Browse Source

Add support for TLS 1.3 using AES-GCM to the OCF backend for KTLS.

Reviewed by:	gallatin
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D22802
freebsd/current/master
jhb 6 months ago
parent
commit
6572d0ba22
1 changed files with 142 additions and 18 deletions
  1. +142
    -18
      sys/opencrypto/ktls_ocf.c

+ 142
- 18
sys/opencrypto/ktls_ocf.c View File

@@ -60,13 +60,21 @@ static MALLOC_DEFINE(M_KTLS_OCF, "ktls_ocf", "OCF KTLS");
SYSCTL_DECL(_kern_ipc_tls);
SYSCTL_DECL(_kern_ipc_tls_stats);

static counter_u64_t ocf_gcm_crypts;
SYSCTL_COUNTER_U64(_kern_ipc_tls_stats, OID_AUTO, ocf_gcm_crypts, CTLFLAG_RD,
&ocf_gcm_crypts,
"Total number of OCF GCM encryption operations");
static SYSCTL_NODE(_kern_ipc_tls_stats, OID_AUTO, ocf, CTLFLAG_RD, 0,
"Kernel TLS offload via OCF stats");

static counter_u64_t ocf_tls12_gcm_crypts;
SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls12_gcm_crypts,
CTLFLAG_RD, &ocf_tls12_gcm_crypts,
"Total number of OCF TLS 1.2 GCM encryption operations");

static counter_u64_t ocf_tls13_gcm_crypts;
SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls13_gcm_crypts,
CTLFLAG_RD, &ocf_tls13_gcm_crypts,
"Total number of OCF TLS 1.3 GCM encryption operations");

static counter_u64_t ocf_retries;
SYSCTL_COUNTER_U64(_kern_ipc_tls_stats, OID_AUTO, ocf_retries, CTLFLAG_RD,
SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, retries, CTLFLAG_RD,
&ocf_retries,
"Number of OCF encryption operation retries");

@@ -84,9 +92,10 @@ ktls_ocf_callback(struct cryptop *crp)
}

static int
ktls_ocf_encrypt(struct ktls_session *tls, const struct tls_record_layer *hdr,
uint8_t *trailer, struct iovec *iniov, struct iovec *outiov, int iovcnt,
uint64_t seqno, uint8_t record_type __unused)
ktls_ocf_tls12_gcm_encrypt(struct ktls_session *tls,
const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov,
struct iovec *outiov, int iovcnt, uint64_t seqno,
uint8_t record_type __unused)
{
struct uio uio;
struct tls_aead_data ad;
@@ -127,7 +136,7 @@ ktls_ocf_encrypt(struct ktls_session *tls, const struct tls_record_layer *hdr,
iov[0].iov_base = &ad;
iov[0].iov_len = sizeof(ad);
uio.uio_resid = sizeof(ad);
/*
* OCF always does encryption in place, so copy the data if
* needed. Ugh.
@@ -171,7 +180,119 @@ ktls_ocf_encrypt(struct ktls_session *tls, const struct tls_record_layer *hdr,
crde->crd_flags = CRD_F_ENCRYPT | CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
memcpy(crde->crd_iv, &nd, sizeof(nd));

counter_u64_add(ocf_gcm_crypts, 1);
counter_u64_add(ocf_tls12_gcm_crypts, 1);
for (;;) {
error = crypto_dispatch(crp);
if (error)
break;

mtx_lock(&os->lock);
while (!oo->done)
mtx_sleep(oo, &os->lock, 0, "ocfktls", 0);
mtx_unlock(&os->lock);

if (crp->crp_etype != EAGAIN) {
error = crp->crp_etype;
break;
}

crp->crp_etype = 0;
crp->crp_flags &= ~CRYPTO_F_DONE;
oo->done = false;
counter_u64_add(ocf_retries, 1);
}

crypto_freereq(crp);
free(oo, M_KTLS_OCF);
return (error);
}

static int
ktls_ocf_tls13_gcm_encrypt(struct ktls_session *tls,
const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov,
struct iovec *outiov, int iovcnt, uint64_t seqno, uint8_t record_type)
{
struct uio uio;
struct tls_aead_data_13 ad;
char nonce[12];
struct cryptodesc *crde, *crda;
struct cryptop *crp;
struct ocf_session *os;
struct ocf_operation *oo;
struct iovec *iov;
int i, error;

os = tls->cipher;

oo = malloc(sizeof(*oo) + (iovcnt + 2) * sizeof(*iov), M_KTLS_OCF,
M_WAITOK | M_ZERO);
oo->os = os;
iov = oo->iov;

crp = crypto_getreq(2);
if (crp == NULL) {
free(oo, M_KTLS_OCF);
return (ENOMEM);
}

/* Setup the nonce. */
memcpy(nonce, tls->params.iv, tls->params.iv_len);
*(uint64_t *)(nonce + 4) ^= htobe64(seqno);

/* Setup the AAD. */
ad.type = hdr->tls_type;
ad.tls_vmajor = hdr->tls_vmajor;
ad.tls_vminor = hdr->tls_vminor;
ad.tls_length = hdr->tls_length;
iov[0].iov_base = &ad;
iov[0].iov_len = sizeof(ad);
uio.uio_resid = sizeof(ad);

/*
* OCF always does encryption in place, so copy the data if
* needed. Ugh.
*/
for (i = 0; i < iovcnt; i++) {
iov[i + 1] = outiov[i];
if (iniov[i].iov_base != outiov[i].iov_base)
memcpy(outiov[i].iov_base, iniov[i].iov_base,
outiov[i].iov_len);
uio.uio_resid += outiov[i].iov_len;
}

trailer[0] = record_type;
iov[iovcnt + 1].iov_base = trailer;
iov[iovcnt + 1].iov_len = AES_GMAC_HASH_LEN + 1;
uio.uio_resid += AES_GMAC_HASH_LEN + 1;

uio.uio_iov = iov;
uio.uio_iovcnt = iovcnt + 2;
uio.uio_offset = 0;
uio.uio_segflg = UIO_SYSSPACE;
uio.uio_td = curthread;

crp->crp_session = os->sid;
crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIMM;
crp->crp_uio = &uio;
crp->crp_ilen = uio.uio_resid;
crp->crp_opaque = oo;
crp->crp_callback = ktls_ocf_callback;

crde = crp->crp_desc;
crda = crde->crd_next;

crda->crd_alg = os->crda_alg;
crda->crd_skip = 0;
crda->crd_len = sizeof(ad);
crda->crd_inject = crp->crp_ilen - AES_GMAC_HASH_LEN;

crde->crd_alg = CRYPTO_AES_NIST_GCM_16;
crde->crd_skip = sizeof(ad);
crde->crd_len = crp->crp_ilen - (sizeof(ad) + AES_GMAC_HASH_LEN);
crde->crd_flags = CRD_F_ENCRYPT | CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
memcpy(crde->crd_iv, nonce, sizeof(nonce));

counter_u64_add(ocf_tls13_gcm_crypts, 1);
for (;;) {
error = crypto_dispatch(crp);
if (error)
@@ -221,8 +342,6 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls)

switch (tls->params.cipher_algorithm) {
case CRYPTO_AES_NIST_GCM_16:
if (tls->params.iv_len != TLS_AEAD_GCM_LEN)
return (EINVAL);
switch (tls->params.cipher_key_len) {
case 128 / 8:
cria.cri_alg = CRYPTO_AES_128_NIST_GMAC;
@@ -240,10 +359,10 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls)
return (EPROTONOSUPPORT);
}

/* Only TLS 1.1 and TLS 1.2 are currently supported. */
/* Only TLS 1.2 and 1.3 are supported. */
if (tls->params.tls_vmajor != TLS_MAJOR_VER_ONE ||
tls->params.tls_vminor < TLS_MINOR_VER_ONE ||
tls->params.tls_vminor > TLS_MINOR_VER_TWO)
tls->params.tls_vminor < TLS_MINOR_VER_TWO ||
tls->params.tls_vminor > TLS_MINOR_VER_THREE)
return (EPROTONOSUPPORT);

os = malloc(sizeof(*os), M_KTLS_OCF, M_NOWAIT | M_ZERO);
@@ -265,7 +384,10 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls)
os->crda_alg = cria.cri_alg;
mtx_init(&os->lock, "ktls_ocf", NULL, MTX_DEF);
tls->cipher = os;
tls->sw_encrypt = ktls_ocf_encrypt;
if (tls->params.tls_vminor == TLS_MINOR_VER_THREE)
tls->sw_encrypt = ktls_ocf_tls13_gcm_encrypt;
else
tls->sw_encrypt = ktls_ocf_tls12_gcm_encrypt;
tls->free = ktls_ocf_free;
return (0);
}
@@ -284,14 +406,16 @@ ktls_ocf_modevent(module_t mod, int what, void *arg)

switch (what) {
case MOD_LOAD:
ocf_gcm_crypts = counter_u64_alloc(M_WAITOK);
ocf_tls12_gcm_crypts = counter_u64_alloc(M_WAITOK);
ocf_tls13_gcm_crypts = counter_u64_alloc(M_WAITOK);
ocf_retries = counter_u64_alloc(M_WAITOK);
return (ktls_crypto_backend_register(&ocf_backend));
case MOD_UNLOAD:
error = ktls_crypto_backend_deregister(&ocf_backend);
if (error)
return (error);
counter_u64_free(ocf_gcm_crypts);
counter_u64_free(ocf_tls12_gcm_crypts);
counter_u64_free(ocf_tls13_gcm_crypts);
counter_u64_free(ocf_retries);
return (0);
default:

Loading…
Cancel
Save