Merge branch 'sctp-support-per-endpoint-auth-and-asconf-flags'

			 struct sctp_association *asoc, __u16 key_id);

int sctp_auth_deact_key_id(struct sctp_endpoint *ep,

			   struct sctp_association *asoc, __u16 key_id);

int sctp_auth_init(struct sctp_endpoint *ep, gfp_t gfp);

void sctp_auth_free(struct sctp_endpoint *ep);

#endif

	__u8  auth_enable:1,

	      intl_enable:1,

	      prsctp_enable:1,

	      asconf_enable:1,

	      reconf_enable:1;

	__u8  strreset_enable;

#define SCTP_INTERLEAVING_SUPPORTED	125

#define SCTP_SENDMSG_CONNECT	126

#define SCTP_EVENT	127

#define SCTP_ASCONF_SUPPORTED	128

#define SCTP_AUTH_SUPPORTED	129

/* PR-SCTP policies */

#define SCTP_PR_SCTP_NONE	0x0000

					const struct sock *sk,

					enum sctp_scope scope, gfp_t gfp)

{

	struct net *net = sock_net(sk);

	struct sctp_sock *sp;

	struct sctp_paramhdr *p;

	int i;

	asoc->peer.sack_needed = 1;

	asoc->peer.sack_generation = 1;

	/* Assume that the peer will tell us if he recognizes ASCONF

	 * as part of INIT exchange.

	 * The sctp_addip_noauth option is there for backward compatibility

	 * and will revert old behavior.

	 */

	if (net->sctp.addip_noauth)

		asoc->peer.asconf_capable = 1;

	/* Create an input queue.  */

	sctp_inq_init(&asoc->base.inqueue);

	sctp_inq_set_th_handler(&asoc->base.inqueue, sctp_assoc_bh_rcv);

	/* If we don't support AUTH, or peer is not capable

	 * we don't need to do anything.

	 */

	if (!asoc->ep->auth_enable || !asoc->peer.auth_capable)

	if (!asoc->peer.auth_capable)

		return 0;

	/* If the key_id is non-zero and we couldn't find an

	if (!asoc)

		return 0;

	if (!asoc->ep->auth_enable || !asoc->peer.auth_capable)

	if (!asoc->peer.auth_capable)

		return 0;

	return __sctp_auth_cid(chunk, asoc->peer.peer_chunks);

	if (!asoc)

		return 0;

	if (!asoc->ep->auth_enable)

	if (!asoc->peer.auth_capable)

		return 0;

	return __sctp_auth_cid(chunk,

	/* Try to find the given key id to see if

	 * we are doing a replace, or adding a new key

	 */

	if (asoc)

	if (asoc) {

		if (!asoc->peer.auth_capable)

			return -EACCES;

		sh_keys = &asoc->endpoint_shared_keys;

	else

	} else {

		if (!ep->auth_enable)

			return -EACCES;

		sh_keys = &ep->endpoint_shared_keys;

	}

	key_for_each(shkey, sh_keys) {

		if (shkey->key_id == auth_key->sca_keynumber) {

	int found = 0;

	/* The key identifier MUST correst to an existing key */

	if (asoc)

	if (asoc) {

		if (!asoc->peer.auth_capable)

			return -EACCES;

		sh_keys = &asoc->endpoint_shared_keys;

	else

	} else {

		if (!ep->auth_enable)

			return -EACCES;

		sh_keys = &ep->endpoint_shared_keys;

	}

	key_for_each(key, sh_keys) {

		if (key->key_id == key_id) {

	 * The key identifier MUST correst to an existing key

	 */

	if (asoc) {

		if (!asoc->peer.auth_capable)

			return -EACCES;

		if (asoc->active_key_id == key_id)

			return -EINVAL;

		sh_keys = &asoc->endpoint_shared_keys;

	} else {

		if (!ep->auth_enable)

			return -EACCES;

		if (ep->active_key_id == key_id)

			return -EINVAL;

	 * The key identifier MUST correst to an existing key

	 */

	if (asoc) {

		if (!asoc->peer.auth_capable)

			return -EACCES;

		if (asoc->active_key_id == key_id)

			return -EINVAL;

		sh_keys = &asoc->endpoint_shared_keys;

	} else {

		if (!ep->auth_enable)

			return -EACCES;

		if (ep->active_key_id == key_id)

			return -EINVAL;

	return 0;

}

int sctp_auth_init(struct sctp_endpoint *ep, gfp_t gfp)

{

	int err = -ENOMEM;

	/* Allocate space for HMACS and CHUNKS authentication

	 * variables.  There are arrays that we encode directly

	 * into parameters to make the rest of the operations easier.

	 */

	if (!ep->auth_hmacs_list) {

		struct sctp_hmac_algo_param *auth_hmacs;

		auth_hmacs = kzalloc(struct_size(auth_hmacs, hmac_ids,

						 SCTP_AUTH_NUM_HMACS), gfp);

		if (!auth_hmacs)

			goto nomem;

		/* Initialize the HMACS parameter.

		 * SCTP-AUTH: Section 3.3

		 *    Every endpoint supporting SCTP chunk authentication MUST

		 *    support the HMAC based on the SHA-1 algorithm.

		 */

		auth_hmacs->param_hdr.type = SCTP_PARAM_HMAC_ALGO;

		auth_hmacs->param_hdr.length =

				htons(sizeof(struct sctp_paramhdr) + 2);

		auth_hmacs->hmac_ids[0] = htons(SCTP_AUTH_HMAC_ID_SHA1);

		ep->auth_hmacs_list = auth_hmacs;

	}

	if (!ep->auth_chunk_list) {

		struct sctp_chunks_param *auth_chunks;

		auth_chunks = kzalloc(sizeof(*auth_chunks) +

				      SCTP_NUM_CHUNK_TYPES, gfp);

		if (!auth_chunks)

			goto nomem;

		/* Initialize the CHUNKS parameter */

		auth_chunks->param_hdr.type = SCTP_PARAM_CHUNKS;

		auth_chunks->param_hdr.length =

				htons(sizeof(struct sctp_paramhdr));

		ep->auth_chunk_list = auth_chunks;

	}

	/* Allocate and initialize transorms arrays for supported

	 * HMACs.

	 */

	err = sctp_auth_init_hmacs(ep, gfp);

	if (err)

		goto nomem;

	return 0;

nomem:

	/* Free all allocations */

	kfree(ep->auth_hmacs_list);

	kfree(ep->auth_chunk_list);

	ep->auth_hmacs_list = NULL;

	ep->auth_chunk_list = NULL;

	return err;

}

void sctp_auth_free(struct sctp_endpoint *ep)

{

	kfree(ep->auth_hmacs_list);

	kfree(ep->auth_chunk_list);

	ep->auth_hmacs_list = NULL;

	ep->auth_chunk_list = NULL;

	sctp_auth_destroy_hmacs(ep->auth_hmacs);

	ep->auth_hmacs = NULL;

}