Page MenuHomeFreeBSD
Differential D22367

Implement anti-replay algorithm with ESN support
ClosedPublic
Actions

Authored by jaz_semihalf.com on Nov 14 2019, 12:27 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Jan 4, 7:25 AM
Unknown Object (File)
Wed, Dec 18, 12:32 AM
Unknown Object (File)
Dec 17 2024, 3:51 AM
Unknown Object (File)
Dec 4 2024, 4:16 AM
Unknown Object (File)
Dec 1 2024, 3:09 AM
Unknown Object (File)
Dec 1 2024, 3:09 AM
Unknown Object (File)
Dec 1 2024, 3:09 AM
Unknown Object (File)
Nov 29 2024, 9:34 AM
View All Files
Subscribers
ae
gordon
imp
melifaro

Details

Reviewers
mw
wma
jmg
pdk_semihalf.com
jhb
trasz
Group Reviewers
secteam
security
Commits
rS366757: Implement anti-replay algorithm with ESN support
Summary

As RFC 4304 describes there is anti-replay algorithm responsibility
to provide appropriate value of Extended Sequence Number.

This patch introduces anti-replay algorithm with ESN support based on
RFC 4304, however to avoid performance regressions window implementation
was based on RFC 6479, which was already implemented in FreeBSD.

To keep things clean and improve code readability, implementation of window
is kept in separate functions.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

pdk_semihalf.com created this revision.Nov 14 2019, 12:27 PM
Herald added subscribers: ae, imp. · View Herald TranscriptNov 14 2019, 12:27 PM
pdk_semihalf.com added a reviewer: jmg.Nov 14 2019, 12:34 PM
pdk_semihalf.com added a comment.Jan 2 2020, 4:19 PM

@secteam Do you have any objections to this patch?

gordon added a subscriber: gordon.Jan 2 2020, 7:03 PM

I don't think secteam is the right reviewer for this change. Has this been reviewed by folks on the freebsd-net mailing list?

pdk_semihalf.com added a comment.Jan 7 2020, 9:57 AM
In D22367#504144, @gordon wrote:

I don't think secteam is the right reviewer for this change. Has this been reviewed by folks on the freebsd-net mailing list?

Secteam was added automatically. As far as I know their approval is neseccary to push commit into tree.
At this time no one reviewed it. I must admit that I don't really know who should review IPSec related patches. If you know someone who can review this patch feel free to add.

trasz resigned from this revision.Jan 14 2020, 2:32 PM
jaz_semihalf.com commandeered this revision.May 14 2020, 2:21 PM
jaz_semihalf.com added a reviewer: pdk_semihalf.com.
Herald added a subscriber: melifaro. · View Herald TranscriptMay 14 2020, 2:21 PM
jaz_semihalf.com updated this revision to Diff 71772.May 14 2020, 2:23 PM

Rebase + improvements in sys/netipsec/key_debug.c which came out after enabling IPSEC_DEBUG

jaz_semihalf.com updated this revision to Diff 76981.Sep 13 2020, 5:45 PM

Rebase to HEAD

jaz_semihalf.com added a reviewer: jhb.Sep 24 2020, 4:22 PM
jhb added a comment.Sep 24 2020, 10:14 PM

I'm not intimately familiar with IPsec replay detection, but this look to me from a cursory review.

sys/netipsec/ipsec.c
1184 ↗(On Diff #76981)
1337 ↗(On Diff #76981)
jhb added a child revision: D22368: Improve sequence number overflow detection in AH protocol.Sep 24 2020, 10:14 PM
jhb mentioned this in D22368: Improve sequence number overflow detection in AH protocol.
jaz_semihalf.com updated this revision to Diff 77833.Oct 3 2020, 10:31 PM

Address @jhb review: improve some comments and squash D22368 changes into this one.

jaz_semihalf.com marked 2 inline comments as done.Oct 3 2020, 10:32 PM
jhb accepted this revision.Oct 5 2020, 5:39 PM
This revision is now accepted and ready to land.Oct 5 2020, 5:39 PM
Closed by commit rS366757: Implement anti-replay algorithm with ESN support (authored by mw). · Explain WhyOct 16 2020, 11:24 AM
This revision was automatically updated to reflect the committed changes.
mw added a commit: rS366757: Implement anti-replay algorithm with ESN support.

Revision Contents
Changeset List

PathSize
head/
sys/
netipsec/
2 lines
293 lines
4 lines
5 lines
9 lines
5 lines

Diff 78306

View Options

head/sys/netipsec/ipsec.h

Loading...
View Options

head/sys/netipsec/ipsec.c

Loading...
View Options

head/sys/netipsec/key_debug.c

Loading...
View Options

head/sys/netipsec/keydb.h

Loading...
View Options

head/sys/netipsec/xform_ah.c

Loading...
View Options

head/sys/netipsec/xform_esp.c

Loading...