net/tls/tls_main.c

   1 /*
   2  * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
   3  * Copyright (c) 2016-2017, Dave Watson <davejwatson@fb.com>. All rights reserved.
   4  *
   5  * This software is available to you under a choice of one of two
   6  * licenses.  You may choose to be licensed under the terms of the GNU
   7  * General Public License (GPL) Version 2, available from the file
   8  * COPYING in the main directory of this source tree, or the
   9  * OpenIB.org BSD license below:
  10  *
  11  *     Redistribution and use in source and binary forms, with or
  12  *     without modification, are permitted provided that the following
  13  *     conditions are met:
  14  *
  15  *      - Redistributions of source code must retain the above
  16  *        copyright notice, this list of conditions and the following
  17  *        disclaimer.
  18  *
  19  *      - Redistributions in binary form must reproduce the above
  20  *        copyright notice, this list of conditions and the following
  21  *        disclaimer in the documentation and/or other materials
  22  *        provided with the distribution.
  23  *
  24  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  25  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  26  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  27  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
  28  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
  29  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  30  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  31  * SOFTWARE.
  32  */
  33
  34 #include <linux/module.h>
  35
  36 #include <net/tcp.h>
  37 #include <net/inet_common.h>
  38 #include <linux/highmem.h>
  39 #include <linux/netdevice.h>
  40 #include <linux/sched/signal.h>
  41 #include <linux/inetdevice.h>
  42
  43 #include <net/tls.h>
  44
  45 MODULE_AUTHOR("Mellanox Technologies");
  46 MODULE_DESCRIPTION("Transport Layer Security Support");
  47 MODULE_LICENSE("Dual BSD/GPL");
  48 MODULE_ALIAS_TCP_ULP("tls");
  49
  50 enum {
  51         TLSV4,
  52         TLSV6,
  53         TLS_NUM_PROTS,
  54 };
  55
  56 static struct proto *saved_tcpv6_prot;
  57 static DEFINE_MUTEX(tcpv6_prot_mutex);
  58 static LIST_HEAD(device_list);
  59 static DEFINE_MUTEX(device_mutex);
  60 static struct proto tls_prots[TLS_NUM_PROTS][TLS_NUM_CONFIG][TLS_NUM_CONFIG];
  61 static struct proto_ops tls_sw_proto_ops;
  62
  63 static void update_sk_prot(struct sock *sk, struct tls_context *ctx)
  64 {
  65         int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
  66
  67         sk->sk_prot = &tls_prots[ip_ver][ctx->tx_conf][ctx->rx_conf];
  68 }
  69
  70 int wait_on_pending_writer(struct sock *sk, long *timeo)
  71 {
  72         int rc = 0;
  73         DEFINE_WAIT_FUNC(wait, woken_wake_function);
  74
  75         add_wait_queue(sk_sleep(sk), &wait);
  76         while (1) {
  77                 if (!*timeo) {
  78                         rc = -EAGAIN;
  79                         break;
  80                 }
  81
  82                 if (signal_pending(current)) {
  83                         rc = sock_intr_errno(*timeo);
  84                         break;
  85                 }
  86
  87                 if (sk_wait_event(sk, timeo, !sk->sk_write_pending, &wait))
  88                         break;
  89         }
  90         remove_wait_queue(sk_sleep(sk), &wait);
  91         return rc;
  92 }
  93
  94 int tls_push_sg(struct sock *sk,
  95                 struct tls_context *ctx,
  96                 struct scatterlist *sg,
  97                 u16 first_offset,
  98                 int flags)
  99 {
 100         int sendpage_flags = flags | MSG_SENDPAGE_NOTLAST;
 101         int ret = 0;
 102         struct page *p;
 103         size_t size;
 104         int offset = first_offset;
 105
 106         size = sg->length - offset;
 107         offset += sg->offset;
 108
 109         ctx->in_tcp_sendpages = true;
 110         while (1) {
 111                 if (sg_is_last(sg))
 112                         sendpage_flags = flags;
 113
 114                 /* is sending application-limited? */
 115                 tcp_rate_check_app_limited(sk);
 116                 p = sg_page(sg);
 117 retry:
 118                 ret = do_tcp_sendpages(sk, p, offset, size, sendpage_flags);
 119
 120                 if (ret != size) {
 121                         if (ret > 0) {
 122                                 offset += ret;
 123                                 size -= ret;
 124                                 goto retry;
 125                         }
 126
 127                         offset -= sg->offset;
 128                         ctx->partially_sent_offset = offset;
 129                         ctx->partially_sent_record = (void *)sg;
 130                         ctx->in_tcp_sendpages = false;
 131                         return ret;
 132                 }
 133
 134                 put_page(p);
 135                 sk_mem_uncharge(sk, sg->length);
 136                 sg = sg_next(sg);
 137                 if (!sg)
 138                         break;
 139
 140                 offset = sg->offset;
 141                 size = sg->length;
 142         }
 143
 144         clear_bit(TLS_PENDING_CLOSED_RECORD, &ctx->flags);
 145         ctx->in_tcp_sendpages = false;
 146         ctx->sk_write_space(sk);
 147
 148         return 0;
 149 }
 150
 151 static int tls_handle_open_record(struct sock *sk, int flags)
 152 {
 153         struct tls_context *ctx = tls_get_ctx(sk);
 154
 155         if (tls_is_pending_open_record(ctx))
 156                 return ctx->push_pending_record(sk, flags);
 157
 158         return 0;
 159 }
 160
 161 int tls_proccess_cmsg(struct sock *sk, struct msghdr *msg,
 162                       unsigned char *record_type)
 163 {
 164         struct cmsghdr *cmsg;
 165         int rc = -EINVAL;
 166
 167         for_each_cmsghdr(cmsg, msg) {
 168                 if (!CMSG_OK(msg, cmsg))
 169                         return -EINVAL;
 170                 if (cmsg->cmsg_level != SOL_TLS)
 171                         continue;
 172
 173                 switch (cmsg->cmsg_type) {
 174                 case TLS_SET_RECORD_TYPE:
 175                         if (cmsg->cmsg_len < CMSG_LEN(sizeof(*record_type)))
 176                                 return -EINVAL;
 177
 178                         if (msg->msg_flags & MSG_MORE)
 179                                 return -EINVAL;
 180
 181                         rc = tls_handle_open_record(sk, msg->msg_flags);
 182                         if (rc)
 183                                 return rc;
 184
 185                         *record_type = *(unsigned char *)CMSG_DATA(cmsg);
 186                         rc = 0;
 187                         break;
 188                 default:
 189                         return -EINVAL;
 190                 }
 191         }
 192
 193         return rc;
 194 }
 195
 196 int tls_push_pending_closed_record(struct sock *sk, struct tls_context *ctx,
 197                                    int flags, long *timeo)
 198 {
 199         struct scatterlist *sg;
 200         u16 offset;
 201
 202         if (!tls_is_partially_sent_record(ctx))
 203                 return ctx->push_pending_record(sk, flags);
 204
 205         sg = ctx->partially_sent_record;
 206         offset = ctx->partially_sent_offset;
 207
 208         ctx->partially_sent_record = NULL;
 209         return tls_push_sg(sk, ctx, sg, offset, flags);
 210 }
 211
 212 static void tls_write_space(struct sock *sk)
 213 {
 214         struct tls_context *ctx = tls_get_ctx(sk);
 215
 216         /* If in_tcp_sendpages call lower protocol write space handler
 217          * to ensure we wake up any waiting operations there. For example
 218          * if do_tcp_sendpages where to call sk_wait_event.
 219          */
 220         if (ctx->in_tcp_sendpages) {
 221                 ctx->sk_write_space(sk);
 222                 return;
 223         }
 224
 225         if (!sk->sk_write_pending && tls_is_pending_closed_record(ctx)) {
 226                 gfp_t sk_allocation = sk->sk_allocation;
 227                 int rc;
 228                 long timeo = 0;
 229
 230                 sk->sk_allocation = GFP_ATOMIC;
 231                 rc = tls_push_pending_closed_record(sk, ctx,
 232                                                     MSG_DONTWAIT |
 233                                                     MSG_NOSIGNAL,
 234                                                     &timeo);
 235                 sk->sk_allocation = sk_allocation;
 236
 237                 if (rc < 0)
 238                         return;
 239         }
 240
 241         ctx->sk_write_space(sk);
 242 }
 243
 244 static void tls_sk_proto_close(struct sock *sk, long timeout)
 245 {
 246         struct tls_context *ctx = tls_get_ctx(sk);
 247         long timeo = sock_sndtimeo(sk, 0);
 248         void (*sk_proto_close)(struct sock *sk, long timeout);
 249         bool free_ctx = false;
 250
 251         lock_sock(sk);
 252         sk_proto_close = ctx->sk_proto_close;
 253
 254         if ((ctx->tx_conf == TLS_HW_RECORD && ctx->rx_conf == TLS_HW_RECORD) ||
 255             (ctx->tx_conf == TLS_BASE && ctx->rx_conf == TLS_BASE)) {
 256                 free_ctx = true;
 257                 goto skip_tx_cleanup;
 258         }
 259
 260         if (!tls_complete_pending_work(sk, ctx, 0, &timeo))
 261                 tls_handle_open_record(sk, 0);
 262
 263         if (ctx->partially_sent_record) {
 264                 struct scatterlist *sg = ctx->partially_sent_record;
 265
 266                 while (1) {
 267                         put_page(sg_page(sg));
 268                         sk_mem_uncharge(sk, sg->length);
 269
 270                         if (sg_is_last(sg))
 271                                 break;
 272                         sg++;
 273                 }
 274         }
 275
 276         /* We need these for tls_sw_fallback handling of other packets */
 277         if (ctx->tx_conf == TLS_SW) {
 278                 kfree(ctx->tx.rec_seq);
 279                 kfree(ctx->tx.iv);
 280                 tls_sw_free_resources_tx(sk);
 281         }
 282
 283         if (ctx->rx_conf == TLS_SW) {
 284                 kfree(ctx->rx.rec_seq);
 285                 kfree(ctx->rx.iv);
 286                 tls_sw_free_resources_rx(sk);
 287         }
 288
 289 #ifdef CONFIG_TLS_DEVICE
 290         if (ctx->rx_conf == TLS_HW)
 291                 tls_device_offload_cleanup_rx(sk);
 292
 293         if (ctx->tx_conf != TLS_HW && ctx->rx_conf != TLS_HW) {
 294 #else
 295         {
 296 #endif
 297                 kfree(ctx);
 298                 ctx = NULL;
 299         }
 300
 301 skip_tx_cleanup:
 302         release_sock(sk);
 303         sk_proto_close(sk, timeout);
 304         /* free ctx for TLS_HW_RECORD, used by tcp_set_state
 305          * for sk->sk_prot->unhash [tls_hw_unhash]
 306          */
 307         if (free_ctx)
 308                 kfree(ctx);
 309 }
 310
 311 static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
 312                                 int __user *optlen)
 313 {
 314         int rc = 0;
 315         struct tls_context *ctx = tls_get_ctx(sk);
 316         struct tls_crypto_info *crypto_info;
 317         int len;
 318
 319         if (get_user(len, optlen))
 320                 return -EFAULT;
 321
 322         if (!optval || (len < sizeof(*crypto_info))) {
 323                 rc = -EINVAL;
 324                 goto out;
 325         }
 326
 327         if (!ctx) {
 328                 rc = -EBUSY;
 329                 goto out;
 330         }
 331
 332         /* get user crypto info */
 333         crypto_info = &ctx->crypto_send;
 334
 335         if (!TLS_CRYPTO_INFO_READY(crypto_info)) {
 336                 rc = -EBUSY;
 337                 goto out;
 338         }
 339
 340         if (len == sizeof(*crypto_info)) {
 341                 if (copy_to_user(optval, crypto_info, sizeof(*crypto_info)))
 342                         rc = -EFAULT;
 343                 goto out;
 344         }
 345
 346         switch (crypto_info->cipher_type) {
 347         case TLS_CIPHER_AES_GCM_128: {
 348                 struct tls12_crypto_info_aes_gcm_128 *
 349                   crypto_info_aes_gcm_128 =
 350                   container_of(crypto_info,
 351                                struct tls12_crypto_info_aes_gcm_128,
 352                                info);
 353
 354                 if (len != sizeof(*crypto_info_aes_gcm_128)) {
 355                         rc = -EINVAL;
 356                         goto out;
 357                 }
 358                 lock_sock(sk);
 359                 memcpy(crypto_info_aes_gcm_128->iv,
 360                        ctx->tx.iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
 361                        TLS_CIPHER_AES_GCM_128_IV_SIZE);
 362                 memcpy(crypto_info_aes_gcm_128->rec_seq, ctx->tx.rec_seq,
 363                        TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
 364                 release_sock(sk);
 365                 if (copy_to_user(optval,
 366                                  crypto_info_aes_gcm_128,
 367                                  sizeof(*crypto_info_aes_gcm_128)))
 368                         rc = -EFAULT;
 369                 break;
 370         }
 371         default:
 372                 rc = -EINVAL;
 373         }
 374
 375 out:
 376         return rc;
 377 }
 378
 379 static int do_tls_getsockopt(struct sock *sk, int optname,
 380                              char __user *optval, int __user *optlen)
 381 {
 382         int rc = 0;
 383
 384         switch (optname) {
 385         case TLS_TX:
 386                 rc = do_tls_getsockopt_tx(sk, optval, optlen);
 387                 break;
 388         default:
 389                 rc = -ENOPROTOOPT;
 390                 break;
 391         }
 392         return rc;
 393 }
 394
 395 static int tls_getsockopt(struct sock *sk, int level, int optname,
 396                           char __user *optval, int __user *optlen)
 397 {
 398         struct tls_context *ctx = tls_get_ctx(sk);
 399
 400         if (level != SOL_TLS)
 401                 return ctx->getsockopt(sk, level, optname, optval, optlen);
 402
 403         return do_tls_getsockopt(sk, optname, optval, optlen);
 404 }
 405
 406 static int do_tls_setsockopt_conf(struct sock *sk, char __user *optval,
 407                                   unsigned int optlen, int tx)
 408 {
 409         struct tls_crypto_info *crypto_info;
 410         struct tls_context *ctx = tls_get_ctx(sk);
 411         int rc = 0;
 412         int conf;
 413
 414         if (!optval || (optlen < sizeof(*crypto_info))) {
 415                 rc = -EINVAL;
 416                 goto out;
 417         }
 418
 419         if (tx)
 420                 crypto_info = &ctx->crypto_send;
 421         else
 422                 crypto_info = &ctx->crypto_recv;
 423
 424         /* Currently we don't support set crypto info more than one time */
 425         if (TLS_CRYPTO_INFO_READY(crypto_info)) {
 426                 rc = -EBUSY;
 427                 goto out;
 428         }
 429
 430         rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info));
 431         if (rc) {
 432                 rc = -EFAULT;
 433                 goto err_crypto_info;
 434         }
 435
 436         /* check version */
 437         if (crypto_info->version != TLS_1_2_VERSION) {
 438                 rc = -ENOTSUPP;
 439                 goto err_crypto_info;
 440         }
 441
 442         switch (crypto_info->cipher_type) {
 443         case TLS_CIPHER_AES_GCM_128: {
 444                 if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) {
 445                         rc = -EINVAL;
 446                         goto err_crypto_info;
 447                 }
 448                 rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info),
 449                                     optlen - sizeof(*crypto_info));
 450                 if (rc) {
 451                         rc = -EFAULT;
 452                         goto err_crypto_info;
 453                 }
 454                 break;
 455         }
 456         default:
 457                 rc = -EINVAL;
 458                 goto err_crypto_info;
 459         }
 460
 461         if (tx) {
 462 #ifdef CONFIG_TLS_DEVICE
 463                 rc = tls_set_device_offload(sk, ctx);
 464                 conf = TLS_HW;
 465                 if (rc) {
 466 #else
 467                 {
 468 #endif
 469                         rc = tls_set_sw_offload(sk, ctx, 1);
 470                         conf = TLS_SW;
 471                 }
 472         } else {
 473 #ifdef CONFIG_TLS_DEVICE
 474                 rc = tls_set_device_offload_rx(sk, ctx);
 475                 conf = TLS_HW;
 476                 if (rc) {
 477 #else
 478                 {
 479 #endif
 480                         rc = tls_set_sw_offload(sk, ctx, 0);
 481                         conf = TLS_SW;
 482                 }
 483         }
 484
 485         if (rc)
 486                 goto err_crypto_info;
 487
 488         if (tx)
 489                 ctx->tx_conf = conf;
 490         else
 491                 ctx->rx_conf = conf;
 492         update_sk_prot(sk, ctx);
 493         if (tx) {
 494                 ctx->sk_write_space = sk->sk_write_space;
 495                 sk->sk_write_space = tls_write_space;
 496         } else {
 497                 sk->sk_socket->ops = &tls_sw_proto_ops;
 498         }
 499         goto out;
 500
 501 err_crypto_info:
 502         memset(crypto_info, 0, sizeof(*crypto_info));
 503 out:
 504         return rc;
 505 }
 506
 507 static int do_tls_setsockopt(struct sock *sk, int optname,
 508                              char __user *optval, unsigned int optlen)
 509 {
 510         int rc = 0;
 511
 512         switch (optname) {
 513         case TLS_TX:
 514         case TLS_RX:
 515                 lock_sock(sk);
 516                 rc = do_tls_setsockopt_conf(sk, optval, optlen,
 517                                             optname == TLS_TX);
 518                 release_sock(sk);
 519                 break;
 520         default:
 521                 rc = -ENOPROTOOPT;
 522                 break;
 523         }
 524         return rc;
 525 }
 526
 527 static int tls_setsockopt(struct sock *sk, int level, int optname,
 528                           char __user *optval, unsigned int optlen)
 529 {
 530         struct tls_context *ctx = tls_get_ctx(sk);
 531
 532         if (level != SOL_TLS)
 533                 return ctx->setsockopt(sk, level, optname, optval, optlen);
 534
 535         return do_tls_setsockopt(sk, optname, optval, optlen);
 536 }
 537
 538 static struct tls_context *create_ctx(struct sock *sk)
 539 {
 540         struct inet_connection_sock *icsk = inet_csk(sk);
 541         struct tls_context *ctx;
 542
 543         ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
 544         if (!ctx)
 545                 return NULL;
 546
 547         icsk->icsk_ulp_data = ctx;
 548         return ctx;
 549 }
 550
 551 static int tls_hw_prot(struct sock *sk)
 552 {
 553         struct tls_context *ctx;
 554         struct tls_device *dev;
 555         int rc = 0;
 556
 557         mutex_lock(&device_mutex);
 558         list_for_each_entry(dev, &device_list, dev_list) {
 559                 if (dev->feature && dev->feature(dev)) {
 560                         ctx = create_ctx(sk);
 561                         if (!ctx)
 562                                 goto out;
 563
 564                         ctx->hash = sk->sk_prot->hash;
 565                         ctx->unhash = sk->sk_prot->unhash;
 566                         ctx->sk_proto_close = sk->sk_prot->close;
 567                         ctx->rx_conf = TLS_HW_RECORD;
 568                         ctx->tx_conf = TLS_HW_RECORD;
 569                         update_sk_prot(sk, ctx);
 570                         rc = 1;
 571                         break;
 572                 }
 573         }
 574 out:
 575         mutex_unlock(&device_mutex);
 576         return rc;
 577 }
 578
 579 static void tls_hw_unhash(struct sock *sk)
 580 {
 581         struct tls_context *ctx = tls_get_ctx(sk);
 582         struct tls_device *dev;
 583
 584         mutex_lock(&device_mutex);
 585         list_for_each_entry(dev, &device_list, dev_list) {
 586                 if (dev->unhash)
 587                         dev->unhash(dev, sk);
 588         }
 589         mutex_unlock(&device_mutex);
 590         ctx->unhash(sk);
 591 }
 592
 593 static int tls_hw_hash(struct sock *sk)
 594 {
 595         struct tls_context *ctx = tls_get_ctx(sk);
 596         struct tls_device *dev;
 597         int err;
 598
 599         err = ctx->hash(sk);
 600         mutex_lock(&device_mutex);
 601         list_for_each_entry(dev, &device_list, dev_list) {
 602                 if (dev->hash)
 603                         err |= dev->hash(dev, sk);
 604         }
 605         mutex_unlock(&device_mutex);
 606
 607         if (err)
 608                 tls_hw_unhash(sk);
 609         return err;
 610 }
 611
 612 static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
 613                          struct proto *base)
 614 {
 615         prot[TLS_BASE][TLS_BASE] = *base;
 616         prot[TLS_BASE][TLS_BASE].setsockopt     = tls_setsockopt;
 617         prot[TLS_BASE][TLS_BASE].getsockopt     = tls_getsockopt;
 618         prot[TLS_BASE][TLS_BASE].close          = tls_sk_proto_close;
 619
 620         prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
 621         prot[TLS_SW][TLS_BASE].sendmsg          = tls_sw_sendmsg;
 622         prot[TLS_SW][TLS_BASE].sendpage         = tls_sw_sendpage;
 623
 624         prot[TLS_BASE][TLS_SW] = prot[TLS_BASE][TLS_BASE];
 625         prot[TLS_BASE][TLS_SW].recvmsg          = tls_sw_recvmsg;
 626         prot[TLS_BASE][TLS_SW].close            = tls_sk_proto_close;
 627
 628         prot[TLS_SW][TLS_SW] = prot[TLS_SW][TLS_BASE];
 629         prot[TLS_SW][TLS_SW].recvmsg    = tls_sw_recvmsg;
 630         prot[TLS_SW][TLS_SW].close      = tls_sk_proto_close;
 631
 632 #ifdef CONFIG_TLS_DEVICE
 633         prot[TLS_HW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
 634         prot[TLS_HW][TLS_BASE].sendmsg          = tls_device_sendmsg;
 635         prot[TLS_HW][TLS_BASE].sendpage         = tls_device_sendpage;
 636
 637         prot[TLS_HW][TLS_SW] = prot[TLS_BASE][TLS_SW];
 638         prot[TLS_HW][TLS_SW].sendmsg            = tls_device_sendmsg;
 639         prot[TLS_HW][TLS_SW].sendpage           = tls_device_sendpage;
 640
 641         prot[TLS_BASE][TLS_HW] = prot[TLS_BASE][TLS_SW];
 642
 643         prot[TLS_SW][TLS_HW] = prot[TLS_SW][TLS_SW];
 644
 645         prot[TLS_HW][TLS_HW] = prot[TLS_HW][TLS_SW];
 646 #endif
 647
 648         prot[TLS_HW_RECORD][TLS_HW_RECORD] = *base;
 649         prot[TLS_HW_RECORD][TLS_HW_RECORD].hash         = tls_hw_hash;
 650         prot[TLS_HW_RECORD][TLS_HW_RECORD].unhash       = tls_hw_unhash;
 651         prot[TLS_HW_RECORD][TLS_HW_RECORD].close        = tls_sk_proto_close;
 652 }
 653
 654 static int tls_init(struct sock *sk)
 655 {
 656         int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
 657         struct tls_context *ctx;
 658         int rc = 0;
 659
 660         if (tls_hw_prot(sk))
 661                 goto out;
 662
 663         /* The TLS ulp is currently supported only for TCP sockets
 664          * in ESTABLISHED state.
 665          * Supporting sockets in LISTEN state will require us
 666          * to modify the accept implementation to clone rather then
 667          * share the ulp context.
 668          */
 669         if (sk->sk_state != TCP_ESTABLISHED)
 670                 return -ENOTSUPP;
 671
 672         /* allocate tls context */
 673         ctx = create_ctx(sk);
 674         if (!ctx) {
 675                 rc = -ENOMEM;
 676                 goto out;
 677         }
 678         ctx->setsockopt = sk->sk_prot->setsockopt;
 679         ctx->getsockopt = sk->sk_prot->getsockopt;
 680         ctx->sk_proto_close = sk->sk_prot->close;
 681
 682         /* Build IPv6 TLS whenever the address of tcpv6 _prot changes */
 683         if (ip_ver == TLSV6 &&
 684             unlikely(sk->sk_prot != smp_load_acquire(&saved_tcpv6_prot))) {
 685                 mutex_lock(&tcpv6_prot_mutex);
 686                 if (likely(sk->sk_prot != saved_tcpv6_prot)) {
 687                         build_protos(tls_prots[TLSV6], sk->sk_prot);
 688                         smp_store_release(&saved_tcpv6_prot, sk->sk_prot);
 689                 }
 690                 mutex_unlock(&tcpv6_prot_mutex);
 691         }
 692
 693         ctx->tx_conf = TLS_BASE;
 694         ctx->rx_conf = TLS_BASE;
 695         update_sk_prot(sk, ctx);
 696 out:
 697         return rc;
 698 }
 699
 700 void tls_register_device(struct tls_device *device)
 701 {
 702         mutex_lock(&device_mutex);
 703         list_add_tail(&device->dev_list, &device_list);
 704         mutex_unlock(&device_mutex);
 705 }
 706 EXPORT_SYMBOL(tls_register_device);
 707
 708 void tls_unregister_device(struct tls_device *device)
 709 {
 710         mutex_lock(&device_mutex);
 711         list_del(&device->dev_list);
 712         mutex_unlock(&device_mutex);
 713 }
 714 EXPORT_SYMBOL(tls_unregister_device);
 715
 716 static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
 717         .name                   = "tls",
 718         .uid                    = TCP_ULP_TLS,
 719         .user_visible           = true,
 720         .owner                  = THIS_MODULE,
 721         .init                   = tls_init,
 722 };
 723
 724 static int __init tls_register(void)
 725 {
 726         build_protos(tls_prots[TLSV4], &tcp_prot);
 727
 728         tls_sw_proto_ops = inet_stream_ops;
 729         tls_sw_proto_ops.poll = tls_sw_poll;
 730         tls_sw_proto_ops.splice_read = tls_sw_splice_read;
 731
 732 #ifdef CONFIG_TLS_DEVICE
 733         tls_device_init();
 734 #endif
 735         tcp_register_ulp(&tcp_tls_ulp_ops);
 736
 737         return 0;
 738 }
 739
 740 static void __exit tls_unregister(void)
 741 {
 742         tcp_unregister_ulp(&tcp_tls_ulp_ops);
 743 #ifdef CONFIG_TLS_DEVICE
 744         tls_device_cleanup();
 745 #endif
 746 }
 747
 748 module_init(tls_register);
 749 module_exit(tls_unregister);