From baa89893d8da7b8999d8a6e0ce39fa4d161d2bd1 Mon Sep 17 00:00:00 2001
From: Markus Friedl
Date: Wed, 8 Dec 2004 16:05:38 +0000
Subject: NAT/T: replace the isakmpd SA transport with the transport from the message (only during phase 1). this avoids DPD messages to the 'wrong' port. ok hshoexer
---
sbin/isakmpd/message.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
(limited to 'sbin/isakmpd')
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index 7d23cbaef96..bc86f0f1acc 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.89 2004/09/17 13:45:02 ho Exp $ */
+/* $OpenBSD: message.c,v 1.90 2004/12/08 16:05:37 markus Exp $ */
 /* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
 
 /*
@@ -1225,6 +1225,9 @@ message_recv(struct message *msg)
 	struct keystate *ks = 0;
 	struct proto tmp_proto;
 	struct sa tmp_sa;
+#if defined (USE_NAT_TRAVERSAL)
+	struct transport *t;
+#endif
 
 	/* Messages shorter than an ISAKMP header are bad. */
 	if (sz < ISAKMP_HDR_SZ || sz != GET_ISAKMP_HDR_LENGTH(buf)) {
@@ -1451,6 +1454,18 @@ message_recv(struct message *msg)
 		free(ks);
 		return -1;
 	}
+#if defined (USE_NAT_TRAVERSAL)
+	/*
+	 * Update the isakmp transport, but only in phase 1,
+	 * since phase 2 SAs might use this transport
+	 */
+	if (msg->exchange->phase == 1) {
+		t = msg->isakmp_sa->transport;
+		msg->isakmp_sa->transport = msg->transport;
+		transport_reference(msg->transport);
+		transport_release(t);
+	}
+#endif
 	/*
 	 * Now we can validate DOI-specific exchange types. If we have no SA
 	 * DOI-specific exchange types are definitely wrong.
-- 
cgit v1.2.3
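Review bot: The new phase-1 block dereferences `msg->isakmp_sa` with no visible null check, and the context comment right after it ("If we have no SA DOI-specific exchange types are definitely wrong") suggests the ISAKMP SA can be absent at this point of message_recv; if any phase-1 path reaches the swap with `msg->isakmp_sa` unset, a received packet turns into a NULL dereference in the daemon. Unless that case is excluded earlier in the function (message_recv's body starts and ends outside this hunk), the condition should be `if (msg->exchange->phase == 1 && msg->isakmp_sa) {`. The reference/release order itself is right: the new transport is referenced before the old one is released, so the case where both are the same object stays balanced. The declaration added in the hunk at line 1225 carries the same `USE_NAT_TRAVERSAL` guard and needs no separate note.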