From cc05c7d2567cb3f1ac1012e3347db88ad363818c Mon Sep 17 00:00:00 2001 From: John Baldwin Date: Fri, 22 Sep 2017 00:34:46 +0000 Subject: [PATCH] Support AEAD requests with non-GCM algorithms. In particular, support chaining an AES cipher with an HMAC for a request including AAD. This permits submitting requests from userland to encrypt objects like IPSec packets using these algorithms. In the non-GCM case, the authentication crypto descriptor covers both the AAD and the ciphertext. The GCM case remains unchanged. This matches the requests created internally in IPSec. For the non-GCM case, the COP_F_CIPHER_FIRST is also supported since the ordering matters. Note that while this can be used to simulate IPSec requests from userland, this ioctl cannot currently be used to perform TLS requests using AES-CBC and MAC-before-encrypt. Reviewed by: cem Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D11759 --- sys/opencrypto/cryptodev.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/sys/opencrypto/cryptodev.c b/sys/opencrypto/cryptodev.c index 78d5deb05721..6e8bf192b85d 100644 --- a/sys/opencrypto/cryptodev.c +++ b/sys/opencrypto/cryptodev.c @@ -917,8 +917,13 @@ cryptodev_aead( goto bail; } - crda = crp->crp_desc; - crde = crda->crd_next; + if (caead->flags & COP_F_CIPHER_FIRST) { + crde = crp->crp_desc; + crda = crde->crd_next; + } else { + crda = crp->crp_desc; + crde = crda->crd_next; + } if ((error = copyin(caead->aad, cse->uio.uio_iov[0].iov_base, caead->aadlen))) @@ -928,8 +933,16 @@ cryptodev_aead( caead->aadlen, caead->len))) goto bail; + /* + * For GCM, crd_len covers only the AAD. For other ciphers + * chained with an HMAC, crd_len covers both the AAD and the + * cipher text. + */ crda->crd_skip = 0; - crda->crd_len = caead->aadlen; + if (cse->cipher == CRYPTO_AES_NIST_GCM_16) + crda->crd_len = caead->aadlen; + else + crda->crd_len = caead->aadlen + caead->len; crda->crd_inject = caead->aadlen + caead->len; crda->crd_alg = cse->mac;