[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Thu Nov 22 14:45:56 UTC 2018


New commits:
commit 68b3e1ad1441e409b9c7b0d58d07d9c5bb1b91ee
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 22 21:44:23 2018 +0700

    IKEv1: Properly reject key size < 0 in ikev1_verify_ike()
    
    This wasn't seen before because normally we don't reach this code and
    it gets rejected before it gets here.  But we had a customer fuzzing
    with a 0 key size that caused us to hit this error.

commit 3b44f8999c8e2d5bc2cb348fe785a069291673a8
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 22 20:36:09 2018 +0700

    IKEv1: Simplify logging for PAYLOAD_MALFORMED
    
    It requires accessing st which can have been deleted already.
    
    An improved fix would be to properly schedule a delete_state()
    event for 0 seconds instead of deleting inline.

commit f0d430e1fc1a4c6229b1b741954d45df7dba4c7a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Nov 22 20:35:40 2018 +0700

    documentation: updated CHANGES

commit ff295fcab7a72d7d0409d4b1de9cadf2bd07f061
Author: Stepan Broz <stepan at izitra.cz>
Date:   Thu Nov 22 12:13:04 2018 +0700

    X509: Fix ocsp-method=get|post which broke with use of CERT_PKIXVerifyCert()
    
    This was broken upon re-introduction in libreswan 3.13, and the NSS library
    call would always first try GET and then do POST.
    
    This patch correctly skips the first GET attempt, which can confuse some
    OCSP servers (e.g. ocspd).
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>


