Add missing code needed for the detection of IPSec packet replays. [1]

Correctly identify the user running opiepasswd(1) when the login name differs from the account name. [2] Security: FreeBSD-SA-06:11.ipsec [1] Security: FreeBSD-SA-06:12.opie [2]
svn path=/head/; revision=156997
2024-11-24 01:07:21 +01:00 · 2006-03-22 16:00:42 +00:00 · 2006-03-22 16:00:42 +00:00 · d16f6f5027 · 2020-12-20 02:59:44 +00:00
commit d16f6f5027
parent e72f58bbd9
2 changed files with 25 additions and 1 deletions
--- a/contrib/opie/opiepasswd.c
+++ b/contrib/opie/opiepasswd.c
@ -118,11 +118,18 @@ int main FUNCTION((argc, argv), int argc AND char *argv[])
  struct opie opie;
  int rval, n = 499, i, mode = MODE_DEFAULT, force = 0;
  char seed[OPIE_SEED_MAX+1];
+  char *username;
+  uid_t ruid;
  struct passwd *pp;

  memset(seed, 0, sizeof(seed));

-  if (!(pp = getpwnam(getlogin()))) {
+  ruid = getuid();
+  username = getlogin();
+  pp = getpwnam(username);
+  if (username == NULL || pp == NULL || pp->pw_uid != ruid)
+    pp = getpwuid(ruid);
+  if (pp == NULL) {
    fprintf(stderr, "Who are you?");
    return 1;
  }
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@ -555,6 +555,23 @@ esp_input_cb(struct cryptop *crp)
 	 */
 	m->m_flags |= M_DECRYPTED;

+	/*
+	 * Update replay sequence number, if appropriate.
+	 */
+	if (sav->replay) {
+		u_int32_t seq;
+
+		m_copydata(m, skip + offsetof(struct newesp, esp_seq),
+			   sizeof (seq), (caddr_t) &seq);
+		if (ipsec_updatereplay(ntohl(seq), sav)) {
+			DPRINTF(("%s: packet replay check for %s\n", __func__,
+			    ipsec_logsastr(sav)));
+			espstat.esps_replay++;
+			error = ENOBUFS;
+			goto bad;
+		}
+	}
+
 	/* Determine the ESP header length */
 	if (sav->flags & SADB_X_EXT_OLD)
 		hlen = sizeof (struct esp) + sav->ivlen;