tls_sw.c 72 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920
  1. /*
  2. * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
  3. * Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved.
  4. * Copyright (c) 2016-2017, Lance Chao <lancerchao@fb.com>. All rights reserved.
  5. * Copyright (c) 2016, Fridolin Pokorny <fridolin.pokorny@gmail.com>. All rights reserved.
  6. * Copyright (c) 2016, Nikos Mavrogiannopoulos <nmav@gnutls.org>. All rights reserved.
  7. * Copyright (c) 2018, Covalent IO, Inc. http://covalent.io
  8. *
  9. * This software is available to you under a choice of one of two
  10. * licenses. You may choose to be licensed under the terms of the GNU
  11. * General Public License (GPL) Version 2, available from the file
  12. * COPYING in the main directory of this source tree, or the
  13. * OpenIB.org BSD license below:
  14. *
  15. * Redistribution and use in source and binary forms, with or
  16. * without modification, are permitted provided that the following
  17. * conditions are met:
  18. *
  19. * - Redistributions of source code must retain the above
  20. * copyright notice, this list of conditions and the following
  21. * disclaimer.
  22. *
  23. * - Redistributions in binary form must reproduce the above
  24. * copyright notice, this list of conditions and the following
  25. * disclaimer in the documentation and/or other materials
  26. * provided with the distribution.
  27. *
  28. * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  29. * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  30. * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  31. * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
  32. * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
  33. * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  34. * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  35. * SOFTWARE.
  36. */
  37. #include <linux/bug.h>
  38. #include <linux/sched/signal.h>
  39. #include <linux/module.h>
  40. #include <linux/kernel.h>
  41. #include <linux/splice.h>
  42. #include <crypto/aead.h>
  43. #include <net/strparser.h>
  44. #include <net/tls.h>
  45. #include <trace/events/sock.h>
  46. #include "tls.h"
  47. struct tls_decrypt_arg {
  48. struct_group(inargs,
  49. bool zc;
  50. bool async;
  51. bool async_done;
  52. u8 tail;
  53. );
  54. struct sk_buff *skb;
  55. };
  56. struct tls_decrypt_ctx {
  57. struct sock *sk;
  58. u8 iv[TLS_MAX_IV_SIZE];
  59. u8 aad[TLS_MAX_AAD_SIZE];
  60. u8 tail;
  61. bool free_sgout;
  62. struct scatterlist sg[];
  63. };
  64. noinline void tls_err_abort(struct sock *sk, int err)
  65. {
  66. WARN_ON_ONCE(err >= 0);
  67. /* sk->sk_err should contain a positive error code. */
  68. WRITE_ONCE(sk->sk_err, -err);
  69. /* Paired with smp_rmb() in tcp_poll() */
  70. smp_wmb();
  71. sk_error_report(sk);
  72. }
  73. static int __skb_nsg(struct sk_buff *skb, int offset, int len,
  74. unsigned int recursion_level)
  75. {
  76. int start = skb_headlen(skb);
  77. int i, chunk = start - offset;
  78. struct sk_buff *frag_iter;
  79. int elt = 0;
  80. if (unlikely(recursion_level >= 24))
  81. return -EMSGSIZE;
  82. if (chunk > 0) {
  83. if (chunk > len)
  84. chunk = len;
  85. elt++;
  86. len -= chunk;
  87. if (len == 0)
  88. return elt;
  89. offset += chunk;
  90. }
  91. for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
  92. int end;
  93. WARN_ON(start > offset + len);
  94. end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]);
  95. chunk = end - offset;
  96. if (chunk > 0) {
  97. if (chunk > len)
  98. chunk = len;
  99. elt++;
  100. len -= chunk;
  101. if (len == 0)
  102. return elt;
  103. offset += chunk;
  104. }
  105. start = end;
  106. }
  107. if (unlikely(skb_has_frag_list(skb))) {
  108. skb_walk_frags(skb, frag_iter) {
  109. int end, ret;
  110. WARN_ON(start > offset + len);
  111. end = start + frag_iter->len;
  112. chunk = end - offset;
  113. if (chunk > 0) {
  114. if (chunk > len)
  115. chunk = len;
  116. ret = __skb_nsg(frag_iter, offset - start, chunk,
  117. recursion_level + 1);
  118. if (unlikely(ret < 0))
  119. return ret;
  120. elt += ret;
  121. len -= chunk;
  122. if (len == 0)
  123. return elt;
  124. offset += chunk;
  125. }
  126. start = end;
  127. }
  128. }
  129. BUG_ON(len);
  130. return elt;
  131. }
  132. /* Return the number of scatterlist elements required to completely map the
  133. * skb, or -EMSGSIZE if the recursion depth is exceeded.
  134. */
  135. static int skb_nsg(struct sk_buff *skb, int offset, int len)
  136. {
  137. return __skb_nsg(skb, offset, len, 0);
  138. }
  139. static int tls_padding_length(struct tls_prot_info *prot, struct sk_buff *skb,
  140. struct tls_decrypt_arg *darg)
  141. {
  142. struct strp_msg *rxm = strp_msg(skb);
  143. struct tls_msg *tlm = tls_msg(skb);
  144. int sub = 0;
  145. /* Determine zero-padding length */
  146. if (prot->version == TLS_1_3_VERSION) {
  147. int offset = rxm->full_len - TLS_TAG_SIZE - 1;
  148. char content_type = darg->zc ? darg->tail : 0;
  149. int err;
  150. while (content_type == 0) {
  151. if (offset < prot->prepend_size)
  152. return -EBADMSG;
  153. err = skb_copy_bits(skb, rxm->offset + offset,
  154. &content_type, 1);
  155. if (err)
  156. return err;
  157. if (content_type)
  158. break;
  159. sub++;
  160. offset--;
  161. }
  162. tlm->control = content_type;
  163. }
  164. return sub;
  165. }
  166. static void tls_decrypt_done(void *data, int err)
  167. {
  168. struct aead_request *aead_req = data;
  169. struct crypto_aead *aead = crypto_aead_reqtfm(aead_req);
  170. struct scatterlist *sgout = aead_req->dst;
  171. struct tls_sw_context_rx *ctx;
  172. struct tls_decrypt_ctx *dctx;
  173. struct tls_context *tls_ctx;
  174. struct scatterlist *sg;
  175. unsigned int pages;
  176. struct sock *sk;
  177. int aead_size;
  178. /* If requests get too backlogged crypto API returns -EBUSY and calls
  179. * ->complete(-EINPROGRESS) immediately followed by ->complete(0)
  180. * to make waiting for backlog to flush with crypto_wait_req() easier.
  181. * First wait converts -EBUSY -> -EINPROGRESS, and the second one
  182. * -EINPROGRESS -> 0.
  183. * We have a single struct crypto_async_request per direction, this
  184. * scheme doesn't help us, so just ignore the first ->complete().
  185. */
  186. if (err == -EINPROGRESS)
  187. return;
  188. aead_size = sizeof(*aead_req) + crypto_aead_reqsize(aead);
  189. aead_size = ALIGN(aead_size, __alignof__(*dctx));
  190. dctx = (void *)((u8 *)aead_req + aead_size);
  191. sk = dctx->sk;
  192. tls_ctx = tls_get_ctx(sk);
  193. ctx = tls_sw_ctx_rx(tls_ctx);
  194. /* Propagate if there was an err */
  195. if (err) {
  196. if (err == -EBADMSG)
  197. TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTERROR);
  198. ctx->async_wait.err = err;
  199. tls_err_abort(sk, err);
  200. }
  201. /* Free the destination pages if skb was not decrypted inplace */
  202. if (dctx->free_sgout) {
  203. /* Skip the first S/G entry as it points to AAD */
  204. for_each_sg(sg_next(sgout), sg, UINT_MAX, pages) {
  205. if (!sg)
  206. break;
  207. put_page(sg_page(sg));
  208. }
  209. }
  210. kfree(aead_req);
  211. if (atomic_dec_and_test(&ctx->decrypt_pending))
  212. complete(&ctx->async_wait.completion);
  213. }
  214. static int tls_decrypt_async_wait(struct tls_sw_context_rx *ctx)
  215. {
  216. if (!atomic_dec_and_test(&ctx->decrypt_pending))
  217. crypto_wait_req(-EINPROGRESS, &ctx->async_wait);
  218. atomic_inc(&ctx->decrypt_pending);
  219. __skb_queue_purge(&ctx->async_hold);
  220. return ctx->async_wait.err;
  221. }
  222. static int tls_do_decryption(struct sock *sk,
  223. struct scatterlist *sgin,
  224. struct scatterlist *sgout,
  225. char *iv_recv,
  226. size_t data_len,
  227. struct aead_request *aead_req,
  228. struct tls_decrypt_arg *darg)
  229. {
  230. struct tls_context *tls_ctx = tls_get_ctx(sk);
  231. struct tls_prot_info *prot = &tls_ctx->prot_info;
  232. struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
  233. int ret;
  234. aead_request_set_tfm(aead_req, ctx->aead_recv);
  235. aead_request_set_ad(aead_req, prot->aad_size);
  236. aead_request_set_crypt(aead_req, sgin, sgout,
  237. data_len + prot->tag_size,
  238. (u8 *)iv_recv);
  239. if (darg->async) {
  240. aead_request_set_callback(aead_req,
  241. CRYPTO_TFM_REQ_MAY_BACKLOG,
  242. tls_decrypt_done, aead_req);
  243. DEBUG_NET_WARN_ON_ONCE(atomic_read(&ctx->decrypt_pending) < 1);
  244. atomic_inc(&ctx->decrypt_pending);
  245. } else {
  246. DECLARE_CRYPTO_WAIT(wait);
  247. aead_request_set_callback(aead_req,
  248. CRYPTO_TFM_REQ_MAY_BACKLOG,
  249. crypto_req_done, &wait);
  250. ret = crypto_aead_decrypt(aead_req);
  251. if (ret == -EINPROGRESS || ret == -EBUSY)
  252. ret = crypto_wait_req(ret, &wait);
  253. return ret;
  254. }
  255. ret = crypto_aead_decrypt(aead_req);
  256. if (ret == -EINPROGRESS)
  257. return 0;
  258. if (ret == -EBUSY) {
  259. ret = tls_decrypt_async_wait(ctx);
  260. darg->async_done = true;
  261. /* all completions have run, we're not doing async anymore */
  262. darg->async = false;
  263. return ret;
  264. }
  265. atomic_dec(&ctx->decrypt_pending);
  266. darg->async = false;
  267. return ret;
  268. }
  269. static void tls_trim_both_msgs(struct sock *sk, int target_size)
  270. {
  271. struct tls_context *tls_ctx = tls_get_ctx(sk);
  272. struct tls_prot_info *prot = &tls_ctx->prot_info;
  273. struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
  274. struct tls_rec *rec = ctx->open_rec;
  275. sk_msg_trim(sk, &rec->msg_plaintext, target_size);
  276. if (target_size > 0)
  277. target_size += prot->overhead_size;
  278. sk_msg_trim(sk, &rec->msg_encrypted, target_size);
  279. }
  280. static int tls_alloc_encrypted_msg(struct sock *sk, int len)
  281. {
  282. struct tls_context *tls_ctx = tls_get_ctx(sk);
  283. struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
  284. struct tls_rec *rec = ctx->open_rec;
  285. struct sk_msg *msg_en = &rec->msg_encrypted;
  286. return sk_msg_alloc(sk, msg_en, len, 0);
  287. }
  288. static int tls_clone_plaintext_msg(struct sock *sk, int required)
  289. {
  290. struct tls_context *tls_ctx = tls_get_ctx(sk);
  291. struct tls_prot_info *prot = &tls_ctx->prot_info;
  292. struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
  293. struct tls_rec *rec = ctx->open_rec;
  294. struct sk_msg *msg_pl = &rec->msg_plaintext;
  295. struct sk_msg *msg_en = &rec->msg_encrypted;
  296. int skip, len;
  297. /* We add page references worth len bytes from encrypted sg
  298. * at the end of plaintext sg. It is guaranteed that msg_en
  299. * has enough required room (ensured by caller).
  300. */
  301. len = required - msg_pl->sg.size;
  302. /* Skip initial bytes in msg_en's data to be able to use
  303. * same offset of both plain and encrypted data.
  304. */
  305. skip = prot->prepend_size + msg_pl->sg.size;
  306. return sk_msg_clone(sk, msg_pl, msg_en, skip, len);
  307. }
  308. static struct tls_rec *tls_get_rec(struct sock *sk)
  309. {
  310. struct tls_context *tls_ctx = tls_get_ctx(sk);
  311. struct tls_prot_info *prot = &tls_ctx->prot_info;
  312. struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
  313. struct sk_msg *msg_pl, *msg_en;
  314. struct tls_rec *rec;
  315. int mem_size;
  316. mem_size = sizeof(struct tls_rec) + crypto_aead_reqsize(ctx->aead_send);
  317. rec = kzalloc(mem_size, sk->sk_allocation);
  318. if (!rec)
  319. return NULL;
  320. msg_pl = &rec->msg_plaintext;
  321. msg_en = &rec->msg_encrypted;
  322. sk_msg_init(msg_pl);
  323. sk_msg_init(msg_en);
  324. sg_init_table(rec->sg_aead_in, 2);
  325. sg_set_buf(&rec->sg_aead_in[0], rec->aad_space, prot->aad_size);
  326. sg_unmark_end(&rec->sg_aead_in[1]);
  327. sg_init_table(rec->sg_aead_out, 2);
  328. sg_set_buf(&rec->sg_aead_out[0], rec->aad_space, prot->aad_size);
  329. sg_unmark_end(&rec->sg_aead_out[1]);
  330. rec->sk = sk;
  331. return rec;
  332. }
  333. static void tls_free_rec(struct sock *sk, struct tls_rec *rec)
  334. {
  335. sk_msg_free(sk, &rec->msg_encrypted);
  336. sk_msg_free(sk, &rec->msg_plaintext);
  337. kfree(rec);
  338. }
  339. static void tls_free_open_rec(struct sock *sk)
  340. {
  341. struct tls_context *tls_ctx = tls_get_ctx(sk);
  342. struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
  343. struct tls_rec *rec = ctx->open_rec;
  344. if (rec) {
  345. tls_free_rec(sk, rec);
  346. ctx->open_rec = NULL;
  347. }
  348. }
  349. int tls_tx_records(struct sock *sk, int flags)
  350. {
  351. struct tls_context *tls_ctx = tls_get_ctx(sk);
  352. struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
  353. struct tls_rec *rec, *tmp;
  354. struct sk_msg *msg_en;
  355. int tx_flags, rc = 0;
  356. if (tls_is_partially_sent_record(tls_ctx)) {
  357. rec = list_first_entry(&ctx->tx_list,
  358. struct tls_rec, list);
  359. if (flags == -1)
  360. tx_flags = rec->tx_flags;
  361. else
  362. tx_flags = flags;
  363. rc = tls_push_partial_record(sk, tls_ctx, tx_flags);
  364. if (rc)
  365. goto tx_err;
  366. /* Full record has been transmitted.
  367. * Remove the head of tx_list
  368. */
  369. list_del(&rec->list);
  370. sk_msg_free(sk, &rec->msg_plaintext);
  371. kfree(rec);
  372. }
  373. /* Tx all ready records */
  374. list_for_each_entry_safe(rec, tmp, &ctx->tx_list, list) {
  375. if (READ_ONCE(rec->tx_ready)) {
  376. if (flags == -1)
  377. tx_flags = rec->tx_flags;
  378. else
  379. tx_flags = flags;
  380. msg_en = &rec->msg_encrypted;
  381. rc = tls_push_sg(sk, tls_ctx,
  382. &msg_en->sg.data[msg_en->sg.curr],
  383. 0, tx_flags);
  384. if (rc)
  385. goto tx_err;
  386. list_del(&rec->list);
  387. sk_msg_free(sk, &rec->msg_plaintext);
  388. kfree(rec);
  389. } else {
  390. break;
  391. }
  392. }
  393. tx_err:
  394. if (rc < 0 && rc != -EAGAIN)
  395. tls_err_abort(sk, rc);
  396. return rc;
  397. }
  398. static void tls_encrypt_done(void *data, int err)
  399. {
  400. struct tls_sw_context_tx *ctx;
  401. struct tls_context *tls_ctx;
  402. struct tls_prot_info *prot;
  403. struct tls_rec *rec = data;
  404. struct scatterlist *sge;
  405. struct sk_msg *msg_en;
  406. struct sock *sk;
  407. if (err == -EINPROGRESS) /* see the comment in tls_decrypt_done() */
  408. return;
  409. msg_en = &rec->msg_encrypted;
  410. sk = rec->sk;
  411. tls_ctx = tls_get_ctx(sk);
  412. prot = &tls_ctx->prot_info;
  413. ctx = tls_sw_ctx_tx(tls_ctx);
  414. sge = sk_msg_elem(msg_en, msg_en->sg.curr);
  415. sge->offset -= prot->prepend_size;
  416. sge->length += prot->prepend_size;
  417. /* Check if error is previously set on socket */
  418. if (err || sk->sk_err) {
  419. rec = NULL;
  420. /* If err is already set on socket, return the same code */
  421. if (sk->sk_err) {
  422. ctx->async_wait.err = -sk->sk_err;
  423. } else {
  424. ctx->async_wait.err = err;
  425. tls_err_abort(sk, err);
  426. }
  427. }
  428. if (rec) {
  429. struct tls_rec *first_rec;
  430. /* Mark the record as ready for transmission */
  431. smp_store_mb(rec->tx_ready, true);
  432. /* If received record is at head of tx_list, schedule tx */
  433. first_rec = list_first_entry(&ctx->tx_list,
  434. struct tls_rec, list);
  435. if (rec == first_rec) {
  436. /* Schedule the transmission */
  437. if (!test_and_set_bit(BIT_TX_SCHEDULED,
  438. &ctx->tx_bitmask))
  439. schedule_delayed_work(&ctx->tx_work.work, 1);
  440. }
  441. }
  442. if (atomic_dec_and_test(&ctx->encrypt_pending))
  443. complete(&ctx->async_wait.completion);
  444. }
  445. static int tls_encrypt_async_wait(struct tls_sw_context_tx *ctx)
  446. {
  447. if (!atomic_dec_and_test(&ctx->encrypt_pending))
  448. crypto_wait_req(-EINPROGRESS, &ctx->async_wait);
  449. atomic_inc(&ctx->encrypt_pending);
  450. return ctx->async_wait.err;
  451. }
  452. static int tls_do_encryption(struct sock *sk,
  453. struct tls_context *tls_ctx,
  454. struct tls_sw_context_tx *ctx,
  455. struct aead_request *aead_req,
  456. size_t data_len, u32 start)
  457. {
  458. struct tls_prot_info *prot = &tls_ctx->prot_info;
  459. struct tls_rec *rec = ctx->open_rec;
  460. struct sk_msg *msg_en = &rec->msg_encrypted;
  461. struct scatterlist *sge = sk_msg_elem(msg_en, start);
  462. int rc, iv_offset = 0;
  463. /* For CCM based ciphers, first byte of IV is a constant */
  464. switch (prot->cipher_type) {
  465. case TLS_CIPHER_AES_CCM_128:
  466. rec->iv_data[0] = TLS_AES_CCM_IV_B0_BYTE;
  467. iv_offset = 1;
  468. break;
  469. case TLS_CIPHER_SM4_CCM:
  470. rec->iv_data[0] = TLS_SM4_CCM_IV_B0_BYTE;
  471. iv_offset = 1;
  472. break;
  473. }
  474. memcpy(&rec->iv_data[iv_offset], tls_ctx->tx.iv,
  475. prot->iv_size + prot->salt_size);
  476. tls_xor_iv_with_seq(prot, rec->iv_data + iv_offset,
  477. tls_ctx->tx.rec_seq);
  478. sge->offset += prot->prepend_size;
  479. sge->length -= prot->prepend_size;
  480. msg_en->sg.curr = start;
  481. aead_request_set_tfm(aead_req, ctx->aead_send);
  482. aead_request_set_ad(aead_req, prot->aad_size);
  483. aead_request_set_crypt(aead_req, rec->sg_aead_in,
  484. rec->sg_aead_out,
  485. data_len, rec->iv_data);
  486. aead_request_set_callback(aead_req, CRYPTO_TFM_REQ_MAY_BACKLOG,
  487. tls_encrypt_done, rec);
  488. /* Add the record in tx_list */
  489. list_add_tail((struct list_head *)&rec->list, &ctx->tx_list);
  490. DEBUG_NET_WARN_ON_ONCE(atomic_read(&ctx->encrypt_pending) < 1);
  491. atomic_inc(&ctx->encrypt_pending);
  492. rc = crypto_aead_encrypt(aead_req);
  493. if (rc == -EBUSY) {
  494. rc = tls_encrypt_async_wait(ctx);
  495. rc = rc ?: -EINPROGRESS;
  496. /*
  497. * The async callback tls_encrypt_done() has already
  498. * decremented encrypt_pending and restored the sge on
  499. * both success and error. Skip the synchronous cleanup
  500. * below on error, just remove the record and return.
  501. */
  502. if (rc != -EINPROGRESS) {
  503. list_del(&rec->list);
  504. return rc;
  505. }
  506. }
  507. if (!rc || rc != -EINPROGRESS) {
  508. atomic_dec(&ctx->encrypt_pending);
  509. sge->offset -= prot->prepend_size;
  510. sge->length += prot->prepend_size;
  511. }
  512. if (!rc) {
  513. WRITE_ONCE(rec->tx_ready, true);
  514. } else if (rc != -EINPROGRESS) {
  515. list_del(&rec->list);
  516. return rc;
  517. }
  518. /* Unhook the record from context if encryption is not failure */
  519. ctx->open_rec = NULL;
  520. tls_advance_record_sn(sk, prot, &tls_ctx->tx);
  521. return rc;
  522. }
  523. static int tls_split_open_record(struct sock *sk, struct tls_rec *from,
  524. struct tls_rec **to, struct sk_msg *msg_opl,
  525. struct sk_msg *msg_oen, u32 split_point,
  526. u32 tx_overhead_size, u32 *orig_end)
  527. {
  528. u32 i, j, bytes = 0, apply = msg_opl->apply_bytes;
  529. struct scatterlist *sge, *osge, *nsge;
  530. u32 orig_size = msg_opl->sg.size;
  531. struct scatterlist tmp = { };
  532. struct sk_msg *msg_npl;
  533. struct tls_rec *new;
  534. int ret;
  535. new = tls_get_rec(sk);
  536. if (!new)
  537. return -ENOMEM;
  538. ret = sk_msg_alloc(sk, &new->msg_encrypted, msg_opl->sg.size +
  539. tx_overhead_size, 0);
  540. if (ret < 0) {
  541. tls_free_rec(sk, new);
  542. return ret;
  543. }
  544. *orig_end = msg_opl->sg.end;
  545. i = msg_opl->sg.start;
  546. sge = sk_msg_elem(msg_opl, i);
  547. while (apply && sge->length) {
  548. if (sge->length > apply) {
  549. u32 len = sge->length - apply;
  550. get_page(sg_page(sge));
  551. sg_set_page(&tmp, sg_page(sge), len,
  552. sge->offset + apply);
  553. sge->length = apply;
  554. bytes += apply;
  555. apply = 0;
  556. } else {
  557. apply -= sge->length;
  558. bytes += sge->length;
  559. }
  560. sk_msg_iter_var_next(i);
  561. if (i == msg_opl->sg.end)
  562. break;
  563. sge = sk_msg_elem(msg_opl, i);
  564. }
  565. msg_opl->sg.end = i;
  566. msg_opl->sg.curr = i;
  567. msg_opl->sg.copybreak = 0;
  568. msg_opl->apply_bytes = 0;
  569. msg_opl->sg.size = bytes;
  570. msg_npl = &new->msg_plaintext;
  571. msg_npl->apply_bytes = apply;
  572. msg_npl->sg.size = orig_size - bytes;
  573. j = msg_npl->sg.start;
  574. nsge = sk_msg_elem(msg_npl, j);
  575. if (tmp.length) {
  576. memcpy(nsge, &tmp, sizeof(*nsge));
  577. sk_msg_iter_var_next(j);
  578. nsge = sk_msg_elem(msg_npl, j);
  579. }
  580. osge = sk_msg_elem(msg_opl, i);
  581. while (osge->length) {
  582. memcpy(nsge, osge, sizeof(*nsge));
  583. sg_unmark_end(nsge);
  584. sk_msg_iter_var_next(i);
  585. sk_msg_iter_var_next(j);
  586. if (i == *orig_end)
  587. break;
  588. osge = sk_msg_elem(msg_opl, i);
  589. nsge = sk_msg_elem(msg_npl, j);
  590. }
  591. msg_npl->sg.end = j;
  592. msg_npl->sg.curr = j;
  593. msg_npl->sg.copybreak = 0;
  594. *to = new;
  595. return 0;
  596. }
  597. static void tls_merge_open_record(struct sock *sk, struct tls_rec *to,
  598. struct tls_rec *from, u32 orig_end)
  599. {
  600. struct sk_msg *msg_npl = &from->msg_plaintext;
  601. struct sk_msg *msg_opl = &to->msg_plaintext;
  602. struct scatterlist *osge, *nsge;
  603. u32 i, j;
  604. i = msg_opl->sg.end;
  605. sk_msg_iter_var_prev(i);
  606. j = msg_npl->sg.start;
  607. osge = sk_msg_elem(msg_opl, i);
  608. nsge = sk_msg_elem(msg_npl, j);
  609. if (sg_page(osge) == sg_page(nsge) &&
  610. osge->offset + osge->length == nsge->offset) {
  611. osge->length += nsge->length;
  612. put_page(sg_page(nsge));
  613. }
  614. msg_opl->sg.end = orig_end;
  615. msg_opl->sg.curr = orig_end;
  616. msg_opl->sg.copybreak = 0;
  617. msg_opl->apply_bytes = msg_opl->sg.size + msg_npl->sg.size;
  618. msg_opl->sg.size += msg_npl->sg.size;
  619. sk_msg_free(sk, &to->msg_encrypted);
  620. sk_msg_xfer_full(&to->msg_encrypted, &from->msg_encrypted);
  621. kfree(from);
  622. }
  623. static int tls_push_record(struct sock *sk, int flags,
  624. unsigned char record_type)
  625. {
  626. struct tls_context *tls_ctx = tls_get_ctx(sk);
  627. struct tls_prot_info *prot = &tls_ctx->prot_info;
  628. struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
  629. struct tls_rec *rec = ctx->open_rec, *tmp = NULL;
  630. u32 i, split_point, orig_end;
  631. struct sk_msg *msg_pl, *msg_en;
  632. struct aead_request *req;
  633. bool split;
  634. int rc;
  635. if (!rec)
  636. return 0;
  637. msg_pl = &rec->msg_plaintext;
  638. msg_en = &rec->msg_encrypted;
  639. split_point = msg_pl->apply_bytes;
  640. split = split_point && split_point < msg_pl->sg.size;
  641. if (unlikely((!split &&
  642. msg_pl->sg.size +
  643. prot->overhead_size > msg_en->sg.size) ||
  644. (split &&
  645. split_point +
  646. prot->overhead_size > msg_en->sg.size))) {
  647. split = true;
  648. split_point = msg_en->sg.size;
  649. }
  650. if (split) {
  651. rc = tls_split_open_record(sk, rec, &tmp, msg_pl, msg_en,
  652. split_point, prot->overhead_size,
  653. &orig_end);
  654. if (rc < 0)
  655. return rc;
  656. /* This can happen if above tls_split_open_record allocates
  657. * a single large encryption buffer instead of two smaller
  658. * ones. In this case adjust pointers and continue without
  659. * split.
  660. */
  661. if (!msg_pl->sg.size) {
  662. tls_merge_open_record(sk, rec, tmp, orig_end);
  663. msg_pl = &rec->msg_plaintext;
  664. msg_en = &rec->msg_encrypted;
  665. split = false;
  666. }
  667. sk_msg_trim(sk, msg_en, msg_pl->sg.size +
  668. prot->overhead_size);
  669. }
  670. rec->tx_flags = flags;
  671. req = &rec->aead_req;
  672. i = msg_pl->sg.end;
  673. sk_msg_iter_var_prev(i);
  674. rec->content_type = record_type;
  675. if (prot->version == TLS_1_3_VERSION) {
  676. /* Add content type to end of message. No padding added */
  677. sg_set_buf(&rec->sg_content_type, &rec->content_type, 1);
  678. sg_mark_end(&rec->sg_content_type);
  679. sg_chain(msg_pl->sg.data, msg_pl->sg.end + 1,
  680. &rec->sg_content_type);
  681. } else {
  682. sg_mark_end(sk_msg_elem(msg_pl, i));
  683. }
  684. if (msg_pl->sg.end < msg_pl->sg.start) {
  685. sg_chain(&msg_pl->sg.data[msg_pl->sg.start],
  686. MAX_SKB_FRAGS - msg_pl->sg.start + 1,
  687. msg_pl->sg.data);
  688. }
  689. i = msg_pl->sg.start;
  690. sg_chain(rec->sg_aead_in, 2, &msg_pl->sg.data[i]);
  691. i = msg_en->sg.end;
  692. sk_msg_iter_var_prev(i);
  693. sg_mark_end(sk_msg_elem(msg_en, i));
  694. i = msg_en->sg.start;
  695. sg_chain(rec->sg_aead_out, 2, &msg_en->sg.data[i]);
  696. tls_make_aad(rec->aad_space, msg_pl->sg.size + prot->tail_size,
  697. tls_ctx->tx.rec_seq, record_type, prot);
  698. tls_fill_prepend(tls_ctx,
  699. page_address(sg_page(&msg_en->sg.data[i])) +
  700. msg_en->sg.data[i].offset,
  701. msg_pl->sg.size + prot->tail_size,
  702. record_type);
  703. tls_ctx->pending_open_record_frags = false;
  704. rc = tls_do_encryption(sk, tls_ctx, ctx, req,
  705. msg_pl->sg.size + prot->tail_size, i);
  706. if (rc < 0) {
  707. if (rc != -EINPROGRESS) {
  708. tls_err_abort(sk, -EBADMSG);
  709. if (split) {
  710. tls_ctx->pending_open_record_frags = true;
  711. tls_merge_open_record(sk, rec, tmp, orig_end);
  712. }
  713. }
  714. ctx->async_capable = 1;
  715. return rc;
  716. } else if (split) {
  717. msg_pl = &tmp->msg_plaintext;
  718. msg_en = &tmp->msg_encrypted;
  719. sk_msg_trim(sk, msg_en, msg_pl->sg.size + prot->overhead_size);
  720. tls_ctx->pending_open_record_frags = true;
  721. ctx->open_rec = tmp;
  722. }
  723. return tls_tx_records(sk, flags);
  724. }
  725. static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
  726. bool full_record, u8 record_type,
  727. ssize_t *copied, int flags)
  728. {
  729. struct tls_context *tls_ctx = tls_get_ctx(sk);
  730. struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
  731. struct sk_msg msg_redir = { };
  732. struct sk_psock *psock;
  733. struct sock *sk_redir;
  734. struct tls_rec *rec;
  735. bool enospc, policy, redir_ingress;
  736. int err = 0, send;
  737. u32 delta = 0;
  738. policy = !(flags & MSG_SENDPAGE_NOPOLICY);
  739. psock = sk_psock_get(sk);
  740. if (!psock || !policy) {
  741. err = tls_push_record(sk, flags, record_type);
  742. if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) {
  743. *copied -= sk_msg_free(sk, msg);
  744. tls_free_open_rec(sk);
  745. err = -sk->sk_err;
  746. }
  747. if (psock)
  748. sk_psock_put(sk, psock);
  749. return err;
  750. }
  751. more_data:
  752. enospc = sk_msg_full(msg);
  753. if (psock->eval == __SK_NONE) {
  754. delta = msg->sg.size;
  755. psock->eval = sk_psock_msg_verdict(sk, psock, msg);
  756. delta -= msg->sg.size;
  757. if ((s32)delta > 0) {
  758. /* It indicates that we executed bpf_msg_pop_data(),
  759. * causing the plaintext data size to decrease.
  760. * Therefore the encrypted data size also needs to
  761. * correspondingly decrease. We only need to subtract
  762. * delta to calculate the new ciphertext length since
  763. * ktls does not support block encryption.
  764. */
  765. struct sk_msg *enc = &ctx->open_rec->msg_encrypted;
  766. sk_msg_trim(sk, enc, enc->sg.size - delta);
  767. }
  768. }
  769. if (msg->cork_bytes && msg->cork_bytes > msg->sg.size &&
  770. !enospc && !full_record) {
  771. err = -ENOSPC;
  772. goto out_err;
  773. }
  774. msg->cork_bytes = 0;
  775. send = msg->sg.size;
  776. if (msg->apply_bytes && msg->apply_bytes < send)
  777. send = msg->apply_bytes;
  778. switch (psock->eval) {
  779. case __SK_PASS:
  780. err = tls_push_record(sk, flags, record_type);
  781. if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) {
  782. *copied -= sk_msg_free(sk, msg);
  783. tls_free_open_rec(sk);
  784. err = -sk->sk_err;
  785. goto out_err;
  786. }
  787. break;
  788. case __SK_REDIRECT:
  789. redir_ingress = psock->redir_ingress;
  790. sk_redir = psock->sk_redir;
  791. memcpy(&msg_redir, msg, sizeof(*msg));
  792. if (msg->apply_bytes < send)
  793. msg->apply_bytes = 0;
  794. else
  795. msg->apply_bytes -= send;
  796. sk_msg_return_zero(sk, msg, send);
  797. msg->sg.size -= send;
  798. release_sock(sk);
  799. err = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress,
  800. &msg_redir, send, flags);
  801. lock_sock(sk);
  802. if (err < 0) {
  803. /* Regardless of whether the data represented by
  804. * msg_redir is sent successfully, we have already
  805. * uncharged it via sk_msg_return_zero(). The
  806. * msg->sg.size represents the remaining unprocessed
  807. * data, which needs to be uncharged here.
  808. */
  809. sk_mem_uncharge(sk, msg->sg.size);
  810. *copied -= sk_msg_free_nocharge(sk, &msg_redir);
  811. msg->sg.size = 0;
  812. }
  813. if (msg->sg.size == 0)
  814. tls_free_open_rec(sk);
  815. break;
  816. case __SK_DROP:
  817. default:
  818. sk_msg_free_partial(sk, msg, send);
  819. if (msg->apply_bytes < send)
  820. msg->apply_bytes = 0;
  821. else
  822. msg->apply_bytes -= send;
  823. if (msg->sg.size == 0)
  824. tls_free_open_rec(sk);
  825. *copied -= (send + delta);
  826. err = -EACCES;
  827. }
  828. if (likely(!err)) {
  829. bool reset_eval = !ctx->open_rec;
  830. rec = ctx->open_rec;
  831. if (rec) {
  832. msg = &rec->msg_plaintext;
  833. if (!msg->apply_bytes)
  834. reset_eval = true;
  835. }
  836. if (reset_eval) {
  837. psock->eval = __SK_NONE;
  838. if (psock->sk_redir) {
  839. sock_put(psock->sk_redir);
  840. psock->sk_redir = NULL;
  841. }
  842. }
  843. if (rec)
  844. goto more_data;
  845. }
  846. out_err:
  847. sk_psock_put(sk, psock);
  848. return err;
  849. }
  850. static int tls_sw_push_pending_record(struct sock *sk, int flags)
  851. {
  852. struct tls_context *tls_ctx = tls_get_ctx(sk);
  853. struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
  854. struct tls_rec *rec = ctx->open_rec;
  855. struct sk_msg *msg_pl;
  856. size_t copied;
  857. if (!rec)
  858. return 0;
  859. msg_pl = &rec->msg_plaintext;
  860. copied = msg_pl->sg.size;
  861. if (!copied)
  862. return 0;
  863. return bpf_exec_tx_verdict(msg_pl, sk, true, TLS_RECORD_TYPE_DATA,
  864. &copied, flags);
  865. }
  866. static int tls_sw_sendmsg_splice(struct sock *sk, struct msghdr *msg,
  867. struct sk_msg *msg_pl, size_t try_to_copy,
  868. ssize_t *copied)
  869. {
  870. struct page *page = NULL, **pages = &page;
  871. do {
  872. ssize_t part;
  873. size_t off;
  874. part = iov_iter_extract_pages(&msg->msg_iter, &pages,
  875. try_to_copy, 1, 0, &off);
  876. if (part <= 0)
  877. return part ?: -EIO;
  878. if (WARN_ON_ONCE(!sendpage_ok(page))) {
  879. iov_iter_revert(&msg->msg_iter, part);
  880. return -EIO;
  881. }
  882. sk_msg_page_add(msg_pl, page, part, off);
  883. msg_pl->sg.copybreak = 0;
  884. msg_pl->sg.curr = msg_pl->sg.end;
  885. sk_mem_charge(sk, part);
  886. *copied += part;
  887. try_to_copy -= part;
  888. } while (try_to_copy && !sk_msg_full(msg_pl));
  889. return 0;
  890. }
  891. static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg,
  892. size_t size)
  893. {
  894. long timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
  895. struct tls_context *tls_ctx = tls_get_ctx(sk);
  896. struct tls_prot_info *prot = &tls_ctx->prot_info;
  897. struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
  898. bool async_capable = ctx->async_capable;
  899. unsigned char record_type = TLS_RECORD_TYPE_DATA;
  900. bool is_kvec = iov_iter_is_kvec(&msg->msg_iter);
  901. bool eor = !(msg->msg_flags & MSG_MORE);
  902. size_t try_to_copy;
  903. ssize_t copied = 0;
  904. struct sk_msg *msg_pl, *msg_en;
  905. struct tls_rec *rec;
  906. int required_size;
  907. int num_async = 0;
  908. bool full_record;
  909. int record_room;
  910. int num_zc = 0;
  911. int orig_size;
  912. int ret = 0;
  913. if (!eor && (msg->msg_flags & MSG_EOR))
  914. return -EINVAL;
  915. if (unlikely(msg->msg_controllen)) {
  916. ret = tls_process_cmsg(sk, msg, &record_type);
  917. if (ret) {
  918. if (ret == -EINPROGRESS)
  919. num_async++;
  920. else if (ret != -EAGAIN)
  921. goto end;
  922. }
  923. }
  924. while (msg_data_left(msg)) {
  925. if (sk->sk_err) {
  926. ret = -sk->sk_err;
  927. goto send_end;
  928. }
  929. if (ctx->open_rec)
  930. rec = ctx->open_rec;
  931. else
  932. rec = ctx->open_rec = tls_get_rec(sk);
  933. if (!rec) {
  934. ret = -ENOMEM;
  935. goto send_end;
  936. }
  937. msg_pl = &rec->msg_plaintext;
  938. msg_en = &rec->msg_encrypted;
  939. orig_size = msg_pl->sg.size;
  940. full_record = false;
  941. try_to_copy = msg_data_left(msg);
  942. record_room = tls_ctx->tx_max_payload_len - msg_pl->sg.size;
  943. if (try_to_copy >= record_room) {
  944. try_to_copy = record_room;
  945. full_record = true;
  946. }
  947. required_size = msg_pl->sg.size + try_to_copy +
  948. prot->overhead_size;
  949. if (!sk_stream_memory_free(sk))
  950. goto wait_for_sndbuf;
  951. alloc_encrypted:
  952. ret = tls_alloc_encrypted_msg(sk, required_size);
  953. if (ret) {
  954. if (ret != -ENOSPC)
  955. goto wait_for_memory;
  956. /* Adjust try_to_copy according to the amount that was
  957. * actually allocated. The difference is due
  958. * to max sg elements limit
  959. */
  960. try_to_copy -= required_size - msg_en->sg.size;
  961. full_record = true;
  962. }
  963. if (try_to_copy && (msg->msg_flags & MSG_SPLICE_PAGES)) {
  964. ret = tls_sw_sendmsg_splice(sk, msg, msg_pl,
  965. try_to_copy, &copied);
  966. if (ret < 0)
  967. goto send_end;
  968. tls_ctx->pending_open_record_frags = true;
  969. if (sk_msg_full(msg_pl)) {
  970. full_record = true;
  971. sk_msg_trim(sk, msg_en,
  972. msg_pl->sg.size + prot->overhead_size);
  973. }
  974. if (full_record || eor)
  975. goto copied;
  976. continue;
  977. }
  978. if (!is_kvec && (full_record || eor) && !async_capable) {
  979. u32 first = msg_pl->sg.end;
  980. ret = sk_msg_zerocopy_from_iter(sk, &msg->msg_iter,
  981. msg_pl, try_to_copy);
  982. if (ret)
  983. goto fallback_to_reg_send;
  984. num_zc++;
  985. copied += try_to_copy;
  986. sk_msg_sg_copy_set(msg_pl, first);
  987. ret = bpf_exec_tx_verdict(msg_pl, sk, full_record,
  988. record_type, &copied,
  989. msg->msg_flags);
  990. if (ret) {
  991. if (ret == -EINPROGRESS)
  992. num_async++;
  993. else if (ret == -ENOMEM)
  994. goto wait_for_memory;
  995. else if (ctx->open_rec && ret == -ENOSPC) {
  996. if (msg_pl->cork_bytes) {
  997. ret = 0;
  998. goto send_end;
  999. }
  1000. goto rollback_iter;
  1001. } else if (ret != -EAGAIN)
  1002. goto send_end;
  1003. }
  1004. /* Transmit if any encryptions have completed */
  1005. if (test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask)) {
  1006. cancel_delayed_work(&ctx->tx_work.work);
  1007. tls_tx_records(sk, msg->msg_flags);
  1008. }
  1009. continue;
  1010. rollback_iter:
  1011. copied -= try_to_copy;
  1012. sk_msg_sg_copy_clear(msg_pl, first);
  1013. iov_iter_revert(&msg->msg_iter,
  1014. msg_pl->sg.size - orig_size);
  1015. fallback_to_reg_send:
  1016. sk_msg_trim(sk, msg_pl, orig_size);
  1017. }
  1018. required_size = msg_pl->sg.size + try_to_copy;
  1019. ret = tls_clone_plaintext_msg(sk, required_size);
  1020. if (ret) {
  1021. if (ret != -ENOSPC)
  1022. goto send_end;
  1023. /* Adjust try_to_copy according to the amount that was
  1024. * actually allocated. The difference is due
  1025. * to max sg elements limit
  1026. */
  1027. try_to_copy -= required_size - msg_pl->sg.size;
  1028. full_record = true;
  1029. sk_msg_trim(sk, msg_en,
  1030. msg_pl->sg.size + prot->overhead_size);
  1031. }
  1032. if (try_to_copy) {
  1033. ret = sk_msg_memcopy_from_iter(sk, &msg->msg_iter,
  1034. msg_pl, try_to_copy);
  1035. if (ret < 0)
  1036. goto trim_sgl;
  1037. }
  1038. /* Open records defined only if successfully copied, otherwise
  1039. * we would trim the sg but not reset the open record frags.
  1040. */
  1041. tls_ctx->pending_open_record_frags = true;
  1042. copied += try_to_copy;
  1043. copied:
  1044. if (full_record || eor) {
  1045. ret = bpf_exec_tx_verdict(msg_pl, sk, full_record,
  1046. record_type, &copied,
  1047. msg->msg_flags);
  1048. if (ret) {
  1049. if (ret == -EINPROGRESS)
  1050. num_async++;
  1051. else if (ret == -ENOMEM)
  1052. goto wait_for_memory;
  1053. else if (ret != -EAGAIN) {
  1054. if (ret == -ENOSPC)
  1055. ret = 0;
  1056. goto send_end;
  1057. }
  1058. }
  1059. /* Transmit if any encryptions have completed */
  1060. if (test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask)) {
  1061. cancel_delayed_work(&ctx->tx_work.work);
  1062. tls_tx_records(sk, msg->msg_flags);
  1063. }
  1064. }
  1065. continue;
  1066. wait_for_sndbuf:
  1067. set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
  1068. wait_for_memory:
  1069. ret = sk_stream_wait_memory(sk, &timeo);
  1070. if (ret) {
  1071. trim_sgl:
  1072. if (ctx->open_rec)
  1073. tls_trim_both_msgs(sk, orig_size);
  1074. goto send_end;
  1075. }
  1076. if (ctx->open_rec && msg_en->sg.size < required_size)
  1077. goto alloc_encrypted;
  1078. }
  1079. send_end:
  1080. if (!num_async) {
  1081. goto end;
  1082. } else if (num_zc || eor) {
  1083. int err;
  1084. /* Wait for pending encryptions to get completed */
  1085. err = tls_encrypt_async_wait(ctx);
  1086. if (err) {
  1087. ret = err;
  1088. copied = 0;
  1089. }
  1090. }
  1091. /* Transmit if any encryptions have completed */
  1092. if (test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask)) {
  1093. cancel_delayed_work(&ctx->tx_work.work);
  1094. tls_tx_records(sk, msg->msg_flags);
  1095. }
  1096. end:
  1097. ret = sk_stream_error(sk, msg->msg_flags, ret);
  1098. return copied > 0 ? copied : ret;
  1099. }
  1100. int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
  1101. {
  1102. struct tls_context *tls_ctx = tls_get_ctx(sk);
  1103. int ret;
  1104. if (msg->msg_flags & ~(MSG_MORE | MSG_DONTWAIT | MSG_NOSIGNAL |
  1105. MSG_CMSG_COMPAT | MSG_SPLICE_PAGES | MSG_EOR |
  1106. MSG_SENDPAGE_NOPOLICY))
  1107. return -EOPNOTSUPP;
  1108. ret = mutex_lock_interruptible(&tls_ctx->tx_lock);
  1109. if (ret)
  1110. return ret;
  1111. lock_sock(sk);
  1112. ret = tls_sw_sendmsg_locked(sk, msg, size);
  1113. release_sock(sk);
  1114. mutex_unlock(&tls_ctx->tx_lock);
  1115. return ret;
  1116. }
  1117. /*
  1118. * Handle unexpected EOF during splice without SPLICE_F_MORE set.
  1119. */
  1120. void tls_sw_splice_eof(struct socket *sock)
  1121. {
  1122. struct sock *sk = sock->sk;
  1123. struct tls_context *tls_ctx = tls_get_ctx(sk);
  1124. struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
  1125. struct tls_rec *rec;
  1126. struct sk_msg *msg_pl;
  1127. ssize_t copied = 0;
  1128. bool retrying = false;
  1129. int ret = 0;
  1130. if (!ctx->open_rec)
  1131. return;
  1132. mutex_lock(&tls_ctx->tx_lock);
  1133. lock_sock(sk);
  1134. retry:
  1135. /* same checks as in tls_sw_push_pending_record() */
  1136. rec = ctx->open_rec;
  1137. if (!rec)
  1138. goto unlock;
  1139. msg_pl = &rec->msg_plaintext;
  1140. if (msg_pl->sg.size == 0)
  1141. goto unlock;
  1142. /* Check the BPF advisor and perform transmission. */
  1143. ret = bpf_exec_tx_verdict(msg_pl, sk, false, TLS_RECORD_TYPE_DATA,
  1144. &copied, 0);
  1145. switch (ret) {
  1146. case 0:
  1147. case -EAGAIN:
  1148. if (retrying)
  1149. goto unlock;
  1150. retrying = true;
  1151. goto retry;
  1152. case -EINPROGRESS:
  1153. break;
  1154. default:
  1155. goto unlock;
  1156. }
  1157. /* Wait for pending encryptions to get completed */
  1158. if (tls_encrypt_async_wait(ctx))
  1159. goto unlock;
  1160. /* Transmit if any encryptions have completed */
  1161. if (test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask)) {
  1162. cancel_delayed_work(&ctx->tx_work.work);
  1163. tls_tx_records(sk, 0);
  1164. }
  1165. unlock:
  1166. release_sock(sk);
  1167. mutex_unlock(&tls_ctx->tx_lock);
  1168. }
  1169. static int
  1170. tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock,
  1171. bool released)
  1172. {
  1173. struct tls_context *tls_ctx = tls_get_ctx(sk);
  1174. struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
  1175. DEFINE_WAIT_FUNC(wait, woken_wake_function);
  1176. int ret = 0;
  1177. long timeo;
  1178. /* a rekey is pending, let userspace deal with it */
  1179. if (unlikely(ctx->key_update_pending))
  1180. return -EKEYEXPIRED;
  1181. timeo = sock_rcvtimeo(sk, nonblock);
  1182. while (!tls_strp_msg_ready(ctx)) {
  1183. if (!sk_psock_queue_empty(psock))
  1184. return 0;
  1185. if (sk->sk_err)
  1186. return sock_error(sk);
  1187. if (ret < 0)
  1188. return ret;
  1189. if (!skb_queue_empty(&sk->sk_receive_queue)) {
  1190. tls_strp_check_rcv(&ctx->strp);
  1191. if (tls_strp_msg_ready(ctx))
  1192. break;
  1193. }
  1194. if (sk->sk_shutdown & RCV_SHUTDOWN)
  1195. return 0;
  1196. if (sock_flag(sk, SOCK_DONE))
  1197. return 0;
  1198. if (!timeo)
  1199. return -EAGAIN;
  1200. released = true;
  1201. add_wait_queue(sk_sleep(sk), &wait);
  1202. sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk);
  1203. ret = sk_wait_event(sk, &timeo,
  1204. tls_strp_msg_ready(ctx) ||
  1205. !sk_psock_queue_empty(psock),
  1206. &wait);
  1207. sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk);
  1208. remove_wait_queue(sk_sleep(sk), &wait);
  1209. /* Handle signals */
  1210. if (signal_pending(current))
  1211. return sock_intr_errno(timeo);
  1212. }
  1213. if (unlikely(!tls_strp_msg_load(&ctx->strp, released)))
  1214. return tls_rx_rec_wait(sk, psock, nonblock, false);
  1215. return 1;
  1216. }
  1217. static int tls_setup_from_iter(struct iov_iter *from,
  1218. int length, int *pages_used,
  1219. struct scatterlist *to,
  1220. int to_max_pages)
  1221. {
  1222. int rc = 0, i = 0, num_elem = *pages_used, maxpages;
  1223. struct page *pages[MAX_SKB_FRAGS];
  1224. unsigned int size = 0;
  1225. ssize_t copied, use;
  1226. size_t offset;
  1227. while (length > 0) {
  1228. i = 0;
  1229. maxpages = to_max_pages - num_elem;
  1230. if (maxpages == 0) {
  1231. rc = -EFAULT;
  1232. goto out;
  1233. }
  1234. copied = iov_iter_get_pages2(from, pages,
  1235. length,
  1236. maxpages, &offset);
  1237. if (copied <= 0) {
  1238. rc = -EFAULT;
  1239. goto out;
  1240. }
  1241. length -= copied;
  1242. size += copied;
  1243. while (copied) {
  1244. use = min_t(int, copied, PAGE_SIZE - offset);
  1245. sg_set_page(&to[num_elem],
  1246. pages[i], use, offset);
  1247. sg_unmark_end(&to[num_elem]);
  1248. /* We do not uncharge memory from this API */
  1249. offset = 0;
  1250. copied -= use;
  1251. i++;
  1252. num_elem++;
  1253. }
  1254. }
  1255. /* Mark the end in the last sg entry if newly added */
  1256. if (num_elem > *pages_used)
  1257. sg_mark_end(&to[num_elem - 1]);
  1258. out:
  1259. if (rc)
  1260. iov_iter_revert(from, size);
  1261. *pages_used = num_elem;
  1262. return rc;
  1263. }
  1264. static struct sk_buff *
  1265. tls_alloc_clrtxt_skb(struct sock *sk, struct sk_buff *skb,
  1266. unsigned int full_len)
  1267. {
  1268. struct strp_msg *clr_rxm;
  1269. struct sk_buff *clr_skb;
  1270. int err;
  1271. clr_skb = alloc_skb_with_frags(0, full_len, TLS_PAGE_ORDER,
  1272. &err, sk->sk_allocation);
  1273. if (!clr_skb)
  1274. return NULL;
  1275. skb_copy_header(clr_skb, skb);
  1276. clr_skb->len = full_len;
  1277. clr_skb->data_len = full_len;
  1278. clr_rxm = strp_msg(clr_skb);
  1279. clr_rxm->offset = 0;
  1280. return clr_skb;
  1281. }
  1282. /* Decrypt handlers
  1283. *
  1284. * tls_decrypt_sw() and tls_decrypt_device() are decrypt handlers.
  1285. * They must transform the darg in/out argument are as follows:
  1286. * | Input | Output
  1287. * -------------------------------------------------------------------
  1288. * zc | Zero-copy decrypt allowed | Zero-copy performed
  1289. * async | Async decrypt allowed | Async crypto used / in progress
  1290. * skb | * | Output skb
  1291. *
  1292. * If ZC decryption was performed darg.skb will point to the input skb.
  1293. */
  1294. /* This function decrypts the input skb into either out_iov or in out_sg
  1295. * or in skb buffers itself. The input parameter 'darg->zc' indicates if
  1296. * zero-copy mode needs to be tried or not. With zero-copy mode, either
  1297. * out_iov or out_sg must be non-NULL. In case both out_iov and out_sg are
  1298. * NULL, then the decryption happens inside skb buffers itself, i.e.
  1299. * zero-copy gets disabled and 'darg->zc' is updated.
  1300. */
  1301. static int tls_decrypt_sg(struct sock *sk, struct iov_iter *out_iov,
  1302. struct scatterlist *out_sg,
  1303. struct tls_decrypt_arg *darg)
  1304. {
  1305. struct tls_context *tls_ctx = tls_get_ctx(sk);
  1306. struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
  1307. struct tls_prot_info *prot = &tls_ctx->prot_info;
  1308. int n_sgin, n_sgout, aead_size, err, pages = 0;
  1309. struct sk_buff *skb = tls_strp_msg(ctx);
  1310. const struct strp_msg *rxm = strp_msg(skb);
  1311. const struct tls_msg *tlm = tls_msg(skb);
  1312. struct aead_request *aead_req;
  1313. struct scatterlist *sgin = NULL;
  1314. struct scatterlist *sgout = NULL;
  1315. const int data_len = rxm->full_len - prot->overhead_size;
  1316. int tail_pages = !!prot->tail_size;
  1317. struct tls_decrypt_ctx *dctx;
  1318. struct sk_buff *clear_skb;
  1319. int iv_offset = 0;
  1320. u8 *mem;
  1321. n_sgin = skb_nsg(skb, rxm->offset + prot->prepend_size,
  1322. rxm->full_len - prot->prepend_size);
  1323. if (n_sgin < 1)
  1324. return n_sgin ?: -EBADMSG;
  1325. if (darg->zc && (out_iov || out_sg)) {
  1326. clear_skb = NULL;
  1327. if (out_iov)
  1328. n_sgout = 1 + tail_pages +
  1329. iov_iter_npages_cap(out_iov, INT_MAX, data_len);
  1330. else
  1331. n_sgout = sg_nents(out_sg);
  1332. } else {
  1333. darg->zc = false;
  1334. clear_skb = tls_alloc_clrtxt_skb(sk, skb, rxm->full_len);
  1335. if (!clear_skb)
  1336. return -ENOMEM;
  1337. n_sgout = 1 + skb_shinfo(clear_skb)->nr_frags;
  1338. }
  1339. /* Increment to accommodate AAD */
  1340. n_sgin = n_sgin + 1;
  1341. /* Allocate a single block of memory which contains
  1342. * aead_req || tls_decrypt_ctx.
  1343. * Both structs are variable length.
  1344. */
  1345. aead_size = sizeof(*aead_req) + crypto_aead_reqsize(ctx->aead_recv);
  1346. aead_size = ALIGN(aead_size, __alignof__(*dctx));
  1347. mem = kmalloc(aead_size + struct_size(dctx, sg, size_add(n_sgin, n_sgout)),
  1348. sk->sk_allocation);
  1349. if (!mem) {
  1350. err = -ENOMEM;
  1351. goto exit_free_skb;
  1352. }
  1353. /* Segment the allocated memory */
  1354. aead_req = (struct aead_request *)mem;
  1355. dctx = (struct tls_decrypt_ctx *)(mem + aead_size);
  1356. dctx->sk = sk;
  1357. sgin = &dctx->sg[0];
  1358. sgout = &dctx->sg[n_sgin];
  1359. /* For CCM based ciphers, first byte of nonce+iv is a constant */
  1360. switch (prot->cipher_type) {
  1361. case TLS_CIPHER_AES_CCM_128:
  1362. dctx->iv[0] = TLS_AES_CCM_IV_B0_BYTE;
  1363. iv_offset = 1;
  1364. break;
  1365. case TLS_CIPHER_SM4_CCM:
  1366. dctx->iv[0] = TLS_SM4_CCM_IV_B0_BYTE;
  1367. iv_offset = 1;
  1368. break;
  1369. }
  1370. /* Prepare IV */
  1371. if (prot->version == TLS_1_3_VERSION ||
  1372. prot->cipher_type == TLS_CIPHER_CHACHA20_POLY1305) {
  1373. memcpy(&dctx->iv[iv_offset], tls_ctx->rx.iv,
  1374. prot->iv_size + prot->salt_size);
  1375. } else {
  1376. err = skb_copy_bits(skb, rxm->offset + TLS_HEADER_SIZE,
  1377. &dctx->iv[iv_offset] + prot->salt_size,
  1378. prot->iv_size);
  1379. if (err < 0)
  1380. goto exit_free;
  1381. memcpy(&dctx->iv[iv_offset], tls_ctx->rx.iv, prot->salt_size);
  1382. }
  1383. tls_xor_iv_with_seq(prot, &dctx->iv[iv_offset], tls_ctx->rx.rec_seq);
  1384. /* Prepare AAD */
  1385. tls_make_aad(dctx->aad, rxm->full_len - prot->overhead_size +
  1386. prot->tail_size,
  1387. tls_ctx->rx.rec_seq, tlm->control, prot);
  1388. /* Prepare sgin */
  1389. sg_init_table(sgin, n_sgin);
  1390. sg_set_buf(&sgin[0], dctx->aad, prot->aad_size);
  1391. err = skb_to_sgvec(skb, &sgin[1],
  1392. rxm->offset + prot->prepend_size,
  1393. rxm->full_len - prot->prepend_size);
  1394. if (err < 0)
  1395. goto exit_free;
  1396. if (clear_skb) {
  1397. sg_init_table(sgout, n_sgout);
  1398. sg_set_buf(&sgout[0], dctx->aad, prot->aad_size);
  1399. err = skb_to_sgvec(clear_skb, &sgout[1], prot->prepend_size,
  1400. data_len + prot->tail_size);
  1401. if (err < 0)
  1402. goto exit_free;
  1403. } else if (out_iov) {
  1404. sg_init_table(sgout, n_sgout);
  1405. sg_set_buf(&sgout[0], dctx->aad, prot->aad_size);
  1406. err = tls_setup_from_iter(out_iov, data_len, &pages, &sgout[1],
  1407. (n_sgout - 1 - tail_pages));
  1408. if (err < 0)
  1409. goto exit_free_pages;
  1410. if (prot->tail_size) {
  1411. sg_unmark_end(&sgout[pages]);
  1412. sg_set_buf(&sgout[pages + 1], &dctx->tail,
  1413. prot->tail_size);
  1414. sg_mark_end(&sgout[pages + 1]);
  1415. }
  1416. } else if (out_sg) {
  1417. memcpy(sgout, out_sg, n_sgout * sizeof(*sgout));
  1418. }
  1419. dctx->free_sgout = !!pages;
  1420. /* Prepare and submit AEAD request */
  1421. err = tls_do_decryption(sk, sgin, sgout, dctx->iv,
  1422. data_len + prot->tail_size, aead_req, darg);
  1423. if (err) {
  1424. if (darg->async_done)
  1425. goto exit_free_skb;
  1426. goto exit_free_pages;
  1427. }
  1428. darg->skb = clear_skb ?: tls_strp_msg(ctx);
  1429. clear_skb = NULL;
  1430. if (unlikely(darg->async)) {
  1431. err = tls_strp_msg_hold(&ctx->strp, &ctx->async_hold);
  1432. if (err) {
  1433. err = tls_decrypt_async_wait(ctx);
  1434. darg->async = false;
  1435. }
  1436. return err;
  1437. }
  1438. if (unlikely(darg->async_done))
  1439. return 0;
  1440. if (prot->tail_size)
  1441. darg->tail = dctx->tail;
  1442. exit_free_pages:
  1443. /* Release the pages in case iov was mapped to pages */
  1444. for (; pages > 0; pages--)
  1445. put_page(sg_page(&sgout[pages]));
  1446. exit_free:
  1447. kfree(mem);
  1448. exit_free_skb:
  1449. consume_skb(clear_skb);
  1450. return err;
  1451. }
  1452. static int
  1453. tls_decrypt_sw(struct sock *sk, struct tls_context *tls_ctx,
  1454. struct msghdr *msg, struct tls_decrypt_arg *darg)
  1455. {
  1456. struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
  1457. struct tls_prot_info *prot = &tls_ctx->prot_info;
  1458. struct strp_msg *rxm;
  1459. int pad, err;
  1460. err = tls_decrypt_sg(sk, &msg->msg_iter, NULL, darg);
  1461. if (err < 0) {
  1462. if (err == -EBADMSG)
  1463. TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTERROR);
  1464. return err;
  1465. }
  1466. /* keep going even for ->async, the code below is TLS 1.3 */
  1467. /* If opportunistic TLS 1.3 ZC failed retry without ZC */
  1468. if (unlikely(darg->zc && prot->version == TLS_1_3_VERSION &&
  1469. darg->tail != TLS_RECORD_TYPE_DATA)) {
  1470. darg->zc = false;
  1471. if (!darg->tail)
  1472. TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXNOPADVIOL);
  1473. TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTRETRY);
  1474. return tls_decrypt_sw(sk, tls_ctx, msg, darg);
  1475. }
  1476. pad = tls_padding_length(prot, darg->skb, darg);
  1477. if (pad < 0) {
  1478. if (darg->skb != tls_strp_msg(ctx))
  1479. consume_skb(darg->skb);
  1480. return pad;
  1481. }
  1482. rxm = strp_msg(darg->skb);
  1483. rxm->full_len -= pad;
  1484. return 0;
  1485. }
  1486. static int
  1487. tls_decrypt_device(struct sock *sk, struct msghdr *msg,
  1488. struct tls_context *tls_ctx, struct tls_decrypt_arg *darg)
  1489. {
  1490. struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
  1491. struct tls_prot_info *prot = &tls_ctx->prot_info;
  1492. struct strp_msg *rxm;
  1493. int pad, err;
  1494. if (tls_ctx->rx_conf != TLS_HW)
  1495. return 0;
  1496. err = tls_device_decrypted(sk, tls_ctx);
  1497. if (err <= 0)
  1498. return err;
  1499. pad = tls_padding_length(prot, tls_strp_msg(ctx), darg);
  1500. if (pad < 0)
  1501. return pad;
  1502. darg->async = false;
  1503. darg->skb = tls_strp_msg(ctx);
  1504. /* ->zc downgrade check, in case TLS 1.3 gets here */
  1505. darg->zc &= !(prot->version == TLS_1_3_VERSION &&
  1506. tls_msg(darg->skb)->control != TLS_RECORD_TYPE_DATA);
  1507. rxm = strp_msg(darg->skb);
  1508. rxm->full_len -= pad;
  1509. if (!darg->zc) {
  1510. /* Non-ZC case needs a real skb */
  1511. darg->skb = tls_strp_msg_detach(ctx);
  1512. if (!darg->skb)
  1513. return -ENOMEM;
  1514. } else {
  1515. unsigned int off, len;
  1516. /* In ZC case nobody cares about the output skb.
  1517. * Just copy the data here. Note the skb is not fully trimmed.
  1518. */
  1519. off = rxm->offset + prot->prepend_size;
  1520. len = rxm->full_len - prot->overhead_size;
  1521. err = skb_copy_datagram_msg(darg->skb, off, msg, len);
  1522. if (err)
  1523. return err;
  1524. }
  1525. return 1;
  1526. }
  1527. static int tls_check_pending_rekey(struct sock *sk, struct tls_context *ctx,
  1528. struct sk_buff *skb)
  1529. {
  1530. const struct strp_msg *rxm = strp_msg(skb);
  1531. const struct tls_msg *tlm = tls_msg(skb);
  1532. char hs_type;
  1533. int err;
  1534. if (likely(tlm->control != TLS_RECORD_TYPE_HANDSHAKE))
  1535. return 0;
  1536. if (rxm->full_len < 1)
  1537. return 0;
  1538. err = skb_copy_bits(skb, rxm->offset, &hs_type, 1);
  1539. if (err < 0) {
  1540. DEBUG_NET_WARN_ON_ONCE(1);
  1541. return err;
  1542. }
  1543. if (hs_type == TLS_HANDSHAKE_KEYUPDATE) {
  1544. struct tls_sw_context_rx *rx_ctx = ctx->priv_ctx_rx;
  1545. WRITE_ONCE(rx_ctx->key_update_pending, true);
  1546. TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXREKEYRECEIVED);
  1547. }
  1548. return 0;
  1549. }
  1550. static int tls_rx_one_record(struct sock *sk, struct msghdr *msg,
  1551. struct tls_decrypt_arg *darg)
  1552. {
  1553. struct tls_context *tls_ctx = tls_get_ctx(sk);
  1554. struct tls_prot_info *prot = &tls_ctx->prot_info;
  1555. struct strp_msg *rxm;
  1556. int err;
  1557. err = tls_decrypt_device(sk, msg, tls_ctx, darg);
  1558. if (!err)
  1559. err = tls_decrypt_sw(sk, tls_ctx, msg, darg);
  1560. if (err < 0)
  1561. return err;
  1562. rxm = strp_msg(darg->skb);
  1563. rxm->offset += prot->prepend_size;
  1564. rxm->full_len -= prot->overhead_size;
  1565. tls_advance_record_sn(sk, prot, &tls_ctx->rx);
  1566. return tls_check_pending_rekey(sk, tls_ctx, darg->skb);
  1567. }
  1568. int decrypt_skb(struct sock *sk, struct scatterlist *sgout)
  1569. {
  1570. struct tls_decrypt_arg darg = { .zc = true, };
  1571. return tls_decrypt_sg(sk, NULL, sgout, &darg);
  1572. }
  1573. /* All records returned from a recvmsg() call must have the same type.
  1574. * 0 is not a valid content type. Use it as "no type reported, yet".
  1575. */
  1576. static int tls_record_content_type(struct msghdr *msg, struct tls_msg *tlm,
  1577. u8 *control)
  1578. {
  1579. int err;
  1580. if (!*control) {
  1581. *control = tlm->control;
  1582. if (!*control)
  1583. return -EBADMSG;
  1584. err = put_cmsg(msg, SOL_TLS, TLS_GET_RECORD_TYPE,
  1585. sizeof(*control), control);
  1586. if (*control != TLS_RECORD_TYPE_DATA) {
  1587. if (err || msg->msg_flags & MSG_CTRUNC)
  1588. return -EIO;
  1589. }
  1590. } else if (*control != tlm->control) {
  1591. return 0;
  1592. }
  1593. return 1;
  1594. }
  1595. static void tls_rx_rec_done(struct tls_sw_context_rx *ctx)
  1596. {
  1597. tls_strp_msg_done(&ctx->strp);
  1598. }
  1599. /* This function traverses the rx_list in tls receive context to copies the
  1600. * decrypted records into the buffer provided by caller zero copy is not
  1601. * true. Further, the records are removed from the rx_list if it is not a peek
  1602. * case and the record has been consumed completely.
  1603. */
  1604. static int process_rx_list(struct tls_sw_context_rx *ctx,
  1605. struct msghdr *msg,
  1606. u8 *control,
  1607. size_t skip,
  1608. size_t len,
  1609. bool is_peek,
  1610. bool *more)
  1611. {
  1612. struct sk_buff *skb = skb_peek(&ctx->rx_list);
  1613. struct tls_msg *tlm;
  1614. ssize_t copied = 0;
  1615. int err;
  1616. while (skip && skb) {
  1617. struct strp_msg *rxm = strp_msg(skb);
  1618. tlm = tls_msg(skb);
  1619. err = tls_record_content_type(msg, tlm, control);
  1620. if (err <= 0)
  1621. goto more;
  1622. if (skip < rxm->full_len)
  1623. break;
  1624. skip = skip - rxm->full_len;
  1625. skb = skb_peek_next(skb, &ctx->rx_list);
  1626. }
  1627. while (len && skb) {
  1628. struct sk_buff *next_skb;
  1629. struct strp_msg *rxm = strp_msg(skb);
  1630. int chunk = min_t(unsigned int, rxm->full_len - skip, len);
  1631. tlm = tls_msg(skb);
  1632. err = tls_record_content_type(msg, tlm, control);
  1633. if (err <= 0)
  1634. goto more;
  1635. err = skb_copy_datagram_msg(skb, rxm->offset + skip,
  1636. msg, chunk);
  1637. if (err < 0)
  1638. goto more;
  1639. len = len - chunk;
  1640. copied = copied + chunk;
  1641. /* Consume the data from record if it is non-peek case*/
  1642. if (!is_peek) {
  1643. rxm->offset = rxm->offset + chunk;
  1644. rxm->full_len = rxm->full_len - chunk;
  1645. /* Return if there is unconsumed data in the record */
  1646. if (rxm->full_len - skip)
  1647. break;
  1648. }
  1649. /* The remaining skip-bytes must lie in 1st record in rx_list.
  1650. * So from the 2nd record, 'skip' should be 0.
  1651. */
  1652. skip = 0;
  1653. if (msg)
  1654. msg->msg_flags |= MSG_EOR;
  1655. next_skb = skb_peek_next(skb, &ctx->rx_list);
  1656. if (!is_peek) {
  1657. __skb_unlink(skb, &ctx->rx_list);
  1658. consume_skb(skb);
  1659. }
  1660. skb = next_skb;
  1661. }
  1662. err = 0;
  1663. out:
  1664. return copied ? : err;
  1665. more:
  1666. if (more)
  1667. *more = true;
  1668. goto out;
  1669. }
  1670. static bool
  1671. tls_read_flush_backlog(struct sock *sk, struct tls_prot_info *prot,
  1672. size_t len_left, size_t decrypted, ssize_t done,
  1673. size_t *flushed_at)
  1674. {
  1675. size_t max_rec;
  1676. if (len_left <= decrypted)
  1677. return false;
  1678. max_rec = prot->overhead_size - prot->tail_size + TLS_MAX_PAYLOAD_SIZE;
  1679. if (done - *flushed_at < SZ_128K && tcp_inq(sk) > max_rec)
  1680. return false;
  1681. *flushed_at = done;
  1682. return sk_flush_backlog(sk);
  1683. }
  1684. static int tls_rx_reader_acquire(struct sock *sk, struct tls_sw_context_rx *ctx,
  1685. bool nonblock)
  1686. {
  1687. long timeo;
  1688. int ret;
  1689. timeo = sock_rcvtimeo(sk, nonblock);
  1690. while (unlikely(ctx->reader_present)) {
  1691. DEFINE_WAIT_FUNC(wait, woken_wake_function);
  1692. ctx->reader_contended = 1;
  1693. add_wait_queue(&ctx->wq, &wait);
  1694. ret = sk_wait_event(sk, &timeo,
  1695. !READ_ONCE(ctx->reader_present), &wait);
  1696. remove_wait_queue(&ctx->wq, &wait);
  1697. if (timeo <= 0)
  1698. return -EAGAIN;
  1699. if (signal_pending(current))
  1700. return sock_intr_errno(timeo);
  1701. if (ret < 0)
  1702. return ret;
  1703. }
  1704. WRITE_ONCE(ctx->reader_present, 1);
  1705. return 0;
  1706. }
  1707. static int tls_rx_reader_lock(struct sock *sk, struct tls_sw_context_rx *ctx,
  1708. bool nonblock)
  1709. {
  1710. int err;
  1711. lock_sock(sk);
  1712. err = tls_rx_reader_acquire(sk, ctx, nonblock);
  1713. if (err)
  1714. release_sock(sk);
  1715. return err;
  1716. }
  1717. static void tls_rx_reader_release(struct sock *sk, struct tls_sw_context_rx *ctx)
  1718. {
  1719. if (unlikely(ctx->reader_contended)) {
  1720. if (wq_has_sleeper(&ctx->wq))
  1721. wake_up(&ctx->wq);
  1722. else
  1723. ctx->reader_contended = 0;
  1724. WARN_ON_ONCE(!ctx->reader_present);
  1725. }
  1726. WRITE_ONCE(ctx->reader_present, 0);
  1727. }
  1728. static void tls_rx_reader_unlock(struct sock *sk, struct tls_sw_context_rx *ctx)
  1729. {
  1730. tls_rx_reader_release(sk, ctx);
  1731. release_sock(sk);
  1732. }
  1733. int tls_sw_recvmsg(struct sock *sk,
  1734. struct msghdr *msg,
  1735. size_t len,
  1736. int flags,
  1737. int *addr_len)
  1738. {
  1739. struct tls_context *tls_ctx = tls_get_ctx(sk);
  1740. struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
  1741. struct tls_prot_info *prot = &tls_ctx->prot_info;
  1742. ssize_t decrypted = 0, async_copy_bytes = 0;
  1743. struct sk_psock *psock;
  1744. unsigned char control = 0;
  1745. size_t flushed_at = 0;
  1746. struct strp_msg *rxm;
  1747. struct tls_msg *tlm;
  1748. ssize_t copied = 0;
  1749. ssize_t peeked = 0;
  1750. bool async = false;
  1751. int target, err;
  1752. bool is_kvec = iov_iter_is_kvec(&msg->msg_iter);
  1753. bool is_peek = flags & MSG_PEEK;
  1754. bool rx_more = false;
  1755. bool released = true;
  1756. bool bpf_strp_enabled;
  1757. bool zc_capable;
  1758. if (unlikely(flags & MSG_ERRQUEUE))
  1759. return sock_recv_errqueue(sk, msg, len, SOL_IP, IP_RECVERR);
  1760. err = tls_rx_reader_lock(sk, ctx, flags & MSG_DONTWAIT);
  1761. if (err < 0)
  1762. return err;
  1763. psock = sk_psock_get(sk);
  1764. bpf_strp_enabled = sk_psock_strp_enabled(psock);
  1765. /* If crypto failed the connection is broken */
  1766. err = ctx->async_wait.err;
  1767. if (err)
  1768. goto end;
  1769. /* Process pending decrypted records. It must be non-zero-copy */
  1770. err = process_rx_list(ctx, msg, &control, 0, len, is_peek, &rx_more);
  1771. if (err < 0)
  1772. goto end;
  1773. /* process_rx_list() will set @control if it processed any records */
  1774. copied = err;
  1775. if (len <= copied || rx_more ||
  1776. (control && control != TLS_RECORD_TYPE_DATA))
  1777. goto end;
  1778. target = sock_rcvlowat(sk, flags & MSG_WAITALL, len);
  1779. len = len - copied;
  1780. zc_capable = !bpf_strp_enabled && !is_kvec && !is_peek &&
  1781. ctx->zc_capable;
  1782. decrypted = 0;
  1783. while (len && (decrypted + copied < target || tls_strp_msg_ready(ctx))) {
  1784. struct tls_decrypt_arg darg;
  1785. int to_decrypt, chunk;
  1786. err = tls_rx_rec_wait(sk, psock, flags & MSG_DONTWAIT,
  1787. released);
  1788. if (err <= 0) {
  1789. if (psock) {
  1790. chunk = sk_msg_recvmsg(sk, psock, msg, len,
  1791. flags);
  1792. if (chunk > 0) {
  1793. decrypted += chunk;
  1794. len -= chunk;
  1795. continue;
  1796. }
  1797. }
  1798. goto recv_end;
  1799. }
  1800. memset(&darg.inargs, 0, sizeof(darg.inargs));
  1801. rxm = strp_msg(tls_strp_msg(ctx));
  1802. tlm = tls_msg(tls_strp_msg(ctx));
  1803. to_decrypt = rxm->full_len - prot->overhead_size;
  1804. if (zc_capable && to_decrypt <= len &&
  1805. tlm->control == TLS_RECORD_TYPE_DATA)
  1806. darg.zc = true;
  1807. /* Do not use async mode if record is non-data */
  1808. if (tlm->control == TLS_RECORD_TYPE_DATA && !bpf_strp_enabled)
  1809. darg.async = ctx->async_capable;
  1810. else
  1811. darg.async = false;
  1812. err = tls_rx_one_record(sk, msg, &darg);
  1813. if (err < 0) {
  1814. tls_err_abort(sk, -EBADMSG);
  1815. goto recv_end;
  1816. }
  1817. async |= darg.async;
  1818. /* If the type of records being processed is not known yet,
  1819. * set it to record type just dequeued. If it is already known,
  1820. * but does not match the record type just dequeued, go to end.
  1821. * We always get record type here since for tls1.2, record type
  1822. * is known just after record is dequeued from stream parser.
  1823. * For tls1.3, we disable async.
  1824. */
  1825. err = tls_record_content_type(msg, tls_msg(darg.skb), &control);
  1826. if (err <= 0) {
  1827. DEBUG_NET_WARN_ON_ONCE(darg.zc);
  1828. tls_rx_rec_done(ctx);
  1829. put_on_rx_list_err:
  1830. __skb_queue_tail(&ctx->rx_list, darg.skb);
  1831. goto recv_end;
  1832. }
  1833. /* periodically flush backlog, and feed strparser */
  1834. released = tls_read_flush_backlog(sk, prot, len, to_decrypt,
  1835. decrypted + copied,
  1836. &flushed_at);
  1837. /* TLS 1.3 may have updated the length by more than overhead */
  1838. rxm = strp_msg(darg.skb);
  1839. chunk = rxm->full_len;
  1840. tls_rx_rec_done(ctx);
  1841. if (!darg.zc) {
  1842. bool partially_consumed = chunk > len;
  1843. struct sk_buff *skb = darg.skb;
  1844. DEBUG_NET_WARN_ON_ONCE(darg.skb == ctx->strp.anchor);
  1845. if (async) {
  1846. /* TLS 1.2-only, to_decrypt must be text len */
  1847. chunk = min_t(int, to_decrypt, len);
  1848. async_copy_bytes += chunk;
  1849. put_on_rx_list:
  1850. decrypted += chunk;
  1851. len -= chunk;
  1852. __skb_queue_tail(&ctx->rx_list, skb);
  1853. if (unlikely(control != TLS_RECORD_TYPE_DATA))
  1854. break;
  1855. continue;
  1856. }
  1857. if (bpf_strp_enabled) {
  1858. released = true;
  1859. err = sk_psock_tls_strp_read(psock, skb);
  1860. if (err != __SK_PASS) {
  1861. rxm->offset = rxm->offset + rxm->full_len;
  1862. rxm->full_len = 0;
  1863. if (err == __SK_DROP)
  1864. consume_skb(skb);
  1865. continue;
  1866. }
  1867. }
  1868. if (partially_consumed)
  1869. chunk = len;
  1870. err = skb_copy_datagram_msg(skb, rxm->offset,
  1871. msg, chunk);
  1872. if (err < 0)
  1873. goto put_on_rx_list_err;
  1874. if (is_peek) {
  1875. peeked += chunk;
  1876. goto put_on_rx_list;
  1877. }
  1878. if (partially_consumed) {
  1879. rxm->offset += chunk;
  1880. rxm->full_len -= chunk;
  1881. goto put_on_rx_list;
  1882. }
  1883. consume_skb(skb);
  1884. }
  1885. decrypted += chunk;
  1886. len -= chunk;
  1887. /* Return full control message to userspace before trying
  1888. * to parse another message type
  1889. */
  1890. msg->msg_flags |= MSG_EOR;
  1891. if (control != TLS_RECORD_TYPE_DATA)
  1892. break;
  1893. }
  1894. recv_end:
  1895. if (async) {
  1896. int ret;
  1897. /* Wait for all previously submitted records to be decrypted */
  1898. ret = tls_decrypt_async_wait(ctx);
  1899. if (ret) {
  1900. if (err >= 0 || err == -EINPROGRESS)
  1901. err = ret;
  1902. goto end;
  1903. }
  1904. /* Drain records from the rx_list & copy if required */
  1905. if (is_peek)
  1906. err = process_rx_list(ctx, msg, &control, copied + peeked,
  1907. decrypted - peeked, is_peek, NULL);
  1908. else
  1909. err = process_rx_list(ctx, msg, &control, 0,
  1910. async_copy_bytes, is_peek, NULL);
  1911. /* we could have copied less than we wanted, and possibly nothing */
  1912. decrypted += max(err, 0) - async_copy_bytes;
  1913. }
  1914. copied += decrypted;
  1915. end:
  1916. tls_rx_reader_unlock(sk, ctx);
  1917. if (psock)
  1918. sk_psock_put(sk, psock);
  1919. return copied ? : err;
  1920. }
  1921. ssize_t tls_sw_splice_read(struct socket *sock, loff_t *ppos,
  1922. struct pipe_inode_info *pipe,
  1923. size_t len, unsigned int flags)
  1924. {
  1925. struct tls_context *tls_ctx = tls_get_ctx(sock->sk);
  1926. struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
  1927. struct strp_msg *rxm = NULL;
  1928. struct sock *sk = sock->sk;
  1929. struct tls_msg *tlm;
  1930. struct sk_buff *skb;
  1931. ssize_t copied = 0;
  1932. int chunk;
  1933. int err;
  1934. err = tls_rx_reader_lock(sk, ctx, flags & SPLICE_F_NONBLOCK);
  1935. if (err < 0)
  1936. return err;
  1937. if (!skb_queue_empty(&ctx->rx_list)) {
  1938. skb = __skb_dequeue(&ctx->rx_list);
  1939. } else {
  1940. struct tls_decrypt_arg darg;
  1941. err = tls_rx_rec_wait(sk, NULL, flags & SPLICE_F_NONBLOCK,
  1942. true);
  1943. if (err <= 0)
  1944. goto splice_read_end;
  1945. memset(&darg.inargs, 0, sizeof(darg.inargs));
  1946. err = tls_rx_one_record(sk, NULL, &darg);
  1947. if (err < 0) {
  1948. tls_err_abort(sk, -EBADMSG);
  1949. goto splice_read_end;
  1950. }
  1951. tls_rx_rec_done(ctx);
  1952. skb = darg.skb;
  1953. }
  1954. rxm = strp_msg(skb);
  1955. tlm = tls_msg(skb);
  1956. /* splice does not support reading control messages */
  1957. if (tlm->control != TLS_RECORD_TYPE_DATA) {
  1958. err = -EINVAL;
  1959. goto splice_requeue;
  1960. }
  1961. chunk = min_t(unsigned int, rxm->full_len, len);
  1962. copied = skb_splice_bits(skb, sk, rxm->offset, pipe, chunk, flags);
  1963. if (copied < 0)
  1964. goto splice_requeue;
  1965. if (chunk < rxm->full_len) {
  1966. rxm->offset += len;
  1967. rxm->full_len -= len;
  1968. goto splice_requeue;
  1969. }
  1970. consume_skb(skb);
  1971. splice_read_end:
  1972. tls_rx_reader_unlock(sk, ctx);
  1973. return copied ? : err;
  1974. splice_requeue:
  1975. __skb_queue_head(&ctx->rx_list, skb);
  1976. goto splice_read_end;
  1977. }
  1978. int tls_sw_read_sock(struct sock *sk, read_descriptor_t *desc,
  1979. sk_read_actor_t read_actor)
  1980. {
  1981. struct tls_context *tls_ctx = tls_get_ctx(sk);
  1982. struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
  1983. struct tls_prot_info *prot = &tls_ctx->prot_info;
  1984. struct strp_msg *rxm = NULL;
  1985. struct sk_buff *skb = NULL;
  1986. struct sk_psock *psock;
  1987. size_t flushed_at = 0;
  1988. bool released = true;
  1989. struct tls_msg *tlm;
  1990. ssize_t copied = 0;
  1991. ssize_t decrypted;
  1992. int err, used;
  1993. psock = sk_psock_get(sk);
  1994. if (psock) {
  1995. sk_psock_put(sk, psock);
  1996. return -EINVAL;
  1997. }
  1998. err = tls_rx_reader_acquire(sk, ctx, true);
  1999. if (err < 0)
  2000. return err;
  2001. /* If crypto failed the connection is broken */
  2002. err = ctx->async_wait.err;
  2003. if (err)
  2004. goto read_sock_end;
  2005. decrypted = 0;
  2006. do {
  2007. if (!skb_queue_empty(&ctx->rx_list)) {
  2008. skb = __skb_dequeue(&ctx->rx_list);
  2009. rxm = strp_msg(skb);
  2010. tlm = tls_msg(skb);
  2011. } else {
  2012. struct tls_decrypt_arg darg;
  2013. err = tls_rx_rec_wait(sk, NULL, true, released);
  2014. if (err <= 0)
  2015. goto read_sock_end;
  2016. memset(&darg.inargs, 0, sizeof(darg.inargs));
  2017. err = tls_rx_one_record(sk, NULL, &darg);
  2018. if (err < 0) {
  2019. tls_err_abort(sk, -EBADMSG);
  2020. goto read_sock_end;
  2021. }
  2022. released = tls_read_flush_backlog(sk, prot, INT_MAX,
  2023. 0, decrypted,
  2024. &flushed_at);
  2025. skb = darg.skb;
  2026. rxm = strp_msg(skb);
  2027. tlm = tls_msg(skb);
  2028. decrypted += rxm->full_len;
  2029. tls_rx_rec_done(ctx);
  2030. }
  2031. /* read_sock does not support reading control messages */
  2032. if (tlm->control != TLS_RECORD_TYPE_DATA) {
  2033. err = -EINVAL;
  2034. goto read_sock_requeue;
  2035. }
  2036. used = read_actor(desc, skb, rxm->offset, rxm->full_len);
  2037. if (used <= 0) {
  2038. if (!copied)
  2039. err = used;
  2040. goto read_sock_requeue;
  2041. }
  2042. copied += used;
  2043. if (used < rxm->full_len) {
  2044. rxm->offset += used;
  2045. rxm->full_len -= used;
  2046. if (!desc->count)
  2047. goto read_sock_requeue;
  2048. } else {
  2049. consume_skb(skb);
  2050. if (!desc->count)
  2051. skb = NULL;
  2052. }
  2053. } while (skb);
  2054. read_sock_end:
  2055. tls_rx_reader_release(sk, ctx);
  2056. return copied ? : err;
  2057. read_sock_requeue:
  2058. __skb_queue_head(&ctx->rx_list, skb);
  2059. goto read_sock_end;
  2060. }
  2061. bool tls_sw_sock_is_readable(struct sock *sk)
  2062. {
  2063. struct tls_context *tls_ctx = tls_get_ctx(sk);
  2064. struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
  2065. bool ingress_empty = true;
  2066. struct sk_psock *psock;
  2067. rcu_read_lock();
  2068. psock = sk_psock(sk);
  2069. if (psock)
  2070. ingress_empty = list_empty(&psock->ingress_msg);
  2071. rcu_read_unlock();
  2072. return !ingress_empty || tls_strp_msg_ready(ctx) ||
  2073. !skb_queue_empty(&ctx->rx_list);
  2074. }
  2075. int tls_rx_msg_size(struct tls_strparser *strp, struct sk_buff *skb)
  2076. {
  2077. struct tls_context *tls_ctx = tls_get_ctx(strp->sk);
  2078. struct tls_prot_info *prot = &tls_ctx->prot_info;
  2079. char header[TLS_HEADER_SIZE + TLS_MAX_IV_SIZE];
  2080. size_t cipher_overhead;
  2081. size_t data_len = 0;
  2082. int ret;
  2083. /* Verify that we have a full TLS header, or wait for more data */
  2084. if (strp->stm.offset + prot->prepend_size > skb->len)
  2085. return 0;
  2086. /* Sanity-check size of on-stack buffer. */
  2087. if (WARN_ON(prot->prepend_size > sizeof(header))) {
  2088. ret = -EINVAL;
  2089. goto read_failure;
  2090. }
  2091. /* Linearize header to local buffer */
  2092. ret = skb_copy_bits(skb, strp->stm.offset, header, prot->prepend_size);
  2093. if (ret < 0)
  2094. goto read_failure;
  2095. strp->mark = header[0];
  2096. data_len = ((header[4] & 0xFF) | (header[3] << 8));
  2097. cipher_overhead = prot->tag_size;
  2098. if (prot->version != TLS_1_3_VERSION &&
  2099. prot->cipher_type != TLS_CIPHER_CHACHA20_POLY1305)
  2100. cipher_overhead += prot->iv_size;
  2101. if (data_len > TLS_MAX_PAYLOAD_SIZE + cipher_overhead +
  2102. prot->tail_size) {
  2103. ret = -EMSGSIZE;
  2104. goto read_failure;
  2105. }
  2106. if (data_len < cipher_overhead) {
  2107. ret = -EBADMSG;
  2108. goto read_failure;
  2109. }
  2110. /* Note that both TLS1.3 and TLS1.2 use TLS_1_2 version here */
  2111. if (header[1] != TLS_1_2_VERSION_MINOR ||
  2112. header[2] != TLS_1_2_VERSION_MAJOR) {
  2113. ret = -EINVAL;
  2114. goto read_failure;
  2115. }
  2116. tls_device_rx_resync_new_rec(strp->sk, data_len + TLS_HEADER_SIZE,
  2117. TCP_SKB_CB(skb)->seq + strp->stm.offset);
  2118. return data_len + TLS_HEADER_SIZE;
  2119. read_failure:
  2120. tls_strp_abort_strp(strp, ret);
  2121. return ret;
  2122. }
  2123. void tls_rx_msg_ready(struct tls_strparser *strp)
  2124. {
  2125. struct tls_sw_context_rx *ctx;
  2126. ctx = container_of(strp, struct tls_sw_context_rx, strp);
  2127. ctx->saved_data_ready(strp->sk);
  2128. }
  2129. static void tls_data_ready(struct sock *sk)
  2130. {
  2131. struct tls_context *tls_ctx = tls_get_ctx(sk);
  2132. struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
  2133. struct sk_psock *psock;
  2134. gfp_t alloc_save;
  2135. trace_sk_data_ready(sk);
  2136. alloc_save = sk->sk_allocation;
  2137. sk->sk_allocation = GFP_ATOMIC;
  2138. tls_strp_data_ready(&ctx->strp);
  2139. sk->sk_allocation = alloc_save;
  2140. psock = sk_psock_get(sk);
  2141. if (psock) {
  2142. if (!list_empty(&psock->ingress_msg))
  2143. ctx->saved_data_ready(sk);
  2144. sk_psock_put(sk, psock);
  2145. }
  2146. }
  2147. void tls_sw_cancel_work_tx(struct tls_context *tls_ctx)
  2148. {
  2149. struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
  2150. set_bit(BIT_TX_CLOSING, &ctx->tx_bitmask);
  2151. set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask);
  2152. disable_delayed_work_sync(&ctx->tx_work.work);
  2153. }
  2154. void tls_sw_release_resources_tx(struct sock *sk)
  2155. {
  2156. struct tls_context *tls_ctx = tls_get_ctx(sk);
  2157. struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
  2158. struct tls_rec *rec, *tmp;
  2159. /* Wait for any pending async encryptions to complete */
  2160. tls_encrypt_async_wait(ctx);
  2161. tls_tx_records(sk, -1);
  2162. /* Free up un-sent records in tx_list. First, free
  2163. * the partially sent record if any at head of tx_list.
  2164. */
  2165. if (tls_ctx->partially_sent_record) {
  2166. tls_free_partial_record(sk, tls_ctx);
  2167. rec = list_first_entry(&ctx->tx_list,
  2168. struct tls_rec, list);
  2169. list_del(&rec->list);
  2170. sk_msg_free(sk, &rec->msg_plaintext);
  2171. kfree(rec);
  2172. }
  2173. list_for_each_entry_safe(rec, tmp, &ctx->tx_list, list) {
  2174. list_del(&rec->list);
  2175. sk_msg_free(sk, &rec->msg_encrypted);
  2176. sk_msg_free(sk, &rec->msg_plaintext);
  2177. kfree(rec);
  2178. }
  2179. crypto_free_aead(ctx->aead_send);
  2180. tls_free_open_rec(sk);
  2181. }
  2182. void tls_sw_free_ctx_tx(struct tls_context *tls_ctx)
  2183. {
  2184. struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
  2185. kfree(ctx);
  2186. }
  2187. void tls_sw_release_resources_rx(struct sock *sk)
  2188. {
  2189. struct tls_context *tls_ctx = tls_get_ctx(sk);
  2190. struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
  2191. if (ctx->aead_recv) {
  2192. __skb_queue_purge(&ctx->rx_list);
  2193. crypto_free_aead(ctx->aead_recv);
  2194. tls_strp_stop(&ctx->strp);
  2195. /* If tls_sw_strparser_arm() was not called (cleanup paths)
  2196. * we still want to tls_strp_stop(), but sk->sk_data_ready was
  2197. * never swapped.
  2198. */
  2199. if (ctx->saved_data_ready) {
  2200. write_lock_bh(&sk->sk_callback_lock);
  2201. sk->sk_data_ready = ctx->saved_data_ready;
  2202. write_unlock_bh(&sk->sk_callback_lock);
  2203. }
  2204. }
  2205. }
  2206. void tls_sw_strparser_done(struct tls_context *tls_ctx)
  2207. {
  2208. struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
  2209. tls_strp_done(&ctx->strp);
  2210. }
  2211. void tls_sw_free_ctx_rx(struct tls_context *tls_ctx)
  2212. {
  2213. struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
  2214. kfree(ctx);
  2215. }
  2216. void tls_sw_free_resources_rx(struct sock *sk)
  2217. {
  2218. struct tls_context *tls_ctx = tls_get_ctx(sk);
  2219. tls_sw_release_resources_rx(sk);
  2220. tls_sw_free_ctx_rx(tls_ctx);
  2221. }
  2222. /* The work handler to transmitt the encrypted records in tx_list */
  2223. static void tx_work_handler(struct work_struct *work)
  2224. {
  2225. struct delayed_work *delayed_work = to_delayed_work(work);
  2226. struct tx_work *tx_work = container_of(delayed_work,
  2227. struct tx_work, work);
  2228. struct sock *sk = tx_work->sk;
  2229. struct tls_context *tls_ctx = tls_get_ctx(sk);
  2230. struct tls_sw_context_tx *ctx;
  2231. if (unlikely(!tls_ctx))
  2232. return;
  2233. ctx = tls_sw_ctx_tx(tls_ctx);
  2234. if (test_bit(BIT_TX_CLOSING, &ctx->tx_bitmask))
  2235. return;
  2236. if (!test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask))
  2237. return;
  2238. if (mutex_trylock(&tls_ctx->tx_lock)) {
  2239. lock_sock(sk);
  2240. tls_tx_records(sk, -1);
  2241. release_sock(sk);
  2242. mutex_unlock(&tls_ctx->tx_lock);
  2243. } else if (!test_and_set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask)) {
  2244. /* Someone is holding the tx_lock, they will likely run Tx
  2245. * and cancel the work on their way out of the lock section.
  2246. * Schedule a long delay just in case.
  2247. */
  2248. schedule_delayed_work(&ctx->tx_work.work, msecs_to_jiffies(10));
  2249. }
  2250. }
  2251. static bool tls_is_tx_ready(struct tls_sw_context_tx *ctx)
  2252. {
  2253. struct tls_rec *rec;
  2254. rec = list_first_entry_or_null(&ctx->tx_list, struct tls_rec, list);
  2255. if (!rec)
  2256. return false;
  2257. return READ_ONCE(rec->tx_ready);
  2258. }
  2259. void tls_sw_write_space(struct sock *sk, struct tls_context *ctx)
  2260. {
  2261. struct tls_sw_context_tx *tx_ctx = tls_sw_ctx_tx(ctx);
  2262. /* Schedule the transmission if tx list is ready */
  2263. if (tls_is_tx_ready(tx_ctx) &&
  2264. !test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask))
  2265. schedule_delayed_work(&tx_ctx->tx_work.work, 0);
  2266. }
  2267. void tls_sw_strparser_arm(struct sock *sk, struct tls_context *tls_ctx)
  2268. {
  2269. struct tls_sw_context_rx *rx_ctx = tls_sw_ctx_rx(tls_ctx);
  2270. write_lock_bh(&sk->sk_callback_lock);
  2271. rx_ctx->saved_data_ready = sk->sk_data_ready;
  2272. sk->sk_data_ready = tls_data_ready;
  2273. write_unlock_bh(&sk->sk_callback_lock);
  2274. }
  2275. void tls_update_rx_zc_capable(struct tls_context *tls_ctx)
  2276. {
  2277. struct tls_sw_context_rx *rx_ctx = tls_sw_ctx_rx(tls_ctx);
  2278. rx_ctx->zc_capable = tls_ctx->rx_no_pad ||
  2279. tls_ctx->prot_info.version != TLS_1_3_VERSION;
  2280. }
  2281. static struct tls_sw_context_tx *init_ctx_tx(struct tls_context *ctx, struct sock *sk)
  2282. {
  2283. struct tls_sw_context_tx *sw_ctx_tx;
  2284. if (!ctx->priv_ctx_tx) {
  2285. sw_ctx_tx = kzalloc_obj(*sw_ctx_tx);
  2286. if (!sw_ctx_tx)
  2287. return NULL;
  2288. } else {
  2289. sw_ctx_tx = ctx->priv_ctx_tx;
  2290. }
  2291. crypto_init_wait(&sw_ctx_tx->async_wait);
  2292. atomic_set(&sw_ctx_tx->encrypt_pending, 1);
  2293. INIT_LIST_HEAD(&sw_ctx_tx->tx_list);
  2294. INIT_DELAYED_WORK(&sw_ctx_tx->tx_work.work, tx_work_handler);
  2295. sw_ctx_tx->tx_work.sk = sk;
  2296. return sw_ctx_tx;
  2297. }
  2298. static struct tls_sw_context_rx *init_ctx_rx(struct tls_context *ctx)
  2299. {
  2300. struct tls_sw_context_rx *sw_ctx_rx;
  2301. if (!ctx->priv_ctx_rx) {
  2302. sw_ctx_rx = kzalloc_obj(*sw_ctx_rx);
  2303. if (!sw_ctx_rx)
  2304. return NULL;
  2305. } else {
  2306. sw_ctx_rx = ctx->priv_ctx_rx;
  2307. }
  2308. crypto_init_wait(&sw_ctx_rx->async_wait);
  2309. atomic_set(&sw_ctx_rx->decrypt_pending, 1);
  2310. init_waitqueue_head(&sw_ctx_rx->wq);
  2311. skb_queue_head_init(&sw_ctx_rx->rx_list);
  2312. skb_queue_head_init(&sw_ctx_rx->async_hold);
  2313. return sw_ctx_rx;
  2314. }
  2315. int init_prot_info(struct tls_prot_info *prot,
  2316. const struct tls_crypto_info *crypto_info,
  2317. const struct tls_cipher_desc *cipher_desc)
  2318. {
  2319. u16 nonce_size = cipher_desc->nonce;
  2320. if (crypto_info->version == TLS_1_3_VERSION) {
  2321. nonce_size = 0;
  2322. prot->aad_size = TLS_HEADER_SIZE;
  2323. prot->tail_size = 1;
  2324. } else {
  2325. prot->aad_size = TLS_AAD_SPACE_SIZE;
  2326. prot->tail_size = 0;
  2327. }
  2328. /* Sanity-check the sizes for stack allocations. */
  2329. if (nonce_size > TLS_MAX_IV_SIZE || prot->aad_size > TLS_MAX_AAD_SIZE)
  2330. return -EINVAL;
  2331. prot->version = crypto_info->version;
  2332. prot->cipher_type = crypto_info->cipher_type;
  2333. prot->prepend_size = TLS_HEADER_SIZE + nonce_size;
  2334. prot->tag_size = cipher_desc->tag;
  2335. prot->overhead_size = prot->prepend_size + prot->tag_size + prot->tail_size;
  2336. prot->iv_size = cipher_desc->iv;
  2337. prot->salt_size = cipher_desc->salt;
  2338. prot->rec_seq_size = cipher_desc->rec_seq;
  2339. return 0;
  2340. }
  2341. static void tls_finish_key_update(struct sock *sk, struct tls_context *tls_ctx)
  2342. {
  2343. struct tls_sw_context_rx *ctx = tls_ctx->priv_ctx_rx;
  2344. WRITE_ONCE(ctx->key_update_pending, false);
  2345. /* wake-up pre-existing poll() */
  2346. ctx->saved_data_ready(sk);
  2347. }
  2348. int tls_set_sw_offload(struct sock *sk, int tx,
  2349. struct tls_crypto_info *new_crypto_info)
  2350. {
  2351. struct tls_crypto_info *crypto_info, *src_crypto_info;
  2352. struct tls_sw_context_tx *sw_ctx_tx = NULL;
  2353. struct tls_sw_context_rx *sw_ctx_rx = NULL;
  2354. const struct tls_cipher_desc *cipher_desc;
  2355. char *iv, *rec_seq, *key, *salt;
  2356. struct cipher_context *cctx;
  2357. struct tls_prot_info *prot;
  2358. struct crypto_aead **aead;
  2359. struct tls_context *ctx;
  2360. struct crypto_tfm *tfm;
  2361. int rc = 0;
  2362. ctx = tls_get_ctx(sk);
  2363. prot = &ctx->prot_info;
  2364. /* new_crypto_info != NULL means rekey */
  2365. if (!new_crypto_info) {
  2366. if (tx) {
  2367. ctx->priv_ctx_tx = init_ctx_tx(ctx, sk);
  2368. if (!ctx->priv_ctx_tx)
  2369. return -ENOMEM;
  2370. } else {
  2371. ctx->priv_ctx_rx = init_ctx_rx(ctx);
  2372. if (!ctx->priv_ctx_rx)
  2373. return -ENOMEM;
  2374. }
  2375. }
  2376. if (tx) {
  2377. sw_ctx_tx = ctx->priv_ctx_tx;
  2378. crypto_info = &ctx->crypto_send.info;
  2379. cctx = &ctx->tx;
  2380. aead = &sw_ctx_tx->aead_send;
  2381. } else {
  2382. sw_ctx_rx = ctx->priv_ctx_rx;
  2383. crypto_info = &ctx->crypto_recv.info;
  2384. cctx = &ctx->rx;
  2385. aead = &sw_ctx_rx->aead_recv;
  2386. }
  2387. src_crypto_info = new_crypto_info ?: crypto_info;
  2388. cipher_desc = get_cipher_desc(src_crypto_info->cipher_type);
  2389. if (!cipher_desc) {
  2390. rc = -EINVAL;
  2391. goto free_priv;
  2392. }
  2393. rc = init_prot_info(prot, src_crypto_info, cipher_desc);
  2394. if (rc)
  2395. goto free_priv;
  2396. iv = crypto_info_iv(src_crypto_info, cipher_desc);
  2397. key = crypto_info_key(src_crypto_info, cipher_desc);
  2398. salt = crypto_info_salt(src_crypto_info, cipher_desc);
  2399. rec_seq = crypto_info_rec_seq(src_crypto_info, cipher_desc);
  2400. if (!*aead) {
  2401. *aead = crypto_alloc_aead(cipher_desc->cipher_name, 0, 0);
  2402. if (IS_ERR(*aead)) {
  2403. rc = PTR_ERR(*aead);
  2404. *aead = NULL;
  2405. goto free_priv;
  2406. }
  2407. }
  2408. ctx->push_pending_record = tls_sw_push_pending_record;
  2409. /* setkey is the last operation that could fail during a
  2410. * rekey. if it succeeds, we can start modifying the
  2411. * context.
  2412. */
  2413. rc = crypto_aead_setkey(*aead, key, cipher_desc->key);
  2414. if (rc) {
  2415. if (new_crypto_info)
  2416. goto out;
  2417. else
  2418. goto free_aead;
  2419. }
  2420. if (!new_crypto_info) {
  2421. rc = crypto_aead_setauthsize(*aead, prot->tag_size);
  2422. if (rc)
  2423. goto free_aead;
  2424. }
  2425. if (!tx && !new_crypto_info) {
  2426. tfm = crypto_aead_tfm(sw_ctx_rx->aead_recv);
  2427. tls_update_rx_zc_capable(ctx);
  2428. sw_ctx_rx->async_capable =
  2429. src_crypto_info->version != TLS_1_3_VERSION &&
  2430. !!(tfm->__crt_alg->cra_flags & CRYPTO_ALG_ASYNC);
  2431. rc = tls_strp_init(&sw_ctx_rx->strp, sk);
  2432. if (rc)
  2433. goto free_aead;
  2434. }
  2435. memcpy(cctx->iv, salt, cipher_desc->salt);
  2436. memcpy(cctx->iv + cipher_desc->salt, iv, cipher_desc->iv);
  2437. memcpy(cctx->rec_seq, rec_seq, cipher_desc->rec_seq);
  2438. if (new_crypto_info) {
  2439. unsafe_memcpy(crypto_info, new_crypto_info,
  2440. cipher_desc->crypto_info,
  2441. /* size was checked in do_tls_setsockopt_conf */);
  2442. memzero_explicit(new_crypto_info, cipher_desc->crypto_info);
  2443. if (!tx)
  2444. tls_finish_key_update(sk, ctx);
  2445. }
  2446. goto out;
  2447. free_aead:
  2448. crypto_free_aead(*aead);
  2449. *aead = NULL;
  2450. free_priv:
  2451. if (!new_crypto_info) {
  2452. if (tx) {
  2453. kfree(ctx->priv_ctx_tx);
  2454. ctx->priv_ctx_tx = NULL;
  2455. } else {
  2456. kfree(ctx->priv_ctx_rx);
  2457. ctx->priv_ctx_rx = NULL;
  2458. }
  2459. }
  2460. out:
  2461. return rc;
  2462. }