Diffstat (limited to 'include/internal/ktls.h')
-rw-r--r--include/internal/ktls.h230
1 files changed, 122 insertions, 108 deletions
diff --git a/include/internal/ktls.h b/include/internal/ktls.h
index 072653dc5eeb..83f66b9dba93 100644
--- a/include/internal/ktls.h
+++ b/include/internal/ktls.h
@@ -8,43 +8,43 @@
*/
#if defined(OPENSSL_SYS_LINUX)
-# ifndef OPENSSL_NO_KTLS
-# include <linux/version.h>
-# if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0)
-# define OPENSSL_NO_KTLS
-# ifndef PEDANTIC
-# warning "KTLS requires Kernel Headers >= 4.13.0"
-# warning "Skipping Compilation of KTLS"
-# endif
-# endif
-# endif
+#ifndef OPENSSL_NO_KTLS
+#include <linux/version.h>
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0)
+#define OPENSSL_NO_KTLS
+#ifndef PEDANTIC
+#warning "KTLS requires Kernel Headers >= 4.13.0"
+#warning "Skipping Compilation of KTLS"
+#endif
+#endif
+#endif
#endif
#ifndef HEADER_INTERNAL_KTLS
-# define HEADER_INTERNAL_KTLS
-# pragma once
+#define HEADER_INTERNAL_KTLS
+#pragma once
-# ifndef OPENSSL_NO_KTLS
+#ifndef OPENSSL_NO_KTLS
-# if defined(__FreeBSD__)
-# include <sys/types.h>
-# include <sys/socket.h>
-# include <sys/ktls.h>
-# include <netinet/in.h>
-# include <netinet/tcp.h>
-# include <openssl/ssl3.h>
+#if defined(__FreeBSD__)
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ktls.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <openssl/ssl3.h>
-# ifndef TCP_RXTLS_ENABLE
-# define OPENSSL_NO_KTLS_RX
-# endif
-# define OPENSSL_KTLS_AES_GCM_128
-# define OPENSSL_KTLS_AES_GCM_256
-# define OPENSSL_KTLS_TLS13
-# ifdef TLS_CHACHA20_IV_LEN
-# ifndef OPENSSL_NO_CHACHA
-# define OPENSSL_KTLS_CHACHA20_POLY1305
-# endif
-# endif
+#ifndef TCP_RXTLS_ENABLE
+#define OPENSSL_NO_KTLS_RX
+#endif
+#define OPENSSL_KTLS_AES_GCM_128
+#define OPENSSL_KTLS_AES_GCM_256
+#define OPENSSL_KTLS_TLS13
+#ifdef TLS_CHACHA20_IV_LEN
+#ifndef OPENSSL_NO_CHACHA
+#define OPENSSL_KTLS_CHACHA20_POLY1305
+#endif
+#endif
typedef struct tls_enable ktls_crypto_info_t;
@@ -71,13 +71,17 @@ static ossl_inline int ktls_start(int fd, ktls_crypto_info_t *tls_en, int is_tx)
{
if (is_tx)
return setsockopt(fd, IPPROTO_TCP, TCP_TXTLS_ENABLE,
- tls_en, sizeof(*tls_en)) ? 0 : 1;
-# ifndef OPENSSL_NO_KTLS_RX
+ tls_en, sizeof(*tls_en))
+ ? 0
+ : 1;
+#ifndef OPENSSL_NO_KTLS_RX
return setsockopt(fd, IPPROTO_TCP, TCP_RXTLS_ENABLE, tls_en,
- sizeof(*tls_en)) ? 0 : 1;
-# else
+ sizeof(*tls_en))
+ ? 0
+ : 1;
+#else
return 0;
-# endif
+#endif
}
/* Not supported on FreeBSD */
@@ -94,13 +98,13 @@ static ossl_inline int ktls_enable_tx_zerocopy_sendfile(int fd)
* record using this control message.
*/
static ossl_inline int ktls_send_ctrl_message(int fd, unsigned char record_type,
- const void *data, size_t length)
+ const void *data, size_t length)
{
struct msghdr msg = { 0 };
int cmsg_len = sizeof(record_type);
struct cmsghdr *cmsg;
char buf[CMSG_SPACE(cmsg_len)];
- struct iovec msg_iov; /* Vector of data to send/receive into */
+ struct iovec msg_iov; /* Vector of data to send/receive into */
msg.msg_control = buf;
msg.msg_controllen = sizeof(buf);
@@ -119,14 +123,14 @@ static ossl_inline int ktls_send_ctrl_message(int fd, unsigned char record_type,
return sendmsg(fd, &msg, 0);
}
-# ifdef OPENSSL_NO_KTLS_RX
+#ifdef OPENSSL_NO_KTLS_RX
static ossl_inline int ktls_read_record(int fd, void *data, size_t length)
{
return -1;
}
-# else /* !defined(OPENSSL_NO_KTLS_RX) */
+#else /* !defined(OPENSSL_NO_KTLS_RX) */
/*
* Receive a TLS record using the tls_en provided in ktls_start. The
@@ -142,7 +146,7 @@ static ossl_inline int ktls_read_record(int fd, void *data, size_t length)
struct tls_get_record *tgr;
struct cmsghdr *cmsg;
char buf[CMSG_SPACE(cmsg_len)];
- struct iovec msg_iov; /* Vector of data to send/receive into */
+ struct iovec msg_iov; /* Vector of data to send/receive into */
int ret;
unsigned char *p = data;
const size_t prepend_length = SSL3_RT_HEADER_LENGTH;
@@ -185,19 +189,20 @@ static ossl_inline int ktls_read_record(int fd, void *data, size_t length)
p[0] = tgr->tls_type;
p[1] = tgr->tls_vmajor;
p[2] = tgr->tls_vminor;
- *(uint16_t *)(p + 3) = htons(ret);
+ p[3] = (ret >> 8) & 0xff;
+ p[4] = ret & 0xff;
return ret + prepend_length;
}
-# endif /* OPENSSL_NO_KTLS_RX */
+#endif /* OPENSSL_NO_KTLS_RX */
/*
* KTLS enables the sendfile system call to send data from a file over
* TLS.
*/
static ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off,
- size_t size, int flags)
+ size_t size, int flags)
{
off_t sbytes = 0;
int ret;
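Review bot: The byte-wise stores at `p[3]`/`p[4]` remove the unaligned, aliasing-violating `uint16_t` write, but they silently truncate `ret` to 16 bits and would shift a negative `ret` if one reached this point; ktls_read_record begins outside this hunk, so whether `ret` has already been range-checked after the receive call is not visible here. If that invariant holds, a one-line comment would make it explicit: `/* ret fits in 16 bits here: payload length, written big-endian as in the TLS record header */`. If it does not, a guard such as `if (ret < 0 || ret > 0xffff) return -1;` before the header is assembled keeps the length field consistent with the payload that follows it.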
@@ -208,72 +213,72 @@ static ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off,
return sbytes;
}
-# endif /* __FreeBSD__ */
+#endif /* __FreeBSD__ */
-# if defined(OPENSSL_SYS_LINUX)
+#if defined(OPENSSL_SYS_LINUX)
-# include <linux/tls.h>
-# if LINUX_VERSION_CODE < KERNEL_VERSION(4, 17, 0)
-# define OPENSSL_NO_KTLS_RX
-# ifndef PEDANTIC
-# warning "KTLS requires Kernel Headers >= 4.17.0 for receiving"
-# warning "Skipping Compilation of KTLS receive data path"
-# endif
-# endif
-# if LINUX_VERSION_CODE < KERNEL_VERSION(5, 19, 0)
-# define OPENSSL_NO_KTLS_ZC_TX
-# ifndef PEDANTIC
-# warning "KTLS requires Kernel Headers >= 5.19.0 for zerocopy sendfile"
-# warning "Skipping Compilation of KTLS zerocopy sendfile"
-# endif
-# endif
-# define OPENSSL_KTLS_AES_GCM_128
-# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
-# define OPENSSL_KTLS_AES_GCM_256
-# define OPENSSL_KTLS_TLS13
-# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0)
-# define OPENSSL_KTLS_AES_CCM_128
-# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
-# ifndef OPENSSL_NO_CHACHA
-# define OPENSSL_KTLS_CHACHA20_POLY1305
-# endif
-# endif
-# endif
-# endif
+#include <linux/tls.h>
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 17, 0)
+#define OPENSSL_NO_KTLS_RX
+#ifndef PEDANTIC
+#warning "KTLS requires Kernel Headers >= 4.17.0 for receiving"
+#warning "Skipping Compilation of KTLS receive data path"
+#endif
+#endif
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 19, 0)
+#define OPENSSL_NO_KTLS_ZC_TX
+#ifndef PEDANTIC
+#warning "KTLS requires Kernel Headers >= 5.19.0 for zerocopy sendfile"
+#warning "Skipping Compilation of KTLS zerocopy sendfile"
+#endif
+#endif
+#define OPENSSL_KTLS_AES_GCM_128
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
+#define OPENSSL_KTLS_AES_GCM_256
+#define OPENSSL_KTLS_TLS13
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0)
+#define OPENSSL_KTLS_AES_CCM_128
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
+#ifndef OPENSSL_NO_CHACHA
+#define OPENSSL_KTLS_CHACHA20_POLY1305
+#endif
+#endif
+#endif
+#endif
-# include <sys/sendfile.h>
-# include <netinet/tcp.h>
-# include <linux/socket.h>
-# include <openssl/ssl3.h>
-# include <openssl/tls1.h>
-# include <openssl/evp.h>
+#include <sys/sendfile.h>
+#include <netinet/tcp.h>
+#include <linux/socket.h>
+#include <openssl/ssl3.h>
+#include <openssl/tls1.h>
+#include <openssl/evp.h>
-# ifndef SOL_TLS
-# define SOL_TLS 282
-# endif
+#ifndef SOL_TLS
+#define SOL_TLS 282
+#endif
-# ifndef TCP_ULP
-# define TCP_ULP 31
-# endif
+#ifndef TCP_ULP
+#define TCP_ULP 31
+#endif
-# ifndef TLS_RX
-# define TLS_RX 2
-# endif
+#ifndef TLS_RX
+#define TLS_RX 2
+#endif
struct tls_crypto_info_all {
union {
-# ifdef OPENSSL_KTLS_AES_GCM_128
+#ifdef OPENSSL_KTLS_AES_GCM_128
struct tls12_crypto_info_aes_gcm_128 gcm128;
-# endif
-# ifdef OPENSSL_KTLS_AES_GCM_256
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
struct tls12_crypto_info_aes_gcm_256 gcm256;
-# endif
-# ifdef OPENSSL_KTLS_AES_CCM_128
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
struct tls12_crypto_info_aes_ccm_128 ccm128;
-# endif
-# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
+#endif
+#ifdef OPENSSL_KTLS_CHACHA20_POLY1305
struct tls12_crypto_info_chacha20_poly1305 chacha20poly1305;
-# endif
+#endif
};
size_t tls_crypto_info_len;
};
@@ -300,10 +305,18 @@ static ossl_inline int ktls_enable(int fd)
* authenticated and decapsulated using the crypto_info provided here.
*/
static ossl_inline int ktls_start(int fd, ktls_crypto_info_t *crypto_info,
- int is_tx)
+ int is_tx)
{
+ /*
+ * Socket must be in TCP established state to enable KTLS.
+ * Further calls to enable ktls will return EEXIST
+ */
+ ktls_enable(fd);
+
return setsockopt(fd, SOL_TLS, is_tx ? TLS_TX : TLS_RX,
- crypto_info, crypto_info->tls_crypto_info_len) ? 0 : 1;
+ crypto_info, crypto_info->tls_crypto_info_len)
+ ? 0
+ : 1;
}
static ossl_inline int ktls_enable_tx_zerocopy_sendfile(int fd)
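Review bot: The result of the added `ktls_enable(fd)` call is discarded, so any failure other than the EEXIST case the new comment describes (ULP not available, socket not yet established) is lost and only surfaces as the following `setsockopt(fd, SOL_TLS, ...)` failing with a less specific errno. ktls_enable's body is outside this hunk, so I cannot tell whether it already tolerates EEXIST itself; assuming it follows this file's 0-on-failure convention, `if (!ktls_enable(fd) && errno != EEXIST) return 0;` would keep ktls_start's 0/1 contract while preserving the real cause for the caller (errno.h would need to be in scope). This is also the only functional change in an otherwise whitespace-only reformat, which is worth stating in the commit message.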
@@ -312,7 +325,9 @@ static ossl_inline int ktls_enable_tx_zerocopy_sendfile(int fd)
int enable = 1;
return setsockopt(fd, SOL_TLS, TLS_TX_ZEROCOPY_RO,
- &enable, sizeof(enable)) ? 0 : 1;
+ &enable, sizeof(enable))
+ ? 0
+ : 1;
#else
return 0;
#endif
@@ -326,7 +341,7 @@ static ossl_inline int ktls_enable_tx_zerocopy_sendfile(int fd)
* record using this control message.
*/
static ossl_inline int ktls_send_ctrl_message(int fd, unsigned char record_type,
- const void *data, size_t length)
+ const void *data, size_t length)
{
struct msghdr msg;
int cmsg_len = sizeof(record_type);
@@ -335,7 +350,7 @@ static ossl_inline int ktls_send_ctrl_message(int fd, unsigned char record_type,
struct cmsghdr hdr;
char buf[CMSG_SPACE(sizeof(unsigned char))];
} cmsgbuf;
- struct iovec msg_iov; /* Vector of data to send/receive into */
+ struct iovec msg_iov; /* Vector of data to send/receive into */
memset(&msg, 0, sizeof(msg));
msg.msg_control = cmsgbuf.buf;
@@ -364,15 +379,14 @@ static ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off, size_t s
return sendfile(s, fd, &off, size);
}
-# ifdef OPENSSL_NO_KTLS_RX
-
+#ifdef OPENSSL_NO_KTLS_RX
static ossl_inline int ktls_read_record(int fd, void *data, size_t length)
{
return -1;
}
-# else /* !defined(OPENSSL_NO_KTLS_RX) */
+#else /* !defined(OPENSSL_NO_KTLS_RX) */
/*
* Receive a TLS record using the crypto_info provided in ktls_start.
@@ -427,8 +441,8 @@ static ossl_inline int ktls_read_record(int fd, void *data, size_t length)
return ret;
}
-# endif /* OPENSSL_NO_KTLS_RX */
+#endif /* OPENSSL_NO_KTLS_RX */
-# endif /* OPENSSL_SYS_LINUX */
-# endif /* OPENSSL_NO_KTLS */
+#endif /* OPENSSL_SYS_LINUX */
+#endif /* OPENSSL_NO_KTLS */
#endif /* HEADER_INTERNAL_KTLS */