1 /*- 2 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved. 3 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved. 4 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions are met: 8 * 9 * a) Redistributions of source code must retain the above copyright notice, 10 * this list of conditions and the following disclaimer. 11 * 12 * b) Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the distribution. 15 * 16 * c) Neither the name of Cisco Systems, Inc. nor the names of its 17 * contributors may be used to endorse or promote products derived 18 * from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 30 * THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __FBSDID("$FreeBSD$"); 35 36 #ifndef _NETINET_SCTP_AUTH_H_ 37 #define _NETINET_SCTP_AUTH_H_ 38 39 40 /* digest lengths */ 41 #define SCTP_AUTH_DIGEST_LEN_SHA1 20 42 #define SCTP_AUTH_DIGEST_LEN_SHA224 28 43 #define SCTP_AUTH_DIGEST_LEN_SHA256 32 44 #define SCTP_AUTH_DIGEST_LEN_SHA384 48 45 #define SCTP_AUTH_DIGEST_LEN_SHA512 64 46 #define SCTP_AUTH_DIGEST_LEN_MAX 64 47 48 /* random sizes */ 49 #define SCTP_AUTH_RANDOM_SIZE_DEFAULT 32 50 #define SCTP_AUTH_RANDOM_SIZE_REQUIRED 32 51 #define SCTP_AUTH_RANDOM_SIZE_MAX 256 52 53 /* union of all supported HMAC algorithm contexts */ 54 typedef union sctp_hash_context { 55 SHA1_CTX sha1; 56 #ifdef HAVE_SHA2 57 SHA256_CTX sha256; 58 SHA384_CTX sha384; 59 SHA512_CTX sha512; 60 #endif 61 } sctp_hash_context_t; 62 63 typedef struct sctp_key { 64 uint32_t keylen; 65 uint8_t key[]; 66 } sctp_key_t; 67 68 typedef struct sctp_shared_key { 69 LIST_ENTRY(sctp_shared_key) next; 70 sctp_key_t *key; /* key text */ 71 uint32_t refcount; /* reference count */ 72 uint16_t keyid; /* shared key ID */ 73 uint8_t deactivated; /* key is deactivated */ 74 } sctp_sharedkey_t; 75 76 LIST_HEAD(sctp_keyhead, sctp_shared_key); 77 78 /* authentication chunks list */ 79 typedef struct sctp_auth_chklist { 80 uint8_t chunks[256]; 81 uint8_t num_chunks; 82 } sctp_auth_chklist_t; 83 84 /* hmac algos supported list */ 85 typedef struct sctp_hmaclist { 86 uint16_t max_algo; /* max algorithms allocated */ 87 uint16_t num_algo; /* num algorithms used */ 88 uint16_t hmac[]; 89 } sctp_hmaclist_t; 90 91 /* authentication info */ 92 typedef struct sctp_authinformation { 93 sctp_key_t *random; /* local random key (concatenated) */ 94 uint32_t random_len; /* local random number length for param */ 95 sctp_key_t *peer_random;/* peer's random key (concatenated) */ 96 sctp_key_t *assoc_key; /* cached concatenated send key */ 97 sctp_key_t *recv_key; /* cached concatenated recv key */ 98 uint16_t active_keyid; /* active send keyid */ 99 uint16_t assoc_keyid; /* current send keyid (cached) */ 100 uint16_t recv_keyid; /* last recv keyid (cached) */ 101 } sctp_authinfo_t; 102 103 104 105 /* 106 * Macros 107 */ 108 #define sctp_auth_is_required_chunk(chunk, list) ((list == NULL) ? (0) : (list->chunks[chunk] != 0)) 109 110 /* 111 * function prototypes 112 */ 113 114 /* socket option api functions */ 115 extern sctp_auth_chklist_t *sctp_alloc_chunklist(void); 116 extern void sctp_free_chunklist(sctp_auth_chklist_t * chklist); 117 extern void sctp_clear_chunklist(sctp_auth_chklist_t * chklist); 118 extern sctp_auth_chklist_t *sctp_copy_chunklist(sctp_auth_chklist_t * chklist); 119 extern int sctp_auth_add_chunk(uint8_t chunk, sctp_auth_chklist_t * list); 120 extern int sctp_auth_delete_chunk(uint8_t chunk, sctp_auth_chklist_t * list); 121 extern size_t sctp_auth_get_chklist_size(const sctp_auth_chklist_t * list); 122 extern void sctp_auth_set_default_chunks(sctp_auth_chklist_t * list); 123 extern int 124 sctp_serialize_auth_chunks(const sctp_auth_chklist_t * list, 125 uint8_t * ptr); 126 extern int 127 sctp_pack_auth_chunks(const sctp_auth_chklist_t * list, 128 uint8_t * ptr); 129 extern int 130 sctp_unpack_auth_chunks(const uint8_t * ptr, uint8_t num_chunks, 131 sctp_auth_chklist_t * list); 132 133 /* key handling */ 134 extern sctp_key_t *sctp_alloc_key(uint32_t keylen); 135 extern void sctp_free_key(sctp_key_t * key); 136 extern void sctp_print_key(sctp_key_t * key, const char *str); 137 extern void sctp_show_key(sctp_key_t * key, const char *str); 138 extern sctp_key_t *sctp_generate_random_key(uint32_t keylen); 139 extern sctp_key_t *sctp_set_key(uint8_t * key, uint32_t keylen); 140 extern sctp_key_t * 141 sctp_compute_hashkey(sctp_key_t * key1, sctp_key_t * key2, 142 sctp_key_t * shared); 143 144 /* shared key handling */ 145 extern sctp_sharedkey_t *sctp_alloc_sharedkey(void); 146 extern void sctp_free_sharedkey(sctp_sharedkey_t * skey); 147 extern sctp_sharedkey_t * 148 sctp_find_sharedkey(struct sctp_keyhead *shared_keys, 149 uint16_t key_id); 150 extern int 151 sctp_insert_sharedkey(struct sctp_keyhead *shared_keys, 152 sctp_sharedkey_t * new_skey); 153 extern int 154 sctp_copy_skeylist(const struct sctp_keyhead *src, 155 struct sctp_keyhead *dest); 156 157 /* ref counts on shared keys, by key id */ 158 extern void sctp_auth_key_acquire(struct sctp_tcb *stcb, uint16_t keyid); 159 extern void 160 sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t keyid, 161 int so_locked); 162 163 164 /* hmac list handling */ 165 extern sctp_hmaclist_t *sctp_alloc_hmaclist(uint8_t num_hmacs); 166 extern void sctp_free_hmaclist(sctp_hmaclist_t * list); 167 extern int sctp_auth_add_hmacid(sctp_hmaclist_t * list, uint16_t hmac_id); 168 extern sctp_hmaclist_t *sctp_copy_hmaclist(sctp_hmaclist_t * list); 169 extern sctp_hmaclist_t *sctp_default_supported_hmaclist(void); 170 extern uint16_t 171 sctp_negotiate_hmacid(sctp_hmaclist_t * peer, 172 sctp_hmaclist_t * local); 173 extern int sctp_serialize_hmaclist(sctp_hmaclist_t * list, uint8_t * ptr); 174 extern int 175 sctp_verify_hmac_param(struct sctp_auth_hmac_algo *hmacs, 176 uint32_t num_hmacs); 177 178 extern sctp_authinfo_t *sctp_alloc_authinfo(void); 179 extern void sctp_free_authinfo(sctp_authinfo_t * authinfo); 180 181 /* keyed-HMAC functions */ 182 extern uint32_t sctp_get_auth_chunk_len(uint16_t hmac_algo); 183 extern uint32_t sctp_get_hmac_digest_len(uint16_t hmac_algo); 184 extern uint32_t 185 sctp_hmac(uint16_t hmac_algo, uint8_t * key, uint32_t keylen, 186 uint8_t * text, uint32_t textlen, uint8_t * digest); 187 extern int 188 sctp_verify_hmac(uint16_t hmac_algo, uint8_t * key, uint32_t keylen, 189 uint8_t * text, uint32_t textlen, uint8_t * digest, uint32_t digestlen); 190 extern uint32_t 191 sctp_compute_hmac(uint16_t hmac_algo, sctp_key_t * key, 192 uint8_t * text, uint32_t textlen, uint8_t * digest); 193 extern int sctp_auth_is_supported_hmac(sctp_hmaclist_t * list, uint16_t id); 194 195 /* mbuf versions */ 196 extern uint32_t 197 sctp_hmac_m(uint16_t hmac_algo, uint8_t * key, uint32_t keylen, 198 struct mbuf *m, uint32_t m_offset, uint8_t * digest, uint32_t trailer); 199 extern uint32_t 200 sctp_compute_hmac_m(uint16_t hmac_algo, sctp_key_t * key, 201 struct mbuf *m, uint32_t m_offset, uint8_t * digest); 202 203 /* 204 * authentication routines 205 */ 206 extern void sctp_clear_cachedkeys(struct sctp_tcb *stcb, uint16_t keyid); 207 extern void sctp_clear_cachedkeys_ep(struct sctp_inpcb *inp, uint16_t keyid); 208 extern int sctp_delete_sharedkey(struct sctp_tcb *stcb, uint16_t keyid); 209 extern int sctp_delete_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid); 210 extern int sctp_auth_setactivekey(struct sctp_tcb *stcb, uint16_t keyid); 211 extern int sctp_auth_setactivekey_ep(struct sctp_inpcb *inp, uint16_t keyid); 212 extern int sctp_deact_sharedkey(struct sctp_tcb *stcb, uint16_t keyid); 213 extern int sctp_deact_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid); 214 215 extern void 216 sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m, 217 uint32_t offset, uint32_t length); 218 extern void 219 sctp_fill_hmac_digest_m(struct mbuf *m, uint32_t auth_offset, 220 struct sctp_auth_chunk *auth, struct sctp_tcb *stcb, uint16_t key_id); 221 extern struct mbuf * 222 sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end, 223 struct sctp_auth_chunk **auth_ret, uint32_t * offset, 224 struct sctp_tcb *stcb, uint8_t chunk); 225 extern int 226 sctp_handle_auth(struct sctp_tcb *stcb, struct sctp_auth_chunk *ch, 227 struct mbuf *m, uint32_t offset); 228 extern void 229 sctp_notify_authentication(struct sctp_tcb *stcb, 230 uint32_t indication, uint16_t keyid, uint16_t alt_keyid, int so_locked); 231 extern int 232 sctp_validate_init_auth_params(struct mbuf *m, int offset, 233 int limit); 234 extern void 235 sctp_initialize_auth_params(struct sctp_inpcb *inp, 236 struct sctp_tcb *stcb); 237 238 /* test functions */ 239 #endif /* __SCTP_AUTH_H__ */ 240