authoryasuoka <yasuoka@openbsd.org>2016-03-10 07:32:16 +0000
committeryasuoka <yasuoka@openbsd.org>2016-03-10 07:32:16 +0000
commit20c653eb9ccb0d9471dbd915a965aa5fa4d29a00 (patch)
tree80ae37e0793983b2e655e2358f62e707d5fb95d8
parentbeck@ forgot to commit this with sys/kern/vfs_bio.c r1.100. (diff)
Don't retransmit responses for unauthenticated messages.
Based on a diff from Yuuichi Someya; ok markus reyk mikeb
-rw-r--r--sbin/isakmpd/exchange.c11
-rw-r--r--sbin/isakmpd/message.h5
-rw-r--r--sbin/isakmpd/transport.c6
3 files changed, 18 insertions, 4 deletions
diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c
index f48ea00f6df..e06ef88f7cf 100644
--- a/sbin/isakmpd/exchange.c
+++ b/sbin/isakmpd/exchange.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.c,v 1.137 2015/12/10 17:27:00 mmcc Exp $ */
+/* $OpenBSD: exchange.c,v 1.138 2016/03/10 07:32:16 yasuoka Exp $ */
/* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */
/*
@@ -328,6 +328,15 @@ exchange_run(struct message *msg)
/* FALLTHROUGH */
case 0:
+ /*
+ * Don't retransmit responses for
+ * unauthenticated messages.
+ */
+ if ((exchange->type == ISAKMP_EXCH_ID_PROT ||
+ exchange->type == ISAKMP_EXCH_AGGRESSIVE) &&
+ exchange->phase == 1 && exchange->step == 1)
+ msg->flags |= MSG_DONTRETRANSMIT;
+
/* XXX error handling. */
message_send(msg);
break;
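Review bot: The new comment says what is skipped but not why only ISAKMP_EXCH_ID_PROT and ISAKMP_EXCH_AGGRESSIVE at phase 1, step 1 qualify, which is the part a later maintainer needs in order to keep the condition correct. At that point the responder's reply goes to a peer that has not yet proven anything, so a single spoofed-source first message would otherwise make the daemon keep retransmitting toward an address it never verified and hold retransmit state for it; later steps and phase 2 run after authentication, which is presumably why they are left out. I would extend the comment to `/* Don't retransmit responses for unauthenticated messages: the first reply in main/aggressive mode goes to a peer that has not yet proven its identity, so a spoofed initiator must not make us keep resending toward it. */`. Whether `exchange->step` is still 1 here, i.e. whether the step counter is advanced after this switch rather than before it, is not visible in the hunk; exchange_run begins outside it.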
diff --git a/sbin/isakmpd/message.h b/sbin/isakmpd/message.h
index c202651e55b..5df66b7e332 100644
--- a/sbin/isakmpd/message.h
+++ b/sbin/isakmpd/message.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.h,v 1.26 2015/01/16 06:39:59 deraadt Exp $ */
+/* $OpenBSD: message.h,v 1.27 2016/03/10 07:32:16 yasuoka Exp $ */
/* $EOM: message.h,v 1.51 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -168,6 +168,9 @@ struct message {
/* The message was received on the NAT-T port. */
#define MSG_NATT 0x20
+/* The message must not be retransmitted. */
+#define MSG_DONTRETRANSMIT 0x40
+
TAILQ_HEAD(msg_head, message);
/* The number of different ISAKMP payloads supported. */
diff --git a/sbin/isakmpd/transport.c b/sbin/isakmpd/transport.c
index 71956c06a99..65fb31d3e97 100644
--- a/sbin/isakmpd/transport.c
+++ b/sbin/isakmpd/transport.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: transport.c,v 1.36 2013/03/21 04:30:14 deraadt Exp $ */
+/* $OpenBSD: transport.c,v 1.37 2016/03/10 07:32:16 yasuoka Exp $ */
/* $EOM: transport.c,v 1.43 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -309,7 +309,9 @@ transport_send_messages(fd_set * fds)
* seeing a duplicate of our peer's previous message.
*/
if ((msg->flags & MSG_LAST) == 0) {
- if (msg->xmits > conf_get_num("General",
+ if (msg->flags & MSG_DONTRETRANSMIT)
+ exchange->last_sent = 0;
+ else if (msg->xmits > conf_get_num("General",
"retransmits", RETRANSMIT_DEFAULT)) {
t->virtual->vtbl->get_dst(t->virtual, &dst);
if (getnameinfo(dst, SA_LEN(dst), peer,
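Review bot: The new branch clears `exchange->last_sent` but the hunk does not show what happens to the message that pointer previously referenced, nor what is done with this msg after its single send; if `last_sent` holds the owning reference to the earlier message, clearing it here without releasing that message would leak it, and if it is a non-owning pointer freed elsewhere the assignment is fine — the remainder of the function is below the hunk, so this needs confirming against those lines. The branch also carries no comment, unlike the retransmit-limit branch it sits beside, and the reason for clearing the pointer is only implied by the comment ending at line 71; I would add above it `/* One-shot response to an unauthenticated peer: forget it so a duplicate of the peer's message does not trigger a resend. */`. transport_send_messages starts and ends outside the hunk.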