From e7c630f8417b6f4e1bf2466e545ffe04af2eff00 Mon Sep 17 00:00:00 2001 From: Cristian Stoica Date: Thu, 29 Aug 2013 16:51:18 +0300 Subject: [PATCH 02/48] eng_cryptodev: add support for TLS algorithms offload - aes-128-cbc-hmac-sha1 - aes-256-cbc-hmac-sha1 Requires TLS patches on cryptodev and TLS algorithm support in Linux kernel driver. Signed-off-by: Cristian Stoica --- crypto/engine/eng_cryptodev.c | 226 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 215 insertions(+), 11 deletions(-) diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index 8fb9c33..4d783d4 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -71,6 +71,9 @@ void ENGINE_load_cryptodev(void) struct dev_crypto_state { struct session_op d_sess; int d_fd; + unsigned char *aad; + unsigned int aad_len; + unsigned int len; # ifdef USE_CRYPTODEV_DIGESTS char dummy_mac_key[HASH_MAX_LEN]; unsigned char digest_res[HASH_MAX_LEN]; @@ -141,24 +144,25 @@ static struct { int nid; int ivmax; int keylen; + int mackeylen; } ciphers[] = { { - CRYPTO_ARC4, NID_rc4, 0, 16, + CRYPTO_ARC4, NID_rc4, 0, 16, 0 }, { - CRYPTO_DES_CBC, NID_des_cbc, 8, 8, + CRYPTO_DES_CBC, NID_des_cbc, 8, 8, 0 }, { - CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, + CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, 0 }, { - CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, + CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, 0 }, { - CRYPTO_AES_CBC, NID_aes_192_cbc, 16, 24, + CRYPTO_AES_CBC, NID_aes_192_cbc, 16, 24, 0 }, { - CRYPTO_AES_CBC, NID_aes_256_cbc, 16, 32, + CRYPTO_AES_CBC, NID_aes_256_cbc, 16, 32, 0 }, # ifdef CRYPTO_AES_CTR { @@ -172,16 +176,22 @@ static struct { }, # endif { - CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, + CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, 0 }, { - CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, + CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, 0 }, { - CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, + CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, 0 }, { - 0, NID_undef, 0, 0, + CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_128_cbc_hmac_sha1, 16, 16, 20 + }, + { + CRYPTO_TLS10_AES_CBC_HMAC_SHA1, NID_aes_256_cbc_hmac_sha1, 16, 32, 20 + }, + { + 0, NID_undef, 0, 0, 0 }, }; @@ -295,13 +305,15 @@ static int get_cryptodev_ciphers(const int **cnids) } memset(&sess, 0, sizeof(sess)); sess.key = (caddr_t) "123456789abcdefghijklmno"; + sess.mackey = (caddr_t) "123456789ABCDEFGHIJKLMNO"; for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { if (ciphers[i].nid == NID_undef) continue; sess.cipher = ciphers[i].id; sess.keylen = ciphers[i].keylen; - sess.mac = 0; + sess.mackeylen = ciphers[i].mackeylen; + if (ioctl(fd, CIOCGSESSION, &sess) != -1 && ioctl(fd, CIOCFSESSION, &sess.ses) != -1) nids[count++] = ciphers[i].nid; @@ -457,6 +469,66 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return (1); } +static int cryptodev_aead_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len) +{ + struct crypt_auth_op cryp; + struct dev_crypto_state *state = ctx->cipher_data; + struct session_op *sess = &state->d_sess; + const void *iiv; + unsigned char save_iv[EVP_MAX_IV_LENGTH]; + + if (state->d_fd < 0) + return (0); + if (!len) + return (1); + if ((len % ctx->cipher->block_size) != 0) + return (0); + + memset(&cryp, 0, sizeof(cryp)); + + /* TODO: make a seamless integration with cryptodev flags */ + switch (ctx->cipher->nid) { + case NID_aes_128_cbc_hmac_sha1: + case NID_aes_256_cbc_hmac_sha1: + cryp.flags = COP_FLAG_AEAD_TLS_TYPE; + } + cryp.ses = sess->ses; + cryp.len = state->len; + cryp.src = (caddr_t) in; + cryp.dst = (caddr_t) out; + cryp.auth_src = state->aad; + cryp.auth_len = state->aad_len; + + cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT; + + if (ctx->cipher->iv_len) { + cryp.iv = (caddr_t) ctx->iv; + if (!ctx->encrypt) { + iiv = in + len - ctx->cipher->iv_len; + memcpy(save_iv, iiv, ctx->cipher->iv_len); + } + } else + cryp.iv = NULL; + + if (ioctl(state->d_fd, CIOCAUTHCRYPT, &cryp) == -1) { + /* + * XXX need better errror handling this can fail for a number of + * different reasons. + */ + return (0); + } + + if (ctx->cipher->iv_len) { + if (ctx->encrypt) + iiv = out + len - ctx->cipher->iv_len; + else + iiv = save_iv; + memcpy(ctx->iv, iiv, ctx->cipher->iv_len); + } + return (1); +} + static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) @@ -496,6 +568,45 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, } /* + * Save the encryption key provided by upper layers. This function is called + * by EVP_CipherInit_ex to initialize the algorithm's extra data. We can't do + * much here because the mac key is not available. The next call should/will + * be to cryptodev_cbc_hmac_sha1_ctrl with parameter + * EVP_CTRL_AEAD_SET_MAC_KEY, to set the hmac key. There we call CIOCGSESSION + * with both the crypto and hmac keys. + */ +static int cryptodev_init_aead_key(EVP_CIPHER_CTX *ctx, + const unsigned char *key, + const unsigned char *iv, int enc) +{ + struct dev_crypto_state *state = ctx->cipher_data; + struct session_op *sess = &state->d_sess; + int cipher = -1, i; + + for (i = 0; ciphers[i].id; i++) + if (ctx->cipher->nid == ciphers[i].nid && + ctx->cipher->iv_len <= ciphers[i].ivmax && + ctx->key_len == ciphers[i].keylen) { + cipher = ciphers[i].id; + break; + } + + if (!ciphers[i].id) { + state->d_fd = -1; + return (0); + } + + memset(sess, 0, sizeof(struct session_op)); + + sess->key = (caddr_t) key; + sess->keylen = ctx->key_len; + sess->cipher = cipher; + + /* for whatever reason, (1) means success */ + return (1); +} + +/* * free anything we allocated earlier when initting a * session, and close the session. */ @@ -529,6 +640,63 @@ static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx) return (ret); } +static int cryptodev_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, + int arg, void *ptr) +{ + switch (type) { + case EVP_CTRL_AEAD_SET_MAC_KEY: + { + /* TODO: what happens with hmac keys larger than 64 bytes? */ + struct dev_crypto_state *state = ctx->cipher_data; + struct session_op *sess = &state->d_sess; + + if ((state->d_fd = get_dev_crypto()) < 0) + return (0); + + /* the rest should have been set in cryptodev_init_aead_key */ + sess->mackey = ptr; + sess->mackeylen = arg; + + if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) { + put_dev_crypto(state->d_fd); + state->d_fd = -1; + return (0); + } + return (1); + } + case EVP_CTRL_AEAD_TLS1_AAD: + { + /* ptr points to the associated data buffer of 13 bytes */ + struct dev_crypto_state *state = ctx->cipher_data; + unsigned char *p = ptr; + unsigned int cryptlen = p[arg - 2] << 8 | p[arg - 1]; + unsigned int maclen, padlen; + unsigned int bs = ctx->cipher->block_size; + + state->aad = ptr; + state->aad_len = arg; + state->len = cryptlen; + + /* TODO: this should be an extension of EVP_CIPHER struct */ + switch (ctx->cipher->nid) { + case NID_aes_128_cbc_hmac_sha1: + case NID_aes_256_cbc_hmac_sha1: + maclen = SHA_DIGEST_LENGTH; + } + + /* space required for encryption (not only TLS padding) */ + padlen = maclen; + if (ctx->encrypt) { + cryptlen += maclen; + padlen += bs - (cryptlen % bs); + } + return padlen; + } + default: + return -1; + } +} + /* * libcrypto EVP stuff - this is how we get wired to EVP so the engine * gets called when libcrypto requests a cipher NID. @@ -641,6 +809,34 @@ const EVP_CIPHER cryptodev_aes_256_cbc = { NULL }; +const EVP_CIPHER cryptodev_aes_128_cbc_hmac_sha1 = { + NID_aes_128_cbc_hmac_sha1, + 16, 16, 16, + EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, + cryptodev_init_aead_key, + cryptodev_aead_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, + cryptodev_cbc_hmac_sha1_ctrl, + NULL +}; + +const EVP_CIPHER cryptodev_aes_256_cbc_hmac_sha1 = { + NID_aes_256_cbc_hmac_sha1, + 16, 32, 16, + EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER, + cryptodev_init_aead_key, + cryptodev_aead_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, + cryptodev_cbc_hmac_sha1_ctrl, + NULL +}; + # ifdef CRYPTO_AES_CTR const EVP_CIPHER cryptodev_aes_ctr = { NID_aes_128_ctr, @@ -729,6 +925,12 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, *cipher = &cryptodev_aes_ctr_256; break; # endif + case NID_aes_128_cbc_hmac_sha1: + *cipher = &cryptodev_aes_128_cbc_hmac_sha1; + break; + case NID_aes_256_cbc_hmac_sha1: + *cipher = &cryptodev_aes_256_cbc_hmac_sha1; + break; default: *cipher = NULL; break; @@ -1472,6 +1674,8 @@ void ENGINE_load_cryptodev(void) } put_dev_crypto(fd); + EVP_add_cipher(&cryptodev_aes_128_cbc_hmac_sha1); + EVP_add_cipher(&cryptodev_aes_256_cbc_hmac_sha1); if (!ENGINE_set_id(engine, "cryptodev") || !ENGINE_set_name(engine, "BSD cryptodev engine") || !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) || -- 2.7.0