michael@0: /*- michael@0: * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved. michael@0: * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved. michael@0: * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved. michael@0: * michael@0: * Redistribution and use in source and binary forms, with or without michael@0: * modification, are permitted provided that the following conditions are met: michael@0: * michael@0: * a) Redistributions of source code must retain the above copyright notice, michael@0: * this list of conditions and the following disclaimer. michael@0: * michael@0: * b) Redistributions in binary form must reproduce the above copyright michael@0: * notice, this list of conditions and the following disclaimer in michael@0: * the documentation and/or other materials provided with the distribution. michael@0: * michael@0: * c) Neither the name of Cisco Systems, Inc. nor the names of its michael@0: * contributors may be used to endorse or promote products derived michael@0: * from this software without specific prior written permission. michael@0: * michael@0: * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS michael@0: * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, michael@0: * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE michael@0: * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE michael@0: * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR michael@0: * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF michael@0: * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS michael@0: * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN michael@0: * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) michael@0: * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF michael@0: * THE POSSIBILITY OF SUCH DAMAGE. michael@0: */ michael@0: michael@0: #ifdef __FreeBSD__ michael@0: #include michael@0: __FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.h 257804 2013-11-07 18:50:11Z tuexen $"); michael@0: #endif michael@0: michael@0: #ifndef _NETINET_SCTP_AUTH_H_ michael@0: #define _NETINET_SCTP_AUTH_H_ michael@0: michael@0: #include michael@0: michael@0: /* digest lengths */ michael@0: #define SCTP_AUTH_DIGEST_LEN_SHA1 20 michael@0: #define SCTP_AUTH_DIGEST_LEN_SHA256 32 michael@0: #define SCTP_AUTH_DIGEST_LEN_MAX SCTP_AUTH_DIGEST_LEN_SHA256 michael@0: michael@0: /* random sizes */ michael@0: #define SCTP_AUTH_RANDOM_SIZE_DEFAULT 32 michael@0: #define SCTP_AUTH_RANDOM_SIZE_REQUIRED 32 michael@0: michael@0: /* union of all supported HMAC algorithm contexts */ michael@0: typedef union sctp_hash_context { michael@0: SCTP_SHA1_CTX sha1; michael@0: #if defined(SCTP_SUPPORT_HMAC_SHA256) michael@0: SCTP_SHA256_CTX sha256; michael@0: #endif michael@0: } sctp_hash_context_t; michael@0: michael@0: typedef struct sctp_key { michael@0: uint32_t keylen; michael@0: uint8_t key[]; michael@0: } sctp_key_t; michael@0: michael@0: typedef struct sctp_shared_key { michael@0: LIST_ENTRY(sctp_shared_key) next; michael@0: sctp_key_t *key; /* key text */ michael@0: uint32_t refcount; /* reference count */ michael@0: uint16_t keyid; /* shared key ID */ michael@0: uint8_t deactivated; /* key is deactivated */ michael@0: } sctp_sharedkey_t; michael@0: michael@0: LIST_HEAD(sctp_keyhead, sctp_shared_key); michael@0: michael@0: /* authentication chunks list */ michael@0: typedef struct sctp_auth_chklist { michael@0: uint8_t chunks[256]; michael@0: uint8_t num_chunks; michael@0: } sctp_auth_chklist_t; michael@0: michael@0: /* hmac algos supported list */ michael@0: typedef struct sctp_hmaclist { michael@0: uint16_t max_algo; /* max algorithms allocated */ michael@0: uint16_t num_algo; /* num algorithms used */ michael@0: uint16_t hmac[]; michael@0: } sctp_hmaclist_t; michael@0: michael@0: /* authentication info */ michael@0: typedef struct sctp_authinformation { michael@0: sctp_key_t *random; /* local random key (concatenated) */ michael@0: uint32_t random_len; /* local random number length for param */ michael@0: sctp_key_t *peer_random;/* peer's random key (concatenated) */ michael@0: sctp_key_t *assoc_key; /* cached concatenated send key */ michael@0: sctp_key_t *recv_key; /* cached concatenated recv key */ michael@0: uint16_t active_keyid; /* active send keyid */ michael@0: uint16_t assoc_keyid; /* current send keyid (cached) */ michael@0: uint16_t recv_keyid; /* last recv keyid (cached) */ michael@0: } sctp_authinfo_t; michael@0: michael@0: michael@0: michael@0: /* michael@0: * Macros michael@0: */ michael@0: #define sctp_auth_is_required_chunk(chunk, list) ((list == NULL) ? (0) : (list->chunks[chunk] != 0)) michael@0: michael@0: /* michael@0: * function prototypes michael@0: */ michael@0: michael@0: /* socket option api functions */ michael@0: extern sctp_auth_chklist_t *sctp_alloc_chunklist(void); michael@0: extern void sctp_free_chunklist(sctp_auth_chklist_t *chklist); michael@0: extern void sctp_clear_chunklist(sctp_auth_chklist_t *chklist); michael@0: extern sctp_auth_chklist_t *sctp_copy_chunklist(sctp_auth_chklist_t *chklist); michael@0: extern int sctp_auth_add_chunk(uint8_t chunk, sctp_auth_chklist_t *list); michael@0: extern int sctp_auth_delete_chunk(uint8_t chunk, sctp_auth_chklist_t *list); michael@0: extern size_t sctp_auth_get_chklist_size(const sctp_auth_chklist_t *list); michael@0: extern void sctp_auth_set_default_chunks(sctp_auth_chklist_t *list); michael@0: extern int sctp_serialize_auth_chunks(const sctp_auth_chklist_t *list, michael@0: uint8_t *ptr); michael@0: extern int sctp_pack_auth_chunks(const sctp_auth_chklist_t *list, michael@0: uint8_t *ptr); michael@0: extern int sctp_unpack_auth_chunks(const uint8_t *ptr, uint8_t num_chunks, michael@0: sctp_auth_chklist_t *list); michael@0: michael@0: /* key handling */ michael@0: extern sctp_key_t *sctp_alloc_key(uint32_t keylen); michael@0: extern void sctp_free_key(sctp_key_t *key); michael@0: extern void sctp_print_key(sctp_key_t *key, const char *str); michael@0: extern void sctp_show_key(sctp_key_t *key, const char *str); michael@0: extern sctp_key_t *sctp_generate_random_key(uint32_t keylen); michael@0: extern sctp_key_t *sctp_set_key(uint8_t *key, uint32_t keylen); michael@0: extern sctp_key_t *sctp_compute_hashkey(sctp_key_t *key1, sctp_key_t *key2, michael@0: sctp_key_t *shared); michael@0: michael@0: /* shared key handling */ michael@0: extern sctp_sharedkey_t *sctp_alloc_sharedkey(void); michael@0: extern void sctp_free_sharedkey(sctp_sharedkey_t *skey); michael@0: extern sctp_sharedkey_t *sctp_find_sharedkey(struct sctp_keyhead *shared_keys, michael@0: uint16_t key_id); michael@0: extern int sctp_insert_sharedkey(struct sctp_keyhead *shared_keys, michael@0: sctp_sharedkey_t *new_skey); michael@0: extern int sctp_copy_skeylist(const struct sctp_keyhead *src, michael@0: struct sctp_keyhead *dest); michael@0: /* ref counts on shared keys, by key id */ michael@0: extern void sctp_auth_key_acquire(struct sctp_tcb *stcb, uint16_t keyid); michael@0: extern void sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t keyid, michael@0: int so_locked); michael@0: michael@0: michael@0: /* hmac list handling */ michael@0: extern sctp_hmaclist_t *sctp_alloc_hmaclist(uint8_t num_hmacs); michael@0: extern void sctp_free_hmaclist(sctp_hmaclist_t *list); michael@0: extern int sctp_auth_add_hmacid(sctp_hmaclist_t *list, uint16_t hmac_id); michael@0: extern sctp_hmaclist_t *sctp_copy_hmaclist(sctp_hmaclist_t *list); michael@0: extern sctp_hmaclist_t *sctp_default_supported_hmaclist(void); michael@0: extern uint16_t sctp_negotiate_hmacid(sctp_hmaclist_t *peer, michael@0: sctp_hmaclist_t *local); michael@0: extern int sctp_serialize_hmaclist(sctp_hmaclist_t *list, uint8_t *ptr); michael@0: extern int sctp_verify_hmac_param(struct sctp_auth_hmac_algo *hmacs, michael@0: uint32_t num_hmacs); michael@0: michael@0: extern sctp_authinfo_t *sctp_alloc_authinfo(void); michael@0: extern void sctp_free_authinfo(sctp_authinfo_t *authinfo); michael@0: michael@0: /* keyed-HMAC functions */ michael@0: extern uint32_t sctp_get_auth_chunk_len(uint16_t hmac_algo); michael@0: extern uint32_t sctp_get_hmac_digest_len(uint16_t hmac_algo); michael@0: extern uint32_t sctp_hmac(uint16_t hmac_algo, uint8_t *key, uint32_t keylen, michael@0: uint8_t *text, uint32_t textlen, uint8_t *digest); michael@0: extern int sctp_verify_hmac(uint16_t hmac_algo, uint8_t *key, uint32_t keylen, michael@0: uint8_t *text, uint32_t textlen, uint8_t *digest, uint32_t digestlen); michael@0: extern uint32_t sctp_compute_hmac(uint16_t hmac_algo, sctp_key_t *key, michael@0: uint8_t *text, uint32_t textlen, uint8_t *digest); michael@0: extern int sctp_auth_is_supported_hmac(sctp_hmaclist_t *list, uint16_t id); michael@0: michael@0: /* mbuf versions */ michael@0: extern uint32_t sctp_hmac_m(uint16_t hmac_algo, uint8_t *key, uint32_t keylen, michael@0: struct mbuf *m, uint32_t m_offset, uint8_t *digest, uint32_t trailer); michael@0: extern uint32_t sctp_compute_hmac_m(uint16_t hmac_algo, sctp_key_t *key, michael@0: struct mbuf *m, uint32_t m_offset, uint8_t *digest); michael@0: michael@0: /* michael@0: * authentication routines michael@0: */ michael@0: extern void sctp_clear_cachedkeys(struct sctp_tcb *stcb, uint16_t keyid); michael@0: extern void sctp_clear_cachedkeys_ep(struct sctp_inpcb *inp, uint16_t keyid); michael@0: extern int sctp_delete_sharedkey(struct sctp_tcb *stcb, uint16_t keyid); michael@0: extern int sctp_delete_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid); michael@0: extern int sctp_auth_setactivekey(struct sctp_tcb *stcb, uint16_t keyid); michael@0: extern int sctp_auth_setactivekey_ep(struct sctp_inpcb *inp, uint16_t keyid); michael@0: extern int sctp_deact_sharedkey(struct sctp_tcb *stcb, uint16_t keyid); michael@0: extern int sctp_deact_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid); michael@0: michael@0: extern void sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m, michael@0: uint32_t offset, uint32_t length); michael@0: extern void sctp_fill_hmac_digest_m(struct mbuf *m, uint32_t auth_offset, michael@0: struct sctp_auth_chunk *auth, struct sctp_tcb *stcb, uint16_t key_id); michael@0: extern struct mbuf *sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end, michael@0: struct sctp_auth_chunk **auth_ret, uint32_t *offset, michael@0: struct sctp_tcb *stcb, uint8_t chunk); michael@0: extern int sctp_handle_auth(struct sctp_tcb *stcb, struct sctp_auth_chunk *ch, michael@0: struct mbuf *m, uint32_t offset); michael@0: extern void sctp_notify_authentication(struct sctp_tcb *stcb, michael@0: uint32_t indication, uint16_t keyid, uint16_t alt_keyid, int so_locked); michael@0: extern int sctp_validate_init_auth_params(struct mbuf *m, int offset, michael@0: int limit); michael@0: extern void sctp_initialize_auth_params(struct sctp_inpcb *inp, michael@0: struct sctp_tcb *stcb); michael@0: michael@0: /* test functions */ michael@0: #ifdef SCTP_HMAC_TEST michael@0: extern void sctp_test_hmac_sha1(void); michael@0: extern void sctp_test_authkey(void); michael@0: #endif michael@0: #endif /* __SCTP_AUTH_H__ */