Source-Changes-HG archive
[src/netbsd-3]: src/crypto/dist/ipsec-tools/src/racoon Pull up revision 1.7 (...
details: https://anonhg.NetBSD.org/src/rev/9619ce4155ea
branches: netbsd-3
changeset: 576434:9619ce4155ea
user: tron <tron%NetBSD.org@localhost>
date: Sat Jul 02 23:22:34 2005 +0000
description:
Pull up revision 1.7 (requested by manu in ticket #503):
NAT-T fix: We treat null ports in SPD as wildcard so that IKE ports
are used instead. This was done on phase 2 initiation from the kernel
(acquire message), but not on phase 2 initiation retries when the
phase 2 had been queued for a phase 1.
diffstat:
crypto/dist/ipsec-tools/src/racoon/isakmp.c | 22 +++++++++++++++++++---
1 files changed, 19 insertions(+), 3 deletions(-)
diffs (37 lines):
diff -r f843166800a4 -r 9619ce4155ea crypto/dist/ipsec-tools/src/racoon/isakmp.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp.c Sat Jul 02 23:21:24 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.c Sat Jul 02 23:22:34 2005 +0000
@@ -1,6 +1,6 @@
-/* $NetBSD: isakmp.c,v 1.1.1.3.2.5 2005/06/29 12:17:23 tron Exp $ */
-
-/* $Id: isakmp.c,v 1.1.1.3.2.5 2005/06/29 12:17:23 tron Exp $ */
+/* $NetBSD: isakmp.c,v 1.1.1.3.2.6 2005/07/02 23:22:34 tron Exp $ */
+
+/* $Id: isakmp.c,v 1.1.1.3.2.6 2005/07/02 23:22:34 tron Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -2141,7 +2141,23 @@
return;
}
+ /*
+ * Search isakmp status table by address and port
+ * If NAT-T is in use, consider null ports as a
+ * wildcard and use IKE ports instead.
+ */
+#ifdef ENABLE_NATT
+ if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
+ if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
+ set_port(iph2->src, extract_port(iph1->local));
+ set_port(iph2->dst, extract_port(iph1->remote));
+ }
+ } else {
+ iph1 = getph1byaddr(iph2->src, iph2->dst);
+ }
+#else
iph1 = getph1byaddr(iph2->src, iph2->dst);
+#endif
/* XXX Even if ph1 as responder is there, should we not start
* phase 2 negotiation ? */
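Review bot: the `!extract_port(iph2->src) && !extract_port(iph2->dst)` test in the ENABLE_NATT branch applies the wildcard rule only when both SPD ports are null, so a phase 2 with exactly one null port goes to the `else` branch and calls `getph1byaddr(iph2->src, iph2->dst)` with the null port left in place. Either handle that mixed case or extend the comment to say why it cannot occur. Two smaller points on the same block: the port-less lookup `getph1byaddrwop()` ignores ports by design, so the comment should say which phase 1 is expected when more than one exists for the same address pair, because its ports are then written into `iph2->src` and `iph2->dst` by `set_port()`; and since the commit message says the same null-port handling already exists on the acquire path, a shared helper would keep the two call sites from drifting apart again.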