1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 #include <sys/types.h>
27 #include <sys/systm.h>
28 #include <sys/stream.h>
29 #include <sys/cmn_err.h>
30 #include <sys/md5.h>
31 #include <sys/kmem.h>
32 #include <sys/strsubr.h>
33 #include <sys/random.h>
34 #include <sys/tsol/tnet.h>
35
36 #include <netinet/in.h>
37 #include <netinet/ip6.h>
38
39 #include <inet/common.h>
40 #include <inet/ip.h>
41 #include <inet/ip6.h>
42 #include <inet/ipsec_impl.h>
43 #include <inet/sctp_ip.h>
44 #include <inet/ipclassifier.h>
45 #include "sctp_impl.h"
46
47 /*
48 * Helper function for SunCluster (PSARC/2005/602) to get the original source
49 * address from the COOKIE
50 */
51 int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *);
52
53 /*
54 * From RFC 2104. This should probably go into libmd5 (and while
55 * we're at it, maybe we should make a libdigest so we can later
56 * add SHA1 and others, esp. since some weaknesses have been found
57 * with MD5).
58 *
59 * text IN pointer to data stream
60 * text_len IN length of data stream
61 * key IN pointer to authentication key
62 * key_len IN length of authentication key
63 * digest OUT caller digest to be filled in
64 */
65 static void
hmac_md5(uchar_t * text,size_t text_len,uchar_t * key,size_t key_len,uchar_t * digest)66 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len,
67 uchar_t *digest)
68 {
69 MD5_CTX context;
70 uchar_t k_ipad[65]; /* inner padding - key XORd with ipad */
71 uchar_t k_opad[65]; /* outer padding - key XORd with opad */
72 uchar_t tk[16];
73 int i;
74
75 /* if key is longer than 64 bytes reset it to key=MD5(key) */
76 if (key_len > 64) {
77 MD5_CTX tctx;
78
79 MD5Init(&tctx);
80 MD5Update(&tctx, key, key_len);
81 MD5Final(tk, &tctx);
82
83 key = tk;
84 key_len = 16;
85 }
86
87 /*
88 * the HMAC_MD5 transform looks like:
89 *
90 * MD5(K XOR opad, MD5(K XOR ipad, text))
91 *
92 * where K is an n byte key
93 * ipad is the byte 0x36 repeated 64 times
94 * opad is the byte 0x5c repeated 64 times
95 * and text is the data being protected
96 */
97
98 /* start out by storing key in pads */
99 bzero(k_ipad, sizeof (k_ipad));
100 bzero(k_opad, sizeof (k_opad));
101 bcopy(key, k_ipad, key_len);
102 bcopy(key, k_opad, key_len);
103
104 /* XOR key with ipad and opad values */
105 for (i = 0; i < 64; i++) {
106 k_ipad[i] ^= 0x36;
107 k_opad[i] ^= 0x5c;
108 }
109 /*
110 * perform inner MD5
111 */
112 MD5Init(&context); /* init context for 1st */
113 /* pass */
114 MD5Update(&context, k_ipad, 64); /* start with inner pad */
115 MD5Update(&context, text, text_len); /* then text of datagram */
116 MD5Final(digest, &context); /* finish up 1st pass */
117 /*
118 * perform outer MD5
119 */
120 MD5Init(&context); /* init context for 2nd */
121 /* pass */
122 MD5Update(&context, k_opad, 64); /* start with outer pad */
123 MD5Update(&context, digest, 16); /* then results of 1st */
124 /* hash */
125 MD5Final(digest, &context); /* finish up 2nd pass */
126 }
127
128 /*
129 * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP
130 * info in initmp to send the abort. Otherwise, no abort will be sent.
131 *
132 * When called from stcp_send_initack() while processing parameters
133 * from a received INIT_CHUNK want_cookie will be NULL.
134 *
135 * When called from sctp_send_cookie_echo() while processing an INIT_ACK,
136 * want_cookie contains a pointer to a pointer of type *sctp_parm_hdr_t.
137 * However, this last pointer will be NULL until the cookie is processed
138 * at which time it will be set to point to a sctp_parm_hdr_t that contains
139 * the cookie info.
140 *
141 * Note: an INIT_ACK is expected to contain a cookie.
142 *
143 * When processing an INIT_ACK, an ERROR chunk and chain of one or more
144 * error CAUSE blocks will be created if unrecognized parameters marked by
145 * the sender as reportable are found.
146 *
147 * When processing an INIT chunk, a chain of one or more error CAUSE blocks
148 * will be created if unrecognized parameters marked by the sender as
149 * reportable are found. These are appended directly to the INIT_ACK chunk.
150 *
151 * In both cases the error chain is visible to the caller via *errmp.
152 *
153 * Returns 1 if the parameters are OK (or if there are no optional
154 * parameters), returns 0 otherwise.
155 */
156 static int
validate_init_params(sctp_t * sctp,sctp_chunk_hdr_t * ch,sctp_init_chunk_t * init,mblk_t * inmp,sctp_parm_hdr_t ** want_cookie,mblk_t ** errmp,int * supp_af,uint_t * sctp_options,ip_recv_attr_t * ira)157 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch,
158 sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie,
159 mblk_t **errmp, int *supp_af, uint_t *sctp_options, ip_recv_attr_t *ira)
160 {
161 sctp_parm_hdr_t *cph;
162 sctp_init_chunk_t *ic;
163 ssize_t remaining;
164 uint16_t serror = 0;
165 char *details = NULL;
166 size_t errlen = 0;
167 boolean_t got_cookie = B_FALSE;
168 boolean_t got_errchunk = B_FALSE;
169 uint16_t ptype;
170 sctp_mpc_t mpc;
171 conn_t *connp = sctp->sctp_connp;
172
173
174 ASSERT(errmp != NULL);
175
176 if (sctp_options != NULL)
177 *sctp_options = 0;
178
179 /* First validate stream parameters */
180 if (init->sic_instr == 0 || init->sic_outstr == 0) {
181 serror = SCTP_ERR_BAD_MANDPARM;
182 dprint(1, ("validate_init_params: bad sid, is=%d os=%d\n",
183 htons(init->sic_instr), htons(init->sic_outstr)));
184 goto abort;
185 }
186 if (ntohl(init->sic_inittag) == 0) {
187 serror = SCTP_ERR_BAD_MANDPARM;
188 dprint(1, ("validate_init_params: inittag = 0\n"));
189 goto abort;
190 }
191
192 remaining = ntohs(ch->sch_len) - sizeof (*ch);
193 ic = (sctp_init_chunk_t *)(ch + 1);
194 remaining -= sizeof (*ic);
195 if (remaining < sizeof (*cph)) {
196 /*
197 * When processing a received INIT_ACK, a cookie is
198 * expected, if missing there is nothing to validate.
199 */
200 if (want_cookie != NULL)
201 goto cookie_abort;
202 return (1);
203 }
204
205 cph = (sctp_parm_hdr_t *)(ic + 1);
206
207 while (cph != NULL) {
208 ptype = ntohs(cph->sph_type);
209 switch (ptype) {
210 case PARM_HBINFO:
211 case PARM_UNRECOGNIZED:
212 case PARM_ECN:
213 /* just ignore them */
214 break;
215 case PARM_FORWARD_TSN:
216 if (sctp_options != NULL)
217 *sctp_options |= SCTP_PRSCTP_OPTION;
218 break;
219 case PARM_COOKIE:
220 got_cookie = B_TRUE;
221 /*
222 * Processing a received INIT_ACK, we have a cookie
223 * and a valid pointer in our caller to attach it to.
224 */
225 if (want_cookie != NULL) {
226 *want_cookie = cph;
227 }
228 break;
229 case PARM_ADDR4:
230 *supp_af |= PARM_SUPP_V4;
231 break;
232 case PARM_ADDR6:
233 *supp_af |= PARM_SUPP_V6;
234 break;
235 case PARM_COOKIE_PRESERVE:
236 case PARM_ADAPT_LAYER_IND:
237 /* These are OK */
238 break;
239 case PARM_ADDR_HOST_NAME:
240 /* Don't support this; abort the association */
241 serror = SCTP_ERR_BAD_ADDR;
242 details = (char *)cph;
243 errlen = ntohs(cph->sph_len);
244 dprint(1, ("sctp:validate_init_params: host addr\n"));
245 goto abort;
246 case PARM_SUPP_ADDRS: {
247 /* Make sure we have a supported addr intersection */
248 uint16_t *p, addrtype;
249 int plen;
250
251 plen = ntohs(cph->sph_len);
252 p = (uint16_t *)(cph + 1);
253 while (plen > 0) {
254 addrtype = ntohs(*p);
255 switch (addrtype) {
256 case PARM_ADDR6:
257 *supp_af |= PARM_SUPP_V6;
258 break;
259 case PARM_ADDR4:
260 *supp_af |= PARM_SUPP_V4;
261 break;
262 default:
263 /*
264 * Do nothing, silently ignore hostname
265 * address.
266 */
267 break;
268 }
269 p++;
270 plen -= sizeof (*p);
271 }
272 break;
273 }
274 default:
275 /*
276 * Handle any unrecognized params, the two high order
277 * bits of ptype define how the remote wants them
278 * handled.
279 * Top bit:
280 * 1. Continue processing other params in the chunk
281 * 0. Stop processing params after this one.
282 * 2nd bit:
283 * 1. Must report this unrecognized param to remote
284 * 0. Obey the top bit silently.
285 */
286 if (ptype & SCTP_REPORT_THIS_PARAM) {
287 if (!got_errchunk && want_cookie != NULL) {
288 /*
289 * The incoming pointer want_cookie is
290 * NULL so processing an INIT_ACK.
291 * This is the first reportable param,
292 * create an ERROR chunk and populate
293 * it with a CAUSE block for this parm.
294 */
295 *errmp = sctp_make_err(sctp,
296 PARM_UNRECOGNIZED,
297 (void *)cph,
298 ntohs(cph->sph_len));
299 got_errchunk = B_TRUE;
300 } else {
301 /*
302 * If processing an INIT_ACK, we already
303 * have an ERROR chunk, just add a new
304 * CAUSE block and update ERROR chunk
305 * length.
306 * If processing an INIT chunk add a new
307 * CAUSE block to the INIT_ACK, in this
308 * case there is no ERROR chunk thus
309 * got_errchunk will be B_FALSE. Chunk
310 * length is computed by our caller.
311 */
312 sctp_add_unrec_parm(cph, errmp,
313 got_errchunk);
314 }
315 }
316 if (ptype & SCTP_CONT_PROC_PARAMS) {
317 /*
318 * Continue processing params after this
319 * parameter.
320 */
321 break;
322 }
323
324 /*
325 * Stop processing params, report any reportable
326 * unrecognized params found so far.
327 */
328 goto done;
329 }
330
331 cph = sctp_next_parm(cph, &remaining);
332 }
333 done:
334 /*
335 * Some sanity checks. The following should not fail unless the
336 * other side is broken.
337 *
338 * 1. If this is a V4 endpoint but V4 address is not
339 * supported, abort.
340 * 2. If this is a V6 only endpoint but V6 address is
341 * not supported, abort. This assumes that a V6
342 * endpoint can use both V4 and V6 addresses.
343 * We only care about supp_af when processing INIT, i.e want_cookie
344 * is NULL.
345 */
346 if (want_cookie == NULL &&
347 ((connp->conn_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) ||
348 (connp->conn_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) &&
349 sctp->sctp_connp->conn_ipv6_v6only))) {
350 dprint(1, ("sctp:validate_init_params: supp addr\n"));
351 serror = SCTP_ERR_BAD_ADDR;
352 goto abort;
353 }
354
355 if (want_cookie != NULL && !got_cookie) {
356 cookie_abort:
357 /* Will populate the CAUSE block in the ABORT chunk. */
358 mpc.mpc_num = htons(1);
359 mpc.mpc_param = htons(PARM_COOKIE);
360 mpc.mpc_pad = 0;
361
362 dprint(1, ("validate_init_params: cookie absent\n"));
363 sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM,
364 (char *)&mpc, sizeof (sctp_mpc_t), inmp, 0, B_FALSE, ira);
365 return (0);
366 }
367
368 /* OK */
369 return (1);
370
371 abort:
372 if (want_cookie != NULL)
373 return (0);
374
375 sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details,
376 errlen, inmp, 0, B_FALSE, ira);
377 return (0);
378 }
379
380 /*
381 * Initialize params from the INIT and INIT-ACK when the assoc. is
382 * established.
383 */
384 boolean_t
sctp_initialize_params(sctp_t * sctp,sctp_init_chunk_t * init,sctp_init_chunk_t * iack)385 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init,
386 sctp_init_chunk_t *iack)
387 {
388 /* Get initial TSN */
389 sctp->sctp_ftsn = ntohl(init->sic_inittsn);
390 sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
391
392 /* Serial number is initialized to the same value as the TSN */
393 sctp->sctp_fcsn = sctp->sctp_lastacked;
394
395 /*
396 * Get verification tags; no byteordering is necessary, since
397 * verfication tags are never processed except for byte-by-byte
398 * comparisons.
399 */
400 sctp->sctp_fvtag = init->sic_inittag;
401 sctp->sctp_sctph->sh_verf = init->sic_inittag;
402 sctp->sctp_sctph6->sh_verf = init->sic_inittag;
403 sctp->sctp_lvtag = iack->sic_inittag;
404
405 /* Get the peer's rwnd */
406 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
407
408 /* Allocate the in/out-stream counters */
409 sctp->sctp_num_ostr = iack->sic_outstr;
410 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
411 sctp->sctp_num_ostr, KM_NOSLEEP);
412 if (sctp->sctp_ostrcntrs == NULL)
413 return (B_FALSE);
414
415 sctp->sctp_num_istr = iack->sic_instr;
416 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
417 sctp->sctp_num_istr, KM_NOSLEEP);
418 if (sctp->sctp_instr == NULL) {
419 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
420 sctp->sctp_num_ostr);
421 sctp->sctp_ostrcntrs = NULL;
422 return (B_FALSE);
423 }
424 return (B_TRUE);
425 }
426
427 /*
428 * Copy the peer's original source address into addr. This relies on the
429 * following format (see sctp_send_initack() below):
430 * relative timestamp for the cookie (int64_t) +
431 * cookie lifetime (uint32_t) +
432 * local tie-tag (uint32_t) + peer tie-tag (uint32_t) +
433 * Peer's original src ...
434 */
435 int
cl_sctp_cookie_paddr(sctp_chunk_hdr_t * ch,in6_addr_t * addr)436 cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr)
437 {
438 uchar_t *off;
439
440 ASSERT(addr != NULL);
441
442 if (ch->sch_id != CHUNK_COOKIE)
443 return (EINVAL);
444
445 off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) +
446 sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t);
447
448 bcopy(off, addr, sizeof (*addr));
449
450 return (0);
451 }
452
453 #define SCTP_CALC_COOKIE_LEN(initcp) \
454 sizeof (int64_t) + /* timestamp */ \
455 sizeof (uint32_t) + /* cookie lifetime */ \
456 sizeof (sctp_init_chunk_t) + /* INIT ACK */ \
457 sizeof (in6_addr_t) + /* peer's original source */ \
458 ntohs((initcp)->sch_len) + /* peer's INIT */ \
459 sizeof (uint32_t) + /* local tie-tag */ \
460 sizeof (uint32_t) + /* peer tie-tag */ \
461 sizeof (sctp_parm_hdr_t) + /* param header */ \
462 16 /* MD5 hash */
463
464 /*
465 * Note that sctp is the listener, hence we shouldn't modify it.
466 */
467 void
sctp_send_initack(sctp_t * sctp,sctp_hdr_t * initsh,sctp_chunk_hdr_t * ch,mblk_t * initmp,ip_recv_attr_t * ira)468 sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
469 mblk_t *initmp, ip_recv_attr_t *ira)
470 {
471 ipha_t *initiph;
472 ip6_t *initip6h;
473 ipha_t *iackiph = NULL;
474 ip6_t *iackip6h = NULL;
475 sctp_chunk_hdr_t *iack_ch;
476 sctp_init_chunk_t *iack;
477 sctp_init_chunk_t *init;
478 sctp_hdr_t *iacksh;
479 size_t cookielen;
480 size_t iacklen;
481 size_t ipsctplen;
482 size_t errlen = 0;
483 sctp_parm_hdr_t *cookieph;
484 mblk_t *iackmp;
485 uint32_t itag;
486 uint32_t itsn;
487 int64_t *now;
488 int64_t nowt;
489 uint32_t *lifetime;
490 char *p;
491 boolean_t isv4;
492 int supp_af = 0;
493 uint_t sctp_options;
494 uint32_t *ttag;
495 int pad;
496 mblk_t *errmp = NULL;
497 boolean_t initcollision = B_FALSE;
498 boolean_t linklocal = B_FALSE;
499 sctp_stack_t *sctps = sctp->sctp_sctps;
500 conn_t *connp = sctp->sctp_connp;
501 int err;
502 ip_xmit_attr_t *ixa = NULL;
503
504 BUMP_LOCAL(sctp->sctp_ibchunks);
505 isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION);
506
507 /* Extract the INIT chunk */
508 if (isv4) {
509 initiph = (ipha_t *)initmp->b_rptr;
510 ipsctplen = sctp->sctp_ip_hdr_len;
511 supp_af |= PARM_SUPP_V4;
512 } else {
513 initip6h = (ip6_t *)initmp->b_rptr;
514 ipsctplen = sctp->sctp_ip_hdr6_len;
515 if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src) ||
516 IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_dst))
517 linklocal = B_TRUE;
518 supp_af |= PARM_SUPP_V6;
519 if (!sctp->sctp_connp->conn_ipv6_v6only)
520 supp_af |= PARM_SUPP_V4;
521 }
522 ASSERT(OK_32PTR(initsh));
523 init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch));
524
525 /* Make sure we like the peer's parameters */
526 if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp,
527 &supp_af, &sctp_options, ira) == 0) {
528 return;
529 }
530 if (errmp != NULL)
531 errlen = msgdsize(errmp);
532 if (connp->conn_family == AF_INET) {
533 /*
534 * Regardless of the supported address in the INIT, v4
535 * must be supported.
536 */
537 supp_af = PARM_SUPP_V4;
538 }
539 if (sctp->sctp_state <= SCTPS_LISTEN) {
540 /* normal, expected INIT: generate new vtag and itsn */
541 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
542 if (itag == 0)
543 itag = (uint32_t)gethrtime();
544 itsn = itag + 1;
545 itag = htonl(itag);
546 } else if (sctp->sctp_state == SCTPS_COOKIE_WAIT ||
547 sctp->sctp_state == SCTPS_COOKIE_ECHOED) {
548 /* init collision; copy vtag and itsn from sctp */
549 itag = sctp->sctp_lvtag;
550 itsn = sctp->sctp_ltsn;
551 /*
552 * In addition we need to send all the params that was sent
553 * in our INIT chunk. Essentially, it is only the supported
554 * address params that we need to add.
555 */
556 initcollision = B_TRUE;
557 /*
558 * When we sent the INIT, we should have set linklocal in
559 * the sctp which should be good enough.
560 */
561 if (linklocal)
562 linklocal = B_FALSE;
563 } else {
564 /* peer restart; generate new vtag but keep everything else */
565 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
566 if (itag == 0)
567 itag = (uint32_t)gethrtime();
568 itag = htonl(itag);
569 itsn = sctp->sctp_ltsn;
570 }
571
572 /*
573 * Allocate a mblk for the INIT ACK, consisting of the link layer
574 * header, the IP header, the SCTP common header, and INIT ACK chunk,
575 * and finally the COOKIE parameter.
576 */
577 cookielen = SCTP_CALC_COOKIE_LEN(ch);
578 iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen;
579 if (sctp->sctp_send_adaptation)
580 iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t));
581 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
582 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
583 iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION);
584 }
585 if (initcollision)
586 iacklen += sctp_supaddr_param_len(sctp);
587 if (!linklocal)
588 iacklen += sctp_addr_params(sctp, supp_af, NULL, B_FALSE);
589 ipsctplen += sizeof (*iacksh) + iacklen;
590 iacklen += errlen;
591 /*
592 * Padding is applied after the cookie which is the end of chunk
593 * unless CAUSE blocks are appended when the pad must also be
594 * accounted for in iacklen.
595 */
596 if ((pad = ipsctplen % SCTP_ALIGN) != 0) {
597 pad = SCTP_ALIGN - pad;
598 ipsctplen += pad;
599 if (errmp != NULL)
600 iacklen += pad;
601 }
602
603 /*
604 * Base the transmission on any routing-related socket options
605 * that have been set on the listener.
606 */
607 ixa = conn_get_ixa_exclusive(connp);
608 if (ixa == NULL) {
609 sctp_send_abort(sctp, sctp_init2vtag(ch),
610 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
611 return;
612 }
613 ixa->ixa_flags &= ~IXAF_VERIFY_PMTU;
614
615 if (isv4)
616 ixa->ixa_flags |= IXAF_IS_IPV4;
617 else
618 ixa->ixa_flags &= ~IXAF_IS_IPV4;
619
620 /*
621 * If the listen socket is bound to a trusted extensions multi-label
622 * port, a MAC-Exempt connection with an unlabeled node, we use the
623 * the security label of the received INIT packet.
624 * If not a multi-label port, attach the unmodified
625 * listener's label directly.
626 *
627 * We expect Sun developed kernel modules to properly set
628 * cred labels for sctp connections. We can't be so sure this
629 * will be done correctly when 3rd party kernel modules
630 * directly use sctp. We check for a NULL ira_tsl to cover this
631 * possibility.
632 */
633 if (is_system_labeled()) {
634 /* Discard any old label */
635 if (ixa->ixa_free_flags & IXA_FREE_TSL) {
636 ASSERT(ixa->ixa_tsl != NULL);
637 label_rele(ixa->ixa_tsl);
638 ixa->ixa_free_flags &= ~IXA_FREE_TSL;
639 ixa->ixa_tsl = NULL;
640 }
641
642 if (connp->conn_mlp_type != mlptSingle ||
643 connp->conn_mac_mode != CONN_MAC_DEFAULT) {
644 if (ira->ira_tsl == NULL) {
645 sctp_send_abort(sctp, sctp_init2vtag(ch),
646 SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0,
647 B_FALSE, ira);
648 ixa_refrele(ixa);
649 return;
650 }
651 label_hold(ira->ira_tsl);
652 ip_xmit_attr_replace_tsl(ixa, ira->ira_tsl);
653 } else {
654 ixa->ixa_tsl = crgetlabel(connp->conn_cred);
655 }
656 }
657
658 iackmp = allocb(ipsctplen + sctps->sctps_wroff_xtra, BPRI_MED);
659 if (iackmp == NULL) {
660 sctp_send_abort(sctp, sctp_init2vtag(ch),
661 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
662 ixa_refrele(ixa);
663 return;
664 }
665
666 /* Copy in the [imcomplete] IP/SCTP composite header */
667 p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra);
668 iackmp->b_rptr = (uchar_t *)p;
669 if (isv4) {
670 bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len);
671 iackiph = (ipha_t *)p;
672
673 /* Copy the peer's IP addr */
674 iackiph->ipha_dst = initiph->ipha_src;
675 iackiph->ipha_src = initiph->ipha_dst;
676 iackiph->ipha_length = htons(ipsctplen + errlen);
677 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len);
678 ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr_len;
679 } else {
680 bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len);
681 iackip6h = (ip6_t *)p;
682
683 /* Copy the peer's IP addr */
684 iackip6h->ip6_dst = initip6h->ip6_src;
685 iackip6h->ip6_src = initip6h->ip6_dst;
686 iackip6h->ip6_plen = htons(ipsctplen + errlen - IPV6_HDR_LEN);
687 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len);
688 ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr6_len;
689 }
690 ixa->ixa_pktlen = ipsctplen + errlen;
691
692 ASSERT(OK_32PTR(iacksh));
693
694 /* Fill in the holes in the SCTP common header */
695 iacksh->sh_sport = initsh->sh_dport;
696 iacksh->sh_dport = initsh->sh_sport;
697 iacksh->sh_verf = init->sic_inittag;
698
699 /* INIT ACK chunk header */
700 iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1);
701 iack_ch->sch_id = CHUNK_INIT_ACK;
702 iack_ch->sch_flags = 0;
703 iack_ch->sch_len = htons(iacklen);
704
705 /* The INIT ACK itself */
706 iack = (sctp_init_chunk_t *)(iack_ch + 1);
707 iack->sic_inittag = itag; /* already in network byteorder */
708 iack->sic_inittsn = htonl(itsn);
709
710 iack->sic_a_rwnd = htonl(sctp->sctp_rwnd);
711 /* Advertise what we would want to have as stream #'s */
712 iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr,
713 ntohs(init->sic_instr)));
714 iack->sic_instr = htons(sctp->sctp_num_istr);
715
716 p = (char *)(iack + 1);
717 p += sctp_adaptation_code_param(sctp, (uchar_t *)p);
718 if (initcollision)
719 p += sctp_supaddr_param(sctp, (uchar_t *)p);
720 if (!linklocal)
721 p += sctp_addr_params(sctp, supp_af, (uchar_t *)p, B_FALSE);
722 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
723 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
724 p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION);
725 }
726 /*
727 * Generate and lay in the COOKIE parameter.
728 *
729 * Any change here that results in a change of location for
730 * the peer's orig source address must be propagated to the fn
731 * cl_sctp_cookie_paddr() above.
732 *
733 * The cookie consists of:
734 * 1. The relative timestamp for the cookie (lbolt64)
735 * 2. The cookie lifetime (uint32_t) in tick
736 * 3. The local tie-tag
737 * 4. The peer tie-tag
738 * 5. Peer's original src, used to confirm the validity of address.
739 * 6. Our INIT ACK chunk, less any parameters
740 * 7. The INIT chunk (may contain parameters)
741 * 8. 128-bit MD5 signature.
742 *
743 * Since the timestamp values will only be evaluated locally, we
744 * don't need to worry about byte-ordering them.
745 */
746 cookieph = (sctp_parm_hdr_t *)p;
747 cookieph->sph_type = htons(PARM_COOKIE);
748 cookieph->sph_len = htons(cookielen);
749
750 /* timestamp */
751 now = (int64_t *)(cookieph + 1);
752 nowt = LBOLT_FASTPATH64;
753 bcopy(&nowt, now, sizeof (*now));
754
755 /* cookie lifetime -- need configuration */
756 lifetime = (uint32_t *)(now + 1);
757 *lifetime = sctp->sctp_cookie_lifetime;
758
759 /* Set the tie-tags */
760 ttag = (uint32_t *)(lifetime + 1);
761 if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) {
762 *ttag = 0;
763 ttag++;
764 *ttag = 0;
765 ttag++;
766 } else {
767 /* local tie-tag (network byte-order) */
768 *ttag = sctp->sctp_lvtag;
769 ttag++;
770 /* peer tie-tag (network byte-order) */
771 *ttag = sctp->sctp_fvtag;
772 ttag++;
773 }
774 /*
775 * Copy in peer's original source address so that we can confirm
776 * the reachability later.
777 */
778 p = (char *)ttag;
779 if (isv4) {
780 in6_addr_t peer_addr;
781
782 IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr);
783 bcopy(&peer_addr, p, sizeof (in6_addr_t));
784 } else {
785 bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t));
786 }
787 p += sizeof (in6_addr_t);
788 /* Copy in our INIT ACK chunk */
789 bcopy(iack, p, sizeof (*iack));
790 iack = (sctp_init_chunk_t *)p;
791 /* Set the # of streams we'll end up using */
792 iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr));
793 iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr));
794 p += sizeof (*iack);
795
796 /* Copy in the peer's INIT chunk */
797 bcopy(ch, p, ntohs(ch->sch_len));
798 p += ntohs(ch->sch_len);
799
800 /*
801 * Calculate the HMAC ICV into the digest slot in buf.
802 * First, generate a new secret if the current secret is
803 * older than the new secret lifetime parameter permits,
804 * copying the current secret to sctp_old_secret.
805 */
806 if (sctps->sctps_new_secret_interval > 0 &&
807 (sctp->sctp_last_secret_update +
808 MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) {
809 bcopy(sctp->sctp_secret, sctp->sctp_old_secret,
810 SCTP_SECRET_LEN);
811 (void) random_get_pseudo_bytes(sctp->sctp_secret,
812 SCTP_SECRET_LEN);
813 sctp->sctp_last_secret_update = nowt;
814 }
815
816 hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16,
817 (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p);
818
819 iackmp->b_wptr = iackmp->b_rptr + ipsctplen;
820 if (pad != 0)
821 bzero((iackmp->b_wptr - pad), pad);
822
823 iackmp->b_cont = errmp; /* OK if NULL */
824
825 if (is_system_labeled()) {
826 ts_label_t *effective_tsl = NULL;
827
828 ASSERT(ira->ira_tsl != NULL);
829
830 /* Discard any old label */
831 if (ixa->ixa_free_flags & IXA_FREE_TSL) {
832 ASSERT(ixa->ixa_tsl != NULL);
833 label_rele(ixa->ixa_tsl);
834 ixa->ixa_free_flags &= ~IXA_FREE_TSL;
835 }
836 ixa->ixa_tsl = ira->ira_tsl; /* A multi-level responder */
837
838 /*
839 * We need to check for label-related failures which implies
840 * an extra call to tsol_check_dest (as ip_output_simple
841 * also does a tsol_check_dest as part of computing the
842 * label for the packet, but ip_output_simple doesn't return
843 * a specific errno for that case so we can't rely on its
844 * check.)
845 */
846 if (isv4) {
847 err = tsol_check_dest(ixa->ixa_tsl, &iackiph->ipha_dst,
848 IPV4_VERSION, connp->conn_mac_mode,
849 connp->conn_zone_is_global, &effective_tsl);
850 } else {
851 err = tsol_check_dest(ixa->ixa_tsl, &iackip6h->ip6_dst,
852 IPV6_VERSION, connp->conn_mac_mode,
853 connp->conn_zone_is_global, &effective_tsl);
854 }
855 if (err != 0) {
856 sctp_send_abort(sctp, sctp_init2vtag(ch),
857 SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE,
858 ira);
859 ixa_refrele(ixa);
860 freemsg(iackmp);
861 return;
862 }
863 if (effective_tsl != NULL) {
864 /*
865 * Since ip_output_simple will redo the
866 * tsol_check_dest, we just drop the ref.
867 */
868 label_rele(effective_tsl);
869 }
870 }
871
872 BUMP_LOCAL(sctp->sctp_opkts);
873 BUMP_LOCAL(sctp->sctp_obchunks);
874
875 (void) ip_output_simple(iackmp, ixa);
876 ixa_refrele(ixa);
877 }
878
879 void
sctp_send_cookie_ack(sctp_t * sctp)880 sctp_send_cookie_ack(sctp_t *sctp)
881 {
882 sctp_chunk_hdr_t *cach;
883 mblk_t *camp;
884 sctp_stack_t *sctps = sctp->sctp_sctps;
885
886 camp = sctp_make_mp(sctp, sctp->sctp_current, sizeof (*cach));
887 if (camp == NULL) {
888 /* XXX should abort, but don't have the inmp anymore */
889 SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed);
890 return;
891 }
892
893 cach = (sctp_chunk_hdr_t *)camp->b_wptr;
894 camp->b_wptr = (uchar_t *)(cach + 1);
895 cach->sch_id = CHUNK_COOKIE_ACK;
896 cach->sch_flags = 0;
897 cach->sch_len = htons(sizeof (*cach));
898
899 BUMP_LOCAL(sctp->sctp_obchunks);
900
901 sctp_set_iplen(sctp, camp, sctp->sctp_current->sf_ixa);
902 (void) conn_ip_output(camp, sctp->sctp_current->sf_ixa);
903 BUMP_LOCAL(sctp->sctp_opkts);
904 }
905
906 static int
sctp_find_al_ind(sctp_parm_hdr_t * sph,ssize_t len,uint32_t * adaptation_code)907 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code)
908 {
909
910 if (len < sizeof (*sph))
911 return (-1);
912 while (sph != NULL) {
913 if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) &&
914 ntohs(sph->sph_len) >= (sizeof (*sph) +
915 sizeof (uint32_t))) {
916 *adaptation_code = *(uint32_t *)(sph + 1);
917 return (0);
918 }
919 sph = sctp_next_parm(sph, &len);
920 }
921 return (-1);
922 }
923
924 void
sctp_send_cookie_echo(sctp_t * sctp,sctp_chunk_hdr_t * iackch,mblk_t * iackmp,ip_recv_attr_t * ira)925 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp,
926 ip_recv_attr_t *ira)
927 {
928 mblk_t *cemp;
929 mblk_t *mp = NULL;
930 mblk_t *head;
931 mblk_t *meta;
932 sctp_faddr_t *fp;
933 sctp_chunk_hdr_t *cech;
934 sctp_init_chunk_t *iack;
935 int32_t cansend;
936 int32_t seglen;
937 size_t ceclen;
938 sctp_parm_hdr_t *cph;
939 sctp_data_hdr_t *sdc;
940 sctp_tf_t *tf;
941 int pad = 0;
942 int hdrlen;
943 mblk_t *errmp = NULL;
944 uint_t sctp_options;
945 int error;
946 uint16_t old_num_str;
947 sctp_stack_t *sctps = sctp->sctp_sctps;
948
949 iack = (sctp_init_chunk_t *)(iackch + 1);
950
951 cph = NULL;
952 if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp,
953 &pad, &sctp_options, ira) == 0) { /* result in 'pad' ignored */
954 SCTPS_BUMP_MIB(sctps, sctpAborted);
955 sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL);
956 sctp_clean_death(sctp, ECONNABORTED);
957 return;
958 }
959 ASSERT(cph != NULL);
960
961 ASSERT(sctp->sctp_cookie_mp == NULL);
962
963 /* Got a cookie to echo back; allocate an mblk */
964 ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph);
965 if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0)
966 pad = SCTP_ALIGN - pad;
967
968 if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION)
969 hdrlen = sctp->sctp_hdr_len;
970 else
971 hdrlen = sctp->sctp_hdr6_len;
972
973 cemp = allocb(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad,
974 BPRI_MED);
975 if (cemp == NULL) {
976 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
977 sctp->sctp_current->sf_rto);
978 if (errmp != NULL)
979 freeb(errmp);
980 return;
981 }
982 cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen);
983
984 /* Process the INIT ACK */
985 sctp->sctp_sctph->sh_verf = iack->sic_inittag;
986 sctp->sctp_sctph6->sh_verf = iack->sic_inittag;
987 sctp->sctp_fvtag = iack->sic_inittag;
988 sctp->sctp_ftsn = ntohl(iack->sic_inittsn);
989 sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
990 sctp->sctp_fcsn = sctp->sctp_lastacked;
991 sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd);
992
993 /*
994 * Populate sctp with addresses given in the INIT ACK or IP header.
995 * Need to set the df bit in the current fp as it has been cleared
996 * in sctp_connect().
997 */
998 sctp->sctp_current->sf_df = B_TRUE;
999 sctp->sctp_ipha->ipha_fragment_offset_and_flags |= IPH_DF_HTONS;
1000
1001 /*
1002 * Since IP uses this info during the fanout process, we need to hold
1003 * the lock for this hash line while performing this operation.
1004 */
1005 /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, connp->conn_ports); */
1006 ASSERT(sctp->sctp_conn_tfp != NULL);
1007 tf = sctp->sctp_conn_tfp;
1008 /* sctp isn't a listener so only need to hold conn fanout lock */
1009 mutex_enter(&tf->tf_lock);
1010 if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) {
1011 mutex_exit(&tf->tf_lock);
1012 freeb(cemp);
1013 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
1014 sctp->sctp_current->sf_rto);
1015 if (errmp != NULL)
1016 freeb(errmp);
1017 return;
1018 }
1019 mutex_exit(&tf->tf_lock);
1020
1021 fp = sctp->sctp_current;
1022
1023 /*
1024 * There could be a case when we get an INIT-ACK again, if the INIT
1025 * is re-transmitted, for e.g., which means we would have already
1026 * allocated this resource earlier (also for sctp_instr). In this
1027 * case we check and re-allocate, if necessary.
1028 */
1029 old_num_str = sctp->sctp_num_ostr;
1030 if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr)
1031 sctp->sctp_num_ostr = ntohs(iack->sic_instr);
1032 if (sctp->sctp_ostrcntrs == NULL) {
1033 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
1034 sctp->sctp_num_ostr, KM_NOSLEEP);
1035 } else {
1036 ASSERT(old_num_str > 0);
1037 if (old_num_str != sctp->sctp_num_ostr) {
1038 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
1039 old_num_str);
1040 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
1041 sctp->sctp_num_ostr, KM_NOSLEEP);
1042 }
1043 }
1044 if (sctp->sctp_ostrcntrs == NULL) {
1045 freeb(cemp);
1046 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
1047 if (errmp != NULL)
1048 freeb(errmp);
1049 return;
1050 }
1051
1052 /*
1053 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs
1054 * hold here too.
1055 */
1056 old_num_str = sctp->sctp_num_istr;
1057 if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr)
1058 sctp->sctp_num_istr = ntohs(iack->sic_outstr);
1059 if (sctp->sctp_instr == NULL) {
1060 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
1061 sctp->sctp_num_istr, KM_NOSLEEP);
1062 } else {
1063 ASSERT(old_num_str > 0);
1064 if (old_num_str != sctp->sctp_num_istr) {
1065 kmem_free(sctp->sctp_instr,
1066 sizeof (*sctp->sctp_instr) * old_num_str);
1067 sctp->sctp_instr = kmem_zalloc(
1068 sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr,
1069 KM_NOSLEEP);
1070 }
1071 }
1072 if (sctp->sctp_instr == NULL) {
1073 kmem_free(sctp->sctp_ostrcntrs,
1074 sizeof (uint16_t) * sctp->sctp_num_ostr);
1075 freeb(cemp);
1076 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
1077 if (errmp != NULL)
1078 freeb(errmp);
1079 return;
1080 }
1081
1082 if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware)
1083 sctp->sctp_prsctp_aware = B_FALSE;
1084
1085 if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1),
1086 ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)),
1087 &sctp->sctp_rx_adaptation_code) == 0) {
1088 sctp->sctp_recv_adaptation = 1;
1089 }
1090
1091 cech = (sctp_chunk_hdr_t *)cemp->b_rptr;
1092 ASSERT(OK_32PTR(cech));
1093 cech->sch_id = CHUNK_COOKIE;
1094 cech->sch_flags = 0;
1095 cech->sch_len = htons(ceclen);
1096
1097 /* Copy the cookie (less the parm hdr) to the chunk */
1098 bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph));
1099
1100 cemp->b_wptr = cemp->b_rptr + ceclen;
1101
1102 if (sctp->sctp_unsent > 0) {
1103 sctp_msg_hdr_t *smh;
1104 mblk_t *prev = NULL;
1105 uint32_t unsent = 0;
1106
1107 mp = sctp->sctp_xmit_unsent;
1108 do {
1109 smh = (sctp_msg_hdr_t *)mp->b_rptr;
1110 if (smh->smh_sid >= sctp->sctp_num_ostr) {
1111 unsent += smh->smh_msglen;
1112 if (prev != NULL)
1113 prev->b_next = mp->b_next;
1114 else
1115 sctp->sctp_xmit_unsent = mp->b_next;
1116 mp->b_next = NULL;
1117 sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID,
1118 B_FALSE);
1119 if (prev != NULL)
1120 mp = prev->b_next;
1121 else
1122 mp = sctp->sctp_xmit_unsent;
1123 } else {
1124 prev = mp;
1125 mp = mp->b_next;
1126 }
1127 } while (mp != NULL);
1128 if (unsent > 0) {
1129 ASSERT(sctp->sctp_unsent >= unsent);
1130 sctp->sctp_unsent -= unsent;
1131 /*
1132 * Update ULP the amount of queued data, which is
1133 * sent-unack'ed + unsent.
1134 * This is not necessary, but doesn't harm, we
1135 * just use unsent instead of sent-unack'ed +
1136 * unsent, since there won't be any sent-unack'ed
1137 * here.
1138 */
1139 if (!SCTP_IS_DETACHED(sctp))
1140 SCTP_TXQ_UPDATE(sctp);
1141 }
1142 if (sctp->sctp_xmit_unsent == NULL)
1143 sctp->sctp_xmit_unsent_tail = NULL;
1144 }
1145 ceclen += pad;
1146 cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd);
1147 meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen,
1148 cansend, NULL);
1149 /*
1150 * The error cannot be anything else since we could have an non-zero
1151 * error only if sctp_get_msg_to_send() tries to send a Forward
1152 * TSN which will not happen here.
1153 */
1154 ASSERT(error == 0);
1155 if (meta == NULL)
1156 goto sendcookie;
1157 sctp->sctp_xmit_tail = meta;
1158 sdc = (sctp_data_hdr_t *)mp->b_rptr;
1159 seglen = ntohs(sdc->sdh_len);
1160 if ((ceclen + seglen) > fp->sf_pmss ||
1161 (seglen - sizeof (*sdc)) > cansend) {
1162 goto sendcookie;
1163 }
1164 /* OK, if this fails */
1165 cemp->b_cont = dupmsg(mp);
1166 sendcookie:
1167 head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL);
1168 if (head == NULL) {
1169 freemsg(cemp);
1170 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
1171 if (errmp != NULL)
1172 freeb(errmp);
1173 SCTP_KSTAT(sctps, sctp_send_cookie_failed);
1174 return;
1175 }
1176 /*
1177 * Even if cookie-echo exceeds MTU for one of the hops, it'll
1178 * have a chance of getting there.
1179 */
1180 if (fp->sf_isv4) {
1181 ipha_t *iph = (ipha_t *)head->b_rptr;
1182 iph->ipha_fragment_offset_and_flags = 0;
1183 }
1184 BUMP_LOCAL(sctp->sctp_obchunks);
1185
1186 sctp->sctp_cookie_mp = dupmsg(head);
1187 /* Don't bundle, we will just resend init if this cookie is lost. */
1188 if (sctp->sctp_cookie_mp == NULL) {
1189 if (cemp->b_cont != NULL) {
1190 freemsg(cemp->b_cont);
1191 cemp->b_cont = NULL;
1192 }
1193 } else if (cemp->b_cont != NULL) {
1194 ASSERT(mp != NULL && mp == meta->b_cont);
1195 SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont);
1196 cemp->b_wptr += pad;
1197 seglen -= sizeof (*sdc);
1198 SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta);
1199 }
1200 if (errmp != NULL) {
1201 if (cemp->b_cont == NULL)
1202 cemp->b_wptr += pad;
1203 linkb(head, errmp);
1204 }
1205 sctp->sctp_state = SCTPS_COOKIE_ECHOED;
1206 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
1207
1208 sctp_set_iplen(sctp, head, fp->sf_ixa);
1209 (void) conn_ip_output(head, fp->sf_ixa);
1210 BUMP_LOCAL(sctp->sctp_opkts);
1211 }
1212
1213 int
sctp_process_cookie(sctp_t * sctp,sctp_chunk_hdr_t * ch,mblk_t * cmp,sctp_init_chunk_t ** iackpp,sctp_hdr_t * insctph,int * recv_adaptation,in6_addr_t * peer_addr,ip_recv_attr_t * ira)1214 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
1215 sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaptation,
1216 in6_addr_t *peer_addr, ip_recv_attr_t *ira)
1217 {
1218 int32_t clen;
1219 size_t initplen;
1220 uchar_t *p;
1221 uchar_t *given_hash;
1222 uchar_t needed_hash[16];
1223 int64_t ts;
1224 int64_t diff;
1225 uint32_t *lt;
1226 sctp_init_chunk_t *iack;
1227 sctp_chunk_hdr_t *initch;
1228 sctp_init_chunk_t *init;
1229 uint32_t *lttag;
1230 uint32_t *fttag;
1231 uint32_t ports;
1232 sctp_stack_t *sctps = sctp->sctp_sctps;
1233 conn_t *connp = sctp->sctp_connp;
1234
1235 BUMP_LOCAL(sctp->sctp_ibchunks);
1236 /* Verify the ICV */
1237 clen = ntohs(ch->sch_len) - sizeof (*ch) - 16;
1238 if (clen < 0) {
1239 dprint(1, ("invalid cookie chunk length %d\n",
1240 ntohs(ch->sch_len)));
1241
1242 return (-1);
1243 }
1244 p = (uchar_t *)(ch + 1);
1245
1246 hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN,
1247 needed_hash);
1248
1249 /* The given hash follows the cookie data */
1250 given_hash = p + clen;
1251
1252 if (bcmp(given_hash, needed_hash, 16) != 0) {
1253 /* The secret may have changed; try the old secret */
1254 hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret,
1255 SCTP_SECRET_LEN, needed_hash);
1256 if (bcmp(given_hash, needed_hash, 16) != 0) {
1257 return (-1);
1258 }
1259 }
1260
1261 /* Timestamp is int64_t, and we only guarantee 32-bit alignment */
1262 bcopy(p, &ts, sizeof (ts));
1263 /* Cookie life time, uint32_t */
1264 lt = (uint32_t *)(p + sizeof (ts));
1265
1266 /*
1267 * To quote PRC, "this is our baby", so let's continue.
1268 * We need to pull out the encapsulated INIT ACK and
1269 * INIT chunks. Note that we don't process these until
1270 * we have verified the timestamp, but we need them before
1271 * processing the timestamp since if the time check fails,
1272 * we need to get the verification tag from the INIT in order
1273 * to send a stale cookie error.
1274 */
1275 lttag = (uint32_t *)(lt + 1);
1276 fttag = lttag + 1;
1277 if (peer_addr != NULL)
1278 bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t));
1279 iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t));
1280 initch = (sctp_chunk_hdr_t *)(iack + 1);
1281 init = (sctp_init_chunk_t *)(initch + 1);
1282 initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch));
1283 *iackpp = iack;
1284 *recv_adaptation = 0;
1285
1286 /*
1287 * Check the staleness of the Cookie, specified in 3.3.10.3 of
1288 * RFC 2960.
1289 *
1290 * The mesaure of staleness is the difference, in microseconds,
1291 * between the current time and the time the State Cookie expires.
1292 * So it is lbolt64 - (ts + *lt). If it is positive, it means
1293 * that the Cookie has expired.
1294 */
1295 diff = LBOLT_FASTPATH64 - (ts + *lt);
1296 if (diff > 0 && (init->sic_inittag != sctp->sctp_fvtag ||
1297 iack->sic_inittag != sctp->sctp_lvtag)) {
1298 uint32_t staleness;
1299
1300 staleness = TICK_TO_USEC(diff);
1301 staleness = htonl(staleness);
1302 sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE,
1303 (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE,
1304 ira);
1305
1306 dprint(1, ("stale cookie %d\n", staleness));
1307
1308 return (-1);
1309 }
1310
1311 /* Check for attack by adding addresses to a restart */
1312 bcopy(insctph, &ports, sizeof (ports));
1313 if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP,
1314 sctps, ira) != 1) {
1315 return (-1);
1316 }
1317
1318 /* Look for adaptation code if there any parms in the INIT chunk */
1319 if ((initplen >= sizeof (sctp_parm_hdr_t)) &&
1320 (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen,
1321 &sctp->sctp_rx_adaptation_code) == 0)) {
1322 *recv_adaptation = 1;
1323 }
1324
1325 /* Examine tie-tags */
1326
1327 if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) {
1328 if (sctp->sctp_state == SCTPS_ESTABLISHED &&
1329 init->sic_inittag == sctp->sctp_fvtag &&
1330 iack->sic_inittag == sctp->sctp_lvtag &&
1331 *fttag == 0 && *lttag == 0) {
1332
1333 dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n",
1334 SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1335 (int)(connp->conn_fport)));
1336 return (-1);
1337 }
1338
1339 if (init->sic_inittag != sctp->sctp_fvtag &&
1340 iack->sic_inittag != sctp->sctp_lvtag &&
1341 *fttag == sctp->sctp_fvtag &&
1342 *lttag == sctp->sctp_lvtag) {
1343 int i;
1344
1345 /* Section 5.2.4 case A: restart */
1346 sctp->sctp_fvtag = init->sic_inittag;
1347 sctp->sctp_lvtag = iack->sic_inittag;
1348
1349 sctp->sctp_sctph->sh_verf = init->sic_inittag;
1350 sctp->sctp_sctph6->sh_verf = init->sic_inittag;
1351
1352 sctp->sctp_ftsn = ntohl(init->sic_inittsn);
1353 sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
1354 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
1355 sctp->sctp_fcsn = sctp->sctp_lastacked;
1356
1357 if (sctp->sctp_state < SCTPS_ESTABLISHED)
1358 SCTP_ASSOC_EST(sctps, sctp);
1359
1360 dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n",
1361 SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1362 (int)(connp->conn_fport)));
1363 /* reset parameters */
1364 sctp_congest_reset(sctp);
1365
1366 /* reset stream bookkeeping */
1367 sctp_instream_cleanup(sctp, B_FALSE);
1368
1369 sctp->sctp_istr_nmsgs = 0;
1370 sctp->sctp_rxqueued = 0;
1371 for (i = 0; i < sctp->sctp_num_ostr; i++) {
1372 sctp->sctp_ostrcntrs[i] = 0;
1373 }
1374 /* XXX flush xmit_list? */
1375
1376 return (0);
1377 } else if (init->sic_inittag != sctp->sctp_fvtag &&
1378 iack->sic_inittag == sctp->sctp_lvtag) {
1379
1380 /* Section 5.2.4 case B: INIT collision */
1381 if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1382 if (!sctp_initialize_params(sctp, init, iack))
1383 return (-1); /* Drop? */
1384 SCTP_ASSOC_EST(sctps, sctp);
1385 }
1386
1387 dprint(1, ("init collision with %x:%x:%x:%x (%d)\n",
1388 SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1389 (int)(connp->conn_fport)));
1390
1391 return (0);
1392 } else if (iack->sic_inittag != sctp->sctp_lvtag &&
1393 init->sic_inittag == sctp->sctp_fvtag &&
1394 *fttag == 0 && *lttag == 0) {
1395
1396 /* Section 5.2.4 case C: late COOKIE */
1397 dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n",
1398 SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1399 (int)(connp->conn_fport)));
1400 return (-1);
1401 } else if (init->sic_inittag == sctp->sctp_fvtag &&
1402 iack->sic_inittag == sctp->sctp_lvtag) {
1403
1404 /*
1405 * Section 5.2.4 case D: COOKIE ECHO retransmit
1406 * Don't check cookie lifetime
1407 */
1408 dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n",
1409 SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1410 (int)(connp->conn_fport)));
1411 if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1412 if (!sctp_initialize_params(sctp, init, iack))
1413 return (-1); /* Drop? */
1414 SCTP_ASSOC_EST(sctps, sctp);
1415 }
1416 return (0);
1417 } else {
1418 /* unrecognized case -- silently drop it */
1419 return (-1);
1420 }
1421 }
1422
1423 return (0);
1424 }
1425
1426 /*
1427 * Similar to ip_fanout_sctp, except that the src addr(s) are drawn
1428 * from address parameters in an INIT ACK's address list. This
1429 * function is used when an INIT ACK is received but IP's fanout
1430 * function could not find a sctp via the normal lookup routine.
1431 * This can happen when a host sends an INIT ACK from a different
1432 * address than the INIT was sent to.
1433 *
1434 * Returns the sctp_t if found, or NULL if not found.
1435 */
1436 sctp_t *
sctp_addrlist2sctp(mblk_t * mp,sctp_hdr_t * sctph,sctp_chunk_hdr_t * ich,zoneid_t zoneid,sctp_stack_t * sctps)1437 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich,
1438 zoneid_t zoneid, sctp_stack_t *sctps)
1439 {
1440 int isv4;
1441 ipha_t *iph;
1442 ip6_t *ip6h;
1443 in6_addr_t dst;
1444 in6_addr_t src, *srcp = &src;
1445 sctp_parm_hdr_t *ph;
1446 ssize_t remaining;
1447 sctp_init_chunk_t *iack;
1448 uint32_t ports;
1449 sctp_t *sctp = NULL;
1450
1451 ASSERT(ich->sch_id == CHUNK_INIT_ACK);
1452
1453 isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
1454 if (isv4) {
1455 iph = (ipha_t *)mp->b_rptr;
1456 IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst);
1457 } else {
1458 ip6h = (ip6_t *)mp->b_rptr;
1459 dst = ip6h->ip6_dst;
1460 }
1461
1462 ports = *(uint32_t *)sctph;
1463
1464 dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n",
1465 ports, SCTP_PRINTADDR(dst)));
1466
1467 /* pull out any address parameters */
1468 remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack);
1469 if (remaining < sizeof (*ph)) {
1470 return (NULL);
1471 }
1472
1473 iack = (sctp_init_chunk_t *)(ich + 1);
1474 ph = (sctp_parm_hdr_t *)(iack + 1);
1475
1476 while (ph != NULL) {
1477 /*
1478 * params have been verified in sctp_check_input(),
1479 * so no need to do it again here.
1480 *
1481 * For labeled systems, there's no need to check the
1482 * label here. It's known to be good as we checked
1483 * before allowing the connection to become bound.
1484 *
1485 * According to RFC4960 :
1486 * All integer fields in an SCTP packet MUST be transmitted
1487 * in network byte order, unless otherwise stated.
1488 * Therefore convert the param type to network byte order.
1489 */
1490 if (ph->sph_type == htons(PARM_ADDR4)) {
1491 IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1),
1492 srcp);
1493
1494 sctp = sctp_conn_match(&srcp, 1, &dst, ports, zoneid,
1495 0, sctps);
1496
1497 dprint(1,
1498 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1499 SCTP_PRINTADDR(src), (void *)sctp));
1500
1501
1502 if (sctp != NULL) {
1503 return (sctp);
1504 }
1505 } else if (ph->sph_type == htons(PARM_ADDR6)) {
1506 srcp = (in6_addr_t *)(ph + 1);
1507 sctp = sctp_conn_match(&srcp, 1, &dst, ports, zoneid,
1508 0, sctps);
1509
1510 dprint(1,
1511 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1512 SCTP_PRINTADDR(src), (void *)sctp));
1513
1514 if (sctp != NULL) {
1515 return (sctp);
1516 }
1517 }
1518
1519 ph = sctp_next_parm(ph, &remaining);
1520 }
1521
1522 return (NULL);
1523 }
1524