author | Markus Friedl <markus@cvs.openbsd.org> | 2004-12-08 16:08:11 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2004-12-08 16:08:11 +0000 |
commit | 2b039b3afde4351e37929160cdc1daee8870997c (patch) | |
tree | e8d31f31e05c96b411ca28de3494a58f6d4a910a | |
parent | 8910e56c45fde68b6067da68e09b9d0c92696530 (diff) |
1. allow up to DPD_RETRANS_MAX retransmitted R_U_THERE messages.
2. reset dpd_failcount when switching to DPD_TIMER_NORMAL.
3. ignore DPD timeouts on SAs that are marked SA_FLAG_REPLACED.
ok hshoexer, ho
-rw-r--r-- | sbin/isakmpd/dpd.c | 16 | ||||
-rw-r--r-- | sbin/isakmpd/sa.h | 3 |
2 files changed, 15 insertions, 4 deletions
diff --git a/sbin/isakmpd/dpd.c b/sbin/isakmpd/dpd.c
index 6eb2ceb97c9..cd9aad3873f 100644
--- a/sbin/isakmpd/dpd.c
+++ b/sbin/isakmpd/dpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dpd.c,v 1.4 2004/08/10 15:59:10 ho Exp $ */
+/* $OpenBSD: dpd.c,v 1.5 2004/12/08 16:08:10 markus Exp $ */
 /*
 * Copyright (c) 2004 Håkan Olsson. All rights reserved.
@@ -154,12 +154,17 @@ dpd_handle_notify(struct message *msg, struct payload *p)
 switch (notify) {
 case ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE:
 /* The other peer wants to know we're alive. */
- if (p_seq <= isakmp_sa->dpd_rseq) {
+ if (p_seq < isakmp_sa->dpd_rseq ||
+ (p_seq == isakmp_sa->dpd_rseq &&
+ ++isakmp_sa->dpd_rdupcount >= DPD_RETRANS_MAX)) {
 log_print("dpd_handle_notify: bad R_U_THERE seqno " "%u <= %u", p_seq, isakmp_sa->dpd_rseq);
 return;
 }
- isakmp_sa->dpd_rseq = p_seq;
+ if (isakmp_sa->dpd_rseq != p_seq) {
+ isakmp_sa->dpd_rdupcount = 0;
+ isakmp_sa->dpd_rseq = p_seq;
+ }
 message_send_dpd_notify(isakmp_sa, ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE_ACK, p_seq);
 break;
@@ -213,6 +218,7 @@ dpd_timer_reset(struct sa *sa, u_int32_t time_passed, enum dpd_tstate mode)
 gettimeofday(&tv, 0);
 switch (mode) {
 case DPD_TIMER_NORMAL:
+ sa->dpd_failcount = 0;
 tv.tv_sec += dpd_timer_interval(time_passed);
 sa->dpd_event = timer_add_event("dpd_event", dpd_event, sa, &tv);
@@ -294,6 +300,8 @@ dpd_event(void *v_sa)
 #endif
 isakmp_sa->dpd_event = 0;
+ if (isakmp_sa->flags & SA_FLAG_REPLACED)
+ return;
 /* Check if there's been any incoming SA activity since last time. */
 args.isakmp_sa = isakmp_sa;
@@ -344,6 +352,8 @@ dpd_check_event(void *v_sa)
 struct sa *sa;
 isakmp_sa->dpd_event = 0;
+ if (isakmp_sa->flags & SA_FLAG_REPLACED)
+ return;
 if (++isakmp_sa->dpd_failcount < DPD_RETRANS_MAX) {
 LOG_DBG((LOG_MESSAGE, 10, "dpd_check_event: "
diff --git a/sbin/isakmpd/sa.h b/sbin/isakmpd/sa.h
index 4f6100f83a7..a7b9174a4ab 100644
--- a/sbin/isakmpd/sa.h
+++ b/sbin/isakmpd/sa.h
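Review bot: In the dpd_handle_notify hunk (@@ -154,12 +154,17 @@) the rejection branch still logs `bad R_U_THERE seqno %u <= %u` for both cases, so an operator reading the log cannot tell an old or replayed sequence number from a peer that hit the DPD_RETRANS_MAX duplicate limit. The counter is also incremented as a side effect inside the `if` condition, which depends on `||` short-circuiting and is easy to break in a later edit. Splitting the test into two guards keeps the same accept/reject behaviour, gives each case its own message, and leaves room for a comment that the limit bounds how many R_U_THERE_ACK replies one sequence number can elicit. Note that with `>=` the first message plus DPD_RETRANS_MAX - 1 duplicates are answered; the comment should say which count is intended. The rest of the switch is outside the hunk.

```c
		if (p_seq < isakmp_sa->dpd_rseq) {
			log_print("dpd_handle_notify: bad R_U_THERE seqno "
			    "%u < %u", p_seq, isakmp_sa->dpd_rseq);
			return;
		}
		/* Answer a repeated seqno only a bounded number of times. */
		if (p_seq == isakmp_sa->dpd_rseq &&
		    ++isakmp_sa->dpd_rdupcount >= DPD_RETRANS_MAX) {
			log_print("dpd_handle_notify: too many duplicate "
			    "R_U_THERE for seqno %u", p_seq);
			return;
		}
		/* … unchanged: dpd_rseq/dpd_rdupcount update and R_U_THERE_ACK reply … */
```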
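Review bot: The new `sa->dpd_failcount = 0;` under `case DPD_TIMER_NORMAL:` in dpd_timer_reset (@@ -213,6 +218,7 @@) carries no comment saying why entering the normal timer state clears the failure count. Judging by the `++isakmp_sa->dpd_failcount < DPD_RETRANS_MAX` test in dpd_check_event, this counter appears to decide when a peer is given up on, so the reset is only safe if every caller passing DPD_TIMER_NORMAL does so after a validated R_U_THERE_ACK or observed SA traffic. Those callers are outside the hunk and should be checked. I would add `/* Peer is considered alive again: start a fresh failure count. */` above the assignment.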
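Review bot: The early `return` for SA_FLAG_REPLACED in dpd_event (@@ -294,6 +300,8 @@) runs after `isakmp_sa->dpd_event = 0;` and does not re-arm the timer, so DPD stops for that SA without a log line or a comment explaining why. The identical check in dpd_check_event (@@ -344,6 +352,8 @@) has the same gap. A comment such as `/* Replaced SAs are on their way out; neither probe nor expire them here. */` in both places, plus a LOG_DBG line at the same level as the existing dpd_check_event message, would make the behaviour visible when diagnosing a tunnel that was not torn down. Both function bodies continue outside the hunks, so it should be confirmed that nothing later in them, such as cleanup, was expected to run on this path.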
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.h,v 1.41 2004/08/10 15:59:10 ho Exp $ */
+/* $OpenBSD: sa.h,v 1.42 2004/12/08 16:08:10 markus Exp $ */
 /* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */
 /*
@@ -213,6 +213,7 @@ struct sa {
 u_int32_t dpd_seq; /* sent */
 u_int32_t dpd_rseq; /* recieved */
 u_int32_t dpd_failcount; /* # of subsequent failures */
+ u_int32_t dpd_rdupcount; /* # of subsequent duplicates */
 struct event *dpd_event; /* time of next event */
 #endif
 }; |
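Review bot: The comment on the new `dpd_rdupcount` field in struct sa (@@ -213,6 +213,7 @@), `# of subsequent duplicates`, does not say duplicates of what. Something like `/* # of consecutive R_U_THERE with seqno == dpd_rseq */` would tie it to the check in dpd_handle_notify. The dpd.c code relies on this counter starting at zero, and the allocation of struct sa is outside this diff, so it is worth confirming the structure is zero-initialised when an SA is created.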