Bug#838194: [Pkg-swan-devel] Bug#838194: Bug#838194: support for network-manager-strongswan 1.4?

2016-09-20 Thread Yves-Alexis Perez
On Tue, Sep 20, 2016 at 07:07:02AM +0200, Harald Dunkel wrote:
> Hi Yves,
> 
> I can see the new 5.5.0-2 source package on the ftp server,
> but many binary packages are still missing, esp. for amd64.
> Other platforms look fine.
> 
> Is there a problem with the patch?

Not with the patch, but the testsuite hit a timeout. I'll try to have it
given back.

Regards,
-- 
Yves-Alexis



Bug#838194: [Pkg-swan-devel] Bug#838194: support for network-manager-strongswan 1.4?

2016-09-19 Thread Harald Dunkel
Hi Yves,

I can see the new 5.5.0-2 source package on the ftp server,
but many binary packages are still missing, esp. for amd64.
Other platforms look fine.

Is there a problem with the patch?


Regards
Harri




Bug#838194: [Pkg-swan-devel] Bug#838194: support for network-manager-strongswan 1.4?

2016-09-18 Thread Yves-Alexis Perez
On dim., 2016-09-18 at 11:57 +0200, Harald Dunkel wrote:
> Package: strongswan-nm
> Version: 5.5.0-1
> Severity: wishlist
> Tags: patch
> 
> Hi Yves,
> 
> I would like to upgrade the network-manager-strongswan package
> for Stretch to version 1.4.0, but this requires 2 patches to
> charon-nm. See https://www.strongswan.org/download.html and
> the attachment.
> 
> Do you think it would be possible to add these patches to
> strongswan 5.5.0?
> 
> Of course I see that upstream plans to release strongswan 5.5.1
> (including the patches) in about 3 weeks. Adding the patches to
> 5.5.0 now would save the time.
If you can't wait 3 weeks, I guess including patches should be doable.

Regards,
-- 
Yves-Alexis



Bug#838194: support for network-manager-strongswan 1.4?

2016-09-18 Thread Harald Dunkel
Package: strongswan-nm
Version: 5.5.0-1
Severity: wishlist
Tags: patch

Hi Yves,

I would like to upgrade the network-manager-strongswan package
for Stretch to version 1.4.0, but this requires 2 patches to
charon-nm. See https://www.strongswan.org/download.html and
the attachment.

Do you think it would be possible to add these patches to
strongswan 5.5.0?

Of course I see that upstream plans to release strongswan 5.5.1
(including the patches) in about 3 weeks. Adding the patches to
5.5.0 now would save the time.


Thanx very much
Harri
From 9e74a0952e27e3ac0055b0831919aaddfef1e1b5 Mon Sep 17 00:00:00 2001
From: Tobias Brunner 
Date: Mon, 5 Sep 2016 10:54:07 +0200
Subject: [PATCH] nm: Enforce min. length for PSKs in backend

---
 src/charon-nm/nm/nm_service.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index 5991c24..c0c78ef 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -428,6 +428,16 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 		{
 			user = identification_create_from_string((char*)str);
 			str = nm_setting_vpn_get_secret(vpn, "password");
+			if (auth_class == AUTH_CLASS_PSK &&
+strlen(str) < 20)
+			{
+g_set_error(err, NM_VPN_PLUGIN_ERROR,
+			NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+			"pre-shared key is too short.");
+gateway->destroy(gateway);
+user->destroy(user);
+return FALSE;
+			}
 			priv->creds->set_username_password(priv->creds, user, (char*)str);
 		}
 	}
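
Review bot: strlen(str) in the added PSK check is called on the return value of nm_setting_vpn_get_secret(vpn, "password") with no NULL check, and that call returns NULL when the secret is absent, so a connection without a stored password reaches strlen(NULL) instead of the clean error path. Suggest testing "!str || strlen(str) < 20" and returning the same NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS error. The minimum of 20 is a bare literal and the commit message has no body: a named constant and one line on where the limit comes from would help, and the error string could state the required length so the user knows what to change.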
-- 
1.9.1

From f201d86debb12731b634625a0278e289e3e05e10 Mon Sep 17 00:00:00 2001
From: Tobias Brunner 
Date: Mon, 5 Sep 2016 14:34:07 +0200
Subject: [PATCH] nm: Pass external gateway to NM

This seems to be required by newer versions.
---
 src/charon-nm/nm/nm_service.c | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index c0c78ef..0fe10e0 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -88,12 +88,19 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
 	GValue *val;
 	GHashTable *config;
 	enumerator_t *enumerator;
-	host_t *me;
+	host_t *me, *other;
 	nm_handler_t *handler;
 
 	config = g_hash_table_new(g_str_hash, g_str_equal);
 	handler = priv->handler;
 
+	/* NM apparently requires to know the gateway */
+	val = g_slice_new0 (GValue);
+	g_value_init (val, G_TYPE_UINT);
+	other = ike_sa->get_other_host(ike_sa);
+	g_value_set_uint (val, *(uint32_t*)other->get_address(other).ptr);
+	g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_EXT_GATEWAY, val);
+
 	/* NM requires a tundev, but netkey does not use one. Passing the physical
 	 * interface does not work, as NM fiddles around with it. So we pass a dummy
 	 * TUN device along for NM to play with... */
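
Review bot: the cast *(uint32_t*)other->get_address(other).ptr in the added block assumes the peer address is IPv4 and suitably aligned, but nothing in the hunk checks the address family or the chunk length before dereferencing. If the IKE peer is reached over IPv6, this reads the first four bytes of a 16-byte address and hands NM a meaningless external gateway. Suggest guarding with other->get_family(other) == AF_INET (or a length check on the returned chunk), copying the four bytes with memcpy into a uint32_t, and skipping the NM_VPN_PLUGIN_IP4_CONFIG_EXT_GATEWAY entry otherwise. The comment "NM apparently requires" and the commit message "This seems to be required by newer versions" would also be more useful if they named the NetworkManager version or behaviour that needs the value.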
-- 
1.9.1


