authorHakan Olsson <ho@cvs.openbsd.org>2001-06-25 00:00:45 +0000
committerHakan Olsson <ho@cvs.openbsd.org>2001-06-25 00:00:45 +0000
commit7d83caee1620a10da905e3db3b57be77a510deba (patch)
treec976df8d228398e94a31db0e56596e93ee5f4590
parentc0cf66397cb710980a34a3368c632eb52943b59d (diff)
Handle responder cookies same as initiator cookies.
-rw-r--r--sbin/isakmpd/cookie.c66
-rw-r--r--sbin/isakmpd/cookie.h4
-rw-r--r--sbin/isakmpd/init.c4
3 files changed, 9 insertions, 65 deletions
diff --git a/sbin/isakmpd/cookie.c b/sbin/isakmpd/cookie.c
index a83d9da676e..0219c02d188 100644
--- a/sbin/isakmpd/cookie.c
+++ b/sbin/isakmpd/cookie.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cookie.c,v 1.6 1999/08/05 22:40:37 niklas Exp $ */
+/* $OpenBSD: cookie.c,v 1.7 2001/06/25 00:00:44 ho Exp $ */
/* $EOM: cookie.c,v 1.21 1999/08/05 15:00:04 niklas Exp $ */
/*
@@ -45,18 +45,11 @@
#include "cookie.h"
#include "exchange.h"
#include "hash.h"
-#include "log.h"
-#include "timer.h"
#include "transport.h"
#include "util.h"
-#define COOKIE_EVENT_FREQ 360
#define COOKIE_SECRET_SIZE 16
-void cookie_secret_reset (void);
-
-u_int8_t cookie_secret[COOKIE_SECRET_SIZE];
-
/*
* Generate an anti-clogging token (a protection against an attacker forcing
* us to keep state for a flood of connection requests) a.k.a. a cookie
@@ -71,63 +64,18 @@ cookie_gen (struct transport *t, struct exchange *exchange, u_int8_t *buf,
struct hash* hash = hash_get (HASH_SHA1);
struct sockaddr *name;
int name_len;
+ u_int8_t tmpsecret[COOKIE_SECRET_SIZE];
hash->Init (hash->ctx);
(*t->vtbl->get_dst) (t, &name, &name_len);
hash->Update (hash->ctx, (u_int8_t *)name, name_len);
(*t->vtbl->get_src) (t, &name, &name_len);
hash->Update (hash->ctx, (u_int8_t *)name, name_len);
- if (exchange->initiator)
- {
- u_int8_t tmpsecret[COOKIE_SECRET_SIZE];
-
- getrandom (tmpsecret, COOKIE_SECRET_SIZE);
- hash->Update (hash->ctx, tmpsecret, COOKIE_SECRET_SIZE);
- }
- else
- {
- hash->Update (hash->ctx, exchange->cookies + ISAKMP_HDR_ICOOKIE_OFF,
- ISAKMP_HDR_ICOOKIE_LEN);
- hash->Update (hash->ctx, cookie_secret, COOKIE_SECRET_SIZE);
- }
-
+ if (exchange->initiator == 0)
+ hash->Update (hash->ctx, exchange->cookies + ISAKMP_HDR_ICOOKIE_OFF,
+ ISAKMP_HDR_ICOOKIE_LEN);
+ getrandom (tmpsecret, COOKIE_SECRET_SIZE);
+ hash->Update (hash->ctx, tmpsecret, COOKIE_SECRET_SIZE);
hash->Final (hash->digest, hash->ctx);
memcpy (buf, hash->digest, len);
}
-
-/*
- * Reset the secret which is used for the responder cookie.
- * As responder we do not want to keep state in the cookie
- * exchange, which means when the cookie secret is reset,
- * our cookie response has timed out.
- */
-void
-cookie_secret_reset (void)
-{
- getrandom (cookie_secret, COOKIE_SECRET_SIZE);
-}
-
-/*
- * Handle the cookie reset event, and reschedule with timer.
- */
-void
-cookie_reset_event (void *arg)
-{
- struct timeval now;
-
- cookie_secret_reset ();
-
- gettimeofday (&now, 0);
- now.tv_sec += COOKIE_EVENT_FREQ;
- timer_add_event ("cookie_reset_event", cookie_reset_event, arg, &now);
-}
-
-void
-cookie_init (void)
-{
- if (regrand)
- cookie_secret_reset ();
- else
- /* Start responder cookie resets. */
- cookie_reset_event (0);
-}
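Review bot: The function-header comment that still describes cookie_gen's output as an anti-clogging token ("a protection against an attacker forcing us to keep state", opening at the end of the previous hunk) no longer matches the new body here, which now feeds a fresh getrandom() value into the hash on the responder side too, so a responder cookie can no longer be recomputed from the peer's cookie, the addresses and a shared secret the way the removed cookie_secret/cookie_secret_reset design described. If nothing in the tree actually recomputed responder cookies, the only loss is that property, but the comment should say so, e.g. `/* Both cookies are unpredictable nonces: a fresh random secret is hashed in on every call, so a responder cookie cannot be regenerated later for stateless verification. */`. Hashing the initiator cookie into the responder cookie in the `exchange->initiator == 0` branch appears redundant now that a random secret is always mixed in, though it is harmless; a one-line comment on why it is kept would help the next reader. cookie_gen begins before this hunk.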
diff --git a/sbin/isakmpd/cookie.h b/sbin/isakmpd/cookie.h
index 0683b26e403..9190985df7b 100644
--- a/sbin/isakmpd/cookie.h
+++ b/sbin/isakmpd/cookie.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cookie.h,v 1.3 1998/11/17 11:10:09 niklas Exp $ */
+/* $OpenBSD: cookie.h,v 1.4 2001/06/25 00:00:44 ho Exp $ */
/* $EOM: cookie.h,v 1.5 1998/08/05 09:21:43 niklas Exp $ */
/*
@@ -45,7 +45,5 @@ struct transport;
extern void cookie_gen (struct transport *, struct exchange *, u_int8_t *,
size_t);
-extern void cookie_init (void);
-extern void cookie_reset_event (void *);
#endif /* _COOKIE_H_ */
diff --git a/sbin/isakmpd/init.c b/sbin/isakmpd/init.c
index 0da9ab65484..fe9b96228d5 100644
--- a/sbin/isakmpd/init.c
+++ b/sbin/isakmpd/init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: init.c,v 1.15 2000/04/07 22:05:08 niklas Exp $ */
+/* $OpenBSD: init.c,v 1.16 2001/06/25 00:00:44 ho Exp $ */
/* $EOM: init.c,v 1.25 2000/03/30 14:27:24 ho Exp $ */
/*
@@ -43,7 +43,6 @@
#include "cert.h"
#include "conf.h"
#include "connection.h"
-#include "cookie.h"
#include "doi.h"
#include "exchange.h"
#include "init.h"
@@ -81,7 +80,6 @@ init ()
/* The following group are depending on timer_init having run. */
conf_init ();
connection_init ();
- cookie_init ();
#ifdef USE_POLICY
/* policy_init depends on conf_init having run. */