sys/netipsec/xform_esp.c
Show First 20 Lines • Show All 256 Lines • ▼ Show 20 Lines | esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) | ||||
const struct auth_hash *esph; | const struct auth_hash *esph; | ||||
const struct enc_xform *espx; | const struct enc_xform *espx; | ||||
struct xform_data *xd; | struct xform_data *xd; | ||||
struct cryptop *crp; | struct cryptop *crp; | ||||
struct newesp *esp; | struct newesp *esp; | ||||
uint8_t *ivp; | uint8_t *ivp; | ||||
crypto_session_t cryptoid; | crypto_session_t cryptoid; | ||||
int alen, error, hlen, plen; | int alen, error, hlen, plen; | ||||
uint32_t seqh; | |||||
IPSEC_ASSERT(sav != NULL, ("null SA")); | IPSEC_ASSERT(sav != NULL, ("null SA")); | ||||
IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform")); | IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform")); | ||||
error = EINVAL; | error = EINVAL; | ||||
/* Valid IP Packet length ? */ | /* Valid IP Packet length ? */ | ||||
if ( (skip&3) || (m->m_pkthdr.len&3) ){ | if ( (skip&3) || (m->m_pkthdr.len&3) ){ | ||||
DPRINTF(("%s: misaligned packet, skip %u pkt len %u", | DPRINTF(("%s: misaligned packet, skip %u pkt len %u", | ||||
▲ Show 20 Lines • Show All 42 Lines • ▼ Show 20 Lines | if ((plen & (espx->blocksize - 1)) || (plen <= 0)) { | ||||
goto bad; | goto bad; | ||||
} | } | ||||
/* | /* | ||||
* Check sequence number. | * Check sequence number. | ||||
*/ | */ | ||||
SECASVAR_LOCK(sav); | SECASVAR_LOCK(sav); | ||||
if (esph != NULL && sav->replay != NULL && sav->replay->wsize != 0) { | if (esph != NULL && sav->replay != NULL && sav->replay->wsize != 0) { | ||||
if (ipsec_chkreplay(ntohl(esp->esp_seq), sav) == 0) { | if (ipsec_chkreplay(ntohl(esp->esp_seq), &seqh, sav) == 0) { | ||||
SECASVAR_UNLOCK(sav); | SECASVAR_UNLOCK(sav); | ||||
DPRINTF(("%s: packet replay check for %s\n", __func__, | DPRINTF(("%s: packet replay check for %s\n", __func__, | ||||
ipsec_sa2str(sav, buf, sizeof(buf)))); | ipsec_sa2str(sav, buf, sizeof(buf)))); | ||||
ESPSTAT_INC(esps_replay); | ESPSTAT_INC(esps_replay); | ||||
error = EACCES; | error = EACCES; | ||||
goto bad; | goto bad; | ||||
} | } | ||||
} | } | ||||
▲ Show 20 Lines • Show All 399 Lines • ▼ Show 20 Lines | #endif /* INET6 */ | ||||
if (sav->replay) { | if (sav->replay) { | ||||
uint32_t replay; | uint32_t replay; | ||||
#ifdef REGRESSION | #ifdef REGRESSION | ||||
/* Emulate replay attack when ipsec_replay is TRUE. */ | /* Emulate replay attack when ipsec_replay is TRUE. */ | ||||
if (!V_ipsec_replay) | if (!V_ipsec_replay) | ||||
#endif | #endif | ||||
sav->replay->count++; | sav->replay->count++; | ||||
replay = htonl(sav->replay->count); | replay = htonl((uint32_t)sav->replay->count); | ||||
bcopy((caddr_t) &replay, mtod(mo, caddr_t) + roff + | bcopy((caddr_t) &replay, mtod(mo, caddr_t) + roff + | ||||
sizeof(uint32_t), sizeof(uint32_t)); | sizeof(uint32_t), sizeof(uint32_t)); | ||||
} | } | ||||
cryptoid = sav->tdb_cryptoid; | cryptoid = sav->tdb_cryptoid; | ||||
if (SAV_ISCTRORGCM(sav)) | if (SAV_ISCTRORGCM(sav)) | ||||
cntr = sav->cntr++; | cntr = sav->cntr++; | ||||
SECASVAR_UNLOCK(sav); | SECASVAR_UNLOCK(sav); | ||||
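Review bot: `seqh` is declared without an initializer at `uint32_t seqh;` and is presumably only written through the `&seqh` argument of `ipsec_chkreplay()` inside the `esph != NULL && sav->replay != NULL && sav->replay->wsize != 0` branch, so for an SA with no replay window it still holds an indeterminate value when esp_input continues past this hunk; if the high-order ESN bits are later fed into the ICV computation for such an SA (likely the reason the value is captured here, but confirm against the rest of esp_input), that is a read of uninitialized storage. Initializing it at the declaration, `uint32_t seqh = 0;`, removes the hazard regardless of how the later code is structured, and a non-ESN SA has no high-order bits to contribute anyway. In esp_output the cast in `replay = htonl((uint32_t)sav->replay->count);` truncates the counter deliberately, but it reads like a width-mismatch workaround; a one-line comment such as `/* Only the low 32 bits of the (possibly 64-bit ESN) counter go on the wire. */` would make the intent explicit, and it is worth confirming that a non-ESN SA still detects the low-32-bit wrap rather than having it masked by the cast. Both esp_input and esp_output begin and end outside the visible hunks.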