[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Sun Oct 8 23:49:58 UTC 2017


New commits:
commit bf4d8229ee5a89aaa69856abd844500686955182
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Oct 8 19:49:04 2017 -0400

    testing: new xauth story output
    
    awaiting CFG_set -> possibly awaiting CFG_set

commit b9d8541da8124ebea79e44ce7e6832f43a422a0a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Oct 8 19:48:14 2017 -0400

    pluto: slightly change story of MODE_XAUTH_I0 / MODE_XAUTH_I1
    
    We now include the word "possibly" since these states are not
    guaranteed to require or do ModeCFG.

commit 5da0aece3817881b72966e81bd73ffe1abffd2cb
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Oct 8 19:45:14 2017 -0400

    testing: updated xauth-pluto-03 and xauth-pluto-04
    
    fixed up to show the phase 1 state and the new output of the
    new state changes for the case of xauth without modecfg

commit 9a6cf2394a9e9cc7dd4f18009b2efdd66c400c9c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Oct 8 19:34:29 2017 -0400

    XAUTH: Perform custom state change for XAUTH without ModeCFG
    
    It is not possible to use different smc state machine changes based
    on ModeCFG payloads, as the content of these payloads determines
    which state change we should do, but in both cases with and without
    modecfg, we get some modecfg payload.
    
    What happened until this commit was that the ISAKMP SA was left
    dangling despite also moving on and doing quick mode successfully
    in the case of NOT doing modecfg.
    
    But since the dangling state ends up timing out and restarting new
    keying attempts, it would delete the established IPsec and IKE SAs.
    The test cases xauth-pluto-03 and xauth-pluto-04 suffered from this,
    but it was not visible in the test case because it ended before the
    dangling state caused damage. The test cases were updated to show
    the STATEs so any future regression on this becomes visible.
    
    History showed this was attempted to have been fixed before, but
    was partially left in an #if 0 statement.
    
    As most XAUTH also involves ModeCFG, this bad case was apparently
    rarely hit.

commit 56dcc5a8bf81187f947f754e4d186286a334bc4e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Oct 8 19:31:46 2017 -0400

    pluto: clarify branch taken with xauth_inI1() in debug logging


