[Swan-commit] Changes to ref refs/heads/main

Paul Wouters paul at vault.libreswan.fi
Fri Sep 11 00:26:56 UTC 2020


New commits:
commit 4ec6444c2ca42dd6e962cbb2f0e1d041c4d7b1fb
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Sep 10 20:25:30 2020 -0400

    testing: fixup ikev2-child-rekey-10-impair-rekey-*
    
    unexpected ping up due to firewall no longer started on road.
    updated traffic counters

commit df7cccf04f2b764225bf7034a4958bbd219f9900
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Sep 10 19:39:00 2020 -0400

    testing: fixup ikev2-child-rekey-09-windows

commit 44ffb63c707a6989340fff01fc4c2d3c0303c38d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Sep 10 19:38:42 2020 -0400

    documentation: updated CHANGES

commit 8edd8bb910ae91162d1d028e25a64d309df1e484
Author: Antony Antony <antony at phenome.org>
Date:   Thu Sep 10 19:36:01 2020 -0400

    IKEv2: rekey responder check use existing scoring logic
    
    Fix Windows 10 rekey response. Windows, during rekey, requests a wider TS
    than in the IKE_AUTH response.
    
    Relax 7be41582a3 check, and respond with same TS as responded in IKE_AUTH.
    RFC 7296 allows requesting a superset TS of the IKE_AUTH response; still respond
    with same TS as in IKE_AUTH response. The predecessor RFC, 5996, possibly
    allows changing the TS during rekey.
    
    Fixes: 7be41582a340 "(IKEv2: Verify (not ignore) expected TSi/TSr payloads for IPsec rekeys)"
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit 34d442b507e4ddee599a741959678fdf3ca11cdf
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Sep 10 19:00:42 2020 -0400

    testing: updated description of ikev2-cp-rekey-01 to list the known bugs
    
    1) On initiator, why did we not include a CP request for the IPsec SA rekey ?
    2) On receiving CREATE_CHILD_SA without having sent a CP request, why do we
       reject a reply with no CP reply?
    3) Why does the initiator send multiple proposals? We MUST only use the same
       crypto parameters as the IPsec SA that is currently in use is using. Anything
       else is not allowed.
    4) Are the responder and the initiator verifying the chosen proposal is identical
       (other than in theory the CP IP address, but for us it is always the same)?

commit c1a2a153d6d50a172b282952c188f7584161b6c2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Sep 10 18:46:42 2020 -0400

    testing: update description for interop-ikev2-strongswan-36-initiator-sha1-sha2-rsa_pss-no
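
The responder behaviour described in commit 8edd8bb9 above (accept a rekey request whose traffic selectors are equal to or wider than those answered in IKE_AUTH, and reply with the IKE_AUTH selectors unchanged), as an added example that is not libreswan's code and does not reproduce its scoring logic. The `struct ts` layout, the function names and the sample selectors are assumptions constructed for illustration; only IPv4 ranges are handled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One IPv4 traffic selector, host byte order (simplified, hypothetical layout). */
struct ts {
    uint8_t  proto;              /* 0 = any protocol */
    uint16_t port_lo, port_hi;
    uint32_t addr_lo, addr_hi;
};

/* True when 'outer' covers everything 'inner' covers. */
static bool ts_covers(const struct ts *outer, const struct ts *inner)
{
    if (outer->proto != 0 && outer->proto != inner->proto)
        return false;
    return outer->addr_lo <= inner->addr_lo && inner->addr_hi <= outer->addr_hi &&
           outer->port_lo <= inner->port_lo && inner->port_hi <= outer->port_hi;
}

/* Rekey responder: accept a request that is equal to or wider than the
 * selectors answered in IKE_AUTH, and answer with those same selectors.
 * A request that no longer covers them is rejected (returns false). */
bool rekey_respond(const struct ts *req_i, const struct ts *req_r,
                   const struct ts *cur_i, const struct ts *cur_r,
                   struct ts *out_i, struct ts *out_r)
{
    if (!ts_covers(req_i, cur_i) || !ts_covers(req_r, cur_r))
        return false;
    *out_i = *cur_i;
    *out_r = *cur_r;
    return true;
}

/* Constructed sample selectors (documentation address ranges). */
static const struct ts CUR_I  = {0, 0, 65535, 0xC000020A, 0xC000020A}; /* 192.0.2.10 */
static const struct ts CUR_R  = {0, 0, 65535, 0xC6336400, 0xC63364FF}; /* 198.51.100.0/24 */
static const struct ts WIDE   = {0, 0, 65535, 0x00000000, 0xFFFFFFFF}; /* 0.0.0.0/0 */
static const struct ts HALF_R = {0, 0, 65535, 0xC6336400, 0xC633647F}; /* 198.51.100.0/25 */

int main(void)
{
    struct ts i, r;
    printf("wider request:    %s\n", rekey_respond(&WIDE, &WIDE, &CUR_I, &CUR_R, &i, &r)
           ? "accept, reply with IKE_AUTH TS" : "reject");
    printf("narrower request: %s\n", rekey_respond(&WIDE, &HALF_R, &CUR_I, &CUR_R, &i, &r)
           ? "accept" : "reject");
    return 0;
}
```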


