[Swan] OSX Server interop patch, was Re: Connecting to OS X Server

Paul Wouters paul at nohats.ca
Tue Jan 13 03:24:43 EET 2015


On Mon, 12 Jan 2015, Ali Gangji wrote:

> So I stopped ipsec, applied the patch, ran make programs and sudo make install, and restarted ipsec. I still get the
> same message about the unknown value 16777216.

Ah yes, I still forgot that we have another check for valid numbers that
still failed. I've updated the patch, so try this version 2 patch :)

Paul
-------------- next part --------------
diff --git a/include/ietf_constants.h b/include/ietf_constants.h
index 784ec73..c47c984 100644
--- a/include/ietf_constants.h
+++ b/include/ietf_constants.h
@@ -435,6 +435,8 @@
 /* Domain of Interpretation */
 #define ISAKMP_DOI_ISAKMP 0
 #define ISAKMP_DOI_IPSEC 1
+/* htonl(1) == 16777216 */
+#define ISAKMP_DOI_OSX_SERVER_HTONL_BUG 16777216
 
 /* IPsec DOI things */
 
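Review bot: the comment on the new define, `/* htonl(1) == 16777216 */`, holds only on a little-endian host; on a big-endian host htonl(1) is 1. Writing the value as 0x01000000 and describing it as ISAKMP_DOI_IPSEC (1) with its four bytes reversed, as read from the peer's SA payload, would show where the number comes from without depending on host byte order.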
diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
index 61d88a8..abe14dd 100644
--- a/lib/libswan/constants.c
+++ b/lib/libswan/constants.c
@@ -150,11 +150,22 @@ static const char *const doi_name[] = {
 	"ISAKMP_DOI_IPSEC",
 };
 
+static const char *const doi_name_osx[] = {
+	"ISAKMP_DOI_OSX_SERVER_HTONL_BUG",
+};
+
+static enum_names doi_names_osx = {
+	ISAKMP_DOI_OSX_SERVER_HTONL_BUG,
+	ISAKMP_DOI_OSX_SERVER_HTONL_BUG,
+	doi_name_osx,
+	NULL
+};
+
 enum_names doi_names = {
 	ISAKMP_DOI_ISAKMP,
 	ISAKMP_DOI_IPSEC,
 	doi_name,
-	NULL
+	&doi_names_osx
 };
 
 /*
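Review bot: chaining `&doi_names_osx` into the last initializer of doi_names makes 16777216 a named, valid DOI for every user of doi_names, not only for the check in parse_isakmp_sa_body that the next file relaxes. If the intent is to tolerate the value in the ISAKMP SA payload alone, it is worth confirming which other fields are validated against doi_names and whether they should accept it too. A short comment above doi_names_osx stating that it exists only for the OSX Server interop workaround would keep the entry from reading like a real DOI assignment.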
diff --git a/programs/pluto/ikev1_spdb_struct.c b/programs/pluto/ikev1_spdb_struct.c
index d3d32f9..46abc5e 100644
--- a/programs/pluto/ikev1_spdb_struct.c
+++ b/programs/pluto/ikev1_spdb_struct.c
@@ -850,10 +850,14 @@ notification_t parse_isakmp_sa_body(pb_stream *sa_pbs,		/* body of input SA Payl
 
 	/* DOI */
 	if (sa->isasa_doi != ISAKMP_DOI_IPSEC) {
-		loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s",
-		       enum_show(&doi_names, sa->isasa_doi));
-		/* XXX Could send notification back */
-		return DOI_NOT_SUPPORTED;
+		if (sa->isasa_doi == ISAKMP_DOI_OSX_SERVER_HTONL_BUG) {
+			loglog(RC_LOG_SERIOUS, "OSX Server DOI htonl(1) bug workaround enabled");
+		} else {
+			loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s",
+				enum_show(&doi_names, sa->isasa_doi));
+			/* XXX Could send notification back */
+			return DOI_NOT_SUPPORTED;
+		}
 	}
 
 	/* Situation */
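Review bot: in the new branch for ISAKMP_DOI_OSX_SERVER_HTONL_BUG the message says "workaround enabled", but nothing in the hunk enables it: the byte-swapped DOI is accepted unconditionally, from any peer. Consider gating the branch on a configuration setting, or rewording the message to say that a byte-swapped DOI was received and accepted. RC_LOG_SERIOUS also looks high for a condition that will be logged on every negotiation with such a peer. The branch leaves sa->isasa_doi at 16777216, so it is worth checking whether anything after this point compares it with ISAKMP_DOI_IPSEC again.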

