Software implementation of transport layer security, implemented using ULP
infrastructure. tcp proto_ops are replaced with tls equivalents of sendmsg and
sendpage.
Only symmetric crypto is done in the kernel, keys are passed by setsockopt
after the handshake is complete. All control messages are supported via CMSG
data - the actual symmetric encryption is the same, just the message type needs
to be passed separately.
For user API, please see Documentation patch.
Pieces that can be shared between hw and sw implementation
are in tls_main.c
Signed-off-by: Boris Pismenny
Signed-off-by: Ilya Lesokhin
Signed-off-by: Aviad Yehezkel
Signed-off-by: Dave Watson
---
MAINTAINERS | 10 +
include/linux/socket.h | 1 +
include/net/tls.h| 223 ++
include/uapi/linux/tls.h | 79 +
net/Kconfig | 1 +
net/Makefile | 1 +
net/tls/Kconfig | 12 +
net/tls/Makefile | 7 +
net/tls/tls_main.c | 450 +++
net/tls/tls_sw.c | 788 +++
10 files changed, 1572 insertions(+)
create mode 100644 include/net/tls.h
create mode 100644 include/uapi/linux/tls.h
create mode 100644 net/tls/Kconfig
create mode 100644 net/tls/Makefile
create mode 100644 net/tls/tls_main.c
create mode 100644 net/tls/tls_sw.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 9e98464..94bdbe8 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -8944,6 +8944,16 @@ F: net/ipv6/
F: include/net/ip*
F: arch/x86/net/*
+NETWORKING [TLS]
+M: Ilya Lesokhin
+M: Aviad Yehezkel
+M: Dave Watson
+L: netdev@vger.kernel.org
+S: Maintained
+F: net/tls/*
+F: include/uapi/linux/tls.h
+F: include/net/tls.h
+
NETWORKING [IPSEC]
M: Steffen Klassert
M: Herbert Xu
diff --git a/include/linux/socket.h b/include/linux/socket.h
index 0820274..8b13db5 100644
--- a/include/linux/socket.h
+++ b/include/linux/socket.h
@@ -334,6 +334,7 @@ struct ucred {
#define SOL_ALG279
#define SOL_NFC280
#define SOL_KCM281
+#define SOL_TLS282
/* IPX options */
#define IPX_TYPE 1
diff --git a/include/net/tls.h b/include/net/tls.h
new file mode 100644
index 000..eee6ddf
--- /dev/null
+++ b/include/net/tls.h
@@ -0,0 +1,223 @@
+/*
+ * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved.
+ * Copyright (c) 2016-2017, Dave Watson . All rights
reserved.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses. You may choose to be licensed under the terms of the GNU
+ * General Public License (GPL) Version 2, available from the file
+ * COPYING in the main directory of this source tree, or the
+ * OpenIB.org BSD license below:
+ *
+ * Redistribution and use in source and binary forms, with or
+ * without modification, are permitted provided that the following
+ * conditions are met:
+ *
+ * - Redistributions of source code must retain the above
+ *copyright notice, this list of conditions and the following
+ *disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above
+ *copyright notice, this list of conditions and the following
+ *disclaimer in the documentation and/or other materials
+ *provided with the distribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef _TLS_OFFLOAD_H
+#define _TLS_OFFLOAD_H
+
+#include
+
+#include
+
+
+/* Maximum data size carried in a TLS record */
+#define TLS_MAX_PAYLOAD_SIZE ((size_t)1 << 14)
+
+#define TLS_HEADER_SIZE5
+#define TLS_NONCE_OFFSET TLS_HEADER_SIZE
+
+#define TLS_CRYPTO_INFO_READY(info)((info)->cipher_type)
+
+#define TLS_RECORD_TYPE_DATA 0x17
+
+#define TLS_AAD_SPACE_SIZE 13
+
+struct tls_sw_context {
+ struct crypto_aead *aead_send;
+
+ /* Sending context */
+ char aad_space[TLS_AAD_SPACE_SIZE];
+
+ unsigned int sg_plaintext_size;
+ int sg_plaintext_num_elem;
+ struct scatterlist sg_plaintext_data[MAX_SKB_FRAGS];
+
+ unsigned int sg_encrypted_size;
+ int sg_encrypted_num_elem;
+ struct scatterlist sg_encrypted_data[MAX_SKB_FRAGS];
+
+ /* AAD | sg_plaintext_data | sg_tag */
+ struct scatterlist sg_aead_in[2];
+ /* AAD | sg_encrypted_data (data contain overhead for hdr&iv&tag) */
+ struct scatterlist sg_aead_out[2];
+};
+
+