eclair snapshot
diff --git a/ChangeLog b/ChangeLog
index d00a9d7..0bc2ef7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,35 @@
+2009-08-13 tag ipsec-tools-0_7_3
+
+2009-08-13 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * NEWS, configure.ac: 0.7.3 release
+
+ * src/racoon/oakley.c: fixed a potential DoS in
+ oakley_do_decrypt(), reported by Orange Labs
+
+2009-08-06 Timo Teras <timo.teras@iki.fi>
+
+ * src/setkey/setkey.c: From Paul Wenau: Check fgets return value in
+ setkey to make gcc happy.
+
+2009-06-19 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/ipsec_doi.c: Backport S.P.Zeidler's fix to IPv6
+ address related stack smashing in ipsecdoi_id2str() from CVS HEAD.
+
+2009-05-18 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is
+ not really used; only referenced while uninitialized causing
+ valgrind error.
+
+ * src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check.
+
+2009-04-29 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in
+ X509 certificate validation.
+
2009-04-22 tag ipsec-tools-0_7_2
2009-04-22 Timo Teras <timo.teras@iki.fi>
diff --git a/NEWS b/NEWS
index 3084f14..29ce752 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,11 @@
Version history:
----------------
+0.7.3 - 23 August 2009
+ o Fix a remote crash and a memory leak
+ o Fixed a NAT-T flag check
+ o Some code cleanups/compilation fixes with recent gcc
+
0.7.2 - 22 April 2009
o Fix a remote crash in fragmentation code
o Phase2 message identities are phase1 specific (Vista compatibility=
diff --git a/config.h b/config.h
index b0fb71b..fd560d4 100644
--- a/config.h
+++ b/config.h
@@ -6,7 +6,7 @@
#undef ENABLE_DPD
#define HAVE_OPENSSL_AES_H
-#define HAVE_OPENSSL_ENGINE_H
+#undef HAVE_OPENSSL_ENGINE_H
#define WITH_SHA2
#define HAVE_SHA2_IN_SHA_H
diff --git a/main.c b/main.c
index a17757b..75e09f8 100644
--- a/main.c
+++ b/main.c
@@ -156,7 +156,7 @@
signal(SIGPIPE, SIG_IGN);
setup(argc, argv);
- do_plog(LLV_INFO, "ipsec-tools 0.7.2 (http://ipsec-tools.sf.net)\n");
+ do_plog(LLV_INFO, "ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)\n");
atexit(terminated);
eay_init();
@@ -266,12 +266,10 @@
{
vchar_t *p = NULL;
#ifdef ANDROID_CHANGES
- char *value = keystore_get(key, &size);
- if (value) {
- if ((p = vmalloc(size)) != NULL) {
- memcpy(p->v, value, p->l);
- }
- free(value);
+ char value[KEYSTORE_MESSAGE_SIZE];
+ int length = keystore_get(key, value);
+ if (length != -1 && (p = vmalloc(length)) != NULL) {
+ memcpy(p->v, value, length);
}
#else
if (key && (p = vmalloc(size)) != NULL) {
diff --git a/src/include-glibc/Makefile.in b/src/include-glibc/Makefile.in
index 0455572..842728e 100644
--- a/src/include-glibc/Makefile.in
+++ b/src/include-glibc/Makefile.in
@@ -58,18 +58,23 @@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTOBJS = @CRYPTOBJS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
+ECHO = @ECHO@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
EXTRA_CRYPTO = @EXTRA_CRYPTO@
-FGREP = @FGREP@
+F77 = @F77@
+FFLAGS = @FFLAGS@
FRAG_OBJS = @FRAG_OBJS@
GLIBC_BUGS = @GLIBC_BUGS@
GREP = @GREP@
@@ -83,7 +88,6 @@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
KERNEL_INCLUDE = @KERNEL_INCLUDE@
KRB5_CONFIG = @KRB5_CONFIG@
-LD = @LD@
LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
@@ -91,17 +95,13 @@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NATT_OBJS = @NATT_OBJS@
-NM = @NM@
NMEDIT = @NMEDIT@
OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
@@ -124,7 +124,8 @@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
@@ -156,7 +157,6 @@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index 7ace051..748877a 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -107,18 +107,23 @@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTOBJS = @CRYPTOBJS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
+ECHO = @ECHO@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
EXTRA_CRYPTO = @EXTRA_CRYPTO@
-FGREP = @FGREP@
+F77 = @F77@
+FFLAGS = @FFLAGS@
FRAG_OBJS = @FRAG_OBJS@
GLIBC_BUGS = @GLIBC_BUGS@
GREP = @GREP@
@@ -132,7 +137,6 @@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
KERNEL_INCLUDE = @KERNEL_INCLUDE@
KRB5_CONFIG = @KRB5_CONFIG@
-LD = @LD@
LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
@@ -140,17 +144,13 @@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NATT_OBJS = @NATT_OBJS@
-NM = @NM@
NMEDIT = @NMEDIT@
OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
@@ -173,7 +173,8 @@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
@@ -205,7 +206,6 @@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
diff --git a/src/racoon/Makefile.in b/src/racoon/Makefile.in
index 575104e..47e997b 100644
--- a/src/racoon/Makefile.in
+++ b/src/racoon/Makefile.in
@@ -143,18 +143,23 @@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTOBJS = @CRYPTOBJS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
+ECHO = @ECHO@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
EXTRA_CRYPTO = @EXTRA_CRYPTO@
-FGREP = @FGREP@
+F77 = @F77@
+FFLAGS = @FFLAGS@
FRAG_OBJS = @FRAG_OBJS@
GLIBC_BUGS = @GLIBC_BUGS@
GREP = @GREP@
@@ -168,7 +173,6 @@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
KERNEL_INCLUDE = @KERNEL_INCLUDE@
KRB5_CONFIG = @KRB5_CONFIG@
-LD = @LD@
LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
@@ -176,17 +180,13 @@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NATT_OBJS = @NATT_OBJS@
-NM = @NM@
NMEDIT = @NMEDIT@
OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
@@ -209,7 +209,8 @@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
@@ -241,7 +242,6 @@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
diff --git a/src/racoon/crypto_openssl.c b/src/racoon/crypto_openssl.c
index aca2f02..77d9ee9 100644
--- a/src/racoon/crypto_openssl.c
+++ b/src/racoon/crypto_openssl.c
@@ -1,4 +1,4 @@
-/* $NetBSD: crypto_openssl.c,v 1.11.6.5 2009/04/20 13:33:30 tteras Exp $ */
+/* $NetBSD: crypto_openssl.c,v 1.11.6.6 2009/04/29 10:50:25 tteras Exp $ */
/* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
@@ -440,16 +440,10 @@
static BIO *BIO_from_keystore(char *key)
{
BIO *bio = NULL;
- char *value;
- int size;
-
- value = keystore_get(key, &size);
- if (value) {
- bio = BIO_new(BIO_s_mem());
- if (bio) {
- BIO_write(bio, value, size);
- }
- free(value);
+ char value[KEYSTORE_MESSAGE_SIZE];
+ int length = keystore_get(key, value);
+ if (length != -1 && (bio = BIO_new(BIO_s_mem())) != NULL) {
+ BIO_write(bio, value, length);
}
return bio;
}
@@ -540,7 +534,7 @@
X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
#endif
error = X509_verify_cert(csc);
- X509_STORE_CTX_cleanup(csc);
+ X509_STORE_CTX_free(csc);
/*
* if x509_verify_cert() is successful then the value of error is
diff --git a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
index 220d93e..0aa1843 100644
--- a/src/racoon/ipsec_doi.c
+++ b/src/racoon/ipsec_doi.c
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_doi.c,v 1.23.4.9 2008/06/18 07:30:19 mgrooms Exp $ */
+/* $NetBSD: ipsec_doi.c,v 1.23.4.10 2009/06/19 07:32:52 tteras Exp $ */
/* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
@@ -4383,20 +4383,29 @@
char *dat;
static char buf[BUFLEN];
struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)id->v;
- struct sockaddr saddr;
+ struct sockaddr_storage saddr_storage;
+ struct sockaddr *saddr;
+ struct sockaddr_in *saddr_in;
+ struct sockaddr_in6 *saddr_in6;
u_int plen = 0;
+ saddr = (struct sockaddr *)&saddr_storage;
+ saddr_in = (struct sockaddr_in *)&saddr_storage;
+ saddr_in6 = (struct sockaddr_in6 *)&saddr_storage;
+
+
switch (id_b->type) {
case IPSECDOI_ID_IPV4_ADDR:
case IPSECDOI_ID_IPV4_ADDR_SUBNET:
case IPSECDOI_ID_IPV4_ADDR_RANGE:
#ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in);
+ saddr->sa_len = sizeof(struct sockaddr_in);
#endif
- saddr.sa_family = AF_INET;
- ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
+ saddr->sa_family = AF_INET;
+
+ saddr_in->sin_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in->sin_addr,
id->v + sizeof(*id_b), sizeof(struct in_addr));
break;
#ifdef INET6
@@ -4405,12 +4414,17 @@
case IPSECDOI_ID_IPV6_ADDR_RANGE:
#ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in6);
+ saddr->sa_len = sizeof(struct sockaddr_in6);
#endif
- saddr.sa_family = AF_INET6;
- ((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
+ saddr->sa_family = AF_INET6;
+
+ saddr_in6->sin6_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in6->sin6_addr,
id->v + sizeof(*id_b), sizeof(struct in6_addr));
+ saddr_in6->sin6_scope_id =
+ (IN6_IS_ADDR_LINKLOCAL(&saddr_in6->sin6_addr)
+ ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ : 0);
break;
#endif
}
@@ -4420,7 +4434,7 @@
#ifdef INET6
case IPSECDOI_ID_IPV6_ADDR:
#endif
- len = snprintf( buf, BUFLEN, "%s", saddrwop2str(&saddr));
+ len = snprintf( buf, BUFLEN, "%s", saddrwop2str(saddr));
break;
case IPSECDOI_ID_IPV4_ADDR_SUBNET:
@@ -4476,42 +4490,46 @@
plen += l;
}
- len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(&saddr), plen);
+ len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(saddr), plen);
}
break;
case IPSECDOI_ID_IPV4_ADDR_RANGE:
- len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(&saddr));
+ len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(saddr));
#ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in);
+ saddr->sa_len = sizeof(struct sockaddr_in);
#endif
- saddr.sa_family = AF_INET;
- ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
+ saddr->sa_family = AF_INET;
+ saddr_in->sin_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in->sin_addr,
id->v + sizeof(*id_b) + sizeof(struct in_addr),
sizeof(struct in_addr));
- len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr));
+ len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(saddr));
break;
#ifdef INET6
case IPSECDOI_ID_IPV6_ADDR_RANGE:
- len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(&saddr));
+ len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(saddr));
#ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in6);
+ saddr->sa_len = sizeof(struct sockaddr_in6);
#endif
- saddr.sa_family = AF_INET6;
- ((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
+ saddr->sa_family = AF_INET6;
+ saddr_in6->sin6_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in6->sin6_addr,
id->v + sizeof(*id_b) + sizeof(struct in6_addr),
sizeof(struct in6_addr));
+ saddr_in6->sin6_scope_id =
+ (IN6_IS_ADDR_LINKLOCAL(&saddr_in6->sin6_addr)
+ ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ : 0);
- len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr));
+ len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(saddr));
break;
#endif
diff --git a/src/racoon/isakmp_inf.c b/src/racoon/isakmp_inf.c
index 4f29c54..5f487d2 100644
--- a/src/racoon/isakmp_inf.c
+++ b/src/racoon/isakmp_inf.c
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_inf.c,v 1.14.4.16 2009/04/20 13:35:36 tteras Exp $ */
+/* $NetBSD: isakmp_inf.c,v 1.14.4.17 2009/05/18 17:07:46 tteras Exp $ */
/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
@@ -136,7 +136,6 @@
struct isakmp_gen *nd;
u_int8_t np;
int encrypted;
- int flag;
plog(LLV_DEBUG, LOCATION, NULL, "receive Information.\n");
@@ -313,11 +312,8 @@
"received unexpected payload type %s.\n",
s_isakmp_nptype(gen->np));
}
- if(error < 0) {
+ if (error < 0)
break;
- } else {
- flag |= error;
- }
}
end:
if (msg != NULL)
diff --git a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
index 51f3399..963438d 100644
--- a/src/racoon/isakmp_quick.c
+++ b/src/racoon/isakmp_quick.c
@@ -434,6 +434,7 @@
/* for IDcr */
vp = iph2->id_p;
}
+
#ifndef ANDROID_PATCHED
if (memcmp(vp->v, (caddr_t)pa->ptr + sizeof(struct isakmp_gen), vp->l)) {
diff --git a/src/racoon/nattraversal.c b/src/racoon/nattraversal.c
index a94da31..9fd4bcd 100644
--- a/src/racoon/nattraversal.c
+++ b/src/racoon/nattraversal.c
@@ -1,4 +1,4 @@
-/* $NetBSD: nattraversal.c,v 1.6.6.1 2009/04/20 13:27:12 tteras Exp $ */
+/* $NetBSD: nattraversal.c,v 1.6.6.2 2009/05/18 17:01:07 tteras Exp $ */
/*
* Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
@@ -287,7 +287,7 @@
void
natt_float_ports (struct ph1handle *iph1)
{
- if (! (iph1->natt_flags && NAT_DETECTED) )
+ if (! (iph1->natt_flags & NAT_DETECTED) )
return;
if (! iph1->natt_options->float_port){
/* Drafts 00 / 01, just schedule keepalive */
diff --git a/src/racoon/oakley.c b/src/racoon/oakley.c
index 0eff94a..183ac2f 100644
--- a/src/racoon/oakley.c
+++ b/src/racoon/oakley.c
@@ -1,4 +1,4 @@
-/* $NetBSD: oakley.c,v 1.9.6.3 2008/03/06 17:00:25 vanhu Exp $ */
+/* $NetBSD: oakley.c,v 1.9.6.4 2009/08/13 09:18:45 vanhu Exp $ */
/* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
@@ -1372,6 +1372,7 @@
return ISAKMP_INTERNAL_ERROR;
#else
break;
+
case ISAKMP_CERT_PLAINRSA:
error = get_plainrsa_fromlocal(iph1, 0);
break;
@@ -1638,12 +1639,14 @@
if (iph1->cert)
return 0;
return get_cert_fromlocal(iph1, 1);
+
#ifndef ANDROID_PATCHED
case ISAKMP_CERT_PLAINRSA:
if (iph1->rsa)
return 0;
return get_plainrsa_fromlocal(iph1, 1);
#endif
+
default:
plog(LLV_ERROR, LOCATION, NULL,
"Unknown certtype #%d\n",
@@ -3128,7 +3131,7 @@
/* do decrypt */
new = alg_oakley_encdef_decrypt(iph1->approval->enctype,
buf, iph1->key, ivdp);
- if (new == NULL) {
+ if (new == NULL || new->v == NULL || new->l == 0) {
plog(LLV_ERROR, LOCATION, NULL,
"decryption %d failed.\n", iph1->approval->enctype);
goto end;
