1
/*-
2
 * SPDX-License-Identifier: BSD-2-Clause
3
 *
4
 * Copyright (c) 2020 Netflix, Inc
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 * 1. Redistributions of source code must retain the above copyright
10
 *    notice, this list of conditions and the following disclaimer,
11
 *    without modification.
12
 * 2. Redistributions in binary form must reproduce at minimum a disclaimer
13
 *    similar to the "NO WARRANTY" disclaimer below ("Disclaimer") and any
14
 *    redistribution must be conditioned upon including a substantially
15
 *    similar Disclaimer requirement for further binary redistribution.
16
 *
17
 * NO WARRANTY
18
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20
 * LIMITED TO, THE IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTIBILITY
21
 * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
22
 * THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY,
23
 * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
26
 * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
28
 * THE POSSIBILITY OF SUCH DAMAGES.
29
 */
30

31
/*
32
 * A driver for the OpenCrypto framework which uses assembly routines
33
 * from OpenSSL.
34
 */
35

36
#include <sys/types.h>
37
#include <sys/bus.h>
38
#include <sys/kernel.h>
39
#include <sys/malloc.h>
40
#include <sys/module.h>
41

42
#include <machine/fpu.h>
43

44
#include <opencrypto/cryptodev.h>
45
#include <opencrypto/xform_auth.h>
46

47
#include <crypto/openssl/ossl.h>
48
#include <crypto/openssl/ossl_chacha.h>
49
#include <crypto/openssl/ossl_cipher.h>
50

51
#include "cryptodev_if.h"
52

53
static MALLOC_DEFINE(M_OSSL, "ossl", "OpenSSL crypto");
54

55
static void
56
ossl_identify(driver_t *driver, device_t parent)
57
{
58

59
	if (device_find_child(parent, "ossl", DEVICE_UNIT_ANY) == NULL)
60
		BUS_ADD_CHILD(parent, 10, "ossl", DEVICE_UNIT_ANY);
61
}
62

63
static int
64
ossl_probe(device_t dev)
65
{
66

67
	device_set_desc(dev, "OpenSSL crypto");
68
	return (BUS_PROBE_DEFAULT);
69
}
70

71
static int
72
ossl_attach(device_t dev)
73
{
74
	struct ossl_softc *sc;
75

76
	sc = device_get_softc(dev);
77

78
	sc->has_aes = sc->has_aes_gcm = false;
79

80
	ossl_cpuid(sc);
81
	sc->sc_cid = crypto_get_driverid(dev, sizeof(struct ossl_session),
82
	    CRYPTOCAP_F_SOFTWARE | CRYPTOCAP_F_SYNC |
83
	    CRYPTOCAP_F_ACCEL_SOFTWARE);
84
	if (sc->sc_cid < 0) {
85
		device_printf(dev, "failed to allocate crypto driver id\n");
86
		return (ENXIO);
87
	}
88

89
	return (0);
90
}
91

92
static int
93
ossl_detach(device_t dev)
94
{
95
	struct ossl_softc *sc;
96

97
	sc = device_get_softc(dev);
98

99
	crypto_unregister_all(sc->sc_cid);
100

101
	return (0);
102
}
103

104
static struct auth_hash *
105
ossl_lookup_hash(const struct crypto_session_params *csp)
106
{
107

108
	switch (csp->csp_auth_alg) {
109
	case CRYPTO_SHA1:
110
	case CRYPTO_SHA1_HMAC:
111
		return (&ossl_hash_sha1);
112
	case CRYPTO_SHA2_224:
113
	case CRYPTO_SHA2_224_HMAC:
114
		return (&ossl_hash_sha224);
115
	case CRYPTO_SHA2_256:
116
	case CRYPTO_SHA2_256_HMAC:
117
		return (&ossl_hash_sha256);
118
	case CRYPTO_SHA2_384:
119
	case CRYPTO_SHA2_384_HMAC:
120
		return (&ossl_hash_sha384);
121
	case CRYPTO_SHA2_512:
122
	case CRYPTO_SHA2_512_HMAC:
123
		return (&ossl_hash_sha512);
124
	case CRYPTO_POLY1305:
125
		return (&ossl_hash_poly1305);
126
	default:
127
		return (NULL);
128
	}
129
}
130

131
static struct ossl_cipher*
132
ossl_lookup_cipher(const struct crypto_session_params *csp)
133
{
134

135
	switch (csp->csp_cipher_alg) {
136
	case CRYPTO_AES_CBC:
137
		switch (csp->csp_cipher_klen * 8) {
138
		case 128:
139
		case 192:
140
		case 256:
141
			break;
142
		default:
143
			return (NULL);
144
		}
145
		return (&ossl_cipher_aes_cbc);
146
	case CRYPTO_AES_NIST_GCM_16:
147
		switch (csp->csp_cipher_klen * 8) {
148
		case 128:
149
		case 192:
150
		case 256:
151
			break;
152
		default:
153
			return (NULL);
154
		}
155
		return (&ossl_cipher_aes_gcm);
156
	case CRYPTO_CHACHA20:
157
		if (csp->csp_cipher_klen != CHACHA_KEY_SIZE)
158
			return (NULL);
159
		return (&ossl_cipher_chacha20);
160
	default:
161
		return (NULL);
162
	}
163
}
164

165
static int
166
ossl_probesession(device_t dev, const struct crypto_session_params *csp)
167
{
168
	struct ossl_softc *sc = device_get_softc(dev);
169

170
	if ((csp->csp_flags & ~(CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD)) !=
171
	    0)
172
		return (EINVAL);
173
	switch (csp->csp_mode) {
174
	case CSP_MODE_DIGEST:
175
		if (ossl_lookup_hash(csp) == NULL)
176
			return (EINVAL);
177
		break;
178
	case CSP_MODE_CIPHER:
179
		if (csp->csp_cipher_alg != CRYPTO_CHACHA20 && !sc->has_aes)
180
			return (EINVAL);
181
		if (ossl_lookup_cipher(csp) == NULL)
182
			return (EINVAL);
183
		break;
184
	case CSP_MODE_ETA:
185
		if (!sc->has_aes ||
186
		    csp->csp_cipher_alg == CRYPTO_CHACHA20 ||
187
		    ossl_lookup_hash(csp) == NULL ||
188
		    ossl_lookup_cipher(csp) == NULL)
189
			return (EINVAL);
190
		break;
191
	case CSP_MODE_AEAD:
192
		switch (csp->csp_cipher_alg) {
193
		case CRYPTO_CHACHA20_POLY1305:
194
			break;
195
		case CRYPTO_AES_NIST_GCM_16:
196
			if (!sc->has_aes_gcm || ossl_lookup_cipher(csp) == NULL)
197
				return (EINVAL);
198
			if (csp->csp_ivlen != AES_GCM_IV_LEN)
199
				return (EINVAL);
200
			if (csp->csp_auth_mlen != 0 &&
201
			    csp->csp_auth_mlen != GMAC_DIGEST_LEN)
202
				return (EINVAL);
203
			break;
204
		default:
205
			return (EINVAL);
206
		}
207
		break;
208
	default:
209
		return (EINVAL);
210
	}
211

212
	return (CRYPTODEV_PROBE_ACCEL_SOFTWARE);
213
}
214

215
static void
216
ossl_newsession_hash(struct ossl_session *s,
217
    const struct crypto_session_params *csp)
218
{
219
	struct auth_hash *axf;
220

221
	axf = ossl_lookup_hash(csp);
222
	s->hash.axf = axf;
223
	if (csp->csp_auth_mlen == 0)
224
		s->hash.mlen = axf->hashsize;
225
	else
226
		s->hash.mlen = csp->csp_auth_mlen;
227

228
	if (csp->csp_auth_klen == 0) {
229
		axf->Init(&s->hash.ictx);
230
	} else {
231
		if (csp->csp_auth_key != NULL) {
232
			fpu_kern_enter(curthread, NULL, FPU_KERN_NOCTX);
233
			if (axf->Setkey != NULL) {
234
				axf->Init(&s->hash.ictx);
235
				axf->Setkey(&s->hash.ictx, csp->csp_auth_key,
236
				    csp->csp_auth_klen);
237
			} else {
238
				hmac_init_ipad(axf, csp->csp_auth_key,
239
				    csp->csp_auth_klen, &s->hash.ictx);
240
				hmac_init_opad(axf, csp->csp_auth_key,
241
				    csp->csp_auth_klen, &s->hash.octx);
242
			}
243
			fpu_kern_leave(curthread, NULL);
244
		}
245
	}
246
}
247

248
static int
249
ossl_newsession_cipher(struct ossl_session *s,
250
    const struct crypto_session_params *csp)
251
{
252
	struct ossl_cipher *cipher;
253
	int error = 0;
254

255
	cipher = ossl_lookup_cipher(csp);
256
	if (cipher == NULL)
257
		return (EINVAL);
258

259
	s->cipher.cipher = cipher;
260

261
	if (csp->csp_cipher_key == NULL)
262
		return (0);
263

264
	fpu_kern_enter(curthread, NULL, FPU_KERN_NOCTX);
265
	if (cipher->set_encrypt_key != NULL) {
266
		error = cipher->set_encrypt_key(csp->csp_cipher_key,
267
		    8 * csp->csp_cipher_klen, &s->cipher.enc_ctx);
268
		if (error != 0) {
269
			fpu_kern_leave(curthread, NULL);
270
			return (error);
271
		}
272
	}
273
	if (cipher->set_decrypt_key != NULL)
274
		error = cipher->set_decrypt_key(csp->csp_cipher_key,
275
		    8 * csp->csp_cipher_klen, &s->cipher.dec_ctx);
276
	fpu_kern_leave(curthread, NULL);
277

278
	return (error);
279
}
280

281
static int
282
ossl_newsession(device_t dev, crypto_session_t cses,
283
    const struct crypto_session_params *csp)
284
{
285
	struct ossl_session *s;
286
	int error = 0;
287

288
	s = crypto_get_driver_session(cses);
289
	switch (csp->csp_mode) {
290
	case CSP_MODE_DIGEST:
291
		ossl_newsession_hash(s, csp);
292
		break;
293
	case CSP_MODE_CIPHER:
294
		error = ossl_newsession_cipher(s, csp);
295
		break;
296
	case CSP_MODE_ETA:
297
		ossl_newsession_hash(s, csp);
298
		error = ossl_newsession_cipher(s, csp);
299
		break;
300
	case CSP_MODE_AEAD:
301
		if (csp->csp_cipher_alg != CRYPTO_CHACHA20_POLY1305)
302
			error = ossl_newsession_cipher(s, csp);
303
		break;
304
	default:
305
		__assert_unreachable();
306
	}
307

308
	return (error);
309
}
310

311
static int
312
ossl_process_hash(struct ossl_session *s, struct cryptop *crp,
313
    const struct crypto_session_params *csp)
314
{
315
	struct ossl_hash_context ctx;
316
	char digest[HASH_MAX_LEN];
317
	struct auth_hash *axf;
318
	int error;
319

320
	axf = s->hash.axf;
321

322
	if (crp->crp_auth_key == NULL) {
323
		ctx = s->hash.ictx;
324
	} else {
325
		if (axf->Setkey != NULL) {
326
			axf->Init(&ctx);
327
			axf->Setkey(&ctx, crp->crp_auth_key,
328
			    csp->csp_auth_klen);
329
		} else {
330
			hmac_init_ipad(axf, crp->crp_auth_key,
331
			    csp->csp_auth_klen, &ctx);
332
		}
333
	}
334

335
	if (crp->crp_aad != NULL)
336
		error = axf->Update(&ctx, crp->crp_aad, crp->crp_aad_length);
337
	else
338
		error = crypto_apply(crp, crp->crp_aad_start,
339
		    crp->crp_aad_length, axf->Update, &ctx);
340
	if (error)
341
		goto out;
342

343
	error = crypto_apply(crp, crp->crp_payload_start,
344
	    crp->crp_payload_length, axf->Update, &ctx);
345
	if (error)
346
		goto out;
347

348
	axf->Final(digest, &ctx);
349

350
	if (csp->csp_auth_klen != 0 && axf->Setkey == NULL) {
351
		if (crp->crp_auth_key == NULL)
352
			ctx = s->hash.octx;
353
		else
354
			hmac_init_opad(axf, crp->crp_auth_key,
355
			    csp->csp_auth_klen, &ctx);
356
		axf->Update(&ctx, digest, axf->hashsize);
357
		axf->Final(digest, &ctx);
358
	}
359

360
	if (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) {
361
		char digest2[HASH_MAX_LEN];
362

363
		crypto_copydata(crp, crp->crp_digest_start, s->hash.mlen,
364
		    digest2);
365
		if (timingsafe_bcmp(digest, digest2, s->hash.mlen) != 0)
366
			error = EBADMSG;
367
		explicit_bzero(digest2, sizeof(digest2));
368
	} else {
369
		crypto_copyback(crp, crp->crp_digest_start, s->hash.mlen,
370
		    digest);
371
	}
372
	explicit_bzero(digest, sizeof(digest));
373

374
out:
375
	explicit_bzero(&ctx, sizeof(ctx));
376
	return (error);
377
}
378

379
static int
380
ossl_process_cipher(struct ossl_session *s, struct cryptop *crp,
381
    const struct crypto_session_params *csp)
382
{
383
	return (s->cipher.cipher->process(&s->cipher, crp, csp));
384
}
385

386
static int
387
ossl_process_eta(struct ossl_session *s, struct cryptop *crp,
388
    const struct crypto_session_params *csp)
389
{
390
	int error;
391

392
	if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) {
393
		error = s->cipher.cipher->process(&s->cipher, crp, csp);
394
		if (error == 0)
395
			error = ossl_process_hash(s, crp, csp);
396
	} else {
397
		error = ossl_process_hash(s, crp, csp);
398
		if (error == 0)
399
			error = s->cipher.cipher->process(&s->cipher, crp, csp);
400
	}
401

402
	return (error);
403
}
404

405
static int
406
ossl_process_aead(struct ossl_session *s, struct cryptop *crp,
407
    const struct crypto_session_params *csp)
408
{
409
	if (csp->csp_cipher_alg == CRYPTO_CHACHA20_POLY1305) {
410
		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
411
			return (ossl_chacha20_poly1305_encrypt(crp, csp));
412
		else
413
			return (ossl_chacha20_poly1305_decrypt(crp, csp));
414
	} else {
415
		return (s->cipher.cipher->process(&s->cipher, crp, csp));
416
	}
417
}
418

419
static int
420
ossl_process(device_t dev, struct cryptop *crp, int hint)
421
{
422
	const struct crypto_session_params *csp;
423
	struct ossl_session *s;
424
	int error;
425
	bool fpu_entered;
426

427
	s = crypto_get_driver_session(crp->crp_session);
428
	csp = crypto_get_params(crp->crp_session);
429

430
	if (is_fpu_kern_thread(0)) {
431
		fpu_entered = false;
432
	} else {
433
		fpu_kern_enter(curthread, NULL, FPU_KERN_NOCTX);
434
		fpu_entered = true;
435
	}
436

437
	switch (csp->csp_mode) {
438
	case CSP_MODE_DIGEST:
439
		error = ossl_process_hash(s, crp, csp);
440
		break;
441
	case CSP_MODE_CIPHER:
442
		error = ossl_process_cipher(s, crp, csp);
443
		break;
444
	case CSP_MODE_ETA:
445
		error = ossl_process_eta(s, crp, csp);
446
		break;
447
	case CSP_MODE_AEAD:
448
		error = ossl_process_aead(s, crp, csp);
449
		break;
450
	default:
451
		__assert_unreachable();
452
	}
453

454
	if (fpu_entered)
455
		fpu_kern_leave(curthread, NULL);
456

457
	crp->crp_etype = error;
458
	crypto_done(crp);
459

460
	return (0);
461
}
462

463
static device_method_t ossl_methods[] = {
464
	DEVMETHOD(device_identify,	ossl_identify),
465
	DEVMETHOD(device_probe,		ossl_probe),
466
	DEVMETHOD(device_attach,	ossl_attach),
467
	DEVMETHOD(device_detach,	ossl_detach),
468

469
	DEVMETHOD(cryptodev_probesession, ossl_probesession),
470
	DEVMETHOD(cryptodev_newsession,	ossl_newsession),
471
	DEVMETHOD(cryptodev_process,	ossl_process),
472

473
	DEVMETHOD_END
474
};
475

476
static driver_t ossl_driver = {
477
	"ossl",
478
	ossl_methods,
479
	sizeof(struct ossl_softc)
480
};
481

482
DRIVER_MODULE(ossl, nexus, ossl_driver, NULL, NULL);
483
MODULE_VERSION(ossl, 1);
484
MODULE_DEPEND(ossl, crypto, 1, 1, 1);
485

486