[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Sat Feb 2 08:56:06 EET 2013


New commits:
commit c015d1a038546a5c32d9a36d16462d490108e254
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 2 01:41:04 2013 -0500

    * XAUTH: modecfgdns* parameter was broken, modecfgwins* removed
    
    The modecfgdns1/modecfgdns2/modecfgwins1/modecfgwins2 were never
    properly working using libipsecconf. They only worked when you used
    whack directly.
    
    Someone (probably me) put these in as KSCF_MODECFG* instead of as
    KSF_MODECFG*, so the parser was looking for left/rightmodecfgdns1 etc.
    
    While fixing these, I removed support for XAUTH WINS, as that died a
    decade ago.
    
    We had defined POLICY_MODECFGDNS1 etc apparently as policy bits that
    would determine if we would send these options, but then they were
    never queried ever, so I removed them. It's quite obvious when you
    need to set these, namely if we are an xauthserver and modecfg_dns1=
    is set.
    
    libipsecconf got compiled without XAUTH because it was not being
    added to the CFLAGS when USE_XAUTH was set. So none of the parsing
    code was reading the code I wrote to read these options.
    (the only reason xauthby= ever worked was because it was _missing_
    and #ifdef XAUTH)
    
    Parsing of the modecfgdns1/modecfgdns2 keywords as kt_ipaddr also
    gave some problems because ipaddr processing was really only done
    for the left/right parts of the connection. The easier fix was to
    change these into kt_string, and when reading the struct starter_conn
    information into a struct whack_message, do the tnatoaddr() conversion.
    If the IP for this option is bogus, we ignore it and continue.
    
    modecfgwins1/modecfgwins2 are now kt_obsolete, and they were removed from
    whack, the code that sends xauth attributes, and the man pages.
    
    The ipsec auto --status was updated to show the xauth information better:
    
    000 "test": 76.10.157.69<76.10.157.69>[+XS+S=C]...5.6.7.8<5.6.7.8>; unrouted; eroute owner: #0
    000 "test":     oriented; my_ip=unset; their_ip=unset;
    000 "test":     xauth info: my_xauthuser=pwouters; their_xauthuser=[any]; dns1:1.8.8.8, dns2:3.8.8.8;
    000 "test":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "test":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+XAUTH+IKEv2ALLOW+ModeCFGDNS1+ModeCFGWINS1;
    000 "test":   prio: 32,32; interface: virbr0; metric: 0, mtu: unset;
    000 "test":   dpd: action:clear; delay:0; timeout:0;
    000 "test":   newest ISAKMP SA: #0; newest IPsec SA: #0;
    000
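The "keep it as kt_string, convert when building the whack message, ignore a bogus IP" approach described above, as an added illustration (not libreswan's own code): the struct names are stand-ins for struct starter_conn and struct whack_message, and inet_pton() stands in for tnatoaddr().

```c
#include <arpa/inet.h>
#include <stddef.h>

/* Hypothetical stand-ins for the config-file side (struct starter_conn) and
 * the daemon side (struct whack_message); the real ones carry many more fields. */
struct starter_conn {
    int xauthserver;
    const char *modecfg_dns1;   /* parsed as a plain string, not as kt_ipaddr */
    const char *modecfg_dns2;
};

struct whack_message {
    int n_dns;                  /* number of valid addresses copied over */
    struct in_addr dns[2];
};

/* Convert one modecfgdns value to a binary address at whack-message build
 * time. Returns 1 on success, 0 for an unset or bogus value (caller skips it). */
int modecfg_dns_to_addr(const char *s, struct in_addr *out)
{
    if (s == NULL || *s == '\0')
        return 0;
    return inet_pton(AF_INET, s, out) == 1;
}

/* Copy the DNS options into the whack message. Only an xauthserver sends
 * them (no policy bit needed), and a bogus entry is ignored rather than
 * aborting the whole connection. Returns the number of addresses kept. */
int build_whack_dns(const struct starter_conn *c, struct whack_message *wm)
{
    const char *src[2] = { c->modecfg_dns1, c->modecfg_dns2 };
    wm->n_dns = 0;
    if (!c->xauthserver)
        return 0;
    for (size_t i = 0; i < 2; i++) {
        struct in_addr a;
        if (modecfg_dns_to_addr(src[i], &a))
            wm->dns[wm->n_dns++] = a;
    }
    return wm->n_dns;
}

/* Convenience wrapper: how many DNS attributes would be sent for these settings. */
int dns_count(int xauthserver, const char *d1, const char *d2)
{
    struct starter_conn c = { xauthserver, d1, d2 };
    struct whack_message wm;
    return build_whack_dns(&c, &wm);
}
```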

commit 16548119c880df68971f382751d584e3a60f51a9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 1 22:22:58 2013 -0500

    * libipsecconf: remove another leftover used for manual keying


