Reset reconfigure token when dropping a lease.
authorRoy Marples <roy@marples.name>
Fri, 31 Jan 2014 18:33:11 +0000 (18:33 +0000)
committerRoy Marples <roy@marples.name>
Fri, 31 Jan 2014 18:33:11 +0000 (18:33 +0000)
Only send a reconfigure accept option if we aren't sending any
authentication OR don't require authentication.

auth.c
auth.h
dhcp.c
dhcp6.c

diff --git a/auth.c b/auth.c
index e5f787fcd2f0b24dc751e00153eb6e44a5981178..ad9075fd4232f1f8edef5c375b220786fc7992d4 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -74,6 +74,16 @@ ntohll(uint64_t x)
 
 #define HMAC_LENGTH    16
 
+void
+dhcp_auth_reset(struct authstate *state)
+{
+
+       if (state->reconf) {
+               free(state->reconf);
+               state->reconf = NULL;
+       }
+}
+
 /*
  * Authenticate a DHCP message.
  * m and mlen refer to the whole message.
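Review bot: dhcp_auth_reset() releases only the token struct itself, so if struct token owns separately allocated members (its definition is not shown in this diff) they leak on every drop, and the reconfigure key bytes stay readable in freed heap memory. Free any owned members first and clear the key before freeing, for example with `explicit_bzero()` or `memset_s()` where the platform provides one. The `if (state->reconf)` guard is unnecessary because free(NULL) is a no-op: `free(state->reconf); state->reconf = NULL;` is enough. A short header comment saying the function is called on lease drop, so that a key learned under an old lease is not reused to validate a later reconfigure message, would record the intent.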
@@ -215,6 +225,12 @@ dhcp_auth_validate(struct authstate *state, const struct auth *auth,
                        /* Nothing to validate, just accepting the key */
                        return state->reconf;
                case 2:
+                       if (!((mp == 4 && mt == DHCP_FORCERENEW) ||
+                           (mp == 6 && mt == DHCP6_RECONFIGURE)))
+                       {
+                               errno = EINVAL;
+                               return NULL;
+                       }
                        if (state->reconf == NULL) {
                                errno = ENOENT;
                                return NULL;
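Review bot: The new guard at the top of `case 2` has no comment explaining why other message types are refused, and `mp == 4` / `mp == 6` read as magic numbers. A line such as `/* A reconfigure key may only authenticate FORCERENEW (DHCPv4) or RECONFIGURE (DHCPv6) */` above the `if` would make the restriction explicit for the next reader. The switch and dhcp_auth_validate() both continue outside the hunk.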
diff --git a/auth.h b/auth.h
index 3f578a85adc879eb8dcdc0b5ad353cc3f4a768bf..9234ca5019d0e29ab024f418d19c6cd016a2703f 100644 (file)
--- a/auth.h
+++ b/auth.h
@@ -34,6 +34,8 @@
 #define DHCPCD_AUTH_REQUIRE    (1 << 1)
 #define DHCPCD_AUTH_RDM_COUNTER        (1 << 2)
 
+#define DHCPCD_AUTH_SENDREQUIRE        (DHCPCD_AUTH_SEND | DHCPCD_AUTH_REQUIRE)
+
 #define AUTH_PROTO_TOKEN       0
 #define AUTH_PROTO_DELAYED     1
 #define AUTH_PROTO_DELAYEDREALM        2
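Review bot: DHCPCD_AUTH_SENDREQUIRE is a two-bit mask, which the name does not convey, and a plain `options & DHCPCD_AUTH_SENDREQUIRE` truth test would pass when only one of the two bits is set. A comment such as `/* Both bits; compare the masked value for equality, do not test for non-zero */` would prevent that mistake. The expression `(ifo->auth.options & DHCPCD_AUTH_SENDREQUIRE) != DHCPCD_AUTH_SENDREQUIRE` is repeated once in the dhcp.c hunk and twice in dhcp6.c, so a small predicate macro or static inline defined here would keep the three sites in step.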
@@ -69,6 +71,8 @@ struct authstate {
        struct token *reconf;
 };
 
+void dhcp_auth_reset(struct authstate *);
+
 const struct token * dhcp_auth_validate(struct authstate *,
     const struct auth *,
     const uint8_t *, unsigned int, int, int,
diff --git a/dhcp.c b/dhcp.c
index 6ea91525af23c06130f5038c808b2fbabc8f5da1..280a676fea99a91d1a5ccec636b3055e22be77d9 100644 (file)
--- a/dhcp.c
+++ b/dhcp.c
@@ -867,10 +867,14 @@ make_message(struct dhcp_message **message,
                        p += ifo->vendor[0] + 1;
                }
 
-               /* We support HMAC-MD5 */
-               *p++ = DHO_FORCERENEW_NONCE;
-               *p++ = 1;
-               *p++ = AUTH_ALG_HMAC_MD5;
+               if ((ifo->auth.options & DHCPCD_AUTH_SENDREQUIRE) !=
+                   DHCPCD_AUTH_SENDREQUIRE)
+               {
+                       /* We support HMAC-MD5 */
+                       *p++ = DHO_FORCERENEW_NONCE;
+                       *p++ = 1;
+                       *p++ = AUTH_ALG_HMAC_MD5;
+               }
 
                if (ifo->vivco_len) {
                        *p++ = DHO_VIVCO;
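Review bot: Only the advertisement is gated here; nothing in this diff shows the receive path refusing a reconfigure key when DHO_FORCERENEW_NONCE was not sent. The auth.c context line `/* Nothing to validate, just accepting the key */` suggests a server-supplied key is stored regardless, so it is worth confirming that dhcp_auth_validate() or its caller rejects an unsolicited key when both SEND and REQUIRE are set. make_message() starts and ends outside the hunk.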
@@ -2014,6 +2018,7 @@ dhcp_drop(struct interface *ifp, const char *reason)
        state = D_STATE(ifp);
        if (state == NULL)
                return;
+       dhcp_auth_reset(&state->auth);
        dhcp_close(ifp);
        arp_close(ifp);
        eloop_timeouts_delete(ifp, dhcp_expire, NULL);
diff --git a/dhcp6.c b/dhcp6.c
index 046736fa8c030defeaad574d93bccb96639de2f1..eb5c7996d6d7ac661291573fdf445596e859fcfa 100644 (file)
--- a/dhcp6.c
+++ b/dhcp6.c
@@ -419,7 +419,9 @@ dhcp6_makemessage(struct interface *ifp)
                if (fqdn != FQDN_DISABLE)
                        len += sizeof(*o) + 1 + encode_rfc1035(hostname, NULL);
 
-               len += sizeof(*o); /* Reconfigure Accept */
+               if ((ifo->auth.options & DHCPCD_AUTH_SENDREQUIRE) !=
+                   DHCPCD_AUTH_SENDREQUIRE)
+                       len += sizeof(*o); /* Reconfigure Accept */
        }
 
        len += sizeof(*state->send);
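Review bot: The length reservation here and the option write in the next hunk (`o->code = htons(D6_OPTION_RECONF_ACCEPT);`) now depend on two separate copies of the same condition, and if they ever diverge the write runs `sizeof(*o)` bytes past what was counted. Evaluate it once, e.g. `int reconf_accept = (ifo->auth.options & DHCPCD_AUTH_SENDREQUIRE) != DHCPCD_AUTH_SENDREQUIRE;`, and test `reconf_accept` in both places. dhcp6_makemessage() begins and ends outside these hunks, so that the message buffer is sized from exactly this `len` is inferred rather than visible.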
@@ -653,9 +655,13 @@ dhcp6_makemessage(struct interface *ifp)
                        o->len = htons(l + 1);
                }
 
-               o = D6_NEXT_OPTION(o);
-               o->code = htons(D6_OPTION_RECONF_ACCEPT);
-               o->len = 0;
+               if ((ifo->auth.options & DHCPCD_AUTH_SENDREQUIRE) !=
+                   DHCPCD_AUTH_SENDREQUIRE)
+               {
+                       o = D6_NEXT_OPTION(o);
+                       o->code = htons(D6_OPTION_RECONF_ACCEPT);
+                       o->len = 0;
+               }
 
                if (n_options) {
                        o = D6_NEXT_OPTION(o);
@@ -2637,6 +2643,10 @@ dhcp6_freedrop(struct interface *ifp, int drop, const char *reason)
         * of which interface is delegating as we remeber it by pointer.
         * So if we need to change this behaviour, we need to change
         * how we remember which interface delegated.
+        *
+        * XXX The below is no longer true due to the change of the
+        * default IAID, but do PPP links have stable ethernet addresses?
+        *
         * To make it more interesting, on some OS's with PPP links
         * there is no guarantee the delegating interface will have
         * the same name or index so think very hard before changing
@@ -2650,6 +2660,7 @@ dhcp6_freedrop(struct interface *ifp, int drop, const char *reason)
 
        state = D6_STATE(ifp);
        if (state) {
+               dhcp_auth_reset(&state->auth);
                if (ifp->options->options & DHCPCD_RELEASE) {
                        if (ifp->carrier != LINK_DOWN)
                                dhcp6_startrelease(ifp);