoke it from ktls_configure_crypto(). Obtained from: OpenSSL commit 85773128d0e80cd8dcc772a6931d385b8cf4acd1 (cherry picked from commit eee55a22b20214ca41cd6b1bbea79b863c8c11ac) (cherry picked from commit 400229e8d97cda4e198c5640dca6a0a6b70a659e) Approved by: re (gjb) --- crypto/openssl/ssl/ktls.c | 100 ++++++++++++++++++++++++++++++++++------- crypto/openssl/ssl/ssl_local.h | 4 +- crypto/openssl/ssl/t1_enc.c | 66 ++------------------------- crypto/openssl/ssl/tls13_enc.c | 3 +- 4 files changed, 91 insertions(+), 82 deletions(-) diff --git a/crypto/openssl/ssl/ktls.c b/crypto/openssl/ssl/ktls.c index daa758294a4c..28bb62d236ab 100644 --- a/crypto/openssl/ssl/ktls.c +++ b/crypto/openssl/ssl/ktls.c @@ -10,6 +10,67 @@ #include "ssl_local.h" #include "internal/ktls.h" +#ifndef OPENSSL_NO_KTLS_RX + /* + * Count the number of records that were not processed yet from record boundary. + * + * This function assumes that there are only fully formed records read in the + * record layer. If read_ahead is enabled, then this might be false and this + * function will fail. + */ +static int count_unprocessed_records(SSL *s) +{ + SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); + PACKET pkt, subpkt; + int count = 0; + + if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) + return -1; + + while (PACKET_remaining(&pkt) > 0) { + /* Skip record type and version */ + if (!PACKET_forward(&pkt, 3)) + return -1; + + /* Read until next record */ + if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) + return -1; + + count += 1; + } + + return count; +} + +/* + * The kernel cannot offload receive if a partial TLS record has been read. + * Check the read buffer for unprocessed records. If the buffer contains a + * partial record, fail and return 0. Otherwise, update the sequence + * number at *rec_seq for the count of unprocessed records and return 1. + */ +static int check_rx_read_ahead(SSL *s, unsigned char *rec_seq) +{ + int bit, count_unprocessed; + + count_unprocessed = count_unprocessed_records(s); + if (count_unprocessed < 0) + return 0; + + /* increment the crypto_info record sequence */ + while (count_unprocessed) { + for (bit = 7; bit >= 0; bit--) { /* increment */ + ++rec_seq[bit]; + if (rec_seq[bit] != 0) + break; + } + count_unprocessed--; + + } + + return 1; +} +#endif + #if defined(__FreeBSD__) # include "crypto/cryptodev.h" @@ -59,9 +120,9 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, } /* Function to configure kernel TLS structure */ -int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, +int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, void *rl_sequence, ktls_crypto_info_t *crypto_info, - unsigned char **rec_seq, unsigned char *iv, + int is_tx, unsigned char *iv, unsigned char *key, unsigned char *mac_key, size_t mac_secret_size) { @@ -114,11 +175,11 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, crypto_info->tls_vminor = (s->version & 0x000000ff); # ifdef TCP_RXTLS_ENABLE memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq)); - if (rec_seq != NULL) - *rec_seq = crypto_info->rec_seq; + if (!is_tx && !check_rx_read_ahead(s, crypto_info->rec_seq)) + return 0; # else - if (rec_seq != NULL) - *rec_seq = NULL; + if (!is_tx) + return 0; # endif return 1; }; @@ -167,15 +228,20 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, } /* Function to configure kernel TLS structure */ -int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, +int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, void *rl_sequence, ktls_crypto_info_t *crypto_info, - unsigned char **rec_seq, unsigned char *iv, + int is_tx, unsigned char *iv, unsigned char *key, unsigned char *mac_key, size_t mac_secret_size) { unsigned char geniv[12]; unsigned char *iiv = iv; +# ifdef OPENSSL_NO_KTLS_RX + if (!is_tx) + return 0; +# endif + if (s->version == TLS1_2_VERSION && EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) { if (!EVP_CIPHER_CTX_get_updated_iv(dd, geniv, @@ -199,8 +265,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_get_key_length(c)); memcpy(crypto_info->gcm128.rec_seq, rl_sequence, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); - if (rec_seq != NULL) - *rec_seq = crypto_info->gcm128.rec_seq; + if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm128.rec_seq)) + return 0; return 1; # endif # ifdef OPENSSL_KTLS_AES_GCM_256 @@ -214,8 +280,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_get_key_length(c)); memcpy(crypto_info->gcm256.rec_seq, rl_sequence, TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); - if (rec_seq != NULL) - *rec_seq = crypto_info->gcm256.rec_seq; + if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm256.rec_seq)) + return 0; return 1; # endif # ifdef OPENSSL_KTLS_AES_CCM_128 @@ -229,8 +295,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_get_key_length(c)); memcpy(crypto_info->ccm128.rec_seq, rl_sequence, TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); - if (rec_seq != NULL) - *rec_seq = crypto_info->ccm128.rec_seq; + if (!is_tx && !check_rx_read_ahead(s, crypto_info->ccm128.rec_seq)) + return 0; return 1; # endif # ifdef OPENSSL_KTLS_CHACHA20_POLY1305 @@ -244,8 +310,10 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, EVP_CIPHER_get_key_length(c)); memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence, TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); - if (rec_seq != NULL) - *rec_seq = crypto_info->chacha20poly1305.rec_seq; + if (!is_tx + && !check_rx_read_ahead(s, + crypto_info->chacha20poly1305.rec_seq)) + return 0; return 1; # endif default: diff --git a/crypto/openssl/ssl/ssl_local.h b/crypto/openssl/ssl/ssl_local.h index 5fb1feb80163..bb5816024a17 100644 --- a/crypto/openssl/ssl/ssl_local.h +++ b/crypto/openssl/ssl/ssl_local.h @@ -2762,9 +2762,9 @@ __owur int ssl_log_secret(SSL *ssl, const char *label, /* ktls.c */ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, const EVP_CIPHER_CTX *dd); -int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, +int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, void *rl_sequence, ktls_crypto_info_t *crypto_info, - unsigned char **rec_seq, unsigned char *iv, + int is_tx, unsigned char *iv, unsigned char *key, unsigned char *mac_key, size_t mac_secret_size); # endif diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c index 91238e6457b8..26182a1cd6eb 100644 --- a/crypto/openssl/ssl/t1_enc.c +++ b/crypto/openssl/ssl/t1_enc.c @@ -98,42 +98,6 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num) return ret; } -#ifndef OPENSSL_NO_KTLS - /* - * Count the number of records that were not processed yet from record boundary. - * - * This function assumes that there are only fully formed records read in the - * record layer. If read_ahead is enabled, then this might be false and this - * function will fail. - */ -# ifndef OPENSSL_NO_KTLS_RX -static int count_unprocessed_records(SSL *s) -{ - SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); - PACKET pkt, subpkt; - int count = 0; - - if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) - return -1; - - while (PACKET_remaining(&pkt) > 0) { - /* Skip record type and version */ - if (!PACKET_forward(&pkt, 3)) - return -1; - - /* Read until next record */ - if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) - return -1; - - count += 1; - } - - return count; -} -# endif -#endif - - int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx, const EVP_CIPHER *ciph, const EVP_MD *md) @@ -201,12 +165,7 @@ int tls1_change_cipher_state(SSL *s, int which) int reuse_dd = 0; #ifndef OPENSSL_NO_KTLS ktls_crypto_info_t crypto_info; - unsigned char *rec_seq; void *rl_sequence; -# ifndef OPENSSL_NO_KTLS_RX - int count_unprocessed; - int bit; -# endif BIO *bio; #endif @@ -473,30 +432,11 @@ int tls1_change_cipher_state(SSL *s, int which) else rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); - if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, &rec_seq, - iv, key, ms, *mac_secret_size)) + if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, + which & SSL3_CC_WRITE, iv, key, ms, + *mac_secret_size)) goto skip_ktls; - if (which & SSL3_CC_READ) { -# ifndef OPENSSL_NO_KTLS_RX - count_unprocessed = count_unprocessed_records(s); - if (count_unprocessed < 0) - goto skip_ktls; - - /* increment the crypto_info record sequence */ - while (count_unprocessed) { - for (bit = 7; bit >= 0; bit--) { /* increment */ - ++rec_seq[bit]; - if (rec_seq[bit] != 0) - break; - } - count_unprocessed--; - } -# else - goto skip_ktls; -# endif - } - /* ktls works with user provided buffers directly */ if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { if (which & SSL3_CC_WRITE) diff --git a/crypto/openssl/ssl/tls13_enc.c b/crypto/openssl/ssl/tls13_enc.c index ddcff5eb8911..861ecdf91701 100644 --- a/crypto/openssl/ssl/tls13_enc.c +++ b/crypto/openssl/ssl/tls13_enc.c @@ -723,7 +723,8 @@ int tls13_change_cipher_state(SSL *s, int which) /* configure kernel crypto structure */ if (!ktls_configure_crypto(s, cipher, ciph_ctx, RECORD_LAYER_get_write_sequence(&s->rlayer), - &crypto_info, NULL, iv, key, NULL, 0)) + &crypto_info, which & SSL3_CC_WRITE, iv, key, + NULL, 0)) goto skip_ktls; /* ktls works with user provided buffers directly */