* Tue May 13 2014 Paul Wouters <pwouters@redhat.com> - 1.3.6-1

- Updated to 1.3.6 - using github-only monstrosity packaging
- Resolves: rhbz#1051785 (new upstream version available)
- Resolves: rhbz#868391 xl2tpd sends response packets from wrong IP address
- Revert: rhbz#929447 Incorrect "ipparam" manipulation
- Resolves: rhbz#1055196 Don't order service after syslog.target
- Resolves: rhbz#984332 xl2tpd tmpfiles configuration file in wrong directory
- Removed patches merged in upstream.
- FIPS patch updated with advertising clause for openssl in xl2tpd -V
  (although the GPL code was already basically taken from openssl)
epel9
Paul Wouters 11 years ago
parent 19afcbe0fc
commit 38e97b03ea

1
.gitignore vendored

@ -11,3 +11,4 @@ xl2tpd-1.2.7.tar.gz
xl2tpd-1.2.8.tar.gz
xl2tpd-1.3.0.tar.gz
xl2tpd-1.3.1.tar.gz
/xl2tpd-5619e1771048e74b729804e8602f409af0f3faea.tar.gz

@ -1 +1 @@
cf61576fef5c2d6c68279a408ec1f0d5 xl2tpd-1.3.1.tar.gz
e08e34510a97e126b324f3407c71806c xl2tpd-5619e1771048e74b729804e8602f409af0f3faea.tar.gz

@ -1,436 +0,0 @@
diff --git a/Makefile b/Makefile
index 6f6481f..778f38d 100644
--- a/Makefile
+++ b/Makefile
@@ -62,8 +62,8 @@
# are packages seperately (eg kernel-headers on Fedora)
# Note: 2.6.23+ support still needs some changes in the xl2tpd source
#
-#OSFLAGS+= -DUSE_KERNEL
-#
+# Kernel mode fixed by sigwall <fionov@gmail.com>
+OSFLAGS+= -DUSE_KERNEL
#
# Uncomment the next line for FreeBSD
#
diff --git a/call.c b/call.c
index d1b1858..b672f91 100644
--- a/call.c
+++ b/call.c
@@ -680,6 +680,8 @@ struct call *get_call (int tunnel, int call, struct in_addr addr, int port,
st->peer.sin_port = port;
st->refme = refme;
st->refhim = refhim;
+ st->udp_fd = -1;
+ st->pppox_fd = -1;
bcopy (&addr, &st->peer.sin_addr, sizeof (addr));
st->next = tunnels.head;
tunnels.head = st;
diff --git a/control.c b/control.c
index 0892df9..9362ffd 100644
--- a/control.c
+++ b/control.c
@@ -596,6 +596,9 @@ int control_finish (struct tunnel *t, struct call *c)
if (gconfig.debug_state)
l2tp_log (LOG_DEBUG, "%s: sending SCCCN\n", __FUNCTION__);
control_xmit (buf);
+
+ connect_pppol2tp(t);
+
/* Schedule a HELLO */
tv.tv_sec = HELLO_DELAY;
tv.tv_usec = 0;
@@ -608,6 +611,7 @@ int control_finish (struct tunnel *t, struct call *c)
"Connection established to %s, %d. Local: %d, Remote: %d (ref=%u/%u).\n",
IPADDY (t->peer.sin_addr),
ntohs (t->peer.sin_port), t->ourtid, t->tid, t->refme, t->refhim);
+
if (t->lac)
{
/* This is part of a LAC, so we want to go ahead
@@ -635,6 +639,9 @@ int control_finish (struct tunnel *t, struct call *c)
IPADDY (t->peer.sin_addr),
ntohs (t->peer.sin_port), t->ourtid, t->tid, t->refme, t->refhim,
t->lns->entname);
+
+ connect_pppol2tp(t);
+
/* Schedule a HELLO */
tv.tv_sec = HELLO_DELAY;
tv.tv_usec = 0;
diff --git a/l2tp.h b/l2tp.h
index 2724fff..856423f 100644
--- a/l2tp.h
+++ b/l2tp.h
@@ -167,6 +167,8 @@ struct tunnel
int ourrws; /* Receive Window Size */
int rxspeed; /* Receive bps */
int txspeed; /* Transmit bps */
+ int udp_fd; /* UDP fd */
+ int pppox_fd; /* PPPOX tunnel fd */
struct call *self;
struct lns *lns; /* LNS that owns us */
struct lac *lac; /* LAC that owns us */
@@ -220,6 +222,7 @@ extern void control_xmit (void *);
extern int ppd;
extern int switch_io; /* jz */
extern int control_fd;
+extern int connect_pppol2tp(struct tunnel *t);
extern int start_pppd (struct call *c, struct ppp_opts *);
extern void magic_lac_dial (void *);
extern int get_entropy (unsigned char *, int);
diff --git a/linux/include/linux/if_pppol2tp.h b/linux/include/linux/if_pppol2tp.h
index a7d6a22..0795e4a 100644
--- a/linux/include/linux/if_pppol2tp.h
+++ b/linux/include/linux/if_pppol2tp.h
@@ -36,6 +36,20 @@ struct pppol2tp_addr
__u16 d_tunnel, d_session; /* For sending outgoing packets */
};
+/* The L2TPv3 protocol changes tunnel and session ids from 16 to 32
+ * bits. So we need a different sockaddr structure.
+ */
+struct pppol2tpv3_addr {
+ pid_t pid; /* pid that owns the fd.
+ * 0 => current */
+ int fd; /* FD of UDP or IP socket to use */
+
+ struct sockaddr_in addr; /* IP address and port to send to */
+
+ __u32 s_tunnel, s_session; /* For matching incoming packets */
+ __u32 d_tunnel, d_session; /* For sending outgoing packets */
+};
+
/* Socket options:
* DEBUG - bitmask of debug message categories
* SENDSEQ - 0 => don't send packets with sequence numbers
diff --git a/network.c b/network.c
index 241bd82..fde250e 100644
--- a/network.c
+++ b/network.c
@@ -22,6 +22,7 @@
#include <unistd.h>
#include <stdlib.h>
#include <sys/ioctl.h>
+#include <sys/wait.h>
#ifndef LINUX
# include <sys/uio.h>
#endif
@@ -36,6 +37,51 @@ int server_socket; /* Server socket */
int kernel_support; /* Kernel Support there or not? */
#endif
+#ifdef USE_KERNEL
+void modprobe() {
+ char * modules[] = { "l2tp_ppp", "pppol2tp", NULL };
+ char ** module;
+ char buf[256], *tok;
+ int pid, exit_status, fd;
+
+ FILE * fmod = fopen("/proc/modules", "r");
+
+ if (fmod == NULL)
+ return;
+
+ while (fgets(buf, 255, fmod) != NULL) {
+ if ((tok = strtok(buf, " ")) != NULL) {
+ for (module = modules; *module != NULL; ++module) {
+ if (!strcmp(*module, tok)) {
+ fclose(fmod);
+ return;
+ }
+ }
+ }
+ }
+
+ fclose(fmod);
+
+ for (module = modules; *module != NULL; ++module) {
+ if ((pid = fork()) >= 0) {
+ if (pid == 0) {
+ setenv("PATH", "/sbin:/usr/sbin:/bin:/usr/bin", 1);
+ if ((fd = open("/dev/null", O_RDWR)) > -1) {
+ dup2(fd, 1);
+ dup2(fd, 2);
+ }
+ execlp("modprobe", "modprobe", "-q", *module, (char *)NULL);
+ exit(1);
+ } else {
+ if ((pid = waitpid(pid, &exit_status, 0)) != -1 && WIFEXITED(exit_status)) {
+ if (WEXITSTATUS(exit_status) == 0)
+ return;
+ }
+ }
+ }
+ }
+}
+#endif
int init_network (void)
{
@@ -45,6 +91,7 @@ int init_network (void)
server.sin_family = AF_INET;
server.sin_addr.s_addr = gconfig.listenaddr;
server.sin_port = htons (gconfig.port);
+ int flags;
if ((server_socket = socket (PF_INET, SOCK_DGRAM, 0)) < 0)
{
l2tp_log (LOG_CRIT, "%s: Unable to allocate socket. Terminating.\n",
@@ -52,6 +99,10 @@ int init_network (void)
return -EINVAL;
};
+ flags = 1;
+ setsockopt(server_socket, SOL_SOCKET, SO_REUSEADDR, &flags, sizeof(flags));
+ setsockopt(server_socket, SOL_SOCKET, SO_NO_CHECK, &flags, sizeof(flags));
+
if (bind (server_socket, (struct sockaddr *) &server, sizeof (server)))
{
close (server_socket);
@@ -91,6 +142,7 @@ int init_network (void)
}
else
{
+ modprobe();
int kernel_fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
if (kernel_fd < 0)
{
@@ -321,6 +373,11 @@ int build_fdset (fd_set *readfds)
while (tun)
{
+ if (tun->udp_fd > -1) {
+ if (tun->udp_fd > max)
+ max = tun->udp_fd;
+ FD_SET (tun->udp_fd, readfds);
+ }
call = tun->call_head;
while (call)
{
@@ -390,6 +447,8 @@ void network_thread ()
struct iovec iov;
char cbuf[256];
unsigned int refme, refhim;
+ int * currentfd;
+ int server_socket_processed;
/* This one buffer can be recycled for everything except control packets */
buf = new_buf (MAX_RECV_SIZE);
@@ -428,7 +487,21 @@ void network_thread ()
{
do_control ();
}
- if (FD_ISSET (server_socket, &readfds))
+ server_socket_processed = 0;
+ currentfd = NULL;
+ st = tunnels.head;
+ while (st || !server_socket_processed) {
+ if (st && (st->udp_fd == -1)) {
+ st=st->next;
+ continue;
+ }
+ if (st) {
+ currentfd = &st->udp_fd;
+ } else {
+ currentfd = &server_socket;
+ server_socket_processed = 1;
+ }
+ if (FD_ISSET (*currentfd, &readfds))
{
/*
* Okay, now we're ready for reading and processing new data.
@@ -457,12 +530,19 @@ void network_thread ()
msgh.msg_flags = 0;
/* Receive one packet. */
- recvsize = recvmsg(server_socket, &msgh, 0);
+ recvsize = recvmsg(*currentfd, &msgh, 0);
if (recvsize < MIN_PAYLOAD_HDR_LEN)
{
if (recvsize < 0)
{
+ if (errno == ECONNREFUSED) {
+ close(*currentfd);
+ }
+ if ((errno == ECONNREFUSED) ||
+ (errno == EBADF)) {
+ *currentfd = -1;
+ }
if (errno != EAGAIN)
l2tp_log (LOG_WARNING,
"%s: recvfrom returned error %d (%s)\n",
@@ -567,6 +647,8 @@ void network_thread ()
}
};
}
+ if (st) st=st->next;
+ }
/*
* finished obvious sources, look for data from PPP connections.
@@ -639,3 +721,82 @@ void network_thread ()
}
}
+
+int connect_pppol2tp(struct tunnel *t) {
+#ifdef USE_KERNEL
+ if (kernel_support) {
+ int ufd = -1, fd2 = -1;
+ int flags;
+ struct sockaddr_pppol2tp sax;
+
+ struct sockaddr_in server;
+ server.sin_family = AF_INET;
+ server.sin_addr.s_addr = gconfig.listenaddr;
+ server.sin_port = htons (gconfig.port);
+ if ((ufd = socket (PF_INET, SOCK_DGRAM, 0)) < 0)
+ {
+ l2tp_log (LOG_CRIT, "%s: Unable to allocate UDP socket. Terminating.\n",
+ __FUNCTION__);
+ return -EINVAL;
+ };
+
+ flags=1;
+ setsockopt(ufd, SOL_SOCKET, SO_REUSEADDR, &flags, sizeof(flags));
+ setsockopt(ufd, SOL_SOCKET, SO_NO_CHECK, &flags, sizeof(flags));
+
+ if (bind (ufd, (struct sockaddr *) &server, sizeof (server)))
+ {
+ close (ufd);
+ l2tp_log (LOG_CRIT, "%s: Unable to bind UDP socket: %s. Terminating.\n",
+ __FUNCTION__, strerror(errno), errno);
+ return -EINVAL;
+ };
+ server = t->peer;
+ flags = fcntl(ufd, F_GETFL);
+ if (flags == -1 || fcntl(ufd, F_SETFL, flags | O_NONBLOCK) == -1) {
+ l2tp_log (LOG_WARNING, "%s: Unable to set UDP socket nonblock.\n",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+ if (connect (ufd, (struct sockaddr *) &server, sizeof(server)) < 0) {
+ l2tp_log (LOG_CRIT, "%s: Unable to connect UDP peer. Terminating.\n",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+
+ t->udp_fd=ufd;
+
+ fd2 = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
+ if (fd2 < 0) {
+ l2tp_log (LOG_WARNING, "%s: Unable to allocate PPPoL2TP socket.\n",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+ flags = fcntl(fd2, F_GETFL);
+ if (flags == -1 || fcntl(fd2, F_SETFL, flags | O_NONBLOCK) == -1) {
+ l2tp_log (LOG_WARNING, "%s: Unable to set PPPoL2TP socket nonblock.\n",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+ sax.sa_family = AF_PPPOX;
+ sax.sa_protocol = PX_PROTO_OL2TP;
+ sax.pppol2tp.pid = 0;
+ sax.pppol2tp.fd = t->udp_fd;
+ sax.pppol2tp.addr.sin_addr.s_addr = t->peer.sin_addr.s_addr;
+ sax.pppol2tp.addr.sin_port = t->peer.sin_port;
+ sax.pppol2tp.addr.sin_family = AF_INET;
+ sax.pppol2tp.s_tunnel = t->ourtid;
+ sax.pppol2tp.s_session = 0;
+ sax.pppol2tp.d_tunnel = t->tid;
+ sax.pppol2tp.d_session = 0;
+ if ((connect(fd2, (struct sockaddr *)&sax, sizeof(sax))) < 0) {
+ l2tp_log (LOG_WARNING, "%s: Unable to connect PPPoL2TP socket. %d %s\n",
+ __FUNCTION__, errno, strerror(errno));
+ close(fd2);
+ return -EINVAL;
+ }
+ t->pppox_fd = fd2;
+ }
+#endif
+ return 0;
+}
diff --git a/xl2tpd.c b/xl2tpd.c
index 307ac2e..3fb6dd7 100644
--- a/xl2tpd.c
+++ b/xl2tpd.c
@@ -278,7 +278,11 @@ void death_handler (int signal)
struct tunnel *st, *st2;
int sec;
l2tp_log (LOG_CRIT, "%s: Fatal signal %d received\n", __FUNCTION__, signal);
+#ifdef USE_KERNEL
+ if (kernel_support || signal != SIGTERM) {
+#else
if (signal != SIGTERM) {
+#endif
st = tunnels.head;
while (st)
{
@@ -349,7 +353,7 @@ int start_pppd (struct call *c, struct ppp_opts *opts)
int flags;
#endif
int pos = 1;
- int fd2;
+ int fd2 = -1;
#ifdef DEBUG_PPPD
int x;
#endif
@@ -397,7 +401,7 @@ int start_pppd (struct call *c, struct ppp_opts *opts)
sax.sa_family = AF_PPPOX;
sax.sa_protocol = PX_PROTO_OL2TP;
sax.pppol2tp.pid = 0;
- sax.pppol2tp.fd = server_socket;
+ sax.pppol2tp.fd = c->container->udp_fd;
sax.pppol2tp.addr.sin_addr.s_addr = c->container->peer.sin_addr.s_addr;
sax.pppol2tp.addr.sin_port = c->container->peer.sin_port;
sax.pppol2tp.addr.sin_family = AF_INET;
@@ -408,6 +412,7 @@ int start_pppd (struct call *c, struct ppp_opts *opts)
if (connect(fd2, (struct sockaddr *)&sax, sizeof(sax)) < 0) {
l2tp_log (LOG_WARNING, "%s: Unable to connect PPPoL2TP socket.\n",
__FUNCTION__);
+ close(fd2);
return -EINVAL;
}
stropt[pos++] = strdup ("plugin");
@@ -484,7 +489,7 @@ int start_pppd (struct call *c, struct ppp_opts *opts)
dup2 (fd2, 0);
dup2 (fd2, 1);
close(fd2);
-
+ }
/* close all the calls pty fds */
st = tunnels.head;
while (st)
@@ -492,12 +497,17 @@ int start_pppd (struct call *c, struct ppp_opts *opts)
sc = st->call_head;
while (sc)
{
- close (sc->fd);
+#ifdef USE_KERNEL
+ if (kernel_support) {
+ close(st->udp_fd); /* tunnel UDP fd */
+ close(st->pppox_fd); /* tunnel PPPoX fd */
+ } else
+#endif
+ close (sc->fd); /* call pty fd */
sc = sc->next;
}
st = st->next;
}
- }
/* close the UDP socket fd */
close (server_socket);
@@ -615,6 +625,10 @@ void destroy_tunnel (struct tunnel *t)
the memory pointed to by t->chal_us.vector at some other place */
if (t->chal_them.vector)
free (t->chal_them.vector);
+ if (t->pppox_fd > -1 )
+ close (t->pppox_fd);
+ if (t->udp_fd > -1 )
+ close (t->udp_fd);
free (t);
free (me);
}

@ -1,21 +0,0 @@
diff -Naur xl2tpd-1.3.1-orig/Makefile xl2tpd-1.3.1/Makefile
--- xl2tpd-1.3.1-orig/Makefile 2013-04-01 16:05:42.459122589 -0400
+++ xl2tpd-1.3.1/Makefile 2013-04-01 16:06:03.800359414 -0400
@@ -98,6 +98,7 @@
#LIBS= $(OSLIBS) # -lefence # efence for malloc checking
EXEC=xl2tpd
CONTROL_EXEC=xl2tpd-control
+CONTROL_OBJ=xl2tpd-control.o
PREFIX?=/usr/local
SBINDIR?=$(DESTDIR)${PREFIX}/sbin
@@ -114,7 +115,8 @@
$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LDLIBS)
$(CONTROL_EXEC): $(CONTROL_SRCS)
- $(CC) $(CONTROL_SRCS) -o $@
+ $(CC) $(CFLAGS) -c $(CONTROL_SRCS)
+ $(CC) $(LDFLAGS) -o $@ $(CONTROL_OBJ)
pfc:
$(CC) $(CFLAGS) -c contrib/pfc.c

@ -1,41 +0,0 @@
diff --git a/control.c b/control.c
index 0892df9..a124d04 100644
--- a/control.c
+++ b/control.c
@@ -1685,7 +1685,6 @@ void handle_special (struct buffer *buf, struct call *c, _u16 call)
* call if it was a CDN, otherwise, send a CDN to notify them
* that this call has been terminated.
*/
- struct buffer *outgoing;
struct tunnel *t = c->container;
/* Don't do anything unless it's a control packet */
if (!CTBIT (*((_u16 *) buf->start)))
@@ -1705,7 +1704,6 @@ void handle_special (struct buffer *buf, struct call *c, _u16 call)
return;
}
/* Make a packet with the specified call number */
- outgoing = new_outgoing (t);
/* FIXME: If I'm not a CDN, I need to send a CDN */
control_zlb (buf, t, c);
c->cid = 0;
diff --git a/network.c b/network.c
index 783a181..82aedd7 100644
--- a/network.c
+++ b/network.c
@@ -377,7 +377,7 @@ void network_thread ()
* our network socket. Control handling is no longer done here.
*/
struct sockaddr_in from, to;
- unsigned int fromlen, tolen;
+ unsigned int fromlen;
int tunnel, call; /* Tunnel and call */
int recvsize; /* Length of data received */
struct buffer *buf; /* Payload buffer */
@@ -443,7 +443,6 @@ void network_thread ()
memset(&to, 0, sizeof(to));
fromlen = sizeof(from);
- tolen = sizeof(to);
memset(&msgh, 0, sizeof(struct msghdr));
iov.iov_base = buf->start;

@ -1,94 +0,0 @@
diff -Naur xl2tpd-1.3.1-orig/examples/chapsecrets.sample xl2tpd-1.3.1/examples/chapsecrets.sample
--- xl2tpd-1.3.1-orig/examples/chapsecrets.sample 2011-10-06 15:22:05.000000000 -0400
+++ xl2tpd-1.3.1/examples/chapsecrets.sample 2012-06-12 12:08:26.850851970 -0400
@@ -1,7 +1,10 @@
-# Secrets for authentication using CHAP
-# client server secret IP addresses
-jacco * "mysecret" 192.168.1.128/25
-* jacco "mysecret" 192.168.1.128/25
-sam * "rumpelstiltskin" 192.168.1.5
-* sam "rumpelstiltskin" 192.168.1.5
-
+# Secrets for authentication on server using CHAP
+# See /etc/ppp/options.xl2tpd on how to use Windows authentication
+# client server secret IP addresses
+jacco * "mysecret" 192.168.1.128/25 # Dynamic IP
+sam * "rumpelstiltskin" 192.168.1.5 # Static IP
+#
+# Secrets for authentication on client using CHAP
+# client server secret IP addresses
+* jacco "mysecret"
+* sam "rumpelstiltskin"
diff -Naur xl2tpd-1.3.1-orig/examples/README xl2tpd-1.3.1/examples/README
--- xl2tpd-1.3.1-orig/examples/README 2011-10-06 15:22:05.000000000 -0400
+++ xl2tpd-1.3.1/examples/README 2012-06-12 12:08:26.850851970 -0400
@@ -1,2 +1,4 @@
-These are example files for use with xl2tpd. The xl2tpd*conf files are
-examples to use xl2tpd with Openswan's IPsec. See www.openswan.org
+These are example files for use with xl2tpd.
+
+Openswan carries config examples for use with l2tp-over-ipsec.
+See http://www.openswan.org/
diff -Naur xl2tpd-1.3.1-orig/examples/xl2tpd.conf xl2tpd-1.3.1/examples/xl2tpd.conf
--- xl2tpd-1.3.1-orig/examples/xl2tpd.conf 2011-10-06 15:22:05.000000000 -0400
+++ xl2tpd-1.3.1/examples/xl2tpd.conf 2012-06-12 12:27:00.922911049 -0400
@@ -14,6 +14,11 @@
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
+
+; IMPORTANT: always set listen-addr to a specific address, to work around a
+; udpfromto bug!!!
+
+
[global]
; listen-addr = 192.168.1.98
;
@@ -24,14 +29,15 @@
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; ipsec refinfo = 30
;
-; forceuserspace = yes
+; force userspace = yes
;
; debug tunnel = yes
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
-require chap = yes
+; leave chap unspecified for maximum compatibility with windows, iOS, etc
+; require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
diff -aur xl2tpd-1.3.1-orig/examples/ppp-options.xl2tpd xl2tpd-1.3.1/examples/ppp-options.xl2tpd
--- xl2tpd-1.3.1-orig/examples/ppp-options.xl2tpd 2011-10-06 15:22:05.000000000 -0400
+++ xl2tpd-1.3.1/examples/ppp-options.xl2tpd 2012-07-19 10:54:13.810503823 -0400
@@ -1,9 +1,10 @@
ipcp-accept-local
ipcp-accept-remote
-ms-dns 192.168.1.1
-ms-dns 192.168.1.3
-ms-wins 192.168.1.2
-ms-wins 192.168.1.4
+ms-dns 8.8.8.8
+# ms-dns 192.168.1.1
+# ms-dns 192.168.1.3
+# ms-wins 192.168.1.2
+# ms-wins 192.168.1.4
noccp
auth
crtscts
@@ -15,3 +16,11 @@
lock
proxyarp
connect-delay 5000
+# To allow authentication against a Windows domain EXAMPLE, and require the
+# user to be in a group "VPN Users". Requires the samba-winbind package
+# require-mschap-v2
+# plugin winbind.so
+# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
+# You need to join the domain on the server, for example using samba:
+# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
+

@ -1,29 +0,0 @@
--- xl2tpd-1.3.1-orig/control.c 2011-10-06 21:22:05.000000000 +0200
+++ xl2tpd-1.3.1/control.c 2013-03-30 21:45:04.641605756 +0100
@@ -898,7 +898,7 @@
po = add_opt (po, c->lac->pppoptfile);
}
};
- po = add_opt (po, "ipparam");
+ po = add_opt (po, "remotenumber");
po = add_opt (po, IPADDY (t->peer.sin_addr));
start_pppd (c, po);
opt_destroy (po);
@@ -974,7 +974,7 @@
po = add_opt (po, "file");
po = add_opt (po, c->lns->pppoptfile);
}
- po = add_opt (po, "ipparam");
+ po = add_opt (po, "remotenumber");
po = add_opt (po, IPADDY (t->peer.sin_addr));
start_pppd (c, po);
opt_destroy (po);
@@ -1034,7 +1034,7 @@
po = add_opt (po, c->lac->pppoptfile);
}
};
- po = add_opt (po, "ipparam");
+ po = add_opt (po, "remotenumber");
po = add_opt (po, IPADDY (t->peer.sin_addr));
start_pppd (c, po);

@ -1,362 +0,0 @@
diff -Naur xl2tpd-1.3.1-orig/call.c xl2tpd-1.3.1/call.c
--- xl2tpd-1.3.1-orig/call.c 2011-10-06 15:22:05.000000000 -0400
+++ xl2tpd-1.3.1/call.c 2012-06-15 15:57:17.250953288 -0400
@@ -680,6 +680,8 @@
st->peer.sin_port = port;
st->refme = refme;
st->refhim = refhim;
+ st->udp_fd = -1;
+ st->pppox_fd = -1;
bcopy (&addr, &st->peer.sin_addr, sizeof (addr));
st->next = tunnels.head;
tunnels.head = st;
diff -Naur xl2tpd-1.3.1-orig/control.c xl2tpd-1.3.1/control.c
--- xl2tpd-1.3.1-orig/control.c 2012-06-15 15:56:30.169585604 -0400
+++ xl2tpd-1.3.1/control.c 2012-06-15 15:57:17.251953296 -0400
@@ -596,6 +596,9 @@
if (gconfig.debug_state)
l2tp_log (LOG_DEBUG, "%s: sending SCCCN\n", __FUNCTION__);
control_xmit (buf);
+
+ connect_pppol2tp(t);
+
/* Schedule a HELLO */
tv.tv_sec = HELLO_DELAY;
tv.tv_usec = 0;
@@ -608,6 +611,7 @@
"Connection established to %s, %d. Local: %d, Remote: %d (ref=%u/%u).\n",
IPADDY (t->peer.sin_addr),
ntohs (t->peer.sin_port), t->ourtid, t->tid, t->refme, t->refhim);
+
if (t->lac)
{
/* This is part of a LAC, so we want to go ahead
@@ -635,6 +639,9 @@
IPADDY (t->peer.sin_addr),
ntohs (t->peer.sin_port), t->ourtid, t->tid, t->refme, t->refhim,
t->lns->entname);
+
+ connect_pppol2tp(t);
+
/* Schedule a HELLO */
tv.tv_sec = HELLO_DELAY;
tv.tv_usec = 0;
diff -Naur xl2tpd-1.3.1-orig/l2tp.h xl2tpd-1.3.1/l2tp.h
--- xl2tpd-1.3.1-orig/l2tp.h 2011-10-06 15:22:05.000000000 -0400
+++ xl2tpd-1.3.1/l2tp.h 2012-06-15 15:57:17.251953296 -0400
@@ -167,6 +167,8 @@
int ourrws; /* Receive Window Size */
int rxspeed; /* Receive bps */
int txspeed; /* Transmit bps */
+ int udp_fd; /* UDP fd */
+ int pppox_fd; /* PPPOX tunnel fd */
struct call *self;
struct lns *lns; /* LNS that owns us */
struct lac *lac; /* LAC that owns us */
@@ -220,6 +222,7 @@
extern int ppd;
extern int switch_io; /* jz */
extern int control_fd;
+extern int connect_pppol2tp(struct tunnel *t);
extern int start_pppd (struct call *c, struct ppp_opts *);
extern void magic_lac_dial (void *);
extern int get_entropy (unsigned char *, int);
diff -Naur xl2tpd-1.3.1-orig/Makefile xl2tpd-1.3.1/Makefile
--- xl2tpd-1.3.1-orig/Makefile 2011-10-06 15:22:05.000000000 -0400
+++ xl2tpd-1.3.1/Makefile 2012-06-15 15:57:17.250953288 -0400
@@ -62,8 +62,8 @@
# are packages seperately (eg kernel-headers on Fedora)
# Note: 2.6.23+ support still needs some changes in the xl2tpd source
#
-#OSFLAGS+= -DUSE_KERNEL
-#
+# Kernel mode fixed by sigwall <fionov@gmail.com>
+OSFLAGS+= -DUSE_KERNEL
#
# Uncomment the next line for FreeBSD
#
diff -Naur xl2tpd-1.3.1-orig/network.c xl2tpd-1.3.1/network.c
--- xl2tpd-1.3.1-orig/network.c 2012-06-15 15:56:30.169585604 -0400
+++ xl2tpd-1.3.1/network.c 2012-06-15 16:00:26.259429931 -0400
@@ -22,6 +22,7 @@
#include <unistd.h>
#include <stdlib.h>
#include <sys/ioctl.h>
+#include <sys/wait.h>
#ifndef LINUX
# include <sys/uio.h>
#endif
@@ -36,7 +37,6 @@
int kernel_support; /* Kernel Support there or not? */
#endif
-
int init_network (void)
{
long arg;
@@ -45,6 +45,7 @@
server.sin_family = AF_INET;
server.sin_addr.s_addr = gconfig.listenaddr;
server.sin_port = htons (gconfig.port);
+ int flags;
if ((server_socket = socket (PF_INET, SOCK_DGRAM, 0)) < 0)
{
l2tp_log (LOG_CRIT, "%s: Unable to allocate socket. Terminating.\n",
@@ -52,6 +53,10 @@
return -EINVAL;
};
+ flags = 1;
+ setsockopt(server_socket, SOL_SOCKET, SO_REUSEADDR, &flags, sizeof(flags));
+ setsockopt(server_socket, SOL_SOCKET, SO_NO_CHECK, &flags, sizeof(flags));
+
if (bind (server_socket, (struct sockaddr *) &server, sizeof (server)))
{
close (server_socket);
@@ -94,7 +99,7 @@
int kernel_fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
if (kernel_fd < 0)
{
- l2tp_log (LOG_INFO, "L2TP kernel support not detected.\n");
+ l2tp_log (LOG_INFO, "L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)\n");
kernel_support = 0;
}
else
@@ -321,6 +326,11 @@
while (tun)
{
+ if (tun->udp_fd > -1) {
+ if (tun->udp_fd > max)
+ max = tun->udp_fd;
+ FD_SET (tun->udp_fd, readfds);
+ }
call = tun->call_head;
while (call)
{
@@ -390,6 +400,8 @@
struct iovec iov;
char cbuf[256];
unsigned int refme, refhim;
+ int * currentfd;
+ int server_socket_processed;
/* This one buffer can be recycled for everything except control packets */
buf = new_buf (MAX_RECV_SIZE);
@@ -428,7 +440,21 @@
{
do_control ();
}
- if (FD_ISSET (server_socket, &readfds))
+ server_socket_processed = 0;
+ currentfd = NULL;
+ st = tunnels.head;
+ while (st || !server_socket_processed) {
+ if (st && (st->udp_fd == -1)) {
+ st=st->next;
+ continue;
+ }
+ if (st) {
+ currentfd = &st->udp_fd;
+ } else {
+ currentfd = &server_socket;
+ server_socket_processed = 1;
+ }
+ if (FD_ISSET (*currentfd, &readfds))
{
/*
* Okay, now we're ready for reading and processing new data.
@@ -456,12 +482,19 @@
msgh.msg_flags = 0;
/* Receive one packet. */
- recvsize = recvmsg(server_socket, &msgh, 0);
+ recvsize = recvmsg(*currentfd, &msgh, 0);
if (recvsize < MIN_PAYLOAD_HDR_LEN)
{
if (recvsize < 0)
{
+ if (errno == ECONNREFUSED) {
+ close(*currentfd);
+ }
+ if ((errno == ECONNREFUSED) ||
+ (errno == EBADF)) {
+ *currentfd = -1;
+ }
if (errno != EAGAIN)
l2tp_log (LOG_WARNING,
"%s: recvfrom returned error %d (%s)\n",
@@ -566,6 +599,8 @@
}
};
}
+ if (st) st=st->next;
+ }
/*
* finished obvious sources, look for data from PPP connections.
@@ -638,3 +673,82 @@
}
}
+
+int connect_pppol2tp(struct tunnel *t) {
+#ifdef USE_KERNEL
+ if (kernel_support) {
+ int ufd = -1, fd2 = -1;
+ int flags;
+ struct sockaddr_pppol2tp sax;
+
+ struct sockaddr_in server;
+ server.sin_family = AF_INET;
+ server.sin_addr.s_addr = gconfig.listenaddr;
+ server.sin_port = htons (gconfig.port);
+ if ((ufd = socket (PF_INET, SOCK_DGRAM, 0)) < 0)
+ {
+ l2tp_log (LOG_CRIT, "%s: Unable to allocate UDP socket. Terminating.\n",
+ __FUNCTION__);
+ return -EINVAL;
+ };
+
+ flags=1;
+ setsockopt(ufd, SOL_SOCKET, SO_REUSEADDR, &flags, sizeof(flags));
+ setsockopt(ufd, SOL_SOCKET, SO_NO_CHECK, &flags, sizeof(flags));
+
+ if (bind (ufd, (struct sockaddr *) &server, sizeof (server)))
+ {
+ close (ufd);
+ l2tp_log (LOG_CRIT, "%s: Unable to bind UDP socket: %s. Terminating.\n",
+ __FUNCTION__, strerror(errno), errno);
+ return -EINVAL;
+ };
+ server = t->peer;
+ flags = fcntl(ufd, F_GETFL);
+ if (flags == -1 || fcntl(ufd, F_SETFL, flags | O_NONBLOCK) == -1) {
+ l2tp_log (LOG_WARNING, "%s: Unable to set UDP socket nonblock.\n",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+ if (connect (ufd, (struct sockaddr *) &server, sizeof(server)) < 0) {
+ l2tp_log (LOG_CRIT, "%s: Unable to connect UDP peer. Terminating.\n",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+
+ t->udp_fd=ufd;
+
+ fd2 = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
+ if (fd2 < 0) {
+ l2tp_log (LOG_WARNING, "%s: Unable to allocate PPPoL2TP socket.\n",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+ flags = fcntl(fd2, F_GETFL);
+ if (flags == -1 || fcntl(fd2, F_SETFL, flags | O_NONBLOCK) == -1) {
+ l2tp_log (LOG_WARNING, "%s: Unable to set PPPoL2TP socket nonblock.\n",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+ sax.sa_family = AF_PPPOX;
+ sax.sa_protocol = PX_PROTO_OL2TP;
+ sax.pppol2tp.pid = 0;
+ sax.pppol2tp.fd = t->udp_fd;
+ sax.pppol2tp.addr.sin_addr.s_addr = t->peer.sin_addr.s_addr;
+ sax.pppol2tp.addr.sin_port = t->peer.sin_port;
+ sax.pppol2tp.addr.sin_family = AF_INET;
+ sax.pppol2tp.s_tunnel = t->ourtid;
+ sax.pppol2tp.s_session = 0;
+ sax.pppol2tp.d_tunnel = t->tid;
+ sax.pppol2tp.d_session = 0;
+ if ((connect(fd2, (struct sockaddr *)&sax, sizeof(sax))) < 0) {
+ l2tp_log (LOG_WARNING, "%s: Unable to connect PPPoL2TP socket. %d %s\n",
+ __FUNCTION__, errno, strerror(errno));
+ close(fd2);
+ return -EINVAL;
+ }
+ t->pppox_fd = fd2;
+ }
+#endif
+ return 0;
+}
diff -Naur xl2tpd-1.3.1-orig/xl2tpd.c xl2tpd-1.3.1/xl2tpd.c
--- xl2tpd-1.3.1-orig/xl2tpd.c 2011-10-06 15:22:05.000000000 -0400
+++ xl2tpd-1.3.1/xl2tpd.c 2012-06-15 15:57:25.189015286 -0400
@@ -278,7 +278,11 @@
struct tunnel *st, *st2;
int sec;
l2tp_log (LOG_CRIT, "%s: Fatal signal %d received\n", __FUNCTION__, signal);
+#ifdef USE_KERNEL
+ if (kernel_support || signal != SIGTERM) {
+#else
if (signal != SIGTERM) {
+#endif
st = tunnels.head;
while (st)
{
@@ -349,7 +353,7 @@
int flags;
#endif
int pos = 1;
- int fd2;
+ int fd2 = -1;
#ifdef DEBUG_PPPD
int x;
#endif
@@ -397,7 +401,7 @@
sax.sa_family = AF_PPPOX;
sax.sa_protocol = PX_PROTO_OL2TP;
sax.pppol2tp.pid = 0;
- sax.pppol2tp.fd = server_socket;
+ sax.pppol2tp.fd = c->container->udp_fd;
sax.pppol2tp.addr.sin_addr.s_addr = c->container->peer.sin_addr.s_addr;
sax.pppol2tp.addr.sin_port = c->container->peer.sin_port;
sax.pppol2tp.addr.sin_family = AF_INET;
@@ -408,6 +412,7 @@
if (connect(fd2, (struct sockaddr *)&sax, sizeof(sax)) < 0) {
l2tp_log (LOG_WARNING, "%s: Unable to connect PPPoL2TP socket.\n",
__FUNCTION__);
+ close(fd2);
return -EINVAL;
}
stropt[pos++] = strdup ("plugin");
@@ -484,7 +489,7 @@
dup2 (fd2, 0);
dup2 (fd2, 1);
close(fd2);
-
+ }
/* close all the calls pty fds */
st = tunnels.head;
while (st)
@@ -492,12 +497,17 @@
sc = st->call_head;
while (sc)
{
- close (sc->fd);
+#ifdef USE_KERNEL
+ if (kernel_support) {
+ close(st->udp_fd); /* tunnel UDP fd */
+ close(st->pppox_fd); /* tunnel PPPoX fd */
+ } else
+#endif
+ close (sc->fd); /* call pty fd */
sc = sc->next;
}
st = st->next;
}
- }
/* close the UDP socket fd */
close (server_socket);
@@ -615,6 +625,10 @@
the memory pointed to by t->chal_us.vector at some other place */
if (t->chal_them.vector)
free (t->chal_them.vector);
+ if (t->pppox_fd > -1 )
+ close (t->pppox_fd);
+ if (t->udp_fd > -1 )
+ close (t->udp_fd);
free (t);
free (me);
}

@ -1,19 +0,0 @@
diff -aur xl2tpd-1.3.1-orig/pty.c xl2tpd-1.3.1/pty.c
--- xl2tpd-1.3.1-orig/pty.c 2011-10-06 15:22:05.000000000 -0400
+++ xl2tpd-1.3.1/pty.c 2012-06-25 23:45:51.241543911 -0400
@@ -87,6 +87,7 @@
return -EINVAL;
}
+#if 0 /* not needed, triggers SElinux block */
/* change the onwership */
if (grantpt(fd))
{
@@ -95,6 +96,7 @@
close(fd);
return -EINVAL;
}
+#endif
if (unlockpt(fd))
{

@ -0,0 +1,40 @@
diff -Naur xl2tpd-1.3.6-orig/examples/ppp-options.xl2tpd xl2tpd-1.3.6/examples/ppp-options.xl2tpd
--- xl2tpd-1.3.6-orig/examples/ppp-options.xl2tpd 2014-01-15 15:58:37.000000000 -0500
+++ xl2tpd-1.3.6/examples/ppp-options.xl2tpd 2014-05-12 14:46:24.358653357 -0400
@@ -1,9 +1,10 @@
ipcp-accept-local
ipcp-accept-remote
-ms-dns 192.168.1.1
-ms-dns 192.168.1.3
-ms-wins 192.168.1.2
-ms-wins 192.168.1.4
+ms-dns 8.8.8.8
+# ms-dns 192.168.1.1
+# ms-dns 192.168.1.3
+# ms-wins 192.168.1.2
+# ms-wins 192.168.1.4
noccp
auth
crtscts
@@ -15,3 +16,11 @@
lock
proxyarp
connect-delay 5000
+# To allow authentication against a Windows domain EXAMPLE, and require the
+# user to be in a group "VPN Users". Requires the samba-winbind package
+# require-mschap-v2
+# plugin winbind.so
+# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
+# You need to join the domain on the server, for example using samba:
+# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
+
diff -Naur xl2tpd-1.3.6-orig/examples/README xl2tpd-1.3.6/examples/README
--- xl2tpd-1.3.6-orig/examples/README 2014-01-15 15:58:37.000000000 -0500
+++ xl2tpd-1.3.6/examples/README 2014-05-12 14:46:59.168476547 -0400
@@ -1,4 +1,4 @@
These are example files for use with xl2tpd.
-Openswan carries config examples for use with l2tp-over-ipsec.
-See http://www.openswan.org/
+xl2tpd is often used in combination with libreswan to offer L2TP/IPsec
+See https://libreswan.org/

@ -1,6 +1,6 @@
diff -Naur xl2tpd-1.3.1/aaa.c xl2tpd-1.3.1-fips/aaa.c
--- xl2tpd-1.3.1/aaa.c 2011-10-06 15:22:05.000000000 -0400
+++ xl2tpd-1.3.1-fips/aaa.c 2013-04-01 16:36:40.929098507 -0400
diff -Naur xl2tpd-1.3.6-orig/aaa.c xl2tpd-1.3.6/aaa.c
--- xl2tpd-1.3.6-orig/aaa.c 2014-01-15 15:58:37.000000000 -0500
+++ xl2tpd-1.3.6/aaa.c 2014-05-12 15:01:05.936492449 -0400
@@ -21,6 +21,8 @@
#include <errno.h>
#include "l2tp.h"
@ -95,9 +95,9 @@ diff -Naur xl2tpd-1.3.1/aaa.c xl2tpd-1.3.1-fips/aaa.c
cnt = 0;
}
/* at the beginning of each segment, we save the current segment (16 octets or less) of cipher
diff -Naur xl2tpd-1.3.1/aaa.h xl2tpd-1.3.1-fips/aaa.h
--- xl2tpd-1.3.1/aaa.h 2011-10-06 15:22:05.000000000 -0400
+++ xl2tpd-1.3.1-fips/aaa.h 2013-04-01 16:46:39.532823130 -0400
diff -Naur xl2tpd-1.3.6-orig/aaa.h xl2tpd-1.3.6/aaa.h
--- xl2tpd-1.3.6-orig/aaa.h 2014-01-15 15:58:37.000000000 -0500
+++ xl2tpd-1.3.6/aaa.h 2014-05-12 15:02:39.262697808 -0400
@@ -15,7 +15,7 @@
#ifndef _AAA_H
@ -107,20 +107,19 @@ diff -Naur xl2tpd-1.3.1/aaa.h xl2tpd-1.3.1-fips/aaa.h
#define ADDR_HASH_SIZE 256
#define MD_SIG_SIZE 16
@@ -34,7 +43,8 @@
@@ -34,7 +34,7 @@
struct challenge
{
- struct MD5Context md5;
+ /* struct MD5Context md5; */
+ MD5_CTX md5;
unsigned char ss; /* State we're sending in */
unsigned char secret[MAXSTRLEN]; /* The shared secret */
unsigned char *challenge; /* The original challenge */
diff -Naur xl2tpd-1.3.1/Makefile xl2tpd-1.3.1-fips/Makefile
--- xl2tpd-1.3.1/Makefile 2013-04-01 16:40:44.576870296 -0400
+++ xl2tpd-1.3.1-fips/Makefile 2013-04-01 16:48:30.405039381 -0400
@@ -91,8 +91,8 @@
diff -Naur xl2tpd-1.3.6-orig/Makefile xl2tpd-1.3.6/Makefile
--- xl2tpd-1.3.6-orig/Makefile 2014-01-15 15:58:37.000000000 -0500
+++ xl2tpd-1.3.6/Makefile 2014-05-12 15:03:43.832223559 -0400
@@ -92,8 +92,8 @@
IPFLAGS?= -DIP_ALLOCATION
CFLAGS+= $(DFLAGS) -O2 -fno-builtin -Wall -DSANITY $(OSFLAGS) $(IPFLAGS)
@ -139,11 +138,11 @@ diff -Naur xl2tpd-1.3.1/Makefile xl2tpd-1.3.1-fips/Makefile
+ $(CC) $(LDFLAGS) -o $@ $(OBJS) -lcrypto $(LDLIBS)
$(CONTROL_EXEC): $(CONTROL_SRCS)
$(CC) $(CFLAGS) -c $(CONTROL_SRCS)
diff -Naur xl2tpd-1.3.1/md5.c xl2tpd-1.3.1-fips/md5.c
--- xl2tpd-1.3.1/md5.c 2011-10-06 15:22:05.000000000 -0400
+++ xl2tpd-1.3.1-fips/md5.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,275 +0,0 @@
$(CC) $(CFLAGS) $(LDFLAGS) $(CONTROL_SRCS) -o $@
diff -Naur xl2tpd-1.3.6-orig/md5.c xl2tpd-1.3.6/md5.c
--- xl2tpd-1.3.6-orig/md5.c 2014-01-15 15:58:37.000000000 -0500
+++ xl2tpd-1.3.6/md5.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,274 +0,0 @@
-#ifdef FREEBSD
-# include <machine/endian.h>
-#elif defined(OPENBSD)
@ -307,8 +306,7 @@ diff -Naur xl2tpd-1.3.1/md5.c xl2tpd-1.3.1-fips/md5.c
- byteReverse (ctx->in, 14);
-
- /* Append length in bits and transform */
- ((uint32 *) ctx->in)[14] = ctx->bits[0];
- ((uint32 *) ctx->in)[15] = ctx->bits[1];
- memcpy(ctx->in + 14 * sizeof(uint32), ctx->bits, sizeof(ctx->bits));
-
- MD5Transform (ctx->buf, (uint32 *) ctx->in);
- byteReverse ((unsigned char *) ctx->buf, 4);
@ -419,9 +417,9 @@ diff -Naur xl2tpd-1.3.1/md5.c xl2tpd-1.3.1-fips/md5.c
-}
-
-#endif
diff -Naur xl2tpd-1.3.1/md5.h xl2tpd-1.3.1-fips/md5.h
--- xl2tpd-1.3.1/md5.h 2011-10-06 15:22:05.000000000 -0400
+++ xl2tpd-1.3.1-fips/md5.h 1969-12-31 19:00:00.000000000 -0500
diff -Naur xl2tpd-1.3.6-orig/md5.h xl2tpd-1.3.6/md5.h
--- xl2tpd-1.3.6-orig/md5.h 2014-01-15 15:58:37.000000000 -0500
+++ xl2tpd-1.3.6/md5.h 1969-12-31 19:00:00.000000000 -0500
@@ -1,28 +0,0 @@
-#ifndef MD5_H
-#define MD5_H
@ -451,3 +449,18 @@ diff -Naur xl2tpd-1.3.1/md5.h xl2tpd-1.3.1-fips/md5.h
-typedef struct MD5Context MD5_CTX;
-
-#endif /* !MD5_H */
diff -Naur xl2tpd-1.3.6-orig/xl2tpd.c xl2tpd-1.3.6/xl2tpd.c
--- xl2tpd-1.3.6-orig/xl2tpd.c 2014-01-15 15:58:37.000000000 -0500
+++ xl2tpd-1.3.6/xl2tpd.c 2014-05-12 14:58:58.903490392 -0400
@@ -1310,7 +1310,10 @@
void usage(void) {
- printf("\nxl2tpd version: %s\n", SERVER_VERSION);
+ printf("\nxl2tpd version: %s\n"
+"This product includes software developed by the OpenSSL Project for use\n"
+"in the OpenSSL Toolkit. (http://www.openssl.org/)\n"
+, SERVER_VERSION);
printf("Usage: xl2tpd [-c <config file>] [-s <secret file>] [-p <pid file>]\n"
" [-C <control file>] [-D]\n"
" [-v, --version]\n");

@ -1,22 +0,0 @@
diff --git a/file.c b/file.c
index 289aee6..d710e30 100644
--- a/file.c
+++ b/file.c
@@ -1229,7 +1229,7 @@ int parse_config (FILE * f)
/* Read in the configuration file handed to us */
/* FIXME: I should check for incompatible options */
int context = 0;
- char buf[STRLEN];
+ char buf[1024];
char *s, *d, *t;
int linenum = 0;
int def = 0;
@@ -1395,7 +1395,7 @@ int parse_config (FILE * f)
}
if (!(t = strchr (s, '=')))
{
- l2tp_log (LOG_WARNING, "parse_config: line %d: no '=' in data\n",
+ l2tp_log (LOG_WARNING, "parse_config: line %d: line too long or no '=' in data\n",
linenum);
return -1;
}

@ -1,101 +0,0 @@
#!/bin/sh
#
# xl2tpd This shell script takes care of starting and stopping l2tpd.
#
# chkconfig: - 80 30
# description: Layer 2 Tunnelling Protocol Daemon (RFC 2661)
#
# processname: /usr/sbin/xl2tpd
# config: /etc/xl2tpd/xl2tpd.conf
# pidfile: /var/run/xl2tpd.pid
### BEGIN INIT INFO
# Provides: xl2tpd
# Required-Start: $local_fs $network $syslog
# Required-Stop: $local_fs $network $syslog
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: start|stop|status|restart|try-restart|reload|force-reload xl2tpd server
# Description: control xl2tpd server
### END INIT INFO
#Servicename
SERVICE=xl2tpd
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
if [ ${NETWORKING} = "no" ]
then
exit 0
fi
[ -x /usr/sbin/$SERVICE ] || exit 0
RETVAL=0
start() {
echo -n "Starting $SERVICE: "
# Look for the L2TP kernel handler module, load when needed
if [ ! -d /sys/module/l2tp_ppp ]; then modprobe l2tp_ppp
# if still not found, try legacy one
if [ ! -d /sys/module/l2tp_ppp ]; then modprobe pppol2tp
if [ ! -d /var/run/xl2tpd ]
then
mkdir /var/run/xl2tpd
fi
daemon $SERVICE
RETVAL=$?
echo
if [ $RETVAL -eq 0 ];then
touch /var/lock/subsys/$SERVICE
else
exit 7;
fi
return 0;
}
stop() {
echo -n "Stopping $SERVICE: "
killproc $SERVICE
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
rm -f /var/run/xl2tpd/$SERVICE
rm -f /var/lock/subsys/$SERVICE
fi
echo
return $RETVAL
}
restart() {
stop
start
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status $SERVICE
RETVAL=$?
;;
restart|reload)
restart
;;
condrestart)
[ -f /var/lock/subsys/$SERVICE ] && restart || :
;;
*)
echo "Usage: $SERVICE {start|stop|status|restart|reload|condrestart}"
exit 1
esac

@ -1,6 +1,6 @@
[Unit]
Description=Level 2 Tunnel Protocol Daemon (L2TP)
After=syslog.target network.target
After=network.target
After=ipsec.service
# Some ISPs in Russia use l2tp without IPsec, so don't insist anymore
#Wants=ipsec.service

@ -1,27 +1,17 @@
# upstream is switching to github, but has not released a new tar ball there yet
%global commit 3be48f8b7fc0e8de8cef7675a9861484b8b68c52
%global shortcommit %(c=%{commit}; echo ${c:0:7})
%global commit 5619e1771048e74b729804e8602f409af0f3faea
Summary: Layer 2 Tunnelling Protocol Daemon (RFC 2661)
Name: xl2tpd
Version: 1.3.1
Release: 14%{?dist}
Version: 1.3.6
Release: 1%{?dist}
License: GPL+
Url: https://github.com/xelerance/xl2tpd
Url: https://github.com/xelerance/%{name}/
Group: System Environment/Daemons
Source0: http://www.xelerance.com/software/xl2tpd/xl2tpd-%{version}.tar.gz
#Source0: https://github.com/xelerance/%{name}/archive/v%{version}.tar.gz
#Source0: https://github.com/xelerance/%{name}/archive/%{commit}/%{name}-%{version}-%{shortcommit}.tar.gz
Source0: https://github.com/xelerance/%{name}/archive/%{commit}/%{name}-%{commit}.tar.gz
Source1: xl2tpd.service
Source2: tmpfiles-xl2tpd.conf
Patch1: xl2tpd-1.3.1-Wunused.patch
Patch2: xl2tpd-bz80693.patch
Patch3: xl2tpd-1.3.1-kernelmode.patch
Patch4: xl2tpd-1.3.1-conf.patch
Patch5: xl2tpd-1.3.1-pty.patch
Patch6: xl2tpd-1.3.1-ipparam-to-remotenumber.patch
Patch7: xl2tpd-1.3.1-Makefile
Patch8: xl2tpd-1.3.1-md5-fips.patch
Patch1: xl2tpd-1.3.6-conf.patch
Patch2: xl2tpd-1.3.6-md5-fips.patch
Requires: ppp >= 2.4.5-18, kernel-modules-extra
# If you want to authenticate against a Microsoft PDC/Active Directory
@ -59,19 +49,9 @@ Xl2tpd is based on the 0.69 L2TP by Jeff McAdams <jeffm@iglou.com>
It was de-facto maintained by Jacco de Leeuw <jacco2@dds.nl> in 2002 and 2003.
%prep
# for git version
#% setup -qn %{name}-%{commit}
%setup -q
%setup -qn %{name}-%{commit}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
rm linux/include/linux/if_pppol2tp.h
%build
#make DFLAGS="$RPM_OPT_FLAGS -g -DDEBUG_HELLO -DDEBUG_CLOSE -DDEBUG_FLOW -DDEBUG_PAYLOAD -DDEBUG_CONTROL -DDEBUG_CONTROL_XMIT -DDEBUG_FLOW_MORE -DDEBUG_MAGIC -DDEBUG_ENTROPY -DDEBUG_HIDDEN -DDEBUG_PPPD -DDEBUG_AAA -DDEBUG_FILE -DDEBUG_FLOW -DDEBUG_HELLO -DDEBUG_CLOSE -DDEBUG_ZLB -DDEBUG_AUTH"
@ -86,9 +66,8 @@ rm -rf %{buildroot}
make DESTDIR=%{buildroot} PREFIX=%{_prefix} install
install -d 0755 %{buildroot}%{_unitdir}
install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/xl2tpd.service
mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/
install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/tmpfiles.d/%{name}.conf
mkdir -p %{buildroot}%{_prefix}/lib/tmpfiles.d/
install -m 0644 %{SOURCE2} %{buildroot}%{_prefix}/lib/tmpfiles.d/%{name}.conf
install -p -D -m644 examples/xl2tpd.conf %{buildroot}%{_sysconfdir}/xl2tpd/xl2tpd.conf
install -p -D -m644 examples/ppp-options.xl2tpd %{buildroot}%{_sysconfdir}/ppp/options.xl2tpd
@ -98,6 +77,7 @@ install -p -D -m755 -d %{buildroot}%{_localstatedir}/run/xl2tpd
%preun
%systemd_preun xl2tpd.service
%post
%systemd_post xl2tpd.service
@ -125,10 +105,21 @@ install -p -D -m755 -d %{buildroot}%{_localstatedir}/run/xl2tpd
%config(noreplace) %{_sysconfdir}/ppp/*
%dir %{_localstatedir}/run/xl2tpd
%{_unitdir}/%{name}.service
%config(noreplace) %{_sysconfdir}/tmpfiles.d/%{name}.conf
%{_prefix}/lib/tmpfiles.d/%{name}.conf
%ghost %attr(0600,root,root) %{_localstatedir}/run/xl2tpd/l2tp-control
%changelog
* Tue May 13 2014 Paul Wouters <pwouters@redhat.com> - 1.3.6-1
- Updated to 1.3.6 - using github-only monstrosity packaging
- Resolves: rhbz#1051785 (new upstream version available)
- Resolves: rhbz#868391 xl2tpd sends response packets from wrong IP address
- Revert: rhbz#929447 Incorrect "ipparam" manipulation
- Resolves: rhbz#1055196 Don't order service after syslog.target
- Resolves: rhbz#984332 xl2tpd tmpfiles configuration file in wrong directory
- Removed patches merged in upstream.
- FIPS patch updated with advertising clause for openssl in xl2tpd -V
(although the GPL code was already basically taken from openssl)
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
@ -339,7 +330,7 @@ install -p -D -m755 -d %{buildroot}%{_localstatedir}/run/xl2tpd
configuration files to /etc/ipsec.d and create symbolic links in
those directories.
* Tue Aug 18 2004 Jacco de Leeuw <jacco2@dds.nl>
* Wed Aug 18 2004 Jacco de Leeuw <jacco2@dds.nl>
- Removed 'leftnexthop=' lines. Not relevant for recent versions
of FreeS/WAN and derivates.
@ -363,7 +354,7 @@ install -p -D -m755 -d %{buildroot}%{_localstatedir}/run/xl2tpd
('Specify your hostname', error 629: "You have been disconnected
from the computer you are dialing").
* Thu Jul 20 2003 Jacco de Leeuw <jacco2@dds.nl> 0.69-7jdl
* Sun Jul 20 2003 Jacco de Leeuw <jacco2@dds.nl> 0.69-7jdl
- Added the "listen-addr" global parameter for l2tpd.conf. By
default, the daemon listens on *all* interfaces. Use
"listen-addr" if you want it to bind to one specific
@ -380,7 +371,7 @@ install -p -D -m755 -d %{buildroot}%{_localstatedir}/run/xl2tpd
IPsec client by Microsoft, it turns out that 17/0 must have
been a mistake: the updated client now also uses 17/1701.
* Mon Apr 10 2003 Jacco de Leeuw <jacco2@dds.nl> 0.69-6jdl
* Thu Apr 10 2003 Jacco de Leeuw <jacco2@dds.nl> 0.69-6jdl
- Changed sample chap-secrets to be valid only for specific
IP addresses.

Loading…
Cancel
Save