]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/record/methods/ktls_meth.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Remove some final references to the SSL object in the record layer
[thirdparty/openssl.git] / ssl / record / methods / ktls_meth.c
1 /*
2 * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/evp.h>
11 #include <openssl/core_names.h>
12 #include <openssl/rand.h>
13 #include "../../ssl_local.h"
14 #include "../record_local.h"
15 #include "recmethod_local.h"
16 #include "internal/ktls.h"
17
18 #if defined(__FreeBSD__)
19 # include "crypto/cryptodev.h"
20
21 /*
22 * TODO(RECLAYER): This is essentially a copy of ktls_int_check_supported_cipher
23 * but using an SSL object instead of an OSSL_RECORD_LAYER object. Once
24 * everything has been moved to the reocrd layer this can be deleted
25 */
26 int ktls_check_supported_cipher(const SSL_CONNECTION *s, const EVP_CIPHER *c,
27 const EVP_MD *md, size_t taglen)
28 {
29
30 switch (s->version) {
31 case TLS1_VERSION:
32 case TLS1_1_VERSION:
33 case TLS1_2_VERSION:
34 case TLS1_3_VERSION:
35 break;
36 default:
37 return 0;
38 }
39
40 if (EVP_CIPHER_is_a(c, "AES-128-GCM")
41 || EVP_CIPHER_is_a(c, "AES-256-GCM")
42 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
43 || EVP_CIPHER_is_a(c, "CHACHA20-POLY1305")
44 # endif
45 )
46 return 1;
47
48 if (!EVP_CIPHER_is_a(c, "AES-128-CBC")
49 && !EVP_CIPHER_is_a(c, "AES-256-CBC"))
50 return 0;
51
52 if (s->ext.use_etm)
53 return 0;
54
55 if (md == NULL
56 || EVP_MD_is_a(md, "SHA1")
57 || EVP_MD_is_a(md, "SHA2-256")
58 || EVP_MD_is_a(md, "SHA2-384"))
59 return 1;
60
61 return 0;
62 }
63
64 /*-
65 * Check if a given cipher is supported by the KTLS interface.
66 * The kernel might still fail the setsockopt() if no suitable
67 * provider is found, but this checks if the socket option
68 * supports the cipher suite used at all.
69 */
70 static int ktls_int_check_supported_cipher(OSSL_RECORD_LAYER *rl,
71 const EVP_CIPHER *c,
72 const EVP_MD *md,
73 size_t taglen)
74 {
75 switch (rl->version) {
76 case TLS1_VERSION:
77 case TLS1_1_VERSION:
78 case TLS1_2_VERSION:
79 case TLS1_3_VERSION:
80 break;
81 default:
82 return 0;
83 }
84
85 if (EVP_CIPHER_is_a(c, "AES-128-GCM")
86 || EVP_CIPHER_is_a(c, "AES-256-GCM")
87 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
88 || EVP_CIPHER_is_a(c, "CHACHA20-POLY1305")
89 # endif
90 )
91 return 1;
92
93 if (!EVP_CIPHER_is_a(c, "AES-128-CBC")
94 && !EVP_CIPHER_is_a(c, "AES-256-CBC"))
95 return 0;
96
97 if (rl->use_etm)
98 return 0;
99
100 if (md == NULL
101 || EVP_MD_is_a(md, "SHA1")
102 || EVP_MD_is_a(md, "SHA2-256")
103 || EVP_MD_is_a(md, "SHA2-384"))
104 return 1;
105
106 return 0;
107 }
108
109 /* Function to configure kernel TLS structure */
110 int ktls_configure_crypto(OSSL_LIB_CTX *libctx, int version, const EVP_CIPHER *c,
111 EVP_MD *md, void *rl_sequence,
112 ktls_crypto_info_t *crypto_info, int is_tx,
113 unsigned char *iv, size_t ivlen,
114 unsigned char *key, size_t keylen,
115 unsigned char *mac_key, size_t mac_secret_size)
116 {
117 memset(crypto_info, 0, sizeof(*crypto_info));
118 if (EVP_CIPHER_is_a(c, "AES-128-GCM")
119 || EVP_CIPHER_is_a(c, "AES-256-GCM")) {
120 crypto_info->cipher_algorithm = CRYPTO_AES_NIST_GCM_16;
121 crypto_info->iv_len = ivlen;
122 } else
123 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
124 if (EVP_CIPHER_is_a(c, "CHACHA20-POLY1305")) {
125 crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305;
126 crypto_info->iv_len = ivlen;
127 } else
128 # endif
129 if (EVP_CIPHER_is_a(c, "AES-128-CBC") || EVP_CIPHER_is_a(c, "AES-256-CBC")) {
130 if (EVP_MD_is_a(md, "SHA1"))
131 crypto_info->auth_algorithm = CRYPTO_SHA1_HMAC;
132 else if (EVP_MD_is_a(md, "SHA2-256")) {
133 crypto_info->auth_algorithm = CRYPTO_SHA2_256_HMAC;
134 else if (EVP_MD_is_a(md, "SHA2-384"))
135 crypto_info->auth_algorithm = CRYPTO_SHA2_384_HMAC;
136 else
137 return 0;
138 crypto_info->cipher_algorithm = CRYPTO_AES_CBC;
139 crypto_info->iv_len = ivlen;
140 crypto_info->auth_key = mac_key;
141 crypto_info->auth_key_len = mac_secret_size;
142 } else {
143 return 0;
144 }
145 crypto_info->cipher_key = key;
146 crypto_info->cipher_key_len = keylen;
147 crypto_info->iv = iv;
148 crypto_info->tls_vmajor = (version >> 8) & 0x000000ff;
149 crypto_info->tls_vminor = (version & 0x000000ff);
150 # ifdef TCP_RXTLS_ENABLE
151 memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq));
152 # else
153 if (!is_tx)
154 return 0;
155 # endif
156 return 1;
157 };
158
159 #endif /* __FreeBSD__ */
160
161 #if defined(OPENSSL_SYS_LINUX)
162
163 /*
164 * TODO(RECLAYER): This is essentially a copy of ktls_int_check_supported_cipher
165 * but using an SSL object instead of an OSSL_RECORD_LAYER object. Once
166 * everything has been moved to the reocrd layer this can be deleted
167 */
168 int ktls_check_supported_cipher(const SSL_CONNECTION *s, const EVP_CIPHER *c,
169 const EVP_MD *md, size_t taglen)
170 {
171 switch (s->version) {
172 case TLS1_2_VERSION:
173 case TLS1_3_VERSION:
174 break;
175 default:
176 return 0;
177 }
178
179 /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128
180 * or Chacha20-Poly1305
181 */
182 # ifdef OPENSSL_KTLS_AES_CCM_128
183 if (EVP_CIPHER_is_a(c, "AES-128-CCM")) {
184 if (s->version == TLS_1_3_VERSION /* broken on 5.x kernels */
185 || taglen != EVP_CCM_TLS_TAG_LEN)
186 return 0;
187 return 1;
188 } else
189 # endif
190 if (0
191 # ifdef OPENSSL_KTLS_AES_GCM_128
192 || EVP_CIPHER_is_a(c, "AES-128-GCM")
193 # endif
194 # ifdef OPENSSL_KTLS_AES_GCM_256
195 || EVP_CIPHER_is_a(c, "AES-256-GCM")
196 # endif
197 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
198 || EVP_CIPHER_is_a(c, "ChaCha20-Poly1305")
199 # endif
200 ) {
201 return 1;
202 }
203 return 0;
204 }
205
206 /* Function to check supported ciphers in Linux */
207 static int ktls_int_check_supported_cipher(OSSL_RECORD_LAYER *rl,
208 const EVP_CIPHER *c,
209 const EVP_MD *md,
210 size_t taglen)
211 {
212 switch (rl->version) {
213 case TLS1_2_VERSION:
214 case TLS1_3_VERSION:
215 break;
216 default:
217 return 0;
218 }
219
220 /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128
221 * or Chacha20-Poly1305
222 */
223 # ifdef OPENSSL_KTLS_AES_CCM_128
224 if (EVP_CIPHER_is_a(c, "AES-128-CCM")) {
225 if (rl->version == TLS_1_3_VERSION /* broken on 5.x kernels */
226 || taglen != EVP_CCM_TLS_TAG_LEN)
227 return 0;
228 return 1;
229 } else
230 # endif
231 if (0
232 # ifdef OPENSSL_KTLS_AES_GCM_128
233 || EVP_CIPHER_is_a(c, "AES-128-GCM")
234 # endif
235 # ifdef OPENSSL_KTLS_AES_GCM_256
236 || EVP_CIPHER_is_a(c, "AES-256-GCM")
237 # endif
238 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
239 || EVP_CIPHER_is_a(c, "ChaCha20-Poly1305")
240 # endif
241 ) {
242 return 1;
243 }
244 return 0;
245 }
246
247 /* Function to configure kernel TLS structure */
248 int ktls_configure_crypto(OSSL_LIB_CTX *libctx, int version, const EVP_CIPHER *c,
249 const EVP_MD *md, void *rl_sequence,
250 ktls_crypto_info_t *crypto_info, int is_tx,
251 unsigned char *iv, size_t ivlen,
252 unsigned char *key, size_t keylen,
253 unsigned char *mac_key, size_t mac_secret_size)
254 {
255 unsigned char geniv[EVP_GCM_TLS_EXPLICIT_IV_LEN];
256 unsigned char *eiv = NULL;
257
258 # ifdef OPENSSL_NO_KTLS_RX
259 if (!is_tx)
260 return 0;
261 # endif
262
263 if (EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE
264 || EVP_CIPHER_get_mode(c) == EVP_CIPH_CCM_MODE) {
265 if (!ossl_assert(EVP_GCM_TLS_FIXED_IV_LEN == EVP_CCM_TLS_FIXED_IV_LEN)
266 || !ossl_assert(EVP_GCM_TLS_EXPLICIT_IV_LEN
267 == EVP_CCM_TLS_EXPLICIT_IV_LEN))
268 return 0;
269 if (version == TLS1_2_VERSION) {
270 if (!ossl_assert(ivlen == EVP_GCM_TLS_FIXED_IV_LEN))
271 return 0;
272 if (is_tx) {
273 if (RAND_bytes_ex(libctx, geniv,
274 EVP_GCM_TLS_EXPLICIT_IV_LEN, 0) <= 0)
275 return 0;
276 } else {
277 memset(geniv, 0, EVP_GCM_TLS_EXPLICIT_IV_LEN);
278 }
279 eiv = geniv;
280 } else {
281 if (!ossl_assert(ivlen == EVP_GCM_TLS_FIXED_IV_LEN
282 + EVP_GCM_TLS_EXPLICIT_IV_LEN))
283 return 0;
284 eiv = iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE;
285 }
286 }
287
288 memset(crypto_info, 0, sizeof(*crypto_info));
289 switch (EVP_CIPHER_get_nid(c))
290 {
291 # ifdef OPENSSL_KTLS_AES_GCM_128
292 case NID_aes_128_gcm:
293 if (!ossl_assert(TLS_CIPHER_AES_GCM_128_SALT_SIZE == EVP_GCM_TLS_FIXED_IV_LEN)
294 || !ossl_assert(TLS_CIPHER_AES_GCM_128_IV_SIZE == EVP_GCM_TLS_EXPLICIT_IV_LEN))
295 return 0;
296 crypto_info->gcm128.info.cipher_type = TLS_CIPHER_AES_GCM_128;
297 crypto_info->gcm128.info.version = version;
298 crypto_info->tls_crypto_info_len = sizeof(crypto_info->gcm128);
299 memcpy(crypto_info->gcm128.iv, eiv, TLS_CIPHER_AES_GCM_128_IV_SIZE);
300 memcpy(crypto_info->gcm128.salt, iv, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
301 memcpy(crypto_info->gcm128.key, key, keylen);
302 memcpy(crypto_info->gcm128.rec_seq, rl_sequence,
303 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
304 return 1;
305 # endif
306 # ifdef OPENSSL_KTLS_AES_GCM_256
307 case NID_aes_256_gcm:
308 if (!ossl_assert(TLS_CIPHER_AES_GCM_256_SALT_SIZE == EVP_GCM_TLS_FIXED_IV_LEN)
309 || !ossl_assert(TLS_CIPHER_AES_GCM_256_IV_SIZE == EVP_GCM_TLS_EXPLICIT_IV_LEN))
310 return 0;
311 crypto_info->gcm256.info.cipher_type = TLS_CIPHER_AES_GCM_256;
312 crypto_info->gcm256.info.version = version;
313 crypto_info->tls_crypto_info_len = sizeof(crypto_info->gcm256);
314 memcpy(crypto_info->gcm256.iv, eiv, TLS_CIPHER_AES_GCM_256_IV_SIZE);
315 memcpy(crypto_info->gcm256.salt, iv, TLS_CIPHER_AES_GCM_256_SALT_SIZE);
316 memcpy(crypto_info->gcm256.key, key, keylen);
317 memcpy(crypto_info->gcm256.rec_seq, rl_sequence,
318 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
319
320 return 1;
321 # endif
322 # ifdef OPENSSL_KTLS_AES_CCM_128
323 case NID_aes_128_ccm:
324 if (!ossl_assert(TLS_CIPHER_AES_CCM_128_SALT_SIZE == EVP_CCM_TLS_FIXED_IV_LEN)
325 || !ossl_assert(TLS_CIPHER_AES_CCM_128_IV_SIZE == EVP_CCM_TLS_EXPLICIT_IV_LEN))
326 return 0;
327 crypto_info->ccm128.info.cipher_type = TLS_CIPHER_AES_CCM_128;
328 crypto_info->ccm128.info.version = version;
329 crypto_info->tls_crypto_info_len = sizeof(crypto_info->ccm128);
330 memcpy(crypto_info->ccm128.iv, eiv, TLS_CIPHER_AES_CCM_128_IV_SIZE);
331 memcpy(crypto_info->ccm128.salt, iv, TLS_CIPHER_AES_CCM_128_SALT_SIZE);
332 memcpy(crypto_info->ccm128.key, key, keylen);
333 memcpy(crypto_info->ccm128.rec_seq, rl_sequence,
334 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
335 return 1;
336 # endif
337 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
338 case NID_chacha20_poly1305:
339 if (!ossl_assert(ivlen == TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE))
340 return 0;
341 crypto_info->chacha20poly1305.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305;
342 crypto_info->chacha20poly1305.info.version = version;
343 crypto_info->tls_crypto_info_len = sizeof(crypto_info->chacha20poly1305);
344 memcpy(crypto_info->chacha20poly1305.iv, iv, ivlen);
345 memcpy(crypto_info->chacha20poly1305.key, key, keylen);
346 memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence,
347 TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
348 return 1;
349 # endif
350 default:
351 return 0;
352 }
353
354 }
355
356 #endif /* OPENSSL_SYS_LINUX */
357
358 /* TODO(RECLAYER): Handle OPENSSL_NO_COMP */
359 static int ktls_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
360 unsigned char *key, size_t keylen,
361 unsigned char *iv, size_t ivlen,
362 unsigned char *mackey, size_t mackeylen,
363 const EVP_CIPHER *ciph,
364 size_t taglen,
365 /* TODO(RECLAYER): This probably should not be an int */
366 int mactype,
367 const EVP_MD *md,
368 const SSL_COMP *comp)
369 {
370 ktls_crypto_info_t crypto_info;
371
372 /*
373 * Check if we are suitable for KTLS. If not suitable we return
374 * OSSL_RECORD_RETURN_NON_FATAL_ERR so that other record layers can be tried
375 * instead
376 */
377
378 if (comp != NULL)
379 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
380
381 /* ktls supports only the maximum fragment size */
382 if (rl->max_frag_len > 0 && rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH)
383 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
384 #if 0
385 /*
386 * TODO(RECLAYER): We will need to reintroduce the check of the send
387 * fragment for KTLS once we do the record write side implementation
388 */
389 if (ssl_get_max_send_fragment(s) != SSL3_RT_MAX_PLAIN_LENGTH)
390 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
391 #endif
392
393 /* check that cipher is supported */
394 if (!ktls_int_check_supported_cipher(rl, ciph, md, taglen))
395 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
396
397 /*
398 * TODO(RECLAYER): For the write side we need to add a check for
399 * use of s->record_padding_cb
400 */
401
402 /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */
403 if (rl->direction == OSSL_RECORD_DIRECTION_WRITE) {
404 if (BIO_flush(rl->bio) <= 0)
405 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
406 }
407
408 if (!ktls_configure_crypto(rl->libctx, rl->version, ciph, md, rl->sequence,
409 &crypto_info,
410 rl->direction == OSSL_RECORD_DIRECTION_WRITE,
411 iv, ivlen, key, keylen, mackey, mackeylen))
412 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
413
414 if (!BIO_set_ktls(rl->bio, &crypto_info, rl->direction))
415 return OSSL_RECORD_RETURN_NON_FATAL_ERR;
416
417 return OSSL_RECORD_RETURN_SUCCESS;
418 }
419
420 static int ktls_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
421 int clearold, size_t *readbytes)
422 {
423 int ret;
424
425 ret = tls_default_read_n(rl, n, max, extend, clearold, readbytes);
426
427 if (ret < OSSL_RECORD_RETURN_RETRY) {
428 switch (errno) {
429 case EBADMSG:
430 RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
431 SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
432 break;
433 case EMSGSIZE:
434 RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW,
435 SSL_R_PACKET_LENGTH_TOO_LONG);
436 break;
437 case EINVAL:
438 RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
439 SSL_R_WRONG_VERSION_NUMBER);
440 break;
441 default:
442 break;
443 }
444 }
445
446 return ret;
447 }
448
449 static int ktls_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *inrecs, size_t n_recs,
450 int sending, SSL_MAC_BUF *mac, size_t macsize)
451 {
452 return 1;
453 }
454
455 static int ktls_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
456 {
457 if (rec->rec_version != TLS1_2_VERSION) {
458 RLAYERfatal(rl, SSL_AD_DECODE_ERROR, SSL_R_WRONG_VERSION_NUMBER);
459 return 0;
460 }
461
462 return 1;
463 }
464
465 static int ktls_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
466 {
467 if (rl->version == TLS1_3_VERSION)
468 return tls13_common_post_process_record(rl, rec);
469
470 return 1;
471 }
472
473 static struct record_functions_st ossl_ktls_funcs = {
474 ktls_set_crypto_state,
475 ktls_read_n,
476 ktls_cipher,
477 NULL,
478 tls_default_set_protocol_version,
479 ktls_validate_record_header,
480 ktls_post_process_record
481 };
482
483 static int
484 ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
485 int role, int direction, int level, unsigned char *key,
486 size_t keylen, unsigned char *iv, size_t ivlen,
487 unsigned char *mackey, size_t mackeylen,
488 const EVP_CIPHER *ciph, size_t taglen,
489 /* TODO(RECLAYER): This probably should not be an int */
490 int mactype,
491 const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
492 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
493 const OSSL_PARAM *settings, const OSSL_PARAM *options,
494 const OSSL_DISPATCH *fns, void *cbarg,
495 OSSL_RECORD_LAYER **retrl)
496 {
497 int ret;
498
499 ret = tls_int_new_record_layer(libctx, propq, vers, role, direction, level,
500 key, keylen, iv, ivlen, mackey, mackeylen,
501 ciph, taglen, mactype, md, comp, prev,
502 transport, next, local, peer, settings,
503 options, fns, cbarg, retrl);
504
505 if (ret != OSSL_RECORD_RETURN_SUCCESS)
506 return ret;
507
508 (*retrl)->funcs = &ossl_ktls_funcs;
509
510 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
511 ivlen, mackey, mackeylen, ciph,
512 taglen, mactype, md, comp);
513
514 if (ret != OSSL_RECORD_RETURN_SUCCESS) {
515 OPENSSL_free(*retrl);
516 *retrl = NULL;
517 } else {
518 /*
519 * With KTLS we always try and read as much as possible and fill the
520 * buffer
521 */
522 (*retrl)->read_ahead = 1;
523 }
524 return ret;
525 }
526
527 const OSSL_RECORD_METHOD ossl_ktls_record_method = {
528 ktls_new_record_layer,
529 tls_free,
530 tls_reset,
531 tls_unprocessed_read_pending,
532 tls_processed_read_pending,
533 tls_app_data_pending,
534 tls_write_pending,
535 tls_get_max_record_len,
536 tls_get_max_records,
537 tls_write_records,
538 tls_retry_write_records,
539 tls_read_record,
540 tls_release_record,
541 tls_get_alert_code,
542 tls_set1_bio,
543 tls_set_protocol_version,
544 tls_set_plain_alerts,
545 tls_set_first_handshake,
546 tls_set_max_pipelines,
547
548 /*
549 * TODO(RECLAYER): Remove these. These function pointers are temporary hacks
550 * during the record layer refactoring. They need to be removed before the
551 * refactor is complete.
552 */
553 tls_default_read_n,
554 tls_get0_rbuf,
555 tls_get0_packet,
556 tls_set0_packet,
557 tls_get_packet_length,
558 tls_reset_packet_length
559 };
A mirror of the official openssl repository