1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #include <sys/types.h> 28 #include <sys/systm.h> 29 #include <sys/stream.h> 30 #include <sys/cmn_err.h> 31 #include <sys/md5.h> 32 #include <sys/kmem.h> 33 #include <sys/strsubr.h> 34 #include <sys/random.h> 35 #include <sys/tsol/tnet.h> 36 37 #include <netinet/in.h> 38 #include <netinet/ip6.h> 39 40 #include <inet/common.h> 41 #include <inet/ip.h> 42 #include <inet/ip6.h> 43 #include <inet/sctp_ip.h> 44 #include <inet/ipclassifier.h> 45 #include "sctp_impl.h" 46 47 /* 48 * Helper function for SunCluster (PSARC/2005/602) to get the original source 49 * address from the COOKIE 50 */ 51 int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *); 52 53 /* 54 * From RFC 2104. This should probably go into libmd5 (and while 55 * we're at it, maybe we should make a libdigest so we can later 56 * add SHA1 and others, esp. since some weaknesses have been found 57 * with MD5). 58 * 59 * text IN pointer to data stream 60 * text_len IN length of data stream 61 * key IN pointer to authentication key 62 * key_len IN length of authentication key 63 * digest OUT caller digest to be filled in 64 */ 65 static void 66 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len, 67 uchar_t *digest) 68 { 69 MD5_CTX context; 70 uchar_t k_ipad[65]; /* inner padding - key XORd with ipad */ 71 uchar_t k_opad[65]; /* outer padding - key XORd with opad */ 72 uchar_t tk[16]; 73 int i; 74 75 /* if key is longer than 64 bytes reset it to key=MD5(key) */ 76 if (key_len > 64) { 77 MD5_CTX tctx; 78 79 MD5Init(&tctx); 80 MD5Update(&tctx, key, key_len); 81 MD5Final(tk, &tctx); 82 83 key = tk; 84 key_len = 16; 85 } 86 87 /* 88 * the HMAC_MD5 transform looks like: 89 * 90 * MD5(K XOR opad, MD5(K XOR ipad, text)) 91 * 92 * where K is an n byte key 93 * ipad is the byte 0x36 repeated 64 times 94 * opad is the byte 0x5c repeated 64 times 95 * and text is the data being protected 96 */ 97 98 /* start out by storing key in pads */ 99 bzero(k_ipad, sizeof (k_ipad)); 100 bzero(k_opad, sizeof (k_opad)); 101 bcopy(key, k_ipad, key_len); 102 bcopy(key, k_opad, key_len); 103 104 /* XOR key with ipad and opad values */ 105 for (i = 0; i < 64; i++) { 106 k_ipad[i] ^= 0x36; 107 k_opad[i] ^= 0x5c; 108 } 109 /* 110 * perform inner MD5 111 */ 112 MD5Init(&context); /* init context for 1st */ 113 /* pass */ 114 MD5Update(&context, k_ipad, 64); /* start with inner pad */ 115 MD5Update(&context, text, text_len); /* then text of datagram */ 116 MD5Final(digest, &context); /* finish up 1st pass */ 117 /* 118 * perform outer MD5 119 */ 120 MD5Init(&context); /* init context for 2nd */ 121 /* pass */ 122 MD5Update(&context, k_opad, 64); /* start with outer pad */ 123 MD5Update(&context, digest, 16); /* then results of 1st */ 124 /* hash */ 125 MD5Final(digest, &context); /* finish up 2nd pass */ 126 } 127 128 /* 129 * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP 130 * info in initmp to send the abort. Otherwise, no abort will be sent. 131 * 132 * When called from stcp_send_initack() while processing parameters 133 * from a received INIT_CHUNK want_cookie will be NULL. 134 * 135 * When called from sctp_send_cookie_echo() while processing an INIT_ACK, 136 * want_cookie contains a pointer to a pointer of type *sctp_parm_hdr_t. 137 * However, this last pointer will be NULL until the cookie is processed 138 * at which time it will be set to point to a sctp_parm_hdr_t that contains 139 * the cookie info. 140 * 141 * Note: an INIT_ACK is expected to contain a cookie. 142 * 143 * When processing an INIT_ACK, an ERROR chunk and chain of one or more 144 * error CAUSE blocks will be created if unrecognized parameters marked by 145 * the sender as reportable are found. 146 * 147 * When processing an INIT chunk, a chain of one or more error CAUSE blocks 148 * will be created if unrecognized parameters marked by the sender as 149 * reportable are found. These are appended directly to the INIT_ACK chunk. 150 * 151 * In both cases the error chain is visible to the caller via *errmp. 152 * 153 * Returns 1 if the parameters are OK (or if there are no optional 154 * parameters), returns 0 otherwise. 155 */ 156 static int 157 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch, 158 sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie, 159 mblk_t **errmp, int *supp_af, uint_t *sctp_options) 160 { 161 sctp_parm_hdr_t *cph; 162 sctp_init_chunk_t *ic; 163 ssize_t remaining; 164 uint16_t serror = 0; 165 char *details = NULL; 166 size_t errlen = 0; 167 boolean_t got_cookie = B_FALSE; 168 boolean_t got_errchunk = B_FALSE; 169 uint16_t ptype; 170 171 ASSERT(errmp != NULL); 172 173 if (sctp_options != NULL) 174 *sctp_options = 0; 175 176 /* First validate stream parameters */ 177 if (init->sic_instr == 0 || init->sic_outstr == 0) { 178 serror = SCTP_ERR_BAD_MANDPARM; 179 dprint(1, ("validate_init_params: bad sid, is=%d os=%d\n", 180 htons(init->sic_instr), htons(init->sic_outstr))); 181 goto abort; 182 } 183 if (ntohl(init->sic_inittag) == 0) { 184 serror = SCTP_ERR_BAD_MANDPARM; 185 dprint(1, ("validate_init_params: inittag = 0\n")); 186 goto abort; 187 } 188 189 remaining = ntohs(ch->sch_len) - sizeof (*ch); 190 ic = (sctp_init_chunk_t *)(ch + 1); 191 remaining -= sizeof (*ic); 192 if (remaining < sizeof (*cph)) { 193 /* 194 * When processing a received INIT_ACK, a cookie is 195 * expected, if missing there is nothing to validate. 196 */ 197 if (want_cookie != NULL) 198 goto cookie_abort; 199 return (1); 200 } 201 202 cph = (sctp_parm_hdr_t *)(ic + 1); 203 204 while (cph != NULL) { 205 ptype = ntohs(cph->sph_type); 206 switch (ptype) { 207 case PARM_HBINFO: 208 case PARM_UNRECOGNIZED: 209 case PARM_ECN: 210 /* just ignore them */ 211 break; 212 case PARM_FORWARD_TSN: 213 if (sctp_options != NULL) 214 *sctp_options |= SCTP_PRSCTP_OPTION; 215 break; 216 case PARM_COOKIE: 217 got_cookie = B_TRUE; 218 /* 219 * Processing a received INIT_ACK, we have a cookie 220 * and a valid pointer in our caller to attach it to. 221 */ 222 if (want_cookie != NULL) { 223 *want_cookie = cph; 224 } 225 break; 226 case PARM_ADDR4: 227 *supp_af |= PARM_SUPP_V4; 228 break; 229 case PARM_ADDR6: 230 *supp_af |= PARM_SUPP_V6; 231 break; 232 case PARM_COOKIE_PRESERVE: 233 case PARM_ADAPT_LAYER_IND: 234 /* These are OK */ 235 break; 236 case PARM_ADDR_HOST_NAME: 237 /* Don't support this; abort the association */ 238 serror = SCTP_ERR_BAD_ADDR; 239 details = (char *)cph; 240 errlen = ntohs(cph->sph_len); 241 dprint(1, ("sctp:validate_init_params: host addr\n")); 242 goto abort; 243 case PARM_SUPP_ADDRS: { 244 /* Make sure we have a supported addr intersection */ 245 uint16_t *p, addrtype; 246 int plen; 247 248 plen = ntohs(cph->sph_len); 249 p = (uint16_t *)(cph + 1); 250 while (plen > 0) { 251 addrtype = ntohs(*p); 252 switch (addrtype) { 253 case PARM_ADDR6: 254 *supp_af |= PARM_SUPP_V6; 255 break; 256 case PARM_ADDR4: 257 *supp_af |= PARM_SUPP_V4; 258 break; 259 default: 260 /* 261 * Do nothing, silently ignore hostname 262 * address. 263 */ 264 break; 265 } 266 p++; 267 plen -= sizeof (*p); 268 } 269 break; 270 } 271 default: 272 /* 273 * Handle any unrecognized params, the two high order 274 * bits of ptype define how the remote wants them 275 * handled. 276 * Top bit: 277 * 1. Continue processing other params in the chunk 278 * 0. Stop processing params after this one. 279 * 2nd bit: 280 * 1. Must report this unrecognized param to remote 281 * 0. Obey the top bit silently. 282 */ 283 if (ptype & SCTP_REPORT_THIS_PARAM) { 284 if (!got_errchunk && want_cookie != NULL) { 285 /* 286 * Processing an INIT_ACK, this is the 287 * first reportable param, create an 288 * ERROR chunk and populate it with a 289 * CAUSE block for this parameter. 290 */ 291 *errmp = sctp_make_err(sctp, 292 PARM_UNRECOGNIZED, 293 (void *)cph, 294 ntohs(cph->sph_len)); 295 got_errchunk = B_TRUE; 296 } else { 297 /* 298 * If processing an INIT chunk add 299 * an additional CAUSE block to an 300 * INIT_ACK, got_errchunk is B_FALSE. 301 */ 302 sctp_add_unrec_parm(cph, errmp, 303 got_errchunk); 304 } 305 } 306 if (ptype & SCTP_CONT_PROC_PARAMS) { 307 /* 308 * Continue processing params after this 309 * parameter. 310 */ 311 break; 312 } 313 314 /* 315 * Stop processing params, report any reportable 316 * unrecognized params found so far. 317 */ 318 goto done; 319 } 320 321 cph = sctp_next_parm(cph, &remaining); 322 } 323 done: 324 /* 325 * Some sanity checks. The following should not fail unless the 326 * other side is broken. 327 * 328 * 1. If this is a V4 endpoint but V4 address is not 329 * supported, abort. 330 * 2. If this is a V6 only endpoint but V6 address is 331 * not supported, abort. This assumes that a V6 332 * endpoint can use both V4 and V6 addresses. 333 * We only care about supp_af when processing INIT, i.e want_cookie 334 * is NULL. 335 */ 336 if (want_cookie == NULL && 337 ((sctp->sctp_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) || 338 (sctp->sctp_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) && 339 sctp->sctp_connp->conn_ipv6_v6only))) { 340 dprint(1, ("sctp:validate_init_params: supp addr\n")); 341 serror = SCTP_ERR_BAD_ADDR; 342 goto abort; 343 } 344 345 if (want_cookie != NULL && !got_cookie) { 346 cookie_abort: 347 dprint(1, ("validate_init_params: cookie absent\n")); 348 sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM, 349 details, errlen, inmp, 0, B_FALSE); 350 return (0); 351 } 352 353 /* OK */ 354 return (1); 355 356 abort: 357 if (want_cookie != NULL) 358 return (0); 359 360 sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details, 361 errlen, inmp, 0, B_FALSE); 362 return (0); 363 } 364 365 /* 366 * Initialize params from the INIT and INIT-ACK when the assoc. is 367 * established. 368 */ 369 boolean_t 370 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init, 371 sctp_init_chunk_t *iack) 372 { 373 /* Get initial TSN */ 374 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 375 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 376 377 /* Serial number is initialized to the same value as the TSN */ 378 sctp->sctp_fcsn = sctp->sctp_lastacked; 379 380 /* 381 * Get verification tags; no byteordering is necessary, since 382 * verfication tags are never processed except for byte-by-byte 383 * comparisons. 384 */ 385 sctp->sctp_fvtag = init->sic_inittag; 386 sctp->sctp_sctph->sh_verf = init->sic_inittag; 387 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 388 sctp->sctp_lvtag = iack->sic_inittag; 389 390 /* Get the peer's rwnd */ 391 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 392 393 /* Allocate the in/out-stream counters */ 394 sctp->sctp_num_ostr = iack->sic_outstr; 395 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 396 sctp->sctp_num_ostr, KM_NOSLEEP); 397 if (sctp->sctp_ostrcntrs == NULL) 398 return (B_FALSE); 399 400 sctp->sctp_num_istr = iack->sic_instr; 401 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 402 sctp->sctp_num_istr, KM_NOSLEEP); 403 if (sctp->sctp_instr == NULL) { 404 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 405 sctp->sctp_num_ostr); 406 sctp->sctp_ostrcntrs = NULL; 407 return (B_FALSE); 408 } 409 return (B_TRUE); 410 } 411 412 /* 413 * Copy the peer's original source address into addr. This relies on the 414 * following format (see sctp_send_initack() below): 415 * relative timestamp for the cookie (int64_t) + 416 * cookie lifetime (uint32_t) + 417 * local tie-tag (uint32_t) + peer tie-tag (uint32_t) + 418 * Peer's original src ... 419 */ 420 int 421 cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr) 422 { 423 uchar_t *off; 424 425 ASSERT(addr != NULL); 426 427 if (ch->sch_id != CHUNK_COOKIE) 428 return (EINVAL); 429 430 off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) + 431 sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t); 432 433 bcopy(off, addr, sizeof (*addr)); 434 435 return (0); 436 } 437 438 #define SCTP_CALC_COOKIE_LEN(initcp) \ 439 sizeof (int64_t) + /* timestamp */ \ 440 sizeof (uint32_t) + /* cookie lifetime */ \ 441 sizeof (sctp_init_chunk_t) + /* INIT ACK */ \ 442 sizeof (in6_addr_t) + /* peer's original source */ \ 443 ntohs((initcp)->sch_len) + /* peer's INIT */ \ 444 sizeof (uint32_t) + /* local tie-tag */ \ 445 sizeof (uint32_t) + /* peer tie-tag */ \ 446 sizeof (sctp_parm_hdr_t) + /* param header */ \ 447 16 /* MD5 hash */ 448 449 void 450 sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch, 451 mblk_t *initmp) 452 { 453 ipha_t *initiph; 454 ip6_t *initip6h; 455 ipha_t *iackiph; 456 ip6_t *iackip6h; 457 sctp_chunk_hdr_t *iack_ch; 458 sctp_init_chunk_t *iack; 459 sctp_init_chunk_t *init; 460 sctp_hdr_t *iacksh; 461 size_t cookielen; 462 size_t iacklen; 463 size_t ipsctplen; 464 size_t errlen = 0; 465 sctp_parm_hdr_t *cookieph; 466 mblk_t *iackmp; 467 uint32_t itag; 468 uint32_t itsn; 469 int64_t *now; 470 int64_t nowt; 471 uint32_t *lifetime; 472 char *p; 473 boolean_t isv4; 474 int supp_af = 0; 475 uint_t sctp_options; 476 uint32_t *ttag; 477 int pad; 478 mblk_t *errmp = NULL; 479 boolean_t initcollision = B_FALSE; 480 boolean_t linklocal = B_FALSE; 481 cred_t *cr; 482 ts_label_t *initlabel; 483 sctp_stack_t *sctps = sctp->sctp_sctps; 484 485 BUMP_LOCAL(sctp->sctp_ibchunks); 486 isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION); 487 488 /* Extract the INIT chunk */ 489 if (isv4) { 490 initiph = (ipha_t *)initmp->b_rptr; 491 ipsctplen = sctp->sctp_ip_hdr_len; 492 supp_af |= PARM_SUPP_V4; 493 } else { 494 initip6h = (ip6_t *)initmp->b_rptr; 495 ipsctplen = sctp->sctp_ip_hdr6_len; 496 if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src)) 497 linklocal = B_TRUE; 498 supp_af |= PARM_SUPP_V6; 499 } 500 ASSERT(OK_32PTR(initsh)); 501 init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch)); 502 503 /* Make sure we like the peer's parameters */ 504 if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp, 505 &supp_af, &sctp_options) == 0) { 506 return; 507 } 508 if (errmp != NULL) 509 errlen = msgdsize(errmp); 510 if (sctp->sctp_family == AF_INET) { 511 /* 512 * Irregardless of the supported address in the INIT, v4 513 * must be supported. 514 */ 515 supp_af = PARM_SUPP_V4; 516 } 517 if (sctp->sctp_state <= SCTPS_LISTEN) { 518 /* normal, expected INIT: generate new vtag and itsn */ 519 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 520 if (itag == 0) 521 itag = (uint32_t)gethrtime(); 522 itsn = itag + 1; 523 itag = htonl(itag); 524 } else if (sctp->sctp_state == SCTPS_COOKIE_WAIT || 525 sctp->sctp_state == SCTPS_COOKIE_ECHOED) { 526 /* init collision; copy vtag and itsn from sctp */ 527 itag = sctp->sctp_lvtag; 528 itsn = sctp->sctp_ltsn; 529 /* 530 * In addition we need to send all the params that was sent 531 * in our INIT chunk. Essentially, it is only the supported 532 * address params that we need to add. 533 */ 534 initcollision = B_TRUE; 535 /* 536 * When we sent the INIT, we should have set linklocal in 537 * the sctp which should be good enough. 538 */ 539 if (linklocal) 540 linklocal = B_FALSE; 541 } else { 542 /* peer restart; generate new vtag but keep everything else */ 543 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 544 if (itag == 0) 545 itag = (uint32_t)gethrtime(); 546 itag = htonl(itag); 547 itsn = sctp->sctp_ltsn; 548 } 549 550 /* 551 * Allocate a mblk for the INIT ACK, consisting of the link layer 552 * header, the IP header, the SCTP common header, and INIT ACK chunk, 553 * and finally the COOKIE parameter. 554 */ 555 cookielen = SCTP_CALC_COOKIE_LEN(ch); 556 iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen; 557 if (sctp->sctp_send_adaptation) 558 iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t)); 559 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 560 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) { 561 iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION); 562 } 563 if (initcollision) 564 iacklen += sctp_supaddr_param_len(sctp); 565 if (!linklocal) 566 iacklen += sctp_addr_params(sctp, supp_af, NULL, B_FALSE); 567 ipsctplen += sizeof (*iacksh) + iacklen; 568 iacklen += errlen; 569 if ((pad = ipsctplen % 4) != 0) { 570 pad = 4 - pad; 571 ipsctplen += pad; 572 } 573 574 /* 575 * If the listen socket is bound to a trusted extensions 576 * multi-label port, attach a copy of the listener's cred 577 * to the new INITACK mblk. Modify the cred to contain 578 * the security label of the received INIT packet. 579 * If not a multi-label port, attach the unmodified 580 * listener's cred directly. 581 * 582 * We expect Sun developed kernel modules to properly set 583 * cred labels for sctp connections. We can't be so sure this 584 * will be done correctly when 3rd party kernel modules 585 * directly use sctp. The initlabel panic guard logic was 586 * added to cover this possibility. 587 */ 588 if (sctp->sctp_connp->conn_mlp_type != mlptSingle) { 589 initlabel = MBLK_GETLABEL(initmp); 590 if (initlabel == NULL) { 591 sctp_send_abort(sctp, sctp_init2vtag(ch), 592 SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0, B_FALSE); 593 return; 594 } 595 cr = copycred_from_bslabel(CONN_CRED(sctp->sctp_connp), 596 &initlabel->tsl_label, initlabel->tsl_doi, KM_NOSLEEP); 597 if (cr == NULL) { 598 sctp_send_abort(sctp, sctp_init2vtag(ch), 599 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 600 return; 601 } 602 iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra, cr); 603 crfree(cr); 604 } else { 605 iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra, 606 CONN_CRED(sctp->sctp_connp)); 607 } 608 if (iackmp == NULL) { 609 sctp_send_abort(sctp, sctp_init2vtag(ch), 610 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 611 return; 612 } 613 614 /* Copy in the [imcomplete] IP/SCTP composite header */ 615 p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra); 616 iackmp->b_rptr = (uchar_t *)p; 617 if (isv4) { 618 bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len); 619 iackiph = (ipha_t *)p; 620 621 /* Copy the peer's IP addr */ 622 iackiph->ipha_dst = initiph->ipha_src; 623 iackiph->ipha_src = initiph->ipha_dst; 624 iackiph->ipha_length = htons(ipsctplen + errlen); 625 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len); 626 } else { 627 bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len); 628 iackip6h = (ip6_t *)p; 629 630 /* Copy the peer's IP addr */ 631 iackip6h->ip6_dst = initip6h->ip6_src; 632 iackip6h->ip6_src = initip6h->ip6_dst; 633 iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) + 634 errlen); 635 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len); 636 } 637 ASSERT(OK_32PTR(iacksh)); 638 639 /* Fill in the holes in the SCTP common header */ 640 iacksh->sh_sport = initsh->sh_dport; 641 iacksh->sh_dport = initsh->sh_sport; 642 iacksh->sh_verf = init->sic_inittag; 643 644 /* INIT ACK chunk header */ 645 iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1); 646 iack_ch->sch_id = CHUNK_INIT_ACK; 647 iack_ch->sch_flags = 0; 648 iack_ch->sch_len = htons(iacklen); 649 650 /* The INIT ACK itself */ 651 iack = (sctp_init_chunk_t *)(iack_ch + 1); 652 iack->sic_inittag = itag; /* already in network byteorder */ 653 iack->sic_inittsn = htonl(itsn); 654 655 iack->sic_a_rwnd = htonl(sctp->sctp_rwnd); 656 /* Advertise what we would want to have as stream #'s */ 657 iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr, 658 ntohs(init->sic_instr))); 659 iack->sic_instr = htons(sctp->sctp_num_istr); 660 661 p = (char *)(iack + 1); 662 p += sctp_adaptation_code_param(sctp, (uchar_t *)p); 663 if (initcollision) 664 p += sctp_supaddr_param(sctp, (uchar_t *)p); 665 if (!linklocal) 666 p += sctp_addr_params(sctp, supp_af, (uchar_t *)p, B_FALSE); 667 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 668 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) { 669 p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION); 670 } 671 /* 672 * Generate and lay in the COOKIE parameter. 673 * 674 * Any change here that results in a change of location for 675 * the peer's orig source address must be propagated to the fn 676 * cl_sctp_cookie_paddr() above. 677 * 678 * The cookie consists of: 679 * 1. The relative timestamp for the cookie (lbolt64) 680 * 2. The cookie lifetime (uint32_t) in tick 681 * 3. The local tie-tag 682 * 4. The peer tie-tag 683 * 5. Peer's original src, used to confirm the validity of address. 684 * 6. Our INIT ACK chunk, less any parameters 685 * 7. The INIT chunk (may contain parameters) 686 * 8. 128-bit MD5 signature. 687 * 688 * Since the timestamp values will only be evaluated locally, we 689 * don't need to worry about byte-ordering them. 690 */ 691 cookieph = (sctp_parm_hdr_t *)p; 692 cookieph->sph_type = htons(PARM_COOKIE); 693 cookieph->sph_len = htons(cookielen); 694 695 /* timestamp */ 696 now = (int64_t *)(cookieph + 1); 697 nowt = lbolt64; 698 bcopy(&nowt, now, sizeof (*now)); 699 700 /* cookie lifetime -- need configuration */ 701 lifetime = (uint32_t *)(now + 1); 702 *lifetime = sctp->sctp_cookie_lifetime; 703 704 /* Set the tie-tags */ 705 ttag = (uint32_t *)(lifetime + 1); 706 if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) { 707 *ttag = 0; 708 ttag++; 709 *ttag = 0; 710 ttag++; 711 } else { 712 /* local tie-tag (network byte-order) */ 713 *ttag = sctp->sctp_lvtag; 714 ttag++; 715 /* peer tie-tag (network byte-order) */ 716 *ttag = sctp->sctp_fvtag; 717 ttag++; 718 } 719 /* 720 * Copy in peer's original source address so that we can confirm 721 * the reachability later. 722 */ 723 p = (char *)ttag; 724 if (isv4) { 725 in6_addr_t peer_addr; 726 727 IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr); 728 bcopy(&peer_addr, p, sizeof (in6_addr_t)); 729 } else { 730 bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t)); 731 } 732 p += sizeof (in6_addr_t); 733 /* Copy in our INIT ACK chunk */ 734 bcopy(iack, p, sizeof (*iack)); 735 iack = (sctp_init_chunk_t *)p; 736 /* Set the # of streams we'll end up using */ 737 iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr)); 738 iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr)); 739 p += sizeof (*iack); 740 741 /* Copy in the peer's INIT chunk */ 742 bcopy(ch, p, ntohs(ch->sch_len)); 743 p += ntohs(ch->sch_len); 744 745 /* 746 * Calculate the HMAC ICV into the digest slot in buf. 747 * First, generate a new secret if the current secret is 748 * older than the new secret lifetime parameter permits, 749 * copying the current secret to sctp_old_secret. 750 */ 751 if (sctps->sctps_new_secret_interval > 0 && 752 (sctp->sctp_last_secret_update + 753 MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) { 754 bcopy(sctp->sctp_secret, sctp->sctp_old_secret, 755 SCTP_SECRET_LEN); 756 (void) random_get_pseudo_bytes(sctp->sctp_secret, 757 SCTP_SECRET_LEN); 758 sctp->sctp_last_secret_update = nowt; 759 } 760 761 hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16, 762 (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p); 763 764 iackmp->b_wptr = iackmp->b_rptr + ipsctplen; 765 if (pad != 0) 766 bzero((iackmp->b_wptr - pad), pad); 767 768 iackmp->b_cont = errmp; /* OK if NULL */ 769 770 if (is_system_labeled() && (cr = DB_CRED(iackmp)) != NULL && 771 crgetlabel(cr) != NULL) { 772 conn_t *connp = sctp->sctp_connp; 773 int err; 774 775 if (isv4) 776 err = tsol_check_label(cr, &iackmp, 777 connp->conn_mac_exempt, 778 sctps->sctps_netstack->netstack_ip); 779 else 780 err = tsol_check_label_v6(cr, &iackmp, 781 connp->conn_mac_exempt, 782 sctps->sctps_netstack->netstack_ip); 783 if (err != 0) { 784 sctp_send_abort(sctp, sctp_init2vtag(ch), 785 SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE); 786 freemsg(iackmp); 787 return; 788 } 789 } 790 791 /* 792 * Stash the conn ptr info. for IP only as e don't have any 793 * cached IRE. 794 */ 795 SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL); 796 797 /* XXX sctp == sctp_g_q, so using its obchunks is valid */ 798 BUMP_LOCAL(sctp->sctp_opkts); 799 BUMP_LOCAL(sctp->sctp_obchunks); 800 801 /* OK to call IP_PUT() here instead of sctp_add_sendq(). */ 802 CONN_INC_REF(sctp->sctp_connp); 803 iackmp->b_flag |= MSGHASREF; 804 IP_PUT(iackmp, sctp->sctp_connp, isv4); 805 } 806 807 void 808 sctp_send_cookie_ack(sctp_t *sctp) 809 { 810 sctp_chunk_hdr_t *cach; 811 mblk_t *camp; 812 sctp_stack_t *sctps = sctp->sctp_sctps; 813 814 camp = sctp_make_mp(sctp, NULL, sizeof (*cach)); 815 if (camp == NULL) { 816 /* XXX should abort, but don't have the inmp anymore */ 817 SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed); 818 return; 819 } 820 821 cach = (sctp_chunk_hdr_t *)camp->b_wptr; 822 camp->b_wptr = (uchar_t *)(cach + 1); 823 cach->sch_id = CHUNK_COOKIE_ACK; 824 cach->sch_flags = 0; 825 cach->sch_len = htons(sizeof (*cach)); 826 827 sctp_set_iplen(sctp, camp); 828 829 BUMP_LOCAL(sctp->sctp_obchunks); 830 831 sctp_add_sendq(sctp, camp); 832 } 833 834 static int 835 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code) 836 { 837 838 if (len < sizeof (*sph)) 839 return (-1); 840 while (sph != NULL) { 841 if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) && 842 ntohs(sph->sph_len) >= (sizeof (*sph) + 843 sizeof (uint32_t))) { 844 *adaptation_code = *(uint32_t *)(sph + 1); 845 return (0); 846 } 847 sph = sctp_next_parm(sph, &len); 848 } 849 return (-1); 850 } 851 852 void 853 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp) 854 { 855 mblk_t *cemp; 856 mblk_t *mp = NULL; 857 mblk_t *head; 858 mblk_t *meta; 859 sctp_faddr_t *fp; 860 sctp_chunk_hdr_t *cech; 861 sctp_init_chunk_t *iack; 862 int32_t cansend; 863 int32_t seglen; 864 size_t ceclen; 865 sctp_parm_hdr_t *cph; 866 sctp_data_hdr_t *sdc; 867 sctp_tf_t *tf; 868 int pad = 0; 869 int hdrlen; 870 mblk_t *errmp = NULL; 871 uint_t sctp_options; 872 int error; 873 uint16_t old_num_str; 874 sctp_stack_t *sctps = sctp->sctp_sctps; 875 876 iack = (sctp_init_chunk_t *)(iackch + 1); 877 878 cph = NULL; 879 if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp, 880 &pad, &sctp_options) == 0) { /* result in 'pad' ignored */ 881 BUMP_MIB(&sctps->sctps_mib, sctpAborted); 882 sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL); 883 sctp_clean_death(sctp, ECONNABORTED); 884 return; 885 } 886 ASSERT(cph != NULL); 887 888 ASSERT(sctp->sctp_cookie_mp == NULL); 889 890 /* Got a cookie to echo back; allocate an mblk */ 891 ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph); 892 if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0) 893 pad = SCTP_ALIGN - pad; 894 895 if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION) 896 hdrlen = sctp->sctp_hdr_len; 897 else 898 hdrlen = sctp->sctp_hdr6_len; 899 900 cemp = allocb(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad, 901 BPRI_MED); 902 if (cemp == NULL) { 903 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 904 sctp->sctp_current->rto); 905 if (errmp != NULL) 906 freeb(errmp); 907 return; 908 } 909 cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen); 910 911 /* Process the INIT ACK */ 912 sctp->sctp_sctph->sh_verf = iack->sic_inittag; 913 sctp->sctp_sctph6->sh_verf = iack->sic_inittag; 914 sctp->sctp_fvtag = iack->sic_inittag; 915 sctp->sctp_ftsn = ntohl(iack->sic_inittsn); 916 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 917 sctp->sctp_fcsn = sctp->sctp_lastacked; 918 sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd); 919 920 /* 921 * Populate sctp with addresses given in the INIT ACK or IP header. 922 * Need to set the df bit in the current fp as it has been cleared 923 * in sctp_connect(). 924 */ 925 sctp->sctp_current->df = B_TRUE; 926 /* 927 * Since IP uses this info during the fanout process, we need to hold 928 * the lock for this hash line while performing this operation. 929 */ 930 /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, sctp->sctp_ports); */ 931 ASSERT(sctp->sctp_conn_tfp != NULL); 932 tf = sctp->sctp_conn_tfp; 933 /* sctp isn't a listener so only need to hold conn fanout lock */ 934 mutex_enter(&tf->tf_lock); 935 if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) { 936 mutex_exit(&tf->tf_lock); 937 freeb(cemp); 938 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 939 sctp->sctp_current->rto); 940 if (errmp != NULL) 941 freeb(errmp); 942 return; 943 } 944 mutex_exit(&tf->tf_lock); 945 946 fp = sctp->sctp_current; 947 948 /* 949 * There could be a case when we get an INIT-ACK again, if the INIT 950 * is re-transmitted, for e.g., which means we would have already 951 * allocated this resource earlier (also for sctp_instr). In this 952 * case we check and re-allocate, if necessary. 953 */ 954 old_num_str = sctp->sctp_num_ostr; 955 if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr) 956 sctp->sctp_num_ostr = ntohs(iack->sic_instr); 957 if (sctp->sctp_ostrcntrs == NULL) { 958 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 959 sctp->sctp_num_ostr, KM_NOSLEEP); 960 } else { 961 ASSERT(old_num_str > 0); 962 if (old_num_str != sctp->sctp_num_ostr) { 963 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 964 old_num_str); 965 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 966 sctp->sctp_num_ostr, KM_NOSLEEP); 967 } 968 } 969 if (sctp->sctp_ostrcntrs == NULL) { 970 freeb(cemp); 971 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 972 if (errmp != NULL) 973 freeb(errmp); 974 return; 975 } 976 977 /* 978 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs 979 * hold here too. 980 */ 981 old_num_str = sctp->sctp_num_istr; 982 if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr) 983 sctp->sctp_num_istr = ntohs(iack->sic_outstr); 984 if (sctp->sctp_instr == NULL) { 985 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 986 sctp->sctp_num_istr, KM_NOSLEEP); 987 } else { 988 ASSERT(old_num_str > 0); 989 if (old_num_str != sctp->sctp_num_istr) { 990 kmem_free(sctp->sctp_instr, 991 sizeof (*sctp->sctp_instr) * old_num_str); 992 sctp->sctp_instr = kmem_zalloc( 993 sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr, 994 KM_NOSLEEP); 995 } 996 } 997 if (sctp->sctp_instr == NULL) { 998 kmem_free(sctp->sctp_ostrcntrs, 999 sizeof (uint16_t) * sctp->sctp_num_ostr); 1000 freeb(cemp); 1001 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1002 if (errmp != NULL) 1003 freeb(errmp); 1004 return; 1005 } 1006 1007 if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware) 1008 sctp->sctp_prsctp_aware = B_FALSE; 1009 1010 if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1), 1011 ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)), 1012 &sctp->sctp_rx_adaptation_code) == 0) { 1013 sctp->sctp_recv_adaptation = 1; 1014 } 1015 1016 cech = (sctp_chunk_hdr_t *)cemp->b_rptr; 1017 ASSERT(OK_32PTR(cech)); 1018 cech->sch_id = CHUNK_COOKIE; 1019 cech->sch_flags = 0; 1020 cech->sch_len = htons(ceclen); 1021 1022 /* Copy the cookie (less the parm hdr) to the chunk */ 1023 bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph)); 1024 1025 cemp->b_wptr = cemp->b_rptr + ceclen; 1026 1027 if (sctp->sctp_unsent > 0) { 1028 sctp_msg_hdr_t *smh; 1029 mblk_t *prev = NULL; 1030 uint32_t unsent = 0; 1031 1032 mp = sctp->sctp_xmit_unsent; 1033 do { 1034 smh = (sctp_msg_hdr_t *)mp->b_rptr; 1035 if (smh->smh_sid >= sctp->sctp_num_ostr) { 1036 unsent += smh->smh_msglen; 1037 if (prev != NULL) 1038 prev->b_next = mp->b_next; 1039 else 1040 sctp->sctp_xmit_unsent = mp->b_next; 1041 mp->b_next = NULL; 1042 sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID, 1043 B_FALSE); 1044 if (prev != NULL) 1045 mp = prev->b_next; 1046 else 1047 mp = sctp->sctp_xmit_unsent; 1048 } else { 1049 prev = mp; 1050 mp = mp->b_next; 1051 } 1052 } while (mp != NULL); 1053 if (unsent > 0) { 1054 ASSERT(sctp->sctp_unsent >= unsent); 1055 sctp->sctp_unsent -= unsent; 1056 /* 1057 * Update ULP the amount of queued data, which is 1058 * sent-unack'ed + unsent. 1059 * This is not necessary, but doesn't harm, we 1060 * just use unsent instead of sent-unack'ed + 1061 * unsent, since there won't be any sent-unack'ed 1062 * here. 1063 */ 1064 if (!SCTP_IS_DETACHED(sctp)) 1065 SCTP_TXQ_UPDATE(sctp); 1066 } 1067 if (sctp->sctp_xmit_unsent == NULL) 1068 sctp->sctp_xmit_unsent_tail = NULL; 1069 } 1070 ceclen += pad; 1071 cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd); 1072 meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen, 1073 cansend, NULL); 1074 /* 1075 * The error cannot be anything else since we could have an non-zero 1076 * error only if sctp_get_msg_to_send() tries to send a Forward 1077 * TSN which will not happen here. 1078 */ 1079 ASSERT(error == 0); 1080 if (meta == NULL) 1081 goto sendcookie; 1082 sctp->sctp_xmit_tail = meta; 1083 sdc = (sctp_data_hdr_t *)mp->b_rptr; 1084 seglen = ntohs(sdc->sdh_len); 1085 if ((ceclen + seglen) > fp->sfa_pmss || 1086 (seglen - sizeof (*sdc)) > cansend) { 1087 goto sendcookie; 1088 } 1089 /* OK, if this fails */ 1090 cemp->b_cont = dupmsg(mp); 1091 sendcookie: 1092 head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL); 1093 if (head == NULL) { 1094 freemsg(cemp); 1095 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1096 if (errmp != NULL) 1097 freeb(errmp); 1098 SCTP_KSTAT(sctps, sctp_send_cookie_failed); 1099 return; 1100 } 1101 /* 1102 * Even if cookie-echo exceeds MTU for one of the hops, it'll 1103 * have a chance of getting there. 1104 */ 1105 if (fp->isv4) { 1106 ipha_t *iph = (ipha_t *)head->b_rptr; 1107 iph->ipha_fragment_offset_and_flags = 0; 1108 } 1109 BUMP_LOCAL(sctp->sctp_obchunks); 1110 1111 sctp->sctp_cookie_mp = dupmsg(head); 1112 /* Don't bundle, we will just resend init if this cookie is lost. */ 1113 if (sctp->sctp_cookie_mp == NULL) { 1114 if (cemp->b_cont != NULL) { 1115 freemsg(cemp->b_cont); 1116 cemp->b_cont = NULL; 1117 } 1118 } else if (cemp->b_cont != NULL) { 1119 ASSERT(mp != NULL && mp == meta->b_cont); 1120 SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont); 1121 cemp->b_wptr += pad; 1122 seglen -= sizeof (*sdc); 1123 SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta); 1124 } 1125 if (errmp != NULL) { 1126 if (cemp->b_cont == NULL) 1127 cemp->b_wptr += pad; 1128 linkb(head, errmp); 1129 } 1130 sctp->sctp_state = SCTPS_COOKIE_ECHOED; 1131 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1132 1133 sctp_set_iplen(sctp, head); 1134 sctp_add_sendq(sctp, head); 1135 } 1136 1137 int 1138 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp, 1139 sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaptation, 1140 in6_addr_t *peer_addr) 1141 { 1142 int32_t clen; 1143 size_t initplen; 1144 uchar_t *p; 1145 uchar_t *given_hash; 1146 uchar_t needed_hash[16]; 1147 int64_t ts; 1148 int64_t diff; 1149 uint32_t *lt; 1150 sctp_init_chunk_t *iack; 1151 sctp_chunk_hdr_t *initch; 1152 sctp_init_chunk_t *init; 1153 uint32_t *lttag; 1154 uint32_t *fttag; 1155 uint32_t ports; 1156 sctp_stack_t *sctps = sctp->sctp_sctps; 1157 1158 BUMP_LOCAL(sctp->sctp_ibchunks); 1159 /* Verify the ICV */ 1160 clen = ntohs(ch->sch_len) - sizeof (*ch) - 16; 1161 if (clen < 0) { 1162 dprint(1, ("invalid cookie chunk length %d\n", 1163 ntohs(ch->sch_len))); 1164 1165 return (-1); 1166 } 1167 p = (uchar_t *)(ch + 1); 1168 1169 hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, 1170 needed_hash); 1171 1172 /* The given hash follows the cookie data */ 1173 given_hash = p + clen; 1174 1175 if (bcmp(given_hash, needed_hash, 16) != 0) { 1176 /* The secret may have changed; try the old secret */ 1177 hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret, 1178 SCTP_SECRET_LEN, needed_hash); 1179 if (bcmp(given_hash, needed_hash, 16) != 0) { 1180 return (-1); 1181 } 1182 } 1183 1184 /* Timestamp is int64_t, and we only guarantee 32-bit alignment */ 1185 bcopy(p, &ts, sizeof (ts)); 1186 /* Cookie life time, uint32_t */ 1187 lt = (uint32_t *)(p + sizeof (ts)); 1188 1189 /* 1190 * To quote PRC, "this is our baby", so let's continue. 1191 * We need to pull out the encapsulated INIT ACK and 1192 * INIT chunks. Note that we don't process these until 1193 * we have verified the timestamp, but we need them before 1194 * processing the timestamp since if the time check fails, 1195 * we need to get the verification tag from the INIT in order 1196 * to send a stale cookie error. 1197 */ 1198 lttag = (uint32_t *)(lt + 1); 1199 fttag = lttag + 1; 1200 if (peer_addr != NULL) 1201 bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t)); 1202 iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t)); 1203 initch = (sctp_chunk_hdr_t *)(iack + 1); 1204 init = (sctp_init_chunk_t *)(initch + 1); 1205 initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch)); 1206 *iackpp = iack; 1207 *recv_adaptation = 0; 1208 1209 /* 1210 * Check the staleness of the Cookie, specified in 3.3.10.3 of 1211 * RFC 2960. 1212 * 1213 * The mesaure of staleness is the difference, in microseconds, 1214 * between the current time and the time the State Cookie expires. 1215 * So it is lbolt64 - (ts + *lt). If it is positive, it means 1216 * that the Cookie has expired. 1217 */ 1218 diff = lbolt64 - (ts + *lt); 1219 if (diff > 0 && (init->sic_inittag != sctp->sctp_fvtag || 1220 iack->sic_inittag != sctp->sctp_lvtag)) { 1221 uint32_t staleness; 1222 1223 staleness = TICK_TO_USEC(diff); 1224 staleness = htonl(staleness); 1225 sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE, 1226 (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE); 1227 1228 dprint(1, ("stale cookie %d\n", staleness)); 1229 1230 return (-1); 1231 } 1232 1233 /* Check for attack by adding addresses to a restart */ 1234 bcopy(insctph, &ports, sizeof (ports)); 1235 if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP, 1236 sctps) != 1) { 1237 return (-1); 1238 } 1239 1240 /* Look for adaptation code if there any parms in the INIT chunk */ 1241 if ((initplen >= sizeof (sctp_parm_hdr_t)) && 1242 (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen, 1243 &sctp->sctp_rx_adaptation_code) == 0)) { 1244 *recv_adaptation = 1; 1245 } 1246 1247 /* Examine tie-tags */ 1248 1249 if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) { 1250 if (sctp->sctp_state == SCTPS_ESTABLISHED && 1251 init->sic_inittag == sctp->sctp_fvtag && 1252 iack->sic_inittag == sctp->sctp_lvtag && 1253 *fttag == 0 && *lttag == 0) { 1254 1255 dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n", 1256 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1257 (int)(sctp->sctp_fport))); 1258 return (-1); 1259 } 1260 1261 if (init->sic_inittag != sctp->sctp_fvtag && 1262 iack->sic_inittag != sctp->sctp_lvtag && 1263 *fttag == sctp->sctp_fvtag && 1264 *lttag == sctp->sctp_lvtag) { 1265 int i; 1266 1267 /* Section 5.2.4 case A: restart */ 1268 sctp->sctp_fvtag = init->sic_inittag; 1269 sctp->sctp_lvtag = iack->sic_inittag; 1270 1271 sctp->sctp_sctph->sh_verf = init->sic_inittag; 1272 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 1273 1274 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 1275 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 1276 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 1277 sctp->sctp_fcsn = sctp->sctp_lastacked; 1278 1279 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1280 sctp->sctp_state = SCTPS_ESTABLISHED; 1281 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1282 } 1283 1284 dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n", 1285 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1286 (int)(sctp->sctp_fport))); 1287 /* reset parameters */ 1288 sctp_congest_reset(sctp); 1289 1290 /* reset stream bookkeeping */ 1291 sctp_instream_cleanup(sctp, B_FALSE); 1292 1293 sctp->sctp_istr_nmsgs = 0; 1294 sctp->sctp_rxqueued = 0; 1295 for (i = 0; i < sctp->sctp_num_ostr; i++) { 1296 sctp->sctp_ostrcntrs[i] = 0; 1297 } 1298 /* XXX flush xmit_list? */ 1299 1300 return (0); 1301 } else if (init->sic_inittag != sctp->sctp_fvtag && 1302 iack->sic_inittag == sctp->sctp_lvtag) { 1303 1304 /* Section 5.2.4 case B: INIT collision */ 1305 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1306 if (!sctp_initialize_params(sctp, init, iack)) 1307 return (-1); /* Drop? */ 1308 sctp->sctp_state = SCTPS_ESTABLISHED; 1309 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1310 } 1311 1312 dprint(1, ("init collision with %x:%x:%x:%x (%d)\n", 1313 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1314 (int)(sctp->sctp_fport))); 1315 1316 return (0); 1317 } else if (iack->sic_inittag != sctp->sctp_lvtag && 1318 init->sic_inittag == sctp->sctp_fvtag && 1319 *fttag == 0 && *lttag == 0) { 1320 1321 /* Section 5.2.4 case C: late COOKIE */ 1322 dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n", 1323 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1324 (int)(sctp->sctp_fport))); 1325 return (-1); 1326 } else if (init->sic_inittag == sctp->sctp_fvtag && 1327 iack->sic_inittag == sctp->sctp_lvtag) { 1328 1329 /* 1330 * Section 5.2.4 case D: COOKIE ECHO retransmit 1331 * Don't check cookie lifetime 1332 */ 1333 dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n", 1334 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1335 (int)(sctp->sctp_fport))); 1336 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1337 if (!sctp_initialize_params(sctp, init, iack)) 1338 return (-1); /* Drop? */ 1339 sctp->sctp_state = SCTPS_ESTABLISHED; 1340 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1341 } 1342 return (0); 1343 } else { 1344 /* unrecognized case -- silently drop it */ 1345 return (-1); 1346 } 1347 } 1348 1349 return (0); 1350 } 1351 1352 /* 1353 * Similar to ip_fanout_sctp, except that the src addr(s) are drawn 1354 * from address parameters in an INIT ACK's address list. This 1355 * function is used when an INIT ACK is received but IP's fanout 1356 * function could not find a sctp via the normal lookup routine. 1357 * This can happen when a host sends an INIT ACK from a different 1358 * address than the INIT was sent to. 1359 * 1360 * Returns the sctp_t if found, or NULL if not found. 1361 */ 1362 sctp_t * 1363 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich, 1364 zoneid_t zoneid, sctp_stack_t *sctps) 1365 { 1366 int isv4; 1367 ipha_t *iph; 1368 ip6_t *ip6h; 1369 in6_addr_t dst; 1370 in6_addr_t src; 1371 sctp_parm_hdr_t *ph; 1372 ssize_t remaining; 1373 sctp_init_chunk_t *iack; 1374 uint32_t ports; 1375 sctp_t *sctp = NULL; 1376 1377 ASSERT(ich->sch_id == CHUNK_INIT_ACK); 1378 1379 isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION); 1380 if (isv4) { 1381 iph = (ipha_t *)mp->b_rptr; 1382 IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst); 1383 } else { 1384 ip6h = (ip6_t *)mp->b_rptr; 1385 dst = ip6h->ip6_dst; 1386 } 1387 1388 ports = *(uint32_t *)sctph; 1389 1390 dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n", 1391 ports, SCTP_PRINTADDR(dst))); 1392 1393 /* pull out any address parameters */ 1394 remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack); 1395 if (remaining < sizeof (*ph)) { 1396 return (NULL); 1397 } 1398 1399 iack = (sctp_init_chunk_t *)(ich + 1); 1400 ph = (sctp_parm_hdr_t *)(iack + 1); 1401 1402 while (ph != NULL) { 1403 /* 1404 * params have been put in host byteorder by 1405 * sctp_check_input() 1406 */ 1407 if (ph->sph_type == PARM_ADDR4) { 1408 IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1), 1409 &src); 1410 1411 sctp = sctp_conn_match(&src, &dst, ports, zoneid, 1412 sctps); 1413 1414 dprint(1, 1415 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1416 SCTP_PRINTADDR(src), (void *)sctp)); 1417 1418 1419 if (sctp != NULL) { 1420 return (sctp); 1421 } 1422 } else if (ph->sph_type == PARM_ADDR6) { 1423 src = *(in6_addr_t *)(ph + 1); 1424 sctp = sctp_conn_match(&src, &dst, ports, zoneid, 1425 sctps); 1426 1427 dprint(1, 1428 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1429 SCTP_PRINTADDR(src), (void *)sctp)); 1430 1431 if (sctp != NULL) { 1432 return (sctp); 1433 } 1434 } 1435 1436 ph = sctp_next_parm(ph, &remaining); 1437 } 1438 1439 return (NULL); 1440 } 1441