[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Fri Apr 14 02:31:48 UTC 2017
New commits:
commit 6d903baa347454ef67bd1de9e7e6dd60ab0d1728
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 13 22:23:03 2017 -0400
libipsecconf/pluto: Be more strict in verifying authby= and type= combinations
- No longer allowed initiating authby=never conns (bug introduced in 3.19)
- Don't change struct starter_conn *conn, it is read to parse, not to update
- Make struct starter_conn *conn a const everywhere to avoid above error
- Remove dead code
- Check the combinations of authby= and type= to see if it makes sense
- Unset some inherited default IKE/IPsec policy bits for authby=never
(eg POLICY_PFS, POLICY_COMPRESS, POLICY_IKEV1_ALLOW, etc etc)
- Make starter_permutate_conns() static
- Remove unused blocks within PARSER_TYPE_DEBUG
This patch does not yet change NEVER_NEGOTIATE() to check via POLICY_AUTH_NEVER
instead of checking lack of POLICY_ENCRYPT | POLICY_AUTHENTICATE. It probably
should be changed to do so.
commit 6dbf69460b849f1b328e19a21aaa6c2e4b3ad357
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 13 13:16:24 2017 -0400
libipsecconf/pluto: distinguish authby=never from default properly
When introducing leftauthby/rightauthby in 3.19, a bug was introduced
that did not properly recognise authby=never connections with the
NEVER_NEGOTIATE() macro. This was due to the lack of authentication
via both auth= and leftauthby/rightauthby= being seen as a default,
and a symmetric RSASIG policy is then added to the policy. This
meant authby=never connections ended up with an auth policy and so
NEVER_NEGOTIATE() was false.
To fix this, instead of relying on a lack of RSASIG/PSK policy to
determine authby=never, use a specific policy bit to represent this,
using POLICY_AUTH_NEVER_IX.
While fixing this in whack and the parser, it also appeared that
there was no whack option for authby=null, so --auth-null was added.
NEVER_NEGOTIATE() only checked for absence of POLICY_ENCRYPT and
POLICY_AUTHENTICATE which also
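As an added illustration covering both commits above (this is not libreswan's own code: the bit values, the connection type enum, the two parsing helpers and the shunt-versus-negotiated rule are all assumed), the pre-fix defaulting that swallowed authby=never next to the fixed parse that sets an explicit POLICY_AUTH_NEVER bit, clears inherited IKE/IPsec bits, and rejects an authby=/type= pair that makes no sense:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Model policy bits: names follow the commit log, values are assumed for this example. */
typedef uint64_t lpolicy_t;
enum {
    POLICY_PSK = 1 << 0, POLICY_RSASIG = 1 << 1, POLICY_AUTH_NULL = 1 << 2,
    POLICY_AUTH_NEVER = 1 << 3,                       /* explicit bit the fix introduces */
    POLICY_PFS = 1 << 4, POLICY_COMPRESS = 1 << 5, POLICY_IKEV1_ALLOW = 1 << 6,
};
#define POLICY_AUTH_MASK (POLICY_PSK | POLICY_RSASIG | POLICY_AUTH_NULL | POLICY_AUTH_NEVER)
#define POLICY_INHERITED (POLICY_PFS | POLICY_COMPRESS | POLICY_IKEV1_ALLOW)

enum conn_type { TYPE_TUNNEL, TYPE_TRANSPORT, TYPE_PASSTHROUGH, TYPE_DROP, TYPE_REJECT };

/* Pre-fix parse (assumed shape): authby=never sets no bit, so it is indistinguishable
 * from "unset" and the symmetric RSASIG default is added on top of it. */
static lpolicy_t old_authby_policy(const char *authby, lpolicy_t inherited) {
    lpolicy_t p = inherited;
    if (strcmp(authby, "secret") == 0) p |= POLICY_PSK;
    else if (strcmp(authby, "rsasig") == 0) p |= POLICY_RSASIG;
    else if (strcmp(authby, "null") == 0) p |= POLICY_AUTH_NULL;
    /* "never" and "" both fall through to the default below */
    if ((p & POLICY_AUTH_MASK) == 0) p |= POLICY_RSASIG;   /* default swallows never */
    return p;
}

/* Fixed parse: never gets its own bit, the RSASIG default applies only when nothing
 * was given, and inherited IKE/IPsec bits are cleared for authby=never. Returns false
 * for an unknown keyword or for the assumed nonsensical combination of authby=never
 * with a negotiated type (tunnel/transport), since a shunt is never negotiated. */
static bool new_authby_policy(const char *authby, enum conn_type type,
                              lpolicy_t inherited, lpolicy_t *out) {
    lpolicy_t p = inherited;
    if (strcmp(authby, "secret") == 0) p |= POLICY_PSK;
    else if (strcmp(authby, "rsasig") == 0) p |= POLICY_RSASIG;
    else if (strcmp(authby, "null") == 0) p |= POLICY_AUTH_NULL;
    else if (strcmp(authby, "never") == 0) { p |= POLICY_AUTH_NEVER; p &= ~POLICY_INHERITED; }
    else if (authby[0] == '\0') p |= POLICY_RSASIG;        /* the genuine default case */
    else return false;
    bool negotiated = (type == TYPE_TUNNEL || type == TYPE_TRANSPORT);
    if ((p & POLICY_AUTH_NEVER) && negotiated) return false;
    *out = p;
    return true;
}

/* With the explicit bit, "never" can be tested directly instead of by absence of bits. */
static bool auth_never(lpolicy_t p) { return (p & POLICY_AUTH_NEVER) != 0; }
```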
commit 0ead701697b0022f50e83d266a760ef47493a9fe
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 13 12:10:06 2017 -0400
pluto: remove unused define for POLICY_ISAKMP_SHIFT
commit 5241de5b0d7ae907c54921e25013556ea6c017b2
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Apr 13 12:09:47 2017 -0400
libipsecconf: cleanup auth check call