Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge branch 'tls-pad-strparser-internal-header-decrypt_ctx-etc'

Jakub Kicinski says:

====================
tls: pad strparser, internal header, decrypt_ctx etc.

A grab bag of non-functional refactoring to make the series
which will let us decrypt into a fresh skb smaller.

Patches in this series are not strictly required to get the
decryption into a fresh skb going, they are more in the "things
which had been annoying me for a while" category.
====================

Link: https://lore.kernel.org/r/20220708010314.1451462-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+418 -359
+8 -4
include/net/strparser.h
··· 65 65 struct sk_skb_cb { 66 66 #define SK_SKB_CB_PRIV_LEN 20 67 67 unsigned char data[SK_SKB_CB_PRIV_LEN]; 68 + /* align strp on cache line boundary within skb->cb[] */ 69 + unsigned char pad[4]; 68 70 struct _strp_msg strp; 69 - /* temp_reg is a temporary register used for bpf_convert_data_end_access 70 - * when dst_reg == src_reg. 71 - */ 72 - u64 temp_reg; 71 + 72 + /* strp users' data follows */ 73 73 struct tls_msg { 74 74 u8 control; 75 75 u8 decrypted; 76 76 } tls; 77 + /* temp_reg is a temporary register used for bpf_convert_data_end_access 78 + * when dst_reg == src_reg. 79 + */ 80 + u64 temp_reg; 77 81 }; 78 82 79 83 static inline struct strp_msg *strp_msg(struct sk_buff *skb)
+2 -276
include/net/tls.h
··· 39 39 #include <linux/crypto.h> 40 40 #include <linux/socket.h> 41 41 #include <linux/tcp.h> 42 - #include <linux/skmsg.h> 43 42 #include <linux/mutex.h> 44 43 #include <linux/netdevice.h> 45 44 #include <linux/rcupdate.h> ··· 49 50 #include <crypto/aead.h> 50 51 #include <uapi/linux/tls.h> 51 52 53 + struct tls_rec; 52 54 53 55 /* Maximum data size carried in a TLS record */ 54 56 #define TLS_MAX_PAYLOAD_SIZE ((size_t)1 << 14) ··· 66 66 #define MAX_IV_SIZE 16 67 67 #define TLS_TAG_SIZE 16 68 68 #define TLS_MAX_REC_SEQ_SIZE 8 69 + #define TLS_MAX_AAD_SIZE TLS_AAD_SPACE_SIZE 69 70 70 71 /* For CCM mode, the full 16-bytes of IV is made of '4' fields of given sizes. 71 72 * ··· 78 77 #define TLS_AES_CCM_IV_B0_BYTE 2 79 78 #define TLS_SM4_CCM_IV_B0_BYTE 2 80 79 81 - #define __TLS_INC_STATS(net, field) \ 82 - __SNMP_INC_STATS((net)->mib.tls_statistics, field) 83 - #define TLS_INC_STATS(net, field) \ 84 - SNMP_INC_STATS((net)->mib.tls_statistics, field) 85 - #define TLS_DEC_STATS(net, field) \ 86 - SNMP_DEC_STATS((net)->mib.tls_statistics, field) 87 - 88 80 enum { 89 81 TLS_BASE, 90 82 TLS_SW, 91 83 TLS_HW, 92 84 TLS_HW_RECORD, 93 85 TLS_NUM_CONFIG, 94 - }; 95 - 96 - /* TLS records are maintained in 'struct tls_rec'. It stores the memory pages 97 - * allocated or mapped for each TLS record. After encryption, the records are 98 - * stores in a linked list. 99 - */ 100 - struct tls_rec { 101 - struct list_head list; 102 - int tx_ready; 103 - int tx_flags; 104 - 105 - struct sk_msg msg_plaintext; 106 - struct sk_msg msg_encrypted; 107 - 108 - /* AAD | msg_plaintext.sg.data | sg_tag */ 109 - struct scatterlist sg_aead_in[2]; 110 - /* AAD | msg_encrypted.sg.data (data contains overhead for hdr & iv & tag) */ 111 - struct scatterlist sg_aead_out[2]; 112 - 113 - char content_type; 114 - struct scatterlist sg_content_type; 115 - 116 - char aad_space[TLS_AAD_SPACE_SIZE]; 117 - u8 iv_data[MAX_IV_SIZE]; 118 - struct aead_request aead_req; 119 - u8 aead_req_ctx[]; 120 86 }; 121 87 122 88 struct tx_work { ··· 316 348 #define TLS_OFFLOAD_CONTEXT_SIZE_RX \ 317 349 (sizeof(struct tls_offload_context_rx) + TLS_DRIVER_STATE_SIZE_RX) 318 350 319 - struct tls_context *tls_ctx_create(struct sock *sk); 320 - void tls_ctx_free(struct sock *sk, struct tls_context *ctx); 321 - void update_sk_prot(struct sock *sk, struct tls_context *ctx); 322 - 323 - int wait_on_pending_writer(struct sock *sk, long *timeo); 324 - int tls_sk_query(struct sock *sk, int optname, char __user *optval, 325 - int __user *optlen); 326 - int tls_sk_attach(struct sock *sk, int optname, char __user *optval, 327 - unsigned int optlen); 328 - void tls_err_abort(struct sock *sk, int err); 329 - 330 - int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx); 331 - void tls_update_rx_zc_capable(struct tls_context *tls_ctx); 332 - void tls_sw_strparser_arm(struct sock *sk, struct tls_context *ctx); 333 - void tls_sw_strparser_done(struct tls_context *tls_ctx); 334 - int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size); 335 - int tls_sw_sendpage_locked(struct sock *sk, struct page *page, 336 - int offset, size_t size, int flags); 337 - int tls_sw_sendpage(struct sock *sk, struct page *page, 338 - int offset, size_t size, int flags); 339 - void tls_sw_cancel_work_tx(struct tls_context *tls_ctx); 340 - void tls_sw_release_resources_tx(struct sock *sk); 341 - void tls_sw_free_ctx_tx(struct tls_context *tls_ctx); 342 - void tls_sw_free_resources_rx(struct sock *sk); 343 - void tls_sw_release_resources_rx(struct sock *sk); 344 - void tls_sw_free_ctx_rx(struct tls_context *tls_ctx); 345 - int tls_sw_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, 346 - int flags, int *addr_len); 347 - bool tls_sw_sock_is_readable(struct sock *sk); 348 - ssize_t tls_sw_splice_read(struct socket *sock, loff_t *ppos, 349 - struct pipe_inode_info *pipe, 350 - size_t len, unsigned int flags); 351 - 352 - int tls_device_sendmsg(struct sock *sk, struct msghdr *msg, size_t size); 353 - int tls_device_sendpage(struct sock *sk, struct page *page, 354 - int offset, size_t size, int flags); 355 - int tls_tx_records(struct sock *sk, int flags); 356 - 357 351 struct tls_record_info *tls_get_record(struct tls_offload_context_tx *context, 358 352 u32 seq, u64 *p_record_sn); 359 353 ··· 327 397 static inline u32 tls_record_start_seq(struct tls_record_info *rec) 328 398 { 329 399 return rec->end_seq - rec->len; 330 - } 331 - 332 - int tls_push_sg(struct sock *sk, struct tls_context *ctx, 333 - struct scatterlist *sg, u16 first_offset, 334 - int flags); 335 - int tls_push_partial_record(struct sock *sk, struct tls_context *ctx, 336 - int flags); 337 - void tls_free_partial_record(struct sock *sk, struct tls_context *ctx); 338 - 339 - static inline struct tls_msg *tls_msg(struct sk_buff *skb) 340 - { 341 - struct sk_skb_cb *scb = (struct sk_skb_cb *)skb->cb; 342 - 343 - return &scb->tls; 344 - } 345 - 346 - static inline bool tls_is_partially_sent_record(struct tls_context *ctx) 347 - { 348 - return !!ctx->partially_sent_record; 349 - } 350 - 351 - static inline bool tls_is_pending_open_record(struct tls_context *tls_ctx) 352 - { 353 - return tls_ctx->pending_open_record_frags; 354 - } 355 - 356 - static inline bool is_tx_ready(struct tls_sw_context_tx *ctx) 357 - { 358 - struct tls_rec *rec; 359 - 360 - rec = list_first_entry(&ctx->tx_list, struct tls_rec, list); 361 - if (!rec) 362 - return false; 363 - 364 - return READ_ONCE(rec->tx_ready); 365 - } 366 - 367 - static inline u16 tls_user_config(struct tls_context *ctx, bool tx) 368 - { 369 - u16 config = tx ? ctx->tx_conf : ctx->rx_conf; 370 - 371 - switch (config) { 372 - case TLS_BASE: 373 - return TLS_CONF_BASE; 374 - case TLS_SW: 375 - return TLS_CONF_SW; 376 - case TLS_HW: 377 - return TLS_CONF_HW; 378 - case TLS_HW_RECORD: 379 - return TLS_CONF_HW_RECORD; 380 - } 381 - return 0; 382 400 } 383 401 384 402 struct sk_buff * ··· 347 469 #endif 348 470 } 349 471 350 - static inline bool tls_bigint_increment(unsigned char *seq, int len) 351 - { 352 - int i; 353 - 354 - for (i = len - 1; i >= 0; i--) { 355 - ++seq[i]; 356 - if (seq[i] != 0) 357 - break; 358 - } 359 - 360 - return (i == -1); 361 - } 362 - 363 - static inline void tls_bigint_subtract(unsigned char *seq, int n) 364 - { 365 - u64 rcd_sn; 366 - __be64 *p; 367 - 368 - BUILD_BUG_ON(TLS_MAX_REC_SEQ_SIZE != 8); 369 - 370 - p = (__be64 *)seq; 371 - rcd_sn = be64_to_cpu(*p); 372 - *p = cpu_to_be64(rcd_sn - n); 373 - } 374 - 375 472 static inline struct tls_context *tls_get_ctx(const struct sock *sk) 376 473 { 377 474 struct inet_connection_sock *icsk = inet_csk(sk); ··· 356 503 */ 357 504 return (__force void *)icsk->icsk_ulp_data; 358 505 } 359 - 360 - static inline void tls_advance_record_sn(struct sock *sk, 361 - struct tls_prot_info *prot, 362 - struct cipher_context *ctx) 363 - { 364 - if (tls_bigint_increment(ctx->rec_seq, prot->rec_seq_size)) 365 - tls_err_abort(sk, -EBADMSG); 366 - 367 - if (prot->version != TLS_1_3_VERSION && 368 - prot->cipher_type != TLS_CIPHER_CHACHA20_POLY1305) 369 - tls_bigint_increment(ctx->iv + prot->salt_size, 370 - prot->iv_size); 371 - } 372 - 373 - static inline void tls_fill_prepend(struct tls_context *ctx, 374 - char *buf, 375 - size_t plaintext_len, 376 - unsigned char record_type) 377 - { 378 - struct tls_prot_info *prot = &ctx->prot_info; 379 - size_t pkt_len, iv_size = prot->iv_size; 380 - 381 - pkt_len = plaintext_len + prot->tag_size; 382 - if (prot->version != TLS_1_3_VERSION && 383 - prot->cipher_type != TLS_CIPHER_CHACHA20_POLY1305) { 384 - pkt_len += iv_size; 385 - 386 - memcpy(buf + TLS_NONCE_OFFSET, 387 - ctx->tx.iv + prot->salt_size, iv_size); 388 - } 389 - 390 - /* we cover nonce explicit here as well, so buf should be of 391 - * size KTLS_DTLS_HEADER_SIZE + KTLS_DTLS_NONCE_EXPLICIT_SIZE 392 - */ 393 - buf[0] = prot->version == TLS_1_3_VERSION ? 394 - TLS_RECORD_TYPE_DATA : record_type; 395 - /* Note that VERSION must be TLS_1_2 for both TLS1.2 and TLS1.3 */ 396 - buf[1] = TLS_1_2_VERSION_MINOR; 397 - buf[2] = TLS_1_2_VERSION_MAJOR; 398 - /* we can use IV for nonce explicit according to spec */ 399 - buf[3] = pkt_len >> 8; 400 - buf[4] = pkt_len & 0xFF; 401 - } 402 - 403 - static inline void tls_make_aad(char *buf, 404 - size_t size, 405 - char *record_sequence, 406 - unsigned char record_type, 407 - struct tls_prot_info *prot) 408 - { 409 - if (prot->version != TLS_1_3_VERSION) { 410 - memcpy(buf, record_sequence, prot->rec_seq_size); 411 - buf += 8; 412 - } else { 413 - size += prot->tag_size; 414 - } 415 - 416 - buf[0] = prot->version == TLS_1_3_VERSION ? 417 - TLS_RECORD_TYPE_DATA : record_type; 418 - buf[1] = TLS_1_2_VERSION_MAJOR; 419 - buf[2] = TLS_1_2_VERSION_MINOR; 420 - buf[3] = size >> 8; 421 - buf[4] = size & 0xFF; 422 - } 423 - 424 - static inline void xor_iv_with_seq(struct tls_prot_info *prot, char *iv, char *seq) 425 - { 426 - int i; 427 - 428 - if (prot->version == TLS_1_3_VERSION || 429 - prot->cipher_type == TLS_CIPHER_CHACHA20_POLY1305) { 430 - for (i = 0; i < 8; i++) 431 - iv[i + 4] ^= seq[i]; 432 - } 433 - } 434 - 435 506 436 507 static inline struct tls_sw_context_rx *tls_sw_ctx_rx( 437 508 const struct tls_context *tls_ctx) ··· 392 615 return false; 393 616 return !!tls_sw_ctx_rx(ctx); 394 617 } 395 - 396 - void tls_sw_write_space(struct sock *sk, struct tls_context *ctx); 397 - void tls_device_write_space(struct sock *sk, struct tls_context *ctx); 398 618 399 619 static inline struct tls_offload_context_rx * 400 620 tls_offload_ctx_rx(const struct tls_context *tls_ctx) ··· 467 693 return ret; 468 694 } 469 695 470 - int __net_init tls_proc_init(struct net *net); 471 - void __net_exit tls_proc_fini(struct net *net); 472 - 473 - int tls_proccess_cmsg(struct sock *sk, struct msghdr *msg, 474 - unsigned char *record_type); 475 - int decrypt_skb(struct sock *sk, struct sk_buff *skb, 476 - struct scatterlist *sgout); 477 696 struct sk_buff *tls_encrypt_skb(struct sk_buff *skb); 478 697 479 - int tls_sw_fallback_init(struct sock *sk, 480 - struct tls_offload_context_tx *offload_ctx, 481 - struct tls_crypto_info *crypto_info); 482 - 483 698 #ifdef CONFIG_TLS_DEVICE 484 - void tls_device_init(void); 485 - void tls_device_cleanup(void); 486 699 void tls_device_sk_destruct(struct sock *sk); 487 - int tls_set_device_offload(struct sock *sk, struct tls_context *ctx); 488 - void tls_device_free_resources_tx(struct sock *sk); 489 - int tls_set_device_offload_rx(struct sock *sk, struct tls_context *ctx); 490 - void tls_device_offload_cleanup_rx(struct sock *sk); 491 - void tls_device_rx_resync_new_rec(struct sock *sk, u32 rcd_len, u32 seq); 492 700 void tls_offload_tx_resync_request(struct sock *sk, u32 got_seq, u32 exp_seq); 493 - int tls_device_decrypted(struct sock *sk, struct tls_context *tls_ctx, 494 - struct sk_buff *skb, struct strp_msg *rxm); 495 701 496 702 static inline bool tls_is_sk_rx_device_offloaded(struct sock *sk) 497 703 { ··· 479 725 smp_load_acquire(&sk->sk_destruct) != tls_device_sk_destruct) 480 726 return false; 481 727 return tls_get_ctx(sk)->rx_conf == TLS_HW; 482 - } 483 - #else 484 - static inline void tls_device_init(void) {} 485 - static inline void tls_device_cleanup(void) {} 486 - 487 - static inline int 488 - tls_set_device_offload(struct sock *sk, struct tls_context *ctx) 489 - { 490 - return -EOPNOTSUPP; 491 - } 492 - 493 - static inline void tls_device_free_resources_tx(struct sock *sk) {} 494 - 495 - static inline int 496 - tls_set_device_offload_rx(struct sock *sk, struct tls_context *ctx) 497 - { 498 - return -EOPNOTSUPP; 499 - } 500 - 501 - static inline void tls_device_offload_cleanup_rx(struct sock *sk) {} 502 - static inline void 503 - tls_device_rx_resync_new_rec(struct sock *sk, u32 rcd_len, u32 seq) {} 504 - 505 - static inline int 506 - tls_device_decrypted(struct sock *sk, struct tls_context *tls_ctx, 507 - struct sk_buff *skb, struct strp_msg *rxm) 508 - { 509 - return 0; 510 728 } 511 729 #endif 512 730 #endif /* _TLS_OFFLOAD_H */
+3
net/strparser/strparser.c
··· 533 533 534 534 static int __init strp_dev_init(void) 535 535 { 536 + BUILD_BUG_ON(sizeof(struct sk_skb_cb) > 537 + sizeof_field(struct sk_buff, cb)); 538 + 536 539 strp_wq = create_singlethread_workqueue("kstrp"); 537 540 if (unlikely(!strp_wq)) 538 541 return -ENOMEM;
+290
net/tls/tls.h
··· 1 + /* 2 + * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved. 3 + * Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved. 4 + * 5 + * This software is available to you under a choice of one of two 6 + * licenses. You may choose to be licensed under the terms of the GNU 7 + * General Public License (GPL) Version 2, available from the file 8 + * COPYING in the main directory of this source tree, or the 9 + * OpenIB.org BSD license below: 10 + * 11 + * Redistribution and use in source and binary forms, with or 12 + * without modification, are permitted provided that the following 13 + * conditions are met: 14 + * 15 + * - Redistributions of source code must retain the above 16 + * copyright notice, this list of conditions and the following 17 + * disclaimer. 18 + * 19 + * - Redistributions in binary form must reproduce the above 20 + * copyright notice, this list of conditions and the following 21 + * disclaimer in the documentation and/or other materials 22 + * provided with the distribution. 23 + * 24 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 25 + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 26 + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 27 + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 28 + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 29 + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 30 + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 31 + * SOFTWARE. 32 + */ 33 + 34 + #ifndef _TLS_INT_H 35 + #define _TLS_INT_H 36 + 37 + #include <asm/byteorder.h> 38 + #include <linux/types.h> 39 + #include <linux/skmsg.h> 40 + #include <net/tls.h> 41 + 42 + #define __TLS_INC_STATS(net, field) \ 43 + __SNMP_INC_STATS((net)->mib.tls_statistics, field) 44 + #define TLS_INC_STATS(net, field) \ 45 + SNMP_INC_STATS((net)->mib.tls_statistics, field) 46 + #define TLS_DEC_STATS(net, field) \ 47 + SNMP_DEC_STATS((net)->mib.tls_statistics, field) 48 + 49 + /* TLS records are maintained in 'struct tls_rec'. It stores the memory pages 50 + * allocated or mapped for each TLS record. After encryption, the records are 51 + * stores in a linked list. 52 + */ 53 + struct tls_rec { 54 + struct list_head list; 55 + int tx_ready; 56 + int tx_flags; 57 + 58 + struct sk_msg msg_plaintext; 59 + struct sk_msg msg_encrypted; 60 + 61 + /* AAD | msg_plaintext.sg.data | sg_tag */ 62 + struct scatterlist sg_aead_in[2]; 63 + /* AAD | msg_encrypted.sg.data (data contains overhead for hdr & iv & tag) */ 64 + struct scatterlist sg_aead_out[2]; 65 + 66 + char content_type; 67 + struct scatterlist sg_content_type; 68 + 69 + char aad_space[TLS_AAD_SPACE_SIZE]; 70 + u8 iv_data[MAX_IV_SIZE]; 71 + struct aead_request aead_req; 72 + u8 aead_req_ctx[]; 73 + }; 74 + 75 + int __net_init tls_proc_init(struct net *net); 76 + void __net_exit tls_proc_fini(struct net *net); 77 + 78 + struct tls_context *tls_ctx_create(struct sock *sk); 79 + void tls_ctx_free(struct sock *sk, struct tls_context *ctx); 80 + void update_sk_prot(struct sock *sk, struct tls_context *ctx); 81 + 82 + int wait_on_pending_writer(struct sock *sk, long *timeo); 83 + int tls_sk_query(struct sock *sk, int optname, char __user *optval, 84 + int __user *optlen); 85 + int tls_sk_attach(struct sock *sk, int optname, char __user *optval, 86 + unsigned int optlen); 87 + void tls_err_abort(struct sock *sk, int err); 88 + 89 + int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx); 90 + void tls_update_rx_zc_capable(struct tls_context *tls_ctx); 91 + void tls_sw_strparser_arm(struct sock *sk, struct tls_context *ctx); 92 + void tls_sw_strparser_done(struct tls_context *tls_ctx); 93 + int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size); 94 + int tls_sw_sendpage_locked(struct sock *sk, struct page *page, 95 + int offset, size_t size, int flags); 96 + int tls_sw_sendpage(struct sock *sk, struct page *page, 97 + int offset, size_t size, int flags); 98 + void tls_sw_cancel_work_tx(struct tls_context *tls_ctx); 99 + void tls_sw_release_resources_tx(struct sock *sk); 100 + void tls_sw_free_ctx_tx(struct tls_context *tls_ctx); 101 + void tls_sw_free_resources_rx(struct sock *sk); 102 + void tls_sw_release_resources_rx(struct sock *sk); 103 + void tls_sw_free_ctx_rx(struct tls_context *tls_ctx); 104 + int tls_sw_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, 105 + int flags, int *addr_len); 106 + bool tls_sw_sock_is_readable(struct sock *sk); 107 + ssize_t tls_sw_splice_read(struct socket *sock, loff_t *ppos, 108 + struct pipe_inode_info *pipe, 109 + size_t len, unsigned int flags); 110 + 111 + int tls_device_sendmsg(struct sock *sk, struct msghdr *msg, size_t size); 112 + int tls_device_sendpage(struct sock *sk, struct page *page, 113 + int offset, size_t size, int flags); 114 + int tls_tx_records(struct sock *sk, int flags); 115 + 116 + void tls_sw_write_space(struct sock *sk, struct tls_context *ctx); 117 + void tls_device_write_space(struct sock *sk, struct tls_context *ctx); 118 + 119 + int tls_process_cmsg(struct sock *sk, struct msghdr *msg, 120 + unsigned char *record_type); 121 + int decrypt_skb(struct sock *sk, struct sk_buff *skb, 122 + struct scatterlist *sgout); 123 + 124 + int tls_sw_fallback_init(struct sock *sk, 125 + struct tls_offload_context_tx *offload_ctx, 126 + struct tls_crypto_info *crypto_info); 127 + 128 + static inline struct tls_msg *tls_msg(struct sk_buff *skb) 129 + { 130 + struct sk_skb_cb *scb = (struct sk_skb_cb *)skb->cb; 131 + 132 + return &scb->tls; 133 + } 134 + 135 + #ifdef CONFIG_TLS_DEVICE 136 + void tls_device_init(void); 137 + void tls_device_cleanup(void); 138 + int tls_set_device_offload(struct sock *sk, struct tls_context *ctx); 139 + void tls_device_free_resources_tx(struct sock *sk); 140 + int tls_set_device_offload_rx(struct sock *sk, struct tls_context *ctx); 141 + void tls_device_offload_cleanup_rx(struct sock *sk); 142 + void tls_device_rx_resync_new_rec(struct sock *sk, u32 rcd_len, u32 seq); 143 + int tls_device_decrypted(struct sock *sk, struct tls_context *tls_ctx, 144 + struct sk_buff *skb, struct strp_msg *rxm); 145 + #else 146 + static inline void tls_device_init(void) {} 147 + static inline void tls_device_cleanup(void) {} 148 + 149 + static inline int 150 + tls_set_device_offload(struct sock *sk, struct tls_context *ctx) 151 + { 152 + return -EOPNOTSUPP; 153 + } 154 + 155 + static inline void tls_device_free_resources_tx(struct sock *sk) {} 156 + 157 + static inline int 158 + tls_set_device_offload_rx(struct sock *sk, struct tls_context *ctx) 159 + { 160 + return -EOPNOTSUPP; 161 + } 162 + 163 + static inline void tls_device_offload_cleanup_rx(struct sock *sk) {} 164 + static inline void 165 + tls_device_rx_resync_new_rec(struct sock *sk, u32 rcd_len, u32 seq) {} 166 + 167 + static inline int 168 + tls_device_decrypted(struct sock *sk, struct tls_context *tls_ctx, 169 + struct sk_buff *skb, struct strp_msg *rxm) 170 + { 171 + return 0; 172 + } 173 + #endif 174 + 175 + int tls_push_sg(struct sock *sk, struct tls_context *ctx, 176 + struct scatterlist *sg, u16 first_offset, 177 + int flags); 178 + int tls_push_partial_record(struct sock *sk, struct tls_context *ctx, 179 + int flags); 180 + void tls_free_partial_record(struct sock *sk, struct tls_context *ctx); 181 + 182 + static inline bool tls_is_partially_sent_record(struct tls_context *ctx) 183 + { 184 + return !!ctx->partially_sent_record; 185 + } 186 + 187 + static inline bool tls_is_pending_open_record(struct tls_context *tls_ctx) 188 + { 189 + return tls_ctx->pending_open_record_frags; 190 + } 191 + 192 + static inline bool tls_bigint_increment(unsigned char *seq, int len) 193 + { 194 + int i; 195 + 196 + for (i = len - 1; i >= 0; i--) { 197 + ++seq[i]; 198 + if (seq[i] != 0) 199 + break; 200 + } 201 + 202 + return (i == -1); 203 + } 204 + 205 + static inline void tls_bigint_subtract(unsigned char *seq, int n) 206 + { 207 + u64 rcd_sn; 208 + __be64 *p; 209 + 210 + BUILD_BUG_ON(TLS_MAX_REC_SEQ_SIZE != 8); 211 + 212 + p = (__be64 *)seq; 213 + rcd_sn = be64_to_cpu(*p); 214 + *p = cpu_to_be64(rcd_sn - n); 215 + } 216 + 217 + static inline void 218 + tls_advance_record_sn(struct sock *sk, struct tls_prot_info *prot, 219 + struct cipher_context *ctx) 220 + { 221 + if (tls_bigint_increment(ctx->rec_seq, prot->rec_seq_size)) 222 + tls_err_abort(sk, -EBADMSG); 223 + 224 + if (prot->version != TLS_1_3_VERSION && 225 + prot->cipher_type != TLS_CIPHER_CHACHA20_POLY1305) 226 + tls_bigint_increment(ctx->iv + prot->salt_size, 227 + prot->iv_size); 228 + } 229 + 230 + static inline void 231 + tls_xor_iv_with_seq(struct tls_prot_info *prot, char *iv, char *seq) 232 + { 233 + int i; 234 + 235 + if (prot->version == TLS_1_3_VERSION || 236 + prot->cipher_type == TLS_CIPHER_CHACHA20_POLY1305) { 237 + for (i = 0; i < 8; i++) 238 + iv[i + 4] ^= seq[i]; 239 + } 240 + } 241 + 242 + static inline void 243 + tls_fill_prepend(struct tls_context *ctx, char *buf, size_t plaintext_len, 244 + unsigned char record_type) 245 + { 246 + struct tls_prot_info *prot = &ctx->prot_info; 247 + size_t pkt_len, iv_size = prot->iv_size; 248 + 249 + pkt_len = plaintext_len + prot->tag_size; 250 + if (prot->version != TLS_1_3_VERSION && 251 + prot->cipher_type != TLS_CIPHER_CHACHA20_POLY1305) { 252 + pkt_len += iv_size; 253 + 254 + memcpy(buf + TLS_NONCE_OFFSET, 255 + ctx->tx.iv + prot->salt_size, iv_size); 256 + } 257 + 258 + /* we cover nonce explicit here as well, so buf should be of 259 + * size KTLS_DTLS_HEADER_SIZE + KTLS_DTLS_NONCE_EXPLICIT_SIZE 260 + */ 261 + buf[0] = prot->version == TLS_1_3_VERSION ? 262 + TLS_RECORD_TYPE_DATA : record_type; 263 + /* Note that VERSION must be TLS_1_2 for both TLS1.2 and TLS1.3 */ 264 + buf[1] = TLS_1_2_VERSION_MINOR; 265 + buf[2] = TLS_1_2_VERSION_MAJOR; 266 + /* we can use IV for nonce explicit according to spec */ 267 + buf[3] = pkt_len >> 8; 268 + buf[4] = pkt_len & 0xFF; 269 + } 270 + 271 + static inline 272 + void tls_make_aad(char *buf, size_t size, char *record_sequence, 273 + unsigned char record_type, struct tls_prot_info *prot) 274 + { 275 + if (prot->version != TLS_1_3_VERSION) { 276 + memcpy(buf, record_sequence, prot->rec_seq_size); 277 + buf += 8; 278 + } else { 279 + size += prot->tag_size; 280 + } 281 + 282 + buf[0] = prot->version == TLS_1_3_VERSION ? 283 + TLS_RECORD_TYPE_DATA : record_type; 284 + buf[1] = TLS_1_2_VERSION_MAJOR; 285 + buf[2] = TLS_1_2_VERSION_MINOR; 286 + buf[3] = size >> 8; 287 + buf[4] = size & 0xFF; 288 + } 289 + 290 + #endif
+2 -1
net/tls/tls_device.c
··· 38 38 #include <net/tcp.h> 39 39 #include <net/tls.h> 40 40 41 + #include "tls.h" 41 42 #include "trace.h" 42 43 43 44 /* device_offload_lock is used to synchronize tls_dev_add ··· 563 562 lock_sock(sk); 564 563 565 564 if (unlikely(msg->msg_controllen)) { 566 - rc = tls_proccess_cmsg(sk, msg, &record_type); 565 + rc = tls_process_cmsg(sk, msg, &record_type); 567 566 if (rc) 568 567 goto out; 569 568 }
+2
net/tls/tls_device_fallback.c
··· 34 34 #include <crypto/scatterwalk.h> 35 35 #include <net/ip6_checksum.h> 36 36 37 + #include "tls.h" 38 + 37 39 static void chain_to_walk(struct scatterlist *sg, struct scatter_walk *walk) 38 40 { 39 41 struct scatterlist *src = walk->sg;
+21 -2
net/tls/tls_main.c
··· 45 45 #include <net/tls.h> 46 46 #include <net/tls_toe.h> 47 47 48 + #include "tls.h" 49 + 48 50 MODULE_AUTHOR("Mellanox Technologies"); 49 51 MODULE_DESCRIPTION("Transport Layer Security Support"); 50 52 MODULE_LICENSE("Dual BSD/GPL"); ··· 166 164 return 0; 167 165 } 168 166 169 - int tls_proccess_cmsg(struct sock *sk, struct msghdr *msg, 170 - unsigned char *record_type) 167 + int tls_process_cmsg(struct sock *sk, struct msghdr *msg, 168 + unsigned char *record_type) 171 169 { 172 170 struct cmsghdr *cmsg; 173 171 int rc = -EINVAL; ··· 1003 1001 WRITE_ONCE(sk->sk_prot, p); 1004 1002 sk->sk_write_space = write_space; 1005 1003 } 1004 + } 1005 + 1006 + static u16 tls_user_config(struct tls_context *ctx, bool tx) 1007 + { 1008 + u16 config = tx ? ctx->tx_conf : ctx->rx_conf; 1009 + 1010 + switch (config) { 1011 + case TLS_BASE: 1012 + return TLS_CONF_BASE; 1013 + case TLS_SW: 1014 + return TLS_CONF_SW; 1015 + case TLS_HW: 1016 + return TLS_CONF_HW; 1017 + case TLS_HW_RECORD: 1018 + return TLS_CONF_HW_RECORD; 1019 + } 1020 + return 0; 1006 1021 } 1007 1022 1008 1023 static int tls_get_info(const struct sock *sk, struct sk_buff *skb)
+2
net/tls/tls_proc.c
··· 6 6 #include <net/snmp.h> 7 7 #include <net/tls.h> 8 8 9 + #include "tls.h" 10 + 9 11 #ifdef CONFIG_PROC_FS 10 12 static const struct snmp_mib tls_mib_list[] = { 11 13 SNMP_MIB_ITEM("TlsCurrTxSw", LINUX_MIB_TLSCURRTXSW),
+86 -76
net/tls/tls_sw.c
··· 44 44 #include <net/strparser.h> 45 45 #include <net/tls.h> 46 46 47 + #include "tls.h" 48 + 47 49 struct tls_decrypt_arg { 48 50 bool zc; 49 51 bool async; 50 52 u8 tail; 53 + }; 54 + 55 + struct tls_decrypt_ctx { 56 + u8 iv[MAX_IV_SIZE]; 57 + u8 aad[TLS_MAX_AAD_SIZE]; 58 + u8 tail; 59 + struct scatterlist sg[]; 51 60 }; 52 61 53 62 noinline void tls_err_abort(struct sock *sk, int err) ··· 526 517 memcpy(&rec->iv_data[iv_offset], tls_ctx->tx.iv, 527 518 prot->iv_size + prot->salt_size); 528 519 529 - xor_iv_with_seq(prot, rec->iv_data + iv_offset, tls_ctx->tx.rec_seq); 520 + tls_xor_iv_with_seq(prot, rec->iv_data + iv_offset, 521 + tls_ctx->tx.rec_seq); 530 522 531 523 sge->offset += prot->prepend_size; 532 524 sge->length -= prot->prepend_size; ··· 964 954 lock_sock(sk); 965 955 966 956 if (unlikely(msg->msg_controllen)) { 967 - ret = tls_proccess_cmsg(sk, msg, &record_type); 957 + ret = tls_process_cmsg(sk, msg, &record_type); 968 958 if (ret) { 969 959 if (ret == -EINPROGRESS) 970 960 num_async++; ··· 1302 1292 return ret; 1303 1293 } 1304 1294 1305 - static struct sk_buff *tls_wait_data(struct sock *sk, struct sk_psock *psock, 1306 - bool nonblock, long timeo, int *err) 1295 + static int 1296 + tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock, 1297 + long timeo) 1307 1298 { 1308 1299 struct tls_context *tls_ctx = tls_get_ctx(sk); 1309 1300 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 1310 - struct sk_buff *skb; 1311 1301 DEFINE_WAIT_FUNC(wait, woken_wake_function); 1312 1302 1313 - while (!(skb = ctx->recv_pkt) && sk_psock_queue_empty(psock)) { 1314 - if (sk->sk_err) { 1315 - *err = sock_error(sk); 1316 - return NULL; 1317 - } 1303 + while (!ctx->recv_pkt) { 1304 + if (!sk_psock_queue_empty(psock)) 1305 + return 0; 1306 + 1307 + if (sk->sk_err) 1308 + return sock_error(sk); 1318 1309 1319 1310 if (!skb_queue_empty(&sk->sk_receive_queue)) { 1320 1311 __strp_unpause(&ctx->strp); 1321 1312 if (ctx->recv_pkt) 1322 - return ctx->recv_pkt; 1313 + break; 1323 1314 } 1324 1315 1325 1316 if (sk->sk_shutdown & RCV_SHUTDOWN) 1326 - return NULL; 1317 + return 0; 1327 1318 1328 1319 if (sock_flag(sk, SOCK_DONE)) 1329 - return NULL; 1320 + return 0; 1330 1321 1331 - if (nonblock || !timeo) { 1332 - *err = -EAGAIN; 1333 - return NULL; 1334 - } 1322 + if (nonblock || !timeo) 1323 + return -EAGAIN; 1335 1324 1336 1325 add_wait_queue(sk_sleep(sk), &wait); 1337 1326 sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk); 1338 1327 sk_wait_event(sk, &timeo, 1339 - ctx->recv_pkt != skb || 1340 - !sk_psock_queue_empty(psock), 1328 + ctx->recv_pkt || !sk_psock_queue_empty(psock), 1341 1329 &wait); 1342 1330 sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk); 1343 1331 remove_wait_queue(sk_sleep(sk), &wait); 1344 1332 1345 1333 /* Handle signals */ 1346 - if (signal_pending(current)) { 1347 - *err = sock_intr_errno(timeo); 1348 - return NULL; 1349 - } 1334 + if (signal_pending(current)) 1335 + return sock_intr_errno(timeo); 1350 1336 } 1351 1337 1352 - return skb; 1338 + return 1; 1353 1339 } 1354 1340 1355 1341 static int tls_setup_from_iter(struct iov_iter *from, ··· 1420 1414 struct tls_context *tls_ctx = tls_get_ctx(sk); 1421 1415 struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 1422 1416 struct tls_prot_info *prot = &tls_ctx->prot_info; 1417 + int n_sgin, n_sgout, aead_size, err, pages = 0; 1423 1418 struct strp_msg *rxm = strp_msg(skb); 1424 1419 struct tls_msg *tlm = tls_msg(skb); 1425 - int n_sgin, n_sgout, nsg, mem_size, aead_size, err, pages = 0; 1426 - u8 *aad, *iv, *tail, *mem = NULL; 1427 1420 struct aead_request *aead_req; 1428 1421 struct sk_buff *unused; 1429 1422 struct scatterlist *sgin = NULL; 1430 1423 struct scatterlist *sgout = NULL; 1431 1424 const int data_len = rxm->full_len - prot->overhead_size; 1432 1425 int tail_pages = !!prot->tail_size; 1426 + struct tls_decrypt_ctx *dctx; 1433 1427 int iv_offset = 0; 1428 + u8 *mem; 1434 1429 1435 1430 if (darg->zc && (out_iov || out_sg)) { 1436 1431 if (out_iov) ··· 1453 1446 /* Increment to accommodate AAD */ 1454 1447 n_sgin = n_sgin + 1; 1455 1448 1456 - nsg = n_sgin + n_sgout; 1457 - 1458 - aead_size = sizeof(*aead_req) + crypto_aead_reqsize(ctx->aead_recv); 1459 - mem_size = aead_size + (nsg * sizeof(struct scatterlist)); 1460 - mem_size = mem_size + prot->aad_size; 1461 - mem_size = mem_size + MAX_IV_SIZE; 1462 - mem_size = mem_size + prot->tail_size; 1463 - 1464 1449 /* Allocate a single block of memory which contains 1465 - * aead_req || sgin[] || sgout[] || aad || iv || tail. 1466 - * This order achieves correct alignment for aead_req, sgin, sgout. 1450 + * aead_req || tls_decrypt_ctx. 1451 + * Both structs are variable length. 1467 1452 */ 1468 - mem = kmalloc(mem_size, sk->sk_allocation); 1453 + aead_size = sizeof(*aead_req) + crypto_aead_reqsize(ctx->aead_recv); 1454 + mem = kmalloc(aead_size + struct_size(dctx, sg, n_sgin + n_sgout), 1455 + sk->sk_allocation); 1469 1456 if (!mem) 1470 1457 return -ENOMEM; 1471 1458 1472 1459 /* Segment the allocated memory */ 1473 1460 aead_req = (struct aead_request *)mem; 1474 - sgin = (struct scatterlist *)(mem + aead_size); 1475 - sgout = sgin + n_sgin; 1476 - aad = (u8 *)(sgout + n_sgout); 1477 - iv = aad + prot->aad_size; 1478 - tail = iv + MAX_IV_SIZE; 1461 + dctx = (struct tls_decrypt_ctx *)(mem + aead_size); 1462 + sgin = &dctx->sg[0]; 1463 + sgout = &dctx->sg[n_sgin]; 1479 1464 1480 1465 /* For CCM based ciphers, first byte of nonce+iv is a constant */ 1481 1466 switch (prot->cipher_type) { 1482 1467 case TLS_CIPHER_AES_CCM_128: 1483 - iv[0] = TLS_AES_CCM_IV_B0_BYTE; 1468 + dctx->iv[0] = TLS_AES_CCM_IV_B0_BYTE; 1484 1469 iv_offset = 1; 1485 1470 break; 1486 1471 case TLS_CIPHER_SM4_CCM: 1487 - iv[0] = TLS_SM4_CCM_IV_B0_BYTE; 1472 + dctx->iv[0] = TLS_SM4_CCM_IV_B0_BYTE; 1488 1473 iv_offset = 1; 1489 1474 break; 1490 1475 } ··· 1484 1485 /* Prepare IV */ 1485 1486 if (prot->version == TLS_1_3_VERSION || 1486 1487 prot->cipher_type == TLS_CIPHER_CHACHA20_POLY1305) { 1487 - memcpy(iv + iv_offset, tls_ctx->rx.iv, 1488 + memcpy(&dctx->iv[iv_offset], tls_ctx->rx.iv, 1488 1489 prot->iv_size + prot->salt_size); 1489 1490 } else { 1490 1491 err = skb_copy_bits(skb, rxm->offset + TLS_HEADER_SIZE, 1491 - iv + iv_offset + prot->salt_size, 1492 + &dctx->iv[iv_offset] + prot->salt_size, 1492 1493 prot->iv_size); 1493 - if (err < 0) { 1494 - kfree(mem); 1495 - return err; 1496 - } 1497 - memcpy(iv + iv_offset, tls_ctx->rx.iv, prot->salt_size); 1494 + if (err < 0) 1495 + goto exit_free; 1496 + memcpy(&dctx->iv[iv_offset], tls_ctx->rx.iv, prot->salt_size); 1498 1497 } 1499 - xor_iv_with_seq(prot, iv + iv_offset, tls_ctx->rx.rec_seq); 1498 + tls_xor_iv_with_seq(prot, &dctx->iv[iv_offset], tls_ctx->rx.rec_seq); 1500 1499 1501 1500 /* Prepare AAD */ 1502 - tls_make_aad(aad, rxm->full_len - prot->overhead_size + 1501 + tls_make_aad(dctx->aad, rxm->full_len - prot->overhead_size + 1503 1502 prot->tail_size, 1504 1503 tls_ctx->rx.rec_seq, tlm->control, prot); 1505 1504 1506 1505 /* Prepare sgin */ 1507 1506 sg_init_table(sgin, n_sgin); 1508 - sg_set_buf(&sgin[0], aad, prot->aad_size); 1507 + sg_set_buf(&sgin[0], dctx->aad, prot->aad_size); 1509 1508 err = skb_to_sgvec(skb, &sgin[1], 1510 1509 rxm->offset + prot->prepend_size, 1511 1510 rxm->full_len - prot->prepend_size); 1512 - if (err < 0) { 1513 - kfree(mem); 1514 - return err; 1515 - } 1511 + if (err < 0) 1512 + goto exit_free; 1516 1513 1517 1514 if (n_sgout) { 1518 1515 if (out_iov) { 1519 1516 sg_init_table(sgout, n_sgout); 1520 - sg_set_buf(&sgout[0], aad, prot->aad_size); 1517 + sg_set_buf(&sgout[0], dctx->aad, prot->aad_size); 1521 1518 1522 1519 err = tls_setup_from_iter(out_iov, data_len, 1523 1520 &pages, &sgout[1], ··· 1523 1528 1524 1529 if (prot->tail_size) { 1525 1530 sg_unmark_end(&sgout[pages]); 1526 - sg_set_buf(&sgout[pages + 1], tail, 1531 + sg_set_buf(&sgout[pages + 1], &dctx->tail, 1527 1532 prot->tail_size); 1528 1533 sg_mark_end(&sgout[pages + 1]); 1529 1534 } ··· 1540 1545 } 1541 1546 1542 1547 /* Prepare and submit AEAD request */ 1543 - err = tls_do_decryption(sk, skb, sgin, sgout, iv, 1548 + err = tls_do_decryption(sk, skb, sgin, sgout, dctx->iv, 1544 1549 data_len + prot->tail_size, aead_req, darg); 1545 1550 if (darg->async) 1546 1551 return 0; 1547 1552 1548 1553 if (prot->tail_size) 1549 - darg->tail = *tail; 1554 + darg->tail = dctx->tail; 1550 1555 1551 1556 /* Release the pages in case iov was mapped to pages */ 1552 1557 for (; pages > 0; pages--) 1553 1558 put_page(sg_page(&sgout[pages])); 1554 - 1559 + exit_free: 1555 1560 kfree(mem); 1556 1561 return err; 1557 1562 } ··· 1808 1813 struct tls_decrypt_arg darg = {}; 1809 1814 int to_decrypt, chunk; 1810 1815 1811 - skb = tls_wait_data(sk, psock, flags & MSG_DONTWAIT, timeo, &err); 1812 - if (!skb) { 1816 + err = tls_rx_rec_wait(sk, psock, flags & MSG_DONTWAIT, timeo); 1817 + if (err <= 0) { 1813 1818 if (psock) { 1814 1819 chunk = sk_msg_recvmsg(sk, psock, msg, len, 1815 1820 flags); ··· 1819 1824 goto recv_end; 1820 1825 } 1821 1826 1827 + skb = ctx->recv_pkt; 1822 1828 rxm = strp_msg(skb); 1823 1829 tlm = tls_msg(skb); 1824 1830 ··· 1986 1990 } else { 1987 1991 struct tls_decrypt_arg darg = {}; 1988 1992 1989 - skb = tls_wait_data(sk, NULL, flags & SPLICE_F_NONBLOCK, timeo, 1990 - &err); 1991 - if (!skb) 1993 + err = tls_rx_rec_wait(sk, NULL, flags & SPLICE_F_NONBLOCK, 1994 + timeo); 1995 + if (err <= 0) 1992 1996 goto splice_read_end; 1997 + 1998 + skb = ctx->recv_pkt; 1993 1999 1994 2000 err = decrypt_skb_update(sk, skb, NULL, &darg); 1995 2001 if (err < 0) { ··· 2269 2271 mutex_unlock(&tls_ctx->tx_lock); 2270 2272 } 2271 2273 2274 + static bool tls_is_tx_ready(struct tls_sw_context_tx *ctx) 2275 + { 2276 + struct tls_rec *rec; 2277 + 2278 + rec = list_first_entry(&ctx->tx_list, struct tls_rec, list); 2279 + if (!rec) 2280 + return false; 2281 + 2282 + return READ_ONCE(rec->tx_ready); 2283 + } 2284 + 2272 2285 void tls_sw_write_space(struct sock *sk, struct tls_context *ctx) 2273 2286 { 2274 2287 struct tls_sw_context_tx *tx_ctx = tls_sw_ctx_tx(ctx); 2275 2288 2276 2289 /* Schedule the transmission if tx list is ready */ 2277 - if (is_tx_ready(tx_ctx) && 2290 + if (tls_is_tx_ready(tx_ctx) && 2278 2291 !test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask)) 2279 2292 schedule_delayed_work(&tx_ctx->tx_work.work, 0); 2280 2293 } ··· 2483 2474 goto free_priv; 2484 2475 } 2485 2476 2486 - /* Sanity-check the sizes for stack allocations. */ 2487 - if (iv_size > MAX_IV_SIZE || nonce_size > MAX_IV_SIZE || 2488 - rec_seq_size > TLS_MAX_REC_SEQ_SIZE || tag_size != TLS_TAG_SIZE) { 2489 - rc = -EINVAL; 2490 - goto free_priv; 2491 - } 2492 - 2493 2477 if (crypto_info->version == TLS_1_3_VERSION) { 2494 2478 nonce_size = 0; 2495 2479 prot->aad_size = TLS_HEADER_SIZE; ··· 2490 2488 } else { 2491 2489 prot->aad_size = TLS_AAD_SPACE_SIZE; 2492 2490 prot->tail_size = 0; 2491 + } 2492 + 2493 + /* Sanity-check the sizes for stack allocations. */ 2494 + if (iv_size > MAX_IV_SIZE || nonce_size > MAX_IV_SIZE || 2495 + rec_seq_size > TLS_MAX_REC_SEQ_SIZE || tag_size != TLS_TAG_SIZE || 2496 + prot->aad_size > TLS_MAX_AAD_SIZE) { 2497 + rc = -EINVAL; 2498 + goto free_priv; 2493 2499 } 2494 2500 2495 2501 prot->version = crypto_info->version;
+2
net/tls/tls_toe.c
··· 38 38 #include <net/tls.h> 39 39 #include <net/tls_toe.h> 40 40 41 + #include "tls.h" 42 + 41 43 static LIST_HEAD(device_list); 42 44 static DEFINE_SPINLOCK(device_spinlock); 43 45