[Openswan dev] [PATCH] Fix bogus header with delayed MAIN I2->R2
Herbert Xu
herbert at gondor.apana.org.au
Wed Oct 5 12:18:27 CEST 2005
Hi:
When main mode I2->R2 is delayed for crypto, it may pick up a bogus
ISAKMP header when resuming. This is because reply_buffer is global
and another transaction could've used it in the time being.
So we simply generate the header in main_inI2_outR2_tail instead of
process_packet for this case.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
-------------- next part --------------
Index: programs/pluto/ipsec_doi.c
===================================================================
RCS file: /public/cvs/openswan-2/programs/pluto/ipsec_doi.c,v
retrieving revision 1.311
diff -u -r1.311 ipsec_doi.c
--- programs/pluto/ipsec_doi.c 26 Sep 2005 04:02:45 -0000 1.311
+++ programs/pluto/ipsec_doi.c 5 Oct 2005 01:12:54 -0000
@@ -2571,7 +2571,11 @@
&& !has_preloaded_public_key(st)
&& st->st_connection->spd.that.ca.ptr != NULL;
- /* HDR out done */
+ /* HDR out.
+ * We can't leave this to process_packet() because the state
+ * may be suspended for crypto.
+ */
+ echo_hdr(md, FALSE, ISAKMP_NEXT_KE);
/* KE out */
if (!ship_KE(st, r, &st->st_gr
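Review bot: The new comment above the echo_hdr() call gives the reason only as "the state may be suspended for crypto" and does not say what goes wrong in that case. The explanation from the commit message (reply_buffer is global and another exchange may have written to it before the resume) belongs in the comment, so the call is not later moved back to process_packet(). It is also worth confirming that the output stream echo_hdr() writes to is set up afresh on the resume path, since the hunk shows only the header call itself.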
Index: programs/pluto/demux.c
===================================================================
RCS file: /public/cvs/openswan-2/programs/pluto/demux.c,v
retrieving revision 1.237
diff -u -r1.237 demux.c
--- programs/pluto/demux.c 4 Oct 2005 01:31:45 -0000 1.237
+++ programs/pluto/demux.c 5 Oct 2005 01:12:55 -0000
@@ -296,9 +296,9 @@
{ STATE_MAIN_R1, STATE_MAIN_R2
, SMF_PSK_AUTH | SMF_DS_AUTH | SMF_REPLY
#ifdef NAT_TRAVERSAL
- , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(KE)
+ , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(NONE)
#else
- , P(KE) | P(NONCE), P(VID) | P(CR), PT(KE)
+ , P(KE) | P(NONCE), P(VID) | P(CR), PT(NONE)
#endif
, EVENT_RETRANSMIT, main_inI2_outR2 },
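Review bot: With PT(KE) changed to PT(NONE) in both the NAT_TRAVERSAL and non-NAT branches, the STATE_MAIN_R1 entry no longer records that the reply starts with a KE payload, while SMF_REPLY is still set. A short comment on this entry pointing to the echo_hdr(md, FALSE, ISAKMP_NEXT_KE) call added in ipsec_doi.c would keep the two in sync. Only this entry is changed, so any other handler that can be suspended for crypto should be checked for the same reliance on the header written by process_packet().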
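The failure mode described in the message, reduced to a stand-alone C model. This is an added example, not code from the post or from Openswan; `struct exchange`, `dispatch_write_hdr`, `resume_tail` and the cookie values are hypothetical stand-ins for the dispatcher, the delayed tail function and the ISAKMP header.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define HDR_LEN 8
/* One reply buffer shared by every exchange, like the global in the post. */
static uint8_t reply_buffer[64];

struct exchange {
    uint8_t cookie[HDR_LEN];   /* stands in for the exchange's ISAKMP header */
    uint8_t ke;                /* result of the delayed crypto (constructed) */
};

/* Dispatcher step: writes the reply header before the handler runs. */
static void dispatch_write_hdr(const struct exchange *x)
{
    memcpy(reply_buffer, x->cookie, HDR_LEN);
}

/* Resume step: appends the body, optionally regenerating the header first. */
static size_t resume_tail(const struct exchange *x, int regenerate_hdr)
{
    if (regenerate_hdr)
        memcpy(reply_buffer, x->cookie, HDR_LEN);
    reply_buffer[HDR_LEN] = x->ke;
    return HDR_LEN + 1;
}

/* Returns 1 if the reply built for exchange A carries A's own header. */
int reply_header_matches(int regenerate_hdr)
{
    struct exchange a = { "AAAAAAA", 0x11 };
    struct exchange b = { "BBBBBBB", 0x22 };

    dispatch_write_hdr(&a);            /* A arrives, then waits for crypto  */
    dispatch_write_hdr(&b);            /* B arrives and reuses the buffer   */
    resume_tail(&b, 0);                /* B completes without suspending    */
    resume_tail(&a, regenerate_hdr);   /* A resumes after B used the buffer */
    return memcmp(reply_buffer, a.cookie, HDR_LEN) == 0;
}

int main(void)
{
    printf("header written by dispatcher only: %s\n",
           reply_header_matches(0) ? "ok" : "bogus header");
    printf("header regenerated on resume:      %s\n",
           reply_header_matches(1) ? "ok" : "bogus header");
    return 0;
}
```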