From owner-svn-src-all@freebsd.org Thu Jun 7 18:01:32 2018
Return-Path:
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mailman.ysv.freebsd.org (Postfix) with ESMTP id B92E9FE677D;
	Thu, 7 Jun 2018 18:01:32 +0000 (UTC)
	(envelope-from tuexen@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 65D2076DA8;
	Thu, 7 Jun 2018 18:01:32 +0000 (UTC)
	(envelope-from tuexen@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4792023967;
	Thu, 7 Jun 2018 18:01:32 +0000 (UTC)
	(envelope-from tuexen@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
	by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w57I1WUW072646;
	Thu, 7 Jun 2018 18:01:32 GMT
	(envelope-from tuexen@FreeBSD.org)
Received: (from tuexen@localhost)
	by repo.freebsd.org (8.15.2/8.15.2/Submit) id w57I1VlW072644;
	Thu, 7 Jun 2018 18:01:31 GMT
	(envelope-from tuexen@FreeBSD.org)
Message-Id: <201806071801.w57I1VlW072644@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: tuexen set sender to tuexen@FreeBSD.org using -f
From: Michael Tuexen
Date: Thu, 7 Jun 2018 18:01:31 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r334802 - releng/11.2/sys/netinet
X-SVN-Group: releng
X-SVN-Commit-Author: tuexen
X-SVN-Commit-Paths: releng/11.2/sys/netinet
X-SVN-Commit-Revision: 334802
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 07 Jun 2018 18:01:33 -0000

Author: tuexen
Date: Thu Jun  7 18:01:31 2018
New Revision: 334802

URL: https://svnweb.freebsd.org/changeset/base/334802

Log:
  MFstable/11 334801

  Improve compliance with RFC 4895 and RFC 6458.

  Silently discard SCTP chunks which have been requested to be
  authenticated but are received unauthenticated no matter if support
  for SCTP authentication has been negotiated. This improves compliance
  with RFC 4895.

  When the application uses the SCTP_AUTH_CHUNK socket option to request
  a chunk to be received in an authenticated way, enable the SCTP
  authentication extension for the end-point. This improves compliance
  with RFC 6458.

  Discussed with:	Peter Lei
  Approved by:		re (marius@)

Modified:
  releng/11.2/sys/netinet/sctp_input.c
  releng/11.2/sys/netinet/sctp_usrreq.c
Directory Properties:
  releng/11.2/   (props changed)

Modified: releng/11.2/sys/netinet/sctp_input.c
==============================================================================
--- releng/11.2/sys/netinet/sctp_input.c	Thu Jun  7 17:43:31 2018	(r334801)
+++ releng/11.2/sys/netinet/sctp_input.c	Thu Jun  7 18:01:31 2018	(r334802)
@@ -4810,7 +4810,6 @@ process_control_chunks: /* check to see if this chunk required auth, but isn't */ if ((stcb != NULL) && - (stcb->asoc.auth_supported == 1) && sctp_auth_is_required_chunk(ch->chunk_type, stcb->asoc.local_auth_chunks) && !stcb->asoc.authenticated) { /* "silently" ignore */ @@ -5687,7 +5686,6 @@ sctp_common_input_processing(struct mbuf **mm, int iph * chunks */ if ((stcb != NULL) && - (stcb->asoc.auth_supported == 1) && sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks)) { /* "silently" ignore */ SCTP_STAT_INCR(sctps_recvauthmissing); @@ -5729,7 +5727,6 @@ sctp_common_input_processing(struct mbuf **mm, int iph */ if ((length > offset) && (stcb != NULL) && - (stcb->asoc.auth_supported == 1) && sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks) && !stcb->asoc.authenticated) { /* "silently" ignore */ Modified: releng/11.2/sys/netinet/sctp_usrreq.c ============================================================================== --- releng/11.2/sys/netinet/sctp_usrreq.c Thu Jun 7 17:43:31 2018 (r334801) +++ releng/11.2/sys/netinet/sctp_usrreq.c Thu Jun 7 18:01:31 2018 (r334802) @@ -4248,6 +4248,8 @@ sctp_setopt(struct socket *so, int optname, void *optv if (sctp_auth_add_chunk(sauth->sauth_chunk, inp->sctp_ep.local_auth_chunks)) { SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); error = EINVAL; + } else { + inp->auth_supported = 1; } SCTP_INP_WUNLOCK(inp); break;
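Review bot: with the `(stcb->asoc.auth_supported == 1)` test removed from the drop condition in the process_control_chunks hunk (-4810), a chunk type present in `stcb->asoc.local_auth_chunks` is now discarded whenever `!stcb->asoc.authenticated`, including on associations whose peer never negotiated AUTH; that is the RFC 4895 behaviour the log describes, but it turns a formerly accepted chunk into a silent drop, so make sure this path increments `sctps_recvauthmissing` the way the hunk at -5687 visibly does, otherwise an operator debugging a stalled association has no counter to consult.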
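Review bot: the condition in the sctp_common_input_processing hunk at -5687 lacks the `!stcb->asoc.authenticated` test that the hunks at -4810 and -5729 keep, and nothing in the visible context beyond the fragment `* chunks */` says why; a one-line comment there stating the reason the authenticated state need not be checked on this path would stop the next reader from treating the asymmetry as a missed condition.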
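Review bot: in the sctp_setopt hunk (-4248) the new `} else { inp->auth_supported = 1; }` enables the AUTH extension as a side effect of SCTP_AUTH_CHUNK only when `sctp_auth_add_chunk()` succeeded, which is the right ordering and sits inside the existing SCTP_INP_WUNLOCK scope; two points deserve a comment here or in the sctp(4) text: the flag is only ever set, never cleared if the chunk is later removed from `local_auth_chunks`, and it is set on the endpoint (`inp`) alone, so whether an already existing association's `stcb->asoc.auth_supported` should follow is not addressed by this diff and should be stated explicitly.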