Merge branch 'sctp-add-support-for-some-sctp-auth-APIs-from-RFC6458'

Xin Long says: ==================== sctp: add support for some sctp auth APIs from RFC6458 This patchset mainly adds support for SCTP AUTH Information for sendmsg, described in RFC6458: 5.3.8. SCTP AUTH Information Structure (SCTP_AUTHINFO) and also adds a sockopt described in RFC6458: 8.3.4. Deactivate a Shared Key (SCTP_AUTH_DEACTIVATE_KEY) and two types of events for AUTHENTICATION_EVENT described in RFC6458: 6.1.8. SCTP_AUTHENTICATION_EVENT: - SCTP_AUTH_NO_AUTH - SCTP_AUTH_FREE_KEY After this patchset, we have fully support for sctp_sendv in kernel. Note that this patchset won't touch that sctp options merge conflict. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2024-12-28 11:18:45 +07:00 · 2018-03-14 13:48:28 -04:00 · 2018-03-14 13:48:28 -04:00 · c292566a77
commit c292566a77
parent c469012729 30f6ebf65b
12 changed files with 343 additions and 73 deletions
--- a/include/net/sctp/auth.h
+++ b/include/net/sctp/auth.h
@ -62,8 +62,10 @@ struct sctp_auth_bytes {
 /* Definition for a shared key, weather endpoint or association */
 struct sctp_shared_key {
 	struct list_head key_list;
 	__u16 key_id;
 	struct sctp_auth_bytes *key;
 	refcount_t refcnt;
 	__u16 key_id;
 	__u8 deactivated;
 };
 #define key_for_each(__key, __list_head) \
@ -103,21 +105,22 @@ int sctp_auth_send_cid(enum sctp_cid chunk,
 int sctp_auth_recv_cid(enum sctp_cid chunk,
 		       const struct sctp_association *asoc);
 void sctp_auth_calculate_hmac(const struct sctp_association *asoc,
-			    struct sk_buff *skb,
+			      struct sk_buff *skb, struct sctp_auth_chunk *auth,
-			    struct sctp_auth_chunk *auth, gfp_t gfp);
+			      struct sctp_shared_key *ep_key, gfp_t gfp);
 void sctp_auth_shkey_release(struct sctp_shared_key *sh_key);
 void sctp_auth_shkey_hold(struct sctp_shared_key *sh_key);
 /* API Helpers */
 int sctp_auth_ep_add_chunkid(struct sctp_endpoint *ep, __u8 chunk_id);
 int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
 			    struct sctp_hmacalgo *hmacs);
-int sctp_auth_set_key(struct sctp_endpoint *ep,
+int sctp_auth_set_key(struct sctp_endpoint *ep, struct sctp_association *asoc,
 		      struct sctp_association *asoc,
 		      struct sctp_authkey *auth_key);
 int sctp_auth_set_active_key(struct sctp_endpoint *ep,
-		      struct sctp_association *asoc,
+			     struct sctp_association *asoc, __u16 key_id);
 		      __u16 key_id);
 int sctp_auth_del_key_id(struct sctp_endpoint *ep,
-		      struct sctp_association *asoc,
+			 struct sctp_association *asoc, __u16 key_id);
-		      __u16 key_id);
+int sctp_auth_deact_key_id(struct sctp_endpoint *ep,
 			   struct sctp_association *asoc, __u16 key_id);
 #endif
--- a/include/net/sctp/command.h
+++ b/include/net/sctp/command.h
@ -100,6 +100,7 @@ enum sctp_verb {
 	SCTP_CMD_SET_SK_ERR,	 /* Set sk_err */
 	SCTP_CMD_ASSOC_CHANGE,	 /* generate and send assoc_change event */
 	SCTP_CMD_ADAPTATION_IND, /* generate and send adaptation event */
 	SCTP_CMD_PEER_NO_AUTH,   /* generate and send authentication event */
 	SCTP_CMD_ASSOC_SHKEY,    /* generate the association shared keys */
 	SCTP_CMD_T1_RETRAN,	 /* Mark for retransmission after T1 timeout  */
 	SCTP_CMD_UPDATE_INITTAG, /* Update peer inittag */
--- a/include/net/sctp/sm.h
+++ b/include/net/sctp/sm.h
@ -263,7 +263,8 @@ int sctp_process_asconf_ack(struct sctp_association *asoc,
 struct sctp_chunk *sctp_make_fwdtsn(const struct sctp_association *asoc,
 				    __u32 new_cum_tsn, size_t nstreams,
 				    struct sctp_fwdtsn_skip *skiplist);
-struct sctp_chunk *sctp_make_auth(const struct sctp_association *asoc);
+struct sctp_chunk *sctp_make_auth(const struct sctp_association *asoc,
 				  __u16 key_id);
 struct sctp_chunk *sctp_make_strreset_req(const struct sctp_association *asoc,
 					  __u16 stream_num, __be16 *stream_list,
 					  bool out, bool in);
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@ -577,8 +577,12 @@ struct sctp_chunk {
 	/* This points to the sk_buff containing the actual data.  */
 	struct sk_buff *skb;
-	/* In case of GSO packets, this will store the head one */
+	union {
-	struct sk_buff *head_skb;
+		/* In case of GSO packets, this will store the head one */
 		struct sk_buff *head_skb;
 		/* In case of auth enabled, this will point to the shkey */
 		struct sctp_shared_key *shkey;
 	};
 	/* These are the SCTP headers by reverse order in a packet.
 	 * Note that some of these may happen more than once.  In that
@ -1995,6 +1999,7 @@ struct sctp_association {
 	 * The current generated assocaition shared key (secret)
 	 */
 	struct sctp_auth_bytes *asoc_shared_key;
 	struct sctp_shared_key *shkey;
 	/* SCTP AUTH: hmac id of the first peer requested algorithm
 	 * that we support.
@ -2113,6 +2118,7 @@ struct sctp_cmsgs {
 	struct sctp_sndrcvinfo *srinfo;
 	struct sctp_sndinfo *sinfo;
 	struct sctp_prinfo *prinfo;
 	struct sctp_authinfo *authinfo;
 	struct msghdr *addrs_msg;
 };
--- a/include/uapi/linux/sctp.h
+++ b/include/uapi/linux/sctp.h
@ -99,6 +99,7 @@ typedef __s32 sctp_assoc_t;
 #define SCTP_RECVRCVINFO	32
 #define SCTP_RECVNXTINFO	33
 #define SCTP_DEFAULT_SNDINFO	34
 #define SCTP_AUTH_DEACTIVATE_KEY	35
 /* Internal Socket Options. Some of the sctp library functions are
 * implemented using these socket options.
@ -273,6 +274,18 @@ struct sctp_prinfo {
 	__u32 pr_value;
 };
 /* 5.3.8 SCTP AUTH Information Structure (SCTP_AUTHINFO)
 *
 *   This cmsghdr structure specifies SCTP options for sendmsg().
 *
 *   cmsg_level    cmsg_type      cmsg_data[]
 *   ------------  ------------   -------------------
 *   IPPROTO_SCTP  SCTP_AUTHINFO  struct sctp_authinfo
 */
 struct sctp_authinfo {
 	__u16 auth_keynumber;
 };
 /*
 *  sinfo_flags: 16 bits (unsigned integer)
 *
@ -310,7 +323,7 @@ typedef enum sctp_cmsg_type {
 #define SCTP_NXTINFO	SCTP_NXTINFO
 	SCTP_PRINFO,		/* 5.3.7 SCTP PR-SCTP Information Structure */
 #define SCTP_PRINFO	SCTP_PRINFO
-	SCTP_AUTHINFO,		/* 5.3.8 SCTP AUTH Information Structure (RESERVED) */
+	SCTP_AUTHINFO,		/* 5.3.8 SCTP AUTH Information Structure */
 #define SCTP_AUTHINFO	SCTP_AUTHINFO
 	SCTP_DSTADDRV4,		/* 5.3.9 SCTP Destination IPv4 Address Structure */
 #define SCTP_DSTADDRV4	SCTP_DSTADDRV4
@ -505,7 +518,12 @@ struct sctp_authkey_event {
 	sctp_assoc_t auth_assoc_id;
 };
-enum { SCTP_AUTH_NEWKEY = 0, };
+enum {
 	SCTP_AUTH_NEW_KEY,
 #define	SCTP_AUTH_NEWKEY	SCTP_AUTH_NEW_KEY /* compatible with before */
 	SCTP_AUTH_FREE_KEY,
 	SCTP_AUTH_NO_AUTH,
 };
 /*
 * 6.1.9. SCTP_SENDER_DRY_EVENT
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@ -101,13 +101,14 @@ struct sctp_shared_key *sctp_auth_shkey_create(__u16 key_id, gfp_t gfp)
 		return NULL;
 	INIT_LIST_HEAD(&new->key_list);
 	refcount_set(&new->refcnt, 1);
 	new->key_id = key_id;
 	return new;
 }
 /* Free the shared key structure */
-static void sctp_auth_shkey_free(struct sctp_shared_key *sh_key)
+static void sctp_auth_shkey_destroy(struct sctp_shared_key *sh_key)
 {
 	BUG_ON(!list_empty(&sh_key->key_list));
 	sctp_auth_key_put(sh_key->key);
@ -115,6 +116,17 @@ static void sctp_auth_shkey_free(struct sctp_shared_key *sh_key)
 	kfree(sh_key);
 }
 void sctp_auth_shkey_release(struct sctp_shared_key *sh_key)
 {
 	if (refcount_dec_and_test(&sh_key->refcnt))
 		sctp_auth_shkey_destroy(sh_key);
 }
 void sctp_auth_shkey_hold(struct sctp_shared_key *sh_key)
 {
 	refcount_inc(&sh_key->refcnt);
 }
 /* Destroy the entire key list.  This is done during the
 * associon and endpoint free process.
 */
@ -128,7 +140,7 @@ void sctp_auth_destroy_keys(struct list_head *keys)
 	key_for_each_safe(ep_key, tmp, keys) {
 		list_del_init(&ep_key->key_list);
-		sctp_auth_shkey_free(ep_key);
+		sctp_auth_shkey_release(ep_key);
 	}
 }
@ -409,13 +421,19 @@ int sctp_auth_asoc_init_active_key(struct sctp_association *asoc, gfp_t gfp)
 	sctp_auth_key_put(asoc->asoc_shared_key);
 	asoc->asoc_shared_key = secret;
 	asoc->shkey = ep_key;
 	/* Update send queue in case any chunk already in there now
 	 * needs authenticating
 	 */
 	list_for_each_entry(chunk, &asoc->outqueue.out_chunk_list, list) {
-		if (sctp_auth_send_cid(chunk->chunk_hdr->type, asoc))
+		if (sctp_auth_send_cid(chunk->chunk_hdr->type, asoc)) {
 			chunk->auth = 1;
 			if (!chunk->shkey) {
 				chunk->shkey = asoc->shkey;
 				sctp_auth_shkey_hold(chunk->shkey);
 			}
 		}
 	}
 	return 0;
@ -431,8 +449,11 @@ struct sctp_shared_key *sctp_auth_get_shkey(
 	/* First search associations set of endpoint pair shared keys */
 	key_for_each(key, &asoc->endpoint_shared_keys) {
-		if (key->key_id == key_id)
+		if (key->key_id == key_id) {
-			return key;
+			if (!key->deactivated)
 				return key;
 			break;
 		}
 	}
 	return NULL;
@ -703,16 +724,15 @@ int sctp_auth_recv_cid(enum sctp_cid chunk, const struct sctp_association *asoc)
 *    after the AUTH chunk in the SCTP packet.
 */
 void sctp_auth_calculate_hmac(const struct sctp_association *asoc,
-			      struct sk_buff *skb,
+			      struct sk_buff *skb, struct sctp_auth_chunk *auth,
-			      struct sctp_auth_chunk *auth,
+			      struct sctp_shared_key *ep_key, gfp_t gfp)
 			      gfp_t gfp)
 {
 	struct crypto_shash *tfm;
 	struct sctp_auth_bytes *asoc_key;
 	struct crypto_shash *tfm;
 	__u16 key_id, hmac_id;
 	__u8 *digest;
 	unsigned char *end;
 	int free_key = 0;
 	__u8 *digest;
 	/* Extract the info we need:
 	 * - hmac id
@ -724,12 +744,7 @@ void sctp_auth_calculate_hmac(const struct sctp_association *asoc,
 	if (key_id == asoc->active_key_id)
 		asoc_key = asoc->asoc_shared_key;
 	else {
-		struct sctp_shared_key *ep_key;
+		/* ep_key can't be NULL here */
 		ep_key = sctp_auth_get_shkey(asoc, key_id);
 		if (!ep_key)
 			return;
 		asoc_key = sctp_auth_asoc_create_secret(asoc, ep_key, gfp);
 		if (!asoc_key)
 			return;
@ -829,7 +844,7 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
 		      struct sctp_association *asoc,
 		      struct sctp_authkey *auth_key)
 {
-	struct sctp_shared_key *cur_key = NULL;
+	struct sctp_shared_key *cur_key, *shkey;
 	struct sctp_auth_bytes *key;
 	struct list_head *sh_keys;
 	int replace = 0;
@ -842,46 +857,34 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
 	else
 		sh_keys = &ep->endpoint_shared_keys;
-	key_for_each(cur_key, sh_keys) {
+	key_for_each(shkey, sh_keys) {
-		if (cur_key->key_id == auth_key->sca_keynumber) {
+		if (shkey->key_id == auth_key->sca_keynumber) {
 			replace = 1;
 			break;
 		}
 	}
-	/* If we are not replacing a key id, we need to allocate
+	cur_key = sctp_auth_shkey_create(auth_key->sca_keynumber, GFP_KERNEL);
-	 * a shared key.
+	if (!cur_key)
-	 */
+		return -ENOMEM;
 	if (!replace) {
 		cur_key = sctp_auth_shkey_create(auth_key->sca_keynumber,
 						 GFP_KERNEL);
 		if (!cur_key)
 			return -ENOMEM;
 	}
 	/* Create a new key data based on the info passed in */
 	key = sctp_auth_create_key(auth_key->sca_keylength, GFP_KERNEL);
-	if (!key)
+	if (!key) {
-		goto nomem;
+		kfree(cur_key);
 		return -ENOMEM;
 	}
 	memcpy(key->data, &auth_key->sca_key[0], auth_key->sca_keylength);
 	/* If we are replacing, remove the old keys data from the
 	 * key id.  If we are adding new key id, add it to the
 	 * list.
 	 */
 	if (replace)
 		sctp_auth_key_put(cur_key->key);
 	else
 		list_add(&cur_key->key_list, sh_keys);
 	cur_key->key = key;
 	return 0;
 nomem:
 	if (!replace)
 		sctp_auth_shkey_free(cur_key);
-	return -ENOMEM;
+	if (replace) {
 		list_del_init(&shkey->key_list);
 		sctp_auth_shkey_release(shkey);
 	}
 	list_add(&cur_key->key_list, sh_keys);
 	return 0;
 }
 int sctp_auth_set_active_key(struct sctp_endpoint *ep,
@ -905,7 +908,7 @@ int sctp_auth_set_active_key(struct sctp_endpoint *ep,
 		}
 	}
-	if (!found)
+	if (!found || key->deactivated)
 		return -EINVAL;
 	if (asoc) {
@ -952,7 +955,58 @@ int sctp_auth_del_key_id(struct sctp_endpoint *ep,
 	/* Delete the shared key */
 	list_del_init(&key->key_list);
-	sctp_auth_shkey_free(key);
+	sctp_auth_shkey_release(key);
 	return 0;
 }
 int sctp_auth_deact_key_id(struct sctp_endpoint *ep,
 			   struct sctp_association *asoc, __u16  key_id)
 {
 	struct sctp_shared_key *key;
 	struct list_head *sh_keys;
 	int found = 0;
 	/* The key identifier MUST NOT be the current active key
 	 * The key identifier MUST correst to an existing key
 	 */
 	if (asoc) {
 		if (asoc->active_key_id == key_id)
 			return -EINVAL;
 		sh_keys = &asoc->endpoint_shared_keys;
 	} else {
 		if (ep->active_key_id == key_id)
 			return -EINVAL;
 		sh_keys = &ep->endpoint_shared_keys;
 	}
 	key_for_each(key, sh_keys) {
 		if (key->key_id == key_id) {
 			found = 1;
 			break;
 		}
 	}
 	if (!found)
 		return -EINVAL;
 	/* refcnt == 1 and !list_empty mean it's not being used anywhere
 	 * and deactivated will be set, so it's time to notify userland
 	 * that this shkey can be freed.
 	 */
 	if (asoc && !list_empty(&key->key_list) &&
 	    refcount_read(&key->refcnt) == 1) {
 		struct sctp_ulpevent *ev;
 		ev = sctp_ulpevent_make_authkey(asoc, key->key_id,
 						SCTP_AUTH_FREE_KEY, GFP_KERNEL);
 		if (ev)
 			asoc->stream.si->enqueue_event(&asoc->ulpq, ev);
 	}
 	key->deactivated = 1;
 	return 0;
 }
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@ -168,6 +168,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
 {
 	size_t len, first_len, max_data, remaining;
 	size_t msg_len = iov_iter_count(from);
 	struct sctp_shared_key *shkey = NULL;
 	struct list_head *pos, *temp;
 	struct sctp_chunk *chunk;
 	struct sctp_datamsg *msg;
@ -204,6 +205,17 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
 		if (hmac_desc)
 			max_data -= SCTP_PAD4(sizeof(struct sctp_auth_chunk) +
 					      hmac_desc->hmac_len);
 		if (sinfo->sinfo_tsn &&
 		    sinfo->sinfo_ssn != asoc->active_key_id) {
 			shkey = sctp_auth_get_shkey(asoc, sinfo->sinfo_ssn);
 			if (!shkey) {
 				err = -EINVAL;
 				goto errout;
 			}
 		} else {
 			shkey = asoc->shkey;
 		}
 	}
 	/* Check what's our max considering the above */
@ -275,6 +287,8 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
 		if (err < 0)
 			goto errout_chunk_free;
 		chunk->shkey = shkey;
 		/* Put the chunk->skb back into the form expected by send.  */
 		__skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr -
 				       chunk->skb->data);
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@ -241,10 +241,13 @@ static enum sctp_xmit sctp_packet_bundle_auth(struct sctp_packet *pkt,
 	if (!chunk->auth)
 		return retval;
-	auth = sctp_make_auth(asoc);
+	auth = sctp_make_auth(asoc, chunk->shkey->key_id);
 	if (!auth)
 		return retval;
 	auth->shkey = chunk->shkey;
 	sctp_auth_shkey_hold(auth->shkey);
 	retval = __sctp_packet_append_chunk(pkt, auth);
 	if (retval != SCTP_XMIT_OK)
@ -490,7 +493,8 @@ static int sctp_packet_pack(struct sctp_packet *packet,
 		}
 		if (auth) {
-			sctp_auth_calculate_hmac(tp->asoc, nskb, auth, gfp);
+			sctp_auth_calculate_hmac(tp->asoc, nskb, auth,
 						 packet->auth->shkey, gfp);
 			/* free auth if no more chunks, or add it back */
 			if (list_empty(&packet->chunk_list))
 				sctp_chunk_free(packet->auth);
@ -770,6 +774,16 @@ static enum sctp_xmit sctp_packet_will_fit(struct sctp_packet *packet,
 	enum sctp_xmit retval = SCTP_XMIT_OK;
 	size_t psize, pmtu, maxsize;
 	/* Don't bundle in this packet if this chunk's auth key doesn't
 	 * match other chunks already enqueued on this packet. Also,
 	 * don't bundle the chunk with auth key if other chunks in this
 	 * packet don't have auth key.
 	 */
 	if ((packet->auth && chunk->shkey != packet->auth->shkey) ||
 	    (!packet->auth && chunk->shkey &&
 	     chunk->chunk_hdr->type != SCTP_CID_AUTH))
 		return SCTP_XMIT_PMTU_FULL;
 	psize = packet->size;
 	if (packet->transport->asoc)
 		pmtu = packet->transport->asoc->pathmtu;
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@ -87,7 +87,28 @@ static void  *sctp_addto_chunk_fixed(struct sctp_chunk *, int len,
 /* Control chunk destructor */
 static void sctp_control_release_owner(struct sk_buff *skb)
 {
-	/*TODO: do memory release */
+	struct sctp_chunk *chunk = skb_shinfo(skb)->destructor_arg;
 	if (chunk->shkey) {
 		struct sctp_shared_key *shkey = chunk->shkey;
 		struct sctp_association *asoc = chunk->asoc;
 		/* refcnt == 2 and !list_empty mean after this release, it's
 		 * not being used anywhere, and it's time to notify userland
 		 * that this shkey can be freed if it's been deactivated.
 		 */
 		if (shkey->deactivated && !list_empty(&shkey->key_list) &&
 		    refcount_read(&shkey->refcnt) == 2) {
 			struct sctp_ulpevent *ev;
 			ev = sctp_ulpevent_make_authkey(asoc, shkey->key_id,
 							SCTP_AUTH_FREE_KEY,
 							GFP_KERNEL);
 			if (ev)
 				asoc->stream.si->enqueue_event(&asoc->ulpq, ev);
 		}
 		sctp_auth_shkey_release(chunk->shkey);
 	}
 }
 static void sctp_control_set_owner_w(struct sctp_chunk *chunk)
@ -102,7 +123,12 @@ static void sctp_control_set_owner_w(struct sctp_chunk *chunk)
 	 *
 	 *  For now don't do anything for now.
 	 */
 	if (chunk->auth) {
 		chunk->shkey = asoc->shkey;
 		sctp_auth_shkey_hold(chunk->shkey);
 	}
 	skb->sk = asoc ? asoc->base.sk : NULL;
 	skb_shinfo(skb)->destructor_arg = chunk;
 	skb->destructor = sctp_control_release_owner;
 }
@ -1271,7 +1297,8 @@ struct sctp_chunk *sctp_make_op_error(const struct sctp_association *asoc,
 	return retval;
 }
-struct sctp_chunk *sctp_make_auth(const struct sctp_association *asoc)
+struct sctp_chunk *sctp_make_auth(const struct sctp_association *asoc,
 				  __u16 key_id)
 {
 	struct sctp_authhdr auth_hdr;
 	struct sctp_hmac *hmac_desc;
@ -1289,7 +1316,7 @@ struct sctp_chunk *sctp_make_auth(const struct sctp_association *asoc)
 		return NULL;
 	auth_hdr.hmac_id = htons(hmac_desc->hmac_id);
-	auth_hdr.shkey_id = htons(asoc->active_key_id);
+	auth_hdr.shkey_id = htons(key_id);
 	retval->subh.auth_hdr = sctp_addto_chunk(retval, sizeof(auth_hdr),
 						 &auth_hdr);
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@ -1049,6 +1049,16 @@ static void sctp_cmd_assoc_change(struct sctp_cmd_seq *commands,
 		asoc->stream.si->enqueue_event(&asoc->ulpq, ev);
 }
 static void sctp_cmd_peer_no_auth(struct sctp_cmd_seq *commands,
 				  struct sctp_association *asoc)
 {
 	struct sctp_ulpevent *ev;
 	ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH, GFP_ATOMIC);
 	if (ev)
 		asoc->stream.si->enqueue_event(&asoc->ulpq, ev);
 }
 /* Helper function to generate an adaptation indication event */
 static void sctp_cmd_adaptation_ind(struct sctp_cmd_seq *commands,
 				    struct sctp_association *asoc)
@ -1755,6 +1765,9 @@ static int sctp_cmd_interpreter(enum sctp_event event_type,
 		case SCTP_CMD_ADAPTATION_IND:
 			sctp_cmd_adaptation_ind(commands, asoc);
 			break;
 		case SCTP_CMD_PEER_NO_AUTH:
 			sctp_cmd_peer_no_auth(commands, asoc);
 			break;
 		case SCTP_CMD_ASSOC_SHKEY:
 			error = sctp_auth_asoc_init_active_key(asoc,
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@ -659,7 +659,7 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
 					 void *arg,
 					 struct sctp_cmd_seq *commands)
 {
-	struct sctp_ulpevent *ev, *ai_ev = NULL;
+	struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL;
 	struct sctp_association *new_asoc;
 	struct sctp_init_chunk *peer_init;
 	struct sctp_chunk *chunk = arg;
@ -820,6 +820,14 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
 			goto nomem_aiev;
 	}
 	if (!new_asoc->peer.auth_capable) {
 		auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0,
 						     SCTP_AUTH_NO_AUTH,
 						     GFP_ATOMIC);
 		if (!auth_ev)
 			goto nomem_authev;
 	}
 	/* Add all the state machine commands now since we've created
 	 * everything.  This way we don't introduce memory corruptions
 	 * during side-effect processing and correclty count established
@ -847,8 +855,14 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 				SCTP_ULPEVENT(ai_ev));
 	if (auth_ev)
 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 				SCTP_ULPEVENT(auth_ev));
 	return SCTP_DISPOSITION_CONSUME;
 nomem_authev:
 	sctp_ulpevent_free(ai_ev);
 nomem_aiev:
 	sctp_ulpevent_free(ev);
 nomem_ev:
@ -953,6 +967,15 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
 				SCTP_ULPEVENT(ev));
 	}
 	if (!asoc->peer.auth_capable) {
 		ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH,
 						GFP_ATOMIC);
 		if (!ev)
 			goto nomem;
 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 				SCTP_ULPEVENT(ev));
 	}
 	return SCTP_DISPOSITION_CONSUME;
 nomem:
 	return SCTP_DISPOSITION_NOMEM;
@ -1908,6 +1931,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
 	if (asoc->peer.adaptation_ind)
 		sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
 	if (!asoc->peer.auth_capable)
 		sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL());
 	return SCTP_DISPOSITION_CONSUME;
 nomem:
@ -1954,7 +1980,7 @@ static enum sctp_disposition sctp_sf_do_dupcook_d(
 					struct sctp_cmd_seq *commands,
 					struct sctp_association *new_asoc)
 {
-	struct sctp_ulpevent *ev = NULL, *ai_ev = NULL;
+	struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL;
 	struct sctp_chunk *repl;
 	/* Clarification from Implementor's Guide:
@ -2001,6 +2027,14 @@ static enum sctp_disposition sctp_sf_do_dupcook_d(
 				goto nomem;
 		}
 		if (!asoc->peer.auth_capable) {
 			auth_ev = sctp_ulpevent_make_authkey(asoc, 0,
 							     SCTP_AUTH_NO_AUTH,
 							     GFP_ATOMIC);
 			if (!auth_ev)
 				goto nomem;
 		}
 	}
 	repl = sctp_make_cookie_ack(new_asoc, chunk);
@ -2015,10 +2049,15 @@ static enum sctp_disposition sctp_sf_do_dupcook_d(
 	if (ai_ev)
 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 					SCTP_ULPEVENT(ai_ev));
 	if (auth_ev)
 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 				SCTP_ULPEVENT(auth_ev));
 	return SCTP_DISPOSITION_CONSUME;
 nomem:
 	if (auth_ev)
 		sctp_ulpevent_free(auth_ev);
 	if (ai_ev)
 		sctp_ulpevent_free(ai_ev);
 	if (ev)
@ -4114,6 +4153,7 @@ static enum sctp_ierror sctp_sf_authenticate(
 					const union sctp_subtype type,
 					struct sctp_chunk *chunk)
 {
 	struct sctp_shared_key *sh_key = NULL;
 	struct sctp_authhdr *auth_hdr;
 	__u8 *save_digest, *digest;
 	struct sctp_hmac *hmac;
@ -4135,9 +4175,11 @@ static enum sctp_ierror sctp_sf_authenticate(
 	 * configured
 	 */
 	key_id = ntohs(auth_hdr->shkey_id);
-	if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id))
+	if (key_id != asoc->active_key_id) {
-		return SCTP_IERROR_AUTH_BAD_KEYID;
+		sh_key = sctp_auth_get_shkey(asoc, key_id);
-
+		if (!sh_key)
 			return SCTP_IERROR_AUTH_BAD_KEYID;
 	}
 	/* Make sure that the length of the signature matches what
 	 * we expect.
@ -4166,7 +4208,7 @@ static enum sctp_ierror sctp_sf_authenticate(
 	sctp_auth_calculate_hmac(asoc, chunk->skb,
 				 (struct sctp_auth_chunk *)chunk->chunk_hdr,
-				 GFP_ATOMIC);
+				 sh_key, GFP_ATOMIC);
 	/* Discard the packet if the digests do not match */
 	if (memcmp(save_digest, digest, sig_len)) {
@ -4243,7 +4285,7 @@ enum sctp_disposition sctp_sf_eat_auth(struct net *net,
 		struct sctp_ulpevent *ev;
 		ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
-				    SCTP_AUTH_NEWKEY, GFP_ATOMIC);
+				    SCTP_AUTH_NEW_KEY, GFP_ATOMIC);
 		if (!ev)
 			return -ENOMEM;
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@ -156,6 +156,9 @@ static inline void sctp_set_owner_w(struct sctp_chunk *chunk)
 	/* The sndbuf space is tracked per association.  */
 	sctp_association_hold(asoc);
 	if (chunk->shkey)
 		sctp_auth_shkey_hold(chunk->shkey);
 	skb_set_owner_w(chunk->skb, sk);
 	chunk->skb->destructor = sctp_wfree;
@ -1984,6 +1987,14 @@ static void sctp_sendmsg_update_sinfo(struct sctp_association *asoc,
 	if (!cmsgs->srinfo && !cmsgs->prinfo)
 		sinfo->sinfo_timetolive = asoc->default_timetolive;
 	if (cmsgs->authinfo) {
 		/* Reuse sinfo_tsn to indicate that authinfo was set and
 		 * sinfo_ssn to save the keyid on tx path.
 		 */
 		sinfo->sinfo_tsn = 1;
 		sinfo->sinfo_ssn = cmsgs->authinfo->auth_keynumber;
 	}
 }
 static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
@ -3635,6 +3646,33 @@ static int sctp_setsockopt_del_key(struct sock *sk,
 }
 /*
 * 8.3.4  Deactivate a Shared Key (SCTP_AUTH_DEACTIVATE_KEY)
 *
 * This set option will deactivate a shared secret key.
 */
 static int sctp_setsockopt_deactivate_key(struct sock *sk, char __user *optval,
 					  unsigned int optlen)
 {
 	struct sctp_endpoint *ep = sctp_sk(sk)->ep;
 	struct sctp_authkeyid val;
 	struct sctp_association *asoc;
 	if (!ep->auth_enable)
 		return -EACCES;
 	if (optlen != sizeof(struct sctp_authkeyid))
 		return -EINVAL;
 	if (copy_from_user(&val, optval, optlen))
 		return -EFAULT;
 	asoc = sctp_id2assoc(sk, val.scact_assoc_id);
 	if (!asoc && val.scact_assoc_id && sctp_style(sk, UDP))
 		return -EINVAL;
 	return sctp_auth_deact_key_id(ep, asoc, val.scact_keynumber);
 }
 /*
 * 8.1.23 SCTP_AUTO_ASCONF
 *
@ -4227,6 +4265,9 @@ static int sctp_setsockopt(struct sock *sk, int level, int optname,
 	case SCTP_AUTH_DELETE_KEY:
 		retval = sctp_setsockopt_del_key(sk, optval, optlen);
 		break;
 	case SCTP_AUTH_DEACTIVATE_KEY:
 		retval = sctp_setsockopt_deactivate_key(sk, optval, optlen);
 		break;
 	case SCTP_AUTO_ASCONF:
 		retval = sctp_setsockopt_auto_asconf(sk, optval, optlen);
 		break;
@ -7201,6 +7242,7 @@ static int sctp_getsockopt(struct sock *sk, int level, int optname,
 	case SCTP_AUTH_KEY:
 	case SCTP_AUTH_CHUNK:
 	case SCTP_AUTH_DELETE_KEY:
 	case SCTP_AUTH_DEACTIVATE_KEY:
 		retval = -EOPNOTSUPP;
 		break;
 	case SCTP_HMAC_IDENT:
@ -7871,6 +7913,21 @@ static int sctp_msghdr_parse(const struct msghdr *msg, struct sctp_cmsgs *cmsgs)
 			if (cmsgs->prinfo->pr_policy == SCTP_PR_SCTP_NONE)
 				cmsgs->prinfo->pr_value = 0;
 			break;
 		case SCTP_AUTHINFO:
 			/* SCTP Socket API Extension
 			 * 5.3.8 SCTP AUTH Information Structure (SCTP_AUTHINFO)
 			 *
 			 * This cmsghdr structure specifies SCTP options for sendmsg().
 			 *
 			 * cmsg_level    cmsg_type      cmsg_data[]
 			 * ------------  ------------   ---------------------
 			 * IPPROTO_SCTP  SCTP_AUTHINFO  struct sctp_authinfo
 			 */
 			if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct sctp_authinfo)))
 				return -EINVAL;
 			cmsgs->authinfo = CMSG_DATA(cmsg);
 			break;
 		case SCTP_DSTADDRV4:
 		case SCTP_DSTADDRV6:
 			/* SCTP Socket API Extension
@ -8109,6 +8166,26 @@ static void sctp_wfree(struct sk_buff *skb)
 	sk->sk_wmem_queued   -= skb->truesize;
 	sk_mem_uncharge(sk, skb->truesize);
 	if (chunk->shkey) {
 		struct sctp_shared_key *shkey = chunk->shkey;
 		/* refcnt == 2 and !list_empty mean after this release, it's
 		 * not being used anywhere, and it's time to notify userland
 		 * that this shkey can be freed if it's been deactivated.
 		 */
 		if (shkey->deactivated && !list_empty(&shkey->key_list) &&
 		    refcount_read(&shkey->refcnt) == 2) {
 			struct sctp_ulpevent *ev;
 			ev = sctp_ulpevent_make_authkey(asoc, shkey->key_id,
 							SCTP_AUTH_FREE_KEY,
 							GFP_KERNEL);
 			if (ev)
 				asoc->stream.si->enqueue_event(&asoc->ulpq, ev);
 		}
 		sctp_auth_shkey_release(chunk->shkey);
 	}
 	sock_wfree(skb);
 	sctp_wake_up_waiters(sk, asoc);