1 /* 2 * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved. 3 * Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved. 4 * 5 * This software is available to you under a choice of one of two 6 * licenses. You may choose to be licensed under the terms of the GNU 7 * General Public License (GPL) Version 2, available from the file 8 * COPYING in the main directory of this source tree, or the 9 * OpenIB.org BSD license below: 10 * 11 * Redistribution and use in source and binary forms, with or 12 * without modification, are permitted provided that the following 13 * conditions are met: 14 * 15 * - Redistributions of source code must retain the above 16 * copyright notice, this list of conditions and the following 17 * disclaimer. 18 * 19 * - Redistributions in binary form must reproduce the above 20 * copyright notice, this list of conditions and the following 21 * disclaimer in the documentation and/or other materials 22 * provided with the distribution. 23 * 24 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 25 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 26 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 27 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 28 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 29 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 30 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 31 * SOFTWARE. 32 */ 33 34 #include <linux/module.h> 35 36 #include <net/tcp.h> 37 #include <net/inet_common.h> 38 #include <linux/highmem.h> 39 #include <linux/netdevice.h> 40 #include <linux/sched/signal.h> 41 42 #include <net/tls.h> 43 44 MODULE_AUTHOR("Mellanox Technologies"); 45 MODULE_DESCRIPTION("Transport Layer Security Support"); 46 MODULE_LICENSE("Dual BSD/GPL"); 47 48 enum { 49 TLS_BASE_TX, 50 TLS_SW_TX, 51 TLS_NUM_CONFIG, 52 }; 53 54 static struct proto tls_prots[TLS_NUM_CONFIG]; 55 56 static inline void update_sk_prot(struct sock *sk, struct tls_context *ctx) 57 { 58 sk->sk_prot = &tls_prots[ctx->tx_conf]; 59 } 60 61 int wait_on_pending_writer(struct sock *sk, long *timeo) 62 { 63 int rc = 0; 64 DEFINE_WAIT_FUNC(wait, woken_wake_function); 65 66 add_wait_queue(sk_sleep(sk), &wait); 67 while (1) { 68 if (!*timeo) { 69 rc = -EAGAIN; 70 break; 71 } 72 73 if (signal_pending(current)) { 74 rc = sock_intr_errno(*timeo); 75 break; 76 } 77 78 if (sk_wait_event(sk, timeo, !sk->sk_write_pending, &wait)) 79 break; 80 } 81 remove_wait_queue(sk_sleep(sk), &wait); 82 return rc; 83 } 84 85 int tls_push_sg(struct sock *sk, 86 struct tls_context *ctx, 87 struct scatterlist *sg, 88 u16 first_offset, 89 int flags) 90 { 91 int sendpage_flags = flags | MSG_SENDPAGE_NOTLAST; 92 int ret = 0; 93 struct page *p; 94 size_t size; 95 int offset = first_offset; 96 97 size = sg->length - offset; 98 offset += sg->offset; 99 100 while (1) { 101 if (sg_is_last(sg)) 102 sendpage_flags = flags; 103 104 /* is sending application-limited? */ 105 tcp_rate_check_app_limited(sk); 106 p = sg_page(sg); 107 retry: 108 ret = do_tcp_sendpages(sk, p, offset, size, sendpage_flags); 109 110 if (ret != size) { 111 if (ret > 0) { 112 offset += ret; 113 size -= ret; 114 goto retry; 115 } 116 117 offset -= sg->offset; 118 ctx->partially_sent_offset = offset; 119 ctx->partially_sent_record = (void *)sg; 120 return ret; 121 } 122 123 put_page(p); 124 sk_mem_uncharge(sk, sg->length); 125 sg = sg_next(sg); 126 if (!sg) 127 break; 128 129 offset = sg->offset; 130 size = sg->length; 131 } 132 133 clear_bit(TLS_PENDING_CLOSED_RECORD, &ctx->flags); 134 135 return 0; 136 } 137 138 static int tls_handle_open_record(struct sock *sk, int flags) 139 { 140 struct tls_context *ctx = tls_get_ctx(sk); 141 142 if (tls_is_pending_open_record(ctx)) 143 return ctx->push_pending_record(sk, flags); 144 145 return 0; 146 } 147 148 int tls_proccess_cmsg(struct sock *sk, struct msghdr *msg, 149 unsigned char *record_type) 150 { 151 struct cmsghdr *cmsg; 152 int rc = -EINVAL; 153 154 for_each_cmsghdr(cmsg, msg) { 155 if (!CMSG_OK(msg, cmsg)) 156 return -EINVAL; 157 if (cmsg->cmsg_level != SOL_TLS) 158 continue; 159 160 switch (cmsg->cmsg_type) { 161 case TLS_SET_RECORD_TYPE: 162 if (cmsg->cmsg_len < CMSG_LEN(sizeof(*record_type))) 163 return -EINVAL; 164 165 if (msg->msg_flags & MSG_MORE) 166 return -EINVAL; 167 168 rc = tls_handle_open_record(sk, msg->msg_flags); 169 if (rc) 170 return rc; 171 172 *record_type = *(unsigned char *)CMSG_DATA(cmsg); 173 rc = 0; 174 break; 175 default: 176 return -EINVAL; 177 } 178 } 179 180 return rc; 181 } 182 183 int tls_push_pending_closed_record(struct sock *sk, struct tls_context *ctx, 184 int flags, long *timeo) 185 { 186 struct scatterlist *sg; 187 u16 offset; 188 189 if (!tls_is_partially_sent_record(ctx)) 190 return ctx->push_pending_record(sk, flags); 191 192 sg = ctx->partially_sent_record; 193 offset = ctx->partially_sent_offset; 194 195 ctx->partially_sent_record = NULL; 196 return tls_push_sg(sk, ctx, sg, offset, flags); 197 } 198 199 static void tls_write_space(struct sock *sk) 200 { 201 struct tls_context *ctx = tls_get_ctx(sk); 202 203 if (!sk->sk_write_pending && tls_is_pending_closed_record(ctx)) { 204 gfp_t sk_allocation = sk->sk_allocation; 205 int rc; 206 long timeo = 0; 207 208 sk->sk_allocation = GFP_ATOMIC; 209 rc = tls_push_pending_closed_record(sk, ctx, 210 MSG_DONTWAIT | 211 MSG_NOSIGNAL, 212 &timeo); 213 sk->sk_allocation = sk_allocation; 214 215 if (rc < 0) 216 return; 217 } 218 219 ctx->sk_write_space(sk); 220 } 221 222 static void tls_sk_proto_close(struct sock *sk, long timeout) 223 { 224 struct tls_context *ctx = tls_get_ctx(sk); 225 long timeo = sock_sndtimeo(sk, 0); 226 void (*sk_proto_close)(struct sock *sk, long timeout); 227 228 lock_sock(sk); 229 sk_proto_close = ctx->sk_proto_close; 230 231 if (ctx->tx_conf == TLS_BASE_TX) { 232 kfree(ctx); 233 goto skip_tx_cleanup; 234 } 235 236 if (!tls_complete_pending_work(sk, ctx, 0, &timeo)) 237 tls_handle_open_record(sk, 0); 238 239 if (ctx->partially_sent_record) { 240 struct scatterlist *sg = ctx->partially_sent_record; 241 242 while (1) { 243 put_page(sg_page(sg)); 244 sk_mem_uncharge(sk, sg->length); 245 246 if (sg_is_last(sg)) 247 break; 248 sg++; 249 } 250 } 251 252 kfree(ctx->rec_seq); 253 kfree(ctx->iv); 254 255 if (ctx->tx_conf == TLS_SW_TX) 256 tls_sw_free_tx_resources(sk); 257 258 skip_tx_cleanup: 259 release_sock(sk); 260 sk_proto_close(sk, timeout); 261 } 262 263 static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval, 264 int __user *optlen) 265 { 266 int rc = 0; 267 struct tls_context *ctx = tls_get_ctx(sk); 268 struct tls_crypto_info *crypto_info; 269 int len; 270 271 if (get_user(len, optlen)) 272 return -EFAULT; 273 274 if (!optval || (len < sizeof(*crypto_info))) { 275 rc = -EINVAL; 276 goto out; 277 } 278 279 if (!ctx) { 280 rc = -EBUSY; 281 goto out; 282 } 283 284 /* get user crypto info */ 285 crypto_info = &ctx->crypto_send; 286 287 if (!TLS_CRYPTO_INFO_READY(crypto_info)) { 288 rc = -EBUSY; 289 goto out; 290 } 291 292 if (len == sizeof(*crypto_info)) { 293 if (copy_to_user(optval, crypto_info, sizeof(*crypto_info))) 294 rc = -EFAULT; 295 goto out; 296 } 297 298 switch (crypto_info->cipher_type) { 299 case TLS_CIPHER_AES_GCM_128: { 300 struct tls12_crypto_info_aes_gcm_128 * 301 crypto_info_aes_gcm_128 = 302 container_of(crypto_info, 303 struct tls12_crypto_info_aes_gcm_128, 304 info); 305 306 if (len != sizeof(*crypto_info_aes_gcm_128)) { 307 rc = -EINVAL; 308 goto out; 309 } 310 lock_sock(sk); 311 memcpy(crypto_info_aes_gcm_128->iv, ctx->iv, 312 TLS_CIPHER_AES_GCM_128_IV_SIZE); 313 release_sock(sk); 314 if (copy_to_user(optval, 315 crypto_info_aes_gcm_128, 316 sizeof(*crypto_info_aes_gcm_128))) 317 rc = -EFAULT; 318 break; 319 } 320 default: 321 rc = -EINVAL; 322 } 323 324 out: 325 return rc; 326 } 327 328 static int do_tls_getsockopt(struct sock *sk, int optname, 329 char __user *optval, int __user *optlen) 330 { 331 int rc = 0; 332 333 switch (optname) { 334 case TLS_TX: 335 rc = do_tls_getsockopt_tx(sk, optval, optlen); 336 break; 337 default: 338 rc = -ENOPROTOOPT; 339 break; 340 } 341 return rc; 342 } 343 344 static int tls_getsockopt(struct sock *sk, int level, int optname, 345 char __user *optval, int __user *optlen) 346 { 347 struct tls_context *ctx = tls_get_ctx(sk); 348 349 if (level != SOL_TLS) 350 return ctx->getsockopt(sk, level, optname, optval, optlen); 351 352 return do_tls_getsockopt(sk, optname, optval, optlen); 353 } 354 355 static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval, 356 unsigned int optlen) 357 { 358 struct tls_crypto_info *crypto_info; 359 struct tls_context *ctx = tls_get_ctx(sk); 360 int rc = 0; 361 int tx_conf; 362 363 if (!optval || (optlen < sizeof(*crypto_info))) { 364 rc = -EINVAL; 365 goto out; 366 } 367 368 crypto_info = &ctx->crypto_send; 369 /* Currently we don't support set crypto info more than one time */ 370 if (TLS_CRYPTO_INFO_READY(crypto_info)) 371 goto out; 372 373 rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info)); 374 if (rc) { 375 rc = -EFAULT; 376 goto out; 377 } 378 379 /* check version */ 380 if (crypto_info->version != TLS_1_2_VERSION) { 381 rc = -ENOTSUPP; 382 goto err_crypto_info; 383 } 384 385 switch (crypto_info->cipher_type) { 386 case TLS_CIPHER_AES_GCM_128: { 387 if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) { 388 rc = -EINVAL; 389 goto out; 390 } 391 rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info), 392 optlen - sizeof(*crypto_info)); 393 if (rc) { 394 rc = -EFAULT; 395 goto err_crypto_info; 396 } 397 break; 398 } 399 default: 400 rc = -EINVAL; 401 goto out; 402 } 403 404 /* currently SW is default, we will have ethtool in future */ 405 rc = tls_set_sw_offload(sk, ctx); 406 tx_conf = TLS_SW_TX; 407 if (rc) 408 goto err_crypto_info; 409 410 ctx->tx_conf = tx_conf; 411 update_sk_prot(sk, ctx); 412 ctx->sk_write_space = sk->sk_write_space; 413 sk->sk_write_space = tls_write_space; 414 goto out; 415 416 err_crypto_info: 417 memset(crypto_info, 0, sizeof(*crypto_info)); 418 out: 419 return rc; 420 } 421 422 static int do_tls_setsockopt(struct sock *sk, int optname, 423 char __user *optval, unsigned int optlen) 424 { 425 int rc = 0; 426 427 switch (optname) { 428 case TLS_TX: 429 lock_sock(sk); 430 rc = do_tls_setsockopt_tx(sk, optval, optlen); 431 release_sock(sk); 432 break; 433 default: 434 rc = -ENOPROTOOPT; 435 break; 436 } 437 return rc; 438 } 439 440 static int tls_setsockopt(struct sock *sk, int level, int optname, 441 char __user *optval, unsigned int optlen) 442 { 443 struct tls_context *ctx = tls_get_ctx(sk); 444 445 if (level != SOL_TLS) 446 return ctx->setsockopt(sk, level, optname, optval, optlen); 447 448 return do_tls_setsockopt(sk, optname, optval, optlen); 449 } 450 451 static int tls_init(struct sock *sk) 452 { 453 struct inet_connection_sock *icsk = inet_csk(sk); 454 struct tls_context *ctx; 455 int rc = 0; 456 457 /* allocate tls context */ 458 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 459 if (!ctx) { 460 rc = -ENOMEM; 461 goto out; 462 } 463 icsk->icsk_ulp_data = ctx; 464 ctx->setsockopt = sk->sk_prot->setsockopt; 465 ctx->getsockopt = sk->sk_prot->getsockopt; 466 ctx->sk_proto_close = sk->sk_prot->close; 467 468 ctx->tx_conf = TLS_BASE_TX; 469 update_sk_prot(sk, ctx); 470 out: 471 return rc; 472 } 473 474 static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = { 475 .name = "tls", 476 .owner = THIS_MODULE, 477 .init = tls_init, 478 }; 479 480 static void build_protos(struct proto *prot, struct proto *base) 481 { 482 prot[TLS_BASE_TX] = *base; 483 prot[TLS_BASE_TX].setsockopt = tls_setsockopt; 484 prot[TLS_BASE_TX].getsockopt = tls_getsockopt; 485 prot[TLS_BASE_TX].close = tls_sk_proto_close; 486 487 prot[TLS_SW_TX] = prot[TLS_BASE_TX]; 488 prot[TLS_SW_TX].sendmsg = tls_sw_sendmsg; 489 prot[TLS_SW_TX].sendpage = tls_sw_sendpage; 490 } 491 492 static int __init tls_register(void) 493 { 494 build_protos(tls_prots, &tcp_prot); 495 496 tcp_register_ulp(&tcp_tls_ulp_ops); 497 498 return 0; 499 } 500 501 static void __exit tls_unregister(void) 502 { 503 tcp_unregister_ulp(&tcp_tls_ulp_ops); 504 } 505 506 module_init(tls_register); 507 module_exit(tls_unregister); 508