author | Markus Friedl <markus@cvs.openbsd.org> | 2004-12-08 16:05:38 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2004-12-08 16:05:38 +0000 |
commit | baa89893d8da7b8999d8a6e0ce39fa4d161d2bd1 (patch) | |
tree | 1fd2a81245d046b73ed526e270ce3544d1ec3049 /sbin/isakmpd | |
parent | 7a5b042343e0ad37cd00eb80f4b9935b36475f95 (diff) |
NAT/T: replace the isakmpd SA transport with the transport from the
message (only during phase 1). this avoids DPD messages to the
'wrong' port. ok hshoexer
Diffstat (limited to 'sbin/isakmpd')
-rw-r--r-- | sbin/isakmpd/message.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index 7d23cbaef96..bc86f0f1acc 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.89 2004/09/17 13:45:02 ho Exp $ */
+/* $OpenBSD: message.c,v 1.90 2004/12/08 16:05:37 markus Exp $ */
 /* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
 /*
@@ -1225,6 +1225,9 @@ message_recv(struct message *msg)
 struct keystate *ks = 0;
 struct proto tmp_proto;
 struct sa tmp_sa;
+#if defined (USE_NAT_TRAVERSAL)
+ struct transport *t;
+#endif
 /* Messages shorter than an ISAKMP header are bad. */
 if (sz < ISAKMP_HDR_SZ || sz != GET_ISAKMP_HDR_LENGTH(buf)) {
@@ -1451,6 +1454,18 @@ message_recv(struct message *msg)
 free(ks);
 return -1;
 }
+#if defined (USE_NAT_TRAVERSAL)
+ /*
+ * Update the isakmp transport, but only in phase 1,
+ * since phase 2 SAs might use this transport
+ */
+ if (msg->exchange->phase == 1) {
+ t = msg->isakmp_sa->transport;
+ msg->isakmp_sa->transport = msg->transport;
+ transport_reference(msg->transport);
+ transport_release(t);
+ }
+#endif
 /*
 * Now we can validate DOI-specific exchange types. If we have no SA
 * DOI-specific exchange types are definitely wrong. |
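Review bot: The phase-1 block added in the third hunk overwrites `msg->isakmp_sa->transport` as soon as the message is received, and nothing visible in the hunk shows that the message has been authenticated by that point; if it has not, a packet that is merely matched to this SA would change where later DPD and informational traffic is sent. RFC 3947 recommends taking the peer address and port only from the last valid authenticated packet, so the swap likely belongs after the exchange has verified the message, or at least needs a comment stating why it is safe at this line. Independently, the swap can be skipped when nothing changed, which avoids the reference/release churn on every phase-1 message: `if (msg->exchange->phase == 1 && msg->isakmp_sa->transport != msg->transport) {`. message_recv starts and ends outside the hunk, so the authentication state at this point should be confirmed against the full function.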