1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2019 Netflix Inc. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 #include <sys/cdefs.h> 30 __FBSDID("$FreeBSD$"); 31 32 #include <sys/param.h> 33 #include <sys/systm.h> 34 #include <sys/counter.h> 35 #include <sys/endian.h> 36 #include <sys/kernel.h> 37 #include <sys/ktls.h> 38 #include <sys/lock.h> 39 #include <sys/malloc.h> 40 #include <sys/module.h> 41 #include <sys/mutex.h> 42 #include <sys/sysctl.h> 43 #include <sys/uio.h> 44 #include <opencrypto/cryptodev.h> 45 46 struct ocf_session { 47 crypto_session_t sid; 48 crypto_session_t mac_sid; 49 int mac_len; 50 struct mtx lock; 51 bool implicit_iv; 52 53 /* Only used for TLS 1.0 with the implicit IV. */ 54 #ifdef INVARIANTS 55 bool in_progress; 56 uint64_t next_seqno; 57 #endif 58 char iv[AES_BLOCK_LEN]; 59 }; 60 61 struct ocf_operation { 62 struct ocf_session *os; 63 bool done; 64 }; 65 66 static MALLOC_DEFINE(M_KTLS_OCF, "ktls_ocf", "OCF KTLS"); 67 68 SYSCTL_DECL(_kern_ipc_tls); 69 SYSCTL_DECL(_kern_ipc_tls_stats); 70 71 static SYSCTL_NODE(_kern_ipc_tls_stats, OID_AUTO, ocf, 72 CTLFLAG_RD | CTLFLAG_MPSAFE, 0, 73 "Kernel TLS offload via OCF stats"); 74 75 static COUNTER_U64_DEFINE_EARLY(ocf_tls10_cbc_crypts); 76 SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls10_cbc_crypts, 77 CTLFLAG_RD, &ocf_tls10_cbc_crypts, 78 "Total number of OCF TLS 1.0 CBC encryption operations"); 79 80 static COUNTER_U64_DEFINE_EARLY(ocf_tls11_cbc_crypts); 81 SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls11_cbc_crypts, 82 CTLFLAG_RD, &ocf_tls11_cbc_crypts, 83 "Total number of OCF TLS 1.1/1.2 CBC encryption operations"); 84 85 static COUNTER_U64_DEFINE_EARLY(ocf_tls12_gcm_crypts); 86 SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls12_gcm_crypts, 87 CTLFLAG_RD, &ocf_tls12_gcm_crypts, 88 "Total number of OCF TLS 1.2 GCM encryption operations"); 89 90 static COUNTER_U64_DEFINE_EARLY(ocf_tls13_gcm_crypts); 91 SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls13_gcm_crypts, 92 CTLFLAG_RD, &ocf_tls13_gcm_crypts, 93 "Total number of OCF TLS 1.3 GCM encryption operations"); 94 95 static COUNTER_U64_DEFINE_EARLY(ocf_inplace); 96 SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, inplace, 97 CTLFLAG_RD, &ocf_inplace, 98 "Total number of OCF in-place operations"); 99 100 static COUNTER_U64_DEFINE_EARLY(ocf_separate_output); 101 SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, separate_output, 102 CTLFLAG_RD, &ocf_separate_output, 103 "Total number of OCF operations with a separate output buffer"); 104 105 static COUNTER_U64_DEFINE_EARLY(ocf_retries); 106 SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, retries, CTLFLAG_RD, 107 &ocf_retries, 108 "Number of OCF encryption operation retries"); 109 110 static int 111 ktls_ocf_callback(struct cryptop *crp) 112 { 113 struct ocf_operation *oo; 114 115 oo = crp->crp_opaque; 116 mtx_lock(&oo->os->lock); 117 oo->done = true; 118 mtx_unlock(&oo->os->lock); 119 wakeup(oo); 120 return (0); 121 } 122 123 static int 124 ktls_ocf_dispatch(struct ocf_session *os, struct cryptop *crp) 125 { 126 struct ocf_operation oo; 127 int error; 128 129 oo.os = os; 130 oo.done = false; 131 132 crp->crp_opaque = &oo; 133 crp->crp_callback = ktls_ocf_callback; 134 for (;;) { 135 error = crypto_dispatch(crp); 136 if (error) 137 break; 138 139 mtx_lock(&os->lock); 140 while (!oo.done) 141 mtx_sleep(&oo, &os->lock, 0, "ocfktls", 0); 142 mtx_unlock(&os->lock); 143 144 if (crp->crp_etype != EAGAIN) { 145 error = crp->crp_etype; 146 break; 147 } 148 149 crp->crp_etype = 0; 150 crp->crp_flags &= ~CRYPTO_F_DONE; 151 oo.done = false; 152 counter_u64_add(ocf_retries, 1); 153 } 154 return (error); 155 } 156 157 static int 158 ktls_ocf_tls_cbc_encrypt(struct ktls_session *tls, 159 const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov, 160 struct iovec *outiov, int iovcnt, uint64_t seqno, 161 uint8_t record_type __unused) 162 { 163 struct uio uio, out_uio; 164 struct tls_mac_data ad; 165 struct cryptop crp; 166 struct ocf_session *os; 167 struct iovec iov[iovcnt + 2]; 168 struct iovec out_iov[iovcnt + 1]; 169 int i, error; 170 uint16_t tls_comp_len; 171 uint8_t pad; 172 bool inplace; 173 174 os = tls->cipher; 175 176 #ifdef INVARIANTS 177 if (os->implicit_iv) { 178 mtx_lock(&os->lock); 179 KASSERT(!os->in_progress, 180 ("concurrent implicit IV encryptions")); 181 if (os->next_seqno != seqno) { 182 printf("KTLS CBC: TLS records out of order. " 183 "Expected %ju, got %ju\n", 184 (uintmax_t)os->next_seqno, (uintmax_t)seqno); 185 mtx_unlock(&os->lock); 186 return (EINVAL); 187 } 188 os->in_progress = true; 189 mtx_unlock(&os->lock); 190 } 191 #endif 192 193 /* 194 * Compute the payload length. 195 * 196 * XXX: This could be easily computed O(1) from the mbuf 197 * fields, but we don't have those accessible here. Can 198 * at least compute inplace as well while we are here. 199 */ 200 tls_comp_len = 0; 201 inplace = true; 202 for (i = 0; i < iovcnt; i++) { 203 tls_comp_len += iniov[i].iov_len; 204 if (iniov[i].iov_base != outiov[i].iov_base) 205 inplace = false; 206 } 207 208 /* Initialize the AAD. */ 209 ad.seq = htobe64(seqno); 210 ad.type = hdr->tls_type; 211 ad.tls_vmajor = hdr->tls_vmajor; 212 ad.tls_vminor = hdr->tls_vminor; 213 ad.tls_length = htons(tls_comp_len); 214 215 /* First, compute the MAC. */ 216 iov[0].iov_base = &ad; 217 iov[0].iov_len = sizeof(ad); 218 memcpy(&iov[1], iniov, sizeof(*iniov) * iovcnt); 219 iov[iovcnt + 1].iov_base = trailer; 220 iov[iovcnt + 1].iov_len = os->mac_len; 221 uio.uio_iov = iov; 222 uio.uio_iovcnt = iovcnt + 2; 223 uio.uio_offset = 0; 224 uio.uio_segflg = UIO_SYSSPACE; 225 uio.uio_td = curthread; 226 uio.uio_resid = sizeof(ad) + tls_comp_len + os->mac_len; 227 228 crypto_initreq(&crp, os->mac_sid); 229 crp.crp_payload_start = 0; 230 crp.crp_payload_length = sizeof(ad) + tls_comp_len; 231 crp.crp_digest_start = crp.crp_payload_length; 232 crp.crp_op = CRYPTO_OP_COMPUTE_DIGEST; 233 crp.crp_flags = CRYPTO_F_CBIMM; 234 crypto_use_uio(&crp, &uio); 235 error = ktls_ocf_dispatch(os, &crp); 236 237 crypto_destroyreq(&crp); 238 if (error) { 239 #ifdef INVARIANTS 240 if (os->implicit_iv) { 241 mtx_lock(&os->lock); 242 os->in_progress = false; 243 mtx_unlock(&os->lock); 244 } 245 #endif 246 return (error); 247 } 248 249 /* Second, add the padding. */ 250 pad = (unsigned)(AES_BLOCK_LEN - (tls_comp_len + os->mac_len + 1)) % 251 AES_BLOCK_LEN; 252 for (i = 0; i < pad + 1; i++) 253 trailer[os->mac_len + i] = pad; 254 255 /* Finally, encrypt the record. */ 256 257 /* 258 * Don't recopy the input iovec, instead just adjust the 259 * trailer length and skip over the AAD vector in the uio. 260 */ 261 iov[iovcnt + 1].iov_len += pad + 1; 262 uio.uio_iov = iov + 1; 263 uio.uio_iovcnt = iovcnt + 1; 264 uio.uio_resid = tls_comp_len + iov[iovcnt + 1].iov_len; 265 KASSERT(uio.uio_resid % AES_BLOCK_LEN == 0, 266 ("invalid encryption size")); 267 268 crypto_initreq(&crp, os->sid); 269 crp.crp_payload_start = 0; 270 crp.crp_payload_length = uio.uio_resid; 271 crp.crp_op = CRYPTO_OP_ENCRYPT; 272 crp.crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE; 273 if (os->implicit_iv) 274 memcpy(crp.crp_iv, os->iv, AES_BLOCK_LEN); 275 else 276 memcpy(crp.crp_iv, hdr + 1, AES_BLOCK_LEN); 277 crypto_use_uio(&crp, &uio); 278 if (!inplace) { 279 memcpy(out_iov, outiov, sizeof(*iniov) * iovcnt); 280 out_iov[iovcnt] = iov[iovcnt + 1]; 281 out_uio.uio_iov = out_iov; 282 out_uio.uio_iovcnt = iovcnt + 1; 283 out_uio.uio_offset = 0; 284 out_uio.uio_segflg = UIO_SYSSPACE; 285 out_uio.uio_td = curthread; 286 out_uio.uio_resid = uio.uio_resid; 287 crypto_use_output_uio(&crp, &out_uio); 288 } 289 290 if (os->implicit_iv) 291 counter_u64_add(ocf_tls10_cbc_crypts, 1); 292 else 293 counter_u64_add(ocf_tls11_cbc_crypts, 1); 294 if (inplace) 295 counter_u64_add(ocf_inplace, 1); 296 else 297 counter_u64_add(ocf_separate_output, 1); 298 error = ktls_ocf_dispatch(os, &crp); 299 300 crypto_destroyreq(&crp); 301 302 if (os->implicit_iv) { 303 KASSERT(os->mac_len + pad + 1 >= AES_BLOCK_LEN, 304 ("trailer too short to read IV")); 305 memcpy(os->iv, trailer + os->mac_len + pad + 1 - AES_BLOCK_LEN, 306 AES_BLOCK_LEN); 307 #ifdef INVARIANTS 308 mtx_lock(&os->lock); 309 os->next_seqno = seqno + 1; 310 os->in_progress = false; 311 mtx_unlock(&os->lock); 312 #endif 313 } 314 return (error); 315 } 316 317 static int 318 ktls_ocf_tls12_gcm_encrypt(struct ktls_session *tls, 319 const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov, 320 struct iovec *outiov, int iovcnt, uint64_t seqno, 321 uint8_t record_type __unused) 322 { 323 struct uio uio, out_uio, *tag_uio; 324 struct tls_aead_data ad; 325 struct cryptop crp; 326 struct ocf_session *os; 327 struct iovec iov[iovcnt + 1]; 328 int i, error; 329 uint16_t tls_comp_len; 330 bool inplace; 331 332 os = tls->cipher; 333 334 uio.uio_iov = iniov; 335 uio.uio_iovcnt = iovcnt; 336 uio.uio_offset = 0; 337 uio.uio_segflg = UIO_SYSSPACE; 338 uio.uio_td = curthread; 339 340 out_uio.uio_iov = outiov; 341 out_uio.uio_iovcnt = iovcnt; 342 out_uio.uio_offset = 0; 343 out_uio.uio_segflg = UIO_SYSSPACE; 344 out_uio.uio_td = curthread; 345 346 crypto_initreq(&crp, os->sid); 347 348 /* Setup the IV. */ 349 memcpy(crp.crp_iv, tls->params.iv, TLS_AEAD_GCM_LEN); 350 memcpy(crp.crp_iv + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t)); 351 352 /* Setup the AAD. */ 353 tls_comp_len = ntohs(hdr->tls_length) - 354 (AES_GMAC_HASH_LEN + sizeof(uint64_t)); 355 ad.seq = htobe64(seqno); 356 ad.type = hdr->tls_type; 357 ad.tls_vmajor = hdr->tls_vmajor; 358 ad.tls_vminor = hdr->tls_vminor; 359 ad.tls_length = htons(tls_comp_len); 360 crp.crp_aad = &ad; 361 crp.crp_aad_length = sizeof(ad); 362 363 /* Compute payload length and determine if encryption is in place. */ 364 inplace = true; 365 crp.crp_payload_start = 0; 366 for (i = 0; i < iovcnt; i++) { 367 if (iniov[i].iov_base != outiov[i].iov_base) 368 inplace = false; 369 crp.crp_payload_length += iniov[i].iov_len; 370 } 371 uio.uio_resid = crp.crp_payload_length; 372 out_uio.uio_resid = crp.crp_payload_length; 373 374 if (inplace) 375 tag_uio = &uio; 376 else 377 tag_uio = &out_uio; 378 379 /* Duplicate iovec and append vector for tag. */ 380 memcpy(iov, tag_uio->uio_iov, iovcnt * sizeof(struct iovec)); 381 iov[iovcnt].iov_base = trailer; 382 iov[iovcnt].iov_len = AES_GMAC_HASH_LEN; 383 tag_uio->uio_iov = iov; 384 tag_uio->uio_iovcnt++; 385 crp.crp_digest_start = tag_uio->uio_resid; 386 tag_uio->uio_resid += AES_GMAC_HASH_LEN; 387 388 crp.crp_op = CRYPTO_OP_ENCRYPT | CRYPTO_OP_COMPUTE_DIGEST; 389 crp.crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE; 390 crypto_use_uio(&crp, &uio); 391 if (!inplace) 392 crypto_use_output_uio(&crp, &out_uio); 393 394 counter_u64_add(ocf_tls12_gcm_crypts, 1); 395 if (inplace) 396 counter_u64_add(ocf_inplace, 1); 397 else 398 counter_u64_add(ocf_separate_output, 1); 399 error = ktls_ocf_dispatch(os, &crp); 400 401 crypto_destroyreq(&crp); 402 return (error); 403 } 404 405 static int 406 ktls_ocf_tls12_gcm_decrypt(struct ktls_session *tls, 407 const struct tls_record_layer *hdr, struct mbuf *m, uint64_t seqno, 408 int *trailer_len) 409 { 410 struct tls_aead_data ad; 411 struct cryptop crp; 412 struct ocf_session *os; 413 struct ocf_operation oo; 414 int error; 415 uint16_t tls_comp_len; 416 417 os = tls->cipher; 418 419 oo.os = os; 420 oo.done = false; 421 422 crypto_initreq(&crp, os->sid); 423 424 /* Setup the IV. */ 425 memcpy(crp.crp_iv, tls->params.iv, TLS_AEAD_GCM_LEN); 426 memcpy(crp.crp_iv + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t)); 427 428 /* Setup the AAD. */ 429 tls_comp_len = ntohs(hdr->tls_length) - 430 (AES_GMAC_HASH_LEN + sizeof(uint64_t)); 431 ad.seq = htobe64(seqno); 432 ad.type = hdr->tls_type; 433 ad.tls_vmajor = hdr->tls_vmajor; 434 ad.tls_vminor = hdr->tls_vminor; 435 ad.tls_length = htons(tls_comp_len); 436 crp.crp_aad = &ad; 437 crp.crp_aad_length = sizeof(ad); 438 439 crp.crp_payload_start = tls->params.tls_hlen; 440 crp.crp_payload_length = tls_comp_len; 441 crp.crp_digest_start = crp.crp_payload_start + crp.crp_payload_length; 442 443 crp.crp_op = CRYPTO_OP_DECRYPT | CRYPTO_OP_VERIFY_DIGEST; 444 crp.crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE; 445 crypto_use_mbuf(&crp, m); 446 447 counter_u64_add(ocf_tls12_gcm_crypts, 1); 448 error = ktls_ocf_dispatch(os, &crp); 449 450 crypto_destroyreq(&crp); 451 *trailer_len = AES_GMAC_HASH_LEN; 452 return (error); 453 } 454 455 static int 456 ktls_ocf_tls13_gcm_encrypt(struct ktls_session *tls, 457 const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov, 458 struct iovec *outiov, int iovcnt, uint64_t seqno, uint8_t record_type) 459 { 460 struct uio uio, out_uio; 461 struct tls_aead_data_13 ad; 462 char nonce[12]; 463 struct cryptop crp; 464 struct ocf_session *os; 465 struct iovec iov[iovcnt + 1], out_iov[iovcnt + 1]; 466 int i, error; 467 bool inplace; 468 469 os = tls->cipher; 470 471 crypto_initreq(&crp, os->sid); 472 473 /* Setup the nonce. */ 474 memcpy(nonce, tls->params.iv, tls->params.iv_len); 475 *(uint64_t *)(nonce + 4) ^= htobe64(seqno); 476 477 /* Setup the AAD. */ 478 ad.type = hdr->tls_type; 479 ad.tls_vmajor = hdr->tls_vmajor; 480 ad.tls_vminor = hdr->tls_vminor; 481 ad.tls_length = hdr->tls_length; 482 crp.crp_aad = &ad; 483 crp.crp_aad_length = sizeof(ad); 484 485 /* Compute payload length and determine if encryption is in place. */ 486 inplace = true; 487 crp.crp_payload_start = 0; 488 for (i = 0; i < iovcnt; i++) { 489 if (iniov[i].iov_base != outiov[i].iov_base) 490 inplace = false; 491 crp.crp_payload_length += iniov[i].iov_len; 492 } 493 494 /* Store the record type as the first byte of the trailer. */ 495 trailer[0] = record_type; 496 crp.crp_payload_length++; 497 crp.crp_digest_start = crp.crp_payload_length; 498 499 /* 500 * Duplicate the input iov to append the trailer. Always 501 * include the full trailer as input to get the record_type 502 * even if only the first byte is used. 503 */ 504 memcpy(iov, iniov, iovcnt * sizeof(*iov)); 505 iov[iovcnt].iov_base = trailer; 506 iov[iovcnt].iov_len = AES_GMAC_HASH_LEN + 1; 507 uio.uio_iov = iov; 508 uio.uio_iovcnt = iovcnt + 1; 509 uio.uio_offset = 0; 510 uio.uio_resid = crp.crp_payload_length + AES_GMAC_HASH_LEN; 511 uio.uio_segflg = UIO_SYSSPACE; 512 uio.uio_td = curthread; 513 crypto_use_uio(&crp, &uio); 514 515 if (!inplace) { 516 /* Duplicate the output iov to append the trailer. */ 517 memcpy(out_iov, outiov, iovcnt * sizeof(*out_iov)); 518 out_iov[iovcnt] = iov[iovcnt]; 519 520 out_uio.uio_iov = out_iov; 521 out_uio.uio_iovcnt = iovcnt + 1; 522 out_uio.uio_offset = 0; 523 out_uio.uio_resid = crp.crp_payload_length + 524 AES_GMAC_HASH_LEN; 525 out_uio.uio_segflg = UIO_SYSSPACE; 526 out_uio.uio_td = curthread; 527 crypto_use_output_uio(&crp, &out_uio); 528 } 529 530 crp.crp_op = CRYPTO_OP_ENCRYPT | CRYPTO_OP_COMPUTE_DIGEST; 531 crp.crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE; 532 533 memcpy(crp.crp_iv, nonce, sizeof(nonce)); 534 535 counter_u64_add(ocf_tls13_gcm_crypts, 1); 536 if (inplace) 537 counter_u64_add(ocf_inplace, 1); 538 else 539 counter_u64_add(ocf_separate_output, 1); 540 error = ktls_ocf_dispatch(os, &crp); 541 542 crypto_destroyreq(&crp); 543 return (error); 544 } 545 546 static void 547 ktls_ocf_free(struct ktls_session *tls) 548 { 549 struct ocf_session *os; 550 551 os = tls->cipher; 552 crypto_freesession(os->sid); 553 mtx_destroy(&os->lock); 554 zfree(os, M_KTLS_OCF); 555 } 556 557 static int 558 ktls_ocf_try(struct socket *so, struct ktls_session *tls, int direction) 559 { 560 struct crypto_session_params csp, mac_csp; 561 struct ocf_session *os; 562 int error, mac_len; 563 564 memset(&csp, 0, sizeof(csp)); 565 memset(&mac_csp, 0, sizeof(mac_csp)); 566 mac_csp.csp_mode = CSP_MODE_NONE; 567 mac_len = 0; 568 569 switch (tls->params.cipher_algorithm) { 570 case CRYPTO_AES_NIST_GCM_16: 571 switch (tls->params.cipher_key_len) { 572 case 128 / 8: 573 case 256 / 8: 574 break; 575 default: 576 return (EINVAL); 577 } 578 579 /* Only TLS 1.2 and 1.3 are supported. */ 580 if (tls->params.tls_vmajor != TLS_MAJOR_VER_ONE || 581 tls->params.tls_vminor < TLS_MINOR_VER_TWO || 582 tls->params.tls_vminor > TLS_MINOR_VER_THREE) 583 return (EPROTONOSUPPORT); 584 585 /* TLS 1.3 is not yet supported for receive. */ 586 if (direction == KTLS_RX && 587 tls->params.tls_vminor == TLS_MINOR_VER_THREE) 588 return (EPROTONOSUPPORT); 589 590 csp.csp_flags |= CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD; 591 csp.csp_mode = CSP_MODE_AEAD; 592 csp.csp_cipher_alg = CRYPTO_AES_NIST_GCM_16; 593 csp.csp_cipher_key = tls->params.cipher_key; 594 csp.csp_cipher_klen = tls->params.cipher_key_len; 595 csp.csp_ivlen = AES_GCM_IV_LEN; 596 break; 597 case CRYPTO_AES_CBC: 598 switch (tls->params.cipher_key_len) { 599 case 128 / 8: 600 case 256 / 8: 601 break; 602 default: 603 return (EINVAL); 604 } 605 606 switch (tls->params.auth_algorithm) { 607 case CRYPTO_SHA1_HMAC: 608 mac_len = SHA1_HASH_LEN; 609 break; 610 case CRYPTO_SHA2_256_HMAC: 611 mac_len = SHA2_256_HASH_LEN; 612 break; 613 case CRYPTO_SHA2_384_HMAC: 614 mac_len = SHA2_384_HASH_LEN; 615 break; 616 default: 617 return (EINVAL); 618 } 619 620 /* Only TLS 1.0-1.2 are supported. */ 621 if (tls->params.tls_vmajor != TLS_MAJOR_VER_ONE || 622 tls->params.tls_vminor < TLS_MINOR_VER_ZERO || 623 tls->params.tls_vminor > TLS_MINOR_VER_TWO) 624 return (EPROTONOSUPPORT); 625 626 /* AES-CBC is not supported for receive. */ 627 if (direction == KTLS_RX) 628 return (EPROTONOSUPPORT); 629 630 csp.csp_flags |= CSP_F_SEPARATE_OUTPUT; 631 csp.csp_mode = CSP_MODE_CIPHER; 632 csp.csp_cipher_alg = CRYPTO_AES_CBC; 633 csp.csp_cipher_key = tls->params.cipher_key; 634 csp.csp_cipher_klen = tls->params.cipher_key_len; 635 csp.csp_ivlen = AES_BLOCK_LEN; 636 637 mac_csp.csp_flags |= CSP_F_SEPARATE_OUTPUT; 638 mac_csp.csp_mode = CSP_MODE_DIGEST; 639 mac_csp.csp_auth_alg = tls->params.auth_algorithm; 640 mac_csp.csp_auth_key = tls->params.auth_key; 641 mac_csp.csp_auth_klen = tls->params.auth_key_len; 642 break; 643 default: 644 return (EPROTONOSUPPORT); 645 } 646 647 os = malloc(sizeof(*os), M_KTLS_OCF, M_NOWAIT | M_ZERO); 648 if (os == NULL) 649 return (ENOMEM); 650 651 error = crypto_newsession(&os->sid, &csp, 652 CRYPTO_FLAG_HARDWARE | CRYPTO_FLAG_SOFTWARE); 653 if (error) { 654 free(os, M_KTLS_OCF); 655 return (error); 656 } 657 658 if (mac_csp.csp_mode != CSP_MODE_NONE) { 659 error = crypto_newsession(&os->mac_sid, &mac_csp, 660 CRYPTO_FLAG_HARDWARE | CRYPTO_FLAG_SOFTWARE); 661 if (error) { 662 crypto_freesession(os->sid); 663 free(os, M_KTLS_OCF); 664 return (error); 665 } 666 os->mac_len = mac_len; 667 } 668 669 mtx_init(&os->lock, "ktls_ocf", NULL, MTX_DEF); 670 tls->cipher = os; 671 if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) { 672 if (direction == KTLS_TX) { 673 if (tls->params.tls_vminor == TLS_MINOR_VER_THREE) 674 tls->sw_encrypt = ktls_ocf_tls13_gcm_encrypt; 675 else 676 tls->sw_encrypt = ktls_ocf_tls12_gcm_encrypt; 677 } else { 678 tls->sw_decrypt = ktls_ocf_tls12_gcm_decrypt; 679 } 680 } else { 681 tls->sw_encrypt = ktls_ocf_tls_cbc_encrypt; 682 if (tls->params.tls_vminor == TLS_MINOR_VER_ZERO) { 683 os->implicit_iv = true; 684 memcpy(os->iv, tls->params.iv, AES_BLOCK_LEN); 685 } 686 } 687 tls->free = ktls_ocf_free; 688 return (0); 689 } 690 691 struct ktls_crypto_backend ocf_backend = { 692 .name = "OCF", 693 .prio = 5, 694 .api_version = KTLS_API_VERSION, 695 .try = ktls_ocf_try, 696 }; 697 698 static int 699 ktls_ocf_modevent(module_t mod, int what, void *arg) 700 { 701 switch (what) { 702 case MOD_LOAD: 703 return (ktls_crypto_backend_register(&ocf_backend)); 704 case MOD_UNLOAD: 705 return (ktls_crypto_backend_deregister(&ocf_backend)); 706 default: 707 return (EOPNOTSUPP); 708 } 709 } 710 711 static moduledata_t ktls_ocf_moduledata = { 712 "ktls_ocf", 713 ktls_ocf_modevent, 714 NULL 715 }; 716 717 DECLARE_MODULE(ktls_ocf, ktls_ocf_moduledata, SI_SUB_PROTO_END, SI_ORDER_ANY); 718