authorMarkus Friedl <markus@cvs.openbsd.org>2012-10-18 10:49:49 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2012-10-18 10:49:49 +0000
commit814a8549472749080b04fc1a4c291134ef69728f (patch)
treebc9643fdbc2264b54bac57edd75a99738ae6f570 /sys
parentbf46ee06e9fc03ec2b42c42502e8dfcb232c05ba (diff)
simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_ah.c40
-rw-r--r--sys/netinet/ip_esp.c66
-rw-r--r--sys/netinet/ip_ipsp.h5
3 files changed, 66 insertions, 45 deletions
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index b60215e965b..243c82a7264 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.103 2012/09/26 14:53:23 markus Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.104 2012/10/18 10:49:48 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -568,36 +568,36 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
sizeof(u_int32_t), (caddr_t) &btsx);
btsx = ntohl(btsx);
- switch (checkreplaywindow(btsx, &tdb->tdb_rpl, tdb->tdb_wnd,
- &tdb->tdb_bitmap, &esn, tdb->tdb_flags & TDBF_ESN, 0)) {
+ switch (checkreplaywindow(tdb, btsx, &esn, 0)) {
case 0: /* All's well. */
break;
-
case 1:
+ m_freem(m);
DPRINTF(("ah_input(): replay counter wrapped for "
"SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
ntohl(tdb->tdb_spi)));
-
ahstat.ahs_wrap++;
- m_freem(m);
return ENOBUFS;
-
case 2:
+ m_freem(m);
+ DPRINTF(("ah_input(): old packet received in "
+ "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
+ ntohl(tdb->tdb_spi)));
+ ahstat.ahs_replay++;
+ return ENOBUFS;
case 3:
+ m_freem(m);
DPRINTF(("ah_input(): duplicate packet received in "
"SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
ntohl(tdb->tdb_spi)));
-
ahstat.ahs_replay++;
- m_freem(m);
return ENOBUFS;
-
default:
+ m_freem(m);
DPRINTF(("ah_input(): bogus value from "
"checkreplaywindow() in SA %s/%08x\n",
ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
-
- m_freem(m);
+ ahstat.ahs_replay++;
return ENOBUFS;
}
}
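Review bot: The new `default:` arm now bumps `ahstat.ahs_replay++` for a return value that is not a replay verdict at all, so an internal inconsistency in checkreplaywindow() would be reported to operators as replayed traffic; the same change appears in ah_input_cb(), esp_input() and esp_input_cb() in this commit. As far as the comment above checkreplaywindow() documents, the function only returns 0..3, so this arm should be unreachable; leaving it uncounted as before, or counting it separately, keeps the replay counter meaningful for detection. At minimum a comment would make the intent explicit: `default: /* unreachable: checkreplaywindow() returns 0..3; counted as replay only to keep the stat monotonic */`. The body of ah_input() continues outside this hunk.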
@@ -852,38 +852,38 @@ ah_input_cb(void *op)
sizeof(u_int32_t), (caddr_t) &btsx);
btsx = ntohl(btsx);
- switch (checkreplaywindow(btsx, &tdb->tdb_rpl, tdb->tdb_wnd,
- &tdb->tdb_bitmap, &esn, tdb->tdb_flags & TDBF_ESN, 1)) {
+ switch (checkreplaywindow(tdb, btsx, &esn, 1)) {
case 0: /* All's well. */
#if NPFSYNC > 0
pfsync_update_tdb(tdb,0);
#endif
break;
-
case 1:
DPRINTF(("ah_input(): replay counter wrapped for "
"SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
ntohl(tdb->tdb_spi)));
-
ahstat.ahs_wrap++;
error = ENOBUFS;
goto baddone;
-
case 2:
+ DPRINTF(("ah_input_cb(): old packet received in "
+ "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
+ ntohl(tdb->tdb_spi)));
+ ahstat.ahs_replay++;
+ error = ENOBUFS;
+ goto baddone;
case 3:
DPRINTF(("ah_input_cb(): duplicate packet received in "
"SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
ntohl(tdb->tdb_spi)));
-
ahstat.ahs_replay++;
error = ENOBUFS;
goto baddone;
-
default:
DPRINTF(("ah_input_cb(): bogus value from "
"checkreplaywindow() in SA %s/%08x\n",
ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
-
+ ahstat.ahs_replay++;
error = ENOBUFS;
goto baddone;
}
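Review bot: The `case 1:` message in ah_input_cb() still reports itself as `ah_input()`, while the `case 2:` text added just below it correctly says `ah_input_cb()`, so a wrapped-counter event from the callback would be logged under the wrong function name. Since the commit already touches the surrounding lines to make the handling consistent, the context line should read `DPRINTF(("ah_input_cb(): replay counter wrapped for "`. The enclosing switch and ah_input_cb() continue outside this hunk.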
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index 1d724727763..40553c92e9c 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.119 2012/09/20 10:25:03 blambert Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.120 2012/10/18 10:49:48 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -364,27 +364,36 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
(unsigned char *) &btsx);
btsx = ntohl(btsx);
- switch (checkreplaywindow(btsx, &tdb->tdb_rpl, tdb->tdb_wnd,
- &tdb->tdb_bitmap, &esn, tdb->tdb_flags & TDBF_ESN, 0)) {
+ switch (checkreplaywindow(tdb, btsx, &esn, 0)) {
case 0: /* All's well */
break;
-
case 1:
m_freem(m);
- DPRINTF(("esp_input(): replay counter wrapped for SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_input(): replay counter wrapped"
+ " for SA %s/%08x\n",
+ ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
espstat.esps_wrap++;
return EACCES;
-
case 2:
+ m_freem(m);
+ DPRINTF(("esp_input(): old packet received"
+ " in SA %s/%08x\n",
+ ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ espstat.esps_replay++;
+ return EACCES;
case 3:
- DPRINTF(("esp_input(): duplicate packet received in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
m_freem(m);
+ DPRINTF(("esp_input(): duplicate packet received"
+ " in SA %s/%08x\n",
+ ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
return EACCES;
-
default:
m_freem(m);
- DPRINTF(("esp_input(): bogus value from checkreplaywindow() in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_input(): bogus value from"
+ " checkreplaywindow() in SA %s/%08x\n",
+ ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ espstat.esps_replay++;
return EACCES;
}
}
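Review bot: esp_input() returns `EACCES` for every replay-window verdict (cases 1, 2, 3 and default) while ah_input() returns `ENOBUFS` for the identical verdicts in the same commit, so the "consistent call/return code handling" in the title still differs between the two protocols; callers or tracing that key on the errno will see a replayed AH packet and a replayed ESP packet as different failures. If the split is deliberate, a one-line comment above the switch stating which errno each protocol reports and why would stop the next edit from "fixing" one side; otherwise picking a single value for both files would finish the consolidation this commit starts. The body of esp_input() continues outside this hunk.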
@@ -613,8 +622,7 @@ esp_input_cb(void *op)
(unsigned char *) &btsx);
btsx = ntohl(btsx);
- switch (checkreplaywindow(btsx, &tdb->tdb_rpl, tdb->tdb_wnd,
- &tdb->tdb_bitmap, &esn, tdb->tdb_flags & TDBF_ESN, 1)) {
+ switch (checkreplaywindow(tdb, btsx, &esn, 1)) {
case 0: /* All's well */
#if NPFSYNC > 0
pfsync_update_tdb(tdb,0);
@@ -622,20 +630,31 @@ esp_input_cb(void *op)
break;
case 1:
- DPRINTF(("esp_input_cb(): replay counter wrapped for SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_input_cb(): replay counter wrapped"
+ " for SA %s/%08x\n",
+ ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
espstat.esps_wrap++;
error = EACCES;
goto baddone;
-
case 2:
+ DPRINTF(("esp_input_cb(): old packet received"
+ " in SA %s/%08x\n",
+ ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ espstat.esps_replay++;
+ error = EACCES;
+ goto baddone;
case 3:
- DPRINTF(("esp_input_cb(): duplicate packet received in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_input_cb(): duplicate packet received"
+ " in SA %s/%08x\n",
+ ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
error = EACCES;
goto baddone;
-
default:
- DPRINTF(("esp_input_cb(): bogus value from checkreplaywindow() in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_input_cb(): bogus value from"
+ " checkreplaywindow() in SA %s/%08x\n",
+ ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ espstat.esps_replay++;
error = EACCES;
goto baddone;
}
@@ -1130,14 +1149,17 @@ setreplay(u_int64_t *bitmap, u_int32_t diff, u_int32_t window, int wupdate)
* return 3 for packet within current window but already received
*/
int
-checkreplaywindow(u_int32_t seq, u_int64_t *last, u_int32_t window,
- u_int64_t *bitmap, u_int32_t *seqhigh, int esn, int commit)
+checkreplaywindow(struct tdb *tdb, u_int32_t seq, u_int32_t *seqhigh,
+ int commit)
{
u_int32_t tl, th, wl;
u_int32_t seqh, diff;
+ u_int32_t window = tdb->tdb_wnd;
+ u_int64_t *bitmap = &tdb->tdb_bitmap;
+ int esn = tdb->tdb_flags & TDBF_ESN;
- tl = (u_int32_t)*last;
- th = (u_int32_t)(*last >> 32);
+ tl = (u_int32_t)tdb->tdb_rpl;
+ th = (u_int32_t)(tdb->tdb_rpl >> 32);
/* Zero SN is not allowed */
if (seq == 0 && tl == 0 && th == 0)
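Review bot: The function's contract changed — it now reads `tdb_rpl`, `tdb_wnd`, `tdb_bitmap` and `tdb_flags` from `tdb` and, when `commit` is nonzero, writes `tdb_rpl` back (visible in the later hunks of this file) — but the doc comment above it, whose tail is visible at "return 3 for packet within current window but already received", still only lists return values. A short parameter description would document the new side effect: `tdb` is the SA whose replay state is consulted; `seq` the low 32 bits of the received sequence number; `seqhigh` receives the reconstructed high half under ESN; `commit` nonzero advances `tdb_rpl` and the bitmap, zero makes the call a pure check. Stating that callers must hold whatever serialises access to the tdb across a check/commit pair would also be useful, though that requirement is inferred rather than visible here. checkreplaywindow() continues past the end of this hunk.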
@@ -1160,7 +1182,7 @@ checkreplaywindow(u_int32_t seq, u_int64_t *last, u_int32_t window,
return (2);
if (commit) {
setreplay(bitmap, seq - tl, window, 1);
- *last = ((u_int64_t)seqh << 32) | seq;
+ tdb->tdb_rpl = ((u_int64_t)seqh << 32) | seq;
}
} else {
if (checkreplay(bitmap, tl - seq))
@@ -1207,7 +1229,7 @@ checkreplaywindow(u_int32_t seq, u_int64_t *last, u_int32_t window,
diff = (u_int32_t)((((u_int64_t)seqh << 32) | seq) -
(((u_int64_t)th << 32) | tl));
setreplay(bitmap, diff, window, 1);
- *last = ((u_int64_t)seqh << 32) | seq;
+ tdb->tdb_rpl = ((u_int64_t)seqh << 32) | seq;
}
return (0);
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index ddb9e6d6da3..2e6afe7e398 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.151 2012/10/08 17:41:55 camield Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.152 2012/10/18 10:49:48 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -616,8 +616,7 @@ extern int tcp_signature_tdb_output(struct mbuf *, struct tdb *,
struct mbuf **, int, int);
/* Replay window */
-extern int checkreplaywindow(u_int32_t, u_int64_t *, u_int32_t, u_int64_t *,
- u_int32_t *, int, int);
+extern int checkreplaywindow(struct tdb *, u_int32_t, u_int32_t *, int);
extern unsigned char ipseczeroes[];