[Swan-commit] Changes to ref refs/heads/ddos

Paul Wouters paul at vault.libreswan.fi
Mon Jan 26 00:32:46 EET 2015


New commits:
commit 932359f58e77d4a221653e554b2cff8cb0ce2ea5
Merge: d3df263 1e23461
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 25 17:32:32 2015 -0500

    Merge branch 'master' into ddos
    
    Conflicts:
    	lib/libipsecconf/confread.c
    	programs/configs/ipsec.conf.5
    	programs/pluto/pluto.8

commit 1e2346106af28b4cfed57fa7760e430691385112
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 21 20:29:56 2015 -0500

    pluto: Don't include/print a # in test vector descriptions.
    
    Actually don't include any number.  Not relevant.
    Convention is for #N to denote a state.

commit a8de85564b4030e496a400ca276af9a7158cd69d
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 21 04:02:36 2015 -0600

    pluto: use PRIu64 for st->st_esp.add_time

commit 8f6972af9523ddbfab2fd41ab570fdafceae1b74
Author: Antony Antony <antony at phenome.org>
Date:   Fri Jan 16 14:15:37 2015 +0100

    testing: ikev2-32-nat-rw-rekey added to TESTLIST, change to netkey

commit 834c7c4c414048c01d2dabb2ba8cd2c6a1c232db
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Thu Jan 15 15:27:09 2015 -0500

    testing: when make fails, really exit with a non-zero status.
    
    Since "if ! make ... ; then" succeeds, the exit status ($?)
    was being set to zero.  Consequently the build didn't abort.

commit 0284478af9d18580f342bd10a18f1260aa34a4d1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 14 23:22:28 2015 -0500

    updated changes

commit b891e396468b1c5657ba35c58b40b4a96651c408
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 14 23:21:38 2015 -0500

    documentation: regenerated man pages

commit 450b647d647d84c961b83fa6f5735e0039380a9b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 14 23:10:39 2015 -0500

    documentation: updated xml man pages for the new seed option

commit 6cce0301a12390a7211df35d98114cbe8f956918
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 14 23:01:39 2015 -0500

    * pluto/rsasigkey: Allow specifying seedbits for NSS RNG
    
    * Added --seedbits <numbits> option to pluto and rsasigkey
    * Added seedbits= to ipsec.conf "config setup" section
    
    There is a BSI requirement that we seed at least 440 bits of random
    from /dev/random into the NSS via PK11_RandomUpdate() before we
    are allowed to pull random from PK11_GenerateRandom() despite the
    fact that NSS already deals on its own with initialising its PRNG.
    
    Since this can seriously stall startup on low-entropy machines,
    we do not inflict this upon everyone.
    
    rsasigkey already fed 480 bits into NSS, so I turned this into
    an option with 480 as default. pluto's default is to not do this.
    
    A big warning was added to the code using /dev/random in plutomain.c
    to ensure people don't change this in the future and to ensure the
    function to read from /dev/random is never exported to other parts of
    the code.

commit e8324403cbdcabca1284ef049c19b60fc58e49d8
Merge: 9283b87 9ad8689
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Thu Jan 15 10:39:09 2015 -0500

    testing: Merge branch 'kvm-uninstall' - make setting up/tearing down VMs more robust
    
    - adds testing/libvirt/uninstall.sh for tearing down the VMs
      And deletes "make distclean" code that blindly deleted the VMs disks, ouch!
    - fixes fedorabase.kb so that it reliably installs all the RPMs
      Needs to be done during %post as the install repo doesn't contain some RPMs
    - points the install URL at the more generic download.fedoraproject.org
      Local repos may be faster but often don't work when you're across the planet.
      The repo needs to contain initrd and kernel, which Everything does not.

commit 9ad8689fa2bcf68167f22ad9620da978cbaf7d2f
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 14 20:31:46 2015 -0500

    Install most of the RPMs using yum during the %post phase
    
    The repository used during the install has stuff missing
    (I guess it didn't fit on the DVD) whereas YUM, %post, uses
    the Everything repo which has Everything!

commit 4e749afd2818bb92ef88374589567048c8025ed1
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 14 14:57:37 2015 -0500

    Replace distclean rule deleting VMs with a more robust script.

commit 4925dce30ac607c9c3c917fc6a25f71219faa64e
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 14 14:53:28 2015 -0500

    Point OSMEDIA at downloads.fedora.org  "Server" directory.
    
    - for initial install it needs the images directory
    - downloads.fedora.org, which redirects, is hopefully more robust than
      some arbitrary mirror

commit 9283b87191353c23ce43e0dbfe3a3ab98e29076b
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 14 19:15:11 2015 +0100

    testing ikev1-connswitch-ports-01 fix the ports

commit 9558dce373ea69c57ca9b86587cab012bb7fd656
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 14 09:04:46 2015 +0100

    testing: swantest handle exception due to broken result line

commit 0bf55d44c900e6181598a998ca801c8478b5e477
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 14 09:03:03 2015 +0100

    testing: sanitizer use case insensitive for IPv4 over IPsec

commit a34328a8e6c4acd61f350c9f2c0d73d2b8567d59
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 13 20:36:22 2015 -0500

    pluto: do not try to send out packets if interface vanished.
    
    I brought up my VPN that gave me an address using XAUTH. This ip got
    configured on my interface (eg wlan0). I brought my tunnel down which
    did not remove the IP address. Now this IP address was being used for
    all my traffic, so I was dead in the water. I tried to --replace and
    --up and this used my old IP. So I manually removed it using ip addr
    del XXXX/32 dev wlan0. Then a retransmit must have hit pluto:
    
    Program received signal SIGSEGV, Segmentation fault.
    0x00007fa435f010ac in send_or_resend_ike_msg (st=0x7fa437474b00, where=0x7fa435fe4e4d "aggr_outI1", resending=0)
        at /home/paul/libreswan/programs/pluto/server.c:1301
    
    1300         const size_t natt_bonus =
    1301                 st->st_interface->ike_float ? NON_ESP_MARKER_SIZE : 0;
    1302
    
    (gdb) p st->st_interface
    $5 = (const struct iface_port *) 0x0

commit 1586f711dd0ea62a6eab0a2c1aade7b4c4f98b53
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Mon Jan 12 23:07:51 2015 -0500

    tidy contrib/labeled-ipsec/getpeercon_server.c:
    - prevent overflow of buffer cli_sock_addr_str
    - eliminate -Wall warnings
    - reduce scope of many variables
    - clarify inner loop
    - for each system call error, print system call name and strerror(errno)
    - add required freecon calls

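Added example, not part of the commit mail and not libreswan's code: a sketch of the seed-reading step that commit 6cce0301 describes, reading a requested number of seed bits from a blocking source before they would be handed to PK11_RandomUpdate(). The function names, the 64-byte buffer and the fail-closed behaviour are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Round a bit count up to whole bytes: 440 bits -> 55, 480 bits -> 60. */
size_t seedbits_to_bytes(size_t bits)
{
	return bits / 8 + (bits % 8 != 0);
}

/*
 * Read exactly `seedbits` of seed material from fd into buf.
 * A blocking source such as /dev/random can return short reads or EINTR,
 * so loop until the request is filled. Returns the byte count, or -1 on
 * error, EOF or a buffer that is too small; buf is wiped on failure.
 */
long read_seed(int fd, unsigned char *buf, size_t buflen, size_t seedbits)
{
	size_t want = seedbits_to_bytes(seedbits), got = 0;

	if (want == 0 || want > buflen)
		return -1;
	while (got < want) {
		ssize_t n = read(fd, buf + got, want - got);
		if (n < 0 && errno == EINTR)
			continue;	/* interrupted while blocked: retry */
		if (n <= 0) {		/* hard error or EOF: never seed short */
			memset(buf, 0, buflen);
			return -1;
		}
		got += (size_t)n;
	}
	return (long)got;
}

int main(void)
{
	unsigned char seed[64];	/* hypothetical size, enough for 480 bits */
	int fd = open("/dev/random", O_RDONLY);	/* may block on low entropy */
	long n = fd < 0 ? -1 : read_seed(fd, seed, sizeof(seed), 440);

	if (fd >= 0)
		close(fd);
	/* Per the commit, pluto would pass these bytes to PK11_RandomUpdate(). */
	printf("seed bytes read: %ld\n", n);
	memset(seed, 0, sizeof(seed));
	return n == 55 ? 0 : 1;
}
```
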

