xref: /titanic_52/usr/src/uts/common/inet/sctp/sctp_cookie.c (revision 5279807d7e1818eac6f90ac640b7a89cdb37522d)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <sys/types.h>
28 #include <sys/systm.h>
29 #include <sys/stream.h>
30 #include <sys/cmn_err.h>
31 #include <sys/md5.h>
32 #include <sys/kmem.h>
33 #include <sys/strsubr.h>
34 #include <sys/random.h>
35 #include <sys/tsol/tnet.h>
36 
37 #include <netinet/in.h>
38 #include <netinet/ip6.h>
39 
40 #include <inet/common.h>
41 #include <inet/ip.h>
42 #include <inet/ip6.h>
43 #include <inet/sctp_ip.h>
44 #include <inet/ipclassifier.h>
45 #include "sctp_impl.h"
46 
47 /*
48  * Helper function for SunCluster (PSARC/2005/602) to get the original source
49  * address from the COOKIE
50  */
51 int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *);
52 
53 /*
54  * From RFC 2104. This should probably go into libmd5 (and while
55  * we're at it, maybe we should make a libdigest so we can later
56  * add SHA1 and others, esp. since some weaknesses have been found
57  * with MD5).
58  *
59  * text		IN			pointer to data stream
60  * text_len	IN			length of data stream
61  * key		IN			pointer to authentication key
62  * key_len	IN			length of authentication key
63  * digest	OUT			caller digest to be filled in
64  */
65 static void
66 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len,
67     uchar_t *digest)
68 {
69 	MD5_CTX context;
70 	uchar_t k_ipad[65];	/* inner padding - key XORd with ipad */
71 	uchar_t k_opad[65];	/* outer padding - key XORd with opad */
72 	uchar_t tk[16];
73 	int i;
74 
75 	/* if key is longer than 64 bytes reset it to key=MD5(key) */
76 	if (key_len > 64) {
77 		MD5_CTX tctx;
78 
79 		MD5Init(&tctx);
80 		MD5Update(&tctx, key, key_len);
81 		MD5Final(tk, &tctx);
82 
83 		key = tk;
84 		key_len = 16;
85 	}
86 
87 	/*
88 	 * the HMAC_MD5 transform looks like:
89 	 *
90 	 * MD5(K XOR opad, MD5(K XOR ipad, text))
91 	 *
92 	 * where K is an n byte key
93 	 * ipad is the byte 0x36 repeated 64 times
94 	 * opad is the byte 0x5c repeated 64 times
95 	 * and text is the data being protected
96 	 */
97 
98 	/* start out by storing key in pads */
99 	bzero(k_ipad, sizeof (k_ipad));
100 	bzero(k_opad, sizeof (k_opad));
101 	bcopy(key, k_ipad, key_len);
102 	bcopy(key, k_opad, key_len);
103 
104 	/* XOR key with ipad and opad values */
105 	for (i = 0; i < 64; i++) {
106 		k_ipad[i] ^= 0x36;
107 		k_opad[i] ^= 0x5c;
108 	}
109 	/*
110 	 * perform inner MD5
111 	 */
112 	MD5Init(&context);			/* init context for 1st */
113 						/* pass */
114 	MD5Update(&context, k_ipad, 64);	/* start with inner pad */
115 	MD5Update(&context, text, text_len);	/* then text of datagram */
116 	MD5Final(digest, &context);		/* finish up 1st pass */
117 	/*
118 	 * perform outer MD5
119 	 */
120 	MD5Init(&context);			/* init context for 2nd */
121 						/* pass */
122 	MD5Update(&context, k_opad, 64);	/* start with outer pad */
123 	MD5Update(&context, digest, 16);	/* then results of 1st */
124 						/* hash */
125 	MD5Final(digest, &context);		/* finish up 2nd pass */
126 }
127 
128 /*
129  * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP
130  * info in initmp to send the abort. Otherwise, no abort will be sent.
131  *
132  * When called from stcp_send_initack() while processing parameters
133  * from a received INIT_CHUNK want_cookie will be NULL.
134  *
135  * When called from sctp_send_cookie_echo() while processing an INIT_ACK,
136  * want_cookie contains a pointer to a pointer of type *sctp_parm_hdr_t.
137  * However, this last pointer will be NULL until the cookie is processed
138  * at which time it will be set to point to a sctp_parm_hdr_t that contains
139  * the cookie info.
140  *
141  * Note: an INIT_ACK is expected to contain a cookie.
142  *
143  * When processing an INIT_ACK, an ERROR chunk and chain of one or more
144  * error CAUSE blocks will be created if unrecognized parameters marked by
145  * the sender as reportable are found.
146  *
147  * When processing an INIT chunk, a chain of one or more error CAUSE blocks
148  * will be created if unrecognized parameters marked by the sender as
149  * reportable are found. These are appended directly to the INIT_ACK chunk.
150  *
151  * In both cases the error chain is visible to the caller via *errmp.
152  *
153  * Returns 1 if the parameters are OK (or if there are no optional
154  * parameters), returns 0 otherwise.
155  */
156 static int
157 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch,
158     sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie,
159     mblk_t **errmp, int *supp_af, uint_t *sctp_options)
160 {
161 	sctp_parm_hdr_t		*cph;
162 	sctp_init_chunk_t	*ic;
163 	ssize_t			remaining;
164 	uint16_t		serror = 0;
165 	char			*details = NULL;
166 	size_t			errlen = 0;
167 	boolean_t		got_cookie = B_FALSE;
168 	boolean_t		got_errchunk = B_FALSE;
169 	uint16_t		ptype;
170 	sctp_mpc_t		mpc;
171 
172 
173 	ASSERT(errmp != NULL);
174 
175 	if (sctp_options != NULL)
176 		*sctp_options = 0;
177 
178 	/* First validate stream parameters */
179 	if (init->sic_instr == 0 || init->sic_outstr == 0) {
180 		serror = SCTP_ERR_BAD_MANDPARM;
181 		dprint(1, ("validate_init_params: bad sid, is=%d os=%d\n",
182 		    htons(init->sic_instr), htons(init->sic_outstr)));
183 		goto abort;
184 	}
185 	if (ntohl(init->sic_inittag) == 0) {
186 		serror = SCTP_ERR_BAD_MANDPARM;
187 		dprint(1, ("validate_init_params: inittag = 0\n"));
188 		goto abort;
189 	}
190 
191 	remaining = ntohs(ch->sch_len) - sizeof (*ch);
192 	ic = (sctp_init_chunk_t *)(ch + 1);
193 	remaining -= sizeof (*ic);
194 	if (remaining < sizeof (*cph)) {
195 		/*
196 		 * When processing a received INIT_ACK, a cookie is
197 		 * expected, if missing there is nothing to validate.
198 		 */
199 		if (want_cookie != NULL)
200 			goto cookie_abort;
201 		return (1);
202 	}
203 
204 	cph = (sctp_parm_hdr_t *)(ic + 1);
205 
206 	while (cph != NULL) {
207 		ptype = ntohs(cph->sph_type);
208 		switch (ptype) {
209 		case PARM_HBINFO:
210 		case PARM_UNRECOGNIZED:
211 		case PARM_ECN:
212 			/* just ignore them */
213 			break;
214 		case PARM_FORWARD_TSN:
215 			if (sctp_options != NULL)
216 				*sctp_options |= SCTP_PRSCTP_OPTION;
217 			break;
218 		case PARM_COOKIE:
219 			got_cookie = B_TRUE;
220 			/*
221 			 * Processing a received INIT_ACK, we have a cookie
222 			 * and a valid pointer in our caller to attach it to.
223 			 */
224 			if (want_cookie != NULL) {
225 				*want_cookie = cph;
226 			}
227 			break;
228 		case PARM_ADDR4:
229 			*supp_af |= PARM_SUPP_V4;
230 			break;
231 		case PARM_ADDR6:
232 			*supp_af |= PARM_SUPP_V6;
233 			break;
234 		case PARM_COOKIE_PRESERVE:
235 		case PARM_ADAPT_LAYER_IND:
236 			/* These are OK */
237 			break;
238 		case PARM_ADDR_HOST_NAME:
239 			/* Don't support this; abort the association */
240 			serror = SCTP_ERR_BAD_ADDR;
241 			details = (char *)cph;
242 			errlen = ntohs(cph->sph_len);
243 			dprint(1, ("sctp:validate_init_params: host addr\n"));
244 			goto abort;
245 		case PARM_SUPP_ADDRS: {
246 			/* Make sure we have a supported addr intersection */
247 			uint16_t *p, addrtype;
248 			int plen;
249 
250 			plen = ntohs(cph->sph_len);
251 			p = (uint16_t *)(cph + 1);
252 			while (plen > 0) {
253 				addrtype = ntohs(*p);
254 				switch (addrtype) {
255 				case PARM_ADDR6:
256 					*supp_af |= PARM_SUPP_V6;
257 					break;
258 				case PARM_ADDR4:
259 					*supp_af |= PARM_SUPP_V4;
260 					break;
261 				default:
262 					/*
263 					 * Do nothing, silently ignore hostname
264 					 * address.
265 					 */
266 					break;
267 				}
268 				p++;
269 				plen -= sizeof (*p);
270 			}
271 			break;
272 		}
273 		default:
274 			/*
275 			 * Handle any unrecognized params, the two high order
276 			 * bits of ptype define how the remote wants them
277 			 * handled.
278 			 * Top bit:
279 			 *    1. Continue processing other params in the chunk
280 			 *    0. Stop processing params after this one.
281 			 * 2nd bit:
282 			 *    1. Must report this unrecognized param to remote
283 			 *    0. Obey the top bit silently.
284 			 */
285 			if (ptype & SCTP_REPORT_THIS_PARAM) {
286 				if (!got_errchunk && want_cookie != NULL) {
287 					/*
288 					 * Processing an INIT_ACK, this is the
289 					 * first reportable param, create an
290 					 * ERROR chunk and populate it with a
291 					 * CAUSE block for this parameter.
292 					 */
293 					*errmp = sctp_make_err(sctp,
294 					    PARM_UNRECOGNIZED,
295 					    (void *)cph,
296 					    ntohs(cph->sph_len));
297 					got_errchunk = B_TRUE;
298 				} else {
299 					/*
300 					 * If processing an INIT chunk add
301 					 * an additional CAUSE block to an
302 					 * INIT_ACK, got_errchunk is B_FALSE.
303 					 */
304 					sctp_add_unrec_parm(cph, errmp,
305 					    got_errchunk);
306 				}
307 			}
308 			if (ptype & SCTP_CONT_PROC_PARAMS) {
309 				/*
310 				 * Continue processing params after this
311 				 * parameter.
312 				 */
313 				break;
314 			}
315 
316 			/*
317 			 * Stop processing params, report any reportable
318 			 * unrecognized params found so far.
319 			 */
320 			goto done;
321 		}
322 
323 		cph = sctp_next_parm(cph, &remaining);
324 	}
325 done:
326 	/*
327 	 * Some sanity checks.  The following should not fail unless the
328 	 * other side is broken.
329 	 *
330 	 * 1. If this is a V4 endpoint but V4 address is not
331 	 * supported, abort.
332 	 * 2. If this is a V6 only endpoint but V6 address is
333 	 * not supported, abort.  This assumes that a V6
334 	 * endpoint can use both V4 and V6 addresses.
335 	 * We only care about supp_af when processing INIT, i.e want_cookie
336 	 * is NULL.
337 	 */
338 	if (want_cookie == NULL &&
339 	    ((sctp->sctp_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) ||
340 	    (sctp->sctp_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) &&
341 	    sctp->sctp_connp->conn_ipv6_v6only))) {
342 		dprint(1, ("sctp:validate_init_params: supp addr\n"));
343 		serror = SCTP_ERR_BAD_ADDR;
344 		goto abort;
345 	}
346 
347 	if (want_cookie != NULL && !got_cookie) {
348 cookie_abort:
349 		/* Will populate the CAUSE block in the ABORT chunk. */
350 		mpc.mpc_num =  htons(1);
351 		mpc.mpc_param = htons(PARM_COOKIE);
352 		mpc.mpc_pad = 0;
353 
354 		dprint(1, ("validate_init_params: cookie absent\n"));
355 		sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM,
356 		    (char *)&mpc, sizeof (sctp_mpc_t), inmp, 0, B_FALSE);
357 		return (0);
358 	}
359 
360 	/* OK */
361 	return (1);
362 
363 abort:
364 	if (want_cookie != NULL)
365 		return (0);
366 
367 	sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details,
368 	    errlen, inmp, 0, B_FALSE);
369 	return (0);
370 }
371 
372 /*
373  * Initialize params from the INIT and INIT-ACK when the assoc. is
374  * established.
375  */
376 boolean_t
377 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init,
378     sctp_init_chunk_t *iack)
379 {
380 	/* Get initial TSN */
381 	sctp->sctp_ftsn = ntohl(init->sic_inittsn);
382 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
383 
384 	/* Serial number is initialized to the same value as the TSN */
385 	sctp->sctp_fcsn = sctp->sctp_lastacked;
386 
387 	/*
388 	 * Get verification tags; no byteordering is necessary, since
389 	 * verfication tags are never processed except for byte-by-byte
390 	 * comparisons.
391 	 */
392 	sctp->sctp_fvtag = init->sic_inittag;
393 	sctp->sctp_sctph->sh_verf = init->sic_inittag;
394 	sctp->sctp_sctph6->sh_verf = init->sic_inittag;
395 	sctp->sctp_lvtag = iack->sic_inittag;
396 
397 	/* Get the peer's rwnd */
398 	sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
399 
400 	/* Allocate the in/out-stream counters */
401 	sctp->sctp_num_ostr = iack->sic_outstr;
402 	sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
403 	    sctp->sctp_num_ostr, KM_NOSLEEP);
404 	if (sctp->sctp_ostrcntrs == NULL)
405 		return (B_FALSE);
406 
407 	sctp->sctp_num_istr = iack->sic_instr;
408 	sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
409 	    sctp->sctp_num_istr, KM_NOSLEEP);
410 	if (sctp->sctp_instr == NULL) {
411 		kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
412 		    sctp->sctp_num_ostr);
413 		sctp->sctp_ostrcntrs = NULL;
414 		return (B_FALSE);
415 	}
416 	return (B_TRUE);
417 }
418 
419 /*
420  * Copy the peer's original source address into addr. This relies on the
421  * following format (see sctp_send_initack() below):
422  * 	relative timestamp for the cookie (int64_t) +
423  * 	cookie lifetime (uint32_t) +
424  * 	local tie-tag (uint32_t) +  peer tie-tag (uint32_t) +
425  * 	Peer's original src ...
426  */
427 int
428 cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr)
429 {
430 	uchar_t	*off;
431 
432 	ASSERT(addr != NULL);
433 
434 	if (ch->sch_id != CHUNK_COOKIE)
435 		return (EINVAL);
436 
437 	off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) +
438 	    sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t);
439 
440 	bcopy(off, addr, sizeof (*addr));
441 
442 	return (0);
443 }
444 
445 #define	SCTP_CALC_COOKIE_LEN(initcp) \
446 	sizeof (int64_t) +		/* timestamp */			\
447 	sizeof (uint32_t) +		/* cookie lifetime */		\
448 	sizeof (sctp_init_chunk_t) +	/* INIT ACK */			\
449 	sizeof (in6_addr_t) +		/* peer's original source */ 	\
450 	ntohs((initcp)->sch_len) +	/* peer's INIT */		\
451 	sizeof (uint32_t) +		/* local tie-tag */		\
452 	sizeof (uint32_t) +		/* peer tie-tag */		\
453 	sizeof (sctp_parm_hdr_t) +	/* param header */		\
454 	16				/* MD5 hash */
455 
456 void
457 sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
458     mblk_t *initmp)
459 {
460 	ipha_t			*initiph;
461 	ip6_t			*initip6h;
462 	ipha_t			*iackiph;
463 	ip6_t			*iackip6h;
464 	sctp_chunk_hdr_t	*iack_ch;
465 	sctp_init_chunk_t	*iack;
466 	sctp_init_chunk_t	*init;
467 	sctp_hdr_t		*iacksh;
468 	size_t			cookielen;
469 	size_t			iacklen;
470 	size_t			ipsctplen;
471 	size_t			errlen = 0;
472 	sctp_parm_hdr_t		*cookieph;
473 	mblk_t			*iackmp;
474 	uint32_t		itag;
475 	uint32_t		itsn;
476 	int64_t			*now;
477 	int64_t			nowt;
478 	uint32_t		*lifetime;
479 	char			*p;
480 	boolean_t		 isv4;
481 	int			supp_af = 0;
482 	uint_t			sctp_options;
483 	uint32_t		*ttag;
484 	int			pad;
485 	mblk_t			*errmp = NULL;
486 	boolean_t		initcollision = B_FALSE;
487 	boolean_t		linklocal = B_FALSE;
488 	cred_t			*cr;
489 	ts_label_t		*initlabel;
490 	sctp_stack_t		*sctps = sctp->sctp_sctps;
491 
492 	BUMP_LOCAL(sctp->sctp_ibchunks);
493 	isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION);
494 
495 	/* Extract the INIT chunk */
496 	if (isv4) {
497 		initiph = (ipha_t *)initmp->b_rptr;
498 		ipsctplen = sctp->sctp_ip_hdr_len;
499 		supp_af |= PARM_SUPP_V4;
500 	} else {
501 		initip6h = (ip6_t *)initmp->b_rptr;
502 		ipsctplen = sctp->sctp_ip_hdr6_len;
503 		if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src))
504 			linklocal = B_TRUE;
505 		supp_af |= PARM_SUPP_V6;
506 	}
507 	ASSERT(OK_32PTR(initsh));
508 	init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch));
509 
510 	/* Make sure we like the peer's parameters */
511 	if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp,
512 	    &supp_af, &sctp_options) == 0) {
513 		return;
514 	}
515 	if (errmp != NULL)
516 		errlen = msgdsize(errmp);
517 	if (sctp->sctp_family == AF_INET) {
518 		/*
519 		 * Irregardless of the supported address in the INIT, v4
520 		 * must be supported.
521 		 */
522 		supp_af = PARM_SUPP_V4;
523 	}
524 	if (sctp->sctp_state <= SCTPS_LISTEN) {
525 		/* normal, expected INIT: generate new vtag and itsn */
526 		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
527 		if (itag == 0)
528 			itag = (uint32_t)gethrtime();
529 		itsn = itag + 1;
530 		itag = htonl(itag);
531 	} else if (sctp->sctp_state == SCTPS_COOKIE_WAIT ||
532 	    sctp->sctp_state == SCTPS_COOKIE_ECHOED) {
533 		/* init collision; copy vtag and itsn from sctp */
534 		itag = sctp->sctp_lvtag;
535 		itsn = sctp->sctp_ltsn;
536 		/*
537 		 * In addition we need to send all the params that was sent
538 		 * in our INIT chunk. Essentially, it is only the supported
539 		 * address params that we need to add.
540 		 */
541 		initcollision = B_TRUE;
542 		/*
543 		 * When we sent the INIT, we should have set linklocal in
544 		 * the sctp which should be good enough.
545 		 */
546 		if (linklocal)
547 			linklocal = B_FALSE;
548 	} else {
549 		/* peer restart; generate new vtag but keep everything else */
550 		(void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
551 		if (itag == 0)
552 			itag = (uint32_t)gethrtime();
553 		itag = htonl(itag);
554 		itsn = sctp->sctp_ltsn;
555 	}
556 
557 	/*
558 	 * Allocate a mblk for the INIT ACK, consisting of the link layer
559 	 * header, the IP header, the SCTP common header, and INIT ACK chunk,
560 	 * and finally the COOKIE parameter.
561 	 */
562 	cookielen = SCTP_CALC_COOKIE_LEN(ch);
563 	iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen;
564 	if (sctp->sctp_send_adaptation)
565 		iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t));
566 	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
567 	    sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
568 		iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION);
569 	}
570 	if (initcollision)
571 		iacklen += sctp_supaddr_param_len(sctp);
572 	if (!linklocal)
573 		iacklen += sctp_addr_params(sctp, supp_af, NULL, B_FALSE);
574 	ipsctplen += sizeof (*iacksh) + iacklen;
575 	iacklen += errlen;
576 	if ((pad = ipsctplen % 4) != 0) {
577 		pad = 4 - pad;
578 		ipsctplen += pad;
579 	}
580 
581 	/*
582 	 * If the listen socket is bound to a trusted extensions
583 	 * multi-label port, attach a copy of the listener's cred
584 	 * to the new INITACK mblk. Modify the cred to contain
585 	 * the security label of the received INIT packet.
586 	 * If not a multi-label port, attach the unmodified
587 	 * listener's cred directly.
588 	 *
589 	 * We expect Sun developed kernel modules to properly set
590 	 * cred labels for sctp connections. We can't be so sure this
591 	 * will be done correctly when 3rd party kernel modules
592 	 * directly use sctp. The initlabel panic guard logic was
593 	 * added to cover this possibility.
594 	 */
595 	if (sctp->sctp_connp->conn_mlp_type != mlptSingle) {
596 		pid_t cpid;
597 
598 		cr = msg_getcred(initmp, &cpid);
599 		if (cr == NULL || (initlabel = crgetlabel(cr)) == NULL) {
600 			sctp_send_abort(sctp, sctp_init2vtag(ch),
601 			    SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0, B_FALSE);
602 			return;
603 		}
604 		cr = copycred_from_bslabel(CONN_CRED(sctp->sctp_connp),
605 		    &initlabel->tsl_label, initlabel->tsl_doi, KM_NOSLEEP);
606 		if (cr == NULL) {
607 			sctp_send_abort(sctp, sctp_init2vtag(ch),
608 			    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE);
609 			return;
610 		}
611 		iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra,
612 		    cr, cpid);
613 		crfree(cr);
614 	} else {
615 		iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra,
616 		    CONN_CRED(sctp->sctp_connp), sctp->sctp_cpid);
617 	}
618 	if (iackmp == NULL) {
619 		sctp_send_abort(sctp, sctp_init2vtag(ch),
620 		    SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE);
621 		return;
622 	}
623 
624 	/* Copy in the [imcomplete] IP/SCTP composite header */
625 	p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra);
626 	iackmp->b_rptr = (uchar_t *)p;
627 	if (isv4) {
628 		bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len);
629 		iackiph = (ipha_t *)p;
630 
631 		/* Copy the peer's IP addr */
632 		iackiph->ipha_dst = initiph->ipha_src;
633 		iackiph->ipha_src = initiph->ipha_dst;
634 		iackiph->ipha_length = htons(ipsctplen + errlen);
635 		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len);
636 	} else {
637 		bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len);
638 		iackip6h = (ip6_t *)p;
639 
640 		/* Copy the peer's IP addr */
641 		iackip6h->ip6_dst = initip6h->ip6_src;
642 		iackip6h->ip6_src = initip6h->ip6_dst;
643 		iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) +
644 		    errlen);
645 		iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len);
646 	}
647 	ASSERT(OK_32PTR(iacksh));
648 
649 	/* Fill in the holes in the SCTP common header */
650 	iacksh->sh_sport = initsh->sh_dport;
651 	iacksh->sh_dport = initsh->sh_sport;
652 	iacksh->sh_verf = init->sic_inittag;
653 
654 	/* INIT ACK chunk header */
655 	iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1);
656 	iack_ch->sch_id = CHUNK_INIT_ACK;
657 	iack_ch->sch_flags = 0;
658 	iack_ch->sch_len = htons(iacklen);
659 
660 	/* The INIT ACK itself */
661 	iack = (sctp_init_chunk_t *)(iack_ch + 1);
662 	iack->sic_inittag = itag;	/* already in network byteorder */
663 	iack->sic_inittsn = htonl(itsn);
664 
665 	iack->sic_a_rwnd = htonl(sctp->sctp_rwnd);
666 	/* Advertise what we would want to have as stream #'s */
667 	iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr,
668 	    ntohs(init->sic_instr)));
669 	iack->sic_instr = htons(sctp->sctp_num_istr);
670 
671 	p = (char *)(iack + 1);
672 	p += sctp_adaptation_code_param(sctp, (uchar_t *)p);
673 	if (initcollision)
674 		p += sctp_supaddr_param(sctp, (uchar_t *)p);
675 	if (!linklocal)
676 		p += sctp_addr_params(sctp, supp_af, (uchar_t *)p, B_FALSE);
677 	if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
678 	    sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
679 		p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION);
680 	}
681 	/*
682 	 * Generate and lay in the COOKIE parameter.
683 	 *
684 	 * Any change here that results in a change of location for
685 	 * the peer's orig source address must be propagated to the fn
686 	 * cl_sctp_cookie_paddr() above.
687 	 *
688 	 * The cookie consists of:
689 	 * 1. The relative timestamp for the cookie (lbolt64)
690 	 * 2. The cookie lifetime (uint32_t) in tick
691 	 * 3. The local tie-tag
692 	 * 4. The peer tie-tag
693 	 * 5. Peer's original src, used to confirm the validity of address.
694 	 * 6. Our INIT ACK chunk, less any parameters
695 	 * 7. The INIT chunk (may contain parameters)
696 	 * 8. 128-bit MD5 signature.
697 	 *
698 	 * Since the timestamp values will only be evaluated locally, we
699 	 * don't need to worry about byte-ordering them.
700 	 */
701 	cookieph = (sctp_parm_hdr_t *)p;
702 	cookieph->sph_type = htons(PARM_COOKIE);
703 	cookieph->sph_len = htons(cookielen);
704 
705 	/* timestamp */
706 	now = (int64_t *)(cookieph + 1);
707 	nowt = lbolt64;
708 	bcopy(&nowt, now, sizeof (*now));
709 
710 	/* cookie lifetime -- need configuration */
711 	lifetime = (uint32_t *)(now + 1);
712 	*lifetime = sctp->sctp_cookie_lifetime;
713 
714 	/* Set the tie-tags */
715 	ttag = (uint32_t *)(lifetime + 1);
716 	if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) {
717 		*ttag = 0;
718 		ttag++;
719 		*ttag = 0;
720 		ttag++;
721 	} else {
722 		/* local tie-tag (network byte-order) */
723 		*ttag = sctp->sctp_lvtag;
724 		ttag++;
725 		/* peer tie-tag (network byte-order) */
726 		*ttag = sctp->sctp_fvtag;
727 		ttag++;
728 	}
729 	/*
730 	 * Copy in peer's original source address so that we can confirm
731 	 * the reachability later.
732 	 */
733 	p = (char *)ttag;
734 	if (isv4) {
735 		in6_addr_t peer_addr;
736 
737 		IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr);
738 		bcopy(&peer_addr, p, sizeof (in6_addr_t));
739 	} else {
740 		bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t));
741 	}
742 	p += sizeof (in6_addr_t);
743 	/* Copy in our INIT ACK chunk */
744 	bcopy(iack, p, sizeof (*iack));
745 	iack = (sctp_init_chunk_t *)p;
746 	/* Set the # of streams we'll end up using */
747 	iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr));
748 	iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr));
749 	p += sizeof (*iack);
750 
751 	/* Copy in the peer's INIT chunk */
752 	bcopy(ch, p, ntohs(ch->sch_len));
753 	p += ntohs(ch->sch_len);
754 
755 	/*
756 	 * Calculate the HMAC ICV into the digest slot in buf.
757 	 * First, generate a new secret if the current secret is
758 	 * older than the new secret lifetime parameter permits,
759 	 * copying the current secret to sctp_old_secret.
760 	 */
761 	if (sctps->sctps_new_secret_interval > 0 &&
762 	    (sctp->sctp_last_secret_update +
763 	    MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) {
764 		bcopy(sctp->sctp_secret, sctp->sctp_old_secret,
765 		    SCTP_SECRET_LEN);
766 		(void) random_get_pseudo_bytes(sctp->sctp_secret,
767 		    SCTP_SECRET_LEN);
768 		sctp->sctp_last_secret_update = nowt;
769 	}
770 
771 	hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16,
772 	    (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p);
773 
774 	iackmp->b_wptr = iackmp->b_rptr + ipsctplen;
775 	if (pad != 0)
776 		bzero((iackmp->b_wptr - pad), pad);
777 
778 	iackmp->b_cont = errmp;		/*  OK if NULL */
779 
780 	if (is_system_labeled() && (cr = msg_getcred(iackmp, NULL)) != NULL &&
781 	    crgetlabel(cr) != NULL) {
782 		conn_t *connp = sctp->sctp_connp;
783 		int err;
784 
785 		if (isv4)
786 			err = tsol_check_label(cr, &iackmp,
787 			    connp->conn_mac_exempt,
788 			    sctps->sctps_netstack->netstack_ip);
789 		else
790 			err = tsol_check_label_v6(cr, &iackmp,
791 			    connp->conn_mac_exempt,
792 			    sctps->sctps_netstack->netstack_ip);
793 		if (err != 0) {
794 			sctp_send_abort(sctp, sctp_init2vtag(ch),
795 			    SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE);
796 			freemsg(iackmp);
797 			return;
798 		}
799 	}
800 
801 	/*
802 	 * Stash the conn ptr info. for IP only as e don't have any
803 	 * cached IRE.
804 	 */
805 	SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL);
806 
807 	/* XXX sctp == sctp_g_q, so using its obchunks is valid */
808 	BUMP_LOCAL(sctp->sctp_opkts);
809 	BUMP_LOCAL(sctp->sctp_obchunks);
810 
811 	/* OK to call IP_PUT() here instead of sctp_add_sendq(). */
812 	CONN_INC_REF(sctp->sctp_connp);
813 	iackmp->b_flag |= MSGHASREF;
814 	IP_PUT(iackmp, sctp->sctp_connp, isv4);
815 }
816 
817 void
818 sctp_send_cookie_ack(sctp_t *sctp)
819 {
820 	sctp_chunk_hdr_t *cach;
821 	mblk_t *camp;
822 	sctp_stack_t	*sctps = sctp->sctp_sctps;
823 
824 	camp = sctp_make_mp(sctp, NULL, sizeof (*cach));
825 	if (camp == NULL) {
826 		/* XXX should abort, but don't have the inmp anymore */
827 		SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed);
828 		return;
829 	}
830 
831 	cach = (sctp_chunk_hdr_t *)camp->b_wptr;
832 	camp->b_wptr = (uchar_t *)(cach + 1);
833 	cach->sch_id = CHUNK_COOKIE_ACK;
834 	cach->sch_flags = 0;
835 	cach->sch_len = htons(sizeof (*cach));
836 
837 	sctp_set_iplen(sctp, camp);
838 
839 	BUMP_LOCAL(sctp->sctp_obchunks);
840 
841 	sctp_add_sendq(sctp, camp);
842 }
843 
844 static int
845 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code)
846 {
847 
848 	if (len < sizeof (*sph))
849 		return (-1);
850 	while (sph != NULL) {
851 		if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) &&
852 		    ntohs(sph->sph_len) >= (sizeof (*sph) +
853 		    sizeof (uint32_t))) {
854 			*adaptation_code = *(uint32_t *)(sph + 1);
855 			return (0);
856 		}
857 		sph = sctp_next_parm(sph, &len);
858 	}
859 	return (-1);
860 }
861 
862 void
863 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp)
864 {
865 	mblk_t			*cemp;
866 	mblk_t			*mp = NULL;
867 	mblk_t			*head;
868 	mblk_t			*meta;
869 	sctp_faddr_t		*fp;
870 	sctp_chunk_hdr_t	*cech;
871 	sctp_init_chunk_t	 *iack;
872 	int32_t			cansend;
873 	int32_t			seglen;
874 	size_t			ceclen;
875 	sctp_parm_hdr_t		*cph;
876 	sctp_data_hdr_t		*sdc;
877 	sctp_tf_t		*tf;
878 	int			pad = 0;
879 	int			hdrlen;
880 	mblk_t			*errmp = NULL;
881 	uint_t			sctp_options;
882 	int			error;
883 	uint16_t		old_num_str;
884 	sctp_stack_t		*sctps = sctp->sctp_sctps;
885 
886 	iack = (sctp_init_chunk_t *)(iackch + 1);
887 
888 	cph = NULL;
889 	if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp,
890 	    &pad, &sctp_options) == 0) { /* result in 'pad' ignored */
891 		BUMP_MIB(&sctps->sctps_mib, sctpAborted);
892 		sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL);
893 		sctp_clean_death(sctp, ECONNABORTED);
894 		return;
895 	}
896 	ASSERT(cph != NULL);
897 
898 	ASSERT(sctp->sctp_cookie_mp == NULL);
899 
900 	/* Got a cookie to echo back; allocate an mblk */
901 	ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph);
902 	if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0)
903 		pad = SCTP_ALIGN - pad;
904 
905 	if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION)
906 		hdrlen = sctp->sctp_hdr_len;
907 	else
908 		hdrlen = sctp->sctp_hdr6_len;
909 
910 	cemp = allocb_cred(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad,
911 	    CONN_CRED(sctp->sctp_connp), sctp->sctp_cpid);
912 	if (cemp == NULL) {
913 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
914 		    sctp->sctp_current->rto);
915 		if (errmp != NULL)
916 			freeb(errmp);
917 		return;
918 	}
919 	cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen);
920 
921 	/* Process the INIT ACK */
922 	sctp->sctp_sctph->sh_verf = iack->sic_inittag;
923 	sctp->sctp_sctph6->sh_verf = iack->sic_inittag;
924 	sctp->sctp_fvtag = iack->sic_inittag;
925 	sctp->sctp_ftsn = ntohl(iack->sic_inittsn);
926 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
927 	sctp->sctp_fcsn = sctp->sctp_lastacked;
928 	sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd);
929 
930 	/*
931 	 * Populate sctp with addresses given in the INIT ACK or IP header.
932 	 * Need to set the df bit in the current fp as it has been cleared
933 	 * in sctp_connect().
934 	 */
935 	sctp->sctp_current->df = B_TRUE;
936 	/*
937 	 * Since IP uses this info during the fanout process, we need to hold
938 	 * the lock for this hash line while performing this operation.
939 	 */
940 	/* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, sctp->sctp_ports); */
941 	ASSERT(sctp->sctp_conn_tfp != NULL);
942 	tf = sctp->sctp_conn_tfp;
943 	/* sctp isn't a listener so only need to hold conn fanout lock */
944 	mutex_enter(&tf->tf_lock);
945 	if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) {
946 		mutex_exit(&tf->tf_lock);
947 		freeb(cemp);
948 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
949 		    sctp->sctp_current->rto);
950 		if (errmp != NULL)
951 			freeb(errmp);
952 		return;
953 	}
954 	mutex_exit(&tf->tf_lock);
955 
956 	fp = sctp->sctp_current;
957 
958 	/*
959 	 * There could be a case when we get an INIT-ACK again, if the INIT
960 	 * is re-transmitted, for e.g., which means we would have already
961 	 * allocated this resource earlier (also for sctp_instr). In this
962 	 * case we check and re-allocate, if necessary.
963 	 */
964 	old_num_str = sctp->sctp_num_ostr;
965 	if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr)
966 		sctp->sctp_num_ostr = ntohs(iack->sic_instr);
967 	if (sctp->sctp_ostrcntrs == NULL) {
968 		sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
969 		    sctp->sctp_num_ostr, KM_NOSLEEP);
970 	} else {
971 		ASSERT(old_num_str > 0);
972 		if (old_num_str != sctp->sctp_num_ostr) {
973 			kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
974 			    old_num_str);
975 			sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
976 			    sctp->sctp_num_ostr, KM_NOSLEEP);
977 		}
978 	}
979 	if (sctp->sctp_ostrcntrs == NULL) {
980 		freeb(cemp);
981 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
982 		if (errmp != NULL)
983 			freeb(errmp);
984 		return;
985 	}
986 
987 	/*
988 	 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs
989 	 * hold here too.
990 	 */
991 	old_num_str = sctp->sctp_num_istr;
992 	if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr)
993 		sctp->sctp_num_istr = ntohs(iack->sic_outstr);
994 	if (sctp->sctp_instr == NULL) {
995 		sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
996 		    sctp->sctp_num_istr, KM_NOSLEEP);
997 	} else {
998 		ASSERT(old_num_str > 0);
999 		if (old_num_str != sctp->sctp_num_istr) {
1000 			kmem_free(sctp->sctp_instr,
1001 			    sizeof (*sctp->sctp_instr) * old_num_str);
1002 			sctp->sctp_instr = kmem_zalloc(
1003 			    sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr,
1004 			    KM_NOSLEEP);
1005 		}
1006 	}
1007 	if (sctp->sctp_instr == NULL) {
1008 		kmem_free(sctp->sctp_ostrcntrs,
1009 		    sizeof (uint16_t) * sctp->sctp_num_ostr);
1010 		freeb(cemp);
1011 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
1012 		if (errmp != NULL)
1013 			freeb(errmp);
1014 		return;
1015 	}
1016 
1017 	if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware)
1018 		sctp->sctp_prsctp_aware = B_FALSE;
1019 
1020 	if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1),
1021 	    ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)),
1022 	    &sctp->sctp_rx_adaptation_code) == 0) {
1023 		sctp->sctp_recv_adaptation = 1;
1024 	}
1025 
1026 	cech = (sctp_chunk_hdr_t *)cemp->b_rptr;
1027 	ASSERT(OK_32PTR(cech));
1028 	cech->sch_id = CHUNK_COOKIE;
1029 	cech->sch_flags = 0;
1030 	cech->sch_len = htons(ceclen);
1031 
1032 	/* Copy the cookie (less the parm hdr) to the chunk */
1033 	bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph));
1034 
1035 	cemp->b_wptr = cemp->b_rptr + ceclen;
1036 
1037 	if (sctp->sctp_unsent > 0) {
1038 		sctp_msg_hdr_t	*smh;
1039 		mblk_t		*prev = NULL;
1040 		uint32_t	unsent = 0;
1041 
1042 		mp = sctp->sctp_xmit_unsent;
1043 		do {
1044 			smh = (sctp_msg_hdr_t *)mp->b_rptr;
1045 			if (smh->smh_sid >= sctp->sctp_num_ostr) {
1046 				unsent += smh->smh_msglen;
1047 				if (prev != NULL)
1048 					prev->b_next = mp->b_next;
1049 				else
1050 					sctp->sctp_xmit_unsent = mp->b_next;
1051 				mp->b_next = NULL;
1052 				sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID,
1053 				    B_FALSE);
1054 				if (prev != NULL)
1055 					mp = prev->b_next;
1056 				else
1057 					mp = sctp->sctp_xmit_unsent;
1058 			} else {
1059 				prev = mp;
1060 				mp = mp->b_next;
1061 			}
1062 		} while (mp != NULL);
1063 		if (unsent > 0) {
1064 			ASSERT(sctp->sctp_unsent >= unsent);
1065 			sctp->sctp_unsent -= unsent;
1066 			/*
1067 			 * Update ULP the amount of queued data, which is
1068 			 * sent-unack'ed + unsent.
1069 			 * This is not necessary, but doesn't harm, we
1070 			 * just use unsent instead of sent-unack'ed +
1071 			 * unsent, since there won't be any sent-unack'ed
1072 			 * here.
1073 			 */
1074 			if (!SCTP_IS_DETACHED(sctp))
1075 				SCTP_TXQ_UPDATE(sctp);
1076 		}
1077 		if (sctp->sctp_xmit_unsent == NULL)
1078 			sctp->sctp_xmit_unsent_tail = NULL;
1079 	}
1080 	ceclen += pad;
1081 	cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd);
1082 	meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen,
1083 	    cansend,  NULL);
1084 	/*
1085 	 * The error cannot be anything else since we could have an non-zero
1086 	 * error only if sctp_get_msg_to_send() tries to send a Forward
1087 	 * TSN which will not happen here.
1088 	 */
1089 	ASSERT(error == 0);
1090 	if (meta == NULL)
1091 		goto sendcookie;
1092 	sctp->sctp_xmit_tail = meta;
1093 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
1094 	seglen = ntohs(sdc->sdh_len);
1095 	if ((ceclen + seglen) > fp->sfa_pmss ||
1096 	    (seglen - sizeof (*sdc)) > cansend) {
1097 		goto sendcookie;
1098 	}
1099 	/* OK, if this fails */
1100 	cemp->b_cont = dupmsg(mp);
1101 sendcookie:
1102 	head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL);
1103 	if (head == NULL) {
1104 		freemsg(cemp);
1105 		SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
1106 		if (errmp != NULL)
1107 			freeb(errmp);
1108 		SCTP_KSTAT(sctps, sctp_send_cookie_failed);
1109 		return;
1110 	}
1111 	/*
1112 	 * Even if cookie-echo exceeds MTU for one of the hops, it'll
1113 	 * have a chance of getting there.
1114 	 */
1115 	if (fp->isv4) {
1116 		ipha_t *iph = (ipha_t *)head->b_rptr;
1117 		iph->ipha_fragment_offset_and_flags = 0;
1118 	}
1119 	BUMP_LOCAL(sctp->sctp_obchunks);
1120 
1121 	sctp->sctp_cookie_mp = dupmsg(head);
1122 	/* Don't bundle, we will just resend init if this cookie is lost. */
1123 	if (sctp->sctp_cookie_mp == NULL) {
1124 		if (cemp->b_cont != NULL) {
1125 			freemsg(cemp->b_cont);
1126 			cemp->b_cont = NULL;
1127 		}
1128 	} else if (cemp->b_cont != NULL) {
1129 		ASSERT(mp != NULL && mp == meta->b_cont);
1130 		SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont);
1131 		cemp->b_wptr += pad;
1132 		seglen -= sizeof (*sdc);
1133 		SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta);
1134 	}
1135 	if (errmp != NULL) {
1136 		if (cemp->b_cont == NULL)
1137 			cemp->b_wptr += pad;
1138 		linkb(head, errmp);
1139 	}
1140 	sctp->sctp_state = SCTPS_COOKIE_ECHOED;
1141 	SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
1142 
1143 	sctp_set_iplen(sctp, head);
1144 	sctp_add_sendq(sctp, head);
1145 }
1146 
1147 int
1148 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
1149     sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaptation,
1150     in6_addr_t *peer_addr)
1151 {
1152 	int32_t			clen;
1153 	size_t			initplen;
1154 	uchar_t			*p;
1155 	uchar_t			*given_hash;
1156 	uchar_t			needed_hash[16];
1157 	int64_t			ts;
1158 	int64_t			diff;
1159 	uint32_t		*lt;
1160 	sctp_init_chunk_t	*iack;
1161 	sctp_chunk_hdr_t	*initch;
1162 	sctp_init_chunk_t	*init;
1163 	uint32_t		*lttag;
1164 	uint32_t		*fttag;
1165 	uint32_t		ports;
1166 	sctp_stack_t		*sctps = sctp->sctp_sctps;
1167 
1168 	BUMP_LOCAL(sctp->sctp_ibchunks);
1169 	/* Verify the ICV */
1170 	clen = ntohs(ch->sch_len) - sizeof (*ch) - 16;
1171 	if (clen < 0) {
1172 		dprint(1, ("invalid cookie chunk length %d\n",
1173 		    ntohs(ch->sch_len)));
1174 
1175 		return (-1);
1176 	}
1177 	p = (uchar_t *)(ch + 1);
1178 
1179 	hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN,
1180 	    needed_hash);
1181 
1182 	/* The given hash follows the cookie data */
1183 	given_hash = p + clen;
1184 
1185 	if (bcmp(given_hash, needed_hash, 16) != 0) {
1186 		/* The secret may have changed; try the old secret */
1187 		hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret,
1188 		    SCTP_SECRET_LEN, needed_hash);
1189 		if (bcmp(given_hash, needed_hash, 16) != 0) {
1190 			return (-1);
1191 		}
1192 	}
1193 
1194 	/* Timestamp is int64_t, and we only guarantee 32-bit alignment */
1195 	bcopy(p, &ts, sizeof (ts));
1196 	/* Cookie life time, uint32_t */
1197 	lt = (uint32_t *)(p + sizeof (ts));
1198 
1199 	/*
1200 	 * To quote PRC, "this is our baby", so let's continue.
1201 	 * We need to pull out the encapsulated INIT ACK and
1202 	 * INIT chunks. Note that we don't process these until
1203 	 * we have verified the timestamp, but we need them before
1204 	 * processing the timestamp since if the time check fails,
1205 	 * we need to get the verification tag from the INIT in order
1206 	 * to send a stale cookie error.
1207 	 */
1208 	lttag = (uint32_t *)(lt + 1);
1209 	fttag = lttag + 1;
1210 	if (peer_addr != NULL)
1211 		bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t));
1212 	iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t));
1213 	initch = (sctp_chunk_hdr_t *)(iack + 1);
1214 	init = (sctp_init_chunk_t *)(initch + 1);
1215 	initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch));
1216 	*iackpp = iack;
1217 	*recv_adaptation = 0;
1218 
1219 	/*
1220 	 * Check the staleness of the Cookie, specified in 3.3.10.3 of
1221 	 * RFC 2960.
1222 	 *
1223 	 * The mesaure of staleness is the difference, in microseconds,
1224 	 * between the current time and the time the State Cookie expires.
1225 	 * So it is lbolt64 - (ts + *lt).  If it is positive, it means
1226 	 * that the Cookie has expired.
1227 	 */
1228 	diff = lbolt64 - (ts + *lt);
1229 	if (diff > 0 && (init->sic_inittag != sctp->sctp_fvtag ||
1230 	    iack->sic_inittag != sctp->sctp_lvtag)) {
1231 		uint32_t staleness;
1232 
1233 		staleness = TICK_TO_USEC(diff);
1234 		staleness = htonl(staleness);
1235 		sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE,
1236 		    (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE);
1237 
1238 		dprint(1, ("stale cookie %d\n", staleness));
1239 
1240 		return (-1);
1241 	}
1242 
1243 	/* Check for attack by adding addresses to a restart */
1244 	bcopy(insctph, &ports, sizeof (ports));
1245 	if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP,
1246 	    sctps) != 1) {
1247 		return (-1);
1248 	}
1249 
1250 	/* Look for adaptation code if there any parms in the INIT chunk */
1251 	if ((initplen >= sizeof (sctp_parm_hdr_t)) &&
1252 	    (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen,
1253 	    &sctp->sctp_rx_adaptation_code) == 0)) {
1254 		*recv_adaptation = 1;
1255 	}
1256 
1257 	/* Examine tie-tags */
1258 
1259 	if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) {
1260 		if (sctp->sctp_state == SCTPS_ESTABLISHED &&
1261 		    init->sic_inittag == sctp->sctp_fvtag &&
1262 		    iack->sic_inittag == sctp->sctp_lvtag &&
1263 		    *fttag == 0 && *lttag == 0) {
1264 
1265 			dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n",
1266 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1267 			    (int)(sctp->sctp_fport)));
1268 			return (-1);
1269 		}
1270 
1271 		if (init->sic_inittag != sctp->sctp_fvtag &&
1272 		    iack->sic_inittag != sctp->sctp_lvtag &&
1273 		    *fttag == sctp->sctp_fvtag &&
1274 		    *lttag == sctp->sctp_lvtag) {
1275 			int i;
1276 
1277 			/* Section 5.2.4 case A: restart */
1278 			sctp->sctp_fvtag = init->sic_inittag;
1279 			sctp->sctp_lvtag = iack->sic_inittag;
1280 
1281 			sctp->sctp_sctph->sh_verf = init->sic_inittag;
1282 			sctp->sctp_sctph6->sh_verf = init->sic_inittag;
1283 
1284 			sctp->sctp_ftsn = ntohl(init->sic_inittsn);
1285 			sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
1286 			sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
1287 			sctp->sctp_fcsn = sctp->sctp_lastacked;
1288 
1289 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1290 				sctp->sctp_state = SCTPS_ESTABLISHED;
1291 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
1292 			}
1293 
1294 			dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n",
1295 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1296 			    (int)(sctp->sctp_fport)));
1297 			/* reset parameters */
1298 			sctp_congest_reset(sctp);
1299 
1300 			/* reset stream bookkeeping */
1301 			sctp_instream_cleanup(sctp, B_FALSE);
1302 
1303 			sctp->sctp_istr_nmsgs = 0;
1304 			sctp->sctp_rxqueued = 0;
1305 			for (i = 0; i < sctp->sctp_num_ostr; i++) {
1306 				sctp->sctp_ostrcntrs[i] = 0;
1307 			}
1308 			/* XXX flush xmit_list? */
1309 
1310 			return (0);
1311 		} else if (init->sic_inittag != sctp->sctp_fvtag &&
1312 		    iack->sic_inittag == sctp->sctp_lvtag) {
1313 
1314 			/* Section 5.2.4 case B: INIT collision */
1315 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1316 				if (!sctp_initialize_params(sctp, init, iack))
1317 					return (-1);	/* Drop? */
1318 				sctp->sctp_state = SCTPS_ESTABLISHED;
1319 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
1320 			}
1321 
1322 			dprint(1, ("init collision with %x:%x:%x:%x (%d)\n",
1323 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1324 			    (int)(sctp->sctp_fport)));
1325 
1326 			return (0);
1327 		} else if (iack->sic_inittag != sctp->sctp_lvtag &&
1328 		    init->sic_inittag == sctp->sctp_fvtag &&
1329 		    *fttag == 0 && *lttag == 0) {
1330 
1331 			/* Section 5.2.4 case C: late COOKIE */
1332 			dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n",
1333 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1334 			    (int)(sctp->sctp_fport)));
1335 			return (-1);
1336 		} else if (init->sic_inittag == sctp->sctp_fvtag &&
1337 		    iack->sic_inittag == sctp->sctp_lvtag) {
1338 
1339 			/*
1340 			 * Section 5.2.4 case D: COOKIE ECHO retransmit
1341 			 * Don't check cookie lifetime
1342 			 */
1343 			dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n",
1344 			    SCTP_PRINTADDR(sctp->sctp_current->faddr),
1345 			    (int)(sctp->sctp_fport)));
1346 			if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1347 				if (!sctp_initialize_params(sctp, init, iack))
1348 					return (-1);	/* Drop? */
1349 				sctp->sctp_state = SCTPS_ESTABLISHED;
1350 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
1351 			}
1352 			return (0);
1353 		} else {
1354 			/* unrecognized case -- silently drop it */
1355 			return (-1);
1356 		}
1357 	}
1358 
1359 	return (0);
1360 }
1361 
1362 /*
1363  * Similar to ip_fanout_sctp, except that the src addr(s) are drawn
1364  * from address parameters in an INIT ACK's address list. This
1365  * function is used when an INIT ACK is received but IP's fanout
1366  * function could not find a sctp via the normal lookup routine.
1367  * This can happen when a host sends an INIT ACK from a different
1368  * address than the INIT was sent to.
1369  *
1370  * Returns the sctp_t if found, or NULL if not found.
1371  */
1372 sctp_t *
1373 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich,
1374     zoneid_t zoneid, sctp_stack_t *sctps)
1375 {
1376 	int isv4;
1377 	ipha_t *iph;
1378 	ip6_t *ip6h;
1379 	in6_addr_t dst;
1380 	in6_addr_t src;
1381 	sctp_parm_hdr_t *ph;
1382 	ssize_t remaining;
1383 	sctp_init_chunk_t *iack;
1384 	uint32_t ports;
1385 	sctp_t *sctp = NULL;
1386 
1387 	ASSERT(ich->sch_id == CHUNK_INIT_ACK);
1388 
1389 	isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
1390 	if (isv4) {
1391 		iph = (ipha_t *)mp->b_rptr;
1392 		IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst);
1393 	} else {
1394 		ip6h = (ip6_t *)mp->b_rptr;
1395 		dst = ip6h->ip6_dst;
1396 	}
1397 
1398 	ports = *(uint32_t *)sctph;
1399 
1400 	dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n",
1401 	    ports, SCTP_PRINTADDR(dst)));
1402 
1403 	/* pull out any address parameters */
1404 	remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack);
1405 	if (remaining < sizeof (*ph)) {
1406 		return (NULL);
1407 	}
1408 
1409 	iack = (sctp_init_chunk_t *)(ich + 1);
1410 	ph = (sctp_parm_hdr_t *)(iack + 1);
1411 
1412 	while (ph != NULL) {
1413 		/*
1414 		 * params have been put in host byteorder by
1415 		 * sctp_check_input()
1416 		 */
1417 		if (ph->sph_type == PARM_ADDR4) {
1418 			IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1),
1419 			    &src);
1420 
1421 			sctp = sctp_conn_match(&src, &dst, ports, zoneid,
1422 			    sctps);
1423 
1424 			dprint(1,
1425 			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1426 			    SCTP_PRINTADDR(src), (void *)sctp));
1427 
1428 
1429 			if (sctp != NULL) {
1430 				return (sctp);
1431 			}
1432 		} else if (ph->sph_type == PARM_ADDR6) {
1433 			src = *(in6_addr_t *)(ph + 1);
1434 			sctp = sctp_conn_match(&src, &dst, ports, zoneid,
1435 			    sctps);
1436 
1437 			dprint(1,
1438 			    ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1439 			    SCTP_PRINTADDR(src), (void *)sctp));
1440 
1441 			if (sctp != NULL) {
1442 				return (sctp);
1443 			}
1444 		}
1445 
1446 		ph = sctp_next_parm(ph, &remaining);
1447 	}
1448 
1449 	return (NULL);
1450 }
1451