[Swan-commit] Changes to ref refs/heads/addresspool

Antony Antony antony at vault.libreswan.fi
Sat Mar 9 15:38:53 EET 2013


New commits:
commit 3a00a0c87e11098a1f4237490f35e6476282d916
Merge: 409d7a0 2c03d72
Author: Antony Antony <antony at phenome.org>
Date:   Sat Mar 9 15:17:22 2013 +0200

    Merge branch 'master' into addresspool
    
    Conflicts:
    	programs/pluto/demux.h
    	testing/guestbin/swan-prep
    	testing/x509/dist_certs

commit 2c03d725571a9750f2961b556f09a597520a0973
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 9 00:13:09 2013 -0500

    * IKEv1: Only mark peer as fragment capable after assembling a fragment
    
    We used to mark a peer as fragment-capable after receiving a first
    fragment. Now we wait until we have assembled a full IKE packet from
    fragments.
    
    Regardless, when we receive the vendorid we deem them fragment capable.
    In theory this could be spoofed, but an attacker that can modify packets
    can do a DoS anyway.

commit 934a4944d6edd7a5aeac9fd7ed2e03f664da9d42
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 9 00:12:34 2013 -0500

    * IKEv1: Don't process incoming fragments with ike_frag=no

commit 06b26d0c2b76e9abee5816d88c5cdcd90d741b1c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 21:59:21 2013 -0500

    * pluto: fix log message causing crash on INVALID_COOKIE
    
    Introduced a few commits ago by me using a wrong:
    
    	(st == NULL) ? st->st_msgid : ""
    
    (I paid for it with a few hours of my time)

commit 4d226e7c78305fe8b6554718bb06e1959c80a78c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 19:32:10 2013 -0500

    * ipsec.conf: Add documentation for ike_frag= option

commit e8f212ba5029ea093ff160058ded237e5ae75caf
Merge: d3459cf b771ac1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 19:15:35 2013 -0500

    Merge branch 'fragmentation' of vault.foobar.fi:/srv/src/libreswan into fragmentation

commit b771ac179fab828f4e35d964c3cf472b5217d440
Merge: 9748787 cd4aa64
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 19:15:07 2013 -0500

    Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into vault_fragmentation
    
    Conflicts:
    	testing/guestbin/swan-prep

commit 97487873be3fd2846dd3f17b3bf9cea40938b735
Merge: 0b6b498 54ec872
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 19:14:13 2013 -0500

    Merge branch 'fragmentation' into vault_fragmentation

commit d3459cfda7a02bc946c251384af4e184be2a127a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 19:12:25 2013 -0500

    * vendor.c: mark st UNUSED in handle_known_vendorid

commit cd4aa6479bd9dfe7dfdc8583d743e402987161c5
Merge: 0b6b498 42a46c4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 18:57:55 2013 -0500

    Merge branch 'master' into fragmentation
    
    Conflicts:
    	programs/pluto/demux.h
    	testing/guestbin/swan-prep
    	testing/x509/dist_certs

commit 42a46c43be90dda2c9054312ea6ebf915adeabbd
Merge: 61bd40d e0c6962
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 18:52:17 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 61bd40dfbe10337f65e7f690508850a49857e872
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 18:49:18 2013 -0500

    * pluto: fixup pthread locking using lock_certs_and_keys()/unlock_certs_and_keys()
    
    The code using lock_certs_and_keys()/unlock_certs_and_keys() was commented
    out because it depended on LIBCURL which is not always present. A "fixme"
    warning was issued.
    
    But only the CRL code should depend on LIBCURL. So I re-instated the
    pthread locking by moving these functions from programs/pluto/fetch.c
    to lib/libswan/secrets.c

commit 54ec872a12a81ed3003155b35ec0d433ad9b362c
Merge: 2b997d7 961dc4e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 18:32:24 2013 -0500

    Merge branch 'master' into fragmentation
    
    Conflicts:
    	programs/pluto/demux.h
    	testing/guestbin/swan-prep
    	testing/x509/dist_certs

commit e0c6962f636408cdd4600177c5ff0acd1284efe0
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Mar 8 23:36:08 2013 +0200

    scripts: fix ipv6 default route split

commit be31894a46c6af0fea62e41c49c24d22ffe8f28a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 14:15:20 2013 -0500

    * pluto: Add pthread mutex locks to some logging functions
    
    Some logging functions are calling non re-entrant functions. Until we've
    caught them all, use a mutex to ensure threads aren't accessing them at
    the same time.
    
    Functions changed: libreswan_log() DBG_log() loglog() and fmt_log()

commit 12acc276f502ec0c9379cba5be158e22cbd1c28e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 13:51:48 2013 -0500

    * clarify logging example in ipsec.conf

commit 00c8c8e3a0918145b382370c7c08405906266e06
Merge: 2a97164 961dc4e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 13:46:54 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 2a9716410c34e9786770d846ca6d6d53515bd197
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 13:42:50 2013 -0500

    * log XAUTH username on same line as Traffic statistics
    
    In ipsec auto --status it shows up as:
    
    000 #2: "redhat" esp.e4432d35 at 66.187.233.55 esp.a9433c16 at 172.20.10.2 tun.0 at 66.187.233.55 tun.0 at 172.20.10.2 ref=0 refhim=4294901761 XAUTHuser=pwouters Traffic: ESPin=474B ESPout=336B ESPmax=4095GB
    
    when the connection goes down, it shows up as:
    
    "redhat" #2: deleting state (STATE_QUICK_I2)
    "redhat" #2: ESP traffic information: in=474B out=336B XAUTHuser=pwouters
    
    Also, make humanize_number() static

commit 5b725c34ae3477c326474319a367f05171d7178c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 7 19:43:01 2013 -0500

    * Removed xfrm xuctx security context log message with incomplete format string

commit 961dc4eb72c221b6fa13c3799dc5b52a5305ba93
Merge: 4d7ce94 bd44e1c
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Mar 7 22:05:20 2013 +0200

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit bd44e1c18d1315f163655e324a5f14a34d830176
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 7 14:34:32 2013 -0500

    * Bug 73 - extra logging from dpd packets after commit d18825150b
    
    Fixed, and added a comment to ensure this isn't 'fixed' again.

commit 5627bf955e2f207c0097f0e3f45212da8e3c060d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 7 14:17:04 2013 -0500

    * threads: protect crypt() with a mutex
    
    crypt_r requires -D_GNU_SOURCE. Not sure crypt_r is implemented under
    OpenBSD and FreeBSD.  crypt requires -D_XOPEN_SOURCE and thus should
    be implemented on every Unix/Unix-like. The pthread library is even
    implemented under Windows/Cygwin. It is implemented on Linux/HP-UX/Tru64
    (both HP's Unix). So the pthread library should as well be under
    OpenBSD/FreeBSD.
    
    Patch by Philippe Vouters <philippe.vouters at laposte.net>
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit bdddc287874d7fe9a36c3ce6f66f93f37e7a7da4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 7 14:07:31 2013 -0500

    * xauth: crypt() can return NULL (ie in FIPS mode)

commit a1f1b5815cee2327183045d09d50cdf1a8c3f5cc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 7 14:05:51 2013 -0500

    * audit: add comment about false positive valgrind warning

commit 713deb1a7294f59134eda52a8eef1d14106dadbe
Merge: 5ede192 5291079
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 7 11:55:31 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 4d7ce94fd7f245ccfcb1d7ac3ee3afa2517aba71
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Mar 7 11:23:27 2013 +0200

    scripts: remove whitespaces at end of the line

commit 52910798b6c8d81e3c57194901fc0397528ec846
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Mar 7 11:10:35 2013 +0200

    scripts: fix hardcoded path in ipsec.in

commit fb534e5dc42faa26ede1331fb6e4365c8cebc091
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Mar 7 11:04:52 2013 +0200

    initsystem: fix bashism in init scripts

commit ef11afa8971af1c5b4c2fd1039c89a0b94a6d08a
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Mar 7 11:01:18 2013 +0200

    scripts: cleanup ipsec script and fix one bashism.

commit 5ede19293a9f604923dd135214258bbfe2c92ca5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 23:15:49 2013 -0500

    * simplify PK11_Derive_lsw() and squash a warning about an unreachable switch default

commit 819b129f617f94b27bbcd9f80ba51d491340091f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 23:46:38 2013 -0500

    * sprinkled a few passert()s to ensure conn name is not NULL

commit 578e6c4ad6d8c65182c27998b5526e2feb50dde4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 6 17:31:23 2013 -0500

    * added testcase for basic-pluto-01 with valgrind

commit 4103f3b8a6b9a9dcaa51301c82cda5eb7fd381c0
Merge: cb798e0 e25f507
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 6 15:41:10 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit cb798e0817fa5bf2a193dd0d158c860ba7ddfe18
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 6 15:37:30 2013 -0500

    * pluto: display the number of loaded/active connections in status
    
    000 "redhat":   prio: 32,32; interface: bnep0; metric: 0, mtu: unset;
    000 "redhat":   newest ISAKMP SA: #1; newest IPsec SA: #2;
    000 "redhat":   IKE algorithms wanted: AES_CBC(7)_000-SHA1(2)_000-MODP1536(5), AES_CBC(7)_000-SHA1(2)_000-MODP1024(2)
    000 "redhat":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5)AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
    000 "redhat":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1536
    000 "redhat":   ESP algorithms wanted: AES(12)_000-SHA1(2)_000; pfsgroup=MODP1024(2)
    000 "redhat":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
    000 "redhat":   ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=MODP1024
    000
    000 Total IPsec connections: loaded 1, active 1
    000
    000 #2: "redhat":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 85643s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate

commit e25f5079936682e1add8e8c0362497750c300ca4
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 6 21:56:17 2013 +0200

    fix typo in d18825150b042f7dbe2c25e85b1c0b6a949a663a

commit b4bbff0949ee9b5f225669b4cb6ec7058fc2e359
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 6 21:28:18 2013 +0200

    init.debian.in: fix wrong variable expansion

commit 4d75cf59b1b8264294c0d95d6f282c59ce672b83
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 6 21:21:36 2013 +0200

    plutorun: use correct variable for config file

commit 9664adc5d309055b1016d177f615aaf2241d69a4
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 6 21:18:30 2013 +0200

    stackmanager: remove extra then and finalize cleanup

commit 982e36711df044604e48a1a700cd1940a4b4c202
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 6 20:36:09 2013 +0200

    add changelog entry for bug#50

commit 6d534f25b26ade55c4c18c4029a85f7f610188bf
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 6 12:49:57 2013 -0500

    KLIPS: fix kmod building for rhel/fedora spec file versioning with arch

commit c382317f1e21a0939a1f01d7e9f29efd81066f15
Merge: d5a9176 ec3054f
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 6 17:33:53 2013 +0200

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit d5a917623ce2fb58ca254dd9013c7c7a5532aa70
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 6 17:31:00 2013 +0200

    scripts: big script cleanup unifying coding style to new one where possible.
    This cleanup also fixes multiple bugs in scripts.
    Also this should fix libreswan bug #50.

commit 0b6b498f8f80782929583b7fe6a28daba058eae0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 20 10:53:51 2013 -0500

    * fragmentation: Remove spurious Racoon non-ESP marker
    
    During testing we found that racoon sometimes adds a bogus non-esp marker
    to the IKE packet. This confuses libreswan, because it causes the ICOOKIE
    to not match to an existing state.
    
    We assume now that if the ICOOKIE starts with 00 00 00 00, that it is
    such a bogus marker, and we use out_raw() to remove the 4 bytes from
    the packet stream. However, it still looks like racoon gets it wrong,
    because the ISAKMP header is still not properly formatted.
    
    We're still investigating
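
The marker-stripping heuristic this commit describes, as an added C example that is not libreswan's code: it parses the fixed RFC 2408 ISAKMP header and skips a leading non-ESP marker only when the datagram does not parse in place but does parse once the four zero bytes are removed, with the header's length field checked against the datagram length. That is stricter than testing only whether the ICOOKIE starts with 00 00 00 00, which would also mangle a genuine cookie that happens to begin with four zero bytes. The struct and function names are mine, `build_sample` fabricates packets for the demonstration (they are not a capture), and the initiator cookie it uses is the one from the tcpdump output in commit 738701a further down. Nothing here claims to repair the malformed header the commit says racoon still sends afterwards.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN     28   /* RFC 2408 fixed header */
#define NON_ESP_MARKER_LEN 4    /* RFC 3948: four zero bytes before IKE on UDP 4500 */

struct isakmp_hdr {
    uint8_t  icookie[8];
    uint8_t  rcookie[8];
    uint8_t  next_payload;
    uint8_t  version;       /* major nibble, minor nibble: 0x10 is 1.0 */
    uint8_t  exchange_type;
    uint8_t  flags;
    uint32_t msgid;
    uint32_t length;        /* whole message including this header */
};

static uint32_t get_be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Parse the header at buf and sanity check it against the datagram length.
 * Only IKEv1 (major version 1) is accepted here. */
bool parse_isakmp_hdr(const uint8_t *buf, size_t len, struct isakmp_hdr *h)
{
    if (len < ISAKMP_HDR_LEN)
        return false;
    memcpy(h->icookie, buf, 8);
    memcpy(h->rcookie, buf + 8, 8);
    h->next_payload  = buf[16];
    h->version       = buf[17];
    h->exchange_type = buf[18];
    h->flags         = buf[19];
    h->msgid         = get_be32(buf + 20);
    h->length        = get_be32(buf + 24);
    if ((h->version >> 4) != 1)
        return false;
    return h->length == len;   /* a stray marker shifts this field and breaks the match */
}

/* Returns the offset of the ISAKMP header: 0 for a normal packet, 4 when a
 * bogus non-ESP marker had to be skipped, -1 when neither reading parses.
 * The unshifted reading is tried first, so a cookie that genuinely starts
 * with 00 00 00 00 is not stripped. */
int locate_isakmp_header(const uint8_t *pkt, size_t len, struct isakmp_hdr *h)
{
    static const uint8_t zeros[NON_ESP_MARKER_LEN] = { 0 };

    if (parse_isakmp_hdr(pkt, len, h))
        return 0;
    if (len >= NON_ESP_MARKER_LEN + ISAKMP_HDR_LEN &&
        memcmp(pkt, zeros, NON_ESP_MARKER_LEN) == 0 &&
        parse_isakmp_hdr(pkt + NON_ESP_MARKER_LEN, len - NON_ESP_MARKER_LEN, h))
        return NON_ESP_MARKER_LEN;
    return -1;
}

/* Constructed sample: a main mode (exchange type 2) first message with the
 * given initiator cookie, body_len bytes of 0xAA filler and, optionally, a
 * leading non-ESP marker. Returns bytes written, 0 if out is too small. */
size_t build_sample(uint8_t *out, size_t cap, bool with_marker,
                    const uint8_t icookie[8], size_t body_len)
{
    size_t off = with_marker ? NON_ESP_MARKER_LEN : 0;
    size_t total = ISAKMP_HDR_LEN + body_len;

    if (cap < off + total)
        return 0;
    memset(out, 0, off + total);
    uint8_t *h = out + off;
    memcpy(h, icookie, 8);            /* responder cookie stays zero in message 1 */
    h[16] = 1;                        /* next payload: SA */
    h[17] = 0x10;                     /* version 1.0 */
    h[18] = 2;                        /* exchange type: identity protection */
    put_be32(h + 20, 0);              /* phase 1 message ID is zero */
    put_be32(h + 24, (uint32_t)total);
    memset(h + ISAKMP_HDR_LEN, 0xAA, body_len);
    return off + total;
}

int main(void)
{
    /* initiator cookie taken from the tcpdump line in commit 738701a */
    static const uint8_t ck[8] = { 0xf7, 0x49, 0x04, 0x49, 0xd6, 0x83, 0x1c, 0xa1 };
    uint8_t pkt[128];
    struct isakmp_hdr h;

    size_t n = build_sample(pkt, sizeof pkt, true, ck, 20);
    int off = locate_isakmp_header(pkt, n, &h);
    printf("header at offset %d, length field %u\n", off, (unsigned)h.length);
    return off == NON_ESP_MARKER_LEN ? 0 : 1;
}
```

Because the length field is part of the check, a packet that is simply truncated fails both readings and is reported as unparseable rather than being misread as marker-prefixed.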

commit 2b997d71d48c9ed794aaebd25beea69a3e51871c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 16 15:25:11 2013 -0500

    * DPD: clarify log message is about a DPD event

commit 6f3c006ba72cecb30234264c01302126e73c2235
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Fri Feb 15 14:53:06 2013 +0100

    * removed redundant vendor id logging
    
    the used vendor id will be logged twice because of a removed return
    in 75269b8de30ae6368c41d5c53e25631ed2e20cc8
    
    e.g.
    
    received Vendor ID payload [RFC 3947]
    received Vendor ID payload [RFC 3947]

commit 738701a89b3e391b5773fcc4f8ac7b49203e9694
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Fri Feb 15 10:59:45 2013 +0100

    * IKEv1: fragmentation never fragment initial main mode packet
    
    If the first packet is fragmented the peer ignores it
    
    "packet from 10.0.11.203:500: received IKE fragment, but have no state.
    Ignoring packet"
    
    This can either happen with force on or when pluto
    changed the policy to force after receiving a fragmented packet and the
    initiator starts the phase one rekeying.
    
    The first packet exceeds ISAKMP_FRAG_MAXLEN fast with all the proposals
    and vendorids.
    
    10:05:15.519781 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 640)
        10.0.11.203.isakmp > 10.0.14.204.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie f7490449d6831ca1->0000000000000000: phase 1 I ident:
        (sa: doi=ipsec situation=identity
            (p: #0 protoid=isakmp transform=12
                (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp2048)(type=keylen value=0080))
                (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp2048)(type=keylen value=0080))
                (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp2048))
                (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp2048))
                (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1536)(type=keylen value=0080))
                (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1536)(type=keylen value=0080))
                (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1536))
                (t: #7 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1536))
                (t: #8 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1024))
                (t: #9 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1024))
                (t: #10 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1024)(type=keylen value=0080))
                (t: #11 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1024)(type=keylen value=0080))))
        (vid: len=12 4f454e584468416b74625a76)
        (vid: len=16 afcad71368a1f1c96b8696fc77570100)
        (vid: len=16 4048b7d56ebce88525e7de7f00d6c2d3)
        (vid: len=16 4a131c81070358455c5728f20e95452f)
        (vid: len=16 7d9419a65310ca6f2c179d9215529d56)
        (vid: len=16 90cb80913ebb696e086381b5ec427b1f)
        (vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
        (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)


