/*
* Returns 0 on success, ENOMEM on memory allocation failure, EHOSTUNREACH
* if the connection credentials fail remote host accreditation or
* if the new destination does not support the previously established
* connection security label. If sleep is true, this function should
* never fail for a memory allocation failure. The boolean parameter
* "first" decides whether the newly created faddr structure should be
* added at the beginning of the list or at the end.
*
* Note: caller must hold conn fanout lock.
*/
int
sctp_add_faddr(sctp_t *sctp, in6_addr_t *addr, int sleep, boolean_t first)
{
sctp_faddr_t *faddr;
mblk_t *timer_mp;
int err;
conn_t *connp = sctp->sctp_connp;
if (is_system_labeled()) {
ip_xmit_attr_t *ixa = connp->conn_ixa;
ts_label_t *effective_tsl = NULL;
ASSERT(ixa->ixa_tsl != NULL);
/*
* Verify the destination is allowed to receive packets
* at the security label of the connection we are initiating.
*
* tsol_check_dest() will create a new effective label for
* this connection with a modified label or label flags only
* if there are changes from the original label.
*
* Accept whatever label we get if this is the first
* destination address for this connection. The security
* label and label flags must match any previuous settings
* for all subsequent destination addresses.
*/
if (IN6_IS_ADDR_V4MAPPED(addr)) {
uint32_t dst;
IN6_V4MAPPED_TO_IPADDR(addr, dst);
err = tsol_check_dest(ixa->ixa_tsl,
&dst, IPV4_VERSION, connp->conn_mac_mode,
connp->conn_zone_is_global, &effective_tsl);
} else {
err = tsol_check_dest(ixa->ixa_tsl,
addr, IPV6_VERSION, connp->conn_mac_mode,
connp->conn_zone_is_global, &effective_tsl);
}
if (err != 0)
return (err);
if (sctp->sctp_faddrs == NULL && effective_tsl != NULL) {
ip_xmit_attr_replace_tsl(ixa, effective_tsl);
} else if (effective_tsl != NULL) {
label_rele(effective_tsl);
return (EHOSTUNREACH);
}
}
if ((faddr = kmem_cache_alloc(sctp_kmem_faddr_cache, sleep)) == NULL)
return (ENOMEM);
bzero(faddr, sizeof (*faddr));
timer_mp = sctp_timer_alloc((sctp), sctp_rexmit_timer, sleep);
if (timer_mp == NULL) {
kmem_cache_free(sctp_kmem_faddr_cache, faddr);
return (ENOMEM);
}
((sctpt_t *)(timer_mp->b_rptr))->sctpt_faddr = faddr;
/* Start with any options set on the conn */
faddr->ixa = conn_get_ixa_exclusive(connp);
if (faddr->ixa == NULL) {
freemsg(timer_mp);
kmem_cache_free(sctp_kmem_faddr_cache, faddr);
return (ENOMEM);
}
faddr->ixa->ixa_notify_cookie = connp->conn_sctp;
sctp_init_faddr(sctp, faddr, addr, timer_mp);
ASSERT(faddr->ixa->ixa_cred != NULL);
/* ip_attr_connect didn't allow broadcats/multicast dest */
ASSERT(faddr->next == NULL);
if (sctp->sctp_faddrs == NULL) {
ASSERT(sctp->sctp_lastfaddr == NULL);
/* only element on list; first and last are same */
sctp->sctp_faddrs = sctp->sctp_lastfaddr = faddr;
} else if (first) {
ASSERT(sctp->sctp_lastfaddr != NULL);
faddr->next = sctp->sctp_faddrs;
sctp->sctp_faddrs = faddr;
} else {
sctp->sctp_lastfaddr->next = faddr;
sctp->sctp_lastfaddr = faddr;
}
sctp->sctp_nfaddrs++;
return (0);
}
/*
* If iserror == 0, sends an abort. If iserror != 0, sends an error.
*/
void
sctp_send_abort(sctp_t *sctp, uint32_t vtag, uint16_t serror, char *details,
size_t len, mblk_t *inmp, int iserror, boolean_t tbit, ip_recv_attr_t *ira)
{
mblk_t *hmp;
uint32_t ip_hdr_len;
ipha_t *iniph;
ipha_t *ahiph = NULL;
ip6_t *inip6h;
ip6_t *ahip6h = NULL;
sctp_hdr_t *sh;
sctp_hdr_t *insh;
size_t ahlen;
uchar_t *p;
ssize_t alen;
int isv4;
conn_t *connp = sctp->sctp_connp;
sctp_stack_t *sctps = sctp->sctp_sctps;
ip_xmit_attr_t *ixa;
isv4 = (IPH_HDR_VERSION(inmp->b_rptr) == IPV4_VERSION);
if (isv4) {
ahlen = sctp->sctp_hdr_len;
} else {
ahlen = sctp->sctp_hdr6_len;
}
/*
* If this is a labeled system, then check to see if we're allowed to
* send a response to this particular sender. If not, then just drop.
*/
if (is_system_labeled() && !tsol_can_reply_error(inmp, ira))
return;
hmp = allocb(sctps->sctps_wroff_xtra + ahlen, BPRI_MED);
if (hmp == NULL) {
/* XXX no resources */
return;
}
/* copy in the IP / SCTP header */
p = hmp->b_rptr + sctps->sctps_wroff_xtra;
hmp->b_rptr = p;
hmp->b_wptr = p + ahlen;
if (isv4) {
bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len);
/*
* Composite is likely incomplete at this point, so pull
* info from the incoming IP / SCTP headers.
*/
ahiph = (ipha_t *)p;
iniph = (ipha_t *)inmp->b_rptr;
ip_hdr_len = IPH_HDR_LENGTH(inmp->b_rptr);
sh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len);
ASSERT(OK_32PTR(sh));
insh = (sctp_hdr_t *)((uchar_t *)iniph + ip_hdr_len);
ASSERT(OK_32PTR(insh));
/* Copy in the peer's IP addr */
ahiph->ipha_dst = iniph->ipha_src;
ahiph->ipha_src = iniph->ipha_dst;
} else {
bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len);
ahip6h = (ip6_t *)p;
inip6h = (ip6_t *)inmp->b_rptr;
ip_hdr_len = ip_hdr_length_v6(inmp, inip6h);
sh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len);
ASSERT(OK_32PTR(sh));
insh = (sctp_hdr_t *)((uchar_t *)inip6h + ip_hdr_len);
ASSERT(OK_32PTR(insh));
/* Copy in the peer's IP addr */
ahip6h->ip6_dst = inip6h->ip6_src;
ahip6h->ip6_src = inip6h->ip6_dst;
}
/* Fill in the holes in the SCTP common header */
sh->sh_sport = insh->sh_dport;
sh->sh_dport = insh->sh_sport;
sh->sh_verf = vtag;
/* Link in the abort chunk */
if ((alen = sctp_link_abort(hmp, serror, details, len, iserror, tbit))
< 0) {
freemsg(hmp);
return;
}
/*
* Base the transmission on any routing-related socket options
* that have been set on the listener/connection.
*/
ixa = conn_get_ixa_exclusive(connp);
if (ixa == NULL) {
freemsg(hmp);
return;
}
ixa->ixa_flags &= ~IXAF_VERIFY_PMTU;
ixa->ixa_pktlen = ahlen + alen;
if (isv4) {
ixa->ixa_flags |= IXAF_IS_IPV4;
ahiph->ipha_length = htons(ixa->ixa_pktlen);
ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr_len;
} else {
ixa->ixa_flags &= ~IXAF_IS_IPV4;
ahip6h->ip6_plen = htons(ixa->ixa_pktlen - IPV6_HDR_LEN);
ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr6_len;
}
SCTPS_BUMP_MIB(sctps, sctpAborted);
BUMP_LOCAL(sctp->sctp_obchunks);
if (is_system_labeled() && ixa->ixa_tsl != NULL) {
ASSERT(ira->ira_tsl != NULL);
ixa->ixa_tsl = ira->ira_tsl; /* A multi-level responder */
}
if (ira->ira_flags & IRAF_IPSEC_SECURE) {
/*
* Apply IPsec based on how IPsec was applied to
* the packet that caused the abort.
*/
if (!ipsec_in_to_out(ira, ixa, hmp, ahiph, ahip6h)) {
ip_stack_t *ipst = sctps->sctps_netstack->netstack_ip;
BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
/* Note: mp already consumed and ip_drop_packet done */
ixa_refrele(ixa);
return;
}
} else {
ixa->ixa_flags |= IXAF_NO_IPSEC;
}
BUMP_LOCAL(sctp->sctp_opkts);
BUMP_LOCAL(sctp->sctp_obchunks);
(void) ip_output_simple(hmp, ixa);
ixa_refrele(ixa);
}
