1b2e60773SJohn Baldwin /*- 2b2e60773SJohn Baldwin * SPDX-License-Identifier: BSD-2-Clause 3b2e60773SJohn Baldwin * 4b2e60773SJohn Baldwin * Copyright (c) 2019 Netflix Inc. 5b2e60773SJohn Baldwin * All rights reserved. 6b2e60773SJohn Baldwin * 7b2e60773SJohn Baldwin * Redistribution and use in source and binary forms, with or without 8b2e60773SJohn Baldwin * modification, are permitted provided that the following conditions 9b2e60773SJohn Baldwin * are met: 10b2e60773SJohn Baldwin * 1. Redistributions of source code must retain the above copyright 11b2e60773SJohn Baldwin * notice, this list of conditions and the following disclaimer. 12b2e60773SJohn Baldwin * 2. Redistributions in binary form must reproduce the above copyright 13b2e60773SJohn Baldwin * notice, this list of conditions and the following disclaimer in the 14b2e60773SJohn Baldwin * documentation and/or other materials provided with the distribution. 15b2e60773SJohn Baldwin * 16b2e60773SJohn Baldwin * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17b2e60773SJohn Baldwin * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18b2e60773SJohn Baldwin * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19b2e60773SJohn Baldwin * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20b2e60773SJohn Baldwin * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21b2e60773SJohn Baldwin * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22b2e60773SJohn Baldwin * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23b2e60773SJohn Baldwin * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24b2e60773SJohn Baldwin * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25b2e60773SJohn Baldwin * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26b2e60773SJohn Baldwin * SUCH DAMAGE. 27b2e60773SJohn Baldwin */ 28b2e60773SJohn Baldwin 29b2e60773SJohn Baldwin #include <sys/cdefs.h> 30b2e60773SJohn Baldwin __FBSDID("$FreeBSD$"); 31b2e60773SJohn Baldwin 32b2e60773SJohn Baldwin #include <sys/param.h> 33b2e60773SJohn Baldwin #include <sys/systm.h> 34b2e60773SJohn Baldwin #include <sys/counter.h> 35b2e60773SJohn Baldwin #include <sys/endian.h> 36b2e60773SJohn Baldwin #include <sys/kernel.h> 37b2e60773SJohn Baldwin #include <sys/ktls.h> 38b2e60773SJohn Baldwin #include <sys/lock.h> 39b2e60773SJohn Baldwin #include <sys/malloc.h> 40b2e60773SJohn Baldwin #include <sys/module.h> 41b2e60773SJohn Baldwin #include <sys/mutex.h> 42b2e60773SJohn Baldwin #include <sys/sysctl.h> 43b2e60773SJohn Baldwin #include <sys/uio.h> 44b2e60773SJohn Baldwin #include <opencrypto/cryptodev.h> 45b2e60773SJohn Baldwin 46b2e60773SJohn Baldwin struct ocf_session { 47b2e60773SJohn Baldwin crypto_session_t sid; 48*47e2650eSJohn Baldwin crypto_session_t mac_sid; 49*47e2650eSJohn Baldwin int mac_len; 50b2e60773SJohn Baldwin struct mtx lock; 51*47e2650eSJohn Baldwin bool implicit_iv; 52*47e2650eSJohn Baldwin 53*47e2650eSJohn Baldwin /* Only used for TLS 1.0 with the implicit IV. */ 54*47e2650eSJohn Baldwin #ifdef INVARIANTS 55*47e2650eSJohn Baldwin bool in_progress; 56*47e2650eSJohn Baldwin uint64_t next_seqno; 57*47e2650eSJohn Baldwin #endif 58*47e2650eSJohn Baldwin char iv[AES_BLOCK_LEN]; 59b2e60773SJohn Baldwin }; 60b2e60773SJohn Baldwin 61b2e60773SJohn Baldwin struct ocf_operation { 62b2e60773SJohn Baldwin struct ocf_session *os; 63b2e60773SJohn Baldwin bool done; 64b2e60773SJohn Baldwin }; 65b2e60773SJohn Baldwin 66b2e60773SJohn Baldwin static MALLOC_DEFINE(M_KTLS_OCF, "ktls_ocf", "OCF KTLS"); 67b2e60773SJohn Baldwin 68b2e60773SJohn Baldwin SYSCTL_DECL(_kern_ipc_tls); 69b2e60773SJohn Baldwin SYSCTL_DECL(_kern_ipc_tls_stats); 70b2e60773SJohn Baldwin 717029da5cSPawel Biernacki static SYSCTL_NODE(_kern_ipc_tls_stats, OID_AUTO, ocf, 727029da5cSPawel Biernacki CTLFLAG_RD | CTLFLAG_MPSAFE, 0, 7355b7a0e1SJohn Baldwin "Kernel TLS offload via OCF stats"); 7455b7a0e1SJohn Baldwin 75*47e2650eSJohn Baldwin static counter_u64_t ocf_tls10_cbc_crypts; 76*47e2650eSJohn Baldwin SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls10_cbc_crypts, 77*47e2650eSJohn Baldwin CTLFLAG_RD, &ocf_tls10_cbc_crypts, 78*47e2650eSJohn Baldwin "Total number of OCF TLS 1.0 CBC encryption operations"); 79*47e2650eSJohn Baldwin 80*47e2650eSJohn Baldwin static counter_u64_t ocf_tls11_cbc_crypts; 81*47e2650eSJohn Baldwin SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls11_cbc_crypts, 82*47e2650eSJohn Baldwin CTLFLAG_RD, &ocf_tls11_cbc_crypts, 83*47e2650eSJohn Baldwin "Total number of OCF TLS 1.1/1.2 CBC encryption operations"); 84*47e2650eSJohn Baldwin 8555b7a0e1SJohn Baldwin static counter_u64_t ocf_tls12_gcm_crypts; 8655b7a0e1SJohn Baldwin SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls12_gcm_crypts, 8755b7a0e1SJohn Baldwin CTLFLAG_RD, &ocf_tls12_gcm_crypts, 8855b7a0e1SJohn Baldwin "Total number of OCF TLS 1.2 GCM encryption operations"); 8955b7a0e1SJohn Baldwin 9055b7a0e1SJohn Baldwin static counter_u64_t ocf_tls13_gcm_crypts; 9155b7a0e1SJohn Baldwin SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls13_gcm_crypts, 9255b7a0e1SJohn Baldwin CTLFLAG_RD, &ocf_tls13_gcm_crypts, 9355b7a0e1SJohn Baldwin "Total number of OCF TLS 1.3 GCM encryption operations"); 94b2e60773SJohn Baldwin 95080933c0SJohn Baldwin static counter_u64_t ocf_inplace; 96080933c0SJohn Baldwin SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, inplace, 97080933c0SJohn Baldwin CTLFLAG_RD, &ocf_inplace, 98080933c0SJohn Baldwin "Total number of OCF in-place operations"); 99080933c0SJohn Baldwin 100080933c0SJohn Baldwin static counter_u64_t ocf_separate_output; 101080933c0SJohn Baldwin SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, separate_output, 102080933c0SJohn Baldwin CTLFLAG_RD, &ocf_separate_output, 103080933c0SJohn Baldwin "Total number of OCF operations with a separate output buffer"); 104080933c0SJohn Baldwin 105b2e60773SJohn Baldwin static counter_u64_t ocf_retries; 10655b7a0e1SJohn Baldwin SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, retries, CTLFLAG_RD, 107b2e60773SJohn Baldwin &ocf_retries, 108b2e60773SJohn Baldwin "Number of OCF encryption operation retries"); 109b2e60773SJohn Baldwin 110b2e60773SJohn Baldwin static int 111b2e60773SJohn Baldwin ktls_ocf_callback(struct cryptop *crp) 112b2e60773SJohn Baldwin { 113b2e60773SJohn Baldwin struct ocf_operation *oo; 114b2e60773SJohn Baldwin 115b2e60773SJohn Baldwin oo = crp->crp_opaque; 116b2e60773SJohn Baldwin mtx_lock(&oo->os->lock); 117b2e60773SJohn Baldwin oo->done = true; 118b2e60773SJohn Baldwin mtx_unlock(&oo->os->lock); 119b2e60773SJohn Baldwin wakeup(oo); 120b2e60773SJohn Baldwin return (0); 121b2e60773SJohn Baldwin } 122b2e60773SJohn Baldwin 123b2e60773SJohn Baldwin static int 12470d1a435SJohn Baldwin ktls_ocf_dispatch(struct ocf_session *os, struct cryptop *crp) 12570d1a435SJohn Baldwin { 12670d1a435SJohn Baldwin struct ocf_operation oo; 12770d1a435SJohn Baldwin int error; 12870d1a435SJohn Baldwin 12970d1a435SJohn Baldwin oo.os = os; 13070d1a435SJohn Baldwin oo.done = false; 13170d1a435SJohn Baldwin 13270d1a435SJohn Baldwin crp->crp_opaque = &oo; 13370d1a435SJohn Baldwin crp->crp_callback = ktls_ocf_callback; 13470d1a435SJohn Baldwin for (;;) { 13570d1a435SJohn Baldwin error = crypto_dispatch(crp); 13670d1a435SJohn Baldwin if (error) 13770d1a435SJohn Baldwin break; 13870d1a435SJohn Baldwin 13970d1a435SJohn Baldwin mtx_lock(&os->lock); 14070d1a435SJohn Baldwin while (!oo.done) 14170d1a435SJohn Baldwin mtx_sleep(&oo, &os->lock, 0, "ocfktls", 0); 14270d1a435SJohn Baldwin mtx_unlock(&os->lock); 14370d1a435SJohn Baldwin 14470d1a435SJohn Baldwin if (crp->crp_etype != EAGAIN) { 14570d1a435SJohn Baldwin error = crp->crp_etype; 14670d1a435SJohn Baldwin break; 14770d1a435SJohn Baldwin } 14870d1a435SJohn Baldwin 14970d1a435SJohn Baldwin crp->crp_etype = 0; 15070d1a435SJohn Baldwin crp->crp_flags &= ~CRYPTO_F_DONE; 15170d1a435SJohn Baldwin oo.done = false; 15270d1a435SJohn Baldwin counter_u64_add(ocf_retries, 1); 15370d1a435SJohn Baldwin } 15470d1a435SJohn Baldwin return (error); 15570d1a435SJohn Baldwin } 15670d1a435SJohn Baldwin 15770d1a435SJohn Baldwin static int 158*47e2650eSJohn Baldwin ktls_ocf_tls_cbc_encrypt(struct ktls_session *tls, 159*47e2650eSJohn Baldwin const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov, 160*47e2650eSJohn Baldwin struct iovec *outiov, int iovcnt, uint64_t seqno, 161*47e2650eSJohn Baldwin uint8_t record_type __unused) 162*47e2650eSJohn Baldwin { 163*47e2650eSJohn Baldwin struct uio uio, out_uio; 164*47e2650eSJohn Baldwin struct tls_mac_data ad; 165*47e2650eSJohn Baldwin struct cryptop crp; 166*47e2650eSJohn Baldwin struct ocf_session *os; 167*47e2650eSJohn Baldwin struct iovec iov[iovcnt + 2]; 168*47e2650eSJohn Baldwin struct iovec out_iov[iovcnt + 1]; 169*47e2650eSJohn Baldwin int i, error; 170*47e2650eSJohn Baldwin uint16_t tls_comp_len; 171*47e2650eSJohn Baldwin uint8_t pad; 172*47e2650eSJohn Baldwin bool inplace; 173*47e2650eSJohn Baldwin 174*47e2650eSJohn Baldwin os = tls->cipher; 175*47e2650eSJohn Baldwin 176*47e2650eSJohn Baldwin #ifdef INVARIANTS 177*47e2650eSJohn Baldwin if (os->implicit_iv) { 178*47e2650eSJohn Baldwin mtx_lock(&os->lock); 179*47e2650eSJohn Baldwin KASSERT(!os->in_progress, 180*47e2650eSJohn Baldwin ("concurrent implicit IV encryptions")); 181*47e2650eSJohn Baldwin if (os->next_seqno != seqno) { 182*47e2650eSJohn Baldwin printf("KTLS CBC: TLS records out of order. " 183*47e2650eSJohn Baldwin "Expected %ju, got %ju\n", 184*47e2650eSJohn Baldwin (uintmax_t)os->next_seqno, (uintmax_t)seqno); 185*47e2650eSJohn Baldwin mtx_unlock(&os->lock); 186*47e2650eSJohn Baldwin return (EINVAL); 187*47e2650eSJohn Baldwin } 188*47e2650eSJohn Baldwin os->in_progress = true; 189*47e2650eSJohn Baldwin mtx_unlock(&os->lock); 190*47e2650eSJohn Baldwin } 191*47e2650eSJohn Baldwin #endif 192*47e2650eSJohn Baldwin 193*47e2650eSJohn Baldwin /* 194*47e2650eSJohn Baldwin * Compute the payload length. 195*47e2650eSJohn Baldwin * 196*47e2650eSJohn Baldwin * XXX: This could be easily computed O(1) from the mbuf 197*47e2650eSJohn Baldwin * fields, but we don't have those accessible here. Can 198*47e2650eSJohn Baldwin * at least compute inplace as well while we are here. 199*47e2650eSJohn Baldwin */ 200*47e2650eSJohn Baldwin tls_comp_len = 0; 201*47e2650eSJohn Baldwin inplace = true; 202*47e2650eSJohn Baldwin for (i = 0; i < iovcnt; i++) { 203*47e2650eSJohn Baldwin tls_comp_len += iniov[i].iov_len; 204*47e2650eSJohn Baldwin if (iniov[i].iov_base != outiov[i].iov_base) 205*47e2650eSJohn Baldwin inplace = false; 206*47e2650eSJohn Baldwin } 207*47e2650eSJohn Baldwin 208*47e2650eSJohn Baldwin /* Initialize the AAD. */ 209*47e2650eSJohn Baldwin ad.seq = htobe64(seqno); 210*47e2650eSJohn Baldwin ad.type = hdr->tls_type; 211*47e2650eSJohn Baldwin ad.tls_vmajor = hdr->tls_vmajor; 212*47e2650eSJohn Baldwin ad.tls_vminor = hdr->tls_vminor; 213*47e2650eSJohn Baldwin ad.tls_length = htons(tls_comp_len); 214*47e2650eSJohn Baldwin 215*47e2650eSJohn Baldwin /* First, compute the MAC. */ 216*47e2650eSJohn Baldwin iov[0].iov_base = &ad; 217*47e2650eSJohn Baldwin iov[0].iov_len = sizeof(ad); 218*47e2650eSJohn Baldwin memcpy(&iov[1], iniov, sizeof(*iniov) * iovcnt); 219*47e2650eSJohn Baldwin iov[iovcnt + 1].iov_base = trailer; 220*47e2650eSJohn Baldwin iov[iovcnt + 1].iov_len = os->mac_len; 221*47e2650eSJohn Baldwin uio.uio_iov = iov; 222*47e2650eSJohn Baldwin uio.uio_iovcnt = iovcnt + 2; 223*47e2650eSJohn Baldwin uio.uio_offset = 0; 224*47e2650eSJohn Baldwin uio.uio_segflg = UIO_SYSSPACE; 225*47e2650eSJohn Baldwin uio.uio_td = curthread; 226*47e2650eSJohn Baldwin uio.uio_resid = sizeof(ad) + tls_comp_len + os->mac_len; 227*47e2650eSJohn Baldwin 228*47e2650eSJohn Baldwin crypto_initreq(&crp, os->mac_sid); 229*47e2650eSJohn Baldwin crp.crp_payload_start = 0; 230*47e2650eSJohn Baldwin crp.crp_payload_length = sizeof(ad) + tls_comp_len; 231*47e2650eSJohn Baldwin crp.crp_digest_start = crp.crp_payload_length; 232*47e2650eSJohn Baldwin crp.crp_op = CRYPTO_OP_COMPUTE_DIGEST; 233*47e2650eSJohn Baldwin crp.crp_flags = CRYPTO_F_CBIMM; 234*47e2650eSJohn Baldwin crypto_use_uio(&crp, &uio); 235*47e2650eSJohn Baldwin error = ktls_ocf_dispatch(os, &crp); 236*47e2650eSJohn Baldwin 237*47e2650eSJohn Baldwin crypto_destroyreq(&crp); 238*47e2650eSJohn Baldwin if (error) { 239*47e2650eSJohn Baldwin #ifdef INVARIANTS 240*47e2650eSJohn Baldwin if (os->implicit_iv) { 241*47e2650eSJohn Baldwin mtx_lock(&os->lock); 242*47e2650eSJohn Baldwin os->in_progress = false; 243*47e2650eSJohn Baldwin mtx_unlock(&os->lock); 244*47e2650eSJohn Baldwin } 245*47e2650eSJohn Baldwin #endif 246*47e2650eSJohn Baldwin return (error); 247*47e2650eSJohn Baldwin } 248*47e2650eSJohn Baldwin 249*47e2650eSJohn Baldwin /* Second, add the padding. */ 250*47e2650eSJohn Baldwin pad = (unsigned)(AES_BLOCK_LEN - (tls_comp_len + os->mac_len + 1)) % 251*47e2650eSJohn Baldwin AES_BLOCK_LEN; 252*47e2650eSJohn Baldwin for (i = 0; i < pad + 1; i++) 253*47e2650eSJohn Baldwin trailer[os->mac_len + i] = pad; 254*47e2650eSJohn Baldwin 255*47e2650eSJohn Baldwin /* Finally, encrypt the record. */ 256*47e2650eSJohn Baldwin 257*47e2650eSJohn Baldwin /* 258*47e2650eSJohn Baldwin * Don't recopy the input iovec, instead just adjust the 259*47e2650eSJohn Baldwin * trailer length and skip over the AAD vector in the uio. 260*47e2650eSJohn Baldwin */ 261*47e2650eSJohn Baldwin iov[iovcnt + 1].iov_len += pad + 1; 262*47e2650eSJohn Baldwin uio.uio_iov = iov + 1; 263*47e2650eSJohn Baldwin uio.uio_iovcnt = iovcnt + 1; 264*47e2650eSJohn Baldwin uio.uio_resid = tls_comp_len + iov[iovcnt + 1].iov_len; 265*47e2650eSJohn Baldwin KASSERT(uio.uio_resid % AES_BLOCK_LEN == 0, 266*47e2650eSJohn Baldwin ("invalid encryption size")); 267*47e2650eSJohn Baldwin 268*47e2650eSJohn Baldwin crypto_initreq(&crp, os->sid); 269*47e2650eSJohn Baldwin crp.crp_payload_start = 0; 270*47e2650eSJohn Baldwin crp.crp_payload_length = uio.uio_resid; 271*47e2650eSJohn Baldwin crp.crp_op = CRYPTO_OP_ENCRYPT; 272*47e2650eSJohn Baldwin crp.crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE; 273*47e2650eSJohn Baldwin if (os->implicit_iv) 274*47e2650eSJohn Baldwin memcpy(crp.crp_iv, os->iv, AES_BLOCK_LEN); 275*47e2650eSJohn Baldwin else 276*47e2650eSJohn Baldwin memcpy(crp.crp_iv, hdr + 1, AES_BLOCK_LEN); 277*47e2650eSJohn Baldwin crypto_use_uio(&crp, &uio); 278*47e2650eSJohn Baldwin if (!inplace) { 279*47e2650eSJohn Baldwin memcpy(out_iov, outiov, sizeof(*iniov) * iovcnt); 280*47e2650eSJohn Baldwin out_iov[iovcnt] = iov[iovcnt + 1]; 281*47e2650eSJohn Baldwin out_uio.uio_iov = out_iov; 282*47e2650eSJohn Baldwin out_uio.uio_iovcnt = iovcnt + 1; 283*47e2650eSJohn Baldwin out_uio.uio_offset = 0; 284*47e2650eSJohn Baldwin out_uio.uio_segflg = UIO_SYSSPACE; 285*47e2650eSJohn Baldwin out_uio.uio_td = curthread; 286*47e2650eSJohn Baldwin out_uio.uio_resid = uio.uio_resid; 287*47e2650eSJohn Baldwin crypto_use_output_uio(&crp, &out_uio); 288*47e2650eSJohn Baldwin } 289*47e2650eSJohn Baldwin 290*47e2650eSJohn Baldwin if (os->implicit_iv) 291*47e2650eSJohn Baldwin counter_u64_add(ocf_tls10_cbc_crypts, 1); 292*47e2650eSJohn Baldwin else 293*47e2650eSJohn Baldwin counter_u64_add(ocf_tls11_cbc_crypts, 1); 294*47e2650eSJohn Baldwin if (inplace) 295*47e2650eSJohn Baldwin counter_u64_add(ocf_inplace, 1); 296*47e2650eSJohn Baldwin else 297*47e2650eSJohn Baldwin counter_u64_add(ocf_separate_output, 1); 298*47e2650eSJohn Baldwin error = ktls_ocf_dispatch(os, &crp); 299*47e2650eSJohn Baldwin 300*47e2650eSJohn Baldwin crypto_destroyreq(&crp); 301*47e2650eSJohn Baldwin 302*47e2650eSJohn Baldwin if (os->implicit_iv) { 303*47e2650eSJohn Baldwin KASSERT(os->mac_len + pad + 1 >= AES_BLOCK_LEN, 304*47e2650eSJohn Baldwin ("trailer too short to read IV")); 305*47e2650eSJohn Baldwin memcpy(os->iv, trailer + os->mac_len + pad + 1 - AES_BLOCK_LEN, 306*47e2650eSJohn Baldwin AES_BLOCK_LEN); 307*47e2650eSJohn Baldwin #ifdef INVARIANTS 308*47e2650eSJohn Baldwin mtx_lock(&os->lock); 309*47e2650eSJohn Baldwin os->next_seqno = seqno + 1; 310*47e2650eSJohn Baldwin os->in_progress = false; 311*47e2650eSJohn Baldwin mtx_unlock(&os->lock); 312*47e2650eSJohn Baldwin #endif 313*47e2650eSJohn Baldwin } 314*47e2650eSJohn Baldwin return (error); 315*47e2650eSJohn Baldwin } 316*47e2650eSJohn Baldwin 317*47e2650eSJohn Baldwin static int 31855b7a0e1SJohn Baldwin ktls_ocf_tls12_gcm_encrypt(struct ktls_session *tls, 31955b7a0e1SJohn Baldwin const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov, 32055b7a0e1SJohn Baldwin struct iovec *outiov, int iovcnt, uint64_t seqno, 32155b7a0e1SJohn Baldwin uint8_t record_type __unused) 322b2e60773SJohn Baldwin { 323080933c0SJohn Baldwin struct uio uio, out_uio, *tag_uio; 324b2e60773SJohn Baldwin struct tls_aead_data ad; 32533a1a488SJohn Baldwin struct cryptop crp; 326b2e60773SJohn Baldwin struct ocf_session *os; 32733a1a488SJohn Baldwin struct iovec iov[iovcnt + 1]; 328b2e60773SJohn Baldwin int i, error; 329b2e60773SJohn Baldwin uint16_t tls_comp_len; 330080933c0SJohn Baldwin bool inplace; 331b2e60773SJohn Baldwin 332b2e60773SJohn Baldwin os = tls->cipher; 333b2e60773SJohn Baldwin 3345b750b9aSJohn Baldwin uio.uio_iov = iniov; 3355b750b9aSJohn Baldwin uio.uio_iovcnt = iovcnt; 336080933c0SJohn Baldwin uio.uio_offset = 0; 337080933c0SJohn Baldwin uio.uio_segflg = UIO_SYSSPACE; 338080933c0SJohn Baldwin uio.uio_td = curthread; 339080933c0SJohn Baldwin 3405b750b9aSJohn Baldwin out_uio.uio_iov = outiov; 3415b750b9aSJohn Baldwin out_uio.uio_iovcnt = iovcnt; 342080933c0SJohn Baldwin out_uio.uio_offset = 0; 343080933c0SJohn Baldwin out_uio.uio_segflg = UIO_SYSSPACE; 344080933c0SJohn Baldwin out_uio.uio_td = curthread; 345b2e60773SJohn Baldwin 34633a1a488SJohn Baldwin crypto_initreq(&crp, os->sid); 347b2e60773SJohn Baldwin 348b2e60773SJohn Baldwin /* Setup the IV. */ 34933a1a488SJohn Baldwin memcpy(crp.crp_iv, tls->params.iv, TLS_AEAD_GCM_LEN); 35033a1a488SJohn Baldwin memcpy(crp.crp_iv + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t)); 351b2e60773SJohn Baldwin 352b2e60773SJohn Baldwin /* Setup the AAD. */ 353b2e60773SJohn Baldwin tls_comp_len = ntohs(hdr->tls_length) - 354c0341432SJohn Baldwin (AES_GMAC_HASH_LEN + sizeof(uint64_t)); 355b2e60773SJohn Baldwin ad.seq = htobe64(seqno); 356b2e60773SJohn Baldwin ad.type = hdr->tls_type; 357b2e60773SJohn Baldwin ad.tls_vmajor = hdr->tls_vmajor; 358b2e60773SJohn Baldwin ad.tls_vminor = hdr->tls_vminor; 359b2e60773SJohn Baldwin ad.tls_length = htons(tls_comp_len); 36033a1a488SJohn Baldwin crp.crp_aad = &ad; 36133a1a488SJohn Baldwin crp.crp_aad_length = sizeof(ad); 362b2e60773SJohn Baldwin 363080933c0SJohn Baldwin /* Compute payload length and determine if encryption is in place. */ 364080933c0SJohn Baldwin inplace = true; 36533a1a488SJohn Baldwin crp.crp_payload_start = 0; 366b2e60773SJohn Baldwin for (i = 0; i < iovcnt; i++) { 367b2e60773SJohn Baldwin if (iniov[i].iov_base != outiov[i].iov_base) 368080933c0SJohn Baldwin inplace = false; 36933a1a488SJohn Baldwin crp.crp_payload_length += iniov[i].iov_len; 370b2e60773SJohn Baldwin } 37133a1a488SJohn Baldwin uio.uio_resid = crp.crp_payload_length; 37233a1a488SJohn Baldwin out_uio.uio_resid = crp.crp_payload_length; 373b2e60773SJohn Baldwin 374080933c0SJohn Baldwin if (inplace) 375080933c0SJohn Baldwin tag_uio = &uio; 376080933c0SJohn Baldwin else 377080933c0SJohn Baldwin tag_uio = &out_uio; 378b2e60773SJohn Baldwin 3795b750b9aSJohn Baldwin /* Duplicate iovec and append vector for tag. */ 38033a1a488SJohn Baldwin memcpy(iov, tag_uio->uio_iov, iovcnt * sizeof(struct iovec)); 38133a1a488SJohn Baldwin iov[iovcnt].iov_base = trailer; 38233a1a488SJohn Baldwin iov[iovcnt].iov_len = AES_GMAC_HASH_LEN; 38333a1a488SJohn Baldwin tag_uio->uio_iov = iov; 384080933c0SJohn Baldwin tag_uio->uio_iovcnt++; 38533a1a488SJohn Baldwin crp.crp_digest_start = tag_uio->uio_resid; 386080933c0SJohn Baldwin tag_uio->uio_resid += AES_GMAC_HASH_LEN; 387b2e60773SJohn Baldwin 38833a1a488SJohn Baldwin crp.crp_op = CRYPTO_OP_ENCRYPT | CRYPTO_OP_COMPUTE_DIGEST; 38933a1a488SJohn Baldwin crp.crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE; 39033a1a488SJohn Baldwin crypto_use_uio(&crp, &uio); 391080933c0SJohn Baldwin if (!inplace) 39233a1a488SJohn Baldwin crypto_use_output_uio(&crp, &out_uio); 393b2e60773SJohn Baldwin 39455b7a0e1SJohn Baldwin counter_u64_add(ocf_tls12_gcm_crypts, 1); 395080933c0SJohn Baldwin if (inplace) 396080933c0SJohn Baldwin counter_u64_add(ocf_inplace, 1); 397080933c0SJohn Baldwin else 398080933c0SJohn Baldwin counter_u64_add(ocf_separate_output, 1); 39970d1a435SJohn Baldwin error = ktls_ocf_dispatch(os, &crp); 40055b7a0e1SJohn Baldwin 40133a1a488SJohn Baldwin crypto_destroyreq(&crp); 40255b7a0e1SJohn Baldwin return (error); 40355b7a0e1SJohn Baldwin } 40455b7a0e1SJohn Baldwin 40555b7a0e1SJohn Baldwin static int 4063c0e5685SJohn Baldwin ktls_ocf_tls12_gcm_decrypt(struct ktls_session *tls, 4073c0e5685SJohn Baldwin const struct tls_record_layer *hdr, struct mbuf *m, uint64_t seqno, 4083c0e5685SJohn Baldwin int *trailer_len) 4093c0e5685SJohn Baldwin { 4103c0e5685SJohn Baldwin struct tls_aead_data ad; 4113c0e5685SJohn Baldwin struct cryptop crp; 4123c0e5685SJohn Baldwin struct ocf_session *os; 4133c0e5685SJohn Baldwin struct ocf_operation oo; 4143c0e5685SJohn Baldwin int error; 4153c0e5685SJohn Baldwin uint16_t tls_comp_len; 4163c0e5685SJohn Baldwin 4173c0e5685SJohn Baldwin os = tls->cipher; 4183c0e5685SJohn Baldwin 4193c0e5685SJohn Baldwin oo.os = os; 4203c0e5685SJohn Baldwin oo.done = false; 4213c0e5685SJohn Baldwin 4223c0e5685SJohn Baldwin crypto_initreq(&crp, os->sid); 4233c0e5685SJohn Baldwin 4243c0e5685SJohn Baldwin /* Setup the IV. */ 4253c0e5685SJohn Baldwin memcpy(crp.crp_iv, tls->params.iv, TLS_AEAD_GCM_LEN); 4263c0e5685SJohn Baldwin memcpy(crp.crp_iv + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t)); 4273c0e5685SJohn Baldwin 4283c0e5685SJohn Baldwin /* Setup the AAD. */ 4293c0e5685SJohn Baldwin tls_comp_len = ntohs(hdr->tls_length) - 4303c0e5685SJohn Baldwin (AES_GMAC_HASH_LEN + sizeof(uint64_t)); 4313c0e5685SJohn Baldwin ad.seq = htobe64(seqno); 4323c0e5685SJohn Baldwin ad.type = hdr->tls_type; 4333c0e5685SJohn Baldwin ad.tls_vmajor = hdr->tls_vmajor; 4343c0e5685SJohn Baldwin ad.tls_vminor = hdr->tls_vminor; 4353c0e5685SJohn Baldwin ad.tls_length = htons(tls_comp_len); 4363c0e5685SJohn Baldwin crp.crp_aad = &ad; 4373c0e5685SJohn Baldwin crp.crp_aad_length = sizeof(ad); 4383c0e5685SJohn Baldwin 4393c0e5685SJohn Baldwin crp.crp_payload_start = tls->params.tls_hlen; 4403c0e5685SJohn Baldwin crp.crp_payload_length = tls_comp_len; 4413c0e5685SJohn Baldwin crp.crp_digest_start = crp.crp_payload_start + crp.crp_payload_length; 4423c0e5685SJohn Baldwin 4433c0e5685SJohn Baldwin crp.crp_op = CRYPTO_OP_DECRYPT | CRYPTO_OP_VERIFY_DIGEST; 4443c0e5685SJohn Baldwin crp.crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE; 4453c0e5685SJohn Baldwin crypto_use_mbuf(&crp, m); 4463c0e5685SJohn Baldwin 4473c0e5685SJohn Baldwin counter_u64_add(ocf_tls12_gcm_crypts, 1); 4483c0e5685SJohn Baldwin error = ktls_ocf_dispatch(os, &crp); 4493c0e5685SJohn Baldwin 4503c0e5685SJohn Baldwin crypto_destroyreq(&crp); 4513c0e5685SJohn Baldwin *trailer_len = AES_GMAC_HASH_LEN; 4523c0e5685SJohn Baldwin return (error); 4533c0e5685SJohn Baldwin } 4543c0e5685SJohn Baldwin 4553c0e5685SJohn Baldwin static int 45655b7a0e1SJohn Baldwin ktls_ocf_tls13_gcm_encrypt(struct ktls_session *tls, 45755b7a0e1SJohn Baldwin const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov, 45855b7a0e1SJohn Baldwin struct iovec *outiov, int iovcnt, uint64_t seqno, uint8_t record_type) 45955b7a0e1SJohn Baldwin { 460080933c0SJohn Baldwin struct uio uio, out_uio; 46155b7a0e1SJohn Baldwin struct tls_aead_data_13 ad; 46255b7a0e1SJohn Baldwin char nonce[12]; 46333a1a488SJohn Baldwin struct cryptop crp; 46455b7a0e1SJohn Baldwin struct ocf_session *os; 46533a1a488SJohn Baldwin struct iovec iov[iovcnt + 1], out_iov[iovcnt + 1]; 46655b7a0e1SJohn Baldwin int i, error; 467080933c0SJohn Baldwin bool inplace; 46855b7a0e1SJohn Baldwin 46955b7a0e1SJohn Baldwin os = tls->cipher; 47055b7a0e1SJohn Baldwin 47133a1a488SJohn Baldwin crypto_initreq(&crp, os->sid); 47255b7a0e1SJohn Baldwin 47355b7a0e1SJohn Baldwin /* Setup the nonce. */ 47455b7a0e1SJohn Baldwin memcpy(nonce, tls->params.iv, tls->params.iv_len); 47555b7a0e1SJohn Baldwin *(uint64_t *)(nonce + 4) ^= htobe64(seqno); 47655b7a0e1SJohn Baldwin 47755b7a0e1SJohn Baldwin /* Setup the AAD. */ 47855b7a0e1SJohn Baldwin ad.type = hdr->tls_type; 47955b7a0e1SJohn Baldwin ad.tls_vmajor = hdr->tls_vmajor; 48055b7a0e1SJohn Baldwin ad.tls_vminor = hdr->tls_vminor; 48155b7a0e1SJohn Baldwin ad.tls_length = hdr->tls_length; 48233a1a488SJohn Baldwin crp.crp_aad = &ad; 48333a1a488SJohn Baldwin crp.crp_aad_length = sizeof(ad); 484080933c0SJohn Baldwin 485080933c0SJohn Baldwin /* Compute payload length and determine if encryption is in place. */ 486080933c0SJohn Baldwin inplace = true; 48733a1a488SJohn Baldwin crp.crp_payload_start = 0; 488080933c0SJohn Baldwin for (i = 0; i < iovcnt; i++) { 489080933c0SJohn Baldwin if (iniov[i].iov_base != outiov[i].iov_base) 490080933c0SJohn Baldwin inplace = false; 49133a1a488SJohn Baldwin crp.crp_payload_length += iniov[i].iov_len; 492080933c0SJohn Baldwin } 49355b7a0e1SJohn Baldwin 4945b750b9aSJohn Baldwin /* Store the record type as the first byte of the trailer. */ 49555b7a0e1SJohn Baldwin trailer[0] = record_type; 49633a1a488SJohn Baldwin crp.crp_payload_length++; 49733a1a488SJohn Baldwin crp.crp_digest_start = crp.crp_payload_length; 4985b750b9aSJohn Baldwin 4995b750b9aSJohn Baldwin /* 5005b750b9aSJohn Baldwin * Duplicate the input iov to append the trailer. Always 5015b750b9aSJohn Baldwin * include the full trailer as input to get the record_type 5025b750b9aSJohn Baldwin * even if only the first byte is used. 5035b750b9aSJohn Baldwin */ 5045b750b9aSJohn Baldwin memcpy(iov, iniov, iovcnt * sizeof(*iov)); 5055b750b9aSJohn Baldwin iov[iovcnt].iov_base = trailer; 5065b750b9aSJohn Baldwin iov[iovcnt].iov_len = AES_GMAC_HASH_LEN + 1; 5075b750b9aSJohn Baldwin uio.uio_iov = iov; 5085b750b9aSJohn Baldwin uio.uio_iovcnt = iovcnt + 1; 5095b750b9aSJohn Baldwin uio.uio_offset = 0; 51033a1a488SJohn Baldwin uio.uio_resid = crp.crp_payload_length + AES_GMAC_HASH_LEN; 5115b750b9aSJohn Baldwin uio.uio_segflg = UIO_SYSSPACE; 5125b750b9aSJohn Baldwin uio.uio_td = curthread; 51333a1a488SJohn Baldwin crypto_use_uio(&crp, &uio); 5145b750b9aSJohn Baldwin 5155b750b9aSJohn Baldwin if (!inplace) { 5165b750b9aSJohn Baldwin /* Duplicate the output iov to append the trailer. */ 5175b750b9aSJohn Baldwin memcpy(out_iov, outiov, iovcnt * sizeof(*out_iov)); 5185b750b9aSJohn Baldwin out_iov[iovcnt] = iov[iovcnt]; 5195b750b9aSJohn Baldwin 5205b750b9aSJohn Baldwin out_uio.uio_iov = out_iov; 5215b750b9aSJohn Baldwin out_uio.uio_iovcnt = iovcnt + 1; 5225b750b9aSJohn Baldwin out_uio.uio_offset = 0; 52333a1a488SJohn Baldwin out_uio.uio_resid = crp.crp_payload_length + 5245b750b9aSJohn Baldwin AES_GMAC_HASH_LEN; 5255b750b9aSJohn Baldwin out_uio.uio_segflg = UIO_SYSSPACE; 5265b750b9aSJohn Baldwin out_uio.uio_td = curthread; 52733a1a488SJohn Baldwin crypto_use_output_uio(&crp, &out_uio); 528080933c0SJohn Baldwin } 52955b7a0e1SJohn Baldwin 53033a1a488SJohn Baldwin crp.crp_op = CRYPTO_OP_ENCRYPT | CRYPTO_OP_COMPUTE_DIGEST; 53133a1a488SJohn Baldwin crp.crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE; 53255b7a0e1SJohn Baldwin 53333a1a488SJohn Baldwin memcpy(crp.crp_iv, nonce, sizeof(nonce)); 53455b7a0e1SJohn Baldwin 53555b7a0e1SJohn Baldwin counter_u64_add(ocf_tls13_gcm_crypts, 1); 536080933c0SJohn Baldwin if (inplace) 537080933c0SJohn Baldwin counter_u64_add(ocf_inplace, 1); 538080933c0SJohn Baldwin else 539080933c0SJohn Baldwin counter_u64_add(ocf_separate_output, 1); 54070d1a435SJohn Baldwin error = ktls_ocf_dispatch(os, &crp); 541b2e60773SJohn Baldwin 54233a1a488SJohn Baldwin crypto_destroyreq(&crp); 543b2e60773SJohn Baldwin return (error); 544b2e60773SJohn Baldwin } 545b2e60773SJohn Baldwin 546b2e60773SJohn Baldwin static void 547b2e60773SJohn Baldwin ktls_ocf_free(struct ktls_session *tls) 548b2e60773SJohn Baldwin { 549b2e60773SJohn Baldwin struct ocf_session *os; 550b2e60773SJohn Baldwin 551b2e60773SJohn Baldwin os = tls->cipher; 552c0341432SJohn Baldwin crypto_freesession(os->sid); 553b2e60773SJohn Baldwin mtx_destroy(&os->lock); 5544a711b8dSJohn Baldwin zfree(os, M_KTLS_OCF); 555b2e60773SJohn Baldwin } 556b2e60773SJohn Baldwin 557b2e60773SJohn Baldwin static int 5583c0e5685SJohn Baldwin ktls_ocf_try(struct socket *so, struct ktls_session *tls, int direction) 559b2e60773SJohn Baldwin { 560*47e2650eSJohn Baldwin struct crypto_session_params csp, mac_csp; 561b2e60773SJohn Baldwin struct ocf_session *os; 562*47e2650eSJohn Baldwin int error, mac_len; 563b2e60773SJohn Baldwin 564c0341432SJohn Baldwin memset(&csp, 0, sizeof(csp)); 565*47e2650eSJohn Baldwin memset(&mac_csp, 0, sizeof(mac_csp)); 566*47e2650eSJohn Baldwin mac_csp.csp_mode = CSP_MODE_NONE; 567*47e2650eSJohn Baldwin mac_len = 0; 568b2e60773SJohn Baldwin 569b2e60773SJohn Baldwin switch (tls->params.cipher_algorithm) { 570b2e60773SJohn Baldwin case CRYPTO_AES_NIST_GCM_16: 571b2e60773SJohn Baldwin switch (tls->params.cipher_key_len) { 572b2e60773SJohn Baldwin case 128 / 8: 573b2e60773SJohn Baldwin case 256 / 8: 574b2e60773SJohn Baldwin break; 575b2e60773SJohn Baldwin default: 576b2e60773SJohn Baldwin return (EINVAL); 577b2e60773SJohn Baldwin } 578b2e60773SJohn Baldwin 57955b7a0e1SJohn Baldwin /* Only TLS 1.2 and 1.3 are supported. */ 580b2e60773SJohn Baldwin if (tls->params.tls_vmajor != TLS_MAJOR_VER_ONE || 58155b7a0e1SJohn Baldwin tls->params.tls_vminor < TLS_MINOR_VER_TWO || 58255b7a0e1SJohn Baldwin tls->params.tls_vminor > TLS_MINOR_VER_THREE) 583b2e60773SJohn Baldwin return (EPROTONOSUPPORT); 584b2e60773SJohn Baldwin 5853c0e5685SJohn Baldwin /* TLS 1.3 is not yet supported for receive. */ 5863c0e5685SJohn Baldwin if (direction == KTLS_RX && 5873c0e5685SJohn Baldwin tls->params.tls_vminor == TLS_MINOR_VER_THREE) 5883c0e5685SJohn Baldwin return (EPROTONOSUPPORT); 5893c0e5685SJohn Baldwin 590*47e2650eSJohn Baldwin csp.csp_flags |= CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD; 591*47e2650eSJohn Baldwin csp.csp_mode = CSP_MODE_AEAD; 592*47e2650eSJohn Baldwin csp.csp_cipher_alg = CRYPTO_AES_NIST_GCM_16; 593*47e2650eSJohn Baldwin csp.csp_cipher_key = tls->params.cipher_key; 594*47e2650eSJohn Baldwin csp.csp_cipher_klen = tls->params.cipher_key_len; 595*47e2650eSJohn Baldwin csp.csp_ivlen = AES_GCM_IV_LEN; 596*47e2650eSJohn Baldwin break; 597*47e2650eSJohn Baldwin case CRYPTO_AES_CBC: 598*47e2650eSJohn Baldwin switch (tls->params.cipher_key_len) { 599*47e2650eSJohn Baldwin case 128 / 8: 600*47e2650eSJohn Baldwin case 256 / 8: 601*47e2650eSJohn Baldwin break; 602*47e2650eSJohn Baldwin default: 603*47e2650eSJohn Baldwin return (EINVAL); 604*47e2650eSJohn Baldwin } 605*47e2650eSJohn Baldwin 606*47e2650eSJohn Baldwin switch (tls->params.auth_algorithm) { 607*47e2650eSJohn Baldwin case CRYPTO_SHA1_HMAC: 608*47e2650eSJohn Baldwin mac_len = SHA1_HASH_LEN; 609*47e2650eSJohn Baldwin break; 610*47e2650eSJohn Baldwin case CRYPTO_SHA2_256_HMAC: 611*47e2650eSJohn Baldwin mac_len = SHA2_256_HASH_LEN; 612*47e2650eSJohn Baldwin break; 613*47e2650eSJohn Baldwin case CRYPTO_SHA2_384_HMAC: 614*47e2650eSJohn Baldwin mac_len = SHA2_384_HASH_LEN; 615*47e2650eSJohn Baldwin break; 616*47e2650eSJohn Baldwin default: 617*47e2650eSJohn Baldwin return (EINVAL); 618*47e2650eSJohn Baldwin } 619*47e2650eSJohn Baldwin 620*47e2650eSJohn Baldwin /* Only TLS 1.0-1.2 are supported. */ 621*47e2650eSJohn Baldwin if (tls->params.tls_vmajor != TLS_MAJOR_VER_ONE || 622*47e2650eSJohn Baldwin tls->params.tls_vminor < TLS_MINOR_VER_ZERO || 623*47e2650eSJohn Baldwin tls->params.tls_vminor > TLS_MINOR_VER_TWO) 624*47e2650eSJohn Baldwin return (EPROTONOSUPPORT); 625*47e2650eSJohn Baldwin 626*47e2650eSJohn Baldwin /* AES-CBC is not supported for receive. */ 627*47e2650eSJohn Baldwin if (direction == KTLS_RX) 628*47e2650eSJohn Baldwin return (EPROTONOSUPPORT); 629*47e2650eSJohn Baldwin 630*47e2650eSJohn Baldwin csp.csp_flags |= CSP_F_SEPARATE_OUTPUT; 631*47e2650eSJohn Baldwin csp.csp_mode = CSP_MODE_CIPHER; 632*47e2650eSJohn Baldwin csp.csp_cipher_alg = CRYPTO_AES_CBC; 633*47e2650eSJohn Baldwin csp.csp_cipher_key = tls->params.cipher_key; 634*47e2650eSJohn Baldwin csp.csp_cipher_klen = tls->params.cipher_key_len; 635*47e2650eSJohn Baldwin csp.csp_ivlen = AES_BLOCK_LEN; 636*47e2650eSJohn Baldwin 637*47e2650eSJohn Baldwin mac_csp.csp_flags |= CSP_F_SEPARATE_OUTPUT; 638*47e2650eSJohn Baldwin mac_csp.csp_mode = CSP_MODE_DIGEST; 639*47e2650eSJohn Baldwin mac_csp.csp_auth_alg = tls->params.auth_algorithm; 640*47e2650eSJohn Baldwin mac_csp.csp_auth_key = tls->params.auth_key; 641*47e2650eSJohn Baldwin mac_csp.csp_auth_klen = tls->params.auth_key_len; 642*47e2650eSJohn Baldwin break; 643*47e2650eSJohn Baldwin default: 644*47e2650eSJohn Baldwin return (EPROTONOSUPPORT); 645*47e2650eSJohn Baldwin } 646*47e2650eSJohn Baldwin 647b2e60773SJohn Baldwin os = malloc(sizeof(*os), M_KTLS_OCF, M_NOWAIT | M_ZERO); 648b2e60773SJohn Baldwin if (os == NULL) 649b2e60773SJohn Baldwin return (ENOMEM); 650b2e60773SJohn Baldwin 651c0341432SJohn Baldwin error = crypto_newsession(&os->sid, &csp, 652b2e60773SJohn Baldwin CRYPTO_FLAG_HARDWARE | CRYPTO_FLAG_SOFTWARE); 653b2e60773SJohn Baldwin if (error) { 654b2e60773SJohn Baldwin free(os, M_KTLS_OCF); 655b2e60773SJohn Baldwin return (error); 656b2e60773SJohn Baldwin } 657b2e60773SJohn Baldwin 658*47e2650eSJohn Baldwin if (mac_csp.csp_mode != CSP_MODE_NONE) { 659*47e2650eSJohn Baldwin error = crypto_newsession(&os->mac_sid, &mac_csp, 660*47e2650eSJohn Baldwin CRYPTO_FLAG_HARDWARE | CRYPTO_FLAG_SOFTWARE); 661*47e2650eSJohn Baldwin if (error) { 662*47e2650eSJohn Baldwin crypto_freesession(os->sid); 663*47e2650eSJohn Baldwin free(os, M_KTLS_OCF); 664*47e2650eSJohn Baldwin return (error); 665*47e2650eSJohn Baldwin } 666*47e2650eSJohn Baldwin os->mac_len = mac_len; 667*47e2650eSJohn Baldwin } 668*47e2650eSJohn Baldwin 669b2e60773SJohn Baldwin mtx_init(&os->lock, "ktls_ocf", NULL, MTX_DEF); 670b2e60773SJohn Baldwin tls->cipher = os; 671*47e2650eSJohn Baldwin if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) { 6723c0e5685SJohn Baldwin if (direction == KTLS_TX) { 67355b7a0e1SJohn Baldwin if (tls->params.tls_vminor == TLS_MINOR_VER_THREE) 67455b7a0e1SJohn Baldwin tls->sw_encrypt = ktls_ocf_tls13_gcm_encrypt; 67555b7a0e1SJohn Baldwin else 67655b7a0e1SJohn Baldwin tls->sw_encrypt = ktls_ocf_tls12_gcm_encrypt; 6773c0e5685SJohn Baldwin } else { 6783c0e5685SJohn Baldwin tls->sw_decrypt = ktls_ocf_tls12_gcm_decrypt; 6793c0e5685SJohn Baldwin } 680*47e2650eSJohn Baldwin } else { 681*47e2650eSJohn Baldwin tls->sw_encrypt = ktls_ocf_tls_cbc_encrypt; 682*47e2650eSJohn Baldwin if (tls->params.tls_vminor == TLS_MINOR_VER_ZERO) { 683*47e2650eSJohn Baldwin os->implicit_iv = true; 684*47e2650eSJohn Baldwin memcpy(os->iv, tls->params.iv, AES_BLOCK_LEN); 685*47e2650eSJohn Baldwin } 686*47e2650eSJohn Baldwin } 687b2e60773SJohn Baldwin tls->free = ktls_ocf_free; 688b2e60773SJohn Baldwin return (0); 689b2e60773SJohn Baldwin } 690b2e60773SJohn Baldwin 691b2e60773SJohn Baldwin struct ktls_crypto_backend ocf_backend = { 692b2e60773SJohn Baldwin .name = "OCF", 693b2e60773SJohn Baldwin .prio = 5, 694b2e60773SJohn Baldwin .api_version = KTLS_API_VERSION, 695b2e60773SJohn Baldwin .try = ktls_ocf_try, 696b2e60773SJohn Baldwin }; 697b2e60773SJohn Baldwin 698b2e60773SJohn Baldwin static int 699b2e60773SJohn Baldwin ktls_ocf_modevent(module_t mod, int what, void *arg) 700b2e60773SJohn Baldwin { 701b2e60773SJohn Baldwin int error; 702b2e60773SJohn Baldwin 703b2e60773SJohn Baldwin switch (what) { 704b2e60773SJohn Baldwin case MOD_LOAD: 705*47e2650eSJohn Baldwin ocf_tls10_cbc_crypts = counter_u64_alloc(M_WAITOK); 706*47e2650eSJohn Baldwin ocf_tls11_cbc_crypts = counter_u64_alloc(M_WAITOK); 70755b7a0e1SJohn Baldwin ocf_tls12_gcm_crypts = counter_u64_alloc(M_WAITOK); 70855b7a0e1SJohn Baldwin ocf_tls13_gcm_crypts = counter_u64_alloc(M_WAITOK); 709080933c0SJohn Baldwin ocf_inplace = counter_u64_alloc(M_WAITOK); 710080933c0SJohn Baldwin ocf_separate_output = counter_u64_alloc(M_WAITOK); 711b2e60773SJohn Baldwin ocf_retries = counter_u64_alloc(M_WAITOK); 712b2e60773SJohn Baldwin return (ktls_crypto_backend_register(&ocf_backend)); 713b2e60773SJohn Baldwin case MOD_UNLOAD: 714b2e60773SJohn Baldwin error = ktls_crypto_backend_deregister(&ocf_backend); 715b2e60773SJohn Baldwin if (error) 716b2e60773SJohn Baldwin return (error); 717*47e2650eSJohn Baldwin counter_u64_free(ocf_tls10_cbc_crypts); 718*47e2650eSJohn Baldwin counter_u64_free(ocf_tls11_cbc_crypts); 71955b7a0e1SJohn Baldwin counter_u64_free(ocf_tls12_gcm_crypts); 72055b7a0e1SJohn Baldwin counter_u64_free(ocf_tls13_gcm_crypts); 721080933c0SJohn Baldwin counter_u64_free(ocf_inplace); 722080933c0SJohn Baldwin counter_u64_free(ocf_separate_output); 723b2e60773SJohn Baldwin counter_u64_free(ocf_retries); 724b2e60773SJohn Baldwin return (0); 725b2e60773SJohn Baldwin default: 726b2e60773SJohn Baldwin return (EOPNOTSUPP); 727b2e60773SJohn Baldwin } 728b2e60773SJohn Baldwin } 729b2e60773SJohn Baldwin 730b2e60773SJohn Baldwin static moduledata_t ktls_ocf_moduledata = { 731b2e60773SJohn Baldwin "ktls_ocf", 732b2e60773SJohn Baldwin ktls_ocf_modevent, 733b2e60773SJohn Baldwin NULL 734b2e60773SJohn Baldwin }; 735b2e60773SJohn Baldwin 736b2e60773SJohn Baldwin DECLARE_MODULE(ktls_ocf, ktls_ocf_moduledata, SI_SUB_PROTO_END, SI_ORDER_ANY); 737