Make sure the first packet of an SA has sequence number 1 (as described in

RFC 4302 and RFC 4303).  It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@

2 files changed, 11 insertions, 9 deletions

diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index e94b9ead813..5d1a30cc90e 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_ah.c,v 1.144 2019/09/30 01:53:05 dlg Exp $ */
+/*	$OpenBSD: ip_ah.c,v 1.145 2020/12/18 12:30:23 tobhe Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -890,6 +890,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 	struct tdb_crypto *tc = NULL;
 	struct mbuf *mi;
 	struct cryptop *crp = NULL;
+	u_int64_t replay64;
 	u_int16_t iplen;
 	int error, rplen, roff;
 	u_int8_t prot;
@@ -1041,8 +1042,8 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 	/* Zeroize authenticator. */
 	m_copyback(m, skip + rplen, ahx->authsize, ipseczeroes, M_NOWAIT);
 
-	tdb->tdb_rpl++;
-	ah->ah_rpl = htonl((u_int32_t)(tdb->tdb_rpl & 0xffffffff));
+	replay64 = tdb->tdb_rpl++;
+	ah->ah_rpl = htonl((u_int32_t)replay64);
 #if NPFSYNC > 0
 	pfsync_update_tdb(tdb,1);
 #endif
@@ -1071,7 +1072,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 	if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) {
 		u_int32_t esn;
 
-		esn = htonl((u_int32_t)(tdb->tdb_rpl >> 32));
+		esn = htonl((u_int32_t)(replay64 >> 32));
 		memcpy(crda->crd_esn, &esn, 4);
 		crda->crd_flags |= CRD_F_ESN;
 	}
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index 05105d0fe07..36b761273cd 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_esp.c,v 1.160 2020/12/16 19:28:59 tobhe Exp $ */
+/*	$OpenBSD: ip_esp.c,v 1.161 2020/12/18 12:30:23 tobhe Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -737,6 +737,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 	struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform;
 	struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform;
 	int ilen, hlen, rlen, padding, blks, alen, roff, error;
+	u_int64_t replay64;
 	u_int32_t replay;
 	struct mbuf *mi, *mo = (struct mbuf *) NULL;
 	struct tdb_crypto *tc = NULL;
@@ -881,8 +882,8 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 	/* Initialize ESP header. */
 	memcpy(mtod(mo, caddr_t) + roff, (caddr_t) &tdb->tdb_spi,
 	    sizeof(u_int32_t));
-	tdb->tdb_rpl++;
-	replay = htonl((u_int32_t)tdb->tdb_rpl);
+	replay64 = tdb->tdb_rpl++;	/* used for both header and ESN */
+	replay = htonl((u_int32_t)replay64);
 	memcpy(mtod(mo, caddr_t) + roff + sizeof(u_int32_t), (caddr_t) &replay,
 	    sizeof(u_int32_t));
 
@@ -951,7 +952,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 		if (espx->type == CRYPTO_AES_CTR ||
 		    espx->type == CRYPTO_AES_GCM_16 ||
 		    espx->type == CRYPTO_CHACHA20_POLY1305)
-			bcopy(&tdb->tdb_rpl, crde->crd_iv, sizeof(tdb->tdb_rpl));
+			bcopy(&replay64, crde->crd_iv, sizeof(replay64));
 		else
 			arc4random_buf(crde->crd_iv, espx->ivsize);
 	} else
@@ -992,7 +993,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 		if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) {
 			u_int32_t esn;
 
-			esn = htonl((u_int32_t)(tdb->tdb_rpl >> 32));
+			esn = htonl((u_int32_t)(replay64 >> 32));
 			memcpy(crda->crd_esn, &esn, 4);
 			crda->crd_flags |= CRD_F_ESN;
 		}