Re: [Swan-dev] proposed patch to re-create version.c every time

2019-08-03 Thread Andrew Cagney
On Wed, 31 Jul 2019 at 08:56, Antony Antony wrote: > Hi > tangential to "make showversion" discussion, there is an issue that annoys > me. Now I have a fix for it! If there is no violent opposition against > this > proposed patch I would like to apply the attached patch. > > version.c dependency

Re: [Swan-dev] testing: remove set -x from web-targets.mk

2019-07-29 Thread Andrew Cagney
On Mon, 29 Jul 2019 at 15:58, Antony Antony wrote: > On Mon, Jul 29, 2019 at 03:18:03PM -0400, Andrew Cagney wrote: > > On Mon, 29 Jul 2019 at 14:27, Antony Antony wrote: > > > > > On Mon, Jul 29, 2019 at 11:31:30AM -0400, Andrew Cagney wrote: > > > > On Mon,

Re: [Swan-dev] testing: remove set -x from web-targets.mk

2019-07-29 Thread Andrew Cagney
On Mon, 29 Jul 2019 at 14:27, Antony Antony wrote: > On Mon, Jul 29, 2019 at 11:31:30AM -0400, Andrew Cagney wrote: > > On Mon, 29 Jul 2019 at 08:38, Andrew Cagney > wrote: > > > > > These make variables should only be expanded when web pages are >

Re: [Swan-dev] testing: remove set -x from web-targets.mk

2019-07-29 Thread Andrew Cagney
On Mon, 29 Jul 2019 at 08:38, Andrew Cagney wrote: > These make variables should only be expanded when web pages are enabled? > Per the comment: > > # shortcuts to use when web is enabled, set up to evaluate once as > # they can be a little expensive. These make variable can o

[Swan-dev] race causing lost packet when IKEv1 AH KLIPS(IKE initiator)->KLIPS(IKE responder)

2019-07-24 Thread Andrew Cagney
For instance, in the below, once the SA is established a single packet is sent from west->east, but it is lost vis: 004 "authenticate-ikev1-md5" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {AH=>0xAHAH <0xAHAH xfrm=HMAC_MD5_96 NATOA=none NATD=none DPD=passive} + 004

Re: [Swan-dev] what is nat_traversal_new_mapping(nfo_st, ...) looking for?

2019-07-04 Thread Andrew Cagney
On Thu, 4 Jul 2019 at 12:49, Paul Wouters wrote: > > On Thu, 4 Jul 2019, Andrew Cagney wrote: > > > The code is roughly: > > > > for st in all states do: > >if ((IS_CHILD_SA(nfo_st) && > >(st->st_serialno == nfo_st->st_

[Swan-dev] what is nat_traversal_new_mapping(nfo_st, ...) looking for?

2019-07-04 Thread Andrew Cagney
The code is roughly: for st in all states do: if ((IS_CHILD_SA(nfo_st) && (st->st_serialno == nfo_st->st_clonedfrom || st->st_clonedfrom == nfo_st->st_clonedfrom)) || st->st_serialno == nfo_st->st_serialno) { do stuff } if I transform the if() I

Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/master

2019-07-04 Thread Andrew Cagney
On Wed, 3 Jul 2019 at 23:39, D. Hugh Redelmeier wrote: > > New commits: > commit cd9b2eb60844aae857e14959f15b8278d19af603 > Author: D. Hugh Redelmeier > Date: Wed Jul 3 23:38:09 2019 -0400 > > pfkey_v2_build.c: resynchronize the two copies > > Missed in 226afc3fc06. > > We really

Re: [Swan-dev] length of ISAKMP Message is larger than can fit

2019-07-02 Thread Andrew Cagney
I touched it last so I guess it's me ... On Mon, 1 Jul 2019 at 13:40, Paul Wouters wrote: > > > It seems we can end up entering in_struct() when we got an ICMP instead > of an IKE message. The code was changed so it extracts the header from the ICMP message and then uses that to find the sender

[Swan-dev] what needs to be [linux] audit logged?

2019-06-30 Thread Andrew Cagney
Is there a guideline for what needs to be audited (perhaps in linux_audit.[hc]). For instance, two simple cases are hopefully straightforward: - a protected payload that turns out corrupt triggers a delete_state() so needs to be audited - a message so screwed up that not even the IKE SA can be

Re: [Swan-dev] KVM memory size

2019-06-28 Thread Andrew Cagney
On Fri, 28 Jun 2019 at 03:31, Tuomo Soini wrote: > > On Thu, 27 Jun 2019 17:14:14 -0400 > Andrew Cagney wrote: > > > On Thu, 27 Jun 2019 at 15:24, Paul Wouters wrote: > > > > > > I build rpms on east or west usually. I guess I could use the > > > “bu

Re: [Swan-dev] KVM memory size

2019-06-27 Thread Andrew Cagney
ke kvm-install-test-domains ? > Paul > > Sent from mobile device > > > On Jun 27, 2019, at 13:48, Andrew Cagney wrote: > > > >> On Thu, 27 Jun 2019 at 13:30, Paul Wouters wrote: > >> > >>> On Thu, 27 Jun 2019, Andrew Cagney wrote: > >>>

Re: [Swan-dev] KVM memory size

2019-06-27 Thread Andrew Cagney
On Thu, 27 Jun 2019 at 13:30, Paul Wouters wrote: > > On Thu, 27 Jun 2019, Andrew Cagney wrote: > > > Have you tried doing this on the big bloated build machine: > > > > $ sudo virsh dominfo build > > Max memory: 524288 KiB > > Used memory:524288 Ki

[Swan-dev] KVM memory size

2019-06-27 Thread Andrew Cagney
Have you tried doing this on the big bloated build machine: $ sudo virsh dominfo build Max memory: 524288 KiB Used memory:524288 KiB $ make kvmsh-build [root@swanbase ~]# cd /source [root@swanbase source]# make man [root@swanbase source]# ... On Thu, 27 Jun 2019 at 11:52, Paul Wouters

Re: [Swan-dev] testing vms to F30

2019-06-26 Thread Andrew Cagney
to publish newer results. On Mon, 24 Jun 2019 at 10:57, Andrew Cagney wrote: > > On Sun, 23 Jun 2019 at 12:26, Antony Antony wrote: > > > I am also curious to see F30 testrun output on testing.libreswan.org to compare > > with my testrun. Andrew if you get a chance please ru

Re: [Swan-dev] testing vms to F30

2019-06-24 Thread Andrew Cagney
On Sun, 23 Jun 2019 at 12:26, Antony Antony wrote: > I am also curious to see F30 testrun output on testing.libreswan.org to compare > with my testrun. Andrew if you get a chance please run one commit with F30 > and F28. I've got testing running f30 in the background (results are going to

Re: [Swan-dev] IKEv2 finding an IKEv1 connection

2019-06-23 Thread Andrew Cagney
On Sat, 22 Jun 2019 at 09:00, Andrew Cagney wrote: > > https://testing.libreswan.org/v3.28-214-g00f4ca6a5-master/ikev1-ikev2-connswitch-01/OUTPUT/east.pluto.log.gz > > The test currently core dumps as the IKEv2 code goes to use the IKE > proposal suite but discovers it missing. Ho

Re: [Swan-dev] CentOS6/Jessie error: missing braces around initializer

2019-06-21 Thread Andrew Cagney
On Fri, 21 Jun 2019 at 08:31, Antony Antony wrote: > > /home/build/libreswan/testing/ipcheck/ip_endpoint_check.c: In function > 'check_sockaddr_as_endpoint': > /home/build/libreswan/testing/ipcheck/ip_endpoint_check.c:103:3: error: > missing braces around initializer [-Werror=missing-braces] >

[Swan-dev] "westnet-eastnet-ikev2c" #11: EXPECTATION FAILED: initiator == NULL (in is_duplicate_response() at ikev2.c:1488)

2019-06-20 Thread Andrew Cagney
https://testing.libreswan.org/v3.28-276-g4bcbe4ec4-master/ikev2-ike-rekey-04/OUTPUT/ The expectation failure is correct. Here's roughly what happens: west: west.#8 needs a rekey, so west.#11 is created and it sends off a CREATE_CHILD_SA, with ID 3 #8 gives up on the re-key so it forces a delete

Re: [Swan-dev] CentOS 6 "implicit declaration of function ‘printf’"

2019-06-20 Thread Andrew Cagney
On Wed, 19 Jun 2019 at 15:15, Paul Wouters wrote: > > On Tue, 18 Jun 2019, Andrew Cagney wrote: > > > why is a library function calling printf()? (if a c file needs > > something #include it). > > Because it is used in addconn which has no logging mecha

Re: [Swan-dev] CentOS 6 "implicit declaration of function ‘printf’"

2019-06-20 Thread Andrew Cagney
On Thu, 20 Jun 2019 at 09:57, Antony Antony wrote: > > On Wed, Jun 19, 2019 at 03:15:02PM -0400, Paul Wouters wrote: > > On Tue, 18 Jun 2019, Andrew Cagney wrote: > > > > > why is a library function calling printf()? (if a c file needs > > > something #inc

Re: [Swan-dev] CentOS 6 "implicit declaration of function ‘printf’"

2019-06-18 Thread Andrew Cagney
why is a library function calling printf()? (if a c file needs something #include it). On Tue, 18 Jun 2019 at 11:55, D. Hugh Redelmeier wrote: > > Sorry, I was addressing this subject before I read this message. > > On Tue, 18 Jun 2019, Antony Antony wrote: > > | From: Antony Antony > > | A

Re: [Swan-dev] testing vms to F30

2019-06-18 Thread Andrew Cagney
thanks, results are looking a lot better On Tue, 18 Jun 2019 at 05:25, Antony Antony wrote: > > On Mon, Jun 17, 2019 at 11:20:25AM -0400, Andrew Cagney wrote: > > Is this expected? > > This should be fixed now. I broke F28 while working on F30. > > And shoutout

Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/master

2019-06-18 Thread Andrew Cagney
On Tue, 18 Jun 2019 at 00:47, Paul Wouters wrote: > > New commits: > commit c43abee11ba2fa7be7f33a68fea5b91b2f7609de > Author: Paul Wouters > Date: Tue Jun 18 00:47:15 2019 -0400 > > documentation: update CHANGES > > commit 4724862e437c972c64f1ca24677dfb8e5f8d6979 > Author: Paul Wouters >

[Swan-dev] Default IKEv1 proposals

2019-06-17 Thread Andrew Cagney
To expand on: Because the IKEv2 proposal parser can exactly describe the default proposal suite there is no externally visible change (well, other than fixing that obscure bug). This isn't true of IKEv1 (but that doesn't mean a similar change to IKEv1 isn't a good idea). For

Re: [Swan-dev] testing vms to F30

2019-06-17 Thread Andrew Cagney
Is this expected? https://testing.libreswan.org/v3.28-227-gef699a5fa-master/ikev2-03-basic-rawrsa-nhelpers0/OUTPUT/west.console.diff --- MASTER/testing/pluto/ikev2-03-basic-rawrsa-nhelpers0/east.console.txt +++ OUTPUT/testing/pluto/ikev2-03-basic-rawrsa-nhelpers0/east.console.txt @@ -40,6 +40,9

Re: [Swan-dev] exploiting DBGF

2019-06-10 Thread Andrew Cagney
Did you mean dbg(), introduced 6 months ago(?) :-). It merges: /* so things don't break */ #define DBG_RAW DBG_BASE #define DBG_PARSING DBG_BASE #define DBG_EMITTING DBG_BASE #define DBG_CONTROL DBG_BASE #define DBG_LIFECYCLE DBG_BASE #define DBG_KERNEL DBG_BASE #define

Re: [Swan-dev] ABORT: ASSERTION FAILED: *chosen_proposal == NULL (in ikev2_process_sa_payload() at ikev2_spdb_struct.c:1144)

2019-05-28 Thread Andrew Cagney
On Tue, 28 May 2019 at 18:57, Andrew Cagney wrote: > > Note the initiator=0 in these log lines: > > May 28 21:12:44 bar-host-01 pluto[27621]: | Message ID: ike > #3.PARENT_R2receiver #8.V2_IPSEC_R request 1; ike.initiator: sent=-1 > recv=-1; ike.responder: sent=0 recv=

[Swan-dev] ABORT: ASSERTION FAILED: *chosen_proposal == NULL (in ikev2_process_sa_payload() at ikev2_spdb_struct.c:1144)

2019-05-28 Thread Andrew Cagney
Note the initiator=0 in these log lines: May 28 21:12:44 bar-host-01 pluto[27621]: | Message ID: ike #3.PARENT_R2receiver #8.V2_IPSEC_R request 1; ike.initiator: sent=-1 recv=-1; ike.responder: sent=0 recv=0->1; receiver.wip: initiator=0 responder=0 May 28 21:12:44 bar-host-01 pluto[27621]: |

Re: [Swan-dev] odd test statistics

2019-05-23 Thread Andrew Cagney
On Thu, 16 May 2019 at 11:29, D. Hugh Redelmeier wrote: > > I ran 3 tests but the statistics stated I ran 2. Andrew? > > Command: make kvm-check KVM_TESTS=" testing/pluto/listen-change-01 > testing/pluto/dynamic-iface-01 testing/pluto/dynamic-iface-01 " The second test was run twice?!?

Re: [Swan-dev] making struct finite_state part of struct state

2019-05-23 Thread Andrew Cagney
> Lets start a new thread to serialize changes the usual suspects want to push > post 3.28, in the next couple of weeks. Some of us have 6 months of > finished, or almost finished branches to push. Such as xfrmi, Andrew O(1) > patches, this one.. > > -antony > > > On W

Re: [Swan-dev] making struct finite_state part of struct state

2019-05-22 Thread Andrew Cagney
PARENT_I2); + bool responder = (st->st_state->kind != STATE_PARENT_I2); where the "correct fix" is to instead use attributes such as st->st_sa_role or md->message_role. Later for that. On Thu, 21 Feb 2019 at 10:40, Antony Antony wrote: > > Hi Andrew, > >

Re: [Swan-dev] when debugging is enabled, can pluto's whack messages be debug-logged?

2019-05-22 Thread Andrew Cagney
On Wed, 22 May 2019 at 10:37, Paul Wouters wrote: > > On Wed, 22 May 2019, Andrew Cagney wrote: > > > Subject: [Swan-dev] when debugging is enabled, > > can pluto's whack messages be debug-logged? > > > > It would help fill a big gap in pluto's debug loggin

Re: [Swan-dev] Wed May 22 18:32:09 2019 +0000; Was: [Swan-commit] Changes to ref refs/heads/master

2019-05-22 Thread Andrew Cagney
On Wed, 22 May 2019 at 09:47, Antony Antony wrote: > > On Tue, May 21, 2019 at 10:44:09AM -0400, Andrew Cagney wrote: > > Antony, > > > > These dates are confusing testing causing it to list 3.27 changes before > > 3.28: > > This time I know what happened.

[Swan-dev] when debugging is enabled, can pluto's whack messages be debug-logged?

2019-05-22 Thread Andrew Cagney
It would help fill a big gap in pluto's debug logging (and probably made tracking down a bizarre connection failure, due to a whack status, easier) Andrew ___ Swan-dev mailing list Swan-dev@lists.libreswan.org

[Swan-dev] Wed May 22 18:32:09 2019 +0000; Was: [Swan-commit] Changes to ref refs/heads/master

2019-05-21 Thread Andrew Cagney
Antony, These dates are confusing testing causing it to list 3.27 changes before 3.28: Posted Monday: On Mon, 20 May 2019 at 06:12, Antony Antony wrote: > > New commits: > commit 4f5f1e39809d9e73aecc54f759339f241dcc99a0 > Author: Antony Antony > Date: Wed May 22 18:32:09 2019 + but

Re: [Swan-dev] a note on newoe-27-replace-sa-authnull-authnull's core dump

2019-05-16 Thread Andrew Cagney
state. I suspect this is also the better thing to do when encrypted_payload_status.bad but I didn't tweak that. (and it should really be recording the response and then zombifying the state so retransmits get handled) Andrew On Wed, 15 May 2019 at 16:55, Andrew Cagney wrote:

[Swan-dev] a note on newoe-27-replace-sa-authnull-authnull's core dump

2019-05-15 Thread Andrew Cagney
https://testing.libreswan.org/v3.27-1219-g7142d2c37-master/newoe-27-replace-sa-authnull-authnull/OUTPUT/east.pluto.log.gz FYI, several things go wrong. Most notably, pluto's inability to handle an IKE_AUTH where the IKE SA succeeds but the CHILD SA fails. - IKE_SA_INIT is exchanged - first

Re: [Swan-dev] logging interface's SO_{SND,RCV}BUF values

2019-05-14 Thread Andrew Cagney
On Tue, 14 May 2019 at 13:04, Antony Antony wrote: > > On Tue, May 14, 2019 at 10:40:49AM -0400, Andrew Cagney wrote: > > I'd like to log the SO_{SND,RCV}BUF sizes for each interface (as best > > is this going to be dynamic? would there be what is set and what is > current(ca

[Swan-dev] logging interface's SO_{SND,RCV}BUF values

2019-05-14 Thread Andrew Cagney
I'd like to log the SO_{SND,RCV}BUF sizes for each interface (as best I can tell we've no way to validate that interfaces are correctly configured using ike-socket-bufsize et al.). So my question is where should it be added? - there's show_ifaces_status(void) called by 'show status' which looks

[Swan-dev] Heads up: you'll need to rebuild your KVMs

2019-05-09 Thread Andrew Cagney
Paul's pushing test results based on the 5.0x kernel so to get things to match, your KVM's kernel needs an upgrade. Up until now, we've been really careful to not upgrade the kernel: - new kernels broke KLIPS builds - identical kernels meant identical behaviour and to this end the VMs' DNF was

Re: [Swan-dev] I think 229e2d24a4 needs to be reverted

2019-05-08 Thread Andrew Cagney
On Wed, 8 May 2019 at 10:30, Paul Wouters wrote: > But we agreed a few weeks ago to do that change post 3.28 as well :) Months? I claim my hand was forced by the absolutely horrendous and O(#STATE) flush_pending_child().

Re: [Swan-dev] I think 229e2d24a4 needs to be reverted

2019-05-08 Thread Andrew Cagney
On Tue, 7 May 2019 at 21:22, Paul Wouters wrote: > > > -#define IS_IKE_SA(st) ( ((st)->st_clonedfrom == SOS_NOBODY) && \ > - (IS_PHASE1((st)->st_state) || IS_PHASE15((st)->st_state) || > IS_PARENT_SA(st)) ) > +#define IS_IKE_SA(st) ((st)->st_clonedfrom == SOS_NOBODY) > > > > The
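
Review bot: the replacement IS_IKE_SA(st) tests only (st)->st_clonedfrom == SOS_NOBODY and no longer looks at (st)->st_state, so a state with no parent is treated as an IKE SA whatever kind it is. If that is the intended invariant, say so in a comment above the macro, and keep the removed IS_PHASE1/IS_PHASE15/IS_PARENT_SA test as an expectation check where callers rely on it, so a state that breaks the invariant is logged rather than silently accepted.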

[Swan-dev] an official alternative to whack --impair revival

2019-04-30 Thread Andrew Cagney
Hi, I added the option: whack --impair revival so we can cripple pluto's desire to revive SAs when they are deleted. I'm going to tweak a few tests to use it. However, I wonder if what we really need is a way to tell pluto that a connection should only try to come up once: ipsec auto --try

Re: [Swan-dev] replace type-safe min() with PMIN() in the realloc code

2019-04-17 Thread Andrew Cagney
I On Wed, 17 Apr 2019 at 17:27, D. Hugh Redelmeier wrote: > > | commit 94c2c3708a98ffde7cf0f14f35689c8a9816eed1 > | Author: Andrew Cagney > | Date: Wed Apr 17 17:00:11 2019 -0400 > | > | libswan: replace type-safe min() with PMIN() in the realloc code > |

[Swan-dev] what to do when adding a connection with a dud certificate?

2019-04-17 Thread Andrew Cagney
I'm looking at this code in connections.c same_leftca = extract_end(>spd.this, >left, "left"); same_rightca = extract_end(>spd.that, >right, "right"); if (same_rightca == -1 || same_leftca == -1) { loglog(RC_LOG_SERIOUS, "extract_end() as failed - ID or certificate might be

[Swan-dev] how to get around python 3.7.1+ hanging kvmrunner on f29 (the hard way)

2019-04-11 Thread Andrew Cagney
(the easy way is 'dnf downgrade python3') I've pushed a tentative fix to ptyprocess so that it avoids all the Python subprocess / fork / ... crap. However, using it isn't trivial. The below is an untested outline: - let's assume cwd is /home/python - clone, configure, build python mainline

Re: [Swan-dev] testing hangs for me

2019-04-05 Thread Andrew Cagney
On Fri, 5 Apr 2019 at 12:32, D. Hugh Redelmeier wrote: > > Summary: the new python3*-3.7.2-5.fc29.x86_64 doesn't fix things While, like I predicted, upstream (i.e., python.org, and not fedora) gave us the knee jerk response: I see many flaws with the libreswan code's design they've also

Re: [Swan-dev] testing hangs for me

2019-04-04 Thread Andrew Cagney
See: https://bugs.python.org/issue6721?@ok_message=msg%20339458%20created%0Aissue%206721%20message_count%2C%20messages%20edited%20ok&@template=item#msg339458 I expect to get the knee jerk response. Meanwhile, I'm trying this hack which ... deletes a lock :-/ diff --git

Re: [Swan-dev] path oddness in ../../pluto/bin/ipsec-look.sh

2019-04-02 Thread Andrew Cagney
In part at least, it was me ... On Tue, 2 Apr 2019 at 10:08, Paul Wouters wrote: > > > Is there any reason the final.sl uses ../../pluto/bin/ipsec-look.sh > instead of the more intuitive ../bin/ipsec-look.sh ? ... and your observation ... > I mean, I do think testing/pluto/bin has seen

Re: [Swan-dev] road changes from 192.1.3.209 to 192.1.33.222 ?

2019-04-01 Thread Andrew Cagney
On Sat, 23 Mar 2019 at 13:58, Paul Wouters wrote: > > > Did someone change road's "random" IP address from 192.1.3.209 to > 192.1.33.222 ? > > I see changes I don't understand from the test run. For instance, xauth-pluto-24-static-addresspool? I see that pass here (f28) but not on testing

Re: [Swan-dev] tracking libevent's memory

2019-04-01 Thread Andrew Cagney
I've pushed the below - I've since used it to find a real memory leak. On Fri, 22 Mar 2019 at 14:16, Andrew Cagney wrote: > > Attached is a patch to configure libevent so that it uses pluto's > leak-detective. It does throw up some leaks but they are mostly > harmless - plut

Re: [Swan-dev] Retransmits logging

2019-03-26 Thread Andrew Cagney
t logging leaves the impression that the remote end sent only one packet. Perhaps a heuristic where a ludicrous number of duplicates for a given state triggers DDOS mode? > Sent from mobile device > > Begin forwarded message: > > From: Andrew Cagney > Date: March 26, 2019 at 18

Re: [Swan-dev] basic-pluto-02 fails: obsolete reference logs?

2019-03-25 Thread Andrew Cagney
On Thu, 21 Mar 2019 at 09:41, D. Hugh Redelmeier wrote: > > | From: D. Hugh Redelmeier > > | -002 "westnet-all": deleting non-instance connection > | +002 "westnet-all": terminating SAs using this connection Yea :-( I just pushed a rather mindless and only lightly tested change to expect this

[Swan-dev] tracking libevent's memory

2019-03-22 Thread Andrew Cagney
ev2-12-x509-ikev1-rw), but that can wait until later. Andrew PS: more surprisingly is that this patch and count-pointers.awk found a bug in leak-detective :-) commit f4c519e61129446dbe833115d5b6ecfc5b73b87a Author: Andrew Cagney Date: Fri Mar 22 10:50:34 2019 -0400 events: point libevent at pluto's me

Re: [Swan-dev] testing hangs for me

2019-03-21 Thread Andrew Cagney
On Wed, 20 Mar 2019 at 23:49, D. Hugh Redelmeier wrote: > > | From: Andrew Cagney > > | Next I'm trying: > |dnf downgrade python3 > > Andrew seems to have found a Python bug report for this bug. No fix, > but a bug report: Yea. I think it's related - someone

Re: [Swan-dev] revive connection's false positive found. It's a bug in whack delete vs down

2019-03-14 Thread Andrew Cagney
BTW, per IRC, another code path is whack --deletestate #N On Thu, 14 Mar 2019 at 06:09, Paul Wouters wrote: > > > I found out why linux-audit-01 falsely triggered the new "connection must > remain up" message > and false triggered the revive connection code. What's the expectation here? >

Re: [Swan-dev] testing hangs for me

2019-03-12 Thread Andrew Cagney
On Thu, 7 Mar 2019 at 10:00, Andrew Cagney wrote: > > Hugh, > > The testing machine might be hitting this problem (yesterday it hung > twice) so I crippled it. > > On the machine that hangs, have you tried a run with KVM_WORKERS unset > and/or KVM_PREFIXES with only on

Re: [Swan-dev] testing hangs for me

2019-03-07 Thread Andrew Cagney
Hugh, The testing machine might be hitting this problem (yesterday it hung twice) so I crippled it. On the machine that hangs, have you tried a run with KVM_WORKERS unset and/or KVM_PREFIXES with only one entry? Just note that, before changing KVM_PREFIXES, a kvm-purge is strongly recommended

Re: [Swan-dev] whack log and libreswan_log()

2019-03-07 Thread Andrew Cagney
On Wed, 6 Mar 2019 at 22:01, Paul Wouters wrote: > > > Andrew fixed the libreswan_log() causing whack output changes with: > > - libreswan_log("IKE delete_state for %lu but connection '%s' > is supposed to remain up. schedule EVENT_INIT_CONN", > - st ==

Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/master

2019-03-01 Thread Andrew Cagney
On Fri, 1 Mar 2019 at 11:42, Paul Wouters wrote: > > On Fri, 1 Mar 2019, Andrew Cagney wrote: > > > On Thu, 28 Feb 2019 at 15:50, Paul Wouters wrote: > >> > >> On Thu, 28 Feb 2019, Andrew Cagney wrote: > >> > >>> That's the case I'm look

Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/master

2019-03-01 Thread Andrew Cagney
On Thu, 28 Feb 2019 at 15:50, Paul Wouters wrote: > > On Thu, 28 Feb 2019, Andrew Cagney wrote: > > > That's the case I'm looking at. Not doing it is demonstrably wrong, > > yet you're suggesting it shouldn't be done? Is there a test case? > > interop-ikev1-strongswan

Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/master

2019-02-28 Thread Andrew Cagney
On Thu, 28 Feb 2019 at 11:48, Paul Wouters wrote: > > On Thu, 28 Feb 2019, Andrew Cagney wrote: > > >> New commits: > >> commit c46b7d010ba30670a768b1651070a666211e648c > >> Author: Paul Wouters > >> Date: Wed Feb 27 23:24:24 2019 -0500 >

Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/master

2019-02-28 Thread Andrew Cagney
On Wed, 27 Feb 2019 at 23:25, Paul Wouters wrote: > > New commits: > commit c46b7d010ba30670a768b1651070a666211e648c > Author: Paul Wouters > Date: Wed Feb 27 23:24:24 2019 -0500 > > IKEv1: Another follow up on aa6b8949 > > It also broke msgid handling for DPD and DELETE routines. I

[Swan-dev] testing.libreswan.org really likes beer^D^D^D^D, er, merges

2019-02-27 Thread Andrew Cagney
FYI (and perhaps provide an incentive to learn more about git). The testing.libreswan.org script that looks for something to test really likes merges (and tags): - when idle, it will look for an untested merge before anything else - when (manually) deleting old test results, merges get left

[Swan-dev] libswwan: ike_alg.c: dh_desc_check: don't segfault if a pexpect fails

2019-02-20 Thread Andrew Cagney
On Wed, 20 Feb 2019 at 17:37, D. Hugh Redelmeier wrote: > > New commits: > commit 43a95b7ed73b0e989b97344ec79574f6e643b09f > Author: D. Hugh Redelmeier > Date: Wed Feb 20 17:33:14 2019 -0500 > > libswwan: ike_alg.c: dh_desc_check: don't segfault if a pexpect fails Thanks. Yea, they could

Re: [Swan-dev] why there were useless assignments

2019-02-20 Thread Andrew Cagney
Perhaps we need a function or macro called coverity_eat_this() that eats the values passed to it - I'm likely to continue writing code like what Hugh cited (and if I need to touch that code I'll likely restore the assignments). So what great security risk do unused values pose. On Wed, 20 Feb

[Swan-dev] making struct finite_state part of struct state

2019-02-20 Thread Andrew Cagney
This continues a face-to-face discussion from last year. It was pointed out that one downside of replacing 'enum state_kind' with 'struct finite_state' is that when a 'struct state' is printed using a debugger it no longer shows the 'state' as an enum. Off hand I can think of two solutions: -

Re: [Swan-dev] libswan/addrtot.c: simplify so scan-build can understand it

2019-02-19 Thread Andrew Cagney
On Tue, 19 Feb 2019 at 12:36, D. Hugh Redelmeier wrote: > > | From: Andrew Cagney > > | On Tue, 19 Feb 2019 at 00:33, D. Hugh Redelmeier > | wrote: > | > > | > New commits: > | > commit b9cd04d93e96ed04baf3a5d25eb50e1ea2d8370f > | > Author: D. Hugh Redelm

[Swan-dev] libswan/addrtot.c: simplify so scan-build can understand it

2019-02-19 Thread Andrew Cagney
On Tue, 19 Feb 2019 at 00:33, D. Hugh Redelmeier wrote: > > New commits: > commit b9cd04d93e96ed04baf3a5d25eb50e1ea2d8370f > Author: D. Hugh Redelmeier > Date: Tue Feb 19 00:21:22 2019 -0500 > > libswan/addrtot.c: simplify so scan-build can understand it BTW, what is scan-build? A search

Re: [Swan-dev] Calling all Message ID bugs

2019-02-19 Thread Andrew Cagney
On Mon, 18 Feb 2019 at 18:41, Paul Wouters wrote: > > On Tue, 19 Feb 2019, Antony Antony wrote: > > > Here a few corner cases. > > what happens in case where > > an admin type connection down in the middle of the rekey. > > I mean the initial rekey message is lost and pluto is doing its

Re: [Swan-dev] The curious case of expire_ike_because_child_not_used()

2019-02-15 Thread Andrew Cagney
On Sun, 10 Feb 2019 at 23:18, Paul Wouters wrote: > It is called from v2_event_sa_rekey() and v2_event_sa_replace() > > The calls pass a child st state. [...] > Then it checks: > > if (IS_IKE_SA(st)) { > ike = pexpect_ike_sa(st); > cst =

Re: [Swan-dev] The curious case of expire_ike_because_child_not_used()

2019-02-14 Thread Andrew Cagney
On Sun, 10 Feb 2019 at 23:18, Paul Wouters wrote: > > > I'm looking at fixing ikev2-delete-sa-04 behaviour, where an auto=start > IKEv2 connection receiving a delete doesn't cause a new connection to > initiate. While a bug was found and fixed, it did lead me and Hugh into > a look at

Re: [Swan-dev] new test failures

2019-02-14 Thread Andrew Cagney
> > Ah few cases got their default key size to go from 128 to 256? Probably > > as a result of the proposal parser changes? I'm fine with that. Let users > > go back to 128 key manually if they really want to do that. > > I'll look at this. It wasn't expected. IKE proposals should prefer > 256

Re: [Swan-dev] new test failures

2019-02-13 Thread Andrew Cagney
On Wed, 13 Feb 2019 at 14:46, Paul Wouters wrote: > > On Wed, 13 Feb 2019, Andrew Cagney wrote: > > > So looking at the parser, officially, for IKE, it expected: > > > > encr-prf-dh > > > > but, unofficially, it could also parse (I don't think this was d

Re: [Swan-dev] tools for detecting NSS object leaks

2019-02-13 Thread Andrew Cagney
The awk script: testing/utils/count-pointers.awk was written to track NSS pointers. It assumes that they are debug-logged in a consistent way. Invoke it as: $ awk -f testing/utils/count-pointers.awk testing/pluto/ikev2-03-basic-rawrsa/OUTPUT/west.pluto.log

Re: [Swan-dev] new test failures

2019-02-13 Thread Andrew Cagney
On Wed, 13 Feb 2019 at 13:44, Paul Wouters wrote: > > On Wed, 13 Feb 2019, Andrew Cagney wrote: > > > It would be from more algorithms being added to defaults. But there's > > another change I think needs to follow. Namely changing the way IKE > > proposals ar

Re: [Swan-dev] new test failures

2019-02-13 Thread Andrew Cagney
On Wed, 13 Feb 2019 at 10:16, Paul Wouters wrote: > > On Wed, 13 Feb 2019, D. Hugh Redelmeier wrote: > > > I ran the tests last evening. The new failures look simple to fix. > > > > I include a diff of the summary from the previous run > > (summary produced by "testing/utils/kvmresults.py

Re: [Swan-dev] [Swan-commit] modularity erosion

2019-02-13 Thread Andrew Cagney
On Wed, 13 Feb 2019 at 12:05, D. Hugh Redelmeier wrote: > | However, pluto does still use the declarations - they provide a way to > | strongly differentiate between an IKE and CHILD proposal. But that is > | something local to pluto and connections.h, hence my note above > | pointing out that

Re: [Swan-dev] [Swan-commit] modularity erosion

2019-02-13 Thread Andrew Cagney
On Wed, 13 Feb 2019 at 04:41, Antony Antony wrote: > > On Tue, Feb 12, 2019 at 07:21:46PM -0500, Andrew Cagney wrote: > > On Tue, 12 Feb 2019 at 11:25, D. Hugh Redelmeier wrote: > > > > > > commit 6909918af77cb8cc39bdad12c51543e16f8297a9 > > > Author: Paul

Re: [Swan-dev] [Swan-commit] modularity erosion

2019-02-12 Thread Andrew Cagney
On Tue, 12 Feb 2019 at 11:25, D. Hugh Redelmeier wrote: > > commit 6909918af77cb8cc39bdad12c51543e16f8297a9 > Author: Paul Wouters > Date: Mon Feb 11 19:26:40 2019 -0500 > > pluto: removal all but one include of proposals.h > > Since connections.h needs it, and that is included

Re: [Swan-dev] ikev2-x509-02-eku

2019-02-08 Thread Andrew Cagney
On Fri, 8 Feb 2019 at 00:53, Paul Wouters wrote: > > I suspect andrew’s kvm magic compile invocations to not yet enable IPsec > profiles for nss Yea, it turned out getting it to auto-detect got messy - plutomain.c likes to print the decision. Just tweaking the KVM make line is likely easiest

Re: [Swan-dev] pexpect failures in test summary

2019-02-07 Thread Andrew Cagney
On Thu, 7 Feb 2019 at 10:53, D. Hugh Redelmeier wrote: > > I like it that pexpect failures are flagged in test summaries. > > For example: > testing/pluto/nss-cert-ocsp-05-ikev2 failed east:EXPECTATION > west:EXPECTATION,output-different > > But some are not reported. For example: > >

Re: [Swan-dev] the problems with Record 'n' Send and delete_state()

2019-02-04 Thread Andrew Cagney
Off list I was asked what happens given the scenario: - IKE SA #1 with three CHILD SA's - #2 #3 #4 - user enters --down #2 --down #2 Below is my attempt at illustrating how it works. Yes it ends up very granular: --down #2 - records a delete notification; and routes the reply to #2 - schedules

[Swan-dev] Calling all Message ID bugs

2019-02-04 Thread Andrew Cagney
uite (or WIP tests that should now work). Over coming days I'll switch pluto to rely on the new code and values. The old code can then be deleted. Andrew On Mon, 4 Feb 2019 at 10:38, Andrew Cagney wrote: > > New commits: > commit 6fa2fd9f21407581397d6cd6e7b24ebe6566378f > Merge: 4bc3929 8

[Swan-dev] the problems with Record 'n' Send and delete_state()

2019-02-04 Thread Andrew Cagney
In IKEv2, where pluto's window size aka N==1: An IKE endpoint MUST NOT exceed the peer's stated window size for transmitted IKE requests. In other words, if the responder stated its window size is N, then when the initiator needs to make a request X, it MUST wait until it has

Re: [Swan-dev] ikev1-impair-07-send-empty-ike-ke

2019-02-03 Thread Andrew Cagney
The test is a little racy: "westnet-eastnet-ipv4-psk-slow" #2: received and ignored notification payload: INVALID_KEY_INFORMATION -|Notify Message Type: INVALID_KEY_INFORMATION (0x11) -"westnet-eastnet-ipv4-psk-slow" #3: ignoring informational payload INVALID_KEY_INFORMATION, msgid=,

Re: [Swan-dev] testing/pluto/ikev2-03-basic-rawrsa-ckaid

2019-02-03 Thread Andrew Cagney
On Sat, 2 Feb 2019 at 22:06, Paul Wouters wrote: > > On Sat, 2 Feb 2019, Andrew Cagney wrote: > > > Already fixed. > > testing: update ikev2-03-basic-rawrsa-ckaid to expect new output > > (but I suspect the sanitizer tweak broke something) > > But what doe

Re: [Swan-dev] questions about ikev2_send_auth

2019-02-03 Thread Andrew Cagney
I don't understand null auth and try to avoid it :-) One thing however, wherever you see AUTH_ECDSA or AUTH_RSA, think instead in terms of AUTH_PKI - those two code paths really need to be merged. On Sun, 3 Feb 2019 at 13:28, D. Hugh Redelmeier wrote: > > ikev2_send_auth's internal variable

[Swan-dev] pluto: simplify by changing ikev2_verify_psk_auth to return bool

2019-02-03 Thread Andrew Cagney
On Sun, 3 Feb 2019 at 12:44, D. Hugh Redelmeier wrote: > > New commits: > commit 0ff22d6bbabf1539ce1565111c103701ff6c3520 > Author: D. Hugh Redelmeier > Date: Sun Feb 3 12:44:01 2019 -0500 > > pluto: add a ??? to v2_check_auth > > commit 7d870086d4e43d64c4a9a304b78e0e3b3c5329e7 > Author:

Re: [Swan-dev] testing/pluto/ikev2-03-basic-rawrsa-ckaid

2019-02-02 Thread Andrew Cagney
Already fixed. testing: update ikev2-03-basic-rawrsa-ckaid to expect new output (but I suspect the sanitizer tweak broke something) On Sat, 2 Feb 2019 at 17:51, D. Hugh Redelmeier wrote: > > | From: Paul Wouters > | > | Because of the raw pub key not being in secrets and then we cannot find

Re: [Swan-dev] ikev2-42-rw-replace-responder

2019-02-02 Thread Andrew Cagney
Already fixed. testing: in ikev2-42-rw-replace-responder only grep for debug lines with a state On Sat, 2 Feb 2019 at 16:37, D. Hugh Redelmeier wrote: > > This failed for me last night with > > testing/pluto/ikev2-42-rw-replace-responder/OUTPUT/road.console.diff > > -| ignoring microcode for

Re: [Swan-dev] enum message_role

2019-02-02 Thread Andrew Cagney
Did you read the comment above the definition? On Sat, 2 Feb 2019 at 11:58, D. Hugh Redelmeier wrote: > > Why do the "real" values start at 3? > > In general, I prefer to let the compiler pick values of enums. (Of course > that makes no sense if the values are specified by the IETF.) > > - the

Re: [Swan-dev] debugging our test runner

2019-02-01 Thread Andrew Cagney
Have a look in debug.log - it should contain absolutely everything. The problem then becomes one of figuring out where the log lines came from. On Fri, 1 Feb 2019 at 01:33, D. Hugh Redelmeier wrote: > > I decided to take a poke at this since I had a hung run sitting around for > 24 or so hours.

Re: [Swan-dev] testing hangs for me

2019-01-30 Thread Andrew Cagney
On Mon, 28 Jan 2019 at 15:47, D. Hugh Redelmeier wrote: > > | From: Andrew Cagney > > | Try an older kernel. > > I just did that. Originally I was using > kernel-4.20.3-200.fc29.x86_64 > Now I've fallen back to > kernel-4.19.15-300.fc29.x86_64 The ne

Re: [Swan-dev] testing hangs for me

2019-01-28 Thread Andrew Cagney
Try an older kernel. On Mon, 28 Jan 2019 at 01:47, D. Hugh Redelmeier wrote: > > Twice today I've tried to run the test suite. Twice it has hung after > less than half an hour. > > The first time I started with "make kvm-clean". > The second time I started with "make kvm-purge". > > I gave up

Re: [Swan-dev] merging base and clone test domains

2019-01-28 Thread Andrew Cagney
Heads up, I've pushed the below. As noted below, this will trigger an upgrade of the base domain (but only once). commit 093a9d912ec6a56602d2813196fc3d1cd871 (HEAD -> master, origin/master, origin/HEAD) Author: Andrew Cagney Date: Wed Jan 23 14:02:36 2019 -0500 kvm: merge b

Re: [Swan-dev] test cases to look into before release

2019-01-26 Thread Andrew Cagney
(I saw your followup, but this e-mail has more context) On Fri, 25 Jan 2019 at 21:33, Paul Wouters wrote: > > On Fri, 25 Jan 2019, Andrew Cagney wrote: > > >> This is not incorrect? > > > > Everything isn't correct ... > > > >> East accept the "

Re: [Swan-dev] test cases to look into before release

2019-01-25 Thread Andrew Cagney
On Thu, 24 Jan 2019 at 15:59, Paul Wouters wrote: > > On Thu, 24 Jan 2019, Andrew Cagney wrote: > > > Yea, that code is pretty messed up (and it always used the wrong > > event). Unfortunately the change poked the IKE vs CHILD switch > > monster. We now see: > >

Re: [Swan-dev] test cases to look into before release

2019-01-24 Thread Andrew Cagney
On Thu, 24 Jan 2019 at 00:06, Paul Wouters wrote: > > On Mon, 21 Jan 2019, Paul Wouters wrote: > > > - ikev2-26-keyingtries > > Fixed - it used the wrong EVENT type Yea, that code is pretty messed up (and it always used the wrong event). Unfortunately the change poked the IKE vs CHILD switch
