[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Wed Oct 28 11:43:54 UTC 2015
New commits:
commit 47e956bd75f170b5c8299e76df4b9aa55d1334c2
Author: Lubomir Rintel <lkundrak at v3.sk>
Date: Wed Oct 28 12:42:13 2015 +0100
XAUTH: Don't attempt to read attributes when there's just padding
Libreswan, unlike Cisco, likes to add padding when transform payload attributes
don't line up to 4-octet boundaries while it doesn't seem to be too happy about
padding, being non-interoperable with itself (unless "ikepad" is turned off):
    002 "conn" #4: modecfg: Sending IP request (MODECFG_I1)
    005 "conn" #4: Received IPv4 address: 10.0.0.10/32
    005 "conn" #4: Received IP4 NETMASK 255.255.255.255
    005 "conn" #4: Received DNS server 8.8.8.8
    005 "conn" #4: Received Domain: yolo
    005 "conn" #4: Received Banner: swag
    005 "conn" #4: Received subnet 192.168.100.156/32, maskbits 32
    003 "conn" #4: not enough room in input packet for ISAKMP ModeCfg attribute (remain=2, sd->size=4)
RFC 2408 3.6 seems to be a bit unclear about how to pad the attributes
referring to "any padding." Let's just assume anything shorter than four octets
(minimal attribute size) at the end is padding and don't attempt to read
through it.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit 97a165013e67527efbd06d93b0b4993db4820070
Author: Lubomir Rintel <lkundrak at v3.sk>
Date: Wed Oct 28 12:40:04 2015 +0100
selinux: support dynamic class/perm discovery
The older API has been deprecated which breaks Werror builds.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit d4230d050afaee7f988c0e9a8fd50c1190c90127
Author: Lubomir Rintel <lkundrak at v3.sk>
Date: Wed Oct 28 12:28:20 2015 +0100
systemd: add socket activation
This fixes a startup race where the tools don't know whether it's safe to use
the management socket after launching the service.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
commit 97544cdfdb3caa7dd088c0064782a2626a99fad9
Author: Lubomir Rintel <lkundrak at v3.sk>
Date: Wed Oct 28 12:22:33 2015 +0100
_updown.*: Fix NetworkManager callback
Letting NM know is not just specific to resolver configuration management, NM
always needs to know if setting up the connection succeeded or timed out.
Moreover, it's probably not a good idea to unset the variables upon disconnect
as it would be nice if NetworkManager could identify the connection that goes
down.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
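
The padding rule from the XAUTH commit above, as an added example (not libreswan's code, and not taken from the commit): a bounds-checked walk over ISAKMP data attributes that stops once fewer than four octets remain and reports them as padding. The function name, result codes and sample bytes are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ATTR_HDR_LEN 4u      /* type (2) + length-or-value (2), RFC 2408 3.3 */
#define ATTR_AF_TV   0x8000u /* AF bit set: value is carried in the header */

/* Hypothetical result codes for this sketch. */
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1 };

/* Constructed sample: two TLV attributes with 4-octet values, then 2 pad
 * octets, matching the "remain=2" case in the log. Type values 1 and 2 are
 * placeholders. */
static const uint8_t sample[] = {
    0x00, 0x01, 0x00, 0x04, 10, 0, 0, 10,
    0x00, 0x02, 0x00, 0x04, 255, 255, 255, 255,
    0x00, 0x00
};

/* Walk the attribute list. On PARSE_OK, *count holds the attributes seen and
 * *pad the trailing octets (0..3) that were skipped as padding. */
int walk_attrs(const uint8_t *buf, size_t len, size_t *count, size_t *pad)
{
    size_t off = 0;

    *count = 0;
    *pad = 0;
    /* Anything shorter than a minimal attribute is never read as one. */
    while (len - off >= ATTR_HDR_LEN) {
        uint16_t type = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint16_t lv = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);

        off += ATTR_HDR_LEN;
        if (!(type & ATTR_AF_TV)) {
            /* TLV form: the declared length must fit in what is left. */
            if (lv > len - off)
                return PARSE_TRUNCATED;
            off += lv;
        }
        (*count)++;
    }
    *pad = len - off; /* not inspected, only counted */
    return PARSE_OK;
}

int main(void)
{
    size_t n, pad;
    int rc = walk_attrs(sample, sizeof(sample), &n, &pad);

    printf("rc=%d attributes=%zu padding=%zu\n", rc, n, pad);
    return 0;
}
```

A declared length that overruns the buffer is still rejected; only a tail shorter than one attribute header is tolerated.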