From 6add206c2f91e50524c654cc139dc5fbfebfcddb Mon Sep 17 00:00:00 2001 From: manu Date: Fri, 13 May 2005 14:09:44 +0000 Subject: [PATCH] - Fix a double free - For acquire messages, when NAT-T is in use, consider null port as a wildcard and use IKE port --- crypto/dist/ipsec-tools/ChangeLog | 14 +++++++++++++ crypto/dist/ipsec-tools/src/racoon/isakmp.c | 22 +++++++++++++++++---- lib/libipsec/package_version.h | 4 ++-- 3 files changed, 34 insertions(+), 6 deletions(-) diff --git a/crypto/dist/ipsec-tools/ChangeLog b/crypto/dist/ipsec-tools/ChangeLog index 7b968530f15e..4c382640bdbf 100644 --- a/crypto/dist/ipsec-tools/ChangeLog +++ b/crypto/dist/ipsec-tools/ChangeLog @@ -1,3 +1,17 @@ +2005-05-13 Emmanuel Dreyfus + + * src/racoon/isakmp.c: For acquire messages, when NAT-T is in use, + consider null port as a wildcard and use IKE port + +2005-05-13 Yvan Vanhullebus + + * src/racoon/isakmp.c: Fixed a double ph2handler free in + isakmp_ph2begin_i(). + +--------------------------------------------- + + 0.6b2 released + 2005-05-10 Emmanuel Dreyfus * src/racoon/samples/roadwarrior/client/racoon.conf diff --git a/crypto/dist/ipsec-tools/src/racoon/isakmp.c b/crypto/dist/ipsec-tools/src/racoon/isakmp.c index 9bcdf1a841a3..bf9f3b49b215 100644 --- a/crypto/dist/ipsec-tools/src/racoon/isakmp.c +++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.c @@ -1,6 +1,6 @@ -/* $NetBSD: isakmp.c,v 1.4 2005/05/08 08:57:26 manu Exp $ */ +/* $NetBSD: isakmp.c,v 1.5 2005/05/13 14:09:44 manu Exp $ */ -/* Id: isakmp.c,v 1.34.2.2 2005/03/13 17:31:55 vanhu Exp */ +/* $Id: isakmp.c,v 1.5 2005/05/13 14:09:44 manu Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -1164,7 +1164,6 @@ isakmp_ph2begin_i(iph1, iph2) unbindph12(iph2); /* release ipsecsa handler due to internal error. */ remph2(iph2); - delph2(iph2); return -1; } return 0; @@ -2000,8 +1999,23 @@ isakmp_post_acquire(iph2) return 0; } - /* search isakmp status table by address with masking port */ + /* + * Search isakmp status table by address and port + * If NAT-T is in use, consider null ports as a + * wildcard and use IKE ports instead. + */ +#ifdef ENABLE_NATT + if (!extract_port(iph2->src) && !extract_port(iph2->dst)) { + if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) { + set_port(iph2->src, extract_port(iph1->local)); + set_port(iph2->dst, extract_port(iph1->remote)); + } + } else { + iph1 = getph1byaddr(iph2->src, iph2->dst); + } +#else iph1 = getph1byaddr(iph2->src, iph2->dst); +#endif /* no ISAKMP-SA found. */ if (iph1 == NULL) { diff --git a/lib/libipsec/package_version.h b/lib/libipsec/package_version.h index 769a0e8fadc0..068118aa1ffc 100644 --- a/lib/libipsec/package_version.h +++ b/lib/libipsec/package_version.h @@ -1,5 +1,5 @@ #define TOP_PACKAGE "ipsec-tools" #define TOP_PACKAGE_NAME "ipsec-tools" -#define TOP_PACKAGE_VERSION "0.6-nb20050510" -#define TOP_PACKAGE_STRING "ipsec-tools 0.6-nb20050510" +#define TOP_PACKAGE_VERSION "0.6-nb20050513" +#define TOP_PACKAGE_STRING "ipsec-tools 0.6-nb20050513" #define TOP_PACKAGE_URL "http://ipsec-tools.sourceforge.net"