From e9eb1aa55946e2271e1422068847f5f01f5bc9e8 Mon Sep 17 00:00:00 2001
From: cegger
Date: Sat, 5 Mar 2011 17:54:17 +0000
Subject: [PATCH] Apply patches from debian: - Bug fix: "Disconnect after an hour and loops trying to reconnect" - Additional vpnc functionality (resolvconf, Target Networks, DNSUpdate options) Bump revision Forgot to 'cvs add' the new files before. Sorry.
---
 net/vpnc/patches/patch-ba | 12 +++++
 net/vpnc/patches/patch-bb | 101 ++++++++++++++++++++++++++++++++++++++
 net/vpnc/patches/patch-bc | 13 +++++
 3 files changed, 126 insertions(+)
 create mode 100644 net/vpnc/patches/patch-ba
 create mode 100644 net/vpnc/patches/patch-bb
 create mode 100644 net/vpnc/patches/patch-bc
diff --git a/net/vpnc/patches/patch-ba b/net/vpnc/patches/patch-ba
new file mode 100644
index 000000000000..97f2b24b2aa6
--- /dev/null
+++ b/net/vpnc/patches/patch-ba
@@ -0,0 +1,12 @@
+$NetBSD: patch-ba,v 1.1 2011/03/05 17:54:17 cegger Exp $
+
+--- sysdep.h.orig 2011-03-01 13:49:38.000000000 +0000
++++ sysdep.h
+@@ -57,6 +57,7 @@ int tun_get_hwaddr(int fd, char *dev, ui
+ #define HAVE_FGETLN 1
+ #define HAVE_UNSETENV 1
+ #define HAVE_SETENV 1
++#define HAVE_GETLINE 1
+ #endif
+ 
+ /***************************************************************************/
diff --git a/net/vpnc/patches/patch-bb b/net/vpnc/patches/patch-bb
new file mode 100644
index 000000000000..eb5768334c8b
--- /dev/null
+++ b/net/vpnc/patches/patch-bb
@@ -0,0 +1,101 @@
+$NetBSD: patch-bb,v 1.1 2011/03/05 17:54:17 cegger Exp $
+
+--- vpnc.c.orig 2008-11-19 20:55:51.000000000 +0000
++++ vpnc.c
+@@ -360,6 +360,8 @@ static void config_tunnel(struct sa_bloc
+ {
+ setenv("VPNGATEWAY", inet_ntoa(s->dst), 1);
+ setenv("reason", "connect", 1);
++ setenv("DNS_UPDATE", config[CONFIG_DNS_UPDATE], 1);
++ setenv("TARGET_NETWORKS", config[CONFIG_TARGET_NETWORKS], 1);
+ system(config[CONFIG_SCRIPT]);
+ }
+ 
+@@ -1147,7 +1149,7 @@ static struct isakmp_payload *make_our_s
+ 
+ static void lifetime_ike_process(struct sa_block *s, struct isakmp_attribute *a)
+ {
+- uint32_t value;
++ uint32_t value = 0;
+ 
+ assert(a != NULL);
+ assert(a->type == IKE_ATTRIB_LIFE_TYPE);
+@@ -1174,7 +1176,7 @@ static void lifetime_ike_process(struct
+ 
+ static void lifetime_ipsec_process(struct sa_block *s, struct isakmp_attribute *a)
+ {
+- uint32_t value;
++ uint32_t value = 0;
+ 
+ assert(a != NULL);
+ assert(a->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE);
+@@ -2861,28 +2863,34 @@ static void do_phase2_qm(struct sa_block
+ free(dh_shared_secret);
+ free_isakmp_packet(r);
+ 
+- if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) {
+- s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port);
+- s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
+- s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP;
+- } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) {
+- s->esp_fd = s->ike_fd;
+- } else {
++ if (s->esp_fd == 0) {
++ if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) {
++ s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port);
++ s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
++ s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP;
++ } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) {
++ s->esp_fd = s->ike_fd;
++ } else {
+ #ifdef IP_HDRINCL
+- int hincl = 1;
++ int hincl = 1;
+ #endif
+ 
+- s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
+- if (s->esp_fd == -1) {
+- close_tunnel(s);
+- error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)");
+- }
++ s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
++ if (s->esp_fd == -1) {
++ close_tunnel(s);
++ error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)");
++ }
++#ifdef FD_CLOEXEC
++ /* do not pass socket to vpnc-script, etc. */
++ fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC);
++#endif
+ #ifdef IP_HDRINCL
+- if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) {
+- close_tunnel(s);
+- error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)");
+- }
++ if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) {
++ close_tunnel(s);
++ error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)");
++ }
+ #endif
++ }
+ }
+ 
+ s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1;
+@@ -3224,9 +3232,14 @@ void process_late_ike(struct sa_block *s
+ */
+ /* FIXME: any cleanup needed??? */
+ 
+- free_isakmp_packet(r);
+- do_phase2_qm(s);
+- return;
++ if (rp->u.d.num_spi >= 1 && memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4) == 0) {
++ free_isakmp_packet(r);
++ do_phase2_qm(s);
++ return;
++ } else {
++ DEBUG(2, printf("got isakmp delete with bogus spi, ignoring...\n"));
++ continue;
++ }
+ }
+ /* skip ipsec-esp delete */
+ if (rp->u.d.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) {
diff --git a/net/vpnc/patches/patch-bc b/net/vpnc/patches/patch-bc
new file mode 100644
index 000000000000..0afcbdc896a1
--- /dev/null
+++ b/net/vpnc/patches/patch-bc
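Review bot: The new guard `if (s->esp_fd == 0)` in do_phase2_qm uses descriptor 0 as "no ESP socket yet", but 0 is a valid descriptor, so a process started with stdin closed can get its raw ESP socket on fd 0 and the guard then reopens it (leaking the old one) on every pass through this code, which is presumably the rekey path the guard is meant to protect. The robust sentinel is -1, which would require initialising s->esp_fd to -1 wherever the sa_block is created, outside this hunk; in the same branch the return of `fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC);` is discarded, so a failure to set close-on-exec goes unnoticed and the socket may still be inherited by the script run via system(). In config_tunnel, `setenv("DNS_UPDATE", config[CONFIG_DNS_UPDATE], 1);` and the TARGET_NETWORKS line pass the config slot straight through; if the option is absent that slot is presumably NULL, and setenv() with a NULL value is not guaranteed safe on every libc, so guard each call, e.g. `if (config[CONFIG_DNS_UPDATE]) setenv("DNS_UPDATE", config[CONFIG_DNS_UPDATE], 1);`. The SPI check added in process_late_ike is the right fix for the reconnect loop because a delete naming an unrelated SPI no longer tears down the live SA, though `sizeof s->ipsec.tx.spi` would be preferable to the literal 4 so the length follows the field. All four inner hunks sit inside functions whose bodies start and end outside the shown context.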
@@ -0,0 +1,13 @@
+$NetBSD: patch-bc,v 1.1 2011/03/05 17:54:17 cegger Exp $
+
+--- config.h.orig 2008-11-19 20:36:12.000000000 +0000
++++ config.h
+@@ -58,6 +58,8 @@ enum config_enum {
+ CONFIG_AUTH_MODE,
+ CONFIG_CA_FILE,
+ CONFIG_CA_DIR,
++ CONFIG_DNS_UPDATE,
++ CONFIG_TARGET_NETWORKS,
+ LAST_CONFIG
+ };
+ 
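Review bot: The two config_enum members CONFIG_DNS_UPDATE and CONFIG_TARGET_NETWORKS are added before LAST_CONFIG, but nothing in this patch set shows a configuration keyword being parsed into those config[] slots; unless the option table in config.c is patched elsewhere, the slots keep their initial value and the setenv() calls added in patch-bb export whatever that is. A short comment on the two entries, such as `/* exported to vpnc-script as DNS_UPDATE / TARGET_NETWORKS */`, would document the coupling between this enum and config_tunnel for the next maintainer.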