xref: /titanic_50/usr/src/uts/common/inet/sctp/sctp_cookie.c (revision 45916cd2fec6e79bca5dee0421bd39e3c2910d1e)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 #include <sys/systm.h>
30 #include <sys/stream.h>
31 #include <sys/cmn_err.h>
32 #include <sys/md5.h>
33 #include <sys/kmem.h>
34 #include <sys/strsubr.h>
35 #include <sys/random.h>
36 #include <sys/tsol/tnet.h>
37 
38 #include <netinet/in.h>
39 #include <netinet/ip6.h>
40 
41 #include <inet/common.h>
42 #include <inet/ip.h>
43 #include <inet/ip6.h>
44 #include <inet/sctp_ip.h>
45 #include <inet/ipclassifier.h>
46 #include "sctp_impl.h"
47 
48 /*
49  * Helper function for SunCluster (PSARC/2005/602) to get the original source
50  * address from the COOKIE
51  */
52 int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *);
53 
54 /*
55  * From RFC 2104. This should probably go into libmd5 (and while
56  * we're at it, maybe we should make a libdigest so we can later
57  * add SHA1 and others, esp. since some weaknesses have been found
58  * with MD5).
59  *
60  * text		IN			pointer to data stream
61  * text_len	IN			length of data stream
62  * key		IN			pointer to authentication key
63  * key_len	IN			length of authentication key
64  * digest	OUT			caller digest to be filled in
65  */
66 static void
67 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len,
68     uchar_t *digest)
69 {
70 	MD5_CTX context;
71 	uchar_t k_ipad[65];	/* inner padding - key XORd with ipad */
72 	uchar_t k_opad[65];	/* outer padding - key XORd with opad */
73 	uchar_t tk[16];
74 	int i;
75 
76 	/* if key is longer than 64 bytes reset it to key=MD5(key) */
77 	if (key_len > 64) {
78 		MD5_CTX tctx;
79 
80 		MD5Init(&tctx);
81 		MD5Update(&tctx, key, key_len);
82 		MD5Final(tk, &tctx);
83 
84 		key = tk;
85 		key_len = 16;
86 	}
87 
88 	/*
89 	 * the HMAC_MD5 transform looks like:
90 	 *
91 	 * MD5(K XOR opad, MD5(K XOR ipad, text))
92 	 *
93 	 * where K is an n byte key
94 	 * ipad is the byte 0x36 repeated 64 times
95 	 * opad is the byte 0x5c repeated 64 times
96 	 * and text is the data being protected
97 	 */
98 
99 	/* start out by storing key in pads */
100 	bzero(k_ipad, sizeof (k_ipad));
101 	bzero(k_opad, sizeof (k_opad));
102 	bcopy(key, k_ipad, key_len);
103 	bcopy(key, k_opad, key_len);
104 
105 	/* XOR key with ipad and opad values */
106 	for (i = 0; i < 64; i++) {
107 		k_ipad[i] ^= 0x36;
108 		k_opad[i] ^= 0x5c;
109 	}
110 	/*
111 	 * perform inner MD5
112 	 */
113 	MD5Init(&context);			/* init context for 1st */
114 						/* pass */
115 	MD5Update(&context, k_ipad, 64);	/* start with inner pad */
116 	MD5Update(&context, text, text_len);	/* then text of datagram */
117 	MD5Final(digest, &context);		/* finish up 1st pass */
118 	/*
119 	 * perform outer MD5
120 	 */
121 	MD5Init(&context);			/* init context for 2nd */
122 						/* pass */
123 	MD5Update(&context, k_opad, 64);	/* start with outer pad */
124 	MD5Update(&context, digest, 16);	/* then results of 1st */
125 						/* hash */
126 	MD5Final(digest, &context);		/* finish up 2nd pass */
127 }
128 
129 /*
130  * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP
131  * info in initmp to send the abort. Otherwise, no abort will be sent.
132  * If errmp is non-NULL, a chain of unrecognized parameters will
133  * be created and returned via *errmp.
134  *
135  * Returns 1 if the parameters are OK (or there are no parameters), or
136  * 0 if not.
137  */
138 static int
139 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch,
140     sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie,
141     mblk_t **errmp, int *supp_af, uint_t *sctp_options)
142 {
143 	sctp_parm_hdr_t		*cph;
144 	sctp_init_chunk_t	*ic;
145 	ssize_t			remaining;
146 	uint16_t		serror = 0;
147 	char			*details = NULL;
148 	size_t			errlen = 0;
149 	boolean_t		got_cookie = B_FALSE;
150 	uint16_t		ptype;
151 
152 	if (sctp_options != NULL)
153 		*sctp_options = 0;
154 
155 	/* First validate stream parameters */
156 	if (init->sic_instr == 0 || init->sic_outstr == 0) {
157 		serror = SCTP_ERR_BAD_MANDPARM;
158 		dprint(1,
159 		    ("validate_init_params: bad sid, is=%d os=%d\n",
160 			htons(init->sic_instr), htons(init->sic_outstr)));
161 		goto abort;
162 	}
163 	if (ntohl(init->sic_inittag) == 0) {
164 		serror = SCTP_ERR_BAD_MANDPARM;
165 		dprint(1, ("validate_init_params: inittag = 0\n"));
166 		goto abort;
167 	}
168 
169 	remaining = ntohs(ch->sch_len) - sizeof (*ch);
170 	ic = (sctp_init_chunk_t *)(ch + 1);
171 	remaining -= sizeof (*ic);
172 	if (remaining < sizeof (*cph)) {
173 		/* Nothing to validate */
174 		if (want_cookie != NULL)
175 			goto cookie_abort;
176 		return (1);
177 	}
178 
179 	cph = (sctp_parm_hdr_t *)(ic + 1);
180 
181 	while (cph != NULL) {
182 		ptype = ntohs(cph->sph_type);
183 		switch (ptype) {
184 		case PARM_HBINFO:
185 		case PARM_UNRECOGNIZED:
186 		case PARM_ECN:
187 			/* just ignore them */
188 			break;
189 		case PARM_FORWARD_TSN:
190 			if (sctp_options != NULL)
191 				*sctp_options |= SCTP_PRSCTP_OPTION;
192 			break;
193 		case PARM_COOKIE:
194 			got_cookie = B_TRUE;
195 			if (want_cookie != NULL) {
196 				*want_cookie = cph;
197 			}
198 			break;
199 		case PARM_ADDR4:
200 			*supp_af |= PARM_SUPP_V4;
201 			break;
202 		case PARM_ADDR6:
203 			*supp_af |= PARM_SUPP_V6;
204 			break;
205 		case PARM_COOKIE_PRESERVE:
206 		case PARM_ADAPT_LAYER_IND:
207 			/* These are OK */
208 			break;
209 		case PARM_ADDR_HOST_NAME:
210 			/* Don't support this; abort the association */
211 			serror = SCTP_ERR_BAD_ADDR;
212 			details = (char *)cph;
213 			errlen = ntohs(cph->sph_len);
214 			dprint(1, ("sctp:validate_init_params: host addr\n"));
215 			goto abort;
216 		case PARM_SUPP_ADDRS: {
217 			/* Make sure we have a supported addr intersection */
218 			uint16_t *p, addrtype;
219 			int plen;
220 
221 			plen = ntohs(cph->sph_len);
222 			p = (uint16_t *)(cph + 1);
223 			while (plen > 0) {
224 				addrtype = ntohs(*p);
225 				switch (addrtype) {
226 				case PARM_ADDR6:
227 					*supp_af |= PARM_SUPP_V6;
228 					break;
229 				case PARM_ADDR4:
230 					*supp_af |= PARM_SUPP_V4;
231 					break;
232 				default:
233 					/*
234 					 * Do nothing, silently ignore hostname
235 					 * address.
236 					 */
237 					break;
238 				}
239 				p++;
240 				plen -= sizeof (*p);
241 			}
242 			break;
243 		}
244 		default:
245 			/* Unrecognized param; check the high order bits */
246 			if ((ptype & 0xc000) == 0xc000) {
247 				/*
248 				 * report unrecognized param, and
249 				 * keep processing
250 				 */
251 				if (errmp != NULL) {
252 					if (want_cookie != NULL) {
253 						*errmp = sctp_make_err(sctp,
254 						    PARM_UNRECOGNIZED,
255 						    (void *)cph,
256 						    ntohs(cph->sph_len));
257 					} else {
258 						sctp_add_unrec_parm(cph, errmp);
259 					}
260 				}
261 				break;
262 			}
263 			if (ptype & 0x4000) {
264 				/*
265 				 * Stop processing and drop; report
266 				 * unrecognized param
267 				 */
268 				serror = SCTP_ERR_UNREC_PARM;
269 				details = (char *)cph;
270 				errlen = ntohs(cph->sph_len);
271 				goto abort;
272 			}
273 			if (ptype & 0x8000) {
274 				/* skip and continue processing */
275 				break;
276 			}
277 
278 			/*
279 			 * 2 high bits are clear; stop processing and
280 			 * drop packet
281 			 */
282 			return (0);
283 		}
284 
285 		cph = sctp_next_parm(cph, &remaining);
286 	}
287 	/*
288 	 * Some sanity checks.  The following should not fail unless the
289 	 * other side is broken.
290 	 *
291 	 * 1. If this is a V4 endpoint but V4 address is not
292 	 * supported, abort.
293 	 * 2. If this is a V6 only endpoint but V6 address is
294 	 * not supported, abort.  This assumes that a V6
295 	 * endpoint can use both V4 and V6 addresses.
296 	 * We only care about supp_af when processing INIT, i.e want_cookie
297 	 * is NULL.
298 	 */
299 	if (want_cookie == NULL &&
300 	    ((sctp->sctp_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) ||
301 	    (sctp->sctp_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) &&
302 	    sctp->sctp_connp->conn_ipv6_v6only))) {
303 		dprint(1, ("sctp:validate_init_params: supp addr\n"));
304 		serror = SCTP_ERR_BAD_ADDR;
305 		goto abort;
306 	}
307 
308 	if (want_cookie != NULL && !got_cookie) {
309 cookie_abort:
310 		dprint(1, ("validate_init_params: cookie absent\n"));
311 		sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM,
312 		    details, errlen, inmp, 0, B_FALSE);
313 		return (0);
314 	}
315 
316 	/* OK */
317 	return (1);
318 
319 abort:
320 	if (want_cookie != NULL)
321 		return (0);
322 
323 	sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details,
324 	    errlen, inmp, 0, B_FALSE);
325 	return (0);
326 }
327 
328 /*
329  * Initialize params from the INIT and INIT-ACK when the assoc. is
330  * established.
331  */
332 boolean_t
333 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init,
334     sctp_init_chunk_t *iack)
335 {
336 	/* Get initial TSN */
337 	sctp->sctp_ftsn = ntohl(init->sic_inittsn);
338 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
339 
340 	/* Serial number is initialized to the same value as the TSN */
341 	sctp->sctp_fcsn = sctp->sctp_lastacked;
342 
343 	/*
344 	 * Get verification tags; no byteordering is necessary, since
345 	 * verfication tags are never processed except for byte-by-byte
346 	 * comparisons.
347 	 */
348 	sctp->sctp_fvtag = init->sic_inittag;
349 	sctp->sctp_sctph->sh_verf = init->sic_inittag;
350 	sctp->sctp_sctph6->sh_verf = init->sic_inittag;
351 	sctp->sctp_lvtag = iack->sic_inittag;
352 
353 	/* Get the peer's rwnd */
354 	sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
355 
356 	/* Allocate the in/out-stream counters */
357 	sctp->sctp_num_ostr = iack->sic_outstr;
358 	sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
359 	    sctp->sctp_num_ostr, KM_NOSLEEP);
360 	if (sctp->sctp_ostrcntrs == NULL)
361 		return (B_FALSE);
362 
363 	sctp->sctp_num_istr = iack->sic_instr;
364 	sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
365 	    sctp->sctp_num_istr, KM_NOSLEEP);
366 	if (sctp->sctp_instr == NULL) {
367 		kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
368 		    sctp->sctp_num_ostr);
369 		sctp->sctp_ostrcntrs = NULL;
370 		return (B_FALSE);
371 	}
372 	return (B_TRUE);
373 }
374 
375 /*
376  * Copy the peer's original source address into addr. This relies on the
377  * following format (see sctp_send_initack() below):
378  * 	relative timestamp for the cookie (int64_t) +
379  * 	cookie lifetime (uint32_t) +
380  * 	local tie-tag (uint32_t) +  peer tie-tag (uint32_t) +
381  * 	Peer's original src ...
382  */
383 int
384 cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr)
385 {
386 	uchar_t	*off;
387 
388 	ASSERT(addr != NULL);
389 
390 	if (ch->sch_id != CHUNK_COOKIE)
391 		return (EINVAL);
392 
393 	off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) +
394 	    sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t);
395 
396 	bcopy(off, addr, sizeof (*addr));
397 
398 	return (0);
399 }
400 
401 #define	SCTP_CALC_COOKIE_LEN(initcp) \
402 	sizeof (int64_t) +		/* timestamp */			\
403 	sizeof (uint32_t) +		/* cookie lifetime */		\
404 	sizeof (sctp_init_chunk_t) +	/* INIT ACK */			\
405 	sizeof (in6_addr_t) +		/* peer's original source */ 	\
406 	ntohs((initcp)->sch_len) +	/* peer's INIT */		\
407 	sizeof (uint32_t) +		/* local tie-tag */		\
408 	sizeof (uint32_t) +		/* peer tie-tag */		\
409 	sizeof (sctp_parm_hdr_t) +	/* param header */		\
410 	16				/* MD5 hash */
411 
412 void
413 sctp_send_initack(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *initmp)
414 {
415 	ipha_t			*initiph;
416 	ip6_t			*initip6h;
417 	ipha_t			*iackiph;
418 	ip6_t			*iackip6h;
419 	sctp_chunk_hdr_t	*iack_ch;
420 	sctp_init_chunk_t	*iack;
421 	sctp_init_chunk_t	*init;
422 	sctp_hdr_t		*iacksh;
423 	sctp_hdr_t		*initsh;
424 	size_t			cookielen;
425 	size_t			iacklen;
426 	size_t			ipsctplen;
427 	size_t			errlen = 0;
428 	sctp_parm_hdr_t		*cookieph;
429 	mblk_t			*iackmp;
430 	uint32_t		itag;
431 	uint32_t		itsn;
432 	int64_t			*now;
433 	int64_t			nowt;
434 	uint32_t		*lifetime;
435 	char			*p;
436 	boolean_t		 isv4;
437 	int			supp_af = 0;
438 	uint_t			sctp_options;
439 	uint32_t		*ttag;
440 	int			pad;
441 	mblk_t			*errmp = NULL;
442 	boolean_t		initcollision = B_FALSE;
443 	boolean_t		linklocal = B_FALSE;
444 	cred_t			*cr;
445 
446 	BUMP_LOCAL(sctp->sctp_ibchunks);
447 	isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION);
448 
449 	/* Extract the INIT chunk */
450 	if (isv4) {
451 		initiph = (ipha_t *)initmp->b_rptr;
452 		initsh = (sctp_hdr_t *)((char *)initiph +
453 		    IPH_HDR_LENGTH(initmp->b_rptr));
454 		ipsctplen = sctp->sctp_ip_hdr_len;
455 		supp_af |= PARM_SUPP_V4;
456 	} else {
457 		initip6h = (ip6_t *)initmp->b_rptr;
458 		initsh = (sctp_hdr_t *)(initip6h + 1);
459 		ipsctplen = sctp->sctp_ip_hdr6_len;
460 		if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src))
461 			linklocal = B_TRUE;
462 		supp_af |= PARM_SUPP_V6;
463 	}
464 	ASSERT(OK_32PTR(initsh));
465 	init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch));
466 
467 	/* Make sure we like the peer's parameters */
468 	if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp,
469 		&supp_af, &sctp_options) == 0) {
470 		return;
471 	}
472 	if (errmp != NULL)
473 		errlen = msgdsize(errmp);
474 	if (sctp->sctp_family == AF_INET) {
475 		/*
476 		 * Irregardless of the supported address in the INIT, v4
477 		 * must be supported.
478 		 */
479 		supp_af = PARM_SUPP_V4;
480 	}
481 	if (sctp->sctp_state <= SCTPS_LISTEN) {
482 		/* normal, expected INIT: generate new vtag and itsn */
483 		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
484 		if (itag == 0)
485 			itag = (uint32_t)gethrtime();
486 		itsn = itag + 1;
487 		itag = htonl(itag);
488 	} else if (sctp->sctp_state == SCTPS_COOKIE_WAIT ||
489 	    sctp->sctp_state == SCTPS_COOKIE_ECHOED) {
490 		/* init collision; copy vtag and itsn from sctp */
491 		itag = sctp->sctp_lvtag;
492 		itsn = sctp->sctp_ltsn;
493 		/*
494 		 * In addition we need to send all the params that was sent
495 		 * in our INIT chunk. Essentially, it is only the supported
496 		 * address params that we need to add.
497 		 */
498 		initcollision = B_TRUE;
499 		/*
500 		 * When we sent the INIT, we should have set linklocal in
501 		 * the sctp which should be good enough.
502 		 */
503 		if (linklocal)
504 			linklocal = B_FALSE;
505 	} else {
506 		/* peer restart; generate new vtag but keep everything else */
507 		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
508 		if (itag == 0)
509 			itag = (uint32_t)gethrtime();
510 		itag = htonl(itag);
511 		itsn = sctp->sctp_ltsn;
512 	}
513 
514 	/*
515 	 * Allocate a mblk for the INIT ACK, consisting of the link layer
516 	 * header, the IP header, the SCTP common header, and INIT ACK chunk,
517 	 * and finally the COOKIE parameter.
518 	 */
519 	cookielen = SCTP_CALC_COOKIE_LEN(ch);
520 	iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen;
521 	if (sctp->sctp_send_adaption)
522 		iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t));
523 	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
524 	    sctp->sctp_prsctp_aware && sctp_prsctp_enabled) {
525 		iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION);
526 	}
527 	if (initcollision)
528 		iacklen += sctp_supaddr_param_len(sctp);
529 	if (!linklocal)
530 		iacklen += sctp_addr_params_len(sctp, supp_af, B_FALSE);
531 	ipsctplen += sizeof (*iacksh) + iacklen;
532 	iacklen += errlen;
533 	if ((pad = ipsctplen % 4) != 0) {
534 		pad = 4 - pad;
535 		ipsctplen += pad;
536 	}
537 	iackmp = allocb_cred(ipsctplen + sctp_wroff_xtra,
538 	    CONN_CRED(sctp->sctp_connp));
539 	if (iackmp == NULL) {
540 		sctp_send_abort(sctp, sctp_init2vtag(ch),
541 		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE);
542 		return;
543 	}
544 
545 	/* Copy in the [imcomplete] IP/SCTP composite header */
546 	p = (char *)(iackmp->b_rptr + sctp_wroff_xtra);
547 	iackmp->b_rptr = (uchar_t *)p;
548 	if (isv4) {
549 		bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len);
550 		iackiph = (ipha_t *)p;
551 
552 		/* Copy the peer's IP addr */
553 		iackiph->ipha_dst = initiph->ipha_src;
554 		iackiph->ipha_src = initiph->ipha_dst;
555 		iackiph->ipha_length = htons(ipsctplen + errlen);
556 		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len);
557 	} else {
558 		bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len);
559 		iackip6h = (ip6_t *)p;
560 
561 		/* Copy the peer's IP addr */
562 		iackip6h->ip6_dst = initip6h->ip6_src;
563 		iackip6h->ip6_src = initip6h->ip6_dst;
564 		iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) +
565 		    errlen);
566 		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len);
567 	}
568 	ASSERT(OK_32PTR(iacksh));
569 
570 	/* Fill in the holes in the SCTP common header */
571 	iacksh->sh_sport = initsh->sh_dport;
572 	iacksh->sh_dport = initsh->sh_sport;
573 	iacksh->sh_verf = init->sic_inittag;
574 
575 	/* INIT ACK chunk header */
576 	iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1);
577 	iack_ch->sch_id = CHUNK_INIT_ACK;
578 	iack_ch->sch_flags = 0;
579 	iack_ch->sch_len = htons(iacklen);
580 
581 	/* The INIT ACK itself */
582 	iack = (sctp_init_chunk_t *)(iack_ch + 1);
583 	iack->sic_inittag = itag;	/* already in network byteorder */
584 	iack->sic_inittsn = htonl(itsn);
585 
586 	iack->sic_a_rwnd = htonl(sctp->sctp_rwnd);
587 	/* Advertise what we would want to have as stream #'s */
588 	iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr,
589 	    ntohs(init->sic_instr)));
590 	iack->sic_instr = htons(sctp->sctp_num_istr);
591 
592 	p = (char *)(iack + 1);
593 	p += sctp_adaption_code_param(sctp, (uchar_t *)p);
594 	if (initcollision)
595 		p += sctp_supaddr_param(sctp, (uchar_t *)p);
596 	if (!linklocal)
597 		p += sctp_addr_params(sctp, supp_af, (uchar_t *)p);
598 	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
599 	    sctp->sctp_prsctp_aware && sctp_prsctp_enabled) {
600 		p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION);
601 	}
602 	/*
603 	 * Generate and lay in the COOKIE parameter.
604 	 *
605 	 * Any change here that results in a change of location for
606 	 * the peer's orig source address must be propagated to the fn
607 	 * cl_sctp_cookie_paddr() above.
608 	 *
609 	 * The cookie consists of:
610 	 * 1. The relative timestamp for the cookie (lbolt64)
611 	 * 2. The cookie lifetime (uint32_t) in tick
612 	 * 3. The local tie-tag
613 	 * 4. The peer tie-tag
614 	 * 5. Peer's original src, used to confirm the validity of address.
615 	 * 6. Our INIT ACK chunk, less any parameters
616 	 * 7. The INIT chunk (may contain parameters)
617 	 * 8. 128-bit MD5 signature.
618 	 *
619 	 * Since the timestamp values will only be evaluated locally, we
620 	 * don't need to worry about byte-ordering them.
621 	 */
622 	cookieph = (sctp_parm_hdr_t *)p;
623 	cookieph->sph_type = htons(PARM_COOKIE);
624 	cookieph->sph_len = htons(cookielen);
625 
626 	/* timestamp */
627 	now = (int64_t *)(cookieph + 1);
628 	nowt = lbolt64;
629 	bcopy(&nowt, now, sizeof (*now));
630 
631 	/* cookie lifetime -- need configuration */
632 	lifetime = (uint32_t *)(now + 1);
633 	*lifetime = sctp->sctp_cookie_lifetime;
634 
635 	/* Set the tie-tags */
636 	ttag = (uint32_t *)(lifetime + 1);
637 	if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) {
638 		*ttag = 0;
639 		ttag++;
640 		*ttag = 0;
641 		ttag++;
642 	} else {
643 		/* local tie-tag (network byte-order) */
644 		*ttag = sctp->sctp_lvtag;
645 		ttag++;
646 		/* peer tie-tag (network byte-order) */
647 		*ttag = sctp->sctp_fvtag;
648 		ttag++;
649 	}
650 	/*
651 	 * Copy in peer's original source address so that we can confirm
652 	 * the reachability later.
653 	 */
654 	p = (char *)ttag;
655 	if (isv4) {
656 		in6_addr_t peer_addr;
657 
658 		IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr);
659 		bcopy(&peer_addr, p, sizeof (in6_addr_t));
660 	} else {
661 		bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t));
662 	}
663 	p += sizeof (in6_addr_t);
664 	/* Copy in our INIT ACK chunk */
665 	bcopy(iack, p, sizeof (*iack));
666 	iack = (sctp_init_chunk_t *)p;
667 	/* Set the # of streams we'll end up using */
668 	iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr));
669 	iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr));
670 	p += sizeof (*iack);
671 
672 	/* Copy in the peer's INIT chunk */
673 	bcopy(ch, p, ntohs(ch->sch_len));
674 	p += ntohs(ch->sch_len);
675 
676 	/*
677 	 * Calculate the HMAC ICV into the digest slot in buf.
678 	 * First, generate a new secret if the current secret is
679 	 * older than the new secret lifetime parameter permits,
680 	 * copying the current secret to sctp_old_secret.
681 	 */
682 	if (sctp_new_secret_interval > 0 &&
683 	    (sctp->sctp_last_secret_update +
684 	    MSEC_TO_TICK(sctp_new_secret_interval)) <= nowt) {
685 		bcopy(sctp->sctp_secret, sctp->sctp_old_secret,
686 		    SCTP_SECRET_LEN);
687 		(void) random_get_pseudo_bytes(sctp->sctp_secret,
688 		    SCTP_SECRET_LEN);
689 		sctp->sctp_last_secret_update = nowt;
690 	}
691 
692 	hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16,
693 	    (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p);
694 
695 	iackmp->b_wptr = iackmp->b_rptr + ipsctplen;
696 	iackmp->b_cont = errmp;		/*  OK if NULL */
697 
698 	if (is_system_labeled() && (cr = DB_CRED(initmp)) != NULL &&
699 	    crgetlabel(cr) != NULL) {
700 		conn_t *connp = sctp->sctp_connp;
701 		int err, adjust;
702 
703 		if (isv4)
704 			err = tsol_check_label(cr, &iackmp, &adjust,
705 			    connp->conn_mac_exempt);
706 		else
707 			err = tsol_check_label_v6(cr, &iackmp, &adjust,
708 			    connp->conn_mac_exempt);
709 		if (err != 0) {
710 			sctp_send_abort(sctp, sctp_init2vtag(ch),
711 			    SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE);
712 			freemsg(iackmp);
713 			return;
714 		}
715 		if (isv4) {
716 			iackiph = (ipha_t *)iackmp->b_rptr;
717 			adjust += ntohs(iackiph->ipha_length);
718 			iackiph->ipha_length = htons(adjust);
719 		}
720 	}
721 
722 	/*
723 	 * Stash the conn ptr info. for IP only as e don't have any
724 	 * cached IRE.
725 	 */
726 	SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL);
727 
728 	/* XXX sctp == sctp_g_q, so using its obchunks is valid */
729 	BUMP_LOCAL(sctp->sctp_opkts);
730 	BUMP_LOCAL(sctp->sctp_obchunks);
731 
732 	/* OK to call IP_PUT() here instead of sctp_add_sendq(). */
733 	CONN_INC_REF(sctp->sctp_connp);
734 	iackmp->b_flag |= MSGHASREF;
735 	IP_PUT(iackmp, sctp->sctp_connp, isv4);
736 }
737 
738 void
739 sctp_send_cookie_ack(sctp_t *sctp)
740 {
741 	sctp_chunk_hdr_t *cach;
742 	mblk_t *camp;
743 
744 	camp = sctp_make_mp(sctp, NULL, sizeof (*cach));
745 	if (camp == NULL) {
746 		/* XXX should abort, but don't have the inmp anymore */
747 		return;
748 	}
749 
750 	cach = (sctp_chunk_hdr_t *)camp->b_wptr;
751 	camp->b_wptr = (uchar_t *)(cach + 1);
752 	cach->sch_id = CHUNK_COOKIE_ACK;
753 	cach->sch_flags = 0;
754 	cach->sch_len = htons(sizeof (*cach));
755 
756 	sctp_set_iplen(sctp, camp);
757 
758 	BUMP_LOCAL(sctp->sctp_obchunks);
759 
760 	sctp_add_sendq(sctp, camp);
761 }
762 
763 static int
764 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaption_code)
765 {
766 
767 	if (len < sizeof (*sph))
768 		return (-1);
769 	while (sph != NULL) {
770 		if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) &&
771 		    ntohs(sph->sph_len) >= (sizeof (*sph) +
772 			sizeof (uint32_t))) {
773 			*adaption_code = *(uint32_t *)(sph + 1);
774 			return (0);
775 		}
776 		sph = sctp_next_parm(sph, &len);
777 	}
778 	return (-1);
779 }
780 
781 void
782 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp)
783 {
784 	mblk_t			*cemp;
785 	mblk_t			*mp = NULL;
786 	mblk_t			*head;
787 	mblk_t			*meta;
788 	sctp_faddr_t		*fp;
789 	sctp_chunk_hdr_t	*cech;
790 	sctp_init_chunk_t	 *iack;
791 	int32_t			cansend;
792 	int32_t			seglen;
793 	size_t			ceclen;
794 	sctp_parm_hdr_t		*cph;
795 	sctp_data_hdr_t		*sdc;
796 	sctp_tf_t		*tf;
797 	int			pad = 0;
798 	int			hdrlen;
799 	mblk_t			*errmp = NULL;
800 	uint_t			sctp_options;
801 	int			error;
802 	uint16_t		old_num_str;
803 
804 	iack = (sctp_init_chunk_t *)(iackch + 1);
805 
806 	cph = NULL;
807 	if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp,
808 	    &pad, &sctp_options) == 0) { /* result in 'pad' ignored */
809 		BUMP_MIB(&sctp_mib, sctpAborted);
810 		sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL);
811 		sctp_clean_death(sctp, ECONNABORTED);
812 		return;
813 	}
814 	ASSERT(cph != NULL);
815 
816 	ASSERT(sctp->sctp_cookie_mp == NULL);
817 
818 	/* Got a cookie to echo back; allocate an mblk */
819 	ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph);
820 	if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0)
821 		pad = SCTP_ALIGN - pad;
822 
823 	if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION)
824 		hdrlen = sctp->sctp_hdr_len;
825 	else
826 		hdrlen = sctp->sctp_hdr6_len;
827 
828 	cemp = allocb(sctp_wroff_xtra + hdrlen + ceclen + pad, BPRI_MED);
829 	if (cemp == NULL) {
830 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
831 		    sctp->sctp_current->rto);
832 		if (errmp != NULL)
833 			freeb(errmp);
834 		return;
835 	}
836 	cemp->b_rptr += (sctp_wroff_xtra + hdrlen);
837 
838 	/* Process the INIT ACK */
839 	sctp->sctp_sctph->sh_verf = iack->sic_inittag;
840 	sctp->sctp_sctph6->sh_verf = iack->sic_inittag;
841 	sctp->sctp_fvtag = iack->sic_inittag;
842 	sctp->sctp_ftsn = ntohl(iack->sic_inittsn);
843 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
844 	sctp->sctp_fcsn = sctp->sctp_lastacked;
845 	sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd);
846 
847 	/*
848 	 * Populate sctp with addresses given in the INIT ACK or IP header.
849 	 * Need to set the df bit in the current fp as it has been cleared
850 	 * in sctp_connect().
851 	 */
852 	sctp->sctp_current->df = B_TRUE;
853 	/*
854 	 * Since IP uses this info during the fanout process, we need to hold
855 	 * the lock for this hash line while performing this operation.
856 	 */
857 	/* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctp->sctp_ports); */
858 	ASSERT(sctp->sctp_conn_tfp != NULL);
859 	tf = sctp->sctp_conn_tfp;
860 	/* sctp isn't a listener so only need to hold conn fanout lock */
861 	mutex_enter(&tf->tf_lock);
862 	if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) {
863 		mutex_exit(&tf->tf_lock);
864 		freeb(cemp);
865 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
866 		    sctp->sctp_current->rto);
867 		if (errmp != NULL)
868 			freeb(errmp);
869 		return;
870 	}
871 	mutex_exit(&tf->tf_lock);
872 
873 	fp = sctp->sctp_current;
874 
875 	/*
876 	 * There could be a case when we get an INIT-ACK again, if the INIT
877 	 * is re-transmitted, for e.g., which means we would have already
878 	 * allocated this resource earlier (also for sctp_instr). In this
879 	 * case we check and re-allocate, if necessary.
880 	 */
881 	old_num_str = sctp->sctp_num_ostr;
882 	if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr)
883 		sctp->sctp_num_ostr = ntohs(iack->sic_instr);
884 	if (sctp->sctp_ostrcntrs == NULL) {
885 		sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
886 		    sctp->sctp_num_ostr, KM_NOSLEEP);
887 	} else {
888 		ASSERT(old_num_str > 0);
889 		if (old_num_str != sctp->sctp_num_ostr) {
890 			kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
891 			    old_num_str);
892 			sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
893 			    sctp->sctp_num_ostr, KM_NOSLEEP);
894 		}
895 	}
896 	if (sctp->sctp_ostrcntrs == NULL) {
897 		freeb(cemp);
898 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
899 		if (errmp != NULL)
900 			freeb(errmp);
901 		return;
902 	}
903 
904 	/*
905 	 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs
906 	 * hold here too.
907 	 */
908 	old_num_str = sctp->sctp_num_istr;
909 	if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr)
910 		sctp->sctp_num_istr = ntohs(iack->sic_outstr);
911 	if (sctp->sctp_instr == NULL) {
912 		sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
913 		    sctp->sctp_num_istr, KM_NOSLEEP);
914 	} else {
915 		ASSERT(old_num_str > 0);
916 		if (old_num_str != sctp->sctp_num_istr) {
917 			kmem_free(sctp->sctp_instr,
918 			    sizeof (*sctp->sctp_instr) * old_num_str);
919 			sctp->sctp_instr = kmem_zalloc(
920 			    sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr,
921 			    KM_NOSLEEP);
922 		}
923 	}
924 	if (sctp->sctp_instr == NULL) {
925 		kmem_free(sctp->sctp_ostrcntrs,
926 		    sizeof (uint16_t) * sctp->sctp_num_ostr);
927 		freeb(cemp);
928 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
929 		if (errmp != NULL)
930 			freeb(errmp);
931 		return;
932 	}
933 
934 	if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware)
935 		sctp->sctp_prsctp_aware = B_FALSE;
936 
937 	if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1),
938 		ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)),
939 		&sctp->sctp_rx_adaption_code) == 0) {
940 		sctp->sctp_recv_adaption = 1;
941 	}
942 
943 	cech = (sctp_chunk_hdr_t *)cemp->b_rptr;
944 	ASSERT(OK_32PTR(cech));
945 	cech->sch_id = CHUNK_COOKIE;
946 	cech->sch_flags = 0;
947 	cech->sch_len = htons(ceclen);
948 
949 	/* Copy the cookie (less the parm hdr) to the chunk */
950 	bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph));
951 
952 	cemp->b_wptr = cemp->b_rptr + ceclen;
953 
954 	if (sctp->sctp_unsent > 0) {
955 		sctp_msg_hdr_t	*smh;
956 		mblk_t		*prev = NULL;
957 		uint32_t	unsent = 0;
958 
959 		mp = sctp->sctp_xmit_unsent;
960 		do {
961 			smh = (sctp_msg_hdr_t *)mp->b_rptr;
962 			if (smh->smh_sid >= sctp->sctp_num_ostr) {
963 				unsent += smh->smh_msglen;
964 				if (prev != NULL)
965 					prev->b_next = mp->b_next;
966 				else
967 					sctp->sctp_xmit_unsent = mp->b_next;
968 				mp->b_next = NULL;
969 				sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID,
970 				    B_FALSE);
971 				if (prev != NULL)
972 					mp = prev->b_next;
973 				else
974 					mp = sctp->sctp_xmit_unsent;
975 			} else {
976 				prev = mp;
977 				mp = mp->b_next;
978 			}
979 		} while (mp != NULL);
980 		if (unsent > 0) {
981 			ASSERT(sctp->sctp_unsent >= unsent);
982 			sctp->sctp_unsent -= unsent;
983 			/*
984 			 * Update ULP the amount of queued data, which is
985 			 * sent-unack'ed + unsent.
986 			 * This is not necessary, but doesn't harm, we
987 			 * just use unsent instead of sent-unack'ed +
988 			 * unsent, since there won't be any sent-unack'ed
989 			 * here.
990 			 */
991 			if (!SCTP_IS_DETACHED(sctp)) {
992 				sctp->sctp_ulp_xmitted(sctp->sctp_ulpd,
993 				    sctp->sctp_unsent);
994 			}
995 		}
996 		if (sctp->sctp_xmit_unsent == NULL)
997 			sctp->sctp_xmit_unsent_tail = NULL;
998 	}
999 	ceclen += pad;
1000 	cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd);
1001 	meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen,
1002 	    cansend,  NULL);
1003 	/*
1004 	 * The error cannot be anything else since we could have an non-zero
1005 	 * error only if sctp_get_msg_to_send() tries to send a Forward
1006 	 * TSN which will not happen here.
1007 	 */
1008 	ASSERT(error == 0);
1009 	if (meta == NULL)
1010 		goto sendcookie;
1011 	sctp->sctp_xmit_tail = meta;
1012 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
1013 	seglen = ntohs(sdc->sdh_len);
1014 	if ((ceclen + seglen) > fp->sfa_pmss ||
1015 	    (seglen - sizeof (*sdc)) > cansend) {
1016 		goto sendcookie;
1017 	}
1018 	/* OK, if this fails */
1019 	cemp->b_cont = dupmsg(mp);
1020 sendcookie:
1021 	head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL);
1022 	if (head == NULL) {
1023 		freemsg(cemp);
1024 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
1025 		if (errmp != NULL)
1026 			freeb(errmp);
1027 		return;
1028 	}
1029 	/*
1030 	 * Even if cookie-echo exceeds MTU for one of the hops, it'll
1031 	 * have a chance of getting there.
1032 	 */
1033 	if (fp->isv4) {
1034 		ipha_t *iph = (ipha_t *)head->b_rptr;
1035 		iph->ipha_fragment_offset_and_flags = 0;
1036 	}
1037 	BUMP_LOCAL(sctp->sctp_obchunks);
1038 
1039 	sctp->sctp_cookie_mp = dupmsg(head);
1040 	/* Don't bundle, we will just resend init if this cookie is lost. */
1041 	if (sctp->sctp_cookie_mp == NULL) {
1042 		if (cemp->b_cont != NULL) {
1043 			freemsg(cemp->b_cont);
1044 			cemp->b_cont = NULL;
1045 		}
1046 	} else if (cemp->b_cont != NULL) {
1047 		ASSERT(mp != NULL && mp == meta->b_cont);
1048 		SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont);
1049 		cemp->b_wptr += pad;
1050 		seglen -= sizeof (*sdc);
1051 		SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta);
1052 	}
1053 	if (errmp != NULL)
1054 		linkb(head, errmp);
1055 	sctp->sctp_state = SCTPS_COOKIE_ECHOED;
1056 	SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
1057 
1058 	sctp_set_iplen(sctp, head);
1059 	sctp_add_sendq(sctp, head);
1060 }
1061 
1062 int
1063 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
1064     sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaption,
1065     in6_addr_t *peer_addr)
1066 {
1067 	int32_t			clen;
1068 	size_t			initplen;
1069 	uchar_t			*p;
1070 	uchar_t			*given_hash;
1071 	uchar_t			needed_hash[16];
1072 	int64_t			ts;
1073 	int64_t			diff;
1074 	uint32_t		*lt;
1075 	sctp_init_chunk_t	*iack;
1076 	sctp_chunk_hdr_t	*initch;
1077 	sctp_init_chunk_t	*init;
1078 	uint32_t		*lttag;
1079 	uint32_t		*fttag;
1080 	uint32_t		ports;
1081 
1082 	BUMP_LOCAL(sctp->sctp_ibchunks);
1083 	/* Verify the ICV */
1084 	clen = ntohs(ch->sch_len) - sizeof (*ch) - 16;
1085 	if (clen < 0) {
1086 		dprint(1, ("invalid cookie chunk length %d\n",
1087 		    ntohs(ch->sch_len)));
1088 
1089 		return (-1);
1090 	}
1091 	p = (uchar_t *)(ch + 1);
1092 
1093 	hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN,
1094 	    needed_hash);
1095 
1096 	/* The given hash follows the cookie data */
1097 	given_hash = p + clen;
1098 
1099 	if (bcmp(given_hash, needed_hash, 16) != 0) {
1100 		/* The secret may have changed; try the old secret */
1101 		hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret,
1102 		    SCTP_SECRET_LEN, needed_hash);
1103 		if (bcmp(given_hash, needed_hash, 16) != 0) {
1104 			return (-1);
1105 		}
1106 	}
1107 
1108 	/* Timestamp is int64_t, and we only guarantee 32-bit alignment */
1109 	bcopy(p, &ts, sizeof (ts));
1110 	/* Cookie life time, int32_t */
1111 	lt = (uint32_t *)(p + sizeof (ts));
1112 
1113 	/*
1114 	 * To quote PRC, "this is our baby", so let's continue.
1115 	 * We need to pull out the encapsulated INIT ACK and
1116 	 * INIT chunks. Note that we don't process these until
1117 	 * we have verified the timestamp, but we need them before
1118 	 * processing the timestamp since if the time check fails,
1119 	 * we need to get the verification tag from the INIT in order
1120 	 * to send a stale cookie error.
1121 	 */
1122 	lttag = (uint32_t *)(lt + 1);
1123 	fttag = lttag + 1;
1124 	if (peer_addr != NULL)
1125 		bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t));
1126 	iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t));
1127 	initch = (sctp_chunk_hdr_t *)(iack + 1);
1128 	init = (sctp_init_chunk_t *)(initch + 1);
1129 	initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch));
1130 	*iackpp = iack;
1131 	*recv_adaption = 0;
1132 
1133 	/* Check the timestamp */
1134 	diff = lbolt64 - ts;
1135 	if (diff > *lt && (init->sic_inittag != sctp->sctp_fvtag ||
1136 	    iack->sic_inittag != sctp->sctp_lvtag)) {
1137 
1138 		uint32_t staleness;
1139 
1140 		staleness = TICK_TO_USEC(diff);
1141 		staleness = htonl(staleness);
1142 		sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE,
1143 		    (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE);
1144 
1145 		dprint(1, ("stale cookie %d\n", staleness));
1146 
1147 		return (-1);
1148 	}
1149 
1150 	/* Check for attack by adding addresses to a restart */
1151 	bcopy(insctph, &ports, sizeof (ports));
1152 	if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP) != 1) {
1153 		return (-1);
1154 	}
1155 
1156 	/* Look for adaptation code if there any parms in the INIT chunk */
1157 	if ((initplen >= sizeof (sctp_parm_hdr_t)) &&
1158 	    (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen,
1159 	    &sctp->sctp_rx_adaption_code) == 0)) {
1160 		*recv_adaption = 1;
1161 	}
1162 
1163 	/* Examine tie-tags */
1164 
1165 	if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) {
1166 		if (sctp->sctp_state == SCTPS_ESTABLISHED &&
1167 		    init->sic_inittag == sctp->sctp_fvtag &&
1168 		    iack->sic_inittag == sctp->sctp_lvtag &&
1169 		    *fttag == 0 && *lttag == 0) {
1170 
1171 			dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n",
1172 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1173 			    (int)(sctp->sctp_fport)));
1174 			return (-1);
1175 		}
1176 
1177 		if (init->sic_inittag != sctp->sctp_fvtag &&
1178 		    iack->sic_inittag != sctp->sctp_lvtag &&
1179 		    *fttag == sctp->sctp_fvtag &&
1180 		    *lttag == sctp->sctp_lvtag) {
1181 			int i;
1182 
1183 			/* Section 5.2.4 case A: restart */
1184 			sctp->sctp_fvtag = init->sic_inittag;
1185 			sctp->sctp_lvtag = iack->sic_inittag;
1186 
1187 			sctp->sctp_sctph->sh_verf = init->sic_inittag;
1188 			sctp->sctp_sctph6->sh_verf = init->sic_inittag;
1189 
1190 			sctp->sctp_ftsn = ntohl(init->sic_inittsn);
1191 			sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
1192 			sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
1193 			sctp->sctp_fcsn = sctp->sctp_lastacked;
1194 
1195 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1196 				sctp->sctp_state = SCTPS_ESTABLISHED;
1197 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
1198 			}
1199 
1200 			dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n",
1201 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1202 			    (int)(sctp->sctp_fport)));
1203 			/* reset parameters */
1204 			sctp_congest_reset(sctp);
1205 
1206 			/* reset stream bookkeeping */
1207 			sctp_instream_cleanup(sctp, B_FALSE);
1208 
1209 			sctp->sctp_istr_nmsgs = 0;
1210 			sctp->sctp_rxqueued = 0;
1211 			for (i = 0; i < sctp->sctp_num_ostr; i++) {
1212 				sctp->sctp_ostrcntrs[i] = 0;
1213 			}
1214 			/* XXX flush xmit_list? */
1215 
1216 			return (0);
1217 		} else if (init->sic_inittag != sctp->sctp_fvtag &&
1218 		    iack->sic_inittag == sctp->sctp_lvtag) {
1219 
1220 			/* Section 5.2.4 case B: INIT collision */
1221 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1222 				if (!sctp_initialize_params(sctp, init, iack))
1223 					return (-1);	/* Drop? */
1224 				sctp->sctp_state = SCTPS_ESTABLISHED;
1225 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
1226 			}
1227 
1228 			dprint(1, ("init collision with %x:%x:%x:%x (%d)\n",
1229 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1230 			    (int)(sctp->sctp_fport)));
1231 
1232 			return (0);
1233 		} else if (iack->sic_inittag != sctp->sctp_lvtag &&
1234 		    init->sic_inittag == sctp->sctp_fvtag &&
1235 		    *fttag == 0 && *lttag == 0) {
1236 
1237 			/* Section 5.2.4 case C: late COOKIE */
1238 			dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n",
1239 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1240 			    (int)(sctp->sctp_fport)));
1241 			return (-1);
1242 		} else if (init->sic_inittag == sctp->sctp_fvtag &&
1243 		    iack->sic_inittag == sctp->sctp_lvtag) {
1244 
1245 			/*
1246 			 * Section 5.2.4 case D: COOKIE ECHO retransmit
1247 			 * Don't check cookie lifetime
1248 			 */
1249 			dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n",
1250 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1251 			    (int)(sctp->sctp_fport)));
1252 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1253 				if (!sctp_initialize_params(sctp, init, iack))
1254 					return (-1);	/* Drop? */
1255 				sctp->sctp_state = SCTPS_ESTABLISHED;
1256 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
1257 			}
1258 			return (0);
1259 		} else {
1260 			/* unrecognized case -- silently drop it */
1261 			return (-1);
1262 		}
1263 	}
1264 
1265 	return (0);
1266 }
1267 
1268 /*
1269  * Similar to ip_fanout_sctp, except that the src addr(s) are drawn
1270  * from address parameters in an INIT ACK's address list. This
1271  * function is used when an INIT ACK is received but IP's fanout
1272  * function could not find a sctp via the normal lookup routine.
1273  * This can happen when a host sends an INIT ACK from a different
1274  * address than the INIT was sent to.
1275  *
1276  * Returns the sctp_t if found, or NULL if not found.
1277  */
1278 sctp_t *
1279 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich,
1280     uint_t ipif_seqid, zoneid_t zoneid)
1281 {
1282 	int isv4;
1283 	ipha_t *iph;
1284 	ip6_t *ip6h;
1285 	in6_addr_t dst;
1286 	in6_addr_t src;
1287 	sctp_parm_hdr_t *ph;
1288 	ssize_t remaining;
1289 	sctp_init_chunk_t *iack;
1290 	uint32_t ports;
1291 	sctp_t *sctp = NULL;
1292 
1293 	ASSERT(ich->sch_id == CHUNK_INIT_ACK);
1294 
1295 	isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
1296 	if (isv4) {
1297 		iph = (ipha_t *)mp->b_rptr;
1298 		IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst);
1299 	} else {
1300 		ip6h = (ip6_t *)mp->b_rptr;
1301 		dst = ip6h->ip6_dst;
1302 	}
1303 
1304 	ports = *(uint32_t *)sctph;
1305 
1306 	dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n",
1307 	    ports, SCTP_PRINTADDR(dst)));
1308 
1309 	/* pull out any address parameters */
1310 	remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack);
1311 	if (remaining < sizeof (*ph)) {
1312 		return (NULL);
1313 	}
1314 
1315 	iack = (sctp_init_chunk_t *)(ich + 1);
1316 	ph = (sctp_parm_hdr_t *)(iack + 1);
1317 
1318 	while (ph != NULL) {
1319 		/*
1320 		 * params have been put in host byteorder by
1321 		 * sctp_check_input()
1322 		 */
1323 		if (ph->sph_type == PARM_ADDR4) {
1324 			IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1),
1325 			    &src);
1326 
1327 			sctp = sctp_conn_match(&src, &dst, ports, ipif_seqid,
1328 			    zoneid);
1329 
1330 			dprint(1,
1331 			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1332 			    SCTP_PRINTADDR(src), (void *)sctp));
1333 
1334 
1335 			if (sctp != NULL) {
1336 				return (sctp);
1337 			}
1338 		} else if (ph->sph_type == PARM_ADDR6) {
1339 			src = *(in6_addr_t *)(ph + 1);
1340 			sctp = sctp_conn_match(&src, &dst, ports, ipif_seqid,
1341 			    zoneid);
1342 
1343 			dprint(1,
1344 			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1345 			    SCTP_PRINTADDR(src), (void *)sctp));
1346 
1347 			if (sctp != NULL) {
1348 				return (sctp);
1349 			}
1350 		}
1351 
1352 		ph = sctp_next_parm(ph, &remaining);
1353 	}
1354 
1355 	return (NULL);
1356 }
1357