Support AEAD requests with non-GCM algorithms.

In particular, support chaining an AES cipher with an HMAC for a request
including AAD.  This permits submitting requests from userland to encrypt
objects like IPSec packets using these algorithms.

In the non-GCM case, the authentication crypto descriptor covers both the
AAD and the ciphertext.  The GCM case remains unchanged.  This matches
the requests created internally in IPSec.  For the non-GCM case, the
COP_F_CIPHER_FIRST is also supported since the ordering matters.

Note that while this can be used to simulate IPSec requests from userland,
this ioctl cannot currently be used to perform TLS requests using AES-CBC
and MAC-before-encrypt.

Reviewed by:	cem
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D11759
This commit is contained in:
John Baldwin 2017-09-22 00:34:46 +00:00
parent 2c907637bc
commit cc05c7d256

View File

@ -917,8 +917,13 @@ cryptodev_aead(
goto bail; goto bail;
} }
crda = crp->crp_desc; if (caead->flags & COP_F_CIPHER_FIRST) {
crde = crda->crd_next; crde = crp->crp_desc;
crda = crde->crd_next;
} else {
crda = crp->crp_desc;
crde = crda->crd_next;
}
if ((error = copyin(caead->aad, cse->uio.uio_iov[0].iov_base, if ((error = copyin(caead->aad, cse->uio.uio_iov[0].iov_base,
caead->aadlen))) caead->aadlen)))
@ -928,8 +933,16 @@ cryptodev_aead(
caead->aadlen, caead->len))) caead->aadlen, caead->len)))
goto bail; goto bail;
/*
* For GCM, crd_len covers only the AAD. For other ciphers
* chained with an HMAC, crd_len covers both the AAD and the
* cipher text.
*/
crda->crd_skip = 0; crda->crd_skip = 0;
crda->crd_len = caead->aadlen; if (cse->cipher == CRYPTO_AES_NIST_GCM_16)
crda->crd_len = caead->aadlen;
else
crda->crd_len = caead->aadlen + caead->len;
crda->crd_inject = caead->aadlen + caead->len; crda->crd_inject = caead->aadlen + caead->len;
crda->crd_alg = cse->mac; crda->crd_alg = cse->mac;