From: Mark Linimon
Date: Sun, 6 Oct 2019 01:42:15 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r513860 - in head/security/ktls_isa-l_crypto-kmod: . files

Author: linimon
Date: Sun Oct 6 01:42:14 2019
New Revision: 513860
URL: https://svnweb.freebsd.org/changeset/ports/513860

Log:
  Rework the TLS 1.3 support in ISA-L to move the nonce work out of the seal routine and into the encrypt routine. Also obtain the nd.seqno in the TLS 1.2 case from the TLS record itself, as if we change to use a random starting value, this will prevent things from breaking due to the value on the wire being different from the passed in seqno.

  Submitted by: jhb
  Approved by: gallatin
  Differential Revision: D21857

Modified:
  head/security/ktls_isa-l_crypto-kmod/Makefile
  head/security/ktls_isa-l_crypto-kmod/files/intelisa_kern.c

Modified: head/security/ktls_isa-l_crypto-kmod/Makefile ============================================================================== --- head/security/ktls_isa-l_crypto-kmod/Makefile Sun Oct 6 00:22:33 2019 (r513859) +++ head/security/ktls_isa-l_crypto-kmod/Makefile Sun Oct 6 01:42:14 2019 (r513860) 
@@ -4,6 +4,7 @@ PORTNAME= isa-l_crypto PORTVERSION= 2.21.0 DISTVERSIONPREFIX= v +PORTREVISION= 1 CATEGORIES= security PKGNAMEPREFIX= ktls_ PKGNAMESUFFIX= -kmod Modified: head/security/ktls_isa-l_crypto-kmod/files/intelisa_kern.c ============================================================================== --- head/security/ktls_isa-l_crypto-kmod/files/intelisa_kern.c Sun Oct 6 00:22:33 2019 (r513859) +++ head/security/ktls_isa-l_crypto-kmod/files/intelisa_kern.c Sun Oct 6 01:42:14 2019 (r513860) @@ -125,7 +125,7 @@ static MALLOC_DEFINE(M_INTEL_ISA, "isal_tls", "Intel I static int intel_isa_seal(struct isa_gcm_struct *isa, struct iovec *outiov, int numiovs, - uint8_t *static_iv, int iv_len, uint64_t seq, + uint8_t * iv, struct iovec *iniov, uint8_t * ad, int adlen, uint8_t * tagout, size_t *taglen, @@ -135,36 +135,10 @@ intel_isa_seal(struct isa_gcm_struct *isa, bool nt = true; bool misaligned_len, misaligned_start; int fixup = 0; - size_t offset; uint8_t *in; uint8_t *out; uint64_t len; - uint8_t iv[32]; - uint8_t seq_num[sizeof(seq)]; - if (iv_len > 32 - sizeof(seq)) { - return (-1); - } - - if (tls_13) { - /* - * RFC 8446 5.3: left pad the 64b seqno - * with 0s, and xor with the IV - * - * gcm_init does not provde a way to specify the - * length of the iv, so we have hard-coded it to 12 in - * openssl - */ - memcpy(seq_num, &seq, sizeof(seq)); - - offset = iv_len - sizeof(seq); - memcpy(iv, static_iv, offset); - for (i = 0; i < sizeof(seq); i++) - iv[i + offset] = static_iv[i + offset] ^ seq_num[i]; - } else { - memcpy(iv, static_iv, iv_len); - memcpy(iv + iv_len, &seq, sizeof(seq)); - } isa->gcm_init(&isa->key_data, &isa->ctx_data, iv, ad, (size_t)adlen); for (i = 0; i < numiovs; i++) { in = iniov[i].iov_base; 
@@ -236,31 +210,43 @@ ktls_intelisa_aead_encrypt(struct ktls_session *tls, counter_u64_add(ktls_offload_isa_aead, 1); taglen = KTLS_INTELISA_AEAD_TAGLEN; + /* Setup the nonce */ + memcpy(&nd, tls->params.iv, tls->params.iv_len); + + /* Setup the associated data */ + ad.seq = htobe64(seqno); + ad.type = hdr->tls_type; + ad.tls_vmajor = hdr->tls_vmajor; + ad.tls_vminor = hdr->tls_vminor; + + /* Version-specific nonce and AAD. */ if (tls->params.tls_vminor == TLS_MINOR_VER_THREE) { tls_13 = true; counter_u64_add(ktls_offload_isa_tls_13, 1); + adlen = sizeof(ad) - sizeof(ad.seq); adptr = &ad.type; ad.tls_length = hdr->tls_length; + /* + * RFC 8446 5.3: left pad the 64b seqno + * with 0s, and xor with the IV. + */ + nd.seq ^= htobe64(seqno); } else { tls_13 = false; counter_u64_add(ktls_offload_isa_tls_12, 1); + tls_comp_len = ntohs(hdr->tls_length) - (KTLS_INTELISA_AEAD_TAGLEN + sizeof(nd.seq)); adlen = sizeof(ad); adptr = (uint8_t *)&ad; ad.tls_length = htons(tls_comp_len); + + memcpy(&nd.seq, hdr + 1, sizeof(nd.seq)); } - /* Setup the associated data */ - ad.seq = htobe64(seqno); - ad.type = hdr->tls_type; - ad.tls_vmajor = hdr->tls_vmajor; - ad.tls_vminor = hdr->tls_vminor; - ret = intel_isa_seal(isa, outiov, iovcnt, - tls->params.iv, tls->params.iv_len, - htobe64(seqno), iniov, + ret = intel_isa_seal(isa, outiov, iovcnt, (uint8_t *)&nd, iniov, adptr, adlen, trailer, &taglen, tls_13, tls_rtype);
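
Review bot: in intel_isa_seal(), the new "uint8_t * iv" parameter carries no length, and the block removed from the body took with it both the "iv_len > 32 - sizeof(seq)" check and the comment explaining that gcm_init cannot be told the IV length, so it is hard-coded to 12. The function now relies on the caller handing it a complete nonce of that size, but nothing in the signature or the body says so. Suggest keeping a short comment above the gcm_init call stating the expected nonce length and that the caller has already mixed in the sequence number, so a later caller does not pass the raw tls->params.iv.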
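
Review bot: in ktls_intelisa_aead_encrypt(), "memcpy(&nd, tls->params.iv, tls->params.iv_len)" copies a session-supplied length into nd with no bound, while the check that used to reject an oversized iv_len in intel_isa_seal() is deleted by this same change. The declaration of nd is outside the visible lines, so it cannot be confirmed here that it holds iv_len bytes; a check or KASSERT that iv_len does not exceed sizeof(nd) before the copy would restore the guard. In the TLS 1.3 branch, "nd.seq ^= htobe64(seqno)" is only correct if nd.seq overlays the last 8 bytes of the copied IV with no padding, which a compile-time assertion on the size of nd would pin down. The TLS 1.2 "memcpy(&nd.seq, hdr + 1, sizeof(nd.seq))" has no comment, unlike the RFC 8446 one in the branch above; a line saying it takes the explicit nonce already written into the record after the header would make the dependency on the caller visible.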