[linux-block.git] / net / tls / tls_main.c

/*
 * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
 * Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved.
 *
 * This software is available to you under a choice of one of two
 * licenses.  You may choose to be licensed under the terms of the GNU
 * General Public License (GPL) Version 2, available from the file
 * COPYING in the main directory of this source tree, or the
 * OpenIB.org BSD license below:
 *
 *     Redistribution and use in source and binary forms, with or
 *     without modification, are permitted provided that the following
 *     conditions are met:
 *
 *      - Redistributions of source code must retain the above
 *        copyright notice, this list of conditions and the following
 *        disclaimer.
 *
 *      - Redistributions in binary form must reproduce the above
 *        copyright notice, this list of conditions and the following
 *        disclaimer in the documentation and/or other materials
 *        provided with the distribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */

#include <linux/module.h>

#include <net/tcp.h>
#include <net/inet_common.h>
#include <linux/highmem.h>
#include <linux/netdevice.h>
#include <linux/sched/signal.h>

#include <net/tls.h>

MODULE_AUTHOR("Mellanox Technologies");
MODULE_DESCRIPTION("Transport Layer Security Support");
MODULE_LICENSE("Dual BSD/GPL");

enum {
	TLS_BASE_TX,
	TLS_SW_TX,
	TLS_NUM_CONFIG,
};

static struct proto tls_prots[TLS_NUM_CONFIG];

static inline void update_sk_prot(struct sock *sk, struct tls_context *ctx)
{
	sk->sk_prot = &tls_prots[ctx->tx_conf];
}

int wait_on_pending_writer(struct sock *sk, long *timeo)
{
	int rc = 0;
	DEFINE_WAIT_FUNC(wait, woken_wake_function);

	add_wait_queue(sk_sleep(sk), &wait);
	while (1) {
		if (!*timeo) {
			rc = -EAGAIN;
			break;
		}

		if (signal_pending(current)) {
			rc = sock_intr_errno(*timeo);
			break;
		}

		if (sk_wait_event(sk, timeo, !sk->sk_write_pending, &wait))
			break;
	}
	remove_wait_queue(sk_sleep(sk), &wait);
	return rc;
}

int tls_push_sg(struct sock *sk,
		struct tls_context *ctx,
		struct scatterlist *sg,
		u16 first_offset,
		int flags)
{
	int sendpage_flags = flags | MSG_SENDPAGE_NOTLAST;
	int ret = 0;
	struct page *p;
	size_t size;
	int offset = first_offset;

	size = sg->length - offset;
	offset += sg->offset;

	while (1) {
		if (sg_is_last(sg))
			sendpage_flags = flags;

		/* is sending application-limited? */
		tcp_rate_check_app_limited(sk);
		p = sg_page(sg);
retry:
		ret = do_tcp_sendpages(sk, p, offset, size, sendpage_flags);

		if (ret != size) {
			if (ret > 0) {
				offset += ret;
				size -= ret;
				goto retry;
			}

			offset -= sg->offset;
			ctx->partially_sent_offset = offset;
			ctx->partially_sent_record = (void *)sg;
			return ret;
		}

		put_page(p);
		sk_mem_uncharge(sk, sg->length);
		sg = sg_next(sg);
		if (!sg)
			break;

		offset = sg->offset;
		size = sg->length;
	}

	clear_bit(TLS_PENDING_CLOSED_RECORD, &ctx->flags);

	return 0;
}

static int tls_handle_open_record(struct sock *sk, int flags)
{
	struct tls_context *ctx = tls_get_ctx(sk);

	if (tls_is_pending_open_record(ctx))
		return ctx->push_pending_record(sk, flags);

	return 0;
}

int tls_proccess_cmsg(struct sock *sk, struct msghdr *msg,
		      unsigned char *record_type)
{
	struct cmsghdr *cmsg;
	int rc = -EINVAL;

	for_each_cmsghdr(cmsg, msg) {
		if (!CMSG_OK(msg, cmsg))
			return -EINVAL;
		if (cmsg->cmsg_level != SOL_TLS)
			continue;

		switch (cmsg->cmsg_type) {
		case TLS_SET_RECORD_TYPE:
			if (cmsg->cmsg_len < CMSG_LEN(sizeof(*record_type)))
				return -EINVAL;

			if (msg->msg_flags & MSG_MORE)
				return -EINVAL;

			rc = tls_handle_open_record(sk, msg->msg_flags);
			if (rc)
				return rc;

			*record_type = *(unsigned char *)CMSG_DATA(cmsg);
			rc = 0;
			break;
		default:
			return -EINVAL;
		}
	}

	return rc;
}

int tls_push_pending_closed_record(struct sock *sk, struct tls_context *ctx,
				   int flags, long *timeo)
{
	struct scatterlist *sg;
	u16 offset;

	if (!tls_is_partially_sent_record(ctx))
		return ctx->push_pending_record(sk, flags);

	sg = ctx->partially_sent_record;
	offset = ctx->partially_sent_offset;

	ctx->partially_sent_record = NULL;
	return tls_push_sg(sk, ctx, sg, offset, flags);
}

static void tls_write_space(struct sock *sk)
{
	struct tls_context *ctx = tls_get_ctx(sk);

	if (!sk->sk_write_pending && tls_is_pending_closed_record(ctx)) {
		gfp_t sk_allocation = sk->sk_allocation;
		int rc;
		long timeo = 0;

		sk->sk_allocation = GFP_ATOMIC;
		rc = tls_push_pending_closed_record(sk, ctx,
						    MSG_DONTWAIT |
						    MSG_NOSIGNAL,
						    &timeo);
		sk->sk_allocation = sk_allocation;

		if (rc < 0)
			return;
	}

	ctx->sk_write_space(sk);
}

static void tls_sk_proto_close(struct sock *sk, long timeout)
{
	struct tls_context *ctx = tls_get_ctx(sk);
	long timeo = sock_sndtimeo(sk, 0);
	void (*sk_proto_close)(struct sock *sk, long timeout);

	lock_sock(sk);
	sk_proto_close = ctx->sk_proto_close;

	if (ctx->tx_conf == TLS_BASE_TX) {
		kfree(ctx);
		goto skip_tx_cleanup;
	}

	if (!tls_complete_pending_work(sk, ctx, 0, &timeo))
		tls_handle_open_record(sk, 0);

	if (ctx->partially_sent_record) {
		struct scatterlist *sg = ctx->partially_sent_record;

		while (1) {
			put_page(sg_page(sg));
			sk_mem_uncharge(sk, sg->length);

			if (sg_is_last(sg))
				break;
			sg++;
		}
	}

	kfree(ctx->rec_seq);
	kfree(ctx->iv);

	if (ctx->tx_conf == TLS_SW_TX)
		tls_sw_free_tx_resources(sk);

skip_tx_cleanup:
	release_sock(sk);
	sk_proto_close(sk, timeout);
}

static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
				int __user *optlen)
{
	int rc = 0;
	struct tls_context *ctx = tls_get_ctx(sk);
	struct tls_crypto_info *crypto_info;
	int len;

	if (get_user(len, optlen))
		return -EFAULT;

	if (!optval || (len < sizeof(*crypto_info))) {
		rc = -EINVAL;
		goto out;
	}

	if (!ctx) {
		rc = -EBUSY;
		goto out;
	}

	/* get user crypto info */
	crypto_info = &ctx->crypto_send;

	if (!TLS_CRYPTO_INFO_READY(crypto_info)) {
		rc = -EBUSY;
		goto out;
	}

	if (len == sizeof(*crypto_info)) {
		if (copy_to_user(optval, crypto_info, sizeof(*crypto_info)))
			rc = -EFAULT;
		goto out;
	}

	switch (crypto_info->cipher_type) {
	case TLS_CIPHER_AES_GCM_128: {
		struct tls12_crypto_info_aes_gcm_128 *
		  crypto_info_aes_gcm_128 =
		  container_of(crypto_info,
			       struct tls12_crypto_info_aes_gcm_128,
			       info);

		if (len != sizeof(*crypto_info_aes_gcm_128)) {
			rc = -EINVAL;
			goto out;
		}
		lock_sock(sk);
		memcpy(crypto_info_aes_gcm_128->iv, ctx->iv,
		       TLS_CIPHER_AES_GCM_128_IV_SIZE);
		release_sock(sk);
		if (copy_to_user(optval,
				 crypto_info_aes_gcm_128,
				 sizeof(*crypto_info_aes_gcm_128)))
			rc = -EFAULT;
		break;
	}
	default:
		rc = -EINVAL;
	}

out:
	return rc;
}

static int do_tls_getsockopt(struct sock *sk, int optname,
			     char __user *optval, int __user *optlen)
{
	int rc = 0;

	switch (optname) {
	case TLS_TX:
		rc = do_tls_getsockopt_tx(sk, optval, optlen);
		break;
	default:
		rc = -ENOPROTOOPT;
		break;
	}
	return rc;
}

static int tls_getsockopt(struct sock *sk, int level, int optname,
			  char __user *optval, int __user *optlen)
{
	struct tls_context *ctx = tls_get_ctx(sk);

	if (level != SOL_TLS)
		return ctx->getsockopt(sk, level, optname, optval, optlen);

	return do_tls_getsockopt(sk, optname, optval, optlen);
}

static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
				unsigned int optlen)
{
	struct tls_crypto_info *crypto_info;
	struct tls_context *ctx = tls_get_ctx(sk);
	int rc = 0;
	int tx_conf;

	if (!optval || (optlen < sizeof(*crypto_info))) {
		rc = -EINVAL;
		goto out;
	}

	crypto_info = &ctx->crypto_send;
	/* Currently we don't support set crypto info more than one time */
	if (TLS_CRYPTO_INFO_READY(crypto_info))
		goto out;

	rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info));
	if (rc) {
		rc = -EFAULT;
		goto out;
	}

	/* check version */
	if (crypto_info->version != TLS_1_2_VERSION) {
		rc = -ENOTSUPP;
		goto err_crypto_info;
	}

	switch (crypto_info->cipher_type) {
	case TLS_CIPHER_AES_GCM_128: {
		if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) {
			rc = -EINVAL;
			goto out;
		}
		rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info),
				    optlen - sizeof(*crypto_info));
		if (rc) {
			rc = -EFAULT;
			goto err_crypto_info;
		}
		break;
	}
	default:
		rc = -EINVAL;
		goto out;
	}

	/* currently SW is default, we will have ethtool in future */
	rc = tls_set_sw_offload(sk, ctx);
	tx_conf = TLS_SW_TX;
	if (rc)
		goto err_crypto_info;

	ctx->tx_conf = tx_conf;
	update_sk_prot(sk, ctx);
	ctx->sk_write_space = sk->sk_write_space;
	sk->sk_write_space = tls_write_space;
	goto out;

err_crypto_info:
	memset(crypto_info, 0, sizeof(*crypto_info));
out:
	return rc;
}

static int do_tls_setsockopt(struct sock *sk, int optname,
			     char __user *optval, unsigned int optlen)
{
	int rc = 0;

	switch (optname) {
	case TLS_TX:
		lock_sock(sk);
		rc = do_tls_setsockopt_tx(sk, optval, optlen);
		release_sock(sk);
		break;
	default:
		rc = -ENOPROTOOPT;
		break;
	}
	return rc;
}

static int tls_setsockopt(struct sock *sk, int level, int optname,
			  char __user *optval, unsigned int optlen)
{
	struct tls_context *ctx = tls_get_ctx(sk);

	if (level != SOL_TLS)
		return ctx->setsockopt(sk, level, optname, optval, optlen);

	return do_tls_setsockopt(sk, optname, optval, optlen);
}

static int tls_init(struct sock *sk)
{
	struct inet_connection_sock *icsk = inet_csk(sk);
	struct tls_context *ctx;
	int rc = 0;

	/* The TLS ulp is currently supported only for TCP sockets
	 * in ESTABLISHED state.
	 * Supporting sockets in LISTEN state will require us
	 * to modify the accept implementation to clone rather then
	 * share the ulp context.
	 */
	if (sk->sk_state != TCP_ESTABLISHED)
		return -ENOTSUPP;

	/* allocate tls context */
	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
	if (!ctx) {
		rc = -ENOMEM;
		goto out;
	}
	icsk->icsk_ulp_data = ctx;
	ctx->setsockopt = sk->sk_prot->setsockopt;
	ctx->getsockopt = sk->sk_prot->getsockopt;
	ctx->sk_proto_close = sk->sk_prot->close;

	ctx->tx_conf = TLS_BASE_TX;
	update_sk_prot(sk, ctx);
out:
	return rc;
}

static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
	.name			= "tls",
	.owner			= THIS_MODULE,
	.init			= tls_init,
};

static void build_protos(struct proto *prot, struct proto *base)
{
	prot[TLS_BASE_TX] = *base;
	prot[TLS_BASE_TX].setsockopt	= tls_setsockopt;
	prot[TLS_BASE_TX].getsockopt	= tls_getsockopt;
	prot[TLS_BASE_TX].close		= tls_sk_proto_close;

	prot[TLS_SW_TX] = prot[TLS_BASE_TX];
	prot[TLS_SW_TX].sendmsg		= tls_sw_sendmsg;
	prot[TLS_SW_TX].sendpage	= tls_sw_sendpage;
}

static int __init tls_register(void)
{
	build_protos(tls_prots, &tcp_prot);

	tcp_register_ulp(&tcp_tls_ulp_ops);

	return 0;
}

static void __exit tls_unregister(void)
{
	tcp_unregister_ulp(&tcp_tls_ulp_ops);
}

module_init(tls_register);
module_exit(tls_unregister);
Commit	Line	Data
3c4d7559 DW	1	/*
	2	* Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
	3	* Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved.
	4	*
	5	* This software is available to you under a choice of one of two
	6	* licenses. You may choose to be licensed under the terms of the GNU
	7	* General Public License (GPL) Version 2, available from the file
	8	* COPYING in the main directory of this source tree, or the
	9	* OpenIB.org BSD license below:
	10	*
	11	* Redistribution and use in source and binary forms, with or
	12	* without modification, are permitted provided that the following
	13	* conditions are met:
	14	*
	15	* - Redistributions of source code must retain the above
	16	* copyright notice, this list of conditions and the following
	17	* disclaimer.
	18	*
	19	* - Redistributions in binary form must reproduce the above
	20	* copyright notice, this list of conditions and the following
	21	* disclaimer in the documentation and/or other materials
	22	* provided with the distribution.
	23	*
	24	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
	25	* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
	26	* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
	27	* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
	28	* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
	29	* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
	30	* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
	31	* SOFTWARE.
	32	*/
	33
	34	#include <linux/module.h>
	35
	36	#include <net/tcp.h>
	37	#include <net/inet_common.h>
	38	#include <linux/highmem.h>
	39	#include <linux/netdevice.h>
	40	#include <linux/sched/signal.h>
	41
	42	#include <net/tls.h>
	43
	44	MODULE_AUTHOR("Mellanox Technologies");
	45	MODULE_DESCRIPTION("Transport Layer Security Support");
	46	MODULE_LICENSE("Dual BSD/GPL");
	47
6d88207f IL	48	enum {
	49	TLS_BASE_TX,
	50	TLS_SW_TX,
	51	TLS_NUM_CONFIG,
	52	};
	53
	54	static struct proto tls_prots[TLS_NUM_CONFIG];
	55
	56	static inline void update_sk_prot(struct sock sk, struct tls_context ctx)
	57	{
	58	sk->sk_prot = &tls_prots[ctx->tx_conf];
	59	}
3c4d7559 DW	60
	61	int wait_on_pending_writer(struct sock sk, long timeo)
	62	{
	63	int rc = 0;
	64	DEFINE_WAIT_FUNC(wait, woken_wake_function);
	65
	66	add_wait_queue(sk_sleep(sk), &wait);
	67	while (1) {
	68	if (!*timeo) {
	69	rc = -EAGAIN;
	70	break;
	71	}
	72
	73	if (signal_pending(current)) {
	74	rc = sock_intr_errno(*timeo);
	75	break;
	76	}
	77
	78	if (sk_wait_event(sk, timeo, !sk->sk_write_pending, &wait))
	79	break;
	80	}
	81	remove_wait_queue(sk_sleep(sk), &wait);
	82	return rc;
	83	}
	84
	85	int tls_push_sg(struct sock *sk,
	86	struct tls_context *ctx,
	87	struct scatterlist *sg,
	88	u16 first_offset,
	89	int flags)
	90	{
	91	int sendpage_flags = flags \| MSG_SENDPAGE_NOTLAST;
	92	int ret = 0;
	93	struct page *p;
	94	size_t size;
	95	int offset = first_offset;
	96
	97	size = sg->length - offset;
	98	offset += sg->offset;
	99
	100	while (1) {
	101	if (sg_is_last(sg))
	102	sendpage_flags = flags;
	103
	104	/* is sending application-limited? */
	105	tcp_rate_check_app_limited(sk);
	106	p = sg_page(sg);
	107	retry:
	108	ret = do_tcp_sendpages(sk, p, offset, size, sendpage_flags);
	109
	110	if (ret != size) {
	111	if (ret > 0) {
	112	offset += ret;
	113	size -= ret;
	114	goto retry;
	115	}
	116
	117	offset -= sg->offset;
	118	ctx->partially_sent_offset = offset;
	119	ctx->partially_sent_record = (void *)sg;
	120	return ret;
	121	}
	122
	123	put_page(p);
124	sk_mem_uncharge(sk, sg->length);
125	sg = sg_next(sg);
126	if (!sg)
127	break;
128
129	offset = sg->offset;
130	size = sg->length;
131	}
132
133	clear_bit(TLS_PENDING_CLOSED_RECORD, &ctx->flags);
134
135	return 0;
136	}
137
138	static int tls_handle_open_record(struct sock *sk, int flags)
139	{
140	struct tls_context *ctx = tls_get_ctx(sk);
141
142	if (tls_is_pending_open_record(ctx))
143	return ctx->push_pending_record(sk, flags);
144
145	return 0;
146	}
147
148	int tls_proccess_cmsg(struct sock sk, struct msghdr msg,
149	unsigned char *record_type)
150	{
151	struct cmsghdr *cmsg;
152	int rc = -EINVAL;
153
154	for_each_cmsghdr(cmsg, msg) {
155	if (!CMSG_OK(msg, cmsg))
156	return -EINVAL;
157	if (cmsg->cmsg_level != SOL_TLS)
158	continue;
159
160	switch (cmsg->cmsg_type) {
161	case TLS_SET_RECORD_TYPE:
162	if (cmsg->cmsg_len < CMSG_LEN(sizeof(*record_type)))
163	return -EINVAL;
164
165	if (msg->msg_flags & MSG_MORE)
166	return -EINVAL;
167
168	rc = tls_handle_open_record(sk, msg->msg_flags);
169	if (rc)
170	return rc;
171
172	record_type = (unsigned char *)CMSG_DATA(cmsg);
173	rc = 0;
174	break;
175	default:
176	return -EINVAL;
177	}
178	}
179
180	return rc;
181	}
182
183	int tls_push_pending_closed_record(struct sock sk, struct tls_context ctx,
184	int flags, long *timeo)
185	{
186	struct scatterlist *sg;
187	u16 offset;
188
189	if (!tls_is_partially_sent_record(ctx))
190	return ctx->push_pending_record(sk, flags);
191
192	sg = ctx->partially_sent_record;
193	offset = ctx->partially_sent_offset;
194
195	ctx->partially_sent_record = NULL;
196	return tls_push_sg(sk, ctx, sg, offset, flags);
197	}
198
199	static void tls_write_space(struct sock *sk)
200	{
201	struct tls_context *ctx = tls_get_ctx(sk);
202
203	if (!sk->sk_write_pending && tls_is_pending_closed_record(ctx)) {
204	gfp_t sk_allocation = sk->sk_allocation;
205	int rc;
206	long timeo = 0;
207
208	sk->sk_allocation = GFP_ATOMIC;
209	rc = tls_push_pending_closed_record(sk, ctx,
210	MSG_DONTWAIT \|
211	MSG_NOSIGNAL,
212	&timeo);
213	sk->sk_allocation = sk_allocation;
214
215	if (rc < 0)
216	return;
217	}
218
219	ctx->sk_write_space(sk);
220	}
221
222	static void tls_sk_proto_close(struct sock *sk, long timeout)
223	{
224	struct tls_context *ctx = tls_get_ctx(sk);
225	long timeo = sock_sndtimeo(sk, 0);
226	void (sk_proto_close)(struct sock sk, long timeout);
227
228	lock_sock(sk);
ff45d820 IL	229	sk_proto_close = ctx->sk_proto_close;
	230
	231	if (ctx->tx_conf == TLS_BASE_TX) {
	232	kfree(ctx);
	233	goto skip_tx_cleanup;
	234	}
3c4d7559 DW	235
	236	if (!tls_complete_pending_work(sk, ctx, 0, &timeo))
	237	tls_handle_open_record(sk, 0);
	238
	239	if (ctx->partially_sent_record) {
	240	struct scatterlist *sg = ctx->partially_sent_record;
	241
	242	while (1) {
	243	put_page(sg_page(sg));
	244	sk_mem_uncharge(sk, sg->length);
	245
	246	if (sg_is_last(sg))
	247	break;
	248	sg++;
	249	}
	250	}
ff45d820	251
3c4d7559 DW	252	kfree(ctx->rec_seq);
	253	kfree(ctx->iv);
	254
ff45d820 IL	255	if (ctx->tx_conf == TLS_SW_TX)
ff45d820 IL	256	tls_sw_free_tx_resources(sk);
3c4d7559	257
ff45d820	258	skip_tx_cleanup:
3c4d7559 DW	259	release_sock(sk);
	260	sk_proto_close(sk, timeout);
	261	}
	262
	263	static int do_tls_getsockopt_tx(struct sock sk, char __user optval,
	264	int __user *optlen)
	265	{
	266	int rc = 0;
	267	struct tls_context *ctx = tls_get_ctx(sk);
	268	struct tls_crypto_info *crypto_info;
	269	int len;
	270
	271	if (get_user(len, optlen))
	272	return -EFAULT;
	273
	274	if (!optval \|\| (len < sizeof(*crypto_info))) {
	275	rc = -EINVAL;
	276	goto out;
	277	}
	278
	279	if (!ctx) {
	280	rc = -EBUSY;
	281	goto out;
	282	}
	283
	284	/* get user crypto info */
	285	crypto_info = &ctx->crypto_send;
	286
	287	if (!TLS_CRYPTO_INFO_READY(crypto_info)) {
	288	rc = -EBUSY;
	289	goto out;
	290	}
	291
5a3b886c	292	if (len == sizeof(*crypto_info)) {
ac55cd61 DC	293	if (copy_to_user(optval, crypto_info, sizeof(*crypto_info)))
ac55cd61 DC	294	rc = -EFAULT;
3c4d7559 DW	295	goto out;
	296	}
	297
	298	switch (crypto_info->cipher_type) {
	299	case TLS_CIPHER_AES_GCM_128: {
	300	struct tls12_crypto_info_aes_gcm_128 *
	301	crypto_info_aes_gcm_128 =
	302	container_of(crypto_info,
	303	struct tls12_crypto_info_aes_gcm_128,
	304	info);
	305
	306	if (len != sizeof(*crypto_info_aes_gcm_128)) {
	307	rc = -EINVAL;
	308	goto out;
	309	}
	310	lock_sock(sk);
	311	memcpy(crypto_info_aes_gcm_128->iv, ctx->iv,
	312	TLS_CIPHER_AES_GCM_128_IV_SIZE);
	313	release_sock(sk);
ac55cd61 DC	314	if (copy_to_user(optval,
	315	crypto_info_aes_gcm_128,
	316	sizeof(*crypto_info_aes_gcm_128)))
	317	rc = -EFAULT;
3c4d7559 DW	318	break;
	319	}
	320	default:
	321	rc = -EINVAL;
	322	}
	323
	324	out:
	325	return rc;
	326	}
	327
	328	static int do_tls_getsockopt(struct sock *sk, int optname,
	329	char __user optval, int __user optlen)
	330	{
	331	int rc = 0;
	332
	333	switch (optname) {
	334	case TLS_TX:
	335	rc = do_tls_getsockopt_tx(sk, optval, optlen);
	336	break;
	337	default:
	338	rc = -ENOPROTOOPT;
	339	break;
	340	}
	341	return rc;
	342	}
	343
	344	static int tls_getsockopt(struct sock *sk, int level, int optname,
	345	char __user optval, int __user optlen)
	346	{
	347	struct tls_context *ctx = tls_get_ctx(sk);
	348
	349	if (level != SOL_TLS)
	350	return ctx->getsockopt(sk, level, optname, optval, optlen);
	351
	352	return do_tls_getsockopt(sk, optname, optval, optlen);
	353	}
	354
	355	static int do_tls_setsockopt_tx(struct sock sk, char __user optval,
	356	unsigned int optlen)
	357	{
196c31b4	358	struct tls_crypto_info *crypto_info;
3c4d7559	359	struct tls_context *ctx = tls_get_ctx(sk);
3c4d7559	360	int rc = 0;
6d88207f	361	int tx_conf;
3c4d7559 DW	362
	363	if (!optval \|\| (optlen < sizeof(*crypto_info))) {
	364	rc = -EINVAL;
	365	goto out;
	366	}
	367
196c31b4 IL	368	crypto_info = &ctx->crypto_send;
	369	/* Currently we don't support set crypto info more than one time */
	370	if (TLS_CRYPTO_INFO_READY(crypto_info))
	371	goto out;
	372
	373	rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info));
3c4d7559 DW	374	if (rc) {
	375	rc = -EFAULT;
	376	goto out;
	377	}
	378
	379	/* check version */
196c31b4	380	if (crypto_info->version != TLS_1_2_VERSION) {
3c4d7559	381	rc = -ENOTSUPP;
196c31b4	382	goto err_crypto_info;
3c4d7559 DW	383	}
3c4d7559 DW	384
196c31b4	385	switch (crypto_info->cipher_type) {
3c4d7559 DW	386	case TLS_CIPHER_AES_GCM_128: {
	387	if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) {
	388	rc = -EINVAL;
	389	goto out;
	390	}
196c31b4 IL	391	rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info),
196c31b4 IL	392	optlen - sizeof(*crypto_info));
3c4d7559 DW	393	if (rc) {
	394	rc = -EFAULT;
	395	goto err_crypto_info;
	396	}
	397	break;
	398	}
	399	default:
	400	rc = -EINVAL;
	401	goto out;
	402	}
	403
3c4d7559 DW	404	/* currently SW is default, we will have ethtool in future */
3c4d7559 DW	405	rc = tls_set_sw_offload(sk, ctx);
6d88207f	406	tx_conf = TLS_SW_TX;
3c4d7559 DW	407	if (rc)
	408	goto err_crypto_info;
	409
6d88207f IL	410	ctx->tx_conf = tx_conf;
6d88207f IL	411	update_sk_prot(sk, ctx);
ee181e52 IL	412	ctx->sk_write_space = sk->sk_write_space;
ee181e52 IL	413	sk->sk_write_space = tls_write_space;
3c4d7559 DW	414	goto out;
	415
	416	err_crypto_info:
	417	memset(crypto_info, 0, sizeof(*crypto_info));
	418	out:
	419	return rc;
	420	}
	421
	422	static int do_tls_setsockopt(struct sock *sk, int optname,
	423	char __user *optval, unsigned int optlen)
	424	{
	425	int rc = 0;
	426
	427	switch (optname) {
	428	case TLS_TX:
	429	lock_sock(sk);
	430	rc = do_tls_setsockopt_tx(sk, optval, optlen);
	431	release_sock(sk);
	432	break;
	433	default:
	434	rc = -ENOPROTOOPT;
	435	break;
	436	}
	437	return rc;
	438	}
	439
	440	static int tls_setsockopt(struct sock *sk, int level, int optname,
	441	char __user *optval, unsigned int optlen)
	442	{
	443	struct tls_context *ctx = tls_get_ctx(sk);
	444
	445	if (level != SOL_TLS)
	446	return ctx->setsockopt(sk, level, optname, optval, optlen);
	447
	448	return do_tls_setsockopt(sk, optname, optval, optlen);
	449	}
	450
	451	static int tls_init(struct sock *sk)
	452	{
	453	struct inet_connection_sock *icsk = inet_csk(sk);
	454	struct tls_context *ctx;
	455	int rc = 0;
	456
d91c3e17 IL	457	/* The TLS ulp is currently supported only for TCP sockets
	458	* in ESTABLISHED state.
	459	* Supporting sockets in LISTEN state will require us
	460	* to modify the accept implementation to clone rather then
	461	* share the ulp context.
	462	*/
	463	if (sk->sk_state != TCP_ESTABLISHED)
	464	return -ENOTSUPP;
	465
3c4d7559 DW	466	/* allocate tls context */
	467	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
	468	if (!ctx) {
	469	rc = -ENOMEM;
	470	goto out;
	471	}
	472	icsk->icsk_ulp_data = ctx;
	473	ctx->setsockopt = sk->sk_prot->setsockopt;
	474	ctx->getsockopt = sk->sk_prot->getsockopt;
ff45d820	475	ctx->sk_proto_close = sk->sk_prot->close;
6d88207f IL	476
	477	ctx->tx_conf = TLS_BASE_TX;
	478	update_sk_prot(sk, ctx);
3c4d7559 DW	479	out:
	480	return rc;
	481	}
	482
	483	static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
	484	.name = "tls",
	485	.owner = THIS_MODULE,
	486	.init = tls_init,
	487	};
	488
6d88207f IL	489	static void build_protos(struct proto prot, struct proto base)
	490	{
	491	prot[TLS_BASE_TX] = *base;
ff45d820 IL	492	prot[TLS_BASE_TX].setsockopt = tls_setsockopt;
	493	prot[TLS_BASE_TX].getsockopt = tls_getsockopt;
	494	prot[TLS_BASE_TX].close = tls_sk_proto_close;
6d88207f IL	495
6d88207f IL	496	prot[TLS_SW_TX] = prot[TLS_BASE_TX];
6d88207f IL	497	prot[TLS_SW_TX].sendmsg = tls_sw_sendmsg;
	498	prot[TLS_SW_TX].sendpage = tls_sw_sendpage;
	499	}
	500
3c4d7559 DW	501	static int __init tls_register(void)
3c4d7559 DW	502	{
6d88207f	503	build_protos(tls_prots, &tcp_prot);
3c4d7559 DW	504
	505	tcp_register_ulp(&tcp_tls_ulp_ops);
	506
	507	return 0;
	508	}
	509
	510	static void __exit tls_unregister(void)
	511	{
	512	tcp_unregister_ulp(&tcp_tls_ulp_ops);
	513	}
	514
	515	module_init(tls_register);
	516	module_exit(tls_unregister);