]> err.no Git - linux-2.6/commitdiff
[SCTP]: Implement SCTP-AUTH initializations.
authorVlad Yasevich <vladislav.yasevich@hp.com>
Mon, 17 Sep 2007 02:31:35 +0000 (19:31 -0700)
committerDavid S. Miller <davem@sunset.davemloft.net>
Wed, 10 Oct 2007 23:51:30 +0000 (16:51 -0700)
The patch initializes AUTH related members of the generic SCTP
structures and provides a way to enable/disable auth extension.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sctp/associola.c
net/sctp/endpointola.c
net/sctp/output.c
net/sctp/protocol.c
net/sctp/sysctl.c

index 9bad8ba0feda9610d55c088153d3921ff8b69156..ee4b212e66b1412b1c63f0e4eb274f846a2f110e 100644 (file)
@@ -74,6 +74,8 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
 {
        struct sctp_sock *sp;
        int i;
+       sctp_paramhdr_t *p;
+       int err;
 
        /* Retrieve the SCTP per socket area.  */
        sp = sctp_sk((struct sock *)sk);
@@ -298,6 +300,30 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
        asoc->default_timetolive = sp->default_timetolive;
        asoc->default_rcv_context = sp->default_rcv_context;
 
+       /* AUTH related initializations */
+       INIT_LIST_HEAD(&asoc->endpoint_shared_keys);
+       err = sctp_auth_asoc_copy_shkeys(ep, asoc, gfp);
+       if (err)
+               goto fail_init;
+
+       asoc->active_key_id = ep->active_key_id;
+       asoc->asoc_shared_key = NULL;
+
+       asoc->default_hmac_id = 0;
+       /* Save the hmacs and chunks list into this association */
+       if (ep->auth_hmacs_list)
+               memcpy(asoc->c.auth_hmacs, ep->auth_hmacs_list,
+                       ntohs(ep->auth_hmacs_list->param_hdr.length));
+       if (ep->auth_chunk_list)
+               memcpy(asoc->c.auth_chunks, ep->auth_chunk_list,
+                       ntohs(ep->auth_chunk_list->param_hdr.length));
+
+       /* Get the AUTH random number for this association */
+       p = (sctp_paramhdr_t *)asoc->c.auth_random;
+       p->type = SCTP_PARAM_RANDOM;
+       p->length = htons(sizeof(sctp_paramhdr_t) + SCTP_AUTH_RANDOM_LENGTH);
+       get_random_bytes(p+1, SCTP_AUTH_RANDOM_LENGTH);
+
        return asoc;
 
 fail_init:
@@ -407,6 +433,12 @@ void sctp_association_free(struct sctp_association *asoc)
        if (asoc->addip_last_asconf)
                sctp_chunk_free(asoc->addip_last_asconf);
 
+       /* AUTH - Free the endpoint shared keys */
+       sctp_auth_destroy_keys(&asoc->endpoint_shared_keys);
+
+       /* AUTH - Free the association shared key */
+       sctp_auth_key_put(asoc->asoc_shared_key);
+
        sctp_association_put(asoc);
 }
 
@@ -1112,6 +1144,8 @@ void sctp_assoc_update(struct sctp_association *asoc,
                        sctp_assoc_set_id(asoc, GFP_ATOMIC);
                }
        }
+
+       /* SCTP-AUTH: XXX something needs to be done here*/
 }
 
 /* Update the retran path for sending a retransmitted packet.
index 22371185efb64bebfc669126ba7ee24606c9f546..c8d5023606a56d1aae65237d5fc99cf1cc00dd69 100644 (file)
@@ -69,12 +69,56 @@ static struct sctp_endpoint *sctp_endpoint_init(struct sctp_endpoint *ep,
                                                struct sock *sk,
                                                gfp_t gfp)
 {
+       struct sctp_hmac_algo_param *auth_hmacs = NULL;
+       struct sctp_chunks_param *auth_chunks = NULL;
+       struct sctp_shared_key *null_key;
+       int err;
+
        memset(ep, 0, sizeof(struct sctp_endpoint));
 
        ep->digest = kzalloc(SCTP_SIGNATURE_SIZE, gfp);
        if (!ep->digest)
                return NULL;
 
+       if (sctp_auth_enable) {
+               /* Allocate space for HMACS and CHUNKS authentication
+                * variables.  There are arrays that we encode directly
+                * into parameters to make the rest of the operations easier.
+                */
+               auth_hmacs = kzalloc(sizeof(sctp_hmac_algo_param_t) +
+                               sizeof(__u16) * SCTP_AUTH_NUM_HMACS, gfp);
+               if (!auth_hmacs)
+                       goto nomem;
+
+               auth_chunks = kzalloc(sizeof(sctp_chunks_param_t) +
+                                       SCTP_NUM_CHUNK_TYPES, gfp);
+               if (!auth_chunks)
+                       goto nomem;
+
+               /* Initialize the HMACS parameter.
+                * SCTP-AUTH: Section 3.3
+                *    Every endpoint supporting SCTP chunk authentication MUST
+                *    support the HMAC based on the SHA-1 algorithm.
+                */
+               auth_hmacs->param_hdr.type = SCTP_PARAM_HMAC_ALGO;
+               auth_hmacs->param_hdr.length =
+                                       htons(sizeof(sctp_paramhdr_t) + 2);
+               auth_hmacs->hmac_ids[0] = htons(SCTP_AUTH_HMAC_ID_SHA1);
+
+               /* Initialize the CHUNKS parameter */
+               auth_chunks->param_hdr.type = SCTP_PARAM_CHUNKS;
+
+               /* If the Add-IP functionality is enabled, we must
+                * authenticate, ASCONF and ASCONF-ACK chunks
+                */
+               if (sctp_addip_enable) {
+                       auth_chunks->chunks[0] = SCTP_CID_ASCONF;
+                       auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK;
+                       auth_chunks->param_hdr.length =
+                                       htons(sizeof(sctp_paramhdr_t) + 2);
+               }
+       }
+
        /* Initialize the base structure. */
        /* What type of endpoint are we?  */
        ep->base.type = SCTP_EP_TYPE_SOCKET;
@@ -114,7 +158,36 @@ static struct sctp_endpoint *sctp_endpoint_init(struct sctp_endpoint *ep,
        ep->last_key = ep->current_key = 0;
        ep->key_changed_at = jiffies;
 
+       /* SCTP-AUTH extensions*/
+       INIT_LIST_HEAD(&ep->endpoint_shared_keys);
+       null_key = sctp_auth_shkey_create(0, GFP_KERNEL);
+       if (!null_key)
+               goto nomem;
+
+       list_add(&null_key->key_list, &ep->endpoint_shared_keys);
+
+       /* Allocate and initialize transorms arrays for suported HMACs. */
+       err = sctp_auth_init_hmacs(ep, gfp);
+       if (err)
+               goto nomem_hmacs;
+
+       /* Add the null key to the endpoint shared keys list and
+        * set the hmcas and chunks pointers.
+        */
+       ep->auth_hmacs_list = auth_hmacs;
+       ep->auth_chunk_list = auth_chunks;
+
        return ep;
+
+nomem_hmacs:
+       sctp_auth_destroy_keys(&ep->endpoint_shared_keys);
+nomem:
+       /* Free all allocations */
+       kfree(auth_hmacs);
+       kfree(auth_chunks);
+       kfree(ep->digest);
+       return NULL;
+
 }
 
 /* Create a sctp_endpoint with all that boring stuff initialized.
@@ -187,6 +260,16 @@ static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
        /* Free the digest buffer */
        kfree(ep->digest);
 
+       /* SCTP-AUTH: Free up AUTH releated data such as shared keys
+        * chunks and hmacs arrays that were allocated
+        */
+       sctp_auth_destroy_keys(&ep->endpoint_shared_keys);
+       kfree(ep->auth_hmacs_list);
+       kfree(ep->auth_chunk_list);
+
+       /* AUTH - Free any allocated HMAC transform containers */
+       sctp_auth_destroy_hmacs(ep->auth_hmacs);
+
        /* Cleanup. */
        sctp_inq_free(&ep->base.inqueue);
        sctp_bind_addr_free(&ep->base.bind_addr);
index d85543def75474d1c55750c882e0253652d178e3..49b9f5f031a43199a68a462f2db7bff3c008ce15 100644 (file)
@@ -79,7 +79,9 @@ struct sctp_packet *sctp_packet_config(struct sctp_packet *packet,
        packet->vtag = vtag;
        packet->has_cookie_echo = 0;
        packet->has_sack = 0;
+       packet->has_auth = 0;
        packet->ipfragok = 0;
+       packet->auth = NULL;
 
        if (ecn_capable && sctp_packet_empty(packet)) {
                chunk = sctp_get_ecne_prepend(packet->transport->asoc);
@@ -121,8 +123,10 @@ struct sctp_packet *sctp_packet_init(struct sctp_packet *packet,
        packet->vtag = 0;
        packet->has_cookie_echo = 0;
        packet->has_sack = 0;
+       packet->has_auth = 0;
        packet->ipfragok = 0;
        packet->malloced = 0;
+       packet->auth = NULL;
        return packet;
 }
 
index 3ec8b12b6da458c74a75fc4e746a33cf58ba034a..4e6b59e8b6954bea3bba59dbe3291c94eb5ebae0 100644 (file)
@@ -1185,6 +1185,9 @@ SCTP_STATIC __init int sctp_init(void)
        /* Enable PR-SCTP by default. */
        sctp_prsctp_enable = 1;
 
+       /* Disable AUTH by default. */
+       sctp_auth_enable = 0;
+
        sctp_sysctl_register();
 
        INIT_LIST_HEAD(&sctp_address_families);
index 39b10ee2f0178941b318ec783c661e96f766a74a..0669778e4335aeb22911315882084b6189612ff5 100644 (file)
@@ -254,6 +254,15 @@ static ctl_table sctp_table[] = {
                .mode           = 0644,
                .proc_handler   = &proc_dointvec,
        },
+       {
+               .ctl_name       = CTL_UNNUMBERED,
+               .procname       = "auth_enable",
+               .data           = &sctp_auth_enable,
+               .maxlen         = sizeof(int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec,
+               .strategy       = &sysctl_intvec
+       },
        { .ctl_name = 0 }
 };