Support AEAD requests with non-GCM algorithms.

In particular, support chaining an AES cipher with an HMAC for a request including AAD. This permits submitting requests from userland to encrypt objects like IPSec packets using these algorithms. In the non-GCM case, the authentication crypto descriptor covers both the AAD and the ciphertext. The GCM case remains unchanged. This matches the requests created internally in IPSec. For the non-GCM case, the COP_F_CIPHER_FIRST is also supported since the ordering matters. Note that while this can be used to simulate IPSec requests from userland, this ioctl cannot currently be used to perform TLS requests using AES-CBC and MAC-before-encrypt. Reviewed by: cem Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D11759
svn path=/head/; revision=323892
2017-09-22 00:34:46 +00:00 · 2017-09-22 00:34:46 +00:00 · cc05c7d256 · 2020-12-20 02:59:44 +00:00
commit cc05c7d256
parent 2c907637bc
1 changed files with 16 additions and 3 deletions
--- a/sys/opencrypto/cryptodev.c
+++ b/sys/opencrypto/cryptodev.c
@ -917,8 +917,13 @@ cryptodev_aead(
 		goto bail;
 	}

-	crda = crp->crp_desc;
-	crde = crda->crd_next;
+	if (caead->flags & COP_F_CIPHER_FIRST) {
+		crde = crp->crp_desc;
+		crda = crde->crd_next;
+	} else {
+		crda = crp->crp_desc;
+		crde = crda->crd_next;
+	}

 	if ((error = copyin(caead->aad, cse->uio.uio_iov[0].iov_base,
 	    caead->aadlen)))
@ -928,8 +933,16 @@ cryptodev_aead(
 	    caead->aadlen, caead->len)))
 		goto bail;

+	/*
+	 * For GCM, crd_len covers only the AAD.  For other ciphers
+	 * chained with an HMAC, crd_len covers both the AAD and the
+	 * cipher text.
+	 */
 	crda->crd_skip = 0;
-	crda->crd_len = caead->aadlen;
+	if (cse->cipher == CRYPTO_AES_NIST_GCM_16)
+		crda->crd_len = caead->aadlen;
+	else
+		crda->crd_len = caead->aadlen + caead->len;
 	crda->crd_inject = caead->aadlen + caead->len;

 	crda->crd_alg = cse->mac;