Decrypting data in RX path

Decrypting data in RX path

[Gadre Nayan]

Hi,

I am able to encrypt data using the asynchronous kernel crypto API's.
I can observe the encrypted data on the protocol analyzer.

I wanted to decry-pt the data now on the receiver side, So I have
following questions.

1. What is the best place to decrypt the data, in kernel space (module
(pre-routing hook) or driver) OR user space using (maybe using raw
sockets or after socket recv).

What precautions should be taken in terms of locking while using
crypto api's in kernel space in RX path (Softirq context) --> Can
someone point to existing sample in kernel where decryption is done in
RX path.


2. If I encrypt data in kernel space can I decrypt it in User-space
using same encryption methods and Keys.

Thanks.

Re: Decrypting data in RX path

[Catalin Vasile]

Inline comments.

________________________________________
From: linux-crypto-owner@vger.kernel.org <linux-crypto-owner@vger.kernel.org> on behalf of Gadre Nayan <gadrenayan@gmail.com>
Sent: Monday, May 16, 2016 2:54 PM
To: linux-crypto@vger.kernel.org
Subject: Decrypting data in RX path

Hi,

I am able to encrypt data using the asynchronous kernel crypto API's.
I can observe the encrypted data on the protocol analyzer.

I wanted to decry-pt the data now on the receiver side, So I have
following questions.

1. What is the best place to decrypt the data, in kernel space (module
(pre-routing hook) or driver) OR user space using (maybe using raw
sockets or after socket recv).

What precautions should be taken in terms of locking while using
crypto api's in kernel space in RX path (Softirq context) --> Can
someone point to existing sample in kernel where decryption is done in
RX path.
[Catalin Vasile] Look into net/ipv6/esp6.c. It's related to IPsec.

2. If I encrypt data in kernel space can I decrypt it in User-space
using same encryption methods and Keys.
[Catalin Vasile] What do you mean by "using same encryption methods" ?

Thanks.

Re: Decrypting data in RX path

[Gadre Nayan]

Hi,

[Catalin Vasile] What do you mean by "using same encryption methods" ?

What I meant was, in the module If I use "cbc(aes)" With say 16 blocks
of data to be encrypted with 16 bytes of iv-data and so on, are there
user space Api's to use in decryption which will take such arguments,
otherwise data won't be decrypted properly ?

On Mon, May 16, 2016 at 5:34 PM, Catalin Vasile <cata.vasile@nxp.com> wrote:
> Inline comments.
>
> ________________________________________
> From: linux-crypto-owner@vger.kernel.org <linux-crypto-owner@vger.kernel.org> on behalf of Gadre Nayan <gadrenayan@gmail.com>
> Sent: Monday, May 16, 2016 2:54 PM
> To: linux-crypto@vger.kernel.org
> Subject: Decrypting data in RX path
>
> Hi,
>
> I am able to encrypt data using the asynchronous kernel crypto API's.
> I can observe the encrypted data on the protocol analyzer.
>
> I wanted to decry-pt the data now on the receiver side, So I have
> following questions.
>
> 1. What is the best place to decrypt the data, in kernel space (module
> (pre-routing hook) or driver) OR user space using (maybe using raw
> sockets or after socket recv).
>
> What precautions should be taken in terms of locking while using
> crypto api's in kernel space in RX path (Softirq context) --> Can
> someone point to existing sample in kernel where decryption is done in
> RX path.
> [Catalin Vasile] Look into net/ipv6/esp6.c. It's related to IPsec.
>
> 2. If I encrypt data in kernel space can I decrypt it in User-space
> using same encryption methods and Keys.
> [Catalin Vasile] What do you mean by "using same encryption methods" ?
>
> Thanks.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Decrypting data in RX path

[Stephan Mueller]

Am Montag, 16. Mai 2016, 17:24:12 schrieb Gadre Nayan:

Hi Gadre,

> Hi,
> 
> I am able to encrypt data using the asynchronous kernel crypto API's.
> I can observe the encrypted data on the protocol analyzer.
> 
> I wanted to decry-pt the data now on the receiver side, So I have
> following questions.
> 
> 1. What is the best place to decrypt the data, in kernel space (module
> (pre-routing hook) or driver) OR user space using (maybe using raw
> sockets or after socket recv).

This is a very broad question and cannot be answered without knowning the 
context.
> 
> What precautions should be taken in terms of locking while using
> crypto api's in kernel space in RX path (Softirq context) --> Can
> someone point to existing sample in kernel where decryption is done in
> RX path.

net/ipv4/esp4.c:esp_input for rx and esp_output for tx.
> 
> 
> 2. If I encrypt data in kernel space can I decrypt it in User-space
> using same encryption methods and Keys.

Sure, if you have the keys and all information about the used crypto.
> 
> Thanks.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


Ciao
Stephan

Re: Decrypting data in RX path

[Gadre Nayan]

Hi,

1. The context of the question "best place to decrypt in
kernel(module/driver)" is I want to encrypt network packets sent from
my system and decrypt them back to work with crypto apis. So the
encryption part I have done in  a Kernel thread, decryption part could
be either in driver or a pre-routing hook. Which is appropriate.

2. I went through the esp_input function for rx.

As I understand, It allocates a decrypt request and and calls
crypto_aead_decrypt(req).

A. Since this request is asynchronous, it would be handled through
condition variables, Am i right on this?
B. Also the IPSEC routines like input and output would run in softirq context ?
C. esp_input_done() is a callback for decrypt, so as soon as
crypto_aead_decrypt(req) is called and the encryption does not happen
immediately, it will return the error _EINPROGRESS. Now this will
cause the esp_input function to return immediately. So then when is
the deferred decryption checked. I see esp_input_done2 as well. How is
the flow and call of these callbacks happening.

Apologize for being so verbose.

Thanks.





On Mon, May 16, 2016 at 6:02 PM, Stephan Mueller <smueller@chronox.de> wrote:
> Am Montag, 16. Mai 2016, 17:24:12 schrieb Gadre Nayan:
>
> Hi Gadre,
>
>> Hi,
>>
>> I am able to encrypt data using the asynchronous kernel crypto API's.
>> I can observe the encrypted data on the protocol analyzer.
>>
>> I wanted to decry-pt the data now on the receiver side, So I have
>> following questions.
>>
>> 1. What is the best place to decrypt the data, in kernel space (module
>> (pre-routing hook) or driver) OR user space using (maybe using raw
>> sockets or after socket recv).
>
> This is a very broad question and cannot be answered without knowning the
> context.
>>
>> What precautions should be taken in terms of locking while using
>> crypto api's in kernel space in RX path (Softirq context) --> Can
>> someone point to existing sample in kernel where decryption is done in
>> RX path.
>
> net/ipv4/esp4.c:esp_input for rx and esp_output for tx.
>>
>>
>> 2. If I encrypt data in kernel space can I decrypt it in User-space
>> using same encryption methods and Keys.
>
> Sure, if you have the keys and all information about the used crypto.
>>
>> Thanks.
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>
> Ciao
> Stephan

Re: Decrypting data in RX path

[Catalin Vasile]

Inline Comments
________________________________________
From: linux-crypto-owner@vger.kernel.org <linux-crypto-owner@vger.kernel.org> on behalf of Gadre Nayan <gadrenayan@gmail.com>
Sent: Monday, May 16, 2016 5:40 PM
To: Stephan Mueller; linux-crypto@vger.kernel.org
Subject: Re: Decrypting data in RX path

Hi,

1. The context of the question "best place to decrypt in
kernel(module/driver)" is I want to encrypt network packets sent from
my system and decrypt them back to work with crypto apis. So the
encryption part I have done in  a Kernel thread, decryption part could
be either in driver or a pre-routing hook. Which is appropriate.

2. I went through the esp_input function for rx.

As I understand, It allocates a decrypt request and and calls
crypto_aead_decrypt(req).

A. Since this request is asynchronous, it would be handled through
condition variables, Am i right on this?
B. Also the IPSEC routines like input and output would run in softirq context ?
C. esp_input_done() is a callback for decrypt, so as soon as
crypto_aead_decrypt(req) is called and the encryption does not happen
immediately, it will return the error _EINPROGRESS. Now this will
cause the esp_input function to return immediately. So then when is
the deferred decryption checked. I see esp_input_done2 as well. How is
the flow and call of these callbacks happening.

[Catalin Vasile]
"aead_request_set_callback(req, 0, esp_output_done_esn, skb);"
This piece of code sets into the request structure a callback.
After the job is queued, you will receive an -EINPROGRESS and your current
context will just return till it ends the current context (having nothing other to do).
Later, the device will trigger an interrupt in the Kernel to announce it
that a job has been done. The interrupt usually starts a kthread or a softirq
which will process what jobs have ended. One of the processing part thingies
is triggering the callback you have set. Although the context that sent the job
no longer exist, the hardware driver uses its own contexts to run some custom
you have sent (that code is represented by your callback).

Apologize for being so verbose.

Thanks.





On Mon, May 16, 2016 at 6:02 PM, Stephan Mueller <smueller@chronox.de> wrote:
> Am Montag, 16. Mai 2016, 17:24:12 schrieb Gadre Nayan:
>
> Hi Gadre,
>
>> Hi,
>>
>> I am able to encrypt data using the asynchronous kernel crypto API's.
>> I can observe the encrypted data on the protocol analyzer.
>>
>> I wanted to decry-pt the data now on the receiver side, So I have
>> following questions.
>>
>> 1. What is the best place to decrypt the data, in kernel space (module
>> (pre-routing hook) or driver) OR user space using (maybe using raw
>> sockets or after socket recv).
>
> This is a very broad question and cannot be answered without knowning the
> context.
>>
>> What precautions should be taken in terms of locking while using
>> crypto api's in kernel space in RX path (Softirq context) --> Can
>> someone point to existing sample in kernel where decryption is done in
>> RX path.
>
> net/ipv4/esp4.c:esp_input for rx and esp_output for tx.
>>
>>
>> 2. If I encrypt data in kernel space can I decrypt it in User-space
>> using same encryption methods and Keys.
>
> Sure, if you have the keys and all information about the used crypto.
>>
>> Thanks.
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>
> Ciao
> Stephan

Re: Decrypting data in RX path

[Stephan Mueller]

Am Mittwoch, 18. Mai 2016, 07:01:18 schrieb Catalin Vasile:

Hi Catalin,

> Inline Comments
> ________________________________________
> From: linux-crypto-owner@vger.kernel.org
> <linux-crypto-owner@vger.kernel.org> on behalf of Gadre Nayan
> <gadrenayan@gmail.com> Sent: Monday, May 16, 2016 5:40 PM
> To: Stephan Mueller; linux-crypto@vger.kernel.org
> Subject: Re: Decrypting data in RX path
> 
> Hi,
> 
> 1. The context of the question "best place to decrypt in
> kernel(module/driver)" is I want to encrypt network packets sent from
> my system and decrypt them back to work with crypto apis. So the
> encryption part I have done in  a Kernel thread, decryption part could
> be either in driver or a pre-routing hook. Which is appropriate.
> 
> 2. I went through the esp_input function for rx.
> 
> As I understand, It allocates a decrypt request and and calls
> crypto_aead_decrypt(req).
> 
> A. Since this request is asynchronous, it would be handled through
> condition variables, Am i right on this?

I am not sure I understand your term "condition variables". The async handling 
is implemented by invoking the callback esp_input_done once the cipher 
operation completes.

So, esp_input invokes the cipher operation. The invocation will return 
immediately. Once the operation completes, the callback is triggered where the 
callback must perform the appropriate post-operation handling.

See the kernel crypto API documentation for async handling.

> B. Also the IPSEC routines like input and output would run in softirq
> context ?

I am not sure about whether it runs in softirq, but at least it is not in 
process context.

> C. esp_input_done() is a callback for decrypt, so as soon as
> crypto_aead_decrypt(req) is called and the encryption does not happen
> immediately, it will return the error _EINPROGRESS. Now this will
> cause the esp_input function to return immediately. So then when is
> the deferred decryption checked. I see esp_input_done2 as well. How is
> the flow and call of these callbacks happening.

Please read the kernel crypto API documentation at [1]

[1] http://www.chronox.de/crypto-API/index.html
> 
> [Catalin Vasile]
> "aead_request_set_callback(req, 0, esp_output_done_esn, skb);"
> This piece of code sets into the request structure a callback.
> After the job is queued, you will receive an -EINPROGRESS and your current
> context will just return till it ends the current context (having nothing
> other to do). Later, the device will trigger an interrupt in the Kernel to
> announce it that a job has been done. The interrupt usually starts a
> kthread or a softirq which will process what jobs have ended. One of the
> processing part thingies is triggering the callback you have set. Although
> the context that sent the job no longer exist, the hardware driver uses its
> own contexts to run some custom you have sent (that code is represented by
> your callback).
> 
> Apologize for being so verbose.
> 
> Thanks.
> 
> On Mon, May 16, 2016 at 6:02 PM, Stephan Mueller <smueller@chronox.de> 
wrote:
> > Am Montag, 16. Mai 2016, 17:24:12 schrieb Gadre Nayan:
> > 
> > Hi Gadre,
> > 
> >> Hi,
> >> 
> >> I am able to encrypt data using the asynchronous kernel crypto API's.
> >> I can observe the encrypted data on the protocol analyzer.
> >> 
> >> I wanted to decry-pt the data now on the receiver side, So I have
> >> following questions.
> >> 
> >> 1. What is the best place to decrypt the data, in kernel space (module
> >> (pre-routing hook) or driver) OR user space using (maybe using raw
> >> sockets or after socket recv).
> > 
> > This is a very broad question and cannot be answered without knowning the
> > context.
> > 
> >> What precautions should be taken in terms of locking while using
> >> crypto api's in kernel space in RX path (Softirq context) --> Can
> >> someone point to existing sample in kernel where decryption is done in
> >> RX path.
> > 
> > net/ipv4/esp4.c:esp_input for rx and esp_output for tx.
> > 
> >> 2. If I encrypt data in kernel space can I decrypt it in User-space
> >> using same encryption methods and Keys.
> > 
> > Sure, if you have the keys and all information about the used crypto.
> > 
> >> Thanks.
> >> --
> >> To unsubscribe from this list: send the line "unsubscribe linux-crypto"
> >> in
> >> the body of a message to majordomo@vger.kernel.org
> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > 
> > Ciao
> > Stephan
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


Ciao
Stephan