Add missing code needed for the detection of IPSec packet replays. [1]
Correctly identify the user running opiepasswd(1) when the login name differs from the account name. [2] Security: FreeBSD-SA-06:11.ipsec [1] Security: FreeBSD-SA-06:12.opie [2]
This commit is contained in:
parent
d663b33f93
commit
e66460b894
@ -118,11 +118,18 @@ int main FUNCTION((argc, argv), int argc AND char *argv[])
|
||||
struct opie opie;
|
||||
int rval, n = 499, i, mode = MODE_DEFAULT, force = 0;
|
||||
char seed[OPIE_SEED_MAX+1];
|
||||
char *username;
|
||||
uid_t ruid;
|
||||
struct passwd *pp;
|
||||
|
||||
memset(seed, 0, sizeof(seed));
|
||||
|
||||
if (!(pp = getpwnam(getlogin()))) {
|
||||
ruid = getuid();
|
||||
username = getlogin();
|
||||
pp = getpwnam(username);
|
||||
if (username == NULL || pp == NULL || pp->pw_uid != ruid)
|
||||
pp = getpwuid(ruid);
|
||||
if (pp == NULL) {
|
||||
fprintf(stderr, "Who are you?");
|
||||
return 1;
|
||||
}
|
||||
|
@ -555,6 +555,23 @@ esp_input_cb(struct cryptop *crp)
|
||||
*/
|
||||
m->m_flags |= M_DECRYPTED;
|
||||
|
||||
/*
|
||||
* Update replay sequence number, if appropriate.
|
||||
*/
|
||||
if (sav->replay) {
|
||||
u_int32_t seq;
|
||||
|
||||
m_copydata(m, skip + offsetof(struct newesp, esp_seq),
|
||||
sizeof (seq), (caddr_t) &seq);
|
||||
if (ipsec_updatereplay(ntohl(seq), sav)) {
|
||||
DPRINTF(("%s: packet replay check for %s\n", __func__,
|
||||
ipsec_logsastr(sav)));
|
||||
espstat.esps_replay++;
|
||||
error = ENOBUFS;
|
||||
goto bad;
|
||||
}
|
||||
}
|
||||
|
||||
/* Determine the ESP header length */
|
||||
if (sav->flags & SADB_X_EXT_OLD)
|
||||
hlen = sizeof (struct esp) + sav->ivlen;
|
||||
|
Loading…
Reference in New Issue
Block a user