From d98ef0df5f29c8da3ab7253fc7b86e0fb69a5831 Mon Sep 17 00:00:00 2001 From: Mark Linimon Date: Sun, 6 Oct 2019 01:42:14 +0000 Subject: [PATCH] Rework the TLS 1.3 support in ISA-L to move the nonce work out of the seal routine and into the encrypt routine. Also obtain the nd.seqno in the TLS 1.2 case from the TLS record itself, as if we change to use a random starting value, this will prevent things from breaking due to the value on the wire being different from the passed in seqno. Submitted by:u jhb Approved by:u gallatin Differential Revision: D21857 --- security/ktls_isa-l_crypto-kmod/Makefile | 1 + .../files/intelisa_kern.c | 76 ++++++++----------- 2 files changed, 32 insertions(+), 45 deletions(-) diff --git a/security/ktls_isa-l_crypto-kmod/Makefile b/security/ktls_isa-l_crypto-kmod/Makefile index 32719c632a65..03c6cb90a3fb 100644 --- a/security/ktls_isa-l_crypto-kmod/Makefile +++ b/security/ktls_isa-l_crypto-kmod/Makefile @@ -4,6 +4,7 @@ PORTNAME= isa-l_crypto PORTVERSION= 2.21.0 DISTVERSIONPREFIX= v +PORTREVISION= 1 CATEGORIES= security PKGNAMEPREFIX= ktls_ PKGNAMESUFFIX= -kmod diff --git a/security/ktls_isa-l_crypto-kmod/files/intelisa_kern.c b/security/ktls_isa-l_crypto-kmod/files/intelisa_kern.c index fd846724a00d..f533b8cd0061 100644 --- a/security/ktls_isa-l_crypto-kmod/files/intelisa_kern.c +++ b/security/ktls_isa-l_crypto-kmod/files/intelisa_kern.c @@ -125,7 +125,7 @@ static MALLOC_DEFINE(M_INTEL_ISA, "isal_tls", "Intel ISA-L TLS"); static int intel_isa_seal(struct isa_gcm_struct *isa, struct iovec *outiov, int numiovs, - uint8_t *static_iv, int iv_len, uint64_t seq, + uint8_t * iv, struct iovec *iniov, uint8_t * ad, int adlen, uint8_t * tagout, size_t *taglen, @@ -135,36 +135,10 @@ intel_isa_seal(struct isa_gcm_struct *isa, bool nt = true; bool misaligned_len, misaligned_start; int fixup = 0; - size_t offset; uint8_t *in; uint8_t *out; uint64_t len; - uint8_t iv[32]; - uint8_t seq_num[sizeof(seq)]; - if (iv_len > 32 - sizeof(seq)) { - return (-1); - } - - if (tls_13) { - /* - * RFC 8446 5.3: left pad the 64b seqno - * with 0s, and xor with the IV - * - * gcm_init does not provde a way to specify the - * length of the iv, so we have hard-coded it to 12 in - * openssl - */ - memcpy(seq_num, &seq, sizeof(seq)); - - offset = iv_len - sizeof(seq); - memcpy(iv, static_iv, offset); - for (i = 0; i < sizeof(seq); i++) - iv[i + offset] = static_iv[i + offset] ^ seq_num[i]; - } else { - memcpy(iv, static_iv, iv_len); - memcpy(iv + iv_len, &seq, sizeof(seq)); - } isa->gcm_init(&isa->key_data, &isa->ctx_data, iv, ad, (size_t)adlen); for (i = 0; i < numiovs; i++) { in = iniov[i].iov_base; @@ -236,31 +210,43 @@ ktls_intelisa_aead_encrypt(struct ktls_session *tls, counter_u64_add(ktls_offload_isa_aead, 1); taglen = KTLS_INTELISA_AEAD_TAGLEN; - if (tls->params.tls_vminor == TLS_MINOR_VER_THREE) { - tls_13 = true; - counter_u64_add(ktls_offload_isa_tls_13, 1); - adlen = sizeof(ad) - sizeof(ad.seq); - adptr = &ad.type; - ad.tls_length = hdr->tls_length; + /* Setup the nonce */ + memcpy(&nd, tls->params.iv, tls->params.iv_len); - } else { - tls_13 = false; - counter_u64_add(ktls_offload_isa_tls_12, 1); - tls_comp_len = ntohs(hdr->tls_length) - - (KTLS_INTELISA_AEAD_TAGLEN + sizeof(nd.seq)); - adlen = sizeof(ad); - adptr = (uint8_t *)&ad; - ad.tls_length = htons(tls_comp_len); - } /* Setup the associated data */ ad.seq = htobe64(seqno); ad.type = hdr->tls_type; ad.tls_vmajor = hdr->tls_vmajor; ad.tls_vminor = hdr->tls_vminor; - ret = intel_isa_seal(isa, outiov, iovcnt, - tls->params.iv, tls->params.iv_len, - htobe64(seqno), iniov, + /* Version-specific nonce and AAD. */ + if (tls->params.tls_vminor == TLS_MINOR_VER_THREE) { + tls_13 = true; + counter_u64_add(ktls_offload_isa_tls_13, 1); + + adlen = sizeof(ad) - sizeof(ad.seq); + adptr = &ad.type; + ad.tls_length = hdr->tls_length; + + /* + * RFC 8446 5.3: left pad the 64b seqno + * with 0s, and xor with the IV. + */ + nd.seq ^= htobe64(seqno); + } else { + tls_13 = false; + counter_u64_add(ktls_offload_isa_tls_12, 1); + + tls_comp_len = ntohs(hdr->tls_length) - + (KTLS_INTELISA_AEAD_TAGLEN + sizeof(nd.seq)); + adlen = sizeof(ad); + adptr = (uint8_t *)&ad; + ad.tls_length = htons(tls_comp_len); + + memcpy(&nd.seq, hdr + 1, sizeof(nd.seq)); + } + + ret = intel_isa_seal(isa, outiov, iovcnt, (uint8_t *)&nd, iniov, adptr, adlen, trailer, &taglen, tls_13, tls_rtype);