1/*- 2 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved. 3 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved. 4 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions are met: 8 * 9 * a) Redistributions of source code must retain the above copyright notice, 10 * this list of conditions and the following disclaimer. 11 * 12 * b) Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the distribution. 15 * 16 * c) Neither the name of Cisco Systems, Inc. nor the names of its 17 * contributors may be used to endorse or promote products derived 18 * from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 30 * THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33#ifdef __FreeBSD__ 34#include <sys/cdefs.h> 35__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.h 269858 2014-08-12 11:30:16Z tuexen $"); 36#endif 37 38#ifndef _NETINET_SCTP_AUTH_H_ 39#define _NETINET_SCTP_AUTH_H_ 40 41#include <netinet/sctp_os.h> 42 43/* digest lengths */ 44#define SCTP_AUTH_DIGEST_LEN_SHA1 20 45#define SCTP_AUTH_DIGEST_LEN_SHA256 32 46#define SCTP_AUTH_DIGEST_LEN_MAX SCTP_AUTH_DIGEST_LEN_SHA256 47 48/* random sizes */ 49#define SCTP_AUTH_RANDOM_SIZE_DEFAULT 32 50#define SCTP_AUTH_RANDOM_SIZE_REQUIRED 32 51 52/* union of all supported HMAC algorithm contexts */ 53typedef union sctp_hash_context { 54 SCTP_SHA1_CTX sha1; 55#if defined(SCTP_SUPPORT_HMAC_SHA256) 56 SCTP_SHA256_CTX sha256; 57#endif 58} sctp_hash_context_t; 59 60typedef struct sctp_key { 61 uint32_t keylen; 62 uint8_t key[]; 63} sctp_key_t; 64 65typedef struct sctp_shared_key { 66 LIST_ENTRY(sctp_shared_key) next; 67 sctp_key_t *key; /* key text */ 68 uint32_t refcount; /* reference count */ 69 uint16_t keyid; /* shared key ID */ 70 uint8_t deactivated; /* key is deactivated */ 71} sctp_sharedkey_t; 72 73LIST_HEAD(sctp_keyhead, sctp_shared_key); 74 75/* authentication chunks list */ 76typedef struct sctp_auth_chklist { 77 uint8_t chunks[256]; 78 uint8_t num_chunks; 79} sctp_auth_chklist_t; 80 81/* hmac algos supported list */ 82typedef struct sctp_hmaclist { 83 uint16_t max_algo; /* max algorithms allocated */ 84 uint16_t num_algo; /* num algorithms used */ 85 uint16_t hmac[]; 86} sctp_hmaclist_t; 87 88/* authentication info */ 89typedef struct sctp_authinformation { 90 sctp_key_t *random; /* local random key (concatenated) */ 91 uint32_t random_len; /* local random number length for param */ 92 sctp_key_t *peer_random;/* peer's random key (concatenated) */ 93 sctp_key_t *assoc_key; /* cached concatenated send key */ 94 sctp_key_t *recv_key; /* cached concatenated recv key */ 95 uint16_t active_keyid; /* active send keyid */ 96 uint16_t assoc_keyid; /* current send keyid (cached) */ 97 uint16_t recv_keyid; /* last recv keyid (cached) */ 98} sctp_authinfo_t; 99 100 101 102/* 103 * Macros 104 */ 105#define sctp_auth_is_required_chunk(chunk, list) ((list == NULL) ? (0) : (list->chunks[chunk] != 0)) 106 107/* 108 * function prototypes 109 */ 110 111/* socket option api functions */ 112extern sctp_auth_chklist_t *sctp_alloc_chunklist(void); 113extern void sctp_free_chunklist(sctp_auth_chklist_t *chklist); 114extern void sctp_clear_chunklist(sctp_auth_chklist_t *chklist); 115extern sctp_auth_chklist_t *sctp_copy_chunklist(sctp_auth_chklist_t *chklist); 116extern int sctp_auth_add_chunk(uint8_t chunk, sctp_auth_chklist_t *list); 117extern int sctp_auth_delete_chunk(uint8_t chunk, sctp_auth_chklist_t *list); 118extern size_t sctp_auth_get_chklist_size(const sctp_auth_chklist_t *list); 119extern int sctp_serialize_auth_chunks(const sctp_auth_chklist_t *list, 120 uint8_t *ptr); 121extern int sctp_pack_auth_chunks(const sctp_auth_chklist_t *list, 122 uint8_t *ptr); 123extern int sctp_unpack_auth_chunks(const uint8_t *ptr, uint8_t num_chunks, 124 sctp_auth_chklist_t *list); 125 126/* key handling */ 127extern sctp_key_t *sctp_alloc_key(uint32_t keylen); 128extern void sctp_free_key(sctp_key_t *key); 129extern void sctp_print_key(sctp_key_t *key, const char *str); 130extern void sctp_show_key(sctp_key_t *key, const char *str); 131extern sctp_key_t *sctp_generate_random_key(uint32_t keylen); 132extern sctp_key_t *sctp_set_key(uint8_t *key, uint32_t keylen); 133extern sctp_key_t *sctp_compute_hashkey(sctp_key_t *key1, sctp_key_t *key2, 134 sctp_key_t *shared); 135 136/* shared key handling */ 137extern sctp_sharedkey_t *sctp_alloc_sharedkey(void); 138extern void sctp_free_sharedkey(sctp_sharedkey_t *skey); 139extern sctp_sharedkey_t *sctp_find_sharedkey(struct sctp_keyhead *shared_keys, 140 uint16_t key_id); 141extern int sctp_insert_sharedkey(struct sctp_keyhead *shared_keys, 142 sctp_sharedkey_t *new_skey); 143extern int sctp_copy_skeylist(const struct sctp_keyhead *src, 144 struct sctp_keyhead *dest); 145/* ref counts on shared keys, by key id */ 146extern void sctp_auth_key_acquire(struct sctp_tcb *stcb, uint16_t keyid); 147extern void sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t keyid, 148 int so_locked); 149 150 151/* hmac list handling */ 152extern sctp_hmaclist_t *sctp_alloc_hmaclist(uint8_t num_hmacs); 153extern void sctp_free_hmaclist(sctp_hmaclist_t *list); 154extern int sctp_auth_add_hmacid(sctp_hmaclist_t *list, uint16_t hmac_id); 155extern sctp_hmaclist_t *sctp_copy_hmaclist(sctp_hmaclist_t *list); 156extern sctp_hmaclist_t *sctp_default_supported_hmaclist(void); 157extern uint16_t sctp_negotiate_hmacid(sctp_hmaclist_t *peer, 158 sctp_hmaclist_t *local); 159extern int sctp_serialize_hmaclist(sctp_hmaclist_t *list, uint8_t *ptr); 160extern int sctp_verify_hmac_param(struct sctp_auth_hmac_algo *hmacs, 161 uint32_t num_hmacs); 162 163extern sctp_authinfo_t *sctp_alloc_authinfo(void); 164extern void sctp_free_authinfo(sctp_authinfo_t *authinfo); 165 166/* keyed-HMAC functions */ 167extern uint32_t sctp_get_auth_chunk_len(uint16_t hmac_algo); 168extern uint32_t sctp_get_hmac_digest_len(uint16_t hmac_algo); 169extern uint32_t sctp_hmac(uint16_t hmac_algo, uint8_t *key, uint32_t keylen, 170 uint8_t *text, uint32_t textlen, uint8_t *digest); 171extern int sctp_verify_hmac(uint16_t hmac_algo, uint8_t *key, uint32_t keylen, 172 uint8_t *text, uint32_t textlen, uint8_t *digest, uint32_t digestlen); 173extern uint32_t sctp_compute_hmac(uint16_t hmac_algo, sctp_key_t *key, 174 uint8_t *text, uint32_t textlen, uint8_t *digest); 175extern int sctp_auth_is_supported_hmac(sctp_hmaclist_t *list, uint16_t id); 176 177/* mbuf versions */ 178extern uint32_t sctp_hmac_m(uint16_t hmac_algo, uint8_t *key, uint32_t keylen, 179 struct mbuf *m, uint32_t m_offset, uint8_t *digest, uint32_t trailer); 180extern uint32_t sctp_compute_hmac_m(uint16_t hmac_algo, sctp_key_t *key, 181 struct mbuf *m, uint32_t m_offset, uint8_t *digest); 182 183/* 184 * authentication routines 185 */ 186extern void sctp_clear_cachedkeys(struct sctp_tcb *stcb, uint16_t keyid); 187extern void sctp_clear_cachedkeys_ep(struct sctp_inpcb *inp, uint16_t keyid); 188extern int sctp_delete_sharedkey(struct sctp_tcb *stcb, uint16_t keyid); 189extern int sctp_delete_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid); 190extern int sctp_auth_setactivekey(struct sctp_tcb *stcb, uint16_t keyid); 191extern int sctp_auth_setactivekey_ep(struct sctp_inpcb *inp, uint16_t keyid); 192extern int sctp_deact_sharedkey(struct sctp_tcb *stcb, uint16_t keyid); 193extern int sctp_deact_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid); 194 195extern void sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m, 196 uint32_t offset, uint32_t length); 197extern void sctp_fill_hmac_digest_m(struct mbuf *m, uint32_t auth_offset, 198 struct sctp_auth_chunk *auth, struct sctp_tcb *stcb, uint16_t key_id); 199extern struct mbuf *sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end, 200 struct sctp_auth_chunk **auth_ret, uint32_t *offset, 201 struct sctp_tcb *stcb, uint8_t chunk); 202extern int sctp_handle_auth(struct sctp_tcb *stcb, struct sctp_auth_chunk *ch, 203 struct mbuf *m, uint32_t offset); 204extern void sctp_notify_authentication(struct sctp_tcb *stcb, 205 uint32_t indication, uint16_t keyid, uint16_t alt_keyid, int so_locked); 206extern int sctp_validate_init_auth_params(struct mbuf *m, int offset, 207 int limit); 208extern void sctp_initialize_auth_params(struct sctp_inpcb *inp, 209 struct sctp_tcb *stcb); 210 211/* test functions */ 212#ifdef SCTP_HMAC_TEST 213extern void sctp_test_hmac_sha1(void); 214extern void sctp_test_authkey(void); 215#endif 216#endif /* __SCTP_AUTH_H__ */ 217