From owner-svn-src-stable@freebsd.org Mon Mar 11 21:35:58 2019 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EDA29152F7A2; Mon, 11 Mar 2019 21:35:57 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 813F884EB4; Mon, 11 Mar 2019 21:35:57 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 6CFA918A60; Mon, 11 Mar 2019 21:35:57 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x2BLZvAf039143; Mon, 11 Mar 2019 21:35:57 GMT (envelope-from jhb@FreeBSD.org) Received: (from jhb@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x2BLZuA8039141; Mon, 11 Mar 2019 21:35:56 GMT (envelope-from jhb@FreeBSD.org) Message-Id: <201903112135.x2BLZuA8039141@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jhb set sender to jhb@FreeBSD.org using -f From: John Baldwin Date: Mon, 11 Mar 2019 21:35:56 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r345027 - in stable/11: share/man/man4 sys/opencrypto X-SVN-Group: stable-11 X-SVN-Commit-Author: jhb X-SVN-Commit-Paths: in stable/11: share/man/man4 sys/opencrypto X-SVN-Commit-Revision: 345027 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 813F884EB4 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_SHORT(-0.97)[-0.975,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_MEDIUM(-0.99)[-0.995,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Mar 2019 21:35:58 -0000 Author: jhb Date: Mon Mar 11 21:35:56 2019 New Revision: 345027 URL: https://svnweb.freebsd.org/changeset/base/345027 Log: MFC 323891,323892: Support EtA requests via /dev/crypto. 323891: Add a new COP_F_CIPHER_FIRST flag for struct crypt_op. This requests that the cipher be performed before rather than after the HMAC when both are specified for a single operation. 323892: Support AEAD requests with non-GCM algorithms. In particular, support chaining an AES cipher with an HMAC for a request including AAD. This permits submitting requests from userland to encrypt objects like IPSec packets using these algorithms. In the non-GCM case, the authentication crypto descriptor covers both the AAD and the ciphertext. The GCM case remains unchanged. This matches the requests created internally in IPSec. For the non-GCM case, the COP_F_CIPHER_FIRST is also supported since the ordering matters. Note that while this can be used to simulate IPSec requests from userland, this ioctl cannot currently be used to perform TLS requests using AES-CBC and MAC-before-encrypt. Sponsored by: Chelsio Communications Modified: stable/11/share/man/man4/crypto.4 stable/11/sys/opencrypto/cryptodev.c stable/11/sys/opencrypto/cryptodev.h Directory Properties: stable/11/ (props changed) Modified: stable/11/share/man/man4/crypto.4 ============================================================================== --- stable/11/share/man/man4/crypto.4 Mon Mar 11 21:00:58 2019 (r345026) +++ stable/11/share/man/man4/crypto.4 Mon Mar 11 21:35:56 2019 (r345027) @@ -60,7 +60,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 15, 2015 +.Dd September 21, 2017 .Dt CRYPTO 4 .Os .Sh NAME @@ -127,7 +127,9 @@ Asymmetric operations do not use sessions. .It Submit requests, synchronously with .Dv CIOCCRYPT -(symmetric) +(symmetric), +.Dv CIOCCRYPTAEAD +(symmetric), or .Dv CIOCKEY (asymmetric). @@ -279,6 +281,16 @@ supplies the length of the input buffer; the fields .Fa cr_op-\*[Gt]iv supply the addresses of the input buffer, output buffer, one-way hash, and initialization vector, respectively. +If a session is using both a privacy algorithm and a hash algorithm, +the request will generate a hash of the input buffer before +generating the output buffer by default. +If the +.Dv COP_F_CIPHER_FIRST +flag is included in the +.Fa cr_op-\*[Gt]flags +field, +then the request will generate a hash of the output buffer after +executing the privacy algorithm. .It Dv CIOCCRYPTAEAD Fa struct crypt_aead *cr_aead .Bd -literal struct crypt_aead { Modified: stable/11/sys/opencrypto/cryptodev.c ============================================================================== --- stable/11/sys/opencrypto/cryptodev.c Mon Mar 11 21:00:58 2019 (r345026) +++ stable/11/sys/opencrypto/cryptodev.c Mon Mar 11 21:35:56 2019 (r345027) @@ -755,18 +755,22 @@ cryptodev_op( goto bail; } - if (cse->thash) { - crda = crp->crp_desc; - if (cse->txform) - crde = crda->crd_next; - } else { - if (cse->txform) + if (cse->thash && cse->txform) { + if (cop->flags & COP_F_CIPHER_FIRST) { crde = crp->crp_desc; - else { - SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); - error = EINVAL; - goto bail; + crda = crde->crd_next; + } else { + crda = crp->crp_desc; + crde = crda->crd_next; } + } else if (cse->thash) { + crda = crp->crp_desc; + } else if (cse->txform) { + crde = crp->crp_desc; + } else { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); + error = EINVAL; + goto bail; } if ((error = copyin(cop->src, cse->uio.uio_iov[0].iov_base, @@ -941,8 +945,13 @@ cryptodev_aead( goto bail; } - crda = crp->crp_desc; - crde = crda->crd_next; + if (caead->flags & COP_F_CIPHER_FIRST) { + crde = crp->crp_desc; + crda = crde->crd_next; + } else { + crda = crp->crp_desc; + crde = crda->crd_next; + } if ((error = copyin(caead->aad, cse->uio.uio_iov[0].iov_base, caead->aadlen))) { @@ -956,8 +965,16 @@ cryptodev_aead( goto bail; } + /* + * For GCM, crd_len covers only the AAD. For other ciphers + * chained with an HMAC, crd_len covers both the AAD and the + * cipher text. + */ crda->crd_skip = 0; - crda->crd_len = caead->aadlen; + if (cse->cipher == CRYPTO_AES_NIST_GCM_16) + crda->crd_len = caead->aadlen; + else + crda->crd_len = caead->aadlen + caead->len; crda->crd_inject = caead->aadlen + caead->len; crda->crd_alg = cse->mac; Modified: stable/11/sys/opencrypto/cryptodev.h ============================================================================== --- stable/11/sys/opencrypto/cryptodev.h Mon Mar 11 21:00:58 2019 (r345026) +++ stable/11/sys/opencrypto/cryptodev.h Mon Mar 11 21:35:56 2019 (r345027) @@ -238,7 +238,8 @@ struct crypt_op { #define COP_ENCRYPT 1 #define COP_DECRYPT 2 u_int16_t flags; -#define COP_F_BATCH 0x0008 /* Batch op if possible */ +#define COP_F_CIPHER_FIRST 0x0001 /* Cipher before MAC. */ +#define COP_F_BATCH 0x0008 /* Batch op if possible */ u_int len; c_caddr_t src; /* become iov[] inside kernel */ caddr_t dst;