xref: /illumos-gate/usr/src/uts/common/inet/sctp/sctp_cookie.c (revision e86372a01d2d16a5dd4a64e144ed978ba17fe7dd)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/systm.h>
28 #include <sys/stream.h>
29 #include <sys/cmn_err.h>
30 #include <sys/md5.h>
31 #include <sys/kmem.h>
32 #include <sys/strsubr.h>
33 #include <sys/random.h>
34 #include <sys/tsol/tnet.h>
35 
36 #include <netinet/in.h>
37 #include <netinet/ip6.h>
38 
39 #include <inet/common.h>
40 #include <inet/ip.h>
41 #include <inet/ip6.h>
42 #include <inet/ipsec_impl.h>
43 #include <inet/sctp_ip.h>
44 #include <inet/ipclassifier.h>
45 #include "sctp_impl.h"
46 
47 /*
48  * Helper function for SunCluster (PSARC/2005/602) to get the original source
49  * address from the COOKIE
50  */
51 int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *);
52 
53 /*
54  * From RFC 2104. This should probably go into libmd5 (and while
55  * we're at it, maybe we should make a libdigest so we can later
56  * add SHA1 and others, esp. since some weaknesses have been found
57  * with MD5).
58  *
59  * text		IN			pointer to data stream
60  * text_len	IN			length of data stream
61  * key		IN			pointer to authentication key
62  * key_len	IN			length of authentication key
63  * digest	OUT			caller digest to be filled in
64  */
65 static void
66 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len,
67     uchar_t *digest)
68 {
69 	MD5_CTX context;
70 	uchar_t k_ipad[65];	/* inner padding - key XORd with ipad */
71 	uchar_t k_opad[65];	/* outer padding - key XORd with opad */
72 	uchar_t tk[16];
73 	int i;
74 
75 	/* if key is longer than 64 bytes reset it to key=MD5(key) */
76 	if (key_len > 64) {
77 		MD5_CTX tctx;
78 
79 		MD5Init(&tctx);
80 		MD5Update(&tctx, key, key_len);
81 		MD5Final(tk, &tctx);
82 
83 		key = tk;
84 		key_len = 16;
85 	}
86 
87 	/*
88 	 * the HMAC_MD5 transform looks like:
89 	 *
90 	 * MD5(K XOR opad, MD5(K XOR ipad, text))
91 	 *
92 	 * where K is an n byte key
93 	 * ipad is the byte 0x36 repeated 64 times
94 	 * opad is the byte 0x5c repeated 64 times
95 	 * and text is the data being protected
96 	 */
97 
98 	/* start out by storing key in pads */
99 	bzero(k_ipad, sizeof (k_ipad));
100 	bzero(k_opad, sizeof (k_opad));
101 	bcopy(key, k_ipad, key_len);
102 	bcopy(key, k_opad, key_len);
103 
104 	/* XOR key with ipad and opad values */
105 	for (i = 0; i < 64; i++) {
106 		k_ipad[i] ^= 0x36;
107 		k_opad[i] ^= 0x5c;
108 	}
109 	/*
110 	 * perform inner MD5
111 	 */
112 	MD5Init(&context);			/* init context for 1st */
113 						/* pass */
114 	MD5Update(&context, k_ipad, 64);	/* start with inner pad */
115 	MD5Update(&context, text, text_len);	/* then text of datagram */
116 	MD5Final(digest, &context);		/* finish up 1st pass */
117 	/*
118 	 * perform outer MD5
119 	 */
120 	MD5Init(&context);			/* init context for 2nd */
121 						/* pass */
122 	MD5Update(&context, k_opad, 64);	/* start with outer pad */
123 	MD5Update(&context, digest, 16);	/* then results of 1st */
124 						/* hash */
125 	MD5Final(digest, &context);		/* finish up 2nd pass */
126 }
127 
128 /*
129  * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP
130  * info in initmp to send the abort. Otherwise, no abort will be sent.
131  *
132  * When called from stcp_send_initack() while processing parameters
133  * from a received INIT_CHUNK want_cookie will be NULL.
134  *
135  * When called from sctp_send_cookie_echo() while processing an INIT_ACK,
136  * want_cookie contains a pointer to a pointer of type *sctp_parm_hdr_t.
137  * However, this last pointer will be NULL until the cookie is processed
138  * at which time it will be set to point to a sctp_parm_hdr_t that contains
139  * the cookie info.
140  *
141  * Note: an INIT_ACK is expected to contain a cookie.
142  *
143  * When processing an INIT_ACK, an ERROR chunk and chain of one or more
144  * error CAUSE blocks will be created if unrecognized parameters marked by
145  * the sender as reportable are found.
146  *
147  * When processing an INIT chunk, a chain of one or more error CAUSE blocks
148  * will be created if unrecognized parameters marked by the sender as
149  * reportable are found. These are appended directly to the INIT_ACK chunk.
150  *
151  * In both cases the error chain is visible to the caller via *errmp.
152  *
153  * Returns 1 if the parameters are OK (or if there are no optional
154  * parameters), returns 0 otherwise.
155  */
156 static int
157 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch,
158     sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie,
159     mblk_t **errmp, int *supp_af, uint_t *sctp_options, ip_recv_attr_t *ira)
160 {
161 	sctp_parm_hdr_t		*cph;
162 	sctp_init_chunk_t	*ic;
163 	ssize_t			remaining;
164 	uint16_t		serror = 0;
165 	char			*details = NULL;
166 	size_t			errlen = 0;
167 	boolean_t		got_cookie = B_FALSE;
168 	boolean_t		got_errchunk = B_FALSE;
169 	uint16_t		ptype;
170 	sctp_mpc_t		mpc;
171 	conn_t			*connp = sctp->sctp_connp;
172 
173 
174 	ASSERT(errmp != NULL);
175 
176 	if (sctp_options != NULL)
177 		*sctp_options = 0;
178 
179 	/* First validate stream parameters */
180 	if (init->sic_instr == 0 || init->sic_outstr == 0) {
181 		serror = SCTP_ERR_BAD_MANDPARM;
182 		dprint(1, ("validate_init_params: bad sid, is=%d os=%d\n",
183 		    htons(init->sic_instr), htons(init->sic_outstr)));
184 		goto abort;
185 	}
186 	if (ntohl(init->sic_inittag) == 0) {
187 		serror = SCTP_ERR_BAD_MANDPARM;
188 		dprint(1, ("validate_init_params: inittag = 0\n"));
189 		goto abort;
190 	}
191 
192 	remaining = ntohs(ch->sch_len) - sizeof (*ch);
193 	ic = (sctp_init_chunk_t *)(ch + 1);
194 	remaining -= sizeof (*ic);
195 	if (remaining < sizeof (*cph)) {
196 		/*
197 		 * When processing a received INIT_ACK, a cookie is
198 		 * expected, if missing there is nothing to validate.
199 		 */
200 		if (want_cookie != NULL)
201 			goto cookie_abort;
202 		return (1);
203 	}
204 
205 	cph = (sctp_parm_hdr_t *)(ic + 1);
206 
207 	while (cph != NULL) {
208 		ptype = ntohs(cph->sph_type);
209 		switch (ptype) {
210 		case PARM_HBINFO:
211 		case PARM_UNRECOGNIZED:
212 		case PARM_ECN:
213 			/* just ignore them */
214 			break;
215 		case PARM_FORWARD_TSN:
216 			if (sctp_options != NULL)
217 				*sctp_options |= SCTP_PRSCTP_OPTION;
218 			break;
219 		case PARM_COOKIE:
220 			got_cookie = B_TRUE;
221 			/*
222 			 * Processing a received INIT_ACK, we have a cookie
223 			 * and a valid pointer in our caller to attach it to.
224 			 */
225 			if (want_cookie != NULL) {
226 				*want_cookie = cph;
227 			}
228 			break;
229 		case PARM_ADDR4:
230 			*supp_af |= PARM_SUPP_V4;
231 			break;
232 		case PARM_ADDR6:
233 			*supp_af |= PARM_SUPP_V6;
234 			break;
235 		case PARM_COOKIE_PRESERVE:
236 		case PARM_ADAPT_LAYER_IND:
237 			/* These are OK */
238 			break;
239 		case PARM_ADDR_HOST_NAME:
240 			/* Don't support this; abort the association */
241 			serror = SCTP_ERR_BAD_ADDR;
242 			details = (char *)cph;
243 			errlen = ntohs(cph->sph_len);
244 			dprint(1, ("sctp:validate_init_params: host addr\n"));
245 			goto abort;
246 		case PARM_SUPP_ADDRS: {
247 			/* Make sure we have a supported addr intersection */
248 			uint16_t *p, addrtype;
249 			int plen;
250 
251 			plen = ntohs(cph->sph_len);
252 			p = (uint16_t *)(cph + 1);
253 			while (plen > 0) {
254 				addrtype = ntohs(*p);
255 				switch (addrtype) {
256 				case PARM_ADDR6:
257 					*supp_af |= PARM_SUPP_V6;
258 					break;
259 				case PARM_ADDR4:
260 					*supp_af |= PARM_SUPP_V4;
261 					break;
262 				default:
263 					/*
264 					 * Do nothing, silently ignore hostname
265 					 * address.
266 					 */
267 					break;
268 				}
269 				p++;
270 				plen -= sizeof (*p);
271 			}
272 			break;
273 		}
274 		default:
275 			/*
276 			 * Handle any unrecognized params, the two high order
277 			 * bits of ptype define how the remote wants them
278 			 * handled.
279 			 * Top bit:
280 			 *    1. Continue processing other params in the chunk
281 			 *    0. Stop processing params after this one.
282 			 * 2nd bit:
283 			 *    1. Must report this unrecognized param to remote
284 			 *    0. Obey the top bit silently.
285 			 */
286 			if (ptype & SCTP_REPORT_THIS_PARAM) {
287 				if (!got_errchunk && want_cookie != NULL) {
288 					/*
289 					 * The incoming pointer want_cookie is
290 					 * NULL so processing an INIT_ACK.
291 					 * This is the first reportable param,
292 					 * create an ERROR chunk and populate
293 					 * it with a CAUSE block for this parm.
294 					 */
295 					*errmp = sctp_make_err(sctp,
296 					    PARM_UNRECOGNIZED,
297 					    (void *)cph,
298 					    ntohs(cph->sph_len));
299 					got_errchunk = B_TRUE;
300 				} else {
301 					/*
302 					 * If processing an INIT_ACK, we already
303 					 * have an ERROR chunk, just add a new
304 					 * CAUSE block and update ERROR chunk
305 					 * length.
306 					 * If processing an INIT chunk add a new
307 					 * CAUSE block to the INIT_ACK, in this
308 					 * case there is no ERROR chunk thus
309 					 * got_errchunk will be B_FALSE. Chunk
310 					 * length is computed by our caller.
311 					 */
312 					sctp_add_unrec_parm(cph, errmp,
313 					    got_errchunk);
314 				}
315 			}
316 			if (ptype & SCTP_CONT_PROC_PARAMS) {
317 				/*
318 				 * Continue processing params after this
319 				 * parameter.
320 				 */
321 				break;
322 			}
323 
324 			/*
325 			 * Stop processing params, report any reportable
326 			 * unrecognized params found so far.
327 			 */
328 			goto done;
329 		}
330 
331 		cph = sctp_next_parm(cph, &remaining);
332 	}
333 done:
334 	/*
335 	 * Some sanity checks.  The following should not fail unless the
336 	 * other side is broken.
337 	 *
338 	 * 1. If this is a V4 endpoint but V4 address is not
339 	 * supported, abort.
340 	 * 2. If this is a V6 only endpoint but V6 address is
341 	 * not supported, abort.  This assumes that a V6
342 	 * endpoint can use both V4 and V6 addresses.
343 	 * We only care about supp_af when processing INIT, i.e want_cookie
344 	 * is NULL.
345 	 */
346 	if (want_cookie == NULL &&
347 	    ((connp->conn_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) ||
348 	    (connp->conn_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) &&
349 	    sctp->sctp_connp->conn_ipv6_v6only))) {
350 		dprint(1, ("sctp:validate_init_params: supp addr\n"));
351 		serror = SCTP_ERR_BAD_ADDR;
352 		goto abort;
353 	}
354 
355 	if (want_cookie != NULL && !got_cookie) {
356 cookie_abort:
357 		/* Will populate the CAUSE block in the ABORT chunk. */
358 		mpc.mpc_num =  htons(1);
359 		mpc.mpc_param = htons(PARM_COOKIE);
360 		mpc.mpc_pad = 0;
361 
362 		dprint(1, ("validate_init_params: cookie absent\n"));
363 		sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM,
364 		    (char *)&mpc, sizeof (sctp_mpc_t), inmp, 0, B_FALSE, ira);
365 		return (0);
366 	}
367 
368 	/* OK */
369 	return (1);
370 
371 abort:
372 	if (want_cookie != NULL)
373 		return (0);
374 
375 	sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details,
376 	    errlen, inmp, 0, B_FALSE, ira);
377 	return (0);
378 }
379 
380 /*
381  * Initialize params from the INIT and INIT-ACK when the assoc. is
382  * established.
383  */
384 boolean_t
385 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init,
386     sctp_init_chunk_t *iack)
387 {
388 	/* Get initial TSN */
389 	sctp->sctp_ftsn = ntohl(init->sic_inittsn);
390 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
391 
392 	/* Serial number is initialized to the same value as the TSN */
393 	sctp->sctp_fcsn = sctp->sctp_lastacked;
394 
395 	/*
396 	 * Get verification tags; no byteordering is necessary, since
397 	 * verfication tags are never processed except for byte-by-byte
398 	 * comparisons.
399 	 */
400 	sctp->sctp_fvtag = init->sic_inittag;
401 	sctp->sctp_sctph->sh_verf = init->sic_inittag;
402 	sctp->sctp_sctph6->sh_verf = init->sic_inittag;
403 	sctp->sctp_lvtag = iack->sic_inittag;
404 
405 	/* Get the peer's rwnd */
406 	sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
407 
408 	/* Allocate the in/out-stream counters */
409 	sctp->sctp_num_ostr = iack->sic_outstr;
410 	sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
411 	    sctp->sctp_num_ostr, KM_NOSLEEP);
412 	if (sctp->sctp_ostrcntrs == NULL)
413 		return (B_FALSE);
414 
415 	sctp->sctp_num_istr = iack->sic_instr;
416 	sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
417 	    sctp->sctp_num_istr, KM_NOSLEEP);
418 	if (sctp->sctp_instr == NULL) {
419 		kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
420 		    sctp->sctp_num_ostr);
421 		sctp->sctp_ostrcntrs = NULL;
422 		return (B_FALSE);
423 	}
424 	return (B_TRUE);
425 }
426 
427 /*
428  * Copy the peer's original source address into addr. This relies on the
429  * following format (see sctp_send_initack() below):
430  *	relative timestamp for the cookie (int64_t) +
431  *	cookie lifetime (uint32_t) +
432  *	local tie-tag (uint32_t) +  peer tie-tag (uint32_t) +
433  *	Peer's original src ...
434  */
435 int
436 cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr)
437 {
438 	uchar_t	*off;
439 
440 	ASSERT(addr != NULL);
441 
442 	if (ch->sch_id != CHUNK_COOKIE)
443 		return (EINVAL);
444 
445 	off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) +
446 	    sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t);
447 
448 	bcopy(off, addr, sizeof (*addr));
449 
450 	return (0);
451 }
452 
453 #define	SCTP_CALC_COOKIE_LEN(initcp) \
454 	sizeof (int64_t) +		/* timestamp */			\
455 	sizeof (uint32_t) +		/* cookie lifetime */		\
456 	sizeof (sctp_init_chunk_t) +	/* INIT ACK */			\
457 	sizeof (in6_addr_t) +		/* peer's original source */	\
458 	ntohs((initcp)->sch_len) +	/* peer's INIT */		\
459 	sizeof (uint32_t) +		/* local tie-tag */		\
460 	sizeof (uint32_t) +		/* peer tie-tag */		\
461 	sizeof (sctp_parm_hdr_t) +	/* param header */		\
462 	16				/* MD5 hash */
463 
464 /*
465  * Note that sctp is the listener, hence we shouldn't modify it.
466  */
467 void
468 sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
469     mblk_t *initmp, ip_recv_attr_t *ira)
470 {
471 	ipha_t			*initiph;
472 	ip6_t			*initip6h;
473 	ipha_t			*iackiph = NULL;
474 	ip6_t			*iackip6h = NULL;
475 	sctp_chunk_hdr_t	*iack_ch;
476 	sctp_init_chunk_t	*iack;
477 	sctp_init_chunk_t	*init;
478 	sctp_hdr_t		*iacksh;
479 	size_t			cookielen;
480 	size_t			iacklen;
481 	size_t			ipsctplen;
482 	size_t			errlen = 0;
483 	sctp_parm_hdr_t		*cookieph;
484 	mblk_t			*iackmp;
485 	uint32_t		itag;
486 	uint32_t		itsn;
487 	int64_t			*now;
488 	int64_t			nowt;
489 	uint32_t		*lifetime;
490 	char			*p;
491 	boolean_t		 isv4;
492 	int			supp_af = 0;
493 	uint_t			sctp_options;
494 	uint32_t		*ttag;
495 	int			pad;
496 	mblk_t			*errmp = NULL;
497 	boolean_t		initcollision = B_FALSE;
498 	boolean_t		linklocal = B_FALSE;
499 	sctp_stack_t		*sctps = sctp->sctp_sctps;
500 	conn_t			*connp = sctp->sctp_connp;
501 	int			err;
502 	ip_xmit_attr_t		*ixa = NULL;
503 
504 	BUMP_LOCAL(sctp->sctp_ibchunks);
505 	isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION);
506 
507 	/* Extract the INIT chunk */
508 	if (isv4) {
509 		initiph = (ipha_t *)initmp->b_rptr;
510 		ipsctplen = sctp->sctp_ip_hdr_len;
511 		supp_af |= PARM_SUPP_V4;
512 	} else {
513 		initip6h = (ip6_t *)initmp->b_rptr;
514 		ipsctplen = sctp->sctp_ip_hdr6_len;
515 		if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src) ||
516 		    IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_dst))
517 			linklocal = B_TRUE;
518 		supp_af |= PARM_SUPP_V6;
519 		if (!sctp->sctp_connp->conn_ipv6_v6only)
520 			supp_af |= PARM_SUPP_V4;
521 	}
522 	ASSERT(OK_32PTR(initsh));
523 	init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch));
524 
525 	/* Make sure we like the peer's parameters */
526 	if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp,
527 	    &supp_af, &sctp_options, ira) == 0) {
528 		return;
529 	}
530 	if (errmp != NULL)
531 		errlen = msgdsize(errmp);
532 	if (connp->conn_family == AF_INET) {
533 		/*
534 		 * Regardless of the supported address in the INIT, v4
535 		 * must be supported.
536 		 */
537 		supp_af = PARM_SUPP_V4;
538 	}
539 	if (sctp->sctp_state <= SCTPS_LISTEN) {
540 		/* normal, expected INIT: generate new vtag and itsn */
541 		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
542 		if (itag == 0)
543 			itag = (uint32_t)gethrtime();
544 		itsn = itag + 1;
545 		itag = htonl(itag);
546 	} else if (sctp->sctp_state == SCTPS_COOKIE_WAIT ||
547 	    sctp->sctp_state == SCTPS_COOKIE_ECHOED) {
548 		/* init collision; copy vtag and itsn from sctp */
549 		itag = sctp->sctp_lvtag;
550 		itsn = sctp->sctp_ltsn;
551 		/*
552 		 * In addition we need to send all the params that was sent
553 		 * in our INIT chunk. Essentially, it is only the supported
554 		 * address params that we need to add.
555 		 */
556 		initcollision = B_TRUE;
557 		/*
558 		 * When we sent the INIT, we should have set linklocal in
559 		 * the sctp which should be good enough.
560 		 */
561 		if (linklocal)
562 			linklocal = B_FALSE;
563 	} else {
564 		/* peer restart; generate new vtag but keep everything else */
565 		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
566 		if (itag == 0)
567 			itag = (uint32_t)gethrtime();
568 		itag = htonl(itag);
569 		itsn = sctp->sctp_ltsn;
570 	}
571 
572 	/*
573 	 * Allocate a mblk for the INIT ACK, consisting of the link layer
574 	 * header, the IP header, the SCTP common header, and INIT ACK chunk,
575 	 * and finally the COOKIE parameter.
576 	 */
577 	cookielen = SCTP_CALC_COOKIE_LEN(ch);
578 	iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen;
579 	if (sctp->sctp_send_adaptation)
580 		iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t));
581 	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
582 	    sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
583 		iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION);
584 	}
585 	if (initcollision)
586 		iacklen += sctp_supaddr_param_len(sctp);
587 	if (!linklocal)
588 		iacklen += sctp_addr_params(sctp, supp_af, NULL, B_FALSE);
589 	ipsctplen += sizeof (*iacksh) + iacklen;
590 	iacklen += errlen;
591 	/*
592 	 * Padding is applied after the cookie which is the end of chunk
593 	 * unless CAUSE blocks are appended when the pad must also be
594 	 * accounted for in iacklen.
595 	 */
596 	if ((pad = ipsctplen % SCTP_ALIGN) != 0) {
597 		pad = SCTP_ALIGN - pad;
598 		ipsctplen += pad;
599 		if (errmp != NULL)
600 			iacklen += pad;
601 	}
602 
603 	/*
604 	 * Base the transmission on any routing-related socket options
605 	 * that have been set on the listener.
606 	 */
607 	ixa = conn_get_ixa_exclusive(connp);
608 	if (ixa == NULL) {
609 		sctp_send_abort(sctp, sctp_init2vtag(ch),
610 		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
611 		return;
612 	}
613 	ixa->ixa_flags &= ~IXAF_VERIFY_PMTU;
614 
615 	if (isv4)
616 		ixa->ixa_flags |= IXAF_IS_IPV4;
617 	else
618 		ixa->ixa_flags &= ~IXAF_IS_IPV4;
619 
620 	/*
621 	 * If the listen socket is bound to a trusted extensions multi-label
622 	 * port, a MAC-Exempt connection with an unlabeled node, we use the
623 	 * the security label of the received INIT packet.
624 	 * If not a multi-label port, attach the unmodified
625 	 * listener's label directly.
626 	 *
627 	 * We expect Sun developed kernel modules to properly set
628 	 * cred labels for sctp connections. We can't be so sure this
629 	 * will be done correctly when 3rd party kernel modules
630 	 * directly use sctp. We check for a NULL ira_tsl to cover this
631 	 * possibility.
632 	 */
633 	if (is_system_labeled()) {
634 		/* Discard any old label */
635 		if (ixa->ixa_free_flags & IXA_FREE_TSL) {
636 			ASSERT(ixa->ixa_tsl != NULL);
637 			label_rele(ixa->ixa_tsl);
638 			ixa->ixa_free_flags &= ~IXA_FREE_TSL;
639 			ixa->ixa_tsl = NULL;
640 		}
641 
642 		if (connp->conn_mlp_type != mlptSingle ||
643 		    connp->conn_mac_mode != CONN_MAC_DEFAULT) {
644 			if (ira->ira_tsl == NULL) {
645 				sctp_send_abort(sctp, sctp_init2vtag(ch),
646 				    SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0,
647 				    B_FALSE, ira);
648 				ixa_refrele(ixa);
649 				return;
650 			}
651 			label_hold(ira->ira_tsl);
652 			ip_xmit_attr_replace_tsl(ixa, ira->ira_tsl);
653 		} else {
654 			ixa->ixa_tsl = crgetlabel(connp->conn_cred);
655 		}
656 	}
657 
658 	iackmp = allocb(ipsctplen + sctps->sctps_wroff_xtra, BPRI_MED);
659 	if (iackmp == NULL) {
660 		sctp_send_abort(sctp, sctp_init2vtag(ch),
661 		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
662 		ixa_refrele(ixa);
663 		return;
664 	}
665 
666 	/* Copy in the [imcomplete] IP/SCTP composite header */
667 	p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra);
668 	iackmp->b_rptr = (uchar_t *)p;
669 	if (isv4) {
670 		bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len);
671 		iackiph = (ipha_t *)p;
672 
673 		/* Copy the peer's IP addr */
674 		iackiph->ipha_dst = initiph->ipha_src;
675 		iackiph->ipha_src = initiph->ipha_dst;
676 		iackiph->ipha_length = htons(ipsctplen + errlen);
677 		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len);
678 		ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr_len;
679 	} else {
680 		bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len);
681 		iackip6h = (ip6_t *)p;
682 
683 		/* Copy the peer's IP addr */
684 		iackip6h->ip6_dst = initip6h->ip6_src;
685 		iackip6h->ip6_src = initip6h->ip6_dst;
686 		iackip6h->ip6_plen = htons(ipsctplen + errlen - IPV6_HDR_LEN);
687 		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len);
688 		ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr6_len;
689 	}
690 	ixa->ixa_pktlen = ipsctplen + errlen;
691 
692 	ASSERT(OK_32PTR(iacksh));
693 
694 	/* Fill in the holes in the SCTP common header */
695 	iacksh->sh_sport = initsh->sh_dport;
696 	iacksh->sh_dport = initsh->sh_sport;
697 	iacksh->sh_verf = init->sic_inittag;
698 
699 	/* INIT ACK chunk header */
700 	iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1);
701 	iack_ch->sch_id = CHUNK_INIT_ACK;
702 	iack_ch->sch_flags = 0;
703 	iack_ch->sch_len = htons(iacklen);
704 
705 	/* The INIT ACK itself */
706 	iack = (sctp_init_chunk_t *)(iack_ch + 1);
707 	iack->sic_inittag = itag;	/* already in network byteorder */
708 	iack->sic_inittsn = htonl(itsn);
709 
710 	iack->sic_a_rwnd = htonl(sctp->sctp_rwnd);
711 	/* Advertise what we would want to have as stream #'s */
712 	iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr,
713 	    ntohs(init->sic_instr)));
714 	iack->sic_instr = htons(sctp->sctp_num_istr);
715 
716 	p = (char *)(iack + 1);
717 	p += sctp_adaptation_code_param(sctp, (uchar_t *)p);
718 	if (initcollision)
719 		p += sctp_supaddr_param(sctp, (uchar_t *)p);
720 	if (!linklocal)
721 		p += sctp_addr_params(sctp, supp_af, (uchar_t *)p, B_FALSE);
722 	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
723 	    sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
724 		p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION);
725 	}
726 	/*
727 	 * Generate and lay in the COOKIE parameter.
728 	 *
729 	 * Any change here that results in a change of location for
730 	 * the peer's orig source address must be propagated to the fn
731 	 * cl_sctp_cookie_paddr() above.
732 	 *
733 	 * The cookie consists of:
734 	 * 1. The relative timestamp for the cookie (lbolt64)
735 	 * 2. The cookie lifetime (uint32_t) in tick
736 	 * 3. The local tie-tag
737 	 * 4. The peer tie-tag
738 	 * 5. Peer's original src, used to confirm the validity of address.
739 	 * 6. Our INIT ACK chunk, less any parameters
740 	 * 7. The INIT chunk (may contain parameters)
741 	 * 8. 128-bit MD5 signature.
742 	 *
743 	 * Since the timestamp values will only be evaluated locally, we
744 	 * don't need to worry about byte-ordering them.
745 	 */
746 	cookieph = (sctp_parm_hdr_t *)p;
747 	cookieph->sph_type = htons(PARM_COOKIE);
748 	cookieph->sph_len = htons(cookielen);
749 
750 	/* timestamp */
751 	now = (int64_t *)(cookieph + 1);
752 	nowt = LBOLT_FASTPATH64;
753 	bcopy(&nowt, now, sizeof (*now));
754 
755 	/* cookie lifetime -- need configuration */
756 	lifetime = (uint32_t *)(now + 1);
757 	*lifetime = sctp->sctp_cookie_lifetime;
758 
759 	/* Set the tie-tags */
760 	ttag = (uint32_t *)(lifetime + 1);
761 	if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) {
762 		*ttag = 0;
763 		ttag++;
764 		*ttag = 0;
765 		ttag++;
766 	} else {
767 		/* local tie-tag (network byte-order) */
768 		*ttag = sctp->sctp_lvtag;
769 		ttag++;
770 		/* peer tie-tag (network byte-order) */
771 		*ttag = sctp->sctp_fvtag;
772 		ttag++;
773 	}
774 	/*
775 	 * Copy in peer's original source address so that we can confirm
776 	 * the reachability later.
777 	 */
778 	p = (char *)ttag;
779 	if (isv4) {
780 		in6_addr_t peer_addr;
781 
782 		IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr);
783 		bcopy(&peer_addr, p, sizeof (in6_addr_t));
784 	} else {
785 		bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t));
786 	}
787 	p += sizeof (in6_addr_t);
788 	/* Copy in our INIT ACK chunk */
789 	bcopy(iack, p, sizeof (*iack));
790 	iack = (sctp_init_chunk_t *)p;
791 	/* Set the # of streams we'll end up using */
792 	iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr));
793 	iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr));
794 	p += sizeof (*iack);
795 
796 	/* Copy in the peer's INIT chunk */
797 	bcopy(ch, p, ntohs(ch->sch_len));
798 	p += ntohs(ch->sch_len);
799 
800 	/*
801 	 * Calculate the HMAC ICV into the digest slot in buf.
802 	 * First, generate a new secret if the current secret is
803 	 * older than the new secret lifetime parameter permits,
804 	 * copying the current secret to sctp_old_secret.
805 	 */
806 	if (sctps->sctps_new_secret_interval > 0 &&
807 	    (sctp->sctp_last_secret_update +
808 	    MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) {
809 		bcopy(sctp->sctp_secret, sctp->sctp_old_secret,
810 		    SCTP_SECRET_LEN);
811 		(void) random_get_pseudo_bytes(sctp->sctp_secret,
812 		    SCTP_SECRET_LEN);
813 		sctp->sctp_last_secret_update = nowt;
814 	}
815 
816 	hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16,
817 	    (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p);
818 
819 	iackmp->b_wptr = iackmp->b_rptr + ipsctplen;
820 	if (pad != 0)
821 		bzero((iackmp->b_wptr - pad), pad);
822 
823 	iackmp->b_cont = errmp;		/*  OK if NULL */
824 
825 	if (is_system_labeled()) {
826 		ts_label_t *effective_tsl = NULL;
827 
828 		ASSERT(ira->ira_tsl != NULL);
829 
830 		/* Discard any old label */
831 		if (ixa->ixa_free_flags & IXA_FREE_TSL) {
832 			ASSERT(ixa->ixa_tsl != NULL);
833 			label_rele(ixa->ixa_tsl);
834 			ixa->ixa_free_flags &= ~IXA_FREE_TSL;
835 		}
836 		ixa->ixa_tsl = ira->ira_tsl;	/* A multi-level responder */
837 
838 		/*
839 		 * We need to check for label-related failures which implies
840 		 * an extra call to tsol_check_dest (as ip_output_simple
841 		 * also does a tsol_check_dest as part of computing the
842 		 * label for the packet, but ip_output_simple doesn't return
843 		 * a specific errno for that case so we can't rely on its
844 		 * check.)
845 		 */
846 		if (isv4) {
847 			err = tsol_check_dest(ixa->ixa_tsl, &iackiph->ipha_dst,
848 			    IPV4_VERSION, connp->conn_mac_mode,
849 			    connp->conn_zone_is_global, &effective_tsl);
850 		} else {
851 			err = tsol_check_dest(ixa->ixa_tsl, &iackip6h->ip6_dst,
852 			    IPV6_VERSION, connp->conn_mac_mode,
853 			    connp->conn_zone_is_global, &effective_tsl);
854 		}
855 		if (err != 0) {
856 			sctp_send_abort(sctp, sctp_init2vtag(ch),
857 			    SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE,
858 			    ira);
859 			ixa_refrele(ixa);
860 			freemsg(iackmp);
861 			return;
862 		}
863 		if (effective_tsl != NULL) {
864 			/*
865 			 * Since ip_output_simple will redo the
866 			 * tsol_check_dest, we just drop the ref.
867 			 */
868 			label_rele(effective_tsl);
869 		}
870 	}
871 
872 	BUMP_LOCAL(sctp->sctp_opkts);
873 	BUMP_LOCAL(sctp->sctp_obchunks);
874 
875 	(void) ip_output_simple(iackmp, ixa);
876 	ixa_refrele(ixa);
877 }
878 
879 void
880 sctp_send_cookie_ack(sctp_t *sctp)
881 {
882 	sctp_chunk_hdr_t *cach;
883 	mblk_t *camp;
884 	sctp_stack_t	*sctps = sctp->sctp_sctps;
885 
886 	camp = sctp_make_mp(sctp, sctp->sctp_current, sizeof (*cach));
887 	if (camp == NULL) {
888 		/* XXX should abort, but don't have the inmp anymore */
889 		SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed);
890 		return;
891 	}
892 
893 	cach = (sctp_chunk_hdr_t *)camp->b_wptr;
894 	camp->b_wptr = (uchar_t *)(cach + 1);
895 	cach->sch_id = CHUNK_COOKIE_ACK;
896 	cach->sch_flags = 0;
897 	cach->sch_len = htons(sizeof (*cach));
898 
899 	BUMP_LOCAL(sctp->sctp_obchunks);
900 
901 	sctp_set_iplen(sctp, camp, sctp->sctp_current->sf_ixa);
902 	(void) conn_ip_output(camp, sctp->sctp_current->sf_ixa);
903 	BUMP_LOCAL(sctp->sctp_opkts);
904 }
905 
906 static int
907 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code)
908 {
909 
910 	if (len < sizeof (*sph))
911 		return (-1);
912 	while (sph != NULL) {
913 		if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) &&
914 		    ntohs(sph->sph_len) >= (sizeof (*sph) +
915 		    sizeof (uint32_t))) {
916 			*adaptation_code = *(uint32_t *)(sph + 1);
917 			return (0);
918 		}
919 		sph = sctp_next_parm(sph, &len);
920 	}
921 	return (-1);
922 }
923 
924 void
925 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp,
926     ip_recv_attr_t *ira)
927 {
928 	mblk_t			*cemp;
929 	mblk_t			*mp = NULL;
930 	mblk_t			*head;
931 	mblk_t			*meta;
932 	sctp_faddr_t		*fp;
933 	sctp_chunk_hdr_t	*cech;
934 	sctp_init_chunk_t	 *iack;
935 	int32_t			cansend;
936 	int32_t			seglen;
937 	size_t			ceclen;
938 	sctp_parm_hdr_t		*cph;
939 	sctp_data_hdr_t		*sdc;
940 	sctp_tf_t		*tf;
941 	int			pad = 0;
942 	int			hdrlen;
943 	mblk_t			*errmp = NULL;
944 	uint_t			sctp_options;
945 	int			error;
946 	uint16_t		old_num_str;
947 	sctp_stack_t		*sctps = sctp->sctp_sctps;
948 
949 	sdc = NULL;
950 	seglen = 0;
951 	iack = (sctp_init_chunk_t *)(iackch + 1);
952 
953 	cph = NULL;
954 	if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp,
955 	    &pad, &sctp_options, ira) == 0) { /* result in 'pad' ignored */
956 		SCTPS_BUMP_MIB(sctps, sctpAborted);
957 		sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL);
958 		sctp_clean_death(sctp, ECONNABORTED);
959 		return;
960 	}
961 	ASSERT(cph != NULL);
962 
963 	ASSERT(sctp->sctp_cookie_mp == NULL);
964 
965 	/* Got a cookie to echo back; allocate an mblk */
966 	ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph);
967 	if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0)
968 		pad = SCTP_ALIGN - pad;
969 
970 	if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION)
971 		hdrlen = sctp->sctp_hdr_len;
972 	else
973 		hdrlen = sctp->sctp_hdr6_len;
974 
975 	cemp = allocb(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad,
976 	    BPRI_MED);
977 	if (cemp == NULL) {
978 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
979 		    sctp->sctp_current->sf_rto);
980 		if (errmp != NULL)
981 			freeb(errmp);
982 		return;
983 	}
984 	cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen);
985 
986 	/* Process the INIT ACK */
987 	sctp->sctp_sctph->sh_verf = iack->sic_inittag;
988 	sctp->sctp_sctph6->sh_verf = iack->sic_inittag;
989 	sctp->sctp_fvtag = iack->sic_inittag;
990 	sctp->sctp_ftsn = ntohl(iack->sic_inittsn);
991 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
992 	sctp->sctp_fcsn = sctp->sctp_lastacked;
993 	sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd);
994 
995 	/*
996 	 * Populate sctp with addresses given in the INIT ACK or IP header.
997 	 * Need to set the df bit in the current fp as it has been cleared
998 	 * in sctp_connect().
999 	 */
1000 	sctp->sctp_current->sf_df = B_TRUE;
1001 	sctp->sctp_ipha->ipha_fragment_offset_and_flags |= IPH_DF_HTONS;
1002 
1003 	/*
1004 	 * Since IP uses this info during the fanout process, we need to hold
1005 	 * the lock for this hash line while performing this operation.
1006 	 */
1007 	/* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, connp->conn_ports); */
1008 	ASSERT(sctp->sctp_conn_tfp != NULL);
1009 	tf = sctp->sctp_conn_tfp;
1010 	/* sctp isn't a listener so only need to hold conn fanout lock */
1011 	mutex_enter(&tf->tf_lock);
1012 	if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) {
1013 		mutex_exit(&tf->tf_lock);
1014 		freeb(cemp);
1015 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
1016 		    sctp->sctp_current->sf_rto);
1017 		if (errmp != NULL)
1018 			freeb(errmp);
1019 		return;
1020 	}
1021 	mutex_exit(&tf->tf_lock);
1022 
1023 	fp = sctp->sctp_current;
1024 
1025 	/*
1026 	 * There could be a case when we get an INIT-ACK again, if the INIT
1027 	 * is re-transmitted, for e.g., which means we would have already
1028 	 * allocated this resource earlier (also for sctp_instr). In this
1029 	 * case we check and re-allocate, if necessary.
1030 	 */
1031 	old_num_str = sctp->sctp_num_ostr;
1032 	if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr)
1033 		sctp->sctp_num_ostr = ntohs(iack->sic_instr);
1034 	if (sctp->sctp_ostrcntrs == NULL) {
1035 		sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
1036 		    sctp->sctp_num_ostr, KM_NOSLEEP);
1037 	} else {
1038 		ASSERT(old_num_str > 0);
1039 		if (old_num_str != sctp->sctp_num_ostr) {
1040 			kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
1041 			    old_num_str);
1042 			sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
1043 			    sctp->sctp_num_ostr, KM_NOSLEEP);
1044 		}
1045 	}
1046 	if (sctp->sctp_ostrcntrs == NULL) {
1047 		freeb(cemp);
1048 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
1049 		if (errmp != NULL)
1050 			freeb(errmp);
1051 		return;
1052 	}
1053 
1054 	/*
1055 	 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs
1056 	 * hold here too.
1057 	 */
1058 	old_num_str = sctp->sctp_num_istr;
1059 	if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr)
1060 		sctp->sctp_num_istr = ntohs(iack->sic_outstr);
1061 	if (sctp->sctp_instr == NULL) {
1062 		sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
1063 		    sctp->sctp_num_istr, KM_NOSLEEP);
1064 	} else {
1065 		ASSERT(old_num_str > 0);
1066 		if (old_num_str != sctp->sctp_num_istr) {
1067 			kmem_free(sctp->sctp_instr,
1068 			    sizeof (*sctp->sctp_instr) * old_num_str);
1069 			sctp->sctp_instr = kmem_zalloc(
1070 			    sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr,
1071 			    KM_NOSLEEP);
1072 		}
1073 	}
1074 	if (sctp->sctp_instr == NULL) {
1075 		kmem_free(sctp->sctp_ostrcntrs,
1076 		    sizeof (uint16_t) * sctp->sctp_num_ostr);
1077 		freeb(cemp);
1078 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
1079 		if (errmp != NULL)
1080 			freeb(errmp);
1081 		return;
1082 	}
1083 
1084 	if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware)
1085 		sctp->sctp_prsctp_aware = B_FALSE;
1086 
1087 	if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1),
1088 	    ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)),
1089 	    &sctp->sctp_rx_adaptation_code) == 0) {
1090 		sctp->sctp_recv_adaptation = 1;
1091 	}
1092 
1093 	cech = (sctp_chunk_hdr_t *)cemp->b_rptr;
1094 	ASSERT(OK_32PTR(cech));
1095 	cech->sch_id = CHUNK_COOKIE;
1096 	cech->sch_flags = 0;
1097 	cech->sch_len = htons(ceclen);
1098 
1099 	/* Copy the cookie (less the parm hdr) to the chunk */
1100 	bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph));
1101 
1102 	cemp->b_wptr = cemp->b_rptr + ceclen;
1103 
1104 	if (sctp->sctp_unsent > 0) {
1105 		sctp_msg_hdr_t	*smh;
1106 		mblk_t		*prev = NULL;
1107 		uint32_t	unsent = 0;
1108 
1109 		mp = sctp->sctp_xmit_unsent;
1110 		do {
1111 			smh = (sctp_msg_hdr_t *)mp->b_rptr;
1112 			if (smh->smh_sid >= sctp->sctp_num_ostr) {
1113 				unsent += smh->smh_msglen;
1114 				if (prev != NULL)
1115 					prev->b_next = mp->b_next;
1116 				else
1117 					sctp->sctp_xmit_unsent = mp->b_next;
1118 				mp->b_next = NULL;
1119 				sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID,
1120 				    B_FALSE);
1121 				if (prev != NULL)
1122 					mp = prev->b_next;
1123 				else
1124 					mp = sctp->sctp_xmit_unsent;
1125 			} else {
1126 				prev = mp;
1127 				mp = mp->b_next;
1128 			}
1129 		} while (mp != NULL);
1130 		if (unsent > 0) {
1131 			ASSERT(sctp->sctp_unsent >= unsent);
1132 			sctp->sctp_unsent -= unsent;
1133 			/*
1134 			 * Update ULP the amount of queued data, which is
1135 			 * sent-unack'ed + unsent.
1136 			 * This is not necessary, but doesn't harm, we
1137 			 * just use unsent instead of sent-unack'ed +
1138 			 * unsent, since there won't be any sent-unack'ed
1139 			 * here.
1140 			 */
1141 			if (!SCTP_IS_DETACHED(sctp))
1142 				SCTP_TXQ_UPDATE(sctp);
1143 		}
1144 		if (sctp->sctp_xmit_unsent == NULL)
1145 			sctp->sctp_xmit_unsent_tail = NULL;
1146 	}
1147 	ceclen += pad;
1148 	cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd);
1149 	meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen,
1150 	    cansend,  NULL);
1151 	/*
1152 	 * The error cannot be anything else since we could have an non-zero
1153 	 * error only if sctp_get_msg_to_send() tries to send a Forward
1154 	 * TSN which will not happen here.
1155 	 */
1156 	ASSERT(error == 0);
1157 	if (meta == NULL)
1158 		goto sendcookie;
1159 	sctp->sctp_xmit_tail = meta;
1160 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
1161 	seglen = ntohs(sdc->sdh_len);
1162 	if ((ceclen + seglen) > fp->sf_pmss ||
1163 	    (seglen - sizeof (*sdc)) > cansend) {
1164 		goto sendcookie;
1165 	}
1166 	/* OK, if this fails */
1167 	cemp->b_cont = dupmsg(mp);
1168 sendcookie:
1169 	head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL);
1170 	if (head == NULL) {
1171 		freemsg(cemp);
1172 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
1173 		if (errmp != NULL)
1174 			freeb(errmp);
1175 		SCTP_KSTAT(sctps, sctp_send_cookie_failed);
1176 		return;
1177 	}
1178 	/*
1179 	 * Even if cookie-echo exceeds MTU for one of the hops, it'll
1180 	 * have a chance of getting there.
1181 	 */
1182 	if (fp->sf_isv4) {
1183 		ipha_t *iph = (ipha_t *)head->b_rptr;
1184 		iph->ipha_fragment_offset_and_flags = 0;
1185 	}
1186 	BUMP_LOCAL(sctp->sctp_obchunks);
1187 
1188 	sctp->sctp_cookie_mp = dupmsg(head);
1189 	/* Don't bundle, we will just resend init if this cookie is lost. */
1190 	if (sctp->sctp_cookie_mp == NULL) {
1191 		if (cemp->b_cont != NULL) {
1192 			freemsg(cemp->b_cont);
1193 			cemp->b_cont = NULL;
1194 		}
1195 	} else if (cemp->b_cont != NULL) {
1196 		ASSERT(mp != NULL && mp == meta->b_cont);
1197 		SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont);
1198 		cemp->b_wptr += pad;
1199 		seglen -= sizeof (*sdc);
1200 		SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta);
1201 	}
1202 	if (errmp != NULL) {
1203 		if (cemp->b_cont == NULL)
1204 			cemp->b_wptr += pad;
1205 		linkb(head, errmp);
1206 	}
1207 	sctp->sctp_state = SCTPS_COOKIE_ECHOED;
1208 	SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
1209 
1210 	sctp_set_iplen(sctp, head, fp->sf_ixa);
1211 	(void) conn_ip_output(head, fp->sf_ixa);
1212 	BUMP_LOCAL(sctp->sctp_opkts);
1213 }
1214 
1215 int
1216 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
1217     sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaptation,
1218     in6_addr_t *peer_addr, ip_recv_attr_t *ira)
1219 {
1220 	int32_t			clen;
1221 	size_t			initplen;
1222 	uchar_t			*p;
1223 	uchar_t			*given_hash;
1224 	uchar_t			needed_hash[16];
1225 	int64_t			ts;
1226 	int64_t			diff;
1227 	uint32_t		*lt;
1228 	sctp_init_chunk_t	*iack;
1229 	sctp_chunk_hdr_t	*initch;
1230 	sctp_init_chunk_t	*init;
1231 	uint32_t		*lttag;
1232 	uint32_t		*fttag;
1233 	uint32_t		ports;
1234 	sctp_stack_t		*sctps = sctp->sctp_sctps;
1235 	conn_t			*connp = sctp->sctp_connp;
1236 
1237 	BUMP_LOCAL(sctp->sctp_ibchunks);
1238 	/* Verify the ICV */
1239 	clen = ntohs(ch->sch_len) - sizeof (*ch) - 16;
1240 	if (clen < 0) {
1241 		dprint(1, ("invalid cookie chunk length %d\n",
1242 		    ntohs(ch->sch_len)));
1243 
1244 		return (-1);
1245 	}
1246 	p = (uchar_t *)(ch + 1);
1247 
1248 	hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN,
1249 	    needed_hash);
1250 
1251 	/* The given hash follows the cookie data */
1252 	given_hash = p + clen;
1253 
1254 	if (bcmp(given_hash, needed_hash, 16) != 0) {
1255 		/* The secret may have changed; try the old secret */
1256 		hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret,
1257 		    SCTP_SECRET_LEN, needed_hash);
1258 		if (bcmp(given_hash, needed_hash, 16) != 0) {
1259 			return (-1);
1260 		}
1261 	}
1262 
1263 	/* Timestamp is int64_t, and we only guarantee 32-bit alignment */
1264 	bcopy(p, &ts, sizeof (ts));
1265 	/* Cookie life time, uint32_t */
1266 	lt = (uint32_t *)(p + sizeof (ts));
1267 
1268 	/*
1269 	 * To quote PRC, "this is our baby", so let's continue.
1270 	 * We need to pull out the encapsulated INIT ACK and
1271 	 * INIT chunks. Note that we don't process these until
1272 	 * we have verified the timestamp, but we need them before
1273 	 * processing the timestamp since if the time check fails,
1274 	 * we need to get the verification tag from the INIT in order
1275 	 * to send a stale cookie error.
1276 	 */
1277 	lttag = (uint32_t *)(lt + 1);
1278 	fttag = lttag + 1;
1279 	if (peer_addr != NULL)
1280 		bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t));
1281 	iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t));
1282 	initch = (sctp_chunk_hdr_t *)(iack + 1);
1283 	init = (sctp_init_chunk_t *)(initch + 1);
1284 	initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch));
1285 	*iackpp = iack;
1286 	*recv_adaptation = 0;
1287 
1288 	/*
1289 	 * Check the staleness of the Cookie, specified in 3.3.10.3 of
1290 	 * RFC 2960.
1291 	 *
1292 	 * The mesaure of staleness is the difference, in microseconds,
1293 	 * between the current time and the time the State Cookie expires.
1294 	 * So it is lbolt64 - (ts + *lt).  If it is positive, it means
1295 	 * that the Cookie has expired.
1296 	 */
1297 	diff = LBOLT_FASTPATH64 - (ts + *lt);
1298 	if (diff > 0 && (init->sic_inittag != sctp->sctp_fvtag ||
1299 	    iack->sic_inittag != sctp->sctp_lvtag)) {
1300 		uint32_t staleness;
1301 
1302 		staleness = TICK_TO_USEC(diff);
1303 		staleness = htonl(staleness);
1304 		sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE,
1305 		    (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE,
1306 		    ira);
1307 
1308 		dprint(1, ("stale cookie %d\n", staleness));
1309 
1310 		return (-1);
1311 	}
1312 
1313 	/* Check for attack by adding addresses to a restart */
1314 	bcopy(insctph, &ports, sizeof (ports));
1315 	if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP,
1316 	    sctps, ira) != 1) {
1317 		return (-1);
1318 	}
1319 
1320 	/* Look for adaptation code if there any parms in the INIT chunk */
1321 	if ((initplen >= sizeof (sctp_parm_hdr_t)) &&
1322 	    (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen,
1323 	    &sctp->sctp_rx_adaptation_code) == 0)) {
1324 		*recv_adaptation = 1;
1325 	}
1326 
1327 	/* Examine tie-tags */
1328 
1329 	if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) {
1330 		if (sctp->sctp_state == SCTPS_ESTABLISHED &&
1331 		    init->sic_inittag == sctp->sctp_fvtag &&
1332 		    iack->sic_inittag == sctp->sctp_lvtag &&
1333 		    *fttag == 0 && *lttag == 0) {
1334 
1335 			dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n",
1336 			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1337 			    (int)(connp->conn_fport)));
1338 			return (-1);
1339 		}
1340 
1341 		if (init->sic_inittag != sctp->sctp_fvtag &&
1342 		    iack->sic_inittag != sctp->sctp_lvtag &&
1343 		    *fttag == sctp->sctp_fvtag &&
1344 		    *lttag == sctp->sctp_lvtag) {
1345 			int i;
1346 
1347 			/* Section 5.2.4 case A: restart */
1348 			sctp->sctp_fvtag = init->sic_inittag;
1349 			sctp->sctp_lvtag = iack->sic_inittag;
1350 
1351 			sctp->sctp_sctph->sh_verf = init->sic_inittag;
1352 			sctp->sctp_sctph6->sh_verf = init->sic_inittag;
1353 
1354 			sctp->sctp_ftsn = ntohl(init->sic_inittsn);
1355 			sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
1356 			sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
1357 			sctp->sctp_fcsn = sctp->sctp_lastacked;
1358 
1359 			if (sctp->sctp_state < SCTPS_ESTABLISHED)
1360 				SCTP_ASSOC_EST(sctps, sctp);
1361 
1362 			dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n",
1363 			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1364 			    (int)(connp->conn_fport)));
1365 			/* reset parameters */
1366 			sctp_congest_reset(sctp);
1367 
1368 			/* reset stream bookkeeping */
1369 			sctp_instream_cleanup(sctp, B_FALSE);
1370 
1371 			sctp->sctp_istr_nmsgs = 0;
1372 			sctp->sctp_rxqueued = 0;
1373 			for (i = 0; i < sctp->sctp_num_ostr; i++) {
1374 				sctp->sctp_ostrcntrs[i] = 0;
1375 			}
1376 			/* XXX flush xmit_list? */
1377 
1378 			return (0);
1379 		} else if (init->sic_inittag != sctp->sctp_fvtag &&
1380 		    iack->sic_inittag == sctp->sctp_lvtag) {
1381 
1382 			/* Section 5.2.4 case B: INIT collision */
1383 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1384 				if (!sctp_initialize_params(sctp, init, iack))
1385 					return (-1);	/* Drop? */
1386 				SCTP_ASSOC_EST(sctps, sctp);
1387 			}
1388 
1389 			dprint(1, ("init collision with %x:%x:%x:%x (%d)\n",
1390 			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1391 			    (int)(connp->conn_fport)));
1392 
1393 			return (0);
1394 		} else if (iack->sic_inittag != sctp->sctp_lvtag &&
1395 		    init->sic_inittag == sctp->sctp_fvtag &&
1396 		    *fttag == 0 && *lttag == 0) {
1397 
1398 			/* Section 5.2.4 case C: late COOKIE */
1399 			dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n",
1400 			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1401 			    (int)(connp->conn_fport)));
1402 			return (-1);
1403 		} else if (init->sic_inittag == sctp->sctp_fvtag &&
1404 		    iack->sic_inittag == sctp->sctp_lvtag) {
1405 
1406 			/*
1407 			 * Section 5.2.4 case D: COOKIE ECHO retransmit
1408 			 * Don't check cookie lifetime
1409 			 */
1410 			dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n",
1411 			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1412 			    (int)(connp->conn_fport)));
1413 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1414 				if (!sctp_initialize_params(sctp, init, iack))
1415 					return (-1);	/* Drop? */
1416 				SCTP_ASSOC_EST(sctps, sctp);
1417 			}
1418 			return (0);
1419 		} else {
1420 			/* unrecognized case -- silently drop it */
1421 			return (-1);
1422 		}
1423 	}
1424 
1425 	return (0);
1426 }
1427 
1428 /*
1429  * Similar to ip_fanout_sctp, except that the src addr(s) are drawn
1430  * from address parameters in an INIT ACK's address list. This
1431  * function is used when an INIT ACK is received but IP's fanout
1432  * function could not find a sctp via the normal lookup routine.
1433  * This can happen when a host sends an INIT ACK from a different
1434  * address than the INIT was sent to.
1435  *
1436  * Returns the sctp_t if found, or NULL if not found.
1437  */
1438 sctp_t *
1439 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich,
1440     zoneid_t zoneid, sctp_stack_t *sctps)
1441 {
1442 	int isv4;
1443 	ipha_t *iph;
1444 	ip6_t *ip6h;
1445 	in6_addr_t dst;
1446 	in6_addr_t src, *srcp = &src;
1447 	sctp_parm_hdr_t *ph;
1448 	ssize_t remaining;
1449 	sctp_init_chunk_t *iack;
1450 	uint32_t ports;
1451 	sctp_t *sctp = NULL;
1452 
1453 	ASSERT(ich->sch_id == CHUNK_INIT_ACK);
1454 
1455 	isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
1456 	if (isv4) {
1457 		iph = (ipha_t *)mp->b_rptr;
1458 		IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst);
1459 	} else {
1460 		ip6h = (ip6_t *)mp->b_rptr;
1461 		dst = ip6h->ip6_dst;
1462 	}
1463 
1464 	ports = *(uint32_t *)sctph;
1465 
1466 	dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n",
1467 	    ports, SCTP_PRINTADDR(dst)));
1468 
1469 	/* pull out any address parameters */
1470 	remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack);
1471 	if (remaining < sizeof (*ph)) {
1472 		return (NULL);
1473 	}
1474 
1475 	iack = (sctp_init_chunk_t *)(ich + 1);
1476 	ph = (sctp_parm_hdr_t *)(iack + 1);
1477 
1478 	while (ph != NULL) {
1479 		/*
1480 		 * params have been verified in sctp_check_input(),
1481 		 * so no need to do it again here.
1482 		 *
1483 		 * For labeled systems, there's no need to check the
1484 		 * label here.  It's known to be good as we checked
1485 		 * before allowing the connection to become bound.
1486 		 *
1487 		 * According to RFC4960 :
1488 		 * All integer fields in an SCTP packet MUST be transmitted
1489 		 * in network byte order, unless otherwise stated.
1490 		 * Therefore convert the param type to network byte order.
1491 		 */
1492 		if (ph->sph_type == htons(PARM_ADDR4)) {
1493 			IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1),
1494 			    srcp);
1495 
1496 			sctp = sctp_conn_match(&srcp, 1, &dst, ports, zoneid,
1497 			    0, sctps);
1498 
1499 			dprint(1,
1500 			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1501 			    SCTP_PRINTADDR(src), (void *)sctp));
1502 
1503 
1504 			if (sctp != NULL) {
1505 				return (sctp);
1506 			}
1507 		} else if (ph->sph_type == htons(PARM_ADDR6)) {
1508 			srcp = (in6_addr_t *)(ph + 1);
1509 			sctp = sctp_conn_match(&srcp, 1, &dst, ports, zoneid,
1510 			    0, sctps);
1511 
1512 			dprint(1,
1513 			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1514 			    SCTP_PRINTADDR(src), (void *)sctp));
1515 
1516 			if (sctp != NULL) {
1517 				return (sctp);
1518 			}
1519 		}
1520 
1521 		ph = sctp_next_parm(ph, &remaining);
1522 	}
1523 
1524 	return (NULL);
1525 }
1526