Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge branch 'sctp-convert-to-use-crypto-lib-and-upgrade-cookie-auth'
Eric Biggers says:
====================
sctp: Convert to use crypto lib, and upgrade cookie auth
This series converts SCTP chunk and cookie authentication to use the
crypto library API instead of crypto_shash. This is much simpler (the
diffstat should speak for itself), and also faster too. In addition,
this series upgrades the cookie authentication to use HMAC-SHA256.
I've tested that kernels with this series applied can continue to
communicate using SCTP with older ones, in either direction, using any
choice of None, HMAC-SHA1, or HMAC-SHA256 chunk authentication.
====================
Link: https://patch.msgid.link/20250818205426.30222-1-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+123
-361
+2
-8
Documentation/networking/ip-sysctl.rst
+2
-8
Documentation/networking/ip-sysctl.rst
···
3508
3508
a listening sctp socket to a connecting client in the INIT-ACK chunk.
3509
3509
Valid values are:
3510
3510
3511
-
* md5
3512
-
* sha1
3511
+
* sha256
3513
3512
* none
3514
3513
3515
-
Ability to assign md5 or sha1 as the selected alg is predicated on the
3516
-
configuration of those algorithms at build time (CONFIG_CRYPTO_MD5 and
3517
-
CONFIG_CRYPTO_SHA1).
3518
-
3519
-
Default: Dependent on configuration. MD5 if available, else SHA1 if
3520
-
available, else none.
3514
+
Default: sha256
3521
3515
3522
3516
rcvbuf_policy - INTEGER
3523
3517
Determines if the receive buffer is attributed to the socket or to
+2
-2
include/net/netns/sctp.h
+2
-2
include/net/netns/sctp.h
···
75
75
/* Whether Cookie Preservative is enabled(1) or not(0) */
76
76
int cookie_preserve_enable;
77
77
78
-
/* The namespace default hmac alg */
79
-
char *sctp_hmac_alg;
78
+
/* Whether cookie authentication is enabled(1) or not(0) */
79
+
int cookie_auth_enable;
80
80
81
81
/* Valid.Cookie.Life - 60 seconds */
82
82
unsigned int valid_cookie_life;
+6
-11
include/net/sctp/auth.h
+6
-11
include/net/sctp/auth.h
···
22
22
struct sctp_association;
23
23
struct sctp_authkey;
24
24
struct sctp_hmacalgo;
25
-
struct crypto_shash;
26
25
27
-
/*
28
-
* Define a generic struct that will hold all the info
29
-
* necessary for an HMAC transform
30
-
*/
26
+
/* Defines an HMAC algorithm supported by SCTP chunk authentication */
31
27
struct sctp_hmac {
32
-
__u16 hmac_id; /* one of the above ids */
33
-
char *hmac_name; /* name for loading */
34
-
__u16 hmac_len; /* length of the signature */
28
+
__u16 hmac_id; /* one of SCTP_AUTH_HMAC_ID_* */
29
+
__u16 hmac_len; /* length of the HMAC value in bytes */
35
30
};
36
31
37
32
/* This is generic structure that containst authentication bytes used
···
73
78
struct sctp_association *asoc,
74
79
gfp_t gfp);
75
80
int sctp_auth_init_hmacs(struct sctp_endpoint *ep, gfp_t gfp);
76
-
void sctp_auth_destroy_hmacs(struct crypto_shash *auth_hmacs[]);
77
-
struct sctp_hmac *sctp_auth_get_hmac(__u16 hmac_id);
78
-
struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc);
81
+
const struct sctp_hmac *sctp_auth_get_hmac(__u16 hmac_id);
82
+
const struct sctp_hmac *
83
+
sctp_auth_asoc_get_hmac(const struct sctp_association *asoc);
79
84
void sctp_auth_asoc_set_default_hmac(struct sctp_association *asoc,
80
85
struct sctp_hmac_algo_param *hmacs);
81
86
int sctp_auth_asoc_verify_hmac_id(const struct sctp_association *asoc,
+2
-7
include/net/sctp/constants.h
+2
-7
include/net/sctp/constants.h
···
296
296
*/
297
297
#define SCTP_DEFAULT_MINSEGMENT 512 /* MTU size ... if no mtu disc */
298
298
299
-
#define SCTP_SECRET_SIZE 32 /* Number of octets in a 256 bits. */
300
-
301
-
#define SCTP_SIGNATURE_SIZE 20 /* size of a SLA-1 signature */
299
+
#define SCTP_COOKIE_KEY_SIZE 32 /* size of cookie HMAC key */
300
+
#define SCTP_COOKIE_MAC_SIZE 32 /* size of HMAC field in cookies */
302
301
303
302
#define SCTP_COOKIE_MULTIPLE 32 /* Pad out our cookie to make our hash
304
303
* functions simpler to write.
···
416
417
SCTP_AUTH_HMAC_ID_RESERVED_0,
417
418
SCTP_AUTH_HMAC_ID_SHA1,
418
419
SCTP_AUTH_HMAC_ID_RESERVED_2,
419
-
#if defined (CONFIG_CRYPTO_SHA256) || defined (CONFIG_CRYPTO_SHA256_MODULE)
420
420
SCTP_AUTH_HMAC_ID_SHA256,
421
-
#endif
422
421
__SCTP_AUTH_HMAC_MAX
423
422
};
424
423
425
424
#define SCTP_AUTH_HMAC_ID_MAX __SCTP_AUTH_HMAC_MAX - 1
426
425
#define SCTP_AUTH_NUM_HMACS __SCTP_AUTH_HMAC_MAX
427
-
#define SCTP_SHA1_SIG_SIZE 20
428
-
#define SCTP_SHA256_SIG_SIZE 32
429
426
430
427
/* SCTP-AUTH, Section 3.2
431
428
* The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE and AUTH chunks
+6
-27
include/net/sctp/structs.h
+6
-27
include/net/sctp/structs.h
···
32
32
#ifndef __sctp_structs_h__
33
33
#define __sctp_structs_h__
34
34
35
+
#include <crypto/sha2.h>
35
36
#include <linux/ktime.h>
36
37
#include <linux/generic-radix-tree.h>
37
38
#include <linux/rhashtable-types.h>
···
69
68
struct sctp_bind_addr;
70
69
struct sctp_ulpq;
71
70
struct sctp_ep_common;
72
-
struct crypto_shash;
73
71
struct sctp_stream;
74
72
75
73
···
155
155
/* PF_ family specific functions. */
156
156
struct sctp_pf *pf;
157
157
158
-
/* Access to HMAC transform. */
159
-
struct crypto_shash *hmac;
160
-
char *sctp_hmac_alg;
161
-
162
158
/* What is our base endpointer? */
163
159
struct sctp_endpoint *ep;
164
160
···
223
227
frag_interleave:1,
224
228
recvrcvinfo:1,
225
229
recvnxtinfo:1,
226
-
data_ready_signalled:1;
230
+
data_ready_signalled:1,
231
+
cookie_auth_enable:1;
227
232
228
233
atomic_t pd_mode;
229
234
···
332
335
333
336
/* The format of our cookie that we send to our peer. */
334
337
struct sctp_signed_cookie {
335
-
__u8 signature[SCTP_SECRET_SIZE];
338
+
__u8 mac[SCTP_COOKIE_MAC_SIZE];
336
339
__u32 __pad; /* force sctp_cookie alignment to 64 bits */
337
340
struct sctp_cookie c;
338
341
} __packed;
···
1304
1307
/* This is really a list of struct sctp_association entries. */
1305
1308
struct list_head asocs;
1306
1309
1307
-
/* Secret Key: A secret key used by this endpoint to compute
1308
-
* the MAC. This SHOULD be a cryptographic quality
1309
-
* random number with a sufficient length.
1310
-
* Discussion in [RFC1750] can be helpful in
1311
-
* selection of the key.
1312
-
*/
1313
-
__u8 secret_key[SCTP_SECRET_SIZE];
1310
+
/* Cookie authentication key used by this endpoint */
1311
+
struct hmac_sha256_key cookie_auth_key;
1314
1312
1315
-
/* digest: This is a digest of the sctp cookie. This field is
1316
-
* only used on the receive path when we try to validate
1317
-
* that the cookie has not been tampered with. We put
1318
-
* this here so we pre-allocate this once and can re-use
1319
-
* on every receive.
1320
-
*/
1321
-
__u8 *digest;
1322
-
1323
1313
/* sendbuf acct. policy. */
1324
1314
__u32 sndbuf_policy;
1325
1315
1326
1316
/* rcvbuf acct. policy. */
1327
1317
__u32 rcvbuf_policy;
1328
-
1329
-
/* SCTP AUTH: array of the HMACs that will be allocated
1330
-
* we need this per association so that we don't serialize
1331
-
*/
1332
-
struct crypto_shash **auth_hmacs;
1333
1318
1334
1319
/* SCTP-AUTH: hmacs for the endpoint encoded into parameter */
1335
1320
struct sctp_hmac_algo_param *auth_hmacs_list;
+13
-34
net/sctp/Kconfig
+13
-34
net/sctp/Kconfig
···
7
7
tristate "The SCTP Protocol"
8
8
depends on INET
9
9
depends on IPV6 || IPV6=n
10
-
select CRYPTO
11
-
select CRYPTO_HMAC
12
-
select CRYPTO_SHA1
10
+
select CRYPTO_LIB_SHA1
11
+
select CRYPTO_LIB_SHA256
12
+
select CRYPTO_LIB_UTILS
13
13
select NET_CRC32C
14
14
select NET_UDP_TUNNEL
15
15
help
···
49
49
'cat /proc/net/sctp/sctp_dbg_objcnt'
50
50
51
51
If unsure, say N
52
+
52
53
choice
53
-
prompt "Default SCTP cookie HMAC encoding"
54
-
default SCTP_DEFAULT_COOKIE_HMAC_MD5
54
+
prompt "Default SCTP cookie authentication method"
55
+
default SCTP_DEFAULT_COOKIE_HMAC_SHA256
55
56
help
56
-
This option sets the default sctp cookie hmac algorithm
57
-
when in doubt select 'md5'
57
+
This option sets the default SCTP cookie authentication method, for
58
+
when a method hasn't been explicitly selected via the
59
+
net.sctp.cookie_hmac_alg sysctl.
58
60
59
-
config SCTP_DEFAULT_COOKIE_HMAC_MD5
60
-
bool "Enable optional MD5 hmac cookie generation"
61
-
help
62
-
Enable optional MD5 hmac based SCTP cookie generation
63
-
select SCTP_COOKIE_HMAC_MD5
61
+
If unsure, choose the default (HMAC-SHA256).
64
62
65
-
config SCTP_DEFAULT_COOKIE_HMAC_SHA1
66
-
bool "Enable optional SHA1 hmac cookie generation"
67
-
help
68
-
Enable optional SHA1 hmac based SCTP cookie generation
69
-
select SCTP_COOKIE_HMAC_SHA1
63
+
config SCTP_DEFAULT_COOKIE_HMAC_SHA256
64
+
bool "HMAC-SHA256"
70
65
71
66
config SCTP_DEFAULT_COOKIE_HMAC_NONE
72
-
bool "Use no hmac alg in SCTP cookie generation"
73
-
help
74
-
Use no hmac algorithm in SCTP cookie generation
67
+
bool "None"
75
68
76
69
endchoice
77
-
78
-
config SCTP_COOKIE_HMAC_MD5
79
-
bool "Enable optional MD5 hmac cookie generation"
80
-
help
81
-
Enable optional MD5 hmac based SCTP cookie generation
82
-
select CRYPTO_HMAC if SCTP_COOKIE_HMAC_MD5
83
-
select CRYPTO_MD5 if SCTP_COOKIE_HMAC_MD5
84
-
85
-
config SCTP_COOKIE_HMAC_SHA1
86
-
bool "Enable optional SHA1 hmac cookie generation"
87
-
help
88
-
Enable optional SHA1 hmac based SCTP cookie generation
89
-
select CRYPTO_HMAC if SCTP_COOKIE_HMAC_SHA1
90
-
select CRYPTO_SHA1 if SCTP_COOKIE_HMAC_SHA1
91
70
92
71
config INET_SCTP_DIAG
93
72
depends on INET_DIAG
+29
-137
net/sctp/auth.c
+29
-137
net/sctp/auth.c
···
12
12
* Vlad Yasevich <vladislav.yasevich@hp.com>
13
13
*/
14
14
15
-
#include <crypto/hash.h>
15
+
#include <crypto/sha1.h>
16
+
#include <crypto/sha2.h>
16
17
#include <linux/slab.h>
17
18
#include <linux/types.h>
18
-
#include <linux/scatterlist.h>
19
19
#include <net/sctp/sctp.h>
20
20
#include <net/sctp/auth.h>
21
21
22
-
static struct sctp_hmac sctp_hmac_list[SCTP_AUTH_NUM_HMACS] = {
22
+
static const struct sctp_hmac sctp_hmac_list[SCTP_AUTH_NUM_HMACS] = {
23
23
{
24
24
/* id 0 is reserved. as all 0 */
25
25
.hmac_id = SCTP_AUTH_HMAC_ID_RESERVED_0,
26
26
},
27
27
{
28
28
.hmac_id = SCTP_AUTH_HMAC_ID_SHA1,
29
-
.hmac_name = "hmac(sha1)",
30
-
.hmac_len = SCTP_SHA1_SIG_SIZE,
29
+
.hmac_len = SHA1_DIGEST_SIZE,
31
30
},
32
31
{
33
32
/* id 2 is reserved as well */
34
33
.hmac_id = SCTP_AUTH_HMAC_ID_RESERVED_2,
35
34
},
36
-
#if IS_ENABLED(CONFIG_CRYPTO_SHA256)
37
35
{
38
36
.hmac_id = SCTP_AUTH_HMAC_ID_SHA256,
39
-
.hmac_name = "hmac(sha256)",
40
-
.hmac_len = SCTP_SHA256_SIG_SIZE,
37
+
.hmac_len = SHA256_DIGEST_SIZE,
41
38
}
42
-
#endif
43
39
};
44
40
41
+
static bool sctp_hmac_supported(__u16 hmac_id)
42
+
{
43
+
return hmac_id < ARRAY_SIZE(sctp_hmac_list) &&
44
+
sctp_hmac_list[hmac_id].hmac_len != 0;
45
+
}
45
46
46
47
void sctp_auth_key_put(struct sctp_auth_bytes *key)
47
48
{
···
445
444
return NULL;
446
445
}
447
446
448
-
/*
449
-
* Initialize all the possible digest transforms that we can use. Right
450
-
* now, the supported digests are SHA1 and SHA256. We do this here once
451
-
* because of the restrictiong that transforms may only be allocated in
452
-
* user context. This forces us to pre-allocated all possible transforms
453
-
* at the endpoint init time.
454
-
*/
455
-
int sctp_auth_init_hmacs(struct sctp_endpoint *ep, gfp_t gfp)
456
-
{
457
-
struct crypto_shash *tfm = NULL;
458
-
__u16 id;
459
-
460
-
/* If the transforms are already allocated, we are done */
461
-
if (ep->auth_hmacs)
462
-
return 0;
463
-
464
-
/* Allocated the array of pointers to transorms */
465
-
ep->auth_hmacs = kcalloc(SCTP_AUTH_NUM_HMACS,
466
-
sizeof(struct crypto_shash *),
467
-
gfp);
468
-
if (!ep->auth_hmacs)
469
-
return -ENOMEM;
470
-
471
-
for (id = 0; id < SCTP_AUTH_NUM_HMACS; id++) {
472
-
473
-
/* See is we support the id. Supported IDs have name and
474
-
* length fields set, so that we can allocated and use
475
-
* them. We can safely just check for name, for without the
476
-
* name, we can't allocate the TFM.
477
-
*/
478
-
if (!sctp_hmac_list[id].hmac_name)
479
-
continue;
480
-
481
-
/* If this TFM has been allocated, we are all set */
482
-
if (ep->auth_hmacs[id])
483
-
continue;
484
-
485
-
/* Allocate the ID */
486
-
tfm = crypto_alloc_shash(sctp_hmac_list[id].hmac_name, 0, 0);
487
-
if (IS_ERR(tfm))
488
-
goto out_err;
489
-
490
-
ep->auth_hmacs[id] = tfm;
491
-
}
492
-
493
-
return 0;
494
-
495
-
out_err:
496
-
/* Clean up any successful allocations */
497
-
sctp_auth_destroy_hmacs(ep->auth_hmacs);
498
-
ep->auth_hmacs = NULL;
499
-
return -ENOMEM;
500
-
}
501
-
502
-
/* Destroy the hmac tfm array */
503
-
void sctp_auth_destroy_hmacs(struct crypto_shash *auth_hmacs[])
504
-
{
505
-
int i;
506
-
507
-
if (!auth_hmacs)
508
-
return;
509
-
510
-
for (i = 0; i < SCTP_AUTH_NUM_HMACS; i++) {
511
-
crypto_free_shash(auth_hmacs[i]);
512
-
}
513
-
kfree(auth_hmacs);
514
-
}
515
-
516
-
517
-
struct sctp_hmac *sctp_auth_get_hmac(__u16 hmac_id)
447
+
const struct sctp_hmac *sctp_auth_get_hmac(__u16 hmac_id)
518
448
{
519
449
return &sctp_hmac_list[hmac_id];
520
450
}
···
453
521
/* Get an hmac description information that we can use to build
454
522
* the AUTH chunk
455
523
*/
456
-
struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc)
524
+
const struct sctp_hmac *
525
+
sctp_auth_asoc_get_hmac(const struct sctp_association *asoc)
457
526
{
458
527
struct sctp_hmac_algo_param *hmacs;
459
528
__u16 n_elt;
···
476
543
sizeof(struct sctp_paramhdr)) >> 1;
477
544
for (i = 0; i < n_elt; i++) {
478
545
id = ntohs(hmacs->hmac_ids[i]);
479
-
480
-
/* Check the id is in the supported range. And
481
-
* see if we support the id. Supported IDs have name and
482
-
* length fields set, so that we can allocate and use
483
-
* them. We can safely just check for name, for without the
484
-
* name, we can't allocate the TFM.
485
-
*/
486
-
if (id > SCTP_AUTH_HMAC_ID_MAX ||
487
-
!sctp_hmac_list[id].hmac_name) {
488
-
id = 0;
489
-
continue;
490
-
}
491
-
492
-
break;
546
+
if (sctp_hmac_supported(id))
547
+
return &sctp_hmac_list[id];
493
548
}
494
-
495
-
if (id == 0)
496
-
return NULL;
497
-
498
-
return &sctp_hmac_list[id];
549
+
return NULL;
499
550
}
500
551
501
552
static int __sctp_auth_find_hmacid(__be16 *hmacs, int n_elts, __be16 hmac_id)
···
523
606
void sctp_auth_asoc_set_default_hmac(struct sctp_association *asoc,
524
607
struct sctp_hmac_algo_param *hmacs)
525
608
{
526
-
struct sctp_endpoint *ep;
527
609
__u16 id;
528
610
int i;
529
611
int n_params;
···
533
617
534
618
n_params = (ntohs(hmacs->param_hdr.length) -
535
619
sizeof(struct sctp_paramhdr)) >> 1;
536
-
ep = asoc->ep;
537
620
for (i = 0; i < n_params; i++) {
538
621
id = ntohs(hmacs->hmac_ids[i]);
539
-
540
-
/* Check the id is in the supported range */
541
-
if (id > SCTP_AUTH_HMAC_ID_MAX)
542
-
continue;
543
-
544
-
/* If this TFM has been allocated, use this id */
545
-
if (ep->auth_hmacs[id]) {
622
+
if (sctp_hmac_supported(id)) {
546
623
asoc->default_hmac_id = id;
547
624
break;
548
625
}
···
618
709
struct sctp_shared_key *ep_key, gfp_t gfp)
619
710
{
620
711
struct sctp_auth_bytes *asoc_key;
621
-
struct crypto_shash *tfm;
622
712
__u16 key_id, hmac_id;
623
-
unsigned char *end;
624
713
int free_key = 0;
714
+
size_t data_len;
625
715
__u8 *digest;
626
716
627
717
/* Extract the info we need:
···
641
733
free_key = 1;
642
734
}
643
735
644
-
/* set up scatter list */
645
-
end = skb_tail_pointer(skb);
646
-
647
-
tfm = asoc->ep->auth_hmacs[hmac_id];
648
-
736
+
data_len = skb_tail_pointer(skb) - (unsigned char *)auth;
649
737
digest = (u8 *)(&auth->auth_hdr + 1);
650
-
if (crypto_shash_setkey(tfm, &asoc_key->data[0], asoc_key->len))
651
-
goto free;
738
+
if (hmac_id == SCTP_AUTH_HMAC_ID_SHA1) {
739
+
hmac_sha1_usingrawkey(asoc_key->data, asoc_key->len,
740
+
(const u8 *)auth, data_len, digest);
741
+
} else {
742
+
WARN_ON_ONCE(hmac_id != SCTP_AUTH_HMAC_ID_SHA256);
743
+
hmac_sha256_usingrawkey(asoc_key->data, asoc_key->len,
744
+
(const u8 *)auth, data_len, digest);
745
+
}
652
746
653
-
crypto_shash_tfm_digest(tfm, (u8 *)auth, end - (unsigned char *)auth,
654
-
digest);
655
-
656
-
free:
657
747
if (free_key)
658
748
sctp_auth_key_put(asoc_key);
659
749
}
···
694
788
for (i = 0; i < hmacs->shmac_num_idents; i++) {
695
789
id = hmacs->shmac_idents[i];
696
790
697
-
if (id > SCTP_AUTH_HMAC_ID_MAX)
791
+
if (!sctp_hmac_supported(id))
698
792
return -EOPNOTSUPP;
699
793
700
794
if (SCTP_AUTH_HMAC_ID_SHA1 == id)
701
795
has_sha1 = 1;
702
-
703
-
if (!sctp_hmac_list[id].hmac_name)
704
-
return -EOPNOTSUPP;
705
796
}
706
797
707
798
if (!has_sha1)
···
924
1021
925
1022
int sctp_auth_init(struct sctp_endpoint *ep, gfp_t gfp)
926
1023
{
927
-
int err = -ENOMEM;
928
-
929
1024
/* Allocate space for HMACS and CHUNKS authentication
930
1025
* variables. There are arrays that we encode directly
931
1026
* into parameters to make the rest of the operations easier.
···
961
1060
ep->auth_chunk_list = auth_chunks;
962
1061
}
963
1062
964
-
/* Allocate and initialize transorms arrays for supported
965
-
* HMACs.
966
-
*/
967
-
err = sctp_auth_init_hmacs(ep, gfp);
968
-
if (err)
969
-
goto nomem;
970
-
971
1063
return 0;
972
1064
973
1065
nomem:
···
969
1075
kfree(ep->auth_chunk_list);
970
1076
ep->auth_hmacs_list = NULL;
971
1077
ep->auth_chunk_list = NULL;
972
-
return err;
1078
+
return -ENOMEM;
973
1079
}
974
1080
975
1081
void sctp_auth_free(struct sctp_endpoint *ep)
···
978
1084
kfree(ep->auth_chunk_list);
979
1085
ep->auth_hmacs_list = NULL;
980
1086
ep->auth_chunk_list = NULL;
981
-
sctp_auth_destroy_hmacs(ep->auth_hmacs);
982
-
ep->auth_hmacs = NULL;
983
1087
}
+2
-1
net/sctp/chunk.c
+2
-1
net/sctp/chunk.c
···
184
184
* DATA.
185
185
*/
186
186
if (sctp_auth_send_cid(SCTP_CID_DATA, asoc)) {
187
-
struct sctp_hmac *hmac_desc = sctp_auth_asoc_get_hmac(asoc);
187
+
const struct sctp_hmac *hmac_desc =
188
+
sctp_auth_asoc_get_hmac(asoc);
188
189
189
190
if (hmac_desc)
190
191
max_data -= SCTP_PAD4(sizeof(struct sctp_auth_chunk) +
+12
-11
net/sctp/endpointola.c
+12
-11
net/sctp/endpointola.c
···
35
35
/* Forward declarations for internal helpers. */
36
36
static void sctp_endpoint_bh_rcv(struct work_struct *work);
37
37
38
+
static void gen_cookie_auth_key(struct hmac_sha256_key *key)
39
+
{
40
+
u8 raw_key[SCTP_COOKIE_KEY_SIZE];
41
+
42
+
get_random_bytes(raw_key, sizeof(raw_key));
43
+
hmac_sha256_preparekey(key, raw_key, sizeof(raw_key));
44
+
memzero_explicit(raw_key, sizeof(raw_key));
45
+
}
46
+
38
47
/*
39
48
* Initialize the base fields of the endpoint structure.
40
49
*/
···
53
44
{
54
45
struct net *net = sock_net(sk);
55
46
struct sctp_shared_key *null_key;
56
-
57
-
ep->digest = kzalloc(SCTP_SIGNATURE_SIZE, gfp);
58
-
if (!ep->digest)
59
-
return NULL;
60
47
61
48
ep->asconf_enable = net->sctp.addip_enable;
62
49
ep->auth_enable = net->sctp.auth_enable;
···
95
90
/* Get the receive buffer policy for this endpoint */
96
91
ep->rcvbuf_policy = net->sctp.rcvbuf_policy;
97
92
98
-
/* Initialize the secret key used with cookie. */
99
-
get_random_bytes(ep->secret_key, sizeof(ep->secret_key));
93
+
/* Generate the cookie authentication key. */
94
+
gen_cookie_auth_key(&ep->cookie_auth_key);
100
95
101
96
/* SCTP-AUTH extensions*/
102
97
INIT_LIST_HEAD(&ep->endpoint_shared_keys);
···
123
118
nomem_shkey:
124
119
sctp_auth_free(ep);
125
120
nomem:
126
-
kfree(ep->digest);
127
121
return NULL;
128
122
129
123
}
···
209
205
return;
210
206
}
211
207
212
-
/* Free the digest buffer */
213
-
kfree(ep->digest);
214
-
215
208
/* SCTP-AUTH: Free up AUTH releated data such as shared keys
216
209
* chunks and hmacs arrays that were allocated
217
210
*/
···
219
218
sctp_inq_free(&ep->base.inqueue);
220
219
sctp_bind_addr_free(&ep->base.bind_addr);
221
220
222
-
memset(ep->secret_key, 0, sizeof(ep->secret_key));
221
+
memzero_explicit(&ep->cookie_auth_key, sizeof(ep->cookie_auth_key));
223
222
224
223
sk = ep->base.sk;
225
224
/* Remove and free the port */
+3
-8
net/sctp/protocol.c
+3
-8
net/sctp/protocol.c
···
1334
1334
/* Whether Cookie Preservative is enabled(1) or not(0) */
1335
1335
net->sctp.cookie_preserve_enable = 1;
1336
1336
1337
-
/* Default sctp sockets to use md5 as their hmac alg */
1338
-
#if defined (CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5)
1339
-
net->sctp.sctp_hmac_alg = "md5";
1340
-
#elif defined (CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1)
1341
-
net->sctp.sctp_hmac_alg = "sha1";
1342
-
#else
1343
-
net->sctp.sctp_hmac_alg = NULL;
1344
-
#endif
1337
+
/* Whether cookie authentication is enabled(1) or not(0) */
1338
+
net->sctp.cookie_auth_enable =
1339
+
!IS_ENABLED(CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE);
1345
1340
1346
1341
/* Max.Burst - 4 */
1347
1342
net->sctp.max_burst = SCTP_DEFAULT_MAX_BURST;
+19
-41
net/sctp/sm_make_chunk.c
+19
-41
net/sctp/sm_make_chunk.c
···
30
30
31
31
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
32
32
33
-
#include <crypto/hash.h>
33
+
#include <crypto/utils.h>
34
34
#include <linux/types.h>
35
35
#include <linux/kernel.h>
36
36
#include <linux/ip.h>
···
1319
1319
__u16 key_id)
1320
1320
{
1321
1321
struct sctp_authhdr auth_hdr;
1322
-
struct sctp_hmac *hmac_desc;
1322
+
const struct sctp_hmac *hmac_desc;
1323
1323
struct sctp_chunk *retval;
1324
1324
1325
1325
/* Get the first hmac that the peer told us to use */
···
1674
1674
* out on the network.
1675
1675
*/
1676
1676
retval = kzalloc(*cookie_len, GFP_ATOMIC);
1677
-
if (!retval)
1678
-
goto nodata;
1677
+
if (!retval) {
1678
+
*cookie_len = 0;
1679
+
return NULL;
1680
+
}
1679
1681
1680
1682
cookie = (struct sctp_signed_cookie *) retval->body;
1681
1683
···
1708
1706
memcpy((__u8 *)(cookie + 1) +
1709
1707
ntohs(init_chunk->chunk_hdr->length), raw_addrs, addrs_len);
1710
1708
1711
-
if (sctp_sk(ep->base.sk)->hmac) {
1712
-
struct crypto_shash *tfm = sctp_sk(ep->base.sk)->hmac;
1713
-
int err;
1714
-
1715
-
/* Sign the message. */
1716
-
err = crypto_shash_setkey(tfm, ep->secret_key,
1717
-
sizeof(ep->secret_key)) ?:
1718
-
crypto_shash_tfm_digest(tfm, (u8 *)&cookie->c, bodysize,
1719
-
cookie->signature);
1720
-
if (err)
1721
-
goto free_cookie;
1709
+
/* Sign the cookie, if cookie authentication is enabled. */
1710
+
if (sctp_sk(ep->base.sk)->cookie_auth_enable) {
1711
+
static_assert(sizeof(cookie->mac) == SHA256_DIGEST_SIZE);
1712
+
hmac_sha256(&ep->cookie_auth_key, (const u8 *)&cookie->c,
1713
+
bodysize, cookie->mac);
1722
1714
}
1723
1715
1724
1716
return retval;
1725
-
1726
-
free_cookie:
1727
-
kfree(retval);
1728
-
nodata:
1729
-
*cookie_len = 0;
1730
-
return NULL;
1731
1717
}
1732
1718
1733
1719
/* Unpack the cookie from COOKIE ECHO chunk, recreating the association. */
···
1730
1740
struct sctp_signed_cookie *cookie;
1731
1741
struct sk_buff *skb = chunk->skb;
1732
1742
struct sctp_cookie *bear_cookie;
1733
-
__u8 *digest = ep->digest;
1734
1743
enum sctp_scope scope;
1735
1744
unsigned int len;
1736
1745
ktime_t kt;
···
1759
1770
cookie = chunk->subh.cookie_hdr;
1760
1771
bear_cookie = &cookie->c;
1761
1772
1762
-
if (!sctp_sk(ep->base.sk)->hmac)
1763
-
goto no_hmac;
1773
+
/* Verify the cookie's MAC, if cookie authentication is enabled. */
1774
+
if (sctp_sk(ep->base.sk)->cookie_auth_enable) {
1775
+
u8 mac[SHA256_DIGEST_SIZE];
1764
1776
1765
-
/* Check the signature. */
1766
-
{
1767
-
struct crypto_shash *tfm = sctp_sk(ep->base.sk)->hmac;
1768
-
int err;
1769
-
1770
-
err = crypto_shash_setkey(tfm, ep->secret_key,
1771
-
sizeof(ep->secret_key)) ?:
1772
-
crypto_shash_tfm_digest(tfm, (u8 *)bear_cookie, bodysize,
1773
-
digest);
1774
-
if (err) {
1775
-
*error = -SCTP_IERROR_NOMEM;
1777
+
hmac_sha256(&ep->cookie_auth_key, (const u8 *)bear_cookie,
1778
+
bodysize, mac);
1779
+
static_assert(sizeof(cookie->mac) == sizeof(mac));
1780
+
if (crypto_memneq(mac, cookie->mac, sizeof(mac))) {
1781
+
*error = -SCTP_IERROR_BAD_SIG;
1776
1782
goto fail;
1777
1783
}
1778
1784
}
1779
1785
1780
-
if (memcmp(digest, cookie->signature, SCTP_SIGNATURE_SIZE)) {
1781
-
*error = -SCTP_IERROR_BAD_SIG;
1782
-
goto fail;
1783
-
}
1784
-
1785
-
no_hmac:
1786
1786
/* IG Section 2.35.2:
1787
1787
* 3) Compare the port numbers and the verification tag contained
1788
1788
* within the COOKIE ECHO chunk to the actual port numbers and the
+3
-2
net/sctp/sm_statefuns.c
+3
-2
net/sctp/sm_statefuns.c
···
30
30
31
31
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
32
32
33
+
#include <crypto/utils.h>
33
34
#include <linux/types.h>
34
35
#include <linux/kernel.h>
35
36
#include <linux/ip.h>
···
4362
4361
struct sctp_shared_key *sh_key = NULL;
4363
4362
struct sctp_authhdr *auth_hdr;
4364
4363
__u8 *save_digest, *digest;
4365
-
struct sctp_hmac *hmac;
4364
+
const struct sctp_hmac *hmac;
4366
4365
unsigned int sig_len;
4367
4366
__u16 key_id;
4368
4367
···
4417
4416
sh_key, GFP_ATOMIC);
4418
4417
4419
4418
/* Discard the packet if the digests do not match */
4420
-
if (memcmp(save_digest, digest, sig_len)) {
4419
+
if (crypto_memneq(save_digest, digest, sig_len)) {
4421
4420
kfree(save_digest);
4422
4421
return SCTP_IERROR_BAD_SIG;
4423
4422
}
+1
-40
net/sctp/socket.c
+1
-40
net/sctp/socket.c
···
37
37
38
38
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
39
39
40
-
#include <crypto/hash.h>
41
40
#include <linux/types.h>
42
41
#include <linux/kernel.h>
43
42
#include <linux/wait.h>
···
4986
4987
sp->default_rcv_context = 0;
4987
4988
sp->max_burst = net->sctp.max_burst;
4988
4989
4989
-
sp->sctp_hmac_alg = net->sctp.sctp_hmac_alg;
4990
+
sp->cookie_auth_enable = net->sctp.cookie_auth_enable;
4990
4991
4991
4992
/* Initialize default setup parameters. These parameters
4992
4993
* can be modified with the SCTP_INITMSG socket option or
···
5078
5079
if (!sp->ep)
5079
5080
return -ENOMEM;
5080
5081
5081
-
sp->hmac = NULL;
5082
-
5083
5082
sk->sk_destruct = sctp_destruct_sock;
5084
5083
5085
5084
SCTP_DBG_OBJCNT_INC(sock);
···
5114
5117
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
5115
5118
}
5116
5119
5117
-
/* Triggered when there are no references on the socket anymore */
5118
-
static void sctp_destruct_common(struct sock *sk)
5119
-
{
5120
-
struct sctp_sock *sp = sctp_sk(sk);
5121
-
5122
-
/* Free up the HMAC transform. */
5123
-
crypto_free_shash(sp->hmac);
5124
-
}
5125
-
5126
5120
static void sctp_destruct_sock(struct sock *sk)
5127
5121
{
5128
-
sctp_destruct_common(sk);
5129
5122
inet_sock_destruct(sk);
5130
5123
}
5131
5124
···
8517
8530
{
8518
8531
struct sctp_sock *sp = sctp_sk(sk);
8519
8532
struct sctp_endpoint *ep = sp->ep;
8520
-
struct crypto_shash *tfm = NULL;
8521
-
char alg[32];
8522
8533
int err;
8523
-
8524
-
/* Allocate HMAC for generating cookie. */
8525
-
if (!sp->hmac && sp->sctp_hmac_alg) {
8526
-
sprintf(alg, "hmac(%s)", sp->sctp_hmac_alg);
8527
-
tfm = crypto_alloc_shash(alg, 0, 0);
8528
-
if (IS_ERR(tfm)) {
8529
-
net_info_ratelimited("failed to load transform for %s: %ld\n",
8530
-
sp->sctp_hmac_alg, PTR_ERR(tfm));
8531
-
return -ENOSYS;
8532
-
}
8533
-
sctp_sk(sk)->hmac = tfm;
8534
-
}
8535
8534
8536
8535
/*
8537
8536
* If a bind() or sctp_bindx() is not called prior to a listen()
···
9534
9561
* copy.
9535
9562
*/
9536
9563
newsp->ep = newep;
9537
-
newsp->hmac = NULL;
9538
9564
9539
9565
/* Hook this new socket in to the bind_hash list. */
9540
9566
head = &sctp_port_hashtable[sctp_phashfn(sock_net(oldsk),
···
9552
9580
&oldsp->ep->base.bind_addr, GFP_KERNEL);
9553
9581
if (err)
9554
9582
return err;
9555
-
9556
-
/* New ep's auth_hmacs should be set if old ep's is set, in case
9557
-
* that net->sctp.auth_enable has been changed to 0 by users and
9558
-
* new ep's auth_hmacs couldn't be set in sctp_endpoint_init().
9559
-
*/
9560
-
if (oldsp->ep->auth_hmacs) {
9561
-
err = sctp_auth_init_hmacs(newsp->ep, GFP_KERNEL);
9562
-
if (err)
9563
-
return err;
9564
-
}
9565
9583
9566
9584
sctp_auto_asconf_init(newsp);
9567
9585
···
9685
9723
9686
9724
static void sctp_v6_destruct_sock(struct sock *sk)
9687
9725
{
9688
-
sctp_destruct_common(sk);
9689
9726
inet6_sock_destruct(sk);
9690
9727
}
9691
9728
+21
-32
net/sctp/sysctl.c
+21
-32
net/sctp/sysctl.c
···
174
174
},
175
175
{
176
176
.procname = "cookie_hmac_alg",
177
-
.data = &init_net.sctp.sctp_hmac_alg,
177
+
.data = &init_net.sctp.cookie_auth_enable,
178
178
.maxlen = 8,
179
179
.mode = 0644,
180
180
.proc_handler = proc_sctp_do_hmac_alg,
···
388
388
void *buffer, size_t *lenp, loff_t *ppos)
389
389
{
390
390
struct net *net = container_of(ctl->data, struct net,
391
-
sctp.sctp_hmac_alg);
391
+
sctp.cookie_auth_enable);
392
392
struct ctl_table tbl;
393
-
bool changed = false;
394
-
char *none = "none";
395
393
char tmp[8] = {0};
396
394
int ret;
397
395
···
397
399
398
400
if (write) {
399
401
tbl.data = tmp;
400
-
tbl.maxlen = sizeof(tmp);
401
-
} else {
402
-
tbl.data = net->sctp.sctp_hmac_alg ? : none;
403
-
tbl.maxlen = strlen(tbl.data);
402
+
tbl.maxlen = sizeof(tmp) - 1;
403
+
ret = proc_dostring(&tbl, 1, buffer, lenp, ppos);
404
+
if (ret)
405
+
return ret;
406
+
if (!strcmp(tmp, "sha256")) {
407
+
net->sctp.cookie_auth_enable = 1;
408
+
return 0;
409
+
}
410
+
if (!strcmp(tmp, "none")) {
411
+
net->sctp.cookie_auth_enable = 0;
412
+
return 0;
413
+
}
414
+
return -EINVAL;
404
415
}
405
-
406
-
ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
407
-
if (write && ret == 0) {
408
-
#ifdef CONFIG_CRYPTO_MD5
409
-
if (!strncmp(tmp, "md5", 3)) {
410
-
net->sctp.sctp_hmac_alg = "md5";
411
-
changed = true;
412
-
}
413
-
#endif
414
-
#ifdef CONFIG_CRYPTO_SHA1
415
-
if (!strncmp(tmp, "sha1", 4)) {
416
-
net->sctp.sctp_hmac_alg = "sha1";
417
-
changed = true;
418
-
}
419
-
#endif
420
-
if (!strncmp(tmp, "none", 4)) {
421
-
net->sctp.sctp_hmac_alg = NULL;
422
-
changed = true;
423
-
}
424
-
if (!changed)
425
-
ret = -EINVAL;
426
-
}
427
-
428
-
return ret;
416
+
if (net->sctp.cookie_auth_enable)
417
+
tbl.data = (char *)"sha256";
418
+
else
419
+
tbl.data = (char *)"none";
420
+
tbl.maxlen = strlen(tbl.data);
421
+
return proc_dostring(&tbl, 0, buffer, lenp, ppos);
429
422
}
430
423
431
424
static int proc_sctp_do_rto_min(const struct ctl_table *ctl, int write,
+1
tools/testing/selftests/net/config
+1
tools/testing/selftests/net/config