tls: zero the crypto information from tls_context before freeing

[ Upstream commit 86029d10af18381814881d6cce2dd6872163b59f ]

This contains key material in crypto_send_aes_gcm_128 and
crypto_recv_aes_gcm_128.

Introduce union tls_crypto_context, and replace the two identical
unions directly embedded in struct tls_context with it. We can then
use this union to clean up the memory in the new tls_ctx_free()
function.

Fixes: 3c4d7559159b ("tls: kernel TLS support")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/include/net/tls.h b/include/net/tls.h
index 48940a8..86ed3dd 100644 (file)
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -79,11 +79,13 @@ enum {
        TLS_PENDING_CLOSED_RECORD
 };
 
+union tls_crypto_context {
+       struct tls_crypto_info info;
+       struct tls12_crypto_info_aes_gcm_128 aes_gcm_128;
+};
+
 struct tls_context {
-       union {
-               struct tls_crypto_info crypto_send;
-               struct tls12_crypto_info_aes_gcm_128 crypto_send_aes_gcm_128;
-       };
+       union tls_crypto_context crypto_send;
 
        void *priv_ctx;
 
@@ -208,8 +210,8 @@ static inline void tls_fill_prepend(struct tls_context *ctx,
         * size KTLS_DTLS_HEADER_SIZE + KTLS_DTLS_NONCE_EXPLICIT_SIZE
         */
        buf[0] = record_type;
-       buf[1] = TLS_VERSION_MINOR(ctx->crypto_send.version);
-       buf[2] = TLS_VERSION_MAJOR(ctx->crypto_send.version);
+       buf[1] = TLS_VERSION_MINOR(ctx->crypto_send.info.version);
+       buf[2] = TLS_VERSION_MAJOR(ctx->crypto_send.info.version);
        /* we can use IV for nonce explicit according to spec */
        buf[3] = pkt_len >> 8;
        buf[4] = pkt_len & 0xFF;

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 055b999..a66c6a3 100644 (file)
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -218,6 +218,15 @@ static void tls_write_space(struct sock *sk)
        ctx->sk_write_space(sk);
 }
 
+static void tls_ctx_free(struct tls_context *ctx)
+{
+       if (!ctx)
+               return;
+
+       memzero_explicit(&ctx->crypto_send, sizeof(ctx->crypto_send));
+       kfree(ctx);
+}
+
 static void tls_sk_proto_close(struct sock *sk, long timeout)
 {
        struct tls_context *ctx = tls_get_ctx(sk);
@@ -246,7 +255,7 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
        kfree(ctx->iv);
 
        sk_proto_close = ctx->sk_proto_close;
-       kfree(ctx);
+       tls_ctx_free(ctx);
 
        release_sock(sk);
        sk_proto_close(sk, timeout);
@@ -274,7 +283,7 @@ static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
        }
 
        /* get user crypto info */
-       crypto_info = &ctx->crypto_send;
+       crypto_info = &ctx->crypto_send.info;
 
        if (!TLS_CRYPTO_INFO_READY(crypto_info)) {
                rc = -EBUSY;
@@ -371,7 +380,7 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
        }
 
        /* get user crypto info */
-       crypto_info = &ctx->crypto_send;
+       crypto_info = &ctx->crypto_send.info;
 
        /* Currently we don't support set crypto info more than one time */
        if (TLS_CRYPTO_INFO_READY(crypto_info)) {

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 7fd5e04..6ae9ca5 100644 (file)
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -687,7 +687,7 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx)
        ctx->priv_ctx = (struct tls_offload_context *)sw_ctx;
        ctx->free_resources = tls_sw_free_resources;
 
-       crypto_info = &ctx->crypto_send;
+       crypto_info = &ctx->crypto_send.info;
        switch (crypto_info->cipher_type) {
        case TLS_CIPHER_AES_GCM_128: {
                nonce_size = TLS_CIPHER_AES_GCM_128_IV_SIZE;