diff options
| author | Sabrina Dubroca <sd@queasysnail.net> | 2023-08-25 23:35:11 +0200 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2023-08-27 17:17:41 -0700 |
| commit | 037303d6760751fdb95ba62cf448ecbc1ac29c98 (patch) | |
| tree | 65f0a5591fe99e40bbc767a6e5bcc7efce6993ae /net/tls | |
| parent | 200e23165109a173ffde3310dffa5ef5e502d97f (diff) | |
tls: reduce size of tls_cipher_size_desc
tls_cipher_size_desc indexes ciphers by their type, but we're not
using indices 0..50 of the array. Each struct tls_cipher_size_desc is
20B, so that's a lot of unused memory. We can reindex the array
starting at the lowest used cipher_type.
Introduce the get_cipher_size_desc helper to find the right item and
avoid out-of-bounds accesses, and make tls_cipher_size_desc's size
explicit so that gcc reminds us to update TLS_CIPHER_MIN/MAX when we
add a new cipher.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://lore.kernel.org/r/5e054e370e240247a5d37881a1cd93a67c15f4ca.1692977948.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/tls')
| -rw-r--r-- | net/tls/tls.h | 13 | ||||
| -rw-r--r-- | net/tls/tls_device.c | 4 | ||||
| -rw-r--r-- | net/tls/tls_device_fallback.c | 8 | ||||
| -rw-r--r-- | net/tls/tls_main.c | 4 |
4 files changed, 20 insertions, 9 deletions
diff --git a/net/tls/tls.h b/net/tls/tls.h index 7aae92972e00..ea799ef77bf8 100644 --- a/net/tls/tls.h +++ b/net/tls/tls.h @@ -59,7 +59,18 @@ struct tls_cipher_size_desc { unsigned int rec_seq; }; -extern const struct tls_cipher_size_desc tls_cipher_size_desc[]; +#define TLS_CIPHER_MIN TLS_CIPHER_AES_GCM_128 +#define TLS_CIPHER_MAX TLS_CIPHER_ARIA_GCM_256 +extern const struct tls_cipher_size_desc tls_cipher_size_desc[TLS_CIPHER_MAX + 1 - TLS_CIPHER_MIN]; + +static inline const struct tls_cipher_size_desc *get_cipher_size_desc(u16 cipher_type) +{ + if (cipher_type < TLS_CIPHER_MIN || cipher_type > TLS_CIPHER_MAX) + return NULL; + + return &tls_cipher_size_desc[cipher_type - TLS_CIPHER_MIN]; +} + /* TLS records are maintained in 'struct tls_rec'. It stores the memory pages * allocated or mapped for each TLS record. After encryption, the records are diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c index 2392d06845aa..9bc42041c2ce 100644 --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -898,7 +898,7 @@ tls_device_reencrypt(struct sock *sk, struct tls_context *tls_ctx) default: return -EINVAL; } - cipher_sz = &tls_cipher_size_desc[tls_ctx->crypto_recv.info.cipher_type]; + cipher_sz = get_cipher_size_desc(tls_ctx->crypto_recv.info.cipher_type); rxm = strp_msg(tls_strp_msg(sw_ctx)); orig_buf = kmalloc(rxm->full_len + TLS_HEADER_SIZE + cipher_sz->iv, @@ -1094,7 +1094,7 @@ int tls_set_device_offload(struct sock *sk, struct tls_context *ctx) rc = -EINVAL; goto release_netdev; } - cipher_sz = &tls_cipher_size_desc[crypto_info->cipher_type]; + cipher_sz = get_cipher_size_desc(crypto_info->cipher_type); /* Sanity-check the rec_seq_size for stack allocations */ if (cipher_sz->rec_seq > TLS_MAX_REC_SEQ_SIZE) { diff --git a/net/tls/tls_device_fallback.c b/net/tls/tls_device_fallback.c index b28c5e296dfd..dd21fa4961b6 100644 --- a/net/tls/tls_device_fallback.c +++ b/net/tls/tls_device_fallback.c @@ -69,7 +69,7 @@ static int tls_enc_record(struct aead_request *aead_req, default: return -EINVAL; } - cipher_sz = &tls_cipher_size_desc[prot->cipher_type]; + cipher_sz = get_cipher_size_desc(prot->cipher_type); buf_size = TLS_HEADER_SIZE + cipher_sz->iv; len = min_t(int, *in_len, buf_size); @@ -310,7 +310,7 @@ static void fill_sg_out(struct scatterlist sg_out[3], void *buf, void *dummy_buf) { const struct tls_cipher_size_desc *cipher_sz = - &tls_cipher_size_desc[tls_ctx->crypto_send.info.cipher_type]; + get_cipher_size_desc(tls_ctx->crypto_send.info.cipher_type); sg_set_buf(&sg_out[0], dummy_buf, sync_size); sg_set_buf(&sg_out[1], nskb->data + tcp_payload_offset, payload_len); @@ -348,7 +348,7 @@ static struct sk_buff *tls_enc_skb(struct tls_context *tls_ctx, default: goto free_req; } - cipher_sz = &tls_cipher_size_desc[tls_ctx->crypto_send.info.cipher_type]; + cipher_sz = get_cipher_size_desc(tls_ctx->crypto_send.info.cipher_type); buf_len = cipher_sz->salt + cipher_sz->iv + TLS_AAD_SPACE_SIZE + sync_size + cipher_sz->tag; buf = kmalloc(buf_len, GFP_ATOMIC); @@ -495,7 +495,7 @@ int tls_sw_fallback_init(struct sock *sk, rc = -EINVAL; goto free_aead; } - cipher_sz = &tls_cipher_size_desc[crypto_info->cipher_type]; + cipher_sz = get_cipher_size_desc(crypto_info->cipher_type); rc = crypto_aead_setkey(offload_ctx->aead_send, key, cipher_sz->key); if (rc) diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index 9843c2af994f..1bf04636948d 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -58,7 +58,7 @@ enum { TLS_NUM_PROTS, }; -#define CIPHER_SIZE_DESC(cipher) [cipher] = { \ +#define CIPHER_SIZE_DESC(cipher) [cipher - TLS_CIPHER_MIN] = { \ .iv = cipher ## _IV_SIZE, \ .key = cipher ## _KEY_SIZE, \ .salt = cipher ## _SALT_SIZE, \ @@ -66,7 +66,7 @@ enum { .rec_seq = cipher ## _REC_SEQ_SIZE, \ } -const struct tls_cipher_size_desc tls_cipher_size_desc[] = { +const struct tls_cipher_size_desc tls_cipher_size_desc[TLS_CIPHER_MAX + 1 - TLS_CIPHER_MIN] = { CIPHER_SIZE_DESC(TLS_CIPHER_AES_GCM_128), CIPHER_SIZE_DESC(TLS_CIPHER_AES_GCM_256), CIPHER_SIZE_DESC(TLS_CIPHER_AES_CCM_128), |