authorMarkus Friedl <markus@cvs.openbsd.org>2004-12-08 16:05:38 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2004-12-08 16:05:38 +0000
commitbaa89893d8da7b8999d8a6e0ce39fa4d161d2bd1 (patch)
tree1fd2a81245d046b73ed526e270ce3544d1ec3049
parent7a5b042343e0ad37cd00eb80f4b9935b36475f95 (diff)
NAT/T: replace the isakmpd SA transport with the transport from the
message (only during phase 1). this avoids DPD messages to the 'wrong' port. ok hshoexer
-rw-r--r--sbin/isakmpd/message.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index 7d23cbaef96..bc86f0f1acc 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.89 2004/09/17 13:45:02 ho Exp $ */
+/* $OpenBSD: message.c,v 1.90 2004/12/08 16:05:37 markus Exp $ */
/* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -1225,6 +1225,9 @@ message_recv(struct message *msg)
struct keystate *ks = 0;
struct proto tmp_proto;
struct sa tmp_sa;
+#if defined (USE_NAT_TRAVERSAL)
+ struct transport *t;
+#endif
/* Messages shorter than an ISAKMP header are bad. */
if (sz < ISAKMP_HDR_SZ || sz != GET_ISAKMP_HDR_LENGTH(buf)) {
@@ -1451,6 +1454,18 @@ message_recv(struct message *msg)
free(ks);
return -1;
}
+#if defined (USE_NAT_TRAVERSAL)
+ /*
+ * Update the isakmp transport, but only in phase 1,
+ * since phase 2 SAs might use this transport
+ */
+ if (msg->exchange->phase == 1) {
+ t = msg->isakmp_sa->transport;
+ msg->isakmp_sa->transport = msg->transport;
+ transport_reference(msg->transport);
+ transport_release(t);
+ }
+#endif
/*
* Now we can validate DOI-specific exchange types. If we have no SA
* DOI-specific exchange types are definitely wrong.
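Review bot: The new phase-1 branch dereferences `msg->isakmp_sa` without a NULL check, and nothing in this hunk shows where that pointer was established; for the first message of a fresh phase-1 exchange the ISAKMP SA presumably does not exist yet, so the guard should read `if (msg->exchange->phase == 1 && msg->isakmp_sa) {`. It is also worth stating in the block comment that the swap happens on the receive path before the DOI-specific validation that follows, so an incoming packet that resolves to an existing phase-1 exchange redirects where later messages (including DPD) for that SA are sent; if this precedes the point where the message is authenticated, the behaviour for a spoofed packet with matching cookies should be confirmed. message_recv starts and ends outside the hunk, and the `t` declared in the earlier hunk is used only in this block.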