root/net/tls/tls_main.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. update_sk_prot
  2. wait_on_pending_writer
  3. tls_push_sg
  4. tls_handle_open_record
  5. tls_proccess_cmsg
  6. tls_push_partial_record
  7. tls_free_partial_record
  8. tls_write_space
  9. tls_ctx_free
  10. tls_sk_proto_cleanup
  11. tls_sk_proto_close
  12. do_tls_getsockopt_tx
  13. do_tls_getsockopt
  14. tls_getsockopt
  15. do_tls_setsockopt_conf
  16. do_tls_setsockopt
  17. tls_setsockopt
  18. create_ctx
  19. tls_build_proto
  20. tls_hw_sk_destruct
  21. tls_hw_prot
  22. tls_hw_unhash
  23. tls_hw_hash
  24. build_protos
  25. tls_init
  26. tls_update
  27. tls_get_info
  28. tls_get_info_size
  29. tls_register_device
  30. tls_unregister_device
  31. tls_register
  32. tls_unregister

   1 /*
   2  * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
   3  * Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved.
   4  *
   5  * This software is available to you under a choice of one of two
   6  * licenses.  You may choose to be licensed under the terms of the GNU
   7  * General Public License (GPL) Version 2, available from the file
   8  * COPYING in the main directory of this source tree, or the
   9  * OpenIB.org BSD license below:
  10  *
  11  *     Redistribution and use in source and binary forms, with or
  12  *     without modification, are permitted provided that the following
  13  *     conditions are met:
  14  *
  15  *      - Redistributions of source code must retain the above
  16  *        copyright notice, this list of conditions and the following
  17  *        disclaimer.
  18  *
  19  *      - Redistributions in binary form must reproduce the above
  20  *        copyright notice, this list of conditions and the following
  21  *        disclaimer in the documentation and/or other materials
  22  *        provided with the distribution.
  23  *
  24  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  25  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  26  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  27  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
  28  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
  29  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  30  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  31  * SOFTWARE.
  32  */
  33 
  34 #include <linux/module.h>
  35 
  36 #include <net/tcp.h>
  37 #include <net/inet_common.h>
  38 #include <linux/highmem.h>
  39 #include <linux/netdevice.h>
  40 #include <linux/sched/signal.h>
  41 #include <linux/inetdevice.h>
  42 #include <linux/inet_diag.h>
  43 
  44 #include <net/tls.h>
  45 
  46 MODULE_AUTHOR("Mellanox Technologies");
  47 MODULE_DESCRIPTION("Transport Layer Security Support");
  48 MODULE_LICENSE("Dual BSD/GPL");
  49 MODULE_ALIAS_TCP_ULP("tls");
  50 
  51 enum {
  52         TLSV4,
  53         TLSV6,
  54         TLS_NUM_PROTS,
  55 };
  56 
  57 static struct proto *saved_tcpv6_prot;
  58 static DEFINE_MUTEX(tcpv6_prot_mutex);
  59 static struct proto *saved_tcpv4_prot;
  60 static DEFINE_MUTEX(tcpv4_prot_mutex);
  61 static LIST_HEAD(device_list);
  62 static DEFINE_SPINLOCK(device_spinlock);
  63 static struct proto tls_prots[TLS_NUM_PROTS][TLS_NUM_CONFIG][TLS_NUM_CONFIG];
  64 static struct proto_ops tls_sw_proto_ops;
  65 static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
  66                          struct proto *base);
  67 
  68 static void update_sk_prot(struct sock *sk, struct tls_context *ctx)
  69 {
  70         int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
  71 
  72         sk->sk_prot = &tls_prots[ip_ver][ctx->tx_conf][ctx->rx_conf];
  73 }
  74 
  75 int wait_on_pending_writer(struct sock *sk, long *timeo)
  76 {
  77         int rc = 0;
  78         DEFINE_WAIT_FUNC(wait, woken_wake_function);
  79 
  80         add_wait_queue(sk_sleep(sk), &wait);
  81         while (1) {
  82                 if (!*timeo) {
  83                         rc = -EAGAIN;
  84                         break;
  85                 }
  86 
  87                 if (signal_pending(current)) {
  88                         rc = sock_intr_errno(*timeo);
  89                         break;
  90                 }
  91 
  92                 if (sk_wait_event(sk, timeo, !sk->sk_write_pending, &wait))
  93                         break;
  94         }
  95         remove_wait_queue(sk_sleep(sk), &wait);
  96         return rc;
  97 }
  98 
  99 int tls_push_sg(struct sock *sk,
 100                 struct tls_context *ctx,
 101                 struct scatterlist *sg,
 102                 u16 first_offset,
 103                 int flags)
 104 {
 105         int sendpage_flags = flags | MSG_SENDPAGE_NOTLAST;
 106         int ret = 0;
 107         struct page *p;
 108         size_t size;
 109         int offset = first_offset;
 110 
 111         size = sg->length - offset;
 112         offset += sg->offset;
 113 
 114         ctx->in_tcp_sendpages = true;
 115         while (1) {
 116                 if (sg_is_last(sg))
 117                         sendpage_flags = flags;
 118 
 119                 /* is sending application-limited? */
 120                 tcp_rate_check_app_limited(sk);
 121                 p = sg_page(sg);
 122 retry:
 123                 ret = do_tcp_sendpages(sk, p, offset, size, sendpage_flags);
 124 
 125                 if (ret != size) {
 126                         if (ret > 0) {
 127                                 offset += ret;
 128                                 size -= ret;
 129                                 goto retry;
 130                         }
 131 
 132                         offset -= sg->offset;
 133                         ctx->partially_sent_offset = offset;
 134                         ctx->partially_sent_record = (void *)sg;
 135                         ctx->in_tcp_sendpages = false;
 136                         return ret;
 137                 }
 138 
 139                 put_page(p);
 140                 sk_mem_uncharge(sk, sg->length);
 141                 sg = sg_next(sg);
 142                 if (!sg)
 143                         break;
 144 
 145                 offset = sg->offset;
 146                 size = sg->length;
 147         }
 148 
 149         ctx->in_tcp_sendpages = false;
 150 
 151         return 0;
 152 }
 153 
 154 static int tls_handle_open_record(struct sock *sk, int flags)
 155 {
 156         struct tls_context *ctx = tls_get_ctx(sk);
 157 
 158         if (tls_is_pending_open_record(ctx))
 159                 return ctx->push_pending_record(sk, flags);
 160 
 161         return 0;
 162 }
 163 
 164 int tls_proccess_cmsg(struct sock *sk, struct msghdr *msg,
 165                       unsigned char *record_type)
 166 {
 167         struct cmsghdr *cmsg;
 168         int rc = -EINVAL;
 169 
 170         for_each_cmsghdr(cmsg, msg) {
 171                 if (!CMSG_OK(msg, cmsg))
 172                         return -EINVAL;
 173                 if (cmsg->cmsg_level != SOL_TLS)
 174                         continue;
 175 
 176                 switch (cmsg->cmsg_type) {
 177                 case TLS_SET_RECORD_TYPE:
 178                         if (cmsg->cmsg_len < CMSG_LEN(sizeof(*record_type)))
 179                                 return -EINVAL;
 180 
 181                         if (msg->msg_flags & MSG_MORE)
 182                                 return -EINVAL;
 183 
 184                         rc = tls_handle_open_record(sk, msg->msg_flags);
 185                         if (rc)
 186                                 return rc;
 187 
 188                         *record_type = *(unsigned char *)CMSG_DATA(cmsg);
 189                         rc = 0;
 190                         break;
 191                 default:
 192                         return -EINVAL;
 193                 }
 194         }
 195 
 196         return rc;
 197 }
 198 
 199 int tls_push_partial_record(struct sock *sk, struct tls_context *ctx,
 200                             int flags)
 201 {
 202         struct scatterlist *sg;
 203         u16 offset;
 204 
 205         sg = ctx->partially_sent_record;
 206         offset = ctx->partially_sent_offset;
 207 
 208         ctx->partially_sent_record = NULL;
 209         return tls_push_sg(sk, ctx, sg, offset, flags);
 210 }
 211 
 212 void tls_free_partial_record(struct sock *sk, struct tls_context *ctx)
 213 {
 214         struct scatterlist *sg;
 215 
 216         for (sg = ctx->partially_sent_record; sg; sg = sg_next(sg)) {
 217                 put_page(sg_page(sg));
 218                 sk_mem_uncharge(sk, sg->length);
 219         }
 220         ctx->partially_sent_record = NULL;
 221 }
 222 
 223 static void tls_write_space(struct sock *sk)
 224 {
 225         struct tls_context *ctx = tls_get_ctx(sk);
 226 
 227         /* If in_tcp_sendpages call lower protocol write space handler
 228          * to ensure we wake up any waiting operations there. For example
 229          * if do_tcp_sendpages where to call sk_wait_event.
 230          */
 231         if (ctx->in_tcp_sendpages) {
 232                 ctx->sk_write_space(sk);
 233                 return;
 234         }
 235 
 236 #ifdef CONFIG_TLS_DEVICE
 237         if (ctx->tx_conf == TLS_HW)
 238                 tls_device_write_space(sk, ctx);
 239         else
 240 #endif
 241                 tls_sw_write_space(sk, ctx);
 242 
 243         ctx->sk_write_space(sk);
 244 }
 245 
 246 /**
 247  * tls_ctx_free() - free TLS ULP context
 248  * @sk:  socket to with @ctx is attached
 249  * @ctx: TLS context structure
 250  *
 251  * Free TLS context. If @sk is %NULL caller guarantees that the socket
 252  * to which @ctx was attached has no outstanding references.
 253  */
 254 void tls_ctx_free(struct sock *sk, struct tls_context *ctx)
 255 {
 256         if (!ctx)
 257                 return;
 258 
 259         memzero_explicit(&ctx->crypto_send, sizeof(ctx->crypto_send));
 260         memzero_explicit(&ctx->crypto_recv, sizeof(ctx->crypto_recv));
 261         mutex_destroy(&ctx->tx_lock);
 262 
 263         if (sk)
 264                 kfree_rcu(ctx, rcu);
 265         else
 266                 kfree(ctx);
 267 }
 268 
 269 static void tls_sk_proto_cleanup(struct sock *sk,
 270                                  struct tls_context *ctx, long timeo)
 271 {
 272         if (unlikely(sk->sk_write_pending) &&
 273             !wait_on_pending_writer(sk, &timeo))
 274                 tls_handle_open_record(sk, 0);
 275 
 276         /* We need these for tls_sw_fallback handling of other packets */
 277         if (ctx->tx_conf == TLS_SW) {
 278                 kfree(ctx->tx.rec_seq);
 279                 kfree(ctx->tx.iv);
 280                 tls_sw_release_resources_tx(sk);
 281         } else if (ctx->tx_conf == TLS_HW) {
 282                 tls_device_free_resources_tx(sk);
 283         }
 284 
 285         if (ctx->rx_conf == TLS_SW)
 286                 tls_sw_release_resources_rx(sk);
 287         else if (ctx->rx_conf == TLS_HW)
 288                 tls_device_offload_cleanup_rx(sk);
 289 }
 290 
 291 static void tls_sk_proto_close(struct sock *sk, long timeout)
 292 {
 293         struct inet_connection_sock *icsk = inet_csk(sk);
 294         struct tls_context *ctx = tls_get_ctx(sk);
 295         long timeo = sock_sndtimeo(sk, 0);
 296         bool free_ctx;
 297 
 298         if (ctx->tx_conf == TLS_SW)
 299                 tls_sw_cancel_work_tx(ctx);
 300 
 301         lock_sock(sk);
 302         free_ctx = ctx->tx_conf != TLS_HW && ctx->rx_conf != TLS_HW;
 303 
 304         if (ctx->tx_conf != TLS_BASE || ctx->rx_conf != TLS_BASE)
 305                 tls_sk_proto_cleanup(sk, ctx, timeo);
 306 
 307         write_lock_bh(&sk->sk_callback_lock);
 308         if (free_ctx)
 309                 rcu_assign_pointer(icsk->icsk_ulp_data, NULL);
 310         sk->sk_prot = ctx->sk_proto;
 311         if (sk->sk_write_space == tls_write_space)
 312                 sk->sk_write_space = ctx->sk_write_space;
 313         write_unlock_bh(&sk->sk_callback_lock);
 314         release_sock(sk);
 315         if (ctx->tx_conf == TLS_SW)
 316                 tls_sw_free_ctx_tx(ctx);
 317         if (ctx->rx_conf == TLS_SW || ctx->rx_conf == TLS_HW)
 318                 tls_sw_strparser_done(ctx);
 319         if (ctx->rx_conf == TLS_SW)
 320                 tls_sw_free_ctx_rx(ctx);
 321         ctx->sk_proto->close(sk, timeout);
 322 
 323         if (free_ctx)
 324                 tls_ctx_free(sk, ctx);
 325 }
 326 
 327 static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
 328                                 int __user *optlen)
 329 {
 330         int rc = 0;
 331         struct tls_context *ctx = tls_get_ctx(sk);
 332         struct tls_crypto_info *crypto_info;
 333         int len;
 334 
 335         if (get_user(len, optlen))
 336                 return -EFAULT;
 337 
 338         if (!optval || (len < sizeof(*crypto_info))) {
 339                 rc = -EINVAL;
 340                 goto out;
 341         }
 342 
 343         if (!ctx) {
 344                 rc = -EBUSY;
 345                 goto out;
 346         }
 347 
 348         /* get user crypto info */
 349         crypto_info = &ctx->crypto_send.info;
 350 
 351         if (!TLS_CRYPTO_INFO_READY(crypto_info)) {
 352                 rc = -EBUSY;
 353                 goto out;
 354         }
 355 
 356         if (len == sizeof(*crypto_info)) {
 357                 if (copy_to_user(optval, crypto_info, sizeof(*crypto_info)))
 358                         rc = -EFAULT;
 359                 goto out;
 360         }
 361 
 362         switch (crypto_info->cipher_type) {
 363         case TLS_CIPHER_AES_GCM_128: {
 364                 struct tls12_crypto_info_aes_gcm_128 *
 365                   crypto_info_aes_gcm_128 =
 366                   container_of(crypto_info,
 367                                struct tls12_crypto_info_aes_gcm_128,
 368                                info);
 369 
 370                 if (len != sizeof(*crypto_info_aes_gcm_128)) {
 371                         rc = -EINVAL;
 372                         goto out;
 373                 }
 374                 lock_sock(sk);
 375                 memcpy(crypto_info_aes_gcm_128->iv,
 376                        ctx->tx.iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
 377                        TLS_CIPHER_AES_GCM_128_IV_SIZE);
 378                 memcpy(crypto_info_aes_gcm_128->rec_seq, ctx->tx.rec_seq,
 379                        TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
 380                 release_sock(sk);
 381                 if (copy_to_user(optval,
 382                                  crypto_info_aes_gcm_128,
 383                                  sizeof(*crypto_info_aes_gcm_128)))
 384                         rc = -EFAULT;
 385                 break;
 386         }
 387         case TLS_CIPHER_AES_GCM_256: {
 388                 struct tls12_crypto_info_aes_gcm_256 *
 389                   crypto_info_aes_gcm_256 =
 390                   container_of(crypto_info,
 391                                struct tls12_crypto_info_aes_gcm_256,
 392                                info);
 393 
 394                 if (len != sizeof(*crypto_info_aes_gcm_256)) {
 395                         rc = -EINVAL;
 396                         goto out;
 397                 }
 398                 lock_sock(sk);
 399                 memcpy(crypto_info_aes_gcm_256->iv,
 400                        ctx->tx.iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE,
 401                        TLS_CIPHER_AES_GCM_256_IV_SIZE);
 402                 memcpy(crypto_info_aes_gcm_256->rec_seq, ctx->tx.rec_seq,
 403                        TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
 404                 release_sock(sk);
 405                 if (copy_to_user(optval,
 406                                  crypto_info_aes_gcm_256,
 407                                  sizeof(*crypto_info_aes_gcm_256)))
 408                         rc = -EFAULT;
 409                 break;
 410         }
 411         default:
 412                 rc = -EINVAL;
 413         }
 414 
 415 out:
 416         return rc;
 417 }
 418 
 419 static int do_tls_getsockopt(struct sock *sk, int optname,
 420                              char __user *optval, int __user *optlen)
 421 {
 422         int rc = 0;
 423 
 424         switch (optname) {
 425         case TLS_TX:
 426                 rc = do_tls_getsockopt_tx(sk, optval, optlen);
 427                 break;
 428         default:
 429                 rc = -ENOPROTOOPT;
 430                 break;
 431         }
 432         return rc;
 433 }
 434 
 435 static int tls_getsockopt(struct sock *sk, int level, int optname,
 436                           char __user *optval, int __user *optlen)
 437 {
 438         struct tls_context *ctx = tls_get_ctx(sk);
 439 
 440         if (level != SOL_TLS)
 441                 return ctx->sk_proto->getsockopt(sk, level,
 442                                                  optname, optval, optlen);
 443 
 444         return do_tls_getsockopt(sk, optname, optval, optlen);
 445 }
 446 
 447 static int do_tls_setsockopt_conf(struct sock *sk, char __user *optval,
 448                                   unsigned int optlen, int tx)
 449 {
 450         struct tls_crypto_info *crypto_info;
 451         struct tls_crypto_info *alt_crypto_info;
 452         struct tls_context *ctx = tls_get_ctx(sk);
 453         size_t optsize;
 454         int rc = 0;
 455         int conf;
 456 
 457         if (!optval || (optlen < sizeof(*crypto_info))) {
 458                 rc = -EINVAL;
 459                 goto out;
 460         }
 461 
 462         if (tx) {
 463                 crypto_info = &ctx->crypto_send.info;
 464                 alt_crypto_info = &ctx->crypto_recv.info;
 465         } else {
 466                 crypto_info = &ctx->crypto_recv.info;
 467                 alt_crypto_info = &ctx->crypto_send.info;
 468         }
 469 
 470         /* Currently we don't support set crypto info more than one time */
 471         if (TLS_CRYPTO_INFO_READY(crypto_info)) {
 472                 rc = -EBUSY;
 473                 goto out;
 474         }
 475 
 476         rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info));
 477         if (rc) {
 478                 rc = -EFAULT;
 479                 goto err_crypto_info;
 480         }
 481 
 482         /* check version */
 483         if (crypto_info->version != TLS_1_2_VERSION &&
 484             crypto_info->version != TLS_1_3_VERSION) {
 485                 rc = -EINVAL;
 486                 goto err_crypto_info;
 487         }
 488 
 489         /* Ensure that TLS version and ciphers are same in both directions */
 490         if (TLS_CRYPTO_INFO_READY(alt_crypto_info)) {
 491                 if (alt_crypto_info->version != crypto_info->version ||
 492                     alt_crypto_info->cipher_type != crypto_info->cipher_type) {
 493                         rc = -EINVAL;
 494                         goto err_crypto_info;
 495                 }
 496         }
 497 
 498         switch (crypto_info->cipher_type) {
 499         case TLS_CIPHER_AES_GCM_128:
 500                 optsize = sizeof(struct tls12_crypto_info_aes_gcm_128);
 501                 break;
 502         case TLS_CIPHER_AES_GCM_256: {
 503                 optsize = sizeof(struct tls12_crypto_info_aes_gcm_256);
 504                 break;
 505         }
 506         case TLS_CIPHER_AES_CCM_128:
 507                 optsize = sizeof(struct tls12_crypto_info_aes_ccm_128);
 508                 break;
 509         default:
 510                 rc = -EINVAL;
 511                 goto err_crypto_info;
 512         }
 513 
 514         if (optlen != optsize) {
 515                 rc = -EINVAL;
 516                 goto err_crypto_info;
 517         }
 518 
 519         rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info),
 520                             optlen - sizeof(*crypto_info));
 521         if (rc) {
 522                 rc = -EFAULT;
 523                 goto err_crypto_info;
 524         }
 525 
 526         if (tx) {
 527                 rc = tls_set_device_offload(sk, ctx);
 528                 conf = TLS_HW;
 529                 if (rc) {
 530                         rc = tls_set_sw_offload(sk, ctx, 1);
 531                         if (rc)
 532                                 goto err_crypto_info;
 533                         conf = TLS_SW;
 534                 }
 535         } else {
 536                 rc = tls_set_device_offload_rx(sk, ctx);
 537                 conf = TLS_HW;
 538                 if (rc) {
 539                         rc = tls_set_sw_offload(sk, ctx, 0);
 540                         if (rc)
 541                                 goto err_crypto_info;
 542                         conf = TLS_SW;
 543                 }
 544                 tls_sw_strparser_arm(sk, ctx);
 545         }
 546 
 547         if (tx)
 548                 ctx->tx_conf = conf;
 549         else
 550                 ctx->rx_conf = conf;
 551         update_sk_prot(sk, ctx);
 552         if (tx) {
 553                 ctx->sk_write_space = sk->sk_write_space;
 554                 sk->sk_write_space = tls_write_space;
 555         } else {
 556                 sk->sk_socket->ops = &tls_sw_proto_ops;
 557         }
 558         goto out;
 559 
 560 err_crypto_info:
 561         memzero_explicit(crypto_info, sizeof(union tls_crypto_context));
 562 out:
 563         return rc;
 564 }
 565 
 566 static int do_tls_setsockopt(struct sock *sk, int optname,
 567                              char __user *optval, unsigned int optlen)
 568 {
 569         int rc = 0;
 570 
 571         switch (optname) {
 572         case TLS_TX:
 573         case TLS_RX:
 574                 lock_sock(sk);
 575                 rc = do_tls_setsockopt_conf(sk, optval, optlen,
 576                                             optname == TLS_TX);
 577                 release_sock(sk);
 578                 break;
 579         default:
 580                 rc = -ENOPROTOOPT;
 581                 break;
 582         }
 583         return rc;
 584 }
 585 
 586 static int tls_setsockopt(struct sock *sk, int level, int optname,
 587                           char __user *optval, unsigned int optlen)
 588 {
 589         struct tls_context *ctx = tls_get_ctx(sk);
 590 
 591         if (level != SOL_TLS)
 592                 return ctx->sk_proto->setsockopt(sk, level, optname, optval,
 593                                                  optlen);
 594 
 595         return do_tls_setsockopt(sk, optname, optval, optlen);
 596 }
 597 
 598 static struct tls_context *create_ctx(struct sock *sk)
 599 {
 600         struct inet_connection_sock *icsk = inet_csk(sk);
 601         struct tls_context *ctx;
 602 
 603         ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
 604         if (!ctx)
 605                 return NULL;
 606 
 607         mutex_init(&ctx->tx_lock);
 608         rcu_assign_pointer(icsk->icsk_ulp_data, ctx);
 609         ctx->sk_proto = sk->sk_prot;
 610         return ctx;
 611 }
 612 
 613 static void tls_build_proto(struct sock *sk)
 614 {
 615         int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
 616 
 617         /* Build IPv6 TLS whenever the address of tcpv6 _prot changes */
 618         if (ip_ver == TLSV6 &&
 619             unlikely(sk->sk_prot != smp_load_acquire(&saved_tcpv6_prot))) {
 620                 mutex_lock(&tcpv6_prot_mutex);
 621                 if (likely(sk->sk_prot != saved_tcpv6_prot)) {
 622                         build_protos(tls_prots[TLSV6], sk->sk_prot);
 623                         smp_store_release(&saved_tcpv6_prot, sk->sk_prot);
 624                 }
 625                 mutex_unlock(&tcpv6_prot_mutex);
 626         }
 627 
 628         if (ip_ver == TLSV4 &&
 629             unlikely(sk->sk_prot != smp_load_acquire(&saved_tcpv4_prot))) {
 630                 mutex_lock(&tcpv4_prot_mutex);
 631                 if (likely(sk->sk_prot != saved_tcpv4_prot)) {
 632                         build_protos(tls_prots[TLSV4], sk->sk_prot);
 633                         smp_store_release(&saved_tcpv4_prot, sk->sk_prot);
 634                 }
 635                 mutex_unlock(&tcpv4_prot_mutex);
 636         }
 637 }
 638 
 639 static void tls_hw_sk_destruct(struct sock *sk)
 640 {
 641         struct tls_context *ctx = tls_get_ctx(sk);
 642         struct inet_connection_sock *icsk = inet_csk(sk);
 643 
 644         ctx->sk_destruct(sk);
 645         /* Free ctx */
 646         rcu_assign_pointer(icsk->icsk_ulp_data, NULL);
 647         tls_ctx_free(sk, ctx);
 648 }
 649 
 650 static int tls_hw_prot(struct sock *sk)
 651 {
 652         struct tls_context *ctx;
 653         struct tls_device *dev;
 654         int rc = 0;
 655 
 656         spin_lock_bh(&device_spinlock);
 657         list_for_each_entry(dev, &device_list, dev_list) {
 658                 if (dev->feature && dev->feature(dev)) {
 659                         ctx = create_ctx(sk);
 660                         if (!ctx)
 661                                 goto out;
 662 
 663                         spin_unlock_bh(&device_spinlock);
 664                         tls_build_proto(sk);
 665                         ctx->sk_destruct = sk->sk_destruct;
 666                         sk->sk_destruct = tls_hw_sk_destruct;
 667                         ctx->rx_conf = TLS_HW_RECORD;
 668                         ctx->tx_conf = TLS_HW_RECORD;
 669                         update_sk_prot(sk, ctx);
 670                         spin_lock_bh(&device_spinlock);
 671                         rc = 1;
 672                         break;
 673                 }
 674         }
 675 out:
 676         spin_unlock_bh(&device_spinlock);
 677         return rc;
 678 }
 679 
 680 static void tls_hw_unhash(struct sock *sk)
 681 {
 682         struct tls_context *ctx = tls_get_ctx(sk);
 683         struct tls_device *dev;
 684 
 685         spin_lock_bh(&device_spinlock);
 686         list_for_each_entry(dev, &device_list, dev_list) {
 687                 if (dev->unhash) {
 688                         kref_get(&dev->kref);
 689                         spin_unlock_bh(&device_spinlock);
 690                         dev->unhash(dev, sk);
 691                         kref_put(&dev->kref, dev->release);
 692                         spin_lock_bh(&device_spinlock);
 693                 }
 694         }
 695         spin_unlock_bh(&device_spinlock);
 696         ctx->sk_proto->unhash(sk);
 697 }
 698 
 699 static int tls_hw_hash(struct sock *sk)
 700 {
 701         struct tls_context *ctx = tls_get_ctx(sk);
 702         struct tls_device *dev;
 703         int err;
 704 
 705         err = ctx->sk_proto->hash(sk);
 706         spin_lock_bh(&device_spinlock);
 707         list_for_each_entry(dev, &device_list, dev_list) {
 708                 if (dev->hash) {
 709                         kref_get(&dev->kref);
 710                         spin_unlock_bh(&device_spinlock);
 711                         err |= dev->hash(dev, sk);
 712                         kref_put(&dev->kref, dev->release);
 713                         spin_lock_bh(&device_spinlock);
 714                 }
 715         }
 716         spin_unlock_bh(&device_spinlock);
 717 
 718         if (err)
 719                 tls_hw_unhash(sk);
 720         return err;
 721 }
 722 
 723 static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
 724                          struct proto *base)
 725 {
 726         prot[TLS_BASE][TLS_BASE] = *base;
 727         prot[TLS_BASE][TLS_BASE].setsockopt     = tls_setsockopt;
 728         prot[TLS_BASE][TLS_BASE].getsockopt     = tls_getsockopt;
 729         prot[TLS_BASE][TLS_BASE].close          = tls_sk_proto_close;
 730 
 731         prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
 732         prot[TLS_SW][TLS_BASE].sendmsg          = tls_sw_sendmsg;
 733         prot[TLS_SW][TLS_BASE].sendpage         = tls_sw_sendpage;
 734 
 735         prot[TLS_BASE][TLS_SW] = prot[TLS_BASE][TLS_BASE];
 736         prot[TLS_BASE][TLS_SW].recvmsg            = tls_sw_recvmsg;
 737         prot[TLS_BASE][TLS_SW].stream_memory_read = tls_sw_stream_read;
 738         prot[TLS_BASE][TLS_SW].close              = tls_sk_proto_close;
 739 
 740         prot[TLS_SW][TLS_SW] = prot[TLS_SW][TLS_BASE];
 741         prot[TLS_SW][TLS_SW].recvmsg            = tls_sw_recvmsg;
 742         prot[TLS_SW][TLS_SW].stream_memory_read = tls_sw_stream_read;
 743         prot[TLS_SW][TLS_SW].close              = tls_sk_proto_close;
 744 
 745 #ifdef CONFIG_TLS_DEVICE
 746         prot[TLS_HW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
 747         prot[TLS_HW][TLS_BASE].sendmsg          = tls_device_sendmsg;
 748         prot[TLS_HW][TLS_BASE].sendpage         = tls_device_sendpage;
 749 
 750         prot[TLS_HW][TLS_SW] = prot[TLS_BASE][TLS_SW];
 751         prot[TLS_HW][TLS_SW].sendmsg            = tls_device_sendmsg;
 752         prot[TLS_HW][TLS_SW].sendpage           = tls_device_sendpage;
 753 
 754         prot[TLS_BASE][TLS_HW] = prot[TLS_BASE][TLS_SW];
 755 
 756         prot[TLS_SW][TLS_HW] = prot[TLS_SW][TLS_SW];
 757 
 758         prot[TLS_HW][TLS_HW] = prot[TLS_HW][TLS_SW];
 759 #endif
 760 
 761         prot[TLS_HW_RECORD][TLS_HW_RECORD] = *base;
 762         prot[TLS_HW_RECORD][TLS_HW_RECORD].hash         = tls_hw_hash;
 763         prot[TLS_HW_RECORD][TLS_HW_RECORD].unhash       = tls_hw_unhash;
 764 }
 765 
 766 static int tls_init(struct sock *sk)
 767 {
 768         struct tls_context *ctx;
 769         int rc = 0;
 770 
 771         if (tls_hw_prot(sk))
 772                 return 0;
 773 
 774         /* The TLS ulp is currently supported only for TCP sockets
 775          * in ESTABLISHED state.
 776          * Supporting sockets in LISTEN state will require us
 777          * to modify the accept implementation to clone rather then
 778          * share the ulp context.
 779          */
 780         if (sk->sk_state != TCP_ESTABLISHED)
 781                 return -ENOTCONN;
 782 
 783         tls_build_proto(sk);
 784 
 785         /* allocate tls context */
 786         write_lock_bh(&sk->sk_callback_lock);
 787         ctx = create_ctx(sk);
 788         if (!ctx) {
 789                 rc = -ENOMEM;
 790                 goto out;
 791         }
 792 
 793         ctx->tx_conf = TLS_BASE;
 794         ctx->rx_conf = TLS_BASE;
 795         update_sk_prot(sk, ctx);
 796 out:
 797         write_unlock_bh(&sk->sk_callback_lock);
 798         return rc;
 799 }
 800 
 801 static void tls_update(struct sock *sk, struct proto *p,
 802                        void (*write_space)(struct sock *sk))
 803 {
 804         struct tls_context *ctx;
 805 
 806         ctx = tls_get_ctx(sk);
 807         if (likely(ctx)) {
 808                 ctx->sk_write_space = write_space;
 809                 ctx->sk_proto = p;
 810         } else {
 811                 sk->sk_prot = p;
 812                 sk->sk_write_space = write_space;
 813         }
 814 }
 815 
 816 static int tls_get_info(const struct sock *sk, struct sk_buff *skb)
 817 {
 818         u16 version, cipher_type;
 819         struct tls_context *ctx;
 820         struct nlattr *start;
 821         int err;
 822 
 823         start = nla_nest_start_noflag(skb, INET_ULP_INFO_TLS);
 824         if (!start)
 825                 return -EMSGSIZE;
 826 
 827         rcu_read_lock();
 828         ctx = rcu_dereference(inet_csk(sk)->icsk_ulp_data);
 829         if (!ctx) {
 830                 err = 0;
 831                 goto nla_failure;
 832         }
 833         version = ctx->prot_info.version;
 834         if (version) {
 835                 err = nla_put_u16(skb, TLS_INFO_VERSION, version);
 836                 if (err)
 837                         goto nla_failure;
 838         }
 839         cipher_type = ctx->prot_info.cipher_type;
 840         if (cipher_type) {
 841                 err = nla_put_u16(skb, TLS_INFO_CIPHER, cipher_type);
 842                 if (err)
 843                         goto nla_failure;
 844         }
 845         err = nla_put_u16(skb, TLS_INFO_TXCONF, tls_user_config(ctx, true));
 846         if (err)
 847                 goto nla_failure;
 848 
 849         err = nla_put_u16(skb, TLS_INFO_RXCONF, tls_user_config(ctx, false));
 850         if (err)
 851                 goto nla_failure;
 852 
 853         rcu_read_unlock();
 854         nla_nest_end(skb, start);
 855         return 0;
 856 
 857 nla_failure:
 858         rcu_read_unlock();
 859         nla_nest_cancel(skb, start);
 860         return err;
 861 }
 862 
 863 static size_t tls_get_info_size(const struct sock *sk)
 864 {
 865         size_t size = 0;
 866 
 867         size += nla_total_size(0) +             /* INET_ULP_INFO_TLS */
 868                 nla_total_size(sizeof(u16)) +   /* TLS_INFO_VERSION */
 869                 nla_total_size(sizeof(u16)) +   /* TLS_INFO_CIPHER */
 870                 nla_total_size(sizeof(u16)) +   /* TLS_INFO_RXCONF */
 871                 nla_total_size(sizeof(u16)) +   /* TLS_INFO_TXCONF */
 872                 0;
 873 
 874         return size;
 875 }
 876 
 877 void tls_register_device(struct tls_device *device)
 878 {
 879         spin_lock_bh(&device_spinlock);
 880         list_add_tail(&device->dev_list, &device_list);
 881         spin_unlock_bh(&device_spinlock);
 882 }
 883 EXPORT_SYMBOL(tls_register_device);
 884 
 885 void tls_unregister_device(struct tls_device *device)
 886 {
 887         spin_lock_bh(&device_spinlock);
 888         list_del(&device->dev_list);
 889         spin_unlock_bh(&device_spinlock);
 890 }
 891 EXPORT_SYMBOL(tls_unregister_device);
 892 
 893 static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
 894         .name                   = "tls",
 895         .owner                  = THIS_MODULE,
 896         .init                   = tls_init,
 897         .update                 = tls_update,
 898         .get_info               = tls_get_info,
 899         .get_info_size          = tls_get_info_size,
 900 };
 901 
 902 static int __init tls_register(void)
 903 {
 904         tls_sw_proto_ops = inet_stream_ops;
 905         tls_sw_proto_ops.splice_read = tls_sw_splice_read;
 906         tls_sw_proto_ops.sendpage_locked   = tls_sw_sendpage_locked,
 907 
 908         tls_device_init();
 909         tcp_register_ulp(&tcp_tls_ulp_ops);
 910 
 911         return 0;
 912 }
 913 
 914 static void __exit tls_unregister(void)
 915 {
 916         tcp_unregister_ulp(&tcp_tls_ulp_ops);
 917         tls_device_cleanup();
 918 }
 919 
 920 module_init(tls_register);
 921 module_exit(tls_unregister);

/* [<][>][^][v][top][bottom][index][help] */