Commit 73d9c4fd1a6ec4950b2eac8135d35506bf400d6c

Authored by Vlad Yasevich
1 parent 88799fe5ec

SCTP: Allow ADD_IP to work with AUTH for backward compatibility.

This patch adds a tunable that will allow ADD_IP to work without
AUTH for backward compatibility.  The default value is off since
the default value for ADD_IP is off as well.  People who need
to use ADD-IP with older implementations run the risk of connection
hijacking and should consider upgrading those implementations or
turning this tunable on.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>

Showing 5 changed files with 21 additions and 3 deletions Side-by-side Diff

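--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -212,6 +212,7 @@
 
 /* Flag to indicate if addip is enabled. */
 int addip_enable;
+ int addip_noauth_enable;
 
 /* Flag to indicate if PR-SCTP is enabled. */
 int prsctp_enable;
@@ -249,6 +250,7 @@
 #define sctp_local_addr_list (sctp_globals.local_addr_list)
 #define sctp_local_addr_lock (sctp_globals.addr_list_lock)
 #define sctp_addip_enable (sctp_globals.addip_enable)
+#define sctp_addip_noauth (sctp_globals.addip_noauth_enable)
 #define sctp_prsctp_enable (sctp_globals.prsctp_enable)
 #define sctp_auth_enable (sctp_globals.auth_enable)
 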
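Review bot: The accessor macro added in the second hunk breaks the naming pattern of its neighbours: every other flag pairs `foo_enable` with `sctp_foo_enable` (`addip_enable`/`sctp_addip_enable`, `auth_enable`/`sctp_auth_enable`), but `addip_noauth_enable` is exposed as `sctp_addip_noauth`, which also no longer matches the sysctl name `addip_noauth_enable` introduced by the same commit. Renaming the macro to `sctp_addip_noauth_enable` keeps the sysctl, the field and its users greppable together. The new field in the first hunk is also the only one in the struct without a comment; its siblings each carry one, e.g. `/* Flag to allow ADD-IP without AUTH (insecure; backward compatibility only). */`.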
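--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -262,10 +262,14 @@
 */
 asoc->peer.sack_needed = 1;
 
- /* Assume that the peer recongizes ASCONF until reported otherwise
- * via an ERROR chunk.
+ /* Assume that the peer will tell us if he recognizes ASCONF
+ * as part of INIT exchange.
+ * The sctp_addip_noauth option is there for backward compatibilty
+ * and will revert old behavior.
 */
 asoc->peer.asconf_capable = 0;
+ if (sctp_addip_noauth)
+ asoc->peer.asconf_capable = 1;
 
 /* Create an input queue. */
 sctp_inq_init(&asoc->base.inqueue);
@@ -1179,6 +1179,7 @@
 
 /* Disable ADDIP by default. */
 sctp_addip_enable = 0;
+ sctp_addip_noauth = 0;
 
 /* Enable PR-SCTP by default. */
 sctp_prsctp_enable = 1;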
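Review bot: The new comment in the first hunk describes only the default path: with `sctp_addip_noauth` set, `asoc->peer.asconf_capable` is forced to 1 before any INIT exchange, which is exactly the optimistic assumption the removed comment described, so the text "the peer will tell us ... as part of INIT exchange" is contradicted two lines below it. I would say so explicitly and spell out the consequence the commit message mentions, e.g. `/* addip_noauth_enable restores the pre-AUTH behaviour: assume ASCONF support up front and (see the matching check in sm_make_chunk.c) keep ADD-IP enabled even when the peer cannot authenticate it, re-opening association hijacking. */`, fixing `compatibilty` and "revert old behavior" on the way. Note also that the flag is sampled once here per association, and again separately at INIT processing in sm_make_chunk.c, so toggling the sysctl at runtime affects only associations created afterwards and the two sites can briefly disagree if it is flipped in between, as far as these hunks show; the enclosing function starts and ends outside the hunk.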
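--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2137,8 +2137,10 @@
 
 /* If the peer claims support for ADD-IP without support
 * for AUTH, disable support for ADD-IP.
+ * Do this only if backward compatible mode is turned off.
 */
- if (asoc->peer.asconf_capable && !asoc->peer.auth_capable) {
+ if (!sctp_addip_noauth &&
+ (asoc->peer.asconf_capable && !asoc->peer.auth_capable)) {
 asoc->peer.addip_disabled_mask |= (SCTP_PARAM_ADD_IP |
 SCTP_PARAM_DEL_IP |
 SCTP_PARAM_SET_PRIMARY);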
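Review bot: With `sctp_addip_noauth` set, a peer that advertised ADD-IP but not AUTH keeps ADD_IP/DEL_IP/SET_PRIMARY enabled, so its ASCONF chunks will be acted on without the AUTH protection the ADD-IP extension requires, and nothing records that this association is running in the insecure mode. I would add an `else` branch to this `if` that, when `asoc->peer.asconf_capable && !asoc->peer.auth_capable` still holds, emits a rate-limited `printk(KERN_WARNING ...)` naming `addip_noauth_enable` and the association, so an operator can see which peers are accepted unauthenticated; the closing brace of the `if` and the enclosing function lie outside the hunk. The added comment line should also state what the bypass costs rather than only when it applies: `* Do this only if backward compatible mode is turned off; with addip_noauth_enable set, unauthenticated ASCONF from this peer will be processed.`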
... ... @@ -263,6 +263,15 @@
263 263 .proc_handler = &proc_dointvec,
264 264 .strategy = &sysctl_intvec
265 265 },
  266 + {
  267 + .ctl_name = CTL_UNNUMBERED,
  268 + .procname = "addip_noauth_enable",
  269 + .data = &sctp_addip_noauth,
  270 + .maxlen = sizeof(int),
  271 + .mode = 0644,
  272 + .proc_handler = &proc_dointvec,
  273 + .strategy = &sysctl_intvec
  274 + },
266 275 { .ctl_name = 0 }
267 276 };
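Review bot: The new `addip_noauth_enable` sysctl switches off a security check, yet across the hunks shown nothing documents it; this hunk also carries no file header in this view (presumably net/sctp/sysctl.c). A user-visible knob that re-enables connection hijacking needs an entry in Documentation/networking/ip-sysctl.txt giving the default (0), whether it only has effect when addip_enable is also set (the commit message implies so), and the risk the commit message describes. `proc_dointvec` accepts any int while the flag is only ever tested for non-zero, so `proc_dointvec_minmax` with `extra1`/`extra2` bounding it to 0..1 would make the contract explicit, although the neighbouring `addip_enable` entry uses the same unbounded handler and consistency may argue for leaving it.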
268 277