Skip to content

Commit 130b392

Browse files
Dave Watsondavem330
Dave Watson
authored and
davem330
committed
net: tls: Add tls 1.3 support
TLS 1.3 has minor changes from TLS 1.2 at the record layer. * Header now hardcodes the same version and application content type in the header. * The real content type is appended after the data, before encryption (or after decryption). * The IV is xored with the sequence number, instead of concatinating four bytes of IV with the explicit IV. * Zero-padding: No exlicit length is given, we search backwards from the end of the decrypted data for the first non-zero byte, which is the content type. Currently recv supports reading zero-padding, but there is no way for send to add zero padding. Signed-off-by: Dave Watson <davejwatson@fb.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent fedf201 commit 130b392

File tree

6 files changed

+154
-43
lines changed

6 files changed

+154
-43
lines changed

include/net/tls.h

Lines changed: 49 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -119,6 +119,9 @@ struct tls_rec {
119119
/* AAD | msg_encrypted.sg.data (data contains overhead for hdr & iv & tag) */
120120
struct scatterlist sg_aead_out[2];
121121

122+
char content_type;
123+
struct scatterlist sg_content_type;
124+
122125
char aad_space[TLS_AAD_SPACE_SIZE];
123126
u8 iv_data[TLS_CIPHER_AES_GCM_128_IV_SIZE +
124127
TLS_CIPHER_AES_GCM_128_SALT_SIZE];
@@ -203,6 +206,7 @@ struct cipher_context {
203206
u16 rec_seq_size;
204207
char *rec_seq;
205208
u16 aad_size;
209+
u16 tail_size;
206210
};
207211

208212
union tls_crypto_context {
@@ -397,49 +401,77 @@ static inline bool tls_bigint_increment(unsigned char *seq, int len)
397401
}
398402

399403
static inline void tls_advance_record_sn(struct sock *sk,
400-
struct cipher_context *ctx)
404+
struct cipher_context *ctx,
405+
int version)
401406
{
402407
if (tls_bigint_increment(ctx->rec_seq, ctx->rec_seq_size))
403408
tls_err_abort(sk, EBADMSG);
404-
tls_bigint_increment(ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
405-
ctx->iv_size);
409+
410+
if (version != TLS_1_3_VERSION) {
411+
tls_bigint_increment(ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
412+
ctx->iv_size);
413+
}
406414
}
407415

408416
static inline void tls_fill_prepend(struct tls_context *ctx,
409417
char *buf,
410418
size_t plaintext_len,
411-
unsigned char record_type)
419+
unsigned char record_type,
420+
int version)
412421
{
413422
size_t pkt_len, iv_size = ctx->tx.iv_size;
414423

415-
pkt_len = plaintext_len + iv_size + ctx->tx.tag_size;
424+
pkt_len = plaintext_len + ctx->tx.tag_size;
425+
if (version != TLS_1_3_VERSION) {
426+
pkt_len += iv_size;
427+
428+
memcpy(buf + TLS_NONCE_OFFSET,
429+
ctx->tx.iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE, iv_size);
430+
}
416431

417432
/* we cover nonce explicit here as well, so buf should be of
418433
* size KTLS_DTLS_HEADER_SIZE + KTLS_DTLS_NONCE_EXPLICIT_SIZE
419434
*/
420-
buf[0] = record_type;
421-
buf[1] = TLS_VERSION_MINOR(ctx->crypto_send.info.version);
422-
buf[2] = TLS_VERSION_MAJOR(ctx->crypto_send.info.version);
435+
buf[0] = version == TLS_1_3_VERSION ?
436+
TLS_RECORD_TYPE_DATA : record_type;
437+
/* Note that VERSION must be TLS_1_2 for both TLS1.2 and TLS1.3 */
438+
buf[1] = TLS_1_2_VERSION_MINOR;
439+
buf[2] = TLS_1_2_VERSION_MAJOR;
423440
/* we can use IV for nonce explicit according to spec */
424441
buf[3] = pkt_len >> 8;
425442
buf[4] = pkt_len & 0xFF;
426-
memcpy(buf + TLS_NONCE_OFFSET,
427-
ctx->tx.iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE, iv_size);
428443
}
429444

430445
static inline void tls_make_aad(char *buf,
431446
size_t size,
432447
char *record_sequence,
433448
int record_sequence_size,
434-
unsigned char record_type)
449+
unsigned char record_type,
450+
int version)
451+
{
452+
if (version != TLS_1_3_VERSION) {
453+
memcpy(buf, record_sequence, record_sequence_size);
454+
buf += 8;
455+
} else {
456+
size += TLS_CIPHER_AES_GCM_128_TAG_SIZE;
457+
}
458+
459+
buf[0] = version == TLS_1_3_VERSION ?
460+
TLS_RECORD_TYPE_DATA : record_type;
461+
buf[1] = TLS_1_2_VERSION_MAJOR;
462+
buf[2] = TLS_1_2_VERSION_MINOR;
463+
buf[3] = size >> 8;
464+
buf[4] = size & 0xFF;
465+
}
466+
467+
static inline void xor_iv_with_seq(int version, char *iv, char *seq)
435468
{
436-
memcpy(buf, record_sequence, record_sequence_size);
469+
int i;
437470

438-
buf[8] = record_type;
439-
buf[9] = TLS_1_2_VERSION_MAJOR;
440-
buf[10] = TLS_1_2_VERSION_MINOR;
441-
buf[11] = size >> 8;
442-
buf[12] = size & 0xFF;
471+
if (version == TLS_1_3_VERSION) {
472+
for (i = 0; i < 8; i++)
473+
iv[i + 4] ^= seq[i];
474+
}
443475
}
444476

445477
static inline struct tls_context *tls_get_ctx(const struct sock *sk)

include/uapi/linux/tls.h

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -51,6 +51,10 @@
5151
#define TLS_1_2_VERSION_MINOR 0x3
5252
#define TLS_1_2_VERSION TLS_VERSION_NUMBER(TLS_1_2)
5353

54+
#define TLS_1_3_VERSION_MAJOR 0x3
55+
#define TLS_1_3_VERSION_MINOR 0x4
56+
#define TLS_1_3_VERSION TLS_VERSION_NUMBER(TLS_1_3)
57+
5458
/* Supported ciphers */
5559
#define TLS_CIPHER_AES_GCM_128 51
5660
#define TLS_CIPHER_AES_GCM_128_IV_SIZE 8

net/tls/tls_device.c

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -257,7 +257,8 @@ static int tls_push_record(struct sock *sk,
257257
tls_fill_prepend(ctx,
258258
skb_frag_address(frag),
259259
record->len - ctx->tx.prepend_size,
260-
record_type);
260+
record_type,
261+
ctx->crypto_send.info.version);
261262

262263
/* HW doesn't care about the data in the tag, because it fills it. */
263264
dummy_tag_frag.page = skb_frag_page(frag);
@@ -270,7 +271,7 @@ static int tls_push_record(struct sock *sk,
270271
spin_unlock_irq(&offload_ctx->lock);
271272
offload_ctx->open_record = NULL;
272273
set_bit(TLS_PENDING_CLOSED_RECORD, &ctx->flags);
273-
tls_advance_record_sn(sk, &ctx->tx);
274+
tls_advance_record_sn(sk, &ctx->tx, ctx->crypto_send.info.version);
274275

275276
for (i = 0; i < record->num_frags; i++) {
276277
frag = &record->frags[i];

net/tls/tls_device_fallback.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -73,7 +73,8 @@ static int tls_enc_record(struct aead_request *aead_req,
7373
len -= TLS_CIPHER_AES_GCM_128_IV_SIZE;
7474

7575
tls_make_aad(aad, len - TLS_CIPHER_AES_GCM_128_TAG_SIZE,
76-
(char *)&rcd_sn, sizeof(rcd_sn), buf[0]);
76+
(char *)&rcd_sn, sizeof(rcd_sn), buf[0],
77+
TLS_1_2_VERSION);
7778

7879
memcpy(iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE, buf + TLS_HEADER_SIZE,
7980
TLS_CIPHER_AES_GCM_128_IV_SIZE);

net/tls/tls_main.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -463,7 +463,8 @@ static int do_tls_setsockopt_conf(struct sock *sk, char __user *optval,
463463
}
464464

465465
/* check version */
466-
if (crypto_info->version != TLS_1_2_VERSION) {
466+
if (crypto_info->version != TLS_1_2_VERSION &&
467+
crypto_info->version != TLS_1_3_VERSION) {
467468
rc = -ENOTSUPP;
468469
goto err_crypto_info;
469470
}

net/tls/tls_sw.c

Lines changed: 94 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -120,6 +120,34 @@ static int skb_nsg(struct sk_buff *skb, int offset, int len)
120120
return __skb_nsg(skb, offset, len, 0);
121121
}
122122

123+
static int padding_length(struct tls_sw_context_rx *ctx,
124+
struct tls_context *tls_ctx, struct sk_buff *skb)
125+
{
126+
struct strp_msg *rxm = strp_msg(skb);
127+
int sub = 0;
128+
129+
/* Determine zero-padding length */
130+
if (tls_ctx->crypto_recv.info.version == TLS_1_3_VERSION) {
131+
char content_type = 0;
132+
int err;
133+
int back = 17;
134+
135+
while (content_type == 0) {
136+
if (back > rxm->full_len)
137+
return -EBADMSG;
138+
err = skb_copy_bits(skb,
139+
rxm->offset + rxm->full_len - back,
140+
&content_type, 1);
141+
if (content_type)
142+
break;
143+
sub++;
144+
back++;
145+
}
146+
ctx->control = content_type;
147+
}
148+
return sub;
149+
}
150+
123151
static void tls_decrypt_done(struct crypto_async_request *req, int err)
124152
{
125153
struct aead_request *aead_req = (struct aead_request *)req;
@@ -142,7 +170,7 @@ static void tls_decrypt_done(struct crypto_async_request *req, int err)
142170
tls_err_abort(skb->sk, err);
143171
} else {
144172
struct strp_msg *rxm = strp_msg(skb);
145-
173+
rxm->full_len -= padding_length(ctx, tls_ctx, skb);
146174
rxm->offset += tls_ctx->rx.prepend_size;
147175
rxm->full_len -= tls_ctx->rx.overhead_size;
148176
}
@@ -448,6 +476,8 @@ static int tls_do_encryption(struct sock *sk,
448476
int rc;
449477

450478
memcpy(rec->iv_data, tls_ctx->tx.iv, sizeof(rec->iv_data));
479+
xor_iv_with_seq(tls_ctx->crypto_send.info.version, rec->iv_data,
480+
tls_ctx->tx.rec_seq);
451481

452482
sge->offset += tls_ctx->tx.prepend_size;
453483
sge->length -= tls_ctx->tx.prepend_size;
@@ -483,7 +513,8 @@ static int tls_do_encryption(struct sock *sk,
483513

484514
/* Unhook the record from context if encryption is not failure */
485515
ctx->open_rec = NULL;
486-
tls_advance_record_sn(sk, &tls_ctx->tx);
516+
tls_advance_record_sn(sk, &tls_ctx->tx,
517+
tls_ctx->crypto_send.info.version);
487518
return rc;
488519
}
489520

@@ -640,7 +671,17 @@ static int tls_push_record(struct sock *sk, int flags,
640671

641672
i = msg_pl->sg.end;
642673
sk_msg_iter_var_prev(i);
643-
sg_mark_end(sk_msg_elem(msg_pl, i));
674+
675+
rec->content_type = record_type;
676+
if (tls_ctx->crypto_send.info.version == TLS_1_3_VERSION) {
677+
/* Add content type to end of message. No padding added */
678+
sg_set_buf(&rec->sg_content_type, &rec->content_type, 1);
679+
sg_mark_end(&rec->sg_content_type);
680+
sg_chain(msg_pl->sg.data, msg_pl->sg.end + 1,
681+
&rec->sg_content_type);
682+
} else {
683+
sg_mark_end(sk_msg_elem(msg_pl, i));
684+
}
644685

645686
i = msg_pl->sg.start;
646687
sg_chain(rec->sg_aead_in, 2, rec->inplace_crypto ?
@@ -653,18 +694,22 @@ static int tls_push_record(struct sock *sk, int flags,
653694
i = msg_en->sg.start;
654695
sg_chain(rec->sg_aead_out, 2, &msg_en->sg.data[i]);
655696

656-
tls_make_aad(rec->aad_space, msg_pl->sg.size,
697+
tls_make_aad(rec->aad_space, msg_pl->sg.size + tls_ctx->tx.tail_size,
657698
tls_ctx->tx.rec_seq, tls_ctx->tx.rec_seq_size,
658-
record_type);
699+
record_type,
700+
tls_ctx->crypto_send.info.version);
659701

660702
tls_fill_prepend(tls_ctx,
661703
page_address(sg_page(&msg_en->sg.data[i])) +
662-
msg_en->sg.data[i].offset, msg_pl->sg.size,
663-
record_type);
704+
msg_en->sg.data[i].offset,
705+
msg_pl->sg.size + tls_ctx->tx.tail_size,
706+
record_type,
707+
tls_ctx->crypto_send.info.version);
664708

665709
tls_ctx->pending_open_record_frags = false;
666710

667-
rc = tls_do_encryption(sk, tls_ctx, ctx, req, msg_pl->sg.size, i);
711+
rc = tls_do_encryption(sk, tls_ctx, ctx, req,
712+
msg_pl->sg.size + tls_ctx->tx.tail_size, i);
668713
if (rc < 0) {
669714
if (rc != -EINPROGRESS) {
670715
tls_err_abort(sk, EBADMSG);
@@ -1292,7 +1337,8 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
12921337
u8 *aad, *iv, *mem = NULL;
12931338
struct scatterlist *sgin = NULL;
12941339
struct scatterlist *sgout = NULL;
1295-
const int data_len = rxm->full_len - tls_ctx->rx.overhead_size;
1340+
const int data_len = rxm->full_len - tls_ctx->rx.overhead_size +
1341+
tls_ctx->rx.tail_size;
12961342

12971343
if (*zc && (out_iov || out_sg)) {
12981344
if (out_iov)
@@ -1343,12 +1389,20 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
13431389
kfree(mem);
13441390
return err;
13451391
}
1346-
memcpy(iv, tls_ctx->rx.iv, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
1392+
if (tls_ctx->crypto_recv.info.version == TLS_1_3_VERSION)
1393+
memcpy(iv, tls_ctx->rx.iv, crypto_aead_ivsize(ctx->aead_recv));
1394+
else
1395+
memcpy(iv, tls_ctx->rx.iv, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
1396+
1397+
xor_iv_with_seq(tls_ctx->crypto_recv.info.version, iv,
1398+
tls_ctx->rx.rec_seq);
13471399

13481400
/* Prepare AAD */
1349-
tls_make_aad(aad, rxm->full_len - tls_ctx->rx.overhead_size,
1401+
tls_make_aad(aad, rxm->full_len - tls_ctx->rx.overhead_size +
1402+
tls_ctx->rx.tail_size,
13501403
tls_ctx->rx.rec_seq, tls_ctx->rx.rec_seq_size,
1351-
ctx->control);
1404+
ctx->control,
1405+
tls_ctx->crypto_recv.info.version);
13521406

13531407
/* Prepare sgin */
13541408
sg_init_table(sgin, n_sgin);
@@ -1405,6 +1459,7 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb,
14051459
{
14061460
struct tls_context *tls_ctx = tls_get_ctx(sk);
14071461
struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
1462+
int version = tls_ctx->crypto_recv.info.version;
14081463
struct strp_msg *rxm = strp_msg(skb);
14091464
int err = 0;
14101465

@@ -1417,13 +1472,17 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb,
14171472
err = decrypt_internal(sk, skb, dest, NULL, chunk, zc, async);
14181473
if (err < 0) {
14191474
if (err == -EINPROGRESS)
1420-
tls_advance_record_sn(sk, &tls_ctx->rx);
1475+
tls_advance_record_sn(sk, &tls_ctx->rx,
1476+
version);
14211477

14221478
return err;
14231479
}
1480+
1481+
rxm->full_len -= padding_length(ctx, tls_ctx, skb);
1482+
14241483
rxm->offset += tls_ctx->rx.prepend_size;
14251484
rxm->full_len -= tls_ctx->rx.overhead_size;
1426-
tls_advance_record_sn(sk, &tls_ctx->rx);
1485+
tls_advance_record_sn(sk, &tls_ctx->rx, version);
14271486
ctx->decrypted = true;
14281487
ctx->saved_data_ready(sk);
14291488
} else {
@@ -1611,7 +1670,8 @@ int tls_sw_recvmsg(struct sock *sk,
16111670
to_decrypt = rxm->full_len - tls_ctx->rx.overhead_size;
16121671

16131672
if (to_decrypt <= len && !is_kvec && !is_peek &&
1614-
ctx->control == TLS_RECORD_TYPE_DATA)
1673+
ctx->control == TLS_RECORD_TYPE_DATA &&
1674+
tls_ctx->crypto_recv.info.version != TLS_1_3_VERSION)
16151675
zc = true;
16161676

16171677
err = decrypt_skb_update(sk, skb, &msg->msg_iter,
@@ -1835,9 +1895,12 @@ static int tls_read_size(struct strparser *strp, struct sk_buff *skb)
18351895

18361896
data_len = ((header[4] & 0xFF) | (header[3] << 8));
18371897

1838-
cipher_overhead = tls_ctx->rx.tag_size + tls_ctx->rx.iv_size;
1898+
cipher_overhead = tls_ctx->rx.tag_size;
1899+
if (tls_ctx->crypto_recv.info.version != TLS_1_3_VERSION)
1900+
cipher_overhead += tls_ctx->rx.iv_size;
18391901

1840-
if (data_len > TLS_MAX_PAYLOAD_SIZE + cipher_overhead) {
1902+
if (data_len > TLS_MAX_PAYLOAD_SIZE + cipher_overhead +
1903+
tls_ctx->rx.tail_size) {
18411904
ret = -EMSGSIZE;
18421905
goto read_failure;
18431906
}
@@ -1846,12 +1909,12 @@ static int tls_read_size(struct strparser *strp, struct sk_buff *skb)
18461909
goto read_failure;
18471910
}
18481911

1849-
if (header[1] != TLS_VERSION_MINOR(tls_ctx->crypto_recv.info.version) ||
1850-
header[2] != TLS_VERSION_MAJOR(tls_ctx->crypto_recv.info.version)) {
1912+
/* Note that both TLS1.3 and TLS1.2 use TLS_1_2 version here */
1913+
if (header[1] != TLS_1_2_VERSION_MINOR ||
1914+
header[2] != TLS_1_2_VERSION_MAJOR) {
18511915
ret = -EINVAL;
18521916
goto read_failure;
18531917
}
1854-
18551918
#ifdef CONFIG_TLS_DEVICE
18561919
handle_device_resync(strp->sk, TCP_SKB_CB(skb)->seq + rxm->offset,
18571920
*(u64*)tls_ctx->rx.rec_seq);
@@ -2100,10 +2163,19 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx)
21002163
goto free_priv;
21012164
}
21022165

2103-
cctx->aad_size = TLS_AAD_SPACE_SIZE;
2166+
if (crypto_info->version == TLS_1_3_VERSION) {
2167+
nonce_size = 0;
2168+
cctx->aad_size = TLS_HEADER_SIZE;
2169+
cctx->tail_size = 1;
2170+
} else {
2171+
cctx->aad_size = TLS_AAD_SPACE_SIZE;
2172+
cctx->tail_size = 0;
2173+
}
2174+
21042175
cctx->prepend_size = TLS_HEADER_SIZE + nonce_size;
21052176
cctx->tag_size = tag_size;
2106-
cctx->overhead_size = cctx->prepend_size + cctx->tag_size;
2177+
cctx->overhead_size = cctx->prepend_size + cctx->tag_size +
2178+
cctx->tail_size;
21072179
cctx->iv_size = iv_size;
21082180
cctx->iv = kmalloc(iv_size + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
21092181
GFP_KERNEL);

0 commit comments

Comments
 (0)