Attachment #93186 for bug #134480

View | Details | Raw Unified | Return to bug 134480
Collapse All | Expand All




static uint8_t r_packet[2048];
static ssize_t r_length;

extern int vpnc_doit(unsigned long tous_spi,
	const unsigned char *tous_key,
	struct sockaddr_in *tous_dest,
	unsigned long tothem_spi,
	const unsigned char *tothem_key,
	struct sockaddr_in *tothem_dest,
	int tun_fd, int md_algo, int cry_algo,
	uint8_t * kill_packet_p, size_t kill_packet_size_p,
	struct sockaddr *kill_dest_p,
	uint16_t encap_mode, int isakmp_fd,
	const char *pidfile);


	time_t start = time(NULL);
	time_t end = 0;
	void *realtosend;
	static uint32_t zero;

	pfd.fd = sockfd;
	pfd.events = POLLIN;

		if (pollresult != 0) {
			recvsize = recv_ignore_dup(recvbuf, recvbufsize);
			end = time(NULL);
			if (recvsize != -1) {
	        		if (encap_mode == IPSEC_ENCAP_TUNNEL ||
					 memcmp(recvbuf, &zero, sizeof(zero)) == 0)
					 /* this hack drops ESP packets on NATed connections
					    during rekeying, but it shouldn't matter much */ 
					 break;
			}
			continue;
		}
		


	if (encap_mode != IPSEC_ENCAP_TUNNEL) {
		recvsize -= 4; /* 4 bytes non-esp marker */
		memmove(recvbuf, recvbuf+4, recvsize);
	}

	/* Wait at least 2s for a response or 4 times the time it took

	return recvsize;
}

static void
flushrecv(void)
{
	struct pollfd pfd;
	int recvsize = -1;
	struct sockaddr_in recvaddr;
	socklen_t recvaddr_size = sizeof(recvaddr);
	uint8_t r_packet[2048];

	pfd.fd = sockfd;
	pfd.events = POLLIN;

	for (;;) {
		int pollresult;

		pollresult = poll(&pfd, 1, 0);
		
		if (pollresult <= 0)
			return;

		recvsize = recvfrom(sockfd, r_packet, sizeof(r_packet), 0,
		(struct sockaddr *)&recvaddr, &recvaddr_size);
	}
}

int isakmp_crypt(struct sa_block *s, uint8_t * block, size_t blocklen, int enc)
{
	unsigned char *new_iv, *iv = NULL;

	return r;
}

static int setup_link(struct sa_block *s)
{
	struct isakmp_payload *rp, *us, *ke = NULL, *them, *nonce_r = NULL;
	struct isakmp_packet *r;

	size_t p_size = 0;
	uint8_t nonce[20], *dh_public = NULL;
	int ipsec_cry_algo = 0, ipsec_hash_algo = 0, i;
	static int rekey = 0;
	static int tunnelfd = -1;

	DEBUG(2, printf("S7.1\n"));
	/* Set up the Diffie-Hellman stuff.  */

		msgid = 1;

	DEBUG(2, printf("S7.2\n"));
	
	if(rekey) {
		flushrecv();
	}
	
	for (i = 0; i < 4; i++) {
		sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_IKE_QUICK,
			msgid, 0, &p_flat, &p_size, 0, 0, 0, 0);


		DEBUG(2, printf("S7.3\n"));
		reject = unpack_verify_phase2(s, r_packet, r_length, &r, nonce, sizeof(nonce));
		if (reject != 0 && reject != ISAKMP_N_AUTHENTICATION_FAILED) {
			DEBUG(2, printf("ignoring bad packet, retrying\n"));
			r_length = sendrecv(r_packet, sizeof(*r_packet), NULL, 0, 0);
			continue;
		}

		DEBUG(2, printf("S7.4\n"));
		if (((reject == 0) || (reject == ISAKMP_N_AUTHENTICATION_FAILED))
			&& r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL) {
			/* handle notifie responder-lifetime (ignore) */
			/* (broken hash => ignore AUTHENTICATION_FAILED) */
			if (reject == 0
				&& r->payload->next->type == ISAKMP_PAYLOAD_D && rekey) {
				DEBUG(2, printf("ignoring delete old ESP SA notify\n"));
				r_length = sendrecv(r_packet, sizeof(*r_packet), NULL, 0, 0);
				continue;
			}
			
			if (reject == 0 && r->payload->next->type != ISAKMP_PAYLOAD_N)
				reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;


		nonce_r->u.nonce.data, nonce_r->u.nonce.length);

	DEBUG(2, printf("S7.7\n"));
	/* Create the delete payload, now that we have all the information.  */
	{
		struct isakmp_payload *d_isakmp, *d_ipsec;
		uint32_t del_msgid;

		gcry_randomize((uint8_t *) & del_msgid, sizeof(del_msgid), GCRY_WEAK_RANDOM);
		d_isakmp = new_isakmp_payload(ISAKMP_PAYLOAD_D);
		d_isakmp->u.d.doi = ISAKMP_DOI_IPSEC;
		d_isakmp->u.d.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
		d_isakmp->u.d.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
		d_isakmp->u.d.num_spi = 1;
		d_isakmp->u.d.spi = xallocc(1 * sizeof(uint8_t *));
		d_isakmp->u.d.spi[0] = xallocc(2 * ISAKMP_COOKIE_LENGTH);
		memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 0, s->i_cookie,
			ISAKMP_COOKIE_LENGTH);
		memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 1, s->r_cookie,
			ISAKMP_COOKIE_LENGTH);
		d_ipsec = new_isakmp_payload(ISAKMP_PAYLOAD_D);
		d_ipsec->next = d_isakmp;
		d_ipsec->u.d.doi = ISAKMP_DOI_IPSEC;
		d_ipsec->u.d.protocol = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
		d_ipsec->u.d.spi_length = 4;
		d_ipsec->u.d.num_spi = 2;
		d_ipsec->u.d.spi = xallocc(2 * sizeof(uint8_t *));
		d_ipsec->u.d.spi[0] = xallocc(d_ipsec->u.d.spi_length);
		memcpy(d_ipsec->u.d.spi[0], &s->tous_esp_spi, 4);
		d_ipsec->u.d.spi[1] = xallocc(d_ipsec->u.d.spi_length);
		memcpy(d_ipsec->u.d.spi[1], &s->tothem_esp_spi, 4);
		phase2_authpacket(s, d_ipsec, ISAKMP_EXCHANGE_INFORMATIONAL,
			del_msgid, &s->kill_packet, &s->kill_packet_size,
			nonce, sizeof(nonce), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
		isakmp_crypt(s, s->kill_packet, s->kill_packet_size, 1);
	}
	DEBUG(2, printf("S7.8\n"));

	/* Set up the interface here so it's ready when our acknowledgement
	 * arrives.  */
	if (!rekey) {
	    config_tunnel();
	}
	
	DEBUG(2, printf("S7.8\n"));
	{
		uint8_t *tous_keys, *tothem_keys;
		struct sockaddr_in tothem_dest, tous_dest;
		unsigned char *dh_shared_secret = NULL;
		uint16_t em = encap_mode;
		
		if (dh_grp) {
			/* Determine the shared secret.  */
			dh_shared_secret = xallocc(dh_getlen(dh_grp));

			nonce, sizeof(nonce), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
		memcpy(&tous_dest, dest_addr, sizeof(tous_dest));
		if (opt_udpencap && s->peer_udpencap_port) {
			if (!rekey) {
				tunnelfd = make_socket(htons(opt_udpencapport));
			}
			tous_dest.sin_port = htons(s->peer_udpencap_port);
			em = IPSEC_ENCAP_UDP_TUNNEL;
		} else if (em != IPSEC_ENCAP_TUNNEL) {
			tunnelfd = sockfd;
		} else {
			if (!rekey) {
			        tunnelfd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
				if (tunnelfd == -1) {
					error(1, errno, "socket(SOCK_RAW) failed");
				}
			}
		}
		if (dh_grp)
			group_free(dh_grp);
		DEBUG(2, printf("S7.9\n"));
		reject = vpnc_doit(s->tous_esp_spi, tous_keys, &tothem_dest,
			s->tothem_esp_spi, tothem_keys, (struct sockaddr_in *)&tous_dest,
			s->tun_fd, ipsec_hash_algo, ipsec_cry_algo, em, tunnelfd,
			s->kill_packet, s->kill_packet_size, dest_addr,
			encap_mode, tunnelfd,
			config[CONFIG_PID_FILE]);
		rekey = reject == 0;
	}

	DEBUG(2, printf("S7.10\n"));
	/* Create and send the delete payload.  */
	if (reject != 0) {
		struct isakmp_payload *d_isakmp = NULL, *d_ipsec;
		uint32_t del_msgid;

		gcry_create_nonce((uint8_t *) & del_msgid, sizeof(del_msgid));
		d_isakmp = new_isakmp_payload(ISAKMP_PAYLOAD_D);
		d_isakmp->u.d.doi = ISAKMP_DOI_IPSEC;
		d_isakmp->u.d.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
		d_isakmp->u.d.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
		d_isakmp->u.d.num_spi = 1;
		d_isakmp->u.d.spi = xallocc(1 * sizeof(uint8_t *));
		d_isakmp->u.d.spi[0] = xallocc(2 * ISAKMP_COOKIE_LENGTH);
		memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 0, s->i_cookie,
			ISAKMP_COOKIE_LENGTH);
		memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 1, s->r_cookie,
			ISAKMP_COOKIE_LENGTH);

		d_ipsec = new_isakmp_payload(ISAKMP_PAYLOAD_D);
		d_ipsec->next = d_isakmp;
		d_ipsec->u.d.doi = ISAKMP_DOI_IPSEC;
		d_ipsec->u.d.protocol = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
		d_ipsec->u.d.spi_length = 4;
		d_ipsec->u.d.num_spi = 2;
		d_ipsec->u.d.spi = xallocc(2 * sizeof(uint8_t *));
		d_ipsec->u.d.spi[0] = xallocc(d_ipsec->u.d.spi_length);
		memcpy(d_ipsec->u.d.spi[0], &s->tous_esp_spi, 4);
		d_ipsec->u.d.spi[1] = xallocc(d_ipsec->u.d.spi_length);
		memcpy(d_ipsec->u.d.spi[1], &s->tothem_esp_spi, 4);
		sendrecv_phase2(s, d_ipsec, ISAKMP_EXCHANGE_INFORMATIONAL,
			del_msgid, 1, NULL, NULL,
			NULL, 0, NULL, 0);
	}
	return reject;
}

int main(int argc, char **argv)

			do_load_balance = do_phase_2_config(oursa);
	} while (do_load_balance);
	DEBUG(2, printf("S7\n"));
	while(setup_link(oursa) == 0) {
	    DEBUG(2, printf("S7 Rekeying\n"));
	}
	DEBUG(2, printf("S8\n"));
	setenv("reason", "disconnect", 1);
	system(config[CONFIG_SCRIPT]);

Lines 56-61 Link Here

(-)vpnc-0.3.3/config.c.rekeying (+28 lines)
56	int opt_1des;	56	int opt_1des;
57	int opt_udpencap;	57	int opt_udpencap;
58	uint16_t opt_udpencapport;	58	uint16_t opt_udpencapport;
		59	int opt_nat_keepalive;
		60	int opt_rekey_interval;
59		61
60	void hex_dump(const char str, const void data, ssize_t len)	62	void hex_dump(const char str, const void data, ssize_t len)
61	{	63	{
Lines 113-118 Link Here
113	return "10000";	115	return "10000";
114	}	116	}
115		117
		118	static const char *config_def_nat_keepalive(void)
		119	{
		120	return "0";
		121	}
		122
		123	static const char *config_def_rekey_interval(void)
		124	{
		125	return "0";
		126	}
		127
116	static const char *config_def_app_version(void)	128	static const char *config_def_app_version(void)
117	{	129	{
118	struct utsname uts;	130	struct utsname uts;
Lines 299-304 Link Here
299	"disable use of NAT-T",	311	"disable use of NAT-T",
300	NULL	312	NULL
301	}, {	313	}, {
		314	CONFIG_NAT_KEEPALIVE, 1, 1,
		315	"--nat-keepalive",
		316	"NAT-Keepalive packet interval ",
		317	"<Seconds>",
		318	"If non-zero, send out NAT-Keepalive packets at specified interval",
		319	config_def_nat_keepalive
		320	}, {
		321	CONFIG_REKEY_INTERVAL, 1, 1,
		322	"--rekey-interval",
		323	"Rekeying interval ",
		324	"<Seconds>",
		325	"If non-zero, rekey the connection at specified interval",
		326	config_def_rekey_interval
		327	}, {
302	CONFIG_NON_INTERACTIVE, 0, 1,	328	CONFIG_NON_INTERACTIVE, 0, 1,
303	"--non-inter",	329	"--non-inter",
304	"Noninteractive",	330	"Noninteractive",
Lines 535-540 Link Here
535	opt_1des = (config[CONFIG_ENABLE_1DES]) ? 1 : 0;	561	opt_1des = (config[CONFIG_ENABLE_1DES]) ? 1 : 0;
536	opt_udpencap=(config[CONFIG_UDP_ENCAP]) ? 1 : 0;	562	opt_udpencap=(config[CONFIG_UDP_ENCAP]) ? 1 : 0;
537	opt_udpencapport=atoi(config[CONFIG_UDP_ENCAP_PORT]);	563	opt_udpencapport=atoi(config[CONFIG_UDP_ENCAP_PORT]);
		564	opt_nat_keepalive=atoi(config[CONFIG_NAT_KEEPALIVE]);
		565	opt_rekey_interval=atoi(config[CONFIG_REKEY_INTERVAL]);
538	}	566	}
539		567
540	if (opt_debug >= 99) {	568	if (opt_debug >= 99) {




	return 1;
}

int encap_esp_new(struct encap_method *encap, int encap_fd)
{
#ifdef IP_HDRINCL
	int hincl = 1;
#endif

	encap->fd = encap_fd;

	if (encap->fd == -1) {
		perror("socket(SOCK_RAW)");
		return -1;
	}
#ifdef IP_HDRINCL
	if (setsockopt(encap->fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl))
		== -1) {

}

static uint8_t volatile do_kill;
static uint8_t *kill_packet;
static size_t kill_packet_size;
static struct sockaddr *kill_dest;

#define VPNC_POLL_TIMEOUT 2000

static int vpnc_main_loop(struct peer_desc *peer, struct encap_method *meth, int tun_fd, const char *pidfile)
{
	int sock;
	struct pollfd pollfds[2];
	time_t keepalive, rekey, now;
	int rv = 1;

	keepalive = rekey = time(NULL);
	pollfds[0].fd = tun_fd;
	pollfds[0].events = POLLIN;
	pollfds[1].fd = encap_get_fd(meth);

		int presult;

		do {
			presult = poll(pollfds, sizeof(pollfds) / sizeof(pollfds[0]), VPNC_POLL_TIMEOUT);
		} while (presult == -1 && errno == EINTR && !do_kill);
		if (presult == -1) {
			syslog(LOG_ERR, "poll: %m");
			continue;
		}

		now = time(NULL);
		if (opt_nat_keepalive && now-keepalive >= opt_nat_keepalive) {
			const char *payload = "\xff";
			sendto(meth->fd, payload, 1, 0,
				(struct sockaddr *)&peer->remote_sa->dest, 
				sizeof(peer->remote_sa->dest));
		}

		if (opt_rekey_interval && now-rekey >= opt_rekey_interval) {
			rv = 0;
			do_kill = 255;
		}

		if (pollfds[0].revents & POLLIN) {
			int pack;


		}
	}
	
	if (rv != 0) {
		tun_close(oursa->tun_fd, oursa->tun_name);
		if (pidfile)
			unlink(pidfile); /* ignore errors */
		syslog(LOG_NOTICE, "terminated");
	}
	return rv;
	if (pidfile)
		unlink(pidfile); /* ignore errors */
	syslog(LOG_NOTICE, "terminated");
}

void killit(int signum)

	fclose(pf);
}

int
vpnc_doit(unsigned long tous_spi,
	const unsigned char *tous_key,
	struct sockaddr_in *tous_dest,

	const unsigned char *tothem_key,
	struct sockaddr_in *tothem_dest,
	int tun_fd, int md_algo, int cry_algo,
	uint16_t encap_mode, int encap_fd,
	struct sockaddr *kill_dest_p,
	uint16_t encap_mode, int udp_fd,
	const char *pidfile)
{
	struct encap_method meth;


	switch (encap_mode) {
		case IPSEC_ENCAP_TUNNEL:
			if (encap_esp_new(&meth, encap_fd) == -1)
				exit(1);
			opt_nat_keepalive = 0;
			break;
		case IPSEC_ENCAP_UDP_TUNNEL:
		case IPSEC_ENCAP_UDP_TUNNEL_OLD:
			if (encap_udp_new(&meth, encap_fd) == -1)
				exit(1);
			break;
		default:

	vpnpeer.local_sa = &tous_sa;
	vpnpeer.remote_sa = &tothem_sa;

	do_kill = 0;
	kill_packet = kill_packet_p;
	kill_packet_size = kill_packet_size_p;
	kill_dest = kill_dest_p;

	signal(SIGHUP, killit);
	signal(SIGINT, killit);
	signal(SIGTERM, killit);

	chdir("/");

	setsid();
	if (do_kill == 0 && !opt_nd) {  /* do_kill != 0 -> rekeying */
		pid_t pid;
		if ((pid = fork()) < 0) {
			fprintf(stderr, "Warning, could not fork the child process!\n");

		openlog("vpnc", LOG_PID, LOG_DAEMON);
	}

	do_kill = 0;

	return vpnc_main_loop(&vpnpeer, &meth, tun_fd, (!opt_nd) ? pidfile : NULL);
}

Lines 44-49 Link Here

(-)vpnc-0.3.3/config.h.rekeying (+4 lines)
44	CONFIG_UDP_ENCAP,	44	CONFIG_UDP_ENCAP,
45	CONFIG_UDP_ENCAP_PORT,	45	CONFIG_UDP_ENCAP_PORT,
46	CONFIG_DISABLE_NATT,	46	CONFIG_DISABLE_NATT,
		47	CONFIG_NAT_KEEPALIVE,
		48	CONFIG_REKEY_INTERVAL,
47	LAST_CONFIG	49	LAST_CONFIG
48	};	50	};
49		51
Lines 60-65 Link Here
60	extern int opt_1des;	62	extern int opt_1des;
61	extern int opt_udpencap;	63	extern int opt_udpencap;
62	extern uint16_t opt_udpencapport;	64	extern uint16_t opt_udpencapport;
		65	extern int opt_nat_keepalive;
		66	extern int opt_rekey_interval;
63		67
64	#define DEBUG(lvl, a) do {if (opt_debug >= (lvl)) {a;}} while (0)	68	#define DEBUG(lvl, a) do {if (opt_debug >= (lvl)) {a;}} while (0)
65		69

Lines 46-53 Link Here

(-)vpnc-0.3.3/vpnc.h.rekeying (-2 lines)
46	uint8_t *current_iv;	46	uint8_t *current_iv;
47	uint8_t our_address[4], our_netmask[4];	47	uint8_t our_address[4], our_netmask[4];
48	uint32_t tous_esp_spi, tothem_esp_spi;	48	uint32_t tous_esp_spi, tothem_esp_spi;
49	uint8_t *kill_packet;
50	size_t kill_packet_size;
51	uint16_t peer_udpencap_port;	49	uint16_t peer_udpencap_port;
52	int do_pfs;	50	int do_pfs;
53	};	51	};

Return to bug 134480

Lines 333-350 Link Here

(-)vpnc-0.3.3/tunip.c.rekeying (-35 / +38 lines)
333	return 1;	333	return 1;
334	}	334	}
335		335
336	int encap_esp_new(struct encap_method *encap, unsigned char proto)	336	int encap_esp_new(struct encap_method *encap, int encap_fd)
337	{	337	{
338	#ifdef IP_HDRINCL	338	#ifdef IP_HDRINCL
339	int hincl = 1;	339	int hincl = 1;
340	#endif	340	#endif
341		341
342	encap->fd = socket(PF_INET, SOCK_RAW, proto);	342	encap->fd = encap_fd;
343		343
344	if (encap->fd == -1) {
345	perror("socket(SOCK_RAW)");
346	return -1;
347	}
348	#ifdef IP_HDRINCL	344	#ifdef IP_HDRINCL
349	if (setsockopt(encap->fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl))	345	if (setsockopt(encap->fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl))
350	== -1) {	346	== -1) {
Lines 766-780 Link Here
766	}	762	}
767		763
768	static uint8_t volatile do_kill;	764	static uint8_t volatile do_kill;
769	static uint8_t *kill_packet;
770	static size_t kill_packet_size;
771	static struct sockaddr *kill_dest;
772		765
773	static void vpnc_main_loop(struct peer_desc peer, struct encap_method meth, int tun_fd, const char *pidfile)	766	#define VPNC_POLL_TIMEOUT 2000
		767
		768	static int vpnc_main_loop(struct peer_desc peer, struct encap_method meth, int tun_fd, const char *pidfile)
774	{	769	{
775	int sock;
776	struct pollfd pollfds[2];	770	struct pollfd pollfds[2];
		771	time_t keepalive, rekey, now;
		772	int rv = 1;
777		773
		774	keepalive = rekey = time(NULL);
778	pollfds[0].fd = tun_fd;	775	pollfds[0].fd = tun_fd;
779	pollfds[0].events = POLLIN;	776	pollfds[0].events = POLLIN;
780	pollfds[1].fd = encap_get_fd(meth);	777	pollfds[1].fd = encap_get_fd(meth);
Lines 784-796 Link Here
784	int presult;	781	int presult;
785		782
786	do {	783	do {
787	presult = poll(pollfds, sizeof(pollfds) / sizeof(pollfds[0]), -1);	784	presult = poll(pollfds, sizeof(pollfds) / sizeof(pollfds[0]), VPNC_POLL_TIMEOUT);
788	} while (presult == -1 && errno == EINTR && !do_kill);	785	} while (presult == -1 && errno == EINTR && !do_kill);
789	if (presult == -1) {	786	if (presult == -1) {
790	syslog(LOG_ERR, "poll: %m");	787	syslog(LOG_ERR, "poll: %m");
791	continue;	788	continue;
792	}	789	}
793		790
		791	now = time(NULL);
		792	if (opt_nat_keepalive && now-keepalive >= opt_nat_keepalive) {
		793	const char *payload = "\xff";
		794	sendto(meth->fd, payload, 1, 0,
		795	(struct sockaddr *)&peer->remote_sa->dest,
		796	sizeof(peer->remote_sa->dest));
		797	}
		798
		799	if (opt_rekey_interval && now-rekey >= opt_rekey_interval) {
		800	rv = 0;
		801	do_kill = 255;
		802	}
		803
794	if (pollfds[0].revents & POLLIN) {	804	if (pollfds[0].revents & POLLIN) {
795	int pack;	805	int pack;
796		806
Lines 863-878 Link Here
863	}	873	}
864	}	874	}
865		875
866	sock = socket(AF_INET, SOCK_DGRAM, 0);	876	if (rv != 0) {
867	if (sock >= 0) {	877	tun_close(oursa->tun_fd, oursa->tun_name);
868	sendto(sock, kill_packet, kill_packet_size, 0,	878	if (pidfile)
869	kill_dest, sizeof(struct sockaddr_in));	879	unlink(pidfile); /* ignore errors */
870	close(sock);	880	syslog(LOG_NOTICE, "terminated");
871	}	881	}
872	tun_close(oursa->tun_fd, oursa->tun_name);	882	return rv;
873	if (pidfile)
874	unlink(pidfile); /* ignore errors */
875	syslog(LOG_NOTICE, "terminated");
876	}	883	}
877		884
878	void killit(int signum)	885	void killit(int signum)
Lines 898-904 Link Here
898	fclose(pf);	905	fclose(pf);
899	}	906	}
900		907
901	void	908	int
902	vpnc_doit(unsigned long tous_spi,	909	vpnc_doit(unsigned long tous_spi,
903	const unsigned char *tous_key,	910	const unsigned char *tous_key,
904	struct sockaddr_in *tous_dest,	911	struct sockaddr_in *tous_dest,
Lines 906-914 Link Here
906	const unsigned char *tothem_key,	913	const unsigned char *tothem_key,
907	struct sockaddr_in *tothem_dest,	914	struct sockaddr_in *tothem_dest,
908	int tun_fd, int md_algo, int cry_algo,	915	int tun_fd, int md_algo, int cry_algo,
909	uint8_t * kill_packet_p, size_t kill_packet_size_p,	916	uint16_t encap_mode, int encap_fd,
910	struct sockaddr *kill_dest_p,
911	uint16_t encap_mode, int udp_fd,
912	const char *pidfile)	917	const char *pidfile)
913	{	918	{
914	struct encap_method meth;	919	struct encap_method meth;
Lines 918-929 Link Here
918		923
919	switch (encap_mode) {	924	switch (encap_mode) {
920	case IPSEC_ENCAP_TUNNEL:	925	case IPSEC_ENCAP_TUNNEL:
921	if (encap_esp_new(&meth, IPPROTO_ESP) == -1)	926	if (encap_esp_new(&meth, encap_fd) == -1)
922	exit(1);	927	exit(1);
		928	opt_nat_keepalive = 0;
923	break;	929	break;
924	case IPSEC_ENCAP_UDP_TUNNEL:	930	case IPSEC_ENCAP_UDP_TUNNEL:
925	case IPSEC_ENCAP_UDP_TUNNEL_OLD:	931	case IPSEC_ENCAP_UDP_TUNNEL_OLD:
926	if (encap_udp_new(&meth, udp_fd) == -1)	932	if (encap_udp_new(&meth, encap_fd) == -1)
927	exit(1);	933	exit(1);
928	break;	934	break;
929	default:	935	default:
Lines 984-994 Link Here
984	vpnpeer.local_sa = &tous_sa;	990	vpnpeer.local_sa = &tous_sa;
985	vpnpeer.remote_sa = &tothem_sa;	991	vpnpeer.remote_sa = &tothem_sa;
986		992
987	do_kill = 0;
988	kill_packet = kill_packet_p;
989	kill_packet_size = kill_packet_size_p;
990	kill_dest = kill_dest_p;
991
992	signal(SIGHUP, killit);	993	signal(SIGHUP, killit);
993	signal(SIGINT, killit);	994	signal(SIGINT, killit);
994	signal(SIGTERM, killit);	995	signal(SIGTERM, killit);
Lines 1000-1006 Link Here
1000	chdir("/");	1001	chdir("/");
1001		1002
1002	setsid();	1003	setsid();
1003	if (!opt_nd) {	1004	if (do_kill == 0 && !opt_nd) { /* do_kill != 0 -> rekeying */
1004	pid_t pid;	1005	pid_t pid;
1005	if ((pid = fork()) < 0) {	1006	if ((pid = fork()) < 0) {
1006	fprintf(stderr, "Warning, could not fork the child process!\n");	1007	fprintf(stderr, "Warning, could not fork the child process!\n");
Lines 1019-1023 Link Here
1019	openlog("vpnc", LOG_PID, LOG_DAEMON);	1020	openlog("vpnc", LOG_PID, LOG_DAEMON);
1020	}	1021	}
1021		1022
1022	vpnc_main_loop(&vpnpeer, &meth, tun_fd, (!opt_nd) ? pidfile : NULL);	1023	do_kill = 0;
		1024
		1025	return vpnc_main_loop(&vpnpeer, &meth, tun_fd, (!opt_nd) ? pidfile : NULL);
1023	}	1026	}

Lines 60-74 Link Here

(-)vpnc-0.3.3/vpnc.c.rekeying (-54 / +118 lines)
60	static uint8_t r_packet[2048];	60	static uint8_t r_packet[2048];
61	static ssize_t r_length;	61	static ssize_t r_length;
62		62
63	extern void vpnc_doit(unsigned long tous_spi,	63	extern int vpnc_doit(unsigned long tous_spi,
64	const unsigned char *tous_key,	64	const unsigned char *tous_key,
65	struct sockaddr_in *tous_dest,	65	struct sockaddr_in *tous_dest,
66	unsigned long tothem_spi,	66	unsigned long tothem_spi,
67	const unsigned char *tothem_key,	67	const unsigned char *tothem_key,
68	struct sockaddr_in *tothem_dest,	68	struct sockaddr_in *tothem_dest,
69	int tun_fd, int md_algo, int cry_algo,	69	int tun_fd, int md_algo, int cry_algo,
70	uint8_t * kill_packet_p, size_t kill_packet_size_p,
71	struct sockaddr *kill_dest_p,
72	uint16_t encap_mode, int isakmp_fd,	70	uint16_t encap_mode, int isakmp_fd,
73	const char *pidfile);	71	const char *pidfile);
74		72
Lines 332-337 Link Here
332	time_t start = time(NULL);	330	time_t start = time(NULL);
333	time_t end = 0;	331	time_t end = 0;
334	void *realtosend;	332	void *realtosend;
		333	static uint32_t zero;
335		334
336	pfd.fd = sockfd;	335	pfd.fd = sockfd;
337	pfd.events = POLLIN;	336	pfd.events = POLLIN;
Lines 365-372 Link Here
365	if (pollresult != 0) {	364	if (pollresult != 0) {
366	recvsize = recv_ignore_dup(recvbuf, recvbufsize);	365	recvsize = recv_ignore_dup(recvbuf, recvbufsize);
367	end = time(NULL);	366	end = time(NULL);
368	if (recvsize != -1)	367	if (recvsize != -1) {
369	break;	368	if (encap_mode == IPSEC_ENCAP_TUNNEL \|\|
		369	memcmp(recvbuf, &zero, sizeof(zero)) == 0)
		370	/* this hack drops ESP packets on NATed connections
		371	during rekeying, but it shouldn't matter much */
		372	break;
		373	}
370	continue;	374	continue;
371	}	375	}
372		376
Lines 383-389 Link Here
383		387
384	if (encap_mode != IPSEC_ENCAP_TUNNEL) {	388	if (encap_mode != IPSEC_ENCAP_TUNNEL) {
385	recvsize -= 4; /* 4 bytes non-esp marker */	389	recvsize -= 4; /* 4 bytes non-esp marker */
386	memcpy(recvbuf, recvbuf+4, recvsize);	390	memmove(recvbuf, recvbuf+4, recvsize);
387	}	391	}
388		392
389	/* Wait at least 2s for a response or 4 times the time it took	393	/* Wait at least 2s for a response or 4 times the time it took
Lines 396-401 Link Here
396	return recvsize;	400	return recvsize;
397	}	401	}
398		402
		403	static void
		404	flushrecv(void)
		405	{
		406	struct pollfd pfd;
		407	int recvsize = -1;
		408	struct sockaddr_in recvaddr;
		409	socklen_t recvaddr_size = sizeof(recvaddr);
		410	uint8_t r_packet[2048];
		411
		412	pfd.fd = sockfd;
		413	pfd.events = POLLIN;
		414
		415	for (;;) {
		416	int pollresult;
		417
		418	pollresult = poll(&pfd, 1, 0);
		419
		420	if (pollresult <= 0)
		421	return;
		422
		423	recvsize = recvfrom(sockfd, r_packet, sizeof(r_packet), 0,
		424	(struct sockaddr *)&recvaddr, &recvaddr_size);
		425	}
		426	}
		427
399	int isakmp_crypt(struct sa_block s, uint8_t block, size_t blocklen, int enc)	428	int isakmp_crypt(struct sa_block s, uint8_t block, size_t blocklen, int enc)
400	{	429	{
401	unsigned char new_iv, iv = NULL;	430	unsigned char new_iv, iv = NULL;
Lines 1882-1888 Link Here
1882	return r;	1911	return r;
1883	}	1912	}
1884		1913
1885	static void setup_link(struct sa_block *s)	1914	static int setup_link(struct sa_block *s)
1886	{	1915	{
1887	struct isakmp_payload rp, us, ke = NULL, them, *nonce_r = NULL;	1916	struct isakmp_payload rp, us, ke = NULL, them, *nonce_r = NULL;
1888	struct isakmp_packet *r;	1917	struct isakmp_packet *r;
Lines 1893-1898 Link Here
1893	size_t p_size = 0;	1922	size_t p_size = 0;
1894	uint8_t nonce[20], *dh_public = NULL;	1923	uint8_t nonce[20], *dh_public = NULL;
1895	int ipsec_cry_algo = 0, ipsec_hash_algo = 0, i;	1924	int ipsec_cry_algo = 0, ipsec_hash_algo = 0, i;
		1925	static int rekey = 0;
		1926	static int tunnelfd = -1;
1896		1927
1897	DEBUG(2, printf("S7.1\n"));	1928	DEBUG(2, printf("S7.1\n"));
1898	/* Set up the Diffie-Hellman stuff. */	1929	/* Set up the Diffie-Hellman stuff. */
Lines 1934-1939 Link Here
1934	msgid = 1;	1965	msgid = 1;
1935		1966
1936	DEBUG(2, printf("S7.2\n"));	1967	DEBUG(2, printf("S7.2\n"));
		1968
		1969	if(rekey) {
		1970	flushrecv();
		1971	}
		1972
1937	for (i = 0; i < 4; i++) {	1973	for (i = 0; i < 4; i++) {
1938	sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_IKE_QUICK,	1974	sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_IKE_QUICK,
1939	msgid, 0, &p_flat, &p_size, 0, 0, 0, 0);	1975	msgid, 0, &p_flat, &p_size, 0, 0, 0, 0);
Lines 1946-1957 Link Here
1946		1982
1947	DEBUG(2, printf("S7.3\n"));	1983	DEBUG(2, printf("S7.3\n"));
1948	reject = unpack_verify_phase2(s, r_packet, r_length, &r, nonce, sizeof(nonce));	1984	reject = unpack_verify_phase2(s, r_packet, r_length, &r, nonce, sizeof(nonce));
		1985	if (reject != 0 && reject != ISAKMP_N_AUTHENTICATION_FAILED) {
		1986	DEBUG(2, printf("ignoring bad packet, retrying\n"));
		1987	r_length = sendrecv(r_packet, sizeof(*r_packet), NULL, 0, 0);
		1988	continue;
		1989	}
1949		1990
1950	DEBUG(2, printf("S7.4\n"));	1991	DEBUG(2, printf("S7.4\n"));
1951	if (((reject == 0) \|\| (reject == ISAKMP_N_AUTHENTICATION_FAILED))	1992	if (((reject == 0) \|\| (reject == ISAKMP_N_AUTHENTICATION_FAILED))
1952	&& r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL) {	1993	&& r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL) {
1953	/* handle notifie responder-lifetime (ignore) */	1994	/* handle notifie responder-lifetime (ignore) */
1954	/* (broken hash => ignore AUTHENTICATION_FAILED) */	1995	/* (broken hash => ignore AUTHENTICATION_FAILED) */
		1996	if (reject == 0
		1997	&& r->payload->next->type == ISAKMP_PAYLOAD_D && rekey) {
		1998	DEBUG(2, printf("ignoring delete old ESP SA notify\n"));
		1999	r_length = sendrecv(r_packet, sizeof(*r_packet), NULL, 0, 0);
		2000	continue;
		2001	}
		2002
1955	if (reject == 0 && r->payload->next->type != ISAKMP_PAYLOAD_N)	2003	if (reject == 0 && r->payload->next->type != ISAKMP_PAYLOAD_N)
1956	reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;	2004	reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1957		2005
Lines 2122-2172 Link Here
2122	nonce_r->u.nonce.data, nonce_r->u.nonce.length);	2170	nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2123		2171
2124	DEBUG(2, printf("S7.7\n"));	2172	DEBUG(2, printf("S7.7\n"));
2125	/* Create the delete payload, now that we have all the information. */
2126	{
2127	struct isakmp_payload d_isakmp, d_ipsec;
2128	uint32_t del_msgid;
2129
2130	gcry_randomize((uint8_t *) & del_msgid, sizeof(del_msgid), GCRY_WEAK_RANDOM);
2131	d_isakmp = new_isakmp_payload(ISAKMP_PAYLOAD_D);
2132	d_isakmp->u.d.doi = ISAKMP_DOI_IPSEC;
2133	d_isakmp->u.d.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
2134	d_isakmp->u.d.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
2135	d_isakmp->u.d.num_spi = 1;
2136	d_isakmp->u.d.spi = xallocc(1 * sizeof(uint8_t *));
2137	d_isakmp->u.d.spi[0] = xallocc(2 * ISAKMP_COOKIE_LENGTH);
2138	memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 0, s->i_cookie,
2139	ISAKMP_COOKIE_LENGTH);
2140	memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 1, s->r_cookie,
2141	ISAKMP_COOKIE_LENGTH);
2142	d_ipsec = new_isakmp_payload(ISAKMP_PAYLOAD_D);
2143	d_ipsec->next = d_isakmp;
2144	d_ipsec->u.d.doi = ISAKMP_DOI_IPSEC;
2145	d_ipsec->u.d.protocol = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
2146	d_ipsec->u.d.spi_length = 4;
2147	d_ipsec->u.d.num_spi = 2;
2148	d_ipsec->u.d.spi = xallocc(2 * sizeof(uint8_t *));
2149	d_ipsec->u.d.spi[0] = xallocc(d_ipsec->u.d.spi_length);
2150	memcpy(d_ipsec->u.d.spi[0], &s->tous_esp_spi, 4);
2151	d_ipsec->u.d.spi[1] = xallocc(d_ipsec->u.d.spi_length);
2152	memcpy(d_ipsec->u.d.spi[1], &s->tothem_esp_spi, 4);
2153	phase2_authpacket(s, d_ipsec, ISAKMP_EXCHANGE_INFORMATIONAL,
2154	del_msgid, &s->kill_packet, &s->kill_packet_size,
2155	nonce, sizeof(nonce), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2156	isakmp_crypt(s, s->kill_packet, s->kill_packet_size, 1);
2157	}
2158	DEBUG(2, printf("S7.8\n"));
2159		2173
2160	/* Set up the interface here so it's ready when our acknowledgement	2174	/* Set up the interface here so it's ready when our acknowledgement
2161	* arrives. */	2175	* arrives. */
2162	config_tunnel();	2176	if (!rekey) {
2163	DEBUG(2, printf("S7.9\n"));	2177	config_tunnel();
		2178	}
		2179
		2180	DEBUG(2, printf("S7.8\n"));
2164	{	2181	{
2165	uint8_t tous_keys, tothem_keys;	2182	uint8_t tous_keys, tothem_keys;
2166	struct sockaddr_in tothem_dest, tous_dest;	2183	struct sockaddr_in tothem_dest, tous_dest;
2167	unsigned char *dh_shared_secret = NULL;	2184	unsigned char *dh_shared_secret = NULL;
2168	int tunnelfd = sockfd;	2185	uint16_t em = encap_mode;
2169		2186
2170	if (dh_grp) {	2187	if (dh_grp) {
2171	/* Determine the shared secret. */	2188	/* Determine the shared secret. */
2172	dh_shared_secret = xallocc(dh_getlen(dh_grp));	2189	dh_shared_secret = xallocc(dh_getlen(dh_grp));
Lines 2186-2206 Link Here
2186	nonce, sizeof(nonce), nonce_r->u.nonce.data, nonce_r->u.nonce.length);	2203	nonce, sizeof(nonce), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2187	memcpy(&tous_dest, dest_addr, sizeof(tous_dest));	2204	memcpy(&tous_dest, dest_addr, sizeof(tous_dest));
2188	if (opt_udpencap && s->peer_udpencap_port) {	2205	if (opt_udpencap && s->peer_udpencap_port) {
2189	close(tunnelfd);	2206	if (!rekey) {
2190	tunnelfd = make_socket(htons(opt_udpencapport));	2207	tunnelfd = make_socket(htons(opt_udpencapport));
		2208	}
2191	tous_dest.sin_port = htons(s->peer_udpencap_port);	2209	tous_dest.sin_port = htons(s->peer_udpencap_port);
2192	encap_mode = IPSEC_ENCAP_UDP_TUNNEL;	2210	em = IPSEC_ENCAP_UDP_TUNNEL;
		2211	} else if (em != IPSEC_ENCAP_TUNNEL) {
		2212	tunnelfd = sockfd;
		2213	} else {
		2214	if (!rekey) {
		2215	tunnelfd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
		2216	if (tunnelfd == -1) {
		2217	error(1, errno, "socket(SOCK_RAW) failed");
		2218	}
		2219	}
2193	}	2220	}
2194	if (dh_grp)	2221	if (dh_grp)
2195	group_free(dh_grp);	2222	group_free(dh_grp);
2196	DEBUG(2, printf("S7.10\n"));	2223	DEBUG(2, printf("S7.9\n"));
2197	vpnc_doit(s->tous_esp_spi, tous_keys, &tothem_dest,	2224	reject = vpnc_doit(s->tous_esp_spi, tous_keys, &tothem_dest,
2198	s->tothem_esp_spi, tothem_keys, (struct sockaddr_in *)&tous_dest,	2225	s->tothem_esp_spi, tothem_keys, (struct sockaddr_in *)&tous_dest,
2199	s->tun_fd, ipsec_hash_algo, ipsec_cry_algo,	2226	s->tun_fd, ipsec_hash_algo, ipsec_cry_algo, em, tunnelfd,
2200	s->kill_packet, s->kill_packet_size, dest_addr,
2201	encap_mode, tunnelfd,
2202	config[CONFIG_PID_FILE]);	2227	config[CONFIG_PID_FILE]);
		2228	rekey = reject == 0;
		2229	}
		2230
		2231	DEBUG(2, printf("S7.10\n"));
		2232	/* Create and send the delete payload. */
		2233	if (reject != 0) {
		2234	struct isakmp_payload d_isakmp = NULL, d_ipsec;
		2235	uint32_t del_msgid;
		2236
		2237	gcry_create_nonce((uint8_t *) & del_msgid, sizeof(del_msgid));
		2238	d_isakmp = new_isakmp_payload(ISAKMP_PAYLOAD_D);
		2239	d_isakmp->u.d.doi = ISAKMP_DOI_IPSEC;
		2240	d_isakmp->u.d.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
		2241	d_isakmp->u.d.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
		2242	d_isakmp->u.d.num_spi = 1;
		2243	d_isakmp->u.d.spi = xallocc(1 * sizeof(uint8_t *));
		2244	d_isakmp->u.d.spi[0] = xallocc(2 * ISAKMP_COOKIE_LENGTH);
		2245	memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 0, s->i_cookie,
		2246	ISAKMP_COOKIE_LENGTH);
		2247	memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 1, s->r_cookie,
		2248	ISAKMP_COOKIE_LENGTH);
		2249
		2250	d_ipsec = new_isakmp_payload(ISAKMP_PAYLOAD_D);
		2251	d_ipsec->next = d_isakmp;
		2252	d_ipsec->u.d.doi = ISAKMP_DOI_IPSEC;
		2253	d_ipsec->u.d.protocol = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
		2254	d_ipsec->u.d.spi_length = 4;
		2255	d_ipsec->u.d.num_spi = 2;
		2256	d_ipsec->u.d.spi = xallocc(2 * sizeof(uint8_t *));
		2257	d_ipsec->u.d.spi[0] = xallocc(d_ipsec->u.d.spi_length);
		2258	memcpy(d_ipsec->u.d.spi[0], &s->tous_esp_spi, 4);
		2259	d_ipsec->u.d.spi[1] = xallocc(d_ipsec->u.d.spi_length);
		2260	memcpy(d_ipsec->u.d.spi[1], &s->tothem_esp_spi, 4);
		2261	sendrecv_phase2(s, d_ipsec, ISAKMP_EXCHANGE_INFORMATIONAL,
		2262	del_msgid, 1, NULL, NULL,
		2263	NULL, 0, NULL, 0);
2203	}	2264	}
		2265	return reject;
2204	}	2266	}
2205		2267
2206	int main(int argc, char **argv)	2268	int main(int argc, char **argv)
Lines 2239-2245 Link Here
2239	do_load_balance = do_phase_2_config(oursa);	2301	do_load_balance = do_phase_2_config(oursa);
2240	} while (do_load_balance);	2302	} while (do_load_balance);
2241	DEBUG(2, printf("S7\n"));	2303	DEBUG(2, printf("S7\n"));
2242	setup_link(oursa);	2304	while(setup_link(oursa) == 0) {
		2305	DEBUG(2, printf("S7 Rekeying\n"));
		2306	}
2243	DEBUG(2, printf("S8\n"));	2307	DEBUG(2, printf("S8\n"));
2244	setenv("reason", "disconnect", 1);	2308	setenv("reason", "disconnect", 1);
2245	system(config[CONFIG_SCRIPT]);	2309	system(config[CONFIG_SCRIPT]);