From owner-svn-src-stable@freebsd.org  Thu Jun  7 17:43:33 2018
Return-Path: <owner-svn-src-stable@freebsd.org>
Delivered-To: svn-src-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id DFF71FE5DE9;
 Thu,  7 Jun 2018 17:43:32 +0000 (UTC)
 (envelope-from tuexen@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 92DC17620F;
 Thu,  7 Jun 2018 17:43:32 +0000 (UTC)
 (envelope-from tuexen@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 758CB2368D;
 Thu,  7 Jun 2018 17:43:32 +0000 (UTC)
 (envelope-from tuexen@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w57HhWhM064442;
 Thu, 7 Jun 2018 17:43:32 GMT (envelope-from tuexen@FreeBSD.org)
Received: (from tuexen@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w57HhVv1064440;
 Thu, 7 Jun 2018 17:43:31 GMT (envelope-from tuexen@FreeBSD.org)
Message-Id: <201806071743.w57HhVv1064440@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: tuexen set sender to
 tuexen@FreeBSD.org using -f
From: Michael Tuexen <tuexen@FreeBSD.org>
Date: Thu, 7 Jun 2018 17:43:31 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r334801 - stable/11/sys/netinet
X-SVN-Group: stable-11
X-SVN-Commit-Author: tuexen
X-SVN-Commit-Paths: stable/11/sys/netinet
X-SVN-Commit-Revision: 334801
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
 <svn-src-stable.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable>, 
 <mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable/>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jun 2018 17:43:33 -0000

Author: tuexen
Date: Thu Jun  7 17:43:31 2018
New Revision: 334801
URL: https://svnweb.freebsd.org/changeset/base/334801

Log:
  MFC r334725:
  
  Improve compliance with RFC 4895 and RFC 6458.
  
  Silently dicard SCTP chunks which have been requested to be
  authenticated but are received unauthenticated no matter if support
  for SCTP authentication has been negotiated. This improves compliance
  with RFC 4895.
  
  When the application uses the SCTP_AUTH_CHUNK socket option to
  request a chunk to be received in an authenticated way, enable
  the SCTP authentication extension for the end-point. This improves
  compliance with RFC 6458.
  
  Discussed with:		Peter Lei
  Approved by:		re (gjb, early MFC)

Modified:
  stable/11/sys/netinet/sctp_input.c
  stable/11/sys/netinet/sctp_usrreq.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet/sctp_input.c
==============================================================================
--- stable/11/sys/netinet/sctp_input.c	Thu Jun  7 17:08:36 2018	(r334800)
+++ stable/11/sys/netinet/sctp_input.c	Thu Jun  7 17:43:31 2018	(r334801)
@@ -4810,7 +4810,6 @@ process_control_chunks:
 
 		/* check to see if this chunk required auth, but isn't */
 		if ((stcb != NULL) &&
-		    (stcb->asoc.auth_supported == 1) &&
 		    sctp_auth_is_required_chunk(ch->chunk_type, stcb->asoc.local_auth_chunks) &&
 		    !stcb->asoc.authenticated) {
 			/* "silently" ignore */
@@ -5687,7 +5686,6 @@ sctp_common_input_processing(struct mbuf **mm, int iph
 		 * chunks
 		 */
 		if ((stcb != NULL) &&
-		    (stcb->asoc.auth_supported == 1) &&
 		    sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks)) {
 			/* "silently" ignore */
 			SCTP_STAT_INCR(sctps_recvauthmissing);
@@ -5729,7 +5727,6 @@ sctp_common_input_processing(struct mbuf **mm, int iph
 	 */
 	if ((length > offset) &&
 	    (stcb != NULL) &&
-	    (stcb->asoc.auth_supported == 1) &&
 	    sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks) &&
 	    !stcb->asoc.authenticated) {
 		/* "silently" ignore */

Modified: stable/11/sys/netinet/sctp_usrreq.c
==============================================================================
--- stable/11/sys/netinet/sctp_usrreq.c	Thu Jun  7 17:08:36 2018	(r334800)
+++ stable/11/sys/netinet/sctp_usrreq.c	Thu Jun  7 17:43:31 2018	(r334801)
@@ -4248,6 +4248,8 @@ sctp_setopt(struct socket *so, int optname, void *optv
 			if (sctp_auth_add_chunk(sauth->sauth_chunk, inp->sctp_ep.local_auth_chunks)) {
 				SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
 				error = EINVAL;
+			} else {
+				inp->auth_supported = 1;
 			}
 			SCTP_INP_WUNLOCK(inp);
 			break;