[mirror_ubuntu-hirsute-kernel.git] / net / tls / tls_main.c

/*
 * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
 * Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved.
 *
 * This software is available to you under a choice of one of two
 * licenses.  You may choose to be licensed under the terms of the GNU
 * General Public License (GPL) Version 2, available from the file
 * COPYING in the main directory of this source tree, or the
 * OpenIB.org BSD license below:
 *
 *     Redistribution and use in source and binary forms, with or
 *     without modification, are permitted provided that the following
 *     conditions are met:
 *
 *      - Redistributions of source code must retain the above
 *        copyright notice, this list of conditions and the following
 *        disclaimer.
 *
 *      - Redistributions in binary form must reproduce the above
 *        copyright notice, this list of conditions and the following
 *        disclaimer in the documentation and/or other materials
 *        provided with the distribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */

#include <linux/module.h>

#include <net/tcp.h>
#include <net/inet_common.h>
#include <linux/highmem.h>
#include <linux/netdevice.h>
#include <linux/sched/signal.h>
#include <linux/inetdevice.h>

#include <net/tls.h>

MODULE_AUTHOR("Mellanox Technologies");
MODULE_DESCRIPTION("Transport Layer Security Support");
MODULE_LICENSE("Dual BSD/GPL");
MODULE_ALIAS_TCP_ULP("tls");

enum {
	TLSV4,
	TLSV6,
	TLS_NUM_PROTS,
};

static struct proto *saved_tcpv6_prot;
static DEFINE_MUTEX(tcpv6_prot_mutex);
static LIST_HEAD(device_list);
static DEFINE_MUTEX(device_mutex);
static struct proto tls_prots[TLS_NUM_PROTS][TLS_NUM_CONFIG][TLS_NUM_CONFIG];
static struct proto_ops tls_sw_proto_ops;

static void update_sk_prot(struct sock *sk, struct tls_context *ctx)
{
	int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;

	sk->sk_prot = &tls_prots[ip_ver][ctx->tx_conf][ctx->rx_conf];
}

int wait_on_pending_writer(struct sock *sk, long *timeo)
{
	int rc = 0;
	DEFINE_WAIT_FUNC(wait, woken_wake_function);

	add_wait_queue(sk_sleep(sk), &wait);
	while (1) {
		if (!*timeo) {
			rc = -EAGAIN;
			break;
		}

		if (signal_pending(current)) {
			rc = sock_intr_errno(*timeo);
			break;
		}

		if (sk_wait_event(sk, timeo, !sk->sk_write_pending, &wait))
			break;
	}
	remove_wait_queue(sk_sleep(sk), &wait);
	return rc;
}

int tls_push_sg(struct sock *sk,
		struct tls_context *ctx,
		struct scatterlist *sg,
		u16 first_offset,
		int flags)
{
	int sendpage_flags = flags | MSG_SENDPAGE_NOTLAST;
	int ret = 0;
	struct page *p;
	size_t size;
	int offset = first_offset;

	size = sg->length - offset;
	offset += sg->offset;

	ctx->in_tcp_sendpages = true;
	while (1) {
		if (sg_is_last(sg))
			sendpage_flags = flags;

		/* is sending application-limited? */
		tcp_rate_check_app_limited(sk);
		p = sg_page(sg);
retry:
		ret = do_tcp_sendpages(sk, p, offset, size, sendpage_flags);

		if (ret != size) {
			if (ret > 0) {
				offset += ret;
				size -= ret;
				goto retry;
			}

			offset -= sg->offset;
			ctx->partially_sent_offset = offset;
			ctx->partially_sent_record = (void *)sg;
			ctx->in_tcp_sendpages = false;
			return ret;
		}

		put_page(p);
		sk_mem_uncharge(sk, sg->length);
		sg = sg_next(sg);
		if (!sg)
			break;

		offset = sg->offset;
		size = sg->length;
	}

	clear_bit(TLS_PENDING_CLOSED_RECORD, &ctx->flags);
	ctx->in_tcp_sendpages = false;
	ctx->sk_write_space(sk);

	return 0;
}

static int tls_handle_open_record(struct sock *sk, int flags)
{
	struct tls_context *ctx = tls_get_ctx(sk);

	if (tls_is_pending_open_record(ctx))
		return ctx->push_pending_record(sk, flags);

	return 0;
}

int tls_proccess_cmsg(struct sock *sk, struct msghdr *msg,
		      unsigned char *record_type)
{
	struct cmsghdr *cmsg;
	int rc = -EINVAL;

	for_each_cmsghdr(cmsg, msg) {
		if (!CMSG_OK(msg, cmsg))
			return -EINVAL;
		if (cmsg->cmsg_level != SOL_TLS)
			continue;

		switch (cmsg->cmsg_type) {
		case TLS_SET_RECORD_TYPE:
			if (cmsg->cmsg_len < CMSG_LEN(sizeof(*record_type)))
				return -EINVAL;

			if (msg->msg_flags & MSG_MORE)
				return -EINVAL;

			rc = tls_handle_open_record(sk, msg->msg_flags);
			if (rc)
				return rc;

			*record_type = *(unsigned char *)CMSG_DATA(cmsg);
			rc = 0;
			break;
		default:
			return -EINVAL;
		}
	}

	return rc;
}

int tls_push_pending_closed_record(struct sock *sk, struct tls_context *ctx,
				   int flags, long *timeo)
{
	struct scatterlist *sg;
	u16 offset;

	if (!tls_is_partially_sent_record(ctx))
		return ctx->push_pending_record(sk, flags);

	sg = ctx->partially_sent_record;
	offset = ctx->partially_sent_offset;

	ctx->partially_sent_record = NULL;
	return tls_push_sg(sk, ctx, sg, offset, flags);
}

static void tls_write_space(struct sock *sk)
{
	struct tls_context *ctx = tls_get_ctx(sk);

	/* If in_tcp_sendpages call lower protocol write space handler
	 * to ensure we wake up any waiting operations there. For example
	 * if do_tcp_sendpages where to call sk_wait_event.
	 */
	if (ctx->in_tcp_sendpages) {
		ctx->sk_write_space(sk);
		return;
	}

	if (!sk->sk_write_pending && tls_is_pending_closed_record(ctx)) {
		gfp_t sk_allocation = sk->sk_allocation;
		int rc;
		long timeo = 0;

		sk->sk_allocation = GFP_ATOMIC;
		rc = tls_push_pending_closed_record(sk, ctx,
						    MSG_DONTWAIT |
						    MSG_NOSIGNAL,
						    &timeo);
		sk->sk_allocation = sk_allocation;

		if (rc < 0)
			return;
	}

	ctx->sk_write_space(sk);
}

static void tls_sk_proto_close(struct sock *sk, long timeout)
{
	struct tls_context *ctx = tls_get_ctx(sk);
	long timeo = sock_sndtimeo(sk, 0);
	void (*sk_proto_close)(struct sock *sk, long timeout);
	bool free_ctx = false;

	lock_sock(sk);
	sk_proto_close = ctx->sk_proto_close;

	if ((ctx->tx_conf == TLS_HW_RECORD && ctx->rx_conf == TLS_HW_RECORD) ||
	    (ctx->tx_conf == TLS_BASE && ctx->rx_conf == TLS_BASE)) {
		free_ctx = true;
		goto skip_tx_cleanup;
	}

	if (!tls_complete_pending_work(sk, ctx, 0, &timeo))
		tls_handle_open_record(sk, 0);

	if (ctx->partially_sent_record) {
		struct scatterlist *sg = ctx->partially_sent_record;

		while (1) {
			put_page(sg_page(sg));
			sk_mem_uncharge(sk, sg->length);

			if (sg_is_last(sg))
				break;
			sg++;
		}
	}

	/* We need these for tls_sw_fallback handling of other packets */
	if (ctx->tx_conf == TLS_SW) {
		kfree(ctx->tx.rec_seq);
		kfree(ctx->tx.iv);
		tls_sw_free_resources_tx(sk);
	}

	if (ctx->rx_conf == TLS_SW) {
		kfree(ctx->rx.rec_seq);
		kfree(ctx->rx.iv);
		tls_sw_free_resources_rx(sk);
	}

#ifdef CONFIG_TLS_DEVICE
	if (ctx->rx_conf == TLS_HW)
		tls_device_offload_cleanup_rx(sk);

	if (ctx->tx_conf != TLS_HW && ctx->rx_conf != TLS_HW) {
#else
	{
#endif
		kfree(ctx);
		ctx = NULL;
	}

skip_tx_cleanup:
	release_sock(sk);
	sk_proto_close(sk, timeout);
	/* free ctx for TLS_HW_RECORD, used by tcp_set_state
	 * for sk->sk_prot->unhash [tls_hw_unhash]
	 */
	if (free_ctx)
		kfree(ctx);
}

static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
				int __user *optlen)
{
	int rc = 0;
	struct tls_context *ctx = tls_get_ctx(sk);
	struct tls_crypto_info *crypto_info;
	int len;

	if (get_user(len, optlen))
		return -EFAULT;

	if (!optval || (len < sizeof(*crypto_info))) {
		rc = -EINVAL;
		goto out;
	}

	if (!ctx) {
		rc = -EBUSY;
		goto out;
	}

	/* get user crypto info */
	crypto_info = &ctx->crypto_send;

	if (!TLS_CRYPTO_INFO_READY(crypto_info)) {
		rc = -EBUSY;
		goto out;
	}

	if (len == sizeof(*crypto_info)) {
		if (copy_to_user(optval, crypto_info, sizeof(*crypto_info)))
			rc = -EFAULT;
		goto out;
	}

	switch (crypto_info->cipher_type) {
	case TLS_CIPHER_AES_GCM_128: {
		struct tls12_crypto_info_aes_gcm_128 *
		  crypto_info_aes_gcm_128 =
		  container_of(crypto_info,
			       struct tls12_crypto_info_aes_gcm_128,
			       info);

		if (len != sizeof(*crypto_info_aes_gcm_128)) {
			rc = -EINVAL;
			goto out;
		}
		lock_sock(sk);
		memcpy(crypto_info_aes_gcm_128->iv,
		       ctx->tx.iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
		       TLS_CIPHER_AES_GCM_128_IV_SIZE);
		memcpy(crypto_info_aes_gcm_128->rec_seq, ctx->tx.rec_seq,
		       TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
		release_sock(sk);
		if (copy_to_user(optval,
				 crypto_info_aes_gcm_128,
				 sizeof(*crypto_info_aes_gcm_128)))
			rc = -EFAULT;
		break;
	}
	default:
		rc = -EINVAL;
	}

out:
	return rc;
}

static int do_tls_getsockopt(struct sock *sk, int optname,
			     char __user *optval, int __user *optlen)
{
	int rc = 0;

	switch (optname) {
	case TLS_TX:
		rc = do_tls_getsockopt_tx(sk, optval, optlen);
		break;
	default:
		rc = -ENOPROTOOPT;
		break;
	}
	return rc;
}

static int tls_getsockopt(struct sock *sk, int level, int optname,
			  char __user *optval, int __user *optlen)
{
	struct tls_context *ctx = tls_get_ctx(sk);

	if (level != SOL_TLS)
		return ctx->getsockopt(sk, level, optname, optval, optlen);

	return do_tls_getsockopt(sk, optname, optval, optlen);
}

static int do_tls_setsockopt_conf(struct sock *sk, char __user *optval,
				  unsigned int optlen, int tx)
{
	struct tls_crypto_info *crypto_info;
	struct tls_context *ctx = tls_get_ctx(sk);
	int rc = 0;
	int conf;

	if (!optval || (optlen < sizeof(*crypto_info))) {
		rc = -EINVAL;
		goto out;
	}

	if (tx)
		crypto_info = &ctx->crypto_send;
	else
		crypto_info = &ctx->crypto_recv;

	/* Currently we don't support set crypto info more than one time */
	if (TLS_CRYPTO_INFO_READY(crypto_info)) {
		rc = -EBUSY;
		goto out;
	}

	rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info));
	if (rc) {
		rc = -EFAULT;
		goto err_crypto_info;
	}

	/* check version */
	if (crypto_info->version != TLS_1_2_VERSION) {
		rc = -ENOTSUPP;
		goto err_crypto_info;
	}

	switch (crypto_info->cipher_type) {
	case TLS_CIPHER_AES_GCM_128: {
		if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) {
			rc = -EINVAL;
			goto err_crypto_info;
		}
		rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info),
				    optlen - sizeof(*crypto_info));
		if (rc) {
			rc = -EFAULT;
			goto err_crypto_info;
		}
		break;
	}
	default:
		rc = -EINVAL;
		goto err_crypto_info;
	}

	if (tx) {
#ifdef CONFIG_TLS_DEVICE
		rc = tls_set_device_offload(sk, ctx);
		conf = TLS_HW;
		if (rc) {
#else
		{
#endif
			rc = tls_set_sw_offload(sk, ctx, 1);
			conf = TLS_SW;
		}
	} else {
#ifdef CONFIG_TLS_DEVICE
		rc = tls_set_device_offload_rx(sk, ctx);
		conf = TLS_HW;
		if (rc) {
#else
		{
#endif
			rc = tls_set_sw_offload(sk, ctx, 0);
			conf = TLS_SW;
		}
	}

	if (rc)
		goto err_crypto_info;

	if (tx)
		ctx->tx_conf = conf;
	else
		ctx->rx_conf = conf;
	update_sk_prot(sk, ctx);
	if (tx) {
		ctx->sk_write_space = sk->sk_write_space;
		sk->sk_write_space = tls_write_space;
	} else {
		sk->sk_socket->ops = &tls_sw_proto_ops;
	}
	goto out;

err_crypto_info:
	memset(crypto_info, 0, sizeof(*crypto_info));
out:
	return rc;
}

static int do_tls_setsockopt(struct sock *sk, int optname,
			     char __user *optval, unsigned int optlen)
{
	int rc = 0;

	switch (optname) {
	case TLS_TX:
	case TLS_RX:
		lock_sock(sk);
		rc = do_tls_setsockopt_conf(sk, optval, optlen,
					    optname == TLS_TX);
		release_sock(sk);
		break;
	default:
		rc = -ENOPROTOOPT;
		break;
	}
	return rc;
}

static int tls_setsockopt(struct sock *sk, int level, int optname,
			  char __user *optval, unsigned int optlen)
{
	struct tls_context *ctx = tls_get_ctx(sk);

	if (level != SOL_TLS)
		return ctx->setsockopt(sk, level, optname, optval, optlen);

	return do_tls_setsockopt(sk, optname, optval, optlen);
}

static struct tls_context *create_ctx(struct sock *sk)
{
	struct inet_connection_sock *icsk = inet_csk(sk);
	struct tls_context *ctx;

	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
	if (!ctx)
		return NULL;

	icsk->icsk_ulp_data = ctx;
	return ctx;
}

static int tls_hw_prot(struct sock *sk)
{
	struct tls_context *ctx;
	struct tls_device *dev;
	int rc = 0;

	mutex_lock(&device_mutex);
	list_for_each_entry(dev, &device_list, dev_list) {
		if (dev->feature && dev->feature(dev)) {
			ctx = create_ctx(sk);
			if (!ctx)
				goto out;

			ctx->hash = sk->sk_prot->hash;
			ctx->unhash = sk->sk_prot->unhash;
			ctx->sk_proto_close = sk->sk_prot->close;
			ctx->rx_conf = TLS_HW_RECORD;
			ctx->tx_conf = TLS_HW_RECORD;
			update_sk_prot(sk, ctx);
			rc = 1;
			break;
		}
	}
out:
	mutex_unlock(&device_mutex);
	return rc;
}

static void tls_hw_unhash(struct sock *sk)
{
	struct tls_context *ctx = tls_get_ctx(sk);
	struct tls_device *dev;

	mutex_lock(&device_mutex);
	list_for_each_entry(dev, &device_list, dev_list) {
		if (dev->unhash)
			dev->unhash(dev, sk);
	}
	mutex_unlock(&device_mutex);
	ctx->unhash(sk);
}

static int tls_hw_hash(struct sock *sk)
{
	struct tls_context *ctx = tls_get_ctx(sk);
	struct tls_device *dev;
	int err;

	err = ctx->hash(sk);
	mutex_lock(&device_mutex);
	list_for_each_entry(dev, &device_list, dev_list) {
		if (dev->hash)
			err |= dev->hash(dev, sk);
	}
	mutex_unlock(&device_mutex);

	if (err)
		tls_hw_unhash(sk);
	return err;
}

static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
			 struct proto *base)
{
	prot[TLS_BASE][TLS_BASE] = *base;
	prot[TLS_BASE][TLS_BASE].setsockopt	= tls_setsockopt;
	prot[TLS_BASE][TLS_BASE].getsockopt	= tls_getsockopt;
	prot[TLS_BASE][TLS_BASE].close		= tls_sk_proto_close;

	prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
	prot[TLS_SW][TLS_BASE].sendmsg		= tls_sw_sendmsg;
	prot[TLS_SW][TLS_BASE].sendpage		= tls_sw_sendpage;

	prot[TLS_BASE][TLS_SW] = prot[TLS_BASE][TLS_BASE];
	prot[TLS_BASE][TLS_SW].recvmsg		= tls_sw_recvmsg;
	prot[TLS_BASE][TLS_SW].close		= tls_sk_proto_close;

	prot[TLS_SW][TLS_SW] = prot[TLS_SW][TLS_BASE];
	prot[TLS_SW][TLS_SW].recvmsg	= tls_sw_recvmsg;
	prot[TLS_SW][TLS_SW].close	= tls_sk_proto_close;

#ifdef CONFIG_TLS_DEVICE
	prot[TLS_HW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
	prot[TLS_HW][TLS_BASE].sendmsg		= tls_device_sendmsg;
	prot[TLS_HW][TLS_BASE].sendpage		= tls_device_sendpage;

	prot[TLS_HW][TLS_SW] = prot[TLS_BASE][TLS_SW];
	prot[TLS_HW][TLS_SW].sendmsg		= tls_device_sendmsg;
	prot[TLS_HW][TLS_SW].sendpage		= tls_device_sendpage;

	prot[TLS_BASE][TLS_HW] = prot[TLS_BASE][TLS_SW];

	prot[TLS_SW][TLS_HW] = prot[TLS_SW][TLS_SW];

	prot[TLS_HW][TLS_HW] = prot[TLS_HW][TLS_SW];
#endif

	prot[TLS_HW_RECORD][TLS_HW_RECORD] = *base;
	prot[TLS_HW_RECORD][TLS_HW_RECORD].hash		= tls_hw_hash;
	prot[TLS_HW_RECORD][TLS_HW_RECORD].unhash	= tls_hw_unhash;
	prot[TLS_HW_RECORD][TLS_HW_RECORD].close	= tls_sk_proto_close;
}

static int tls_init(struct sock *sk)
{
	int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
	struct tls_context *ctx;
	int rc = 0;

	if (tls_hw_prot(sk))
		goto out;

	/* The TLS ulp is currently supported only for TCP sockets
	 * in ESTABLISHED state.
	 * Supporting sockets in LISTEN state will require us
	 * to modify the accept implementation to clone rather then
	 * share the ulp context.
	 */
	if (sk->sk_state != TCP_ESTABLISHED)
		return -ENOTSUPP;

	/* allocate tls context */
	ctx = create_ctx(sk);
	if (!ctx) {
		rc = -ENOMEM;
		goto out;
	}
	ctx->setsockopt = sk->sk_prot->setsockopt;
	ctx->getsockopt = sk->sk_prot->getsockopt;
	ctx->sk_proto_close = sk->sk_prot->close;

	/* Build IPv6 TLS whenever the address of tcpv6	_prot changes */
	if (ip_ver == TLSV6 &&
	    unlikely(sk->sk_prot != smp_load_acquire(&saved_tcpv6_prot))) {
		mutex_lock(&tcpv6_prot_mutex);
		if (likely(sk->sk_prot != saved_tcpv6_prot)) {
			build_protos(tls_prots[TLSV6], sk->sk_prot);
			smp_store_release(&saved_tcpv6_prot, sk->sk_prot);
		}
		mutex_unlock(&tcpv6_prot_mutex);
	}

	ctx->tx_conf = TLS_BASE;
	ctx->rx_conf = TLS_BASE;
	update_sk_prot(sk, ctx);
out:
	return rc;
}

void tls_register_device(struct tls_device *device)
{
	mutex_lock(&device_mutex);
	list_add_tail(&device->dev_list, &device_list);
	mutex_unlock(&device_mutex);
}
EXPORT_SYMBOL(tls_register_device);

void tls_unregister_device(struct tls_device *device)
{
	mutex_lock(&device_mutex);
	list_del(&device->dev_list);
	mutex_unlock(&device_mutex);
}
EXPORT_SYMBOL(tls_unregister_device);

static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
	.name			= "tls",
	.uid			= TCP_ULP_TLS,
	.user_visible		= true,
	.owner			= THIS_MODULE,
	.init			= tls_init,
};

static int __init tls_register(void)
{
	build_protos(tls_prots[TLSV4], &tcp_prot);

	tls_sw_proto_ops = inet_stream_ops;
	tls_sw_proto_ops.poll = tls_sw_poll;
	tls_sw_proto_ops.splice_read = tls_sw_splice_read;

#ifdef CONFIG_TLS_DEVICE
	tls_device_init();
#endif
	tcp_register_ulp(&tcp_tls_ulp_ops);

	return 0;
}

static void __exit tls_unregister(void)
{
	tcp_unregister_ulp(&tcp_tls_ulp_ops);
#ifdef CONFIG_TLS_DEVICE
	tls_device_cleanup();
#endif
}

module_init(tls_register);
module_exit(tls_unregister);
Commit	Line	Data
3c4d7559 DW	1	/*
	2	* Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
	3	* Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved.
	4	*
	5	* This software is available to you under a choice of one of two
	6	* licenses. You may choose to be licensed under the terms of the GNU
	7	* General Public License (GPL) Version 2, available from the file
	8	* COPYING in the main directory of this source tree, or the
	9	* OpenIB.org BSD license below:
	10	*
	11	* Redistribution and use in source and binary forms, with or
	12	* without modification, are permitted provided that the following
	13	* conditions are met:
	14	*
	15	* - Redistributions of source code must retain the above
	16	* copyright notice, this list of conditions and the following
	17	* disclaimer.
	18	*
	19	* - Redistributions in binary form must reproduce the above
	20	* copyright notice, this list of conditions and the following
	21	* disclaimer in the documentation and/or other materials
	22	* provided with the distribution.
	23	*
	24	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
	25	* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
	26	* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
	27	* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
	28	* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
	29	* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
	30	* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
	31	* SOFTWARE.
	32	*/
	33
	34	#include <linux/module.h>
	35
	36	#include <net/tcp.h>
	37	#include <net/inet_common.h>
	38	#include <linux/highmem.h>
	39	#include <linux/netdevice.h>
	40	#include <linux/sched/signal.h>
dd0bed16	41	#include <linux/inetdevice.h>
3c4d7559 DW	42
	43	#include <net/tls.h>
	44
	45	MODULE_AUTHOR("Mellanox Technologies");
	46	MODULE_DESCRIPTION("Transport Layer Security Support");
	47	MODULE_LICENSE("Dual BSD/GPL");
037b0b86	48	MODULE_ALIAS_TCP_ULP("tls");
3c4d7559	49
c113187d BP	50	enum {
	51	TLSV4,
	52	TLSV6,
	53	TLS_NUM_PROTS,
	54	};
6d88207f	55
c113187d BP	56	static struct proto *saved_tcpv6_prot;
c113187d BP	57	static DEFINE_MUTEX(tcpv6_prot_mutex);
dd0bed16 AG	58	static LIST_HEAD(device_list);
dd0bed16 AG	59	static DEFINE_MUTEX(device_mutex);
f66de3ee	60	static struct proto tls_prots[TLS_NUM_PROTS][TLS_NUM_CONFIG][TLS_NUM_CONFIG];
c46234eb	61	static struct proto_ops tls_sw_proto_ops;
6d88207f	62
f66de3ee	63	static void update_sk_prot(struct sock sk, struct tls_context ctx)
6d88207f	64	{
c113187d BP	65	int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
c113187d BP	66
f66de3ee	67	sk->sk_prot = &tls_prots[ip_ver][ctx->tx_conf][ctx->rx_conf];
6d88207f	68	}
3c4d7559 DW	69
	70	int wait_on_pending_writer(struct sock sk, long timeo)
	71	{
	72	int rc = 0;
	73	DEFINE_WAIT_FUNC(wait, woken_wake_function);
	74
	75	add_wait_queue(sk_sleep(sk), &wait);
	76	while (1) {
	77	if (!*timeo) {
	78	rc = -EAGAIN;
	79	break;
	80	}
	81
	82	if (signal_pending(current)) {
	83	rc = sock_intr_errno(*timeo);
	84	break;
	85	}
	86
	87	if (sk_wait_event(sk, timeo, !sk->sk_write_pending, &wait))
	88	break;
	89	}
	90	remove_wait_queue(sk_sleep(sk), &wait);
	91	return rc;
	92	}
	93
	94	int tls_push_sg(struct sock *sk,
	95	struct tls_context *ctx,
	96	struct scatterlist *sg,
	97	u16 first_offset,
	98	int flags)
	99	{
	100	int sendpage_flags = flags \| MSG_SENDPAGE_NOTLAST;
	101	int ret = 0;
	102	struct page *p;
	103	size_t size;
	104	int offset = first_offset;
	105
	106	size = sg->length - offset;
	107	offset += sg->offset;
	108
c212d2c7	109	ctx->in_tcp_sendpages = true;
3c4d7559 DW	110	while (1) {
	111	if (sg_is_last(sg))
	112	sendpage_flags = flags;
	113
	114	/* is sending application-limited? */
	115	tcp_rate_check_app_limited(sk);
	116	p = sg_page(sg);
	117	retry:
	118	ret = do_tcp_sendpages(sk, p, offset, size, sendpage_flags);
	119
	120	if (ret != size) {
	121	if (ret > 0) {
	122	offset += ret;
	123	size -= ret;
	124	goto retry;
	125	}
	126
	127	offset -= sg->offset;
	128	ctx->partially_sent_offset = offset;
	129	ctx->partially_sent_record = (void *)sg;
080324c3	130	ctx->in_tcp_sendpages = false;
3c4d7559 DW	131	return ret;
	132	}
	133
	134	put_page(p);
	135	sk_mem_uncharge(sk, sg->length);
	136	sg = sg_next(sg);
	137	if (!sg)
	138	break;
	139
	140	offset = sg->offset;
	141	size = sg->length;
	142	}
	143
	144	clear_bit(TLS_PENDING_CLOSED_RECORD, &ctx->flags);
c212d2c7 DW	145	ctx->in_tcp_sendpages = false;
c212d2c7 DW	146	ctx->sk_write_space(sk);
3c4d7559 DW	147
	148	return 0;
	149	}
	150
	151	static int tls_handle_open_record(struct sock *sk, int flags)
	152	{
	153	struct tls_context *ctx = tls_get_ctx(sk);
	154
	155	if (tls_is_pending_open_record(ctx))
	156	return ctx->push_pending_record(sk, flags);
	157
	158	return 0;
	159	}
	160
	161	int tls_proccess_cmsg(struct sock sk, struct msghdr msg,
	162	unsigned char *record_type)
	163	{
	164	struct cmsghdr *cmsg;
	165	int rc = -EINVAL;
	166
	167	for_each_cmsghdr(cmsg, msg) {
	168	if (!CMSG_OK(msg, cmsg))
	169	return -EINVAL;
	170	if (cmsg->cmsg_level != SOL_TLS)
	171	continue;
	172
	173	switch (cmsg->cmsg_type) {
	174	case TLS_SET_RECORD_TYPE:
	175	if (cmsg->cmsg_len < CMSG_LEN(sizeof(*record_type)))
	176	return -EINVAL;
	177
	178	if (msg->msg_flags & MSG_MORE)
	179	return -EINVAL;
	180
	181	rc = tls_handle_open_record(sk, msg->msg_flags);
	182	if (rc)
	183	return rc;
	184
	185	record_type = (unsigned char *)CMSG_DATA(cmsg);
	186	rc = 0;
	187	break;
	188	default:
	189	return -EINVAL;
	190	}
	191	}
	192
	193	return rc;
	194	}
	195
	196	int tls_push_pending_closed_record(struct sock sk, struct tls_context ctx,
	197	int flags, long *timeo)
	198	{
	199	struct scatterlist *sg;
	200	u16 offset;
	201
	202	if (!tls_is_partially_sent_record(ctx))
	203	return ctx->push_pending_record(sk, flags);
	204
	205	sg = ctx->partially_sent_record;
	206	offset = ctx->partially_sent_offset;
	207
	208	ctx->partially_sent_record = NULL;
	209	return tls_push_sg(sk, ctx, sg, offset, flags);
	210	}
211
212	static void tls_write_space(struct sock *sk)
213	{
214	struct tls_context *ctx = tls_get_ctx(sk);
215
67db7cd2 JF	216	/* If in_tcp_sendpages call lower protocol write space handler
	217	* to ensure we wake up any waiting operations there. For example
	218	* if do_tcp_sendpages where to call sk_wait_event.
	219	*/
	220	if (ctx->in_tcp_sendpages) {
	221	ctx->sk_write_space(sk);
c212d2c7	222	return;
67db7cd2	223	}
c212d2c7	224
3c4d7559 DW	225	if (!sk->sk_write_pending && tls_is_pending_closed_record(ctx)) {
	226	gfp_t sk_allocation = sk->sk_allocation;
	227	int rc;
	228	long timeo = 0;
	229
	230	sk->sk_allocation = GFP_ATOMIC;
	231	rc = tls_push_pending_closed_record(sk, ctx,
	232	MSG_DONTWAIT \|
	233	MSG_NOSIGNAL,
	234	&timeo);
	235	sk->sk_allocation = sk_allocation;
	236
	237	if (rc < 0)
	238	return;
	239	}
	240
	241	ctx->sk_write_space(sk);
	242	}
	243
	244	static void tls_sk_proto_close(struct sock *sk, long timeout)
	245	{
	246	struct tls_context *ctx = tls_get_ctx(sk);
	247	long timeo = sock_sndtimeo(sk, 0);
	248	void (sk_proto_close)(struct sock sk, long timeout);
98f0a395	249	bool free_ctx = false;
3c4d7559 DW	250
3c4d7559 DW	251	lock_sock(sk);
ff45d820 IL	252	sk_proto_close = ctx->sk_proto_close;
ff45d820 IL	253
b2d6cee1 DM	254	if ((ctx->tx_conf == TLS_HW_RECORD && ctx->rx_conf == TLS_HW_RECORD) \|\|
b2d6cee1 DM	255	(ctx->tx_conf == TLS_BASE && ctx->rx_conf == TLS_BASE)) {
98f0a395	256	free_ctx = true;
ff45d820 IL	257	goto skip_tx_cleanup;
ff45d820 IL	258	}
3c4d7559 DW	259
	260	if (!tls_complete_pending_work(sk, ctx, 0, &timeo))
	261	tls_handle_open_record(sk, 0);
	262
	263	if (ctx->partially_sent_record) {
	264	struct scatterlist *sg = ctx->partially_sent_record;
	265
	266	while (1) {
	267	put_page(sg_page(sg));
	268	sk_mem_uncharge(sk, sg->length);
	269
	270	if (sg_is_last(sg))
	271	break;
	272	sg++;
	273	}
	274	}
ff45d820	275
f66de3ee BP	276	/* We need these for tls_sw_fallback handling of other packets */
	277	if (ctx->tx_conf == TLS_SW) {
	278	kfree(ctx->tx.rec_seq);
	279	kfree(ctx->tx.iv);
	280	tls_sw_free_resources_tx(sk);
	281	}
3c4d7559	282
f66de3ee BP	283	if (ctx->rx_conf == TLS_SW) {
	284	kfree(ctx->rx.rec_seq);
	285	kfree(ctx->rx.iv);
	286	tls_sw_free_resources_rx(sk);
c46234eb	287	}
3c4d7559	288
e8f69799	289	#ifdef CONFIG_TLS_DEVICE
4799ac81 BP	290	if (ctx->rx_conf == TLS_HW)
	291	tls_device_offload_cleanup_rx(sk);
	292
	293	if (ctx->tx_conf != TLS_HW && ctx->rx_conf != TLS_HW) {
e8f69799 IL	294	#else
	295	{
	296	#endif
	297	kfree(ctx);
	298	ctx = NULL;
	299	}
	300
ff45d820	301	skip_tx_cleanup:
3c4d7559 DW	302	release_sock(sk);
3c4d7559 DW	303	sk_proto_close(sk, timeout);
dd0bed16 AG	304	/* free ctx for TLS_HW_RECORD, used by tcp_set_state
	305	* for sk->sk_prot->unhash [tls_hw_unhash]
	306	*/
98f0a395	307	if (free_ctx)
dd0bed16	308	kfree(ctx);
3c4d7559 DW	309	}
	310
	311	static int do_tls_getsockopt_tx(struct sock sk, char __user optval,
	312	int __user *optlen)
	313	{
	314	int rc = 0;
	315	struct tls_context *ctx = tls_get_ctx(sk);
	316	struct tls_crypto_info *crypto_info;
	317	int len;
	318
	319	if (get_user(len, optlen))
	320	return -EFAULT;
	321
	322	if (!optval \|\| (len < sizeof(*crypto_info))) {
	323	rc = -EINVAL;
	324	goto out;
	325	}
	326
	327	if (!ctx) {
	328	rc = -EBUSY;
	329	goto out;
	330	}
	331
	332	/* get user crypto info */
	333	crypto_info = &ctx->crypto_send;
	334
	335	if (!TLS_CRYPTO_INFO_READY(crypto_info)) {
	336	rc = -EBUSY;
	337	goto out;
	338	}
	339
5a3b886c	340	if (len == sizeof(*crypto_info)) {
ac55cd61 DC	341	if (copy_to_user(optval, crypto_info, sizeof(*crypto_info)))
ac55cd61 DC	342	rc = -EFAULT;
3c4d7559 DW	343	goto out;
	344	}
	345
	346	switch (crypto_info->cipher_type) {
	347	case TLS_CIPHER_AES_GCM_128: {
	348	struct tls12_crypto_info_aes_gcm_128 *
	349	crypto_info_aes_gcm_128 =
	350	container_of(crypto_info,
	351	struct tls12_crypto_info_aes_gcm_128,
	352	info);
	353
	354	if (len != sizeof(*crypto_info_aes_gcm_128)) {
	355	rc = -EINVAL;
	356	goto out;
	357	}
	358	lock_sock(sk);
a1dfa681	359	memcpy(crypto_info_aes_gcm_128->iv,
dbe42559	360	ctx->tx.iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
3c4d7559	361	TLS_CIPHER_AES_GCM_128_IV_SIZE);
dbe42559	362	memcpy(crypto_info_aes_gcm_128->rec_seq, ctx->tx.rec_seq,
c410c196	363	TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
3c4d7559	364	release_sock(sk);
ac55cd61 DC	365	if (copy_to_user(optval,
	366	crypto_info_aes_gcm_128,
	367	sizeof(*crypto_info_aes_gcm_128)))
	368	rc = -EFAULT;
3c4d7559 DW	369	break;
	370	}
	371	default:
	372	rc = -EINVAL;
	373	}
	374
	375	out:
	376	return rc;
	377	}
	378
	379	static int do_tls_getsockopt(struct sock *sk, int optname,
	380	char __user optval, int __user optlen)
	381	{
	382	int rc = 0;
	383
	384	switch (optname) {
	385	case TLS_TX:
	386	rc = do_tls_getsockopt_tx(sk, optval, optlen);
	387	break;
	388	default:
	389	rc = -ENOPROTOOPT;
	390	break;
	391	}
	392	return rc;
	393	}
	394
	395	static int tls_getsockopt(struct sock *sk, int level, int optname,
	396	char __user optval, int __user optlen)
	397	{
	398	struct tls_context *ctx = tls_get_ctx(sk);
	399
	400	if (level != SOL_TLS)
	401	return ctx->getsockopt(sk, level, optname, optval, optlen);
	402
	403	return do_tls_getsockopt(sk, optname, optval, optlen);
	404	}
	405
c46234eb DW	406	static int do_tls_setsockopt_conf(struct sock sk, char __user optval,
c46234eb DW	407	unsigned int optlen, int tx)
3c4d7559	408	{
196c31b4	409	struct tls_crypto_info *crypto_info;
3c4d7559	410	struct tls_context *ctx = tls_get_ctx(sk);
3c4d7559	411	int rc = 0;
58371585	412	int conf;
3c4d7559 DW	413
	414	if (!optval \|\| (optlen < sizeof(*crypto_info))) {
	415	rc = -EINVAL;
	416	goto out;
	417	}
	418
c46234eb DW	419	if (tx)
	420	crypto_info = &ctx->crypto_send;
	421	else
	422	crypto_info = &ctx->crypto_recv;
	423
196c31b4	424	/* Currently we don't support set crypto info more than one time */
877d17c7 SD	425	if (TLS_CRYPTO_INFO_READY(crypto_info)) {
877d17c7 SD	426	rc = -EBUSY;
196c31b4	427	goto out;
877d17c7	428	}
196c31b4 IL	429
196c31b4 IL	430	rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info));
3c4d7559 DW	431	if (rc) {
3c4d7559 DW	432	rc = -EFAULT;
257082e6	433	goto err_crypto_info;
3c4d7559 DW	434	}
	435
	436	/* check version */
196c31b4	437	if (crypto_info->version != TLS_1_2_VERSION) {
3c4d7559	438	rc = -ENOTSUPP;
196c31b4	439	goto err_crypto_info;
3c4d7559 DW	440	}
3c4d7559 DW	441
196c31b4	442	switch (crypto_info->cipher_type) {
3c4d7559 DW	443	case TLS_CIPHER_AES_GCM_128: {
	444	if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) {
	445	rc = -EINVAL;
6db959c8	446	goto err_crypto_info;
3c4d7559	447	}
196c31b4 IL	448	rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info),
196c31b4 IL	449	optlen - sizeof(*crypto_info));
3c4d7559 DW	450	if (rc) {
	451	rc = -EFAULT;
	452	goto err_crypto_info;
	453	}
	454	break;
	455	}
	456	default:
	457	rc = -EINVAL;
6db959c8	458	goto err_crypto_info;
3c4d7559 DW	459	}
3c4d7559 DW	460
c46234eb	461	if (tx) {
e8f69799 IL	462	#ifdef CONFIG_TLS_DEVICE
	463	rc = tls_set_device_offload(sk, ctx);
	464	conf = TLS_HW;
	465	if (rc) {
	466	#else
	467	{
	468	#endif
	469	rc = tls_set_sw_offload(sk, ctx, 1);
	470	conf = TLS_SW;
	471	}
c46234eb	472	} else {
4799ac81 BP	473	#ifdef CONFIG_TLS_DEVICE
	474	rc = tls_set_device_offload_rx(sk, ctx);
	475	conf = TLS_HW;
	476	if (rc) {
	477	#else
	478	{
	479	#endif
	480	rc = tls_set_sw_offload(sk, ctx, 0);
	481	conf = TLS_SW;
	482	}
c46234eb DW	483	}
c46234eb DW	484
3c4d7559 DW	485	if (rc)
	486	goto err_crypto_info;
	487
f66de3ee BP	488	if (tx)
	489	ctx->tx_conf = conf;
	490	else
	491	ctx->rx_conf = conf;
6d88207f	492	update_sk_prot(sk, ctx);
c46234eb DW	493	if (tx) {
	494	ctx->sk_write_space = sk->sk_write_space;
	495	sk->sk_write_space = tls_write_space;
	496	} else {
	497	sk->sk_socket->ops = &tls_sw_proto_ops;
	498	}
3c4d7559 DW	499	goto out;
	500
	501	err_crypto_info:
	502	memset(crypto_info, 0, sizeof(*crypto_info));
	503	out:
	504	return rc;
	505	}
	506
	507	static int do_tls_setsockopt(struct sock *sk, int optname,
	508	char __user *optval, unsigned int optlen)
	509	{
	510	int rc = 0;
	511
	512	switch (optname) {
	513	case TLS_TX:
c46234eb	514	case TLS_RX:
3c4d7559	515	lock_sock(sk);
c46234eb DW	516	rc = do_tls_setsockopt_conf(sk, optval, optlen,
c46234eb DW	517	optname == TLS_TX);
3c4d7559 DW	518	release_sock(sk);
	519	break;
	520	default:
	521	rc = -ENOPROTOOPT;
	522	break;
	523	}
	524	return rc;
	525	}
	526
	527	static int tls_setsockopt(struct sock *sk, int level, int optname,
	528	char __user *optval, unsigned int optlen)
	529	{
	530	struct tls_context *ctx = tls_get_ctx(sk);
	531
	532	if (level != SOL_TLS)
	533	return ctx->setsockopt(sk, level, optname, optval, optlen);
	534
	535	return do_tls_setsockopt(sk, optname, optval, optlen);
	536	}
	537
dd0bed16 AG	538	static struct tls_context create_ctx(struct sock sk)
	539	{
	540	struct inet_connection_sock *icsk = inet_csk(sk);
	541	struct tls_context *ctx;
	542
	543	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
	544	if (!ctx)
	545	return NULL;
	546
	547	icsk->icsk_ulp_data = ctx;
	548	return ctx;
	549	}
	550
	551	static int tls_hw_prot(struct sock *sk)
	552	{
	553	struct tls_context *ctx;
	554	struct tls_device *dev;
	555	int rc = 0;
	556
	557	mutex_lock(&device_mutex);
	558	list_for_each_entry(dev, &device_list, dev_list) {
	559	if (dev->feature && dev->feature(dev)) {
	560	ctx = create_ctx(sk);
	561	if (!ctx)
	562	goto out;
	563
	564	ctx->hash = sk->sk_prot->hash;
	565	ctx->unhash = sk->sk_prot->unhash;
	566	ctx->sk_proto_close = sk->sk_prot->close;
f66de3ee BP	567	ctx->rx_conf = TLS_HW_RECORD;
f66de3ee BP	568	ctx->tx_conf = TLS_HW_RECORD;
dd0bed16 AG	569	update_sk_prot(sk, ctx);
	570	rc = 1;
	571	break;
	572	}
	573	}
	574	out:
	575	mutex_unlock(&device_mutex);
	576	return rc;
	577	}
	578
	579	static void tls_hw_unhash(struct sock *sk)
	580	{
	581	struct tls_context *ctx = tls_get_ctx(sk);
	582	struct tls_device *dev;
	583
	584	mutex_lock(&device_mutex);
	585	list_for_each_entry(dev, &device_list, dev_list) {
	586	if (dev->unhash)
	587	dev->unhash(dev, sk);
	588	}
	589	mutex_unlock(&device_mutex);
	590	ctx->unhash(sk);
	591	}
	592
	593	static int tls_hw_hash(struct sock *sk)
	594	{
	595	struct tls_context *ctx = tls_get_ctx(sk);
	596	struct tls_device *dev;
	597	int err;
	598
	599	err = ctx->hash(sk);
	600	mutex_lock(&device_mutex);
	601	list_for_each_entry(dev, &device_list, dev_list) {
	602	if (dev->hash)
	603	err \|= dev->hash(dev, sk);
	604	}
	605	mutex_unlock(&device_mutex);
	606
	607	if (err)
	608	tls_hw_unhash(sk);
	609	return err;
	610	}
	611
f66de3ee BP	612	static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
f66de3ee BP	613	struct proto *base)
c113187d	614	{
f66de3ee BP	615	prot[TLS_BASE][TLS_BASE] = *base;
	616	prot[TLS_BASE][TLS_BASE].setsockopt = tls_setsockopt;
	617	prot[TLS_BASE][TLS_BASE].getsockopt = tls_getsockopt;
	618	prot[TLS_BASE][TLS_BASE].close = tls_sk_proto_close;
	619
	620	prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
	621	prot[TLS_SW][TLS_BASE].sendmsg = tls_sw_sendmsg;
	622	prot[TLS_SW][TLS_BASE].sendpage = tls_sw_sendpage;
	623
	624	prot[TLS_BASE][TLS_SW] = prot[TLS_BASE][TLS_BASE];
	625	prot[TLS_BASE][TLS_SW].recvmsg = tls_sw_recvmsg;
	626	prot[TLS_BASE][TLS_SW].close = tls_sk_proto_close;
	627
	628	prot[TLS_SW][TLS_SW] = prot[TLS_SW][TLS_BASE];
	629	prot[TLS_SW][TLS_SW].recvmsg = tls_sw_recvmsg;
	630	prot[TLS_SW][TLS_SW].close = tls_sk_proto_close;
	631
e8f69799 IL	632	#ifdef CONFIG_TLS_DEVICE
	633	prot[TLS_HW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
	634	prot[TLS_HW][TLS_BASE].sendmsg = tls_device_sendmsg;
	635	prot[TLS_HW][TLS_BASE].sendpage = tls_device_sendpage;
	636
	637	prot[TLS_HW][TLS_SW] = prot[TLS_BASE][TLS_SW];
	638	prot[TLS_HW][TLS_SW].sendmsg = tls_device_sendmsg;
	639	prot[TLS_HW][TLS_SW].sendpage = tls_device_sendpage;
4799ac81 BP	640
	641	prot[TLS_BASE][TLS_HW] = prot[TLS_BASE][TLS_SW];
	642
	643	prot[TLS_SW][TLS_HW] = prot[TLS_SW][TLS_SW];
	644
	645	prot[TLS_HW][TLS_HW] = prot[TLS_HW][TLS_SW];
e8f69799 IL	646	#endif
e8f69799 IL	647
f66de3ee BP	648	prot[TLS_HW_RECORD][TLS_HW_RECORD] = *base;
	649	prot[TLS_HW_RECORD][TLS_HW_RECORD].hash = tls_hw_hash;
	650	prot[TLS_HW_RECORD][TLS_HW_RECORD].unhash = tls_hw_unhash;
	651	prot[TLS_HW_RECORD][TLS_HW_RECORD].close = tls_sk_proto_close;
c113187d BP	652	}
c113187d BP	653
3c4d7559 DW	654	static int tls_init(struct sock *sk)
3c4d7559 DW	655	{
c113187d	656	int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
3c4d7559 DW	657	struct tls_context *ctx;
	658	int rc = 0;
	659
dd0bed16 AG	660	if (tls_hw_prot(sk))
	661	goto out;
	662
d91c3e17 IL	663	/* The TLS ulp is currently supported only for TCP sockets
	664	* in ESTABLISHED state.
	665	* Supporting sockets in LISTEN state will require us
	666	* to modify the accept implementation to clone rather then
	667	* share the ulp context.
	668	*/
	669	if (sk->sk_state != TCP_ESTABLISHED)
	670	return -ENOTSUPP;
	671
3c4d7559	672	/* allocate tls context */
dd0bed16	673	ctx = create_ctx(sk);
3c4d7559 DW	674	if (!ctx) {
	675	rc = -ENOMEM;
	676	goto out;
	677	}
3c4d7559 DW	678	ctx->setsockopt = sk->sk_prot->setsockopt;
3c4d7559 DW	679	ctx->getsockopt = sk->sk_prot->getsockopt;
ff45d820	680	ctx->sk_proto_close = sk->sk_prot->close;
6d88207f	681
e8f69799	682	/* Build IPv6 TLS whenever the address of tcpv6 _prot changes */
c113187d BP	683	if (ip_ver == TLSV6 &&
	684	unlikely(sk->sk_prot != smp_load_acquire(&saved_tcpv6_prot))) {
	685	mutex_lock(&tcpv6_prot_mutex);
	686	if (likely(sk->sk_prot != saved_tcpv6_prot)) {
	687	build_protos(tls_prots[TLSV6], sk->sk_prot);
	688	smp_store_release(&saved_tcpv6_prot, sk->sk_prot);
	689	}
	690	mutex_unlock(&tcpv6_prot_mutex);
	691	}
	692
f66de3ee BP	693	ctx->tx_conf = TLS_BASE;
f66de3ee BP	694	ctx->rx_conf = TLS_BASE;
6d88207f	695	update_sk_prot(sk, ctx);
3c4d7559 DW	696	out:
	697	return rc;
	698	}
	699
dd0bed16 AG	700	void tls_register_device(struct tls_device *device)
	701	{
	702	mutex_lock(&device_mutex);
	703	list_add_tail(&device->dev_list, &device_list);
	704	mutex_unlock(&device_mutex);
	705	}
	706	EXPORT_SYMBOL(tls_register_device);
	707
	708	void tls_unregister_device(struct tls_device *device)
	709	{
	710	mutex_lock(&device_mutex);
	711	list_del(&device->dev_list);
	712	mutex_unlock(&device_mutex);
	713	}
	714	EXPORT_SYMBOL(tls_unregister_device);
	715
3c4d7559 DW	716	static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
3c4d7559 DW	717	.name = "tls",
b11a632c JF	718	.uid = TCP_ULP_TLS,
b11a632c JF	719	.user_visible = true,
3c4d7559 DW	720	.owner = THIS_MODULE,
	721	.init = tls_init,
	722	};
	723
	724	static int __init tls_register(void)
	725	{
c113187d	726	build_protos(tls_prots[TLSV4], &tcp_prot);
3c4d7559	727
c46234eb	728	tls_sw_proto_ops = inet_stream_ops;
a11e1d43	729	tls_sw_proto_ops.poll = tls_sw_poll;
c46234eb DW	730	tls_sw_proto_ops.splice_read = tls_sw_splice_read;
c46234eb DW	731
e8f69799 IL	732	#ifdef CONFIG_TLS_DEVICE
	733	tls_device_init();
	734	#endif
3c4d7559 DW	735	tcp_register_ulp(&tcp_tls_ulp_ops);
	736
	737	return 0;
	738	}
	739
	740	static void __exit tls_unregister(void)
	741	{
	742	tcp_unregister_ulp(&tcp_tls_ulp_ops);
e8f69799 IL	743	#ifdef CONFIG_TLS_DEVICE
	744	tls_device_cleanup();
	745	#endif
3c4d7559 DW	746	}
	747
	748	module_init(tls_register);
	749	module_exit(tls_unregister);