Date: Tue, 23 Nov 2021 23:12:47 GMT From: John Baldwin <jhb@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 98641c00a3ae - stable/13 - Add Chacha20-Poly1305 support in the OCF backend for KTLS. Message-ID: <202111232312.1ANNClBV037536@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=98641c00a3aef5d82da653b9a50c734fb4b08d87 commit 98641c00a3aef5d82da653b9a50c734fb4b08d87 Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2021-02-18 17:24:26 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2021-11-23 23:11:44 +0000 Add Chacha20-Poly1305 support in the OCF backend for KTLS. This supports Chacha20-Poly1305 for both send and receive for TLS 1.2 and for send in TLS 1.3. Reviewed by: gallatin Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D27841 (cherry picked from commit 4dd6800e22b08fa1f756115600e9436818abb168) --- sys/opencrypto/ktls_ocf.c | 116 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 95 insertions(+), 21 deletions(-) diff --git a/sys/opencrypto/ktls_ocf.c b/sys/opencrypto/ktls_ocf.c index 7f9ece99ccb1..1d5dce83b376 100644 --- a/sys/opencrypto/ktls_ocf.c +++ b/sys/opencrypto/ktls_ocf.c @@ -87,11 +87,21 @@ SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls12_gcm_crypts, CTLFLAG_RD, &ocf_tls12_gcm_crypts, "Total number of OCF TLS 1.2 GCM encryption operations"); +static COUNTER_U64_DEFINE_EARLY(ocf_tls12_chacha20_crypts); +SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls12_chacha20_crypts, + CTLFLAG_RD, &ocf_tls12_chacha20_crypts, + "Total number of OCF TLS 1.2 Chacha20-Poly1305 encryption operations"); + static COUNTER_U64_DEFINE_EARLY(ocf_tls13_gcm_crypts); SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls13_gcm_crypts, CTLFLAG_RD, &ocf_tls13_gcm_crypts, "Total number of OCF TLS 1.3 GCM encryption operations"); +static COUNTER_U64_DEFINE_EARLY(ocf_tls13_chacha20_crypts); +SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls13_chacha20_crypts, + CTLFLAG_RD, &ocf_tls13_chacha20_crypts, + "Total number of OCF TLS 1.3 Chacha20-Poly1305 encryption operations"); + static COUNTER_U64_DEFINE_EARLY(ocf_inplace); SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, inplace, CTLFLAG_RD, &ocf_inplace, @@ -315,7 +325,7 @@ ktls_ocf_tls_cbc_encrypt(struct ktls_session *tls, } static int -ktls_ocf_tls12_gcm_encrypt(struct ktls_session *tls, +ktls_ocf_tls12_aead_encrypt(struct ktls_session *tls, const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov, struct iovec *outiov, int iovcnt, uint64_t seqno, uint8_t record_type __unused) @@ -346,12 +356,26 @@ ktls_ocf_tls12_gcm_encrypt(struct ktls_session *tls, crypto_initreq(&crp, os->sid); /* Setup the IV. */ - memcpy(crp.crp_iv, tls->params.iv, TLS_AEAD_GCM_LEN); - memcpy(crp.crp_iv + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t)); + if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) { + memcpy(crp.crp_iv, tls->params.iv, TLS_AEAD_GCM_LEN); + memcpy(crp.crp_iv + TLS_AEAD_GCM_LEN, hdr + 1, + sizeof(uint64_t)); + } else { + /* + * Chacha20-Poly1305 constructs the IV for TLS 1.2 + * identically to constructing the IV for AEAD in TLS + * 1.3. + */ + memcpy(crp.crp_iv, tls->params.iv, tls->params.iv_len); + *(uint64_t *)(crp.crp_iv + 4) ^= htobe64(seqno); + } /* Setup the AAD. */ - tls_comp_len = ntohs(hdr->tls_length) - - (AES_GMAC_HASH_LEN + sizeof(uint64_t)); + if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) + tls_comp_len = ntohs(hdr->tls_length) - + (AES_GMAC_HASH_LEN + sizeof(uint64_t)); + else + tls_comp_len = ntohs(hdr->tls_length) - POLY1305_HASH_LEN; ad.seq = htobe64(seqno); ad.type = hdr->tls_type; ad.tls_vmajor = hdr->tls_vmajor; @@ -391,7 +415,10 @@ ktls_ocf_tls12_gcm_encrypt(struct ktls_session *tls, if (!inplace) crypto_use_output_uio(&crp, &out_uio); - counter_u64_add(ocf_tls12_gcm_crypts, 1); + if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) + counter_u64_add(ocf_tls12_gcm_crypts, 1); + else + counter_u64_add(ocf_tls12_chacha20_crypts, 1); if (inplace) counter_u64_add(ocf_inplace, 1); else @@ -403,7 +430,7 @@ ktls_ocf_tls12_gcm_encrypt(struct ktls_session *tls, } static int -ktls_ocf_tls12_gcm_decrypt(struct ktls_session *tls, +ktls_ocf_tls12_aead_decrypt(struct ktls_session *tls, const struct tls_record_layer *hdr, struct mbuf *m, uint64_t seqno, int *trailer_len) { @@ -422,12 +449,26 @@ ktls_ocf_tls12_gcm_decrypt(struct ktls_session *tls, crypto_initreq(&crp, os->sid); /* Setup the IV. */ - memcpy(crp.crp_iv, tls->params.iv, TLS_AEAD_GCM_LEN); - memcpy(crp.crp_iv + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t)); + if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) { + memcpy(crp.crp_iv, tls->params.iv, TLS_AEAD_GCM_LEN); + memcpy(crp.crp_iv + TLS_AEAD_GCM_LEN, hdr + 1, + sizeof(uint64_t)); + } else { + /* + * Chacha20-Poly1305 constructs the IV for TLS 1.2 + * identically to constructing the IV for AEAD in TLS + * 1.3. + */ + memcpy(crp.crp_iv, tls->params.iv, tls->params.iv_len); + *(uint64_t *)(crp.crp_iv + 4) ^= htobe64(seqno); + } /* Setup the AAD. */ - tls_comp_len = ntohs(hdr->tls_length) - - (AES_GMAC_HASH_LEN + sizeof(uint64_t)); + if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) + tls_comp_len = ntohs(hdr->tls_length) - + (AES_GMAC_HASH_LEN + sizeof(uint64_t)); + else + tls_comp_len = ntohs(hdr->tls_length) - POLY1305_HASH_LEN; ad.seq = htobe64(seqno); ad.type = hdr->tls_type; ad.tls_vmajor = hdr->tls_vmajor; @@ -444,7 +485,10 @@ ktls_ocf_tls12_gcm_decrypt(struct ktls_session *tls, crp.crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE; crypto_use_mbuf(&crp, m); - counter_u64_add(ocf_tls12_gcm_crypts, 1); + if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) + counter_u64_add(ocf_tls12_gcm_crypts, 1); + else + counter_u64_add(ocf_tls12_chacha20_crypts, 1); error = ktls_ocf_dispatch(os, &crp); crypto_destroyreq(&crp); @@ -453,7 +497,7 @@ ktls_ocf_tls12_gcm_decrypt(struct ktls_session *tls, } static int -ktls_ocf_tls13_gcm_encrypt(struct ktls_session *tls, +ktls_ocf_tls13_aead_encrypt(struct ktls_session *tls, const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov, struct iovec *outiov, int iovcnt, uint64_t seqno, uint8_t record_type) { @@ -503,11 +547,11 @@ ktls_ocf_tls13_gcm_encrypt(struct ktls_session *tls, */ memcpy(iov, iniov, iovcnt * sizeof(*iov)); iov[iovcnt].iov_base = trailer; - iov[iovcnt].iov_len = AES_GMAC_HASH_LEN + 1; + iov[iovcnt].iov_len = tls->params.tls_tlen; uio.uio_iov = iov; uio.uio_iovcnt = iovcnt + 1; uio.uio_offset = 0; - uio.uio_resid = crp.crp_payload_length + AES_GMAC_HASH_LEN; + uio.uio_resid = crp.crp_payload_length + tls->params.tls_tlen - 1; uio.uio_segflg = UIO_SYSSPACE; uio.uio_td = curthread; crypto_use_uio(&crp, &uio); @@ -521,7 +565,7 @@ ktls_ocf_tls13_gcm_encrypt(struct ktls_session *tls, out_uio.uio_iovcnt = iovcnt + 1; out_uio.uio_offset = 0; out_uio.uio_resid = crp.crp_payload_length + - AES_GMAC_HASH_LEN; + tls->params.tls_tlen - 1; out_uio.uio_segflg = UIO_SYSSPACE; out_uio.uio_td = curthread; crypto_use_output_uio(&crp, &out_uio); @@ -532,7 +576,10 @@ ktls_ocf_tls13_gcm_encrypt(struct ktls_session *tls, memcpy(crp.crp_iv, nonce, sizeof(nonce)); - counter_u64_add(ocf_tls13_gcm_crypts, 1); + if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) + counter_u64_add(ocf_tls13_gcm_crypts, 1); + else + counter_u64_add(ocf_tls13_chacha20_crypts, 1); if (inplace) counter_u64_add(ocf_inplace, 1); else @@ -640,6 +687,32 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls, int direction) mac_csp.csp_auth_key = tls->params.auth_key; mac_csp.csp_auth_klen = tls->params.auth_key_len; break; + case CRYPTO_CHACHA20_POLY1305: + switch (tls->params.cipher_key_len) { + case 256 / 8: + break; + default: + return (EINVAL); + } + + /* Only TLS 1.2 and 1.3 are supported. */ + if (tls->params.tls_vmajor != TLS_MAJOR_VER_ONE || + tls->params.tls_vminor < TLS_MINOR_VER_TWO || + tls->params.tls_vminor > TLS_MINOR_VER_THREE) + return (EPROTONOSUPPORT); + + /* TLS 1.3 is not yet supported for receive. */ + if (direction == KTLS_RX && + tls->params.tls_vminor == TLS_MINOR_VER_THREE) + return (EPROTONOSUPPORT); + + csp.csp_flags |= CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD; + csp.csp_mode = CSP_MODE_AEAD; + csp.csp_cipher_alg = CRYPTO_CHACHA20_POLY1305; + csp.csp_cipher_key = tls->params.cipher_key; + csp.csp_cipher_klen = tls->params.cipher_key_len; + csp.csp_ivlen = CHACHA20_POLY1305_IV_LEN; + break; default: return (EPROTONOSUPPORT); } @@ -668,14 +741,15 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls, int direction) mtx_init(&os->lock, "ktls_ocf", NULL, MTX_DEF); tls->cipher = os; - if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) { + if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16 || + tls->params.cipher_algorithm == CRYPTO_CHACHA20_POLY1305) { if (direction == KTLS_TX) { if (tls->params.tls_vminor == TLS_MINOR_VER_THREE) - tls->sw_encrypt = ktls_ocf_tls13_gcm_encrypt; + tls->sw_encrypt = ktls_ocf_tls13_aead_encrypt; else - tls->sw_encrypt = ktls_ocf_tls12_gcm_encrypt; + tls->sw_encrypt = ktls_ocf_tls12_aead_encrypt; } else { - tls->sw_decrypt = ktls_ocf_tls12_gcm_decrypt; + tls->sw_decrypt = ktls_ocf_tls12_aead_decrypt; } } else { tls->sw_encrypt = ktls_ocf_tls_cbc_encrypt;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202111232312.1ANNClBV037536>