1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #include <sys/types.h> 28 #include <sys/systm.h> 29 #include <sys/stream.h> 30 #include <sys/cmn_err.h> 31 #include <sys/md5.h> 32 #include <sys/kmem.h> 33 #include <sys/strsubr.h> 34 #include <sys/random.h> 35 #include <sys/tsol/tnet.h> 36 37 #include <netinet/in.h> 38 #include <netinet/ip6.h> 39 40 #include <inet/common.h> 41 #include <inet/ip.h> 42 #include <inet/ip6.h> 43 #include <inet/sctp_ip.h> 44 #include <inet/ipclassifier.h> 45 #include "sctp_impl.h" 46 47 /* 48 * Helper function for SunCluster (PSARC/2005/602) to get the original source 49 * address from the COOKIE 50 */ 51 int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *); 52 53 /* 54 * From RFC 2104. This should probably go into libmd5 (and while 55 * we're at it, maybe we should make a libdigest so we can later 56 * add SHA1 and others, esp. since some weaknesses have been found 57 * with MD5). 58 * 59 * text IN pointer to data stream 60 * text_len IN length of data stream 61 * key IN pointer to authentication key 62 * key_len IN length of authentication key 63 * digest OUT caller digest to be filled in 64 */ 65 static void 66 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len, 67 uchar_t *digest) 68 { 69 MD5_CTX context; 70 uchar_t k_ipad[65]; /* inner padding - key XORd with ipad */ 71 uchar_t k_opad[65]; /* outer padding - key XORd with opad */ 72 uchar_t tk[16]; 73 int i; 74 75 /* if key is longer than 64 bytes reset it to key=MD5(key) */ 76 if (key_len > 64) { 77 MD5_CTX tctx; 78 79 MD5Init(&tctx); 80 MD5Update(&tctx, key, key_len); 81 MD5Final(tk, &tctx); 82 83 key = tk; 84 key_len = 16; 85 } 86 87 /* 88 * the HMAC_MD5 transform looks like: 89 * 90 * MD5(K XOR opad, MD5(K XOR ipad, text)) 91 * 92 * where K is an n byte key 93 * ipad is the byte 0x36 repeated 64 times 94 * opad is the byte 0x5c repeated 64 times 95 * and text is the data being protected 96 */ 97 98 /* start out by storing key in pads */ 99 bzero(k_ipad, sizeof (k_ipad)); 100 bzero(k_opad, sizeof (k_opad)); 101 bcopy(key, k_ipad, key_len); 102 bcopy(key, k_opad, key_len); 103 104 /* XOR key with ipad and opad values */ 105 for (i = 0; i < 64; i++) { 106 k_ipad[i] ^= 0x36; 107 k_opad[i] ^= 0x5c; 108 } 109 /* 110 * perform inner MD5 111 */ 112 MD5Init(&context); /* init context for 1st */ 113 /* pass */ 114 MD5Update(&context, k_ipad, 64); /* start with inner pad */ 115 MD5Update(&context, text, text_len); /* then text of datagram */ 116 MD5Final(digest, &context); /* finish up 1st pass */ 117 /* 118 * perform outer MD5 119 */ 120 MD5Init(&context); /* init context for 2nd */ 121 /* pass */ 122 MD5Update(&context, k_opad, 64); /* start with outer pad */ 123 MD5Update(&context, digest, 16); /* then results of 1st */ 124 /* hash */ 125 MD5Final(digest, &context); /* finish up 2nd pass */ 126 } 127 128 /* 129 * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP 130 * info in initmp to send the abort. Otherwise, no abort will be sent. 131 * 132 * When called from stcp_send_initack() while processing parameters 133 * from a received INIT_CHUNK want_cookie will be NULL. 134 * 135 * When called from sctp_send_cookie_echo() while processing an INIT_ACK, 136 * want_cookie contains a pointer to a pointer of type *sctp_parm_hdr_t. 137 * However, this last pointer will be NULL until the cookie is processed 138 * at which time it will be set to point to a sctp_parm_hdr_t that contains 139 * the cookie info. 140 * 141 * Note: an INIT_ACK is expected to contain a cookie. 142 * 143 * When processing an INIT_ACK, an ERROR chunk and chain of one or more 144 * error CAUSE blocks will be created if unrecognized parameters marked by 145 * the sender as reportable are found. 146 * 147 * When processing an INIT chunk, a chain of one or more error CAUSE blocks 148 * will be created if unrecognized parameters marked by the sender as 149 * reportable are found. These are appended directly to the INIT_ACK chunk. 150 * 151 * In both cases the error chain is visible to the caller via *errmp. 152 * 153 * Returns 1 if the parameters are OK (or if there are no optional 154 * parameters), returns 0 otherwise. 155 */ 156 static int 157 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch, 158 sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie, 159 mblk_t **errmp, int *supp_af, uint_t *sctp_options) 160 { 161 sctp_parm_hdr_t *cph; 162 sctp_init_chunk_t *ic; 163 ssize_t remaining; 164 uint16_t serror = 0; 165 char *details = NULL; 166 size_t errlen = 0; 167 boolean_t got_cookie = B_FALSE; 168 boolean_t got_errchunk = B_FALSE; 169 uint16_t ptype; 170 sctp_mpc_t mpc; 171 172 173 ASSERT(errmp != NULL); 174 175 if (sctp_options != NULL) 176 *sctp_options = 0; 177 178 /* First validate stream parameters */ 179 if (init->sic_instr == 0 || init->sic_outstr == 0) { 180 serror = SCTP_ERR_BAD_MANDPARM; 181 dprint(1, ("validate_init_params: bad sid, is=%d os=%d\n", 182 htons(init->sic_instr), htons(init->sic_outstr))); 183 goto abort; 184 } 185 if (ntohl(init->sic_inittag) == 0) { 186 serror = SCTP_ERR_BAD_MANDPARM; 187 dprint(1, ("validate_init_params: inittag = 0\n")); 188 goto abort; 189 } 190 191 remaining = ntohs(ch->sch_len) - sizeof (*ch); 192 ic = (sctp_init_chunk_t *)(ch + 1); 193 remaining -= sizeof (*ic); 194 if (remaining < sizeof (*cph)) { 195 /* 196 * When processing a received INIT_ACK, a cookie is 197 * expected, if missing there is nothing to validate. 198 */ 199 if (want_cookie != NULL) 200 goto cookie_abort; 201 return (1); 202 } 203 204 cph = (sctp_parm_hdr_t *)(ic + 1); 205 206 while (cph != NULL) { 207 ptype = ntohs(cph->sph_type); 208 switch (ptype) { 209 case PARM_HBINFO: 210 case PARM_UNRECOGNIZED: 211 case PARM_ECN: 212 /* just ignore them */ 213 break; 214 case PARM_FORWARD_TSN: 215 if (sctp_options != NULL) 216 *sctp_options |= SCTP_PRSCTP_OPTION; 217 break; 218 case PARM_COOKIE: 219 got_cookie = B_TRUE; 220 /* 221 * Processing a received INIT_ACK, we have a cookie 222 * and a valid pointer in our caller to attach it to. 223 */ 224 if (want_cookie != NULL) { 225 *want_cookie = cph; 226 } 227 break; 228 case PARM_ADDR4: 229 *supp_af |= PARM_SUPP_V4; 230 break; 231 case PARM_ADDR6: 232 *supp_af |= PARM_SUPP_V6; 233 break; 234 case PARM_COOKIE_PRESERVE: 235 case PARM_ADAPT_LAYER_IND: 236 /* These are OK */ 237 break; 238 case PARM_ADDR_HOST_NAME: 239 /* Don't support this; abort the association */ 240 serror = SCTP_ERR_BAD_ADDR; 241 details = (char *)cph; 242 errlen = ntohs(cph->sph_len); 243 dprint(1, ("sctp:validate_init_params: host addr\n")); 244 goto abort; 245 case PARM_SUPP_ADDRS: { 246 /* Make sure we have a supported addr intersection */ 247 uint16_t *p, addrtype; 248 int plen; 249 250 plen = ntohs(cph->sph_len); 251 p = (uint16_t *)(cph + 1); 252 while (plen > 0) { 253 addrtype = ntohs(*p); 254 switch (addrtype) { 255 case PARM_ADDR6: 256 *supp_af |= PARM_SUPP_V6; 257 break; 258 case PARM_ADDR4: 259 *supp_af |= PARM_SUPP_V4; 260 break; 261 default: 262 /* 263 * Do nothing, silently ignore hostname 264 * address. 265 */ 266 break; 267 } 268 p++; 269 plen -= sizeof (*p); 270 } 271 break; 272 } 273 default: 274 /* 275 * Handle any unrecognized params, the two high order 276 * bits of ptype define how the remote wants them 277 * handled. 278 * Top bit: 279 * 1. Continue processing other params in the chunk 280 * 0. Stop processing params after this one. 281 * 2nd bit: 282 * 1. Must report this unrecognized param to remote 283 * 0. Obey the top bit silently. 284 */ 285 if (ptype & SCTP_REPORT_THIS_PARAM) { 286 if (!got_errchunk && want_cookie != NULL) { 287 /* 288 * Processing an INIT_ACK, this is the 289 * first reportable param, create an 290 * ERROR chunk and populate it with a 291 * CAUSE block for this parameter. 292 */ 293 *errmp = sctp_make_err(sctp, 294 PARM_UNRECOGNIZED, 295 (void *)cph, 296 ntohs(cph->sph_len)); 297 got_errchunk = B_TRUE; 298 } else { 299 /* 300 * If processing an INIT chunk add 301 * an additional CAUSE block to an 302 * INIT_ACK, got_errchunk is B_FALSE. 303 */ 304 sctp_add_unrec_parm(cph, errmp, 305 got_errchunk); 306 } 307 } 308 if (ptype & SCTP_CONT_PROC_PARAMS) { 309 /* 310 * Continue processing params after this 311 * parameter. 312 */ 313 break; 314 } 315 316 /* 317 * Stop processing params, report any reportable 318 * unrecognized params found so far. 319 */ 320 goto done; 321 } 322 323 cph = sctp_next_parm(cph, &remaining); 324 } 325 done: 326 /* 327 * Some sanity checks. The following should not fail unless the 328 * other side is broken. 329 * 330 * 1. If this is a V4 endpoint but V4 address is not 331 * supported, abort. 332 * 2. If this is a V6 only endpoint but V6 address is 333 * not supported, abort. This assumes that a V6 334 * endpoint can use both V4 and V6 addresses. 335 * We only care about supp_af when processing INIT, i.e want_cookie 336 * is NULL. 337 */ 338 if (want_cookie == NULL && 339 ((sctp->sctp_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) || 340 (sctp->sctp_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) && 341 sctp->sctp_connp->conn_ipv6_v6only))) { 342 dprint(1, ("sctp:validate_init_params: supp addr\n")); 343 serror = SCTP_ERR_BAD_ADDR; 344 goto abort; 345 } 346 347 if (want_cookie != NULL && !got_cookie) { 348 cookie_abort: 349 /* Will populate the CAUSE block in the ABORT chunk. */ 350 mpc.mpc_num = htons(1); 351 mpc.mpc_param = htons(PARM_COOKIE); 352 mpc.mpc_pad = 0; 353 354 dprint(1, ("validate_init_params: cookie absent\n")); 355 sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM, 356 (char *)&mpc, sizeof (sctp_mpc_t), inmp, 0, B_FALSE); 357 return (0); 358 } 359 360 /* OK */ 361 return (1); 362 363 abort: 364 if (want_cookie != NULL) 365 return (0); 366 367 sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details, 368 errlen, inmp, 0, B_FALSE); 369 return (0); 370 } 371 372 /* 373 * Initialize params from the INIT and INIT-ACK when the assoc. is 374 * established. 375 */ 376 boolean_t 377 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init, 378 sctp_init_chunk_t *iack) 379 { 380 /* Get initial TSN */ 381 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 382 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 383 384 /* Serial number is initialized to the same value as the TSN */ 385 sctp->sctp_fcsn = sctp->sctp_lastacked; 386 387 /* 388 * Get verification tags; no byteordering is necessary, since 389 * verfication tags are never processed except for byte-by-byte 390 * comparisons. 391 */ 392 sctp->sctp_fvtag = init->sic_inittag; 393 sctp->sctp_sctph->sh_verf = init->sic_inittag; 394 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 395 sctp->sctp_lvtag = iack->sic_inittag; 396 397 /* Get the peer's rwnd */ 398 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 399 400 /* Allocate the in/out-stream counters */ 401 sctp->sctp_num_ostr = iack->sic_outstr; 402 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 403 sctp->sctp_num_ostr, KM_NOSLEEP); 404 if (sctp->sctp_ostrcntrs == NULL) 405 return (B_FALSE); 406 407 sctp->sctp_num_istr = iack->sic_instr; 408 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 409 sctp->sctp_num_istr, KM_NOSLEEP); 410 if (sctp->sctp_instr == NULL) { 411 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 412 sctp->sctp_num_ostr); 413 sctp->sctp_ostrcntrs = NULL; 414 return (B_FALSE); 415 } 416 return (B_TRUE); 417 } 418 419 /* 420 * Copy the peer's original source address into addr. This relies on the 421 * following format (see sctp_send_initack() below): 422 * relative timestamp for the cookie (int64_t) + 423 * cookie lifetime (uint32_t) + 424 * local tie-tag (uint32_t) + peer tie-tag (uint32_t) + 425 * Peer's original src ... 426 */ 427 int 428 cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr) 429 { 430 uchar_t *off; 431 432 ASSERT(addr != NULL); 433 434 if (ch->sch_id != CHUNK_COOKIE) 435 return (EINVAL); 436 437 off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) + 438 sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t); 439 440 bcopy(off, addr, sizeof (*addr)); 441 442 return (0); 443 } 444 445 #define SCTP_CALC_COOKIE_LEN(initcp) \ 446 sizeof (int64_t) + /* timestamp */ \ 447 sizeof (uint32_t) + /* cookie lifetime */ \ 448 sizeof (sctp_init_chunk_t) + /* INIT ACK */ \ 449 sizeof (in6_addr_t) + /* peer's original source */ \ 450 ntohs((initcp)->sch_len) + /* peer's INIT */ \ 451 sizeof (uint32_t) + /* local tie-tag */ \ 452 sizeof (uint32_t) + /* peer tie-tag */ \ 453 sizeof (sctp_parm_hdr_t) + /* param header */ \ 454 16 /* MD5 hash */ 455 456 void 457 sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch, 458 mblk_t *initmp) 459 { 460 ipha_t *initiph; 461 ip6_t *initip6h; 462 ipha_t *iackiph; 463 ip6_t *iackip6h; 464 sctp_chunk_hdr_t *iack_ch; 465 sctp_init_chunk_t *iack; 466 sctp_init_chunk_t *init; 467 sctp_hdr_t *iacksh; 468 size_t cookielen; 469 size_t iacklen; 470 size_t ipsctplen; 471 size_t errlen = 0; 472 sctp_parm_hdr_t *cookieph; 473 mblk_t *iackmp; 474 uint32_t itag; 475 uint32_t itsn; 476 int64_t *now; 477 int64_t nowt; 478 uint32_t *lifetime; 479 char *p; 480 boolean_t isv4; 481 int supp_af = 0; 482 uint_t sctp_options; 483 uint32_t *ttag; 484 int pad; 485 mblk_t *errmp = NULL; 486 boolean_t initcollision = B_FALSE; 487 boolean_t linklocal = B_FALSE; 488 cred_t *cr; 489 pid_t pid; 490 ts_label_t *initlabel; 491 sctp_stack_t *sctps = sctp->sctp_sctps; 492 493 BUMP_LOCAL(sctp->sctp_ibchunks); 494 isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION); 495 496 /* Extract the INIT chunk */ 497 if (isv4) { 498 initiph = (ipha_t *)initmp->b_rptr; 499 ipsctplen = sctp->sctp_ip_hdr_len; 500 supp_af |= PARM_SUPP_V4; 501 } else { 502 initip6h = (ip6_t *)initmp->b_rptr; 503 ipsctplen = sctp->sctp_ip_hdr6_len; 504 if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src)) 505 linklocal = B_TRUE; 506 supp_af |= PARM_SUPP_V6; 507 } 508 ASSERT(OK_32PTR(initsh)); 509 init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch)); 510 511 /* Make sure we like the peer's parameters */ 512 if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp, 513 &supp_af, &sctp_options) == 0) { 514 return; 515 } 516 if (errmp != NULL) 517 errlen = msgdsize(errmp); 518 if (sctp->sctp_family == AF_INET) { 519 /* 520 * Irregardless of the supported address in the INIT, v4 521 * must be supported. 522 */ 523 supp_af = PARM_SUPP_V4; 524 } 525 if (sctp->sctp_state <= SCTPS_LISTEN) { 526 /* normal, expected INIT: generate new vtag and itsn */ 527 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 528 if (itag == 0) 529 itag = (uint32_t)gethrtime(); 530 itsn = itag + 1; 531 itag = htonl(itag); 532 } else if (sctp->sctp_state == SCTPS_COOKIE_WAIT || 533 sctp->sctp_state == SCTPS_COOKIE_ECHOED) { 534 /* init collision; copy vtag and itsn from sctp */ 535 itag = sctp->sctp_lvtag; 536 itsn = sctp->sctp_ltsn; 537 /* 538 * In addition we need to send all the params that was sent 539 * in our INIT chunk. Essentially, it is only the supported 540 * address params that we need to add. 541 */ 542 initcollision = B_TRUE; 543 /* 544 * When we sent the INIT, we should have set linklocal in 545 * the sctp which should be good enough. 546 */ 547 if (linklocal) 548 linklocal = B_FALSE; 549 } else { 550 /* peer restart; generate new vtag but keep everything else */ 551 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 552 if (itag == 0) 553 itag = (uint32_t)gethrtime(); 554 itag = htonl(itag); 555 itsn = sctp->sctp_ltsn; 556 } 557 558 /* 559 * Allocate a mblk for the INIT ACK, consisting of the link layer 560 * header, the IP header, the SCTP common header, and INIT ACK chunk, 561 * and finally the COOKIE parameter. 562 */ 563 cookielen = SCTP_CALC_COOKIE_LEN(ch); 564 iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen; 565 if (sctp->sctp_send_adaptation) 566 iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t)); 567 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 568 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) { 569 iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION); 570 } 571 if (initcollision) 572 iacklen += sctp_supaddr_param_len(sctp); 573 if (!linklocal) 574 iacklen += sctp_addr_params(sctp, supp_af, NULL, B_FALSE); 575 ipsctplen += sizeof (*iacksh) + iacklen; 576 iacklen += errlen; 577 if ((pad = ipsctplen % 4) != 0) { 578 pad = 4 - pad; 579 ipsctplen += pad; 580 } 581 582 /* 583 * If the listen socket is bound to a trusted extensions 584 * multi-label port, attach a copy of the listener's cred 585 * to the new INITACK mblk. Modify the cred to contain 586 * the security label of the received INIT packet. 587 * If not a multi-label port, attach the unmodified 588 * listener's cred directly. 589 * 590 * We expect Sun developed kernel modules to properly set 591 * cred labels for sctp connections. We can't be so sure this 592 * will be done correctly when 3rd party kernel modules 593 * directly use sctp. The initlabel panic guard logic was 594 * added to cover this possibility. 595 */ 596 if (sctp->sctp_connp->conn_mlp_type != mlptSingle) { 597 cr = msg_getcred(initmp, &pid); 598 if (cr == NULL || (initlabel = crgetlabel(cr)) == NULL) { 599 sctp_send_abort(sctp, sctp_init2vtag(ch), 600 SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0, B_FALSE); 601 return; 602 } 603 cr = copycred_from_bslabel(CONN_CRED(sctp->sctp_connp), 604 &initlabel->tsl_label, initlabel->tsl_doi, KM_NOSLEEP); 605 if (cr == NULL) { 606 sctp_send_abort(sctp, sctp_init2vtag(ch), 607 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 608 return; 609 } 610 iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra, 611 cr, pid); 612 crfree(cr); 613 } else { 614 iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra, 615 CONN_CRED(sctp->sctp_connp), sctp->sctp_cpid); 616 } 617 if (iackmp == NULL) { 618 sctp_send_abort(sctp, sctp_init2vtag(ch), 619 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 620 return; 621 } 622 623 /* Copy in the [imcomplete] IP/SCTP composite header */ 624 p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra); 625 iackmp->b_rptr = (uchar_t *)p; 626 if (isv4) { 627 bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len); 628 iackiph = (ipha_t *)p; 629 630 /* Copy the peer's IP addr */ 631 iackiph->ipha_dst = initiph->ipha_src; 632 iackiph->ipha_src = initiph->ipha_dst; 633 iackiph->ipha_length = htons(ipsctplen + errlen); 634 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len); 635 } else { 636 bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len); 637 iackip6h = (ip6_t *)p; 638 639 /* Copy the peer's IP addr */ 640 iackip6h->ip6_dst = initip6h->ip6_src; 641 iackip6h->ip6_src = initip6h->ip6_dst; 642 iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) + 643 errlen); 644 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len); 645 } 646 ASSERT(OK_32PTR(iacksh)); 647 648 /* Fill in the holes in the SCTP common header */ 649 iacksh->sh_sport = initsh->sh_dport; 650 iacksh->sh_dport = initsh->sh_sport; 651 iacksh->sh_verf = init->sic_inittag; 652 653 /* INIT ACK chunk header */ 654 iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1); 655 iack_ch->sch_id = CHUNK_INIT_ACK; 656 iack_ch->sch_flags = 0; 657 iack_ch->sch_len = htons(iacklen); 658 659 /* The INIT ACK itself */ 660 iack = (sctp_init_chunk_t *)(iack_ch + 1); 661 iack->sic_inittag = itag; /* already in network byteorder */ 662 iack->sic_inittsn = htonl(itsn); 663 664 iack->sic_a_rwnd = htonl(sctp->sctp_rwnd); 665 /* Advertise what we would want to have as stream #'s */ 666 iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr, 667 ntohs(init->sic_instr))); 668 iack->sic_instr = htons(sctp->sctp_num_istr); 669 670 p = (char *)(iack + 1); 671 p += sctp_adaptation_code_param(sctp, (uchar_t *)p); 672 if (initcollision) 673 p += sctp_supaddr_param(sctp, (uchar_t *)p); 674 if (!linklocal) 675 p += sctp_addr_params(sctp, supp_af, (uchar_t *)p, B_FALSE); 676 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 677 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) { 678 p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION); 679 } 680 /* 681 * Generate and lay in the COOKIE parameter. 682 * 683 * Any change here that results in a change of location for 684 * the peer's orig source address must be propagated to the fn 685 * cl_sctp_cookie_paddr() above. 686 * 687 * The cookie consists of: 688 * 1. The relative timestamp for the cookie (lbolt64) 689 * 2. The cookie lifetime (uint32_t) in tick 690 * 3. The local tie-tag 691 * 4. The peer tie-tag 692 * 5. Peer's original src, used to confirm the validity of address. 693 * 6. Our INIT ACK chunk, less any parameters 694 * 7. The INIT chunk (may contain parameters) 695 * 8. 128-bit MD5 signature. 696 * 697 * Since the timestamp values will only be evaluated locally, we 698 * don't need to worry about byte-ordering them. 699 */ 700 cookieph = (sctp_parm_hdr_t *)p; 701 cookieph->sph_type = htons(PARM_COOKIE); 702 cookieph->sph_len = htons(cookielen); 703 704 /* timestamp */ 705 now = (int64_t *)(cookieph + 1); 706 nowt = lbolt64; 707 bcopy(&nowt, now, sizeof (*now)); 708 709 /* cookie lifetime -- need configuration */ 710 lifetime = (uint32_t *)(now + 1); 711 *lifetime = sctp->sctp_cookie_lifetime; 712 713 /* Set the tie-tags */ 714 ttag = (uint32_t *)(lifetime + 1); 715 if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) { 716 *ttag = 0; 717 ttag++; 718 *ttag = 0; 719 ttag++; 720 } else { 721 /* local tie-tag (network byte-order) */ 722 *ttag = sctp->sctp_lvtag; 723 ttag++; 724 /* peer tie-tag (network byte-order) */ 725 *ttag = sctp->sctp_fvtag; 726 ttag++; 727 } 728 /* 729 * Copy in peer's original source address so that we can confirm 730 * the reachability later. 731 */ 732 p = (char *)ttag; 733 if (isv4) { 734 in6_addr_t peer_addr; 735 736 IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr); 737 bcopy(&peer_addr, p, sizeof (in6_addr_t)); 738 } else { 739 bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t)); 740 } 741 p += sizeof (in6_addr_t); 742 /* Copy in our INIT ACK chunk */ 743 bcopy(iack, p, sizeof (*iack)); 744 iack = (sctp_init_chunk_t *)p; 745 /* Set the # of streams we'll end up using */ 746 iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr)); 747 iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr)); 748 p += sizeof (*iack); 749 750 /* Copy in the peer's INIT chunk */ 751 bcopy(ch, p, ntohs(ch->sch_len)); 752 p += ntohs(ch->sch_len); 753 754 /* 755 * Calculate the HMAC ICV into the digest slot in buf. 756 * First, generate a new secret if the current secret is 757 * older than the new secret lifetime parameter permits, 758 * copying the current secret to sctp_old_secret. 759 */ 760 if (sctps->sctps_new_secret_interval > 0 && 761 (sctp->sctp_last_secret_update + 762 MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) { 763 bcopy(sctp->sctp_secret, sctp->sctp_old_secret, 764 SCTP_SECRET_LEN); 765 (void) random_get_pseudo_bytes(sctp->sctp_secret, 766 SCTP_SECRET_LEN); 767 sctp->sctp_last_secret_update = nowt; 768 } 769 770 hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16, 771 (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p); 772 773 iackmp->b_wptr = iackmp->b_rptr + ipsctplen; 774 if (pad != 0) 775 bzero((iackmp->b_wptr - pad), pad); 776 777 iackmp->b_cont = errmp; /* OK if NULL */ 778 779 if (is_system_labeled() && (cr = msg_getcred(iackmp, &pid)) != NULL && 780 crgetlabel(cr) != NULL) { 781 conn_t *connp = sctp->sctp_connp; 782 int err; 783 784 if (isv4) 785 err = tsol_check_label(cr, &iackmp, 786 connp->conn_mac_exempt, 787 sctps->sctps_netstack->netstack_ip, pid); 788 else 789 err = tsol_check_label_v6(cr, &iackmp, 790 connp->conn_mac_exempt, 791 sctps->sctps_netstack->netstack_ip, pid); 792 if (err != 0) { 793 sctp_send_abort(sctp, sctp_init2vtag(ch), 794 SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE); 795 freemsg(iackmp); 796 return; 797 } 798 } 799 800 /* 801 * Stash the conn ptr info. for IP only as e don't have any 802 * cached IRE. 803 */ 804 SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL); 805 806 /* XXX sctp == sctp_g_q, so using its obchunks is valid */ 807 BUMP_LOCAL(sctp->sctp_opkts); 808 BUMP_LOCAL(sctp->sctp_obchunks); 809 810 /* OK to call IP_PUT() here instead of sctp_add_sendq(). */ 811 CONN_INC_REF(sctp->sctp_connp); 812 iackmp->b_flag |= MSGHASREF; 813 IP_PUT(iackmp, sctp->sctp_connp, isv4); 814 } 815 816 void 817 sctp_send_cookie_ack(sctp_t *sctp) 818 { 819 sctp_chunk_hdr_t *cach; 820 mblk_t *camp; 821 sctp_stack_t *sctps = sctp->sctp_sctps; 822 823 camp = sctp_make_mp(sctp, NULL, sizeof (*cach)); 824 if (camp == NULL) { 825 /* XXX should abort, but don't have the inmp anymore */ 826 SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed); 827 return; 828 } 829 830 cach = (sctp_chunk_hdr_t *)camp->b_wptr; 831 camp->b_wptr = (uchar_t *)(cach + 1); 832 cach->sch_id = CHUNK_COOKIE_ACK; 833 cach->sch_flags = 0; 834 cach->sch_len = htons(sizeof (*cach)); 835 836 sctp_set_iplen(sctp, camp); 837 838 BUMP_LOCAL(sctp->sctp_obchunks); 839 840 sctp_add_sendq(sctp, camp); 841 } 842 843 static int 844 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code) 845 { 846 847 if (len < sizeof (*sph)) 848 return (-1); 849 while (sph != NULL) { 850 if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) && 851 ntohs(sph->sph_len) >= (sizeof (*sph) + 852 sizeof (uint32_t))) { 853 *adaptation_code = *(uint32_t *)(sph + 1); 854 return (0); 855 } 856 sph = sctp_next_parm(sph, &len); 857 } 858 return (-1); 859 } 860 861 void 862 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp) 863 { 864 mblk_t *cemp; 865 mblk_t *mp = NULL; 866 mblk_t *head; 867 mblk_t *meta; 868 sctp_faddr_t *fp; 869 sctp_chunk_hdr_t *cech; 870 sctp_init_chunk_t *iack; 871 int32_t cansend; 872 int32_t seglen; 873 size_t ceclen; 874 sctp_parm_hdr_t *cph; 875 sctp_data_hdr_t *sdc; 876 sctp_tf_t *tf; 877 int pad = 0; 878 int hdrlen; 879 mblk_t *errmp = NULL; 880 uint_t sctp_options; 881 int error; 882 uint16_t old_num_str; 883 sctp_stack_t *sctps = sctp->sctp_sctps; 884 885 iack = (sctp_init_chunk_t *)(iackch + 1); 886 887 cph = NULL; 888 if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp, 889 &pad, &sctp_options) == 0) { /* result in 'pad' ignored */ 890 BUMP_MIB(&sctps->sctps_mib, sctpAborted); 891 sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL); 892 sctp_clean_death(sctp, ECONNABORTED); 893 return; 894 } 895 ASSERT(cph != NULL); 896 897 ASSERT(sctp->sctp_cookie_mp == NULL); 898 899 /* Got a cookie to echo back; allocate an mblk */ 900 ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph); 901 if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0) 902 pad = SCTP_ALIGN - pad; 903 904 if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION) 905 hdrlen = sctp->sctp_hdr_len; 906 else 907 hdrlen = sctp->sctp_hdr6_len; 908 909 cemp = allocb_cred(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad, 910 CONN_CRED(sctp->sctp_connp), sctp->sctp_cpid); 911 if (cemp == NULL) { 912 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 913 sctp->sctp_current->rto); 914 if (errmp != NULL) 915 freeb(errmp); 916 return; 917 } 918 cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen); 919 920 /* Process the INIT ACK */ 921 sctp->sctp_sctph->sh_verf = iack->sic_inittag; 922 sctp->sctp_sctph6->sh_verf = iack->sic_inittag; 923 sctp->sctp_fvtag = iack->sic_inittag; 924 sctp->sctp_ftsn = ntohl(iack->sic_inittsn); 925 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 926 sctp->sctp_fcsn = sctp->sctp_lastacked; 927 sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd); 928 929 /* 930 * Populate sctp with addresses given in the INIT ACK or IP header. 931 * Need to set the df bit in the current fp as it has been cleared 932 * in sctp_connect(). 933 */ 934 sctp->sctp_current->df = B_TRUE; 935 /* 936 * Since IP uses this info during the fanout process, we need to hold 937 * the lock for this hash line while performing this operation. 938 */ 939 /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, sctp->sctp_ports); */ 940 ASSERT(sctp->sctp_conn_tfp != NULL); 941 tf = sctp->sctp_conn_tfp; 942 /* sctp isn't a listener so only need to hold conn fanout lock */ 943 mutex_enter(&tf->tf_lock); 944 if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) { 945 mutex_exit(&tf->tf_lock); 946 freeb(cemp); 947 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 948 sctp->sctp_current->rto); 949 if (errmp != NULL) 950 freeb(errmp); 951 return; 952 } 953 mutex_exit(&tf->tf_lock); 954 955 fp = sctp->sctp_current; 956 957 /* 958 * There could be a case when we get an INIT-ACK again, if the INIT 959 * is re-transmitted, for e.g., which means we would have already 960 * allocated this resource earlier (also for sctp_instr). In this 961 * case we check and re-allocate, if necessary. 962 */ 963 old_num_str = sctp->sctp_num_ostr; 964 if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr) 965 sctp->sctp_num_ostr = ntohs(iack->sic_instr); 966 if (sctp->sctp_ostrcntrs == NULL) { 967 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 968 sctp->sctp_num_ostr, KM_NOSLEEP); 969 } else { 970 ASSERT(old_num_str > 0); 971 if (old_num_str != sctp->sctp_num_ostr) { 972 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 973 old_num_str); 974 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 975 sctp->sctp_num_ostr, KM_NOSLEEP); 976 } 977 } 978 if (sctp->sctp_ostrcntrs == NULL) { 979 freeb(cemp); 980 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 981 if (errmp != NULL) 982 freeb(errmp); 983 return; 984 } 985 986 /* 987 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs 988 * hold here too. 989 */ 990 old_num_str = sctp->sctp_num_istr; 991 if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr) 992 sctp->sctp_num_istr = ntohs(iack->sic_outstr); 993 if (sctp->sctp_instr == NULL) { 994 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 995 sctp->sctp_num_istr, KM_NOSLEEP); 996 } else { 997 ASSERT(old_num_str > 0); 998 if (old_num_str != sctp->sctp_num_istr) { 999 kmem_free(sctp->sctp_instr, 1000 sizeof (*sctp->sctp_instr) * old_num_str); 1001 sctp->sctp_instr = kmem_zalloc( 1002 sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr, 1003 KM_NOSLEEP); 1004 } 1005 } 1006 if (sctp->sctp_instr == NULL) { 1007 kmem_free(sctp->sctp_ostrcntrs, 1008 sizeof (uint16_t) * sctp->sctp_num_ostr); 1009 freeb(cemp); 1010 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1011 if (errmp != NULL) 1012 freeb(errmp); 1013 return; 1014 } 1015 1016 if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware) 1017 sctp->sctp_prsctp_aware = B_FALSE; 1018 1019 if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1), 1020 ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)), 1021 &sctp->sctp_rx_adaptation_code) == 0) { 1022 sctp->sctp_recv_adaptation = 1; 1023 } 1024 1025 cech = (sctp_chunk_hdr_t *)cemp->b_rptr; 1026 ASSERT(OK_32PTR(cech)); 1027 cech->sch_id = CHUNK_COOKIE; 1028 cech->sch_flags = 0; 1029 cech->sch_len = htons(ceclen); 1030 1031 /* Copy the cookie (less the parm hdr) to the chunk */ 1032 bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph)); 1033 1034 cemp->b_wptr = cemp->b_rptr + ceclen; 1035 1036 if (sctp->sctp_unsent > 0) { 1037 sctp_msg_hdr_t *smh; 1038 mblk_t *prev = NULL; 1039 uint32_t unsent = 0; 1040 1041 mp = sctp->sctp_xmit_unsent; 1042 do { 1043 smh = (sctp_msg_hdr_t *)mp->b_rptr; 1044 if (smh->smh_sid >= sctp->sctp_num_ostr) { 1045 unsent += smh->smh_msglen; 1046 if (prev != NULL) 1047 prev->b_next = mp->b_next; 1048 else 1049 sctp->sctp_xmit_unsent = mp->b_next; 1050 mp->b_next = NULL; 1051 sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID, 1052 B_FALSE); 1053 if (prev != NULL) 1054 mp = prev->b_next; 1055 else 1056 mp = sctp->sctp_xmit_unsent; 1057 } else { 1058 prev = mp; 1059 mp = mp->b_next; 1060 } 1061 } while (mp != NULL); 1062 if (unsent > 0) { 1063 ASSERT(sctp->sctp_unsent >= unsent); 1064 sctp->sctp_unsent -= unsent; 1065 /* 1066 * Update ULP the amount of queued data, which is 1067 * sent-unack'ed + unsent. 1068 * This is not necessary, but doesn't harm, we 1069 * just use unsent instead of sent-unack'ed + 1070 * unsent, since there won't be any sent-unack'ed 1071 * here. 1072 */ 1073 if (!SCTP_IS_DETACHED(sctp)) 1074 SCTP_TXQ_UPDATE(sctp); 1075 } 1076 if (sctp->sctp_xmit_unsent == NULL) 1077 sctp->sctp_xmit_unsent_tail = NULL; 1078 } 1079 ceclen += pad; 1080 cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd); 1081 meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen, 1082 cansend, NULL); 1083 /* 1084 * The error cannot be anything else since we could have an non-zero 1085 * error only if sctp_get_msg_to_send() tries to send a Forward 1086 * TSN which will not happen here. 1087 */ 1088 ASSERT(error == 0); 1089 if (meta == NULL) 1090 goto sendcookie; 1091 sctp->sctp_xmit_tail = meta; 1092 sdc = (sctp_data_hdr_t *)mp->b_rptr; 1093 seglen = ntohs(sdc->sdh_len); 1094 if ((ceclen + seglen) > fp->sfa_pmss || 1095 (seglen - sizeof (*sdc)) > cansend) { 1096 goto sendcookie; 1097 } 1098 /* OK, if this fails */ 1099 cemp->b_cont = dupmsg(mp); 1100 sendcookie: 1101 head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL); 1102 if (head == NULL) { 1103 freemsg(cemp); 1104 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1105 if (errmp != NULL) 1106 freeb(errmp); 1107 SCTP_KSTAT(sctps, sctp_send_cookie_failed); 1108 return; 1109 } 1110 /* 1111 * Even if cookie-echo exceeds MTU for one of the hops, it'll 1112 * have a chance of getting there. 1113 */ 1114 if (fp->isv4) { 1115 ipha_t *iph = (ipha_t *)head->b_rptr; 1116 iph->ipha_fragment_offset_and_flags = 0; 1117 } 1118 BUMP_LOCAL(sctp->sctp_obchunks); 1119 1120 sctp->sctp_cookie_mp = dupmsg(head); 1121 /* Don't bundle, we will just resend init if this cookie is lost. */ 1122 if (sctp->sctp_cookie_mp == NULL) { 1123 if (cemp->b_cont != NULL) { 1124 freemsg(cemp->b_cont); 1125 cemp->b_cont = NULL; 1126 } 1127 } else if (cemp->b_cont != NULL) { 1128 ASSERT(mp != NULL && mp == meta->b_cont); 1129 SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont); 1130 cemp->b_wptr += pad; 1131 seglen -= sizeof (*sdc); 1132 SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta); 1133 } 1134 if (errmp != NULL) { 1135 if (cemp->b_cont == NULL) 1136 cemp->b_wptr += pad; 1137 linkb(head, errmp); 1138 } 1139 sctp->sctp_state = SCTPS_COOKIE_ECHOED; 1140 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1141 1142 sctp_set_iplen(sctp, head); 1143 sctp_add_sendq(sctp, head); 1144 } 1145 1146 int 1147 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp, 1148 sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaptation, 1149 in6_addr_t *peer_addr) 1150 { 1151 int32_t clen; 1152 size_t initplen; 1153 uchar_t *p; 1154 uchar_t *given_hash; 1155 uchar_t needed_hash[16]; 1156 int64_t ts; 1157 int64_t diff; 1158 uint32_t *lt; 1159 sctp_init_chunk_t *iack; 1160 sctp_chunk_hdr_t *initch; 1161 sctp_init_chunk_t *init; 1162 uint32_t *lttag; 1163 uint32_t *fttag; 1164 uint32_t ports; 1165 sctp_stack_t *sctps = sctp->sctp_sctps; 1166 1167 BUMP_LOCAL(sctp->sctp_ibchunks); 1168 /* Verify the ICV */ 1169 clen = ntohs(ch->sch_len) - sizeof (*ch) - 16; 1170 if (clen < 0) { 1171 dprint(1, ("invalid cookie chunk length %d\n", 1172 ntohs(ch->sch_len))); 1173 1174 return (-1); 1175 } 1176 p = (uchar_t *)(ch + 1); 1177 1178 hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, 1179 needed_hash); 1180 1181 /* The given hash follows the cookie data */ 1182 given_hash = p + clen; 1183 1184 if (bcmp(given_hash, needed_hash, 16) != 0) { 1185 /* The secret may have changed; try the old secret */ 1186 hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret, 1187 SCTP_SECRET_LEN, needed_hash); 1188 if (bcmp(given_hash, needed_hash, 16) != 0) { 1189 return (-1); 1190 } 1191 } 1192 1193 /* Timestamp is int64_t, and we only guarantee 32-bit alignment */ 1194 bcopy(p, &ts, sizeof (ts)); 1195 /* Cookie life time, uint32_t */ 1196 lt = (uint32_t *)(p + sizeof (ts)); 1197 1198 /* 1199 * To quote PRC, "this is our baby", so let's continue. 1200 * We need to pull out the encapsulated INIT ACK and 1201 * INIT chunks. Note that we don't process these until 1202 * we have verified the timestamp, but we need them before 1203 * processing the timestamp since if the time check fails, 1204 * we need to get the verification tag from the INIT in order 1205 * to send a stale cookie error. 1206 */ 1207 lttag = (uint32_t *)(lt + 1); 1208 fttag = lttag + 1; 1209 if (peer_addr != NULL) 1210 bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t)); 1211 iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t)); 1212 initch = (sctp_chunk_hdr_t *)(iack + 1); 1213 init = (sctp_init_chunk_t *)(initch + 1); 1214 initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch)); 1215 *iackpp = iack; 1216 *recv_adaptation = 0; 1217 1218 /* 1219 * Check the staleness of the Cookie, specified in 3.3.10.3 of 1220 * RFC 2960. 1221 * 1222 * The mesaure of staleness is the difference, in microseconds, 1223 * between the current time and the time the State Cookie expires. 1224 * So it is lbolt64 - (ts + *lt). If it is positive, it means 1225 * that the Cookie has expired. 1226 */ 1227 diff = lbolt64 - (ts + *lt); 1228 if (diff > 0 && (init->sic_inittag != sctp->sctp_fvtag || 1229 iack->sic_inittag != sctp->sctp_lvtag)) { 1230 uint32_t staleness; 1231 1232 staleness = TICK_TO_USEC(diff); 1233 staleness = htonl(staleness); 1234 sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE, 1235 (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE); 1236 1237 dprint(1, ("stale cookie %d\n", staleness)); 1238 1239 return (-1); 1240 } 1241 1242 /* Check for attack by adding addresses to a restart */ 1243 bcopy(insctph, &ports, sizeof (ports)); 1244 if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP, 1245 sctps) != 1) { 1246 return (-1); 1247 } 1248 1249 /* Look for adaptation code if there any parms in the INIT chunk */ 1250 if ((initplen >= sizeof (sctp_parm_hdr_t)) && 1251 (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen, 1252 &sctp->sctp_rx_adaptation_code) == 0)) { 1253 *recv_adaptation = 1; 1254 } 1255 1256 /* Examine tie-tags */ 1257 1258 if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) { 1259 if (sctp->sctp_state == SCTPS_ESTABLISHED && 1260 init->sic_inittag == sctp->sctp_fvtag && 1261 iack->sic_inittag == sctp->sctp_lvtag && 1262 *fttag == 0 && *lttag == 0) { 1263 1264 dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n", 1265 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1266 (int)(sctp->sctp_fport))); 1267 return (-1); 1268 } 1269 1270 if (init->sic_inittag != sctp->sctp_fvtag && 1271 iack->sic_inittag != sctp->sctp_lvtag && 1272 *fttag == sctp->sctp_fvtag && 1273 *lttag == sctp->sctp_lvtag) { 1274 int i; 1275 1276 /* Section 5.2.4 case A: restart */ 1277 sctp->sctp_fvtag = init->sic_inittag; 1278 sctp->sctp_lvtag = iack->sic_inittag; 1279 1280 sctp->sctp_sctph->sh_verf = init->sic_inittag; 1281 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 1282 1283 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 1284 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 1285 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 1286 sctp->sctp_fcsn = sctp->sctp_lastacked; 1287 1288 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1289 sctp->sctp_state = SCTPS_ESTABLISHED; 1290 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1291 } 1292 1293 dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n", 1294 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1295 (int)(sctp->sctp_fport))); 1296 /* reset parameters */ 1297 sctp_congest_reset(sctp); 1298 1299 /* reset stream bookkeeping */ 1300 sctp_instream_cleanup(sctp, B_FALSE); 1301 1302 sctp->sctp_istr_nmsgs = 0; 1303 sctp->sctp_rxqueued = 0; 1304 for (i = 0; i < sctp->sctp_num_ostr; i++) { 1305 sctp->sctp_ostrcntrs[i] = 0; 1306 } 1307 /* XXX flush xmit_list? */ 1308 1309 return (0); 1310 } else if (init->sic_inittag != sctp->sctp_fvtag && 1311 iack->sic_inittag == sctp->sctp_lvtag) { 1312 1313 /* Section 5.2.4 case B: INIT collision */ 1314 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1315 if (!sctp_initialize_params(sctp, init, iack)) 1316 return (-1); /* Drop? */ 1317 sctp->sctp_state = SCTPS_ESTABLISHED; 1318 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1319 } 1320 1321 dprint(1, ("init collision with %x:%x:%x:%x (%d)\n", 1322 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1323 (int)(sctp->sctp_fport))); 1324 1325 return (0); 1326 } else if (iack->sic_inittag != sctp->sctp_lvtag && 1327 init->sic_inittag == sctp->sctp_fvtag && 1328 *fttag == 0 && *lttag == 0) { 1329 1330 /* Section 5.2.4 case C: late COOKIE */ 1331 dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n", 1332 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1333 (int)(sctp->sctp_fport))); 1334 return (-1); 1335 } else if (init->sic_inittag == sctp->sctp_fvtag && 1336 iack->sic_inittag == sctp->sctp_lvtag) { 1337 1338 /* 1339 * Section 5.2.4 case D: COOKIE ECHO retransmit 1340 * Don't check cookie lifetime 1341 */ 1342 dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n", 1343 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1344 (int)(sctp->sctp_fport))); 1345 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1346 if (!sctp_initialize_params(sctp, init, iack)) 1347 return (-1); /* Drop? */ 1348 sctp->sctp_state = SCTPS_ESTABLISHED; 1349 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1350 } 1351 return (0); 1352 } else { 1353 /* unrecognized case -- silently drop it */ 1354 return (-1); 1355 } 1356 } 1357 1358 return (0); 1359 } 1360 1361 /* 1362 * Similar to ip_fanout_sctp, except that the src addr(s) are drawn 1363 * from address parameters in an INIT ACK's address list. This 1364 * function is used when an INIT ACK is received but IP's fanout 1365 * function could not find a sctp via the normal lookup routine. 1366 * This can happen when a host sends an INIT ACK from a different 1367 * address than the INIT was sent to. 1368 * 1369 * Returns the sctp_t if found, or NULL if not found. 1370 */ 1371 sctp_t * 1372 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich, 1373 zoneid_t zoneid, sctp_stack_t *sctps) 1374 { 1375 int isv4; 1376 ipha_t *iph; 1377 ip6_t *ip6h; 1378 in6_addr_t dst; 1379 in6_addr_t src; 1380 sctp_parm_hdr_t *ph; 1381 ssize_t remaining; 1382 sctp_init_chunk_t *iack; 1383 uint32_t ports; 1384 sctp_t *sctp = NULL; 1385 1386 ASSERT(ich->sch_id == CHUNK_INIT_ACK); 1387 1388 isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION); 1389 if (isv4) { 1390 iph = (ipha_t *)mp->b_rptr; 1391 IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst); 1392 } else { 1393 ip6h = (ip6_t *)mp->b_rptr; 1394 dst = ip6h->ip6_dst; 1395 } 1396 1397 ports = *(uint32_t *)sctph; 1398 1399 dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n", 1400 ports, SCTP_PRINTADDR(dst))); 1401 1402 /* pull out any address parameters */ 1403 remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack); 1404 if (remaining < sizeof (*ph)) { 1405 return (NULL); 1406 } 1407 1408 iack = (sctp_init_chunk_t *)(ich + 1); 1409 ph = (sctp_parm_hdr_t *)(iack + 1); 1410 1411 while (ph != NULL) { 1412 /* 1413 * params have been put in host byteorder by 1414 * sctp_check_input() 1415 */ 1416 if (ph->sph_type == PARM_ADDR4) { 1417 IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1), 1418 &src); 1419 1420 sctp = sctp_conn_match(&src, &dst, ports, zoneid, 1421 sctps); 1422 1423 dprint(1, 1424 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1425 SCTP_PRINTADDR(src), (void *)sctp)); 1426 1427 1428 if (sctp != NULL) { 1429 return (sctp); 1430 } 1431 } else if (ph->sph_type == PARM_ADDR6) { 1432 src = *(in6_addr_t *)(ph + 1); 1433 sctp = sctp_conn_match(&src, &dst, ports, zoneid, 1434 sctps); 1435 1436 dprint(1, 1437 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1438 SCTP_PRINTADDR(src), (void *)sctp)); 1439 1440 if (sctp != NULL) { 1441 return (sctp); 1442 } 1443 } 1444 1445 ph = sctp_next_parm(ph, &remaining); 1446 } 1447 1448 return (NULL); 1449 } 1450