[SCTP]: Implement SCTP-AUTH initializations.
The patch initializes AUTH related members of the generic SCTP
structures and provides a way to enable/disable auth extension.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 9bad8ba..ee4b212 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -74,6 +74,8 @@
{
struct sctp_sock *sp;
int i;
+ sctp_paramhdr_t *p;
+ int err;
/* Retrieve the SCTP per socket area. */
sp = sctp_sk((struct sock *)sk);
@@ -298,6 +300,30 @@
asoc->default_timetolive = sp->default_timetolive;
asoc->default_rcv_context = sp->default_rcv_context;
+ /* AUTH related initializations */
+ INIT_LIST_HEAD(&asoc->endpoint_shared_keys);
+ err = sctp_auth_asoc_copy_shkeys(ep, asoc, gfp);
+ if (err)
+ goto fail_init;
+
+ asoc->active_key_id = ep->active_key_id;
+ asoc->asoc_shared_key = NULL;
+
+ asoc->default_hmac_id = 0;
+ /* Save the hmacs and chunks list into this association */
+ if (ep->auth_hmacs_list)
+ memcpy(asoc->c.auth_hmacs, ep->auth_hmacs_list,
+ ntohs(ep->auth_hmacs_list->param_hdr.length));
+ if (ep->auth_chunk_list)
+ memcpy(asoc->c.auth_chunks, ep->auth_chunk_list,
+ ntohs(ep->auth_chunk_list->param_hdr.length));
+
+ /* Get the AUTH random number for this association */
+ p = (sctp_paramhdr_t *)asoc->c.auth_random;
+ p->type = SCTP_PARAM_RANDOM;
+ p->length = htons(sizeof(sctp_paramhdr_t) + SCTP_AUTH_RANDOM_LENGTH);
+ get_random_bytes(p+1, SCTP_AUTH_RANDOM_LENGTH);
+
return asoc;
fail_init:
@@ -407,6 +433,12 @@
if (asoc->addip_last_asconf)
sctp_chunk_free(asoc->addip_last_asconf);
+ /* AUTH - Free the endpoint shared keys */
+ sctp_auth_destroy_keys(&asoc->endpoint_shared_keys);
+
+ /* AUTH - Free the association shared key */
+ sctp_auth_key_put(asoc->asoc_shared_key);
+
sctp_association_put(asoc);
}
@@ -1112,6 +1144,8 @@
sctp_assoc_set_id(asoc, GFP_ATOMIC);
}
}
+
+ /* SCTP-AUTH: XXX something needs to be done here*/
}
/* Update the retran path for sending a retransmitted packet.
diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
index 22371185..c8d5023 100644
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -69,12 +69,56 @@
struct sock *sk,
gfp_t gfp)
{
+ struct sctp_hmac_algo_param *auth_hmacs = NULL;
+ struct sctp_chunks_param *auth_chunks = NULL;
+ struct sctp_shared_key *null_key;
+ int err;
+
memset(ep, 0, sizeof(struct sctp_endpoint));
ep->digest = kzalloc(SCTP_SIGNATURE_SIZE, gfp);
if (!ep->digest)
return NULL;
+ if (sctp_auth_enable) {
+ /* Allocate space for HMACS and CHUNKS authentication
+ * variables. There are arrays that we encode directly
+ * into parameters to make the rest of the operations easier.
+ */
+ auth_hmacs = kzalloc(sizeof(sctp_hmac_algo_param_t) +
+ sizeof(__u16) * SCTP_AUTH_NUM_HMACS, gfp);
+ if (!auth_hmacs)
+ goto nomem;
+
+ auth_chunks = kzalloc(sizeof(sctp_chunks_param_t) +
+ SCTP_NUM_CHUNK_TYPES, gfp);
+ if (!auth_chunks)
+ goto nomem;
+
+ /* Initialize the HMACS parameter.
+ * SCTP-AUTH: Section 3.3
+ * Every endpoint supporting SCTP chunk authentication MUST
+ * support the HMAC based on the SHA-1 algorithm.
+ */
+ auth_hmacs->param_hdr.type = SCTP_PARAM_HMAC_ALGO;
+ auth_hmacs->param_hdr.length =
+ htons(sizeof(sctp_paramhdr_t) + 2);
+ auth_hmacs->hmac_ids[0] = htons(SCTP_AUTH_HMAC_ID_SHA1);
+
+ /* Initialize the CHUNKS parameter */
+ auth_chunks->param_hdr.type = SCTP_PARAM_CHUNKS;
+
+ /* If the Add-IP functionality is enabled, we must
+ * authenticate, ASCONF and ASCONF-ACK chunks
+ */
+ if (sctp_addip_enable) {
+ auth_chunks->chunks[0] = SCTP_CID_ASCONF;
+ auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK;
+ auth_chunks->param_hdr.length =
+ htons(sizeof(sctp_paramhdr_t) + 2);
+ }
+ }
+
/* Initialize the base structure. */
/* What type of endpoint are we? */
ep->base.type = SCTP_EP_TYPE_SOCKET;
@@ -114,7 +158,36 @@
ep->last_key = ep->current_key = 0;
ep->key_changed_at = jiffies;
+ /* SCTP-AUTH extensions*/
+ INIT_LIST_HEAD(&ep->endpoint_shared_keys);
+ null_key = sctp_auth_shkey_create(0, GFP_KERNEL);
+ if (!null_key)
+ goto nomem;
+
+ list_add(&null_key->key_list, &ep->endpoint_shared_keys);
+
+ /* Allocate and initialize transorms arrays for suported HMACs. */
+ err = sctp_auth_init_hmacs(ep, gfp);
+ if (err)
+ goto nomem_hmacs;
+
+ /* Add the null key to the endpoint shared keys list and
+ * set the hmcas and chunks pointers.
+ */
+ ep->auth_hmacs_list = auth_hmacs;
+ ep->auth_chunk_list = auth_chunks;
+
return ep;
+
+nomem_hmacs:
+ sctp_auth_destroy_keys(&ep->endpoint_shared_keys);
+nomem:
+ /* Free all allocations */
+ kfree(auth_hmacs);
+ kfree(auth_chunks);
+ kfree(ep->digest);
+ return NULL;
+
}
/* Create a sctp_endpoint with all that boring stuff initialized.
@@ -187,6 +260,16 @@
/* Free the digest buffer */
kfree(ep->digest);
+ /* SCTP-AUTH: Free up AUTH releated data such as shared keys
+ * chunks and hmacs arrays that were allocated
+ */
+ sctp_auth_destroy_keys(&ep->endpoint_shared_keys);
+ kfree(ep->auth_hmacs_list);
+ kfree(ep->auth_chunk_list);
+
+ /* AUTH - Free any allocated HMAC transform containers */
+ sctp_auth_destroy_hmacs(ep->auth_hmacs);
+
/* Cleanup. */
sctp_inq_free(&ep->base.inqueue);
sctp_bind_addr_free(&ep->base.bind_addr);
diff --git a/net/sctp/output.c b/net/sctp/output.c
index d85543d..49b9f5f 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -79,7 +79,9 @@
packet->vtag = vtag;
packet->has_cookie_echo = 0;
packet->has_sack = 0;
+ packet->has_auth = 0;
packet->ipfragok = 0;
+ packet->auth = NULL;
if (ecn_capable && sctp_packet_empty(packet)) {
chunk = sctp_get_ecne_prepend(packet->transport->asoc);
@@ -121,8 +123,10 @@
packet->vtag = 0;
packet->has_cookie_echo = 0;
packet->has_sack = 0;
+ packet->has_auth = 0;
packet->ipfragok = 0;
packet->malloced = 0;
+ packet->auth = NULL;
return packet;
}
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index 3ec8b12b..4e6b59e 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -1185,6 +1185,9 @@
/* Enable PR-SCTP by default. */
sctp_prsctp_enable = 1;
+ /* Disable AUTH by default. */
+ sctp_auth_enable = 0;
+
sctp_sysctl_register();
INIT_LIST_HEAD(&sctp_address_families);
diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
index 39b10ee..0669778 100644
--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
@@ -254,6 +254,15 @@
.mode = 0644,
.proc_handler = &proc_dointvec,
},
+ {
+ .ctl_name = CTL_UNNUMBERED,
+ .procname = "auth_enable",
+ .data = &sctp_auth_enable,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec,
+ .strategy = &sysctl_intvec
+ },
{ .ctl_name = 0 }
};