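/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#include <sys/types.h>
#include <sys/systm.h>
#include <sys/stream.h>
#include <sys/cmn_err.h>
#include <sys/md5.h>
#include <sys/kmem.h>
#include <sys/strsubr.h>
#include <sys/random.h>
#include <sys/tsol/tnet.h>

#include <netinet/in.h>
#include <netinet/ip6.h>

#include <inet/common.h>
#include <inet/ip.h>
#include <inet/ip6.h>
#include <inet/ipsec_impl.h>
#include <inet/sctp_ip.h>
#include <inet/ipclassifier.h>
#include "sctp_impl.h"

/*
 * Helper function for SunCluster (PSARC/2005/602) to get the original source
 * address from the COOKIE
 */
int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *);

/*
 * From RFC 2104.  This should probably go into libmd5 (and while
 * we're at it, maybe we should make a libdigest so we can later
 * add SHA1 and others, esp. since some weaknesses have been found
 * with MD5).
 *
 * text		IN	pointer to data stream
 * text_len	IN	length of data stream
 * key		IN	pointer to authentication key
 * key_len	IN	length of authentication key
 * digest	OUT	caller digest to be filled in (16 bytes)
 *
 * The key-derived pads, the hashed key (used when key_len exceeds one
 * MD5 block) and the MD5 context are scrubbed before returning so that
 * HMAC key material does not linger in the dead stack frame.  This is
 * best effort: bzero() is an out-of-line kernel routine, but a compiler
 * that recognizes it as a builtin could still treat it as a dead store.
 */
static void
hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len,
    uchar_t *digest)
{
	MD5_CTX context;
	uchar_t k_ipad[65];	/* inner padding - key XORd with ipad */
	uchar_t k_opad[65];	/* outer padding - key XORd with opad */
	uchar_t tk[16];		/* MD5(key) when the key is over one block */
	int i;

	/* if key is longer than 64 bytes reset it to key=MD5(key) */
	if (key_len > 64) {
		MD5_CTX tctx;

		MD5Init(&tctx);
		MD5Update(&tctx, key, key_len);
		MD5Final(tk, &tctx);

		key = tk;
		key_len = 16;
	}

	/*
	 * the HMAC_MD5 transform looks like:
	 *
	 * MD5(K XOR opad, MD5(K XOR ipad, text))
	 *
	 * where K is an n byte key
	 * ipad is the byte 0x36 repeated 64 times
	 * opad is the byte 0x5c repeated 64 times
	 * and text is the data being protected
	 */

	/* start out by storing key in pads */
	bzero(k_ipad, sizeof (k_ipad));
	bzero(k_opad, sizeof (k_opad));
	bcopy(key, k_ipad, key_len);
	bcopy(key, k_opad, key_len);

	/* XOR key with ipad and opad values */
	for (i = 0; i < 64; i++) {
		k_ipad[i] ^= 0x36;
		k_opad[i] ^= 0x5c;
	}

	/*
	 * perform inner MD5
	 */
	MD5Init(&context);			/* init context for 1st pass */
	MD5Update(&context, k_ipad, 64);	/* start with inner pad */
	MD5Update(&context, text, text_len);	/* then text of datagram */
	MD5Final(digest, &context);		/* finish up 1st pass */

	/*
	 * perform outer MD5; the 16-byte inner digest is the "text" here
	 */
	MD5Init(&context);			/* init context for 2nd pass */
	MD5Update(&context, k_opad, 64);	/* start with outer pad */
	MD5Update(&context, digest, 16);	/* then results of 1st hash */
	MD5Final(digest, &context);		/* finish up 2nd pass */

	/*
	 * Scrub key-derived state from the stack.  k_ipad/k_opad are the
	 * key XORed with the pads, tk is MD5(key) when it was used, and
	 * context held the running hash state.
	 */
	bzero(k_ipad, sizeof (k_ipad));
	bzero(k_opad, sizeof (k_opad));
	bzero(tk, sizeof (tk));
	bzero(&context, sizeof (context));
}

/*
 * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP
 * info in inmp to send the abort.  Otherwise, no abort will be sent.
 *
 * When called from sctp_send_initack() while processing parameters
 * from a received INIT_CHUNK want_cookie will be NULL.
 *
 * When called from sctp_send_cookie_echo() while processing an INIT_ACK,
 * want_cookie contains a pointer to a pointer of type *sctp_parm_hdr_t.
 * However, this last pointer will be NULL until the cookie is processed
 * at which time it will be set to point to a sctp_parm_hdr_t that contains
 * the cookie info.
 *
 * Note: an INIT_ACK is expected to contain a cookie.
 *
 * When processing an INIT_ACK, an ERROR chunk and chain of one or more
 * error CAUSE blocks will be created if unrecognized parameters marked by
 * the sender as reportable are found.
 *
 * When processing an INIT chunk, a chain of one or more error CAUSE blocks
 * will be created if unrecognized parameters marked by the sender as
 * reportable are found.  These are appended directly to the INIT_ACK chunk.
 *
 * In both cases the error chain is visible to the caller via *errmp.
 *
 * Returns 1 if the parameters are OK (or if there are no optional
 * parameters), returns 0 otherwise.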
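 */
static int
validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch,
    sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie,
    mblk_t **errmp, int *supp_af, uint_t *sctp_options, ip_recv_attr_t *ira)
{
	sctp_parm_hdr_t		*cph;
	sctp_init_chunk_t	*ic;
	ssize_t			remaining;
	uint16_t		serror = 0;
	char			*details = NULL;
	size_t			errlen = 0;
	boolean_t		got_cookie = B_FALSE;
	boolean_t		got_errchunk = B_FALSE;
	uint16_t		ptype;
	sctp_mpc_t		mpc;
	conn_t			*connp = sctp->sctp_connp;

	/* *errmp itself is expected to be NULL-initialized by the caller */
	ASSERT(errmp != NULL);

	if (sctp_options != NULL)
		*sctp_options = 0;

	/* First validate stream parameters */
	if (init->sic_instr == 0 || init->sic_outstr == 0) {
		serror = SCTP_ERR_BAD_MANDPARM;
		dprint(1, ("validate_init_params: bad sid, is=%d os=%d\n",
		    htons(init->sic_instr), htons(init->sic_outstr)));
		goto abort;
	}
	if (ntohl(init->sic_inittag) == 0) {
		serror = SCTP_ERR_BAD_MANDPARM;
		dprint(1, ("validate_init_params: inittag = 0\n"));
		goto abort;
	}

	remaining = ntohs(ch->sch_len) - sizeof (*ch);
	ic = (sctp_init_chunk_t *)(ch + 1);
	remaining -= sizeof (*ic);
	/*
	 * Compare as signed.  remaining is ssize_t and a chunk shorter than
	 * the fixed INIT header leaves it negative; without the cast the
	 * usual arithmetic conversions turn that negative value into a huge
	 * size_t and this guard would never fire.  (The input path is
	 * presumably checking chunk lengths before we get here; this keeps
	 * the function safe on its own terms.)
	 */
	if (remaining < (ssize_t)sizeof (*cph)) {
		/*
		 * When processing a received INIT_ACK, a cookie is
		 * expected, if missing there is nothing to validate.
		 */
		if (want_cookie != NULL)
			goto cookie_abort;
		return (1);
	}

	cph = (sctp_parm_hdr_t *)(ic + 1);

	while (cph != NULL) {
		ptype = ntohs(cph->sph_type);
		switch (ptype) {
		case PARM_HBINFO:
		case PARM_UNRECOGNIZED:
		case PARM_ECN:
			/* just ignore them */
			break;
		case PARM_FORWARD_TSN:
			if (sctp_options != NULL)
				*sctp_options |= SCTP_PRSCTP_OPTION;
			break;
		case PARM_COOKIE:
			got_cookie = B_TRUE;
			/*
			 * Processing a received INIT_ACK, we have a cookie
			 * and a valid pointer in our caller to attach it to.
			 */
			if (want_cookie != NULL) {
				*want_cookie = cph;
			}
			break;
		case PARM_ADDR4:
			*supp_af |= PARM_SUPP_V4;
			break;
		case PARM_ADDR6:
			*supp_af |= PARM_SUPP_V6;
			break;
		case PARM_COOKIE_PRESERVE:
		case PARM_ADAPT_LAYER_IND:
			/* These are OK */
			break;
		case PARM_ADDR_HOST_NAME:
			/* Don't support this; abort the association */
			serror = SCTP_ERR_BAD_ADDR;
			details = (char *)cph;
			errlen = ntohs(cph->sph_len);
			dprint(1, ("sctp:validate_init_params: host addr\n"));
			goto abort;
		case PARM_SUPP_ADDRS: {
			/* Make sure we have a supported addr intersection */
			uint16_t *p, addrtype;
			int plen;

			/*
			 * sph_len counts the parameter header as well as the
			 * list of address types, so walk only the payload
			 * bytes.  Iterating over the whole sph_len from
			 * cph + 1 would read one header's worth (4 bytes)
			 * past the end of this parameter and treat whatever
			 * follows as address types.
			 */
			plen = (int)ntohs(cph->sph_len) - (int)sizeof (*cph);
			p = (uint16_t *)(cph + 1);
			while (plen > 0) {
				addrtype = ntohs(*p);
				switch (addrtype) {
				case PARM_ADDR6:
					*supp_af |= PARM_SUPP_V6;
					break;
				case PARM_ADDR4:
					*supp_af |= PARM_SUPP_V4;
					break;
				default:
					/*
					 * Do nothing, silently ignore hostname
					 * address.
					 */
					break;
				}
				p++;
				plen -= sizeof (*p);
			}
			break;
		}
		default:
			/*
			 * Handle any unrecognized params, the two high order
			 * bits of ptype define how the remote wants them
			 * handled.
			 * Top bit:
			 *	1. Continue processing other params in the chunk
			 *	0. Stop processing params after this one.
			 * 2nd bit:
			 *	1. Must report this unrecognized param to remote
			 *	0. Obey the top bit silently.
			 */
			if (ptype & SCTP_REPORT_THIS_PARAM) {
				if (!got_errchunk && want_cookie != NULL) {
					/*
					 * want_cookie is non-NULL, so we are
					 * processing an INIT_ACK.  This is the
					 * first reportable param: create an
					 * ERROR chunk and populate it with a
					 * CAUSE block for this parm.
					 */
					*errmp = sctp_make_err(sctp,
					    PARM_UNRECOGNIZED,
					    (void *)cph,
					    ntohs(cph->sph_len));
					got_errchunk = B_TRUE;
				} else {
					/*
					 * If processing an INIT_ACK, we already
					 * have an ERROR chunk, just add a new
					 * CAUSE block and update ERROR chunk
					 * length.
					 * If processing an INIT chunk add a new
					 * CAUSE block to the INIT_ACK, in this
					 * case there is no ERROR chunk thus
					 * got_errchunk will be B_FALSE.  Chunk
					 * length is computed by our caller.
					 */
					sctp_add_unrec_parm(cph, errmp,
					    got_errchunk);
				}
			}
			if (ptype & SCTP_CONT_PROC_PARAMS) {
				/*
				 * Continue processing params after this
				 * parameter.
				 */
				break;
			}

			/*
			 * Stop processing params, report any reportable
			 * unrecognized params found so far.
			 */
			goto done;
		}

		cph = sctp_next_parm(cph, &remaining);
	}
done:
	/*
	 * Some sanity checks.  The following should not fail unless the
	 * other side is broken.
	 *
	 * 1. If this is a V4 endpoint but V4 address is not
	 *    supported, abort.
	 * 2. If this is a V6 only endpoint but V6 address is
	 *    not supported, abort.  This assumes that a V6
	 *    endpoint can use both V4 and V6 addresses.
	 * We only care about supp_af when processing INIT, i.e want_cookie
	 * is NULL.
	 */
	if (want_cookie == NULL &&
	    ((connp->conn_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) ||
	    (connp->conn_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) &&
	    connp->conn_ipv6_v6only))) {
		dprint(1, ("sctp:validate_init_params: supp addr\n"));
		serror = SCTP_ERR_BAD_ADDR;
		goto abort;
	}

	if (want_cookie != NULL && !got_cookie) {
cookie_abort:
		/* Will populate the CAUSE block in the ABORT chunk. */
		mpc.mpc_num = htons(1);
		mpc.mpc_param = htons(PARM_COOKIE);
		mpc.mpc_pad = 0;

		dprint(1, ("validate_init_params: cookie absent\n"));
		sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM,
		    (char *)&mpc, sizeof (sctp_mpc_t), inmp, 0, B_FALSE, ira);
		/*
		 * Same cleanup as the abort path below: the association is
		 * not coming up, so drop any collected CAUSE blocks.
		 */
		if (*errmp != NULL) {
			freemsg(*errmp);
			*errmp = NULL;
		}
		return (0);
	}

	/* OK */
	return (1);

abort:
	/*
	 * The association is not coming up, so any CAUSE blocks collected
	 * for unrecognized parameters have no chunk to ride in.  Release
	 * them here so that callers' failure paths cannot leak them, and
	 * leave *errmp NULL so a caller that checks it does nothing.
	 */
	if (*errmp != NULL) {
		freemsg(*errmp);
		*errmp = NULL;
	}
	/* On an INIT_ACK the caller tears the association down itself. */
	if (want_cookie != NULL)
		return (0);

	sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details,
	    errlen, inmp, 0, B_FALSE, ira);
	return (0);
}

/*
 * Initialize params from the INIT and INIT-ACK when the assoc. is
 * established.
 *
 * init is the peer's INIT chunk; iack is our INIT ACK as embedded in the
 * cookie.  sctp_send_initack() stores the cookie copy's sic_outstr and
 * sic_instr in host byte order (the negotiated stream counts), which is
 * why they are used here without ntohs().  Verification tags are copied
 * as-is since they are only ever compared byte-for-byte.
 *
 * Returns B_TRUE on success, B_FALSE if either stream array could not be
 * allocated; in the latter case nothing is left allocated.
 */
boolean_t
sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init,
    sctp_init_chunk_t *iack)
{
	/* Get initial TSN */
	sctp->sctp_ftsn = ntohl(init->sic_inittsn);
	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;

	/* Serial number is initialized to the same value as the TSN */
	sctp->sctp_fcsn = sctp->sctp_lastacked;

	/*
	 * Get verification tags; no byteordering is necessary, since
	 * verfication tags are never processed except for byte-by-byte
	 * comparisons.
	 */
	sctp->sctp_fvtag = init->sic_inittag;
	sctp->sctp_sctph->sh_verf = init->sic_inittag;
	sctp->sctp_sctph6->sh_verf = init->sic_inittag;
	sctp->sctp_lvtag = iack->sic_inittag;

	/* Get the peer's rwnd */
	sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);

	/* Allocate the in/out-stream counters */
	sctp->sctp_num_ostr = iack->sic_outstr;
	sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
	    sctp->sctp_num_ostr, KM_NOSLEEP);
	if (sctp->sctp_ostrcntrs == NULL)
		return (B_FALSE);

	sctp->sctp_num_istr = iack->sic_instr;
	sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
	    sctp->sctp_num_istr, KM_NOSLEEP);
	if (sctp->sctp_instr == NULL) {
		/* Undo the first allocation so the caller sees a clean sctp */
		kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
		    sctp->sctp_num_ostr);
		sctp->sctp_ostrcntrs = NULL;
		return (B_FALSE);
	}
	return (B_TRUE);
}

/*
 * Copy the peer's original source address into addr.  This relies on the
 * following format (see sctp_send_initack() below):
 *	relative timestamp for the cookie (int64_t) +
 *	cookie lifetime (uint32_t) +
 *	local tie-tag (uint32_t) + peer tie-tag (uint32_t) +
 *	Peer's original src ...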
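 */
int
cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr)
{
	uchar_t *off;
	/* Bytes between the chunk header and the peer address in the cookie */
	const size_t addr_off = sizeof (int64_t) + sizeof (uint32_t) +
	    sizeof (uint32_t) + sizeof (uint32_t);

	ASSERT(addr != NULL);

	if (ch->sch_id != CHUNK_COOKIE)
		return (EINVAL);

	/*
	 * Refuse to read past a chunk too short to hold the address.
	 * sch_len covers the chunk header plus the cookie payload (see
	 * sctp_send_cookie_echo()).  The input path presumably validates
	 * chunk lengths before a COOKIE chunk reaches this helper, so this
	 * is defense in depth rather than the primary check.
	 */
	if (ntohs(ch->sch_len) < sizeof (*ch) + addr_off + sizeof (*addr))
		return (EINVAL);

	off = (uchar_t *)ch + sizeof (*ch) + addr_off;

	bcopy(off, addr, sizeof (*addr));

	return (0);
}

/*
 * Total length of the COOKIE parameter we build for the INIT chunk initcp
 * (parameter header and MD5 digest included).  Parenthesized so it can be
 * used safely inside a larger expression.
 */
#define	SCTP_CALC_COOKIE_LEN(initcp)					\
	(sizeof (int64_t) +		/* timestamp */			\
	sizeof (uint32_t) +		/* cookie lifetime */		\
	sizeof (sctp_init_chunk_t) +	/* INIT ACK */			\
	sizeof (in6_addr_t) +		/* peer's original source */	\
	ntohs((initcp)->sch_len) +	/* peer's INIT */		\
	sizeof (uint32_t) +		/* local tie-tag */		\
	sizeof (uint32_t) +		/* peer tie-tag */		\
	sizeof (sctp_parm_hdr_t) +	/* param header */		\
	16)				/* MD5 hash */

/*
 * Build and send an INIT ACK in response to the INIT chunk ch (carried in
 * initmp, whose SCTP common header is initsh), including the signed state
 * cookie.  Any CAUSE blocks collected by validate_init_params() are
 * chained onto the INIT ACK via b_cont.
 *
 * Note that sctp is the listener, hence we shouldn't modify it.
 * NOTE(review): the cookie-secret rotation below does write
 * sctp_secret/sctp_old_secret/sctp_last_secret_update on this listener;
 * presumably intended and serialized by the caller -- confirm.
 */
void
sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
    mblk_t *initmp, ip_recv_attr_t *ira)
{
	ipha_t			*initiph;
	ip6_t			*initip6h;
	ipha_t			*iackiph = NULL;
	ip6_t			*iackip6h = NULL;
	sctp_chunk_hdr_t	*iack_ch;
	sctp_init_chunk_t	*iack;
	sctp_init_chunk_t	*init;
	sctp_hdr_t		*iacksh;
	size_t			cookielen;
	size_t			iacklen;
	size_t			ipsctplen;
	size_t			errlen = 0;
	sctp_parm_hdr_t		*cookieph;
	mblk_t			*iackmp;
	uint32_t		itag;
	uint32_t		itsn;
	int64_t			*now;
	int64_t			nowt;
	uint32_t		*lifetime;
	char			*p;
	boolean_t		isv4;
	int			supp_af = 0;
	uint_t			sctp_options;
	uint32_t		*ttag;
	int			pad;
	mblk_t			*errmp = NULL;
	boolean_t		initcollision = B_FALSE;
	boolean_t		linklocal = B_FALSE;
	sctp_stack_t		*sctps = sctp->sctp_sctps;
	conn_t			*connp = sctp->sctp_connp;
	int			err;
	ip_xmit_attr_t		*ixa = NULL;

	BUMP_LOCAL(sctp->sctp_ibchunks);
	isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION);

	/* Extract the INIT chunk */
	if (isv4) {
		initiph = (ipha_t *)initmp->b_rptr;
		ipsctplen = sctp->sctp_ip_hdr_len;
		supp_af |= PARM_SUPP_V4;
	} else {
		initip6h = (ip6_t *)initmp->b_rptr;
		ipsctplen = sctp->sctp_ip_hdr6_len;
		if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src) ||
		    IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_dst))
			linklocal = B_TRUE;
		supp_af |= PARM_SUPP_V6;
		if (!sctp->sctp_connp->conn_ipv6_v6only)
			supp_af |= PARM_SUPP_V4;
	}
	ASSERT(OK_32PTR(initsh));
	init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch));

	/* Make sure we like the peer's parameters */
	if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp,
	    &supp_af, &sctp_options, ira) == 0) {
		/* CAUSE blocks gathered before the failure have nowhere to go */
		if (errmp != NULL)
			freemsg(errmp);
		return;
	}
	if (errmp != NULL)
		errlen = msgdsize(errmp);
	if (connp->conn_family == AF_INET) {
		/*
		 * Regardless of the supported address in the INIT, v4
		 * must be supported.
		 */
		supp_af = PARM_SUPP_V4;
	}
	if (sctp->sctp_state <= SCTPS_LISTEN) {
		/* normal, expected INIT: generate new vtag and itsn */
		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
		if (itag == 0)
			itag = (uint32_t)gethrtime();
		itsn = itag + 1;
		itag = htonl(itag);
	} else if (sctp->sctp_state == SCTPS_COOKIE_WAIT ||
	    sctp->sctp_state == SCTPS_COOKIE_ECHOED) {
		/* init collision; copy vtag and itsn from sctp */
		itag = sctp->sctp_lvtag;
		itsn = sctp->sctp_ltsn;
		/*
		 * In addition we need to send all the params that was sent
		 * in our INIT chunk.  Essentially, it is only the supported
		 * address params that we need to add.
		 */
		initcollision = B_TRUE;
		/*
		 * When we sent the INIT, we should have set linklocal in
		 * the sctp which should be good enough.
		 */
		if (linklocal)
			linklocal = B_FALSE;
	} else {
		/* peer restart; generate new vtag but keep everything else */
		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
		if (itag == 0)
			itag = (uint32_t)gethrtime();
		itag = htonl(itag);
		itsn = sctp->sctp_ltsn;
	}

	/*
	 * Allocate a mblk for the INIT ACK, consisting of the link layer
	 * header, the IP header, the SCTP common header, and INIT ACK chunk,
	 * and finally the COOKIE parameter.
	 */
	cookielen = SCTP_CALC_COOKIE_LEN(ch);
	iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen;
	if (sctp->sctp_send_adaptation)
		iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t));
	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
	    sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
		iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION);
	}
	if (initcollision)
		iacklen += sctp_supaddr_param_len(sctp);
	if (!linklocal)
		iacklen += sctp_addr_params(sctp, supp_af, NULL, B_FALSE);
	/*
	 * ipsctplen is the size of iackmp itself; the CAUSE blocks travel in
	 * errmp (chained via b_cont) and are only counted in the chunk and
	 * IP lengths.
	 */
	ipsctplen += sizeof (*iacksh) + iacklen;
	iacklen += errlen;
	/*
	 * Padding is applied after the cookie which is the end of chunk
	 * unless CAUSE blocks are appended when the pad must also be
	 * accounted for in iacklen.
	 */
	if ((pad = ipsctplen % SCTP_ALIGN) != 0) {
		pad = SCTP_ALIGN - pad;
		ipsctplen += pad;
		if (errmp != NULL)
			iacklen += pad;
	}

	/*
	 * Base the transmission on any routing-related socket options
	 * that have been set on the listener.
	 */
	ixa = conn_get_ixa_exclusive(connp);
	if (ixa == NULL) {
		sctp_send_abort(sctp, sctp_init2vtag(ch),
		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
		if (errmp != NULL)
			freemsg(errmp);
		return;
	}
	ixa->ixa_flags &= ~IXAF_VERIFY_PMTU;

	if (isv4)
		ixa->ixa_flags |= IXAF_IS_IPV4;
	else
		ixa->ixa_flags &= ~IXAF_IS_IPV4;

	/*
	 * If the listen socket is bound to a trusted extensions multi-label
	 * port, a MAC-Exempt connection with an unlabeled node, we use the
	 * the security label of the received INIT packet.
	 * If not a multi-label port, attach the unmodified
	 * listener's label directly.
	 *
	 * We expect Sun developed kernel modules to properly set
	 * cred labels for sctp connections.  We can't be so sure this
	 * will be done correctly when 3rd party kernel modules
	 * directly use sctp.  We check for a NULL ira_tsl to cover this
	 * possibility.
	 */
	if (is_system_labeled()) {
		/* Discard any old label */
		if (ixa->ixa_free_flags & IXA_FREE_TSL) {
			ASSERT(ixa->ixa_tsl != NULL);
			label_rele(ixa->ixa_tsl);
			ixa->ixa_free_flags &= ~IXA_FREE_TSL;
			ixa->ixa_tsl = NULL;
		}

		if (connp->conn_mlp_type != mlptSingle ||
		    connp->conn_mac_mode != CONN_MAC_DEFAULT) {
			if (ira->ira_tsl == NULL) {
				sctp_send_abort(sctp, sctp_init2vtag(ch),
				    SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0,
				    B_FALSE, ira);
				ixa_refrele(ixa);
				if (errmp != NULL)
					freemsg(errmp);
				return;
			}
			label_hold(ira->ira_tsl);
			ip_xmit_attr_replace_tsl(ixa, ira->ira_tsl);
		} else {
			ixa->ixa_tsl = crgetlabel(connp->conn_cred);
		}
	}

	iackmp = allocb(ipsctplen + sctps->sctps_wroff_xtra, BPRI_MED);
	if (iackmp == NULL) {
		sctp_send_abort(sctp, sctp_init2vtag(ch),
		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
		ixa_refrele(ixa);
		if (errmp != NULL)
			freemsg(errmp);
		return;
	}

	/* Copy in the [incomplete] IP/SCTP composite header */
	p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra);
	iackmp->b_rptr = (uchar_t *)p;
	if (isv4) {
		bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len);
		iackiph = (ipha_t *)p;

		/* Copy the peer's IP addr */
		iackiph->ipha_dst = initiph->ipha_src;
		iackiph->ipha_src = initiph->ipha_dst;
		iackiph->ipha_length = htons(ipsctplen + errlen);
		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len);
		ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr_len;
	} else {
		bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len);
		iackip6h = (ip6_t *)p;

		/* Copy the peer's IP addr */
		iackip6h->ip6_dst = initip6h->ip6_src;
		iackip6h->ip6_src = initip6h->ip6_dst;
		iackip6h->ip6_plen = htons(ipsctplen + errlen - IPV6_HDR_LEN);
		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len);
		ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr6_len;
	}
	ixa->ixa_pktlen = ipsctplen + errlen;

	ASSERT(OK_32PTR(iacksh));

	/* Fill in the holes in the SCTP common header */
	iacksh->sh_sport = initsh->sh_dport;
	iacksh->sh_dport = initsh->sh_sport;
	iacksh->sh_verf = init->sic_inittag;

	/* INIT ACK chunk header */
	iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1);
	iack_ch->sch_id = CHUNK_INIT_ACK;
	iack_ch->sch_flags = 0;
	iack_ch->sch_len = htons(iacklen);

	/* The INIT ACK itself */
	iack = (sctp_init_chunk_t *)(iack_ch + 1);
	iack->sic_inittag = itag;	/* already in network byteorder */
	iack->sic_inittsn = htonl(itsn);

	iack->sic_a_rwnd = htonl(sctp->sctp_rwnd);
	/* Advertise what we would want to have as stream #'s */
	iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr,
	    ntohs(init->sic_instr)));
	iack->sic_instr = htons(sctp->sctp_num_istr);

	/* Optional parameters, in the same order their lengths were summed */
	p = (char *)(iack + 1);
	p += sctp_adaptation_code_param(sctp, (uchar_t *)p);
	if (initcollision)
		p += sctp_supaddr_param(sctp, (uchar_t *)p);
	if (!linklocal)
		p += sctp_addr_params(sctp, supp_af, (uchar_t *)p, B_FALSE);
	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
	    sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
		p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION);
	}
	/*
	 * Generate and lay in the COOKIE parameter.
	 *
	 * Any change here that results in a change of location for
	 * the peer's orig source address must be propagated to the fn
	 * cl_sctp_cookie_paddr() above.
	 *
	 * The cookie consists of:
	 * 1. The relative timestamp for the cookie (lbolt64)
	 * 2. The cookie lifetime (uint32_t) in tick
	 * 3. The local tie-tag
	 * 4. The peer tie-tag
	 * 5. Peer's original src, used to confirm the validity of address.
	 * 6. Our INIT ACK chunk, less any parameters
	 * 7. The INIT chunk (may contain parameters)
	 * 8. 128-bit MD5 signature.
	 *
	 * Since the timestamp values will only be evaluated locally, we
	 * don't need to worry about byte-ordering them.
	 */
	cookieph = (sctp_parm_hdr_t *)p;
	cookieph->sph_type = htons(PARM_COOKIE);
	cookieph->sph_len = htons(cookielen);

	/* timestamp */
	now = (int64_t *)(cookieph + 1);
	nowt = ddi_get_lbolt64();
	bcopy(&nowt, now, sizeof (*now));

	/* cookie lifetime -- need configuration */
	lifetime = (uint32_t *)(now + 1);
	*lifetime = sctp->sctp_cookie_lifetime;

	/* Set the tie-tags */
	ttag = (uint32_t *)(lifetime + 1);
	if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) {
		*ttag = 0;
		ttag++;
		*ttag = 0;
		ttag++;
	} else {
		/* local tie-tag (network byte-order) */
		*ttag = sctp->sctp_lvtag;
		ttag++;
		/* peer tie-tag (network byte-order) */
		*ttag = sctp->sctp_fvtag;
		ttag++;
	}
	/*
	 * Copy in peer's original source address so that we can confirm
	 * the reachability later.
	 */
	p = (char *)ttag;
	if (isv4) {
		in6_addr_t peer_addr;

		IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr);
		bcopy(&peer_addr, p, sizeof (in6_addr_t));
	} else {
		bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t));
	}
	p += sizeof (in6_addr_t);
	/* Copy in our INIT ACK chunk */
	bcopy(iack, p, sizeof (*iack));
	iack = (sctp_init_chunk_t *)p;
	/*
	 * Set the # of streams we'll end up using.  These are deliberately
	 * left in host byte order in the cookie copy: they are only read
	 * back locally (sctp_initialize_params()) once the cookie returns.
	 */
	iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr));
	iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr));
	p += sizeof (*iack);

	/* Copy in the peer's INIT chunk */
	bcopy(ch, p, ntohs(ch->sch_len));
	p += ntohs(ch->sch_len);

	/*
	 * Calculate the HMAC ICV into the digest slot in buf.
	 * First, generate a new secret if the current secret is
	 * older than the new secret lifetime parameter permits,
	 * copying the current secret to sctp_old_secret.
	 */
	if (sctps->sctps_new_secret_interval > 0 &&
	    (sctp->sctp_last_secret_update +
	    MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) {
		bcopy(sctp->sctp_secret, sctp->sctp_old_secret,
		    SCTP_SECRET_LEN);
		(void) random_get_pseudo_bytes(sctp->sctp_secret,
		    SCTP_SECRET_LEN);
		sctp->sctp_last_secret_update = nowt;
	}

	/*
	 * The digest covers everything from the timestamp through the
	 * peer's INIT (i.e. the cookie less its parameter header and the
	 * 16-byte digest slot itself) and is written into that slot at p.
	 */
	hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16,
	    (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p);

	iackmp->b_wptr = iackmp->b_rptr + ipsctplen;
	if (pad != 0)
		bzero((iackmp->b_wptr - pad), pad);

	iackmp->b_cont = errmp;		/* OK if NULL */

	if (is_system_labeled()) {
		ts_label_t *effective_tsl = NULL;

		ASSERT(ira->ira_tsl != NULL);

		/*
		 * Discard any old label.
		 * NOTE(review): this block unconditionally replaces whatever
		 * label the earlier is_system_labeled() block selected --
		 * including the listener's cred label in the single-label
		 * case -- with ira_tsl, and without taking a hold on it,
		 * while releasing the reference ip_xmit_attr_replace_tsl()
		 * took above.  Confirm that this is the intended ownership.
		 */
		if (ixa->ixa_free_flags & IXA_FREE_TSL) {
			ASSERT(ixa->ixa_tsl != NULL);
			label_rele(ixa->ixa_tsl);
			ixa->ixa_free_flags &= ~IXA_FREE_TSL;
		}
		ixa->ixa_tsl = ira->ira_tsl;	/* A multi-level responder */

		/*
		 * We need to check for label-related failures which implies
		 * an extra call to tsol_check_dest (as ip_output_simple
		 * also does a tsol_check_dest as part of computing the
		 * label for the packet, but ip_output_simple doesn't return
		 * a specific errno for that case so we can't rely on its
		 * check.)
		 */
		if (isv4) {
			err = tsol_check_dest(ixa->ixa_tsl, &iackiph->ipha_dst,
			    IPV4_VERSION, connp->conn_mac_mode,
			    connp->conn_zone_is_global, &effective_tsl);
		} else {
			err = tsol_check_dest(ixa->ixa_tsl, &iackip6h->ip6_dst,
			    IPV6_VERSION, connp->conn_mac_mode,
			    connp->conn_zone_is_global, &effective_tsl);
		}
		if (err != 0) {
			sctp_send_abort(sctp, sctp_init2vtag(ch),
			    SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE,
			    ira);
			ixa_refrele(ixa);
			/* errmp is already chained on b_cont and goes with it */
			freemsg(iackmp);
			return;
		}
		if (effective_tsl != NULL) {
			/*
			 * Since ip_output_simple will redo the
			 * tsol_check_dest, we just drop the ref.
			 */
			label_rele(effective_tsl);
		}
	}

	BUMP_LOCAL(sctp->sctp_opkts);
	BUMP_LOCAL(sctp->sctp_obchunks);

	(void) ip_output_simple(iackmp, ixa);
	ixa_refrele(ixa);
}

/*
 * Send a COOKIE ACK chunk (header only, no parameters) to the current
 * peer address of sctp.  On allocation failure the send is dropped and a
 * kstat bumped; no ABORT can be sent since the triggering mblk is gone.
 */
void
sctp_send_cookie_ack(sctp_t *sctp)
{
	sctp_chunk_hdr_t *cach;
	mblk_t *camp;
	sctp_stack_t	*sctps = sctp->sctp_sctps;

	camp = sctp_make_mp(sctp, sctp->sctp_current, sizeof (*cach));
	if (camp == NULL) {
		/* XXX should abort, but don't have the inmp anymore */
		SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed);
		return;
	}

	cach = (sctp_chunk_hdr_t *)camp->b_wptr;
	camp->b_wptr = (uchar_t *)(cach + 1);
	cach->sch_id = CHUNK_COOKIE_ACK;
	cach->sch_flags = 0;
	cach->sch_len = htons(sizeof (*cach));

	BUMP_LOCAL(sctp->sctp_obchunks);

	sctp_set_iplen(sctp, camp, sctp->sctp_current->ixa);
	(void) conn_ip_output(camp, sctp->sctp_current->ixa);
	BUMP_LOCAL(sctp->sctp_opkts);
}

/*
 * Scan the parameter list starting at sph (len bytes long) for an
 * Adaptation Layer Indication parameter.  On success the 32-bit code is
 * stored, still in network byte order, in *adaptation_code and 0 is
 * returned; -1 means no such parameter was found.
 */
static int
sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code)
{

	/*
	 * Compare as signed: len is ssize_t and the caller derives it by
	 * subtraction, so a short chunk yields a negative value.  An
	 * unsigned comparison would convert that to a huge size_t and
	 * start walking parameters that are not there.
	 */
	if (len < (ssize_t)sizeof (*sph))
		return (-1);
	while (sph != NULL) {
		/* The parameter must carry at least the 4-byte code */
		if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) &&
		    ntohs(sph->sph_len) >= (sizeof (*sph) +
		    sizeof (uint32_t))) {
			*adaptation_code = *(uint32_t *)(sph + 1);
			return (0);
		}
		sph = sctp_next_parm(sph, &len);
	}
	return (-1);
}

/*
 * Handle a received INIT ACK (iackch, carried in iackmp): validate its
 * parameters, take over the peer's tags, initial TSN and rwnd, and echo
 * the cookie back in a COOKIE ECHO chunk.
 */
void
sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp,
    ip_recv_attr_t *ira)
{
	mblk_t			*cemp;
	mblk_t			*mp = NULL;
	mblk_t			*head;
	mblk_t			*meta;
	sctp_faddr_t		*fp;
	sctp_chunk_hdr_t	*cech;
	sctp_init_chunk_t	*iack;
	int32_t			cansend;
	int32_t			seglen;
	size_t			ceclen;
	sctp_parm_hdr_t		*cph;
	sctp_data_hdr_t		*sdc;
	sctp_tf_t		*tf;
	int			pad = 0;
	int			hdrlen;
	mblk_t			*errmp = NULL;
	uint_t			sctp_options;
	int			error;
	uint16_t		old_num_str;
	sctp_stack_t		*sctps = sctp->sctp_sctps;

	iack = (sctp_init_chunk_t *)(iackch + 1);

	cph = NULL;
	if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp,
	    &pad, &sctp_options, ira) == 0) { /* result in 'pad' ignored */
		BUMP_MIB(&sctps->sctps_mib, sctpAborted);
		sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL);
		sctp_clean_death(sctp, ECONNABORTED);
		return;
	}
	ASSERT(cph != NULL);

	ASSERT(sctp->sctp_cookie_mp == NULL);

	/* Got a cookie to echo back; allocate an mblk */
	ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph);
	if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0)
		pad = SCTP_ALIGN - pad;

	if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION)
		hdrlen = sctp->sctp_hdr_len;
	else
		hdrlen = sctp->sctp_hdr6_len;

	cemp = allocb(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad,
	    BPRI_MED);
	if (cemp == NULL) {
		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
		    sctp->sctp_current->rto);
		if (errmp != NULL)
			freeb(errmp);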
return; 982 } 983 cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen); 984 985 /* Process the INIT ACK */ 986 sctp->sctp_sctph->sh_verf = iack->sic_inittag; 987 sctp->sctp_sctph6->sh_verf = iack->sic_inittag; 988 sctp->sctp_fvtag = iack->sic_inittag; 989 sctp->sctp_ftsn = ntohl(iack->sic_inittsn); 990 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 991 sctp->sctp_fcsn = sctp->sctp_lastacked; 992 sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd); 993 994 /* 995 * Populate sctp with addresses given in the INIT ACK or IP header. 996 * Need to set the df bit in the current fp as it has been cleared 997 * in sctp_connect(). 998 */ 999 sctp->sctp_current->df = B_TRUE; 1000 sctp->sctp_ipha->ipha_fragment_offset_and_flags |= IPH_DF_HTONS; 1001 1002 /* 1003 * Since IP uses this info during the fanout process, we need to hold 1004 * the lock for this hash line while performing this operation. 1005 */ 1006 /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, connp->conn_ports); */ 1007 ASSERT(sctp->sctp_conn_tfp != NULL); 1008 tf = sctp->sctp_conn_tfp; 1009 /* sctp isn't a listener so only need to hold conn fanout lock */ 1010 mutex_enter(&tf->tf_lock); 1011 if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) { 1012 mutex_exit(&tf->tf_lock); 1013 freeb(cemp); 1014 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 1015 sctp->sctp_current->rto); 1016 if (errmp != NULL) 1017 freeb(errmp); 1018 return; 1019 } 1020 mutex_exit(&tf->tf_lock); 1021 1022 fp = sctp->sctp_current; 1023 1024 /* 1025 * There could be a case when we get an INIT-ACK again, if the INIT 1026 * is re-transmitted, for e.g., which means we would have already 1027 * allocated this resource earlier (also for sctp_instr). In this 1028 * case we check and re-allocate, if necessary. 
1029 */ 1030 old_num_str = sctp->sctp_num_ostr; 1031 if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr) 1032 sctp->sctp_num_ostr = ntohs(iack->sic_instr); 1033 if (sctp->sctp_ostrcntrs == NULL) { 1034 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 1035 sctp->sctp_num_ostr, KM_NOSLEEP); 1036 } else { 1037 ASSERT(old_num_str > 0); 1038 if (old_num_str != sctp->sctp_num_ostr) { 1039 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 1040 old_num_str); 1041 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 1042 sctp->sctp_num_ostr, KM_NOSLEEP); 1043 } 1044 } 1045 if (sctp->sctp_ostrcntrs == NULL) { 1046 freeb(cemp); 1047 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1048 if (errmp != NULL) 1049 freeb(errmp); 1050 return; 1051 } 1052 1053 /* 1054 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs 1055 * hold here too. 1056 */ 1057 old_num_str = sctp->sctp_num_istr; 1058 if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr) 1059 sctp->sctp_num_istr = ntohs(iack->sic_outstr); 1060 if (sctp->sctp_instr == NULL) { 1061 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 1062 sctp->sctp_num_istr, KM_NOSLEEP); 1063 } else { 1064 ASSERT(old_num_str > 0); 1065 if (old_num_str != sctp->sctp_num_istr) { 1066 kmem_free(sctp->sctp_instr, 1067 sizeof (*sctp->sctp_instr) * old_num_str); 1068 sctp->sctp_instr = kmem_zalloc( 1069 sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr, 1070 KM_NOSLEEP); 1071 } 1072 } 1073 if (sctp->sctp_instr == NULL) { 1074 kmem_free(sctp->sctp_ostrcntrs, 1075 sizeof (uint16_t) * sctp->sctp_num_ostr); 1076 freeb(cemp); 1077 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1078 if (errmp != NULL) 1079 freeb(errmp); 1080 return; 1081 } 1082 1083 if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware) 1084 sctp->sctp_prsctp_aware = B_FALSE; 1085 1086 if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1), 1087 ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)), 1088 &sctp->sctp_rx_adaptation_code) == 0) { 1089 
sctp->sctp_recv_adaptation = 1; 1090 } 1091 1092 cech = (sctp_chunk_hdr_t *)cemp->b_rptr; 1093 ASSERT(OK_32PTR(cech)); 1094 cech->sch_id = CHUNK_COOKIE; 1095 cech->sch_flags = 0; 1096 cech->sch_len = htons(ceclen); 1097 1098 /* Copy the cookie (less the parm hdr) to the chunk */ 1099 bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph)); 1100 1101 cemp->b_wptr = cemp->b_rptr + ceclen; 1102 1103 if (sctp->sctp_unsent > 0) { 1104 sctp_msg_hdr_t *smh; 1105 mblk_t *prev = NULL; 1106 uint32_t unsent = 0; 1107 1108 mp = sctp->sctp_xmit_unsent; 1109 do { 1110 smh = (sctp_msg_hdr_t *)mp->b_rptr; 1111 if (smh->smh_sid >= sctp->sctp_num_ostr) { 1112 unsent += smh->smh_msglen; 1113 if (prev != NULL) 1114 prev->b_next = mp->b_next; 1115 else 1116 sctp->sctp_xmit_unsent = mp->b_next; 1117 mp->b_next = NULL; 1118 sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID, 1119 B_FALSE); 1120 if (prev != NULL) 1121 mp = prev->b_next; 1122 else 1123 mp = sctp->sctp_xmit_unsent; 1124 } else { 1125 prev = mp; 1126 mp = mp->b_next; 1127 } 1128 } while (mp != NULL); 1129 if (unsent > 0) { 1130 ASSERT(sctp->sctp_unsent >= unsent); 1131 sctp->sctp_unsent -= unsent; 1132 /* 1133 * Update ULP the amount of queued data, which is 1134 * sent-unack'ed + unsent. 1135 * This is not necessary, but doesn't harm, we 1136 * just use unsent instead of sent-unack'ed + 1137 * unsent, since there won't be any sent-unack'ed 1138 * here. 1139 */ 1140 if (!SCTP_IS_DETACHED(sctp)) 1141 SCTP_TXQ_UPDATE(sctp); 1142 } 1143 if (sctp->sctp_xmit_unsent == NULL) 1144 sctp->sctp_xmit_unsent_tail = NULL; 1145 } 1146 ceclen += pad; 1147 cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd); 1148 meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen, 1149 cansend, NULL); 1150 /* 1151 * The error cannot be anything else since we could have an non-zero 1152 * error only if sctp_get_msg_to_send() tries to send a Forward 1153 * TSN which will not happen here. 
1154 */ 1155 ASSERT(error == 0); 1156 if (meta == NULL) 1157 goto sendcookie; 1158 sctp->sctp_xmit_tail = meta; 1159 sdc = (sctp_data_hdr_t *)mp->b_rptr; 1160 seglen = ntohs(sdc->sdh_len); 1161 if ((ceclen + seglen) > fp->sfa_pmss || 1162 (seglen - sizeof (*sdc)) > cansend) { 1163 goto sendcookie; 1164 } 1165 /* OK, if this fails */ 1166 cemp->b_cont = dupmsg(mp); 1167 sendcookie: 1168 head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL); 1169 if (head == NULL) { 1170 freemsg(cemp); 1171 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1172 if (errmp != NULL) 1173 freeb(errmp); 1174 SCTP_KSTAT(sctps, sctp_send_cookie_failed); 1175 return; 1176 } 1177 /* 1178 * Even if cookie-echo exceeds MTU for one of the hops, it'll 1179 * have a chance of getting there. 1180 */ 1181 if (fp->isv4) { 1182 ipha_t *iph = (ipha_t *)head->b_rptr; 1183 iph->ipha_fragment_offset_and_flags = 0; 1184 } 1185 BUMP_LOCAL(sctp->sctp_obchunks); 1186 1187 sctp->sctp_cookie_mp = dupmsg(head); 1188 /* Don't bundle, we will just resend init if this cookie is lost. 
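 */
	if (sctp->sctp_cookie_mp == NULL) {
		if (cemp->b_cont != NULL) {
			freemsg(cemp->b_cont);
			cemp->b_cont = NULL;
		}
	} else if (cemp->b_cont != NULL) {
		ASSERT(mp != NULL && mp == meta->b_cont);
		SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont);
		cemp->b_wptr += pad;
		seglen -= sizeof (*sdc);
		SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta);
	}
	if (errmp != NULL) {
		if (cemp->b_cont == NULL)
			cemp->b_wptr += pad;
		linkb(head, errmp);
	}
	sctp->sctp_state = SCTPS_COOKIE_ECHOED;
	SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);

	sctp_set_iplen(sctp, head, fp->ixa);
	(void) conn_ip_output(head, fp->ixa);
	BUMP_LOCAL(sctp->sctp_opkts);
}

/*
 * Constant-time comparison of two HMAC digests of length len.
 *
 * A compare that stops at the first differing byte (as bcmp() may) leaks,
 * through its timing, how many leading bytes of a guessed digest were
 * right.  This one always touches every byte and never short-circuits.
 *
 * Returns 1 if the buffers are identical, 0 otherwise.
 */
static int
cookie_hash_eq(const uchar_t *a, const uchar_t *b, size_t len)
{
	uchar_t acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= (uchar_t)(a[i] ^ b[i]);
	return (acc == 0);
}

/*
 * Validate a received COOKIE ECHO chunk and recover the INIT ACK and INIT
 * chunks that were embedded in the State Cookie when this host issued it.
 *
 * sctp		IN	the association the chunk was demultiplexed to
 * ch		IN	the COOKIE ECHO chunk header
 * cmp		IN	the mblk carrying the chunk; passed to sctp_send_abort()
 *			and sctp_secure_restart_check()
 * iackpp	OUT	set to the embedded INIT ACK chunk once the ICV verified
 * insctph	IN	SCTP common header of the incoming packet (ports)
 * recv_adaptation OUT	1 if the embedded INIT carries an adaptation layer
 *			indication, else 0
 * peer_addr	OUT	if non-NULL, filled with the address stored in the
 *			cookie after the tie-tags
 * ira		IN	receive attributes, passed through to the abort/restart
 *			helpers
 *
 * Returns 0 if the cookie is acceptable -- either a fresh association, or a
 * restart / INIT collision / COOKIE ECHO retransmit handled here as per
 * RFC 2960 section 5.2.4 -- and -1 if the chunk must be dropped.  On the
 * stale-cookie path an ABORT with a Stale Cookie error is sent before
 * returning -1.
 */
int
sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
    sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaptation,
    in6_addr_t *peer_addr, ip_recv_attr_t *ira)
{
	int32_t clen;
	size_t initplen;
	uchar_t *p;
	uchar_t *given_hash;
	uchar_t needed_hash[16];
	int64_t ts;
	int64_t diff;
	uint32_t *lt;
	sctp_init_chunk_t *iack;
	sctp_chunk_hdr_t *initch;
	sctp_init_chunk_t *init;
	uint32_t *lttag;
	uint32_t *fttag;
	uint32_t ports;
	sctp_stack_t *sctps = sctp->sctp_sctps;
	conn_t *connp = sctp->sctp_connp;

	BUMP_LOCAL(sctp->sctp_ibchunks);

	/*
	 * Verify the ICV.  The cookie payload is followed by a 16 byte
	 * HMAC-MD5 digest; clen is the length of the payload alone.  Do
	 * the subtraction in a signed type so that a chunk shorter than
	 * header plus digest yields a well-defined negative value rather
	 * than relying on size_t wrap-around and a narrowing conversion.
	 */
	clen = (int32_t)ntohs(ch->sch_len) - (int32_t)(sizeof (*ch) + 16);
	if (clen < 0) {
		dprint(1, ("invalid cookie chunk length %d\n",
		    ntohs(ch->sch_len)));

		return (-1);
	}
	p = (uchar_t *)(ch + 1);

	hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN,
	    needed_hash);

	/* The given hash follows the cookie data */
	given_hash = p + clen;

	if (!cookie_hash_eq(given_hash, needed_hash, 16)) {
		/* The secret may have changed; try the old secret */
		hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret,
		    SCTP_SECRET_LEN, needed_hash);
		if (!cookie_hash_eq(given_hash, needed_hash, 16)) {
			return (-1);
		}
	}

	/*
	 * From here on the cookie payload is trusted: only this host, with
	 * the current or the previous secret, could have produced a matching
	 * digest, so the fixed layout decoded below (timestamp, lifetime,
	 * tie-tags, peer address, INIT ACK, INIT) is assumed rather than
	 * bounds-checked against clen.
	 */

	/* Timestamp is int64_t, and we only guarantee 32-bit alignment */
	bcopy(p, &ts, sizeof (ts));
	/* Cookie life time, uint32_t */
	lt = (uint32_t *)(p + sizeof (ts));

	/*
	 * To quote PRC, "this is our baby", so let's continue.
	 * We need to pull out the encapsulated INIT ACK and
	 * INIT chunks. Note that we don't process these until
	 * we have verified the timestamp, but we need them before
	 * processing the timestamp since if the time check fails,
	 * we need to get the verification tag from the INIT in order
	 * to send a stale cookie error.
	 */
	lttag = (uint32_t *)(lt + 1);
	fttag = lttag + 1;
	if (peer_addr != NULL)
		bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t));
	iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t));
	initch = (sctp_chunk_hdr_t *)(iack + 1);
	init = (sctp_init_chunk_t *)(initch + 1);
	initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch));
	*iackpp = iack;
	*recv_adaptation = 0;

	/*
	 * Check the staleness of the Cookie, specified in 3.3.10.3 of
	 * RFC 2960.
	 *
	 * The measure of staleness is the difference, in clock ticks,
	 * between the current time and the time the State Cookie expires.
	 * So it is lbolt64 - (ts + *lt). If it is positive, it means
	 * that the Cookie has expired; the error reports the overrun in
	 * microseconds.  A cookie whose tags already match ours (the
	 * COOKIE ECHO retransmit case D below) is not subject to the
	 * lifetime check.
	 */
	diff = ddi_get_lbolt64() - (ts + *lt);
	if (diff > 0 && (init->sic_inittag != sctp->sctp_fvtag ||
	    iack->sic_inittag != sctp->sctp_lvtag)) {
		uint32_t staleness;

		staleness = TICK_TO_USEC(diff);
		/* Log the host-order value before it is byte-swapped */
		dprint(1, ("stale cookie %u\n", staleness));
		staleness = htonl(staleness);
		sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE,
		    (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE,
		    ira);

		return (-1);
	}

	/* Check for attack by adding addresses to a restart */
	bcopy(insctph, &ports, sizeof (ports));
	if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP,
	    sctps, ira) != 1) {
		return (-1);
	}

	/* Look for adaptation code if there any parms in the INIT chunk */
	if ((initplen >= sizeof (sctp_parm_hdr_t)) &&
	    (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen,
	    &sctp->sctp_rx_adaptation_code) == 0)) {
		*recv_adaptation = 1;
	}

	/*
	 * Examine tie-tags.  Only meaningful once this end has at least
	 * sent an INIT; the four cases below follow RFC 2960 section 5.2.4.
	 */

	if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) {
		if (sctp->sctp_state == SCTPS_ESTABLISHED &&
		    init->sic_inittag == sctp->sctp_fvtag &&
		    iack->sic_inittag == sctp->sctp_lvtag &&
		    *fttag == 0 && *lttag == 0) {

			dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
			    (int)(connp->conn_fport)));
			return (-1);
		}

		if (init->sic_inittag != sctp->sctp_fvtag &&
		    iack->sic_inittag != sctp->sctp_lvtag &&
		    *fttag == sctp->sctp_fvtag &&
		    *lttag == sctp->sctp_lvtag) {
			int i;

			/* Section 5.2.4 case A: restart */
			sctp->sctp_fvtag = init->sic_inittag;
			sctp->sctp_lvtag = iack->sic_inittag;

			sctp->sctp_sctph->sh_verf = init->sic_inittag;
			sctp->sctp_sctph6->sh_verf = init->sic_inittag;

			sctp->sctp_ftsn = ntohl(init->sic_inittsn);
			sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
			sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
			sctp->sctp_fcsn = sctp->sctp_lastacked;

			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
				sctp->sctp_state = SCTPS_ESTABLISHED;
				sctp->sctp_assoc_start_time =
				    (uint32_t)ddi_get_lbolt();
			}

			dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n",
			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
			    (int)(connp->conn_fport)));
			/* reset parameters */
			sctp_congest_reset(sctp);

			/* reset stream bookkeeping */
			sctp_instream_cleanup(sctp, B_FALSE);

			sctp->sctp_istr_nmsgs = 0;
			sctp->sctp_rxqueued = 0;
			for (i = 0; i < sctp->sctp_num_ostr; i++) {
				sctp->sctp_ostrcntrs[i] = 0;
			}
			/* XXX flush xmit_list? */

			return (0);
		} else if (init->sic_inittag != sctp->sctp_fvtag &&
		    iack->sic_inittag == sctp->sctp_lvtag) {

			/* Section 5.2.4 case B: INIT collision */
			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
				if (!sctp_initialize_params(sctp, init, iack))
					return (-1);	/* Drop? */
				sctp->sctp_state = SCTPS_ESTABLISHED;
				sctp->sctp_assoc_start_time =
				    (uint32_t)ddi_get_lbolt();
			}

			dprint(1, ("init collision with %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
			    (int)(connp->conn_fport)));

			return (0);
		} else if (iack->sic_inittag != sctp->sctp_lvtag &&
		    init->sic_inittag == sctp->sctp_fvtag &&
		    *fttag == 0 && *lttag == 0) {

			/* Section 5.2.4 case C: late COOKIE */
			dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
			    (int)(connp->conn_fport)));
			return (-1);
		} else if (init->sic_inittag == sctp->sctp_fvtag &&
		    iack->sic_inittag == sctp->sctp_lvtag) {

			/*
			 * Section 5.2.4 case D: COOKIE ECHO retransmit
			 * Don't check cookie lifetime
			 */
			dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
			    (int)(connp->conn_fport)));
			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
				if (!sctp_initialize_params(sctp, init, iack))
					return (-1);	/* Drop? */
				sctp->sctp_state = SCTPS_ESTABLISHED;
				sctp->sctp_assoc_start_time =
				    (uint32_t)ddi_get_lbolt();
			}
			return (0);
		} else {
			/* unrecognized case -- silently drop it */
			return (-1);
		}
	}

	return (0);
}

/*
 * Similar to ip_fanout_sctp, except that the src addr(s) are drawn
 * from address parameters in an INIT ACK's address list. This
 * function is used when an INIT ACK is received but IP's fanout
 * function could not find a sctp via the normal lookup routine.
 * This can happen when a host sends an INIT ACK from a different
 * address than the INIT was sent to.
 *
 * mp		IN	the packet, starting at its IP header
 * sctph	IN	the SCTP common header; its first 32 bits (the port
 *			pair) are used as the lookup key
 * ich		IN	the INIT ACK chunk header
 * zoneid	IN	zone to match the association in
 * sctps	IN	the SCTP stack instance
 *
 * Returns the sctp_t if found, or NULL if not found.
 */
sctp_t *
sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich,
    zoneid_t zoneid, sctp_stack_t *sctps)
{
	int isv4;
	ipha_t *iph;
	ip6_t *ip6h;
	in6_addr_t dst;
	in6_addr_t src;
	sctp_parm_hdr_t *ph;
	ssize_t remaining;
	sctp_init_chunk_t *iack;
	uint32_t ports;
	sctp_t *sctp = NULL;

	ASSERT(ich->sch_id == CHUNK_INIT_ACK);

	isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
	if (isv4) {
		iph = (ipha_t *)mp->b_rptr;
		IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst);
	} else {
		ip6h = (ip6_t *)mp->b_rptr;
		dst = ip6h->ip6_dst;
	}

	ports = *(uint32_t *)sctph;

	dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n",
	    ports, SCTP_PRINTADDR(dst)));

	/*
	 * Pull out any address parameters.  Compute and compare the
	 * remaining length as signed: a chunk shorter than the INIT ACK
	 * header would make it negative, and comparing an ssize_t against
	 * sizeof (*ph) unsigned would let such a value through.
	 */
	remaining = (ssize_t)ntohs(ich->sch_len) -
	    (ssize_t)(sizeof (*ich) + sizeof (*iack));
	if (remaining < (ssize_t)sizeof (*ph)) {
		return (NULL);
	}

	iack = (sctp_init_chunk_t *)(ich + 1);
	ph = (sctp_parm_hdr_t *)(iack + 1);

	while (ph != NULL) {
		/*
		 * params have been put in host byteorder by
		 * sctp_check_input()
		 *
		 * For labeled systems, there's no need to check the
		 * label here. It's known to be good as we checked
		 * before allowing the connection to become bound.
		 */
		if (ph->sph_type == PARM_ADDR4) {
			IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1),
			    &src);

			sctp = sctp_conn_match(&src, &dst, ports, zoneid,
			    0, sctps);

			dprint(1,
			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
			    SCTP_PRINTADDR(src), (void *)sctp));


			if (sctp != NULL) {
				return (sctp);
			}
		} else if (ph->sph_type == PARM_ADDR6) {
			src = *(in6_addr_t *)(ph + 1);
			sctp = sctp_conn_match(&src, &dst, ports, zoneid,
			    0, sctps);

			dprint(1,
			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
			    SCTP_PRINTADDR(src), (void *)sctp));

			if (sctp != NULL) {
				return (sctp);
			}
		}

		/* sctp_next_parm() advances ph and decrements remaining */
		ph = sctp_next_parm(ph, &remaining);
	}

	return (NULL);
}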