1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #include <sys/types.h> 28 #include <sys/systm.h> 29 #include <sys/stream.h> 30 #include <sys/cmn_err.h> 31 #include <sys/md5.h> 32 #include <sys/kmem.h> 33 #include <sys/strsubr.h> 34 #include <sys/random.h> 35 #include <sys/tsol/tnet.h> 36 37 #include <netinet/in.h> 38 #include <netinet/ip6.h> 39 40 #include <inet/common.h> 41 #include <inet/ip.h> 42 #include <inet/ip6.h> 43 #include <inet/sctp_ip.h> 44 #include <inet/ipclassifier.h> 45 #include "sctp_impl.h" 46 47 /* 48 * Helper function for SunCluster (PSARC/2005/602) to get the original source 49 * address from the COOKIE 50 */ 51 int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *); 52 53 /* 54 * From RFC 2104. This should probably go into libmd5 (and while 55 * we're at it, maybe we should make a libdigest so we can later 56 * add SHA1 and others, esp. since some weaknesses have been found 57 * with MD5). 58 * 59 * text IN pointer to data stream 60 * text_len IN length of data stream 61 * key IN pointer to authentication key 62 * key_len IN length of authentication key 63 * digest OUT caller digest to be filled in 64 */ 65 static void 66 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len, 67 uchar_t *digest) 68 { 69 MD5_CTX context; 70 uchar_t k_ipad[65]; /* inner padding - key XORd with ipad */ 71 uchar_t k_opad[65]; /* outer padding - key XORd with opad */ 72 uchar_t tk[16]; 73 int i; 74 75 /* if key is longer than 64 bytes reset it to key=MD5(key) */ 76 if (key_len > 64) { 77 MD5_CTX tctx; 78 79 MD5Init(&tctx); 80 MD5Update(&tctx, key, key_len); 81 MD5Final(tk, &tctx); 82 83 key = tk; 84 key_len = 16; 85 } 86 87 /* 88 * the HMAC_MD5 transform looks like: 89 * 90 * MD5(K XOR opad, MD5(K XOR ipad, text)) 91 * 92 * where K is an n byte key 93 * ipad is the byte 0x36 repeated 64 times 94 * opad is the byte 0x5c repeated 64 times 95 * and text is the data being protected 96 */ 97 98 /* start out by storing key in pads */ 99 bzero(k_ipad, sizeof (k_ipad)); 100 bzero(k_opad, sizeof (k_opad)); 101 bcopy(key, k_ipad, key_len); 102 bcopy(key, k_opad, key_len); 103 104 /* XOR key with ipad and opad values */ 105 for (i = 0; i < 64; i++) { 106 k_ipad[i] ^= 0x36; 107 k_opad[i] ^= 0x5c; 108 } 109 /* 110 * perform inner MD5 111 */ 112 MD5Init(&context); /* init context for 1st */ 113 /* pass */ 114 MD5Update(&context, k_ipad, 64); /* start with inner pad */ 115 MD5Update(&context, text, text_len); /* then text of datagram */ 116 MD5Final(digest, &context); /* finish up 1st pass */ 117 /* 118 * perform outer MD5 119 */ 120 MD5Init(&context); /* init context for 2nd */ 121 /* pass */ 122 MD5Update(&context, k_opad, 64); /* start with outer pad */ 123 MD5Update(&context, digest, 16); /* then results of 1st */ 124 /* hash */ 125 MD5Final(digest, &context); /* finish up 2nd pass */ 126 } 127 128 /* 129 * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP 130 * info in initmp to send the abort. Otherwise, no abort will be sent. 131 * 132 * When called from stcp_send_initack() while processing parameters 133 * from a received INIT_CHUNK want_cookie will be NULL. 134 * 135 * When called from sctp_send_cookie_echo() while processing an INIT_ACK, 136 * want_cookie contains a pointer to a pointer of type *sctp_parm_hdr_t. 137 * However, this last pointer will be NULL until the cookie is processed 138 * at which time it will be set to point to a sctp_parm_hdr_t that contains 139 * the cookie info. 140 * 141 * Note: an INIT_ACK is expected to contain a cookie. 142 * 143 * When processing an INIT_ACK, an ERROR chunk and chain of one or more 144 * error CAUSE blocks will be created if unrecognized parameters marked by 145 * the sender as reportable are found. 146 * 147 * When processing an INIT chunk, a chain of one or more error CAUSE blocks 148 * will be created if unrecognized parameters marked by the sender as 149 * reportable are found. These are appended directly to the INIT_ACK chunk. 150 * 151 * In both cases the error chain is visible to the caller via *errmp. 152 * 153 * Returns 1 if the parameters are OK (or if there are no optional 154 * parameters), returns 0 otherwise. 155 */ 156 static int 157 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch, 158 sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie, 159 mblk_t **errmp, int *supp_af, uint_t *sctp_options) 160 { 161 sctp_parm_hdr_t *cph; 162 sctp_init_chunk_t *ic; 163 ssize_t remaining; 164 uint16_t serror = 0; 165 char *details = NULL; 166 size_t errlen = 0; 167 boolean_t got_cookie = B_FALSE; 168 boolean_t got_errchunk = B_FALSE; 169 uint16_t ptype; 170 sctp_mpc_t mpc; 171 172 173 ASSERT(errmp != NULL); 174 175 if (sctp_options != NULL) 176 *sctp_options = 0; 177 178 /* First validate stream parameters */ 179 if (init->sic_instr == 0 || init->sic_outstr == 0) { 180 serror = SCTP_ERR_BAD_MANDPARM; 181 dprint(1, ("validate_init_params: bad sid, is=%d os=%d\n", 182 htons(init->sic_instr), htons(init->sic_outstr))); 183 goto abort; 184 } 185 if (ntohl(init->sic_inittag) == 0) { 186 serror = SCTP_ERR_BAD_MANDPARM; 187 dprint(1, ("validate_init_params: inittag = 0\n")); 188 goto abort; 189 } 190 191 remaining = ntohs(ch->sch_len) - sizeof (*ch); 192 ic = (sctp_init_chunk_t *)(ch + 1); 193 remaining -= sizeof (*ic); 194 if (remaining < sizeof (*cph)) { 195 /* 196 * When processing a received INIT_ACK, a cookie is 197 * expected, if missing there is nothing to validate. 198 */ 199 if (want_cookie != NULL) 200 goto cookie_abort; 201 return (1); 202 } 203 204 cph = (sctp_parm_hdr_t *)(ic + 1); 205 206 while (cph != NULL) { 207 ptype = ntohs(cph->sph_type); 208 switch (ptype) { 209 case PARM_HBINFO: 210 case PARM_UNRECOGNIZED: 211 case PARM_ECN: 212 /* just ignore them */ 213 break; 214 case PARM_FORWARD_TSN: 215 if (sctp_options != NULL) 216 *sctp_options |= SCTP_PRSCTP_OPTION; 217 break; 218 case PARM_COOKIE: 219 got_cookie = B_TRUE; 220 /* 221 * Processing a received INIT_ACK, we have a cookie 222 * and a valid pointer in our caller to attach it to. 223 */ 224 if (want_cookie != NULL) { 225 *want_cookie = cph; 226 } 227 break; 228 case PARM_ADDR4: 229 *supp_af |= PARM_SUPP_V4; 230 break; 231 case PARM_ADDR6: 232 *supp_af |= PARM_SUPP_V6; 233 break; 234 case PARM_COOKIE_PRESERVE: 235 case PARM_ADAPT_LAYER_IND: 236 /* These are OK */ 237 break; 238 case PARM_ADDR_HOST_NAME: 239 /* Don't support this; abort the association */ 240 serror = SCTP_ERR_BAD_ADDR; 241 details = (char *)cph; 242 errlen = ntohs(cph->sph_len); 243 dprint(1, ("sctp:validate_init_params: host addr\n")); 244 goto abort; 245 case PARM_SUPP_ADDRS: { 246 /* Make sure we have a supported addr intersection */ 247 uint16_t *p, addrtype; 248 int plen; 249 250 plen = ntohs(cph->sph_len); 251 p = (uint16_t *)(cph + 1); 252 while (plen > 0) { 253 addrtype = ntohs(*p); 254 switch (addrtype) { 255 case PARM_ADDR6: 256 *supp_af |= PARM_SUPP_V6; 257 break; 258 case PARM_ADDR4: 259 *supp_af |= PARM_SUPP_V4; 260 break; 261 default: 262 /* 263 * Do nothing, silently ignore hostname 264 * address. 265 */ 266 break; 267 } 268 p++; 269 plen -= sizeof (*p); 270 } 271 break; 272 } 273 default: 274 /* 275 * Handle any unrecognized params, the two high order 276 * bits of ptype define how the remote wants them 277 * handled. 278 * Top bit: 279 * 1. Continue processing other params in the chunk 280 * 0. Stop processing params after this one. 281 * 2nd bit: 282 * 1. Must report this unrecognized param to remote 283 * 0. Obey the top bit silently. 284 */ 285 if (ptype & SCTP_REPORT_THIS_PARAM) { 286 if (!got_errchunk && want_cookie != NULL) { 287 /* 288 * Processing an INIT_ACK, this is the 289 * first reportable param, create an 290 * ERROR chunk and populate it with a 291 * CAUSE block for this parameter. 292 */ 293 *errmp = sctp_make_err(sctp, 294 PARM_UNRECOGNIZED, 295 (void *)cph, 296 ntohs(cph->sph_len)); 297 got_errchunk = B_TRUE; 298 } else { 299 /* 300 * If processing an INIT chunk add 301 * an additional CAUSE block to an 302 * INIT_ACK, got_errchunk is B_FALSE. 303 */ 304 sctp_add_unrec_parm(cph, errmp, 305 got_errchunk); 306 } 307 } 308 if (ptype & SCTP_CONT_PROC_PARAMS) { 309 /* 310 * Continue processing params after this 311 * parameter. 312 */ 313 break; 314 } 315 316 /* 317 * Stop processing params, report any reportable 318 * unrecognized params found so far. 319 */ 320 goto done; 321 } 322 323 cph = sctp_next_parm(cph, &remaining); 324 } 325 done: 326 /* 327 * Some sanity checks. The following should not fail unless the 328 * other side is broken. 329 * 330 * 1. If this is a V4 endpoint but V4 address is not 331 * supported, abort. 332 * 2. If this is a V6 only endpoint but V6 address is 333 * not supported, abort. This assumes that a V6 334 * endpoint can use both V4 and V6 addresses. 335 * We only care about supp_af when processing INIT, i.e want_cookie 336 * is NULL. 337 */ 338 if (want_cookie == NULL && 339 ((sctp->sctp_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) || 340 (sctp->sctp_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) && 341 sctp->sctp_connp->conn_ipv6_v6only))) { 342 dprint(1, ("sctp:validate_init_params: supp addr\n")); 343 serror = SCTP_ERR_BAD_ADDR; 344 goto abort; 345 } 346 347 if (want_cookie != NULL && !got_cookie) { 348 cookie_abort: 349 /* Will populate the CAUSE block in the ABORT chunk. */ 350 mpc.mpc_num = htons(1); 351 mpc.mpc_param = htons(PARM_COOKIE); 352 mpc.mpc_pad = 0; 353 354 dprint(1, ("validate_init_params: cookie absent\n")); 355 sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM, 356 (char *)&mpc, sizeof (sctp_mpc_t), inmp, 0, B_FALSE); 357 return (0); 358 } 359 360 /* OK */ 361 return (1); 362 363 abort: 364 if (want_cookie != NULL) 365 return (0); 366 367 sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details, 368 errlen, inmp, 0, B_FALSE); 369 return (0); 370 } 371 372 /* 373 * Initialize params from the INIT and INIT-ACK when the assoc. is 374 * established. 375 */ 376 boolean_t 377 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init, 378 sctp_init_chunk_t *iack) 379 { 380 /* Get initial TSN */ 381 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 382 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 383 384 /* Serial number is initialized to the same value as the TSN */ 385 sctp->sctp_fcsn = sctp->sctp_lastacked; 386 387 /* 388 * Get verification tags; no byteordering is necessary, since 389 * verfication tags are never processed except for byte-by-byte 390 * comparisons. 391 */ 392 sctp->sctp_fvtag = init->sic_inittag; 393 sctp->sctp_sctph->sh_verf = init->sic_inittag; 394 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 395 sctp->sctp_lvtag = iack->sic_inittag; 396 397 /* Get the peer's rwnd */ 398 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 399 400 /* Allocate the in/out-stream counters */ 401 sctp->sctp_num_ostr = iack->sic_outstr; 402 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 403 sctp->sctp_num_ostr, KM_NOSLEEP); 404 if (sctp->sctp_ostrcntrs == NULL) 405 return (B_FALSE); 406 407 sctp->sctp_num_istr = iack->sic_instr; 408 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 409 sctp->sctp_num_istr, KM_NOSLEEP); 410 if (sctp->sctp_instr == NULL) { 411 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 412 sctp->sctp_num_ostr); 413 sctp->sctp_ostrcntrs = NULL; 414 return (B_FALSE); 415 } 416 return (B_TRUE); 417 } 418 419 /* 420 * Copy the peer's original source address into addr. This relies on the 421 * following format (see sctp_send_initack() below): 422 * relative timestamp for the cookie (int64_t) + 423 * cookie lifetime (uint32_t) + 424 * local tie-tag (uint32_t) + peer tie-tag (uint32_t) + 425 * Peer's original src ... 426 */ 427 int 428 cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr) 429 { 430 uchar_t *off; 431 432 ASSERT(addr != NULL); 433 434 if (ch->sch_id != CHUNK_COOKIE) 435 return (EINVAL); 436 437 off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) + 438 sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t); 439 440 bcopy(off, addr, sizeof (*addr)); 441 442 return (0); 443 } 444 445 #define SCTP_CALC_COOKIE_LEN(initcp) \ 446 sizeof (int64_t) + /* timestamp */ \ 447 sizeof (uint32_t) + /* cookie lifetime */ \ 448 sizeof (sctp_init_chunk_t) + /* INIT ACK */ \ 449 sizeof (in6_addr_t) + /* peer's original source */ \ 450 ntohs((initcp)->sch_len) + /* peer's INIT */ \ 451 sizeof (uint32_t) + /* local tie-tag */ \ 452 sizeof (uint32_t) + /* peer tie-tag */ \ 453 sizeof (sctp_parm_hdr_t) + /* param header */ \ 454 16 /* MD5 hash */ 455 456 void 457 sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch, 458 mblk_t *initmp) 459 { 460 ipha_t *initiph; 461 ip6_t *initip6h; 462 ipha_t *iackiph; 463 ip6_t *iackip6h; 464 sctp_chunk_hdr_t *iack_ch; 465 sctp_init_chunk_t *iack; 466 sctp_init_chunk_t *init; 467 sctp_hdr_t *iacksh; 468 size_t cookielen; 469 size_t iacklen; 470 size_t ipsctplen; 471 size_t errlen = 0; 472 sctp_parm_hdr_t *cookieph; 473 mblk_t *iackmp; 474 uint32_t itag; 475 uint32_t itsn; 476 int64_t *now; 477 int64_t nowt; 478 uint32_t *lifetime; 479 char *p; 480 boolean_t isv4; 481 int supp_af = 0; 482 uint_t sctp_options; 483 uint32_t *ttag; 484 int pad; 485 mblk_t *errmp = NULL; 486 boolean_t initcollision = B_FALSE; 487 boolean_t linklocal = B_FALSE; 488 cred_t *cr; 489 ts_label_t *initlabel; 490 sctp_stack_t *sctps = sctp->sctp_sctps; 491 492 BUMP_LOCAL(sctp->sctp_ibchunks); 493 isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION); 494 495 /* Extract the INIT chunk */ 496 if (isv4) { 497 initiph = (ipha_t *)initmp->b_rptr; 498 ipsctplen = sctp->sctp_ip_hdr_len; 499 supp_af |= PARM_SUPP_V4; 500 } else { 501 initip6h = (ip6_t *)initmp->b_rptr; 502 ipsctplen = sctp->sctp_ip_hdr6_len; 503 if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src)) 504 linklocal = B_TRUE; 505 supp_af |= PARM_SUPP_V6; 506 } 507 ASSERT(OK_32PTR(initsh)); 508 init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch)); 509 510 /* Make sure we like the peer's parameters */ 511 if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp, 512 &supp_af, &sctp_options) == 0) { 513 return; 514 } 515 if (errmp != NULL) 516 errlen = msgdsize(errmp); 517 if (sctp->sctp_family == AF_INET) { 518 /* 519 * Irregardless of the supported address in the INIT, v4 520 * must be supported. 521 */ 522 supp_af = PARM_SUPP_V4; 523 } 524 if (sctp->sctp_state <= SCTPS_LISTEN) { 525 /* normal, expected INIT: generate new vtag and itsn */ 526 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 527 if (itag == 0) 528 itag = (uint32_t)gethrtime(); 529 itsn = itag + 1; 530 itag = htonl(itag); 531 } else if (sctp->sctp_state == SCTPS_COOKIE_WAIT || 532 sctp->sctp_state == SCTPS_COOKIE_ECHOED) { 533 /* init collision; copy vtag and itsn from sctp */ 534 itag = sctp->sctp_lvtag; 535 itsn = sctp->sctp_ltsn; 536 /* 537 * In addition we need to send all the params that was sent 538 * in our INIT chunk. Essentially, it is only the supported 539 * address params that we need to add. 540 */ 541 initcollision = B_TRUE; 542 /* 543 * When we sent the INIT, we should have set linklocal in 544 * the sctp which should be good enough. 545 */ 546 if (linklocal) 547 linklocal = B_FALSE; 548 } else { 549 /* peer restart; generate new vtag but keep everything else */ 550 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 551 if (itag == 0) 552 itag = (uint32_t)gethrtime(); 553 itag = htonl(itag); 554 itsn = sctp->sctp_ltsn; 555 } 556 557 /* 558 * Allocate a mblk for the INIT ACK, consisting of the link layer 559 * header, the IP header, the SCTP common header, and INIT ACK chunk, 560 * and finally the COOKIE parameter. 561 */ 562 cookielen = SCTP_CALC_COOKIE_LEN(ch); 563 iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen; 564 if (sctp->sctp_send_adaptation) 565 iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t)); 566 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 567 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) { 568 iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION); 569 } 570 if (initcollision) 571 iacklen += sctp_supaddr_param_len(sctp); 572 if (!linklocal) 573 iacklen += sctp_addr_params(sctp, supp_af, NULL, B_FALSE); 574 ipsctplen += sizeof (*iacksh) + iacklen; 575 iacklen += errlen; 576 if ((pad = ipsctplen % 4) != 0) { 577 pad = 4 - pad; 578 ipsctplen += pad; 579 } 580 581 /* 582 * If the listen socket is bound to a trusted extensions 583 * multi-label port, attach a copy of the listener's cred 584 * to the new INITACK mblk. Modify the cred to contain 585 * the security label of the received INIT packet. 586 * If not a multi-label port, attach the unmodified 587 * listener's cred directly. 588 * 589 * We expect Sun developed kernel modules to properly set 590 * cred labels for sctp connections. We can't be so sure this 591 * will be done correctly when 3rd party kernel modules 592 * directly use sctp. The initlabel panic guard logic was 593 * added to cover this possibility. 594 */ 595 if (sctp->sctp_connp->conn_mlp_type != mlptSingle) { 596 pid_t cpid; 597 598 cr = msg_getcred(initmp, &cpid); 599 if (cr == NULL || (initlabel = crgetlabel(cr)) == NULL) { 600 sctp_send_abort(sctp, sctp_init2vtag(ch), 601 SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0, B_FALSE); 602 return; 603 } 604 cr = copycred_from_bslabel(CONN_CRED(sctp->sctp_connp), 605 &initlabel->tsl_label, initlabel->tsl_doi, KM_NOSLEEP); 606 if (cr == NULL) { 607 sctp_send_abort(sctp, sctp_init2vtag(ch), 608 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 609 return; 610 } 611 iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra, 612 cr, cpid); 613 crfree(cr); 614 } else { 615 iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra, 616 CONN_CRED(sctp->sctp_connp), sctp->sctp_cpid); 617 } 618 if (iackmp == NULL) { 619 sctp_send_abort(sctp, sctp_init2vtag(ch), 620 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 621 return; 622 } 623 624 /* Copy in the [imcomplete] IP/SCTP composite header */ 625 p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra); 626 iackmp->b_rptr = (uchar_t *)p; 627 if (isv4) { 628 bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len); 629 iackiph = (ipha_t *)p; 630 631 /* Copy the peer's IP addr */ 632 iackiph->ipha_dst = initiph->ipha_src; 633 iackiph->ipha_src = initiph->ipha_dst; 634 iackiph->ipha_length = htons(ipsctplen + errlen); 635 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len); 636 } else { 637 bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len); 638 iackip6h = (ip6_t *)p; 639 640 /* Copy the peer's IP addr */ 641 iackip6h->ip6_dst = initip6h->ip6_src; 642 iackip6h->ip6_src = initip6h->ip6_dst; 643 iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) + 644 errlen); 645 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len); 646 } 647 ASSERT(OK_32PTR(iacksh)); 648 649 /* Fill in the holes in the SCTP common header */ 650 iacksh->sh_sport = initsh->sh_dport; 651 iacksh->sh_dport = initsh->sh_sport; 652 iacksh->sh_verf = init->sic_inittag; 653 654 /* INIT ACK chunk header */ 655 iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1); 656 iack_ch->sch_id = CHUNK_INIT_ACK; 657 iack_ch->sch_flags = 0; 658 iack_ch->sch_len = htons(iacklen); 659 660 /* The INIT ACK itself */ 661 iack = (sctp_init_chunk_t *)(iack_ch + 1); 662 iack->sic_inittag = itag; /* already in network byteorder */ 663 iack->sic_inittsn = htonl(itsn); 664 665 iack->sic_a_rwnd = htonl(sctp->sctp_rwnd); 666 /* Advertise what we would want to have as stream #'s */ 667 iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr, 668 ntohs(init->sic_instr))); 669 iack->sic_instr = htons(sctp->sctp_num_istr); 670 671 p = (char *)(iack + 1); 672 p += sctp_adaptation_code_param(sctp, (uchar_t *)p); 673 if (initcollision) 674 p += sctp_supaddr_param(sctp, (uchar_t *)p); 675 if (!linklocal) 676 p += sctp_addr_params(sctp, supp_af, (uchar_t *)p, B_FALSE); 677 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 678 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) { 679 p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION); 680 } 681 /* 682 * Generate and lay in the COOKIE parameter. 683 * 684 * Any change here that results in a change of location for 685 * the peer's orig source address must be propagated to the fn 686 * cl_sctp_cookie_paddr() above. 687 * 688 * The cookie consists of: 689 * 1. The relative timestamp for the cookie (lbolt64) 690 * 2. The cookie lifetime (uint32_t) in tick 691 * 3. The local tie-tag 692 * 4. The peer tie-tag 693 * 5. Peer's original src, used to confirm the validity of address. 694 * 6. Our INIT ACK chunk, less any parameters 695 * 7. The INIT chunk (may contain parameters) 696 * 8. 128-bit MD5 signature. 697 * 698 * Since the timestamp values will only be evaluated locally, we 699 * don't need to worry about byte-ordering them. 700 */ 701 cookieph = (sctp_parm_hdr_t *)p; 702 cookieph->sph_type = htons(PARM_COOKIE); 703 cookieph->sph_len = htons(cookielen); 704 705 /* timestamp */ 706 now = (int64_t *)(cookieph + 1); 707 nowt = lbolt64; 708 bcopy(&nowt, now, sizeof (*now)); 709 710 /* cookie lifetime -- need configuration */ 711 lifetime = (uint32_t *)(now + 1); 712 *lifetime = sctp->sctp_cookie_lifetime; 713 714 /* Set the tie-tags */ 715 ttag = (uint32_t *)(lifetime + 1); 716 if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) { 717 *ttag = 0; 718 ttag++; 719 *ttag = 0; 720 ttag++; 721 } else { 722 /* local tie-tag (network byte-order) */ 723 *ttag = sctp->sctp_lvtag; 724 ttag++; 725 /* peer tie-tag (network byte-order) */ 726 *ttag = sctp->sctp_fvtag; 727 ttag++; 728 } 729 /* 730 * Copy in peer's original source address so that we can confirm 731 * the reachability later. 732 */ 733 p = (char *)ttag; 734 if (isv4) { 735 in6_addr_t peer_addr; 736 737 IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr); 738 bcopy(&peer_addr, p, sizeof (in6_addr_t)); 739 } else { 740 bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t)); 741 } 742 p += sizeof (in6_addr_t); 743 /* Copy in our INIT ACK chunk */ 744 bcopy(iack, p, sizeof (*iack)); 745 iack = (sctp_init_chunk_t *)p; 746 /* Set the # of streams we'll end up using */ 747 iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr)); 748 iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr)); 749 p += sizeof (*iack); 750 751 /* Copy in the peer's INIT chunk */ 752 bcopy(ch, p, ntohs(ch->sch_len)); 753 p += ntohs(ch->sch_len); 754 755 /* 756 * Calculate the HMAC ICV into the digest slot in buf. 757 * First, generate a new secret if the current secret is 758 * older than the new secret lifetime parameter permits, 759 * copying the current secret to sctp_old_secret. 760 */ 761 if (sctps->sctps_new_secret_interval > 0 && 762 (sctp->sctp_last_secret_update + 763 MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) { 764 bcopy(sctp->sctp_secret, sctp->sctp_old_secret, 765 SCTP_SECRET_LEN); 766 (void) random_get_pseudo_bytes(sctp->sctp_secret, 767 SCTP_SECRET_LEN); 768 sctp->sctp_last_secret_update = nowt; 769 } 770 771 hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16, 772 (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p); 773 774 iackmp->b_wptr = iackmp->b_rptr + ipsctplen; 775 if (pad != 0) 776 bzero((iackmp->b_wptr - pad), pad); 777 778 iackmp->b_cont = errmp; /* OK if NULL */ 779 780 if (is_system_labeled() && (cr = msg_getcred(iackmp, NULL)) != NULL && 781 crgetlabel(cr) != NULL) { 782 conn_t *connp = sctp->sctp_connp; 783 int err; 784 785 if (isv4) 786 err = tsol_check_label(cr, &iackmp, 787 connp->conn_mac_exempt, 788 sctps->sctps_netstack->netstack_ip); 789 else 790 err = tsol_check_label_v6(cr, &iackmp, 791 connp->conn_mac_exempt, 792 sctps->sctps_netstack->netstack_ip); 793 if (err != 0) { 794 sctp_send_abort(sctp, sctp_init2vtag(ch), 795 SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE); 796 freemsg(iackmp); 797 return; 798 } 799 } 800 801 /* 802 * Stash the conn ptr info. for IP only as e don't have any 803 * cached IRE. 804 */ 805 SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL); 806 807 /* XXX sctp == sctp_g_q, so using its obchunks is valid */ 808 BUMP_LOCAL(sctp->sctp_opkts); 809 BUMP_LOCAL(sctp->sctp_obchunks); 810 811 /* OK to call IP_PUT() here instead of sctp_add_sendq(). */ 812 CONN_INC_REF(sctp->sctp_connp); 813 iackmp->b_flag |= MSGHASREF; 814 IP_PUT(iackmp, sctp->sctp_connp, isv4); 815 } 816 817 void 818 sctp_send_cookie_ack(sctp_t *sctp) 819 { 820 sctp_chunk_hdr_t *cach; 821 mblk_t *camp; 822 sctp_stack_t *sctps = sctp->sctp_sctps; 823 824 camp = sctp_make_mp(sctp, NULL, sizeof (*cach)); 825 if (camp == NULL) { 826 /* XXX should abort, but don't have the inmp anymore */ 827 SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed); 828 return; 829 } 830 831 cach = (sctp_chunk_hdr_t *)camp->b_wptr; 832 camp->b_wptr = (uchar_t *)(cach + 1); 833 cach->sch_id = CHUNK_COOKIE_ACK; 834 cach->sch_flags = 0; 835 cach->sch_len = htons(sizeof (*cach)); 836 837 sctp_set_iplen(sctp, camp); 838 839 BUMP_LOCAL(sctp->sctp_obchunks); 840 841 sctp_add_sendq(sctp, camp); 842 } 843 844 static int 845 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code) 846 { 847 848 if (len < sizeof (*sph)) 849 return (-1); 850 while (sph != NULL) { 851 if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) && 852 ntohs(sph->sph_len) >= (sizeof (*sph) + 853 sizeof (uint32_t))) { 854 *adaptation_code = *(uint32_t *)(sph + 1); 855 return (0); 856 } 857 sph = sctp_next_parm(sph, &len); 858 } 859 return (-1); 860 } 861 862 void 863 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp) 864 { 865 mblk_t *cemp; 866 mblk_t *mp = NULL; 867 mblk_t *head; 868 mblk_t *meta; 869 sctp_faddr_t *fp; 870 sctp_chunk_hdr_t *cech; 871 sctp_init_chunk_t *iack; 872 int32_t cansend; 873 int32_t seglen; 874 size_t ceclen; 875 sctp_parm_hdr_t *cph; 876 sctp_data_hdr_t *sdc; 877 sctp_tf_t *tf; 878 int pad = 0; 879 int hdrlen; 880 mblk_t *errmp = NULL; 881 uint_t sctp_options; 882 int error; 883 uint16_t old_num_str; 884 sctp_stack_t *sctps = sctp->sctp_sctps; 885 886 iack = (sctp_init_chunk_t *)(iackch + 1); 887 888 cph = NULL; 889 if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp, 890 &pad, &sctp_options) == 0) { /* result in 'pad' ignored */ 891 BUMP_MIB(&sctps->sctps_mib, sctpAborted); 892 sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL); 893 sctp_clean_death(sctp, ECONNABORTED); 894 return; 895 } 896 ASSERT(cph != NULL); 897 898 ASSERT(sctp->sctp_cookie_mp == NULL); 899 900 /* Got a cookie to echo back; allocate an mblk */ 901 ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph); 902 if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0) 903 pad = SCTP_ALIGN - pad; 904 905 if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION) 906 hdrlen = sctp->sctp_hdr_len; 907 else 908 hdrlen = sctp->sctp_hdr6_len; 909 910 cemp = allocb_cred(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad, 911 CONN_CRED(sctp->sctp_connp), sctp->sctp_cpid); 912 if (cemp == NULL) { 913 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 914 sctp->sctp_current->rto); 915 if (errmp != NULL) 916 freeb(errmp); 917 return; 918 } 919 cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen); 920 921 /* Process the INIT ACK */ 922 sctp->sctp_sctph->sh_verf = iack->sic_inittag; 923 sctp->sctp_sctph6->sh_verf = iack->sic_inittag; 924 sctp->sctp_fvtag = iack->sic_inittag; 925 sctp->sctp_ftsn = ntohl(iack->sic_inittsn); 926 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 927 sctp->sctp_fcsn = sctp->sctp_lastacked; 928 sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd); 929 930 /* 931 * Populate sctp with addresses given in the INIT ACK or IP header. 932 * Need to set the df bit in the current fp as it has been cleared 933 * in sctp_connect(). 934 */ 935 sctp->sctp_current->df = B_TRUE; 936 /* 937 * Since IP uses this info during the fanout process, we need to hold 938 * the lock for this hash line while performing this operation. 939 */ 940 /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, sctp->sctp_ports); */ 941 ASSERT(sctp->sctp_conn_tfp != NULL); 942 tf = sctp->sctp_conn_tfp; 943 /* sctp isn't a listener so only need to hold conn fanout lock */ 944 mutex_enter(&tf->tf_lock); 945 if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) { 946 mutex_exit(&tf->tf_lock); 947 freeb(cemp); 948 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 949 sctp->sctp_current->rto); 950 if (errmp != NULL) 951 freeb(errmp); 952 return; 953 } 954 mutex_exit(&tf->tf_lock); 955 956 fp = sctp->sctp_current; 957 958 /* 959 * There could be a case when we get an INIT-ACK again, if the INIT 960 * is re-transmitted, for e.g., which means we would have already 961 * allocated this resource earlier (also for sctp_instr). In this 962 * case we check and re-allocate, if necessary. 963 */ 964 old_num_str = sctp->sctp_num_ostr; 965 if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr) 966 sctp->sctp_num_ostr = ntohs(iack->sic_instr); 967 if (sctp->sctp_ostrcntrs == NULL) { 968 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 969 sctp->sctp_num_ostr, KM_NOSLEEP); 970 } else { 971 ASSERT(old_num_str > 0); 972 if (old_num_str != sctp->sctp_num_ostr) { 973 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 974 old_num_str); 975 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 976 sctp->sctp_num_ostr, KM_NOSLEEP); 977 } 978 } 979 if (sctp->sctp_ostrcntrs == NULL) { 980 freeb(cemp); 981 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 982 if (errmp != NULL) 983 freeb(errmp); 984 return; 985 } 986 987 /* 988 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs 989 * hold here too. 990 */ 991 old_num_str = sctp->sctp_num_istr; 992 if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr) 993 sctp->sctp_num_istr = ntohs(iack->sic_outstr); 994 if (sctp->sctp_instr == NULL) { 995 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 996 sctp->sctp_num_istr, KM_NOSLEEP); 997 } else { 998 ASSERT(old_num_str > 0); 999 if (old_num_str != sctp->sctp_num_istr) { 1000 kmem_free(sctp->sctp_instr, 1001 sizeof (*sctp->sctp_instr) * old_num_str); 1002 sctp->sctp_instr = kmem_zalloc( 1003 sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr, 1004 KM_NOSLEEP); 1005 } 1006 } 1007 if (sctp->sctp_instr == NULL) { 1008 kmem_free(sctp->sctp_ostrcntrs, 1009 sizeof (uint16_t) * sctp->sctp_num_ostr); 1010 freeb(cemp); 1011 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1012 if (errmp != NULL) 1013 freeb(errmp); 1014 return; 1015 } 1016 1017 if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware) 1018 sctp->sctp_prsctp_aware = B_FALSE; 1019 1020 if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1), 1021 ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)), 1022 &sctp->sctp_rx_adaptation_code) == 0) { 1023 sctp->sctp_recv_adaptation = 1; 1024 } 1025 1026 cech = (sctp_chunk_hdr_t *)cemp->b_rptr; 1027 ASSERT(OK_32PTR(cech)); 1028 cech->sch_id = CHUNK_COOKIE; 1029 cech->sch_flags = 0; 1030 cech->sch_len = htons(ceclen); 1031 1032 /* Copy the cookie (less the parm hdr) to the chunk */ 1033 bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph)); 1034 1035 cemp->b_wptr = cemp->b_rptr + ceclen; 1036 1037 if (sctp->sctp_unsent > 0) { 1038 sctp_msg_hdr_t *smh; 1039 mblk_t *prev = NULL; 1040 uint32_t unsent = 0; 1041 1042 mp = sctp->sctp_xmit_unsent; 1043 do { 1044 smh = (sctp_msg_hdr_t *)mp->b_rptr; 1045 if (smh->smh_sid >= sctp->sctp_num_ostr) { 1046 unsent += smh->smh_msglen; 1047 if (prev != NULL) 1048 prev->b_next = mp->b_next; 1049 else 1050 sctp->sctp_xmit_unsent = mp->b_next; 1051 mp->b_next = NULL; 1052 sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID, 1053 B_FALSE); 1054 if (prev != NULL) 1055 mp = prev->b_next; 1056 else 1057 mp = sctp->sctp_xmit_unsent; 1058 } else { 1059 prev = mp; 1060 mp = mp->b_next; 1061 } 1062 } while (mp != NULL); 1063 if (unsent > 0) { 1064 ASSERT(sctp->sctp_unsent >= unsent); 1065 sctp->sctp_unsent -= unsent; 1066 /* 1067 * Update ULP the amount of queued data, which is 1068 * sent-unack'ed + unsent. 1069 * This is not necessary, but doesn't harm, we 1070 * just use unsent instead of sent-unack'ed + 1071 * unsent, since there won't be any sent-unack'ed 1072 * here. 1073 */ 1074 if (!SCTP_IS_DETACHED(sctp)) 1075 SCTP_TXQ_UPDATE(sctp); 1076 } 1077 if (sctp->sctp_xmit_unsent == NULL) 1078 sctp->sctp_xmit_unsent_tail = NULL; 1079 } 1080 ceclen += pad; 1081 cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd); 1082 meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen, 1083 cansend, NULL); 1084 /* 1085 * The error cannot be anything else since we could have an non-zero 1086 * error only if sctp_get_msg_to_send() tries to send a Forward 1087 * TSN which will not happen here. 1088 */ 1089 ASSERT(error == 0); 1090 if (meta == NULL) 1091 goto sendcookie; 1092 sctp->sctp_xmit_tail = meta; 1093 sdc = (sctp_data_hdr_t *)mp->b_rptr; 1094 seglen = ntohs(sdc->sdh_len); 1095 if ((ceclen + seglen) > fp->sfa_pmss || 1096 (seglen - sizeof (*sdc)) > cansend) { 1097 goto sendcookie; 1098 } 1099 /* OK, if this fails */ 1100 cemp->b_cont = dupmsg(mp); 1101 sendcookie: 1102 head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL); 1103 if (head == NULL) { 1104 freemsg(cemp); 1105 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1106 if (errmp != NULL) 1107 freeb(errmp); 1108 SCTP_KSTAT(sctps, sctp_send_cookie_failed); 1109 return; 1110 } 1111 /* 1112 * Even if cookie-echo exceeds MTU for one of the hops, it'll 1113 * have a chance of getting there. 1114 */ 1115 if (fp->isv4) { 1116 ipha_t *iph = (ipha_t *)head->b_rptr; 1117 iph->ipha_fragment_offset_and_flags = 0; 1118 } 1119 BUMP_LOCAL(sctp->sctp_obchunks); 1120 1121 sctp->sctp_cookie_mp = dupmsg(head); 1122 /* Don't bundle, we will just resend init if this cookie is lost. */ 1123 if (sctp->sctp_cookie_mp == NULL) { 1124 if (cemp->b_cont != NULL) { 1125 freemsg(cemp->b_cont); 1126 cemp->b_cont = NULL; 1127 } 1128 } else if (cemp->b_cont != NULL) { 1129 ASSERT(mp != NULL && mp == meta->b_cont); 1130 SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont); 1131 cemp->b_wptr += pad; 1132 seglen -= sizeof (*sdc); 1133 SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta); 1134 } 1135 if (errmp != NULL) { 1136 if (cemp->b_cont == NULL) 1137 cemp->b_wptr += pad; 1138 linkb(head, errmp); 1139 } 1140 sctp->sctp_state = SCTPS_COOKIE_ECHOED; 1141 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1142 1143 sctp_set_iplen(sctp, head); 1144 sctp_add_sendq(sctp, head); 1145 } 1146 1147 int 1148 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp, 1149 sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaptation, 1150 in6_addr_t *peer_addr) 1151 { 1152 int32_t clen; 1153 size_t initplen; 1154 uchar_t *p; 1155 uchar_t *given_hash; 1156 uchar_t needed_hash[16]; 1157 int64_t ts; 1158 int64_t diff; 1159 uint32_t *lt; 1160 sctp_init_chunk_t *iack; 1161 sctp_chunk_hdr_t *initch; 1162 sctp_init_chunk_t *init; 1163 uint32_t *lttag; 1164 uint32_t *fttag; 1165 uint32_t ports; 1166 sctp_stack_t *sctps = sctp->sctp_sctps; 1167 1168 BUMP_LOCAL(sctp->sctp_ibchunks); 1169 /* Verify the ICV */ 1170 clen = ntohs(ch->sch_len) - sizeof (*ch) - 16; 1171 if (clen < 0) { 1172 dprint(1, ("invalid cookie chunk length %d\n", 1173 ntohs(ch->sch_len))); 1174 1175 return (-1); 1176 } 1177 p = (uchar_t *)(ch + 1); 1178 1179 hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, 1180 needed_hash); 1181 1182 /* The given hash follows the cookie data */ 1183 given_hash = p + clen; 1184 1185 if (bcmp(given_hash, needed_hash, 16) != 0) { 1186 /* The secret may have changed; try the old secret */ 1187 hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret, 1188 SCTP_SECRET_LEN, needed_hash); 1189 if (bcmp(given_hash, needed_hash, 16) != 0) { 1190 return (-1); 1191 } 1192 } 1193 1194 /* Timestamp is int64_t, and we only guarantee 32-bit alignment */ 1195 bcopy(p, &ts, sizeof (ts)); 1196 /* Cookie life time, uint32_t */ 1197 lt = (uint32_t *)(p + sizeof (ts)); 1198 1199 /* 1200 * To quote PRC, "this is our baby", so let's continue. 1201 * We need to pull out the encapsulated INIT ACK and 1202 * INIT chunks. Note that we don't process these until 1203 * we have verified the timestamp, but we need them before 1204 * processing the timestamp since if the time check fails, 1205 * we need to get the verification tag from the INIT in order 1206 * to send a stale cookie error. 1207 */ 1208 lttag = (uint32_t *)(lt + 1); 1209 fttag = lttag + 1; 1210 if (peer_addr != NULL) 1211 bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t)); 1212 iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t)); 1213 initch = (sctp_chunk_hdr_t *)(iack + 1); 1214 init = (sctp_init_chunk_t *)(initch + 1); 1215 initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch)); 1216 *iackpp = iack; 1217 *recv_adaptation = 0; 1218 1219 /* 1220 * Check the staleness of the Cookie, specified in 3.3.10.3 of 1221 * RFC 2960. 1222 * 1223 * The mesaure of staleness is the difference, in microseconds, 1224 * between the current time and the time the State Cookie expires. 1225 * So it is lbolt64 - (ts + *lt). If it is positive, it means 1226 * that the Cookie has expired. 1227 */ 1228 diff = lbolt64 - (ts + *lt); 1229 if (diff > 0 && (init->sic_inittag != sctp->sctp_fvtag || 1230 iack->sic_inittag != sctp->sctp_lvtag)) { 1231 uint32_t staleness; 1232 1233 staleness = TICK_TO_USEC(diff); 1234 staleness = htonl(staleness); 1235 sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE, 1236 (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE); 1237 1238 dprint(1, ("stale cookie %d\n", staleness)); 1239 1240 return (-1); 1241 } 1242 1243 /* Check for attack by adding addresses to a restart */ 1244 bcopy(insctph, &ports, sizeof (ports)); 1245 if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP, 1246 sctps) != 1) { 1247 return (-1); 1248 } 1249 1250 /* Look for adaptation code if there any parms in the INIT chunk */ 1251 if ((initplen >= sizeof (sctp_parm_hdr_t)) && 1252 (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen, 1253 &sctp->sctp_rx_adaptation_code) == 0)) { 1254 *recv_adaptation = 1; 1255 } 1256 1257 /* Examine tie-tags */ 1258 1259 if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) { 1260 if (sctp->sctp_state == SCTPS_ESTABLISHED && 1261 init->sic_inittag == sctp->sctp_fvtag && 1262 iack->sic_inittag == sctp->sctp_lvtag && 1263 *fttag == 0 && *lttag == 0) { 1264 1265 dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n", 1266 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1267 (int)(sctp->sctp_fport))); 1268 return (-1); 1269 } 1270 1271 if (init->sic_inittag != sctp->sctp_fvtag && 1272 iack->sic_inittag != sctp->sctp_lvtag && 1273 *fttag == sctp->sctp_fvtag && 1274 *lttag == sctp->sctp_lvtag) { 1275 int i; 1276 1277 /* Section 5.2.4 case A: restart */ 1278 sctp->sctp_fvtag = init->sic_inittag; 1279 sctp->sctp_lvtag = iack->sic_inittag; 1280 1281 sctp->sctp_sctph->sh_verf = init->sic_inittag; 1282 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 1283 1284 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 1285 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 1286 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 1287 sctp->sctp_fcsn = sctp->sctp_lastacked; 1288 1289 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1290 sctp->sctp_state = SCTPS_ESTABLISHED; 1291 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1292 } 1293 1294 dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n", 1295 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1296 (int)(sctp->sctp_fport))); 1297 /* reset parameters */ 1298 sctp_congest_reset(sctp); 1299 1300 /* reset stream bookkeeping */ 1301 sctp_instream_cleanup(sctp, B_FALSE); 1302 1303 sctp->sctp_istr_nmsgs = 0; 1304 sctp->sctp_rxqueued = 0; 1305 for (i = 0; i < sctp->sctp_num_ostr; i++) { 1306 sctp->sctp_ostrcntrs[i] = 0; 1307 } 1308 /* XXX flush xmit_list? */ 1309 1310 return (0); 1311 } else if (init->sic_inittag != sctp->sctp_fvtag && 1312 iack->sic_inittag == sctp->sctp_lvtag) { 1313 1314 /* Section 5.2.4 case B: INIT collision */ 1315 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1316 if (!sctp_initialize_params(sctp, init, iack)) 1317 return (-1); /* Drop? */ 1318 sctp->sctp_state = SCTPS_ESTABLISHED; 1319 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1320 } 1321 1322 dprint(1, ("init collision with %x:%x:%x:%x (%d)\n", 1323 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1324 (int)(sctp->sctp_fport))); 1325 1326 return (0); 1327 } else if (iack->sic_inittag != sctp->sctp_lvtag && 1328 init->sic_inittag == sctp->sctp_fvtag && 1329 *fttag == 0 && *lttag == 0) { 1330 1331 /* Section 5.2.4 case C: late COOKIE */ 1332 dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n", 1333 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1334 (int)(sctp->sctp_fport))); 1335 return (-1); 1336 } else if (init->sic_inittag == sctp->sctp_fvtag && 1337 iack->sic_inittag == sctp->sctp_lvtag) { 1338 1339 /* 1340 * Section 5.2.4 case D: COOKIE ECHO retransmit 1341 * Don't check cookie lifetime 1342 */ 1343 dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n", 1344 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1345 (int)(sctp->sctp_fport))); 1346 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1347 if (!sctp_initialize_params(sctp, init, iack)) 1348 return (-1); /* Drop? */ 1349 sctp->sctp_state = SCTPS_ESTABLISHED; 1350 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1351 } 1352 return (0); 1353 } else { 1354 /* unrecognized case -- silently drop it */ 1355 return (-1); 1356 } 1357 } 1358 1359 return (0); 1360 } 1361 1362 /* 1363 * Similar to ip_fanout_sctp, except that the src addr(s) are drawn 1364 * from address parameters in an INIT ACK's address list. This 1365 * function is used when an INIT ACK is received but IP's fanout 1366 * function could not find a sctp via the normal lookup routine. 1367 * This can happen when a host sends an INIT ACK from a different 1368 * address than the INIT was sent to. 1369 * 1370 * Returns the sctp_t if found, or NULL if not found. 1371 */ 1372 sctp_t * 1373 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich, 1374 zoneid_t zoneid, sctp_stack_t *sctps) 1375 { 1376 int isv4; 1377 ipha_t *iph; 1378 ip6_t *ip6h; 1379 in6_addr_t dst; 1380 in6_addr_t src; 1381 sctp_parm_hdr_t *ph; 1382 ssize_t remaining; 1383 sctp_init_chunk_t *iack; 1384 uint32_t ports; 1385 sctp_t *sctp = NULL; 1386 1387 ASSERT(ich->sch_id == CHUNK_INIT_ACK); 1388 1389 isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION); 1390 if (isv4) { 1391 iph = (ipha_t *)mp->b_rptr; 1392 IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst); 1393 } else { 1394 ip6h = (ip6_t *)mp->b_rptr; 1395 dst = ip6h->ip6_dst; 1396 } 1397 1398 ports = *(uint32_t *)sctph; 1399 1400 dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n", 1401 ports, SCTP_PRINTADDR(dst))); 1402 1403 /* pull out any address parameters */ 1404 remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack); 1405 if (remaining < sizeof (*ph)) { 1406 return (NULL); 1407 } 1408 1409 iack = (sctp_init_chunk_t *)(ich + 1); 1410 ph = (sctp_parm_hdr_t *)(iack + 1); 1411 1412 while (ph != NULL) { 1413 /* 1414 * params have been put in host byteorder by 1415 * sctp_check_input() 1416 */ 1417 if (ph->sph_type == PARM_ADDR4) { 1418 IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1), 1419 &src); 1420 1421 sctp = sctp_conn_match(&src, &dst, ports, zoneid, 1422 sctps); 1423 1424 dprint(1, 1425 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1426 SCTP_PRINTADDR(src), (void *)sctp)); 1427 1428 1429 if (sctp != NULL) { 1430 return (sctp); 1431 } 1432 } else if (ph->sph_type == PARM_ADDR6) { 1433 src = *(in6_addr_t *)(ph + 1); 1434 sctp = sctp_conn_match(&src, &dst, ports, zoneid, 1435 sctps); 1436 1437 dprint(1, 1438 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1439 SCTP_PRINTADDR(src), (void *)sctp)); 1440 1441 if (sctp != NULL) { 1442 return (sctp); 1443 } 1444 } 1445 1446 ph = sctp_next_parm(ph, &remaining); 1447 } 1448 1449 return (NULL); 1450 } 1451