/*-
 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * a) Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 *
 * b) Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the distribution.
 *
 * c) Neither the name of Cisco Systems, Inc. nor the names of its
 *    contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 * THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * SCTP AUTH (RFC 4895) support: key material, shared-key lists, the list
 * of chunk types that must be authenticated, and the HMAC helpers used by
 * the SCTP input/output paths.  This header only declares types and
 * prototypes; the implementation lives elsewhere.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#ifndef _NETINET_SCTP_AUTH_H_
#define _NETINET_SCTP_AUTH_H_

#include <netinet/sctp_os.h>

/*
 * digest lengths (bytes of HMAC output per algorithm).
 * SCTP_AUTH_DIGEST_LEN_MAX sizes any buffer that must hold a digest for
 * whichever algorithm is negotiated, so it tracks the largest entry.
 */
#define SCTP_AUTH_DIGEST_LEN_SHA1 20
#define SCTP_AUTH_DIGEST_LEN_SHA256 32
#define SCTP_AUTH_DIGEST_LEN_MAX SCTP_AUTH_DIGEST_LEN_SHA256

/*
 * random sizes (bytes).  RFC 4895 requires the RANDOM parameter to carry
 * a 32-byte random number; DEFAULT is what this stack generates locally
 * and REQUIRED is what it expects from a peer.
 */
#define SCTP_AUTH_RANDOM_SIZE_DEFAULT 32
#define SCTP_AUTH_RANDOM_SIZE_REQUIRED 32

/*
 * union of all supported HMAC algorithm contexts.  The SCTP_SHA1_CTX and
 * SCTP_SHA256_CTX types are presumably supplied by <netinet/sctp_os.h>
 * (not visible here); the union lets one context buffer serve whichever
 * algorithm is in use.
 */
typedef union sctp_hash_context {
	SCTP_SHA1_CTX sha1;
	SCTP_SHA256_CTX sha256;
} sctp_hash_context_t;

/*
 * Variable-length key: keylen bytes of key material follow the header in
 * the flexible array member, so the struct is allocated with the key
 * bytes in one block (see sctp_alloc_key()/sctp_free_key()).
 */
typedef struct sctp_key {
	uint32_t keylen;	/* number of bytes in key[] */
	uint8_t key[];		/* key material, keylen bytes */
} sctp_key_t;

/*
 * One entry of a shared-key list (the list head type is struct
 * sctp_keyhead).  refcount is a plain uint32_t, so concurrent updates
 * presumably rely on the caller's locking rather than atomics -- see the
 * so_locked argument on sctp_auth_key_release(); confirm before relying
 * on it from a new call site.
 */
typedef struct sctp_shared_key {
	LIST_ENTRY(sctp_shared_key) next;	/* list linkage */
	sctp_key_t *key;	/* key text */
	uint32_t refcount;	/* reference count */
	uint16_t keyid;		/* shared key ID */
	uint8_t deactivated;	/* key is deactivated (non-zero) */
} sctp_sharedkey_t;
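/* head of a list of sctp_shared_key entries, linked through their 'next' field */
LIST_HEAD(sctp_keyhead, sctp_shared_key);

/*
 * authentication chunks list: one byte per SCTP chunk type, indexed by
 * the chunk type value (0..255).  A non-zero entry means that chunk type
 * must be carried inside an AUTH chunk (see
 * sctp_auth_is_required_chunk()).  num_chunks counts the entries that
 * are set; it is a uint8_t, so it presumably relies on some chunk types
 * never being added -- confirm against sctp_auth_add_chunk().
 */
typedef struct sctp_auth_chklist {
	uint8_t chunks[256];	/* flag per chunk type */
	uint8_t num_chunks;	/* number of flagged chunk types */
} sctp_auth_chklist_t;

/*
 * hmac algos supported list: num_algo HMAC identifiers stored in the
 * flexible array hmac[], in a block allocated for max_algo entries.
 */
typedef struct sctp_hmaclist {
	uint16_t max_algo;	/* max algorithms allocated */
	uint16_t num_algo;	/* num algorithms used */
	uint16_t hmac[];	/* HMAC identifiers, num_algo valid entries */
} sctp_hmaclist_t;

/*
 * authentication info kept per association: the local and peer RANDOM
 * values and the cached per-direction keys derived from them.  The
 * *_keyid fields record which shared key each cached key was built from.
 */
typedef struct sctp_authinformation {
	sctp_key_t *random;	/* local random key (concatenated) */
	uint32_t random_len;	/* local random number length for param */
	sctp_key_t *peer_random;/* peer's random key (concatenated) */
	sctp_key_t *assoc_key;	/* cached concatenated send key */
	sctp_key_t *recv_key;	/* cached concatenated recv key */
	uint16_t active_keyid;	/* active send keyid */
	uint16_t assoc_keyid;	/* current send keyid (cached) */
	uint16_t recv_keyid;	/* last recv keyid (cached) */
} sctp_authinfo_t;

/*
 * Macros
 */

/*
 * sctp_auth_is_required_chunk(chunk, list): non-zero when chunk type
 * 'chunk' is flagged in 'list', zero when it is not or when list is NULL.
 * 'list' is evaluated twice, so do not pass an expression with side
 * effects.  'chunk' is used directly as an index into list->chunks[256]
 * and must therefore be a value in 0..255 (a uint8_t chunk type); the
 * macro performs no range check of its own.  Every argument use is
 * parenthesised so that operands such as "p ? a : b" or "*pp" bind
 * correctly.
 */
#define sctp_auth_is_required_chunk(chunk, list) \
	(((list) == NULL) ? (0) : ((list)->chunks[(chunk)] != 0))

/*
 * function prototypes
 */

/*
 * socket option api functions: build, copy, and (de)serialise the list
 * of chunk types that require authentication.
 */
extern sctp_auth_chklist_t *sctp_alloc_chunklist(void);
extern void sctp_free_chunklist(sctp_auth_chklist_t * chklist);
extern void sctp_clear_chunklist(sctp_auth_chklist_t * chklist);
extern sctp_auth_chklist_t *sctp_copy_chunklist(sctp_auth_chklist_t * chklist);
extern int sctp_auth_add_chunk(uint8_t chunk, sctp_auth_chklist_t * list);
extern int sctp_auth_delete_chunk(uint8_t chunk, sctp_auth_chklist_t * list);
/* size in bytes of the serialised form of 'list' */
extern size_t sctp_auth_get_chklist_size(const sctp_auth_chklist_t * list);
extern int
sctp_serialize_auth_chunks(const sctp_auth_chklist_t * list,
    uint8_t * ptr);
extern int
sctp_pack_auth_chunks(const sctp_auth_chklist_t * list,
    uint8_t * ptr);
/*
 * Parse num_chunks chunk-type bytes starting at ptr into 'list'.  ptr
 * is wire-format input; the caller is presumably responsible for
 * ensuring num_chunks bytes are readable at ptr -- confirm in the
 * implementation.
 */
extern int
sctp_unpack_auth_chunks(const uint8_t * ptr, uint8_t num_chunks,
    sctp_auth_chklist_t * list);

/*
 * key handling.  sctp_alloc_key()/sctp_free_key() manage sctp_key_t
 * objects; the print/show helpers are diagnostic (the 'str' argument is
 * a label).  Whether sctp_set_key() copies or takes ownership of the
 * 'key' bytes is not visible here -- confirm before reusing the buffer.
 */
extern sctp_key_t *sctp_alloc_key(uint32_t keylen);
extern void sctp_free_key(sctp_key_t * key);
extern void sctp_print_key(sctp_key_t * key, const char *str);
extern void sctp_show_key(sctp_key_t * key, const char *str);
extern sctp_key_t *sctp_generate_random_key(uint32_t keylen);
extern sctp_key_t *sctp_set_key(uint8_t * key, uint32_t keylen);
/* derive the concatenated HMAC key from two random values and a shared key */
extern sctp_key_t *
sctp_compute_hashkey(sctp_key_t * key1, sctp_key_t * key2,
    sctp_key_t * shared);

/* shared key handling: entries are kept in a struct sctp_keyhead list, looked up by key id */
extern sctp_sharedkey_t *sctp_alloc_sharedkey(void);
extern void sctp_free_sharedkey(sctp_sharedkey_t * skey);
extern sctp_sharedkey_t *
sctp_find_sharedkey(struct sctp_keyhead *shared_keys,
    uint16_t key_id);
extern int
sctp_insert_sharedkey(struct sctp_keyhead *shared_keys,
    sctp_sharedkey_t * new_skey);
extern int
sctp_copy_skeylist(const struct sctp_keyhead *src,
    struct sctp_keyhead *dest);

/*
 * ref counts on shared keys, by key id.  so_locked presumably tells the
 * release path whether the caller already holds the socket lock --
 * confirm the expected value at each call site.
 */
extern void sctp_auth_key_acquire(struct sctp_tcb *stcb, uint16_t keyid);
extern void
sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t keyid,
    int so_locked);

/*
 * hmac list handling.  sctp_negotiate_hmacid() returns the HMAC
 * identifier chosen from the peer's and local lists;
 * sctp_verify_hmac_param() checks a received HMAC-ALGO parameter of
 * num_hmacs entries.
 */
extern sctp_hmaclist_t *sctp_alloc_hmaclist(uint16_t num_hmacs);
extern void sctp_free_hmaclist(sctp_hmaclist_t * list);
extern int sctp_auth_add_hmacid(sctp_hmaclist_t * list, uint16_t hmac_id);
extern sctp_hmaclist_t *sctp_copy_hmaclist(sctp_hmaclist_t * list);
extern sctp_hmaclist_t *sctp_default_supported_hmaclist(void);
extern uint16_t
sctp_negotiate_hmacid(sctp_hmaclist_t * peer,
    sctp_hmaclist_t * local);
extern int sctp_serialize_hmaclist(sctp_hmaclist_t * list, uint8_t * ptr);
extern int
sctp_verify_hmac_param(struct sctp_auth_hmac_algo *hmacs,
    uint32_t num_hmacs);

extern sctp_authinfo_t *sctp_alloc_authinfo(void);
extern void sctp_free_authinfo(sctp_authinfo_t * authinfo);

/*
 * keyed-HMAC functions.  hmac_algo selects the algorithm; the two
 * length helpers give the AUTH chunk size and digest size for it.
 * sctp_hmac() writes the HMAC of text[0..textlen) under
 * key[0..keylen) into 'digest' and returns a uint32_t (presumably the
 * digest length written -- confirm).  'digest' must be able to hold at
 * least sctp_get_hmac_digest_len(hmac_algo) bytes.
 */
extern uint32_t sctp_get_auth_chunk_len(uint16_t hmac_algo);
extern uint32_t sctp_get_hmac_digest_len(uint16_t hmac_algo);
extern uint32_t
sctp_hmac(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
    uint8_t * text, uint32_t textlen, uint8_t * digest);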
/*
 * Compare 'digest' (digestlen bytes) against the HMAC of text[0..textlen)
 * under key[0..keylen).  The int result convention is not visible here.
 * NOTE(review): the comparison of an attacker-supplied digest should not
 * leak timing -- confirm the implementation compares in constant time.
 */
extern int
sctp_verify_hmac(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
    uint8_t * text, uint32_t textlen, uint8_t * digest, uint32_t digestlen);
/* as sctp_hmac(), but the key is an sctp_key_t rather than a raw buffer */
extern uint32_t
sctp_compute_hmac(uint16_t hmac_algo, sctp_key_t * key,
    uint8_t * text, uint32_t textlen, uint8_t * digest);
/* non-zero when HMAC identifier 'id' appears in 'list' (presumably; confirm) */
extern int sctp_auth_is_supported_hmac(sctp_hmaclist_t * list, uint16_t id);

/*
 * mbuf versions: the text is taken from mbuf chain 'm' starting at
 * m_offset instead of from a flat buffer.  The meaning of 'trailer' in
 * sctp_hmac_m() is not visible in this header.
 */
extern uint32_t
sctp_hmac_m(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
    struct mbuf *m, uint32_t m_offset, uint8_t * digest, uint32_t trailer);
extern uint32_t
sctp_compute_hmac_m(uint16_t hmac_algo, sctp_key_t * key,
    struct mbuf *m, uint32_t m_offset, uint8_t * digest);

/*
 * authentication routines
 *
 * Each operation below exists in two forms: the plain one acts on an
 * association (struct sctp_tcb), the _ep variant on an endpoint
 * (struct sctp_inpcb).  All are keyed by the shared key id.
 */
extern void sctp_clear_cachedkeys(struct sctp_tcb *stcb, uint16_t keyid);
extern void sctp_clear_cachedkeys_ep(struct sctp_inpcb *inp, uint16_t keyid);
extern int sctp_delete_sharedkey(struct sctp_tcb *stcb, uint16_t keyid);
extern int sctp_delete_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid);
extern int sctp_auth_setactivekey(struct sctp_tcb *stcb, uint16_t keyid);
extern int sctp_auth_setactivekey_ep(struct sctp_inpcb *inp, uint16_t keyid);
extern int sctp_deact_sharedkey(struct sctp_tcb *stcb, uint16_t keyid);
extern int sctp_deact_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid);

/* read the AUTH-related parameters of a COOKIE found at offset/length in m */
extern void
sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m,
    uint32_t offset, uint32_t length);
/* fill in the HMAC of the AUTH chunk 'auth' located at auth_offset in m, using key_id */
extern void
sctp_fill_hmac_digest_m(struct mbuf *m, uint32_t auth_offset,
    struct sctp_auth_chunk *auth, struct sctp_tcb *stcb, uint16_t key_id);
/*
 * Append an AUTH chunk for chunk type 'chunk' to the chain ending at
 * *m_end; *auth_ret and *offset presumably receive the new chunk and its
 * position so the digest can be filled in later -- confirm in the
 * implementation.
 */
extern struct mbuf *
sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end,
    struct sctp_auth_chunk **auth_ret, uint32_t * offset,
    struct sctp_tcb *stcb, uint8_t chunk);
/*
 * Process a received AUTH chunk 'ch' at 'offset' in m.  This is the
 * entry point for untrusted input on the AUTH path; the int result
 * convention is not visible here.
 */
extern int
sctp_handle_auth(struct sctp_tcb *stcb, struct sctp_auth_chunk *ch,
    struct mbuf *m, uint32_t offset);
/* deliver an authentication event for keyid (alt_keyid as secondary id); so_locked as for sctp_auth_key_release() */
extern void
sctp_notify_authentication(struct sctp_tcb *stcb,
    uint32_t indication, uint16_t keyid, uint16_t alt_keyid, int so_locked);
/*
 * Validate the AUTH-related parameters of an INIT/INIT-ACK in m between
 * offset and limit.  Note offset/limit are int here whereas the other
 * mbuf offsets in this header are uint32_t.
 */
extern int
sctp_validate_init_auth_params(struct mbuf *m, int offset,
    int limit);
/* set up the association's AUTH state from the endpoint's configuration */
extern void
sctp_initialize_auth_params(struct sctp_inpcb *inp,
    struct sctp_tcb *stcb);

#endif /* _NETINET_SCTP_AUTH_H_ */