1 /* 2 * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved. 3 * Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved. 4 * Copyright (c) 2016-2017, Lance Chao <lancerchao@fb.com>. All rights reserved. 5 * Copyright (c) 2016, Fridolin Pokorny <fridolin.pokorny@gmail.com>. All rights reserved. 6 * Copyright (c) 2016, Nikos Mavrogiannopoulos <nmav@gnutls.org>. All rights reserved. 7 * Copyright (c) 2018, Covalent IO, Inc. http://covalent.io 8 * 9 * This software is available to you under a choice of one of two 10 * licenses. You may choose to be licensed under the terms of the GNU 11 * General Public License (GPL) Version 2, available from the file 12 * COPYING in the main directory of this source tree, or the 13 * OpenIB.org BSD license below: 14 * 15 * Redistribution and use in source and binary forms, with or 16 * without modification, are permitted provided that the following 17 * conditions are met: 18 * 19 * - Redistributions of source code must retain the above 20 * copyright notice, this list of conditions and the following 21 * disclaimer. 22 * 23 * - Redistributions in binary form must reproduce the above 24 * copyright notice, this list of conditions and the following 25 * disclaimer in the documentation and/or other materials 26 * provided with the distribution. 27 * 28 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 29 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 30 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 31 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 32 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 33 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 34 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 35 * SOFTWARE. 36 */ 37 38 #include <linux/bug.h> 39 #include <linux/sched/signal.h> 40 #include <linux/module.h> 41 #include <linux/kernel.h> 42 #include <linux/splice.h> 43 #include <crypto/aead.h> 44 45 #include <net/strparser.h> 46 #include <net/tls.h> 47 #include <trace/events/sock.h> 48 49 #include "tls.h" 50 51 struct tls_decrypt_arg { 52 struct_group(inargs, 53 bool zc; 54 bool async; 55 bool async_done; 56 u8 tail; 57 ); 58 59 struct sk_buff *skb; 60 }; 61 62 struct tls_decrypt_ctx { 63 struct sock *sk; 64 u8 iv[TLS_MAX_IV_SIZE]; 65 u8 aad[TLS_MAX_AAD_SIZE]; 66 u8 tail; 67 bool free_sgout; 68 struct scatterlist sg[]; 69 }; 70 71 noinline void tls_err_abort(struct sock *sk, int err) 72 { 73 WARN_ON_ONCE(err >= 0); 74 /* sk->sk_err should contain a positive error code. */ 75 WRITE_ONCE(sk->sk_err, -err); 76 /* Paired with smp_rmb() in tcp_poll() */ 77 smp_wmb(); 78 sk_error_report(sk); 79 } 80 81 static int __skb_nsg(struct sk_buff *skb, int offset, int len, 82 unsigned int recursion_level) 83 { 84 int start = skb_headlen(skb); 85 int i, chunk = start - offset; 86 struct sk_buff *frag_iter; 87 int elt = 0; 88 89 if (unlikely(recursion_level >= 24)) 90 return -EMSGSIZE; 91 92 if (chunk > 0) { 93 if (chunk > len) 94 chunk = len; 95 elt++; 96 len -= chunk; 97 if (len == 0) 98 return elt; 99 offset += chunk; 100 } 101 102 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { 103 int end; 104 105 WARN_ON(start > offset + len); 106 107 end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]); 108 chunk = end - offset; 109 if (chunk > 0) { 110 if (chunk > len) 111 chunk = len; 112 elt++; 113 len -= chunk; 114 if (len == 0) 115 return elt; 116 offset += chunk; 117 } 118 start = end; 119 } 120 121 if (unlikely(skb_has_frag_list(skb))) { 122 skb_walk_frags(skb, frag_iter) { 123 int end, ret; 124 125 WARN_ON(start > offset + len); 126 127 end = start + frag_iter->len; 128 chunk = end - offset; 129 if (chunk > 0) { 130 if (chunk > len) 131 chunk = len; 132 ret = __skb_nsg(frag_iter, offset - start, chunk, 133 recursion_level + 1); 134 if (unlikely(ret < 0)) 135 return ret; 136 elt += ret; 137 len -= chunk; 138 if (len == 0) 139 return elt; 140 offset += chunk; 141 } 142 start = end; 143 } 144 } 145 BUG_ON(len); 146 return elt; 147 } 148 149 /* Return the number of scatterlist elements required to completely map the 150 * skb, or -EMSGSIZE if the recursion depth is exceeded. 151 */ 152 static int skb_nsg(struct sk_buff *skb, int offset, int len) 153 { 154 return __skb_nsg(skb, offset, len, 0); 155 } 156 157 static int tls_padding_length(struct tls_prot_info *prot, struct sk_buff *skb, 158 struct tls_decrypt_arg *darg) 159 { 160 struct strp_msg *rxm = strp_msg(skb); 161 struct tls_msg *tlm = tls_msg(skb); 162 int sub = 0; 163 164 /* Determine zero-padding length */ 165 if (prot->version == TLS_1_3_VERSION) { 166 int offset = rxm->full_len - TLS_TAG_SIZE - 1; 167 char content_type = darg->zc ? darg->tail : 0; 168 int err; 169 170 while (content_type == 0) { 171 if (offset < prot->prepend_size) 172 return -EBADMSG; 173 err = skb_copy_bits(skb, rxm->offset + offset, 174 &content_type, 1); 175 if (err) 176 return err; 177 if (content_type) 178 break; 179 sub++; 180 offset--; 181 } 182 tlm->control = content_type; 183 } 184 return sub; 185 } 186 187 static void tls_decrypt_done(void *data, int err) 188 { 189 struct aead_request *aead_req = data; 190 struct crypto_aead *aead = crypto_aead_reqtfm(aead_req); 191 struct scatterlist *sgout = aead_req->dst; 192 struct tls_sw_context_rx *ctx; 193 struct tls_decrypt_ctx *dctx; 194 struct tls_context *tls_ctx; 195 struct scatterlist *sg; 196 unsigned int pages; 197 struct sock *sk; 198 int aead_size; 199 200 /* If requests get too backlogged crypto API returns -EBUSY and calls 201 * ->complete(-EINPROGRESS) immediately followed by ->complete(0) 202 * to make waiting for backlog to flush with crypto_wait_req() easier. 203 * First wait converts -EBUSY -> -EINPROGRESS, and the second one 204 * -EINPROGRESS -> 0. 205 * We have a single struct crypto_async_request per direction, this 206 * scheme doesn't help us, so just ignore the first ->complete(). 207 */ 208 if (err == -EINPROGRESS) 209 return; 210 211 aead_size = sizeof(*aead_req) + crypto_aead_reqsize(aead); 212 aead_size = ALIGN(aead_size, __alignof__(*dctx)); 213 dctx = (void *)((u8 *)aead_req + aead_size); 214 215 sk = dctx->sk; 216 tls_ctx = tls_get_ctx(sk); 217 ctx = tls_sw_ctx_rx(tls_ctx); 218 219 /* Propagate if there was an err */ 220 if (err) { 221 if (err == -EBADMSG) 222 TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTERROR); 223 ctx->async_wait.err = err; 224 tls_err_abort(sk, err); 225 } 226 227 /* Free the destination pages if skb was not decrypted inplace */ 228 if (dctx->free_sgout) { 229 /* Skip the first S/G entry as it points to AAD */ 230 for_each_sg(sg_next(sgout), sg, UINT_MAX, pages) { 231 if (!sg) 232 break; 233 put_page(sg_page(sg)); 234 } 235 } 236 237 kfree(aead_req); 238 239 if (atomic_dec_and_test(&ctx->decrypt_pending)) 240 complete(&ctx->async_wait.completion); 241 } 242 243 static int tls_decrypt_async_wait(struct tls_sw_context_rx *ctx) 244 { 245 if (!atomic_dec_and_test(&ctx->decrypt_pending)) 246 crypto_wait_req(-EINPROGRESS, &ctx->async_wait); 247 atomic_inc(&ctx->decrypt_pending); 248 249 __skb_queue_purge(&ctx->async_hold); 250 return ctx->async_wait.err; 251 } 252 253 static int tls_do_decryption(struct sock *sk, 254 struct scatterlist *sgin, 255 struct scatterlist *sgout, 256 char *iv_recv, 257 size_t data_len, 258 struct aead_request *aead_req, 259 struct tls_decrypt_arg *darg) 260 { 261 struct tls_context *tls_ctx = tls_get_ctx(sk); 262 struct tls_prot_info *prot = &tls_ctx->prot_info; 263 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 264 int ret; 265 266 aead_request_set_tfm(aead_req, ctx->aead_recv); 267 aead_request_set_ad(aead_req, prot->aad_size); 268 aead_request_set_crypt(aead_req, sgin, sgout, 269 data_len + prot->tag_size, 270 (u8 *)iv_recv); 271 272 if (darg->async) { 273 aead_request_set_callback(aead_req, 274 CRYPTO_TFM_REQ_MAY_BACKLOG, 275 tls_decrypt_done, aead_req); 276 DEBUG_NET_WARN_ON_ONCE(atomic_read(&ctx->decrypt_pending) < 1); 277 atomic_inc(&ctx->decrypt_pending); 278 } else { 279 DECLARE_CRYPTO_WAIT(wait); 280 281 aead_request_set_callback(aead_req, 282 CRYPTO_TFM_REQ_MAY_BACKLOG, 283 crypto_req_done, &wait); 284 ret = crypto_aead_decrypt(aead_req); 285 if (ret == -EINPROGRESS || ret == -EBUSY) 286 ret = crypto_wait_req(ret, &wait); 287 return ret; 288 } 289 290 ret = crypto_aead_decrypt(aead_req); 291 if (ret == -EINPROGRESS) 292 return 0; 293 294 if (ret == -EBUSY) { 295 ret = tls_decrypt_async_wait(ctx); 296 darg->async_done = true; 297 /* all completions have run, we're not doing async anymore */ 298 darg->async = false; 299 return ret; 300 } 301 302 atomic_dec(&ctx->decrypt_pending); 303 darg->async = false; 304 305 return ret; 306 } 307 308 static void tls_trim_both_msgs(struct sock *sk, int target_size) 309 { 310 struct tls_context *tls_ctx = tls_get_ctx(sk); 311 struct tls_prot_info *prot = &tls_ctx->prot_info; 312 struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 313 struct tls_rec *rec = ctx->open_rec; 314 315 sk_msg_trim(sk, &rec->msg_plaintext, target_size); 316 if (target_size > 0) 317 target_size += prot->overhead_size; 318 sk_msg_trim(sk, &rec->msg_encrypted, target_size); 319 } 320 321 static int tls_alloc_encrypted_msg(struct sock *sk, int len) 322 { 323 struct tls_context *tls_ctx = tls_get_ctx(sk); 324 struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 325 struct tls_rec *rec = ctx->open_rec; 326 struct sk_msg *msg_en = &rec->msg_encrypted; 327 328 return sk_msg_alloc(sk, msg_en, len, 0); 329 } 330 331 static int tls_clone_plaintext_msg(struct sock *sk, int required) 332 { 333 struct tls_context *tls_ctx = tls_get_ctx(sk); 334 struct tls_prot_info *prot = &tls_ctx->prot_info; 335 struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 336 struct tls_rec *rec = ctx->open_rec; 337 struct sk_msg *msg_pl = &rec->msg_plaintext; 338 struct sk_msg *msg_en = &rec->msg_encrypted; 339 int skip, len; 340 341 /* We add page references worth len bytes from encrypted sg 342 * at the end of plaintext sg. It is guaranteed that msg_en 343 * has enough required room (ensured by caller). 344 */ 345 len = required - msg_pl->sg.size; 346 347 /* Skip initial bytes in msg_en's data to be able to use 348 * same offset of both plain and encrypted data. 349 */ 350 skip = prot->prepend_size + msg_pl->sg.size; 351 352 return sk_msg_clone(sk, msg_pl, msg_en, skip, len); 353 } 354 355 static struct tls_rec *tls_get_rec(struct sock *sk) 356 { 357 struct tls_context *tls_ctx = tls_get_ctx(sk); 358 struct tls_prot_info *prot = &tls_ctx->prot_info; 359 struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 360 struct sk_msg *msg_pl, *msg_en; 361 struct tls_rec *rec; 362 int mem_size; 363 364 mem_size = sizeof(struct tls_rec) + crypto_aead_reqsize(ctx->aead_send); 365 366 rec = kzalloc(mem_size, sk->sk_allocation); 367 if (!rec) 368 return NULL; 369 370 msg_pl = &rec->msg_plaintext; 371 msg_en = &rec->msg_encrypted; 372 373 sk_msg_init(msg_pl); 374 sk_msg_init(msg_en); 375 376 sg_init_table(rec->sg_aead_in, 2); 377 sg_set_buf(&rec->sg_aead_in[0], rec->aad_space, prot->aad_size); 378 sg_unmark_end(&rec->sg_aead_in[1]); 379 380 sg_init_table(rec->sg_aead_out, 2); 381 sg_set_buf(&rec->sg_aead_out[0], rec->aad_space, prot->aad_size); 382 sg_unmark_end(&rec->sg_aead_out[1]); 383 384 rec->sk = sk; 385 386 return rec; 387 } 388 389 static void tls_free_rec(struct sock *sk, struct tls_rec *rec) 390 { 391 sk_msg_free(sk, &rec->msg_encrypted); 392 sk_msg_free(sk, &rec->msg_plaintext); 393 kfree(rec); 394 } 395 396 static void tls_free_open_rec(struct sock *sk) 397 { 398 struct tls_context *tls_ctx = tls_get_ctx(sk); 399 struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 400 struct tls_rec *rec = ctx->open_rec; 401 402 if (rec) { 403 tls_free_rec(sk, rec); 404 ctx->open_rec = NULL; 405 } 406 } 407 408 int tls_tx_records(struct sock *sk, int flags) 409 { 410 struct tls_context *tls_ctx = tls_get_ctx(sk); 411 struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 412 struct tls_rec *rec, *tmp; 413 struct sk_msg *msg_en; 414 int tx_flags, rc = 0; 415 416 if (tls_is_partially_sent_record(tls_ctx)) { 417 rec = list_first_entry(&ctx->tx_list, 418 struct tls_rec, list); 419 420 if (flags == -1) 421 tx_flags = rec->tx_flags; 422 else 423 tx_flags = flags; 424 425 rc = tls_push_partial_record(sk, tls_ctx, tx_flags); 426 if (rc) 427 goto tx_err; 428 429 /* Full record has been transmitted. 430 * Remove the head of tx_list 431 */ 432 list_del(&rec->list); 433 sk_msg_free(sk, &rec->msg_plaintext); 434 kfree(rec); 435 } 436 437 /* Tx all ready records */ 438 list_for_each_entry_safe(rec, tmp, &ctx->tx_list, list) { 439 if (READ_ONCE(rec->tx_ready)) { 440 if (flags == -1) 441 tx_flags = rec->tx_flags; 442 else 443 tx_flags = flags; 444 445 msg_en = &rec->msg_encrypted; 446 rc = tls_push_sg(sk, tls_ctx, 447 &msg_en->sg.data[msg_en->sg.curr], 448 0, tx_flags); 449 if (rc) 450 goto tx_err; 451 452 list_del(&rec->list); 453 sk_msg_free(sk, &rec->msg_plaintext); 454 kfree(rec); 455 } else { 456 break; 457 } 458 } 459 460 tx_err: 461 if (rc < 0 && rc != -EAGAIN) 462 tls_err_abort(sk, rc); 463 464 return rc; 465 } 466 467 static void tls_encrypt_done(void *data, int err) 468 { 469 struct tls_sw_context_tx *ctx; 470 struct tls_context *tls_ctx; 471 struct tls_prot_info *prot; 472 struct tls_rec *rec = data; 473 struct scatterlist *sge; 474 struct sk_msg *msg_en; 475 struct sock *sk; 476 477 if (err == -EINPROGRESS) /* see the comment in tls_decrypt_done() */ 478 return; 479 480 msg_en = &rec->msg_encrypted; 481 482 sk = rec->sk; 483 tls_ctx = tls_get_ctx(sk); 484 prot = &tls_ctx->prot_info; 485 ctx = tls_sw_ctx_tx(tls_ctx); 486 487 sge = sk_msg_elem(msg_en, msg_en->sg.curr); 488 sge->offset -= prot->prepend_size; 489 sge->length += prot->prepend_size; 490 491 /* Check if error is previously set on socket */ 492 if (err || sk->sk_err) { 493 rec = NULL; 494 495 /* If err is already set on socket, return the same code */ 496 if (sk->sk_err) { 497 ctx->async_wait.err = -sk->sk_err; 498 } else { 499 ctx->async_wait.err = err; 500 tls_err_abort(sk, err); 501 } 502 } 503 504 if (rec) { 505 struct tls_rec *first_rec; 506 507 /* Mark the record as ready for transmission */ 508 smp_store_mb(rec->tx_ready, true); 509 510 /* If received record is at head of tx_list, schedule tx */ 511 first_rec = list_first_entry(&ctx->tx_list, 512 struct tls_rec, list); 513 if (rec == first_rec) { 514 /* Schedule the transmission */ 515 if (!test_and_set_bit(BIT_TX_SCHEDULED, 516 &ctx->tx_bitmask)) 517 schedule_delayed_work(&ctx->tx_work.work, 1); 518 } 519 } 520 521 if (atomic_dec_and_test(&ctx->encrypt_pending)) 522 complete(&ctx->async_wait.completion); 523 } 524 525 static int tls_encrypt_async_wait(struct tls_sw_context_tx *ctx) 526 { 527 if (!atomic_dec_and_test(&ctx->encrypt_pending)) 528 crypto_wait_req(-EINPROGRESS, &ctx->async_wait); 529 atomic_inc(&ctx->encrypt_pending); 530 531 return ctx->async_wait.err; 532 } 533 534 static int tls_do_encryption(struct sock *sk, 535 struct tls_context *tls_ctx, 536 struct tls_sw_context_tx *ctx, 537 struct aead_request *aead_req, 538 size_t data_len, u32 start) 539 { 540 struct tls_prot_info *prot = &tls_ctx->prot_info; 541 struct tls_rec *rec = ctx->open_rec; 542 struct sk_msg *msg_en = &rec->msg_encrypted; 543 struct scatterlist *sge = sk_msg_elem(msg_en, start); 544 int rc, iv_offset = 0; 545 546 /* For CCM based ciphers, first byte of IV is a constant */ 547 switch (prot->cipher_type) { 548 case TLS_CIPHER_AES_CCM_128: 549 rec->iv_data[0] = TLS_AES_CCM_IV_B0_BYTE; 550 iv_offset = 1; 551 break; 552 case TLS_CIPHER_SM4_CCM: 553 rec->iv_data[0] = TLS_SM4_CCM_IV_B0_BYTE; 554 iv_offset = 1; 555 break; 556 } 557 558 memcpy(&rec->iv_data[iv_offset], tls_ctx->tx.iv, 559 prot->iv_size + prot->salt_size); 560 561 tls_xor_iv_with_seq(prot, rec->iv_data + iv_offset, 562 tls_ctx->tx.rec_seq); 563 564 sge->offset += prot->prepend_size; 565 sge->length -= prot->prepend_size; 566 567 msg_en->sg.curr = start; 568 569 aead_request_set_tfm(aead_req, ctx->aead_send); 570 aead_request_set_ad(aead_req, prot->aad_size); 571 aead_request_set_crypt(aead_req, rec->sg_aead_in, 572 rec->sg_aead_out, 573 data_len, rec->iv_data); 574 575 aead_request_set_callback(aead_req, CRYPTO_TFM_REQ_MAY_BACKLOG, 576 tls_encrypt_done, rec); 577 578 /* Add the record in tx_list */ 579 list_add_tail((struct list_head *)&rec->list, &ctx->tx_list); 580 DEBUG_NET_WARN_ON_ONCE(atomic_read(&ctx->encrypt_pending) < 1); 581 atomic_inc(&ctx->encrypt_pending); 582 583 rc = crypto_aead_encrypt(aead_req); 584 if (rc == -EBUSY) { 585 rc = tls_encrypt_async_wait(ctx); 586 rc = rc ?: -EINPROGRESS; 587 /* 588 * The async callback tls_encrypt_done() has already 589 * decremented encrypt_pending and restored the sge on 590 * both success and error. Skip the synchronous cleanup 591 * below on error, just remove the record and return. 592 */ 593 if (rc != -EINPROGRESS) { 594 list_del(&rec->list); 595 return rc; 596 } 597 } 598 if (!rc || rc != -EINPROGRESS) { 599 atomic_dec(&ctx->encrypt_pending); 600 sge->offset -= prot->prepend_size; 601 sge->length += prot->prepend_size; 602 } 603 604 if (!rc) { 605 WRITE_ONCE(rec->tx_ready, true); 606 } else if (rc != -EINPROGRESS) { 607 list_del(&rec->list); 608 return rc; 609 } 610 611 /* Unhook the record from context if encryption is not failure */ 612 ctx->open_rec = NULL; 613 tls_advance_record_sn(sk, prot, &tls_ctx->tx); 614 return rc; 615 } 616 617 static int tls_push_record(struct sock *sk, int flags, 618 unsigned char record_type) 619 { 620 struct tls_context *tls_ctx = tls_get_ctx(sk); 621 struct tls_prot_info *prot = &tls_ctx->prot_info; 622 struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 623 struct tls_rec *rec = ctx->open_rec; 624 struct sk_msg *msg_pl, *msg_en; 625 struct aead_request *req; 626 int rc; 627 u32 i; 628 629 if (!rec) 630 return 0; 631 632 msg_pl = &rec->msg_plaintext; 633 msg_en = &rec->msg_encrypted; 634 635 rec->tx_flags = flags; 636 req = &rec->aead_req; 637 638 i = msg_pl->sg.end; 639 sk_msg_iter_var_prev(i); 640 641 /* msg_pl->sg.data is a ring; data[MAX+1] is reserved for the wrap 642 * link (frags won't use it). 'i' is now the last filled entry: 643 * 644 * i end start 645 * v v v [ rsv ] 646 * [ d ][ d ][ ][ ]...[ ][ d ][ d ][ d ][chain] 647 * ^ END v 648 * `-----------------------------------------' 649 * 650 * Note that SGL does not allow chain-after-chain, so for TLS 1.3, 651 * we must make sure we don't create the wrap entry and then chain 652 * link to content_type immediately at index 0. 653 */ 654 if (i < msg_pl->sg.start) 655 sg_chain(msg_pl->sg.data, ARRAY_SIZE(msg_pl->sg.data), 656 msg_pl->sg.data); 657 658 rec->content_type = record_type; 659 if (prot->version == TLS_1_3_VERSION) { 660 /* Add content type to end of message. No padding added */ 661 sg_set_buf(&rec->sg_content_type, &rec->content_type, 1); 662 sg_mark_end(&rec->sg_content_type); 663 sg_chain(msg_pl->sg.data, i + 2, &rec->sg_content_type); 664 } else { 665 sg_mark_end(sk_msg_elem(msg_pl, i)); 666 } 667 668 i = msg_pl->sg.start; 669 sg_chain(rec->sg_aead_in, 2, &msg_pl->sg.data[i]); 670 671 i = msg_en->sg.end; 672 sk_msg_iter_var_prev(i); 673 sg_mark_end(sk_msg_elem(msg_en, i)); 674 675 i = msg_en->sg.start; 676 sg_chain(rec->sg_aead_out, 2, &msg_en->sg.data[i]); 677 678 tls_make_aad(rec->aad_space, msg_pl->sg.size + prot->tail_size, 679 tls_ctx->tx.rec_seq, record_type, prot); 680 681 tls_fill_prepend(tls_ctx, 682 page_address(sg_page(&msg_en->sg.data[i])) + 683 msg_en->sg.data[i].offset, 684 msg_pl->sg.size + prot->tail_size, 685 record_type); 686 687 tls_ctx->pending_open_record_frags = false; 688 689 rc = tls_do_encryption(sk, tls_ctx, ctx, req, 690 msg_pl->sg.size + prot->tail_size, i); 691 if (rc < 0) { 692 if (rc != -EINPROGRESS) 693 tls_err_abort(sk, -EBADMSG); 694 ctx->async_capable = 1; 695 return rc; 696 } 697 698 return tls_tx_records(sk, flags); 699 } 700 701 static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, 702 u8 record_type, ssize_t *copied, int flags) 703 { 704 int err; 705 706 err = tls_push_record(sk, flags, record_type); 707 if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) { 708 *copied -= sk_msg_free(sk, msg); 709 tls_free_open_rec(sk); 710 err = -sk->sk_err; 711 } 712 return err; 713 } 714 715 static int tls_sw_push_pending_record(struct sock *sk, int flags) 716 { 717 struct tls_context *tls_ctx = tls_get_ctx(sk); 718 struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 719 struct tls_rec *rec = ctx->open_rec; 720 struct sk_msg *msg_pl; 721 size_t copied; 722 723 if (!rec) 724 return 0; 725 726 msg_pl = &rec->msg_plaintext; 727 copied = msg_pl->sg.size; 728 if (!copied) 729 return 0; 730 731 return bpf_exec_tx_verdict(msg_pl, sk, TLS_RECORD_TYPE_DATA, 732 &copied, flags); 733 } 734 735 static int tls_sw_sendmsg_splice(struct sock *sk, struct msghdr *msg, 736 struct sk_msg *msg_pl, size_t try_to_copy, 737 ssize_t *copied) 738 { 739 struct page *page = NULL, **pages = &page; 740 741 do { 742 ssize_t part; 743 size_t off; 744 745 part = iov_iter_extract_pages(&msg->msg_iter, &pages, 746 try_to_copy, 1, 0, &off); 747 if (part <= 0) 748 return part ?: -EIO; 749 750 if (WARN_ON_ONCE(!sendpage_ok(page))) { 751 iov_iter_revert(&msg->msg_iter, part); 752 return -EIO; 753 } 754 755 sk_msg_page_add(msg_pl, page, part, off); 756 msg_pl->sg.copybreak = 0; 757 msg_pl->sg.curr = msg_pl->sg.end; 758 sk_mem_charge(sk, part); 759 *copied += part; 760 try_to_copy -= part; 761 } while (try_to_copy && !sk_msg_full(msg_pl)); 762 763 return 0; 764 } 765 766 static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg, 767 size_t size) 768 { 769 long timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT); 770 struct tls_context *tls_ctx = tls_get_ctx(sk); 771 struct tls_prot_info *prot = &tls_ctx->prot_info; 772 struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 773 bool async_capable = ctx->async_capable; 774 unsigned char record_type = TLS_RECORD_TYPE_DATA; 775 bool is_kvec = iov_iter_is_kvec(&msg->msg_iter); 776 bool eor = !(msg->msg_flags & MSG_MORE); 777 size_t try_to_copy; 778 ssize_t copied = 0; 779 struct sk_msg *msg_pl, *msg_en; 780 struct tls_rec *rec; 781 int required_size; 782 int num_async = 0; 783 bool full_record; 784 int record_room; 785 int num_zc = 0; 786 int orig_size; 787 int ret = 0; 788 789 if (!eor && (msg->msg_flags & MSG_EOR)) 790 return -EINVAL; 791 792 if (unlikely(msg->msg_controllen)) { 793 ret = tls_process_cmsg(sk, msg, &record_type); 794 if (ret) { 795 if (ret == -EINPROGRESS) 796 num_async++; 797 else if (ret != -EAGAIN) 798 goto end; 799 } 800 } 801 802 while (msg_data_left(msg)) { 803 if (sk->sk_err) { 804 ret = -sk->sk_err; 805 goto send_end; 806 } 807 808 if (ctx->open_rec) 809 rec = ctx->open_rec; 810 else 811 rec = ctx->open_rec = tls_get_rec(sk); 812 if (!rec) { 813 ret = -ENOMEM; 814 goto send_end; 815 } 816 817 msg_pl = &rec->msg_plaintext; 818 msg_en = &rec->msg_encrypted; 819 820 orig_size = msg_pl->sg.size; 821 full_record = false; 822 try_to_copy = msg_data_left(msg); 823 record_room = tls_ctx->tx_max_payload_len - msg_pl->sg.size; 824 if (try_to_copy >= record_room) { 825 try_to_copy = record_room; 826 full_record = true; 827 } 828 829 required_size = msg_pl->sg.size + try_to_copy + 830 prot->overhead_size; 831 832 if (!sk_stream_memory_free(sk)) 833 goto wait_for_sndbuf; 834 835 alloc_encrypted: 836 ret = tls_alloc_encrypted_msg(sk, required_size); 837 if (ret) { 838 if (ret != -ENOSPC) 839 goto wait_for_memory; 840 841 /* Adjust try_to_copy according to the amount that was 842 * actually allocated. The difference is due 843 * to max sg elements limit 844 */ 845 try_to_copy -= required_size - msg_en->sg.size; 846 full_record = true; 847 } 848 849 if (try_to_copy && (msg->msg_flags & MSG_SPLICE_PAGES)) { 850 ret = tls_sw_sendmsg_splice(sk, msg, msg_pl, 851 try_to_copy, &copied); 852 if (ret < 0) 853 goto send_end; 854 tls_ctx->pending_open_record_frags = true; 855 856 if (sk_msg_full(msg_pl)) { 857 full_record = true; 858 sk_msg_trim(sk, msg_en, 859 msg_pl->sg.size + prot->overhead_size); 860 } 861 862 if (full_record || eor) 863 goto copied; 864 continue; 865 } 866 867 if (!is_kvec && (full_record || eor) && !async_capable) { 868 u32 first = msg_pl->sg.end; 869 870 ret = sk_msg_zerocopy_from_iter(sk, &msg->msg_iter, 871 msg_pl, try_to_copy); 872 if (ret) 873 goto fallback_to_reg_send; 874 875 num_zc++; 876 copied += try_to_copy; 877 878 sk_msg_sg_copy_set(msg_pl, first); 879 ret = bpf_exec_tx_verdict(msg_pl, sk, 880 record_type, &copied, 881 msg->msg_flags); 882 if (ret) { 883 if (ret == -EINPROGRESS) 884 num_async++; 885 else if (ret == -ENOMEM) 886 goto wait_for_memory; 887 else if (ret != -EAGAIN) 888 goto send_end; 889 } 890 891 /* Transmit if any encryptions have completed */ 892 if (test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask)) { 893 cancel_delayed_work(&ctx->tx_work.work); 894 tls_tx_records(sk, msg->msg_flags); 895 } 896 897 continue; 898 fallback_to_reg_send: 899 sk_msg_trim(sk, msg_pl, orig_size); 900 } 901 902 required_size = msg_pl->sg.size + try_to_copy; 903 904 ret = tls_clone_plaintext_msg(sk, required_size); 905 if (ret) { 906 if (ret != -ENOSPC) 907 goto send_end; 908 909 /* Adjust try_to_copy according to the amount that was 910 * actually allocated. The difference is due 911 * to max sg elements limit 912 */ 913 try_to_copy -= required_size - msg_pl->sg.size; 914 full_record = true; 915 sk_msg_trim(sk, msg_en, 916 msg_pl->sg.size + prot->overhead_size); 917 } 918 919 if (try_to_copy) { 920 ret = sk_msg_memcopy_from_iter(sk, &msg->msg_iter, 921 msg_pl, try_to_copy); 922 if (ret < 0) 923 goto trim_sgl; 924 } 925 926 /* Open records defined only if successfully copied, otherwise 927 * we would trim the sg but not reset the open record frags. 928 */ 929 tls_ctx->pending_open_record_frags = true; 930 copied += try_to_copy; 931 copied: 932 if (full_record || eor) { 933 ret = bpf_exec_tx_verdict(msg_pl, sk, 934 record_type, &copied, 935 msg->msg_flags); 936 if (ret) { 937 if (ret == -EINPROGRESS) 938 num_async++; 939 else if (ret == -ENOMEM) 940 goto wait_for_memory; 941 else if (ret != -EAGAIN) 942 goto send_end; 943 } 944 945 /* Transmit if any encryptions have completed */ 946 if (test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask)) { 947 cancel_delayed_work(&ctx->tx_work.work); 948 tls_tx_records(sk, msg->msg_flags); 949 } 950 } 951 952 continue; 953 954 wait_for_sndbuf: 955 set_bit(SOCK_NOSPACE, &sk->sk_socket->flags); 956 wait_for_memory: 957 ret = sk_stream_wait_memory(sk, &timeo); 958 if (ret) { 959 trim_sgl: 960 if (ctx->open_rec) 961 tls_trim_both_msgs(sk, orig_size); 962 goto send_end; 963 } 964 965 if (ctx->open_rec && msg_en->sg.size < required_size) 966 goto alloc_encrypted; 967 } 968 969 send_end: 970 if (!num_async) { 971 goto end; 972 } else if (num_zc || eor) { 973 int err; 974 975 /* Wait for pending encryptions to get completed */ 976 err = tls_encrypt_async_wait(ctx); 977 if (err) { 978 ret = err; 979 copied = 0; 980 } 981 } 982 983 /* Transmit if any encryptions have completed */ 984 if (test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask)) { 985 cancel_delayed_work(&ctx->tx_work.work); 986 tls_tx_records(sk, msg->msg_flags); 987 } 988 989 end: 990 ret = sk_stream_error(sk, msg->msg_flags, ret); 991 return copied > 0 ? copied : ret; 992 } 993 994 int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) 995 { 996 struct tls_context *tls_ctx = tls_get_ctx(sk); 997 int ret; 998 999 if (msg->msg_flags & ~(MSG_MORE | MSG_DONTWAIT | MSG_NOSIGNAL | 1000 MSG_CMSG_COMPAT | MSG_SPLICE_PAGES | MSG_EOR | 1001 MSG_SENDPAGE_NOPOLICY)) 1002 return -EOPNOTSUPP; 1003 1004 ret = mutex_lock_interruptible(&tls_ctx->tx_lock); 1005 if (ret) 1006 return ret; 1007 lock_sock(sk); 1008 ret = tls_sw_sendmsg_locked(sk, msg, size); 1009 release_sock(sk); 1010 mutex_unlock(&tls_ctx->tx_lock); 1011 return ret; 1012 } 1013 1014 /* 1015 * Handle unexpected EOF during splice without SPLICE_F_MORE set. 1016 */ 1017 void tls_sw_splice_eof(struct socket *sock) 1018 { 1019 struct sock *sk = sock->sk; 1020 struct tls_context *tls_ctx = tls_get_ctx(sk); 1021 struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 1022 struct tls_rec *rec; 1023 struct sk_msg *msg_pl; 1024 ssize_t copied = 0; 1025 bool retrying = false; 1026 int ret = 0; 1027 1028 if (!ctx->open_rec) 1029 return; 1030 1031 mutex_lock(&tls_ctx->tx_lock); 1032 lock_sock(sk); 1033 1034 retry: 1035 /* same checks as in tls_sw_push_pending_record() */ 1036 rec = ctx->open_rec; 1037 if (!rec) 1038 goto unlock; 1039 1040 msg_pl = &rec->msg_plaintext; 1041 if (msg_pl->sg.size == 0) 1042 goto unlock; 1043 1044 /* Perform transmission. */ 1045 ret = bpf_exec_tx_verdict(msg_pl, sk, TLS_RECORD_TYPE_DATA, 1046 &copied, 0); 1047 switch (ret) { 1048 case 0: 1049 case -EAGAIN: 1050 if (retrying) 1051 goto unlock; 1052 retrying = true; 1053 goto retry; 1054 case -EINPROGRESS: 1055 break; 1056 default: 1057 goto unlock; 1058 } 1059 1060 /* Wait for pending encryptions to get completed */ 1061 if (tls_encrypt_async_wait(ctx)) 1062 goto unlock; 1063 1064 /* Transmit if any encryptions have completed */ 1065 if (test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask)) { 1066 cancel_delayed_work(&ctx->tx_work.work); 1067 tls_tx_records(sk, 0); 1068 } 1069 1070 unlock: 1071 release_sock(sk); 1072 mutex_unlock(&tls_ctx->tx_lock); 1073 } 1074 1075 /* When has_copied is true the caller has already moved bytes to 1076 * userspace. Report sk_err but leave it set so the next read 1077 * surfaces it instead of a spurious EOF, otherwise sk_err is 1078 * consumed via sock_error(). 1079 */ 1080 static int 1081 tls_rx_rec_wait(struct sock *sk, bool nonblock, bool released, bool has_copied) 1082 { 1083 struct tls_context *tls_ctx = tls_get_ctx(sk); 1084 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 1085 DEFINE_WAIT_FUNC(wait, woken_wake_function); 1086 int ret = 0; 1087 long timeo; 1088 1089 /* a rekey is pending, let userspace deal with it */ 1090 if (unlikely(ctx->key_update_pending)) 1091 return -EKEYEXPIRED; 1092 1093 timeo = sock_rcvtimeo(sk, nonblock); 1094 1095 while (!tls_strp_msg_ready(ctx)) { 1096 if (sk->sk_err) { 1097 if (has_copied) 1098 return -READ_ONCE(sk->sk_err); 1099 return sock_error(sk); 1100 } 1101 1102 if (ret < 0) 1103 return ret; 1104 1105 if (sk_flush_backlog(sk)) 1106 released = true; 1107 if (!skb_queue_empty(&sk->sk_receive_queue)) { 1108 /* Defer notification to the exit point; this thread 1109 * will consume the record directly. 1110 */ 1111 tls_strp_check_rcv(&ctx->strp, false); 1112 if (tls_strp_msg_ready(ctx)) 1113 break; 1114 } 1115 1116 /* sk_flush_backlog() can run tcp_reset(), which sets 1117 * sk_err and then sk_shutdown via tcp_done(). Recheck 1118 * sk_err here so a connection abort surfaces as the 1119 * actual error rather than a clean EOF. 1120 */ 1121 if (sk->sk_err) { 1122 if (has_copied) 1123 return -READ_ONCE(sk->sk_err); 1124 return sock_error(sk); 1125 } 1126 if (sk->sk_shutdown & RCV_SHUTDOWN) 1127 return 0; 1128 1129 if (sock_flag(sk, SOCK_DONE)) 1130 return 0; 1131 1132 if (!timeo) 1133 return -EAGAIN; 1134 1135 released = true; 1136 add_wait_queue(sk_sleep(sk), &wait); 1137 sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk); 1138 ret = sk_wait_event(sk, &timeo, 1139 tls_strp_msg_ready(ctx), &wait); 1140 sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk); 1141 remove_wait_queue(sk_sleep(sk), &wait); 1142 1143 /* Handle signals */ 1144 if (signal_pending(current)) 1145 return sock_intr_errno(timeo); 1146 } 1147 1148 if (unlikely(!tls_strp_msg_load(&ctx->strp, released))) 1149 return tls_rx_rec_wait(sk, nonblock, false, has_copied); 1150 1151 return 1; 1152 } 1153 1154 static int tls_setup_from_iter(struct iov_iter *from, 1155 int length, int *pages_used, 1156 struct scatterlist *to, 1157 int to_max_pages) 1158 { 1159 int rc = 0, i = 0, num_elem = *pages_used, maxpages; 1160 struct page *pages[MAX_SKB_FRAGS]; 1161 unsigned int size = 0; 1162 ssize_t copied, use; 1163 size_t offset; 1164 1165 while (length > 0) { 1166 i = 0; 1167 maxpages = to_max_pages - num_elem; 1168 if (maxpages == 0) { 1169 rc = -EFAULT; 1170 goto out; 1171 } 1172 copied = iov_iter_get_pages2(from, pages, 1173 length, 1174 maxpages, &offset); 1175 if (copied <= 0) { 1176 rc = -EFAULT; 1177 goto out; 1178 } 1179 1180 length -= copied; 1181 size += copied; 1182 while (copied) { 1183 use = min_t(int, copied, PAGE_SIZE - offset); 1184 1185 sg_set_page(&to[num_elem], 1186 pages[i], use, offset); 1187 sg_unmark_end(&to[num_elem]); 1188 /* We do not uncharge memory from this API */ 1189 1190 offset = 0; 1191 copied -= use; 1192 1193 i++; 1194 num_elem++; 1195 } 1196 } 1197 /* Mark the end in the last sg entry if newly added */ 1198 if (num_elem > *pages_used) 1199 sg_mark_end(&to[num_elem - 1]); 1200 out: 1201 if (rc) 1202 iov_iter_revert(from, size); 1203 *pages_used = num_elem; 1204 1205 return rc; 1206 } 1207 1208 static struct sk_buff * 1209 tls_alloc_clrtxt_skb(struct sock *sk, struct sk_buff *skb, 1210 unsigned int full_len) 1211 { 1212 struct strp_msg *clr_rxm; 1213 struct sk_buff *clr_skb; 1214 int err; 1215 1216 clr_skb = alloc_skb_with_frags(0, full_len, TLS_PAGE_ORDER, 1217 &err, sk->sk_allocation); 1218 if (!clr_skb) 1219 return NULL; 1220 1221 skb_copy_header(clr_skb, skb); 1222 clr_skb->len = full_len; 1223 clr_skb->data_len = full_len; 1224 1225 clr_rxm = strp_msg(clr_skb); 1226 clr_rxm->offset = 0; 1227 1228 return clr_skb; 1229 } 1230 1231 /* Decrypt handlers 1232 * 1233 * tls_decrypt_sw() and tls_decrypt_device() are decrypt handlers. 1234 * They must transform the darg in/out argument are as follows: 1235 * | Input | Output 1236 * ------------------------------------------------------------------- 1237 * zc | Zero-copy decrypt allowed | Zero-copy performed 1238 * async | Async decrypt allowed | Async crypto used / in progress 1239 * skb | * | Output skb 1240 * 1241 * If ZC decryption was performed darg.skb will point to the input skb. 1242 */ 1243 1244 /* This function decrypts the input skb into either out_iov or in out_sg 1245 * or in skb buffers itself. The input parameter 'darg->zc' indicates if 1246 * zero-copy mode needs to be tried or not. With zero-copy mode, either 1247 * out_iov or out_sg must be non-NULL. In case both out_iov and out_sg are 1248 * NULL, then the decryption happens inside skb buffers itself, i.e. 1249 * zero-copy gets disabled and 'darg->zc' is updated. 1250 */ 1251 static int tls_decrypt_sg(struct sock *sk, struct iov_iter *out_iov, 1252 struct scatterlist *out_sg, 1253 struct tls_decrypt_arg *darg) 1254 { 1255 struct tls_context *tls_ctx = tls_get_ctx(sk); 1256 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 1257 struct tls_prot_info *prot = &tls_ctx->prot_info; 1258 int n_sgin, n_sgout, aead_size, err, pages = 0; 1259 struct sk_buff *skb = tls_strp_msg(ctx); 1260 const struct strp_msg *rxm = strp_msg(skb); 1261 const struct tls_msg *tlm = tls_msg(skb); 1262 struct aead_request *aead_req; 1263 struct scatterlist *sgin = NULL; 1264 struct scatterlist *sgout = NULL; 1265 const int data_len = rxm->full_len - prot->overhead_size; 1266 int tail_pages = !!prot->tail_size; 1267 struct tls_decrypt_ctx *dctx; 1268 struct sk_buff *clear_skb; 1269 int iv_offset = 0; 1270 u8 *mem; 1271 1272 n_sgin = skb_nsg(skb, rxm->offset + prot->prepend_size, 1273 rxm->full_len - prot->prepend_size); 1274 if (n_sgin < 1) 1275 return n_sgin ?: -EBADMSG; 1276 1277 if (darg->zc && (out_iov || out_sg)) { 1278 clear_skb = NULL; 1279 1280 if (out_iov) 1281 n_sgout = 1 + tail_pages + 1282 iov_iter_npages_cap(out_iov, INT_MAX, data_len); 1283 else 1284 n_sgout = sg_nents(out_sg); 1285 } else { 1286 darg->zc = false; 1287 1288 clear_skb = tls_alloc_clrtxt_skb(sk, skb, rxm->full_len); 1289 if (!clear_skb) 1290 return -ENOMEM; 1291 1292 n_sgout = 1 + skb_shinfo(clear_skb)->nr_frags; 1293 } 1294 1295 /* Increment to accommodate AAD */ 1296 n_sgin = n_sgin + 1; 1297 1298 /* Allocate a single block of memory which contains 1299 * aead_req || tls_decrypt_ctx. 1300 * Both structs are variable length. 1301 */ 1302 aead_size = sizeof(*aead_req) + crypto_aead_reqsize(ctx->aead_recv); 1303 aead_size = ALIGN(aead_size, __alignof__(*dctx)); 1304 mem = kmalloc(aead_size + struct_size(dctx, sg, size_add(n_sgin, n_sgout)), 1305 sk->sk_allocation); 1306 if (!mem) { 1307 err = -ENOMEM; 1308 goto exit_free_skb; 1309 } 1310 1311 /* Segment the allocated memory */ 1312 aead_req = (struct aead_request *)mem; 1313 dctx = (struct tls_decrypt_ctx *)(mem + aead_size); 1314 dctx->sk = sk; 1315 sgin = &dctx->sg[0]; 1316 sgout = &dctx->sg[n_sgin]; 1317 1318 /* For CCM based ciphers, first byte of nonce+iv is a constant */ 1319 switch (prot->cipher_type) { 1320 case TLS_CIPHER_AES_CCM_128: 1321 dctx->iv[0] = TLS_AES_CCM_IV_B0_BYTE; 1322 iv_offset = 1; 1323 break; 1324 case TLS_CIPHER_SM4_CCM: 1325 dctx->iv[0] = TLS_SM4_CCM_IV_B0_BYTE; 1326 iv_offset = 1; 1327 break; 1328 } 1329 1330 /* Prepare IV */ 1331 if (prot->version == TLS_1_3_VERSION || 1332 prot->cipher_type == TLS_CIPHER_CHACHA20_POLY1305) { 1333 memcpy(&dctx->iv[iv_offset], tls_ctx->rx.iv, 1334 prot->iv_size + prot->salt_size); 1335 } else { 1336 err = skb_copy_bits(skb, rxm->offset + TLS_HEADER_SIZE, 1337 &dctx->iv[iv_offset] + prot->salt_size, 1338 prot->iv_size); 1339 if (err < 0) 1340 goto exit_free; 1341 memcpy(&dctx->iv[iv_offset], tls_ctx->rx.iv, prot->salt_size); 1342 } 1343 tls_xor_iv_with_seq(prot, &dctx->iv[iv_offset], tls_ctx->rx.rec_seq); 1344 1345 /* Prepare AAD */ 1346 tls_make_aad(dctx->aad, rxm->full_len - prot->overhead_size + 1347 prot->tail_size, 1348 tls_ctx->rx.rec_seq, tlm->control, prot); 1349 1350 /* Prepare sgin */ 1351 sg_init_table(sgin, n_sgin); 1352 sg_set_buf(&sgin[0], dctx->aad, prot->aad_size); 1353 err = skb_to_sgvec(skb, &sgin[1], 1354 rxm->offset + prot->prepend_size, 1355 rxm->full_len - prot->prepend_size); 1356 if (err < 0) 1357 goto exit_free; 1358 1359 if (clear_skb) { 1360 sg_init_table(sgout, n_sgout); 1361 sg_set_buf(&sgout[0], dctx->aad, prot->aad_size); 1362 1363 err = skb_to_sgvec(clear_skb, &sgout[1], prot->prepend_size, 1364 data_len + prot->tail_size); 1365 if (err < 0) 1366 goto exit_free; 1367 } else if (out_iov) { 1368 sg_init_table(sgout, n_sgout); 1369 sg_set_buf(&sgout[0], dctx->aad, prot->aad_size); 1370 1371 err = tls_setup_from_iter(out_iov, data_len, &pages, &sgout[1], 1372 (n_sgout - 1 - tail_pages)); 1373 if (err < 0) 1374 goto exit_free_pages; 1375 1376 if (prot->tail_size) { 1377 sg_unmark_end(&sgout[pages]); 1378 sg_set_buf(&sgout[pages + 1], &dctx->tail, 1379 prot->tail_size); 1380 sg_mark_end(&sgout[pages + 1]); 1381 } 1382 } else if (out_sg) { 1383 memcpy(sgout, out_sg, n_sgout * sizeof(*sgout)); 1384 } 1385 dctx->free_sgout = !!pages; 1386 1387 /* Prepare and submit AEAD request */ 1388 err = tls_do_decryption(sk, sgin, sgout, dctx->iv, 1389 data_len + prot->tail_size, aead_req, darg); 1390 if (err) { 1391 if (darg->async_done) 1392 goto exit_free_skb; 1393 goto exit_free_pages; 1394 } 1395 1396 darg->skb = clear_skb ?: tls_strp_msg(ctx); 1397 clear_skb = NULL; 1398 1399 if (unlikely(darg->async)) { 1400 err = tls_strp_msg_hold(&ctx->strp, &ctx->async_hold); 1401 if (err) { 1402 err = tls_decrypt_async_wait(ctx); 1403 darg->async = false; 1404 } 1405 return err; 1406 } 1407 1408 if (unlikely(darg->async_done)) 1409 return 0; 1410 1411 if (prot->tail_size) 1412 darg->tail = dctx->tail; 1413 1414 exit_free_pages: 1415 /* Release the pages in case iov was mapped to pages */ 1416 for (; pages > 0; pages--) 1417 put_page(sg_page(&sgout[pages])); 1418 exit_free: 1419 kfree(mem); 1420 exit_free_skb: 1421 consume_skb(clear_skb); 1422 return err; 1423 } 1424 1425 static int 1426 tls_decrypt_sw(struct sock *sk, struct tls_context *tls_ctx, 1427 struct msghdr *msg, struct tls_decrypt_arg *darg) 1428 { 1429 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 1430 struct tls_prot_info *prot = &tls_ctx->prot_info; 1431 struct strp_msg *rxm; 1432 int pad, err; 1433 1434 err = tls_decrypt_sg(sk, &msg->msg_iter, NULL, darg); 1435 if (err < 0) { 1436 if (err == -EBADMSG) 1437 TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTERROR); 1438 return err; 1439 } 1440 /* keep going even for ->async, the code below is TLS 1.3 */ 1441 1442 /* If opportunistic TLS 1.3 ZC failed retry without ZC */ 1443 if (unlikely(darg->zc && prot->version == TLS_1_3_VERSION && 1444 darg->tail != TLS_RECORD_TYPE_DATA)) { 1445 darg->zc = false; 1446 if (!darg->tail) 1447 TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXNOPADVIOL); 1448 TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTRETRY); 1449 return tls_decrypt_sw(sk, tls_ctx, msg, darg); 1450 } 1451 1452 pad = tls_padding_length(prot, darg->skb, darg); 1453 if (pad < 0) { 1454 if (darg->skb != tls_strp_msg(ctx)) 1455 consume_skb(darg->skb); 1456 return pad; 1457 } 1458 1459 rxm = strp_msg(darg->skb); 1460 rxm->full_len -= pad; 1461 1462 return 0; 1463 } 1464 1465 static int 1466 tls_decrypt_device(struct sock *sk, struct msghdr *msg, 1467 struct tls_context *tls_ctx, struct tls_decrypt_arg *darg) 1468 { 1469 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 1470 struct tls_prot_info *prot = &tls_ctx->prot_info; 1471 struct strp_msg *rxm; 1472 int pad, err; 1473 1474 if (tls_ctx->rx_conf != TLS_HW) 1475 return 0; 1476 1477 err = tls_device_decrypted(sk, tls_ctx); 1478 if (err <= 0) 1479 return err; 1480 1481 pad = tls_padding_length(prot, tls_strp_msg(ctx), darg); 1482 if (pad < 0) 1483 return pad; 1484 1485 darg->async = false; 1486 darg->skb = tls_strp_msg(ctx); 1487 /* ->zc downgrade check, in case TLS 1.3 gets here */ 1488 darg->zc &= !(prot->version == TLS_1_3_VERSION && 1489 tls_msg(darg->skb)->control != TLS_RECORD_TYPE_DATA); 1490 1491 rxm = strp_msg(darg->skb); 1492 rxm->full_len -= pad; 1493 1494 if (!darg->zc) { 1495 /* Non-ZC case needs a real skb */ 1496 darg->skb = tls_strp_msg_detach(ctx); 1497 if (!darg->skb) 1498 return -ENOMEM; 1499 } else { 1500 unsigned int off, len; 1501 1502 /* In ZC case nobody cares about the output skb. 1503 * Just copy the data here. Note the skb is not fully trimmed. 1504 */ 1505 off = rxm->offset + prot->prepend_size; 1506 len = rxm->full_len - prot->overhead_size; 1507 1508 err = skb_copy_datagram_msg(darg->skb, off, msg, len); 1509 if (err) 1510 return err; 1511 } 1512 return 1; 1513 } 1514 1515 static int tls_check_pending_rekey(struct sock *sk, struct tls_context *ctx, 1516 struct sk_buff *skb) 1517 { 1518 const struct strp_msg *rxm = strp_msg(skb); 1519 const struct tls_msg *tlm = tls_msg(skb); 1520 char hs_type; 1521 int err; 1522 1523 if (likely(tlm->control != TLS_RECORD_TYPE_HANDSHAKE)) 1524 return 0; 1525 1526 if (rxm->full_len < 1) 1527 return 0; 1528 1529 err = skb_copy_bits(skb, rxm->offset, &hs_type, 1); 1530 if (err < 0) { 1531 DEBUG_NET_WARN_ON_ONCE(1); 1532 return err; 1533 } 1534 1535 if (hs_type == TLS_HANDSHAKE_KEYUPDATE) { 1536 struct tls_sw_context_rx *rx_ctx = ctx->priv_ctx_rx; 1537 1538 WRITE_ONCE(rx_ctx->key_update_pending, true); 1539 TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXREKEYRECEIVED); 1540 } 1541 1542 return 0; 1543 } 1544 1545 /* On decrypt failure the connection is aborted (sk_err set) before 1546 * returning a negative errno. 1547 */ 1548 static int tls_rx_one_record(struct sock *sk, struct msghdr *msg, 1549 struct tls_decrypt_arg *darg) 1550 { 1551 struct tls_context *tls_ctx = tls_get_ctx(sk); 1552 struct tls_prot_info *prot = &tls_ctx->prot_info; 1553 struct strp_msg *rxm; 1554 int err; 1555 1556 err = tls_decrypt_device(sk, msg, tls_ctx, darg); 1557 if (!err) 1558 err = tls_decrypt_sw(sk, tls_ctx, msg, darg); 1559 if (err < 0) { 1560 tls_err_abort(sk, -EBADMSG); 1561 return err; 1562 } 1563 1564 rxm = strp_msg(darg->skb); 1565 rxm->offset += prot->prepend_size; 1566 rxm->full_len -= prot->overhead_size; 1567 tls_advance_record_sn(sk, prot, &tls_ctx->rx); 1568 1569 return tls_check_pending_rekey(sk, tls_ctx, darg->skb); 1570 } 1571 1572 int decrypt_skb(struct sock *sk, struct scatterlist *sgout) 1573 { 1574 struct tls_decrypt_arg darg = { .zc = true, }; 1575 1576 return tls_decrypt_sg(sk, NULL, sgout, &darg); 1577 } 1578 1579 /* All records returned from a recvmsg() call must have the same type. 1580 * 0 is not a valid content type. Use it as "no type reported, yet". 1581 */ 1582 static int tls_record_content_type(struct msghdr *msg, struct tls_msg *tlm, 1583 u8 *control) 1584 { 1585 int err; 1586 1587 if (!*control) { 1588 *control = tlm->control; 1589 if (!*control) 1590 return -EBADMSG; 1591 1592 err = put_cmsg(msg, SOL_TLS, TLS_GET_RECORD_TYPE, 1593 sizeof(*control), control); 1594 if (*control != TLS_RECORD_TYPE_DATA) { 1595 if (err || msg->msg_flags & MSG_CTRUNC) 1596 return -EIO; 1597 } 1598 } else if (*control != tlm->control) { 1599 return 0; 1600 } 1601 1602 return 1; 1603 } 1604 1605 /* The deferred announce is fired once on reader exit by 1606 * tls_rx_reader_release(). 1607 */ 1608 static void tls_rx_rec_done(struct tls_sw_context_rx *ctx) 1609 { 1610 tls_strp_msg_consume(&ctx->strp); 1611 tls_strp_check_rcv(&ctx->strp, false); 1612 } 1613 1614 /* This function traverses the rx_list in tls receive context to copies the 1615 * decrypted records into the buffer provided by caller zero copy is not 1616 * true. Further, the records are removed from the rx_list if it is not a peek 1617 * case and the record has been consumed completely. 1618 */ 1619 static int process_rx_list(struct tls_sw_context_rx *ctx, 1620 struct msghdr *msg, 1621 u8 *control, 1622 size_t skip, 1623 size_t len, 1624 bool is_peek, 1625 bool *more) 1626 { 1627 struct sk_buff *skb = skb_peek(&ctx->rx_list); 1628 struct tls_msg *tlm; 1629 ssize_t copied = 0; 1630 int err; 1631 1632 while (skip && skb) { 1633 struct strp_msg *rxm = strp_msg(skb); 1634 tlm = tls_msg(skb); 1635 1636 err = tls_record_content_type(msg, tlm, control); 1637 if (err <= 0) 1638 goto more; 1639 1640 if (skip < rxm->full_len) 1641 break; 1642 1643 skip = skip - rxm->full_len; 1644 skb = skb_peek_next(skb, &ctx->rx_list); 1645 } 1646 1647 while (len && skb) { 1648 struct sk_buff *next_skb; 1649 struct strp_msg *rxm = strp_msg(skb); 1650 int chunk = min_t(unsigned int, rxm->full_len - skip, len); 1651 1652 tlm = tls_msg(skb); 1653 1654 err = tls_record_content_type(msg, tlm, control); 1655 if (err <= 0) 1656 goto more; 1657 1658 err = skb_copy_datagram_msg(skb, rxm->offset + skip, 1659 msg, chunk); 1660 if (err < 0) 1661 goto more; 1662 1663 len = len - chunk; 1664 copied = copied + chunk; 1665 1666 /* Consume the data from record if it is non-peek case*/ 1667 if (!is_peek) { 1668 rxm->offset = rxm->offset + chunk; 1669 rxm->full_len = rxm->full_len - chunk; 1670 1671 /* Return if there is unconsumed data in the record */ 1672 if (rxm->full_len - skip) 1673 break; 1674 } 1675 1676 /* The remaining skip-bytes must lie in 1st record in rx_list. 1677 * So from the 2nd record, 'skip' should be 0. 1678 */ 1679 skip = 0; 1680 1681 if (msg) 1682 msg->msg_flags |= MSG_EOR; 1683 1684 next_skb = skb_peek_next(skb, &ctx->rx_list); 1685 1686 if (!is_peek) { 1687 __skb_unlink(skb, &ctx->rx_list); 1688 consume_skb(skb); 1689 } 1690 1691 skb = next_skb; 1692 } 1693 err = 0; 1694 1695 out: 1696 return copied ? : err; 1697 more: 1698 if (more) 1699 *more = true; 1700 goto out; 1701 } 1702 1703 static bool 1704 tls_read_flush_backlog(struct sock *sk, struct tls_prot_info *prot, 1705 size_t len_left, size_t decrypted, ssize_t done, 1706 size_t *flushed_at) 1707 { 1708 size_t max_rec; 1709 1710 if (len_left <= decrypted) 1711 return false; 1712 1713 max_rec = prot->overhead_size - prot->tail_size + TLS_MAX_PAYLOAD_SIZE; 1714 if (done - *flushed_at < SZ_128K && tcp_inq(sk) > max_rec) 1715 return false; 1716 1717 *flushed_at = done; 1718 return sk_flush_backlog(sk); 1719 } 1720 1721 static int tls_rx_reader_acquire(struct sock *sk, struct tls_sw_context_rx *ctx, 1722 bool nonblock) 1723 { 1724 long timeo; 1725 int ret; 1726 1727 timeo = sock_rcvtimeo(sk, nonblock); 1728 1729 while (unlikely(ctx->reader_present)) { 1730 DEFINE_WAIT_FUNC(wait, woken_wake_function); 1731 1732 ctx->reader_contended = 1; 1733 1734 add_wait_queue(&ctx->wq, &wait); 1735 ret = sk_wait_event(sk, &timeo, 1736 !READ_ONCE(ctx->reader_present), &wait); 1737 remove_wait_queue(&ctx->wq, &wait); 1738 1739 if (timeo <= 0) 1740 return -EAGAIN; 1741 if (signal_pending(current)) 1742 return sock_intr_errno(timeo); 1743 if (ret < 0) 1744 return ret; 1745 } 1746 1747 WRITE_ONCE(ctx->reader_present, 1); 1748 1749 return 0; 1750 } 1751 1752 static int tls_rx_reader_lock(struct sock *sk, struct tls_sw_context_rx *ctx, 1753 bool nonblock) 1754 { 1755 int err; 1756 1757 lock_sock(sk); 1758 err = tls_rx_reader_acquire(sk, ctx, nonblock); 1759 if (err) 1760 release_sock(sk); 1761 return err; 1762 } 1763 1764 static void tls_rx_reader_release(struct sock *sk, struct tls_sw_context_rx *ctx) 1765 { 1766 /* Fire any deferred announce once per reader so that a record 1767 * parsed but not yet announced becomes visible to the next 1768 * reader. The call is idempotent through msg_announced. 1769 */ 1770 tls_rx_msg_maybe_announce(&ctx->strp); 1771 1772 if (unlikely(ctx->reader_contended)) { 1773 if (wq_has_sleeper(&ctx->wq)) 1774 wake_up(&ctx->wq); 1775 else 1776 ctx->reader_contended = 0; 1777 1778 WARN_ON_ONCE(!ctx->reader_present); 1779 } 1780 1781 WRITE_ONCE(ctx->reader_present, 0); 1782 } 1783 1784 static void tls_rx_reader_unlock(struct sock *sk, struct tls_sw_context_rx *ctx) 1785 { 1786 tls_rx_reader_release(sk, ctx); 1787 release_sock(sk); 1788 } 1789 1790 int tls_sw_recvmsg(struct sock *sk, 1791 struct msghdr *msg, 1792 size_t len, 1793 int flags) 1794 { 1795 struct tls_context *tls_ctx = tls_get_ctx(sk); 1796 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 1797 struct tls_prot_info *prot = &tls_ctx->prot_info; 1798 ssize_t decrypted = 0, async_copy_bytes = 0; 1799 unsigned char control = 0; 1800 size_t flushed_at = 0; 1801 struct strp_msg *rxm; 1802 struct tls_msg *tlm; 1803 ssize_t copied = 0; 1804 ssize_t peeked = 0; 1805 bool async = false; 1806 int target, err; 1807 bool is_kvec = iov_iter_is_kvec(&msg->msg_iter); 1808 bool is_peek = flags & MSG_PEEK; 1809 bool rx_more = false; 1810 bool released = true; 1811 bool zc_capable; 1812 1813 if (unlikely(flags & MSG_ERRQUEUE)) 1814 return sock_recv_errqueue(sk, msg, len, SOL_IP, IP_RECVERR); 1815 1816 err = tls_rx_reader_lock(sk, ctx, flags & MSG_DONTWAIT); 1817 if (err < 0) 1818 return err; 1819 1820 /* If crypto failed the connection is broken */ 1821 err = ctx->async_wait.err; 1822 if (err) 1823 goto end; 1824 1825 /* Process pending decrypted records. It must be non-zero-copy */ 1826 err = process_rx_list(ctx, msg, &control, 0, len, is_peek, &rx_more); 1827 if (err < 0) 1828 goto end; 1829 1830 /* process_rx_list() will set @control if it processed any records */ 1831 copied = err; 1832 if (len <= copied || rx_more || 1833 (control && control != TLS_RECORD_TYPE_DATA)) 1834 goto end; 1835 1836 target = sock_rcvlowat(sk, flags & MSG_WAITALL, len); 1837 len = len - copied; 1838 1839 zc_capable = !is_kvec && !is_peek && ctx->zc_capable; 1840 decrypted = 0; 1841 while (len && (decrypted + copied < target || tls_strp_msg_ready(ctx))) { 1842 struct tls_decrypt_arg darg; 1843 int to_decrypt, chunk; 1844 1845 err = tls_rx_rec_wait(sk, flags & MSG_DONTWAIT, 1846 released, !!(decrypted + copied)); 1847 if (err <= 0) 1848 goto recv_end; 1849 1850 memset(&darg.inargs, 0, sizeof(darg.inargs)); 1851 1852 rxm = strp_msg(tls_strp_msg(ctx)); 1853 tlm = tls_msg(tls_strp_msg(ctx)); 1854 1855 to_decrypt = rxm->full_len - prot->overhead_size; 1856 1857 if (zc_capable && to_decrypt <= len && 1858 tlm->control == TLS_RECORD_TYPE_DATA) 1859 darg.zc = true; 1860 1861 /* Do not use async mode if record is non-data */ 1862 if (tlm->control == TLS_RECORD_TYPE_DATA) 1863 darg.async = ctx->async_capable; 1864 else 1865 darg.async = false; 1866 1867 err = tls_rx_one_record(sk, msg, &darg); 1868 if (err < 0) 1869 goto recv_end; 1870 1871 async |= darg.async; 1872 1873 /* If the type of records being processed is not known yet, 1874 * set it to record type just dequeued. If it is already known, 1875 * but does not match the record type just dequeued, go to end. 1876 * We always get record type here since for tls1.2, record type 1877 * is known just after record is dequeued from stream parser. 1878 * For tls1.3, we disable async. 1879 */ 1880 err = tls_record_content_type(msg, tls_msg(darg.skb), &control); 1881 if (err <= 0) { 1882 DEBUG_NET_WARN_ON_ONCE(darg.zc); 1883 tls_rx_rec_done(ctx); 1884 put_on_rx_list_err: 1885 __skb_queue_tail(&ctx->rx_list, darg.skb); 1886 goto recv_end; 1887 } 1888 1889 /* periodically flush backlog, and feed strparser */ 1890 released = tls_read_flush_backlog(sk, prot, len, to_decrypt, 1891 decrypted + copied, 1892 &flushed_at); 1893 1894 /* TLS 1.3 may have updated the length by more than overhead */ 1895 rxm = strp_msg(darg.skb); 1896 chunk = rxm->full_len; 1897 tls_rx_rec_done(ctx); 1898 1899 if (!darg.zc) { 1900 bool partially_consumed = chunk > len; 1901 struct sk_buff *skb = darg.skb; 1902 1903 DEBUG_NET_WARN_ON_ONCE(darg.skb == ctx->strp.anchor); 1904 1905 if (async) { 1906 /* TLS 1.2-only, to_decrypt must be text len */ 1907 chunk = min_t(int, to_decrypt, len); 1908 async_copy_bytes += chunk; 1909 put_on_rx_list: 1910 decrypted += chunk; 1911 len -= chunk; 1912 __skb_queue_tail(&ctx->rx_list, skb); 1913 if (unlikely(control != TLS_RECORD_TYPE_DATA)) 1914 break; 1915 continue; 1916 } 1917 1918 if (partially_consumed) 1919 chunk = len; 1920 1921 err = skb_copy_datagram_msg(skb, rxm->offset, 1922 msg, chunk); 1923 if (err < 0) 1924 goto put_on_rx_list_err; 1925 1926 if (is_peek) { 1927 peeked += chunk; 1928 goto put_on_rx_list; 1929 } 1930 1931 if (partially_consumed) { 1932 rxm->offset += chunk; 1933 rxm->full_len -= chunk; 1934 goto put_on_rx_list; 1935 } 1936 1937 consume_skb(skb); 1938 } 1939 1940 decrypted += chunk; 1941 len -= chunk; 1942 1943 /* Return full control message to userspace before trying 1944 * to parse another message type 1945 */ 1946 msg->msg_flags |= MSG_EOR; 1947 if (control != TLS_RECORD_TYPE_DATA) 1948 break; 1949 } 1950 1951 recv_end: 1952 if (async) { 1953 int ret; 1954 1955 /* Wait for all previously submitted records to be decrypted */ 1956 ret = tls_decrypt_async_wait(ctx); 1957 1958 if (ret) { 1959 if (err >= 0 || err == -EINPROGRESS) 1960 err = ret; 1961 goto end; 1962 } 1963 1964 /* Drain records from the rx_list & copy if required */ 1965 if (is_peek) 1966 err = process_rx_list(ctx, msg, &control, copied + peeked, 1967 decrypted - peeked, is_peek, NULL); 1968 else 1969 err = process_rx_list(ctx, msg, &control, 0, 1970 async_copy_bytes, is_peek, NULL); 1971 1972 /* we could have copied less than we wanted, and possibly nothing */ 1973 decrypted += max(err, 0) - async_copy_bytes; 1974 } 1975 1976 copied += decrypted; 1977 1978 end: 1979 tls_rx_reader_unlock(sk, ctx); 1980 return copied ? : err; 1981 } 1982 1983 ssize_t tls_sw_splice_read(struct socket *sock, loff_t *ppos, 1984 struct pipe_inode_info *pipe, 1985 size_t len, unsigned int flags) 1986 { 1987 struct tls_context *tls_ctx = tls_get_ctx(sock->sk); 1988 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 1989 struct strp_msg *rxm = NULL; 1990 struct sock *sk = sock->sk; 1991 struct tls_msg *tlm; 1992 struct sk_buff *skb; 1993 ssize_t copied = 0; 1994 int chunk; 1995 int err; 1996 1997 err = tls_rx_reader_lock(sk, ctx, flags & SPLICE_F_NONBLOCK); 1998 if (err < 0) 1999 return err; 2000 2001 if (!skb_queue_empty(&ctx->rx_list)) { 2002 skb = __skb_dequeue(&ctx->rx_list); 2003 } else { 2004 struct tls_decrypt_arg darg; 2005 2006 err = tls_rx_rec_wait(sk, flags & SPLICE_F_NONBLOCK, 2007 true, false); 2008 if (err <= 0) 2009 goto splice_read_end; 2010 2011 memset(&darg.inargs, 0, sizeof(darg.inargs)); 2012 2013 err = tls_rx_one_record(sk, NULL, &darg); 2014 if (err < 0) 2015 goto splice_read_end; 2016 2017 tls_rx_rec_done(ctx); 2018 skb = darg.skb; 2019 } 2020 2021 rxm = strp_msg(skb); 2022 tlm = tls_msg(skb); 2023 2024 /* splice does not support reading control messages */ 2025 if (tlm->control != TLS_RECORD_TYPE_DATA) { 2026 err = -EINVAL; 2027 goto splice_requeue; 2028 } 2029 2030 chunk = min_t(unsigned int, rxm->full_len, len); 2031 copied = skb_splice_bits(skb, sk, rxm->offset, pipe, chunk, flags); 2032 if (copied < 0) 2033 goto splice_requeue; 2034 2035 if (copied < rxm->full_len) { 2036 rxm->offset += copied; 2037 rxm->full_len -= copied; 2038 goto splice_requeue; 2039 } 2040 2041 consume_skb(skb); 2042 2043 splice_read_end: 2044 tls_rx_reader_unlock(sk, ctx); 2045 return copied ? : err; 2046 2047 splice_requeue: 2048 __skb_queue_head(&ctx->rx_list, skb); 2049 goto splice_read_end; 2050 } 2051 2052 int tls_sw_read_sock(struct sock *sk, read_descriptor_t *desc, 2053 sk_read_actor_t read_actor) 2054 { 2055 struct tls_context *tls_ctx = tls_get_ctx(sk); 2056 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 2057 struct tls_prot_info *prot = &tls_ctx->prot_info; 2058 struct strp_msg *rxm = NULL; 2059 struct sk_buff *skb = NULL; 2060 struct sk_psock *psock; 2061 size_t flushed_at = 0; 2062 bool released = true; 2063 struct tls_msg *tlm; 2064 ssize_t copied = 0; 2065 ssize_t decrypted; 2066 int err, used; 2067 2068 psock = sk_psock_get(sk); 2069 if (psock) { 2070 sk_psock_put(sk, psock); 2071 return -EINVAL; 2072 } 2073 err = tls_rx_reader_acquire(sk, ctx, true); 2074 if (err < 0) 2075 return err; 2076 2077 /* If crypto failed the connection is broken */ 2078 err = ctx->async_wait.err; 2079 if (err) 2080 goto read_sock_end; 2081 2082 decrypted = 0; 2083 while (desc->count) { 2084 if (!skb_queue_empty(&ctx->rx_list)) { 2085 skb = __skb_dequeue(&ctx->rx_list); 2086 rxm = strp_msg(skb); 2087 tlm = tls_msg(skb); 2088 } else { 2089 struct tls_decrypt_arg darg; 2090 2091 err = tls_rx_rec_wait(sk, true, released, !!copied); 2092 if (err <= 0) 2093 goto read_sock_end; 2094 2095 memset(&darg.inargs, 0, sizeof(darg.inargs)); 2096 2097 err = tls_rx_one_record(sk, NULL, &darg); 2098 if (err < 0) 2099 goto read_sock_end; 2100 2101 released = tls_read_flush_backlog(sk, prot, INT_MAX, 2102 0, decrypted, 2103 &flushed_at); 2104 skb = darg.skb; 2105 rxm = strp_msg(skb); 2106 tlm = tls_msg(skb); 2107 decrypted += rxm->full_len; 2108 2109 tls_rx_rec_done(ctx); 2110 } 2111 2112 /* read_sock does not support reading control messages */ 2113 if (tlm->control != TLS_RECORD_TYPE_DATA) { 2114 err = -EINVAL; 2115 goto read_sock_requeue; 2116 } 2117 2118 used = read_actor(desc, skb, rxm->offset, rxm->full_len); 2119 if (used <= 0) { 2120 if (!copied) 2121 err = used; 2122 goto read_sock_requeue; 2123 } 2124 copied += used; 2125 if (used < rxm->full_len) { 2126 rxm->offset += used; 2127 rxm->full_len -= used; 2128 __skb_queue_head(&ctx->rx_list, skb); 2129 } else { 2130 consume_skb(skb); 2131 } 2132 } 2133 2134 read_sock_end: 2135 tls_rx_reader_release(sk, ctx); 2136 return copied ? : err; 2137 2138 read_sock_requeue: 2139 __skb_queue_head(&ctx->rx_list, skb); 2140 goto read_sock_end; 2141 } 2142 2143 bool tls_sw_sock_is_readable(struct sock *sk) 2144 { 2145 struct tls_context *tls_ctx = tls_get_ctx(sk); 2146 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 2147 2148 return tls_strp_msg_ready(ctx) || 2149 !skb_queue_empty(&ctx->rx_list); 2150 } 2151 2152 int tls_rx_msg_size(struct tls_strparser *strp, struct sk_buff *skb) 2153 { 2154 struct tls_context *tls_ctx = tls_get_ctx(strp->sk); 2155 struct tls_prot_info *prot = &tls_ctx->prot_info; 2156 char header[TLS_HEADER_SIZE + TLS_MAX_IV_SIZE]; 2157 size_t cipher_overhead; 2158 size_t data_len = 0; 2159 int ret; 2160 2161 /* Verify that we have a full TLS header, or wait for more data */ 2162 if (strp->stm.offset + prot->prepend_size > skb->len) 2163 return 0; 2164 2165 /* Sanity-check size of on-stack buffer. */ 2166 if (WARN_ON(prot->prepend_size > sizeof(header))) { 2167 ret = -EINVAL; 2168 goto read_failure; 2169 } 2170 2171 /* Linearize header to local buffer */ 2172 ret = skb_copy_bits(skb, strp->stm.offset, header, prot->prepend_size); 2173 if (ret < 0) 2174 goto read_failure; 2175 2176 strp->mark = header[0]; 2177 2178 data_len = ((header[4] & 0xFF) | (header[3] << 8)); 2179 2180 cipher_overhead = prot->tag_size; 2181 if (prot->version != TLS_1_3_VERSION && 2182 prot->cipher_type != TLS_CIPHER_CHACHA20_POLY1305) 2183 cipher_overhead += prot->iv_size; 2184 2185 if (data_len > TLS_MAX_PAYLOAD_SIZE + cipher_overhead + 2186 prot->tail_size) { 2187 ret = -EMSGSIZE; 2188 goto read_failure; 2189 } 2190 if (data_len < cipher_overhead) { 2191 ret = -EBADMSG; 2192 goto read_failure; 2193 } 2194 2195 /* Note that both TLS1.3 and TLS1.2 use TLS_1_2 version here */ 2196 if (header[1] != TLS_1_2_VERSION_MINOR || 2197 header[2] != TLS_1_2_VERSION_MAJOR) { 2198 ret = -EINVAL; 2199 goto read_failure; 2200 } 2201 2202 tls_device_rx_resync_new_rec(strp->sk, data_len + TLS_HEADER_SIZE, 2203 TCP_SKB_CB(skb)->seq + strp->stm.offset); 2204 return data_len + TLS_HEADER_SIZE; 2205 2206 read_failure: 2207 tls_strp_abort_strp(strp, ret); 2208 return ret; 2209 } 2210 2211 /* Fire saved_data_ready() at most once per parsed record. The 2212 * msg_announced bit is cleared by tls_strp_msg_consume() when the 2213 * record is consumed, arming the next announcement. 2214 */ 2215 void tls_rx_msg_maybe_announce(struct tls_strparser *strp) 2216 { 2217 struct tls_sw_context_rx *ctx; 2218 2219 if (!READ_ONCE(strp->msg_ready) || strp->msg_announced) 2220 return; 2221 strp->msg_announced = 1; 2222 2223 ctx = container_of(strp, struct tls_sw_context_rx, strp); 2224 ctx->saved_data_ready(strp->sk); 2225 } 2226 2227 static void tls_data_ready(struct sock *sk) 2228 { 2229 struct tls_context *tls_ctx = tls_get_ctx(sk); 2230 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 2231 gfp_t alloc_save; 2232 2233 trace_sk_data_ready(sk); 2234 2235 alloc_save = sk->sk_allocation; 2236 sk->sk_allocation = GFP_ATOMIC; 2237 tls_strp_data_ready(&ctx->strp); 2238 sk->sk_allocation = alloc_save; 2239 } 2240 2241 void tls_sw_cancel_work_tx(struct tls_context *tls_ctx) 2242 { 2243 struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 2244 2245 set_bit(BIT_TX_CLOSING, &ctx->tx_bitmask); 2246 set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask); 2247 disable_delayed_work_sync(&ctx->tx_work.work); 2248 } 2249 2250 void tls_sw_release_resources_tx(struct sock *sk) 2251 { 2252 struct tls_context *tls_ctx = tls_get_ctx(sk); 2253 struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 2254 struct tls_rec *rec, *tmp; 2255 2256 /* Wait for any pending async encryptions to complete */ 2257 tls_encrypt_async_wait(ctx); 2258 2259 tls_tx_records(sk, -1); 2260 2261 /* Free up un-sent records in tx_list. First, free 2262 * the partially sent record if any at head of tx_list. 2263 */ 2264 if (tls_ctx->partially_sent_record) { 2265 tls_free_partial_record(sk, tls_ctx); 2266 rec = list_first_entry(&ctx->tx_list, 2267 struct tls_rec, list); 2268 list_del(&rec->list); 2269 sk_msg_free(sk, &rec->msg_plaintext); 2270 kfree(rec); 2271 } 2272 2273 list_for_each_entry_safe(rec, tmp, &ctx->tx_list, list) { 2274 list_del(&rec->list); 2275 sk_msg_free(sk, &rec->msg_encrypted); 2276 sk_msg_free(sk, &rec->msg_plaintext); 2277 kfree(rec); 2278 } 2279 2280 crypto_free_aead(ctx->aead_send); 2281 tls_free_open_rec(sk); 2282 } 2283 2284 void tls_sw_free_ctx_tx(struct tls_context *tls_ctx) 2285 { 2286 struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 2287 2288 kfree(ctx); 2289 } 2290 2291 void tls_sw_release_resources_rx(struct sock *sk) 2292 { 2293 struct tls_context *tls_ctx = tls_get_ctx(sk); 2294 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 2295 2296 if (ctx->aead_recv) { 2297 __skb_queue_purge(&ctx->rx_list); 2298 crypto_free_aead(ctx->aead_recv); 2299 tls_strp_stop(&ctx->strp); 2300 /* If tls_sw_strparser_arm() was not called (cleanup paths) 2301 * we still want to tls_strp_stop(), but sk->sk_data_ready was 2302 * never swapped. 2303 */ 2304 if (ctx->saved_data_ready) { 2305 write_lock_bh(&sk->sk_callback_lock); 2306 sk->sk_data_ready = ctx->saved_data_ready; 2307 write_unlock_bh(&sk->sk_callback_lock); 2308 } 2309 } 2310 } 2311 2312 void tls_sw_strparser_done(struct tls_context *tls_ctx) 2313 { 2314 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 2315 2316 tls_strp_done(&ctx->strp); 2317 } 2318 2319 void tls_sw_free_ctx_rx(struct tls_context *tls_ctx) 2320 { 2321 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 2322 2323 kfree(ctx); 2324 } 2325 2326 void tls_sw_free_resources_rx(struct sock *sk) 2327 { 2328 struct tls_context *tls_ctx = tls_get_ctx(sk); 2329 struct tls_sw_context_rx *ctx; 2330 2331 ctx = tls_sw_ctx_rx(tls_ctx); 2332 2333 tls_sw_release_resources_rx(sk); 2334 __tls_strp_done(&ctx->strp); 2335 tls_sw_free_ctx_rx(tls_ctx); 2336 } 2337 2338 /* The work handler to transmitt the encrypted records in tx_list */ 2339 static void tx_work_handler(struct work_struct *work) 2340 { 2341 struct delayed_work *delayed_work = to_delayed_work(work); 2342 struct tx_work *tx_work = container_of(delayed_work, 2343 struct tx_work, work); 2344 struct sock *sk = tx_work->sk; 2345 struct tls_context *tls_ctx = tls_get_ctx(sk); 2346 struct tls_sw_context_tx *ctx; 2347 2348 if (unlikely(!tls_ctx)) 2349 return; 2350 2351 ctx = tls_sw_ctx_tx(tls_ctx); 2352 if (test_bit(BIT_TX_CLOSING, &ctx->tx_bitmask)) 2353 return; 2354 2355 if (!test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask)) 2356 return; 2357 2358 if (mutex_trylock(&tls_ctx->tx_lock)) { 2359 lock_sock(sk); 2360 tls_tx_records(sk, -1); 2361 release_sock(sk); 2362 mutex_unlock(&tls_ctx->tx_lock); 2363 } else if (!test_and_set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask)) { 2364 /* Someone is holding the tx_lock, they will likely run Tx 2365 * and cancel the work on their way out of the lock section. 2366 * Schedule a long delay just in case. 2367 */ 2368 schedule_delayed_work(&ctx->tx_work.work, msecs_to_jiffies(10)); 2369 } 2370 } 2371 2372 static bool tls_is_tx_ready(struct tls_sw_context_tx *ctx) 2373 { 2374 struct tls_rec *rec; 2375 2376 rec = list_first_entry_or_null(&ctx->tx_list, struct tls_rec, list); 2377 if (!rec) 2378 return false; 2379 2380 return READ_ONCE(rec->tx_ready); 2381 } 2382 2383 void tls_sw_write_space(struct sock *sk, struct tls_context *ctx) 2384 { 2385 struct tls_sw_context_tx *tx_ctx = tls_sw_ctx_tx(ctx); 2386 2387 /* Schedule the transmission if tx list is ready */ 2388 if (tls_is_tx_ready(tx_ctx) && 2389 !test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask)) 2390 schedule_delayed_work(&tx_ctx->tx_work.work, 0); 2391 } 2392 2393 void tls_sw_strparser_arm(struct sock *sk, struct tls_context *tls_ctx) 2394 { 2395 struct tls_sw_context_rx *rx_ctx = tls_sw_ctx_rx(tls_ctx); 2396 2397 write_lock_bh(&sk->sk_callback_lock); 2398 rx_ctx->saved_data_ready = sk->sk_data_ready; 2399 sk->sk_data_ready = tls_data_ready; 2400 write_unlock_bh(&sk->sk_callback_lock); 2401 } 2402 2403 void tls_update_rx_zc_capable(struct tls_context *tls_ctx) 2404 { 2405 struct tls_sw_context_rx *rx_ctx = tls_sw_ctx_rx(tls_ctx); 2406 2407 rx_ctx->zc_capable = tls_ctx->rx_no_pad || 2408 tls_ctx->prot_info.version != TLS_1_3_VERSION; 2409 } 2410 2411 static struct tls_sw_context_tx *init_ctx_tx(struct tls_context *ctx, struct sock *sk) 2412 { 2413 struct tls_sw_context_tx *sw_ctx_tx; 2414 2415 if (!ctx->priv_ctx_tx) { 2416 sw_ctx_tx = kzalloc_obj(*sw_ctx_tx); 2417 if (!sw_ctx_tx) 2418 return NULL; 2419 } else { 2420 sw_ctx_tx = ctx->priv_ctx_tx; 2421 } 2422 2423 crypto_init_wait(&sw_ctx_tx->async_wait); 2424 atomic_set(&sw_ctx_tx->encrypt_pending, 1); 2425 INIT_LIST_HEAD(&sw_ctx_tx->tx_list); 2426 INIT_DELAYED_WORK(&sw_ctx_tx->tx_work.work, tx_work_handler); 2427 sw_ctx_tx->tx_work.sk = sk; 2428 2429 return sw_ctx_tx; 2430 } 2431 2432 static struct tls_sw_context_rx *init_ctx_rx(struct tls_context *ctx) 2433 { 2434 struct tls_sw_context_rx *sw_ctx_rx; 2435 2436 if (!ctx->priv_ctx_rx) { 2437 sw_ctx_rx = kzalloc_obj(*sw_ctx_rx); 2438 if (!sw_ctx_rx) 2439 return NULL; 2440 } else { 2441 sw_ctx_rx = ctx->priv_ctx_rx; 2442 } 2443 2444 crypto_init_wait(&sw_ctx_rx->async_wait); 2445 atomic_set(&sw_ctx_rx->decrypt_pending, 1); 2446 init_waitqueue_head(&sw_ctx_rx->wq); 2447 skb_queue_head_init(&sw_ctx_rx->rx_list); 2448 skb_queue_head_init(&sw_ctx_rx->async_hold); 2449 2450 return sw_ctx_rx; 2451 } 2452 2453 int init_prot_info(struct tls_prot_info *prot, 2454 const struct tls_crypto_info *crypto_info, 2455 const struct tls_cipher_desc *cipher_desc) 2456 { 2457 u16 nonce_size = cipher_desc->nonce; 2458 2459 if (crypto_info->version == TLS_1_3_VERSION) { 2460 nonce_size = 0; 2461 prot->aad_size = TLS_HEADER_SIZE; 2462 prot->tail_size = 1; 2463 } else { 2464 prot->aad_size = TLS_AAD_SPACE_SIZE; 2465 prot->tail_size = 0; 2466 } 2467 2468 /* Sanity-check the sizes for stack allocations. */ 2469 if (nonce_size > TLS_MAX_IV_SIZE || prot->aad_size > TLS_MAX_AAD_SIZE) 2470 return -EINVAL; 2471 2472 prot->version = crypto_info->version; 2473 prot->cipher_type = crypto_info->cipher_type; 2474 prot->prepend_size = TLS_HEADER_SIZE + nonce_size; 2475 prot->tag_size = cipher_desc->tag; 2476 prot->overhead_size = prot->prepend_size + prot->tag_size + prot->tail_size; 2477 prot->iv_size = cipher_desc->iv; 2478 prot->salt_size = cipher_desc->salt; 2479 prot->rec_seq_size = cipher_desc->rec_seq; 2480 2481 return 0; 2482 } 2483 2484 static void tls_finish_key_update(struct sock *sk, struct tls_context *tls_ctx) 2485 { 2486 struct tls_sw_context_rx *ctx = tls_ctx->priv_ctx_rx; 2487 2488 WRITE_ONCE(ctx->key_update_pending, false); 2489 /* wake-up pre-existing poll() */ 2490 ctx->saved_data_ready(sk); 2491 } 2492 2493 int tls_set_sw_offload(struct sock *sk, int tx, 2494 struct tls_crypto_info *new_crypto_info) 2495 { 2496 struct tls_crypto_info *crypto_info, *src_crypto_info; 2497 struct tls_sw_context_tx *sw_ctx_tx = NULL; 2498 struct tls_sw_context_rx *sw_ctx_rx = NULL; 2499 const struct tls_cipher_desc *cipher_desc; 2500 char *iv, *rec_seq, *key, *salt; 2501 struct cipher_context *cctx; 2502 struct tls_prot_info *prot; 2503 struct crypto_aead **aead; 2504 struct tls_context *ctx; 2505 struct crypto_tfm *tfm; 2506 int rc = 0; 2507 2508 ctx = tls_get_ctx(sk); 2509 prot = &ctx->prot_info; 2510 2511 /* new_crypto_info != NULL means rekey */ 2512 if (!new_crypto_info) { 2513 if (tx) { 2514 ctx->priv_ctx_tx = init_ctx_tx(ctx, sk); 2515 if (!ctx->priv_ctx_tx) 2516 return -ENOMEM; 2517 } else { 2518 ctx->priv_ctx_rx = init_ctx_rx(ctx); 2519 if (!ctx->priv_ctx_rx) 2520 return -ENOMEM; 2521 } 2522 } 2523 2524 if (tx) { 2525 sw_ctx_tx = ctx->priv_ctx_tx; 2526 crypto_info = &ctx->crypto_send.info; 2527 cctx = &ctx->tx; 2528 aead = &sw_ctx_tx->aead_send; 2529 } else { 2530 sw_ctx_rx = ctx->priv_ctx_rx; 2531 crypto_info = &ctx->crypto_recv.info; 2532 cctx = &ctx->rx; 2533 aead = &sw_ctx_rx->aead_recv; 2534 } 2535 2536 src_crypto_info = new_crypto_info ?: crypto_info; 2537 2538 cipher_desc = get_cipher_desc(src_crypto_info->cipher_type); 2539 if (!cipher_desc) { 2540 rc = -EINVAL; 2541 goto free_priv; 2542 } 2543 2544 rc = init_prot_info(prot, src_crypto_info, cipher_desc); 2545 if (rc) 2546 goto free_priv; 2547 2548 iv = crypto_info_iv(src_crypto_info, cipher_desc); 2549 key = crypto_info_key(src_crypto_info, cipher_desc); 2550 salt = crypto_info_salt(src_crypto_info, cipher_desc); 2551 rec_seq = crypto_info_rec_seq(src_crypto_info, cipher_desc); 2552 2553 if (!*aead) { 2554 *aead = crypto_alloc_aead(cipher_desc->cipher_name, 0, 0); 2555 if (IS_ERR(*aead)) { 2556 rc = PTR_ERR(*aead); 2557 *aead = NULL; 2558 goto free_priv; 2559 } 2560 } 2561 2562 ctx->push_pending_record = tls_sw_push_pending_record; 2563 2564 /* setkey is the last operation that could fail during a 2565 * rekey. if it succeeds, we can start modifying the 2566 * context. 2567 */ 2568 rc = crypto_aead_setkey(*aead, key, cipher_desc->key); 2569 if (rc) { 2570 if (new_crypto_info) 2571 goto out; 2572 else 2573 goto free_aead; 2574 } 2575 2576 if (!new_crypto_info) { 2577 rc = crypto_aead_setauthsize(*aead, prot->tag_size); 2578 if (rc) 2579 goto free_aead; 2580 } 2581 2582 if (!tx && !new_crypto_info) { 2583 tfm = crypto_aead_tfm(sw_ctx_rx->aead_recv); 2584 2585 tls_update_rx_zc_capable(ctx); 2586 sw_ctx_rx->async_capable = 2587 src_crypto_info->version != TLS_1_3_VERSION && 2588 !!(tfm->__crt_alg->cra_flags & CRYPTO_ALG_ASYNC); 2589 2590 rc = tls_strp_init(&sw_ctx_rx->strp, sk); 2591 if (rc) 2592 goto free_aead; 2593 } 2594 2595 memcpy(cctx->iv, salt, cipher_desc->salt); 2596 memcpy(cctx->iv + cipher_desc->salt, iv, cipher_desc->iv); 2597 memcpy(cctx->rec_seq, rec_seq, cipher_desc->rec_seq); 2598 2599 if (new_crypto_info) { 2600 unsafe_memcpy(crypto_info, new_crypto_info, 2601 cipher_desc->crypto_info, 2602 /* size was checked in do_tls_setsockopt_conf */); 2603 memzero_explicit(new_crypto_info, cipher_desc->crypto_info); 2604 if (!tx) 2605 tls_finish_key_update(sk, ctx); 2606 } 2607 2608 goto out; 2609 2610 free_aead: 2611 crypto_free_aead(*aead); 2612 *aead = NULL; 2613 free_priv: 2614 if (!new_crypto_info) { 2615 if (tx) { 2616 kfree(ctx->priv_ctx_tx); 2617 ctx->priv_ctx_tx = NULL; 2618 } else { 2619 kfree(ctx->priv_ctx_rx); 2620 ctx->priv_ctx_rx = NULL; 2621 } 2622 } 2623 out: 2624 return rc; 2625 } 2626