authorMike Belopuhov <mikeb@cvs.openbsd.org>2012-06-29 15:05:50 +0000
committerMike Belopuhov <mikeb@cvs.openbsd.org>2012-06-29 15:05:50 +0000
commit63bedb40764baf2de207e1e9c746d542088dd89c (patch)
treec0b4ea0724426eb0436563c3ccf77c2007476bc6 /sbin
parente91992f52a22a0dab6b9b41462ff1cef325170a0 (diff)
Add missing ESN bits
Diffstat (limited to 'sbin')
-rw-r--r--sbin/iked/iked.h3
-rw-r--r--sbin/iked/ikev2.c20
-rw-r--r--sbin/iked/ikev2.h3
-rw-r--r--sbin/iked/parse.y3
-rw-r--r--sbin/iked/pfkey.c7
5 files changed, 24 insertions, 12 deletions
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index 33fbb2a4f72..969c9c8c74c 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.50 2012/06/26 11:00:28 mikeb Exp $ */
+/* $OpenBSD: iked.h,v 1.51 2012/06/29 15:05:49 mikeb Exp $ */
/* $vantronix: iked.h,v 1.61 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -164,6 +164,7 @@ struct iked_childsa {
u_int8_t csa_rekey; /* will be deleted */
u_int8_t csa_allocated; /* from the kernel */
u_int8_t csa_persistent;/* do not rekey */
+ u_int8_t csa_esn; /* use ESN */
struct iked_spi csa_spi;
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index e17647192c2..64dfd976b28 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.69 2012/06/26 11:05:43 mikeb Exp $ */
+/* $OpenBSD: ikev2.c,v 1.70 2012/06/29 15:05:49 mikeb Exp $ */
/* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -89,7 +89,7 @@ int ikev2_childsa_negotiate(struct iked *, struct iked_sa *, int);
int ikev2_match_proposals(struct iked_proposal *, struct iked_proposal *,
struct iked_transform **);
int ikev2_valid_proposal(struct iked_proposal *,
- struct iked_transform **, struct iked_transform **);
+ struct iked_transform **, struct iked_transform **, int *);
ssize_t ikev2_add_proposals(struct iked *, struct iked_sa *, struct ibuf *,
struct iked_proposals *, u_int8_t, int, int);
@@ -3400,7 +3400,7 @@ ikev2_childsa_negotiate(struct iked *env, struct iked_sa *sa, int initiator)
u_int32_t spi = 0;
u_int i;
size_t ilen = 0;
- int skip, ret = -1;
+ int esn, skip, ret = -1;
if (!sa_stateok(sa, IKEV2_STATE_VALID))
return (-1);
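Review bot: `esn` in the new declaration `int esn, skip, ret = -1;` is left uninitialized, unlike `ret`, and it later becomes a kernel SA flag via `csa->csa_esn`. On the visible path `ikev2_valid_proposal()` writes `*esn` only just before its final `return (0)`, and the caller skips the proposal on a non-zero return, so the read is defined today, but any future early `return (0)` in that function would turn this into an uninitialized read that silently decides whether ESN is enabled. Since the value is security relevant, initialize it defensively: `int esn = 0, skip, ret = -1;`. ikev2_childsa_negotiate()'s body begins and ends outside this hunk.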
@@ -3457,7 +3457,7 @@ ikev2_childsa_negotiate(struct iked *env, struct iked_sa *sa, int initiator)
/* Create the new flows */
TAILQ_FOREACH(prop, &sa->sa_proposals, prop_entry) {
- if (ikev2_valid_proposal(prop, NULL, NULL) != 0)
+ if (ikev2_valid_proposal(prop, NULL, NULL, NULL) != 0)
continue;
RB_FOREACH(flow, iked_flows, &sa->sa_policy->pol_flows) {
@@ -3508,7 +3508,7 @@ ikev2_childsa_negotiate(struct iked *env, struct iked_sa *sa, int initiator)
/* create the CHILD SAs using the key material */
TAILQ_FOREACH(prop, &sa->sa_proposals, prop_entry) {
- if (ikev2_valid_proposal(prop, &encrxf, &integrxf) != 0)
+ if (ikev2_valid_proposal(prop, &encrxf, &integrxf, &esn) != 0)
continue;
spi = 0;
@@ -3523,6 +3523,7 @@ ikev2_childsa_negotiate(struct iked *env, struct iked_sa *sa, int initiator)
csa->csa_srcid = localid;
csa->csa_dstid = peerid;
csa->csa_spi.spi_protoid = prop->prop_protoid;
+ csa->csa_esn = esn;
/* Set up responder's SPIs */
if (initiator) {
@@ -3698,10 +3699,10 @@ ikev2_childsa_delete(struct iked *env, struct iked_sa *sa, u_int8_t saproto,
int
ikev2_valid_proposal(struct iked_proposal *prop,
- struct iked_transform **exf, struct iked_transform **ixf)
+ struct iked_transform **exf, struct iked_transform **ixf, int *esn)
{
struct iked_transform *xform, *encrxf, *integrxf;
- u_int i;
+ u_int i, doesn = 0;
switch (prop->prop_protoid) {
case IKEV2_SAPROTO_ESP:
@@ -3718,6 +3719,9 @@ ikev2_valid_proposal(struct iked_proposal *prop,
encrxf = xform;
else if (xform->xform_type == IKEV2_XFORMTYPE_INTEGR)
integrxf = xform;
+ else if (xform->xform_type == IKEV2_XFORMTYPE_ESN &&
+ xform->xform_id == IKEV2_XFORMESN_ESN)
+ doesn = 1;
}
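Review bot: The new branch only recognizes `IKEV2_XFORMESN_ESN`; an ESN transform carrying any other id leaves `doesn` at 0 and the proposal appears to still be reported valid, so the SA would be installed without ESN rather than rejected. If ikev2_match_proposals() already drops unknown ESN ids this is harmless, but that is not visible here; a cheap belt-and-braces check is an extra branch `else if (xform->xform_type == IKEV2_XFORMTYPE_ESN && xform->xform_id != IKEV2_XFORMESN_NONE) return (-1);` so an unrecognized ESN id fails the proposal instead of defaulting to no-ESN. This loop is inside ikev2_valid_proposal(), whose body continues past the hunk.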
if (prop->prop_protoid == IKEV2_SAPROTO_IKE) {
@@ -3735,6 +3739,8 @@ ikev2_valid_proposal(struct iked_proposal *prop,
*exf = encrxf;
if (ixf)
*ixf = integrxf;
+ if (esn)
+ *esn = doesn;
return (0);
}
diff --git a/sbin/iked/ikev2.h b/sbin/iked/ikev2.h
index 29e5067ad5e..4187cd03f3b 100644
--- a/sbin/iked/ikev2.h
+++ b/sbin/iked/ikev2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.h,v 1.7 2012/05/07 10:58:38 mikeb Exp $ */
+/* $OpenBSD: ikev2.h,v 1.8 2012/06/29 15:05:49 mikeb Exp $ */
/* $vantronix: ikev2.h,v 1.27 2010/05/19 12:20:30 reyk Exp $ */
/*
@@ -51,6 +51,7 @@ extern size_t ikev2_default_nike_transforms;
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 }, \
{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },\
{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 },\
+ { IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_ESN }, \
{ IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_NONE }, \
}
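Review bot: Placing `{ IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_ESN }` ahead of the NONE entry changes the default policy to prefer ESN, which is the right default for high-rate SAs but is easy to miss because it relies on list order alone; peers that support ESN will now negotiate it by default, so the local kernel must honor `SADB_X_SAFLAGS_ESN` or the later SA add will presumably fail rather than fall back to plain sequence numbers. A one-line comment would make the intent explicit: `/* order expresses preference: ESN (RFC 4303 2.2.1) before no ESN */`. The initializer this hunk modifies starts before the hunk.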
diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index 2256b905f5b..afb6484544a 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.24 2012/05/08 08:53:14 mikeb Exp $ */
+/* $OpenBSD: parse.y,v 1.25 2012/06/29 15:05:49 mikeb Exp $ */
/* $vantronix: parse.y,v 1.22 2010/06/03 11:08:34 reyk Exp $ */
/*
@@ -108,6 +108,7 @@ struct ipsec_transforms {
const struct ipsec_xf *prfxf;
const struct ipsec_xf *encxf;
const struct ipsec_xf *groupxf;
+ const struct ipsec_xf *esnxf;
};
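Review bot: `esnxf` is added to `struct ipsec_transforms` but nothing in this commit sets or reads it — the diffstat shows parse.y gaining only this line besides the version header — so the field is dead and iked.conf cannot yet enable or disable ESN per policy; the choice comes solely from the default transform list in ikev2.h. Either wire the field into the grammar and the proposal builder here, or mark it so the gap is visible: `const struct ipsec_xf *esnxf; /* XXX not yet settable from iked.conf */`. The struct definition begins outside the hunk.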
struct ipsec_mode {
diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c
index 11b25111cc4..a82dae0ae0b 100644
--- a/sbin/iked/pfkey.c
+++ b/sbin/iked/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.17 2012/03/24 00:40:25 jsg Exp $ */
+/* $OpenBSD: pfkey.c,v 1.18 2012/06/29 15:05:49 mikeb Exp $ */
/* $vantronix: pfkey.c,v 1.11 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -475,11 +475,14 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, struct iked_childsa *sa)
sadb.sadb_sa_exttype = SADB_EXT_SA;
sadb.sadb_sa_spi = htonl(sa->csa_spi.spi);
sadb.sadb_sa_state = SADB_SASTATE_MATURE;
- sadb.sadb_sa_replay = 16;
+ sadb.sadb_sa_replay = 64;
/* XXX we don't support transport mode, yet */
sadb.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
+ if (sa->csa_esn)
+ sadb.sadb_sa_flags |= SADB_X_SAFLAGS_ESN;
+
bzero(&sa_src, sizeof(sa_src));
sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
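Review bot: Changing `sadb.sadb_sa_replay = 16;` to `64` widens the anti-replay window for every SA, ESN or not, which is not covered by the commit title and should be documented in place, e.g. `/* RFC 4303 3.4.3: a 64-packet replay window is the recommended default */`. The `SADB_X_SAFLAGS_ESN` flag is derived only from `sa->csa_esn`, so any CHILD SA that reaches pfkey_sa() without passing through ikev2_childsa_negotiate() would presumably carry `csa_esn == 0` and be installed without ESN even if the peer negotiated it — worth confirming against the other callers. pfkey_sa()'s body begins and ends outside this hunk.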