[Swan-dev] pluto: Fix bogus "no RSA public key known for '%fromcert'"

When refine_host_connection tests against a %fromcert RW connection followed by other right=%any connections with fixed IDs (e.g., @hostname), it will lose the fromcert setting. So when it does eventually return with the %fromcert RW connection fromcert will be set to false and therefore the actua

Re: [Swan-dev] pluto: Add RFC7383 fragmentation support

On Thu, 30 Apr 2015, Herbert Xu wrote: Subject: [Swan-dev] pluto: Add RFC7383 fragmentation support This patch adds RFC7383 IKEv2 fragmentation support to pluto. Wow! Thanks for doing all that work to implement fragmentation! I'll spin this into a branch and run it through our full test suit

Re: [Swan-dev] pluto: Fix undefined memory dereference in crt_tmp_import

On Thu, 30 Apr 2015, Herbert Xu wrote: We can only dereference cc after the fin_count check as otherwise we may dereference unallocated memory. Merged in nss_pkix branch, which should merge into master very soon. Paul ___ Swan-dev mailing list Swan-

Re: [Swan-dev] pluto: Fix modecfg client/server display

On Thu, 30 Apr 2015, Herbert Xu wrote: The display for modecfg client/server status in ipsec whack --status is reversed. Signed-off-by: Herbert Xu Applied. thanks! Paul ___ Swan-dev mailing list Swan-dev@lists.libreswan.org https://lists.libreswan

Re: [Swan-dev] pluto: Fix ipsec whack --status crash

On Thu, 30 Apr 2015, Herbert Xu wrote: The current IKEv2 code is prone to generating STATE_UNDEFINED child states when something goes wrong (e.g., no proposal chosen). So we best not crash when encountering such states. This was fixed differently by adding the state_story entries for those sta

[Swan-dev] pluto: Add RFC7383 fragmentation support

This patch adds RFC7383 IKEv2 fragmentation support to pluto. Signed-off-by: Herbert Xu diff --git a/include/ietf_constants.h b/include/ietf_constants.h index e56683d..95fb27a 100644 --- a/include/ietf_constants.h +++ b/include/ietf_constants.h @@ -529,6 +529,11 @@ enum next_payload_types_ikev2

[Swan-dev] pluto: Fix NSS certificate crash

When we instantiate a connection we simply copy the certificate over, without getting a reference count over the new certificate reference, resulting in a bogus certificate when the instance is deleted. Signed-off-by: Herbert Xu diff --git a/programs/pluto/connections.c b/programs/pluto/connecti

[Swan-dev] pluto: Fix undefined memory dereference in crt_tmp_import

We can only dereference cc after the fin_count check as otherwise we may dereference unallocated memory. Signed-off-by: Herbert Xu diff --git a/programs/pluto/nss_cert_vfy.c b/programs/pluto/nss_cert_vfy.c index 41ec630..ae13de6 100644 --- a/programs/pluto/nss_cert_vfy.c +++ b/programs/pluto

[Swan-dev] pluto: Do address setting before check TS in IKEv2

We need to parse the CP payload and set the address before we do the TS check as otherwise we are bound to fail if the TS uses the address that CP will set. Signed-off-by: Herbert Xu diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c index 5620f97..95803a3 100644 ---

[Swan-dev] pluto: Fix modecfg client/server display

The display for modecfg client/server status in ipsec whack --status is reversed. Signed-off-by: Herbert Xu diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c index 1a03c29..6e9b2f2 100644 --- a/programs/pluto/connections.c +++ b/programs/pluto/connections.c @@ -3438,8 +343

[Swan-dev] pluto: Fix ipsec whack --status crash

The current IKEv2 code is prone to generating STATE_UNDEFINED child states when something goes wrong (e.g., no proposal chosen). So we best not crash when encountering such states. Signed-off-by: Herbert Xu diff --git a/programs/pluto/state.c b/programs/pluto/state.c index acbf0c7..a720845 1