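/*-
 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * a) Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * b) Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in
 * the documentation and/or other materials provided with the distribution.
 *
 * c) Neither the name of Cisco Systems, Inc. nor the names of its
 * contributors may be used to endorse or promote products derived
 * from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 * THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#ifndef _NETINET_SCTP_AUTH_H_
#define _NETINET_SCTP_AUTH_H_

#include <netinet/sctp_os.h>

/*
 * digest lengths (in bytes): SHA-1 yields a 20-byte digest, SHA-256 a
 * 32-byte one.  SCTP_AUTH_DIGEST_LEN_MAX is the largest digest any
 * supported HMAC produces and is the size to use for a digest buffer.
 */
#define SCTP_AUTH_DIGEST_LEN_SHA1 20
#define SCTP_AUTH_DIGEST_LEN_SHA256 32
#define SCTP_AUTH_DIGEST_LEN_MAX SCTP_AUTH_DIGEST_LEN_SHA256

/* random sizes (in bytes); RFC 4895 requires a 32-byte RANDOM parameter */
#define SCTP_AUTH_RANDOM_SIZE_DEFAULT 32
#define SCTP_AUTH_RANDOM_SIZE_REQUIRED 32

/* union of all supported HMAC algorithm contexts */
typedef union sctp_hash_context {
	SCTP_SHA1_CTX sha1;
	SCTP_SHA256_CTX sha256;
} sctp_hash_context_t;

/* a key blob: keylen bytes of key material stored inline after the header */
typedef struct sctp_key {
	uint32_t keylen;	/* number of bytes in key[] */
	uint8_t key[];		/* flexible array member, keylen bytes */
} sctp_key_t;

/* one shared key on an endpoint's / association's shared key list */
typedef struct sctp_shared_key {
	LIST_ENTRY(sctp_shared_key) next;
	sctp_key_t *key;	/* key text */
	uint32_t refcount;	/* reference count (see sctp_auth_key_acquire/release) */
	uint16_t keyid;		/* shared key ID */
	uint8_t deactivated;	/* key is deactivated */
} sctp_sharedkey_t;

/* list head type for sctp_sharedkey_t lists (sys/queue.h LIST macros) */
LIST_HEAD(sctp_keyhead, sctp_shared_key);

/*
 * authentication chunks list: chunks[] is indexed by the 8-bit chunk type,
 * hence exactly 256 entries; a non-zero entry marks a chunk type that must
 * be authenticated (see sctp_auth_is_required_chunk()).
 */
typedef struct sctp_auth_chklist {
	uint8_t chunks[256];
	uint8_t num_chunks;	/* presumably the count of non-zero entries */
} sctp_auth_chklist_t;

/* hmac algos supported list: hmac[] holds num_algo ids, room for max_algo */
typedef struct sctp_hmaclist {
	uint16_t max_algo;	/* max algorithms allocated */
	uint16_t num_algo;	/* num algorithms used */
	uint16_t hmac[];	/* flexible array member of HMAC identifiers */
} sctp_hmaclist_t;

/* authentication info: per-association key material and cached keys */
typedef struct sctp_authinformation {
	sctp_key_t *random;	/* local random key (concatenated) */
	uint32_t random_len;	/* local random number length for param */
	sctp_key_t *peer_random;/* peer's random key (concatenated) */
	sctp_key_t *assoc_key;	/* cached concatenated send key */
	sctp_key_t *recv_key;	/* cached concatenated recv key */
	uint16_t active_keyid;	/* active send keyid */
	uint16_t assoc_keyid;	/* current send keyid (cached) */
	uint16_t recv_keyid;	/* last recv keyid (cached) */
} sctp_authinfo_t;



/*
 * Macros
 */
/*
 * Non-zero when chunk type `chunk` must be authenticated according to
 * `list`; 0 when `list` is NULL.  Both arguments are fully parenthesized so
 * an expression argument cannot rebind; `list` is still evaluated twice, so
 * do not pass an expression with side effects.  chunks[] has 256 entries,
 * so `chunk` is only in bounds as a uint8_t (or any value below 256) -- the
 * sctp_auth_add_chunk()/sctp_auth_delete_chunk() prototypes below take a
 * uint8_t for the same reason.
 */
#define sctp_auth_is_required_chunk(chunk, list) \
	(((list) == NULL) ? (0) : ((list)->chunks[(chunk)] != 0))

/*
 * function prototypes
 */

/* socket option api functions */
extern sctp_auth_chklist_t *sctp_alloc_chunklist(void);
extern void sctp_free_chunklist(sctp_auth_chklist_t * chklist);
extern void sctp_clear_chunklist(sctp_auth_chklist_t * chklist);
extern sctp_auth_chklist_t *sctp_copy_chunklist(sctp_auth_chklist_t * chklist);
extern int sctp_auth_add_chunk(uint8_t chunk, sctp_auth_chklist_t * list);
extern int sctp_auth_delete_chunk(uint8_t chunk, sctp_auth_chklist_t * list);
extern size_t sctp_auth_get_chklist_size(const sctp_auth_chklist_t * list);
/* wire form of a chunk list: written into / read from caller-provided ptr */
extern int
sctp_serialize_auth_chunks(const sctp_auth_chklist_t * list,
    uint8_t * ptr);
extern int
sctp_pack_auth_chunks(const sctp_auth_chklist_t * list,
    uint8_t * ptr);
/* num_chunks bounds how many bytes are read from ptr */
extern int
sctp_unpack_auth_chunks(const uint8_t * ptr, uint8_t num_chunks,
    sctp_auth_chklist_t * list);

/* key handling: sctp_key_t objects are allocated here and released with sctp_free_key() */
extern sctp_key_t *sctp_alloc_key(uint32_t keylen);
extern void sctp_free_key(sctp_key_t * key);
extern void sctp_print_key(sctp_key_t * key, const char *str);
extern void sctp_show_key(sctp_key_t * key, const char *str);
extern sctp_key_t *sctp_generate_random_key(uint32_t keylen);
extern sctp_key_t *sctp_set_key(uint8_t * key, uint32_t keylen);
/* derives the association key from the two randoms and the shared key */
extern sctp_key_t *
sctp_compute_hashkey(sctp_key_t * key1, sctp_key_t * key2,
    sctp_key_t * shared);

/* shared key handling */
extern sctp_sharedkey_t *sctp_alloc_sharedkey(void);
extern void sctp_free_sharedkey(sctp_sharedkey_t * skey);
extern sctp_sharedkey_t *
sctp_find_sharedkey(struct sctp_keyhead *shared_keys,
    uint16_t key_id);
extern int
sctp_insert_sharedkey(struct sctp_keyhead *shared_keys,
    sctp_sharedkey_t * new_skey);
extern int
sctp_copy_skeylist(const struct sctp_keyhead *src,
    struct sctp_keyhead *dest);

/* ref counts on shared keys, by key id */
extern void sctp_auth_key_acquire(struct sctp_tcb *stcb, uint16_t keyid);
extern void
sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t keyid,
    int so_locked);


/* hmac list handling */
extern sctp_hmaclist_t *sctp_alloc_hmaclist(uint16_t num_hmacs);
extern void sctp_free_hmaclist(sctp_hmaclist_t * list);
extern int sctp_auth_add_hmacid(sctp_hmaclist_t * list, uint16_t hmac_id);
extern sctp_hmaclist_t *sctp_copy_hmaclist(sctp_hmaclist_t * list);
extern sctp_hmaclist_t *sctp_default_supported_hmaclist(void);
/* picks the HMAC id to use given the peer's and our own supported lists */
extern uint16_t
sctp_negotiate_hmacid(sctp_hmaclist_t * peer,
    sctp_hmaclist_t * local);
extern int sctp_serialize_hmaclist(sctp_hmaclist_t * list, uint8_t * ptr);
/* validates a received HMAC-ALGO parameter of num_hmacs entries */
extern int
sctp_verify_hmac_param(struct sctp_auth_hmac_algo *hmacs,
    uint32_t num_hmacs);

extern sctp_authinfo_t *sctp_alloc_authinfo(void);
extern void sctp_free_authinfo(sctp_authinfo_t * authinfo);

/* keyed-HMAC functions */
extern uint32_t sctp_get_auth_chunk_len(uint16_t hmac_algo);
extern uint32_t sctp_get_hmac_digest_len(uint16_t hmac_algo);
/* writes the HMAC of text into digest; digest must hold SCTP_AUTH_DIGEST_LEN_MAX bytes */
extern uint32_t
sctp_hmac(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
    uint8_t * text, uint32_t textlen, uint8_t * digest);
/*
 * Recomputes the HMAC over text and compares it with the digestlen bytes at
 * digest.  NOTE(review): the comparison in the implementation should be
 * constant-time so a mismatch does not leak how many bytes matched -- confirm.
 */
extern int
sctp_verify_hmac(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
    uint8_t * text, uint32_t textlen, uint8_t * digest, uint32_t digestlen);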
/* like sctp_hmac() but takes the key as an sctp_key_t */
extern uint32_t
sctp_compute_hmac(uint16_t hmac_algo, sctp_key_t * key,
    uint8_t * text, uint32_t textlen, uint8_t * digest);
extern int sctp_auth_is_supported_hmac(sctp_hmaclist_t * list, uint16_t id);

/* mbuf versions: hash the chain starting m_offset bytes into m */
extern uint32_t
sctp_hmac_m(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
    struct mbuf *m, uint32_t m_offset, uint8_t * digest, uint32_t trailer);	/* trailer: presumably bytes at the end of the chain to exclude -- confirm */
extern uint32_t
sctp_compute_hmac_m(uint16_t hmac_algo, sctp_key_t * key,
    struct mbuf *m, uint32_t m_offset, uint8_t * digest);

/*
 * authentication routines
 * (the _ep variants act on an endpoint, struct sctp_inpcb; the others on
 * an association, struct sctp_tcb)
 */
extern void sctp_clear_cachedkeys(struct sctp_tcb *stcb, uint16_t keyid);
extern void sctp_clear_cachedkeys_ep(struct sctp_inpcb *inp, uint16_t keyid);
extern int sctp_delete_sharedkey(struct sctp_tcb *stcb, uint16_t keyid);
extern int sctp_delete_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid);
extern int sctp_auth_setactivekey(struct sctp_tcb *stcb, uint16_t keyid);
extern int sctp_auth_setactivekey_ep(struct sctp_inpcb *inp, uint16_t keyid);
extern int sctp_deact_sharedkey(struct sctp_tcb *stcb, uint16_t keyid);
extern int sctp_deact_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid);

/* reads the AUTH-related parameters out of length bytes of cookie at offset */
extern void
sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m,
    uint32_t offset, uint32_t length);
/* fills in the HMAC of an outgoing AUTH chunk already placed in m at auth_offset */
extern void
sctp_fill_hmac_digest_m(struct mbuf *m, uint32_t auth_offset,
    struct sctp_auth_chunk *auth, struct sctp_tcb *stcb, uint16_t key_id);
/*
 * Appends an AUTH chunk for `chunk` if it is required; returns the (possibly
 * new) chain, updating *m_end, *auth_ret and *offset -- their exact meaning
 * is defined by the implementation, not visible here.
 */
extern struct mbuf *
sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end,
    struct sctp_auth_chunk **auth_ret, uint32_t * offset,
    struct sctp_tcb *stcb, uint8_t chunk);
/* verifies a received AUTH chunk ch found at offset in m; int result, semantics per the .c */
extern int
sctp_handle_auth(struct sctp_tcb *stcb, struct sctp_auth_chunk *ch,
    struct mbuf *m, uint32_t offset);
extern void
sctp_notify_authentication(struct sctp_tcb *stcb,
    uint32_t indication, uint16_t keyid, uint16_t alt_keyid, int so_locked);
/*
 * Checks the AUTH parameters of an INIT/INIT-ACK between offset and limit.
 * NOTE(review): offset/limit are signed int here while the other mbuf
 * walkers above take uint32_t; the implementation should reject negative or
 * out-of-range values before indexing into m -- confirm.
 */
extern int
sctp_validate_init_auth_params(struct mbuf *m, int offset,
    int limit);
extern void
sctp_initialize_auth_params(struct sctp_inpcb *inp,
    struct sctp_tcb *stcb);

/* test functions (none declared in this revision) */
#endif				/* _NETINET_SCTP_AUTH_H_ */