1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #include <sys/types.h> 28 #include <sys/systm.h> 29 #include <sys/stream.h> 30 #include <sys/cmn_err.h> 31 #include <sys/md5.h> 32 #include <sys/kmem.h> 33 #include <sys/strsubr.h> 34 #include <sys/random.h> 35 #include <sys/tsol/tnet.h> 36 37 #include <netinet/in.h> 38 #include <netinet/ip6.h> 39 40 #include <inet/common.h> 41 #include <inet/ip.h> 42 #include <inet/ip6.h> 43 #include <inet/sctp_ip.h> 44 #include <inet/ipclassifier.h> 45 #include "sctp_impl.h" 46 47 /* 48 * Helper function for SunCluster (PSARC/2005/602) to get the original source 49 * address from the COOKIE 50 */ 51 int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *); 52 53 /* 54 * From RFC 2104. This should probably go into libmd5 (and while 55 * we're at it, maybe we should make a libdigest so we can later 56 * add SHA1 and others, esp. since some weaknesses have been found 57 * with MD5). 58 * 59 * text IN pointer to data stream 60 * text_len IN length of data stream 61 * key IN pointer to authentication key 62 * key_len IN length of authentication key 63 * digest OUT caller digest to be filled in 64 */ 65 static void 66 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len, 67 uchar_t *digest) 68 { 69 MD5_CTX context; 70 uchar_t k_ipad[65]; /* inner padding - key XORd with ipad */ 71 uchar_t k_opad[65]; /* outer padding - key XORd with opad */ 72 uchar_t tk[16]; 73 int i; 74 75 /* if key is longer than 64 bytes reset it to key=MD5(key) */ 76 if (key_len > 64) { 77 MD5_CTX tctx; 78 79 MD5Init(&tctx); 80 MD5Update(&tctx, key, key_len); 81 MD5Final(tk, &tctx); 82 83 key = tk; 84 key_len = 16; 85 } 86 87 /* 88 * the HMAC_MD5 transform looks like: 89 * 90 * MD5(K XOR opad, MD5(K XOR ipad, text)) 91 * 92 * where K is an n byte key 93 * ipad is the byte 0x36 repeated 64 times 94 * opad is the byte 0x5c repeated 64 times 95 * and text is the data being protected 96 */ 97 98 /* start out by storing key in pads */ 99 bzero(k_ipad, sizeof (k_ipad)); 100 bzero(k_opad, sizeof (k_opad)); 101 bcopy(key, k_ipad, key_len); 102 bcopy(key, k_opad, key_len); 103 104 /* XOR key with ipad and opad values */ 105 for (i = 0; i < 64; i++) { 106 k_ipad[i] ^= 0x36; 107 k_opad[i] ^= 0x5c; 108 } 109 /* 110 * perform inner MD5 111 */ 112 MD5Init(&context); /* init context for 1st */ 113 /* pass */ 114 MD5Update(&context, k_ipad, 64); /* start with inner pad */ 115 MD5Update(&context, text, text_len); /* then text of datagram */ 116 MD5Final(digest, &context); /* finish up 1st pass */ 117 /* 118 * perform outer MD5 119 */ 120 MD5Init(&context); /* init context for 2nd */ 121 /* pass */ 122 MD5Update(&context, k_opad, 64); /* start with outer pad */ 123 MD5Update(&context, digest, 16); /* then results of 1st */ 124 /* hash */ 125 MD5Final(digest, &context); /* finish up 2nd pass */ 126 } 127 128 /* 129 * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP 130 * info in initmp to send the abort. Otherwise, no abort will be sent. 131 * 132 * When called from stcp_send_initack() while processing parameters 133 * from a received INIT_CHUNK want_cookie will be NULL. 134 * 135 * When called from sctp_send_cookie_echo() while processing an INIT_ACK, 136 * want_cookie contains a pointer to a pointer of type *sctp_parm_hdr_t. 137 * However, this last pointer will be NULL until the cookie is processed 138 * at which time it will be set to point to a sctp_parm_hdr_t that contains 139 * the cookie info. 140 * 141 * Note: an INIT_ACK is expected to contain a cookie. 142 * 143 * When processing an INIT_ACK, an ERROR chunk and chain of one or more 144 * error CAUSE blocks will be created if unrecognized parameters marked by 145 * the sender as reportable are found. 146 * 147 * When processing an INIT chunk, a chain of one or more error CAUSE blocks 148 * will be created if unrecognized parameters marked by the sender as 149 * reportable are found. These are appended directly to the INIT_ACK chunk. 150 * 151 * In both cases the error chain is visible to the caller via *errmp. 152 * 153 * Returns 1 if the parameters are OK (or if there are no optional 154 * parameters), returns 0 otherwise. 155 */ 156 static int 157 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch, 158 sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie, 159 mblk_t **errmp, int *supp_af, uint_t *sctp_options) 160 { 161 sctp_parm_hdr_t *cph; 162 sctp_init_chunk_t *ic; 163 ssize_t remaining; 164 uint16_t serror = 0; 165 char *details = NULL; 166 size_t errlen = 0; 167 boolean_t got_cookie = B_FALSE; 168 boolean_t got_errchunk = B_FALSE; 169 uint16_t ptype; 170 171 ASSERT(errmp != NULL); 172 173 if (sctp_options != NULL) 174 *sctp_options = 0; 175 176 /* First validate stream parameters */ 177 if (init->sic_instr == 0 || init->sic_outstr == 0) { 178 serror = SCTP_ERR_BAD_MANDPARM; 179 dprint(1, ("validate_init_params: bad sid, is=%d os=%d\n", 180 htons(init->sic_instr), htons(init->sic_outstr))); 181 goto abort; 182 } 183 if (ntohl(init->sic_inittag) == 0) { 184 serror = SCTP_ERR_BAD_MANDPARM; 185 dprint(1, ("validate_init_params: inittag = 0\n")); 186 goto abort; 187 } 188 189 remaining = ntohs(ch->sch_len) - sizeof (*ch); 190 ic = (sctp_init_chunk_t *)(ch + 1); 191 remaining -= sizeof (*ic); 192 if (remaining < sizeof (*cph)) { 193 /* 194 * When processing a received INIT_ACK, a cookie is 195 * expected, if missing there is nothing to validate. 196 */ 197 if (want_cookie != NULL) 198 goto cookie_abort; 199 return (1); 200 } 201 202 cph = (sctp_parm_hdr_t *)(ic + 1); 203 204 while (cph != NULL) { 205 ptype = ntohs(cph->sph_type); 206 switch (ptype) { 207 case PARM_HBINFO: 208 case PARM_UNRECOGNIZED: 209 case PARM_ECN: 210 /* just ignore them */ 211 break; 212 case PARM_FORWARD_TSN: 213 if (sctp_options != NULL) 214 *sctp_options |= SCTP_PRSCTP_OPTION; 215 break; 216 case PARM_COOKIE: 217 got_cookie = B_TRUE; 218 /* 219 * Processing a received INIT_ACK, we have a cookie 220 * and a valid pointer in our caller to attach it to. 221 */ 222 if (want_cookie != NULL) { 223 *want_cookie = cph; 224 } 225 break; 226 case PARM_ADDR4: 227 *supp_af |= PARM_SUPP_V4; 228 break; 229 case PARM_ADDR6: 230 *supp_af |= PARM_SUPP_V6; 231 break; 232 case PARM_COOKIE_PRESERVE: 233 case PARM_ADAPT_LAYER_IND: 234 /* These are OK */ 235 break; 236 case PARM_ADDR_HOST_NAME: 237 /* Don't support this; abort the association */ 238 serror = SCTP_ERR_BAD_ADDR; 239 details = (char *)cph; 240 errlen = ntohs(cph->sph_len); 241 dprint(1, ("sctp:validate_init_params: host addr\n")); 242 goto abort; 243 case PARM_SUPP_ADDRS: { 244 /* Make sure we have a supported addr intersection */ 245 uint16_t *p, addrtype; 246 int plen; 247 248 plen = ntohs(cph->sph_len); 249 p = (uint16_t *)(cph + 1); 250 while (plen > 0) { 251 addrtype = ntohs(*p); 252 switch (addrtype) { 253 case PARM_ADDR6: 254 *supp_af |= PARM_SUPP_V6; 255 break; 256 case PARM_ADDR4: 257 *supp_af |= PARM_SUPP_V4; 258 break; 259 default: 260 /* 261 * Do nothing, silently ignore hostname 262 * address. 263 */ 264 break; 265 } 266 p++; 267 plen -= sizeof (*p); 268 } 269 break; 270 } 271 default: 272 /* 273 * Handle any unrecognized params, the two high order 274 * bits of ptype define how the remote wants them 275 * handled. 276 * Top bit: 277 * 1. Continue processing other params in the chunk 278 * 0. Stop processing params after this one. 279 * 2nd bit: 280 * 1. Must report this unrecognized param to remote 281 * 0. Obey the top bit silently. 282 */ 283 if (ptype & SCTP_REPORT_THIS_PARAM) { 284 if (!got_errchunk && want_cookie != NULL) { 285 /* 286 * Processing an INIT_ACK, this is the 287 * first reportable param, create an 288 * ERROR chunk and populate it with a 289 * CAUSE block for this parameter. 290 */ 291 *errmp = sctp_make_err(sctp, 292 PARM_UNRECOGNIZED, 293 (void *)cph, 294 ntohs(cph->sph_len)); 295 got_errchunk = B_TRUE; 296 } else { 297 /* 298 * If processing an INIT chunk add 299 * an additional CAUSE block to an 300 * INIT_ACK, got_errchunk is B_FALSE. 301 */ 302 sctp_add_unrec_parm(cph, errmp, 303 got_errchunk); 304 } 305 } 306 if (ptype & SCTP_CONT_PROC_PARAMS) { 307 /* 308 * Continue processing params after this 309 * parameter. 310 */ 311 break; 312 } 313 314 /* 315 * Stop processing params, report any reportable 316 * unrecognized params found so far. 317 */ 318 goto done; 319 } 320 321 cph = sctp_next_parm(cph, &remaining); 322 } 323 done: 324 /* 325 * Some sanity checks. The following should not fail unless the 326 * other side is broken. 327 * 328 * 1. If this is a V4 endpoint but V4 address is not 329 * supported, abort. 330 * 2. If this is a V6 only endpoint but V6 address is 331 * not supported, abort. This assumes that a V6 332 * endpoint can use both V4 and V6 addresses. 333 * We only care about supp_af when processing INIT, i.e want_cookie 334 * is NULL. 335 */ 336 if (want_cookie == NULL && 337 ((sctp->sctp_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) || 338 (sctp->sctp_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) && 339 sctp->sctp_connp->conn_ipv6_v6only))) { 340 dprint(1, ("sctp:validate_init_params: supp addr\n")); 341 serror = SCTP_ERR_BAD_ADDR; 342 goto abort; 343 } 344 345 if (want_cookie != NULL && !got_cookie) { 346 cookie_abort: 347 dprint(1, ("validate_init_params: cookie absent\n")); 348 sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM, 349 details, errlen, inmp, 0, B_FALSE); 350 return (0); 351 } 352 353 /* OK */ 354 return (1); 355 356 abort: 357 if (want_cookie != NULL) 358 return (0); 359 360 sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details, 361 errlen, inmp, 0, B_FALSE); 362 return (0); 363 } 364 365 /* 366 * Initialize params from the INIT and INIT-ACK when the assoc. is 367 * established. 368 */ 369 boolean_t 370 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init, 371 sctp_init_chunk_t *iack) 372 { 373 /* Get initial TSN */ 374 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 375 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 376 377 /* Serial number is initialized to the same value as the TSN */ 378 sctp->sctp_fcsn = sctp->sctp_lastacked; 379 380 /* 381 * Get verification tags; no byteordering is necessary, since 382 * verfication tags are never processed except for byte-by-byte 383 * comparisons. 384 */ 385 sctp->sctp_fvtag = init->sic_inittag; 386 sctp->sctp_sctph->sh_verf = init->sic_inittag; 387 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 388 sctp->sctp_lvtag = iack->sic_inittag; 389 390 /* Get the peer's rwnd */ 391 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 392 393 /* Allocate the in/out-stream counters */ 394 sctp->sctp_num_ostr = iack->sic_outstr; 395 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 396 sctp->sctp_num_ostr, KM_NOSLEEP); 397 if (sctp->sctp_ostrcntrs == NULL) 398 return (B_FALSE); 399 400 sctp->sctp_num_istr = iack->sic_instr; 401 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 402 sctp->sctp_num_istr, KM_NOSLEEP); 403 if (sctp->sctp_instr == NULL) { 404 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 405 sctp->sctp_num_ostr); 406 sctp->sctp_ostrcntrs = NULL; 407 return (B_FALSE); 408 } 409 return (B_TRUE); 410 } 411 412 /* 413 * Copy the peer's original source address into addr. This relies on the 414 * following format (see sctp_send_initack() below): 415 * relative timestamp for the cookie (int64_t) + 416 * cookie lifetime (uint32_t) + 417 * local tie-tag (uint32_t) + peer tie-tag (uint32_t) + 418 * Peer's original src ... 419 */ 420 int 421 cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr) 422 { 423 uchar_t *off; 424 425 ASSERT(addr != NULL); 426 427 if (ch->sch_id != CHUNK_COOKIE) 428 return (EINVAL); 429 430 off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) + 431 sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t); 432 433 bcopy(off, addr, sizeof (*addr)); 434 435 return (0); 436 } 437 438 #define SCTP_CALC_COOKIE_LEN(initcp) \ 439 sizeof (int64_t) + /* timestamp */ \ 440 sizeof (uint32_t) + /* cookie lifetime */ \ 441 sizeof (sctp_init_chunk_t) + /* INIT ACK */ \ 442 sizeof (in6_addr_t) + /* peer's original source */ \ 443 ntohs((initcp)->sch_len) + /* peer's INIT */ \ 444 sizeof (uint32_t) + /* local tie-tag */ \ 445 sizeof (uint32_t) + /* peer tie-tag */ \ 446 sizeof (sctp_parm_hdr_t) + /* param header */ \ 447 16 /* MD5 hash */ 448 449 void 450 sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch, 451 mblk_t *initmp) 452 { 453 ipha_t *initiph; 454 ip6_t *initip6h; 455 ipha_t *iackiph; 456 ip6_t *iackip6h; 457 sctp_chunk_hdr_t *iack_ch; 458 sctp_init_chunk_t *iack; 459 sctp_init_chunk_t *init; 460 sctp_hdr_t *iacksh; 461 size_t cookielen; 462 size_t iacklen; 463 size_t ipsctplen; 464 size_t errlen = 0; 465 sctp_parm_hdr_t *cookieph; 466 mblk_t *iackmp; 467 uint32_t itag; 468 uint32_t itsn; 469 int64_t *now; 470 int64_t nowt; 471 uint32_t *lifetime; 472 char *p; 473 boolean_t isv4; 474 int supp_af = 0; 475 uint_t sctp_options; 476 uint32_t *ttag; 477 int pad; 478 mblk_t *errmp = NULL; 479 boolean_t initcollision = B_FALSE; 480 boolean_t linklocal = B_FALSE; 481 cred_t *cr; 482 ts_label_t *initlabel; 483 sctp_stack_t *sctps = sctp->sctp_sctps; 484 485 BUMP_LOCAL(sctp->sctp_ibchunks); 486 isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION); 487 488 /* Extract the INIT chunk */ 489 if (isv4) { 490 initiph = (ipha_t *)initmp->b_rptr; 491 ipsctplen = sctp->sctp_ip_hdr_len; 492 supp_af |= PARM_SUPP_V4; 493 } else { 494 initip6h = (ip6_t *)initmp->b_rptr; 495 ipsctplen = sctp->sctp_ip_hdr6_len; 496 if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src)) 497 linklocal = B_TRUE; 498 supp_af |= PARM_SUPP_V6; 499 } 500 ASSERT(OK_32PTR(initsh)); 501 init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch)); 502 503 /* Make sure we like the peer's parameters */ 504 if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp, 505 &supp_af, &sctp_options) == 0) { 506 return; 507 } 508 if (errmp != NULL) 509 errlen = msgdsize(errmp); 510 if (sctp->sctp_family == AF_INET) { 511 /* 512 * Irregardless of the supported address in the INIT, v4 513 * must be supported. 514 */ 515 supp_af = PARM_SUPP_V4; 516 } 517 if (sctp->sctp_state <= SCTPS_LISTEN) { 518 /* normal, expected INIT: generate new vtag and itsn */ 519 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 520 if (itag == 0) 521 itag = (uint32_t)gethrtime(); 522 itsn = itag + 1; 523 itag = htonl(itag); 524 } else if (sctp->sctp_state == SCTPS_COOKIE_WAIT || 525 sctp->sctp_state == SCTPS_COOKIE_ECHOED) { 526 /* init collision; copy vtag and itsn from sctp */ 527 itag = sctp->sctp_lvtag; 528 itsn = sctp->sctp_ltsn; 529 /* 530 * In addition we need to send all the params that was sent 531 * in our INIT chunk. Essentially, it is only the supported 532 * address params that we need to add. 533 */ 534 initcollision = B_TRUE; 535 /* 536 * When we sent the INIT, we should have set linklocal in 537 * the sctp which should be good enough. 538 */ 539 if (linklocal) 540 linklocal = B_FALSE; 541 } else { 542 /* peer restart; generate new vtag but keep everything else */ 543 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 544 if (itag == 0) 545 itag = (uint32_t)gethrtime(); 546 itag = htonl(itag); 547 itsn = sctp->sctp_ltsn; 548 } 549 550 /* 551 * Allocate a mblk for the INIT ACK, consisting of the link layer 552 * header, the IP header, the SCTP common header, and INIT ACK chunk, 553 * and finally the COOKIE parameter. 554 */ 555 cookielen = SCTP_CALC_COOKIE_LEN(ch); 556 iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen; 557 if (sctp->sctp_send_adaptation) 558 iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t)); 559 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 560 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) { 561 iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION); 562 } 563 if (initcollision) 564 iacklen += sctp_supaddr_param_len(sctp); 565 if (!linklocal) 566 iacklen += sctp_addr_params(sctp, supp_af, NULL, B_FALSE); 567 ipsctplen += sizeof (*iacksh) + iacklen; 568 iacklen += errlen; 569 if ((pad = ipsctplen % 4) != 0) { 570 pad = 4 - pad; 571 ipsctplen += pad; 572 } 573 574 /* 575 * If the listen socket is bound to a trusted extensions 576 * multi-label port, attach a copy of the listener's cred 577 * to the new INITACK mblk. Modify the cred to contain 578 * the security label of the received INIT packet. 579 * If not a multi-label port, attach the unmodified 580 * listener's cred directly. 581 * 582 * We expect Sun developed kernel modules to properly set 583 * cred labels for sctp connections. We can't be so sure this 584 * will be done correctly when 3rd party kernel modules 585 * directly use sctp. The initlabel panic guard logic was 586 * added to cover this possibility. 587 */ 588 if (sctp->sctp_connp->conn_mlp_type != mlptSingle) { 589 pid_t cpid; 590 591 cr = msg_getcred(initmp, &cpid); 592 if (cr == NULL || (initlabel = crgetlabel(cr)) == NULL) { 593 sctp_send_abort(sctp, sctp_init2vtag(ch), 594 SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0, B_FALSE); 595 return; 596 } 597 cr = copycred_from_bslabel(CONN_CRED(sctp->sctp_connp), 598 &initlabel->tsl_label, initlabel->tsl_doi, KM_NOSLEEP); 599 if (cr == NULL) { 600 sctp_send_abort(sctp, sctp_init2vtag(ch), 601 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 602 return; 603 } 604 iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra, 605 cr, cpid); 606 crfree(cr); 607 } else { 608 iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra, 609 CONN_CRED(sctp->sctp_connp), sctp->sctp_cpid); 610 } 611 if (iackmp == NULL) { 612 sctp_send_abort(sctp, sctp_init2vtag(ch), 613 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 614 return; 615 } 616 617 /* Copy in the [imcomplete] IP/SCTP composite header */ 618 p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra); 619 iackmp->b_rptr = (uchar_t *)p; 620 if (isv4) { 621 bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len); 622 iackiph = (ipha_t *)p; 623 624 /* Copy the peer's IP addr */ 625 iackiph->ipha_dst = initiph->ipha_src; 626 iackiph->ipha_src = initiph->ipha_dst; 627 iackiph->ipha_length = htons(ipsctplen + errlen); 628 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len); 629 } else { 630 bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len); 631 iackip6h = (ip6_t *)p; 632 633 /* Copy the peer's IP addr */ 634 iackip6h->ip6_dst = initip6h->ip6_src; 635 iackip6h->ip6_src = initip6h->ip6_dst; 636 iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) + 637 errlen); 638 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len); 639 } 640 ASSERT(OK_32PTR(iacksh)); 641 642 /* Fill in the holes in the SCTP common header */ 643 iacksh->sh_sport = initsh->sh_dport; 644 iacksh->sh_dport = initsh->sh_sport; 645 iacksh->sh_verf = init->sic_inittag; 646 647 /* INIT ACK chunk header */ 648 iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1); 649 iack_ch->sch_id = CHUNK_INIT_ACK; 650 iack_ch->sch_flags = 0; 651 iack_ch->sch_len = htons(iacklen); 652 653 /* The INIT ACK itself */ 654 iack = (sctp_init_chunk_t *)(iack_ch + 1); 655 iack->sic_inittag = itag; /* already in network byteorder */ 656 iack->sic_inittsn = htonl(itsn); 657 658 iack->sic_a_rwnd = htonl(sctp->sctp_rwnd); 659 /* Advertise what we would want to have as stream #'s */ 660 iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr, 661 ntohs(init->sic_instr))); 662 iack->sic_instr = htons(sctp->sctp_num_istr); 663 664 p = (char *)(iack + 1); 665 p += sctp_adaptation_code_param(sctp, (uchar_t *)p); 666 if (initcollision) 667 p += sctp_supaddr_param(sctp, (uchar_t *)p); 668 if (!linklocal) 669 p += sctp_addr_params(sctp, supp_af, (uchar_t *)p, B_FALSE); 670 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 671 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) { 672 p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION); 673 } 674 /* 675 * Generate and lay in the COOKIE parameter. 676 * 677 * Any change here that results in a change of location for 678 * the peer's orig source address must be propagated to the fn 679 * cl_sctp_cookie_paddr() above. 680 * 681 * The cookie consists of: 682 * 1. The relative timestamp for the cookie (lbolt64) 683 * 2. The cookie lifetime (uint32_t) in tick 684 * 3. The local tie-tag 685 * 4. The peer tie-tag 686 * 5. Peer's original src, used to confirm the validity of address. 687 * 6. Our INIT ACK chunk, less any parameters 688 * 7. The INIT chunk (may contain parameters) 689 * 8. 128-bit MD5 signature. 690 * 691 * Since the timestamp values will only be evaluated locally, we 692 * don't need to worry about byte-ordering them. 693 */ 694 cookieph = (sctp_parm_hdr_t *)p; 695 cookieph->sph_type = htons(PARM_COOKIE); 696 cookieph->sph_len = htons(cookielen); 697 698 /* timestamp */ 699 now = (int64_t *)(cookieph + 1); 700 nowt = lbolt64; 701 bcopy(&nowt, now, sizeof (*now)); 702 703 /* cookie lifetime -- need configuration */ 704 lifetime = (uint32_t *)(now + 1); 705 *lifetime = sctp->sctp_cookie_lifetime; 706 707 /* Set the tie-tags */ 708 ttag = (uint32_t *)(lifetime + 1); 709 if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) { 710 *ttag = 0; 711 ttag++; 712 *ttag = 0; 713 ttag++; 714 } else { 715 /* local tie-tag (network byte-order) */ 716 *ttag = sctp->sctp_lvtag; 717 ttag++; 718 /* peer tie-tag (network byte-order) */ 719 *ttag = sctp->sctp_fvtag; 720 ttag++; 721 } 722 /* 723 * Copy in peer's original source address so that we can confirm 724 * the reachability later. 725 */ 726 p = (char *)ttag; 727 if (isv4) { 728 in6_addr_t peer_addr; 729 730 IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr); 731 bcopy(&peer_addr, p, sizeof (in6_addr_t)); 732 } else { 733 bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t)); 734 } 735 p += sizeof (in6_addr_t); 736 /* Copy in our INIT ACK chunk */ 737 bcopy(iack, p, sizeof (*iack)); 738 iack = (sctp_init_chunk_t *)p; 739 /* Set the # of streams we'll end up using */ 740 iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr)); 741 iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr)); 742 p += sizeof (*iack); 743 744 /* Copy in the peer's INIT chunk */ 745 bcopy(ch, p, ntohs(ch->sch_len)); 746 p += ntohs(ch->sch_len); 747 748 /* 749 * Calculate the HMAC ICV into the digest slot in buf. 750 * First, generate a new secret if the current secret is 751 * older than the new secret lifetime parameter permits, 752 * copying the current secret to sctp_old_secret. 753 */ 754 if (sctps->sctps_new_secret_interval > 0 && 755 (sctp->sctp_last_secret_update + 756 MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) { 757 bcopy(sctp->sctp_secret, sctp->sctp_old_secret, 758 SCTP_SECRET_LEN); 759 (void) random_get_pseudo_bytes(sctp->sctp_secret, 760 SCTP_SECRET_LEN); 761 sctp->sctp_last_secret_update = nowt; 762 } 763 764 hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16, 765 (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p); 766 767 iackmp->b_wptr = iackmp->b_rptr + ipsctplen; 768 if (pad != 0) 769 bzero((iackmp->b_wptr - pad), pad); 770 771 iackmp->b_cont = errmp; /* OK if NULL */ 772 773 if (is_system_labeled() && (cr = msg_getcred(iackmp, NULL)) != NULL && 774 crgetlabel(cr) != NULL) { 775 conn_t *connp = sctp->sctp_connp; 776 int err; 777 778 if (isv4) 779 err = tsol_check_label(cr, &iackmp, 780 connp->conn_mac_exempt, 781 sctps->sctps_netstack->netstack_ip); 782 else 783 err = tsol_check_label_v6(cr, &iackmp, 784 connp->conn_mac_exempt, 785 sctps->sctps_netstack->netstack_ip); 786 if (err != 0) { 787 sctp_send_abort(sctp, sctp_init2vtag(ch), 788 SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE); 789 freemsg(iackmp); 790 return; 791 } 792 } 793 794 /* 795 * Stash the conn ptr info. for IP only as e don't have any 796 * cached IRE. 797 */ 798 SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL); 799 800 /* XXX sctp == sctp_g_q, so using its obchunks is valid */ 801 BUMP_LOCAL(sctp->sctp_opkts); 802 BUMP_LOCAL(sctp->sctp_obchunks); 803 804 /* OK to call IP_PUT() here instead of sctp_add_sendq(). */ 805 CONN_INC_REF(sctp->sctp_connp); 806 iackmp->b_flag |= MSGHASREF; 807 IP_PUT(iackmp, sctp->sctp_connp, isv4); 808 } 809 810 void 811 sctp_send_cookie_ack(sctp_t *sctp) 812 { 813 sctp_chunk_hdr_t *cach; 814 mblk_t *camp; 815 sctp_stack_t *sctps = sctp->sctp_sctps; 816 817 camp = sctp_make_mp(sctp, NULL, sizeof (*cach)); 818 if (camp == NULL) { 819 /* XXX should abort, but don't have the inmp anymore */ 820 SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed); 821 return; 822 } 823 824 cach = (sctp_chunk_hdr_t *)camp->b_wptr; 825 camp->b_wptr = (uchar_t *)(cach + 1); 826 cach->sch_id = CHUNK_COOKIE_ACK; 827 cach->sch_flags = 0; 828 cach->sch_len = htons(sizeof (*cach)); 829 830 sctp_set_iplen(sctp, camp); 831 832 BUMP_LOCAL(sctp->sctp_obchunks); 833 834 sctp_add_sendq(sctp, camp); 835 } 836 837 static int 838 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code) 839 { 840 841 if (len < sizeof (*sph)) 842 return (-1); 843 while (sph != NULL) { 844 if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) && 845 ntohs(sph->sph_len) >= (sizeof (*sph) + 846 sizeof (uint32_t))) { 847 *adaptation_code = *(uint32_t *)(sph + 1); 848 return (0); 849 } 850 sph = sctp_next_parm(sph, &len); 851 } 852 return (-1); 853 } 854 855 void 856 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp) 857 { 858 mblk_t *cemp; 859 mblk_t *mp = NULL; 860 mblk_t *head; 861 mblk_t *meta; 862 sctp_faddr_t *fp; 863 sctp_chunk_hdr_t *cech; 864 sctp_init_chunk_t *iack; 865 int32_t cansend; 866 int32_t seglen; 867 size_t ceclen; 868 sctp_parm_hdr_t *cph; 869 sctp_data_hdr_t *sdc; 870 sctp_tf_t *tf; 871 int pad = 0; 872 int hdrlen; 873 mblk_t *errmp = NULL; 874 uint_t sctp_options; 875 int error; 876 uint16_t old_num_str; 877 sctp_stack_t *sctps = sctp->sctp_sctps; 878 879 iack = (sctp_init_chunk_t *)(iackch + 1); 880 881 cph = NULL; 882 if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp, 883 &pad, &sctp_options) == 0) { /* result in 'pad' ignored */ 884 BUMP_MIB(&sctps->sctps_mib, sctpAborted); 885 sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL); 886 sctp_clean_death(sctp, ECONNABORTED); 887 return; 888 } 889 ASSERT(cph != NULL); 890 891 ASSERT(sctp->sctp_cookie_mp == NULL); 892 893 /* Got a cookie to echo back; allocate an mblk */ 894 ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph); 895 if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0) 896 pad = SCTP_ALIGN - pad; 897 898 if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION) 899 hdrlen = sctp->sctp_hdr_len; 900 else 901 hdrlen = sctp->sctp_hdr6_len; 902 903 cemp = allocb_cred(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad, 904 CONN_CRED(sctp->sctp_connp), sctp->sctp_cpid); 905 if (cemp == NULL) { 906 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 907 sctp->sctp_current->rto); 908 if (errmp != NULL) 909 freeb(errmp); 910 return; 911 } 912 cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen); 913 914 /* Process the INIT ACK */ 915 sctp->sctp_sctph->sh_verf = iack->sic_inittag; 916 sctp->sctp_sctph6->sh_verf = iack->sic_inittag; 917 sctp->sctp_fvtag = iack->sic_inittag; 918 sctp->sctp_ftsn = ntohl(iack->sic_inittsn); 919 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 920 sctp->sctp_fcsn = sctp->sctp_lastacked; 921 sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd); 922 923 /* 924 * Populate sctp with addresses given in the INIT ACK or IP header. 925 * Need to set the df bit in the current fp as it has been cleared 926 * in sctp_connect(). 927 */ 928 sctp->sctp_current->df = B_TRUE; 929 /* 930 * Since IP uses this info during the fanout process, we need to hold 931 * the lock for this hash line while performing this operation. 932 */ 933 /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, sctp->sctp_ports); */ 934 ASSERT(sctp->sctp_conn_tfp != NULL); 935 tf = sctp->sctp_conn_tfp; 936 /* sctp isn't a listener so only need to hold conn fanout lock */ 937 mutex_enter(&tf->tf_lock); 938 if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) { 939 mutex_exit(&tf->tf_lock); 940 freeb(cemp); 941 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 942 sctp->sctp_current->rto); 943 if (errmp != NULL) 944 freeb(errmp); 945 return; 946 } 947 mutex_exit(&tf->tf_lock); 948 949 fp = sctp->sctp_current; 950 951 /* 952 * There could be a case when we get an INIT-ACK again, if the INIT 953 * is re-transmitted, for e.g., which means we would have already 954 * allocated this resource earlier (also for sctp_instr). In this 955 * case we check and re-allocate, if necessary. 956 */ 957 old_num_str = sctp->sctp_num_ostr; 958 if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr) 959 sctp->sctp_num_ostr = ntohs(iack->sic_instr); 960 if (sctp->sctp_ostrcntrs == NULL) { 961 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 962 sctp->sctp_num_ostr, KM_NOSLEEP); 963 } else { 964 ASSERT(old_num_str > 0); 965 if (old_num_str != sctp->sctp_num_ostr) { 966 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 967 old_num_str); 968 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 969 sctp->sctp_num_ostr, KM_NOSLEEP); 970 } 971 } 972 if (sctp->sctp_ostrcntrs == NULL) { 973 freeb(cemp); 974 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 975 if (errmp != NULL) 976 freeb(errmp); 977 return; 978 } 979 980 /* 981 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs 982 * hold here too. 983 */ 984 old_num_str = sctp->sctp_num_istr; 985 if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr) 986 sctp->sctp_num_istr = ntohs(iack->sic_outstr); 987 if (sctp->sctp_instr == NULL) { 988 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 989 sctp->sctp_num_istr, KM_NOSLEEP); 990 } else { 991 ASSERT(old_num_str > 0); 992 if (old_num_str != sctp->sctp_num_istr) { 993 kmem_free(sctp->sctp_instr, 994 sizeof (*sctp->sctp_instr) * old_num_str); 995 sctp->sctp_instr = kmem_zalloc( 996 sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr, 997 KM_NOSLEEP); 998 } 999 } 1000 if (sctp->sctp_instr == NULL) { 1001 kmem_free(sctp->sctp_ostrcntrs, 1002 sizeof (uint16_t) * sctp->sctp_num_ostr); 1003 freeb(cemp); 1004 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1005 if (errmp != NULL) 1006 freeb(errmp); 1007 return; 1008 } 1009 1010 if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware) 1011 sctp->sctp_prsctp_aware = B_FALSE; 1012 1013 if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1), 1014 ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)), 1015 &sctp->sctp_rx_adaptation_code) == 0) { 1016 sctp->sctp_recv_adaptation = 1; 1017 } 1018 1019 cech = (sctp_chunk_hdr_t *)cemp->b_rptr; 1020 ASSERT(OK_32PTR(cech)); 1021 cech->sch_id = CHUNK_COOKIE; 1022 cech->sch_flags = 0; 1023 cech->sch_len = htons(ceclen); 1024 1025 /* Copy the cookie (less the parm hdr) to the chunk */ 1026 bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph)); 1027 1028 cemp->b_wptr = cemp->b_rptr + ceclen; 1029 1030 if (sctp->sctp_unsent > 0) { 1031 sctp_msg_hdr_t *smh; 1032 mblk_t *prev = NULL; 1033 uint32_t unsent = 0; 1034 1035 mp = sctp->sctp_xmit_unsent; 1036 do { 1037 smh = (sctp_msg_hdr_t *)mp->b_rptr; 1038 if (smh->smh_sid >= sctp->sctp_num_ostr) { 1039 unsent += smh->smh_msglen; 1040 if (prev != NULL) 1041 prev->b_next = mp->b_next; 1042 else 1043 sctp->sctp_xmit_unsent = mp->b_next; 1044 mp->b_next = NULL; 1045 sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID, 1046 B_FALSE); 1047 if (prev != NULL) 1048 mp = prev->b_next; 1049 else 1050 mp = sctp->sctp_xmit_unsent; 1051 } else { 1052 prev = mp; 1053 mp = mp->b_next; 1054 } 1055 } while (mp != NULL); 1056 if (unsent > 0) { 1057 ASSERT(sctp->sctp_unsent >= unsent); 1058 sctp->sctp_unsent -= unsent; 1059 /* 1060 * Update ULP the amount of queued data, which is 1061 * sent-unack'ed + unsent. 1062 * This is not necessary, but doesn't harm, we 1063 * just use unsent instead of sent-unack'ed + 1064 * unsent, since there won't be any sent-unack'ed 1065 * here. 1066 */ 1067 if (!SCTP_IS_DETACHED(sctp)) 1068 SCTP_TXQ_UPDATE(sctp); 1069 } 1070 if (sctp->sctp_xmit_unsent == NULL) 1071 sctp->sctp_xmit_unsent_tail = NULL; 1072 } 1073 ceclen += pad; 1074 cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd); 1075 meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen, 1076 cansend, NULL); 1077 /* 1078 * The error cannot be anything else since we could have an non-zero 1079 * error only if sctp_get_msg_to_send() tries to send a Forward 1080 * TSN which will not happen here. 1081 */ 1082 ASSERT(error == 0); 1083 if (meta == NULL) 1084 goto sendcookie; 1085 sctp->sctp_xmit_tail = meta; 1086 sdc = (sctp_data_hdr_t *)mp->b_rptr; 1087 seglen = ntohs(sdc->sdh_len); 1088 if ((ceclen + seglen) > fp->sfa_pmss || 1089 (seglen - sizeof (*sdc)) > cansend) { 1090 goto sendcookie; 1091 } 1092 /* OK, if this fails */ 1093 cemp->b_cont = dupmsg(mp); 1094 sendcookie: 1095 head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL); 1096 if (head == NULL) { 1097 freemsg(cemp); 1098 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1099 if (errmp != NULL) 1100 freeb(errmp); 1101 SCTP_KSTAT(sctps, sctp_send_cookie_failed); 1102 return; 1103 } 1104 /* 1105 * Even if cookie-echo exceeds MTU for one of the hops, it'll 1106 * have a chance of getting there. 1107 */ 1108 if (fp->isv4) { 1109 ipha_t *iph = (ipha_t *)head->b_rptr; 1110 iph->ipha_fragment_offset_and_flags = 0; 1111 } 1112 BUMP_LOCAL(sctp->sctp_obchunks); 1113 1114 sctp->sctp_cookie_mp = dupmsg(head); 1115 /* Don't bundle, we will just resend init if this cookie is lost. */ 1116 if (sctp->sctp_cookie_mp == NULL) { 1117 if (cemp->b_cont != NULL) { 1118 freemsg(cemp->b_cont); 1119 cemp->b_cont = NULL; 1120 } 1121 } else if (cemp->b_cont != NULL) { 1122 ASSERT(mp != NULL && mp == meta->b_cont); 1123 SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont); 1124 cemp->b_wptr += pad; 1125 seglen -= sizeof (*sdc); 1126 SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta); 1127 } 1128 if (errmp != NULL) { 1129 if (cemp->b_cont == NULL) 1130 cemp->b_wptr += pad; 1131 linkb(head, errmp); 1132 } 1133 sctp->sctp_state = SCTPS_COOKIE_ECHOED; 1134 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1135 1136 sctp_set_iplen(sctp, head); 1137 sctp_add_sendq(sctp, head); 1138 } 1139 1140 int 1141 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp, 1142 sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaptation, 1143 in6_addr_t *peer_addr) 1144 { 1145 int32_t clen; 1146 size_t initplen; 1147 uchar_t *p; 1148 uchar_t *given_hash; 1149 uchar_t needed_hash[16]; 1150 int64_t ts; 1151 int64_t diff; 1152 uint32_t *lt; 1153 sctp_init_chunk_t *iack; 1154 sctp_chunk_hdr_t *initch; 1155 sctp_init_chunk_t *init; 1156 uint32_t *lttag; 1157 uint32_t *fttag; 1158 uint32_t ports; 1159 sctp_stack_t *sctps = sctp->sctp_sctps; 1160 1161 BUMP_LOCAL(sctp->sctp_ibchunks); 1162 /* Verify the ICV */ 1163 clen = ntohs(ch->sch_len) - sizeof (*ch) - 16; 1164 if (clen < 0) { 1165 dprint(1, ("invalid cookie chunk length %d\n", 1166 ntohs(ch->sch_len))); 1167 1168 return (-1); 1169 } 1170 p = (uchar_t *)(ch + 1); 1171 1172 hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, 1173 needed_hash); 1174 1175 /* The given hash follows the cookie data */ 1176 given_hash = p + clen; 1177 1178 if (bcmp(given_hash, needed_hash, 16) != 0) { 1179 /* The secret may have changed; try the old secret */ 1180 hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret, 1181 SCTP_SECRET_LEN, needed_hash); 1182 if (bcmp(given_hash, needed_hash, 16) != 0) { 1183 return (-1); 1184 } 1185 } 1186 1187 /* Timestamp is int64_t, and we only guarantee 32-bit alignment */ 1188 bcopy(p, &ts, sizeof (ts)); 1189 /* Cookie life time, uint32_t */ 1190 lt = (uint32_t *)(p + sizeof (ts)); 1191 1192 /* 1193 * To quote PRC, "this is our baby", so let's continue. 1194 * We need to pull out the encapsulated INIT ACK and 1195 * INIT chunks. Note that we don't process these until 1196 * we have verified the timestamp, but we need them before 1197 * processing the timestamp since if the time check fails, 1198 * we need to get the verification tag from the INIT in order 1199 * to send a stale cookie error. 1200 */ 1201 lttag = (uint32_t *)(lt + 1); 1202 fttag = lttag + 1; 1203 if (peer_addr != NULL) 1204 bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t)); 1205 iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t)); 1206 initch = (sctp_chunk_hdr_t *)(iack + 1); 1207 init = (sctp_init_chunk_t *)(initch + 1); 1208 initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch)); 1209 *iackpp = iack; 1210 *recv_adaptation = 0; 1211 1212 /* 1213 * Check the staleness of the Cookie, specified in 3.3.10.3 of 1214 * RFC 2960. 1215 * 1216 * The mesaure of staleness is the difference, in microseconds, 1217 * between the current time and the time the State Cookie expires. 1218 * So it is lbolt64 - (ts + *lt). If it is positive, it means 1219 * that the Cookie has expired. 1220 */ 1221 diff = lbolt64 - (ts + *lt); 1222 if (diff > 0 && (init->sic_inittag != sctp->sctp_fvtag || 1223 iack->sic_inittag != sctp->sctp_lvtag)) { 1224 uint32_t staleness; 1225 1226 staleness = TICK_TO_USEC(diff); 1227 staleness = htonl(staleness); 1228 sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE, 1229 (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE); 1230 1231 dprint(1, ("stale cookie %d\n", staleness)); 1232 1233 return (-1); 1234 } 1235 1236 /* Check for attack by adding addresses to a restart */ 1237 bcopy(insctph, &ports, sizeof (ports)); 1238 if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP, 1239 sctps) != 1) { 1240 return (-1); 1241 } 1242 1243 /* Look for adaptation code if there any parms in the INIT chunk */ 1244 if ((initplen >= sizeof (sctp_parm_hdr_t)) && 1245 (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen, 1246 &sctp->sctp_rx_adaptation_code) == 0)) { 1247 *recv_adaptation = 1; 1248 } 1249 1250 /* Examine tie-tags */ 1251 1252 if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) { 1253 if (sctp->sctp_state == SCTPS_ESTABLISHED && 1254 init->sic_inittag == sctp->sctp_fvtag && 1255 iack->sic_inittag == sctp->sctp_lvtag && 1256 *fttag == 0 && *lttag == 0) { 1257 1258 dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n", 1259 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1260 (int)(sctp->sctp_fport))); 1261 return (-1); 1262 } 1263 1264 if (init->sic_inittag != sctp->sctp_fvtag && 1265 iack->sic_inittag != sctp->sctp_lvtag && 1266 *fttag == sctp->sctp_fvtag && 1267 *lttag == sctp->sctp_lvtag) { 1268 int i; 1269 1270 /* Section 5.2.4 case A: restart */ 1271 sctp->sctp_fvtag = init->sic_inittag; 1272 sctp->sctp_lvtag = iack->sic_inittag; 1273 1274 sctp->sctp_sctph->sh_verf = init->sic_inittag; 1275 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 1276 1277 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 1278 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 1279 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 1280 sctp->sctp_fcsn = sctp->sctp_lastacked; 1281 1282 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1283 sctp->sctp_state = SCTPS_ESTABLISHED; 1284 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1285 } 1286 1287 dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n", 1288 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1289 (int)(sctp->sctp_fport))); 1290 /* reset parameters */ 1291 sctp_congest_reset(sctp); 1292 1293 /* reset stream bookkeeping */ 1294 sctp_instream_cleanup(sctp, B_FALSE); 1295 1296 sctp->sctp_istr_nmsgs = 0; 1297 sctp->sctp_rxqueued = 0; 1298 for (i = 0; i < sctp->sctp_num_ostr; i++) { 1299 sctp->sctp_ostrcntrs[i] = 0; 1300 } 1301 /* XXX flush xmit_list? */ 1302 1303 return (0); 1304 } else if (init->sic_inittag != sctp->sctp_fvtag && 1305 iack->sic_inittag == sctp->sctp_lvtag) { 1306 1307 /* Section 5.2.4 case B: INIT collision */ 1308 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1309 if (!sctp_initialize_params(sctp, init, iack)) 1310 return (-1); /* Drop? */ 1311 sctp->sctp_state = SCTPS_ESTABLISHED; 1312 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1313 } 1314 1315 dprint(1, ("init collision with %x:%x:%x:%x (%d)\n", 1316 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1317 (int)(sctp->sctp_fport))); 1318 1319 return (0); 1320 } else if (iack->sic_inittag != sctp->sctp_lvtag && 1321 init->sic_inittag == sctp->sctp_fvtag && 1322 *fttag == 0 && *lttag == 0) { 1323 1324 /* Section 5.2.4 case C: late COOKIE */ 1325 dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n", 1326 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1327 (int)(sctp->sctp_fport))); 1328 return (-1); 1329 } else if (init->sic_inittag == sctp->sctp_fvtag && 1330 iack->sic_inittag == sctp->sctp_lvtag) { 1331 1332 /* 1333 * Section 5.2.4 case D: COOKIE ECHO retransmit 1334 * Don't check cookie lifetime 1335 */ 1336 dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n", 1337 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1338 (int)(sctp->sctp_fport))); 1339 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1340 if (!sctp_initialize_params(sctp, init, iack)) 1341 return (-1); /* Drop? */ 1342 sctp->sctp_state = SCTPS_ESTABLISHED; 1343 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1344 } 1345 return (0); 1346 } else { 1347 /* unrecognized case -- silently drop it */ 1348 return (-1); 1349 } 1350 } 1351 1352 return (0); 1353 } 1354 1355 /* 1356 * Similar to ip_fanout_sctp, except that the src addr(s) are drawn 1357 * from address parameters in an INIT ACK's address list. This 1358 * function is used when an INIT ACK is received but IP's fanout 1359 * function could not find a sctp via the normal lookup routine. 1360 * This can happen when a host sends an INIT ACK from a different 1361 * address than the INIT was sent to. 1362 * 1363 * Returns the sctp_t if found, or NULL if not found. 1364 */ 1365 sctp_t * 1366 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich, 1367 zoneid_t zoneid, sctp_stack_t *sctps) 1368 { 1369 int isv4; 1370 ipha_t *iph; 1371 ip6_t *ip6h; 1372 in6_addr_t dst; 1373 in6_addr_t src; 1374 sctp_parm_hdr_t *ph; 1375 ssize_t remaining; 1376 sctp_init_chunk_t *iack; 1377 uint32_t ports; 1378 sctp_t *sctp = NULL; 1379 1380 ASSERT(ich->sch_id == CHUNK_INIT_ACK); 1381 1382 isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION); 1383 if (isv4) { 1384 iph = (ipha_t *)mp->b_rptr; 1385 IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst); 1386 } else { 1387 ip6h = (ip6_t *)mp->b_rptr; 1388 dst = ip6h->ip6_dst; 1389 } 1390 1391 ports = *(uint32_t *)sctph; 1392 1393 dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n", 1394 ports, SCTP_PRINTADDR(dst))); 1395 1396 /* pull out any address parameters */ 1397 remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack); 1398 if (remaining < sizeof (*ph)) { 1399 return (NULL); 1400 } 1401 1402 iack = (sctp_init_chunk_t *)(ich + 1); 1403 ph = (sctp_parm_hdr_t *)(iack + 1); 1404 1405 while (ph != NULL) { 1406 /* 1407 * params have been put in host byteorder by 1408 * sctp_check_input() 1409 */ 1410 if (ph->sph_type == PARM_ADDR4) { 1411 IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1), 1412 &src); 1413 1414 sctp = sctp_conn_match(&src, &dst, ports, zoneid, 1415 sctps); 1416 1417 dprint(1, 1418 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1419 SCTP_PRINTADDR(src), (void *)sctp)); 1420 1421 1422 if (sctp != NULL) { 1423 return (sctp); 1424 } 1425 } else if (ph->sph_type == PARM_ADDR6) { 1426 src = *(in6_addr_t *)(ph + 1); 1427 sctp = sctp_conn_match(&src, &dst, ports, zoneid, 1428 sctps); 1429 1430 dprint(1, 1431 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1432 SCTP_PRINTADDR(src), (void *)sctp)); 1433 1434 if (sctp != NULL) { 1435 return (sctp); 1436 } 1437 } 1438 1439 ph = sctp_next_parm(ph, &remaining); 1440 } 1441 1442 return (NULL); 1443 } 1444