]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blame - net/tls/tls_main.c
projects / mirror_ubuntu-hirsute-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
hv_netvsc: Fix a warning of suspicious RCU usage
[mirror_ubuntu-hirsute-kernel.git] / net / tls / tls_main.c
CommitLineData
3c4d7559
DW		 1/*
2 * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
3 * Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved.
4 *
5 * This software is available to you under a choice of one of two
6 * licenses. You may choose to be licensed under the terms of the GNU
7 * General Public License (GPL) Version 2, available from the file
8 * COPYING in the main directory of this source tree, or the
9 * OpenIB.org BSD license below:
10 *
11 * Redistribution and use in source and binary forms, with or
12 * without modification, are permitted provided that the following
13 * conditions are met:
14 *
15 * - Redistributions of source code must retain the above
16 * copyright notice, this list of conditions and the following
17 * disclaimer.
18 *
19 * - Redistributions in binary form must reproduce the above
20 * copyright notice, this list of conditions and the following
21 * disclaimer in the documentation and/or other materials
22 * provided with the distribution.
23 *
24 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
25 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
26 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
27 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
28 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
29 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
30 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
31 * SOFTWARE.
32 */
33
34#include <linux/module.h>
35
36#include <net/tcp.h>
37#include <net/inet_common.h>
38#include <linux/highmem.h>
39#include <linux/netdevice.h>
40#include <linux/sched/signal.h>
dd0bed16 41#include <linux/inetdevice.h>
3c4d7559
DW		 42
43#include <net/tls.h>
44
45MODULE_AUTHOR("Mellanox Technologies");
46MODULE_DESCRIPTION("Transport Layer Security Support");
47MODULE_LICENSE("Dual BSD/GPL");
037b0b86 48MODULE_ALIAS_TCP_ULP("tls");
3c4d7559 49
c113187d
BP		 50enum {
51 TLSV4,
52 TLSV6,
53 TLS_NUM_PROTS,
54};
6d88207f 55
c113187d
BP		 56static struct proto *saved_tcpv6_prot;
57static DEFINE_MUTEX(tcpv6_prot_mutex);
28cb6f1e
JF		 58static struct proto *saved_tcpv4_prot;
59static DEFINE_MUTEX(tcpv4_prot_mutex);
dd0bed16 60static LIST_HEAD(device_list);
df9d4a17 61static DEFINE_SPINLOCK(device_spinlock);
f66de3ee 62static struct proto tls_prots[TLS_NUM_PROTS][TLS_NUM_CONFIG][TLS_NUM_CONFIG];
c46234eb 63static struct proto_ops tls_sw_proto_ops;
63a6b3fe
AG		 64static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
65 struct proto *base);
6d88207f 66
f66de3ee 67static void update_sk_prot(struct sock *sk, struct tls_context *ctx)
6d88207f 68{
c113187d
BP		 69 int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
70
f66de3ee 71 sk->sk_prot = &tls_prots[ip_ver][ctx->tx_conf][ctx->rx_conf];
6d88207f 72}
3c4d7559
DW		 73
74int wait_on_pending_writer(struct sock *sk, long *timeo)
75{
76 int rc = 0;
77 DEFINE_WAIT_FUNC(wait, woken_wake_function);
78
79 add_wait_queue(sk_sleep(sk), &wait);
80 while (1) {
81 if (!*timeo) {
82 rc = -EAGAIN;
83 break;
84 }
85
86 if (signal_pending(current)) {
87 rc = sock_intr_errno(*timeo);
88 break;
89 }
90
91 if (sk_wait_event(sk, timeo, !sk->sk_write_pending, &wait))
92 break;
93 }
94 remove_wait_queue(sk_sleep(sk), &wait);
95 return rc;
96}
97
98int tls_push_sg(struct sock *sk,
99 struct tls_context *ctx,
100 struct scatterlist *sg,
101 u16 first_offset,
102 int flags)
103{
104 int sendpage_flags = flags | MSG_SENDPAGE_NOTLAST;
105 int ret = 0;
106 struct page *p;
107 size_t size;
108 int offset = first_offset;
109
110 size = sg->length - offset;
111 offset += sg->offset;
112
c212d2c7 113 ctx->in_tcp_sendpages = true;
3c4d7559
DW		 114 while (1) {
115 if (sg_is_last(sg))
116 sendpage_flags = flags;
117
118 /* is sending application-limited? */
119 tcp_rate_check_app_limited(sk);
120 p = sg_page(sg);
121retry:
122 ret = do_tcp_sendpages(sk, p, offset, size, sendpage_flags);
123
124 if (ret != size) {
125 if (ret > 0) {
126 offset += ret;
127 size -= ret;
128 goto retry;
129 }
130
131 offset -= sg->offset;
132 ctx->partially_sent_offset = offset;
133 ctx->partially_sent_record = (void *)sg;
080324c3 134 ctx->in_tcp_sendpages = false;
3c4d7559
DW		 135 return ret;
136 }
137
138 put_page(p);
139 sk_mem_uncharge(sk, sg->length);
140 sg = sg_next(sg);
141 if (!sg)
142 break;
143
144 offset = sg->offset;
145 size = sg->length;
146 }
147
c212d2c7 148 ctx->in_tcp_sendpages = false;
3c4d7559
DW		 149
150 return 0;
151}
152
153static int tls_handle_open_record(struct sock *sk, int flags)
154{
155 struct tls_context *ctx = tls_get_ctx(sk);
156
157 if (tls_is_pending_open_record(ctx))
158 return ctx->push_pending_record(sk, flags);
159
160 return 0;
161}
162
163int tls_proccess_cmsg(struct sock *sk, struct msghdr *msg,
164 unsigned char *record_type)
165{
166 struct cmsghdr *cmsg;
167 int rc = -EINVAL;
168
169 for_each_cmsghdr(cmsg, msg) {
170 if (!CMSG_OK(msg, cmsg))
171 return -EINVAL;
172 if (cmsg->cmsg_level != SOL_TLS)
173 continue;
174
175 switch (cmsg->cmsg_type) {
176 case TLS_SET_RECORD_TYPE:
177 if (cmsg->cmsg_len < CMSG_LEN(sizeof(*record_type)))
178 return -EINVAL;
179
180 if (msg->msg_flags & MSG_MORE)
181 return -EINVAL;
182
183 rc = tls_handle_open_record(sk, msg->msg_flags);
184 if (rc)
185 return rc;
186
187 *record_type = *(unsigned char *)CMSG_DATA(cmsg);
188 rc = 0;
189 break;
190 default:
191 return -EINVAL;
192 }
193 }
194
195 return rc;
196}
197
a42055e8
VG		 198int tls_push_partial_record(struct sock *sk, struct tls_context *ctx,
199 int flags)
3c4d7559
DW		 200{
201 struct scatterlist *sg;
202 u16 offset;
203
3c4d7559
DW		 204 sg = ctx->partially_sent_record;
205 offset = ctx->partially_sent_offset;
206
207 ctx->partially_sent_record = NULL;
208 return tls_push_sg(sk, ctx, sg, offset, flags);
209}
210
35b71a34
JK		 211bool tls_free_partial_record(struct sock *sk, struct tls_context *ctx)
212{
213 struct scatterlist *sg;
214
215 sg = ctx->partially_sent_record;
216 if (!sg)
217 return false;
218
219 while (1) {
220 put_page(sg_page(sg));
221 sk_mem_uncharge(sk, sg->length);
222
223 if (sg_is_last(sg))
224 break;
225 sg++;
226 }
227 ctx->partially_sent_record = NULL;
228 return true;
229}
230
3c4d7559
DW		 231static void tls_write_space(struct sock *sk)
232{
233 struct tls_context *ctx = tls_get_ctx(sk);
234
67db7cd2
JF		 235 /* If in_tcp_sendpages call lower protocol write space handler
236 * to ensure we wake up any waiting operations there. For example
237 * if do_tcp_sendpages where to call sk_wait_event.
238 */
239 if (ctx->in_tcp_sendpages) {
240 ctx->sk_write_space(sk);
c212d2c7 241 return;
67db7cd2 242 }
c212d2c7 243
7463d3a2
BP		 244#ifdef CONFIG_TLS_DEVICE
245 if (ctx->tx_conf == TLS_HW)
246 tls_device_write_space(sk, ctx);
247 else
248#endif
249 tls_sw_write_space(sk, ctx);
4504ab0e
VG		 250
251 ctx->sk_write_space(sk);
3c4d7559
DW		 252}
253
acd3e96d 254void tls_ctx_free(struct tls_context *ctx)
86029d10
SD		 255{
256 if (!ctx)
257 return;
258
259 memzero_explicit(&ctx->crypto_send, sizeof(ctx->crypto_send));
260 memzero_explicit(&ctx->crypto_recv, sizeof(ctx->crypto_recv));
261 kfree(ctx);
262}
263
313ab004
JF		 264static void tls_sk_proto_cleanup(struct sock *sk,
265 struct tls_context *ctx, long timeo)
3c4d7559 266{
9354544c
DM		 267 if (unlikely(sk->sk_write_pending) &&
268 !wait_on_pending_writer(sk, &timeo))
3c4d7559
DW		 269 tls_handle_open_record(sk, 0);
270
f66de3ee
BP		 271 /* We need these for tls_sw_fallback handling of other packets */
272 if (ctx->tx_conf == TLS_SW) {
273 kfree(ctx->tx.rec_seq);
274 kfree(ctx->tx.iv);
313ab004 275 tls_sw_release_resources_tx(sk);
903f1a18 276#ifdef CONFIG_TLS_DEVICE
35b71a34
JK		 277 } else if (ctx->tx_conf == TLS_HW) {
278 tls_device_free_resources_tx(sk);
903f1a18 279#endif
f66de3ee 280 }
3c4d7559 281
12c76861 282 if (ctx->rx_conf == TLS_SW)
313ab004 283 tls_sw_release_resources_rx(sk);
3c4d7559 284
e8f69799 285#ifdef CONFIG_TLS_DEVICE
4799ac81
BP		 286 if (ctx->rx_conf == TLS_HW)
287 tls_device_offload_cleanup_rx(sk);
e8f69799 288#endif
313ab004
JF		 289}
290
291static void tls_sk_proto_close(struct sock *sk, long timeout)
292{
95fa1454 293 struct inet_connection_sock *icsk = inet_csk(sk);
313ab004
JF		 294 struct tls_context *ctx = tls_get_ctx(sk);
295 long timeo = sock_sndtimeo(sk, 0);
296 bool free_ctx;
297
298 if (ctx->tx_conf == TLS_SW)
299 tls_sw_cancel_work_tx(ctx);
300
301 lock_sock(sk);
302 free_ctx = ctx->tx_conf != TLS_HW && ctx->rx_conf != TLS_HW;
313ab004
JF		 303
304 if (ctx->tx_conf != TLS_BASE || ctx->rx_conf != TLS_BASE)
305 tls_sk_proto_cleanup(sk, ctx, timeo);
e8f69799 306
95fa1454
JF		 307 write_lock_bh(&sk->sk_callback_lock);
308 if (free_ctx)
309 icsk->icsk_ulp_data = NULL;
32857cf5 310 sk->sk_prot = ctx->sk_proto;
95fa1454 311 write_unlock_bh(&sk->sk_callback_lock);
3c4d7559 312 release_sock(sk);
313ab004
JF		 313 if (ctx->tx_conf == TLS_SW)
314 tls_sw_free_ctx_tx(ctx);
315 if (ctx->rx_conf == TLS_SW || ctx->rx_conf == TLS_HW)
316 tls_sw_strparser_done(ctx);
317 if (ctx->rx_conf == TLS_SW)
318 tls_sw_free_ctx_rx(ctx);
95fa1454 319 ctx->sk_proto_close(sk, timeout);
313ab004 320
98f0a395 321 if (free_ctx)
86029d10 322 tls_ctx_free(ctx);
3c4d7559
DW		 323}
324
325static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
326 int __user *optlen)
327{
328 int rc = 0;
329 struct tls_context *ctx = tls_get_ctx(sk);
330 struct tls_crypto_info *crypto_info;
331 int len;
332
333 if (get_user(len, optlen))
334 return -EFAULT;
335
336 if (!optval || (len < sizeof(*crypto_info))) {
337 rc = -EINVAL;
338 goto out;
339 }
340
341 if (!ctx) {
342 rc = -EBUSY;
343 goto out;
344 }
345
346 /* get user crypto info */
86029d10 347 crypto_info = &ctx->crypto_send.info;
3c4d7559
DW		 348
349 if (!TLS_CRYPTO_INFO_READY(crypto_info)) {
350 rc = -EBUSY;
351 goto out;
352 }
353
5a3b886c 354 if (len == sizeof(*crypto_info)) {
ac55cd61
DC		 355 if (copy_to_user(optval, crypto_info, sizeof(*crypto_info)))
356 rc = -EFAULT;
3c4d7559
DW		 357 goto out;
358 }
359
360 switch (crypto_info->cipher_type) {
361 case TLS_CIPHER_AES_GCM_128: {
362 struct tls12_crypto_info_aes_gcm_128 *
363 crypto_info_aes_gcm_128 =
364 container_of(crypto_info,
365 struct tls12_crypto_info_aes_gcm_128,
366 info);
367
368 if (len != sizeof(*crypto_info_aes_gcm_128)) {
369 rc = -EINVAL;
370 goto out;
371 }
372 lock_sock(sk);
a1dfa681 373 memcpy(crypto_info_aes_gcm_128->iv,
dbe42559 374 ctx->tx.iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
3c4d7559 375 TLS_CIPHER_AES_GCM_128_IV_SIZE);
dbe42559 376 memcpy(crypto_info_aes_gcm_128->rec_seq, ctx->tx.rec_seq,
c410c196 377 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
3c4d7559 378 release_sock(sk);
ac55cd61
DC		 379 if (copy_to_user(optval,
380 crypto_info_aes_gcm_128,
381 sizeof(*crypto_info_aes_gcm_128)))
382 rc = -EFAULT;
3c4d7559
DW		 383 break;
384 }
fb99bce7
DW		 385 case TLS_CIPHER_AES_GCM_256: {
386 struct tls12_crypto_info_aes_gcm_256 *
387 crypto_info_aes_gcm_256 =
388 container_of(crypto_info,
389 struct tls12_crypto_info_aes_gcm_256,
390 info);
391
392 if (len != sizeof(*crypto_info_aes_gcm_256)) {
393 rc = -EINVAL;
394 goto out;
395 }
396 lock_sock(sk);
397 memcpy(crypto_info_aes_gcm_256->iv,
398 ctx->tx.iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE,
399 TLS_CIPHER_AES_GCM_256_IV_SIZE);
400 memcpy(crypto_info_aes_gcm_256->rec_seq, ctx->tx.rec_seq,
401 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
402 release_sock(sk);
403 if (copy_to_user(optval,
404 crypto_info_aes_gcm_256,
405 sizeof(*crypto_info_aes_gcm_256)))
406 rc = -EFAULT;
407 break;
408 }
3c4d7559
DW		 409 default:
410 rc = -EINVAL;
411 }
412
413out:
414 return rc;
415}
416
417static int do_tls_getsockopt(struct sock *sk, int optname,
418 char __user *optval, int __user *optlen)
419{
420 int rc = 0;
421
422 switch (optname) {
423 case TLS_TX:
424 rc = do_tls_getsockopt_tx(sk, optval, optlen);
425 break;
426 default:
427 rc = -ENOPROTOOPT;
428 break;
429 }
430 return rc;
431}
432
433static int tls_getsockopt(struct sock *sk, int level, int optname,
434 char __user *optval, int __user *optlen)
435{
436 struct tls_context *ctx = tls_get_ctx(sk);
437
438 if (level != SOL_TLS)
439 return ctx->getsockopt(sk, level, optname, optval, optlen);
440
441 return do_tls_getsockopt(sk, optname, optval, optlen);
442}
443
c46234eb
DW		 444static int do_tls_setsockopt_conf(struct sock *sk, char __user *optval,
445 unsigned int optlen, int tx)
3c4d7559 446{
196c31b4 447 struct tls_crypto_info *crypto_info;
4509de14 448 struct tls_crypto_info *alt_crypto_info;
3c4d7559 449 struct tls_context *ctx = tls_get_ctx(sk);
fb99bce7 450 size_t optsize;
3c4d7559 451 int rc = 0;
58371585 452 int conf;
3c4d7559
DW		 453
454 if (!optval || (optlen < sizeof(*crypto_info))) {
455 rc = -EINVAL;
456 goto out;
457 }
458
4509de14 459 if (tx) {
86029d10 460 crypto_info = &ctx->crypto_send.info;
4509de14
VG		 461 alt_crypto_info = &ctx->crypto_recv.info;
462 } else {
86029d10 463 crypto_info = &ctx->crypto_recv.info;
4509de14
VG		 464 alt_crypto_info = &ctx->crypto_send.info;
465 }
c46234eb 466
196c31b4 467 /* Currently we don't support set crypto info more than one time */
877d17c7
SD		 468 if (TLS_CRYPTO_INFO_READY(crypto_info)) {
469 rc = -EBUSY;
196c31b4 470 goto out;
877d17c7 471 }
196c31b4
IL		 472
473 rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info));
3c4d7559
DW		 474 if (rc) {
475 rc = -EFAULT;
257082e6 476 goto err_crypto_info;
3c4d7559
DW		 477 }
478
479 /* check version */
130b392c
DW		 480 if (crypto_info->version != TLS_1_2_VERSION &&
481 crypto_info->version != TLS_1_3_VERSION) {
3c4d7559 482 rc = -ENOTSUPP;
196c31b4 483 goto err_crypto_info;
3c4d7559
DW		 484 }
485
4509de14
VG		 486 /* Ensure that TLS version and ciphers are same in both directions */
487 if (TLS_CRYPTO_INFO_READY(alt_crypto_info)) {
488 if (alt_crypto_info->version != crypto_info->version ||
489 alt_crypto_info->cipher_type != crypto_info->cipher_type) {
490 rc = -EINVAL;
491 goto err_crypto_info;
492 }
493 }
494
196c31b4 495 switch (crypto_info->cipher_type) {
fb99bce7 496 case TLS_CIPHER_AES_GCM_128:
f295b3ae
VG		 497 optsize = sizeof(struct tls12_crypto_info_aes_gcm_128);
498 break;
fb99bce7 499 case TLS_CIPHER_AES_GCM_256: {
f295b3ae 500 optsize = sizeof(struct tls12_crypto_info_aes_gcm_256);
3c4d7559
DW		 501 break;
502 }
f295b3ae
VG		 503 case TLS_CIPHER_AES_CCM_128:
504 optsize = sizeof(struct tls12_crypto_info_aes_ccm_128);
505 break;
3c4d7559
DW		 506 default:
507 rc = -EINVAL;
6db959c8 508 goto err_crypto_info;
3c4d7559
DW		 509 }
510
f295b3ae
VG		 511 if (optlen != optsize) {
512 rc = -EINVAL;
513 goto err_crypto_info;
514 }
515
516 rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info),
517 optlen - sizeof(*crypto_info));
518 if (rc) {
519 rc = -EFAULT;
520 goto err_crypto_info;
521 }
522
c46234eb 523 if (tx) {
e8f69799
IL		 524#ifdef CONFIG_TLS_DEVICE
525 rc = tls_set_device_offload(sk, ctx);
526 conf = TLS_HW;
527 if (rc) {
528#else
529 {
530#endif
531 rc = tls_set_sw_offload(sk, ctx, 1);
318892ac
JK		 532 if (rc)
533 goto err_crypto_info;
e8f69799
IL		 534 conf = TLS_SW;
535 }
c46234eb 536 } else {
4799ac81
BP		 537#ifdef CONFIG_TLS_DEVICE
538 rc = tls_set_device_offload_rx(sk, ctx);
539 conf = TLS_HW;
540 if (rc) {
541#else
542 {
543#endif
544 rc = tls_set_sw_offload(sk, ctx, 0);
318892ac
JK		 545 if (rc)
546 goto err_crypto_info;
4799ac81
BP		 547 conf = TLS_SW;
548 }
313ab004 549 tls_sw_strparser_arm(sk, ctx);
c46234eb
DW		 550 }
551
f66de3ee
BP		 552 if (tx)
553 ctx->tx_conf = conf;
554 else
555 ctx->rx_conf = conf;
6d88207f 556 update_sk_prot(sk, ctx);
c46234eb
DW		 557 if (tx) {
558 ctx->sk_write_space = sk->sk_write_space;
559 sk->sk_write_space = tls_write_space;
560 } else {
561 sk->sk_socket->ops = &tls_sw_proto_ops;
562 }
3c4d7559
DW		 563 goto out;
564
565err_crypto_info:
c844eb46 566 memzero_explicit(crypto_info, sizeof(union tls_crypto_context));
3c4d7559
DW		 567out:
568 return rc;
569}
570
571static int do_tls_setsockopt(struct sock *sk, int optname,
572 char __user *optval, unsigned int optlen)
573{
574 int rc = 0;
575
576 switch (optname) {
577 case TLS_TX:
c46234eb 578 case TLS_RX:
3c4d7559 579 lock_sock(sk);
c46234eb
DW		 580 rc = do_tls_setsockopt_conf(sk, optval, optlen,
581 optname == TLS_TX);
3c4d7559
DW		 582 release_sock(sk);
583 break;
584 default:
585 rc = -ENOPROTOOPT;
586 break;
587 }
588 return rc;
589}
590
591static int tls_setsockopt(struct sock *sk, int level, int optname,
592 char __user *optval, unsigned int optlen)
593{
594 struct tls_context *ctx = tls_get_ctx(sk);
595
596 if (level != SOL_TLS)
597 return ctx->setsockopt(sk, level, optname, optval, optlen);
598
599 return do_tls_setsockopt(sk, optname, optval, optlen);
600}
601
dd0bed16
AG		 602static struct tls_context *create_ctx(struct sock *sk)
603{
604 struct inet_connection_sock *icsk = inet_csk(sk);
605 struct tls_context *ctx;
606
c6ec179a 607 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
dd0bed16
AG		 608 if (!ctx)
609 return NULL;
610
611 icsk->icsk_ulp_data = ctx;
6c0563e4
AG		 612 ctx->setsockopt = sk->sk_prot->setsockopt;
613 ctx->getsockopt = sk->sk_prot->getsockopt;
614 ctx->sk_proto_close = sk->sk_prot->close;
32857cf5 615 ctx->unhash = sk->sk_prot->unhash;
dd0bed16
AG		 616 return ctx;
617}
618
63a6b3fe
AG		 619static void tls_build_proto(struct sock *sk)
620{
621 int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
622
623 /* Build IPv6 TLS whenever the address of tcpv6 _prot changes */
624 if (ip_ver == TLSV6 &&
625 unlikely(sk->sk_prot != smp_load_acquire(&saved_tcpv6_prot))) {
626 mutex_lock(&tcpv6_prot_mutex);
627 if (likely(sk->sk_prot != saved_tcpv6_prot)) {
628 build_protos(tls_prots[TLSV6], sk->sk_prot);
629 smp_store_release(&saved_tcpv6_prot, sk->sk_prot);
630 }
631 mutex_unlock(&tcpv6_prot_mutex);
632 }
633
634 if (ip_ver == TLSV4 &&
635 unlikely(sk->sk_prot != smp_load_acquire(&saved_tcpv4_prot))) {
636 mutex_lock(&tcpv4_prot_mutex);
637 if (likely(sk->sk_prot != saved_tcpv4_prot)) {
638 build_protos(tls_prots[TLSV4], sk->sk_prot);
639 smp_store_release(&saved_tcpv4_prot, sk->sk_prot);
640 }
641 mutex_unlock(&tcpv4_prot_mutex);
642 }
643}
644
76f7164d
AG		 645static void tls_hw_sk_destruct(struct sock *sk)
646{
647 struct tls_context *ctx = tls_get_ctx(sk);
648 struct inet_connection_sock *icsk = inet_csk(sk);
649
650 ctx->sk_destruct(sk);
651 /* Free ctx */
acd3e96d 652 tls_ctx_free(ctx);
76f7164d
AG		 653 icsk->icsk_ulp_data = NULL;
654}
655
dd0bed16
AG		 656static int tls_hw_prot(struct sock *sk)
657{
658 struct tls_context *ctx;
659 struct tls_device *dev;
660 int rc = 0;
661
df9d4a17 662 spin_lock_bh(&device_spinlock);
dd0bed16
AG		 663 list_for_each_entry(dev, &device_list, dev_list) {
664 if (dev->feature && dev->feature(dev)) {
665 ctx = create_ctx(sk);
666 if (!ctx)
667 goto out;
668
63a6b3fe
AG		 669 spin_unlock_bh(&device_spinlock);
670 tls_build_proto(sk);
dd0bed16
AG		 671 ctx->hash = sk->sk_prot->hash;
672 ctx->unhash = sk->sk_prot->unhash;
673 ctx->sk_proto_close = sk->sk_prot->close;
76f7164d
AG		 674 ctx->sk_destruct = sk->sk_destruct;
675 sk->sk_destruct = tls_hw_sk_destruct;
f66de3ee
BP		 676 ctx->rx_conf = TLS_HW_RECORD;
677 ctx->tx_conf = TLS_HW_RECORD;
dd0bed16 678 update_sk_prot(sk, ctx);
63a6b3fe 679 spin_lock_bh(&device_spinlock);
dd0bed16
AG		 680 rc = 1;
681 break;
682 }
683 }
684out:
df9d4a17 685 spin_unlock_bh(&device_spinlock);
dd0bed16
AG		 686 return rc;
687}
688
689static void tls_hw_unhash(struct sock *sk)
690{
691 struct tls_context *ctx = tls_get_ctx(sk);
692 struct tls_device *dev;
693
df9d4a17 694 spin_lock_bh(&device_spinlock);
dd0bed16 695 list_for_each_entry(dev, &device_list, dev_list) {
df9d4a17
AG		 696 if (dev->unhash) {
697 kref_get(&dev->kref);
698 spin_unlock_bh(&device_spinlock);
dd0bed16 699 dev->unhash(dev, sk);
df9d4a17
AG		 700 kref_put(&dev->kref, dev->release);
701 spin_lock_bh(&device_spinlock);
702 }
dd0bed16 703 }
df9d4a17 704 spin_unlock_bh(&device_spinlock);
dd0bed16
AG		 705 ctx->unhash(sk);
706}
707
708static int tls_hw_hash(struct sock *sk)
709{
710 struct tls_context *ctx = tls_get_ctx(sk);
711 struct tls_device *dev;
712 int err;
713
714 err = ctx->hash(sk);
df9d4a17 715 spin_lock_bh(&device_spinlock);
dd0bed16 716 list_for_each_entry(dev, &device_list, dev_list) {
df9d4a17
AG		 717 if (dev->hash) {
718 kref_get(&dev->kref);
719 spin_unlock_bh(&device_spinlock);
dd0bed16 720 err |= dev->hash(dev, sk);
df9d4a17
AG		 721 kref_put(&dev->kref, dev->release);
722 spin_lock_bh(&device_spinlock);
723 }
dd0bed16 724 }
df9d4a17 725 spin_unlock_bh(&device_spinlock);
dd0bed16
AG		 726
727 if (err)
728 tls_hw_unhash(sk);
729 return err;
730}
731
f66de3ee
BP		 732static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
733 struct proto *base)
c113187d 734{
f66de3ee
BP		 735 prot[TLS_BASE][TLS_BASE] = *base;
736 prot[TLS_BASE][TLS_BASE].setsockopt = tls_setsockopt;
737 prot[TLS_BASE][TLS_BASE].getsockopt = tls_getsockopt;
738 prot[TLS_BASE][TLS_BASE].close = tls_sk_proto_close;
739
740 prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
741 prot[TLS_SW][TLS_BASE].sendmsg = tls_sw_sendmsg;
742 prot[TLS_SW][TLS_BASE].sendpage = tls_sw_sendpage;
743
744 prot[TLS_BASE][TLS_SW] = prot[TLS_BASE][TLS_BASE];
924ad65e
JF		 745 prot[TLS_BASE][TLS_SW].recvmsg = tls_sw_recvmsg;
746 prot[TLS_BASE][TLS_SW].stream_memory_read = tls_sw_stream_read;
747 prot[TLS_BASE][TLS_SW].close = tls_sk_proto_close;
f66de3ee
BP		 748
749 prot[TLS_SW][TLS_SW] = prot[TLS_SW][TLS_BASE];
924ad65e
JF		 750 prot[TLS_SW][TLS_SW].recvmsg = tls_sw_recvmsg;
751 prot[TLS_SW][TLS_SW].stream_memory_read = tls_sw_stream_read;
752 prot[TLS_SW][TLS_SW].close = tls_sk_proto_close;
f66de3ee 753
e8f69799
IL		 754#ifdef CONFIG_TLS_DEVICE
755 prot[TLS_HW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
756 prot[TLS_HW][TLS_BASE].sendmsg = tls_device_sendmsg;
757 prot[TLS_HW][TLS_BASE].sendpage = tls_device_sendpage;
758
759 prot[TLS_HW][TLS_SW] = prot[TLS_BASE][TLS_SW];
760 prot[TLS_HW][TLS_SW].sendmsg = tls_device_sendmsg;
761 prot[TLS_HW][TLS_SW].sendpage = tls_device_sendpage;
4799ac81
BP		 762
763 prot[TLS_BASE][TLS_HW] = prot[TLS_BASE][TLS_SW];
764
765 prot[TLS_SW][TLS_HW] = prot[TLS_SW][TLS_SW];
766
767 prot[TLS_HW][TLS_HW] = prot[TLS_HW][TLS_SW];
e8f69799
IL		 768#endif
769
f66de3ee
BP		 770 prot[TLS_HW_RECORD][TLS_HW_RECORD] = *base;
771 prot[TLS_HW_RECORD][TLS_HW_RECORD].hash = tls_hw_hash;
772 prot[TLS_HW_RECORD][TLS_HW_RECORD].unhash = tls_hw_unhash;
c113187d
BP		 773}
774
3c4d7559
DW		 775static int tls_init(struct sock *sk)
776{
3c4d7559
DW		 777 struct tls_context *ctx;
778 int rc = 0;
779
dd0bed16 780 if (tls_hw_prot(sk))
95fa1454 781 return 0;
dd0bed16 782
d91c3e17
IL		 783 /* The TLS ulp is currently supported only for TCP sockets
784 * in ESTABLISHED state.
785 * Supporting sockets in LISTEN state will require us
786 * to modify the accept implementation to clone rather then
787 * share the ulp context.
788 */
789 if (sk->sk_state != TCP_ESTABLISHED)
790 return -ENOTSUPP;
791
95fa1454
JF		 792 tls_build_proto(sk);
793
3c4d7559 794 /* allocate tls context */
95fa1454 795 write_lock_bh(&sk->sk_callback_lock);
dd0bed16 796 ctx = create_ctx(sk);
3c4d7559
DW		 797 if (!ctx) {
798 rc = -ENOMEM;
799 goto out;
800 }
6d88207f 801
f66de3ee
BP		 802 ctx->tx_conf = TLS_BASE;
803 ctx->rx_conf = TLS_BASE;
32857cf5 804 ctx->sk_proto = sk->sk_prot;
6d88207f 805 update_sk_prot(sk, ctx);
3c4d7559 806out:
95fa1454 807 write_unlock_bh(&sk->sk_callback_lock);
3c4d7559
DW		 808 return rc;
809}
810
95fa1454
JF		 811static void tls_update(struct sock *sk, struct proto *p)
812{
813 struct tls_context *ctx;
814
815 ctx = tls_get_ctx(sk);
816 if (likely(ctx)) {
817 ctx->sk_proto_close = p->close;
818 ctx->sk_proto = p;
819 } else {
820 sk->sk_prot = p;
821 }
822}
823
dd0bed16
AG		 824void tls_register_device(struct tls_device *device)
825{
df9d4a17 826 spin_lock_bh(&device_spinlock);
dd0bed16 827 list_add_tail(&device->dev_list, &device_list);
df9d4a17 828 spin_unlock_bh(&device_spinlock);
dd0bed16
AG		 829}
830EXPORT_SYMBOL(tls_register_device);
831
832void tls_unregister_device(struct tls_device *device)
833{
df9d4a17 834 spin_lock_bh(&device_spinlock);
dd0bed16 835 list_del(&device->dev_list);
df9d4a17 836 spin_unlock_bh(&device_spinlock);
dd0bed16
AG		 837}
838EXPORT_SYMBOL(tls_unregister_device);
839
3c4d7559
DW		 840static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
841 .name = "tls",
842 .owner = THIS_MODULE,
843 .init = tls_init,
95fa1454 844 .update = tls_update,
3c4d7559
DW		 845};
846
847static int __init tls_register(void)
848{
c46234eb 849 tls_sw_proto_ops = inet_stream_ops;
c46234eb
DW		 850 tls_sw_proto_ops.splice_read = tls_sw_splice_read;
851
e8f69799
IL		 852#ifdef CONFIG_TLS_DEVICE
853 tls_device_init();
854#endif
3c4d7559
DW		 855 tcp_register_ulp(&tcp_tls_ulp_ops);
856
857 return 0;
858}
859
860static void __exit tls_unregister(void)
861{
862 tcp_unregister_ulp(&tcp_tls_ulp_ops);
e8f69799
IL		 863#ifdef CONFIG_TLS_DEVICE
864 tls_device_cleanup();
865#endif
3c4d7559
DW		 866}
867
868module_init(tls_register);
869module_exit(tls_unregister);
Ubuntu Hirsute Linux kernel mirror