[Swan-commit] Changes to ref refs/heads/master

Antony Antony antony at vault.libreswan.fi
Sun Apr 30 20:31:55 UTC 2017


New commits:
commit 6ee1e2bab048234cfcb73b0b2ce1a77cdb21f104
Author: Antony Antony <antony at phenome.org>
Date:   Tue Apr 11 11:05:48 2017 +0200

    ikev2: during I1 retransmit, if this negotiation is not needed drop it

commit dced0ca6564f7e9f81f8a759c1e0667d0aa0753d
Author: Antony Antony <antony at phenome.org>
Date:   Tue Apr 11 11:05:19 2017 +0200

    testing: ikev2-57-restart

commit dc4a51c5f634d963ab2338dec96f9aafae6c5493
Merge: af2fa41 c2b4316
Author: Antony Antony <antony at phenome.org>
Date:   Sun Apr 30 22:24:35 2017 +0200

    Merge branch 'rekey-ipsec-pfs'
    
    add pfs=yes support for:
    	CREATE_CHILD_SA 1.3.1 as initiator and responder
    	CREATE_CHILD_SA 1.3.2 as responder
    
    This is the accepting and sending KE and Child SA proposal part.
    The configuration option still needs fixing.

commit c2b43163cab6f780ad93541869b8dccc4511e7a7
Author: Antony Antony <antony at phenome.org>
Date:   Thu Apr 27 14:55:54 2017 +0000

    copyright: added a few more copyright

commit acf205fab220cc9ffcc5b0ad0b6e6cfa2f673c49
Author: Antony Antony <antony at phenome.org>
Date:   Mon Apr 10 23:06:10 2017 +0200

    ikev2: use ike state modp if not specified with phase2alg and pfs=yes
    
    This could work well for the initiator. However as responder it is
    a bit limiting. Ideally the responder should be prepared to accept more than
    one modp.

commit dcdf8dbfd43be81d1d7cdb8b11ab9eea4ab543ba
Author: Antony Antony <antony at phenome.org>
Date:   Fri Mar 31 22:46:22 2017 +0200

    ikev2: CREATE_CHILD_SA uses message role.
    
    During CREATE_CHILD_SA many role checks are based on the message role.
    It could be different from the parent IKE state role.
    
    When responding to an IKE rekey this end is always ORIGINAL_RESPONDER, no matter what
    its IKE parent state was.

commit b77ae90644c8bd9dcc59d949c9b1dae66b92bd05
Author: Antony Antony <antony at phenome.org>
Date:   Wed Mar 29 12:17:10 2017 +0200

    ikev2: flush ESP/AH proposals on the initiator. It could be stale.
    
    Because CREATE_CHILD_SA may have changed c->esp_or_ah_proposals.
    Convert again from the connection.

commit ce9ec314cba40b7e8c8a1e5831ad972c31e7f6cf
Author: Antony Antony <antony at phenome.org>
Date:   Tue Mar 28 15:25:26 2017 +0200

    ikev2: update svm entries processing CREATE_CHILD_SA exchange.
    
    remove SMF2_IKE_I_SET and SMF2_IKE_I_CLEAR flags from svm entries.
    This helps to reduce the svm entries. Original IKE roles, initiator and
    responder, are not relevant during CREATE_CHILD_SA exchange.
    This exchange's role is based on the message: SMF2_MSG_R_CLEAR / SMF2_MSG_R_SET

commit 00a0b5d6a2d01c93dc5e76c84f78ea0e53a6e5eb
Author: Antony Antony <antony at phenome.org>
Date:   Tue Mar 28 11:12:35 2017 +0200

    ikev2: DH role is based on message role not original IKE role.
    
    For DH calculation use the role of the message. In case of IKE_INIT and IKE_AUTH
    exchanges it is the same.
    However, during CREATE_CHILD_SA with KE, i.e. pfs=yes and IKE rekey,
    the original IKE role and the message/exchange role could be different.
    For these use the message role or state.

commit c4e85066a75b60b119019e5058d43a04c7c44001
Author: Antony Antony <antony at phenome.org>
Date:   Sun Mar 26 20:59:10 2017 +0200

    ikev2: refactor ESP/AH SA payload processing on responder, inR2

commit 6a27ce4608c3be0600f76ac3798f276c86ada3ff
Author: Antony Antony <antony at phenome.org>
Date:   Sun Mar 26 17:10:18 2017 +0200

    ikev2: Child SA initiating with pfs=yes send KE payload

commit 0f6ce016fca2b68bb74310b4689d4144fc9a6aea
Author: Antony Antony <antony at phenome.org>
Date:   Sat Mar 25 20:44:44 2017 +0100

    ikev2: add pfs=yes check in CREATE_CHILD_SA ESP proposal parsing
    
    If pfs=yes compute a new shared secret (g^ir) using prf from IKE SA.

commit 5b87d987e7ce2d76efc20e7a8cb1f465c9a19a5f
Author: Antony Antony <antony at phenome.org>
Date:   Sat Mar 25 17:34:57 2017 +0100

    ikev2: add function to check message role, request or response

commit 7d1a2a3e1794ddb3f1af7d6365c7f139c16f7446
Author: Antony Antony <antony at phenome.org>
Date:   Sat Mar 25 10:29:44 2017 +0100

    ikev2: add pfsgroup(DH) to Child SA ESP proposal set.
    
    If the connection has a phase2alg specified and pfs=yes, add the pfs_group
    to the ESP proposal transforms. Only during Child SA ESP negotiation.
    Add it when converting esp_or_ah_proposals before matching.
    
    Matching and sending functions will take care of the rest if
    the esp_or_ah_proposal is initialized with correct pfs_group.
    This does not work if the phase2alg/esp is not specified in config;
    with default esp proposals pfs=yes will not work.
    
    e.g. phase2alg=aes256-sha2_256;modp2048

commit 8c1ced1a7df814313afb3e074a770b665f2ac25a
Author: Antony Antony <antony at phenome.org>
Date:   Sat Mar 25 10:18:29 2017 +0100

    ikev2: return CHILD_SA_NOT_FOUND when appropriate
    
    When a Child rekey request is received and the rekey SPI can't be found, return
    CHILD_SA_NOT_FOUND. It is supposed to be a CREATE_CHILD_SA reply.
    This is partial work; now sending v2N_CHILD_SA_NOT_FOUND.

commit 4785b9d7cd600332eef0f8d9c7627321ee6ed8d9
Author: Antony Antony <antony at phenome.org>
Date:   Sat Mar 25 02:20:54 2017 +0100

    ikev2: extend finish_dh_v2 to optionally extract shared only
    
    for a Child SA with KE extract only the "shared" g^ir from the DH.
    I could optionally make a new crypto op type to do this in one go.

commit 5fcbd7d087e94f7b7bbe5edb1ba46327e265d213
Author: Antony Antony <antony at phenome.org>
Date:   Fri Mar 24 22:58:24 2017 +0100

    ikev2: ship KE when pfs=yes

commit 3aaba04dd98a91d81bce54d63f8538becb1bcad5
Author: Antony Antony <antony at phenome.org>
Date:   Sat Mar 25 15:49:49 2017 +0100

    testing: testing update for the branch rekey-ipsec-pfs

commit 60615ed4e09a617f81eb28dd2263c5fc00844d76
Author: Antony Antony <antony at phenome.org>
Date:   Sun Mar 26 14:07:27 2017 +0200

    testing: change permissions to +x on .sh

commit c10acbc1081a827bc09bde00ff8ca1baf48b5b62
Author: Antony Antony <antony at phenome.org>
Date:   Sat Mar 25 14:48:49 2017 +0100

    pluto: after an IKE rekey rehash the inherited Child SA to the new parent

commit 705b035d652e7091770d370fb6c62b3a98f93936
Author: Antony Antony <antony at phenome.org>
Date:   Sat Mar 25 14:37:59 2017 +0100

    pluto: extend rehash_state to accept icookie too
    
    IKEv2 rekeying should update icookie and rcookie when inheriting a Child SA.

commit c4c2c62a4aaabb125228fe567b34c602c66603b8
Author: Antony Antony <antony at phenome.org>
Date:   Sat Mar 25 16:55:52 2017 +0100

    ikev2: update svm to support CREATE_CHILD_SA continuations

commit 6d93cd17946c8e1e5c1636d479c34fdc84e952d1
Author: Antony Antony <antony at phenome.org>
Date:   Sun Mar 26 14:01:52 2017 +0200

    ikev2: rename macro IS_CHILD_SA_REQUEST

commit 5a805d47689e9452fecd2dd227e7ed871b27206c
Author: Antony Antony <antony at phenome.org>
Date:   Mon Apr 3 21:49:22 2017 +0200

    ikev2: do not install liveness/dpd for IKE rekeyed state
    
    It starts as a child state, however when done it is a parent and has no dpd.
    Remove the parent states from the IS_CHILD_SA_ESTABLISHED macro.

commit 2528b2ddb64255aa96c5de88cf414997401940ee
Author: Antony Antony <antony at phenome.org>
Date:   Fri Apr 28 13:58:43 2017 +0000

    Revert "pluto: make ike_alg_pfsgroup() local to ikev1_quick.c"
    
    this can't be local. ikev2 is also using it now.
    
    This reverts commit 3d07314b38973d1ccc0e3bddc7a1b0ec1b134560.

commit 3cd1278e056de850f75796c3d17841439a1cfaeb
Author: Antony Antony <antony at phenome.org>
Date:   Mon Apr 10 15:01:54 2017 +0200

    pluto: bring back macro RETURN_STF_FAILURE_STATUS
    
    It got removed in e685c3d. It is used more in this branch.
    One day combine it with RETURN_STF_FAILURE.

