1178825Sdfr/*
2178825Sdfr * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
3178825Sdfr *
4178825Sdfr * Licensed under the Apache License 2.0 (the "License").  You may not use
5178825Sdfr * this file except in compliance with the License.  You can obtain a copy
6178825Sdfr * in the file LICENSE in the source distribution or at
7178825Sdfr * https://www.openssl.org/source/license.html
8178825Sdfr */
9178825Sdfr
10178825Sdfr#if defined(OPENSSL_SYS_LINUX)
11178825Sdfr# ifndef OPENSSL_NO_KTLS
12178825Sdfr#  include <linux/version.h>
13178825Sdfr#  if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0)
14178825Sdfr#   define OPENSSL_NO_KTLS
15178825Sdfr#   ifndef PEDANTIC
16178825Sdfr#    warning "KTLS requires Kernel Headers >= 4.13.0"
17178825Sdfr#    warning "Skipping Compilation of KTLS"
18178825Sdfr#   endif
19178825Sdfr#  endif
20178825Sdfr# endif
21178825Sdfr#endif
22178825Sdfr
23178825Sdfr#ifndef HEADER_INTERNAL_KTLS
24178825Sdfr# define HEADER_INTERNAL_KTLS
25178825Sdfr# pragma once
26178825Sdfr
27178825Sdfr# ifndef OPENSSL_NO_KTLS
28178825Sdfr
29178825Sdfr#  if defined(__FreeBSD__)
30178825Sdfr#   include <sys/types.h>
31178825Sdfr#   include <sys/socket.h>
32178825Sdfr#   include <sys/ktls.h>
33178825Sdfr#   include <netinet/in.h>
34178825Sdfr#   include <netinet/tcp.h>
35178825Sdfr#   include <openssl/ssl3.h>
36178825Sdfr
37178825Sdfr#   ifndef TCP_RXTLS_ENABLE
38178825Sdfr#    define OPENSSL_NO_KTLS_RX
39178825Sdfr#   endif
40178825Sdfr#   define OPENSSL_KTLS_AES_GCM_128
41178825Sdfr#   define OPENSSL_KTLS_AES_GCM_256
42178825Sdfr#   define OPENSSL_KTLS_TLS13
43178825Sdfr#   ifdef TLS_CHACHA20_IV_LEN
44178825Sdfr#    ifndef OPENSSL_NO_CHACHA
45178825Sdfr#     define OPENSSL_KTLS_CHACHA20_POLY1305
46178825Sdfr#    endif
47178825Sdfr#   endif
48178825Sdfr
49178825Sdfrtypedef struct tls_enable ktls_crypto_info_t;
50178825Sdfr
51178825Sdfr/*
52178825Sdfr * FreeBSD does not require any additional steps to enable KTLS before
53178825Sdfr * setting keys.
54178825Sdfr */
55178825Sdfrstatic ossl_inline int ktls_enable(int fd)
56178825Sdfr{
57178825Sdfr    return 1;
58178825Sdfr}
59178825Sdfr
60178825Sdfr/*
61178825Sdfr * The TCP_TXTLS_ENABLE socket option marks the outgoing socket buffer
62178825Sdfr * as using TLS.  If successful, then data sent using this socket will
63178825Sdfr * be encrypted and encapsulated in TLS records using the tls_en
64178825Sdfr * provided here.
65178825Sdfr *
66178825Sdfr * The TCP_RXTLS_ENABLE socket option marks the incoming socket buffer
67178825Sdfr * as using TLS.  If successful, then data received for this socket will
68178825Sdfr * be authenticated and decrypted using the tls_en provided here.
69178825Sdfr */
70178825Sdfrstatic ossl_inline int ktls_start(int fd, ktls_crypto_info_t *tls_en, int is_tx)
71178825Sdfr{
72178825Sdfr    if (is_tx)
73178825Sdfr        return setsockopt(fd, IPPROTO_TCP, TCP_TXTLS_ENABLE,
74178825Sdfr                          tls_en, sizeof(*tls_en)) ? 0 : 1;
75178825Sdfr#   ifndef OPENSSL_NO_KTLS_RX
76178825Sdfr    return setsockopt(fd, IPPROTO_TCP, TCP_RXTLS_ENABLE, tls_en,
77178825Sdfr                      sizeof(*tls_en)) ? 0 : 1;
78178825Sdfr#   else
79178825Sdfr    return 0;
80178825Sdfr#   endif
81178825Sdfr}
82178825Sdfr
83178825Sdfr/*
84178825Sdfr * Send a TLS record using the tls_en provided in ktls_start and use
85178825Sdfr * record_type instead of the default SSL3_RT_APPLICATION_DATA.
86178825Sdfr * When the socket is non-blocking, then this call either returns EAGAIN or
87178825Sdfr * the entire record is pushed to TCP. It is impossible to send a partial
88178825Sdfr * record using this control message.
89178825Sdfr */
90178825Sdfrstatic ossl_inline int ktls_send_ctrl_message(int fd, unsigned char record_type,
91178825Sdfr                                              const void *data, size_t length)
92178825Sdfr{
93178825Sdfr    struct msghdr msg = { 0 };
94178825Sdfr    int cmsg_len = sizeof(record_type);
95178825Sdfr    struct cmsghdr *cmsg;
96178825Sdfr    char buf[CMSG_SPACE(cmsg_len)];
97178825Sdfr    struct iovec msg_iov;   /* Vector of data to send/receive into */
98178825Sdfr
99178825Sdfr    msg.msg_control = buf;
100178825Sdfr    msg.msg_controllen = sizeof(buf);
101178825Sdfr    cmsg = CMSG_FIRSTHDR(&msg);
102178825Sdfr    cmsg->cmsg_level = IPPROTO_TCP;
103178825Sdfr    cmsg->cmsg_type = TLS_SET_RECORD_TYPE;
104178825Sdfr    cmsg->cmsg_len = CMSG_LEN(cmsg_len);
105178825Sdfr    *((unsigned char *)CMSG_DATA(cmsg)) = record_type;
106178825Sdfr    msg.msg_controllen = cmsg->cmsg_len;
107178825Sdfr
108178825Sdfr    msg_iov.iov_base = (void *)data;
109178825Sdfr    msg_iov.iov_len = length;
110178825Sdfr    msg.msg_iov = &msg_iov;
111178825Sdfr    msg.msg_iovlen = 1;
112178825Sdfr
113178825Sdfr    return sendmsg(fd, &msg, 0);
114178825Sdfr}
115178825Sdfr
116178825Sdfr#   ifdef OPENSSL_NO_KTLS_RX
117178825Sdfr
118178825Sdfrstatic ossl_inline int ktls_read_record(int fd, void *data, size_t length)
119178825Sdfr{
120178825Sdfr    return -1;
121178825Sdfr}
122178825Sdfr
123178825Sdfr#   else /* !defined(OPENSSL_NO_KTLS_RX) */
124178825Sdfr
125178825Sdfr/*
126178825Sdfr * Receive a TLS record using the tls_en provided in ktls_start.  The
127178825Sdfr * kernel strips any explicit IV and authentication tag, but provides
128178825Sdfr * the TLS record header via a control message.  If there is an error
129178825Sdfr * with the TLS record such as an invalid header, invalid padding, or
130178825Sdfr * authentication failure recvmsg() will fail with an error.
131178825Sdfr */
132178825Sdfrstatic ossl_inline int ktls_read_record(int fd, void *data, size_t length)
133178825Sdfr{
134178825Sdfr    struct msghdr msg = { 0 };
135178825Sdfr    int cmsg_len = sizeof(struct tls_get_record);
136178825Sdfr    struct tls_get_record *tgr;
137178825Sdfr    struct cmsghdr *cmsg;
138178825Sdfr    char buf[CMSG_SPACE(cmsg_len)];
139178825Sdfr    struct iovec msg_iov;   /* Vector of data to send/receive into */
140178825Sdfr    int ret;
141178825Sdfr    unsigned char *p = data;
142178825Sdfr    const size_t prepend_length = SSL3_RT_HEADER_LENGTH;
143178825Sdfr
144178825Sdfr    if (length <= prepend_length) {
145178825Sdfr        errno = EINVAL;
146178825Sdfr        return -1;
147178825Sdfr    }
148178825Sdfr
149178825Sdfr    msg.msg_control = buf;
150178825Sdfr    msg.msg_controllen = sizeof(buf);
151178825Sdfr
152178825Sdfr    msg_iov.iov_base = p + prepend_length;
153178825Sdfr    msg_iov.iov_len = length - prepend_length;
154178825Sdfr    msg.msg_iov = &msg_iov;
155178825Sdfr    msg.msg_iovlen = 1;
156178825Sdfr
157178825Sdfr    ret = recvmsg(fd, &msg, 0);
158178825Sdfr    if (ret <= 0)
159178825Sdfr        return ret;
160178825Sdfr
161178825Sdfr    if ((msg.msg_flags & (MSG_EOR | MSG_CTRUNC)) != MSG_EOR) {
162178825Sdfr        errno = EMSGSIZE;
163178825Sdfr        return -1;
164178825Sdfr    }
165178825Sdfr
166178825Sdfr    if (msg.msg_controllen == 0) {
167178825Sdfr        errno = EBADMSG;
168178825Sdfr        return -1;
169178825Sdfr    }
170178825Sdfr
171178825Sdfr    cmsg = CMSG_FIRSTHDR(&msg);
172178825Sdfr    if (cmsg->cmsg_level != IPPROTO_TCP || cmsg->cmsg_type != TLS_GET_RECORD
173178825Sdfr        || cmsg->cmsg_len != CMSG_LEN(cmsg_len)) {
174178825Sdfr        errno = EBADMSG;
175178825Sdfr        return -1;
176178825Sdfr    }
177178825Sdfr
178178825Sdfr    tgr = (struct tls_get_record *)CMSG_DATA(cmsg);
179178825Sdfr    p[0] = tgr->tls_type;
180178825Sdfr    p[1] = tgr->tls_vmajor;
181178825Sdfr    p[2] = tgr->tls_vminor;
182178825Sdfr    *(uint16_t *)(p + 3) = htons(ret);
183178825Sdfr
184178825Sdfr    return ret + prepend_length;
185178825Sdfr}
186178825Sdfr
187178825Sdfr#   endif /* OPENSSL_NO_KTLS_RX */
188178825Sdfr
189178825Sdfr/*
190178825Sdfr * KTLS enables the sendfile system call to send data from a file over
191178825Sdfr * TLS.
192178825Sdfr */
193178825Sdfrstatic ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off,
194178825Sdfr                                              size_t size, int flags)
195178825Sdfr{
196178825Sdfr    off_t sbytes = 0;
197178825Sdfr    int ret;
198178825Sdfr
199178825Sdfr    ret = sendfile(fd, s, off, size, NULL, &sbytes, flags);
200178825Sdfr    if (ret == -1 && sbytes == 0)
201178825Sdfr        return -1;
202178825Sdfr    return sbytes;
203178825Sdfr}
204178825Sdfr
205178825Sdfr#  endif                         /* __FreeBSD__ */
206178825Sdfr
207178825Sdfr#  if defined(OPENSSL_SYS_LINUX)
208178825Sdfr
209178825Sdfr#   include <linux/tls.h>
210178825Sdfr#   if LINUX_VERSION_CODE < KERNEL_VERSION(4, 17, 0)
211178825Sdfr#    define OPENSSL_NO_KTLS_RX
212178825Sdfr#    ifndef PEDANTIC
213178825Sdfr#     warning "KTLS requires Kernel Headers >= 4.17.0 for receiving"
214178825Sdfr#     warning "Skipping Compilation of KTLS receive data path"
215178825Sdfr#    endif
216178825Sdfr#   endif
217178825Sdfr#   define OPENSSL_KTLS_AES_GCM_128
218178825Sdfr#   if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
219178825Sdfr#    define OPENSSL_KTLS_AES_GCM_256
220178825Sdfr#    define OPENSSL_KTLS_TLS13
221178825Sdfr#    if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0)
222178825Sdfr#     define OPENSSL_KTLS_AES_CCM_128
223178825Sdfr#     if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
224178825Sdfr#      ifndef OPENSSL_NO_CHACHA
225178825Sdfr#       define OPENSSL_KTLS_CHACHA20_POLY1305
226178825Sdfr#      endif
227178825Sdfr#     endif
228178825Sdfr#    endif
229178825Sdfr#   endif
230178825Sdfr
231178825Sdfr#   include <sys/sendfile.h>
232178825Sdfr#   include <netinet/tcp.h>
233178825Sdfr#   include <linux/socket.h>
234178825Sdfr#   include <openssl/ssl3.h>
235178825Sdfr#   include <openssl/tls1.h>
236178825Sdfr#   include <openssl/evp.h>
237178825Sdfr
238178825Sdfr#   ifndef SOL_TLS
239#    define SOL_TLS 282
240#   endif
241
242#   ifndef TCP_ULP
243#    define TCP_ULP 31
244#   endif
245
246#   ifndef TLS_RX
247#    define TLS_RX                  2
248#   endif
249
250struct tls_crypto_info_all {
251    union {
252#   ifdef OPENSSL_KTLS_AES_GCM_128
253        struct tls12_crypto_info_aes_gcm_128 gcm128;
254#   endif
255#   ifdef OPENSSL_KTLS_AES_GCM_256
256        struct tls12_crypto_info_aes_gcm_256 gcm256;
257#   endif
258#   ifdef OPENSSL_KTLS_AES_CCM_128
259        struct tls12_crypto_info_aes_ccm_128 ccm128;
260#   endif
261#   ifdef OPENSSL_KTLS_CHACHA20_POLY1305
262        struct tls12_crypto_info_chacha20_poly1305 chacha20poly1305;
263#   endif
264    };
265    size_t tls_crypto_info_len;
266};
267
268typedef struct tls_crypto_info_all ktls_crypto_info_t;
269
270/*
271 * When successful, this socket option doesn't change the behaviour of the
272 * TCP socket, except changing the TCP setsockopt handler to enable the
273 * processing of SOL_TLS socket options. All other functionality remains the
274 * same.
275 */
276static ossl_inline int ktls_enable(int fd)
277{
278    return setsockopt(fd, SOL_TCP, TCP_ULP, "tls", sizeof("tls")) ? 0 : 1;
279}
280
281/*
282 * The TLS_TX socket option changes the send/sendmsg handlers of the TCP socket.
283 * If successful, then data sent using this socket will be encrypted and
284 * encapsulated in TLS records using the crypto_info provided here.
285 * The TLS_RX socket option changes the recv/recvmsg handlers of the TCP socket.
286 * If successful, then data received using this socket will be decrypted,
287 * authenticated and decapsulated using the crypto_info provided here.
288 */
289static ossl_inline int ktls_start(int fd, ktls_crypto_info_t *crypto_info,
290                                  int is_tx)
291{
292    return setsockopt(fd, SOL_TLS, is_tx ? TLS_TX : TLS_RX,
293                      crypto_info, crypto_info->tls_crypto_info_len) ? 0 : 1;
294}
295
296/*
297 * Send a TLS record using the crypto_info provided in ktls_start and use
298 * record_type instead of the default SSL3_RT_APPLICATION_DATA.
299 * When the socket is non-blocking, then this call either returns EAGAIN or
300 * the entire record is pushed to TCP. It is impossible to send a partial
301 * record using this control message.
302 */
303static ossl_inline int ktls_send_ctrl_message(int fd, unsigned char record_type,
304                                              const void *data, size_t length)
305{
306    struct msghdr msg;
307    int cmsg_len = sizeof(record_type);
308    struct cmsghdr *cmsg;
309    union {
310        struct cmsghdr hdr;
311        char buf[CMSG_SPACE(sizeof(unsigned char))];
312    } cmsgbuf;
313    struct iovec msg_iov;       /* Vector of data to send/receive into */
314
315    memset(&msg, 0, sizeof(msg));
316    msg.msg_control = cmsgbuf.buf;
317    msg.msg_controllen = sizeof(cmsgbuf.buf);
318    cmsg = CMSG_FIRSTHDR(&msg);
319    cmsg->cmsg_level = SOL_TLS;
320    cmsg->cmsg_type = TLS_SET_RECORD_TYPE;
321    cmsg->cmsg_len = CMSG_LEN(cmsg_len);
322    *((unsigned char *)CMSG_DATA(cmsg)) = record_type;
323    msg.msg_controllen = cmsg->cmsg_len;
324
325    msg_iov.iov_base = (void *)data;
326    msg_iov.iov_len = length;
327    msg.msg_iov = &msg_iov;
328    msg.msg_iovlen = 1;
329
330    return sendmsg(fd, &msg, 0);
331}
332
333/*
334 * KTLS enables the sendfile system call to send data from a file over TLS.
335 * @flags are ignored on Linux. (placeholder for FreeBSD sendfile)
336 * */
337static ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off, size_t size, int flags)
338{
339    return sendfile(s, fd, &off, size);
340}
341
342#   ifdef OPENSSL_NO_KTLS_RX
343
344
345static ossl_inline int ktls_read_record(int fd, void *data, size_t length)
346{
347    return -1;
348}
349
350#   else /* !defined(OPENSSL_NO_KTLS_RX) */
351
352/*
353 * Receive a TLS record using the crypto_info provided in ktls_start.
354 * The kernel strips the TLS record header, IV and authentication tag,
355 * returning only the plaintext data or an error on failure.
356 * We add the TLS record header here to satisfy routines in rec_layer_s3.c
357 */
358static ossl_inline int ktls_read_record(int fd, void *data, size_t length)
359{
360    struct msghdr msg;
361    struct cmsghdr *cmsg;
362    union {
363        struct cmsghdr hdr;
364        char buf[CMSG_SPACE(sizeof(unsigned char))];
365    } cmsgbuf;
366    struct iovec msg_iov;
367    int ret;
368    unsigned char *p = data;
369    const size_t prepend_length = SSL3_RT_HEADER_LENGTH;
370
371    if (length < prepend_length + EVP_GCM_TLS_TAG_LEN) {
372        errno = EINVAL;
373        return -1;
374    }
375
376    memset(&msg, 0, sizeof(msg));
377    msg.msg_control = cmsgbuf.buf;
378    msg.msg_controllen = sizeof(cmsgbuf.buf);
379
380    msg_iov.iov_base = p + prepend_length;
381    msg_iov.iov_len = length - prepend_length - EVP_GCM_TLS_TAG_LEN;
382    msg.msg_iov = &msg_iov;
383    msg.msg_iovlen = 1;
384
385    ret = recvmsg(fd, &msg, 0);
386    if (ret < 0)
387        return ret;
388
389    if (msg.msg_controllen > 0) {
390        cmsg = CMSG_FIRSTHDR(&msg);
391        if (cmsg->cmsg_type == TLS_GET_RECORD_TYPE) {
392            p[0] = *((unsigned char *)CMSG_DATA(cmsg));
393            p[1] = TLS1_2_VERSION_MAJOR;
394            p[2] = TLS1_2_VERSION_MINOR;
395            /* returned length is limited to msg_iov.iov_len above */
396            p[3] = (ret >> 8) & 0xff;
397            p[4] = ret & 0xff;
398            ret += prepend_length;
399        }
400    }
401
402    return ret;
403}
404
405#   endif /* OPENSSL_NO_KTLS_RX */
406
407#  endif /* OPENSSL_SYS_LINUX */
408# endif /* OPENSSL_NO_KTLS */
409#endif /* HEADER_INTERNAL_KTLS */
410