| author | pjd <pjd@FreeBSD.org> | 2006-04-09 19:11:45 +0000 |
|---|---|---|
| committer | pjd <pjd@FreeBSD.org> | 2006-04-09 19:11:45 +0000 |
| commit | 0501edbc66645c32bd26858286dc77bbda7e3720 (patch) | |
| tree | 77a503b7833e317fcc529ff99d821491c8d3ddfc /sys/netipsec/xform_ah.c | |
| parent | b9b788a5760c97968cafc3828641761cfe07fae2 (diff) | |
| download | FreeBSD-src-0501edbc66645c32bd26858286dc77bbda7e3720.zip FreeBSD-src-0501edbc66645c32bd26858286dc77bbda7e3720.tar.gz | |
Introduce two new sysctls:

net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with
the same sequence number. This allows one to verify whether the other side
has proper replay attack detection.

net.inet.ipsec.test_integrity - When set to 1, IPsec will send packets with
a corrupted HMAC. This allows one to verify whether the other side properly
detects modified packets.

I used the first one to discover that we don't have proper replay attack
detection in ESP (in fast_ipsec(4)).
Diffstat (limited to 'sys/netipsec/xform_ah.c')
-rw-r--r-- | sys/netipsec/xform_ah.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index e3da578..cd23fe3 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -998,7 +998,9 @@ ah_output( error = EINVAL; goto bad; } - sav->replay->count++; + /* Emulate replay attack when ipsec_replay is TRUE. */ + if (!ipsec_replay) + sav->replay->count++; ah->ah_seq = htonl(sav->replay->count); } @@ -1178,6 +1180,18 @@ ah_output_cb(struct cryptop *crp) free(tc, M_XDATA); crypto_freereq(crp); + /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */ + if (ipsec_integrity) { + int alen; + + /* + * Corrupt HMAC if we want to test integrity verification of + * the other side. + */ + alen = AUTHSIZE(sav); + m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes); + } + /* NB: m is reclaimed by ipsec_process_done. */ err = ipsec_process_done(m, isr); KEY_FREESAV(&sav); |
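Review bot: in the `ah_output` hunk (`@@ -998,7 +998,9 @@`), `ipsec_replay` is tested with no declaration visible in this file's diff, and the sysctl the commit message advertises is `net.inet.ipsec.test_replay`, so the variable name and the sysctl name differ. Make sure the `extern int ipsec_replay;` lives in the shared ipsec header next to the other sysctl-backed globals rather than being redeclared per xform, and name the sysctl in the comment, e.g. `/* Emulate replay attack when net.inet.ipsec.test_replay is set. */`, so the knob can be found from the code. Since the flag is a host-wide global checked per packet, every AH SA on the box repeats its sequence number while it is set; that is acceptable for a test knob but belongs in the sysctl description string.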
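Review bot: in the `ah_output_cb` hunk (`@@ -1178,6 +1180,18 @@`), the comment says "Corrupt HMAC", but the bytes overwritten are the last `alen` of the packet at `m->m_pkthdr.len - alen`. That is where ESP trails its ICV; AH carries its ICV inside the AH header, so check this offset against where `ah_output` injects the ICV. If the write lands in the authenticated payload instead, the peer still rejects the packet (AH covers the whole datagram), but the comment and the `test_integrity` description should then say "modify authenticated data" rather than "corrupt HMAC". Separately, the `m_copyback(m, ..., alen, ipseczeroes)` call assumes `ipseczeroes` holds at least `AUTHSIZE(sav)` bytes; a `KASSERT` of `alen` against the size of `ipseczeroes` would document that assumption in place.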