1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/types.h> 30 #include <sys/systm.h> 31 #include <sys/stream.h> 32 #include <sys/cmn_err.h> 33 #include <sys/md5.h> 34 #include <sys/kmem.h> 35 #include <sys/strsubr.h> 36 #include <sys/random.h> 37 38 #include <netinet/in.h> 39 #include <netinet/ip6.h> 40 41 #include <inet/common.h> 42 #include <inet/ip.h> 43 #include <inet/ip6.h> 44 #include <inet/sctp_ip.h> 45 #include <inet/ipclassifier.h> 46 #include "sctp_impl.h" 47 48 /* 49 * From RFC 2104. This should probably go into libmd5 (and while 50 * we're at it, maybe we should make a libdigest so we can later 51 * add SHA1 and others, esp. since some weaknesses have been found 52 * with MD5). 53 * 54 * text IN pointer to data stream 55 * text_len IN length of data stream 56 * key IN pointer to authentication key 57 * key_len IN length of authentication key 58 * digest OUT caller digest to be filled in 59 */ 60 static void 61 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len, 62 uchar_t *digest) 63 { 64 MD5_CTX context; 65 uchar_t k_ipad[65]; /* inner padding - key XORd with ipad */ 66 uchar_t k_opad[65]; /* outer padding - key XORd with opad */ 67 uchar_t tk[16]; 68 int i; 69 70 /* if key is longer than 64 bytes reset it to key=MD5(key) */ 71 if (key_len > 64) { 72 MD5_CTX tctx; 73 74 MD5Init(&tctx); 75 MD5Update(&tctx, key, key_len); 76 MD5Final(tk, &tctx); 77 78 key = tk; 79 key_len = 16; 80 } 81 82 /* 83 * the HMAC_MD5 transform looks like: 84 * 85 * MD5(K XOR opad, MD5(K XOR ipad, text)) 86 * 87 * where K is an n byte key 88 * ipad is the byte 0x36 repeated 64 times 89 * opad is the byte 0x5c repeated 64 times 90 * and text is the data being protected 91 */ 92 93 /* start out by storing key in pads */ 94 bzero(k_ipad, sizeof (k_ipad)); 95 bzero(k_opad, sizeof (k_opad)); 96 bcopy(key, k_ipad, key_len); 97 bcopy(key, k_opad, key_len); 98 99 /* XOR key with ipad and opad values */ 100 for (i = 0; i < 64; i++) { 101 k_ipad[i] ^= 0x36; 102 k_opad[i] ^= 0x5c; 103 } 104 /* 105 * perform inner MD5 106 */ 107 MD5Init(&context); /* init context for 1st */ 108 /* pass */ 109 MD5Update(&context, k_ipad, 64); /* start with inner pad */ 110 MD5Update(&context, text, text_len); /* then text of datagram */ 111 MD5Final(digest, &context); /* finish up 1st pass */ 112 /* 113 * perform outer MD5 114 */ 115 MD5Init(&context); /* init context for 2nd */ 116 /* pass */ 117 MD5Update(&context, k_opad, 64); /* start with outer pad */ 118 MD5Update(&context, digest, 16); /* then results of 1st */ 119 /* hash */ 120 MD5Final(digest, &context); /* finish up 2nd pass */ 121 } 122 123 /* 124 * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP 125 * info in initmp to send the abort. Otherwise, no abort will be sent. 126 * If errmp is non-NULL, a chain of unrecognized parameters will 127 * be created and returned via *errmp. 128 * 129 * Returns 1 if the parameters are OK (or there are no parameters), or 130 * 0 if not. 131 */ 132 static int 133 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch, 134 sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie, 135 mblk_t **errmp, int *supp_af, uint_t *sctp_options) 136 { 137 sctp_parm_hdr_t *cph; 138 sctp_init_chunk_t *ic; 139 ssize_t remaining; 140 uint16_t serror = 0; 141 char *details = NULL; 142 size_t errlen = 0; 143 boolean_t got_cookie = B_FALSE; 144 uint16_t ptype; 145 146 if (sctp_options != NULL) 147 *sctp_options = 0; 148 149 /* First validate stream parameters */ 150 if (init->sic_instr == 0 || init->sic_outstr == 0) { 151 serror = SCTP_ERR_BAD_MANDPARM; 152 dprint(1, 153 ("validate_init_params: bad sid, is=%d os=%d\n", 154 htons(init->sic_instr), htons(init->sic_outstr))); 155 goto abort; 156 } 157 if (ntohl(init->sic_inittag) == 0) { 158 serror = SCTP_ERR_BAD_MANDPARM; 159 dprint(1, ("validate_init_params: inittag = 0\n")); 160 goto abort; 161 } 162 163 remaining = ntohs(ch->sch_len) - sizeof (*ch); 164 ic = (sctp_init_chunk_t *)(ch + 1); 165 remaining -= sizeof (*ic); 166 if (remaining < sizeof (*cph)) { 167 /* Nothing to validate */ 168 if (want_cookie != NULL) 169 goto cookie_abort; 170 return (1); 171 } 172 173 cph = (sctp_parm_hdr_t *)(ic + 1); 174 175 while (cph != NULL) { 176 ptype = ntohs(cph->sph_type); 177 switch (ptype) { 178 case PARM_HBINFO: 179 case PARM_UNRECOGNIZED: 180 case PARM_ECN: 181 /* just ignore them */ 182 break; 183 case PARM_FORWARD_TSN: 184 if (sctp_options != NULL) 185 *sctp_options |= SCTP_PRSCTP_OPTION; 186 break; 187 case PARM_COOKIE: 188 got_cookie = B_TRUE; 189 if (want_cookie != NULL) { 190 *want_cookie = cph; 191 } 192 break; 193 case PARM_ADDR4: 194 *supp_af |= PARM_SUPP_V4; 195 break; 196 case PARM_ADDR6: 197 *supp_af |= PARM_SUPP_V6; 198 break; 199 case PARM_COOKIE_PRESERVE: 200 case PARM_ADAPT_LAYER_IND: 201 /* These are OK */ 202 break; 203 case PARM_ADDR_HOST_NAME: 204 /* Don't support this; abort the association */ 205 serror = SCTP_ERR_BAD_ADDR; 206 details = (char *)cph; 207 errlen = ntohs(cph->sph_len); 208 dprint(1, ("sctp:validate_init_params: host addr\n")); 209 goto abort; 210 case PARM_SUPP_ADDRS: { 211 /* Make sure we have a supported addr intersection */ 212 uint16_t *p, addrtype; 213 int plen; 214 215 plen = ntohs(cph->sph_len); 216 p = (uint16_t *)(cph + 1); 217 while (plen > 0) { 218 addrtype = ntohs(*p); 219 switch (addrtype) { 220 case PARM_ADDR6: 221 *supp_af |= PARM_SUPP_V6; 222 break; 223 case PARM_ADDR4: 224 *supp_af |= PARM_SUPP_V4; 225 break; 226 default: 227 /* 228 * Do nothing, silently ignore hostname 229 * address. 230 */ 231 break; 232 } 233 p++; 234 plen -= sizeof (*p); 235 } 236 break; 237 } 238 default: 239 /* Unrecognized param; check the high order bits */ 240 if ((ptype & 0xc000) == 0xc000) { 241 /* 242 * report unrecognized param, and 243 * keep processing 244 */ 245 if (errmp != NULL) { 246 if (want_cookie != NULL) { 247 *errmp = sctp_make_err(sctp, 248 PARM_UNRECOGNIZED, 249 (void *)cph, 250 ntohs(cph->sph_len)); 251 } else { 252 sctp_add_unrec_parm(cph, errmp); 253 } 254 } 255 break; 256 } 257 if (ptype & 0x4000) { 258 /* 259 * Stop processing and drop; report 260 * unrecognized param 261 */ 262 serror = SCTP_ERR_UNREC_PARM; 263 details = (char *)cph; 264 errlen = ntohs(cph->sph_len); 265 goto abort; 266 } 267 if (ptype & 0x8000) { 268 /* skip and continue processing */ 269 break; 270 } 271 272 /* 273 * 2 high bits are clear; stop processing and 274 * drop packet 275 */ 276 return (0); 277 } 278 279 cph = sctp_next_parm(cph, &remaining); 280 } 281 /* 282 * Some sanity checks. The following should not fail unless the 283 * other side is broken. 284 * 285 * 1. If this is a V4 endpoint but V4 address is not 286 * supported, abort. 287 * 2. If this is a V6 only endpoint but V6 address is 288 * not supported, abort. This assumes that a V6 289 * endpoint can use both V4 and V6 addresses. 290 * We only care about supp_af when processing INIT, i.e want_cookie 291 * is NULL. 292 */ 293 if (want_cookie == NULL && 294 ((sctp->sctp_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) || 295 (sctp->sctp_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) && 296 sctp->sctp_connp->conn_ipv6_v6only))) { 297 dprint(1, ("sctp:validate_init_params: supp addr\n")); 298 serror = SCTP_ERR_BAD_ADDR; 299 goto abort; 300 } 301 302 if (want_cookie != NULL && !got_cookie) { 303 cookie_abort: 304 dprint(1, ("validate_init_params: cookie absent\n")); 305 sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM, 306 details, errlen, inmp, 0, B_FALSE); 307 return (0); 308 } 309 310 /* OK */ 311 return (1); 312 313 abort: 314 if (want_cookie != NULL) 315 return (0); 316 317 sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details, 318 errlen, inmp, 0, B_FALSE); 319 return (0); 320 } 321 322 /* 323 * Initialize params from the INIT and INIT-ACK when the assoc. is 324 * established. 325 */ 326 boolean_t 327 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init, 328 sctp_init_chunk_t *iack) 329 { 330 /* Get initial TSN */ 331 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 332 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 333 334 /* Serial number is initialized to the same value as the TSN */ 335 sctp->sctp_fcsn = sctp->sctp_lastacked; 336 337 /* 338 * Get verification tags; no byteordering is necessary, since 339 * verfication tags are never processed except for byte-by-byte 340 * comparisons. 341 */ 342 sctp->sctp_fvtag = init->sic_inittag; 343 sctp->sctp_sctph->sh_verf = init->sic_inittag; 344 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 345 sctp->sctp_lvtag = iack->sic_inittag; 346 347 /* Get the peer's rwnd */ 348 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 349 350 /* Allocate the in/out-stream counters */ 351 sctp->sctp_num_ostr = iack->sic_outstr; 352 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 353 sctp->sctp_num_ostr, KM_NOSLEEP); 354 if (sctp->sctp_ostrcntrs == NULL) 355 return (B_FALSE); 356 357 sctp->sctp_num_istr = iack->sic_instr; 358 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 359 sctp->sctp_num_istr, KM_NOSLEEP); 360 if (sctp->sctp_instr == NULL) { 361 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 362 sctp->sctp_num_ostr); 363 sctp->sctp_ostrcntrs = NULL; 364 return (B_FALSE); 365 } 366 return (B_TRUE); 367 } 368 369 #define SCTP_CALC_COOKIE_LEN(initcp) \ 370 sizeof (int64_t) + /* timestamp */ \ 371 sizeof (uint32_t) + /* cookie lifetime */ \ 372 sizeof (sctp_init_chunk_t) + /* INIT ACK */ \ 373 sizeof (in6_addr_t) + /* peer's original source */ \ 374 ntohs((initcp)->sch_len) + /* peer's INIT */ \ 375 sizeof (uint32_t) + /* local tie-tag */ \ 376 sizeof (uint32_t) + /* peer tie-tag */ \ 377 sizeof (sctp_parm_hdr_t) + /* param header */ \ 378 16 /* MD5 hash */ 379 380 void 381 sctp_send_initack(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *initmp) 382 { 383 ipha_t *initiph; 384 ip6_t *initip6h; 385 ipha_t *iackiph; 386 ip6_t *iackip6h; 387 sctp_chunk_hdr_t *iack_ch; 388 sctp_init_chunk_t *iack; 389 sctp_init_chunk_t *init; 390 sctp_hdr_t *iacksh; 391 sctp_hdr_t *initsh; 392 size_t cookielen; 393 size_t iacklen; 394 size_t ipsctplen; 395 size_t errlen = 0; 396 sctp_parm_hdr_t *cookieph; 397 mblk_t *iackmp; 398 uint32_t itag; 399 uint32_t itsn; 400 int64_t *now; 401 int64_t nowt; 402 uint32_t *lifetime; 403 char *p; 404 boolean_t isv4; 405 int supp_af = 0; 406 uint_t sctp_options; 407 uint32_t *ttag; 408 int pad; 409 mblk_t *errmp = NULL; 410 boolean_t initcollision = B_FALSE; 411 boolean_t linklocal = B_FALSE; 412 413 BUMP_LOCAL(sctp->sctp_ibchunks); 414 isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION); 415 416 /* Extract the INIT chunk */ 417 if (isv4) { 418 initiph = (ipha_t *)initmp->b_rptr; 419 initsh = (sctp_hdr_t *)((char *)initiph + 420 IPH_HDR_LENGTH(initmp->b_rptr)); 421 ipsctplen = sctp->sctp_ip_hdr_len; 422 supp_af |= PARM_SUPP_V4; 423 } else { 424 initip6h = (ip6_t *)initmp->b_rptr; 425 initsh = (sctp_hdr_t *)(initip6h + 1); 426 ipsctplen = sctp->sctp_ip_hdr6_len; 427 if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src)) 428 linklocal = B_TRUE; 429 supp_af |= PARM_SUPP_V6; 430 } 431 ASSERT(OK_32PTR(initsh)); 432 init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch)); 433 434 /* Make sure we like the peer's parameters */ 435 if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp, 436 &supp_af, &sctp_options) == 0) { 437 return; 438 } 439 if (errmp != NULL) 440 errlen = msgdsize(errmp); 441 if (sctp->sctp_family == AF_INET) { 442 /* 443 * Irregardless of the supported address in the INIT, v4 444 * must be supported. 445 */ 446 supp_af = PARM_SUPP_V4; 447 } 448 if (sctp->sctp_state <= SCTPS_LISTEN) { 449 /* normal, expected INIT: generate new vtag and itsn */ 450 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 451 if (itag == 0) 452 itag = (uint32_t)gethrtime(); 453 itsn = itag + 1; 454 itag = htonl(itag); 455 } else if (sctp->sctp_state == SCTPS_COOKIE_WAIT || 456 sctp->sctp_state == SCTPS_COOKIE_ECHOED) { 457 /* init collision; copy vtag and itsn from sctp */ 458 itag = sctp->sctp_lvtag; 459 itsn = sctp->sctp_ltsn; 460 /* 461 * In addition we need to send all the params that was sent 462 * in our INIT chunk. Essentially, it is only the supported 463 * address params that we need to add. 464 */ 465 initcollision = B_TRUE; 466 /* 467 * When we sent the INIT, we should have set linklocal in 468 * the sctp which should be good enough. 469 */ 470 if (linklocal) 471 linklocal = B_FALSE; 472 } else { 473 /* peer restart; generate new vtag but keep everything else */ 474 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 475 if (itag == 0) 476 itag = (uint32_t)gethrtime(); 477 itag = htonl(itag); 478 itsn = sctp->sctp_ltsn; 479 } 480 481 /* 482 * Allocate a mblk for the INIT ACK, consisting of the link layer 483 * header, the IP header, the SCTP common header, and INIT ACK chunk, 484 * and finally the COOKIE parameter. 485 */ 486 cookielen = SCTP_CALC_COOKIE_LEN(ch); 487 iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen; 488 if (sctp->sctp_send_adaption) 489 iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t)); 490 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 491 sctp->sctp_prsctp_aware && sctp_prsctp_enabled) { 492 iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION); 493 } 494 if (initcollision) 495 iacklen += sctp_supaddr_param_len(sctp); 496 if (!linklocal) 497 iacklen += sctp_addr_params_len(sctp, supp_af, B_FALSE); 498 ipsctplen += sizeof (*iacksh) + iacklen; 499 iacklen += errlen; 500 if ((pad = ipsctplen % 4) != 0) { 501 pad = 4 - pad; 502 ipsctplen += pad; 503 } 504 iackmp = allocb(ipsctplen + sctp_wroff_xtra, BPRI_MED); 505 if (iackmp == NULL) { 506 sctp_send_abort(sctp, sctp_init2vtag(ch), 507 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 508 return; 509 } 510 511 /* Copy in the [imcomplete] IP/SCTP composite header */ 512 p = (char *)(iackmp->b_rptr + sctp_wroff_xtra); 513 iackmp->b_rptr = (uchar_t *)p; 514 if (isv4) { 515 bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len); 516 iackiph = (ipha_t *)p; 517 518 /* Copy the peer's IP addr */ 519 iackiph->ipha_dst = initiph->ipha_src; 520 iackiph->ipha_src = initiph->ipha_dst; 521 iackiph->ipha_length = htons(ipsctplen + errlen); 522 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len); 523 } else { 524 bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len); 525 iackip6h = (ip6_t *)p; 526 527 /* Copy the peer's IP addr */ 528 iackip6h->ip6_dst = initip6h->ip6_src; 529 iackip6h->ip6_src = initip6h->ip6_dst; 530 iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) + 531 errlen); 532 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len); 533 } 534 ASSERT(OK_32PTR(iacksh)); 535 536 /* Fill in the holes in the SCTP common header */ 537 iacksh->sh_sport = initsh->sh_dport; 538 iacksh->sh_dport = initsh->sh_sport; 539 iacksh->sh_verf = init->sic_inittag; 540 541 /* INIT ACK chunk header */ 542 iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1); 543 iack_ch->sch_id = CHUNK_INIT_ACK; 544 iack_ch->sch_flags = 0; 545 iack_ch->sch_len = htons(iacklen); 546 547 /* The INIT ACK itself */ 548 iack = (sctp_init_chunk_t *)(iack_ch + 1); 549 iack->sic_inittag = itag; /* already in network byteorder */ 550 iack->sic_inittsn = htonl(itsn); 551 552 iack->sic_a_rwnd = htonl(sctp->sctp_rwnd); 553 /* Advertise what we would want to have as stream #'s */ 554 iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr, 555 ntohs(init->sic_instr))); 556 iack->sic_instr = htons(sctp->sctp_num_istr); 557 558 p = (char *)(iack + 1); 559 p += sctp_adaption_code_param(sctp, (uchar_t *)p); 560 if (initcollision) 561 p += sctp_supaddr_param(sctp, (uchar_t *)p); 562 if (!linklocal) 563 p += sctp_addr_params(sctp, supp_af, (uchar_t *)p); 564 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 565 sctp->sctp_prsctp_aware && sctp_prsctp_enabled) { 566 p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION); 567 } 568 /* 569 * Generate and lay in the COOKIE parameter. 570 * 571 * The cookie consists of: 572 * 1. The relative timestamp for the cookie (lbolt64) 573 * 2. The cookie lifetime (uint32_t) in tick 574 * 3. The local tie-tag 575 * 4. The peer tie-tag 576 * 5. Peer's original src, used to confirm the validity of address. 577 * 6. Our INIT ACK chunk, less any parameters 578 * 7. The INIT chunk (may contain parameters) 579 * 8. 128-bit MD5 signature. 580 * 581 * Since the timestamp values will only be evaluated locally, we 582 * don't need to worry about byte-ordering them. 583 */ 584 cookieph = (sctp_parm_hdr_t *)p; 585 cookieph->sph_type = htons(PARM_COOKIE); 586 cookieph->sph_len = htons(cookielen); 587 588 /* timestamp */ 589 now = (int64_t *)(cookieph + 1); 590 nowt = lbolt64; 591 bcopy(&nowt, now, sizeof (*now)); 592 593 /* cookie lifetime -- need configuration */ 594 lifetime = (uint32_t *)(now + 1); 595 *lifetime = sctp->sctp_cookie_lifetime; 596 597 /* Set the tie-tags */ 598 ttag = (uint32_t *)(lifetime + 1); 599 if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) { 600 *ttag = 0; 601 ttag++; 602 *ttag = 0; 603 ttag++; 604 } else { 605 /* local tie-tag (network byte-order) */ 606 *ttag = sctp->sctp_lvtag; 607 ttag++; 608 /* peer tie-tag (network byte-order) */ 609 *ttag = sctp->sctp_fvtag; 610 ttag++; 611 } 612 /* 613 * Copy in peer's original source address so that we can confirm 614 * the reachability later. 615 */ 616 p = (char *)ttag; 617 if (isv4) { 618 in6_addr_t peer_addr; 619 620 IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr); 621 bcopy(&peer_addr, p, sizeof (in6_addr_t)); 622 } else { 623 bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t)); 624 } 625 p += sizeof (in6_addr_t); 626 /* Copy in our INIT ACK chunk */ 627 bcopy(iack, p, sizeof (*iack)); 628 iack = (sctp_init_chunk_t *)p; 629 /* Set the # of streams we'll end up using */ 630 iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr)); 631 iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr)); 632 p += sizeof (*iack); 633 634 /* Copy in the peer's INIT chunk */ 635 bcopy(ch, p, ntohs(ch->sch_len)); 636 p += ntohs(ch->sch_len); 637 638 /* 639 * Calculate the HMAC ICV into the digest slot in buf. 640 * First, generate a new secret if the current secret is 641 * older than the new secret lifetime parameter permits, 642 * copying the current secret to sctp_old_secret. 643 */ 644 if (sctp_new_secret_interval > 0 && 645 (sctp->sctp_last_secret_update + 646 MSEC_TO_TICK(sctp_new_secret_interval)) <= nowt) { 647 bcopy(sctp->sctp_secret, sctp->sctp_old_secret, 648 SCTP_SECRET_LEN); 649 (void) random_get_pseudo_bytes(sctp->sctp_secret, 650 SCTP_SECRET_LEN); 651 sctp->sctp_last_secret_update = nowt; 652 } 653 654 hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16, 655 (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p); 656 657 iackmp->b_wptr = iackmp->b_rptr + ipsctplen; 658 iackmp->b_cont = errmp; /* OK if NULL */ 659 660 /* 661 * Stash the conn ptr info. for IP only as e don't have any 662 * cached IRE. 663 */ 664 SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL); 665 666 /* XXX sctp == sctp_g_q, so using its obchunks is valid */ 667 BUMP_LOCAL(sctp->sctp_opkts); 668 BUMP_LOCAL(sctp->sctp_obchunks); 669 670 /* OK to call IP_PUT() here instead of sctp_add_sendq(). */ 671 CONN_INC_REF(sctp->sctp_connp); 672 iackmp->b_flag |= MSGHASREF; 673 IP_PUT(iackmp, sctp->sctp_connp, isv4); 674 } 675 676 void 677 sctp_send_cookie_ack(sctp_t *sctp) 678 { 679 sctp_chunk_hdr_t *cach; 680 mblk_t *camp; 681 682 camp = sctp_make_mp(sctp, NULL, sizeof (*cach)); 683 if (camp == NULL) { 684 /* XXX should abort, but don't have the inmp anymore */ 685 return; 686 } 687 688 cach = (sctp_chunk_hdr_t *)camp->b_wptr; 689 camp->b_wptr = (uchar_t *)(cach + 1); 690 cach->sch_id = CHUNK_COOKIE_ACK; 691 cach->sch_flags = 0; 692 cach->sch_len = htons(sizeof (*cach)); 693 694 sctp_set_iplen(sctp, camp); 695 696 BUMP_LOCAL(sctp->sctp_obchunks); 697 698 sctp_add_sendq(sctp, camp); 699 } 700 701 static int 702 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaption_code) 703 { 704 705 if (len < sizeof (*sph)) 706 return (-1); 707 while (sph != NULL) { 708 if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) && 709 ntohs(sph->sph_len) >= (sizeof (*sph) + 710 sizeof (uint32_t))) { 711 *adaption_code = *(uint32_t *)(sph + 1); 712 return (0); 713 } 714 sph = sctp_next_parm(sph, &len); 715 } 716 return (-1); 717 } 718 719 void 720 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp) 721 { 722 mblk_t *cemp; 723 mblk_t *mp = NULL; 724 mblk_t *head; 725 mblk_t *meta; 726 sctp_faddr_t *fp; 727 sctp_chunk_hdr_t *cech; 728 sctp_init_chunk_t *iack; 729 int32_t cansend; 730 int32_t seglen; 731 size_t ceclen; 732 sctp_parm_hdr_t *cph; 733 sctp_data_hdr_t *sdc; 734 sctp_tf_t *tf; 735 int pad = 0; 736 int hdrlen; 737 mblk_t *errmp = NULL; 738 uint_t sctp_options; 739 int error; 740 uint16_t old_num_str; 741 742 iack = (sctp_init_chunk_t *)(iackch + 1); 743 744 cph = NULL; 745 if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp, 746 &pad, &sctp_options) == 0) { /* result in 'pad' ignored */ 747 BUMP_MIB(&sctp_mib, sctpAborted); 748 sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL); 749 sctp_clean_death(sctp, ECONNABORTED); 750 return; 751 } 752 ASSERT(cph != NULL); 753 754 ASSERT(sctp->sctp_cookie_mp == NULL); 755 756 /* Got a cookie to echo back; allocate an mblk */ 757 ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph); 758 if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0) 759 pad = SCTP_ALIGN - pad; 760 761 if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION) 762 hdrlen = sctp->sctp_hdr_len; 763 else 764 hdrlen = sctp->sctp_hdr6_len; 765 766 cemp = allocb(sctp_wroff_xtra + hdrlen + ceclen + pad, BPRI_MED); 767 if (cemp == NULL) { 768 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 769 sctp->sctp_current->rto); 770 if (errmp != NULL) 771 freeb(errmp); 772 return; 773 } 774 cemp->b_rptr += (sctp_wroff_xtra + hdrlen); 775 776 /* Process the INIT ACK */ 777 sctp->sctp_sctph->sh_verf = iack->sic_inittag; 778 sctp->sctp_sctph6->sh_verf = iack->sic_inittag; 779 sctp->sctp_fvtag = iack->sic_inittag; 780 sctp->sctp_ftsn = ntohl(iack->sic_inittsn); 781 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 782 sctp->sctp_fcsn = sctp->sctp_lastacked; 783 sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd); 784 785 /* 786 * Populate sctp with addresses given in the INIT ACK or IP header. 787 * Need to set the df bit in the current fp as it has been cleared 788 * in sctp_connect(). 789 */ 790 sctp->sctp_current->df = B_TRUE; 791 /* 792 * Since IP uses this info during the fanout process, we need to hold 793 * the lock for this hash line while performing this operation. 794 */ 795 /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctp->sctp_ports); */ 796 ASSERT(sctp->sctp_conn_tfp != NULL); 797 tf = sctp->sctp_conn_tfp; 798 /* sctp isn't a listener so only need to hold conn fanout lock */ 799 mutex_enter(&tf->tf_lock); 800 if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) { 801 mutex_exit(&tf->tf_lock); 802 freeb(cemp); 803 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 804 sctp->sctp_current->rto); 805 if (errmp != NULL) 806 freeb(errmp); 807 return; 808 } 809 mutex_exit(&tf->tf_lock); 810 811 fp = sctp->sctp_current; 812 813 /* 814 * There could be a case when we get an INIT-ACK again, if the INIT 815 * is re-transmitted, for e.g., which means we would have already 816 * allocated this resource earlier (also for sctp_instr). In this 817 * case we check and re-allocate, if necessary. 818 */ 819 old_num_str = sctp->sctp_num_ostr; 820 if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr) 821 sctp->sctp_num_ostr = ntohs(iack->sic_instr); 822 if (sctp->sctp_ostrcntrs == NULL) { 823 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 824 sctp->sctp_num_ostr, KM_NOSLEEP); 825 } else { 826 ASSERT(old_num_str > 0); 827 if (old_num_str != sctp->sctp_num_ostr) { 828 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 829 old_num_str); 830 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 831 sctp->sctp_num_ostr, KM_NOSLEEP); 832 } 833 } 834 if (sctp->sctp_ostrcntrs == NULL) { 835 freeb(cemp); 836 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 837 if (errmp != NULL) 838 freeb(errmp); 839 return; 840 } 841 842 /* 843 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs 844 * hold here too. 845 */ 846 old_num_str = sctp->sctp_num_istr; 847 if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr) 848 sctp->sctp_num_istr = ntohs(iack->sic_outstr); 849 if (sctp->sctp_instr == NULL) { 850 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 851 sctp->sctp_num_istr, KM_NOSLEEP); 852 } else { 853 ASSERT(old_num_str > 0); 854 if (old_num_str != sctp->sctp_num_istr) { 855 kmem_free(sctp->sctp_instr, 856 sizeof (*sctp->sctp_instr) * old_num_str); 857 sctp->sctp_instr = kmem_zalloc( 858 sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr, 859 KM_NOSLEEP); 860 } 861 } 862 if (sctp->sctp_instr == NULL) { 863 kmem_free(sctp->sctp_ostrcntrs, 864 sizeof (uint16_t) * sctp->sctp_num_ostr); 865 freeb(cemp); 866 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 867 if (errmp != NULL) 868 freeb(errmp); 869 return; 870 } 871 872 if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware) 873 sctp->sctp_prsctp_aware = B_FALSE; 874 875 if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1), 876 ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)), 877 &sctp->sctp_rx_adaption_code) == 0) { 878 sctp->sctp_recv_adaption = 1; 879 } 880 881 cech = (sctp_chunk_hdr_t *)cemp->b_rptr; 882 ASSERT(OK_32PTR(cech)); 883 cech->sch_id = CHUNK_COOKIE; 884 cech->sch_flags = 0; 885 cech->sch_len = htons(ceclen); 886 887 /* Copy the cookie (less the parm hdr) to the chunk */ 888 bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph)); 889 890 cemp->b_wptr = cemp->b_rptr + ceclen; 891 892 if (sctp->sctp_unsent > 0) { 893 sctp_msg_hdr_t *smh; 894 mblk_t *prev = NULL; 895 uint32_t unsent = 0; 896 897 mp = sctp->sctp_xmit_unsent; 898 do { 899 smh = (sctp_msg_hdr_t *)mp->b_rptr; 900 if (smh->smh_sid >= sctp->sctp_num_ostr) { 901 unsent += smh->smh_msglen; 902 if (prev != NULL) 903 prev->b_next = mp->b_next; 904 else 905 sctp->sctp_xmit_unsent = mp->b_next; 906 mp->b_next = NULL; 907 sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID, 908 B_FALSE); 909 if (prev != NULL) 910 mp = prev->b_next; 911 else 912 mp = sctp->sctp_xmit_unsent; 913 } else { 914 prev = mp; 915 mp = mp->b_next; 916 } 917 } while (mp != NULL); 918 if (unsent > 0) { 919 ASSERT(sctp->sctp_unsent >= unsent); 920 sctp->sctp_unsent -= unsent; 921 /* 922 * Update ULP the amount of queued data, which is 923 * sent-unack'ed + unsent. 924 * This is not necessary, but doesn't harm, we 925 * just use unsent instead of sent-unack'ed + 926 * unsent, since there won't be any sent-unack'ed 927 * here. 928 */ 929 if (!SCTP_IS_DETACHED(sctp)) { 930 sctp->sctp_ulp_xmitted(sctp->sctp_ulpd, 931 sctp->sctp_unsent); 932 } 933 } 934 if (sctp->sctp_xmit_unsent == NULL) 935 sctp->sctp_xmit_unsent_tail = NULL; 936 } 937 ceclen += pad; 938 cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd); 939 meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen, 940 cansend, NULL); 941 /* 942 * The error cannot be anything else since we could have an non-zero 943 * error only if sctp_get_msg_to_send() tries to send a Forward 944 * TSN which will not happen here. 945 */ 946 ASSERT(error == 0); 947 if (meta == NULL) 948 goto sendcookie; 949 sctp->sctp_xmit_tail = meta; 950 sdc = (sctp_data_hdr_t *)mp->b_rptr; 951 seglen = ntohs(sdc->sdh_len); 952 if ((ceclen + seglen) > fp->sfa_pmss || 953 (seglen - sizeof (*sdc)) > cansend) { 954 goto sendcookie; 955 } 956 /* OK, if this fails */ 957 cemp->b_cont = dupmsg(mp); 958 sendcookie: 959 head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL); 960 if (head == NULL) { 961 freemsg(cemp); 962 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 963 if (errmp != NULL) 964 freeb(errmp); 965 return; 966 } 967 /* 968 * Even if cookie-echo exceeds MTU for one of the hops, it'll 969 * have a chance of getting there. 970 */ 971 if (fp->isv4) { 972 ipha_t *iph = (ipha_t *)head->b_rptr; 973 iph->ipha_fragment_offset_and_flags = 0; 974 } 975 BUMP_LOCAL(sctp->sctp_obchunks); 976 977 sctp->sctp_cookie_mp = dupmsg(head); 978 /* Don't bundle, we will just resend init if this cookie is lost. */ 979 if (sctp->sctp_cookie_mp == NULL) { 980 if (cemp->b_cont != NULL) { 981 freemsg(cemp->b_cont); 982 cemp->b_cont = NULL; 983 } 984 } else if (cemp->b_cont != NULL) { 985 ASSERT(mp != NULL && mp == meta->b_cont); 986 SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont); 987 cemp->b_wptr += pad; 988 seglen -= sizeof (*sdc); 989 SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta); 990 } 991 if (errmp != NULL) 992 linkb(head, errmp); 993 sctp->sctp_state = SCTPS_COOKIE_ECHOED; 994 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 995 996 sctp_set_iplen(sctp, head); 997 sctp_add_sendq(sctp, head); 998 } 999 1000 int 1001 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp, 1002 sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaption, 1003 in6_addr_t *peer_addr) 1004 { 1005 int32_t clen; 1006 size_t initplen; 1007 uchar_t *p; 1008 uchar_t *given_hash; 1009 uchar_t needed_hash[16]; 1010 int64_t ts; 1011 int64_t diff; 1012 uint32_t *lt; 1013 sctp_init_chunk_t *iack; 1014 sctp_chunk_hdr_t *initch; 1015 sctp_init_chunk_t *init; 1016 uint32_t *lttag; 1017 uint32_t *fttag; 1018 uint32_t ports; 1019 1020 BUMP_LOCAL(sctp->sctp_ibchunks); 1021 /* Verify the ICV */ 1022 clen = ntohs(ch->sch_len) - sizeof (*ch) - 16; 1023 if (clen < 0) { 1024 dprint(1, ("invalid cookie chunk length %d\n", 1025 ntohs(ch->sch_len))); 1026 1027 return (-1); 1028 } 1029 p = (uchar_t *)(ch + 1); 1030 1031 hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, 1032 needed_hash); 1033 1034 /* The given hash follows the cookie data */ 1035 given_hash = p + clen; 1036 1037 if (bcmp(given_hash, needed_hash, 16) != 0) { 1038 /* The secret may have changed; try the old secret */ 1039 hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret, 1040 SCTP_SECRET_LEN, needed_hash); 1041 if (bcmp(given_hash, needed_hash, 16) != 0) { 1042 return (-1); 1043 } 1044 } 1045 1046 /* Timestamp is int64_t, and we only guarantee 32-bit alignment */ 1047 bcopy(p, &ts, sizeof (ts)); 1048 /* Cookie life time, int32_t */ 1049 lt = (uint32_t *)(p + sizeof (ts)); 1050 1051 /* 1052 * To quote PRC, "this is our baby", so let's continue. 1053 * We need to pull out the encapsulated INIT ACK and 1054 * INIT chunks. Note that we don't process these until 1055 * we have verified the timestamp, but we need them before 1056 * processing the timestamp since if the time check fails, 1057 * we need to get the verification tag from the INIT in order 1058 * to send a stale cookie error. 1059 */ 1060 lttag = (uint32_t *)(lt + 1); 1061 fttag = lttag + 1; 1062 if (peer_addr != NULL) 1063 bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t)); 1064 iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t)); 1065 initch = (sctp_chunk_hdr_t *)(iack + 1); 1066 init = (sctp_init_chunk_t *)(initch + 1); 1067 initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch)); 1068 *iackpp = iack; 1069 *recv_adaption = 0; 1070 1071 /* Check the timestamp */ 1072 diff = lbolt64 - ts; 1073 if (diff > *lt && (init->sic_inittag != sctp->sctp_fvtag || 1074 iack->sic_inittag != sctp->sctp_lvtag)) { 1075 1076 uint32_t staleness; 1077 1078 staleness = TICK_TO_USEC(diff); 1079 staleness = htonl(staleness); 1080 sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE, 1081 (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE); 1082 1083 dprint(1, ("stale cookie %d\n", staleness)); 1084 1085 return (-1); 1086 } 1087 1088 /* Check for attack by adding addresses to a restart */ 1089 bcopy(insctph, &ports, sizeof (ports)); 1090 if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP) != 1) { 1091 return (-1); 1092 } 1093 1094 /* Look for adaptation code if there any parms in the INIT chunk */ 1095 if ((initplen >= sizeof (sctp_parm_hdr_t)) && 1096 (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen, 1097 &sctp->sctp_rx_adaption_code) == 0)) { 1098 *recv_adaption = 1; 1099 } 1100 1101 /* Examine tie-tags */ 1102 1103 if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) { 1104 if (sctp->sctp_state == SCTPS_ESTABLISHED && 1105 init->sic_inittag == sctp->sctp_fvtag && 1106 iack->sic_inittag == sctp->sctp_lvtag && 1107 *fttag == 0 && *lttag == 0) { 1108 1109 dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n", 1110 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1111 (int)(sctp->sctp_fport))); 1112 return (-1); 1113 } 1114 1115 if (init->sic_inittag != sctp->sctp_fvtag && 1116 iack->sic_inittag != sctp->sctp_lvtag && 1117 *fttag == sctp->sctp_fvtag && 1118 *lttag == sctp->sctp_lvtag) { 1119 int i; 1120 1121 /* Section 5.2.4 case A: restart */ 1122 sctp->sctp_fvtag = init->sic_inittag; 1123 sctp->sctp_lvtag = iack->sic_inittag; 1124 1125 sctp->sctp_sctph->sh_verf = init->sic_inittag; 1126 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 1127 1128 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 1129 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 1130 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 1131 sctp->sctp_fcsn = sctp->sctp_lastacked; 1132 1133 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1134 sctp->sctp_state = SCTPS_ESTABLISHED; 1135 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1136 } 1137 1138 dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n", 1139 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1140 (int)(sctp->sctp_fport))); 1141 /* reset parameters */ 1142 sctp_congest_reset(sctp); 1143 1144 /* reset stream bookkeeping */ 1145 sctp_instream_cleanup(sctp, B_FALSE); 1146 1147 sctp->sctp_istr_nmsgs = 0; 1148 sctp->sctp_rxqueued = 0; 1149 for (i = 0; i < sctp->sctp_num_ostr; i++) { 1150 sctp->sctp_ostrcntrs[i] = 0; 1151 } 1152 /* XXX flush xmit_list? */ 1153 1154 return (0); 1155 } else if (init->sic_inittag != sctp->sctp_fvtag && 1156 iack->sic_inittag == sctp->sctp_lvtag) { 1157 1158 /* Section 5.2.4 case B: INIT collision */ 1159 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1160 if (!sctp_initialize_params(sctp, init, iack)) 1161 return (-1); /* Drop? */ 1162 sctp->sctp_state = SCTPS_ESTABLISHED; 1163 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1164 } 1165 1166 dprint(1, ("init collision with %x:%x:%x:%x (%d)\n", 1167 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1168 (int)(sctp->sctp_fport))); 1169 1170 return (0); 1171 } else if (iack->sic_inittag != sctp->sctp_lvtag && 1172 init->sic_inittag == sctp->sctp_fvtag && 1173 *fttag == 0 && *lttag == 0) { 1174 1175 /* Section 5.2.4 case C: late COOKIE */ 1176 dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n", 1177 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1178 (int)(sctp->sctp_fport))); 1179 return (-1); 1180 } else if (init->sic_inittag == sctp->sctp_fvtag && 1181 iack->sic_inittag == sctp->sctp_lvtag) { 1182 1183 /* 1184 * Section 5.2.4 case D: COOKIE ECHO retransmit 1185 * Don't check cookie lifetime 1186 */ 1187 dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n", 1188 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1189 (int)(sctp->sctp_fport))); 1190 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1191 if (!sctp_initialize_params(sctp, init, iack)) 1192 return (-1); /* Drop? */ 1193 sctp->sctp_state = SCTPS_ESTABLISHED; 1194 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1195 } 1196 return (0); 1197 } else { 1198 /* unrecognized case -- silently drop it */ 1199 return (-1); 1200 } 1201 } 1202 1203 return (0); 1204 } 1205 1206 /* 1207 * Similar to ip_fanout_sctp, except that the src addr(s) are drawn 1208 * from address parameters in an INIT ACK's address list. This 1209 * function is used when an INIT ACK is received but IP's fanout 1210 * function could not find a sctp via the normal lookup routine. 1211 * This can happen when a host sends an INIT ACK from a different 1212 * address than the INIT was sent to. 1213 * 1214 * Returns the sctp_t if found, or NULL if not found. 1215 */ 1216 sctp_t * 1217 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich, 1218 uint_t ipif_seqid, zoneid_t zoneid) 1219 { 1220 int isv4; 1221 ipha_t *iph; 1222 ip6_t *ip6h; 1223 in6_addr_t dst; 1224 in6_addr_t src; 1225 sctp_parm_hdr_t *ph; 1226 ssize_t remaining; 1227 sctp_init_chunk_t *iack; 1228 uint32_t ports; 1229 sctp_t *sctp = NULL; 1230 1231 ASSERT(ich->sch_id == CHUNK_INIT_ACK); 1232 1233 isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION); 1234 if (isv4) { 1235 iph = (ipha_t *)mp->b_rptr; 1236 IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst); 1237 } else { 1238 ip6h = (ip6_t *)mp->b_rptr; 1239 dst = ip6h->ip6_dst; 1240 } 1241 1242 ports = *(uint32_t *)sctph; 1243 1244 dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n", 1245 ports, SCTP_PRINTADDR(dst))); 1246 1247 /* pull out any address parameters */ 1248 remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack); 1249 if (remaining < sizeof (*ph)) { 1250 return (NULL); 1251 } 1252 1253 iack = (sctp_init_chunk_t *)(ich + 1); 1254 ph = (sctp_parm_hdr_t *)(iack + 1); 1255 1256 while (ph != NULL) { 1257 /* 1258 * params have been put in host byteorder by 1259 * sctp_check_input() 1260 */ 1261 if (ph->sph_type == PARM_ADDR4) { 1262 IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1), 1263 &src); 1264 1265 sctp = sctp_conn_match(&src, &dst, ports, ipif_seqid, 1266 zoneid); 1267 1268 dprint(1, 1269 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1270 SCTP_PRINTADDR(src), sctp)); 1271 1272 1273 if (sctp != NULL) { 1274 return (sctp); 1275 } 1276 } else if (ph->sph_type == PARM_ADDR6) { 1277 src = *(in6_addr_t *)(ph + 1); 1278 sctp = sctp_conn_match(&src, &dst, ports, ipif_seqid, 1279 zoneid); 1280 1281 dprint(1, 1282 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1283 SCTP_PRINTADDR(src), sctp)); 1284 1285 if (sctp != NULL) { 1286 return (sctp); 1287 } 1288 } 1289 1290 ph = sctp_next_parm(ph, &remaining); 1291 } 1292 1293 return (NULL); 1294 } 1295