tls: zero the crypto information from tls_context before freeing

BugLink: https://bugs.launchpad.net/bugs/1836287
[ Upstream commit 86029d10af18381814881d6cce2dd6872163b59f ]

This contains key material in crypto_send_aes_gcm_128 and
crypto_recv_aes_gcm_128.

Introduce union tls_crypto_context, and replace the two identical
unions directly embedded in struct tls_context with it. We can then
use this union to clean up the memory in the new tls_ctx_free()
function.

Fixes: 3c4d7559159b ("tls: kernel TLS support")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

diff --git a/include/net/tls.h b/include/net/tls.h
index 7841bd70c70db8d6fa97b6d228d5ed74f56fe136..18a937407427bd83440b4797b3beb18a9ac96fa2 100644 (file)
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -79,11 +79,13 @@ enum {
        TLS_PENDING_CLOSED_RECORD
 };
 
+union tls_crypto_context {
+       struct tls_crypto_info info;
+       struct tls12_crypto_info_aes_gcm_128 aes_gcm_128;
+};
+
 struct tls_context {
-       union {
-               struct tls_crypto_info crypto_send;
-               struct tls12_crypto_info_aes_gcm_128 crypto_send_aes_gcm_128;
-       };
+       union tls_crypto_context crypto_send;
 
        void *priv_ctx;
 
@@ -210,8 +212,8 @@ static inline void tls_fill_prepend(struct tls_context *ctx,
         * size KTLS_DTLS_HEADER_SIZE + KTLS_DTLS_NONCE_EXPLICIT_SIZE
         */
        buf[0] = record_type;
-       buf[1] = TLS_VERSION_MINOR(ctx->crypto_send.version);
-       buf[2] = TLS_VERSION_MAJOR(ctx->crypto_send.version);
+       buf[1] = TLS_VERSION_MINOR(ctx->crypto_send.info.version);
+       buf[2] = TLS_VERSION_MAJOR(ctx->crypto_send.info.version);
        /* we can use IV for nonce explicit according to spec */
        buf[3] = pkt_len >> 8;
        buf[4] = pkt_len & 0xFF;

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index e0863060d3b2f70ee9c603cc52fa84b844d1890f..ecce00288560a76da86896067ed6509a1777a22b 100644 (file)
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -238,6 +238,15 @@ static void tls_write_space(struct sock *sk)
        ctx->sk_write_space(sk);
 }
 
+static void tls_ctx_free(struct tls_context *ctx)
+{
+       if (!ctx)
+               return;
+
+       memzero_explicit(&ctx->crypto_send, sizeof(ctx->crypto_send));
+       kfree(ctx);
+}
+
 static void tls_sk_proto_close(struct sock *sk, long timeout)
 {
        struct tls_context *ctx = tls_get_ctx(sk);
@@ -248,7 +257,7 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
        sk_proto_close = ctx->sk_proto_close;
 
        if (ctx->tx_conf == TLS_BASE_TX) {
-               kfree(ctx);
+               tls_ctx_free(ctx);
                goto skip_tx_cleanup;
        }
 
@@ -301,7 +310,7 @@ static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
        }
 
        /* get user crypto info */
-       crypto_info = &ctx->crypto_send;
+       crypto_info = &ctx->crypto_send.info;
 
        if (!TLS_CRYPTO_INFO_READY(crypto_info)) {
                rc = -EBUSY;
@@ -385,7 +394,9 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
                goto out;
        }
 
-       crypto_info = &ctx->crypto_send;
+       /* get user crypto info */
+       crypto_info = &ctx->crypto_send.info;
+
        /* Currently we don't support set crypto info more than one time */
        if (TLS_CRYPTO_INFO_READY(crypto_info)) {
                rc = -EBUSY;

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index c02a02995331d7ff6e687c22d65fab38dffc8ae4..496e11408eaf99c73e577318e911e68999d86c3e 100644 (file)
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -673,7 +673,7 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx)
 
        ctx->priv_ctx = (struct tls_offload_context *)sw_ctx;
 
-       crypto_info = &ctx->crypto_send;
+       crypto_info = &ctx->crypto_send.info;
        switch (crypto_info->cipher_type) {
        case TLS_CIPHER_AES_GCM_128: {
                nonce_size = TLS_CIPHER_AES_GCM_128_IV_SIZE;