[mirror_ubuntu-hirsute-kernel.git] / net / tls / tls_main.c

/*
 * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
 * Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved.
 *
 * This software is available to you under a choice of one of two
 * licenses.  You may choose to be licensed under the terms of the GNU
 * General Public License (GPL) Version 2, available from the file
 * COPYING in the main directory of this source tree, or the
 * OpenIB.org BSD license below:
 *
 *     Redistribution and use in source and binary forms, with or
 *     without modification, are permitted provided that the following
 *     conditions are met:
 *
 *      - Redistributions of source code must retain the above
 *        copyright notice, this list of conditions and the following
 *        disclaimer.
 *
 *      - Redistributions in binary form must reproduce the above
 *        copyright notice, this list of conditions and the following
 *        disclaimer in the documentation and/or other materials
 *        provided with the distribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */

#include <linux/module.h>

#include <net/tcp.h>
#include <net/inet_common.h>
#include <linux/highmem.h>
#include <linux/netdevice.h>
#include <linux/sched/signal.h>

#include <net/tls.h>

MODULE_AUTHOR("Mellanox Technologies");
MODULE_DESCRIPTION("Transport Layer Security Support");
MODULE_LICENSE("Dual BSD/GPL");

enum {
	TLS_BASE_TX,
	TLS_SW_TX,
	TLS_NUM_CONFIG,
};

static struct proto tls_prots[TLS_NUM_CONFIG];

static inline void update_sk_prot(struct sock *sk, struct tls_context *ctx)
{
	sk->sk_prot = &tls_prots[ctx->tx_conf];
}

int wait_on_pending_writer(struct sock *sk, long *timeo)
{
	int rc = 0;
	DEFINE_WAIT_FUNC(wait, woken_wake_function);

	add_wait_queue(sk_sleep(sk), &wait);
	while (1) {
		if (!*timeo) {
			rc = -EAGAIN;
			break;
		}

		if (signal_pending(current)) {
			rc = sock_intr_errno(*timeo);
			break;
		}

		if (sk_wait_event(sk, timeo, !sk->sk_write_pending, &wait))
			break;
	}
	remove_wait_queue(sk_sleep(sk), &wait);
	return rc;
}

int tls_push_sg(struct sock *sk,
		struct tls_context *ctx,
		struct scatterlist *sg,
		u16 first_offset,
		int flags)
{
	int sendpage_flags = flags | MSG_SENDPAGE_NOTLAST;
	int ret = 0;
	struct page *p;
	size_t size;
	int offset = first_offset;

	size = sg->length - offset;
	offset += sg->offset;

	while (1) {
		if (sg_is_last(sg))
			sendpage_flags = flags;

		/* is sending application-limited? */
		tcp_rate_check_app_limited(sk);
		p = sg_page(sg);
retry:
		ret = do_tcp_sendpages(sk, p, offset, size, sendpage_flags);

		if (ret != size) {
			if (ret > 0) {
				offset += ret;
				size -= ret;
				goto retry;
			}

			offset -= sg->offset;
			ctx->partially_sent_offset = offset;
			ctx->partially_sent_record = (void *)sg;
			return ret;
		}

		put_page(p);
		sk_mem_uncharge(sk, sg->length);
		sg = sg_next(sg);
		if (!sg)
			break;

		offset = sg->offset;
		size = sg->length;
	}

	clear_bit(TLS_PENDING_CLOSED_RECORD, &ctx->flags);

	return 0;
}

static int tls_handle_open_record(struct sock *sk, int flags)
{
	struct tls_context *ctx = tls_get_ctx(sk);

	if (tls_is_pending_open_record(ctx))
		return ctx->push_pending_record(sk, flags);

	return 0;
}

int tls_proccess_cmsg(struct sock *sk, struct msghdr *msg,
		      unsigned char *record_type)
{
	struct cmsghdr *cmsg;
	int rc = -EINVAL;

	for_each_cmsghdr(cmsg, msg) {
		if (!CMSG_OK(msg, cmsg))
			return -EINVAL;
		if (cmsg->cmsg_level != SOL_TLS)
			continue;

		switch (cmsg->cmsg_type) {
		case TLS_SET_RECORD_TYPE:
			if (cmsg->cmsg_len < CMSG_LEN(sizeof(*record_type)))
				return -EINVAL;

			if (msg->msg_flags & MSG_MORE)
				return -EINVAL;

			rc = tls_handle_open_record(sk, msg->msg_flags);
			if (rc)
				return rc;

			*record_type = *(unsigned char *)CMSG_DATA(cmsg);
			rc = 0;
			break;
		default:
			return -EINVAL;
		}
	}

	return rc;
}

int tls_push_pending_closed_record(struct sock *sk, struct tls_context *ctx,
				   int flags, long *timeo)
{
	struct scatterlist *sg;
	u16 offset;

	if (!tls_is_partially_sent_record(ctx))
		return ctx->push_pending_record(sk, flags);

	sg = ctx->partially_sent_record;
	offset = ctx->partially_sent_offset;

	ctx->partially_sent_record = NULL;
	return tls_push_sg(sk, ctx, sg, offset, flags);
}

static void tls_write_space(struct sock *sk)
{
	struct tls_context *ctx = tls_get_ctx(sk);

	if (!sk->sk_write_pending && tls_is_pending_closed_record(ctx)) {
		gfp_t sk_allocation = sk->sk_allocation;
		int rc;
		long timeo = 0;

		sk->sk_allocation = GFP_ATOMIC;
		rc = tls_push_pending_closed_record(sk, ctx,
						    MSG_DONTWAIT |
						    MSG_NOSIGNAL,
						    &timeo);
		sk->sk_allocation = sk_allocation;

		if (rc < 0)
			return;
	}

	ctx->sk_write_space(sk);
}

static void tls_sk_proto_close(struct sock *sk, long timeout)
{
	struct tls_context *ctx = tls_get_ctx(sk);
	long timeo = sock_sndtimeo(sk, 0);
	void (*sk_proto_close)(struct sock *sk, long timeout);

	lock_sock(sk);
	sk_proto_close = ctx->sk_proto_close;

	if (ctx->tx_conf == TLS_BASE_TX) {
		kfree(ctx);
		goto skip_tx_cleanup;
	}

	if (!tls_complete_pending_work(sk, ctx, 0, &timeo))
		tls_handle_open_record(sk, 0);

	if (ctx->partially_sent_record) {
		struct scatterlist *sg = ctx->partially_sent_record;

		while (1) {
			put_page(sg_page(sg));
			sk_mem_uncharge(sk, sg->length);

			if (sg_is_last(sg))
				break;
			sg++;
		}
	}

	kfree(ctx->rec_seq);
	kfree(ctx->iv);

	if (ctx->tx_conf == TLS_SW_TX)
		tls_sw_free_tx_resources(sk);

skip_tx_cleanup:
	release_sock(sk);
	sk_proto_close(sk, timeout);
}

static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
				int __user *optlen)
{
	int rc = 0;
	struct tls_context *ctx = tls_get_ctx(sk);
	struct tls_crypto_info *crypto_info;
	int len;

	if (get_user(len, optlen))
		return -EFAULT;

	if (!optval || (len < sizeof(*crypto_info))) {
		rc = -EINVAL;
		goto out;
	}

	if (!ctx) {
		rc = -EBUSY;
		goto out;
	}

	/* get user crypto info */
	crypto_info = &ctx->crypto_send;

	if (!TLS_CRYPTO_INFO_READY(crypto_info)) {
		rc = -EBUSY;
		goto out;
	}

	if (len == sizeof(*crypto_info)) {
		if (copy_to_user(optval, crypto_info, sizeof(*crypto_info)))
			rc = -EFAULT;
		goto out;
	}

	switch (crypto_info->cipher_type) {
	case TLS_CIPHER_AES_GCM_128: {
		struct tls12_crypto_info_aes_gcm_128 *
		  crypto_info_aes_gcm_128 =
		  container_of(crypto_info,
			       struct tls12_crypto_info_aes_gcm_128,
			       info);

		if (len != sizeof(*crypto_info_aes_gcm_128)) {
			rc = -EINVAL;
			goto out;
		}
		lock_sock(sk);
		memcpy(crypto_info_aes_gcm_128->iv,
		       ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
		       TLS_CIPHER_AES_GCM_128_IV_SIZE);
		release_sock(sk);
		if (copy_to_user(optval,
				 crypto_info_aes_gcm_128,
				 sizeof(*crypto_info_aes_gcm_128)))
			rc = -EFAULT;
		break;
	}
	default:
		rc = -EINVAL;
	}

out:
	return rc;
}

static int do_tls_getsockopt(struct sock *sk, int optname,
			     char __user *optval, int __user *optlen)
{
	int rc = 0;

	switch (optname) {
	case TLS_TX:
		rc = do_tls_getsockopt_tx(sk, optval, optlen);
		break;
	default:
		rc = -ENOPROTOOPT;
		break;
	}
	return rc;
}

static int tls_getsockopt(struct sock *sk, int level, int optname,
			  char __user *optval, int __user *optlen)
{
	struct tls_context *ctx = tls_get_ctx(sk);

	if (level != SOL_TLS)
		return ctx->getsockopt(sk, level, optname, optval, optlen);

	return do_tls_getsockopt(sk, optname, optval, optlen);
}

static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
				unsigned int optlen)
{
	struct tls_crypto_info *crypto_info;
	struct tls_context *ctx = tls_get_ctx(sk);
	int rc = 0;
	int tx_conf;

	if (!optval || (optlen < sizeof(*crypto_info))) {
		rc = -EINVAL;
		goto out;
	}

	crypto_info = &ctx->crypto_send;
	/* Currently we don't support set crypto info more than one time */
	if (TLS_CRYPTO_INFO_READY(crypto_info)) {
		rc = -EBUSY;
		goto out;
	}

	rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info));
	if (rc) {
		rc = -EFAULT;
		goto out;
	}

	/* check version */
	if (crypto_info->version != TLS_1_2_VERSION) {
		rc = -ENOTSUPP;
		goto err_crypto_info;
	}

	switch (crypto_info->cipher_type) {
	case TLS_CIPHER_AES_GCM_128: {
		if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) {
			rc = -EINVAL;
			goto err_crypto_info;
		}
		rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info),
				    optlen - sizeof(*crypto_info));
		if (rc) {
			rc = -EFAULT;
			goto err_crypto_info;
		}
		break;
	}
	default:
		rc = -EINVAL;
		goto err_crypto_info;
	}

	/* currently SW is default, we will have ethtool in future */
	rc = tls_set_sw_offload(sk, ctx);
	tx_conf = TLS_SW_TX;
	if (rc)
		goto err_crypto_info;

	ctx->tx_conf = tx_conf;
	update_sk_prot(sk, ctx);
	ctx->sk_write_space = sk->sk_write_space;
	sk->sk_write_space = tls_write_space;
	goto out;

err_crypto_info:
	memset(crypto_info, 0, sizeof(*crypto_info));
out:
	return rc;
}

static int do_tls_setsockopt(struct sock *sk, int optname,
			     char __user *optval, unsigned int optlen)
{
	int rc = 0;

	switch (optname) {
	case TLS_TX:
		lock_sock(sk);
		rc = do_tls_setsockopt_tx(sk, optval, optlen);
		release_sock(sk);
		break;
	default:
		rc = -ENOPROTOOPT;
		break;
	}
	return rc;
}

static int tls_setsockopt(struct sock *sk, int level, int optname,
			  char __user *optval, unsigned int optlen)
{
	struct tls_context *ctx = tls_get_ctx(sk);

	if (level != SOL_TLS)
		return ctx->setsockopt(sk, level, optname, optval, optlen);

	return do_tls_setsockopt(sk, optname, optval, optlen);
}

static int tls_init(struct sock *sk)
{
	struct inet_connection_sock *icsk = inet_csk(sk);
	struct tls_context *ctx;
	int rc = 0;

	/* The TLS ulp is currently supported only for TCP sockets
	 * in ESTABLISHED state.
	 * Supporting sockets in LISTEN state will require us
	 * to modify the accept implementation to clone rather then
	 * share the ulp context.
	 */
	if (sk->sk_state != TCP_ESTABLISHED)
		return -ENOTSUPP;

	/* allocate tls context */
	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
	if (!ctx) {
		rc = -ENOMEM;
		goto out;
	}
	icsk->icsk_ulp_data = ctx;
	ctx->setsockopt = sk->sk_prot->setsockopt;
	ctx->getsockopt = sk->sk_prot->getsockopt;
	ctx->sk_proto_close = sk->sk_prot->close;

	ctx->tx_conf = TLS_BASE_TX;
	update_sk_prot(sk, ctx);
out:
	return rc;
}

static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
	.name			= "tls",
	.uid			= TCP_ULP_TLS,
	.user_visible		= true,
	.owner			= THIS_MODULE,
	.init			= tls_init,
};

static void build_protos(struct proto *prot, struct proto *base)
{
	prot[TLS_BASE_TX] = *base;
	prot[TLS_BASE_TX].setsockopt	= tls_setsockopt;
	prot[TLS_BASE_TX].getsockopt	= tls_getsockopt;
	prot[TLS_BASE_TX].close		= tls_sk_proto_close;

	prot[TLS_SW_TX] = prot[TLS_BASE_TX];
	prot[TLS_SW_TX].sendmsg		= tls_sw_sendmsg;
	prot[TLS_SW_TX].sendpage	= tls_sw_sendpage;
}

static int __init tls_register(void)
{
	build_protos(tls_prots, &tcp_prot);

	tcp_register_ulp(&tcp_tls_ulp_ops);

	return 0;
}

static void __exit tls_unregister(void)
{
	tcp_unregister_ulp(&tcp_tls_ulp_ops);
}

module_init(tls_register);
module_exit(tls_unregister);
Commit	Line	Data
3c4d7559 DW	1	/*
	2	* Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
	3	* Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved.
	4	*
	5	* This software is available to you under a choice of one of two
	6	* licenses. You may choose to be licensed under the terms of the GNU
	7	* General Public License (GPL) Version 2, available from the file
	8	* COPYING in the main directory of this source tree, or the
	9	* OpenIB.org BSD license below:
	10	*
	11	* Redistribution and use in source and binary forms, with or
	12	* without modification, are permitted provided that the following
	13	* conditions are met:
	14	*
	15	* - Redistributions of source code must retain the above
	16	* copyright notice, this list of conditions and the following
	17	* disclaimer.
	18	*
	19	* - Redistributions in binary form must reproduce the above
	20	* copyright notice, this list of conditions and the following
	21	* disclaimer in the documentation and/or other materials
	22	* provided with the distribution.
	23	*
	24	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
	25	* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
	26	* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
	27	* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
	28	* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
	29	* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
	30	* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
	31	* SOFTWARE.
	32	*/
	33
	34	#include <linux/module.h>
	35
	36	#include <net/tcp.h>
	37	#include <net/inet_common.h>
	38	#include <linux/highmem.h>
	39	#include <linux/netdevice.h>
	40	#include <linux/sched/signal.h>
	41
	42	#include <net/tls.h>
	43
	44	MODULE_AUTHOR("Mellanox Technologies");
	45	MODULE_DESCRIPTION("Transport Layer Security Support");
	46	MODULE_LICENSE("Dual BSD/GPL");
	47
6d88207f IL	48	enum {
	49	TLS_BASE_TX,
	50	TLS_SW_TX,
	51	TLS_NUM_CONFIG,
	52	};
	53
	54	static struct proto tls_prots[TLS_NUM_CONFIG];
	55
	56	static inline void update_sk_prot(struct sock sk, struct tls_context ctx)
	57	{
	58	sk->sk_prot = &tls_prots[ctx->tx_conf];
	59	}
3c4d7559 DW	60
	61	int wait_on_pending_writer(struct sock sk, long timeo)
	62	{
	63	int rc = 0;
	64	DEFINE_WAIT_FUNC(wait, woken_wake_function);
	65
	66	add_wait_queue(sk_sleep(sk), &wait);
	67	while (1) {
	68	if (!*timeo) {
	69	rc = -EAGAIN;
	70	break;
	71	}
	72
	73	if (signal_pending(current)) {
	74	rc = sock_intr_errno(*timeo);
	75	break;
	76	}
	77
	78	if (sk_wait_event(sk, timeo, !sk->sk_write_pending, &wait))
	79	break;
	80	}
	81	remove_wait_queue(sk_sleep(sk), &wait);
	82	return rc;
	83	}
	84
	85	int tls_push_sg(struct sock *sk,
	86	struct tls_context *ctx,
	87	struct scatterlist *sg,
	88	u16 first_offset,
	89	int flags)
	90	{
	91	int sendpage_flags = flags \| MSG_SENDPAGE_NOTLAST;
	92	int ret = 0;
	93	struct page *p;
	94	size_t size;
	95	int offset = first_offset;
	96
	97	size = sg->length - offset;
	98	offset += sg->offset;
	99
	100	while (1) {
	101	if (sg_is_last(sg))
	102	sendpage_flags = flags;
	103
	104	/* is sending application-limited? */
	105	tcp_rate_check_app_limited(sk);
	106	p = sg_page(sg);
	107	retry:
	108	ret = do_tcp_sendpages(sk, p, offset, size, sendpage_flags);
	109
	110	if (ret != size) {
	111	if (ret > 0) {
	112	offset += ret;
	113	size -= ret;
	114	goto retry;
	115	}
	116
	117	offset -= sg->offset;
	118	ctx->partially_sent_offset = offset;
	119	ctx->partially_sent_record = (void *)sg;
	120	return ret;
	121	}
	122
	123	put_page(p);
124	sk_mem_uncharge(sk, sg->length);
125	sg = sg_next(sg);
126	if (!sg)
127	break;
128
129	offset = sg->offset;
130	size = sg->length;
131	}
132
133	clear_bit(TLS_PENDING_CLOSED_RECORD, &ctx->flags);
134
135	return 0;
136	}
137
138	static int tls_handle_open_record(struct sock *sk, int flags)
139	{
140	struct tls_context *ctx = tls_get_ctx(sk);
141
142	if (tls_is_pending_open_record(ctx))
143	return ctx->push_pending_record(sk, flags);
144
145	return 0;
146	}
147
148	int tls_proccess_cmsg(struct sock sk, struct msghdr msg,
149	unsigned char *record_type)
150	{
151	struct cmsghdr *cmsg;
152	int rc = -EINVAL;
153
154	for_each_cmsghdr(cmsg, msg) {
155	if (!CMSG_OK(msg, cmsg))
156	return -EINVAL;
157	if (cmsg->cmsg_level != SOL_TLS)
158	continue;
159
160	switch (cmsg->cmsg_type) {
161	case TLS_SET_RECORD_TYPE:
162	if (cmsg->cmsg_len < CMSG_LEN(sizeof(*record_type)))
163	return -EINVAL;
164
165	if (msg->msg_flags & MSG_MORE)
166	return -EINVAL;
167
168	rc = tls_handle_open_record(sk, msg->msg_flags);
169	if (rc)
170	return rc;
171
172	record_type = (unsigned char *)CMSG_DATA(cmsg);
173	rc = 0;
174	break;
175	default:
176	return -EINVAL;
177	}
178	}
179
180	return rc;
181	}
182
183	int tls_push_pending_closed_record(struct sock sk, struct tls_context ctx,
184	int flags, long *timeo)
185	{
186	struct scatterlist *sg;
187	u16 offset;
188
189	if (!tls_is_partially_sent_record(ctx))
190	return ctx->push_pending_record(sk, flags);
191
192	sg = ctx->partially_sent_record;
193	offset = ctx->partially_sent_offset;
194
195	ctx->partially_sent_record = NULL;
196	return tls_push_sg(sk, ctx, sg, offset, flags);
197	}
198
199	static void tls_write_space(struct sock *sk)
200	{
201	struct tls_context *ctx = tls_get_ctx(sk);
202
203	if (!sk->sk_write_pending && tls_is_pending_closed_record(ctx)) {
204	gfp_t sk_allocation = sk->sk_allocation;
205	int rc;
206	long timeo = 0;
207
208	sk->sk_allocation = GFP_ATOMIC;
209	rc = tls_push_pending_closed_record(sk, ctx,
210	MSG_DONTWAIT \|
211	MSG_NOSIGNAL,
212	&timeo);
213	sk->sk_allocation = sk_allocation;
214
215	if (rc < 0)
216	return;
217	}
218
219	ctx->sk_write_space(sk);
220	}
221
222	static void tls_sk_proto_close(struct sock *sk, long timeout)
223	{
224	struct tls_context *ctx = tls_get_ctx(sk);
225	long timeo = sock_sndtimeo(sk, 0);
226	void (sk_proto_close)(struct sock sk, long timeout);
227
228	lock_sock(sk);
ff45d820 IL	229	sk_proto_close = ctx->sk_proto_close;
	230
	231	if (ctx->tx_conf == TLS_BASE_TX) {
	232	kfree(ctx);
	233	goto skip_tx_cleanup;
	234	}
3c4d7559 DW	235
	236	if (!tls_complete_pending_work(sk, ctx, 0, &timeo))
	237	tls_handle_open_record(sk, 0);
	238
	239	if (ctx->partially_sent_record) {
	240	struct scatterlist *sg = ctx->partially_sent_record;
	241
	242	while (1) {
	243	put_page(sg_page(sg));
	244	sk_mem_uncharge(sk, sg->length);
	245
	246	if (sg_is_last(sg))
	247	break;
	248	sg++;
	249	}
	250	}
ff45d820	251
3c4d7559 DW	252	kfree(ctx->rec_seq);
	253	kfree(ctx->iv);
	254
ff45d820 IL	255	if (ctx->tx_conf == TLS_SW_TX)
ff45d820 IL	256	tls_sw_free_tx_resources(sk);
3c4d7559	257
ff45d820	258	skip_tx_cleanup:
3c4d7559 DW	259	release_sock(sk);
	260	sk_proto_close(sk, timeout);
	261	}
	262
	263	static int do_tls_getsockopt_tx(struct sock sk, char __user optval,
	264	int __user *optlen)
	265	{
	266	int rc = 0;
	267	struct tls_context *ctx = tls_get_ctx(sk);
	268	struct tls_crypto_info *crypto_info;
	269	int len;
	270
	271	if (get_user(len, optlen))
	272	return -EFAULT;
	273
	274	if (!optval \|\| (len < sizeof(*crypto_info))) {
	275	rc = -EINVAL;
	276	goto out;
	277	}
	278
	279	if (!ctx) {
	280	rc = -EBUSY;
	281	goto out;
	282	}
	283
	284	/* get user crypto info */
	285	crypto_info = &ctx->crypto_send;
	286
	287	if (!TLS_CRYPTO_INFO_READY(crypto_info)) {
	288	rc = -EBUSY;
	289	goto out;
	290	}
	291
5a3b886c	292	if (len == sizeof(*crypto_info)) {
ac55cd61 DC	293	if (copy_to_user(optval, crypto_info, sizeof(*crypto_info)))
ac55cd61 DC	294	rc = -EFAULT;
3c4d7559 DW	295	goto out;
	296	}
	297
	298	switch (crypto_info->cipher_type) {
	299	case TLS_CIPHER_AES_GCM_128: {
	300	struct tls12_crypto_info_aes_gcm_128 *
	301	crypto_info_aes_gcm_128 =
	302	container_of(crypto_info,
	303	struct tls12_crypto_info_aes_gcm_128,
	304	info);
	305
	306	if (len != sizeof(*crypto_info_aes_gcm_128)) {
	307	rc = -EINVAL;
	308	goto out;
	309	}
	310	lock_sock(sk);
a1dfa681 BP	311	memcpy(crypto_info_aes_gcm_128->iv,
a1dfa681 BP	312	ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
3c4d7559 DW	313	TLS_CIPHER_AES_GCM_128_IV_SIZE);
3c4d7559 DW	314	release_sock(sk);
ac55cd61 DC	315	if (copy_to_user(optval,
	316	crypto_info_aes_gcm_128,
	317	sizeof(*crypto_info_aes_gcm_128)))
	318	rc = -EFAULT;
3c4d7559 DW	319	break;
	320	}
	321	default:
	322	rc = -EINVAL;
	323	}
	324
	325	out:
	326	return rc;
	327	}
	328
	329	static int do_tls_getsockopt(struct sock *sk, int optname,
	330	char __user optval, int __user optlen)
	331	{
	332	int rc = 0;
	333
	334	switch (optname) {
	335	case TLS_TX:
	336	rc = do_tls_getsockopt_tx(sk, optval, optlen);
	337	break;
	338	default:
	339	rc = -ENOPROTOOPT;
	340	break;
	341	}
	342	return rc;
	343	}
	344
	345	static int tls_getsockopt(struct sock *sk, int level, int optname,
	346	char __user optval, int __user optlen)
	347	{
	348	struct tls_context *ctx = tls_get_ctx(sk);
	349
	350	if (level != SOL_TLS)
	351	return ctx->getsockopt(sk, level, optname, optval, optlen);
	352
	353	return do_tls_getsockopt(sk, optname, optval, optlen);
	354	}
	355
	356	static int do_tls_setsockopt_tx(struct sock sk, char __user optval,
	357	unsigned int optlen)
	358	{
196c31b4	359	struct tls_crypto_info *crypto_info;
3c4d7559	360	struct tls_context *ctx = tls_get_ctx(sk);
3c4d7559	361	int rc = 0;
6d88207f	362	int tx_conf;
3c4d7559 DW	363
	364	if (!optval \|\| (optlen < sizeof(*crypto_info))) {
	365	rc = -EINVAL;
	366	goto out;
	367	}
	368
196c31b4 IL	369	crypto_info = &ctx->crypto_send;
196c31b4 IL	370	/* Currently we don't support set crypto info more than one time */
877d17c7 SD	371	if (TLS_CRYPTO_INFO_READY(crypto_info)) {
877d17c7 SD	372	rc = -EBUSY;
196c31b4	373	goto out;
877d17c7	374	}
196c31b4 IL	375
196c31b4 IL	376	rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info));
3c4d7559 DW	377	if (rc) {
	378	rc = -EFAULT;
	379	goto out;
	380	}
	381
	382	/* check version */
196c31b4	383	if (crypto_info->version != TLS_1_2_VERSION) {
3c4d7559	384	rc = -ENOTSUPP;
196c31b4	385	goto err_crypto_info;
3c4d7559 DW	386	}
3c4d7559 DW	387
196c31b4	388	switch (crypto_info->cipher_type) {
3c4d7559 DW	389	case TLS_CIPHER_AES_GCM_128: {
	390	if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) {
	391	rc = -EINVAL;
6db959c8	392	goto err_crypto_info;
3c4d7559	393	}
196c31b4 IL	394	rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info),
196c31b4 IL	395	optlen - sizeof(*crypto_info));
3c4d7559 DW	396	if (rc) {
	397	rc = -EFAULT;
	398	goto err_crypto_info;
	399	}
	400	break;
	401	}
	402	default:
	403	rc = -EINVAL;
6db959c8	404	goto err_crypto_info;
3c4d7559 DW	405	}
3c4d7559 DW	406
3c4d7559 DW	407	/* currently SW is default, we will have ethtool in future */
3c4d7559 DW	408	rc = tls_set_sw_offload(sk, ctx);
6d88207f	409	tx_conf = TLS_SW_TX;
3c4d7559 DW	410	if (rc)
	411	goto err_crypto_info;
	412
6d88207f IL	413	ctx->tx_conf = tx_conf;
6d88207f IL	414	update_sk_prot(sk, ctx);
ee181e52 IL	415	ctx->sk_write_space = sk->sk_write_space;
ee181e52 IL	416	sk->sk_write_space = tls_write_space;
3c4d7559 DW	417	goto out;
	418
	419	err_crypto_info:
	420	memset(crypto_info, 0, sizeof(*crypto_info));
	421	out:
	422	return rc;
	423	}
	424
	425	static int do_tls_setsockopt(struct sock *sk, int optname,
	426	char __user *optval, unsigned int optlen)
	427	{
	428	int rc = 0;
	429
	430	switch (optname) {
	431	case TLS_TX:
	432	lock_sock(sk);
	433	rc = do_tls_setsockopt_tx(sk, optval, optlen);
	434	release_sock(sk);
	435	break;
	436	default:
	437	rc = -ENOPROTOOPT;
	438	break;
	439	}
	440	return rc;
	441	}
	442
	443	static int tls_setsockopt(struct sock *sk, int level, int optname,
	444	char __user *optval, unsigned int optlen)
	445	{
	446	struct tls_context *ctx = tls_get_ctx(sk);
	447
	448	if (level != SOL_TLS)
	449	return ctx->setsockopt(sk, level, optname, optval, optlen);
	450
	451	return do_tls_setsockopt(sk, optname, optval, optlen);
	452	}
	453
	454	static int tls_init(struct sock *sk)
	455	{
	456	struct inet_connection_sock *icsk = inet_csk(sk);
	457	struct tls_context *ctx;
	458	int rc = 0;
	459
d91c3e17 IL	460	/* The TLS ulp is currently supported only for TCP sockets
	461	* in ESTABLISHED state.
	462	* Supporting sockets in LISTEN state will require us
	463	* to modify the accept implementation to clone rather then
	464	* share the ulp context.
	465	*/
	466	if (sk->sk_state != TCP_ESTABLISHED)
	467	return -ENOTSUPP;
	468
3c4d7559 DW	469	/* allocate tls context */
	470	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
	471	if (!ctx) {
	472	rc = -ENOMEM;
	473	goto out;
	474	}
	475	icsk->icsk_ulp_data = ctx;
	476	ctx->setsockopt = sk->sk_prot->setsockopt;
	477	ctx->getsockopt = sk->sk_prot->getsockopt;
ff45d820	478	ctx->sk_proto_close = sk->sk_prot->close;
6d88207f IL	479
	480	ctx->tx_conf = TLS_BASE_TX;
	481	update_sk_prot(sk, ctx);
3c4d7559 DW	482	out:
	483	return rc;
	484	}
	485
	486	static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
	487	.name = "tls",
b11a632c JF	488	.uid = TCP_ULP_TLS,
b11a632c JF	489	.user_visible = true,
3c4d7559 DW	490	.owner = THIS_MODULE,
	491	.init = tls_init,
	492	};
	493
6d88207f IL	494	static void build_protos(struct proto prot, struct proto base)
	495	{
	496	prot[TLS_BASE_TX] = *base;
ff45d820 IL	497	prot[TLS_BASE_TX].setsockopt = tls_setsockopt;
	498	prot[TLS_BASE_TX].getsockopt = tls_getsockopt;
	499	prot[TLS_BASE_TX].close = tls_sk_proto_close;
6d88207f IL	500
6d88207f IL	501	prot[TLS_SW_TX] = prot[TLS_BASE_TX];
6d88207f IL	502	prot[TLS_SW_TX].sendmsg = tls_sw_sendmsg;
	503	prot[TLS_SW_TX].sendpage = tls_sw_sendpage;
	504	}
	505
3c4d7559 DW	506	static int __init tls_register(void)
3c4d7559 DW	507	{
6d88207f	508	build_protos(tls_prots, &tcp_prot);
3c4d7559 DW	509
	510	tcp_register_ulp(&tcp_tls_ulp_ops);
	511
	512	return 0;
	513	}
	514
	515	static void __exit tls_unregister(void)
	516	{
	517	tcp_unregister_ulp(&tcp_tls_ulp_ops);
	518	}
	519
	520	module_init(tls_register);
	521	module_exit(tls_unregister);