sys/netipsec/xform_ah.c
{ | { | ||||
IPSEC_DEBUG_DECLARE(char buf[128]); | IPSEC_DEBUG_DECLARE(char buf[128]); | ||||
const struct auth_hash *ahx; | const struct auth_hash *ahx; | ||||
struct cryptop *crp; | struct cryptop *crp; | ||||
struct xform_data *xd; | struct xform_data *xd; | ||||
struct newah *ah; | struct newah *ah; | ||||
crypto_session_t cryptoid; | crypto_session_t cryptoid; | ||||
int hl, rplen, authsize, ahsize, error; | int hl, rplen, authsize, ahsize, error; | ||||
uint32_t seqh; | |||||
IPSEC_ASSERT(sav != NULL, ("null SA")); | IPSEC_ASSERT(sav != NULL, ("null SA")); | ||||
IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key")); | IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key")); | ||||
IPSEC_ASSERT(sav->tdb_authalgxform != NULL, | IPSEC_ASSERT(sav->tdb_authalgxform != NULL, | ||||
("null authentication xform")); | ("null authentication xform")); | ||||
/* Figure out header size. */ | /* Figure out header size. */ | ||||
rplen = HDRSIZE(sav); | rplen = HDRSIZE(sav); | ||||
if (m->m_len < skip + rplen) { | if (m->m_len < skip + rplen) { | ||||
m = m_pullup(m, skip + rplen); | m = m_pullup(m, skip + rplen); | ||||
if (m == NULL) { | if (m == NULL) { | ||||
DPRINTF(("ah_input: cannot pullup header\n")); | DPRINTF(("ah_input: cannot pullup header\n")); | ||||
AHSTAT_INC(ahs_hdrops); /*XXX*/ | AHSTAT_INC(ahs_hdrops); /*XXX*/ | ||||
error = ENOBUFS; | error = ENOBUFS; | ||||
goto bad; | goto bad; | ||||
} | } | ||||
} | } | ||||
ah = (struct newah *)(mtod(m, caddr_t) + skip); | ah = (struct newah *)(mtod(m, caddr_t) + skip); | ||||
/* Check replay window, if applicable. */ | /* Check replay window, if applicable. */ | ||||
SECASVAR_LOCK(sav); | SECASVAR_LOCK(sav); | ||||
if (sav->replay != NULL && sav->replay->wsize != 0 && | if (sav->replay != NULL && sav->replay->wsize != 0 && | ||||
ipsec_chkreplay(ntohl(ah->ah_seq), sav) == 0) { | ipsec_chkreplay(ntohl(ah->ah_seq), &seqh, sav) == 0) { | ||||
SECASVAR_UNLOCK(sav); | SECASVAR_UNLOCK(sav); | ||||
AHSTAT_INC(ahs_replay); | AHSTAT_INC(ahs_replay); | ||||
DPRINTF(("%s: packet replay failure: %s\n", __func__, | DPRINTF(("%s: packet replay failure: %s\n", __func__, | ||||
ipsec_sa2str(sav, buf, sizeof(buf)))); | ipsec_sa2str(sav, buf, sizeof(buf)))); | ||||
error = EACCES; | error = EACCES; | ||||
goto bad; | goto bad; | ||||
} | } | ||||
cryptoid = sav->tdb_cryptoid; | cryptoid = sav->tdb_cryptoid; | ||||
▲ Show 20 Lines • Show All 366 Lines • ▼ Show 20 Lines | if (sav->replay->count == ~0 && | ||||
error = EACCES; | error = EACCES; | ||||
goto bad; | goto bad; | ||||
} | } | ||||
#ifdef REGRESSION | #ifdef REGRESSION | ||||
/* Emulate replay attack when ipsec_replay is TRUE. */ | /* Emulate replay attack when ipsec_replay is TRUE. */ | ||||
if (!V_ipsec_replay) | if (!V_ipsec_replay) | ||||
#endif | #endif | ||||
sav->replay->count++; | sav->replay->count++; | ||||
ah->ah_seq = htonl(sav->replay->count); | ah->ah_seq = htonl((uint32_t)sav->replay->count); | ||||
} | } | ||||
cryptoid = sav->tdb_cryptoid; | cryptoid = sav->tdb_cryptoid; | ||||
SECASVAR_UNLOCK(sav); | SECASVAR_UNLOCK(sav); | ||||
/* Get crypto descriptors. */ | /* Get crypto descriptors. */ | ||||
crp = crypto_getreq(cryptoid, M_NOWAIT); | crp = crypto_getreq(cryptoid, M_NOWAIT); | ||||
if (crp == NULL) { | if (crp == NULL) { | ||||
DPRINTF(("%s: failed to acquire crypto descriptors\n", | DPRINTF(("%s: failed to acquire crypto descriptors\n", | ||||
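Review bot: The explicit `(uint32_t)` truncation added on the `ah->ah_seq = htonl(...)` line in ah_output implies `sav->replay->count` is now wider than the 32-bit sequence field that goes on the wire, but the exhaustion test that precedes it (`if (sav->replay->count == ~0 &&`, on the partly collapsed line above) still only fires when the full counter is all ones; for an SA that is not using extended sequence numbers the low 32 bits would wrap through zero and keep being transmitted, which the peer's anti-replay window will then treat as replays or, worse, accept as a fresh window. Unless the hidden remainder of that condition already handles it, the non-ESN case should also trip on the low word, e.g. `if ((sav->replay->count == ~0 || (!esn && (uint32_t)sav->replay->count == ~0)) &&` where `esn` is however this patch records the SA's ESN mode. In ah_input, `uint32_t seqh;` is only assigned on the path where the replay window is checked; if the later (not shown) use of `seqh` is conditioned on ESN rather than on `sav->replay->wsize != 0`, it reads an uninitialized stack value whenever an ESN SA has no replay window, so either initialize it (`uint32_t seqh = 0;`) or assert that ESN implies a non-zero window. Both ah_input and ah_output begin and end outside this hunk.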