kernel/include/net/tls.h, branch linux-4.16.y Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-4.16.y 2018-05-19T08:19:32Z net/tls: Don't recursively call push_record during tls_write_space callbacks 2018-05-19T08:19:32Z Dave Watson davejwatson@fb.com 2018-05-01T20:05:39Z urn:sha1:d12769e4658007edb3b917f04e67f57caae42bf7 [ Upstream commit c212d2c7fc4736d49be102fb7a1a545cdc2f1fea ] It is reported that in some cases, write_space may be called in do_tcp_sendpages, such that we recursively invoke do_tcp_sendpages again: [ 660.468802] ? do_tcp_sendpages+0x8d/0x580 [ 660.468826] ? tls_push_sg+0x74/0x130 [tls] [ 660.468852] ? tls_push_record+0x24a/0x390 [tls] [ 660.468880] ? tls_write_space+0x6a/0x80 [tls] ... tls_push_sg already does a loop over all sending sg's, so ignore any tls_write_space notifications until we are done sending. We then have to call the previous write_space to wake up poll() waiters after we are done with the send loop. Reported-by: Andre Tomt <andre@tomt.net> Signed-off-by: Dave Watson <davejwatson@fb.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> tls: Add support for encryption using async offload accelerator 2018-01-31T15:26:30Z Vakul Garg vakul.garg@nxp.com 2018-01-31T16:04:37Z urn:sha1:a54667f6728c2714a400f3c884727da74b6d1717 Async crypto accelerators (e.g. drivers/crypto/caam) support offloading GCM operation. If they are enabled, crypto_aead_encrypt() return error code -EINPROGRESS. In this case tls_do_encryption() needs to wait on a completion till the time the response for crypto offload request is received. Signed-off-by: Vakul Garg <vakul.garg@nxp.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/tls: Fix inverted error codes to avoid endless loop 2018-01-15T19:21:57Z r.hering@avm.de r.hering@avm.de 2018-01-12T14:42:06Z urn:sha1:30be8f8dba1bd2aff73e8447d59228471233a3d4 sendfile() calls can hang endless with using Kernel TLS if a socket error occurs. Socket error codes must be inverted by Kernel TLS before returning because they are stored with positive sign. If returned non-inverted they are interpreted as number of bytes sent, causing endless looping of the splice mechanic behind sendfile(). Signed-off-by: Robert Hering <r.hering@avm.de> Signed-off-by: David S. Miller <davem@davemloft.net> uapi: fix linux/tls.h userspace compilation error 2017-11-15T04:54:18Z Dmitry V. Levin ldv@altlinux.org 2017-11-14T03:30:11Z urn:sha1:b9f3eb499d84f8d4adcb2f9212ec655700b28228 Move inclusion of a private kernel header <net/tcp.h> from uapi/linux/tls.h to its only user - net/tls.h, to fix the following linux/tls.h userspace compilation error: /usr/include/linux/tls.h:41:21: fatal error: net/tcp.h: No such file or directory As to this point uapi/linux/tls.h was totaly unusuable for userspace, cleanup this header file further by moving other redundant includes to net/tls.h. Fixes: 3c4d7559159b ("tls: kernel TLS support") Cc: <stable@vger.kernel.org> # v4.13+ Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> Signed-off-by: David S. Miller <davem@davemloft.net> tls: Move tls_make_aad to header to allow sharing 2017-11-14T07:26:34Z Ilya Lesokhin ilyal@mellanox.com 2017-11-13T08:22:47Z urn:sha1:213ef6e7c9c063c482d77f12cc438872628d48ec move tls_make_aad as it is going to be reused by the device offload code and rx path. Remove unused recv parameter. Signed-off-by: Ilya Lesokhin <ilyal@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net> tls: Fix TLS ulp context leak, when TLS_TX setsockopt is not used. 2017-11-14T07:26:34Z Ilya Lesokhin ilyal@mellanox.com 2017-11-13T08:22:46Z urn:sha1:ff45d820a2df163957ad8ab459b6eb6976144c18 Previously the TLS ulp context would leak if we attached a TLS ulp to a socket but did not use the TLS_TX setsockopt, or did use it but it failed. This patch solves the issue by overriding prot[TLS_BASE_TX].close and fixing tls_sk_proto_close to work properly when its called with ctx->tx_conf == TLS_BASE_TX. This patch also removes ctx->free_resources as we can use ctx->tx_conf to obtain the relevant information. Fixes: 3c4d7559159b ('tls: kernel TLS support') Signed-off-by: Ilya Lesokhin <ilyal@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net> tls: Add function to update the TLS socket configuration 2017-11-14T07:26:34Z Ilya Lesokhin ilyal@mellanox.com 2017-11-13T08:22:45Z urn:sha1:6d88207fcfddc002afe3e2e4a455e5201089d5d9 The tx configuration is now stored in ctx->tx_conf. And sk->sk_prot is updated trough a function This will simplify things when we add rx and support for different possible tx and rx cross configurations. Signed-off-by: Ilya Lesokhin <ilyal@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net> tls: kernel TLS support 2017-06-15T16:12:40Z Dave Watson davejwatson@fb.com 2017-06-14T18:37:39Z urn:sha1:3c4d7559159bfe1e3b94df3a657b2cda3a34e218 Software implementation of transport layer security, implemented using ULP infrastructure. tcp proto_ops are replaced with tls equivalents of sendmsg and sendpage. Only symmetric crypto is done in the kernel, keys are passed by setsockopt after the handshake is complete. All control messages are supported via CMSG data - the actual symmetric encryption is the same, just the message type needs to be passed separately. For user API, please see Documentation patch. Pieces that can be shared between hw and sw implementation are in tls_main.c Signed-off-by: Boris Pismenny <borisp@mellanox.com> Signed-off-by: Ilya Lesokhin <ilyal@mellanox.com> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com> Signed-off-by: Dave Watson <davejwatson@fb.com> Signed-off-by: David S. Miller <davem@davemloft.net>