[SCTP]: Implement SCTP-AUTH initializations.
The patch initializes AUTH related members of the generic SCTP structures and provides a way to enable/disable auth extension. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
1f485649f5
commit
a29a5bd4f5
5 changed files with 133 additions and 0 deletions
|
@ -74,6 +74,8 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
|
||||||
{
|
{
|
||||||
struct sctp_sock *sp;
|
struct sctp_sock *sp;
|
||||||
int i;
|
int i;
|
||||||
|
sctp_paramhdr_t *p;
|
||||||
|
int err;
|
||||||
|
|
||||||
/* Retrieve the SCTP per socket area. */
|
/* Retrieve the SCTP per socket area. */
|
||||||
sp = sctp_sk((struct sock *)sk);
|
sp = sctp_sk((struct sock *)sk);
|
||||||
|
@ -298,6 +300,30 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
|
||||||
asoc->default_timetolive = sp->default_timetolive;
|
asoc->default_timetolive = sp->default_timetolive;
|
||||||
asoc->default_rcv_context = sp->default_rcv_context;
|
asoc->default_rcv_context = sp->default_rcv_context;
|
||||||
|
|
||||||
|
/* AUTH related initializations */
|
||||||
|
INIT_LIST_HEAD(&asoc->endpoint_shared_keys);
|
||||||
|
err = sctp_auth_asoc_copy_shkeys(ep, asoc, gfp);
|
||||||
|
if (err)
|
||||||
|
goto fail_init;
|
||||||
|
|
||||||
|
asoc->active_key_id = ep->active_key_id;
|
||||||
|
asoc->asoc_shared_key = NULL;
|
||||||
|
|
||||||
|
asoc->default_hmac_id = 0;
|
||||||
|
/* Save the hmacs and chunks list into this association */
|
||||||
|
if (ep->auth_hmacs_list)
|
||||||
|
memcpy(asoc->c.auth_hmacs, ep->auth_hmacs_list,
|
||||||
|
ntohs(ep->auth_hmacs_list->param_hdr.length));
|
||||||
|
if (ep->auth_chunk_list)
|
||||||
|
memcpy(asoc->c.auth_chunks, ep->auth_chunk_list,
|
||||||
|
ntohs(ep->auth_chunk_list->param_hdr.length));
|
||||||
|
|
||||||
|
/* Get the AUTH random number for this association */
|
||||||
|
p = (sctp_paramhdr_t *)asoc->c.auth_random;
|
||||||
|
p->type = SCTP_PARAM_RANDOM;
|
||||||
|
p->length = htons(sizeof(sctp_paramhdr_t) + SCTP_AUTH_RANDOM_LENGTH);
|
||||||
|
get_random_bytes(p+1, SCTP_AUTH_RANDOM_LENGTH);
|
||||||
|
|
||||||
return asoc;
|
return asoc;
|
||||||
|
|
||||||
fail_init:
|
fail_init:
|
||||||
|
@ -407,6 +433,12 @@ void sctp_association_free(struct sctp_association *asoc)
|
||||||
if (asoc->addip_last_asconf)
|
if (asoc->addip_last_asconf)
|
||||||
sctp_chunk_free(asoc->addip_last_asconf);
|
sctp_chunk_free(asoc->addip_last_asconf);
|
||||||
|
|
||||||
|
/* AUTH - Free the endpoint shared keys */
|
||||||
|
sctp_auth_destroy_keys(&asoc->endpoint_shared_keys);
|
||||||
|
|
||||||
|
/* AUTH - Free the association shared key */
|
||||||
|
sctp_auth_key_put(asoc->asoc_shared_key);
|
||||||
|
|
||||||
sctp_association_put(asoc);
|
sctp_association_put(asoc);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1112,6 +1144,8 @@ void sctp_assoc_update(struct sctp_association *asoc,
|
||||||
sctp_assoc_set_id(asoc, GFP_ATOMIC);
|
sctp_assoc_set_id(asoc, GFP_ATOMIC);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* SCTP-AUTH: XXX something needs to be done here*/
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Update the retran path for sending a retransmitted packet.
|
/* Update the retran path for sending a retransmitted packet.
|
||||||
|
|
|
@ -69,12 +69,56 @@ static struct sctp_endpoint *sctp_endpoint_init(struct sctp_endpoint *ep,
|
||||||
struct sock *sk,
|
struct sock *sk,
|
||||||
gfp_t gfp)
|
gfp_t gfp)
|
||||||
{
|
{
|
||||||
|
struct sctp_hmac_algo_param *auth_hmacs = NULL;
|
||||||
|
struct sctp_chunks_param *auth_chunks = NULL;
|
||||||
|
struct sctp_shared_key *null_key;
|
||||||
|
int err;
|
||||||
|
|
||||||
memset(ep, 0, sizeof(struct sctp_endpoint));
|
memset(ep, 0, sizeof(struct sctp_endpoint));
|
||||||
|
|
||||||
ep->digest = kzalloc(SCTP_SIGNATURE_SIZE, gfp);
|
ep->digest = kzalloc(SCTP_SIGNATURE_SIZE, gfp);
|
||||||
if (!ep->digest)
|
if (!ep->digest)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
|
if (sctp_auth_enable) {
|
||||||
|
/* Allocate space for HMACS and CHUNKS authentication
|
||||||
|
* variables. There are arrays that we encode directly
|
||||||
|
* into parameters to make the rest of the operations easier.
|
||||||
|
*/
|
||||||
|
auth_hmacs = kzalloc(sizeof(sctp_hmac_algo_param_t) +
|
||||||
|
sizeof(__u16) * SCTP_AUTH_NUM_HMACS, gfp);
|
||||||
|
if (!auth_hmacs)
|
||||||
|
goto nomem;
|
||||||
|
|
||||||
|
auth_chunks = kzalloc(sizeof(sctp_chunks_param_t) +
|
||||||
|
SCTP_NUM_CHUNK_TYPES, gfp);
|
||||||
|
if (!auth_chunks)
|
||||||
|
goto nomem;
|
||||||
|
|
||||||
|
/* Initialize the HMACS parameter.
|
||||||
|
* SCTP-AUTH: Section 3.3
|
||||||
|
* Every endpoint supporting SCTP chunk authentication MUST
|
||||||
|
* support the HMAC based on the SHA-1 algorithm.
|
||||||
|
*/
|
||||||
|
auth_hmacs->param_hdr.type = SCTP_PARAM_HMAC_ALGO;
|
||||||
|
auth_hmacs->param_hdr.length =
|
||||||
|
htons(sizeof(sctp_paramhdr_t) + 2);
|
||||||
|
auth_hmacs->hmac_ids[0] = htons(SCTP_AUTH_HMAC_ID_SHA1);
|
||||||
|
|
||||||
|
/* Initialize the CHUNKS parameter */
|
||||||
|
auth_chunks->param_hdr.type = SCTP_PARAM_CHUNKS;
|
||||||
|
|
||||||
|
/* If the Add-IP functionality is enabled, we must
|
||||||
|
* authenticate, ASCONF and ASCONF-ACK chunks
|
||||||
|
*/
|
||||||
|
if (sctp_addip_enable) {
|
||||||
|
auth_chunks->chunks[0] = SCTP_CID_ASCONF;
|
||||||
|
auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK;
|
||||||
|
auth_chunks->param_hdr.length =
|
||||||
|
htons(sizeof(sctp_paramhdr_t) + 2);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* Initialize the base structure. */
|
/* Initialize the base structure. */
|
||||||
/* What type of endpoint are we? */
|
/* What type of endpoint are we? */
|
||||||
ep->base.type = SCTP_EP_TYPE_SOCKET;
|
ep->base.type = SCTP_EP_TYPE_SOCKET;
|
||||||
|
@ -114,7 +158,36 @@ static struct sctp_endpoint *sctp_endpoint_init(struct sctp_endpoint *ep,
|
||||||
ep->last_key = ep->current_key = 0;
|
ep->last_key = ep->current_key = 0;
|
||||||
ep->key_changed_at = jiffies;
|
ep->key_changed_at = jiffies;
|
||||||
|
|
||||||
|
/* SCTP-AUTH extensions*/
|
||||||
|
INIT_LIST_HEAD(&ep->endpoint_shared_keys);
|
||||||
|
null_key = sctp_auth_shkey_create(0, GFP_KERNEL);
|
||||||
|
if (!null_key)
|
||||||
|
goto nomem;
|
||||||
|
|
||||||
|
list_add(&null_key->key_list, &ep->endpoint_shared_keys);
|
||||||
|
|
||||||
|
/* Allocate and initialize transorms arrays for suported HMACs. */
|
||||||
|
err = sctp_auth_init_hmacs(ep, gfp);
|
||||||
|
if (err)
|
||||||
|
goto nomem_hmacs;
|
||||||
|
|
||||||
|
/* Add the null key to the endpoint shared keys list and
|
||||||
|
* set the hmcas and chunks pointers.
|
||||||
|
*/
|
||||||
|
ep->auth_hmacs_list = auth_hmacs;
|
||||||
|
ep->auth_chunk_list = auth_chunks;
|
||||||
|
|
||||||
return ep;
|
return ep;
|
||||||
|
|
||||||
|
nomem_hmacs:
|
||||||
|
sctp_auth_destroy_keys(&ep->endpoint_shared_keys);
|
||||||
|
nomem:
|
||||||
|
/* Free all allocations */
|
||||||
|
kfree(auth_hmacs);
|
||||||
|
kfree(auth_chunks);
|
||||||
|
kfree(ep->digest);
|
||||||
|
return NULL;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Create a sctp_endpoint with all that boring stuff initialized.
|
/* Create a sctp_endpoint with all that boring stuff initialized.
|
||||||
|
@ -187,6 +260,16 @@ static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
|
||||||
/* Free the digest buffer */
|
/* Free the digest buffer */
|
||||||
kfree(ep->digest);
|
kfree(ep->digest);
|
||||||
|
|
||||||
|
/* SCTP-AUTH: Free up AUTH releated data such as shared keys
|
||||||
|
* chunks and hmacs arrays that were allocated
|
||||||
|
*/
|
||||||
|
sctp_auth_destroy_keys(&ep->endpoint_shared_keys);
|
||||||
|
kfree(ep->auth_hmacs_list);
|
||||||
|
kfree(ep->auth_chunk_list);
|
||||||
|
|
||||||
|
/* AUTH - Free any allocated HMAC transform containers */
|
||||||
|
sctp_auth_destroy_hmacs(ep->auth_hmacs);
|
||||||
|
|
||||||
/* Cleanup. */
|
/* Cleanup. */
|
||||||
sctp_inq_free(&ep->base.inqueue);
|
sctp_inq_free(&ep->base.inqueue);
|
||||||
sctp_bind_addr_free(&ep->base.bind_addr);
|
sctp_bind_addr_free(&ep->base.bind_addr);
|
||||||
|
|
|
@ -79,7 +79,9 @@ struct sctp_packet *sctp_packet_config(struct sctp_packet *packet,
|
||||||
packet->vtag = vtag;
|
packet->vtag = vtag;
|
||||||
packet->has_cookie_echo = 0;
|
packet->has_cookie_echo = 0;
|
||||||
packet->has_sack = 0;
|
packet->has_sack = 0;
|
||||||
|
packet->has_auth = 0;
|
||||||
packet->ipfragok = 0;
|
packet->ipfragok = 0;
|
||||||
|
packet->auth = NULL;
|
||||||
|
|
||||||
if (ecn_capable && sctp_packet_empty(packet)) {
|
if (ecn_capable && sctp_packet_empty(packet)) {
|
||||||
chunk = sctp_get_ecne_prepend(packet->transport->asoc);
|
chunk = sctp_get_ecne_prepend(packet->transport->asoc);
|
||||||
|
@ -121,8 +123,10 @@ struct sctp_packet *sctp_packet_init(struct sctp_packet *packet,
|
||||||
packet->vtag = 0;
|
packet->vtag = 0;
|
||||||
packet->has_cookie_echo = 0;
|
packet->has_cookie_echo = 0;
|
||||||
packet->has_sack = 0;
|
packet->has_sack = 0;
|
||||||
|
packet->has_auth = 0;
|
||||||
packet->ipfragok = 0;
|
packet->ipfragok = 0;
|
||||||
packet->malloced = 0;
|
packet->malloced = 0;
|
||||||
|
packet->auth = NULL;
|
||||||
return packet;
|
return packet;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1185,6 +1185,9 @@ SCTP_STATIC __init int sctp_init(void)
|
||||||
/* Enable PR-SCTP by default. */
|
/* Enable PR-SCTP by default. */
|
||||||
sctp_prsctp_enable = 1;
|
sctp_prsctp_enable = 1;
|
||||||
|
|
||||||
|
/* Disable AUTH by default. */
|
||||||
|
sctp_auth_enable = 0;
|
||||||
|
|
||||||
sctp_sysctl_register();
|
sctp_sysctl_register();
|
||||||
|
|
||||||
INIT_LIST_HEAD(&sctp_address_families);
|
INIT_LIST_HEAD(&sctp_address_families);
|
||||||
|
|
|
@ -254,6 +254,15 @@ static ctl_table sctp_table[] = {
|
||||||
.mode = 0644,
|
.mode = 0644,
|
||||||
.proc_handler = &proc_dointvec,
|
.proc_handler = &proc_dointvec,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
.ctl_name = CTL_UNNUMBERED,
|
||||||
|
.procname = "auth_enable",
|
||||||
|
.data = &sctp_auth_enable,
|
||||||
|
.maxlen = sizeof(int),
|
||||||
|
.mode = 0644,
|
||||||
|
.proc_handler = &proc_dointvec,
|
||||||
|
.strategy = &sysctl_intvec
|
||||||
|
},
|
||||||
{ .ctl_name = 0 }
|
{ .ctl_name = 0 }
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue