[Swan-commit] Changes to ref refs/heads/master

[Andrew Cagney]

New commits:
commit ca6fdd60fb19ae7e96293b474da47eefbe0c6325
Merge: 499b24f 985a300
Author: Andrew Cagney <cagney at gnu.org>
Date:   Wed Mar 21 11:28:08 2018 -0400

    ikev2: when ms_dh_downgrade=yes, include CHILD_SA proposals with no DH
    
    For instance, esp=aes-sha1, will be expanded into:
         esp=aes-sha1-<IKE-SA-DH>,aes-sha1-[no-dh]
    
    It follows up a031270cefc7a6dc197f2781777aa05b5ad5ebdd.
    Need windows machine to see if this really helps.
    
    Merge commit '985a300857916e6a8aba015e5ac055413edf2172'

commit 985a300857916e6a8aba015e5ac055413edf2172
Author: Andrew Cagney <cagney at gnu.org>
Date:   Tue Mar 20 14:35:51 2018 -0400

    ikev2: when POLICY_MSDH_DOWNGRADE, duplicate CHILD_SA proposals stripping DH

commit 3024c3f463e220389416bdb747685d403c61830c
Author: Andrew Cagney <cagney at gnu.org>
Date:   Tue Mar 20 19:40:50 2018 -0400

    testing: interop CHILD_SA with east set to pfs=yes ms_dh_downgrade=yes
    
    This sets east up with two sets of proposals.  The first contains
    DH from the IKE SA, and the second contains no DH.
    
    West tries pfs={yes,no} X ms_dh_downgrade={yes,no}.  Everything
    should interop.

commit 9e60898d6c02ed4978bb85f7105f95ffc0aa3e5a
Author: Andrew Cagney <cagney at gnu.org>
Date:   Tue Mar 20 19:17:29 2018 -0400

    testing: interop CHILD_SA with east set to pfs=no ms_dh_downgrade=no
    
    This sets east up with one set of proposals containing no DH.
    
    West tries pfs={yes,no} X ms_dh_downgrade={yes,no}.  All but
    pfs=yes ms_dh_downgrade=no should interop (fails because east
    doesn't allow DH and west only proposes DH).
    
    (actually, for moment, it skips pfs=yes ms_dh_downgrade=no because that
    seems to cause the next interop to hang, see ikev2-child-00-dh-hang)