1 files changed, 216 insertions, 37 deletions
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index e9b4b53ab53e..cc03e00785c7 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -38,6 +38,7 @@
 #include <linux/highmem.h>
 #include <linux/netdevice.h>
 #include <linux/sched/signal.h>
+#include <linux/inetdevice.h>
 #include <net/tls.h>
@@ -46,16 +47,32 @@ MODULE_DESCRIPTION("Transport Layer Security Support");
 MODULE_LICENSE("Dual BSD/GPL");
 enum {
-        TLS_BASE_TX,
+        TLSV4,
+        TLSV6,
+        TLS_NUM_PROTS,
+};
+enum {
+        TLS_BASE,
        TLS_SW_TX,
+        TLS_SW_RX,
+        TLS_SW_RXTX,
+        TLS_HW_RECORD,
        TLS_NUM_CONFIG,
 };
-static struct proto tls_prots[TLS_NUM_CONFIG];
+static struct proto *saved_tcpv6_prot;
+static DEFINE_MUTEX(tcpv6_prot_mutex);
+static LIST_HEAD(device_list);
+static DEFINE_MUTEX(device_mutex);
+static struct proto tls_prots[TLS_NUM_PROTS][TLS_NUM_CONFIG];
+static struct proto_ops tls_sw_proto_ops;
 static inline void update_sk_prot(struct sock *sk, struct tls_context *ctx)
 {
-        sk->sk_prot = &tls_prots[ctx->tx_conf];
+        int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
+        sk->sk_prot = &tls_prots[ip_ver][ctx->conf];
 }
 int wait_on_pending_writer(struct sock *sk, long *timeo)
@@ -97,6 +114,7 @@ int tls_push_sg(struct sock *sk,
        size = sg->length - offset;
        offset += sg->offset;
+        ctx->in_tcp_sendpages = true;
        while (1) {
                if (sg_is_last(sg))
                        sendpage_flags = flags;
@@ -131,6 +149,8 @@ retry:
        }
        clear_bit(TLS_PENDING_CLOSED_RECORD, &ctx->flags);
+        ctx->in_tcp_sendpages = false;
+        ctx->sk_write_space(sk);
        return 0;
 }
@@ -200,6 +220,10 @@ static void tls_write_space(struct sock *sk)
 {
        struct tls_context *ctx = tls_get_ctx(sk);
+        /* We are already sending pages, ignore notification */
+        if (ctx->in_tcp_sendpages)
+                return;
        if (!sk->sk_write_pending && tls_is_pending_closed_record(ctx)) {
                gfp_t sk_allocation = sk->sk_allocation;
                int rc;
@@ -228,8 +252,12 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
        lock_sock(sk);
        sk_proto_close = ctx->sk_proto_close;
-        if (ctx->tx_conf == TLS_BASE_TX) {
+        if (ctx->conf == TLS_HW_RECORD)
+                goto skip_tx_cleanup;
+        if (ctx->conf == TLS_BASE) {
                kfree(ctx);
+                ctx = NULL;
                goto skip_tx_cleanup;
        }
@@ -249,15 +277,25 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
                }
        }
-        kfree(ctx->rec_seq);
+        kfree(ctx->tx.rec_seq);
-        kfree(ctx->iv);
+        kfree(ctx->tx.iv);
+        kfree(ctx->rx.rec_seq);
+        kfree(ctx->rx.iv);
-        if (ctx->tx_conf == TLS_SW_TX)
+        if (ctx->conf == TLS_SW_TX ||
-                tls_sw_free_tx_resources(sk);
+            ctx->conf == TLS_SW_RX ||
+            ctx->conf == TLS_SW_RXTX) {
+                tls_sw_free_resources(sk);
+        }
 skip_tx_cleanup:
        release_sock(sk);
        sk_proto_close(sk, timeout);
+        /* free ctx for TLS_HW_RECORD, used by tcp_set_state
+         * for sk->sk_prot->unhash [tls_hw_unhash]
+         */
+        if (ctx && ctx->conf == TLS_HW_RECORD)
+                kfree(ctx);
 }
 static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
@@ -309,9 +347,9 @@ static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
                }
                lock_sock(sk);
                memcpy(crypto_info_aes_gcm_128->iv,
-                       ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
+                       ctx->tx.iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
                       TLS_CIPHER_AES_GCM_128_IV_SIZE);
-                memcpy(crypto_info_aes_gcm_128->rec_seq, ctx->rec_seq,
+                memcpy(crypto_info_aes_gcm_128->rec_seq, ctx->tx.rec_seq,
                       TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
                release_sock(sk);
                if (copy_to_user(optval,
@@ -355,20 +393,24 @@ static int tls_getsockopt(struct sock *sk, int level, int optname,
        return do_tls_getsockopt(sk, optname, optval, optlen);
 }
-static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
+static int do_tls_setsockopt_conf(struct sock *sk, char __user *optval,
-                                unsigned int optlen)
+                                  unsigned int optlen, int tx)
 {
        struct tls_crypto_info *crypto_info;
        struct tls_context *ctx = tls_get_ctx(sk);
        int rc = 0;
-        int tx_conf;
+        int conf;
        if (!optval || (optlen < sizeof(*crypto_info))) {
                rc = -EINVAL;
                goto out;
        }
-        crypto_info = &ctx->crypto_send;
+        if (tx)
+                crypto_info = &ctx->crypto_send;
+        else
+                crypto_info = &ctx->crypto_recv;
        /* Currently we don't support set crypto info more than one time */
        if (TLS_CRYPTO_INFO_READY(crypto_info)) {
                rc = -EBUSY;
@@ -407,15 +449,31 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
        }
        /* currently SW is default, we will have ethtool in future */
-        rc = tls_set_sw_offload(sk, ctx);
+        if (tx) {
-        tx_conf = TLS_SW_TX;
+                rc = tls_set_sw_offload(sk, ctx, 1);
+                if (ctx->conf == TLS_SW_RX)
+                        conf = TLS_SW_RXTX;
+                else
+                        conf = TLS_SW_TX;
+        } else {
+                rc = tls_set_sw_offload(sk, ctx, 0);
+                if (ctx->conf == TLS_SW_TX)
+                        conf = TLS_SW_RXTX;
+                else
+                        conf = TLS_SW_RX;
+        }
        if (rc)
                goto err_crypto_info;
-        ctx->tx_conf = tx_conf;
+        ctx->conf = conf;
        update_sk_prot(sk, ctx);
-        ctx->sk_write_space = sk->sk_write_space;
+        if (tx) {
-        sk->sk_write_space = tls_write_space;
+                ctx->sk_write_space = sk->sk_write_space;
+                sk->sk_write_space = tls_write_space;
+        } else {
+                sk->sk_socket->ops = &tls_sw_proto_ops;
+        }
        goto out;
 err_crypto_info:
@@ -431,8 +489,10 @@ static int do_tls_setsockopt(struct sock *sk, int optname,
        switch (optname) {
        case TLS_TX:
+        case TLS_RX:
                lock_sock(sk);
-                rc = do_tls_setsockopt_tx(sk, optval, optlen);
+                rc = do_tls_setsockopt_conf(sk, optval, optlen,
+                                            optname == TLS_TX);
                release_sock(sk);
                break;
        default:
@@ -453,12 +513,113 @@ static int tls_setsockopt(struct sock *sk, int level, int optname,
        return do_tls_setsockopt(sk, optname, optval, optlen);
 }
-static int tls_init(struct sock *sk)
+static struct tls_context *create_ctx(struct sock *sk)
 {
        struct inet_connection_sock *icsk = inet_csk(sk);
        struct tls_context *ctx;
+        ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
+        if (!ctx)
+                return NULL;
+        icsk->icsk_ulp_data = ctx;
+        return ctx;
+}
+static int tls_hw_prot(struct sock *sk)
+{
+        struct tls_context *ctx;
+        struct tls_device *dev;
+        int rc = 0;
+        mutex_lock(&device_mutex);
+        list_for_each_entry(dev, &device_list, dev_list) {
+                if (dev->feature && dev->feature(dev)) {
+                        ctx = create_ctx(sk);
+                        if (!ctx)
+                                goto out;
+                        ctx->hash = sk->sk_prot->hash;
+                        ctx->unhash = sk->sk_prot->unhash;
+                        ctx->sk_proto_close = sk->sk_prot->close;
+                        ctx->conf = TLS_HW_RECORD;
+                        update_sk_prot(sk, ctx);
+                        rc = 1;
+                        break;
+                }
+        }
+out:
+        mutex_unlock(&device_mutex);
+        return rc;
+}
+static void tls_hw_unhash(struct sock *sk)
+{
+        struct tls_context *ctx = tls_get_ctx(sk);
+        struct tls_device *dev;
+        mutex_lock(&device_mutex);
+        list_for_each_entry(dev, &device_list, dev_list) {
+                if (dev->unhash)
+                        dev->unhash(dev, sk);
+        }
+        mutex_unlock(&device_mutex);
+        ctx->unhash(sk);
+}
+static int tls_hw_hash(struct sock *sk)
+{
+        struct tls_context *ctx = tls_get_ctx(sk);
+        struct tls_device *dev;
+        int err;
+        err = ctx->hash(sk);
+        mutex_lock(&device_mutex);
+        list_for_each_entry(dev, &device_list, dev_list) {
+                if (dev->hash)
+                        err |= dev->hash(dev, sk);
+        }
+        mutex_unlock(&device_mutex);
+        if (err)
+                tls_hw_unhash(sk);
+        return err;
+}
+static void build_protos(struct proto *prot, struct proto *base)
+{
+        prot[TLS_BASE] = *base;
+        prot[TLS_BASE].setsockopt       = tls_setsockopt;
+        prot[TLS_BASE].getsockopt       = tls_getsockopt;
+        prot[TLS_BASE].close            = tls_sk_proto_close;
+        prot[TLS_SW_TX] = prot[TLS_BASE];
+        prot[TLS_SW_TX].sendmsg         = tls_sw_sendmsg;
+        prot[TLS_SW_TX].sendpage        = tls_sw_sendpage;
+        prot[TLS_SW_RX] = prot[TLS_BASE];
+        prot[TLS_SW_RX].recvmsg         = tls_sw_recvmsg;
+        prot[TLS_SW_RX].close           = tls_sk_proto_close;
+        prot[TLS_SW_RXTX] = prot[TLS_SW_TX];
+        prot[TLS_SW_RXTX].recvmsg       = tls_sw_recvmsg;
+        prot[TLS_SW_RXTX].close         = tls_sk_proto_close;
+        prot[TLS_HW_RECORD] = *base;
+        prot[TLS_HW_RECORD].hash        = tls_hw_hash;
+        prot[TLS_HW_RECORD].unhash      = tls_hw_unhash;
+        prot[TLS_HW_RECORD].close       = tls_sk_proto_close;
+}
+static int tls_init(struct sock *sk)
+{
+        int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
+        struct tls_context *ctx;
        int rc = 0;
+        if (tls_hw_prot(sk))
+                goto out;
        /* The TLS ulp is currently supported only for TCP sockets
         * in ESTABLISHED state.
         * Supporting sockets in LISTEN state will require us
@@ -469,22 +630,48 @@ static int tls_init(struct sock *sk)
                return -ENOTSUPP;
        /* allocate tls context */
-        ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
+        ctx = create_ctx(sk);
        if (!ctx) {
                rc = -ENOMEM;
                goto out;
        }
-        icsk->icsk_ulp_data = ctx;
        ctx->setsockopt = sk->sk_prot->setsockopt;
        ctx->getsockopt = sk->sk_prot->getsockopt;
        ctx->sk_proto_close = sk->sk_prot->close;
-        ctx->tx_conf = TLS_BASE_TX;
+        /* Build IPv6 TLS whenever the address of tcpv6_prot changes */
+        if (ip_ver == TLSV6 &&
+            unlikely(sk->sk_prot != smp_load_acquire(&saved_tcpv6_prot))) {
+                mutex_lock(&tcpv6_prot_mutex);
+                if (likely(sk->sk_prot != saved_tcpv6_prot)) {
+                        build_protos(tls_prots[TLSV6], sk->sk_prot);
+                        smp_store_release(&saved_tcpv6_prot, sk->sk_prot);
+                }
+                mutex_unlock(&tcpv6_prot_mutex);
+        }
+        ctx->conf = TLS_BASE;
        update_sk_prot(sk, ctx);
 out:
        return rc;
 }
+void tls_register_device(struct tls_device *device)
+{
+        mutex_lock(&device_mutex);
+        list_add_tail(&device->dev_list, &device_list);
+        mutex_unlock(&device_mutex);
+}
+EXPORT_SYMBOL(tls_register_device);
+void tls_unregister_device(struct tls_device *device)
+{
+        mutex_lock(&device_mutex);
+        list_del(&device->dev_list);
+        mutex_unlock(&device_mutex);
+}
+EXPORT_SYMBOL(tls_unregister_device);
 static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
        .name                   = "tls",
        .uid                    = TCP_ULP_TLS,
@@ -493,21 +680,13 @@ static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
        .init                   = tls_init,
 };
-static void build_protos(struct proto *prot, struct proto *base)
-{
-        prot[TLS_BASE_TX] = *base;
-        prot[TLS_BASE_TX].setsockopt    = tls_setsockopt;
-        prot[TLS_BASE_TX].getsockopt    = tls_getsockopt;
-        prot[TLS_BASE_TX].close         = tls_sk_proto_close;
-        prot[TLS_SW_TX] = prot[TLS_BASE_TX];
-        prot[TLS_SW_TX].sendmsg         = tls_sw_sendmsg;
-        prot[TLS_SW_TX].sendpage        = tls_sw_sendpage;
-}
 static int __init tls_register(void)
 {
-        build_protos(tls_prots, &tcp_prot);
+        build_protos(tls_prots[TLSV4], &tcp_prot);
+        tls_sw_proto_ops = inet_stream_ops;
+        tls_sw_proto_ops.poll = tls_sw_poll;
+        tls_sw_proto_ops.splice_read = tls_sw_splice_read;
        tcp_register_ulp(&tcp_tls_ulp_ops);

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index e9b4b53ab53e..cc03e00785c7 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c
@@ -38,6 +38,7 @@
38	#include <linux/highmem.h>	38	#include <linux/highmem.h>
39	#include <linux/netdevice.h>	39	#include <linux/netdevice.h>
40	#include <linux/sched/signal.h>	40	#include <linux/sched/signal.h>
		41	#include <linux/inetdevice.h>
41		42
42	#include <net/tls.h>	43	#include <net/tls.h>
43		44
@@ -46,16 +47,32 @@ MODULE_DESCRIPTION("Transport Layer Security Support");
46	MODULE_LICENSE("Dual BSD/GPL");	47	MODULE_LICENSE("Dual BSD/GPL");
47		48
48	enum {	49	enum {
49	TLS_BASE_TX,	50	TLSV4,
		51	TLSV6,
		52	TLS_NUM_PROTS,
		53	};
		54
		55	enum {
		56	TLS_BASE,
50	TLS_SW_TX,	57	TLS_SW_TX,
		58	TLS_SW_RX,
		59	TLS_SW_RXTX,
		60	TLS_HW_RECORD,
51	TLS_NUM_CONFIG,	61	TLS_NUM_CONFIG,
52	};	62	};
53		63
54	static struct proto tls_prots[TLS_NUM_CONFIG];	64	static struct proto *saved_tcpv6_prot;
		65	static DEFINE_MUTEX(tcpv6_prot_mutex);
		66	static LIST_HEAD(device_list);
		67	static DEFINE_MUTEX(device_mutex);
		68	static struct proto tls_prots[TLS_NUM_PROTS][TLS_NUM_CONFIG];
		69	static struct proto_ops tls_sw_proto_ops;
55		70
56	static inline void update_sk_prot(struct sock sk, struct tls_context ctx)	71	static inline void update_sk_prot(struct sock sk, struct tls_context ctx)
57	{	72	{
58	sk->sk_prot = &tls_prots[ctx->tx_conf];	73	int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
		74
		75	sk->sk_prot = &tls_prots[ip_ver][ctx->conf];
59	}	76	}
60		77
61	int wait_on_pending_writer(struct sock sk, long timeo)	78	int wait_on_pending_writer(struct sock sk, long timeo)
@@ -97,6 +114,7 @@ int tls_push_sg(struct sock *sk,
97	size = sg->length - offset;	114	size = sg->length - offset;
98	offset += sg->offset;	115	offset += sg->offset;
99		116
		117	ctx->in_tcp_sendpages = true;
100	while (1) {	118	while (1) {
101	if (sg_is_last(sg))	119	if (sg_is_last(sg))
102	sendpage_flags = flags;	120	sendpage_flags = flags;
@@ -131,6 +149,8 @@ retry:
131	}	149	}
132		150
133	clear_bit(TLS_PENDING_CLOSED_RECORD, &ctx->flags);	151	clear_bit(TLS_PENDING_CLOSED_RECORD, &ctx->flags);
		152	ctx->in_tcp_sendpages = false;
		153	ctx->sk_write_space(sk);
134		154
135	return 0;	155	return 0;
136	}	156	}
@@ -200,6 +220,10 @@ static void tls_write_space(struct sock *sk)
200	{	220	{
201	struct tls_context *ctx = tls_get_ctx(sk);	221	struct tls_context *ctx = tls_get_ctx(sk);
202		222
		223	/* We are already sending pages, ignore notification */
		224	if (ctx->in_tcp_sendpages)
		225	return;
		226
203	if (!sk->sk_write_pending && tls_is_pending_closed_record(ctx)) {	227	if (!sk->sk_write_pending && tls_is_pending_closed_record(ctx)) {
204	gfp_t sk_allocation = sk->sk_allocation;	228	gfp_t sk_allocation = sk->sk_allocation;
205	int rc;	229	int rc;
@@ -228,8 +252,12 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
228	lock_sock(sk);	252	lock_sock(sk);
229	sk_proto_close = ctx->sk_proto_close;	253	sk_proto_close = ctx->sk_proto_close;
230		254
231	if (ctx->tx_conf == TLS_BASE_TX) {	255	if (ctx->conf == TLS_HW_RECORD)
		256	goto skip_tx_cleanup;
		257
		258	if (ctx->conf == TLS_BASE) {
232	kfree(ctx);	259	kfree(ctx);
		260	ctx = NULL;
233	goto skip_tx_cleanup;	261	goto skip_tx_cleanup;
234	}	262	}
235		263
@@ -249,15 +277,25 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
249	}	277	}
250	}	278	}
251		279
252	kfree(ctx->rec_seq);	280	kfree(ctx->tx.rec_seq);
253	kfree(ctx->iv);	281	kfree(ctx->tx.iv);
		282	kfree(ctx->rx.rec_seq);
		283	kfree(ctx->rx.iv);
254		284
255	if (ctx->tx_conf == TLS_SW_TX)	285	if (ctx->conf == TLS_SW_TX \|\|
256	tls_sw_free_tx_resources(sk);	286	ctx->conf == TLS_SW_RX \|\|
		287	ctx->conf == TLS_SW_RXTX) {
		288	tls_sw_free_resources(sk);
		289	}
257		290
258	skip_tx_cleanup:	291	skip_tx_cleanup:
259	release_sock(sk);	292	release_sock(sk);
260	sk_proto_close(sk, timeout);	293	sk_proto_close(sk, timeout);
		294	/* free ctx for TLS_HW_RECORD, used by tcp_set_state
		295	* for sk->sk_prot->unhash [tls_hw_unhash]
		296	*/
		297	if (ctx && ctx->conf == TLS_HW_RECORD)
		298	kfree(ctx);
261	}	299	}
262		300
263	static int do_tls_getsockopt_tx(struct sock sk, char __user optval,	301	static int do_tls_getsockopt_tx(struct sock sk, char __user optval,
@@ -309,9 +347,9 @@ static int do_tls_getsockopt_tx(struct sock sk, char __user optval,
309	}	347	}
310	lock_sock(sk);	348	lock_sock(sk);
311	memcpy(crypto_info_aes_gcm_128->iv,	349	memcpy(crypto_info_aes_gcm_128->iv,
312	ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,	350	ctx->tx.iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
313	TLS_CIPHER_AES_GCM_128_IV_SIZE);	351	TLS_CIPHER_AES_GCM_128_IV_SIZE);
314	memcpy(crypto_info_aes_gcm_128->rec_seq, ctx->rec_seq,	352	memcpy(crypto_info_aes_gcm_128->rec_seq, ctx->tx.rec_seq,
315	TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);	353	TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
316	release_sock(sk);	354	release_sock(sk);
317	if (copy_to_user(optval,	355	if (copy_to_user(optval,
@@ -355,20 +393,24 @@ static int tls_getsockopt(struct sock *sk, int level, int optname,
355	return do_tls_getsockopt(sk, optname, optval, optlen);	393	return do_tls_getsockopt(sk, optname, optval, optlen);
356	}	394	}
357		395
358	static int do_tls_setsockopt_tx(struct sock sk, char __user optval,	396	static int do_tls_setsockopt_conf(struct sock sk, char __user optval,
359	unsigned int optlen)	397	unsigned int optlen, int tx)
360	{	398	{
361	struct tls_crypto_info *crypto_info;	399	struct tls_crypto_info *crypto_info;
362	struct tls_context *ctx = tls_get_ctx(sk);	400	struct tls_context *ctx = tls_get_ctx(sk);
363	int rc = 0;	401	int rc = 0;
364	int tx_conf;	402	int conf;
365		403
366	if (!optval \|\| (optlen < sizeof(*crypto_info))) {	404	if (!optval \|\| (optlen < sizeof(*crypto_info))) {
367	rc = -EINVAL;	405	rc = -EINVAL;
368	goto out;	406	goto out;
369	}	407	}
370		408
371	crypto_info = &ctx->crypto_send;	409	if (tx)
		410	crypto_info = &ctx->crypto_send;
		411	else
		412	crypto_info = &ctx->crypto_recv;
		413
372	/* Currently we don't support set crypto info more than one time */	414	/* Currently we don't support set crypto info more than one time */
373	if (TLS_CRYPTO_INFO_READY(crypto_info)) {	415	if (TLS_CRYPTO_INFO_READY(crypto_info)) {
374	rc = -EBUSY;	416	rc = -EBUSY;
@@ -407,15 +449,31 @@ static int do_tls_setsockopt_tx(struct sock sk, char __user optval,
407	}	449	}
408		450
409	/* currently SW is default, we will have ethtool in future */	451	/* currently SW is default, we will have ethtool in future */
410	rc = tls_set_sw_offload(sk, ctx);	452	if (tx) {
411	tx_conf = TLS_SW_TX;	453	rc = tls_set_sw_offload(sk, ctx, 1);
		454	if (ctx->conf == TLS_SW_RX)
		455	conf = TLS_SW_RXTX;
		456	else
		457	conf = TLS_SW_TX;
		458	} else {
		459	rc = tls_set_sw_offload(sk, ctx, 0);
		460	if (ctx->conf == TLS_SW_TX)
		461	conf = TLS_SW_RXTX;
		462	else
		463	conf = TLS_SW_RX;
		464	}
		465
412	if (rc)	466	if (rc)
413	goto err_crypto_info;	467	goto err_crypto_info;
414		468
415	ctx->tx_conf = tx_conf;	469	ctx->conf = conf;
416	update_sk_prot(sk, ctx);	470	update_sk_prot(sk, ctx);
417	ctx->sk_write_space = sk->sk_write_space;	471	if (tx) {
418	sk->sk_write_space = tls_write_space;	472	ctx->sk_write_space = sk->sk_write_space;
		473	sk->sk_write_space = tls_write_space;
		474	} else {
		475	sk->sk_socket->ops = &tls_sw_proto_ops;
		476	}
419	goto out;	477	goto out;
420		478
421	err_crypto_info:	479	err_crypto_info:
@@ -431,8 +489,10 @@ static int do_tls_setsockopt(struct sock *sk, int optname,
431		489
432	switch (optname) {	490	switch (optname) {
433	case TLS_TX:	491	case TLS_TX:
		492	case TLS_RX:
434	lock_sock(sk);	493	lock_sock(sk);
435	rc = do_tls_setsockopt_tx(sk, optval, optlen);	494	rc = do_tls_setsockopt_conf(sk, optval, optlen,
		495	optname == TLS_TX);
436	release_sock(sk);	496	release_sock(sk);
437	break;	497	break;
438	default:	498	default:
@@ -453,12 +513,113 @@ static int tls_setsockopt(struct sock *sk, int level, int optname,
453	return do_tls_setsockopt(sk, optname, optval, optlen);	513	return do_tls_setsockopt(sk, optname, optval, optlen);
454	}	514	}
455		515
456	static int tls_init(struct sock *sk)	516	static struct tls_context create_ctx(struct sock sk)
457	{	517	{
458	struct inet_connection_sock *icsk = inet_csk(sk);	518	struct inet_connection_sock *icsk = inet_csk(sk);
459	struct tls_context *ctx;	519	struct tls_context *ctx;
		520
		521	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
		522	if (!ctx)
		523	return NULL;
		524
		525	icsk->icsk_ulp_data = ctx;
		526	return ctx;
		527	}
		528
		529	static int tls_hw_prot(struct sock *sk)
		530	{
		531	struct tls_context *ctx;
		532	struct tls_device *dev;
		533	int rc = 0;
		534
		535	mutex_lock(&device_mutex);
		536	list_for_each_entry(dev, &device_list, dev_list) {
		537	if (dev->feature && dev->feature(dev)) {
		538	ctx = create_ctx(sk);
		539	if (!ctx)
		540	goto out;
		541
		542	ctx->hash = sk->sk_prot->hash;
		543	ctx->unhash = sk->sk_prot->unhash;
		544	ctx->sk_proto_close = sk->sk_prot->close;
		545	ctx->conf = TLS_HW_RECORD;
		546	update_sk_prot(sk, ctx);
		547	rc = 1;
		548	break;
		549	}
		550	}
		551	out:
		552	mutex_unlock(&device_mutex);
		553	return rc;
		554	}
		555
		556	static void tls_hw_unhash(struct sock *sk)
		557	{
		558	struct tls_context *ctx = tls_get_ctx(sk);
		559	struct tls_device *dev;
		560
		561	mutex_lock(&device_mutex);
		562	list_for_each_entry(dev, &device_list, dev_list) {
		563	if (dev->unhash)
		564	dev->unhash(dev, sk);
		565	}
		566	mutex_unlock(&device_mutex);
		567	ctx->unhash(sk);
		568	}
		569
		570	static int tls_hw_hash(struct sock *sk)
		571	{
		572	struct tls_context *ctx = tls_get_ctx(sk);
		573	struct tls_device *dev;
		574	int err;
		575
		576	err = ctx->hash(sk);
		577	mutex_lock(&device_mutex);
		578	list_for_each_entry(dev, &device_list, dev_list) {
		579	if (dev->hash)
		580	err \|= dev->hash(dev, sk);
		581	}
		582	mutex_unlock(&device_mutex);
		583
		584	if (err)
		585	tls_hw_unhash(sk);
		586	return err;
		587	}
		588
		589	static void build_protos(struct proto prot, struct proto base)
		590	{
		591	prot[TLS_BASE] = *base;
		592	prot[TLS_BASE].setsockopt = tls_setsockopt;
		593	prot[TLS_BASE].getsockopt = tls_getsockopt;
		594	prot[TLS_BASE].close = tls_sk_proto_close;
		595
		596	prot[TLS_SW_TX] = prot[TLS_BASE];
		597	prot[TLS_SW_TX].sendmsg = tls_sw_sendmsg;
		598	prot[TLS_SW_TX].sendpage = tls_sw_sendpage;
		599
		600	prot[TLS_SW_RX] = prot[TLS_BASE];
		601	prot[TLS_SW_RX].recvmsg = tls_sw_recvmsg;
		602	prot[TLS_SW_RX].close = tls_sk_proto_close;
		603
		604	prot[TLS_SW_RXTX] = prot[TLS_SW_TX];
		605	prot[TLS_SW_RXTX].recvmsg = tls_sw_recvmsg;
		606	prot[TLS_SW_RXTX].close = tls_sk_proto_close;
		607
		608	prot[TLS_HW_RECORD] = *base;
		609	prot[TLS_HW_RECORD].hash = tls_hw_hash;
		610	prot[TLS_HW_RECORD].unhash = tls_hw_unhash;
		611	prot[TLS_HW_RECORD].close = tls_sk_proto_close;
		612	}
		613
		614	static int tls_init(struct sock *sk)
		615	{
		616	int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
		617	struct tls_context *ctx;
460	int rc = 0;	618	int rc = 0;
461		619
		620	if (tls_hw_prot(sk))
		621	goto out;
		622
462	/* The TLS ulp is currently supported only for TCP sockets	623	/* The TLS ulp is currently supported only for TCP sockets
463	* in ESTABLISHED state.	624	* in ESTABLISHED state.
464	* Supporting sockets in LISTEN state will require us	625	* Supporting sockets in LISTEN state will require us
@@ -469,22 +630,48 @@ static int tls_init(struct sock *sk)
469	return -ENOTSUPP;	630	return -ENOTSUPP;
470		631
471	/* allocate tls context */	632	/* allocate tls context */
472	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);	633	ctx = create_ctx(sk);
473	if (!ctx) {	634	if (!ctx) {
474	rc = -ENOMEM;	635	rc = -ENOMEM;
475	goto out;	636	goto out;
476	}	637	}
477	icsk->icsk_ulp_data = ctx;
478	ctx->setsockopt = sk->sk_prot->setsockopt;	638	ctx->setsockopt = sk->sk_prot->setsockopt;
479	ctx->getsockopt = sk->sk_prot->getsockopt;	639	ctx->getsockopt = sk->sk_prot->getsockopt;
480	ctx->sk_proto_close = sk->sk_prot->close;	640	ctx->sk_proto_close = sk->sk_prot->close;
481		641
482	ctx->tx_conf = TLS_BASE_TX;	642	/* Build IPv6 TLS whenever the address of tcpv6_prot changes */
		643	if (ip_ver == TLSV6 &&
		644	unlikely(sk->sk_prot != smp_load_acquire(&saved_tcpv6_prot))) {
		645	mutex_lock(&tcpv6_prot_mutex);
		646	if (likely(sk->sk_prot != saved_tcpv6_prot)) {
		647	build_protos(tls_prots[TLSV6], sk->sk_prot);
		648	smp_store_release(&saved_tcpv6_prot, sk->sk_prot);
		649	}
		650	mutex_unlock(&tcpv6_prot_mutex);
		651	}
		652
		653	ctx->conf = TLS_BASE;
483	update_sk_prot(sk, ctx);	654	update_sk_prot(sk, ctx);
484	out:	655	out:
485	return rc;	656	return rc;
486	}	657	}
487		658
		659	void tls_register_device(struct tls_device *device)
		660	{
		661	mutex_lock(&device_mutex);
		662	list_add_tail(&device->dev_list, &device_list);
		663	mutex_unlock(&device_mutex);
		664	}
		665	EXPORT_SYMBOL(tls_register_device);
		666
		667	void tls_unregister_device(struct tls_device *device)
		668	{
		669	mutex_lock(&device_mutex);
		670	list_del(&device->dev_list);
		671	mutex_unlock(&device_mutex);
		672	}
		673	EXPORT_SYMBOL(tls_unregister_device);
		674
488	static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {	675	static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
489	.name = "tls",	676	.name = "tls",
490	.uid = TCP_ULP_TLS,	677	.uid = TCP_ULP_TLS,
@@ -493,21 +680,13 @@ static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
493	.init = tls_init,	680	.init = tls_init,
494	};	681	};
495		682
496	static void build_protos(struct proto prot, struct proto base)
497	{
498	prot[TLS_BASE_TX] = *base;
499	prot[TLS_BASE_TX].setsockopt = tls_setsockopt;
500	prot[TLS_BASE_TX].getsockopt = tls_getsockopt;
501	prot[TLS_BASE_TX].close = tls_sk_proto_close;
502
503	prot[TLS_SW_TX] = prot[TLS_BASE_TX];
504	prot[TLS_SW_TX].sendmsg = tls_sw_sendmsg;
505	prot[TLS_SW_TX].sendpage = tls_sw_sendpage;
506	}
507
508	static int __init tls_register(void)	683	static int __init tls_register(void)
509	{	684	{
510	build_protos(tls_prots, &tcp_prot);	685	build_protos(tls_prots[TLSV4], &tcp_prot);
		686
		687	tls_sw_proto_ops = inet_stream_ops;
		688	tls_sw_proto_ops.poll = tls_sw_poll;
		689	tls_sw_proto_ops.splice_read = tls_sw_splice_read;
511		690
512	tcp_register_ulp(&tcp_tls_ulp_ops);	691	tcp_register_ulp(&tcp_tls_ulp_ops);
513		692