tls.h 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512
  1. /*
  2. * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
  3. * Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved.
  4. *
  5. * This software is available to you under a choice of one of two
  6. * licenses. You may choose to be licensed under the terms of the GNU
  7. * General Public License (GPL) Version 2, available from the file
  8. * COPYING in the main directory of this source tree, or the
  9. * OpenIB.org BSD license below:
  10. *
  11. * Redistribution and use in source and binary forms, with or
  12. * without modification, are permitted provided that the following
  13. * conditions are met:
  14. *
  15. * - Redistributions of source code must retain the above
  16. * copyright notice, this list of conditions and the following
  17. * disclaimer.
  18. *
  19. * - Redistributions in binary form must reproduce the above
  20. * copyright notice, this list of conditions and the following
  21. * disclaimer in the documentation and/or other materials
  22. * provided with the distribution.
  23. *
  24. * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  25. * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  26. * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  27. * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
  28. * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
  29. * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  30. * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  31. * SOFTWARE.
  32. */
  33. #ifndef _TLS_OFFLOAD_H
  34. #define _TLS_OFFLOAD_H
  35. #include <linux/types.h>
  36. #include <asm/byteorder.h>
  37. #include <linux/crypto.h>
  38. #include <linux/socket.h>
  39. #include <linux/tcp.h>
  40. #include <linux/mutex.h>
  41. #include <linux/netdevice.h>
  42. #include <linux/rcupdate.h>
  43. #include <net/net_namespace.h>
  44. #include <net/tcp.h>
  45. #include <net/strparser.h>
  46. #include <crypto/aead.h>
  47. #include <uapi/linux/tls.h>
  48. struct tls_rec;
  49. /* Maximum data size carried in a TLS record */
  50. #define TLS_MAX_PAYLOAD_SIZE ((size_t)1 << 14)
  51. /* Minimum record size limit as per RFC8449 */
  52. #define TLS_MIN_RECORD_SIZE_LIM ((size_t)1 << 6)
  53. #define TLS_HEADER_SIZE 5
  54. #define TLS_NONCE_OFFSET TLS_HEADER_SIZE
  55. #define TLS_CRYPTO_INFO_READY(info) ((info)->cipher_type)
  56. #define TLS_HANDSHAKE_KEYUPDATE 24 /* rfc8446 B.3: Key update */
  57. #define TLS_AAD_SPACE_SIZE 13
  58. #define TLS_MAX_IV_SIZE 16
  59. #define TLS_MAX_SALT_SIZE 4
  60. #define TLS_TAG_SIZE 16
  61. #define TLS_MAX_REC_SEQ_SIZE 8
  62. #define TLS_MAX_AAD_SIZE TLS_AAD_SPACE_SIZE
  63. /* For CCM mode, the full 16-bytes of IV is made of '4' fields of given sizes.
  64. *
  65. * IV[16] = b0[1] || implicit nonce[4] || explicit nonce[8] || length[3]
  66. *
  67. * The field 'length' is encoded in field 'b0' as '(length width - 1)'.
  68. * Hence b0 contains (3 - 1) = 2.
  69. */
  70. #define TLS_AES_CCM_IV_B0_BYTE 2
  71. #define TLS_SM4_CCM_IV_B0_BYTE 2
  72. enum {
  73. TLS_BASE,
  74. TLS_SW,
  75. TLS_HW,
  76. TLS_HW_RECORD,
  77. TLS_NUM_CONFIG,
  78. };
  79. struct tx_work {
  80. struct delayed_work work;
  81. struct sock *sk;
  82. };
  83. struct tls_sw_context_tx {
  84. struct crypto_aead *aead_send;
  85. struct crypto_wait async_wait;
  86. struct tx_work tx_work;
  87. struct tls_rec *open_rec;
  88. struct list_head tx_list;
  89. atomic_t encrypt_pending;
  90. u8 async_capable:1;
  91. #define BIT_TX_SCHEDULED 0
  92. #define BIT_TX_CLOSING 1
  93. unsigned long tx_bitmask;
  94. };
  95. struct tls_strparser {
  96. struct sock *sk;
  97. u32 mark : 8;
  98. u32 stopped : 1;
  99. u32 copy_mode : 1;
  100. u32 mixed_decrypted : 1;
  101. bool msg_ready;
  102. struct strp_msg stm;
  103. struct sk_buff *anchor;
  104. struct work_struct work;
  105. };
  106. struct tls_sw_context_rx {
  107. struct crypto_aead *aead_recv;
  108. struct crypto_wait async_wait;
  109. struct sk_buff_head rx_list; /* list of decrypted 'data' records */
  110. void (*saved_data_ready)(struct sock *sk);
  111. u8 reader_present;
  112. u8 async_capable:1;
  113. u8 zc_capable:1;
  114. u8 reader_contended:1;
  115. bool key_update_pending;
  116. struct tls_strparser strp;
  117. atomic_t decrypt_pending;
  118. struct sk_buff_head async_hold;
  119. struct wait_queue_head wq;
  120. };
  121. struct tls_record_info {
  122. struct list_head list;
  123. u32 end_seq;
  124. int len;
  125. int num_frags;
  126. skb_frag_t frags[MAX_SKB_FRAGS];
  127. };
  128. #define TLS_DRIVER_STATE_SIZE_TX 16
  129. struct tls_offload_context_tx {
  130. struct crypto_aead *aead_send;
  131. spinlock_t lock; /* protects records list */
  132. struct list_head records_list;
  133. struct tls_record_info *open_record;
  134. struct tls_record_info *retransmit_hint;
  135. u64 hint_record_sn;
  136. u64 unacked_record_sn;
  137. struct scatterlist sg_tx_data[MAX_SKB_FRAGS];
  138. void (*sk_destruct)(struct sock *sk);
  139. struct work_struct destruct_work;
  140. struct tls_context *ctx;
  141. /* The TLS layer reserves room for driver specific state
  142. * Currently the belief is that there is not enough
  143. * driver specific state to justify another layer of indirection
  144. */
  145. u8 driver_state[TLS_DRIVER_STATE_SIZE_TX] __aligned(8);
  146. };
  147. enum tls_context_flags {
  148. /* tls_device_down was called after the netdev went down, device state
  149. * was released, and kTLS works in software, even though rx_conf is
  150. * still TLS_HW (needed for transition).
  151. */
  152. TLS_RX_DEV_DEGRADED = 0,
  153. /* Unlike RX where resync is driven entirely by the core in TX only
  154. * the driver knows when things went out of sync, so we need the flag
  155. * to be atomic.
  156. */
  157. TLS_TX_SYNC_SCHED = 1,
  158. /* tls_dev_del was called for the RX side, device state was released,
  159. * but tls_ctx->netdev might still be kept, because TX-side driver
  160. * resources might not be released yet. Used to prevent the second
  161. * tls_dev_del call in tls_device_down if it happens simultaneously.
  162. */
  163. TLS_RX_DEV_CLOSED = 2,
  164. };
  165. struct cipher_context {
  166. char iv[TLS_MAX_IV_SIZE + TLS_MAX_SALT_SIZE];
  167. char rec_seq[TLS_MAX_REC_SEQ_SIZE];
  168. };
  169. union tls_crypto_context {
  170. struct tls_crypto_info info;
  171. union {
  172. struct tls12_crypto_info_aes_gcm_128 aes_gcm_128;
  173. struct tls12_crypto_info_aes_gcm_256 aes_gcm_256;
  174. struct tls12_crypto_info_chacha20_poly1305 chacha20_poly1305;
  175. struct tls12_crypto_info_sm4_gcm sm4_gcm;
  176. struct tls12_crypto_info_sm4_ccm sm4_ccm;
  177. };
  178. };
  179. struct tls_prot_info {
  180. u16 version;
  181. u16 cipher_type;
  182. u16 prepend_size;
  183. u16 tag_size;
  184. u16 overhead_size;
  185. u16 iv_size;
  186. u16 salt_size;
  187. u16 rec_seq_size;
  188. u16 aad_size;
  189. u16 tail_size;
  190. };
  191. struct tls_context {
  192. /* read-only cache line */
  193. struct tls_prot_info prot_info;
  194. u8 tx_conf:3;
  195. u8 rx_conf:3;
  196. u8 zerocopy_sendfile:1;
  197. u8 rx_no_pad:1;
  198. u16 tx_max_payload_len;
  199. int (*push_pending_record)(struct sock *sk, int flags);
  200. void (*sk_write_space)(struct sock *sk);
  201. void *priv_ctx_tx;
  202. void *priv_ctx_rx;
  203. struct net_device __rcu *netdev;
  204. /* rw cache line */
  205. struct cipher_context tx;
  206. struct cipher_context rx;
  207. struct scatterlist *partially_sent_record;
  208. u16 partially_sent_offset;
  209. bool splicing_pages;
  210. bool pending_open_record_frags;
  211. struct mutex tx_lock; /* protects partially_sent_* fields and
  212. * per-type TX fields
  213. */
  214. unsigned long flags;
  215. /* cache cold stuff */
  216. struct proto *sk_proto;
  217. struct sock *sk;
  218. void (*sk_destruct)(struct sock *sk);
  219. union tls_crypto_context crypto_send;
  220. union tls_crypto_context crypto_recv;
  221. struct list_head list;
  222. refcount_t refcount;
  223. struct rcu_head rcu;
  224. };
  225. enum tls_offload_ctx_dir {
  226. TLS_OFFLOAD_CTX_DIR_RX,
  227. TLS_OFFLOAD_CTX_DIR_TX,
  228. };
  229. struct tlsdev_ops {
  230. int (*tls_dev_add)(struct net_device *netdev, struct sock *sk,
  231. enum tls_offload_ctx_dir direction,
  232. struct tls_crypto_info *crypto_info,
  233. u32 start_offload_tcp_sn);
  234. void (*tls_dev_del)(struct net_device *netdev,
  235. struct tls_context *ctx,
  236. enum tls_offload_ctx_dir direction);
  237. int (*tls_dev_resync)(struct net_device *netdev,
  238. struct sock *sk, u32 seq, u8 *rcd_sn,
  239. enum tls_offload_ctx_dir direction);
  240. };
  241. enum tls_offload_sync_type {
  242. TLS_OFFLOAD_SYNC_TYPE_DRIVER_REQ = 0,
  243. TLS_OFFLOAD_SYNC_TYPE_CORE_NEXT_HINT = 1,
  244. TLS_OFFLOAD_SYNC_TYPE_DRIVER_REQ_ASYNC = 2,
  245. };
  246. #define TLS_DEVICE_RESYNC_NH_START_IVAL 2
  247. #define TLS_DEVICE_RESYNC_NH_MAX_IVAL 128
  248. #define TLS_DEVICE_RESYNC_ASYNC_LOGMAX 13
  249. struct tls_offload_resync_async {
  250. atomic64_t req;
  251. u16 loglen;
  252. u16 rcd_delta;
  253. u32 log[TLS_DEVICE_RESYNC_ASYNC_LOGMAX];
  254. };
  255. #define TLS_DRIVER_STATE_SIZE_RX 8
  256. struct tls_offload_context_rx {
  257. /* sw must be the first member of tls_offload_context_rx */
  258. struct tls_sw_context_rx sw;
  259. enum tls_offload_sync_type resync_type;
  260. /* this member is set regardless of resync_type, to avoid branches */
  261. u8 resync_nh_reset:1;
  262. /* CORE_NEXT_HINT-only member, but use the hole here */
  263. u8 resync_nh_do_now:1;
  264. union {
  265. /* TLS_OFFLOAD_SYNC_TYPE_DRIVER_REQ */
  266. struct {
  267. atomic64_t resync_req;
  268. };
  269. /* TLS_OFFLOAD_SYNC_TYPE_CORE_NEXT_HINT */
  270. struct {
  271. u32 decrypted_failed;
  272. u32 decrypted_tgt;
  273. } resync_nh;
  274. /* TLS_OFFLOAD_SYNC_TYPE_DRIVER_REQ_ASYNC */
  275. struct {
  276. struct tls_offload_resync_async *resync_async;
  277. };
  278. };
  279. /* The TLS layer reserves room for driver specific state
  280. * Currently the belief is that there is not enough
  281. * driver specific state to justify another layer of indirection
  282. */
  283. u8 driver_state[TLS_DRIVER_STATE_SIZE_RX] __aligned(8);
  284. };
  285. struct tls_record_info *tls_get_record(struct tls_offload_context_tx *context,
  286. u32 seq, u64 *p_record_sn);
  287. static inline bool tls_record_is_start_marker(struct tls_record_info *rec)
  288. {
  289. return rec->len == 0;
  290. }
  291. static inline u32 tls_record_start_seq(struct tls_record_info *rec)
  292. {
  293. return rec->end_seq - rec->len;
  294. }
  295. struct sk_buff *
  296. tls_validate_xmit_skb(struct sock *sk, struct net_device *dev,
  297. struct sk_buff *skb);
  298. struct sk_buff *
  299. tls_validate_xmit_skb_sw(struct sock *sk, struct net_device *dev,
  300. struct sk_buff *skb);
  301. static inline bool tls_is_skb_tx_device_offloaded(const struct sk_buff *skb)
  302. {
  303. #ifdef CONFIG_TLS_DEVICE
  304. struct sock *sk = skb->sk;
  305. return sk && sk_fullsock(sk) &&
  306. (smp_load_acquire(&sk->sk_validate_xmit_skb) ==
  307. &tls_validate_xmit_skb);
  308. #else
  309. return false;
  310. #endif
  311. }
  312. static inline struct tls_context *tls_get_ctx(const struct sock *sk)
  313. {
  314. const struct inet_connection_sock *icsk = inet_csk(sk);
  315. /* Use RCU on icsk_ulp_data only for sock diag code,
  316. * TLS data path doesn't need rcu_dereference().
  317. */
  318. return (__force void *)icsk->icsk_ulp_data;
  319. }
  320. static inline struct tls_sw_context_rx *tls_sw_ctx_rx(
  321. const struct tls_context *tls_ctx)
  322. {
  323. return (struct tls_sw_context_rx *)tls_ctx->priv_ctx_rx;
  324. }
  325. static inline struct tls_sw_context_tx *tls_sw_ctx_tx(
  326. const struct tls_context *tls_ctx)
  327. {
  328. return (struct tls_sw_context_tx *)tls_ctx->priv_ctx_tx;
  329. }
  330. static inline struct tls_offload_context_tx *
  331. tls_offload_ctx_tx(const struct tls_context *tls_ctx)
  332. {
  333. return (struct tls_offload_context_tx *)tls_ctx->priv_ctx_tx;
  334. }
  335. static inline bool tls_sw_has_ctx_tx(const struct sock *sk)
  336. {
  337. struct tls_context *ctx;
  338. if (!sk_is_inet(sk) || !inet_test_bit(IS_ICSK, sk))
  339. return false;
  340. ctx = tls_get_ctx(sk);
  341. if (!ctx)
  342. return false;
  343. return !!tls_sw_ctx_tx(ctx);
  344. }
  345. static inline bool tls_sw_has_ctx_rx(const struct sock *sk)
  346. {
  347. struct tls_context *ctx;
  348. if (!sk_is_inet(sk) || !inet_test_bit(IS_ICSK, sk))
  349. return false;
  350. ctx = tls_get_ctx(sk);
  351. if (!ctx)
  352. return false;
  353. return !!tls_sw_ctx_rx(ctx);
  354. }
  355. static inline struct tls_offload_context_rx *
  356. tls_offload_ctx_rx(const struct tls_context *tls_ctx)
  357. {
  358. return (struct tls_offload_context_rx *)tls_ctx->priv_ctx_rx;
  359. }
  360. static inline void *__tls_driver_ctx(struct tls_context *tls_ctx,
  361. enum tls_offload_ctx_dir direction)
  362. {
  363. if (direction == TLS_OFFLOAD_CTX_DIR_TX)
  364. return tls_offload_ctx_tx(tls_ctx)->driver_state;
  365. else
  366. return tls_offload_ctx_rx(tls_ctx)->driver_state;
  367. }
  368. static inline void *
  369. tls_driver_ctx(const struct sock *sk, enum tls_offload_ctx_dir direction)
  370. {
  371. return __tls_driver_ctx(tls_get_ctx(sk), direction);
  372. }
  373. #define RESYNC_REQ BIT(0)
  374. #define RESYNC_REQ_ASYNC BIT(1)
  375. /* The TLS context is valid until sk_destruct is called */
  376. static inline void tls_offload_rx_resync_request(struct sock *sk, __be32 seq)
  377. {
  378. struct tls_context *tls_ctx = tls_get_ctx(sk);
  379. struct tls_offload_context_rx *rx_ctx = tls_offload_ctx_rx(tls_ctx);
  380. atomic64_set(&rx_ctx->resync_req, ((u64)ntohl(seq) << 32) | RESYNC_REQ);
  381. }
  382. /* Log all TLS record header TCP sequences in [seq, seq+len] */
  383. static inline void
  384. tls_offload_rx_resync_async_request_start(struct tls_offload_resync_async *resync_async,
  385. __be32 seq, u16 len)
  386. {
  387. atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) |
  388. ((u64)len << 16) | RESYNC_REQ | RESYNC_REQ_ASYNC);
  389. resync_async->loglen = 0;
  390. resync_async->rcd_delta = 0;
  391. }
  392. static inline void
  393. tls_offload_rx_resync_async_request_end(struct tls_offload_resync_async *resync_async,
  394. __be32 seq)
  395. {
  396. atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) | RESYNC_REQ);
  397. }
  398. static inline void
  399. tls_offload_rx_resync_async_request_cancel(struct tls_offload_resync_async *resync_async)
  400. {
  401. atomic64_set(&resync_async->req, 0);
  402. }
  403. static inline void
  404. tls_offload_rx_resync_set_type(struct sock *sk, enum tls_offload_sync_type type)
  405. {
  406. struct tls_context *tls_ctx = tls_get_ctx(sk);
  407. tls_offload_ctx_rx(tls_ctx)->resync_type = type;
  408. }
  409. /* Driver's seq tracking has to be disabled until resync succeeded */
  410. static inline bool tls_offload_tx_resync_pending(struct sock *sk)
  411. {
  412. struct tls_context *tls_ctx = tls_get_ctx(sk);
  413. bool ret;
  414. ret = test_bit(TLS_TX_SYNC_SCHED, &tls_ctx->flags);
  415. smp_mb__after_atomic();
  416. return ret;
  417. }
  418. struct sk_buff *tls_encrypt_skb(struct sk_buff *skb);
  419. #ifdef CONFIG_TLS_DEVICE
  420. void tls_device_sk_destruct(struct sock *sk);
  421. void tls_offload_tx_resync_request(struct sock *sk, u32 got_seq, u32 exp_seq);
  422. static inline bool tls_is_sk_rx_device_offloaded(struct sock *sk)
  423. {
  424. if (!sk_fullsock(sk) ||
  425. smp_load_acquire(&sk->sk_destruct) != tls_device_sk_destruct)
  426. return false;
  427. return tls_get_ctx(sk)->rx_conf == TLS_HW;
  428. }
  429. #endif
  430. #endif /* _TLS_OFFLOAD_H */