xref: /illumos-gate/usr/src/uts/common/inet/sctp/sctp_cookie.c (revision db874c57ae335a07060499f1492b0d0e2593e26c)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <sys/types.h>
30 #include <sys/systm.h>
31 #include <sys/stream.h>
32 #include <sys/cmn_err.h>
33 #include <sys/md5.h>
34 #include <sys/kmem.h>
35 #include <sys/strsubr.h>
36 #include <sys/random.h>
37 
38 #include <netinet/in.h>
39 #include <netinet/ip6.h>
40 
41 #include <inet/common.h>
42 #include <inet/ip.h>
43 #include <inet/ip6.h>
44 #include <inet/sctp_ip.h>
45 #include <inet/ipclassifier.h>
46 #include "sctp_impl.h"
47 
48 /*
49  * Helper function for SunCluster (PSARC/2005/602) to get the original source
50  * address from the COOKIE
51  */
52 int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *);
53 
54 /*
55  * From RFC 2104. This should probably go into libmd5 (and while
56  * we're at it, maybe we should make a libdigest so we can later
57  * add SHA1 and others, esp. since some weaknesses have been found
58  * with MD5).
59  *
60  * text		IN			pointer to data stream
61  * text_len	IN			length of data stream
62  * key		IN			pointer to authentication key
63  * key_len	IN			length of authentication key
64  * digest	OUT			caller digest to be filled in
65  */
66 static void
67 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len,
68     uchar_t *digest)
69 {
70 	MD5_CTX context;
71 	uchar_t k_ipad[65];	/* inner padding - key XORd with ipad */
72 	uchar_t k_opad[65];	/* outer padding - key XORd with opad */
73 	uchar_t tk[16];
74 	int i;
75 
76 	/* if key is longer than 64 bytes reset it to key=MD5(key) */
77 	if (key_len > 64) {
78 		MD5_CTX tctx;
79 
80 		MD5Init(&tctx);
81 		MD5Update(&tctx, key, key_len);
82 		MD5Final(tk, &tctx);
83 
84 		key = tk;
85 		key_len = 16;
86 	}
87 
88 	/*
89 	 * the HMAC_MD5 transform looks like:
90 	 *
91 	 * MD5(K XOR opad, MD5(K XOR ipad, text))
92 	 *
93 	 * where K is an n byte key
94 	 * ipad is the byte 0x36 repeated 64 times
95 	 * opad is the byte 0x5c repeated 64 times
96 	 * and text is the data being protected
97 	 */
98 
99 	/* start out by storing key in pads */
100 	bzero(k_ipad, sizeof (k_ipad));
101 	bzero(k_opad, sizeof (k_opad));
102 	bcopy(key, k_ipad, key_len);
103 	bcopy(key, k_opad, key_len);
104 
105 	/* XOR key with ipad and opad values */
106 	for (i = 0; i < 64; i++) {
107 		k_ipad[i] ^= 0x36;
108 		k_opad[i] ^= 0x5c;
109 	}
110 	/*
111 	 * perform inner MD5
112 	 */
113 	MD5Init(&context);			/* init context for 1st */
114 						/* pass */
115 	MD5Update(&context, k_ipad, 64);	/* start with inner pad */
116 	MD5Update(&context, text, text_len);	/* then text of datagram */
117 	MD5Final(digest, &context);		/* finish up 1st pass */
118 	/*
119 	 * perform outer MD5
120 	 */
121 	MD5Init(&context);			/* init context for 2nd */
122 						/* pass */
123 	MD5Update(&context, k_opad, 64);	/* start with outer pad */
124 	MD5Update(&context, digest, 16);	/* then results of 1st */
125 						/* hash */
126 	MD5Final(digest, &context);		/* finish up 2nd pass */
127 }
128 
129 /*
130  * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP
131  * info in initmp to send the abort. Otherwise, no abort will be sent.
132  * If errmp is non-NULL, a chain of unrecognized parameters will
133  * be created and returned via *errmp.
134  *
135  * Returns 1 if the parameters are OK (or there are no parameters), or
136  * 0 if not.
137  */
138 static int
139 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch,
140     sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie,
141     mblk_t **errmp, int *supp_af, uint_t *sctp_options)
142 {
143 	sctp_parm_hdr_t		*cph;
144 	sctp_init_chunk_t	*ic;
145 	ssize_t			remaining;
146 	uint16_t		serror = 0;
147 	char			*details = NULL;
148 	size_t			errlen = 0;
149 	boolean_t		got_cookie = B_FALSE;
150 	uint16_t		ptype;
151 
152 	if (sctp_options != NULL)
153 		*sctp_options = 0;
154 
155 	/* First validate stream parameters */
156 	if (init->sic_instr == 0 || init->sic_outstr == 0) {
157 		serror = SCTP_ERR_BAD_MANDPARM;
158 		dprint(1,
159 		    ("validate_init_params: bad sid, is=%d os=%d\n",
160 			htons(init->sic_instr), htons(init->sic_outstr)));
161 		goto abort;
162 	}
163 	if (ntohl(init->sic_inittag) == 0) {
164 		serror = SCTP_ERR_BAD_MANDPARM;
165 		dprint(1, ("validate_init_params: inittag = 0\n"));
166 		goto abort;
167 	}
168 
169 	remaining = ntohs(ch->sch_len) - sizeof (*ch);
170 	ic = (sctp_init_chunk_t *)(ch + 1);
171 	remaining -= sizeof (*ic);
172 	if (remaining < sizeof (*cph)) {
173 		/* Nothing to validate */
174 		if (want_cookie != NULL)
175 			goto cookie_abort;
176 		return (1);
177 	}
178 
179 	cph = (sctp_parm_hdr_t *)(ic + 1);
180 
181 	while (cph != NULL) {
182 		ptype = ntohs(cph->sph_type);
183 		switch (ptype) {
184 		case PARM_HBINFO:
185 		case PARM_UNRECOGNIZED:
186 		case PARM_ECN:
187 			/* just ignore them */
188 			break;
189 		case PARM_FORWARD_TSN:
190 			if (sctp_options != NULL)
191 				*sctp_options |= SCTP_PRSCTP_OPTION;
192 			break;
193 		case PARM_COOKIE:
194 			got_cookie = B_TRUE;
195 			if (want_cookie != NULL) {
196 				*want_cookie = cph;
197 			}
198 			break;
199 		case PARM_ADDR4:
200 			*supp_af |= PARM_SUPP_V4;
201 			break;
202 		case PARM_ADDR6:
203 			*supp_af |= PARM_SUPP_V6;
204 			break;
205 		case PARM_COOKIE_PRESERVE:
206 		case PARM_ADAPT_LAYER_IND:
207 			/* These are OK */
208 			break;
209 		case PARM_ADDR_HOST_NAME:
210 			/* Don't support this; abort the association */
211 			serror = SCTP_ERR_BAD_ADDR;
212 			details = (char *)cph;
213 			errlen = ntohs(cph->sph_len);
214 			dprint(1, ("sctp:validate_init_params: host addr\n"));
215 			goto abort;
216 		case PARM_SUPP_ADDRS: {
217 			/* Make sure we have a supported addr intersection */
218 			uint16_t *p, addrtype;
219 			int plen;
220 
221 			plen = ntohs(cph->sph_len);
222 			p = (uint16_t *)(cph + 1);
223 			while (plen > 0) {
224 				addrtype = ntohs(*p);
225 				switch (addrtype) {
226 				case PARM_ADDR6:
227 					*supp_af |= PARM_SUPP_V6;
228 					break;
229 				case PARM_ADDR4:
230 					*supp_af |= PARM_SUPP_V4;
231 					break;
232 				default:
233 					/*
234 					 * Do nothing, silently ignore hostname
235 					 * address.
236 					 */
237 					break;
238 				}
239 				p++;
240 				plen -= sizeof (*p);
241 			}
242 			break;
243 		}
244 		default:
245 			/* Unrecognized param; check the high order bits */
246 			if ((ptype & 0xc000) == 0xc000) {
247 				/*
248 				 * report unrecognized param, and
249 				 * keep processing
250 				 */
251 				if (errmp != NULL) {
252 					if (want_cookie != NULL) {
253 						*errmp = sctp_make_err(sctp,
254 						    PARM_UNRECOGNIZED,
255 						    (void *)cph,
256 						    ntohs(cph->sph_len));
257 					} else {
258 						sctp_add_unrec_parm(cph, errmp);
259 					}
260 				}
261 				break;
262 			}
263 			if (ptype & 0x4000) {
264 				/*
265 				 * Stop processing and drop; report
266 				 * unrecognized param
267 				 */
268 				serror = SCTP_ERR_UNREC_PARM;
269 				details = (char *)cph;
270 				errlen = ntohs(cph->sph_len);
271 				goto abort;
272 			}
273 			if (ptype & 0x8000) {
274 				/* skip and continue processing */
275 				break;
276 			}
277 
278 			/*
279 			 * 2 high bits are clear; stop processing and
280 			 * drop packet
281 			 */
282 			return (0);
283 		}
284 
285 		cph = sctp_next_parm(cph, &remaining);
286 	}
287 	/*
288 	 * Some sanity checks.  The following should not fail unless the
289 	 * other side is broken.
290 	 *
291 	 * 1. If this is a V4 endpoint but V4 address is not
292 	 * supported, abort.
293 	 * 2. If this is a V6 only endpoint but V6 address is
294 	 * not supported, abort.  This assumes that a V6
295 	 * endpoint can use both V4 and V6 addresses.
296 	 * We only care about supp_af when processing INIT, i.e want_cookie
297 	 * is NULL.
298 	 */
299 	if (want_cookie == NULL &&
300 	    ((sctp->sctp_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) ||
301 	    (sctp->sctp_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) &&
302 	    sctp->sctp_connp->conn_ipv6_v6only))) {
303 		dprint(1, ("sctp:validate_init_params: supp addr\n"));
304 		serror = SCTP_ERR_BAD_ADDR;
305 		goto abort;
306 	}
307 
308 	if (want_cookie != NULL && !got_cookie) {
309 cookie_abort:
310 		dprint(1, ("validate_init_params: cookie absent\n"));
311 		sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM,
312 		    details, errlen, inmp, 0, B_FALSE);
313 		return (0);
314 	}
315 
316 	/* OK */
317 	return (1);
318 
319 abort:
320 	if (want_cookie != NULL)
321 		return (0);
322 
323 	sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details,
324 	    errlen, inmp, 0, B_FALSE);
325 	return (0);
326 }
327 
328 /*
329  * Initialize params from the INIT and INIT-ACK when the assoc. is
330  * established.
331  */
332 boolean_t
333 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init,
334     sctp_init_chunk_t *iack)
335 {
336 	/* Get initial TSN */
337 	sctp->sctp_ftsn = ntohl(init->sic_inittsn);
338 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
339 
340 	/* Serial number is initialized to the same value as the TSN */
341 	sctp->sctp_fcsn = sctp->sctp_lastacked;
342 
343 	/*
344 	 * Get verification tags; no byteordering is necessary, since
345 	 * verfication tags are never processed except for byte-by-byte
346 	 * comparisons.
347 	 */
348 	sctp->sctp_fvtag = init->sic_inittag;
349 	sctp->sctp_sctph->sh_verf = init->sic_inittag;
350 	sctp->sctp_sctph6->sh_verf = init->sic_inittag;
351 	sctp->sctp_lvtag = iack->sic_inittag;
352 
353 	/* Get the peer's rwnd */
354 	sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
355 
356 	/* Allocate the in/out-stream counters */
357 	sctp->sctp_num_ostr = iack->sic_outstr;
358 	sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
359 	    sctp->sctp_num_ostr, KM_NOSLEEP);
360 	if (sctp->sctp_ostrcntrs == NULL)
361 		return (B_FALSE);
362 
363 	sctp->sctp_num_istr = iack->sic_instr;
364 	sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
365 	    sctp->sctp_num_istr, KM_NOSLEEP);
366 	if (sctp->sctp_instr == NULL) {
367 		kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
368 		    sctp->sctp_num_ostr);
369 		sctp->sctp_ostrcntrs = NULL;
370 		return (B_FALSE);
371 	}
372 	return (B_TRUE);
373 }
374 
375 /*
376  * Copy the peer's original source address into addr. This relies on the
377  * following format (see sctp_send_initack() below):
378  * 	relative timestamp for the cookie (int64_t) +
379  * 	cookie lifetime (uint32_t) +
380  * 	local tie-tag (uint32_t) +  peer tie-tag (uint32_t) +
381  * 	Peer's original src ...
382  */
383 int
384 cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr)
385 {
386 	uchar_t	*off;
387 
388 	ASSERT(addr != NULL);
389 
390 	if (ch->sch_id != CHUNK_COOKIE)
391 		return (EINVAL);
392 
393 	off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) +
394 	    sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t);
395 
396 	bcopy(off, addr, sizeof (*addr));
397 
398 	return (0);
399 }
400 
401 #define	SCTP_CALC_COOKIE_LEN(initcp) \
402 	sizeof (int64_t) +		/* timestamp */			\
403 	sizeof (uint32_t) +		/* cookie lifetime */		\
404 	sizeof (sctp_init_chunk_t) +	/* INIT ACK */			\
405 	sizeof (in6_addr_t) +		/* peer's original source */ 	\
406 	ntohs((initcp)->sch_len) +	/* peer's INIT */		\
407 	sizeof (uint32_t) +		/* local tie-tag */		\
408 	sizeof (uint32_t) +		/* peer tie-tag */		\
409 	sizeof (sctp_parm_hdr_t) +	/* param header */		\
410 	16				/* MD5 hash */
411 
412 void
413 sctp_send_initack(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *initmp)
414 {
415 	ipha_t			*initiph;
416 	ip6_t			*initip6h;
417 	ipha_t			*iackiph;
418 	ip6_t			*iackip6h;
419 	sctp_chunk_hdr_t	*iack_ch;
420 	sctp_init_chunk_t	*iack;
421 	sctp_init_chunk_t	*init;
422 	sctp_hdr_t		*iacksh;
423 	sctp_hdr_t		*initsh;
424 	size_t			cookielen;
425 	size_t			iacklen;
426 	size_t			ipsctplen;
427 	size_t			errlen = 0;
428 	sctp_parm_hdr_t		*cookieph;
429 	mblk_t			*iackmp;
430 	uint32_t		itag;
431 	uint32_t		itsn;
432 	int64_t			*now;
433 	int64_t			nowt;
434 	uint32_t		*lifetime;
435 	char			*p;
436 	boolean_t		 isv4;
437 	int			supp_af = 0;
438 	uint_t			sctp_options;
439 	uint32_t		*ttag;
440 	int			pad;
441 	mblk_t			*errmp = NULL;
442 	boolean_t		initcollision = B_FALSE;
443 	boolean_t		linklocal = B_FALSE;
444 
445 	BUMP_LOCAL(sctp->sctp_ibchunks);
446 	isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION);
447 
448 	/* Extract the INIT chunk */
449 	if (isv4) {
450 		initiph = (ipha_t *)initmp->b_rptr;
451 		initsh = (sctp_hdr_t *)((char *)initiph +
452 		    IPH_HDR_LENGTH(initmp->b_rptr));
453 		ipsctplen = sctp->sctp_ip_hdr_len;
454 		supp_af |= PARM_SUPP_V4;
455 	} else {
456 		initip6h = (ip6_t *)initmp->b_rptr;
457 		initsh = (sctp_hdr_t *)(initip6h + 1);
458 		ipsctplen = sctp->sctp_ip_hdr6_len;
459 		if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src))
460 			linklocal = B_TRUE;
461 		supp_af |= PARM_SUPP_V6;
462 	}
463 	ASSERT(OK_32PTR(initsh));
464 	init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch));
465 
466 	/* Make sure we like the peer's parameters */
467 	if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp,
468 		&supp_af, &sctp_options) == 0) {
469 		return;
470 	}
471 	if (errmp != NULL)
472 		errlen = msgdsize(errmp);
473 	if (sctp->sctp_family == AF_INET) {
474 		/*
475 		 * Irregardless of the supported address in the INIT, v4
476 		 * must be supported.
477 		 */
478 		supp_af = PARM_SUPP_V4;
479 	}
480 	if (sctp->sctp_state <= SCTPS_LISTEN) {
481 		/* normal, expected INIT: generate new vtag and itsn */
482 		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
483 		if (itag == 0)
484 			itag = (uint32_t)gethrtime();
485 		itsn = itag + 1;
486 		itag = htonl(itag);
487 	} else if (sctp->sctp_state == SCTPS_COOKIE_WAIT ||
488 	    sctp->sctp_state == SCTPS_COOKIE_ECHOED) {
489 		/* init collision; copy vtag and itsn from sctp */
490 		itag = sctp->sctp_lvtag;
491 		itsn = sctp->sctp_ltsn;
492 		/*
493 		 * In addition we need to send all the params that was sent
494 		 * in our INIT chunk. Essentially, it is only the supported
495 		 * address params that we need to add.
496 		 */
497 		initcollision = B_TRUE;
498 		/*
499 		 * When we sent the INIT, we should have set linklocal in
500 		 * the sctp which should be good enough.
501 		 */
502 		if (linklocal)
503 			linklocal = B_FALSE;
504 	} else {
505 		/* peer restart; generate new vtag but keep everything else */
506 		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
507 		if (itag == 0)
508 			itag = (uint32_t)gethrtime();
509 		itag = htonl(itag);
510 		itsn = sctp->sctp_ltsn;
511 	}
512 
513 	/*
514 	 * Allocate a mblk for the INIT ACK, consisting of the link layer
515 	 * header, the IP header, the SCTP common header, and INIT ACK chunk,
516 	 * and finally the COOKIE parameter.
517 	 */
518 	cookielen = SCTP_CALC_COOKIE_LEN(ch);
519 	iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen;
520 	if (sctp->sctp_send_adaption)
521 		iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t));
522 	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
523 	    sctp->sctp_prsctp_aware && sctp_prsctp_enabled) {
524 		iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION);
525 	}
526 	if (initcollision)
527 		iacklen += sctp_supaddr_param_len(sctp);
528 	if (!linklocal)
529 		iacklen += sctp_addr_params_len(sctp, supp_af, B_FALSE);
530 	ipsctplen += sizeof (*iacksh) + iacklen;
531 	iacklen += errlen;
532 	if ((pad = ipsctplen % 4) != 0) {
533 		pad = 4 - pad;
534 		ipsctplen += pad;
535 	}
536 	iackmp = allocb(ipsctplen + sctp_wroff_xtra, BPRI_MED);
537 	if (iackmp == NULL) {
538 		sctp_send_abort(sctp, sctp_init2vtag(ch),
539 		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE);
540 		return;
541 	}
542 
543 	/* Copy in the [imcomplete] IP/SCTP composite header */
544 	p = (char *)(iackmp->b_rptr + sctp_wroff_xtra);
545 	iackmp->b_rptr = (uchar_t *)p;
546 	if (isv4) {
547 		bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len);
548 		iackiph = (ipha_t *)p;
549 
550 		/* Copy the peer's IP addr */
551 		iackiph->ipha_dst = initiph->ipha_src;
552 		iackiph->ipha_src = initiph->ipha_dst;
553 		iackiph->ipha_length = htons(ipsctplen + errlen);
554 		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len);
555 	} else {
556 		bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len);
557 		iackip6h = (ip6_t *)p;
558 
559 		/* Copy the peer's IP addr */
560 		iackip6h->ip6_dst = initip6h->ip6_src;
561 		iackip6h->ip6_src = initip6h->ip6_dst;
562 		iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) +
563 		    errlen);
564 		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len);
565 	}
566 	ASSERT(OK_32PTR(iacksh));
567 
568 	/* Fill in the holes in the SCTP common header */
569 	iacksh->sh_sport = initsh->sh_dport;
570 	iacksh->sh_dport = initsh->sh_sport;
571 	iacksh->sh_verf = init->sic_inittag;
572 
573 	/* INIT ACK chunk header */
574 	iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1);
575 	iack_ch->sch_id = CHUNK_INIT_ACK;
576 	iack_ch->sch_flags = 0;
577 	iack_ch->sch_len = htons(iacklen);
578 
579 	/* The INIT ACK itself */
580 	iack = (sctp_init_chunk_t *)(iack_ch + 1);
581 	iack->sic_inittag = itag;	/* already in network byteorder */
582 	iack->sic_inittsn = htonl(itsn);
583 
584 	iack->sic_a_rwnd = htonl(sctp->sctp_rwnd);
585 	/* Advertise what we would want to have as stream #'s */
586 	iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr,
587 	    ntohs(init->sic_instr)));
588 	iack->sic_instr = htons(sctp->sctp_num_istr);
589 
590 	p = (char *)(iack + 1);
591 	p += sctp_adaption_code_param(sctp, (uchar_t *)p);
592 	if (initcollision)
593 		p += sctp_supaddr_param(sctp, (uchar_t *)p);
594 	if (!linklocal)
595 		p += sctp_addr_params(sctp, supp_af, (uchar_t *)p);
596 	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
597 	    sctp->sctp_prsctp_aware && sctp_prsctp_enabled) {
598 		p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION);
599 	}
600 	/*
601 	 * Generate and lay in the COOKIE parameter.
602 	 *
603 	 * Any change here that results in a change of location for
604 	 * the peer's orig source address must be propagated to the fn
605 	 * cl_sctp_cookie_paddr() above.
606 	 *
607 	 * The cookie consists of:
608 	 * 1. The relative timestamp for the cookie (lbolt64)
609 	 * 2. The cookie lifetime (uint32_t) in tick
610 	 * 3. The local tie-tag
611 	 * 4. The peer tie-tag
612 	 * 5. Peer's original src, used to confirm the validity of address.
613 	 * 6. Our INIT ACK chunk, less any parameters
614 	 * 7. The INIT chunk (may contain parameters)
615 	 * 8. 128-bit MD5 signature.
616 	 *
617 	 * Since the timestamp values will only be evaluated locally, we
618 	 * don't need to worry about byte-ordering them.
619 	 */
620 	cookieph = (sctp_parm_hdr_t *)p;
621 	cookieph->sph_type = htons(PARM_COOKIE);
622 	cookieph->sph_len = htons(cookielen);
623 
624 	/* timestamp */
625 	now = (int64_t *)(cookieph + 1);
626 	nowt = lbolt64;
627 	bcopy(&nowt, now, sizeof (*now));
628 
629 	/* cookie lifetime -- need configuration */
630 	lifetime = (uint32_t *)(now + 1);
631 	*lifetime = sctp->sctp_cookie_lifetime;
632 
633 	/* Set the tie-tags */
634 	ttag = (uint32_t *)(lifetime + 1);
635 	if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) {
636 		*ttag = 0;
637 		ttag++;
638 		*ttag = 0;
639 		ttag++;
640 	} else {
641 		/* local tie-tag (network byte-order) */
642 		*ttag = sctp->sctp_lvtag;
643 		ttag++;
644 		/* peer tie-tag (network byte-order) */
645 		*ttag = sctp->sctp_fvtag;
646 		ttag++;
647 	}
648 	/*
649 	 * Copy in peer's original source address so that we can confirm
650 	 * the reachability later.
651 	 */
652 	p = (char *)ttag;
653 	if (isv4) {
654 		in6_addr_t peer_addr;
655 
656 		IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr);
657 		bcopy(&peer_addr, p, sizeof (in6_addr_t));
658 	} else {
659 		bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t));
660 	}
661 	p += sizeof (in6_addr_t);
662 	/* Copy in our INIT ACK chunk */
663 	bcopy(iack, p, sizeof (*iack));
664 	iack = (sctp_init_chunk_t *)p;
665 	/* Set the # of streams we'll end up using */
666 	iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr));
667 	iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr));
668 	p += sizeof (*iack);
669 
670 	/* Copy in the peer's INIT chunk */
671 	bcopy(ch, p, ntohs(ch->sch_len));
672 	p += ntohs(ch->sch_len);
673 
674 	/*
675 	 * Calculate the HMAC ICV into the digest slot in buf.
676 	 * First, generate a new secret if the current secret is
677 	 * older than the new secret lifetime parameter permits,
678 	 * copying the current secret to sctp_old_secret.
679 	 */
680 	if (sctp_new_secret_interval > 0 &&
681 	    (sctp->sctp_last_secret_update +
682 	    MSEC_TO_TICK(sctp_new_secret_interval)) <= nowt) {
683 		bcopy(sctp->sctp_secret, sctp->sctp_old_secret,
684 		    SCTP_SECRET_LEN);
685 		(void) random_get_pseudo_bytes(sctp->sctp_secret,
686 		    SCTP_SECRET_LEN);
687 		sctp->sctp_last_secret_update = nowt;
688 	}
689 
690 	hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16,
691 	    (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p);
692 
693 	iackmp->b_wptr = iackmp->b_rptr + ipsctplen;
694 	iackmp->b_cont = errmp;		/*  OK if NULL */
695 
696 	/*
697 	 * Stash the conn ptr info. for IP only as e don't have any
698 	 * cached IRE.
699 	 */
700 	SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL);
701 
702 	/* XXX sctp == sctp_g_q, so using its obchunks is valid */
703 	BUMP_LOCAL(sctp->sctp_opkts);
704 	BUMP_LOCAL(sctp->sctp_obchunks);
705 
706 	/* OK to call IP_PUT() here instead of sctp_add_sendq(). */
707 	CONN_INC_REF(sctp->sctp_connp);
708 	iackmp->b_flag |= MSGHASREF;
709 	IP_PUT(iackmp, sctp->sctp_connp, isv4);
710 }
711 
712 void
713 sctp_send_cookie_ack(sctp_t *sctp)
714 {
715 	sctp_chunk_hdr_t *cach;
716 	mblk_t *camp;
717 
718 	camp = sctp_make_mp(sctp, NULL, sizeof (*cach));
719 	if (camp == NULL) {
720 		/* XXX should abort, but don't have the inmp anymore */
721 		return;
722 	}
723 
724 	cach = (sctp_chunk_hdr_t *)camp->b_wptr;
725 	camp->b_wptr = (uchar_t *)(cach + 1);
726 	cach->sch_id = CHUNK_COOKIE_ACK;
727 	cach->sch_flags = 0;
728 	cach->sch_len = htons(sizeof (*cach));
729 
730 	sctp_set_iplen(sctp, camp);
731 
732 	BUMP_LOCAL(sctp->sctp_obchunks);
733 
734 	sctp_add_sendq(sctp, camp);
735 }
736 
737 static int
738 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaption_code)
739 {
740 
741 	if (len < sizeof (*sph))
742 		return (-1);
743 	while (sph != NULL) {
744 		if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) &&
745 		    ntohs(sph->sph_len) >= (sizeof (*sph) +
746 			sizeof (uint32_t))) {
747 			*adaption_code = *(uint32_t *)(sph + 1);
748 			return (0);
749 		}
750 		sph = sctp_next_parm(sph, &len);
751 	}
752 	return (-1);
753 }
754 
755 void
756 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp)
757 {
758 	mblk_t			*cemp;
759 	mblk_t			*mp = NULL;
760 	mblk_t			*head;
761 	mblk_t			*meta;
762 	sctp_faddr_t		*fp;
763 	sctp_chunk_hdr_t	*cech;
764 	sctp_init_chunk_t	 *iack;
765 	int32_t			cansend;
766 	int32_t			seglen;
767 	size_t			ceclen;
768 	sctp_parm_hdr_t		*cph;
769 	sctp_data_hdr_t		*sdc;
770 	sctp_tf_t		*tf;
771 	int			pad = 0;
772 	int			hdrlen;
773 	mblk_t			*errmp = NULL;
774 	uint_t			sctp_options;
775 	int			error;
776 	uint16_t		old_num_str;
777 
778 	iack = (sctp_init_chunk_t *)(iackch + 1);
779 
780 	cph = NULL;
781 	if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp,
782 	    &pad, &sctp_options) == 0) { /* result in 'pad' ignored */
783 		BUMP_MIB(&sctp_mib, sctpAborted);
784 		sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL);
785 		sctp_clean_death(sctp, ECONNABORTED);
786 		return;
787 	}
788 	ASSERT(cph != NULL);
789 
790 	ASSERT(sctp->sctp_cookie_mp == NULL);
791 
792 	/* Got a cookie to echo back; allocate an mblk */
793 	ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph);
794 	if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0)
795 		pad = SCTP_ALIGN - pad;
796 
797 	if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION)
798 		hdrlen = sctp->sctp_hdr_len;
799 	else
800 		hdrlen = sctp->sctp_hdr6_len;
801 
802 	cemp = allocb(sctp_wroff_xtra + hdrlen + ceclen + pad, BPRI_MED);
803 	if (cemp == NULL) {
804 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
805 		    sctp->sctp_current->rto);
806 		if (errmp != NULL)
807 			freeb(errmp);
808 		return;
809 	}
810 	cemp->b_rptr += (sctp_wroff_xtra + hdrlen);
811 
812 	/* Process the INIT ACK */
813 	sctp->sctp_sctph->sh_verf = iack->sic_inittag;
814 	sctp->sctp_sctph6->sh_verf = iack->sic_inittag;
815 	sctp->sctp_fvtag = iack->sic_inittag;
816 	sctp->sctp_ftsn = ntohl(iack->sic_inittsn);
817 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
818 	sctp->sctp_fcsn = sctp->sctp_lastacked;
819 	sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd);
820 
821 	/*
822 	 * Populate sctp with addresses given in the INIT ACK or IP header.
823 	 * Need to set the df bit in the current fp as it has been cleared
824 	 * in sctp_connect().
825 	 */
826 	sctp->sctp_current->df = B_TRUE;
827 	/*
828 	 * Since IP uses this info during the fanout process, we need to hold
829 	 * the lock for this hash line while performing this operation.
830 	 */
831 	/* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctp->sctp_ports); */
832 	ASSERT(sctp->sctp_conn_tfp != NULL);
833 	tf = sctp->sctp_conn_tfp;
834 	/* sctp isn't a listener so only need to hold conn fanout lock */
835 	mutex_enter(&tf->tf_lock);
836 	if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) {
837 		mutex_exit(&tf->tf_lock);
838 		freeb(cemp);
839 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
840 		    sctp->sctp_current->rto);
841 		if (errmp != NULL)
842 			freeb(errmp);
843 		return;
844 	}
845 	mutex_exit(&tf->tf_lock);
846 
847 	fp = sctp->sctp_current;
848 
849 	/*
850 	 * There could be a case when we get an INIT-ACK again, if the INIT
851 	 * is re-transmitted, for e.g., which means we would have already
852 	 * allocated this resource earlier (also for sctp_instr). In this
853 	 * case we check and re-allocate, if necessary.
854 	 */
855 	old_num_str = sctp->sctp_num_ostr;
856 	if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr)
857 		sctp->sctp_num_ostr = ntohs(iack->sic_instr);
858 	if (sctp->sctp_ostrcntrs == NULL) {
859 		sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
860 		    sctp->sctp_num_ostr, KM_NOSLEEP);
861 	} else {
862 		ASSERT(old_num_str > 0);
863 		if (old_num_str != sctp->sctp_num_ostr) {
864 			kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
865 			    old_num_str);
866 			sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
867 			    sctp->sctp_num_ostr, KM_NOSLEEP);
868 		}
869 	}
870 	if (sctp->sctp_ostrcntrs == NULL) {
871 		freeb(cemp);
872 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
873 		if (errmp != NULL)
874 			freeb(errmp);
875 		return;
876 	}
877 
878 	/*
879 	 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs
880 	 * hold here too.
881 	 */
882 	old_num_str = sctp->sctp_num_istr;
883 	if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr)
884 		sctp->sctp_num_istr = ntohs(iack->sic_outstr);
885 	if (sctp->sctp_instr == NULL) {
886 		sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
887 		    sctp->sctp_num_istr, KM_NOSLEEP);
888 	} else {
889 		ASSERT(old_num_str > 0);
890 		if (old_num_str != sctp->sctp_num_istr) {
891 			kmem_free(sctp->sctp_instr,
892 			    sizeof (*sctp->sctp_instr) * old_num_str);
893 			sctp->sctp_instr = kmem_zalloc(
894 			    sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr,
895 			    KM_NOSLEEP);
896 		}
897 	}
898 	if (sctp->sctp_instr == NULL) {
899 		kmem_free(sctp->sctp_ostrcntrs,
900 		    sizeof (uint16_t) * sctp->sctp_num_ostr);
901 		freeb(cemp);
902 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
903 		if (errmp != NULL)
904 			freeb(errmp);
905 		return;
906 	}
907 
908 	if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware)
909 		sctp->sctp_prsctp_aware = B_FALSE;
910 
911 	if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1),
912 		ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)),
913 		&sctp->sctp_rx_adaption_code) == 0) {
914 		sctp->sctp_recv_adaption = 1;
915 	}
916 
917 	cech = (sctp_chunk_hdr_t *)cemp->b_rptr;
918 	ASSERT(OK_32PTR(cech));
919 	cech->sch_id = CHUNK_COOKIE;
920 	cech->sch_flags = 0;
921 	cech->sch_len = htons(ceclen);
922 
923 	/* Copy the cookie (less the parm hdr) to the chunk */
924 	bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph));
925 
926 	cemp->b_wptr = cemp->b_rptr + ceclen;
927 
928 	if (sctp->sctp_unsent > 0) {
929 		sctp_msg_hdr_t	*smh;
930 		mblk_t		*prev = NULL;
931 		uint32_t	unsent = 0;
932 
933 		mp = sctp->sctp_xmit_unsent;
934 		do {
935 			smh = (sctp_msg_hdr_t *)mp->b_rptr;
936 			if (smh->smh_sid >= sctp->sctp_num_ostr) {
937 				unsent += smh->smh_msglen;
938 				if (prev != NULL)
939 					prev->b_next = mp->b_next;
940 				else
941 					sctp->sctp_xmit_unsent = mp->b_next;
942 				mp->b_next = NULL;
943 				sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID,
944 				    B_FALSE);
945 				if (prev != NULL)
946 					mp = prev->b_next;
947 				else
948 					mp = sctp->sctp_xmit_unsent;
949 			} else {
950 				prev = mp;
951 				mp = mp->b_next;
952 			}
953 		} while (mp != NULL);
954 		if (unsent > 0) {
955 			ASSERT(sctp->sctp_unsent >= unsent);
956 			sctp->sctp_unsent -= unsent;
957 			/*
958 			 * Update ULP the amount of queued data, which is
959 			 * sent-unack'ed + unsent.
960 			 * This is not necessary, but doesn't harm, we
961 			 * just use unsent instead of sent-unack'ed +
962 			 * unsent, since there won't be any sent-unack'ed
963 			 * here.
964 			 */
965 			if (!SCTP_IS_DETACHED(sctp)) {
966 				sctp->sctp_ulp_xmitted(sctp->sctp_ulpd,
967 				    sctp->sctp_unsent);
968 			}
969 		}
970 		if (sctp->sctp_xmit_unsent == NULL)
971 			sctp->sctp_xmit_unsent_tail = NULL;
972 	}
973 	ceclen += pad;
974 	cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd);
975 	meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen,
976 	    cansend,  NULL);
977 	/*
978 	 * The error cannot be anything else since we could have an non-zero
979 	 * error only if sctp_get_msg_to_send() tries to send a Forward
980 	 * TSN which will not happen here.
981 	 */
982 	ASSERT(error == 0);
983 	if (meta == NULL)
984 		goto sendcookie;
985 	sctp->sctp_xmit_tail = meta;
986 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
987 	seglen = ntohs(sdc->sdh_len);
988 	if ((ceclen + seglen) > fp->sfa_pmss ||
989 	    (seglen - sizeof (*sdc)) > cansend) {
990 		goto sendcookie;
991 	}
992 	/* OK, if this fails */
993 	cemp->b_cont = dupmsg(mp);
994 sendcookie:
995 	head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL);
996 	if (head == NULL) {
997 		freemsg(cemp);
998 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
999 		if (errmp != NULL)
1000 			freeb(errmp);
1001 		return;
1002 	}
1003 	/*
1004 	 * Even if cookie-echo exceeds MTU for one of the hops, it'll
1005 	 * have a chance of getting there.
1006 	 */
1007 	if (fp->isv4) {
1008 		ipha_t *iph = (ipha_t *)head->b_rptr;
1009 		iph->ipha_fragment_offset_and_flags = 0;
1010 	}
1011 	BUMP_LOCAL(sctp->sctp_obchunks);
1012 
1013 	sctp->sctp_cookie_mp = dupmsg(head);
1014 	/* Don't bundle, we will just resend init if this cookie is lost. */
1015 	if (sctp->sctp_cookie_mp == NULL) {
1016 		if (cemp->b_cont != NULL) {
1017 			freemsg(cemp->b_cont);
1018 			cemp->b_cont = NULL;
1019 		}
1020 	} else if (cemp->b_cont != NULL) {
1021 		ASSERT(mp != NULL && mp == meta->b_cont);
1022 		SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont);
1023 		cemp->b_wptr += pad;
1024 		seglen -= sizeof (*sdc);
1025 		SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta);
1026 	}
1027 	if (errmp != NULL)
1028 		linkb(head, errmp);
1029 	sctp->sctp_state = SCTPS_COOKIE_ECHOED;
1030 	SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
1031 
1032 	sctp_set_iplen(sctp, head);
1033 	sctp_add_sendq(sctp, head);
1034 }
1035 
1036 int
1037 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
1038     sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaption,
1039     in6_addr_t *peer_addr)
1040 {
1041 	int32_t			clen;
1042 	size_t			initplen;
1043 	uchar_t			*p;
1044 	uchar_t			*given_hash;
1045 	uchar_t			needed_hash[16];
1046 	int64_t			ts;
1047 	int64_t			diff;
1048 	uint32_t		*lt;
1049 	sctp_init_chunk_t	*iack;
1050 	sctp_chunk_hdr_t	*initch;
1051 	sctp_init_chunk_t	*init;
1052 	uint32_t		*lttag;
1053 	uint32_t		*fttag;
1054 	uint32_t		ports;
1055 
1056 	BUMP_LOCAL(sctp->sctp_ibchunks);
1057 	/* Verify the ICV */
1058 	clen = ntohs(ch->sch_len) - sizeof (*ch) - 16;
1059 	if (clen < 0) {
1060 		dprint(1, ("invalid cookie chunk length %d\n",
1061 		    ntohs(ch->sch_len)));
1062 
1063 		return (-1);
1064 	}
1065 	p = (uchar_t *)(ch + 1);
1066 
1067 	hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN,
1068 	    needed_hash);
1069 
1070 	/* The given hash follows the cookie data */
1071 	given_hash = p + clen;
1072 
1073 	if (bcmp(given_hash, needed_hash, 16) != 0) {
1074 		/* The secret may have changed; try the old secret */
1075 		hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret,
1076 		    SCTP_SECRET_LEN, needed_hash);
1077 		if (bcmp(given_hash, needed_hash, 16) != 0) {
1078 			return (-1);
1079 		}
1080 	}
1081 
1082 	/* Timestamp is int64_t, and we only guarantee 32-bit alignment */
1083 	bcopy(p, &ts, sizeof (ts));
1084 	/* Cookie life time, int32_t */
1085 	lt = (uint32_t *)(p + sizeof (ts));
1086 
1087 	/*
1088 	 * To quote PRC, "this is our baby", so let's continue.
1089 	 * We need to pull out the encapsulated INIT ACK and
1090 	 * INIT chunks. Note that we don't process these until
1091 	 * we have verified the timestamp, but we need them before
1092 	 * processing the timestamp since if the time check fails,
1093 	 * we need to get the verification tag from the INIT in order
1094 	 * to send a stale cookie error.
1095 	 */
1096 	lttag = (uint32_t *)(lt + 1);
1097 	fttag = lttag + 1;
1098 	if (peer_addr != NULL)
1099 		bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t));
1100 	iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t));
1101 	initch = (sctp_chunk_hdr_t *)(iack + 1);
1102 	init = (sctp_init_chunk_t *)(initch + 1);
1103 	initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch));
1104 	*iackpp = iack;
1105 	*recv_adaption = 0;
1106 
1107 	/* Check the timestamp */
1108 	diff = lbolt64 - ts;
1109 	if (diff > *lt && (init->sic_inittag != sctp->sctp_fvtag ||
1110 	    iack->sic_inittag != sctp->sctp_lvtag)) {
1111 
1112 		uint32_t staleness;
1113 
1114 		staleness = TICK_TO_USEC(diff);
1115 		staleness = htonl(staleness);
1116 		sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE,
1117 		    (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE);
1118 
1119 		dprint(1, ("stale cookie %d\n", staleness));
1120 
1121 		return (-1);
1122 	}
1123 
1124 	/* Check for attack by adding addresses to a restart */
1125 	bcopy(insctph, &ports, sizeof (ports));
1126 	if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP) != 1) {
1127 		return (-1);
1128 	}
1129 
1130 	/* Look for adaptation code if there any parms in the INIT chunk */
1131 	if ((initplen >= sizeof (sctp_parm_hdr_t)) &&
1132 	    (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen,
1133 	    &sctp->sctp_rx_adaption_code) == 0)) {
1134 		*recv_adaption = 1;
1135 	}
1136 
1137 	/* Examine tie-tags */
1138 
1139 	if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) {
1140 		if (sctp->sctp_state == SCTPS_ESTABLISHED &&
1141 		    init->sic_inittag == sctp->sctp_fvtag &&
1142 		    iack->sic_inittag == sctp->sctp_lvtag &&
1143 		    *fttag == 0 && *lttag == 0) {
1144 
1145 			dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n",
1146 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1147 			    (int)(sctp->sctp_fport)));
1148 			return (-1);
1149 		}
1150 
1151 		if (init->sic_inittag != sctp->sctp_fvtag &&
1152 		    iack->sic_inittag != sctp->sctp_lvtag &&
1153 		    *fttag == sctp->sctp_fvtag &&
1154 		    *lttag == sctp->sctp_lvtag) {
1155 			int i;
1156 
1157 			/* Section 5.2.4 case A: restart */
1158 			sctp->sctp_fvtag = init->sic_inittag;
1159 			sctp->sctp_lvtag = iack->sic_inittag;
1160 
1161 			sctp->sctp_sctph->sh_verf = init->sic_inittag;
1162 			sctp->sctp_sctph6->sh_verf = init->sic_inittag;
1163 
1164 			sctp->sctp_ftsn = ntohl(init->sic_inittsn);
1165 			sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
1166 			sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
1167 			sctp->sctp_fcsn = sctp->sctp_lastacked;
1168 
1169 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1170 				sctp->sctp_state = SCTPS_ESTABLISHED;
1171 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
1172 			}
1173 
1174 			dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n",
1175 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1176 			    (int)(sctp->sctp_fport)));
1177 			/* reset parameters */
1178 			sctp_congest_reset(sctp);
1179 
1180 			/* reset stream bookkeeping */
1181 			sctp_instream_cleanup(sctp, B_FALSE);
1182 
1183 			sctp->sctp_istr_nmsgs = 0;
1184 			sctp->sctp_rxqueued = 0;
1185 			for (i = 0; i < sctp->sctp_num_ostr; i++) {
1186 				sctp->sctp_ostrcntrs[i] = 0;
1187 			}
1188 			/* XXX flush xmit_list? */
1189 
1190 			return (0);
1191 		} else if (init->sic_inittag != sctp->sctp_fvtag &&
1192 		    iack->sic_inittag == sctp->sctp_lvtag) {
1193 
1194 			/* Section 5.2.4 case B: INIT collision */
1195 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1196 				if (!sctp_initialize_params(sctp, init, iack))
1197 					return (-1);	/* Drop? */
1198 				sctp->sctp_state = SCTPS_ESTABLISHED;
1199 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
1200 			}
1201 
1202 			dprint(1, ("init collision with %x:%x:%x:%x (%d)\n",
1203 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1204 			    (int)(sctp->sctp_fport)));
1205 
1206 			return (0);
1207 		} else if (iack->sic_inittag != sctp->sctp_lvtag &&
1208 		    init->sic_inittag == sctp->sctp_fvtag &&
1209 		    *fttag == 0 && *lttag == 0) {
1210 
1211 			/* Section 5.2.4 case C: late COOKIE */
1212 			dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n",
1213 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1214 			    (int)(sctp->sctp_fport)));
1215 			return (-1);
1216 		} else if (init->sic_inittag == sctp->sctp_fvtag &&
1217 		    iack->sic_inittag == sctp->sctp_lvtag) {
1218 
1219 			/*
1220 			 * Section 5.2.4 case D: COOKIE ECHO retransmit
1221 			 * Don't check cookie lifetime
1222 			 */
1223 			dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n",
1224 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1225 			    (int)(sctp->sctp_fport)));
1226 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1227 				if (!sctp_initialize_params(sctp, init, iack))
1228 					return (-1);	/* Drop? */
1229 				sctp->sctp_state = SCTPS_ESTABLISHED;
1230 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
1231 			}
1232 			return (0);
1233 		} else {
1234 			/* unrecognized case -- silently drop it */
1235 			return (-1);
1236 		}
1237 	}
1238 
1239 	return (0);
1240 }
1241 
1242 /*
1243  * Similar to ip_fanout_sctp, except that the src addr(s) are drawn
1244  * from address parameters in an INIT ACK's address list. This
1245  * function is used when an INIT ACK is received but IP's fanout
1246  * function could not find a sctp via the normal lookup routine.
1247  * This can happen when a host sends an INIT ACK from a different
1248  * address than the INIT was sent to.
1249  *
1250  * Returns the sctp_t if found, or NULL if not found.
1251  */
1252 sctp_t *
1253 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich,
1254     uint_t ipif_seqid, zoneid_t zoneid)
1255 {
1256 	int isv4;
1257 	ipha_t *iph;
1258 	ip6_t *ip6h;
1259 	in6_addr_t dst;
1260 	in6_addr_t src;
1261 	sctp_parm_hdr_t *ph;
1262 	ssize_t remaining;
1263 	sctp_init_chunk_t *iack;
1264 	uint32_t ports;
1265 	sctp_t *sctp = NULL;
1266 
1267 	ASSERT(ich->sch_id == CHUNK_INIT_ACK);
1268 
1269 	isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
1270 	if (isv4) {
1271 		iph = (ipha_t *)mp->b_rptr;
1272 		IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst);
1273 	} else {
1274 		ip6h = (ip6_t *)mp->b_rptr;
1275 		dst = ip6h->ip6_dst;
1276 	}
1277 
1278 	ports = *(uint32_t *)sctph;
1279 
1280 	dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n",
1281 	    ports, SCTP_PRINTADDR(dst)));
1282 
1283 	/* pull out any address parameters */
1284 	remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack);
1285 	if (remaining < sizeof (*ph)) {
1286 		return (NULL);
1287 	}
1288 
1289 	iack = (sctp_init_chunk_t *)(ich + 1);
1290 	ph = (sctp_parm_hdr_t *)(iack + 1);
1291 
1292 	while (ph != NULL) {
1293 		/*
1294 		 * params have been put in host byteorder by
1295 		 * sctp_check_input()
1296 		 */
1297 		if (ph->sph_type == PARM_ADDR4) {
1298 			IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1),
1299 			    &src);
1300 
1301 			sctp = sctp_conn_match(&src, &dst, ports, ipif_seqid,
1302 			    zoneid);
1303 
1304 			dprint(1,
1305 			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1306 			    SCTP_PRINTADDR(src), sctp));
1307 
1308 
1309 			if (sctp != NULL) {
1310 				return (sctp);
1311 			}
1312 		} else if (ph->sph_type == PARM_ADDR6) {
1313 			src = *(in6_addr_t *)(ph + 1);
1314 			sctp = sctp_conn_match(&src, &dst, ports, ipif_seqid,
1315 			    zoneid);
1316 
1317 			dprint(1,
1318 			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1319 			    SCTP_PRINTADDR(src), sctp));
1320 
1321 			if (sctp != NULL) {
1322 				return (sctp);
1323 			}
1324 		}
1325 
1326 		ph = sctp_next_parm(ph, &remaining);
1327 	}
1328 
1329 	return (NULL);
1330 }
1331