[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Sat Dec 22 02:16:59 UTC 2018


New commits:
commit 2ee068227d4dc02122cbca25ef4c8ea8be0bba37
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Dec 21 21:15:52 2018 -0500

    testing: fixup dpd-10-alias for EVENT_RETRANSMIT -> EVENT_v1_RETRANSMIT

commit 0295fe46358084765757c1790e25a23897f9960a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Dec 21 18:37:28 2018 -0500

    documentation: add a comment on DPD

commit 25658bc963fb1150ff490c48107546a5cba36873
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Dec 21 18:30:00 2018 -0500

    documentation: updated CHANGES

commit 4653197dcea29561733f21a33368a7de021e3c7c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Dec 21 18:28:03 2018 -0500

    IKEv1: Do not schedule a DPD event on the ISAKMP SA.
    
    See the deleted comment. The code would override the regular
    failure/timeout mechanisms of IPsec SA's with the DPD timeout timer.

commit 5145206d469d43217483d26fbdcebccd31cb915d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Dec 21 18:15:10 2018 -0500

    IKEv1: Do not active DPD when remote peer did not support DPD
    
    This caused libreswan to restart the connection if it had DPD enabled.
    
    - Remove all checks before dpd_init() to inside dpd_init() as they were
      all the same
    
    - Log more clearly (eg when ISAKMP SA or IPsec SA hits dpd_init())
    
    - Only call find_state_ikev1() if we are not an ISAKMP state already
      (also: shouldn't we find it based on st->clonedfrom ?)

commit 90ceafc023a4d2428ceade4f06899b1a53100328
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Dec 21 18:14:04 2018 -0500

    IKEv1: print "DPD=unsupported" in IPsec SA established message if peer does not support DPD
    
    This cannot happen for IKEv2, as DPD/liveness is always supported.

commit 8c72f0fd65e398ed0f715cf5e68f38b572e94d7e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Dec 21 17:40:07 2018 -0500

    NSS: Use keyhi.h and keythi.h instead of obsolete key.h and keyt.h



More information about the Swan-commit mailing list