svn commit: r345027 - in stable/11: share/man/man4 sys/opencrypto

Mon Mar 11 21:35:58 UTC 2019

Author: jhb
Date: Mon Mar 11 21:35:56 2019
New Revision: 345027
URL: https://svnweb.freebsd.org/changeset/base/345027

Log:
  MFC 323891,323892: Support EtA requests via /dev/crypto.
  
  323891:
  Add a new COP_F_CIPHER_FIRST flag for struct crypt_op.
  
  This requests that the cipher be performed before rather than after
  the HMAC when both are specified for a single operation.
  
  323892:
  Support AEAD requests with non-GCM algorithms.
  
  In particular, support chaining an AES cipher with an HMAC for a request
  including AAD.  This permits submitting requests from userland to encrypt
  objects like IPSec packets using these algorithms.
  
  In the non-GCM case, the authentication crypto descriptor covers both the
  AAD and the ciphertext.  The GCM case remains unchanged.  This matches
  the requests created internally in IPSec.  For the non-GCM case, the
  COP_F_CIPHER_FIRST is also supported since the ordering matters.
  
  Note that while this can be used to simulate IPSec requests from userland,
  this ioctl cannot currently be used to perform TLS requests using AES-CBC
  and MAC-before-encrypt.
  
  Sponsored by:	Chelsio Communications

Modified:
  stable/11/share/man/man4/crypto.4
  stable/11/sys/opencrypto/cryptodev.c
  stable/11/sys/opencrypto/cryptodev.h
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/share/man/man4/crypto.4
==============================================================================

--- stable/11/share/man/man4/crypto.4	Mon Mar 11 21:00:58 2019	(r345026)
+++ stable/11/share/man/man4/crypto.4	Mon Mar 11 21:35:56 2019	(r345027)
@@ -60,7 +60,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd December 15, 2015
+.Dd September 21, 2017
 .Dt CRYPTO 4
 .Os
 .Sh NAME
@@ -127,7 +127,9 @@ Asymmetric operations do not use sessions.
 .It
 Submit requests, synchronously with
 .Dv CIOCCRYPT
-(symmetric)
+(symmetric),
+.Dv CIOCCRYPTAEAD
+(symmetric),
 or
 .Dv CIOCKEY
 (asymmetric).
@@ -279,6 +281,16 @@ supplies the length of the input buffer; the fields
 .Fa cr_op-\*[Gt]iv
 supply the addresses of the input buffer, output buffer,
 one-way hash, and initialization vector, respectively.
+If a session is using both a privacy algorithm and a hash algorithm,
+the request will generate a hash of the input buffer before
+generating the output buffer by default.
+If the
+.Dv COP_F_CIPHER_FIRST
+flag is included in the
+.Fa cr_op-\*[Gt]flags
+field,
+then the request will generate a hash of the output buffer after
+executing the privacy algorithm.
 .It Dv CIOCCRYPTAEAD Fa struct crypt_aead *cr_aead
 .Bd -literal
 struct crypt_aead {

Modified: stable/11/sys/opencrypto/cryptodev.c
==============================================================================
--- stable/11/sys/opencrypto/cryptodev.c	Mon Mar 11 21:00:58 2019	(r345026)
+++ stable/11/sys/opencrypto/cryptodev.c	Mon Mar 11 21:35:56 2019	(r345027)
@@ -755,18 +755,22 @@ cryptodev_op(
 		goto bail;
 	}
 
-	if (cse->thash) {
-		crda = crp->crp_desc;
-		if (cse->txform)
-			crde = crda->crd_next;
-	} else {
-		if (cse->txform)
+	if (cse->thash && cse->txform) {
+		if (cop->flags & COP_F_CIPHER_FIRST) {
 			crde = crp->crp_desc;
-		else {
-			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
-			error = EINVAL;
-			goto bail;
+			crda = crde->crd_next;
+		} else {
+			crda = crp->crp_desc;
+			crde = crda->crd_next;
 		}
+	} else if (cse->thash) {
+		crda = crp->crp_desc;
+	} else if (cse->txform) {
+		crde = crp->crp_desc;
+	} else {
+		SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
+		error = EINVAL;
+		goto bail;
 	}
 
 	if ((error = copyin(cop->src, cse->uio.uio_iov[0].iov_base,
@@ -941,8 +945,13 @@ cryptodev_aead(
 		goto bail;
 	}
 
-	crda = crp->crp_desc;
-	crde = crda->crd_next;
+	if (caead->flags & COP_F_CIPHER_FIRST) {
+		crde = crp->crp_desc;
+		crda = crde->crd_next;
+	} else {
+		crda = crp->crp_desc;
+		crde = crda->crd_next;
+	}
 
 	if ((error = copyin(caead->aad, cse->uio.uio_iov[0].iov_base,
 	    caead->aadlen))) {
@@ -956,8 +965,16 @@ cryptodev_aead(
 		goto bail;
 	}
 
+	/*
+	 * For GCM, crd_len covers only the AAD.  For other ciphers
+	 * chained with an HMAC, crd_len covers both the AAD and the
+	 * cipher text.
+	 */
 	crda->crd_skip = 0;
-	crda->crd_len = caead->aadlen;
+	if (cse->cipher == CRYPTO_AES_NIST_GCM_16)
+		crda->crd_len = caead->aadlen;
+	else
+		crda->crd_len = caead->aadlen + caead->len;
 	crda->crd_inject = caead->aadlen + caead->len;
 
 	crda->crd_alg = cse->mac;

Modified: stable/11/sys/opencrypto/cryptodev.h
==============================================================================
--- stable/11/sys/opencrypto/cryptodev.h	Mon Mar 11 21:00:58 2019	(r345026)
+++ stable/11/sys/opencrypto/cryptodev.h	Mon Mar 11 21:35:56 2019	(r345027)
@@ -238,7 +238,8 @@ struct crypt_op {
 #define COP_ENCRYPT	1
 #define COP_DECRYPT	2
 	u_int16_t	flags;
-#define	COP_F_BATCH	0x0008		/* Batch op if possible */
+#define	COP_F_CIPHER_FIRST	0x0001	/* Cipher before MAC. */
+#define	COP_F_BATCH		0x0008	/* Batch op if possible */
 	u_int		len;
 	c_caddr_t	src;		/* become iov[] inside kernel */
 	caddr_t		dst;
