1169691Skan/*-
2169691Skan * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
3169691Skan * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
4169691Skan * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
5169691Skan *
6169691Skan * Redistribution and use in source and binary forms, with or without
7169691Skan * modification, are permitted provided that the following conditions are met:
8169691Skan *
9169691Skan * a) Redistributions of source code must retain the above copyright notice,
10169691Skan *    this list of conditions and the following disclaimer.
11169691Skan *
12169691Skan * b) Redistributions in binary form must reproduce the above copyright
13169691Skan *    notice, this list of conditions and the following disclaimer in
14169691Skan *    the documentation and/or other materials provided with the distribution.
15169691Skan *
16169691Skan * c) Neither the name of Cisco Systems, Inc. nor the names of its
17169691Skan *    contributors may be used to endorse or promote products derived
18169691Skan *    from this software without specific prior written permission.
19169691Skan *
20169691Skan * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21169691Skan * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22169691Skan * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23169691Skan * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24169691Skan * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25169691Skan * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26169691Skan * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27169691Skan * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28169691Skan * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29169691Skan * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30169691Skan * THE POSSIBILITY OF SUCH DAMAGE.
31169691Skan */
32169691Skan
33169691Skan#include <sys/cdefs.h>
34169691Skan__FBSDID("$FreeBSD$");
35169691Skan
36169691Skan#ifndef _NETINET_SCTP_AUTH_H_
37169691Skan#define _NETINET_SCTP_AUTH_H_
38169691Skan
39169691Skan#include <netinet/sctp_os.h>
40169691Skan
41169691Skan/* digest lengths */
42169691Skan#define SCTP_AUTH_DIGEST_LEN_SHA1	20
43169691Skan#define SCTP_AUTH_DIGEST_LEN_SHA256	32
44169691Skan#define SCTP_AUTH_DIGEST_LEN_MAX	SCTP_AUTH_DIGEST_LEN_SHA256
45169691Skan
46169691Skan/* random sizes */
47169691Skan#define SCTP_AUTH_RANDOM_SIZE_DEFAULT	32
48169691Skan#define SCTP_AUTH_RANDOM_SIZE_REQUIRED	32
49169691Skan
50169691Skan/* union of all supported HMAC algorithm contexts */
51169691Skantypedef union sctp_hash_context {
52169691Skan	SCTP_SHA1_CTX sha1;
53169691Skan	SCTP_SHA256_CTX sha256;
54169691Skan}                 sctp_hash_context_t;
55169691Skan
56169691Skantypedef struct sctp_key {
57169691Skan	uint32_t keylen;
58169691Skan	uint8_t key[];
59169691Skan}        sctp_key_t;
60169691Skan
61169691Skantypedef struct sctp_shared_key {
62169691Skan	LIST_ENTRY(sctp_shared_key) next;
63169691Skan	sctp_key_t *key;	/* key text */
64169691Skan	uint32_t refcount;	/* reference count */
65169691Skan	uint16_t keyid;		/* shared key ID */
66169691Skan	uint8_t deactivated;	/* key is deactivated */
67169691Skan}               sctp_sharedkey_t;
68169691Skan
69169691SkanLIST_HEAD(sctp_keyhead, sctp_shared_key);
70169691Skan
71169691Skan/* authentication chunks list */
72169691Skantypedef struct sctp_auth_chklist {
73169691Skan	uint8_t chunks[256];
74169691Skan	uint8_t num_chunks;
75169691Skan}                 sctp_auth_chklist_t;
76169691Skan
77169691Skan/* hmac algos supported list */
78169691Skantypedef struct sctp_hmaclist {
79169691Skan	uint16_t max_algo;	/* max algorithms allocated */
80169691Skan	uint16_t num_algo;	/* num algorithms used */
81169691Skan	uint16_t hmac[];
82169691Skan}             sctp_hmaclist_t;
83169691Skan
84169691Skan/* authentication info */
85169691Skantypedef struct sctp_authinformation {
86169691Skan	sctp_key_t *random;	/* local random key (concatenated) */
87169691Skan	uint32_t random_len;	/* local random number length for param */
88169691Skan	sctp_key_t *peer_random;/* peer's random key (concatenated) */
89169691Skan	sctp_key_t *assoc_key;	/* cached concatenated send key */
90169691Skan	sctp_key_t *recv_key;	/* cached concatenated recv key */
91169691Skan	uint16_t active_keyid;	/* active send keyid */
92169691Skan	uint16_t assoc_keyid;	/* current send keyid (cached) */
93169691Skan	uint16_t recv_keyid;	/* last recv keyid (cached) */
94169691Skan}                    sctp_authinfo_t;
95169691Skan
96169691Skan
97169691Skan
98169691Skan/*
99169691Skan * Macros
100169691Skan */
101169691Skan#define sctp_auth_is_required_chunk(chunk, list) ((list == NULL) ? (0) : (list->chunks[chunk] != 0))
102169691Skan
103169691Skan/*
104169691Skan * function prototypes
105169691Skan */
106169691Skan
107169691Skan/* socket option api functions */
108169691Skanextern sctp_auth_chklist_t *sctp_alloc_chunklist(void);
109169691Skanextern void sctp_free_chunklist(sctp_auth_chklist_t * chklist);
110169691Skanextern void sctp_clear_chunklist(sctp_auth_chklist_t * chklist);
111169691Skanextern sctp_auth_chklist_t *sctp_copy_chunklist(sctp_auth_chklist_t * chklist);
112169691Skanextern int sctp_auth_add_chunk(uint8_t chunk, sctp_auth_chklist_t * list);
113169691Skanextern int sctp_auth_delete_chunk(uint8_t chunk, sctp_auth_chklist_t * list);
114169691Skanextern size_t sctp_auth_get_chklist_size(const sctp_auth_chklist_t * list);
115169691Skanextern int
116169691Skansctp_serialize_auth_chunks(const sctp_auth_chklist_t * list,
117169691Skan    uint8_t * ptr);
118169691Skanextern int
119169691Skansctp_pack_auth_chunks(const sctp_auth_chklist_t * list,
120169691Skan    uint8_t * ptr);
121169691Skanextern int
122169691Skansctp_unpack_auth_chunks(const uint8_t * ptr, uint8_t num_chunks,
123169691Skan    sctp_auth_chklist_t * list);
124169691Skan
125169691Skan/* key handling */
126169691Skanextern sctp_key_t *sctp_alloc_key(uint32_t keylen);
127169691Skanextern void sctp_free_key(sctp_key_t * key);
128169691Skanextern void sctp_print_key(sctp_key_t * key, const char *str);
129169691Skanextern void sctp_show_key(sctp_key_t * key, const char *str);
130169691Skanextern sctp_key_t *sctp_generate_random_key(uint32_t keylen);
131169691Skanextern sctp_key_t *sctp_set_key(uint8_t * key, uint32_t keylen);
132169691Skanextern sctp_key_t *
133169691Skansctp_compute_hashkey(sctp_key_t * key1, sctp_key_t * key2,
134169691Skan    sctp_key_t * shared);
135169691Skan
136169691Skan/* shared key handling */
137169691Skanextern sctp_sharedkey_t *sctp_alloc_sharedkey(void);
138169691Skanextern void sctp_free_sharedkey(sctp_sharedkey_t * skey);
139169691Skanextern sctp_sharedkey_t *
140169691Skansctp_find_sharedkey(struct sctp_keyhead *shared_keys,
141169691Skan    uint16_t key_id);
142169691Skanextern int
143169691Skansctp_insert_sharedkey(struct sctp_keyhead *shared_keys,
144169691Skan    sctp_sharedkey_t * new_skey);
145169691Skanextern int
146169691Skansctp_copy_skeylist(const struct sctp_keyhead *src,
147169691Skan    struct sctp_keyhead *dest);
148169691Skan
149169691Skan/* ref counts on shared keys, by key id */
150169691Skanextern void sctp_auth_key_acquire(struct sctp_tcb *stcb, uint16_t keyid);
151169691Skanextern void
152169691Skansctp_auth_key_release(struct sctp_tcb *stcb, uint16_t keyid,
153169691Skan    int so_locked);
154169691Skan
155169691Skan
156169691Skan/* hmac list handling */
157169691Skanextern sctp_hmaclist_t *sctp_alloc_hmaclist(uint16_t num_hmacs);
158169691Skanextern void sctp_free_hmaclist(sctp_hmaclist_t * list);
159169691Skanextern int sctp_auth_add_hmacid(sctp_hmaclist_t * list, uint16_t hmac_id);
160169691Skanextern sctp_hmaclist_t *sctp_copy_hmaclist(sctp_hmaclist_t * list);
161169691Skanextern sctp_hmaclist_t *sctp_default_supported_hmaclist(void);
162169691Skanextern uint16_t
163169691Skansctp_negotiate_hmacid(sctp_hmaclist_t * peer,
164    sctp_hmaclist_t * local);
165extern int sctp_serialize_hmaclist(sctp_hmaclist_t * list, uint8_t * ptr);
166extern int
167sctp_verify_hmac_param(struct sctp_auth_hmac_algo *hmacs,
168    uint32_t num_hmacs);
169
170extern sctp_authinfo_t *sctp_alloc_authinfo(void);
171extern void sctp_free_authinfo(sctp_authinfo_t * authinfo);
172
173/* keyed-HMAC functions */
174extern uint32_t sctp_get_auth_chunk_len(uint16_t hmac_algo);
175extern uint32_t sctp_get_hmac_digest_len(uint16_t hmac_algo);
176extern uint32_t
177sctp_hmac(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
178    uint8_t * text, uint32_t textlen, uint8_t * digest);
179extern int
180sctp_verify_hmac(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
181    uint8_t * text, uint32_t textlen, uint8_t * digest, uint32_t digestlen);
182extern uint32_t
183sctp_compute_hmac(uint16_t hmac_algo, sctp_key_t * key,
184    uint8_t * text, uint32_t textlen, uint8_t * digest);
185extern int sctp_auth_is_supported_hmac(sctp_hmaclist_t * list, uint16_t id);
186
187/* mbuf versions */
188extern uint32_t
189sctp_hmac_m(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
190    struct mbuf *m, uint32_t m_offset, uint8_t * digest, uint32_t trailer);
191extern uint32_t
192sctp_compute_hmac_m(uint16_t hmac_algo, sctp_key_t * key,
193    struct mbuf *m, uint32_t m_offset, uint8_t * digest);
194
195/*
196 * authentication routines
197 */
198extern void sctp_clear_cachedkeys(struct sctp_tcb *stcb, uint16_t keyid);
199extern void sctp_clear_cachedkeys_ep(struct sctp_inpcb *inp, uint16_t keyid);
200extern int sctp_delete_sharedkey(struct sctp_tcb *stcb, uint16_t keyid);
201extern int sctp_delete_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid);
202extern int sctp_auth_setactivekey(struct sctp_tcb *stcb, uint16_t keyid);
203extern int sctp_auth_setactivekey_ep(struct sctp_inpcb *inp, uint16_t keyid);
204extern int sctp_deact_sharedkey(struct sctp_tcb *stcb, uint16_t keyid);
205extern int sctp_deact_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid);
206
207extern void
208sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m,
209    uint32_t offset, uint32_t length);
210extern void
211sctp_fill_hmac_digest_m(struct mbuf *m, uint32_t auth_offset,
212    struct sctp_auth_chunk *auth, struct sctp_tcb *stcb, uint16_t key_id);
213extern struct mbuf *
214sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end,
215    struct sctp_auth_chunk **auth_ret, uint32_t * offset,
216    struct sctp_tcb *stcb, uint8_t chunk);
217extern int
218sctp_handle_auth(struct sctp_tcb *stcb, struct sctp_auth_chunk *ch,
219    struct mbuf *m, uint32_t offset);
220extern void
221sctp_notify_authentication(struct sctp_tcb *stcb,
222    uint32_t indication, uint16_t keyid, uint16_t alt_keyid, int so_locked);
223extern int
224sctp_validate_init_auth_params(struct mbuf *m, int offset,
225    int limit);
226extern void
227sctp_initialize_auth_params(struct sctp_inpcb *inp,
228    struct sctp_tcb *stcb);
229
230/* test functions */
231#endif				/* __SCTP_AUTH_H__ */
232