author | Emanuel Haupt <ehaupt@FreeBSD.org> | 2011-02-25 19:42:32 +0000 |
---|---|---|
committer | Emanuel Haupt <ehaupt@FreeBSD.org> | 2011-02-25 19:42:32 +0000 |
commit | 5cee224d7b974117c5afa774d5e230e2ec1b9b48 (patch) | |
tree | 0340c3944deb10a9ffd6b123a331407bde048e47 /security/vpnc | |
parent | b90098046531ba6e5d6d0e90053da191c4c51005 (diff) | |
Diffstat (limited to 'security/vpnc')
-rw-r--r-- | security/vpnc/Makefile | 2 | ||||
-rw-r--r-- | security/vpnc/distinfo | 1 | ||||
-rw-r--r-- | security/vpnc/files/patch-vpnc.c | 72 |
3 files changed, 73 insertions, 2 deletions
diff --git a/security/vpnc/Makefile b/security/vpnc/Makefile index 1907e17602ca..50324e0990b6 100644 --- a/security/vpnc/Makefile +++ b/security/vpnc/Makefile @@ -7,7 +7,7 @@ PORTNAME= vpnc PORTVERSION= 0.5.3 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= security MASTER_SITES= http://www.unix-ag.uni-kl.de/~massar/vpnc/ \ CRITICAL diff --git a/security/vpnc/distinfo b/security/vpnc/distinfo index 3e4f8e04612d..b99131285a59 100644 --- a/security/vpnc/distinfo +++ b/security/vpnc/distinfo @@ -1,3 +1,2 @@ -MD5 (vpnc-0.5.3.tar.gz) = 4378f9551d5b077e1770bbe09995afb3 SHA256 (vpnc-0.5.3.tar.gz) = 46cea3bd02f207c62c7c6f2f22133382602baeda1dc320747809e94881414884 SIZE (vpnc-0.5.3.tar.gz) = 98740 diff --git a/security/vpnc/files/patch-vpnc.c b/security/vpnc/files/patch-vpnc.c new file mode 100644 index 000000000000..467a553f671b --- /dev/null +++ b/security/vpnc/files/patch-vpnc.c 
@@ -0,0 +1,72 @@ +--- ./vpnc.c.orig 2011-02-25 20:17:00.000000000 +0100 ++++ ./vpnc.c 2011-02-25 20:18:49.000000000 +0100 +@@ -2861,28 +2861,34 @@ + free(dh_shared_secret); + free_isakmp_packet(r); + +- if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) { +- s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port); +- s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL; +- s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP; +- } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) { +- s->esp_fd = s->ike_fd; +- } else { ++ if (s->esp_fd == 0) { ++ if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) { ++ s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port); ++ s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL; ++ s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP; ++ } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) { ++ s->esp_fd = s->ike_fd; ++ } else { + #ifdef IP_HDRINCL +- int hincl = 1; ++ int hincl = 1; + #endif + +- s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP); +- if (s->esp_fd == -1) { +- close_tunnel(s); +- error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)"); +- } ++ s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP); ++ if (s->esp_fd == -1) { ++ close_tunnel(s); ++ error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)"); ++ } ++#ifdef FD_CLOEXEC ++ /* do not pass socket to vpnc-script, etc. 
*/ ++ fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC); ++#endif + #ifdef IP_HDRINCL +- if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) { +- close_tunnel(s); +- error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)"); +- } ++ if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) { ++ close_tunnel(s); ++ error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)"); ++ } + #endif ++ } + } + + s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1; +@@ -3224,9 +3230,14 @@ + */ + /* FIXME: any cleanup needed??? */ + +- free_isakmp_packet(r); +- do_phase2_qm(s); +- return; ++ if (rp->u.d.num_spi >= 1 && memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4) == 0) { ++ free_isakmp_packet(r); ++ do_phase2_qm(s); ++ return; ++ } else { ++ DEBUG(2, printf("got isakmp delete with bogus spi, ignoring...\n")); ++ continue; ++ } + } + /* skip ipsec-esp delete */ + if (rp->u.d.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) { |
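Review bot: The `FD_CLOEXEC` added after the raw `socket(PF_INET, SOCK_RAW, IPPROTO_ESP)` call is the only descriptor in this block that gets it, so the UDP-encapsulation socket returned by `make_socket()` in the `NATT_CISCO_UDP` branch (and the reused `ike_fd`) will still be inherited by vpnc-script unless they are marked close-on-exec elsewhere, which the hunk does not show; for the stated goal the same `fcntl` belongs after the `make_socket()` assignment too, and its result should be checked in the style of the surrounding code, e.g. `if (fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC) == -1) { close_tunnel(s); error(1, errno, "fcntl(esp_fd, F_SETFD, FD_CLOEXEC)"); }`. The new `if (s->esp_fd == 0)` guard treats descriptor 0 as "not yet opened", which only holds if `s` is zero-initialized and stdin is never closed before the socket is created; otherwise a socket that legitimately lands on fd 0 is reopened on every rekey, so if the struct is initialized explicitly `-1` is the safer sentinel. In the delete-handling hunk, `memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4)` assumes every received SPI entry is at least 4 bytes long; if the payload parser does not already enforce that, compare the payload's SPI-length field with 4 before the `memcmp`. Both enclosing functions start and end outside the hunk.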