1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/types.h> 30 #include <sys/systm.h> 31 #include <sys/stream.h> 32 #include <sys/cmn_err.h> 33 #include <sys/md5.h> 34 #include <sys/kmem.h> 35 #include <sys/strsubr.h> 36 #include <sys/random.h> 37 38 #include <netinet/in.h> 39 #include <netinet/ip6.h> 40 41 #include <inet/common.h> 42 #include <inet/ip.h> 43 #include <inet/ip6.h> 44 #include <inet/sctp_ip.h> 45 #include <inet/ipclassifier.h> 46 #include "sctp_impl.h" 47 48 /* 49 * From RFC 2104. This should probably go into libmd5 (and while 50 * we're at it, maybe we should make a libdigest so we can later 51 * add SHA1 and others, esp. since some weaknesses have been found 52 * with MD5). 
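*
 * text		IN	pointer to data stream
 * text_len	IN	length of data stream
 * key		IN	pointer to authentication key
 * key_len	IN	length of authentication key
 * digest	OUT	caller digest to be filled in (16 bytes)
 *
 * In this file the key is the endpoint's cookie secret (sctp_secret /
 * sctp_old_secret), so everything derived from it on the stack -- the
 * XORed pads, the folded key and the MD5 context -- is scrubbed before
 * returning.  bzero() is used because that is what the rest of this
 * file uses; if a compiler ever treats it as a builtin the dead-store
 * elimination risk would call for an explicit_bzero-style primitive.
 *
 * The MD5 weaknesses referred to above are collision attacks; they do
 * not by themselves break HMAC-MD5 as a MAC.  What the cookie relies on
 * is the secret staying secret.
 */
static void
hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len,
    uchar_t *digest)
{
	MD5_CTX context;
	uchar_t k_ipad[64];	/* inner padding - key XORd with ipad */
	uchar_t k_opad[64];	/* outer padding - key XORd with opad */
	uchar_t tk[16];		/* MD5(key), used when key > one block */
	int i;

	/* RFC 2104: a key longer than the 64-byte block is first hashed */
	if (key_len > 64) {
		MD5_CTX tctx;

		MD5Init(&tctx);
		MD5Update(&tctx, key, key_len);
		MD5Final(tk, &tctx);
		bzero(&tctx, sizeof (tctx));

		key = tk;
		key_len = 16;
	}

	/*
	 * The HMAC_MD5 transform is
	 *
	 *	MD5(K XOR opad, MD5(K XOR ipad, text))
	 *
	 * where K is the key zero-padded to 64 bytes, ipad is the byte
	 * 0x36 repeated 64 times, opad is the byte 0x5c repeated 64 times,
	 * and text is the data being protected.
	 */
	bzero(k_ipad, sizeof (k_ipad));
	bzero(k_opad, sizeof (k_opad));
	bcopy(key, k_ipad, key_len);
	bcopy(key, k_opad, key_len);

	for (i = 0; i < 64; i++) {
		k_ipad[i] ^= 0x36;
		k_opad[i] ^= 0x5c;
	}

	/* inner pass: digest temporarily holds MD5(K ^ ipad || text) */
	MD5Init(&context);
	MD5Update(&context, k_ipad, 64);
	MD5Update(&context, text, text_len);
	MD5Final(digest, &context);

	/* outer pass: MD5(K ^ opad || inner) overwrites digest with the MAC */
	MD5Init(&context);
	MD5Update(&context, k_opad, 64);
	MD5Update(&context, digest, 16);
	MD5Final(digest, &context);

	/* Don't leave key-derived material lying on the stack. */
	bzero(k_ipad, sizeof (k_ipad));
	bzero(k_opad, sizeof (k_opad));
	bzero(tk, sizeof (tk));
	bzero(&context, sizeof (context));
}

/*
 * If inmp is non-NULL, and we need to abort, it will use the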
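* IP/SCTP info in inmp to send the abort.  Otherwise, no abort will be sent.
 * If errmp is non-NULL, a chain of unrecognized parameters will
 * be created and returned via *errmp.
 *
 * This runs on an unauthenticated INIT (or, when want_cookie is set, on
 * an INIT ACK), so every length it uses comes from the peer.  The chunk
 * header and the fixed INIT part are assumed to lie inside the packet;
 * the parameter walk is bounded by 'remaining' and sctp_next_parm().
 *
 * sctp		the listener (INIT) or the connecting endpoint (INIT ACK)
 * ch		the INIT / INIT ACK chunk header
 * init		the fixed part of the chunk, immediately after ch
 * inmp		the incoming packet; only used to address an ABORT
 * want_cookie	if non-NULL the chunk must carry a State Cookie, and its
 *		parameter header is returned through this pointer
 * errmp	if non-NULL, Unrecognized Parameter error causes are
 *		collected here for the caller to send
 * supp_af	out: PARM_SUPP_V4 / PARM_SUPP_V6 bits from a Supported
 *		Address Types parameter, 0 if the parameter is absent
 * sctp_options	out (may be NULL): SCTP_PRSCTP_OPTION if the peer
 *		advertised Forward TSN support
 *
 * Unknown parameter types are handled by the two high bits of the type
 * as RFC 2960 3.2.1 prescribes: 11 report and continue, 01 stop and
 * report, 10 skip silently, 00 stop silently.
 *
 * Returns 1 if the parameters are OK (or there are no parameters), or
 * 0 if not.
 */
static int
validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch,
    sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie,
    mblk_t **errmp, int *supp_af, uint_t *sctp_options)
{
	sctp_parm_hdr_t *cph;
	sctp_init_chunk_t *ic;
	ssize_t remaining;
	uint16_t serror = 0;
	char *details = NULL;
	size_t errlen = 0;
	boolean_t got_cookie = B_FALSE;
	uint16_t ptype;

	*supp_af = 0;

	if (sctp_options != NULL)
		*sctp_options = 0;

	/* First validate stream parameters: zero streams is illegal */
	if (init->sic_instr == 0 || init->sic_outstr == 0) {
		serror = SCTP_ERR_BAD_MANDPARM;
		dprint(1,
		    ("validate_init_params: bad sid, is=%d os=%d\n",
		    htons(init->sic_instr), htons(init->sic_outstr)));
		goto abort;
	}
	/* A zero Initiate Tag is reserved and must be rejected */
	if (ntohl(init->sic_inittag) == 0) {
		serror = SCTP_ERR_BAD_MANDPARM;
		dprint(1, ("validate_init_params: inittag = 0\n"));
		goto abort;
	}

	remaining = ntohs(ch->sch_len) - sizeof (*ch);
	ic = (sctp_init_chunk_t *)(ch + 1);
	remaining -= sizeof (*ic);
	/*
	 * 'remaining' is signed on purpose: a chunk shorter than the fixed
	 * INIT part makes it negative.  The cast keeps this comparison
	 * signed; without it a negative value would be converted to size_t,
	 * compare as huge, and we would start walking "parameters" beyond
	 * the chunk.  (The input path may already reject such chunks; this
	 * keeps the check self-contained.)
	 */
	if (remaining < (ssize_t)sizeof (*cph)) {
		/* Nothing to validate */
		if (want_cookie != NULL)
			goto cookie_abort;
		return (1);
	}

	cph = (sctp_parm_hdr_t *)(ic + 1);

	while (cph != NULL) {
		ptype = ntohs(cph->sph_type);
		switch (ptype) {
		case PARM_HBINFO:
		case PARM_UNRECOGNIZED:
		case PARM_ECN:
			/* just ignore them */
			break;
		case PARM_FORWARD_TSN:
			if (sctp_options != NULL)
				*sctp_options |= SCTP_PRSCTP_OPTION;
			break;
		case PARM_COOKIE:
			got_cookie = B_TRUE;
			if (want_cookie != NULL) {
				*want_cookie = cph;
			}
			break;
		case PARM_ADDR4:
		case PARM_ADDR6:
		case PARM_COOKIE_PRESERVE:
		case PARM_ADAPT_LAYER_IND:
			/* These are OK */
			break;
		case PARM_ADDR_HOST_NAME:
			/* Don't support this; abort the association */
			serror = SCTP_ERR_BAD_ADDR;
			details = (char *)cph;
			errlen = ntohs(cph->sph_len);
			dprint(1, ("sctp:validate_init_params: host addr\n"));
			goto abort;
		case PARM_SUPP_ADDRS: {
			/* Make sure we have a supported addr intersection */
			uint16_t *p, addrtype;
			int plen;

			/*
			 * sph_len counts the 4-byte parameter header as
			 * well (RFC 2960 3.2.1); only the bytes after the
			 * header are address-type values.  Counting the
			 * header would read two uint16_t's past the end of
			 * the parameter -- into the next parameter, or past
			 * the chunk for the last one -- and could also set
			 * spurious supp_af bits from whatever is there.
			 * Values are 16-bit, so a trailing odd byte is
			 * ignored rather than half-read.
			 */
			plen = (int)ntohs(cph->sph_len) - (int)sizeof (*cph);
			p = (uint16_t *)(cph + 1);
			while (plen >= (int)sizeof (*p)) {
				addrtype = ntohs(*p);
				switch (addrtype) {
				case PARM_ADDR6:
					*supp_af |= PARM_SUPP_V6;
					break;
				case PARM_ADDR4:
					*supp_af |= PARM_SUPP_V4;
					break;
				default:
					/*
					 * Do nothing, silently ignore hostname
					 * address.
					 */
					break;
				}
				p++;
				plen -= sizeof (*p);
			}
			/*
			 * Some sanity checks. The following should not
			 * fail unless the other side is broken.
			 *
			 * 1. If there is no supported address type yet the
			 *    supported address parameter is present, abort.
			 * 2. If this is a V4 endpoint but V4 address is not
			 *    supported, abort.
			 * 3. If this is a V6 only endpoint but V6 address is
			 *    not supported, abort. This assumes that a V6
			 *    endpoint can use both V4 and V6 addresses.
			 */
			if (*supp_af == 0 ||
			    (sctp->sctp_family == AF_INET &&
			    !(*supp_af & PARM_SUPP_V4)) ||
			    (sctp->sctp_family == AF_INET6 &&
			    !(*supp_af & PARM_SUPP_V6) &&
			    sctp->sctp_connp->conn_ipv6_v6only)) {
				dprint(1,
				    ("sctp:validate_init_params: no supp addr\n"));
				serror = SCTP_ERR_BAD_ADDR;
				goto abort;
			}
			break;
		}
		default:
			/* Unrecognized param; check the high order bits */
			if ((ptype & 0xc000) == 0xc000) {
				/*
				 * report unrecognized param, and
				 * keep processing
				 *
				 * NOTE(review): on the want_cookie path a
				 * second reportable parameter replaces
				 * *errmp instead of extending it, which
				 * would leak the first mblk -- confirm
				 * against sctp_make_err() before relying
				 * on multiple reports.
				 */
				if (errmp != NULL) {
					if (want_cookie != NULL) {
						*errmp = sctp_make_err(sctp,
						    PARM_UNRECOGNIZED,
						    (void *)cph,
						    ntohs(cph->sph_len));
					} else {
						sctp_add_unrec_parm(cph, errmp);
					}
				}
				break;
			}
			if (ptype & 0x4000) {
				/*
				 * Stop processing and drop; report
				 * unrecognized param
				 */
				serror = SCTP_ERR_UNREC_PARM;
				details = (char *)cph;
				errlen = ntohs(cph->sph_len);
				goto abort;
			}
			if (ptype & 0x8000) {
				/* skip and continue processing */
				break;
			}

			/*
			 * 2 high bits are clear; stop processing and
			 * drop packet
			 */
			return (0);
		}

		cph = sctp_next_parm(cph, &remaining);
	}

	if (want_cookie != NULL && !got_cookie) {
cookie_abort:
		dprint(1, ("validate_init_params: cookie absent\n"));
		sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM,
		    details, errlen, inmp, 0, B_FALSE);
		return (0);
	}

	/* OK */
	return (1);

abort:
	/*
	 * On the INIT ACK side the caller tears the association down
	 * itself; only the INIT side answers with an ABORT here.
	 */
	if (want_cookie != NULL)
		return (0);

	sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details,
	    errlen, inmp, 0, B_FALSE);
	return (0);
}

/*
 * Initialize params from the INIT and INIT-ACK when the assoc. is
 * established.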
*
 * Both chunks come out of a State Cookie that has already passed the
 * ICV check in sctp_process_cookie(), so they are ours to trust.  Note
 * that the INIT ACK copy embedded in the cookie has its stream counts
 * (sic_outstr / sic_instr) stored in host order by sctp_send_initack(),
 * which is why no ntohs() is applied to them here, while the INIT's
 * fields are still in wire order.
 *
 * Verification tags are kept in network byte order throughout; they are
 * only ever compared byte-for-byte.
 *
 * NOTE(review): any stream arrays already hanging off sctp are
 * overwritten rather than freed; this is only expected to run before
 * they exist -- verify with the callers in sctp_process_cookie().
 *
 * Returns B_TRUE on success, B_FALSE if either stream array could not
 * be allocated (in which case neither array is left allocated).
 */
boolean_t
sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init,
    sctp_init_chunk_t *iack)
{
	size_t osize;
	size_t isize;

	/* Peer's initial TSN; "last acked" is the one just before it. */
	sctp->sctp_ftsn = ntohl(init->sic_inittsn);
	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
	/* The cumulative serial number starts at the same point. */
	sctp->sctp_fcsn = sctp->sctp_lastacked;

	/* Tags: peer's from the INIT, ours from the INIT ACK. */
	sctp->sctp_fvtag = init->sic_inittag;
	sctp->sctp_lvtag = iack->sic_inittag;
	sctp->sctp_sctph->sh_verf = sctp->sctp_fvtag;
	sctp->sctp_sctph6->sh_verf = sctp->sctp_fvtag;

	/* Peer's advertised receive window. */
	sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);

	/* Outbound stream sequence counters. */
	sctp->sctp_num_ostr = iack->sic_outstr;
	osize = sizeof (uint16_t) * sctp->sctp_num_ostr;
	sctp->sctp_ostrcntrs = kmem_zalloc(osize, KM_NOSLEEP);
	if (sctp->sctp_ostrcntrs == NULL)
		return (B_FALSE);

	/* Inbound stream tracking. */
	sctp->sctp_num_istr = iack->sic_instr;
	isize = sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr;
	sctp->sctp_instr = kmem_zalloc(isize, KM_NOSLEEP);
	if (sctp->sctp_instr != NULL)
		return (B_TRUE);

	/* Second allocation failed: undo the first so nothing dangles. */
	kmem_free(sctp->sctp_ostrcntrs, osize);
	sctp->sctp_ostrcntrs = NULL;
	return (B_FALSE);
}

/*
 * Size of the State Cookie parameter we generate for a given INIT.
 * Everything from the timestamp through the copied INIT is covered by
 * the trailing MD5 HMAC; the parameter header is not.
 */
#define	SCTP_CALC_COOKIE_LEN(initcp)					\
	(sizeof (int64_t) +		/* timestamp */			\
	sizeof (uint32_t) +		/* cookie lifetime */		\
	sizeof (sctp_init_chunk_t) +	/* INIT ACK */			\
	sizeof (in6_addr_t) +		/* peer's original source */	\
	ntohs((initcp)->sch_len) +	/* peer's INIT */		\
	sizeof (uint32_t) +		/* local tie-tag */		\
	sizeof (uint32_t) +		/* peer tie-tag */		\
	sizeof (sctp_parm_hdr_t) +	/* param header */		\
	16)				/* MD5 hash */

void
sctp_send_initack(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *initmp)
{
	ipha_t *initiph;
	ip6_t *initip6h;
ipha_t *iackiph;
	ip6_t *iackip6h;
	sctp_chunk_hdr_t *iack_ch;
	sctp_init_chunk_t *iack;
	sctp_init_chunk_t *init;
	sctp_hdr_t *iacksh;
	sctp_hdr_t *initsh;
	size_t cookielen;
	size_t iacklen;
	size_t ipsctplen;
	size_t errlen = 0;
	sctp_parm_hdr_t *cookieph;
	mblk_t *iackmp;
	uint32_t itag;
	uint32_t itsn;
	int64_t *now;
	int64_t nowt;
	uint32_t *lifetime;
	char *p;
	boolean_t isv4;
	int supp_af;
	uint_t sctp_options;
	uint32_t *ttag;
	int pad;
	mblk_t *errmp = NULL;
	boolean_t initcollision = B_FALSE;

	/*
	 * Answer an INIT with an INIT ACK carrying a State Cookie.  No
	 * per-association state is created here: everything needed to
	 * finish the handshake later is serialized into the cookie and
	 * authenticated with an HMAC over the endpoint secret, which is
	 * what makes the listener resistant to INIT floods.
	 */
	BUMP_LOCAL(sctp->sctp_ibchunks);
	isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION);

	/* Extract the INIT chunk */
	if (isv4) {
		initiph = (ipha_t *)initmp->b_rptr;
		initsh = (sctp_hdr_t *)((char *)initiph +
		    IPH_HDR_LENGTH(initmp->b_rptr));
		ipsctplen = sctp->sctp_ip_hdr_len;
	} else {
		initip6h = (ip6_t *)initmp->b_rptr;
		initsh = (sctp_hdr_t *)(initip6h + 1);
		ipsctplen = sctp->sctp_ip_hdr6_len;
	}
	ASSERT(OK_32PTR(initsh));
	init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch));

	/*
	 * Make sure we like the peer's parameters.  On failure
	 * validate_init_params() has already sent any ABORT that is due.
	 */
	if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp,
	    &supp_af, &sctp_options) == 0) {
		return;
	}
	if (errmp != NULL)
		errlen = msgdsize(errmp);
	if (sctp->sctp_family == AF_INET) {
		/*
		 * Irregardless of the supported address in the INIT, v4
		 * must be supported.
		 */
		supp_af = PARM_SUPP_V4;
	} else {
		/*
		 * No supported addresses parameter in INIT. Assume
		 * both v4 and v6 are supported.
		 */
		if (supp_af == 0) {
			supp_af = PARM_SUPP_V6 | PARM_SUPP_V4;
		}
	}
	if (sctp->sctp_state <= SCTPS_LISTEN) {
		/*
		 * normal, expected INIT: generate new vtag and itsn.
		 * A zero tag is illegal on the wire (see the inittag check
		 * in validate_init_params), hence the fallback; it is only
		 * hit with probability 2^-32 and yields a less random tag.
		 */
		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
		if (itag == 0)
			itag = (uint32_t)gethrtime();
		itsn = itag + 1;
		itag = htonl(itag);
	} else if (sctp->sctp_state == SCTPS_COOKIE_WAIT ||
	    sctp->sctp_state == SCTPS_COOKIE_ECHOED) {
		/* init collision; copy vtag and itsn from sctp */
		itag = sctp->sctp_lvtag;
		itsn = sctp->sctp_ltsn;
		/*
		 * In addition we need to send all the params that was sent
		 * in our INIT chunk. Essentially, it is only the supported
		 * address params that we need to add.
		 */
		initcollision = B_TRUE;
	} else {
		/* peer restart; generate new vtag but keep everything else */
		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
		if (itag == 0)
			itag = (uint32_t)gethrtime();
		itag = htonl(itag);
		itsn = sctp->sctp_ltsn;
	}

	/*
	 * Allocate a mblk for the INIT ACK, consisting of the link layer
	 * header, the IP header, the SCTP common header, and INIT ACK chunk,
	 * and finally the COOKIE parameter.
	 */
	cookielen = SCTP_CALC_COOKIE_LEN(ch);
	iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen;
	if (sctp->sctp_send_adaption)
		iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t));
	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
	    sctp->sctp_prsctp_aware && sctp_prsctp_enabled) {
		iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION);
	}
	if (initcollision)
		iacklen += sctp_supaddr_param_len(sctp);
	iacklen += sctp_addr_params_len(sctp, supp_af);
	ipsctplen += sizeof (*iacksh) + iacklen;
	/*
	 * The unrecognized-parameter chain (errmp) is appended as a second
	 * mblk after the padded cookie.
	 *
	 * NOTE(review): 'pad' is added to the packet length below but not
	 * to iacklen, so when errlen > 0 and the cookie is not a multiple
	 * of 4 the chunk length excludes the pad bytes that sit before the
	 * error parameters -- confirm a receiver bounding its walk by
	 * sch_len still sees the whole last parameter.
	 */
	iacklen += errlen;
	if ((pad = ipsctplen % 4) != 0) {
		pad = 4 - pad;
		ipsctplen += pad;
	}
	iackmp = allocb(ipsctplen + sctp_wroff_xtra, BPRI_MED);
	if (iackmp == NULL) {
		sctp_send_abort(sctp, sctp_init2vtag(ch),
		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE);
		return;
	}

	/* Copy in the [imcomplete] IP/SCTP composite header */
	p = (char *)(iackmp->b_rptr + sctp_wroff_xtra);
	iackmp->b_rptr = (uchar_t *)p;
	if (isv4) {
		bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len);
		iackiph = (ipha_t *)p;

		/* Copy the peer's IP addr */
		iackiph->ipha_dst = initiph->ipha_src;
		iackiph->ipha_src = initiph->ipha_dst;
		iackiph->ipha_length = htons(ipsctplen + errlen);
		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len);
	} else {
		bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len);
		iackip6h = (ip6_t *)p;

		/* Copy the peer's IP addr */
		iackip6h->ip6_dst = initip6h->ip6_src;
		iackip6h->ip6_src = initip6h->ip6_dst;
		iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) +
		    errlen);
		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len);
	}
	ASSERT(OK_32PTR(iacksh));

	/* Fill in the holes in the SCTP common header */
	iacksh->sh_sport = initsh->sh_dport;
	iacksh->sh_dport = initsh->sh_sport;
	iacksh->sh_verf = init->sic_inittag;

	/* INIT ACK chunk header */
	iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1);
	iack_ch->sch_id = CHUNK_INIT_ACK;
	iack_ch->sch_flags = 0;
	iack_ch->sch_len = htons(iacklen);

	/* The INIT ACK itself */
	iack = (sctp_init_chunk_t *)(iack_ch + 1);
	iack->sic_inittag = itag;	/* already in network byteorder */
	iack->sic_inittsn = htonl(itsn);

	iack->sic_a_rwnd = htonl(sctp->sctp_rwnd);
	/* Advertise what we would want to have as stream #'s */
	iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr,
	    ntohs(init->sic_instr)));
	iack->sic_instr = htons(sctp->sctp_num_istr);

	p = (char *)(iack + 1);
	p += sctp_adaption_code_param(sctp, (uchar_t *)p);
	if (initcollision)
		p += sctp_supaddr_param(sctp, (uchar_t *)p);
	p += sctp_addr_params(sctp, supp_af, (uchar_t *)p);
	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
	    sctp->sctp_prsctp_aware && sctp_prsctp_enabled) {
		p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION);
	}
	/*
	 * Generate and lay in the COOKIE parameter.
	 *
	 * The cookie consists of, in this order:
	 * 1. The relative timestamp for the cookie (lbolt64)
	 * 2. The cookie lifetime (uint32_t) in tick
	 * 3. The local tie-tag
	 * 4. The peer tie-tag
	 * 5. Peer's original src, used to confirm the validity of address.
	 * 6. Our INIT ACK chunk, less any parameters
	 * 7. The INIT chunk (may contain parameters)
	 * 8. 128-bit MD5 signature.
	 *
	 * Items 1-7 are all under the HMAC, so a returned cookie cannot
	 * be replayed from another source address or with altered tags,
	 * TSNs or stream counts.  sctp_process_cookie() relies on this
	 * and parses nothing until the ICV has checked out.
	 *
	 * Since the timestamp values will only be evaluated locally, we
	 * don't need to worry about byte-ordering them.
	 */
	cookieph = (sctp_parm_hdr_t *)p;
	cookieph->sph_type = htons(PARM_COOKIE);
	cookieph->sph_len = htons(cookielen);

	/* timestamp (bcopy: only 32-bit alignment is guaranteed here) */
	now = (int64_t *)(cookieph + 1);
	nowt = lbolt64;
	bcopy(&nowt, now, sizeof (*now));

	/* cookie lifetime -- need configuration */
	lifetime = (uint32_t *)(now + 1);
	*lifetime = sctp->sctp_cookie_lifetime;

	/*
	 * Set the tie-tags.  Zero means "no existing association"; for a
	 * collision or restart they carry the current tags so that
	 * sctp_process_cookie() can tell the RFC 2960 5.2.4 cases apart.
	 */
	ttag = (uint32_t *)(lifetime + 1);
	if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) {
		*ttag = 0;
		ttag++;
		*ttag = 0;
		ttag++;
	} else {
		/* local tie-tag (network byte-order) */
		*ttag = sctp->sctp_lvtag;
		ttag++;
		/* peer tie-tag (network byte-order) */
		*ttag = sctp->sctp_fvtag;
		ttag++;
	}
	/*
	 * Copy in peer's original source address so that we can confirm
	 * the reachability later.
	 */
	p = (char *)ttag;
	if (isv4) {
		in6_addr_t peer_addr;

		IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr);
		bcopy(&peer_addr, p, sizeof (in6_addr_t));
	} else {
		bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t));
	}
	p += sizeof (in6_addr_t);
	/* Copy in our INIT ACK chunk */
	bcopy(iack, p, sizeof (*iack));
	iack = (sctp_init_chunk_t *)p;
	/*
	 * Set the # of streams we'll end up using.  These are stored in
	 * HOST order in the cookie copy (unlike the wire copy above);
	 * sctp_initialize_params() reads them back without ntohs().
	 */
	iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr));
	iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr));
	p += sizeof (*iack);

	/* Copy in the peer's INIT chunk */
	bcopy(ch, p, ntohs(ch->sch_len));
	p += ntohs(ch->sch_len);

	/*
	 * Calculate the HMAC ICV into the digest slot in buf.
	 * First, generate a new secret if the current secret is
	 * older than the new secret lifetime parameter permits,
	 * copying the current secret to sctp_old_secret.
	 *
	 * Only one previous secret is kept, so cookies minted under an
	 * older secret stop verifying; presumably sctp_cookie_lifetime is
	 * meant to be no longer than sctp_new_secret_interval -- confirm
	 * against the tunable defaults.  random_get_pseudo_bytes() is
	 * used for the secret as it is for the tags; whether that is
	 * strong enough for a MAC key is a policy question for the
	 * platform's random pool, not visible here.
	 */
	if (sctp_new_secret_interval > 0 &&
	    (sctp->sctp_last_secret_update +
	    MSEC_TO_TICK(sctp_new_secret_interval)) <= nowt) {
		bcopy(sctp->sctp_secret, sctp->sctp_old_secret,
		    SCTP_SECRET_LEN);
		(void) random_get_pseudo_bytes(sctp->sctp_secret,
		    SCTP_SECRET_LEN);
		sctp->sctp_last_secret_update = nowt;
	}

	/* MAC everything after the parameter header up to the digest slot */
	hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16,
	    (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p);

	iackmp->b_wptr = iackmp->b_rptr + ipsctplen;
	iackmp->b_cont = errmp;		/* OK if NULL */

	/*
	 * Stash the conn ptr info. for IP only as e don't have any
	 * cached IRE.
	 */
	SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL);

	/* XXX sctp == sctp_g_q, so using its obchunks is valid */
	BUMP_LOCAL(sctp->sctp_opkts);
	BUMP_LOCAL(sctp->sctp_obchunks);

	/* OK to call IP_PUT() here instead of sctp_add_sendq(). */
	CONN_INC_REF(sctp->sctp_connp);
	iackmp->b_flag |= MSGHASREF;
	IP_PUT(iackmp, sctp->sctp_connp, isv4);
}

/*
 * Queue a COOKIE ACK on the association.  On allocation failure the
 * chunk is simply not sent; the peer will retransmit its COOKIE ECHO.
 */
void
sctp_send_cookie_ack(sctp_t *sctp)
{
	sctp_chunk_hdr_t *cach;
	mblk_t *camp;

	camp = sctp_make_mp(sctp, NULL, sizeof (*cach));
	if (camp == NULL) {
		/* XXX should abort, but don't have the inmp anymore */
		return;
	}

	cach = (sctp_chunk_hdr_t *)camp->b_wptr;
	camp->b_wptr = (uchar_t *)(cach + 1);
	cach->sch_id = CHUNK_COOKIE_ACK;
	cach->sch_flags = 0;
	cach->sch_len = htons(sizeof (*cach));

	sctp_set_iplen(sctp, camp);

	BUMP_LOCAL(sctp->sctp_obchunks);

	sctp_add_sendq(sctp, camp);
}

/*
 * Look for an Adaptation Layer Indication parameter in a parameter list
 * of 'len' bytes starting at sph.  On success store the (wire-order)
 * code in *adaption_code and return 0; return -1 if absent.
 *
 * NOTE(review): 'len' is ssize_t but is compared against a size_t
 * sizeof below, so a negative len is not caught by the first check --
 * callers are expected to pass a non-negative length.
 */
static int
sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaption_code)
{

	if (len < sizeof (*sph))
		return (-1);
	while (sph != NULL) {
		if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) &&
		    ntohs(sph->sph_len) >= (sizeof (*sph) +
		    sizeof (uint32_t))) {
			*adaption_code = *(uint32_t *)(sph + 1);
			return (0);
		}
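sph = sctp_next_parm(sph, &len);
	}
	return (-1);
}

/*
 * Process a validated INIT ACK and send the COOKIE ECHO.
 *
 * sctp		the connecting endpoint (state COOKIE_WAIT)
 * iackch	the INIT ACK chunk header
 * iackmp	the packet carrying it (used for the peer's addresses)
 *
 * The peer's tags, TSN and window are taken from the INIT ACK, the
 * stream arrays are (re)allocated to the negotiated counts, the State
 * Cookie is copied verbatim into a COOKIE chunk, and a first DATA chunk
 * is bundled behind it if one fits.  Every resource failure restarts
 * the INIT timer and returns, which means this function can run again
 * for the same association when the INIT is retransmitted: each
 * early-return path must therefore leave sctp in a state this function
 * can safely be re-entered with.  In particular, a stream array that is
 * freed on the way out must also be NULLed -- the re-entry code below
 * tests the pointer and would otherwise reuse or double-free it.
 *
 * Invalid parameters abort the association (validate_init_params() does
 * not send an ABORT on this side; the cleanup here does).
 */
void
sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp)
{
	mblk_t *cemp;
	mblk_t *mp = NULL;
	mblk_t *head;
	mblk_t *meta;
	sctp_faddr_t *fp;
	sctp_chunk_hdr_t *cech;
	sctp_init_chunk_t *iack;
	int32_t cansend;
	int32_t seglen;
	size_t ceclen;
	sctp_parm_hdr_t *cph;
	sctp_data_hdr_t *sdc;
	sctp_tf_t *tf;
	int pad;
	int hdrlen;
	mblk_t *errmp = NULL;
	uint_t sctp_options;
	int error;
	uint16_t old_num_str;

	iack = (sctp_init_chunk_t *)(iackch + 1);

	cph = NULL;
	if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp,
	    &pad, &sctp_options) == 0) { /* result in 'pad' ignored */
		BUMP_MIB(&sctp_mib, sctpAborted);
		sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL);
		sctp_clean_death(sctp, ECONNABORTED);
		return;
	}
	ASSERT(cph != NULL);

	ASSERT(sctp->sctp_cookie_mp == NULL);

	/* Got a cookie to echo back; allocate an mblk */
	ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph);
	if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0)
		pad = SCTP_ALIGN - pad;

	if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION)
		hdrlen = sctp->sctp_hdr_len;
	else
		hdrlen = sctp->sctp_hdr6_len;

	cemp = allocb(sctp_wroff_xtra + hdrlen + ceclen + pad, BPRI_MED);
	if (cemp == NULL) {
		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
		    sctp->sctp_current->rto);
		if (errmp != NULL)
			freeb(errmp);
		return;
	}
	cemp->b_rptr += (sctp_wroff_xtra + hdrlen);

	/* Process the INIT ACK: tags are kept in wire order */
	sctp->sctp_sctph->sh_verf = iack->sic_inittag;
	sctp->sctp_sctph6->sh_verf = iack->sic_inittag;
	sctp->sctp_fvtag = iack->sic_inittag;
	sctp->sctp_ftsn = ntohl(iack->sic_inittsn);
	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
	sctp->sctp_fcsn = sctp->sctp_lastacked;
	sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd);

	/*
	 * Populate sctp with addresses given in the INIT ACK or IP header.
	 * Need to set the df bit in the current fp as it has been cleared
	 * in sctp_connect().
	 */
	sctp->sctp_current->df = B_TRUE;
	/*
	 * Since IP uses this info during the fanout process, we need to hold
	 * the lock for this hash line while performing this operation.
	 */
	/* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctp->sctp_ports); */
	ASSERT(sctp->sctp_conn_tfp != NULL);
	tf = sctp->sctp_conn_tfp;
	/* sctp isn't a listener so only need to hold conn fanout lock */
	mutex_enter(&tf->tf_lock);
	if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) {
		mutex_exit(&tf->tf_lock);
		freeb(cemp);
		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
		    sctp->sctp_current->rto);
		if (errmp != NULL)
			freeb(errmp);
		return;
	}
	mutex_exit(&tf->tf_lock);

	fp = sctp->sctp_current;

	/*
	 * There could be a case when we get an INIT-ACK again, if the INIT
	 * is re-transmitted, for e.g., which means we would have already
	 * allocated this resource earlier (also for sctp_instr). In this
	 * case we check and re-allocate, if necessary.
	 */
	old_num_str = sctp->sctp_num_ostr;
	if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr)
		sctp->sctp_num_ostr = ntohs(iack->sic_instr);
	if (sctp->sctp_ostrcntrs == NULL) {
		sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
		    sctp->sctp_num_ostr, KM_NOSLEEP);
	} else {
		ASSERT(old_num_str > 0);
		if (old_num_str != sctp->sctp_num_ostr) {
			kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
			    old_num_str);
			sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
			    sctp->sctp_num_ostr, KM_NOSLEEP);
		}
	}
	if (sctp->sctp_ostrcntrs == NULL) {
		freeb(cemp);
		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
		if (errmp != NULL)
			freeb(errmp);
		return;
	}

	/*
	 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs
	 * hold here too.
	 */
	old_num_str = sctp->sctp_num_istr;
	if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr)
		sctp->sctp_num_istr = ntohs(iack->sic_outstr);
	if (sctp->sctp_instr == NULL) {
		sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
		    sctp->sctp_num_istr, KM_NOSLEEP);
	} else {
		ASSERT(old_num_str > 0);
		if (old_num_str != sctp->sctp_num_istr) {
			kmem_free(sctp->sctp_instr,
			    sizeof (*sctp->sctp_instr) * old_num_str);
			sctp->sctp_instr = kmem_zalloc(
			    sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr,
			    KM_NOSLEEP);
		}
	}
	if (sctp->sctp_instr == NULL) {
		/*
		 * Give back the out-stream counters and clear the pointer.
		 * Leaving it set would make the re-entry path above, on
		 * the next INIT ACK, either free it again or keep using
		 * the freed memory as counters.
		 */
		kmem_free(sctp->sctp_ostrcntrs,
		    sizeof (uint16_t) * sctp->sctp_num_ostr);
		sctp->sctp_ostrcntrs = NULL;
		freeb(cemp);
		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
		if (errmp != NULL)
			freeb(errmp);
		return;
	}

	/* Peer did not advertise Forward TSN: stop being PR-SCTP aware */
	if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware)
		sctp->sctp_prsctp_aware = B_FALSE;

	if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1),
	    ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)),
	    &sctp->sctp_rx_adaption_code) == 0) {
		sctp->sctp_recv_adaption = 1;
	}

	cech = (sctp_chunk_hdr_t *)cemp->b_rptr;
	ASSERT(OK_32PTR(cech));
	cech->sch_id = CHUNK_COOKIE;
	cech->sch_flags = 0;
	cech->sch_len = htons(ceclen);

	/* Copy the cookie (less the parm hdr) to the chunk, unmodified */
	bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph));

	cemp->b_wptr = cemp->b_rptr + ceclen;

	/*
	 * Messages queued before the stream count was negotiated may name
	 * a stream that no longer exists; fail them back to the ULP now.
	 */
	if (sctp->sctp_unsent > 0) {
		sctp_msg_hdr_t *smh;
		mblk_t *prev = NULL;
		uint32_t unsent = 0;

		mp = sctp->sctp_xmit_unsent;
		do {
			smh = (sctp_msg_hdr_t *)mp->b_rptr;
			if (smh->smh_sid >= sctp->sctp_num_ostr) {
				unsent += smh->smh_msglen;
				if (prev != NULL)
					prev->b_next = mp->b_next;
				else
					sctp->sctp_xmit_unsent = mp->b_next;
				mp->b_next = NULL;
				sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID,
				    B_FALSE);
				if (prev != NULL)
					mp = prev->b_next;
				else
					mp = sctp->sctp_xmit_unsent;
			} else {
				prev = mp;
				mp = mp->b_next;
			}
		} while (mp != NULL);
		if (unsent > 0) {
			ASSERT(sctp->sctp_unsent >= unsent);
			sctp->sctp_unsent -= unsent;
			/*
			 * Update ULP the amount of queued data, which is
			 * sent-unack'ed + unsent.
			 * This is not necessary, but doesn't harm, we
			 * just use unsent instead of sent-unack'ed +
			 * unsent, since there won't be any sent-unack'ed
			 * here.
			 */
			if (!SCTP_IS_DETACHED(sctp)) {
				sctp->sctp_ulp_xmitted(sctp->sctp_ulpd,
				    sctp->sctp_unsent);
			}
		}
		if (sctp->sctp_xmit_unsent == NULL)
			sctp->sctp_xmit_unsent_tail = NULL;
	}
	/* Try to bundle one DATA chunk behind the (padded) COOKIE */
	ceclen += pad;
	cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd);
	meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen,
	    cansend, NULL);
	/*
	 * The error cannot be anything else since we could have an non-zero
	 * error only if sctp_get_msg_to_send() tries to send a Forward
	 * TSN which will not happen here.
	 */
	ASSERT(error == 0);
	if (meta == NULL)
		goto sendcookie;
	sctp->sctp_xmit_tail = meta;
	sdc = (sctp_data_hdr_t *)mp->b_rptr;
	seglen = ntohs(sdc->sdh_len);
	if ((ceclen + seglen) > fp->sfa_pmss ||
	    (seglen - sizeof (*sdc)) > cansend) {
		goto sendcookie;
	}
	/* OK, if this fails */
	cemp->b_cont = dupmsg(mp);
sendcookie:
	head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL);
	if (head == NULL) {
		freemsg(cemp);
		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
		if (errmp != NULL)
			freeb(errmp);
		return;
	}
	/*
	 * Even if cookie-echo exceeds MTU for one of the hops, it'll
	 * have a chance of getting there.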
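*/
	if (fp->isv4) {
		ipha_t *iph = (ipha_t *)head->b_rptr;
		iph->ipha_fragment_offset_and_flags = 0;
	}
	BUMP_LOCAL(sctp->sctp_obchunks);

	sctp->sctp_cookie_mp = dupmsg(head);
	/* Don't bundle, we will just resend init if this cookie is lost. */
	if (sctp->sctp_cookie_mp == NULL) {
		if (cemp->b_cont != NULL) {
			freemsg(cemp->b_cont);
			cemp->b_cont = NULL;
		}
	} else if (cemp->b_cont != NULL) {
		ASSERT(mp != NULL && mp == meta->b_cont);
		SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont);
		cemp->b_wptr += pad;
		seglen -= sizeof (*sdc);
		SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta);
	}
	if (errmp != NULL)
		linkb(head, errmp);
	sctp->sctp_state = SCTPS_COOKIE_ECHOED;
	SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);

	sctp_set_iplen(sctp, head);
	sctp_add_sendq(sctp, head);
}

/*
 * Compare two 'len'-byte MACs in time that does not depend on where
 * they first differ.  bcmp() stops at the first mismatch, which lets a
 * remote peer measure how many leading bytes of a guessed ICV were
 * right.  Returns B_TRUE when they are equal.
 */
static boolean_t
sctp_cookie_icv_equal(const uchar_t *a, const uchar_t *b, size_t len)
{
	uchar_t acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= a[i] ^ b[i];
	return (acc == 0);
}

/*
 * Verify and interpret a received State Cookie (COOKIE ECHO chunk ch
 * in packet cmp, addressed to sctp).
 *
 * On success returns 0 with *iackpp pointing at the INIT ACK copy
 * embedded in the cookie, *recv_adaption set if the embedded INIT
 * carried an Adaptation Layer Indication, and *peer_addr (if non-NULL)
 * filled with the source address the INIT came from.  Returns -1 when
 * the chunk must be dropped: bad ICV, stale cookie (an ABORT with
 * SCTP_ERR_STALE_COOKIE is sent), a failed restart-address check, or a
 * tie-tag combination the 5.2.4 rules say to ignore.
 *
 * Ordering matters for safety: the only things read before the HMAC
 * has been checked against the current and the previous secret are the
 * chunk length and the bytes under the HMAC itself.  A cookie that
 * passes was minted by sctp_send_initack(), so its layout (timestamp,
 * lifetime, two tie-tags, peer address, INIT ACK, INIT, ICV) is known.
 * A minimum-length check is kept anyway so that memory safety does not
 * hinge solely on the MAC.
 */
int
sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
    sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaption,
    in6_addr_t *peer_addr)
{
	int32_t clen;
	size_t initplen;
	uchar_t *p;
	uchar_t *given_hash;
	uchar_t needed_hash[16];
	int64_t ts;
	int64_t diff;
	uint32_t *lt;
	sctp_init_chunk_t *iack;
	sctp_chunk_hdr_t *initch;
	sctp_init_chunk_t *init;
	uint32_t *lttag;
	uint32_t *fttag;
	uint32_t ports;

	BUMP_LOCAL(sctp->sctp_ibchunks);
	/*
	 * Verify the ICV.  The subtraction is done in int32_t explicitly
	 * so a short chunk yields a negative clen instead of relying on
	 * an unsigned wrap being truncated into one.
	 */
	clen = (int32_t)ntohs(ch->sch_len) - (int32_t)(sizeof (*ch) + 16);
	if (clen < (int32_t)(sizeof (ts) + sizeof (*lt) + 2 * sizeof (*lttag) +
	    sizeof (in6_addr_t) + sizeof (*iack) + sizeof (*initch) +
	    sizeof (*init))) {
		dprint(1, ("invalid cookie chunk length %d\n",
		    ntohs(ch->sch_len)));

		return (-1);
	}
	p = (uchar_t *)(ch + 1);

	hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN,
	    needed_hash);

	/* The given hash follows the cookie data */
	given_hash = p + clen;

	if (!sctp_cookie_icv_equal(given_hash, needed_hash, 16)) {
		/* The secret may have changed; try the old secret */
		hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret,
		    SCTP_SECRET_LEN, needed_hash);
		if (!sctp_cookie_icv_equal(given_hash, needed_hash, 16)) {
			return (-1);
		}
	}

	/* Timestamp is int64_t, and we only guarantee 32-bit alignment */
	bcopy(p, &ts, sizeof (ts));
	/* Cookie life time, int32_t */
	lt = (uint32_t *)(p + sizeof (ts));

	/*
	 * To quote PRC, "this is our baby", so let's continue.
	 * We need to pull out the encapsulated INIT ACK and
	 * INIT chunks. Note that we don't process these until
	 * we have verified the timestamp, but we need them before
	 * processing the timestamp since if the time check fails,
	 * we need to get the verification tag from the INIT in order
	 * to send a stale cookie error.
	 */
	lttag = (uint32_t *)(lt + 1);
	fttag = lttag + 1;
	if (peer_addr != NULL)
		bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t));
	iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t));
	initch = (sctp_chunk_hdr_t *)(iack + 1);
	init = (sctp_init_chunk_t *)(initch + 1);
	initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch));
	*iackpp = iack;
	*recv_adaption = 0;

	/*
	 * Check the timestamp.  A cookie older than its lifetime is
	 * rejected with a Stale Cookie error unless it belongs to the
	 * association we already have (a retransmitted COOKIE ECHO).
	 */
	diff = lbolt64 - ts;
	if (diff > *lt && (init->sic_inittag != sctp->sctp_fvtag ||
	    iack->sic_inittag != sctp->sctp_lvtag)) {

		uint32_t staleness;

		staleness = TICK_TO_USEC(diff);
		staleness = htonl(staleness);
		sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE,
		    (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE);

		dprint(1, ("stale cookie %d\n", staleness));

		return (-1);
	}

	/* Check for attack by adding addresses to a restart */
	bcopy(insctph, &ports, sizeof (ports));
	if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP) != 1) {
		return (-1);
	}

	/* Look for adaptation code if there any parms in the INIT chunk */
	if ((initplen >= sizeof (sctp_parm_hdr_t)) &&
	    (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen,
	    &sctp->sctp_rx_adaption_code) == 0)) {
		*recv_adaption = 1;
	}

	/*
	 * Examine tie-tags (RFC 2960 5.2.4).  Only relevant when this
	 * endpoint already has association state; a fresh listener just
	 * accepts the cookie.
	 */

	if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) {
		if (sctp->sctp_state == SCTPS_ESTABLISHED &&
		    init->sic_inittag == sctp->sctp_fvtag &&
		    iack->sic_inittag == sctp->sctp_lvtag &&
		    *fttag == 0 && *lttag == 0) {

			dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
			    (int)(sctp->sctp_fport)));
			return (-1);
		}

		if (init->sic_inittag != sctp->sctp_fvtag &&
		    iack->sic_inittag != sctp->sctp_lvtag &&
		    *fttag == sctp->sctp_fvtag &&
		    *lttag == sctp->sctp_lvtag) {
			int i;

			/* Section 5.2.4 case A: restart */
			sctp->sctp_fvtag = init->sic_inittag;
			sctp->sctp_lvtag = iack->sic_inittag;

			sctp->sctp_sctph->sh_verf = init->sic_inittag;
			sctp->sctp_sctph6->sh_verf = init->sic_inittag;

			sctp->sctp_ftsn = ntohl(init->sic_inittsn);
			sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
			sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
			sctp->sctp_fcsn = sctp->sctp_lastacked;

			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
				sctp->sctp_state = SCTPS_ESTABLISHED;
				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
			}

			dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n",
			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
			    (int)(sctp->sctp_fport)));
			/* reset parameters */
			sctp_congest_reset(sctp);

			/* reset stream bookkeeping */
			sctp_instream_cleanup(sctp, B_FALSE);

			sctp->sctp_istr_nmsgs = 0;
			sctp->sctp_rxqueued = 0;
			for (i = 0; i < sctp->sctp_num_ostr; i++) {
				sctp->sctp_ostrcntrs[i] = 0;
			}
			/* XXX flush xmit_list? */

			return (0);
		} else if (init->sic_inittag != sctp->sctp_fvtag &&
		    iack->sic_inittag == sctp->sctp_lvtag) {

			/* Section 5.2.4 case B: INIT collision */
			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
				if (!sctp_initialize_params(sctp, init, iack))
					return (-1); /* Drop? */
				sctp->sctp_state = SCTPS_ESTABLISHED;
				sctp->sctp_assoc_start_time = (u32_t)lbolt;
			}

			dprint(1, ("init collision with %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
			    (int)(sctp->sctp_fport)));

			return (0);
		} else if (iack->sic_inittag != sctp->sctp_lvtag &&
		    init->sic_inittag == sctp->sctp_fvtag &&
		    *fttag == 0 && *lttag == 0) {

			/* Section 5.2.4 case C: late COOKIE */
			dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
			    (int)(sctp->sctp_fport)));
			return (-1);
		} else if (init->sic_inittag == sctp->sctp_fvtag &&
		    iack->sic_inittag == sctp->sctp_lvtag) {

			/*
			 * Section 5.2.4 case D: COOKIE ECHO retransmit
			 * Don't check cookie lifetime
			 */
			dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
			    (int)(sctp->sctp_fport)));
			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
				if (!sctp_initialize_params(sctp, init, iack))
					return (-1); /* Drop? */
				sctp->sctp_state = SCTPS_ESTABLISHED;
				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
			}
			return (0);
		} else {
			/* unrecognized case -- silently drop it */
			return (-1);
		}
	}

	return (0);
}

/*
 * Similar to ip_fanout_sctp, except that the src addr(s) are drawn
 * from address parameters in an INIT ACK's address list. This
 * function is used when an INIT ACK is received but IP's fanout
 * function could not find a sctp via the normal lookup routine.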
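 * This can happen when a host sends an INIT ACK from a different
 * address than the INIT was sent to.
 *
 *	mp		IN	received packet; the IP header is at b_rptr
 *				and supplies the destination address
 *	sctph		IN	SCTP common header; the port pair is read from
 *				its first four bytes
 *	ich		IN	the INIT ACK chunk header (asserted to be one)
 *	ipif_seqid	IN	passed through to sctp_conn_match()
 *	zoneid		IN	passed through to sctp_conn_match()
 *
 * The address parameters are expected to already be in host byte order
 * (sctp_check_input() does that).  Each IPv4/IPv6 address parameter is
 * tried in turn as the source address until sctp_conn_match() finds an
 * association.
 *
 * Returns the sctp_t if found, or NULL if not found (including when the
 * chunk is too short to carry any parameter, or a parameter is truncated).
 */
sctp_t *
sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich,
    uint_t ipif_seqid, zoneid_t zoneid)
{
	int isv4;
	ipha_t *iph;
	ip6_t *ip6h;
	in6_addr_t dst;
	in6_addr_t src;
	sctp_parm_hdr_t *ph;
	ssize_t remaining;
	sctp_init_chunk_t *iack;
	uint32_t ports;
	sctp_t *sctp = NULL;

	ASSERT(ich->sch_id == CHUNK_INIT_ACK);

	isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
	if (isv4) {
		iph = (ipha_t *)mp->b_rptr;
		IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst);
	} else {
		ip6h = (ip6_t *)mp->b_rptr;
		dst = ip6h->ip6_dst;
	}

	ports = *(uint32_t *)sctph;

	dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n",
	    ports, SCTP_PRINTADDR(dst)));

	/*
	 * pull out any address parameters.  Keep the arithmetic signed:
	 * ntohs() minus two sizeof()s is evaluated as size_t, so a chunk
	 * shorter than header + INIT ACK body wrapped to a huge value,
	 * and the old (ssize_t < size_t) comparison promoted the negative
	 * remaining right back to that huge value and let it through.
	 */
	remaining = (ssize_t)ntohs(ich->sch_len) -
	    (ssize_t)(sizeof (*ich) + sizeof (*iack));
	if (remaining < (ssize_t)sizeof (*ph)) {
		return (NULL);
	}

	iack = (sctp_init_chunk_t *)(ich + 1);
	ph = (sctp_parm_hdr_t *)(iack + 1);

	/*
	 * remaining is the byte count from ph to the end of the chunk on
	 * entry; sctp_next_parm() is relied on to keep it that way.
	 */
	while (ph != NULL) {
		/*
		 * params have been put in host byteorder by
		 * sctp_check_input()
		 */
		if (ph->sph_type == PARM_ADDR4) {
			/* the address body must be inside the chunk, not just the header */
			if (remaining <
			    (ssize_t)(sizeof (*ph) + sizeof (struct in_addr))) {
				break;
			}
			IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1),
			    &src);

			sctp = sctp_conn_match(&src, &dst, ports, ipif_seqid,
			    zoneid);

			dprint(1,
			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
			    SCTP_PRINTADDR(src), sctp));


			if (sctp != NULL) {
				return (sctp);
			}
		} else if (ph->sph_type == PARM_ADDR6) {
			if (remaining <
			    (ssize_t)(sizeof (*ph) + sizeof (in6_addr_t))) {
				break;
			}
			src = *(in6_addr_t *)(ph + 1);
			sctp = sctp_conn_match(&src, &dst, ports, ipif_seqid,
			    zoneid);

			dprint(1,
			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
			    SCTP_PRINTADDR(src), sctp));

			if (sctp != NULL) {
				return (sctp);
			}
		}

		ph = sctp_next_parm(ph, &remaining);
	}

	return (NULL);
}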