[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Fri Apr 14 02:31:48 UTC 2017


New commits:
commit 6d903baa347454ef67bd1de9e7e6dd60ab0d1728
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 13 22:23:03 2017 -0400

    libipsecconf/pluto: Be more strict in verifying authby= and type= combinations
    
    - No longer allow initiating authby=never conns (bug introduced in 3.19)
    - Don't change struct starter_conn *conn, it is read to parse, not to update
    - Make struct starter_conn *conn a const everywhere to avoid above error
    - Remove dead code
    - Check the combinations of authby= and type= to see if it makes sense
    - Unset some inherited default IKE/IPsec policy bits for authby=never
      (eg POLICY_PFS, POLICY_COMPRESS, POLICY_IKEV1_ALLOW, etc etc)
    - Make starter_permutate_conns() static
    - Remove unused blocks within PARSER_TYPE_DEBUG
    
    This patch does not yet change NEVER_NEGOTIATE() to check via POLICY_AUTH_NEVER
    instead of checking lack of POLICY_ENCRYPT | POLICY_AUTHENTICATE. It probably
    should be changed to do so.

commit 6dbf69460b849f1b328e19a21aaa6c2e4b3ad357
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 13 13:16:24 2017 -0400

    libipsecconf/pluto: distinguish authby=never from default properly
    
    When introducing leftauthby/rightauthby in 3.19, a bug was introduced
    that did not properly recognise authby=never connections with the
    NEVER_NEGOTIATE() macro. This was due to the lack of authentication
    via both auth= and leftauthby/rightauthby= being seen as a default,
    and a symmetric RSASIG policy is then added to the policy. This
    meant authby=never connections ended up with an auth policy and so
    NEVER_NEGOTIATE() was false.
    
    To fix this, instead of relying on a lack of RSASIG/PSK policy to
    determine authby=never, use a specific policy bit to represent this,
    using POLICY_AUTH_NEVER_IX.
    
    While fixing this in whack and the parser, it also appeared that
    there was no whack option for authby=null, so --auth-null was added.
    
    NEVER_NEGOTIATE() only checked for absence of POLICY_ENCRYPT and
    POLICY_AUTHENTICATE which also

commit 0ead701697b0022f50e83d266a760ef47493a9fe
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 13 12:10:06 2017 -0400

    pluto: remove unused define for POLICY_ISAKMP_SHIFT

commit 5241de5b0d7ae907c54921e25013556ea6c017b2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 13 12:09:47 2017 -0400

    libipsecconf: cleanup auth check call
