Fix Debian Wheezy's Openswan Regression with Apple Devices
In late March the Debian Security team pushed a security update to the Openswan package in Wheezy. My MacBook Air could not connect to Openswan anymore after upgrading.
I searched a bit and found out that somebody had already filed a bug report on the Debian bug tracker: bug 744717. There's also a report on Openswan's GitHub page that confirms this bug: issue 78.
On the Debian bug tracker a user named Liu DongMiao provided a patch and it was reported to work. I had a look at that patch but didn't quite like it, because it leaked a macro in a C file, which is not a proper fix to me.
The root cause of the problem is a conflict in a header file. The Debian Security team removed ISAKMP_NEXT_NATD_BADDRAFTS. Then they had to comment out or remove some code to handle that flag, of which Apple devices make use. Unfortunately I cannot get Apple to fix their code, so I have to fix mine.
The fix is simpler than I thought. I compared upstream Openswan 2.6.37 with Wheezy's patched version, then restored the original flag and those code snippets. I was worried that the overridden new flag was used in the code, but it wasn't. I didn't touch the changelog or version number of that package, so that it can be automatically updated when the maintainers push a new package to fix that bug.
I have attached my patch. If you want to know how to rebuild a Debian package, the Debian New Maintainers' Guide is a good starting point.