From owner-svn-src-all@freebsd.org Tue Oct 13 18:04:20 2020 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 09595447895; Tue, 13 Oct 2020 18:04:20 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4C9k2W6VG8z41fx; Tue, 13 Oct 2020 18:04:19 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C34A0214F8; Tue, 13 Oct 2020 18:04:19 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 09DI4JSu040082; Tue, 13 Oct 2020 18:04:19 GMT (envelope-from jhb@FreeBSD.org) Received: (from jhb@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 09DI4JR3040081; Tue, 13 Oct 2020 18:04:19 GMT (envelope-from jhb@FreeBSD.org) Message-Id: <202010131804.09DI4JR3040081@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jhb set sender to jhb@FreeBSD.org using -f 
From: John Baldwin Date: Tue, 13 Oct 2020 18:04:19 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r366677 - head/sys/opencrypto X-SVN-Group: head X-SVN-Commit-Author: jhb X-SVN-Commit-Paths: head/sys/opencrypto X-SVN-Commit-Revision: 366677 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Oct 2020 18:04:20 -0000 Author: jhb Date: Tue Oct 13 18:04:19 2020 New Revision: 366677 URL: https://svnweb.freebsd.org/changeset/base/366677 Log: Add support to the KTLS OCF module for AES-CBC MTE ciphersuites. This is a simplistic approach which encrypts each TLS record in two separate passes: one to generate the MAC and a second to encrypt. This supports TLS 1.0 connections with implicit IVs as well as TLS 1.1+ with explicit IVs. Reviewed by: gallatin Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D26730 Modified: head/sys/opencrypto/ktls_ocf.c Modified: head/sys/opencrypto/ktls_ocf.c ==============================================================================
--- head/sys/opencrypto/ktls_ocf.c Tue Oct 13 18:00:23 2020 (r366676)
+++ head/sys/opencrypto/ktls_ocf.c Tue Oct 13 18:04:19 2020 (r366677)
@@ -45,7 +45,17 @@ __FBSDID("$FreeBSD$");
 
 struct ocf_session {
 	crypto_session_t sid;
+	crypto_session_t mac_sid;
+	int mac_len;
 	struct mtx lock;
+	bool implicit_iv;
+
+	/* Only used for TLS 1.0 with the implicit IV. */
+#ifdef INVARIANTS
+	bool in_progress;
+	uint64_t next_seqno;
+#endif
+	char iv[AES_BLOCK_LEN];
 };
 
 struct ocf_operation {
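Review bot: The comment `/* Only used for TLS 1.0 with the implicit IV. */` sits above the `#ifdef INVARIANTS` pair, but `iv` below the `#endif` is equally TLS 1.0-only (the new encrypt path reads and updates it only when `implicit_iv` is set), and `mac_sid`/`mac_len` are simply left at their M_ZERO defaults for GCM sessions without the struct saying so. Moving `char iv[AES_BLOCK_LEN];` up under that comment, and adding `/* MAC session and digest length; left zero for AEAD sessions. */` above `mac_sid`, would let a reader tell which fields are valid for which cipher without tracing ktls_ocf_try.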
@@ -62,6 +72,16 @@ static SYSCTL_NODE(_kern_ipc_tls_stats, OID_AUTO, ocf,
     CTLFLAG_RD | CTLFLAG_MPSAFE, 0,
     "Kernel TLS offload via OCF stats");
 
+static counter_u64_t ocf_tls10_cbc_crypts;
+SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls10_cbc_crypts,
+    CTLFLAG_RD, &ocf_tls10_cbc_crypts,
+    "Total number of OCF TLS 1.0 CBC encryption operations");
+
+static counter_u64_t ocf_tls11_cbc_crypts;
+SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls11_cbc_crypts,
+    CTLFLAG_RD, &ocf_tls11_cbc_crypts,
+    "Total number of OCF TLS 1.1/1.2 CBC encryption operations");
+
 static counter_u64_t ocf_tls12_gcm_crypts;
 SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls12_gcm_crypts,
     CTLFLAG_RD, &ocf_tls12_gcm_crypts,
@@ -135,6 +155,166 @@ ktls_ocf_dispatch(struct ocf_session *os, struct crypt
 }
 
 static int
+ktls_ocf_tls_cbc_encrypt(struct ktls_session *tls,
+    const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov,
+    struct iovec *outiov, int iovcnt, uint64_t seqno,
+    uint8_t record_type __unused)
+{
+	struct uio uio, out_uio;
+	struct tls_mac_data ad;
+	struct cryptop crp;
+	struct ocf_session *os;
+	struct iovec iov[iovcnt + 2];
+	struct iovec out_iov[iovcnt + 1];
+	int i, error;
+	uint16_t tls_comp_len;
+	uint8_t pad;
+	bool inplace;
+
+	os = tls->cipher;
+
+#ifdef INVARIANTS
+	if (os->implicit_iv) {
+		mtx_lock(&os->lock);
+		KASSERT(!os->in_progress,
+		    ("concurrent implicit IV encryptions"));
+		if (os->next_seqno != seqno) {
+			printf("KTLS CBC: TLS records out of order. "
+			    "Expected %ju, got %ju\n",
+			    (uintmax_t)os->next_seqno, (uintmax_t)seqno);
+			mtx_unlock(&os->lock);
+			return (EINVAL);
+		}
+		os->in_progress = true;
+		mtx_unlock(&os->lock);
+	}
+#endif
+
+	/*
+	 * Compute the payload length.
+	 *
+	 * XXX: This could be easily computed O(1) from the mbuf
+	 * fields, but we don't have those accessible here. Can
+	 * at least compute inplace as well while we are here.
+	 */
+	tls_comp_len = 0;
+	inplace = true;
+	for (i = 0; i < iovcnt; i++) {
+		tls_comp_len += iniov[i].iov_len;
+		if (iniov[i].iov_base != outiov[i].iov_base)
+			inplace = false;
+	}
+
+	/* Initialize the AAD. */
+	ad.seq = htobe64(seqno);
+	ad.type = hdr->tls_type;
+	ad.tls_vmajor = hdr->tls_vmajor;
+	ad.tls_vminor = hdr->tls_vminor;
+	ad.tls_length = htons(tls_comp_len);
+
+	/* First, compute the MAC. */
+	iov[0].iov_base = &ad;
+	iov[0].iov_len = sizeof(ad);
+	memcpy(&iov[1], iniov, sizeof(*iniov) * iovcnt);
+	iov[iovcnt + 1].iov_base = trailer;
+	iov[iovcnt + 1].iov_len = os->mac_len;
+	uio.uio_iov = iov;
+	uio.uio_iovcnt = iovcnt + 2;
+	uio.uio_offset = 0;
+	uio.uio_segflg = UIO_SYSSPACE;
+	uio.uio_td = curthread;
+	uio.uio_resid = sizeof(ad) + tls_comp_len + os->mac_len;
+
+	crypto_initreq(&crp, os->mac_sid);
+	crp.crp_payload_start = 0;
+	crp.crp_payload_length = sizeof(ad) + tls_comp_len;
+	crp.crp_digest_start = crp.crp_payload_length;
+	crp.crp_op = CRYPTO_OP_COMPUTE_DIGEST;
+	crp.crp_flags = CRYPTO_F_CBIMM;
+	crypto_use_uio(&crp, &uio);
+	error = ktls_ocf_dispatch(os, &crp);
+
+	crypto_destroyreq(&crp);
+	if (error) {
+#ifdef INVARIANTS
+		if (os->implicit_iv) {
+			mtx_lock(&os->lock);
+			os->in_progress = false;
+			mtx_unlock(&os->lock);
+		}
+#endif
+		return (error);
+	}
+
+	/* Second, add the padding. */
+	pad = (unsigned)(AES_BLOCK_LEN - (tls_comp_len + os->mac_len + 1)) %
+	    AES_BLOCK_LEN;
+	for (i = 0; i < pad + 1; i++)
+		trailer[os->mac_len + i] = pad;
+
+	/* Finally, encrypt the record. */
+
+	/*
+	 * Don't recopy the input iovec, instead just adjust the
+	 * trailer length and skip over the AAD vector in the uio.
+	 */
+	iov[iovcnt + 1].iov_len += pad + 1;
+	uio.uio_iov = iov + 1;
+	uio.uio_iovcnt = iovcnt + 1;
+	uio.uio_resid = tls_comp_len + iov[iovcnt + 1].iov_len;
+	KASSERT(uio.uio_resid % AES_BLOCK_LEN == 0,
+	    ("invalid encryption size"));
+
+	crypto_initreq(&crp, os->sid);
+	crp.crp_payload_start = 0;
+	crp.crp_payload_length = uio.uio_resid;
+	crp.crp_op = CRYPTO_OP_ENCRYPT;
+	crp.crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE;
+	if (os->implicit_iv)
+		memcpy(crp.crp_iv, os->iv, AES_BLOCK_LEN);
+	else
+		memcpy(crp.crp_iv, hdr + 1, AES_BLOCK_LEN);
+	crypto_use_uio(&crp, &uio);
+	if (!inplace) {
+		memcpy(out_iov, outiov, sizeof(*iniov) * iovcnt);
+		out_iov[iovcnt] = iov[iovcnt + 1];
+		out_uio.uio_iov = out_iov;
+		out_uio.uio_iovcnt = iovcnt + 1;
+		out_uio.uio_offset = 0;
+		out_uio.uio_segflg = UIO_SYSSPACE;
+		out_uio.uio_td = curthread;
+		out_uio.uio_resid = uio.uio_resid;
+		crypto_use_output_uio(&crp, &out_uio);
+	}
+
+	if (os->implicit_iv)
+		counter_u64_add(ocf_tls10_cbc_crypts, 1);
+	else
+		counter_u64_add(ocf_tls11_cbc_crypts, 1);
+	if (inplace)
+		counter_u64_add(ocf_inplace, 1);
+	else
+		counter_u64_add(ocf_separate_output, 1);
+	error = ktls_ocf_dispatch(os, &crp);
+
+	crypto_destroyreq(&crp);
+
+	if (os->implicit_iv) {
+		KASSERT(os->mac_len + pad + 1 >= AES_BLOCK_LEN,
+		    ("trailer too short to read IV"));
+		memcpy(os->iv, trailer + os->mac_len + pad + 1 - AES_BLOCK_LEN,
+		    AES_BLOCK_LEN);
+#ifdef INVARIANTS
+		mtx_lock(&os->lock);
+		os->next_seqno = seqno + 1;
+		os->in_progress = false;
+		mtx_unlock(&os->lock);
+#endif
+	}
+	return (error);
+}
+
+static int
 ktls_ocf_tls12_gcm_encrypt(struct ktls_session *tls,
     const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov,
     struct iovec *outiov, int iovcnt, uint64_t seqno,
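Review bot: In the implicit-IV branch at the end of ktls_ocf_tls_cbc_encrypt, `os->iv` is overwritten from the trailer and (under INVARIANTS) `os->next_seqno` is advanced even when the second `ktls_ocf_dispatch(os, &crp)` returned an error, so a failed TLS 1.0 record replaces the chained IV with whatever the trailer holds at that point (the MAC and the padding bytes written just above, possibly still unencrypted) and any retry of the same seqno is then rejected by the out-of-order check. The MAC-pass failure earlier in the function already clears `in_progress` without touching the IV, so the encryption failure path should be symmetric: advance the chain only when `error == 0`, but always clear `in_progress`. Whether the caller can retry a record after a failure is not visible here; keeping the chaining state equal to what was actually emitted is the safe default either way. Separately, outside INVARIANTS nothing in this function serializes readers and writers of `os->iv` between records, which the KASSERT only documents, so a one-line comment on that branch such as `/* Caller must serialize TLS 1.0 records: os->iv chains from the previous record's last ciphertext block. */` would make the contract explicit.
```c
	error = ktls_ocf_dispatch(os, &crp);

	crypto_destroyreq(&crp);

	if (os->implicit_iv) {
		/*
		 * Only advance the chained IV (and, for the debug check,
		 * the expected sequence number) for a record that was
		 * actually encrypted; after a failed dispatch the trailer
		 * may still hold the plaintext MAC and padding.
		 */
		if (error == 0) {
			KASSERT(os->mac_len + pad + 1 >= AES_BLOCK_LEN,
			    ("trailer too short to read IV"));
			memcpy(os->iv,
			    trailer + os->mac_len + pad + 1 - AES_BLOCK_LEN,
			    AES_BLOCK_LEN);
		}
#ifdef INVARIANTS
		mtx_lock(&os->lock);
		if (error == 0)
			os->next_seqno = seqno + 1;
		os->in_progress = false;
		mtx_unlock(&os->lock);
#endif
	}
	return (error);
```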
@@ -377,12 +557,14 @@ ktls_ocf_free(struct ktls_session *tls)
 static int
 ktls_ocf_try(struct socket *so, struct ktls_session *tls, int direction)
 {
-	struct crypto_session_params csp;
+	struct crypto_session_params csp, mac_csp;
 	struct ocf_session *os;
-	int error;
+	int error, mac_len;
 
 	memset(&csp, 0, sizeof(csp));
-	csp.csp_flags |= CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD;
+	memset(&mac_csp, 0, sizeof(mac_csp));
+	mac_csp.csp_mode = CSP_MODE_NONE;
+	mac_len = 0;
 
 	switch (tls->params.cipher_algorithm) {
 	case CRYPTO_AES_NIST_GCM_16:
@@ -393,27 +575,75 @@ ktls_ocf_try(struct socket *so, struct ktls_session *t
 		default:
 			return (EINVAL);
 		}
+
+		/* Only TLS 1.2 and 1.3 are supported. */
+		if (tls->params.tls_vmajor != TLS_MAJOR_VER_ONE ||
+		    tls->params.tls_vminor < TLS_MINOR_VER_TWO ||
+		    tls->params.tls_vminor > TLS_MINOR_VER_THREE)
+			return (EPROTONOSUPPORT);
+
+		/* TLS 1.3 is not yet supported for receive. */
+		if (direction == KTLS_RX &&
+		    tls->params.tls_vminor == TLS_MINOR_VER_THREE)
+			return (EPROTONOSUPPORT);
+
+		csp.csp_flags |= CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD;
 		csp.csp_mode = CSP_MODE_AEAD;
 		csp.csp_cipher_alg = CRYPTO_AES_NIST_GCM_16;
 		csp.csp_cipher_key = tls->params.cipher_key;
 		csp.csp_cipher_klen = tls->params.cipher_key_len;
 		csp.csp_ivlen = AES_GCM_IV_LEN;
 		break;
+	case CRYPTO_AES_CBC:
+		switch (tls->params.cipher_key_len) {
+		case 128 / 8:
+		case 256 / 8:
+			break;
+		default:
+			return (EINVAL);
+		}
+
+		switch (tls->params.auth_algorithm) {
+		case CRYPTO_SHA1_HMAC:
+			mac_len = SHA1_HASH_LEN;
+			break;
+		case CRYPTO_SHA2_256_HMAC:
+			mac_len = SHA2_256_HASH_LEN;
+			break;
+		case CRYPTO_SHA2_384_HMAC:
+			mac_len = SHA2_384_HASH_LEN;
+			break;
+		default:
+			return (EINVAL);
+		}
+
+		/* Only TLS 1.0-1.2 are supported. */
+		if (tls->params.tls_vmajor != TLS_MAJOR_VER_ONE ||
+		    tls->params.tls_vminor < TLS_MINOR_VER_ZERO ||
+		    tls->params.tls_vminor > TLS_MINOR_VER_TWO)
+			return (EPROTONOSUPPORT);
+
+		/* AES-CBC is not supported for receive. */
+		if (direction == KTLS_RX)
+			return (EPROTONOSUPPORT);
+
+		csp.csp_flags |= CSP_F_SEPARATE_OUTPUT;
+		csp.csp_mode = CSP_MODE_CIPHER;
+		csp.csp_cipher_alg = CRYPTO_AES_CBC;
+		csp.csp_cipher_key = tls->params.cipher_key;
+		csp.csp_cipher_klen = tls->params.cipher_key_len;
+		csp.csp_ivlen = AES_BLOCK_LEN;
+
+		mac_csp.csp_flags |= CSP_F_SEPARATE_OUTPUT;
+		mac_csp.csp_mode = CSP_MODE_DIGEST;
+		mac_csp.csp_auth_alg = tls->params.auth_algorithm;
+		mac_csp.csp_auth_key = tls->params.auth_key;
+		mac_csp.csp_auth_klen = tls->params.auth_key_len;
+		break;
 	default:
 		return (EPROTONOSUPPORT);
 	}
 
-	/* Only TLS 1.2 and 1.3 are supported. */
-	if (tls->params.tls_vmajor != TLS_MAJOR_VER_ONE ||
-	    tls->params.tls_vminor < TLS_MINOR_VER_TWO ||
-	    tls->params.tls_vminor > TLS_MINOR_VER_THREE)
-		return (EPROTONOSUPPORT);
-
-	/* TLS 1.3 is not yet supported for receive. */
-	if (direction == KTLS_RX &&
-	    tls->params.tls_vminor == TLS_MINOR_VER_THREE)
-		return (EPROTONOSUPPORT);
-
 	os = malloc(sizeof(*os), M_KTLS_OCF, M_NOWAIT | M_ZERO);
 	if (os == NULL)
 		return (ENOMEM);
@@ -425,15 +655,34 @@ ktls_ocf_try(struct socket *so, struct ktls_session *t
 		return (error);
 	}
 
+	if (mac_csp.csp_mode != CSP_MODE_NONE) {
+		error = crypto_newsession(&os->mac_sid, &mac_csp,
+		    CRYPTO_FLAG_HARDWARE | CRYPTO_FLAG_SOFTWARE);
+		if (error) {
+			crypto_freesession(os->sid);
+			free(os, M_KTLS_OCF);
+			return (error);
+		}
+		os->mac_len = mac_len;
+	}
+
 	mtx_init(&os->lock, "ktls_ocf", NULL, MTX_DEF);
 	tls->cipher = os;
-	if (direction == KTLS_TX) {
-		if (tls->params.tls_vminor == TLS_MINOR_VER_THREE)
-			tls->sw_encrypt = ktls_ocf_tls13_gcm_encrypt;
-		else
-			tls->sw_encrypt = ktls_ocf_tls12_gcm_encrypt;
+	if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) {
+		if (direction == KTLS_TX) {
+			if (tls->params.tls_vminor == TLS_MINOR_VER_THREE)
+				tls->sw_encrypt = ktls_ocf_tls13_gcm_encrypt;
+			else
+				tls->sw_encrypt = ktls_ocf_tls12_gcm_encrypt;
+		} else {
+			tls->sw_decrypt = ktls_ocf_tls12_gcm_decrypt;
+		}
 	} else {
-		tls->sw_decrypt = ktls_ocf_tls12_gcm_decrypt;
+		tls->sw_encrypt = ktls_ocf_tls_cbc_encrypt;
+		if (tls->params.tls_vminor == TLS_MINOR_VER_ZERO) {
+			os->implicit_iv = true;
+			memcpy(os->iv, tls->params.iv, AES_BLOCK_LEN);
+		}
 	}
 	tls->free = ktls_ocf_free;
 	return (0);
@@ -453,6 +702,8 @@ ktls_ocf_modevent(module_t mod, int what, void *arg)
 
 	switch (what) {
 	case MOD_LOAD:
+		ocf_tls10_cbc_crypts = counter_u64_alloc(M_WAITOK);
+		ocf_tls11_cbc_crypts = counter_u64_alloc(M_WAITOK);
 		ocf_tls12_gcm_crypts = counter_u64_alloc(M_WAITOK);
 		ocf_tls13_gcm_crypts = counter_u64_alloc(M_WAITOK);
 		ocf_inplace = counter_u64_alloc(M_WAITOK);
@@ -463,6 +714,8 @@ ktls_ocf_modevent(module_t mod, int what, void *arg)
 		error = ktls_crypto_backend_deregister(&ocf_backend);
 		if (error)
 			return (error);
+		counter_u64_free(ocf_tls10_cbc_crypts);
+		counter_u64_free(ocf_tls11_cbc_crypts);
 		counter_u64_free(ocf_tls12_gcm_crypts);
 		counter_u64_free(ocf_tls13_gcm_crypts);
 		counter_u64_free(ocf_inplace);
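Review bot: The new `os->mac_sid` session created in the `mac_csp.csp_mode != CSP_MODE_NONE` block has no matching `crypto_freesession` anywhere in this diff: ktls_ocf_free, which only appears as the context of the -377 hunk, is not modified, so unless it already releases `os->mac_sid` outside these hunks every AES-CBC session leaks its HMAC session on teardown (the error path here frees `os->sid` but the steady-state teardown is the one that matters). The fix belongs alongside wherever ktls_ocf_free releases `os->sid`, as `crypto_freesession(os->mac_sid);`; for GCM sessions `mac_sid` stays zero from the M_ZERO allocation, so either confirm the call tolerates that or guard it with `if (os->mac_len != 0)`. In the same hunk, the TLS 1.0 branch copies `AES_BLOCK_LEN` bytes from `tls->params.iv` without checking `tls->params.iv_len` at this point; if that length is not already validated where the parameters come in from userland, this reads past a shorter IV, so either the check or a comment naming where it is enforced would help.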