From 56ee8fcc96f1e16ae9eeac3ca5bafbb647d2b37c Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Fri, 31 Jul 2009 18:10:39 +0200 Subject: FreeBSD and Mac OS X both set the sequence number of an SADB_X_SPDGET response to zero, we accept that for now. --- .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) (limited to 'src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c') diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 592af431a..ce34f19fa 100644 --- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -751,6 +751,8 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket this->mutex_pfkey->lock(this->mutex_pfkey); + /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367, + * in particular the behavior in response to an SADB_ACQUIRE. */ in->sadb_msg_seq = ++this->seq; in->sadb_msg_pid = getpid(); @@ -812,14 +814,23 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket } if (msg->sadb_msg_seq != this->seq) { - DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, " - "was %d expected %d", msg->sadb_msg_seq, this->seq); - if (msg->sadb_msg_seq < this->seq) + DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence " + "number, was %d expected %d", msg->sadb_msg_seq, this->seq); + if (msg->sadb_msg_seq == 0) + { + /* FreeBSD and Mac OS X do this for the response to + * SADB_X_SPDGET (but not for the response to SADB_GET). + * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */ + } + else if (msg->sadb_msg_seq < this->seq) { continue; } - this->mutex_pfkey->unlock(this->mutex_pfkey); - return FAILED; + else + { + this->mutex_pfkey->unlock(this->mutex_pfkey); + return FAILED; + } } if (msg->sadb_msg_type != in->sadb_msg_type) { -- cgit v1.2.3