[mirror_ubuntu-artful-kernel.git] / net / tls / tls_sw.c

/*
 * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
 * Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved.
 * Copyright (c) 2016-2017, Lance Chao <lancerchao@fb.com>. All rights reserved.
 * Copyright (c) 2016, Fridolin Pokorny <fridolin.pokorny@gmail.com>. All rights reserved.
 * Copyright (c) 2016, Nikos Mavrogiannopoulos <nmav@gnutls.org>. All rights reserved.
 *
 * This software is available to you under a choice of one of two
 * licenses.  You may choose to be licensed under the terms of the GNU
 * General Public License (GPL) Version 2, available from the file
 * COPYING in the main directory of this source tree, or the
 * OpenIB.org BSD license below:
 *
 *     Redistribution and use in source and binary forms, with or
 *     without modification, are permitted provided that the following
 *     conditions are met:
 *
 *      - Redistributions of source code must retain the above
 *        copyright notice, this list of conditions and the following
 *        disclaimer.
 *
 *      - Redistributions in binary form must reproduce the above
 *        copyright notice, this list of conditions and the following
 *        disclaimer in the documentation and/or other materials
 *        provided with the distribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */

#include <linux/module.h>
#include <crypto/aead.h>

#include <net/tls.h>

static inline void tls_make_aad(int recv,
				char *buf,
				size_t size,
				char *record_sequence,
				int record_sequence_size,
				unsigned char record_type)
{
	memcpy(buf, record_sequence, record_sequence_size);

	buf[8] = record_type;
	buf[9] = TLS_1_2_VERSION_MAJOR;
	buf[10] = TLS_1_2_VERSION_MINOR;
	buf[11] = size >> 8;
	buf[12] = size & 0xFF;
}

static void trim_sg(struct sock *sk, struct scatterlist *sg,
		    int *sg_num_elem, unsigned int *sg_size, int target_size)
{
	int i = *sg_num_elem - 1;
	int trim = *sg_size - target_size;

	if (trim <= 0) {
		WARN_ON(trim < 0);
		return;
	}

	*sg_size = target_size;
	while (trim >= sg[i].length) {
		trim -= sg[i].length;
		sk_mem_uncharge(sk, sg[i].length);
		put_page(sg_page(&sg[i]));
		i--;

		if (i < 0)
			goto out;
	}

	sg[i].length -= trim;
	sk_mem_uncharge(sk, trim);

out:
	*sg_num_elem = i + 1;
}

static void trim_both_sgl(struct sock *sk, int target_size)
{
	struct tls_context *tls_ctx = tls_get_ctx(sk);
	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);

	trim_sg(sk, ctx->sg_plaintext_data,
		&ctx->sg_plaintext_num_elem,
		&ctx->sg_plaintext_size,
		target_size);

	if (target_size > 0)
		target_size += tls_ctx->overhead_size;

	trim_sg(sk, ctx->sg_encrypted_data,
		&ctx->sg_encrypted_num_elem,
		&ctx->sg_encrypted_size,
		target_size);
}

static int alloc_sg(struct sock *sk, int len, struct scatterlist *sg,
		    int *sg_num_elem, unsigned int *sg_size,
		    int first_coalesce)
{
	struct page_frag *pfrag;
	unsigned int size = *sg_size;
	int num_elem = *sg_num_elem, use = 0, rc = 0;
	struct scatterlist *sge;
	unsigned int orig_offset;

	len -= size;
	pfrag = sk_page_frag(sk);

	while (len > 0) {
		if (!sk_page_frag_refill(sk, pfrag)) {
			rc = -ENOMEM;
			goto out;
		}

		use = min_t(int, len, pfrag->size - pfrag->offset);

		if (!sk_wmem_schedule(sk, use)) {
			rc = -ENOMEM;
			goto out;
		}

		sk_mem_charge(sk, use);
		size += use;
		orig_offset = pfrag->offset;
		pfrag->offset += use;

		sge = sg + num_elem - 1;
		if (num_elem > first_coalesce && sg_page(sg) == pfrag->page &&
		    sg->offset + sg->length == orig_offset) {
			sg->length += use;
		} else {
			sge++;
			sg_unmark_end(sge);
			sg_set_page(sge, pfrag->page, use, orig_offset);
			get_page(pfrag->page);
			++num_elem;
			if (num_elem == MAX_SKB_FRAGS) {
				rc = -ENOSPC;
				break;
			}
		}

		len -= use;
	}
	goto out;

out:
	*sg_size = size;
	*sg_num_elem = num_elem;
	return rc;
}

static int alloc_encrypted_sg(struct sock *sk, int len)
{
	struct tls_context *tls_ctx = tls_get_ctx(sk);
	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
	int rc = 0;

	rc = alloc_sg(sk, len, ctx->sg_encrypted_data,
		      &ctx->sg_encrypted_num_elem, &ctx->sg_encrypted_size, 0);

	return rc;
}

static int alloc_plaintext_sg(struct sock *sk, int len)
{
	struct tls_context *tls_ctx = tls_get_ctx(sk);
	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
	int rc = 0;

	rc = alloc_sg(sk, len, ctx->sg_plaintext_data,
		      &ctx->sg_plaintext_num_elem, &ctx->sg_plaintext_size,
		      tls_ctx->pending_open_record_frags);

	return rc;
}

static void free_sg(struct sock *sk, struct scatterlist *sg,
		    int *sg_num_elem, unsigned int *sg_size)
{
	int i, n = *sg_num_elem;

	for (i = 0; i < n; ++i) {
		sk_mem_uncharge(sk, sg[i].length);
		put_page(sg_page(&sg[i]));
	}
	*sg_num_elem = 0;
	*sg_size = 0;
}

static void tls_free_both_sg(struct sock *sk)
{
	struct tls_context *tls_ctx = tls_get_ctx(sk);
	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);

	free_sg(sk, ctx->sg_encrypted_data, &ctx->sg_encrypted_num_elem,
		&ctx->sg_encrypted_size);

	free_sg(sk, ctx->sg_plaintext_data, &ctx->sg_plaintext_num_elem,
		&ctx->sg_plaintext_size);
}

static int tls_do_encryption(struct tls_context *tls_ctx,
			     struct tls_sw_context *ctx, size_t data_len,
			     gfp_t flags)
{
	unsigned int req_size = sizeof(struct aead_request) +
		crypto_aead_reqsize(ctx->aead_send);
	struct aead_request *aead_req;
	int rc;

	aead_req = kmalloc(req_size, flags);
	if (!aead_req)
		return -ENOMEM;

	ctx->sg_encrypted_data[0].offset += tls_ctx->prepend_size;
	ctx->sg_encrypted_data[0].length -= tls_ctx->prepend_size;

	aead_request_set_tfm(aead_req, ctx->aead_send);
	aead_request_set_ad(aead_req, TLS_AAD_SPACE_SIZE);
	aead_request_set_crypt(aead_req, ctx->sg_aead_in, ctx->sg_aead_out,
			       data_len, tls_ctx->iv);
	rc = crypto_aead_encrypt(aead_req);

	ctx->sg_encrypted_data[0].offset -= tls_ctx->prepend_size;
	ctx->sg_encrypted_data[0].length += tls_ctx->prepend_size;

	kfree(aead_req);
	return rc;
}

static int tls_push_record(struct sock *sk, int flags,
			   unsigned char record_type)
{
	struct tls_context *tls_ctx = tls_get_ctx(sk);
	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
	int rc;

	sg_mark_end(ctx->sg_plaintext_data + ctx->sg_plaintext_num_elem - 1);
	sg_mark_end(ctx->sg_encrypted_data + ctx->sg_encrypted_num_elem - 1);

	tls_make_aad(0, ctx->aad_space, ctx->sg_plaintext_size,
		     tls_ctx->rec_seq, tls_ctx->rec_seq_size,
		     record_type);

	tls_fill_prepend(tls_ctx,
			 page_address(sg_page(&ctx->sg_encrypted_data[0])) +
			 ctx->sg_encrypted_data[0].offset,
			 ctx->sg_plaintext_size, record_type);

	tls_ctx->pending_open_record_frags = 0;
	set_bit(TLS_PENDING_CLOSED_RECORD, &tls_ctx->flags);

	rc = tls_do_encryption(tls_ctx, ctx, ctx->sg_plaintext_size,
			       sk->sk_allocation);
	if (rc < 0) {
		/* If we are called from write_space and
		 * we fail, we need to set this SOCK_NOSPACE
		 * to trigger another write_space in the future.
		 */
		set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
		return rc;
	}

	free_sg(sk, ctx->sg_plaintext_data, &ctx->sg_plaintext_num_elem,
		&ctx->sg_plaintext_size);

	ctx->sg_encrypted_num_elem = 0;
	ctx->sg_encrypted_size = 0;

	/* Only pass through MSG_DONTWAIT and MSG_NOSIGNAL flags */
	rc = tls_push_sg(sk, tls_ctx, ctx->sg_encrypted_data, 0, flags);
	if (rc < 0 && rc != -EAGAIN)
		tls_err_abort(sk);

	tls_advance_record_sn(sk, tls_ctx);
	return rc;
}

static int tls_sw_push_pending_record(struct sock *sk, int flags)
{
	return tls_push_record(sk, flags, TLS_RECORD_TYPE_DATA);
}

static int zerocopy_from_iter(struct sock *sk, struct iov_iter *from,
			      int length)
{
	struct tls_context *tls_ctx = tls_get_ctx(sk);
	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
	struct page *pages[MAX_SKB_FRAGS];

	size_t offset;
	ssize_t copied, use;
	int i = 0;
	unsigned int size = ctx->sg_plaintext_size;
	int num_elem = ctx->sg_plaintext_num_elem;
	int rc = 0;
	int maxpages;

	while (length > 0) {
		i = 0;
		maxpages = ARRAY_SIZE(ctx->sg_plaintext_data) - num_elem;
		if (maxpages == 0) {
			rc = -EFAULT;
			goto out;
		}
		copied = iov_iter_get_pages(from, pages,
					    length,
					    maxpages, &offset);
		if (copied <= 0) {
			rc = -EFAULT;
			goto out;
		}

		iov_iter_advance(from, copied);

		length -= copied;
		size += copied;
		while (copied) {
			use = min_t(int, copied, PAGE_SIZE - offset);

			sg_set_page(&ctx->sg_plaintext_data[num_elem],
				    pages[i], use, offset);
			sg_unmark_end(&ctx->sg_plaintext_data[num_elem]);
			sk_mem_charge(sk, use);

			offset = 0;
			copied -= use;

			++i;
			++num_elem;
		}
	}

out:
	ctx->sg_plaintext_size = size;
	ctx->sg_plaintext_num_elem = num_elem;
	return rc;
}

static int memcopy_from_iter(struct sock *sk, struct iov_iter *from,
			     int bytes)
{
	struct tls_context *tls_ctx = tls_get_ctx(sk);
	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
	struct scatterlist *sg = ctx->sg_plaintext_data;
	int copy, i, rc = 0;

	for (i = tls_ctx->pending_open_record_frags;
	     i < ctx->sg_plaintext_num_elem; ++i) {
		copy = sg[i].length;
		if (copy_from_iter(
				page_address(sg_page(&sg[i])) + sg[i].offset,
				copy, from) != copy) {
			rc = -EFAULT;
			goto out;
		}
		bytes -= copy;

		++tls_ctx->pending_open_record_frags;

		if (!bytes)
			break;
	}

out:
	return rc;
}

int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
{
	struct tls_context *tls_ctx = tls_get_ctx(sk);
	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
	int ret = 0;
	int required_size;
	long timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
	bool eor = !(msg->msg_flags & MSG_MORE);
	size_t try_to_copy, copied = 0;
	unsigned char record_type = TLS_RECORD_TYPE_DATA;
	int record_room;
	bool full_record;
	int orig_size;

	if (msg->msg_flags & ~(MSG_MORE | MSG_DONTWAIT | MSG_NOSIGNAL))
		return -ENOTSUPP;

	lock_sock(sk);

	if (tls_complete_pending_work(sk, tls_ctx, msg->msg_flags, &timeo))
		goto send_end;

	if (unlikely(msg->msg_controllen)) {
		ret = tls_proccess_cmsg(sk, msg, &record_type);
		if (ret)
			goto send_end;
	}

	while (msg_data_left(msg)) {
		if (sk->sk_err) {
			ret = sk->sk_err;
			goto send_end;
		}

		orig_size = ctx->sg_plaintext_size;
		full_record = false;
		try_to_copy = msg_data_left(msg);
		record_room = TLS_MAX_PAYLOAD_SIZE - ctx->sg_plaintext_size;
		if (try_to_copy >= record_room) {
			try_to_copy = record_room;
			full_record = true;
		}

		required_size = ctx->sg_plaintext_size + try_to_copy +
				tls_ctx->overhead_size;

		if (!sk_stream_memory_free(sk))
			goto wait_for_sndbuf;
alloc_encrypted:
		ret = alloc_encrypted_sg(sk, required_size);
		if (ret) {
			if (ret != -ENOSPC)
				goto wait_for_memory;

			/* Adjust try_to_copy according to the amount that was
			 * actually allocated. The difference is due
			 * to max sg elements limit
			 */
			try_to_copy -= required_size - ctx->sg_encrypted_size;
			full_record = true;
		}

		if (full_record || eor) {
			ret = zerocopy_from_iter(sk, &msg->msg_iter,
						 try_to_copy);
			if (ret)
				goto fallback_to_reg_send;

			copied += try_to_copy;
			ret = tls_push_record(sk, msg->msg_flags, record_type);
			if (!ret)
				continue;
			if (ret == -EAGAIN)
				goto send_end;

			copied -= try_to_copy;
fallback_to_reg_send:
			iov_iter_revert(&msg->msg_iter,
					ctx->sg_plaintext_size - orig_size);
			trim_sg(sk, ctx->sg_plaintext_data,
				&ctx->sg_plaintext_num_elem,
				&ctx->sg_plaintext_size,
				orig_size);
		}

		required_size = ctx->sg_plaintext_size + try_to_copy;
alloc_plaintext:
		ret = alloc_plaintext_sg(sk, required_size);
		if (ret) {
			if (ret != -ENOSPC)
				goto wait_for_memory;

			/* Adjust try_to_copy according to the amount that was
			 * actually allocated. The difference is due
			 * to max sg elements limit
			 */
			try_to_copy -= required_size - ctx->sg_plaintext_size;
			full_record = true;

			trim_sg(sk, ctx->sg_encrypted_data,
				&ctx->sg_encrypted_num_elem,
				&ctx->sg_encrypted_size,
				ctx->sg_plaintext_size +
				tls_ctx->overhead_size);
		}

		ret = memcopy_from_iter(sk, &msg->msg_iter, try_to_copy);
		if (ret)
			goto trim_sgl;

		copied += try_to_copy;
		if (full_record || eor) {
push_record:
			ret = tls_push_record(sk, msg->msg_flags, record_type);
			if (ret) {
				if (ret == -ENOMEM)
					goto wait_for_memory;

				goto send_end;
			}
		}

		continue;

wait_for_sndbuf:
		set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
wait_for_memory:
		ret = sk_stream_wait_memory(sk, &timeo);
		if (ret) {
trim_sgl:
			trim_both_sgl(sk, orig_size);
			goto send_end;
		}

		if (tls_is_pending_closed_record(tls_ctx))
			goto push_record;

		if (ctx->sg_encrypted_size < required_size)
			goto alloc_encrypted;

		goto alloc_plaintext;
	}

send_end:
	ret = sk_stream_error(sk, msg->msg_flags, ret);

	release_sock(sk);
	return copied ? copied : ret;
}

int tls_sw_sendpage(struct sock *sk, struct page *page,
		    int offset, size_t size, int flags)
{
	struct tls_context *tls_ctx = tls_get_ctx(sk);
	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
	int ret = 0;
	long timeo = sock_sndtimeo(sk, flags & MSG_DONTWAIT);
	bool eor;
	size_t orig_size = size;
	unsigned char record_type = TLS_RECORD_TYPE_DATA;
	struct scatterlist *sg;
	bool full_record;
	int record_room;

	if (flags & ~(MSG_MORE | MSG_DONTWAIT | MSG_NOSIGNAL |
		      MSG_SENDPAGE_NOTLAST))
		return -ENOTSUPP;

	/* No MSG_EOR from splice, only look at MSG_MORE */
	eor = !(flags & (MSG_MORE | MSG_SENDPAGE_NOTLAST));

	lock_sock(sk);

	sk_clear_bit(SOCKWQ_ASYNC_NOSPACE, sk);

	if (tls_complete_pending_work(sk, tls_ctx, flags, &timeo))
		goto sendpage_end;

	/* Call the sk_stream functions to manage the sndbuf mem. */
	while (size > 0) {
		size_t copy, required_size;

		if (sk->sk_err) {
			ret = sk->sk_err;
			goto sendpage_end;
		}

		full_record = false;
		record_room = TLS_MAX_PAYLOAD_SIZE - ctx->sg_plaintext_size;
		copy = size;
		if (copy >= record_room) {
			copy = record_room;
			full_record = true;
		}
		required_size = ctx->sg_plaintext_size + copy +
			      tls_ctx->overhead_size;

		if (!sk_stream_memory_free(sk))
			goto wait_for_sndbuf;
alloc_payload:
		ret = alloc_encrypted_sg(sk, required_size);
		if (ret) {
			if (ret != -ENOSPC)
				goto wait_for_memory;

			/* Adjust copy according to the amount that was
			 * actually allocated. The difference is due
			 * to max sg elements limit
			 */
			copy -= required_size - ctx->sg_plaintext_size;
			full_record = true;
		}

		get_page(page);
		sg = ctx->sg_plaintext_data + ctx->sg_plaintext_num_elem;
		sg_set_page(sg, page, copy, offset);
		ctx->sg_plaintext_num_elem++;

		sk_mem_charge(sk, copy);
		offset += copy;
		size -= copy;
		ctx->sg_plaintext_size += copy;
		tls_ctx->pending_open_record_frags = ctx->sg_plaintext_num_elem;

		if (full_record || eor ||
		    ctx->sg_plaintext_num_elem ==
		    ARRAY_SIZE(ctx->sg_plaintext_data)) {
push_record:
			ret = tls_push_record(sk, flags, record_type);
			if (ret) {
				if (ret == -ENOMEM)
					goto wait_for_memory;

				goto sendpage_end;
			}
		}
		continue;
wait_for_sndbuf:
		set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
wait_for_memory:
		ret = sk_stream_wait_memory(sk, &timeo);
		if (ret) {
			trim_both_sgl(sk, ctx->sg_plaintext_size);
			goto sendpage_end;
		}

		if (tls_is_pending_closed_record(tls_ctx))
			goto push_record;

		goto alloc_payload;
	}

sendpage_end:
	if (orig_size > size)
		ret = orig_size - size;
	else
		ret = sk_stream_error(sk, flags, ret);

	release_sock(sk);
	return ret;
}

void tls_sw_free_resources(struct sock *sk)
{
	struct tls_context *tls_ctx = tls_get_ctx(sk);
	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);

	if (ctx->aead_send)
		crypto_free_aead(ctx->aead_send);

	tls_free_both_sg(sk);

	kfree(ctx);
}

int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx)
{
	char keyval[TLS_CIPHER_AES_GCM_128_KEY_SIZE];
	struct tls_crypto_info *crypto_info;
	struct tls12_crypto_info_aes_gcm_128 *gcm_128_info;
	struct tls_sw_context *sw_ctx;
	u16 nonce_size, tag_size, iv_size, rec_seq_size;
	char *iv, *rec_seq;
	int rc = 0;

	if (!ctx) {
		rc = -EINVAL;
		goto out;
	}

	if (ctx->priv_ctx) {
		rc = -EEXIST;
		goto out;
	}

	sw_ctx = kzalloc(sizeof(*sw_ctx), GFP_KERNEL);
	if (!sw_ctx) {
		rc = -ENOMEM;
		goto out;
	}

	ctx->priv_ctx = (struct tls_offload_context *)sw_ctx;
	ctx->free_resources = tls_sw_free_resources;

	crypto_info = &ctx->crypto_send;
	switch (crypto_info->cipher_type) {
	case TLS_CIPHER_AES_GCM_128: {
		nonce_size = TLS_CIPHER_AES_GCM_128_IV_SIZE;
		tag_size = TLS_CIPHER_AES_GCM_128_TAG_SIZE;
		iv_size = TLS_CIPHER_AES_GCM_128_IV_SIZE;
		iv = ((struct tls12_crypto_info_aes_gcm_128 *)crypto_info)->iv;
		rec_seq_size = TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE;
		rec_seq =
		 ((struct tls12_crypto_info_aes_gcm_128 *)crypto_info)->rec_seq;
		gcm_128_info =
			(struct tls12_crypto_info_aes_gcm_128 *)crypto_info;
		break;
	}
	default:
		rc = -EINVAL;
		goto out;
	}

	ctx->prepend_size = TLS_HEADER_SIZE + nonce_size;
	ctx->tag_size = tag_size;
	ctx->overhead_size = ctx->prepend_size + ctx->tag_size;
	ctx->iv_size = iv_size;
	ctx->iv = kmalloc(iv_size + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
			  GFP_KERNEL);
	if (!ctx->iv) {
		rc = -ENOMEM;
		goto out;
	}
	memcpy(ctx->iv, gcm_128_info->salt, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
	memcpy(ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE, iv, iv_size);
	ctx->rec_seq_size = rec_seq_size;
	ctx->rec_seq = kmalloc(rec_seq_size, GFP_KERNEL);
	if (!ctx->rec_seq) {
		rc = -ENOMEM;
		goto free_iv;
	}
	memcpy(ctx->rec_seq, rec_seq, rec_seq_size);

	sg_init_table(sw_ctx->sg_encrypted_data,
		      ARRAY_SIZE(sw_ctx->sg_encrypted_data));
	sg_init_table(sw_ctx->sg_plaintext_data,
		      ARRAY_SIZE(sw_ctx->sg_plaintext_data));

	sg_init_table(sw_ctx->sg_aead_in, 2);
	sg_set_buf(&sw_ctx->sg_aead_in[0], sw_ctx->aad_space,
		   sizeof(sw_ctx->aad_space));
	sg_unmark_end(&sw_ctx->sg_aead_in[1]);
	sg_chain(sw_ctx->sg_aead_in, 2, sw_ctx->sg_plaintext_data);
	sg_init_table(sw_ctx->sg_aead_out, 2);
	sg_set_buf(&sw_ctx->sg_aead_out[0], sw_ctx->aad_space,
		   sizeof(sw_ctx->aad_space));
	sg_unmark_end(&sw_ctx->sg_aead_out[1]);
	sg_chain(sw_ctx->sg_aead_out, 2, sw_ctx->sg_encrypted_data);

	if (!sw_ctx->aead_send) {
		sw_ctx->aead_send = crypto_alloc_aead("gcm(aes)", 0, 0);
		if (IS_ERR(sw_ctx->aead_send)) {
			rc = PTR_ERR(sw_ctx->aead_send);
			sw_ctx->aead_send = NULL;
			goto free_rec_seq;
		}
	}

	ctx->push_pending_record = tls_sw_push_pending_record;

	memcpy(keyval, gcm_128_info->key, TLS_CIPHER_AES_GCM_128_KEY_SIZE);

	rc = crypto_aead_setkey(sw_ctx->aead_send, keyval,
				TLS_CIPHER_AES_GCM_128_KEY_SIZE);
	if (rc)
		goto free_aead;

	rc = crypto_aead_setauthsize(sw_ctx->aead_send, ctx->tag_size);
	if (!rc)
		goto out;

free_aead:
	crypto_free_aead(sw_ctx->aead_send);
	sw_ctx->aead_send = NULL;
free_rec_seq:
	kfree(ctx->rec_seq);
	ctx->rec_seq = NULL;
free_iv:
	kfree(ctx->iv);
	ctx->iv = NULL;
out:
	return rc;
}
Commit	Line	Data
3c4d7559 DW	1	/*
	2	* Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
	3	* Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved.
	4	* Copyright (c) 2016-2017, Lance Chao <lancerchao@fb.com>. All rights reserved.
	5	* Copyright (c) 2016, Fridolin Pokorny <fridolin.pokorny@gmail.com>. All rights reserved.
	6	* Copyright (c) 2016, Nikos Mavrogiannopoulos <nmav@gnutls.org>. All rights reserved.
	7	*
	8	* This software is available to you under a choice of one of two
	9	* licenses. You may choose to be licensed under the terms of the GNU
	10	* General Public License (GPL) Version 2, available from the file
	11	* COPYING in the main directory of this source tree, or the
	12	* OpenIB.org BSD license below:
	13	*
	14	* Redistribution and use in source and binary forms, with or
	15	* without modification, are permitted provided that the following
	16	* conditions are met:
	17	*
	18	* - Redistributions of source code must retain the above
	19	* copyright notice, this list of conditions and the following
	20	* disclaimer.
	21	*
	22	* - Redistributions in binary form must reproduce the above
	23	* copyright notice, this list of conditions and the following
	24	* disclaimer in the documentation and/or other materials
	25	* provided with the distribution.
	26	*
	27	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
	28	* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
	29	* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
	30	* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
	31	* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
	32	* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
	33	* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
	34	* SOFTWARE.
	35	*/
	36
	37	#include <linux/module.h>
	38	#include <crypto/aead.h>
	39
	40	#include <net/tls.h>
	41
	42	static inline void tls_make_aad(int recv,
	43	char *buf,
	44	size_t size,
	45	char *record_sequence,
	46	int record_sequence_size,
	47	unsigned char record_type)
	48	{
	49	memcpy(buf, record_sequence, record_sequence_size);
	50
	51	buf[8] = record_type;
	52	buf[9] = TLS_1_2_VERSION_MAJOR;
	53	buf[10] = TLS_1_2_VERSION_MINOR;
	54	buf[11] = size >> 8;
	55	buf[12] = size & 0xFF;
	56	}
	57
	58	static void trim_sg(struct sock sk, struct scatterlist sg,
	59	int sg_num_elem, unsigned int sg_size, int target_size)
	60	{
	61	int i = *sg_num_elem - 1;
	62	int trim = *sg_size - target_size;
	63
	64	if (trim <= 0) {
65	WARN_ON(trim < 0);
66	return;
67	}
68
69	*sg_size = target_size;
70	while (trim >= sg[i].length) {
71	trim -= sg[i].length;
72	sk_mem_uncharge(sk, sg[i].length);
73	put_page(sg_page(&sg[i]));
74	i--;
75
76	if (i < 0)
77	goto out;
78	}
79
80	sg[i].length -= trim;
81	sk_mem_uncharge(sk, trim);
82
83	out:
84	*sg_num_elem = i + 1;
85	}
86
87	static void trim_both_sgl(struct sock *sk, int target_size)
88	{
89	struct tls_context *tls_ctx = tls_get_ctx(sk);
90	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
91
92	trim_sg(sk, ctx->sg_plaintext_data,
93	&ctx->sg_plaintext_num_elem,
94	&ctx->sg_plaintext_size,
95	target_size);
96
97	if (target_size > 0)
98	target_size += tls_ctx->overhead_size;
99
100	trim_sg(sk, ctx->sg_encrypted_data,
101	&ctx->sg_encrypted_num_elem,
102	&ctx->sg_encrypted_size,
103	target_size);
104	}
105
106	static int alloc_sg(struct sock sk, int len, struct scatterlist sg,
107	int sg_num_elem, unsigned int sg_size,
108	int first_coalesce)
109	{
110	struct page_frag *pfrag;
111	unsigned int size = *sg_size;
112	int num_elem = *sg_num_elem, use = 0, rc = 0;
113	struct scatterlist *sge;
114	unsigned int orig_offset;
115
116	len -= size;
117	pfrag = sk_page_frag(sk);
118
119	while (len > 0) {
120	if (!sk_page_frag_refill(sk, pfrag)) {
121	rc = -ENOMEM;
122	goto out;
123	}
124
125	use = min_t(int, len, pfrag->size - pfrag->offset);
126
127	if (!sk_wmem_schedule(sk, use)) {
128	rc = -ENOMEM;
129	goto out;
130	}
131
132	sk_mem_charge(sk, use);
133	size += use;
134	orig_offset = pfrag->offset;
135	pfrag->offset += use;
136
137	sge = sg + num_elem - 1;
138	if (num_elem > first_coalesce && sg_page(sg) == pfrag->page &&
139	sg->offset + sg->length == orig_offset) {
140	sg->length += use;
141	} else {
142	sge++;
143	sg_unmark_end(sge);
144	sg_set_page(sge, pfrag->page, use, orig_offset);
145	get_page(pfrag->page);
146	++num_elem;
147	if (num_elem == MAX_SKB_FRAGS) {
148	rc = -ENOSPC;
149	break;
150	}
151	}
152
153	len -= use;
154	}
155	goto out;
156
157	out:
158	*sg_size = size;
159	*sg_num_elem = num_elem;
160	return rc;
161	}
162
163	static int alloc_encrypted_sg(struct sock *sk, int len)
164	{
165	struct tls_context *tls_ctx = tls_get_ctx(sk);
166	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
167	int rc = 0;
168
169	rc = alloc_sg(sk, len, ctx->sg_encrypted_data,
170	&ctx->sg_encrypted_num_elem, &ctx->sg_encrypted_size, 0);
171
172	return rc;
173	}
174
175	static int alloc_plaintext_sg(struct sock *sk, int len)
176	{
177	struct tls_context *tls_ctx = tls_get_ctx(sk);
178	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
179	int rc = 0;
180
181	rc = alloc_sg(sk, len, ctx->sg_plaintext_data,
182	&ctx->sg_plaintext_num_elem, &ctx->sg_plaintext_size,
183	tls_ctx->pending_open_record_frags);
184
185	return rc;
186	}
187
188	static void free_sg(struct sock sk, struct scatterlist sg,
189	int sg_num_elem, unsigned int sg_size)
190	{
191	int i, n = *sg_num_elem;
192
193	for (i = 0; i < n; ++i) {
194	sk_mem_uncharge(sk, sg[i].length);
195	put_page(sg_page(&sg[i]));
196	}
197	*sg_num_elem = 0;
198	*sg_size = 0;
199	}
200
201	static void tls_free_both_sg(struct sock *sk)
202	{
203	struct tls_context *tls_ctx = tls_get_ctx(sk);
204	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
205
206	free_sg(sk, ctx->sg_encrypted_data, &ctx->sg_encrypted_num_elem,
207	&ctx->sg_encrypted_size);
208
209	free_sg(sk, ctx->sg_plaintext_data, &ctx->sg_plaintext_num_elem,
210	&ctx->sg_plaintext_size);
211	}
212
213	static int tls_do_encryption(struct tls_context *tls_ctx,
214	struct tls_sw_context *ctx, size_t data_len,
215	gfp_t flags)
216	{
217	unsigned int req_size = sizeof(struct aead_request) +
218	crypto_aead_reqsize(ctx->aead_send);
219	struct aead_request *aead_req;
220	int rc;
221
222	aead_req = kmalloc(req_size, flags);
223	if (!aead_req)
224	return -ENOMEM;
225
226	ctx->sg_encrypted_data[0].offset += tls_ctx->prepend_size;
227	ctx->sg_encrypted_data[0].length -= tls_ctx->prepend_size;
228
229	aead_request_set_tfm(aead_req, ctx->aead_send);
230	aead_request_set_ad(aead_req, TLS_AAD_SPACE_SIZE);
231	aead_request_set_crypt(aead_req, ctx->sg_aead_in, ctx->sg_aead_out,
232	data_len, tls_ctx->iv);
233	rc = crypto_aead_encrypt(aead_req);
234
235	ctx->sg_encrypted_data[0].offset -= tls_ctx->prepend_size;
236	ctx->sg_encrypted_data[0].length += tls_ctx->prepend_size;
237
238	kfree(aead_req);
239	return rc;
240	}
241
242	static int tls_push_record(struct sock *sk, int flags,
243	unsigned char record_type)
244	{
245	struct tls_context *tls_ctx = tls_get_ctx(sk);
246	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
247	int rc;
248
249	sg_mark_end(ctx->sg_plaintext_data + ctx->sg_plaintext_num_elem - 1);
250	sg_mark_end(ctx->sg_encrypted_data + ctx->sg_encrypted_num_elem - 1);
251
252	tls_make_aad(0, ctx->aad_space, ctx->sg_plaintext_size,
253	tls_ctx->rec_seq, tls_ctx->rec_seq_size,
254	record_type);
255
256	tls_fill_prepend(tls_ctx,
257	page_address(sg_page(&ctx->sg_encrypted_data[0])) +
258	ctx->sg_encrypted_data[0].offset,
259	ctx->sg_plaintext_size, record_type);
260
261	tls_ctx->pending_open_record_frags = 0;
262	set_bit(TLS_PENDING_CLOSED_RECORD, &tls_ctx->flags);
263
264	rc = tls_do_encryption(tls_ctx, ctx, ctx->sg_plaintext_size,
265	sk->sk_allocation);
266	if (rc < 0) {
267	/* If we are called from write_space and
268	* we fail, we need to set this SOCK_NOSPACE
269	* to trigger another write_space in the future.
270	*/
271	set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
272	return rc;
273	}
274
275	free_sg(sk, ctx->sg_plaintext_data, &ctx->sg_plaintext_num_elem,
276	&ctx->sg_plaintext_size);
277
278	ctx->sg_encrypted_num_elem = 0;
279	ctx->sg_encrypted_size = 0;
280
281	/* Only pass through MSG_DONTWAIT and MSG_NOSIGNAL flags */
282	rc = tls_push_sg(sk, tls_ctx, ctx->sg_encrypted_data, 0, flags);
283	if (rc < 0 && rc != -EAGAIN)
284	tls_err_abort(sk);
285
286	tls_advance_record_sn(sk, tls_ctx);
287	return rc;
288	}
289
290	static int tls_sw_push_pending_record(struct sock *sk, int flags)
291	{
292	return tls_push_record(sk, flags, TLS_RECORD_TYPE_DATA);
293	}
294
295	static int zerocopy_from_iter(struct sock sk, struct iov_iter from,
296	int length)
297	{
298	struct tls_context *tls_ctx = tls_get_ctx(sk);
299	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
300	struct page *pages[MAX_SKB_FRAGS];
301
302	size_t offset;
303	ssize_t copied, use;
304	int i = 0;
305	unsigned int size = ctx->sg_plaintext_size;
306	int num_elem = ctx->sg_plaintext_num_elem;
307	int rc = 0;
308	int maxpages;
309
310	while (length > 0) {
311	i = 0;
312	maxpages = ARRAY_SIZE(ctx->sg_plaintext_data) - num_elem;
313	if (maxpages == 0) {
314	rc = -EFAULT;
315	goto out;
316	}
317	copied = iov_iter_get_pages(from, pages,
318	length,
319	maxpages, &offset);
320	if (copied <= 0) {
321	rc = -EFAULT;
322	goto out;
323	}
324
325	iov_iter_advance(from, copied);
326
327	length -= copied;
328	size += copied;
329	while (copied) {
330	use = min_t(int, copied, PAGE_SIZE - offset);
331
332	sg_set_page(&ctx->sg_plaintext_data[num_elem],
333	pages[i], use, offset);
334	sg_unmark_end(&ctx->sg_plaintext_data[num_elem]);
335	sk_mem_charge(sk, use);
336
337	offset = 0;
338	copied -= use;
339
340	++i;
341	++num_elem;
342	}
343	}
344
345	out:
346	ctx->sg_plaintext_size = size;
347	ctx->sg_plaintext_num_elem = num_elem;
348	return rc;
349	}
350
351	static int memcopy_from_iter(struct sock sk, struct iov_iter from,
352	int bytes)
353	{
354	struct tls_context *tls_ctx = tls_get_ctx(sk);
355	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
356	struct scatterlist *sg = ctx->sg_plaintext_data;
357	int copy, i, rc = 0;
358
359	for (i = tls_ctx->pending_open_record_frags;
360	i < ctx->sg_plaintext_num_elem; ++i) {
361	copy = sg[i].length;
362	if (copy_from_iter(
363	page_address(sg_page(&sg[i])) + sg[i].offset,
364	copy, from) != copy) {
365	rc = -EFAULT;
366	goto out;
367	}
368	bytes -= copy;
369
370	++tls_ctx->pending_open_record_frags;
371
372	if (!bytes)
373	break;
374	}
375
376	out:
377	return rc;
378	}
379
380	int tls_sw_sendmsg(struct sock sk, struct msghdr msg, size_t size)
381	{
382	struct tls_context *tls_ctx = tls_get_ctx(sk);
383	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
384	int ret = 0;
385	int required_size;
386	long timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
387	bool eor = !(msg->msg_flags & MSG_MORE);
388	size_t try_to_copy, copied = 0;
389	unsigned char record_type = TLS_RECORD_TYPE_DATA;
390	int record_room;
391	bool full_record;
392	int orig_size;
393
394	if (msg->msg_flags & ~(MSG_MORE \| MSG_DONTWAIT \| MSG_NOSIGNAL))
395	return -ENOTSUPP;
396
397	lock_sock(sk);
398
399	if (tls_complete_pending_work(sk, tls_ctx, msg->msg_flags, &timeo))
400	goto send_end;
401
402	if (unlikely(msg->msg_controllen)) {
403	ret = tls_proccess_cmsg(sk, msg, &record_type);
404	if (ret)
405	goto send_end;
406	}
407
408	while (msg_data_left(msg)) {
409	if (sk->sk_err) {
410	ret = sk->sk_err;
411	goto send_end;
412	}
413
414	orig_size = ctx->sg_plaintext_size;
415	full_record = false;
416	try_to_copy = msg_data_left(msg);
417	record_room = TLS_MAX_PAYLOAD_SIZE - ctx->sg_plaintext_size;
418	if (try_to_copy >= record_room) {
419	try_to_copy = record_room;
420	full_record = true;
421	}
422
423	required_size = ctx->sg_plaintext_size + try_to_copy +
424	tls_ctx->overhead_size;
425
426	if (!sk_stream_memory_free(sk))
427	goto wait_for_sndbuf;
428	alloc_encrypted:
429	ret = alloc_encrypted_sg(sk, required_size);
430	if (ret) {
431	if (ret != -ENOSPC)
432	goto wait_for_memory;
433
434	/* Adjust try_to_copy according to the amount that was
435	* actually allocated. The difference is due
436	* to max sg elements limit
437	*/
438	try_to_copy -= required_size - ctx->sg_encrypted_size;
439	full_record = true;
440	}
441
442	if (full_record \|\| eor) {
443	ret = zerocopy_from_iter(sk, &msg->msg_iter,
444	try_to_copy);
445	if (ret)
446	goto fallback_to_reg_send;
447
448	copied += try_to_copy;
449	ret = tls_push_record(sk, msg->msg_flags, record_type);
450	if (!ret)
451	continue;
452	if (ret == -EAGAIN)
453	goto send_end;
454
455	copied -= try_to_copy;
456	fallback_to_reg_send:
457	iov_iter_revert(&msg->msg_iter,
458	ctx->sg_plaintext_size - orig_size);
459	trim_sg(sk, ctx->sg_plaintext_data,
460	&ctx->sg_plaintext_num_elem,
461	&ctx->sg_plaintext_size,
462	orig_size);
463	}
464
465	required_size = ctx->sg_plaintext_size + try_to_copy;
466	alloc_plaintext:
467	ret = alloc_plaintext_sg(sk, required_size);
468	if (ret) {
469	if (ret != -ENOSPC)
470	goto wait_for_memory;
471
472	/* Adjust try_to_copy according to the amount that was
473	* actually allocated. The difference is due
474	* to max sg elements limit
475	*/
476	try_to_copy -= required_size - ctx->sg_plaintext_size;
477	full_record = true;
478
479	trim_sg(sk, ctx->sg_encrypted_data,
480	&ctx->sg_encrypted_num_elem,
481	&ctx->sg_encrypted_size,
482	ctx->sg_plaintext_size +
483	tls_ctx->overhead_size);
484	}
485
486	ret = memcopy_from_iter(sk, &msg->msg_iter, try_to_copy);
487	if (ret)
488	goto trim_sgl;
489
490	copied += try_to_copy;
491	if (full_record \|\| eor) {
492	push_record:
493	ret = tls_push_record(sk, msg->msg_flags, record_type);
494	if (ret) {
495	if (ret == -ENOMEM)
496	goto wait_for_memory;
497
498	goto send_end;
499	}
500	}
501
502	continue;
503
504	wait_for_sndbuf:
505	set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
506	wait_for_memory:
507	ret = sk_stream_wait_memory(sk, &timeo);
508	if (ret) {
509	trim_sgl:
510	trim_both_sgl(sk, orig_size);
511	goto send_end;
512	}
513
514	if (tls_is_pending_closed_record(tls_ctx))
515	goto push_record;
516
517	if (ctx->sg_encrypted_size < required_size)
518	goto alloc_encrypted;
519
520	goto alloc_plaintext;
521	}
522
523	send_end:
524	ret = sk_stream_error(sk, msg->msg_flags, ret);
525
526	release_sock(sk);
527	return copied ? copied : ret;
528	}
529
530	int tls_sw_sendpage(struct sock sk, struct page page,
531	int offset, size_t size, int flags)
532	{
533	struct tls_context *tls_ctx = tls_get_ctx(sk);
534	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
535	int ret = 0;
536	long timeo = sock_sndtimeo(sk, flags & MSG_DONTWAIT);
537	bool eor;
538	size_t orig_size = size;
539	unsigned char record_type = TLS_RECORD_TYPE_DATA;
540	struct scatterlist *sg;
541	bool full_record;
542	int record_room;
543
544	if (flags & ~(MSG_MORE \| MSG_DONTWAIT \| MSG_NOSIGNAL \|
545	MSG_SENDPAGE_NOTLAST))
546	return -ENOTSUPP;
547
548	/* No MSG_EOR from splice, only look at MSG_MORE */
549	eor = !(flags & (MSG_MORE \| MSG_SENDPAGE_NOTLAST));
550
551	lock_sock(sk);
552
553	sk_clear_bit(SOCKWQ_ASYNC_NOSPACE, sk);
554
555	if (tls_complete_pending_work(sk, tls_ctx, flags, &timeo))
556	goto sendpage_end;
557
558	/* Call the sk_stream functions to manage the sndbuf mem. */
559	while (size > 0) {
560	size_t copy, required_size;
561
562	if (sk->sk_err) {
563	ret = sk->sk_err;
564	goto sendpage_end;
565	}
566
567	full_record = false;
568	record_room = TLS_MAX_PAYLOAD_SIZE - ctx->sg_plaintext_size;
569	copy = size;
570	if (copy >= record_room) {
571	copy = record_room;
572	full_record = true;
573	}
574	required_size = ctx->sg_plaintext_size + copy +
575	tls_ctx->overhead_size;
576
577	if (!sk_stream_memory_free(sk))
578	goto wait_for_sndbuf;
579	alloc_payload:
580	ret = alloc_encrypted_sg(sk, required_size);
581	if (ret) {
582	if (ret != -ENOSPC)
583	goto wait_for_memory;
584
585	/* Adjust copy according to the amount that was
586	* actually allocated. The difference is due
587	* to max sg elements limit
588	*/
589	copy -= required_size - ctx->sg_plaintext_size;
590	full_record = true;
591	}
592
593	get_page(page);
594	sg = ctx->sg_plaintext_data + ctx->sg_plaintext_num_elem;
595	sg_set_page(sg, page, copy, offset);
596	ctx->sg_plaintext_num_elem++;
597
598	sk_mem_charge(sk, copy);
599	offset += copy;
600	size -= copy;
601	ctx->sg_plaintext_size += copy;
602	tls_ctx->pending_open_record_frags = ctx->sg_plaintext_num_elem;
603
604	if (full_record \|\| eor \|\|
605	ctx->sg_plaintext_num_elem ==
606	ARRAY_SIZE(ctx->sg_plaintext_data)) {
607	push_record:
608	ret = tls_push_record(sk, flags, record_type);
609	if (ret) {
610	if (ret == -ENOMEM)
611	goto wait_for_memory;
612
613	goto sendpage_end;
614	}
615	}
616	continue;
617	wait_for_sndbuf:
618	set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
619	wait_for_memory:
620	ret = sk_stream_wait_memory(sk, &timeo);
621	if (ret) {
622	trim_both_sgl(sk, ctx->sg_plaintext_size);
623	goto sendpage_end;
624	}
625
626	if (tls_is_pending_closed_record(tls_ctx))
627	goto push_record;
628
629	goto alloc_payload;
630	}
631
632	sendpage_end:
633	if (orig_size > size)
634	ret = orig_size - size;
635	else
636	ret = sk_stream_error(sk, flags, ret);
637
638	release_sock(sk);
639	return ret;
640	}
641
642	void tls_sw_free_resources(struct sock *sk)
643	{
644	struct tls_context *tls_ctx = tls_get_ctx(sk);
645	struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
646
647	if (ctx->aead_send)
648	crypto_free_aead(ctx->aead_send);
649
650	tls_free_both_sg(sk);
651
652	kfree(ctx);
653	}
654
655	int tls_set_sw_offload(struct sock sk, struct tls_context ctx)
656	{
657	char keyval[TLS_CIPHER_AES_GCM_128_KEY_SIZE];
658	struct tls_crypto_info *crypto_info;
659	struct tls12_crypto_info_aes_gcm_128 *gcm_128_info;
660	struct tls_sw_context *sw_ctx;
661	u16 nonce_size, tag_size, iv_size, rec_seq_size;
662	char iv, rec_seq;
663	int rc = 0;
664
665	if (!ctx) {
666	rc = -EINVAL;
667	goto out;
668	}
669
670	if (ctx->priv_ctx) {
671	rc = -EEXIST;
672	goto out;
673	}
674
675	sw_ctx = kzalloc(sizeof(*sw_ctx), GFP_KERNEL);
676	if (!sw_ctx) {
677	rc = -ENOMEM;
678	goto out;
679	}
680
681	ctx->priv_ctx = (struct tls_offload_context *)sw_ctx;
682	ctx->free_resources = tls_sw_free_resources;
683
684	crypto_info = &ctx->crypto_send;
685	switch (crypto_info->cipher_type) {
686	case TLS_CIPHER_AES_GCM_128: {
687	nonce_size = TLS_CIPHER_AES_GCM_128_IV_SIZE;
688	tag_size = TLS_CIPHER_AES_GCM_128_TAG_SIZE;
689	iv_size = TLS_CIPHER_AES_GCM_128_IV_SIZE;
690	iv = ((struct tls12_crypto_info_aes_gcm_128 *)crypto_info)->iv;
691	rec_seq_size = TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE;
692	rec_seq =
693	((struct tls12_crypto_info_aes_gcm_128 *)crypto_info)->rec_seq;
694	gcm_128_info =
695	(struct tls12_crypto_info_aes_gcm_128 *)crypto_info;
696	break;
697	}
698	default:
699	rc = -EINVAL;
700	goto out;
701	}
702
703	ctx->prepend_size = TLS_HEADER_SIZE + nonce_size;
704	ctx->tag_size = tag_size;
705	ctx->overhead_size = ctx->prepend_size + ctx->tag_size;
706	ctx->iv_size = iv_size;
707	ctx->iv = kmalloc(iv_size + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
708	GFP_KERNEL);
709	if (!ctx->iv) {
710	rc = -ENOMEM;
711	goto out;
712	}
713	memcpy(ctx->iv, gcm_128_info->salt, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
714	memcpy(ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE, iv, iv_size);
715	ctx->rec_seq_size = rec_seq_size;
716	ctx->rec_seq = kmalloc(rec_seq_size, GFP_KERNEL);
717	if (!ctx->rec_seq) {
718	rc = -ENOMEM;
719	goto free_iv;
720	}
721	memcpy(ctx->rec_seq, rec_seq, rec_seq_size);
722
723	sg_init_table(sw_ctx->sg_encrypted_data,
724	ARRAY_SIZE(sw_ctx->sg_encrypted_data));
725	sg_init_table(sw_ctx->sg_plaintext_data,
726	ARRAY_SIZE(sw_ctx->sg_plaintext_data));
727
728	sg_init_table(sw_ctx->sg_aead_in, 2);
729	sg_set_buf(&sw_ctx->sg_aead_in[0], sw_ctx->aad_space,
730	sizeof(sw_ctx->aad_space));
731	sg_unmark_end(&sw_ctx->sg_aead_in[1]);
732	sg_chain(sw_ctx->sg_aead_in, 2, sw_ctx->sg_plaintext_data);
733	sg_init_table(sw_ctx->sg_aead_out, 2);
734	sg_set_buf(&sw_ctx->sg_aead_out[0], sw_ctx->aad_space,
735	sizeof(sw_ctx->aad_space));
736	sg_unmark_end(&sw_ctx->sg_aead_out[1]);
737	sg_chain(sw_ctx->sg_aead_out, 2, sw_ctx->sg_encrypted_data);
738
739	if (!sw_ctx->aead_send) {
740	sw_ctx->aead_send = crypto_alloc_aead("gcm(aes)", 0, 0);
741	if (IS_ERR(sw_ctx->aead_send)) {
742	rc = PTR_ERR(sw_ctx->aead_send);
743	sw_ctx->aead_send = NULL;
744	goto free_rec_seq;
745	}
746	}
747
748	ctx->push_pending_record = tls_sw_push_pending_record;
749
750	memcpy(keyval, gcm_128_info->key, TLS_CIPHER_AES_GCM_128_KEY_SIZE);
751
752	rc = crypto_aead_setkey(sw_ctx->aead_send, keyval,
753	TLS_CIPHER_AES_GCM_128_KEY_SIZE);
754	if (rc)
755	goto free_aead;
756
757	rc = crypto_aead_setauthsize(sw_ctx->aead_send, ctx->tag_size);
758	if (!rc)
759	goto out;
760
761	free_aead:
762	crypto_free_aead(sw_ctx->aead_send);
763	sw_ctx->aead_send = NULL;
764	free_rec_seq:
765	kfree(ctx->rec_seq);
766	ctx->rec_seq = NULL;
767	free_iv:
768	kfree(ctx->iv);
769	ctx->iv = NULL;
770	out:
771	return rc;
772	}