Date: Tue, 23 Nov 2021 23:12:46 GMT
Message-Id: <202111232312.1ANNCkLH037512@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: John Baldwin
Subject: git: b7f27a60ac72 - stable/13 - Add Chacha20-Poly1305 as a KTLS cipher suite.
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: b7f27a60ac72c4d0f7740a6d48356c3fc68360d5

The branch stable/13 has been updated by jhb:

URL:
https://cgit.FreeBSD.org/src/commit/?id=b7f27a60ac72c4d0f7740a6d48356c3fc68360d5 commit b7f27a60ac72c4d0f7740a6d48356c3fc68360d5 Author: John Baldwin AuthorDate: 2021-02-18 17:23:59 +0000 Commit: John Baldwin CommitDate: 2021-11-23 23:11:44 +0000 Add Chacha20-Poly1305 as a KTLS cipher suite. Chacha20-Poly1305 for TLS is an AEAD cipher suite for both TLS 1.2 and TLS 1.3 (RFCs 7905 and 8446). For both versions, Chacha20 uses the server and client IVs as implicit nonces xored with the record sequence number to generate the per-record nonce matching the construction used with AES-GCM for TLS 1.3. Reviewed by: gallatin Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D27839 (cherry picked from commit 9c64fc40290e08f6dc6b75aa04084b04e48a61af) --- sys/kern/uipc_ktls.c | 76 ++++++++++++++++++++++++++++++++++++++++++---------- sys/sys/ktls.h | 1 + 2 files changed, 63 insertions(+), 14 deletions(-) diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index 17c199230d0a..567d3d04a6f0 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -199,6 +199,11 @@ static COUNTER_U64_DEFINE_EARLY(ktls_sw_gcm); SYSCTL_COUNTER_U64(_kern_ipc_tls_sw, OID_AUTO, gcm, CTLFLAG_RD, &ktls_sw_gcm, "Active number of software TLS sessions using AES-GCM"); +static COUNTER_U64_DEFINE_EARLY(ktls_sw_chacha20); +SYSCTL_COUNTER_U64(_kern_ipc_tls_sw, OID_AUTO, chacha20, CTLFLAG_RD, + &ktls_sw_chacha20, + "Active number of software TLS sessions using Chacha20-Poly1305"); + static COUNTER_U64_DEFINE_EARLY(ktls_ifnet_cbc); SYSCTL_COUNTER_U64(_kern_ipc_tls_ifnet, OID_AUTO, cbc, CTLFLAG_RD, &ktls_ifnet_cbc, 
@@ -209,6 +214,11 @@ SYSCTL_COUNTER_U64(_kern_ipc_tls_ifnet, OID_AUTO, gcm, CTLFLAG_RD, &ktls_ifnet_gcm, "Active number of ifnet TLS sessions using AES-GCM"); +static COUNTER_U64_DEFINE_EARLY(ktls_ifnet_chacha20); +SYSCTL_COUNTER_U64(_kern_ipc_tls_ifnet, OID_AUTO, chacha20, CTLFLAG_RD, + &ktls_ifnet_chacha20, + "Active number of ifnet TLS sessions using Chacha20-Poly1305"); + static COUNTER_U64_DEFINE_EARLY(ktls_ifnet_reset); SYSCTL_COUNTER_U64(_kern_ipc_tls_ifnet, OID_AUTO, reset, CTLFLAG_RD, &ktls_ifnet_reset, "TLS sessions updated to a new ifnet send tag"); @@ -238,6 +248,11 @@ static COUNTER_U64_DEFINE_EARLY(ktls_toe_gcm); SYSCTL_COUNTER_U64(_kern_ipc_tls_toe, OID_AUTO, gcm, CTLFLAG_RD, &ktls_toe_gcm, "Active number of TOE TLS sessions using AES-GCM"); + +static counter_u64_t ktls_toe_chacha20; +SYSCTL_COUNTER_U64(_kern_ipc_tls_toe, OID_AUTO, chacha20, CTLFLAG_RD, + &ktls_toe_chacha20, + "Active number of TOE TLS sessions using Chacha20-Poly1305"); #endif static MALLOC_DEFINE(M_KTLS, "ktls", "Kernel TLS"); @@ -508,6 +523,15 @@ ktls_create_session(struct socket *so, struct tls_enable *en, if (en->auth_key_len == 0) return (EINVAL); break; + case CRYPTO_CHACHA20_POLY1305: + if (en->auth_algorithm != 0 || en->auth_key_len != 0) + return (EINVAL); + if (en->tls_vminor != TLS_MINOR_VER_TWO && + en->tls_vminor != TLS_MINOR_VER_THREE) + return (EINVAL); + if (en->iv_len != TLS_CHACHA20_IV_LEN) + return (EINVAL); + break; default: return (EINVAL); } @@ -539,15 +563,6 @@ ktls_create_session(struct socket *so, struct tls_enable *en, if (en->tls_vminor < TLS_MINOR_VER_THREE) tls->params.tls_hlen += sizeof(uint64_t); tls->params.tls_tlen = AES_GMAC_HASH_LEN; - - /* - * TLS 1.3 includes optional padding which we - * do not support, and also puts the "real" record - * type at the end of the encrypted data. - */ - if (en->tls_vminor == TLS_MINOR_VER_THREE) - tls->params.tls_tlen += sizeof(uint8_t); - tls->params.tls_bs = 1; break; case CRYPTO_AES_CBC: 
@@ -576,10 +591,25 @@ ktls_create_session(struct socket *so, struct tls_enable *en, } tls->params.tls_bs = AES_BLOCK_LEN; break; + case CRYPTO_CHACHA20_POLY1305: + /* + * Chacha20 uses a 12 byte implicit IV. + */ + tls->params.tls_tlen = POLY1305_HASH_LEN; + tls->params.tls_bs = 1; + break; default: panic("invalid cipher"); } + /* + * TLS 1.3 includes optional padding which we do not support, + * and also puts the "real" record type at the end of the + * encrypted data. + */ + if (en->tls_vminor == TLS_MINOR_VER_THREE) + tls->params.tls_tlen += sizeof(uint8_t); + KASSERT(tls->params.tls_hlen <= MBUF_PEXT_HDR_LEN, ("TLS header length too long: %d", tls->params.tls_hlen)); KASSERT(tls->params.tls_tlen <= MBUF_PEXT_TRAIL_LEN, @@ -603,9 +633,9 @@ ktls_create_session(struct socket *so, struct tls_enable *en, goto out; /* - * This holds the implicit portion of the nonce for GCM and - * the initial implicit IV for TLS 1.0. The explicit portions - * of the IV are generated in ktls_frame(). + * This holds the implicit portion of the nonce for AEAD + * ciphers and the initial implicit IV for TLS 1.0. The + * explicit portions of the IV are generated in ktls_frame(). */ if (en->iv_len != 0) { tls->params.iv_len = en->iv_len; @@ -614,8 +644,8 @@ ktls_create_session(struct socket *so, struct tls_enable *en, goto out; /* - * For TLS 1.2, generate an 8-byte nonce as a counter - * to generate unique explicit IVs. + * For TLS 1.2 with GCM, generate an 8-byte nonce as a + * counter to generate unique explicit IVs. * * Store this counter in the last 8 bytes of the IV * array so that it is 8-byte aligned. @@ -681,6 +711,9 @@ ktls_cleanup(struct ktls_session *tls) case CRYPTO_AES_NIST_GCM_16: counter_u64_add(ktls_sw_gcm, -1); break; + case CRYPTO_CHACHA20_POLY1305: + counter_u64_add(ktls_sw_chacha20, -1); + break; } tls->free(tls); break; 
@@ -692,6 +725,9 @@ ktls_cleanup(struct ktls_session *tls) case CRYPTO_AES_NIST_GCM_16: counter_u64_add(ktls_ifnet_gcm, -1); break; + case CRYPTO_CHACHA20_POLY1305: + counter_u64_add(ktls_ifnet_chacha20, -1); + break; } if (tls->snd_tag != NULL) m_snd_tag_rele(tls->snd_tag); @@ -705,6 +741,9 @@ ktls_cleanup(struct ktls_session *tls) case CRYPTO_AES_NIST_GCM_16: counter_u64_add(ktls_toe_gcm, -1); break; + case CRYPTO_CHACHA20_POLY1305: + counter_u64_add(ktls_toe_chacha20, -1); + break; } break; #endif @@ -763,6 +802,9 @@ ktls_try_toe(struct socket *so, struct ktls_session *tls, int direction) case CRYPTO_AES_NIST_GCM_16: counter_u64_add(ktls_toe_gcm, 1); break; + case CRYPTO_CHACHA20_POLY1305: + counter_u64_add(ktls_toe_chacha20, 1); + break; } } return (error); @@ -885,6 +927,9 @@ ktls_try_ifnet(struct socket *so, struct ktls_session *tls, bool force) case CRYPTO_AES_NIST_GCM_16: counter_u64_add(ktls_ifnet_gcm, 1); break; + case CRYPTO_CHACHA20_POLY1305: + counter_u64_add(ktls_ifnet_chacha20, 1); + break; } } return (error); @@ -928,6 +973,9 @@ ktls_try_sw(struct socket *so, struct ktls_session *tls, int direction) case CRYPTO_AES_NIST_GCM_16: counter_u64_add(ktls_sw_gcm, 1); break; + case CRYPTO_CHACHA20_POLY1305: + counter_u64_add(ktls_sw_chacha20, 1); + break; } return (0); } diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h index 2f15cce3fc55..3cde75f9edf6 100644 --- a/sys/sys/ktls.h +++ b/sys/sys/ktls.h @@ -46,6 +46,7 @@ struct tls_record_layer { #define TLS_MAX_PARAM_SIZE 1024 /* Max key/mac/iv in sockopt */ #define TLS_AEAD_GCM_LEN 4 #define TLS_1_3_GCM_IV_LEN 12 +#define TLS_CHACHA20_IV_LEN 12 #define TLS_CBC_IMPLICIT_IV_LEN 16 /* Type values for the record layer */
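
Review bot: In the TCP_OFFLOAD hunk at @@ -238,6 +248,11 @@ of sys/kern/uipc_ktls.c, ktls_toe_chacha20 is declared as a bare "static counter_u64_t ktls_toe_chacha20;" while ktls_toe_gcm in the hunk's context line, and the new ktls_sw_chacha20 and ktls_ifnet_chacha20 counters, all use "static COUNTER_U64_DEFINE_EARLY(...)". Nothing in this diff allocates the TOE counter, yet the ktls_try_toe() and ktls_cleanup() hunks call counter_u64_add() on it, so unless an allocation exists outside the lines shown, a TOE Chacha20-Poly1305 session would update an unallocated counter. Suggest declaring it as "static COUNTER_U64_DEFINE_EARLY(ktls_toe_chacha20);" to match the other counters.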
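
Review bot: The new CRYPTO_CHACHA20_POLY1305 case in the ktls_create_session() validation hunk at @@ -508,6 +523,15 @@ checks auth_algorithm, auth_key_len, tls_vminor and iv_len but never looks at en->cipher_key_len. ChaCha20 takes a 256-bit key, so if the length is not rejected somewhere outside this hunk, a caller-supplied key of another size reaches session setup unvalidated. Suggest an explicit check beside the iv_len test, for example returning EINVAL when en->cipher_key_len is not 32, so every user-controlled field of struct tls_enable for this cipher is validated in one place.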
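
Review bot: In the hunk at @@ -576,10 +591,25 @@, the TLS 1.3 adjustment "tls->params.tls_tlen += sizeof(uint8_t);" now runs after the switch for every cipher, where the lines removed at @@ -539,15 +563,6 @@ applied it only in the AES-GCM case. That is what Chacha20-Poly1305 needs, but it also covers the CRYPTO_AES_CBC case whenever en->tls_vminor is TLS_MINOR_VER_THREE, so the validation switch should be confirmed to reject that combination, or the relocated comment should say so. Separately, the comment "Chacha20 uses a 12 byte implicit IV." sits above the tls_tlen and tls_bs assignments and does not describe them; it would read better if it stated the consequence, that no explicit nonce is added to tls_hlen for this cipher.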
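
The per-record nonce construction described in the commit message, next to the TLS 1.2 AES-GCM explicit-nonce layout that the patch's comments refer to, as an added C example that is not part of the commit or of FreeBSD's code. The names build_nonce, nonce_byte and nonce_mode are hypothetical, and the sample IV is constructed.

```c
/* Added illustration; names are hypothetical, not FreeBSD KTLS code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_LEN        12 /* same value as TLS_CHACHA20_IV_LEN in the patch */
#define TLS_AEAD_GCM_LEN  4 /* implicit salt length for TLS 1.2 AES-GCM */

enum nonce_mode { NONCE_XOR_SEQ, NONCE_GCM12_EXPLICIT };

/* Constructed sample IV, not taken from any real session. */
static const uint8_t sample_iv[NONCE_LEN] = {
	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b
};

/* Build one record's 12-byte nonce; return the number of nonce bytes that
 * must be sent in the record header (0 when the nonce is fully implicit). */
static int build_nonce(enum nonce_mode mode, const uint8_t *iv, uint64_t ctr,
    uint8_t nonce[NONCE_LEN])
{
	if (mode == NONCE_XOR_SEQ) {
		/* RFC 7905 / RFC 8446: left-pad seqno to 12 bytes, XOR with IV. */
		memcpy(nonce, iv, NONCE_LEN);
		for (int i = 0; i < 8; i++)
			nonce[NONCE_LEN - 1 - i] ^= (uint8_t)(ctr >> (8 * i));
		return (0);
	}
	/* TLS 1.2 AES-GCM: 4-byte salt, then an 8-byte explicit counter. */
	memcpy(nonce, iv, TLS_AEAD_GCM_LEN);
	for (int i = 0; i < 8; i++)
		nonce[NONCE_LEN - 1 - i] = (uint8_t)(ctr >> (8 * i));
	return ((int)sizeof(uint64_t));
}

/* Byte idx of the nonce built from sample_iv, for printing and checks. */
static uint8_t nonce_byte(enum nonce_mode mode, uint64_t ctr, int idx)
{
	uint8_t n[NONCE_LEN];
	(void)build_nonce(mode, sample_iv, ctr, n);
	return (n[idx]);
}

int main(void)
{
	for (uint64_t seq = 0; seq < 3; seq++) {
		for (int i = 0; i < NONCE_LEN; i++)
			printf("%02x", nonce_byte(NONCE_XOR_SEQ, seq, i));
		printf("  record %llu\n", (unsigned long long)seq);
	}
	return (0);
}
```

The zero return value for the XOR mode corresponds to the patch adding nothing to tls_hlen for Chacha20-Poly1305, while the 8 returned for TLS 1.2 AES-GCM corresponds to the sizeof(uint64_t) added to tls_hlen in the GCM case.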