xref: /titanic_44/usr/src/uts/common/inet/sctp/sctp_cookie.c (revision 49df45665521d358380d3324f56fbc1ef143e72f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <sys/types.h>
30 #include <sys/systm.h>
31 #include <sys/stream.h>
32 #include <sys/cmn_err.h>
33 #include <sys/md5.h>
34 #include <sys/kmem.h>
35 #include <sys/strsubr.h>
36 #include <sys/random.h>
37 
38 #include <netinet/in.h>
39 #include <netinet/ip6.h>
40 
41 #include <inet/common.h>
42 #include <inet/ip.h>
43 #include <inet/ip6.h>
44 #include <inet/sctp_ip.h>
45 #include <inet/ipclassifier.h>
46 #include "sctp_impl.h"
47 
48 /*
49  * From RFC 2104. This should probably go into libmd5 (and while
50  * we're at it, maybe we should make a libdigest so we can later
51  * add SHA1 and others, esp. since some weaknesses have been found
52  * with MD5).
53  *
54  * text		IN			pointer to data stream
55  * text_len	IN			length of data stream
56  * key		IN			pointer to authentication key
57  * key_len	IN			length of authentication key
58  * digest	OUT			caller digest to be filled in
59  */
60 static void
61 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len,
62     uchar_t *digest)
63 {
64 	MD5_CTX context;
65 	uchar_t k_ipad[65];	/* inner padding - key XORd with ipad */
66 	uchar_t k_opad[65];	/* outer padding - key XORd with opad */
67 	uchar_t tk[16];
68 	int i;
69 
70 	/* if key is longer than 64 bytes reset it to key=MD5(key) */
71 	if (key_len > 64) {
72 		MD5_CTX tctx;
73 
74 		MD5Init(&tctx);
75 		MD5Update(&tctx, key, key_len);
76 		MD5Final(tk, &tctx);
77 
78 		key = tk;
79 		key_len = 16;
80 	}
81 
82 	/*
83 	 * the HMAC_MD5 transform looks like:
84 	 *
85 	 * MD5(K XOR opad, MD5(K XOR ipad, text))
86 	 *
87 	 * where K is an n byte key
88 	 * ipad is the byte 0x36 repeated 64 times
89 	 * opad is the byte 0x5c repeated 64 times
90 	 * and text is the data being protected
91 	 */
92 
93 	/* start out by storing key in pads */
94 	bzero(k_ipad, sizeof (k_ipad));
95 	bzero(k_opad, sizeof (k_opad));
96 	bcopy(key, k_ipad, key_len);
97 	bcopy(key, k_opad, key_len);
98 
99 	/* XOR key with ipad and opad values */
100 	for (i = 0; i < 64; i++) {
101 		k_ipad[i] ^= 0x36;
102 		k_opad[i] ^= 0x5c;
103 	}
104 	/*
105 	 * perform inner MD5
106 	 */
107 	MD5Init(&context);			/* init context for 1st */
108 						/* pass */
109 	MD5Update(&context, k_ipad, 64);	/* start with inner pad */
110 	MD5Update(&context, text, text_len);	/* then text of datagram */
111 	MD5Final(digest, &context);		/* finish up 1st pass */
112 	/*
113 	 * perform outer MD5
114 	 */
115 	MD5Init(&context);			/* init context for 2nd */
116 						/* pass */
117 	MD5Update(&context, k_opad, 64);	/* start with outer pad */
118 	MD5Update(&context, digest, 16);	/* then results of 1st */
119 						/* hash */
120 	MD5Final(digest, &context);		/* finish up 2nd pass */
121 }
122 
123 /*
124  * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP
125  * info in initmp to send the abort. Otherwise, no abort will be sent.
126  * If errmp is non-NULL, a chain of unrecognized parameters will
127  * be created and returned via *errmp.
128  *
129  * Returns 1 if the parameters are OK (or there are no parameters), or
130  * 0 if not.
131  */
132 static int
133 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch,
134     sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie,
135     mblk_t **errmp, int *supp_af, uint_t *sctp_options)
136 {
137 	sctp_parm_hdr_t		*cph;
138 	sctp_init_chunk_t	*ic;
139 	ssize_t			remaining;
140 	uint16_t		serror = 0;
141 	char			*details = NULL;
142 	size_t			errlen = 0;
143 	boolean_t		got_cookie = B_FALSE;
144 	uint16_t		ptype;
145 
146 	if (sctp_options != NULL)
147 		*sctp_options = 0;
148 
149 	/* First validate stream parameters */
150 	if (init->sic_instr == 0 || init->sic_outstr == 0) {
151 		serror = SCTP_ERR_BAD_MANDPARM;
152 		dprint(1,
153 		    ("validate_init_params: bad sid, is=%d os=%d\n",
154 			htons(init->sic_instr), htons(init->sic_outstr)));
155 		goto abort;
156 	}
157 	if (ntohl(init->sic_inittag) == 0) {
158 		serror = SCTP_ERR_BAD_MANDPARM;
159 		dprint(1, ("validate_init_params: inittag = 0\n"));
160 		goto abort;
161 	}
162 
163 	remaining = ntohs(ch->sch_len) - sizeof (*ch);
164 	ic = (sctp_init_chunk_t *)(ch + 1);
165 	remaining -= sizeof (*ic);
166 	if (remaining < sizeof (*cph)) {
167 		/* Nothing to validate */
168 		if (want_cookie != NULL)
169 			goto cookie_abort;
170 		return (1);
171 	}
172 
173 	cph = (sctp_parm_hdr_t *)(ic + 1);
174 
175 	while (cph != NULL) {
176 		ptype = ntohs(cph->sph_type);
177 		switch (ptype) {
178 		case PARM_HBINFO:
179 		case PARM_UNRECOGNIZED:
180 		case PARM_ECN:
181 			/* just ignore them */
182 			break;
183 		case PARM_FORWARD_TSN:
184 			if (sctp_options != NULL)
185 				*sctp_options |= SCTP_PRSCTP_OPTION;
186 			break;
187 		case PARM_COOKIE:
188 			got_cookie = B_TRUE;
189 			if (want_cookie != NULL) {
190 				*want_cookie = cph;
191 			}
192 			break;
193 		case PARM_ADDR4:
194 			*supp_af |= PARM_SUPP_V4;
195 			break;
196 		case PARM_ADDR6:
197 			*supp_af |= PARM_SUPP_V6;
198 			break;
199 		case PARM_COOKIE_PRESERVE:
200 		case PARM_ADAPT_LAYER_IND:
201 			/* These are OK */
202 			break;
203 		case PARM_ADDR_HOST_NAME:
204 			/* Don't support this; abort the association */
205 			serror = SCTP_ERR_BAD_ADDR;
206 			details = (char *)cph;
207 			errlen = ntohs(cph->sph_len);
208 			dprint(1, ("sctp:validate_init_params: host addr\n"));
209 			goto abort;
210 		case PARM_SUPP_ADDRS: {
211 			/* Make sure we have a supported addr intersection */
212 			uint16_t *p, addrtype;
213 			int plen;
214 
215 			plen = ntohs(cph->sph_len);
216 			p = (uint16_t *)(cph + 1);
217 			while (plen > 0) {
218 				addrtype = ntohs(*p);
219 				switch (addrtype) {
220 				case PARM_ADDR6:
221 					*supp_af |= PARM_SUPP_V6;
222 					break;
223 				case PARM_ADDR4:
224 					*supp_af |= PARM_SUPP_V4;
225 					break;
226 				default:
227 					/*
228 					 * Do nothing, silently ignore hostname
229 					 * address.
230 					 */
231 					break;
232 				}
233 				p++;
234 				plen -= sizeof (*p);
235 			}
236 			break;
237 		}
238 		default:
239 			/* Unrecognized param; check the high order bits */
240 			if ((ptype & 0xc000) == 0xc000) {
241 				/*
242 				 * report unrecognized param, and
243 				 * keep processing
244 				 */
245 				if (errmp != NULL) {
246 					if (want_cookie != NULL) {
247 						*errmp = sctp_make_err(sctp,
248 						    PARM_UNRECOGNIZED,
249 						    (void *)cph,
250 						    ntohs(cph->sph_len));
251 					} else {
252 						sctp_add_unrec_parm(cph, errmp);
253 					}
254 				}
255 				break;
256 			}
257 			if (ptype & 0x4000) {
258 				/*
259 				 * Stop processing and drop; report
260 				 * unrecognized param
261 				 */
262 				serror = SCTP_ERR_UNREC_PARM;
263 				details = (char *)cph;
264 				errlen = ntohs(cph->sph_len);
265 				goto abort;
266 			}
267 			if (ptype & 0x8000) {
268 				/* skip and continue processing */
269 				break;
270 			}
271 
272 			/*
273 			 * 2 high bits are clear; stop processing and
274 			 * drop packet
275 			 */
276 			return (0);
277 		}
278 
279 		cph = sctp_next_parm(cph, &remaining);
280 	}
281 	/*
282 	 * Some sanity checks.  The following should not fail unless the
283 	 * other side is broken.
284 	 *
285 	 * 1. If this is a V4 endpoint but V4 address is not
286 	 * supported, abort.
287 	 * 2. If this is a V6 only endpoint but V6 address is
288 	 * not supported, abort.  This assumes that a V6
289 	 * endpoint can use both V4 and V6 addresses.
290 	 * We only care about supp_af when processing INIT, i.e want_cookie
291 	 * is NULL.
292 	 */
293 	if (want_cookie == NULL &&
294 	    ((sctp->sctp_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) ||
295 	    (sctp->sctp_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) &&
296 	    sctp->sctp_connp->conn_ipv6_v6only))) {
297 		dprint(1, ("sctp:validate_init_params: supp addr\n"));
298 		serror = SCTP_ERR_BAD_ADDR;
299 		goto abort;
300 	}
301 
302 	if (want_cookie != NULL && !got_cookie) {
303 cookie_abort:
304 		dprint(1, ("validate_init_params: cookie absent\n"));
305 		sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM,
306 		    details, errlen, inmp, 0, B_FALSE);
307 		return (0);
308 	}
309 
310 	/* OK */
311 	return (1);
312 
313 abort:
314 	if (want_cookie != NULL)
315 		return (0);
316 
317 	sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details,
318 	    errlen, inmp, 0, B_FALSE);
319 	return (0);
320 }
321 
322 /*
323  * Initialize params from the INIT and INIT-ACK when the assoc. is
324  * established.
325  */
326 boolean_t
327 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init,
328     sctp_init_chunk_t *iack)
329 {
330 	/* Get initial TSN */
331 	sctp->sctp_ftsn = ntohl(init->sic_inittsn);
332 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
333 
334 	/* Serial number is initialized to the same value as the TSN */
335 	sctp->sctp_fcsn = sctp->sctp_lastacked;
336 
337 	/*
338 	 * Get verification tags; no byteordering is necessary, since
339 	 * verfication tags are never processed except for byte-by-byte
340 	 * comparisons.
341 	 */
342 	sctp->sctp_fvtag = init->sic_inittag;
343 	sctp->sctp_sctph->sh_verf = init->sic_inittag;
344 	sctp->sctp_sctph6->sh_verf = init->sic_inittag;
345 	sctp->sctp_lvtag = iack->sic_inittag;
346 
347 	/* Get the peer's rwnd */
348 	sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
349 
350 	/* Allocate the in/out-stream counters */
351 	sctp->sctp_num_ostr = iack->sic_outstr;
352 	sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
353 	    sctp->sctp_num_ostr, KM_NOSLEEP);
354 	if (sctp->sctp_ostrcntrs == NULL)
355 		return (B_FALSE);
356 
357 	sctp->sctp_num_istr = iack->sic_instr;
358 	sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
359 	    sctp->sctp_num_istr, KM_NOSLEEP);
360 	if (sctp->sctp_instr == NULL) {
361 		kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
362 		    sctp->sctp_num_ostr);
363 		sctp->sctp_ostrcntrs = NULL;
364 		return (B_FALSE);
365 	}
366 	return (B_TRUE);
367 }
368 
369 #define	SCTP_CALC_COOKIE_LEN(initcp) \
370 	sizeof (int64_t) +		/* timestamp */			\
371 	sizeof (uint32_t) +		/* cookie lifetime */		\
372 	sizeof (sctp_init_chunk_t) +	/* INIT ACK */			\
373 	sizeof (in6_addr_t) +		/* peer's original source */ 	\
374 	ntohs((initcp)->sch_len) +	/* peer's INIT */		\
375 	sizeof (uint32_t) +		/* local tie-tag */		\
376 	sizeof (uint32_t) +		/* peer tie-tag */		\
377 	sizeof (sctp_parm_hdr_t) +	/* param header */		\
378 	16				/* MD5 hash */
379 
380 void
381 sctp_send_initack(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *initmp)
382 {
383 	ipha_t			*initiph;
384 	ip6_t			*initip6h;
385 	ipha_t			*iackiph;
386 	ip6_t			*iackip6h;
387 	sctp_chunk_hdr_t	*iack_ch;
388 	sctp_init_chunk_t	*iack;
389 	sctp_init_chunk_t	*init;
390 	sctp_hdr_t		*iacksh;
391 	sctp_hdr_t		*initsh;
392 	size_t			cookielen;
393 	size_t			iacklen;
394 	size_t			ipsctplen;
395 	size_t			errlen = 0;
396 	sctp_parm_hdr_t		*cookieph;
397 	mblk_t			*iackmp;
398 	uint32_t		itag;
399 	uint32_t		itsn;
400 	int64_t			*now;
401 	int64_t			nowt;
402 	uint32_t		*lifetime;
403 	char			*p;
404 	boolean_t		 isv4;
405 	int			supp_af = 0;
406 	uint_t			sctp_options;
407 	uint32_t		*ttag;
408 	int			pad;
409 	mblk_t			*errmp = NULL;
410 	boolean_t		initcollision = B_FALSE;
411 	boolean_t		linklocal = B_FALSE;
412 
413 	BUMP_LOCAL(sctp->sctp_ibchunks);
414 	isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION);
415 
416 	/* Extract the INIT chunk */
417 	if (isv4) {
418 		initiph = (ipha_t *)initmp->b_rptr;
419 		initsh = (sctp_hdr_t *)((char *)initiph +
420 		    IPH_HDR_LENGTH(initmp->b_rptr));
421 		ipsctplen = sctp->sctp_ip_hdr_len;
422 		supp_af |= PARM_SUPP_V4;
423 	} else {
424 		initip6h = (ip6_t *)initmp->b_rptr;
425 		initsh = (sctp_hdr_t *)(initip6h + 1);
426 		ipsctplen = sctp->sctp_ip_hdr6_len;
427 		if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src))
428 			linklocal = B_TRUE;
429 		supp_af |= PARM_SUPP_V6;
430 	}
431 	ASSERT(OK_32PTR(initsh));
432 	init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch));
433 
434 	/* Make sure we like the peer's parameters */
435 	if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp,
436 		&supp_af, &sctp_options) == 0) {
437 		return;
438 	}
439 	if (errmp != NULL)
440 		errlen = msgdsize(errmp);
441 	if (sctp->sctp_family == AF_INET) {
442 		/*
443 		 * Irregardless of the supported address in the INIT, v4
444 		 * must be supported.
445 		 */
446 		supp_af = PARM_SUPP_V4;
447 	}
448 	if (sctp->sctp_state <= SCTPS_LISTEN) {
449 		/* normal, expected INIT: generate new vtag and itsn */
450 		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
451 		if (itag == 0)
452 			itag = (uint32_t)gethrtime();
453 		itsn = itag + 1;
454 		itag = htonl(itag);
455 	} else if (sctp->sctp_state == SCTPS_COOKIE_WAIT ||
456 	    sctp->sctp_state == SCTPS_COOKIE_ECHOED) {
457 		/* init collision; copy vtag and itsn from sctp */
458 		itag = sctp->sctp_lvtag;
459 		itsn = sctp->sctp_ltsn;
460 		/*
461 		 * In addition we need to send all the params that was sent
462 		 * in our INIT chunk. Essentially, it is only the supported
463 		 * address params that we need to add.
464 		 */
465 		initcollision = B_TRUE;
466 		/*
467 		 * When we sent the INIT, we should have set linklocal in
468 		 * the sctp which should be good enough.
469 		 */
470 		if (linklocal)
471 			linklocal = B_FALSE;
472 	} else {
473 		/* peer restart; generate new vtag but keep everything else */
474 		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
475 		if (itag == 0)
476 			itag = (uint32_t)gethrtime();
477 		itag = htonl(itag);
478 		itsn = sctp->sctp_ltsn;
479 	}
480 
481 	/*
482 	 * Allocate a mblk for the INIT ACK, consisting of the link layer
483 	 * header, the IP header, the SCTP common header, and INIT ACK chunk,
484 	 * and finally the COOKIE parameter.
485 	 */
486 	cookielen = SCTP_CALC_COOKIE_LEN(ch);
487 	iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen;
488 	if (sctp->sctp_send_adaption)
489 		iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t));
490 	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
491 	    sctp->sctp_prsctp_aware && sctp_prsctp_enabled) {
492 		iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION);
493 	}
494 	if (initcollision)
495 		iacklen += sctp_supaddr_param_len(sctp);
496 	if (!linklocal)
497 		iacklen += sctp_addr_params_len(sctp, supp_af, B_FALSE);
498 	ipsctplen += sizeof (*iacksh) + iacklen;
499 	iacklen += errlen;
500 	if ((pad = ipsctplen % 4) != 0) {
501 		pad = 4 - pad;
502 		ipsctplen += pad;
503 	}
504 	iackmp = allocb(ipsctplen + sctp_wroff_xtra, BPRI_MED);
505 	if (iackmp == NULL) {
506 		sctp_send_abort(sctp, sctp_init2vtag(ch),
507 		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE);
508 		return;
509 	}
510 
511 	/* Copy in the [imcomplete] IP/SCTP composite header */
512 	p = (char *)(iackmp->b_rptr + sctp_wroff_xtra);
513 	iackmp->b_rptr = (uchar_t *)p;
514 	if (isv4) {
515 		bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len);
516 		iackiph = (ipha_t *)p;
517 
518 		/* Copy the peer's IP addr */
519 		iackiph->ipha_dst = initiph->ipha_src;
520 		iackiph->ipha_src = initiph->ipha_dst;
521 		iackiph->ipha_length = htons(ipsctplen + errlen);
522 		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len);
523 	} else {
524 		bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len);
525 		iackip6h = (ip6_t *)p;
526 
527 		/* Copy the peer's IP addr */
528 		iackip6h->ip6_dst = initip6h->ip6_src;
529 		iackip6h->ip6_src = initip6h->ip6_dst;
530 		iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) +
531 		    errlen);
532 		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len);
533 	}
534 	ASSERT(OK_32PTR(iacksh));
535 
536 	/* Fill in the holes in the SCTP common header */
537 	iacksh->sh_sport = initsh->sh_dport;
538 	iacksh->sh_dport = initsh->sh_sport;
539 	iacksh->sh_verf = init->sic_inittag;
540 
541 	/* INIT ACK chunk header */
542 	iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1);
543 	iack_ch->sch_id = CHUNK_INIT_ACK;
544 	iack_ch->sch_flags = 0;
545 	iack_ch->sch_len = htons(iacklen);
546 
547 	/* The INIT ACK itself */
548 	iack = (sctp_init_chunk_t *)(iack_ch + 1);
549 	iack->sic_inittag = itag;	/* already in network byteorder */
550 	iack->sic_inittsn = htonl(itsn);
551 
552 	iack->sic_a_rwnd = htonl(sctp->sctp_rwnd);
553 	/* Advertise what we would want to have as stream #'s */
554 	iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr,
555 	    ntohs(init->sic_instr)));
556 	iack->sic_instr = htons(sctp->sctp_num_istr);
557 
558 	p = (char *)(iack + 1);
559 	p += sctp_adaption_code_param(sctp, (uchar_t *)p);
560 	if (initcollision)
561 		p += sctp_supaddr_param(sctp, (uchar_t *)p);
562 	if (!linklocal)
563 		p += sctp_addr_params(sctp, supp_af, (uchar_t *)p);
564 	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
565 	    sctp->sctp_prsctp_aware && sctp_prsctp_enabled) {
566 		p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION);
567 	}
568 	/*
569 	 * Generate and lay in the COOKIE parameter.
570 	 *
571 	 * The cookie consists of:
572 	 * 1. The relative timestamp for the cookie (lbolt64)
573 	 * 2. The cookie lifetime (uint32_t) in tick
574 	 * 3. The local tie-tag
575 	 * 4. The peer tie-tag
576 	 * 5. Peer's original src, used to confirm the validity of address.
577 	 * 6. Our INIT ACK chunk, less any parameters
578 	 * 7. The INIT chunk (may contain parameters)
579 	 * 8. 128-bit MD5 signature.
580 	 *
581 	 * Since the timestamp values will only be evaluated locally, we
582 	 * don't need to worry about byte-ordering them.
583 	 */
584 	cookieph = (sctp_parm_hdr_t *)p;
585 	cookieph->sph_type = htons(PARM_COOKIE);
586 	cookieph->sph_len = htons(cookielen);
587 
588 	/* timestamp */
589 	now = (int64_t *)(cookieph + 1);
590 	nowt = lbolt64;
591 	bcopy(&nowt, now, sizeof (*now));
592 
593 	/* cookie lifetime -- need configuration */
594 	lifetime = (uint32_t *)(now + 1);
595 	*lifetime = sctp->sctp_cookie_lifetime;
596 
597 	/* Set the tie-tags */
598 	ttag = (uint32_t *)(lifetime + 1);
599 	if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) {
600 		*ttag = 0;
601 		ttag++;
602 		*ttag = 0;
603 		ttag++;
604 	} else {
605 		/* local tie-tag (network byte-order) */
606 		*ttag = sctp->sctp_lvtag;
607 		ttag++;
608 		/* peer tie-tag (network byte-order) */
609 		*ttag = sctp->sctp_fvtag;
610 		ttag++;
611 	}
612 	/*
613 	 * Copy in peer's original source address so that we can confirm
614 	 * the reachability later.
615 	 */
616 	p = (char *)ttag;
617 	if (isv4) {
618 		in6_addr_t peer_addr;
619 
620 		IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr);
621 		bcopy(&peer_addr, p, sizeof (in6_addr_t));
622 	} else {
623 		bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t));
624 	}
625 	p += sizeof (in6_addr_t);
626 	/* Copy in our INIT ACK chunk */
627 	bcopy(iack, p, sizeof (*iack));
628 	iack = (sctp_init_chunk_t *)p;
629 	/* Set the # of streams we'll end up using */
630 	iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr));
631 	iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr));
632 	p += sizeof (*iack);
633 
634 	/* Copy in the peer's INIT chunk */
635 	bcopy(ch, p, ntohs(ch->sch_len));
636 	p += ntohs(ch->sch_len);
637 
638 	/*
639 	 * Calculate the HMAC ICV into the digest slot in buf.
640 	 * First, generate a new secret if the current secret is
641 	 * older than the new secret lifetime parameter permits,
642 	 * copying the current secret to sctp_old_secret.
643 	 */
644 	if (sctp_new_secret_interval > 0 &&
645 	    (sctp->sctp_last_secret_update +
646 	    MSEC_TO_TICK(sctp_new_secret_interval)) <= nowt) {
647 		bcopy(sctp->sctp_secret, sctp->sctp_old_secret,
648 		    SCTP_SECRET_LEN);
649 		(void) random_get_pseudo_bytes(sctp->sctp_secret,
650 		    SCTP_SECRET_LEN);
651 		sctp->sctp_last_secret_update = nowt;
652 	}
653 
654 	hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16,
655 	    (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p);
656 
657 	iackmp->b_wptr = iackmp->b_rptr + ipsctplen;
658 	iackmp->b_cont = errmp;		/*  OK if NULL */
659 
660 	/*
661 	 * Stash the conn ptr info. for IP only as e don't have any
662 	 * cached IRE.
663 	 */
664 	SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL);
665 
666 	/* XXX sctp == sctp_g_q, so using its obchunks is valid */
667 	BUMP_LOCAL(sctp->sctp_opkts);
668 	BUMP_LOCAL(sctp->sctp_obchunks);
669 
670 	/* OK to call IP_PUT() here instead of sctp_add_sendq(). */
671 	CONN_INC_REF(sctp->sctp_connp);
672 	iackmp->b_flag |= MSGHASREF;
673 	IP_PUT(iackmp, sctp->sctp_connp, isv4);
674 }
675 
676 void
677 sctp_send_cookie_ack(sctp_t *sctp)
678 {
679 	sctp_chunk_hdr_t *cach;
680 	mblk_t *camp;
681 
682 	camp = sctp_make_mp(sctp, NULL, sizeof (*cach));
683 	if (camp == NULL) {
684 		/* XXX should abort, but don't have the inmp anymore */
685 		return;
686 	}
687 
688 	cach = (sctp_chunk_hdr_t *)camp->b_wptr;
689 	camp->b_wptr = (uchar_t *)(cach + 1);
690 	cach->sch_id = CHUNK_COOKIE_ACK;
691 	cach->sch_flags = 0;
692 	cach->sch_len = htons(sizeof (*cach));
693 
694 	sctp_set_iplen(sctp, camp);
695 
696 	BUMP_LOCAL(sctp->sctp_obchunks);
697 
698 	sctp_add_sendq(sctp, camp);
699 }
700 
701 static int
702 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaption_code)
703 {
704 
705 	if (len < sizeof (*sph))
706 		return (-1);
707 	while (sph != NULL) {
708 		if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) &&
709 		    ntohs(sph->sph_len) >= (sizeof (*sph) +
710 			sizeof (uint32_t))) {
711 			*adaption_code = *(uint32_t *)(sph + 1);
712 			return (0);
713 		}
714 		sph = sctp_next_parm(sph, &len);
715 	}
716 	return (-1);
717 }
718 
719 void
720 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp)
721 {
722 	mblk_t			*cemp;
723 	mblk_t			*mp = NULL;
724 	mblk_t			*head;
725 	mblk_t			*meta;
726 	sctp_faddr_t		*fp;
727 	sctp_chunk_hdr_t	*cech;
728 	sctp_init_chunk_t	 *iack;
729 	int32_t			cansend;
730 	int32_t			seglen;
731 	size_t			ceclen;
732 	sctp_parm_hdr_t		*cph;
733 	sctp_data_hdr_t		*sdc;
734 	sctp_tf_t		*tf;
735 	int			pad = 0;
736 	int			hdrlen;
737 	mblk_t			*errmp = NULL;
738 	uint_t			sctp_options;
739 	int			error;
740 	uint16_t		old_num_str;
741 
742 	iack = (sctp_init_chunk_t *)(iackch + 1);
743 
744 	cph = NULL;
745 	if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp,
746 	    &pad, &sctp_options) == 0) { /* result in 'pad' ignored */
747 		BUMP_MIB(&sctp_mib, sctpAborted);
748 		sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL);
749 		sctp_clean_death(sctp, ECONNABORTED);
750 		return;
751 	}
752 	ASSERT(cph != NULL);
753 
754 	ASSERT(sctp->sctp_cookie_mp == NULL);
755 
756 	/* Got a cookie to echo back; allocate an mblk */
757 	ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph);
758 	if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0)
759 		pad = SCTP_ALIGN - pad;
760 
761 	if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION)
762 		hdrlen = sctp->sctp_hdr_len;
763 	else
764 		hdrlen = sctp->sctp_hdr6_len;
765 
766 	cemp = allocb(sctp_wroff_xtra + hdrlen + ceclen + pad, BPRI_MED);
767 	if (cemp == NULL) {
768 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
769 		    sctp->sctp_current->rto);
770 		if (errmp != NULL)
771 			freeb(errmp);
772 		return;
773 	}
774 	cemp->b_rptr += (sctp_wroff_xtra + hdrlen);
775 
776 	/* Process the INIT ACK */
777 	sctp->sctp_sctph->sh_verf = iack->sic_inittag;
778 	sctp->sctp_sctph6->sh_verf = iack->sic_inittag;
779 	sctp->sctp_fvtag = iack->sic_inittag;
780 	sctp->sctp_ftsn = ntohl(iack->sic_inittsn);
781 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
782 	sctp->sctp_fcsn = sctp->sctp_lastacked;
783 	sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd);
784 
785 	/*
786 	 * Populate sctp with addresses given in the INIT ACK or IP header.
787 	 * Need to set the df bit in the current fp as it has been cleared
788 	 * in sctp_connect().
789 	 */
790 	sctp->sctp_current->df = B_TRUE;
791 	/*
792 	 * Since IP uses this info during the fanout process, we need to hold
793 	 * the lock for this hash line while performing this operation.
794 	 */
795 	/* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctp->sctp_ports); */
796 	ASSERT(sctp->sctp_conn_tfp != NULL);
797 	tf = sctp->sctp_conn_tfp;
798 	/* sctp isn't a listener so only need to hold conn fanout lock */
799 	mutex_enter(&tf->tf_lock);
800 	if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) {
801 		mutex_exit(&tf->tf_lock);
802 		freeb(cemp);
803 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
804 		    sctp->sctp_current->rto);
805 		if (errmp != NULL)
806 			freeb(errmp);
807 		return;
808 	}
809 	mutex_exit(&tf->tf_lock);
810 
811 	fp = sctp->sctp_current;
812 
813 	/*
814 	 * There could be a case when we get an INIT-ACK again, if the INIT
815 	 * is re-transmitted, for e.g., which means we would have already
816 	 * allocated this resource earlier (also for sctp_instr). In this
817 	 * case we check and re-allocate, if necessary.
818 	 */
819 	old_num_str = sctp->sctp_num_ostr;
820 	if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr)
821 		sctp->sctp_num_ostr = ntohs(iack->sic_instr);
822 	if (sctp->sctp_ostrcntrs == NULL) {
823 		sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
824 		    sctp->sctp_num_ostr, KM_NOSLEEP);
825 	} else {
826 		ASSERT(old_num_str > 0);
827 		if (old_num_str != sctp->sctp_num_ostr) {
828 			kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
829 			    old_num_str);
830 			sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
831 			    sctp->sctp_num_ostr, KM_NOSLEEP);
832 		}
833 	}
834 	if (sctp->sctp_ostrcntrs == NULL) {
835 		freeb(cemp);
836 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
837 		if (errmp != NULL)
838 			freeb(errmp);
839 		return;
840 	}
841 
842 	/*
843 	 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs
844 	 * hold here too.
845 	 */
846 	old_num_str = sctp->sctp_num_istr;
847 	if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr)
848 		sctp->sctp_num_istr = ntohs(iack->sic_outstr);
849 	if (sctp->sctp_instr == NULL) {
850 		sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
851 		    sctp->sctp_num_istr, KM_NOSLEEP);
852 	} else {
853 		ASSERT(old_num_str > 0);
854 		if (old_num_str != sctp->sctp_num_istr) {
855 			kmem_free(sctp->sctp_instr,
856 			    sizeof (*sctp->sctp_instr) * old_num_str);
857 			sctp->sctp_instr = kmem_zalloc(
858 			    sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr,
859 			    KM_NOSLEEP);
860 		}
861 	}
862 	if (sctp->sctp_instr == NULL) {
863 		kmem_free(sctp->sctp_ostrcntrs,
864 		    sizeof (uint16_t) * sctp->sctp_num_ostr);
865 		freeb(cemp);
866 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
867 		if (errmp != NULL)
868 			freeb(errmp);
869 		return;
870 	}
871 
872 	if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware)
873 		sctp->sctp_prsctp_aware = B_FALSE;
874 
875 	if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1),
876 		ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)),
877 		&sctp->sctp_rx_adaption_code) == 0) {
878 		sctp->sctp_recv_adaption = 1;
879 	}
880 
881 	cech = (sctp_chunk_hdr_t *)cemp->b_rptr;
882 	ASSERT(OK_32PTR(cech));
883 	cech->sch_id = CHUNK_COOKIE;
884 	cech->sch_flags = 0;
885 	cech->sch_len = htons(ceclen);
886 
887 	/* Copy the cookie (less the parm hdr) to the chunk */
888 	bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph));
889 
890 	cemp->b_wptr = cemp->b_rptr + ceclen;
891 
892 	if (sctp->sctp_unsent > 0) {
893 		sctp_msg_hdr_t	*smh;
894 		mblk_t		*prev = NULL;
895 		uint32_t	unsent = 0;
896 
897 		mp = sctp->sctp_xmit_unsent;
898 		do {
899 			smh = (sctp_msg_hdr_t *)mp->b_rptr;
900 			if (smh->smh_sid >= sctp->sctp_num_ostr) {
901 				unsent += smh->smh_msglen;
902 				if (prev != NULL)
903 					prev->b_next = mp->b_next;
904 				else
905 					sctp->sctp_xmit_unsent = mp->b_next;
906 				mp->b_next = NULL;
907 				sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID,
908 				    B_FALSE);
909 				if (prev != NULL)
910 					mp = prev->b_next;
911 				else
912 					mp = sctp->sctp_xmit_unsent;
913 			} else {
914 				prev = mp;
915 				mp = mp->b_next;
916 			}
917 		} while (mp != NULL);
918 		if (unsent > 0) {
919 			ASSERT(sctp->sctp_unsent >= unsent);
920 			sctp->sctp_unsent -= unsent;
921 			/*
922 			 * Update ULP the amount of queued data, which is
923 			 * sent-unack'ed + unsent.
924 			 * This is not necessary, but doesn't harm, we
925 			 * just use unsent instead of sent-unack'ed +
926 			 * unsent, since there won't be any sent-unack'ed
927 			 * here.
928 			 */
929 			if (!SCTP_IS_DETACHED(sctp)) {
930 				sctp->sctp_ulp_xmitted(sctp->sctp_ulpd,
931 				    sctp->sctp_unsent);
932 			}
933 		}
934 		if (sctp->sctp_xmit_unsent == NULL)
935 			sctp->sctp_xmit_unsent_tail = NULL;
936 	}
937 	ceclen += pad;
938 	cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd);
939 	meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen,
940 	    cansend,  NULL);
941 	/*
942 	 * The error cannot be anything else since we could have an non-zero
943 	 * error only if sctp_get_msg_to_send() tries to send a Forward
944 	 * TSN which will not happen here.
945 	 */
946 	ASSERT(error == 0);
947 	if (meta == NULL)
948 		goto sendcookie;
949 	sctp->sctp_xmit_tail = meta;
950 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
951 	seglen = ntohs(sdc->sdh_len);
952 	if ((ceclen + seglen) > fp->sfa_pmss ||
953 	    (seglen - sizeof (*sdc)) > cansend) {
954 		goto sendcookie;
955 	}
956 	/* OK, if this fails */
957 	cemp->b_cont = dupmsg(mp);
958 sendcookie:
959 	head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL);
960 	if (head == NULL) {
961 		freemsg(cemp);
962 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
963 		if (errmp != NULL)
964 			freeb(errmp);
965 		return;
966 	}
967 	/*
968 	 * Even if cookie-echo exceeds MTU for one of the hops, it'll
969 	 * have a chance of getting there.
970 	 */
971 	if (fp->isv4) {
972 		ipha_t *iph = (ipha_t *)head->b_rptr;
973 		iph->ipha_fragment_offset_and_flags = 0;
974 	}
975 	BUMP_LOCAL(sctp->sctp_obchunks);
976 
977 	sctp->sctp_cookie_mp = dupmsg(head);
978 	/* Don't bundle, we will just resend init if this cookie is lost. */
979 	if (sctp->sctp_cookie_mp == NULL) {
980 		if (cemp->b_cont != NULL) {
981 			freemsg(cemp->b_cont);
982 			cemp->b_cont = NULL;
983 		}
984 	} else if (cemp->b_cont != NULL) {
985 		ASSERT(mp != NULL && mp == meta->b_cont);
986 		SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont);
987 		cemp->b_wptr += pad;
988 		seglen -= sizeof (*sdc);
989 		SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta);
990 	}
991 	if (errmp != NULL)
992 		linkb(head, errmp);
993 	sctp->sctp_state = SCTPS_COOKIE_ECHOED;
994 	SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
995 
996 	sctp_set_iplen(sctp, head);
997 	sctp_add_sendq(sctp, head);
998 }
999 
1000 int
1001 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
1002     sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaption,
1003     in6_addr_t *peer_addr)
1004 {
1005 	int32_t			clen;
1006 	size_t			initplen;
1007 	uchar_t			*p;
1008 	uchar_t			*given_hash;
1009 	uchar_t			needed_hash[16];
1010 	int64_t			ts;
1011 	int64_t			diff;
1012 	uint32_t		*lt;
1013 	sctp_init_chunk_t	*iack;
1014 	sctp_chunk_hdr_t	*initch;
1015 	sctp_init_chunk_t	*init;
1016 	uint32_t		*lttag;
1017 	uint32_t		*fttag;
1018 	uint32_t		ports;
1019 
1020 	BUMP_LOCAL(sctp->sctp_ibchunks);
1021 	/* Verify the ICV */
1022 	clen = ntohs(ch->sch_len) - sizeof (*ch) - 16;
1023 	if (clen < 0) {
1024 		dprint(1, ("invalid cookie chunk length %d\n",
1025 		    ntohs(ch->sch_len)));
1026 
1027 		return (-1);
1028 	}
1029 	p = (uchar_t *)(ch + 1);
1030 
1031 	hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN,
1032 	    needed_hash);
1033 
1034 	/* The given hash follows the cookie data */
1035 	given_hash = p + clen;
1036 
1037 	if (bcmp(given_hash, needed_hash, 16) != 0) {
1038 		/* The secret may have changed; try the old secret */
1039 		hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret,
1040 		    SCTP_SECRET_LEN, needed_hash);
1041 		if (bcmp(given_hash, needed_hash, 16) != 0) {
1042 			return (-1);
1043 		}
1044 	}
1045 
1046 	/* Timestamp is int64_t, and we only guarantee 32-bit alignment */
1047 	bcopy(p, &ts, sizeof (ts));
1048 	/* Cookie life time, int32_t */
1049 	lt = (uint32_t *)(p + sizeof (ts));
1050 
1051 	/*
1052 	 * To quote PRC, "this is our baby", so let's continue.
1053 	 * We need to pull out the encapsulated INIT ACK and
1054 	 * INIT chunks. Note that we don't process these until
1055 	 * we have verified the timestamp, but we need them before
1056 	 * processing the timestamp since if the time check fails,
1057 	 * we need to get the verification tag from the INIT in order
1058 	 * to send a stale cookie error.
1059 	 */
1060 	lttag = (uint32_t *)(lt + 1);
1061 	fttag = lttag + 1;
1062 	if (peer_addr != NULL)
1063 		bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t));
1064 	iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t));
1065 	initch = (sctp_chunk_hdr_t *)(iack + 1);
1066 	init = (sctp_init_chunk_t *)(initch + 1);
1067 	initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch));
1068 	*iackpp = iack;
1069 	*recv_adaption = 0;
1070 
1071 	/* Check the timestamp */
1072 	diff = lbolt64 - ts;
1073 	if (diff > *lt && (init->sic_inittag != sctp->sctp_fvtag ||
1074 	    iack->sic_inittag != sctp->sctp_lvtag)) {
1075 
1076 		uint32_t staleness;
1077 
1078 		staleness = TICK_TO_USEC(diff);
1079 		staleness = htonl(staleness);
1080 		sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE,
1081 		    (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE);
1082 
1083 		dprint(1, ("stale cookie %d\n", staleness));
1084 
1085 		return (-1);
1086 	}
1087 
1088 	/* Check for attack by adding addresses to a restart */
1089 	bcopy(insctph, &ports, sizeof (ports));
1090 	if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP) != 1) {
1091 		return (-1);
1092 	}
1093 
1094 	/* Look for adaptation code if there any parms in the INIT chunk */
1095 	if ((initplen >= sizeof (sctp_parm_hdr_t)) &&
1096 	    (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen,
1097 	    &sctp->sctp_rx_adaption_code) == 0)) {
1098 		*recv_adaption = 1;
1099 	}
1100 
1101 	/* Examine tie-tags */
1102 
1103 	if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) {
1104 		if (sctp->sctp_state == SCTPS_ESTABLISHED &&
1105 		    init->sic_inittag == sctp->sctp_fvtag &&
1106 		    iack->sic_inittag == sctp->sctp_lvtag &&
1107 		    *fttag == 0 && *lttag == 0) {
1108 
1109 			dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n",
1110 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1111 			    (int)(sctp->sctp_fport)));
1112 			return (-1);
1113 		}
1114 
1115 		if (init->sic_inittag != sctp->sctp_fvtag &&
1116 		    iack->sic_inittag != sctp->sctp_lvtag &&
1117 		    *fttag == sctp->sctp_fvtag &&
1118 		    *lttag == sctp->sctp_lvtag) {
1119 			int i;
1120 
1121 			/* Section 5.2.4 case A: restart */
1122 			sctp->sctp_fvtag = init->sic_inittag;
1123 			sctp->sctp_lvtag = iack->sic_inittag;
1124 
1125 			sctp->sctp_sctph->sh_verf = init->sic_inittag;
1126 			sctp->sctp_sctph6->sh_verf = init->sic_inittag;
1127 
1128 			sctp->sctp_ftsn = ntohl(init->sic_inittsn);
1129 			sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
1130 			sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
1131 			sctp->sctp_fcsn = sctp->sctp_lastacked;
1132 
1133 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1134 				sctp->sctp_state = SCTPS_ESTABLISHED;
1135 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
1136 			}
1137 
1138 			dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n",
1139 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1140 			    (int)(sctp->sctp_fport)));
1141 			/* reset parameters */
1142 			sctp_congest_reset(sctp);
1143 
1144 			/* reset stream bookkeeping */
1145 			sctp_instream_cleanup(sctp, B_FALSE);
1146 
1147 			sctp->sctp_istr_nmsgs = 0;
1148 			sctp->sctp_rxqueued = 0;
1149 			for (i = 0; i < sctp->sctp_num_ostr; i++) {
1150 				sctp->sctp_ostrcntrs[i] = 0;
1151 			}
1152 			/* XXX flush xmit_list? */
1153 
1154 			return (0);
1155 		} else if (init->sic_inittag != sctp->sctp_fvtag &&
1156 		    iack->sic_inittag == sctp->sctp_lvtag) {
1157 
1158 			/* Section 5.2.4 case B: INIT collision */
1159 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1160 				if (!sctp_initialize_params(sctp, init, iack))
1161 					return (-1);	/* Drop? */
1162 				sctp->sctp_state = SCTPS_ESTABLISHED;
1163 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
1164 			}
1165 
1166 			dprint(1, ("init collision with %x:%x:%x:%x (%d)\n",
1167 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1168 			    (int)(sctp->sctp_fport)));
1169 
1170 			return (0);
1171 		} else if (iack->sic_inittag != sctp->sctp_lvtag &&
1172 		    init->sic_inittag == sctp->sctp_fvtag &&
1173 		    *fttag == 0 && *lttag == 0) {
1174 
1175 			/* Section 5.2.4 case C: late COOKIE */
1176 			dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n",
1177 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1178 			    (int)(sctp->sctp_fport)));
1179 			return (-1);
1180 		} else if (init->sic_inittag == sctp->sctp_fvtag &&
1181 		    iack->sic_inittag == sctp->sctp_lvtag) {
1182 
1183 			/*
1184 			 * Section 5.2.4 case D: COOKIE ECHO retransmit
1185 			 * Don't check cookie lifetime
1186 			 */
1187 			dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n",
1188 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1189 			    (int)(sctp->sctp_fport)));
1190 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1191 				if (!sctp_initialize_params(sctp, init, iack))
1192 					return (-1);	/* Drop? */
1193 				sctp->sctp_state = SCTPS_ESTABLISHED;
1194 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
1195 			}
1196 			return (0);
1197 		} else {
1198 			/* unrecognized case -- silently drop it */
1199 			return (-1);
1200 		}
1201 	}
1202 
1203 	return (0);
1204 }
1205 
1206 /*
1207  * Similar to ip_fanout_sctp, except that the src addr(s) are drawn
1208  * from address parameters in an INIT ACK's address list. This
1209  * function is used when an INIT ACK is received but IP's fanout
1210  * function could not find a sctp via the normal lookup routine.
1211  * This can happen when a host sends an INIT ACK from a different
1212  * address than the INIT was sent to.
1213  *
1214  * Returns the sctp_t if found, or NULL if not found.
1215  */
1216 sctp_t *
1217 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich,
1218     uint_t ipif_seqid, zoneid_t zoneid)
1219 {
1220 	int isv4;
1221 	ipha_t *iph;
1222 	ip6_t *ip6h;
1223 	in6_addr_t dst;
1224 	in6_addr_t src;
1225 	sctp_parm_hdr_t *ph;
1226 	ssize_t remaining;
1227 	sctp_init_chunk_t *iack;
1228 	uint32_t ports;
1229 	sctp_t *sctp = NULL;
1230 
1231 	ASSERT(ich->sch_id == CHUNK_INIT_ACK);
1232 
1233 	isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
1234 	if (isv4) {
1235 		iph = (ipha_t *)mp->b_rptr;
1236 		IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst);
1237 	} else {
1238 		ip6h = (ip6_t *)mp->b_rptr;
1239 		dst = ip6h->ip6_dst;
1240 	}
1241 
1242 	ports = *(uint32_t *)sctph;
1243 
1244 	dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n",
1245 	    ports, SCTP_PRINTADDR(dst)));
1246 
1247 	/* pull out any address parameters */
1248 	remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack);
1249 	if (remaining < sizeof (*ph)) {
1250 		return (NULL);
1251 	}
1252 
1253 	iack = (sctp_init_chunk_t *)(ich + 1);
1254 	ph = (sctp_parm_hdr_t *)(iack + 1);
1255 
1256 	while (ph != NULL) {
1257 		/*
1258 		 * params have been put in host byteorder by
1259 		 * sctp_check_input()
1260 		 */
1261 		if (ph->sph_type == PARM_ADDR4) {
1262 			IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1),
1263 			    &src);
1264 
1265 			sctp = sctp_conn_match(&src, &dst, ports, ipif_seqid,
1266 			    zoneid);
1267 
1268 			dprint(1,
1269 			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1270 			    SCTP_PRINTADDR(src), sctp));
1271 
1272 
1273 			if (sctp != NULL) {
1274 				return (sctp);
1275 			}
1276 		} else if (ph->sph_type == PARM_ADDR6) {
1277 			src = *(in6_addr_t *)(ph + 1);
1278 			sctp = sctp_conn_match(&src, &dst, ports, ipif_seqid,
1279 			    zoneid);
1280 
1281 			dprint(1,
1282 			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1283 			    SCTP_PRINTADDR(src), sctp));
1284 
1285 			if (sctp != NULL) {
1286 				return (sctp);
1287 			}
1288 		}
1289 
1290 		ph = sctp_next_parm(ph, &remaining);
1291 	}
1292 
1293 	return (NULL);
1294 }
1295