From 6572d0ba22d38b3b0e218c48047a5a1cf58539cc Mon Sep 17 00:00:00 2001 From: jhb Date: Wed, 18 Dec 2019 01:37:00 +0000 Subject: [PATCH] Add support for TLS 1.3 using AES-GCM to the OCF backend for KTLS. Reviewed by: gallatin Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D22802 --- sys/opencrypto/ktls_ocf.c | 160 +++++++++++++++++++++++++++++++++----- 1 file changed, 142 insertions(+), 18 deletions(-) diff --git a/sys/opencrypto/ktls_ocf.c b/sys/opencrypto/ktls_ocf.c index d9e76e1d0ffd..3e5fdabe7a88 100644 --- a/sys/opencrypto/ktls_ocf.c +++ b/sys/opencrypto/ktls_ocf.c @@ -60,13 +60,21 @@ static MALLOC_DEFINE(M_KTLS_OCF, "ktls_ocf", "OCF KTLS"); SYSCTL_DECL(_kern_ipc_tls); SYSCTL_DECL(_kern_ipc_tls_stats); -static counter_u64_t ocf_gcm_crypts; -SYSCTL_COUNTER_U64(_kern_ipc_tls_stats, OID_AUTO, ocf_gcm_crypts, CTLFLAG_RD, - &ocf_gcm_crypts, - "Total number of OCF GCM encryption operations"); +static SYSCTL_NODE(_kern_ipc_tls_stats, OID_AUTO, ocf, CTLFLAG_RD, 0, + "Kernel TLS offload via OCF stats"); + +static counter_u64_t ocf_tls12_gcm_crypts; +SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls12_gcm_crypts, + CTLFLAG_RD, &ocf_tls12_gcm_crypts, + "Total number of OCF TLS 1.2 GCM encryption operations"); + +static counter_u64_t ocf_tls13_gcm_crypts; +SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls13_gcm_crypts, + CTLFLAG_RD, &ocf_tls13_gcm_crypts, + "Total number of OCF TLS 1.3 GCM encryption operations"); static counter_u64_t ocf_retries; -SYSCTL_COUNTER_U64(_kern_ipc_tls_stats, OID_AUTO, ocf_retries, CTLFLAG_RD, +SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, retries, CTLFLAG_RD, &ocf_retries, "Number of OCF encryption operation retries"); @@ -84,9 +92,10 @@ ktls_ocf_callback(struct cryptop *crp) } static int -ktls_ocf_encrypt(struct ktls_session *tls, const struct tls_record_layer *hdr, - uint8_t *trailer, struct iovec *iniov, struct iovec *outiov, int iovcnt, - uint64_t seqno, uint8_t record_type __unused) +ktls_ocf_tls12_gcm_encrypt(struct ktls_session *tls, + const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov, + struct iovec *outiov, int iovcnt, uint64_t seqno, + uint8_t record_type __unused) { struct uio uio; struct tls_aead_data ad; @@ -127,7 +136,7 @@ ktls_ocf_encrypt(struct ktls_session *tls, const struct tls_record_layer *hdr, iov[0].iov_base = &ad; iov[0].iov_len = sizeof(ad); uio.uio_resid = sizeof(ad); - + /* * OCF always does encryption in place, so copy the data if * needed. Ugh. @@ -171,7 +180,119 @@ ktls_ocf_encrypt(struct ktls_session *tls, const struct tls_record_layer *hdr, crde->crd_flags = CRD_F_ENCRYPT | CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT; memcpy(crde->crd_iv, &nd, sizeof(nd)); - counter_u64_add(ocf_gcm_crypts, 1); + counter_u64_add(ocf_tls12_gcm_crypts, 1); + for (;;) { + error = crypto_dispatch(crp); + if (error) + break; + + mtx_lock(&os->lock); + while (!oo->done) + mtx_sleep(oo, &os->lock, 0, "ocfktls", 0); + mtx_unlock(&os->lock); + + if (crp->crp_etype != EAGAIN) { + error = crp->crp_etype; + break; + } + + crp->crp_etype = 0; + crp->crp_flags &= ~CRYPTO_F_DONE; + oo->done = false; + counter_u64_add(ocf_retries, 1); + } + + crypto_freereq(crp); + free(oo, M_KTLS_OCF); + return (error); +} + +static int +ktls_ocf_tls13_gcm_encrypt(struct ktls_session *tls, + const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov, + struct iovec *outiov, int iovcnt, uint64_t seqno, uint8_t record_type) +{ + struct uio uio; + struct tls_aead_data_13 ad; + char nonce[12]; + struct cryptodesc *crde, *crda; + struct cryptop *crp; + struct ocf_session *os; + struct ocf_operation *oo; + struct iovec *iov; + int i, error; + + os = tls->cipher; + + oo = malloc(sizeof(*oo) + (iovcnt + 2) * sizeof(*iov), M_KTLS_OCF, + M_WAITOK | M_ZERO); + oo->os = os; + iov = oo->iov; + + crp = crypto_getreq(2); + if (crp == NULL) { + free(oo, M_KTLS_OCF); + return (ENOMEM); + } + + /* Setup the nonce. */ + memcpy(nonce, tls->params.iv, tls->params.iv_len); + *(uint64_t *)(nonce + 4) ^= htobe64(seqno); + + /* Setup the AAD. */ + ad.type = hdr->tls_type; + ad.tls_vmajor = hdr->tls_vmajor; + ad.tls_vminor = hdr->tls_vminor; + ad.tls_length = hdr->tls_length; + iov[0].iov_base = &ad; + iov[0].iov_len = sizeof(ad); + uio.uio_resid = sizeof(ad); + + /* + * OCF always does encryption in place, so copy the data if + * needed. Ugh. + */ + for (i = 0; i < iovcnt; i++) { + iov[i + 1] = outiov[i]; + if (iniov[i].iov_base != outiov[i].iov_base) + memcpy(outiov[i].iov_base, iniov[i].iov_base, + outiov[i].iov_len); + uio.uio_resid += outiov[i].iov_len; + } + + trailer[0] = record_type; + iov[iovcnt + 1].iov_base = trailer; + iov[iovcnt + 1].iov_len = AES_GMAC_HASH_LEN + 1; + uio.uio_resid += AES_GMAC_HASH_LEN + 1; + + uio.uio_iov = iov; + uio.uio_iovcnt = iovcnt + 2; + uio.uio_offset = 0; + uio.uio_segflg = UIO_SYSSPACE; + uio.uio_td = curthread; + + crp->crp_session = os->sid; + crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIMM; + crp->crp_uio = &uio; + crp->crp_ilen = uio.uio_resid; + crp->crp_opaque = oo; + crp->crp_callback = ktls_ocf_callback; + + crde = crp->crp_desc; + crda = crde->crd_next; + + crda->crd_alg = os->crda_alg; + crda->crd_skip = 0; + crda->crd_len = sizeof(ad); + crda->crd_inject = crp->crp_ilen - AES_GMAC_HASH_LEN; + + crde->crd_alg = CRYPTO_AES_NIST_GCM_16; + crde->crd_skip = sizeof(ad); + crde->crd_len = crp->crp_ilen - (sizeof(ad) + AES_GMAC_HASH_LEN); + crde->crd_flags = CRD_F_ENCRYPT | CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT; + memcpy(crde->crd_iv, nonce, sizeof(nonce)); + + counter_u64_add(ocf_tls13_gcm_crypts, 1); for (;;) { error = crypto_dispatch(crp); if (error) @@ -221,8 +342,6 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls) switch (tls->params.cipher_algorithm) { case CRYPTO_AES_NIST_GCM_16: - if (tls->params.iv_len != TLS_AEAD_GCM_LEN) - return (EINVAL); switch (tls->params.cipher_key_len) { case 128 / 8: cria.cri_alg = CRYPTO_AES_128_NIST_GMAC; @@ -240,10 +359,10 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls) return (EPROTONOSUPPORT); } - /* Only TLS 1.1 and TLS 1.2 are currently supported. */ + /* Only TLS 1.2 and 1.3 are supported. */ if (tls->params.tls_vmajor != TLS_MAJOR_VER_ONE || - tls->params.tls_vminor < TLS_MINOR_VER_ONE || - tls->params.tls_vminor > TLS_MINOR_VER_TWO) + tls->params.tls_vminor < TLS_MINOR_VER_TWO || + tls->params.tls_vminor > TLS_MINOR_VER_THREE) return (EPROTONOSUPPORT); os = malloc(sizeof(*os), M_KTLS_OCF, M_NOWAIT | M_ZERO); @@ -265,7 +384,10 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls) os->crda_alg = cria.cri_alg; mtx_init(&os->lock, "ktls_ocf", NULL, MTX_DEF); tls->cipher = os; - tls->sw_encrypt = ktls_ocf_encrypt; + if (tls->params.tls_vminor == TLS_MINOR_VER_THREE) + tls->sw_encrypt = ktls_ocf_tls13_gcm_encrypt; + else + tls->sw_encrypt = ktls_ocf_tls12_gcm_encrypt; tls->free = ktls_ocf_free; return (0); } @@ -284,14 +406,16 @@ ktls_ocf_modevent(module_t mod, int what, void *arg) switch (what) { case MOD_LOAD: - ocf_gcm_crypts = counter_u64_alloc(M_WAITOK); + ocf_tls12_gcm_crypts = counter_u64_alloc(M_WAITOK); + ocf_tls13_gcm_crypts = counter_u64_alloc(M_WAITOK); ocf_retries = counter_u64_alloc(M_WAITOK); return (ktls_crypto_backend_register(&ocf_backend)); case MOD_UNLOAD: error = ktls_crypto_backend_deregister(&ocf_backend); if (error) return (error); - counter_u64_free(ocf_gcm_crypts); + counter_u64_free(ocf_tls12_gcm_crypts); + counter_u64_free(ocf_tls13_gcm_crypts); counter_u64_free(ocf_retries); return (0); default: