Changeset View
Changeset View
Standalone View
Standalone View
sys/netipsec/xform_esp.c
| Show First 20 Lines • Show All 256 Lines • ▼ Show 20 Lines | esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) | ||||
| const struct auth_hash *esph; | const struct auth_hash *esph; | ||||
| const struct enc_xform *espx; | const struct enc_xform *espx; | ||||
| struct xform_data *xd; | struct xform_data *xd; | ||||
| struct cryptop *crp; | struct cryptop *crp; | ||||
| struct newesp *esp; | struct newesp *esp; | ||||
| uint8_t *ivp; | uint8_t *ivp; | ||||
| crypto_session_t cryptoid; | crypto_session_t cryptoid; | ||||
| int alen, error, hlen, plen; | int alen, error, hlen, plen; | ||||
| uint32_t seqh; | |||||
| IPSEC_ASSERT(sav != NULL, ("null SA")); | IPSEC_ASSERT(sav != NULL, ("null SA")); | ||||
| IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform")); | IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform")); | ||||
| error = EINVAL; | error = EINVAL; | ||||
| /* Valid IP Packet length ? */ | /* Valid IP Packet length ? */ | ||||
| if ( (skip&3) || (m->m_pkthdr.len&3) ){ | if ( (skip&3) || (m->m_pkthdr.len&3) ){ | ||||
| DPRINTF(("%s: misaligned packet, skip %u pkt len %u", | DPRINTF(("%s: misaligned packet, skip %u pkt len %u", | ||||
| ▲ Show 20 Lines • Show All 42 Lines • ▼ Show 20 Lines | if ((plen & (espx->blocksize - 1)) || (plen <= 0)) { | ||||
| goto bad; | goto bad; | ||||
| } | } | ||||
| /* | /* | ||||
| * Check sequence number. | * Check sequence number. | ||||
| */ | */ | ||||
| SECASVAR_LOCK(sav); | SECASVAR_LOCK(sav); | ||||
| if (esph != NULL && sav->replay != NULL && sav->replay->wsize != 0) { | if (esph != NULL && sav->replay != NULL && sav->replay->wsize != 0) { | ||||
| if (ipsec_chkreplay(ntohl(esp->esp_seq), sav) == 0) { | if (ipsec_chkreplay(ntohl(esp->esp_seq), &seqh, sav) == 0) { | ||||
| SECASVAR_UNLOCK(sav); | SECASVAR_UNLOCK(sav); | ||||
| DPRINTF(("%s: packet replay check for %s\n", __func__, | DPRINTF(("%s: packet replay check for %s\n", __func__, | ||||
| ipsec_sa2str(sav, buf, sizeof(buf)))); | ipsec_sa2str(sav, buf, sizeof(buf)))); | ||||
| ESPSTAT_INC(esps_replay); | ESPSTAT_INC(esps_replay); | ||||
| error = EACCES; | error = EACCES; | ||||
| goto bad; | goto bad; | ||||
| } | } | ||||
| } | } | ||||
| ▲ Show 20 Lines • Show All 399 Lines • ▼ Show 20 Lines | #endif /* INET6 */ | ||||
| if (sav->replay) { | if (sav->replay) { | ||||
| uint32_t replay; | uint32_t replay; | ||||
| #ifdef REGRESSION | #ifdef REGRESSION | ||||
| /* Emulate replay attack when ipsec_replay is TRUE. */ | /* Emulate replay attack when ipsec_replay is TRUE. */ | ||||
| if (!V_ipsec_replay) | if (!V_ipsec_replay) | ||||
| #endif | #endif | ||||
| sav->replay->count++; | sav->replay->count++; | ||||
| replay = htonl(sav->replay->count); | replay = htonl((uint32_t)sav->replay->count); | ||||
| bcopy((caddr_t) &replay, mtod(mo, caddr_t) + roff + | bcopy((caddr_t) &replay, mtod(mo, caddr_t) + roff + | ||||
| sizeof(uint32_t), sizeof(uint32_t)); | sizeof(uint32_t), sizeof(uint32_t)); | ||||
| } | } | ||||
| cryptoid = sav->tdb_cryptoid; | cryptoid = sav->tdb_cryptoid; | ||||
| if (SAV_ISCTRORGCM(sav)) | if (SAV_ISCTRORGCM(sav)) | ||||
| cntr = sav->cntr++; | cntr = sav->cntr++; | ||||
| SECASVAR_UNLOCK(sav); | SECASVAR_UNLOCK(sav); | ||||
| ▲ Show 20 Lines • Show All 222 Lines • Show Last 20 Lines | |||||