tls_device_fallback.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474
  1. /* Copyright (c) 2018, Mellanox Technologies All rights reserved.
  2. *
  3. * This software is available to you under a choice of one of two
  4. * licenses. You may choose to be licensed under the terms of the GNU
  5. * General Public License (GPL) Version 2, available from the file
  6. * COPYING in the main directory of this source tree, or the
  7. * OpenIB.org BSD license below:
  8. *
  9. * Redistribution and use in source and binary forms, with or
  10. * without modification, are permitted provided that the following
  11. * conditions are met:
  12. *
  13. * - Redistributions of source code must retain the above
  14. * copyright notice, this list of conditions and the following
  15. * disclaimer.
  16. *
  17. * - Redistributions in binary form must reproduce the above
  18. * copyright notice, this list of conditions and the following
  19. * disclaimer in the documentation and/or other materials
  20. * provided with the distribution.
  21. *
  22. * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  23. * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  24. * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  25. * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
  26. * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
  27. * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  28. * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  29. * SOFTWARE.
  30. */
  31. #include <net/tls.h>
  32. #include <crypto/aead.h>
  33. #include <crypto/scatterwalk.h>
  34. #include <net/ip6_checksum.h>
  35. #include <linux/skbuff_ref.h>
  36. #include "tls.h"
  37. static int tls_enc_record(struct aead_request *aead_req,
  38. struct crypto_aead *aead, char *aad,
  39. char *iv, __be64 rcd_sn,
  40. struct scatter_walk *in,
  41. struct scatter_walk *out, int *in_len,
  42. struct tls_prot_info *prot)
  43. {
  44. unsigned char buf[TLS_HEADER_SIZE + TLS_MAX_IV_SIZE];
  45. const struct tls_cipher_desc *cipher_desc;
  46. struct scatterlist sg_in[3];
  47. struct scatterlist sg_out[3];
  48. unsigned int buf_size;
  49. u16 len;
  50. int rc;
  51. cipher_desc = get_cipher_desc(prot->cipher_type);
  52. DEBUG_NET_WARN_ON_ONCE(!cipher_desc || !cipher_desc->offloadable);
  53. buf_size = TLS_HEADER_SIZE + cipher_desc->iv;
  54. len = min_t(int, *in_len, buf_size);
  55. memcpy_from_scatterwalk(buf, in, len);
  56. memcpy_to_scatterwalk(out, buf, len);
  57. *in_len -= len;
  58. if (!*in_len)
  59. return 0;
  60. len = buf[4] | (buf[3] << 8);
  61. len -= cipher_desc->iv;
  62. tls_make_aad(aad, len - cipher_desc->tag, (char *)&rcd_sn, buf[0], prot);
  63. memcpy(iv + cipher_desc->salt, buf + TLS_HEADER_SIZE, cipher_desc->iv);
  64. sg_init_table(sg_in, ARRAY_SIZE(sg_in));
  65. sg_init_table(sg_out, ARRAY_SIZE(sg_out));
  66. sg_set_buf(sg_in, aad, TLS_AAD_SPACE_SIZE);
  67. sg_set_buf(sg_out, aad, TLS_AAD_SPACE_SIZE);
  68. scatterwalk_get_sglist(in, sg_in + 1);
  69. scatterwalk_get_sglist(out, sg_out + 1);
  70. *in_len -= len;
  71. if (*in_len < 0) {
  72. *in_len += cipher_desc->tag;
  73. /* the input buffer doesn't contain the entire record.
  74. * trim len accordingly. The resulting authentication tag
  75. * will contain garbage, but we don't care, so we won't
  76. * include any of it in the output skb
  77. * Note that we assume the output buffer length
  78. * is larger then input buffer length + tag size
  79. */
  80. if (*in_len < 0)
  81. len += *in_len;
  82. *in_len = 0;
  83. }
  84. if (*in_len) {
  85. scatterwalk_skip(in, len);
  86. scatterwalk_skip(out, len);
  87. }
  88. len -= cipher_desc->tag;
  89. aead_request_set_crypt(aead_req, sg_in, sg_out, len, iv);
  90. rc = crypto_aead_encrypt(aead_req);
  91. return rc;
  92. }
  93. static void tls_init_aead_request(struct aead_request *aead_req,
  94. struct crypto_aead *aead)
  95. {
  96. aead_request_set_tfm(aead_req, aead);
  97. aead_request_set_ad(aead_req, TLS_AAD_SPACE_SIZE);
  98. }
  99. static struct aead_request *tls_alloc_aead_request(struct crypto_aead *aead,
  100. gfp_t flags)
  101. {
  102. unsigned int req_size = sizeof(struct aead_request) +
  103. crypto_aead_reqsize(aead);
  104. struct aead_request *aead_req;
  105. aead_req = kzalloc(req_size, flags);
  106. if (aead_req)
  107. tls_init_aead_request(aead_req, aead);
  108. return aead_req;
  109. }
  110. static int tls_enc_records(struct aead_request *aead_req,
  111. struct crypto_aead *aead, struct scatterlist *sg_in,
  112. struct scatterlist *sg_out, char *aad, char *iv,
  113. u64 rcd_sn, int len, struct tls_prot_info *prot)
  114. {
  115. struct scatter_walk out, in;
  116. int rc;
  117. scatterwalk_start(&in, sg_in);
  118. scatterwalk_start(&out, sg_out);
  119. do {
  120. rc = tls_enc_record(aead_req, aead, aad, iv,
  121. cpu_to_be64(rcd_sn), &in, &out, &len, prot);
  122. rcd_sn++;
  123. } while (rc == 0 && len);
  124. return rc;
  125. }
  126. /* Can't use icsk->icsk_af_ops->send_check here because the ip addresses
  127. * might have been changed by NAT.
  128. */
  129. static void update_chksum(struct sk_buff *skb, int headln)
  130. {
  131. struct tcphdr *th = tcp_hdr(skb);
  132. int datalen = skb->len - headln;
  133. const struct ipv6hdr *ipv6h;
  134. const struct iphdr *iph;
  135. /* We only changed the payload so if we are using partial we don't
  136. * need to update anything.
  137. */
  138. if (likely(skb->ip_summed == CHECKSUM_PARTIAL))
  139. return;
  140. skb->ip_summed = CHECKSUM_PARTIAL;
  141. skb->csum_start = skb_transport_header(skb) - skb->head;
  142. skb->csum_offset = offsetof(struct tcphdr, check);
  143. if (skb->sk->sk_family == AF_INET6) {
  144. ipv6h = ipv6_hdr(skb);
  145. th->check = ~csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr,
  146. datalen, IPPROTO_TCP, 0);
  147. } else {
  148. iph = ip_hdr(skb);
  149. th->check = ~csum_tcpudp_magic(iph->saddr, iph->daddr, datalen,
  150. IPPROTO_TCP, 0);
  151. }
  152. }
  153. static void complete_skb(struct sk_buff *nskb, struct sk_buff *skb, int headln)
  154. {
  155. struct sock *sk = skb->sk;
  156. int delta;
  157. skb_copy_header(nskb, skb);
  158. skb_put(nskb, skb->len);
  159. memcpy(nskb->data, skb->data, headln);
  160. nskb->destructor = skb->destructor;
  161. nskb->sk = sk;
  162. skb->destructor = NULL;
  163. skb->sk = NULL;
  164. update_chksum(nskb, headln);
  165. /* sock_efree means skb must gone through skb_orphan_partial() */
  166. if (nskb->destructor == sock_efree)
  167. return;
  168. delta = nskb->truesize - skb->truesize;
  169. if (likely(delta < 0))
  170. WARN_ON_ONCE(refcount_sub_and_test(-delta, &sk->sk_wmem_alloc));
  171. else if (delta)
  172. refcount_add(delta, &sk->sk_wmem_alloc);
  173. }
  174. /* This function may be called after the user socket is already
  175. * closed so make sure we don't use anything freed during
  176. * tls_sk_proto_close here
  177. */
  178. static int fill_sg_in(struct scatterlist *sg_in,
  179. struct sk_buff *skb,
  180. struct tls_offload_context_tx *ctx,
  181. u64 *rcd_sn,
  182. s32 *sync_size,
  183. int *resync_sgs)
  184. {
  185. int tcp_payload_offset = skb_tcp_all_headers(skb);
  186. int payload_len = skb->len - tcp_payload_offset;
  187. u32 tcp_seq = ntohl(tcp_hdr(skb)->seq);
  188. struct tls_record_info *record;
  189. unsigned long flags;
  190. int remaining;
  191. int i;
  192. spin_lock_irqsave(&ctx->lock, flags);
  193. record = tls_get_record(ctx, tcp_seq, rcd_sn);
  194. if (!record) {
  195. spin_unlock_irqrestore(&ctx->lock, flags);
  196. return -EINVAL;
  197. }
  198. *sync_size = tcp_seq - tls_record_start_seq(record);
  199. if (*sync_size < 0) {
  200. int is_start_marker = tls_record_is_start_marker(record);
  201. spin_unlock_irqrestore(&ctx->lock, flags);
  202. /* This should only occur if the relevant record was
  203. * already acked. In that case it should be ok
  204. * to drop the packet and avoid retransmission.
  205. *
  206. * There is a corner case where the packet contains
  207. * both an acked and a non-acked record.
  208. * We currently don't handle that case and rely
  209. * on TCP to retransmit a packet that doesn't contain
  210. * already acked payload.
  211. */
  212. if (!is_start_marker)
  213. *sync_size = 0;
  214. return -EINVAL;
  215. }
  216. remaining = *sync_size;
  217. for (i = 0; remaining > 0; i++) {
  218. skb_frag_t *frag = &record->frags[i];
  219. __skb_frag_ref(frag);
  220. sg_set_page(sg_in + i, skb_frag_page(frag),
  221. skb_frag_size(frag), skb_frag_off(frag));
  222. remaining -= skb_frag_size(frag);
  223. if (remaining < 0)
  224. sg_in[i].length += remaining;
  225. }
  226. *resync_sgs = i;
  227. spin_unlock_irqrestore(&ctx->lock, flags);
  228. if (skb_to_sgvec(skb, &sg_in[i], tcp_payload_offset, payload_len) < 0)
  229. return -EINVAL;
  230. return 0;
  231. }
  232. static void fill_sg_out(struct scatterlist sg_out[3], void *buf,
  233. struct tls_context *tls_ctx,
  234. struct sk_buff *nskb,
  235. int tcp_payload_offset,
  236. int payload_len,
  237. int sync_size,
  238. void *dummy_buf)
  239. {
  240. const struct tls_cipher_desc *cipher_desc =
  241. get_cipher_desc(tls_ctx->crypto_send.info.cipher_type);
  242. sg_set_buf(&sg_out[0], dummy_buf, sync_size);
  243. sg_set_buf(&sg_out[1], nskb->data + tcp_payload_offset, payload_len);
  244. /* Add room for authentication tag produced by crypto */
  245. dummy_buf += sync_size;
  246. sg_set_buf(&sg_out[2], dummy_buf, cipher_desc->tag);
  247. }
  248. static struct sk_buff *tls_enc_skb(struct tls_context *tls_ctx,
  249. struct scatterlist sg_out[3],
  250. struct scatterlist *sg_in,
  251. struct sk_buff *skb,
  252. s32 sync_size, u64 rcd_sn)
  253. {
  254. struct tls_offload_context_tx *ctx = tls_offload_ctx_tx(tls_ctx);
  255. int tcp_payload_offset = skb_tcp_all_headers(skb);
  256. int payload_len = skb->len - tcp_payload_offset;
  257. const struct tls_cipher_desc *cipher_desc;
  258. void *buf, *iv, *aad, *dummy_buf, *salt;
  259. struct aead_request *aead_req;
  260. struct sk_buff *nskb = NULL;
  261. int buf_len;
  262. aead_req = tls_alloc_aead_request(ctx->aead_send, GFP_ATOMIC);
  263. if (!aead_req)
  264. return NULL;
  265. cipher_desc = get_cipher_desc(tls_ctx->crypto_send.info.cipher_type);
  266. DEBUG_NET_WARN_ON_ONCE(!cipher_desc || !cipher_desc->offloadable);
  267. buf_len = cipher_desc->salt + cipher_desc->iv + TLS_AAD_SPACE_SIZE +
  268. sync_size + cipher_desc->tag;
  269. buf = kmalloc(buf_len, GFP_ATOMIC);
  270. if (!buf)
  271. goto free_req;
  272. iv = buf;
  273. salt = crypto_info_salt(&tls_ctx->crypto_send.info, cipher_desc);
  274. memcpy(iv, salt, cipher_desc->salt);
  275. aad = buf + cipher_desc->salt + cipher_desc->iv;
  276. dummy_buf = aad + TLS_AAD_SPACE_SIZE;
  277. nskb = alloc_skb(skb_headroom(skb) + skb->len, GFP_ATOMIC);
  278. if (!nskb)
  279. goto free_buf;
  280. skb_reserve(nskb, skb_headroom(skb));
  281. fill_sg_out(sg_out, buf, tls_ctx, nskb, tcp_payload_offset,
  282. payload_len, sync_size, dummy_buf);
  283. if (tls_enc_records(aead_req, ctx->aead_send, sg_in, sg_out, aad, iv,
  284. rcd_sn, sync_size + payload_len,
  285. &tls_ctx->prot_info) < 0)
  286. goto free_nskb;
  287. complete_skb(nskb, skb, tcp_payload_offset);
  288. /* validate_xmit_skb_list assumes that if the skb wasn't segmented
  289. * nskb->prev will point to the skb itself
  290. */
  291. nskb->prev = nskb;
  292. free_buf:
  293. kfree(buf);
  294. free_req:
  295. kfree(aead_req);
  296. return nskb;
  297. free_nskb:
  298. kfree_skb(nskb);
  299. nskb = NULL;
  300. goto free_buf;
  301. }
  302. static struct sk_buff *tls_sw_fallback(struct sock *sk, struct sk_buff *skb)
  303. {
  304. int tcp_payload_offset = skb_tcp_all_headers(skb);
  305. struct tls_context *tls_ctx = tls_get_ctx(sk);
  306. struct tls_offload_context_tx *ctx = tls_offload_ctx_tx(tls_ctx);
  307. int payload_len = skb->len - tcp_payload_offset;
  308. struct scatterlist *sg_in, sg_out[3];
  309. struct sk_buff *nskb = NULL;
  310. int sg_in_max_elements;
  311. int resync_sgs = 0;
  312. s32 sync_size = 0;
  313. u64 rcd_sn;
  314. /* worst case is:
  315. * MAX_SKB_FRAGS in tls_record_info
  316. * MAX_SKB_FRAGS + 1 in SKB head and frags.
  317. */
  318. sg_in_max_elements = 2 * MAX_SKB_FRAGS + 1;
  319. if (!payload_len)
  320. return skb;
  321. sg_in = kmalloc_objs(*sg_in, sg_in_max_elements, GFP_ATOMIC);
  322. if (!sg_in)
  323. goto free_orig;
  324. sg_init_table(sg_in, sg_in_max_elements);
  325. sg_init_table(sg_out, ARRAY_SIZE(sg_out));
  326. if (fill_sg_in(sg_in, skb, ctx, &rcd_sn, &sync_size, &resync_sgs)) {
  327. /* bypass packets before kernel TLS socket option was set */
  328. if (sync_size < 0 && payload_len <= -sync_size)
  329. nskb = skb_get(skb);
  330. goto put_sg;
  331. }
  332. nskb = tls_enc_skb(tls_ctx, sg_out, sg_in, skb, sync_size, rcd_sn);
  333. put_sg:
  334. while (resync_sgs)
  335. put_page(sg_page(&sg_in[--resync_sgs]));
  336. kfree(sg_in);
  337. free_orig:
  338. if (nskb)
  339. consume_skb(skb);
  340. else
  341. kfree_skb(skb);
  342. return nskb;
  343. }
  344. struct sk_buff *tls_validate_xmit_skb(struct sock *sk,
  345. struct net_device *dev,
  346. struct sk_buff *skb)
  347. {
  348. if (dev == rcu_dereference_bh(tls_get_ctx(sk)->netdev) ||
  349. netif_is_bond_master(dev))
  350. return skb;
  351. return tls_sw_fallback(sk, skb);
  352. }
  353. EXPORT_SYMBOL_GPL(tls_validate_xmit_skb);
  354. struct sk_buff *tls_validate_xmit_skb_sw(struct sock *sk,
  355. struct net_device *dev,
  356. struct sk_buff *skb)
  357. {
  358. return tls_sw_fallback(sk, skb);
  359. }
  360. struct sk_buff *tls_encrypt_skb(struct sk_buff *skb)
  361. {
  362. return tls_sw_fallback(skb->sk, skb);
  363. }
  364. EXPORT_SYMBOL_GPL(tls_encrypt_skb);
  365. int tls_sw_fallback_init(struct sock *sk,
  366. struct tls_offload_context_tx *offload_ctx,
  367. struct tls_crypto_info *crypto_info)
  368. {
  369. const struct tls_cipher_desc *cipher_desc;
  370. int rc;
  371. cipher_desc = get_cipher_desc(crypto_info->cipher_type);
  372. if (!cipher_desc || !cipher_desc->offloadable)
  373. return -EINVAL;
  374. offload_ctx->aead_send =
  375. crypto_alloc_aead(cipher_desc->cipher_name, 0, CRYPTO_ALG_ASYNC);
  376. if (IS_ERR(offload_ctx->aead_send)) {
  377. rc = PTR_ERR(offload_ctx->aead_send);
  378. pr_err_ratelimited("crypto_alloc_aead failed rc=%d\n", rc);
  379. offload_ctx->aead_send = NULL;
  380. goto err_out;
  381. }
  382. rc = crypto_aead_setkey(offload_ctx->aead_send,
  383. crypto_info_key(crypto_info, cipher_desc),
  384. cipher_desc->key);
  385. if (rc)
  386. goto free_aead;
  387. rc = crypto_aead_setauthsize(offload_ctx->aead_send, cipher_desc->tag);
  388. if (rc)
  389. goto free_aead;
  390. return 0;
  391. free_aead:
  392. crypto_free_aead(offload_ctx->aead_send);
  393. err_out:
  394. return rc;
  395. }