Hello community,
here is the log from the commit of package vpnc for openSUSE:Factory checked in at 2011-11-14 13:46:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/vpnc (Old)
and /work/SRC/openSUSE:Factory/.vpnc.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "vpnc", Maintainer is "coolo@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:Factory/vpnc/vpnc.changes 2011-10-28 15:26:23.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.vpnc.new/vpnc.changes 2011-11-14 13:46:07.000000000 +0100
@@ -1,0 +2,38 @@
+Wed Nov 9 06:25:30 UTC 2011 - seife+obs@b1-systems.com
+
+- update to rev 472 of nortel branch
+ - memleak fix improved and upstreamed
+
+-------------------------------------------------------------------
+Tue Nov 8 16:15:48 UTC 2011 - seife+obs@b1-systems.com
+
+- update to rev 469 of nortel branch
+ - fritzbox compatibility patches improved and upstreamed
+- add patch to fix memleaks, to be upstreamed
+- add a very ugly patch to restart vpnc after lifetime expired
+
+-------------------------------------------------------------------
+Fri Nov 4 08:04:55 UTC 2011 - seife+obs@b1-systems.com
+
+- update to rev 464 of nortel branch
+ - fix some endianness issues
+ - improve handling of some isakmp delete payloads
+ - fix some format string warnings from debug messages and
+ strict aliasing warnings
+- add URL to spec file
+- add "checkout_svn.sh" to generate a new tarball from SVN
+
+-------------------------------------------------------------------
+Fri Nov 4 06:52:02 UTC 2011 - seife+obs@b1-systems.com
+
+- add another patch from the vpnc mailing list for fritzbox
+ compatibility (vpnc-fritzbox2.diff)
+
+-------------------------------------------------------------------
+Thu Nov 3 20:21:21 UTC 2011 - seife+obs@b1-systems.com
+
+- add patch to make vpnc work against fritzbox vpn:
+ - ignore invalid(?) ike lifetime attribute instead of asserting
+ - ignore ISAKMP_PAYLOAD_N message instead of aborting
+
+-------------------------------------------------------------------
Old:
----
vpnc-0.5.3r449.tar.bz2
New:
----
checkout_svn.sh
vpnc-0.5.3r472.tar.bz2
vpnc-restart-after-timeout.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ vpnc.spec ++++++
--- /var/tmp/diff_new_pack.F1uoeu/_old 2011-11-14 13:46:09.000000000 +0100
+++ /var/tmp/diff_new_pack.F1uoeu/_new 2011-11-14 13:46:09.000000000 +0100
@@ -21,17 +21,22 @@
Group: Productivity/Networking/Security
BuildRequires: libgcrypt-devel
BuildRequires: gnutls libgnutls-devel pkg-config
-Version: 0.5.3r449
-Release: 12
+Version: 0.5.3r472
+Release: 13
License: BSD3c(or similar) ; GPLv2+
AutoReqProv: on
Summary: A Client for Cisco VPN concentrator
+Url: http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel
Requires: /usr/bin/sed /sbin/ip
Source: %{name}-%{version}.tar.bz2
+# only for checkin warnings...
+Source1: checkout_svn.sh
Patch0: bugfix.diff
Patch1: vpnc-no-build-dates.patch
Patch2: work-with-netconfig.patch
Patch3: vpnc-ipid.diff
+# most ugly hack ever
+Patch4: vpnc-restart-after-timeout.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -61,9 +66,10 @@
#Patch is not yet working :-(
#patch2 -p0
%patch -P 3 -p1
+%patch4 -p1
%build
-export CFLAGS="%optflags -fno-strict-aliasing"
+export CFLAGS="%optflags"
make PREFIX=/usr
%install
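Review bot: Dropping `-fno-strict-aliasing` from CFLAGS is only safe if the sources no longer read or write byte buffers through incompatible pointer types, yet the vpnc.c shipped in this same update still does `*((uint32_t *) pl->u.n.data) = htonl(seqno)` and `ntohl(*((uint32_t *) rp->u.n.data))`; depending on how those buffers were filled, that can be a strict-aliasing violation the optimizer is now free to exploit. Either keep the flag until those sites go through memcpy, or add a comment above the export line recording why it is no longer needed. The new patch line is also inconsistent with the one above it: `%patch -P 4 -p1` would match `%patch -P 3 -p1`.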
++++++ checkout_svn.sh ++++++
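#!/bin/bash
# Export one revision of the vpnc nortel branch from SVN and pack it as
# vpnc-<REL>r<rev>.tar.bz2 in the current directory.
#
# usage: checkout_svn.sh [rev]
#   rev   SVN revision to export; when omitted, the branch's current
#         revision as reported by `svn info` is used.
URL=http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel
REL=0.5.3

if [ "$1" = "-h" ]; then
	echo "usage: $0 <rev>"
	echo " check out revision 'rev' of $URL"
	echo " and pack it as vpnc-${REL}r<rev>.tar.bz2"
	echo
	exit 0
fi

REV=""
if [ -n "$1" ]; then
	REV="$1"
else
	# No revision given: ask the repository for its current one.
	REV=$(LC_ALL=C svn info "$URL" | awk -F": " '/^Revision: / { print $2 }')
fi
# An empty REV would otherwise turn "svn export -r $REV $URL" into a
# differently-parsed command line; fail early instead.
if [ -z "$REV" ]; then
	echo "could not determine the revision to export (svn info failed?)" >&2
	exit 1
fi

# Work inside a fresh temporary directory so a failed export never
# touches anything that already exists here.
DIR=$(mktemp -d ./vpnc-download-XXXXXX) || exit 1
cd "$DIR" || exit 1

echo "exporting revision $REV..."
if ! svn export -r "$REV" "$URL" vpnc; then
	echo "export failed? please check and cleanup $DIR afterwards..."
	exit 1
fi

TARBALL="vpnc-${REL}r${REV}.tar.bz2"
tar cpjf "$TARBALL" vpnc
# -i keeps an existing tarball of the same revision from being clobbered silently.
mv -i "$TARBALL" ../
cd ..
rm -r "$DIR"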
++++++ vpnc-0.5.3r449.tar.bz2 -> vpnc-0.5.3r472.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/enum2debug.pl new/vpnc/enum2debug.pl
--- old/vpnc/enum2debug.pl 2009-09-12 19:17:49.000000000 +0200
+++ new/vpnc/enum2debug.pl 2011-08-22 16:19:18.000000000 +0200
@@ -54,6 +54,8 @@
} elsif ($in_enum && /^}/) {
print "\t{ 0,\t(const char *) 0 }\n};\n\n";
$in_enum = 0;
+ } elsif (/^\s*\/\*.*\*\/\s*$/) {
+ next;
} elsif ($in_enum && /^\W*(\w+)\W*/) {
print "\t{ $1,\t\" ($1)\" },\n";
}
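Review bot: The new skip branch only recognises a comment that opens and closes on one line (`/^\s*\/\*.*\*\/\s*$/`), so a `/* ... */` block spanning several lines inside an enum still reaches the `$in_enum && /^\W*(\w+)\W*/` branch and emits a bogus table entry for the first word of each comment line. The isakmp.h comments this accompanies are single-line, so it works today; a note above the branch, `# skip single-line /* */ comments; multi-line comments are not handled`, would record the limitation. The branch also sits before the `$in_enum` test and so applies outside enums too, which looks harmless. The enclosing loop starts outside the hunk.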
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/isakmp-pkt.c new/vpnc/isakmp-pkt.c
--- old/vpnc/isakmp-pkt.c 2009-06-16 12:02:23.000000000 +0200
+++ new/vpnc/isakmp-pkt.c 2011-11-09 03:01:50.000000000 +0100
@@ -16,7 +16,7 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- $Id: isakmp-pkt.c 397 2009-06-16 10:02:23Z Antonio Borneo $
+ $Id: isakmp-pkt.c 470 2011-11-09 02:01:50Z Antonio Borneo $
*/
#include
@@ -468,6 +468,7 @@
case ISAKMP_PAYLOAD_N:
free(p->u.n.spi);
free(p->u.n.data);
+ free_isakmp_attributes(p->u.n.attributes);
break;
case ISAKMP_PAYLOAD_D:
if (p->u.d.spi) {
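Review bot: `free_isakmp_attributes(p->u.n.attributes)` assumes the attributes pointer is valid or NULL for every N payload, not only for responder-lifetime notices; if the payload allocator does not zero the union, a notify whose attributes were never parsed would hand garbage to the free routine. That depends on code outside the hunk and is worth confirming; a one-line comment such as `/* attributes are parsed only for lifetime notices and are NULL otherwise */` would document the invariant this relies on. The enclosing free function continues outside the hunk.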
@@ -928,7 +929,7 @@
}
DEBUG(3, printf("BEGIN_PARSE\n"));
- DEBUG(3, printf("Recieved Packet Len: %d\n", data_len));
+ DEBUG(3, printf("Recieved Packet Len: %zu\n", data_len));
fetchn(r->i_cookie, ISAKMP_COOKIE_LENGTH);
hex_dump("i_cookie", r->i_cookie, ISAKMP_COOKIE_LENGTH, NULL);
fetchn(r->r_cookie, ISAKMP_COOKIE_LENGTH);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/isakmp.h new/vpnc/isakmp.h
--- old/vpnc/isakmp.h 2009-10-31 17:05:14.000000000 +0100
+++ new/vpnc/isakmp.h 2011-08-22 16:19:18.000000000 +0200
@@ -15,7 +15,7 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- $Id: isakmp.h 448 2009-10-31 16:05:14Z Antonio Borneo $
+ $Id: isakmp.h 460 2011-08-22 14:19:18Z Antonio Borneo $
*/
#ifndef __ISAKMP_H__
@@ -486,6 +486,10 @@
ISAKMP_MODECFG_ATTRIB_CISCO_UDP_ENCAP_PORT,
ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN, /* whatever 0x7006 is... */
ISAKMP_MODECFG_ATTRIB_CISCO_DO_PFS,
+ /* Cisco Ext: Smartcard Disconnect */
+ /* Cisco Ext: IKE_CFG_FWTYPE_VENDOR */
+ /* Cisco Ext: IKE_CFG_FWTYPE_PRODUCT */
+ /* Cisco Ext: IKE_CFG_FWTYPE_CAPABILITIES??? */
ISAKMP_MODECFG_ATTRIB_CISCO_FW_TYPE,
ISAKMP_MODECFG_ATTRIB_CISCO_BACKUP_SERVER,
ISAKMP_MODECFG_ATTRIB_CISCO_DDNS_HOSTNAME,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/sysdep.h new/vpnc/sysdep.h
--- old/vpnc/sysdep.h 2008-11-26 09:03:43.000000000 +0100
+++ new/vpnc/sysdep.h 2011-08-20 14:21:51.000000000 +0200
@@ -109,6 +109,9 @@
#define HAVE_FGETLN 1
#define HAVE_UNSETENV 1
#define HAVE_SETENV 1
+#if (__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__-0) >= 1070
+#define HAVE_GETLINE 1
+#endif
#endif
/***************************************************************************/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/test-crypto.c new/vpnc/test-crypto.c
--- old/vpnc/test-crypto.c 2009-09-12 20:24:21.000000000 +0200
+++ new/vpnc/test-crypto.c 2011-08-22 16:19:38.000000000 +0200
@@ -114,7 +114,7 @@
if (size != sizeof(dec_data)) {
fprintf(stderr, "Error decrypting signature: unexpected "
- "decrypted size %zd (expected %u)\n", size, sizeof(dec_data));
+ "decrypted size %zd (expected %zu)\n", size, sizeof(dec_data));
return 1;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/tunip.c new/vpnc/tunip.c
--- old/vpnc/tunip.c 2009-09-05 19:10:59.000000000 +0200
+++ new/vpnc/tunip.c 2011-11-08 16:52:17.000000000 +0100
@@ -21,7 +21,7 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- $Id: tunip.c 425 2009-09-05 17:10:59Z Antonio Borneo $
+ $Id: tunip.c 465 2011-11-08 15:52:17Z Antonio Borneo $
*/
/* borrowed from pipsecd (-; */
@@ -177,7 +177,7 @@
return -1;
}
if (r < (p->ip_hl << 2) + s->ipsec.em->fixed_header_size) {
- syslog(LOG_ALERT, "packet too short. got %d, expected %d", r, (p->ip_hl << 2) + s->ipsec.em->fixed_header_size);
+ syslog(LOG_ALERT, "packet too short. got %zd, expected %d", r, (p->ip_hl << 2) + s->ipsec.em->fixed_header_size);
return -1;
}
@@ -216,7 +216,7 @@
return -1;
}
if (r < s->ipsec.em->fixed_header_size) {
- syslog(LOG_ALERT, "packet too short from %s. got %d, expected %d",
+ syslog(LOG_ALERT, "packet too short from %s. got %zd, expected %d",
inet_ntoa(s->dst), r, s->ipsec.em->fixed_header_size);
return -1;
}
@@ -521,7 +521,7 @@
}
blksz = s->ipsec.blk_len;
- if ((len % blksz) != 0) {
+ if (s->ipsec.cry_algo && ((len % blksz) != 0)) {
syslog(LOG_ALERT,
"payload len %d not a multiple of algorithm block size %lu", len,
(unsigned long)blksz);
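Review bot: The added `s->ipsec.cry_algo &&` guard skips the block-size check when no cipher is configured, presumably to avoid `len % 0` when blksz is 0 for the null cipher, but that intent is not written down and the modulo is still unguarded if blksz can be 0 while a cipher is set. Making the guard explicit, `if (s->ipsec.cry_algo && blksz != 0 && (len % blksz) != 0) {`, with a comment `/* no cipher => no block alignment to enforce */`, puts the assumption in the code. The enclosing function starts and ends outside the hunk.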
@@ -616,7 +616,7 @@
ntohs(arp->arp_op) != ARPOP_REQUEST ||
!memcmp(arp->arp_spa, arp->arp_tpa, 4) ||
memcmp(eth->ether_shost, s->tun_hwaddr, ETH_ALEN) ||
- !memcmp(arp->arp_tpa, s->our_address, 4)) {
+ !memcmp(arp->arp_tpa, &s->our_address, 4)) {
/* whatever .. just drop it */
return 1;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/tunip.h new/vpnc/tunip.h
--- old/vpnc/tunip.h 2009-09-12 03:32:55.000000000 +0200
+++ new/vpnc/tunip.h 2011-08-22 16:19:38.000000000 +0200
@@ -15,7 +15,7 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- $Id: tunip.h 439 2009-09-12 01:32:55Z Antonio Borneo $
+ $Id: tunip.h 464 2011-08-22 14:19:38Z Antonio Borneo $
*/
#ifndef __TUNIP_H__
@@ -107,7 +107,7 @@
int natd_type;
uint8_t *natd_us, *natd_them;
} ike;
- uint8_t our_address[4], our_netmask[4];
+ struct in_addr our_address;
struct {
int do_pfs;
int cry_algo, md_algo;
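Review bot: The struct change removes `our_netmask` along with turning `our_address` into a `struct in_addr`, but no hunk in this update touches a remaining user of `our_netmask`, so either it was already dead or its callers are outside the shown hunks; a build with `-Wall` confirms which. Since the callers in vpnc.c copy four bytes into `our_address` by length, a short comment on the field, `/* INTERNAL_IP4_ADDRESS from mode-config, network byte order */`, would record what it holds if that is indeed the source, which the vpnc.c hunks suggest but this header does not show. The enclosing struct continues outside the hunk.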
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vpnc/vpnc.c new/vpnc/vpnc.c
--- old/vpnc/vpnc.c 2009-10-31 18:01:55.000000000 +0100
+++ new/vpnc/vpnc.c 2011-11-09 03:01:50.000000000 +0100
@@ -18,7 +18,7 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- $Id: vpnc.c 449 2009-10-31 17:01:55Z Antonio Borneo $
+ $Id: vpnc.c 470 2011-11-09 02:01:50Z Antonio Borneo $
*/
#define _GNU_SOURCE
@@ -89,6 +89,10 @@
0x90, 0xCB, 0x80, 0x91, 0x3E, 0xBB, 0x69, 0x6E,
0x08, 0x63, 0x81, 0xB5, 0xEC, 0x42, 0x7B, 0x1F
};
+const unsigned char VID_NATT_03[] = { /* "draft-ietf-ipsec-nat-t-ike-03" */
+ 0x7d, 0x94, 0x19, 0xa6, 0x53, 0x10, 0xca, 0x6f,
+ 0x2c, 0x17, 0x9d, 0x92, 0x15, 0x52, 0x9d, 0x56
+};
const unsigned char VID_NATT_RFC[] = { /* "RFC 3947" */
0x4A, 0x13, 0x1C, 0x81, 0x07, 0x03, 0x58, 0x45,
0x5C, 0x57, 0x28, 0xF2, 0x0E, 0x95, 0x45, 0x2F
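Review bot: `VID_NATT_03` is written with lowercase hex digits while the neighbouring vendor-ID tables such as `VID_NATT_RFC` use uppercase; one convention per table keeps visual comparison against the draft's published hash simple. The comment names the draft the value stands for, which is good; stating how the bytes were derived from that string (the NAT-T vendor IDs are conventionally the MD5 of the draft name, though that is not verifiable from the hunk) would let a reader re-check the constant.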
@@ -151,6 +155,7 @@
{ VID_NATT_01, sizeof(VID_NATT_01), "Nat-T 01" },
{ VID_NATT_02, sizeof(VID_NATT_02), "Nat-T 02" },
{ VID_NATT_02N, sizeof(VID_NATT_02N), "Nat-T 02N" },
+ { VID_NATT_03, sizeof(VID_NATT_03), "Nat-T 03" },
{ VID_NATT_RFC, sizeof(VID_NATT_RFC), "Nat-T RFC" },
{ VID_DWR, sizeof(VID_DWR), "Delete With Reason" },
{ VID_CISCO_FRAG, sizeof(VID_CISCO_FRAG), "Cisco Fragmentation" },
@@ -760,7 +765,7 @@
memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
pl->u.n.data_length = 4;
pl->u.n.data = xallocc(4);
- memcpy(pl->u.n.data, &seqno, 4);
+ *((uint32_t *) pl->u.n.data) = htonl(seqno);
gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
/* 2007-09-06 JKU/ZID: Sonicwall drops non hashed r_u_there-requests */
sendrecv_phase2(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid,
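Review bot: `*((uint32_t *) pl->u.n.data) = htonl(seqno);` stores through a `uint32_t *` into a byte buffer, and the two R-U-THERE hunks later in this file read the same way with `ntohl(*((uint32_t *) rp->u.n.data))`. The byte-order fix itself is right (the old memcpy sent the sequence number in host order), but the punning relies on the buffer's alignment and effective type, and this update also drops `-fno-strict-aliasing` from the build. The portable form is the same length: `uint32_t be_seqno = htonl(seqno); memcpy(pl->u.n.data, &be_seqno, 4);` here, and on the receive side `uint32_t be; memcpy(&be, rp->u.n.data, 4); seq = ntohl(be);`. The enclosing function starts outside the hunk.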
@@ -778,7 +783,7 @@
*/
s->ike.dpd_attempts = 6;
s->ike.dpd_sent = time(NULL);
- ++s->ike.dpd_seqno;
+ s->ike.dpd_seqno++;
send_dpd(s, 0, s->ike.dpd_seqno);
} else {
/* Our last dpd request has not yet been acked. If it's been
@@ -936,7 +941,7 @@
reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
else {
addenv_ipv4("INTERNAL_IP4_ADDRESS", a->u.lots.data);
- memcpy(s->our_address, a->u.lots.data, 4);
+ memcpy(&s->our_address, a->u.lots.data, 4);
}
seen_address = 1;
break;
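Review bot: `memcpy(&s->our_address, a->u.lots.data, 4);` hard-codes the length while the later ID-payload hunk copies the same field with `sizeof(struct in_addr)`; now that `our_address` is a struct, `memcpy(&s->our_address, a->u.lots.data, sizeof s->our_address);` at both sites ties the length to the declaration and keeps them consistent. The `a->u.lots.length != 4` check visible in the context makes the literal safe today. The enclosing function starts outside the hunk.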
@@ -949,7 +954,7 @@
if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
else {
- uint32_t netaddr = ((struct in_addr *)(s->our_address))->s_addr & ((struct in_addr *)(a->u.lots.data))->s_addr;
+ uint32_t netaddr = s->our_address.s_addr & ((struct in_addr *)(a->u.lots.data))->s_addr;
addenv_ipv4("INTERNAL_IP4_NETMASK", a->u.lots.data);
asprintf(&strbuf, "%d", mask_to_masklen(*((struct in_addr *)a->u.lots.data)));
setenv("INTERNAL_IP4_NETMASKLEN", strbuf, 1);
@@ -1207,8 +1212,11 @@
value = a->next->u.attr_16;
else if (a->next->af == isakmp_attr_lots && a->next->u.lots.length == 4)
value = ntohl(*((uint32_t *) a->next->u.lots.data));
- else
- assert(0);
+ else {
+ DEBUG(2, printf("got unknown ike lifetime attributes af %d len %d\n",
+ a->next->af, a->next->u.lots.length));
+ return;
+ }
DEBUG(2, printf("got ike lifetime attributes: %d %s\n", value,
(a->u.attr_16 == IKE_LIFE_TYPE_SECONDS) ? "seconds" : "kilobyte"));
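Review bot: The new diagnostic prints `a->next->u.lots.length` even when `a->next->af` is not `isakmp_attr_lots`, so for any other encoding the logged length is whatever the inactive union member holds; printing the length only in the lots case, or just the af value, avoids a misleading log line. Replacing `assert(0)` with an early return is the right direction, since the attribute comes from the peer and the assert let a malformed lifetime abort the client. The early return also leaves the peer-proposed lifetime unapplied, which deserves a comment: `/* unknown encoding: keep our default lifetime */`. The enclosing function starts outside the hunk.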
@@ -1334,6 +1342,8 @@
l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
VID_NATT_RFC, sizeof(VID_NATT_RFC));
l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
+ VID_NATT_03, sizeof(VID_NATT_03));
+ l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
VID_NATT_02N, sizeof(VID_NATT_02N));
l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
VID_NATT_02, sizeof(VID_NATT_02));
@@ -1571,6 +1581,12 @@
seen_natt_vid = 1;
if (natt_draft < 1) natt_draft = 2;
DEBUG(2, printf("peer is NAT-T capable (RFC 3947)\n"));
+ } else if (rp->u.vid.length == sizeof(VID_NATT_03)
+ && memcmp(rp->u.vid.data, VID_NATT_03,
+ sizeof(VID_NATT_03)) == 0) {
+ seen_natt_vid = 1;
+ if (natt_draft < 1) natt_draft = 2;
+ DEBUG(2, printf("peer is NAT-T capable (draft-03)\n"));
} else if (rp->u.vid.length == sizeof(VID_NATT_02N)
&& memcmp(rp->u.vid.data, VID_NATT_02N,
sizeof(VID_NATT_02N)) == 0) {
@@ -1657,6 +1673,19 @@
seen_natd_them = 1;
}
break;
+ case ISAKMP_PAYLOAD_N:
+ if (rp->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
+ if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP)
+ lifetime_ike_process(s, rp->u.n.attributes);
+ else if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP)
+ lifetime_ipsec_process(s, rp->u.n.attributes);
+ else
+ DEBUG(2, printf("got unknown lifetime notice, ignoring..\n"));
+ } else {
+ DEBUG(1, printf("rejecting ISAKMP_PAYLOAD_N, type is not lifetime\n"));
+ reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
+ }
+ break;
default:
DEBUG(1, printf("rejecting invalid payload type %d\n", rp->type));
reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
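Review bot: The new `ISAKMP_PAYLOAD_N` case passes `rp->u.n.attributes` straight into `lifetime_ike_process`/`lifetime_ipsec_process`; the earlier lifetime hunk shows those functions reading `a->next`, so they must tolerate a NULL or single-element list, because the notify and its attributes are peer-controlled. A cheap guard here is `if (rp->u.n.attributes == NULL) { DEBUG(2, printf("lifetime notice without attributes\n")); break; }`. It is also not visible from the hunk whether this switch runs before or after the peer is authenticated; if before, a lifetime notice now influences the SA where it was previously rejected, and a comment recording that decision would help. The enclosing function starts and ends outside the hunk.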
@@ -2690,7 +2719,7 @@
// Nortel specific version
static struct isakmp_payload *make_our_sa_ipsec_nortel(struct sa_block *s, struct isakmp_payload *transform, int proposal_number)
{
- struct isakmp_payload *r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
+ struct isakmp_payload *r;
struct isakmp_payload *p = NULL, *pn;
struct isakmp_attribute *a;
int dh_grp = get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id;
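Review bot: Removing the initializer of `r` fixes the double allocation (the surviving `r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);` is visible in the make_our_sa_ipsec hunk below), but in make_our_sa_ipsec_nortel the matching assignment is outside this hunk; confirm `r` is assigned on every path before it is dereferenced, since the old initializer masked any such gap. The same change is made in the make_our_sa_ipsec hunk that follows. Both function bodies continue outside the hunks.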
@@ -2738,7 +2767,7 @@
static struct isakmp_payload *make_our_sa_ipsec(struct sa_block *s)
{
- struct isakmp_payload *r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
+ struct isakmp_payload *r;
struct isakmp_payload *p = NULL, *pn;
struct isakmp_attribute *a;
int dh_grp = get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id;
@@ -2748,12 +2777,6 @@
r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
r->u.sa.doi = ISAKMP_DOI_IPSEC;
r->u.sa.situation = ISAKMP_IPSEC_SIT_IDENTITY_ONLY;
- r->u.sa.proposals = new_isakmp_payload(ISAKMP_PAYLOAD_P);
- r->u.sa.proposals->u.p.spi_size = 4;
- r->u.sa.proposals->u.p.spi = xallocc(4);
- /* The sadb_sa_spi field is already in network order. */
- memcpy(r->u.sa.proposals->u.p.spi, &s->ipsec.rx.spi, 4);
- r->u.sa.proposals->u.p.prot_id = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
keylen = supp_crypt[crypt].keylen;
for (hash = 0; supp_hash[hash].name != NULL; hash++) {
@@ -3128,7 +3151,7 @@
us->u.id.type = ISAKMP_IPSEC_ID_IPV4_ADDR;
us->u.id.length = 4;
us->u.id.data = xallocc(4);
- memcpy(us->u.id.data, s->our_address, sizeof(struct in_addr));
+ memcpy(us->u.id.data, &s->our_address, sizeof(struct in_addr));
them = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
them->u.id.type = ISAKMP_IPSEC_ID_IPV4_ADDR_SUBNET;
them->u.id.length = 8;
@@ -3374,36 +3397,38 @@
free_isakmp_packet(r);
}
- if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) {
- s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port);
- s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
- s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP;
- } else if ((opt_natt_mode == NATT_NORTEL_UDP) && s->ipsec.peer_udpencap_port) {
- s->esp_fd = make_socket(s, 0, s->ipsec.peer_udpencap_port);
- s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
- s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP; /* AB: change it */
- } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) {
- s->esp_fd = s->ike_fd;
- } else {
+ if (s->esp_fd == 0) {
+ if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) {
+ s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port);
+ s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
+ s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP;
+ } else if ((opt_natt_mode == NATT_NORTEL_UDP) && s->ipsec.peer_udpencap_port) {
+ s->esp_fd = make_socket(s, 0, s->ipsec.peer_udpencap_port);
+ s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
+ s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP; /* AB: change it */
+ } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) {
+ s->esp_fd = s->ike_fd;
+ } else {
#ifdef IP_HDRINCL
- int hincl = 1;
+ int hincl = 1;
#endif
- s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
- if (s->esp_fd == -1) {
- close_tunnel(s);
- error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)");
- }
+ s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
+ if (s->esp_fd == -1) {
+ close_tunnel(s);
+ error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)");
+ }
#ifdef FD_CLOEXEC
- /* do not pass socket to vpnc-script, etc. */
- fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC);
+ /* do not pass socket to vpnc-script, etc. */
+ fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC);
#endif
#ifdef IP_HDRINCL
- if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) {
- close_tunnel(s);
- error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)");
- }
+ if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) {
+ close_tunnel(s);
+ error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)");
+ }
#endif
+ }
}
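Review bot: `if (s->esp_fd == 0)` uses descriptor 0 as the "not yet opened" marker, but 0 is a valid descriptor: when stdin has been closed (a daemon, or a caller that closed fd 0) `socket()` can legitimately return 0, after which this block would reopen the ESP socket on the next pass and leak the previous one. Initialising `esp_fd` to -1 where `s` is set up and testing `s->esp_fd < 0` removes the ambiguity; if 0 is relied on because `s` is zeroed with memset elsewhere, a comment at this line should say so. Whether anything before this point assigns esp_fd is not visible from the hunk, and the re-indentation of the whole block makes the real change hard to spot in the diff.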
s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1;
@@ -3659,7 +3684,7 @@
DEBUG(2, printf("ignoring bad data length R-U-THERE request\n"));
continue;
}
- memcpy(&seq, rp->u.n.data, 4);
+ seq = ntohl(*((uint32_t *) rp->u.n.data));
send_dpd(s, 1, seq);
DEBUG(2, printf("got r-u-there request sent ack\n"));
continue;
@@ -3669,7 +3694,7 @@
DEBUG(2, printf("ignoring bad data length R-U-THERE-ACK\n"));
continue;
}
- memcpy(&seqack, rp->u.n.data, 4);
+ seqack = ntohl(*((uint32_t *) rp->u.n.data));
if (seqack == s->ike.dpd_seqno) {
s->ike.dpd_seqno_ack = seqack;
} else {
@@ -3694,9 +3719,14 @@
*/
/* FIXME: any cleanup needed??? */
- free_isakmp_packet(r);
- do_phase2_qm(s);
- return;
+ if (rp->u.d.num_spi >= 1 && memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4) == 0) {
+ free_isakmp_packet(r);
+ do_phase2_qm(s);
+ return;
+ } else {
+ DEBUG(2, printf("got isakmp delete with bogus spi (expected %d, received %d), ignoring...\n", s->ipsec.tx.spi, *(rp->u.d.spi[0]) ));
+ continue;
+ }
}
/* skip ipsec-esp delete */
if (rp->u.d.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) {
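Review bot: `memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4)` assumes the received SPI is four bytes, but the only length check is `num_spi >= 1`; if the parsed delete payload records its SPI size (the proposal payload has `spi_size`, so the parser likely keeps it for deletes as well), add it to the condition, e.g. `rp->u.d.num_spi >= 1 && rp->u.d.spi_size == 4 && memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4) == 0`, so a short SPI from the peer cannot make memcmp read past its buffer. The diagnostic prints `*(rp->u.d.spi[0])`, which is only the first byte, with `%d`, and `s->ipsec.tx.spi` in network order; copying the received SPI into a `uint32_t` with memcpy and printing both as `%08x` after `ntohl` would make the message meaningful. Ignoring a delete whose SPI does not match instead of tearing the tunnel down is a sound hardening. The enclosing function continues outside the hunk.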
++++++ vpnc-restart-after-timeout.diff ++++++
Index: b/tunip.c
===================================================================
--- a/tunip.c
+++ b/tunip.c
@@ -884,10 +884,13 @@ static void vpnc_main_loop(struct sa_blo
time(NULL) - s->ipsec.life.start,
s->ipsec.life.seconds,
s->ipsec.life.rx/1024,
s->ipsec.life.tx/1024,
s->ipsec.life.kbytes));
+ if (s->ipsec.life.seconds &&
+ (time(NULL) - s->ipsec.life.start + 1 >= s->ipsec.life.seconds))
+ do_kill = -3;
} while ((presult == 0 || (presult == -1 && errno == EINTR)) && !do_kill);
if (presult == -1) {
syslog(LOG_ERR, "select: %m");
continue;
}
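Review bot: The expiry test calls `time(NULL)` a second time after the debug output above and compares with an unexplained `+ 1`; computing the elapsed time once into a local, `time_t elapsed = time(NULL) - s->ipsec.life.start;`, and commenting the offset (`/* fire one second early so we renegotiate before the peer expires the SA */`, if that is the intent) would make it reviewable. `-3` is a new magic value for `do_kill` next to -1 and -2; an enum naming the three termination reasons would serve the switch in the next hunk as well. The check also runs only when select() returns, so on an idle link the restart is delayed up to the select timeout, which the comment should state if acceptable. The enclosing loop starts outside the hunk.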
@@ -945,10 +948,13 @@ static void vpnc_main_loop(struct sa_blo
}
}
switch (do_kill) {
+ case -3:
+ syslog(LOG_NOTICE, "connection terminated by timeout -> restart");
+ break;
case -2:
syslog(LOG_NOTICE, "connection terminated by dead peer detection");
break;
case -1:
syslog(LOG_NOTICE, "connection terminated by peer");
Index: b/vpnc.c
===================================================================
--- a/vpnc.c
+++ b/vpnc.c
@@ -3779,24 +3779,25 @@ int main(int argc, char **argv)
#endif
gcry_check_version("1.1.90");
gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0);
group_init();
- memset(s, 0, sizeof(*s));
- s->ipsec.encap_mode = IPSEC_ENCAP_TUNNEL;
- s->ike.timeout = 1000; /* 1 second */
-
do_config(argc, argv);
if (opt_vendor == VENDOR_NORTEL)
group_id = tolowercase(config[CONFIG_IPSEC_ID]);
else
group_id = config[CONFIG_IPSEC_ID];
DEBUG(1, printf("\nvpnc version " VERSION "\n"));
hex_dump("hex_test", hex_test, sizeof(hex_test), NULL);
+ do {
+ memset(s, 0, sizeof(*s));
+ s->ipsec.encap_mode = IPSEC_ENCAP_TUNNEL;
+ s->ike.timeout = 1000; /* 1 second */
+
DEBUGTOP(2, printf("S1 init_sockaddr\n"));
init_sockaddr(&s->dst, config[CONFIG_IPSEC_GATEWAY]);
init_sockaddr(&s->opt_src_ip, config[CONFIG_LOCAL_ADDR]);
DEBUGTOP(2, printf("S2 make_socket\n"));
s->ike.src_port = atoi(config[CONFIG_LOCAL_PORT]);
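Review bot: The restart loop re-enters with `memset(s, 0, sizeof(*s))`, so every socket and allocation the previous iteration left inside `s` must have been released by `close_tunnel`/`cleanup` before the closing `} while (do_kill == -3)` in the next hunk, otherwise descriptors and keying material leak on every restart; that is not verifiable from this hunk. `do_kill` must also be reset to 0 before the second iteration reaches the `while (... && !do_kill)` select loop, or it exits immediately; if vpnc_main_loop does not clear it on entry, add `do_kill = 0;` at the top of the do block. A comment at `do {`, stating that the whole connection is rebuilt from the existing config when the IPsec lifetime expires, would help the next reader, given the changelog itself calls this a hack.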
@@ -3847,10 +3848,11 @@ int main(int argc, char **argv)
close_tunnel(s);
/* Free resources */
DEBUGTOP(2, printf("S9 cleanup\n"));
cleanup(s);
+ } while (do_kill == -3);
if (opt_vendor == VENDOR_NORTEL)
free((void *)group_id);
return 0;
}