~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/tls/tls_main.c

Version: ~ [ linux-5.16-rc3 ] ~ [ linux-5.15.5 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.82 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.162 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.218 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.256 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.291 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.293 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
  3  * Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved.
  4  *
  5  * This software is available to you under a choice of one of two
  6  * licenses.  You may choose to be licensed under the terms of the GNU
  7  * General Public License (GPL) Version 2, available from the file
  8  * COPYING in the main directory of this source tree, or the
  9  * OpenIB.org BSD license below:
 10  *
 11  *     Redistribution and use in source and binary forms, with or
 12  *     without modification, are permitted provided that the following
 13  *     conditions are met:
 14  *
 15  *      - Redistributions of source code must retain the above
 16  *        copyright notice, this list of conditions and the following
 17  *        disclaimer.
 18  *
 19  *      - Redistributions in binary form must reproduce the above
 20  *        copyright notice, this list of conditions and the following
 21  *        disclaimer in the documentation and/or other materials
 22  *        provided with the distribution.
 23  *
 24  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 25  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 26  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 27  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 28  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 29  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 30  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 31  * SOFTWARE.
 32  */
 33 
 34 #include <linux/module.h>
 35 
 36 #include <net/tcp.h>
 37 #include <net/inet_common.h>
 38 #include <linux/highmem.h>
 39 #include <linux/netdevice.h>
 40 #include <linux/sched/signal.h>
 41 #include <linux/inetdevice.h>
 42 #include <linux/inet_diag.h>
 43 
 44 #include <net/snmp.h>
 45 #include <net/tls.h>
 46 #include <net/tls_toe.h>
 47 
 48 MODULE_AUTHOR("Mellanox Technologies");
 49 MODULE_DESCRIPTION("Transport Layer Security Support");
 50 MODULE_LICENSE("Dual BSD/GPL");
 51 MODULE_ALIAS_TCP_ULP("tls");
 52 
 53 enum {
 54         TLSV4,
 55         TLSV6,
 56         TLS_NUM_PROTS,
 57 };
 58 
 59 static struct proto *saved_tcpv6_prot;
 60 static DEFINE_MUTEX(tcpv6_prot_mutex);
 61 static struct proto *saved_tcpv4_prot;
 62 static DEFINE_MUTEX(tcpv4_prot_mutex);
 63 static struct proto tls_prots[TLS_NUM_PROTS][TLS_NUM_CONFIG][TLS_NUM_CONFIG];
 64 static struct proto_ops tls_sw_proto_ops;
 65 static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
 66                          struct proto *base);
 67 
 68 void update_sk_prot(struct sock *sk, struct tls_context *ctx)
 69 {
 70         int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
 71 
 72         sk->sk_prot = &tls_prots[ip_ver][ctx->tx_conf][ctx->rx_conf];
 73 }
 74 
 75 int wait_on_pending_writer(struct sock *sk, long *timeo)
 76 {
 77         int rc = 0;
 78         DEFINE_WAIT_FUNC(wait, woken_wake_function);
 79 
 80         add_wait_queue(sk_sleep(sk), &wait);
 81         while (1) {
 82                 if (!*timeo) {
 83                         rc = -EAGAIN;
 84                         break;
 85                 }
 86 
 87                 if (signal_pending(current)) {
 88                         rc = sock_intr_errno(*timeo);
 89                         break;
 90                 }
 91 
 92                 if (sk_wait_event(sk, timeo, !sk->sk_write_pending, &wait))
 93                         break;
 94         }
 95         remove_wait_queue(sk_sleep(sk), &wait);
 96         return rc;
 97 }
 98 
 99 int tls_push_sg(struct sock *sk,
100                 struct tls_context *ctx,
101                 struct scatterlist *sg,
102                 u16 first_offset,
103                 int flags)
104 {
105         int sendpage_flags = flags | MSG_SENDPAGE_NOTLAST;
106         int ret = 0;
107         struct page *p;
108         size_t size;
109         int offset = first_offset;
110 
111         size = sg->length - offset;
112         offset += sg->offset;
113 
114         ctx->in_tcp_sendpages = true;
115         while (1) {
116                 if (sg_is_last(sg))
117                         sendpage_flags = flags;
118 
119                 /* is sending application-limited? */
120                 tcp_rate_check_app_limited(sk);
121                 p = sg_page(sg);
122 retry:
123                 ret = do_tcp_sendpages(sk, p, offset, size, sendpage_flags);
124 
125                 if (ret != size) {
126                         if (ret > 0) {
127                                 offset += ret;
128                                 size -= ret;
129                                 goto retry;
130                         }
131 
132                         offset -= sg->offset;
133                         ctx->partially_sent_offset = offset;
134                         ctx->partially_sent_record = (void *)sg;
135                         ctx->in_tcp_sendpages = false;
136                         return ret;
137                 }
138 
139                 put_page(p);
140                 sk_mem_uncharge(sk, sg->length);
141                 sg = sg_next(sg);
142                 if (!sg)
143                         break;
144 
145                 offset = sg->offset;
146                 size = sg->length;
147         }
148 
149         ctx->in_tcp_sendpages = false;
150 
151         return 0;
152 }
153 
154 static int tls_handle_open_record(struct sock *sk, int flags)
155 {
156         struct tls_context *ctx = tls_get_ctx(sk);
157 
158         if (tls_is_pending_open_record(ctx))
159                 return ctx->push_pending_record(sk, flags);
160 
161         return 0;
162 }
163 
164 int tls_proccess_cmsg(struct sock *sk, struct msghdr *msg,
165                       unsigned char *record_type)
166 {
167         struct cmsghdr *cmsg;
168         int rc = -EINVAL;
169 
170         for_each_cmsghdr(cmsg, msg) {
171                 if (!CMSG_OK(msg, cmsg))
172                         return -EINVAL;
173                 if (cmsg->cmsg_level != SOL_TLS)
174                         continue;
175 
176                 switch (cmsg->cmsg_type) {
177                 case TLS_SET_RECORD_TYPE:
178                         if (cmsg->cmsg_len < CMSG_LEN(sizeof(*record_type)))
179                                 return -EINVAL;
180 
181                         if (msg->msg_flags & MSG_MORE)
182                                 return -EINVAL;
183 
184                         rc = tls_handle_open_record(sk, msg->msg_flags);
185                         if (rc)
186                                 return rc;
187 
188                         *record_type = *(unsigned char *)CMSG_DATA(cmsg);
189                         rc = 0;
190                         break;
191                 default:
192                         return -EINVAL;
193                 }
194         }
195 
196         return rc;
197 }
198 
199 int tls_push_partial_record(struct sock *sk, struct tls_context *ctx,
200                             int flags)
201 {
202         struct scatterlist *sg;
203         u16 offset;
204 
205         sg = ctx->partially_sent_record;
206         offset = ctx->partially_sent_offset;
207 
208         ctx->partially_sent_record = NULL;
209         return tls_push_sg(sk, ctx, sg, offset, flags);
210 }
211 
212 void tls_free_partial_record(struct sock *sk, struct tls_context *ctx)
213 {
214         struct scatterlist *sg;
215 
216         for (sg = ctx->partially_sent_record; sg; sg = sg_next(sg)) {
217                 put_page(sg_page(sg));
218                 sk_mem_uncharge(sk, sg->length);
219         }
220         ctx->partially_sent_record = NULL;
221 }
222 
223 static void tls_write_space(struct sock *sk)
224 {
225         struct tls_context *ctx = tls_get_ctx(sk);
226 
227         /* If in_tcp_sendpages call lower protocol write space handler
228          * to ensure we wake up any waiting operations there. For example
229          * if do_tcp_sendpages where to call sk_wait_event.
230          */
231         if (ctx->in_tcp_sendpages) {
232                 ctx->sk_write_space(sk);
233                 return;
234         }
235 
236 #ifdef CONFIG_TLS_DEVICE
237         if (ctx->tx_conf == TLS_HW)
238                 tls_device_write_space(sk, ctx);
239         else
240 #endif
241                 tls_sw_write_space(sk, ctx);
242 
243         ctx->sk_write_space(sk);
244 }
245 
246 /**
247  * tls_ctx_free() - free TLS ULP context
248  * @sk:  socket to with @ctx is attached
249  * @ctx: TLS context structure
250  *
251  * Free TLS context. If @sk is %NULL caller guarantees that the socket
252  * to which @ctx was attached has no outstanding references.
253  */
254 void tls_ctx_free(struct sock *sk, struct tls_context *ctx)
255 {
256         if (!ctx)
257                 return;
258 
259         memzero_explicit(&ctx->crypto_send, sizeof(ctx->crypto_send));
260         memzero_explicit(&ctx->crypto_recv, sizeof(ctx->crypto_recv));
261         mutex_destroy(&ctx->tx_lock);
262 
263         if (sk)
264                 kfree_rcu(ctx, rcu);
265         else
266                 kfree(ctx);
267 }
268 
269 static void tls_sk_proto_cleanup(struct sock *sk,
270                                  struct tls_context *ctx, long timeo)
271 {
272         if (unlikely(sk->sk_write_pending) &&
273             !wait_on_pending_writer(sk, &timeo))
274                 tls_handle_open_record(sk, 0);
275 
276         /* We need these for tls_sw_fallback handling of other packets */
277         if (ctx->tx_conf == TLS_SW) {
278                 kfree(ctx->tx.rec_seq);
279                 kfree(ctx->tx.iv);
280                 tls_sw_release_resources_tx(sk);
281                 TLS_DEC_STATS(sock_net(sk), LINUX_MIB_TLSCURRTXSW);
282         } else if (ctx->tx_conf == TLS_HW) {
283                 tls_device_free_resources_tx(sk);
284                 TLS_DEC_STATS(sock_net(sk), LINUX_MIB_TLSCURRTXDEVICE);
285         }
286 
287         if (ctx->rx_conf == TLS_SW) {
288                 tls_sw_release_resources_rx(sk);
289                 TLS_DEC_STATS(sock_net(sk), LINUX_MIB_TLSCURRRXSW);
290         } else if (ctx->rx_conf == TLS_HW) {
291                 tls_device_offload_cleanup_rx(sk);
292                 TLS_DEC_STATS(sock_net(sk), LINUX_MIB_TLSCURRRXDEVICE);
293         }
294 }
295 
296 static void tls_sk_proto_close(struct sock *sk, long timeout)
297 {
298         struct inet_connection_sock *icsk = inet_csk(sk);
299         struct tls_context *ctx = tls_get_ctx(sk);
300         long timeo = sock_sndtimeo(sk, 0);
301         bool free_ctx;
302 
303         if (ctx->tx_conf == TLS_SW)
304                 tls_sw_cancel_work_tx(ctx);
305 
306         lock_sock(sk);
307         free_ctx = ctx->tx_conf != TLS_HW && ctx->rx_conf != TLS_HW;
308 
309         if (ctx->tx_conf != TLS_BASE || ctx->rx_conf != TLS_BASE)
310                 tls_sk_proto_cleanup(sk, ctx, timeo);
311 
312         write_lock_bh(&sk->sk_callback_lock);
313         if (free_ctx)
314                 rcu_assign_pointer(icsk->icsk_ulp_data, NULL);
315         sk->sk_prot = ctx->sk_proto;
316         if (sk->sk_write_space == tls_write_space)
317                 sk->sk_write_space = ctx->sk_write_space;
318         write_unlock_bh(&sk->sk_callback_lock);
319         release_sock(sk);
320         if (ctx->tx_conf == TLS_SW)
321                 tls_sw_free_ctx_tx(ctx);
322         if (ctx->rx_conf == TLS_SW || ctx->rx_conf == TLS_HW)
323                 tls_sw_strparser_done(ctx);
324         if (ctx->rx_conf == TLS_SW)
325                 tls_sw_free_ctx_rx(ctx);
326         ctx->sk_proto->close(sk, timeout);
327 
328         if (free_ctx)
329                 tls_ctx_free(sk, ctx);
330 }
331 
332 static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
333                                 int __user *optlen)
334 {
335         int rc = 0;
336         struct tls_context *ctx = tls_get_ctx(sk);
337         struct tls_crypto_info *crypto_info;
338         int len;
339 
340         if (get_user(len, optlen))
341                 return -EFAULT;
342 
343         if (!optval || (len < sizeof(*crypto_info))) {
344                 rc = -EINVAL;
345                 goto out;
346         }
347 
348         if (!ctx) {
349                 rc = -EBUSY;
350                 goto out;
351         }
352 
353         /* get user crypto info */
354         crypto_info = &ctx->crypto_send.info;
355 
356         if (!TLS_CRYPTO_INFO_READY(crypto_info)) {
357                 rc = -EBUSY;
358                 goto out;
359         }
360 
361         if (len == sizeof(*crypto_info)) {
362                 if (copy_to_user(optval, crypto_info, sizeof(*crypto_info)))
363                         rc = -EFAULT;
364                 goto out;
365         }
366 
367         switch (crypto_info->cipher_type) {
368         case TLS_CIPHER_AES_GCM_128: {
369                 struct tls12_crypto_info_aes_gcm_128 *
370                   crypto_info_aes_gcm_128 =
371                   container_of(crypto_info,
372                                struct tls12_crypto_info_aes_gcm_128,
373                                info);
374 
375                 if (len != sizeof(*crypto_info_aes_gcm_128)) {
376                         rc = -EINVAL;
377                         goto out;
378                 }
379                 lock_sock(sk);
380                 memcpy(crypto_info_aes_gcm_128->iv,
381                        ctx->tx.iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
382                        TLS_CIPHER_AES_GCM_128_IV_SIZE);
383                 memcpy(crypto_info_aes_gcm_128->rec_seq, ctx->tx.rec_seq,
384                        TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
385                 release_sock(sk);
386                 if (copy_to_user(optval,
387                                  crypto_info_aes_gcm_128,
388                                  sizeof(*crypto_info_aes_gcm_128)))
389                         rc = -EFAULT;
390                 break;
391         }
392         case TLS_CIPHER_AES_GCM_256: {
393                 struct tls12_crypto_info_aes_gcm_256 *
394                   crypto_info_aes_gcm_256 =
395                   container_of(crypto_info,
396                                struct tls12_crypto_info_aes_gcm_256,
397                                info);
398 
399                 if (len != sizeof(*crypto_info_aes_gcm_256)) {
400                         rc = -EINVAL;
401                         goto out;
402                 }
403                 lock_sock(sk);
404                 memcpy(crypto_info_aes_gcm_256->iv,
405                        ctx->tx.iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE,
406                        TLS_CIPHER_AES_GCM_256_IV_SIZE);
407                 memcpy(crypto_info_aes_gcm_256->rec_seq, ctx->tx.rec_seq,
408                        TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
409                 release_sock(sk);
410                 if (copy_to_user(optval,
411                                  crypto_info_aes_gcm_256,
412                                  sizeof(*crypto_info_aes_gcm_256)))
413                         rc = -EFAULT;
414                 break;
415         }
416         default:
417                 rc = -EINVAL;
418         }
419 
420 out:
421         return rc;
422 }
423 
424 static int do_tls_getsockopt(struct sock *sk, int optname,
425                              char __user *optval, int __user *optlen)
426 {
427         int rc = 0;
428 
429         switch (optname) {
430         case TLS_TX:
431                 rc = do_tls_getsockopt_tx(sk, optval, optlen);
432                 break;
433         default:
434                 rc = -ENOPROTOOPT;
435                 break;
436         }
437         return rc;
438 }
439 
440 static int tls_getsockopt(struct sock *sk, int level, int optname,
441                           char __user *optval, int __user *optlen)
442 {
443         struct tls_context *ctx = tls_get_ctx(sk);
444 
445         if (level != SOL_TLS)
446                 return ctx->sk_proto->getsockopt(sk, level,
447                                                  optname, optval, optlen);
448 
449         return do_tls_getsockopt(sk, optname, optval, optlen);
450 }
451 
452 static int do_tls_setsockopt_conf(struct sock *sk, char __user *optval,
453                                   unsigned int optlen, int tx)
454 {
455         struct tls_crypto_info *crypto_info;
456         struct tls_crypto_info *alt_crypto_info;
457         struct tls_context *ctx = tls_get_ctx(sk);
458         size_t optsize;
459         int rc = 0;
460         int conf;
461 
462         if (!optval || (optlen < sizeof(*crypto_info))) {
463                 rc = -EINVAL;
464                 goto out;
465         }
466 
467         if (tx) {
468                 crypto_info = &ctx->crypto_send.info;
469                 alt_crypto_info = &ctx->crypto_recv.info;
470         } else {
471                 crypto_info = &ctx->crypto_recv.info;
472                 alt_crypto_info = &ctx->crypto_send.info;
473         }
474 
475         /* Currently we don't support set crypto info more than one time */
476         if (TLS_CRYPTO_INFO_READY(crypto_info)) {
477                 rc = -EBUSY;
478                 goto out;
479         }
480 
481         rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info));
482         if (rc) {
483                 rc = -EFAULT;
484                 goto err_crypto_info;
485         }
486 
487         /* check version */
488         if (crypto_info->version != TLS_1_2_VERSION &&
489             crypto_info->version != TLS_1_3_VERSION) {
490                 rc = -EINVAL;
491                 goto err_crypto_info;
492         }
493 
494         /* Ensure that TLS version and ciphers are same in both directions */
495         if (TLS_CRYPTO_INFO_READY(alt_crypto_info)) {
496                 if (alt_crypto_info->version != crypto_info->version ||
497                     alt_crypto_info->cipher_type != crypto_info->cipher_type) {
498                         rc = -EINVAL;
499                         goto err_crypto_info;
500                 }
501         }
502 
503         switch (crypto_info->cipher_type) {
504         case TLS_CIPHER_AES_GCM_128:
505                 optsize = sizeof(struct tls12_crypto_info_aes_gcm_128);
506                 break;
507         case TLS_CIPHER_AES_GCM_256: {
508                 optsize = sizeof(struct tls12_crypto_info_aes_gcm_256);
509                 break;
510         }
511         case TLS_CIPHER_AES_CCM_128:
512                 optsize = sizeof(struct tls12_crypto_info_aes_ccm_128);
513                 break;
514         default:
515                 rc = -EINVAL;
516                 goto err_crypto_info;
517         }
518 
519         if (optlen != optsize) {
520                 rc = -EINVAL;
521                 goto err_crypto_info;
522         }
523 
524         rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info),
525                             optlen - sizeof(*crypto_info));
526         if (rc) {
527                 rc = -EFAULT;
528                 goto err_crypto_info;
529         }
530 
531         if (tx) {
532                 rc = tls_set_device_offload(sk, ctx);
533                 conf = TLS_HW;
534                 if (!rc) {
535                         TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSTXDEVICE);
536                         TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSCURRTXDEVICE);
537                 } else {
538                         rc = tls_set_sw_offload(sk, ctx, 1);
539                         if (rc)
540                                 goto err_crypto_info;
541                         TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSTXSW);
542                         TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSCURRTXSW);
543                         conf = TLS_SW;
544                 }
545         } else {
546                 rc = tls_set_device_offload_rx(sk, ctx);
547                 conf = TLS_HW;
548                 if (!rc) {
549                         TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXDEVICE);
550                         TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSCURRRXDEVICE);
551                 } else {
552                         rc = tls_set_sw_offload(sk, ctx, 0);
553                         if (rc)
554                                 goto err_crypto_info;
555                         TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXSW);
556                         TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSCURRRXSW);
557                         conf = TLS_SW;
558                 }
559                 tls_sw_strparser_arm(sk, ctx);
560         }
561 
562         if (tx)
563                 ctx->tx_conf = conf;
564         else
565                 ctx->rx_conf = conf;
566         update_sk_prot(sk, ctx);
567         if (tx) {
568                 ctx->sk_write_space = sk->sk_write_space;
569                 sk->sk_write_space = tls_write_space;
570         } else {
571                 sk->sk_socket->ops = &tls_sw_proto_ops;
572         }
573         goto out;
574 
575 err_crypto_info:
576         memzero_explicit(crypto_info, sizeof(union tls_crypto_context));
577 out:
578         return rc;
579 }
580 
581 static int do_tls_setsockopt(struct sock *sk, int optname,
582                              char __user *optval, unsigned int optlen)
583 {
584         int rc = 0;
585 
586         switch (optname) {
587         case TLS_TX:
588         case TLS_RX:
589                 lock_sock(sk);
590                 rc = do_tls_setsockopt_conf(sk, optval, optlen,
591                                             optname == TLS_TX);
592                 release_sock(sk);
593                 break;
594         default:
595                 rc = -ENOPROTOOPT;
596                 break;
597         }
598         return rc;
599 }
600 
601 static int tls_setsockopt(struct sock *sk, int level, int optname,
602                           char __user *optval, unsigned int optlen)
603 {
604         struct tls_context *ctx = tls_get_ctx(sk);
605 
606         if (level != SOL_TLS)
607                 return ctx->sk_proto->setsockopt(sk, level, optname, optval,
608                                                  optlen);
609 
610         return do_tls_setsockopt(sk, optname, optval, optlen);
611 }
612 
613 struct tls_context *tls_ctx_create(struct sock *sk)
614 {
615         struct inet_connection_sock *icsk = inet_csk(sk);
616         struct tls_context *ctx;
617 
618         ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
619         if (!ctx)
620                 return NULL;
621 
622         mutex_init(&ctx->tx_lock);
623         rcu_assign_pointer(icsk->icsk_ulp_data, ctx);
624         ctx->sk_proto = sk->sk_prot;
625         return ctx;
626 }
627 
628 static void tls_build_proto(struct sock *sk)
629 {
630         int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
631 
632         /* Build IPv6 TLS whenever the address of tcpv6 _prot changes */
633         if (ip_ver == TLSV6 &&
634             unlikely(sk->sk_prot != smp_load_acquire(&saved_tcpv6_prot))) {
635                 mutex_lock(&tcpv6_prot_mutex);
636                 if (likely(sk->sk_prot != saved_tcpv6_prot)) {
637                         build_protos(tls_prots[TLSV6], sk->sk_prot);
638                         smp_store_release(&saved_tcpv6_prot, sk->sk_prot);
639                 }
640                 mutex_unlock(&tcpv6_prot_mutex);
641         }
642 
643         if (ip_ver == TLSV4 &&
644             unlikely(sk->sk_prot != smp_load_acquire(&saved_tcpv4_prot))) {
645                 mutex_lock(&tcpv4_prot_mutex);
646                 if (likely(sk->sk_prot != saved_tcpv4_prot)) {
647                         build_protos(tls_prots[TLSV4], sk->sk_prot);
648                         smp_store_release(&saved_tcpv4_prot, sk->sk_prot);
649                 }
650                 mutex_unlock(&tcpv4_prot_mutex);
651         }
652 }
653 
654 static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
655                          struct proto *base)
656 {
657         prot[TLS_BASE][TLS_BASE] = *base;
658         prot[TLS_BASE][TLS_BASE].setsockopt     = tls_setsockopt;
659         prot[TLS_BASE][TLS_BASE].getsockopt     = tls_getsockopt;
660         prot[TLS_BASE][TLS_BASE].close          = tls_sk_proto_close;
661 
662         prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
663         prot[TLS_SW][TLS_BASE].sendmsg          = tls_sw_sendmsg;
664         prot[TLS_SW][TLS_BASE].sendpage         = tls_sw_sendpage;
665 
666         prot[TLS_BASE][TLS_SW] = prot[TLS_BASE][TLS_BASE];
667         prot[TLS_BASE][TLS_SW].recvmsg            = tls_sw_recvmsg;
668         prot[TLS_BASE][TLS_SW].stream_memory_read = tls_sw_stream_read;
669         prot[TLS_BASE][TLS_SW].close              = tls_sk_proto_close;
670 
671         prot[TLS_SW][TLS_SW] = prot[TLS_SW][TLS_BASE];
672         prot[TLS_SW][TLS_SW].recvmsg            = tls_sw_recvmsg;
673         prot[TLS_SW][TLS_SW].stream_memory_read = tls_sw_stream_read;
674         prot[TLS_SW][TLS_SW].close              = tls_sk_proto_close;
675 
676 #ifdef CONFIG_TLS_DEVICE
677         prot[TLS_HW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
678         prot[TLS_HW][TLS_BASE].sendmsg          = tls_device_sendmsg;
679         prot[TLS_HW][TLS_BASE].sendpage         = tls_device_sendpage;
680 
681         prot[TLS_HW][TLS_SW] = prot[TLS_BASE][TLS_SW];
682         prot[TLS_HW][TLS_SW].sendmsg            = tls_device_sendmsg;
683         prot[TLS_HW][TLS_SW].sendpage           = tls_device_sendpage;
684 
685         prot[TLS_BASE][TLS_HW] = prot[TLS_BASE][TLS_SW];
686 
687         prot[TLS_SW][TLS_HW] = prot[TLS_SW][TLS_SW];
688 
689         prot[TLS_HW][TLS_HW] = prot[TLS_HW][TLS_SW];
690 #endif
691 #ifdef CONFIG_TLS_TOE
692         prot[TLS_HW_RECORD][TLS_HW_RECORD] = *base;
693         prot[TLS_HW_RECORD][TLS_HW_RECORD].hash         = tls_toe_hash;
694         prot[TLS_HW_RECORD][TLS_HW_RECORD].unhash       = tls_toe_unhash;
695 #endif
696 }
697 
698 static int tls_init(struct sock *sk)
699 {
700         struct tls_context *ctx;
701         int rc = 0;
702 
703         tls_build_proto(sk);
704 
705 #ifdef CONFIG_TLS_TOE
706         if (tls_toe_bypass(sk))
707                 return 0;
708 #endif
709 
710         /* The TLS ulp is currently supported only for TCP sockets
711          * in ESTABLISHED state.
712          * Supporting sockets in LISTEN state will require us
713          * to modify the accept implementation to clone rather then
714          * share the ulp context.
715          */
716         if (sk->sk_state != TCP_ESTABLISHED)
717                 return -ENOTCONN;
718 
719         /* allocate tls context */
720         write_lock_bh(&sk->sk_callback_lock);
721         ctx = tls_ctx_create(sk);
722         if (!ctx) {
723                 rc = -ENOMEM;
724                 goto out;
725         }
726 
727         ctx->tx_conf = TLS_BASE;
728         ctx->rx_conf = TLS_BASE;
729         update_sk_prot(sk, ctx);
730 out:
731         write_unlock_bh(&sk->sk_callback_lock);
732         return rc;
733 }
734 
735 static void tls_update(struct sock *sk, struct proto *p,
736                        void (*write_space)(struct sock *sk))
737 {
738         struct tls_context *ctx;
739 
740         ctx = tls_get_ctx(sk);
741         if (likely(ctx)) {
742                 ctx->sk_write_space = write_space;
743                 ctx->sk_proto = p;
744         } else {
745                 sk->sk_prot = p;
746                 sk->sk_write_space = write_space;
747         }
748 }
749 
750 static int tls_get_info(const struct sock *sk, struct sk_buff *skb)
751 {
752         u16 version, cipher_type;
753         struct tls_context *ctx;
754         struct nlattr *start;
755         int err;
756 
757         start = nla_nest_start_noflag(skb, INET_ULP_INFO_TLS);
758         if (!start)
759                 return -EMSGSIZE;
760 
761         rcu_read_lock();
762         ctx = rcu_dereference(inet_csk(sk)->icsk_ulp_data);
763         if (!ctx) {
764                 err = 0;
765                 goto nla_failure;
766         }
767         version = ctx->prot_info.version;
768         if (version) {
769                 err = nla_put_u16(skb, TLS_INFO_VERSION, version);
770                 if (err)
771                         goto nla_failure;
772         }
773         cipher_type = ctx->prot_info.cipher_type;
774         if (cipher_type) {
775                 err = nla_put_u16(skb, TLS_INFO_CIPHER, cipher_type);
776                 if (err)
777                         goto nla_failure;
778         }
779         err = nla_put_u16(skb, TLS_INFO_TXCONF, tls_user_config(ctx, true));
780         if (err)
781                 goto nla_failure;
782 
783         err = nla_put_u16(skb, TLS_INFO_RXCONF, tls_user_config(ctx, false));
784         if (err)
785                 goto nla_failure;
786 
787         rcu_read_unlock();
788         nla_nest_end(skb, start);
789         return 0;
790 
791 nla_failure:
792         rcu_read_unlock();
793         nla_nest_cancel(skb, start);
794         return err;
795 }
796 
797 static size_t tls_get_info_size(const struct sock *sk)
798 {
799         size_t size = 0;
800 
801         size += nla_total_size(0) +             /* INET_ULP_INFO_TLS */
802                 nla_total_size(sizeof(u16)) +   /* TLS_INFO_VERSION */
803                 nla_total_size(sizeof(u16)) +   /* TLS_INFO_CIPHER */
804                 nla_total_size(sizeof(u16)) +   /* TLS_INFO_RXCONF */
805                 nla_total_size(sizeof(u16)) +   /* TLS_INFO_TXCONF */
806                 0;
807 
808         return size;
809 }
810 
811 static int __net_init tls_init_net(struct net *net)
812 {
813         int err;
814 
815         net->mib.tls_statistics = alloc_percpu(struct linux_tls_mib);
816         if (!net->mib.tls_statistics)
817                 return -ENOMEM;
818 
819         err = tls_proc_init(net);
820         if (err)
821                 goto err_free_stats;
822 
823         return 0;
824 err_free_stats:
825         free_percpu(net->mib.tls_statistics);
826         return err;
827 }
828 
829 static void __net_exit tls_exit_net(struct net *net)
830 {
831         tls_proc_fini(net);
832         free_percpu(net->mib.tls_statistics);
833 }
834 
835 static struct pernet_operations tls_proc_ops = {
836         .init = tls_init_net,
837         .exit = tls_exit_net,
838 };
839 
840 static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
841         .name                   = "tls",
842         .owner                  = THIS_MODULE,
843         .init                   = tls_init,
844         .update                 = tls_update,
845         .get_info               = tls_get_info,
846         .get_info_size          = tls_get_info_size,
847 };
848 
849 static int __init tls_register(void)
850 {
851         int err;
852 
853         err = register_pernet_subsys(&tls_proc_ops);
854         if (err)
855                 return err;
856 
857         tls_sw_proto_ops = inet_stream_ops;
858         tls_sw_proto_ops.splice_read = tls_sw_splice_read;
859         tls_sw_proto_ops.sendpage_locked   = tls_sw_sendpage_locked,
860 
861         tls_device_init();
862         tcp_register_ulp(&tcp_tls_ulp_ops);
863 
864         return 0;
865 }
866 
867 static void __exit tls_unregister(void)
868 {
869         tcp_unregister_ulp(&tcp_tls_ulp_ops);
870         tls_device_cleanup();
871         unregister_pernet_subsys(&tls_proc_ops);
872 }
873 
874 module_init(tls_register);
875 module_exit(tls_unregister);
876 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp