Diffstat (limited to 'main/ipsec-tools/90-dpd-window-fix.patch')
-rw-r--r--main/ipsec-tools/90-dpd-window-fix.patch85
1 files changed, 85 insertions, 0 deletions
diff --git a/main/ipsec-tools/90-dpd-window-fix.patch b/main/ipsec-tools/90-dpd-window-fix.patch
new file mode 100644
index 0000000000..d3ac9a9aa2
--- /dev/null
+++ b/main/ipsec-tools/90-dpd-window-fix.patch
@@ -0,0 +1,85 @@
+Index: src/racoon/isakmp_inf.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c,v
+retrieving revision 1.41
+diff -u -r1.41 isakmp_inf.c
+--- a/src/racoon/isakmp_inf.c 3 Jul 2009 06:41:46 -0000 1.41
++++ b/src/racoon/isakmp_inf.c 5 May 2010 15:56:38 -0000
+@@ -1450,17 +1450,16 @@
+ struct isakmp_pl_ru *ru;
+ u_int32_t msgid;
+ {
++ u_int32_t seq;
+
+ plog(LLV_DEBUG, LOCATION, iph1->remote,
+ "DPD R-U-There-Ack received\n");
+
+- /* XXX Maintain window of acceptable sequence numbers ?
+- * => ru->data <= iph2->dpd_seq &&
+- * ru->data >= iph2->dpd_seq - iph2->dpd_fails ? */
+- if (ntohl(ru->data) != iph1->dpd_seq-1) {
++ seq = ntohl(ru->data);
++ if (seq <= iph1->dpd_last_ack || seq > iph1->dpd_seq) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+- "Wrong DPD sequence number (%d, %d expected).\n",
+- ntohl(ru->data), iph1->dpd_seq-1);
++ "Wrong DPD sequence number (%d; last_ack=%d, seq=%d).\n",
++ seq, iph1->dpd_last_ack, iph1->dpd_seq);
+ return 0;
+ }
+
+@@ -1472,6 +1471,7 @@
+ }
+
+ iph1->dpd_fails = 0;
++ iph1->dpd_last_ack = seq;
+ sched_cancel(&iph1->dpd_r_u);
+ isakmp_sched_r_u(iph1, 0);
+
+@@ -1535,12 +1535,13 @@
+ memcpy(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t));
+ memcpy(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t));
+
+- if (iph1->dpd_seq == 0){
++ if (iph1->dpd_seq == 0) {
+ /* generate a random seq which is not too big */
+- srand(time(NULL));
+- iph1->dpd_seq = rand() & 0x0fff;
++ iph1->dpd_seq = iph1->dpd_last_ack = rand() & 0x0fff;
+ }
+
++ iph1->dpd_seq++;
++ iph1->dpd_fails++;
+ ru->data = htonl(iph1->dpd_seq);
+
+ error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
+@@ -1549,12 +1550,6 @@
+ plog(LLV_DEBUG, LOCATION, iph1->remote,
+ "DPD R-U-There sent (%d)\n", error);
+
+- /* will be decreased if ACK received... */
+- iph1->dpd_fails++;
+-
+- /* XXX should be increased only when ACKed ? */
+- iph1->dpd_seq++;
+-
+ /* Reschedule the r_u_there with a short delay,
+ * will be deleted/rescheduled if ACK received before */
+ isakmp_sched_r_u(iph1, 1);
+Index: src/racoon/handler.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v
+retrieving revision 1.22
+diff -u -r1.22 handler.h
+--- a/src/racoon/handler.h 3 Sep 2009 09:29:07 -0000 1.22
++++ b/src/racoon/handler.h 5 May 2010 15:56:39 -0000
+@@ -202,7 +202,8 @@
+
+ #ifdef ENABLE_DPD
+ int dpd_support; /* Does remote supports DPD ? */
+- u_int16_t dpd_seq; /* DPD seq number to receive */
++ u_int32_t dpd_last_ack;
++ u_int32_t dpd_seq; /* DPD seq number to receive */
+ u_int8_t dpd_fails; /* number of failures */
+ struct sched dpd_r_u;
+ #endif
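Review bot: The widened sequence fields are still printed with `%d` in the new plog call (`"Wrong DPD sequence number (%d; last_ack=%d, seq=%d).\n"`), although `seq`, `dpd_last_ack` and `dpd_seq` are `u_int32_t` after the handler.h change; use `%u` for all three so the format matches the argument types and a value above INT_MAX is not logged as a negative number. The new `dpd_last_ack` member is the only DPD field in handler.h without a trailing comment; `u_int32_t dpd_last_ack; /* highest DPD seq number ACKed by the peer */` would match its neighbours and document what the window check compares against. Dropping `srand(time(NULL))` leaves the initial sequence to whatever seeding racoon does elsewhere, which is not visible here; since the new check only uses ordering relative to `dpd_last_ack` this presumably does not matter, but it is worth confirming. The function containing the first isakmp_inf.c hunk starts before the hunk, so its name and remaining body are not visible here.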