1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/types.h> 30 #include <sys/systm.h> 31 #include <sys/stream.h> 32 #include <sys/cmn_err.h> 33 #include <sys/md5.h> 34 #include <sys/kmem.h> 35 #include <sys/strsubr.h> 36 #include <sys/random.h> 37 #include <sys/tsol/tnet.h> 38 39 #include <netinet/in.h> 40 #include <netinet/ip6.h> 41 42 #include <inet/common.h> 43 #include <inet/ip.h> 44 #include <inet/ip6.h> 45 #include <inet/sctp_ip.h> 46 #include <inet/ipclassifier.h> 47 #include "sctp_impl.h" 48 49 /* 50 * Helper function for SunCluster (PSARC/2005/602) to get the original source 51 * address from the COOKIE 52 */ 53 int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *); 54 55 /* 56 * From RFC 2104. This should probably go into libmd5 (and while 57 * we're at it, maybe we should make a libdigest so we can later 58 * add SHA1 and others, esp. since some weaknesses have been found 59 * with MD5). 60 * 61 * text IN pointer to data stream 62 * text_len IN length of data stream 63 * key IN pointer to authentication key 64 * key_len IN length of authentication key 65 * digest OUT caller digest to be filled in 66 */ 67 static void 68 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len, 69 uchar_t *digest) 70 { 71 MD5_CTX context; 72 uchar_t k_ipad[65]; /* inner padding - key XORd with ipad */ 73 uchar_t k_opad[65]; /* outer padding - key XORd with opad */ 74 uchar_t tk[16]; 75 int i; 76 77 /* if key is longer than 64 bytes reset it to key=MD5(key) */ 78 if (key_len > 64) { 79 MD5_CTX tctx; 80 81 MD5Init(&tctx); 82 MD5Update(&tctx, key, key_len); 83 MD5Final(tk, &tctx); 84 85 key = tk; 86 key_len = 16; 87 } 88 89 /* 90 * the HMAC_MD5 transform looks like: 91 * 92 * MD5(K XOR opad, MD5(K XOR ipad, text)) 93 * 94 * where K is an n byte key 95 * ipad is the byte 0x36 repeated 64 times 96 * opad is the byte 0x5c repeated 64 times 97 * and text is the data being protected 98 */ 99 100 /* start out by storing key in pads */ 101 bzero(k_ipad, sizeof (k_ipad)); 102 bzero(k_opad, sizeof (k_opad)); 103 bcopy(key, k_ipad, key_len); 104 bcopy(key, k_opad, key_len); 105 106 /* XOR key with ipad and opad values */ 107 for (i = 0; i < 64; i++) { 108 k_ipad[i] ^= 0x36; 109 k_opad[i] ^= 0x5c; 110 } 111 /* 112 * perform inner MD5 113 */ 114 MD5Init(&context); /* init context for 1st */ 115 /* pass */ 116 MD5Update(&context, k_ipad, 64); /* start with inner pad */ 117 MD5Update(&context, text, text_len); /* then text of datagram */ 118 MD5Final(digest, &context); /* finish up 1st pass */ 119 /* 120 * perform outer MD5 121 */ 122 MD5Init(&context); /* init context for 2nd */ 123 /* pass */ 124 MD5Update(&context, k_opad, 64); /* start with outer pad */ 125 MD5Update(&context, digest, 16); /* then results of 1st */ 126 /* hash */ 127 MD5Final(digest, &context); /* finish up 2nd pass */ 128 } 129 130 /* 131 * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP 132 * info in initmp to send the abort. Otherwise, no abort will be sent. 133 * If errmp is non-NULL, a chain of unrecognized parameters will 134 * be created and returned via *errmp. 135 * 136 * Returns 1 if the parameters are OK (or there are no parameters), or 137 * 0 if not. 138 */ 139 static int 140 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch, 141 sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie, 142 mblk_t **errmp, int *supp_af, uint_t *sctp_options) 143 { 144 sctp_parm_hdr_t *cph; 145 sctp_init_chunk_t *ic; 146 ssize_t remaining; 147 uint16_t serror = 0; 148 char *details = NULL; 149 size_t errlen = 0; 150 boolean_t got_cookie = B_FALSE; 151 uint16_t ptype; 152 153 if (sctp_options != NULL) 154 *sctp_options = 0; 155 156 /* First validate stream parameters */ 157 if (init->sic_instr == 0 || init->sic_outstr == 0) { 158 serror = SCTP_ERR_BAD_MANDPARM; 159 dprint(1, 160 ("validate_init_params: bad sid, is=%d os=%d\n", 161 htons(init->sic_instr), htons(init->sic_outstr))); 162 goto abort; 163 } 164 if (ntohl(init->sic_inittag) == 0) { 165 serror = SCTP_ERR_BAD_MANDPARM; 166 dprint(1, ("validate_init_params: inittag = 0\n")); 167 goto abort; 168 } 169 170 remaining = ntohs(ch->sch_len) - sizeof (*ch); 171 ic = (sctp_init_chunk_t *)(ch + 1); 172 remaining -= sizeof (*ic); 173 if (remaining < sizeof (*cph)) { 174 /* Nothing to validate */ 175 if (want_cookie != NULL) 176 goto cookie_abort; 177 return (1); 178 } 179 180 cph = (sctp_parm_hdr_t *)(ic + 1); 181 182 while (cph != NULL) { 183 ptype = ntohs(cph->sph_type); 184 switch (ptype) { 185 case PARM_HBINFO: 186 case PARM_UNRECOGNIZED: 187 case PARM_ECN: 188 /* just ignore them */ 189 break; 190 case PARM_FORWARD_TSN: 191 if (sctp_options != NULL) 192 *sctp_options |= SCTP_PRSCTP_OPTION; 193 break; 194 case PARM_COOKIE: 195 got_cookie = B_TRUE; 196 if (want_cookie != NULL) { 197 *want_cookie = cph; 198 } 199 break; 200 case PARM_ADDR4: 201 *supp_af |= PARM_SUPP_V4; 202 break; 203 case PARM_ADDR6: 204 *supp_af |= PARM_SUPP_V6; 205 break; 206 case PARM_COOKIE_PRESERVE: 207 case PARM_ADAPT_LAYER_IND: 208 /* These are OK */ 209 break; 210 case PARM_ADDR_HOST_NAME: 211 /* Don't support this; abort the association */ 212 serror = SCTP_ERR_BAD_ADDR; 213 details = (char *)cph; 214 errlen = ntohs(cph->sph_len); 215 dprint(1, ("sctp:validate_init_params: host addr\n")); 216 goto abort; 217 case PARM_SUPP_ADDRS: { 218 /* Make sure we have a supported addr intersection */ 219 uint16_t *p, addrtype; 220 int plen; 221 222 plen = ntohs(cph->sph_len); 223 p = (uint16_t *)(cph + 1); 224 while (plen > 0) { 225 addrtype = ntohs(*p); 226 switch (addrtype) { 227 case PARM_ADDR6: 228 *supp_af |= PARM_SUPP_V6; 229 break; 230 case PARM_ADDR4: 231 *supp_af |= PARM_SUPP_V4; 232 break; 233 default: 234 /* 235 * Do nothing, silently ignore hostname 236 * address. 237 */ 238 break; 239 } 240 p++; 241 plen -= sizeof (*p); 242 } 243 break; 244 } 245 default: 246 /* Unrecognized param; check the high order bits */ 247 if ((ptype & 0xc000) == 0xc000) { 248 /* 249 * report unrecognized param, and 250 * keep processing 251 */ 252 if (errmp != NULL) { 253 if (want_cookie != NULL) { 254 *errmp = sctp_make_err(sctp, 255 PARM_UNRECOGNIZED, 256 (void *)cph, 257 ntohs(cph->sph_len)); 258 } else { 259 sctp_add_unrec_parm(cph, errmp); 260 } 261 } 262 break; 263 } 264 if (ptype & 0x4000) { 265 /* 266 * Stop processing and drop; report 267 * unrecognized param 268 */ 269 serror = SCTP_ERR_UNREC_PARM; 270 details = (char *)cph; 271 errlen = ntohs(cph->sph_len); 272 goto abort; 273 } 274 if (ptype & 0x8000) { 275 /* skip and continue processing */ 276 break; 277 } 278 279 /* 280 * 2 high bits are clear; stop processing and 281 * drop packet 282 */ 283 return (0); 284 } 285 286 cph = sctp_next_parm(cph, &remaining); 287 } 288 /* 289 * Some sanity checks. The following should not fail unless the 290 * other side is broken. 291 * 292 * 1. If this is a V4 endpoint but V4 address is not 293 * supported, abort. 294 * 2. If this is a V6 only endpoint but V6 address is 295 * not supported, abort. This assumes that a V6 296 * endpoint can use both V4 and V6 addresses. 297 * We only care about supp_af when processing INIT, i.e want_cookie 298 * is NULL. 299 */ 300 if (want_cookie == NULL && 301 ((sctp->sctp_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) || 302 (sctp->sctp_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) && 303 sctp->sctp_connp->conn_ipv6_v6only))) { 304 dprint(1, ("sctp:validate_init_params: supp addr\n")); 305 serror = SCTP_ERR_BAD_ADDR; 306 goto abort; 307 } 308 309 if (want_cookie != NULL && !got_cookie) { 310 cookie_abort: 311 dprint(1, ("validate_init_params: cookie absent\n")); 312 sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM, 313 details, errlen, inmp, 0, B_FALSE); 314 return (0); 315 } 316 317 /* OK */ 318 return (1); 319 320 abort: 321 if (want_cookie != NULL) 322 return (0); 323 324 sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details, 325 errlen, inmp, 0, B_FALSE); 326 return (0); 327 } 328 329 /* 330 * Initialize params from the INIT and INIT-ACK when the assoc. is 331 * established. 332 */ 333 boolean_t 334 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init, 335 sctp_init_chunk_t *iack) 336 { 337 /* Get initial TSN */ 338 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 339 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 340 341 /* Serial number is initialized to the same value as the TSN */ 342 sctp->sctp_fcsn = sctp->sctp_lastacked; 343 344 /* 345 * Get verification tags; no byteordering is necessary, since 346 * verfication tags are never processed except for byte-by-byte 347 * comparisons. 348 */ 349 sctp->sctp_fvtag = init->sic_inittag; 350 sctp->sctp_sctph->sh_verf = init->sic_inittag; 351 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 352 sctp->sctp_lvtag = iack->sic_inittag; 353 354 /* Get the peer's rwnd */ 355 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 356 357 /* Allocate the in/out-stream counters */ 358 sctp->sctp_num_ostr = iack->sic_outstr; 359 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 360 sctp->sctp_num_ostr, KM_NOSLEEP); 361 if (sctp->sctp_ostrcntrs == NULL) 362 return (B_FALSE); 363 364 sctp->sctp_num_istr = iack->sic_instr; 365 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 366 sctp->sctp_num_istr, KM_NOSLEEP); 367 if (sctp->sctp_instr == NULL) { 368 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 369 sctp->sctp_num_ostr); 370 sctp->sctp_ostrcntrs = NULL; 371 return (B_FALSE); 372 } 373 return (B_TRUE); 374 } 375 376 /* 377 * Copy the peer's original source address into addr. This relies on the 378 * following format (see sctp_send_initack() below): 379 * relative timestamp for the cookie (int64_t) + 380 * cookie lifetime (uint32_t) + 381 * local tie-tag (uint32_t) + peer tie-tag (uint32_t) + 382 * Peer's original src ... 383 */ 384 int 385 cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr) 386 { 387 uchar_t *off; 388 389 ASSERT(addr != NULL); 390 391 if (ch->sch_id != CHUNK_COOKIE) 392 return (EINVAL); 393 394 off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) + 395 sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t); 396 397 bcopy(off, addr, sizeof (*addr)); 398 399 return (0); 400 } 401 402 #define SCTP_CALC_COOKIE_LEN(initcp) \ 403 sizeof (int64_t) + /* timestamp */ \ 404 sizeof (uint32_t) + /* cookie lifetime */ \ 405 sizeof (sctp_init_chunk_t) + /* INIT ACK */ \ 406 sizeof (in6_addr_t) + /* peer's original source */ \ 407 ntohs((initcp)->sch_len) + /* peer's INIT */ \ 408 sizeof (uint32_t) + /* local tie-tag */ \ 409 sizeof (uint32_t) + /* peer tie-tag */ \ 410 sizeof (sctp_parm_hdr_t) + /* param header */ \ 411 16 /* MD5 hash */ 412 413 void 414 sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch, 415 mblk_t *initmp) 416 { 417 ipha_t *initiph; 418 ip6_t *initip6h; 419 ipha_t *iackiph; 420 ip6_t *iackip6h; 421 sctp_chunk_hdr_t *iack_ch; 422 sctp_init_chunk_t *iack; 423 sctp_init_chunk_t *init; 424 sctp_hdr_t *iacksh; 425 size_t cookielen; 426 size_t iacklen; 427 size_t ipsctplen; 428 size_t errlen = 0; 429 sctp_parm_hdr_t *cookieph; 430 mblk_t *iackmp; 431 uint32_t itag; 432 uint32_t itsn; 433 int64_t *now; 434 int64_t nowt; 435 uint32_t *lifetime; 436 char *p; 437 boolean_t isv4; 438 int supp_af = 0; 439 uint_t sctp_options; 440 uint32_t *ttag; 441 int pad; 442 mblk_t *errmp = NULL; 443 boolean_t initcollision = B_FALSE; 444 boolean_t linklocal = B_FALSE; 445 cred_t *cr; 446 ts_label_t *initlabel; 447 sctp_stack_t *sctps = sctp->sctp_sctps; 448 449 BUMP_LOCAL(sctp->sctp_ibchunks); 450 isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION); 451 452 /* Extract the INIT chunk */ 453 if (isv4) { 454 initiph = (ipha_t *)initmp->b_rptr; 455 ipsctplen = sctp->sctp_ip_hdr_len; 456 supp_af |= PARM_SUPP_V4; 457 } else { 458 initip6h = (ip6_t *)initmp->b_rptr; 459 ipsctplen = sctp->sctp_ip_hdr6_len; 460 if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src)) 461 linklocal = B_TRUE; 462 supp_af |= PARM_SUPP_V6; 463 } 464 ASSERT(OK_32PTR(initsh)); 465 init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch)); 466 467 /* Make sure we like the peer's parameters */ 468 if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp, 469 &supp_af, &sctp_options) == 0) { 470 return; 471 } 472 if (errmp != NULL) 473 errlen = msgdsize(errmp); 474 if (sctp->sctp_family == AF_INET) { 475 /* 476 * Irregardless of the supported address in the INIT, v4 477 * must be supported. 478 */ 479 supp_af = PARM_SUPP_V4; 480 } 481 if (sctp->sctp_state <= SCTPS_LISTEN) { 482 /* normal, expected INIT: generate new vtag and itsn */ 483 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 484 if (itag == 0) 485 itag = (uint32_t)gethrtime(); 486 itsn = itag + 1; 487 itag = htonl(itag); 488 } else if (sctp->sctp_state == SCTPS_COOKIE_WAIT || 489 sctp->sctp_state == SCTPS_COOKIE_ECHOED) { 490 /* init collision; copy vtag and itsn from sctp */ 491 itag = sctp->sctp_lvtag; 492 itsn = sctp->sctp_ltsn; 493 /* 494 * In addition we need to send all the params that was sent 495 * in our INIT chunk. Essentially, it is only the supported 496 * address params that we need to add. 497 */ 498 initcollision = B_TRUE; 499 /* 500 * When we sent the INIT, we should have set linklocal in 501 * the sctp which should be good enough. 502 */ 503 if (linklocal) 504 linklocal = B_FALSE; 505 } else { 506 /* peer restart; generate new vtag but keep everything else */ 507 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 508 if (itag == 0) 509 itag = (uint32_t)gethrtime(); 510 itag = htonl(itag); 511 itsn = sctp->sctp_ltsn; 512 } 513 514 /* 515 * Allocate a mblk for the INIT ACK, consisting of the link layer 516 * header, the IP header, the SCTP common header, and INIT ACK chunk, 517 * and finally the COOKIE parameter. 518 */ 519 cookielen = SCTP_CALC_COOKIE_LEN(ch); 520 iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen; 521 if (sctp->sctp_send_adaption) 522 iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t)); 523 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 524 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) { 525 iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION); 526 } 527 if (initcollision) 528 iacklen += sctp_supaddr_param_len(sctp); 529 if (!linklocal) 530 iacklen += sctp_addr_params_len(sctp, supp_af, B_FALSE); 531 ipsctplen += sizeof (*iacksh) + iacklen; 532 iacklen += errlen; 533 if ((pad = ipsctplen % 4) != 0) { 534 pad = 4 - pad; 535 ipsctplen += pad; 536 } 537 538 /* 539 * If the listen socket is bound to a trusted extensions 540 * multi-label port, attach a copy of the listener's cred 541 * to the new INITACK mblk. Modify the cred to contain 542 * the security label of the received INIT packet. 543 * If not a multi-label port, attach the unmodified 544 * listener's cred directly. 545 * 546 * We expect Sun developed kernel modules to properly set 547 * cred labels for sctp connections. We can't be so sure this 548 * will be done correctly when 3rd party kernel modules 549 * directly use sctp. The initlabel panic guard logic was 550 * added to cover this possibility. 551 */ 552 if (sctp->sctp_connp->conn_mlp_type != mlptSingle) { 553 initlabel = MBLK_GETLABEL(initmp); 554 if (initlabel == NULL) { 555 sctp_send_abort(sctp, sctp_init2vtag(ch), 556 SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0, B_FALSE); 557 return; 558 } 559 cr = copycred_from_bslabel(CONN_CRED(sctp->sctp_connp), 560 &initlabel->tsl_label, initlabel->tsl_doi, KM_NOSLEEP); 561 if (cr == NULL) { 562 sctp_send_abort(sctp, sctp_init2vtag(ch), 563 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 564 return; 565 } 566 iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra, cr); 567 crfree(cr); 568 } else { 569 iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra, 570 CONN_CRED(sctp->sctp_connp)); 571 } 572 if (iackmp == NULL) { 573 sctp_send_abort(sctp, sctp_init2vtag(ch), 574 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 575 return; 576 } 577 578 /* Copy in the [imcomplete] IP/SCTP composite header */ 579 p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra); 580 iackmp->b_rptr = (uchar_t *)p; 581 if (isv4) { 582 bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len); 583 iackiph = (ipha_t *)p; 584 585 /* Copy the peer's IP addr */ 586 iackiph->ipha_dst = initiph->ipha_src; 587 iackiph->ipha_src = initiph->ipha_dst; 588 iackiph->ipha_length = htons(ipsctplen + errlen); 589 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len); 590 } else { 591 bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len); 592 iackip6h = (ip6_t *)p; 593 594 /* Copy the peer's IP addr */ 595 iackip6h->ip6_dst = initip6h->ip6_src; 596 iackip6h->ip6_src = initip6h->ip6_dst; 597 iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) + 598 errlen); 599 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len); 600 } 601 ASSERT(OK_32PTR(iacksh)); 602 603 /* Fill in the holes in the SCTP common header */ 604 iacksh->sh_sport = initsh->sh_dport; 605 iacksh->sh_dport = initsh->sh_sport; 606 iacksh->sh_verf = init->sic_inittag; 607 608 /* INIT ACK chunk header */ 609 iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1); 610 iack_ch->sch_id = CHUNK_INIT_ACK; 611 iack_ch->sch_flags = 0; 612 iack_ch->sch_len = htons(iacklen); 613 614 /* The INIT ACK itself */ 615 iack = (sctp_init_chunk_t *)(iack_ch + 1); 616 iack->sic_inittag = itag; /* already in network byteorder */ 617 iack->sic_inittsn = htonl(itsn); 618 619 iack->sic_a_rwnd = htonl(sctp->sctp_rwnd); 620 /* Advertise what we would want to have as stream #'s */ 621 iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr, 622 ntohs(init->sic_instr))); 623 iack->sic_instr = htons(sctp->sctp_num_istr); 624 625 p = (char *)(iack + 1); 626 p += sctp_adaption_code_param(sctp, (uchar_t *)p); 627 if (initcollision) 628 p += sctp_supaddr_param(sctp, (uchar_t *)p); 629 if (!linklocal) 630 p += sctp_addr_params(sctp, supp_af, (uchar_t *)p); 631 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 632 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) { 633 p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION); 634 } 635 /* 636 * Generate and lay in the COOKIE parameter. 637 * 638 * Any change here that results in a change of location for 639 * the peer's orig source address must be propagated to the fn 640 * cl_sctp_cookie_paddr() above. 641 * 642 * The cookie consists of: 643 * 1. The relative timestamp for the cookie (lbolt64) 644 * 2. The cookie lifetime (uint32_t) in tick 645 * 3. The local tie-tag 646 * 4. The peer tie-tag 647 * 5. Peer's original src, used to confirm the validity of address. 648 * 6. Our INIT ACK chunk, less any parameters 649 * 7. The INIT chunk (may contain parameters) 650 * 8. 128-bit MD5 signature. 651 * 652 * Since the timestamp values will only be evaluated locally, we 653 * don't need to worry about byte-ordering them. 654 */ 655 cookieph = (sctp_parm_hdr_t *)p; 656 cookieph->sph_type = htons(PARM_COOKIE); 657 cookieph->sph_len = htons(cookielen); 658 659 /* timestamp */ 660 now = (int64_t *)(cookieph + 1); 661 nowt = lbolt64; 662 bcopy(&nowt, now, sizeof (*now)); 663 664 /* cookie lifetime -- need configuration */ 665 lifetime = (uint32_t *)(now + 1); 666 *lifetime = sctp->sctp_cookie_lifetime; 667 668 /* Set the tie-tags */ 669 ttag = (uint32_t *)(lifetime + 1); 670 if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) { 671 *ttag = 0; 672 ttag++; 673 *ttag = 0; 674 ttag++; 675 } else { 676 /* local tie-tag (network byte-order) */ 677 *ttag = sctp->sctp_lvtag; 678 ttag++; 679 /* peer tie-tag (network byte-order) */ 680 *ttag = sctp->sctp_fvtag; 681 ttag++; 682 } 683 /* 684 * Copy in peer's original source address so that we can confirm 685 * the reachability later. 686 */ 687 p = (char *)ttag; 688 if (isv4) { 689 in6_addr_t peer_addr; 690 691 IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr); 692 bcopy(&peer_addr, p, sizeof (in6_addr_t)); 693 } else { 694 bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t)); 695 } 696 p += sizeof (in6_addr_t); 697 /* Copy in our INIT ACK chunk */ 698 bcopy(iack, p, sizeof (*iack)); 699 iack = (sctp_init_chunk_t *)p; 700 /* Set the # of streams we'll end up using */ 701 iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr)); 702 iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr)); 703 p += sizeof (*iack); 704 705 /* Copy in the peer's INIT chunk */ 706 bcopy(ch, p, ntohs(ch->sch_len)); 707 p += ntohs(ch->sch_len); 708 709 /* 710 * Calculate the HMAC ICV into the digest slot in buf. 711 * First, generate a new secret if the current secret is 712 * older than the new secret lifetime parameter permits, 713 * copying the current secret to sctp_old_secret. 714 */ 715 if (sctps->sctps_new_secret_interval > 0 && 716 (sctp->sctp_last_secret_update + 717 MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) { 718 bcopy(sctp->sctp_secret, sctp->sctp_old_secret, 719 SCTP_SECRET_LEN); 720 (void) random_get_pseudo_bytes(sctp->sctp_secret, 721 SCTP_SECRET_LEN); 722 sctp->sctp_last_secret_update = nowt; 723 } 724 725 hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16, 726 (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p); 727 728 iackmp->b_wptr = iackmp->b_rptr + ipsctplen; 729 iackmp->b_cont = errmp; /* OK if NULL */ 730 731 if (is_system_labeled() && (cr = DB_CRED(iackmp)) != NULL && 732 crgetlabel(cr) != NULL) { 733 conn_t *connp = sctp->sctp_connp; 734 int err, adjust; 735 736 if (isv4) 737 err = tsol_check_label(cr, &iackmp, &adjust, 738 connp->conn_mac_exempt, 739 sctps->sctps_netstack->netstack_ip); 740 else 741 err = tsol_check_label_v6(cr, &iackmp, &adjust, 742 connp->conn_mac_exempt, 743 sctps->sctps_netstack->netstack_ip); 744 if (err != 0) { 745 sctp_send_abort(sctp, sctp_init2vtag(ch), 746 SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE); 747 freemsg(iackmp); 748 return; 749 } 750 if (isv4) { 751 iackiph = (ipha_t *)iackmp->b_rptr; 752 adjust += ntohs(iackiph->ipha_length); 753 iackiph->ipha_length = htons(adjust); 754 } 755 } 756 757 /* 758 * Stash the conn ptr info. for IP only as e don't have any 759 * cached IRE. 760 */ 761 SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL); 762 763 /* XXX sctp == sctp_g_q, so using its obchunks is valid */ 764 BUMP_LOCAL(sctp->sctp_opkts); 765 BUMP_LOCAL(sctp->sctp_obchunks); 766 767 /* OK to call IP_PUT() here instead of sctp_add_sendq(). */ 768 CONN_INC_REF(sctp->sctp_connp); 769 iackmp->b_flag |= MSGHASREF; 770 IP_PUT(iackmp, sctp->sctp_connp, isv4); 771 } 772 773 void 774 sctp_send_cookie_ack(sctp_t *sctp) 775 { 776 sctp_chunk_hdr_t *cach; 777 mblk_t *camp; 778 sctp_stack_t *sctps = sctp->sctp_sctps; 779 780 camp = sctp_make_mp(sctp, NULL, sizeof (*cach)); 781 if (camp == NULL) { 782 /* XXX should abort, but don't have the inmp anymore */ 783 SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed); 784 return; 785 } 786 787 cach = (sctp_chunk_hdr_t *)camp->b_wptr; 788 camp->b_wptr = (uchar_t *)(cach + 1); 789 cach->sch_id = CHUNK_COOKIE_ACK; 790 cach->sch_flags = 0; 791 cach->sch_len = htons(sizeof (*cach)); 792 793 sctp_set_iplen(sctp, camp); 794 795 BUMP_LOCAL(sctp->sctp_obchunks); 796 797 sctp_add_sendq(sctp, camp); 798 } 799 800 static int 801 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaption_code) 802 { 803 804 if (len < sizeof (*sph)) 805 return (-1); 806 while (sph != NULL) { 807 if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) && 808 ntohs(sph->sph_len) >= (sizeof (*sph) + 809 sizeof (uint32_t))) { 810 *adaption_code = *(uint32_t *)(sph + 1); 811 return (0); 812 } 813 sph = sctp_next_parm(sph, &len); 814 } 815 return (-1); 816 } 817 818 void 819 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp) 820 { 821 mblk_t *cemp; 822 mblk_t *mp = NULL; 823 mblk_t *head; 824 mblk_t *meta; 825 sctp_faddr_t *fp; 826 sctp_chunk_hdr_t *cech; 827 sctp_init_chunk_t *iack; 828 int32_t cansend; 829 int32_t seglen; 830 size_t ceclen; 831 sctp_parm_hdr_t *cph; 832 sctp_data_hdr_t *sdc; 833 sctp_tf_t *tf; 834 int pad = 0; 835 int hdrlen; 836 mblk_t *errmp = NULL; 837 uint_t sctp_options; 838 int error; 839 uint16_t old_num_str; 840 sctp_stack_t *sctps = sctp->sctp_sctps; 841 842 iack = (sctp_init_chunk_t *)(iackch + 1); 843 844 cph = NULL; 845 if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp, 846 &pad, &sctp_options) == 0) { /* result in 'pad' ignored */ 847 BUMP_MIB(&sctps->sctps_mib, sctpAborted); 848 sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL); 849 sctp_clean_death(sctp, ECONNABORTED); 850 return; 851 } 852 ASSERT(cph != NULL); 853 854 ASSERT(sctp->sctp_cookie_mp == NULL); 855 856 /* Got a cookie to echo back; allocate an mblk */ 857 ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph); 858 if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0) 859 pad = SCTP_ALIGN - pad; 860 861 if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION) 862 hdrlen = sctp->sctp_hdr_len; 863 else 864 hdrlen = sctp->sctp_hdr6_len; 865 866 cemp = allocb(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad, 867 BPRI_MED); 868 if (cemp == NULL) { 869 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 870 sctp->sctp_current->rto); 871 if (errmp != NULL) 872 freeb(errmp); 873 return; 874 } 875 cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen); 876 877 /* Process the INIT ACK */ 878 sctp->sctp_sctph->sh_verf = iack->sic_inittag; 879 sctp->sctp_sctph6->sh_verf = iack->sic_inittag; 880 sctp->sctp_fvtag = iack->sic_inittag; 881 sctp->sctp_ftsn = ntohl(iack->sic_inittsn); 882 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 883 sctp->sctp_fcsn = sctp->sctp_lastacked; 884 sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd); 885 886 /* 887 * Populate sctp with addresses given in the INIT ACK or IP header. 888 * Need to set the df bit in the current fp as it has been cleared 889 * in sctp_connect(). 890 */ 891 sctp->sctp_current->df = B_TRUE; 892 /* 893 * Since IP uses this info during the fanout process, we need to hold 894 * the lock for this hash line while performing this operation. 895 */ 896 /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, sctp->sctp_ports); */ 897 ASSERT(sctp->sctp_conn_tfp != NULL); 898 tf = sctp->sctp_conn_tfp; 899 /* sctp isn't a listener so only need to hold conn fanout lock */ 900 mutex_enter(&tf->tf_lock); 901 if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) { 902 mutex_exit(&tf->tf_lock); 903 freeb(cemp); 904 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 905 sctp->sctp_current->rto); 906 if (errmp != NULL) 907 freeb(errmp); 908 return; 909 } 910 mutex_exit(&tf->tf_lock); 911 912 fp = sctp->sctp_current; 913 914 /* 915 * There could be a case when we get an INIT-ACK again, if the INIT 916 * is re-transmitted, for e.g., which means we would have already 917 * allocated this resource earlier (also for sctp_instr). In this 918 * case we check and re-allocate, if necessary. 919 */ 920 old_num_str = sctp->sctp_num_ostr; 921 if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr) 922 sctp->sctp_num_ostr = ntohs(iack->sic_instr); 923 if (sctp->sctp_ostrcntrs == NULL) { 924 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 925 sctp->sctp_num_ostr, KM_NOSLEEP); 926 } else { 927 ASSERT(old_num_str > 0); 928 if (old_num_str != sctp->sctp_num_ostr) { 929 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 930 old_num_str); 931 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 932 sctp->sctp_num_ostr, KM_NOSLEEP); 933 } 934 } 935 if (sctp->sctp_ostrcntrs == NULL) { 936 freeb(cemp); 937 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 938 if (errmp != NULL) 939 freeb(errmp); 940 return; 941 } 942 943 /* 944 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs 945 * hold here too. 946 */ 947 old_num_str = sctp->sctp_num_istr; 948 if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr) 949 sctp->sctp_num_istr = ntohs(iack->sic_outstr); 950 if (sctp->sctp_instr == NULL) { 951 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 952 sctp->sctp_num_istr, KM_NOSLEEP); 953 } else { 954 ASSERT(old_num_str > 0); 955 if (old_num_str != sctp->sctp_num_istr) { 956 kmem_free(sctp->sctp_instr, 957 sizeof (*sctp->sctp_instr) * old_num_str); 958 sctp->sctp_instr = kmem_zalloc( 959 sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr, 960 KM_NOSLEEP); 961 } 962 } 963 if (sctp->sctp_instr == NULL) { 964 kmem_free(sctp->sctp_ostrcntrs, 965 sizeof (uint16_t) * sctp->sctp_num_ostr); 966 freeb(cemp); 967 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 968 if (errmp != NULL) 969 freeb(errmp); 970 return; 971 } 972 973 if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware) 974 sctp->sctp_prsctp_aware = B_FALSE; 975 976 if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1), 977 ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)), 978 &sctp->sctp_rx_adaption_code) == 0) { 979 sctp->sctp_recv_adaption = 1; 980 } 981 982 cech = (sctp_chunk_hdr_t *)cemp->b_rptr; 983 ASSERT(OK_32PTR(cech)); 984 cech->sch_id = CHUNK_COOKIE; 985 cech->sch_flags = 0; 986 cech->sch_len = htons(ceclen); 987 988 /* Copy the cookie (less the parm hdr) to the chunk */ 989 bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph)); 990 991 cemp->b_wptr = cemp->b_rptr + ceclen; 992 993 if (sctp->sctp_unsent > 0) { 994 sctp_msg_hdr_t *smh; 995 mblk_t *prev = NULL; 996 uint32_t unsent = 0; 997 998 mp = sctp->sctp_xmit_unsent; 999 do { 1000 smh = (sctp_msg_hdr_t *)mp->b_rptr; 1001 if (smh->smh_sid >= sctp->sctp_num_ostr) { 1002 unsent += smh->smh_msglen; 1003 if (prev != NULL) 1004 prev->b_next = mp->b_next; 1005 else 1006 sctp->sctp_xmit_unsent = mp->b_next; 1007 mp->b_next = NULL; 1008 sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID, 1009 B_FALSE); 1010 if (prev != NULL) 1011 mp = prev->b_next; 1012 else 1013 mp = sctp->sctp_xmit_unsent; 1014 } else { 1015 prev = mp; 1016 mp = mp->b_next; 1017 } 1018 } while (mp != NULL); 1019 if (unsent > 0) { 1020 ASSERT(sctp->sctp_unsent >= unsent); 1021 sctp->sctp_unsent -= unsent; 1022 /* 1023 * Update ULP the amount of queued data, which is 1024 * sent-unack'ed + unsent. 1025 * This is not necessary, but doesn't harm, we 1026 * just use unsent instead of sent-unack'ed + 1027 * unsent, since there won't be any sent-unack'ed 1028 * here. 1029 */ 1030 if (!SCTP_IS_DETACHED(sctp)) { 1031 sctp->sctp_ulp_xmitted(sctp->sctp_ulpd, 1032 sctp->sctp_unsent); 1033 } 1034 } 1035 if (sctp->sctp_xmit_unsent == NULL) 1036 sctp->sctp_xmit_unsent_tail = NULL; 1037 } 1038 ceclen += pad; 1039 cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd); 1040 meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen, 1041 cansend, NULL); 1042 /* 1043 * The error cannot be anything else since we could have an non-zero 1044 * error only if sctp_get_msg_to_send() tries to send a Forward 1045 * TSN which will not happen here. 1046 */ 1047 ASSERT(error == 0); 1048 if (meta == NULL) 1049 goto sendcookie; 1050 sctp->sctp_xmit_tail = meta; 1051 sdc = (sctp_data_hdr_t *)mp->b_rptr; 1052 seglen = ntohs(sdc->sdh_len); 1053 if ((ceclen + seglen) > fp->sfa_pmss || 1054 (seglen - sizeof (*sdc)) > cansend) { 1055 goto sendcookie; 1056 } 1057 /* OK, if this fails */ 1058 cemp->b_cont = dupmsg(mp); 1059 sendcookie: 1060 head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL); 1061 if (head == NULL) { 1062 freemsg(cemp); 1063 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1064 if (errmp != NULL) 1065 freeb(errmp); 1066 SCTP_KSTAT(sctps, sctp_send_cookie_failed); 1067 return; 1068 } 1069 /* 1070 * Even if cookie-echo exceeds MTU for one of the hops, it'll 1071 * have a chance of getting there. 1072 */ 1073 if (fp->isv4) { 1074 ipha_t *iph = (ipha_t *)head->b_rptr; 1075 iph->ipha_fragment_offset_and_flags = 0; 1076 } 1077 BUMP_LOCAL(sctp->sctp_obchunks); 1078 1079 sctp->sctp_cookie_mp = dupmsg(head); 1080 /* Don't bundle, we will just resend init if this cookie is lost. */ 1081 if (sctp->sctp_cookie_mp == NULL) { 1082 if (cemp->b_cont != NULL) { 1083 freemsg(cemp->b_cont); 1084 cemp->b_cont = NULL; 1085 } 1086 } else if (cemp->b_cont != NULL) { 1087 ASSERT(mp != NULL && mp == meta->b_cont); 1088 SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont); 1089 cemp->b_wptr += pad; 1090 seglen -= sizeof (*sdc); 1091 SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta); 1092 } 1093 if (errmp != NULL) 1094 linkb(head, errmp); 1095 sctp->sctp_state = SCTPS_COOKIE_ECHOED; 1096 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1097 1098 sctp_set_iplen(sctp, head); 1099 sctp_add_sendq(sctp, head); 1100 } 1101 1102 int 1103 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp, 1104 sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaption, 1105 in6_addr_t *peer_addr) 1106 { 1107 int32_t clen; 1108 size_t initplen; 1109 uchar_t *p; 1110 uchar_t *given_hash; 1111 uchar_t needed_hash[16]; 1112 int64_t ts; 1113 int64_t diff; 1114 uint32_t *lt; 1115 sctp_init_chunk_t *iack; 1116 sctp_chunk_hdr_t *initch; 1117 sctp_init_chunk_t *init; 1118 uint32_t *lttag; 1119 uint32_t *fttag; 1120 uint32_t ports; 1121 sctp_stack_t *sctps = sctp->sctp_sctps; 1122 1123 BUMP_LOCAL(sctp->sctp_ibchunks); 1124 /* Verify the ICV */ 1125 clen = ntohs(ch->sch_len) - sizeof (*ch) - 16; 1126 if (clen < 0) { 1127 dprint(1, ("invalid cookie chunk length %d\n", 1128 ntohs(ch->sch_len))); 1129 1130 return (-1); 1131 } 1132 p = (uchar_t *)(ch + 1); 1133 1134 hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, 1135 needed_hash); 1136 1137 /* The given hash follows the cookie data */ 1138 given_hash = p + clen; 1139 1140 if (bcmp(given_hash, needed_hash, 16) != 0) { 1141 /* The secret may have changed; try the old secret */ 1142 hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret, 1143 SCTP_SECRET_LEN, needed_hash); 1144 if (bcmp(given_hash, needed_hash, 16) != 0) { 1145 return (-1); 1146 } 1147 } 1148 1149 /* Timestamp is int64_t, and we only guarantee 32-bit alignment */ 1150 bcopy(p, &ts, sizeof (ts)); 1151 /* Cookie life time, int32_t */ 1152 lt = (uint32_t *)(p + sizeof (ts)); 1153 1154 /* 1155 * To quote PRC, "this is our baby", so let's continue. 1156 * We need to pull out the encapsulated INIT ACK and 1157 * INIT chunks. Note that we don't process these until 1158 * we have verified the timestamp, but we need them before 1159 * processing the timestamp since if the time check fails, 1160 * we need to get the verification tag from the INIT in order 1161 * to send a stale cookie error. 1162 */ 1163 lttag = (uint32_t *)(lt + 1); 1164 fttag = lttag + 1; 1165 if (peer_addr != NULL) 1166 bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t)); 1167 iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t)); 1168 initch = (sctp_chunk_hdr_t *)(iack + 1); 1169 init = (sctp_init_chunk_t *)(initch + 1); 1170 initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch)); 1171 *iackpp = iack; 1172 *recv_adaption = 0; 1173 1174 /* Check the timestamp */ 1175 diff = lbolt64 - ts; 1176 if (diff > *lt && (init->sic_inittag != sctp->sctp_fvtag || 1177 iack->sic_inittag != sctp->sctp_lvtag)) { 1178 1179 uint32_t staleness; 1180 1181 staleness = TICK_TO_USEC(diff); 1182 staleness = htonl(staleness); 1183 sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE, 1184 (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE); 1185 1186 dprint(1, ("stale cookie %d\n", staleness)); 1187 1188 return (-1); 1189 } 1190 1191 /* Check for attack by adding addresses to a restart */ 1192 bcopy(insctph, &ports, sizeof (ports)); 1193 if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP, 1194 sctps) != 1) { 1195 return (-1); 1196 } 1197 1198 /* Look for adaptation code if there any parms in the INIT chunk */ 1199 if ((initplen >= sizeof (sctp_parm_hdr_t)) && 1200 (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen, 1201 &sctp->sctp_rx_adaption_code) == 0)) { 1202 *recv_adaption = 1; 1203 } 1204 1205 /* Examine tie-tags */ 1206 1207 if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) { 1208 if (sctp->sctp_state == SCTPS_ESTABLISHED && 1209 init->sic_inittag == sctp->sctp_fvtag && 1210 iack->sic_inittag == sctp->sctp_lvtag && 1211 *fttag == 0 && *lttag == 0) { 1212 1213 dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n", 1214 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1215 (int)(sctp->sctp_fport))); 1216 return (-1); 1217 } 1218 1219 if (init->sic_inittag != sctp->sctp_fvtag && 1220 iack->sic_inittag != sctp->sctp_lvtag && 1221 *fttag == sctp->sctp_fvtag && 1222 *lttag == sctp->sctp_lvtag) { 1223 int i; 1224 1225 /* Section 5.2.4 case A: restart */ 1226 sctp->sctp_fvtag = init->sic_inittag; 1227 sctp->sctp_lvtag = iack->sic_inittag; 1228 1229 sctp->sctp_sctph->sh_verf = init->sic_inittag; 1230 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 1231 1232 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 1233 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 1234 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 1235 sctp->sctp_fcsn = sctp->sctp_lastacked; 1236 1237 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1238 sctp->sctp_state = SCTPS_ESTABLISHED; 1239 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1240 } 1241 1242 dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n", 1243 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1244 (int)(sctp->sctp_fport))); 1245 /* reset parameters */ 1246 sctp_congest_reset(sctp); 1247 1248 /* reset stream bookkeeping */ 1249 sctp_instream_cleanup(sctp, B_FALSE); 1250 1251 sctp->sctp_istr_nmsgs = 0; 1252 sctp->sctp_rxqueued = 0; 1253 for (i = 0; i < sctp->sctp_num_ostr; i++) { 1254 sctp->sctp_ostrcntrs[i] = 0; 1255 } 1256 /* XXX flush xmit_list? */ 1257 1258 return (0); 1259 } else if (init->sic_inittag != sctp->sctp_fvtag && 1260 iack->sic_inittag == sctp->sctp_lvtag) { 1261 1262 /* Section 5.2.4 case B: INIT collision */ 1263 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1264 if (!sctp_initialize_params(sctp, init, iack)) 1265 return (-1); /* Drop? */ 1266 sctp->sctp_state = SCTPS_ESTABLISHED; 1267 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1268 } 1269 1270 dprint(1, ("init collision with %x:%x:%x:%x (%d)\n", 1271 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1272 (int)(sctp->sctp_fport))); 1273 1274 return (0); 1275 } else if (iack->sic_inittag != sctp->sctp_lvtag && 1276 init->sic_inittag == sctp->sctp_fvtag && 1277 *fttag == 0 && *lttag == 0) { 1278 1279 /* Section 5.2.4 case C: late COOKIE */ 1280 dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n", 1281 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1282 (int)(sctp->sctp_fport))); 1283 return (-1); 1284 } else if (init->sic_inittag == sctp->sctp_fvtag && 1285 iack->sic_inittag == sctp->sctp_lvtag) { 1286 1287 /* 1288 * Section 5.2.4 case D: COOKIE ECHO retransmit 1289 * Don't check cookie lifetime 1290 */ 1291 dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n", 1292 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1293 (int)(sctp->sctp_fport))); 1294 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1295 if (!sctp_initialize_params(sctp, init, iack)) 1296 return (-1); /* Drop? */ 1297 sctp->sctp_state = SCTPS_ESTABLISHED; 1298 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1299 } 1300 return (0); 1301 } else { 1302 /* unrecognized case -- silently drop it */ 1303 return (-1); 1304 } 1305 } 1306 1307 return (0); 1308 } 1309 1310 /* 1311 * Similar to ip_fanout_sctp, except that the src addr(s) are drawn 1312 * from address parameters in an INIT ACK's address list. This 1313 * function is used when an INIT ACK is received but IP's fanout 1314 * function could not find a sctp via the normal lookup routine. 1315 * This can happen when a host sends an INIT ACK from a different 1316 * address than the INIT was sent to. 1317 * 1318 * Returns the sctp_t if found, or NULL if not found. 1319 */ 1320 sctp_t * 1321 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich, 1322 uint_t ipif_seqid, zoneid_t zoneid, sctp_stack_t *sctps) 1323 { 1324 int isv4; 1325 ipha_t *iph; 1326 ip6_t *ip6h; 1327 in6_addr_t dst; 1328 in6_addr_t src; 1329 sctp_parm_hdr_t *ph; 1330 ssize_t remaining; 1331 sctp_init_chunk_t *iack; 1332 uint32_t ports; 1333 sctp_t *sctp = NULL; 1334 1335 ASSERT(ich->sch_id == CHUNK_INIT_ACK); 1336 1337 isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION); 1338 if (isv4) { 1339 iph = (ipha_t *)mp->b_rptr; 1340 IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst); 1341 } else { 1342 ip6h = (ip6_t *)mp->b_rptr; 1343 dst = ip6h->ip6_dst; 1344 } 1345 1346 ports = *(uint32_t *)sctph; 1347 1348 dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n", 1349 ports, SCTP_PRINTADDR(dst))); 1350 1351 /* pull out any address parameters */ 1352 remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack); 1353 if (remaining < sizeof (*ph)) { 1354 return (NULL); 1355 } 1356 1357 iack = (sctp_init_chunk_t *)(ich + 1); 1358 ph = (sctp_parm_hdr_t *)(iack + 1); 1359 1360 while (ph != NULL) { 1361 /* 1362 * params have been put in host byteorder by 1363 * sctp_check_input() 1364 */ 1365 if (ph->sph_type == PARM_ADDR4) { 1366 IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1), 1367 &src); 1368 1369 sctp = sctp_conn_match(&src, &dst, ports, ipif_seqid, 1370 zoneid, sctps); 1371 1372 dprint(1, 1373 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1374 SCTP_PRINTADDR(src), (void *)sctp)); 1375 1376 1377 if (sctp != NULL) { 1378 return (sctp); 1379 } 1380 } else if (ph->sph_type == PARM_ADDR6) { 1381 src = *(in6_addr_t *)(ph + 1); 1382 sctp = sctp_conn_match(&src, &dst, ports, ipif_seqid, 1383 zoneid, sctps); 1384 1385 dprint(1, 1386 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1387 SCTP_PRINTADDR(src), (void *)sctp)); 1388 1389 if (sctp != NULL) { 1390 return (sctp); 1391 } 1392 } 1393 1394 ph = sctp_next_parm(ph, &remaining); 1395 } 1396 1397 return (NULL); 1398 } 1399