1178825Sdfr/* 2178825Sdfr * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. 3178825Sdfr * 4178825Sdfr * Licensed under the Apache License 2.0 (the "License"). You may not use 5178825Sdfr * this file except in compliance with the License. You can obtain a copy 6178825Sdfr * in the file LICENSE in the source distribution or at 7178825Sdfr * https://www.openssl.org/source/license.html 8178825Sdfr */ 9178825Sdfr 10178825Sdfr#if defined(OPENSSL_SYS_LINUX) 11178825Sdfr# ifndef OPENSSL_NO_KTLS 12178825Sdfr# include <linux/version.h> 13178825Sdfr# if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) 14178825Sdfr# define OPENSSL_NO_KTLS 15178825Sdfr# ifndef PEDANTIC 16178825Sdfr# warning "KTLS requires Kernel Headers >= 4.13.0" 17178825Sdfr# warning "Skipping Compilation of KTLS" 18178825Sdfr# endif 19178825Sdfr# endif 20178825Sdfr# endif 21178825Sdfr#endif 22178825Sdfr 23178825Sdfr#ifndef HEADER_INTERNAL_KTLS 24178825Sdfr# define HEADER_INTERNAL_KTLS 25178825Sdfr# pragma once 26178825Sdfr 27178825Sdfr# ifndef OPENSSL_NO_KTLS 28178825Sdfr 29178825Sdfr# if defined(__FreeBSD__) 30178825Sdfr# include <sys/types.h> 31178825Sdfr# include <sys/socket.h> 32178825Sdfr# include <sys/ktls.h> 33178825Sdfr# include <netinet/in.h> 34178825Sdfr# include <netinet/tcp.h> 35178825Sdfr# include <openssl/ssl3.h> 36178825Sdfr 37178825Sdfr# ifndef TCP_RXTLS_ENABLE 38178825Sdfr# define OPENSSL_NO_KTLS_RX 39178825Sdfr# endif 40178825Sdfr# define OPENSSL_KTLS_AES_GCM_128 41178825Sdfr# define OPENSSL_KTLS_AES_GCM_256 42178825Sdfr# define OPENSSL_KTLS_TLS13 43178825Sdfr# ifdef TLS_CHACHA20_IV_LEN 44178825Sdfr# ifndef OPENSSL_NO_CHACHA 45178825Sdfr# define OPENSSL_KTLS_CHACHA20_POLY1305 46178825Sdfr# endif 47178825Sdfr# endif 48178825Sdfr 49178825Sdfrtypedef struct tls_enable ktls_crypto_info_t; 50178825Sdfr 51178825Sdfr/* 52178825Sdfr * FreeBSD does not require any additional steps to enable KTLS before 53178825Sdfr * setting keys. 54178825Sdfr */ 55178825Sdfrstatic ossl_inline int ktls_enable(int fd) 56178825Sdfr{ 57178825Sdfr return 1; 58178825Sdfr} 59178825Sdfr 60178825Sdfr/* 61178825Sdfr * The TCP_TXTLS_ENABLE socket option marks the outgoing socket buffer 62178825Sdfr * as using TLS. If successful, then data sent using this socket will 63178825Sdfr * be encrypted and encapsulated in TLS records using the tls_en 64178825Sdfr * provided here. 65178825Sdfr * 66178825Sdfr * The TCP_RXTLS_ENABLE socket option marks the incoming socket buffer 67178825Sdfr * as using TLS. If successful, then data received for this socket will 68178825Sdfr * be authenticated and decrypted using the tls_en provided here. 69178825Sdfr */ 70178825Sdfrstatic ossl_inline int ktls_start(int fd, ktls_crypto_info_t *tls_en, int is_tx) 71178825Sdfr{ 72178825Sdfr if (is_tx) 73178825Sdfr return setsockopt(fd, IPPROTO_TCP, TCP_TXTLS_ENABLE, 74178825Sdfr tls_en, sizeof(*tls_en)) ? 0 : 1; 75178825Sdfr# ifndef OPENSSL_NO_KTLS_RX 76178825Sdfr return setsockopt(fd, IPPROTO_TCP, TCP_RXTLS_ENABLE, tls_en, 77178825Sdfr sizeof(*tls_en)) ? 0 : 1; 78178825Sdfr# else 79178825Sdfr return 0; 80178825Sdfr# endif 81178825Sdfr} 82178825Sdfr 83178825Sdfr/* 84178825Sdfr * Send a TLS record using the tls_en provided in ktls_start and use 85178825Sdfr * record_type instead of the default SSL3_RT_APPLICATION_DATA. 86178825Sdfr * When the socket is non-blocking, then this call either returns EAGAIN or 87178825Sdfr * the entire record is pushed to TCP. It is impossible to send a partial 88178825Sdfr * record using this control message. 89178825Sdfr */ 90178825Sdfrstatic ossl_inline int ktls_send_ctrl_message(int fd, unsigned char record_type, 91178825Sdfr const void *data, size_t length) 92178825Sdfr{ 93178825Sdfr struct msghdr msg = { 0 }; 94178825Sdfr int cmsg_len = sizeof(record_type); 95178825Sdfr struct cmsghdr *cmsg; 96178825Sdfr char buf[CMSG_SPACE(cmsg_len)]; 97178825Sdfr struct iovec msg_iov; /* Vector of data to send/receive into */ 98178825Sdfr 99178825Sdfr msg.msg_control = buf; 100178825Sdfr msg.msg_controllen = sizeof(buf); 101178825Sdfr cmsg = CMSG_FIRSTHDR(&msg); 102178825Sdfr cmsg->cmsg_level = IPPROTO_TCP; 103178825Sdfr cmsg->cmsg_type = TLS_SET_RECORD_TYPE; 104178825Sdfr cmsg->cmsg_len = CMSG_LEN(cmsg_len); 105178825Sdfr *((unsigned char *)CMSG_DATA(cmsg)) = record_type; 106178825Sdfr msg.msg_controllen = cmsg->cmsg_len; 107178825Sdfr 108178825Sdfr msg_iov.iov_base = (void *)data; 109178825Sdfr msg_iov.iov_len = length; 110178825Sdfr msg.msg_iov = &msg_iov; 111178825Sdfr msg.msg_iovlen = 1; 112178825Sdfr 113178825Sdfr return sendmsg(fd, &msg, 0); 114178825Sdfr} 115178825Sdfr 116178825Sdfr# ifdef OPENSSL_NO_KTLS_RX 117178825Sdfr 118178825Sdfrstatic ossl_inline int ktls_read_record(int fd, void *data, size_t length) 119178825Sdfr{ 120178825Sdfr return -1; 121178825Sdfr} 122178825Sdfr 123178825Sdfr# else /* !defined(OPENSSL_NO_KTLS_RX) */ 124178825Sdfr 125178825Sdfr/* 126178825Sdfr * Receive a TLS record using the tls_en provided in ktls_start. The 127178825Sdfr * kernel strips any explicit IV and authentication tag, but provides 128178825Sdfr * the TLS record header via a control message. If there is an error 129178825Sdfr * with the TLS record such as an invalid header, invalid padding, or 130178825Sdfr * authentication failure recvmsg() will fail with an error. 131178825Sdfr */ 132178825Sdfrstatic ossl_inline int ktls_read_record(int fd, void *data, size_t length) 133178825Sdfr{ 134178825Sdfr struct msghdr msg = { 0 }; 135178825Sdfr int cmsg_len = sizeof(struct tls_get_record); 136178825Sdfr struct tls_get_record *tgr; 137178825Sdfr struct cmsghdr *cmsg; 138178825Sdfr char buf[CMSG_SPACE(cmsg_len)]; 139178825Sdfr struct iovec msg_iov; /* Vector of data to send/receive into */ 140178825Sdfr int ret; 141178825Sdfr unsigned char *p = data; 142178825Sdfr const size_t prepend_length = SSL3_RT_HEADER_LENGTH; 143178825Sdfr 144178825Sdfr if (length <= prepend_length) { 145178825Sdfr errno = EINVAL; 146178825Sdfr return -1; 147178825Sdfr } 148178825Sdfr 149178825Sdfr msg.msg_control = buf; 150178825Sdfr msg.msg_controllen = sizeof(buf); 151178825Sdfr 152178825Sdfr msg_iov.iov_base = p + prepend_length; 153178825Sdfr msg_iov.iov_len = length - prepend_length; 154178825Sdfr msg.msg_iov = &msg_iov; 155178825Sdfr msg.msg_iovlen = 1; 156178825Sdfr 157178825Sdfr ret = recvmsg(fd, &msg, 0); 158178825Sdfr if (ret <= 0) 159178825Sdfr return ret; 160178825Sdfr 161178825Sdfr if ((msg.msg_flags & (MSG_EOR | MSG_CTRUNC)) != MSG_EOR) { 162178825Sdfr errno = EMSGSIZE; 163178825Sdfr return -1; 164178825Sdfr } 165178825Sdfr 166178825Sdfr if (msg.msg_controllen == 0) { 167178825Sdfr errno = EBADMSG; 168178825Sdfr return -1; 169178825Sdfr } 170178825Sdfr 171178825Sdfr cmsg = CMSG_FIRSTHDR(&msg); 172178825Sdfr if (cmsg->cmsg_level != IPPROTO_TCP || cmsg->cmsg_type != TLS_GET_RECORD 173178825Sdfr || cmsg->cmsg_len != CMSG_LEN(cmsg_len)) { 174178825Sdfr errno = EBADMSG; 175178825Sdfr return -1; 176178825Sdfr } 177178825Sdfr 178178825Sdfr tgr = (struct tls_get_record *)CMSG_DATA(cmsg); 179178825Sdfr p[0] = tgr->tls_type; 180178825Sdfr p[1] = tgr->tls_vmajor; 181178825Sdfr p[2] = tgr->tls_vminor; 182178825Sdfr *(uint16_t *)(p + 3) = htons(ret); 183178825Sdfr 184178825Sdfr return ret + prepend_length; 185178825Sdfr} 186178825Sdfr 187178825Sdfr# endif /* OPENSSL_NO_KTLS_RX */ 188178825Sdfr 189178825Sdfr/* 190178825Sdfr * KTLS enables the sendfile system call to send data from a file over 191178825Sdfr * TLS. 192178825Sdfr */ 193178825Sdfrstatic ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off, 194178825Sdfr size_t size, int flags) 195178825Sdfr{ 196178825Sdfr off_t sbytes = 0; 197178825Sdfr int ret; 198178825Sdfr 199178825Sdfr ret = sendfile(fd, s, off, size, NULL, &sbytes, flags); 200178825Sdfr if (ret == -1 && sbytes == 0) 201178825Sdfr return -1; 202178825Sdfr return sbytes; 203178825Sdfr} 204178825Sdfr 205178825Sdfr# endif /* __FreeBSD__ */ 206178825Sdfr 207178825Sdfr# if defined(OPENSSL_SYS_LINUX) 208178825Sdfr 209178825Sdfr# include <linux/tls.h> 210178825Sdfr# if LINUX_VERSION_CODE < KERNEL_VERSION(4, 17, 0) 211178825Sdfr# define OPENSSL_NO_KTLS_RX 212178825Sdfr# ifndef PEDANTIC 213178825Sdfr# warning "KTLS requires Kernel Headers >= 4.17.0 for receiving" 214178825Sdfr# warning "Skipping Compilation of KTLS receive data path" 215178825Sdfr# endif 216178825Sdfr# endif 217178825Sdfr# define OPENSSL_KTLS_AES_GCM_128 218178825Sdfr# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0) 219178825Sdfr# define OPENSSL_KTLS_AES_GCM_256 220178825Sdfr# define OPENSSL_KTLS_TLS13 221178825Sdfr# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0) 222178825Sdfr# define OPENSSL_KTLS_AES_CCM_128 223178825Sdfr# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0) 224178825Sdfr# ifndef OPENSSL_NO_CHACHA 225178825Sdfr# define OPENSSL_KTLS_CHACHA20_POLY1305 226178825Sdfr# endif 227178825Sdfr# endif 228178825Sdfr# endif 229178825Sdfr# endif 230178825Sdfr 231178825Sdfr# include <sys/sendfile.h> 232178825Sdfr# include <netinet/tcp.h> 233178825Sdfr# include <linux/socket.h> 234178825Sdfr# include <openssl/ssl3.h> 235178825Sdfr# include <openssl/tls1.h> 236178825Sdfr# include <openssl/evp.h> 237178825Sdfr 238178825Sdfr# ifndef SOL_TLS 239# define SOL_TLS 282 240# endif 241 242# ifndef TCP_ULP 243# define TCP_ULP 31 244# endif 245 246# ifndef TLS_RX 247# define TLS_RX 2 248# endif 249 250struct tls_crypto_info_all { 251 union { 252# ifdef OPENSSL_KTLS_AES_GCM_128 253 struct tls12_crypto_info_aes_gcm_128 gcm128; 254# endif 255# ifdef OPENSSL_KTLS_AES_GCM_256 256 struct tls12_crypto_info_aes_gcm_256 gcm256; 257# endif 258# ifdef OPENSSL_KTLS_AES_CCM_128 259 struct tls12_crypto_info_aes_ccm_128 ccm128; 260# endif 261# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 262 struct tls12_crypto_info_chacha20_poly1305 chacha20poly1305; 263# endif 264 }; 265 size_t tls_crypto_info_len; 266}; 267 268typedef struct tls_crypto_info_all ktls_crypto_info_t; 269 270/* 271 * When successful, this socket option doesn't change the behaviour of the 272 * TCP socket, except changing the TCP setsockopt handler to enable the 273 * processing of SOL_TLS socket options. All other functionality remains the 274 * same. 275 */ 276static ossl_inline int ktls_enable(int fd) 277{ 278 return setsockopt(fd, SOL_TCP, TCP_ULP, "tls", sizeof("tls")) ? 0 : 1; 279} 280 281/* 282 * The TLS_TX socket option changes the send/sendmsg handlers of the TCP socket. 283 * If successful, then data sent using this socket will be encrypted and 284 * encapsulated in TLS records using the crypto_info provided here. 285 * The TLS_RX socket option changes the recv/recvmsg handlers of the TCP socket. 286 * If successful, then data received using this socket will be decrypted, 287 * authenticated and decapsulated using the crypto_info provided here. 288 */ 289static ossl_inline int ktls_start(int fd, ktls_crypto_info_t *crypto_info, 290 int is_tx) 291{ 292 return setsockopt(fd, SOL_TLS, is_tx ? TLS_TX : TLS_RX, 293 crypto_info, crypto_info->tls_crypto_info_len) ? 0 : 1; 294} 295 296/* 297 * Send a TLS record using the crypto_info provided in ktls_start and use 298 * record_type instead of the default SSL3_RT_APPLICATION_DATA. 299 * When the socket is non-blocking, then this call either returns EAGAIN or 300 * the entire record is pushed to TCP. It is impossible to send a partial 301 * record using this control message. 302 */ 303static ossl_inline int ktls_send_ctrl_message(int fd, unsigned char record_type, 304 const void *data, size_t length) 305{ 306 struct msghdr msg; 307 int cmsg_len = sizeof(record_type); 308 struct cmsghdr *cmsg; 309 union { 310 struct cmsghdr hdr; 311 char buf[CMSG_SPACE(sizeof(unsigned char))]; 312 } cmsgbuf; 313 struct iovec msg_iov; /* Vector of data to send/receive into */ 314 315 memset(&msg, 0, sizeof(msg)); 316 msg.msg_control = cmsgbuf.buf; 317 msg.msg_controllen = sizeof(cmsgbuf.buf); 318 cmsg = CMSG_FIRSTHDR(&msg); 319 cmsg->cmsg_level = SOL_TLS; 320 cmsg->cmsg_type = TLS_SET_RECORD_TYPE; 321 cmsg->cmsg_len = CMSG_LEN(cmsg_len); 322 *((unsigned char *)CMSG_DATA(cmsg)) = record_type; 323 msg.msg_controllen = cmsg->cmsg_len; 324 325 msg_iov.iov_base = (void *)data; 326 msg_iov.iov_len = length; 327 msg.msg_iov = &msg_iov; 328 msg.msg_iovlen = 1; 329 330 return sendmsg(fd, &msg, 0); 331} 332 333/* 334 * KTLS enables the sendfile system call to send data from a file over TLS. 335 * @flags are ignored on Linux. (placeholder for FreeBSD sendfile) 336 * */ 337static ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off, size_t size, int flags) 338{ 339 return sendfile(s, fd, &off, size); 340} 341 342# ifdef OPENSSL_NO_KTLS_RX 343 344 345static ossl_inline int ktls_read_record(int fd, void *data, size_t length) 346{ 347 return -1; 348} 349 350# else /* !defined(OPENSSL_NO_KTLS_RX) */ 351 352/* 353 * Receive a TLS record using the crypto_info provided in ktls_start. 354 * The kernel strips the TLS record header, IV and authentication tag, 355 * returning only the plaintext data or an error on failure. 356 * We add the TLS record header here to satisfy routines in rec_layer_s3.c 357 */ 358static ossl_inline int ktls_read_record(int fd, void *data, size_t length) 359{ 360 struct msghdr msg; 361 struct cmsghdr *cmsg; 362 union { 363 struct cmsghdr hdr; 364 char buf[CMSG_SPACE(sizeof(unsigned char))]; 365 } cmsgbuf; 366 struct iovec msg_iov; 367 int ret; 368 unsigned char *p = data; 369 const size_t prepend_length = SSL3_RT_HEADER_LENGTH; 370 371 if (length < prepend_length + EVP_GCM_TLS_TAG_LEN) { 372 errno = EINVAL; 373 return -1; 374 } 375 376 memset(&msg, 0, sizeof(msg)); 377 msg.msg_control = cmsgbuf.buf; 378 msg.msg_controllen = sizeof(cmsgbuf.buf); 379 380 msg_iov.iov_base = p + prepend_length; 381 msg_iov.iov_len = length - prepend_length - EVP_GCM_TLS_TAG_LEN; 382 msg.msg_iov = &msg_iov; 383 msg.msg_iovlen = 1; 384 385 ret = recvmsg(fd, &msg, 0); 386 if (ret < 0) 387 return ret; 388 389 if (msg.msg_controllen > 0) { 390 cmsg = CMSG_FIRSTHDR(&msg); 391 if (cmsg->cmsg_type == TLS_GET_RECORD_TYPE) { 392 p[0] = *((unsigned char *)CMSG_DATA(cmsg)); 393 p[1] = TLS1_2_VERSION_MAJOR; 394 p[2] = TLS1_2_VERSION_MINOR; 395 /* returned length is limited to msg_iov.iov_len above */ 396 p[3] = (ret >> 8) & 0xff; 397 p[4] = ret & 0xff; 398 ret += prepend_length; 399 } 400 } 401 402 return ret; 403} 404 405# endif /* OPENSSL_NO_KTLS_RX */ 406 407# endif /* OPENSSL_SYS_LINUX */ 408# endif /* OPENSSL_NO_KTLS */ 409#endif /* HEADER_INTERNAL_KTLS */ 410