linux-ipsec: a byteorder bug in spi.c

FreeSWAN-0.90 (0.91 seems to be affected too, but not tested)   platform: Linux-2.0.33 on an i586, ethernet, glibc-2.0.6

1.
found a bug in 'spi.c' (on little endian machines only) result: AH doesn't work, exits with the 'Illegal window size' error

$Id: spi.c,v 1.16 1998/08/28 03:14:12 rgb Exp $ line 726
 description + solution:

	/* replay_window = htonl(strtoul(optarg, &endptr, 0)); // flaw */
/*** 'int replay_window' had the NET format now ...*/       
        replay_window = strtoul(optarg, &endptr, 0); /* added fix*/
	
	if(!(endptr == optarg + strlen(optarg))) {
		fprintf(stderr, "%s: Invalid character in replay_window parameter: %s\n",
			program, optarg);
		exit (1);

	}

/*** ... and here was a comparsion between the NET and the HOST formats 
         (which have different byteorder on intel): */
	if((replay_window < 1) || (replay_window > 64))
	{
		fprintf(stderr, "%s: Failed -- Illegal window size: %s  Must be 1 <= size <= 64.\n",
			program, optarg);
		exit(1);

	}

	replay_window = htonl(replay_window); /* added fix*/
	break;

other notes:
2.
If the '--replay_window' option is not specified along with '--ah', the 'spi' program fails.

at line 389 doesn't work (while writing into '/dev/ipsec'):   xd->ame_replayp = xd->ame_ooowin = 0; ?

3.
No matter how '--replay_window' is set, real size is always 4 B ?

FreeS/WAN runs fine on intels, i have tried out all modes. I have written some overview on IPSec and ISAKMP and a description of caught IPSec packets. All is it on my homepage, all in Czech language ;-) , it will be part of my diploma thesis (VPN, firewall management).

Pluto works too, but doesn't want to negotiate keys between two machines on the local eth segment in our lab

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

I didn't succeed in running IPSec on localhost at home (packets are sent but don't came back). The Linux crashed during experiments with an aliasing+ipsec on loopback.

  looking forward to FreeSWAN-1.0

josef ungerman
ungerman@students.zcu.cz
http://home.zcu.cz/~ungerman
eoj Received on Fri Jan 15 05:36:31 1999