2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2019 Netflix Inc.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
32 #include <sys/param.h>
33 #include <sys/systm.h>
34 #include <sys/counter.h>
35 #include <sys/endian.h>
36 #include <sys/kernel.h>
39 #include <sys/malloc.h>
40 #include <sys/module.h>
41 #include <sys/mutex.h>
42 #include <sys/sysctl.h>
44 #include <opencrypto/cryptodev.h>
51 struct ocf_operation {
52 struct ocf_session *os;
57 static MALLOC_DEFINE(M_KTLS_OCF, "ktls_ocf", "OCF KTLS");
59 SYSCTL_DECL(_kern_ipc_tls);
60 SYSCTL_DECL(_kern_ipc_tls_stats);
62 static SYSCTL_NODE(_kern_ipc_tls_stats, OID_AUTO, ocf,
63 CTLFLAG_RD | CTLFLAG_MPSAFE, 0,
64 "Kernel TLS offload via OCF stats");
66 static counter_u64_t ocf_tls12_gcm_crypts;
67 SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls12_gcm_crypts,
68 CTLFLAG_RD, &ocf_tls12_gcm_crypts,
69 "Total number of OCF TLS 1.2 GCM encryption operations");
71 static counter_u64_t ocf_tls13_gcm_crypts;
72 SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, tls13_gcm_crypts,
73 CTLFLAG_RD, &ocf_tls13_gcm_crypts,
74 "Total number of OCF TLS 1.3 GCM encryption operations");
76 static counter_u64_t ocf_retries;
77 SYSCTL_COUNTER_U64(_kern_ipc_tls_stats_ocf, OID_AUTO, retries, CTLFLAG_RD,
79 "Number of OCF encryption operation retries");
82 ktls_ocf_callback(struct cryptop *crp)
84 struct ocf_operation *oo;
87 mtx_lock(&oo->os->lock);
89 mtx_unlock(&oo->os->lock);
95 ktls_ocf_tls12_gcm_encrypt(struct ktls_session *tls,
96 const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov,
97 struct iovec *outiov, int iovcnt, uint64_t seqno,
98 uint8_t record_type __unused)
101 struct tls_aead_data ad;
103 struct ocf_session *os;
104 struct ocf_operation *oo;
107 uint16_t tls_comp_len;
111 oo = malloc(sizeof(*oo) + (iovcnt + 2) * sizeof(*iov), M_KTLS_OCF,
116 crp = crypto_getreq(os->sid, M_WAITOK);
119 memcpy(crp->crp_iv, tls->params.iv, TLS_AEAD_GCM_LEN);
120 memcpy(crp->crp_iv + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t));
123 tls_comp_len = ntohs(hdr->tls_length) -
124 (AES_GMAC_HASH_LEN + sizeof(uint64_t));
125 ad.seq = htobe64(seqno);
126 ad.type = hdr->tls_type;
127 ad.tls_vmajor = hdr->tls_vmajor;
128 ad.tls_vminor = hdr->tls_vminor;
129 ad.tls_length = htons(tls_comp_len);
130 iov[0].iov_base = &ad;
131 iov[0].iov_len = sizeof(ad);
132 uio.uio_resid = sizeof(ad);
135 * OCF always does encryption in place, so copy the data if
138 for (i = 0; i < iovcnt; i++) {
139 iov[i + 1] = outiov[i];
140 if (iniov[i].iov_base != outiov[i].iov_base)
141 memcpy(outiov[i].iov_base, iniov[i].iov_base,
143 uio.uio_resid += outiov[i].iov_len;
146 iov[iovcnt + 1].iov_base = trailer;
147 iov[iovcnt + 1].iov_len = AES_GMAC_HASH_LEN;
148 uio.uio_resid += AES_GMAC_HASH_LEN;
151 uio.uio_iovcnt = iovcnt + 2;
153 uio.uio_segflg = UIO_SYSSPACE;
154 uio.uio_td = curthread;
156 crp->crp_op = CRYPTO_OP_ENCRYPT | CRYPTO_OP_COMPUTE_DIGEST;
157 crp->crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE;
158 crypto_use_uio(crp, &uio);
159 crp->crp_opaque = oo;
160 crp->crp_callback = ktls_ocf_callback;
162 crp->crp_aad_start = 0;
163 crp->crp_aad_length = sizeof(ad);
164 crp->crp_payload_start = sizeof(ad);
165 crp->crp_payload_length = uio.uio_resid -
166 (sizeof(ad) + AES_GMAC_HASH_LEN);
167 crp->crp_digest_start = uio.uio_resid - AES_GMAC_HASH_LEN;
169 counter_u64_add(ocf_tls12_gcm_crypts, 1);
171 error = crypto_dispatch(crp);
177 mtx_sleep(oo, &os->lock, 0, "ocfktls", 0);
178 mtx_unlock(&os->lock);
180 if (crp->crp_etype != EAGAIN) {
181 error = crp->crp_etype;
186 crp->crp_flags &= ~CRYPTO_F_DONE;
188 counter_u64_add(ocf_retries, 1);
192 free(oo, M_KTLS_OCF);
197 ktls_ocf_tls13_gcm_encrypt(struct ktls_session *tls,
198 const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *iniov,
199 struct iovec *outiov, int iovcnt, uint64_t seqno, uint8_t record_type)
202 struct tls_aead_data_13 ad;
205 struct ocf_session *os;
206 struct ocf_operation *oo;
212 oo = malloc(sizeof(*oo) + (iovcnt + 2) * sizeof(*iov), M_KTLS_OCF,
217 crp = crypto_getreq(os->sid, M_WAITOK);
219 /* Setup the nonce. */
220 memcpy(nonce, tls->params.iv, tls->params.iv_len);
221 *(uint64_t *)(nonce + 4) ^= htobe64(seqno);
224 ad.type = hdr->tls_type;
225 ad.tls_vmajor = hdr->tls_vmajor;
226 ad.tls_vminor = hdr->tls_vminor;
227 ad.tls_length = hdr->tls_length;
228 iov[0].iov_base = &ad;
229 iov[0].iov_len = sizeof(ad);
230 uio.uio_resid = sizeof(ad);
233 * OCF always does encryption in place, so copy the data if
236 for (i = 0; i < iovcnt; i++) {
237 iov[i + 1] = outiov[i];
238 if (iniov[i].iov_base != outiov[i].iov_base)
239 memcpy(outiov[i].iov_base, iniov[i].iov_base,
241 uio.uio_resid += outiov[i].iov_len;
244 trailer[0] = record_type;
245 iov[iovcnt + 1].iov_base = trailer;
246 iov[iovcnt + 1].iov_len = AES_GMAC_HASH_LEN + 1;
247 uio.uio_resid += AES_GMAC_HASH_LEN + 1;
250 uio.uio_iovcnt = iovcnt + 2;
252 uio.uio_segflg = UIO_SYSSPACE;
253 uio.uio_td = curthread;
255 crp->crp_op = CRYPTO_OP_ENCRYPT | CRYPTO_OP_COMPUTE_DIGEST;
256 crp->crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE;
257 crypto_use_uio(crp, &uio);
258 crp->crp_opaque = oo;
259 crp->crp_callback = ktls_ocf_callback;
261 crp->crp_aad_start = 0;
262 crp->crp_aad_length = sizeof(ad);
263 crp->crp_payload_start = sizeof(ad);
264 crp->crp_payload_length = uio.uio_resid -
265 (sizeof(ad) + AES_GMAC_HASH_LEN);
266 crp->crp_digest_start = uio.uio_resid - AES_GMAC_HASH_LEN;
267 memcpy(crp->crp_iv, nonce, sizeof(nonce));
269 counter_u64_add(ocf_tls13_gcm_crypts, 1);
271 error = crypto_dispatch(crp);
277 mtx_sleep(oo, &os->lock, 0, "ocfktls", 0);
278 mtx_unlock(&os->lock);
280 if (crp->crp_etype != EAGAIN) {
281 error = crp->crp_etype;
286 crp->crp_flags &= ~CRYPTO_F_DONE;
288 counter_u64_add(ocf_retries, 1);
292 free(oo, M_KTLS_OCF);
297 ktls_ocf_free(struct ktls_session *tls)
299 struct ocf_session *os;
302 crypto_freesession(os->sid);
303 mtx_destroy(&os->lock);
304 explicit_bzero(os, sizeof(*os));
305 free(os, M_KTLS_OCF);
309 ktls_ocf_try(struct socket *so, struct ktls_session *tls)
311 struct crypto_session_params csp;
312 struct ocf_session *os;
315 memset(&csp, 0, sizeof(csp));
317 switch (tls->params.cipher_algorithm) {
318 case CRYPTO_AES_NIST_GCM_16:
319 switch (tls->params.cipher_key_len) {
326 csp.csp_mode = CSP_MODE_AEAD;
327 csp.csp_cipher_alg = CRYPTO_AES_NIST_GCM_16;
328 csp.csp_cipher_key = tls->params.cipher_key;
329 csp.csp_cipher_klen = tls->params.cipher_key_len;
330 csp.csp_ivlen = AES_GCM_IV_LEN;
333 return (EPROTONOSUPPORT);
336 /* Only TLS 1.2 and 1.3 are supported. */
337 if (tls->params.tls_vmajor != TLS_MAJOR_VER_ONE ||
338 tls->params.tls_vminor < TLS_MINOR_VER_TWO ||
339 tls->params.tls_vminor > TLS_MINOR_VER_THREE)
340 return (EPROTONOSUPPORT);
342 os = malloc(sizeof(*os), M_KTLS_OCF, M_NOWAIT | M_ZERO);
346 error = crypto_newsession(&os->sid, &csp,
347 CRYPTO_FLAG_HARDWARE | CRYPTO_FLAG_SOFTWARE);
349 free(os, M_KTLS_OCF);
353 mtx_init(&os->lock, "ktls_ocf", NULL, MTX_DEF);
355 if (tls->params.tls_vminor == TLS_MINOR_VER_THREE)
356 tls->sw_encrypt = ktls_ocf_tls13_gcm_encrypt;
358 tls->sw_encrypt = ktls_ocf_tls12_gcm_encrypt;
359 tls->free = ktls_ocf_free;
363 struct ktls_crypto_backend ocf_backend = {
366 .api_version = KTLS_API_VERSION,
371 ktls_ocf_modevent(module_t mod, int what, void *arg)
377 ocf_tls12_gcm_crypts = counter_u64_alloc(M_WAITOK);
378 ocf_tls13_gcm_crypts = counter_u64_alloc(M_WAITOK);
379 ocf_retries = counter_u64_alloc(M_WAITOK);
380 return (ktls_crypto_backend_register(&ocf_backend));
382 error = ktls_crypto_backend_deregister(&ocf_backend);
385 counter_u64_free(ocf_tls12_gcm_crypts);
386 counter_u64_free(ocf_tls13_gcm_crypts);
387 counter_u64_free(ocf_retries);
394 static moduledata_t ktls_ocf_moduledata = {
400 DECLARE_MODULE(ktls_ocf, ktls_ocf_moduledata, SI_SUB_PROTO_END, SI_ORDER_ANY);