[Swan-commit] Changes to ref refs/heads/main
Paul Wouters
paul at vault.libreswan.fi
Fri Feb 19 03:13:06 UTC 2021
New commits:
commit bdd0f6879ffc1e2a80aa621f8589bf7cae5e140d
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 18 22:01:40 2021 -0500

testing: update TESTLIST

commit 4c8bc7e8c0e8538f65c0e550cc8bce441876b1c6
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 18 22:00:50 2021 -0500

testing: added ikev1-labeled-ipsec-03-multi-acquires and ikev2-labeled-ipsec-03-multi-acquires

commit 131a0ec8bcb70ca903488835ec819ba8cd3a2cf2
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Feb 18 21:52:49 2021 -0500

pluto: Rework Labeled IPsec to send the right narrowed labels

We need to send the right labels over IKE and to the kernel XFRM stack,
otherwise we keep getting acquired for the wide %trap policy.

For IKEv2, it is a bit of a hack due to the fact that we aren't
instantiating regularly. Normally, instantiated connections
don't share their IKE SA, but here we need to share it. So there
is some juggling happening.

We also missed copying the trailing NUL from the whack string into
the chunk_t sec_label.

It fixes IKEv1 to send the narrowed label, instead of the connection
label.

Add sec_label to the pending and oppo bundle structs so we can pick
it up in the outI1 functions.

The outI1 functions now all copy the ACQUIREd label into the state
for later use with IKE payloads and XFRM messages.