2002-10-16 02:10:08 +00:00
|
|
|
/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
|
2005-01-07 01:45:51 +00:00
|
|
|
/*-
|
2002-10-16 02:10:08 +00:00
|
|
|
* The authors of this code are John Ioannidis (ji@tla.org),
|
|
|
|
|
* Angelos D. Keromytis (kermit@csd.uch.gr) and
|
|
|
|
|
* Niels Provos (provos@physnet.uni-hamburg.de).
|
|
|
|
|
*
|
|
|
|
|
* The original version of this code was written by John Ioannidis
|
|
|
|
|
* for BSD/OS in Athens, Greece, in November 1995.
|
|
|
|
|
*
|
|
|
|
|
* Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
|
|
|
|
|
* by Angelos D. Keromytis.
|
|
|
|
|
*
|
|
|
|
|
* Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
|
|
|
|
|
* and Niels Provos.
|
|
|
|
|
*
|
|
|
|
|
* Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
|
|
|
|
|
*
|
|
|
|
|
* Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
|
|
|
|
|
* Angelos D. Keromytis and Niels Provos.
|
|
|
|
|
* Copyright (c) 1999 Niklas Hallqvist.
|
|
|
|
|
* Copyright (c) 2001 Angelos D. Keromytis.
|
|
|
|
|
*
|
|
|
|
|
* Permission to use, copy, and modify this software with or without fee
|
|
|
|
|
* is hereby granted, provided that this entire notice is included in
|
|
|
|
|
* all copies of any software which is or includes a copy or
|
|
|
|
|
* modification of this software.
|
|
|
|
|
* You may use this code under the GNU public license if you so wish. Please
|
|
|
|
|
* contribute changes back to the authors under this freer than GPL license
|
|
|
|
|
* so that we may further the use of strong encryption without limitations to
|
|
|
|
|
* all.
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
|
|
|
|
|
* IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
|
|
|
|
|
* REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
|
|
|
|
|
* MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
|
|
|
|
|
* PURPOSE.
|
|
|
|
|
*/
|
|
|
|
|
#include "opt_inet.h"
|
|
|
|
|
#include "opt_inet6.h"
|
2020-05-29 19:22:40 +00:00
|
|
|
#include "opt_ipsec.h"
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
#include <sys/param.h>
|
|
|
|
|
#include <sys/systm.h>
|
2022-01-24 23:27:39 +00:00
|
|
|
#include <sys/malloc.h>
|
2002-10-16 02:10:08 +00:00
|
|
|
#include <sys/mbuf.h>
|
|
|
|
|
#include <sys/socket.h>
|
|
|
|
|
#include <sys/syslog.h>
|
|
|
|
|
#include <sys/kernel.h>
|
2013-10-26 18:18:50 +00:00
|
|
|
#include <sys/lock.h>
|
2017-02-06 08:49:57 +00:00
|
|
|
#include <sys/mutex.h>
|
2002-10-16 02:10:08 +00:00
|
|
|
#include <sys/sysctl.h>
|
|
|
|
|
|
|
|
|
|
#include <net/if.h>
|
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator
(DPCPU), as suggested by Peter Wemm, and implement a new per-virtual
network stack memory allocator. Modify vnet to use the allocator
instead of monolithic global container structures (vinet, ...). This
change solves many binary compatibility problems associated with
VIMAGE, and restores ELF symbols for virtualized global variables.
Each virtualized global variable exists as a "reference copy", and also
once per virtual network stack. Virtualized global variables are
tagged at compile-time, placing the in a special linker set, which is
loaded into a contiguous region of kernel memory. Virtualized global
variables in the base kernel are linked as normal, but those in modules
are copied and relocated to a reserved portion of the kernel's vnet
region with the help of a the kernel linker.
Virtualized global variables exist in per-vnet memory set up when the
network stack instance is created, and are initialized statically from
the reference copy. Run-time access occurs via an accessor macro, which
converts from the current vnet and requested symbol to a per-vnet
address. When "options VIMAGE" is not compiled into the kernel, normal
global ELF symbols will be used instead and indirection is avoided.
This change restores static initialization for network stack global
variables, restores support for non-global symbols and types, eliminates
the need for many subsystem constructors, eliminates large per-subsystem
structures that caused many binary compatibility issues both for
monitoring applications (netstat) and kernel modules, removes the
per-function INIT_VNET_*() macros throughout the stack, eliminates the
need for vnet_symmap ksym(2) munging, and eliminates duplicate
definitions of virtualized globals under VIMAGE_GLOBALS.
Bump __FreeBSD_version and update UPDATING.
Portions submitted by: bz
Reviewed by: bz, zec
Discussed with: gnn, jamie, jeff, jhb, julian, sam
Suggested by: peter
Approved by: re (kensmith)
2009-07-14 22:48:30 +00:00
|
|
|
#include <net/vnet.h>
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
#include <netinet/in.h>
|
|
|
|
|
#include <netinet/in_systm.h>
|
|
|
|
|
#include <netinet/ip.h>
|
|
|
|
|
#include <netinet/ip_ecn.h>
|
|
|
|
|
#include <netinet/ip6.h>
|
|
|
|
|
|
|
|
|
|
#include <netipsec/ipsec.h>
|
|
|
|
|
#include <netipsec/ah.h>
|
|
|
|
|
#include <netipsec/ah_var.h>
|
|
|
|
|
#include <netipsec/xform.h>
|
|
|
|
|
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
#include <netinet6/ip6_var.h>
|
|
|
|
|
#include <netipsec/ipsec6.h>
|
|
|
|
|
#include <netinet6/ip6_ecn.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#include <netipsec/key.h>
|
|
|
|
|
#include <netipsec/key_debug.h>
|
|
|
|
|
|
|
|
|
|
#include <opencrypto/cryptodev.h>
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Return header size in bytes. The old protocol did not support
|
|
|
|
|
* the replay counter; the new protocol always includes the counter.
|
|
|
|
|
*/
|
|
|
|
|
#define HDRSIZE(sav) \
|
|
|
|
|
(((sav)->flags & SADB_X_EXT_OLD) ? \
|
|
|
|
|
sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t))
|
|
|
|
|
/*
|
2015-07-09 18:16:35 +00:00
|
|
|
* Return authenticator size in bytes, based on a field in the
|
|
|
|
|
* algorithm descriptor.
|
2002-10-16 02:10:08 +00:00
|
|
|
*/
|
2015-07-29 07:15:16 +00:00
|
|
|
#define AUTHSIZE(sav) ((sav->flags & SADB_X_EXT_OLD) ? 16 : \
|
|
|
|
|
xform_ah_authsize((sav)->tdb_authalgxform))
|
2002-10-16 02:10:08 +00:00
|
|
|
|
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator
(DPCPU), as suggested by Peter Wemm, and implement a new per-virtual
network stack memory allocator. Modify vnet to use the allocator
instead of monolithic global container structures (vinet, ...). This
change solves many binary compatibility problems associated with
VIMAGE, and restores ELF symbols for virtualized global variables.
Each virtualized global variable exists as a "reference copy", and also
once per virtual network stack. Virtualized global variables are
tagged at compile-time, placing the in a special linker set, which is
loaded into a contiguous region of kernel memory. Virtualized global
variables in the base kernel are linked as normal, but those in modules
are copied and relocated to a reserved portion of the kernel's vnet
region with the help of a the kernel linker.
Virtualized global variables exist in per-vnet memory set up when the
network stack instance is created, and are initialized statically from
the reference copy. Run-time access occurs via an accessor macro, which
converts from the current vnet and requested symbol to a per-vnet
address. When "options VIMAGE" is not compiled into the kernel, normal
global ELF symbols will be used instead and indirection is avoided.
This change restores static initialization for network stack global
variables, restores support for non-global symbols and types, eliminates
the need for many subsystem constructors, eliminates large per-subsystem
structures that caused many binary compatibility issues both for
monitoring applications (netstat) and kernel modules, removes the
per-function INIT_VNET_*() macros throughout the stack, eliminates the
need for vnet_symmap ksym(2) munging, and eliminates duplicate
definitions of virtualized globals under VIMAGE_GLOBALS.
Bump __FreeBSD_version and update UPDATING.
Portions submitted by: bz
Reviewed by: bz, zec
Discussed with: gnn, jamie, jeff, jhb, julian, sam
Suggested by: peter
Approved by: re (kensmith)
2009-07-14 22:48:30 +00:00
|
|
|
VNET_DEFINE(int, ah_enable) = 1; /* control flow of packets with AH */
|
|
|
|
|
VNET_DEFINE(int, ah_cleartos) = 1; /* clear ip_tos when doing AH calc */
|
2013-07-09 10:08:13 +00:00
|
|
|
VNET_PCPUSTAT_DEFINE(struct ahstat, ahstat);
|
|
|
|
|
VNET_PCPUSTAT_SYSINIT(ahstat);
|
|
|
|
|
|
|
|
|
|
#ifdef VIMAGE
|
|
|
|
|
VNET_PCPUSTAT_SYSUNINIT(ahstat);
|
|
|
|
|
#endif /* VIMAGE */
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2011-04-27 19:28:42 +00:00
|
|
|
#ifdef INET
|
2002-10-16 02:10:08 +00:00
|
|
|
SYSCTL_DECL(_net_inet_ah);
|
2014-11-07 09:39:05 +00:00
|
|
|
SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_enable,
|
|
|
|
|
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_enable), 0, "");
|
|
|
|
|
SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_cleartos,
|
|
|
|
|
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "");
|
2013-07-09 10:08:13 +00:00
|
|
|
SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat,
|
|
|
|
|
ahstat, "AH statistics (struct ahstat, netipsec/ah_var.h)");
|
2011-04-27 19:28:42 +00:00
|
|
|
#endif
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2022-01-24 23:27:39 +00:00
|
|
|
static MALLOC_DEFINE(M_AH, "ah", "IPsec AH");
|
|
|
|
|
|
2002-10-16 02:10:08 +00:00
|
|
|
static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
|
|
|
|
|
|
|
|
|
|
static int ah_input_cb(struct cryptop*);
|
|
|
|
|
static int ah_output_cb(struct cryptop*);
|
|
|
|
|
|
2015-07-29 07:15:16 +00:00
|
|
|
int
|
2017-02-06 08:49:57 +00:00
|
|
|
xform_ah_authsize(const struct auth_hash *esph)
|
2015-07-29 07:15:16 +00:00
|
|
|
{
|
|
|
|
|
int alen;
|
|
|
|
|
|
|
|
|
|
if (esph == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
switch (esph->type) {
|
|
|
|
|
case CRYPTO_SHA2_256_HMAC:
|
|
|
|
|
case CRYPTO_SHA2_384_HMAC:
|
|
|
|
|
case CRYPTO_SHA2_512_HMAC:
|
|
|
|
|
alen = esph->hashsize / 2; /* RFC4868 2.3 */
|
|
|
|
|
break;
|
|
|
|
|
|
2022-10-18 16:31:02 +00:00
|
|
|
case CRYPTO_POLY1305:
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
case CRYPTO_AES_NIST_GMAC:
|
2015-07-29 07:15:16 +00:00
|
|
|
alen = esph->hashsize;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
alen = AH_HMAC_HASHLEN;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return alen;
|
|
|
|
|
}
|
|
|
|
|
|
2002-10-16 02:10:08 +00:00
|
|
|
size_t
|
|
|
|
|
ah_hdrsiz(struct secasvar *sav)
|
|
|
|
|
{
|
|
|
|
|
size_t size;
|
|
|
|
|
|
|
|
|
|
if (sav != NULL) {
|
2018-06-04 18:51:06 +00:00
|
|
|
int authsize, rplen, align;
|
|
|
|
|
|
2003-09-29 22:57:43 +00:00
|
|
|
IPSEC_ASSERT(sav->tdb_authalgxform != NULL, ("null xform"));
|
2002-10-16 02:10:08 +00:00
|
|
|
/*XXX not right for null algorithm--does it matter??*/
|
2018-06-04 18:51:06 +00:00
|
|
|
|
|
|
|
|
/* RFC4302: use the correct alignment. */
|
|
|
|
|
align = sizeof(uint32_t);
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
if (sav->sah->saidx.dst.sa.sa_family == AF_INET6) {
|
|
|
|
|
align = sizeof(uint64_t);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
rplen = HDRSIZE(sav);
|
2002-10-16 02:10:08 +00:00
|
|
|
authsize = AUTHSIZE(sav);
|
2018-06-04 18:51:06 +00:00
|
|
|
size = roundup(rplen + authsize, align);
|
2002-10-16 02:10:08 +00:00
|
|
|
} else {
|
|
|
|
|
/* default guess */
|
|
|
|
|
size = sizeof (struct ah) + sizeof (u_int32_t) + 16;
|
|
|
|
|
}
|
|
|
|
|
return size;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* NB: public for use by esp_init.
|
|
|
|
|
*/
|
|
|
|
|
int
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
ah_init0(struct secasvar *sav, struct xformsw *xsp,
|
|
|
|
|
struct crypto_session_params *csp)
|
2002-10-16 02:10:08 +00:00
|
|
|
{
|
2017-02-06 08:49:57 +00:00
|
|
|
const struct auth_hash *thash;
|
2002-10-16 02:10:08 +00:00
|
|
|
int keylen;
|
|
|
|
|
|
2017-02-06 08:49:57 +00:00
|
|
|
thash = auth_algorithm_lookup(sav->alg_auth);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (thash == NULL) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: unsupported authentication algorithm %u\n",
|
|
|
|
|
__func__, sav->alg_auth));
|
2002-10-16 02:10:08 +00:00
|
|
|
return EINVAL;
|
|
|
|
|
}
|
2019-05-23 22:06:57 +00:00
|
|
|
|
2002-10-16 02:10:08 +00:00
|
|
|
/*
|
|
|
|
|
* Verify the replay state block allocation is consistent with
|
|
|
|
|
* the protocol type. We check here so we can make assumptions
|
|
|
|
|
* later during protocol processing.
|
|
|
|
|
*/
|
|
|
|
|
/* NB: replay state is setup elsewhere (sigh) */
|
|
|
|
|
if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: replay state block inconsistency, "
|
|
|
|
|
"%s algorithm %s replay state\n", __func__,
|
2002-10-16 02:10:08 +00:00
|
|
|
(sav->flags & SADB_X_EXT_OLD) ? "old" : "new",
|
|
|
|
|
sav->replay == NULL ? "without" : "with"));
|
|
|
|
|
return EINVAL;
|
|
|
|
|
}
|
|
|
|
|
if (sav->key_auth == NULL) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: no authentication key for %s algorithm\n",
|
|
|
|
|
__func__, thash->name));
|
2002-10-16 02:10:08 +00:00
|
|
|
return EINVAL;
|
|
|
|
|
}
|
|
|
|
|
keylen = _KEYLEN(sav->key_auth);
|
2017-09-26 16:18:10 +00:00
|
|
|
if (keylen > thash->keysize && thash->keysize != 0) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: invalid keylength %d, algorithm %s requires "
|
2017-09-26 16:18:10 +00:00
|
|
|
"keysize less than %d\n", __func__,
|
2002-10-16 02:10:08 +00:00
|
|
|
keylen, thash->name, thash->keysize));
|
|
|
|
|
return EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sav->tdb_xform = xsp;
|
|
|
|
|
sav->tdb_authalgxform = thash;
|
|
|
|
|
|
|
|
|
|
/* Initialize crypto session. */
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
csp->csp_auth_alg = sav->tdb_authalgxform->type;
|
2020-05-02 01:00:29 +00:00
|
|
|
if (csp->csp_auth_alg != CRYPTO_NULL_HMAC) {
|
|
|
|
|
csp->csp_auth_klen = _KEYBITS(sav->key_auth) / 8;
|
|
|
|
|
csp->csp_auth_key = sav->key_auth->key_data;
|
|
|
|
|
};
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
csp->csp_auth_mlen = AUTHSIZE(sav);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* ah_init() is called when an SPI is being set up.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
ah_init(struct secasvar *sav, struct xformsw *xsp)
|
|
|
|
|
{
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
struct crypto_session_params csp;
|
2002-10-16 02:10:08 +00:00
|
|
|
int error;
|
|
|
|
|
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
memset(&csp, 0, sizeof(csp));
|
|
|
|
|
csp.csp_mode = CSP_MODE_DIGEST;
|
2020-10-16 11:25:45 +00:00
|
|
|
|
|
|
|
|
if (sav->flags & SADB_X_SAFLAGS_ESN)
|
|
|
|
|
csp.csp_flags |= CSP_F_ESN;
|
|
|
|
|
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
error = ah_init0(sav, xsp, &csp);
|
2002-10-16 02:10:08 +00:00
|
|
|
return error ? error :
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
crypto_newsession(&sav->tdb_cryptoid, &csp, V_crypto_support);
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
|
|
2020-06-25 23:59:16 +00:00
|
|
|
static void
|
|
|
|
|
ah_cleanup(struct secasvar *sav)
|
2002-10-16 02:10:08 +00:00
|
|
|
{
|
|
|
|
|
|
2018-07-18 00:56:25 +00:00
|
|
|
crypto_freesession(sav->tdb_cryptoid);
|
|
|
|
|
sav->tdb_cryptoid = NULL;
|
2002-10-16 02:10:08 +00:00
|
|
|
sav->tdb_authalgxform = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Massage IPv4/IPv6 headers for AH processing.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
|
|
|
|
|
{
|
|
|
|
|
struct mbuf *m = *m0;
|
|
|
|
|
unsigned char *ptr;
|
|
|
|
|
int off, count;
|
|
|
|
|
|
|
|
|
|
#ifdef INET
|
|
|
|
|
struct ip *ip;
|
|
|
|
|
#endif /* INET */
|
|
|
|
|
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
struct ip6_ext *ip6e;
|
|
|
|
|
struct ip6_hdr ip6;
|
2018-01-24 19:48:25 +00:00
|
|
|
int ad, alloc, nxt, noff;
|
2002-10-16 02:10:08 +00:00
|
|
|
#endif /* INET6 */
|
|
|
|
|
|
|
|
|
|
switch (proto) {
|
|
|
|
|
#ifdef INET
|
|
|
|
|
case AF_INET:
|
|
|
|
|
/*
|
|
|
|
|
* This is the least painful way of dealing with IPv4 header
|
|
|
|
|
* and option processing -- just make sure they're in
|
|
|
|
|
* contiguous memory.
|
|
|
|
|
*/
|
|
|
|
|
*m0 = m = m_pullup(m, skip);
|
|
|
|
|
if (m == NULL) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: m_pullup failed\n", __func__));
|
2002-10-16 02:10:08 +00:00
|
|
|
return ENOBUFS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Fix the IP header */
|
|
|
|
|
ip = mtod(m, struct ip *);
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
if (V_ah_cleartos)
|
2002-10-16 02:10:08 +00:00
|
|
|
ip->ip_tos = 0;
|
|
|
|
|
ip->ip_ttl = 0;
|
|
|
|
|
ip->ip_sum = 0;
|
2020-05-02 00:06:58 +00:00
|
|
|
ip->ip_off = htons(0);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2018-01-24 19:06:44 +00:00
|
|
|
ptr = mtod(m, unsigned char *);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* IPv4 option processing */
|
|
|
|
|
for (off = sizeof(struct ip); off < skip;) {
|
|
|
|
|
if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP ||
|
|
|
|
|
off + 1 < skip)
|
|
|
|
|
;
|
|
|
|
|
else {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: illegal IPv4 option length for "
|
|
|
|
|
"option %d\n", __func__, ptr[off]));
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
m_freem(m);
|
|
|
|
|
return EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch (ptr[off]) {
|
|
|
|
|
case IPOPT_EOL:
|
|
|
|
|
off = skip; /* End the loop. */
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case IPOPT_NOP:
|
|
|
|
|
off++;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case IPOPT_SECURITY: /* 0x82 */
|
|
|
|
|
case 0x85: /* Extended security. */
|
|
|
|
|
case 0x86: /* Commercial security. */
|
|
|
|
|
case 0x94: /* Router alert */
|
|
|
|
|
case 0x95: /* RFC1770 */
|
|
|
|
|
/* Sanity check for option length. */
|
|
|
|
|
if (ptr[off + 1] < 2) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: illegal IPv4 option "
|
|
|
|
|
"length for option %d\n",
|
|
|
|
|
__func__, ptr[off]));
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
m_freem(m);
|
|
|
|
|
return EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
off += ptr[off + 1];
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case IPOPT_LSRR:
|
|
|
|
|
case IPOPT_SSRR:
|
|
|
|
|
/* Sanity check for option length. */
|
|
|
|
|
if (ptr[off + 1] < 2) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: illegal IPv4 option "
|
|
|
|
|
"length for option %d\n",
|
|
|
|
|
__func__, ptr[off]));
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
m_freem(m);
|
|
|
|
|
return EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* On output, if we have either of the
|
|
|
|
|
* source routing options, we should
|
|
|
|
|
* swap the destination address of the
|
|
|
|
|
* IP header with the last address
|
|
|
|
|
* specified in the option, as that is
|
|
|
|
|
* what the destination's IP header
|
|
|
|
|
* will look like.
|
|
|
|
|
*/
|
|
|
|
|
if (out)
|
|
|
|
|
bcopy(ptr + off + ptr[off + 1] -
|
|
|
|
|
sizeof(struct in_addr),
|
|
|
|
|
&(ip->ip_dst), sizeof(struct in_addr));
|
|
|
|
|
|
|
|
|
|
/* Fall through */
|
|
|
|
|
default:
|
|
|
|
|
/* Sanity check for option length. */
|
|
|
|
|
if (ptr[off + 1] < 2) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: illegal IPv4 option "
|
|
|
|
|
"length for option %d\n",
|
|
|
|
|
__func__, ptr[off]));
|
2002-10-16 02:10:08 +00:00
|
|
|
m_freem(m);
|
|
|
|
|
return EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Zeroize all other options. */
|
|
|
|
|
count = ptr[off + 1];
|
2018-01-24 19:06:44 +00:00
|
|
|
bcopy(ipseczeroes, ptr + off, count);
|
2002-10-16 02:10:08 +00:00
|
|
|
off += count;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Sanity check. */
|
|
|
|
|
if (off > skip) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: malformed IPv4 options header\n",
|
|
|
|
|
__func__));
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
m_freem(m);
|
|
|
|
|
return EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
#endif /* INET */
|
|
|
|
|
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
case AF_INET6: /* Ugly... */
|
|
|
|
|
/* Copy and "cook" the IPv6 header. */
|
|
|
|
|
m_copydata(m, 0, sizeof(ip6), (caddr_t) &ip6);
|
|
|
|
|
|
|
|
|
|
/* We don't do IPv6 Jumbograms. */
|
|
|
|
|
if (ip6.ip6_plen == 0) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: unsupported IPv6 jumbogram\n", __func__));
|
2002-10-16 02:10:08 +00:00
|
|
|
m_freem(m);
|
|
|
|
|
return EMSGSIZE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ip6.ip6_flow = 0;
|
|
|
|
|
ip6.ip6_hlim = 0;
|
|
|
|
|
ip6.ip6_vfc &= ~IPV6_VERSION_MASK;
|
|
|
|
|
ip6.ip6_vfc |= IPV6_VERSION;
|
|
|
|
|
|
|
|
|
|
/* Scoped address handling. */
|
|
|
|
|
if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_src))
|
|
|
|
|
ip6.ip6_src.s6_addr16[1] = 0;
|
|
|
|
|
if (IN6_IS_SCOPE_LINKLOCAL(&ip6.ip6_dst))
|
|
|
|
|
ip6.ip6_dst.s6_addr16[1] = 0;
|
|
|
|
|
|
|
|
|
|
/* Done with IPv6 header. */
|
|
|
|
|
m_copyback(m, 0, sizeof(struct ip6_hdr), (caddr_t) &ip6);
|
|
|
|
|
|
|
|
|
|
/* Let's deal with the remaining headers (if any). */
|
|
|
|
|
if (skip - sizeof(struct ip6_hdr) > 0) {
|
|
|
|
|
if (m->m_len <= skip) {
|
|
|
|
|
ptr = (unsigned char *) malloc(
|
|
|
|
|
skip - sizeof(struct ip6_hdr),
|
2022-01-24 23:27:39 +00:00
|
|
|
M_AH, M_NOWAIT);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (ptr == NULL) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: failed to allocate memory"
|
|
|
|
|
"for IPv6 headers\n",__func__));
|
2002-10-16 02:10:08 +00:00
|
|
|
m_freem(m);
|
|
|
|
|
return ENOBUFS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Copy all the protocol headers after
|
|
|
|
|
* the IPv6 header.
|
|
|
|
|
*/
|
|
|
|
|
m_copydata(m, sizeof(struct ip6_hdr),
|
|
|
|
|
skip - sizeof(struct ip6_hdr), ptr);
|
|
|
|
|
alloc = 1;
|
|
|
|
|
} else {
|
|
|
|
|
/* No need to allocate memory. */
|
|
|
|
|
ptr = mtod(m, unsigned char *) +
|
|
|
|
|
sizeof(struct ip6_hdr);
|
|
|
|
|
alloc = 0;
|
|
|
|
|
}
|
|
|
|
|
} else
|
|
|
|
|
break;
|
|
|
|
|
|
2018-01-24 19:48:25 +00:00
|
|
|
nxt = ip6.ip6_nxt & 0xff; /* Next header type. */
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2018-01-24 19:48:25 +00:00
|
|
|
for (off = 0; off < skip - sizeof(struct ip6_hdr);)
|
|
|
|
|
switch (nxt) {
|
2002-10-16 02:10:08 +00:00
|
|
|
case IPPROTO_HOPOPTS:
|
|
|
|
|
case IPPROTO_DSTOPTS:
|
2018-01-24 19:48:25 +00:00
|
|
|
ip6e = (struct ip6_ext *)(ptr + off);
|
|
|
|
|
noff = off + ((ip6e->ip6e_len + 1) << 3);
|
|
|
|
|
|
|
|
|
|
/* Sanity check. */
|
|
|
|
|
if (noff > skip - sizeof(struct ip6_hdr))
|
|
|
|
|
goto error6;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/*
|
2018-01-24 19:48:25 +00:00
|
|
|
* Zero out mutable options.
|
2002-10-16 02:10:08 +00:00
|
|
|
*/
|
2018-01-24 19:48:25 +00:00
|
|
|
for (count = off + sizeof(struct ip6_ext);
|
|
|
|
|
count < noff;) {
|
2002-10-16 02:10:08 +00:00
|
|
|
if (ptr[count] == IP6OPT_PAD1) {
|
|
|
|
|
count++;
|
|
|
|
|
continue; /* Skip padding. */
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-24 19:48:25 +00:00
|
|
|
ad = ptr[count + 1] + 2;
|
|
|
|
|
if (count + ad > noff)
|
|
|
|
|
goto error6;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
if (ptr[count] & IP6OPT_MUTABLE)
|
2018-01-24 19:48:25 +00:00
|
|
|
memset(ptr + count, 0, ad);
|
2002-10-16 02:10:08 +00:00
|
|
|
count += ad;
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-24 19:48:25 +00:00
|
|
|
if (count != noff)
|
|
|
|
|
goto error6;
|
|
|
|
|
|
2002-10-16 02:10:08 +00:00
|
|
|
/* Advance. */
|
2018-01-24 19:48:25 +00:00
|
|
|
off += ((ip6e->ip6e_len + 1) << 3);
|
|
|
|
|
nxt = ip6e->ip6e_nxt;
|
2002-10-16 02:10:08 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case IPPROTO_ROUTING:
|
|
|
|
|
/*
|
|
|
|
|
* Always include routing headers in
|
|
|
|
|
* computation.
|
|
|
|
|
*/
|
2018-01-24 19:48:25 +00:00
|
|
|
ip6e = (struct ip6_ext *) (ptr + off);
|
|
|
|
|
off += ((ip6e->ip6e_len + 1) << 3);
|
|
|
|
|
nxt = ip6e->ip6e_nxt;
|
2002-10-16 02:10:08 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: unexpected IPv6 header type %d",
|
|
|
|
|
__func__, off));
|
2018-01-24 19:48:25 +00:00
|
|
|
error6:
|
2002-10-16 02:10:08 +00:00
|
|
|
if (alloc)
|
2022-01-24 23:27:39 +00:00
|
|
|
free(ptr, M_AH);
|
2002-10-16 02:10:08 +00:00
|
|
|
m_freem(m);
|
|
|
|
|
return EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Copyback and free, if we allocated. */
|
|
|
|
|
if (alloc) {
|
|
|
|
|
m_copyback(m, sizeof(struct ip6_hdr),
|
|
|
|
|
skip - sizeof(struct ip6_hdr), ptr);
|
2022-01-24 23:27:39 +00:00
|
|
|
free(ptr, M_AH);
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
#endif /* INET6 */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* ah_input() gets called to verify that an input packet
|
|
|
|
|
* passes authentication.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
|
|
|
|
{
|
2017-05-29 09:30:38 +00:00
|
|
|
IPSEC_DEBUG_DECLARE(char buf[128]);
|
2017-02-06 08:49:57 +00:00
|
|
|
const struct auth_hash *ahx;
|
2002-10-16 02:10:08 +00:00
|
|
|
struct cryptop *crp;
|
2017-02-06 08:49:57 +00:00
|
|
|
struct xform_data *xd;
|
|
|
|
|
struct newah *ah;
|
2018-07-13 23:46:07 +00:00
|
|
|
crypto_session_t cryptoid;
|
2018-06-04 18:51:06 +00:00
|
|
|
int hl, rplen, authsize, ahsize, error;
|
2020-10-16 11:24:12 +00:00
|
|
|
uint32_t seqh;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2022-06-23 20:35:29 +00:00
|
|
|
SECASVAR_RLOCK_TRACKER;
|
|
|
|
|
|
2003-09-29 22:57:43 +00:00
|
|
|
IPSEC_ASSERT(sav != NULL, ("null SA"));
|
|
|
|
|
IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key"));
|
|
|
|
|
IPSEC_ASSERT(sav->tdb_authalgxform != NULL,
|
|
|
|
|
("null authentication xform"));
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* Figure out header size. */
|
|
|
|
|
rplen = HDRSIZE(sav);
|
|
|
|
|
|
2019-12-01 00:22:04 +00:00
|
|
|
if (m->m_len < skip + rplen) {
|
|
|
|
|
m = m_pullup(m, skip + rplen);
|
|
|
|
|
if (m == NULL) {
|
|
|
|
|
DPRINTF(("ah_input: cannot pullup header\n"));
|
|
|
|
|
AHSTAT_INC(ahs_hdrops); /*XXX*/
|
|
|
|
|
error = ENOBUFS;
|
|
|
|
|
goto bad;
|
|
|
|
|
}
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
2019-11-15 21:44:17 +00:00
|
|
|
ah = (struct newah *)(mtod(m, caddr_t) + skip);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* Check replay window, if applicable. */
|
2022-06-23 20:35:29 +00:00
|
|
|
SECASVAR_RLOCK(sav);
|
2017-02-06 08:49:57 +00:00
|
|
|
if (sav->replay != NULL && sav->replay->wsize != 0 &&
|
2020-10-16 11:24:12 +00:00
|
|
|
ipsec_chkreplay(ntohl(ah->ah_seq), &seqh, sav) == 0) {
|
2022-06-23 20:35:29 +00:00
|
|
|
SECASVAR_RUNLOCK(sav);
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_replay);
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: packet replay failure: %s\n", __func__,
|
2017-02-06 08:49:57 +00:00
|
|
|
ipsec_sa2str(sav, buf, sizeof(buf))));
|
2017-05-23 09:01:48 +00:00
|
|
|
error = EACCES;
|
|
|
|
|
goto bad;
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
2017-02-06 08:49:57 +00:00
|
|
|
cryptoid = sav->tdb_cryptoid;
|
2022-06-23 20:35:29 +00:00
|
|
|
SECASVAR_RUNLOCK(sav);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* Verify AH header length. */
|
2018-06-04 18:51:06 +00:00
|
|
|
hl = sizeof(struct ah) + (ah->ah_len * sizeof (u_int32_t));
|
2002-10-16 02:10:08 +00:00
|
|
|
ahx = sav->tdb_authalgxform;
|
|
|
|
|
authsize = AUTHSIZE(sav);
|
2018-06-04 18:51:06 +00:00
|
|
|
ahsize = ah_hdrsiz(sav);
|
|
|
|
|
if (hl != ahsize) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: bad authenticator length %u (expecting %lu)"
|
2015-04-18 16:58:33 +00:00
|
|
|
" for packet in SA %s/%08lx\n", __func__, hl,
|
2018-06-04 18:51:06 +00:00
|
|
|
(u_long)ahsize,
|
2015-04-18 16:58:33 +00:00
|
|
|
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
|
|
|
|
|
(u_long) ntohl(sav->spi)));
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_badauthl);
|
2017-05-23 09:01:48 +00:00
|
|
|
error = EACCES;
|
|
|
|
|
goto bad;
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
2018-06-04 18:51:06 +00:00
|
|
|
if (skip + ahsize > m->m_pkthdr.len) {
|
2018-02-19 11:14:38 +00:00
|
|
|
DPRINTF(("%s: bad mbuf length %u (expecting %lu)"
|
|
|
|
|
" for packet in SA %s/%08lx\n", __func__,
|
2018-06-04 18:51:06 +00:00
|
|
|
m->m_pkthdr.len, (u_long)(skip + ahsize),
|
2018-02-19 11:14:38 +00:00
|
|
|
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
|
|
|
|
|
(u_long) ntohl(sav->spi)));
|
|
|
|
|
AHSTAT_INC(ahs_badauthl);
|
|
|
|
|
error = EACCES;
|
|
|
|
|
goto bad;
|
|
|
|
|
}
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* Get crypto descriptors. */
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
crp = crypto_getreq(cryptoid, M_NOWAIT);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (crp == NULL) {
|
2017-02-06 08:49:57 +00:00
|
|
|
DPRINTF(("%s: failed to acquire crypto descriptor\n",
|
|
|
|
|
__func__));
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_crypto);
|
2017-05-23 09:01:48 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
|
goto bad;
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
|
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
crp->crp_payload_start = 0;
|
|
|
|
|
crp->crp_payload_length = m->m_pkthdr.len;
|
|
|
|
|
crp->crp_digest_start = skip + rplen;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* Allocate IPsec-specific opaque crypto info. */
|
2022-01-24 23:27:39 +00:00
|
|
|
xd = malloc(sizeof(*xd) + skip + rplen + authsize, M_AH,
|
2017-02-06 08:49:57 +00:00
|
|
|
M_NOWAIT | M_ZERO);
|
|
|
|
|
if (xd == NULL) {
|
|
|
|
|
DPRINTF(("%s: failed to allocate xform_data\n", __func__));
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_crypto);
|
2002-10-16 02:10:08 +00:00
|
|
|
crypto_freereq(crp);
|
2017-05-23 09:01:48 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
|
goto bad;
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
|
|
2014-12-11 17:07:21 +00:00
|
|
|
/*
|
|
|
|
|
* Save the authenticator, the skipped portion of the packet,
|
|
|
|
|
* and the AH header.
|
|
|
|
|
*/
|
2017-02-06 08:49:57 +00:00
|
|
|
m_copydata(m, 0, skip + rplen + authsize, (caddr_t)(xd + 1));
|
2014-12-11 17:07:21 +00:00
|
|
|
|
|
|
|
|
/* Zeroize the authenticator on the packet. */
|
|
|
|
|
m_copyback(m, skip + rplen, authsize, ipseczeroes);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2018-02-19 11:14:38 +00:00
|
|
|
/* Save ah_nxt, since ah pointer can become invalid after "massage" */
|
|
|
|
|
hl = ah->ah_nxt;
|
|
|
|
|
|
2014-12-11 17:07:21 +00:00
|
|
|
/* "Massage" the packet headers for crypto processing. */
|
|
|
|
|
error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
|
|
|
|
|
skip, ahx->type, 0);
|
|
|
|
|
if (error != 0) {
|
|
|
|
|
/* NB: mbuf is free'd by ah_massage_headers */
|
|
|
|
|
AHSTAT_INC(ahs_hdrops);
|
2022-01-24 23:27:39 +00:00
|
|
|
free(xd, M_AH);
|
2014-12-11 17:07:21 +00:00
|
|
|
crypto_freereq(crp);
|
2017-05-23 09:01:48 +00:00
|
|
|
key_freesav(&sav);
|
2014-12-11 17:07:21 +00:00
|
|
|
return (error);
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Crypto operation descriptor. */
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
crp->crp_op = CRYPTO_OP_COMPUTE_DIGEST;
|
|
|
|
|
crp->crp_flags = CRYPTO_F_CBIFSYNC;
|
Add support for optional separate output buffers to in-kernel crypto.
Some crypto consumers such as GELI and KTLS for file-backed sendfile
need to store their output in a separate buffer from the input.
Currently these consumers copy the contents of the input buffer into
the output buffer and queue an in-place crypto operation on the output
buffer. Using a separate output buffer avoids this copy.
- Create a new 'struct crypto_buffer' describing a crypto buffer
containing a type and type-specific fields. crp_ilen is gone,
instead buffers that use a flat kernel buffer have a cb_buf_len
field for their length. The length of other buffer types is
inferred from the backing store (e.g. uio_resid for a uio).
Requests now have two such structures: crp_buf for the input buffer,
and crp_obuf for the output buffer.
- Consumers now use helper functions (crypto_use_*,
e.g. crypto_use_mbuf()) to configure the input buffer. If an output
buffer is not configured, the request still modifies the input
buffer in-place. A consumer uses a second set of helper functions
(crypto_use_output_*) to configure an output buffer.
- Consumers must request support for separate output buffers when
creating a crypto session via the CSP_F_SEPARATE_OUTPUT flag and are
only permitted to queue a request with a separate output buffer on
sessions with this flag set. Existing drivers already reject
sessions with unknown flags, so this permits drivers to be modified
to support this extension without requiring all drivers to change.
- Several data-related functions now have matching versions that
operate on an explicit buffer (e.g. crypto_apply_buf,
crypto_contiguous_subsegment_buf, bus_dma_load_crp_buf).
- Most of the existing data-related functions operate on the input
buffer. However crypto_copyback always writes to the output buffer
if a request uses a separate output buffer.
- For the regions in input/output buffers, the following conventions
are followed:
- AAD and IV are always present in input only and their
fields are offsets into the input buffer.
- payload is always present in both buffers. If a request uses a
separate output buffer, it must set a new crp_payload_start_output
field to the offset of the payload in the output buffer.
- digest is in the input buffer for verify operations, and in the
output buffer for compute operations. crp_digest_start is relative
to the appropriate buffer.
- Add a crypto buffer cursor abstraction. This is a more general form
of some bits in the cryptosoft driver that tried to always use uio's.
However, compared to the original code, this avoids rewalking the uio
iovec array for requests with multiple vectors. It also avoids
allocate an iovec array for mbufs and populating it by instead walking
the mbuf chain directly.
- Update the cryptosoft(4) driver to support separate output buffers
making use of the cursor abstraction.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D24545
2020-05-25 22:12:04 +00:00
|
|
|
crypto_use_mbuf(crp, m);
|
2002-10-16 02:10:08 +00:00
|
|
|
crp->crp_callback = ah_input_cb;
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
crp->crp_opaque = xd;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2020-10-16 11:25:45 +00:00
|
|
|
if (sav->flags & SADB_X_SAFLAGS_ESN &&
|
|
|
|
|
sav->replay != NULL && sav->replay->wsize != 0) {
|
|
|
|
|
seqh = htonl(seqh);
|
|
|
|
|
memcpy(crp->crp_esn, &seqh, sizeof(seqh));
|
|
|
|
|
}
|
|
|
|
|
|
2002-10-16 02:10:08 +00:00
|
|
|
/* These are passed as-is to the callback. */
|
2017-02-06 08:49:57 +00:00
|
|
|
xd->sav = sav;
|
2018-02-19 11:14:38 +00:00
|
|
|
xd->nxt = hl;
|
2017-02-06 08:49:57 +00:00
|
|
|
xd->protoff = protoff;
|
|
|
|
|
xd->skip = skip;
|
|
|
|
|
xd->cryptoid = cryptoid;
|
2018-03-20 17:05:23 +00:00
|
|
|
xd->vnet = curvnet;
|
opencrypto: Introduce crypto_dispatch_async()
Currently, OpenCrypto consumers can request asynchronous dispatch by
setting a flag in the cryptop. (Currently only IPSec may do this.) I
think this is a bit confusing: we (conditionally) set cryptop flags to
request async dispatch, and then crypto_dispatch() immediately examines
those flags to see if the consumer wants async dispatch. The flag names
are also confusing since they don't specify what "async" applies to:
dispatch or completion.
Add a new KPI, crypto_dispatch_async(), rather than encoding the
requested dispatch type in each cryptop. crypto_dispatch_async() falls
back to crypto_dispatch() if the session's driver provides asynchronous
dispatch. Get rid of CRYPTOP_ASYNC() and CRYPTOP_ASYNC_KEEPORDER().
Similarly, add crypto_dispatch_batch() to request processing of a tailq
of cryptops, rather than encoding the scheduling policy using cryptop
flags. Convert GELI, the only user of this interface (disabled by
default) to use the new interface.
Add CRYPTO_SESS_SYNC(), which can be used by consumers to determine
whether crypto requests will be dispatched synchronously. This is just
a helper macro. Use it instead of looking at cap flags directly.
Fix style in crypto_done(). Also get rid of CRYPTO_RETW_EMPTY() and
just check the relevant queues directly. This could result in some
unnecessary wakeups but I think it's very uncommon to be using more than
one queue per worker in a given workload, so checking all three queues
is a waste of cycles.
Reviewed by: jhb
Sponsored by: Ampere Computing
Submitted by: Klara, Inc.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D28194
2021-02-08 14:19:19 +00:00
|
|
|
if (V_async_crypto)
|
|
|
|
|
return (crypto_dispatch_async(crp, CRYPTO_ASYNC_ORDERED));
|
|
|
|
|
else
|
|
|
|
|
return (crypto_dispatch(crp));
|
2017-05-23 09:01:48 +00:00
|
|
|
bad:
|
|
|
|
|
m_freem(m);
|
|
|
|
|
key_freesav(&sav);
|
|
|
|
|
return (error);
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* AH input callback from the crypto driver.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
ah_input_cb(struct cryptop *crp)
|
|
|
|
|
{
|
2017-05-29 09:30:38 +00:00
|
|
|
IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
|
2002-10-16 02:10:08 +00:00
|
|
|
unsigned char calc[AH_ALEN_MAX];
|
|
|
|
|
struct mbuf *m;
|
2017-02-06 08:49:57 +00:00
|
|
|
struct xform_data *xd;
|
2002-10-16 02:10:08 +00:00
|
|
|
struct secasvar *sav;
|
|
|
|
|
struct secasindex *saidx;
|
|
|
|
|
caddr_t ptr;
|
2018-07-13 23:46:07 +00:00
|
|
|
crypto_session_t cryptoid;
|
2018-06-04 18:51:06 +00:00
|
|
|
int authsize, rplen, ahsize, error, skip, protoff;
|
2017-02-06 08:49:57 +00:00
|
|
|
uint8_t nxt;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2022-06-23 20:35:29 +00:00
|
|
|
SECASVAR_RLOCK_TRACKER;
|
|
|
|
|
|
Add support for optional separate output buffers to in-kernel crypto.
Some crypto consumers such as GELI and KTLS for file-backed sendfile
need to store their output in a separate buffer from the input.
Currently these consumers copy the contents of the input buffer into
the output buffer and queue an in-place crypto operation on the output
buffer. Using a separate output buffer avoids this copy.
- Create a new 'struct crypto_buffer' describing a crypto buffer
containing a type and type-specific fields. crp_ilen is gone,
instead buffers that use a flat kernel buffer have a cb_buf_len
field for their length. The length of other buffer types is
inferred from the backing store (e.g. uio_resid for a uio).
Requests now have two such structures: crp_buf for the input buffer,
and crp_obuf for the output buffer.
- Consumers now use helper functions (crypto_use_*,
e.g. crypto_use_mbuf()) to configure the input buffer. If an output
buffer is not configured, the request still modifies the input
buffer in-place. A consumer uses a second set of helper functions
(crypto_use_output_*) to configure an output buffer.
- Consumers must request support for separate output buffers when
creating a crypto session via the CSP_F_SEPARATE_OUTPUT flag and are
only permitted to queue a request with a separate output buffer on
sessions with this flag set. Existing drivers already reject
sessions with unknown flags, so this permits drivers to be modified
to support this extension without requiring all drivers to change.
- Several data-related functions now have matching versions that
operate on an explicit buffer (e.g. crypto_apply_buf,
crypto_contiguous_subsegment_buf, bus_dma_load_crp_buf).
- Most of the existing data-related functions operate on the input
buffer. However crypto_copyback always writes to the output buffer
if a request uses a separate output buffer.
- For the regions in input/output buffers, the following conventions
are followed:
- AAD and IV are always present in input only and their
fields are offsets into the input buffer.
- payload is always present in both buffers. If a request uses a
separate output buffer, it must set a new crp_payload_start_output
field to the offset of the payload in the output buffer.
- digest is in the input buffer for verify operations, and in the
output buffer for compute operations. crp_digest_start is relative
to the appropriate buffer.
- Add a crypto buffer cursor abstraction. This is a more general form
of some bits in the cryptosoft driver that tried to always use uio's.
However, compared to the original code, this avoids rewalking the uio
iovec array for requests with multiple vectors. It also avoids
allocate an iovec array for mbufs and populating it by instead walking
the mbuf chain directly.
- Update the cryptosoft(4) driver to support separate output buffers
making use of the cursor abstraction.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D24545
2020-05-25 22:12:04 +00:00
|
|
|
m = crp->crp_buf.cb_mbuf;
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
xd = crp->crp_opaque;
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_SET(xd->vnet);
|
2017-02-06 08:49:57 +00:00
|
|
|
sav = xd->sav;
|
|
|
|
|
skip = xd->skip;
|
|
|
|
|
nxt = xd->nxt;
|
|
|
|
|
protoff = xd->protoff;
|
|
|
|
|
cryptoid = xd->cryptoid;
|
2002-10-16 02:10:08 +00:00
|
|
|
saidx = &sav->sah->saidx;
|
2003-09-29 22:57:43 +00:00
|
|
|
IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
|
2002-10-16 02:10:08 +00:00
|
|
|
saidx->dst.sa.sa_family == AF_INET6,
|
2003-09-29 22:57:43 +00:00
|
|
|
("unexpected protocol family %u", saidx->dst.sa.sa_family));
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* Check for crypto errors. */
|
|
|
|
|
if (crp->crp_etype) {
|
2017-02-06 08:49:57 +00:00
|
|
|
if (crp->crp_etype == EAGAIN) {
|
|
|
|
|
/* Reset the session ID */
|
2018-07-18 00:56:25 +00:00
|
|
|
if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
|
2017-02-06 08:49:57 +00:00
|
|
|
crypto_freesession(cryptoid);
|
2018-07-18 00:56:25 +00:00
|
|
|
xd->cryptoid = crp->crp_session;
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_RESTORE();
|
2011-11-26 23:13:30 +00:00
|
|
|
return (crypto_dispatch(crp));
|
2017-02-06 08:49:57 +00:00
|
|
|
}
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_noxform);
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
|
2002-10-16 02:10:08 +00:00
|
|
|
error = crp->crp_etype;
|
|
|
|
|
goto bad;
|
|
|
|
|
} else {
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_hist[sav->alg_auth]);
|
2002-10-16 02:10:08 +00:00
|
|
|
crypto_freereq(crp); /* No longer needed. */
|
|
|
|
|
crp = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Shouldn't happen... */
|
|
|
|
|
if (m == NULL) {
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_crypto);
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
|
2002-10-16 02:10:08 +00:00
|
|
|
error = EINVAL;
|
|
|
|
|
goto bad;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Figure out header size. */
|
|
|
|
|
rplen = HDRSIZE(sav);
|
|
|
|
|
authsize = AUTHSIZE(sav);
|
2018-06-04 18:51:06 +00:00
|
|
|
ahsize = ah_hdrsiz(sav);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* Copy authenticator off the packet. */
|
|
|
|
|
m_copydata(m, skip + rplen, authsize, calc);
|
|
|
|
|
|
2014-12-11 17:07:21 +00:00
|
|
|
/* Verify authenticator. */
|
2017-02-06 08:49:57 +00:00
|
|
|
ptr = (caddr_t) (xd + 1);
|
2015-07-31 00:31:52 +00:00
|
|
|
if (timingsafe_bcmp(ptr + skip + rplen, calc, authsize)) {
|
2014-12-11 17:07:21 +00:00
|
|
|
DPRINTF(("%s: authentication hash mismatch for packet "
|
|
|
|
|
"in SA %s/%08lx\n", __func__,
|
2015-04-18 16:58:33 +00:00
|
|
|
ipsec_address(&saidx->dst, buf, sizeof(buf)),
|
2014-12-11 17:07:21 +00:00
|
|
|
(u_long) ntohl(sav->spi)));
|
|
|
|
|
AHSTAT_INC(ahs_badauth);
|
|
|
|
|
error = EACCES;
|
|
|
|
|
goto bad;
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
2014-12-11 17:07:21 +00:00
|
|
|
/* Fix the Next Protocol field. */
|
2017-02-06 08:49:57 +00:00
|
|
|
((uint8_t *) ptr)[protoff] = nxt;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2014-12-11 17:07:21 +00:00
|
|
|
/* Copyback the saved (uncooked) network headers. */
|
|
|
|
|
m_copyback(m, 0, skip, ptr);
|
2022-01-24 23:27:39 +00:00
|
|
|
free(xd, M_AH), xd = NULL; /* No longer needed */
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Header is now authenticated.
|
|
|
|
|
*/
|
|
|
|
|
m->m_flags |= M_AUTHIPHDR|M_AUTHIPDGM;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Update replay sequence number, if appropriate.
|
|
|
|
|
*/
|
|
|
|
|
if (sav->replay) {
|
|
|
|
|
u_int32_t seq;
|
|
|
|
|
|
|
|
|
|
m_copydata(m, skip + offsetof(struct newah, ah_seq),
|
|
|
|
|
sizeof (seq), (caddr_t) &seq);
|
2022-06-23 20:35:29 +00:00
|
|
|
SECASVAR_RLOCK(sav);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (ipsec_updatereplay(ntohl(seq), sav)) {
|
2022-06-23 20:35:29 +00:00
|
|
|
SECASVAR_RUNLOCK(sav);
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_replay);
|
2017-02-06 08:49:57 +00:00
|
|
|
error = EACCES;
|
2002-10-16 02:10:08 +00:00
|
|
|
goto bad;
|
|
|
|
|
}
|
2022-06-23 20:35:29 +00:00
|
|
|
SECASVAR_RUNLOCK(sav);
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Remove the AH header and authenticator from the mbuf.
|
|
|
|
|
*/
|
2018-06-04 18:51:06 +00:00
|
|
|
error = m_striphdr(m, skip, ahsize);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (error) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
|
2015-04-18 16:58:33 +00:00
|
|
|
ipsec_address(&saidx->dst, buf, sizeof(buf)),
|
|
|
|
|
(u_long) ntohl(sav->spi)));
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_hdrops);
|
2002-10-16 02:10:08 +00:00
|
|
|
goto bad;
|
|
|
|
|
}
|
|
|
|
|
|
2011-04-27 19:28:42 +00:00
|
|
|
switch (saidx->dst.sa.sa_family) {
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
case AF_INET6:
|
2014-12-11 17:14:49 +00:00
|
|
|
error = ipsec6_common_input_cb(m, sav, skip, protoff);
|
2011-04-27 19:28:42 +00:00
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef INET
|
|
|
|
|
case AF_INET:
|
2014-12-11 17:14:49 +00:00
|
|
|
error = ipsec4_common_input_cb(m, sav, skip, protoff);
|
2011-04-27 19:28:42 +00:00
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
default:
|
|
|
|
|
panic("%s: Unexpected address family: %d saidx=%p", __func__,
|
|
|
|
|
saidx->dst.sa.sa_family, saidx);
|
|
|
|
|
}
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_RESTORE();
|
2002-10-16 02:10:08 +00:00
|
|
|
return error;
|
|
|
|
|
bad:
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_RESTORE();
|
2002-10-16 02:10:08 +00:00
|
|
|
if (sav)
|
2017-02-06 08:49:57 +00:00
|
|
|
key_freesav(&sav);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (m != NULL)
|
|
|
|
|
m_freem(m);
|
2017-02-06 08:49:57 +00:00
|
|
|
if (xd != NULL)
|
2022-01-24 23:27:39 +00:00
|
|
|
free(xd, M_AH);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (crp != NULL)
|
|
|
|
|
crypto_freereq(crp);
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2017-02-06 08:49:57 +00:00
|
|
|
* AH output routine, called by ipsec[46]_perform_request().
|
2002-10-16 02:10:08 +00:00
|
|
|
*/
|
|
|
|
|
static int
|
2017-02-06 08:49:57 +00:00
|
|
|
ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
|
|
|
|
|
u_int idx, int skip, int protoff)
|
2002-10-16 02:10:08 +00:00
|
|
|
{
|
2017-05-29 09:30:38 +00:00
|
|
|
IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
|
2017-02-06 08:49:57 +00:00
|
|
|
const struct auth_hash *ahx;
|
|
|
|
|
struct xform_data *xd;
|
2002-10-16 02:10:08 +00:00
|
|
|
struct mbuf *mi;
|
|
|
|
|
struct cryptop *crp;
|
|
|
|
|
struct newah *ah;
|
2018-07-13 23:46:07 +00:00
|
|
|
crypto_session_t cryptoid;
|
2017-02-06 08:49:57 +00:00
|
|
|
uint16_t iplen;
|
2018-06-04 18:51:06 +00:00
|
|
|
int error, rplen, authsize, ahsize, maxpacketsize, roff;
|
2017-02-06 08:49:57 +00:00
|
|
|
uint8_t prot;
|
2020-10-16 11:25:45 +00:00
|
|
|
uint32_t seqh;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2022-06-23 20:35:29 +00:00
|
|
|
SECASVAR_RLOCK_TRACKER;
|
|
|
|
|
|
2003-09-29 22:57:43 +00:00
|
|
|
IPSEC_ASSERT(sav != NULL, ("null SA"));
|
2002-10-16 02:10:08 +00:00
|
|
|
ahx = sav->tdb_authalgxform;
|
2003-09-29 22:57:43 +00:00
|
|
|
IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_output);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* Figure out header size. */
|
|
|
|
|
rplen = HDRSIZE(sav);
|
2018-06-04 18:51:06 +00:00
|
|
|
authsize = AUTHSIZE(sav);
|
|
|
|
|
ahsize = ah_hdrsiz(sav);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* Check for maximum packet size violations. */
|
|
|
|
|
switch (sav->sah->saidx.dst.sa.sa_family) {
|
|
|
|
|
#ifdef INET
|
|
|
|
|
case AF_INET:
|
|
|
|
|
maxpacketsize = IP_MAXPACKET;
|
|
|
|
|
break;
|
|
|
|
|
#endif /* INET */
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
case AF_INET6:
|
|
|
|
|
maxpacketsize = IPV6_MAXPACKET;
|
|
|
|
|
break;
|
|
|
|
|
#endif /* INET6 */
|
|
|
|
|
default:
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: unknown/unsupported protocol family %u, "
|
|
|
|
|
"SA %s/%08lx\n", __func__,
|
2002-10-16 02:10:08 +00:00
|
|
|
sav->sah->saidx.dst.sa.sa_family,
|
2015-04-18 16:58:33 +00:00
|
|
|
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
|
2002-10-16 02:10:08 +00:00
|
|
|
(u_long) ntohl(sav->spi)));
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_nopf);
|
2002-10-16 02:10:08 +00:00
|
|
|
error = EPFNOSUPPORT;
|
|
|
|
|
goto bad;
|
|
|
|
|
}
|
2018-06-04 18:51:06 +00:00
|
|
|
if (ahsize + m->m_pkthdr.len > maxpacketsize) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: packet in SA %s/%08lx got too big "
|
|
|
|
|
"(len %u, max len %u)\n", __func__,
|
2015-04-18 16:58:33 +00:00
|
|
|
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
|
2002-10-16 02:10:08 +00:00
|
|
|
(u_long) ntohl(sav->spi),
|
2018-06-04 18:51:06 +00:00
|
|
|
ahsize + m->m_pkthdr.len, maxpacketsize));
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_toobig);
|
2002-10-16 02:10:08 +00:00
|
|
|
error = EMSGSIZE;
|
|
|
|
|
goto bad;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Update the counters. */
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_ADD(ahs_obytes, m->m_pkthdr.len - skip);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2006-03-15 21:11:11 +00:00
|
|
|
m = m_unshare(m, M_NOWAIT);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (m == NULL) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
|
2015-04-18 16:58:33 +00:00
|
|
|
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
|
2002-10-16 02:10:08 +00:00
|
|
|
(u_long) ntohl(sav->spi)));
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_hdrops);
|
2002-10-16 02:10:08 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
|
goto bad;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Inject AH header. */
|
2018-06-04 18:51:06 +00:00
|
|
|
mi = m_makespace(m, skip, ahsize, &roff);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (mi == NULL) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: failed to inject %u byte AH header for SA "
|
2018-06-04 18:51:06 +00:00
|
|
|
"%s/%08lx\n", __func__, ahsize,
|
2015-04-18 16:58:33 +00:00
|
|
|
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
|
2002-10-16 02:10:08 +00:00
|
|
|
(u_long) ntohl(sav->spi)));
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_hdrops); /*XXX differs from openbsd */
|
2002-10-16 02:10:08 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
|
goto bad;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The AH header is guaranteed by m_makespace() to be in
|
|
|
|
|
* contiguous memory, at roff bytes offset into the returned mbuf.
|
|
|
|
|
*/
|
|
|
|
|
ah = (struct newah *)(mtod(mi, caddr_t) + roff);
|
|
|
|
|
|
|
|
|
|
/* Initialize the AH header. */
|
|
|
|
|
m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &ah->ah_nxt);
|
2018-06-04 18:51:06 +00:00
|
|
|
ah->ah_len = (ahsize - sizeof(struct ah)) / sizeof(u_int32_t);
|
2002-10-16 02:10:08 +00:00
|
|
|
ah->ah_reserve = 0;
|
|
|
|
|
ah->ah_spi = sav->spi;
|
|
|
|
|
|
|
|
|
|
/* Zeroize authenticator. */
|
|
|
|
|
m_copyback(m, skip + rplen, authsize, ipseczeroes);
|
|
|
|
|
|
2018-06-04 18:51:06 +00:00
|
|
|
/* Zeroize padding */
|
|
|
|
|
m_copyback(m, skip + rplen + authsize, ahsize - (rplen + authsize),
|
|
|
|
|
ipseczeroes);
|
|
|
|
|
|
2002-10-16 02:10:08 +00:00
|
|
|
/* Insert packet replay counter, as requested. */
|
2022-06-23 20:35:29 +00:00
|
|
|
SECASVAR_RLOCK(sav);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (sav->replay) {
|
2022-06-23 20:35:29 +00:00
|
|
|
SECREPLAY_LOCK(sav->replay);
|
2020-10-16 11:24:12 +00:00
|
|
|
if ((sav->replay->count == ~0 ||
|
|
|
|
|
(!(sav->flags & SADB_X_SAFLAGS_ESN) &&
|
|
|
|
|
((uint32_t)sav->replay->count) == ~0)) &&
|
2002-10-16 02:10:08 +00:00
|
|
|
(sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
|
2022-06-23 20:35:29 +00:00
|
|
|
SECREPLAY_UNLOCK(sav->replay);
|
|
|
|
|
SECASVAR_RUNLOCK(sav);
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n",
|
2015-04-18 16:58:33 +00:00
|
|
|
__func__, ipsec_address(&sav->sah->saidx.dst, buf,
|
|
|
|
|
sizeof(buf)), (u_long) ntohl(sav->spi)));
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_wrap);
|
2017-02-06 08:49:57 +00:00
|
|
|
error = EACCES;
|
2002-10-16 02:10:08 +00:00
|
|
|
goto bad;
|
|
|
|
|
}
|
2006-04-10 15:04:36 +00:00
|
|
|
#ifdef REGRESSION
|
2006-04-09 19:11:45 +00:00
|
|
|
/* Emulate replay attack when ipsec_replay is TRUE. */
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
if (!V_ipsec_replay)
|
2006-04-10 15:04:36 +00:00
|
|
|
#endif
|
2006-04-09 19:11:45 +00:00
|
|
|
sav->replay->count++;
|
2020-10-16 11:24:12 +00:00
|
|
|
ah->ah_seq = htonl((uint32_t)sav->replay->count);
|
2022-06-23 20:35:29 +00:00
|
|
|
SECREPLAY_UNLOCK(sav->replay);
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
2017-02-06 08:49:57 +00:00
|
|
|
cryptoid = sav->tdb_cryptoid;
|
2022-06-23 20:35:29 +00:00
|
|
|
SECASVAR_RUNLOCK(sav);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* Get crypto descriptors. */
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
crp = crypto_getreq(cryptoid, M_NOWAIT);
|
2002-10-16 02:10:08 +00:00
|
|
|
if (crp == NULL) {
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: failed to acquire crypto descriptors\n",
|
|
|
|
|
__func__));
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_crypto);
|
2002-10-16 02:10:08 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
|
goto bad;
|
|
|
|
|
}
|
|
|
|
|
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
crp->crp_payload_start = 0;
|
|
|
|
|
crp->crp_payload_length = m->m_pkthdr.len;
|
|
|
|
|
crp->crp_digest_start = skip + rplen;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* Allocate IPsec-specific opaque crypto info. */
|
2022-01-24 23:27:39 +00:00
|
|
|
xd = malloc(sizeof(struct xform_data) + skip, M_AH,
|
2017-02-06 08:49:57 +00:00
|
|
|
M_NOWAIT | M_ZERO);
|
|
|
|
|
if (xd == NULL) {
|
2002-10-16 02:10:08 +00:00
|
|
|
crypto_freereq(crp);
|
2017-02-06 08:49:57 +00:00
|
|
|
DPRINTF(("%s: failed to allocate xform_data\n", __func__));
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_crypto);
|
2002-10-16 02:10:08 +00:00
|
|
|
error = ENOBUFS;
|
|
|
|
|
goto bad;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Save the skipped portion of the packet. */
|
2017-02-06 08:49:57 +00:00
|
|
|
m_copydata(m, 0, skip, (caddr_t) (xd + 1));
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Fix IP header length on the header used for
|
|
|
|
|
* authentication. We don't need to fix the original
|
|
|
|
|
* header length as it will be fixed by our caller.
|
|
|
|
|
*/
|
|
|
|
|
switch (sav->sah->saidx.dst.sa.sa_family) {
|
|
|
|
|
#ifdef INET
|
|
|
|
|
case AF_INET:
|
2017-02-06 08:49:57 +00:00
|
|
|
bcopy(((caddr_t)(xd + 1)) +
|
2002-10-16 02:10:08 +00:00
|
|
|
offsetof(struct ip, ip_len),
|
|
|
|
|
(caddr_t) &iplen, sizeof(u_int16_t));
|
2018-06-04 18:51:06 +00:00
|
|
|
iplen = htons(ntohs(iplen) + ahsize);
|
2002-10-16 02:10:08 +00:00
|
|
|
m_copyback(m, offsetof(struct ip, ip_len),
|
|
|
|
|
sizeof(u_int16_t), (caddr_t) &iplen);
|
|
|
|
|
break;
|
|
|
|
|
#endif /* INET */
|
|
|
|
|
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
case AF_INET6:
|
2017-02-06 08:49:57 +00:00
|
|
|
bcopy(((caddr_t)(xd + 1)) +
|
2002-10-16 02:10:08 +00:00
|
|
|
offsetof(struct ip6_hdr, ip6_plen),
|
2017-02-06 08:49:57 +00:00
|
|
|
(caddr_t) &iplen, sizeof(uint16_t));
|
2018-06-04 18:51:06 +00:00
|
|
|
iplen = htons(ntohs(iplen) + ahsize);
|
2002-10-16 02:10:08 +00:00
|
|
|
m_copyback(m, offsetof(struct ip6_hdr, ip6_plen),
|
2017-02-06 08:49:57 +00:00
|
|
|
sizeof(uint16_t), (caddr_t) &iplen);
|
2002-10-16 02:10:08 +00:00
|
|
|
break;
|
|
|
|
|
#endif /* INET6 */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Fix the Next Header field in saved header. */
|
2017-02-06 08:49:57 +00:00
|
|
|
((uint8_t *) (xd + 1))[protoff] = IPPROTO_AH;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* Update the Next Protocol field in the IP header. */
|
|
|
|
|
prot = IPPROTO_AH;
|
2017-02-06 08:49:57 +00:00
|
|
|
m_copyback(m, protoff, sizeof(uint8_t), (caddr_t) &prot);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* "Massage" the packet headers for crypto processing. */
|
|
|
|
|
error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
|
|
|
|
|
skip, ahx->type, 1);
|
|
|
|
|
if (error != 0) {
|
|
|
|
|
m = NULL; /* mbuf was free'd by ah_massage_headers. */
|
2022-01-24 23:27:39 +00:00
|
|
|
free(xd, M_AH);
|
2002-10-16 02:10:08 +00:00
|
|
|
crypto_freereq(crp);
|
|
|
|
|
goto bad;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Crypto operation descriptor. */
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
crp->crp_op = CRYPTO_OP_COMPUTE_DIGEST;
|
|
|
|
|
crp->crp_flags = CRYPTO_F_CBIFSYNC;
|
Add support for optional separate output buffers to in-kernel crypto.
Some crypto consumers such as GELI and KTLS for file-backed sendfile
need to store their output in a separate buffer from the input.
Currently these consumers copy the contents of the input buffer into
the output buffer and queue an in-place crypto operation on the output
buffer. Using a separate output buffer avoids this copy.
- Create a new 'struct crypto_buffer' describing a crypto buffer
containing a type and type-specific fields. crp_ilen is gone,
instead buffers that use a flat kernel buffer have a cb_buf_len
field for their length. The length of other buffer types is
inferred from the backing store (e.g. uio_resid for a uio).
Requests now have two such structures: crp_buf for the input buffer,
and crp_obuf for the output buffer.
- Consumers now use helper functions (crypto_use_*,
e.g. crypto_use_mbuf()) to configure the input buffer. If an output
buffer is not configured, the request still modifies the input
buffer in-place. A consumer uses a second set of helper functions
(crypto_use_output_*) to configure an output buffer.
- Consumers must request support for separate output buffers when
creating a crypto session via the CSP_F_SEPARATE_OUTPUT flag and are
only permitted to queue a request with a separate output buffer on
sessions with this flag set. Existing drivers already reject
sessions with unknown flags, so this permits drivers to be modified
to support this extension without requiring all drivers to change.
- Several data-related functions now have matching versions that
operate on an explicit buffer (e.g. crypto_apply_buf,
crypto_contiguous_subsegment_buf, bus_dma_load_crp_buf).
- Most of the existing data-related functions operate on the input
buffer. However crypto_copyback always writes to the output buffer
if a request uses a separate output buffer.
- For the regions in input/output buffers, the following conventions
are followed:
- AAD and IV are always present in input only and their
fields are offsets into the input buffer.
- payload is always present in both buffers. If a request uses a
separate output buffer, it must set a new crp_payload_start_output
field to the offset of the payload in the output buffer.
- digest is in the input buffer for verify operations, and in the
output buffer for compute operations. crp_digest_start is relative
to the appropriate buffer.
- Add a crypto buffer cursor abstraction. This is a more general form
of some bits in the cryptosoft driver that tried to always use uio's.
However, compared to the original code, this avoids rewalking the uio
iovec array for requests with multiple vectors. It also avoids
allocate an iovec array for mbufs and populating it by instead walking
the mbuf chain directly.
- Update the cryptosoft(4) driver to support separate output buffers
making use of the cursor abstraction.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D24545
2020-05-25 22:12:04 +00:00
|
|
|
crypto_use_mbuf(crp, m);
|
2002-10-16 02:10:08 +00:00
|
|
|
crp->crp_callback = ah_output_cb;
|
Refactor driver and consumer interfaces for OCF (in-kernel crypto).
- The linked list of cryptoini structures used in session
initialization is replaced with a new flat structure: struct
crypto_session_params. This session includes a new mode to define
how the other fields should be interpreted. Available modes
include:
- COMPRESS (for compression/decompression)
- CIPHER (for simply encryption/decryption)
- DIGEST (computing and verifying digests)
- AEAD (combined auth and encryption such as AES-GCM and AES-CCM)
- ETA (combined auth and encryption using encrypt-then-authenticate)
Additional modes could be added in the future (e.g. if we wanted to
support TLS MtE for AES-CBC in the kernel we could add a new mode
for that. TLS modes might also affect how AAD is interpreted, etc.)
The flat structure also includes the key lengths and algorithms as
before. However, code doesn't have to walk the linked list and
switch on the algorithm to determine which key is the auth key vs
encryption key. The 'csp_auth_*' fields are always used for auth
keys and settings and 'csp_cipher_*' for cipher. (Compression
algorithms are stored in csp_cipher_alg.)
- Drivers no longer register a list of supported algorithms. This
doesn't quite work when you factor in modes (e.g. a driver might
support both AES-CBC and SHA2-256-HMAC separately but not combined
for ETA). Instead, a new 'crypto_probesession' method has been
added to the kobj interface for symmteric crypto drivers. This
method returns a negative value on success (similar to how
device_probe works) and the crypto framework uses this value to pick
the "best" driver. There are three constants for hardware
(e.g. ccr), accelerated software (e.g. aesni), and plain software
(cryptosoft) that give preference in that order. One effect of this
is that if you request only hardware when creating a new session,
you will no longer get a session using accelerated software.
Another effect is that the default setting to disallow software
crypto via /dev/crypto now disables accelerated software.
Once a driver is chosen, 'crypto_newsession' is invoked as before.
- Crypto operations are now solely described by the flat 'cryptop'
structure. The linked list of descriptors has been removed.
A separate enum has been added to describe the type of data buffer
in use instead of using CRYPTO_F_* flags to make it easier to add
more types in the future if needed (e.g. wired userspace buffers for
zero-copy). It will also make it easier to re-introduce separate
input and output buffers (in-kernel TLS would benefit from this).
Try to make the flags related to IV handling less insane:
- CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv'
member of the operation structure. If this flag is not set, the
IV is stored in the data buffer at the 'crp_iv_start' offset.
- CRYPTO_F_IV_GENERATE means that a random IV should be generated
and stored into the data buffer. This cannot be used with
CRYPTO_F_IV_SEPARATE.
If a consumer wants to deal with explicit vs implicit IVs, etc. it
can always generate the IV however it needs and store partial IVs in
the buffer and the full IV/nonce in crp_iv and set
CRYPTO_F_IV_SEPARATE.
The layout of the buffer is now described via fields in cryptop.
crp_aad_start and crp_aad_length define the boundaries of any AAD.
Previously with GCM and CCM you defined an auth crd with this range,
but for ETA your auth crd had to span both the AAD and plaintext
(and they had to be adjacent).
crp_payload_start and crp_payload_length define the boundaries of
the plaintext/ciphertext. Modes that only do a single operation
(COMPRESS, CIPHER, DIGEST) should only use this region and leave the
AAD region empty.
If a digest is present (or should be generated), it's starting
location is marked by crp_digest_start.
Instead of using the CRD_F_ENCRYPT flag to determine the direction
of the operation, cryptop now includes an 'op' field defining the
operation to perform. For digests I've added a new VERIFY digest
mode which assumes a digest is present in the input and fails the
request with EBADMSG if it doesn't match the internally-computed
digest. GCM and CCM already assumed this, and the new AEAD mode
requires this for decryption. The new ETA mode now also requires
this for decryption, so IPsec and GELI no longer do their own
authentication verification. Simple DIGEST operations can also do
this, though there are no in-tree consumers.
To eventually support some refcounting to close races, the session
cookie is now passed to crypto_getop() and clients should no longer
set crp_sesssion directly.
- Assymteric crypto operation structures should be allocated via
crypto_getkreq() and freed via crypto_freekreq(). This permits the
crypto layer to track open asym requests and close races with a
driver trying to unregister while asym requests are in flight.
- crypto_copyback, crypto_copydata, crypto_apply, and
crypto_contiguous_subsegment now accept the 'crp' object as the
first parameter instead of individual members. This makes it easier
to deal with different buffer types in the future as well as
separate input and output buffers. It's also simpler for driver
writers to use.
- bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer.
This understands the various types of buffers so that drivers that
use DMA do not have to be aware of different buffer types.
- Helper routines now exist to build an auth context for HMAC IPAD
and OPAD. This reduces some duplicated work among drivers.
- Key buffers are now treated as const throughout the framework and in
device drivers. However, session key buffers provided when a session
is created are expected to remain alive for the duration of the
session.
- GCM and CCM sessions now only specify a cipher algorithm and a cipher
key. The redundant auth information is not needed or used.
- For cryptosoft, split up the code a bit such that the 'process'
callback now invokes a function pointer in the session. This
function pointer is set based on the mode (in effect) though it
simplifies a few edge cases that would otherwise be in the switch in
'process'.
It does split up GCM vs CCM which I think is more readable even if there
is some duplication.
- I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC
as an auth algorithm and updated cryptocheck to work with it.
- Combined cipher and auth sessions via /dev/crypto now always use ETA
mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored.
This was actually documented as being true in crypto(4) before, but
the code had not implemented this before I added the CIPHER_FIRST
flag.
- I have not yet updated /dev/crypto to be aware of explicit modes for
sessions. I will probably do that at some point in the future as well
as teach it about IV/nonce and tag lengths for AEAD so we can support
all of the NIST KAT tests for GCM and CCM.
- I've split up the exising crypto.9 manpage into several pages
of which many are written from scratch.
- I have converted all drivers and consumers in the tree and verified
that they compile, but I have not tested all of them. I have tested
the following drivers:
- cryptosoft
- aesni (AES only)
- blake2
- ccr
and the following consumers:
- cryptodev
- IPsec
- ktls_ocf
- GELI (lightly)
I have not tested the following:
- ccp
- aesni with sha
- hifn
- kgssapi_krb5
- ubsec
- padlock
- safe
- armv8_crypto (aarch64)
- glxsb (i386)
- sec (ppc)
- cesa (armv7)
- cryptocteon (mips64)
- nlmsec (mips64)
Discussed with: cem
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D23677
2020-03-27 18:25:23 +00:00
|
|
|
crp->crp_opaque = xd;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
2020-10-16 11:25:45 +00:00
|
|
|
if (sav->flags & SADB_X_SAFLAGS_ESN && sav->replay != NULL) {
|
2022-06-23 20:35:29 +00:00
|
|
|
SECREPLAY_LOCK(sav->replay);
|
2020-10-16 11:25:45 +00:00
|
|
|
seqh = htonl((uint32_t)(sav->replay->count >> IPSEC_SEQH_SHIFT));
|
|
|
|
|
memcpy(crp->crp_esn, &seqh, sizeof(seqh));
|
2022-06-23 20:35:29 +00:00
|
|
|
SECREPLAY_UNLOCK(sav->replay);
|
2020-10-16 11:25:45 +00:00
|
|
|
}
|
|
|
|
|
|
2002-10-16 02:10:08 +00:00
|
|
|
/* These are passed as-is to the callback. */
|
2017-02-06 08:49:57 +00:00
|
|
|
xd->sp = sp;
|
|
|
|
|
xd->sav = sav;
|
|
|
|
|
xd->skip = skip;
|
|
|
|
|
xd->idx = idx;
|
|
|
|
|
xd->cryptoid = cryptoid;
|
2018-03-20 17:05:23 +00:00
|
|
|
xd->vnet = curvnet;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
opencrypto: Introduce crypto_dispatch_async()
Currently, OpenCrypto consumers can request asynchronous dispatch by
setting a flag in the cryptop. (Currently only IPSec may do this.) I
think this is a bit confusing: we (conditionally) set cryptop flags to
request async dispatch, and then crypto_dispatch() immediately examines
those flags to see if the consumer wants async dispatch. The flag names
are also confusing since they don't specify what "async" applies to:
dispatch or completion.
Add a new KPI, crypto_dispatch_async(), rather than encoding the
requested dispatch type in each cryptop. crypto_dispatch_async() falls
back to crypto_dispatch() if the session's driver provides asynchronous
dispatch. Get rid of CRYPTOP_ASYNC() and CRYPTOP_ASYNC_KEEPORDER().
Similarly, add crypto_dispatch_batch() to request processing of a tailq
of cryptops, rather than encoding the scheduling policy using cryptop
flags. Convert GELI, the only user of this interface (disabled by
default) to use the new interface.
Add CRYPTO_SESS_SYNC(), which can be used by consumers to determine
whether crypto requests will be dispatched synchronously. This is just
a helper macro. Use it instead of looking at cap flags directly.
Fix style in crypto_done(). Also get rid of CRYPTO_RETW_EMPTY() and
just check the relevant queues directly. This could result in some
unnecessary wakeups but I think it's very uncommon to be using more than
one queue per worker in a given workload, so checking all three queues
is a waste of cycles.
Reviewed by: jhb
Sponsored by: Ampere Computing
Submitted by: Klara, Inc.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D28194
2021-02-08 14:19:19 +00:00
|
|
|
if (V_async_crypto)
|
|
|
|
|
return (crypto_dispatch_async(crp, CRYPTO_ASYNC_ORDERED));
|
|
|
|
|
else
|
|
|
|
|
return (crypto_dispatch(crp));
|
2002-10-16 02:10:08 +00:00
|
|
|
bad:
|
|
|
|
|
if (m)
|
|
|
|
|
m_freem(m);
|
2017-05-23 09:32:26 +00:00
|
|
|
key_freesav(&sav);
|
|
|
|
|
key_freesp(&sp);
|
2002-10-16 02:10:08 +00:00
|
|
|
return (error);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* AH output callback from the crypto driver.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
ah_output_cb(struct cryptop *crp)
|
|
|
|
|
{
|
2017-02-06 08:49:57 +00:00
|
|
|
struct xform_data *xd;
|
|
|
|
|
struct secpolicy *sp;
|
2002-10-16 02:10:08 +00:00
|
|
|
struct secasvar *sav;
|
|
|
|
|
struct mbuf *m;
|
2018-07-13 23:46:07 +00:00
|
|
|
crypto_session_t cryptoid;
|
2002-10-16 02:10:08 +00:00
|
|
|
caddr_t ptr;
|
2017-02-06 08:49:57 +00:00
|
|
|
u_int idx;
|
|
|
|
|
int skip, error;
|
2002-10-16 02:10:08 +00:00
|
|
|
|
Add support for optional separate output buffers to in-kernel crypto.
Some crypto consumers such as GELI and KTLS for file-backed sendfile
need to store their output in a separate buffer from the input.
Currently these consumers copy the contents of the input buffer into
the output buffer and queue an in-place crypto operation on the output
buffer. Using a separate output buffer avoids this copy.
- Create a new 'struct crypto_buffer' describing a crypto buffer
containing a type and type-specific fields. crp_ilen is gone,
instead buffers that use a flat kernel buffer have a cb_buf_len
field for their length. The length of other buffer types is
inferred from the backing store (e.g. uio_resid for a uio).
Requests now have two such structures: crp_buf for the input buffer,
and crp_obuf for the output buffer.
- Consumers now use helper functions (crypto_use_*,
e.g. crypto_use_mbuf()) to configure the input buffer. If an output
buffer is not configured, the request still modifies the input
buffer in-place. A consumer uses a second set of helper functions
(crypto_use_output_*) to configure an output buffer.
- Consumers must request support for separate output buffers when
creating a crypto session via the CSP_F_SEPARATE_OUTPUT flag and are
only permitted to queue a request with a separate output buffer on
sessions with this flag set. Existing drivers already reject
sessions with unknown flags, so this permits drivers to be modified
to support this extension without requiring all drivers to change.
- Several data-related functions now have matching versions that
operate on an explicit buffer (e.g. crypto_apply_buf,
crypto_contiguous_subsegment_buf, bus_dma_load_crp_buf).
- Most of the existing data-related functions operate on the input
buffer. However crypto_copyback always writes to the output buffer
if a request uses a separate output buffer.
- For the regions in input/output buffers, the following conventions
are followed:
- AAD and IV are always present in input only and their
fields are offsets into the input buffer.
- payload is always present in both buffers. If a request uses a
separate output buffer, it must set a new crp_payload_start_output
field to the offset of the payload in the output buffer.
- digest is in the input buffer for verify operations, and in the
output buffer for compute operations. crp_digest_start is relative
to the appropriate buffer.
- Add a crypto buffer cursor abstraction. This is a more general form
of some bits in the cryptosoft driver that tried to always use uio's.
However, compared to the original code, this avoids rewalking the uio
iovec array for requests with multiple vectors. It also avoids
allocate an iovec array for mbufs and populating it by instead walking
the mbuf chain directly.
- Update the cryptosoft(4) driver to support separate output buffers
making use of the cursor abstraction.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D24545
2020-05-25 22:12:04 +00:00
|
|
|
m = crp->crp_buf.cb_mbuf;
|
2017-02-06 08:49:57 +00:00
|
|
|
xd = (struct xform_data *) crp->crp_opaque;
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_SET(xd->vnet);
|
2017-02-06 08:49:57 +00:00
|
|
|
sp = xd->sp;
|
|
|
|
|
sav = xd->sav;
|
|
|
|
|
skip = xd->skip;
|
|
|
|
|
idx = xd->idx;
|
|
|
|
|
cryptoid = xd->cryptoid;
|
|
|
|
|
ptr = (caddr_t) (xd + 1);
|
2002-10-16 02:10:08 +00:00
|
|
|
|
|
|
|
|
/* Check for crypto errors. */
|
|
|
|
|
if (crp->crp_etype) {
|
|
|
|
|
if (crp->crp_etype == EAGAIN) {
|
2017-02-06 08:49:57 +00:00
|
|
|
/* Reset the session ID */
|
2018-07-18 00:56:25 +00:00
|
|
|
if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
|
2017-02-06 08:49:57 +00:00
|
|
|
crypto_freesession(cryptoid);
|
2018-07-18 00:56:25 +00:00
|
|
|
xd->cryptoid = crp->crp_session;
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_RESTORE();
|
2011-11-26 23:13:30 +00:00
|
|
|
return (crypto_dispatch(crp));
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_noxform);
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
|
2002-10-16 02:10:08 +00:00
|
|
|
error = crp->crp_etype;
|
2017-02-06 08:49:57 +00:00
|
|
|
m_freem(m);
|
2002-10-16 02:10:08 +00:00
|
|
|
goto bad;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Shouldn't happen... */
|
|
|
|
|
if (m == NULL) {
|
2013-06-20 11:44:16 +00:00
|
|
|
AHSTAT_INC(ahs_crypto);
|
2003-09-29 22:57:43 +00:00
|
|
|
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
|
2002-10-16 02:10:08 +00:00
|
|
|
error = EINVAL;
|
|
|
|
|
goto bad;
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Copy original headers (with the new protocol number) back
|
|
|
|
|
* in place.
|
|
|
|
|
*/
|
|
|
|
|
m_copyback(m, 0, skip, ptr);
|
|
|
|
|
|
2022-01-24 23:27:39 +00:00
|
|
|
free(xd, M_AH);
|
2002-10-16 02:10:08 +00:00
|
|
|
crypto_freereq(crp);
|
2017-02-06 08:49:57 +00:00
|
|
|
AHSTAT_INC(ahs_hist[sav->alg_auth]);
|
2006-04-10 15:04:36 +00:00
|
|
|
#ifdef REGRESSION
|
2006-04-09 19:11:45 +00:00
|
|
|
/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
if (V_ipsec_integrity) {
|
2006-04-09 19:11:45 +00:00
|
|
|
int alen;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Corrupt HMAC if we want to test integrity verification of
|
|
|
|
|
* the other side.
|
|
|
|
|
*/
|
|
|
|
|
alen = AUTHSIZE(sav);
|
|
|
|
|
m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes);
|
|
|
|
|
}
|
2006-04-10 15:04:36 +00:00
|
|
|
#endif
|
2006-04-09 19:11:45 +00:00
|
|
|
|
2002-10-16 02:10:08 +00:00
|
|
|
/* NB: m is reclaimed by ipsec_process_done. */
|
2017-02-06 08:49:57 +00:00
|
|
|
error = ipsec_process_done(m, sp, sav, idx);
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_RESTORE();
|
2015-04-27 00:55:56 +00:00
|
|
|
return (error);
|
2002-10-16 02:10:08 +00:00
|
|
|
bad:
|
2018-03-20 17:05:23 +00:00
|
|
|
CURVNET_RESTORE();
|
2022-01-24 23:27:39 +00:00
|
|
|
free(xd, M_AH);
|
2002-10-16 02:10:08 +00:00
|
|
|
crypto_freereq(crp);
|
2017-02-06 08:49:57 +00:00
|
|
|
key_freesav(&sav);
|
|
|
|
|
key_freesp(&sp);
|
2015-04-27 00:55:56 +00:00
|
|
|
return (error);
|
2002-10-16 02:10:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct xformsw ah_xformsw = {
|
2017-02-06 08:49:57 +00:00
|
|
|
.xf_type = XF_AH,
|
|
|
|
|
.xf_name = "IPsec AH",
|
|
|
|
|
.xf_init = ah_init,
|
2020-06-25 23:59:16 +00:00
|
|
|
.xf_cleanup = ah_cleanup,
|
2017-02-06 08:49:57 +00:00
|
|
|
.xf_input = ah_input,
|
|
|
|
|
.xf_output = ah_output,
|
2002-10-16 02:10:08 +00:00
|
|
|
};
|
|
|
|
|
|
2017-02-06 08:49:57 +00:00
|
|
|
SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
|
|
|
|
|
xform_attach, &ah_xformsw);
|
|
|
|
|
SYSUNINIT(ah_xform_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
|
|
|
|
|
xform_detach, &ah_xformsw);
|