Commit Graph

393 Commits

Author SHA1 Message Date
Mark Johnston
5dfca6c375 ktls: Remove the socket parameter to ktls_ocf_try()
The socket is unused, and not passing it means that there's less to
think about when considering how KTLS is synchronized with the rest of
the socket code.  No functional change intended.

Reviewed by:	gallatin
MFC after:	2 weeks
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D45675
2024-07-08 12:10:48 -04:00
Warner Losh
fdafd315ad sys: Automated cleanup of cdefs and other formatting
Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by:		Netflix
2023-11-26 22:24:00 -07:00
Warner Losh
031beb4e23 sys: Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
2023-08-16 11:54:58 -06:00
Warner Losh
685dc743dc sys: Remove $FreeBSD$: one-line .c pattern
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
2023-08-16 11:54:36 -06:00
Warner Losh
71625ec9ad sys: Remove $FreeBSD$: one-line .c comment pattern
Remove /^/[*/]\s*\$FreeBSD\$.*\n/
2023-08-16 11:54:24 -06:00
Warner Losh
2ff63af9b8 sys: Remove $FreeBSD$: one-line .h pattern
Remove /^\s*\*+\s*\$FreeBSD\$.*$\n/
2023-08-16 11:54:18 -06:00
Warner Losh
95ee2897e9 sys: Remove $FreeBSD$: two-line .h pattern
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
2023-08-16 11:54:11 -06:00
Mark Johnston
96c2538121 opencrypto: Respect alignment constraints in xor_and_encrypt()
Copy operands to an aligned buffer before performing operations which
require alignment.  Otherwise it's possible for this code to trigger an
alignment fault on armv7.

Reviewed by:	jhb
MFC after:	2 weeks
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D41211
2023-07-27 15:44:52 -04:00
Mark Johnston
9f7fdd8c1a crypto: Advance the correct pointer in crypto_cursor_copydata()
PR:		271766
Reported by:	Michael Laß <bevan@bi-co.net>
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D40468
2023-06-12 12:52:24 -04:00
Mark Johnston
718d4a1d56 opencrypto: Handle end-of-cursor conditions in crypto_cursor_segment()
Some consumers, e.g., swcr_encdec(), may call crypto_cursor_segment()
after having advanced the cursor to the end of the buffer.  In this case
I believe the right behaviour is to return NULL and a length of 0.

When this occurs with a CRYPTO_BUF_VMPAGE buffer, the cc_vmpage pointer
will point past the end of the page pointer array, so
crypto_cursor_segment() ends up dereferencing a random pointer before
the function returns a length of 0.  The uio-backed cursor has
a similar problem.

Address this by keeping track of the residual buffer length and
returning immediately once the length is zero.

PR:		271766
Reported by:	Andrew "RhodiumToad" Gierth <andrew@tao11.riddles.org.uk>
Reviewed by:	jhb
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D40428
2023-06-12 12:52:24 -04:00
Warner Losh
4d846d260e spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with:		pfg
MFC After:		3 days
Sponsored by:		Netflix
2023-05-12 10:44:03 -06:00
Dmitry Chagin
06c07e1203 Complete removal of opt_compat.h
Since Linux emulation layer build options was removed there is no reason
to keep opt_compat.h.

Reviewed by:		emaste
Differential Revision:	https://reviews.freebsd.org/D38548
MFC after:		2 weeks
2023-02-13 19:07:38 +03:00
Mateusz Guzik
517547573a crypto: move all zeroing into crypto_getreq
Reviewed by:	jhb, markj
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D36774
2022-11-22 12:28:07 +00:00
John Baldwin
4e47414648 ktls_ocf: Reject encrypted TLS records using AEAD that are too small.
If a TLS record is too small to contain the required explicit IV,
record_type (TLS 1.3), and MAC, reject attempts to decrypt it with
EMSGSIZE without submitting it to OCF.  OCF drivers may not properly
detect that regions in the crypto request are outside the bounds of
the mbuf chain.  The caller isn't supposed to submit such requests.

Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D37372
2022-11-15 12:02:57 -08:00
John Baldwin
9a673b7158 ktls: Add software support for AES-CBC decryption for TLS 1.1+.
This is mainly intended to provide a fallback for TOE TLS which may
need to use software decryption for an initial record at the start
of a connection.

Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D37370
2022-11-15 12:02:03 -08:00
Alan Somers
002c47bade [skip ci] Remove obsolete references in crypto_request(9)
They were missed by 68f6800ce0.

Sponsored by:	Axcient
MFC with:	68f6800ce0
Reviewed by:	markj
Differential Revision: https://reviews.freebsd.org/D37239
2022-11-02 11:09:06 -06:00
Konstantin Belousov
fd6dd33dc0 opencrypto: fix null esp crypt
Fixes:	3e9470482a
Reviewed by:	jhb
Sponsored by:	Nvidia networking
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D37113
2022-10-25 03:24:43 +03:00
Ed Maste
3471fcf3a4 opencrypto: mark INVARIANTS variables as __diagused
Fixes INVARIANTS build with Clang 15, which previously failed due to
set-but-not-used variable warnings.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-08-10 15:35:29 -04:00
Mitchell Horne
c84c5e00ac ddb: annotate some commands with DB_CMD_MEMSAFE
This is not completely exhaustive, but covers a large majority of
commands in the tree.

Reviewed by:	markj
Sponsored by:	Juniper Networks, Inc.
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D35583
2022-07-18 22:06:09 +00:00
Mark Johnston
99df914899 crypto: Validate return values from CRYPTODEV_PROCESS()
Errors are always handled by the completion callback, so we should check
that they're not also passed back to the caller.

No functional change intended.

Reviewed by:	kp, mav, jhb
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D35382
2022-07-01 11:09:39 -04:00
Mark Johnston
8179db52c2 crypto: Fix the NULL_HMAC finalizer
The current implementation leaves the digest buffer partially
uninitialized.

Reported by:	syzkaller
Reviewed by:	jhb
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D35547
2022-07-01 11:04:15 -04:00
John Baldwin
c71f2370c5 crypto: Fix assertions for digest-only sessions with separate output.
Digest-only sessions do not generate modified payload as an output, so
don't bother asserting anything about the payload with respect to the
output buffer other than the payload output start being zero.

In addition, a verify request on a digest-only session doesn't
generate any output at all so should never have a separate output
buffer.

PR:		252316
Reviewed by:	markj
Co-authored-by:	Jeremy Faulkner <gldisater@gmail.com>
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D35578
2022-06-30 10:10:00 -07:00
John Baldwin
ab050b2b8f crypto: Remove unused devclass arguments to DRIVER_MODULE. 2022-05-06 15:46:58 -07:00
John Baldwin
a8280123e4 KTLS: Add a new recrypt operation to the software backend.
When using NIC TLS RX, packets that are dropped and retransmitted are
not decrypted by the NIC but are passed along as-is.  As a result, a
received TLS record might contain a mix of encrypted and decrypted
data.  If this occurs, the already-decrypted data needs to be
re-encrypted so that the resulting record can then be decrypted
normally.

Add support for this for sessions using AES-GCM with TLS 1.2 or TLS
1.3.  For the recrypt operation, allocate a temporary buffer and
encrypt the the payload portion of the TLS record with AES-CTR with an
initial IV constructed from the AES-GCM nonce.  Then fixup the
original mbuf chain by copying the results from the temporary buffer
back into the original mbufs for any mbufs containing decrypted data.

Once it has been recrypted, the mbuf chain can then be decrypted via
the normal software decryption path.

Co-authored by:	Hans Petter Selasky <hselasky@FreeBSD.org>
Reviewed by:	hselasky
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D35012
2022-04-22 15:52:50 -07:00
John Baldwin
663ae8f7f9 KTLS: Construct IV directly in crp.crp_iv for TLS 1.3 AEAD encryption.
Previously this used a temporary nonce[] buffer.  The decrypt hook for
TLS 1.3 as well as the hooks for TLS 1.2 already constructed the IV
directly in crp.crp_iv.

Reviewed by:	hselasky
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D35027
2022-04-22 15:52:27 -07:00
John Baldwin
a4c5d490f6 KTLS: Move OCF function pointers out of ktls_session.
Instead, create a switch structure private to ktls_ocf.c and store a
pointer to the switch in the ocf_session.  This will permit adding an
additional function pointer needed for NIC TLS RX without further
bloating ktls_session.

Reviewed by:	hselasky
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D35011
2022-04-22 15:52:12 -07:00
John Baldwin
4b337ada34 KTLS: Free the MAC session when destroying AES-CBC software sessions.
Reviewed by:	hselasky
MFC after:	1 week
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D35013
2022-04-21 13:49:40 -07:00
Mateusz Guzik
70439285ad crypto: hide crypto_destroyreq behind a tunable
Reviewed by:	jhb, markj
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D32084
2022-02-16 07:45:12 +00:00
Mark Johnston
09bfa5cf16 opencrypto: Add a routine to copy a crypto buffer cursor
This was useful in converting armv8crypto to use buffer cursors.  There
are some cases where one wants to make two passes over data, and this
provides a way to "reset" a cursor.

Reviewed by:	jhb
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D28949
2022-02-15 21:47:10 -05:00
John Baldwin
46f69eba96 opencrypto/xform_*.h: Trim scope of included headers.
Reviewed by:	markj, emaste
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34022
2022-01-25 15:21:22 -08:00
John Baldwin
f6459a7aa8 opencrypto/cryptodev.h: Add includes to make more self-contained.
Reviewed by:	markj, emaste
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34021
2022-01-25 15:20:46 -08:00
John Baldwin
16cf646a6f crypto: Remove xform.c and compile xform_*.c standalone.
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33995
2022-01-24 15:27:40 -08:00
John Baldwin
faf470ffdc xform_*.c: Add headers when needed to compile standalone.
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33994
2022-01-24 15:27:40 -08:00
John Baldwin
991b84eca9 Retire now-unused M_XDATA.
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33993
2022-01-24 15:27:39 -08:00
John Baldwin
8f3f3fdf73 cryptodev: Use a private malloc type (M_CRYPTODEV) instead of M_XDATA.
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33991
2022-01-24 15:27:39 -08:00
Mark Johnston
5072251428 cryptosoft: Avoid referencing end-of-buffer cursors
Once a crypto cursor has reached the end of its buffer, it is invalid to
call crypto_cursor_segment() for at least some crypto buffer types.
Reorganize loops to avoid this.

Fixes:	cfb7b942be ("cryptosoft: Use multi-block encrypt/decrypt for non-AEAD ciphers.")
Fixes:	a221a8f4a0 ("cryptosoft: Use multi-block encrypt/decrypt for AES-GCM.")
Fixes:	f8580fcaa1 ("cryptosoft: Use multi-block encrypt/decrypt for AES-CCM.")
Fixes:	5022c68732 ("cryptosoft: Use multi-block encrypt/decrypt for ChaCha20-Poly1305.")
Reported and tested by:	madpilot
Discussed with:	jhb
Sponsored by:	The FreeBSD Foundation
2022-01-17 19:01:24 -05:00
Warner Losh
8bb9cd271e stand: Fix KASSERT use
Explicitly include sys/systm.h to pull in KASSERT.

Sponsored by:		Netflix
Reviewed by:		jhb
Differential Revision:	https://reviews.freebsd.org/D33855
2022-01-11 16:43:18 -07:00
John Baldwin
5022c68732 cryptosoft: Use multi-block encrypt/decrypt for ChaCha20-Poly1305.
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33758
2022-01-11 14:21:31 -08:00
John Baldwin
f8580fcaa1 cryptosoft: Use multi-block encrypt/decrypt for AES-CCM.
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33757
2022-01-11 14:21:00 -08:00
John Baldwin
a221a8f4a0 cryptosoft: Use multi-block encrypt/decrypt for AES-GCM.
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33756
2022-01-11 14:20:32 -08:00
John Baldwin
69e533c3ff swcr_encdec: Rename blks to blksz.
This better reflects the variables purpose and matches other functions
in this file.

Requested by:	markj
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33755
2022-01-11 14:20:10 -08:00
John Baldwin
cfb7b942be cryptosoft: Use multi-block encrypt/decrypt for non-AEAD ciphers.
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33531
2022-01-11 14:18:57 -08:00
John Baldwin
d7f0b3ce6d crypto: Re-add encrypt/decrypt_multi hooks to enc_xform.
These callbacks allow multiple contiguous blocks to be manipulated in
a single call.  Note that any trailing partial block for a stream
cipher must still be passed to encrypt/decrypt_last.

While here, document the setkey and reinit hooks and reorder the hooks
in 'struct enc_xform' to better reflect the life cycle.

Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33529
2022-01-11 14:17:41 -08:00
John Baldwin
8f35841f1f crypto: Add support for the XChaCha20-Poly1305 AEAD cipher.
This cipher is a wrapper around the ChaCha20-Poly1305 AEAD cipher
which accepts a larger nonce.  Part of the nonce is used along with
the key as an input to HChaCha20 to generate a derived key used for
ChaCha20-Poly1305.

This cipher is used by WireGuard.

Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33523
2022-01-11 14:16:41 -08:00
John Baldwin
74d3f1b63d OCF: Add crypto_clonereq().
This function clones an existing crypto request, but associates the
new request with a specified session.  The intended use case is for
drivers to be able to fall back to software by cloning a request and
dispatch it to an internally allocated software session.

Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D33607
2022-01-04 14:22:12 -08:00
John Baldwin
61ff0a1f81 /dev/crypto: Store blocksize in cse rather than txform pointer.
Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D33614
2021-12-29 17:50:23 -08:00
John Baldwin
c3907ef482 /dev/crypto: Minimize cipher-specific logic.
Rather than duplicating the switches in crypto_auth_hash() and
crypto_cipher(), copy the algorithm constants from the new session
ioctl into a csp directly which permits using the functions in
crypto.c.

Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D33613
2021-12-29 17:50:03 -08:00
John Baldwin
c3a688ef4d OCF: Hook up plain RIPEMD160 in cryptosoft and /dev/crypto.
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33612
2021-12-29 16:46:48 -08:00
John Baldwin
d074adf18b cryptodev.h: Drop 'extern' from function prototypes.
Sponsored by:	Chelsio Communications
2021-12-21 12:33:49 -08:00
John Baldwin
33d56e57ec crypto: Encrypt the XORed input block for Camellia-CBC.
This fixes a regression in the previous change to move CBC chaining
into enc_xform_camellia which passed the raw input into the encrypt
function (thus not actually doing the chaining).  This still works
when using the same buffer for input and output which is why my
initial testing with cryptocheck didn't catch it.

Fixes:		f84d708b48 crypto: Move CBC handling into enc_xform_camellia.
Sponsored by:	The FreeBSD Foundation
2021-12-17 16:46:09 -08:00