Code from the hack-session known as the IETF (and a

bit of debugging afterwards):
- Fix protection code for notification generation.
- Decouple associd from vtag
- Allow vtags to have less strigent requirements in non-uniqueness.
   o don't pre-hash them when you issue one in a cookie.
   o Allow duplicates and use addresses and ports to
     discriminate amongst the duplicates during lookup.
- Add support for the NAT draft draft-ietf-behave-sctpnat-00, this
  is still experimental and needs more extensive testing with the
  Jason Butt ipfw changes.
- Support for the SENDER_DRY event to get DTLS in OpenSSL working
  with a set of patches from Michael Tuexen (hopefully heading to OpenSSL soon).
- Update the support of SCTP-AUTH by Peter Lei.
- Use macros for refcounting.
- Fix MTU for UDP encapsulation.
- Fix reporting back of unsent data.
- Update assoc send counter handling to be consistent with endpoint sent counter.
- Fix a bug in PR-SCTP.
- Fix so we only send another FWD-TSN when a SACK arrives IF and only
  if the adv-peer-ack point progressed. However we still make sure
  a timer is running if we do have an adv_peer_ack point.
- Fix PR-SCTP bug where chunks were retransmitted if they are sent
  unreliable but not abandoned yet.

With the help of:	Michael Teuxen and Peter Lei :-)
MFC after:	 4 weeks

1 files changed, 46 insertions, 35 deletions

diff --git a/sys/netinet/sctp_auth.h b/sys/netinet/sctp_auth.h
index be7e6a0..8602c97 100644
--- a/sys/netinet/sctp_auth.h
+++ b/sys/netinet/sctp_auth.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2001-2007, by Cisco Systems, Inc. All rights reserved.
+ * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
@@ -68,7 +68,9 @@ typedef struct sctp_key {
 typedef struct sctp_shared_key {
 	LIST_ENTRY(sctp_shared_key) next;
 	sctp_key_t *key;	/* key text */
+	uint32_t refcount;	/* reference count */
 	uint16_t keyid;		/* shared key ID */
+	uint8_t deactivated;	/* key is deactivated */
 }               sctp_sharedkey_t;
 
 LIST_HEAD(sctp_keyhead, sctp_shared_key);
@@ -91,10 +93,11 @@ typedef struct sctp_authinfo {
 	sctp_key_t *random;	/* local random key (concatenated) */
 	uint32_t random_len;	/* local random number length for param */
 	sctp_key_t *peer_random;/* peer's random key (concatenated) */
+	sctp_key_t *assoc_key;	/* cached concatenated send key */
+	sctp_key_t *recv_key;	/* cached concatenated recv key */
+	uint16_t active_keyid;	/* active send keyid */
 	uint16_t assoc_keyid;	/* current send keyid (cached) */
 	uint16_t recv_keyid;	/* last recv keyid (cached) */
-	sctp_key_t *assoc_key;	/* cached send key */
-	sctp_key_t *recv_key;	/* cached recv key */
 }             sctp_authinfo_t;
 
 
@@ -117,10 +120,13 @@ extern int sctp_auth_add_chunk(uint8_t chunk, sctp_auth_chklist_t * list);
 extern int sctp_auth_delete_chunk(uint8_t chunk, sctp_auth_chklist_t * list);
 extern size_t sctp_auth_get_chklist_size(const sctp_auth_chklist_t * list);
 extern void sctp_auth_set_default_chunks(sctp_auth_chklist_t * list);
-extern int
-    sctp_serialize_auth_chunks(const sctp_auth_chklist_t * list, uint8_t * ptr);
-extern int sctp_pack_auth_chunks(const sctp_auth_chklist_t * list, uint8_t * ptr);
-extern int
+extern int 
+sctp_serialize_auth_chunks(const sctp_auth_chklist_t * list,
+    uint8_t * ptr);
+extern int 
+sctp_pack_auth_chunks(const sctp_auth_chklist_t * list,
+    uint8_t * ptr);
+extern int 
 sctp_unpack_auth_chunks(const uint8_t * ptr, uint8_t num_chunks,
     sctp_auth_chklist_t * list);
 
@@ -139,14 +145,20 @@ sctp_compute_hashkey(sctp_key_t * key1, sctp_key_t * key2,
 extern sctp_sharedkey_t *sctp_alloc_sharedkey(void);
 extern void sctp_free_sharedkey(sctp_sharedkey_t * skey);
 extern sctp_sharedkey_t *
-                 sctp_find_sharedkey(struct sctp_keyhead *shared_keys, uint16_t key_id);
-extern void
+sctp_find_sharedkey(struct sctp_keyhead *shared_keys,
+    uint16_t key_id);
+extern int 
 sctp_insert_sharedkey(struct sctp_keyhead *shared_keys,
     sctp_sharedkey_t * new_skey);
-extern int
+extern int 
 sctp_copy_skeylist(const struct sctp_keyhead *src,
     struct sctp_keyhead *dest);
 
+/* ref counts on shared keys, by key id */
+extern void sctp_auth_key_acquire(struct sctp_tcb *stcb, uint16_t keyid);
+extern void sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t keyid);
+
+
 /* hmac list handling */
 extern sctp_hmaclist_t *sctp_alloc_hmaclist(uint8_t num_hmacs);
 extern void sctp_free_hmaclist(sctp_hmaclist_t * list);
@@ -167,25 +179,24 @@ extern void sctp_free_authinfo(sctp_authinfo_t * authinfo);
 /* keyed-HMAC functions */
 extern uint32_t sctp_get_auth_chunk_len(uint16_t hmac_algo);
 extern uint32_t sctp_get_hmac_digest_len(uint16_t hmac_algo);
-extern uint32_t
+extern uint32_t 
 sctp_hmac(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
     uint8_t * text, uint32_t textlen, uint8_t * digest);
-extern int
+extern int 
 sctp_verify_hmac(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
-    uint8_t * text, uint32_t textlen, uint8_t * digest,
-    uint32_t digestlen);
-extern uint32_t
+    uint8_t * text, uint32_t textlen, uint8_t * digest, uint32_t digestlen);
+extern uint32_t 
 sctp_compute_hmac(uint16_t hmac_algo, sctp_key_t * key,
     uint8_t * text, uint32_t textlen, uint8_t * digest);
 extern int sctp_auth_is_supported_hmac(sctp_hmaclist_t * list, uint16_t id);
 
 /* mbuf versions */
-extern uint32_t
+extern uint32_t 
 sctp_hmac_m(uint16_t hmac_algo, uint8_t * key, uint32_t keylen,
     struct mbuf *m, uint32_t m_offset, uint8_t * digest, uint32_t trailer);
-extern uint32_t
-sctp_compute_hmac_m(uint16_t hmac_algo, sctp_key_t * key, struct mbuf *m,
-    uint32_t m_offset, uint8_t * digest);
+extern uint32_t 
+sctp_compute_hmac_m(uint16_t hmac_algo, sctp_key_t * key,
+    struct mbuf *m, uint32_t m_offset, uint8_t * digest);
 
 /*
  * authentication routines
@@ -196,31 +207,31 @@ extern int sctp_delete_sharedkey(struct sctp_tcb *stcb, uint16_t keyid);
 extern int sctp_delete_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid);
 extern int sctp_auth_setactivekey(struct sctp_tcb *stcb, uint16_t keyid);
 extern int sctp_auth_setactivekey_ep(struct sctp_inpcb *inp, uint16_t keyid);
+extern int sctp_deact_sharedkey(struct sctp_tcb *stcb, uint16_t keyid);
+extern int sctp_deact_sharedkey_ep(struct sctp_inpcb *inp, uint16_t keyid);
 
-extern void
+extern void 
 sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m,
     uint32_t offset, uint32_t length);
-extern void
+extern void 
 sctp_fill_hmac_digest_m(struct mbuf *m, uint32_t auth_offset,
-    struct sctp_auth_chunk *auth,
-    struct sctp_tcb *stcb);
+    struct sctp_auth_chunk *auth, struct sctp_tcb *stcb, uint16_t key_id);
 extern struct mbuf *
 sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end,
-    struct sctp_auth_chunk **auth_ret,
-    uint32_t * offset, struct sctp_tcb *stcb,
-    uint8_t chunk);
-extern int
+    struct sctp_auth_chunk **auth_ret, uint32_t * offset,
+    struct sctp_tcb *stcb, uint8_t chunk);
+extern int 
 sctp_handle_auth(struct sctp_tcb *stcb, struct sctp_auth_chunk *ch,
     struct mbuf *m, uint32_t offset);
-extern void
+extern void 
 sctp_notify_authentication(struct sctp_tcb *stcb,
-    uint32_t indication, uint16_t keyid,
-    uint16_t alt_keyid);
-extern int
-    sctp_validate_init_auth_params(struct mbuf *m, int offset, int limit);
-extern void
-     sctp_initialize_auth_params(struct sctp_inpcb *inp, struct sctp_tcb *stcb);
-
+    uint32_t indication, uint16_t keyid, uint16_t alt_keyid, int so_locked);
+extern int 
+sctp_validate_init_auth_params(struct mbuf *m, int offset,
+    int limit);
+extern void 
+sctp_initialize_auth_params(struct sctp_inpcb *inp,
+    struct sctp_tcb *stcb);
 
 /* test functions */
 extern void sctp_test_hmac_sha1(void);