[Swan-commit] Changes to ref refs/heads/libevent
Antony Antony
antony at vault.libreswan.fi
Wed Feb 18 01:01:49 EET 2015
New commits:
commit 09cc7e78b572fa65396299cd9b1727af140b1ee9
Merge: 65dbc02 e33cd03
Author: Antony Antony <antony at phenome.org>
Date: Tue Feb 17 13:13:52 2015 -0600
Merge branch 'master' into libevent
Conflicts:
include/pluto_constants.h
programs/pluto/server.c
programs/pluto/server.h
commit e33cd03148ef2632fa55a80eba124aaba7915f94
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 17 01:01:54 2015 -0800
fix logline to debug only - comment out pexpect for now
commit 40f2292d51f61c55aceed5c4ede8b57fb4fa67f9
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 17 03:32:52 2015 -0500
testing: update ref output for ddos status, aes_ gcm and x509 peer id changes
commit bd29bc38bfd33647cca6815663db24e7b0156505
Author: Andrew Cagney <cagney at gnu.org>
Date: Mon Feb 16 11:21:35 2015 -0500
building: Add "set -e" so the recursive make call will fail.
commit 178cc073a7322554c09f76508c5ccb3ebe2cb444
Author: Andrew Cagney <cagney at gnu.org>
Date: Mon Feb 16 11:16:42 2015 -0500
building: use "set -e" instead of exit in recursive make invocation
commit a08b98e4d4bac6a0a527e69ce111d253894fe67f
Author: Andrew Cagney <cagney at gnu.org>
Date: Fri Feb 13 11:25:44 2015 -0500
building: merge simple Makefile subdir code into mk/subdirs.mk
Makefiles with simple recursive makes changed.
Cases involving :: targets and/or differences between recursive targets
left alone. For instance Makefiles including Makefile.top.
commit 40cb64b53ea8db26e8750a96dee7f74d0518eaf2
Merge: 4684336 22c50a8
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Sun Feb 15 17:31:45 2015 -0500
Merge branch 'master' of vault.libreswan.org:/srv/src/libreswan
commit 22c50a804e2f530fa39e317ec39f758a725b62d0
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Feb 16 02:37:35 2015 +0800
ikev2: delay duplicate_state until after KE check
commit 69c99e0b04ebb4e41d465fcc591e4abbd11a80ec
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Feb 16 02:26:59 2015 +0800
pluto: Fix st_total counting in update_state_stats()
commit b4ebc3118204fe41793894c869426a98c9d37167
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 15 20:28:42 2015 +0800
IKEv2: ID_NULL support (see draft-ietf-ipsecme-ikev2-null-auth)
commit 451d8c5c141798db3b6a6d4939d471770581cea4
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 15 20:18:00 2015 +0800
IKEv2: send_v2_notification() used hardcoded ISAKMP_v2_SA_INIT exchange
If an ID is mismatched, and we find out during IKE_AUTH, we sent
an error back using the wrong exchange type. The value is now part
of a switch, which still needs to be extended, but should handle
the error in IKE_AUTH now.
commit 38299da76e4a612ba8b32f8f9537dcdb79b71ecd
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 15 20:08:54 2015 +0800
pluto: fix peer ID checking in ikev2_decode_peer_id_and_certs()
ikev2_decode_peer_id_and_certs() was passed a role but that is not
needed in IKEv2 because of the request/response message bit available
in the IKE header in the md. (it also used the wrong enum, the one
for determining Original Initiator instead of Message Responder)
Too much code was moved into the "not initiator" branch, resulting
in a peer ID mismatch not always failing the connection (introduced
a few commits ago).
commit 6ad15f97980ed571d0300078ddb8b057a566c248
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 15 19:50:11 2015 +0800
Fix log message prefix
commit fe8585f38ed7fdbbb344029dd5fe07a277e3654f
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 15 19:43:20 2015 +0800
IKEv2: abort refine_host_connection() early for POLICY_AUTH_NULL
For AUTH_NULL, the PSK is formed with part of the SKEYSEED, so
we cannot ever switch connection.
commit 58e52a298222d196fc46d3fd62d16ac37994bb42
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 15 11:58:13 2015 +0800
KLIPS: Move nfmarking into CONFIG_KLIPS_COMPAT_NAT_NFMARK and disable per default
The old-style NAT-Traversal support uses the nfmark along with the old
natt-patch. Kernels since 2.6.23 no longer need this. However, we were
still setting the nfmark which interfered with other kernel modules
and userland applications that rely on their own nfmark.
The old behaviour can be re-enabled using CONFIG_KLIPS_COMPAT_NAT_NFMARK.
This only makes sense when also using CONFIG_IPSEC_NAT_TRAVERSAL.
commit 074d7b803975946db309884310d7d27e36a743e6
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 15 10:59:32 2015 +0800
deleted obsoleted Config.in.os2_2
commit bb02b9f7870a80f0e46d326590c7632112b4f5bc
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Feb 15 10:28:35 2015 +0800
add note to KLIPS about IP_SELECT_IDENT_NEW version check
These versions match debian/ubuntu backported kernels, not
fedora/rhel kernels and those backports.
commit 4684336fe3fcaf49015faa8cfc04ff43173b65d9
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Sat Feb 14 15:11:21 2015 -0500
includes: make empty then-clause look intentional
commit 9208194ba2ccbddc5ee9da3788dc096e25b85f4b
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Fri Feb 6 13:04:36 2015 -0500
building: make mk/dirs.mk easier to use and usable from src tree
It determines top_srcdir et al. using the path to dirs.mk so no
variables need to be pre-defined.
Provides values for variables like $(SRCDIR) so that any assignments
in Makefiles can be eliminated.
commit e57d15830b78ad3591928143b09dd322e903c506
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Wed Feb 11 11:08:01 2015 -0500
building: do not tunnel (wrong) values into scripts and makefiles via the environment
This deletes what I consider to be the most egregious cases so far.
OBJDIR was being assigned a totally bogus value; it was just "luck"
that the generated OBJDIR makefiles fixed up the damage.
BUILDENV and OSDEP also get removed for similar reasons.
makeshadowdir only works because those values were pushed into the
environment. Run makeshadowdir stand-alone and its behaviour changes.
commit a5fd08c9037c6c12ad04b85ed0ebe3634cfc4962
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Wed Feb 11 20:51:19 2015 -0500
includes: don't suppress -Wparen - if(x=foo) - in passert
Follow on from 843d659e8c5.
commit 843d659e8c507c5bd67dfb37e7069bb3cf845b9a
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Wed Feb 11 19:50:01 2015 -0500
pluto: = should be ==
commit f694deb647411f479609116b688c93973f141e37
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Wed Feb 11 19:46:59 2015 -0500
showhostkey: don't let impossible event slip by
commit 934ded61f266d9b5179ad88b3d6c7e29ee209faf
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Wed Feb 11 19:43:49 2015 -0500
pluto: removed unused variables
commit 5f753e07a17a50839d6a44d3a6a078e21c4f5ce8
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 11 13:10:05 2015 +0800
remove accidentally committed temporary log line
commit 5d39793f65011cd280338eb871717a2baf25d1e1
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 11 11:41:04 2015 +0800
pluto: Fix status output for policy bit names
Regression was introduced in commit 43f284a5f64
commit e182a48583f16fe3545bd708ed2b969c54db2395
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 10 10:36:33 2015 +0800
showhostkey: make compiler happy about PPK_NULL in switch statement
commit 19af1f3022019306dc909a555ecd63d3cdfe621b
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 10 10:23:22 2015 +0800
testing: added ikev2-ddos-01
commit 7ea539844e2344f6852f5edca967ee764b6d5e44
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 10 10:17:42 2015 +0800
pluto: anti-DDOS support
This adds the keywords:
ddos-ike-treshold : number of IKE SAs before sending DCOOKIES in IKEv2
(we should prob refuse new conn for IKEv1 when we hit this)
max-halfopen-ike : number of half-open IKE SAs before we start refusing new IKE_INIT
(we should prob refuse new conn for IKEv1 when we hit this)
New status output in ipsec status:
000 State Information: DDoS cookies REQUIRED, Accepting new IKE connections
000 IKE SAs: total(100), half-open(100), authenticated(0), anonymous(100)
000 IPsec SAs: total(0), anonymous(<todo>)
New command: ipsec whack --globalstatus (format will change) will show an enumerated
list of states and count. The idea is to move most of the "config setup" items from
"ipsec status" to "ipsec globalstatus".
commit a1344cbb08a9306368155c5a300a85fcdc9b54ca
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Fri Feb 6 13:33:53 2015 -0500
building: move code setting OBJDIR, BUILDENV, OSDEP, ARCH to mk/objdir.mk
- so it can be included earlier, and by mk/dirs.mk
- so it isn't scattered through Makefile.inc
commit 9338209983e837aac8126e9628dcf5dc58994807
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Fri Feb 6 13:30:12 2015 -0500
building: set variables BUILDENV and OSDEP earlier in generated Makefiles.
And document how they are tunneled in to the makeshadowdir script
as environment variables.
commit eab7838e2a187fc08bfd6eca267074cc286c18bc
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 7 08:23:52 2015 -0500
update changes
commit 43f284a5f6406974230714392ef5ead0aa2ec7d7
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 7 08:22:18 2015 -0500
IKEv2: authby=null support [Paul/Antony/Hugh]
commit 43a3909258d5c1d73848a77ea718a075b791e721
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date: Fri Feb 6 18:30:56 2015 -0500
pluto: fix some whitespace
commit 3c45c610324339c132d1c6ee2931dc1bf0dd1654
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Feb 6 15:22:07 2015 -0500
x509: properly abort when encountering an expired certificate
We rejected the expired certificate, but tried to go on anyway.
commit 8ea8aa0a76dea558ae0c8f82ace49f5188cebc0a
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Fri Feb 6 11:38:24 2015 -0500
building: add mk/local.mk which only includes Makefile.inc.local once
Hack to avoid duplicate include as mk/dirs.mk will need to include
Makefile.inc.local.
commit 37e9b88593307f8581ab52ecc1a28153333ac9e5
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Fri Feb 6 11:29:28 2015 -0500
testing: update expected output to match current pluto and vms
Supported interfaces updated, and non-existent interfaces removed.
commit 8d5c97926977ba2ab20da3e98df980e34b004e6d
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Feb 6 00:25:59 2015 -0500
pluto: sync impair/dbg that got out of sync, fix impair-send-no-delete logic
commit abbba2875f58c076bc1930c5bdd87e72afde0271
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 5 13:18:52 2015 -0500
testing: ikev2-10-2behind-nat don't use logtime=no yet.
commit c7f20ec62a0b046bb003858de704ec8e7d15f0f1
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 5 13:01:32 2015 -0500
testing: update sshd server output string to SSH-2.0-OpenSSH_XXX
commit 1ddbfab22b9a1566daf128eb57d811d198e9efea
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 5 13:01:14 2015 -0500
testing: fix iptables rule in l2tp-05-netkey/northinit.sh
commit 67472f9dac0885d9bfefd30fcbfb406b6fbd304f
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 5 13:00:41 2015 -0500
testing: added l2tp-05-netkey as WIP
commit 8ee94145c57014737e0c9052fc2f731544dd5ab2
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 5 12:49:05 2015 -0500
testing: renamed pid-sanitize.sed to misc-santize.sed
And added openssh string sanitizer.
commit e944aab923be52ed55a4480ad844a55a07bd4191
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Feb 4 23:28:19 2015 -0500
IKEv2 instantiation and refine_host_connection fixes
This supports multiple cert based road warriors behind the same NAT.
commit 893073109158a8e59ac4fe8560cc95a72d466c26
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Thu Feb 5 13:54:27 2015 -0500
building: rename Makefile.dirs -> mk/dirs.mk
commit 9a7906eb1bc57bc337c841cbf75c5549aa4b3f0b
Author: Antony Antony <antony at phenome.org>
Date: Wed Feb 4 05:43:20 2015 -0600
testing: add pyOpenSSL to guests (Dockerfile and fedorabase.ks)
preparing to switch dist_certs.py
commit a86d5f46d4fa00fffe79dc5754b661f61220d1bb
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Wed Feb 4 10:00:47 2015 -0500
building: delete more code assuming SRCDIR=OBJDIR (=.)
commit c94179b6e7b53a6511f943ba2ec89c170e1f7e9a
Author: Antony Antony <antony at phenome.org>
Date: Sat Jan 31 04:16:39 2015 -0600
testing: put the dist_certs back with its history. Let's not re-write it by
changing name.
commit 12acbff83167712b06d082f37099c05a776753b3
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Tue Feb 3 12:11:12 2015 -0500
testing: neuter auto-generation of certs change
Use keys/mainca.key as flag that things are wrong
(old systems may not have nss-pw file).
Print a warning and not an error when trying to configure for x509
and it looks like certificates were not generated.
(reinstate broken old_dist_certs.sh file)
commit f81b19d94e867eb2f4894baa0ea7573c49557bcb
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Tue Feb 3 10:39:57 2015 -0500
testing: Have dist_certs.py generate nss-pw; and run it when pluto's make check
Also remove running the old broken dist_certs script from libvirt/install.sh
and delete the old script.
commit 011c6b9156bdddca753384e5847b594094b99cfc
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Tue Feb 3 09:51:30 2015 -0500
testing: when x509 and no nss password file, barf
Presumably the certificates need to be generated.
commit 28d409e42dee6a607fc685d603cd247ab4fee6f2
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Jan 30 17:01:10 2015 -0500
IKEv2: define and use MAXIMUM_INVALID_KE_RETRANS
The invalid_ke handling code was misusing the variable
MAXIMUM_RETRANSMISSIONS for this. Create its own variable
(also fixup whitespace)
commit 4ba746284a2b91fc09ba682b2e6a05c4a0b56c4f
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Jan 30 16:52:52 2015 -0500
IKEv2: clarify INVALID_KE rcookie handling in dbg and log msg.
commit 4c16b01f8f2ffcf8fd21fcdcf4281a8724bd8467
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Fri Jan 30 15:48:55 2015 -0500
testing: remove zeroconf interfaces, no longer expected
commit 44f0cae39f8ade548c01736ffd5ef5ef76862a21
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Fri Jan 30 15:14:33 2015 -0500
testing: update expected SSH version to match current vm
commit 929087a56b72c115f8cfae347fa57e44b9587090
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Jan 30 15:06:51 2015 -0500
remove obsoleted comment
commit 9f8842b3dd50b4e3047915662adfab1e239a7ac3
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Jan 30 15:02:21 2015 -0500
testing: added delete-sa-03
This shows the problem where we delete an IKE(v1) SA that is still in
use for another IPsec SA, causing DPD to fail for the remaining IPsec SA.
commit 934af4c4fd4f875f9b76bfbfe3d6b798c0ed0965
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Fri Jan 30 13:43:01 2015 -0500
testing: add aes_gcm to east's list of supported algorithms
Fallout from adding those algorithms.
commit 1e1006512186457166b6903d63206f60f591bb81
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Fri Jan 30 13:27:31 2015 -0500
testing: update expected default IKEv2 algorithm to aes_gcm_16
Fallout from merge of ikev2-policy4.
commit 949fa2bc9bdd1143ed78b4f986913c04ab4913c7
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Fri Jan 30 13:04:21 2015 -0500
testing: expect all 4 pings to work (assumes a faster machine I guess)
commit 3487b61b380a13b7769e144b7925a481ee32941d
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Fri Jan 30 11:49:31 2015 -0500
testing: update expected default IKEv2 algorithm to aes_gcm_16
This is the simple case.
Fallout from merge of ikev2-policy4.
commit 4aa964ff283e03d79057b33112e6eec54d0511c9
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Jan 30 01:17:24 2015 -0500
fix renamed function name in comment
commit 81d0d18d230727793536c3be0f8d0b4ef09de022
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Jan 30 00:33:57 2015 -0500
pluto: support for impair-send-no-delete
This will cause pluto to omit sending Delete/Notify payloads. It can be used
for testing without needing to use "killall -9 pluto"
This also already removed adns impairs (to make some space < 32) as
those are about to die anyway
commit 23c739b77de7190d9d76f5620ae26b24a9145143
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date: Thu Jan 29 15:11:49 2015 -0500
pluto: set the IKEv1 default group list to DEFAULT_OAKLEY_GROUPS
Was accidentally changed to DEFAULT_OAKLEY_EALGS.
Fix regression from 5a48a5ec8e372e5a5bcfd8b4323d1e3bcfdc3903
(Update IKEv2 defaults) merge.