[Swan-commit] Changes to ref refs/heads/md5-cleanup
Paul Wouters
paul at vault.libreswan.fi
Tue Apr 30 05:10:20 EEST 2013
New commits:
commit c9f6102ea396d56e7b28988b1bbdab0710f410a7
Merge: e86a6f0 63a9b7e
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Apr 29 22:10:11 2013 -0400
Merge branch 'master' into md5-cleanup
Conflicts:
programs/pluto/vendor.c
commit 63a9b7e2da1173ded689e4a5bd36db65392a414a
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 27 20:31:46 2013 -0400
updated changes
commit 3c7711bd4f67524cbf123d1546fe0e64b339d624
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 27 20:29:23 2013 -0400
* security: cleanup CFLAGS handling
Per default, everything now gets a WERROR set to:
-Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security #-pedantic
(pedantic causes a lot of additional warnings, like "comma at end of
enumerator list", which we often do on purpose to reduce diff size)
commit f6b8563f83271388f981d35797a38d6bbbc584ff
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 27 18:56:02 2013 -0400
* log length of information payload that we are ignoring.
commit be33d462b1f552d404bac540537b9732a8f040ec
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 27 18:55:12 2013 -0400
* add comment to checking esp/ah/ipcomp states
Added comment to ensure someone later on does not "optimise" the if/else
loop with a switch()
commit aaca56dd807c52553e256733bb9ee083efb0de7e
Merge: 5dae612 db32c8a
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 27 18:29:32 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit db32c8ac547c5b32c586816922a6895d6bf08236
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 27 13:18:58 2013 -0400
* PK11_CreateContextBySymKey() cannot actually return SECFailure
It returns a pointer, so NULL is the only failure case. The error
introduced by Florian was just that he checked for not-NULL instead
of NULL.
commit 1966f881b4d908cb72db93829dec8620266005e6
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 27 13:00:35 2013 -0400
* updated changes
commit a7ed46071760b5a329e3bb40a06206cb5806f204
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 27 12:50:30 2013 -0400
* security: Fix the abort calls for do_aes() and do_3des()
The NSS function PK11_CreateContextBySymKey() can return 0 in the functional
case. It returns NULL or SECFailure in the failure case.
commit 7fbdc1adc71cd0ccc29466612866f54b552e0784
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 27 12:38:55 2013 -0400
* update changes
commit 45af631a213859b8bc72200496cf99d3baa5b6f3
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 27 12:37:31 2013 -0400
* Removed unused function load_host_cert()
This function was only used in the non-NSS path which we no longer
support.
commit 8827a35fea604eb19d8d15010ab40250ddf8ab3b
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 27 12:32:34 2013 -0400
* security: Fix misuse of ASN1_BUF_LEN and PATH_MAX in unused function
ASN1_BUF_LEN was declared as 512 at one location and 256 at another. Moved
it to x509.h as 512 and verified its usage.
In load_host_cert() it copied a char[PATH_MAX] for ASN1_BUF_LEN length. Luckily,
PATH_MAX is 1024 so it would always fit.
Additionally, since load_host_cert() is only used in the non-NSS code branch
which we no longer support, this function has been #if'defed out.
commit bd59ffdf2fe39c2139f1126c4c3d10fff89bcb22
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 27 12:29:47 2013 -0400
* updated changes
commit c78e908fcc01da7c89e5f7bb2a090889ab988309
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 25 13:49:24 2013 -0400
updated changes
commit a62ba1bb2675d2b8cd7f9616ed118c44ea3d5bd0
Author: Florian Weimer <fweimer at redhat.com>
Date: Thu Apr 25 13:48:41 2013 -0400
* security: list_acerts: Correct snprintf length argument
and do not use return value
commit f96f513a0fdd1b48cf50c856deb22c3bb7a02bfa
Author: Florian Weimer <fweimer at redhat.com>
Date: Thu Apr 25 13:47:11 2013 -0400
* security: unpack_RSA_public_key: Check modulus length against key
commit ebf7d7d75d94269cd3d852bb5e4a3bb7448fead0
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 25 13:40:12 2013 -0400
* updated changes
commit 2cd9002ceee7602c1a51061ee9c50bd7e76781e3
Author: Florian Weimer <fweimer at redhat.com>
Date: Thu Apr 25 13:37:34 2013 -0400
* security: fetch_curl: Set timeout for the entire request
Otherwise a stuck connection could effectively disable CRL fetching.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
This is due to the CRL fetching not using proper helper threads like
the crypto/dns threads. This only affects a broken CRL URI point
as taken from the CA certificate.
commit 34e669419f7b130ddeedf2c3559f75f98f73f316
Author: Florian Weimer <fweimer at redhat.com>
Date: Thu Apr 25 13:34:43 2013 -0400
* security: do_aes: Abort on failure
The routine cannot signal encryption failures to the caller
and would leave the buffer unencrypted on error.
commit 30da4deb7f01ce260f5905a7d6032225c1998fd1
Author: Florian Weimer <fweimer at redhat.com>
Date: Thu Apr 25 13:34:14 2013 -0400
* security: do_3des: Abort on failure
The routine cannot signal encryption failures to the caller
and would leave the buffer unencrypted on error.
commit a0d451dd055cc30014d67f7ee563dfdb9791c23f
Author: Florian Weimer <fweimer at redhat.com>
Date: Thu Apr 25 13:31:07 2013 -0400
* security: Check that origin of netlink message is the kernel [Florian]
commit 0c9e7831570fbe1c641df16baf51446b55e63a7e
Author: Florian Weimer <fweimer at redhat.com>
Date: Thu Apr 25 13:29:30 2013 -0400
* security: escape_metachar: Do not write beyond the end of the buffer
commit 8f5b979438c89297daa2c608e7250e1064c3f8ab
Author: Florian Weimer <fweimer at redhat.com>
Date: Thu Apr 25 13:26:26 2013 -0400
* security: alloc_bytes1(): Integer overflow if the leak detective is enabled
leak detective is not enabled per default.
commit 41b7588627719b36807fd4d23dd695ca13e6537b
Author: Florian Weimer <fweimer at redhat.com>
Date: Thu Apr 4 11:45:15 2013 +0200
prettypolicy: Avoid buffer length computations
This ensures that snprintf is not called with a length argument of
zero.
commit efd322f6cc8c24174e49cd437c79fc4f3779dbdb
Author: Florian Weimer <fweimer at redhat.com>
Date: Thu Apr 4 11:50:12 2013 +0200
readwhackmsg: Guard against integer overflow when rounding up length
commit bb4402e9fbda06afb3153b97a2494c3d2b90c435
Author: Florian Weimer <fweimer at redhat.com>
Date: Thu Apr 4 11:59:45 2013 +0200
alg_enum_search_prefix, alg_enum_search_ppfix: Guard against long prefix
Existing callers use short, constant strings, so this does not make a
difference at present.
commit 43b5d6ee61a38167b45c7c9f67552dca91430a28
Author: Florian Weimer <fweimer at redhat.com>
Date: Mon Apr 8 15:46:18 2013 +0200
spawn_worker: Call _exit instead of exit in the child process
This suppresses unwanted cleanup actions.
commit 201247c6b0798d1e5f239284940aa7db4a4e6b04
Author: Florian Weimer <fweimer at redhat.com>
Date: Mon Apr 8 16:30:58 2013 +0200
Remove random_devices variable from programs/pluto/rnd.c
commit 1a968534c35fdb236c0dcc1ab29eaaaa1a09f15e
Author: Florian Weimer <fweimer at redhat.com>
Date: Mon Apr 8 16:33:01 2013 +0200
linux/net/ipsec/prng.c: Remove, no longer used
commit f93f5a4fbaa1a895640b6b994c3aaefc88a123fa
Author: Florian Weimer <fweimer at redhat.com>
Date: Mon Apr 8 16:42:12 2013 +0200
get_rnd_bytes: Abort on random number generator failure
We must not return without overwriting the buffer.
commit 5c5d103c836cd4d5ecc3e58adef60db85cc4aac6
Author: Florian Weimer <fweimer at redhat.com>
Date: Mon Apr 8 17:21:28 2013 +0200
db_trans_expand, db_attrs_expand: Use ptrdiff_t for the pointer offset
This still invokes undefined behavior, but is more 64 bit safe.
commit 4f90867f0c804a68a538c1fb3d370e6fd35984ff
Author: Florian Weimer <fweimer at redhat.com>
Date: Tue Apr 9 16:19:11 2013 +0200
pluto_crypto_allocchunk: Avoid wraparound in assert
commit 4d1dda24046ae4e713d34baf61b1911522736ed8
Author: Florian Weimer <fweimer at redhat.com>
Date: Tue Apr 9 16:21:48 2013 +0200
pluto_crypt_handle_dead_child: Remove, dead code
commit ecce8df69fa88fd89efd62672c238882a3289dbf
Author: Florian Weimer <fweimer at redhat.com>
Date: Tue Apr 9 16:48:22 2013 +0200
humanize_number: Avoid variable format string
Also add check for snprintf result.
commit ba2104c9d4634701e77e18ef95722b9f63c6d2c8
Author: Florian Weimer <fweimer at redhat.com>
Date: Tue Apr 9 17:03:34 2013 +0200
get_addr: Move docstring comment in front of the function
commit 33faa04556b7e8de0547a032b89f4d8e29d336fc
Author: Florian Weimer <fweimer at redhat.com>
Date: Wed Apr 10 09:52:56 2013 +0200
LSW_FDMASK: Avoid signed integer overflow
Shifting into the sign position is currently a GCC extension, but that
may change in the future (according to the GCC manual).
commit 2ea078b21cbaab5f8824b85f95f6e4554f05b54a
Author: Florian Weimer <fweimer at redhat.com>
Date: Wed Apr 10 10:14:20 2013 +0200
format_connection: Avoid using the snprintf return value
commit 612cb44274692713d598347d6cf98c9cdb87df08
Author: Florian Weimer <fweimer at redhat.com>
Date: Wed Apr 10 10:35:57 2013 +0200
biglset_format: Do not rely on the return value of snprintf
commit 4031611a1c187c6e7968add1a54ddfc729befa85
Author: Florian Weimer <fweimer at redhat.com>
Date: Wed Apr 10 10:47:59 2013 +0200
alg_info_snprint: Do not rely on the return value of snprintf
commit e8779816991b191eccdb2c498edae9d1ba9347fb
Author: Florian Weimer <fweimer at redhat.com>
Date: Wed Apr 10 11:21:49 2013 +0200
quick_inI1_outR1_authtail: Do not rely on the snprintf result
commit f137fcb99d40a0b102af1e4fa6e4c0fe98895f97
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 25 13:11:46 2013 -0400
* update changes
commit 7ecc33cd9bf4ee01ae1f72dfb58ee8d25e15cb5d
Author: Florian Weimer <fweimer at redhat.com>
Date: Thu Apr 25 13:08:23 2013 -0400
* security: dn_parse(), hex_str() write beyond end of the buffer
lib/libswan/x509dn.c:dn_parse(), hex_str() seem to write beyond the
end of the buffer, via side effect in the second arguments of
update_chunk calls. update_chunk should call snprintf itself, with
the proper remaining buffer length.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
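The bounded-append pattern the commit above asks update_chunk to adopt, as an added example that is not libreswan code: the builder calls snprintf itself with the remaining length and clamps the offset on truncation, instead of advancing a pointer by snprintf's return value. The names outbuf, outbuf_printf and hex_str_bounded are assumptions for this example.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded output buffer. outbuf, outbuf_printf and hex_str_bounded are
 * names assumed for this example, not libreswan's update_chunk()/hex_str(). */
struct outbuf {
	char *buf;       /* caller-supplied storage */
	size_t size;     /* capacity including the terminating NUL */
	size_t used;     /* characters written so far, excluding the NUL */
	bool truncated;  /* set once an append did not fit */
};

static void outbuf_init(struct outbuf *ob, char *storage, size_t size)
{
	ob->buf = storage;
	ob->size = size;
	ob->used = 0;
	ob->truncated = false;
	if (size > 0)
		storage[0] = '\0';
}

/* Append formatted text. snprintf is called here with the remaining length
 * and the offset advances only by what actually fit. The pattern this
 * replaces, "p += snprintf(p, len, ...)", moves p past the end of the buffer
 * on truncation because snprintf returns the length the output would have
 * had; the next call then receives a wrapped length and writes out of bounds. */
static bool outbuf_printf(struct outbuf *ob, const char *fmt, ...)
{
	if (ob->truncated || ob->used >= ob->size) {
		ob->truncated = true;
		return false;
	}
	size_t room = ob->size - ob->used;	/* > 0, cannot wrap */
	va_list ap;
	va_start(ap, fmt);
	int n = vsnprintf(ob->buf + ob->used, room, fmt, ap);
	va_end(ap);
	if (n < 0) {				/* encoding error: keep NUL-terminated */
		ob->buf[ob->used] = '\0';
		ob->truncated = true;
		return false;
	}
	if ((size_t)n >= room) {		/* output was cut: clamp to what fits */
		ob->used = ob->size - 1;
		ob->truncated = true;
		return false;
	}
	ob->used += (size_t)n;
	return true;
}

/* Render bytes as "0x" plus two hex digits each, stopping at the buffer end. */
static bool hex_str_bounded(struct outbuf *ob, const unsigned char *bytes, size_t len)
{
	bool ok = outbuf_printf(ob, "0x");
	for (size_t i = 0; i < len && ok; i++)
		ok = outbuf_printf(ob, "%02x", bytes[i]);
	return ok;
}

/* Constructed sample: four bytes into a buffer with room for them. */
static bool check_fits(void)
{
	const unsigned char sample[4] = { 0xde, 0xad, 0xbe, 0xef };
	char buf[16];
	struct outbuf ob;
	outbuf_init(&ob, buf, sizeof buf);
	bool ok = hex_str_bounded(&ob, sample, sizeof sample);
	return ok && !ob.truncated && ob.used == 10 &&
	       strcmp(buf, "0xdeadbeef") == 0;
}

/* Constructed sample: eight bytes into a 12-byte buffer. Only "0x" plus ten
 * hex digits fit; the result must stop there, stay NUL-terminated, and leave
 * the guard byte placed right after the buffer untouched. */
static bool check_truncation(void)
{
	const unsigned char sample[8] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };
	struct { char buf[12]; char guard; } s;
	s.guard = 'G';
	struct outbuf ob;
	outbuf_init(&ob, s.buf, sizeof s.buf);
	bool ok = hex_str_bounded(&ob, sample, sizeof sample);
	return !ok && ob.truncated && ob.used == 11 &&
	       strcmp(s.buf, "0xdeadbeef0") == 0 && s.guard == 'G';
}

int main(void)
{
	printf("fits: %s\n", check_fits() ? "ok" : "FAIL");
	printf("truncation: %s\n", check_truncation() ? "ok" : "FAIL");
	return 0;
}
```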
commit 7d0ca355a5c7f8337130d4b0b3e7686f2fa4d4c2
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 25 12:44:55 2013 -0400
* security: atodn() / atoid() buffer overflow
lib/libswan/x509dn.c:atodn() does not perform any length checking
whatsoever on the output buffer.
Affected:
- Libreswan 3.0 and 3.1 (3.2 disabled the oe= option)
- Openswan versions up to and including 2.6.38
- Possibly certain strongswan 3.x/4.x versions
This overflow is exposed (pre-authentication) only in opportunistic
encryption mode. When it is called via receiving a certificate
via IKEv1 or IKEv2, and when it is loaded from disk, the buffers
passed to atodn() are big enough.
This means this vulnerability can only be triggered when:
- Opportunistic Encryption is enabled (oe=yes)
- The attacker is local in the same network and adds a malicious
reverse DNS record to the client's IP, or
- The attacker can trigger an OE DNS lookup to a client fully
configured with OE and their own key.
Libreswan and openswan versions do not enable Opportunistic Encryption
per default. Most distributions like RHEL, Fedora, Debian and Ubuntu
also do not enable OE per default.
This patch addresses the vulnerability in atodn() and further limits the
atoid() call not to traverse into the ASN1 case when triggered by non-cert
cases such as opportunistic encryption.
Vulnerability discovered by Florian Weimer <fweimer at redhat.com> of the
Red Hat Product Security Team.
Patch by D. Hugh Redelmeier <hugh at mimosa.com> and Paul Wouters <pwouters at redhat.com>
commit 33c14306a63f63b96c833ee325d06ce1adce0856
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 25 12:39:37 2013 -0400
* testing: converted ikev2-04-basic-x509 to kvm
commit b2f4192db2710306ac9a00773b69681c98ce54e3
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 25 12:22:56 2013 -0400
* testing: bring tunnel down to look for broken remnants
commit 9be71a403aa7033f984d98ce1eb565a81538d8ba
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 24 15:39:47 2013 -0400
* testing: converted ikev2-05-basic-psk to KVM
commit 5dae61236e9bb597046178834497bb2243cbac64
Merge: 32df6c4 97fc483
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 24 12:22:37 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit f82ba4566a712bb48e67eb692e226f94e3176229
Merge: 1f5e3f9 97fc483
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Apr 23 22:50:04 2013 -0400
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 1f5e3f914a9a9e35606b3f44c9fc4430fa12e388
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Tue Apr 23 15:59:07 2013 -0400
* libreswan_log takes a format string and arguments: no need for a buffer
commit 97fc483a43857d24c5c0a69381de98336786ec38
Author: Kim B. Heino <b at bbbs.net>
Date: Tue Apr 23 10:43:47 2013 +0300
pluto/kernel: remove trailing whitespace
commit a5cbacf0a8c375e56ceb3528803079d7d079ca41
Merge: a2d0f2c f1d25aa
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Apr 22 13:27:16 2013 -0400
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit a2d0f2cc05a2ddb622ec4ab531bbd7b04bdd369c
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Apr 22 13:05:03 2013 -0400
* _stackmanager: Warn properly when esp4/esp6 module fails to unload
commit 32df6c4175a5f22e5c83f1478356d20776d9f64e
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 20 12:29:46 2013 -0400
* remove commented out sha2_256-96 handling
commit 6a72cc8d13a6c7e926b9992836e8372aa5317e09
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 20 12:18:46 2013 -0400
* pluto: fix error message
The error for ike=modp1536 said "esp error" instead of "ike error"
commit f1d25aaf74f5efb8ec091ee41c6616f361eb03de
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Apr 19 13:42:53 2013 -0400
* verify: debian has the ss command in /sbin/
commit 434d2118f98a99e8a146c45c24b361feb8020fdc
Merge: 49070b2 5a4a17e
Author: Kim B. Heino <b at bbbs.net>
Date: Thu Apr 18 11:38:07 2013 +0300
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 49070b2917de21bf0328d9974803f128c3dcfe05
Author: Kim B. Heino <b at bbbs.net>
Date: Thu Apr 18 11:37:28 2013 +0300
pluto/kernel_netlink: remove trailing whitespace
commit 5a4a17e4e7789716c57aab2543b07d929d9bd3b9
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 17 16:01:06 2013 -0400
* testing: added results for ipv6-tunnel-mode-02-netkey-netkey
These also need sanitation for the ip xfrm commands.
commit 07eb404e4c08a604b7c8c1b34c8d52fe3378c8e5
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 17 15:37:43 2013 -0400
* testing: preliminary results for ipv6-transport-mode-02-netkey-netkey
commit 4f9f33b54b1edc7926900c881460030637a01a29
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 17 11:40:24 2013 -0400
* testing: Added six IPv6 test cases for host-host mode
These test host-host for transport and tunnel mode, using klips, netkey
and an interop with both stacks.
commit 4eaf13c1533f6765189a9a257cdd80f74085f841
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 17 00:40:21 2013 -0400
* testing: mark ipv6-v6-through-v6-klips-klips as converted in TESTLIST
commit 67705a3652bad02233558460e0fead3067372273
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 17 00:33:55 2013 -0400
* testing: updated ping sanitizer
The old ping command shows icmp_req= while the new ping command shows icmp_seq=
Allow either one.
commit 7ef7e03f3026356ce2247d0a4cbd1717bbc6939f
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 17 00:33:47 2013 -0400
* testing: Updated test case ipv6-v6-through-v6-klips-klips
commit 99c1bb2c0b24ded83f02afdc11285168227aee79
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 17 00:15:36 2013 -0400
* parsing: turn oe= into kt_obsolete_quiet
commit 9549da61bbeeeb9ce21e1b8b11c89897eb2fcf38
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 17 00:14:55 2013 -0400
* parser: Added keyword type kt_obsolete_quiet
Same as kt_obsolete, but we only log a warning in full debug mode.
commit f21102b2336f668c72f06334be535155141232bd
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Apr 16 18:51:40 2013 -0400
* testing: SElinux update to avoid false positive audit avc messages
- No longer bind mount, but copy the host files in swan-transmogrify
to allow us to relabel SElinux context.
- For Fedora/RHEL guests, add context= parameters to /etc/fstab for
the /testing and /source mounts to provide proper SElinux context
to avoid audit avc messages
- Wipe the audit log on boot in swan-transmogrify so previous SElinux
audit warnings don't flag in the current test.
commit f2d7f1255da6c20d8edc3c6311bbeb633a5641a3
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Apr 16 14:38:24 2013 -0400
* testing: use raw format for ausearch so it does not display "<no matches>"
This ensures the output of final.nl is the same for "no audit tools installed"
and "audit tools installed but no problem found"
commit 4da132b6860f2927ad4c7ca2be3457ee24b1658f
Author: Antony Antony <antony at phenome.org>
Date: Tue Apr 16 09:19:00 2013 +0000
* testing : add more timezones to look sanitizer
commit a11e97dc50a9b222e41577a3778ada16316ba491
Author: Antony Antony <antony at phenome.org>
Date: Tue Apr 16 09:16:54 2013 +0000
* testing : fix the flow problem when running final.sh on responder
every sendline needs a matching expect
commit 357da69ece3a9801c10d4c52324f5f4cf7f695b6
Author: Antony Antony <antony at phenome.org>
Date: Tue Apr 16 08:40:21 2013 +0000
* testing : put the wait_pid initiator line back
commit 2ded8b4e354da5ee2faf663f931eb02a2a0c0bd8
Merge: 1e5ee54 0f88ab9
Author: Antony Antony <antony at phenome.org>
Date: Tue Apr 16 05:14:21 2013 +0000
Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan
commit 0f88ab9d40532cabd2be77ee3ab0fb96f7534088
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Apr 15 18:31:30 2013 -0400
* testing: run final.sh directly on initiator still on serial console
This is a workaround (and optimization) as it prevents some expect/flow
issues.
commit 545779dfe68648e48123f0e08fa465a245d789f2
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Apr 15 10:23:07 2013 -0400
* building: Enable some more hardening features
- Enable -z now linker flag
- Added -Wformat-nonliteral -Wformat-security
- Changed -fstack-protector to -fstack-protector-all
commit d3eecd069717a103db2ebcef6adaf7add910c577
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Apr 14 21:43:56 2013 -0400
* testing: Make date replacement a bit more robust for within ipsec look
But match more exactly using numbers to prevent matching other things
commit bf169d9c9a3a41e8a27a3c71844d1fb29cdc41b6
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Apr 14 21:22:22 2013 -0400
* testing: account for dropped leading zeros in ipsec-look-sanitize.sed
commit c193a53c490e7b73da5fff3a88b21d708fadde55
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Apr 14 20:08:04 2013 -0400
* testing: fixup ipsec-look-sanitize.sed
also sanitize esp.XXXXXXXX@ lines (and ah/comp)
commit 072f0b2fd91518eaf26c25877b20a2bfd051f409
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Mar 20 15:00:45 2013 -0400
* testing: add new sanitizer backgrounder.sed
This removes the variable pid from the output of background tasks,
such as launches of "nc" on eastinit.sh
It removes strings like: ^[1] 1234
(up to 3 processes only, for more we assume it's something else)
commit 3e1cb19d5084ba59d3dcc75602b3b6e711181a80
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Mar 20 20:48:20 2013 -0400
* stackmanager: if mtu of mast0 interface is 0, set it to 16260
commit fac1d97a0792fbc9012c087f9587713142900d2d
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Mar 20 17:02:16 2013 -0400
* testing: cleanup all final.sh scripts
Should probably be replaced by a smarter output script that we can run
on all hosts.
Importantly, the "cat /tmp/pluto.log" was removed everywhere because
we now just cp that log from VM to host. Additionally, the test for
cores now include numbered cores (core.1234) and we check for any
SElinux warnings.
Conflicts:
testing/pluto/basic-pluto-02/final.sh
testing/pluto/basic-pluto-04/final.sh
testing/pluto/dpd-02/final.sh
testing/pluto/dpd-03/final.sh
testing/pluto/dpd-04/final.sh
testing/pluto/dpd-06/final.sh
testing/pluto/ikev2-04-basic-x509/final.sh
testing/pluto/phase1-expire-02-reconnect-netkey/final.sh
testing/pluto/tpm-accept-01/final.sh
testing/pluto/tpm-accept-01b/final.sh
testing/pluto/tpm-accept-02/final.sh
testing/pluto/tpm-accept-03/final.sh
testing/pluto/tpm-accept-04/final.sh
testing/pluto/tpm-accept-05/final.sh
testing/pluto/tpm-accept-06/final.sh
testing/pluto/tpm-accept-07/final.sh
testing/pluto/tpm-accept-08/final.sh
testing/pluto/tpm-pluto-01/final.sh
testing/pluto/xauth-pluto-07/final.sh
commit dfab0317767e5104c7202f9a4c9e9cf317b25c96
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Apr 14 14:26:35 2013 -0400
* setup CHANGES for 3.3
commit caa4b2cbf812a2c7ea49212c28d310e7c9f076aa
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Apr 14 13:19:02 2013 -0400
* packaging: updated rhel6 version of spec file
commit 1e5ee54d64d60874b7aacd405b21daf8c161e27e
Merge: ee70e48 26396e4
Author: Antony Antony <antony at phenome.org>
Date: Sun Apr 14 09:17:27 2013 +0000
Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan
commit 26396e441aa5b8909682ea6d38d8cbb5e69c612f
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 13 16:11:21 2013 -0400
* add release date
commit b0de3eb18542ef988225b933240e739f1e1d134e
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Apr 13 16:09:41 2013 -0400
* testing: fixup compress-pluto-netkey-03 and compress-pluto-01
commit ee70e48e42500e500e1b1203cc86ccd63fd534f3
Author: Antony Antony <antony at phenome.org>
Date: Sat Apr 13 17:41:22 2013 +0000
* testing : add check for stop-tests-now so we can interrupt make check.
commit 219bd86b4b260f75b419da535960f728ea9e5837
Author: Tuomo Soini <tis at foobar.fi>
Date: Fri Apr 12 19:59:25 2013 +0300
CHANGES: update for lswbz#85
commit 80dfdb8ce980372d606adc1590f5ea0ec54ddf44
Merge: 16d1604 7b1cd93
Author: Tuomo Soini <tis at foobar.fi>
Date: Fri Apr 12 19:56:02 2013 +0300
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit 16d160428ad1a8f97f601140f0c3ee17513d6960
Merge: a23cd52 21a6e0c
Author: Tuomo Soini <tis at foobar.fi>
Date: Fri Apr 12 19:54:42 2013 +0300
Merge branch 'lswbz85'
commit 21a6e0c79732a3ea16dfbeeda4edff9ccc1dad1d
Author: Kim Heino <b at bbbs.net>
Date: Fri Apr 12 19:36:57 2013 +0300
This is fix for libreswan bug #85.
We only add traffic selectors for transport mode. The problem is that
Tunnel mode ipsec with ipcomp is layered so that ipcomp tunnel is
protected with transport mode ipsec, but in this case we shouldn't add
traffic selectors any more or we break the tunnel.
Function setup_half_ipsec_sa was modified to inform netlink_setup_sa with
add_selector boolean about need to add selectors. This prevents breaking
ipcomp in tunnel mode. Direction of sa is now passed to netlink_setup_sa
so client can be substituted with host ip so that selector works for natted
transport mode.
Signed-off-by: Tuomo Soini <tis at foobar.fi>
commit 7b1cd93056a67c499f4b20d28565733af33f3550
Merge: a2c8632 a23cd52
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Apr 12 12:23:25 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit d38911304a0129c67130de68ced87e28d79a4171
Author: Tuomo Soini <tis at foobar.fi>
Date: Fri Apr 12 19:02:51 2013 +0300
NETKEY: remove irrelevant logging - this is not needed when traffic selectors
support has been restored.
Revert "Revert "netkey: remove logged warning which is not true after commit 9ed4d3e9""
This reverts commit 340329cdf966f8467eced54327189eb52cbfd736.
commit f3fbf2a9a196da8db16dd73cbd04c4313cba776d
Author: Tuomo Soini <tis at foobar.fi>
Date: Fri Apr 12 18:58:20 2013 +0300
NETKEY: restore traffic selectors for fixing them to work with transport
mode nat-traversal.
Revert "Revert "* Pass traffic selectors to the kernel in Transport Mode""
This reverts commit a4e6195811c6685c1c440ff965890a2d3c9f56e3.
commit 375fe9d54d4aa27279046c099691a0a93155b876
Author: Tuomo Soini <tis at foobar.fi>
Date: Fri Apr 12 18:55:01 2013 +0300
NETKEY: remove work-around for NATD port leaking to traffic selectors
commit a2c86320ea2cf2c39501adaa59dfe4dbb9a5ef58
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Apr 12 10:28:24 2013 -0400
* Temporarily disable option to enable opportunistic encryption
This will be re-implemented with an external helper that is more aware
of the forward DNS query and IP address answer, so it will not require
the reverse DNS.
commit a23cd52fd7c1fc9f1297a57107b74f78d860d1d4
Author: Tuomo Soini <tis at foobar.fi>
Date: Fri Apr 12 15:31:41 2013 +0300
remove CHANGES entry which is not relevant yet
commit 9605d7628de60f975154d6359f59d21233c9b992
Merge: 2291b98 7eb3db6
Author: Antony Antony <antony at phenome.org>
Date: Thu Apr 11 22:40:38 2013 +0000
Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan
commit 2291b989359d68922dcd8027e080af6220fb0784
Author: Antony Antony <antony at phenome.org>
Date: Thu Apr 11 22:40:11 2013 +0000
* testing : cleanup commit results with initial_contact:no;
commit 8d324608d97250d00ca8f9369cbde2d898d90c82
Author: Antony Antony <antony at phenome.org>
Date: Thu Apr 11 22:07:10 2013 +0000
* testing : remove 'cat /tmp/pluto.log' from final.sh
commit 7eb3db6cdd9fffaaf5d1ba5a98675046de726031
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 11 18:03:40 2013 -0400
* showhostkey: --ipseckey option mistakenly printed "0s" prefix
also moved an nss configdir diagnostic into --verbose like the rest
commit c5b3aa10d9720634aeb784985d40af38bfd8e008
Author: Antony Antony <antony at phenome.org>
Date: Thu Apr 11 21:33:54 2013 +0000
* testing : ikev2-05-basic-psk results
ikev2-04-basic-x509 results
commit 85942b9e5e9917df75eb276ac3654c83e5449e18
Author: Antony Antony <antony at phenome.org>
Date: Thu Apr 11 18:31:44 2013 +0000
* testing : swan-build rm OBJ.linux.x86_64 no *
commit 2e15e2f9f2a9c3c42b5f3980278ef3a914496b54
Author: Antony Antony <antony at phenome.org>
Date: Thu Apr 11 18:18:47 2013 +0000
* .gitignore added Makefile.inc.local and removed UMLPOOL
commit 9760a966d24bd149ef170a779933b0452106e5c5
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 11 11:06:36 2013 -0400
* packaging: updated ipsec.conf.d with the commented *.conf include
commit a46d2d7405401f0f140f2275b2ca5c93bf53f384
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 10 22:14:50 2013 -0400
* packaging: use full relro (-z,relro,-z,now) for fedora spec
commit 670a5175a7daf4bccee8daf88833077112752f1f
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 10 17:14:20 2013 -0400
* packaging: we need the INITSYSTEM= override in make install as well
commit 38d3347c24880060995359d39f3f06ed8a3ccef2
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 10 16:29:50 2013 -0400
* packaging: updates to libreswan.spec for fedora 18
- Enable _hardened_build
- Added -Wformat-nonliteral -Wformat-security to USERCOMPILE
- Added -Wl,-z,relro to USERLINK
- Support macros for 'prever' to get proper versions for dr/rc releases
- Removed obsolete defkv/kversion/krelver/srcpkgver variables
- Add Obsoletes/Requires/Conflicts for openswan
- Force init system detection with INITSYSTEM=systemd
commit be90ed4683612df489afec74fb54404327bcaa58
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 10 13:16:50 2013 -0400
* packaging: changed remaining $RPM_BUILD_ROOT to %{buildroot}
commit d2474fcd5d9a7ffad5c8a774d4bf0873bb775422
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 10 13:10:41 2013 -0400
* permissions: open up /var/run/pluto, close down /etc/ipsec.d
The rundir (default /var/run/pluto) is changed from 700 to 755, to
allow non-root processes to read pluto.pid (eg monitor scripts)
The ipsecddir (default /etc/ipsec.d) and its subdirectories are changed
from 755 to 700. This was already the case for some distributions
(Fedora, RHEL). This provides a little more privacy about which IPsec
tunnels are configured, which certificates are known, etc.
commit 4bbdd9fa73bd3c22958d794f71beddac270b6dd9
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Apr 9 23:45:56 2013 -0400
* added comment for unknown juniper vendorid.
commit 98751d85f47131a5bd599e6d67bea113b6f6330d
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Apr 9 13:44:32 2013 -0400
* initial_contact man page entry
commit 12a24be0b1639e1d6a60022d999852603208aab2
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Apr 9 13:38:18 2013 -0400
* updated changes
commit d74f33f22a7e6d6bf6b4ff32367b81ffbab56b40
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Apr 9 13:35:55 2013 -0400
* IKEv1: Support initial_contact=yes|no (default no) in Main Mode [Paul]
This only affects sending the payload. As responder, we still ignore this
payload and base our decision for replacing the IPsec SA on the uniqueids=
setting. That code does not cause downtime like the initial_contact behaviour
(on Cisco) does.
commit 3e6543a6bd5db6bf3c11ad72a0fccdec5e8cf542
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Apr 9 13:05:37 2013 -0400
* fix whack usage for --addresspool with mandatory range argument
commit d6a2b4b80a340a3dda6d9b5ea520dbb4285f5b53
Merge: b5fe675 78c4e52
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Apr 9 12:58:40 2013 -0400
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit b5fe675402b64532a535083ca05c1a9785840348
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Apr 9 12:58:23 2013 -0400
* more updates to CHANGES
commit 78c4e524aa68db4b4c9126aea264dd21b3d9baf1
Author: Antony Antony <antony at phenome.org>
Date: Tue Apr 9 16:45:25 2013 +0000
* addresspool : code cleanup. removed unused bits
commit a1d7edfae641371025ebd1c5a5a127356a0aa2d0
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Apr 9 12:32:10 2013 -0400
* updated changes
commit b7e19e8dad109fb14c6826438ee8c3acfea2f07e
Merge: afd74c1 49793ba
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Apr 9 12:31:04 2013 -0400
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit afd74c1b4c430248b491a9296cc715b03c14d8dc
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Apr 9 12:30:45 2013 -0400
* updated changes
commit 9c3130dbe56a12349fb672afcb934ed3fcc7b3f4
Author: Antony Antony <antony at phenome.org>
Date: Tue Apr 9 12:28:15 2013 -0400
* addresspool: Use same_id() to identify reconnecting client and re-use lease
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit 49793baeb4659d6013346b67737627bcda584e68
Author: Antony Antony <antony at phenome.org>
Date: Tue Apr 9 09:57:27 2013 +0000
* testing : ikev2-05-basic-psk seems to need nhelpers=4 too. may be 2 is
enough
commit a9d558f144f106a3b1f5069d4eab37e636c59f09
Author: Antony Antony <antony at phenome.org>
Date: Tue Apr 9 09:51:40 2013 +0000
* ikev2 nss : fix bug 78. may need nhelpers=4 or so too
commit d31fbfc9dcf376df7ae5fb5fa7c7129faa0cd1ff
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Apr 7 18:48:10 2013 -0400
* added another (unknown) nortel vendorid in a vendor.c comment.
commit 955ba75cd49f87bb48f0a156ce2d052c3de96ed4
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Apr 5 22:37:26 2013 -0400
* _stackmanager: when unloading NETKEY, unload ip_vti before xfrm*tunnel
commit bbe1d2e134188e2442df8dde54d0c1209c0b42f5
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 4 13:26:22 2013 -0400
* updated changes
commit 68c98e67ef3c4e6aaaaabc5b1d07d368c8ec121c
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 4 13:24:27 2013 -0400
* pluto: Obsoleted force_keepalive= and --force_keepalive
It violates RFC 3947/3948 where an explicit DOS is mentioned. It was
not enabled per default. It would not actually accomplish keeping the
NAT mapping open in the opposite direction.
commit 4556b56267fe0ddd67cc94e54ed6837afb9394ae
Merge: e08e793 9678a75
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 4 00:55:26 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit e08e793a4267a258829f47ca790fe87721b25cf1
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 4 00:44:08 2013 -0400
* pluto: added per-conn nat_keepalive= (whack --no-nat_keepalive)
Add an option nat_keepalive= to allow disabling keep alives by
specifying nat_keepalive=no. The default (yes) causes the same
behaviour as we have currently without the option.
This option takes precedence over the global force_keepalive= option
Note: I don't fully understand the purpose of the global option, it
would send NAT-T KA packets when "they are NATed" whereas normally
we only send NAT-T KA packets when "we are NATed". Is there an actual
use case for this?
To ensure we don't change the current behaviour, the whack option
does the negative, e.g. --no-nat-keepalives, so that not specifying it
gives the proper default behaviour of doing regular NAT-KA packets.
NOTE: We currently always send these packets, even when there is
traffic flowing over the IPsec SA (and thus over port 4500 so the
NAT router would keep the port mapping open anyway)
commit f3b76f40f668f4222dd0ae3d010de9675525597a
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 4 00:42:56 2013 -0400
* oeconns: fix format string which was missing a %s.
commit 86a76b8e79b01fe1fd2c082a281d57cda9290df0
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 3 23:28:47 2013 -0400
* starterwhack: fix format string in starter_log() to use %d for int
commit 03e41b968673c3aa5ec6f4a030d4461d95e6d65a
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 3 23:19:02 2013 -0400
* pluto: Log out own vendorid as "received" instead of "ignored"
commit 9678a75e575542c4edb75e1fed34ee0231c98c1e
Merge: 0250657 2a88180
Author: Antony Antony <antony at phenome.org>
Date: Wed Apr 3 21:53:31 2013 +0000
Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan
commit 0250657938a220fe15cb12a3e96b31a17ab1ed2f
Author: Antony Antony <antony at phenome.org>
Date: Wed Apr 3 21:52:43 2013 +0000
* testing : fixed sed line Restart=no
commit 37637bbf2f637a5822ecb89ac99734eb337a41ee
Author: Antony Antony <antony at phenome.org>
Date: Wed Apr 3 21:51:29 2013 +0000
* testing : swan-prep creates OUTPUT/<hostname>.pluto.log with right permissions
commit 06f645fe136a98b03d67406e34968827694ad444
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 3 16:53:29 2013 -0400
* pluto: clarify Commit Flag log message
commit 2a8818092e4da79c549fd8fe7c44b95998ad3c8f
Merge: b8d8d59 2690046
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 3 16:37:23 2013 -0400
Merge branch 'fweimer'
commit b8d8d59b572bcf80646cbea46a18644e2e5b7e06
Merge: 2a9e59c 241da18
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 3 16:33:27 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit 2a9e59c481591c3720b73521c45048523fec8205
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 3 16:24:17 2013 -0400
* IKEv1: fragmentation check for null state was too late.
We would have already tried to dereference it
commit 269004618ec392706e4f198644c5b59d79d28fed
Author: Florian Weimer <fweimer at redhat.com>
Date: Wed Apr 3 18:32:43 2013 +0200
Add missing format string attribute to starter_log
And add format strings to call sites which lack them.
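To show what the format string attribute mentioned in the commit above buys at compile time, here is an added example (not libreswan's starter_log, and not part of the original message): a small logger declared with GCC/Clang's printf format attribute, plus two call sites written the way the compiler will accept without warnings. The function names demo_log, demo_log_last, log_conn_name and log_user_message are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libreswan code. The format attribute tells the compiler
 * that argument 2 is a printf-style format and the variadic arguments start
 * at 3, so -Wformat checks every call site's format against its arguments and
 * -Wformat-security warns on a non-literal format passed with no arguments
 * (the pattern demo_log(level, msg), where msg may come from outside). */

static char last_line[256];   /* keeps the most recent line for inspection */

static void demo_log(int level, const char *fmt, ...)
        __attribute__((format(printf, 2, 3)));

static void demo_log(int level, const char *fmt, ...)
{
        va_list ap;
        int n;

        va_start(ap, fmt);
        n = vsnprintf(last_line, sizeof(last_line), fmt, ap);
        va_end(ap);
        if (n < 0)
                last_line[0] = '\0';
        fprintf(stderr, "[%d] %s\n", level, last_line);
}

/* Returns the most recently formatted line (without the level prefix). */
const char *demo_log_last(void)
{
        return last_line;
}

/* A call site whose format is a literal: the compiler verifies that "%s"
 * matches a const char * argument. */
void log_conn_name(const char *conn)
{
        demo_log(1, "loading conn \"%s\"", conn);
}

/* Text that did not originate in the program is passed as an argument, never
 * as the format, so any '%' in it is printed rather than interpreted.
 * demo_log(1, msg) here would be reported by -Wformat-security. */
void log_user_message(const char *msg)
{
        demo_log(1, "%s", msg);
}

int main(void)
{
        log_conn_name("west-east");
        log_user_message("100%s of the peers replied");
        return 0;
}
```

Building with the flags the branch now defaults to (-Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security) makes the attribute effective; without the attribute on the prototype, none of those flags can see through a custom logging function.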
commit 2595da46930233c405d86b35bde3caa40043643a
Author: Florian Weimer <fweimer at redhat.com>
Date: Wed Apr 3 11:38:32 2013 +0200
Replace GNU-style designated initializers with C99-style ones
commit 241da18e477598ad14ffc776137f64b105874191
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Wed Apr 3 13:27:06 2013 -0400
* pluto: constants.c: jam_str: fix typo in comment
commit af00a6d746c8dcfe24c0d6ef007d5581fafa9650
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 3 12:42:48 2013 -0400
* pluto: sadetails of 256 is actually also not enough, raised to 512
commit bd04fc15c44775aec1f501b0e1c4a94a2d48644c
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Apr 3 12:36:56 2013 -0400
* pluto: increased sadetails string from 128 to 256 so XAUTHuser isn't cut off
The size of sadetails is for the message that is printed when the IPsec SA comes
up, and is passed via fmt_ipsec_sa_established(). Since we now log the XAUTH user
name, this 128 character limit was causing the line to be cut off at 128, leaving
out the partial XAUTH user name (especially when NAT was used and the NATOA/NATD
info was also printed)
It now looks like:
Apr 3 16:36:12: "iphone-general"[6] 76.10.157.78 #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0d0f1c0c <0x8600e9d1 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none XAUTHuser=B6188A01A77A6825B535A5A20D5E44E013BFF326}
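The truncation described in the commit above is silent because snprintf() cuts the output and only reports the full length through its return value. The following added example (not libreswan's fmt_ipsec_sa_established(), and not part of the original message) builds a line of the same shape into a caller-sized buffer and checks that return value, so a buffer that is too small is detected rather than producing a cut-off XAUTHuser. The struct, the function names and the field values are constructed for the demo; the sample values mirror the log line quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libreswan code: format an "IPsec SA established"
 * summary and detect truncation instead of silently cutting the line. */

struct sa_summary {
        const char *spi_out, *spi_in, *xfrm, *natoa, *natd, *dpd, *xauth_user;
};

/* Constructed sample values in the shape of the log line quoted above. */
static const struct sa_summary sample = {
        "0x0d0f1c0c", "0x8600e9d1", "AES_256-HMAC_SHA1",
        "none", "none", "none",
        "B6188A01A77A6825B535A5A20D5E44E013BFF326",
};

/* Formats the summary into buf (buf may be NULL when buflen is 0, which only
 * measures). Returns the length the complete line needs, excluding the NUL;
 * that is the value callers must compare against buflen. */
int fmt_sa_summary(char *buf, size_t buflen, const struct sa_summary *s)
{
        return snprintf(buf, buflen,
                        "IPsec SA established tunnel mode {ESP=>%s <%s xfrm=%s "
                        "NATOA=%s NATD=%s DPD=%s XAUTHuser=%s}",
                        s->spi_out, s->spi_in, s->xfrm,
                        s->natoa, s->natd, s->dpd, s->xauth_user);
}

/* snprintf() truncated if it needed buflen or more characters (the NUL
 * takes one), or failed outright. */
int sa_summary_truncated(int n, size_t buflen)
{
        return n < 0 || (size_t)n >= buflen;
}

/* Tries the sample line in a buffer of buflen bytes (capped at 1024 for the
 * demo); returns 1 when the whole line fits, 0 when it would be cut off. */
int sample_fits(size_t buflen)
{
        char buf[1024];
        int n;

        if (buflen > sizeof(buf))
                buflen = sizeof(buf);
        n = fmt_sa_summary(buf, buflen, &sample);
        return !sa_summary_truncated(n, buflen);
}

/* Length the sample line needs, measured without writing anything. */
int sample_length(void)
{
        return fmt_sa_summary(NULL, 0, &sample);
}

int main(void)
{
        printf("sample line needs %d characters\n", sample_length());
        printf("fits in 128 bytes: %s\n", sample_fits(128) ? "yes" : "no");
        printf("fits in 512 bytes: %s\n", sample_fits(512) ? "yes" : "no");
        return 0;
}
```

With these sample fields the line needs 166 characters, so the old 128-byte sadetails would have lost the end of the XAUTH user name while the 512-byte buffer holds it; the return-value check is what turns that from a silently mangled log line into a condition the code can see.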
commit f8b0a4497ba2aa1931f2962d45d0cd14dc27075d
Author: Antony Antony <antony at phenome.org>
Date: Wed Apr 3 11:05:15 2013 +0000
* testing : skip the umlplutotest; don't run final.sh twice on initiator
commit e18d621a95ac1827cf97862d26b44712a5e89a0b
Merge: bb75c17 6218791
Author: Antony Antony <antony at phenome.org>
Date: Wed Apr 3 10:49:23 2013 +0000
Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan
commit bb75c1788751aa69143a85dc38f315d61a752092
Author: Antony Antony <antony at phenome.org>
Date: Wed Apr 3 10:46:14 2013 +0000
* testing : hack to get make check run for pluto tests. Disabled kvm
checks. Change the TESTLIST command to kvmplutotest
commit 621879100f7acabd1ac4b5038d5f941e29de329f
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Mar 30 16:48:44 2013 -0400
* Added our GPG key as LIBRESWAN-GPG-KEY.txt
commit 10f43a7b7542c88dcf3b68ffca4da9445534a3b1
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Mar 30 16:47:28 2013 -0400
* updated changes
commit 9f1ab06d52870e4d6d92914dd96e6ee6c2918266
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Mar 30 16:43:57 2013 -0400
* pluto: don't log 0 bytes traffic stats for phase1 SAs
We tried to determine the amount of traffic on ISAKMP SAs as well as
IPsec SAs. We no longer log bogus 0-byte traffic for ISAKMP SAs.
commit 18d929eb88e5984cd1635cabec0c918845d9ef82
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Mar 30 16:29:12 2013 -0400
* XAUTH: cleanup XAUTHuser in ipsec auto --status/--down
Don't list it with connections and down events that don't have an XAUTHuser
commit 3ee789af4728f22219273c33eba3b81f67490fd5
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 28 17:07:15 2013 -0400
* building: make depend cleanup - two old nss/nspr entries were left
commit 0cbdd95da9808a851787e28a08621d510772a45b
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 26 11:36:25 2013 -0400
* building: make depend results should not include any nss/nspr includes
commit e180ac8af232c3df815c294d775fca29bf1df226
Merge: 9172d28 2287094
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 26 11:15:30 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit 9172d281447ef915094c91961add9ef8b25fa7a7
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 26 11:03:04 2013 -0400
* initscripts: IPsec stack was not cleaned up for upstart, non-modular
ipsec setup stop on upstart did an "exec stop ipsec", preventing the
module cleanup code from being called and leaving old kernel policy around.
If the stack was compiled inline, cleanup was not performed either.
commit 228709416591f3120793b06003da00d19984de95
Author: Tuomo Soini <tis at foobar.fi>
Date: Tue Mar 26 11:49:27 2013 +0200
add changelog entry for defaultroute finder improvement
commit fe2af772c58227b0dbab09dba0bdefddcc20c14e
Author: Kim B. Heino <b at bbbs.net>
Date: Tue Mar 26 11:33:49 2013 +0200
addconn: improve defaultroute finder
If both nexthop and source are undefined, find out the values in two passes:
1) find out nexthop for destination
2) find out source for nexthop
Doing both in one pass returns source for destination.
commit b52a9e44222d0d3568bd28854c550b200a1494bf
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 25 16:34:24 2013 -0400
* building: remove nss3/utilmodt.h from Makefile.depend.linux
We won't detect if it is changed, but it should not change anyway.
This file is not present in nss-3.13 (RHEL5)
commit b6af19187467107dc577bda86e5c2e2f3ec2173c
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 25 16:17:41 2013 -0400
* building: remove check for labeled security file - it breaks make depend
commit a96f9d47e1d2385f85385d0469a7d097d5c26351
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 25 12:37:47 2013 -0400
* building: Add -pie to default linker flags, ensure relro is not overwritten
commit fc26df66145f47775aa9e169a7cffbd83d260a34
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Mar 25 09:56:57 2013 +0200
update changes for variable tweaks
commit 340329cdf966f8467eced54327189eb52cbfd736
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Mar 25 09:53:52 2013 +0200
Revert "netkey: remove logged warning which is not true after commit 9ed4d3e9"
This reverts commit 6470bb3737da49370d511afd1d3f63bbbbab4f18.
We need this warning because commit 9ed4d3e9 was reverted.
commit 2e6a5396a38baf83d727e4c8d8be50b4a377d4b8
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Mar 25 09:40:25 2013 +0200
libswan: fix conffile to use correct define
commit 7ecac68f816f02ef857575abe219ea590ae3b61b
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Mar 25 09:26:34 2013 +0200
build: don't use buildsystem variables in code
commit 8bd19428ecd9a5f7a0633da2b37d7359269105cf
Author: Antony Antony <antony at phenome.org>
Date: Sun Mar 24 23:29:44 2013 -0400
* building: fix "make depend" in programs/pluto
Makefile was using $(GCC) instead of $(CC)
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit 67049b41ab4a8be3dca7a10d0be59da097d86710
Merge: 15f7131 5efb4a4
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Mar 24 21:08:36 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit 15f7131fb6dacb7197e446277ddaa8da53f8769a
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Mar 24 21:06:52 2013 -0400
* _stackmanager: flush netkey unconditionally upon restart
It seemed sometimes we did end up with some leftovers from the
previous run, causing module unload failure and lingering unknown
internal state. To prevent that, we unconditionally flush state and policy now
commit c05eb90259d89fd3108a3bf53808e03adb380611
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Mar 24 21:05:09 2013 -0400
* pluto: clear out old logfile on restart
Don't append. Old behaviour was to start a new file and is preferred.
commit 5efb4a4a9134ea08134d0a0a2855de9345b62449
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Mar 24 21:43:58 2013 +0200
update changes for VERIFY confdir location
commit e21ff23e439484e2b2a98b33fbbc87d2b82b8c81
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Mar 24 21:41:25 2013 +0200
verify: fix wrong confdir location
commit f40a2237e5cad7149d0f3188b816ac4c965ab4a0
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Mar 24 21:15:27 2013 +0200
initsystem: fixed default sysv init status function
commit 89e3b517348b46ffd4f65407123a2b9512d66949
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Mar 24 20:19:04 2013 +0200
update changes for ipsec --help fix
commit 168554fec90325e2089c7f1115a0629547ec573a
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Mar 24 20:16:11 2013 +0200
ipsec: fix syntax error in --help
commit c736bc94dd289bc29da6a78f6c2a27d39cdbd1a0
Author: Antony Antony <antony at phenome.org>
Date: Fri Mar 22 20:17:07 2013 +0000
* testing : rename test output files, fixed and pluto log files
east.console.verbose.txt, fixed file east.console.txt;
pluto logs are east.pluto.log
commit 644a65f213b99a98601fed2771f13eb74905961e
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 21 22:59:18 2013 -0400
* packaging: rhel5 has no %{_isa} macro and no nss-softokn
commit f5192fc258f1d3e2f36c2531a0867afd658cfbbe
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 21 22:21:32 2013 -0400
* packaging: Split RHEL spec files into rhel5/rhel6 versions
Also added OCF support as an option.
commit 94d08ca0e05b53bce6bb4c663dcb7bf518d05975
Author: Pavel Kopchyk <pkopchyk at gmail.com>
Date: Thu Mar 21 14:54:01 2013 -0400
* KLIPS: SAref patches for 3.0.55+ kernels
This takes into account changes made by upstream in:
http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/net/ipv4/ip_sockglue.c?h=linux-3.0.y&id=26aeb8bdda7619453e0958e8c38a84c7add3643b
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit 6987e4d1c0ee62d879778eb3da68e252b371bfcb
Merge: 983259f a4e6195
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Mar 20 22:22:03 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit 983259fffc586bc00512ea12852ebbd789eceb86
Author: Pavel Kopchyk <pkopchyk at gmail.com>
Date: Wed Mar 20 22:10:19 2013 -0400
* SAref patches for RHEL/CentOS 2.6.32-358.2.1
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit a4e6195811c6685c1c440ff965890a2d3c9f56e3
Author: Tuomo Soini <tis at foobar.fi>
Date: Tue Mar 19 16:41:51 2013 +0200
Revert "* Pass traffic selectors to the kernel in Transport Mode"
This reverts commit 9ed4d3e9ca2f57872167149c633f7ee2a3b01549.
This patch was quite badly wrong and caused natted transport mode
to break up completely.
commit fac4e47f1d27ed89aaba92b45037c090c21d269c
Author: Tuomo Soini <tis at foobar.fi>
Date: Tue Mar 19 10:42:33 2013 +0200
ipsec: use environment variable in script
commit 25db3fa3ea6d2ccd5e8f1baa4095c7f82fa87045
Merge: 7e8af6e c81069f
Author: Tuomo Soini <tis at foobar.fi>
Date: Tue Mar 19 10:29:49 2013 +0200
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
Conflicts:
Makefile.inc
commit 7e8af6e16897daa681c6fe6e96cfbe750857e59a
Author: Tuomo Soini <tis at foobar.fi>
Date: Tue Mar 19 10:26:09 2013 +0200
ipsec: cleanup coding style
commit 6ffca8740086509964d2c2ce6024438df33d663a
Author: Tuomo Soini <tis at foobar.fi>
Date: Tue Mar 19 10:14:22 2013 +0200
update changes for bug #76 fix
commit fb89162dccb46e1f2158957fe821f99cc506deba
Author: Tuomo Soini <tis at foobar.fi>
Date: Tue Mar 19 10:12:06 2013 +0200
initnss: fix bug #76: ipsec initnss fails with a @FINALCONFDDIR@ replace and
no default configdir
commit c81069f40a2f99d0e3d51f91521b3e85cf1074cc
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 18 23:34:40 2013 -0400
* fix preprocessing filename comment for /etc/ipsec.conf
commit b7b38a766f465d9df365f955eacd3fc311158224
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 19 03:23:48 2013 +0000
* testing: Give north a new raw rsa key
commit f8c3714cc4ea778259d31daa9cfb51f37660eadb
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 19 03:21:01 2013 +0000
* testing: fixup basic-pluto-03 test results
This test required a new north raw rsa key as the NSS db files never got
committed.
consoles taken from OUTPUT/*fixed* except for two manual changes that
still need fixing:
- mark tcpdump output as still needing a filter
- pretend we correctly identify all Libreswan vendorid's
(instead of logging an "ignored vendorid [....]")
commit 16c3e70d7987c58f5d435c85aea9c9e27514eb66
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 18 22:50:09 2013 -0400
* newhostkey: set default NSS dir for call to newrsakey
via @FINALCONFDDIR@ which becomes /etc/ipsec.d per default
commit 99ca899eccb7b4c361bf34cdab4520fdd79e0ab5
Merge: be0448c 93e0992
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 18 22:35:54 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit be0448c05b7d72e04c85ee2fdc8ad6b08fd5282f
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 18 22:35:17 2013 -0400
* building: @FINALCONFDDIR@ was not properly expanded in the ipsec cmd
commit 93e0992e829fd8e3736000c6628e4d2c8f39d67d
Author: Libreswan Build <build at libreswan.org>
Date: Tue Mar 19 01:51:21 2013 +0000
* testing: basic-pluto-02 fixup as it likely was meant to be.
Since part of the "known good output" was missing, west specifically,
I have to take a guess at what this was supposed to do. I believe it
is meant to reject the connection on east because the eastnet-westnet
conn is explicitly not loaded, and the OE conn would not match such
subnets.
commit 25f4be69f7449a082961082c55cb1b145d249dd1
Author: Libreswan Build <build at libreswan.org>
Date: Tue Mar 19 01:11:18 2013 +0000
* testing: cleanup east/west conf for basic-pluto-01
commit 1fb4e818765e157e9bcfa2ffe3650cf49b9a0eba
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 18 21:01:26 2013 -0400
* testing: update basic-pluto-01 known good output
Now includes a line with "Total IPsec connections", as well as
receiving the FRAGMENTATION vendorid
commit e4d035a61be2cc13d115a6d7efd50017c71461ee
Merge: 17e355d 244b79b
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 18 20:51:12 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit 17e355d9ed6d495b8df7091149e762a2bd4b48c4
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 18 20:49:23 2013 -0400
* _updown.klips: Fix parse error introduced with b5cc4343f567
commit 244b79bcd86baed9d65ce051f87329e762fe84df
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Mar 18 09:59:15 2013 +0200
CHANGES: #75: Libreswan inserts wrong xfrm policies on some configurations [Tuomo]
commit a55f9d8ad1b1541f639d954bb461d6781ebf340d
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Mar 18 09:56:14 2013 +0200
netkey: clarify comment on bug #75 fix
commit d37adcebbca781a2ad40769ea077619faa2f2cb9
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Mar 18 09:50:42 2013 +0200
Revert "Revert "Revert "Revert "Always use XFRM_MSG_UPDPOLICY instead of XFRM_MSG_NEWPOLICY. This avoids""""
This reverts commit 39b7891e50fae053e8acebdc1f55af6408f8fdad.
Fixes bug #75
Without this code we fail to insert another policy with same subnets.
commit 40948526dff2482351e36bfe2889718df6a9c279
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 15 17:16:53 2013 -0400
* update CHANGES for next release
commit 32e465ee578c97cee0ff582ae9ebe96b43a62f1e
Merge: 6470bb3 5eccf88
Author: Tuomo Soini <tis at foobar.fi>
Date: Thu Mar 14 22:16:18 2013 +0200
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit 6470bb3737da49370d511afd1d3f63bbbbab4f18
Author: Tuomo Soini <tis at foobar.fi>
Date: Thu Mar 14 22:16:02 2013 +0200
netkey: remove logged warning which is not true after commit 9ed4d3e9
commit 5eccf8876c4ca95cee94661415fe0f3dcfa6ded6
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 14 13:24:02 2013 -0400
* libipsecconf: fix parsing nexthop= setting
When sourceip was specified, we could accidentally overwrite nexthop
setting.
Bug was introduced with HAVE_DNSSEC in libreswan 3.0
commit cdd265136cd77d7dc558bbafafeae57f491ccea0
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 14 13:19:10 2013 -0400
* update changes
commit be65143a730807479e9dcc57112c8d8a6fd0a906
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 14 12:59:03 2013 -0400
* libipsecconf: Remove unused cmp.[ch]
commit c6fce31a7725e1e7e923bc539343afb9f7b872f6
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 14 12:48:31 2013 -0400
* readwriteconf: update usage(), initialise rootdir2
commit 497aa2501f1ad6f04bd7208bd170cb3c32c73fa6
Merge: 2284147 cfdc7df
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 14 00:46:19 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit 228414770f2e2309eb3cbcc2f2f7280bb1f1e6f9
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 14 00:45:41 2013 -0400
* packaging: fixup libreswan-kmod.spec to work on rhel5 as well
commit cfdc7dfec523508a90546431d11023082230a14a
Merge: cfb763e a2b28b8
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Mar 13 17:37:42 2013 -0400
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit cfb763e00952e643abc104971dd08ed0ec07ef67
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Mar 13 17:36:08 2013 -0400
* clarify error "defaulting leftsubnet to 1.2.3.4"
This really means the user specified leftsourceip=a.b.c.d where left=
is not a.b.c.d and no leftsubnet= containing a.b.c.d was specified.
We then construct leftsubnet=a.b.c.d/32
commit a2b28b81f1e8500f2993a3132d903d2fe2476249
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Mar 13 23:16:05 2013 +0200
initsystem: sysvinit whitespace cleanup
commit b5cc4343f567abb0aa963b2f0e74c8cbbbc60ec8
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Mar 13 22:31:30 2013 +0200
_updown.*: script cleanup
commit 688511ce24c743804432fafd15aaddd1ff368c9b
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Mar 13 15:47:46 2013 -0400
* make default case the last switch entry
commit da225cdc0e7b71d51b1138484b63436f28db7e54
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Mar 13 13:16:20 2013 -0400
* man page entry for leftaddresspool=
commit 0a9e0ae3402d7c158e6100d674d8840b3f9e0af2
Author: T.J. Yang <tjyang2001 at gmail.com>
Date: Wed Mar 13 14:20:02 2013 +0200
packaging: fix crl fetching support in rhel rpm spec
commit b22c95888b71050ff4e7c13da185dcea70c5c179
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Mar 13 10:35:43 2013 +0200
update CHANGELOG for bug #71
commit bccae61ee685b7232d90bb6ea1a790bac33f7434
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Mar 13 10:27:59 2013 +0200
Revert "* Block rules created by openswan remain even after tunnel establishment"
This reverts commit 8c4cc708ff398a2addd2923d9e461078b1a714f7.
Fixes bug #71.
commit dfb32e4b87e1056e3132eea078b753925411f16f
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 12 18:50:37 2013 -0400
* Remove an unused variable buftest
commit 5b825cfc5325ab2a04643b873d96af8dd97f65d8
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 12 18:49:26 2013 -0400
* packaging: remove klips from fedora spec file
commit 8c745b3f22259190c806404b9ea5c599d79b17c0
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 12 18:47:39 2013 -0400
* packaging: remove KLIPS parts from libreswan.spec
This is all located in the kmod-libreswan.spec file
commit 6b275e62b1ba4d84f832d7fb12b3ab8c5eca0690
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 12 18:43:34 2013 -0400
* X509: Don't compile authcert locking when not compiling with LIBCURL
commit 1271c4a5eaca5fd6285937fe99d0992de89db40c
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 12 18:33:07 2013 -0400
* libipsecconf: prevent leftaddresspool= + leftsubnet= in 1 connection
commit f3c47d25fa18efa863114d440b314b5b03f075ad
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 12 15:26:25 2013 -0400
* update changes
commit 59287b227316ab4f655d0ba59abc0d186fca07ad
Merge: 7806bec a7758cd
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 12 15:21:33 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit a7758cdf297b3335abcf5fff2a8b18b1671b795b
Author: Kim B. Heino <b at bbbs.net>
Date: Tue Mar 12 20:59:35 2013 +0200
addconn: find peer address if default gateway is ppp without via
commit 88af3c398e1f22c77873f8eab1b485182b0415a6
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 12 14:29:57 2013 -0400
* updated CHANGES
commit ce3e91696c6a751ae90a2578d7d9c055e5aaa576
Author: Antony Antony <antony at phenome.org>
Date: Tue Mar 12 17:19:19 2013 +0200
* addresspool : fix warnings. internal functions are type static
commit 7806becb61b74a832806c8ab6368395ca512a120
Merge: f617aee 4b677f6
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 11 22:34:07 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit f617aee5b170ef1d0e60c124b815cc2c6040c298
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 11 22:32:22 2013 -0400
* packaging: Added libreswan-kmod.spec and kmodtool-libreswan-el6.sh
kmodtool-libreswan-el6.sh should be copied into the SOURCES/ directory
and then libreswan-kmod.spec can be used to make a kmod kernel package
for KLIPS.
commit 4b677f60ba8925a2c32433ea41d9bd5a30ca936c
Author: Antony Antony <antony at phenome.org>
Date: Tue Mar 12 01:08:13 2013 +0200
* config: remove obsolete/unused modecfg_wins*
commit 649e5c0d5e412a1dfa0f179f215ffb112b43a20f
Author: Antony Antony <antony at phenome.org>
Date: Tue Mar 12 00:40:16 2013 +0200
* addresspool : added to Makefile.options
commit 581b42695b1ec14563caf304cc8b8385247665c5
Author: Antony Antony <antony at phenome.org>
Date: Tue Mar 12 00:19:58 2013 +0200
* addresspool : left|rightaddresspool support and testcases
commit f0530a007b8b7a17db4c100b035c099081dce311
Merge: 21045bd 6e9f6f9
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Mar 11 19:52:54 2013 +0200
Merge branch 'fragmentation'
commit 6e9f6f959b63db72a429449fa844320437d9feaa
Merge: 54ad009 21045bd
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Mar 11 19:36:10 2013 +0200
Merge branch 'master' into fragmentation
commit 21045bd0d125fa9385798e5ded7d656f85786291
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Mar 11 14:54:24 2013 +0200
update CHANGELOG for _plutorun changes and sysvinit tuning
commit 08887f953a6da062a5ae47df92132db77e8c295c
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Mar 11 14:49:53 2013 +0200
sysvinit: change initscripts to use new _plutorun interface which passes all pluto options
commit 37be2781d9ab457384338403f3c38d2ebdf915fa
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Mar 11 14:45:25 2013 +0200
_plutorun: change plutorun to pass all command line options to pluto
simplify script to actually work
commit 54ad009025f27f364df94691a16a8bc453464f5d
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Mar 11 07:53:17 2013 +0200
ipsec.conf: Fix some typos in ike_frag= documentation
commit bbc65776e8896e8f83dab9869f1b49f1a7780932
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Mar 10 13:27:04 2013 -0400
* pluto: threading cleanup in log.c
Use one mutex for all locks.
Protect whack_log() with a mutex
Don't protect fmt_log with mutex
Change debug_prefix to const
Based on patch by Philippe Vouters
commit e9969f7de062d93a906ca79c80d5687011b67d7f
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Mar 10 18:27:02 2013 +0200
re-fixed CHANGES for pthread
commit fc06d1ca87c59142a1c1bf609f153a12496b25fc
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Mar 10 18:26:39 2013 +0200
compiling: correct fix for CFLAGS: -pthread
commit f819a384c8beef5158ed54985748723020c089b9
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Mar 10 17:34:45 2013 +0200
add info about -pthreads to changelog
commit a47146d38f96abb80da188aee43c3646cf7ce04b
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Mar 10 17:27:16 2013 +0200
compiling: added -pthreads to CFLAGS
commit 6e267fe116c13e58e71a07f87f9f9f8b74d28245
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Mar 10 12:46:04 2013 +0200
pthreads: Make sure pthread.h is the first include file
commit 2dbbbc7011042ccc6c273b89c557eede2d73f288
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Mar 9 22:52:03 2013 -0500
* packaging: make pluto pam file %config(noreplace) in spec files
commit 4a07734ffc75e6bdaceadddcb6eec98d2dbbc02a
Merge: 13cb4f5 cd2acdf
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Mar 10 00:06:26 2013 +0200
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit 13cb4f591e65a6fe1434a7cdcc37ee47f43a5d07
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Mar 10 00:06:11 2013 +0200
sysvinit: fix location of sysconfig dir on install
commit cd2acdfec8f153eab5b9ef92fb0ec2024d34a20d
Author: Antony Antony <antony at phenome.org>
Date: Sat Mar 9 21:43:31 2013 +0200
* updown script syntax fix _updown.klips.in
commit 2c03d725571a9750f2961b556f09a597520a0973
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Mar 9 00:13:09 2013 -0500
* IKEv1: Only mark peer as fragment capable after assembling a fragment
We used to mark a peer as fragment-capable after receiving a first
fragment. Now we wait until we have assembled a full IKE packet from
fragments.
Regardless, when we receive the vendorid we deem them fragment capable.
In theory this could be spoofed, but an attacker that can modify packets
can do a DOS anyway.
commit 934a4944d6edd7a5aeac9fd7ed2e03f664da9d42
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Mar 9 00:12:34 2013 -0500
* IKEv1: Don't process incoming fragments with ike_frag=no
commit 06b26d0c2b76e9abee5816d88c5cdcd90d741b1c
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 8 21:59:21 2013 -0500
* pluto: fix log message causing crash on INVALID_COOKIE
Introduced a few commits ago by me using a wrong:
(st == NULL) ? st->st_msgid : ""
(I paid for it with a few hours of my time)
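The inverted test quoted in the commit above, and the "check came after the dereference" defect in the IKEv1 fragmentation fix earlier in this log (commit 2a9e59c), are the same class of bug: the NULL check exists but is not positioned where it can protect the access. The added example below (not pluto's code, and not part of either commit message) puts the two broken shapes in comments next to functions that order the check correctly; struct demo_state, msgid_label and may_process_fragment are hypothetical stand-ins for pluto's struct state and its fields.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libreswan code: NULL checks that guard the access
 * instead of following it. */

struct demo_state {
        unsigned msgid;        /* stands in for st->st_msgid */
        int frag_capable;      /* stands in for the peer's fragment capability */
};

/* Inverted shape from the commit above:
 *     (st == NULL) ? st->st_msgid : ""
 * dereferences st exactly on the path where it is NULL. The INVALID_COOKIE
 * path legitimately has no state yet, so NULL must be handled, not assumed
 * away. */
const char *msgid_label(const struct demo_state *st, char *buf, size_t buflen)
{
        if (st == NULL)
                return "";
        snprintf(buf, buflen, "msgid %u", st->msgid);
        return buf;
}

/* Too-late shape from the fragmentation fix: reading st->frag_capable and
 * only then testing st == NULL means the check never runs on the bad input.
 * Returns 1 if a received fragment may be processed, 0 if it must be
 * dropped. The order of the tests is the whole point. */
int may_process_fragment(const struct demo_state *st, int ike_frag_enabled)
{
        if (st == NULL)             /* 1. no state to attach the fragment to */
                return 0;
        if (!ike_frag_enabled)      /* 2. per-conn ike_frag=no: refuse fragments */
                return 0;
        return st->frag_capable;    /* 3. only now read through the pointer */
}

int main(void)
{
        struct demo_state st = { 7, 1 };
        char buf[32];

        printf("no state: \"%s\"\n", msgid_label(NULL, buf, sizeof(buf)));
        printf("state:    \"%s\"\n", msgid_label(&st, buf, sizeof(buf)));
        printf("fragment with NULL state accepted: %d\n",
               may_process_fragment(NULL, 1));
        printf("fragment with state, ike_frag=yes: %d\n",
               may_process_fragment(&st, 1));
        return 0;
}
```

Reviewing for this class of defect is mechanical: for every pointer that can be NULL on some input path, the first thing that mentions it after it is produced should be the test, and a compiler run with -Wall plus a static analyser that tracks nullability will flag a dereference that precedes the check.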
commit 4d226e7c78305fe8b6554718bb06e1959c80a78c
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 8 19:32:10 2013 -0500
* ipsec.conf: Add documentation for ike_frag= option
commit e8f212ba5029ea093ff160058ded237e5ae75caf
Merge: d3459cf b771ac1
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 8 19:15:35 2013 -0500
Merge branch 'fragmentation' of vault.foobar.fi:/srv/src/libreswan into fragmentation
commit b771ac179fab828f4e35d964c3cf472b5217d440
Merge: 9748787 cd4aa64
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 8 19:15:07 2013 -0500
Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into vault_fragmentation
Conflicts:
testing/guestbin/swan-prep
commit 97487873be3fd2846dd3f17b3bf9cea40938b735
Merge: 0b6b498 54ec872
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 8 19:14:13 2013 -0500
Merge branch 'fragmentation' into vault_fragmentation
commit d3459cfda7a02bc946c251384af4e184be2a127a
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 8 19:12:25 2013 -0500
* vendor.c: mark st UNUSED in handle_known_vendorid
commit cd4aa6479bd9dfe7dfdc8583d743e402987161c5
Merge: 0b6b498 42a46c4
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 8 18:57:55 2013 -0500
Merge branch 'master' into fragmentation
Conflicts:
programs/pluto/demux.h
testing/guestbin/swan-prep
testing/x509/dist_certs
commit 42a46c43be90dda2c9054312ea6ebf915adeabbd
Merge: 61bd40d e0c6962
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 8 18:52:17 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 61bd40dfbe10337f65e7f690508850a49857e872
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 8 18:49:18 2013 -0500
* pluto: fixup pthread locking using lock_certs_and_keys()/unlock_certs_and_keys()
The code using lock_certs_and_keys()/unlock_certs_and_keys() was commented
out because it depended on LIBCURL which is not always present. A "fixme"
warning was issued.
But only the CRL code should depend on LIBCURL. So I re-instated the
pthread locking by moving these functions from programs/pluto/fetch.c
to lib/libswan/secrets.c
commit 54ec872a12a81ed3003155b35ec0d433ad9b362c
Merge: 2b997d7 961dc4e
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 8 18:32:24 2013 -0500
Merge branch 'master' into fragmentation
Conflicts:
programs/pluto/demux.h
testing/guestbin/swan-prep
testing/x509/dist_certs
commit e0c6962f636408cdd4600177c5ff0acd1284efe0
Author: Tuomo Soini <tis at foobar.fi>
Date: Fri Mar 8 23:36:08 2013 +0200
scripts: fix ipv6 default route split
commit be31894a46c6af0fea62e41c49c24d22ffe8f28a
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 8 14:15:20 2013 -0500
* pluto: Add pthread mutex locks to some logging functions
Some logging functions are calling non re-entrant functions. Until we've
caught them all, use a mutex to ensure threads aren't accessing them at
the same time.
Functions changed: libreswan_log() DBG_log() loglog() and fmt_log()
commit 12acc276f502ec0c9379cba5be158e22cbd1c28e
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 8 13:51:48 2013 -0500
* clarify logging example in ipsec.conf
commit 00c8c8e3a0918145b382370c7c08405906266e06
Merge: 2a97164 961dc4e
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 8 13:46:54 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 2a9716410c34e9786770d846ca6d6d53515bd197
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Mar 8 13:42:50 2013 -0500
* log XAUTH username on same line as Traffic statistics
In ipsec auto --status it shows up as:
000 #2: "redhat" esp.e4432d35@66.187.233.55 esp.a9433c16@172.20.10.2 tun.0@66.187.233.55 tun.0@172.20.10.2 ref=0 refhim=4294901761 XAUTHuser=pwouters Traffic: ESPin=474B ESPout=336B ESPmax=4095GB
when the connection goes down, it shows up as:
"redhat" #2: deleting state (STATE_QUICK_I2)
"redhat" #2: ESP traffic information: in=474B out=336B XAUTHuser=pwouters
Also, make humanize_number() static
commit 5b725c34ae3477c326474319a367f05171d7178c
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 7 19:43:01 2013 -0500
* Removed xfrm xuctx security context log message with incomplete format string
commit 961dc4eb72c221b6fa13c3799dc5b52a5305ba93
Merge: 4d7ce94 bd44e1c
Author: Tuomo Soini <tis at foobar.fi>
Date: Thu Mar 7 22:05:20 2013 +0200
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit bd44e1c18d1315f163655e324a5f14a34d830176
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 7 14:34:32 2013 -0500
* Bug 73 - extra logging from dpd packets after commit d18825150b
Fixed, and added a comment to ensure this isn't 'fixed' again.
commit 5627bf955e2f207c0097f0e3f45212da8e3c060d
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 7 14:17:04 2013 -0500
* threads: protect crypt() with a mutex
crypt_r requires -D_GNU_SOURCE. Not sure crypt_r is implemented under
OpenBSD and FreeBSD. crypt requires -D_XOPEN_SOURCE and thus should
be implemented on every Unix/Unix-like. The pthread library is even
implemented under Windows/Cygwin. It is implemented on Linux/HP-UX/Tru64
(both HP's Unix). So the pthread library should as well be under
OpenBSD/FreeBSD.
Patch by Philippe Vouters <philippe.vouters at laposte.net>
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit bdddc287874d7fe9a36c3ce6f66f93f37e7a7da4
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 7 14:07:31 2013 -0500
* xauth: crypt() can return NULL (ie in FIPS mode)
commit a1f1b5815cee2327183045d09d50cdf1a8c3f5cc
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 7 14:05:51 2013 -0500
* audit: add comment about false positive valgrind warning
commit 713deb1a7294f59134eda52a8eef1d14106dadbe
Merge: 5ede192 5291079
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 7 11:55:31 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 4d7ce94fd7f245ccfcb1d7ac3ee3afa2517aba71
Author: Tuomo Soini <tis at foobar.fi>
Date: Thu Mar 7 11:23:27 2013 +0200
scripts: remove whitespaces at end of the line
commit 52910798b6c8d81e3c57194901fc0397528ec846
Author: Tuomo Soini <tis at foobar.fi>
Date: Thu Mar 7 11:10:35 2013 +0200
scripts: fix hardcoded path in ipsec.in
commit fb534e5dc42faa26ede1331fb6e4365c8cebc091
Author: Tuomo Soini <tis at foobar.fi>
Date: Thu Mar 7 11:04:52 2013 +0200
initsystem: fix bashism in init scripts
commit ef11afa8971af1c5b4c2fd1039c89a0b94a6d08a
Author: Tuomo Soini <tis at foobar.fi>
Date: Thu Mar 7 11:01:18 2013 +0200
scripts: cleanup ipsec script and fix one bashism.
commit 5ede19293a9f604923dd135214258bbfe2c92ca5
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 14 23:15:49 2013 -0500
* simplify PK11_Derive_lsw() and squash a warning about an unreachable switch default
commit 819b129f617f94b27bbcd9f80ba51d491340091f
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 14 23:46:38 2013 -0500
* sprinkled a few passert()s to ensure conn name is not NULL
commit 578e6c4ad6d8c65182c27998b5526e2feb50dde4
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Mar 6 17:31:23 2013 -0500
* added testcase for basic-pluto-01 with valgrind
commit 4103f3b8a6b9a9dcaa51301c82cda5eb7fd381c0
Merge: cb798e0 e25f507
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Mar 6 15:41:10 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit cb798e0817fa5bf2a193dd0d158c860ba7ddfe18
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Mar 6 15:37:30 2013 -0500
* pluto: display the number of loaded/active connections in status
000 "redhat": prio: 32,32; interface: bnep0; metric: 0, mtu: unset;
000 "redhat": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "redhat": IKE algorithms wanted: AES_CBC(7)_000-SHA1(2)_000-MODP1536(5), AES_CBC(7)_000-SHA1(2)_000-MODP1024(2)
000 "redhat": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1536(5)AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "redhat": IKE algorithm newest: AES_CBC_128-SHA1-MODP1536
000 "redhat": ESP algorithms wanted: AES(12)_000-SHA1(2)_000; pfsgroup=MODP1024(2)
000 "redhat": ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "redhat": ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=MODP1024
000
000 Total IPsec connections: loaded 1, active 1
000
000 #2: "redhat":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 85643s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
commit e25f5079936682e1add8e8c0362497750c300ca4
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Mar 6 21:56:17 2013 +0200
fix typo in d18825150b042f7dbe2c25e85b1c0b6a949a663a
commit b4bbff0949ee9b5f225669b4cb6ec7058fc2e359
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Mar 6 21:28:18 2013 +0200
init.debian.in: fix wrong variable expansion
commit 4d75cf59b1b8264294c0d95d6f282c59ce672b83
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Mar 6 21:21:36 2013 +0200
plutorun: use correct variable for config file
commit 9664adc5d309055b1016d177f615aaf2241d69a4
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Mar 6 21:18:30 2013 +0200
stackmanager: remove extra then and finalize cleanup
commit 982e36711df044604e48a1a700cd1940a4b4c202
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Mar 6 20:36:09 2013 +0200
add changelog entry for bug#50
commit 6d534f25b26ade55c4c18c4029a85f7f610188bf
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Mar 6 12:49:57 2013 -0500
KLIPS: fix kmod building for rhel/fedora spec file versioning with arch
commit c382317f1e21a0939a1f01d7e9f29efd81066f15
Merge: d5a9176 ec3054f
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Mar 6 17:33:53 2013 +0200
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit d5a917623ce2fb58ca254dd9013c7c7a5532aa70
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Mar 6 17:31:00 2013 +0200
scripts: big script cleanup unifying coding style to new one where possible.
This cleanup also fixes multiple bugs in scripts.
Also this should fix libreswan bug #50.
commit ec3054f1c17e521adc38d452cfb9539c4a42fa65
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Wed Mar 6 03:07:39 2013 -0500
* address re-entrancy
- add NOT RE-ENTRANT comments where evident
- make bitnamesofb() re-entrant
- add a jame_str function to do what people try to use strncpy for
- replace confusing global buffer diag_space with local variables
- convert some file-static variables to function-static
commit 5d4e8cd79e147ca6e64f65852230e71b0378e300
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Wed Mar 6 02:04:03 2013 -0500
* tweak timetoa to make it more concise
commit 852a7c61cff495acbb1707cdb683f5bc4c787d65
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 5 14:49:36 2013 -0500
* testing: int/string issue in swan-prep
commit 418da26c1f5ffdd13cf3ea523bf7a69f295f6a17
Merge: 29999c3 896ff57
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 5 14:19:13 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 896ff57192f6846ef6864c5596d00ef200d76766
Author: Tuomo Soini <tis at foobar.fi>
Date: Tue Mar 5 21:18:50 2013 +0200
pluto: fix IPCOMP logging to be easier to read
commit 29999c34453352a80feaad787fd8b2961998cd52
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 5 14:17:27 2013 -0500
* fixup recently introduced check for rekey=no plus dpdaction=restart
commit 4dde1771e5e89cd80 to implement this never triggered because it
confused conn->options_set[X] and conn->options[X]
commit a0e4dd1a3a854286deef1ef876b94ea17b5d31f7
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 5 14:11:35 2013 -0500
* testing: added testing/klips/fixups/cut-postfinal.sed
commit 79a9a9d9a951d8cdd8a69d28ed37c94b7e34bd4d
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 5 13:35:28 2013 -0500
* lswconf.c: remove unused variable env
commit d18825150b042f7dbe2c25e85b1c0b6a949a663a
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 5 13:33:44 2013 -0500
* ikev1.c: code cleanup - as suggested by dhr on the mailing list
commit eeaf4d5c2cbf8257cce3ed5715581ef8ce518c77
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 5 12:25:18 2013 -0500
* libswan/pluto: don't use localtime/gmtime - not thread safe
Instead use localtime_r/gmtime_r
This resolves a crasher when many rekeys with XAUTH are happening,
and the do_authentication() call in the threads are logging a lot.
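The three thread-safety commits above (a mutex around the logging functions, crypt() wrapped in a mutex and checked for a NULL return, localtime()/gmtime() replaced by their _r variants) share one pattern: a non-reentrant call that hands back a pointer to static storage must either be swapped for the reentrant form or serialised, and its failure return must be checked. The following is an added example written for this page, not libreswan code; the function names (fmt_timestamp, log_append, run_concurrent_logging), the in-memory log buffer and the line format are assumptions. It formats timestamps with gmtime_r(), appends under a pthread mutex, and then lets several threads hammer the log and counts the lines that came out intact.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define LOG_CAP 65536
static char log_buf[LOG_CAP];           /* assumed in-memory log, stands in for the log file */
static size_t log_len;
static pthread_mutex_t log_mutex = PTHREAD_MUTEX_INITIALIZER;

/* Format t as UTC "YYYY-MM-DD HH:MM:SS" with gmtime_r(), never gmtime():
 * gmtime() returns a pointer to one static struct tm shared by every thread.
 * gmtime_r() can still return NULL (year does not fit in an int), so the
 * result is checked, the same way a crypt() result must be checked because
 * it returns NULL in FIPS mode. */
int fmt_timestamp(time_t t, char *out, size_t outlen)
{
    struct tm tm;
    if (gmtime_r(&t, &tm) == NULL)
        return -1;
    if (strftime(out, outlen, "%Y-%m-%d %H:%M:%S", &tm) == 0)
        return -1;
    return 0;
}

/* Append "<timestamp> <msg>\n" while holding the mutex; 0 on success. */
int log_append(time_t t, const char *msg)
{
    char ts[32];
    int rc = -1;
    if (fmt_timestamp(t, ts, sizeof ts) != 0)
        return -1;
    pthread_mutex_lock(&log_mutex);
    int n = snprintf(log_buf + log_len, LOG_CAP - log_len, "%s %s\n", ts, msg);
    if (n > 0 && (size_t)n < LOG_CAP - log_len) {
        log_len += (size_t)n;
        rc = 0;
    }
    pthread_mutex_unlock(&log_mutex);
    return rc;
}

struct worker_arg { int id; int count; };

static void *worker(void *p)
{
    struct worker_arg *a = p;
    char msg[64];
    for (int i = 0; i < a->count; i++) {
        snprintf(msg, sizeof msg, "thread=%d seq=%d", a->id, i);
        log_append((time_t)i, msg);
    }
    return NULL;
}

/* Run `threads` writers logging `per_thread` lines each, then count the
 * lines that are intact: a 19-char timestamp, a space, then "thread=".
 * With the mutex in place the count equals threads * per_thread. */
int run_concurrent_logging(int threads, int per_thread)
{
    pthread_t tid[64];
    struct worker_arg args[64];
    if (threads < 1 || threads > 64)
        return -1;
    pthread_mutex_lock(&log_mutex);
    log_len = 0;
    log_buf[0] = '\0';
    pthread_mutex_unlock(&log_mutex);
    for (int i = 0; i < threads; i++) {
        args[i].id = i;
        args[i].count = per_thread;
        pthread_create(&tid[i], NULL, worker, &args[i]);
    }
    for (int i = 0; i < threads; i++)
        pthread_join(tid[i], NULL);

    int good = 0;
    const char *p = log_buf;
    while (*p) {
        const char *nl = strchr(p, '\n');
        if (nl == NULL)
            break;
        if (nl - p > 20 && p[19] == ' ' && strncmp(p + 20, "thread=", 7) == 0)
            good++;
        p = nl + 1;
    }
    return good;
}

/* Small self-check helper: 1 if t formats to `expected`, else 0. */
int timestamp_is(time_t t, const char *expected)
{
    char ts[32];
    return fmt_timestamp(t, ts, sizeof ts) == 0 && strcmp(ts, expected) == 0;
}
```

Build with `gcc -pthread`. Removing the two mutex calls in log_append() and rerunning run_concurrent_logging(4, 100) is the quickest way to see interleaved, partially overwritten lines, which is the class of corruption the localtime()/crypt() static buffers produce under XAUTH rekey load.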
commit 9ff70cbb08ecb00c045354f80c6d44a46b62078c
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 5 11:52:49 2013 -0500
* testing: swan-prep: fix regression in killing old IKE daemons
commit 76ae9b534a24159f23da1fcc1043e14b3fa15192
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Mar 5 00:11:25 2013 -0500
* testing: sync up test case work.
commit 2ed580d33b18ee5dbd66c30856fb81c2a2f9cc36
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 4 23:53:29 2013 -0500
* testing: dotest logs RESULT now.
commit 04e006fd6e97005599ebc0cb00d0dac79c376849
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 4 23:52:51 2013 -0500
* testing: swan-prep: don't use lstat, it throws exception.
commit ff4dfee2c2c5cdf2e20e5afff45f618b7de02e1f
Merge: ece0d94 d666696
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 4 17:58:17 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit ece0d94d7e2f699fe6779b70d3ddc554914310ca
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 4 17:57:41 2013 -0500
* testing: make stackmanager call path independent
commit d666696d755b4fbd58fd7f68621abd9b6734f3fd
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 4 16:03:27 2013 -0500
* testing: lstat / testname/dir fix.
commit 8d406e98dd1be3272f4bd424902b20e6f2da3b62
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 4 15:36:00 2013 -0500
* testing: run swan-prep in each test, to assist manual test runs
It has been taken from runkvm.py so it is easier to run test manually.
Some better checks for the /tmp/pluto.log softlink as well
commit 426c47723f6a96e1e9dac3a13b2c01c089b3fdd0
Merge: 7542cd1 a7ff698
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 4 11:13:06 2013 -0500
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit 7542cd1cb5eab5eab955d3d7f4eaf6eac84a46b8
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Mar 4 11:10:40 2013 -0500
* testing: added four testcases for compression=
compress-pluto-01 is klips-klips with compress=yes
compress-pluto-02 is klips-klips with compress=yes/no mismatch (should fail)
compress-pluto-03 is netkey-netkey with compress=yes (should not fail but does)
compress-pluto-03 is klips-netkey with compress=yes (should not fail but does)
This shows a clear bug in kernel_netlink.[ch] with compress handling on NETKEY
(regression from osw 2.6.38)
commit a7ff69897209ccdc7ebaccb71d7e190190379e30
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Mar 3 20:44:39 2013 +0200
update changes for rpm spec file changes
commit 506a0d3b97f353aba2cd2eed3ef0996aa245a95e
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Mar 3 20:42:55 2013 +0200
packaging: add /etc/ipsec.d/crls and /etc/ipsec.d/cacerts dirs to rpm spec files
commit c821518211729228ee3b397632b7d24cf4dd9ea2
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Mar 3 12:38:55 2013 -0500
* testing: fixups of basic-pluto-0[134]
commit b42987f38600d68f90fcd275362791c3af379343
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Mar 3 12:10:30 2013 -0500
* testing: added host-prompt-sanitize.sed
commit 02c89c841f45e1acd9b90cd10626021589d4d0aa
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Mar 3 11:54:39 2013 -0500
* testing: basic-pluto-01 don't run duplicate swan-prep
commit cd113d3d11be3027806c5435d3cd7352890074d9
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Mar 3 11:49:39 2013 -0500
* testing: dotest.sh store RESULT in OUTPUT/
Also, at the start of the test, create the RESULT file with content "RUNNING"
commit 59cf5d47d2a04e442aa92897dab0b87dc0017c8b
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Mar 3 00:47:23 2013 -0500
* testing: fix version sanitizer
commit d2692a785fb2c4637ca431b4cd883a43f275f6e2
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Mar 3 00:46:22 2013 -0500
* testing: dotest.sh should pick different tcpdump iface for north tests
commit 6d1594d509e859f99f4859a4f057a20e488280ee
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Mar 3 00:45:47 2013 -0500
* testing: fixed basic-pluto-03
commit cda1132a8e30d14d3c04ab287d81bf637cf974cc
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Mar 2 23:32:16 2013 -0500
* testing: fixup klips-spi-sanitize.sed to replace all esp.XXXXX occurrences
commit 6c95cc11947399a28f704148b579066e098b6af0
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Mar 2 22:37:40 2013 -0500
* testing: basic-pluto-03 converted to kvm style
commit 84327a996a94d1c79426c5742218c637b798d264
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Mar 2 22:36:06 2013 -0500
* testing: sanitizer fixup for "Starting Pluto" without pid.
commit 3a28e178f34d460466306d0bc91a2f1ef6caec30
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Mar 2 18:24:57 2013 -0500
* testing: dotest.sh would abort when nic was in use.
The following would terminate dotest.sh
if [ -n "$NIC_PID" ] ; then
kill -9 $NIC_PID
fi
Commented out
commit 16789b973974c0fff9a89876ba8d7130c9ca0bda
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Mar 2 18:23:43 2013 -0500
* testing: remove leftnexthop= from left=%any setting in ipsec.conf.common
commit e78c346c1c2f2e0fb00c613fb04b51360732da14
Merge: f5b7db1 7f3fa6c
Author: Antony Antony <antony at phenome.org>
Date: Fri Mar 1 20:37:44 2013 +0200
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 7f3fa6cc56c28a24cd4f71a7c77c6f3d0cc8de3d
Author: Tuomo Soini <tis at foobar.fi>
Date: Fri Mar 1 20:21:15 2013 +0200
fix: crlcheckinterval value is time, not number
commit 86fe4d1afa7a33de799c381e872b263f843110a8
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Thu Feb 28 23:09:36 2013 -0500
* add comments describing protocol for Informational Exchange
commit 3d3594f5406260e91d8732cdbc9ccd20f87dbc67
Merge: a65a4e6 ab5d717
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Thu Feb 28 23:07:10 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit a65a4e6e21058c78bb6921b16c4568af326059ce
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Thu Feb 28 23:01:36 2013 -0500
* struct msg_digest: clarify that some fields are only for ikev1 and some are only for ikev2
commit ab5d71709978bcdf4bed7d2927afc8f6c03aa571
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 28 18:08:26 2013 -0500
* stackmanager: don't do anything without kernel module support
commit 67de91d21fe22515a17fdc0878186dd49b7d7e84
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 28 10:46:51 2013 -0500
* testing: runkvm.py: give the prompt a 0.5ms margin to appear.
This secret sauce seems to make final.sh happier.
commit 9cee42c35d4ece93db1f8cadda6877d369b3b993
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 28 10:28:37 2013 -0500
* testing: runkvm.py Attempts to grab serial reduced from 200s to 20s
This was put in by mistake by me. Also removed the implicit default
for hostname to east
commit c7d0d0d5cf165b60be77dfb75d4fe40eacc79194
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 28 10:25:06 2013 -0500
* testing: runkvm.sh also needs full prompt for running final.sh
commit f50caa292f0de28efc2c5330fb9decd0e8b25ae4
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 28 00:15:58 2013 -0500
* documentation: updated stock ipsec.conf file
commit 43e1428e8c5b070b2dd109a99ad3a4c718a8cacc
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 27 23:45:00 2013 -0500
* testing: Figured out the occasional mangling of lines!!
The cause was that we were waiting in the expect loop on the prompt
to return, to then send the next line. But the prompt was defined
as "root@hostname", even though it was "[root@hostname testname]# ".
probably the [] were left out because within expect that also has
meaning so you have to protect them using \[ and \]
With matching the full prompt now, I managed to run basic-pluto-01
5 times in a row without seeing the mangling anywhere.
commit eee8e35e170f32d9d9a568f141bb76668c660c8a
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 27 23:44:14 2013 -0500
* testing: north gets a new raw rsa key that's in NSS
commit aad9f13140ed57b2c6f3fccb85682d0226d390fb
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 27 23:14:45 2013 -0500
* testing: remove unused virtinstall-base
commit 3dcf525c51d81c44b88bd389bc74fc2e671d05b5
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 27 22:59:58 2013 -0500
* testing: dotest.sh now logs results to testname/RESULT
commit ba895127bf6fa79d5f37d8b522f0d577b81aa24e
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 27 21:52:30 2013 -0500
* testing: Make dotest.sh and runkvm.py a little more robust
I was regularly seeing "hangs" and a failure for a test case to take
control of a VM. These changes resolve the hangs for me and improve
the output for humans to figure out what's going on.
We used the serial console to reboot a VM, now we use virsh reboot
directly. When we still had something running (eg ipsec auto --up retrying
a long time) our reboot command would never arrive.
Related, we now hit return and ctrl-c when reconnecting to the
VM. Additionally, we run stty sane because the console's tty insanity upon
reconnect seems to cause what we called "flow problems" in the output.
Use setproctitle to rename the runkvm.py processes (called python) to
"swankvm". This allows us to "killall swankvm" at the start of a test
to kill any lingering python scripts from previous runs. We also kill
any remaining tcpdump processes.
Prepend the prompt (hostname@testname:) for all output to the shell
running the test, to make it easier for the human to see which of the
running hosts is generating the output while the test is running. This
does not change the output in the test OUTPUT/ directory
wrap all child.expect() calls into a try: / except: statement, so we can
just throw a human readable error, instead of a python stack trace that
scrolls off the screen, especially when sharing a screen with 'screen'.
When expect is waiting on either the login: prompt or the root prompt,
act differently based on which we actually get back. Only attempt to
login when we did not get a root prompt.
Move deletion of /tmp/pluto.log and symlink from runkvm.py to swan-prep
Also reboot "nic" for each test so it properly clears the iptables and
conntrack tables.
Reduce the timeout values for expect so failing tests fail a little quicker.
Before this it would take minutes to fail.
Clearly notify failure/success for gaining access to a VM.
When hitting return to get a shell prompt, also attempt ctrl-c
commit 99767039c33ee7bf73fea5594dec339de4bc8f46
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 26 21:12:17 2013 -0500
* testing: basic-pluto-01 fix in eastinit.sh to use rm -f not rm -r
commit b00165aa6eb21bcbf016c25efbd6355afb3c969c
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date: Mon Feb 4 16:41:02 2013 +0100
* XAUTH: remove modecfg* from sa_policy_bit_names
They were only removed from pluto_policy in commit c015d1a038546a5c32d9a36d16462d490108e254.
commit 840b15e445a5544f8446d010f9d3ee3d16ca0f01
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 26 16:40:55 2013 -0500
* testing: basic-pluto-01 showed wrong policy name for SAREFTRACK and IKE_FRAG
commit 06564f0fff2d6ddd99e1e1da2d9064db36fabb9d
Author: Tuomo Soini <tis at foobar.fi>
Date: Tue Feb 26 16:23:12 2013 +0200
Fix ipsec.secrets.5 man page name which was broken by
8a0165bd09ce2e7328abbc95dfab14b855f84526
commit f9039425c342523d86d43eb566e7024585c5c2fb
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 26 01:54:25 2013 -0500
* testing: fix harmless typo in dotest.sh
commit e82619d2410083e2f8b638d12acf0763ace382fa
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 26 01:43:03 2013 -0500
* testing: basic-pluto-01 now passes on bofh.nohats.ca.
commit dec81090c44f70a7225e33c068b1045d5c5e5681
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 26 01:38:01 2013 -0500
* testing: fixup of runkvm.py
I had introduced the skipping of lines starting with "#" a while ago
to fix text flow issues, but that caused us to not put in the markers
in the console log for # --- cut --- and # --- tuc --- and we would
end up with too much for the sanitized console.
runkvm.py also called ipsec whack shutdown, even though we do that already
in final.sh. And for non-pluto userlands it would need to be different anyway.
And for some tests (eg netkey) we want to test if the ip xfrm tables are
empty afterwards, so it is not necessarily the last action we want to do.
So leave it up to final.sh to do the shutdown.
commit 0cdfdf67e0114ff12188b073cc72a8aac4e9d75b
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 26 01:30:51 2013 -0500
* testing: add esp.XXXXXXXX syntax to klips-spi-sanitize.sed
commit dd1ccbc6433488b2f2c4b39fda8e0925401b9eb6
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 26 01:29:52 2013 -0500
* testing: cut out kernel AVX/padlock detection messages in kern-list-fixups.sed
commit e29b8a5c04fb14a26c79db59f8919f4596ea4e3d
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 26 01:29:06 2013 -0500
* testing: add EST and UTC timezones to ipsec-look-sanitize.sed
commit 17891b5bff97a4e77a6cd8c3859f8e6f6090377c
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Feb 25 22:59:36 2013 -0500
* testing: fix dotest.sh to properly find functions.sh
commit 5bee229727e8b59fb85b25d829893e8c7a03048b
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Feb 25 22:58:30 2013 -0500
* testing: libvirt: generate X509 certs, fixup libvirt net create, nic vm
commit b0332e34e0a704604ce9c02765e6c89d80bbcae1
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Feb 25 22:58:04 2013 -0500
* testing: add host entries to VMs for north/west/east/road/nic
commit 80683a439e5190ba94c9556997c7b3a0f152ab7d
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 24 17:26:50 2013 -0500
* testing: flat.conf fixups
commit e7aaedcd1ec1cf6f0a0a169ce874bb70bfed2796
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 24 17:24:55 2013 -0500
* testing: swan-prep needs glob and pexpect
commit 501596dfec6d4692030c9a39c39cc8a4bec0879d
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 24 17:24:28 2013 -0500
* fixup ipsec.conf.common path
commit 7fe25c551be7566d25437495b0ed70e6861176c4
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 24 17:06:02 2013 -0500
* testing: initialise the nss database in swan-prep
commit 6c7a6a400579a235b9ffe9d7238a09467a0bee88
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 24 17:05:16 2013 -0500
* testing: add north to sanitizer
commit d38ad8a048a9ca3a93f7349474feb6ee53718c4c
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 24 16:38:53 2013 -0500
* testing: remove default testname from swan-prep for autodetect, fix typo
commit 2fb6cd5073abd23633f8429cd42d246127341695
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 24 16:35:57 2013 -0500
* testing: support north as initiator
commit a5872b4fb00435df924079ca674ba4bc2ad395b0
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 24 16:30:17 2013 -0500
* testing: fix all occurrences of ipsec.common.conf
Fix them to point to /testing/baseconfigs/all/etc/ipsec.d/
commit 3df2893c9a3330762abd033269ee33745df00e2a
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 24 16:21:08 2013 -0500
* testing: add pexpect to VMs for Fedora 17
commit 77ee60ec235fbace1748d558ede4914c24c0f708
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 23 22:20:50 2013 -0500
* testing: pull up nat-pluto-01 from addresspool branch
commit 4dde1771e5e89cd80c60f97683659d6d1e3671b3
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 23 22:17:07 2013 -0500
* DPD: Do not allow dpdaction=restart/restart_by_peer for rekey=no
Do not allow DPD to restart/initiate a connection when the policy is
rekey=no. If this is configured by the user, log a message and use
the default dpdaction of "hold".
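The rekey=no plus dpdaction=restart check introduced here, and the later fix-up commit that found the original never fired because options_set[] and options[] had been confused, are a good illustration of why a presence flag and a value must never be read interchangeably. The following is an added example, not libreswan code: the option slots, the dpd_action values, the struct layout and the names effective_dpdaction/effective_dpdaction_buggy are assumptions modelled on the two arrays the commit messages name. It shows the working check next to the shape of the mistake, and why the mistaken form can never match a restart action.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed option slots and values for this example. */
enum conn_opt { OPT_REKEY, OPT_DPDACTION, OPT_MAX };
enum dpd_action { DPD_CLEAR = 0, DPD_HOLD = 1, DPD_RESTART = 2, DPD_RESTART_BY_PEER = 3 };

struct conn_opts {
    bool options_set[OPT_MAX]; /* keyword present in the conn section? (0 or 1) */
    int  options[OPT_MAX];     /* parsed value; meaningful only when options_set[] */
};

static bool dpd_is_restart(int a)
{
    return a == DPD_RESTART || a == DPD_RESTART_BY_PEER;
}

/* Effective dpdaction.  rekey=no must not be combined with a restarting
 * dpdaction, otherwise DPD re-initiates a connection the policy says not
 * to re-establish.  Fall back to hold and report it.  An unset rekey=
 * means the default (rekey=yes), so the restriction does not apply. */
int effective_dpdaction(const struct conn_opts *c, char *warn, size_t warnlen)
{
    int action = c->options_set[OPT_DPDACTION] ? c->options[OPT_DPDACTION] : DPD_HOLD;
    bool rekey_no = c->options_set[OPT_REKEY] && c->options[OPT_REKEY] == 0;

    if (warnlen > 0)
        warn[0] = '\0';
    if (rekey_no && dpd_is_restart(action)) {
        snprintf(warn, warnlen,
                 "dpdaction=restart/restart_by_peer ignored with rekey=no, using hold");
        return DPD_HOLD;
    }
    return action;
}

/* The mistake class described above, kept as the "before" shape (an
 * illustration, not the project's code): options_set[] is a presence flag,
 * 0 or 1, so testing it where the value was meant can never equal
 * DPD_RESTART (2) or DPD_RESTART_BY_PEER (3).  The guard is dead code and
 * the dangerous configuration passes through unchanged. */
int effective_dpdaction_buggy(const struct conn_opts *c)
{
    int action = c->options_set[OPT_DPDACTION] ? c->options[OPT_DPDACTION] : DPD_HOLD;
    if (!c->options_set[OPT_REKEY] && dpd_is_restart(c->options_set[OPT_DPDACTION]))
        return DPD_HOLD;        /* never reached */
    return action;
}

/* Constructed input equivalent to "rekey=no" plus "dpdaction=restart". */
struct conn_opts sample_rekey_no_restart(void)
{
    struct conn_opts c;
    memset(&c, 0, sizeof c);
    c.options_set[OPT_REKEY] = true;     c.options[OPT_REKEY] = 0;
    c.options_set[OPT_DPDACTION] = true; c.options[OPT_DPDACTION] = DPD_RESTART;
    return c;
}

int check_fixed(void)
{
    struct conn_opts c = sample_rekey_no_restart();
    char warn[128];
    return effective_dpdaction(&c, warn, sizeof warn);   /* DPD_HOLD, warn filled */
}

int check_buggy(void)
{
    struct conn_opts c = sample_rekey_no_restart();
    return effective_dpdaction_buggy(&c);                /* DPD_RESTART slips through */
}

/* rekey= left unset (default yes) with dpdaction=restart is allowed. */
int check_default_rekey(void)
{
    struct conn_opts c = sample_rekey_no_restart();
    char warn[128];
    c.options_set[OPT_REKEY] = false;
    return effective_dpdaction(&c, warn, sizeof warn);   /* DPD_RESTART */
}
```

The practical check when reviewing option-handling code of this shape is to grep for options_set[ ] on the right-hand side of a comparison against anything other than true/false; a presence flag compared with an enum value is almost always the bug the fix-up commit describes.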
commit 62e53fd9a384c1b2faac2d066522864fe2e35520
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 23 21:38:55 2013 -0500
* NAT-T: Added more debugging lines in DBG_NATT category
commit f5b7db1472324b74bded8e73bb0b834eed6c6dbf
Merge: 087f529 211996f
Author: Antony Antony <antony at phenome.org>
Date: Fri Feb 22 13:07:56 2013 +0200
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 211996f47a2efce92d656ddb95e85d967cc48254
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Feb 22 00:27:07 2013 -0500
* testing: remove obsolete netjig documentation
netjig was used with uml in the past, but the current kvm setup
does not use it anymore.
commit e1dfe1ad49caec945a439d1e158f302a9676f820
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 21 20:50:24 2013 -0500
* testing: filter STP from tcpdump
commit 23a4c0d9e497fe7875558e63a5b7624e9a5878bd
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 21 16:15:23 2013 -0500
* testing: Fix north's IP address and east's nexthop for east-north cases
The configuration and documentation (testnet.png) mismatched and caused
nat-pluto-01 to fail as north could not orient itself to its bogus IP
address.
commit 9c32f2fec0f77aafc198019ee30001fe7206feb4
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 21 16:02:37 2013 -0500
* testing: fix paste error in gateway setting for north's baseconfig
commit d6bd8efb010727aaa3bb918f1ecad8545ea77d68
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 21 15:04:21 2013 -0500
* testing: swan-prep tries to determine testname on pwd if not specified
This saves us from needing to set/export TESTNAME and makes copying
test cases easier.
commit 3612a6dd5abd5b683bac41dc8094f99b2af9fc67
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Feb 20 23:29:19 2013 +0200
rhel: fix debug package creation
commit 737734f8e2fd25180056936e78f915e97539759f
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Feb 20 23:05:09 2013 +0200
rhel: libreswan.spec cleanup
commit 0b6b498f8f80782929583b7fe6a28daba058eae0
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 20 10:53:51 2013 -0500
* fragmentation: Remove spurious Racoon non-ESP marker
During testing we found that racoon sometimes adds a bogus non-esp marker
to the IKE packet. This confuses libreswan, because it causes the ICOOKIE
to not match to an existing state.
We assume now that if the ICOOKIE starts with 00 00 00 00, that it is
such a bogus marker, and we use out_raw() to remove the 4 bytes from
the packet stream. However, it still looks like racoon gets it wrong,
because the ISAKMP header is still not properly formatted.
We're still investigating
commit be27d31e1e9997d2d48cada82f2b1f9a45548e08
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Feb 20 11:11:46 2013 +0200
out_sa: fix syntax errors caused by 249fbd0eda68d71e466812ea8298dc28f6235d74
commit 9bcb72743bdd0b007ceb1873c4582f512985b1e8
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Feb 20 00:08:29 2013 +0200
update CHANGES for X509: Warn 14 days before certificates expire
commit 747190592b92a4383d7095637e28a9c6dd2034c0
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Feb 20 00:06:01 2013 +0200
checkpubkeys: warn 14 days before public keys expire
commit 62402104e4b280bf0deab23950d00ea0ed47cd06
Author: Tuomo Soini <tis at foobar.fi>
Date: Tue Feb 19 20:35:18 2013 +0200
makerelease: fix git archive command to work with older git versions.
commit 2b997d71d48c9ed794aaebd25beea69a3e51871c
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 16 15:25:11 2013 -0500
* DPD: clarify log message is about a DPD event
commit 2ca5e969c230eabdf3aae14154ec8333e7568123
Merge: d992d7b 1e9faef
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Feb 15 14:12:48 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit d992d7bb2ec313c63e77bd9de07af697b629ef5a
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Feb 15 14:11:45 2013 -0500
* DPD: Don't try to delete non-events
This happened only when we were just firing up the phase2. It was
ignored, so this is mostly a cosmetic fix.
commit 1e9faef52b7b4cea87adc43a78a0985c2c59a428
Merge: 9ad72f1 e7bb0e2
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Feb 15 11:34:42 2013 -0500
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit 9ad72f16ccacd721c4c85d281843302a3594ea86
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Feb 15 11:33:36 2013 -0500
* IKEv2: narrowing used a wrong port range in determining bestfit
This could lead to narrowed proposals failing.
commit 6f3c006ba72cecb30234264c01302126e73c2235
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date: Fri Feb 15 14:53:06 2013 +0100
* removed redundant vendor id logging
the used vendor id is logged twice because of a removed return
in 75269b8de30ae6368c41d5c53e25631ed2e20cc8
e.g.
received Vendor ID payload [RFC 3947]
received Vendor ID payload [RFC 3947]
commit 738701a89b3e391b5773fcc4f8ac7b49203e9694
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date: Fri Feb 15 10:59:45 2013 +0100
* IKEv1: fragmentation never fragment initial main mode packet
If the first packet is fragmented the peer ignores it
"packet from 10.0.11.203:500: received IKE fragment, but have no state.
Ignoring packet"
This can either happen with force on or when pluto
changed the policy to force after receiving a fragmented packet and the
initiator starts the phase one rekeying.
The first packet exceeds ISAKMP_FRAG_MAXLEN fast with all the proposals
and vendorids.
10:05:15.519781 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 640)
10.0.11.203.isakmp > 10.0.14.204.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie f7490449d6831ca1->0000000000000000: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=12
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp2048)(type=keylen value=0080))
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp2048)(type=keylen value=0080))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp2048))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp2048))
(t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1536)(type=keylen value=0080))
(t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1536)(type=keylen value=0080))
(t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1536))
(t: #7 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1536))
(t: #8 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1024))
(t: #9 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1024))
(t: #10 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1024)(type=keylen value=0080))
(t: #11 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1024)(type=keylen value=0080))))
(vid: len=12 4f454e584468416b74625a76)
(vid: len=16 afcad71368a1f1c96b8696fc77570100)
(vid: len=16 4048b7d56ebce88525e7de7f00d6c2d3)
(vid: len=16 4a131c81070358455c5728f20e95452f)
(vid: len=16 7d9419a65310ca6f2c179d9215529d56)
(vid: len=16 90cb80913ebb696e086381b5ec427b1f)
(vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
(vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
commit e7bb0e20f3815d43c0cbbc4b973df1f59141a3a3
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Fri Feb 15 00:48:01 2013 -0500
* in oakley_alg_makedb, gsp is already NULL enough (Coverity Scan)
commit f860cc7f360d34196c30ac408c275f608903b118
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Thu Feb 14 23:44:01 2013 -0500
* fix type error in init_nat_traversal (found by Coverity)
commit e3570cae16ab9e6a111f0b12bafe2f96eb11d5f4
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 14 22:06:11 2013 -0500
* fix for printing a ";" in ipsec auto --status
Introduced in 9ac4101f
commit 249fbd0eda68d71e466812ea8298dc28f6235d74
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 14 22:01:52 2013 -0500
* pluto: more missing checks for failing out_raw() / out_struct() calls
commit 7adaad527de3a005a7bf989a6a6e8fee4a79ab25
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 14 19:42:02 2013 -0500
* IKEv1: fragmenting comment out stripping non-ESP marker
The code states "Strip non-ESP marker from first fragment", but
it only stripped out 1 byte, not 4 bytes. We expect this code
is never triggered, so it is commented out for now.
commit d402bd16fb0c85f441dbaf2e0023d1dcf7665cba
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 14 19:39:14 2013 -0500
* IKEv1: fragmentation non-ESP marker is 4x 0x00, not 0xFF
commit b67dbad175df9009a4bd4fb7c567a05956c4e9ab
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 14 15:37:47 2013 -0500
* xauth: fix indentation of CISCO_SPLIT_DNS and }
commit 5ac0162adc886f713f600671029c66c57567cf09
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 14 15:12:44 2013 -0500
* XAUTH: Added missing return code checks for out_struct/out_raw
We were not always checking the return code of out_struct() and
out_raw() in the xauth processing states. So we could have failed
to construct a part of the packet, and continued without returning
STF_INTERNAL_ERROR
commit 3782879b074c88dd1ea0dbae8de41ece28a5108f
Merge: 0df29df 02c3afc
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 14 14:32:55 2013 -0500
Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into fragmentation
commit 5b5576f6299de8f0b2e3c7099942c4c6bf9d6a18
Merge: f1c2510 158a418
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 14 13:39:01 2013 -0500
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit f1c25101e80783cf1625f47c5c8724e626a3770d
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 14 13:38:06 2013 -0500
* document the retransmits=yes|no option for the ipsec.conf man page
commit 158a418b7606b45f449c45df0815443d3668528d
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 14 12:57:52 2013 -0500
* IANA: Added note about our PEN number 41286
commit 02c3afcca6ac4bf5cb61ba179c3ef703826a3976
Merge: 1ddb6c8 e749530
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 14 12:38:47 2013 -0500
Merge branch 'fragmentation' of vault.foobar.fi:/srv/src/libreswan into fragmentation
commit 1ddb6c8d500d8d6a2a1faf34392e2e3dd5939d41
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 14 12:24:02 2013 -0500
* IKEv1: if receiving fragments, immediately respond with fragments too
commit 0df29dfd10401ec39e59d00310d17d8af29b9e4d
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 13 22:02:18 2013 -0500
* testing: import glob for swan-prep
commit e7495301464ef1aebb50691aab77a033bbc8a9a6
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 13 21:53:43 2013 -0500
* testing: add python expect to the guest package list (for swan-prep)
commit 2e388ba3fa4bf9a81029ea984cd3679e6a612c42
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 13 21:47:25 2013 -0500
* testing: pexepect -> pexpect
commit cf47612b6417e782daa1059b797d70759079ea4a
Merge: dafcba8 55f1d3f
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 13 21:46:22 2013 -0500
Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into fragmentation
commit dafcba8527cca0c78be1c8c799ab37abc68ffd55
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 13 21:43:57 2013 -0500
* testing: swan-prep was importing p12 files without starting fresh
It also caused it to prompt for a password when initiating the nss
db files. It now runs it through pexpect to create it, then fills
it in with the right p12 file.
Currently it then imports the public certs of east, west and road.
This is needed for rightcert=XXXX when there is no CA and certs
don't come in over IKE. Test cases that want to use the CA should
delete these public certs.
commit 55f1d3fb9225b823c38dcf6ae6dd2fd1e3f2277d
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 13 21:16:02 2013 -0500
* testing: not all files were git add'ed for x509-pluto-frag tests
commit 972f233ebd348c3c128417646d382dda88ebb448
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 13 21:07:18 2013 -0500
* testing: fix typo for "can't idenity INITIATOR"
commit 6ea2584c5886cca5d3ac6c14ccb6e26d3b245652
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 13 14:16:36 2013 -0500
* remove temporary debug line
commit a27ab0914536f760e7207566d53dd6fcaf5bde02
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Wed Feb 13 12:15:47 2013 -0500
* fix send_packet's packet length reporting
commit 6967f4e1aa1499d5499be5bfd047644342ec1118
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 13 00:37:48 2013 -0500
* testing: add road to dist_certs
commit 6af094e7c1c50288a23d99e9fdd8f5e05f155eed
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 13 00:37:07 2013 -0500
* testing: updates testcases for fragmentation support
commit 087f5293b82fe46e4eb23db1aeb3255b02c21637
Merge: a580f91 94669a3
Author: Antony Antony <antony at phenome.org>
Date: Wed Feb 13 03:30:51 2013 +0200
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 65b49c0f7852f3ea463727c61e5d3a4470d1f34a
Merge: d0099d5 94669a3
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 12 16:49:18 2013 -0500
Merge branch 'master' into fragmentation
commit 94669a3ead39c02ca91a10f313345f0a585d4540
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 12 16:46:36 2013 -0500
* XAUTH: MODECFG and MODECFG_DNSWINS defines did not make it into lib/
This caused some modecfg code in the parser to not actually load
left/rightmode{server|client} parameters properly.
commit 4cc68a54ed8402462eeff10fe05e801a1f6fde7b
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 12 16:34:36 2013 -0500
* XAUTH: improve ipsec auto --status for xauth/modeconfig
Now shows all xauth/modecfg info
commit d0099d52f2bfe4538bdcc50ad272d5f83a8cfc5a
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 12 16:28:38 2013 -0500
* added comment with xauth draft name
commit 30da6123acd345efcbfe4fdd76fe3ff5ea6a6108
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 12 11:48:31 2013 -0500
* testing: swan-prep did not handle multiple daemons matching for kill
commit a580f917eff48c97f759f750a6ac797655904064
Author: Antony Antony <antony at phenome.org>
Date: Tue Feb 12 09:14:56 2013 +0200
*testing : add road dist_cert
runkvm won't run shutdown; it could be in final.sh
commit 2999cad7acd808bfb02b7872bb69f81133ba94d6
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 10 22:30:08 2013 -0500
* added iphone5 success log for reference in the future
commit a04aae69304b86579ac47f555402194629118229
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 10 17:52:59 2013 -0500
* fragmentation: store seen_fragvid in md first, fix force policy
When reading vendorids on the first packet, we don't have a state
yet, so apparently we store things in the message digest (md) first,
then copy it into the state for persistence.
Hugh's reformatting/refactoring missed the check for checking for
having seen the fragmentation vendorid at the peer, and used the
wrong policy flag to check for the "forced" scenario (where we send
fragments despite not having seen the vendorid)
commit 9cca3bfb55674a1eea8f77d0e822701c42e4d68c
Merge: 2ad979a 3a61bbf
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 10 16:53:55 2013 -0500
Merge branch 'master' into fragmentation
commit 2ad979a67da4fdfe597eb78c3293e461440c51d5
Merge: 07bec55 a6a380d
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 10 16:51:13 2013 -0500
Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into fragmentation
Conflicts:
programs/pluto/server.c
commit a6a380dd257d296bd10ec25c22a565cbec194618
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Sun Feb 10 11:15:53 2013 -0500
* improve send_ike_msg logic
Simplify handling of keepalive.
Make fragmentation logic only work for IKE V1.
Clarify that resend_ike_msg is only for V1.
commit fff9986fb2c187c2323050a0abd75dedea6aec8e
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Sun Feb 10 01:26:46 2013 -0500
* refactor send_packet
Renamed send_ike_msg since that is what it actually does.
Variants resend_ike_msg and send_keepalive created to capture relevant distinctions.
Broken down into layers, simplifying complex and buggy logic and reducing duplication.
Touched up source formatting, again.
(Added a couple of consts missed due to bad makefile dependencies.)
commit a023b4cba4b06f3a1e8b08de0ac72dc16dc11953
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Sat Feb 9 21:52:01 2013 -0500
* improve vendor.c
Eliminate leading _ from _vid_tab and _hexdig.
Make out_vendorid and out_vid return bool, as they are declared to do.
Clarify and simplify out_vendorid and out_vid.
Shrink the scopes of i and j in handle_known_vendorid.
Replace two memsets with two simple assignments.
Add const to pgp_vendorid's type.
commit 75269b8de30ae6368c41d5c53e25631ed2e20cc8
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Sat Feb 9 21:01:25 2013 -0500
* tidy vendor.c
Rename vid_usefull as vid_useful.
Change code to reflect that vid_useful is a bool.
Make initial value of vid_useful TRUE to reduce code.
Eliminate confusing early returns from handle_known_vendorid.
Regularize some formatting.
Narrow the scopes of some variables.
commit 511a02ebd2992baf7bd5b9e84c3e96495b4389f5
Author: root <pwouters at redhat.com>
Date: Sat Feb 9 16:14:39 2013 -0500
* WIP: Store FRAGMENTATION vendorid and fixup resending logic
commit 3a61bbf9ca3f26e68dfb4155d676db303438b5ac
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 9 16:13:22 2013 -0500
* XAUTH: More elaborate logging of error conditions in do_pam_authentication()
commit 071a8c6de9ff03e2163cfa1e5965f2044ba5ce61
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Sat Feb 9 14:07:44 2013 -0500
* improve frag code
Detect when marshalling cheat will fail.
Simplify and clean up code.
commit 07bec55dc7fde0a60ec990471432174235c05ac2
Merge: 298724d 3789f66
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 9 13:53:39 2013 -0500
Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into fragmentation
commit 298724d671abb2492764c9dcef7372a56e1e478a
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Feb 8 13:35:37 2013 -0500
* remove dead code in kernel_mast that used to configure mast0
It was triggering a checking script for "ifconfig" usage despite
it being ifdef'ed out.
commit 90d774516467ed15e74d74161b528110d181ba70
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 7 23:35:23 2013 -0500
* ike frag: document ISAKMP_FRAG_MAXLEN and ISAKMP_FRAG_FLAGS
commit 251296bba18fd33964246f34782762fc8785e214
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 7 23:33:31 2013 -0500
* ike frag: fixup logging calls and add pointers to online documentation
commit 3789f664446e6be4d48099a5b1e380d32be2dc9b
Merge: dc05619 eaeb0a7
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 7 23:14:11 2013 -0500
Merge branch 'master' into fragmentation
commit eaeb0a735d08e17ae46fb424cb30230190d433a4
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 7 14:21:05 2013 -0500
* XAUTH: Example file to authenticate against PAM over HTTPS (eg FAS)
commit 0824fa962a9c10d70877350eef82a4a927b579e6
Merge: 648fc1e 6bee4c2
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 7 23:02:28 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 648fc1eed4decbfe3520f69927e12ad4af34b3e3
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 7 23:01:39 2013 -0500
* XAUTH: Added xauthfail=hard|soft option
Also some minor fixes of #ifdef XAUTH
commit 2626f3254ff002f6a50f605e9ffb44dd7e537b18
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 7 23:01:31 2013 -0500
* updated changes
commit dc0561989f4d031af6907d2b6cf69095550aaa18
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 7 14:21:05 2013 -0500
* XAUTH: Example file to authenticate against PAM over HTTPS (eg FAS)
commit 4cd596ffa85ada225328725747567f837d34f2d5
Merge: 0413b15 6bee4c2
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 7 09:56:20 2013 -0500
Merge branch 'master' into fragmentation
commit 0413b15545c06d4dd555298189390f7c1d7a263f
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date: Thu Feb 7 14:17:19 2013 +0100
* fragmentation: revert the changes at the state_microcode_table
Revert the first change from commit
f0dce92c26df14561bac81ab0e530fb6794fa5d9.
It is no longer needed with the latest changes.
commit dd2ef476a663954d59ba75bf299d7956985fcba5
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date: Thu Feb 7 14:12:57 2013 +0100
* fragmentation: changed behaviour when fragments are sent
The query in ikev1.c is no longer necessary, the decision is
completely made in send_packet (server.c).
Maybe an additional state check is necessary.
commit 6bee4c2f0603e8e7aca6d5fa8c3fbf2c03714415
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 7 02:59:59 2013 -0500
* testing: swan-prep tried to kill pluto twice, instead of charon
commit aa6b33a32261da156ea158d05574848d61b4ebfb
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Thu Feb 7 02:12:43 2013 -0500
* IKEv1: ike fragmentation should not use st->st_suspended_md
This code is based on racoon code, which strongswan also uses, and they
all make the mistake of using sizeof(struct ) and offsets for wire format.
Simplify the handling of the non-ESP Marker using NON_ESP_MARKER_SIZE
Rename and moved variables to reduce their scope
Don't rebuild the ISAKMP header for the IKE fragment from scratch, but
use the existing IKE header, with small changes.
Retrieve the stored unfragmented IKE packet from st->st_tpacket not from
st->st_suspended_md.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
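The three points the fragmentation commits above keep returning to (check every out_raw()/out_struct() result before continuing, count wire-format bytes instead of trusting sizeof(struct) and offsets, and reuse the existing ISAKMP header instead of rebuilding it) are put together in the following added example. It is not pluto's or racoon's code. The fragment payload layout used here (np, reserved, 2-byte length, 2-byte fragment ID, 1-byte number, 1-byte flags), the payload type number 132, the 552-byte ISAKMP_FRAG_MAXLEN and carrying the original Next Payload byte inside fragment #1's payload header are this example's assumptions, marked as such in the code. The reassembler rejects any fragment whose length field claims more bytes than the datagram it arrived in, which is exactly the check a struct/offset mix-up tends to lose.

```c
/* Added example, not pluto code: IKEv1 fragment split/reassembly using explicit wire
 * offsets and a bounds-checked writer whose result is always checked.  Values marked
 * "assumed" are this example's choices, not the draft's or pluto's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ISAKMP_HDR_SIZE 28          /* RFC 2408: cookies(16) np(1) ver(1) xchg(1) flags(1) msgid(4) len(4) */
#define FRAG_HDR_SIZE 8             /* np(1) reserved(1) length(2) id(2) number(1) flags(1), as wire bytes */
#define NEXT_IKE_FRAGMENTATION 132  /* assumed payload type number for IKE fragments */
#define FRAG_FLAG_LAST 0x01
#define ISAKMP_FRAG_MAXLEN 552      /* assumed per-fragment budget on the wire, header included */
#define MAX_FRAGS 16

struct outbuf { uint8_t *p; size_t cap, len; };

/* Bounded append; every caller checks the result instead of marching on. */
static bool out_raw(struct outbuf *o, const void *src, size_t n)
{
	if (n > o->cap - o->len) return false;
	memcpy(o->p + o->len, src, n);
	o->len += n;
	return true;
}
static void put_u16(uint8_t *d, uint16_t v) { d[0] = (uint8_t)(v >> 8); d[1] = (uint8_t)v; }
static void put_u32(uint8_t *d, uint32_t v) { put_u16(d, (uint16_t)(v >> 16)); put_u16(d + 2, (uint16_t)v); }
static uint16_t get_u16(const uint8_t *s) { return (uint16_t)((s[0] << 8) | s[1]); }

/* Split a complete ISAKMP message into fragments laid back to back in out; returns the
 * count, 0 on failure.  The original Next Payload byte rides in fragment #1's payload
 * header so the receiver can restore it (an assumption of this example). */
static size_t ike_fragment(const uint8_t *msg, size_t msg_len, uint16_t frag_id,
			   uint8_t *out, size_t out_cap, size_t *frag_lens)
{
	const size_t chunk_max = ISAKMP_FRAG_MAXLEN - ISAKMP_HDR_SIZE - FRAG_HDR_SIZE;
	struct outbuf o = { out, out_cap, 0 };
	size_t nfrags = 0, pos = 0, body_len = msg_len > ISAKMP_HDR_SIZE ? msg_len - ISAKMP_HDR_SIZE : 0;

	while (pos < body_len && nfrags < MAX_FRAGS) {
		size_t chunk = body_len - pos < chunk_max ? body_len - pos : chunk_max, start = o.len;
		uint8_t hdr[ISAKMP_HDR_SIZE], fh[FRAG_HDR_SIZE] = { 0 };

		memcpy(hdr, msg, ISAKMP_HDR_SIZE);          /* reuse the real header: only np and length change */
		hdr[16] = NEXT_IKE_FRAGMENTATION;
		put_u32(hdr + 24, (uint32_t)(ISAKMP_HDR_SIZE + FRAG_HDR_SIZE + chunk));
		fh[0] = nfrags == 0 ? msg[16] : 0;          /* original Next Payload, fragment #1 only */
		put_u16(fh + 2, (uint16_t)(FRAG_HDR_SIZE + chunk));
		put_u16(fh + 4, frag_id);
		fh[6] = (uint8_t)(nfrags + 1);
		fh[7] = pos + chunk == body_len ? FRAG_FLAG_LAST : 0;
		if (!out_raw(&o, hdr, ISAKMP_HDR_SIZE) || !out_raw(&o, fh, FRAG_HDR_SIZE) ||
		    !out_raw(&o, msg + ISAKMP_HDR_SIZE + pos, chunk))
			return 0;                           /* out of room: fail, never send a short packet */
		frag_lens[nfrags++] = o.len - start;
		pos += chunk;
	}
	return pos == body_len && body_len > 0 ? nfrags : 0;
}

/* Reassemble fragments (any order); returns the message length, 0 on anything suspicious. */
static size_t ike_reassemble(const uint8_t *frags, const size_t *frag_lens, size_t nfrags,
			     uint8_t *out, size_t out_cap)
{
	const uint8_t *piece[MAX_FRAGS + 1] = { 0 }, *p = frags;
	size_t piece_len[MAX_FRAGS + 1] = { 0 };
	struct outbuf o = { out, out_cap, 0 };
	uint8_t last = 0, hdr[ISAKMP_HDR_SIZE];
	uint16_t id = 0;

	for (size_t i = 0; i < nfrags; p += frag_lens[i++]) {
		const uint8_t *fh = p + ISAKMP_HDR_SIZE;
		uint16_t plen;
		uint8_t num;

		if (frag_lens[i] < ISAKMP_HDR_SIZE + FRAG_HDR_SIZE || p[16] != NEXT_IKE_FRAGMENTATION) return 0;
		plen = get_u16(fh + 2);
		num = fh[6];
		/* the claimed payload length must fit inside the datagram actually received */
		if (plen < FRAG_HDR_SIZE || plen > frag_lens[i] - ISAKMP_HDR_SIZE || num == 0 || num > MAX_FRAGS) return 0;
		if (i == 0) id = get_u16(fh + 4);
		else if (get_u16(fh + 4) != id) return 0;   /* fragment of a different message */
		if (fh[7] & FRAG_FLAG_LAST) { if (last) return 0; last = num; }
		piece[num] = fh + FRAG_HDR_SIZE;
		piece_len[num] = plen - FRAG_HDR_SIZE;
	}
	if (last == 0 || piece[1] == NULL) return 0;
	memcpy(hdr, piece[1] - FRAG_HDR_SIZE - ISAKMP_HDR_SIZE, ISAKMP_HDR_SIZE);
	hdr[16] = *(piece[1] - FRAG_HDR_SIZE);            /* original Next Payload from fragment #1 */
	if (!out_raw(&o, hdr, ISAKMP_HDR_SIZE)) return 0;
	for (uint8_t n = 1; n <= last; n++)               /* numbers 1..last must all be present */
		if (piece[n] == NULL || !out_raw(&o, piece[n], piece_len[n])) return 0;
	put_u32(out + 24, (uint32_t)o.len);
	return o.len;
}

/* Constructed input: a patterned body of body_len bytes.  Returns the fragment count after
 * a clean round trip, -1 if anything (including a length field that overstates the
 * datagram) is mishandled. */
static int ike_frag_selftest(size_t body_len)
{
	static uint8_t msg[2048], frags[4096], back[2048];
	size_t frag_lens[MAX_FRAGS], n, total = ISAKMP_HDR_SIZE + body_len;

	if (body_len == 0 || total > sizeof(msg)) return -1;
	memset(msg, 0x11, ISAKMP_HDR_SIZE);
	msg[16] = 1;                                      /* np = SA */
	msg[17] = 0x10;                                   /* ISAKMP version 1.0 */
	put_u32(msg + 24, (uint32_t)total);
	for (size_t i = 0; i < body_len; i++) msg[ISAKMP_HDR_SIZE + i] = (uint8_t)i;
	n = ike_fragment(msg, total, 0x1234, frags, sizeof(frags), frag_lens);
	if (n == 0 || ike_reassemble(frags, frag_lens, n, back, sizeof(back)) != total ||
	    memcmp(msg, back, total) != 0) return -1;
	put_u16(frags + ISAKMP_HDR_SIZE + 2, 0xffff);     /* tamper: payload length beyond the datagram */
	return ike_reassemble(frags, frag_lens, n, back, sizeof(back)) == 0 ? (int)n : -1;
}
```

With a 552-byte budget each fragment carries 516 body bytes, so a 1500-byte body (a main mode packet with a dozen proposals and a stack of vendor IDs, as in the tcpdump above) goes out as three fragments; the tampered-length case in ike_frag_selftest() is the one a receiver that trusts the length field and sizeof(struct) would read past.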
commit f70a8b95a38208a5056842212d95198bbc745302
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 7 00:21:06 2013 -0500
* pluto: send_packet/send_frags mixed architecture/wire formats
It was using size(u_int32_t) instead of 4 octets for the RFC-3948
Non-ESP Marker. So instead, define NON_ESP_MARKER_SIZE and use that.
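The Non-ESP marker commits above (the marker is four 0x00 octets per RFC 3948, it is a wire size rather than sizeof(u_int32_t), and the old stripping code removed 1 byte instead of 4) as an added example in C, not libreswan code: demultiplexing datagrams received on the NAT-T port and adding the marker on send. The 28-byte minimum used to reject a marker with no usable IKE header behind it is this example's assumption.

```c
/* Added example, not libreswan code: RFC 3948 UDP-encapsulation demux for datagrams
 * on the NAT-T port, with the marker handled as a fixed number of wire octets. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NON_ESP_MARKER_SIZE 4   /* RFC 3948 sec. 2.2: four 0x00 octets; a wire size, not sizeof(u_int32_t) */
#define ISAKMP_HDR_SIZE 28      /* assumed: smallest IKE message worth handing to the parser */

enum encap_kind { ENCAP_MALFORMED, ENCAP_KEEPALIVE, ENCAP_ESP, ENCAP_IKE };

/* Classify one datagram received on UDP/4500.  For ENCAP_IKE, *ike and *ike_len
 * describe the IKE message with exactly NON_ESP_MARKER_SIZE bytes stripped. */
static enum encap_kind classify_natt(const uint8_t *pkt, size_t len,
				     const uint8_t **ike, size_t *ike_len)
{
	static const uint8_t non_esp_marker[NON_ESP_MARKER_SIZE] = { 0x00, 0x00, 0x00, 0x00 };

	*ike = NULL;
	*ike_len = 0;
	if (len == 1 && pkt[0] == 0xff)
		return ENCAP_KEEPALIVE;             /* RFC 3948 sec. 2.3: a single 0xFF octet */
	if (len < NON_ESP_MARKER_SIZE)
		return ENCAP_MALFORMED;
	if (memcmp(pkt, non_esp_marker, NON_ESP_MARKER_SIZE) != 0)
		return ENCAP_ESP;                   /* leading non-zero octets are the ESP SPI */
	if (len - NON_ESP_MARKER_SIZE < ISAKMP_HDR_SIZE)
		return ENCAP_MALFORMED;             /* marker with no usable IKE header behind it */
	*ike = pkt + NON_ESP_MARKER_SIZE;
	*ike_len = len - NON_ESP_MARKER_SIZE;
	return ENCAP_IKE;
}

/* Sender side: prefix an IKE message with the marker before it goes out on UDP/4500.
 * Returns the bytes written, 0 if out cannot hold marker plus message. */
static size_t add_non_esp_marker(const uint8_t *ike, size_t ike_len,
				 uint8_t *out, size_t out_cap)
{
	if (out_cap < NON_ESP_MARKER_SIZE || ike_len > out_cap - NON_ESP_MARKER_SIZE)
		return 0;
	memset(out, 0x00, NON_ESP_MARKER_SIZE);
	memcpy(out + NON_ESP_MARKER_SIZE, ike, ike_len);
	return NON_ESP_MARKER_SIZE + ike_len;
}

/* Constructed datagrams for a self-check; returns 0 when every case behaves,
 * otherwise the number of the first failing case. */
static int natt_selftest(void)
{
	uint8_t ike[ISAKMP_HDR_SIZE + 4], wire[ISAKMP_HDR_SIZE + 4 + NON_ESP_MARKER_SIZE], esp[40] = { 0 };
	const uint8_t keepalive[1] = { 0xff }, marker_only[NON_ESP_MARKER_SIZE] = { 0 };
	const uint8_t *p;
	size_t n, plen;

	for (size_t i = 0; i < sizeof(ike); i++)
		ike[i] = (uint8_t)(0x40 + i);
	n = add_non_esp_marker(ike, sizeof(ike), wire, sizeof(wire));
	if (n != sizeof(wire))
		return 1;
	if (classify_natt(wire, n, &p, &plen) != ENCAP_IKE || plen != sizeof(ike) || memcmp(p, ike, plen) != 0)
		return 2;                           /* stripping 1 byte instead of 4 fails here */
	esp[3] = 0x2a;                              /* SPI 0x0000002a: non-zero, so ESP */
	if (classify_natt(esp, sizeof(esp), &p, &plen) != ENCAP_ESP)
		return 3;
	if (classify_natt(keepalive, sizeof(keepalive), &p, &plen) != ENCAP_KEEPALIVE)
		return 4;
	if (classify_natt(marker_only, sizeof(marker_only), &p, &plen) != ENCAP_MALFORMED)
		return 5;
	if (add_non_esp_marker(ike, sizeof(ike), wire, sizeof(ike)) != 0)
		return 6;                           /* short by exactly the marker: must refuse */
	return 0;
}
```

Note that the demux relies on ESP SPI values never being all zero (SPI 0 is reserved), which is what makes the four zero octets an unambiguous IKE marker on the shared port.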
commit b109e580725f4e1f8b8fe070b80e12d2a529dab1
Merge: f350553 a4e9e16
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 6 23:12:23 2013 -0500
Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into fragmentation
commit a4e9e16e8a2d3fdf6fa6a4b1e2ad674447fe042e
Author: D. Hugh Redelmeier <hugh at redsquare.mimosa.com>
Date: Wed Feb 6 23:10:04 2013 -0500
* check for impossible buffer overflow
commit 562df17d161c4d27bce75b2bbb898daffac8e2c2
Author: D. Hugh Redelmeier <hugh at redsquare.mimosa.com>
Date: Wed Feb 6 23:06:58 2013 -0500
* remove unused variable "env" from lsw_conf_setdefault()
commit c0b6f35116123c66b58b07bfaf3d90da74a121ab
Merge: 3b03abe 076839a
Author: D. Hugh Redelmeier <hugh at redsquare.mimosa.com>
Date: Wed Feb 6 22:26:14 2013 -0500
Merge branch 'master' into fragmentation
commit f3505532c6bb6eb7242b451d4086966785714785
Merge: 3b03abe 076839a
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 6 22:24:12 2013 -0500
Merge branch 'master' into fragmentation
commit 076839aee85d4ba84950f69c933bfd60fa7ae6fc
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 6 22:21:11 2013 -0500
* Somehow TAGFILES got deleted, breaking make tag
commit 9237371195c1227bd02abd417d9f10dd7a210ac4
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 6 20:45:28 2013 -0500
* disable x509 check in dotest.sh
commit a32ff76095b100f9c0fdd4e98a15803ffec30866
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 6 16:42:31 2013 -0500
* pluto: remove unnecessary and incomplete check for msg.xauthby
commit 79a86c3ecf6b10c034164c7645392c6e0b1acf30
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 6 16:41:34 2013 -0500
* whack: add labeled ipsec options to whack usage
commit 0d059db5cdb639d8f1869a70ab9ad5941b1c1a3f
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 6 16:38:50 2013 -0500
* pluto: Show labeled IPsec information in ipsec auto --status
commit a7966d0db6311022a69671b4cd46409f6d6f745d
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Feb 4 22:44:05 2013 -0500
* mtustr was capped at 8 chars, not 16
As the compiler wisely told us:
In function ‘snprintf’,
inlined from ‘show_one_connection’ at /source/programs/pluto/connections.c:3458:10:
/usr/include/bits/stdio2.h:65:3: warning: call to __builtin___snprintf_chk will always overflow destination buffer [enabled by default]
This cannot be exploited other than by whoever can edit the local ipsec
config, at which point you can already set leftupdown=/some/script that
runs as root. Still, not good :/
commit abddae19625495f5de4d8a8e56cbd45ed9a96a22
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 6 16:31:51 2013 -0500
* plutomain: factor out pluto_init_nss() in static function
commit 967e300896d74986b7d59a45f7f2481418814bd0
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 6 16:25:36 2013 -0500
* X509: Allow CRLs to be on TLS/SSL resources
We were initiating libcurl without SSL support.
commit 3b03abe786296f30d8e81128aac249a926d6be5f
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 5 13:35:40 2013 -0500
* describe IKE fragments better now we know the fields
commit 0042cc156e14712fa0da00d8ee716357765ee22e
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 5 10:39:03 2013 -0500
* send_frags can be static, fill in a little more of packet format.
commit 976ef3b1ee9430a107509a0a4f42f02596d1aa53
Merge: 3eeb304 f0dce92
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 5 10:31:10 2013 -0500
Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into fragmentation
commit f0dce92c26df14561bac81ab0e530fb6794fa5d9
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date: Tue Feb 5 15:11:32 2013 +0100
* fragmentation: fix for libreswan <-> libreswan interoperability
When libreswan communicates with libreswan the ike fragmentation will
not start, because SMF_RETRANSMIT_ON_DUPLICATE is not set in case of
retransmission MAIN_I3.
Only call send_frags when send_packet is called for ike fragmentation.
commit 3eeb3047634c586c8ca69e46c7676dc6382c679f
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Feb 4 22:44:05 2013 -0500
* mtustr was capped at 8 chars, not 16
As the compiler wisely told us:
In function ‘snprintf’,
inlined from ‘show_one_connection’ at /source/programs/pluto/connections.c:3458:10:
/usr/include/bits/stdio2.h:65:3: warning: call to __builtin___snprintf_chk will always overflow destination buffer [enabled by default]
This cannot be exploited other than by whoever can edit the local ipsec
config, at which point you can already set leftupdown=/some/script that
runs as root. Still, not good :/
commit 7cf0ba6ab21d858145de298490bc298f78464767
Merge: e65eafa 8cae519
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Feb 4 20:21:28 2013 -0500
Merge branch 'master' into fragmentation
commit 8cae51971c52925384f93c9a56b4ad765573b377
Author: Antony Antony <antony at phenome.org>
Date: Tue Feb 5 02:44:49 2013 +0200
*testing : basic-pluto-11 good output
commit 9fa23bcf910d2f4a6f5464bccd243713099b03bc
Author: Antony Antony <antony at phenome.org>
Date: Tue Feb 5 02:38:38 2013 +0200
*testing basic-pluto-01 fixes. need a bit more sanitizing. an output for reference
commit fb5d299c8eb1f0fac60477c6b0094a9ee6882c00
Author: Antony Antony <antony at phenome.org>
Date: Tue Feb 5 02:34:32 2013 +0200
*testing : use san-build and install
commit 7d5904abf3027db6af0924c0257e77a17f88d1de
Author: Antony Antony <antony at phenome.org>
Date: Tue Feb 5 02:13:51 2013 +0200
*testing : xauth-pluto-12 final.sh add shutdown
commit 63d97568110a4acfb6c5eb1e735f7bec87606b43
Author: Antony Antony <antony at phenome.org>
Date: Tue Feb 5 02:12:17 2013 +0200
*testing : fix auth-pluto-12 (almost, modecfg works. However, I see packet loss 1 packet?
host-ping-sanitize.sed allow variable packets in and out
commit e244e7df64ed8b73ab43762ea2b2d1c2da9547aa
Author: root <pwouters at redhat.com>
Date: Mon Feb 4 13:19:22 2013 -0500
* updated changes
commit 361a04404523ce632018b359e04db0aef304e017
Author: root <pwouters at redhat.com>
Date: Mon Feb 4 13:17:52 2013 -0500
* starter: auto=route and auto=start only performed auto=add [Wolfgang]
We only loaded the connections, we did not route or initiate these.
This was previously done by the shell script _plutoload, which was
obsoleted in libreswan 3.0
commit e65eafa3634d3bf8815390d712a919c2d65d27cf
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date: Mon Feb 4 16:41:02 2013 +0100
* XAUTH: remove modecfg* from sa_policy_bit_names
They were only removed from pluto_policy in commit c015d1a038546a5c32d9a36d16462d490108e254.
commit 8f1839f315211eb24fda3d6e86ae23082367b49c
Merge: 829065e b6f2854
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 2 15:59:06 2013 -0500
Merge branch 'master' into fragmentation
commit b6f28549c2dea311ea80491993d50f17f4780bc8
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 2 15:58:06 2013 -0500
* repair previous commit
It is st->st_connection, not st
commit 829065e85e857f6d87c76e724ab2b8211ffe3b7c
Merge: bcaf1b7 c78e93e
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 2 15:44:54 2013 -0500
Merge branch 'master' into fragmentation
commit c78e93e7d9a2b3f25d5380af59015307cd532b2d
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 2 15:44:21 2013 -0500
* XAUTH: Only try to update resolveconf/restoreconf when XAUTH client
commit 86c1242a6440d751ae1c3d6dd114b0f73ecff4ec
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 2 01:58:03 2013 -0500
updated changes
commit c015d1a038546a5c32d9a36d16462d490108e254
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 2 01:41:04 2013 -0500
* XAUTH: modecfgdns* parameter was broken, modecfgwins* removed
The modecfgdns1/modecfgdns2/modecfgwins1/modecfgwins2 were never
properly working using libipsecconf. They only worked when you used
whack directly.
Someone (probably me) put these in as KSCF_MODECFG* instead of as
KSF_MODECFG*, so the parser was looking for left/rightmodecfgdn1 etc.
While fixing these, I removed support for XAUTH WINS, as that died a
decade ago.
We had defined POLICY_MODECFGDNS1 etc apparently as policy bits that
would determine if we would send these options, but then they were
never queried ever, so I removed them. It's quite obvious when you
need to set these, namely if we are an xauthserver and modecfg_dns1=
is set.
libipsecconf got compiled without XAUTH because it was not being
added to the CFLAGS when USE_XAUTH was set. So none of the parsing
code was reading the code I wrote to read these options.
(the only reason xauthby= ever worked was because it was _missing_
and #ifdef XAUTH)
Parsing of the modecfgdns1/modecfgdns2 keywords as kt_ipaddr also
gave some problems because ipaddr processing was really only done
for the left/right parts of the connection. The easier fix was to
change these into kt_string, and when reading the struct starter_conn
information into a struct whack_message, do the tnatoaddr() conversion.
If the IP for this option is bogus, we ignore it and continue.
modecfgwins1/modecfgwins2 is now kt_obsolete, and they were removed from
whack, the xauth sending xauth attributes code and the man pages.
The ipsec auto --status was updated to show the xauth information better:
000 "test": 76.10.157.69<76.10.157.69>[+XS+S=C]...5.6.7.8<5.6.7.8>; unrouted; eroute owner: #0
000 "test": oriented; my_ip=unset; their_ip=unset;
000 "test": xauth info: my_xauthuser=pwouters; their_xauthuser=[any]; dns1:1.8.8.8, dns2:3.8.8.8;
000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test": policy: RSASIG+ENCRYPT+TUNNEL+PFS+XAUTH+IKEv2ALLOW+ModeCFGDNS1+ModeCFGWINS1;
000 "test": prio: 32,32; interface: virbr0; metric: 0, mtu: unset;
000 "test": dpd: action:clear; delay:0; timeout:0;
000 "test": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
commit 16548119c880df68971f382751d584e3a60f51a9
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Feb 1 22:22:58 2013 -0500
* libipsecconf: remove another leftover used for manual keying
commit c298aa30aa4bff596210f2f3b5364ae9d012eda9
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Feb 1 11:41:35 2013 -0500
* updated changes
commit 187cee68e25547102699afbe522eaf081261a017
Author: Matt Rogers <mrogers at redhat.com>
Date: Fri Feb 1 11:38:59 2013 -0500
* #53: ipsec auto --status does not show phase2 parameters
when using (unspecified) defaults
Not specifying phase2alg= leaves c->alg_info_esp NULL so the rest of the
information was being skipped, when c->alg_info_esp was only needed to
determine the pfsgroup in whack_log. Relocating the pfsgroup determination
outside of the whack_log functions will let us see the rest of the info
even if the pfsgroup is unspecified.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit b9994a9657f7b847cc66fb1ba6cf2f482c5d0542
Merge: 31645a3 8a2a75d
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Feb 1 11:14:09 2013 -0500
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit 8a2a75dbaeadc606e0f8c7bd53e193992734db98
Author: Antony Antony <antony at phenome.org>
Date: Fri Feb 1 10:10:50 2013 +0200
Revert "*debug: add debug lines in set_cur_state macro"
This reverts commit 3b0d6c99385d8b97efc75e5be52231353fdf0652.
commit 31645a3f77a0d71855e14fa6c51fc6bffd720c85
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jan 31 22:04:21 2013 -0500
* fixed typo in log message
commit bcaf1b74b984ab831c1c47e102b8269925afd522
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jan 31 14:48:03 2013 -0500
* testing: updated testcase psk-pluto-01
commit 916d033154971eec2774913b70c5cf6b443e0bf7
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 30 22:39:03 2013 -0500
* fragmentation: when we cannot access the md, pretend we sent it.
That way, on the next retry we have access to st->st_suspended_md
commit f301123d377c3eb0252b31498466349d40c8dd87
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 30 22:33:50 2013 -0500
* testing: added more x509-pluto-frag-0* tests
x509-pluto-frag-00 is used to confirm filtering UDP fragments
will cause problems. Both ends have ike_frag=no
x509-pluto-frag-01 is using the default policy of ike_frag=yes that
should send/receive ike fragments by both west and east.
x509-pluto-frag-02 uses ike_frag=force on west and ike_frag=yes on
east, so it should send out MAIN_I3 in fragments on the first go.
x509-pluto-frag-04 has ike_frag=yes on west, and ike_frag=no on
east, so west will not see the VID and should not send fragments.
commit c959ed4f730d22d6f05d15682c6e2315391eeba8
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 30 22:30:33 2013 -0500
* testing: added more x509-pluto-frag-0* tests
x509-pluto-frag-00 is used to confirm filtering UDP fragments
will cause problems.
x509-pluto-frag-01 is the default policy that should send/receive
ike fragments
x509-pluto-frag-02 uses ike_frag=force
commit 2cb636012906a02133e487d7456f7ff8b8b71675
Merge: d53aaa1 4dd3f22
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 30 10:50:01 2013 -0500
Merge branch 'master' into fragmentation
commit 4dd3f22621e839a668520829fb682a13eb0b8f28
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 30 10:48:32 2013 -0500
* nat-t: add DBG_NATT debug line before send_packet()
because send_packet is called with verbose FALSE
commit 7ba8d8e15f10d8c36bdd890873e9161dc9c6cb0d
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 30 10:46:21 2013 -0500
* pluto: log ikev2-responder-retransmit in send_packet like IKEv1
commit d53aaa18c97c8284983d3502abc35ec5ac6c8bfe
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 30 10:48:32 2013 -0500
* nat-t: add DBG_NATT debug line before send_packet()
because send_packet is called with verbose FALSE
commit 9ca9fabee9101d9650338ed71d057683e320b44f
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 30 10:46:21 2013 -0500
* pluto: log ikev2-responder-retransmit in send_packet like IKEv1
commit 148db9aeaa77d6b4b06b1593faa7756847adf677
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date: Wed Jan 30 13:59:04 2013 +0100
removed unneeded debug log entry
commit db441734c920eb0fb2fd1d728abb4dc2a1a181f7
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date: Wed Jan 30 13:55:03 2013 +0100
- also send VID_IKE_FRAGMENTATION when we are the responder
- increasing numvitosend must be done before adding the first vendorid, otherwise it never adds the rest
(alternative put the always sent dpd vendorid at the end and set next=ISAKMP_NEXT_VID on all vendorids before)
commit a6950dc2f22b8db605514ddab40251eab0205acc
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date: Wed Jan 30 13:49:16 2013 +0100
removed duplicate ike fragmentation vendor id, racoon called it broken Microsoft ID: FRAGMENTATION
commit fc4d8a23d3e604b9804d5ffd24423e19611b8cab
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jan 29 23:53:58 2013 -0500
* testing: x509-pluto-frag-01 test case
commit ef813c5bf39f2e778b105e0ce8923a009af56036
Merge: 19c89df 347eb50
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jan 29 23:49:14 2013 -0500
Merge branch 'master' into fragmentation
commit 347eb5024267bb6b32289e5b547aa4e209d6a7d1
Merge: b0b75ac 140d85a
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jan 29 23:48:55 2013 -0500
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit b0b75ace1bca3b3274b2956235a57a4e5e238a88
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jan 29 23:48:34 2013 -0500
* testing: add fragmentation test to list
commit 140d85a0ea607c1e39d82573f493984c98191bcb
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jan 29 15:58:54 2013 -0500
* pluto: Don't print empty XAUTHuser value in IPsec established
commit 08a719c28180371b051034751f3a3ec18fa7cb01
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jan 29 14:27:24 2013 -0500
* testing: x509-pluto-01 was missing secrets files to load cert keys
commit 82fbbebbe2cb7355286fee1d5449dea921a653f8
Merge: 49cb8a8 02418cc
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jan 29 14:00:56 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 49cb8a8869fd6a3d8deceaebc99c908ddc9b78de
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jan 29 14:00:29 2013 -0500
* testing: add missing config files for x509-pluto-01
commit 19c89dfcd2ae43f0f88b649ca5576afbd19f7ca0
Author: Copyright (C) 2013 Wolfgang Nothdurft <wolfgang at linogate.de>
Date: Tue Jan 29 13:40:09 2013 -0500
* IKEv1: Support for sending IKE fragments
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit 02418ccfaea8c1cf86af890fb01200e467bf342c
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jan 29 00:04:08 2013 -0500
* WIP: testing: started to merge testing/libvirt/install.sh into Makefile
- So we can call it using "make check".
- testing/utils/lswan-check is using the libvirt python module
- testing/utils/virtinstall-base is broken off into a shell script for better
(unbuffered) viewing
- networks and vms slightly removed to make python code easier
- Only add networks/vms not already in existence (unless --force)
commit 91e0e001530a485cf61bd9afd5f580bf6f0c208a
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 23:42:13 2013 -0500
* testing: Added generated testing/x509/* content to .gitignore
commit 39bcf9919ac3537ff76107f77045b19279cda2b5
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 23:39:49 2013 -0500
* testing: dotest.sh aborts when dist_certs has not been run
commit 072ab86c96187dd8a8d151ea44c4bf41b449561a
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 23:36:12 2013 -0500
* testing: swan-prep Load the other side's public certificate
On east, west and road we import the public cert of the other two
machines. This ensures we can run leftcert=XXX and rightcert=XXX
for the X509 tests that do not use the CA.
commit 11d07dfcaf7833859bbb1337bbb80adb88ebf221
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 23:06:09 2013 -0500
* pluto: don't try to load non-existing AA certs
This removes an error from startup:
Could not change to directory '/etc/ipsec.d/aacerts': No such file or directory
commit 3406966c3f21e2a591696f4eccdb64543b47d36e
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 22:55:40 2013 -0500
* testing: dist_certs was not generating PKCS#12 files for special cases
commit b406ac60d903cab951d53945a2a87201d669c0ca
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 22:54:35 2013 -0500
* testing: swan-prep fixes
- Import certs from /testing/x509/pkcs12/mainca/
- Convert pidof string to int for os.kill()
commit a0d60b6756c48a6ed1fd5b640b1f5d7aa7a38955
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 22:53:39 2013 -0500
* ipsec look: display NSS certificates
commit b02f2fb8d38f8d2533523061b8575fd4862dd339
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 22:27:06 2013 -0500
* testing: dist_certs Fix PKCS#12 generation, work with any cwd
- pushd / popd into the directory containing dist_certs so it can
be run from anywhere.
- The CA friendly name apparently cannot contain spaces or openssl pkcs12
just fails with a usage error.
commit c06224afd4f28c5f8639e56ca94f272ea05121b7
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 22:19:40 2013 -0500
* testing: runkvm.py support for --x509
Read testparams.sh to see if X509=yes, if so pass --x509 to swan-prep
commit ebf7be3be679acc2dd6a76e9e8b4425e46e97de7
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 22:16:45 2013 -0500
* testing: fixes to dotest.sh
- Typo fix for LIBRESWANDIR
- Use the presence or absence of *run.sh to determine INITIATOR
(and not *init.sh because responders have an init.sh file too)
- Set the testname based on the pwd of the test using basename()
commit 754d12d3b40c97f34f5a9c3386efd1adf567ebcd
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 22:13:58 2013 -0500
* testing: CA rename and no longer copy generated files into testing/baseconfig/
We now read the files from testing/x509/* so they don't get into git
dist_certs now calls the main CA "mainca" instead of "ca", as the Friendly
Name of the CA was "ca" which was getting confusing, especially because
the country is also ca.
commit 844a92b21baed175466336a9ab4821dfe52f03eb
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 22:13:15 2013 -0500
* testing: updated x509-pluto-01
commit 86488332c58e7d68f46414eee7cb5f9a3b6a97ae
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 22:10:02 2013 -0500
* testing: swan-prep functionality extended
- kill all IKE daemons (strongswan, racoon, shrewsoft as well as pluto)
- unload NETKEY and KLIPS stacks using _stackmanager stop
The above no longer needs to be in the individual test case *init.sh files.
- added --x509 option to force adding x509 certs into NSS
- testparams.sh is checked for X509=yes and if so certs are added to NSS
commit 163a8c36707a282c2eb0ba20e38157044cfb4f59
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 17:53:55 2013 -0500
* testing: cleanup X509 generation and output
commit b78c10ed3dc0b718b50766578a4ab613e5a372f2
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 27 11:40:33 2013 -0500
* put find_ifaces() back to where the testcases think it should be
commit bd04be397fbfb4c7049919121833e8a4e61df039
Merge: 6dd4196 b47b6c9
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Jan 26 19:51:02 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 6dd419682c44117fc5dc4cb83b73659da9393d4e
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Jan 26 19:14:20 2013 -0500
* testing: two configurations to compile pluto for testing
minimal: disable everything but NETKEY
everything: enable everything except taproom and dmalloc
commit b47b6c97f7a11ff73f6f77bb0dece52bec0f9ac1
Merge: 6969ded 48cb493
Author: Antony Antony <antony at phenome.org>
Date: Sun Jan 27 02:13:29 2013 +0200
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 6969ded5e123f1dcf56ac4ceee74db729e05bbe1
Author: Antony Antony <antony at phenome.org>
Date: Sun Jan 27 02:12:50 2013 +0200
* testing: cleanup test basic-pluto-11 good
commit 4fa3a57ece83dfefa57543bb4123b84c388add7b
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Jan 26 19:11:43 2013 -0500
* taproom: minor fixes to taproom
Fixed some missing "goto" statements for taproom. Ifdef'ed the
TCL calls in IKEv2 as they have never been tested or run (taproom
predates ikev2) - but programs/pluto/tpm/ needs to be fixed or
removed. (I think removal is best - code hasn't compiled or run
since about 2007, no one uses it)
commit 562a433a4719b4f556ba0e201f84980d656d60d8
Author: Antony Antony <antony at phenome.org>
Date: Sun Jan 27 02:10:41 2013 +0200
* testing: ping-sanitize.sed fix
commit 7e10c81840750c3a76b209e401a9a029ad069c83
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Jan 26 18:53:51 2013 -0500
* XAUTH: missing ifdef's around two blocks dealing with XAUTH
commit 48cb493736a9672d3c96cf1a74eeb6a17d5c7c94
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Jan 26 18:35:51 2013 -0500
* testing: runkvm.py aborts on all missing python modules now
commit 5c336c8c3620e8e72ad26bfdfb0f3b34caf609c7
Merge: 1bd333a 9ac4101
Author: Antony Antony <antony at phenome.org>
Date: Sat Jan 26 22:13:25 2013 +0200
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 9ac4101fe819d73dac1097bf88396452dd2169ee
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 26 11:59:20 2013 -0500
* status: slight change in output of ipsec auto --status
We used to only display metric and mtu when one of these was set.
We now always display these. The prio and interface were moved on
their own line with metric and mtu. This gives us more space for
our ever increasing list of POLICY bits to be displayed.
old:
000 "redhat": policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+XAUTH+AGGRESSIVE+IKEv2ALLOW+IKE_FRAG; prio: 32,32; interface: virbr0;
new:
000 "redhat": policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+XAUTH+AGGRESSIVE+IKEv2ALLOW+IKE_FRAG;
000 "redhat": prio: 32,32; interface: virbr0; metric:0, mtu:unset;
For OE, the DNS policies (+lKOD and +rKOD) are added to the policy line, but after the ";"
to avoid the confusion of thinking these are c->policy bits.
commit c4b8b3dd170f7b80458be857dfa8d18c24971af0
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 26 11:56:45 2013 -0500
* libipsecconf: Do not set key_from_DNS_on_demand = TRUE per default
For RSA connections, the OE settings turn this to TRUE if OE was
used, and false otherwise. However, for PSK connections this was left
at TRUE as well. Although it caused no harm it could confusingly
state "+lKOD+rKOD" in the policy for PSK connections.
commit a769227f37e8c320a3276e311aeb2b4c58b2abd2
Merge: 9ea8310 3b0d6c9
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 26 11:04:50 2013 -0500
Merge branch 'fragmentation' of vault.foobar.fi:/srv/src/libreswan into fragmentation
commit 3b0d6c99385d8b97efc75e5be52231353fdf0652
Author: Antony Antony <antony at phenome.org>
Date: Fri Jan 25 14:59:46 2013 +0100
*debug: add debug lines in set_cur_state macro
commit 84172f1a521f778f72f69bb0f4e1ed83409b18d5
Author: Antony Antony <antony at phenome.org>
Date: Fri Jan 25 14:59:05 2013 +0100
*plutodebug: add debug lines to debug racoon MODECFG situations
commit 93454a6630726e35df3f57c80b798e4e957bce2a
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 23 21:00:12 2013 -0500
* ike frags: Only log for controlmore, define MAX_IKE_FRAGMENTS 16
commit 5b7a8c3b8868be619742362c02b81820ecb2b203
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 23 20:58:52 2013 -0500
* ipsec: Add "ipsec start|stop|restart" as aliases to "ipsec setup"
commit 9ea831051e3aa50b3a8a23bf36ac6aa028d725e7
Merge: b29ddb4 6d27b65
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Jan 23 17:11:46 2013 -0500
Merge branch 'master' into fragmentation
commit 1bd333af35fe20cef79d6093224c9c8f4a3d258d
Author: Antony Antony <antony at phenome.org>
Date: Wed Jan 23 21:54:39 2013 +0200
*testing forgot to commit with xauth-pluto-12
commit 6d27b6565b8c2cd9cc182630e166c10ca3b048d6
Merge: 16c37ae 9046a7d
Author: Antony Antony <antony at phenome.org>
Date: Wed Jan 23 21:05:57 2013 +0200
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 16c37ae41b54d8284ac723fa5663668a30d03316
Author: Antony Antony <antony at phenome.org>
Date: Wed Jan 23 21:05:06 2013 +0200
*testing: to sanitize manually, run sanitize.sh from the test dir
commit ae81539a050ed110aa909eb3844e96e873c2562c
Author: Antony Antony <antony at phenome.org>
Date: Wed Jan 23 21:03:55 2013 +0200
*testing: known good output for xauth-pluto-12
commit 9046a7d3fc9d56760d0edc01d5f6c0f6e2543336
Author: Kim B. Heino <b at bbbs.net>
Date: Wed Jan 23 14:32:10 2013 +0200
dist_certs: fix expect to wait until spawned child returns
Previous version waited for nothing and then killed the child, resulting in
empty certificates. This fixed version waits until the child returns, or a
maximum of 10 seconds. Use "set timeout 60" if you need a bigger timeout.
commit e919be630dc412afd249446d76ab183f7410485f
Author: Kim B. Heino <b at bbbs.net>
Date: Wed Jan 23 14:27:30 2013 +0200
dist_certs: it's not year 2011 anymore, fix future date calculation
commit 304ff5b77f44d17d1b725482040e863e119838bd
Author: Kim B. Heino <b at bbbs.net>
Date: Wed Jan 23 14:19:00 2013 +0200
dist_certs: remove trailing whitespace
commit 7b7f32f107497dc938c53627e2981442f1d0fd8d
Author: Antony Antony <antony at phenome.org>
Date: Wed Jan 23 01:12:18 2013 +0200
*testing: more fixes to sanitizers for timezone and kernel messages
commit 0f757eb3f0971fcc2270005dbe4e33b0559bf32f
Author: Antony Antony <antony at phenome.org>
Date: Tue Jan 22 20:42:57 2013 +0200
*testing: change output file names
commit fe27d8b9e002bf453ffb738ad4642d135501a528
Author: Antony Antony <antony at phenome.org>
Date: Tue Jan 22 20:41:50 2013 +0200
*testing: good output for psk-pluto-01
commit 0840c0c27b225cfbff37613668214fba2947b2d5
Author: Antony Antony <antony at phenome.org>
Date: Tue Jan 22 20:38:55 2013 +0200
*testing: rename output files
commit 6a891802852671fe19203122adc010a2d9b30831
Author: Antony Antony <antony at phenome.org>
Date: Tue Jan 22 17:29:01 2013 +0200
*testing: fixing psk-pluto-01 for sanitizing
commit fc84a75fd7fdeb2f61585cd42ebae25a49133493
Author: Antony Antony <antony at phenome.org>
Date: Tue Jan 22 17:28:01 2013 +0200
*testing: consolediff sanitizer after a run
commit db9d010c01c16a7871e507f59b262647deb1c009
Author: Antony Antony <antony at phenome.org>
Date: Tue Jan 22 17:26:34 2013 +0200
*testing: update sanitizer to cope with kvm
commit b29ddb46a32acee5523a806f9c3dcde476aa7dad
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 23:54:25 2013 -0500
* updated changes
commit b9d8758fc681b317e92bcce49e5956a6d0e6902f
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 23:23:21 2013 -0500
* testing: added interop-racoon-iphone5-nonat
This test, once completed, will test interop with iphone5's racoon
using the Apple default of ike_frag force; on the racoon side.
commit 88e33b64be8a5c439d51ac75f5a243bbabf989e4
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 23:16:36 2013 -0500
* IKEv1: Support for receiving IKEv1 fragments (not RFC)
added support for incoming fragmented ike packets to solve iOS6 (iphone)
problems. This is often the case when large X.509 certificates are used.
Some third-party vendor devices, such as firewalls configured for stateful
packet inspection, do not permit the passthrough of User Datagram Protocol
(UDP) fragments in case they are part of a fragmentation attack. If
fragments are not passed through, Internet Key Exchange (IKE) negotiation
fails because the intended responder for the virtual private network (VPN)
tunnel cannot reconstruct the IKE packet and proceed with establishment
of the tunnel.
This feature provides for the fragmentation of large IKE packets into a series
of smaller IKE packets to avoid fragmentation at the UDP layer.
This feature provides support for Cisco IOS in terms of being a responder in an
IKEv1 main mode exchange.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit 326d7fa345c73eae94041c2db634290688153ffe
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 22:54:06 2013 -0500
* pluto: Add support for ike_frag=yes|no|force keyword
This adds the option to the parser, along with two policy flags
POLICY_IKE_FRAG_ALLOW and POLICY_IKE_FRAG_FORCE
We send the fragmentation vendorid except when ike_frag=no
Processing of fragments and sending of fragments are not yet
implemented with this commit.
VID_MISC_FRAGMENTATION renamed to VID_IKE_FRAGMENTATION
commit 4e78b421379a9c34f78a015b328395230c199374
Merge: de2f1f5 a38479b
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 22:18:01 2013 -0500
Merge branch 'master' into fragmentation
commit a38479b931dcf4b000a3ba7fe0ead353c9978e17
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 22:10:32 2013 -0500
* libipsecconf: policy misuse due to type change from int to lset_t
Some code is still using policy as if it was an int, but it is an lset_t.
This would cause problems for every policy bit > 31, which up to now was
only the SAref tracking policy bits:
POLICY_SAREF_TRACK = LELEM(32), /* Saref tracking via _updown */
POLICY_SAREF_TRACK_CONNTRACK = LELEM(33), /* use conntrack optimization */
But I will be adding the IKE fragmentation policy flags, so this
became an issue in confwrite.c.
The assumption that c->policy is of type int is probably all over the
code and needs a thorough review.
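An added illustration of the defect class described in this commit message; it is not code from the commit or from libreswan. It assumes, as libreswan's headers do, that lset_t is a 64-bit unsigned integer and that LELEM(n) is bit n of that type; the two SAREF bit positions are the ones quoted above, POLICY_LOW_BIT_EXAMPLE is a constructed placeholder, and the int-truncation result relies on gcc/clang keeping the low 32 bits when an out-of-range value is converted to int (implementation-defined in C). The truncating function reproduces the "policy as if it was an int" pattern next to the correct lset_t version, plus a small audit helper that counts how many members of a set would vanish in an int.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: lset_t is a 64-bit unsigned integer, as in libreswan's headers. */
typedef uint64_t lset_t;
#define LELEM(opt) ((lset_t)1 << (opt))

/* The two bit positions quoted in the commit message. */
#define POLICY_SAREF_TRACK           LELEM(32)
#define POLICY_SAREF_TRACK_CONNTRACK LELEM(33)
/* Constructed placeholder for a bit below 32; the real positions of the
 * other POLICY_* flags are not needed for the demonstration. */
#define POLICY_LOW_BIT_EXAMPLE       LELEM(2)

/* Buggy pattern: the set passes through a plain int on its way to the test,
 * which is what the message describes for confwrite.c. Converting an
 * out-of-range value to int is implementation-defined; gcc and clang keep
 * the low 32 bits, so bits 32..63 are dropped and, if bit 31 is set, the
 * negative int sign-extends into bits 32..63 when widened again. */
bool policy_has_via_int(lset_t policy, lset_t bit)
{
    int truncated = (int)policy;          /* bits 32..63 lost here */
    lset_t widened = (lset_t)truncated;   /* bit 31 sign-extends upward here */
    return (widened & bit) != 0;
}

/* Correct pattern: keep the value as lset_t end to end. */
bool policy_has(lset_t policy, lset_t bit)
{
    return (policy & bit) != 0;
}

/* Audit helper: how many members of the set live above bit 31, i.e. how
 * many would silently vanish if the set were ever stored in an int. */
int policy_bits_above_int(lset_t policy)
{
    int n = 0;
    for (int i = 32; i < 64; i++)
        if (policy & LELEM(i))
            n++;
    return n;
}

int main(void)
{
    lset_t policy = POLICY_LOW_BIT_EXAMPLE | POLICY_SAREF_TRACK |
                    POLICY_SAREF_TRACK_CONNTRACK;

    printf("lset_t check: SAREF_TRACK is %s\n",
           policy_has(policy, POLICY_SAREF_TRACK) ? "set" : "missing");
    printf("int check:    SAREF_TRACK is %s\n",
           policy_has_via_int(policy, POLICY_SAREF_TRACK) ? "set" : "missing");
    printf("%d policy bit(s) would be lost in an int\n",
           policy_bits_above_int(policy));
    return 0;
}
```

The audit helper is the useful part for a review of the kind the message asks for: any place that copies c->policy into an int, or passes it through a printf("%d")-style format, will misreport exactly the bits this function counts.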
commit 777f76e74487c7446290fbdaab7387e4397a54eb
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 22:04:23 2013 -0500
* whack: C is not python - cannot do switch() over non-int
commit 6593c9c9a68ececaf7d1ebda1a8163e1c7ac0576
Merge: c330b64 22da35c
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 21:55:35 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 22da35cb1df8b2c6b49af881fa7251a89d054fa5
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Jan 21 20:56:08 2013 -0500
* XAUTH: expose xauthby=alwaysok to "ipsec whack"
ipsec whack [...] --xauthby XXX did not yet support "alwaysok"
commit c330b64f19235d511d65f8f9703ce62174dfd9d3
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 18:16:13 2013 -0500
* clarify a break statement with a comment
commit de2f1f5dc3d6ef9dccb3fdffad976a115b9b9f0d
Merge: 7c3ba62 32dc901
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 17:14:43 2013 -0500
Merge branch 'master' into fragmentation
commit 32dc9011475009f7731f1ba405e91f7554a08ed5
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Jan 21 14:49:42 2013 -0500
* man page: added note on systemd to plutorestartoncrash=
commit 83e5a088d5437b971fd4293151cb326b89894177
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Jan 21 14:33:09 2013 -0500
* pluto: Do not attempt to open a logfile if none is configured
commit 953da179c961aa1e77c7439affaba1a5b24337bd
Merge: 608d435 18eb872
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Jan 21 14:12:40 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 608d435ce5f39403d7f0182b7f0310a2d77dc3b1
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Jan 21 14:11:26 2013 -0500
* testing: net.ipv4.conf.eth0.rp_filter was missing from sysctl.conf
We disabled rp_filter in testing/baseconfigs/all/sysctl.conf for
all but eth0.
commit 18eb872e6d64256d3a4b5002912529195ce063a8
Author: Antony Antony <antony at phenome.org>
Date: Mon Jan 21 02:44:53 2013 +0200
*testing: cleanup basic-pluto-01 to run final.sh
commit fe757536dfffd05cf69f95a0c4363ba47671080b
Author: Antony Antony <antony at phenome.org>
Date: Mon Jan 21 02:43:32 2013 +0200
*testing: run final.sh
commit 0f36fe2f89faca0c3b65c35dc842206e4fa85f2c
Author: Antony Antony <antony at phenome.org>
Date: Mon Jan 21 01:03:29 2013 +0200
*testing: paul's changes ping sanitizer
commit 4f5186a00e8bb5780ea5b478de44896002f93529
Author: Antony Antony <antony at phenome.org>
Date: Mon Jan 21 01:01:42 2013 +0200
*testing: don't send empty lines from *init and *run
commit 6c98431c9e94c141d926d6c85bb7ca701fb5bdc0
Merge: a5668a4 3ed96dc
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 20 12:26:53 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit a5668a45b2778ac9050996db427a739490731227
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 20 12:25:17 2013 -0500
* updated changes
commit cf4343357b22a484c1f441eddebe6bd5d786340f
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 20 12:24:24 2013 -0500
* addconn: If no protostack= is configured, return "netkey" as default
commit 3ed96dcb3030905c4109c7da5042a5e0cc46b3d8
Merge: cb2ffa7 1001e39
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 19 18:40:47 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit cb2ffa7ee4b04f602889f5c0f88770985c3b04ae
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 19 18:36:01 2013 -0500
* pluto: show orientation with ipsec auto --status
When a connection is not oriented, the display of such a connection
in ipsec auto --status is 'undefined'. One side is called "left" without
any real proof. As such, one could not see the difference between a
properly oriented connection, and an unoriented connection that just
happened to look the same. This adds an entry to the output that will
state "oriented" or "unoriented", e.g.:
000 "redhat": 76.10.157.69[@RH-standard,+MC+XC+S=C]---76.10.157.65...66.187.233.55<vpn-rdu.redhat.com>[MS+XS+S=C]; unrouted; eroute owner: #0
000 "redhat": oriented; myip=unset; hisip=unset;
000 "redhat": xauth info: myxauthuser=pwouters;
000 "redhat": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug: yes
000 "redhat": policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+XAUTH+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: virbr0;
000 "redhat": dpd: action:hold; delay:30; timeout:60;
commit 1001e39467063126362df7f869f60e9bf870b618
Merge: 49edd0c de7c4a4
Author: Antony Antony <antony at phenome.org>
Date: Fri Jan 18 16:00:28 2013 +0200
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 49edd0c0f097881e71369a392855fb8b437d110a
Author: Antony Antony <antony at phenome.org>
Date: Fri Jan 18 15:59:39 2013 +0200
* testing: use stty --echo in runkvm.py
commit de7c4a4ce86f4b730dad94b1fd7d63a63eb04f38
Author: Paul Wouters <paul at libreswan.org>
Date: Thu Jan 17 17:45:59 2013 -0500
* manual: Remove last remnants of manual keying from man pages
commit 7c3ba626f9fee80e08ecdc28f226b4445acb79a6
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Jan 16 13:22:13 2013 -0500
* IKE: Add cisco IKE fragmentation next payload pointer
This also renames the NAT draft payloads to their proper names,
and clarifies the 'relocation' comment, which is really about
the payload number change between draft (130,131) and RFC-3947 (20,21)
commit 3930ef11a43baf3b765c87c19580452bc3e3e32f
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 16 11:26:30 2013 -0500
* updated man page for compress= and regenerated it
commit 8cecd371007e9c5d8c9df5ccd7909e9ff282e576
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 16 11:16:00 2013 -0500
updated changes
commit 7cf80a87d4d7f1e13ce0bff7d855f7707b3ca863
Author: Matt Rogers <mrogers at redhat.com>
Date: Wed Jan 16 11:13:30 2013 -0500
* #8 honour compress=no option
Due to increased security concerns of mixing compression with encryption, in
light of the BEAST like attacks, we no longer always accept ipcomp as we
did before. It needs to be explicitly set using compress=yes
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit f3a57a1ab4bd66bbb6df0198ee1e750e9b6cb82e
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jan 15 23:22:16 2013 -0500
* Missed a KLIPS -> KLIPS24 reference in make output
commit a6610e143bfe94aa79258ba59cbdbbc5cff7f09d
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jan 15 23:21:49 2013 -0500
* updated changes
commit 635ad927c648a2a26c79d4df6eb306e66f29f4cd
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jan 15 23:17:34 2013 -0500
* XAUTH: Added xauthby=alwaysok option
Setting xauthby to alwaysok causes the XAUTH authentication to always succeed.
This is useful to support clients that require XAUTH, but for which no real
XAUTH usernames/passwords are provisioned. This is valid for some certificate
based deployments of devices.
The static function do_md5_authentication() got renamed to do_file_authentication(),
because it is using the crypt() call, which supports more than just MD5.
The man page has been updated to reflect this, and also adds a note about MD5 not
being available in FIPS mode.
A separate bug has been opened for a feature to set the xauth password file name,
instead of hardcoding it to /etc/ipsec.d/passwd.
commit f0f95e1465ac65a3b97794e3adc0cd806060ff6b
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jan 15 21:59:45 2013 -0500
* KLIPS: makefile switch some more "26" vs "24" strings
module26.make -> module.make
module.make -> module24.make
There are still some occurrences of "26" left (which are misleading because
it is really "2.6 and higher").
While we need packaging/makefiles/module.defs I don't think it is actually used,
because per default we use MODULE_DEF_INCLUDE=[..]/packaging/linus/config-all.h
(perhaps with make kpatch?)
commit 27ff91db99fb969f9418ed5473bc449865dc4abe
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jan 15 21:57:51 2013 -0500
* enable cryptoapi in packaging/makefiles/module.defs
commit 529779a83462a4d52f630bc214de58618d6df4f3
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 14 17:47:18 2013 -0500
updated changes
commit 1565fdc5c9c4963a0a052fac86d961bd38d34c42
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 14 17:46:29 2013 -0500
* pluto: log XAUTHusername in the "established IPsec SA" line
i.e.:
004 "redhat" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x7aacc5fa <0xa46a8a1f xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none XAUTHuser=pwouters}
commit 5f188f90317d0275e0136527f68b9db40f686126
Merge: 62661d8 fe5a7bf
Author: Antony Antony <antony at phenome.org>
Date: Mon Jan 14 22:06:40 2013 +0000
Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan
commit 62661d8be946f3087f8348d32b7470a21a17ce11
Author: Antony Antony <antony at phenome.org>
Date: Mon Jan 14 22:05:02 2013 +0000
*testing: TERM=dumb so expect gets fewer ANSI escape characters
commit fe5a7bf9eeeb96aeb2bfe3ca38b1f2dc66902bb5
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Jan 14 15:48:45 2013 -0500
* testing: fix calls to swanprep to swan-prep
commit 051efa54ee0a3543a5308943a35c213ab001ea38
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Jan 14 15:29:26 2013 -0500
* testing: missed swan-update softlink in /usr/bin/
commit b8410d2cb81c1e2ff841c47a08c91aa385a5ddf7
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Jan 14 15:20:37 2013 -0500
* testing: softlink swan-* binaries in /usr/bin/ to avoid PATH issues
also rename all to be consistent with "swan-" prefix.
commit f5868559d64579649586dccda85a49267d0d758c
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Jan 14 15:20:10 2013 -0500
* testing: swan-prep should first copy in baseconfigs then specific test files
commit 83bf302d261300dd7d2b7a0aeb31d41fb3e2eb10
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Jan 14 15:18:52 2013 -0500
* testing: swan-install support for disabled service and selinux
- disable systemd from restarting pluto on crash
- restorecon /usr/local
commit 6b4074e986f36170073f8223fc326a50d8552c07
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Jan 14 15:17:55 2013 -0500
* testing: swan-build deletes modobj* as well as OBJ.*
commit 64eec39b92b0d83dc22ede07b03f300094b92e11
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Jan 14 14:58:11 2013 -0500
* systemd: Added RestartPreventExitStatus= line to ipserv.service file
Added a commented line:
This mimics the old openswan _plutorun script that read
plutorestartoncrash=no and if set, would not restart pluto when its exit
code was 137 (term) or 143 (kill)
This is not the default, because if we crash, we _do_ want to
get restarted.
commit e3a8d972f80124dde4b31ee87331b882f98b693d
Author: Antony Antony <antony at phenome.org>
Date: Mon Jan 14 17:48:29 2013 +0000
*testing: start nic if there is a nicinit. reboot before init.
commit 2430ea35fe155418d3442b304ca4e1bd86e15644
Author: Paul Wouters <paul at libreswan.org>
Date: Sun Jan 13 14:11:00 2013 -0500
* testing: Added testcases netkey-psk-vhost-0[1..4]
These test cases investigate the behaviour of subnet=vhost:%no,%priv
versus subnet=%vhost:%priv,%no with and without NAT on nic.
They also use a virtual_private=%v4:!192.0.2.0/24,%v4:192.0.0.0/8
which should NOT cause rejection.
commit a11921e1158b1199b3d9ebf3d63d3a94de0eef0e
Merge: ed88209 7376fee
Author: Paul Wouters <paul at libreswan.org>
Date: Sun Jan 13 12:15:10 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit ed8820992b3a8e3be3a46b789ab82b06a9b602a0
Author: Paul Wouters <paul at libreswan.org>
Date: Sun Jan 13 12:14:42 2013 -0500
* testing: added netkey-psk-pluto-06
commit 7376feedbe157f783ae9a9af8241439ffbd7f2a4
Merge: f720c79 7c9d8c5
Author: Antony Antony <antony at phenome.org>
Date: Sun Jan 13 17:37:48 2013 +0100
Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan
commit 7c9d8c5c7eaa47aae821991a1e6b507291283be1
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Sun Jan 13 14:36:52 2013 +0100
Adding EOL when an EOF at EOL
commit f720c7923846d926e37aaa61f85e7e71ee4042b3
Author: Antony Antony <antony at phenome.org>
Date: Sun Jan 13 13:56:02 2013 +0100
*testing: road need 192.1.3.254 as nameserver
commit c7b217ffb4d1409a9cbbe1393a9b96b1b3d78b96
Author: Antony Antony <antony at phenome.org>
Date: Sun Jan 13 13:54:48 2013 +0100
*testing: runkvm.py namespace collision.
commit a4eb285b0d2f7f59c36b2f7fac8fc85ebc6ef93c
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Sun Jan 13 04:11:11 2013 +0100
find_ifaces() call moved from rcv_whack.c to server.c - Reason: for my roadwarrior test to work
commit a9037fbf620029f1989150985f54ff37454afe2b
Merge: 988551c 3660560
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Sun Jan 13 03:21:32 2013 +0100
Merge branch 'master' of vault.libreswan.org:/srv/src/libreswan
Conflicts:
lib/libipsecconf/parser.l
lib/libipsecconf/parser.y
programs/pluto/rcv_whack.c
commit 988551cded876cd20eb2733df82e92424baeaa47
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Sun Jan 13 03:14:59 2013 +0100
Fixed up (not found) printf when addconn --verbose
commit 02a0d794787d6a526ca23436ffb644f6b18965f3
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Sun Jan 13 03:12:34 2013 +0100
find_ifaces() call moved from rcv_whack.c to server.c - Reason: for my roadwarrior test to work
commit 8ce117a706cfa4b1cfc3884f583fc26fada3df22
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Sun Jan 13 03:08:35 2013 +0100
Adding EOL when an EOF at EOL
commit 36605602d4681ec6343128d66d92f834f5338ad9
Author: Antony Antony <antony at phenome.org>
Date: Sat Jan 12 22:27:07 2013 +0000
*testing fix test cases. support running rw tests
commit 5bfd3b7623bf0d70fe3d7c0433a95e9ff161a33b
Author: Antony Antony <antony at phenome.org>
Date: Sat Jan 12 21:56:51 2013 +0100
*testing: improve runkvm.py compile and install options
commit 4b409089bbe9b64bd0fdf4372612d642b83fc447
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 12 14:49:24 2013 -0500
updated changes
commit 06e49a26ff8ef1b03ba0e8fb5a87d9bd1072f539
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 12 14:44:05 2013 -0500
* libipsecconf: Improved missing EOL bug in parser.
This fix by Philippe improves the parser, so it no longer requires
read-write access to the file for parsing which was introduced in
the previous fix to avoid a segfault when parsing a file with no EOL
on the last line.
This was tested with pluto, addconn and readwriteconf, including the
relevant tests in testing/scripts/readwrite*
commit 2bb6aca0e056db0bb5375eb0ff72c80c272c22ed
Merge: 45ac59f 4f1fa2c
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 12 14:37:45 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 4f1fa2cf06beb9d418e1a17c8417178990c30ebb
Merge: 9e11cd7 f9b1bef
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 12 14:33:19 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 9e11cd71ab6e16bf2875d1b18fc122c69b93b4da
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 12 14:31:12 2013 -0500
* pluto: move call to find_ifaces()
This implements Philippe's resolution for correct connection loading
at startup with the changed timing as a result of the new addconn
thread that pluto starts to load the connections that used to be
loaded using the _plutoload script started separately.
commit 45ac59f254de1d74eb4ec535af9375d9104d0ad1
Author: Paul Wouters <paul at libreswan.org>
Date: Thu Jan 10 20:53:07 2013 -0500
* testing: testcase readwriteconf-26 has no neol.conf
commit f9b1bef31d65c4c9d02d15aef7b7ff9006e6e85a
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Thu Jan 10 22:22:15 2013 +0100
addconn doesn't exit on EOF at EOL
commit 7fb81cf80b14b502181af27eb68547c83bed960d
Merge: e91c6a6 5eb2b6f
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Jan 9 16:16:50 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit e91c6a6f028ca4c80c08f4282d0693699c76bcb2
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Jan 9 16:14:05 2013 -0500
* testing: added iphone 4s racoon config within testing framework
This test is incomplete. But contains the racoon config extracted
from an iphone 4s. It is likely modified for using the apple keychain
to obtain certificates, so we will need to use the stock racoon
method for specifying the certificates.
commit 5eb2b6f06de240104cdf4dee4853f3a7aaa0fc3a
Author: Antony Antony <antony at phenome.org>
Date: Wed Jan 9 17:08:29 2013 +0100
* testing: removed eth3 from swanhosts.
commit 1d9067f16bb65141501435fbfd634cd4a2a1f752
Author: Antony Antony <antony at phenome.org>
Date: Wed Jan 9 16:47:52 2013 +0100
* testing: fixed a roadwarrior test psk-pluto-01
commit fdcf2fec989440a486dc33fe032b6ad0232d8048
Merge: 52aa7df c970c6f
Author: Antony Antony <antony at phenome.org>
Date: Wed Jan 9 14:46:24 2013 +0100
Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan
commit c970c6f0c9438b3267c3faa6e5262fbf51ac3629
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Jan 9 11:42:05 2013 -0500
* bump default IPSECBASEVERSION in git to "3.0"
So git builds show up like: v3.0-66-gf3dd213-master which means
66 commits past version 3.0.
commit ee43c8d31f36865557d099a4c608d5ed5b77d9d9
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Jan 9 11:38:45 2013 -0500
* Added @BINSH@ variable to Makefile.inc (default /bin/sh)
This is used when building the systemd service file. This addresses
the issue of Fedora 16 not having /usr/bin/sh, which was the value
used in the systemd ipsec service file.
commit e72a77a38b2814fd05d2bd87f77e170cf28893a5
Merge: 41c6459 590ec24
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Jan 9 11:32:52 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 41c64592b2dd6766fdd2073e71259e00a099ff60
Merge: 18b7f2c d0a13fe
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Jan 9 08:47:57 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 52aa7df2a43a5c529697a6f896b5d5b8d2bb0ca8
Author: Antony Antony <antony at phenome.org>
Date: Wed Jan 9 14:45:15 2013 +0100
*testing: fix typo, duplicate mac in swan13
commit 590ec24ddc945e10ac128b1bcfd4c16831fa3181
Author: Antony Antony <antony at phenome.org>
Date: Wed Jan 9 14:14:47 2013 +0100
*testing: add nic vm config for roadwarrior tests
commit d0a13fe3001cc34504f69837913a8e34bd790b5f
Author: Antony Antony <antony at phenome.org>
Date: Wed Jan 9 10:03:27 2013 +0100
* testing: adding compile on east
commit 18b7f2ca7433623c3e4e3e615186fa234c48252d
Author: Paul Wouters <paul at libreswan.org>
Date: Tue Jan 8 19:02:24 2013 -0500
* documentation: better document HAVE_OCF in Makefile.inc
commit f3dd21396c7b3383290bf06454f7dbda7a1c53e7
Merge: 83bdac7 2217bf3
Author: Paul Wouters <paul at libreswan.org>
Date: Tue Jan 8 17:49:31 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 83bdac7932097526ff5063614787fdb6cb6195f2
Author: Paul Wouters <paul at libreswan.org>
Date: Tue Jan 8 17:48:56 2013 -0500
* testing: add testcase for no EOL on last line
commit 99513b380392ff58b77a982d2035909fba174a39
Merge: ae49483 2e1e0db
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Tue Jan 8 22:01:53 2013 +0100
Merge branch 'master' of vault.libreswan.org:/srv/src/libreswan
commit ae494838dfd124cedddd74bf9e6f775606bd5bea
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Tue Jan 8 22:01:06 2013 +0100
EOF at EOL condition; even better fix. Could SIGSEGV
commit 5ac8c4b45fd2b54d873668e77d85146f1c4e28d4
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Tue Jan 8 21:19:33 2013 +0100
Revert "To be checked by Paul with redhat connection"
This reverts commit 026705c5be4d3ed6958fa51d03ad6f9901bf548f.
commit cec871e3ca536880978c7c4ed1f536e8a1846f86
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Tue Jan 8 21:19:00 2013 +0100
Revert "This should fit Paul's redhat connection and match my roadwarrior tests"
This reverts commit dcbbbbc23e678aed68f95bdfbdcc81c4bc81b5d6.
commit 41abe31889f93cb1e29602156cb1c4656e8d37c2
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Tue Jan 8 21:18:22 2013 +0100
Revert "To be checked by Paul with redhat connection"
This reverts commit 9368dfa89508985b7c3ad4c9e1f2e263f81d45e6.
commit 30b22084a56c19fbabd036e8d8adc2d0a594671e
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Tue Jan 8 21:17:20 2013 +0100
Revert "* addconn: do DNS(SEC) lookup for case KH_IPHOSTNAME"
This reverts commit bfa4b9d76f19e7dd8d3736827f93f86a493eebca.
commit bc187be34fe05faff16b5c7f31588a8bbb664f31
Merge: 947ca83 da4c16f
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Tue Jan 8 21:01:21 2013 +0100
Merge branch 'master' of vault.libreswan.org:/srv/src/libreswan
commit 947ca838b3836ea0ef690c9c79d6ed7334b7d5f2
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Tue Jan 8 21:00:18 2013 +0100
EOF at EOL condition; best fix
commit 31d2694e9283f86ab75509acae7a507dfdb4e99e
Merge: 6e6d76a f3dd213
Author: Antony Antony <antony at phenome.org>
Date: Tue Jan 8 20:53:30 2013 +0100
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 6e6d76a53a5dc06cd691fc8ad3179c44b1b58599
Author: Antony Antony <antony at phenome.org>
Date: Tue Jan 8 20:52:57 2013 +0100
don't ipsec setup start instead pluto ...
commit 2217bf3513781bf89009ea7038d81e141c81f487
Author: Antony Antony <antony at phenome.org>
Date: Tue Jan 8 20:51:57 2013 +0100
beginning to add compile option
commit 2e1e0db6ae7a48dc2992f095e375b77cf79435b7
Merge: 32d9313 bc187be
Author: Antony Antony <antony at phenome.org>
Date: Tue Jan 8 18:47:35 2013 +0100
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 32d9313cc33ed24c2b5d4cec458ecc26f5b0ca40
Author: Antony Antony <antony at phenome.org>
Date: Tue Jan 8 18:45:31 2013 +0100
python swanprep instead of
source /testing/pluto/bin/eastlocal.sh
commit da4c16f95a38bf20bf6c55c39330b4400e48b9ba
Author: Antony Antony <antony at phenome.org>
Date: Tue Jan 8 16:32:53 2013 +0100
copy host specific ipsec.secrets
commit 905d4b6756d9c050275c429ff03c076ad4dab37c
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Jan 7 15:35:51 2013 -0500
* testing: suppress warning on ipsec setup stop with no ipsec.conf
commit e5d4355651a1ffdabaa807d1f08820bade3120df
Author: Paul Wouters <paul at libreswan.org>
Date: Sun Jan 6 17:12:24 2013 -0500
* testing: enable core dumps for pluto
commit 978eddd32a1a17f052e18cc636eafb384dca0cbb
Author: Paul Wouters <paul at libreswan.org>
Date: Sun Jan 6 16:43:42 2013 -0500
* testing: we need yum update to get the latest nss (on f17)
commit 8a2238c8278b27822058e2e24be697909a59e798
Merge: c5dab95 e082c05
Author: Paul Wouters <paul at libreswan.org>
Date: Sun Jan 6 16:24:43 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit c5dab95adaf99a96299607fc0d1743ba4cb2c96c
Author: Paul Wouters <paul at libreswan.org>
Date: Sun Jan 6 16:24:15 2013 -0500
* testing: ensure pluto does not get restarted by systemd on crash
commit e082c05539e86485cfdbba97704b78bfe4215927
Merge: 75aa6e8 597cb26
Author: Antony Antony <antony at phenome.org>
Date: Sun Jan 6 19:16:55 2013 +0100
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 75aa6e8acbb7ff2c74af1b0cd528604262fb35b7
Author: Antony Antony <antony at phenome.org>
Date: Sun Jan 6 19:16:15 2013 +0100
add strace to fedorabase.ks
commit 597cb26a3165e6ad15d15a341f51ae4a4775137a
Author: Paul Wouters <paul at libreswan.org>
Date: Sun Jan 6 12:31:40 2013 -0500
* ipsec status worked but also said "unknown command" due to missing exit 0
commit ff5c9c22ab8fcb069f10f95d0b86d71aaaa3810d
Author: Paul Wouters <paul at libreswan.org>
Date: Sun Jan 6 12:28:26 2013 -0500
* ipsec setup restart on systemd calls stop+start, not restart
because systemd refuses to run the start part of restart when the
system is already stopped.
commit 1d2635cb14d719515a306e1049b0b72b959b5580
Author: Antony Antony <antony at phenome.org>
Date: Sun Jan 6 17:06:10 2013 +0100
fix the test. weird thing: east also needs to be up for PSK to work
commit 3d7a29f6500ad19affd0c2e0691da5bc06c93ccb
Author: Antony Antony <antony at phenome.org>
Date: Sun Jan 6 16:40:34 2013 +0100
link /tmp/pluto.log /testing/pluto/<test>/OUTPUT/pluto.<host>.log
commit 72d254d580c83e73d294b18a48204486aab8c8ed
Author: Antony Antony <antony at phenome.org>
Date: Sun Jan 6 15:44:45 2013 +0100
a basic ikev1 psk test without including all /etc/ipsec.d/ipsec.conf.common
commit 987b8c863eec4f9d4497e14b1efea593b594ec64
Author: Antony Antony <antony at phenome.org>
Date: Sun Jan 6 15:42:56 2013 +0100
copy the general ipsec.secrets, not the specific one existing in the test dir
commit 76594a6d4e5cecdc8f608188143ef076221c7c6c
Merge: d079adc b8a6115
Author: Antony Antony <antony at phenome.org>
Date: Sun Jan 6 11:52:23 2013 +0100
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit d079adc7e6cf5831deb6a35a1f9c2ac61f0adfaa
Author: Antony Antony <antony at phenome.org>
Date: Sun Jan 6 11:49:16 2013 +0100
added test case ikev2-11-simple-psk without any includes.
commit d2e9dfaf4fa1245bc1ce3a291c6e1eec23b5064b
Merge: 5dde459 b8a6115
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 5 19:32:33 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 5dde459768c3c803e465c5cc93f5a0a9595298d7
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 5 19:17:56 2013 -0500
* updated changes
commit b3251e764c31f670cc40cca1cf65f3d47148ae01
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 5 19:09:06 2013 -0500
* SAref patches for Ubuntu kernel 3.2.0-33.52 [Simon]
commit b8a611540148b5d3c8a589ff8ef4a2ca9af61d1c
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Jan 5 03:02:42 2013 -0500
* remove log_with_timestamp_desired and add comment about _desired vars
We don't need the two-step setting from log_with_timestamp_desired to
log_with_timestamp, as there is no risk of using this before the
logging system is ready. As the comment explained:
* We read the intentions for how to log from command line options
* and the config file. Then we prepare to be able to log, but until
* then log to stderr (better than nothing). Once we are ready to
* actually do logging according to the methods desired, we set the
* variables for those methods
commit 0b04fc41f88a1c98f1f771d2252ab052db707d1b
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 5 02:29:43 2013 -0500
* remove pluto loglog() function from showhostkey.c
Still needs some stubs due to other issues in lswlog.c but no
longer needs lswlog.h
commit a072b9fbaae120fa89db3cb2792104a12741f5b3
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 5 02:17:29 2013 -0500
* spi: cur_debugging has no place outside pluto/whack
commit 6077002d4c12290629216f4d1f7a66a1485241b4
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 5 02:12:17 2013 -0500
* plutoalg.c leakage of libreswan_loglog()
pluto uses loglog() while the rest uses libreswan_loglog()
loglog() needs programs/pluto/log.h but libreswan_loglog() needs
include/lswlog.h. Someone mistakenly did the reverse in plutoalg.c
and fixed it by including the wrong include file.
(note the logging drama goes much deeper, but the diffs I have to fix
that are not yet ready to push)
commit a5a4de54650ba38a076acd79e846513589bbc665
Merge: d3ebcb1 8c11315
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 5 02:08:40 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit d3ebcb111dbc6f86b82440e1330f04419857b07a
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 5 02:07:23 2013 -0500
* pluto: was not logging all messages to file since libreswan 3.0
plutostderrlog= was not fully ported in, and not all logging
functions inside programs/pluto/log.c supported log_to_file.
commit 9e4a140daf7d43e43c76a297e130b88b9c5237b9
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 5 01:43:10 2013 -0500
* logging: vendorid leaked some info which should be under DEBUG only
commit 8c113159e19bfcc508ca1c5b281535313001159d
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Jan 4 11:36:57 2013 -0500
* Ensure the debian/ directory gets updated version numbers too
commit 491d38d625d2af9fb0d2a51329242d4c30f1d783
Author: Antony Antony <antony at phenome.org>
Date: Fri Jan 4 14:05:32 2013 +0100
added nss and unbound dependencies
commit 3a49276fb7d9d8edf8b1a2ca0d3752a256041851
Author: Paul Wouters <paul at libreswan.org>
Date: Thu Jan 3 14:05:06 2013 -0500
* update changes
commit dbf0e5be02ed7a214894c00275e867a1ca5fec03
Merge: 3bccac8 b0673a0
Author: Paul Wouters <paul at libreswan.org>
Date: Thu Jan 3 14:02:43 2013 -0500
Merge branch 'sa-stats'
commit 3bccac842565ae2e17915c629a356af2180ea23e
Author: Paul Wouters <paul at libreswan.org>
Date: Thu Jan 3 13:43:30 2013 -0500
* increase number of ike_info/esp_info entries
The alg_info_ike struct needed a bigger number in some cases
when 1DES was enabled (requires explicit recompile) causing a
crash. Bumped alg_info_esp while at it just to be safe.
commit 319bbfa0218e7151099555b64e2fa6f299b26775
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Jan 2 01:32:01 2013 -0500
updated changes with release date
commit 35f5d410ef858429f5ad8adaa840ce134af14641
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Jan 2 00:54:41 2013 -0500
* export IPSEC_CONF from the ipsec command
commit c00211359b44bf51a436a7189624843a7d14d4f1
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Jan 2 00:05:37 2013 -0500
* install: sysvinit changes for non-default install
commit e9be5ea898425cfbd7f0bc3c76c1697c277789c0
Author: Paul Wouters <paul at libreswan.org>
Date: Tue Jan 1 23:43:21 2013 -0500
* setup: also calls addconn and needs --config for non-standard install
commit 5b07bf26b4dd79cb5f3e2d2f761b96766ba5767b
Author: Paul Wouters <paul at libreswan.org>
Date: Tue Jan 1 23:37:16 2013 -0500
* second call to addconn was missing --config for non-default install location
commit 27f9f668edfda3285e5e1377e15b0d65027f371d
Author: Paul Wouters <paul at libreswan.org>
Date: Tue Jan 1 23:09:48 2013 -0500
* install: fix non-standard ipsec.conf installation issues.
addconn needs to get passed the --config option, via the ipsec
command. The same for _stackmanager which needs the location to
find the stack type. And the same for the systemd service file
commit 85964c8e47376baee57b4fa65af6e1efaeca8b9b
Author: Paul Wouters <paul at libreswan.org>
Date: Tue Jan 1 21:48:29 2013 -0500
* packaging: minor cleanup of spec files. Fixups new stable URLs
commit 0077791721cb81106e71f19c3d713a5845f4a6df
Author: Paul Wouters <paul at libreswan.org>
Date: Tue Jan 1 20:09:02 2013 -0500
updated credits
commit f5de082b7cfaff96655983f1d3517bca40c5d621
Merge: a691bb0 e6b466a
Author: Paul Wouters <paul at libreswan.org>
Date: Tue Jan 1 19:53:29 2013 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit a691bb00933d47b82a730dc327da727f102af725
Author: root <paul at libreswan.org>
Date: Tue Jan 1 19:52:09 2013 -0500
* add note on AUDIT in changes
commit bfa4b9d76f19e7dd8d3736827f93f86a493eebca
Author: root <paul at libreswan.org>
Date: Tue Jan 1 19:50:18 2013 -0500
* addconn: do DNS(SEC) lookup for case KH_IPHOSTNAME
commit e6b466a5ab01398245600b571dec1434648d7d87
Author: Paul Wouters <paul at libreswan.org>
Date: Tue Jan 1 16:29:24 2013 -0500
* update example sysctl.conf with some ipv6 settings
commit 71ce7ed8f6496560653a835508ba91e048cd429a
Author: Paul Wouters <paul at libreswan.org>
Date: Sun Dec 30 12:55:40 2012 -0500
* disable USE_LINUX_AUDIT in main branch
commit 0eba202091d2962dc7e87d3640bcc97bfbf806eb
Author: Antony Antony <antony at phenome.org>
Date: Sat Dec 29 08:10:02 2012 +0100
fix typos and use distutils.dir_util.copy_tre
commit 6af4cfde44717ef431d457c0d3a042e97b4865f9
Merge: dcbbbbc e6ef9d1
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Sat Dec 29 01:22:37 2012 +0100
Merge branch 'master' of vault.libreswan.org:/srv/src/libreswan
commit dcbbbbc23e678aed68f95bdfbdcc81c4bc81b5d6
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Sat Dec 29 01:21:19 2012 +0100
This should fit Paul's redhat connection and match my roadwarrior tests
commit e6ef9d159a06f620920ff3abf3f4a94743168c67
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Dec 28 13:30:19 2012 -0500
* testing: ported ikev2-05-basic-psk to new swanprep testing setup
commit 6cd9251b1dadb39c40107e7592ecc04a009c9928
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Dec 28 13:28:46 2012 -0500
* testing: swanprep: use -H for hostname, -h is builtin help with argparse
commit 62352c6649a617189c13a0efd361b4def542126f
Merge: 7a3d372 6d1a557
Author: Antony Antony <antony at phenome.org>
Date: Fri Dec 28 17:07:00 2012 +0100
Merge branch 'audit' of vault.foobar.fi:/srv/src/libreswan into audit
commit 6d1a55763fd15a435ca46aeb80b7418642d072ec
Merge: 6039d55 075fe44
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Dec 29 17:37:30 2012 -0500
Merge branch 'master' into audit
commit 075fe4472f490f7c2fd28eb41388de5bfc8cbc41
Merge: 0c96eca f6b0288
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Dec 29 17:37:19 2012 -0500
Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
commit 6039d557dcbccd5c18c8d727f05ed69785d6f2bc
Merge: 97239a5 41ac859
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Dec 29 17:36:57 2012 -0500
Merge branch 'audit' of vault.foobar.fi:/srv/src/libreswan into audit
commit 97239a5132c29684c550ac0265d068554f29b1bf
Merge: e9f5b59 0c96eca
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Dec 29 17:36:21 2012 -0500
Merge branch 'master' into audit
commit e9f5b59fd936b065e929d33168277fbb393ac85e
Merge: 1a550e0 e8012e0
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Dec 29 16:25:52 2012 -0500
Merge branch 'audit' of vault.foobar.fi:/srv/src/libreswan into audit
commit 1a550e0df67ed7ff1146e4e520e30759fd6d437b
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Dec 29 16:19:23 2012 -0500
* audit: for now, let's not abort pluto on startup at audit failures
We will re-enable this once we have written mode audit code
commit 0c96eca4ab2d5870166906536944ba0a80b3e43e
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Dec 29 16:14:48 2012 -0500
* Remove obsoleted IPSEC_EXECDIR env support
commit 6f5e0c485c1eb62fbbae35a6b9aac3f948811b13
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Dec 29 13:11:18 2012 -0500
* Remove obsoleted $IPSEC_CONFS
commit 138ec347a2a0782b31c3056e028146f7c268ffca
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Dec 29 12:57:45 2012 -0500
* Removed obsolete env var IPSEC_CONFDIR_VAR
commit c875af2274955285504ed4baabb5d46af49b20ab
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Dec 29 12:54:27 2012 -0500
* removed obsolete $IPSECsyslog
commit f6b02885ac4368c20fc482c36c2133935497b41f
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Dec 28 23:30:50 2012 -0500
* updated changes
commit 579494e03d5fbf1359742075cf264795eb943f3b
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Dec 28 23:21:45 2012 -0500
* pluto: honour plutostderrlog= natively now _plutorun is gone
plutostderrlog=/some/file was implemented by the _plutorun wrapper,
which redirected pluto --stderrlog output to the named file, obtained
from awk/sed calls on ipsec.conf. pluto itself had no concept of this
log file location.
This introduced the log file location to pluto, and adds the --logfile
argument to the pluto daemon. It also processes plutostderrlog= from
any config file given with --config
commit e8012e0863cb484ae3bb32b144ab5d6cf3d312c0
Merge: acb0b41 6af4cfd
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Dec 28 21:35:08 2012 -0500
Merge branch 'master' into audit
commit acb0b41b563ddc362c6b2866ab456b4df6341382
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Dec 28 13:30:19 2012 -0500
* testing: ported ikev2-05-basic-psk to new swanprep testing setup
commit 7529be5cc53ead4e27a0e6bf7a34dddcae4d2b9f
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Dec 28 13:28:46 2012 -0500
* testing: swanprep: use -H for hostname, -h is builtin help with argparse
commit 8ca77f767df5b8562baae7a0c4b582613921fd30
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Dec 28 01:16:57 2012 -0500
* testing: run "swanprep" to copy testfiles to proper place in VM
commit dc2929575a2bb3b367ef9c6f8137f088ad48d97f
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Dec 28 00:05:26 2012 -0500
* testing: source testparams.sh, not tparams.sh
commit 0f6dd6a0a4276a64be0bc844a1e5905ea194187f
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Dec 26 17:02:53 2012 -0500
* fix override for using sysv not upstart for rhel
commit 92dd28a38206c264740676a130ae0e894b7a99e7
Author: Antony Antony <appu at phenome.org>
Date: Fri Dec 28 13:42:58 2012 -0500
* audit branch: do not enable fips and labeled ipsec
commit 7a3d372ab8bfabcc87f5646240717f4fe67b9c79
Author: Antony Antony <antony at phenome.org>
Date: Fri Dec 28 17:05:22 2012 +0100
testing linux audit call
commit 026705c5be4d3ed6958fa51d03ad6f9901bf548f
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Fri Dec 28 16:42:00 2012 +0100
To be checked by Paul with redhat connection
commit 9368dfa89508985b7c3ad4c9e1f2e263f81d45e6
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Fri Dec 28 16:26:57 2012 +0100
To be checked by Paul with redhat connection
commit b9656a3a6c0a1a1cdf2687c508ac9cae38000a4d
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Fri Dec 28 16:22:13 2012 +0100
improve diagnostic for loglog(RC_ORIENT, connection must specify host IP address for our side)
commit 91a973a3849f4b84f2bfae079fab74dd4eb41b90
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date: Fri Dec 28 16:18:32 2012 +0100
resolve_defaultroute_one was wrongly setting parse_src=0 when no {left|right}nexthop
commit 41ac859014d5cb540c3473abc7dffa41624c7cb3
Author: Antony Antony <antony at phenome.org>
Date: Fri Dec 28 16:07:18 2012 +0100
add audit-libs-devel
commit 94dc00b84aa6fc88c2a99ee1dee2376f01df470a
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Dec 28 01:16:57 2012 -0500
* testing: run "swanprep" to copy testfiles to proper place in VM
commit f2c216bd7f3d1db12b1c2c47bc9ba99304f4ae1f
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Dec 28 00:05:26 2012 -0500
* testing: source testparams.sh, not tparams.sh
commit 76b8eb7c61590dfbe1fe1b8f14cd608027db7aa0
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Dec 26 17:02:53 2012 -0500
* fix override for using sysv not upstart for rhel
commit b0673a022e3c4295ba12989f211d36c22b26065d
Merge: fa036c8 524be4e
Author: Paul Wouters <paul at libreswan.org>
Date: Tue Dec 25 15:23:08 2012 -0500
Merge branch 'master' into sa-stats
commit 70403b646233a58e855949e3ec4b363be920e768
Merge: 70bf68d 524be4e
Author: Paul Wouters <paul at libreswan.org>
Date: Tue Dec 25 15:22:30 2012 -0500
Merge branch 'master' into audit
Conflicts:
packaging/fedora/libreswan.spec
commit fa036c88e3f807a3101509dc220c8682bf211041
Author: Wes Hardaker <opensource at hardakers.net>
Date: Sat Dec 22 10:44:13 2012 -0800
print ah and ipcomp data too
commit 786aee35df273dd3e0903c172dcd7d390c4a7424
Author: Wes Hardaker <opensource at hardakers.net>
Date: Sat Dec 22 09:43:23 2012 -0800
log ah and ipcomp data too
commit ed1ca2c23ba0f296f535dc732f92e5122c2000eb
Author: Wes Hardaker <opensource at hardakers.net>
Date: Sat Dec 22 09:31:50 2012 -0800
only log down info on ESP usage
commit 292123162b1db9e7d31f507a5e8bc5105034d585
Author: Wes Hardaker <opensource at hardakers.net>
Date: Sat Dec 22 09:26:22 2012 -0800
humanize the down output traffic information too
commit e2fff38821a2ba81e8cffe3ff38d13556870ec37
Author: Wes Hardaker <opensource at hardakers.net>
Date: Sat Dec 22 09:19:28 2012 -0800
print humanized numbers for in/out traffic on auto --status
commit 68aaf930e51f9cf075ce2c07bf53d112d95a5b1a
Author: Wes Hardaker <opensource at hardakers.net>
Date: Sat Dec 22 09:04:39 2012 -0800
Print in/out/max bytes properly
commit 3392d69dc0eb6851286dc48c3d04e65db6d02216
Author: Wes Hardaker <opensource at hardakers.net>
Date: Sat Dec 22 08:50:41 2012 -0800
log traffic information in a better way
commit f3c27c57095adfcbaaa6a45556637c69e13ddc3c
Author: Wes Hardaker <opensource at hardakers.net>
Date: Thu Dec 20 09:01:34 2012 -0800
initial stab at printing statistics
commit 70bf68deda87ee6ea9fc72057839d3ccb48fe76d
Merge: ed2ac56 1d7ff88
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Dec 12 19:04:41 2012 -0500
Merge branch 'master' into audit
Conflicts:
CHANGES
packaging/fedora/libreswan.spec
commit ed2ac56ce6e71b0c4537dfffaa1e5b1b981826a6
Author: Paul Wouters <paul at libreswan.org>
Date: Tue Dec 4 09:42:30 2012 -0500
updated changes
commit c225588ab32093336be30caa4a25961c98a52924
Author: Paul Wouters <paul at libreswan.org>
Date: Tue Dec 4 09:40:03 2012 -0500
* Don't set XAUTH as policy based on receiving XAUTH VID
As some ipsec clients (eg strongswan) send these vendor ids
even when they are not planning or allowing XAUTH in the
connection. Instead, we rely on our loading of the connection
to set the XAUTH policy on the connection.
commit 3111464867ae74e8ccef4f6f0cc59db0ca88e87d
Merge: 655f0b2 54c516c
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Dec 3 21:47:53 2012 -0500
Merge branch 'master' into audit
Conflicts:
Makefile.inc
programs/pluto/plutomain.c
commit 655f0b20fc7492c415e2d5dcf95f149bf128db28
Author: Paul Wouters <paul at libreswan.org>
Date: Mon Dec 3 11:14:15 2012 -0500
* Set POLICY_XAUTH when receiving XAUTHInitPreShared / XAUTHInitRSA
commit 6151f47821b0577092842cc8c503e55849da2993
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Nov 30 18:37:59 2012 -0500
* Initial Linux audit support and test message
commit df2ccdd849e78116f38e341e3ce90058d054c6ee
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Nov 30 18:37:21 2012 -0500
* fix hunk
commit 701512a3ba98e1503dee705734c2fe23a28b4aea
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Nov 30 18:10:04 2012 -0500
* forcebusy.xml > force_busy.xml
commit 523aa3ef556939d39f99eef0c59f7d83b3747d6a
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Nov 30 17:35:22 2012 -0500
* add "FATAL" to error when failing fips mode and aborting
commit e5c7ed9f43ec23f3ed69ef2df7823fdddeb454b3
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Nov 30 17:32:34 2012 -0500
* Display whether fips support is compiled in on startup
Similar to the other USE_XXX options.
Also, display when support is compiled in, but pluto is not running
in fips mode.
commit 2ad672346ea108d54331b58c3f27ad5b30ae4646
Author: Paul Wouters <paul at libreswan.org>
Date: Fri Nov 30 17:29:33 2012 -0500
* Log NSS success via libreswan_log(), not via RC_LOG_SERIOUS
This prevents a spurious message by pluto at startup