authorEmanuel Haupt <ehaupt@FreeBSD.org>2011-02-25 19:42:32 +0000
committerEmanuel Haupt <ehaupt@FreeBSD.org>2011-02-25 19:42:32 +0000
commit5cee224d7b974117c5afa774d5e230e2ec1b9b48 (patch)
tree0340c3944deb10a9ffd6b123a331407bde048e47 /security/vpnc
parentb90098046531ba6e5d6d0e90053da191c4c51005 (diff)
Diffstat (limited to 'security/vpnc')
-rw-r--r--security/vpnc/Makefile2
-rw-r--r--security/vpnc/distinfo1
-rw-r--r--security/vpnc/files/patch-vpnc.c72
3 files changed, 73 insertions, 2 deletions
diff --git a/security/vpnc/Makefile b/security/vpnc/Makefile
index 1907e17602ca..50324e0990b6 100644
--- a/security/vpnc/Makefile
+++ b/security/vpnc/Makefile
@@ -7,7 +7,7 @@
PORTNAME= vpnc
PORTVERSION= 0.5.3
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= security
MASTER_SITES= http://www.unix-ag.uni-kl.de/~massar/vpnc/ \
CRITICAL
diff --git a/security/vpnc/distinfo b/security/vpnc/distinfo
index 3e4f8e04612d..b99131285a59 100644
--- a/security/vpnc/distinfo
+++ b/security/vpnc/distinfo
@@ -1,3 +1,2 @@
-MD5 (vpnc-0.5.3.tar.gz) = 4378f9551d5b077e1770bbe09995afb3
SHA256 (vpnc-0.5.3.tar.gz) = 46cea3bd02f207c62c7c6f2f22133382602baeda1dc320747809e94881414884
SIZE (vpnc-0.5.3.tar.gz) = 98740
diff --git a/security/vpnc/files/patch-vpnc.c b/security/vpnc/files/patch-vpnc.c
new file mode 100644
index 000000000000..467a553f671b
--- /dev/null
+++ b/security/vpnc/files/patch-vpnc.c
@@ -0,0 +1,72 @@
+--- ./vpnc.c.orig 2011-02-25 20:17:00.000000000 +0100
++++ ./vpnc.c 2011-02-25 20:18:49.000000000 +0100
+@@ -2861,28 +2861,34 @@
+ free(dh_shared_secret);
+ free_isakmp_packet(r);
+
+- if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) {
+- s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port);
+- s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
+- s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP;
+- } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) {
+- s->esp_fd = s->ike_fd;
+- } else {
++ if (s->esp_fd == 0) {
++ if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) {
++ s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port);
++ s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
++ s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP;
++ } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) {
++ s->esp_fd = s->ike_fd;
++ } else {
+ #ifdef IP_HDRINCL
+- int hincl = 1;
++ int hincl = 1;
+ #endif
+
+- s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
+- if (s->esp_fd == -1) {
+- close_tunnel(s);
+- error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)");
+- }
++ s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
++ if (s->esp_fd == -1) {
++ close_tunnel(s);
++ error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)");
++ }
++#ifdef FD_CLOEXEC
++ /* do not pass socket to vpnc-script, etc. */
++ fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC);
++#endif
+ #ifdef IP_HDRINCL
+- if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) {
+- close_tunnel(s);
+- error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)");
+- }
++ if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) {
++ close_tunnel(s);
++ error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)");
++ }
+ #endif
++ }
+ }
+
+ s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1;
+@@ -3224,9 +3230,14 @@
+ */
+ /* FIXME: any cleanup needed??? */
+
+- free_isakmp_packet(r);
+- do_phase2_qm(s);
+- return;
++ if (rp->u.d.num_spi >= 1 && memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4) == 0) {
++ free_isakmp_packet(r);
++ do_phase2_qm(s);
++ return;
++ } else {
++ DEBUG(2, printf("got isakmp delete with bogus spi, ignoring...\n"));
++ continue;
++ }
+ }
+ /* skip ipsec-esp delete */
+ if (rp->u.d.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) {
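Review bot: The new ISAKMP-delete check in the second inner hunk calls `memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4)` after testing only `num_spi`, so a delete payload that declares an SPI shorter than four bytes could be read past its end if the parser (not visible here) allocates each SPI at the declared length. Put the length in the condition as well: `if (rp->u.d.num_spi >= 1 && rp->u.d.spi_length >= 4 && memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4) == 0) {`. In the first inner hunk the result of `fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC)` is ignored, so a failure would silently leave the raw ESP socket inheritable by vpnc-script; a warning on `-1` would make that visible. The `s->esp_fd == 0` guard also treats a valid descriptor number as "not yet opened", which presumably relies on the session struct being zero-initialised; `-1` would be a safer sentinel if the initialisation is changed to match. Both enclosing functions begin and end outside the hunk.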