Module Name: src
Committed By: tteras
Date: Fri Nov 12 09:09:48 UTC 2010
Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.h isakmp_inf.c
Log Message:
Improve DPD sequence checks to allow any reply within valid sequence window
to be proof of livelyness. This can improves things if there's random
packet delays, or if racoon is not getting enough CPU time.
To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/racoon/handler.h
cvs rdiff -u -r1.42 -r1.43 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/ipsec-tools/src/racoon/handler.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.23 src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.23 Thu Oct 21 06:04:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.h Fri Nov 12 09:09:47 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: handler.h,v 1.23 2010/10/21 06:04:33 tteras Exp $ */
+/* $NetBSD: handler.h,v 1.24 2010/11/12 09:09:47 tteras Exp $ */
/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
@@ -202,7 +202,8 @@
#ifdef ENABLE_DPD
int dpd_support; /* Does remote supports DPD ? */
- u_int16_t dpd_seq; /* DPD seq number to receive */
+ u_int32_t dpd_last_ack;
+ u_int32_t dpd_seq; /* DPD seq number to receive */
u_int8_t dpd_fails; /* number of failures */
struct sched dpd_r_u;
#endif
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.42 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.43
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.42 Tue Jun 22 09:41:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c Fri Nov 12 09:09:47 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_inf.c,v 1.42 2010/06/22 09:41:33 vanhu Exp $ */
+/* $NetBSD: isakmp_inf.c,v 1.43 2010/11/12 09:09:47 tteras Exp $ */
/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
@@ -1450,17 +1450,16 @@
struct isakmp_pl_ru *ru;
u_int32_t msgid;
{
+ u_int32_t seq;
plog(LLV_DEBUG, LOCATION, iph1->remote,
"DPD R-U-There-Ack received\n");
- /* XXX Maintain window of acceptable sequence numbers ?
- * => ru->data <= iph2->dpd_seq &&
- * ru->data >= iph2->dpd_seq - iph2->dpd_fails ? */
- if (ntohl(ru->data) != iph1->dpd_seq-1) {
+ seq = ntohl(ru->data);
+ if (seq <= iph1->dpd_last_ack || seq > iph1->dpd_seq) {
plog(LLV_ERROR, LOCATION, iph1->remote,
- "Wrong DPD sequence number (%d, %d expected).\n",
- ntohl(ru->data), iph1->dpd_seq-1);
+ "Wrong DPD sequence number (%d; last_ack=%d, seq=%d).\n",
+ seq, iph1->dpd_last_ack, iph1->dpd_seq);
return 0;
}
@@ -1472,6 +1471,7 @@
}
iph1->dpd_fails = 0;
+ iph1->dpd_last_ack = seq;
sched_cancel(&iph1->dpd_r_u);
isakmp_sched_r_u(iph1, 0);
@@ -1536,12 +1536,13 @@
memcpy(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t));
memcpy(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t));
- if (iph1->dpd_seq == 0){
+ if (iph1->dpd_seq == 0) {
/* generate a random seq which is not too big */
- srand(time(NULL));
- iph1->dpd_seq = rand() & 0x0fff;
+ iph1->dpd_seq = iph1->dpd_last_ack = rand() & 0x0fff;
}
+ iph1->dpd_seq++;
+ iph1->dpd_fails++;
ru->data = htonl(iph1->dpd_seq);
error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
@@ -1550,12 +1551,6 @@
plog(LLV_DEBUG, LOCATION, iph1->remote,
"DPD R-U-There sent (%d)\n", error);
- /* will be decreased if ACK received... */
- iph1->dpd_fails++;
-
- /* XXX should be increased only when ACKed ? */
- iph1->dpd_seq++;
-
/* Reschedule the r_u_there with a short delay,
* will be deleted/rescheduled if ACK received before */
isakmp_sched_r_u(iph1, 1);
