1/*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
5 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
6 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions are met:
10 *
11 * a) Redistributions of source code must retain the above copyright notice,
12 *    this list of conditions and the following disclaimer.
13 *
14 * b) Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in
16 *    the documentation and/or other materials provided with the distribution.
17 *
18 * c) Neither the name of Cisco Systems, Inc. nor the names of its
19 *    contributors may be used to endorse or promote products derived
20 *    from this software without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
24 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
26 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
27 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
28 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
29 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
30 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
31 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
32 * THE POSSIBILITY OF SUCH DAMAGE.
33 */
34
35#ifndef _NETINET_SCTP_AUTH_H_
36#define _NETINET_SCTP_AUTH_H_
37
38#include <netinet/sctp_os.h>
39
40/* digest lengths */
41#define SCTP_AUTH_DIGEST_LEN_SHA1	20
42#define SCTP_AUTH_DIGEST_LEN_SHA256	32
43#define SCTP_AUTH_DIGEST_LEN_MAX	SCTP_AUTH_DIGEST_LEN_SHA256
44
45/* random sizes */
46#define SCTP_AUTH_RANDOM_SIZE_DEFAULT	32
47#define SCTP_AUTH_RANDOM_SIZE_REQUIRED	32
48
49/* union of all supported HMAC algorithm contexts */
50typedef union sctp_hash_context {
51	SCTP_SHA1_CTX sha1;
52	SCTP_SHA256_CTX sha256;
53} sctp_hash_context_t;
54
55typedef struct sctp_key {
56	uint32_t keylen;
57	uint8_t key[];
58} sctp_key_t;
59
60typedef struct sctp_shared_key {
61	LIST_ENTRY(sctp_shared_key) next;
62	sctp_key_t *key;	/* key text */
63	uint32_t refcount;	/* reference count */
64	uint16_t keyid;		/* shared key ID */
65	uint8_t deactivated;	/* key is deactivated */
66} sctp_sharedkey_t;
67
68LIST_HEAD(sctp_keyhead, sctp_shared_key);
69
70/* authentication chunks list */
71typedef struct sctp_auth_chklist {
72	uint8_t chunks[256];
73	uint8_t num_chunks;
74} sctp_auth_chklist_t;
75
76/* hmac algos supported list */
77typedef struct sctp_hmaclist {
78	uint16_t max_algo;	/* max algorithms allocated */
79	uint16_t num_algo;	/* num algorithms used */
80	uint16_t hmac[];
81} sctp_hmaclist_t;
82
83/* authentication info */
84typedef struct sctp_authinformation {
85	sctp_key_t *random;	/* local random key (concatenated) */
86	uint32_t random_len;	/* local random number length for param */
87	sctp_key_t *peer_random;	/* peer's random key (concatenated) */
88	sctp_key_t *assoc_key;	/* cached concatenated send key */
89	sctp_key_t *recv_key;	/* cached concatenated recv key */
90	uint16_t active_keyid;	/* active send keyid */
91	uint16_t assoc_keyid;	/* current send keyid (cached) */
92	uint16_t recv_keyid;	/* last recv keyid (cached) */
93} sctp_authinfo_t;
94
95/*
96 * Macros
97 */
98#define sctp_auth_is_required_chunk(chunk, list) ((list == NULL) ? (0) : (list->chunks[chunk] != 0))
99
100/*
101 * function prototypes
102 */
103
104/* socket option api functions */
105extern sctp_auth_chklist_t *sctp_alloc_chunklist(void);
106extern void sctp_free_chunklist(sctp_auth_chklist_t *chklist);
107extern void sctp_clear_chunklist(sctp_auth_chklist_t *chklist);
108extern sctp_auth_chklist_t *sctp_copy_chunklist(sctp_auth_chklist_t *chklist);
109extern int sctp_auth_add_chunk(uint8_t chunk, sctp_auth_chklist_t *list);
110extern int sctp_auth_delete_chunk(uint8_t chunk, sctp_auth_chklist_t *list);
111extern size_t sctp_auth_get_chklist_size(const sctp_auth_chklist_t *list);
112extern int
113sctp_serialize_auth_chunks(const sctp_auth_chklist_t *list,
114    uint8_t *ptr);
115extern int
116sctp_pack_auth_chunks(const sctp_auth_chklist_t *list,
117    uint8_t *ptr);
118extern int
119sctp_unpack_auth_chunks(const uint8_t *ptr, uint8_t num_chunks,
120    sctp_auth_chklist_t *list);
121
122/* key handling */
123extern sctp_key_t *sctp_alloc_key(uint32_t keylen);
124extern void sctp_free_key(sctp_key_t *key);
125extern void sctp_print_key(sctp_key_t *key, const char *str);
126extern void sctp_show_key(sctp_key_t *key, const char *str);
127extern sctp_key_t *sctp_generate_random_key(uint32_t keylen);
128extern sctp_key_t *sctp_set_key(uint8_t *key, uint32_t keylen);
129extern sctp_key_t *
130sctp_compute_hashkey(sctp_key_t *key1, sctp_key_t *key2,
131    sctp_key_t *shared);
132
133/* shared key handling */
134extern sctp_sharedkey_t *sctp_alloc_sharedkey(void);
135extern void sctp_free_sharedkey(sctp_sharedkey_t *skey);
136extern sctp_sharedkey_t *
137sctp_find_sharedkey(struct sctp_keyhead *shared_keys,
138    uint16_t key_id);
139extern int
140sctp_insert_sharedkey(struct sctp_keyhead *shared_keys,
141    sctp_sharedkey_t *new_skey);
142extern int
143sctp_copy_skeylist(const struct sctp_keyhead *src,
144    struct sctp_keyhead *dest);
145
146/* ref counts on shared keys, by key id */
147extern void sctp_auth_key_acquire(struct sctp_tcb *stcb, uint16_t keyid);
148extern void
149sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t keyid,
150    int so_locked);
151
152/* hmac list handling */
153extern sctp_hmaclist_t *sctp_alloc_hmaclist(uint16_t num_hmacs);
154extern void sctp_free_hmaclist(sctp_hmaclist_t *list);
155extern int sctp_auth_add_hmacid(sctp_hmaclist_t *list, uint16_t hmac_id);
156extern sctp_hmaclist_t *sctp_copy_hmaclist(sctp_hmaclist_t *list);
157extern sctp_hmaclist_t *sctp_default_supported_hmaclist(void);
158extern uint16_t
159sctp_negotiate_hmacid(sctp_hmaclist_t *peer,
160    sctp_hmaclist_t *local);
161extern int sctp_serialize_hmaclist(sctp_hmaclist_t *list, uint8_t *ptr);
162extern int
163sctp_verify_hmac_param(struct sctp_auth_hmac_algo *hmacs,
164    uint32_t num_hmacs);
165
166extern sctp_authinfo_t *sctp_alloc_authinfo(void);
167extern void sctp_free_authinfo(sctp_authinfo_t *authinfo);
168
169/* keyed-HMAC functions */
170extern uint32_t sctp_get_auth_chunk_len(uint16_t hmac_algo);
171extern uint32_t sctp_get_hmac_digest_len(uint16_t hmac_algo);
172extern uint32_t
173sctp_hmac(uint16_t hmac_algo, uint8_t *key, uint32_t keylen,
174    uint8_t *text, uint32_t textlen, uint8_t *digest);
175extern uint32_t
176sctp_compute_hmac(uint16_t hmac_algo, sctp_key_t *key,
177    uint8_t *text, uint32_t textlen, uint8_t *digest);
178extern int sctp_auth_is_supported_hmac(sctp_hmaclist_t *list, uint16_t id);
179
180/* mbuf versions */
181extern uint32_t
182sctp_hmac_m(uint16_t hmac_algo, uint8_t *key, uint32_t keylen,
183    struct mbuf *m, uint32_t m_offset, uint8_t *digest, uint32_t trailer);
184extern uint32_t
185sctp_compute_hmac_m(uint16_t hmac_algo, sctp_key_t *key,
186    struct mbuf *m, uint32_t m_offset, uint8_t *digest);
187
188/*
189 * authentication routines
190 */
191extern void sctp_clear_cachedkeys(struct sctp_tcb *stcb, uint16_t keyid);
192extern void sctp_clear_cachedkeys_ep(struct sctp_inpcb *inp, uint16_t keyid);
193extern int sctp_delete_sharedkey(struct sctp_tcb *stcb, uint16_t keyid);
194extern int sctp_delete_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid);
195extern int sctp_auth_setactivekey(struct sctp_tcb *stcb, uint16_t keyid);
196extern int sctp_auth_setactivekey_ep(struct sctp_inpcb *inp, uint16_t keyid);
197extern int sctp_deact_sharedkey(struct sctp_tcb *stcb, uint16_t keyid);
198extern int sctp_deact_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid);
199
200extern void
201sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m,
202    uint32_t offset, uint32_t length);
203extern void
204sctp_fill_hmac_digest_m(struct mbuf *m, uint32_t auth_offset,
205    struct sctp_auth_chunk *auth, struct sctp_tcb *stcb, uint16_t key_id);
206extern struct mbuf *
207sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end,
208    struct sctp_auth_chunk **auth_ret, uint32_t *offset,
209    struct sctp_tcb *stcb, uint8_t chunk);
210extern int
211sctp_handle_auth(struct sctp_tcb *stcb, struct sctp_auth_chunk *ch,
212    struct mbuf *m, uint32_t offset);
213extern void
214sctp_notify_authentication(struct sctp_tcb *stcb,
215    uint32_t indication, uint16_t keyid, int so_locked);
216extern int
217sctp_validate_init_auth_params(struct mbuf *m, int offset,
218    int limit);
219extern void
220sctp_initialize_auth_params(struct sctp_inpcb *inp,
221    struct sctp_tcb *stcb);
222
223/* test functions */
224#endif				/* __SCTP_AUTH_H__ */
225