Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/dist/ipsec-tools/src/racoon Improve DPD sequence chec...
details: https://anonhg.NetBSD.org/src/rev/b42faded4124
branches: trunk
changeset: 758651:b42faded4124
user: tteras <tteras%NetBSD.org@localhost>
date: Fri Nov 12 09:09:47 2010 +0000
description:
Improve DPD sequence checks to allow any reply within valid sequence window
to be proof of livelyness. This can improves things if there's random
packet delays, or if racoon is not getting enough CPU time.
diffstat:
crypto/dist/ipsec-tools/src/racoon/handler.h | 5 ++-
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c | 27 ++++++++++--------------
2 files changed, 14 insertions(+), 18 deletions(-)
diffs (89 lines):
diff -r 3a7acb6e17f6 -r b42faded4124 crypto/dist/ipsec-tools/src/racoon/handler.h
--- a/crypto/dist/ipsec-tools/src/racoon/handler.h Fri Nov 12 09:08:26 2010 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/handler.h Fri Nov 12 09:09:47 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: handler.h,v 1.23 2010/10/21 06:04:33 tteras Exp $ */
+/* $NetBSD: handler.h,v 1.24 2010/11/12 09:09:47 tteras Exp $ */
/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
@@ -202,7 +202,8 @@
#ifdef ENABLE_DPD
int dpd_support; /* Does remote supports DPD ? */
- u_int16_t dpd_seq; /* DPD seq number to receive */
+ u_int32_t dpd_last_ack;
+ u_int32_t dpd_seq; /* DPD seq number to receive */
u_int8_t dpd_fails; /* number of failures */
struct sched dpd_r_u;
#endif
diff -r 3a7acb6e17f6 -r b42faded4124 crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c Fri Nov 12 09:08:26 2010 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c Fri Nov 12 09:09:47 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_inf.c,v 1.42 2010/06/22 09:41:33 vanhu Exp $ */
+/* $NetBSD: isakmp_inf.c,v 1.43 2010/11/12 09:09:47 tteras Exp $ */
/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
@@ -1450,17 +1450,16 @@
struct isakmp_pl_ru *ru;
u_int32_t msgid;
{
+ u_int32_t seq;
plog(LLV_DEBUG, LOCATION, iph1->remote,
"DPD R-U-There-Ack received\n");
- /* XXX Maintain window of acceptable sequence numbers ?
- * => ru->data <= iph2->dpd_seq &&
- * ru->data >= iph2->dpd_seq - iph2->dpd_fails ? */
- if (ntohl(ru->data) != iph1->dpd_seq-1) {
+ seq = ntohl(ru->data);
+ if (seq <= iph1->dpd_last_ack || seq > iph1->dpd_seq) {
plog(LLV_ERROR, LOCATION, iph1->remote,
- "Wrong DPD sequence number (%d, %d expected).\n",
- ntohl(ru->data), iph1->dpd_seq-1);
+ "Wrong DPD sequence number (%d; last_ack=%d, seq=%d).\n",
+ seq, iph1->dpd_last_ack, iph1->dpd_seq);
return 0;
}
@@ -1472,6 +1471,7 @@
}
iph1->dpd_fails = 0;
+ iph1->dpd_last_ack = seq;
sched_cancel(&iph1->dpd_r_u);
isakmp_sched_r_u(iph1, 0);
@@ -1536,12 +1536,13 @@
memcpy(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t));
memcpy(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t));
- if (iph1->dpd_seq == 0){
+ if (iph1->dpd_seq == 0) {
/* generate a random seq which is not too big */
- srand(time(NULL));
- iph1->dpd_seq = rand() & 0x0fff;
+ iph1->dpd_seq = iph1->dpd_last_ack = rand() & 0x0fff;
}
+ iph1->dpd_seq++;
+ iph1->dpd_fails++;
ru->data = htonl(iph1->dpd_seq);
error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
@@ -1550,12 +1551,6 @@
plog(LLV_DEBUG, LOCATION, iph1->remote,
"DPD R-U-There sent (%d)\n", error);
- /* will be decreased if ACK received... */
- iph1->dpd_fails++;
-
- /* XXX should be increased only when ACKed ? */
- iph1->dpd_seq++;
-
/* Reschedule the r_u_there with a short delay,
* will be deleted/rescheduled if ACK received before */
isakmp_sched_r_u(iph1, 1);
Home |
Main Index |
Thread Index |
Old Index