[Swan-commit] Changes to ref refs/heads/main
New commits:

commit ca6cfbe2682dd18200672d05baf09daa75465d70
Author: Paul Wouters
Date: Wed Apr 10 21:59:05 2024 -0400

security: add CVE-2024-3652.txt

___
Swan-commit mailing list
Swan-commit@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-commit
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit a9fd7976c1b2691a027edc73205595c76e0233ce
Author: Paul Wouters
Date: Mon Apr 15 12:40:02 2024 -0400

documentation: update CHANGES for v4.15
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 38b5ca55c4e8f0265da8a98e91cfb9bcc55d89b4
Author: Paul Wouters
Date: Mon Mar 11 22:09:05 2024 -0400

documentation: merge in v4.13/v4.14 CHANGES
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit e80ee435de583eebad690e91f3af4fd3e0f929c8
Author: Paul Wouters
Date: Mon Mar 11 17:47:37 2024 -0400

Bump to 5.0rc2
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 2546f2783560b4e19dbbfc595d47e7f72547fe49
Author: Paul Wouters
Date: Sun Mar 10 19:25:41 2024 -0400

security: Added CVE-2024-2357.txt
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit d834d7660569fc95731bfd8bc475bf8af0321559
Author: Paul Wouters
Date: Sat Mar 9 18:10:06 2024 -0500

testing: clean some cruft comments
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 98cdfe71c053dbd6f076bcccbbc998e4802826cf
Author: Paul Wouters
Date: Tue Mar 5 10:24:06 2024 -0500

documentation: fix man page for listen-tcp= default
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit c040ce61a3899bc2df0fd8a18be8d6e4fb919696
Author: Paul Wouters
Date: Fri Feb 23 16:31:24 2024 -0500

testing: ikev2-05-basic-psk add global secrets

This re-uses the test to ensure the most specific secret is picked irrespective of the location of the global all matching secret.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit d2ccd5d58f491bef3253151faf4c4bf253965bd4
Author: Paul Wouters
Date: Wed Feb 21 15:03:44 2024 -0500

testing: update forgotten west.console.txt for addconn-37-nic-offload
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 6c8b02569f7270266bc1e51661b5c761c584c804
Author: Paul Wouters
Date: Wed Feb 21 14:21:29 2024 -0500

testing: add test to addconn-37-nic-offload for encapsulation=yes

commit b1957720206ff006c87b5471faa9c7a371432469
Author: Paul Wouters
Date: Wed Feb 21 13:43:06 2024 -0500

pluto: do not allow nic-offload=packet with encapsulation=yes

also fix old references of "auto" in error msgs.

Resolves: https://github.com/libreswan/libreswan/issues/1603
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 1cd6ead3160c5449201035b47360e8c36184ad7e
Author: Paul Wouters
Date: Wed Feb 21 13:28:26 2024 -0500

pluto: If connection is NAT'ed abort on nic-offload=packet

No known hardware currently supports offloading with encapsulation.

On initiator, we can abort early on NAT-T detection. On responder, we can only abort after we won't switch connections anymore, so we abort later in add_sa()
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit b8d327f911da6e1c672dea25c19c04da11209769
Author: Paul Wouters
Date: Wed Feb 21 12:29:47 2024 -0500

documentation: minor update to libreswan(7) man page

Resolves: https://github.com/libreswan/libreswan/issues/1469
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 481c0eb7957d3ad8e1f744cb8f2434a1f596d5e1
Author: Paul Wouters
Date: Wed Feb 21 11:55:11 2024 -0500

cleanup: remove configs/st which is a copy of portexcludes.conf.in
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit d300ead77078a338efa0ce7964c4822aa933bbc0
Author: Paul Wouters
Date: Thu Feb 8 20:55:27 2024 -0500

documentation: remove alsoflip= mentions

commit 81fa930d8935eda428da53762063cd55e8a6a927
Author: Paul Wouters
Date: Thu Feb 8 20:53:30 2024 -0500

pluto: Do not run updown for type=passthrough|drop|reject

The only operations needed for these is installing the SPDs.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit dbebd05ce620bbe5bc462f3ed0d984f9e59ec18a
Author: Paul Wouters
Date: Fri Feb 2 21:40:37 2024 -0500

documentation: update seccomp man page entry of ipsec.conf

commit 5c58697d75f141ebfeb1b5ab2a0bf30be9b8
Author: Paul Wouters
Date: Fri Feb 2 21:30:02 2024 -0500

SECCOMP: update syscall list for pluto and addconn
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 441236b9aecf5094c45736cd1ae2b9406a2cfe73
Author: Paul Wouters
Date: Mon Jan 22 16:25:21 2024 -0500

testing: update TFC test cases to properly show TFC is set

This is to confirm the fix for https://github.com/libreswan/libreswan/issues/1569

commit 0a8aa6093d0300e6b1d04c5d12f95f6c04a89009
Author: Paul Wouters
Date: Mon Jan 22 16:24:11 2024 -0500

pluto: TFC padding was not set for AEAD algorithms

Report and patch by SaiKumarCholleti @ github

Resolves: https://github.com/libreswan/libreswan/issues/1569
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 8d39780969fe29941deb855993789a0a0abe47f9
Author: Paul Wouters
Date: Sun Jan 21 19:43:30 2024 -0500

testing: add whack-04-route-route to TESTLIST

commit b4d847721e285a585d080cc6f68655589beeb699
Author: Paul Wouters
Date: Sun Jan 21 19:43:09 2024 -0500

testing: add whack-04-route-route

commit 630d5bf3646a937d08bd79dad0f2cb4575148e91
Author: Paul Wouters
Date: Sun Jan 21 19:30:52 2024 -0500

pluto: don't allow whack to route a routed connection

This resolves https://github.com/libreswan/libreswan/issues/1562
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit acf150b5b39bdf2cf9c9ba9604efa08dfcac4d65
Author: Paul Wouters
Date: Fri Jan 19 14:06:45 2024 -0500

testing: fixup dynamic-iface-01 for orient log line

commit e00873e8ad67b16e897cd0025ab3921efba3c857
Author: Paul Wouters
Date: Fri Jan 19 12:32:30 2024 -0500

testing: interop-ikev1-strongswan-11-ah-initiator-sha512 fixup is missing a "sending packet" log line ?

commit d8287e3a6d29657f892bb39154e10778a56696b2
Author: Paul Wouters
Date: Fri Jan 19 12:31:52 2024 -0500

testing: ikev2-removed-iface-01 has new orient log message

commit 35de384c53bbe262e53664270484003ab0fb4998
Author: Paul Wouters
Date: Fri Jan 19 12:21:43 2024 -0500

testing: ipv6-transport-mode-04-ondemand-netkey enable plutodebug
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 5decbc7a5be448fc351653b8cb664d7b76d53080
Author: Paul Wouters
Date: Thu Jan 18 21:57:31 2024 -0500

testing: fixup addconn-20-conn-default
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit efaf8421734914130a4bd35b72950fa92a4e8808
Author: Paul Wouters
Date: Thu Jan 18 21:54:09 2024 -0500

testing: fixup addconn-34-encap-proto for orienting log line
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 6ab359275cbeefd0267e9207dfe286a42f195b79
Author: Paul Wouters
Date: Thu Jan 18 20:11:52 2024 -0500

testing: update orient and addconn testcases for new orient msg

commit be1b45921a0a5dfae2c7f26f108404374935eb96
Author: Paul Wouters
Date: Thu Jan 18 18:36:57 2024 -0500

pluto: log when only nic-offload setting causes interface rejection

When orienting and looking through all interfaces, log if the only reason for interface rejection is the nic-offload requirement. Otherwise the connection would silently load, but fail to orient and the user would not have any idea what went wrong.

commit e888dd15680724fa5c2fb3d257ebf4ef67818338
Author: Paul Wouters
Date: Thu Jan 18 18:36:09 2024 -0500

pluto: warn if loaded connection ended up unoriented

Before, it would just silently load and only on trying to initiate would it show an error message.

commit 3e4ce4a62af4135966314e0249e8346d63da615d
Author: Paul Wouters
Date: Thu Jan 18 17:35:52 2024 -0500

documentation: update CHANGES
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit c53c0b6c784a841261a715a40a8ad5ed922dc59b
Author: Paul Wouters
Date: Thu Jan 18 16:49:24 2024 -0500

pluto: change esp-hw-offload= to nic-offload= in logs
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 495403a498696d8bf36544621b21e34b8908e3a5
Author: Paul Wouters
Date: Thu Jan 18 16:46:51 2024 -0500

pluto: rename detect_offload() functions to nic_detect_offload()

commit 9c09d13fa2b758d3f653752579f9c0b9f8cf4021
Author: Paul Wouters
Date: Thu Jan 18 16:44:30 2024 -0500

documentation: minor update to nic-offload man page entry
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit ec028da78d9cbcfd004d009a02fc82ecbe7a5a14
Author: Paul Wouters
Date: Wed Jan 17 19:42:43 2024 -0500

pluto: tweak logging and ipsec traffic for HW offload

Don't log/whack:

"test" #1: initiator established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '10.0.1.1'
"test" #2: kernel_xfrm_policy_add() adding offload via interface ens8191f0np0 for IPsec policy, type: Packet
"test" #2: kernel_xfrm_policy_add() adding offload via interface ens8191f0np0 for IPsec policy, type: Packet
"test" #2: initiator established Child SA using #1; IPsec transport [10.0.1.2/32===10.0.1.1/32] {ESP/ESN=>0xd58a3176 <0x13602000 xfrm=AES_GCM_16_128-NONE DPD=passive}

Instead:

"test" #5: initiator established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '10.0.1.1'
"test" #6: initiator established Child SA using #5; IPsec transport [10.0.1.2/32===10.0.1.1/32] {ESP/ESN=>0xe93b3bb9 <0xc212f708 xfrm=AES_GCM_16_128-NONE esp-hw-offload=packet DPD=passive}

Also show this in trafficstatus:

Since the new output appears as part of the ESP string before the existing comma, this shouldn't break people parsing this output.

We don't yet remember the crypto in a state variable, so unfortunately this uses c->iface->nic_offload with c->config->nic_offload to determine crypto state. This should really get moved to somewhere in struct state.

No output changes when no esp-hw-offload= offload is used.

The kernel_xfrm_policy_add() log lines were changed to debug lines.

(side note: ipsec_doi.c is badly named and its code should move elsewhere)
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit c637914bfb68055d3d3a9927f8b1290669711a82
Author: Paul Wouters
Date: Tue Jan 16 18:34:52 2024 -0500

testing: fix addconn-37-nic-offload and add comment to description.txt
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit fc3013aaf90a54ef1f1321c89be30091bcb187c3
Author: Paul Wouters
Date: Tue Jan 16 10:15:25 2024 -0500

testing: update addconn-37-nic-offload
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 1d09af8cde61f12db1826b427d76360c9faf9812
Author: Paul Wouters
Date: Tue Jan 16 10:13:45 2024 -0500

testing: remove ikev2-26-nic-offload-no-hw-auto

the option is no longer supported.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 9c6af054b0902ecea9fb0d159f23f6d1eb7aeff4
Author: Paul Wouters
Date: Tue Jan 16 09:50:18 2024 -0500

documentation: add a note about delayed traffic counters with packet offload
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 7db75995d0b24edf320fcca0a99c5d9522f14f67
Author: Paul Wouters
Date: Mon Jan 15 20:42:10 2024 -0500

pluto: remove nic-offload=auto

It is complicated to make this work as we need to load the policy matching for crypto or packet offload before we know if packet offload is supported for the negotiated parameters of the IPsec SA.

For now, only allow "packet" or "crypto". Don't attempt any fallbacks ourselves. On Linux, the kernel provides crypto to none fallback for AEADs (or at least for AES-GCM)

commit 27fb7e3f87a0f78db23319804fb4dbef6db1300c
Author: Paul Wouters
Date: Mon Jan 15 19:38:33 2024 -0500

pluto: handle install_inbound_ipsec_kernel_policy() failure

This was assumed to never fail, but can fail for various reasons, including trying to use hardware offload that does not support the current properties of the IPsec SA.

eg it could install the "in" policy, then try the "fwd" policy and fail. But it would continue doing the "out" policy and then claim successful IPsec SA.

This commit does not attempt to cleanup any partially installed policies before the failure point.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 3352ae704c1e2aedd9a4b87365d7d2de703840b6
Author: Paul Wouters
Date: Wed Jan 10 14:14:13 2024 -0500

Revert "pluto: scrubbing keys from memory just before the return"

This reverts commit c0d4e4f1a3e419dc471da485a16161caef944fba.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit c0d4e4f1a3e419dc471da485a16161caef944fba
Author: Paul Wouters
Date: Wed Jan 10 12:58:09 2024 -0500

pluto: scrubbing keys from memory just before the return
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 375fd77468e0128ec52f646e201bdd5b6a48535a
Author: Paul Wouters
Date: Tue Jan 9 21:56:46 2024 -0500

testing: update ikev2-26-nic-offload-no-hw-*

Since tunnel mode is now blocked from loading, convert test cases to transport mode.

commit 29614eb87ae6e5dc2abd3e7bec9e981be8676399
Author: Paul Wouters
Date: Tue Jan 9 21:36:46 2024 -0500

pluto: check various incompatible settings with nic-offload=packet|auto

- Limit the replay-window size to what is supported in known HW.
  (but what to do with replay-window=0 and it disabling ESN?)
- Only allow ESP, not AH or IPTFS
- Do not allow compression
- TODO: what about tfcpad= , encap-dscp, nopmtudisc, ikepad, encapsulation,
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit b32b987cf6b5dc41e38dd0b422b74caac4993636
Author: Paul Wouters
Date: Tue Jan 9 20:38:29 2024 -0500

pluto: fixup against 158dfb081fb735c
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 9931fdada3b534689674760751352bcc098eef19
Author: Paul Wouters
Date: Tue Jan 9 20:26:11 2024 -0500

testing: added ikev2-26-nic-offload-no-hw-*

commit a7b6806930f7a2c49e6a2eeb36f3d922ce130494
Author: Paul Wouters
Date: Tue Jan 9 20:14:22 2024 -0500

pluto: tweak nic_offload fallback and logging

It seems nic-offload=crypto when not available in hardware fails back to software without offload within the kernel. That is, we cannot control this. It can fail for the wrong algorithm though.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 9b19d9fc3933c085415caf7e26baf6af9d1b8f74
Author: Paul Wouters
Date: Tue Jan 9 10:48:00 2024 -0500

whack: also change nic-offload default to no
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 2fb2fb766e7a5551f5aee6bc87843de1d75a3d61
Author: Paul Wouters
Date: Mon Jan 8 15:54:16 2024 -0500

testing: update status output for new nic-offload=no default
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 3be6424fb35ade0f587c1998119c967613513f3d
Author: Paul Wouters
Date: Mon Jan 8 09:44:51 2024 -0500

libipsecconf: change nic-offload= defaults

- Set default to "no", as unexpected problems might arise, eg not supporting tunnel mode.
- Change old "yes" value to mean "crypto", not "auto" which ends up packing "packet" when HW is available.
- Update man page entry.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 0d76f3c2c1aece7cbed155e0e5ce0ff5ee7a2ed3
Author: Paul Wouters
Date: Mon Jan 1 21:07:40 2024 -0500

testing: remove ikev2-x509-31-wifi-assist

It was wip. It no longer tests anything useful, as the properly configured test is under ikev2-x509-31-wifi-assist-nonat.

The wip test shows road failing to start a second duplicate connection with the same lease IP, but that is currently expected until libreswan handles multiple identical SAs (see also multi-sa or pCPU feature)
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 2ddd6c9a0cc9309bd492d5767c936b2afddbd758
Author: Paul Wouters
Date: Mon Jan 1 21:07:40 2024 -0500

testing: remove ikev2-x509-31-wifi-assist

It was wip. It no longer tests anything useful, as the properly configured test is under ikev2-x509-31-wifi-assist-nonat.

The wip test shows road failing to start a second duplicate connection with the same lease IP, but that is currently expected until libreswan handles multiple identical SAs (see also multi-sa or pCPU feature)
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 9a3b13641e6c00a678787b84b09b488fdb24a10a
Author: Paul Wouters
Date: Mon Jan 1 20:14:21 2024 -0500

testing: sanitize new warning away

Delete "WARNING: ipsec auto has been deprecated" from output. This is needed to keep git bisecting useful.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit d10e9e8a7b9d58f6d90c9601e1c5538a7930cf3b
Author: Paul Wouters
Date: Sat Dec 30 11:00:50 2023 -0500

testing: forgot to git add console output for ikev2-xfrmi-15-interface-ip

commit 8116a49394886f306dee7572bbb87d6fe0a7b223
Author: Paul Wouters
Date: Sat Dec 30 10:22:08 2023 -0500

pluto: only set replay-window on the inbound IPsec SA
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 3d67fb249dd6a60d2b7b655678c7a246a1c9e65d
Author: Paul Wouters
Date: Sat Dec 30 10:08:31 2023 -0500

testing: fix strongswan sanitizer from f4b4619b9e6
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 1309f5fb035b76d2774b4db32f8c66a2e129bb2a
Author: Paul Wouters
Date: Fri Dec 29 22:16:45 2023 -0500

testing: fixup some ikev2-xfrmi testcases for sanitizers

eg no more tcpdump.sh error and no more "left promiscuous mode"
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit b740a34b4b34c8b147457ad61767ed1a6cf347bb
Author: Paul Wouters
Date: Fri Dec 29 22:10:16 2023 -0500

testing: updates TESTLIST

The following tests now pass:
ikev2-xfrmi-15-interface-ip
ikev2-xfrmi-16-rekey
interop-ikev2-strongswan-14-delete-sa-shared

commit 4268a322bdc0d30ff0648cc958448cad312d8b0d
Author: Paul Wouters
Date: Fri Dec 29 22:05:44 2023 -0500

testing: fixup ikev2-xfrmi-16-rekey

final.sh was showing the side not using ipsec interface

The test used "ipsec add|up" which will cause issues if we need to git bisect to where "ipsec auto" was needed.

Confusing messages from tcpdump.sh no longer appear

Explain a bit better that rekeying over a /32 tunnel tests that IKE does not go over ESP by accident.

commit 73dd5030b08e0f7b06cccfb185b7fa0e5a1549e0
Author: Paul Wouters
Date: Fri Dec 29 22:08:24 2023 -0500

testing: stop_tcpdump in tcpdump.sh start should not show output.

It was showing confusing output (eg tpcdump not running") and it would be different whether or not it killed a runaway tcpdump (thereby making the workaround not be useful as the test would fail on this extra output)

commit 924fc0ef9c579325c322757d3df15c3d216ef52d
Author: Paul Wouters
Date: Fri Dec 29 21:18:24 2023 -0500

testing: complete ikev2-xfrmi-15-interface-ip

Could be simplified more.

commit ec4f90717c788033c25b9285322ed9765b6d3778
Author: Paul Wouters
Date: Fri Dec 29 21:10:07 2023 -0500

testing: fix interop-ikev2-strongswan-14-delete-sa-shared

This never worked before because we used "strongswan down conn" instead of "strongswan down conn{1}". The first deletes the IKE SA, the latter deletes the Child SA.

The console output of strongswan confirms libreswan's delete response.

commit f4b4619b9e6fd03b4553ec6d765db6517da58bc7
Author: Paul Wouters
Date: Fri Dec 29 21:08:10 2023 -0500

testing: add more SPI sanitizers to strongswan.sed

commit a8c9ecb14031191c328163a12acf4d4d6307a439
Author: Paul Wouters
Date: Fri Dec 29 20:01:04 2023 -0500

testing: delete freeswan era multinet-03

depends on too many timers, dates to uml/freeswan days
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit c512e62d19240bbc2d0837d459d23c58ad83c57b
Author: Paul Wouters
Date: Wed Dec 27 12:03:38 2023 -0500

building: remove IPSEC_CONNECTION_LIMIT option

This hardcoded a maximum number of connections that could be established. It has been untested for years. It makes little sense (configuration should limit connections)

Also, IKEv2 has built-in anti-DDoS cookies which properly limits the half-open connections, which is already a configurable option.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit e043319ff3a4db16d8a1317be2b17958be0cf1dd
Author: Paul Wouters
Date: Wed Dec 27 12:41:36 2023 -0500

pluto: tweak 52c5cecda7543 for USE_CAT

Only use the define at the single place it can be set, warn if set but support not compiled in.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit dd975f1c51406672f879aca2bbfba31bc369d26f
Author: Paul Wouters
Date: Sun Dec 24 17:27:10 2023 -0500

testing: add new cat ipsec policies to two tests

certoe-11-symmetric-cert-nat and certoe-17-asymmetric-cert-nat

commit 05b6611367abada232554dcc4a7b1487a6ee96b2
Author: Paul Wouters
Date: Sun Dec 24 17:24:34 2023 -0500

testing: update TESTLIST for cat tests that are good, not wip
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 52c5cecda7543c4910a075a68e684469bacbbbd7
Author: Paul Wouters
Date: Sun Dec 24 16:51:45 2023 -0500

building: do not abuse USE_IPTABLES or USE_NFTABLES

These defines were misused to see if we were compiling for Linux. Introduce USE_CAT and USE_NFLOG instead. Disable keywords and whack commands when OS does not support them.

Note that leftcat/rightcat has no corresponding whack option.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 56cf20b2f15276aab42f24f2830d8ea4c063efe8
Author: Paul Wouters
Date: Sat Dec 23 22:37:04 2023 -0500

testing: swan-prep fixes

swan-prep shouldn't really be called on nic. It is used to setup DNS on nic though. So the swan-prep check for eth0 fails when using namespaces on nic.

Also, the nsd keygen service no longer exists (a socket is used instead of a TLS connection to localhost)

Unfixed still is the missing nsd.conf when using namespaces.

commit 044cfaa3f3f4a70f2c1e745fe0bac2e678b25253
Author: Paul Wouters
Date: Sat Dec 23 22:01:58 2023 -0500

testing: don't make addconn-24-conn-default-rsasigkey "pass"

The error was in the console output, falsely flagging a "good"
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 6bac0e66d1106ea10be090d23014e00f945b0ff1
Author: Paul Wouters
Date: Sat Dec 23 21:56:52 2023 -0500

testing: updated TESTLIST for addconn-25-missing-cert

commit 67da6c5eec9c8989be2c1c8bb3166cbf877f3260
Author: Paul Wouters
Date: Sat Dec 23 21:55:47 2023 -0500

testing: addconn-25-missing-cert - add pluto log check

Just to confirm pluto logs things as well.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 984a20ddcce1ac4a6b262645f0d6671d228b472e
Author: Paul Wouters
Date: Sat Dec 23 20:01:05 2023 -0500

testing: minor tweaks for certoe-17-asymmetric-cert-nat* and certoe-11-symmetric-cert-nat

Some cleanup and tweaks. There is still an issue with the CAT IPsec SA still. This is an out only policy but some regression caused the in/fwd policy to have also been installed.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 87956ac71960056d82ecfbbb02d0b28b1e87db33
Author: Paul Wouters
Date: Tue Dec 12 19:36:52 2023 -0500

Bump version to 5.0rc1

commit 49c19fbc7a937e5b0e31b312d578a64957d13978
Author: Paul Wouters
Date: Tue Dec 12 20:01:33 2023 -0500

documentation: add sudo before restorecon instruction

For easier copy & paste.

commit 796e4aee411c82865a43f044470a2c303ad54fe3
Author: Paul Wouters
Date: Tue Dec 12 20:00:54 2023 -0500

pluto: Remove header of ipsec briefconnectionstatus
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 29d44f302c2ea2b88c06582b7842c9e23bdda4ec
Author: Paul Wouters
Date: Mon Dec 4 17:17:45 2023 -0500

testing: update TESTLIST
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 69cec5cc98f7ce797c38744b4839f814544febf9
Author: Paul Wouters
Date: Mon Dec 4 16:12:21 2023 -0500

testing: add ikev2-x509-10-san-ipv6-match (wip)
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 30686971507459b590ff203b7f6435d8a313f4ee
Author: Paul Wouters
Date: Mon Dec 4 16:08:56 2023 -0500

testing: add IPv6 SANs to west/east/road certs.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit d52d9ca125260e70f39d0ad9a1aca0d9a8adc8d9
Author: Paul Wouters
Date: Wed Nov 29 15:54:32 2023 -0500

documentation: fix a comment
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 2a2d4225c7b494beda16e57a10a8d30677863fd1
Author: Paul Wouters
Date: Wed Nov 22 10:35:07 2023 -0500

testing: fixup kev2-child-rekey-05

left as "wip" because I'm not entirely sure this is the proper test for the use case described in description.txt
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit dd89d810bbff57d3beb407ed641c50f142351978
Author: Paul Wouters
Date: Thu Nov 23 20:16:12 2023 -0500

pluto: static bool dispatch should be static :P
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 7168a72f302f8a0cdbd6a81edecfaa39cc7f1638
Author: Brady Johnson
Date: Tue Nov 21 11:21:06 2023 -0500

building: Use spectool instead of rpmdev-spectool

- It is not available on some older RHEL releases yet

Resolves: https://github.com/libreswan/libreswan/pull/1417
Signed-off-by: Paul Wouters
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 55075275ef35ed2fa807af5a9cf9593bf9e97eee
Author: Guillaume Winter
Date: Thu Nov 2 13:00:17 2023 +0100

testing: Fix uploading semgrep erroring when semgrep fails.

Resolves: https://github.com/libreswan/libreswan/pull/1370
Signed-off-by: Paul Wouters
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 982212ed49238c87e078cf30a4b7e02911ad36d0 Author: Paul Wouters Date: Tue Oct 24 12:41:22 2023 -0400 testing: extend ikev2-xfrmi-01 to test refcounting xfrmi eg this tests for re-adding a connection not causing: 002 "north": cannot delete ipsec-interface=ipsec1 if_id=1, not created by pluto which it currently does.
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 5166a50999a8563f37fa4ff97d0b859cb2396633 Author: Paul Wouters Date: Tue Oct 24 12:37:24 2023 -0400 testing: added ikev2-xfrmi-18-responder-iface-check
[Swan-commit] Changes to ref refs/heads/main
New commits: commit d4fc632d8855edb51e26c78cca547293e608 Author: Paul Wouters Date: Wed Oct 11 10:48:33 2023 -0400 documentation: update CHANGES
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 8851acb5e69f5dab48563e9e845598e12b2a9198 Author: Wolfgang Nothdurft Date: Wed Oct 11 10:41:35 2023 -0400 pluto: Fix IPCOMP with XFRMi Resolves: https://github.com/libreswan/libreswan/pull/1325 When using ipcomp with xfrmi the xfrm state for ipcomp is added without if_id and mark. The kernel sends XFRM_MSG_ACQUIRE when using the connection and the connection is retriggered on every packet sending through the tunnel.
| netlink_get() recvfrom() returned 448 bytes
| netlink_xfrm_message_processor() got XFRM_MSG_ACQUIRE message with length 448
| xfrm netlink msg len 448
| xfrm_user_acquire id { daddr: xfrm_address_t spi: 0 proto: 6c saddr: struct xfrm_address_t sel: struct xfrm_selector} policy { lft { soft_add_expires_seconds=0 hard_add_expires_seconds=0 soft_use_expires_seconds=0 hard_use_expires_seconds=0} curlft { add_time=>0 use_time=0} } aalgos: 4294967295 ealgos: 4294967295 calgos: 4294967295 seq: 5
| xfrm acquire rtattribute type 5 ...
| xfrm_user_tmpl { id: xfrm_id id family: 2 saddr: xfrm_address_t reqid: 16390 mode: 1 share: 0 optional: 0 aalgos: 4294967295 ealgos: 4294967295 calgos: 4294967295}
| xfrm acquire rtattribute type 16 ...
| xfrm_userpolicy_type { type: 0}
| xfrm acquire rtattribute type 31 ...
| netlink_acquire() ... ignoring unknown xfrm acquire payload type 31
| find_connection_for_packet() looking for an out-going connection that matches packet 192.0.3.254:8-ICMP->192.0.2.254:0 sec_label=
| FOR_EACH_CONNECTION_ in (find_connection_for_packet() +3824 programs/pluto/connections.c)
| found "north"
| choosing "north" priority 25214988; as first best
| matches: 1
| concluding with "north" priority 25214988 kind=PERMANENT
| "north": addref @0x560c00588e68(3->4) (initiate_ondemand() +135 programs/pluto/acquire.c)
| "north": no whack to attach "north": initiate on-demand for packet 192.0.3.254:8-ICMP->192.0.2.254:0
Signed-off-by: Paul Wouters
commit 9bdb8b20408d28ab27fa370e762173efdb812576 Author: Wolfgang Nothdurft Date: Wed Oct 11 10:45:08 2023 -0400 testing: added ikev2-xfrmi-17-ipcomp Resolves: https://github.com/libreswan/libreswan/pull/1325 Signed-off-by: Paul Wouters
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 91c08b51990df657db585aeaf67158ce5a2c1056 Author: Paul Wouters Date: Fri Sep 22 12:14:07 2023 -0400 pluto: handle xfrmlifetime= option inside of pluto Resolves: https://github.com/libreswan/libreswan/issues/1274
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 46dcb993984b5e91004e152ae412e1257612161e Author: Paul Wouters Date: Fri Sep 15 16:38:37 2023 -0400 whack: make PFS the default - Add new --no-pfs - Ignore --pfs (as to not break people's whack scripts)
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 64474c37dcb1142772080e069f1c98da10c91689 Author: Paul Wouters Date: Fri Sep 8 12:30:53 2023 -0400 testing: add capabilities-01 to TESTLIST commit d95525377e2b2358b2ce26df614fc5a3b1503cda Author: Paul Wouters Date: Fri Sep 8 12:30:19 2023 -0400 testing: add capabilities-01 test libcap-ng code in plutomain, using /usr/bin/netcap commit b9b93d9115b877be20c1cc975e32058c84a6df13 Author: Paul Wouters Date: Fri Sep 8 12:27:31 2023 -0400 pluto: cleanup and make libcap-ng failures non-fatal If our environment (eg systemd service file) already constrained our capabilities, continue without setting our own capabilities commit 9e7ddeada54c137b4a6d31c6507fd87c514dbbbe Author: Paul Wouters Date: Fri Sep 8 11:45:55 2023 -0400 testing: add libcap-ng-utils for the netcap command This can verify the pluto process' capabilities
[Swan-commit] Changes to ref refs/heads/main
New commits: commit b8a5851c8a9beee0c39de27a4a78d75aaf3b2c92 Author: Paul Wouters Date: Wed Sep 6 09:33:00 2023 -0400 pluto: fixup previous libcap-ng call. Add CAP_SETPCAP to the list and re-enable CAPNG_SELECT_BOTH
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 1b8b9982b3698b6ac9246449653bd6ea9be9baba Author: Paul Wouters Date: Wed Sep 6 09:10:57 2023 -0400 pluto: fix capng_apply() call Use CAPNG_SELECT_BOUNDS not CAPNG_SELECT_BOTH as we don't seem to have CAP_SETPCAP.
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 19690ef6ef41c73819e424336fbc0adfc1c11451 Author: Paul Wouters Date: Tue Sep 5 22:51:47 2023 -0400 documentation: update CHANGES commit ba5bad09f55959872022fa506d5ac06eafe3a314 Author: Paul Wouters Date: Tue Sep 5 22:49:28 2023 -0400 pluto: check return code of libcap-ng functions Avoids "error: ignoring return value of ‘capng_apply’ ..."
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 217ed595534f3c4b7e3e9d2a9b295cd7e3a4810e Author: Paul Wouters Date: Tue Sep 5 11:20:27 2023 -0400 documentation: update CHANGES commit 0cfec8bc587296d9f1f6619fe6bc75711858e9d9 Author: Paul Wouters Date: Tue Sep 5 11:13:20 2023 -0400 programs: Remove support for ipsec show and ipsec verify These tools are not commonly used, and have not aged very well. It also causes the package to pull in a python dependency. Note that "ipsec portexcludes" uses python, but it is not installed by default. See also: https://github.com/coreos/fedora-coreos-tracker/issues/1504
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 531b917c77e8c126878b0b595f26cdffbbd1e70b Author: Brady Johnson Date: Thu Aug 31 14:34:29 2023 -0400 pluto: Fix i686 build error Signed-off-by: Paul Wouters
[Swan-commit] Changes to ref refs/heads/main
New commits: commit bdc66758febc7f22b5407e66ce242ced15937a13 Author: Paul Wouters Date: Wed Aug 30 14:06:45 2023 -0400 documentation: update CHANGES
[Swan-commit] Changes to ref refs/heads/main
New commits: commit c205c2c85ee55db413b0a8a3c34b6ca9a426953b Author: Brady Johnson Date: Wed Aug 30 13:59:50 2023 -0400 libipsec: Enable interface-ip configuration option Signed-off-by: Brady Johnson Signed-off-by: Paul Wouters commit 32c87516189f69088fac9fd8588162a88cc44247 Author: Brady Johnson Date: Wed Aug 30 13:58:55 2023 -0400 updown: Remove XFRM interface IP management from updown script Signed-off-by: Brady Johnson Signed-off-by: Paul Wouters commit 670dbbdfc7183db7660e215fcf8aeef1a17c1f12 Author: Brady Johnson Date: Wed Aug 30 13:57:32 2023 -0400 pluto: Add XFRM interface IP mgmt with ref-counting Signed-off-by: Brady Johnson Signed-off-by: Paul Wouters
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 1368c69a4229e09b0b2d15dfb53b6cd65e0e1276 Author: Paul Wouters Date: Fri Aug 18 12:11:51 2023 -0400 testing: add nat-pluto-12 to TESTLIST commit dec15dcbb5d160d2ff9b7853cabd015c8d6f1df7 Author: Paul Wouters Date: Fri Aug 18 12:11:15 2023 -0400 testing: add nat-pluto-12 to test nat-ikev1-method=none commit 25f81c7b9d67f118bc86b99e6155eeebc88872da Author: Paul Wouters Date: Fri Aug 18 12:06:36 2023 -0400 IKEv1: honour nat-ikev1-method=none Of course it means the connection is dysfunctional in the normal use case, as both ends see different IP addresses as the endpoints. Also add logging of the nat-ikev1-method=none to the NATT logs. Resolves: https://github.com/libreswan/libreswan/issues/1238
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 553d2d7db9e0b5cf07a186c7f9c989c437b7da07 Author: Paul Wouters Date: Mon Aug 14 12:41:11 2023 -0400 documentation: fix typos
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 91b0e37fe1ffe14d493b18f3b20359789b1c3dd1 Author: Paul Wouters Date: Mon Aug 14 12:05:15 2023 -0400 documentation: more aes_gcm / aes_ccm man page clarifications
[Swan-commit] Changes to ref refs/heads/main
New commits: commit ed8789f6f4add8ff9247ba5a881b004cad74af07 Author: Paul Wouters Date: Mon Aug 14 11:47:00 2023 -0400 documentation: update ike= entry with an example using sha2_256 PRF
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 99357b7ba05521495ef9dd181fa43fffa58f1591 Author: Paul Wouters Date: Mon Aug 14 11:43:36 2023 -0400 documentation: update ipsec.conf man page for nic-hw packet offload.
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 41c853d4ff4a41c3cc05bb8da77f0d4e7aae082b Author: Paul Wouters Date: Tue Aug 8 15:02:19 2023 -0400 pluto: Add support for if_id in HW offload policy Patch by Leon Romanovsky
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 70a80c160063f5fe23993cbc97aafa801fe3a34e Author: Paul Wouters Date: Tue Aug 8 12:00:07 2023 -0400 documentation: Add CVE releases for CVE-2023-3871[012].txt
[Swan-commit] Changes to ref refs/heads/main
New commits: commit b096f5ca473770bdf8873f5982294585660de00b Author: Paul Wouters Date: Tue Aug 8 11:56:04 2023 -0400 documentation: update CHANGES
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 4d05498889f7734b1a791dc79aa3b314d20829fc Author: Paul Wouters Date: Tue Aug 8 09:04:45 2023 -0400 documentation: update CHANGES
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 82567dc627e9f31b0f6c8d55cea26c5b76742397 Author: Paul Wouters Date: Mon Aug 7 14:48:39 2023 -0400 documentation: fix typo
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 46ce831369f70f740229a3ab0dac9eaeb6ceb6e8 Author: Paul Wouters Date: Sat Aug 5 17:15:18 2023 -0400 pluto: re-enable nic-offload=auto Prior to packet offload support, we already were set to auto, so we cannot really switch this to disabled now, as it would affect everyone who already uses nic crypto offload. commit aedc17be79b7c328477326dce88ada5f57d712dd Author: Paul Wouters Date: Sat Aug 5 17:04:16 2023 -0400 kernel: Add IKE policy exception support Based on patches by Raed Salem Requires Linux kernel 6.3+ In the HW Packet offload path all traffic that matches the policy will pass through IPsec, and does not inherit the non-offload IKE policy holes to ensure IKE traffic does not (require to) go through IPsec. For each nic that supports packet offload, add an IKE policy hole in HW. This policy has the second highest priority (2) and the IKE UDP udp port number as selector. Two holes are poked (IPv4 and IPv6) commit 38bda01a5e154835e0e191d752363225ba8d8308 Author: Paul Wouters Date: Sat Aug 5 16:52:09 2023 -0400 pluto: Support xfrm policy Packet offload Based on patches by Raed Salem Requires Linux kernel 6.3+ NIC Packet offload support mandates also offloading the policies to HW so the IPsec data path entirely is offloaded to HW. Offload the various policies to HW through the XFRM api. commit 8e77c72cd4d0cb57990aadbe6ab3a08074d71d2d Author: Paul Wouters Date: Sat Aug 5 15:21:48 2023 -0400 pluto: Add support for nic-offload=packet Based on patches by Raed Salem Requires Linux kernel 6.3+ This offload extends the current crypto offload where in addition to the crypto operations, one can now offload the entire cleartext packet to be encapsulated and encrypted by hardware offload. This includes managing the IPsec SA policy in the offload hardware, and requires additional IKE holes for the hardware to ensure IKE packets are not required to be ESP encrypted.
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 2ba8ce199ad4510cd776fce4128d574919bc382a Author: Guillaume Winter Date: Wed Jul 19 11:51:40 2023 -0400 testing: update github actions with full commit sha Resolves: https://github.com/libreswan/libreswan/pull/1199 Signed-off-by: Paul Wouters
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 09461926d847ae567d71964bc8be2c9c7eb9dd1e Author: Paul Wouters Date: Fri Jul 7 12:58:37 2023 -0400 testing: a few more dpdtimeout= fixes
[Swan-commit] Changes to ref refs/heads/main
New commits: commit aeaa45cf1a3359acb5a566527de0ed6658d07d1d Author: Paul Wouters Date: Fri Jul 7 12:54:22 2023 -0400 testing: nsrun remove obsoleted --wait-interval= option commit 4a94c49cd88b51578f4398346a0a404308f00657 Author: Paul Wouters Date: Fri Jul 7 11:29:15 2023 -0400 testing: remove dpdtimeout= from all ikev2 tests commit d1fc082b0949f2933f755c937725eea10af6c646 Author: Paul Wouters Date: Fri Jul 7 11:21:40 2023 -0400 libipsecconf: change dpdtimeout to ikev1-dpdtimeout Leaves an alias in place for dpdtimeout= Updated man page
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 1b98b79ca32bacebf2fc66d496d3a918a9d08a02 Author: Paul Wouters Date: Tue Mar 7 16:09:11 2023 -0500 documentation: remove comment we (and everyone else) do not support ESP+AH
[Swan-commit] Changes to ref refs/heads/main
New commits: commit bb570a81c98ded7ffeb895ea0c2af96ee62b98f7 Author: Paul Wouters Date: Thu Apr 13 16:55:54 2023 -0400 testing: added kev2-75-ondemand-trap
[Swan-commit] Changes to ref refs/heads/main
New commits: commit d974f192150011f1267518ab676b52fed0a6a6ea Author: Vukasin Karadzic Date: Sat Mar 25 16:59:42 2023 +0900 libipsecconf: set INTERMEDIATE policy bit only if version is IKEv2 Include missing man page entry for intermediate= Resolves: https://github.com/libreswan/libreswan/pull/1052 Signed-off-by: Paul Wouters
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 33181e477993847c85af5bfbdef9608d804c1fec Author: Paul Wouters Date: Thu Mar 16 14:16:03 2023 -0400 libswan: use strncpy() in datatot() to make CodeQL happy commit 64ba360f3bb8ad47d8a94284b5f689bc9bed431e Author: Guillaume Winter Date: Thu Mar 16 14:14:50 2023 -0400 testing: Enable CodeQL scanning and semgrep scanning Signed-off-by: Paul Wouters
[Swan-commit] Changes to ref refs/heads/main
New commits: commit dbae4e3820dcf3b15ef45731543074422a85dce2 Author: Paul Wouters Date: Mon Mar 6 09:24:25 2023 -0500 testing: update whack-02-globalstatus commit 8a8a9d99c8b11b966208301823a529d43f9bc18b Author: Paul Wouters Date: Mon Mar 6 09:22:31 2023 -0500 testing: update testing/programs/enumcheck/OUTPUT.enumcheck.txt Update for v2N_STATE_NOT_FOUND
[Swan-commit] Changes to ref refs/heads/main
New commits: commit a04e13ba323b00749f3f34e7e0cac8194169b443 Author: Paul Wouters Date: Sun Mar 5 21:08:10 2023 -0500 pluto: fix notification array end points
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 3b7130a6d25a51d5315ff7bb0e9ad92ca5017a1b Author: Paul Wouters Date: Sun Mar 5 20:34:51 2023 -0500 pluto: add missing , in ietf_constants.h
[Swan-commit] Changes to ref refs/heads/main
New commits: commit c8a6d4539275579d51e52d84ca0910792e22c9cd Author: Paul Wouters Date: Sun Mar 5 20:24:37 2023 -0500 pluto: update constants.c and add v2N_STATE_NOT_FOUND
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 6a0ada1388704d418531640832af36e9fd0dbfb4 Author: Paul Wouters Date: Sun Mar 5 16:48:09 2023 -0500 pluto: Remove obsoleted forceencaps= option. commit b54301dda847ea9cb930c5c4fb981cbdfbe98961 Author: Paul Wouters Date: Sun Mar 5 14:57:45 2023 -0500 IKEv2: Add latest four Notify messages to ietf_constants.h
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 881f1864ca1f0e5fbd21a012ab6dc94cbc7f0fb5 Author: Paul Wouters Date: Tue Feb 28 20:50:16 2023 -0500 documentation: added security/CVE-2023-23009.txt
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 3db26088e2057dae11f3ab5f43e8efd68e899a4e Author: Vukasin Karadzic Date: Tue Feb 28 16:06:15 2023 -0500 ikev2: modify .story of STATE_V2_PARENT_R1 state Resolves: https://github.com/libreswan/libreswan/pull/1023 Signed-off-by: Paul Wouters
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 0361849a7375c4aba1e6a26d2bb5c13ba59b7ba5 Author: Brady Johnson Date: Thu Feb 23 09:20:44 2023 -0500 building: Fix versioning when using topic branch - The command "git describe --tags" used in setlibreswanversion returns error: "fatal: No names found, cannot describe anything." that is fixed by adding the "--always" as a fallback. - When the branch name is something like "topic/some_name" the sed scripts in the Makefiles need some slight tweaking. Resolves: https://github.com/libreswan/libreswan/pull/1019 Signed-off-by: Brady Johnson Signed-off-by: Paul Wouters --- Makefile| 2 +- lib/libswan/Makefile| 4 ++-- packaging/utils/setlibreswanversion | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) Signed-off-by: Paul Wouters