diff options
-rw-r--r-- | include/net/sctp/auth.h | 112 | ||||
-rw-r--r-- | include/net/sctp/constants.h | 49 | ||||
-rw-r--r-- | include/net/sctp/sctp.h | 1 | ||||
-rw-r--r-- | include/net/sctp/structs.h | 71 | ||||
-rw-r--r-- | net/sctp/Makefile | 3 | ||||
-rw-r--r-- | net/sctp/auth.c | 745 | ||||
-rw-r--r-- | net/sctp/objcnt.c | 2 |
7 files changed, 976 insertions, 7 deletions
diff --git a/include/net/sctp/auth.h b/include/net/sctp/auth.h new file mode 100644 index 000000000000..10c8010552ff --- /dev/null +++ b/include/net/sctp/auth.h | |||
@@ -0,0 +1,112 @@ | |||
1 | /* SCTP kernel reference Implementation | ||
2 | * (C) Copyright 2007 Hewlett-Packard Development Company, L.P. | ||
3 | * | ||
4 | * This file is part of the SCTP kernel reference Implementation | ||
5 | * | ||
6 | * The SCTP reference implementation is free software; | ||
7 | * you can redistribute it and/or modify it under the terms of | ||
8 | * the GNU General Public License as published by | ||
9 | * the Free Software Foundation; either version 2, or (at your option) | ||
10 | * any later version. | ||
11 | * | ||
12 | * The SCTP reference implementation is distributed in the hope that it | ||
13 | * will be useful, but WITHOUT ANY WARRANTY; without even the implied | ||
14 | * ************************ | ||
15 | * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | ||
16 | * See the GNU General Public License for more details. | ||
17 | * | ||
18 | * You should have received a copy of the GNU General Public License | ||
19 | * along with GNU CC; see the file COPYING. If not, write to | ||
20 | * the Free Software Foundation, 59 Temple Place - Suite 330, | ||
21 | * Boston, MA 02111-1307, USA. | ||
22 | * | ||
23 | * Please send any bug reports or fixes you make to the | ||
24 | * email address(es): | ||
25 | * lksctp developers <lksctp-developers@lists.sourceforge.net> | ||
26 | * | ||
27 | * Or submit a bug report through the following website: | ||
28 | * http://www.sf.net/projects/lksctp | ||
29 | * | ||
30 | * Written or modified by: | ||
31 | * Vlad Yasevich <vladislav.yasevich@hp.com> | ||
32 | * | ||
33 | * Any bugs reported given to us we will try to fix... any fixes shared will | ||
34 | * be incorporated into the next SCTP release. | ||
35 | */ | ||
36 | |||
37 | #ifndef __sctp_auth_h__ | ||
38 | #define __sctp_auth_h__ | ||
39 | |||
40 | #include <linux/list.h> | ||
41 | #include <linux/crypto.h> | ||
42 | |||
43 | struct sctp_endpoint; | ||
44 | struct sctp_association; | ||
45 | struct sctp_authkey; | ||
46 | |||
47 | /* | ||
48 | * Define a generic struct that will hold all the info | ||
49 | * necessary for an HMAC transform | ||
50 | */ | ||
51 | struct sctp_hmac { | ||
52 | __u16 hmac_id; /* one of the above ids */ | ||
53 | char *hmac_name; /* name for loading */ | ||
54 | __u16 hmac_len; /* length of the signature */ | ||
55 | }; | ||
56 | |||
57 | /* This is generic structure that containst authentication bytes used | ||
58 | * as keying material. It's a what is referred to as byte-vector all | ||
59 | * over SCTP-AUTH | ||
60 | */ | ||
61 | struct sctp_auth_bytes { | ||
62 | atomic_t refcnt; | ||
63 | __u32 len; | ||
64 | __u8 data[]; | ||
65 | }; | ||
66 | |||
67 | /* Definition for a shared key, weather endpoint or association */ | ||
68 | struct sctp_shared_key { | ||
69 | struct list_head key_list; | ||
70 | __u16 key_id; | ||
71 | struct sctp_auth_bytes *key; | ||
72 | }; | ||
73 | |||
74 | #define key_for_each(__key, __list_head) \ | ||
75 | list_for_each_entry(__key, __list_head, key_list) | ||
76 | |||
77 | #define key_for_each_safe(__key, __tmp, __list_head) \ | ||
78 | list_for_each_entry_safe(__key, __tmp, __list_head, key_list) | ||
79 | |||
80 | static inline void sctp_auth_key_hold(struct sctp_auth_bytes *key) | ||
81 | { | ||
82 | if (!key) | ||
83 | return; | ||
84 | |||
85 | atomic_inc(&key->refcnt); | ||
86 | } | ||
87 | |||
88 | void sctp_auth_key_put(struct sctp_auth_bytes *key); | ||
89 | struct sctp_shared_key *sctp_auth_shkey_create(__u16 key_id, gfp_t gfp); | ||
90 | void sctp_auth_shkey_free(struct sctp_shared_key *sh_key); | ||
91 | void sctp_auth_destroy_keys(struct list_head *keys); | ||
92 | int sctp_auth_asoc_init_active_key(struct sctp_association *asoc, gfp_t gfp); | ||
93 | struct sctp_shared_key *sctp_auth_get_shkey( | ||
94 | const struct sctp_association *asoc, | ||
95 | __u16 key_id); | ||
96 | int sctp_auth_asoc_copy_shkeys(const struct sctp_endpoint *ep, | ||
97 | struct sctp_association *asoc, | ||
98 | gfp_t gfp); | ||
99 | int sctp_auth_init_hmacs(struct sctp_endpoint *ep, gfp_t gfp); | ||
100 | void sctp_auth_destroy_hmacs(struct crypto_hash *auth_hmacs[]); | ||
101 | struct sctp_hmac *sctp_auth_get_hmac(__u16 hmac_id); | ||
102 | struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc); | ||
103 | void sctp_auth_asoc_set_default_hmac(struct sctp_association *asoc, | ||
104 | struct sctp_hmac_algo_param *hmacs); | ||
105 | int sctp_auth_asoc_verify_hmac_id(const struct sctp_association *asoc, | ||
106 | __u16 hmac_id); | ||
107 | int sctp_auth_send_cid(sctp_cid_t chunk, const struct sctp_association *asoc); | ||
108 | int sctp_auth_recv_cid(sctp_cid_t chunk, const struct sctp_association *asoc); | ||
109 | void sctp_auth_calculate_hmac(const struct sctp_association *asoc, | ||
110 | struct sk_buff *skb, | ||
111 | struct sctp_auth_chunk *auth, gfp_t gfp); | ||
112 | #endif | ||
diff --git a/include/net/sctp/constants.h b/include/net/sctp/constants.h index bb37724495a5..777118f06dba 100644 --- a/include/net/sctp/constants.h +++ b/include/net/sctp/constants.h | |||
@@ -64,12 +64,18 @@ enum { SCTP_DEFAULT_INSTREAMS = SCTP_MAX_STREAM }; | |||
64 | #define SCTP_CID_MAX SCTP_CID_ASCONF_ACK | 64 | #define SCTP_CID_MAX SCTP_CID_ASCONF_ACK |
65 | 65 | ||
66 | #define SCTP_NUM_BASE_CHUNK_TYPES (SCTP_CID_BASE_MAX + 1) | 66 | #define SCTP_NUM_BASE_CHUNK_TYPES (SCTP_CID_BASE_MAX + 1) |
67 | #define SCTP_NUM_CHUNK_TYPES (SCTP_NUM_BASE_CHUNKTYPES + 2) | ||
68 | 67 | ||
69 | #define SCTP_NUM_ADDIP_CHUNK_TYPES 2 | 68 | #define SCTP_NUM_ADDIP_CHUNK_TYPES 2 |
70 | 69 | ||
71 | #define SCTP_NUM_PRSCTP_CHUNK_TYPES 1 | 70 | #define SCTP_NUM_PRSCTP_CHUNK_TYPES 1 |
72 | 71 | ||
72 | #define SCTP_NUM_AUTH_CHUNK_TYPES 1 | ||
73 | |||
74 | #define SCTP_NUM_CHUNK_TYPES (SCTP_NUM_BASE_CHUNK_TYPES + \ | ||
75 | SCTP_NUM_ADDIP_CHUNK_TYPES +\ | ||
76 | SCTP_NUM_PRSCTP_CHUNK_TYPES +\ | ||
77 | SCTP_NUM_AUTH_CHUNK_TYPES) | ||
78 | |||
73 | /* These are the different flavours of event. */ | 79 | /* These are the different flavours of event. */ |
74 | typedef enum { | 80 | typedef enum { |
75 | 81 | ||
@@ -409,4 +415,45 @@ typedef enum { | |||
409 | SCTP_LOWER_CWND_INACTIVE, | 415 | SCTP_LOWER_CWND_INACTIVE, |
410 | } sctp_lower_cwnd_t; | 416 | } sctp_lower_cwnd_t; |
411 | 417 | ||
418 | |||
419 | /* SCTP-AUTH Necessary constants */ | ||
420 | |||
421 | /* SCTP-AUTH, Section 3.3 | ||
422 | * | ||
423 | * The following Table 2 shows the currently defined values for HMAC | ||
424 | * identifiers. | ||
425 | * | ||
426 | * +-----------------+--------------------------+ | ||
427 | * | HMAC Identifier | Message Digest Algorithm | | ||
428 | * +-----------------+--------------------------+ | ||
429 | * | 0 | Reserved | | ||
430 | * | 1 | SHA-1 defined in [8] | | ||
431 | * | 2 | Reserved | | ||
432 | * | 3 | SHA-256 defined in [8] | | ||
433 | * +-----------------+--------------------------+ | ||
434 | */ | ||
435 | enum { | ||
436 | SCTP_AUTH_HMAC_ID_RESERVED_0, | ||
437 | SCTP_AUTH_HMAC_ID_SHA1, | ||
438 | SCTP_AUTH_HMAC_ID_RESERVED_2, | ||
439 | SCTP_AUTH_HMAC_ID_SHA256 | ||
440 | }; | ||
441 | |||
442 | #define SCTP_AUTH_HMAC_ID_MAX SCTP_AUTH_HMAC_ID_SHA256 | ||
443 | #define SCTP_AUTH_NUM_HMACS (SCTP_AUTH_HMAC_ID_SHA256 + 1) | ||
444 | #define SCTP_SHA1_SIG_SIZE 20 | ||
445 | #define SCTP_SHA256_SIG_SIZE 32 | ||
446 | |||
447 | /* SCTP-AUTH, Section 3.2 | ||
448 | * The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE and AUTH chunks | ||
449 | * MUST NOT be listed in the CHUNKS parameter | ||
450 | */ | ||
451 | #define SCTP_NUM_NOAUTH_CHUNKS 4 | ||
452 | #define SCTP_AUTH_MAX_CHUNKS (SCTP_NUM_CHUNK_TYPES - SCTP_NUM_NOAUTH_CHUNKS) | ||
453 | |||
454 | /* SCTP-AUTH Section 6.1 | ||
455 | * The RANDOM parameter MUST contain a 32 byte random number. | ||
456 | */ | ||
457 | #define SCTP_AUTH_RANDOM_LENGTH 32 | ||
458 | |||
412 | #endif /* __sctp_constants_h__ */ | 459 | #endif /* __sctp_constants_h__ */ |
diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h index d5a1ddc7483f..119f5a1ed499 100644 --- a/include/net/sctp/sctp.h +++ b/include/net/sctp/sctp.h | |||
@@ -341,6 +341,7 @@ extern atomic_t sctp_dbg_objcnt_bind_bucket; | |||
341 | extern atomic_t sctp_dbg_objcnt_addr; | 341 | extern atomic_t sctp_dbg_objcnt_addr; |
342 | extern atomic_t sctp_dbg_objcnt_ssnmap; | 342 | extern atomic_t sctp_dbg_objcnt_ssnmap; |
343 | extern atomic_t sctp_dbg_objcnt_datamsg; | 343 | extern atomic_t sctp_dbg_objcnt_datamsg; |
344 | extern atomic_t sctp_dbg_objcnt_keys; | ||
344 | 345 | ||
345 | /* Macros to atomically increment/decrement objcnt counters. */ | 346 | /* Macros to atomically increment/decrement objcnt counters. */ |
346 | #define SCTP_DBG_OBJCNT_INC(name) \ | 347 | #define SCTP_DBG_OBJCNT_INC(name) \ |
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h index b4812a2d3bb0..18b06afacea0 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h | |||
@@ -64,6 +64,7 @@ | |||
64 | #include <linux/skbuff.h> /* We need sk_buff_head. */ | 64 | #include <linux/skbuff.h> /* We need sk_buff_head. */ |
65 | #include <linux/workqueue.h> /* We need tq_struct. */ | 65 | #include <linux/workqueue.h> /* We need tq_struct. */ |
66 | #include <linux/sctp.h> /* We need sctp* header structs. */ | 66 | #include <linux/sctp.h> /* We need sctp* header structs. */ |
67 | #include <net/sctp/auth.h> /* We need auth specific structs */ | ||
67 | 68 | ||
68 | /* A convenience structure for handling sockaddr structures. | 69 | /* A convenience structure for handling sockaddr structures. |
69 | * We should wean ourselves off this. | 70 | * We should wean ourselves off this. |
@@ -216,6 +217,9 @@ extern struct sctp_globals { | |||
216 | 217 | ||
217 | /* Flag to indicate if PR-SCTP is enabled. */ | 218 | /* Flag to indicate if PR-SCTP is enabled. */ |
218 | int prsctp_enable; | 219 | int prsctp_enable; |
220 | |||
221 | /* Flag to idicate if SCTP-AUTH is enabled */ | ||
222 | int auth_enable; | ||
219 | } sctp_globals; | 223 | } sctp_globals; |
220 | 224 | ||
221 | #define sctp_rto_initial (sctp_globals.rto_initial) | 225 | #define sctp_rto_initial (sctp_globals.rto_initial) |
@@ -248,6 +252,7 @@ extern struct sctp_globals { | |||
248 | #define sctp_local_addr_lock (sctp_globals.addr_list_lock) | 252 | #define sctp_local_addr_lock (sctp_globals.addr_list_lock) |
249 | #define sctp_addip_enable (sctp_globals.addip_enable) | 253 | #define sctp_addip_enable (sctp_globals.addip_enable) |
250 | #define sctp_prsctp_enable (sctp_globals.prsctp_enable) | 254 | #define sctp_prsctp_enable (sctp_globals.prsctp_enable) |
255 | #define sctp_auth_enable (sctp_globals.auth_enable) | ||
251 | 256 | ||
252 | /* SCTP Socket type: UDP or TCP style. */ | 257 | /* SCTP Socket type: UDP or TCP style. */ |
253 | typedef enum { | 258 | typedef enum { |
@@ -397,6 +402,9 @@ struct sctp_cookie { | |||
397 | 402 | ||
398 | __u32 adaptation_ind; | 403 | __u32 adaptation_ind; |
399 | 404 | ||
405 | __u8 auth_random[sizeof(sctp_paramhdr_t) + SCTP_AUTH_RANDOM_LENGTH]; | ||
406 | __u8 auth_hmacs[SCTP_AUTH_NUM_HMACS + 2]; | ||
407 | __u8 auth_chunks[sizeof(sctp_paramhdr_t) + SCTP_AUTH_MAX_CHUNKS]; | ||
400 | 408 | ||
401 | /* This is a shim for my peer's INIT packet, followed by | 409 | /* This is a shim for my peer's INIT packet, followed by |
402 | * a copy of the raw address list of the association. | 410 | * a copy of the raw address list of the association. |
@@ -441,6 +449,9 @@ union sctp_params { | |||
441 | union sctp_addr_param *addr; | 449 | union sctp_addr_param *addr; |
442 | struct sctp_adaptation_ind_param *aind; | 450 | struct sctp_adaptation_ind_param *aind; |
443 | struct sctp_supported_ext_param *ext; | 451 | struct sctp_supported_ext_param *ext; |
452 | struct sctp_random_param *random; | ||
453 | struct sctp_chunks_param *chunks; | ||
454 | struct sctp_hmac_algo_param *hmac_algo; | ||
444 | }; | 455 | }; |
445 | 456 | ||
446 | /* RFC 2960. Section 3.3.5 Heartbeat. | 457 | /* RFC 2960. Section 3.3.5 Heartbeat. |
@@ -679,6 +690,7 @@ struct sctp_chunk { | |||
679 | struct sctp_errhdr *err_hdr; | 690 | struct sctp_errhdr *err_hdr; |
680 | struct sctp_addiphdr *addip_hdr; | 691 | struct sctp_addiphdr *addip_hdr; |
681 | struct sctp_fwdtsn_hdr *fwdtsn_hdr; | 692 | struct sctp_fwdtsn_hdr *fwdtsn_hdr; |
693 | struct sctp_authhdr *auth_hdr; | ||
682 | } subh; | 694 | } subh; |
683 | 695 | ||
684 | __u8 *chunk_end; | 696 | __u8 *chunk_end; |
@@ -724,6 +736,7 @@ struct sctp_chunk { | |||
724 | __s8 fast_retransmit; /* Is this chunk fast retransmitted? */ | 736 | __s8 fast_retransmit; /* Is this chunk fast retransmitted? */ |
725 | __u8 tsn_missing_report; /* Data chunk missing counter. */ | 737 | __u8 tsn_missing_report; /* Data chunk missing counter. */ |
726 | __u8 data_accepted; /* At least 1 chunk in this packet accepted */ | 738 | __u8 data_accepted; /* At least 1 chunk in this packet accepted */ |
739 | __u8 auth; /* IN: was auth'ed | OUT: needs auth */ | ||
727 | }; | 740 | }; |
728 | 741 | ||
729 | void sctp_chunk_hold(struct sctp_chunk *); | 742 | void sctp_chunk_hold(struct sctp_chunk *); |
@@ -773,16 +786,22 @@ struct sctp_packet { | |||
773 | */ | 786 | */ |
774 | struct sctp_transport *transport; | 787 | struct sctp_transport *transport; |
775 | 788 | ||
789 | /* pointer to the auth chunk for this packet */ | ||
790 | struct sctp_chunk *auth; | ||
791 | |||
776 | /* This packet contains a COOKIE-ECHO chunk. */ | 792 | /* This packet contains a COOKIE-ECHO chunk. */ |
777 | char has_cookie_echo; | 793 | __u8 has_cookie_echo; |
794 | |||
795 | /* This packet contains a SACK chunk. */ | ||
796 | __u8 has_sack; | ||
778 | 797 | ||
779 | /* This packet containsa SACK chunk. */ | 798 | /* This packet contains an AUTH chunk */ |
780 | char has_sack; | 799 | __u8 has_auth; |
781 | 800 | ||
782 | /* SCTP cannot fragment this packet. So let ip fragment it. */ | 801 | /* SCTP cannot fragment this packet. So let ip fragment it. */ |
783 | char ipfragok; | 802 | __u8 ipfragok; |
784 | 803 | ||
785 | int malloced; | 804 | __u8 malloced; |
786 | }; | 805 | }; |
787 | 806 | ||
788 | struct sctp_packet *sctp_packet_init(struct sctp_packet *, | 807 | struct sctp_packet *sctp_packet_init(struct sctp_packet *, |
@@ -1291,6 +1310,21 @@ struct sctp_endpoint { | |||
1291 | 1310 | ||
1292 | /* rcvbuf acct. policy. */ | 1311 | /* rcvbuf acct. policy. */ |
1293 | __u32 rcvbuf_policy; | 1312 | __u32 rcvbuf_policy; |
1313 | |||
1314 | /* SCTP AUTH: array of the HMACs that will be allocated | ||
1315 | * we need this per association so that we don't serialize | ||
1316 | */ | ||
1317 | struct crypto_hash **auth_hmacs; | ||
1318 | |||
1319 | /* SCTP-AUTH: hmacs for the endpoint encoded into parameter */ | ||
1320 | struct sctp_hmac_algo_param *auth_hmacs_list; | ||
1321 | |||
1322 | /* SCTP-AUTH: chunks to authenticate encoded into parameter */ | ||
1323 | struct sctp_chunks_param *auth_chunk_list; | ||
1324 | |||
1325 | /* SCTP-AUTH: endpoint shared keys */ | ||
1326 | struct list_head endpoint_shared_keys; | ||
1327 | __u16 active_key_id; | ||
1294 | }; | 1328 | }; |
1295 | 1329 | ||
1296 | /* Recover the outter endpoint structure. */ | 1330 | /* Recover the outter endpoint structure. */ |
@@ -1497,6 +1531,7 @@ struct sctp_association { | |||
1497 | __u8 hostname_address;/* Peer understands DNS addresses? */ | 1531 | __u8 hostname_address;/* Peer understands DNS addresses? */ |
1498 | __u8 asconf_capable; /* Does peer support ADDIP? */ | 1532 | __u8 asconf_capable; /* Does peer support ADDIP? */ |
1499 | __u8 prsctp_capable; /* Can peer do PR-SCTP? */ | 1533 | __u8 prsctp_capable; /* Can peer do PR-SCTP? */ |
1534 | __u8 auth_capable; /* Is peer doing SCTP-AUTH? */ | ||
1500 | 1535 | ||
1501 | __u32 adaptation_ind; /* Adaptation Code point. */ | 1536 | __u32 adaptation_ind; /* Adaptation Code point. */ |
1502 | 1537 | ||
@@ -1514,6 +1549,14 @@ struct sctp_association { | |||
1514 | * Initial TSN Value minus 1 | 1549 | * Initial TSN Value minus 1 |
1515 | */ | 1550 | */ |
1516 | __u32 addip_serial; | 1551 | __u32 addip_serial; |
1552 | |||
1553 | /* SCTP-AUTH: We need to know pears random number, hmac list | ||
1554 | * and authenticated chunk list. All that is part of the | ||
1555 | * cookie and these are just pointers to those locations | ||
1556 | */ | ||
1557 | sctp_random_param_t *peer_random; | ||
1558 | sctp_chunks_param_t *peer_chunks; | ||
1559 | sctp_hmac_algo_param_t *peer_hmacs; | ||
1517 | } peer; | 1560 | } peer; |
1518 | 1561 | ||
1519 | /* State : A state variable indicating what state the | 1562 | /* State : A state variable indicating what state the |
@@ -1797,6 +1840,24 @@ struct sctp_association { | |||
1797 | */ | 1840 | */ |
1798 | __u32 addip_serial; | 1841 | __u32 addip_serial; |
1799 | 1842 | ||
1843 | /* SCTP AUTH: list of the endpoint shared keys. These | ||
1844 | * keys are provided out of band by the user applicaton | ||
1845 | * and can't change during the lifetime of the association | ||
1846 | */ | ||
1847 | struct list_head endpoint_shared_keys; | ||
1848 | |||
1849 | /* SCTP AUTH: | ||
1850 | * The current generated assocaition shared key (secret) | ||
1851 | */ | ||
1852 | struct sctp_auth_bytes *asoc_shared_key; | ||
1853 | |||
1854 | /* SCTP AUTH: hmac id of the first peer requested algorithm | ||
1855 | * that we support. | ||
1856 | */ | ||
1857 | __u16 default_hmac_id; | ||
1858 | |||
1859 | __u16 active_key_id; | ||
1860 | |||
1800 | /* Need to send an ECNE Chunk? */ | 1861 | /* Need to send an ECNE Chunk? */ |
1801 | char need_ecne; | 1862 | char need_ecne; |
1802 | 1863 | ||
diff --git a/net/sctp/Makefile b/net/sctp/Makefile index 70c828bbe444..1da7204d9b42 100644 --- a/net/sctp/Makefile +++ b/net/sctp/Makefile | |||
@@ -9,7 +9,8 @@ sctp-y := sm_statetable.o sm_statefuns.o sm_sideeffect.o \ | |||
9 | transport.o chunk.o sm_make_chunk.o ulpevent.o \ | 9 | transport.o chunk.o sm_make_chunk.o ulpevent.o \ |
10 | inqueue.o outqueue.o ulpqueue.o command.o \ | 10 | inqueue.o outqueue.o ulpqueue.o command.o \ |
11 | tsnmap.o bind_addr.o socket.o primitive.o \ | 11 | tsnmap.o bind_addr.o socket.o primitive.o \ |
12 | output.o input.o debug.o ssnmap.o proc.o crc32c.o | 12 | output.o input.o debug.o ssnmap.o proc.o crc32c.o \ |
13 | auth.o | ||
13 | 14 | ||
14 | sctp-$(CONFIG_SCTP_DBG_OBJCNT) += objcnt.o | 15 | sctp-$(CONFIG_SCTP_DBG_OBJCNT) += objcnt.o |
15 | sctp-$(CONFIG_SYSCTL) += sysctl.o | 16 | sctp-$(CONFIG_SYSCTL) += sysctl.o |
diff --git a/net/sctp/auth.c b/net/sctp/auth.c new file mode 100644 index 000000000000..2a29409a38d9 --- /dev/null +++ b/net/sctp/auth.c | |||
@@ -0,0 +1,745 @@ | |||
1 | /* SCTP kernel reference Implementation | ||
2 | * (C) Copyright 2007 Hewlett-Packard Development Company, L.P. | ||
3 | * | ||
4 | * This file is part of the SCTP kernel reference Implementation | ||
5 | * | ||
6 | * The SCTP reference implementation is free software; | ||
7 | * you can redistribute it and/or modify it under the terms of | ||
8 | * the GNU General Public License as published by | ||
9 | * the Free Software Foundation; either version 2, or (at your option) | ||
10 | * any later version. | ||
11 | * | ||
12 | * The SCTP reference implementation is distributed in the hope that it | ||
13 | * will be useful, but WITHOUT ANY WARRANTY; without even the implied | ||
14 | * ************************ | ||
15 | * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | ||
16 | * See the GNU General Public License for more details. | ||
17 | * | ||
18 | * You should have received a copy of the GNU General Public License | ||
19 | * along with GNU CC; see the file COPYING. If not, write to | ||
20 | * the Free Software Foundation, 59 Temple Place - Suite 330, | ||
21 | * Boston, MA 02111-1307, USA. | ||
22 | * | ||
23 | * Please send any bug reports or fixes you make to the | ||
24 | * email address(es): | ||
25 | * lksctp developers <lksctp-developers@lists.sourceforge.net> | ||
26 | * | ||
27 | * Or submit a bug report through the following website: | ||
28 | * http://www.sf.net/projects/lksctp | ||
29 | * | ||
30 | * Written or modified by: | ||
31 | * Vlad Yasevich <vladislav.yasevich@hp.com> | ||
32 | * | ||
33 | * Any bugs reported given to us we will try to fix... any fixes shared will | ||
34 | * be incorporated into the next SCTP release. | ||
35 | */ | ||
36 | |||
37 | #include <linux/types.h> | ||
38 | #include <linux/crypto.h> | ||
39 | #include <linux/scatterlist.h> | ||
40 | #include <net/sctp/sctp.h> | ||
41 | #include <net/sctp/auth.h> | ||
42 | |||
43 | static struct sctp_hmac sctp_hmac_list[SCTP_AUTH_NUM_HMACS] = { | ||
44 | { | ||
45 | /* id 0 is reserved. as all 0 */ | ||
46 | .hmac_id = SCTP_AUTH_HMAC_ID_RESERVED_0, | ||
47 | }, | ||
48 | { | ||
49 | .hmac_id = SCTP_AUTH_HMAC_ID_SHA1, | ||
50 | .hmac_name="hmac(sha1)", | ||
51 | .hmac_len = SCTP_SHA1_SIG_SIZE, | ||
52 | }, | ||
53 | { | ||
54 | /* id 2 is reserved as well */ | ||
55 | .hmac_id = SCTP_AUTH_HMAC_ID_RESERVED_2, | ||
56 | }, | ||
57 | { | ||
58 | .hmac_id = SCTP_AUTH_HMAC_ID_SHA256, | ||
59 | .hmac_name="hmac(sha256)", | ||
60 | .hmac_len = SCTP_SHA256_SIG_SIZE, | ||
61 | } | ||
62 | }; | ||
63 | |||
64 | |||
65 | void sctp_auth_key_put(struct sctp_auth_bytes *key) | ||
66 | { | ||
67 | if (!key) | ||
68 | return; | ||
69 | |||
70 | if (atomic_dec_and_test(&key->refcnt)) { | ||
71 | kfree(key); | ||
72 | SCTP_DBG_OBJCNT_DEC(keys); | ||
73 | } | ||
74 | } | ||
75 | |||
76 | /* Create a new key structure of a given length */ | ||
77 | static struct sctp_auth_bytes *sctp_auth_create_key(__u32 key_len, gfp_t gfp) | ||
78 | { | ||
79 | struct sctp_auth_bytes *key; | ||
80 | |||
81 | /* Allocate the shared key */ | ||
82 | key = kmalloc(sizeof(struct sctp_auth_bytes) + key_len, gfp); | ||
83 | if (!key) | ||
84 | return NULL; | ||
85 | |||
86 | key->len = key_len; | ||
87 | atomic_set(&key->refcnt, 1); | ||
88 | SCTP_DBG_OBJCNT_INC(keys); | ||
89 | |||
90 | return key; | ||
91 | } | ||
92 | |||
93 | /* Create a new shared key container with a give key id */ | ||
94 | struct sctp_shared_key *sctp_auth_shkey_create(__u16 key_id, gfp_t gfp) | ||
95 | { | ||
96 | struct sctp_shared_key *new; | ||
97 | |||
98 | /* Allocate the shared key container */ | ||
99 | new = kzalloc(sizeof(struct sctp_shared_key), gfp); | ||
100 | if (!new) | ||
101 | return NULL; | ||
102 | |||
103 | INIT_LIST_HEAD(&new->key_list); | ||
104 | new->key_id = key_id; | ||
105 | |||
106 | return new; | ||
107 | } | ||
108 | |||
109 | /* Free the shared key stucture */ | ||
110 | void sctp_auth_shkey_free(struct sctp_shared_key *sh_key) | ||
111 | { | ||
112 | BUG_ON(!list_empty(&sh_key->key_list)); | ||
113 | sctp_auth_key_put(sh_key->key); | ||
114 | sh_key->key = NULL; | ||
115 | kfree(sh_key); | ||
116 | } | ||
117 | |||
118 | /* Destory the entire key list. This is done during the | ||
119 | * associon and endpoint free process. | ||
120 | */ | ||
121 | void sctp_auth_destroy_keys(struct list_head *keys) | ||
122 | { | ||
123 | struct sctp_shared_key *ep_key; | ||
124 | struct sctp_shared_key *tmp; | ||
125 | |||
126 | if (list_empty(keys)) | ||
127 | return; | ||
128 | |||
129 | key_for_each_safe(ep_key, tmp, keys) { | ||
130 | list_del_init(&ep_key->key_list); | ||
131 | sctp_auth_shkey_free(ep_key); | ||
132 | } | ||
133 | } | ||
134 | |||
135 | /* Compare two byte vectors as numbers. Return values | ||
136 | * are: | ||
137 | * 0 - vectors are equal | ||
138 | * < 0 - vector 1 is smaller then vector2 | ||
139 | * > 0 - vector 1 is greater then vector2 | ||
140 | * | ||
141 | * Algorithm is: | ||
142 | * This is performed by selecting the numerically smaller key vector... | ||
143 | * If the key vectors are equal as numbers but differ in length ... | ||
144 | * the shorter vector is considered smaller | ||
145 | * | ||
146 | * Examples (with small values): | ||
147 | * 000123456789 > 123456789 (first number is longer) | ||
148 | * 000123456789 < 234567891 (second number is larger numerically) | ||
149 | * 123456789 > 2345678 (first number is both larger & longer) | ||
150 | */ | ||
151 | static int sctp_auth_compare_vectors(struct sctp_auth_bytes *vector1, | ||
152 | struct sctp_auth_bytes *vector2) | ||
153 | { | ||
154 | int diff; | ||
155 | int i; | ||
156 | const __u8 *longer; | ||
157 | |||
158 | diff = vector1->len - vector2->len; | ||
159 | if (diff) { | ||
160 | longer = (diff > 0) ? vector1->data : vector2->data; | ||
161 | |||
162 | /* Check to see if the longer number is | ||
163 | * lead-zero padded. If it is not, it | ||
164 | * is automatically larger numerically. | ||
165 | */ | ||
166 | for (i = 0; i < abs(diff); i++ ) { | ||
167 | if (longer[i] != 0) | ||
168 | return diff; | ||
169 | } | ||
170 | } | ||
171 | |||
172 | /* lengths are the same, compare numbers */ | ||
173 | return memcmp(vector1->data, vector2->data, vector1->len); | ||
174 | } | ||
175 | |||
176 | /* | ||
177 | * Create a key vector as described in SCTP-AUTH, Section 6.1 | ||
178 | * The RANDOM parameter, the CHUNKS parameter and the HMAC-ALGO | ||
179 | * parameter sent by each endpoint are concatenated as byte vectors. | ||
180 | * These parameters include the parameter type, parameter length, and | ||
181 | * the parameter value, but padding is omitted; all padding MUST be | ||
182 | * removed from this concatenation before proceeding with further | ||
183 | * computation of keys. Parameters which were not sent are simply | ||
184 | * omitted from the concatenation process. The resulting two vectors | ||
185 | * are called the two key vectors. | ||
186 | */ | ||
187 | static struct sctp_auth_bytes *sctp_auth_make_key_vector( | ||
188 | sctp_random_param_t *random, | ||
189 | sctp_chunks_param_t *chunks, | ||
190 | sctp_hmac_algo_param_t *hmacs, | ||
191 | gfp_t gfp) | ||
192 | { | ||
193 | struct sctp_auth_bytes *new; | ||
194 | __u32 len; | ||
195 | __u32 offset = 0; | ||
196 | |||
197 | len = ntohs(random->param_hdr.length) + ntohs(hmacs->param_hdr.length); | ||
198 | if (chunks) | ||
199 | len += ntohs(chunks->param_hdr.length); | ||
200 | |||
201 | new = kmalloc(sizeof(struct sctp_auth_bytes) + len, gfp); | ||
202 | if (!new) | ||
203 | return NULL; | ||
204 | |||
205 | new->len = len; | ||
206 | |||
207 | memcpy(new->data, random, ntohs(random->param_hdr.length)); | ||
208 | offset += ntohs(random->param_hdr.length); | ||
209 | |||
210 | if (chunks) { | ||
211 | memcpy(new->data + offset, chunks, | ||
212 | ntohs(chunks->param_hdr.length)); | ||
213 | offset += ntohs(chunks->param_hdr.length); | ||
214 | } | ||
215 | |||
216 | memcpy(new->data + offset, hmacs, ntohs(hmacs->param_hdr.length)); | ||
217 | |||
218 | return new; | ||
219 | } | ||
220 | |||
221 | |||
222 | /* Make a key vector based on our local parameters */ | ||
223 | struct sctp_auth_bytes *sctp_auth_make_local_vector( | ||
224 | const struct sctp_association *asoc, | ||
225 | gfp_t gfp) | ||
226 | { | ||
227 | return sctp_auth_make_key_vector( | ||
228 | (sctp_random_param_t*)asoc->c.auth_random, | ||
229 | (sctp_chunks_param_t*)asoc->c.auth_chunks, | ||
230 | (sctp_hmac_algo_param_t*)asoc->c.auth_hmacs, | ||
231 | gfp); | ||
232 | } | ||
233 | |||
234 | /* Make a key vector based on peer's parameters */ | ||
235 | struct sctp_auth_bytes *sctp_auth_make_peer_vector( | ||
236 | const struct sctp_association *asoc, | ||
237 | gfp_t gfp) | ||
238 | { | ||
239 | return sctp_auth_make_key_vector(asoc->peer.peer_random, | ||
240 | asoc->peer.peer_chunks, | ||
241 | asoc->peer.peer_hmacs, | ||
242 | gfp); | ||
243 | } | ||
244 | |||
245 | |||
246 | /* Set the value of the association shared key base on the parameters | ||
247 | * given. The algorithm is: | ||
248 | * From the endpoint pair shared keys and the key vectors the | ||
249 | * association shared keys are computed. This is performed by selecting | ||
250 | * the numerically smaller key vector and concatenating it to the | ||
251 | * endpoint pair shared key, and then concatenating the numerically | ||
252 | * larger key vector to that. The result of the concatenation is the | ||
253 | * association shared key. | ||
254 | */ | ||
255 | static struct sctp_auth_bytes *sctp_auth_asoc_set_secret( | ||
256 | struct sctp_shared_key *ep_key, | ||
257 | struct sctp_auth_bytes *first_vector, | ||
258 | struct sctp_auth_bytes *last_vector, | ||
259 | gfp_t gfp) | ||
260 | { | ||
261 | struct sctp_auth_bytes *secret; | ||
262 | __u32 offset = 0; | ||
263 | __u32 auth_len; | ||
264 | |||
265 | auth_len = first_vector->len + last_vector->len; | ||
266 | if (ep_key->key) | ||
267 | auth_len += ep_key->key->len; | ||
268 | |||
269 | secret = sctp_auth_create_key(auth_len, gfp); | ||
270 | if (!secret) | ||
271 | return NULL; | ||
272 | |||
273 | if (ep_key->key) { | ||
274 | memcpy(secret->data, ep_key->key->data, ep_key->key->len); | ||
275 | offset += ep_key->key->len; | ||
276 | } | ||
277 | |||
278 | memcpy(secret->data + offset, first_vector->data, first_vector->len); | ||
279 | offset += first_vector->len; | ||
280 | |||
281 | memcpy(secret->data + offset, last_vector->data, last_vector->len); | ||
282 | |||
283 | return secret; | ||
284 | } | ||
285 | |||
286 | /* Create an association shared key. Follow the algorithm | ||
287 | * described in SCTP-AUTH, Section 6.1 | ||
288 | */ | ||
289 | static struct sctp_auth_bytes *sctp_auth_asoc_create_secret( | ||
290 | const struct sctp_association *asoc, | ||
291 | struct sctp_shared_key *ep_key, | ||
292 | gfp_t gfp) | ||
293 | { | ||
294 | struct sctp_auth_bytes *local_key_vector; | ||
295 | struct sctp_auth_bytes *peer_key_vector; | ||
296 | struct sctp_auth_bytes *first_vector, | ||
297 | *last_vector; | ||
298 | struct sctp_auth_bytes *secret = NULL; | ||
299 | int cmp; | ||
300 | |||
301 | |||
302 | /* Now we need to build the key vectors | ||
303 | * SCTP-AUTH , Section 6.1 | ||
304 | * The RANDOM parameter, the CHUNKS parameter and the HMAC-ALGO | ||
305 | * parameter sent by each endpoint are concatenated as byte vectors. | ||
306 | * These parameters include the parameter type, parameter length, and | ||
307 | * the parameter value, but padding is omitted; all padding MUST be | ||
308 | * removed from this concatenation before proceeding with further | ||
309 | * computation of keys. Parameters which were not sent are simply | ||
310 | * omitted from the concatenation process. The resulting two vectors | ||
311 | * are called the two key vectors. | ||
312 | */ | ||
313 | |||
314 | local_key_vector = sctp_auth_make_local_vector(asoc, gfp); | ||
315 | peer_key_vector = sctp_auth_make_peer_vector(asoc, gfp); | ||
316 | |||
317 | if (!peer_key_vector || !local_key_vector) | ||
318 | goto out; | ||
319 | |||
320 | /* Figure out the order in wich the key_vectors will be | ||
321 | * added to the endpoint shared key. | ||
322 | * SCTP-AUTH, Section 6.1: | ||
323 | * This is performed by selecting the numerically smaller key | ||
324 | * vector and concatenating it to the endpoint pair shared | ||
325 | * key, and then concatenating the numerically larger key | ||
326 | * vector to that. If the key vectors are equal as numbers | ||
327 | * but differ in length, then the concatenation order is the | ||
328 | * endpoint shared key, followed by the shorter key vector, | ||
329 | * followed by the longer key vector. Otherwise, the key | ||
330 | * vectors are identical, and may be concatenated to the | ||
331 | * endpoint pair key in any order. | ||
332 | */ | ||
333 | cmp = sctp_auth_compare_vectors(local_key_vector, | ||
334 | peer_key_vector); | ||
335 | if (cmp < 0) { | ||
336 | first_vector = local_key_vector; | ||
337 | last_vector = peer_key_vector; | ||
338 | } else { | ||
339 | first_vector = peer_key_vector; | ||
340 | last_vector = local_key_vector; | ||
341 | } | ||
342 | |||
343 | secret = sctp_auth_asoc_set_secret(ep_key, first_vector, last_vector, | ||
344 | gfp); | ||
345 | out: | ||
346 | kfree(local_key_vector); | ||
347 | kfree(peer_key_vector); | ||
348 | |||
349 | return secret; | ||
350 | } | ||
351 | |||
352 | /* | ||
353 | * Populate the association overlay list with the list | ||
354 | * from the endpoint. | ||
355 | */ | ||
356 | int sctp_auth_asoc_copy_shkeys(const struct sctp_endpoint *ep, | ||
357 | struct sctp_association *asoc, | ||
358 | gfp_t gfp) | ||
359 | { | ||
360 | struct sctp_shared_key *sh_key; | ||
361 | struct sctp_shared_key *new; | ||
362 | |||
363 | BUG_ON(!list_empty(&asoc->endpoint_shared_keys)); | ||
364 | |||
365 | key_for_each(sh_key, &ep->endpoint_shared_keys) { | ||
366 | new = sctp_auth_shkey_create(sh_key->key_id, gfp); | ||
367 | if (!new) | ||
368 | goto nomem; | ||
369 | |||
370 | new->key = sh_key->key; | ||
371 | sctp_auth_key_hold(new->key); | ||
372 | list_add(&new->key_list, &asoc->endpoint_shared_keys); | ||
373 | } | ||
374 | |||
375 | return 0; | ||
376 | |||
377 | nomem: | ||
378 | sctp_auth_destroy_keys(&asoc->endpoint_shared_keys); | ||
379 | return -ENOMEM; | ||
380 | } | ||
381 | |||
382 | |||
383 | /* Public interface to creat the association shared key. | ||
384 | * See code above for the algorithm. | ||
385 | */ | ||
386 | int sctp_auth_asoc_init_active_key(struct sctp_association *asoc, gfp_t gfp) | ||
387 | { | ||
388 | struct sctp_auth_bytes *secret; | ||
389 | struct sctp_shared_key *ep_key; | ||
390 | |||
391 | /* If we don't support AUTH, or peer is not capable | ||
392 | * we don't need to do anything. | ||
393 | */ | ||
394 | if (!sctp_auth_enable || !asoc->peer.auth_capable) | ||
395 | return 0; | ||
396 | |||
397 | /* If the key_id is non-zero and we couldn't find an | ||
398 | * endpoint pair shared key, we can't compute the | ||
399 | * secret. | ||
400 | * For key_id 0, endpoint pair shared key is a NULL key. | ||
401 | */ | ||
402 | ep_key = sctp_auth_get_shkey(asoc, asoc->active_key_id); | ||
403 | BUG_ON(!ep_key); | ||
404 | |||
405 | secret = sctp_auth_asoc_create_secret(asoc, ep_key, gfp); | ||
406 | if (!secret) | ||
407 | return -ENOMEM; | ||
408 | |||
409 | sctp_auth_key_put(asoc->asoc_shared_key); | ||
410 | asoc->asoc_shared_key = secret; | ||
411 | |||
412 | return 0; | ||
413 | } | ||
414 | |||
415 | |||
416 | /* Find the endpoint pair shared key based on the key_id */ | ||
417 | struct sctp_shared_key *sctp_auth_get_shkey( | ||
418 | const struct sctp_association *asoc, | ||
419 | __u16 key_id) | ||
420 | { | ||
421 | struct sctp_shared_key *key = NULL; | ||
422 | |||
423 | /* First search associations set of endpoint pair shared keys */ | ||
424 | key_for_each(key, &asoc->endpoint_shared_keys) { | ||
425 | if (key->key_id == key_id) | ||
426 | break; | ||
427 | } | ||
428 | |||
429 | return key; | ||
430 | } | ||
431 | |||
432 | /* | ||
433 | * Initialize all the possible digest transforms that we can use. Right now | ||
434 | * now, the supported digests are SHA1 and SHA256. We do this here once | ||
435 | * because of the restrictiong that transforms may only be allocated in | ||
436 | * user context. This forces us to pre-allocated all possible transforms | ||
437 | * at the endpoint init time. | ||
438 | */ | ||
439 | int sctp_auth_init_hmacs(struct sctp_endpoint *ep, gfp_t gfp) | ||
440 | { | ||
441 | struct crypto_hash *tfm = NULL; | ||
442 | __u16 id; | ||
443 | |||
444 | /* if the transforms are already allocted, we are done */ | ||
445 | if (!sctp_auth_enable) { | ||
446 | ep->auth_hmacs = NULL; | ||
447 | return 0; | ||
448 | } | ||
449 | |||
450 | if (ep->auth_hmacs) | ||
451 | return 0; | ||
452 | |||
453 | /* Allocated the array of pointers to transorms */ | ||
454 | ep->auth_hmacs = kzalloc( | ||
455 | sizeof(struct crypto_hash *) * SCTP_AUTH_NUM_HMACS, | ||
456 | gfp); | ||
457 | if (!ep->auth_hmacs) | ||
458 | return -ENOMEM; | ||
459 | |||
460 | for (id = 0; id < SCTP_AUTH_NUM_HMACS; id++) { | ||
461 | |||
462 | /* See is we support the id. Supported IDs have name and | ||
463 | * length fields set, so that we can allocated and use | ||
464 | * them. We can safely just check for name, for without the | ||
465 | * name, we can't allocate the TFM. | ||
466 | */ | ||
467 | if (!sctp_hmac_list[id].hmac_name) | ||
468 | continue; | ||
469 | |||
470 | /* If this TFM has been allocated, we are all set */ | ||
471 | if (ep->auth_hmacs[id]) | ||
472 | continue; | ||
473 | |||
474 | /* Allocate the ID */ | ||
475 | tfm = crypto_alloc_hash(sctp_hmac_list[id].hmac_name, 0, | ||
476 | CRYPTO_ALG_ASYNC); | ||
477 | if (IS_ERR(tfm)) | ||
478 | goto out_err; | ||
479 | |||
480 | ep->auth_hmacs[id] = tfm; | ||
481 | } | ||
482 | |||
483 | return 0; | ||
484 | |||
485 | out_err: | ||
486 | /* Clean up any successfull allocations */ | ||
487 | sctp_auth_destroy_hmacs(ep->auth_hmacs); | ||
488 | return -ENOMEM; | ||
489 | } | ||
490 | |||
491 | /* Destroy the hmac tfm array */ | ||
492 | void sctp_auth_destroy_hmacs(struct crypto_hash *auth_hmacs[]) | ||
493 | { | ||
494 | int i; | ||
495 | |||
496 | if (!auth_hmacs) | ||
497 | return; | ||
498 | |||
499 | for (i = 0; i < SCTP_AUTH_NUM_HMACS; i++) | ||
500 | { | ||
501 | if (auth_hmacs[i]) | ||
502 | crypto_free_hash(auth_hmacs[i]); | ||
503 | } | ||
504 | kfree(auth_hmacs); | ||
505 | } | ||
506 | |||
507 | |||
508 | struct sctp_hmac *sctp_auth_get_hmac(__u16 hmac_id) | ||
509 | { | ||
510 | return &sctp_hmac_list[hmac_id]; | ||
511 | } | ||
512 | |||
513 | /* Get an hmac description information that we can use to build | ||
514 | * the AUTH chunk | ||
515 | */ | ||
516 | struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc) | ||
517 | { | ||
518 | struct sctp_hmac_algo_param *hmacs; | ||
519 | __u16 n_elt; | ||
520 | __u16 id = 0; | ||
521 | int i; | ||
522 | |||
523 | /* If we have a default entry, use it */ | ||
524 | if (asoc->default_hmac_id) | ||
525 | return &sctp_hmac_list[asoc->default_hmac_id]; | ||
526 | |||
527 | /* Since we do not have a default entry, find the first entry | ||
528 | * we support and return that. Do not cache that id. | ||
529 | */ | ||
530 | hmacs = asoc->peer.peer_hmacs; | ||
531 | if (!hmacs) | ||
532 | return NULL; | ||
533 | |||
534 | n_elt = (ntohs(hmacs->param_hdr.length) - sizeof(sctp_paramhdr_t)) >> 1; | ||
535 | for (i = 0; i < n_elt; i++) { | ||
536 | id = ntohs(hmacs->hmac_ids[i]); | ||
537 | |||
538 | /* Check the id is in the supported range */ | ||
539 | if (id > SCTP_AUTH_HMAC_ID_MAX) | ||
540 | continue; | ||
541 | |||
542 | /* See is we support the id. Supported IDs have name and | ||
543 | * length fields set, so that we can allocated and use | ||
544 | * them. We can safely just check for name, for without the | ||
545 | * name, we can't allocate the TFM. | ||
546 | */ | ||
547 | if (!sctp_hmac_list[id].hmac_name) | ||
548 | continue; | ||
549 | |||
550 | break; | ||
551 | } | ||
552 | |||
553 | if (id == 0) | ||
554 | return NULL; | ||
555 | |||
556 | return &sctp_hmac_list[id]; | ||
557 | } | ||
558 | |||
559 | static int __sctp_auth_find_hmacid(__u16 *hmacs, int n_elts, __u16 hmac_id) | ||
560 | { | ||
561 | int found = 0; | ||
562 | int i; | ||
563 | |||
564 | for (i = 0; i < n_elts; i++) { | ||
565 | if (hmac_id == hmacs[i]) { | ||
566 | found = 1; | ||
567 | break; | ||
568 | } | ||
569 | } | ||
570 | |||
571 | return found; | ||
572 | } | ||
573 | |||
574 | /* See if the HMAC_ID is one that we claim as supported */ | ||
575 | int sctp_auth_asoc_verify_hmac_id(const struct sctp_association *asoc, | ||
576 | __u16 hmac_id) | ||
577 | { | ||
578 | struct sctp_hmac_algo_param *hmacs; | ||
579 | __u16 n_elt; | ||
580 | |||
581 | if (!asoc) | ||
582 | return 0; | ||
583 | |||
584 | hmacs = (struct sctp_hmac_algo_param *)asoc->c.auth_hmacs; | ||
585 | n_elt = (ntohs(hmacs->param_hdr.length) - sizeof(sctp_paramhdr_t)) >> 1; | ||
586 | |||
587 | return __sctp_auth_find_hmacid(hmacs->hmac_ids, n_elt, hmac_id); | ||
588 | } | ||
589 | |||
590 | |||
591 | /* Cache the default HMAC id. This to follow this text from SCTP-AUTH: | ||
592 | * Section 6.1: | ||
593 | * The receiver of a HMAC-ALGO parameter SHOULD use the first listed | ||
594 | * algorithm it supports. | ||
595 | */ | ||
596 | void sctp_auth_asoc_set_default_hmac(struct sctp_association *asoc, | ||
597 | struct sctp_hmac_algo_param *hmacs) | ||
598 | { | ||
599 | struct sctp_endpoint *ep; | ||
600 | __u16 id; | ||
601 | int i; | ||
602 | int n_params; | ||
603 | |||
604 | /* if the default id is already set, use it */ | ||
605 | if (asoc->default_hmac_id) | ||
606 | return; | ||
607 | |||
608 | n_params = (ntohs(hmacs->param_hdr.length) | ||
609 | - sizeof(sctp_paramhdr_t)) >> 1; | ||
610 | ep = asoc->ep; | ||
611 | for (i = 0; i < n_params; i++) { | ||
612 | id = ntohs(hmacs->hmac_ids[i]); | ||
613 | |||
614 | /* Check the id is in the supported range */ | ||
615 | if (id > SCTP_AUTH_HMAC_ID_MAX) | ||
616 | continue; | ||
617 | |||
618 | /* If this TFM has been allocated, use this id */ | ||
619 | if (ep->auth_hmacs[id]) { | ||
620 | asoc->default_hmac_id = id; | ||
621 | break; | ||
622 | } | ||
623 | } | ||
624 | } | ||
625 | |||
626 | |||
627 | /* Check to see if the given chunk is supposed to be authenticated */ | ||
628 | static int __sctp_auth_cid(sctp_cid_t chunk, struct sctp_chunks_param *param) | ||
629 | { | ||
630 | unsigned short len; | ||
631 | int found = 0; | ||
632 | int i; | ||
633 | |||
634 | if (!param) | ||
635 | return 0; | ||
636 | |||
637 | len = ntohs(param->param_hdr.length) - sizeof(sctp_paramhdr_t); | ||
638 | |||
639 | /* SCTP-AUTH, Section 3.2 | ||
640 | * The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE and AUTH | ||
641 | * chunks MUST NOT be listed in the CHUNKS parameter. However, if | ||
642 | * a CHUNKS parameter is received then the types for INIT, INIT-ACK, | ||
643 | * SHUTDOWN-COMPLETE and AUTH chunks MUST be ignored. | ||
644 | */ | ||
645 | for (i = 0; !found && i < len; i++) { | ||
646 | switch (param->chunks[i]) { | ||
647 | case SCTP_CID_INIT: | ||
648 | case SCTP_CID_INIT_ACK: | ||
649 | case SCTP_CID_SHUTDOWN_COMPLETE: | ||
650 | case SCTP_CID_AUTH: | ||
651 | break; | ||
652 | |||
653 | default: | ||
654 | if (param->chunks[i] == chunk) | ||
655 | found = 1; | ||
656 | break; | ||
657 | } | ||
658 | } | ||
659 | |||
660 | return found; | ||
661 | } | ||
662 | |||
663 | /* Check if peer requested that this chunk is authenticated */ | ||
664 | int sctp_auth_send_cid(sctp_cid_t chunk, const struct sctp_association *asoc) | ||
665 | { | ||
666 | if (!sctp_auth_enable || !asoc || !asoc->peer.auth_capable) | ||
667 | return 0; | ||
668 | |||
669 | return __sctp_auth_cid(chunk, asoc->peer.peer_chunks); | ||
670 | } | ||
671 | |||
672 | /* Check if we requested that peer authenticate this chunk. */ | ||
673 | int sctp_auth_recv_cid(sctp_cid_t chunk, const struct sctp_association *asoc) | ||
674 | { | ||
675 | if (!sctp_auth_enable || !asoc) | ||
676 | return 0; | ||
677 | |||
678 | return __sctp_auth_cid(chunk, | ||
679 | (struct sctp_chunks_param *)asoc->c.auth_chunks); | ||
680 | } | ||
681 | |||
682 | /* SCTP-AUTH: Section 6.2: | ||
683 | * The sender MUST calculate the MAC as described in RFC2104 [2] using | ||
684 | * the hash function H as described by the MAC Identifier and the shared | ||
685 | * association key K based on the endpoint pair shared key described by | ||
686 | * the shared key identifier. The 'data' used for the computation of | ||
687 | * the AUTH-chunk is given by the AUTH chunk with its HMAC field set to | ||
688 | * zero (as shown in Figure 6) followed by all chunks that are placed | ||
689 | * after the AUTH chunk in the SCTP packet. | ||
690 | */ | ||
691 | void sctp_auth_calculate_hmac(const struct sctp_association *asoc, | ||
692 | struct sk_buff *skb, | ||
693 | struct sctp_auth_chunk *auth, | ||
694 | gfp_t gfp) | ||
695 | { | ||
696 | struct scatterlist sg; | ||
697 | struct hash_desc desc; | ||
698 | struct sctp_auth_bytes *asoc_key; | ||
699 | __u16 key_id, hmac_id; | ||
700 | __u8 *digest; | ||
701 | unsigned char *end; | ||
702 | int free_key = 0; | ||
703 | |||
704 | /* Extract the info we need: | ||
705 | * - hmac id | ||
706 | * - key id | ||
707 | */ | ||
708 | key_id = ntohs(auth->auth_hdr.shkey_id); | ||
709 | hmac_id = ntohs(auth->auth_hdr.hmac_id); | ||
710 | |||
711 | if (key_id == asoc->active_key_id) | ||
712 | asoc_key = asoc->asoc_shared_key; | ||
713 | else { | ||
714 | struct sctp_shared_key *ep_key; | ||
715 | |||
716 | ep_key = sctp_auth_get_shkey(asoc, key_id); | ||
717 | if (!ep_key) | ||
718 | return; | ||
719 | |||
720 | asoc_key = sctp_auth_asoc_create_secret(asoc, ep_key, gfp); | ||
721 | if (!asoc_key) | ||
722 | return; | ||
723 | |||
724 | free_key = 1; | ||
725 | } | ||
726 | |||
727 | /* set up scatter list */ | ||
728 | end = skb_tail_pointer(skb); | ||
729 | sg.page = virt_to_page(auth); | ||
730 | sg.offset = (unsigned long)(auth) % PAGE_SIZE; | ||
731 | sg.length = end - (unsigned char *)auth; | ||
732 | |||
733 | desc.tfm = asoc->ep->auth_hmacs[hmac_id]; | ||
734 | desc.flags = 0; | ||
735 | |||
736 | digest = auth->auth_hdr.hmac; | ||
737 | if (crypto_hash_setkey(desc.tfm, &asoc_key->data[0], asoc_key->len)) | ||
738 | goto free; | ||
739 | |||
740 | crypto_hash_digest(&desc, &sg, sg.length, digest); | ||
741 | |||
742 | free: | ||
743 | if (free_key) | ||
744 | sctp_auth_key_put(asoc_key); | ||
745 | } | ||
diff --git a/net/sctp/objcnt.c b/net/sctp/objcnt.c index fcfb9d806de1..2cf6ad6ff8ce 100644 --- a/net/sctp/objcnt.c +++ b/net/sctp/objcnt.c | |||
@@ -58,6 +58,7 @@ SCTP_DBG_OBJCNT(chunk); | |||
58 | SCTP_DBG_OBJCNT(addr); | 58 | SCTP_DBG_OBJCNT(addr); |
59 | SCTP_DBG_OBJCNT(ssnmap); | 59 | SCTP_DBG_OBJCNT(ssnmap); |
60 | SCTP_DBG_OBJCNT(datamsg); | 60 | SCTP_DBG_OBJCNT(datamsg); |
61 | SCTP_DBG_OBJCNT(keys); | ||
61 | 62 | ||
62 | /* An array to make it easy to pretty print the debug information | 63 | /* An array to make it easy to pretty print the debug information |
63 | * to the proc fs. | 64 | * to the proc fs. |
@@ -73,6 +74,7 @@ static sctp_dbg_objcnt_entry_t sctp_dbg_objcnt[] = { | |||
73 | SCTP_DBG_OBJCNT_ENTRY(addr), | 74 | SCTP_DBG_OBJCNT_ENTRY(addr), |
74 | SCTP_DBG_OBJCNT_ENTRY(ssnmap), | 75 | SCTP_DBG_OBJCNT_ENTRY(ssnmap), |
75 | SCTP_DBG_OBJCNT_ENTRY(datamsg), | 76 | SCTP_DBG_OBJCNT_ENTRY(datamsg), |
77 | SCTP_DBG_OBJCNT_ENTRY(keys), | ||
76 | }; | 78 | }; |
77 | 79 | ||
78 | /* Callback from procfs to read out objcount information. | 80 | /* Callback from procfs to read out objcount information. |