[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Sun Feb 15 23:48:12 EET 2015


New commits:
commit 22c50a804e2f530fa39e317ec39f758a725b62d0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 16 02:37:35 2015 +0800

    ikev2: delay duplicate_state until after KE check

commit 69c99e0b04ebb4e41d465fcc591e4abbd11a80ec
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 16 02:26:59 2015 +0800

    pluto: Fix st_total counting in update_state_stats()

commit b4ebc3118204fe41793894c869426a98c9d37167
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 15 20:28:42 2015 +0800

    IKEv2: ID_NULL support (see draft-ietf-ipsecme-ikev2-null-auth)

commit 451d8c5c141798db3b6a6d4939d471770581cea4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 15 20:18:00 2015 +0800

    IKEv2: send_v2_notification() used hardcoded ISAKMP_v2_SA_INIT exchange
    
    If an ID is mismatched, and we find out during IKE_AUTH, we sent
    an error back using the wrong exchange type. The value is now part
    of a switch, which still needs to be extended, but should handle
    the error in IKE_AUTH now.

commit 38299da76e4a612ba8b32f8f9537dcdb79b71ecd
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 15 20:08:54 2015 +0800

    pluto: fix peer ID checking in ikev2_decode_peer_id_and_certs()
    
    ikev2_decode_peer_id_and_certs() was passed a role but that is not
    needed in IKEv2 because of the request/response message bit available
    in the IKE header in the md. (it also used the wrong enum, the one
    for determining Original Initiator instead of Message Responder)
    
    Too much code was moved into the "not initiator" branch, resulting
    in a peer ID mismatch not always failing the connection (introduced
    a few commits ago)

commit 6ad15f97980ed571d0300078ddb8b057a566c248
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 15 19:50:11 2015 +0800

    Fix log message prefix

commit fe8585f38ed7fdbbb344029dd5fe07a277e3654f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 15 19:43:20 2015 +0800

    IKEv2: abort refine_host_connection() early for POLICY_AUTH_NULL
    
    For AUTH_NULL, the PSK is formed with part of the SKEYSEED, so
    we cannot ever switch connection.

commit 58e52a298222d196fc46d3fd62d16ac37994bb42
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 15 11:58:13 2015 +0800

    KLIPS: Move nfmarking into CONFIG_KLIPS_COMPAT_NAT_NFMARK and disable per default
    
    The old-style NAT-Traversal support uses the nfmark along with the old
    natt-patch. Kernels since 2.6.23 no longer need this. However, we were
    still setting the nfmark which interfered with other kernel modules
    and userland applications that rely on their own nfmark.
    
    The old behaviour can be re-enabled using CONFIG_KLIPS_COMPAT_NAT_NFMARK.
    
    This only makes sense when also using CONFIG_IPSEC_NAT_TRAVERSAL

commit 074d7b803975946db309884310d7d27e36a743e6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 15 10:59:32 2015 +0800

    deleted obsoleted Config.in.os2_2

commit bb02b9f7870a80f0e46d326590c7632112b4f5bc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 15 10:28:35 2015 +0800

    add note to KLIPS about IP_SELECT_IDENT_NEW version check
    
    These versions match debian/ubuntu backported kernels, not
    fedora/rhel kernels and those backports.


