xref: /freebsd/sys/netinet/sctp_auth.h (revision eb69d1f144a6fcc765d1b9d44a5ae8082353e70b)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
5  * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
6  * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions are met:
10  *
11  * a) Redistributions of source code must retain the above copyright notice,
12  *    this list of conditions and the following disclaimer.
13  *
14  * b) Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in
16  *    the documentation and/or other materials provided with the distribution.
17  *
18  * c) Neither the name of Cisco Systems, Inc. nor the names of its
19  *    contributors may be used to endorse or promote products derived
20  *    from this software without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
24  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
26  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
27  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
28  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
29  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
30  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
31  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
32  * THE POSSIBILITY OF SUCH DAMAGE.
33  */
34 
35 #include <sys/cdefs.h>
36 __FBSDID("$FreeBSD$");
37 
38 #ifndef _NETINET_SCTP_AUTH_H_
39 #define _NETINET_SCTP_AUTH_H_
40 
41 #include <netinet/sctp_os.h>
42 
43 /* digest lengths */
44 #define SCTP_AUTH_DIGEST_LEN_SHA1	20
45 #define SCTP_AUTH_DIGEST_LEN_SHA256	32
46 #define SCTP_AUTH_DIGEST_LEN_MAX	SCTP_AUTH_DIGEST_LEN_SHA256
47 
48 /* random sizes */
49 #define SCTP_AUTH_RANDOM_SIZE_DEFAULT	32
50 #define SCTP_AUTH_RANDOM_SIZE_REQUIRED	32
51 
52 /* union of all supported HMAC algorithm contexts */
53 typedef union sctp_hash_context {
54 	SCTP_SHA1_CTX sha1;
55 	SCTP_SHA256_CTX sha256;
56 } sctp_hash_context_t;
57 
58 typedef struct sctp_key {
59 	uint32_t keylen;
60 	uint8_t key[];
61 } sctp_key_t;
62 
63 typedef struct sctp_shared_key {
64 	LIST_ENTRY(sctp_shared_key) next;
65 	sctp_key_t *key;	/* key text */
66 	uint32_t refcount;	/* reference count */
67 	uint16_t keyid;		/* shared key ID */
68 	uint8_t deactivated;	/* key is deactivated */
69 } sctp_sharedkey_t;
70 
71 LIST_HEAD(sctp_keyhead, sctp_shared_key);
72 
73 /* authentication chunks list */
74 typedef struct sctp_auth_chklist {
75 	uint8_t chunks[256];
76 	uint8_t num_chunks;
77 } sctp_auth_chklist_t;
78 
79 /* hmac algos supported list */
80 typedef struct sctp_hmaclist {
81 	uint16_t max_algo;	/* max algorithms allocated */
82 	uint16_t num_algo;	/* num algorithms used */
83 	uint16_t hmac[];
84 } sctp_hmaclist_t;
85 
86 /* authentication info */
87 typedef struct sctp_authinformation {
88 	sctp_key_t *random;	/* local random key (concatenated) */
89 	uint32_t random_len;	/* local random number length for param */
90 	sctp_key_t *peer_random;/* peer's random key (concatenated) */
91 	sctp_key_t *assoc_key;	/* cached concatenated send key */
92 	sctp_key_t *recv_key;	/* cached concatenated recv key */
93 	uint16_t active_keyid;	/* active send keyid */
94 	uint16_t assoc_keyid;	/* current send keyid (cached) */
95 	uint16_t recv_keyid;	/* last recv keyid (cached) */
96 } sctp_authinfo_t;
97 
98 
99 
100 /*
101  * Macros
102  */
103 #define sctp_auth_is_required_chunk(chunk, list) ((list == NULL) ? (0) : (list->chunks[chunk] != 0))
104 
105 /*
106  * function prototypes
107  */
108 
109 /* socket option api functions */
110 extern sctp_auth_chklist_t *sctp_alloc_chunklist(void);
111 extern void sctp_free_chunklist(sctp_auth_chklist_t *chklist);
112 extern void sctp_clear_chunklist(sctp_auth_chklist_t *chklist);
113 extern sctp_auth_chklist_t *sctp_copy_chunklist(sctp_auth_chklist_t *chklist);
114 extern int sctp_auth_add_chunk(uint8_t chunk, sctp_auth_chklist_t *list);
115 extern int sctp_auth_delete_chunk(uint8_t chunk, sctp_auth_chklist_t *list);
116 extern size_t sctp_auth_get_chklist_size(const sctp_auth_chklist_t *list);
117 extern int
118 sctp_serialize_auth_chunks(const sctp_auth_chklist_t *list,
119     uint8_t *ptr);
120 extern int
121 sctp_pack_auth_chunks(const sctp_auth_chklist_t *list,
122     uint8_t *ptr);
123 extern int
124 sctp_unpack_auth_chunks(const uint8_t *ptr, uint8_t num_chunks,
125     sctp_auth_chklist_t *list);
126 
127 /* key handling */
128 extern sctp_key_t *sctp_alloc_key(uint32_t keylen);
129 extern void sctp_free_key(sctp_key_t *key);
130 extern void sctp_print_key(sctp_key_t *key, const char *str);
131 extern void sctp_show_key(sctp_key_t *key, const char *str);
132 extern sctp_key_t *sctp_generate_random_key(uint32_t keylen);
133 extern sctp_key_t *sctp_set_key(uint8_t *key, uint32_t keylen);
134 extern sctp_key_t *
135 sctp_compute_hashkey(sctp_key_t *key1, sctp_key_t *key2,
136     sctp_key_t *shared);
137 
138 /* shared key handling */
139 extern sctp_sharedkey_t *sctp_alloc_sharedkey(void);
140 extern void sctp_free_sharedkey(sctp_sharedkey_t *skey);
141 extern sctp_sharedkey_t *
142 sctp_find_sharedkey(struct sctp_keyhead *shared_keys,
143     uint16_t key_id);
144 extern int
145 sctp_insert_sharedkey(struct sctp_keyhead *shared_keys,
146     sctp_sharedkey_t *new_skey);
147 extern int
148 sctp_copy_skeylist(const struct sctp_keyhead *src,
149     struct sctp_keyhead *dest);
150 
151 /* ref counts on shared keys, by key id */
152 extern void sctp_auth_key_acquire(struct sctp_tcb *stcb, uint16_t keyid);
153 extern void
154 sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t keyid,
155     int so_locked);
156 
157 
158 /* hmac list handling */
159 extern sctp_hmaclist_t *sctp_alloc_hmaclist(uint16_t num_hmacs);
160 extern void sctp_free_hmaclist(sctp_hmaclist_t *list);
161 extern int sctp_auth_add_hmacid(sctp_hmaclist_t *list, uint16_t hmac_id);
162 extern sctp_hmaclist_t *sctp_copy_hmaclist(sctp_hmaclist_t *list);
163 extern sctp_hmaclist_t *sctp_default_supported_hmaclist(void);
164 extern uint16_t
165 sctp_negotiate_hmacid(sctp_hmaclist_t *peer,
166     sctp_hmaclist_t *local);
167 extern int sctp_serialize_hmaclist(sctp_hmaclist_t *list, uint8_t *ptr);
168 extern int
169 sctp_verify_hmac_param(struct sctp_auth_hmac_algo *hmacs,
170     uint32_t num_hmacs);
171 
172 extern sctp_authinfo_t *sctp_alloc_authinfo(void);
173 extern void sctp_free_authinfo(sctp_authinfo_t *authinfo);
174 
175 /* keyed-HMAC functions */
176 extern uint32_t sctp_get_auth_chunk_len(uint16_t hmac_algo);
177 extern uint32_t sctp_get_hmac_digest_len(uint16_t hmac_algo);
178 extern uint32_t
179 sctp_hmac(uint16_t hmac_algo, uint8_t *key, uint32_t keylen,
180     uint8_t *text, uint32_t textlen, uint8_t *digest);
181 extern int
182 sctp_verify_hmac(uint16_t hmac_algo, uint8_t *key, uint32_t keylen,
183     uint8_t *text, uint32_t textlen, uint8_t *digest, uint32_t digestlen);
184 extern uint32_t
185 sctp_compute_hmac(uint16_t hmac_algo, sctp_key_t *key,
186     uint8_t *text, uint32_t textlen, uint8_t *digest);
187 extern int sctp_auth_is_supported_hmac(sctp_hmaclist_t *list, uint16_t id);
188 
189 /* mbuf versions */
190 extern uint32_t
191 sctp_hmac_m(uint16_t hmac_algo, uint8_t *key, uint32_t keylen,
192     struct mbuf *m, uint32_t m_offset, uint8_t *digest, uint32_t trailer);
193 extern uint32_t
194 sctp_compute_hmac_m(uint16_t hmac_algo, sctp_key_t *key,
195     struct mbuf *m, uint32_t m_offset, uint8_t *digest);
196 
197 /*
198  * authentication routines
199  */
200 extern void sctp_clear_cachedkeys(struct sctp_tcb *stcb, uint16_t keyid);
201 extern void sctp_clear_cachedkeys_ep(struct sctp_inpcb *inp, uint16_t keyid);
202 extern int sctp_delete_sharedkey(struct sctp_tcb *stcb, uint16_t keyid);
203 extern int sctp_delete_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid);
204 extern int sctp_auth_setactivekey(struct sctp_tcb *stcb, uint16_t keyid);
205 extern int sctp_auth_setactivekey_ep(struct sctp_inpcb *inp, uint16_t keyid);
206 extern int sctp_deact_sharedkey(struct sctp_tcb *stcb, uint16_t keyid);
207 extern int sctp_deact_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid);
208 
209 extern void
210 sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m,
211     uint32_t offset, uint32_t length);
212 extern void
213 sctp_fill_hmac_digest_m(struct mbuf *m, uint32_t auth_offset,
214     struct sctp_auth_chunk *auth, struct sctp_tcb *stcb, uint16_t key_id);
215 extern struct mbuf *
216 sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end,
217     struct sctp_auth_chunk **auth_ret, uint32_t *offset,
218     struct sctp_tcb *stcb, uint8_t chunk);
219 extern int
220 sctp_handle_auth(struct sctp_tcb *stcb, struct sctp_auth_chunk *ch,
221     struct mbuf *m, uint32_t offset);
222 extern void
223 sctp_notify_authentication(struct sctp_tcb *stcb,
224     uint32_t indication, uint16_t keyid, uint16_t alt_keyid, int so_locked);
225 extern int
226 sctp_validate_init_auth_params(struct mbuf *m, int offset,
227     int limit);
228 extern void
229 sctp_initialize_auth_params(struct sctp_inpcb *inp,
230     struct sctp_tcb *stcb);
231 
232 /* test functions */
233 #endif				/* __SCTP_AUTH_H__ */
234