authorcperciva <cperciva@FreeBSD.org>2006-03-22 16:00:42 +0000
committercperciva <cperciva@FreeBSD.org>2006-03-22 16:00:42 +0000
commite66460b8942afc349793d018627b403bbd4eaad0 (patch)
tree505281ed70ef5587153603a305cee43608da2925 /sys/netipsec/xform_esp.c
parentd663b33f930b54b91e851c202bd44ddd3e110361 (diff)
Add missing code needed for the detection of IPSec packet replays. [1]
Correctly identify the user running opiepasswd(1) when the login name differs from the account name. [2] Security: FreeBSD-SA-06:11.ipsec [1] Security: FreeBSD-SA-06:12.opie [2]
Diffstat (limited to 'sys/netipsec/xform_esp.c')
-rw-r--r--sys/netipsec/xform_esp.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index fdcee7f..d9c013b 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -555,6 +555,23 @@ esp_input_cb(struct cryptop *crp)
*/
m->m_flags |= M_DECRYPTED;
+ /*
+ * Update replay sequence number, if appropriate.
+ */
+ if (sav->replay) {
+ u_int32_t seq;
+
+ m_copydata(m, skip + offsetof(struct newesp, esp_seq),
+ sizeof (seq), (caddr_t) &seq);
+ if (ipsec_updatereplay(ntohl(seq), sav)) {
+ DPRINTF(("%s: packet replay check for %s\n", __func__,
+ ipsec_logsastr(sav)));
+ espstat.esps_replay++;
+ error = ENOBUFS;
+ goto bad;
+ }
+ }
+
/* Determine the ESP header length */
if (sav->flags & SADB_X_EXT_OLD)
hlen = sizeof (struct esp) + sav->ivlen;
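Review bot: The new comment at the top of the block says what is done but not why it must happen here, in the crypto callback after the packet has been decrypted and its integrity verified (the line above sets M_DECRYPTED), which is the point a future reader needs; suggest `/* Update the replay window only now that the packet has been authenticated; the pre-crypto check in esp_input must not advance it, or forged packets could shift the window. */`, assuming esp_input still performs the preliminary ipsec_chkreplay check. Setting `error = ENOBUFS` for a replayed packet reads like a resource failure rather than a rejected packet; if the AH input callback uses the same value for its replay drop, a short `/* XXX same errno as the AH replay drop */` would make the choice look deliberate rather than accidental. The enclosing esp_input_cb starts and ends outside the hunk, so I cannot see whether the `bad:` label frees the mbuf and releases the SA reference for this new exit path as it does for the existing ones.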