xref: /titanic_41/usr/src/uts/common/inet/sctp/sctp_cookie.c (revision bbb1277b6ec1b0daad4e3ed1a2b891d3e2ece2eb)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <sys/types.h>
28 #include <sys/systm.h>
29 #include <sys/stream.h>
30 #include <sys/cmn_err.h>
31 #include <sys/md5.h>
32 #include <sys/kmem.h>
33 #include <sys/strsubr.h>
34 #include <sys/random.h>
35 #include <sys/tsol/tnet.h>
36 
37 #include <netinet/in.h>
38 #include <netinet/ip6.h>
39 
40 #include <inet/common.h>
41 #include <inet/ip.h>
42 #include <inet/ip6.h>
43 #include <inet/ipsec_impl.h>
44 #include <inet/sctp_ip.h>
45 #include <inet/ipclassifier.h>
46 #include "sctp_impl.h"
47 
48 /*
49  * Helper function for SunCluster (PSARC/2005/602) to get the original source
50  * address from the COOKIE
51  */
52 int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *);
53 
54 /*
55  * From RFC 2104. This should probably go into libmd5 (and while
56  * we're at it, maybe we should make a libdigest so we can later
57  * add SHA1 and others, esp. since some weaknesses have been found
58  * with MD5).
59  *
60  * text		IN			pointer to data stream
61  * text_len	IN			length of data stream
62  * key		IN			pointer to authentication key
63  * key_len	IN			length of authentication key
64  * digest	OUT			caller digest to be filled in
65  */
66 static void
67 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len,
68     uchar_t *digest)
69 {
70 	MD5_CTX context;
71 	uchar_t k_ipad[65];	/* inner padding - key XORd with ipad */
72 	uchar_t k_opad[65];	/* outer padding - key XORd with opad */
73 	uchar_t tk[16];
74 	int i;
75 
76 	/* if key is longer than 64 bytes reset it to key=MD5(key) */
77 	if (key_len > 64) {
78 		MD5_CTX tctx;
79 
80 		MD5Init(&tctx);
81 		MD5Update(&tctx, key, key_len);
82 		MD5Final(tk, &tctx);
83 
84 		key = tk;
85 		key_len = 16;
86 	}
87 
88 	/*
89 	 * the HMAC_MD5 transform looks like:
90 	 *
91 	 * MD5(K XOR opad, MD5(K XOR ipad, text))
92 	 *
93 	 * where K is an n byte key
94 	 * ipad is the byte 0x36 repeated 64 times
95 	 * opad is the byte 0x5c repeated 64 times
96 	 * and text is the data being protected
97 	 */
98 
99 	/* start out by storing key in pads */
100 	bzero(k_ipad, sizeof (k_ipad));
101 	bzero(k_opad, sizeof (k_opad));
102 	bcopy(key, k_ipad, key_len);
103 	bcopy(key, k_opad, key_len);
104 
105 	/* XOR key with ipad and opad values */
106 	for (i = 0; i < 64; i++) {
107 		k_ipad[i] ^= 0x36;
108 		k_opad[i] ^= 0x5c;
109 	}
110 	/*
111 	 * perform inner MD5
112 	 */
113 	MD5Init(&context);			/* init context for 1st */
114 						/* pass */
115 	MD5Update(&context, k_ipad, 64);	/* start with inner pad */
116 	MD5Update(&context, text, text_len);	/* then text of datagram */
117 	MD5Final(digest, &context);		/* finish up 1st pass */
118 	/*
119 	 * perform outer MD5
120 	 */
121 	MD5Init(&context);			/* init context for 2nd */
122 						/* pass */
123 	MD5Update(&context, k_opad, 64);	/* start with outer pad */
124 	MD5Update(&context, digest, 16);	/* then results of 1st */
125 						/* hash */
126 	MD5Final(digest, &context);		/* finish up 2nd pass */
127 }
128 
129 /*
130  * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP
131  * info in initmp to send the abort. Otherwise, no abort will be sent.
132  *
133  * When called from stcp_send_initack() while processing parameters
134  * from a received INIT_CHUNK want_cookie will be NULL.
135  *
136  * When called from sctp_send_cookie_echo() while processing an INIT_ACK,
137  * want_cookie contains a pointer to a pointer of type *sctp_parm_hdr_t.
138  * However, this last pointer will be NULL until the cookie is processed
139  * at which time it will be set to point to a sctp_parm_hdr_t that contains
140  * the cookie info.
141  *
142  * Note: an INIT_ACK is expected to contain a cookie.
143  *
144  * When processing an INIT_ACK, an ERROR chunk and chain of one or more
145  * error CAUSE blocks will be created if unrecognized parameters marked by
146  * the sender as reportable are found.
147  *
148  * When processing an INIT chunk, a chain of one or more error CAUSE blocks
149  * will be created if unrecognized parameters marked by the sender as
150  * reportable are found. These are appended directly to the INIT_ACK chunk.
151  *
152  * In both cases the error chain is visible to the caller via *errmp.
153  *
154  * Returns 1 if the parameters are OK (or if there are no optional
155  * parameters), returns 0 otherwise.
156  */
157 static int
158 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch,
159     sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie,
160     mblk_t **errmp, int *supp_af, uint_t *sctp_options, ip_recv_attr_t *ira)
161 {
162 	sctp_parm_hdr_t		*cph;
163 	sctp_init_chunk_t	*ic;
164 	ssize_t			remaining;
165 	uint16_t		serror = 0;
166 	char			*details = NULL;
167 	size_t			errlen = 0;
168 	boolean_t		got_cookie = B_FALSE;
169 	boolean_t		got_errchunk = B_FALSE;
170 	uint16_t		ptype;
171 	sctp_mpc_t		mpc;
172 	conn_t			*connp = sctp->sctp_connp;
173 
174 
175 	ASSERT(errmp != NULL);
176 
177 	if (sctp_options != NULL)
178 		*sctp_options = 0;
179 
180 	/* First validate stream parameters */
181 	if (init->sic_instr == 0 || init->sic_outstr == 0) {
182 		serror = SCTP_ERR_BAD_MANDPARM;
183 		dprint(1, ("validate_init_params: bad sid, is=%d os=%d\n",
184 		    htons(init->sic_instr), htons(init->sic_outstr)));
185 		goto abort;
186 	}
187 	if (ntohl(init->sic_inittag) == 0) {
188 		serror = SCTP_ERR_BAD_MANDPARM;
189 		dprint(1, ("validate_init_params: inittag = 0\n"));
190 		goto abort;
191 	}
192 
193 	remaining = ntohs(ch->sch_len) - sizeof (*ch);
194 	ic = (sctp_init_chunk_t *)(ch + 1);
195 	remaining -= sizeof (*ic);
196 	if (remaining < sizeof (*cph)) {
197 		/*
198 		 * When processing a received INIT_ACK, a cookie is
199 		 * expected, if missing there is nothing to validate.
200 		 */
201 		if (want_cookie != NULL)
202 			goto cookie_abort;
203 		return (1);
204 	}
205 
206 	cph = (sctp_parm_hdr_t *)(ic + 1);
207 
208 	while (cph != NULL) {
209 		ptype = ntohs(cph->sph_type);
210 		switch (ptype) {
211 		case PARM_HBINFO:
212 		case PARM_UNRECOGNIZED:
213 		case PARM_ECN:
214 			/* just ignore them */
215 			break;
216 		case PARM_FORWARD_TSN:
217 			if (sctp_options != NULL)
218 				*sctp_options |= SCTP_PRSCTP_OPTION;
219 			break;
220 		case PARM_COOKIE:
221 			got_cookie = B_TRUE;
222 			/*
223 			 * Processing a received INIT_ACK, we have a cookie
224 			 * and a valid pointer in our caller to attach it to.
225 			 */
226 			if (want_cookie != NULL) {
227 				*want_cookie = cph;
228 			}
229 			break;
230 		case PARM_ADDR4:
231 			*supp_af |= PARM_SUPP_V4;
232 			break;
233 		case PARM_ADDR6:
234 			*supp_af |= PARM_SUPP_V6;
235 			break;
236 		case PARM_COOKIE_PRESERVE:
237 		case PARM_ADAPT_LAYER_IND:
238 			/* These are OK */
239 			break;
240 		case PARM_ADDR_HOST_NAME:
241 			/* Don't support this; abort the association */
242 			serror = SCTP_ERR_BAD_ADDR;
243 			details = (char *)cph;
244 			errlen = ntohs(cph->sph_len);
245 			dprint(1, ("sctp:validate_init_params: host addr\n"));
246 			goto abort;
247 		case PARM_SUPP_ADDRS: {
248 			/* Make sure we have a supported addr intersection */
249 			uint16_t *p, addrtype;
250 			int plen;
251 
252 			plen = ntohs(cph->sph_len);
253 			p = (uint16_t *)(cph + 1);
254 			while (plen > 0) {
255 				addrtype = ntohs(*p);
256 				switch (addrtype) {
257 				case PARM_ADDR6:
258 					*supp_af |= PARM_SUPP_V6;
259 					break;
260 				case PARM_ADDR4:
261 					*supp_af |= PARM_SUPP_V4;
262 					break;
263 				default:
264 					/*
265 					 * Do nothing, silently ignore hostname
266 					 * address.
267 					 */
268 					break;
269 				}
270 				p++;
271 				plen -= sizeof (*p);
272 			}
273 			break;
274 		}
275 		default:
276 			/*
277 			 * Handle any unrecognized params, the two high order
278 			 * bits of ptype define how the remote wants them
279 			 * handled.
280 			 * Top bit:
281 			 *    1. Continue processing other params in the chunk
282 			 *    0. Stop processing params after this one.
283 			 * 2nd bit:
284 			 *    1. Must report this unrecognized param to remote
285 			 *    0. Obey the top bit silently.
286 			 */
287 			if (ptype & SCTP_REPORT_THIS_PARAM) {
288 				if (!got_errchunk && want_cookie != NULL) {
289 					/*
290 					 * Processing an INIT_ACK, this is the
291 					 * first reportable param, create an
292 					 * ERROR chunk and populate it with a
293 					 * CAUSE block for this parameter.
294 					 */
295 					*errmp = sctp_make_err(sctp,
296 					    PARM_UNRECOGNIZED,
297 					    (void *)cph,
298 					    ntohs(cph->sph_len));
299 					got_errchunk = B_TRUE;
300 				} else {
301 					/*
302 					 * If processing an INIT chunk add
303 					 * an additional CAUSE block to an
304 					 * INIT_ACK, got_errchunk is B_FALSE.
305 					 */
306 					sctp_add_unrec_parm(cph, errmp,
307 					    got_errchunk);
308 				}
309 			}
310 			if (ptype & SCTP_CONT_PROC_PARAMS) {
311 				/*
312 				 * Continue processing params after this
313 				 * parameter.
314 				 */
315 				break;
316 			}
317 
318 			/*
319 			 * Stop processing params, report any reportable
320 			 * unrecognized params found so far.
321 			 */
322 			goto done;
323 		}
324 
325 		cph = sctp_next_parm(cph, &remaining);
326 	}
327 done:
328 	/*
329 	 * Some sanity checks.  The following should not fail unless the
330 	 * other side is broken.
331 	 *
332 	 * 1. If this is a V4 endpoint but V4 address is not
333 	 * supported, abort.
334 	 * 2. If this is a V6 only endpoint but V6 address is
335 	 * not supported, abort.  This assumes that a V6
336 	 * endpoint can use both V4 and V6 addresses.
337 	 * We only care about supp_af when processing INIT, i.e want_cookie
338 	 * is NULL.
339 	 */
340 	if (want_cookie == NULL &&
341 	    ((connp->conn_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) ||
342 	    (connp->conn_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) &&
343 	    sctp->sctp_connp->conn_ipv6_v6only))) {
344 		dprint(1, ("sctp:validate_init_params: supp addr\n"));
345 		serror = SCTP_ERR_BAD_ADDR;
346 		goto abort;
347 	}
348 
349 	if (want_cookie != NULL && !got_cookie) {
350 cookie_abort:
351 		/* Will populate the CAUSE block in the ABORT chunk. */
352 		mpc.mpc_num =  htons(1);
353 		mpc.mpc_param = htons(PARM_COOKIE);
354 		mpc.mpc_pad = 0;
355 
356 		dprint(1, ("validate_init_params: cookie absent\n"));
357 		sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM,
358 		    (char *)&mpc, sizeof (sctp_mpc_t), inmp, 0, B_FALSE, ira);
359 		return (0);
360 	}
361 
362 	/* OK */
363 	return (1);
364 
365 abort:
366 	if (want_cookie != NULL)
367 		return (0);
368 
369 	sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details,
370 	    errlen, inmp, 0, B_FALSE, ira);
371 	return (0);
372 }
373 
374 /*
375  * Initialize params from the INIT and INIT-ACK when the assoc. is
376  * established.
377  */
378 boolean_t
379 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init,
380     sctp_init_chunk_t *iack)
381 {
382 	/* Get initial TSN */
383 	sctp->sctp_ftsn = ntohl(init->sic_inittsn);
384 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
385 
386 	/* Serial number is initialized to the same value as the TSN */
387 	sctp->sctp_fcsn = sctp->sctp_lastacked;
388 
389 	/*
390 	 * Get verification tags; no byteordering is necessary, since
391 	 * verfication tags are never processed except for byte-by-byte
392 	 * comparisons.
393 	 */
394 	sctp->sctp_fvtag = init->sic_inittag;
395 	sctp->sctp_sctph->sh_verf = init->sic_inittag;
396 	sctp->sctp_sctph6->sh_verf = init->sic_inittag;
397 	sctp->sctp_lvtag = iack->sic_inittag;
398 
399 	/* Get the peer's rwnd */
400 	sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
401 
402 	/* Allocate the in/out-stream counters */
403 	sctp->sctp_num_ostr = iack->sic_outstr;
404 	sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
405 	    sctp->sctp_num_ostr, KM_NOSLEEP);
406 	if (sctp->sctp_ostrcntrs == NULL)
407 		return (B_FALSE);
408 
409 	sctp->sctp_num_istr = iack->sic_instr;
410 	sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
411 	    sctp->sctp_num_istr, KM_NOSLEEP);
412 	if (sctp->sctp_instr == NULL) {
413 		kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
414 		    sctp->sctp_num_ostr);
415 		sctp->sctp_ostrcntrs = NULL;
416 		return (B_FALSE);
417 	}
418 	return (B_TRUE);
419 }
420 
421 /*
422  * Copy the peer's original source address into addr. This relies on the
423  * following format (see sctp_send_initack() below):
424  * 	relative timestamp for the cookie (int64_t) +
425  * 	cookie lifetime (uint32_t) +
426  * 	local tie-tag (uint32_t) +  peer tie-tag (uint32_t) +
427  * 	Peer's original src ...
428  */
429 int
430 cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr)
431 {
432 	uchar_t	*off;
433 
434 	ASSERT(addr != NULL);
435 
436 	if (ch->sch_id != CHUNK_COOKIE)
437 		return (EINVAL);
438 
439 	off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) +
440 	    sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t);
441 
442 	bcopy(off, addr, sizeof (*addr));
443 
444 	return (0);
445 }
446 
447 #define	SCTP_CALC_COOKIE_LEN(initcp) \
448 	sizeof (int64_t) +		/* timestamp */			\
449 	sizeof (uint32_t) +		/* cookie lifetime */		\
450 	sizeof (sctp_init_chunk_t) +	/* INIT ACK */			\
451 	sizeof (in6_addr_t) +		/* peer's original source */ 	\
452 	ntohs((initcp)->sch_len) +	/* peer's INIT */		\
453 	sizeof (uint32_t) +		/* local tie-tag */		\
454 	sizeof (uint32_t) +		/* peer tie-tag */		\
455 	sizeof (sctp_parm_hdr_t) +	/* param header */		\
456 	16				/* MD5 hash */
457 
458 /*
459  * Note that sctp is the listener, hence we shouldn't modify it.
460  */
461 void
462 sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
463     mblk_t *initmp, ip_recv_attr_t *ira)
464 {
465 	ipha_t			*initiph;
466 	ip6_t			*initip6h;
467 	ipha_t			*iackiph = NULL;
468 	ip6_t			*iackip6h = NULL;
469 	sctp_chunk_hdr_t	*iack_ch;
470 	sctp_init_chunk_t	*iack;
471 	sctp_init_chunk_t	*init;
472 	sctp_hdr_t		*iacksh;
473 	size_t			cookielen;
474 	size_t			iacklen;
475 	size_t			ipsctplen;
476 	size_t			errlen = 0;
477 	sctp_parm_hdr_t		*cookieph;
478 	mblk_t			*iackmp;
479 	uint32_t		itag;
480 	uint32_t		itsn;
481 	int64_t			*now;
482 	int64_t			nowt;
483 	uint32_t		*lifetime;
484 	char			*p;
485 	boolean_t		 isv4;
486 	int			supp_af = 0;
487 	uint_t			sctp_options;
488 	uint32_t		*ttag;
489 	int			pad;
490 	mblk_t			*errmp = NULL;
491 	boolean_t		initcollision = B_FALSE;
492 	boolean_t		linklocal = B_FALSE;
493 	sctp_stack_t		*sctps = sctp->sctp_sctps;
494 	conn_t			*connp = sctp->sctp_connp;
495 	int			err;
496 	ip_xmit_attr_t		*ixa = NULL;
497 
498 	BUMP_LOCAL(sctp->sctp_ibchunks);
499 	isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION);
500 
501 	/* Extract the INIT chunk */
502 	if (isv4) {
503 		initiph = (ipha_t *)initmp->b_rptr;
504 		ipsctplen = sctp->sctp_ip_hdr_len;
505 		supp_af |= PARM_SUPP_V4;
506 	} else {
507 		initip6h = (ip6_t *)initmp->b_rptr;
508 		ipsctplen = sctp->sctp_ip_hdr6_len;
509 		if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src) ||
510 		    IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_dst))
511 			linklocal = B_TRUE;
512 		supp_af |= PARM_SUPP_V6;
513 		if (!sctp->sctp_connp->conn_ipv6_v6only)
514 			supp_af |= PARM_SUPP_V4;
515 	}
516 	ASSERT(OK_32PTR(initsh));
517 	init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch));
518 
519 	/* Make sure we like the peer's parameters */
520 	if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp,
521 	    &supp_af, &sctp_options, ira) == 0) {
522 		return;
523 	}
524 	if (errmp != NULL)
525 		errlen = msgdsize(errmp);
526 	if (connp->conn_family == AF_INET) {
527 		/*
528 		 * Irregardless of the supported address in the INIT, v4
529 		 * must be supported.
530 		 */
531 		supp_af = PARM_SUPP_V4;
532 	}
533 	if (sctp->sctp_state <= SCTPS_LISTEN) {
534 		/* normal, expected INIT: generate new vtag and itsn */
535 		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
536 		if (itag == 0)
537 			itag = (uint32_t)gethrtime();
538 		itsn = itag + 1;
539 		itag = htonl(itag);
540 	} else if (sctp->sctp_state == SCTPS_COOKIE_WAIT ||
541 	    sctp->sctp_state == SCTPS_COOKIE_ECHOED) {
542 		/* init collision; copy vtag and itsn from sctp */
543 		itag = sctp->sctp_lvtag;
544 		itsn = sctp->sctp_ltsn;
545 		/*
546 		 * In addition we need to send all the params that was sent
547 		 * in our INIT chunk. Essentially, it is only the supported
548 		 * address params that we need to add.
549 		 */
550 		initcollision = B_TRUE;
551 		/*
552 		 * When we sent the INIT, we should have set linklocal in
553 		 * the sctp which should be good enough.
554 		 */
555 		if (linklocal)
556 			linklocal = B_FALSE;
557 	} else {
558 		/* peer restart; generate new vtag but keep everything else */
559 		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
560 		if (itag == 0)
561 			itag = (uint32_t)gethrtime();
562 		itag = htonl(itag);
563 		itsn = sctp->sctp_ltsn;
564 	}
565 
566 	/*
567 	 * Allocate a mblk for the INIT ACK, consisting of the link layer
568 	 * header, the IP header, the SCTP common header, and INIT ACK chunk,
569 	 * and finally the COOKIE parameter.
570 	 */
571 	cookielen = SCTP_CALC_COOKIE_LEN(ch);
572 	iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen;
573 	if (sctp->sctp_send_adaptation)
574 		iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t));
575 	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
576 	    sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
577 		iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION);
578 	}
579 	if (initcollision)
580 		iacklen += sctp_supaddr_param_len(sctp);
581 	if (!linklocal)
582 		iacklen += sctp_addr_params(sctp, supp_af, NULL, B_FALSE);
583 	ipsctplen += sizeof (*iacksh) + iacklen;
584 	iacklen += errlen;
585 	if ((pad = ipsctplen % 4) != 0) {
586 		pad = 4 - pad;
587 		ipsctplen += pad;
588 	}
589 
590 	/*
591 	 * Base the transmission on any routing-related socket options
592 	 * that have been set on the listener.
593 	 */
594 	ixa = conn_get_ixa_exclusive(connp);
595 	if (ixa == NULL) {
596 		sctp_send_abort(sctp, sctp_init2vtag(ch),
597 		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
598 		return;
599 	}
600 	ixa->ixa_flags &= ~IXAF_VERIFY_PMTU;
601 
602 	if (isv4)
603 		ixa->ixa_flags |= IXAF_IS_IPV4;
604 	else
605 		ixa->ixa_flags &= ~IXAF_IS_IPV4;
606 
607 	/*
608 	 * If the listen socket is bound to a trusted extensions multi-label
609 	 * port, a MAC-Exempt connection with an unlabeled node, we use the
610 	 * the security label of the received INIT packet.
611 	 * If not a multi-label port, attach the unmodified
612 	 * listener's label directly.
613 	 *
614 	 * We expect Sun developed kernel modules to properly set
615 	 * cred labels for sctp connections. We can't be so sure this
616 	 * will be done correctly when 3rd party kernel modules
617 	 * directly use sctp. We check for a NULL ira_tsl to cover this
618 	 * possibility.
619 	 */
620 	if (is_system_labeled()) {
621 		/* Discard any old label */
622 		if (ixa->ixa_free_flags & IXA_FREE_TSL) {
623 			ASSERT(ixa->ixa_tsl != NULL);
624 			label_rele(ixa->ixa_tsl);
625 			ixa->ixa_free_flags &= ~IXA_FREE_TSL;
626 			ixa->ixa_tsl = NULL;
627 		}
628 
629 		if (connp->conn_mlp_type != mlptSingle ||
630 		    connp->conn_mac_mode != CONN_MAC_DEFAULT) {
631 			if (ira->ira_tsl == NULL) {
632 				sctp_send_abort(sctp, sctp_init2vtag(ch),
633 				    SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0,
634 				    B_FALSE, ira);
635 				ixa_refrele(ixa);
636 				return;
637 			}
638 			label_hold(ira->ira_tsl);
639 			ip_xmit_attr_replace_tsl(ixa, ira->ira_tsl);
640 		} else {
641 			ixa->ixa_tsl = crgetlabel(connp->conn_cred);
642 		}
643 	}
644 
645 	iackmp = allocb(ipsctplen + sctps->sctps_wroff_xtra, BPRI_MED);
646 	if (iackmp == NULL) {
647 		sctp_send_abort(sctp, sctp_init2vtag(ch),
648 		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
649 		ixa_refrele(ixa);
650 		return;
651 	}
652 
653 	/* Copy in the [imcomplete] IP/SCTP composite header */
654 	p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra);
655 	iackmp->b_rptr = (uchar_t *)p;
656 	if (isv4) {
657 		bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len);
658 		iackiph = (ipha_t *)p;
659 
660 		/* Copy the peer's IP addr */
661 		iackiph->ipha_dst = initiph->ipha_src;
662 		iackiph->ipha_src = initiph->ipha_dst;
663 		iackiph->ipha_length = htons(ipsctplen + errlen);
664 		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len);
665 		ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr_len;
666 	} else {
667 		bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len);
668 		iackip6h = (ip6_t *)p;
669 
670 		/* Copy the peer's IP addr */
671 		iackip6h->ip6_dst = initip6h->ip6_src;
672 		iackip6h->ip6_src = initip6h->ip6_dst;
673 		iackip6h->ip6_plen = htons(ipsctplen + errlen - IPV6_HDR_LEN);
674 		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len);
675 		ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr6_len;
676 	}
677 	ixa->ixa_pktlen = ipsctplen + errlen;
678 
679 	ASSERT(OK_32PTR(iacksh));
680 
681 	/* Fill in the holes in the SCTP common header */
682 	iacksh->sh_sport = initsh->sh_dport;
683 	iacksh->sh_dport = initsh->sh_sport;
684 	iacksh->sh_verf = init->sic_inittag;
685 
686 	/* INIT ACK chunk header */
687 	iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1);
688 	iack_ch->sch_id = CHUNK_INIT_ACK;
689 	iack_ch->sch_flags = 0;
690 	iack_ch->sch_len = htons(iacklen);
691 
692 	/* The INIT ACK itself */
693 	iack = (sctp_init_chunk_t *)(iack_ch + 1);
694 	iack->sic_inittag = itag;	/* already in network byteorder */
695 	iack->sic_inittsn = htonl(itsn);
696 
697 	iack->sic_a_rwnd = htonl(sctp->sctp_rwnd);
698 	/* Advertise what we would want to have as stream #'s */
699 	iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr,
700 	    ntohs(init->sic_instr)));
701 	iack->sic_instr = htons(sctp->sctp_num_istr);
702 
703 	p = (char *)(iack + 1);
704 	p += sctp_adaptation_code_param(sctp, (uchar_t *)p);
705 	if (initcollision)
706 		p += sctp_supaddr_param(sctp, (uchar_t *)p);
707 	if (!linklocal)
708 		p += sctp_addr_params(sctp, supp_af, (uchar_t *)p, B_FALSE);
709 	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
710 	    sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
711 		p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION);
712 	}
713 	/*
714 	 * Generate and lay in the COOKIE parameter.
715 	 *
716 	 * Any change here that results in a change of location for
717 	 * the peer's orig source address must be propagated to the fn
718 	 * cl_sctp_cookie_paddr() above.
719 	 *
720 	 * The cookie consists of:
721 	 * 1. The relative timestamp for the cookie (lbolt64)
722 	 * 2. The cookie lifetime (uint32_t) in tick
723 	 * 3. The local tie-tag
724 	 * 4. The peer tie-tag
725 	 * 5. Peer's original src, used to confirm the validity of address.
726 	 * 6. Our INIT ACK chunk, less any parameters
727 	 * 7. The INIT chunk (may contain parameters)
728 	 * 8. 128-bit MD5 signature.
729 	 *
730 	 * Since the timestamp values will only be evaluated locally, we
731 	 * don't need to worry about byte-ordering them.
732 	 */
733 	cookieph = (sctp_parm_hdr_t *)p;
734 	cookieph->sph_type = htons(PARM_COOKIE);
735 	cookieph->sph_len = htons(cookielen);
736 
737 	/* timestamp */
738 	now = (int64_t *)(cookieph + 1);
739 	nowt = ddi_get_lbolt64();
740 	bcopy(&nowt, now, sizeof (*now));
741 
742 	/* cookie lifetime -- need configuration */
743 	lifetime = (uint32_t *)(now + 1);
744 	*lifetime = sctp->sctp_cookie_lifetime;
745 
746 	/* Set the tie-tags */
747 	ttag = (uint32_t *)(lifetime + 1);
748 	if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) {
749 		*ttag = 0;
750 		ttag++;
751 		*ttag = 0;
752 		ttag++;
753 	} else {
754 		/* local tie-tag (network byte-order) */
755 		*ttag = sctp->sctp_lvtag;
756 		ttag++;
757 		/* peer tie-tag (network byte-order) */
758 		*ttag = sctp->sctp_fvtag;
759 		ttag++;
760 	}
761 	/*
762 	 * Copy in peer's original source address so that we can confirm
763 	 * the reachability later.
764 	 */
765 	p = (char *)ttag;
766 	if (isv4) {
767 		in6_addr_t peer_addr;
768 
769 		IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr);
770 		bcopy(&peer_addr, p, sizeof (in6_addr_t));
771 	} else {
772 		bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t));
773 	}
774 	p += sizeof (in6_addr_t);
775 	/* Copy in our INIT ACK chunk */
776 	bcopy(iack, p, sizeof (*iack));
777 	iack = (sctp_init_chunk_t *)p;
778 	/* Set the # of streams we'll end up using */
779 	iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr));
780 	iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr));
781 	p += sizeof (*iack);
782 
783 	/* Copy in the peer's INIT chunk */
784 	bcopy(ch, p, ntohs(ch->sch_len));
785 	p += ntohs(ch->sch_len);
786 
787 	/*
788 	 * Calculate the HMAC ICV into the digest slot in buf.
789 	 * First, generate a new secret if the current secret is
790 	 * older than the new secret lifetime parameter permits,
791 	 * copying the current secret to sctp_old_secret.
792 	 */
793 	if (sctps->sctps_new_secret_interval > 0 &&
794 	    (sctp->sctp_last_secret_update +
795 	    MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) {
796 		bcopy(sctp->sctp_secret, sctp->sctp_old_secret,
797 		    SCTP_SECRET_LEN);
798 		(void) random_get_pseudo_bytes(sctp->sctp_secret,
799 		    SCTP_SECRET_LEN);
800 		sctp->sctp_last_secret_update = nowt;
801 	}
802 
803 	hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16,
804 	    (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p);
805 
806 	iackmp->b_wptr = iackmp->b_rptr + ipsctplen;
807 	if (pad != 0)
808 		bzero((iackmp->b_wptr - pad), pad);
809 
810 	iackmp->b_cont = errmp;		/*  OK if NULL */
811 
812 	if (is_system_labeled()) {
813 		ts_label_t *effective_tsl = NULL;
814 
815 		ASSERT(ira->ira_tsl != NULL);
816 
817 		/* Discard any old label */
818 		if (ixa->ixa_free_flags & IXA_FREE_TSL) {
819 			ASSERT(ixa->ixa_tsl != NULL);
820 			label_rele(ixa->ixa_tsl);
821 			ixa->ixa_free_flags &= ~IXA_FREE_TSL;
822 		}
823 		ixa->ixa_tsl = ira->ira_tsl;	/* A multi-level responder */
824 
825 		/*
826 		 * We need to check for label-related failures which implies
827 		 * an extra call to tsol_check_dest (as ip_output_simple
828 		 * also does a tsol_check_dest as part of computing the
829 		 * label for the packet, but ip_output_simple doesn't return
830 		 * a specific errno for that case so we can't rely on its
831 		 * check.)
832 		 */
833 		if (isv4) {
834 			err = tsol_check_dest(ixa->ixa_tsl, &iackiph->ipha_dst,
835 			    IPV4_VERSION, connp->conn_mac_mode,
836 			    connp->conn_zone_is_global, &effective_tsl);
837 		} else {
838 			err = tsol_check_dest(ixa->ixa_tsl, &iackip6h->ip6_dst,
839 			    IPV6_VERSION, connp->conn_mac_mode,
840 			    connp->conn_zone_is_global, &effective_tsl);
841 		}
842 		if (err != 0) {
843 			sctp_send_abort(sctp, sctp_init2vtag(ch),
844 			    SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE,
845 			    ira);
846 			ixa_refrele(ixa);
847 			freemsg(iackmp);
848 			return;
849 		}
850 		if (effective_tsl != NULL) {
851 			/*
852 			 * Since ip_output_simple will redo the
853 			 * tsol_check_dest, we just drop the ref.
854 			 */
855 			label_rele(effective_tsl);
856 		}
857 	}
858 
859 	BUMP_LOCAL(sctp->sctp_opkts);
860 	BUMP_LOCAL(sctp->sctp_obchunks);
861 
862 	(void) ip_output_simple(iackmp, ixa);
863 	ixa_refrele(ixa);
864 }
865 
866 void
867 sctp_send_cookie_ack(sctp_t *sctp)
868 {
869 	sctp_chunk_hdr_t *cach;
870 	mblk_t *camp;
871 	sctp_stack_t	*sctps = sctp->sctp_sctps;
872 
873 	camp = sctp_make_mp(sctp, sctp->sctp_current, sizeof (*cach));
874 	if (camp == NULL) {
875 		/* XXX should abort, but don't have the inmp anymore */
876 		SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed);
877 		return;
878 	}
879 
880 	cach = (sctp_chunk_hdr_t *)camp->b_wptr;
881 	camp->b_wptr = (uchar_t *)(cach + 1);
882 	cach->sch_id = CHUNK_COOKIE_ACK;
883 	cach->sch_flags = 0;
884 	cach->sch_len = htons(sizeof (*cach));
885 
886 	BUMP_LOCAL(sctp->sctp_obchunks);
887 
888 	sctp_set_iplen(sctp, camp, sctp->sctp_current->ixa);
889 	(void) conn_ip_output(camp, sctp->sctp_current->ixa);
890 	BUMP_LOCAL(sctp->sctp_opkts);
891 }
892 
893 static int
894 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code)
895 {
896 
897 	if (len < sizeof (*sph))
898 		return (-1);
899 	while (sph != NULL) {
900 		if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) &&
901 		    ntohs(sph->sph_len) >= (sizeof (*sph) +
902 		    sizeof (uint32_t))) {
903 			*adaptation_code = *(uint32_t *)(sph + 1);
904 			return (0);
905 		}
906 		sph = sctp_next_parm(sph, &len);
907 	}
908 	return (-1);
909 }
910 
911 void
912 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp,
913     ip_recv_attr_t *ira)
914 {
915 	mblk_t			*cemp;
916 	mblk_t			*mp = NULL;
917 	mblk_t			*head;
918 	mblk_t			*meta;
919 	sctp_faddr_t		*fp;
920 	sctp_chunk_hdr_t	*cech;
921 	sctp_init_chunk_t	 *iack;
922 	int32_t			cansend;
923 	int32_t			seglen;
924 	size_t			ceclen;
925 	sctp_parm_hdr_t		*cph;
926 	sctp_data_hdr_t		*sdc;
927 	sctp_tf_t		*tf;
928 	int			pad = 0;
929 	int			hdrlen;
930 	mblk_t			*errmp = NULL;
931 	uint_t			sctp_options;
932 	int			error;
933 	uint16_t		old_num_str;
934 	sctp_stack_t		*sctps = sctp->sctp_sctps;
935 
936 	iack = (sctp_init_chunk_t *)(iackch + 1);
937 
938 	cph = NULL;
939 	if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp,
940 	    &pad, &sctp_options, ira) == 0) { /* result in 'pad' ignored */
941 		BUMP_MIB(&sctps->sctps_mib, sctpAborted);
942 		sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL);
943 		sctp_clean_death(sctp, ECONNABORTED);
944 		return;
945 	}
946 	ASSERT(cph != NULL);
947 
948 	ASSERT(sctp->sctp_cookie_mp == NULL);
949 
950 	/* Got a cookie to echo back; allocate an mblk */
951 	ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph);
952 	if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0)
953 		pad = SCTP_ALIGN - pad;
954 
955 	if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION)
956 		hdrlen = sctp->sctp_hdr_len;
957 	else
958 		hdrlen = sctp->sctp_hdr6_len;
959 
960 	cemp = allocb(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad,
961 	    BPRI_MED);
962 	if (cemp == NULL) {
963 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
964 		    sctp->sctp_current->rto);
965 		if (errmp != NULL)
966 			freeb(errmp);
967 		return;
968 	}
969 	cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen);
970 
971 	/* Process the INIT ACK */
972 	sctp->sctp_sctph->sh_verf = iack->sic_inittag;
973 	sctp->sctp_sctph6->sh_verf = iack->sic_inittag;
974 	sctp->sctp_fvtag = iack->sic_inittag;
975 	sctp->sctp_ftsn = ntohl(iack->sic_inittsn);
976 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
977 	sctp->sctp_fcsn = sctp->sctp_lastacked;
978 	sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd);
979 
980 	/*
981 	 * Populate sctp with addresses given in the INIT ACK or IP header.
982 	 * Need to set the df bit in the current fp as it has been cleared
983 	 * in sctp_connect().
984 	 */
985 	sctp->sctp_current->df = B_TRUE;
986 	sctp->sctp_ipha->ipha_fragment_offset_and_flags |= IPH_DF_HTONS;
987 
988 	/*
989 	 * Since IP uses this info during the fanout process, we need to hold
990 	 * the lock for this hash line while performing this operation.
991 	 */
992 	/* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, connp->conn_ports); */
993 	ASSERT(sctp->sctp_conn_tfp != NULL);
994 	tf = sctp->sctp_conn_tfp;
995 	/* sctp isn't a listener so only need to hold conn fanout lock */
996 	mutex_enter(&tf->tf_lock);
997 	if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) {
998 		mutex_exit(&tf->tf_lock);
999 		freeb(cemp);
1000 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
1001 		    sctp->sctp_current->rto);
1002 		if (errmp != NULL)
1003 			freeb(errmp);
1004 		return;
1005 	}
1006 	mutex_exit(&tf->tf_lock);
1007 
1008 	fp = sctp->sctp_current;
1009 
1010 	/*
1011 	 * There could be a case when we get an INIT-ACK again, if the INIT
1012 	 * is re-transmitted, for e.g., which means we would have already
1013 	 * allocated this resource earlier (also for sctp_instr). In this
1014 	 * case we check and re-allocate, if necessary.
1015 	 */
1016 	old_num_str = sctp->sctp_num_ostr;
1017 	if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr)
1018 		sctp->sctp_num_ostr = ntohs(iack->sic_instr);
1019 	if (sctp->sctp_ostrcntrs == NULL) {
1020 		sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
1021 		    sctp->sctp_num_ostr, KM_NOSLEEP);
1022 	} else {
1023 		ASSERT(old_num_str > 0);
1024 		if (old_num_str != sctp->sctp_num_ostr) {
1025 			kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
1026 			    old_num_str);
1027 			sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
1028 			    sctp->sctp_num_ostr, KM_NOSLEEP);
1029 		}
1030 	}
1031 	if (sctp->sctp_ostrcntrs == NULL) {
1032 		freeb(cemp);
1033 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
1034 		if (errmp != NULL)
1035 			freeb(errmp);
1036 		return;
1037 	}
1038 
1039 	/*
1040 	 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs
1041 	 * hold here too.
1042 	 */
1043 	old_num_str = sctp->sctp_num_istr;
1044 	if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr)
1045 		sctp->sctp_num_istr = ntohs(iack->sic_outstr);
1046 	if (sctp->sctp_instr == NULL) {
1047 		sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
1048 		    sctp->sctp_num_istr, KM_NOSLEEP);
1049 	} else {
1050 		ASSERT(old_num_str > 0);
1051 		if (old_num_str != sctp->sctp_num_istr) {
1052 			kmem_free(sctp->sctp_instr,
1053 			    sizeof (*sctp->sctp_instr) * old_num_str);
1054 			sctp->sctp_instr = kmem_zalloc(
1055 			    sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr,
1056 			    KM_NOSLEEP);
1057 		}
1058 	}
1059 	if (sctp->sctp_instr == NULL) {
1060 		kmem_free(sctp->sctp_ostrcntrs,
1061 		    sizeof (uint16_t) * sctp->sctp_num_ostr);
1062 		freeb(cemp);
1063 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
1064 		if (errmp != NULL)
1065 			freeb(errmp);
1066 		return;
1067 	}
1068 
1069 	if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware)
1070 		sctp->sctp_prsctp_aware = B_FALSE;
1071 
1072 	if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1),
1073 	    ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)),
1074 	    &sctp->sctp_rx_adaptation_code) == 0) {
1075 		sctp->sctp_recv_adaptation = 1;
1076 	}
1077 
1078 	cech = (sctp_chunk_hdr_t *)cemp->b_rptr;
1079 	ASSERT(OK_32PTR(cech));
1080 	cech->sch_id = CHUNK_COOKIE;
1081 	cech->sch_flags = 0;
1082 	cech->sch_len = htons(ceclen);
1083 
1084 	/* Copy the cookie (less the parm hdr) to the chunk */
1085 	bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph));
1086 
1087 	cemp->b_wptr = cemp->b_rptr + ceclen;
1088 
1089 	if (sctp->sctp_unsent > 0) {
1090 		sctp_msg_hdr_t	*smh;
1091 		mblk_t		*prev = NULL;
1092 		uint32_t	unsent = 0;
1093 
1094 		mp = sctp->sctp_xmit_unsent;
1095 		do {
1096 			smh = (sctp_msg_hdr_t *)mp->b_rptr;
1097 			if (smh->smh_sid >= sctp->sctp_num_ostr) {
1098 				unsent += smh->smh_msglen;
1099 				if (prev != NULL)
1100 					prev->b_next = mp->b_next;
1101 				else
1102 					sctp->sctp_xmit_unsent = mp->b_next;
1103 				mp->b_next = NULL;
1104 				sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID,
1105 				    B_FALSE);
1106 				if (prev != NULL)
1107 					mp = prev->b_next;
1108 				else
1109 					mp = sctp->sctp_xmit_unsent;
1110 			} else {
1111 				prev = mp;
1112 				mp = mp->b_next;
1113 			}
1114 		} while (mp != NULL);
1115 		if (unsent > 0) {
1116 			ASSERT(sctp->sctp_unsent >= unsent);
1117 			sctp->sctp_unsent -= unsent;
1118 			/*
1119 			 * Update ULP the amount of queued data, which is
1120 			 * sent-unack'ed + unsent.
1121 			 * This is not necessary, but doesn't harm, we
1122 			 * just use unsent instead of sent-unack'ed +
1123 			 * unsent, since there won't be any sent-unack'ed
1124 			 * here.
1125 			 */
1126 			if (!SCTP_IS_DETACHED(sctp))
1127 				SCTP_TXQ_UPDATE(sctp);
1128 		}
1129 		if (sctp->sctp_xmit_unsent == NULL)
1130 			sctp->sctp_xmit_unsent_tail = NULL;
1131 	}
1132 	ceclen += pad;
1133 	cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd);
1134 	meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen,
1135 	    cansend,  NULL);
1136 	/*
1137 	 * The error cannot be anything else since we could have an non-zero
1138 	 * error only if sctp_get_msg_to_send() tries to send a Forward
1139 	 * TSN which will not happen here.
1140 	 */
1141 	ASSERT(error == 0);
1142 	if (meta == NULL)
1143 		goto sendcookie;
1144 	sctp->sctp_xmit_tail = meta;
1145 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
1146 	seglen = ntohs(sdc->sdh_len);
1147 	if ((ceclen + seglen) > fp->sfa_pmss ||
1148 	    (seglen - sizeof (*sdc)) > cansend) {
1149 		goto sendcookie;
1150 	}
1151 	/* OK, if this fails */
1152 	cemp->b_cont = dupmsg(mp);
1153 sendcookie:
1154 	head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL);
1155 	if (head == NULL) {
1156 		freemsg(cemp);
1157 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
1158 		if (errmp != NULL)
1159 			freeb(errmp);
1160 		SCTP_KSTAT(sctps, sctp_send_cookie_failed);
1161 		return;
1162 	}
1163 	/*
1164 	 * Even if cookie-echo exceeds MTU for one of the hops, it'll
1165 	 * have a chance of getting there.
1166 	 */
1167 	if (fp->isv4) {
1168 		ipha_t *iph = (ipha_t *)head->b_rptr;
1169 		iph->ipha_fragment_offset_and_flags = 0;
1170 	}
1171 	BUMP_LOCAL(sctp->sctp_obchunks);
1172 
1173 	sctp->sctp_cookie_mp = dupmsg(head);
1174 	/* Don't bundle, we will just resend init if this cookie is lost. */
1175 	if (sctp->sctp_cookie_mp == NULL) {
1176 		if (cemp->b_cont != NULL) {
1177 			freemsg(cemp->b_cont);
1178 			cemp->b_cont = NULL;
1179 		}
1180 	} else if (cemp->b_cont != NULL) {
1181 		ASSERT(mp != NULL && mp == meta->b_cont);
1182 		SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont);
1183 		cemp->b_wptr += pad;
1184 		seglen -= sizeof (*sdc);
1185 		SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta);
1186 	}
1187 	if (errmp != NULL) {
1188 		if (cemp->b_cont == NULL)
1189 			cemp->b_wptr += pad;
1190 		linkb(head, errmp);
1191 	}
1192 	sctp->sctp_state = SCTPS_COOKIE_ECHOED;
1193 	SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
1194 
1195 	sctp_set_iplen(sctp, head, fp->ixa);
1196 	(void) conn_ip_output(head, fp->ixa);
1197 	BUMP_LOCAL(sctp->sctp_opkts);
1198 }
1199 
1200 int
1201 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
1202     sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaptation,
1203     in6_addr_t *peer_addr, ip_recv_attr_t *ira)
1204 {
1205 	int32_t			clen;
1206 	size_t			initplen;
1207 	uchar_t			*p;
1208 	uchar_t			*given_hash;
1209 	uchar_t			needed_hash[16];
1210 	int64_t			ts;
1211 	int64_t			diff;
1212 	uint32_t		*lt;
1213 	sctp_init_chunk_t	*iack;
1214 	sctp_chunk_hdr_t	*initch;
1215 	sctp_init_chunk_t	*init;
1216 	uint32_t		*lttag;
1217 	uint32_t		*fttag;
1218 	uint32_t		ports;
1219 	sctp_stack_t		*sctps = sctp->sctp_sctps;
1220 	conn_t			*connp = sctp->sctp_connp;
1221 
1222 	BUMP_LOCAL(sctp->sctp_ibchunks);
1223 	/* Verify the ICV */
1224 	clen = ntohs(ch->sch_len) - sizeof (*ch) - 16;
1225 	if (clen < 0) {
1226 		dprint(1, ("invalid cookie chunk length %d\n",
1227 		    ntohs(ch->sch_len)));
1228 
1229 		return (-1);
1230 	}
1231 	p = (uchar_t *)(ch + 1);
1232 
1233 	hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN,
1234 	    needed_hash);
1235 
1236 	/* The given hash follows the cookie data */
1237 	given_hash = p + clen;
1238 
1239 	if (bcmp(given_hash, needed_hash, 16) != 0) {
1240 		/* The secret may have changed; try the old secret */
1241 		hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret,
1242 		    SCTP_SECRET_LEN, needed_hash);
1243 		if (bcmp(given_hash, needed_hash, 16) != 0) {
1244 			return (-1);
1245 		}
1246 	}
1247 
1248 	/* Timestamp is int64_t, and we only guarantee 32-bit alignment */
1249 	bcopy(p, &ts, sizeof (ts));
1250 	/* Cookie life time, uint32_t */
1251 	lt = (uint32_t *)(p + sizeof (ts));
1252 
1253 	/*
1254 	 * To quote PRC, "this is our baby", so let's continue.
1255 	 * We need to pull out the encapsulated INIT ACK and
1256 	 * INIT chunks. Note that we don't process these until
1257 	 * we have verified the timestamp, but we need them before
1258 	 * processing the timestamp since if the time check fails,
1259 	 * we need to get the verification tag from the INIT in order
1260 	 * to send a stale cookie error.
1261 	 */
1262 	lttag = (uint32_t *)(lt + 1);
1263 	fttag = lttag + 1;
1264 	if (peer_addr != NULL)
1265 		bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t));
1266 	iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t));
1267 	initch = (sctp_chunk_hdr_t *)(iack + 1);
1268 	init = (sctp_init_chunk_t *)(initch + 1);
1269 	initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch));
1270 	*iackpp = iack;
1271 	*recv_adaptation = 0;
1272 
1273 	/*
1274 	 * Check the staleness of the Cookie, specified in 3.3.10.3 of
1275 	 * RFC 2960.
1276 	 *
1277 	 * The mesaure of staleness is the difference, in microseconds,
1278 	 * between the current time and the time the State Cookie expires.
1279 	 * So it is lbolt64 - (ts + *lt).  If it is positive, it means
1280 	 * that the Cookie has expired.
1281 	 */
1282 	diff = ddi_get_lbolt64() - (ts + *lt);
1283 	if (diff > 0 && (init->sic_inittag != sctp->sctp_fvtag ||
1284 	    iack->sic_inittag != sctp->sctp_lvtag)) {
1285 		uint32_t staleness;
1286 
1287 		staleness = TICK_TO_USEC(diff);
1288 		staleness = htonl(staleness);
1289 		sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE,
1290 		    (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE,
1291 		    ira);
1292 
1293 		dprint(1, ("stale cookie %d\n", staleness));
1294 
1295 		return (-1);
1296 	}
1297 
1298 	/* Check for attack by adding addresses to a restart */
1299 	bcopy(insctph, &ports, sizeof (ports));
1300 	if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP,
1301 	    sctps, ira) != 1) {
1302 		return (-1);
1303 	}
1304 
1305 	/* Look for adaptation code if there any parms in the INIT chunk */
1306 	if ((initplen >= sizeof (sctp_parm_hdr_t)) &&
1307 	    (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen,
1308 	    &sctp->sctp_rx_adaptation_code) == 0)) {
1309 		*recv_adaptation = 1;
1310 	}
1311 
1312 	/* Examine tie-tags */
1313 
1314 	if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) {
1315 		if (sctp->sctp_state == SCTPS_ESTABLISHED &&
1316 		    init->sic_inittag == sctp->sctp_fvtag &&
1317 		    iack->sic_inittag == sctp->sctp_lvtag &&
1318 		    *fttag == 0 && *lttag == 0) {
1319 
1320 			dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n",
1321 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1322 			    (int)(connp->conn_fport)));
1323 			return (-1);
1324 		}
1325 
1326 		if (init->sic_inittag != sctp->sctp_fvtag &&
1327 		    iack->sic_inittag != sctp->sctp_lvtag &&
1328 		    *fttag == sctp->sctp_fvtag &&
1329 		    *lttag == sctp->sctp_lvtag) {
1330 			int i;
1331 
1332 			/* Section 5.2.4 case A: restart */
1333 			sctp->sctp_fvtag = init->sic_inittag;
1334 			sctp->sctp_lvtag = iack->sic_inittag;
1335 
1336 			sctp->sctp_sctph->sh_verf = init->sic_inittag;
1337 			sctp->sctp_sctph6->sh_verf = init->sic_inittag;
1338 
1339 			sctp->sctp_ftsn = ntohl(init->sic_inittsn);
1340 			sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
1341 			sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
1342 			sctp->sctp_fcsn = sctp->sctp_lastacked;
1343 
1344 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1345 				sctp->sctp_state = SCTPS_ESTABLISHED;
1346 				sctp->sctp_assoc_start_time =
1347 				    (uint32_t)ddi_get_lbolt();
1348 			}
1349 
1350 			dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n",
1351 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1352 			    (int)(connp->conn_fport)));
1353 			/* reset parameters */
1354 			sctp_congest_reset(sctp);
1355 
1356 			/* reset stream bookkeeping */
1357 			sctp_instream_cleanup(sctp, B_FALSE);
1358 
1359 			sctp->sctp_istr_nmsgs = 0;
1360 			sctp->sctp_rxqueued = 0;
1361 			for (i = 0; i < sctp->sctp_num_ostr; i++) {
1362 				sctp->sctp_ostrcntrs[i] = 0;
1363 			}
1364 			/* XXX flush xmit_list? */
1365 
1366 			return (0);
1367 		} else if (init->sic_inittag != sctp->sctp_fvtag &&
1368 		    iack->sic_inittag == sctp->sctp_lvtag) {
1369 
1370 			/* Section 5.2.4 case B: INIT collision */
1371 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1372 				if (!sctp_initialize_params(sctp, init, iack))
1373 					return (-1);	/* Drop? */
1374 				sctp->sctp_state = SCTPS_ESTABLISHED;
1375 				sctp->sctp_assoc_start_time =
1376 				    (uint32_t)ddi_get_lbolt();
1377 			}
1378 
1379 			dprint(1, ("init collision with %x:%x:%x:%x (%d)\n",
1380 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1381 			    (int)(connp->conn_fport)));
1382 
1383 			return (0);
1384 		} else if (iack->sic_inittag != sctp->sctp_lvtag &&
1385 		    init->sic_inittag == sctp->sctp_fvtag &&
1386 		    *fttag == 0 && *lttag == 0) {
1387 
1388 			/* Section 5.2.4 case C: late COOKIE */
1389 			dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n",
1390 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1391 			    (int)(connp->conn_fport)));
1392 			return (-1);
1393 		} else if (init->sic_inittag == sctp->sctp_fvtag &&
1394 		    iack->sic_inittag == sctp->sctp_lvtag) {
1395 
1396 			/*
1397 			 * Section 5.2.4 case D: COOKIE ECHO retransmit
1398 			 * Don't check cookie lifetime
1399 			 */
1400 			dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n",
1401 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1402 			    (int)(connp->conn_fport)));
1403 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1404 				if (!sctp_initialize_params(sctp, init, iack))
1405 					return (-1);	/* Drop? */
1406 				sctp->sctp_state = SCTPS_ESTABLISHED;
1407 				sctp->sctp_assoc_start_time =
1408 				    (uint32_t)ddi_get_lbolt();
1409 			}
1410 			return (0);
1411 		} else {
1412 			/* unrecognized case -- silently drop it */
1413 			return (-1);
1414 		}
1415 	}
1416 
1417 	return (0);
1418 }
1419 
1420 /*
1421  * Similar to ip_fanout_sctp, except that the src addr(s) are drawn
1422  * from address parameters in an INIT ACK's address list. This
1423  * function is used when an INIT ACK is received but IP's fanout
1424  * function could not find a sctp via the normal lookup routine.
1425  * This can happen when a host sends an INIT ACK from a different
1426  * address than the INIT was sent to.
1427  *
1428  * Returns the sctp_t if found, or NULL if not found.
1429  */
1430 sctp_t *
1431 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich,
1432     zoneid_t zoneid, sctp_stack_t *sctps)
1433 {
1434 	int isv4;
1435 	ipha_t *iph;
1436 	ip6_t *ip6h;
1437 	in6_addr_t dst;
1438 	in6_addr_t src;
1439 	sctp_parm_hdr_t *ph;
1440 	ssize_t remaining;
1441 	sctp_init_chunk_t *iack;
1442 	uint32_t ports;
1443 	sctp_t *sctp = NULL;
1444 
1445 	ASSERT(ich->sch_id == CHUNK_INIT_ACK);
1446 
1447 	isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
1448 	if (isv4) {
1449 		iph = (ipha_t *)mp->b_rptr;
1450 		IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst);
1451 	} else {
1452 		ip6h = (ip6_t *)mp->b_rptr;
1453 		dst = ip6h->ip6_dst;
1454 	}
1455 
1456 	ports = *(uint32_t *)sctph;
1457 
1458 	dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n",
1459 	    ports, SCTP_PRINTADDR(dst)));
1460 
1461 	/* pull out any address parameters */
1462 	remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack);
1463 	if (remaining < sizeof (*ph)) {
1464 		return (NULL);
1465 	}
1466 
1467 	iack = (sctp_init_chunk_t *)(ich + 1);
1468 	ph = (sctp_parm_hdr_t *)(iack + 1);
1469 
1470 	while (ph != NULL) {
1471 		/*
1472 		 * params have been put in host byteorder by
1473 		 * sctp_check_input()
1474 		 *
1475 		 * For labeled systems, there's no need to check the
1476 		 * label here.  It's known to be good as we checked
1477 		 * before allowing the connection to become bound.
1478 		 */
1479 		if (ph->sph_type == PARM_ADDR4) {
1480 			IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1),
1481 			    &src);
1482 
1483 			sctp = sctp_conn_match(&src, &dst, ports, zoneid,
1484 			    0, sctps);
1485 
1486 			dprint(1,
1487 			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1488 			    SCTP_PRINTADDR(src), (void *)sctp));
1489 
1490 
1491 			if (sctp != NULL) {
1492 				return (sctp);
1493 			}
1494 		} else if (ph->sph_type == PARM_ADDR6) {
1495 			src = *(in6_addr_t *)(ph + 1);
1496 			sctp = sctp_conn_match(&src, &dst, ports, zoneid,
1497 			    0, sctps);
1498 
1499 			dprint(1,
1500 			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1501 			    SCTP_PRINTADDR(src), (void *)sctp));
1502 
1503 			if (sctp != NULL) {
1504 				return (sctp);
1505 			}
1506 		}
1507 
1508 		ph = sctp_next_parm(ph, &remaining);
1509 	}
1510 
1511 	return (NULL);
1512 }
1513