search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge commit 'ea01a15a654b9e1c7b37d958f4d1911882ed7781'
[unleashed.git] / kernel / net / sctp / sctp_cookie.c
blob502f34bd79dcb5328593653eb387d71e2c4ef08b
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 #include <sys/types.h>
27 #include <sys/systm.h>
28 #include <sys/stream.h>
29 #include <sys/cmn_err.h>
30 #include <sys/md5.h>
31 #include <sys/kmem.h>
32 #include <sys/strsubr.h>
33 #include <sys/random.h>
34
35 #include <netinet/in.h>
36 #include <netinet/ip6.h>
37
38 #include <inet/common.h>
39 #include <inet/ip.h>
40 #include <inet/ip6.h>
41 #include <inet/ipsec_impl.h>
42 #include <inet/sctp_ip.h>
43 #include <inet/ipclassifier.h>
44 #include <inet/sctp/sctp_impl.h>
45
46 /*
47 * From RFC 2104. This should probably go into libmd5 (and while
48 * we're at it, maybe we should make a libdigest so we can later
49 * add SHA1 and others, esp. since some weaknesses have been found
50 * with MD5).
51 *
52 * text IN pointer to data stream
53 * text_len IN length of data stream
54 * key IN pointer to authentication key
55 * key_len IN length of authentication key
56 * digest OUT caller digest to be filled in
57 */
58 static void
59 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len,
60 uchar_t *digest)
61 {
62 MD5_CTX context;
63 uchar_t k_ipad[65]; /* inner padding - key XORd with ipad */
64 uchar_t k_opad[65]; /* outer padding - key XORd with opad */
65 uchar_t tk[16];
66 int i;
67
68 /* if key is longer than 64 bytes reset it to key=MD5(key) */
69 if (key_len > 64) {
70 MD5_CTX tctx;
71
72 MD5Init(&tctx);
73 MD5Update(&tctx, key, key_len);
74 MD5Final(tk, &tctx);
75
76 key = tk;
77 key_len = 16;
78 }
79
80 /*
81 * the HMAC_MD5 transform looks like:
82 *
83 * MD5(K XOR opad, MD5(K XOR ipad, text))
84 *
85 * where K is an n byte key
86 * ipad is the byte 0x36 repeated 64 times
87 * opad is the byte 0x5c repeated 64 times
88 * and text is the data being protected
89 */
90
91 /* start out by storing key in pads */
92 bzero(k_ipad, sizeof (k_ipad));
93 bzero(k_opad, sizeof (k_opad));
94 bcopy(key, k_ipad, key_len);
95 bcopy(key, k_opad, key_len);
96
97 /* XOR key with ipad and opad values */
98 for (i = 0; i < 64; i++) {
99 k_ipad[i] ^= 0x36;
100 k_opad[i] ^= 0x5c;
101 }
102 /*
103 * perform inner MD5
104 */
105 MD5Init(&context); /* init context for 1st */
106 /* pass */
107 MD5Update(&context, k_ipad, 64); /* start with inner pad */
108 MD5Update(&context, text, text_len); /* then text of datagram */
109 MD5Final(digest, &context); /* finish up 1st pass */
110 /*
111 * perform outer MD5
112 */
113 MD5Init(&context); /* init context for 2nd */
114 /* pass */
115 MD5Update(&context, k_opad, 64); /* start with outer pad */
116 MD5Update(&context, digest, 16); /* then results of 1st */
117 /* hash */
118 MD5Final(digest, &context); /* finish up 2nd pass */
119 }
120
121 /*
122 * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP
123 * info in initmp to send the abort. Otherwise, no abort will be sent.
124 *
125 * When called from stcp_send_initack() while processing parameters
126 * from a received INIT_CHUNK want_cookie will be NULL.
127 *
128 * When called from sctp_send_cookie_echo() while processing an INIT_ACK,
129 * want_cookie contains a pointer to a pointer of type *sctp_parm_hdr_t.
130 * However, this last pointer will be NULL until the cookie is processed
131 * at which time it will be set to point to a sctp_parm_hdr_t that contains
132 * the cookie info.
133 *
134 * Note: an INIT_ACK is expected to contain a cookie.
135 *
136 * When processing an INIT_ACK, an ERROR chunk and chain of one or more
137 * error CAUSE blocks will be created if unrecognized parameters marked by
138 * the sender as reportable are found.
139 *
140 * When processing an INIT chunk, a chain of one or more error CAUSE blocks
141 * will be created if unrecognized parameters marked by the sender as
142 * reportable are found. These are appended directly to the INIT_ACK chunk.
143 *
144 * In both cases the error chain is visible to the caller via *errmp.
145 *
146 * Returns 1 if the parameters are OK (or if there are no optional
147 * parameters), returns 0 otherwise.
148 */
149 static int
150 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch,
151 sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie,
152 mblk_t **errmp, int *supp_af, uint_t *sctp_options, ip_recv_attr_t *ira)
153 {
154 sctp_parm_hdr_t *cph;
155 sctp_init_chunk_t *ic;
156 ssize_t remaining;
157 uint16_t serror = 0;
158 char *details = NULL;
159 size_t errlen = 0;
160 boolean_t got_cookie = B_FALSE;
161 boolean_t got_errchunk = B_FALSE;
162 uint16_t ptype;
163 sctp_mpc_t mpc;
164 conn_t *connp = sctp->sctp_connp;
165
166
167 ASSERT(errmp != NULL);
168
169 if (sctp_options != NULL)
170 *sctp_options = 0;
171
172 /* First validate stream parameters */
173 if (init->sic_instr == 0 || init->sic_outstr == 0) {
174 serror = SCTP_ERR_BAD_MANDPARM;
175 dprint(1, ("validate_init_params: bad sid, is=%d os=%d\n",
176 htons(init->sic_instr), htons(init->sic_outstr)));
177 goto abort;
178 }
179 if (ntohl(init->sic_inittag) == 0) {
180 serror = SCTP_ERR_BAD_MANDPARM;
181 dprint(1, ("validate_init_params: inittag = 0\n"));
182 goto abort;
183 }
184
185 remaining = ntohs(ch->sch_len) - sizeof (*ch);
186 ic = (sctp_init_chunk_t *)(ch + 1);
187 remaining -= sizeof (*ic);
188 if (remaining < sizeof (*cph)) {
189 /*
190 * When processing a received INIT_ACK, a cookie is
191 * expected, if missing there is nothing to validate.
192 */
193 if (want_cookie != NULL)
194 goto cookie_abort;
195 return (1);
196 }
197
198 cph = (sctp_parm_hdr_t *)(ic + 1);
199
200 while (cph != NULL) {
201 ptype = ntohs(cph->sph_type);
202 switch (ptype) {
203 case PARM_HBINFO:
204 case PARM_UNRECOGNIZED:
205 case PARM_ECN:
206 /* just ignore them */
207 break;
208 case PARM_FORWARD_TSN:
209 if (sctp_options != NULL)
210 *sctp_options |= SCTP_PRSCTP_OPTION;
211 break;
212 case PARM_COOKIE:
213 got_cookie = B_TRUE;
214 /*
215 * Processing a received INIT_ACK, we have a cookie
216 * and a valid pointer in our caller to attach it to.
217 */
218 if (want_cookie != NULL) {
219 *want_cookie = cph;
220 }
221 break;
222 case PARM_ADDR4:
223 *supp_af |= PARM_SUPP_V4;
224 break;
225 case PARM_ADDR6:
226 *supp_af |= PARM_SUPP_V6;
227 break;
228 case PARM_COOKIE_PRESERVE:
229 case PARM_ADAPT_LAYER_IND:
230 /* These are OK */
231 break;
232 case PARM_ADDR_HOST_NAME:
233 /* Don't support this; abort the association */
234 serror = SCTP_ERR_BAD_ADDR;
235 details = (char *)cph;
236 errlen = ntohs(cph->sph_len);
237 dprint(1, ("sctp:validate_init_params: host addr\n"));
238 goto abort;
239 case PARM_SUPP_ADDRS: {
240 /* Make sure we have a supported addr intersection */
241 uint16_t *p, addrtype;
242 int plen;
243
244 plen = ntohs(cph->sph_len);
245 p = (uint16_t *)(cph + 1);
246 while (plen > 0) {
247 addrtype = ntohs(*p);
248 switch (addrtype) {
249 case PARM_ADDR6:
250 *supp_af |= PARM_SUPP_V6;
251 break;
252 case PARM_ADDR4:
253 *supp_af |= PARM_SUPP_V4;
254 break;
255 default:
256 /*
257 * Do nothing, silently ignore hostname
258 * address.
259 */
260 break;
261 }
262 p++;
263 plen -= sizeof (*p);
264 }
265 break;
266 }
267 default:
268 /*
269 * Handle any unrecognized params, the two high order
270 * bits of ptype define how the remote wants them
271 * handled.
272 * Top bit:
273 * 1. Continue processing other params in the chunk
274 * 0. Stop processing params after this one.
275 * 2nd bit:
276 * 1. Must report this unrecognized param to remote
277 * 0. Obey the top bit silently.
278 */
279 if (ptype & SCTP_REPORT_THIS_PARAM) {
280 if (!got_errchunk && want_cookie != NULL) {
281 /*
282 * The incoming pointer want_cookie is
283 * NULL so processing an INIT_ACK.
284 * This is the first reportable param,
285 * create an ERROR chunk and populate
286 * it with a CAUSE block for this parm.
287 */
288 *errmp = sctp_make_err(sctp,
289 PARM_UNRECOGNIZED,
290 (void *)cph,
291 ntohs(cph->sph_len));
292 got_errchunk = B_TRUE;
293 } else {
294 /*
295 * If processing an INIT_ACK, we already
296 * have an ERROR chunk, just add a new
297 * CAUSE block and update ERROR chunk
298 * length.
299 * If processing an INIT chunk add a new
300 * CAUSE block to the INIT_ACK, in this
301 * case there is no ERROR chunk thus
302 * got_errchunk will be B_FALSE. Chunk
303 * length is computed by our caller.
304 */
305 sctp_add_unrec_parm(cph, errmp,
306 got_errchunk);
307 }
308 }
309 if (ptype & SCTP_CONT_PROC_PARAMS) {
310 /*
311 * Continue processing params after this
312 * parameter.
313 */
314 break;
315 }
316
317 /*
318 * Stop processing params, report any reportable
319 * unrecognized params found so far.
320 */
321 goto done;
322 }
323
324 cph = sctp_next_parm(cph, &remaining);
325 }
326 done:
327 /*
328 * Some sanity checks. The following should not fail unless the
329 * other side is broken.
330 *
331 * 1. If this is a V4 endpoint but V4 address is not
332 * supported, abort.
333 * 2. If this is a V6 only endpoint but V6 address is
334 * not supported, abort. This assumes that a V6
335 * endpoint can use both V4 and V6 addresses.
336 * We only care about supp_af when processing INIT, i.e want_cookie
337 * is NULL.
338 */
339 if (want_cookie == NULL &&
340 ((connp->conn_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) ||
341 (connp->conn_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) &&
342 sctp->sctp_connp->conn_ipv6_v6only))) {
343 dprint(1, ("sctp:validate_init_params: supp addr\n"));
344 serror = SCTP_ERR_BAD_ADDR;
345 goto abort;
346 }
347
348 if (want_cookie != NULL && !got_cookie) {
349 cookie_abort:
350 /* Will populate the CAUSE block in the ABORT chunk. */
351 mpc.mpc_num = htons(1);
352 mpc.mpc_param = htons(PARM_COOKIE);
353 mpc.mpc_pad = 0;
354
355 dprint(1, ("validate_init_params: cookie absent\n"));
356 sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM,
357 (char *)&mpc, sizeof (sctp_mpc_t), inmp, 0, B_FALSE, ira);
358 return (0);
359 }
360
361 /* OK */
362 return (1);
363
364 abort:
365 if (want_cookie != NULL)
366 return (0);
367
368 sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details,
369 errlen, inmp, 0, B_FALSE, ira);
370 return (0);
371 }
372
373 /*
374 * Initialize params from the INIT and INIT-ACK when the assoc. is
375 * established.
376 */
377 boolean_t
378 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init,
379 sctp_init_chunk_t *iack)
380 {
381 /* Get initial TSN */
382 sctp->sctp_ftsn = ntohl(init->sic_inittsn);
383 sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
384
385 /* Serial number is initialized to the same value as the TSN */
386 sctp->sctp_fcsn = sctp->sctp_lastacked;
387
388 /*
389 * Get verification tags; no byteordering is necessary, since
390 * verfication tags are never processed except for byte-by-byte
391 * comparisons.
392 */
393 sctp->sctp_fvtag = init->sic_inittag;
394 sctp->sctp_sctph->sh_verf = init->sic_inittag;
395 sctp->sctp_sctph6->sh_verf = init->sic_inittag;
396 sctp->sctp_lvtag = iack->sic_inittag;
397
398 /* Get the peer's rwnd */
399 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
400
401 /* Allocate the in/out-stream counters */
402 sctp->sctp_num_ostr = iack->sic_outstr;
403 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
404 sctp->sctp_num_ostr, KM_NOSLEEP);
405 if (sctp->sctp_ostrcntrs == NULL)
406 return (B_FALSE);
407
408 sctp->sctp_num_istr = iack->sic_instr;
409 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
410 sctp->sctp_num_istr, KM_NOSLEEP);
411 if (sctp->sctp_instr == NULL) {
412 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
413 sctp->sctp_num_ostr);
414 sctp->sctp_ostrcntrs = NULL;
415 return (B_FALSE);
416 }
417 return (B_TRUE);
418 }
419
420 #define SCTP_CALC_COOKIE_LEN(initcp) \
421 sizeof (int64_t) + /* timestamp */ \
422 sizeof (uint32_t) + /* cookie lifetime */ \
423 sizeof (sctp_init_chunk_t) + /* INIT ACK */ \
424 sizeof (in6_addr_t) + /* peer's original source */ \
425 ntohs((initcp)->sch_len) + /* peer's INIT */ \
426 sizeof (uint32_t) + /* local tie-tag */ \
427 sizeof (uint32_t) + /* peer tie-tag */ \
428 sizeof (sctp_parm_hdr_t) + /* param header */ \
429 16 /* MD5 hash */
430
431 /*
432 * Note that sctp is the listener, hence we shouldn't modify it.
433 */
434 void
435 sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
436 mblk_t *initmp, ip_recv_attr_t *ira)
437 {
438 ipha_t *initiph;
439 ip6_t *initip6h;
440 ipha_t *iackiph = NULL;
441 ip6_t *iackip6h = NULL;
442 sctp_chunk_hdr_t *iack_ch;
443 sctp_init_chunk_t *iack;
444 sctp_init_chunk_t *init;
445 sctp_hdr_t *iacksh;
446 size_t cookielen;
447 size_t iacklen;
448 size_t ipsctplen;
449 size_t errlen = 0;
450 sctp_parm_hdr_t *cookieph;
451 mblk_t *iackmp;
452 uint32_t itag;
453 uint32_t itsn;
454 int64_t *now;
455 int64_t nowt;
456 uint32_t *lifetime;
457 char *p;
458 boolean_t isv4;
459 int supp_af = 0;
460 uint_t sctp_options;
461 uint32_t *ttag;
462 int pad;
463 mblk_t *errmp = NULL;
464 boolean_t initcollision = B_FALSE;
465 boolean_t linklocal = B_FALSE;
466 sctp_stack_t *sctps = sctp->sctp_sctps;
467 conn_t *connp = sctp->sctp_connp;
468 int err;
469 ip_xmit_attr_t *ixa = NULL;
470
471 BUMP_LOCAL(sctp->sctp_ibchunks);
472 isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION);
473
474 /* Extract the INIT chunk */
475 if (isv4) {
476 initiph = (ipha_t *)initmp->b_rptr;
477 ipsctplen = sctp->sctp_ip_hdr_len;
478 supp_af |= PARM_SUPP_V4;
479 } else {
480 initip6h = (ip6_t *)initmp->b_rptr;
481 ipsctplen = sctp->sctp_ip_hdr6_len;
482 if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src) ||
483 IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_dst))
484 linklocal = B_TRUE;
485 supp_af |= PARM_SUPP_V6;
486 if (!sctp->sctp_connp->conn_ipv6_v6only)
487 supp_af |= PARM_SUPP_V4;
488 }
489 ASSERT(OK_32PTR(initsh));
490 init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch));
491
492 /* Make sure we like the peer's parameters */
493 if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp,
494 &supp_af, &sctp_options, ira) == 0) {
495 return;
496 }
497 if (errmp != NULL)
498 errlen = msgdsize(errmp);
499 if (connp->conn_family == AF_INET) {
500 /*
501 * Regardless of the supported address in the INIT, v4
502 * must be supported.
503 */
504 supp_af = PARM_SUPP_V4;
505 }
506 if (sctp->sctp_state <= SCTPS_LISTEN) {
507 /* normal, expected INIT: generate new vtag and itsn */
508 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
509 if (itag == 0)
510 itag = (uint32_t)gethrtime();
511 itsn = itag + 1;
512 itag = htonl(itag);
513 } else if (sctp->sctp_state == SCTPS_COOKIE_WAIT ||
514 sctp->sctp_state == SCTPS_COOKIE_ECHOED) {
515 /* init collision; copy vtag and itsn from sctp */
516 itag = sctp->sctp_lvtag;
517 itsn = sctp->sctp_ltsn;
518 /*
519 * In addition we need to send all the params that was sent
520 * in our INIT chunk. Essentially, it is only the supported
521 * address params that we need to add.
522 */
523 initcollision = B_TRUE;
524 /*
525 * When we sent the INIT, we should have set linklocal in
526 * the sctp which should be good enough.
527 */
528 if (linklocal)
529 linklocal = B_FALSE;
530 } else {
531 /* peer restart; generate new vtag but keep everything else */
532 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag));
533 if (itag == 0)
534 itag = (uint32_t)gethrtime();
535 itag = htonl(itag);
536 itsn = sctp->sctp_ltsn;
537 }
538
539 /*
540 * Allocate a mblk for the INIT ACK, consisting of the link layer
541 * header, the IP header, the SCTP common header, and INIT ACK chunk,
542 * and finally the COOKIE parameter.
543 */
544 cookielen = SCTP_CALC_COOKIE_LEN(ch);
545 iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen;
546 if (sctp->sctp_send_adaptation)
547 iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t));
548 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
549 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
550 iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION);
551 }
552 if (initcollision)
553 iacklen += sctp_supaddr_param_len(sctp);
554 if (!linklocal)
555 iacklen += sctp_addr_params(sctp, supp_af, NULL, B_FALSE);
556 ipsctplen += sizeof (*iacksh) + iacklen;
557 iacklen += errlen;
558 /*
559 * Padding is applied after the cookie which is the end of chunk
560 * unless CAUSE blocks are appended when the pad must also be
561 * accounted for in iacklen.
562 */
563 if ((pad = ipsctplen % SCTP_ALIGN) != 0) {
564 pad = SCTP_ALIGN - pad;
565 ipsctplen += pad;
566 if (errmp != NULL)
567 iacklen += pad;
568 }
569
570 /*
571 * Base the transmission on any routing-related socket options
572 * that have been set on the listener.
573 */
574 ixa = conn_get_ixa_exclusive(connp);
575 if (ixa == NULL) {
576 sctp_send_abort(sctp, sctp_init2vtag(ch),
577 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
578 return;
579 }
580 ixa->ixa_flags &= ~IXAF_VERIFY_PMTU;
581
582 if (isv4)
583 ixa->ixa_flags |= IXAF_IS_IPV4;
584 else
585 ixa->ixa_flags &= ~IXAF_IS_IPV4;
586
587 iackmp = allocb(ipsctplen + sctps->sctps_wroff_xtra, BPRI_MED);
588 if (iackmp == NULL) {
589 sctp_send_abort(sctp, sctp_init2vtag(ch),
590 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
591 ixa_refrele(ixa);
592 return;
593 }
594
595 /* Copy in the [imcomplete] IP/SCTP composite header */
596 p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra);
597 iackmp->b_rptr = (uchar_t *)p;
598 if (isv4) {
599 bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len);
600 iackiph = (ipha_t *)p;
601
602 /* Copy the peer's IP addr */
603 iackiph->ipha_dst = initiph->ipha_src;
604 iackiph->ipha_src = initiph->ipha_dst;
605 iackiph->ipha_length = htons(ipsctplen + errlen);
606 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len);
607 ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr_len;
608 } else {
609 bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len);
610 iackip6h = (ip6_t *)p;
611
612 /* Copy the peer's IP addr */
613 iackip6h->ip6_dst = initip6h->ip6_src;
614 iackip6h->ip6_src = initip6h->ip6_dst;
615 iackip6h->ip6_plen = htons(ipsctplen + errlen - IPV6_HDR_LEN);
616 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len);
617 ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr6_len;
618 }
619 ixa->ixa_pktlen = ipsctplen + errlen;
620
621 ASSERT(OK_32PTR(iacksh));
622
623 /* Fill in the holes in the SCTP common header */
624 iacksh->sh_sport = initsh->sh_dport;
625 iacksh->sh_dport = initsh->sh_sport;
626 iacksh->sh_verf = init->sic_inittag;
627
628 /* INIT ACK chunk header */
629 iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1);
630 iack_ch->sch_id = CHUNK_INIT_ACK;
631 iack_ch->sch_flags = 0;
632 iack_ch->sch_len = htons(iacklen);
633
634 /* The INIT ACK itself */
635 iack = (sctp_init_chunk_t *)(iack_ch + 1);
636 iack->sic_inittag = itag; /* already in network byteorder */
637 iack->sic_inittsn = htonl(itsn);
638
639 iack->sic_a_rwnd = htonl(sctp->sctp_rwnd);
640 /* Advertise what we would want to have as stream #'s */
641 iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr,
642 ntohs(init->sic_instr)));
643 iack->sic_instr = htons(sctp->sctp_num_istr);
644
645 p = (char *)(iack + 1);
646 p += sctp_adaptation_code_param(sctp, (uchar_t *)p);
647 if (initcollision)
648 p += sctp_supaddr_param(sctp, (uchar_t *)p);
649 if (!linklocal)
650 p += sctp_addr_params(sctp, supp_af, (uchar_t *)p, B_FALSE);
651 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) &&
652 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
653 p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION);
654 }
655 /*
656 * Generate and lay in the COOKIE parameter.
657 *
658 * The cookie consists of:
659 * 1. The relative timestamp for the cookie (lbolt64)
660 * 2. The cookie lifetime (uint32_t) in tick
661 * 3. The local tie-tag
662 * 4. The peer tie-tag
663 * 5. Peer's original src, used to confirm the validity of address.
664 * 6. Our INIT ACK chunk, less any parameters
665 * 7. The INIT chunk (may contain parameters)
666 * 8. 128-bit MD5 signature.
667 *
668 * Since the timestamp values will only be evaluated locally, we
669 * don't need to worry about byte-ordering them.
670 */
671 cookieph = (sctp_parm_hdr_t *)p;
672 cookieph->sph_type = htons(PARM_COOKIE);
673 cookieph->sph_len = htons(cookielen);
674
675 /* timestamp */
676 now = (int64_t *)(cookieph + 1);
677 nowt = LBOLT_FASTPATH64;
678 bcopy(&nowt, now, sizeof (*now));
679
680 /* cookie lifetime -- need configuration */
681 lifetime = (uint32_t *)(now + 1);
682 *lifetime = sctp->sctp_cookie_lifetime;
683
684 /* Set the tie-tags */
685 ttag = (uint32_t *)(lifetime + 1);
686 if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) {
687 *ttag = 0;
688 ttag++;
689 *ttag = 0;
690 ttag++;
691 } else {
692 /* local tie-tag (network byte-order) */
693 *ttag = sctp->sctp_lvtag;
694 ttag++;
695 /* peer tie-tag (network byte-order) */
696 *ttag = sctp->sctp_fvtag;
697 ttag++;
698 }
699 /*
700 * Copy in peer's original source address so that we can confirm
701 * the reachability later.
702 */
703 p = (char *)ttag;
704 if (isv4) {
705 in6_addr_t peer_addr;
706
707 IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr);
708 bcopy(&peer_addr, p, sizeof (in6_addr_t));
709 } else {
710 bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t));
711 }
712 p += sizeof (in6_addr_t);
713 /* Copy in our INIT ACK chunk */
714 bcopy(iack, p, sizeof (*iack));
715 iack = (sctp_init_chunk_t *)p;
716 /* Set the # of streams we'll end up using */
717 iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr));
718 iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr));
719 p += sizeof (*iack);
720
721 /* Copy in the peer's INIT chunk */
722 bcopy(ch, p, ntohs(ch->sch_len));
723 p += ntohs(ch->sch_len);
724
725 /*
726 * Calculate the HMAC ICV into the digest slot in buf.
727 * First, generate a new secret if the current secret is
728 * older than the new secret lifetime parameter permits,
729 * copying the current secret to sctp_old_secret.
730 */
731 if (sctps->sctps_new_secret_interval > 0 &&
732 (sctp->sctp_last_secret_update +
733 MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) {
734 bcopy(sctp->sctp_secret, sctp->sctp_old_secret,
735 SCTP_SECRET_LEN);
736 (void) random_get_pseudo_bytes(sctp->sctp_secret,
737 SCTP_SECRET_LEN);
738 sctp->sctp_last_secret_update = nowt;
739 }
740
741 hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16,
742 (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p);
743
744 iackmp->b_wptr = iackmp->b_rptr + ipsctplen;
745 if (pad != 0)
746 bzero((iackmp->b_wptr - pad), pad);
747
748 iackmp->b_cont = errmp; /* OK if NULL */
749
750 BUMP_LOCAL(sctp->sctp_opkts);
751 BUMP_LOCAL(sctp->sctp_obchunks);
752
753 (void) ip_output_simple(iackmp, ixa);
754 ixa_refrele(ixa);
755 }
756
757 void
758 sctp_send_cookie_ack(sctp_t *sctp)
759 {
760 sctp_chunk_hdr_t *cach;
761 mblk_t *camp;
762 sctp_stack_t *sctps = sctp->sctp_sctps;
763
764 camp = sctp_make_mp(sctp, sctp->sctp_current, sizeof (*cach));
765 if (camp == NULL) {
766 /* XXX should abort, but don't have the inmp anymore */
767 SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed);
768 return;
769 }
770
771 cach = (sctp_chunk_hdr_t *)camp->b_wptr;
772 camp->b_wptr = (uchar_t *)(cach + 1);
773 cach->sch_id = CHUNK_COOKIE_ACK;
774 cach->sch_flags = 0;
775 cach->sch_len = htons(sizeof (*cach));
776
777 BUMP_LOCAL(sctp->sctp_obchunks);
778
779 sctp_set_iplen(sctp, camp, sctp->sctp_current->sf_ixa);
780 (void) conn_ip_output(camp, sctp->sctp_current->sf_ixa);
781 BUMP_LOCAL(sctp->sctp_opkts);
782 }
783
784 static int
785 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code)
786 {
787
788 if (len < sizeof (*sph))
789 return (-1);
790 while (sph != NULL) {
791 if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) &&
792 ntohs(sph->sph_len) >= (sizeof (*sph) +
793 sizeof (uint32_t))) {
794 *adaptation_code = *(uint32_t *)(sph + 1);
795 return (0);
796 }
797 sph = sctp_next_parm(sph, &len);
798 }
799 return (-1);
800 }
801
802 void
803 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp,
804 ip_recv_attr_t *ira)
805 {
806 mblk_t *cemp;
807 mblk_t *mp = NULL;
808 mblk_t *head;
809 mblk_t *meta;
810 sctp_faddr_t *fp;
811 sctp_chunk_hdr_t *cech;
812 sctp_init_chunk_t *iack;
813 int32_t cansend;
814 int32_t seglen;
815 size_t ceclen;
816 sctp_parm_hdr_t *cph;
817 sctp_data_hdr_t *sdc;
818 sctp_tf_t *tf;
819 int pad = 0;
820 int hdrlen;
821 mblk_t *errmp = NULL;
822 uint_t sctp_options;
823 int error;
824 uint16_t old_num_str;
825 sctp_stack_t *sctps = sctp->sctp_sctps;
826
827 iack = (sctp_init_chunk_t *)(iackch + 1);
828
829 cph = NULL;
830 if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp,
831 &pad, &sctp_options, ira) == 0) { /* result in 'pad' ignored */
832 SCTPS_BUMP_MIB(sctps, sctpAborted);
833 sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL);
834 sctp_clean_death(sctp, ECONNABORTED);
835 return;
836 }
837 ASSERT(cph != NULL);
838
839 ASSERT(sctp->sctp_cookie_mp == NULL);
840
841 /* Got a cookie to echo back; allocate an mblk */
842 ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph);
843 if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0)
844 pad = SCTP_ALIGN - pad;
845
846 if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION)
847 hdrlen = sctp->sctp_hdr_len;
848 else
849 hdrlen = sctp->sctp_hdr6_len;
850
851 cemp = allocb(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad,
852 BPRI_MED);
853 if (cemp == NULL) {
854 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
855 sctp->sctp_current->sf_rto);
856 if (errmp != NULL)
857 freeb(errmp);
858 return;
859 }
860 cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen);
861
862 /* Process the INIT ACK */
863 sctp->sctp_sctph->sh_verf = iack->sic_inittag;
864 sctp->sctp_sctph6->sh_verf = iack->sic_inittag;
865 sctp->sctp_fvtag = iack->sic_inittag;
866 sctp->sctp_ftsn = ntohl(iack->sic_inittsn);
867 sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
868 sctp->sctp_fcsn = sctp->sctp_lastacked;
869 sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd);
870
871 /*
872 * Populate sctp with addresses given in the INIT ACK or IP header.
873 * Need to set the df bit in the current fp as it has been cleared
874 * in sctp_connect().
875 */
876 sctp->sctp_current->sf_df = B_TRUE;
877 sctp->sctp_ipha->ipha_fragment_offset_and_flags |= IPH_DF_HTONS;
878
879 /*
880 * Since IP uses this info during the fanout process, we need to hold
881 * the lock for this hash line while performing this operation.
882 */
883 /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, connp->conn_ports); */
884 ASSERT(sctp->sctp_conn_tfp != NULL);
885 tf = sctp->sctp_conn_tfp;
886 /* sctp isn't a listener so only need to hold conn fanout lock */
887 mutex_enter(&tf->tf_lock);
888 if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) {
889 mutex_exit(&tf->tf_lock);
890 freeb(cemp);
891 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
892 sctp->sctp_current->sf_rto);
893 if (errmp != NULL)
894 freeb(errmp);
895 return;
896 }
897 mutex_exit(&tf->tf_lock);
898
899 fp = sctp->sctp_current;
900
901 /*
902 * There could be a case when we get an INIT-ACK again, if the INIT
903 * is re-transmitted, for e.g., which means we would have already
904 * allocated this resource earlier (also for sctp_instr). In this
905 * case we check and re-allocate, if necessary.
906 */
907 old_num_str = sctp->sctp_num_ostr;
908 if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr)
909 sctp->sctp_num_ostr = ntohs(iack->sic_instr);
910 if (sctp->sctp_ostrcntrs == NULL) {
911 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
912 sctp->sctp_num_ostr, KM_NOSLEEP);
913 } else {
914 ASSERT(old_num_str > 0);
915 if (old_num_str != sctp->sctp_num_ostr) {
916 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) *
917 old_num_str);
918 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) *
919 sctp->sctp_num_ostr, KM_NOSLEEP);
920 }
921 }
922 if (sctp->sctp_ostrcntrs == NULL) {
923 freeb(cemp);
924 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
925 if (errmp != NULL)
926 freeb(errmp);
927 return;
928 }
929
930 /*
931 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs
932 * hold here too.
933 */
934 old_num_str = sctp->sctp_num_istr;
935 if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr)
936 sctp->sctp_num_istr = ntohs(iack->sic_outstr);
937 if (sctp->sctp_instr == NULL) {
938 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) *
939 sctp->sctp_num_istr, KM_NOSLEEP);
940 } else {
941 ASSERT(old_num_str > 0);
942 if (old_num_str != sctp->sctp_num_istr) {
943 kmem_free(sctp->sctp_instr,
944 sizeof (*sctp->sctp_instr) * old_num_str);
945 sctp->sctp_instr = kmem_zalloc(
946 sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr,
947 KM_NOSLEEP);
948 }
949 }
950 if (sctp->sctp_instr == NULL) {
951 kmem_free(sctp->sctp_ostrcntrs,
952 sizeof (uint16_t) * sctp->sctp_num_ostr);
953 freeb(cemp);
954 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
955 if (errmp != NULL)
956 freeb(errmp);
957 return;
958 }
959
960 if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware)
961 sctp->sctp_prsctp_aware = B_FALSE;
962
963 if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1),
964 ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)),
965 &sctp->sctp_rx_adaptation_code) == 0) {
966 sctp->sctp_recv_adaptation = 1;
967 }
968
969 cech = (sctp_chunk_hdr_t *)cemp->b_rptr;
970 ASSERT(OK_32PTR(cech));
971 cech->sch_id = CHUNK_COOKIE;
972 cech->sch_flags = 0;
973 cech->sch_len = htons(ceclen);
974
975 /* Copy the cookie (less the parm hdr) to the chunk */
976 bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph));
977
978 cemp->b_wptr = cemp->b_rptr + ceclen;
979
980 if (sctp->sctp_unsent > 0) {
981 sctp_msg_hdr_t *smh;
982 mblk_t *prev = NULL;
983 uint32_t unsent = 0;
984
985 mp = sctp->sctp_xmit_unsent;
986 do {
987 smh = (sctp_msg_hdr_t *)mp->b_rptr;
988 if (smh->smh_sid >= sctp->sctp_num_ostr) {
989 unsent += smh->smh_msglen;
990 if (prev != NULL)
991 prev->b_next = mp->b_next;
992 else
993 sctp->sctp_xmit_unsent = mp->b_next;
994 mp->b_next = NULL;
995 sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID,
996 B_FALSE);
997 if (prev != NULL)
998 mp = prev->b_next;
999 else
1000 mp = sctp->sctp_xmit_unsent;
1001 } else {
1002 prev = mp;
1003 mp = mp->b_next;
1004 }
1005 } while (mp != NULL);
1006 if (unsent > 0) {
1007 ASSERT(sctp->sctp_unsent >= unsent);
1008 sctp->sctp_unsent -= unsent;
1009 /*
1010 * Update ULP the amount of queued data, which is
1011 * sent-unack'ed + unsent.
1012 * This is not necessary, but doesn't harm, we
1013 * just use unsent instead of sent-unack'ed +
1014 * unsent, since there won't be any sent-unack'ed
1015 * here.
1016 */
1017 if (!SCTP_IS_DETACHED(sctp))
1018 SCTP_TXQ_UPDATE(sctp);
1019 }
1020 if (sctp->sctp_xmit_unsent == NULL)
1021 sctp->sctp_xmit_unsent_tail = NULL;
1022 }
1023 ceclen += pad;
1024 cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd);
1025 meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen,
1026 cansend, NULL);
1027 /*
1028 * The error cannot be anything else since we could have an non-zero
1029 * error only if sctp_get_msg_to_send() tries to send a Forward
1030 * TSN which will not happen here.
1031 */
1032 ASSERT(error == 0);
1033 if (meta == NULL)
1034 goto sendcookie;
1035 sctp->sctp_xmit_tail = meta;
1036 sdc = (sctp_data_hdr_t *)mp->b_rptr;
1037 seglen = ntohs(sdc->sdh_len);
1038 if ((ceclen + seglen) > fp->sf_pmss ||
1039 (seglen - sizeof (*sdc)) > cansend) {
1040 goto sendcookie;
1041 }
1042 /* OK, if this fails */
1043 cemp->b_cont = dupmsg(mp);
1044 sendcookie:
1045 head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL);
1046 if (head == NULL) {
1047 freemsg(cemp);
1048 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
1049 if (errmp != NULL)
1050 freeb(errmp);
1051 SCTP_KSTAT(sctps, sctp_send_cookie_failed);
1052 return;
1053 }
1054 /*
1055 * Even if cookie-echo exceeds MTU for one of the hops, it'll
1056 * have a chance of getting there.
1057 */
1058 if (fp->sf_isv4) {
1059 ipha_t *iph = (ipha_t *)head->b_rptr;
1060 iph->ipha_fragment_offset_and_flags = 0;
1061 }
1062 BUMP_LOCAL(sctp->sctp_obchunks);
1063
1064 sctp->sctp_cookie_mp = dupmsg(head);
1065 /* Don't bundle, we will just resend init if this cookie is lost. */
1066 if (sctp->sctp_cookie_mp == NULL) {
1067 if (cemp->b_cont != NULL) {
1068 freemsg(cemp->b_cont);
1069 cemp->b_cont = NULL;
1070 }
1071 } else if (cemp->b_cont != NULL) {
1072 ASSERT(mp != NULL && mp == meta->b_cont);
1073 SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont);
1074 cemp->b_wptr += pad;
1075 seglen -= sizeof (*sdc);
1076 SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta);
1077 }
1078 if (errmp != NULL) {
1079 if (cemp->b_cont == NULL)
1080 cemp->b_wptr += pad;
1081 linkb(head, errmp);
1082 }
1083 sctp->sctp_state = SCTPS_COOKIE_ECHOED;
1084 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
1085
1086 sctp_set_iplen(sctp, head, fp->sf_ixa);
1087 (void) conn_ip_output(head, fp->sf_ixa);
1088 BUMP_LOCAL(sctp->sctp_opkts);
1089 }
1090
1091 int
1092 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
1093 sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaptation,
1094 in6_addr_t *peer_addr, ip_recv_attr_t *ira)
1095 {
1096 int32_t clen;
1097 size_t initplen;
1098 uchar_t *p;
1099 uchar_t *given_hash;
1100 uchar_t needed_hash[16];
1101 int64_t ts;
1102 int64_t diff;
1103 uint32_t *lt;
1104 sctp_init_chunk_t *iack;
1105 sctp_chunk_hdr_t *initch;
1106 sctp_init_chunk_t *init;
1107 uint32_t *lttag;
1108 uint32_t *fttag;
1109 uint32_t ports;
1110 sctp_stack_t *sctps = sctp->sctp_sctps;
1111 conn_t *connp = sctp->sctp_connp;
1112
1113 BUMP_LOCAL(sctp->sctp_ibchunks);
1114 /* Verify the ICV */
1115 clen = ntohs(ch->sch_len) - sizeof (*ch) - 16;
1116 if (clen < 0) {
1117 dprint(1, ("invalid cookie chunk length %d\n",
1118 ntohs(ch->sch_len)));
1119
1120 return (-1);
1121 }
1122 p = (uchar_t *)(ch + 1);
1123
1124 hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN,
1125 needed_hash);
1126
1127 /* The given hash follows the cookie data */
1128 given_hash = p + clen;
1129
1130 if (bcmp(given_hash, needed_hash, 16) != 0) {
1131 /* The secret may have changed; try the old secret */
1132 hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret,
1133 SCTP_SECRET_LEN, needed_hash);
1134 if (bcmp(given_hash, needed_hash, 16) != 0) {
1135 return (-1);
1136 }
1137 }
1138
1139 /* Timestamp is int64_t, and we only guarantee 32-bit alignment */
1140 bcopy(p, &ts, sizeof (ts));
1141 /* Cookie life time, uint32_t */
1142 lt = (uint32_t *)(p + sizeof (ts));
1143
1144 /*
1145 * To quote PRC, "this is our baby", so let's continue.
1146 * We need to pull out the encapsulated INIT ACK and
1147 * INIT chunks. Note that we don't process these until
1148 * we have verified the timestamp, but we need them before
1149 * processing the timestamp since if the time check fails,
1150 * we need to get the verification tag from the INIT in order
1151 * to send a stale cookie error.
1152 */
1153 lttag = (uint32_t *)(lt + 1);
1154 fttag = lttag + 1;
1155 if (peer_addr != NULL)
1156 bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t));
1157 iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t));
1158 initch = (sctp_chunk_hdr_t *)(iack + 1);
1159 init = (sctp_init_chunk_t *)(initch + 1);
1160 initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch));
1161 *iackpp = iack;
1162 *recv_adaptation = 0;
1163
1164 /*
1165 * Check the staleness of the Cookie, specified in 3.3.10.3 of
1166 * RFC 2960.
1167 *
1168 * The mesaure of staleness is the difference, in microseconds,
1169 * between the current time and the time the State Cookie expires.
1170 * So it is lbolt64 - (ts + *lt). If it is positive, it means
1171 * that the Cookie has expired.
1172 */
1173 diff = LBOLT_FASTPATH64 - (ts + *lt);
1174 if (diff > 0 && (init->sic_inittag != sctp->sctp_fvtag ||
1175 iack->sic_inittag != sctp->sctp_lvtag)) {
1176 uint32_t staleness;
1177
1178 staleness = TICK_TO_USEC(diff);
1179 staleness = htonl(staleness);
1180 sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE,
1181 (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE,
1182 ira);
1183
1184 dprint(1, ("stale cookie %d\n", staleness));
1185
1186 return (-1);
1187 }
1188
1189 /* Check for attack by adding addresses to a restart */
1190 bcopy(insctph, &ports, sizeof (ports));
1191 if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP,
1192 sctps, ira) != 1) {
1193 return (-1);
1194 }
1195
1196 /* Look for adaptation code if there any parms in the INIT chunk */
1197 if ((initplen >= sizeof (sctp_parm_hdr_t)) &&
1198 (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen,
1199 &sctp->sctp_rx_adaptation_code) == 0)) {
1200 *recv_adaptation = 1;
1201 }
1202
1203 /* Examine tie-tags */
1204
1205 if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) {
1206 if (sctp->sctp_state == SCTPS_ESTABLISHED &&
1207 init->sic_inittag == sctp->sctp_fvtag &&
1208 iack->sic_inittag == sctp->sctp_lvtag &&
1209 *fttag == 0 && *lttag == 0) {
1210
1211 dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n",
1212 SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1213 (int)(connp->conn_fport)));
1214 return (-1);
1215 }
1216
1217 if (init->sic_inittag != sctp->sctp_fvtag &&
1218 iack->sic_inittag != sctp->sctp_lvtag &&
1219 *fttag == sctp->sctp_fvtag &&
1220 *lttag == sctp->sctp_lvtag) {
1221 int i;
1222
1223 /* Section 5.2.4 case A: restart */
1224 sctp->sctp_fvtag = init->sic_inittag;
1225 sctp->sctp_lvtag = iack->sic_inittag;
1226
1227 sctp->sctp_sctph->sh_verf = init->sic_inittag;
1228 sctp->sctp_sctph6->sh_verf = init->sic_inittag;
1229
1230 sctp->sctp_ftsn = ntohl(init->sic_inittsn);
1231 sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
1232 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd);
1233 sctp->sctp_fcsn = sctp->sctp_lastacked;
1234
1235 if (sctp->sctp_state < SCTPS_ESTABLISHED)
1236 SCTP_ASSOC_EST(sctps, sctp);
1237
1238 dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n",
1239 SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1240 (int)(connp->conn_fport)));
1241 /* reset parameters */
1242 sctp_congest_reset(sctp);
1243
1244 /* reset stream bookkeeping */
1245 sctp_instream_cleanup(sctp, B_FALSE);
1246
1247 sctp->sctp_istr_nmsgs = 0;
1248 sctp->sctp_rxqueued = 0;
1249 for (i = 0; i < sctp->sctp_num_ostr; i++) {
1250 sctp->sctp_ostrcntrs[i] = 0;
1251 }
1252 /* XXX flush xmit_list? */
1253
1254 return (0);
1255 } else if (init->sic_inittag != sctp->sctp_fvtag &&
1256 iack->sic_inittag == sctp->sctp_lvtag) {
1257
1258 /* Section 5.2.4 case B: INIT collision */
1259 if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1260 if (!sctp_initialize_params(sctp, init, iack))
1261 return (-1); /* Drop? */
1262 SCTP_ASSOC_EST(sctps, sctp);
1263 }
1264
1265 dprint(1, ("init collision with %x:%x:%x:%x (%d)\n",
1266 SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1267 (int)(connp->conn_fport)));
1268
1269 return (0);
1270 } else if (iack->sic_inittag != sctp->sctp_lvtag &&
1271 init->sic_inittag == sctp->sctp_fvtag &&
1272 *fttag == 0 && *lttag == 0) {
1273
1274 /* Section 5.2.4 case C: late COOKIE */
1275 dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n",
1276 SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1277 (int)(connp->conn_fport)));
1278 return (-1);
1279 } else if (init->sic_inittag == sctp->sctp_fvtag &&
1280 iack->sic_inittag == sctp->sctp_lvtag) {
1281
1282 /*
1283 * Section 5.2.4 case D: COOKIE ECHO retransmit
1284 * Don't check cookie lifetime
1285 */
1286 dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n",
1287 SCTP_PRINTADDR(sctp->sctp_current->sf_faddr),
1288 (int)(connp->conn_fport)));
1289 if (sctp->sctp_state < SCTPS_ESTABLISHED) {
1290 if (!sctp_initialize_params(sctp, init, iack))
1291 return (-1); /* Drop? */
1292 SCTP_ASSOC_EST(sctps, sctp);
1293 }
1294 return (0);
1295 } else {
1296 /* unrecognized case -- silently drop it */
1297 return (-1);
1298 }
1299 }
1300
1301 return (0);
1302 }
1303
1304 /*
1305 * Similar to ip_fanout_sctp, except that the src addr(s) are drawn
1306 * from address parameters in an INIT ACK's address list. This
1307 * function is used when an INIT ACK is received but IP's fanout
1308 * function could not find a sctp via the normal lookup routine.
1309 * This can happen when a host sends an INIT ACK from a different
1310 * address than the INIT was sent to.
1311 *
1312 * Returns the sctp_t if found, or NULL if not found.
1313 */
1314 sctp_t *
1315 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich,
1316 zoneid_t zoneid, sctp_stack_t *sctps)
1317 {
1318 int isv4;
1319 ipha_t *iph;
1320 ip6_t *ip6h;
1321 in6_addr_t dst;
1322 in6_addr_t src, *srcp = &src;
1323 sctp_parm_hdr_t *ph;
1324 ssize_t remaining;
1325 sctp_init_chunk_t *iack;
1326 uint32_t ports;
1327 sctp_t *sctp = NULL;
1328
1329 ASSERT(ich->sch_id == CHUNK_INIT_ACK);
1330
1331 isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
1332 if (isv4) {
1333 iph = (ipha_t *)mp->b_rptr;
1334 IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst);
1335 } else {
1336 ip6h = (ip6_t *)mp->b_rptr;
1337 dst = ip6h->ip6_dst;
1338 }
1339
1340 ports = *(uint32_t *)sctph;
1341
1342 dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n",
1343 ports, SCTP_PRINTADDR(dst)));
1344
1345 /* pull out any address parameters */
1346 remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack);
1347 if (remaining < sizeof (*ph)) {
1348 return (NULL);
1349 }
1350
1351 iack = (sctp_init_chunk_t *)(ich + 1);
1352 ph = (sctp_parm_hdr_t *)(iack + 1);
1353
1354 while (ph != NULL) {
1355 /*
1356 * params have been verified in sctp_check_input(),
1357 * so no need to do it again here.
1358 *
1359 * According to RFC4960 :
1360 * All integer fields in an SCTP packet MUST be transmitted
1361 * in network byte order, unless otherwise stated.
1362 * Therefore convert the param type to network byte order.
1363 */
1364 if (ph->sph_type == htons(PARM_ADDR4)) {
1365 IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1),
1366 srcp);
1367
1368 sctp = sctp_conn_match(&srcp, 1, &dst, ports, zoneid,
1369 0, sctps);
1370
1371 dprint(1,
1372 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1373 SCTP_PRINTADDR(src), (void *)sctp));
1374
1375
1376 if (sctp != NULL) {
1377 return (sctp);
1378 }
1379 } else if (ph->sph_type == htons(PARM_ADDR6)) {
1380 srcp = (in6_addr_t *)(ph + 1);
1381 sctp = sctp_conn_match(&srcp, 1, &dst, ports, zoneid,
1382 0, sctps);
1383
1384 dprint(1,
1385 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
1386 SCTP_PRINTADDR(src), (void *)sctp));
1387
1388 if (sctp != NULL) {
1389 return (sctp);
1390 }
1391 }
1392
1393 ph = sctp_next_parm(ph, &remaining);
1394 }
1395
1396 return (NULL);
1397 }
Unleashed OS