From owner-dev-commits-src-all@freebsd.org Thu Feb 18 17:54:40 2021 Return-Path: Delivered-To: dev-commits-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7BA0F54175A; Thu, 18 Feb 2021 17:54:40 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4DhMmG1Xvnz4sld; Thu, 18 Feb 2021 17:54:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id E0F3D1CC92; Thu, 18 Feb 2021 17:54:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 11IHsbvH033908; Thu, 18 Feb 2021 17:54:37 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 11IHsb4G033907; Thu, 18 Feb 2021 17:54:37 GMT (envelope-from git) Date: Thu, 18 Feb 2021 17:54:37 GMT Message-Id: <202102181754.11IHsb4G033907@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: John Baldwin Subject: git: 9c64fc40290e - main - Add Chacha20-Poly1305 as a KTLS cipher suite. MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jhb X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 9c64fc40290e08f6dc6b75aa04084b04e48a61af Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for all branches of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Feb 2021 17:54:40 -0000 The branch main has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=9c64fc40290e08f6dc6b75aa04084b04e48a61af commit 9c64fc40290e08f6dc6b75aa04084b04e48a61af Author: John Baldwin AuthorDate: 2021-02-18 17:23:59 +0000 Commit: John Baldwin CommitDate: 2021-02-18 17:26:32 +0000 Add Chacha20-Poly1305 as a KTLS cipher suite. Chacha20-Poly1305 for TLS is an AEAD cipher suite for both TLS 1.2 and TLS 1.3 (RFCs 7905 and 8446). For both versions, Chacha20 uses the server and client IVs as implicit nonces xored with the record sequence number to generate the per-record nonce matching the construction used with AES-GCM for TLS 1.3. Reviewed by: gallatin Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D27839 --- sys/kern/uipc_ktls.c | 76 ++++++++++++++++++++++++++++++++++++++++++---------- sys/sys/ktls.h | 1 + 2 files changed, 63 insertions(+), 14 deletions(-) diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index 26912e410239..f92314d9c607 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -199,6 +199,11 @@ static COUNTER_U64_DEFINE_EARLY(ktls_sw_gcm); SYSCTL_COUNTER_U64(_kern_ipc_tls_sw, OID_AUTO, gcm, CTLFLAG_RD, &ktls_sw_gcm, "Active number of software TLS sessions using AES-GCM"); +static COUNTER_U64_DEFINE_EARLY(ktls_sw_chacha20); +SYSCTL_COUNTER_U64(_kern_ipc_tls_sw, OID_AUTO, chacha20, CTLFLAG_RD, + &ktls_sw_chacha20, + "Active number of software TLS sessions using Chacha20-Poly1305"); + static COUNTER_U64_DEFINE_EARLY(ktls_ifnet_cbc); SYSCTL_COUNTER_U64(_kern_ipc_tls_ifnet, OID_AUTO, cbc, CTLFLAG_RD, &ktls_ifnet_cbc, @@ -209,6 +214,11 @@ SYSCTL_COUNTER_U64(_kern_ipc_tls_ifnet, OID_AUTO, gcm, CTLFLAG_RD, &ktls_ifnet_gcm, "Active number of ifnet TLS sessions using AES-GCM"); +static COUNTER_U64_DEFINE_EARLY(ktls_ifnet_chacha20); +SYSCTL_COUNTER_U64(_kern_ipc_tls_ifnet, OID_AUTO, chacha20, CTLFLAG_RD, + &ktls_ifnet_chacha20, + "Active number of ifnet TLS sessions using Chacha20-Poly1305"); + static COUNTER_U64_DEFINE_EARLY(ktls_ifnet_reset); SYSCTL_COUNTER_U64(_kern_ipc_tls_ifnet, OID_AUTO, reset, CTLFLAG_RD, &ktls_ifnet_reset, "TLS sessions updated to a new ifnet send tag"); @@ -238,6 +248,11 @@ static COUNTER_U64_DEFINE_EARLY(ktls_toe_gcm); SYSCTL_COUNTER_U64(_kern_ipc_tls_toe, OID_AUTO, gcm, CTLFLAG_RD, &ktls_toe_gcm, "Active number of TOE TLS sessions using AES-GCM"); + +static counter_u64_t ktls_toe_chacha20; +SYSCTL_COUNTER_U64(_kern_ipc_tls_toe, OID_AUTO, chacha20, CTLFLAG_RD, + &ktls_toe_chacha20, + "Active number of TOE TLS sessions using Chacha20-Poly1305"); #endif static MALLOC_DEFINE(M_KTLS, "ktls", "Kernel TLS"); @@ -507,6 +522,15 @@ ktls_create_session(struct socket *so, struct tls_enable *en, if (en->auth_key_len == 0) return (EINVAL); break; + case CRYPTO_CHACHA20_POLY1305: + if (en->auth_algorithm != 0 || en->auth_key_len != 0) + return (EINVAL); + if (en->tls_vminor != TLS_MINOR_VER_TWO && + en->tls_vminor != TLS_MINOR_VER_THREE) + return (EINVAL); + if (en->iv_len != TLS_CHACHA20_IV_LEN) + return (EINVAL); + break; default: return (EINVAL); } @@ -538,15 +562,6 @@ ktls_create_session(struct socket *so, struct tls_enable *en, if (en->tls_vminor < TLS_MINOR_VER_THREE) tls->params.tls_hlen += sizeof(uint64_t); tls->params.tls_tlen = AES_GMAC_HASH_LEN; - - /* - * TLS 1.3 includes optional padding which we - * do not support, and also puts the "real" record - * type at the end of the encrypted data. - */ - if (en->tls_vminor == TLS_MINOR_VER_THREE) - tls->params.tls_tlen += sizeof(uint8_t); - tls->params.tls_bs = 1; break; case CRYPTO_AES_CBC: @@ -575,10 +590,25 @@ ktls_create_session(struct socket *so, struct tls_enable *en, } tls->params.tls_bs = AES_BLOCK_LEN; break; + case CRYPTO_CHACHA20_POLY1305: + /* + * Chacha20 uses a 12 byte implicit IV. + */ + tls->params.tls_tlen = POLY1305_HASH_LEN; + tls->params.tls_bs = 1; + break; default: panic("invalid cipher"); } + /* + * TLS 1.3 includes optional padding which we do not support, + * and also puts the "real" record type at the end of the + * encrypted data. + */ + if (en->tls_vminor == TLS_MINOR_VER_THREE) + tls->params.tls_tlen += sizeof(uint8_t); + KASSERT(tls->params.tls_hlen <= MBUF_PEXT_HDR_LEN, ("TLS header length too long: %d", tls->params.tls_hlen)); KASSERT(tls->params.tls_tlen <= MBUF_PEXT_TRAIL_LEN, @@ -602,9 +632,9 @@ ktls_create_session(struct socket *so, struct tls_enable *en, goto out; /* - * This holds the implicit portion of the nonce for GCM and - * the initial implicit IV for TLS 1.0. The explicit portions - * of the IV are generated in ktls_frame(). + * This holds the implicit portion of the nonce for AEAD + * ciphers and the initial implicit IV for TLS 1.0. The + * explicit portions of the IV are generated in ktls_frame(). */ if (en->iv_len != 0) { tls->params.iv_len = en->iv_len; @@ -613,8 +643,8 @@ ktls_create_session(struct socket *so, struct tls_enable *en, goto out; /* - * For TLS 1.2, generate an 8-byte nonce as a counter - * to generate unique explicit IVs. + * For TLS 1.2 with GCM, generate an 8-byte nonce as a + * counter to generate unique explicit IVs. * * Store this counter in the last 8 bytes of the IV * array so that it is 8-byte aligned. @@ -679,6 +709,9 @@ ktls_cleanup(struct ktls_session *tls) case CRYPTO_AES_NIST_GCM_16: counter_u64_add(ktls_sw_gcm, -1); break; + case CRYPTO_CHACHA20_POLY1305: + counter_u64_add(ktls_sw_chacha20, -1); + break; } tls->free(tls); break; @@ -690,6 +723,9 @@ ktls_cleanup(struct ktls_session *tls) case CRYPTO_AES_NIST_GCM_16: counter_u64_add(ktls_ifnet_gcm, -1); break; + case CRYPTO_CHACHA20_POLY1305: + counter_u64_add(ktls_ifnet_chacha20, -1); + break; } if (tls->snd_tag != NULL) m_snd_tag_rele(tls->snd_tag); @@ -703,6 +739,9 @@ ktls_cleanup(struct ktls_session *tls) case CRYPTO_AES_NIST_GCM_16: counter_u64_add(ktls_toe_gcm, -1); break; + case CRYPTO_CHACHA20_POLY1305: + counter_u64_add(ktls_toe_chacha20, -1); + break; } break; #endif @@ -761,6 +800,9 @@ ktls_try_toe(struct socket *so, struct ktls_session *tls, int direction) case CRYPTO_AES_NIST_GCM_16: counter_u64_add(ktls_toe_gcm, 1); break; + case CRYPTO_CHACHA20_POLY1305: + counter_u64_add(ktls_toe_chacha20, 1); + break; } } return (error); @@ -883,6 +925,9 @@ ktls_try_ifnet(struct socket *so, struct ktls_session *tls, bool force) case CRYPTO_AES_NIST_GCM_16: counter_u64_add(ktls_ifnet_gcm, 1); break; + case CRYPTO_CHACHA20_POLY1305: + counter_u64_add(ktls_ifnet_chacha20, 1); + break; } } return (error); @@ -926,6 +971,9 @@ ktls_try_sw(struct socket *so, struct ktls_session *tls, int direction) case CRYPTO_AES_NIST_GCM_16: counter_u64_add(ktls_sw_gcm, 1); break; + case CRYPTO_CHACHA20_POLY1305: + counter_u64_add(ktls_sw_chacha20, 1); + break; } return (0); } diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h index 8d591888466c..d3da1286403c 100644 --- a/sys/sys/ktls.h +++ b/sys/sys/ktls.h @@ -44,6 +44,7 @@ struct tls_record_layer { #define TLS_MAX_PARAM_SIZE 1024 /* Max key/mac/iv in sockopt */ #define TLS_AEAD_GCM_LEN 4 #define TLS_1_3_GCM_IV_LEN 12 +#define TLS_CHACHA20_IV_LEN 12 #define TLS_CBC_IMPLICIT_IV_LEN 16 /* Type values for the record layer */