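/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <sys/types.h>
#include <sys/systm.h>
#include <sys/stream.h>
#include <sys/cmn_err.h>
#include <sys/md5.h>
#include <sys/kmem.h>
#include <sys/strsubr.h>
#include <sys/random.h>
#include <sys/tsol/tnet.h>

#include <netinet/in.h>
#include <netinet/ip6.h>

#include <inet/common.h>
#include <inet/ip.h>
#include <inet/ip6.h>
#include <inet/ipsec_impl.h>
#include <inet/sctp_ip.h>
#include <inet/ipclassifier.h>
#include "sctp_impl.h"

/*
 * Helper function for SunCluster (PSARC/2005/602) to get the original source
 * address from the COOKIE
 */
int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *);

/*
 * HMAC-MD5 as specified in RFC 2104:
 *
 *	MD5(K XOR opad, MD5(K XOR ipad, text))
 *
 * This is the only authenticator on the SCTP state cookie generated in
 * sctp_send_initack(), so the cookie's integrity -- and with it the
 * protection the four-way handshake gives against spoofed INITs -- rests
 * on the secrecy of the SCTP_SECRET_LEN byte key passed in and on this
 * construction.  MD5's known collision weaknesses do not, by themselves,
 * yield an HMAC-MD5 forgery, but the primitive is legacy; note that the
 * 16-byte digest size is hard-coded both in SCTP_CALC_COOKIE_LEN and in
 * the hmac_md5() call in sctp_send_initack(), so swapping the digest means
 * touching those too.  Ideally this would live in a shared libdigest.
 *
 * text		IN	pointer to data stream
 * text_len	IN	length of data stream
 * key		IN	pointer to authentication key
 * key_len	IN	length of authentication key
 * digest	OUT	caller digest to be filled in (16 bytes)
 *
 * Key-derived material (the inner/outer pads, the reduced key and the
 * hash contexts) is scrubbed from the stack before returning.  bzero() is
 * an out-of-line routine in the kernel so the stores are not expected to
 * be elided; a user-space port would want an explicit_bzero()-style call.
 */
static void
hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len,
    uchar_t *digest)
{
	MD5_CTX context;
	uchar_t k_ipad[65];	/* inner padding - key XORd with ipad */
	uchar_t k_opad[65];	/* outer padding - key XORd with opad */
	uchar_t tk[16];
	int i;

	/* if key is longer than 64 bytes reset it to key=MD5(key) */
	if (key_len > 64) {
		MD5_CTX tctx;

		MD5Init(&tctx);
		MD5Update(&tctx, key, key_len);
		MD5Final(tk, &tctx);
		/* the context absorbed the raw key; clear it now */
		bzero(&tctx, sizeof (tctx));

		key = tk;
		key_len = 16;
	}

	/*
	 * the HMAC_MD5 transform looks like:
	 *
	 * MD5(K XOR opad, MD5(K XOR ipad, text))
	 *
	 * where K is an n byte key
	 * ipad is the byte 0x36 repeated 64 times
	 * opad is the byte 0x5c repeated 64 times
	 * and text is the data being protected
	 */

	/* start out by storing key in pads (key_len is <= 64 here) */
	bzero(k_ipad, sizeof (k_ipad));
	bzero(k_opad, sizeof (k_opad));
	bcopy(key, k_ipad, key_len);
	bcopy(key, k_opad, key_len);

	/* XOR key with ipad and opad values */
	for (i = 0; i < 64; i++) {
		k_ipad[i] ^= 0x36;
		k_opad[i] ^= 0x5c;
	}

	/*
	 * perform inner MD5; the intermediate result is parked in the
	 * caller's digest buffer, then overwritten by the outer pass.
	 */
	MD5Init(&context);			/* init context for 1st */
						/* pass */
	MD5Update(&context, k_ipad, 64);	/* start with inner pad */
	MD5Update(&context, text, text_len);	/* then text of datagram */
	MD5Final(digest, &context);		/* finish up 1st pass */

	/*
	 * perform outer MD5
	 */
	MD5Init(&context);			/* init context for 2nd */
						/* pass */
	MD5Update(&context, k_opad, 64);	/* start with outer pad */
	MD5Update(&context, digest, 16);	/* then results of 1st */
						/* hash */
	MD5Final(digest, &context);		/* finish up 2nd pass */

	/*
	 * Scrub everything derived from the key so it does not linger on
	 * the kernel stack after we return.
	 */
	bzero(k_ipad, sizeof (k_ipad));
	bzero(k_opad, sizeof (k_opad));
	bzero(tk, sizeof (tk));
	bzero(&context, sizeof (context));
}

/*
 * If inmp is non-NULL, and we need to abort, it will use the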
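 * IP/SCTP
 * info in initmp to send the abort.  Otherwise, no abort will be sent.
 *
 * When called from sctp_send_initack() while processing parameters
 * from a received INIT_CHUNK want_cookie will be NULL.
 *
 * When called from sctp_send_cookie_echo() while processing an INIT_ACK,
 * want_cookie contains a pointer to a pointer of type *sctp_parm_hdr_t.
 * However, this last pointer will be NULL until the cookie is processed
 * at which time it will be set to point to a sctp_parm_hdr_t that contains
 * the cookie info.
 *
 * Note: an INIT_ACK is expected to contain a cookie.
 *
 * When processing an INIT_ACK, an ERROR chunk and chain of one or more
 * error CAUSE blocks will be created if unrecognized parameters marked by
 * the sender as reportable are found.
 *
 * When processing an INIT chunk, a chain of one or more error CAUSE blocks
 * will be created if unrecognized parameters marked by the sender as
 * reportable are found.  These are appended directly to the INIT_ACK chunk.
 *
 * In both cases the error chain is visible to the caller via *errmp.
 * The caller must initialise *errmp to NULL; on failure anything that was
 * built into *errmp is released here and *errmp is reset to NULL, since
 * neither caller consumes it on the failure path.
 *
 * Everything in ch/init is peer-supplied and untrusted.  The chunk length
 * is checked against the fixed INIT body before any parameter is touched.
 *
 * Returns 1 if the parameters are OK (or if there are no optional
 * parameters), returns 0 otherwise.
 */
static int
validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch,
    sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie,
    mblk_t **errmp, int *supp_af, uint_t *sctp_options, ip_recv_attr_t *ira)
{
	sctp_parm_hdr_t		*cph;
	sctp_init_chunk_t	*ic;
	ssize_t			remaining;
	uint16_t		serror = 0;
	char			*details = NULL;
	size_t			errlen = 0;
	boolean_t		got_cookie = B_FALSE;
	boolean_t		got_errchunk = B_FALSE;
	uint16_t		ptype;
	sctp_mpc_t		mpc;
	conn_t			*connp = sctp->sctp_connp;

	ASSERT(errmp != NULL);

	if (sctp_options != NULL)
		*sctp_options = 0;

	/* First validate stream parameters */
	if (init->sic_instr == 0 || init->sic_outstr == 0) {
		serror = SCTP_ERR_BAD_MANDPARM;
		dprint(1, ("validate_init_params: bad sid, is=%d os=%d\n",
		    htons(init->sic_instr), htons(init->sic_outstr)));
		goto abort;
	}
	if (ntohl(init->sic_inittag) == 0) {
		serror = SCTP_ERR_BAD_MANDPARM;
		dprint(1, ("validate_init_params: inittag = 0\n"));
		goto abort;
	}

	/*
	 * Bytes of optional parameters following the fixed INIT/INIT ACK
	 * body.  sch_len comes from the peer, so do the arithmetic signed
	 * and reject a chunk shorter than the fixed body outright: a
	 * negative 'remaining' compared against a size_t would otherwise
	 * be promoted to unsigned and read as "plenty of room".
	 */
	remaining = (ssize_t)ntohs(ch->sch_len) - (ssize_t)sizeof (*ch) -
	    (ssize_t)sizeof (*ic);
	ic = (sctp_init_chunk_t *)(ch + 1);
	if (remaining < 0) {
		serror = SCTP_ERR_BAD_MANDPARM;
		dprint(1, ("validate_init_params: short chunk, len=%d\n",
		    ntohs(ch->sch_len)));
		goto abort;
	}
	if (remaining < (ssize_t)sizeof (*cph)) {
		/*
		 * No room for even one parameter header.  A received
		 * INIT_ACK must carry a cookie, so that is fatal; an INIT
		 * without optional parameters has nothing to validate.
		 */
		if (want_cookie != NULL)
			goto cookie_abort;
		return (1);
	}

	cph = (sctp_parm_hdr_t *)(ic + 1);

	/*
	 * NOTE(review): the first parameter's own sph_len is not checked
	 * against 'remaining' before it is used below (PARM_ADDR_HOST_NAME
	 * passes it as the abort cause length, PARM_SUPP_ADDRS walks it);
	 * later parameters are bounded only to the extent sctp_next_parm()
	 * bounds them.  Confirm the input path has already verified each
	 * parameter length against the chunk, or add that check here.
	 */
	while (cph != NULL) {
		ptype = ntohs(cph->sph_type);
		switch (ptype) {
		case PARM_HBINFO:
		case PARM_UNRECOGNIZED:
		case PARM_ECN:
			/* just ignore them */
			break;
		case PARM_FORWARD_TSN:
			if (sctp_options != NULL)
				*sctp_options |= SCTP_PRSCTP_OPTION;
			break;
		case PARM_COOKIE:
			got_cookie = B_TRUE;
			/*
			 * Processing a received INIT_ACK, we have a cookie
			 * and a valid pointer in our caller to attach it to.
			 */
			if (want_cookie != NULL) {
				*want_cookie = cph;
			}
			break;
		case PARM_ADDR4:
			*supp_af |= PARM_SUPP_V4;
			break;
		case PARM_ADDR6:
			*supp_af |= PARM_SUPP_V6;
			break;
		case PARM_COOKIE_PRESERVE:
		case PARM_ADAPT_LAYER_IND:
			/* These are OK */
			break;
		case PARM_ADDR_HOST_NAME:
			/* Don't support this; abort the association */
			serror = SCTP_ERR_BAD_ADDR;
			details = (char *)cph;
			errlen = ntohs(cph->sph_len);
			dprint(1, ("sctp:validate_init_params: host addr\n"));
			goto abort;
		case PARM_SUPP_ADDRS: {
			/* Make sure we have a supported addr intersection */
			uint16_t *p, addrtype;
			int plen;

			/*
			 * sph_len counts the parameter header as well as
			 * the address-type list, while p starts just after
			 * the header.  Walking the full sph_len from p
			 * therefore ran two uint16_t past the end of the
			 * list; walk only whole entries inside it.  A
			 * header-only or truncated parameter contributes
			 * nothing.
			 */
			plen = (int)ntohs(cph->sph_len) - (int)sizeof (*cph);
			p = (uint16_t *)(cph + 1);
			while (plen >= (int)sizeof (*p)) {
				addrtype = ntohs(*p);
				switch (addrtype) {
				case PARM_ADDR6:
					*supp_af |= PARM_SUPP_V6;
					break;
				case PARM_ADDR4:
					*supp_af |= PARM_SUPP_V4;
					break;
				default:
					/*
					 * Do nothing, silently ignore hostname
					 * address.
					 */
					break;
				}
				p++;
				plen -= (int)sizeof (*p);
			}
			break;
		}
		default:
			/*
			 * Handle any unrecognized params, the two high order
			 * bits of ptype define how the remote wants them
			 * handled.
			 * Top bit:
			 *	1. Continue processing other params in the chunk
			 *	0. Stop processing params after this one.
			 * 2nd bit:
			 *	1. Must report this unrecognized param to remote
			 *	0. Obey the top bit silently.
			 */
			if (ptype & SCTP_REPORT_THIS_PARAM) {
				if (!got_errchunk && want_cookie != NULL) {
					/*
					 * Processing an INIT_ACK and this is
					 * the first reportable param: create
					 * an ERROR chunk and populate it with
					 * a CAUSE block for this parm.
					 */
					*errmp = sctp_make_err(sctp,
					    PARM_UNRECOGNIZED,
					    (void *)cph,
					    ntohs(cph->sph_len));
					got_errchunk = B_TRUE;
				} else {
					/*
					 * If processing an INIT_ACK, we already
					 * have an ERROR chunk, just add a new
					 * CAUSE block and update ERROR chunk
					 * length.
					 * If processing an INIT chunk add a new
					 * CAUSE block to the INIT_ACK, in this
					 * case there is no ERROR chunk thus
					 * got_errchunk will be B_FALSE. Chunk
					 * length is computed by our caller.
					 */
					sctp_add_unrec_parm(cph, errmp,
					    got_errchunk);
				}
			}
			if (ptype & SCTP_CONT_PROC_PARAMS) {
				/*
				 * Continue processing params after this
				 * parameter.
				 */
				break;
			}

			/*
			 * Stop processing params, report any reportable
			 * unrecognized params found so far.
			 */
			goto done;
		}

		cph = sctp_next_parm(cph, &remaining);
	}
done:
	/*
	 * Some sanity checks.  The following should not fail unless the
	 * other side is broken.
	 *
	 * 1. If this is a V4 endpoint but V4 address is not
	 *    supported, abort.
	 * 2. If this is a V6 only endpoint but V6 address is
	 *    not supported, abort.  This assumes that a V6
	 *    endpoint can use both V4 and V6 addresses.
	 * We only care about supp_af when processing INIT, i.e want_cookie
	 * is NULL.
	 */
	if (want_cookie == NULL &&
	    ((connp->conn_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) ||
	    (connp->conn_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) &&
	    sctp->sctp_connp->conn_ipv6_v6only))) {
		dprint(1, ("sctp:validate_init_params: supp addr\n"));
		serror = SCTP_ERR_BAD_ADDR;
		goto abort;
	}

	if (want_cookie != NULL && !got_cookie) {
cookie_abort:
		/* Will populate the CAUSE block in the ABORT chunk. */
		mpc.mpc_num = htons(1);
		mpc.mpc_param = htons(PARM_COOKIE);
		mpc.mpc_pad = 0;

		dprint(1, ("validate_init_params: cookie absent\n"));
		sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM,
		    (char *)&mpc, sizeof (sctp_mpc_t), inmp, 0, B_FALSE, ira);
		goto fail;
	}

	/* OK */
	return (1);

abort:
	/* Only the INIT side sends the ABORT; the INIT_ACK caller does. */
	if (want_cookie == NULL) {
		sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details,
		    errlen, inmp, 0, B_FALSE, ira);
	}
fail:
	/*
	 * Release any ERROR chunk / CAUSE blocks built for reportable
	 * parameters seen before the fatal one; the callers return
	 * immediately on 0 without freeing it.
	 */
	if (*errmp != NULL) {
		freemsg(*errmp);
		*errmp = NULL;
	}
	return (0);
}

/*
 * Initialize params from the INIT and INIT-ACK when the assoc. is
 * established.
 *
 * 'init' is the peer's INIT as carried inside the verified cookie and
 * 'iack' is our own INIT ACK copy from the same cookie.  The stream
 * counts in iack are the host-order values that sctp_send_initack()
 * stored there (see "Set the # of streams we'll end up using"), which
 * is why they are used without ntohs() here.
 *
 * Returns B_FALSE, with nothing allocated, if either stream array
 * cannot be allocated.
 */
boolean_t
sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init,
    sctp_init_chunk_t *iack)
{
	/* Get initial TSN */
	sctp->sctp_ftsn = ntohl(init->sic_inittsn);
	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;

	/* Serial number is initialized to the same value as the TSN */
	sctp->sctp_fcsn = sctp->sctp_lastacked;

	/*
	 * Get verification tags; no byteordering is necessary, since
	 * verfication tags are never processed except for byte-by-byte
	 * comparisons.
	 */
	sctp->sctp_fvtag = init->sic_inittag;
	sctp->sctp_sctph->sh_verf = init->sic_inittag;
	sctp->sctp_sctph6->sh_verf = init->sic_inittag;
	sctp->sctp_lvtag = iack->sic_inittag;

	/* Get the peer's rwnd */
	sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);

	/* Allocate the in/out-stream counters */
	sctp->sctp_num_ostr = iack->sic_outstr;
	sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
	    sctp->sctp_num_ostr, KM_NOSLEEP);
	if (sctp->sctp_ostrcntrs == NULL)
		return (B_FALSE);

	sctp->sctp_num_istr = iack->sic_instr;
	sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
	    sctp->sctp_num_istr, KM_NOSLEEP);
	if (sctp->sctp_instr == NULL) {
		/* undo the first allocation so the caller sees a clean sctp */
		kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
		    sctp->sctp_num_ostr);
		sctp->sctp_ostrcntrs = NULL;
		return (B_FALSE);
	}
	return (B_TRUE);
}

/*
 * Copy the peer's original source address into addr.  This relies on the
 * following format (see sctp_send_initack() below):
 *	relative timestamp for the cookie (int64_t) +
 *	cookie lifetime (uint32_t) +
 *	local tie-tag (uint32_t) + peer tie-tag (uint32_t) +
 *	Peer's original src ...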
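 */
int
cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr)
{
	uchar_t	*off;
	size_t	need;

	ASSERT(addr != NULL);

	if (ch->sch_id != CHUNK_COOKIE)
		return (EINVAL);

	/*
	 * The address follows the chunk header, timestamp, lifetime and
	 * the two tie-tags.  Refuse a chunk too short to hold it rather
	 * than reading past the end of the chunk.
	 */
	need = sizeof (*ch) + sizeof (int64_t) + sizeof (uint32_t) +
	    sizeof (uint32_t) + sizeof (uint32_t) + sizeof (in6_addr_t);
	if (ntohs(ch->sch_len) < need)
		return (EINVAL);

	off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) +
	    sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t);

	bcopy(off, addr, sizeof (*addr));

	return (0);
}

/*
 * Total length of the COOKIE parameter built by sctp_send_initack() for
 * the INIT chunk 'initcp', header and MAC included.  The 16 at the end is
 * the HMAC-MD5 digest size, which must match hmac_md5().
 */
#define	SCTP_CALC_COOKIE_LEN(initcp) \
	(sizeof (int64_t) +		/* timestamp */			\
	sizeof (uint32_t) +		/* cookie lifetime */		\
	sizeof (sctp_init_chunk_t) +	/* INIT ACK */			\
	sizeof (in6_addr_t) +		/* peer's original source */	\
	ntohs((initcp)->sch_len) +	/* peer's INIT */		\
	sizeof (uint32_t) +		/* local tie-tag */		\
	sizeof (uint32_t) +		/* peer tie-tag */		\
	sizeof (sctp_parm_hdr_t) +	/* param header */		\
	16)				/* MD5 hash */

/*
 * Build and transmit an INIT ACK, including the state cookie, in reply to
 * the INIT chunk 'ch' received in 'initmp'.
 *
 * Note that sctp is the listener, hence we shouldn't modify it.
 * NOTE(review): the cookie-secret rotation below does write
 * sctp->sctp_secret / sctp_old_secret / sctp_last_secret_update on the
 * listener; confirm that this path is serialised by the listener's lock.
 *
 * NOTE(review): cookielen and iacklen are derived from the peer's
 * sch_len and are stored through htons() into 16-bit length fields
 * (cookieph->sph_len, iack_ch->sch_len) and into the IP length; an INIT
 * within roughly 72 bytes of 64 KiB would wrap them.  Confirm the input
 * path caps the INIT chunk size, or bound cookielen explicitly here.
 */
void
sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
    mblk_t *initmp, ip_recv_attr_t *ira)
{
	ipha_t			*initiph;
	ip6_t			*initip6h;
	ipha_t			*iackiph = NULL;
	ip6_t			*iackip6h = NULL;
	sctp_chunk_hdr_t	*iack_ch;
	sctp_init_chunk_t	*iack;
	sctp_init_chunk_t	*init;
	sctp_hdr_t		*iacksh;
	size_t			cookielen;
	size_t			iacklen;
	size_t			ipsctplen;
	size_t			errlen = 0;
	sctp_parm_hdr_t		*cookieph;
	mblk_t			*iackmp;
	uint32_t		itag;
	uint32_t		itsn;
	int64_t			*now;
	int64_t			nowt;
	uint32_t		*lifetime;
	char			*p;
	boolean_t		isv4;
	int			supp_af = 0;
	uint_t			sctp_options;
	uint32_t		*ttag;
	int			pad;
	mblk_t			*errmp = NULL;
	boolean_t		initcollision = B_FALSE;
	boolean_t		linklocal = B_FALSE;
	sctp_stack_t		*sctps = sctp->sctp_sctps;
	conn_t			*connp = sctp->sctp_connp;
	int			err;
	ip_xmit_attr_t		*ixa = NULL;

	BUMP_LOCAL(sctp->sctp_ibchunks);
	isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION);

	/* Extract the INIT chunk */
	if (isv4) {
		initiph = (ipha_t *)initmp->b_rptr;
		ipsctplen = sctp->sctp_ip_hdr_len;
		supp_af |= PARM_SUPP_V4;
	} else {
		initip6h = (ip6_t *)initmp->b_rptr;
		ipsctplen = sctp->sctp_ip_hdr6_len;
		if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src) ||
		    IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_dst))
			linklocal = B_TRUE;
		supp_af |= PARM_SUPP_V6;
		if (!sctp->sctp_connp->conn_ipv6_v6only)
			supp_af |= PARM_SUPP_V4;
	}
	ASSERT(OK_32PTR(initsh));
	init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch));

	/*
	 * Make sure we like the peer's parameters.  On failure
	 * validate_init_params() has already sent the ABORT.
	 */
	if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp,
	    &supp_af, &sctp_options, ira) == 0) {
		return;
	}
	if (errmp != NULL)
		errlen = msgdsize(errmp);
	if (connp->conn_family == AF_INET) {
		/*
		 * Regardless of the supported address in the INIT, v4
		 * must be supported.
		 */
		supp_af = PARM_SUPP_V4;
	}
	if (sctp->sctp_state <= SCTPS_LISTEN) {
		/*
		 * normal, expected INIT: generate new vtag and itsn.  The
		 * initial TSN is derived from the vtag, so both are fixed
		 * by the same random draw; both travel in this INIT ACK.
		 */
		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
		if (itag == 0)
			itag = (uint32_t)gethrtime();
		itsn = itag + 1;
		itag = htonl(itag);
	} else if (sctp->sctp_state == SCTPS_COOKIE_WAIT ||
	    sctp->sctp_state == SCTPS_COOKIE_ECHOED) {
		/* init collision; copy vtag and itsn from sctp */
		itag = sctp->sctp_lvtag;
		itsn = sctp->sctp_ltsn;
		/*
		 * In addition we need to send all the params that was sent
		 * in our INIT chunk.  Essentially, it is only the supported
		 * address params that we need to add.
		 */
		initcollision = B_TRUE;
		/*
		 * When we sent the INIT, we should have set linklocal in
		 * the sctp which should be good enough.
		 */
		if (linklocal)
			linklocal = B_FALSE;
	} else {
		/* peer restart; generate new vtag but keep everything else */
		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
		if (itag == 0)
			itag = (uint32_t)gethrtime();
		itag = htonl(itag);
		itsn = sctp->sctp_ltsn;
	}

	/*
	 * Allocate a mblk for the INIT ACK, consisting of the link layer
	 * header, the IP header, the SCTP common header, and INIT ACK chunk,
	 * and finally the COOKIE parameter.
	 */
	cookielen = SCTP_CALC_COOKIE_LEN(ch);
	iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen;
	if (sctp->sctp_send_adaptation)
		iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t));
	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
	    sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
		iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION);
	}
	if (initcollision)
		iacklen += sctp_supaddr_param_len(sctp);
	if (!linklocal)
		iacklen += sctp_addr_params(sctp, supp_af, NULL, B_FALSE);
	ipsctplen += sizeof (*iacksh) + iacklen;
	iacklen += errlen;
	/*
	 * Padding is applied after the cookie which is the end of chunk
	 * unless CAUSE blocks are appended when the pad must also be
	 * accounted for in iacklen.
	 */
	if ((pad = ipsctplen % SCTP_ALIGN) != 0) {
		pad = SCTP_ALIGN - pad;
		ipsctplen += pad;
		if (errmp != NULL)
			iacklen += pad;
	}

	/*
	 * Base the transmission on any routing-related socket options
	 * that have been set on the listener.
	 */
	ixa = conn_get_ixa_exclusive(connp);
	if (ixa == NULL) {
		sctp_send_abort(sctp, sctp_init2vtag(ch),
		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
		return;
	}
	ixa->ixa_flags &= ~IXAF_VERIFY_PMTU;

	if (isv4)
		ixa->ixa_flags |= IXAF_IS_IPV4;
	else
		ixa->ixa_flags &= ~IXAF_IS_IPV4;

	/*
	 * If the listen socket is bound to a trusted extensions multi-label
	 * port, a MAC-Exempt connection with an unlabeled node, we use the
	 * the security label of the received INIT packet.
	 * If not a multi-label port, attach the unmodified
	 * listener's label directly.
	 *
	 * We expect Sun developed kernel modules to properly set
	 * cred labels for sctp connections.  We can't be so sure this
	 * will be done correctly when 3rd party kernel modules
	 * directly use sctp.  We check for a NULL ira_tsl to cover this
	 * possibility.
	 *
	 * NOTE(review): the second is_system_labeled() block further down
	 * ASSERTs ira_tsl != NULL and stores it into ixa_tsl for every
	 * case, overriding the single-label choice made here; confirm that
	 * is the intended precedence for the non-MLP listener.
	 */
	if (is_system_labeled()) {
		/* Discard any old label */
		if (ixa->ixa_free_flags & IXA_FREE_TSL) {
			ASSERT(ixa->ixa_tsl != NULL);
			label_rele(ixa->ixa_tsl);
			ixa->ixa_free_flags &= ~IXA_FREE_TSL;
			ixa->ixa_tsl = NULL;
		}

		if (connp->conn_mlp_type != mlptSingle ||
		    connp->conn_mac_mode != CONN_MAC_DEFAULT) {
			if (ira->ira_tsl == NULL) {
				sctp_send_abort(sctp, sctp_init2vtag(ch),
				    SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0,
				    B_FALSE, ira);
				ixa_refrele(ixa);
				return;
			}
			label_hold(ira->ira_tsl);
			ip_xmit_attr_replace_tsl(ixa, ira->ira_tsl);
		} else {
			ixa->ixa_tsl = crgetlabel(connp->conn_cred);
		}
	}

	iackmp = allocb(ipsctplen + sctps->sctps_wroff_xtra, BPRI_MED);
	if (iackmp == NULL) {
		sctp_send_abort(sctp, sctp_init2vtag(ch),
		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
		ixa_refrele(ixa);
		return;
	}

	/* Copy in the [incomplete] IP/SCTP composite header */
	p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra);
	iackmp->b_rptr = (uchar_t *)p;
	if (isv4) {
		bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len);
		iackiph = (ipha_t *)p;

		/* Copy the peer's IP addr */
		iackiph->ipha_dst = initiph->ipha_src;
		iackiph->ipha_src = initiph->ipha_dst;
		iackiph->ipha_length = htons(ipsctplen + errlen);
		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len);
		ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr_len;
	} else {
		bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len);
		iackip6h = (ip6_t *)p;

		/* Copy the peer's IP addr */
		iackip6h->ip6_dst = initip6h->ip6_src;
		iackip6h->ip6_src = initip6h->ip6_dst;
		iackip6h->ip6_plen = htons(ipsctplen + errlen - IPV6_HDR_LEN);
		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len);
		ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr6_len;
	}
	ixa->ixa_pktlen = ipsctplen + errlen;

	ASSERT(OK_32PTR(iacksh));

	/* Fill in the holes in the SCTP common header */
	iacksh->sh_sport = initsh->sh_dport;
	iacksh->sh_dport = initsh->sh_sport;
	iacksh->sh_verf = init->sic_inittag;

	/* INIT ACK chunk header */
	iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1);
	iack_ch->sch_id = CHUNK_INIT_ACK;
	iack_ch->sch_flags = 0;
	iack_ch->sch_len = htons(iacklen);

	/* The INIT ACK itself */
	iack = (sctp_init_chunk_t *)(iack_ch + 1);
	iack->sic_inittag = itag;	/* already in network byteorder */
	iack->sic_inittsn = htonl(itsn);

	iack->sic_a_rwnd = htonl(sctp->sctp_rwnd);
	/* Advertise what we would want to have as stream #'s */
	iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr,
	    ntohs(init->sic_instr)));
	iack->sic_instr = htons(sctp->sctp_num_istr);

	p = (char *)(iack + 1);
	p += sctp_adaptation_code_param(sctp, (uchar_t *)p);
	if (initcollision)
		p += sctp_supaddr_param(sctp, (uchar_t *)p);
	if (!linklocal)
		p += sctp_addr_params(sctp, supp_af, (uchar_t *)p, B_FALSE);
	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
	    sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
		p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION);
	}
	/*
	 * Generate and lay in the COOKIE parameter.
	 *
	 * Any change here that results in a change of location for
	 * the peer's orig source address must be propagated to the fn
	 * cl_sctp_cookie_paddr() above.
	 *
	 * The cookie consists of:
	 * 1. The relative timestamp for the cookie (lbolt64)
	 * 2. The cookie lifetime (uint32_t) in tick
	 * 3. The local tie-tag
	 * 4. The peer tie-tag
	 * 5. Peer's original src, used to confirm the validity of address.
	 * 6. Our INIT ACK chunk, less any parameters
	 * 7. The INIT chunk (may contain parameters)
	 * 8. 128-bit HMAC-MD5 over items 1-7, keyed with sctp_secret.
	 *
	 * Since the timestamp values will only be evaluated locally, we
	 * don't need to worry about byte-ordering them.  Everything in
	 * 1-7 is sent to the peer in the clear and comes back in the
	 * COOKIE ECHO; only the MAC stops the peer from tampering with it.
	 */
	cookieph = (sctp_parm_hdr_t *)p;
	cookieph->sph_type = htons(PARM_COOKIE);
	cookieph->sph_len = htons(cookielen);

	/* timestamp */
	now = (int64_t *)(cookieph + 1);
	nowt = LBOLT_FASTPATH64;
	bcopy(&nowt, now, sizeof (*now));

	/* cookie lifetime -- need configuration */
	lifetime = (uint32_t *)(now + 1);
	*lifetime = sctp->sctp_cookie_lifetime;

	/* Set the tie-tags */
	ttag = (uint32_t *)(lifetime + 1);
	if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) {
		*ttag = 0;
		ttag++;
		*ttag = 0;
		ttag++;
	} else {
		/* local tie-tag (network byte-order) */
		*ttag = sctp->sctp_lvtag;
		ttag++;
		/* peer tie-tag (network byte-order) */
		*ttag = sctp->sctp_fvtag;
		ttag++;
	}
	/*
	 * Copy in peer's original source address so that we can confirm
	 * the reachability later.
	 */
	p = (char *)ttag;
	if (isv4) {
		in6_addr_t peer_addr;

		IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr);
		bcopy(&peer_addr, p, sizeof (in6_addr_t));
	} else {
		bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t));
	}
	p += sizeof (in6_addr_t);
	/* Copy in our INIT ACK chunk */
	bcopy(iack, p, sizeof (*iack));
	iack = (sctp_init_chunk_t *)p;
	/*
	 * Set the # of streams we'll end up using.  These are stored in
	 * host order, unlike the wire copy above; sctp_initialize_params()
	 * reads them back from the cookie without ntohs().
	 */
	iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr));
	iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr));
	p += sizeof (*iack);

	/* Copy in the peer's INIT chunk */
	bcopy(ch, p, ntohs(ch->sch_len));
	p += ntohs(ch->sch_len);

	/*
	 * Calculate the HMAC ICV into the digest slot in buf.
	 * First, generate a new secret if the current secret is
	 * older than the new secret lifetime parameter permits,
	 * copying the current secret to sctp_old_secret (presumably so
	 * cookies issued under the previous secret still verify for a
	 * while -- the verification side is not in this file).
	 */
	if (sctps->sctps_new_secret_interval > 0 &&
	    (sctp->sctp_last_secret_update +
	    MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) {
		bcopy(sctp->sctp_secret, sctp->sctp_old_secret,
		    SCTP_SECRET_LEN);
		(void) random_get_pseudo_bytes(sctp->sctp_secret,
		    SCTP_SECRET_LEN);
		sctp->sctp_last_secret_update = nowt;
	}

	/*
	 * MAC everything between the parameter header and the 16-byte
	 * digest slot at p.
	 */
	hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16,
	    (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p);

	iackmp->b_wptr = iackmp->b_rptr + ipsctplen;
	if (pad != 0)
		bzero((iackmp->b_wptr - pad), pad);

	iackmp->b_cont = errmp;	/* OK if NULL */

	if (is_system_labeled()) {
		ts_label_t *effective_tsl = NULL;

		ASSERT(ira->ira_tsl != NULL);

		/* Discard any old label */
		if (ixa->ixa_free_flags & IXA_FREE_TSL) {
			ASSERT(ixa->ixa_tsl != NULL);
			label_rele(ixa->ixa_tsl);
			ixa->ixa_free_flags &= ~IXA_FREE_TSL;
		}
		ixa->ixa_tsl = ira->ira_tsl;	/* A multi-level responder */

		/*
		 * We need to check for label-related failures which implies
		 * an extra call to tsol_check_dest (as ip_output_simple
		 * also does a tsol_check_dest as part of computing the
		 * label for the packet, but ip_output_simple doesn't return
		 * a specific errno for that case so we can't rely on its
		 * check.)
		 */
		if (isv4) {
			err = tsol_check_dest(ixa->ixa_tsl, &iackiph->ipha_dst,
			    IPV4_VERSION, connp->conn_mac_mode,
			    connp->conn_zone_is_global, &effective_tsl);
		} else {
			err = tsol_check_dest(ixa->ixa_tsl, &iackip6h->ip6_dst,
			    IPV6_VERSION, connp->conn_mac_mode,
			    connp->conn_zone_is_global, &effective_tsl);
		}
		if (err != 0) {
			sctp_send_abort(sctp, sctp_init2vtag(ch),
			    SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE,
			    ira);
			ixa_refrele(ixa);
			freemsg(iackmp);
			return;
		}
		if (effective_tsl != NULL) {
			/*
			 * Since ip_output_simple will redo the
			 * tsol_check_dest, we just drop the ref.
			 */
			label_rele(effective_tsl);
		}
	}

	BUMP_LOCAL(sctp->sctp_opkts);
	BUMP_LOCAL(sctp->sctp_obchunks);

	(void) ip_output_simple(iackmp, ixa);
	ixa_refrele(ixa);
}

/*
 * Send a bare COOKIE ACK chunk to the current peer address.  Allocation
 * failure is counted but not otherwise recovered here.
 */
void
sctp_send_cookie_ack(sctp_t *sctp)
{
	sctp_chunk_hdr_t *cach;
	mblk_t *camp;
	sctp_stack_t	*sctps = sctp->sctp_sctps;

	camp = sctp_make_mp(sctp, sctp->sctp_current, sizeof (*cach));
	if (camp == NULL) {
		/* XXX should abort, but don't have the inmp anymore */
		SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed);
		return;
	}

	cach = (sctp_chunk_hdr_t *)camp->b_wptr;
	camp->b_wptr = (uchar_t *)(cach + 1);
	cach->sch_id = CHUNK_COOKIE_ACK;
	cach->sch_flags = 0;
	cach->sch_len = htons(sizeof (*cach));

	BUMP_LOCAL(sctp->sctp_obchunks);

	sctp_set_iplen(sctp, camp, sctp->sctp_current->sf_ixa);
	(void) conn_ip_output(camp, sctp->sctp_current->sf_ixa);
	BUMP_LOCAL(sctp->sctp_opkts);
}

/*
 * Scan 'len' bytes of parameters starting at sph for an adaptation layer
 * indication and return its 32-bit code (as found on the wire) through
 * adaptation_code.  Returns 0 when found, -1 otherwise.
 */
static int
sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code)
{

	/*
	 * len is signed and peer-derived; compare it as such so a short
	 * or wrapped length fails here instead of promoting to a huge
	 * unsigned value.
	 */
	if (len < (ssize_t)sizeof (*sph))
		return (-1);
	while (sph != NULL) {
		if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) &&
		    ntohs(sph->sph_len) >= (sizeof (*sph) +
		    sizeof (uint32_t))) {
			*adaptation_code = *(uint32_t *)(sph + 1);
			return (0);
		}
		sph = sctp_next_parm(sph, &len);
	}
	return (-1);
}

void
sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp,
    ip_recv_attr_t *ira)
{
	mblk_t			*cemp;
	mblk_t			*mp = NULL;
	mblk_t			*head;
	mblk_t			*meta;
	sctp_faddr_t		*fp;
	sctp_chunk_hdr_t	*cech;
	sctp_init_chunk_t	*iack;
	int32_t			cansend;
	int32_t			seglen;
	size_t			ceclen;
	sctp_parm_hdr_t		*cph;
	sctp_data_hdr_t		*sdc;
	sctp_tf_t		*tf;
	int			pad = 0;
	int			hdrlen;
	mblk_t			*errmp = NULL;
	uint_t			sctp_options;
	int			error;
	uint16_t		old_num_str;
	sctp_stack_t		*sctps = sctp->sctp_sctps;

	sdc = NULL;
	seglen = 0;
	iack = (sctp_init_chunk_t *)(iackch + 1);

	cph = NULL;
	if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp,
	    &pad, &sctp_options, ira) == 0) { /* result in 'pad' ignored */
		SCTPS_BUMP_MIB(sctps, sctpAborted);
		sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL);
		sctp_clean_death(sctp, ECONNABORTED);
		return;
	}
	ASSERT(cph != NULL);

	ASSERT(sctp->sctp_cookie_mp == NULL);

	/* Got a cookie to echo back; allocate an mblk */
	ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph);
	if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0)
		pad = SCTP_ALIGN - pad;

	if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION)
		hdrlen = sctp->sctp_hdr_len;
	else
		hdrlen = sctp->sctp_hdr6_len;

	cemp = allocb(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad,
	    BPRI_MED);
	if (cemp == NULL) {
		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,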
sctp->sctp_current->sf_rto); 980 if (errmp != NULL) 981 freeb(errmp); 982 return; 983 } 984 cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen); 985 986 /* Process the INIT ACK */ 987 sctp->sctp_sctph->sh_verf = iack->sic_inittag; 988 sctp->sctp_sctph6->sh_verf = iack->sic_inittag; 989 sctp->sctp_fvtag = iack->sic_inittag; 990 sctp->sctp_ftsn = ntohl(iack->sic_inittsn); 991 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 992 sctp->sctp_fcsn = sctp->sctp_lastacked; 993 sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd); 994 995 /* 996 * Populate sctp with addresses given in the INIT ACK or IP header. 997 * Need to set the df bit in the current fp as it has been cleared 998 * in sctp_connect(). 999 */ 1000 sctp->sctp_current->sf_df = B_TRUE; 1001 sctp->sctp_ipha->ipha_fragment_offset_and_flags |= IPH_DF_HTONS; 1002 1003 /* 1004 * Since IP uses this info during the fanout process, we need to hold 1005 * the lock for this hash line while performing this operation. 1006 */ 1007 /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, connp->conn_ports); */ 1008 ASSERT(sctp->sctp_conn_tfp != NULL); 1009 tf = sctp->sctp_conn_tfp; 1010 /* sctp isn't a listener so only need to hold conn fanout lock */ 1011 mutex_enter(&tf->tf_lock); 1012 if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) { 1013 mutex_exit(&tf->tf_lock); 1014 freeb(cemp); 1015 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 1016 sctp->sctp_current->sf_rto); 1017 if (errmp != NULL) 1018 freeb(errmp); 1019 return; 1020 } 1021 mutex_exit(&tf->tf_lock); 1022 1023 fp = sctp->sctp_current; 1024 1025 /* 1026 * There could be a case when we get an INIT-ACK again, if the INIT 1027 * is re-transmitted, for e.g., which means we would have already 1028 * allocated this resource earlier (also for sctp_instr). In this 1029 * case we check and re-allocate, if necessary. 
1030 */ 1031 old_num_str = sctp->sctp_num_ostr; 1032 if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr) 1033 sctp->sctp_num_ostr = ntohs(iack->sic_instr); 1034 if (sctp->sctp_ostrcntrs == NULL) { 1035 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 1036 sctp->sctp_num_ostr, KM_NOSLEEP); 1037 } else { 1038 ASSERT(old_num_str > 0); 1039 if (old_num_str != sctp->sctp_num_ostr) { 1040 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 1041 old_num_str); 1042 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 1043 sctp->sctp_num_ostr, KM_NOSLEEP); 1044 } 1045 } 1046 if (sctp->sctp_ostrcntrs == NULL) { 1047 freeb(cemp); 1048 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto); 1049 if (errmp != NULL) 1050 freeb(errmp); 1051 return; 1052 } 1053 1054 /* 1055 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs 1056 * hold here too. 1057 */ 1058 old_num_str = sctp->sctp_num_istr; 1059 if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr) 1060 sctp->sctp_num_istr = ntohs(iack->sic_outstr); 1061 if (sctp->sctp_instr == NULL) { 1062 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 1063 sctp->sctp_num_istr, KM_NOSLEEP); 1064 } else { 1065 ASSERT(old_num_str > 0); 1066 if (old_num_str != sctp->sctp_num_istr) { 1067 kmem_free(sctp->sctp_instr, 1068 sizeof (*sctp->sctp_instr) * old_num_str); 1069 sctp->sctp_instr = kmem_zalloc( 1070 sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr, 1071 KM_NOSLEEP); 1072 } 1073 } 1074 if (sctp->sctp_instr == NULL) { 1075 kmem_free(sctp->sctp_ostrcntrs, 1076 sizeof (uint16_t) * sctp->sctp_num_ostr); 1077 freeb(cemp); 1078 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto); 1079 if (errmp != NULL) 1080 freeb(errmp); 1081 return; 1082 } 1083 1084 if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware) 1085 sctp->sctp_prsctp_aware = B_FALSE; 1086 1087 if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1), 1088 ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)), 1089 &sctp->sctp_rx_adaptation_code) == 0) { 
1090 sctp->sctp_recv_adaptation = 1; 1091 } 1092 1093 cech = (sctp_chunk_hdr_t *)cemp->b_rptr; 1094 ASSERT(OK_32PTR(cech)); 1095 cech->sch_id = CHUNK_COOKIE; 1096 cech->sch_flags = 0; 1097 cech->sch_len = htons(ceclen); 1098 1099 /* Copy the cookie (less the parm hdr) to the chunk */ 1100 bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph)); 1101 1102 cemp->b_wptr = cemp->b_rptr + ceclen; 1103 1104 if (sctp->sctp_unsent > 0) { 1105 sctp_msg_hdr_t *smh; 1106 mblk_t *prev = NULL; 1107 uint32_t unsent = 0; 1108 1109 mp = sctp->sctp_xmit_unsent; 1110 do { 1111 smh = (sctp_msg_hdr_t *)mp->b_rptr; 1112 if (smh->smh_sid >= sctp->sctp_num_ostr) { 1113 unsent += smh->smh_msglen; 1114 if (prev != NULL) 1115 prev->b_next = mp->b_next; 1116 else 1117 sctp->sctp_xmit_unsent = mp->b_next; 1118 mp->b_next = NULL; 1119 sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID, 1120 B_FALSE); 1121 if (prev != NULL) 1122 mp = prev->b_next; 1123 else 1124 mp = sctp->sctp_xmit_unsent; 1125 } else { 1126 prev = mp; 1127 mp = mp->b_next; 1128 } 1129 } while (mp != NULL); 1130 if (unsent > 0) { 1131 ASSERT(sctp->sctp_unsent >= unsent); 1132 sctp->sctp_unsent -= unsent; 1133 /* 1134 * Update ULP the amount of queued data, which is 1135 * sent-unack'ed + unsent. 1136 * This is not necessary, but doesn't harm, we 1137 * just use unsent instead of sent-unack'ed + 1138 * unsent, since there won't be any sent-unack'ed 1139 * here. 1140 */ 1141 if (!SCTP_IS_DETACHED(sctp)) 1142 SCTP_TXQ_UPDATE(sctp); 1143 } 1144 if (sctp->sctp_xmit_unsent == NULL) 1145 sctp->sctp_xmit_unsent_tail = NULL; 1146 } 1147 ceclen += pad; 1148 cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd); 1149 meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen, 1150 cansend, NULL); 1151 /* 1152 * The error cannot be anything else since we could have an non-zero 1153 * error only if sctp_get_msg_to_send() tries to send a Forward 1154 * TSN which will not happen here. 
1155 */ 1156 ASSERT(error == 0); 1157 if (meta == NULL) 1158 goto sendcookie; 1159 sctp->sctp_xmit_tail = meta; 1160 sdc = (sctp_data_hdr_t *)mp->b_rptr; 1161 seglen = ntohs(sdc->sdh_len); 1162 if ((ceclen + seglen) > fp->sf_pmss || 1163 (seglen - sizeof (*sdc)) > cansend) { 1164 goto sendcookie; 1165 } 1166 /* OK, if this fails */ 1167 cemp->b_cont = dupmsg(mp); 1168 sendcookie: 1169 head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL); 1170 if (head == NULL) { 1171 freemsg(cemp); 1172 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto); 1173 if (errmp != NULL) 1174 freeb(errmp); 1175 SCTP_KSTAT(sctps, sctp_send_cookie_failed); 1176 return; 1177 } 1178 /* 1179 * Even if cookie-echo exceeds MTU for one of the hops, it'll 1180 * have a chance of getting there. 1181 */ 1182 if (fp->sf_isv4) { 1183 ipha_t *iph = (ipha_t *)head->b_rptr; 1184 iph->ipha_fragment_offset_and_flags = 0; 1185 } 1186 BUMP_LOCAL(sctp->sctp_obchunks); 1187 1188 sctp->sctp_cookie_mp = dupmsg(head); 1189 /* Don't bundle, we will just resend init if this cookie is lost. 
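 */
	if (sctp->sctp_cookie_mp == NULL) {
		if (cemp->b_cont != NULL) {
			freemsg(cemp->b_cont);
			cemp->b_cont = NULL;
		}
	} else if (cemp->b_cont != NULL) {
		ASSERT(mp != NULL && mp == meta->b_cont);
		SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont);
		cemp->b_wptr += pad;
		seglen -= sizeof (*sdc);
		SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta);
	}
	if (errmp != NULL) {
		if (cemp->b_cont == NULL)
			cemp->b_wptr += pad;
		linkb(head, errmp);
	}
	sctp->sctp_state = SCTPS_COOKIE_ECHOED;
	SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);

	sctp_set_iplen(sctp, head, fp->sf_ixa);
	(void) conn_ip_output(head, fp->sf_ixa);
	BUMP_LOCAL(sctp->sctp_opkts);
}

/*
 * Compare two cookie digests without stopping at the first mismatching
 * byte, so the time taken does not depend on how many leading bytes of
 * the peer-supplied digest happen to be right.
 *
 * a, b		the two digests
 * len		number of bytes to compare
 *
 * Returns 0 if the digests are identical, non-zero otherwise.
 */
static int
sctp_cookie_mac_cmp(const uchar_t *a, const uchar_t *b, size_t len)
{
	uchar_t acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= a[i] ^ b[i];
	return (acc != 0);
}

/*
 * Validate a received COOKIE ECHO chunk and work out what it means for
 * this association.
 *
 * The cookie was produced by this stack; its integrity is proven by the
 * HMAC-MD5 ICV computed with sctp_secret (or, during a secret roll-over,
 * with sctp_old_secret).  Nothing in the cookie body is trusted before
 * the ICV matches.  Once it does, the body is read with this layout:
 *
 *	int64_t		timestamp (creation time, lbolt ticks)
 *	uint32_t	cookie lifetime
 *	uint32_t	local tie-tag
 *	uint32_t	peer tie-tag
 *	in6_addr_t	peer address
 *	INIT ACK chunk	(the one we sent, header-less)
 *	INIT chunk	(header + body, the one we received)
 *
 * NOTE(review): the cookie body length (clen) is not checked against
 * that layout; this relies on the ICV proving the cookie is one we
 * built ourselves.
 *
 * sctp		the association (or listener) the chunk was matched to
 * ch		the COOKIE ECHO chunk header; the cookie follows it
 * cmp		the mblk holding the packet, needed if an ABORT is sent
 * iackpp	OUT: set to the INIT ACK embedded in the cookie
 * insctph	the SCTP common header of the packet (source of the ports)
 * recv_adaptation
 *		OUT: 1 if the embedded INIT carries an adaptation-layer
 *		indication, 0 otherwise
 * peer_addr	OUT, may be NULL: receives the peer address from the cookie
 * ira		IP receive attributes, passed through to the callees that
 *		may transmit
 *
 * Returns 0 if the cookie was accepted (the association may have been
 * established here per RFC 4960 section 5.2.4), -1 if the chunk must be
 * dropped: bad length or ICV, stale cookie (an ABORT is sent), failed
 * restart check, duplicate or late cookie, or an unrecognized tie-tag
 * combination.
 */
int
sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
    sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaptation,
    in6_addr_t *peer_addr, ip_recv_attr_t *ira)
{
	int32_t clen;
	size_t initplen;
	uchar_t *p;
	uchar_t *given_hash;
	uchar_t needed_hash[16];
	int64_t ts;
	int64_t diff;
	uint32_t *lt;
	sctp_init_chunk_t *iack;
	sctp_chunk_hdr_t *initch;
	sctp_init_chunk_t *init;
	uint32_t *lttag;
	uint32_t *fttag;
	uint32_t ports;
	sctp_stack_t *sctps = sctp->sctp_sctps;
	conn_t *connp = sctp->sctp_connp;

	BUMP_LOCAL(sctp->sctp_ibchunks);

	/*
	 * Verify the ICV.  The chunk must hold at least its header and the
	 * 16 byte digest; clen is the number of cookie bytes that were
	 * MACed.  Do the arithmetic in a signed type so a short chunk
	 * yields a negative length rather than relying on wrap-around.
	 */
	clen = (int32_t)ntohs(ch->sch_len) - (int32_t)(sizeof (*ch) + 16);
	if (clen < 0) {
		dprint(1, ("invalid cookie chunk length %d\n",
		    ntohs(ch->sch_len)));

		return (-1);
	}
	p = (uchar_t *)(ch + 1);

	hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN,
	    needed_hash);

	/* The given hash follows the cookie data */
	given_hash = p + clen;

	if (sctp_cookie_mac_cmp(given_hash, needed_hash, 16) != 0) {
		/* The secret may have changed; try the old secret */
		hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret,
		    SCTP_SECRET_LEN, needed_hash);
		if (sctp_cookie_mac_cmp(given_hash, needed_hash, 16) != 0) {
			return (-1);
		}
	}

	/* Timestamp is int64_t, and we only guarantee 32-bit alignment */
	bcopy(p, &ts, sizeof (ts));
	/* Cookie life time, uint32_t */
	lt = (uint32_t *)(p + sizeof (ts));

	/*
	 * To quote PRC, "this is our baby", so let's continue.
	 * We need to pull out the encapsulated INIT ACK and
	 * INIT chunks. Note that we don't process these until
	 * we have verified the timestamp, but we need them before
	 * processing the timestamp since if the time check fails,
	 * we need to get the verification tag from the INIT in order
	 * to send a stale cookie error.
	 */
	lttag = (uint32_t *)(lt + 1);
	fttag = lttag + 1;
	if (peer_addr != NULL)
		bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t));
	iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t));
	initch = (sctp_chunk_hdr_t *)(iack + 1);
	init = (sctp_init_chunk_t *)(initch + 1);
	/* Length of the parameters that follow the embedded INIT */
	initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch));
	*iackpp = iack;
	*recv_adaptation = 0;

	/*
	 * Check the staleness of the Cookie, specified in 3.3.10.3 of
	 * RFC 2960.
	 *
	 * The measure of staleness is the difference, in microseconds,
	 * between the current time and the time the State Cookie expires.
	 * So it is lbolt64 - (ts + *lt). If it is positive, it means
	 * that the Cookie has expired.
	 *
	 * A cookie whose tags both match the association's current tags
	 * (section 5.2.4 case D, a retransmitted COOKIE ECHO) is exempt
	 * from the lifetime check.
	 */
	diff = LBOLT_FASTPATH64 - (ts + *lt);
	if (diff > 0 && (init->sic_inittag != sctp->sctp_fvtag ||
	    iack->sic_inittag != sctp->sctp_lvtag)) {
		uint32_t staleness;

		/* The error cause carries a 32-bit value; truncation is expected */
		staleness = TICK_TO_USEC(diff);
		/* Log the host-order value before converting it for the wire */
		dprint(1, ("stale cookie %u\n", staleness));
		staleness = htonl(staleness);
		sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE,
		    (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE,
		    ira);

		return (-1);
	}

	/* Check for attack by adding addresses to a restart */
	bcopy(insctph, &ports, sizeof (ports));
	if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP,
	    sctps, ira) != 1) {
		return (-1);
	}

	/* Look for adaptation code if there are any parms in the INIT chunk */
	if ((initplen >= sizeof (sctp_parm_hdr_t)) &&
	    (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen,
	    &sctp->sctp_rx_adaptation_code) == 0)) {
		*recv_adaptation = 1;
	}

	/*
	 * Examine tie-tags (RFC 4960 section 5.2.4).  Only meaningful once
	 * an association has been started on this sctp_t; a listener just
	 * accepts the cookie.
	 */
	if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) {
		if (sctp->sctp_state == SCTPS_ESTABLISHED &&
		    init->sic_inittag == sctp->sctp_fvtag &&
		    iack->sic_inittag == sctp->sctp_lvtag &&
		    *fttag == 0 && *lttag == 0) {

			dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
			    (int)(connp->conn_fport)));
			return (-1);
		}

		if (init->sic_inittag != sctp->sctp_fvtag &&
		    iack->sic_inittag != sctp->sctp_lvtag &&
		    *fttag == sctp->sctp_fvtag &&
		    *lttag == sctp->sctp_lvtag) {
			int i;

			/* Section 5.2.4 case A: restart */
			sctp->sctp_fvtag = init->sic_inittag;
			sctp->sctp_lvtag = iack->sic_inittag;

			sctp->sctp_sctph->sh_verf = init->sic_inittag;
			sctp->sctp_sctph6->sh_verf = init->sic_inittag;

			sctp->sctp_ftsn = ntohl(init->sic_inittsn);
			sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
			sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
			sctp->sctp_fcsn = sctp->sctp_lastacked;

			if (sctp->sctp_state < SCTPS_ESTABLISHED)
				SCTP_ASSOC_EST(sctps, sctp);

			dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n",
			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
			    (int)(connp->conn_fport)));
			/* reset parameters */
			sctp_congest_reset(sctp);

			/* reset stream bookkeeping */
			sctp_instream_cleanup(sctp, B_FALSE);

			sctp->sctp_istr_nmsgs = 0;
			sctp->sctp_rxqueued = 0;
			for (i = 0; i < sctp->sctp_num_ostr; i++) {
				sctp->sctp_ostrcntrs[i] = 0;
			}
			/* XXX flush xmit_list? */

			return (0);
		} else if (init->sic_inittag != sctp->sctp_fvtag &&
		    iack->sic_inittag == sctp->sctp_lvtag) {

			/* Section 5.2.4 case B: INIT collision */
			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
				if (!sctp_initialize_params(sctp, init, iack))
					return (-1);	/* Drop? */
				SCTP_ASSOC_EST(sctps, sctp);
			}

			dprint(1, ("init collision with %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
			    (int)(connp->conn_fport)));

			return (0);
		} else if (iack->sic_inittag != sctp->sctp_lvtag &&
		    init->sic_inittag == sctp->sctp_fvtag &&
		    *fttag == 0 && *lttag == 0) {

			/* Section 5.2.4 case C: late COOKIE */
			dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
			    (int)(connp->conn_fport)));
			return (-1);
		} else if (init->sic_inittag == sctp->sctp_fvtag &&
		    iack->sic_inittag == sctp->sctp_lvtag) {

			/*
			 * Section 5.2.4 case D: COOKIE ECHO retransmit
			 * Don't check cookie lifetime (the staleness test
			 * above already skipped this case)
			 */
			dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
			    (int)(connp->conn_fport)));
			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
				if (!sctp_initialize_params(sctp, init, iack))
					return (-1);	/* Drop? */
				SCTP_ASSOC_EST(sctps, sctp);
			}
			return (0);
		} else {
			/* unrecognized case -- silently drop it */
			return (-1);
		}
	}

	return (0);
}

/*
 * Similar to ip_fanout_sctp, except that the src addr(s) are drawn
 * from address parameters in an INIT ACK's address list. This
 * function is used when an INIT ACK is received but IP's fanout
 * function could not find a sctp via the normal lookup routine.
 * This can happen when a host sends an INIT ACK from a different
 * address than the INIT was sent to.
 *
 * mp		the packet, starting at the IP header (v4 or v6)
 * sctph	the SCTP common header; only its ports are used
 * ich		the INIT ACK chunk header
 * zoneid	zone to restrict the lookup to
 * sctps	the SCTP stack instance
 *
 * Returns the sctp_t if found, or NULL if not found.  The packet is
 * only read, never modified.
 */
sctp_t *
sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich,
    zoneid_t zoneid, sctp_stack_t *sctps)
{
	int isv4;
	ipha_t *iph;
	ip6_t *ip6h;
	in6_addr_t dst;
	in6_addr_t src;		/* v4-mapped form of a PARM_ADDR4 */
	in6_addr_t *srcp;	/* address to look up in this iteration */
	sctp_parm_hdr_t *ph;
	ssize_t remaining;
	sctp_init_chunk_t *iack;
	uint32_t ports;
	sctp_t *sctp = NULL;

	ASSERT(ich->sch_id == CHUNK_INIT_ACK);

	isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
	if (isv4) {
		iph = (ipha_t *)mp->b_rptr;
		IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst);
	} else {
		ip6h = (ip6_t *)mp->b_rptr;
		dst = ip6h->ip6_dst;
	}

	/* The ports are the first 32 bits of the common header */
	bcopy(sctph, &ports, sizeof (ports));

	dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n",
	    ports, SCTP_PRINTADDR(dst)));

	/*
	 * pull out any address parameters.  Keep the arithmetic signed so
	 * a chunk shorter than the INIT ACK fixed part is rejected here
	 * instead of turning into a huge unsigned remainder.
	 */
	remaining = (ssize_t)ntohs(ich->sch_len) -
	    (ssize_t)(sizeof (*ich) + sizeof (*iack));
	if (remaining < (ssize_t)sizeof (*ph)) {
		return (NULL);
	}

	iack = (sctp_init_chunk_t *)(ich + 1);
	ph = (sctp_parm_hdr_t *)(iack + 1);

	while (ph != NULL) {
		/*
		 * params have been verified in sctp_check_input(),
		 * so no need to do it again here.
		 *
		 * For labeled systems, there's no need to check the
		 * label here.  It's known to be good as we checked
		 * before allowing the connection to become bound.
		 *
		 * According to RFC4960 :
		 * All integer fields in an SCTP packet MUST be transmitted
		 * in network byte order, unless otherwise stated.
		 * Therefore convert the param type to network byte order.
		 */
		if (ph->sph_type == htons(PARM_ADDR4)) {
			/*
			 * Always build the mapped address in the local
			 * buffer, never through srcp: a preceding
			 * PARM_ADDR6 leaves srcp pointing into the packet.
			 */
			IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1),
			    &src);
			srcp = &src;
		} else if (ph->sph_type == htons(PARM_ADDR6)) {
			srcp = (in6_addr_t *)(ph + 1);
		} else {
			srcp = NULL;
		}

		if (srcp != NULL) {
			sctp = sctp_conn_match(&srcp, 1, &dst, ports, zoneid,
			    0, sctps);

			dprint(1,
			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
			    SCTP_PRINTADDR(*srcp), (void *)sctp));

			if (sctp != NULL) {
				return (sctp);
			}
		}

		ph = sctp_next_parm(ph, &remaining);
	}

	return (NULL);
}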