
[Design] FreeS/WAN 2.00-rc2 released (w/diff)

From: Sam Sgro <sam(at)freeswan.org>
Date: Fri Feb 28 2003 - 06:00:36 EST


-----BEGIN PGP SIGNED MESSAGE-----

FreeS/WAN 2.00-rc2 of our IPSec for Linux has been released. It is publicly available on xs4all:

ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/development/freeswan-*

This is the "Speak now or forever hold your peace" section of the release process. As such, -rc2 may be followed up with -rc3 if last minute changes warrant. Once all are satisfied, we'll begin intense testing over the weekend and likely culminate with a 2.00 release at the beginning of next week.

Here is a diff against -rc2. Aside from many changes in the doc tree, there is little difference. Since it's hard to understand the doc changes without their full context, I've edited the output to simply note which files have changed. I encourage interested parties to re-read those documents, or run their own diff against -rc1.

A summary of the major changes:

  1. The doc tree in its entirety. It includes some changes to doc's Makefile, which do NOT cause the basic-docmake-01 to fail, produce any different files in a built FS release package, or any problems building on a non-htmldoc enabled system.
  2. Disabling -Wpointer-arith: in linux/net/ipsec/Makefile at MCR's request; and in programs/Makefile.program to address the Slackware 8.0 compilation issue.
  3. Pulling up a small bugfix to programs/pluto/state.c for Delete-SA code.

Lastly, I don't know how pgp might butcher this file. This output should not be used as a patch, but as a hint.

Files changed in the doc tree:

Index: doc/draft-richardson-ipsec-rr.txt
Index: doc/opportunism.known-issues
Index: doc/src/adv_config.html
Index: doc/src/config.html
Index: doc/src/draft-richardson-ipsec-rr.html
Index: doc/src/draft-richardson-ipsec-rr.xml
Index: doc/src/faq.html
Index: doc/src/glossary.html
Index: doc/src/index.html
Index: doc/src/install.html
Index: doc/src/makecheck.html
Index: doc/src/policy-groups-table.html
Index: doc/src/policygroups.html
Index: doc/src/quickstart.html
Index: doc/src/trouble.html
Index: doc/src/umltesting.html
Index: doc/src/upgrading.html

Index: Makefile.ver



RCS file: /freeswan/MASTER/freeswan/Makefile.ver,v
retrieving revision 1.11.2.1
retrieving revision 1.11.4.1
diff -u -r1.11.2.1 -r1.11.4.1
- --- Makefile.ver	23 Feb 2003 23:44:45 -0000	1.11.2.1

+++ Makefile.ver 28 Feb 2003 09:58:13 -0000 1.11.4.1
@@ -1 +1 @@
- -IPSECVERSION=2.00-rc1
+IPSECVERSION=2.00-rc2

Index: README

RCS file: /freeswan/MASTER/freeswan/README,v
retrieving revision 1.85.4.1.4.1.2.1.2.1
retrieving revision 1.86.2.1
diff -u -r1.85.4.1.4.1.2.1.2.1 -r1.86.2.1
- --- README	22 Feb 2003 23:08:18 -0000	1.85.4.1.4.1.2.1.2.1

+++ README 28 Feb 2003 06:57:11 -0000 1.86.2.1
@@ -1,4 +1,4 @@
- -This is release 2.00-rc1 of Linux FreeS/WAN, our freely-redistributable IPsec
+This is release 2.00-rc2 of Linux FreeS/WAN, our freely-redistributable IPsec
 implementation. See http://www.freeswan.org for current news and pointers  to more recent releases (if any). The BUGS file lists bugs that we  consider major, and the CHANGES file lists the major things that have been @@ -27,8 +27,8 @@
 two methods of getting plain-text versions if needed. See doc/roadmap.html  for a guide to what's where in this distribution.  
  • -Unpacking the distribution needs about 12MB, and compiling it perhaps
  • -another 50MB. For setup procedures, start at doc/intro.html; the INSTALL
    +Unpacking the distribution needs about 20MB, and compiling it perhaps
    +another 10-20MB. For setup procedures, start at doc/intro.html; the INSTALL
    file is now intended for experts only.

 Please also see doc/makecheck.html for information on automated regression @@ -59,5 +59,5 @@
 Our thanks to Sandy Harris (former documentation)

               Henry Spencer (former technical lead)  

  • -P.S. This file is RCSID $Id: README,v 1.85.4.1.4.1.2.1.2.1 2003/02/22 23:08:18 sam Exp $.
    +P.S. This file is RCSID $Id: README,v 1.86.2.1 2003/02/28 06:57:11 sam Exp $.
    Bet you were just dying to know that. Index: doc/Makefile
RCS file: /freeswan/MASTER/freeswan/doc/Makefile,v
retrieving revision 1.69
retrieving revision 1.71
diff -u -r1.69 -r1.71
  • --- doc/Makefile 22 Jan 2003 00:22:51 -0000 1.69
    +++ doc/Makefile 24 Feb 2003 04:52:19 -0000 1.71
    @@ -117,44 +117,29 @@ @$(foreach f, $(alldocs), \ echo ${DOCDIR}/$f; \ )
  • - @find ${HMANDIR} -type f -name "*.html" -print | while read file; \
    + @if [ -d ${HMANDIR} ]; then find ${HMANDIR} -type f -name "*.html" -print | while read file; \
    do \ echo ${DOCDIR}/$f; \
  • - done;
    + done; fi;

 checkprograms: ;  

 check: ;  

 # not enabled by default, because xml2rfc must be installed first. - -drafts: draft-richardson-ipsec-opportunistic.txt src/draft-richardson-ipsec-opportunistic.html
+drafts: draft-richardson-ipsec-opportunistic.txt src/draft-richardson-ipsec-opportunistic.html \
+ draft-richardson-ipsec-rr.txt src/draft-richardson-ipsec-rr.html
 

  • -# below, was, but the nroff had to be edited for RFC use.
  • -#echo XML_LIBRARY=$(XML_LIBRARY):./src xml2rfc xml2rfc $? $@
    +draft-%.txt: src/draft-%.xml
    + XML_LIBRARY=$(XML_LIBRARY):./src xml2rfc xml2rfc $? $@
  • -# cat draft-richardson-ipsec-opportunistic.nr \
  • -
  • -rfc_pg: utils/rfc_pg.c
  • -
  • -draft-richardson-ipsec-opportunistic.txt: draft-richardson-ipsec-opportunistic.nr rfc_pg
  • - perl utils/killtoodeepcontents.pl draft-richardson-ipsec-opportunistic.nr \
  • - | nroff -ms \
  • - | sed -e 's/FORMFEED\[Page/ \[Page/' | ./rfc_pg -n5 >draft-richardson-ipsec-opportunistic.txt
  • -
  • -draft-richardson-ipsec-rr.txt: draft-richardson-ipsec-rr.nr rfc_pg
  • - perl utils/killtoodeepcontents.pl draft-richardson-ipsec-rr.nr \
  • - | nroff -ms \
  • - | sed -e 's/FORMFEED\[Page/ \[Page/' | ./rfc_pg -n5 >draft-richardson-ipsec-rr.txt
  • -
  • -draft-richardson-ipsec-rr.nr: src/draft-richardson-ipsec-rr.xml
    +draft-%.nr: src/draft-%.xml
    XML_LIBRARY=$(XML_LIBRARY):./src xml2rfc xml2nroff $? $@
  • -draft-richardson-ipsec-opportunistic.nr: src/draft-richardson-ipsec-opportunistic.xml
  • - XML_LIBRARY=$(XML_LIBRARY):./src xml2rfc xml2nroff $? $@
  • -
  • -src/draft-richardson-ipsec-opportunistic.html: src/draft-richardson-ipsec-opportunistic.xml
    +draft-%.html: draft-%.xml
    XML_LIBRARY=$(XML_LIBRARY):./src xml2rfc xml2html $? $@

+

 .fig.eps:

         fig2dev -L ps $< $@  

@@ -165,4 +150,15 @@
 multi_netjig.png: testing/multi_netjig.fig  


 makecheck.html: single_netjig.png multi_netjig.png
+
+#
+# DocBook based documentation
+#
+xmldocs: mast.html klips/mast.4
+
+mast.html: klips/mast.xml
+ xmlto html klips/mast.xml
+
+klips/mast.4: klips/mast.xml
+ xmlto -o klips man klips/mast.xml
 
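Review bot: the `while read file` loop in the @@ -117,44 hunk still echoes `${DOCDIR}/$f` in its body (the unchanged `do \ echo ${DOCDIR}/$f; \` line), but in a recipe `$f` is make's foreach variable from the line above, not the shell's `$file`, so every manpage HTML file found under ${HMANDIR} is listed as `${DOCDIR}/` with no name; it should be `echo ${DOCDIR}/$$file`. The new `if [ -d ${HMANDIR} ]; then ... fi;` guard is the right fix for trees without HMANDIR, but while the loop is being touched the body should be corrected too. Separately, the replacement rule `draft-%.txt: src/draft-%.xml` drops the old nroff/rfc_pg pipeline whose removed comment says the nroff had to be edited for RFC use; confirm that xml2rfc's direct text output is acceptable for the draft, or leave a comment saying why the editing step is no longer needed.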

Index: linux/net/ipsec/Makefile



RCS file: /freeswan/MASTER/freeswan/linux/net/ipsec/Makefile,v
retrieving revision 1.58
retrieving revision 1.58.4.1
diff -u -r1.58 -r1.58.4.1
- --- linux/net/ipsec/Makefile	3 Jan 2003 00:36:44 -0000	1.58

+++ linux/net/ipsec/Makefile 28 Feb 2003 06:34:23 -0000 1.58.4.1
@@ -12,7 +12,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #

- -# RCSID $Id: Makefile,v 1.58 2003/01/03 00:36:44 rgb Exp $
+# RCSID $Id: Makefile,v 1.58.4.1 2003/02/28 06:34:23 sam Exp $
 #
 # Note! Dependencies are done automagically by 'make dep', which also
 # removes any old dependencies. DON'T put your own dependencies here
@@ -128,9 +128,9 @@
 #EXTRA_CFLAGS += -Wmissing-prototypes 
 # cannot use both -Wpointer-arith and -Werror with CONFIG_HIGHMEM
 # include/linux/highmem.h has an inline function definition that uses void* arithmentic.
- -ifeq ($(CONFIG_NOHIGHMEM),y)

- -EXTRA_CFLAGS += -Wpointer-arith
- -endif
+#ifeq ($(CONFIG_NOHIGHMEM),y)
+#EXTRA_CFLAGS += -Wpointer-arith
+#endif
 #EXTRA_CFLAGS += -Wcast-qual 
 #EXTRA_CFLAGS += -Wmissing-declarations 
 #EXTRA_CFLAGS += -Wstrict-prototypes
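Review bot: in the @@ -128,9 hunk the whole `ifeq ($(CONFIG_NOHIGHMEM),y)` block is commented out, but the two comment lines kept above it still explain only why -Wpointer-arith cannot be combined with -Werror under CONFIG_HIGHMEM, which is exactly the case the old ifeq already handled; a reader will not see why the NOHIGHMEM case is now dropped as well, and the $Log entry in the @@ -193,6 hunk says only "disabling -Wpointer-arith". Replace the three dead lines with a comment that states the actual reason (the release mail says it was disabled at MCR's request), so the change does not look like an accident and can be reverted deliberately later.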

@@ -193,6 +193,9 @@  
 #
 # $Log: Makefile,v $

+# Revision 1.58.4.1 2003/02/28 06:34:23 sam
+# disabling -Wpointer-arith
+#
# Revision 1.58 2003/01/03 00:36:44 rgb # # Added emacs compile-command. Index: programs/Makefile.program ===================================================================
RCS file: /freeswan/MASTER/freeswan/programs/Makefile.program,v
retrieving revision 1.34

retrieving revision 1.34.4.1
diff -u -r1.34 -r1.34.4.1
- --- programs/Makefile.program	21 Feb 2003 01:50:28 -0000	1.34

+++ programs/Makefile.program 28 Feb 2003 06:32:59 -0000 1.34.4.1
@@ -7,7 +7,7 @@
 CFLAGS+= -Wall
 #CFLAGS+= -Wconversion
 #CFLAGS+= -Wmissing-prototypes
- -CFLAGS+= -Wpointer-arith
+#CFLAGS+= -Wpointer-arith

 CFLAGS+= -Wcast-qual
 #CFLAGS+= -Wmissing-declarations
 CFLAGS+= -Wstrict-prototypes
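Review bot: the @@ -7,7 hunk turns `CFLAGS+= -Wpointer-arith` into a comment with no explanation, alongside the already commented `-Wconversion` and `-Wmissing-prototypes` lines, so the file gives no hint that this one was switched off for a concrete reason. The release mail names the Slackware 8.0 compilation issue; record it next to the line, e.g. `# -Wpointer-arith disabled: breaks the build on Slackware 8.0`, so the warning can be re-enabled once that platform is no longer a concern without digging through list archives.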
Index: programs/_confread/ipsec.conf.5

RCS file: /freeswan/MASTER/freeswan/programs/_confread/ipsec.conf.5,v
retrieving revision 1.89
retrieving revision 1.92
diff -u -r1.89 -r1.92
- --- programs/_confread/ipsec.conf.5	22 Feb 2003 05:18:57 -0000	1.89

+++ programs/_confread/ipsec.conf.5 27 Feb 2003 16:51:54 -0000 1.92
@@ -1,5 +1,5 @@
 .TH IPSEC.CONF 5 "26 Nov 2001"
- -.\" RCSID $Id: ipsec.conf.5,v 1.89 2003/02/22 05:18:57 claudia Exp $
+.\" RCSID $Id: ipsec.conf.5,v 1.92 2003/02/27 16:51:54 dhr Exp $
 .SH NAME
 ipsec.conf \- IPsec configuration and connections  .SH DESCRIPTION
@@ -864,6 +864,14 @@
 .B setup
 section are:
 .TP 14
+.B myid
+the identity (\fBleftid\fP) to be used for this machine in implicit policy group conns.
+Defaults to value of
+.BR left ,
+which in turn defaults to
+.BR %defaultroute .
+Generally starts with ``\fB@\fP''.
+.TP

 .B interfaces
 virtual and physical interfaces for IPsec to use:  a single
@@ -1227,6 +1235,21 @@
 <http://www.freeswan.org>
 by Henry Spencer.
 .SH BUGS
+.PP
+When
+.B type
+or
+.B failureshunt
+is set to
+.B drop
+or
+.BR reject,
+FreeS/WAN blocks outbound packets using eroutes, but assumes inbound
+blocking is handled by the firewall. FreeS/WAN offers firewall hooks
+via an ``updown'' script. However, the default
+.B ipsec _updown
+provides no help in controlling a modern firewall.
+.PP

 Including attributes of the keying channel  (authentication methods,
 .BR ikelifetime ,
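Review bot: the BUGS paragraph added in the @@ -1227,6 hunk states the security-relevant fact that with `type` or `failureshunt` set to `drop` or `reject`, FreeS/WAN only blocks outbound packets via eroutes and leaves inbound blocking to the firewall, and that the default `ipsec _updown` does not help with a modern firewall; but this is visible only to someone who reads BUGS. An administrator looking up `type` or `failureshunt` will assume `drop` means both directions. Add a one-line cross-reference at those two option entries ("inbound traffic is not blocked by this setting; see BUGS") and, since the paragraph already points at the ``updown'' hook, say there that the updown script is where an inbound firewall rule would be added.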
@@ -1285,3 +1308,5 @@
 does not actually use the public key for our side of a conn but it  isn't generally known at a add-time which side is ours (Road Warrior  and Opportunistic conns are currently exceptions).
+.PP
+The \fBmyid\fP option does not affect explicit \fB ipsec auto \-\-add\fP or \fBipsec auto \-\-replace\fP commands for implicit conns.
Index: programs/_confread/ipsec.conf.in

RCS file: /freeswan/MASTER/freeswan/programs/_confread/ipsec.conf.in,v
retrieving revision 1.6
retrieving revision 1.9
diff -u -r1.6 -r1.9
- --- programs/_confread/ipsec.conf.in	24 Jan 2003 01:54:20 -0000	1.6

+++ programs/_confread/ipsec.conf.in 27 Feb 2003 05:48:35 -0000 1.9
@@ -1,78 +1,32 @@
 # /etc/ipsec.conf - FreeS/WAN IPsec configuration file - -# RCSID $Id: ipsec.conf.in,v 1.6 2003/01/24 01:54:20 dhr Exp $
+# RCSID $Id: ipsec.conf.in,v 1.9 2003/02/27 05:48:35 claudia Exp $
 

 version 2.0 # conforms to second version of ipsec.conf specification  

 # basic configuration
 config setup

- -	# THIS SETTING MUST BE CORRECT or almost nothing will work;
- -	# %defaultroute is okay for most simple cases.
- -	#default# interfaces=%defaultroute
 	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
- -	#default# klipsdebug=none
- -	#default# plutodebug=none
- -	# Close down old connection when new one using same ID shows up.
- -	#default# uniqueids=yes
- -
- -
- -
- -# defaults for subsequent connection descriptions
- -conn %default
- -	#default# keyingtries=%forever
- -	#default# disablearrivalcheck=no
- -	#default# authby=rsasig
- -	#default# leftrsasigkey=%dnsondemand
- -	#default# rightrsasigkey=%dnsondemand
- -
- -# user defined conn's may be added from this point down. 
- -# DO NOT add conns before the "conn %default"
- -
- -
+ # klipsdebug=all
+ # plutodebug=dns
 
  • -# Connection descriptions for policy groups between this machine
  • -# and the world. Supplied implicitly! Not affected by conn %default.
  • -# To suppress or change, you must define a new one with the same name.
  • -# Requires KEY record in your DNS reverse map; see doc/opportunism.howto.
  • -# Initiator-only OE requires leftid=.
  • -#implicit# conn clear
  • -#implicit# type=passthrough
  • -#implicit# authby=never
  • -#implicit# right=%group
  • -#implicit# auto=route
  • -#implicit#
  • -#implicit# conn clear-or-private
  • -#implicit# type=passthrough
  • -#implicit# right=%opportunisticgroup
  • -#implicit# failureshunt=passthrough
  • -#implicit# auto=route
  • -#implicit#
  • -#implicit# conn private-or-clear
  • -#implicit# type=tunnel
  • -#implicit# right=%opportunisticgroup
  • -#implicit# failureshunt=passthrough
  • -#implicit# auto=route
  • -#implicit#
  • -#implicit# conn private
  • -#implicit# type=tunnel
  • -#implicit# right=%opportunisticgroup
  • -#implicit# failureshunt=drop
  • -#implicit# auto=route
  • -#implicit#
  • -#implicit# conn block
  • -#implicit# type=reject
  • -#implicit# authby=never
  • -#implicit# right=%group
  • -#implicit# auto=route

+# Add connections here.
 

 # sample VPN connection
 #sample# conn sample
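Review bot: the @@ -1,78 hunk removes every `#default#` line (interfaces=%defaultroute with its "THIS SETTING MUST BE CORRECT" warning, klipsdebug/plutodebug=none, uniqueids=yes, and the conn %default block with keyingtries, disablearrivalcheck, authby=rsasig and the %dnsondemand keys) plus all five `#implicit#` policy-group conns (clear, clear-or-private, private-or-clear, private, block), and replaces them with two commented debug examples and `# Add connections here.`; nothing left in the file tells an administrator that those defaults and implicit conns still apply, so a reader could conclude the `private` and `block` groups no longer exist or that `uniqueids` is unset. Keep a one-line pointer, e.g. `# Defaults and the implicit policy-group conns are documented in ipsec.conf(5) and doc/policygroups.html`, and keep the `# DO NOT add conns before the "conn %default"` warning (or its equivalent) if the ordering constraint still holds.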
Index: programs/pluto/state.c



RCS file: /freeswan/MASTER/freeswan/programs/pluto/state.c,v
retrieving revision 1.102.14.1
retrieving revision 1.102.14.1.4.1
diff -u -r1.102.14.1 -r1.102.14.1.4.1
- --- programs/pluto/state.c	14 Feb 2003 21:23:16 -0000	1.102.14.1

+++ programs/pluto/state.c 28 Feb 2003 06:28:22 -0000 1.102.14.1.4.1
@@ -12,7 +12,7 @@
  • or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  • for more details. * - - * RCSID $Id: state.c,v 1.102.14.1 2003/02/14 21:23:16 sam Exp $
    + * RCSID $Id: state.c,v 1.102.14.1.4.1 2003/02/28 06:28:22 sam Exp $
    */

 #include <stdio.h>
@@ -562,7 +562,7 @@

 		{
 		    if (pr->attrs.spi == spi)
 			return st;
- -		    if (pr->our_spi)

+ if (pr->our_spi == spi)
*bogus = TRUE; } }
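Review bot: the @@ -562,7 hunk changes `if (pr->our_spi)` to `if (pr->our_spi == spi)` before `*bogus = TRUE`, so a Delete-SA is now flagged bogus only when the SPI it names is our own, rather than whenever our SPI is non-zero, which matches the Delete-SA bugfix the release mail describes; but the corrected branch carries no comment saying why a match on our_spi is "bogus", and this diff has no CHANGES entry for it even though the README hunk says CHANGES lists the major changes. Add a one-line comment at the condition and a CHANGES line; a silent change in Delete-SA handling is the kind that gets re-introduced by a later merge.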

Index: programs/verify/verify.8

RCS file: /freeswan/MASTER/freeswan/programs/verify/verify.8,v
retrieving revision 1.1
retrieving revision 1.4
diff -u -r1.1 -r1.4
- --- programs/verify/verify.8	10 Jun 2002 00:19:44 -0000	1.1

+++ programs/verify/verify.8 27 Feb 2003 04:52:21 -0000 1.4
@@ -1,16 +1,39 @@
 .TH IPSEC_VERIFY 8 "8 June 2002"
- -.\" RCSID $Id: verify.8,v 1.1 2002/06/10 00:19:44 mcr Exp $
+.\" RCSID $Id: verify.8,v 1.4 2003/02/27 04:52:21 claudia Exp $
 .SH NAME
 ipsec verify \- see if FreeSWAN has been installed correctly
 .SH SYNOPSIS
 .B ipsec
 .B verify

+[
+.B \-\-host
+\ name\ ]

 .SH DESCRIPTION
- -.I verify
- -examines a system for a number of common system faults: KLIPS not
- -loading, no secrets file generated, and pluto not running. In addition, - -it looks for appropriate KEY records in forward and reverse DNS for - -IP addresses of the host.

+.PP
+Invoked without argument,
+.I verify
+examines the local system for a number of common system faults:
+IPsec not in path, no secrets file generated,
+pluto not running, and IPsec support not present in kernel
+(or IPsec module not loaded).
+If two or more interfaces are found, it performs checks relevant on an
+IPsec gateway: whether IP forwarding is allowed, and if so,
+whether MASQ or NAT rules are in play.
+.PP
+In addition,
+.I verify
+performs checks relevant to Opportunistic Encryption.
+It looks in forward DNS for a KEY record for the system's hostname, and
+in reverse DNS for KEY and TXT records for the system's IP addresses.
+It checks whether the system has a public IP.
+.PP
+The
+.B \-\-host
+option causes
+.B verify
+to look for KEY and TXT records for
+.I name
+in forward and reverse DNS.

 .SH FILES
 .nf
 /proc/net/ipsec_eroute
@@ -21,3 +44,10 @@
 <http://www.freeswan.org>
 by Michael Richardson.
 .SH BUGS
+.I Verify
+does not check for
+.B ipchains
+masquerading.
+.PP
+.I Verify
+does not look for TXT records for Opportunistic clients behind the system.
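Review bot: the DESCRIPTION added in the @@ -1,16 hunk says that on a host with two or more interfaces `verify` checks "whether MASQ or NAT rules are in play", while the BUGS paragraph added in the @@ -21,3 hunk says it "does not check for ipchains masquerading"; the two read as contradictory to anyone who does not already know which tool's rules are inspected. State in DESCRIPTION which rule set the NAT check looks at, so that BUGS reads as a scope limit rather than a retraction. Also, the new text refers to the program as `.B verify` in the --host paragraph but `.I verify` everywhere else; pick one.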
Index: testing/testresults.txt

RCS file: /freeswan/MASTER/freeswan/testing/Attic/testresults.txt,v
retrieving revision 1.1.2.1.4.1.2.1.2.1
retrieving revision 1.1.2.1.4.1.2.1.4.1
diff -u -r1.1.2.1.4.1.2.1.2.1 -r1.1.2.1.4.1.2.1.4.1
- --- testing/testresults.txt	23 Feb 2003 23:48:31 -0000	1.1.2.1.4.1.2.1.2.1

+++ testing/testresults.txt 28 Feb 2003 10:02:36 -0000 1.1.2.1.4.1.2.1.4.1
@@ -1,10 +1,10 @@  
  • -Here is a summary of test results for 2.00-rc1; if you run the
    +Here is a summary of test results for 2.00-rc2; if you run the
    tests yourself, you should find something similar.

 You can find more info on FreeS/WAN's test suite in doc/makecheck.html.  

  • -2.00-rc1 testing results for Sun Feb 23 8:12:21 2003
    +2.00-rc2 testing results for Fri Feb 28 2:12:03 2003
    Test name                     Result         Detail 
 
@@ -32,7 +32,7 @@
    east-hold-02                  passed                 
    east-hold-02-module           passed                 
    east-icmp-01                  passed                 
- -   east-icmp-01-module           passed                 

+ east-icmp-01-module FAILED pkt cons
east-lifetime-02 passed east-lifetime-02-module passed east-lifetime-03 passed @@ -57,7 +57,7 @@ east-trap-01-module passed east-trap-02 passed east-trap-02-module passed - - east-trapsubnet-01 FAILED cons
+ east-trapsubnet-01 passed
east-trapsubnet-01-module passed east-trapsubnet-02 passed east-trapsubnet-02-module passed
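Review bot: the @@ -32,7 hunk records east-icmp-01-module going from passed in the -rc1 run to FAILED ("pkt cons") in -rc2, while east-trapsubnet-01 flips from FAILED to passed; the release mail says the only non-doc changes are the two -Wpointer-arith tweaks and the state.c Delete-SA fix, none of which obviously touches the module ICMP path, so this looks like either a regression or a flaky test rather than an expected result. Before 2.00 final, re-run east-icmp-01-module to establish which it is, and either list it in BUGS or say in the release notes that it is intermittent.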
--
Sam Sgro
sam@freeswan.org




Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design
Received on Fri Feb 28 07:01:03 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:32 EDT

