diff options
Diffstat (limited to 'include/net')
-rw-r--r-- | include/net/sctp/auth.h | 112 | ||||
-rw-r--r-- | include/net/sctp/constants.h | 49 | ||||
-rw-r--r-- | include/net/sctp/sctp.h | 1 | ||||
-rw-r--r-- | include/net/sctp/structs.h | 71 |
4 files changed, 227 insertions, 6 deletions
diff --git a/include/net/sctp/auth.h b/include/net/sctp/auth.h new file mode 100644 index 000000000000..10c8010552ff --- /dev/null +++ b/include/net/sctp/auth.h | |||
@@ -0,0 +1,112 @@ | |||
1 | /* SCTP kernel reference Implementation | ||
2 | * (C) Copyright 2007 Hewlett-Packard Development Company, L.P. | ||
3 | * | ||
4 | * This file is part of the SCTP kernel reference Implementation | ||
5 | * | ||
6 | * The SCTP reference implementation is free software; | ||
7 | * you can redistribute it and/or modify it under the terms of | ||
8 | * the GNU General Public License as published by | ||
9 | * the Free Software Foundation; either version 2, or (at your option) | ||
10 | * any later version. | ||
11 | * | ||
12 | * The SCTP reference implementation is distributed in the hope that it | ||
13 | * will be useful, but WITHOUT ANY WARRANTY; without even the implied | ||
14 | * ************************ | ||
15 | * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | ||
16 | * See the GNU General Public License for more details. | ||
17 | * | ||
18 | * You should have received a copy of the GNU General Public License | ||
19 | * along with GNU CC; see the file COPYING. If not, write to | ||
20 | * the Free Software Foundation, 59 Temple Place - Suite 330, | ||
21 | * Boston, MA 02111-1307, USA. | ||
22 | * | ||
23 | * Please send any bug reports or fixes you make to the | ||
24 | * email address(es): | ||
25 | * lksctp developers <lksctp-developers@lists.sourceforge.net> | ||
26 | * | ||
27 | * Or submit a bug report through the following website: | ||
28 | * http://www.sf.net/projects/lksctp | ||
29 | * | ||
30 | * Written or modified by: | ||
31 | * Vlad Yasevich <vladislav.yasevich@hp.com> | ||
32 | * | ||
33 | * Any bugs reported given to us we will try to fix... any fixes shared will | ||
34 | * be incorporated into the next SCTP release. | ||
35 | */ | ||
36 | |||
37 | #ifndef __sctp_auth_h__ | ||
38 | #define __sctp_auth_h__ | ||
39 | |||
40 | #include <linux/list.h> | ||
41 | #include <linux/crypto.h> | ||
42 | |||
43 | struct sctp_endpoint; | ||
44 | struct sctp_association; | ||
45 | struct sctp_authkey; | ||
46 | |||
47 | /* | ||
48 | * Define a generic struct that will hold all the info | ||
49 | * necessary for an HMAC transform | ||
50 | */ | ||
51 | struct sctp_hmac { | ||
52 | __u16 hmac_id; /* one of the above ids */ | ||
53 | char *hmac_name; /* name for loading */ | ||
54 | __u16 hmac_len; /* length of the signature */ | ||
55 | }; | ||
56 | |||
57 | /* This is generic structure that containst authentication bytes used | ||
58 | * as keying material. It's a what is referred to as byte-vector all | ||
59 | * over SCTP-AUTH | ||
60 | */ | ||
61 | struct sctp_auth_bytes { | ||
62 | atomic_t refcnt; | ||
63 | __u32 len; | ||
64 | __u8 data[]; | ||
65 | }; | ||
66 | |||
67 | /* Definition for a shared key, weather endpoint or association */ | ||
68 | struct sctp_shared_key { | ||
69 | struct list_head key_list; | ||
70 | __u16 key_id; | ||
71 | struct sctp_auth_bytes *key; | ||
72 | }; | ||
73 | |||
74 | #define key_for_each(__key, __list_head) \ | ||
75 | list_for_each_entry(__key, __list_head, key_list) | ||
76 | |||
77 | #define key_for_each_safe(__key, __tmp, __list_head) \ | ||
78 | list_for_each_entry_safe(__key, __tmp, __list_head, key_list) | ||
79 | |||
80 | static inline void sctp_auth_key_hold(struct sctp_auth_bytes *key) | ||
81 | { | ||
82 | if (!key) | ||
83 | return; | ||
84 | |||
85 | atomic_inc(&key->refcnt); | ||
86 | } | ||
87 | |||
88 | void sctp_auth_key_put(struct sctp_auth_bytes *key); | ||
89 | struct sctp_shared_key *sctp_auth_shkey_create(__u16 key_id, gfp_t gfp); | ||
90 | void sctp_auth_shkey_free(struct sctp_shared_key *sh_key); | ||
91 | void sctp_auth_destroy_keys(struct list_head *keys); | ||
92 | int sctp_auth_asoc_init_active_key(struct sctp_association *asoc, gfp_t gfp); | ||
93 | struct sctp_shared_key *sctp_auth_get_shkey( | ||
94 | const struct sctp_association *asoc, | ||
95 | __u16 key_id); | ||
96 | int sctp_auth_asoc_copy_shkeys(const struct sctp_endpoint *ep, | ||
97 | struct sctp_association *asoc, | ||
98 | gfp_t gfp); | ||
99 | int sctp_auth_init_hmacs(struct sctp_endpoint *ep, gfp_t gfp); | ||
100 | void sctp_auth_destroy_hmacs(struct crypto_hash *auth_hmacs[]); | ||
101 | struct sctp_hmac *sctp_auth_get_hmac(__u16 hmac_id); | ||
102 | struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc); | ||
103 | void sctp_auth_asoc_set_default_hmac(struct sctp_association *asoc, | ||
104 | struct sctp_hmac_algo_param *hmacs); | ||
105 | int sctp_auth_asoc_verify_hmac_id(const struct sctp_association *asoc, | ||
106 | __u16 hmac_id); | ||
107 | int sctp_auth_send_cid(sctp_cid_t chunk, const struct sctp_association *asoc); | ||
108 | int sctp_auth_recv_cid(sctp_cid_t chunk, const struct sctp_association *asoc); | ||
109 | void sctp_auth_calculate_hmac(const struct sctp_association *asoc, | ||
110 | struct sk_buff *skb, | ||
111 | struct sctp_auth_chunk *auth, gfp_t gfp); | ||
112 | #endif | ||
diff --git a/include/net/sctp/constants.h b/include/net/sctp/constants.h index bb37724495a5..777118f06dba 100644 --- a/include/net/sctp/constants.h +++ b/include/net/sctp/constants.h | |||
@@ -64,12 +64,18 @@ enum { SCTP_DEFAULT_INSTREAMS = SCTP_MAX_STREAM }; | |||
64 | #define SCTP_CID_MAX SCTP_CID_ASCONF_ACK | 64 | #define SCTP_CID_MAX SCTP_CID_ASCONF_ACK |
65 | 65 | ||
66 | #define SCTP_NUM_BASE_CHUNK_TYPES (SCTP_CID_BASE_MAX + 1) | 66 | #define SCTP_NUM_BASE_CHUNK_TYPES (SCTP_CID_BASE_MAX + 1) |
67 | #define SCTP_NUM_CHUNK_TYPES (SCTP_NUM_BASE_CHUNKTYPES + 2) | ||
68 | 67 | ||
69 | #define SCTP_NUM_ADDIP_CHUNK_TYPES 2 | 68 | #define SCTP_NUM_ADDIP_CHUNK_TYPES 2 |
70 | 69 | ||
71 | #define SCTP_NUM_PRSCTP_CHUNK_TYPES 1 | 70 | #define SCTP_NUM_PRSCTP_CHUNK_TYPES 1 |
72 | 71 | ||
72 | #define SCTP_NUM_AUTH_CHUNK_TYPES 1 | ||
73 | |||
74 | #define SCTP_NUM_CHUNK_TYPES (SCTP_NUM_BASE_CHUNK_TYPES + \ | ||
75 | SCTP_NUM_ADDIP_CHUNK_TYPES +\ | ||
76 | SCTP_NUM_PRSCTP_CHUNK_TYPES +\ | ||
77 | SCTP_NUM_AUTH_CHUNK_TYPES) | ||
78 | |||
73 | /* These are the different flavours of event. */ | 79 | /* These are the different flavours of event. */ |
74 | typedef enum { | 80 | typedef enum { |
75 | 81 | ||
@@ -409,4 +415,45 @@ typedef enum { | |||
409 | SCTP_LOWER_CWND_INACTIVE, | 415 | SCTP_LOWER_CWND_INACTIVE, |
410 | } sctp_lower_cwnd_t; | 416 | } sctp_lower_cwnd_t; |
411 | 417 | ||
418 | |||
419 | /* SCTP-AUTH Necessary constants */ | ||
420 | |||
421 | /* SCTP-AUTH, Section 3.3 | ||
422 | * | ||
423 | * The following Table 2 shows the currently defined values for HMAC | ||
424 | * identifiers. | ||
425 | * | ||
426 | * +-----------------+--------------------------+ | ||
427 | * | HMAC Identifier | Message Digest Algorithm | | ||
428 | * +-----------------+--------------------------+ | ||
429 | * | 0 | Reserved | | ||
430 | * | 1 | SHA-1 defined in [8] | | ||
431 | * | 2 | Reserved | | ||
432 | * | 3 | SHA-256 defined in [8] | | ||
433 | * +-----------------+--------------------------+ | ||
434 | */ | ||
435 | enum { | ||
436 | SCTP_AUTH_HMAC_ID_RESERVED_0, | ||
437 | SCTP_AUTH_HMAC_ID_SHA1, | ||
438 | SCTP_AUTH_HMAC_ID_RESERVED_2, | ||
439 | SCTP_AUTH_HMAC_ID_SHA256 | ||
440 | }; | ||
441 | |||
442 | #define SCTP_AUTH_HMAC_ID_MAX SCTP_AUTH_HMAC_ID_SHA256 | ||
443 | #define SCTP_AUTH_NUM_HMACS (SCTP_AUTH_HMAC_ID_SHA256 + 1) | ||
444 | #define SCTP_SHA1_SIG_SIZE 20 | ||
445 | #define SCTP_SHA256_SIG_SIZE 32 | ||
446 | |||
447 | /* SCTP-AUTH, Section 3.2 | ||
448 | * The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE and AUTH chunks | ||
449 | * MUST NOT be listed in the CHUNKS parameter | ||
450 | */ | ||
451 | #define SCTP_NUM_NOAUTH_CHUNKS 4 | ||
452 | #define SCTP_AUTH_MAX_CHUNKS (SCTP_NUM_CHUNK_TYPES - SCTP_NUM_NOAUTH_CHUNKS) | ||
453 | |||
454 | /* SCTP-AUTH Section 6.1 | ||
455 | * The RANDOM parameter MUST contain a 32 byte random number. | ||
456 | */ | ||
457 | #define SCTP_AUTH_RANDOM_LENGTH 32 | ||
458 | |||
412 | #endif /* __sctp_constants_h__ */ | 459 | #endif /* __sctp_constants_h__ */ |
diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h index d5a1ddc7483f..119f5a1ed499 100644 --- a/include/net/sctp/sctp.h +++ b/include/net/sctp/sctp.h | |||
@@ -341,6 +341,7 @@ extern atomic_t sctp_dbg_objcnt_bind_bucket; | |||
341 | extern atomic_t sctp_dbg_objcnt_addr; | 341 | extern atomic_t sctp_dbg_objcnt_addr; |
342 | extern atomic_t sctp_dbg_objcnt_ssnmap; | 342 | extern atomic_t sctp_dbg_objcnt_ssnmap; |
343 | extern atomic_t sctp_dbg_objcnt_datamsg; | 343 | extern atomic_t sctp_dbg_objcnt_datamsg; |
344 | extern atomic_t sctp_dbg_objcnt_keys; | ||
344 | 345 | ||
345 | /* Macros to atomically increment/decrement objcnt counters. */ | 346 | /* Macros to atomically increment/decrement objcnt counters. */ |
346 | #define SCTP_DBG_OBJCNT_INC(name) \ | 347 | #define SCTP_DBG_OBJCNT_INC(name) \ |
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h index b4812a2d3bb0..18b06afacea0 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h | |||
@@ -64,6 +64,7 @@ | |||
64 | #include <linux/skbuff.h> /* We need sk_buff_head. */ | 64 | #include <linux/skbuff.h> /* We need sk_buff_head. */ |
65 | #include <linux/workqueue.h> /* We need tq_struct. */ | 65 | #include <linux/workqueue.h> /* We need tq_struct. */ |
66 | #include <linux/sctp.h> /* We need sctp* header structs. */ | 66 | #include <linux/sctp.h> /* We need sctp* header structs. */ |
67 | #include <net/sctp/auth.h> /* We need auth specific structs */ | ||
67 | 68 | ||
68 | /* A convenience structure for handling sockaddr structures. | 69 | /* A convenience structure for handling sockaddr structures. |
69 | * We should wean ourselves off this. | 70 | * We should wean ourselves off this. |
@@ -216,6 +217,9 @@ extern struct sctp_globals { | |||
216 | 217 | ||
217 | /* Flag to indicate if PR-SCTP is enabled. */ | 218 | /* Flag to indicate if PR-SCTP is enabled. */ |
218 | int prsctp_enable; | 219 | int prsctp_enable; |
220 | |||
221 | /* Flag to idicate if SCTP-AUTH is enabled */ | ||
222 | int auth_enable; | ||
219 | } sctp_globals; | 223 | } sctp_globals; |
220 | 224 | ||
221 | #define sctp_rto_initial (sctp_globals.rto_initial) | 225 | #define sctp_rto_initial (sctp_globals.rto_initial) |
@@ -248,6 +252,7 @@ extern struct sctp_globals { | |||
248 | #define sctp_local_addr_lock (sctp_globals.addr_list_lock) | 252 | #define sctp_local_addr_lock (sctp_globals.addr_list_lock) |
249 | #define sctp_addip_enable (sctp_globals.addip_enable) | 253 | #define sctp_addip_enable (sctp_globals.addip_enable) |
250 | #define sctp_prsctp_enable (sctp_globals.prsctp_enable) | 254 | #define sctp_prsctp_enable (sctp_globals.prsctp_enable) |
255 | #define sctp_auth_enable (sctp_globals.auth_enable) | ||
251 | 256 | ||
252 | /* SCTP Socket type: UDP or TCP style. */ | 257 | /* SCTP Socket type: UDP or TCP style. */ |
253 | typedef enum { | 258 | typedef enum { |
@@ -397,6 +402,9 @@ struct sctp_cookie { | |||
397 | 402 | ||
398 | __u32 adaptation_ind; | 403 | __u32 adaptation_ind; |
399 | 404 | ||
405 | __u8 auth_random[sizeof(sctp_paramhdr_t) + SCTP_AUTH_RANDOM_LENGTH]; | ||
406 | __u8 auth_hmacs[SCTP_AUTH_NUM_HMACS + 2]; | ||
407 | __u8 auth_chunks[sizeof(sctp_paramhdr_t) + SCTP_AUTH_MAX_CHUNKS]; | ||
400 | 408 | ||
401 | /* This is a shim for my peer's INIT packet, followed by | 409 | /* This is a shim for my peer's INIT packet, followed by |
402 | * a copy of the raw address list of the association. | 410 | * a copy of the raw address list of the association. |
@@ -441,6 +449,9 @@ union sctp_params { | |||
441 | union sctp_addr_param *addr; | 449 | union sctp_addr_param *addr; |
442 | struct sctp_adaptation_ind_param *aind; | 450 | struct sctp_adaptation_ind_param *aind; |
443 | struct sctp_supported_ext_param *ext; | 451 | struct sctp_supported_ext_param *ext; |
452 | struct sctp_random_param *random; | ||
453 | struct sctp_chunks_param *chunks; | ||
454 | struct sctp_hmac_algo_param *hmac_algo; | ||
444 | }; | 455 | }; |
445 | 456 | ||
446 | /* RFC 2960. Section 3.3.5 Heartbeat. | 457 | /* RFC 2960. Section 3.3.5 Heartbeat. |
@@ -679,6 +690,7 @@ struct sctp_chunk { | |||
679 | struct sctp_errhdr *err_hdr; | 690 | struct sctp_errhdr *err_hdr; |
680 | struct sctp_addiphdr *addip_hdr; | 691 | struct sctp_addiphdr *addip_hdr; |
681 | struct sctp_fwdtsn_hdr *fwdtsn_hdr; | 692 | struct sctp_fwdtsn_hdr *fwdtsn_hdr; |
693 | struct sctp_authhdr *auth_hdr; | ||
682 | } subh; | 694 | } subh; |
683 | 695 | ||
684 | __u8 *chunk_end; | 696 | __u8 *chunk_end; |
@@ -724,6 +736,7 @@ struct sctp_chunk { | |||
724 | __s8 fast_retransmit; /* Is this chunk fast retransmitted? */ | 736 | __s8 fast_retransmit; /* Is this chunk fast retransmitted? */ |
725 | __u8 tsn_missing_report; /* Data chunk missing counter. */ | 737 | __u8 tsn_missing_report; /* Data chunk missing counter. */ |
726 | __u8 data_accepted; /* At least 1 chunk in this packet accepted */ | 738 | __u8 data_accepted; /* At least 1 chunk in this packet accepted */ |
739 | __u8 auth; /* IN: was auth'ed | OUT: needs auth */ | ||
727 | }; | 740 | }; |
728 | 741 | ||
729 | void sctp_chunk_hold(struct sctp_chunk *); | 742 | void sctp_chunk_hold(struct sctp_chunk *); |
@@ -773,16 +786,22 @@ struct sctp_packet { | |||
773 | */ | 786 | */ |
774 | struct sctp_transport *transport; | 787 | struct sctp_transport *transport; |
775 | 788 | ||
789 | /* pointer to the auth chunk for this packet */ | ||
790 | struct sctp_chunk *auth; | ||
791 | |||
776 | /* This packet contains a COOKIE-ECHO chunk. */ | 792 | /* This packet contains a COOKIE-ECHO chunk. */ |
777 | char has_cookie_echo; | 793 | __u8 has_cookie_echo; |
794 | |||
795 | /* This packet contains a SACK chunk. */ | ||
796 | __u8 has_sack; | ||
778 | 797 | ||
779 | /* This packet containsa SACK chunk. */ | 798 | /* This packet contains an AUTH chunk */ |
780 | char has_sack; | 799 | __u8 has_auth; |
781 | 800 | ||
782 | /* SCTP cannot fragment this packet. So let ip fragment it. */ | 801 | /* SCTP cannot fragment this packet. So let ip fragment it. */ |
783 | char ipfragok; | 802 | __u8 ipfragok; |
784 | 803 | ||
785 | int malloced; | 804 | __u8 malloced; |
786 | }; | 805 | }; |
787 | 806 | ||
788 | struct sctp_packet *sctp_packet_init(struct sctp_packet *, | 807 | struct sctp_packet *sctp_packet_init(struct sctp_packet *, |
@@ -1291,6 +1310,21 @@ struct sctp_endpoint { | |||
1291 | 1310 | ||
1292 | /* rcvbuf acct. policy. */ | 1311 | /* rcvbuf acct. policy. */ |
1293 | __u32 rcvbuf_policy; | 1312 | __u32 rcvbuf_policy; |
1313 | |||
1314 | /* SCTP AUTH: array of the HMACs that will be allocated | ||
1315 | * we need this per association so that we don't serialize | ||
1316 | */ | ||
1317 | struct crypto_hash **auth_hmacs; | ||
1318 | |||
1319 | /* SCTP-AUTH: hmacs for the endpoint encoded into parameter */ | ||
1320 | struct sctp_hmac_algo_param *auth_hmacs_list; | ||
1321 | |||
1322 | /* SCTP-AUTH: chunks to authenticate encoded into parameter */ | ||
1323 | struct sctp_chunks_param *auth_chunk_list; | ||
1324 | |||
1325 | /* SCTP-AUTH: endpoint shared keys */ | ||
1326 | struct list_head endpoint_shared_keys; | ||
1327 | __u16 active_key_id; | ||
1294 | }; | 1328 | }; |
1295 | 1329 | ||
1296 | /* Recover the outter endpoint structure. */ | 1330 | /* Recover the outter endpoint structure. */ |
@@ -1497,6 +1531,7 @@ struct sctp_association { | |||
1497 | __u8 hostname_address;/* Peer understands DNS addresses? */ | 1531 | __u8 hostname_address;/* Peer understands DNS addresses? */ |
1498 | __u8 asconf_capable; /* Does peer support ADDIP? */ | 1532 | __u8 asconf_capable; /* Does peer support ADDIP? */ |
1499 | __u8 prsctp_capable; /* Can peer do PR-SCTP? */ | 1533 | __u8 prsctp_capable; /* Can peer do PR-SCTP? */ |
1534 | __u8 auth_capable; /* Is peer doing SCTP-AUTH? */ | ||
1500 | 1535 | ||
1501 | __u32 adaptation_ind; /* Adaptation Code point. */ | 1536 | __u32 adaptation_ind; /* Adaptation Code point. */ |
1502 | 1537 | ||
@@ -1514,6 +1549,14 @@ struct sctp_association { | |||
1514 | * Initial TSN Value minus 1 | 1549 | * Initial TSN Value minus 1 |
1515 | */ | 1550 | */ |
1516 | __u32 addip_serial; | 1551 | __u32 addip_serial; |
1552 | |||
1553 | /* SCTP-AUTH: We need to know pears random number, hmac list | ||
1554 | * and authenticated chunk list. All that is part of the | ||
1555 | * cookie and these are just pointers to those locations | ||
1556 | */ | ||
1557 | sctp_random_param_t *peer_random; | ||
1558 | sctp_chunks_param_t *peer_chunks; | ||
1559 | sctp_hmac_algo_param_t *peer_hmacs; | ||
1517 | } peer; | 1560 | } peer; |
1518 | 1561 | ||
1519 | /* State : A state variable indicating what state the | 1562 | /* State : A state variable indicating what state the |
@@ -1797,6 +1840,24 @@ struct sctp_association { | |||
1797 | */ | 1840 | */ |
1798 | __u32 addip_serial; | 1841 | __u32 addip_serial; |
1799 | 1842 | ||
1843 | /* SCTP AUTH: list of the endpoint shared keys. These | ||
1844 | * keys are provided out of band by the user applicaton | ||
1845 | * and can't change during the lifetime of the association | ||
1846 | */ | ||
1847 | struct list_head endpoint_shared_keys; | ||
1848 | |||
1849 | /* SCTP AUTH: | ||
1850 | * The current generated assocaition shared key (secret) | ||
1851 | */ | ||
1852 | struct sctp_auth_bytes *asoc_shared_key; | ||
1853 | |||
1854 | /* SCTP AUTH: hmac id of the first peer requested algorithm | ||
1855 | * that we support. | ||
1856 | */ | ||
1857 | __u16 default_hmac_id; | ||
1858 | |||
1859 | __u16 active_key_id; | ||
1860 | |||
1800 | /* Need to send an ECNE Chunk? */ | 1861 | /* Need to send an ECNE Chunk? */ |
1801 | char need_ecne; | 1862 | char need_ecne; |
1802 | 1863 | ||