[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Fri Oct 16 03:26:03 UTC 2015


New commits:
commit 093382a4da5f175bbb8a84e81368aa035c9edc83
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Oct 15 23:23:27 2015 -0400

    pluto: retransmit_v2_msg() should delete parent and child sa's on failure
    
    When retransmit_v2_msg() hits failure for EVENT_v2_RETRANSMIT, it only
    deleted the larval child sa, and not the parent sa. It would be left
    to die on the EVENT_SA_TIMEOUT. This caused dozens of lingering states
    for OE.

commit d105132f773257e359b04b0140d73ab9193f56ef
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Oct 15 23:20:17 2015 -0400

    pluto: A mixup in parent vs child SA caused the keyingtries number to be lost
    
    This resulted in unlimited keyingtries. OE connections would never stop trying.
    
    This is due to the child sa being created prematurely in ikev2_parent_inR1outI2_tail().
    It should really be created only after IKE_AUTH was received with confirmation?
    
    As a bandaid, we copy the parent's st_try to the child's st_try when duplicating
    the state.

commit c8ae77fae976db831b49f327a69d51eff71f19db
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Oct 15 23:19:26 2015 -0400

    ikev2_parent.c: Add comments that a child SA is created prematurely

commit 22b0b78daf7fc1151da16536f33c340b08bbc86c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Oct 15 23:16:08 2015 -0400

    pluto: remove two bogus state machine entries
    
    "I2: process INFORMATIONAL"
    "R1: process INFORMATIONAL"
    
    These states have no authenticated parent sa and so should never even
    process an informational. Only R2 and I3 states are allowed to do so.
    
    These were added by mistake because the SEND_V2_NOTIFICATION() related
    code could cause an IKE_AUTH or IKE_INIT request to be answered with
    an INFORMATIONAL reply, which is incorrect. The code that did so was
    fixed a few commits before this commit.
