-rw-r--r--  CHANGES                            32
-rw-r--r--  INSTALL                            39
-rw-r--r--  Makefile.ver                        2
-rw-r--r--  README                              4
-rwxr-xr-x  programs/ipsec/ipsec.in            17
-rw-r--r--  programs/pluto/connections.c       11
-rw-r--r--  programs/pluto/demux.c              5
-rw-r--r--  programs/pluto/fetch.c              6
-rw-r--r--  programs/pluto/kernel.c             4
-rw-r--r--  programs/pluto/log.c                6
-rw-r--r--  programs/pluto/rcv_whack.c         72
-rw-r--r--  programs/pluto/state.c              4
-rw-r--r--  programs/pluto/vendor.c             9
-rw-r--r--  programs/pluto/vendor.h             7
-rw-r--r--  programs/starter/confread.c        26
-rw-r--r--  programs/starter/interfaces.c      19
-rw-r--r--  programs/starter/starterwhack.c    10
-rw-r--r--  testing/INSTALL                     8
-rwxr-xr-x  testing/testing.conf                8
19 files changed, 193 insertions, 96 deletions
diff --git a/CHANGES b/CHANGES
index e87a5da33..4feaa188d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,35 @@
+strongswan-2.7.2
+----------------
+
+- The mixed PSK/RSA roadwarrior detection capability introduced by the
+ strongswan-2.7.0 release necessitated the pre-parsing of the IKE proposal
+ payloads by the responder right before any defined IKE Main Mode state had
+ been established. Although any form of bad proposal syntax was being correctly
+ detected by the payload parser, the subsequent error handler didn't check
+ the state pointer before logging current state information, causing an
+ immediate crash of the pluto keying daemon due to a NULL pointer.
+
+ We strongly recommend to update to the 2.7.2 released which fixes this
+ vulnerability to malformed proposal payload that could otherwise be
+ exploited by Denial-of-Service attacks.
+
+
+strongswan-2.7.1
+----------------
+
+- Calling ipsec up|down|route|unroute with a non-empty connection name
+ caused pluto to crash. As a fix argument checks have been added both
+ to the ipsec command on the sender end and pluto/rcv_whack.c on the
+ receiver end.
+
+- reactivated the PPP pointopoint code in starter/interfaces.c which
+ creates an ipsecN interface when used with Linux 2.4 KLIPS.
+
+- replaced free() by curl_free() in pluto/fetch.c thus fixing pluto
+ crashes occuring on some 64 bit hardware platforms when curl couldn't
+ successfully resolve a DNS request prior to fetching a CRL.
+
+
strongswan-2.7.0
----------------
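Review bot: the 2.7.1 entry states the condition backwards. The checks added in this same commit (`if [ "$#" -ne 1 ]` in programs/ipsec/ipsec.in and `if (msg.name == NULL)` in programs/pluto/rcv_whack.c) guard against a missing connection name, so "with a non-empty connection name caused pluto to crash" should read "without a connection name". Two typos in the 2.7.2 entry: "update to the 2.7.2 released" should be "release", and "occuring" should be "occurring" in the fetch.c item. Since this entry is effectively the security advisory for the crash, it would help operators to say explicitly which versions are affected; going by the text (pre-parsing introduced in 2.7.0, fixed in 2.7.2), that is 2.7.0 and 2.7.1 only.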
diff --git a/INSTALL b/INSTALL
index 0ed541936..ff5b2f80c 100644
--- a/INSTALL
+++ b/INSTALL
@@ -125,9 +125,9 @@ Contents
in "Makefile.inc"
# Uncomment this line if using OpenSC <= 0.9.6
- PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\"
+ #PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\"
# Uncomment tis line if using OpenSC >= 0.10.0
- #PKCS11_DEFAULT_LIB=\"usr/lib/opensc-pkcs11.so\"
+ PKCS11_DEFAULT_LIB=\"usr/lib/opensc-pkcs11.so\"
This default path to the easily-obtainable OpenSC library module can be
simply overridden during run-time by specifying an alternative path in
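Review bot: the line this hunk activates, `PKCS11_DEFAULT_LIB=\"usr/lib/opensc-pkcs11.so\"`, lacks the leading slash that the OpenSC <= 0.9.6 line directly above it has (`/usr/lib/pkcs11/opensc-pkcs11.so`). If that string is handed to dlopen() as-is, a path containing a slash but not starting with one is resolved relative to the daemon's current working directory, not the system library directory, which for a root daemon is a library-hijacking hazard wherever that directory is writable by others. It should be `/usr/lib/opensc-pkcs11.so`. Minor: "Uncomment tis line" in the context should be "this line".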
@@ -156,10 +156,8 @@ Contents
* Now change into the strongswan-2.x.x source directory.
- First uncomment any desired compile options in "programs/pluto/Makefile"
- (see section 2. Optional packages).
-
- Then in the top source directory type
+ First select any desired compile options in "Makefile.inc" (see section 2.
+ Optional packages). Then in the top source directory type
make menumod
@@ -186,9 +184,10 @@ Contents
and then install and boot the modified kernel.
- * Next add your connections to "/etc/ipsec.conf" and start strongSwan with
+ * Next add your connections to "/etc/ipsec.conf" and your secrets to
+ "/etc/ipsec.secrets" and start strongSwan with
- ipsec setup start
+ ipsec start
4. Updating strongSwan with a Linux 2.4 kernel
@@ -197,10 +196,8 @@ Contents
* If you have already successfully installed strongSwan and want to update
to a newer version then the following shortcut can be taken:
- First uncomment any desired compile options in "programs/pluto/Makefile"
- (see section 2. Optional packages).
-
- Then in the strongwan-2.x.x top directory type
+ First select any desired compile options in "Makefile.inc" (see section 2.
+ Optional packages). Then in the strongwan-2.x.x top directory type
make programs; make install
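Review bot: the added line carries over the typo "strongwan-2.x.x" from the text it replaces; it should be "strongswan-2.x.x", matching "strongswan-2.x.x source directory" in the section 3 hunk. The same typo is repeated in the section 5 hunk further down.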
@@ -210,7 +207,7 @@ Contents
* You can then start the updated strongSwan version with
- ipsec setup restart
+ ipsec restart
5. Building strongSwan with a Linux 2.6 kernel
@@ -225,14 +222,13 @@ Contents
o esp4
o ipcomp
o xfrm_user
-
+ o xfrm4_tunnel
+
Also the built-in kernel Cryptoapi modules with selected encryption and
hash algorithms should be available.
- * First uncomment any desired compile options in "programs/pluto/Makefile"
- (see section 2. Optional packages).
-
- Then in the strongwan-2.x.x top directory type
+ * First select any desired compile options in "Makefile.inc" (see section 2.
+ Optional packages). Then in the strongwan-2.x.x top directory type
make programs
@@ -240,10 +236,11 @@ Contents
make install
- * Next add your connections to "etc/ipsec.conf" and start strongSwan with
+ * Next add your connections to "/etc/ipsec.conf" and your secrets to
+ "/etc/ipsec.secrets" and start strongSwan with
- ipsec setup start
+ ipsec start
-----------------------------------------------------------------------------
-This file is RCSID $Id: INSTALL,v 1.8 2006/01/22 16:22:23 as Exp $
+This file is RCSID $Id: INSTALL,v 1.11 2006/05/19 06:44:17 as Exp $
diff --git a/Makefile.ver b/Makefile.ver
index 435dd7311..252fc3bf4 100644
--- a/Makefile.ver
+++ b/Makefile.ver
@@ -1 +1 @@
-IPSECVERSION=2.7.0
+IPSECVERSION=2.7.2
diff --git a/README b/README
index d40d887a3..415c002ef 100644
--- a/README
+++ b/README
@@ -2650,7 +2650,7 @@ and can be used when the following prerequisites are fulfilled:
- Linux 2.4.x kernel, KLIPS IPsec stack, and arbitrary iptables version.
Filtering of tunneled traffic is based on ipsecN interfaces.
- - Linux 2.4.16 kernel or newer, native NETKEY IPsec stack, and
+ - Linux 2.6.16 kernel or newer, native NETKEY IPsec stack, and
iptables-1.3.5 or newer. Filtering of tunneled traffic is based on
IPsec policy matching rules.
@@ -3087,5 +3087,5 @@ an LDAP-based lookup mechanism will be supported.
for more details.
-----------------------------------------------------------------------------
-This file is RCSID $Id: README,v 1.33 2006/04/24 21:27:49 as Exp $
+This file is RCSID $Id: README,v 1.34 2006/04/26 18:19:34 as Exp $
diff --git a/programs/ipsec/ipsec.in b/programs/ipsec/ipsec.in
index 0616561d8..1c657b9e7 100755
--- a/programs/ipsec/ipsec.in
+++ b/programs/ipsec/ipsec.in
@@ -12,7 +12,7 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
-# RCSID $Id: ipsec.in,v 1.13 2006/03/09 20:09:33 as Exp $
+# RCSID $Id: ipsec.in,v 1.14 2006/05/25 11:52:03 as Exp $
IPSEC_NAME=strongSwan
@@ -122,6 +122,11 @@ case "$1" in
;;
down)
shift
+ if [ "$#" -ne 1 ]
+ then
+ echo "Usage: ipsec down <connection name>"
+ exit 1
+ fi
$IPSEC_EXECDIR/whack --name "$1" --terminate
exit 0
;;
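Review bot: the usage message goes to stdout (`echo "Usage: ipsec down <connection name>"`); usage and error text belongs on stderr (`echo ... >&2`) so that a script capturing the output of `ipsec down` does not receive it as data. The identical five-line check is repeated for `route|unroute` and `up` below; a small helper taking the verb (`require_conn_name "$op"`) would keep the three messages in sync and avoid the copy-paste.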
@@ -161,6 +166,11 @@ restart)
route|unroute)
op="$1"
shift
+ if [ "$#" -ne 1 ]
+ then
+ echo "Usage: ipsec $op <connection name>"
+ exit 1
+ fi
$IPSEC_EXECDIR/whack --name "$1" "--$op"
exit 0
;;
@@ -197,6 +207,11 @@ stop)
;;
up)
shift
+ if [ "$#" -ne 1 ]
+ then
+ echo "Usage: ipsec up <connection name>"
+ exit 1
+ fi
$IPSEC_EXECDIR/whack --name "$1" --initiate
exit 0
;;
diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
index 263bdbd1e..6cf6a6a8b 100644
--- a/programs/pluto/connections.c
+++ b/programs/pluto/connections.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: connections.c,v 1.42 2006/04/22 21:59:20 as Exp $
+ * RCSID $Id: connections.c,v 1.43 2006/04/29 18:16:02 as Exp $
*/
#include <string.h>
@@ -4022,7 +4022,7 @@ show_connections_status(bool all, const char *name)
/* sort it! */
qsort(array, count, sizeof(struct connection *), connection_compare_qsort);
- for (i=0; i<count; i++)
+ for (i = 0; i < count; i++)
{
const char *ifn;
char instance[1 + 10 + 1];
@@ -4076,7 +4076,7 @@ show_connections_status(bool all, const char *name)
if (c->spd.that.groups != NULL)
{
char buf[BUF_LEN];
-
+
format_groups(c->spd.that.groups, buf, BUF_LEN);
whack_log(RC_COMMENT
, "\"%s\"%s: groups: %s"
@@ -4097,7 +4097,7 @@ show_connections_status(bool all, const char *name)
, (unsigned long) c->sa_keying_tries);
/* show DPD parameters if defined */
-
+
if (c->dpd_action != DPD_ACTION_NONE)
whack_log(RC_COMMENT
, "\"%s\"%s: dpd_action: %s;"
@@ -4141,6 +4141,9 @@ show_connections_status(bool all, const char *name)
kernel_alg_show_connection(c, instance);
}
}
+ if (count > 0)
+ whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */
+
pfree(array);
}
diff --git a/programs/pluto/demux.c b/programs/pluto/demux.c
index 2f8fb9a8f..db7f1c4a6 100644
--- a/programs/pluto/demux.c
+++ b/programs/pluto/demux.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: demux.c,v 1.13 2005/02/18 21:08:59 as Exp $
+ * RCSID $Id: demux.c,v 1.14 2006/06/22 11:58:25 as Exp $
*/
/* Ordering Constraints on Payloads
@@ -2397,7 +2397,8 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
* whatever retrying was in place, remains in place.
*/
whack_log(RC_NOTIFICATION + md->note
- , "%s: %s", enum_name(&state_names, st->st_state)
+ , "%s: %s"
+ , enum_name(&state_names, (st == NULL)? STATE_MAIN_R0:st->st_state)
, enum_name(&notification_names, md->note));
SEND_NOTIFICATION(md->note);
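Review bot: this guards the log line (the NULL dereference described in the 2.7.2 CHANGES entry), but `SEND_NOTIFICATION(md->note)` on the very next line runs on the same `st == NULL` path and the hunk does not show whether that macro touches `st`; please confirm it is NULL-safe or guard it in the same way, otherwise the malformed-proposal crash just moves one line down. Reporting STATE_MAIN_R0 when no state exists yet is a sensible choice for the responder. Style: `(st == NULL)? STATE_MAIN_R0:st->st_state` should be spaced as `(st == NULL) ? STATE_MAIN_R0 : st->st_state`.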
diff --git a/programs/pluto/fetch.c b/programs/pluto/fetch.c
index 075b88fd2..4bfb6031b 100644
--- a/programs/pluto/fetch.c
+++ b/programs/pluto/fetch.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: fetch.c,v 1.11 2005/11/25 10:08:00 as Exp $
+ * RCSID $Id: fetch.c,v 1.12 2006/05/16 14:19:27 as Exp $
*/
#include <stdlib.h>
@@ -339,7 +339,7 @@ fetch_curl(char *url, chunk_t *blob)
}
curl_easy_cleanup(curl);
/* not using freeanychunk because of realloc (no leak detective) */
- free(response.ptr);
+ curl_free(response.ptr);
}
return strlen(errorbuffer) > 0 ? "libcurl error" : NULL;
#else /* !LIBCURL */
@@ -728,7 +728,7 @@ fetch_ocsp_status(ocsp_location_t* location)
curl_easy_cleanup(curl);
pfree(uri);
/* not using freeanychunk because of realloc (no leak detective) */
- free(response.ptr);
+ curl_free(response.ptr);
}
freeanychunk(location->nonce);
freeanychunk(request);
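Review bot: `curl_free()` is the matching deallocator only for memory that libcurl itself allocated; the comment on the preceding line says `response.ptr` is grown with realloc (presumably in pluto's own write callback), in which case plain `free()` already matched the allocator and the two calls differ only when custom allocators are installed. The crash the CHANGES entry describes (DNS failure before any data arrives, 64-bit platforms) smells more like `response.ptr` never being initialised to NULL when the write callback never runs, so that either free variant operates on garbage. Please check that `response.ptr` is set to NULL before `curl_easy_perform()` in both `fetch_curl()` and `fetch_ocsp_status()`; if it is, the swap to `curl_free()` is harmless but should be justified in the comment rather than attributed to the 64-bit crash.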
diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
index 5d7c5f78a..d2070c0d4 100644
--- a/programs/pluto/kernel.c
+++ b/programs/pluto/kernel.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: kernel.c,v 1.25 2006/04/17 14:58:09 as Exp $
+ * RCSID $Id: kernel.c,v 1.26 2006/04/29 18:16:02 as Exp $
*/
#include <stddef.h>
@@ -934,6 +934,8 @@ show_shunt_status(void)
, ourst, ourport, hist, hisport, sat, bs->transport_proto
, prio, bs->why);
}
+ if (bare_shunts != NULL)
+ whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */
}
/* Setup an IPsec route entry.
diff --git a/programs/pluto/log.c b/programs/pluto/log.c
index 137e92980..73ffceccd 100644
--- a/programs/pluto/log.c
+++ b/programs/pluto/log.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: log.c,v 1.7 2005/07/11 18:33:45 as Exp $
+ * RCSID $Id: log.c,v 1.8 2006/04/29 18:16:02 as Exp $
*/
#include <stdio.h>
@@ -770,13 +770,11 @@ show_status(bool all, const char *name)
show_ifaces_status();
show_myid_status();
show_debug_status();
+ whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */
}
- whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */
show_connections_status(all, name);
- whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */
show_states_status(name);
#ifdef KLIPS
- whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */
show_shunt_status();
#endif
}
diff --git a/programs/pluto/rcv_whack.c b/programs/pluto/rcv_whack.c
index 164a4f249..99c377765 100644
--- a/programs/pluto/rcv_whack.c
+++ b/programs/pluto/rcv_whack.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: rcv_whack.c,v 1.17 2005/12/25 12:41:23 as Exp $
+ * RCSID $Id: rcv_whack.c,v 1.18 2006/05/25 11:33:57 as Exp $
*/
#include <stdio.h>
@@ -557,7 +557,14 @@ whack_handle(int whackctlfd)
if (msg.whack_route)
{
if (!listening)
+ {
whack_log(RC_DEAF, "need --listen before --route");
+ }
+ if (msg.name == NULL)
+ {
+ whack_log(RC_UNKNOWN_NAME
+ , "whack --route requires a connection name");
+ }
else
{
struct connection *c = con_by_name(msg.name, TRUE);
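Review bot: the `else` lost its partner here. Before this change `else` belonged to `if (!listening)`; after it, the two conditions are independent statements:

    if (!listening)
    {
        whack_log(RC_DEAF, "need --listen before --route");
    }
    if (msg.name == NULL)

so a `--route` received before `--listen` logs RC_DEAF and then still falls into the `else` branch and calls `con_by_name()` and routes. It should be `else if (msg.name == NULL)`, exactly as the `--initiate` hunk below does.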
@@ -579,37 +586,54 @@ whack_handle(int whackctlfd)
if (msg.whack_unroute)
{
- struct connection *c = con_by_name(msg.name, TRUE);
-
- if (c != NULL)
+ if (msg.name == NULL)
{
- struct spd_route *sr;
- int fail = 0;
-
- set_cur_connection(c);
+ whack_log(RC_UNKNOWN_NAME
+ , "whack --unroute requires a connection name");
+ }
+ else
+ {
+ struct connection *c = con_by_name(msg.name, TRUE);
- for (sr = &c->spd; sr != NULL; sr = sr->next)
+ if (c != NULL)
{
- if (sr->routing >= RT_ROUTED_TUNNEL)
- fail++;
+ struct spd_route *sr;
+ int fail = 0;
+
+ set_cur_connection(c);
+
+ for (sr = &c->spd; sr != NULL; sr = sr->next)
+ {
+ if (sr->routing >= RT_ROUTED_TUNNEL)
+ fail++;
+ }
+ if (fail > 0)
+ whack_log(RC_RTBUSY, "cannot unroute: route busy");
+ else if (c->policy & POLICY_GROUP)
+ unroute_group(c);
+ else
+ unroute_connection(c);
+ reset_cur_connection();
}
- if (fail > 0)
- whack_log(RC_RTBUSY, "cannot unroute: route busy");
- else if (c->policy & POLICY_GROUP)
- unroute_group(c);
- else
- unroute_connection(c);
- reset_cur_connection();
}
}
if (msg.whack_initiate)
{
if (!listening)
+ {
whack_log(RC_DEAF, "need --listen before --initiate");
+ }
+ else if (msg.name == NULL)
+ {
+ whack_log(RC_UNKNOWN_NAME
+ , "whack --initiate requires a connection name");
+ }
else
+ {
initiate_connection(msg.name
, msg.whack_async? NULL_FD : dup_any(whackfd));
+ }
}
if (msg.whack_oppo_initiate)
@@ -623,7 +647,17 @@ whack_handle(int whackctlfd)
}
if (msg.whack_terminate)
- terminate_connection(msg.name);
+ {
+ if (msg.name == NULL)
+ {
+ whack_log(RC_UNKNOWN_NAME
+ , "whack --terminate requires a connection name");
+ }
+ else
+ {
+ terminate_connection(msg.name);
+ }
+ }
if (msg.whack_status)
show_status(msg.whack_statusall, msg.name);
diff --git a/programs/pluto/state.c b/programs/pluto/state.c
index 5957654e3..0781d2eb3 100644
--- a/programs/pluto/state.c
+++ b/programs/pluto/state.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: state.c,v 1.12 2006/04/03 15:49:36 as Exp $
+ * RCSID $Id: state.c,v 1.13 2006/04/29 18:16:02 as Exp $
*/
#include <stdio.h>
@@ -902,6 +902,8 @@ show_states_status(const char *name)
if (IS_PHASE1(st->st_state))
show_pending_phase2(st->st_connection->host_pair, st);
}
+ if (count > 0)
+ whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */
/* free the array */
pfree(array);
diff --git a/programs/pluto/vendor.c b/programs/pluto/vendor.c
index 51931c239..3a8ac15a9 100644
--- a/programs/pluto/vendor.c
+++ b/programs/pluto/vendor.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: vendor.c,v 1.35 2006/04/12 16:44:28 as Exp $
+ * RCSID $Id: vendor.c,v 1.38 2006/06/04 09:42:35 as Exp $
*/
#include <stdlib.h>
@@ -198,7 +198,12 @@ static struct vid_struct _vid_tab[] = {
/*
* strongSwan
*/
- DEC_MD5_VID(STRONGSWAN, "strongSwan 2.7.0")
+ DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
+ DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
+
+ DEC_MD5_VID(STRONGSWAN, "strongSwan 2.7.2")
+ DEC_MD5_VID(STRONGSWAN_2_7_1, "strongSwan 2.7.1")
+ DEC_MD5_VID(STRONGSWAN_2_7_0, "strongSwan 2.7.0")
DEC_MD5_VID(STRONGSWAN_2_6_4, "strongSwan 2.6.4")
DEC_MD5_VID(STRONGSWAN_2_6_3, "strongSwan 2.6.3")
DEC_MD5_VID(STRONGSWAN_2_6_2, "strongSwan 2.6.2")
diff --git a/programs/pluto/vendor.h b/programs/pluto/vendor.h
index d6b414be2..e0c3a5f30 100644
--- a/programs/pluto/vendor.h
+++ b/programs/pluto/vendor.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: vendor.h,v 1.30 2006/04/12 16:44:28 as Exp $
+ * RCSID $Id: vendor.h,v 1.33 2006/06/04 09:42:35 as Exp $
*/
#ifndef _VENDOR_H_
@@ -76,6 +76,11 @@ enum known_vendorid {
VID_STRONGSWAN_2_6_2 = 55,
VID_STRONGSWAN_2_6_3 = 56,
VID_STRONGSWAN_2_6_4 = 57,
+ VID_STRONGSWAN_2_7_0 = 58,
+ VID_STRONGSWAN_2_7_1 = 59,
+
+ VID_STRONGSWAN_4_0_0 = 70,
+ VID_STRONGSWAN_4_0_1 = 71,
/* 101 - 200 : NAT-Traversal */
VID_NATT_STENBERG_01 =101,
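Review bot: the new enumerators jump from 59 to 70 (`VID_STRONGSWAN_4_0_0 = 70`), leaving 60..69 unused, presumably reserved for further 2.7.x/2.8.x entries. That intent should be stated in a comment next to the gap, since `vendor.c` and this enum are maintained by hand and a future entry numbered 60 would otherwise look like a mistake. Note also that the 4.0.x identifiers must stay within the "1 - 100" block, given the `/* 101 - 200 : NAT-Traversal */` boundary directly below.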
diff --git a/programs/starter/confread.c b/programs/starter/confread.c
index cf12d05ca..af0f00877 100644
--- a/programs/starter/confread.c
+++ b/programs/starter/confread.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: confread.c,v 1.37 2006/04/17 19:35:07 as Exp $
+ * RCSID $Id: confread.c,v 1.38 2006/06/20 21:52:53 as Exp $
*/
#include <stddef.h>
@@ -31,6 +31,9 @@
#include "args.h"
#include "interfaces.h"
+/* strings containing a colon are interpreted as an IPv6 address */
+#define ip_version(string) (strchr(string, ':') != NULL)? AF_INET6 : AF_INET;
+
static const char ike_defaults[] = "3des-sha, 3des-md5";
static const char esp_defaults[] = "3des-sha1, 3des-md5";
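Review bot: the new macro is not parenthesised as a whole and ends in a semicolon:

    #define ip_version(string) (strchr(string, ':') != NULL)? AF_INET6 : AF_INET;

It only works because every use in this patch is of the form `x = ip_version(value);` (yielding a harmless `;;`). Used inside a larger expression or as a function argument it would either mis-associate the ternary or fail to compile. Suggested form: `#define ip_version(string) ((strchr((string), ':') != NULL) ? AF_INET6 : AF_INET)`, or a static inline function.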
@@ -166,8 +169,13 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
goto err;
}
}
- else if (streq(value,"%any"))
- {
+ else if (streq(value, "%any"))
+ {
+ anyaddr(conn->addr_family, &end->addr);
+ }
+ else if (streq(value, "%any6"))
+ {
+ conn->addr_family = AF_INET6;
anyaddr(conn->addr_family, &end->addr);
}
else if (value[0] == '%')
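Review bot: `%any` now fills `end->addr` with `anyaddr(conn->addr_family, ...)` using whatever `conn->addr_family` holds at that moment, while a literal address (further down in this file) overwrites `conn->addr_family` from the address itself. The result depends on keyword order: `left=%any` followed by an IPv6 `right=` yields an AF_INET wildcard on a connection whose family is then switched to AF_INET6, whereas the reverse order yields an AF_INET6 wildcard. Either resolve `%any` after all addresses of the conn have been parsed, or document that `%any` means "any in the family of the other end" and enforce it in a post-parse check.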
@@ -183,6 +191,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
}
else
{
+ conn->addr_family = ip_version(value);
ugh = ttoaddr(value, 0, conn->addr_family, &end->addr);
if (ugh != NULL)
{
@@ -203,10 +212,14 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
}
}
else if (streq(value, "%direct"))
+ {
ugh = anyaddr(conn->addr_family, &end->nexthop);
+ }
else
+ {
+ conn->addr_family = ip_version(value);
ugh = ttoaddr(value, 0, conn->addr_family, &end->nexthop);
-
+ }
if (ugh != NULL)
{
plog("# bad addr: %s=%s [%s]", name, value, ugh);
@@ -222,6 +235,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
else
{
end->has_client = TRUE;
+ conn->tunnel_addr_family = ip_version(value);
ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet);
if (ugh != NULL)
{
@@ -233,6 +247,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
case KW_SUBNETWITHIN:
end->has_client = TRUE;
end->has_client_wildcard = TRUE;
+ conn->tunnel_addr_family = ip_version(value);
ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet);
break;
case KW_PROTOPORT:
@@ -246,7 +261,8 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
}
else
{
- ugh = ttoaddr(value, 0, conn->addr_family, &end->srcip);
+ conn->tunnel_addr_family = ip_version(value);
+ ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
if (ugh != NULL)
{
plog("# bad addr: %s=%s [%s]", name, value, ugh);
diff --git a/programs/starter/interfaces.c b/programs/starter/interfaces.c
index 9926ea059..3b24e2faf 100644
--- a/programs/starter/interfaces.c
+++ b/programs/starter/interfaces.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: interfaces.c,v 1.15 2006/02/05 10:51:55 as Exp $
+ * RCSID $Id: interfaces.c,v 1.16 2006/05/25 12:10:15 as Exp $
*/
#include <sys/socket.h>
@@ -192,9 +192,6 @@ _iface_up (int sock, struct st_ipsec_if *iface, char *phys
struct ipsectunnelconf *shc=(struct ipsectunnelconf *)&req.ifr_data;
short phys_flags;
int ret = 0;
- /* sscholz@astaro.com: for network mask 32 bit
- struct sockaddr_in *inp;
- */
strncpy(req.ifr_name, phys, IFNAMSIZ);
if (ioctl(sock, SIOCGIFFLAGS, &req) !=0 )
@@ -239,13 +236,6 @@ _iface_up (int sock, struct st_ipsec_if *iface, char *phys
if (ioctl(sock, SIOCGIFNETMASK, &req) == 0)
{
strncpy(req.ifr_name, iface->name, IFNAMSIZ);
- /* sscholz@astaro.com: changed netmask to 32 bit
- * in order to prevent network routes from being created
-
- inp = (struct sockaddr_in *)&req.ifr_addr;
- inp->sin_addr.s_addr = 0xFFFFFFFFL;
-
- */
ioctl(sock, SIOCSIFNETMASK, &req);
}
@@ -253,8 +243,7 @@ _iface_up (int sock, struct st_ipsec_if *iface, char *phys
strncpy(req.ifr_name, iface->name, IFNAMSIZ);
if (ioctl(sock, SIOCGIFFLAGS, &req)==0)
{
-/* removed by sscholz@astaro.com (caused trouble with DSL/ppp0) */
-/* if (phys_flags & IFF_POINTOPOINT)
+ if (phys_flags & IFF_POINTOPOINT)
{
req.ifr_flags |= IFF_POINTOPOINT;
req.ifr_flags &= ~IFF_BROADCAST;
@@ -266,9 +255,7 @@ _iface_up (int sock, struct st_ipsec_if *iface, char *phys
ioctl(sock, SIOCSIFDSTADDR, &req);
}
}
- else
- */
- if (phys_flags & IFF_BROADCAST)
+ else if (phys_flags & IFF_BROADCAST)
{
req.ifr_flags &= ~IFF_POINTOPOINT;
req.ifr_flags |= IFF_BROADCAST;
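Review bot: this re-enables code that the deleted comments say was disabled on purpose ("caused trouble with DSL/ppp0") and drops the 32-bit-netmask workaround along with it. The CHANGES entry only says the point-to-point code is "reactivated" for Linux 2.4 KLIPS; please record why the ppp0 problem no longer applies (or that it was judged acceptable), so the next person hitting it on a PPP uplink has the history. Pre-existing but adjacent: `strncpy(req.ifr_name, phys, IFNAMSIZ)` does not guarantee NUL termination when `phys` is IFNAMSIZ bytes long.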
diff --git a/programs/starter/starterwhack.c b/programs/starter/starterwhack.c
index a671c560c..0d7a3715e 100644
--- a/programs/starter/starterwhack.c
+++ b/programs/starter/starterwhack.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: starterwhack.c,v 1.17 2006/04/17 10:32:36 as Exp $
+ * RCSID $Id: starterwhack.c,v 1.18 2006/06/20 21:52:53 as Exp $
*/
#include <sys/types.h>
@@ -161,13 +161,13 @@ set_whack_end(whack_end_t *w, starter_end_t *end)
w->host_addr = end->addr;
w->host_nexthop = end->nexthop;
w->host_srcip = end->srcip;
+ w->has_client = end->has_client;
- if (end->has_client)
- w->client = end->subnet;
+ if (w->has_client)
+ w->client = end->subnet;
else
- w->client.addr.u.v4.sin_family = AF_INET;
+ w->client.addr.u.v4.sin_family = addrtypeof(&w->host_addr);
- w->has_client = end->has_client;
w->has_client_wildcard = end->has_client_wildcard;
w->has_port_wildcard = end->has_port_wildcard;
w->has_srcip = end->has_srcip;
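Review bot: `w->client.addr.u.v4.sin_family = addrtypeof(&w->host_addr);` writes the family through the IPv4 member even when `addrtypeof()` returns AF_INET6. It works only because `sin_family` and `sin6_family` share offset 0 in the union; that is a real but fragile assumption and should be either stated in a comment or replaced by constructing the empty client subnet with the existing helper for the family (the `anyaddr()`/`initsubnet` path used in confread.c), so the v6 case is set through the v6 member.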
diff --git a/testing/INSTALL b/testing/INSTALL
index dfe21cc04..5fc87a6c7 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,7 +53,7 @@ are required for the strongSwan testing environment:
* A vanilla Linux kernel on which the UML kernel will be based on.
We recommend the use of
- http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.16.9.tar.bz2
+ http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.1.tar.bz2
* Starting with Linux kernel 2.6.9 no patch must be applied any more in order
to make the vanilla kernel UML-capable. For older kernels you'll find
@@ -63,7 +63,7 @@ are required for the strongSwan testing environment:
* The matching .config file required to compile the UML kernel:
- http://download.strongswan.org/uml/.config-2.6.16
+ http://download.strongswan.org/uml/.config-2.6.17
* A gentoo-based UML file system (compressed size 130 MBytes) found at
@@ -71,7 +71,7 @@ are required for the strongSwan testing environment:
* The latest strongSwan distribution
- http://download.strongswan.org/strongswan-2.7.0.tar.gz
+ http://download.strongswan.org/strongswan-2.7.2.tar.gz
3. Creating the environment
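Review bot: the download URL added here ends in `strongswan-2.7.2.tar.gz`, while the `STRONGSWAN=` setting in the testing/testing.conf hunk of this same commit expects `strongswan-2.7.2.tar.bz2` (and the comment above it says "Bzipped source of strongSwan"). One of the two should change so that following this INSTALL verbatim produces a file that testing.conf can find.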
@@ -146,5 +146,5 @@ README document.
-----------------------------------------------------------------------------
-This file is RCSID $Id: INSTALL,v 1.39 2006/04/24 16:58:03 as Exp $
+This file is RCSID $Id: INSTALL,v 1.41 2006/06/22 13:07:24 as Exp $
diff --git a/testing/testing.conf b/testing/testing.conf
index 92a138288..dc5c74fbf 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -14,27 +14,27 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
-# RCSID $Id: testing.conf,v 1.52 2006/04/24 16:58:03 as Exp $
+# RCSID $Id: testing.conf,v 1.54 2006/06/22 13:07:24 as Exp $
# Root directory of testing
UMLTESTDIR=~/strongswan-testing
# Bzipped kernel sources
# (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.16.9.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.17.1.tar.bz2
# Extract kernel version
KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
# Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-2.6.16
+KERNELCONFIG=$UMLTESTDIR/.config-2.6.17
# Bzipped uml patch for kernel
# (not needed anymore for 2.6.9 kernel or higher)
UMLPATCH=
# Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-2.7.0.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-2.7.2.tar.bz2
# strongSwan compile options (use "yes" or "no")
USE_LIBCURL="yes"