xref: /titanic_52/usr/src/uts/common/inet/sctp/sctp_cookie.c (revision 6be61d4ea129a94bdfe33533b2bc265d4447f05c)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <sys/types.h>
#include <sys/systm.h>
#include <sys/stream.h>
#include <sys/cmn_err.h>
#include <sys/md5.h>
#include <sys/kmem.h>
#include <sys/strsubr.h>
#include <sys/random.h>
#include <sys/tsol/tnet.h>

#include <netinet/in.h>
#include <netinet/ip6.h>

#include <inet/common.h>
#include <inet/ip.h>
#include <inet/ip6.h>
#include <inet/ipsec_impl.h>
#include <inet/sctp_ip.h>
#include <inet/ipclassifier.h>
#include "sctp_impl.h"

/*
 * Helper function for SunCluster (PSARC/2005/602) to get the original source
 * address from the COOKIE
 */
int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *);

/*
 * From RFC 2104. This should probably go into libmd5 (and while
 * we're at it, maybe we should make a libdigest so we can later
 * add SHA1 and others, esp. since some weaknesses have been found
 * with MD5).
 *
 * text		IN			pointer to data stream
 * text_len	IN			length of data stream
 * key		IN			pointer to authentication key
 * key_len	IN			length of authentication key
 * digest	OUT			caller digest to be filled in
 */
static void
hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len,
    uchar_t *digest)
{
	MD5_CTX context;
	uchar_t k_ipad[65];	/* inner padding - key XORd with ipad */
	uchar_t k_opad[65];	/* outer padding - key XORd with opad */
	uchar_t tk[16];
	int i;

	/* if key is longer than 64 bytes reset it to key=MD5(key) */
	if (key_len > 64) {
		MD5_CTX tctx;

		MD5Init(&tctx);
		MD5Update(&tctx, key, key_len);
		MD5Final(tk, &tctx);

		key = tk;
		key_len = 16;
	}

	/*
	 * the HMAC_MD5 transform looks like:
	 *
	 * MD5(K XOR opad, MD5(K XOR ipad, text))
	 *
	 * where K is an n byte key
	 * ipad is the byte 0x36 repeated 64 times
	 * opad is the byte 0x5c repeated 64 times
	 * and text is the data being protected
	 */

	/* start out by storing key in pads */
	bzero(k_ipad, sizeof (k_ipad));
	bzero(k_opad, sizeof (k_opad));
	bcopy(key, k_ipad, key_len);
	bcopy(key, k_opad, key_len);

	/* XOR key with ipad and opad values */
	for (i = 0; i < 64; i++) {
		k_ipad[i] ^= 0x36;
		k_opad[i] ^= 0x5c;
	}
	/*
	 * perform inner MD5
	 */
	MD5Init(&context);			/* init context for 1st */
						/* pass */
	MD5Update(&context, k_ipad, 64);	/* start with inner pad */
	MD5Update(&context, text, text_len);	/* then text of datagram */
	MD5Final(digest, &context);		/* finish up 1st pass */
	/*
	 * perform outer MD5
	 */
	MD5Init(&context);			/* init context for 2nd */
						/* pass */
	MD5Update(&context, k_opad, 64);	/* start with outer pad */
	MD5Update(&context, digest, 16);	/* then results of 1st */
						/* hash */
	MD5Final(digest, &context);		/* finish up 2nd pass */
}

/*
 * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP
 * info in initmp to send the abort. Otherwise, no abort will be sent.
 *
 * When called from stcp_send_initack() while processing parameters
 * from a received INIT_CHUNK want_cookie will be NULL.
 *
 * When called from sctp_send_cookie_echo() while processing an INIT_ACK,
 * want_cookie contains a pointer to a pointer of type *sctp_parm_hdr_t.
 * However, this last pointer will be NULL until the cookie is processed
 * at which time it will be set to point to a sctp_parm_hdr_t that contains
 * the cookie info.
 *
 * Note: an INIT_ACK is expected to contain a cookie.
 *
 * When processing an INIT_ACK, an ERROR chunk and chain of one or more
 * error CAUSE blocks will be created if unrecognized parameters marked by
 * the sender as reportable are found.
 *
 * When processing an INIT chunk, a chain of one or more error CAUSE blocks
 * will be created if unrecognized parameters marked by the sender as
 * reportable are found. These are appended directly to the INIT_ACK chunk.
 *
 * In both cases the error chain is visible to the caller via *errmp.
 *
 * Returns 1 if the parameters are OK (or if there are no optional
 * parameters), returns 0 otherwise.
 */
static int
validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch,
    sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie,
    mblk_t **errmp, int *supp_af, uint_t *sctp_options, ip_recv_attr_t *ira)
{
	sctp_parm_hdr_t		*cph;
	sctp_init_chunk_t	*ic;
	ssize_t			remaining;
	uint16_t		serror = 0;
	char			*details = NULL;
	size_t			errlen = 0;
	boolean_t		got_cookie = B_FALSE;
	boolean_t		got_errchunk = B_FALSE;
	uint16_t		ptype;
	sctp_mpc_t		mpc;
	conn_t			*connp = sctp->sctp_connp;


	ASSERT(errmp != NULL);

	if (sctp_options != NULL)
		*sctp_options = 0;

	/* First validate stream parameters */
	if (init->sic_instr == 0 || init->sic_outstr == 0) {
		serror = SCTP_ERR_BAD_MANDPARM;
		dprint(1, ("validate_init_params: bad sid, is=%d os=%d\n",
		    htons(init->sic_instr), htons(init->sic_outstr)));
		goto abort;
	}
	if (ntohl(init->sic_inittag) == 0) {
		serror = SCTP_ERR_BAD_MANDPARM;
		dprint(1, ("validate_init_params: inittag = 0\n"));
		goto abort;
	}

	remaining = ntohs(ch->sch_len) - sizeof (*ch);
	ic = (sctp_init_chunk_t *)(ch + 1);
	remaining -= sizeof (*ic);
	if (remaining < sizeof (*cph)) {
		/*
		 * When processing a received INIT_ACK, a cookie is
		 * expected, if missing there is nothing to validate.
		 */
		if (want_cookie != NULL)
			goto cookie_abort;
		return (1);
	}

	cph = (sctp_parm_hdr_t *)(ic + 1);

	while (cph != NULL) {
		ptype = ntohs(cph->sph_type);
		switch (ptype) {
		case PARM_HBINFO:
		case PARM_UNRECOGNIZED:
		case PARM_ECN:
			/* just ignore them */
			break;
		case PARM_FORWARD_TSN:
			if (sctp_options != NULL)
				*sctp_options |= SCTP_PRSCTP_OPTION;
			break;
		case PARM_COOKIE:
			got_cookie = B_TRUE;
			/*
			 * Processing a received INIT_ACK, we have a cookie
			 * and a valid pointer in our caller to attach it to.
			 */
			if (want_cookie != NULL) {
				*want_cookie = cph;
			}
			break;
		case PARM_ADDR4:
			*supp_af |= PARM_SUPP_V4;
			break;
		case PARM_ADDR6:
			*supp_af |= PARM_SUPP_V6;
			break;
		case PARM_COOKIE_PRESERVE:
		case PARM_ADAPT_LAYER_IND:
			/* These are OK */
			break;
		case PARM_ADDR_HOST_NAME:
			/* Don't support this; abort the association */
			serror = SCTP_ERR_BAD_ADDR;
			details = (char *)cph;
			errlen = ntohs(cph->sph_len);
			dprint(1, ("sctp:validate_init_params: host addr\n"));
			goto abort;
		case PARM_SUPP_ADDRS: {
			/* Make sure we have a supported addr intersection */
			uint16_t *p, addrtype;
			int plen;

			plen = ntohs(cph->sph_len);
			p = (uint16_t *)(cph + 1);
			while (plen > 0) {
				addrtype = ntohs(*p);
				switch (addrtype) {
				case PARM_ADDR6:
					*supp_af |= PARM_SUPP_V6;
					break;
				case PARM_ADDR4:
					*supp_af |= PARM_SUPP_V4;
					break;
				default:
					/*
					 * Do nothing, silently ignore hostname
					 * address.
					 */
					break;
				}
				p++;
				plen -= sizeof (*p);
			}
			break;
		}
		default:
			/*
			 * Handle any unrecognized params, the two high order
			 * bits of ptype define how the remote wants them
			 * handled.
			 * Top bit:
			 *    1. Continue processing other params in the chunk
			 *    0. Stop processing params after this one.
			 * 2nd bit:
			 *    1. Must report this unrecognized param to remote
			 *    0. Obey the top bit silently.
			 */
			if (ptype & SCTP_REPORT_THIS_PARAM) {
				if (!got_errchunk && want_cookie != NULL) {
					/*
					 * The incoming pointer want_cookie is
					 * NULL so processing an INIT_ACK.
					 * This is the first reportable param,
					 * create an ERROR chunk and populate
					 * it with a CAUSE block for this parm.
					 */
					*errmp = sctp_make_err(sctp,
					    PARM_UNRECOGNIZED,
					    (void *)cph,
					    ntohs(cph->sph_len));
					got_errchunk = B_TRUE;
				} else {
					/*
					 * If processing an INIT_ACK, we already
					 * have an ERROR chunk, just add a new
					 * CAUSE block and update ERROR chunk
					 * length.
					 * If processing an INIT chunk add a new
					 * CAUSE block to the INIT_ACK, in this
					 * case there is no ERROR chunk thus
					 * got_errchunk will be B_FALSE. Chunk
					 * length is computed by our caller.
					 */
					sctp_add_unrec_parm(cph, errmp,
					    got_errchunk);
				}
			}
			if (ptype & SCTP_CONT_PROC_PARAMS) {
				/*
				 * Continue processing params after this
				 * parameter.
				 */
				break;
			}

			/*
			 * Stop processing params, report any reportable
			 * unrecognized params found so far.
			 */
			goto done;
		}

		cph = sctp_next_parm(cph, &remaining);
	}
done:
	/*
	 * Some sanity checks.  The following should not fail unless the
	 * other side is broken.
	 *
	 * 1. If this is a V4 endpoint but V4 address is not
	 * supported, abort.
	 * 2. If this is a V6 only endpoint but V6 address is
	 * not supported, abort.  This assumes that a V6
	 * endpoint can use both V4 and V6 addresses.
	 * We only care about supp_af when processing INIT, i.e want_cookie
	 * is NULL.
	 */
	if (want_cookie == NULL &&
	    ((connp->conn_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) ||
	    (connp->conn_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) &&
	    sctp->sctp_connp->conn_ipv6_v6only))) {
		dprint(1, ("sctp:validate_init_params: supp addr\n"));
		serror = SCTP_ERR_BAD_ADDR;
		goto abort;
	}

	if (want_cookie != NULL && !got_cookie) {
cookie_abort:
		/* Will populate the CAUSE block in the ABORT chunk. */
		mpc.mpc_num =  htons(1);
		mpc.mpc_param = htons(PARM_COOKIE);
		mpc.mpc_pad = 0;

		dprint(1, ("validate_init_params: cookie absent\n"));
		sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM,
		    (char *)&mpc, sizeof (sctp_mpc_t), inmp, 0, B_FALSE, ira);
		return (0);
	}

	/* OK */
	return (1);

abort:
	if (want_cookie != NULL)
		return (0);

	sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details,
	    errlen, inmp, 0, B_FALSE, ira);
	return (0);
}

/*
 * Initialize params from the INIT and INIT-ACK when the assoc. is
 * established.
 */
boolean_t
sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init,
    sctp_init_chunk_t *iack)
{
	/* Get initial TSN */
	sctp->sctp_ftsn = ntohl(init->sic_inittsn);
	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;

	/* Serial number is initialized to the same value as the TSN */
	sctp->sctp_fcsn = sctp->sctp_lastacked;

	/*
	 * Get verification tags; no byteordering is necessary, since
	 * verfication tags are never processed except for byte-by-byte
	 * comparisons.
	 */
	sctp->sctp_fvtag = init->sic_inittag;
	sctp->sctp_sctph->sh_verf = init->sic_inittag;
	sctp->sctp_sctph6->sh_verf = init->sic_inittag;
	sctp->sctp_lvtag = iack->sic_inittag;

	/* Get the peer's rwnd */
	sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);

	/* Allocate the in/out-stream counters */
	sctp->sctp_num_ostr = iack->sic_outstr;
	sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
	    sctp->sctp_num_ostr, KM_NOSLEEP);
	if (sctp->sctp_ostrcntrs == NULL)
		return (B_FALSE);

	sctp->sctp_num_istr = iack->sic_instr;
	sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
	    sctp->sctp_num_istr, KM_NOSLEEP);
	if (sctp->sctp_instr == NULL) {
		kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
		    sctp->sctp_num_ostr);
		sctp->sctp_ostrcntrs = NULL;
		return (B_FALSE);
	}
	return (B_TRUE);
}

/*
 * Copy the peer's original source address into addr. This relies on the
 * following format (see sctp_send_initack() below):
 * 	relative timestamp for the cookie (int64_t) +
 * 	cookie lifetime (uint32_t) +
 * 	local tie-tag (uint32_t) +  peer tie-tag (uint32_t) +
 * 	Peer's original src ...
 */
int
cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr)
{
	uchar_t	*off;

	ASSERT(addr != NULL);

	if (ch->sch_id != CHUNK_COOKIE)
		return (EINVAL);

	off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) +
	    sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t);

	bcopy(off, addr, sizeof (*addr));

	return (0);
}

#define	SCTP_CALC_COOKIE_LEN(initcp) \
	sizeof (int64_t) +		/* timestamp */			\
	sizeof (uint32_t) +		/* cookie lifetime */		\
	sizeof (sctp_init_chunk_t) +	/* INIT ACK */			\
	sizeof (in6_addr_t) +		/* peer's original source */ 	\
	ntohs((initcp)->sch_len) +	/* peer's INIT */		\
	sizeof (uint32_t) +		/* local tie-tag */		\
	sizeof (uint32_t) +		/* peer tie-tag */		\
	sizeof (sctp_parm_hdr_t) +	/* param header */		\
	16				/* MD5 hash */

/*
 * Note that sctp is the listener, hence we shouldn't modify it.
 */
void
sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
    mblk_t *initmp, ip_recv_attr_t *ira)
{
	ipha_t			*initiph;
	ip6_t			*initip6h;
	ipha_t			*iackiph = NULL;
	ip6_t			*iackip6h = NULL;
	sctp_chunk_hdr_t	*iack_ch;
	sctp_init_chunk_t	*iack;
	sctp_init_chunk_t	*init;
	sctp_hdr_t		*iacksh;
	size_t			cookielen;
	size_t			iacklen;
	size_t			ipsctplen;
	size_t			errlen = 0;
	sctp_parm_hdr_t		*cookieph;
	mblk_t			*iackmp;
	uint32_t		itag;
	uint32_t		itsn;
	int64_t			*now;
	int64_t			nowt;
	uint32_t		*lifetime;
	char			*p;
	boolean_t		 isv4;
	int			supp_af = 0;
	uint_t			sctp_options;
	uint32_t		*ttag;
	int			pad;
	mblk_t			*errmp = NULL;
	boolean_t		initcollision = B_FALSE;
	boolean_t		linklocal = B_FALSE;
	sctp_stack_t		*sctps = sctp->sctp_sctps;
	conn_t			*connp = sctp->sctp_connp;
	int			err;
	ip_xmit_attr_t		*ixa = NULL;

	BUMP_LOCAL(sctp->sctp_ibchunks);
	isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION);

	/* Extract the INIT chunk */
	if (isv4) {
		initiph = (ipha_t *)initmp->b_rptr;
		ipsctplen = sctp->sctp_ip_hdr_len;
		supp_af |= PARM_SUPP_V4;
	} else {
		initip6h = (ip6_t *)initmp->b_rptr;
		ipsctplen = sctp->sctp_ip_hdr6_len;
		if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src) ||
		    IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_dst))
			linklocal = B_TRUE;
		supp_af |= PARM_SUPP_V6;
		if (!sctp->sctp_connp->conn_ipv6_v6only)
			supp_af |= PARM_SUPP_V4;
	}
	ASSERT(OK_32PTR(initsh));
	init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch));

	/* Make sure we like the peer's parameters */
	if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp,
	    &supp_af, &sctp_options, ira) == 0) {
		return;
	}
	if (errmp != NULL)
		errlen = msgdsize(errmp);
	if (connp->conn_family == AF_INET) {
		/*
		 * Regardless of the supported address in the INIT, v4
		 * must be supported.
		 */
		supp_af = PARM_SUPP_V4;
	}
	if (sctp->sctp_state <= SCTPS_LISTEN) {
		/* normal, expected INIT: generate new vtag and itsn */
		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
		if (itag == 0)
			itag = (uint32_t)gethrtime();
		itsn = itag + 1;
		itag = htonl(itag);
	} else if (sctp->sctp_state == SCTPS_COOKIE_WAIT ||
	    sctp->sctp_state == SCTPS_COOKIE_ECHOED) {
		/* init collision; copy vtag and itsn from sctp */
		itag = sctp->sctp_lvtag;
		itsn = sctp->sctp_ltsn;
		/*
		 * In addition we need to send all the params that was sent
		 * in our INIT chunk. Essentially, it is only the supported
		 * address params that we need to add.
		 */
		initcollision = B_TRUE;
		/*
		 * When we sent the INIT, we should have set linklocal in
		 * the sctp which should be good enough.
		 */
		if (linklocal)
			linklocal = B_FALSE;
	} else {
		/* peer restart; generate new vtag but keep everything else */
		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
		if (itag == 0)
			itag = (uint32_t)gethrtime();
		itag = htonl(itag);
		itsn = sctp->sctp_ltsn;
	}

	/*
	 * Allocate a mblk for the INIT ACK, consisting of the link layer
	 * header, the IP header, the SCTP common header, and INIT ACK chunk,
	 * and finally the COOKIE parameter.
	 */
	cookielen = SCTP_CALC_COOKIE_LEN(ch);
	iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen;
	if (sctp->sctp_send_adaptation)
		iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t));
	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
	    sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
		iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION);
	}
	if (initcollision)
		iacklen += sctp_supaddr_param_len(sctp);
	if (!linklocal)
		iacklen += sctp_addr_params(sctp, supp_af, NULL, B_FALSE);
	ipsctplen += sizeof (*iacksh) + iacklen;
	iacklen += errlen;
	/*
	 * Padding is applied after the cookie which is the end of chunk
	 * unless CAUSE blocks are appended when the pad must also be
	 * accounted for in iacklen.
	 */
	if ((pad = ipsctplen % SCTP_ALIGN) != 0) {
		pad = SCTP_ALIGN - pad;
		ipsctplen += pad;
		if (errmp != NULL)
			iacklen += pad;
	}

	/*
	 * Base the transmission on any routing-related socket options
	 * that have been set on the listener.
	 */
	ixa = conn_get_ixa_exclusive(connp);
	if (ixa == NULL) {
		sctp_send_abort(sctp, sctp_init2vtag(ch),
		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
		return;
	}
	ixa->ixa_flags &= ~IXAF_VERIFY_PMTU;

	if (isv4)
		ixa->ixa_flags |= IXAF_IS_IPV4;
	else
		ixa->ixa_flags &= ~IXAF_IS_IPV4;

	/*
	 * If the listen socket is bound to a trusted extensions multi-label
	 * port, a MAC-Exempt connection with an unlabeled node, we use the
	 * the security label of the received INIT packet.
	 * If not a multi-label port, attach the unmodified
	 * listener's label directly.
	 *
	 * We expect Sun developed kernel modules to properly set
	 * cred labels for sctp connections. We can't be so sure this
	 * will be done correctly when 3rd party kernel modules
	 * directly use sctp. We check for a NULL ira_tsl to cover this
	 * possibility.
	 */
	if (is_system_labeled()) {
		/* Discard any old label */
		if (ixa->ixa_free_flags & IXA_FREE_TSL) {
			ASSERT(ixa->ixa_tsl != NULL);
			label_rele(ixa->ixa_tsl);
			ixa->ixa_free_flags &= ~IXA_FREE_TSL;
			ixa->ixa_tsl = NULL;
		}

		if (connp->conn_mlp_type != mlptSingle ||
		    connp->conn_mac_mode != CONN_MAC_DEFAULT) {
			if (ira->ira_tsl == NULL) {
				sctp_send_abort(sctp, sctp_init2vtag(ch),
				    SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0,
				    B_FALSE, ira);
				ixa_refrele(ixa);
				return;
			}
			label_hold(ira->ira_tsl);
			ip_xmit_attr_replace_tsl(ixa, ira->ira_tsl);
		} else {
			ixa->ixa_tsl = crgetlabel(connp->conn_cred);
		}
	}

	iackmp = allocb(ipsctplen + sctps->sctps_wroff_xtra, BPRI_MED);
	if (iackmp == NULL) {
		sctp_send_abort(sctp, sctp_init2vtag(ch),
		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
		ixa_refrele(ixa);
		return;
	}

	/* Copy in the [imcomplete] IP/SCTP composite header */
	p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra);
	iackmp->b_rptr = (uchar_t *)p;
	if (isv4) {
		bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len);
		iackiph = (ipha_t *)p;

		/* Copy the peer's IP addr */
		iackiph->ipha_dst = initiph->ipha_src;
		iackiph->ipha_src = initiph->ipha_dst;
		iackiph->ipha_length = htons(ipsctplen + errlen);
		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len);
		ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr_len;
	} else {
		bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len);
		iackip6h = (ip6_t *)p;

		/* Copy the peer's IP addr */
		iackip6h->ip6_dst = initip6h->ip6_src;
		iackip6h->ip6_src = initip6h->ip6_dst;
		iackip6h->ip6_plen = htons(ipsctplen + errlen - IPV6_HDR_LEN);
		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len);
		ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr6_len;
	}
	ixa->ixa_pktlen = ipsctplen + errlen;

	ASSERT(OK_32PTR(iacksh));

	/* Fill in the holes in the SCTP common header */
	iacksh->sh_sport = initsh->sh_dport;
	iacksh->sh_dport = initsh->sh_sport;
	iacksh->sh_verf = init->sic_inittag;

	/* INIT ACK chunk header */
	iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1);
	iack_ch->sch_id = CHUNK_INIT_ACK;
	iack_ch->sch_flags = 0;
	iack_ch->sch_len = htons(iacklen);

	/* The INIT ACK itself */
	iack = (sctp_init_chunk_t *)(iack_ch + 1);
	iack->sic_inittag = itag;	/* already in network byteorder */
	iack->sic_inittsn = htonl(itsn);

	iack->sic_a_rwnd = htonl(sctp->sctp_rwnd);
	/* Advertise what we would want to have as stream #'s */
	iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr,
	    ntohs(init->sic_instr)));
	iack->sic_instr = htons(sctp->sctp_num_istr);

	p = (char *)(iack + 1);
	p += sctp_adaptation_code_param(sctp, (uchar_t *)p);
	if (initcollision)
		p += sctp_supaddr_param(sctp, (uchar_t *)p);
	if (!linklocal)
		p += sctp_addr_params(sctp, supp_af, (uchar_t *)p, B_FALSE);
	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
	    sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
		p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION);
	}
	/*
	 * Generate and lay in the COOKIE parameter.
	 *
	 * Any change here that results in a change of location for
	 * the peer's orig source address must be propagated to the fn
	 * cl_sctp_cookie_paddr() above.
	 *
	 * The cookie consists of:
	 * 1. The relative timestamp for the cookie (lbolt64)
	 * 2. The cookie lifetime (uint32_t) in tick
	 * 3. The local tie-tag
	 * 4. The peer tie-tag
	 * 5. Peer's original src, used to confirm the validity of address.
	 * 6. Our INIT ACK chunk, less any parameters
	 * 7. The INIT chunk (may contain parameters)
	 * 8. 128-bit MD5 signature.
	 *
	 * Since the timestamp values will only be evaluated locally, we
	 * don't need to worry about byte-ordering them.
	 */
	cookieph = (sctp_parm_hdr_t *)p;
	cookieph->sph_type = htons(PARM_COOKIE);
	cookieph->sph_len = htons(cookielen);

	/* timestamp */
	now = (int64_t *)(cookieph + 1);
	nowt = LBOLT_FASTPATH64;
	bcopy(&nowt, now, sizeof (*now));

	/* cookie lifetime -- need configuration */
	lifetime = (uint32_t *)(now + 1);
	*lifetime = sctp->sctp_cookie_lifetime;

	/* Set the tie-tags */
	ttag = (uint32_t *)(lifetime + 1);
	if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) {
		*ttag = 0;
		ttag++;
		*ttag = 0;
		ttag++;
	} else {
		/* local tie-tag (network byte-order) */
		*ttag = sctp->sctp_lvtag;
		ttag++;
		/* peer tie-tag (network byte-order) */
		*ttag = sctp->sctp_fvtag;
		ttag++;
	}
	/*
	 * Copy in peer's original source address so that we can confirm
	 * the reachability later.
	 */
	p = (char *)ttag;
	if (isv4) {
		in6_addr_t peer_addr;

		IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr);
		bcopy(&peer_addr, p, sizeof (in6_addr_t));
	} else {
		bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t));
	}
	p += sizeof (in6_addr_t);
	/* Copy in our INIT ACK chunk */
	bcopy(iack, p, sizeof (*iack));
	iack = (sctp_init_chunk_t *)p;
	/* Set the # of streams we'll end up using */
	iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr));
	iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr));
	p += sizeof (*iack);

	/* Copy in the peer's INIT chunk */
	bcopy(ch, p, ntohs(ch->sch_len));
	p += ntohs(ch->sch_len);

	/*
	 * Calculate the HMAC ICV into the digest slot in buf.
	 * First, generate a new secret if the current secret is
	 * older than the new secret lifetime parameter permits,
	 * copying the current secret to sctp_old_secret.
	 */
	if (sctps->sctps_new_secret_interval > 0 &&
	    (sctp->sctp_last_secret_update +
	    MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) {
		bcopy(sctp->sctp_secret, sctp->sctp_old_secret,
		    SCTP_SECRET_LEN);
		(void) random_get_pseudo_bytes(sctp->sctp_secret,
		    SCTP_SECRET_LEN);
		sctp->sctp_last_secret_update = nowt;
	}

	hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16,
	    (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p);

	iackmp->b_wptr = iackmp->b_rptr + ipsctplen;
	if (pad != 0)
		bzero((iackmp->b_wptr - pad), pad);

	iackmp->b_cont = errmp;		/*  OK if NULL */

	if (is_system_labeled()) {
		ts_label_t *effective_tsl = NULL;

		ASSERT(ira->ira_tsl != NULL);

		/* Discard any old label */
		if (ixa->ixa_free_flags & IXA_FREE_TSL) {
			ASSERT(ixa->ixa_tsl != NULL);
			label_rele(ixa->ixa_tsl);
			ixa->ixa_free_flags &= ~IXA_FREE_TSL;
		}
		ixa->ixa_tsl = ira->ira_tsl;	/* A multi-level responder */

		/*
		 * We need to check for label-related failures which implies
		 * an extra call to tsol_check_dest (as ip_output_simple
		 * also does a tsol_check_dest as part of computing the
		 * label for the packet, but ip_output_simple doesn't return
		 * a specific errno for that case so we can't rely on its
		 * check.)
		 */
		if (isv4) {
			err = tsol_check_dest(ixa->ixa_tsl, &iackiph->ipha_dst,
			    IPV4_VERSION, connp->conn_mac_mode,
			    connp->conn_zone_is_global, &effective_tsl);
		} else {
			err = tsol_check_dest(ixa->ixa_tsl, &iackip6h->ip6_dst,
			    IPV6_VERSION, connp->conn_mac_mode,
			    connp->conn_zone_is_global, &effective_tsl);
		}
		if (err != 0) {
			sctp_send_abort(sctp, sctp_init2vtag(ch),
			    SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE,
			    ira);
			ixa_refrele(ixa);
			freemsg(iackmp);
			return;
		}
		if (effective_tsl != NULL) {
			/*
			 * Since ip_output_simple will redo the
			 * tsol_check_dest, we just drop the ref.
			 */
			label_rele(effective_tsl);
		}
	}

	BUMP_LOCAL(sctp->sctp_opkts);
	BUMP_LOCAL(sctp->sctp_obchunks);

	(void) ip_output_simple(iackmp, ixa);
	ixa_refrele(ixa);
}

void
sctp_send_cookie_ack(sctp_t *sctp)
{
	sctp_chunk_hdr_t *cach;
	mblk_t *camp;
	sctp_stack_t	*sctps = sctp->sctp_sctps;

	camp = sctp_make_mp(sctp, sctp->sctp_current, sizeof (*cach));
	if (camp == NULL) {
		/* XXX should abort, but don't have the inmp anymore */
		SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed);
		return;
	}

	cach = (sctp_chunk_hdr_t *)camp->b_wptr;
	camp->b_wptr = (uchar_t *)(cach + 1);
	cach->sch_id = CHUNK_COOKIE_ACK;
	cach->sch_flags = 0;
	cach->sch_len = htons(sizeof (*cach));

	BUMP_LOCAL(sctp->sctp_obchunks);

	sctp_set_iplen(sctp, camp, sctp->sctp_current->sf_ixa);
	(void) conn_ip_output(camp, sctp->sctp_current->sf_ixa);
	BUMP_LOCAL(sctp->sctp_opkts);
}

static int
sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code)
{

	if (len < sizeof (*sph))
		return (-1);
	while (sph != NULL) {
		if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) &&
		    ntohs(sph->sph_len) >= (sizeof (*sph) +
		    sizeof (uint32_t))) {
			*adaptation_code = *(uint32_t *)(sph + 1);
			return (0);
		}
		sph = sctp_next_parm(sph, &len);
	}
	return (-1);
}

void
sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp,
    ip_recv_attr_t *ira)
{
	mblk_t			*cemp;
	mblk_t			*mp = NULL;
	mblk_t			*head;
	mblk_t			*meta;
	sctp_faddr_t		*fp;
	sctp_chunk_hdr_t	*cech;
	sctp_init_chunk_t	 *iack;
	int32_t			cansend;
	int32_t			seglen;
	size_t			ceclen;
	sctp_parm_hdr_t		*cph;
	sctp_data_hdr_t		*sdc;
	sctp_tf_t		*tf;
	int			pad = 0;
	int			hdrlen;
	mblk_t			*errmp = NULL;
	uint_t			sctp_options;
	int			error;
	uint16_t		old_num_str;
	sctp_stack_t		*sctps = sctp->sctp_sctps;

	iack = (sctp_init_chunk_t *)(iackch + 1);

	cph = NULL;
	if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp,
	    &pad, &sctp_options, ira) == 0) { /* result in 'pad' ignored */
		SCTPS_BUMP_MIB(sctps, sctpAborted);
		sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL);
		sctp_clean_death(sctp, ECONNABORTED);
		return;
	}
	ASSERT(cph != NULL);

	ASSERT(sctp->sctp_cookie_mp == NULL);

	/* Got a cookie to echo back; allocate an mblk */
	ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph);
	if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0)
		pad = SCTP_ALIGN - pad;

	if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION)
		hdrlen = sctp->sctp_hdr_len;
	else
		hdrlen = sctp->sctp_hdr6_len;

	cemp = allocb(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad,
	    BPRI_MED);
	if (cemp == NULL) {
		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
		    sctp->sctp_current->sf_rto);
		if (errmp != NULL)
			freeb(errmp);
		return;
	}
	cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen);

	/* Process the INIT ACK */
	sctp->sctp_sctph->sh_verf = iack->sic_inittag;
	sctp->sctp_sctph6->sh_verf = iack->sic_inittag;
	sctp->sctp_fvtag = iack->sic_inittag;
	sctp->sctp_ftsn = ntohl(iack->sic_inittsn);
	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
	sctp->sctp_fcsn = sctp->sctp_lastacked;
	sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd);

	/*
	 * Populate sctp with addresses given in the INIT ACK or IP header.
	 * Need to set the df bit in the current fp as it has been cleared
	 * in sctp_connect().
	 */
	sctp->sctp_current->sf_df = B_TRUE;
	sctp->sctp_ipha->ipha_fragment_offset_and_flags |= IPH_DF_HTONS;

	/*
	 * Since IP uses this info during the fanout process, we need to hold
	 * the lock for this hash line while performing this operation.
	 */
	/* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, connp->conn_ports); */
	ASSERT(sctp->sctp_conn_tfp != NULL);
	tf = sctp->sctp_conn_tfp;
	/* sctp isn't a listener so only need to hold conn fanout lock */
	mutex_enter(&tf->tf_lock);
	if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) {
		mutex_exit(&tf->tf_lock);
		freeb(cemp);
		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
		    sctp->sctp_current->sf_rto);
		if (errmp != NULL)
			freeb(errmp);
		return;
	}
	mutex_exit(&tf->tf_lock);

	fp = sctp->sctp_current;

	/*
	 * There could be a case when we get an INIT-ACK again, if the INIT
	 * is re-transmitted, for e.g., which means we would have already
	 * allocated this resource earlier (also for sctp_instr). In this
	 * case we check and re-allocate, if necessary.
	 */
	old_num_str = sctp->sctp_num_ostr;
	if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr)
		sctp->sctp_num_ostr = ntohs(iack->sic_instr);
	if (sctp->sctp_ostrcntrs == NULL) {
		sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
		    sctp->sctp_num_ostr, KM_NOSLEEP);
	} else {
		ASSERT(old_num_str > 0);
		if (old_num_str != sctp->sctp_num_ostr) {
			kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
			    old_num_str);
			sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
			    sctp->sctp_num_ostr, KM_NOSLEEP);
		}
	}
	if (sctp->sctp_ostrcntrs == NULL) {
		freeb(cemp);
		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
		if (errmp != NULL)
			freeb(errmp);
		return;
	}

	/*
	 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs
	 * hold here too.
	 */
	old_num_str = sctp->sctp_num_istr;
	if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr)
		sctp->sctp_num_istr = ntohs(iack->sic_outstr);
	if (sctp->sctp_instr == NULL) {
		sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
		    sctp->sctp_num_istr, KM_NOSLEEP);
	} else {
		ASSERT(old_num_str > 0);
		if (old_num_str != sctp->sctp_num_istr) {
			kmem_free(sctp->sctp_instr,
			    sizeof (*sctp->sctp_instr) * old_num_str);
			sctp->sctp_instr = kmem_zalloc(
			    sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr,
			    KM_NOSLEEP);
		}
	}
	if (sctp->sctp_instr == NULL) {
		kmem_free(sctp->sctp_ostrcntrs,
		    sizeof (uint16_t) * sctp->sctp_num_ostr);
		freeb(cemp);
		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
		if (errmp != NULL)
			freeb(errmp);
		return;
	}

	if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware)
		sctp->sctp_prsctp_aware = B_FALSE;

	if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1),
	    ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)),
	    &sctp->sctp_rx_adaptation_code) == 0) {
		sctp->sctp_recv_adaptation = 1;
	}

	cech = (sctp_chunk_hdr_t *)cemp->b_rptr;
	ASSERT(OK_32PTR(cech));
	cech->sch_id = CHUNK_COOKIE;
	cech->sch_flags = 0;
	cech->sch_len = htons(ceclen);

	/* Copy the cookie (less the parm hdr) to the chunk */
	bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph));

	cemp->b_wptr = cemp->b_rptr + ceclen;

	if (sctp->sctp_unsent > 0) {
		sctp_msg_hdr_t	*smh;
		mblk_t		*prev = NULL;
		uint32_t	unsent = 0;

		mp = sctp->sctp_xmit_unsent;
		do {
			smh = (sctp_msg_hdr_t *)mp->b_rptr;
			if (smh->smh_sid >= sctp->sctp_num_ostr) {
				unsent += smh->smh_msglen;
				if (prev != NULL)
					prev->b_next = mp->b_next;
				else
					sctp->sctp_xmit_unsent = mp->b_next;
				mp->b_next = NULL;
				sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID,
				    B_FALSE);
				if (prev != NULL)
					mp = prev->b_next;
				else
					mp = sctp->sctp_xmit_unsent;
			} else {
				prev = mp;
				mp = mp->b_next;
			}
		} while (mp != NULL);
		if (unsent > 0) {
			ASSERT(sctp->sctp_unsent >= unsent);
			sctp->sctp_unsent -= unsent;
			/*
			 * Update ULP the amount of queued data, which is
			 * sent-unack'ed + unsent.
			 * This is not necessary, but doesn't harm, we
			 * just use unsent instead of sent-unack'ed +
			 * unsent, since there won't be any sent-unack'ed
			 * here.
			 */
			if (!SCTP_IS_DETACHED(sctp))
				SCTP_TXQ_UPDATE(sctp);
		}
		if (sctp->sctp_xmit_unsent == NULL)
			sctp->sctp_xmit_unsent_tail = NULL;
	}
	ceclen += pad;
	cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd);
	meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen,
	    cansend,  NULL);
	/*
	 * The error cannot be anything else since we could have an non-zero
	 * error only if sctp_get_msg_to_send() tries to send a Forward
	 * TSN which will not happen here.
	 */
	ASSERT(error == 0);
	if (meta == NULL)
		goto sendcookie;
	sctp->sctp_xmit_tail = meta;
	sdc = (sctp_data_hdr_t *)mp->b_rptr;
	seglen = ntohs(sdc->sdh_len);
	if ((ceclen + seglen) > fp->sf_pmss ||
	    (seglen - sizeof (*sdc)) > cansend) {
		goto sendcookie;
	}
	/* OK, if this fails */
	cemp->b_cont = dupmsg(mp);
sendcookie:
	head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL);
	if (head == NULL) {
		freemsg(cemp);
		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
		if (errmp != NULL)
			freeb(errmp);
		SCTP_KSTAT(sctps, sctp_send_cookie_failed);
		return;
	}
	/*
	 * Even if cookie-echo exceeds MTU for one of the hops, it'll
	 * have a chance of getting there.
	 */
	if (fp->sf_isv4) {
		ipha_t *iph = (ipha_t *)head->b_rptr;
		iph->ipha_fragment_offset_and_flags = 0;
	}
	BUMP_LOCAL(sctp->sctp_obchunks);

	sctp->sctp_cookie_mp = dupmsg(head);
	/* Don't bundle, we will just resend init if this cookie is lost. */
	if (sctp->sctp_cookie_mp == NULL) {
		if (cemp->b_cont != NULL) {
			freemsg(cemp->b_cont);
			cemp->b_cont = NULL;
		}
	} else if (cemp->b_cont != NULL) {
		ASSERT(mp != NULL && mp == meta->b_cont);
		SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont);
		cemp->b_wptr += pad;
		seglen -= sizeof (*sdc);
		SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta);
	}
	if (errmp != NULL) {
		if (cemp->b_cont == NULL)
			cemp->b_wptr += pad;
		linkb(head, errmp);
	}
	sctp->sctp_state = SCTPS_COOKIE_ECHOED;
	SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);

	sctp_set_iplen(sctp, head, fp->sf_ixa);
	(void) conn_ip_output(head, fp->sf_ixa);
	BUMP_LOCAL(sctp->sctp_opkts);
}

int
sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
    sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaptation,
    in6_addr_t *peer_addr, ip_recv_attr_t *ira)
{
	int32_t			clen;
	size_t			initplen;
	uchar_t			*p;
	uchar_t			*given_hash;
	uchar_t			needed_hash[16];
	int64_t			ts;
	int64_t			diff;
	uint32_t		*lt;
	sctp_init_chunk_t	*iack;
	sctp_chunk_hdr_t	*initch;
	sctp_init_chunk_t	*init;
	uint32_t		*lttag;
	uint32_t		*fttag;
	uint32_t		ports;
	sctp_stack_t		*sctps = sctp->sctp_sctps;
	conn_t			*connp = sctp->sctp_connp;

	BUMP_LOCAL(sctp->sctp_ibchunks);
	/* Verify the ICV */
	clen = ntohs(ch->sch_len) - sizeof (*ch) - 16;
	if (clen < 0) {
		dprint(1, ("invalid cookie chunk length %d\n",
		    ntohs(ch->sch_len)));

		return (-1);
	}
	p = (uchar_t *)(ch + 1);

	hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN,
	    needed_hash);

	/* The given hash follows the cookie data */
	given_hash = p + clen;

	if (bcmp(given_hash, needed_hash, 16) != 0) {
		/* The secret may have changed; try the old secret */
		hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret,
		    SCTP_SECRET_LEN, needed_hash);
		if (bcmp(given_hash, needed_hash, 16) != 0) {
			return (-1);
		}
	}

	/* Timestamp is int64_t, and we only guarantee 32-bit alignment */
	bcopy(p, &ts, sizeof (ts));
	/* Cookie life time, uint32_t */
	lt = (uint32_t *)(p + sizeof (ts));

	/*
	 * To quote PRC, "this is our baby", so let's continue.
	 * We need to pull out the encapsulated INIT ACK and
	 * INIT chunks. Note that we don't process these until
	 * we have verified the timestamp, but we need them before
	 * processing the timestamp since if the time check fails,
	 * we need to get the verification tag from the INIT in order
	 * to send a stale cookie error.
	 */
	lttag = (uint32_t *)(lt + 1);
	fttag = lttag + 1;
	if (peer_addr != NULL)
		bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t));
	iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t));
	initch = (sctp_chunk_hdr_t *)(iack + 1);
	init = (sctp_init_chunk_t *)(initch + 1);
	initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch));
	*iackpp = iack;
	*recv_adaptation = 0;

	/*
	 * Check the staleness of the Cookie, specified in 3.3.10.3 of
	 * RFC 2960.
	 *
	 * The mesaure of staleness is the difference, in microseconds,
	 * between the current time and the time the State Cookie expires.
	 * So it is lbolt64 - (ts + *lt).  If it is positive, it means
	 * that the Cookie has expired.
	 */
	diff = LBOLT_FASTPATH64 - (ts + *lt);
	if (diff > 0 && (init->sic_inittag != sctp->sctp_fvtag ||
	    iack->sic_inittag != sctp->sctp_lvtag)) {
		uint32_t staleness;

		staleness = TICK_TO_USEC(diff);
		staleness = htonl(staleness);
		sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE,
		    (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE,
		    ira);

		dprint(1, ("stale cookie %d\n", staleness));

		return (-1);
	}

	/* Check for attack by adding addresses to a restart */
	bcopy(insctph, &ports, sizeof (ports));
	if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP,
	    sctps, ira) != 1) {
		return (-1);
	}

	/* Look for adaptation code if there any parms in the INIT chunk */
	if ((initplen >= sizeof (sctp_parm_hdr_t)) &&
	    (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen,
	    &sctp->sctp_rx_adaptation_code) == 0)) {
		*recv_adaptation = 1;
	}

	/* Examine tie-tags */

	if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) {
		if (sctp->sctp_state == SCTPS_ESTABLISHED &&
		    init->sic_inittag == sctp->sctp_fvtag &&
		    iack->sic_inittag == sctp->sctp_lvtag &&
		    *fttag == 0 && *lttag == 0) {

			dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
			    (int)(connp->conn_fport)));
			return (-1);
		}

		if (init->sic_inittag != sctp->sctp_fvtag &&
		    iack->sic_inittag != sctp->sctp_lvtag &&
		    *fttag == sctp->sctp_fvtag &&
		    *lttag == sctp->sctp_lvtag) {
			int i;

			/* Section 5.2.4 case A: restart */
			sctp->sctp_fvtag = init->sic_inittag;
			sctp->sctp_lvtag = iack->sic_inittag;

			sctp->sctp_sctph->sh_verf = init->sic_inittag;
			sctp->sctp_sctph6->sh_verf = init->sic_inittag;

			sctp->sctp_ftsn = ntohl(init->sic_inittsn);
			sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
			sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
			sctp->sctp_fcsn = sctp->sctp_lastacked;

			if (sctp->sctp_state < SCTPS_ESTABLISHED)
				SCTP_ASSOC_EST(sctps, sctp);

			dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n",
			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
			    (int)(connp->conn_fport)));
			/* reset parameters */
			sctp_congest_reset(sctp);

			/* reset stream bookkeeping */
			sctp_instream_cleanup(sctp, B_FALSE);

			sctp->sctp_istr_nmsgs = 0;
			sctp->sctp_rxqueued = 0;
			for (i = 0; i < sctp->sctp_num_ostr; i++) {
				sctp->sctp_ostrcntrs[i] = 0;
			}
			/* XXX flush xmit_list? */

			return (0);
		} else if (init->sic_inittag != sctp->sctp_fvtag &&
		    iack->sic_inittag == sctp->sctp_lvtag) {

			/* Section 5.2.4 case B: INIT collision */
			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
				if (!sctp_initialize_params(sctp, init, iack))
					return (-1);	/* Drop? */
				SCTP_ASSOC_EST(sctps, sctp);
			}

			dprint(1, ("init collision with %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
			    (int)(connp->conn_fport)));

			return (0);
		} else if (iack->sic_inittag != sctp->sctp_lvtag &&
		    init->sic_inittag == sctp->sctp_fvtag &&
		    *fttag == 0 && *lttag == 0) {

			/* Section 5.2.4 case C: late COOKIE */
			dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
			    (int)(connp->conn_fport)));
			return (-1);
		} else if (init->sic_inittag == sctp->sctp_fvtag &&
		    iack->sic_inittag == sctp->sctp_lvtag) {

			/*
			 * Section 5.2.4 case D: COOKIE ECHO retransmit
			 * Don't check cookie lifetime
			 */
			dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n",
			    SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
			    (int)(connp->conn_fport)));
			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
				if (!sctp_initialize_params(sctp, init, iack))
					return (-1);	/* Drop? */
				SCTP_ASSOC_EST(sctps, sctp);
			}
			return (0);
		} else {
			/* unrecognized case -- silently drop it */
			return (-1);
		}
	}

	return (0);
}

/*
 * Similar to ip_fanout_sctp, except that the src addr(s) are drawn
 * from address parameters in an INIT ACK's address list. This
 * function is used when an INIT ACK is received but IP's fanout
 * function could not find a sctp via the normal lookup routine.
 * This can happen when a host sends an INIT ACK from a different
 * address than the INIT was sent to.
 *
 * Returns the sctp_t if found, or NULL if not found.
 */
sctp_t *
sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich,
    zoneid_t zoneid, sctp_stack_t *sctps)
{
	int isv4;
	ipha_t *iph;
	ip6_t *ip6h;
	in6_addr_t dst;
	in6_addr_t src, *srcp = &src;
	sctp_parm_hdr_t *ph;
	ssize_t remaining;
	sctp_init_chunk_t *iack;
	uint32_t ports;
	sctp_t *sctp = NULL;

	ASSERT(ich->sch_id == CHUNK_INIT_ACK);

	isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
	if (isv4) {
		iph = (ipha_t *)mp->b_rptr;
		IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst);
	} else {
		ip6h = (ip6_t *)mp->b_rptr;
		dst = ip6h->ip6_dst;
	}

	ports = *(uint32_t *)sctph;

	dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n",
	    ports, SCTP_PRINTADDR(dst)));

	/* pull out any address parameters */
	remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack);
	if (remaining < sizeof (*ph)) {
		return (NULL);
	}

	iack = (sctp_init_chunk_t *)(ich + 1);
	ph = (sctp_parm_hdr_t *)(iack + 1);

	while (ph != NULL) {
		/*
		 * params have been verified in sctp_check_input(),
		 * so no need to do it again here.
		 *
		 * For labeled systems, there's no need to check the
		 * label here.  It's known to be good as we checked
		 * before allowing the connection to become bound.
		 *
		 * According to RFC4960 :
		 * All integer fields in an SCTP packet MUST be transmitted
		 * in network byte order, unless otherwise stated.
		 * Therefore convert the param type to network byte order.
		 */
		if (ph->sph_type == htons(PARM_ADDR4)) {
			IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1),
			    srcp);

			sctp = sctp_conn_match(&srcp, 1, &dst, ports, zoneid,
			    0, sctps);

			dprint(1,
			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
			    SCTP_PRINTADDR(src), (void *)sctp));


			if (sctp != NULL) {
				return (sctp);
			}
		} else if (ph->sph_type == htons(PARM_ADDR6)) {
			srcp = (in6_addr_t *)(ph + 1);
			sctp = sctp_conn_match(&srcp, 1, &dst, ports, zoneid,
			    0, sctps);

			dprint(1,
			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
			    SCTP_PRINTADDR(src), (void *)sctp));

			if (sctp != NULL) {
				return (sctp);
			}
		}

		ph = sctp_next_parm(ph, &remaining);
	}

	return (NULL);
}