Add missing code needed for the detection of IPSec packet replays. [1]

Correctly identify the user running opiepasswd(1) when the login name
differs from the account name. [2]

Security:	FreeBSD-SA-06:11.ipsec [1]
Security:	FreeBSD-SA-06:12.opie [2]

contrib/opie/opiepasswd.c

@@ -118,11 +118,18 @@ int main FUNCTION((argc, argv), int argc AND char *argv[])
   struct opie opie;
   int rval, n = 499, i, mode = MODE_DEFAULT, force = 0;
   char seed[OPIE_SEED_MAX+1];
+  char *username;
+  uid_t ruid;
   struct passwd *pp;
 
   memset(seed, 0, sizeof(seed));
 
-  if (!(pp = getpwnam(getlogin()))) {
+  ruid = getuid();
+  username = getlogin();
+  pp = getpwnam(username);
+  if (username == NULL || pp == NULL || pp->pw_uid != ruid)
+    pp = getpwuid(ruid);
+  if (pp == NULL) {
     fprintf(stderr, "Who are you?");
     return 1;
   }

sys/netipsec/xform_esp.c

@@ -555,6 +555,23 @@ esp_input_cb(struct cryptop *crp)
 	 */
 	m->m_flags |= M_DECRYPTED;
 
+	/*
+	 * Update replay sequence number, if appropriate.
+	 */
+	if (sav->replay) {
+		u_int32_t seq;
+
+		m_copydata(m, skip + offsetof(struct newesp, esp_seq),
+			   sizeof (seq), (caddr_t) &seq);
+		if (ipsec_updatereplay(ntohl(seq), sav)) {
+			DPRINTF(("%s: packet replay check for %s\n", __func__,
+			    ipsec_logsastr(sav)));
+			espstat.esps_replay++;
+			error = ENOBUFS;
+			goto bad;
+		}
+	}
+
 	/* Determine the ESP header length */
 	if (sav->flags & SADB_X_EXT_OLD)
 		hlen = sizeof (struct esp) + sav->ivlen;