Commit Graph

270 Commits

Author SHA1 Message Date
John Baldwin
1c09320d58 ossl: Use crypto_cursor_segment().
Reviewed by:	markj
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D30447
2021-05-25 16:59:19 -07:00
John Baldwin
883a0196b6 crypto: Add a new type of crypto buffer for a single mbuf.
This is intended for use in KTLS transmit where each TLS record is
described by a single mbuf that is itself queued in the socket buffer.
Using the existing CRYPTO_BUF_MBUF would result in
bus_dmamap_load_crp() walking additional mbufs in the socket buffer
that are not relevant, but generating a S/G list that potentially
exceeds the limit of the tag (while also wasting CPU cycles).

Reviewed by:	markj
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D30136
2021-05-25 16:59:18 -07:00
John Baldwin
d2e076c37b ossl: Don't encryt/decrypt too much data for chacha20.
The loops for Chacha20 and Chacha20+Poly1305 which encrypted/decrypted
full blocks of data used the minimum of the input and output segment
lengths to determine the size of the next chunk ('todo') to pass to
Chacha20_ctr32().  However, the input and output segments could extend
past the end of the ciphertext region into the tag (e.g.  if a "plain"
single mbuf contained an entire TLS record).  If the length of the tag
plus the length of the last partial block together were at least as
large as a full Chacha20 block (64 bytes), then an extra block was
encrypted/decrypted overlapping with the tag.  Fix this by also
capping the amount of data to encrypt/decrypt by the amount of
remaining data in the ciphertext region ('resid').

Reported by:	gallatin
Reviewed by:	cem, gallatin, markj
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D29517
2021-04-01 15:49:07 -07:00
Mitchell Horne
da45b46266 armv8crypto: note derivation in armv8_crypto_wrap.c
This file inherits some boilerplate and structure from the analogous
file in aesni(4), aesni_wrap.c. Note the derivation and the copyright
holders of that file.

For example, the AES-XTS bits added in 4979620ece were ported from
aesni(4).

Requested by:	jmg
Reviewed by:	imp, gnn
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D29268
2021-03-19 10:53:49 -03:00
Oleksandr Tymoshenko
748be78e60 armv8crypto: fix AES-XTS regression introduced by ed9b7f44
Initialization of the XTS key schedule was accidentally dropped
when adding AES-GCM support so all-zero schedule was used instead.
This rendered previously created GELI partitions unusable.
This change restores proper XTS key schedule initialization.

Reported by:	Peter Jeremy <peter@rulingia.com>
MFC after:	immediately
2021-03-07 12:03:47 -08:00
John Baldwin
78991a93eb ossl: Add support for the ChaCha20 + Poly1305 AEAD cipher from RFC 8439
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D28757
2021-03-03 15:20:57 -08:00
John Baldwin
92aecd1e6f ossl: Add ChaCha20 cipher support.
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D28756
2021-03-03 15:20:57 -08:00
John Baldwin
a079e38b08 ossl: Add Poly1305 digest support.
Reviewed by:	cem
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D28754
2021-03-03 15:20:57 -08:00
Elliott Mitchell
530d38441d armv8crypto: add missing newline
The missing newline mildly garbles boot-time messages and this can be
troublesome if you need those.

Fixes:		a520f5ca58 ("armv8crypto: print a message on probe failure")
Reported by:	Mike Karels (mike@karels.net)
Reviewed By:	gonzo
Differential Revision:	https://reviews.freebsd.org/D28988
2021-02-28 16:03:55 -04:00
Jung-uk Kim
3396647c8d OpenSSL: Regen assembly files for OpenSSL 1.1.1j 2021-02-17 00:35:11 -05:00
Mark Johnston
7509b677b4 armv8crypto: Extract GCM state into a structure
This makes it easier to refactor the GCM code to operate on
crypto_buffer_cursors rather than plain contiguous buffers, with the aim
of minimizing the amount of copying and zeroing done today.

No functional change intended.

Reviewed by:	jhb
MFC after:	1 week
Sponsored by:	Ampere Computing
Submitted by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D28500
2021-02-08 09:19:10 -05:00
Mark Johnston
0dc7076037 armv8crypto: Fix some edge cases in the AES-GCM implementation
- We were only hashing up to the first 16 bytes of the AAD.
- When computing the digest during decryption, handle the case where
  len == trailer, i.e., len < AES_BLOCK_LEN, properly.

While here:

- trailer is always smaller than AES_BLOCK_LEN, so remove a pair of
  unnecessary modulus operations.
- Replace some byte-by-byte loops with memcpy() and memset() calls.
  In particular, zero the full block before copying a partial block into
  it since we do that elsewhere and it means that the memset() length is
  known at compile time.

Reviewed by:	jhb
Sponsored by:	Ampere Computing
Submitted by:	Klara, Inc.
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D28501
2021-02-08 09:19:07 -05:00
Oleksandr Tymoshenko
ed9b7f4414 armv8crypto: add AES-GCM support
Add support for AES-GCM using OpenSSL's accelerated routines.

Reviewed by:	jhb
Differential Revision:	https://reviews.freebsd.org/D27454
Sponsored by:	Ampere Computing
Submitted by:	Klara, Inc.
2021-01-21 21:41:27 -08:00
Mark Johnston
098c902b52 aesni: Ensure that key schedules are aligned
Rather than depending on malloc() returning 16-byte aligned chunks,
allocate some extra pad bytes and ensure that key schedules are
appropriately aligned.

Reviewed by:	kib
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC (Netgate)
Differential Revision:	https://reviews.freebsd.org/D28157
2021-01-18 17:07:56 -05:00
Mitchell Horne
a520f5ca58 armv8crypto: print a message on probe failure
Similar to the message printed by aesni(4), let the user know if the
driver is unsupported by their CPU.

PR:		252543
Reported by:	gbe
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2021-01-18 16:59:21 -04:00
Mitchell Horne
4979620ece armv8crypto: add AES-XTS support
A straightforward(ish) port from aesni(4). This implementation does not
perform loop unrolling on the input blocks, so this is left as a future
performance improvement.

Submitted by:	Greg V <greg AT unrelenting.technology>
Looks good:	jhb, jmg
Tested by:	mhorne
Differential Revision:	https://reviews.freebsd.org/D21017
2021-01-07 15:35:20 -04:00
Jung-uk Kim
d7b665dfd7 Revert r366943. It did not work as expected. 2020-12-11 00:42:53 +00:00
Jung-uk Kim
c3c73b4f0a Merge OpenSSL 1.1.1i. 2020-12-09 02:05:14 +00:00
Conrad Meyer
78599c32ef Add CFI start/end proc directives to arm64, i386, and ppc
Follow-up to r353959 and r368070: do the same for other architectures.

arm32 already seems to use its own .fnstart/.fnend directives, which
appear to be ARM-specific variants of the same thing.  Likewise, MIPS
uses .frame directives.

Reviewed by:	arichardson
Differential Revision:	https://reviews.freebsd.org/D27387
2020-12-05 00:33:28 +00:00
Mitchell Horne
22bd0c9731 ossl: port to arm64
Enable in-kernel acceleration of SHA1 and SHA2 operations on arm64 by adding
support for the ossl(4) crypto driver. This uses OpenSSL's assembly routines
under the hood, which will detect and use SHA intrinsics if they are
supported by the CPU.

Reviewed by:	jhb
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D27390
2020-12-04 21:12:17 +00:00
Mitchell Horne
fd86ae6800 ossl: split out x86 bits to x86/ossl_cpuid.c
Make room for adding arm64 support to this driver by moving the
x86-specific feature parsing to a separate file.

Reviewed by:	jhb
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D27388
2020-12-04 20:54:20 +00:00
John Baldwin
195105254f Check cipher key lengths during probesession.
OCF drivers in general should perform as many session parameter checks
as possible during probesession rather than when creating a new
session.  I got this wrong for aesni(4) in r359374.  In addition,
aesni(4) was performing the check for digest-only requests and failing
to create digest-only sessions as a result.

Reported by:	jkim
Tested by:	jkim
Sponsored by:	Chelsio Communications
2020-11-05 23:31:58 +00:00
John Baldwin
9038e6a1e4 Replace some K&R function definitions with ANSI C.
Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D27062
2020-11-03 22:32:30 +00:00
John Baldwin
d3d79e968b Consistently use C99 fixed-width types in the in-kernel crypto code.
Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D27061
2020-11-03 22:27:54 +00:00
Jung-uk Kim
7cda7375e6 Add a new CCP device ID found on my Ryzen 5 3600XT.
MFC after:	1 week
2020-10-22 17:46:55 +00:00
Oleksandr Tymoshenko
d2112ab098 [armv8crypto] Fix cryptodev probe logic in armv8crypto
Add missing break to prevent falling through to the default case statement
and returning EINVAL for all session configs.

Sponsored by:	Ampere Computing
Submitted by:	Klara, Inc.
2020-10-22 04:49:14 +00:00
John Baldwin
ba610be90a Add a kernel crypto driver using assembly routines from OpenSSL.
Currently, this supports SHA1 and SHA2-{224,256,384,512} both as plain
hashes and in HMAC mode on both amd64 and i386.  It uses the SHA
intrinsics when present similar to aesni(4), but uses SSE/AVX
instructions when they are not.

Note that some files from OpenSSL that normally wrap the assembly
routines have been adapted to export methods usable by 'struct
auth_xform' as is used by existing software crypto routines.

Reviewed by:	gallatin, jkim, delphij, gnn
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D26821
2020-10-20 17:50:18 +00:00
John Baldwin
bc3d569800 Move generated OpenSSL assembly routines into the kernel sources.
Sponsored by:	Netflix
2020-10-20 17:00:43 +00:00
Marcin Wojtas
efac54cb2f Add support for ESN in AES-NI crypto driver
This patch adds support for IPsec ESN (Extended Sequence Numbers) in
encrypt and authenticate mode (eg. AES-CBC and SHA256) and combined mode
(eg. AES-GCM).

For the encrypt and authenticate mode the ESN is stored in separate
crp_esn buffer because the high-order 32 bits of the sequence number are
appended after the Next Header (RFC 4303).

For the combined modes the high-order 32 bits of the sequence number
[e.g.  RFC 4106, Chapter 5 AAD Construction] are part of crp_aad
(prepared by netipsec layer in case of ESN support enabled), therefore
non visible diff around combined modes.

Submitted by:           Grzegorz Jaszczyk <jaz@semihalf.com>
                        Patryk Duda <pdk@semihalf.com>
Reviewed by:            jhb
Differential revision:  https://reviews.freebsd.org/D22365
Obtained from:          Semihalf
Sponsored by:           Stormshield
2020-10-16 11:21:56 +00:00
Adrian Chadd
58958a74f2 [skein] Fix compile issue with unknown symbol SKEIN_ASM_UNROLL1024
Weirdly, I needed to sprinkle more parens here to get gcc-as in 6.4
to correctly generate things.

Without them, I'd get an unknown variable reference to SKEIN_ASM_UNROLL1024.

This at least links now, but I haven't run any test cases against it.
It may be worthwhile doing it in case gcc-as demands we liberally sprinkle
more brackets around variables in .if statements.

Thanks to ed for the suggestion of just sprinkling more brackets to
see if that helped.

Reviewed by:	emaste
2020-10-14 20:55:31 +00:00
Adrian Chadd
cffe0e0f9d [skein] Fix compilation on gnu assembler with gcc-6 and gcc-9
For some reason I don't want to really understand, the following
happens with gnu as.

/home/adrian/git/freebsd/src/sys/crypto/skein/amd64/skein_block_asm.S: Assembler messages:
/home/adrian/git/freebsd/src/sys/crypto/skein/amd64/skein_block_asm.S:466: Error: found '(', expected: ')'
/home/adrian/git/freebsd/src/sys/crypto/skein/amd64/skein_block_asm.S:466: Error: junk at end of line, first unrecognized character is `('
/home/adrian/git/freebsd/src/sys/crypto/skein/amd64/skein_block_asm.S:795: Error: found '(', expected: ')'
/home/adrian/git/freebsd/src/sys/crypto/skein/amd64/skein_block_asm.S:795: Error: junk at end of line, first unrecognized character is `('
/home/adrian/git/freebsd/src/sys/crypto/skein/amd64/skein_block_asm.S:885: Error: non-constant expression in ".if" statement
/home/adrian/git/freebsd/src/sys/crypto/skein/amd64/skein_block_asm.S:885: Error: non-constant expression in ".if" statement
/home/adrian/git/freebsd/src/sys/crypto/skein/amd64/skein_block_asm.S:885: Error: non-constant expression in ".if" statement
/home/adrian/git/freebsd/src/sys/crypto/skein/amd64/skein_block_asm.S:885: Error: non-constant expression in ".if" statement
/home/adrian/git/freebsd/src/sys/crypto/skein/amd64/skein_block_asm.S:885: Error: non-constant expression in ".if" statement
/home/adrian/git/freebsd/src/sys/crypto/skein/amd64/skein_block_asm.S:885: Error: non-constant expression in ".if" statement

After an exhaustive search and experimentation at 11pm, I discovered that
putting them in parentheses fixes the compilation.

Ed pointed out that I could likely fix this in a bunch of other
locations but I'd rather leave these alone until other options
are enabled.

Tested:

* gcc-6, amd64

Reviewed by:	emaste
2020-10-14 14:29:56 +00:00
John Baldwin
4ef6ea38fc Add a <machine/fpu.h> for i386 that includes <machine/npx.h>.
arm64 has a similar wrapper.  This permits defining <machine/fpu.h> as
the standard header for fpu_kern_*.

Reviewed by:	kib
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D26753
2020-10-13 17:26:12 +00:00
Ed Maste
36972ee3e0 libmd: fix assembly optimized skein implementation
The assembly implementation incorrectly used logical AND instead of
bitwise AND. Fix, and re-enable in libmd.

Submitted by:	Yang Zhong <yzhong@freebsdfoundation.org>
Reviewed by:	cem (earlier)
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D26614
2020-10-01 21:05:50 +00:00
John Baldwin
895c98cc29 Don't return errors from the cryptodev_process() method.
The cryptodev_process() method should either return 0 if it has
completed a request, or ERESTART to defer the request until later.  If
a request encounters an error, the error should be reported via
crp_etype before completing the request via crypto_done().

Fix a few more drivers noticed by asomers@ similar to the fix in
r365389.  This is an old bug, but went unnoticed since crypto requests
did not start failing as a normal part of operation until digest
verification was introduced which can fail requests with EBADMSG.

PR:		247986
Reported by:	asomers
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D26361
2020-09-08 22:41:35 +00:00
Alan Somers
dbc973ca7a padlock(4): fix instapanics with geli authentication
cryptodev_process implementations are supposed to return 0

PR:		247986
Submitted by:	jhb
MFC after:	1 week
2020-09-06 19:25:31 +00:00
Alan Somers
e6f6d0c9bc crypto(9): add CRYPTO_BUF_VMPAGE
crypto(9) functions can now be used on buffers composed of an array of
vm_page_t structures, such as those stored in an unmapped struct bio.  It
requires the running to kernel to support the direct memory map, so not all
architectures can use it.

Reviewed by:	markj, kib, jhb, mjg, mat, bcr (manpages)
MFC after:	1 week
Sponsored by:	Axcient
Differential Revision:	https://reviews.freebsd.org/D25671
2020-08-26 02:37:42 +00:00
Alan Somers
b4fef8d068 padlock: fix Via Padlock with 192-bit keys
It's been broken since a typo in r359374

Reviewed by:	jhb
MFC after:	2 weeks
Sponsored by:	Axcient
Differential Revision:	https://reviews.freebsd.org/D25710
2020-07-20 16:12:14 +00:00
Conrad Meyer
c74a3041f0 Add domain policy allocation for amd64 fpu_kern_ctx
Like other types of allocation, fpu_kern_ctx are frequently allocated per-cpu.
Provide the API and sketch some example consumers.

fpu_kern_alloc_ctx_domain() preferentially allocates memory from the
provided domain, and falls back to other domains if that one is empty
(DOMAINSET_PREF(domain) policy).

Maybe it makes more sense to just shove one of these in the DPCPU area
sooner or later -- left for future work.

Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D22053
2020-07-03 14:54:46 +00:00
John Baldwin
b172f23dd7 Use zfree() instead of bzero() and free().
These bzero's should have been explicit_bzero's.

Reviewed by:	cem, delphij
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D25437
2020-06-25 20:20:22 +00:00
John Baldwin
4a711b8d04 Use zfree() instead of explicit_bzero() and free().
In addition to reducing lines of code, this also ensures that the full
allocation is always zeroed avoiding possible bugs with incorrect
lengths passed to explicit_bzero().

Suggested by:	cem
Reviewed by:	cem, delphij
Approved by:	csprng (cem)
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D25435
2020-06-25 20:17:34 +00:00
John Baldwin
604b021795 Add support for requests with separate AAD to aesni(4).
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D25289
2020-06-22 23:22:13 +00:00
John Baldwin
b0b2161ce4 Fix AES-CCM requests with an AAD size smaller than a single block.
The amount to copy for the first block is the minimum of the size of
the AAD region or the remaining space in the first block.

Reported by:	cryptocheck -z
MFC after:	2 weeks
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D25140
2020-06-12 21:33:02 +00:00
John Baldwin
9b6b2f8608 Adjust crypto_apply function callbacks for OCF.
- crypto_apply() is only used for reading a buffer to compute a
  digest, so change the data pointer to a const pointer.

- To better match m_apply(), change the data pointer type to void *
  and the length from uint16_t to u_int.  The length field in
  particular matters as none of the apply logic was splitting requests
  larger than UINT16_MAX.

- Adjust the auth_xform Update callback to match the function
  prototype passed to crypto_apply() and crypto_apply_buf().  This
  removes the needs for casts when using the Update callback.

- Change the Reinit and Setkey callbacks to also use a u_int length
  instead of uint16_t.

- Update auth transforms for the changes.  While here, use C99
  initializers for auth_hash structures and avoid casts on callbacks.

Reviewed by:	cem
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D25171
2020-06-10 21:18:19 +00:00
John Baldwin
a3d565a118 Add a crypto capability flag for accelerated software drivers.
Use this in GELI to print out a different message when accelerated
software such as AESNI is used vs plain software crypto.

While here, simplify the logic in GELI a bit for determing which type
of crypto driver was chosen the first time by examining the
capabilities of the matched driver after a single call to
crypto_newsession rather than making separate calls with different
flags.

Reviewed by:	delphij
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D25126
2020-06-09 22:26:07 +00:00
John Baldwin
cea399ec0e Mark padlock(4) and cryptocteon(4) as software drivers.
Both already return the accelerated software priority from
cryptodev_probesession.

Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D25125
2020-06-09 22:19:36 +00:00
Ed Maste
24ed6f550a Rename skein_block_asm.s to .S and assemble using Clang IAS
Comparing the object files produced by GNU as 2.17.50 and Clang IAS
shows many immaterial changes in strtab etc., and one material change
in .text:

   1bac:  4c 8b 4f 18             mov    0x18(%rdi),%r9
   1bb0:  eb 0e                   jmp    1bc0 <Skein1024_block_loop>
-  1bb2:  66 66 2e 0f 1f 84 00    data16 nopw %cs:0x0(%rax,%rax,1)
-  1bb9:  00 00 00 00
-  1bbd:  0f 1f 00                nopl   (%rax)
+  1bb2:  66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
+  1bb9:  00 00 00
+  1bbc:  0f 1f 40 00             nopl   0x0(%rax)

 0000000000001bc0 <Skein1024_block_loop>:
 Skein1024_block_loop():
   1bc0:  4c 8b 47 10             mov    0x10(%rdi),%r8
   1bc4:  4c 03 85 c0 00 00 00    add    0xc0(%rbp),%r8

That is, GNU as and Clang's integrated assembler use different multi-
byte NOPs for alignment (GNU as emits an 11 byte NOP + a 3 byte NOP,
while Clang IAS emits a 10 byte NOP + a 4 byte NOP).

Dependency cleanup hacks are not required, because we do not create
.depend files from GNU as.

Reviewed by:	allanjude, arichardson, cem, tsoome
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D8434
2020-06-06 00:35:41 +00:00
Ed Maste
16c0b6eef9 skein_block_asm.S: use #ifdef not .ifdef, for Clang IAS
Clang IAS does not support the --defsym argument, and

.ifndef SKEIN_USE_ASM

gets turned into

.ifndef 1792

by the preprocessor, which results in

error: expected identifier after '.ifdef'
.ifndef 1792
        ^

Use #ifdef instead, which still works with GNU as.

Reviewed by:	cem
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D25154
2020-06-05 18:37:04 +00:00
Alex Richardson
7de010f2ee Allow assembling skein_block_asm.s with clang
GNU as seems to allow macro arguments without the '\' but clang is more
strict in that regard.
This change makes the source code compatible with LLVM's but does not yet
change the build system or rename it to .S.

The new code assembles identically with GNU as 2.17.50.

Reviewed By:	emaste
Differential Revision: https://reviews.freebsd.org/D25143
2020-06-05 13:54:13 +00:00
John Baldwin
66f2e4b620 Explicitly zero on-stack IVs, tags, and HMAC keys.
Reviewed by:	delphij
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D25057
2020-06-03 22:15:11 +00:00
Marcin Wojtas
ccbaa67d8b Change return types of hash update functions in SHA-NI
r359374 introduced crypto_apply function which takes as argument a function pointer
that is expected to return an int, however aesni hash update functions
return void.
Because of that the function pointer passed was simply cast with
its return value changed.
This resulted in undefined behavior, in particular when mbuf is used, (ipsec)
m_apply checks return value of function pointer passed to it
and in our case bogusly fails after calculating hash of the first mbuf
in chain.
Fix it by changing signatures of sha update routines in aesni and
dropping the casts.

Submitted by: Kornel Duleba
Reviewed by: jhb, cem
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D25030
2020-05-28 09:13:20 +00:00