[Swan-commit] Changes to ref refs/heads/master

cagney at vault.libreswan.fi cagney at vault.libreswan.fi
Wed Jan 28 23:18:52 EET 2015


New commits:
commit 5a48a5ec8e372e5a5bcfd8b4323d1e3bcfdc3903
Merge: 05d9e47 8b2cc0f
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 28 15:52:23 2015 -0500

    Merge branch 'ikev2-policy4': update default IKEv2 policies; fix ensuing INVALID_KE mess
    
    By default, IKEv2 only supports AES_GCM and AES_CBC.

commit 8b2cc0f309fccca4feff6c6bd9f0b0a721d05c7e
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 28 15:50:15 2015 -0500

    pluto: for IKEv2 default policies, ignore any xauth flags

commit ff569b024cd20055ddceb711b5377937133ac84a
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 28 15:03:17 2015 -0500

    pluto: convert sadb_index and the arrays into IKEv[12] functions

commit fa8ef4cb03ce0a71e87791007146ed1e191cdc1d
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 28 12:10:32 2015 -0500

    testing: IKEv2 test with an explicit DH-group that isn't in the responder's defaults
    
    West's explicitly selected DH-group doesn't match anything in east's
    default policy list.  East responds with an INVALID_KE message and
    valid group

commit 2d8d61d04a6f57903f20e899476c1adf47914dbc
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Mon Jan 26 14:55:45 2015 -0500

    testing: IKEv2 test with the initiator's default DH-group being invalid.
    
    Since west's default DH-group is not found in east's explicitly listed
    policies, east responds with INVALID_KE and suggests a group.

commit 64b42759e8890a4d53510323ce68ca83dda46124
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Mon Jan 26 14:55:07 2015 -0500

    testing: IKEv2 test with an explicit wrong DH-group for the chosen algorithm.
    
    While west's explicitly selected DH-group is found in east's explicit
    list of policies, the group is wrong for the selected algorithm.  East
    responds with INVALID_KE suggesting the group required for the
    selected algorithm.

commit eedd9f64cd33540c30fd0cb12073b2629a32500a
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Mon Jan 26 14:54:11 2015 -0500

    testing: IKEv2 test with an invalid explicit DH-group.
    
    Since west's explicitly selected DH-group is not found in any of
    east's explicitly listed policies, east responds with INVALID_KE and
    suggests a group.

commit 1625e92b80f854b074460f180e44d6eda1590e78
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 21 16:34:58 2015 -0500

    pluto: rewrite the IKEv2 default policies.
    
    Contains:
      aes_gcm_16_{128,256}/sha{1,2};modp{2048,4096,8192}
      aes_cbc{128,256}-{sha1,sha2,aes_xcbc};modp{1536,2048}
    default groups also updated.

commit 8e2d88de5973933a82de203ce1529e67db8b1788
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 28 12:11:24 2015 -0500

    pluto: for INVALID_KE response, always use the DH-group from the selected policy

commit 33acca8be882584ab361da7bafd6176767245307
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 23 22:32:21 2015 -0500

    pluto: hack: for late detection of a bad modp group, suppress the RCOOKIE
    
    The code is:
      - checking if the modp is in the list
      - computing DH based on modp size
      - doing the policy match, selecting an algorithm, and finding modp is wrong
      - backing out the previously set RCOOKIE so the sent packet has it set to zero
    It should do the policy match before DH and before any RCOOKIE is set up.

commit 112d56c3eecd83192269979c46a662d75e15b2fb
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 23 21:48:22 2015 -0500

    pluto: create separate default-group and groups table for IKEv2

commit 03400affe56cc8161e1a7e4470cf51e155e44a10
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 21 15:50:37 2015 -0500

    pluto: clone IKEv1_oakley_spdb policies to IKEv2_oakley_spdb
    
    Everything but the low-level transforms is cloned.
    Being a simple clone - nothing really changed - nothing should break.

commit 0c412d74bd07e8e4d84f2ee92ecc6bf8c5dc82fa
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 21 11:01:05 2015 -0500

    pluto: add IKEv1 prefix (IKEv1_oakley_...) to IKEv1 policies.
    
    (yes, I know IKEv1 should be in lower case; unfortunately ikev1 looks weird)

commit 39964ee5cb182362558b71a350c8876b18414703
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 23 21:37:54 2015 -0500

    pluto: on receipt of INVALID_KE, do not save/update the RCOOKIE
    
    If the RCOOKIE is updated, we ignore further packets from the responder.

commit 19269b4ddcd109365c55286d4674cf8ac298ec16
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Fri Jan 23 21:35:36 2015 -0500

    pluto: delete redundant check
    
    first_modp_from_propset returns the same value.

commit 374b9feab1371469bbb7e045776a0f18a7660b92
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 21 10:25:58 2015 -0500

    pluto: delete undefined declaration

commit fee0e8c01aa7b31530bcab278a41b9e98c897dd9
Author: Andrew Cagney <andrew.cagney at gmail.com>
Date:   Wed Jan 21 10:23:08 2015 -0500

    pluto: for xauth client, prefer aes+sha1 over aes+md5


