2 * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include <openssl/rand.h>
13 #include "../../ssl_local.h"
14 #include "../record_local.h"
15 #include "recmethod_local.h"
16 #include "internal/ktls.h"
18 static struct record_functions_st ossl_ktls_funcs
;
20 #if defined(__FreeBSD__)
21 # include "crypto/cryptodev.h"
24 * Check if a given cipher is supported by the KTLS interface.
25 * The kernel might still fail the setsockopt() if no suitable
26 * provider is found, but this checks if the socket option
27 * supports the cipher suite used at all.
29 static int ktls_int_check_supported_cipher(OSSL_RECORD_LAYER
*rl
,
34 switch (rl
->version
) {
38 #ifdef OPENSSL_KTLS_TLS13
46 if (EVP_CIPHER_is_a(c
, "AES-128-GCM")
47 || EVP_CIPHER_is_a(c
, "AES-256-GCM")
48 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
49 || EVP_CIPHER_is_a(c
, "CHACHA20-POLY1305")
54 if (!EVP_CIPHER_is_a(c
, "AES-128-CBC")
55 && !EVP_CIPHER_is_a(c
, "AES-256-CBC"))
64 if (EVP_MD_is_a(md
, "SHA1")
65 || EVP_MD_is_a(md
, "SHA2-256")
66 || EVP_MD_is_a(md
, "SHA2-384"))
72 /* Function to configure kernel TLS structure */
74 int ktls_configure_crypto(OSSL_LIB_CTX
*libctx
, int version
, const EVP_CIPHER
*c
,
75 EVP_MD
*md
, void *rl_sequence
,
76 ktls_crypto_info_t
*crypto_info
, int is_tx
,
77 unsigned char *iv
, size_t ivlen
,
78 unsigned char *key
, size_t keylen
,
79 unsigned char *mac_key
, size_t mac_secret_size
)
81 memset(crypto_info
, 0, sizeof(*crypto_info
));
82 if (EVP_CIPHER_is_a(c
, "AES-128-GCM")
83 || EVP_CIPHER_is_a(c
, "AES-256-GCM")) {
84 crypto_info
->cipher_algorithm
= CRYPTO_AES_NIST_GCM_16
;
85 crypto_info
->iv_len
= ivlen
;
87 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
88 if (EVP_CIPHER_is_a(c
, "CHACHA20-POLY1305")) {
89 crypto_info
->cipher_algorithm
= CRYPTO_CHACHA20_POLY1305
;
90 crypto_info
->iv_len
= ivlen
;
93 if (EVP_CIPHER_is_a(c
, "AES-128-CBC") || EVP_CIPHER_is_a(c
, "AES-256-CBC")) {
96 if (EVP_MD_is_a(md
, "SHA1"))
97 crypto_info
->auth_algorithm
= CRYPTO_SHA1_HMAC
;
98 else if (EVP_MD_is_a(md
, "SHA2-256")) {
99 crypto_info
->auth_algorithm
= CRYPTO_SHA2_256_HMAC
;
100 else if (EVP_MD_is_a(md
, "SHA2-384"))
101 crypto_info
->auth_algorithm
= CRYPTO_SHA2_384_HMAC
;
104 crypto_info
->cipher_algorithm
= CRYPTO_AES_CBC
;
105 crypto_info
->iv_len
= ivlen
;
106 crypto_info
->auth_key
= mac_key
;
107 crypto_info
->auth_key_len
= mac_secret_size
;
111 crypto_info
->cipher_key
= key
;
112 crypto_info
->cipher_key_len
= keylen
;
113 crypto_info
->iv
= iv
;
114 crypto_info
->tls_vmajor
= (version
>> 8) & 0x000000ff;
115 crypto_info
->tls_vminor
= (version
& 0x000000ff);
116 # ifdef TCP_RXTLS_ENABLE
117 memcpy(crypto_info
->rec_seq
, rl_sequence
, sizeof(crypto_info
->rec_seq
));
125 #endif /* __FreeBSD__ */
127 #if defined(OPENSSL_SYS_LINUX)
128 /* Function to check supported ciphers in Linux */
129 static int ktls_int_check_supported_cipher(OSSL_RECORD_LAYER
*rl
,
134 switch (rl
->version
) {
136 #ifdef OPENSSL_KTLS_TLS13
145 * Check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128
146 * or Chacha20-Poly1305
148 # ifdef OPENSSL_KTLS_AES_CCM_128
149 if (EVP_CIPHER_is_a(c
, "AES-128-CCM")) {
150 if (rl
->version
== TLS_1_3_VERSION
/* broken on 5.x kernels */
151 || taglen
!= EVP_CCM_TLS_TAG_LEN
)
157 # ifdef OPENSSL_KTLS_AES_GCM_128
158 || EVP_CIPHER_is_a(c
, "AES-128-GCM")
160 # ifdef OPENSSL_KTLS_AES_GCM_256
161 || EVP_CIPHER_is_a(c
, "AES-256-GCM")
163 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
164 || EVP_CIPHER_is_a(c
, "ChaCha20-Poly1305")
172 /* Function to configure kernel TLS structure */
174 int ktls_configure_crypto(OSSL_LIB_CTX
*libctx
, int version
, const EVP_CIPHER
*c
,
175 const EVP_MD
*md
, void *rl_sequence
,
176 ktls_crypto_info_t
*crypto_info
, int is_tx
,
177 unsigned char *iv
, size_t ivlen
,
178 unsigned char *key
, size_t keylen
,
179 unsigned char *mac_key
, size_t mac_secret_size
)
181 unsigned char geniv
[EVP_GCM_TLS_EXPLICIT_IV_LEN
];
182 unsigned char *eiv
= NULL
;
184 # ifdef OPENSSL_NO_KTLS_RX
189 if (EVP_CIPHER_get_mode(c
) == EVP_CIPH_GCM_MODE
190 || EVP_CIPHER_get_mode(c
) == EVP_CIPH_CCM_MODE
) {
191 if (!ossl_assert(EVP_GCM_TLS_FIXED_IV_LEN
== EVP_CCM_TLS_FIXED_IV_LEN
)
192 || !ossl_assert(EVP_GCM_TLS_EXPLICIT_IV_LEN
193 == EVP_CCM_TLS_EXPLICIT_IV_LEN
))
195 if (version
== TLS1_2_VERSION
) {
196 if (!ossl_assert(ivlen
== EVP_GCM_TLS_FIXED_IV_LEN
))
199 if (RAND_bytes_ex(libctx
, geniv
,
200 EVP_GCM_TLS_EXPLICIT_IV_LEN
, 0) <= 0)
203 memset(geniv
, 0, EVP_GCM_TLS_EXPLICIT_IV_LEN
);
207 if (!ossl_assert(ivlen
== EVP_GCM_TLS_FIXED_IV_LEN
208 + EVP_GCM_TLS_EXPLICIT_IV_LEN
))
210 eiv
= iv
+ TLS_CIPHER_AES_GCM_128_SALT_SIZE
;
214 memset(crypto_info
, 0, sizeof(*crypto_info
));
215 switch (EVP_CIPHER_get_nid(c
)) {
216 # ifdef OPENSSL_KTLS_AES_GCM_128
217 case NID_aes_128_gcm
:
218 if (!ossl_assert(TLS_CIPHER_AES_GCM_128_SALT_SIZE
219 == EVP_GCM_TLS_FIXED_IV_LEN
)
220 || !ossl_assert(TLS_CIPHER_AES_GCM_128_IV_SIZE
221 == EVP_GCM_TLS_EXPLICIT_IV_LEN
))
223 crypto_info
->gcm128
.info
.cipher_type
= TLS_CIPHER_AES_GCM_128
;
224 crypto_info
->gcm128
.info
.version
= version
;
225 crypto_info
->tls_crypto_info_len
= sizeof(crypto_info
->gcm128
);
226 memcpy(crypto_info
->gcm128
.iv
, eiv
, TLS_CIPHER_AES_GCM_128_IV_SIZE
);
227 memcpy(crypto_info
->gcm128
.salt
, iv
, TLS_CIPHER_AES_GCM_128_SALT_SIZE
);
228 memcpy(crypto_info
->gcm128
.key
, key
, keylen
);
229 memcpy(crypto_info
->gcm128
.rec_seq
, rl_sequence
,
230 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE
);
233 # ifdef OPENSSL_KTLS_AES_GCM_256
234 case NID_aes_256_gcm
:
235 if (!ossl_assert(TLS_CIPHER_AES_GCM_256_SALT_SIZE
236 == EVP_GCM_TLS_FIXED_IV_LEN
)
237 || !ossl_assert(TLS_CIPHER_AES_GCM_256_IV_SIZE
238 == EVP_GCM_TLS_EXPLICIT_IV_LEN
))
240 crypto_info
->gcm256
.info
.cipher_type
= TLS_CIPHER_AES_GCM_256
;
241 crypto_info
->gcm256
.info
.version
= version
;
242 crypto_info
->tls_crypto_info_len
= sizeof(crypto_info
->gcm256
);
243 memcpy(crypto_info
->gcm256
.iv
, eiv
, TLS_CIPHER_AES_GCM_256_IV_SIZE
);
244 memcpy(crypto_info
->gcm256
.salt
, iv
, TLS_CIPHER_AES_GCM_256_SALT_SIZE
);
245 memcpy(crypto_info
->gcm256
.key
, key
, keylen
);
246 memcpy(crypto_info
->gcm256
.rec_seq
, rl_sequence
,
247 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE
);
251 # ifdef OPENSSL_KTLS_AES_CCM_128
252 case NID_aes_128_ccm
:
253 if (!ossl_assert(TLS_CIPHER_AES_CCM_128_SALT_SIZE
254 == EVP_CCM_TLS_FIXED_IV_LEN
)
255 || !ossl_assert(TLS_CIPHER_AES_CCM_128_IV_SIZE
256 == EVP_CCM_TLS_EXPLICIT_IV_LEN
))
258 crypto_info
->ccm128
.info
.cipher_type
= TLS_CIPHER_AES_CCM_128
;
259 crypto_info
->ccm128
.info
.version
= version
;
260 crypto_info
->tls_crypto_info_len
= sizeof(crypto_info
->ccm128
);
261 memcpy(crypto_info
->ccm128
.iv
, eiv
, TLS_CIPHER_AES_CCM_128_IV_SIZE
);
262 memcpy(crypto_info
->ccm128
.salt
, iv
, TLS_CIPHER_AES_CCM_128_SALT_SIZE
);
263 memcpy(crypto_info
->ccm128
.key
, key
, keylen
);
264 memcpy(crypto_info
->ccm128
.rec_seq
, rl_sequence
,
265 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE
);
268 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
269 case NID_chacha20_poly1305
:
270 if (!ossl_assert(ivlen
== TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE
))
272 crypto_info
->chacha20poly1305
.info
.cipher_type
273 = TLS_CIPHER_CHACHA20_POLY1305
;
274 crypto_info
->chacha20poly1305
.info
.version
= version
;
275 crypto_info
->tls_crypto_info_len
= sizeof(crypto_info
->chacha20poly1305
);
276 memcpy(crypto_info
->chacha20poly1305
.iv
, iv
, ivlen
);
277 memcpy(crypto_info
->chacha20poly1305
.key
, key
, keylen
);
278 memcpy(crypto_info
->chacha20poly1305
.rec_seq
, rl_sequence
,
279 TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE
);
288 #endif /* OPENSSL_SYS_LINUX */
290 static int ktls_set_crypto_state(OSSL_RECORD_LAYER
*rl
, int level
,
291 unsigned char *key
, size_t keylen
,
292 unsigned char *iv
, size_t ivlen
,
293 unsigned char *mackey
, size_t mackeylen
,
294 const EVP_CIPHER
*ciph
,
300 ktls_crypto_info_t crypto_info
;
303 * Check if we are suitable for KTLS. If not suitable we return
304 * OSSL_RECORD_RETURN_NON_FATAL_ERR so that other record layers can be tried
309 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
311 /* ktls supports only the maximum fragment size */
312 if (rl
->max_frag_len
!= SSL3_RT_MAX_PLAIN_LENGTH
)
313 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
315 /* check that cipher is supported */
316 if (!ktls_int_check_supported_cipher(rl
, ciph
, md
, taglen
))
317 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
319 /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */
320 if (rl
->direction
== OSSL_RECORD_DIRECTION_WRITE
) {
321 if (BIO_flush(rl
->bio
) <= 0)
322 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
324 /* KTLS does not support record padding */
325 if (rl
->padding
!= NULL
|| rl
->block_padding
> 0)
326 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
329 if (!ktls_configure_crypto(rl
->libctx
, rl
->version
, ciph
, md
, rl
->sequence
,
331 rl
->direction
== OSSL_RECORD_DIRECTION_WRITE
,
332 iv
, ivlen
, key
, keylen
, mackey
, mackeylen
))
333 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
335 if (!BIO_set_ktls(rl
->bio
, &crypto_info
, rl
->direction
))
336 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
338 return OSSL_RECORD_RETURN_SUCCESS
;
341 static int ktls_read_n(OSSL_RECORD_LAYER
*rl
, size_t n
, size_t max
, int extend
,
342 int clearold
, size_t *readbytes
)
346 ret
= tls_default_read_n(rl
, n
, max
, extend
, clearold
, readbytes
);
348 if (ret
< OSSL_RECORD_RETURN_RETRY
) {
351 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
,
352 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
355 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
356 SSL_R_PACKET_LENGTH_TOO_LONG
);
359 RLAYERfatal(rl
, SSL_AD_PROTOCOL_VERSION
,
360 SSL_R_WRONG_VERSION_NUMBER
);
370 static int ktls_cipher(OSSL_RECORD_LAYER
*rl
, TLS_RL_RECORD
*inrecs
,
371 size_t n_recs
, int sending
, SSL_MAC_BUF
*mac
,
377 static int ktls_validate_record_header(OSSL_RECORD_LAYER
*rl
, TLS_RL_RECORD
*rec
)
379 if (rec
->rec_version
!= TLS1_2_VERSION
) {
380 RLAYERfatal(rl
, SSL_AD_DECODE_ERROR
, SSL_R_WRONG_VERSION_NUMBER
);
387 static int ktls_post_process_record(OSSL_RECORD_LAYER
*rl
, TLS_RL_RECORD
*rec
)
389 if (rl
->version
== TLS1_3_VERSION
)
390 return tls13_common_post_process_record(rl
, rec
);
396 ktls_new_record_layer(OSSL_LIB_CTX
*libctx
, const char *propq
, int vers
,
397 int role
, int direction
, int level
, uint16_t epoch
,
398 unsigned char *key
, size_t keylen
, unsigned char *iv
,
399 size_t ivlen
, unsigned char *mackey
, size_t mackeylen
,
400 const EVP_CIPHER
*ciph
, size_t taglen
,
402 const EVP_MD
*md
, COMP_METHOD
*comp
, BIO
*prev
,
403 BIO
*transport
, BIO
*next
, BIO_ADDR
*local
, BIO_ADDR
*peer
,
404 const OSSL_PARAM
*settings
, const OSSL_PARAM
*options
,
405 const OSSL_DISPATCH
*fns
, void *cbarg
,
406 OSSL_RECORD_LAYER
**retrl
)
410 ret
= tls_int_new_record_layer(libctx
, propq
, vers
, role
, direction
, level
,
411 key
, keylen
, iv
, ivlen
, mackey
, mackeylen
,
412 ciph
, taglen
, mactype
, md
, comp
, prev
,
413 transport
, next
, local
, peer
, settings
,
414 options
, fns
, cbarg
, retrl
);
416 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
)
419 (*retrl
)->funcs
= &ossl_ktls_funcs
;
421 ret
= (*retrl
)->funcs
->set_crypto_state(*retrl
, level
, key
, keylen
, iv
,
422 ivlen
, mackey
, mackeylen
, ciph
,
423 taglen
, mactype
, md
, comp
);
425 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
) {
426 OPENSSL_free(*retrl
);
430 * With KTLS we always try and read as much as possible and fill the
433 (*retrl
)->read_ahead
= 1;
438 static int ktls_allocate_write_buffers(OSSL_RECORD_LAYER
*rl
,
439 OSSL_RECORD_TEMPLATE
*templates
,
440 size_t numtempl
, size_t *prefix
)
442 if (!ossl_assert(numtempl
== 1))
446 * We just use the end application buffer in the case of KTLS, so nothing
447 * to do. We pretend we set up one buffer.
454 static int ktls_initialise_write_packets(OSSL_RECORD_LAYER
*rl
,
455 OSSL_RECORD_TEMPLATE
*templates
,
457 OSSL_RECORD_TEMPLATE
*prefixtempl
,
465 * We just use the application buffer directly and don't use any WPACKET
469 wb
->type
= templates
[0].type
;
472 * ktls doesn't modify the buffer, but to avoid a warning we need
473 * to discard the const qualifier.
474 * This doesn't leak memory because the buffers have never been allocated
477 TLS_BUFFER_set_buf(wb
, (unsigned char *)templates
[0].buf
);
478 TLS_BUFFER_set_offset(wb
, 0);
479 TLS_BUFFER_set_app_buffer(wb
, 1);
484 static int ktls_prepare_record_header(OSSL_RECORD_LAYER
*rl
,
486 OSSL_RECORD_TEMPLATE
*templ
,
487 unsigned int rectype
,
488 unsigned char **recdata
)
490 /* The kernel writes the record header, so nothing to do */
496 static int ktls_prepare_for_encryption(OSSL_RECORD_LAYER
*rl
,
499 TLS_RL_RECORD
*thiswr
)
501 /* No encryption, so nothing to do */
505 static int ktls_post_encryption_processing(OSSL_RECORD_LAYER
*rl
,
507 OSSL_RECORD_TEMPLATE
*templ
,
509 TLS_RL_RECORD
*thiswr
)
511 /* The kernel does anything that is needed, so nothing to do here */
515 static int ktls_prepare_write_bio(OSSL_RECORD_LAYER
*rl
, int type
)
518 * To prevent coalescing of control and data messages,
519 * such as in buffer_write, we flush the BIO
521 if (type
!= SSL3_RT_APPLICATION_DATA
) {
522 int ret
, i
= BIO_flush(rl
->bio
);
525 if (BIO_should_retry(rl
->bio
))
526 ret
= OSSL_RECORD_RETURN_RETRY
;
528 ret
= OSSL_RECORD_RETURN_FATAL
;
531 BIO_set_ktls_ctrl_msg(rl
->bio
, type
);
534 return OSSL_RECORD_RETURN_SUCCESS
;
537 static int ktls_alloc_buffers(OSSL_RECORD_LAYER
*rl
)
539 /* We use the application buffer directly for writing */
540 if (rl
->direction
== OSSL_RECORD_DIRECTION_WRITE
)
543 return tls_alloc_buffers(rl
);
546 static int ktls_free_buffers(OSSL_RECORD_LAYER
*rl
)
548 /* We use the application buffer directly for writing */
549 if (rl
->direction
== OSSL_RECORD_DIRECTION_WRITE
)
552 return tls_free_buffers(rl
);
555 static struct record_functions_st ossl_ktls_funcs
= {
556 ktls_set_crypto_state
,
559 tls_default_set_protocol_version
,
561 tls_get_more_records
,
562 ktls_validate_record_header
,
563 ktls_post_process_record
,
564 tls_get_max_records_default
,
565 tls_write_records_default
,
566 ktls_allocate_write_buffers
,
567 ktls_initialise_write_packets
,
569 ktls_prepare_record_header
,
571 ktls_prepare_for_encryption
,
572 ktls_post_encryption_processing
,
573 ktls_prepare_write_bio
576 const OSSL_RECORD_METHOD ossl_ktls_record_method
= {
577 ktls_new_record_layer
,
580 tls_unprocessed_read_pending
,
581 tls_processed_read_pending
,
582 tls_app_data_pending
,
585 tls_retry_write_records
,
590 tls_set_protocol_version
,
591 tls_set_plain_alerts
,
592 tls_set_first_handshake
,
593 tls_set_max_pipelines
,
598 tls_set_max_frag_len
,
600 tls_increment_sequence_ctr
,