tlshd.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Establish a TLS session for a kernel socket consumer
  4. * using the tlshd user space handler.
  5. *
  6. * Author: Chuck Lever <chuck.lever@oracle.com>
  7. *
  8. * Copyright (c) 2021-2023, Oracle and/or its affiliates.
  9. */
  10. #include <linux/types.h>
  11. #include <linux/socket.h>
  12. #include <linux/kernel.h>
  13. #include <linux/module.h>
  14. #include <linux/slab.h>
  15. #include <linux/key.h>
  16. #include <net/sock.h>
  17. #include <net/handshake.h>
  18. #include <net/genetlink.h>
  19. #include <net/tls_prot.h>
  20. #include <uapi/linux/keyctl.h>
  21. #include <uapi/linux/handshake.h>
  22. #include "handshake.h"
  23. struct tls_handshake_req {
  24. void (*th_consumer_done)(void *data, int status,
  25. key_serial_t peerid);
  26. void *th_consumer_data;
  27. int th_type;
  28. unsigned int th_timeout_ms;
  29. int th_auth_mode;
  30. const char *th_peername;
  31. key_serial_t th_keyring;
  32. key_serial_t th_certificate;
  33. key_serial_t th_privkey;
  34. unsigned int th_num_peerids;
  35. key_serial_t th_peerid[5];
  36. };
  37. static struct tls_handshake_req *
  38. tls_handshake_req_init(struct handshake_req *req,
  39. const struct tls_handshake_args *args)
  40. {
  41. struct tls_handshake_req *treq = handshake_req_private(req);
  42. treq->th_timeout_ms = args->ta_timeout_ms;
  43. treq->th_consumer_done = args->ta_done;
  44. treq->th_consumer_data = args->ta_data;
  45. treq->th_peername = args->ta_peername;
  46. treq->th_keyring = args->ta_keyring;
  47. treq->th_num_peerids = 0;
  48. treq->th_certificate = TLS_NO_CERT;
  49. treq->th_privkey = TLS_NO_PRIVKEY;
  50. return treq;
  51. }
  52. static void tls_handshake_remote_peerids(struct tls_handshake_req *treq,
  53. struct genl_info *info)
  54. {
  55. struct nlattr *head = nlmsg_attrdata(info->nlhdr, GENL_HDRLEN);
  56. int rem, len = nlmsg_attrlen(info->nlhdr, GENL_HDRLEN);
  57. struct nlattr *nla;
  58. unsigned int i;
  59. i = 0;
  60. nla_for_each_attr(nla, head, len, rem) {
  61. if (nla_type(nla) == HANDSHAKE_A_DONE_REMOTE_AUTH)
  62. i++;
  63. }
  64. if (!i)
  65. return;
  66. treq->th_num_peerids = min_t(unsigned int, i,
  67. ARRAY_SIZE(treq->th_peerid));
  68. i = 0;
  69. nla_for_each_attr(nla, head, len, rem) {
  70. if (nla_type(nla) == HANDSHAKE_A_DONE_REMOTE_AUTH)
  71. treq->th_peerid[i++] = nla_get_u32(nla);
  72. if (i >= treq->th_num_peerids)
  73. break;
  74. }
  75. }
  76. /**
  77. * tls_handshake_done - callback to handle a CMD_DONE request
  78. * @req: socket on which the handshake was performed
  79. * @status: session status code
  80. * @info: full results of session establishment
  81. *
  82. */
  83. static void tls_handshake_done(struct handshake_req *req,
  84. unsigned int status, struct genl_info *info)
  85. {
  86. struct tls_handshake_req *treq = handshake_req_private(req);
  87. treq->th_peerid[0] = TLS_NO_PEERID;
  88. if (info)
  89. tls_handshake_remote_peerids(treq, info);
  90. if (!status)
  91. set_bit(HANDSHAKE_F_REQ_SESSION, &req->hr_flags);
  92. treq->th_consumer_done(treq->th_consumer_data, -status,
  93. treq->th_peerid[0]);
  94. }
  95. #if IS_ENABLED(CONFIG_KEYS)
  96. static int tls_handshake_private_keyring(struct tls_handshake_req *treq)
  97. {
  98. key_ref_t process_keyring_ref, keyring_ref;
  99. int ret;
  100. if (treq->th_keyring == TLS_NO_KEYRING)
  101. return 0;
  102. process_keyring_ref = lookup_user_key(KEY_SPEC_PROCESS_KEYRING,
  103. KEY_LOOKUP_CREATE,
  104. KEY_NEED_WRITE);
  105. if (IS_ERR(process_keyring_ref)) {
  106. ret = PTR_ERR(process_keyring_ref);
  107. goto out;
  108. }
  109. keyring_ref = lookup_user_key(treq->th_keyring, KEY_LOOKUP_CREATE,
  110. KEY_NEED_LINK);
  111. if (IS_ERR(keyring_ref)) {
  112. ret = PTR_ERR(keyring_ref);
  113. goto out_put_key;
  114. }
  115. ret = key_link(key_ref_to_ptr(process_keyring_ref),
  116. key_ref_to_ptr(keyring_ref));
  117. key_ref_put(keyring_ref);
  118. out_put_key:
  119. key_ref_put(process_keyring_ref);
  120. out:
  121. return ret;
  122. }
  123. #else
  124. static int tls_handshake_private_keyring(struct tls_handshake_req *treq)
  125. {
  126. return 0;
  127. }
  128. #endif
  129. static int tls_handshake_put_peer_identity(struct sk_buff *msg,
  130. struct tls_handshake_req *treq)
  131. {
  132. unsigned int i;
  133. for (i = 0; i < treq->th_num_peerids; i++)
  134. if (nla_put_u32(msg, HANDSHAKE_A_ACCEPT_PEER_IDENTITY,
  135. treq->th_peerid[i]) < 0)
  136. return -EMSGSIZE;
  137. return 0;
  138. }
  139. static int tls_handshake_put_certificate(struct sk_buff *msg,
  140. struct tls_handshake_req *treq)
  141. {
  142. struct nlattr *entry_attr;
  143. if (treq->th_certificate == TLS_NO_CERT &&
  144. treq->th_privkey == TLS_NO_PRIVKEY)
  145. return 0;
  146. entry_attr = nla_nest_start(msg, HANDSHAKE_A_ACCEPT_CERTIFICATE);
  147. if (!entry_attr)
  148. return -EMSGSIZE;
  149. if (nla_put_s32(msg, HANDSHAKE_A_X509_CERT,
  150. treq->th_certificate) ||
  151. nla_put_s32(msg, HANDSHAKE_A_X509_PRIVKEY,
  152. treq->th_privkey)) {
  153. nla_nest_cancel(msg, entry_attr);
  154. return -EMSGSIZE;
  155. }
  156. nla_nest_end(msg, entry_attr);
  157. return 0;
  158. }
  159. /**
  160. * tls_handshake_accept - callback to construct a CMD_ACCEPT response
  161. * @req: handshake parameters to return
  162. * @info: generic netlink message context
  163. * @fd: file descriptor to be returned
  164. *
  165. * Returns zero on success, or a negative errno on failure.
  166. */
  167. static int tls_handshake_accept(struct handshake_req *req,
  168. struct genl_info *info, int fd)
  169. {
  170. struct tls_handshake_req *treq = handshake_req_private(req);
  171. struct nlmsghdr *hdr;
  172. struct sk_buff *msg;
  173. int ret;
  174. ret = tls_handshake_private_keyring(treq);
  175. if (ret < 0)
  176. goto out;
  177. ret = -ENOMEM;
  178. msg = genlmsg_new(GENLMSG_DEFAULT_SIZE, GFP_KERNEL);
  179. if (!msg)
  180. goto out;
  181. hdr = handshake_genl_put(msg, info);
  182. if (!hdr)
  183. goto out_cancel;
  184. ret = nla_put_s32(msg, HANDSHAKE_A_ACCEPT_SOCKFD, fd);
  185. if (ret < 0)
  186. goto out_cancel;
  187. ret = nla_put_u32(msg, HANDSHAKE_A_ACCEPT_MESSAGE_TYPE, treq->th_type);
  188. if (ret < 0)
  189. goto out_cancel;
  190. if (treq->th_peername) {
  191. ret = nla_put_string(msg, HANDSHAKE_A_ACCEPT_PEERNAME,
  192. treq->th_peername);
  193. if (ret < 0)
  194. goto out_cancel;
  195. }
  196. if (treq->th_timeout_ms) {
  197. ret = nla_put_u32(msg, HANDSHAKE_A_ACCEPT_TIMEOUT, treq->th_timeout_ms);
  198. if (ret < 0)
  199. goto out_cancel;
  200. }
  201. if (treq->th_keyring) {
  202. ret = nla_put_u32(msg, HANDSHAKE_A_ACCEPT_KEYRING,
  203. treq->th_keyring);
  204. if (ret < 0)
  205. goto out_cancel;
  206. }
  207. ret = nla_put_u32(msg, HANDSHAKE_A_ACCEPT_AUTH_MODE,
  208. treq->th_auth_mode);
  209. if (ret < 0)
  210. goto out_cancel;
  211. switch (treq->th_auth_mode) {
  212. case HANDSHAKE_AUTH_PSK:
  213. ret = tls_handshake_put_peer_identity(msg, treq);
  214. if (ret < 0)
  215. goto out_cancel;
  216. break;
  217. case HANDSHAKE_AUTH_X509:
  218. ret = tls_handshake_put_certificate(msg, treq);
  219. if (ret < 0)
  220. goto out_cancel;
  221. break;
  222. }
  223. genlmsg_end(msg, hdr);
  224. return genlmsg_reply(msg, info);
  225. out_cancel:
  226. genlmsg_cancel(msg, hdr);
  227. nlmsg_free(msg);
  228. out:
  229. return ret;
  230. }
  231. static const struct handshake_proto tls_handshake_proto = {
  232. .hp_handler_class = HANDSHAKE_HANDLER_CLASS_TLSHD,
  233. .hp_privsize = sizeof(struct tls_handshake_req),
  234. .hp_flags = BIT(HANDSHAKE_F_PROTO_NOTIFY),
  235. .hp_accept = tls_handshake_accept,
  236. .hp_done = tls_handshake_done,
  237. };
  238. /**
  239. * tls_client_hello_anon - request an anonymous TLS handshake on a socket
  240. * @args: socket and handshake parameters for this request
  241. * @flags: memory allocation control flags
  242. *
  243. * Return values:
  244. * %0: Handshake request enqueue; ->done will be called when complete
  245. * %-ESRCH: No user agent is available
  246. * %-ENOMEM: Memory allocation failed
  247. */
  248. int tls_client_hello_anon(const struct tls_handshake_args *args, gfp_t flags)
  249. {
  250. struct tls_handshake_req *treq;
  251. struct handshake_req *req;
  252. req = handshake_req_alloc(&tls_handshake_proto, flags);
  253. if (!req)
  254. return -ENOMEM;
  255. treq = tls_handshake_req_init(req, args);
  256. treq->th_type = HANDSHAKE_MSG_TYPE_CLIENTHELLO;
  257. treq->th_auth_mode = HANDSHAKE_AUTH_UNAUTH;
  258. return handshake_req_submit(args->ta_sock, req, flags);
  259. }
  260. EXPORT_SYMBOL(tls_client_hello_anon);
  261. /**
  262. * tls_client_hello_x509 - request an x.509-based TLS handshake on a socket
  263. * @args: socket and handshake parameters for this request
  264. * @flags: memory allocation control flags
  265. *
  266. * Return values:
  267. * %0: Handshake request enqueue; ->done will be called when complete
  268. * %-ESRCH: No user agent is available
  269. * %-ENOMEM: Memory allocation failed
  270. */
  271. int tls_client_hello_x509(const struct tls_handshake_args *args, gfp_t flags)
  272. {
  273. struct tls_handshake_req *treq;
  274. struct handshake_req *req;
  275. req = handshake_req_alloc(&tls_handshake_proto, flags);
  276. if (!req)
  277. return -ENOMEM;
  278. treq = tls_handshake_req_init(req, args);
  279. treq->th_type = HANDSHAKE_MSG_TYPE_CLIENTHELLO;
  280. treq->th_auth_mode = HANDSHAKE_AUTH_X509;
  281. treq->th_certificate = args->ta_my_cert;
  282. treq->th_privkey = args->ta_my_privkey;
  283. return handshake_req_submit(args->ta_sock, req, flags);
  284. }
  285. EXPORT_SYMBOL(tls_client_hello_x509);
  286. /**
  287. * tls_client_hello_psk - request a PSK-based TLS handshake on a socket
  288. * @args: socket and handshake parameters for this request
  289. * @flags: memory allocation control flags
  290. *
  291. * Return values:
  292. * %0: Handshake request enqueue; ->done will be called when complete
  293. * %-EINVAL: Wrong number of local peer IDs
  294. * %-ESRCH: No user agent is available
  295. * %-ENOMEM: Memory allocation failed
  296. */
  297. int tls_client_hello_psk(const struct tls_handshake_args *args, gfp_t flags)
  298. {
  299. struct tls_handshake_req *treq;
  300. struct handshake_req *req;
  301. unsigned int i;
  302. if (!args->ta_num_peerids ||
  303. args->ta_num_peerids > ARRAY_SIZE(treq->th_peerid))
  304. return -EINVAL;
  305. req = handshake_req_alloc(&tls_handshake_proto, flags);
  306. if (!req)
  307. return -ENOMEM;
  308. treq = tls_handshake_req_init(req, args);
  309. treq->th_type = HANDSHAKE_MSG_TYPE_CLIENTHELLO;
  310. treq->th_auth_mode = HANDSHAKE_AUTH_PSK;
  311. treq->th_num_peerids = args->ta_num_peerids;
  312. for (i = 0; i < args->ta_num_peerids; i++)
  313. treq->th_peerid[i] = args->ta_my_peerids[i];
  314. return handshake_req_submit(args->ta_sock, req, flags);
  315. }
  316. EXPORT_SYMBOL(tls_client_hello_psk);
  317. /**
  318. * tls_server_hello_x509 - request a server TLS handshake on a socket
  319. * @args: socket and handshake parameters for this request
  320. * @flags: memory allocation control flags
  321. *
  322. * Return values:
  323. * %0: Handshake request enqueue; ->done will be called when complete
  324. * %-ESRCH: No user agent is available
  325. * %-ENOMEM: Memory allocation failed
  326. */
  327. int tls_server_hello_x509(const struct tls_handshake_args *args, gfp_t flags)
  328. {
  329. struct tls_handshake_req *treq;
  330. struct handshake_req *req;
  331. req = handshake_req_alloc(&tls_handshake_proto, flags);
  332. if (!req)
  333. return -ENOMEM;
  334. treq = tls_handshake_req_init(req, args);
  335. treq->th_type = HANDSHAKE_MSG_TYPE_SERVERHELLO;
  336. treq->th_auth_mode = HANDSHAKE_AUTH_X509;
  337. treq->th_certificate = args->ta_my_cert;
  338. treq->th_privkey = args->ta_my_privkey;
  339. return handshake_req_submit(args->ta_sock, req, flags);
  340. }
  341. EXPORT_SYMBOL(tls_server_hello_x509);
  342. /**
  343. * tls_server_hello_psk - request a server TLS handshake on a socket
  344. * @args: socket and handshake parameters for this request
  345. * @flags: memory allocation control flags
  346. *
  347. * Return values:
  348. * %0: Handshake request enqueue; ->done will be called when complete
  349. * %-ESRCH: No user agent is available
  350. * %-ENOMEM: Memory allocation failed
  351. */
  352. int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flags)
  353. {
  354. struct tls_handshake_req *treq;
  355. struct handshake_req *req;
  356. req = handshake_req_alloc(&tls_handshake_proto, flags);
  357. if (!req)
  358. return -ENOMEM;
  359. treq = tls_handshake_req_init(req, args);
  360. treq->th_type = HANDSHAKE_MSG_TYPE_SERVERHELLO;
  361. treq->th_auth_mode = HANDSHAKE_AUTH_PSK;
  362. treq->th_num_peerids = 1;
  363. treq->th_peerid[0] = args->ta_my_peerids[0];
  364. return handshake_req_submit(args->ta_sock, req, flags);
  365. }
  366. EXPORT_SYMBOL(tls_server_hello_psk);
  367. /**
  368. * tls_handshake_cancel - cancel a pending handshake
  369. * @sk: socket on which there is an ongoing handshake
  370. *
  371. * Request cancellation races with request completion. To determine
  372. * who won, callers examine the return value from this function.
  373. *
  374. * Return values:
  375. * %true - Uncompleted handshake request was canceled
  376. * %false - Handshake request already completed or not found
  377. */
  378. bool tls_handshake_cancel(struct sock *sk)
  379. {
  380. return handshake_req_cancel(sk);
  381. }
  382. EXPORT_SYMBOL(tls_handshake_cancel);
  383. /**
  384. * tls_handshake_close - send a Closure alert
  385. * @sock: an open socket
  386. *
  387. */
  388. void tls_handshake_close(struct socket *sock)
  389. {
  390. struct handshake_req *req;
  391. req = handshake_req_hash_lookup(sock->sk);
  392. if (!req)
  393. return;
  394. if (!test_and_clear_bit(HANDSHAKE_F_REQ_SESSION, &req->hr_flags))
  395. return;
  396. tls_alert_send(sock, TLS_ALERT_LEVEL_WARNING,
  397. TLS_ALERT_DESC_CLOSE_NOTIFY);
  398. }
  399. EXPORT_SYMBOL(tls_handshake_close);