Hello community, here is the log from the commit of package vpnc for openSUSE:Factory checked in at 2011-11-14 13:46:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/vpnc (Old) and /work/SRC/openSUSE:Factory/.vpnc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "vpnc", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/vpnc/vpnc.changes 2011-10-28 15:26:23.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.vpnc.new/vpnc.changes 2011-11-14 13:46:07.000000000 +0100 
@@ -1,0 +2,38 @@ +Wed Nov 9 06:25:30 UTC 2011 - [email protected] + +- update to rev 472 of nortel branch + - memleak fix improved and upstreamed + +------------------------------------------------------------------- +Tue Nov 8 16:15:48 UTC 2011 - [email protected] + +- update to rev 469 of nortel branch + - fritzbox compatibility patches improved and upstreamed +- add patch to fix memleaks, to be upstreamed +- add a very ugly patch to restart vpnc after lifetime expired + +------------------------------------------------------------------- +Fri Nov 4 08:04:55 UTC 2011 - [email protected] + +- update to rev 464 of nortel branch + - fix some endianness issues + - improve handling of some isakmp delete payloads + - fix some format string warnings from debug messages and + strict aliasing warnings +- add URL to spec file +- add "checkout_svn.sh" to generate a new tarball from SVN + +------------------------------------------------------------------- +Fri Nov 4 06:52:02 UTC 2011 - [email protected] + +- add another patch from the vpnc mailing list for fritzbox + compatibility (vpnc-fritzbox2.diff) + +------------------------------------------------------------------- +Thu Nov 3 20:21:21 UTC 2011 - [email protected] + +- add patch to make vpnc work against fritzbox vpn: + - ignore invalid(?) ike lifetime attribute instead of asserting + - ignore ISAKMP_PAYLOAD_N message instead of aborting + +------------------------------------------------------------------- Old: ---- vpnc-0.5.3r449.tar.bz2 New: ---- checkout_svn.sh vpnc-0.5.3r472.tar.bz2 vpnc-restart-after-timeout.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vpnc.spec ++++++ --- /var/tmp/diff_new_pack.F1uoeu/_old 2011-11-14 13:46:09.000000000 +0100 +++ /var/tmp/diff_new_pack.F1uoeu/_new 2011-11-14 13:46:09.000000000 +0100 
@@ -21,17 +21,22 @@ Group: Productivity/Networking/Security BuildRequires: libgcrypt-devel BuildRequires: gnutls libgnutls-devel pkg-config -Version: 0.5.3r449 -Release: 12 +Version: 0.5.3r472 +Release: 13 License: BSD3c(or similar) ; GPLv2+ AutoReqProv: on Summary: A Client for Cisco VPN concentrator +Url: http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel Requires: /usr/bin/sed /sbin/ip Source: %{name}-%{version}.tar.bz2 +# only for checkin warnings... +Source1: checkout_svn.sh Patch0: bugfix.diff Patch1: vpnc-no-build-dates.patch Patch2: work-with-netconfig.patch Patch3: vpnc-ipid.diff +# most ugly hack ever +Patch4: vpnc-restart-after-timeout.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -61,9 +66,10 @@ #Patch is not yet working :-( #patch2 -p0 %patch -P 3 -p1 +%patch4 -p1 %build -export CFLAGS="%optflags -fno-strict-aliasing" +export CFLAGS="%optflags" make PREFIX=/usr %install ++++++ checkout_svn.sh ++++++ #!/bin/bash URL=http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel REL=0.5.3 if [ x$1 = x-h ]; then echo "usage: $0 <rev>" echo " check out revision 'rev' of $URL" echo " and pack it as vpnc-${REL}r<rev>.tar.bz2" echo exit 0 fi REV="" if [ $1 ]; then REV="$1" else REV=$(LC_ALL=C svn info $URL| awk -F": " '/^Revision: / { print $2 }') fi DIR=$(mktemp -d ./vpnc-download-XXXXXX) cd $DIR echo "exporting revision $REV..." svn export -r $REV $URL vpnc if [ $? != 0 ]; then echo "export failed? please check and cleanup $DIR afterwards..." exit 1 fi tar cpjf vpnc-${REL}r${REV}.tar.bz2 vpnc mv -i vpnc-${REL}r${REV}.tar.bz2 ../ cd .. rm -r $DIR ++++++ vpnc-0.5.3r449.tar.bz2 -> vpnc-0.5.3r472.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/enum2debug.pl new/vpnc/enum2debug.pl --- old/vpnc/enum2debug.pl 2009-09-12 19:17:49.000000000 +0200 +++ new/vpnc/enum2debug.pl 2011-08-22 16:19:18.000000000 +0200 
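Review bot: The `%build` hunk drops `-fno-strict-aliasing` from CFLAGS while the same update replaces `memcpy`-based sequence-number handling in vpnc.c with cast dereferences on byte buffers (`*((uint32_t *) pl->u.n.data) = htonl(seqno);` in the DPD sender and `ntohl(*((uint32_t *) rp->u.n.data))` in the two R-U-THERE handlers), which is exactly the pattern that flag was covering. The changelog says the strict-aliasing warnings were fixed, but a warning-free build does not make those accesses defined, and without the flag the compiler is entitled to reorder them relative to byte-wise accesses of the same buffer. Keep `export CFLAGS="%optflags -fno-strict-aliasing"` until those sites are converted back to `memcpy`, or at least build once with `-Wstrict-aliasing=2` to confirm nothing new is flagged.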
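Review bot: checkout_svn.sh exports the release tarball from `http://svn.unix-ag.uni-kl.de/...` over plain HTTP with no integrity check, so whatever the network returns becomes the packaged source, and the tarball records only the revision number in its name, not anything a later checkin could verify against. Use the `https://` endpoint if the server offers one, and consider saving the `svn info -r $REV $URL` output alongside the tarball so the exported revision can be re-checked. The script also continues after an unchecked `cd $DIR` and leaves every expansion unquoted; prefer `set -eu` at the top, `cd "$DIR" || exit 1`, and `if [ -n "$1" ]` in place of `if [ $1 ]` so an empty or space-containing argument cannot change what gets exported.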
@@ -54,6 +54,8 @@ } elsif ($in_enum && /^}/) { print "\t{ 0,\t(const char *) 0 }\n};\n\n"; $in_enum = 0; + } elsif (/^\s*\/\*.*\*\/\s*$/) { + next; } elsif ($in_enum && /^\W*(\w+)\W*/) { print "\t{ $1,\t\" ($1)\" },\n"; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/isakmp-pkt.c new/vpnc/isakmp-pkt.c --- old/vpnc/isakmp-pkt.c 2009-06-16 12:02:23.000000000 +0200 +++ new/vpnc/isakmp-pkt.c 2011-11-09 03:01:50.000000000 +0100 @@ -16,7 +16,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - $Id: isakmp-pkt.c 397 2009-06-16 10:02:23Z Antonio Borneo $ + $Id: isakmp-pkt.c 470 2011-11-09 02:01:50Z Antonio Borneo $ */ #include <assert.h> @@ -468,6 +468,7 @@ case ISAKMP_PAYLOAD_N: free(p->u.n.spi); free(p->u.n.data); + free_isakmp_attributes(p->u.n.attributes); break; case ISAKMP_PAYLOAD_D: if (p->u.d.spi) { @@ -928,7 +929,7 @@ } DEBUG(3, printf("BEGIN_PARSE\n")); - DEBUG(3, printf("Recieved Packet Len: %d\n", data_len)); + DEBUG(3, printf("Recieved Packet Len: %zu\n", data_len)); fetchn(r->i_cookie, ISAKMP_COOKIE_LENGTH); hex_dump("i_cookie", r->i_cookie, ISAKMP_COOKIE_LENGTH, NULL); fetchn(r->r_cookie, ISAKMP_COOKIE_LENGTH); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/isakmp.h new/vpnc/isakmp.h --- old/vpnc/isakmp.h 2009-10-31 17:05:14.000000000 +0100 +++ new/vpnc/isakmp.h 2011-08-22 16:19:18.000000000 +0200 @@ -15,7 +15,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - $Id: isakmp.h 448 2009-10-31 16:05:14Z Antonio Borneo $ + $Id: isakmp.h 460 2011-08-22 14:19:18Z Antonio Borneo $ */ #ifndef __ISAKMP_H__ 
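Review bot: The added `free_isakmp_attributes(p->u.n.attributes);` in the `ISAKMP_PAYLOAD_N` case assumes every path that builds a notification payload leaves `attributes` NULL when there are none (or that `free_isakmp_attributes` tolerates NULL), and the new `lifetime_ike_process(s, rp->u.n.attributes)` / `lifetime_ipsec_process(s, rp->u.n.attributes)` callers in vpnc.c receive the same pointer — neither the initialisation nor the callee's ownership is visible here, so a double free or a leak cannot be ruled out from the hunk. Once confirmed, pin it down with a comment at the free site, `/* owned by the payload; lifetime_*_process() only reads the list */`, and add a NULL guard inside `free_isakmp_attributes` if it does not already have one. The enclosing switch and its function start and end outside the hunk.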
@@ -486,6 +486,10 @@ ISAKMP_MODECFG_ATTRIB_CISCO_UDP_ENCAP_PORT, ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN, /* whatever 0x7006 is... */ ISAKMP_MODECFG_ATTRIB_CISCO_DO_PFS, + /* Cisco Ext: Smartcard Disconnect */ + /* Cisco Ext: IKE_CFG_FWTYPE_VENDOR */ + /* Cisco Ext: IKE_CFG_FWTYPE_PRODUCT */ + /* Cisco Ext: IKE_CFG_FWTYPE_CAPABILITIES??? */ ISAKMP_MODECFG_ATTRIB_CISCO_FW_TYPE, ISAKMP_MODECFG_ATTRIB_CISCO_BACKUP_SERVER, ISAKMP_MODECFG_ATTRIB_CISCO_DDNS_HOSTNAME, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/sysdep.h new/vpnc/sysdep.h --- old/vpnc/sysdep.h 2008-11-26 09:03:43.000000000 +0100 +++ new/vpnc/sysdep.h 2011-08-20 14:21:51.000000000 +0200 @@ -109,6 +109,9 @@ #define HAVE_FGETLN 1 #define HAVE_UNSETENV 1 #define HAVE_SETENV 1 +#if (__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__-0) >= 1070 +#define HAVE_GETLINE 1 +#endif #endif /***************************************************************************/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/test-crypto.c new/vpnc/test-crypto.c --- old/vpnc/test-crypto.c 2009-09-12 20:24:21.000000000 +0200 +++ new/vpnc/test-crypto.c 2011-08-22 16:19:38.000000000 +0200 @@ -114,7 +114,7 @@ if (size != sizeof(dec_data)) { fprintf(stderr, "Error decrypting signature: unexpected " - "decrypted size %zd (expected %u)\n", size, sizeof(dec_data)); + "decrypted size %zd (expected %zu)\n", size, sizeof(dec_data)); return 1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/tunip.c new/vpnc/tunip.c --- old/vpnc/tunip.c 2009-09-05 19:10:59.000000000 +0200 +++ new/vpnc/tunip.c 2011-11-08 16:52:17.000000000 +0100 
@@ -21,7 +21,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - $Id: tunip.c 425 2009-09-05 17:10:59Z Antonio Borneo $ + $Id: tunip.c 465 2011-11-08 15:52:17Z Antonio Borneo $ */ /* borrowed from pipsecd (-; */ @@ -177,7 +177,7 @@ return -1; } if (r < (p->ip_hl << 2) + s->ipsec.em->fixed_header_size) { - syslog(LOG_ALERT, "packet too short. got %d, expected %d", r, (p->ip_hl << 2) + s->ipsec.em->fixed_header_size); + syslog(LOG_ALERT, "packet too short. got %zd, expected %d", r, (p->ip_hl << 2) + s->ipsec.em->fixed_header_size); return -1; } @@ -216,7 +216,7 @@ return -1; } if (r < s->ipsec.em->fixed_header_size) { - syslog(LOG_ALERT, "packet too short from %s. got %d, expected %d", + syslog(LOG_ALERT, "packet too short from %s. got %zd, expected %d", inet_ntoa(s->dst), r, s->ipsec.em->fixed_header_size); return -1; } @@ -521,7 +521,7 @@ } blksz = s->ipsec.blk_len; - if ((len % blksz) != 0) { + if (s->ipsec.cry_algo && ((len % blksz) != 0)) { syslog(LOG_ALERT, "payload len %d not a multiple of algorithm block size %lu", len, (unsigned long)blksz); @@ -616,7 +616,7 @@ ntohs(arp->arp_op) != ARPOP_REQUEST || !memcmp(arp->arp_spa, arp->arp_tpa, 4) || memcmp(eth->ether_shost, s->tun_hwaddr, ETH_ALEN) || - !memcmp(arp->arp_tpa, s->our_address, 4)) { + !memcmp(arp->arp_tpa, &s->our_address, 4)) { /* whatever .. just drop it */ return 1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/tunip.h new/vpnc/tunip.h --- old/vpnc/tunip.h 2009-09-12 03:32:55.000000000 +0200 +++ new/vpnc/tunip.h 2011-08-22 16:19:38.000000000 +0200 @@ -15,7 +15,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - $Id: tunip.h 439 2009-09-12 01:32:55Z Antonio Borneo $ + $Id: tunip.h 464 2011-08-22 14:19:38Z Antonio Borneo $ */ #ifndef __TUNIP_H__ 
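Review bot: The new guard `if (s->ipsec.cry_algo && ((len % blksz) != 0))` silently disables the block-alignment check whenever no cipher is configured, and nothing in the hunk says why, so a reader will assume a length check on peer data was lost. If the intent is that `blk_len` is 0 for the null cipher (so the modulo would divide by zero), state it on the line above: `/* no cipher: blk_len is 0, nothing to align and len % 0 would trap */`. The enclosing function starts and ends outside the hunk.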
@@ -107,7 +107,7 @@ int natd_type; uint8_t *natd_us, *natd_them; } ike; - uint8_t our_address[4], our_netmask[4]; + struct in_addr our_address; struct { int do_pfs; int cry_algo, md_algo; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/vpnc.c new/vpnc/vpnc.c --- old/vpnc/vpnc.c 2009-10-31 18:01:55.000000000 +0100 +++ new/vpnc/vpnc.c 2011-11-09 03:01:50.000000000 +0100 @@ -18,7 +18,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - $Id: vpnc.c 449 2009-10-31 17:01:55Z Antonio Borneo $ + $Id: vpnc.c 470 2011-11-09 02:01:50Z Antonio Borneo $ */ #define _GNU_SOURCE @@ -89,6 +89,10 @@ 0x90, 0xCB, 0x80, 0x91, 0x3E, 0xBB, 0x69, 0x6E, 0x08, 0x63, 0x81, 0xB5, 0xEC, 0x42, 0x7B, 0x1F }; +const unsigned char VID_NATT_03[] = { /* "draft-ietf-ipsec-nat-t-ike-03" */ + 0x7d, 0x94, 0x19, 0xa6, 0x53, 0x10, 0xca, 0x6f, + 0x2c, 0x17, 0x9d, 0x92, 0x15, 0x52, 0x9d, 0x56 +}; const unsigned char VID_NATT_RFC[] = { /* "RFC 3947" */ 0x4A, 0x13, 0x1C, 0x81, 0x07, 0x03, 0x58, 0x45, 0x5C, 0x57, 0x28, 0xF2, 0x0E, 0x95, 0x45, 0x2F @@ -151,6 +155,7 @@ { VID_NATT_01, sizeof(VID_NATT_01), "Nat-T 01" }, { VID_NATT_02, sizeof(VID_NATT_02), "Nat-T 02" }, { VID_NATT_02N, sizeof(VID_NATT_02N), "Nat-T 02N" }, + { VID_NATT_03, sizeof(VID_NATT_03), "Nat-T 03" }, { VID_NATT_RFC, sizeof(VID_NATT_RFC), "Nat-T RFC" }, { VID_DWR, sizeof(VID_DWR), "Delete With Reason" }, { VID_CISCO_FRAG, sizeof(VID_CISCO_FRAG), "Cisco Fragmentation" }, @@ -760,7 +765,7 @@ memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH); pl->u.n.data_length = 4; pl->u.n.data = xallocc(4); - memcpy(pl->u.n.data, &seqno, 4); + *((uint32_t *) pl->u.n.data) = htonl(seqno); gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid)); /* 2007-09-06 JKU/ZID: Sonicwall drops non hashed r_u_there-requests */ sendrecv_phase2(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid, 
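Review bot: `*((uint32_t *) pl->u.n.data) = htonl(seqno);` fixes the byte order of the DPD sequence number but replaces a `memcpy` with a type-punned store through a `uint8_t *`, the idiom that strict aliasing lets the compiler miscompile and that the spec in this same update stops guarding against by dropping `-fno-strict-aliasing`. Keep the endianness fix and the copy: `uint32_t be_seqno = htonl(seqno); memcpy(pl->u.n.data, &be_seqno, 4);`, and use the mirror form `memcpy(&seq, rp->u.n.data, 4); seq = ntohl(seq);` for the two R-U-THERE reads changed later in this file. The enclosing function (presumably `send_dpd`, judging by the payload it builds) starts and ends outside the hunk.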
@@ -778,7 +783,7 @@ */ s->ike.dpd_attempts = 6; s->ike.dpd_sent = time(NULL); - ++s->ike.dpd_seqno; + s->ike.dpd_seqno++; send_dpd(s, 0, s->ike.dpd_seqno); } else { /* Our last dpd request has not yet been acked. If it's been @@ -936,7 +941,7 @@ reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED; else { addenv_ipv4("INTERNAL_IP4_ADDRESS", a->u.lots.data); - memcpy(s->our_address, a->u.lots.data, 4); + memcpy(&s->our_address, a->u.lots.data, 4); } seen_address = 1; break; @@ -949,7 +954,7 @@ if (a->af != isakmp_attr_lots || a->u.lots.length != 4) reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED; else { - uint32_t netaddr = ((struct in_addr *)(s->our_address))->s_addr & ((struct in_addr *)(a->u.lots.data))->s_addr; + uint32_t netaddr = s->our_address.s_addr & ((struct in_addr *)(a->u.lots.data))->s_addr; addenv_ipv4("INTERNAL_IP4_NETMASK", a->u.lots.data); asprintf(&strbuf, "%d", mask_to_masklen(*((struct in_addr *)a->u.lots.data))); setenv("INTERNAL_IP4_NETMASKLEN", strbuf, 1); @@ -1207,8 +1212,11 @@ value = a->next->u.attr_16; else if (a->next->af == isakmp_attr_lots && a->next->u.lots.length == 4) value = ntohl(*((uint32_t *) a->next->u.lots.data)); - else - assert(0); + else { + DEBUG(2, printf("got unknown ike lifetime attributes af %d len %d\n", + a->next->af, a->next->u.lots.length)); + return; + } DEBUG(2, printf("got ike lifetime attributes: %d %s\n", value, (a->u.attr_16 == IKE_LIFE_TYPE_SECONDS) ? "seconds" : "kilobyte")); @@ -1334,6 +1342,8 @@ l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, VID_NATT_RFC, sizeof(VID_NATT_RFC)); l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, + VID_NATT_03, sizeof(VID_NATT_03)); + l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, VID_NATT_02N, sizeof(VID_NATT_02N)); l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, VID_NATT_02, sizeof(VID_NATT_02)); 
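Review bot: Replacing `assert(0)` with a debug message and `return` is the right call — a peer-chosen attribute encoding must never abort the client — but the message reads `a->next->u.lots.length` even when `a->next->af` is not `isakmp_attr_lots`, i.e. it prints an inactive union member and will show garbage for the 16-bit case. Print the length only when it is meaningful, e.g. `a->next->af == isakmp_attr_lots ? a->next->u.lots.length : 0`, or drop it and log just `a->next->af`. The enclosing lifetime function starts and ends outside the hunk.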
@@ -1571,6 +1581,12 @@ seen_natt_vid = 1; if (natt_draft < 1) natt_draft = 2; DEBUG(2, printf("peer is NAT-T capable (RFC 3947)\n")); + } else if (rp->u.vid.length == sizeof(VID_NATT_03) + && memcmp(rp->u.vid.data, VID_NATT_03, + sizeof(VID_NATT_03)) == 0) { + seen_natt_vid = 1; + if (natt_draft < 1) natt_draft = 2; + DEBUG(2, printf("peer is NAT-T capable (draft-03)\n")); } else if (rp->u.vid.length == sizeof(VID_NATT_02N) && memcmp(rp->u.vid.data, VID_NATT_02N, sizeof(VID_NATT_02N)) == 0) { @@ -1657,6 +1673,19 @@ seen_natd_them = 1; } break; + case ISAKMP_PAYLOAD_N: + if (rp->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) { + if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP) + lifetime_ike_process(s, rp->u.n.attributes); + else if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP) + lifetime_ipsec_process(s, rp->u.n.attributes); + else + DEBUG(2, printf("got unknown lifetime notice, ignoring..\n")); + } else { + DEBUG(1, printf("rejecting ISAKMP_PAYLOAD_N, type is not lifetime\n")); + reject = ISAKMP_N_INVALID_PAYLOAD_TYPE; + } + break; default: DEBUG(1, printf("rejecting invalid payload type %d\n", rp->type)); reject = ISAKMP_N_INVALID_PAYLOAD_TYPE; @@ -2690,7 +2719,7 @@ // Nortel specific version static struct isakmp_payload *make_our_sa_ipsec_nortel(struct sa_block *s, struct isakmp_payload *transform, int proposal_number) { - struct isakmp_payload *r = new_isakmp_payload(ISAKMP_PAYLOAD_SA); + struct isakmp_payload *r; struct isakmp_payload *p = NULL, *pn; struct isakmp_attribute *a; int dh_grp = get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id; @@ -2738,7 +2767,7 @@ static struct isakmp_payload *make_our_sa_ipsec(struct sa_block *s) { - struct isakmp_payload *r = new_isakmp_payload(ISAKMP_PAYLOAD_SA); + struct isakmp_payload *r; struct isakmp_payload *p = NULL, *pn; struct isakmp_attribute *a; int dh_grp = get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id; 
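Review bot: The new `case ISAKMP_PAYLOAD_N:` applies `ISAKMP_N_IPSEC_RESPONDER_LIFETIME` values from the peer as soon as they are parsed; if this payload loop runs over the phase-1 reply before the peer's hash or signature has been verified (the enclosing function and its authentication step are outside the hunk), an on-path attacker can dictate IKE and IPsec lifetimes, and with the restart-after-timeout patch added in this same update a value of a few seconds becomes a continuous renegotiation loop. Either defer applying the notification until the exchange is authenticated, or clamp the values inside `lifetime_ike_process` / `lifetime_ipsec_process` to a documented minimum and log when a peer value is rejected. The `reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;` for any other notification type is also hard to diagnose from the current message; include the type, `DEBUG(1, printf("rejecting ISAKMP_PAYLOAD_N type %d, not a lifetime notice\n", rp->u.n.type));`.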
@@ -2748,12 +2777,6 @@ r = new_isakmp_payload(ISAKMP_PAYLOAD_SA); r->u.sa.doi = ISAKMP_DOI_IPSEC; r->u.sa.situation = ISAKMP_IPSEC_SIT_IDENTITY_ONLY; - r->u.sa.proposals = new_isakmp_payload(ISAKMP_PAYLOAD_P); - r->u.sa.proposals->u.p.spi_size = 4; - r->u.sa.proposals->u.p.spi = xallocc(4); - /* The sadb_sa_spi field is already in network order. */ - memcpy(r->u.sa.proposals->u.p.spi, &s->ipsec.rx.spi, 4); - r->u.sa.proposals->u.p.prot_id = ISAKMP_IPSEC_PROTO_IPSEC_ESP; for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) { keylen = supp_crypt[crypt].keylen; for (hash = 0; supp_hash[hash].name != NULL; hash++) { @@ -3128,7 +3151,7 @@ us->u.id.type = ISAKMP_IPSEC_ID_IPV4_ADDR; us->u.id.length = 4; us->u.id.data = xallocc(4); - memcpy(us->u.id.data, s->our_address, sizeof(struct in_addr)); + memcpy(us->u.id.data, &s->our_address, sizeof(struct in_addr)); them = new_isakmp_payload(ISAKMP_PAYLOAD_ID); them->u.id.type = ISAKMP_IPSEC_ID_IPV4_ADDR_SUBNET; them->u.id.length = 8; 
@@ -3374,36 +3397,38 @@ free_isakmp_packet(r); } - if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) { - s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port); - s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL; - s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP; - } else if ((opt_natt_mode == NATT_NORTEL_UDP) && s->ipsec.peer_udpencap_port) { - s->esp_fd = make_socket(s, 0, s->ipsec.peer_udpencap_port); - s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL; - s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP; /* AB: change it */ - } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) { - s->esp_fd = s->ike_fd; - } else { + if (s->esp_fd == 0) { + if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) { + s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port); + s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL; + s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP; + } else if ((opt_natt_mode == NATT_NORTEL_UDP) && s->ipsec.peer_udpencap_port) { + s->esp_fd = make_socket(s, 0, s->ipsec.peer_udpencap_port); + s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL; + s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP; /* AB: change it */ + } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) { + s->esp_fd = s->ike_fd; + } else { #ifdef IP_HDRINCL - int hincl = 1; + int hincl = 1; #endif - s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP); - if (s->esp_fd == -1) { - close_tunnel(s); - error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)"); - } + s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP); + if (s->esp_fd == -1) { + close_tunnel(s); + error(1, errno, "Couldn't open socket of ESP. 
Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)"); + } #ifdef FD_CLOEXEC - /* do not pass socket to vpnc-script, etc. */ - fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC); + /* do not pass socket to vpnc-script, etc. */ + fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC); #endif #ifdef IP_HDRINCL - if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) { - close_tunnel(s); - error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)"); - } + if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) { + close_tunnel(s); + error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)"); + } #endif + } } s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1; @@ -3659,7 +3684,7 @@ DEBUG(2, printf("ignoring bad data length R-U-THERE request\n")); continue; } - memcpy(&seq, rp->u.n.data, 4); + seq = ntohl(*((uint32_t *) rp->u.n.data)); send_dpd(s, 1, seq); DEBUG(2, printf("got r-u-there request sent ack\n")); continue; @@ -3669,7 +3694,7 @@ DEBUG(2, printf("ignoring bad data length R-U-THERE-ACK\n")); continue; } - memcpy(&seqack, rp->u.n.data, 4); + seqack = ntohl(*((uint32_t *) rp->u.n.data)); if (seqack == s->ike.dpd_seqno) { s->ike.dpd_seqno_ack = seqack; } else { @@ -3694,9 +3719,14 @@ */ /* FIXME: any cleanup needed??? */ - free_isakmp_packet(r); - do_phase2_qm(s); - return; + if (rp->u.d.num_spi >= 1 && memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4) == 0) { + free_isakmp_packet(r); + do_phase2_qm(s); + return; + } else { + DEBUG(2, printf("got isakmp delete with bogus spi (expected %d, received %d), ignoring...\n", s->ipsec.tx.spi, *(rp->u.d.spi[0]) )); + continue; + } } /* skip ipsec-esp delete */ if (rp->u.d.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) { ++++++ vpnc-restart-after-timeout.diff ++++++ Index: b/tunip.c =================================================================== --- a/tunip.c +++ b/tunip.c 
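Review bot: `if (s->esp_fd == 0)` uses descriptor 0 as the "not yet opened" marker, but 0 is a valid descriptor: if stdin has been closed (a daemonised run, or a caller that closes fd 0) the `socket()` / `make_socket()` below can legitimately return 0, and on the next pass through this code the guard opens a second ESP socket and leaks the first. Since `struct sa_block` is zeroed with `memset` before use, set `s->esp_fd = -1;` where the block is initialised and test `if (s->esp_fd < 0)` here; failing that, document the assumption on the test line, `/* 0: not opened yet, sa_block is memset to 0 */`. The enclosing function starts and ends outside the hunk.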
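Review bot: In the new `else` branch of the ISAKMP delete handling the debug message dereferences `rp->u.d.spi[0]` although that branch is reached precisely when `rp->u.d.num_spi >= 1` is false, so a Delete payload carrying zero SPIs reads past (or through a NULL) SPI array whenever debug level 2 is on; the message additionally prints only the first byte of the SPI via `*(rp->u.d.spi[0])` and formats the `uint32_t` `s->ipsec.tx.spi` with `%d`. Keep the SPI comparison, which is a good hardening, but make the diagnostic safe, e.g. `DEBUG(2, printf("got isakmp delete with bogus spi, ignoring...\n"));` followed by `if (rp->u.d.num_spi >= 1) hex_dump("received spi", rp->u.d.spi[0], 4, NULL);` — `hex_dump` is already used in this file. The enclosing function starts and ends outside the hunk.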
@@ -884,10 +884,13 @@ static void vpnc_main_loop(struct sa_blo time(NULL) - s->ipsec.life.start, s->ipsec.life.seconds, s->ipsec.life.rx/1024, s->ipsec.life.tx/1024, s->ipsec.life.kbytes)); + if (s->ipsec.life.seconds && + (time(NULL) - s->ipsec.life.start + 1 >= s->ipsec.life.seconds)) + do_kill = -3; } while ((presult == 0 || (presult == -1 && errno == EINTR)) && !do_kill); if (presult == -1) { syslog(LOG_ERR, "select: %m"); continue; } @@ -945,10 +948,13 @@ static void vpnc_main_loop(struct sa_blo } } switch (do_kill) { + case -3: + syslog(LOG_NOTICE, "connection terminated by timeout -> restart"); + break; case -2: syslog(LOG_NOTICE, "connection terminated by dead peer detection"); break; case -1: syslog(LOG_NOTICE, "connection terminated by peer"); Index: b/vpnc.c =================================================================== --- a/vpnc.c +++ b/vpnc.c @@ -3779,24 +3779,25 @@ int main(int argc, char **argv) #endif gcry_check_version("1.1.90"); gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0); group_init(); - memset(s, 0, sizeof(*s)); - s->ipsec.encap_mode = IPSEC_ENCAP_TUNNEL; - s->ike.timeout = 1000; /* 1 second */ - do_config(argc, argv); if (opt_vendor == VENDOR_NORTEL) group_id = tolowercase(config[CONFIG_IPSEC_ID]); else group_id = config[CONFIG_IPSEC_ID]; DEBUG(1, printf("\nvpnc version " VERSION "\n")); hex_dump("hex_test", hex_test, sizeof(hex_test), NULL); + do { + memset(s, 0, sizeof(*s)); + s->ipsec.encap_mode = IPSEC_ENCAP_TUNNEL; + s->ike.timeout = 1000; /* 1 second */ + DEBUGTOP(2, printf("S1 init_sockaddr\n")); init_sockaddr(&s->dst, config[CONFIG_IPSEC_GATEWAY]); init_sockaddr(&s->opt_src_ip, config[CONFIG_LOCAL_ADDR]); DEBUGTOP(2, printf("S2 make_socket\n")); s->ike.src_port = atoi(config[CONFIG_LOCAL_PORT]); 
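Review bot: The new `time(NULL) - s->ipsec.life.start + 1 >= s->ipsec.life.seconds` trigger tears the tunnel down and forces a full re-negotiation the moment the peer-granted IPsec lifetime elapses, with no lower bound and no back-off; if a peer hands out a lifetime of a few seconds (the lifetime-notification handling added in this same update applies peer values directly) this becomes a continuous reconnect loop that repeats phase 1 against the gateway every round. Clamp the trigger, e.g. `if (s->ipsec.life.seconds >= MIN_RESTART_LIFETIME && ...)` with a documented constant, or delay the restart with a growing sleep in main's retry loop. It also calls `time(NULL)` a second time in the same iteration as the preceding DEBUG, so the logged remaining time and the decision can disagree by a second; read it once into a local and use that for both. The enclosing `vpnc_main_loop` starts and ends outside the hunk.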
@@ -3847,10 +3848,11 @@ int main(int argc, char **argv) close_tunnel(s); /* Free resources */ DEBUGTOP(2, printf("S9 cleanup\n")); cleanup(s); + } while (do_kill == -3); if (opt_vendor == VENDOR_NORTEL) free((void *)group_id); return 0; } -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
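Review bot: Nothing in the new `do { ... } while (do_kill == -3);` loop resets `do_kill` before the next iteration: if `vpnc_main_loop` does not clear it on entry (its start is outside this hunk), the second pass enters the select loop with `do_kill == -3` already set, leaves it immediately with "connection terminated by timeout -> restart", and spins through IKE negotiations indefinitely. Add `do_kill = 0;` as the first statement of the loop body, beside the `memset`, unless the reset is confirmed elsewhere. The `memset(s, 0, sizeof(*s))` now running after the previous round's `cleanup(s)` is fine for discarding stale key material, but any descriptor `cleanup` leaves open is thereby lost rather than closed, so that contract should be checked when this hack is upstreamed. The enclosing `main` starts outside the hunk.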
