xref: /freebsd/sys/netinet/sctp_auth.h (revision 38f0b757fd84d17d0fc24739a7cda160c4516d81)
1 /*-
2  * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
3  * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
4  * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions are met:
8  *
9  * a) Redistributions of source code must retain the above copyright notice,
10  *    this list of conditions and the following disclaimer.
11  *
12  * b) Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in
14  *    the documentation and/or other materials provided with the distribution.
15  *
16  * c) Neither the name of Cisco Systems, Inc. nor the names of its
17  *    contributors may be used to endorse or promote products derived
18  *    from this software without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30  * THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
35 
36 #ifndef _NETINET_SCTP_AUTH_H_
37 #define _NETINET_SCTP_AUTH_H_
38 
39 #include <netinet/sctp_os.h>
40 
41 /* digest lengths */
42 #define SCTP_AUTH_DIGEST_LEN_SHA1	20
43 #define SCTP_AUTH_DIGEST_LEN_SHA256	32
44 #define SCTP_AUTH_DIGEST_LEN_MAX	SCTP_AUTH_DIGEST_LEN_SHA256
45 
46 /* random sizes */
47 #define SCTP_AUTH_RANDOM_SIZE_DEFAULT	32
48 #define SCTP_AUTH_RANDOM_SIZE_REQUIRED	32
49 
50 /* union of all supported HMAC algorithm contexts */
51 typedef union sctp_hash_context {
52 	SCTP_SHA1_CTX sha1;
53 	SCTP_SHA256_CTX sha256;
54 }                 sctp_hash_context_t;
55 
56 typedef struct sctp_key {
57 	uint32_t keylen;
58 	uint8_t key[];
59 }        sctp_key_t;
60 
61 typedef struct sctp_shared_key {
62 	LIST_ENTRY(sctp_shared_key) next;
63 	sctp_key_t *key;	/* key text */
64 	uint32_t refcount;	/* reference count */
65 	uint16_t keyid;		/* shared key ID */
66 	uint8_t deactivated;	/* key is deactivated */
67 }               sctp_sharedkey_t;
68 
69 LIST_HEAD(sctp_keyhead, sctp_shared_key);
70 
71 /* authentication chunks list */
72 typedef struct sctp_auth_chklist {
73 	uint8_t chunks[256];
74 	uint8_t num_chunks;
75 }                 sctp_auth_chklist_t;
76 
77 /* hmac algos supported list */
78 typedef struct sctp_hmaclist {
79 	uint16_t max_algo;	/* max algorithms allocated */
80 	uint16_t num_algo;	/* num algorithms used */
81 	uint16_t hmac[];
82 }             sctp_hmaclist_t;
83 
84 /* authentication info */
85 typedef struct sctp_authinformation {
86 	sctp_key_t *random;	/* local random key (concatenated) */
87 	uint32_t random_len;	/* local random number length for param */
88 	sctp_key_t *peer_random;/* peer's random key (concatenated) */
89 	sctp_key_t *assoc_key;	/* cached concatenated send key */
90 	sctp_key_t *recv_key;	/* cached concatenated recv key */
91 	uint16_t active_keyid;	/* active send keyid */
92 	uint16_t assoc_keyid;	/* current send keyid (cached) */
93 	uint16_t recv_keyid;	/* last recv keyid (cached) */
94 }                    sctp_authinfo_t;
95 
96 
97 
98 /*
99  * Macros
100  */
101 #define sctp_auth_is_required_chunk(chunk, list) ((list == NULL) ? (0) : (list->chunks[chunk] != 0))
102 
103 /*
104  * function prototypes
105  */
106 
107 /* socket option api functions */
108 extern sctp_auth_chklist_t *sctp_alloc_chunklist(void);
109 extern void sctp_free_chunklist(sctp_auth_chklist_t * chklist);
110 extern void sctp_clear_chunklist(sctp_auth_chklist_t * chklist);
111 extern sctp_auth_chklist_t *sctp_copy_chunklist(sctp_auth_chklist_t * chklist);
112 extern int sctp_auth_add_chunk(uint8_t chunk, sctp_auth_chklist_t * list);
113 extern int sctp_auth_delete_chunk(uint8_t chunk, sctp_auth_chklist_t * list);
114 extern size_t sctp_auth_get_chklist_size(const sctp_auth_chklist_t * list);
115 extern void sctp_auth_set_default_chunks(sctp_auth_chklist_t * list);
116 extern int
117 sctp_serialize_auth_chunks(const sctp_auth_chklist_t * list,
118     uint8_t * ptr);
119 extern int
120 sctp_pack_auth_chunks(const sctp_auth_chklist_t * list,
121     uint8_t * ptr);
122 extern int
123 sctp_unpack_auth_chunks(const uint8_t * ptr, uint8_t num_chunks,
124     sctp_auth_chklist_t * list);
125 
126 /* key handling */
127 extern sctp_key_t *sctp_alloc_key(uint32_t keylen);
128 extern void sctp_free_key(sctp_key_t * key);
129 extern void sctp_print_key(sctp_key_t * key, const char *str);
130 extern void sctp_show_key(sctp_key_t * key, const char *str);
131 extern sctp_key_t *sctp_generate_random_key(uint32_t keylen);
132 extern sctp_key_t *sctp_set_key(uint8_t * key, uint32_t keylen);
133 extern sctp_key_t *
134 sctp_compute_hashkey(sctp_key_t * key1, sctp_key_t * key2,
135     sctp_key_t * shared);
136 
137 /* shared key handling */
138 extern sctp_sharedkey_t *sctp_alloc_sharedkey(void);
139 extern void sctp_free_sharedkey(sctp_sharedkey_t * skey);
140 extern sctp_sharedkey_t *
141 sctp_find_sharedkey(struct sctp_keyhead *shared_keys,
142     uint16_t key_id);
143 extern int
144 sctp_insert_sharedkey(struct sctp_keyhead *shared_keys,
145     sctp_sharedkey_t * new_skey);
146 extern int
147 sctp_copy_skeylist(const struct sctp_keyhead *src,
148     struct sctp_keyhead *dest);
149 
150 /* ref counts on shared keys, by key id */
151 extern void sctp_auth_key_acquire(struct sctp_tcb *stcb, uint16_t keyid);
152 extern void
153 sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t keyid,
154     int so_locked);
155 
156 
157 /* hmac list handling */
158 extern sctp_hmaclist_t *sctp_alloc_hmaclist(uint8_t num_hmacs);
159 extern void sctp_free_hmaclist(sctp_hmaclist_t * list);
160 extern int sctp_auth_add_hmacid(sctp_hmaclist_t * list, uint16_t hmac_id);
161 extern sctp_hmaclist_t *sctp_copy_hmaclist(sctp_hmaclist_t * list);
162 extern sctp_hmaclist_t *sctp_default_supported_hmaclist(void);
163 extern uint16_t
164 sctp_negotiate_hmacid(sctp_hmaclist_t * peer,
165     sctp_hmaclist_t * local);
166 extern int sctp_serialize_hmaclist(sctp_hmaclist_t * list, uint8_t * ptr);
167 extern int
168 sctp_verify_hmac_param(struct sctp_auth_hmac_algo *hmacs,
169     uint32_t num_hmacs);
170 
171 extern sctp_authinfo_t *sctp_alloc_authinfo(void);
172 extern void sctp_free_authinfo(sctp_authinfo_t * authinfo);
173 
174 /* keyed-HMAC functions */
175 extern uint32_t sctp_get_auth_chunk_len(uint16_t hmac_algo);
176 extern uint32_t sctp_get_hmac_digest_len(uint16_t hmac_algo);
177 extern uint32_t
178 sctp_hmac(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
179     uint8_t * text, uint32_t textlen, uint8_t * digest);
180 extern int
181 sctp_verify_hmac(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
182     uint8_t * text, uint32_t textlen, uint8_t * digest, uint32_t digestlen);
183 extern uint32_t
184 sctp_compute_hmac(uint16_t hmac_algo, sctp_key_t * key,
185     uint8_t * text, uint32_t textlen, uint8_t * digest);
186 extern int sctp_auth_is_supported_hmac(sctp_hmaclist_t * list, uint16_t id);
187 
188 /* mbuf versions */
189 extern uint32_t
190 sctp_hmac_m(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
191     struct mbuf *m, uint32_t m_offset, uint8_t * digest, uint32_t trailer);
192 extern uint32_t
193 sctp_compute_hmac_m(uint16_t hmac_algo, sctp_key_t * key,
194     struct mbuf *m, uint32_t m_offset, uint8_t * digest);
195 
196 /*
197  * authentication routines
198  */
199 extern void sctp_clear_cachedkeys(struct sctp_tcb *stcb, uint16_t keyid);
200 extern void sctp_clear_cachedkeys_ep(struct sctp_inpcb *inp, uint16_t keyid);
201 extern int sctp_delete_sharedkey(struct sctp_tcb *stcb, uint16_t keyid);
202 extern int sctp_delete_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid);
203 extern int sctp_auth_setactivekey(struct sctp_tcb *stcb, uint16_t keyid);
204 extern int sctp_auth_setactivekey_ep(struct sctp_inpcb *inp, uint16_t keyid);
205 extern int sctp_deact_sharedkey(struct sctp_tcb *stcb, uint16_t keyid);
206 extern int sctp_deact_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid);
207 
208 extern void
209 sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m,
210     uint32_t offset, uint32_t length);
211 extern void
212 sctp_fill_hmac_digest_m(struct mbuf *m, uint32_t auth_offset,
213     struct sctp_auth_chunk *auth, struct sctp_tcb *stcb, uint16_t key_id);
214 extern struct mbuf *
215 sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end,
216     struct sctp_auth_chunk **auth_ret, uint32_t * offset,
217     struct sctp_tcb *stcb, uint8_t chunk);
218 extern int
219 sctp_handle_auth(struct sctp_tcb *stcb, struct sctp_auth_chunk *ch,
220     struct mbuf *m, uint32_t offset);
221 extern void
222 sctp_notify_authentication(struct sctp_tcb *stcb,
223     uint32_t indication, uint16_t keyid, uint16_t alt_keyid, int so_locked);
224 extern int
225 sctp_validate_init_auth_params(struct mbuf *m, int offset,
226     int limit);
227 extern void
228 sctp_initialize_auth_params(struct sctp_inpcb *inp,
229     struct sctp_tcb *stcb);
230 
231 /* test functions */
232 #endif				/* __SCTP_AUTH_H__ */
233