[Swan-commit] Changes to ref refs/heads/hugh-wip

Paul Wouters paul at vault.libreswan.fi
Wed Nov 27 02:37:11 EET 2013


New commits:
commit 0342fcc294599fb419478eea20680911521798f6
Merge: dc2fb3d 677f256
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Nov 26 19:36:57 2013 -0500

    Merge branch 'hugh-wip' of vault.libreswan.org:/srv/src/libreswan into hugh-wip

commit dc2fb3db2902d1a6d9c5fd566bfc016d8f019564
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Nov 26 19:36:34 2013 -0500

    Comments: Clarified some IKEv2 delete SA code

commit 8f9e0345f3cc546a9d235d1ba6139098d0959a07
Merge: 05ebb0e daf45e1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Nov 26 14:14:06 2013 -0500

    Merge branch 'master' into hugh-wip
    
    Conflicts:
    	lib/libswan/lswconf.c

commit 05ebb0eb2493f9c8d6473d996c6732e765177bd7
Merge: 7db45e3 6561b56
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Nov 26 13:57:54 2013 -0500

    Merge branch 'hugh-wip' of vault.libreswan.org:/srv/src/libreswan into hugh-wip

commit daf45e1b7e22c9346778af9a89bc6e7cd197db94
Merge: 2b3082a cd36d5d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 25 13:24:26 2013 -0500

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 2b3082a7cd787c4c6e285257706404759901fae4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 25 13:24:02 2013 -0500

    testing: added sanitizer labeled-ipsec.sed

commit cd36d5d19290fd8dbd9102c10d8226e439641bc5
Author: Matt Rogers <mrogers at redhat.com>
Date:   Sun Nov 24 22:08:17 2013 -0500

    x509: Minor formatting cleanup

commit ecd8ec090a8c6c50b2d3137aff6bbf6d5d9c69eb
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Nov 23 13:25:24 2013 -0500

    testing: updated three more test cases

commit aef70a8d0860d768c107a6483ec76e1cc989daaf
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Nov 22 14:57:17 2013 -0500

    testing: added basic-pluto-13 for esp=cast128
    
    It seems NETKEY/XFRM also does not support this (anymore? yet?) or there is a bug
    with respect to the name (cast vs cast128?)
    
    "westnet-eastnet-cast128" #2: ERROR: netlink response for Add SA esp.fe470ce2 at 192.1.2.45 included errno 38: Function not implemented

commit 7aff57ee134840e0bfc851f366e87be1f46c8c61
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Nov 22 14:42:49 2013 -0500

    testing: added basic-pluto-12 which tests esp=camellia

commit 90fac12b4770bcb2ccb25db8fb656e9ee80c24ab
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Nov 22 11:32:59 2013 -0500

    updated changes

commit 3e261712ebc05e1396b793bfccdc936414ba4bfd
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Nov 22 11:30:55 2013 -0500

    KLIPS: Claim we do namespaces to make it work for the simple host case

commit ace99bdab9145cd23ce6cb5f1590291d34193be2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 23:56:22 2013 -0500

    updated changes

commit 1e81bff423242ca8e314a94eae4a858570be1729
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 23:55:24 2013 -0500

    KLIPS: PDE_DATA() is also needed on 3.9 kernels

commit 3d9561b957507c81d2c01fa90e25beee1d6948fd
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 23:46:29 2013 -0500

    testing: remove all testparams.sh so test uses default-testparams.sh

commit 25d1d7576030cd86208e593e3120a899b7531a4a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 23:43:59 2013 -0500

    testing: fixup 3 more test cases

commit 432f79d1cf6e54bf08c388decbbfd55ce7b6db94
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 23:23:40 2013 -0500

    testing: fixup ikev2-major-version-initiator
    
    Note that we currently only log:
    
            Informational Exchange must be encrypted
    
    We should show more details, in this case it would reveal the true
    error is INVALID_MAJOR_VERSION

commit 93e80fb1cd1ebce0a271bea3433d38ba19ed4a92
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 22:00:17 2013 -0500

    ikev2: created build_ike_version() to consolidate IKE version code

commit b602a672fd930ec9b7fcd0d35e8480fedb365910
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 21:59:22 2013 -0500

    testing: added new syntax of ping to fixups/host-ping-sanitize.sed

commit e55d607afa7b2ae0c35cf6a2c14afc57594f6d03
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 21:58:54 2013 -0500

    testing: added labeled-ipsec.sed to default-testparams.sh

commit e32250a268009c4cd41d14bb0f6145cb21343f67
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 21:58:30 2013 -0500

    testing: updated output for ikev2-01-fallback-ikev1

commit 9da583f1c1d045a7914b12447ce599bd584f65ad
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 21:57:41 2013 -0500

    testing: updated output for basic-pluto-0[1234]

commit d98b6946e6c97c848966cc50bc502cf3e6c16499
Merge: 349d03d c3699d4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 21:54:10 2013 -0500

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 349d03df5392dd92049abdc494891be5c049a1ac
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 21:53:53 2013 -0500

    updated changes

commit 96495d1c78c205b9e08b3567b150514177895866
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 21:51:08 2013 -0500

    NETKEY: Add esp=twofish and esp=serpent as valid ESP algorithms

commit 0a66406546c0afd200d5d07a61522173c045bd0f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 21:49:17 2013 -0500

    testing: fixed twofish and added serpent test case

commit 5efb4553050a2511656fee152a0f1a52be48d59e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 20:21:58 2013 -0500

    testing: fixup add filter for new AVX or AES-NI kernel output

commit c3699d4353fe2e21337cefeef0e36a1b8a909d60
Merge: 733887c 0dd632b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 15:54:48 2013 -0500

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 733887c08e0c074b6d6660c3a7e649c353bd03e8
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 11:57:59 2013 -0500

    update changes

commit 88ed7600fb8581514b80a56aececd2b54fba4e4e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 21 11:56:26 2013 -0500

    barf: don't load l2tp kernel modules and use new syntax (rhbz#1033191)

commit 0dd632bddddca70eff73e07ece9f77f7adb35314
Merge: 47dd412 1688f77
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Nov 20 12:18:53 2013 -0500

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 47dd41230049daff941a8429e6791ce9badaf554
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Nov 20 12:17:30 2013 -0500

    testing: don't bring up dhcp/eth3 on nic per default on fedora/rhel
    
    It causes us to route the eastnet when pinging from north, introducing
    the eth3 IP in the output. Leave it there to manually bring it up.

commit 1688f7768c0dacf371a7df6a32cc39981c91b3ab
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Nov 20 12:15:01 2013 -0500

    testing: support a global testparams.sh
    
    If there is no per-test version, use the global one. This gets rid
    of most testparams.sh per test and makes it easier to add a filter
    to all tests (e.g. like I just did for labeled_ipsec and a different
    ping output)

commit e0b6ac07279d65e3103ba5b6bfe27674c0826e96
Merge: 2687153 bd2e9ba
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Nov 19 18:28:11 2013 -0500

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 26871534ff8b4581c50004844d8387967e74d7f1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Nov 19 18:23:27 2013 -0500

    testing: log labeled_ipsec info as "no" to ease testing output
    
    This makes testing output the same regardless of whether we were
    compiled with USE_LABELED_IPSEC (which requires SELinux which is
    not available on debian/ubuntu)

commit 76ba9e855301a574f8c1167920ed6fc44c5c6171
Merge: efead90 bd2e9ba
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Nov 19 17:52:41 2013 -0500

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit bd2e9ba3381f9f78a4368d0155db916e974929ac
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Nov 19 19:44:24 2013 +0200

    CHANGES: 87edb2e1813fd320ce7b85711b1f92ad905c12cd

commit 87edb2e1813fd320ce7b85711b1f92ad905c12cd
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Nov 19 19:41:42 2013 +0200

    setup: fix systemd init detection

commit 7829e69bc32c68cc35b921fcdd83b6d84cdb97d0
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Nov 19 18:16:44 2013 +0200

    CHANGES: b89d42d3fbbdaaef13883ef02bf9f295155075b6

commit b89d42d3fbbdaaef13883ef02bf9f295155075b6
Author: Natanael Copa <ncopa at alpinelinux.org>
Date:   Tue Nov 19 15:25:41 2013 +0000

    initsystems: fix typo in openrc script
    
    Signed-off-by: Tuomo Soini <tis at foobar.fi>

commit efead90bd34bb634e827a42492a7385a10155a06
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 18:25:42 2013 -0500

    testing: known good output for replay-authip-01

commit 55efcab981bc38c6540ce35d075319b6e6dd2b0a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 17:50:40 2013 -0500

    ikev2 impair testing: remove use of hardcoded IKEv2 BUMP defines
    
    Use DBGP(IMPAIR_MINOR_VERSION_BUMP) and DBGP(IMPAIR_MAJOR_VERSION_BUMP)
    instead.

commit 64f7454f2b68414438077771d532be615e0fa9eb
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 17:44:52 2013 -0500

    testing: update ikev2-major-version-initiator

commit fc8d5aee00c7814d67932b87f3e155f89af084cb
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 16:04:34 2013 -0500

    updated changes

commit c24864394729bfea0cff597bee7dbefb61199d50
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 16:03:22 2013 -0500

    ikev2: in R1 don't copy their IKEv2 minor for our reply packet
    
    They might be running IKE 2.1 while we only do 2.0, so our reply
    should be based on our minor, not theirs.

commit b99e6aa5b1d2dddf910b15562c60d4559427526a
Merge: 13f9419 6a5e804
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 15:59:56 2013 -0500

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 13f9419eef2ec91791f88f3dd26a54205c5a315d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 15:59:04 2013 -0500

    testing: added two new console outputs for dpd-04

commit 353c940917c7617d5b26e03056ef3f39071d9f9b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 15:58:12 2013 -0500

    testing: added replay-authip-01 test case
    
    This tests a crasher found only in libreswan-3.6

commit 6a5e804f408bcdef564bb6756f4f2389ba270d13
Merge: 8190db0 747da32
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 14:31:02 2013 -0500

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 747da32b252e334608373046a92682fc3424c80e
Merge: 2628cd9 e2c20c6
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Nov 18 20:18:15 2013 +0200

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 8190db0b58f0d43b66670f1542822fdab922b348
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 12:38:31 2013 -0500

    updated man page for ipsec.conf with information by Richard Haines

commit e2c20c609fcc24af31a95ec22a04f0274921becb
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 11:24:31 2013 -0500

    updated changes

commit 889686bb88f5ee10c30e7fd3110816b0832036ef
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 11:24:02 2013 -0500

    added two comments

commit ef5c5fdef5f8c61fe232af2aff0b3ac9b6c3b39c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 11:23:18 2013 -0500

    updated changes

commit 2628cd9f7952947cac33d1b3cd7cf30f3db7c98a
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Nov 18 18:19:33 2013 +0200

    lswconf: fix formatting

commit 0b121326657f82f94d391e1031e286dc5f318d4d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 10:10:27 2013 -0500

    labeled ipsec: Set the default secctx attribute value to 32001
    
    (that's a private use assignment)

commit 057f3a13a4bdc29e4194bb1e187c45c63f25bf27
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Nov 18 18:08:47 2013 +0200

    lswlog: fix formatting of comments and too long lines

commit 3cdde9edd306be33056aa723628fc29104d76098
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Nov 18 18:05:11 2013 +0200

    lswconf: fix logging in selinux disabled case

commit 8e65f910fd1be2fea7032a656c533cac1ce40a79
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Nov 18 01:29:10 2013 -0500

    testing: fixed output for ikev2-minor-version-initiator

commit 7a480f96e524eff9ac5466c2b987009a5bc2d1ed
Merge: dafe436 995352f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Nov 17 19:32:04 2013 -0500

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 995352f6b7e6904256b2f51e1bbc4455b05d0ba2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Nov 17 19:19:18 2013 -0500

    testing: updated 4 ikev2 test cases
    
    ikev2-algo-01-modp2048-initiator
    ikev2-algo-02-modp2048-responder
    ikev2-algo-ike-sha2-01
    ikev2-algo-ike-sha2-02
    
    Mostly for the blowfish/twofish changes, statsbin, myid, jiffies
    layout changes

commit 9b31deafbdbf0c2206358dfbf2d4e343e365f23f
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Thu Nov 14 23:59:14 2013 -0500

    SECURITY: Do not inspect or continue on very short packets
    
    Code introduced in Openswan to ensure the IKEv2 minor was ignored
    introduced a vulnerability that caused mangled short IKE packets to
    be processed as valid IKE packets despite in_struct() returning a
    failure, resulting in pluto crashing and restarting.
    
    Reported by Nick Howitt.
    
    Additionally, with the introduction of IKEv2, incoming packets always
    assumed it could at least read the IKE Major version number, and would
    crash when the packet was overly short and did not contain such a number.
    
    This patch ensures the code does not attempt to read the IKE version and might cause an
    IKEv1 packet to be sent as response to a badly mangled IKEv2 packet, as
    we default to IKEv1 for this type of error. It also no longer skips aborting
    a failed in_struct() read.
    
    It turns the version number into a loose enum.
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit dafe436ea3484f29febd83f61fb6a86b9b40cbae
Merge: d66fa81 1fd9e8c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Nov 17 13:46:02 2013 -0500

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit d66fa81aad208a6fccef6aa9e4bcf1842db2def0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Nov 17 13:45:08 2013 -0500

    disable debug in vendorid_init accidentally enabled in previous version

commit 8e613a1e3b077e25c37f97cfad2ff0b328f122d8
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Nov 17 13:44:55 2013 -0500

    update changes

commit 1fd9e8c0d344c43f942dca67fd9f354d83355cd8
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 14 16:08:27 2013 -0500

    Disable vendorid logging accidentally enabled in previous version

commit 42d76050296d6eabaf1b46c9685da8f3e283a07d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 14 13:12:00 2013 -0500

    update changes

commit e9ba211b8c85352b7ca24c0fc17de205a7d44541
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 14 13:07:16 2013 -0500

    secrets: Log glob failing for secrets parser as warning, not error
    
    This ensures that "ipsec secrets" or "systemctl force-reload ipsec"
    does not return with non-zero, which is interpreted as failure.

commit dd4a8a82a802e85fa54e19cca536967ec0e42581
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Nov 13 16:18:01 2013 -0500

    Previously unused v2N_INVALID_SPI had a typo in its name.
    
    It was mistakenly called V2_INVALID_SPI.

commit cc47a1da5d758e9fe7c142b67797d42dcb1d4615
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Nov 13 16:13:27 2013 -0500

    updated changes

commit 4a3790ce057fa61af70d60ad7ec57534956c1900
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Nov 13 16:12:07 2013 -0500

    IKEv2: Fix some error codes that mistakenly used IKEv1 versions
    
    Some of these actually were not defined for IKEv2 (reserved) although
    most of these have the same value for IKEv1 and IKEv2

commit d5afaf96a29a59966cfb47d9f2a4fbc189717645
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Nov 12 23:31:56 2013 -0500

    updated changes

commit ce04a0afc244ec1421d305772587c2896d80de8d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Nov 12 21:42:55 2013 -0500

    fortify IKE major code for mysterious crasher

commit bf67f09cb6566530c46d0294aa607a663fa64f1c
Merge: 17a040c 7dcdd5a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Nov 12 21:23:07 2013 -0500

    Merge branch 'master' of vault.libreswan.org:/srv/src/libreswan

commit 7dcdd5ab9a92269965f7ad51810dabee4cc32042
Author: Matt Rogers <mrogers at redhat.com>
Date:   Sun Nov 10 23:41:16 2013 -0500

    IKEv2: Check for inbound traffic before sending liveness exchange
    
    This is the intended RFC behavior, and will result in
    exchanges being sent only when needed.

commit 7db45e3b2c134328dfd2c8e48d99c16566471787
Merge: 60203fa d118cb6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Nov 10 06:16:53 2013 -0800

    Merge branch 'hugh-wip' of vault.libreswan.org:/srv/src/libreswan into hugh-wip

commit fab873513f3a15bd3a57b4fdda576ff69e60740d
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Nov 10 10:17:23 2013 +0200

    CHANGES: update for 31e2af055cb51a51651661ad5fff146418eb7c5c

commit 17a040c7097f3ad51fd7afbc8d3f830e11aeb587
Author: root <pwouters at redhat.com>
Date:   Sat Nov 9 13:26:59 2013 -0800

    Fix a bug reference back to openswan
    
    It got replaced to libreswan in the Great Rename

commit 60203fa0feba9942b1bb97a126bec46b658e5e59
Merge: 2120485 1c2e01a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Nov 9 10:24:42 2013 -0800

    Merge branch 'master' into hugh-wip

commit 2120485cc9f72bf7f825f929cd1f42471e553369
Merge: c47e8e7 805ff7c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Nov 9 10:24:35 2013 -0800

    Merge branch 'hugh-wip' of vault.libreswan.org:/srv/src/libreswan into hugh-wip

commit c47e8e7b1c4bc6f468b81e184278ffce9ffe422c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Nov 2 23:12:39 2013 -0700

    fix two #if's to #ifdef's. Although both are dead code.
    
    The confread one is an extra debug one could enable.
    The PFKEY_PROXY one I'm not sure if that has ever been used for anything.
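
Added example, not libreswan code: a minimal C sketch of the defensive pattern described in the "SECURITY: Do not inspect or continue on very short packets" commit above. It checks the datagram length before touching the IKE version byte, stops on any failed read, and falls back to IKEv1 for the error reply when the version is unreadable. The names parse_ike_header, parse_sample and struct ike_hdr_info are hypothetical; the 28-byte header layout is the fixed IKE header from RFC 7296.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed IKE header (RFC 7296 section 3.1): 28 bytes on the wire. */
enum { IKE_HDR_LEN = 28, OFF_VERSION = 17, OFF_LENGTH = 24 };

enum parse_status { PARSE_OK, PARSE_TOO_SHORT, PARSE_BAD_MAJOR, PARSE_BAD_LENGTH };

struct ike_hdr_info {
    unsigned major, minor;  /* peer's version nibbles, valid only if header was read */
    uint32_t length;        /* peer's claimed total message length */
    unsigned reply_major;   /* version to use for an error reply */
};

/* Hypothetical parser: returns a status the caller must act on. */
enum parse_status parse_ike_header(const uint8_t *buf, size_t len,
                                   struct ike_hdr_info *out)
{
    memset(out, 0, sizeof(*out));
    out->reply_major = 1;               /* default to IKEv1 when version is unreadable */

    if (len < IKE_HDR_LEN)              /* never touch buf[OFF_VERSION] on a short read */
        return PARSE_TOO_SHORT;

    out->major = buf[OFF_VERSION] >> 4;
    out->minor = buf[OFF_VERSION] & 0x0f;   /* recorded, never used to reject or to reply */
    out->length = ((uint32_t)buf[OFF_LENGTH] << 24) | ((uint32_t)buf[OFF_LENGTH + 1] << 16) |
                  ((uint32_t)buf[OFF_LENGTH + 2] << 8) | buf[OFF_LENGTH + 3];

    if (out->major != 1 && out->major != 2)
        return PARSE_BAD_MAJOR;
    out->reply_major = out->major;

    if (out->length < IKE_HDR_LEN || out->length > len)
        return PARSE_BAD_LENGTH;
    return PARSE_OK;
}

/* Constructed sample: zeroed SPIs, given version byte and length field,
 * of which only the first `captured` bytes are handed to the parser. */
enum parse_status parse_sample(uint8_t version, uint32_t length_field,
                               size_t captured, struct ike_hdr_info *out)
{
    uint8_t pkt[IKE_HDR_LEN] = {0};
    pkt[OFF_VERSION] = version;
    pkt[OFF_LENGTH] = (uint8_t)(length_field >> 24);
    pkt[OFF_LENGTH + 1] = (uint8_t)(length_field >> 16);
    pkt[OFF_LENGTH + 2] = (uint8_t)(length_field >> 8);
    pkt[OFF_LENGTH + 3] = (uint8_t)length_field;
    return parse_ike_header(pkt, captured > IKE_HDR_LEN ? IKE_HDR_LEN : captured, out);
}

int main(void)
{
    struct ike_hdr_info h;
    enum parse_status st = parse_sample(0x20, 28, 10, &h);  /* truncated datagram */
    printf("short packet: status=%d reply_major=%u\n", st, h.reply_major);
    st = parse_sample(0x21, 28, 28, &h);                    /* peer speaks IKE 2.1 */
    printf("IKE 2.1 header: status=%d major=%u minor=%u\n", st, h.major, h.minor);
    return st == PARSE_OK ? 0 : 1;
}
```

The caller treats every status other than PARSE_OK as a reason to stop processing the packet; only reply_major is safe to use after a failure.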


