2 * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include <openssl/rand.h>
13 #include "../../ssl_local.h"
14 #include "../record_local.h"
15 #include "recmethod_local.h"
16 #include "internal/ktls.h"
18 #if defined(__FreeBSD__)
19 # include "crypto/cryptodev.h"
22 * TODO(RECLAYER): This is essentially a copy of ktls_int_check_supported_cipher
23 * but using an SSL object instead of an OSSL_RECORD_LAYER object. Once
24 * everything has been moved to the reocrd layer this can be deleted
26 int ktls_check_supported_cipher(const SSL_CONNECTION
*s
, const EVP_CIPHER
*c
,
27 const EVP_MD
*md
, size_t taglen
)
40 if (EVP_CIPHER_is_a(c
, "AES-128-GCM")
41 || EVP_CIPHER_is_a(c
, "AES-256-GCM")
42 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
43 || EVP_CIPHER_is_a(c
, "CHACHA20-POLY1305")
48 if (!EVP_CIPHER_is_a(c
, "AES-128-CBC")
49 && !EVP_CIPHER_is_a(c
, "AES-256-CBC"))
56 || EVP_MD_is_a(md
, "SHA1")
57 || EVP_MD_is_a(md
, "SHA2-256")
58 || EVP_MD_is_a(md
, "SHA2-384"))
65 * Check if a given cipher is supported by the KTLS interface.
66 * The kernel might still fail the setsockopt() if no suitable
67 * provider is found, but this checks if the socket option
68 * supports the cipher suite used at all.
70 static int ktls_int_check_supported_cipher(OSSL_RECORD_LAYER
*rl
,
75 switch (rl
->version
) {
85 if (EVP_CIPHER_is_a(c
, "AES-128-GCM")
86 || EVP_CIPHER_is_a(c
, "AES-256-GCM")
87 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
88 || EVP_CIPHER_is_a(c
, "CHACHA20-POLY1305")
93 if (!EVP_CIPHER_is_a(c
, "AES-128-CBC")
94 && !EVP_CIPHER_is_a(c
, "AES-256-CBC"))
101 || EVP_MD_is_a(md
, "SHA1")
102 || EVP_MD_is_a(md
, "SHA2-256")
103 || EVP_MD_is_a(md
, "SHA2-384"))
109 /* Function to configure kernel TLS structure */
110 int ktls_configure_crypto(OSSL_LIB_CTX
*libctx
, int version
, const EVP_CIPHER
*c
,
111 EVP_MD
*md
, void *rl_sequence
,
112 ktls_crypto_info_t
*crypto_info
, int is_tx
,
113 unsigned char *iv
, size_t ivlen
,
114 unsigned char *key
, size_t keylen
,
115 unsigned char *mac_key
, size_t mac_secret_size
)
117 memset(crypto_info
, 0, sizeof(*crypto_info
));
118 if (EVP_CIPHER_is_a(c
, "AES-128-GCM")
119 || EVP_CIPHER_is_a(c
, "AES-256-GCM")) {
120 crypto_info
->cipher_algorithm
= CRYPTO_AES_NIST_GCM_16
;
121 crypto_info
->iv_len
= ivlen
;
123 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
124 if (EVP_CIPHER_is_a(c
, "CHACHA20-POLY1305")) {
125 crypto_info
->cipher_algorithm
= CRYPTO_CHACHA20_POLY1305
;
126 crypto_info
->iv_len
= ivlen
;
129 if (EVP_CIPHER_is_a(c
, "AES-128-CBC") || EVP_CIPHER_is_a(c
, "AES-256-CBC")) {
130 if (EVP_MD_is_a(md
, "SHA1"))
131 crypto_info
->auth_algorithm
= CRYPTO_SHA1_HMAC
;
132 else if (EVP_MD_is_a(md
, "SHA2-256")) {
133 crypto_info
->auth_algorithm
= CRYPTO_SHA2_256_HMAC
;
134 else if (EVP_MD_is_a(md
, "SHA2-384"))
135 crypto_info
->auth_algorithm
= CRYPTO_SHA2_384_HMAC
;
138 crypto_info
->cipher_algorithm
= CRYPTO_AES_CBC
;
139 crypto_info
->iv_len
= ivlen
;
140 crypto_info
->auth_key
= mac_key
;
141 crypto_info
->auth_key_len
= mac_secret_size
;
145 crypto_info
->cipher_key
= key
;
146 crypto_info
->cipher_key_len
= keylen
;
147 crypto_info
->iv
= iv
;
148 crypto_info
->tls_vmajor
= (version
>> 8) & 0x000000ff;
149 crypto_info
->tls_vminor
= (version
& 0x000000ff);
150 # ifdef TCP_RXTLS_ENABLE
151 memcpy(crypto_info
->rec_seq
, rl_sequence
, sizeof(crypto_info
->rec_seq
));
159 #endif /* __FreeBSD__ */
161 #if defined(OPENSSL_SYS_LINUX)
164 * TODO(RECLAYER): This is essentially a copy of ktls_int_check_supported_cipher
165 * but using an SSL object instead of an OSSL_RECORD_LAYER object. Once
166 * everything has been moved to the reocrd layer this can be deleted
168 int ktls_check_supported_cipher(const SSL_CONNECTION
*s
, const EVP_CIPHER
*c
,
169 const EVP_MD
*md
, size_t taglen
)
171 switch (s
->version
) {
179 /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128
180 * or Chacha20-Poly1305
182 # ifdef OPENSSL_KTLS_AES_CCM_128
183 if (EVP_CIPHER_is_a(c
, "AES-128-CCM")) {
184 if (s
->version
== TLS_1_3_VERSION
/* broken on 5.x kernels */
185 || taglen
!= EVP_CCM_TLS_TAG_LEN
)
191 # ifdef OPENSSL_KTLS_AES_GCM_128
192 || EVP_CIPHER_is_a(c
, "AES-128-GCM")
194 # ifdef OPENSSL_KTLS_AES_GCM_256
195 || EVP_CIPHER_is_a(c
, "AES-256-GCM")
197 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
198 || EVP_CIPHER_is_a(c
, "ChaCha20-Poly1305")
206 /* Function to check supported ciphers in Linux */
207 static int ktls_int_check_supported_cipher(OSSL_RECORD_LAYER
*rl
,
212 switch (rl
->version
) {
220 /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128
221 * or Chacha20-Poly1305
223 # ifdef OPENSSL_KTLS_AES_CCM_128
224 if (EVP_CIPHER_is_a(c
, "AES-128-CCM")) {
225 if (rl
->version
== TLS_1_3_VERSION
/* broken on 5.x kernels */
226 || taglen
!= EVP_CCM_TLS_TAG_LEN
)
232 # ifdef OPENSSL_KTLS_AES_GCM_128
233 || EVP_CIPHER_is_a(c
, "AES-128-GCM")
235 # ifdef OPENSSL_KTLS_AES_GCM_256
236 || EVP_CIPHER_is_a(c
, "AES-256-GCM")
238 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
239 || EVP_CIPHER_is_a(c
, "ChaCha20-Poly1305")
247 /* Function to configure kernel TLS structure */
248 int ktls_configure_crypto(OSSL_LIB_CTX
*libctx
, int version
, const EVP_CIPHER
*c
,
249 const EVP_MD
*md
, void *rl_sequence
,
250 ktls_crypto_info_t
*crypto_info
, int is_tx
,
251 unsigned char *iv
, size_t ivlen
,
252 unsigned char *key
, size_t keylen
,
253 unsigned char *mac_key
, size_t mac_secret_size
)
255 unsigned char geniv
[EVP_GCM_TLS_EXPLICIT_IV_LEN
];
256 unsigned char *eiv
= NULL
;
258 # ifdef OPENSSL_NO_KTLS_RX
263 if (EVP_CIPHER_get_mode(c
) == EVP_CIPH_GCM_MODE
264 || EVP_CIPHER_get_mode(c
) == EVP_CIPH_CCM_MODE
) {
265 if (!ossl_assert(EVP_GCM_TLS_FIXED_IV_LEN
== EVP_CCM_TLS_FIXED_IV_LEN
)
266 || !ossl_assert(EVP_GCM_TLS_EXPLICIT_IV_LEN
267 == EVP_CCM_TLS_EXPLICIT_IV_LEN
))
269 if (version
== TLS1_2_VERSION
) {
270 if (!ossl_assert(ivlen
== EVP_GCM_TLS_FIXED_IV_LEN
))
273 if (RAND_bytes_ex(libctx
, geniv
,
274 EVP_GCM_TLS_EXPLICIT_IV_LEN
, 0) <= 0)
277 memset(geniv
, 0, EVP_GCM_TLS_EXPLICIT_IV_LEN
);
281 if (!ossl_assert(ivlen
== EVP_GCM_TLS_FIXED_IV_LEN
282 + EVP_GCM_TLS_EXPLICIT_IV_LEN
))
284 eiv
= iv
+ TLS_CIPHER_AES_GCM_128_SALT_SIZE
;
288 memset(crypto_info
, 0, sizeof(*crypto_info
));
289 switch (EVP_CIPHER_get_nid(c
))
291 # ifdef OPENSSL_KTLS_AES_GCM_128
292 case NID_aes_128_gcm
:
293 if (!ossl_assert(TLS_CIPHER_AES_GCM_128_SALT_SIZE
== EVP_GCM_TLS_FIXED_IV_LEN
)
294 || !ossl_assert(TLS_CIPHER_AES_GCM_128_IV_SIZE
== EVP_GCM_TLS_EXPLICIT_IV_LEN
))
296 crypto_info
->gcm128
.info
.cipher_type
= TLS_CIPHER_AES_GCM_128
;
297 crypto_info
->gcm128
.info
.version
= version
;
298 crypto_info
->tls_crypto_info_len
= sizeof(crypto_info
->gcm128
);
299 memcpy(crypto_info
->gcm128
.iv
, eiv
, TLS_CIPHER_AES_GCM_128_IV_SIZE
);
300 memcpy(crypto_info
->gcm128
.salt
, iv
, TLS_CIPHER_AES_GCM_128_SALT_SIZE
);
301 memcpy(crypto_info
->gcm128
.key
, key
, keylen
);
302 memcpy(crypto_info
->gcm128
.rec_seq
, rl_sequence
,
303 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE
);
306 # ifdef OPENSSL_KTLS_AES_GCM_256
307 case NID_aes_256_gcm
:
308 if (!ossl_assert(TLS_CIPHER_AES_GCM_256_SALT_SIZE
== EVP_GCM_TLS_FIXED_IV_LEN
)
309 || !ossl_assert(TLS_CIPHER_AES_GCM_256_IV_SIZE
== EVP_GCM_TLS_EXPLICIT_IV_LEN
))
311 crypto_info
->gcm256
.info
.cipher_type
= TLS_CIPHER_AES_GCM_256
;
312 crypto_info
->gcm256
.info
.version
= version
;
313 crypto_info
->tls_crypto_info_len
= sizeof(crypto_info
->gcm256
);
314 memcpy(crypto_info
->gcm256
.iv
, eiv
, TLS_CIPHER_AES_GCM_256_IV_SIZE
);
315 memcpy(crypto_info
->gcm256
.salt
, iv
, TLS_CIPHER_AES_GCM_256_SALT_SIZE
);
316 memcpy(crypto_info
->gcm256
.key
, key
, keylen
);
317 memcpy(crypto_info
->gcm256
.rec_seq
, rl_sequence
,
318 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE
);
322 # ifdef OPENSSL_KTLS_AES_CCM_128
323 case NID_aes_128_ccm
:
324 if (!ossl_assert(TLS_CIPHER_AES_CCM_128_SALT_SIZE
== EVP_CCM_TLS_FIXED_IV_LEN
)
325 || !ossl_assert(TLS_CIPHER_AES_CCM_128_IV_SIZE
== EVP_CCM_TLS_EXPLICIT_IV_LEN
))
327 crypto_info
->ccm128
.info
.cipher_type
= TLS_CIPHER_AES_CCM_128
;
328 crypto_info
->ccm128
.info
.version
= version
;
329 crypto_info
->tls_crypto_info_len
= sizeof(crypto_info
->ccm128
);
330 memcpy(crypto_info
->ccm128
.iv
, eiv
, TLS_CIPHER_AES_CCM_128_IV_SIZE
);
331 memcpy(crypto_info
->ccm128
.salt
, iv
, TLS_CIPHER_AES_CCM_128_SALT_SIZE
);
332 memcpy(crypto_info
->ccm128
.key
, key
, keylen
);
333 memcpy(crypto_info
->ccm128
.rec_seq
, rl_sequence
,
334 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE
);
337 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
338 case NID_chacha20_poly1305
:
339 if (!ossl_assert(ivlen
== TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE
))
341 crypto_info
->chacha20poly1305
.info
.cipher_type
= TLS_CIPHER_CHACHA20_POLY1305
;
342 crypto_info
->chacha20poly1305
.info
.version
= version
;
343 crypto_info
->tls_crypto_info_len
= sizeof(crypto_info
->chacha20poly1305
);
344 memcpy(crypto_info
->chacha20poly1305
.iv
, iv
, ivlen
);
345 memcpy(crypto_info
->chacha20poly1305
.key
, key
, keylen
);
346 memcpy(crypto_info
->chacha20poly1305
.rec_seq
, rl_sequence
,
347 TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE
);
356 #endif /* OPENSSL_SYS_LINUX */
358 /* TODO(RECLAYER): Handle OPENSSL_NO_COMP */
359 static int ktls_set_crypto_state(OSSL_RECORD_LAYER
*rl
, int level
,
360 unsigned char *key
, size_t keylen
,
361 unsigned char *iv
, size_t ivlen
,
362 unsigned char *mackey
, size_t mackeylen
,
363 const EVP_CIPHER
*ciph
,
365 /* TODO(RECLAYER): This probably should not be an int */
368 const SSL_COMP
*comp
)
370 ktls_crypto_info_t crypto_info
;
373 * Check if we are suitable for KTLS. If not suitable we return
374 * OSSL_RECORD_RETURN_NON_FATAL_ERR so that other record layers can be tried
379 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
381 /* ktls supports only the maximum fragment size */
382 if (rl
->max_frag_len
> 0 && rl
->max_frag_len
!= SSL3_RT_MAX_PLAIN_LENGTH
)
383 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
386 * TODO(RECLAYER): We will need to reintroduce the check of the send
387 * fragment for KTLS once we do the record write side implementation
389 if (ssl_get_max_send_fragment(s
) != SSL3_RT_MAX_PLAIN_LENGTH
)
390 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
393 /* check that cipher is supported */
394 if (!ktls_int_check_supported_cipher(rl
, ciph
, md
, taglen
))
395 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
398 * TODO(RECLAYER): For the write side we need to add a check for
399 * use of s->record_padding_cb
402 /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */
403 if (rl
->direction
== OSSL_RECORD_DIRECTION_WRITE
) {
404 if (BIO_flush(rl
->bio
) <= 0)
405 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
408 if (!ktls_configure_crypto(rl
->libctx
, rl
->version
, ciph
, md
, rl
->sequence
,
410 rl
->direction
== OSSL_RECORD_DIRECTION_WRITE
,
411 iv
, ivlen
, key
, keylen
, mackey
, mackeylen
))
412 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
414 if (!BIO_set_ktls(rl
->bio
, &crypto_info
, rl
->direction
))
415 return OSSL_RECORD_RETURN_NON_FATAL_ERR
;
417 return OSSL_RECORD_RETURN_SUCCESS
;
420 static int ktls_read_n(OSSL_RECORD_LAYER
*rl
, size_t n
, size_t max
, int extend
,
421 int clearold
, size_t *readbytes
)
425 ret
= tls_default_read_n(rl
, n
, max
, extend
, clearold
, readbytes
);
427 if (ret
< OSSL_RECORD_RETURN_RETRY
) {
430 RLAYERfatal(rl
, SSL_AD_BAD_RECORD_MAC
,
431 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC
);
434 RLAYERfatal(rl
, SSL_AD_RECORD_OVERFLOW
,
435 SSL_R_PACKET_LENGTH_TOO_LONG
);
438 RLAYERfatal(rl
, SSL_AD_PROTOCOL_VERSION
,
439 SSL_R_WRONG_VERSION_NUMBER
);
449 static int ktls_cipher(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*inrecs
, size_t n_recs
,
450 int sending
, SSL_MAC_BUF
*mac
, size_t macsize
)
455 static int ktls_validate_record_header(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
)
457 if (rec
->rec_version
!= TLS1_2_VERSION
) {
458 RLAYERfatal(rl
, SSL_AD_DECODE_ERROR
, SSL_R_WRONG_VERSION_NUMBER
);
465 static int ktls_post_process_record(OSSL_RECORD_LAYER
*rl
, SSL3_RECORD
*rec
)
467 if (rl
->version
== TLS1_3_VERSION
)
468 return tls13_common_post_process_record(rl
, rec
);
473 static struct record_functions_st ossl_ktls_funcs
= {
474 ktls_set_crypto_state
,
478 tls_default_set_protocol_version
,
479 ktls_validate_record_header
,
480 ktls_post_process_record
484 ktls_new_record_layer(OSSL_LIB_CTX
*libctx
, const char *propq
, int vers
,
485 int role
, int direction
, int level
, unsigned char *key
,
486 size_t keylen
, unsigned char *iv
, size_t ivlen
,
487 unsigned char *mackey
, size_t mackeylen
,
488 const EVP_CIPHER
*ciph
, size_t taglen
,
489 /* TODO(RECLAYER): This probably should not be an int */
491 const EVP_MD
*md
, const SSL_COMP
*comp
, BIO
*prev
,
492 BIO
*transport
, BIO
*next
, BIO_ADDR
*local
, BIO_ADDR
*peer
,
493 const OSSL_PARAM
*settings
, const OSSL_PARAM
*options
,
494 const OSSL_DISPATCH
*fns
, void *cbarg
,
495 OSSL_RECORD_LAYER
**retrl
)
499 ret
= tls_int_new_record_layer(libctx
, propq
, vers
, role
, direction
, level
,
500 key
, keylen
, iv
, ivlen
, mackey
, mackeylen
,
501 ciph
, taglen
, mactype
, md
, comp
, prev
,
502 transport
, next
, local
, peer
, settings
,
503 options
, fns
, cbarg
, retrl
);
505 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
)
508 (*retrl
)->funcs
= &ossl_ktls_funcs
;
510 ret
= (*retrl
)->funcs
->set_crypto_state(*retrl
, level
, key
, keylen
, iv
,
511 ivlen
, mackey
, mackeylen
, ciph
,
512 taglen
, mactype
, md
, comp
);
514 if (ret
!= OSSL_RECORD_RETURN_SUCCESS
) {
515 OPENSSL_free(*retrl
);
519 * With KTLS we always try and read as much as possible and fill the
522 (*retrl
)->read_ahead
= 1;
527 const OSSL_RECORD_METHOD ossl_ktls_record_method
= {
528 ktls_new_record_layer
,
531 tls_unprocessed_read_pending
,
532 tls_processed_read_pending
,
533 tls_app_data_pending
,
535 tls_get_max_record_len
,
538 tls_retry_write_records
,
543 tls_set_protocol_version
,
544 tls_set_plain_alerts
,
545 tls_set_first_handshake
,
546 tls_set_max_pipelines
,
549 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
550 * during the record layer refactoring. They need to be removed before the
551 * refactor is complete.
557 tls_get_packet_length
,
558 tls_reset_packet_length