drivers/net/ovpn/crypto.c

root/drivers/net/ovpn/crypto.c
// SPDX-License-Identifier: GPL-2.0
/*  OpenVPN data channel offload
 *
 *  Copyright (C) 2020-2025 OpenVPN, Inc.
 *
 *  Author:     James Yonan <james@openvpn.net>
 *              Antonio Quartulli <antonio@openvpn.net>
 */

#include <linux/types.h>
#include <linux/net.h>
#include <linux/netdevice.h>
#include <uapi/linux/ovpn.h>

#include "ovpnpriv.h"
#include "main.h"
#include "pktid.h"
#include "crypto_aead.h"
#include "crypto.h"

static void ovpn_ks_destroy_rcu(struct rcu_head *head)
{
        struct ovpn_crypto_key_slot *ks;

        ks = container_of(head, struct ovpn_crypto_key_slot, rcu);
        ovpn_aead_crypto_key_slot_destroy(ks);
}

void ovpn_crypto_key_slot_release(struct kref *kref)
{
        struct ovpn_crypto_key_slot *ks;

        ks = container_of(kref, struct ovpn_crypto_key_slot, refcount);
        call_rcu(&ks->rcu, ovpn_ks_destroy_rcu);
}

/* can only be invoked when all peer references have been dropped (i.e. RCU
 * release routine)
 */
void ovpn_crypto_state_release(struct ovpn_crypto_state *cs)
{
        struct ovpn_crypto_key_slot *ks;

        ks = rcu_access_pointer(cs->slots[0]);
        if (ks) {
                RCU_INIT_POINTER(cs->slots[0], NULL);
                ovpn_crypto_key_slot_put(ks);
        }

        ks = rcu_access_pointer(cs->slots[1]);
        if (ks) {
                RCU_INIT_POINTER(cs->slots[1], NULL);
                ovpn_crypto_key_slot_put(ks);
        }
}

/* removes the key matching the specified id from the crypto context */
bool ovpn_crypto_kill_key(struct ovpn_crypto_state *cs, u8 key_id)
{
        struct ovpn_crypto_key_slot *ks = NULL;

        spin_lock_bh(&cs->lock);
        if (rcu_access_pointer(cs->slots[0])->key_id == key_id) {
                ks = rcu_replace_pointer(cs->slots[0], NULL,
                                         lockdep_is_held(&cs->lock));
        } else if (rcu_access_pointer(cs->slots[1])->key_id == key_id) {
                ks = rcu_replace_pointer(cs->slots[1], NULL,
                                         lockdep_is_held(&cs->lock));
        }
        spin_unlock_bh(&cs->lock);

        if (ks)
                ovpn_crypto_key_slot_put(ks);

        /* let the caller know if a key was actually killed */
        return ks;
}

/* Reset the ovpn_crypto_state object in a way that is atomic
 * to RCU readers.
 */
int ovpn_crypto_state_reset(struct ovpn_crypto_state *cs,
                            const struct ovpn_peer_key_reset *pkr)
{
        struct ovpn_crypto_key_slot *old = NULL, *new;
        u8 idx;

        if (pkr->slot != OVPN_KEY_SLOT_PRIMARY &&
            pkr->slot != OVPN_KEY_SLOT_SECONDARY)
                return -EINVAL;

        new = ovpn_aead_crypto_key_slot_new(&pkr->key);
        if (IS_ERR(new))
                return PTR_ERR(new);

        spin_lock_bh(&cs->lock);
        idx = cs->primary_idx;
        switch (pkr->slot) {
        case OVPN_KEY_SLOT_PRIMARY:
                old = rcu_replace_pointer(cs->slots[idx], new,
                                          lockdep_is_held(&cs->lock));
                break;
        case OVPN_KEY_SLOT_SECONDARY:
                old = rcu_replace_pointer(cs->slots[!idx], new,
                                          lockdep_is_held(&cs->lock));
                break;
        }
        spin_unlock_bh(&cs->lock);

        if (old)
                ovpn_crypto_key_slot_put(old);

        return 0;
}

void ovpn_crypto_key_slot_delete(struct ovpn_crypto_state *cs,
                                 enum ovpn_key_slot slot)
{
        struct ovpn_crypto_key_slot *ks = NULL;
        u8 idx;

        if (slot != OVPN_KEY_SLOT_PRIMARY &&
            slot != OVPN_KEY_SLOT_SECONDARY) {
                pr_warn("Invalid slot to release: %u\n", slot);
                return;
        }

        spin_lock_bh(&cs->lock);
        idx = cs->primary_idx;
        switch (slot) {
        case OVPN_KEY_SLOT_PRIMARY:
                ks = rcu_replace_pointer(cs->slots[idx], NULL,
                                         lockdep_is_held(&cs->lock));
                break;
        case OVPN_KEY_SLOT_SECONDARY:
                ks = rcu_replace_pointer(cs->slots[!idx], NULL,
                                         lockdep_is_held(&cs->lock));
                break;
        }
        spin_unlock_bh(&cs->lock);

        if (!ks) {
                pr_debug("Key slot already released: %u\n", slot);
                return;
        }

        pr_debug("deleting key slot %u, key_id=%u\n", slot, ks->key_id);
        ovpn_crypto_key_slot_put(ks);
}

void ovpn_crypto_key_slots_swap(struct ovpn_crypto_state *cs)
{
        const struct ovpn_crypto_key_slot *old_primary, *old_secondary;
        u8 idx;

        spin_lock_bh(&cs->lock);
        idx = cs->primary_idx;
        old_primary = rcu_dereference_protected(cs->slots[idx],
                                                lockdep_is_held(&cs->lock));
        old_secondary = rcu_dereference_protected(cs->slots[!idx],
                                                  lockdep_is_held(&cs->lock));
        /* perform real swap by switching the index of the primary key */
        WRITE_ONCE(cs->primary_idx, !cs->primary_idx);

        pr_debug("key swapped: (old primary) %d <-> (new primary) %d\n",
                 old_primary ? old_primary->key_id : -1,
                 old_secondary ? old_secondary->key_id : -1);

        spin_unlock_bh(&cs->lock);
}

/**
 * ovpn_crypto_config_get - populate keyconf object with non-sensible key data
 * @cs: the crypto state to extract the key data from
 * @slot: the specific slot to inspect
 * @keyconf: the output object to populate
 *
 * Return: 0 on success or a negative error code otherwise
 */
int ovpn_crypto_config_get(struct ovpn_crypto_state *cs,
                           enum ovpn_key_slot slot,
                           struct ovpn_key_config *keyconf)
{
        struct ovpn_crypto_key_slot *ks;
        int idx;

        switch (slot) {
        case OVPN_KEY_SLOT_PRIMARY:
                idx = cs->primary_idx;
                break;
        case OVPN_KEY_SLOT_SECONDARY:
                idx = !cs->primary_idx;
                break;
        default:
                return -EINVAL;
        }

        rcu_read_lock();
        ks = rcu_dereference(cs->slots[idx]);
        if (!ks) {
                rcu_read_unlock();
                return -ENOENT;
        }

        keyconf->cipher_alg = ovpn_aead_crypto_alg(ks);
        keyconf->key_id = ks->key_id;
        rcu_read_unlock();

        return 0;
}
Linux
