1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/types.h> 30 #include <sys/systm.h> 31 #include <sys/stream.h> 32 #include <sys/cmn_err.h> 33 #include <sys/md5.h> 34 #include <sys/kmem.h> 35 #include <sys/strsubr.h> 36 #include <sys/random.h> 37 #include <sys/tsol/tnet.h> 38 39 #include <netinet/in.h> 40 #include <netinet/ip6.h> 41 42 #include <inet/common.h> 43 #include <inet/ip.h> 44 #include <inet/ip6.h> 45 #include <inet/sctp_ip.h> 46 #include <inet/ipclassifier.h> 47 #include "sctp_impl.h" 48 49 /* 50 * Helper function for SunCluster (PSARC/2005/602) to get the original source 51 * address from the COOKIE 52 */ 53 int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *); 54 55 /* 56 * From RFC 2104. This should probably go into libmd5 (and while 57 * we're at it, maybe we should make a libdigest so we can later 58 * add SHA1 and others, esp. since some weaknesses have been found 59 * with MD5). 60 * 61 * text IN pointer to data stream 62 * text_len IN length of data stream 63 * key IN pointer to authentication key 64 * key_len IN length of authentication key 65 * digest OUT caller digest to be filled in 66 */ 67 static void 68 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len, 69 uchar_t *digest) 70 { 71 MD5_CTX context; 72 uchar_t k_ipad[65]; /* inner padding - key XORd with ipad */ 73 uchar_t k_opad[65]; /* outer padding - key XORd with opad */ 74 uchar_t tk[16]; 75 int i; 76 77 /* if key is longer than 64 bytes reset it to key=MD5(key) */ 78 if (key_len > 64) { 79 MD5_CTX tctx; 80 81 MD5Init(&tctx); 82 MD5Update(&tctx, key, key_len); 83 MD5Final(tk, &tctx); 84 85 key = tk; 86 key_len = 16; 87 } 88 89 /* 90 * the HMAC_MD5 transform looks like: 91 * 92 * MD5(K XOR opad, MD5(K XOR ipad, text)) 93 * 94 * where K is an n byte key 95 * ipad is the byte 0x36 repeated 64 times 96 * opad is the byte 0x5c repeated 64 times 97 * and text is the data being protected 98 */ 99 100 /* start out by storing key in pads */ 101 bzero(k_ipad, sizeof (k_ipad)); 102 bzero(k_opad, sizeof (k_opad)); 103 bcopy(key, k_ipad, key_len); 104 bcopy(key, k_opad, key_len); 105 106 /* XOR key with ipad and opad values */ 107 for (i = 0; i < 64; i++) { 108 k_ipad[i] ^= 0x36; 109 k_opad[i] ^= 0x5c; 110 } 111 /* 112 * perform inner MD5 113 */ 114 MD5Init(&context); /* init context for 1st */ 115 /* pass */ 116 MD5Update(&context, k_ipad, 64); /* start with inner pad */ 117 MD5Update(&context, text, text_len); /* then text of datagram */ 118 MD5Final(digest, &context); /* finish up 1st pass */ 119 /* 120 * perform outer MD5 121 */ 122 MD5Init(&context); /* init context for 2nd */ 123 /* pass */ 124 MD5Update(&context, k_opad, 64); /* start with outer pad */ 125 MD5Update(&context, digest, 16); /* then results of 1st */ 126 /* hash */ 127 MD5Final(digest, &context); /* finish up 2nd pass */ 128 } 129 130 /* 131 * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP 132 * info in initmp to send the abort. Otherwise, no abort will be sent. 133 * If errmp is non-NULL, a chain of unrecognized parameters will 134 * be created and returned via *errmp. 135 * 136 * Returns 1 if the parameters are OK (or there are no parameters), or 137 * 0 if not. 138 */ 139 static int 140 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch, 141 sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie, 142 mblk_t **errmp, int *supp_af, uint_t *sctp_options) 143 { 144 sctp_parm_hdr_t *cph; 145 sctp_init_chunk_t *ic; 146 ssize_t remaining; 147 uint16_t serror = 0; 148 char *details = NULL; 149 size_t errlen = 0; 150 boolean_t got_cookie = B_FALSE; 151 uint16_t ptype; 152 153 if (sctp_options != NULL) 154 *sctp_options = 0; 155 156 /* First validate stream parameters */ 157 if (init->sic_instr == 0 || init->sic_outstr == 0) { 158 serror = SCTP_ERR_BAD_MANDPARM; 159 dprint(1, ("validate_init_params: bad sid, is=%d os=%d\n", 160 htons(init->sic_instr), htons(init->sic_outstr))); 161 goto abort; 162 } 163 if (ntohl(init->sic_inittag) == 0) { 164 serror = SCTP_ERR_BAD_MANDPARM; 165 dprint(1, ("validate_init_params: inittag = 0\n")); 166 goto abort; 167 } 168 169 remaining = ntohs(ch->sch_len) - sizeof (*ch); 170 ic = (sctp_init_chunk_t *)(ch + 1); 171 remaining -= sizeof (*ic); 172 if (remaining < sizeof (*cph)) { 173 /* Nothing to validate */ 174 if (want_cookie != NULL) 175 goto cookie_abort; 176 return (1); 177 } 178 179 cph = (sctp_parm_hdr_t *)(ic + 1); 180 181 while (cph != NULL) { 182 ptype = ntohs(cph->sph_type); 183 switch (ptype) { 184 case PARM_HBINFO: 185 case PARM_UNRECOGNIZED: 186 case PARM_ECN: 187 /* just ignore them */ 188 break; 189 case PARM_FORWARD_TSN: 190 if (sctp_options != NULL) 191 *sctp_options |= SCTP_PRSCTP_OPTION; 192 break; 193 case PARM_COOKIE: 194 got_cookie = B_TRUE; 195 if (want_cookie != NULL) { 196 *want_cookie = cph; 197 } 198 break; 199 case PARM_ADDR4: 200 *supp_af |= PARM_SUPP_V4; 201 break; 202 case PARM_ADDR6: 203 *supp_af |= PARM_SUPP_V6; 204 break; 205 case PARM_COOKIE_PRESERVE: 206 case PARM_ADAPT_LAYER_IND: 207 /* These are OK */ 208 break; 209 case PARM_ADDR_HOST_NAME: 210 /* Don't support this; abort the association */ 211 serror = SCTP_ERR_BAD_ADDR; 212 details = (char *)cph; 213 errlen = ntohs(cph->sph_len); 214 dprint(1, ("sctp:validate_init_params: host addr\n")); 215 goto abort; 216 case PARM_SUPP_ADDRS: { 217 /* Make sure we have a supported addr intersection */ 218 uint16_t *p, addrtype; 219 int plen; 220 221 plen = ntohs(cph->sph_len); 222 p = (uint16_t *)(cph + 1); 223 while (plen > 0) { 224 addrtype = ntohs(*p); 225 switch (addrtype) { 226 case PARM_ADDR6: 227 *supp_af |= PARM_SUPP_V6; 228 break; 229 case PARM_ADDR4: 230 *supp_af |= PARM_SUPP_V4; 231 break; 232 default: 233 /* 234 * Do nothing, silently ignore hostname 235 * address. 236 */ 237 break; 238 } 239 p++; 240 plen -= sizeof (*p); 241 } 242 break; 243 } 244 default: 245 /* Unrecognized param; check the high order bits */ 246 if ((ptype & 0xc000) == 0xc000) { 247 /* 248 * report unrecognized param, and 249 * keep processing 250 */ 251 if (errmp != NULL) { 252 if (want_cookie != NULL) { 253 *errmp = sctp_make_err(sctp, 254 PARM_UNRECOGNIZED, 255 (void *)cph, 256 ntohs(cph->sph_len)); 257 } else { 258 sctp_add_unrec_parm(cph, errmp); 259 } 260 } 261 break; 262 } 263 if (ptype & 0x4000) { 264 /* 265 * Stop processing and drop; report 266 * unrecognized param 267 */ 268 serror = SCTP_ERR_UNREC_PARM; 269 details = (char *)cph; 270 errlen = ntohs(cph->sph_len); 271 goto abort; 272 } 273 if (ptype & 0x8000) { 274 /* skip and continue processing */ 275 break; 276 } 277 278 /* 279 * 2 high bits are clear; stop processing and 280 * drop packet 281 */ 282 return (0); 283 } 284 285 cph = sctp_next_parm(cph, &remaining); 286 } 287 /* 288 * Some sanity checks. The following should not fail unless the 289 * other side is broken. 290 * 291 * 1. If this is a V4 endpoint but V4 address is not 292 * supported, abort. 293 * 2. If this is a V6 only endpoint but V6 address is 294 * not supported, abort. This assumes that a V6 295 * endpoint can use both V4 and V6 addresses. 296 * We only care about supp_af when processing INIT, i.e want_cookie 297 * is NULL. 298 */ 299 if (want_cookie == NULL && 300 ((sctp->sctp_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) || 301 (sctp->sctp_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) && 302 sctp->sctp_connp->conn_ipv6_v6only))) { 303 dprint(1, ("sctp:validate_init_params: supp addr\n")); 304 serror = SCTP_ERR_BAD_ADDR; 305 goto abort; 306 } 307 308 if (want_cookie != NULL && !got_cookie) { 309 cookie_abort: 310 dprint(1, ("validate_init_params: cookie absent\n")); 311 sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM, 312 details, errlen, inmp, 0, B_FALSE); 313 return (0); 314 } 315 316 /* OK */ 317 return (1); 318 319 abort: 320 if (want_cookie != NULL) 321 return (0); 322 323 sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details, 324 errlen, inmp, 0, B_FALSE); 325 return (0); 326 } 327 328 /* 329 * Initialize params from the INIT and INIT-ACK when the assoc. is 330 * established. 331 */ 332 boolean_t 333 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init, 334 sctp_init_chunk_t *iack) 335 { 336 /* Get initial TSN */ 337 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 338 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 339 340 /* Serial number is initialized to the same value as the TSN */ 341 sctp->sctp_fcsn = sctp->sctp_lastacked; 342 343 /* 344 * Get verification tags; no byteordering is necessary, since 345 * verfication tags are never processed except for byte-by-byte 346 * comparisons. 347 */ 348 sctp->sctp_fvtag = init->sic_inittag; 349 sctp->sctp_sctph->sh_verf = init->sic_inittag; 350 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 351 sctp->sctp_lvtag = iack->sic_inittag; 352 353 /* Get the peer's rwnd */ 354 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 355 356 /* Allocate the in/out-stream counters */ 357 sctp->sctp_num_ostr = iack->sic_outstr; 358 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 359 sctp->sctp_num_ostr, KM_NOSLEEP); 360 if (sctp->sctp_ostrcntrs == NULL) 361 return (B_FALSE); 362 363 sctp->sctp_num_istr = iack->sic_instr; 364 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 365 sctp->sctp_num_istr, KM_NOSLEEP); 366 if (sctp->sctp_instr == NULL) { 367 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 368 sctp->sctp_num_ostr); 369 sctp->sctp_ostrcntrs = NULL; 370 return (B_FALSE); 371 } 372 return (B_TRUE); 373 } 374 375 /* 376 * Copy the peer's original source address into addr. This relies on the 377 * following format (see sctp_send_initack() below): 378 * relative timestamp for the cookie (int64_t) + 379 * cookie lifetime (uint32_t) + 380 * local tie-tag (uint32_t) + peer tie-tag (uint32_t) + 381 * Peer's original src ... 382 */ 383 int 384 cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr) 385 { 386 uchar_t *off; 387 388 ASSERT(addr != NULL); 389 390 if (ch->sch_id != CHUNK_COOKIE) 391 return (EINVAL); 392 393 off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) + 394 sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t); 395 396 bcopy(off, addr, sizeof (*addr)); 397 398 return (0); 399 } 400 401 #define SCTP_CALC_COOKIE_LEN(initcp) \ 402 sizeof (int64_t) + /* timestamp */ \ 403 sizeof (uint32_t) + /* cookie lifetime */ \ 404 sizeof (sctp_init_chunk_t) + /* INIT ACK */ \ 405 sizeof (in6_addr_t) + /* peer's original source */ \ 406 ntohs((initcp)->sch_len) + /* peer's INIT */ \ 407 sizeof (uint32_t) + /* local tie-tag */ \ 408 sizeof (uint32_t) + /* peer tie-tag */ \ 409 sizeof (sctp_parm_hdr_t) + /* param header */ \ 410 16 /* MD5 hash */ 411 412 void 413 sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch, 414 mblk_t *initmp) 415 { 416 ipha_t *initiph; 417 ip6_t *initip6h; 418 ipha_t *iackiph; 419 ip6_t *iackip6h; 420 sctp_chunk_hdr_t *iack_ch; 421 sctp_init_chunk_t *iack; 422 sctp_init_chunk_t *init; 423 sctp_hdr_t *iacksh; 424 size_t cookielen; 425 size_t iacklen; 426 size_t ipsctplen; 427 size_t errlen = 0; 428 sctp_parm_hdr_t *cookieph; 429 mblk_t *iackmp; 430 uint32_t itag; 431 uint32_t itsn; 432 int64_t *now; 433 int64_t nowt; 434 uint32_t *lifetime; 435 char *p; 436 boolean_t isv4; 437 int supp_af = 0; 438 uint_t sctp_options; 439 uint32_t *ttag; 440 int pad; 441 mblk_t *errmp = NULL; 442 boolean_t initcollision = B_FALSE; 443 boolean_t linklocal = B_FALSE; 444 cred_t *cr; 445 ts_label_t *initlabel; 446 sctp_stack_t *sctps = sctp->sctp_sctps; 447 448 BUMP_LOCAL(sctp->sctp_ibchunks); 449 isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION); 450 451 /* Extract the INIT chunk */ 452 if (isv4) { 453 initiph = (ipha_t *)initmp->b_rptr; 454 ipsctplen = sctp->sctp_ip_hdr_len; 455 supp_af |= PARM_SUPP_V4; 456 } else { 457 initip6h = (ip6_t *)initmp->b_rptr; 458 ipsctplen = sctp->sctp_ip_hdr6_len; 459 if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src)) 460 linklocal = B_TRUE; 461 supp_af |= PARM_SUPP_V6; 462 } 463 ASSERT(OK_32PTR(initsh)); 464 init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch)); 465 466 /* Make sure we like the peer's parameters */ 467 if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp, 468 &supp_af, &sctp_options) == 0) { 469 return; 470 } 471 if (errmp != NULL) 472 errlen = msgdsize(errmp); 473 if (sctp->sctp_family == AF_INET) { 474 /* 475 * Irregardless of the supported address in the INIT, v4 476 * must be supported. 477 */ 478 supp_af = PARM_SUPP_V4; 479 } 480 if (sctp->sctp_state <= SCTPS_LISTEN) { 481 /* normal, expected INIT: generate new vtag and itsn */ 482 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 483 if (itag == 0) 484 itag = (uint32_t)gethrtime(); 485 itsn = itag + 1; 486 itag = htonl(itag); 487 } else if (sctp->sctp_state == SCTPS_COOKIE_WAIT || 488 sctp->sctp_state == SCTPS_COOKIE_ECHOED) { 489 /* init collision; copy vtag and itsn from sctp */ 490 itag = sctp->sctp_lvtag; 491 itsn = sctp->sctp_ltsn; 492 /* 493 * In addition we need to send all the params that was sent 494 * in our INIT chunk. Essentially, it is only the supported 495 * address params that we need to add. 496 */ 497 initcollision = B_TRUE; 498 /* 499 * When we sent the INIT, we should have set linklocal in 500 * the sctp which should be good enough. 501 */ 502 if (linklocal) 503 linklocal = B_FALSE; 504 } else { 505 /* peer restart; generate new vtag but keep everything else */ 506 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 507 if (itag == 0) 508 itag = (uint32_t)gethrtime(); 509 itag = htonl(itag); 510 itsn = sctp->sctp_ltsn; 511 } 512 513 /* 514 * Allocate a mblk for the INIT ACK, consisting of the link layer 515 * header, the IP header, the SCTP common header, and INIT ACK chunk, 516 * and finally the COOKIE parameter. 517 */ 518 cookielen = SCTP_CALC_COOKIE_LEN(ch); 519 iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen; 520 if (sctp->sctp_send_adaptation) 521 iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t)); 522 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 523 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) { 524 iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION); 525 } 526 if (initcollision) 527 iacklen += sctp_supaddr_param_len(sctp); 528 if (!linklocal) 529 iacklen += sctp_addr_params(sctp, supp_af, NULL, B_FALSE); 530 ipsctplen += sizeof (*iacksh) + iacklen; 531 iacklen += errlen; 532 if ((pad = ipsctplen % 4) != 0) { 533 pad = 4 - pad; 534 ipsctplen += pad; 535 } 536 537 /* 538 * If the listen socket is bound to a trusted extensions 539 * multi-label port, attach a copy of the listener's cred 540 * to the new INITACK mblk. Modify the cred to contain 541 * the security label of the received INIT packet. 542 * If not a multi-label port, attach the unmodified 543 * listener's cred directly. 544 * 545 * We expect Sun developed kernel modules to properly set 546 * cred labels for sctp connections. We can't be so sure this 547 * will be done correctly when 3rd party kernel modules 548 * directly use sctp. The initlabel panic guard logic was 549 * added to cover this possibility. 550 */ 551 if (sctp->sctp_connp->conn_mlp_type != mlptSingle) { 552 initlabel = MBLK_GETLABEL(initmp); 553 if (initlabel == NULL) { 554 sctp_send_abort(sctp, sctp_init2vtag(ch), 555 SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0, B_FALSE); 556 return; 557 } 558 cr = copycred_from_bslabel(CONN_CRED(sctp->sctp_connp), 559 &initlabel->tsl_label, initlabel->tsl_doi, KM_NOSLEEP); 560 if (cr == NULL) { 561 sctp_send_abort(sctp, sctp_init2vtag(ch), 562 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 563 return; 564 } 565 iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra, cr); 566 crfree(cr); 567 } else { 568 iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra, 569 CONN_CRED(sctp->sctp_connp)); 570 } 571 if (iackmp == NULL) { 572 sctp_send_abort(sctp, sctp_init2vtag(ch), 573 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 574 return; 575 } 576 577 /* Copy in the [imcomplete] IP/SCTP composite header */ 578 p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra); 579 iackmp->b_rptr = (uchar_t *)p; 580 if (isv4) { 581 bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len); 582 iackiph = (ipha_t *)p; 583 584 /* Copy the peer's IP addr */ 585 iackiph->ipha_dst = initiph->ipha_src; 586 iackiph->ipha_src = initiph->ipha_dst; 587 iackiph->ipha_length = htons(ipsctplen + errlen); 588 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len); 589 } else { 590 bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len); 591 iackip6h = (ip6_t *)p; 592 593 /* Copy the peer's IP addr */ 594 iackip6h->ip6_dst = initip6h->ip6_src; 595 iackip6h->ip6_src = initip6h->ip6_dst; 596 iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) + 597 errlen); 598 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len); 599 } 600 ASSERT(OK_32PTR(iacksh)); 601 602 /* Fill in the holes in the SCTP common header */ 603 iacksh->sh_sport = initsh->sh_dport; 604 iacksh->sh_dport = initsh->sh_sport; 605 iacksh->sh_verf = init->sic_inittag; 606 607 /* INIT ACK chunk header */ 608 iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1); 609 iack_ch->sch_id = CHUNK_INIT_ACK; 610 iack_ch->sch_flags = 0; 611 iack_ch->sch_len = htons(iacklen); 612 613 /* The INIT ACK itself */ 614 iack = (sctp_init_chunk_t *)(iack_ch + 1); 615 iack->sic_inittag = itag; /* already in network byteorder */ 616 iack->sic_inittsn = htonl(itsn); 617 618 iack->sic_a_rwnd = htonl(sctp->sctp_rwnd); 619 /* Advertise what we would want to have as stream #'s */ 620 iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr, 621 ntohs(init->sic_instr))); 622 iack->sic_instr = htons(sctp->sctp_num_istr); 623 624 p = (char *)(iack + 1); 625 p += sctp_adaptation_code_param(sctp, (uchar_t *)p); 626 if (initcollision) 627 p += sctp_supaddr_param(sctp, (uchar_t *)p); 628 if (!linklocal) 629 p += sctp_addr_params(sctp, supp_af, (uchar_t *)p, B_FALSE); 630 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 631 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) { 632 p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION); 633 } 634 /* 635 * Generate and lay in the COOKIE parameter. 636 * 637 * Any change here that results in a change of location for 638 * the peer's orig source address must be propagated to the fn 639 * cl_sctp_cookie_paddr() above. 640 * 641 * The cookie consists of: 642 * 1. The relative timestamp for the cookie (lbolt64) 643 * 2. The cookie lifetime (uint32_t) in tick 644 * 3. The local tie-tag 645 * 4. The peer tie-tag 646 * 5. Peer's original src, used to confirm the validity of address. 647 * 6. Our INIT ACK chunk, less any parameters 648 * 7. The INIT chunk (may contain parameters) 649 * 8. 128-bit MD5 signature. 650 * 651 * Since the timestamp values will only be evaluated locally, we 652 * don't need to worry about byte-ordering them. 653 */ 654 cookieph = (sctp_parm_hdr_t *)p; 655 cookieph->sph_type = htons(PARM_COOKIE); 656 cookieph->sph_len = htons(cookielen); 657 658 /* timestamp */ 659 now = (int64_t *)(cookieph + 1); 660 nowt = lbolt64; 661 bcopy(&nowt, now, sizeof (*now)); 662 663 /* cookie lifetime -- need configuration */ 664 lifetime = (uint32_t *)(now + 1); 665 *lifetime = sctp->sctp_cookie_lifetime; 666 667 /* Set the tie-tags */ 668 ttag = (uint32_t *)(lifetime + 1); 669 if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) { 670 *ttag = 0; 671 ttag++; 672 *ttag = 0; 673 ttag++; 674 } else { 675 /* local tie-tag (network byte-order) */ 676 *ttag = sctp->sctp_lvtag; 677 ttag++; 678 /* peer tie-tag (network byte-order) */ 679 *ttag = sctp->sctp_fvtag; 680 ttag++; 681 } 682 /* 683 * Copy in peer's original source address so that we can confirm 684 * the reachability later. 685 */ 686 p = (char *)ttag; 687 if (isv4) { 688 in6_addr_t peer_addr; 689 690 IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr); 691 bcopy(&peer_addr, p, sizeof (in6_addr_t)); 692 } else { 693 bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t)); 694 } 695 p += sizeof (in6_addr_t); 696 /* Copy in our INIT ACK chunk */ 697 bcopy(iack, p, sizeof (*iack)); 698 iack = (sctp_init_chunk_t *)p; 699 /* Set the # of streams we'll end up using */ 700 iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr)); 701 iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr)); 702 p += sizeof (*iack); 703 704 /* Copy in the peer's INIT chunk */ 705 bcopy(ch, p, ntohs(ch->sch_len)); 706 p += ntohs(ch->sch_len); 707 708 /* 709 * Calculate the HMAC ICV into the digest slot in buf. 710 * First, generate a new secret if the current secret is 711 * older than the new secret lifetime parameter permits, 712 * copying the current secret to sctp_old_secret. 713 */ 714 if (sctps->sctps_new_secret_interval > 0 && 715 (sctp->sctp_last_secret_update + 716 MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) { 717 bcopy(sctp->sctp_secret, sctp->sctp_old_secret, 718 SCTP_SECRET_LEN); 719 (void) random_get_pseudo_bytes(sctp->sctp_secret, 720 SCTP_SECRET_LEN); 721 sctp->sctp_last_secret_update = nowt; 722 } 723 724 hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16, 725 (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p); 726 727 iackmp->b_wptr = iackmp->b_rptr + ipsctplen; 728 iackmp->b_cont = errmp; /* OK if NULL */ 729 730 if (is_system_labeled() && (cr = DB_CRED(iackmp)) != NULL && 731 crgetlabel(cr) != NULL) { 732 conn_t *connp = sctp->sctp_connp; 733 int err; 734 735 if (isv4) 736 err = tsol_check_label(cr, &iackmp, 737 connp->conn_mac_exempt, 738 sctps->sctps_netstack->netstack_ip); 739 else 740 err = tsol_check_label_v6(cr, &iackmp, 741 connp->conn_mac_exempt, 742 sctps->sctps_netstack->netstack_ip); 743 if (err != 0) { 744 sctp_send_abort(sctp, sctp_init2vtag(ch), 745 SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE); 746 freemsg(iackmp); 747 return; 748 } 749 } 750 751 /* 752 * Stash the conn ptr info. for IP only as e don't have any 753 * cached IRE. 754 */ 755 SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL); 756 757 /* XXX sctp == sctp_g_q, so using its obchunks is valid */ 758 BUMP_LOCAL(sctp->sctp_opkts); 759 BUMP_LOCAL(sctp->sctp_obchunks); 760 761 /* OK to call IP_PUT() here instead of sctp_add_sendq(). */ 762 CONN_INC_REF(sctp->sctp_connp); 763 iackmp->b_flag |= MSGHASREF; 764 IP_PUT(iackmp, sctp->sctp_connp, isv4); 765 } 766 767 void 768 sctp_send_cookie_ack(sctp_t *sctp) 769 { 770 sctp_chunk_hdr_t *cach; 771 mblk_t *camp; 772 sctp_stack_t *sctps = sctp->sctp_sctps; 773 774 camp = sctp_make_mp(sctp, NULL, sizeof (*cach)); 775 if (camp == NULL) { 776 /* XXX should abort, but don't have the inmp anymore */ 777 SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed); 778 return; 779 } 780 781 cach = (sctp_chunk_hdr_t *)camp->b_wptr; 782 camp->b_wptr = (uchar_t *)(cach + 1); 783 cach->sch_id = CHUNK_COOKIE_ACK; 784 cach->sch_flags = 0; 785 cach->sch_len = htons(sizeof (*cach)); 786 787 sctp_set_iplen(sctp, camp); 788 789 BUMP_LOCAL(sctp->sctp_obchunks); 790 791 sctp_add_sendq(sctp, camp); 792 } 793 794 static int 795 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code) 796 { 797 798 if (len < sizeof (*sph)) 799 return (-1); 800 while (sph != NULL) { 801 if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) && 802 ntohs(sph->sph_len) >= (sizeof (*sph) + 803 sizeof (uint32_t))) { 804 *adaptation_code = *(uint32_t *)(sph + 1); 805 return (0); 806 } 807 sph = sctp_next_parm(sph, &len); 808 } 809 return (-1); 810 } 811 812 void 813 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp) 814 { 815 mblk_t *cemp; 816 mblk_t *mp = NULL; 817 mblk_t *head; 818 mblk_t *meta; 819 sctp_faddr_t *fp; 820 sctp_chunk_hdr_t *cech; 821 sctp_init_chunk_t *iack; 822 int32_t cansend; 823 int32_t seglen; 824 size_t ceclen; 825 sctp_parm_hdr_t *cph; 826 sctp_data_hdr_t *sdc; 827 sctp_tf_t *tf; 828 int pad = 0; 829 int hdrlen; 830 mblk_t *errmp = NULL; 831 uint_t sctp_options; 832 int error; 833 uint16_t old_num_str; 834 sctp_stack_t *sctps = sctp->sctp_sctps; 835 836 iack = (sctp_init_chunk_t *)(iackch + 1); 837 838 cph = NULL; 839 if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp, 840 &pad, &sctp_options) == 0) { /* result in 'pad' ignored */ 841 BUMP_MIB(&sctps->sctps_mib, sctpAborted); 842 sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL); 843 sctp_clean_death(sctp, ECONNABORTED); 844 return; 845 } 846 ASSERT(cph != NULL); 847 848 ASSERT(sctp->sctp_cookie_mp == NULL); 849 850 /* Got a cookie to echo back; allocate an mblk */ 851 ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph); 852 if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0) 853 pad = SCTP_ALIGN - pad; 854 855 if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION) 856 hdrlen = sctp->sctp_hdr_len; 857 else 858 hdrlen = sctp->sctp_hdr6_len; 859 860 cemp = allocb(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad, 861 BPRI_MED); 862 if (cemp == NULL) { 863 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 864 sctp->sctp_current->rto); 865 if (errmp != NULL) 866 freeb(errmp); 867 return; 868 } 869 cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen); 870 871 /* Process the INIT ACK */ 872 sctp->sctp_sctph->sh_verf = iack->sic_inittag; 873 sctp->sctp_sctph6->sh_verf = iack->sic_inittag; 874 sctp->sctp_fvtag = iack->sic_inittag; 875 sctp->sctp_ftsn = ntohl(iack->sic_inittsn); 876 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 877 sctp->sctp_fcsn = sctp->sctp_lastacked; 878 sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd); 879 880 /* 881 * Populate sctp with addresses given in the INIT ACK or IP header. 882 * Need to set the df bit in the current fp as it has been cleared 883 * in sctp_connect(). 884 */ 885 sctp->sctp_current->df = B_TRUE; 886 /* 887 * Since IP uses this info during the fanout process, we need to hold 888 * the lock for this hash line while performing this operation. 889 */ 890 /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, sctp->sctp_ports); */ 891 ASSERT(sctp->sctp_conn_tfp != NULL); 892 tf = sctp->sctp_conn_tfp; 893 /* sctp isn't a listener so only need to hold conn fanout lock */ 894 mutex_enter(&tf->tf_lock); 895 if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) { 896 mutex_exit(&tf->tf_lock); 897 freeb(cemp); 898 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 899 sctp->sctp_current->rto); 900 if (errmp != NULL) 901 freeb(errmp); 902 return; 903 } 904 mutex_exit(&tf->tf_lock); 905 906 fp = sctp->sctp_current; 907 908 /* 909 * There could be a case when we get an INIT-ACK again, if the INIT 910 * is re-transmitted, for e.g., which means we would have already 911 * allocated this resource earlier (also for sctp_instr). In this 912 * case we check and re-allocate, if necessary. 913 */ 914 old_num_str = sctp->sctp_num_ostr; 915 if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr) 916 sctp->sctp_num_ostr = ntohs(iack->sic_instr); 917 if (sctp->sctp_ostrcntrs == NULL) { 918 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 919 sctp->sctp_num_ostr, KM_NOSLEEP); 920 } else { 921 ASSERT(old_num_str > 0); 922 if (old_num_str != sctp->sctp_num_ostr) { 923 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 924 old_num_str); 925 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 926 sctp->sctp_num_ostr, KM_NOSLEEP); 927 } 928 } 929 if (sctp->sctp_ostrcntrs == NULL) { 930 freeb(cemp); 931 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 932 if (errmp != NULL) 933 freeb(errmp); 934 return; 935 } 936 937 /* 938 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs 939 * hold here too. 940 */ 941 old_num_str = sctp->sctp_num_istr; 942 if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr) 943 sctp->sctp_num_istr = ntohs(iack->sic_outstr); 944 if (sctp->sctp_instr == NULL) { 945 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 946 sctp->sctp_num_istr, KM_NOSLEEP); 947 } else { 948 ASSERT(old_num_str > 0); 949 if (old_num_str != sctp->sctp_num_istr) { 950 kmem_free(sctp->sctp_instr, 951 sizeof (*sctp->sctp_instr) * old_num_str); 952 sctp->sctp_instr = kmem_zalloc( 953 sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr, 954 KM_NOSLEEP); 955 } 956 } 957 if (sctp->sctp_instr == NULL) { 958 kmem_free(sctp->sctp_ostrcntrs, 959 sizeof (uint16_t) * sctp->sctp_num_ostr); 960 freeb(cemp); 961 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 962 if (errmp != NULL) 963 freeb(errmp); 964 return; 965 } 966 967 if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware) 968 sctp->sctp_prsctp_aware = B_FALSE; 969 970 if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1), 971 ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)), 972 &sctp->sctp_rx_adaptation_code) == 0) { 973 sctp->sctp_recv_adaptation = 1; 974 } 975 976 cech = (sctp_chunk_hdr_t *)cemp->b_rptr; 977 ASSERT(OK_32PTR(cech)); 978 cech->sch_id = CHUNK_COOKIE; 979 cech->sch_flags = 0; 980 cech->sch_len = htons(ceclen); 981 982 /* Copy the cookie (less the parm hdr) to the chunk */ 983 bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph)); 984 985 cemp->b_wptr = cemp->b_rptr + ceclen; 986