From e66460b8942afc349793d018627b403bbd4eaad0 Mon Sep 17 00:00:00 2001
From: cperciva <cperciva@FreeBSD.org>
Date: Wed, 22 Mar 2006 16:00:42 +0000
Subject: Add missing code needed for the detection of IPSec packet replays.
 [1]

Correctly identify the user running opiepasswd(1) when the login name
differs from the account name. [2]

Security:	FreeBSD-SA-06:11.ipsec [1]
Security:	FreeBSD-SA-06:12.opie [2]
---
 sys/netipsec/xform_esp.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'sys/netipsec/xform_esp.c')

diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index fdcee7f..d9c013b 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -555,6 +555,23 @@ esp_input_cb(struct cryptop *crp)
 	 */
 	m->m_flags |= M_DECRYPTED;
 
+	/*
+	 * Update replay sequence number, if appropriate.
+	 */
+	if (sav->replay) {
+		u_int32_t seq;
+
+		m_copydata(m, skip + offsetof(struct newesp, esp_seq),
+			   sizeof (seq), (caddr_t) &seq);
+		if (ipsec_updatereplay(ntohl(seq), sav)) {
+			DPRINTF(("%s: packet replay check for %s\n", __func__,
+			    ipsec_logsastr(sav)));
+			espstat.esps_replay++;
+			error = ENOBUFS;
+			goto bad;
+		}
+	}
+
 	/* Determine the ESP header length */
 	if (sav->flags & SADB_X_EXT_OLD)
 		hlen = sizeof (struct esp) + sav->ivlen;
-- 
cgit v1.1