[Swan-commit] Changes to ref refs/heads/main

Paul Wouters paul at vault.libreswan.fi
Fri Feb 19 03:13:06 UTC 2021

New commits:
commit bdd0f6879ffc1e2a80aa621f8589bf7cae5e140d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 18 22:01:40 2021 -0500

    testing: update TESTLIST

commit 4c8bc7e8c0e8538f65c0e550cc8bce441876b1c6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 18 22:00:50 2021 -0500

    testing: added ikev1-labeled-ipsec-03-multi-acquires and ikev2-labeled-ipsec-03-multi-acquires

commit 131a0ec8bcb70ca903488835ec819ba8cd3a2cf2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 18 21:52:49 2021 -0500

    pluto: Rework Labeled IPsec to send the right narrowed labels
    We need to send the right labels over IKE and to the kernel XFRM stack,
    otherwise we keep getting acquired for the wide %trap policy
    For IKEv2, it is a bit of a hack due to the fact that we aren't
    instantiating  regularly. Normally, instantiated connections
    don't share their IKE SA, but here we need to share it. So there
    is some juggling happening.
    We also missed copying the trailing NUL from the whack string into
    the chunk_t sec_label.
    It fixes IKEv1 to send the narrowed label, instead of the connection
    Add sec_label to the pending and oppo bundle structs so we can pick
    it up in the outI1 functions.
    The outI1 functions now all copy the ACQUIREd label into the state
    for later use with IKE payloads and XFRM messages.

More information about the Swan-commit mailing list