From patchwork Mon Nov 23 17:43:02 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dave Watson X-Patchwork-Id: 7684541 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: X-Original-To: patchwork-linux-crypto@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 30DDD9F1D3 for ; Mon, 23 Nov 2015 17:43:25 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id DA2BE207BF for ; Mon, 23 Nov 2015 17:43:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 70870207B5 for ; Mon, 23 Nov 2015 17:43:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753911AbbKWRnT (ORCPT ); Mon, 23 Nov 2015 12:43:19 -0500 Received: from mx0a-00082601.pphosted.com ([67.231.145.42]:35595 "EHLO mx0a-00082601.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752813AbbKWRnR (ORCPT ); Mon, 23 Nov 2015 12:43:17 -0500 Received: from pps.filterd (m0044008.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.15.0.59/8.15.0.59) with SMTP id tANHY5dJ029321; Mon, 23 Nov 2015 09:43:06 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fb.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : in-reply-to; s=facebook; bh=NgmGmDBOGzZ+r227CQTZiRMfmk3yB/mD4Sh0lBXNbX8=; b=P0T+H+fGHyxjbdM2VAc7BtsVWvDotcMnRfURszUwtmDhczfYaGB9sfnURgg4HGrmrIZY RuOTgqaZVxcNYVrpFWLOeTrBno3DSTyVFmBo79Fjm4Vdo1EmWW1ra3HsRp7xSXpFl397 TTFzRAQS9RBnNipPkqcXzmsPOVRoXJmlxs0= Received: from mail.thefacebook.com ([199.201.64.23]) by mx0a-00082601.pphosted.com with ESMTP id 1yc75y02u0-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Mon, 23 Nov 2015 09:43:06 -0800 Received: from devbig217.prn1.facebook.com (192.168.52.123) by mail.thefacebook.com (192.168.16.16) with Microsoft SMTP Server (TLS) id 14.3.248.2; Mon, 23 Nov 2015 09:43:02 -0800 Date: Mon, 23 Nov 2015 09:43:02 -0800 From: Dave Watson To: Tom Herbert , , , Sowmini Varadhan , Herbert Xu , CC: , Subject: [RFC PATCH 2/2] Crypto kernel tls socket Message-ID: Mail-Followup-To: Tom Herbert , netdev@vger.kernel.org, davem@davemloft.net, Sowmini Varadhan , Herbert Xu , linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@fb.com References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.20 (2009-12-10) X-Originating-IP: [192.168.52.123] X-Proofpoint-Spam-Reason: safe X-FB-Internal: Safe X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2015-11-23_08:, , signatures=0 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Spam-Status: No, score=-7.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Userspace crypto interface for TLS. Currently supports gcm(aes) 128bit only, however the interface is the same as the rest of the SOCK_ALG interface, so it should be possible to add more without any user interface changes. Currently gcm(aes) represents ~80% of our SSL connections. Userspace interface: 1) A transform and op socket are created using the userspace crypto interface 2) Setsockopt ALG_SET_AUTHSIZE is called 3) Setsockopt ALG_SET_KEY is called twice, since we need both send/recv keys 4) ALG_SET_IV cmsgs are sent twice, since we need both send/recv IVs. To support userspace heartbeats, changeciphersuite, etc, we would also need to get these back out, use them, then reset them via CMSG. 5) ALG_SET_OP cmsg is overloaded to mean FD to read/write from. Example program: https://github.com/djwatson/ktls At a high level, this could be implemented on TCP sockets directly instead with various tradeoffs. The userspace crypto interface might benefit from some interface tweaking to deal with multiple keys / ivs better. The crypto accept() op socket interface isn't a great fit, since there are never multiple parallel operations. There's also some questions around using skbuffs instead of scatterlists for send/recv, and if we are buffering on recv, when we should be decrypting the data. --- crypto/Kconfig | 12 + crypto/Makefile | 1 + crypto/algif_tls.c | 1233 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 1246 insertions(+) create mode 100644 crypto/algif_tls.c -- 2.4.6 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/crypto/Kconfig b/crypto/Kconfig index 7240821..c15638a 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -1639,6 +1639,18 @@ config CRYPTO_USER_API_AEAD This option enables the user-spaces interface for AEAD cipher algorithms. +config CRYPTO_USER_API_TLS + tristate "User-space interface for TLS net sockets" + depends on NET + select CRYPTO_AEAD + select CRYPTO_USER_API + help + This option enables kernel TLS socket framing + cipher algorithms. TLS framing is added/removed and + chained to a TCP socket. Handshake is done in + userspace. + + config CRYPTO_HASH_INFO bool diff --git a/crypto/Makefile b/crypto/Makefile index f7aba92..fc26012 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -121,6 +121,7 @@ obj-$(CONFIG_CRYPTO_USER_API_HASH) += algif_hash.o obj-$(CONFIG_CRYPTO_USER_API_SKCIPHER) += algif_skcipher.o obj-$(CONFIG_CRYPTO_USER_API_RNG) += algif_rng.o obj-$(CONFIG_CRYPTO_USER_API_AEAD) += algif_aead.o +obj-$(CONFIG_CRYPTO_USER_API_TLS) += algif_tls.o # # generic algorithms and the async_tx api diff --git a/crypto/algif_tls.c b/crypto/algif_tls.c new file mode 100644 index 0000000..123ade3 --- /dev/null +++ b/crypto/algif_tls.c @@ -0,0 +1,1233 @@ +/* + * algif_tls: User-space interface for TLS + * + * Copyright (C) 2015, Dave Watson + * + * This file provides the user-space API for AEAD ciphers. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define TLS_HEADER_SIZE 13 +#define TLS_TAG_SIZE 16 +#define TLS_IV_SIZE 8 +#define TLS_PADDED_AADLEN 16 +#define TLS_MAX_MESSAGE_LEN (1 << 14) + +/* Bytes not included in tls msg size field */ +#define TLS_FRAMING_SIZE 5 + +#define TLS_APPLICATION_DATA_MSG 0x17 +#define TLS_VERSION 3 + +struct tls_tfm_pair { + struct crypto_aead *tfm_send; + struct crypto_aead *tfm_recv; + int cur_setkey; +}; + +static struct workqueue_struct *tls_wq; + +struct tls_sg_list { + unsigned int cur; + struct scatterlist sg[ALG_MAX_PAGES]; +}; + +#define RSGL_MAX_ENTRIES ALG_MAX_PAGES + +struct tls_ctx { + /* Send and encrypted transmit buffers */ + struct tls_sg_list tsgl; + struct scatterlist tcsgl[ALG_MAX_PAGES]; + + /* Encrypted receive and receive buffers. */ + struct tls_sg_list rcsgl; + struct af_alg_sgl rsgl[RSGL_MAX_ENTRIES]; + + /* Sequence numbers. */ + int iv_set; + void *iv_send; + void *iv_recv; + + struct af_alg_completion completion; + + /* Bytes to send */ + unsigned long used; + + /* padded */ + size_t aead_assoclen; + /* unpadded */ + size_t assoclen; + struct aead_request aead_req; + struct aead_request aead_resp; + + bool more; + bool merge; + + /* Chained TCP socket */ + struct sock *sock; + struct socket *socket; + + void (*save_data_ready)(struct sock *sk); + void (*save_write_space)(struct sock *sk); + void (*save_state_change)(struct sock *sk); + struct work_struct tx_work; + struct work_struct rx_work; + + /* This socket for use with above callbacks */ + struct sock *alg_sock; + + /* Send buffer tracking */ + int page_to_send; + int tcsgl_size; + + /* Recv buffer tracking */ + int recv_wanted; + int recved_len; + + /* Receive AAD. */ + unsigned char buf[24]; +}; + +static void increment_seqno(u64 *seqno) +{ + u64 seq_h = be64_to_cpu(*seqno); + + seq_h++; + *seqno = cpu_to_be64(seq_h); +} + +static int do_tls_kernel_sendpage(struct sock *sk); + +static int tls_wait_for_data(struct sock *sk, unsigned flags) +{ + struct alg_sock *ask = alg_sk(sk); + struct tls_ctx *ctx = ask->private; + long timeout; + DEFINE_WAIT(wait); + int err = -ERESTARTSYS; + + if (flags & MSG_DONTWAIT) + return -EAGAIN; + + set_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags); + + for (;;) { + if (signal_pending(current)) + break; + prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + timeout = MAX_SCHEDULE_TIMEOUT; + if (sk_wait_event(sk, &timeout, + ctx->recved_len == ctx->recv_wanted)) { + err = 0; + break; + } + } + finish_wait(sk_sleep(sk), &wait); + + clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags); + + return err; +} + +static int tls_wait_for_write_space(struct sock *sk, unsigned flags) +{ + struct alg_sock *ask = alg_sk(sk); + struct tls_ctx *ctx = ask->private; + long timeout; + DEFINE_WAIT(wait); + int err = -ERESTARTSYS; + + if (flags & MSG_DONTWAIT) + return -EAGAIN; + + set_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags); + + for (;;) { + if (signal_pending(current)) + break; + prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + timeout = MAX_SCHEDULE_TIMEOUT; + if (sk_wait_event(sk, &timeout, !ctx->page_to_send)) { + err = 0; + break; + } + } + finish_wait(sk_sleep(sk), &wait); + + clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags); + + return err; +} + +static inline int tls_sndbuf(struct sock *sk) +{ + struct alg_sock *ask = alg_sk(sk); + struct tls_ctx *ctx = ask->private; + + return max_t(int, max_t(int, sk->sk_sndbuf & PAGE_MASK, PAGE_SIZE) - + ctx->used, 0); +} + +static inline bool tls_writable(struct sock *sk) +{ + return tls_sndbuf(sk) >= PAGE_SIZE; +} + + +static void tls_put_sgl(struct sock *sk) +{ + struct alg_sock *ask = alg_sk(sk); + struct tls_ctx *ctx = ask->private; + struct tls_sg_list *sgl = &ctx->tsgl; + struct scatterlist *sg = sgl->sg; + unsigned int i; + + for (i = 0; i < sgl->cur; i++) { + if (!sg_page(sg + i)) + continue; + + put_page(sg_page(sg + i)); + sg_assign_page(sg + i, NULL); + } + sg_init_table(sg, ALG_MAX_PAGES); + sgl->cur = 0; + ctx->used = 0; + ctx->more = 0; + ctx->merge = 0; +} + +static void tls_wmem_wakeup(struct sock *sk) +{ + struct socket_wq *wq; + + if (!tls_writable(sk)) + return; + + rcu_read_lock(); + wq = rcu_dereference(sk->sk_wq); + if (wq_has_sleeper(wq)) + wake_up_interruptible_sync_poll(&wq->wait, POLLIN | + POLLRDNORM | + POLLRDBAND); + sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN); + rcu_read_unlock(); +} + +static void tls_put_rcsgl(struct sock *sk) +{ + struct alg_sock *ask = alg_sk(sk); + struct tls_ctx *ctx = ask->private; + struct tls_sg_list *sgl = &ctx->rcsgl; + int i; + + for (i = 0; i < sgl->cur; i++) + put_page(sg_page(&sgl->sg[i])); + sgl->cur = 0; + sg_init_table(&sgl->sg[0], ALG_MAX_PAGES); +} + + +static void tls_sock_state_change(struct sock *sk) +{ + struct tls_ctx *ctx; + + ctx = (struct tls_ctx *)sk->sk_user_data; + + switch (sk->sk_state) { + case TCP_CLOSE: + case TCP_CLOSE_WAIT: + case TCP_ESTABLISHED: + ctx->alg_sock->sk_state = sk->sk_state; + ctx->alg_sock->sk_state_change(ctx->alg_sock); + tls_wmem_wakeup(ctx->alg_sock); + + break; + default: /* Everything else is uninteresting */ + break; + } +} + +/* Both socket lock held */ +static ssize_t tls_socket_splice(struct sock *sk, + struct pipe_inode_info *pipe, + struct splice_pipe_desc *spd) { + struct tls_ctx *ctx = (struct tls_ctx *)pipe; + struct tls_sg_list *sgl = &ctx->rcsgl; + + unsigned int spd_pages = spd->nr_pages; + int ret = 0; + int page_nr = 0; + + while (spd->nr_pages > 0) { + if (sgl->cur < ALG_MAX_PAGES) { + struct scatterlist *sg = &sgl->sg[sgl->cur]; + + sg_assign_page(sg, spd->pages[page_nr]); + sg->offset = spd->partial[page_nr].offset; + sg->length = spd->partial[page_nr].len; + sgl->cur++; + + ret += spd->partial[page_nr].len; + page_nr++; + + --spd->nr_pages; + } else { + sk->sk_err = -ENOMEM; + break; + } + } + + while (page_nr < spd_pages) + spd->spd_release(spd, page_nr++); + + ctx->recved_len += ret; + + if (ctx->recved_len == ctx->recv_wanted || sk->sk_err) + tls_wmem_wakeup(ctx->alg_sock); + + return ret; +} + +/* Both socket lock held */ +static int tls_tcp_recv(read_descriptor_t *desc, struct sk_buff *skb, + unsigned int offset, size_t len) +{ + int ret; + + ret = skb_splice_bits(skb, skb->sk, offset, desc->arg.data, + min(desc->count, len), + 0, tls_socket_splice); + if (ret > 0) + desc->count -= ret; + + return ret; +} + +static int tls_tcp_read_sock(struct tls_ctx *ctx) +{ + struct sock *sk = ctx->alg_sock; + + struct msghdr msg = {}; + struct kvec iov; + read_descriptor_t desc; + + desc.arg.data = ctx; + desc.error = 0; + + lock_sock(sk); + + iov.iov_base = ctx->buf; + iov.iov_len = TLS_HEADER_SIZE; + + if (ctx->recv_wanted == -1) { + unsigned int encrypted_size = 0; + + /* Peek at framing. + * + * We only handle TLS message type 0x17, application_data. + * + * Otherwise set an error on the socket and let + * userspace handle the message types + * change_cipher_spec, alert, handshake + * + */ + int bytes = kernel_recvmsg(ctx->socket, &msg, &iov, 1, + iov.iov_len, MSG_PEEK | MSG_DONTWAIT); + + if (bytes <= 0) + goto unlock; + + if (ctx->buf[0] != TLS_APPLICATION_DATA_MSG) { + sk->sk_err = -EBADMSG; + desc.error = sk->sk_err; + goto unlock; + } + + if (bytes < TLS_HEADER_SIZE) + goto unlock; + + + encrypted_size = ctx->buf[4] | (ctx->buf[3] << 8); + + /* Verify encrypted size looks sane */ + if (encrypted_size > TLS_MAX_MESSAGE_LEN + TLS_TAG_SIZE + + TLS_HEADER_SIZE - TLS_FRAMING_SIZE) { + sk->sk_err = -EINVAL; + desc.error = sk->sk_err; + goto unlock; + } + /* encrypted_size field doesn't include 5 bytes of framing */ + ctx->recv_wanted = encrypted_size + TLS_FRAMING_SIZE; + + /* Flush header bytes. We peeked at before, we will + * handle this message type + */ + bytes = kernel_recvmsg(ctx->socket, &msg, &iov, 1, + iov.iov_len, MSG_DONTWAIT); + WARN_ON(bytes != TLS_HEADER_SIZE); + ctx->recved_len = TLS_HEADER_SIZE; + } + + if (ctx->recv_wanted <= 0) + goto unlock; + + desc.count = ctx->recv_wanted - ctx->recved_len; + + if (desc.count > 0) { + lock_sock(ctx->sock); + + tcp_read_sock(ctx->sock, &desc, tls_tcp_recv); + + release_sock(ctx->sock); + } + +unlock: + if (desc.error) + tls_wmem_wakeup(ctx->alg_sock); + + release_sock(sk); + + return desc.error; +} + +static void tls_tcp_data_ready(struct sock *sk) +{ + struct tls_ctx *ctx; + + read_lock_bh(&sk->sk_callback_lock); + + ctx = (struct tls_ctx *)sk->sk_user_data; + + queue_work(tls_wq, &ctx->rx_work); + + read_unlock_bh(&sk->sk_callback_lock); +} + +static void tls_tcp_write_space(struct sock *sk) +{ + struct tls_ctx *ctx; + + read_lock_bh(&sk->sk_callback_lock); + + ctx = (struct tls_ctx *)sk->sk_user_data; + + queue_work(tls_wq, &ctx->tx_work); + + read_unlock_bh(&sk->sk_callback_lock); +} + +static void tls_rx_work(struct work_struct *w) +{ + struct tls_ctx *ctx = container_of(w, struct tls_ctx, rx_work); + + tls_tcp_read_sock(ctx); +} + +static void tls_tx_work(struct work_struct *w) +{ + struct tls_ctx *ctx = container_of(w, struct tls_ctx, tx_work); + struct sock *sk = ctx->alg_sock; + int err; + + lock_sock(sk); + + err = do_tls_kernel_sendpage(sk); + if (err < 0) { + /* Hard failure in write, report error on KCM socket */ + pr_warn("TLS: Hard failure on do_tls_sendpage %d\n", err); + sk->sk_err = -err; + tls_wmem_wakeup(sk); + goto out; + } + +out: + release_sock(sk); +} + +static int do_tls_kernel_sendpage(struct sock *sk) +{ + struct alg_sock *ask = alg_sk(sk); + struct tls_ctx *ctx = ask->private; + int err = 0; + int i; + + if (ctx->page_to_send == 0) + return err; + for (; ctx->page_to_send < ctx->tcsgl_size; ctx->page_to_send++) { + int flags = MSG_DONTWAIT; + + if (ctx->page_to_send != ctx->tcsgl_size - 1) + flags |= MSG_MORE; + err = kernel_sendpage(ctx->sock->sk_socket, + sg_page(&ctx->tcsgl[ctx->page_to_send]), + ctx->tcsgl[ctx->page_to_send].offset, + ctx->tcsgl[ctx->page_to_send].length, + flags); + if (err <= 0) { + if (err == -EAGAIN) { + /* Don't forward EAGAIN */ + err = 0; + goto out; + } + goto out; + } + } + + ctx->page_to_send = 0; + + increment_seqno(ctx->iv_send); + + + for (i = 1; i < ctx->tcsgl_size; i++) + put_page(sg_page(&ctx->tcsgl[i])); + + tls_wmem_wakeup(sk); +out: + + return err; +} + +static int do_tls_sendpage(struct sock *sk) +{ + struct alg_sock *ask = alg_sk(sk); + struct tls_ctx *ctx = ask->private; + struct tls_sg_list *sgl = &ctx->tsgl; + + int used = ctx->used; + + unsigned ivsize = + crypto_aead_ivsize(crypto_aead_reqtfm(&ctx->aead_req)); + int encrypted_size = ivsize + used + + crypto_aead_authsize(crypto_aead_reqtfm(&ctx->aead_req)); + + /* Ensure enough space in sg list for tag. */ + struct scatterlist *sg = &ctx->tcsgl[1]; + int bytes_needed = used + TLS_HEADER_SIZE + TLS_TAG_SIZE; + int err = -ENOMEM; + + struct page *p; + unsigned char *framing; + unsigned char aad[ctx->aead_assoclen]; + struct scatterlist sgaad[2]; + + WARN_ON(used > TLS_MAX_MESSAGE_LEN); + + /* Framing will be put in first sg */ + ctx->tcsgl_size = 1; + + do { + sg_assign_page(sg, alloc_page(GFP_KERNEL)); + if (!sg_page(sg)) + goto unlock; + + sg_unmark_end(sg); + sg->offset = 0; + sg->length = PAGE_SIZE; + if (bytes_needed < PAGE_SIZE) + sg->length = bytes_needed; + + ctx->tcsgl_size++; + sg = &ctx->tcsgl[ctx->tcsgl_size]; + bytes_needed -= PAGE_SIZE; + } while (bytes_needed > 0); + + p = sg_page(&ctx->tcsgl[1]); + + sg = &ctx->tcsgl[0]; + + sg->offset = 0; + sg->length = TLS_PADDED_AADLEN + TLS_IV_SIZE; + sg_assign_page(sg, p); + + sg = &ctx->tcsgl[1]; + sg->offset = TLS_HEADER_SIZE; + sg->length = sg->length - TLS_HEADER_SIZE; + + sg_mark_end(&ctx->tcsgl[ctx->tcsgl_size - 1]); + framing = page_address(p); + + /* Hardcoded to TLS 1.2 */ + memset(framing, 0, ctx->aead_assoclen); + framing[0] = TLS_APPLICATION_DATA_MSG; + framing[1] = TLS_VERSION; + framing[2] = TLS_VERSION; + framing[3] = encrypted_size >> 8; + framing[4] = encrypted_size & 0xff; + /* Per spec, iv_send can be used as nonce */ + memcpy(framing + 5, ctx->iv_send, TLS_IV_SIZE); + + memset(aad, 0, ctx->aead_assoclen); + memcpy(aad, ctx->iv_send, TLS_IV_SIZE); + + aad[8] = TLS_APPLICATION_DATA_MSG; + aad[9] = TLS_VERSION; + aad[10] = TLS_VERSION; + aad[11] = used >> 8; + aad[12] = used & 0xff; + + sg_set_buf(&sgaad[0], aad, ctx->aead_assoclen); + sg_unmark_end(sgaad); + sg_chain(sgaad, 2, sgl->sg); + + sg_mark_end(sgl->sg + sgl->cur - 1); + aead_request_set_crypt(&ctx->aead_req, sgaad, ctx->tcsgl, + used, ctx->iv_send); + aead_request_set_ad(&ctx->aead_req, ctx->assoclen); + + err = af_alg_wait_for_completion(crypto_aead_encrypt(&ctx->aead_req), + &ctx->completion); + + if (err) { + /* EBADMSG implies a valid cipher operation took place */ + if (err == -EBADMSG) + tls_put_sgl(sk); + goto unlock; + } + + ctx->tcsgl[1].length += TLS_HEADER_SIZE; + ctx->tcsgl[1].offset = 0; + + ctx->page_to_send = 1; + + tls_put_sgl(sk); + + err = do_tls_kernel_sendpage(sk); + +unlock: + + return err; +} + +static int tls_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) +{ + struct sock *sk = sock->sk; + struct alg_sock *ask = alg_sk(sk); + struct tls_ctx *ctx = ask->private; + struct tls_sg_list *sgl = &ctx->tsgl; + unsigned ivsize = + crypto_aead_ivsize(crypto_aead_reqtfm(&ctx->aead_req)); + struct af_alg_control con = {}; + long copied = 0; + bool init = 0; + int err = -EINVAL; + + struct socket *csock = NULL; + struct sock *csk = NULL; + + if (msg->msg_controllen) { + init = 1; + err = af_alg_cmsg_send(msg, &con); + if (err) + return err; + + if (!ctx->sock) { + if (!con.op) { + err = -EINVAL; + return err; + } + csock = sockfd_lookup(con.op, &err); + if (!csock) + return -ENOENT; + csk = csock->sk; + ctx->sock = csk; + ctx->socket = csock; + ctx->alg_sock = sk; + if (!ctx->sock) { + err = -EINVAL; + fput(csock->file); + return err; + } + } + + if (con.iv && con.iv->ivlen != ivsize) + return -EINVAL; + } + + lock_sock(sk); + + if (!ctx->more && ctx->used) + goto unlock; + + if (init) { + if (con.iv) { + if (ctx->iv_set == 0) { + ctx->iv_set = 1; + memcpy(ctx->iv_send, con.iv->iv, ivsize); + } else { + memcpy(ctx->iv_recv, con.iv->iv, ivsize); + } + } + + if (con.aead_assoclen) { + ctx->assoclen = con.aead_assoclen; + /* Pad out assoclen to 4-byte boundary */ + ctx->aead_assoclen = (con.aead_assoclen + 3) & ~3; + } + + if (csk) { + write_lock_bh(&csk->sk_callback_lock); + ctx->save_data_ready = csk->sk_data_ready; + ctx->save_write_space = csk->sk_write_space; + ctx->save_state_change = csk->sk_state_change; + csk->sk_user_data = ctx; + csk->sk_data_ready = tls_tcp_data_ready; + csk->sk_write_space = tls_tcp_write_space; + csk->sk_state_change = tls_sock_state_change; + write_unlock_bh(&csk->sk_callback_lock); + } + } + + if (sk->sk_err) + goto out_error; + + while (size) { + unsigned long len = size; + struct scatterlist *sg = NULL; + + /* use the existing memory in an allocated page */ + if (ctx->merge) { + sg = sgl->sg + sgl->cur - 1; + len = min_t(unsigned long, len, + PAGE_SIZE - sg->offset - sg->length); + + if (ctx->page_to_send != 0) { + err = tls_wait_for_write_space( + sk, msg->msg_flags); + if (err) + goto unlock; + } + + if (ctx->used + len > TLS_MAX_MESSAGE_LEN) { + err = do_tls_sendpage(sk); + if (err < 0) + goto unlock; + + continue; + } + + err = memcpy_from_msg(page_address(sg_page(sg)) + + sg->offset + sg->length, + msg, len); + if (err) + goto unlock; + + sg->length += len; + ctx->merge = (sg->offset + sg->length) & + (PAGE_SIZE - 1); + + ctx->used += len; + copied += len; + size -= len; + continue; + } + + if (!tls_writable(sk)) { + /* user space sent too much data */ + tls_put_sgl(sk); + err = -EMSGSIZE; + goto unlock; + } + + /* allocate a new page */ + len = min_t(unsigned long, size, tls_sndbuf(sk)); + while (len) { + int plen = 0; + + if (sgl->cur >= ALG_MAX_PAGES) { + tls_put_sgl(sk); + err = -E2BIG; + goto unlock; + } + + sg = sgl->sg + sgl->cur; + plen = min_t(int, len, PAGE_SIZE); + + if (ctx->page_to_send != 0) { + err = tls_wait_for_write_space( + sk, msg->msg_flags); + if (err) + goto unlock; + } + + if (ctx->used + plen > TLS_MAX_MESSAGE_LEN) { + err = do_tls_sendpage(sk); + if (err < 0) + goto unlock; + continue; + } + + sg_assign_page(sg, alloc_page(GFP_KERNEL)); + err = -ENOMEM; + if (!sg_page(sg)) + goto unlock; + + err = memcpy_from_msg(page_address(sg_page(sg)), + msg, plen); + if (err) { + __free_page(sg_page(sg)); + sg_assign_page(sg, NULL); + goto unlock; + } + + sg->offset = 0; + sg->length = plen; + len -= plen; + ctx->used += plen; + copied += plen; + sgl->cur++; + size -= plen; + ctx->merge = plen & (PAGE_SIZE - 1); + } + } + + err = 0; + + ctx->more = msg->msg_flags & MSG_MORE; + + if (ctx->more && ctx->used < TLS_MAX_MESSAGE_LEN) + goto unlock; + + if (ctx->page_to_send != 0) { + err = tls_wait_for_write_space(sk, msg->msg_flags); + if (err) + goto unlock; + } + + err = do_tls_sendpage(sk); + +unlock: + release_sock(sk); + + return err ?: copied; + +out_error: + err = sk_stream_error(sk, msg->msg_flags, err); + release_sock(sk); + + return err; +} + +static ssize_t tls_sendpage(struct socket *sock, struct page *page, + int offset, size_t size, int flags) +{ + struct sock *sk = sock->sk; + struct alg_sock *ask = alg_sk(sk); + struct tls_ctx *ctx = ask->private; + struct tls_sg_list *sgl = &ctx->tsgl; + int err = -EINVAL; + + if (flags & MSG_SENDPAGE_NOTLAST) + flags |= MSG_MORE; + + if (sgl->cur >= ALG_MAX_PAGES) + return -E2BIG; + + lock_sock(sk); + + if (sk->sk_err) + goto out_error; + + if (ctx->page_to_send != 0) { + err = tls_wait_for_write_space(sk, flags); + if (err) + goto unlock; + } + + if (size + ctx->used > TLS_MAX_MESSAGE_LEN) { + err = do_tls_sendpage(sk); + if (err < 0) + goto unlock; + err = -EINVAL; + } + + if (!ctx->more && ctx->used) + goto unlock; + + if (!size) + goto done; + + if (!tls_writable(sk)) { + /* user space sent too much data */ + tls_put_sgl(sk); + err = -EMSGSIZE; + goto unlock; + } + + ctx->merge = 0; + + get_page(page); + sg_set_page(sgl->sg + sgl->cur, page, size, offset); + sgl->cur++; + ctx->used += size; + + err = 0; + +done: + ctx->more = flags & MSG_MORE; + + if (ctx->more && ctx->used < TLS_MAX_MESSAGE_LEN) + goto unlock; + + err = do_tls_sendpage(sk); + +unlock: + release_sock(sk); + + return err < 0 ? err : size; + +out_error: + err = sk_stream_error(sk, flags, err); + release_sock(sk); + + return err; +} + +static int tls_recvmsg(struct socket *sock, struct msghdr *msg, + size_t ignored, int flags) +{ + struct sock *sk = sock->sk; + struct alg_sock *ask = alg_sk(sk); + struct tls_ctx *ctx = ask->private; + unsigned int i = 0; + int err = -EINVAL; + size_t outlen = 0; + size_t usedpages = 0; + unsigned int cnt = 0; + + char aad_unneeded[ctx->aead_assoclen]; + struct scatterlist outaad[2]; + + struct tls_sg_list *sgl = &ctx->rcsgl; + struct scatterlist aadsg[2]; + + char buf[11]; + int used; + char *aad; + + char nonce[TLS_IV_SIZE]; + + /* Limit number of IOV blocks to be accessed below */ + if (msg->msg_iter.nr_segs > RSGL_MAX_ENTRIES) + return -ENOMSG; + + tls_tcp_read_sock(ctx); + + lock_sock(sk); + + if (sk->sk_err) + goto out_error; + + if (ctx->recved_len != ctx->recv_wanted) { + err = tls_wait_for_data(sk, flags); + if (err) + goto unlock; + } + + sg_set_buf(outaad, aad_unneeded, ctx->aead_assoclen); + sg_unmark_end(outaad); + sg_chain(outaad, 2, &ctx->rsgl[0].sg[0]); + + outlen = ctx->recv_wanted - TLS_FRAMING_SIZE - ctx->aead_assoclen; + + /* convert iovecs of output buffers into scatterlists */ + while (iov_iter_count(&msg->msg_iter)) { + size_t seglen = min_t(size_t, iov_iter_count(&msg->msg_iter), + (outlen - usedpages)); + + /* make one iovec available as scatterlist */ + err = af_alg_make_sg(&ctx->rsgl[cnt], &msg->msg_iter, + seglen); + if (err < 0) + goto unlock; + usedpages += err; + /* chain the new scatterlist with previous one */ + if (cnt) + af_alg_link_sg(&ctx->rsgl[cnt-1], &ctx->rsgl[cnt]); + + /* we do not need more iovecs as we have sufficient memory */ + if (outlen <= usedpages) + break; + iov_iter_advance(&msg->msg_iter, err); + cnt++; + } + + err = -EINVAL; + + /* ensure output buffer is sufficiently large */ + if (usedpages < outlen) + goto unlock; + + memset(buf, 0, sizeof(buf)); + + used = ctx->recv_wanted - ctx->aead_assoclen - TLS_FRAMING_SIZE; + + aad = ctx->buf; + + sg_set_buf(aadsg, ctx->buf, ctx->aead_assoclen); + sg_unmark_end(aadsg); + sg_chain(aadsg, 2, sgl->sg); + + memcpy(nonce, aad + TLS_FRAMING_SIZE, TLS_IV_SIZE); + memcpy(aad, ctx->iv_recv, TLS_IV_SIZE); + + aad[8] = TLS_APPLICATION_DATA_MSG; + aad[9] = TLS_VERSION; + aad[10] = TLS_VERSION; + aad[11] = used >> 8; + aad[12] = used & 0xff; + + sg_mark_end(sgl->sg + sgl->cur - 1); + aead_request_set_crypt(&ctx->aead_resp, aadsg, outaad, + ctx->recv_wanted + TLS_TAG_SIZE + - TLS_FRAMING_SIZE - ctx->aead_assoclen, + nonce); + aead_request_set_ad(&ctx->aead_resp, ctx->assoclen); + + err = af_alg_wait_for_completion(crypto_aead_decrypt(&ctx->aead_resp), + &ctx->completion); + + if (err) { + /* EBADMSG implies a valid cipher operation took place */ + goto unlock; + } else { + ctx->recv_wanted = -1; + ctx->recved_len = 0; + } + + increment_seqno(ctx->iv_recv); + + err = 0; + +unlock: + tls_put_rcsgl(sk); + + for (i = 0; i < cnt; i++) + af_alg_free_sg(&ctx->rsgl[i]); + + queue_work(tls_wq, &ctx->rx_work); + release_sock(sk); + + return err ? err : outlen; + +out_error: + err = sk_stream_error(sk, msg->msg_flags, err); + release_sock(sk); + + return err; +} + + +static struct proto_ops algif_tls_ops = { + .family = PF_ALG, + + .connect = sock_no_connect, + .socketpair = sock_no_socketpair, + .getname = sock_no_getname, + .ioctl = sock_no_ioctl, + .listen = sock_no_listen, + .shutdown = sock_no_shutdown, + .getsockopt = sock_no_getsockopt, + .mmap = sock_no_mmap, + .bind = sock_no_bind, + .accept = sock_no_accept, + .setsockopt = sock_no_setsockopt, + + .release = af_alg_release, + .sendmsg = tls_sendmsg, + .sendpage = tls_sendpage, + .recvmsg = tls_recvmsg, + .poll = sock_no_poll, +}; + +static void *tls_bind(const char *name, u32 type, u32 mask) +{ + struct tls_tfm_pair *pair = kmalloc(sizeof(struct tls_tfm_pair), + GFP_KERNEL); + + if (!pair) + return NULL; + pair->tfm_send = crypto_alloc_aead(name, type, mask); + if (!pair->tfm_send) + goto error; + pair->tfm_recv = crypto_alloc_aead(name, type, mask); + if (!pair->tfm_recv) + goto error; + + pair->cur_setkey = 0; + + return pair; + +error: + if (pair->tfm_send) + crypto_free_aead(pair->tfm_send); + if (pair->tfm_recv) + crypto_free_aead(pair->tfm_recv); + kfree(pair); + + return NULL; +} + +static void tls_release(void *private) +{ + struct tls_tfm_pair *pair = private; + + if (pair) { + if (pair->tfm_send) + crypto_free_aead(pair->tfm_send); + if (pair->tfm_recv) + crypto_free_aead(pair->tfm_recv); + kfree(private); + } +} + +static int tls_setauthsize(void *private, unsigned int authsize) +{ + struct tls_tfm_pair *pair = private; + + crypto_aead_setauthsize(pair->tfm_recv, authsize); + return crypto_aead_setauthsize(pair->tfm_send, authsize); +} + +static int tls_setkey(void *private, const u8 *key, unsigned int keylen) +{ + struct tls_tfm_pair *pair = private; + + if (pair->cur_setkey == 0) { + pair->cur_setkey = 1; + return crypto_aead_setkey(pair->tfm_send, key, keylen); + } else { + return crypto_aead_setkey(pair->tfm_recv, key, keylen); + } +} + +static void tls_sock_destruct(struct sock *sk) +{ + struct alg_sock *ask = alg_sk(sk); + struct tls_ctx *ctx = ask->private; + unsigned int ivlen = crypto_aead_ivsize( + crypto_aead_reqtfm(&ctx->aead_req)); + + + + cancel_work_sync(&ctx->tx_work); + cancel_work_sync(&ctx->rx_work); + + /* Stop getting callbacks from TCP socket. */ + write_lock_bh(&ctx->sock->sk_callback_lock); + if (ctx->sock->sk_user_data) { + ctx->sock->sk_user_data = NULL; + ctx->sock->sk_data_ready = ctx->save_data_ready; + ctx->sock->sk_write_space = ctx->save_write_space; + ctx->sock->sk_state_change = ctx->save_state_change; + } + write_unlock_bh(&ctx->sock->sk_callback_lock); + + tls_put_sgl(sk); + sock_kzfree_s(sk, ctx->iv_send, ivlen); + sock_kzfree_s(sk, ctx->iv_recv, ivlen); + sock_kfree_s(sk, ctx, sizeof(*ctx)); + af_alg_release_parent(sk); +} + +static int tls_accept_parent(void *private, struct sock *sk) +{ + struct tls_ctx *ctx; + struct alg_sock *ask = alg_sk(sk); + struct tls_tfm_pair *pair = private; + + unsigned int len = sizeof(*ctx); + unsigned int ivlen = crypto_aead_ivsize(pair->tfm_send); + + ctx = sock_kmalloc(sk, len, GFP_KERNEL); + if (!ctx) + return -ENOMEM; + memset(ctx, 0, len); + + ctx->iv_send = sock_kmalloc(sk, ivlen, GFP_KERNEL); + if (!ctx->iv_send) { + sock_kfree_s(sk, ctx, len); + return -ENOMEM; + } + memset(ctx->iv_send, 0, ivlen); + + ctx->iv_recv = sock_kmalloc(sk, ivlen, GFP_KERNEL); + if (!ctx->iv_recv) { + sock_kfree_s(sk, ctx, len); + return -ENOMEM; + } + memset(ctx->iv_recv, 0, ivlen); + + ctx->aead_assoclen = 0; + ctx->recv_wanted = -1; + af_alg_init_completion(&ctx->completion); + INIT_WORK(&ctx->tx_work, tls_tx_work); + INIT_WORK(&ctx->rx_work, tls_rx_work); + + ask->private = ctx; + + aead_request_set_tfm(&ctx->aead_req, pair->tfm_send); + aead_request_set_tfm(&ctx->aead_resp, pair->tfm_recv); + aead_request_set_callback(&ctx->aead_req, CRYPTO_TFM_REQ_MAY_BACKLOG, + af_alg_complete, &ctx->completion); + + sk->sk_destruct = tls_sock_destruct; + + return 0; +} + +static const struct af_alg_type algif_type_tls = { + .bind = tls_bind, + .release = tls_release, + .setkey = tls_setkey, + .setauthsize = tls_setauthsize, + .accept = tls_accept_parent, + .ops = &algif_tls_ops, + .name = "tls", + .owner = THIS_MODULE +}; + +static int __init algif_tls_init(void) +{ + int err = -ENOMEM; + + tls_wq = create_singlethread_workqueue("ktlsd"); + if (!tls_wq) + goto error; + + err = af_alg_register_type(&algif_type_tls); + + if (!err) + return 0; +error: + if (tls_wq) + destroy_workqueue(tls_wq); + return err; +} + +static void __exit algif_tls_exit(void) +{ + af_alg_unregister_type(&algif_type_tls); + destroy_workqueue(tls_wq); +} + +module_init(algif_tls_init); +module_exit(algif_tls_exit); +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Dave Watson "); +MODULE_DESCRIPTION("TLS kernel crypto API net interface");