[Swan-commit] Changes to ref refs/heads/ddos

Paul Wouters paul at vault.libreswan.fi
Mon Feb 9 09:08:49 EET 2015


New commits:
commit 2afec3a4b701715cf43e1269a5f7212c4eacbd89
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 9 09:37:22 2015 +0800

    delete temp debug lines

commit 732d3db29ccf2df5bf2f5321f87a615b90f54028
Merge: 95b46b4 eab7838
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 9 09:35:06 2015 +0800

    Merge branch 'master' into ddos
    
    Conflicts:
    	programs/pluto/ikev2_parent.c

commit eab7838e2a187fc08bfd6eca267074cc286c18bc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 7 08:23:52 2015 -0500

    update changes

commit 43f284a5f6406974230714392ef5ead0aa2ec7d7
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 7 08:22:18 2015 -0500

    IKEv2: authby=null support [Paul/Antony/Hugh]

commit 95b46b47b52023a327936d7faa660dfd87448a0f
Merge: 84e8f9f 3c45c61
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 6 18:47:08 2015 -0500

    Merge branch 'master' into ddos

commit 43a3909258d5c1d73848a77ea718a075b791e721
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Fri Feb 6 18:30:56 2015 -0500

    pluto: fix some whitespace

commit 3c45c610324339c132d1c6ee2931dc1bf0dd1654
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 6 15:22:07 2015 -0500

    x509: properly abort when encountering an expired certificate
    
    We rejected the expired certificate, but tried to go on anyway.

commit 8ea8aa0a76dea558ae0c8f82ace49f5188cebc0a
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Feb 6 11:38:24 2015 -0500

    building: add mk/local.mk which only includes Makefile.inc.local once
    
    Hack to avoid duplicate include as mk/dirs.mk will need to include
    Makefile.inc.local.

commit 37e9b88593307f8581ab52ecc1a28153333ac9e5
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Feb 6 11:29:28 2015 -0500

    testing: update expected output to match current pluto and vms
    
    Supported interfaces updated, and non-existent interfaces removed.

commit 8d5c97926977ba2ab20da3e98df980e34b004e6d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 6 00:25:59 2015 -0500

    pluto: sync impair/dbg that got out of sync, fix impair-send-no-delete logic

commit abbba2875f58c076bc1930c5bdd87e72afde0271
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 5 13:18:52 2015 -0500

    testing: ikev2-10-2behind-nat don't use logtime=no yet.

commit c7f20ec62a0b046bb003858de704ec8e7d15f0f1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 5 13:01:32 2015 -0500

    testing: update sshd server output string to SSH-2.0-OpenSSH_XXX

commit 1ddbfab22b9a1566daf128eb57d811d198e9efea
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 5 13:01:14 2015 -0500

    testing: fix iptables rule in l2tp-05-netkey/northinit.sh

commit 67472f9dac0885d9bfefd30fcbfb406b6fbd304f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 5 13:00:41 2015 -0500

    testing: added l2tp-05-netkey as WIP

commit 8ee94145c57014737e0c9052fc2f731544dd5ab2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 5 12:49:05 2015 -0500

    testing: renamed pid-sanitize.sed to misc-santize.sed
    
    And added openssh string sanitizer

commit e944aab923be52ed55a4480ad844a55a07bd4191
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 4 23:28:19 2015 -0500

    IKEv2 instantiation and refine_host_connection fixes
    
    This supports multiple cert based road warriors behind the same NAT.

commit 893073109158a8e59ac4fe8560cc95a72d466c26
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Thu Feb 5 13:54:27 2015 -0500

    building: rename Makefile.dirs -> mk/dirs.mk

commit 9a7906eb1bc57bc337c841cbf75c5549aa4b3f0b
Author: Antony Antony <antony at phenome.org>
Date:   Wed Feb 4 05:43:20 2015 -0600

    testing: add pyOpenSSL to guests (Dockerfile  and fedorabase.ks)
    preparing to switch dist_certs.py

commit a86d5f46d4fa00fffe79dc5754b661f61220d1bb
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Feb 4 10:00:47 2015 -0500

    building: delete more code assuming SRCDIR=OBJDIR (=.)

commit 84e8f9f710dc975ea8db6823f23bf206503a1d6d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 2 11:16:46 2015 -0500

    WIP: shorten lifetime of halfopen SAs

commit 39dabbcef3aa01702daada2e6747e2a0003901d5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 1 21:51:48 2015 -0500

    pluto: don't use busy calculation when in unlimited mode
    
    When administrator ran: ipsec whack --ddos-unlimited, do not
    ever require DDoS cookies

commit ff5f5be646852aa8f80571f0b1adb0ee86dae844
Merge: 932359f 28d409e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 1 20:49:20 2015 -0500

    Merge branch 'master' into ddos

commit c94179b6e7b53a6511f943ba2ec89c170e1f7e9a
Author: Antony Antony <antony at phenome.org>
Date:   Sat Jan 31 04:16:39 2015 -0600

    testing: put the dist_certs back with its history. let's not re-write it by
    changing name.

commit 12acbff83167712b06d082f37099c05a776753b3
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Tue Feb 3 12:11:12 2015 -0500

    testing: neuter auto-generation of certs change
    
    Use keys/mainca.key as flag that things are wrong
    (old systems may not have nss-pw file).
    Print a warning and not an error when trying to configure for x509
    and it looks like certificates were not generated.
    (reinstate broken old_dist_certs.sh file)

commit f81b19d94e867eb2f4894baa0ea7573c49557bcb
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Tue Feb 3 10:39:57 2015 -0500

    testing: Have dist_certs.py generate nss-pw; and run it when pluto's make check
    
    Also remove running the old broken dist_certs script from libvirt/install.sh
    and delete the old script.

commit 011c6b9156bdddca753384e5847b594094b99cfc
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Tue Feb 3 09:51:30 2015 -0500

    testing: when x509 and no nss password file, barf
    
    Presumably the certificates need to be generated.

commit 28d409e42dee6a607fc685d603cd247ab4fee6f2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jan 30 17:01:10 2015 -0500

    IKEv2: define and use MAXIMUM_INVALID_KE_RETRANS
    
    The invalid_ke handling code was misusing the variable
    MAXIMUM_RETRANSMISSIONS for this. Create its own variable
    
    (also fixup whitespace)

commit 4ba746284a2b91fc09ba682b2e6a05c4a0b56c4f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jan 30 16:52:52 2015 -0500

    IKEv2: clarify INVALID_KE rcookie handling in dbg and log msg.

commit 4c16b01f8f2ffcf8fd21fcdcf4281a8724bd8467
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 30 15:48:55 2015 -0500

    testing: remove zeroconf interfaces, no longer expected

commit 44f0cae39f8ade548c01736ffd5ef5ef76862a21
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 30 15:14:33 2015 -0500

    testing: update expected SSH version to match current vm

commit 929087a56b72c115f8cfae347fa57e44b9587090
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jan 30 15:06:51 2015 -0500

    remove obsoleted comment

commit 9f8842b3dd50b4e3047915662adfab1e239a7ac3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jan 30 15:02:21 2015 -0500

    testing: added delete-sa-03
    
    This shows the problem where we delete an IKE(v1) SA that is still in
    use for another IPsec SA, causing DPD to fail for the remaining IPsec SA.

commit 934af4c4fd4f875f9b76bfbfe3d6b798c0ed0965
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 30 13:43:01 2015 -0500

    testing: add aes_gcm to east's list of supported algorithms
    
    Fallout from adding those algorithms.

commit 1e1006512186457166b6903d63206f60f591bb81
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 30 13:27:31 2015 -0500

    testing: update expected default IKEv2 algorithm to aes_gcm_16
    
    Fallout from merge of ikev2-policy4.

commit 949fa2bc9bdd1143ed78b4f986913c04ab4913c7
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 30 13:04:21 2015 -0500

    testing: expect all 4 pings to work (assumes a faster machine I guess)

commit 3487b61b380a13b7769e144b7925a481ee32941d
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 30 11:49:31 2015 -0500

    testing: update expected default IKEv2 algorithm to aes_gcm_16
    
    This is the simple case.
    Fallout from merge of ikev2-policy4.

commit 4aa964ff283e03d79057b33112e6eec54d0511c9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jan 30 01:17:24 2015 -0500

    fix renamed function name in comment

commit 81d0d18d230727793536c3be0f8d0b4ef09de022
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jan 30 00:33:57 2015 -0500

    pluto: support for impair-send-no-delete
    
    This will cause pluto to omit sending Delete/Notify payloads. It can be used
    for testing without needing to use "killall -9 pluto"
    
    This also already removed adns impairs (to make some space < 32) as
    those are about to die anyway

commit 23c739b77de7190d9d76f5620ae26b24a9145143
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Thu Jan 29 15:11:49 2015 -0500

    pluto: set the IKEv1 default group list to DEFAULT_OAKLEY_GROUPS
    
    Was accidentally changed to DEFAULT_OAKLEY_EALGS.
    Fix regression from 5a48a5ec8e372e5a5bcfd8b4323d1e3bcfdc3903
    (Update IKEv2 defaults) merge.

commit 06da58410cc7e599952d9c761b43aa7ecfc9afc9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 28 20:08:58 2015 -0500

    pluto: some additional logging when switching conns
    
    So we can see if we are switching to/from a template or which instance

commit 7df1643f72e7aebcf2d39841ae64b0bc29a16576
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 28 16:32:26 2015 -0500

    testing: enable IKEv2 invalid-ke tests

commit 4cb96a37cd924346b4cfcb95c800eaafdbace338
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 28 16:23:42 2015 -0500

    testing: delete ikev2-21-invalid-ke from list; test deleted
    
    in its place are new tests

commit 5a48a5ec8e372e5a5bcfd8b4323d1e3bcfdc3903
Merge: 05d9e47 8b2cc0f
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 28 15:52:23 2015 -0500

    Merge branch 'ikev2-policy4': update default IKEv2 policies; fix ensuing INVALID_KE mess
    
    By default, IKEv2 only supports AES_GCM and AES_CBC.

commit 8b2cc0f309fccca4feff6c6bd9f0b0a721d05c7e
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 28 15:50:15 2015 -0500

    pluto: for IKEv2 default policies, ignore any xauth flags

commit ff569b024cd20055ddceb711b5377937133ac84a
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 28 15:03:17 2015 -0500

    pluto: convert sadb_index and the arrays into IKEv[12] functions

commit fa8ef4cb03ce0a71e87791007146ed1e191cdc1d
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 28 12:10:32 2015 -0500

    testing: IKEv2 test with an explicit DH-group that isn't in the responder's defaults
    
    West's explicitly selected DH-group doesn't match anything in east's
    default policy list.  East responds with an INVALID_KE message and
    valid group

commit 2d8d61d04a6f57903f20e899476c1adf47914dbc
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Mon Jan 26 14:55:45 2015 -0500

    testing: IKEv2 test with the initiator's default DH-group being invalid.
    
    Since west's default DH-group is not found in east's explicitly listed
    policies, east responds with INVALID_KE and suggests a group.

commit 64b42759e8890a4d53510323ce68ca83dda46124
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Mon Jan 26 14:55:07 2015 -0500

    testing: IKEv2 test with an explicit wrong DH-group for the chosen algorithm.
    
    While west's explicitly selected DH-group is found in east's explicit
    list of policies, the group is wrong for the selected algorithm.  East
    responds with INVALID_KE suggesting the group required for the
    selected algorithm.

commit eedd9f64cd33540c30fd0cb12073b2629a32500a
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Mon Jan 26 14:54:11 2015 -0500

    testing: IKEv2 test with an invalid explicit DH-group.
    
    Since west's explicitly selected DH-group is not found in any of
    east's explicitly listed policies, east responds with INVALID_KE and
    suggests a group.

commit 1625e92b80f854b074460f180e44d6eda1590e78
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 21 16:34:58 2015 -0500

    pluto: rewrite the IKEv2 default policies.
    
    Contains:
      aes_gcm_16_{128,256}/sha{1,2};modp{2048,4096,8192}
      aes_cbc{128,256}-{sha1,sha2,aes_xcbc};modp{1536,2048}
    default groups also updated.

commit 8e2d88de5973933a82de203ce1529e67db8b1788
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 28 12:11:24 2015 -0500

    pluto: for INVALID_KE response, always use the DH-group from the selected policy

commit 33acca8be882584ab361da7bafd6176767245307
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 23 22:32:21 2015 -0500

    pluto: hack: for late detection of a bad modp group, suppress the RCOOKIE
    
    The code is:
      - checking if the modp is in the list
      - computing DH based on modp size
      - doing the policy match, selecting an algorithm, and finding modp is wrong
      - backing out the previously set RCOOKIE so the sent packet has it set to zero
    It should do the policy match before DH and before any RCOOKIE is set up.

commit 05d9e47a9aeba15d8eaf8a1200f5cd0a3b5fa8e8
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 28 11:18:13 2015 -0500

    building: fix more cases of relative SRCDIR paths; sigh

commit 116a41ad90b21c1cf9979d6df8e0b119aa1c499e
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 28 11:15:07 2015 -0500

    building: Put VPATH back to absolute (at least for now ... :-).
    
    Accidentally flipped in 1e25773b8320f4729f0280bb51d683c45b519242

commit 51b11707570041077bed0ddebd9b8e27c13ae698
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 27 20:07:31 2015 -0500

    testing: added ikev2-ddns-02 which uses a DNS server
    
    renamed ikev2-38-ddns to ikev2-ddns-01

commit 68b18b8c1f7cc05b02b32797cbc4f9d74186a2f9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 27 19:59:33 2015 -0500

    testing: swan-prep also restore resolv.conf

commit b5bec1a1aacb5de5e9f28779f400e3e7391a5979
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 27 17:58:11 2015 -0500

    testing: added ikev2-38-ddns
    
    This shows what the EVENT_DDNS is supposed to do (although it
    is better redesigned from scratch I think)

commit 9e6a4ef938b32acd7a5b4172330d6cc37e9985e1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 27 17:13:44 2015 -0500

    testing: swan-prep should restore /etc/hosts to original
    
    some tests modify /etc/hosts, so ensure we start fresh

commit 2c98d8f1f2bfba4ecdac79e520c0e29a69e0e28b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 27 15:23:02 2015 -0500

    testing: ikev2-05-basic-psk-oneconf fix duplicate authby= entry

commit 27bb6702cc810bdb5ff29a3a704d09e495516b7e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 26 01:32:26 2015 -0500

    testing: added ikev1-2behind-nat-01

commit 3d53451282f4095802c11f030d135dedc844a71b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 26 01:19:53 2015 -0500

    testing: Added ikev2-10-2behind-nat
    
    This shows the problem of two clients behind the same NAT with X.509
    using a killall -9 pluto on road where road then connects a 2nd
    time using the north credentials.
    
    Error for the second client is:
    
    "road-eastnet-ikev2"[1] 192.1.2.254 #3: Signature check (on C=ca, ST=Ontario, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=testing at libreswan.org) failed (wrong key?); tried *AwEAAdrh2
    "road-eastnet-ikev2"[1] 192.1.2.254 #3: RSA authentication failed

commit 112d56c3eecd83192269979c46a662d75e15b2fb
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 23 21:48:22 2015 -0500

    pluto: create separate default-group and groups table for IKEv2

commit 03400affe56cc8161e1a7e4470cf51e155e44a10
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 21 15:50:37 2015 -0500

    pluto: clone IKEv1_oakley_spdb policies to IKEv2_oakley_spdb
    
    Everything, but the low-level transforms are cloned.
    Being a simple clone - nothing really changed - nothing should break.

commit 0c412d74bd07e8e4d84f2ee92ecc6bf8c5dc82fa
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 21 11:01:05 2015 -0500

    pluto: add IKEv1 prefix (IKEv1_oakley_...) to IKEv1 policies.
    
    (yes, I know IKEv1 should be in lower case; unfortunately ikev1 looks weird)

commit 39964ee5cb182362558b71a350c8876b18414703
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 23 21:37:54 2015 -0500

    pluto: on receipt of INVALID_KE, do not save/update the RCOOKIE
    
    If the RCOOKIE is updated, we ignore further packets from the responder.

commit 19269b4ddcd109365c55286d4674cf8ac298ec16
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 23 21:35:36 2015 -0500

    pluto: delete redundant check
    
    first_modp_from_propset returns the same value.

commit 374b9feab1371469bbb7e045776a0f18a7660b92
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 21 10:25:58 2015 -0500

    pluto: delete undefined declaration

commit fee0e8c01aa7b31530bcab278a41b9e98c897dd9
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 21 10:23:08 2015 -0500

    pluto: for xauth client, prefer aes+sha1 over aes+md5

commit 1e25773b8320f4729f0280bb51d683c45b519242
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Tue Jan 20 13:59:04 2015 -0500

    building: make autoconf style make variables, like abs_top_srcdir, available
    
    The list is:
      srcdir
      builddir
      abs_srcdir
      abs_builddir
      top_srcdir
      top_builddir
      abs_top_srcdir
      abs_top_builddir
    They are only defined in the build tree (under $(OBJDIR)).
    (The source tree requires further incremental updates).

commit 0b294ce7c34b0c6b9e3365c9faf0d6050d1fa3fb
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 16 19:51:37 2015 -0500

    building: rename the make variable "srcdir" to "SRCDIR".
    
    And try to be consistent about its trailing /.  This makes room for
    an autoconf style relative srcdir which does not contain a trailing /

commit 5a4b98c2ce6d9c56136cde16888fba581edfa357
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Thu Jan 15 16:07:02 2015 -0500

    building: unconditionally assume OBJDIR is being used (delete USE_OBJDIR)

commit 930185b0b83b97b9665b10544056edc29e6c01d4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 25 18:40:48 2015 -0500

    GCM gcm test vectors were left out of merge commit

commit 4f20f86157407dba78ea4ac86d30f398ae763831
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Sun Jan 25 14:45:10 2015 -0500

    IKEv2: Support for AES_GCM

commit c860828d7d429adb55363c8a4aaac6cff2f47692
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 25 14:43:59 2015 -0500

    testing: fixup algo reference output for GCM addition

commit e600cf926b8743ad8e457ddd9ffa9e9ce0f7e8e0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 25 14:42:59 2015 -0500

    testing: narrowing test simplification
    
    Remove full status output. allow for new retransmit message

commit 5e350effb30969c2ad28f40a85df61a99af43dff
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 25 14:38:04 2015 -0500

    testing: netkey-audit-01 now also displays prf= in audit log

commit 112a1edcb16a514dcc2f2548adb8a43563cff72f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 25 14:20:52 2015 -0500

    testing: dpd-01: removal of 169 routes in reference output

commit c5c5cb1af82cb2a1e86fe2d00ac7cc562040e5d4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 25 14:14:14 2015 -0500

    testing: aggr-pluto-03 cleared reference output copied from other test
    
    This test uses aggressive mode, and is failing

commit 447a9fd3fabc04c57204b3cdcb9d3f6899c13c69
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 15:49:09 2015 -0500

    testing: fixup gcm for netkey-pluto-0[12]

commit a73ef0b38979f9af8098cdb67d96f43ae6b115ae
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 15:47:29 2015 -0500

    testing: ipv6-transport-ts-mode-04-netkey-netkey fix nc command.
    
    The tcpdump still shows this test is not using ESP but still sends
    plaintext?

commit 4f72444dc2564bac5b96f8386f31c8951279fede
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 15:39:41 2015 -0500

    testing: fixup nat-pluto-09 - passes

commit a160f2aeeb08cc232036e842828d3d6754b1775b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 15:36:38 2015 -0500

    testing: fixes to basic-pluto-12-netkey but unsure it is passing now
    
    it seems improved compared to the comments in description.txt but
    I'm confused the tcpdump capture does not show the port 22 attempt
    in either clear or encrypted

commit c38da9f5180b9c0da736ade8c5a3dcadbec628c7
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 15:33:11 2015 -0500

    testing: interop-ikev2-racoon-02-psk-responder  sanitizer fixup

commit 4d937182113f947394dd544c5ee361465b3c0fce
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 15:32:42 2015 -0500

    testing: racoon sanitizer needs to mask ephemeral hex blob

commit 663c86f8f3097797ba542c04352ab6a0e93d5d87
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 15:26:57 2015 -0500

    testing: dnssec-pluto-01 updated for GCM

commit f289a16081b39bd8d4cfca5183f8542013ee5fff
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 15:26:09 2015 -0500

    testing: replay-authip-01 updated for GCM

commit 9c63ddbf5ae376b9effc0bfc9fccc63e69b18fd9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 15:22:07 2015 -0500

    testing: fixup and clarified basic-pluto-12.
    
    The test has an obscure routing issue but it _is_ correct.
    (the exclusion of a port causes it to miss the ipsec tunnel and
    therefore turns out to miss the only route to the remote network
    that goes via ipsec.)

commit 3ce626c526a296b94f93007e276cdf4aff36ed17
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 15:03:06 2015 -0500

    testing: clarified and cleaned up basic-pluto-14-klips-route
    
    The packet leak should NOT happen. This is a bug. an auto=route
    connection should place a shunt in and so packets should never
    leak during negotiation!

commit 644e56636ff506f8e3604d32a174524bf62ffa1a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 14:57:07 2015 -0500

    testing: mark algo-pluto-04 as wip - it shows a bug that needs fixing

commit 77764c5b007e9682fb244b5065f436acc0369def
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 14:53:53 2015 -0500

    testing: removed ah-pluto-06 and ah-pluto-07
    
    also tested algos the linux kernel does not support

commit 03c3c7f8fa8c90c71db59f0dffccc311221c3000
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 14:53:03 2015 -0500

    testing: removed ah-pluto-08 - it tests an unsupported kernel algo

commit 554f271b4c6a45772116caf074f7ec7899652dd2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 14:51:24 2015 -0500

    testing: mark loopback tests WIP while pending redoing/ripping it out

commit e383244d54eebce694d105ad6b7adc0213873bd6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 14:50:42 2015 -0500

    testing: fixup ipv6-tunnel-mode-04-rw

commit fb49f1bc017a8b9e9b183e0fea4ea63f3e711fa3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 24 14:38:12 2015 -0500

    testing: some cleanup of ipv6-tunnel-mode-03-rw
    
    test still fails - using link local instead of the v6 IPs of the
    tunnel, so no ESP packets observed in tcpdump and ICMP6 hitting
    firewall rule. Marked test as WIP

commit 7e5af2658cbf7dfe6187a42865afd3e220f41ddc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jan 23 21:47:24 2015 -0500

    testing: added v6.sed sanitizer
    
    The firewall logs with ephemeral ID= entries :/

commit 11085c5c093c725b401ff673239c5a97209c5ff9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jan 23 21:47:05 2015 -0500

    testing: fixup ikev2-ipv6-transport-mode-02-netkey-netkey

commit 14fa5fb30b1c29968534c5be3d8eb7e36306a828
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jan 23 20:58:53 2015 -0500

    testing: some fixes to interop-ikev2-racoon-04-x509-responder
    
    (still failing)

commit 8d4617377f1e37a0987835750b2b79ada8592c00
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jan 23 16:38:08 2015 -0500

    testing: mark interop-ikev2-strongswan-18-psk-cast as good

commit 02d7c439cf896d2903968b18516d1f4504076404
Merge: f9b0176 1e23461
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jan 22 14:24:57 2015 -0500

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit f9b0176e0155f777d0ed917ec603c9b085fb5423
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 12 21:45:03 2015 -0500

    testing: update racoon2 PSK to match the new preshared key. Remove eastrun.sh files


