(Perhaps Paul has kept back a commit to fix this because we're frozen.)
- sed -n -e '/IMPAIR: start duplicate packet/,/IMPAIR: stop duplicate packet/ {
/^[^|]/ p }' /tmp/pluto.log
+ sed -n -e '/IMPAIR: start processing duplicate packet/,/IMPAIR: stop
processing duplicate packet/ { /^[^|]/ p }'
| From: Paul Wouters
| Sure. We need support for .mobileconfig support so people can just
| import that on Linux as well as Apple devices. I don't know how to
| create a "profile" for Windows. It would be nice if we could do that
| too.
Fine. But that isn't what I asked for.
To be at
I keep seeing people, in various venues, saying that wireshark is
wonderful.
Paul claims that Libreswan configuring is just as simple if the problem is
reduced to the scope of wireshark.
Paul (or anyone else): can you create simple instructions for setting up a
VPN that has feature-parity
| From: Andrew Cagney
| On Sun, 30 Sep 2018 at 15:52, D. Hugh Redelmeier wrote:
| > This absolutely brings these statements into conformity with
| >
<https://github.com/torvalds/linux/blob/master/Documentation/process/coding-style.rst>
|
| I couldn't find anything specific? An
should we
follow them when they make the code less readable?
| From: D. Hugh Redelmeier
| To: Libreswan Development List
| Date: Sun, 15 Jun 2014 14:08:01 -0400 (EDT)
| Subject: readable C style for split control statements
|
| Here's a change that Tuomo just checked in. This changes t
| From: Andrew Cagney
| Er, don't we already have functions to boilerplate at least SK payloads?
Yes, but I hadn't noticed. Unfortunate.
I was fixing five copies of code in ikev2_parent.c. I didn't change
the code much, I just factored it out.
These previously existing functions are used
Andrew: your change c29928174f caused a few tests to fail.
-|af+type: OAKLEY_KEY_LENGTH (0x800e)
+|af+type: AF+OAKLEY_KEY_LENGTH (0x800e)
Could you update the reference logs?
___
Swan-dev mailing list
Swan-dev@lists.libreswan.org
Paul: your change 684f97acbc causes lots of tests to fail.
Could you fix the reference scripts?
| From: Andrew Cagney
|
| On Sat, 22 Sep 2018 at 14:19, D. Hugh Redelmeier wrote:
| >
| > | From: Andrew Cagney
| >
| > | > There are no good exception mechanisms.
| > |
| > | There is, it's called abort(). Part of libreswan's start up is dealing
| > | with any me
since libreswan 3.26 + 83e33a69b27f6c5d5f4aff2fc94a1357d5126ed1 I
get these syslog messages very often:
http://paste.debian.net/hidden/a99f6aa9/ - that's annoying ;)
I've just pushed fa004e7d4b83fbeaa8d0f6d8430a96aed97a97b9
to log the state name
DHR-x, LetoTo, LetoThinkpad: message ignored
| From: Andrew Cagney
| I'm wondering why we bother to write code like:
|
| return ikev1_out_generic(np, _keyex_desc, outs, ) &&
| out_zero(g->len, , "fake g^x") &&
| (close_output_pbs(), TRUE);
|
| that goes out of its way to terminate the construction of a
I was thinking "Paul Wouters" when I wrote "you" in the following. I need
more sleep :-)
On Fri, 21 Sep 2018, D. Hugh Redelmeier wrote:
| From: D. Hugh Redelmeier
| To: Libreswan Development List
| Date: Fri, 21 Sep 2018 06:54:58 -0400 (EDT)
| from the most recent part
from the most recent part of our CHANGES file:
* IKEv1: Fix XAUTH message padding [Hugh]
I did not fix this. I wanted to but you were worried that this would
break compatibility with unknown other implementations.
You were trying to contact Checkpoint about this but I never heard that
anyone
- don't initialize a variable unnecessarily.
+ this confuses the human reader -- she thinks the initialization has
some meaning, but it does not
+ this prevents automatic tools from discovering paths where the variable
will not be set before being used. (Technically the spurious
| From: Andrew Cagney
| On Thu, 6 Sep 2018 at 11:53, Andrew Cagney wrote:
Sorry for not replying sooner.
| > Short term we can get some extra bits by splitting debug and impair so
| > that they each have their own lset_t.
That seems pretty clean and non-controversial.
The original idea was
Note: also hits
interop-ikev2-strongswan-46-responder-ecdsa-384
ikev2-ecdsa-01
east.console.diff starts off badly:
/testing/guestbin/swan-prep
east #
PATH/bin/pk12util -i /testing/x509/strongswan/strongEast.p12 -d
sql:/etc/ipsec.d -w /testing/x509/nss-pw
-pk12util: PKCS12
Is the tree still frozen for the next release?
| From: D. Hugh Redelmeier
| Date: Sat, 18 Aug 2018 23:20:18 -0400 (EDT)
| History of VLA (variable-length arrays) in C.
Here's an interesting LWN article about a move to ban VLAs from the
kernel.
<https://lwn.net/Articles/749064/>
This involves a struggle with "max" from whi
IKEv1 packet.h routines will fill in the next payload field automatically.
This was done by extending what Andrew had already done for v2.
It is intended for this to be set up correctly but removing the
pre-computing code might expose flaws. I don't expect any since the
automatic code checks
| From: Andrew Cagney
| On Wed, 5 Sep 2018 at 23:54, D. Hugh Redelmeier wrote:
| > The pattern /\/ is more reliable and easier. I'd recommend
| > this:
| >
| > sed -i -e 's/\/uint\1_t/g' -e 's/\/unsigned/g'
|
| It looks like a gnu extension, or something new to POSIX?
DHR, fyi, 6d0aea9400 isn't portable
the timeval fields are long long on 32-bit machines
Thanks. You are right about the tv_sec field.
I happened to look at select(2) when I wrote 6d0aea9400. It says that the
fields are long. Nothing about long long on 32-bit machines.
It turns out that
| commit 8ae190998e1aa32aa8903d541b7c0365934d4735
| Author: Andrew Cagney
| Date: Wed Sep 5 17:16:17 2018 -0400
|
| bsd: sed -i -e 's/u_int\([0-9]*\)_t/uint\1_t/g' -e
's/u_int\([^0-9]\)/unsigned\1/g'
The pattern /\/ is more reliable and easier. I'd recommend
this:
sed -i -e
Why is connalias not documented?
It is tested in testing/pluto/alias-01.
If it isn't documented, does anyone use it? If not, can we delete it?
| From: Paul Wouters
| Date: Sun, 19 Aug 2018 15:11:27 -0400 (EDT)
| On Sat, 18 Aug 2018, D. Hugh Redelmeier wrote:
|
| > So these calls are wrong.
In other words: it is a bug in our code.
We can fix it by simply deleting these calls.
| I agree, but the question is what interop issues wo
For some reason that I don't understand, my test system doesn't seem to
reliably run the tests.
- a smattering of tests produce no output.
- a smattering of tests require retransmission of some message, and if
that gets logged on the console, the test is considered to have failed
These
I got this diagnostic in psk-pluto-05, in the pluto log for east
"road-east-psk"[1] 192.1.3.174 #2: message ignored because it contains an
unexpected payload type (ISAKMP_NEXT_HASH)
"road-east-psk"[1] 192.1.3.174 #2: sending encrypted notification
INVALID_PAYLOAD_TYPE to 192.1.3.174:500
The
I've introduced a new function, with a prefixed name. I chose to break
new ground by naming it "v2_build_id_payload". I think that this is
better than "ikev2_build_id_payload".
- adding IKE is redundant. We know that we're dealing with IKE. There is
no IPv2, for example.
- names should
commit 3f29a679a4c02a13fd152c2f86bebba87739f32f
Author: D. Hugh Redelmeier
Date: Sun Aug 19 02:10:25 2018 -0400
pluto: aggr_inR1_outI2_tail: correctly build ID payload for hashing
The ID payload would not have its length field filled in. I wonder why we
observed no problems?
Ahh
| From: Paul Wouters
| On Tue, 24 Jul 2018, D. Hugh Redelmeier wrote:
|
| > Paul (or anyone else):
| > Can you verify that these uses of obsolete keywords should go?
| > Can you fix them?
|
| done. Note that I wiped testing/scripts as it was full of cruft from
| freeswan style OE
| From: Paul Wouters
| But RFC 2408 section 3.6 does mention padding for attributes:
|
| https://tools.ietf.org/html/rfc2408#section-3.6
|
| If the SA Attributes are not aligned on 4-byte boundaries,
| then subsequent payloads will not be aligned and any padding will
| be
| From: Sahana Prasad
| Thank you for the comments.
Thanks for your code and thanks for your proposed changes.
History of VLA (variable-length arrays) in C.
- originally: all C types, when used for allocating memory, have to
have a size that is known at compile time. (This is true of array
| From: Antony Antony
| Date: Tue, 31 Jul 2018 11:05:35 +0200
[catching up on old mail]
| I can imagine some inconvenience while updating outputs blindly, such as with sed.
| However, I am of the opinion do not update blindly. Only update if the test ran.
I like (judicious) global updating.
I sometimes make mistakes that cause a simple problem that shows up in a
lot of these (you've seen that today).
I would like to be able to edit the OUTPUT/*.verbose.txt files and the
OUTPUT/*.pluto.log files and have the results analyzed again.
I don't know how to do that now. I've spent a
| From: Andrew Cagney
| (to upgrade the domains use 'make kvm-upgrade' or 'make kvm-purge
| kvm-upgrade-base-domain')
Darn.
I kicked off a test last night with only "make kvm-purge". So I guess
I still get the old version of Strongswan.
I thought kvm-purge was as hard as you could hit it.
| From: Paul Wouters
| This means that if you don't upgrade the guests to this, the strongswan
| tests will fail in swan-prep since it refuses to run the test (to avoid
| people pingponging output when they have different strongswan versions)
|
| For fedora-22 I've made the rpm available at:
(This message is mostly archaeology, and incomplete at that.)
This function has a very useful rationale in comments:
/*
* In IKEv1, some implementations (including freeswan/openswan/libreswan)
* interpreted the RFC that the whole IKE message must padded to a multiple
* of 4 octets, but other
| From: Andrew Cagney
| When I run ikev2-03-basic-rawrsa-ckaid with f28c65e2c5a1325621725
| checked out (and master),
The last time I ran the tests, that test's directory existed but it
wasn't in TESTLIST. So I guess I've never run it.
| I get:
|
| /testing/guestbin/swan-prep
| *** Error
you answered my question. Which is correct:
libreswan_vendorid or pluto_vendorid. Surely not both!
| From: Paul Wouters
|
| On Mon, 30 Jul 2018, D. Hugh Redelmeier wrote:
|
| > Some of our code emits our vendorid payload using libreswan_vendorid
| > as our Vendor ID using
| >
ikev1-x509-05-san-firstemail-match/west.console.txt
seems to still be broken.
| From: Paul Wouters
| Date: Mon, 23 Jul 2018 02:02:50 -0400 (EDT)
| Subject: Re: [Swan-dev] ikev1-x509-07-san-ip-mismatch [was please fix
| ikev1-x509-05-san-firstemail-match]
|
| On Wed, 18 Jul 2018, D. Hugh
| From: Andrew Cagney
| > -webdir=$(cd $(dirname $0) && pwd)
| > +webdir="$(cd "$(dirname $0)" && pwd)"
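Review bot: on the `+webdir=` line, `$0` inside the inner `$(dirname $0)` is still unquoted, so a script path containing whitespace is word-split before `dirname` sees it; write `"$(dirname "$0")"`. The new outer quotes around the whole substitution are harmless, but a plain variable assignment is not subject to word splitting, so they are not what fixes it.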
|
| Actually, no. In this context, the outer quotes are not needed
True.
| and
| should not be used.
Why?
| When this was explained to me, it came with
| the phrase common
The Bourne Shell and all relatives are very unforgiving about requiring
quoting. Most uses of $ should be quoted to avoid surprises.
It's easy to not bother, and the result usually works, but that's just not
good enough when scripting.
For example, a filename can have a space in it. This is
| From: Andrew Cagney
| I'd have to ask the same question. Your output below which shows
| where -origin/master/ is coming from is, let's say, original. What's
| up with git?
I would like to know! Somehow I wandered into a part of git that I
don't understand.
There are parts of git that I
I did a
make kvm-uninstall
this time in case some cruft had built up.
Then I did
make kvm-install && make kvm-check
and walked away.
I came back after a couple of hours to see how it was cooking. It had
crashed out with this:
mkdir
I ran
make kvm-clean
make kvm-install && make kvm-check
and came back in 6 hours to see how it was doing.
Well, it quit really early. I had not seen this before:
:
: According to /proc/sys/kernel/random/entropy_avail your computer do not seem
to have much entropy.
:
: Check the
Paul (or anyone else):
Can you verify that these uses of obsolete keywords should go?
Can you fix them?
PS this list is the output of grep -n. I think that VIM has a feature
called quickfix to conveniently navigate such a list. I use the
similar JOVE feature all the time. So I'd recommend
| From: Andrew Cagney
| I like the idea but I'm not sure about the error being printed - it
| makes me think of a Microsoft joke - while the information provided is
| technically correct it is completely useless :-)
Better to report an error where it is discovered than hope the null
action will
| From: Andrew Cagney
| BTW, as a general rule - learnt from autoconf - test for a feature and
| not for the OS..
Absolutely. (I learned this from experience, before autoconf. It's nice
to learn things from a less painful teacher than experience.)
Sometimes code evolution deviates from
The use of resolve_defaultroute() in file programs/addconn/addconn.c
is the focus of my concern.
Have a look at 389bd0f3e66774f0da63d23653cbdf85a9ceb2d1
(I've included it at the bottom for your convenience.)
1) after the commit resolve_defaultroute does nothing if HAVE_NETKEY is
I used to use an old machine for testing. After a long hiatus, I'm
trying again, with a fresh install of everything
The processor is an Intel i5-2400 "Sandy Bridge". This processor does not
have the RDRAND feature. You can test your own processor:
grep rdrand /proc/cpuinfo
To get
I'm setting up a new test system.
make kvm-install failed with this message:
qemu-img convert \
-p -O qcow2 \
/home/build/pool/swanfedora22base.qcow2 \
/home/build/pool/a.clone.qcow2.tmp
qemu-img: Could not open '/home/build/pool/swanfedora22base.qcow2': Could not
open
It fails with lots of missing XFRMs in road.console.diff
When I look in east.pluto.log, I see this which seems suspicious:
"authenticated"[1] 192.1.3.209 #3: STATE_PARENT_R1: received v2I1, sent v2R1
{auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_512 group=MODP2048}
"authenticated"[1]
Same problem in
ikev1-x509-07-san-ip-mismatch
| From: D. Hugh Redelmeier
| To: Libreswan Development List
| Date: Wed, 18 Jul 2018 18:42:26 -0400 (EDT)
| Subject: [Swan-dev] please fix ikev1-x509-05-san-firstemail-match
|
| west.console.diff:
|
| -002 "san" #1: deleting state (STA
24:0/0
"westnet-eastnet-3des" #2: IPsec encryption transform rejected: 3DES_CBC
key_len 0 is incorrect
"westnet-eastnet-3des" #2: sending encrypted notification BAD_PROPOSAL_SYNTAX
to 192.1.2.45:500
"westnet-eastnet-3des" #2: deleting state (STATE_QUICK_R0) and
PROPOSAL_SYNTAX
to 192.1.2.45:500
"westnet-eastnet-null" #2: deleting state (STATE_QUICK_R0) and NOT sending
notification
| From: D. Hugh Redelmeier
| Subject: [Swan-dev] please fix ikev1-algo-05-3des-sha2
| Pluto log on east says:
|
| "westnet-eastnet-ipv4-psk-ikev1&
Same problem with algo-pluto-08 and fips-06-ikev1-3des-sha1
| From: D. Hugh Redelmeier
| Subject: [Swan-dev] please fix ikev1-algo-05-3des-sha2
|
| Pluto log on east says:
|
| "westnet-eastnet-ipv4-psk-ikev1" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=PRESHARED_
An inaccurate message has disappeared. But an accurate message did not
replace it. This seems suspicious.
# will only show up on east - note "expired" is wrong and should be "not yet
valid"
east #
grep "ERROR" /tmp/pluto.log
-"nss-cert" #1: ERROR: Peer's Certificate has expired.
east #
east.console.txt has this difference:
grep "ERROR" /tmp/pluto.log
+"nss-cert" #2: ERROR: netlink response for Del SA esp.ESPSPIi@192.1.2.45
included errno 3: No such process
+"nss-cert" #2: ERROR: netlink response for Del SA esp.ESPSPIi@192.1.2.23
included errno 3: No such process
Why would
Why is /var/log/audit/audit.log missing?
testing/pluto/seccomp-01-enabled/OUTPUT/west.console.diff:
# one entry of SECCOMP activating should show up in the log
west #
grep SECCOMP /var/log/audit/audit.log | sed "s/ip=.*/ip=XXX/"
-type=SECCOMP msg=audit(XXX): auid=AUID uid=0 gid=0 ses=SES
west.console.diff:
-002 "san" #1: deleting state (STATE_MAIN_I3)
+002 "san" #1: deleting state (STATE_MAIN_I3) and NOT sending notification
This looks like an old change by Paul.
Paul: Is my diagnosis correct? Can you fix it?
Pluto log on east says:
"westnet-eastnet-ipv4-psk-ikev1" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
"westnet-eastnet-ipv4-psk-ikev1" #1: the peer proposed: 192.0.2.0/24:0/0 ->
192.0.1.0/24:0/0
| From: Antony Antony
| This is possibly another workaround. Try it?
|
| KVM_PREFIX='' a.
|
| always have '' as a prefix and then there will be two sets, a.east and east
Thanks.
I thought of that. I decided not to do it because:
- I did not know if it would work and it would take
t is named.
| Full disclosure?
|
| 5618b2c31d (D. Hugh Redelmeier 2018-07-14 08:59:54 -0400
| 300)/* COOKIE_SIZE is also IKEv2 IKE SPI size */
Right, it was part of the commit we're talking about. Called out in
the commit message.
| > So if someone is puzzled about a reference to COOKIE_SI
| From: Paul Wouters
|
| I want to start merging in some code that will cause some test failures
| to fixup. So are we waiting to move to f28 before those, or are we doing
| these first now because the tree is already heavily modified since
| 3.25?
I don't understand. I try to commit test
| From: Andrew Cagney
| > My POV is to follow the C standard where possible. The C standard does
| > not provide the guarantee. Intentionally.
|
| The systems we target do; so let's not make things harder than they already are.
The hardware we target happens to. As far as we know. But
| From: Andrew Cagney
| - COOKIE_SIZE is IKEv1 so should not appear in IKEv2 code at all!
| IKEv2 has cookies but they are completely different, having nothing to
| do with this value.
COOKIE_SIZE is the size of the fields in the header that hold v2 IKE
SPIs. This is by protocol design, not an
| From: Paul Wouters
| cd testing/pluto/sometest
| ../../utils/kvmrunner.py .
It didn't work for me. It boils down to:
error: Domain not found: no domain with matching name 'road'
That's because I have this in my Makefile.inc.local:
KVM_WORKERS=2
KVM_PREFIX=a. b.
So I
| From: Andrew Cagney
| Subject: [Swan-dev] Fwd: [Swan-commit] Changes to ref refs/heads/master
When replying to a commit message, please edit the Subject: to be useful.
| Hugh,
| - ensure alg_info_ike and alg_info_esp fields are initialized to NULL
| (initializing a pointer's raw
My run of the test suite is making glacial progress.
It has been stuck for seven hours in dnssec-keygen on the host
computer:
\_ make kvm-check
\_ /bin/sh ./testing/baseconfigs/all/etc/bind/generate-dnssec.sh
\_ dnssec-keygen -K keys -b 2048 -f KSK -a RSASHA256 -n ZONE
| From: Andrew Cagney
| Subject: Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/master
It is useful to change the subject when replying to a commit message
since those messages have totally non-descriptive and non-distinguishing
subjects.
| Just pass in a stack allocated lswlog
I
I've just pushed an improvement in how confread handles diagnostics.
Test testing/pluto/ikev2-asymmetric-01-parsing will now fail. I don't
know what we should hope for here. Some errors are being reported by
two different mechanisms. I don't know which report to eliminate.
I've been told
I got a number of test failures with this in the pluto log (not the
console log), repeated a lot:
"westnet-eastnet-ipv4-psk-ikev1" #1: the peer proposed: 192.0.2.0/24:0/0 ->
192.0.1.0/24:0/0
"westnet-eastnet-ipv4-psk-ikev1" #2: IPsec encryption transform rejected:
3DES_CBC key_len 0 is
This looks like a good change. After all, "(null)" is scary. So I guess
that the reference logs should be fixed.
I guess that all these are wrong:
grep '^000 algorithm AH/ESP auth: name=(null), keysizemin=256, keysizemax=256'
*/*.console.txt | cat
When I try this, I get this message
Either hostname or domain must be specified
I'm guessing that's because my vms are named a.* and b.*
Is there a way to use runkbm.py?
| From: D. Hugh Redelmeier
|
| /source/lib/libswan/ike_alg_dh.c:337:13: error: ‘SEC_OID_CURVE25519’
undeclared here (not in a function)
| .nss_oid = SEC_OID_CURVE25519,
|
| On Fedora 28, this is defined in nss-util-devel-3.37.3-1.0.fc28.x86_64
|
| How do we get it into the standard testing
/source/lib/libswan/ike_alg_dh.c:337:13: error: ‘SEC_OID_CURVE25519’ undeclared
here (not in a function)
.nss_oid = SEC_OID_CURVE25519,
On Fedora 28, this is defined in nss-util-devel-3.37.3-1.0.fc28.x86_64
How do we get it into the standard testing
These are failures on last night's run that were not failures on the
previous run, started July 1 at 2:33 AM EDT.
My comments are on lines starting with ?.
testing/pluto/ikev2-ddns-02 failed east:output-different west:output-different
testing/pluto/ikev2-ddns-02/OUTPUT/east.console.diff
| From: Antony Antony
| I stumbled on something similar and from a quick look pointed me to
| the commit 1dbc99118f . The test passed in v3.25
Thanks. You were quite right.
A merge silently moved a chunk of code inside a conditional. So
important stuff was only done in the AH case (i.e.
Andrew:
I don't understand this title.
In IKEv1 both Initiator and Responder may need to retransmit.
Maybe you mean "Replying", not "responding"? These are synonyms in
English but a useful distinction can be made in IKE, I think.
If we are not replying, what would "remember_received_packet"
| commit 5c6cd3cf0c32b0ff39fee2de2878bf2337197b8c
| Author: Andrew Cagney
| Date: Wed May 23 13:40:20 2018 -0400
|
| includes: move typedef err_t to "err.h"
|
| Hidden in libreswan.h (nee openswan.h). Sprinkle #includes.
|
| Given the assumption that pluto is
| From: Paul Wouters
| On Sat, 23 Jun 2018, D. Hugh Redelmeier wrote:
|
| > pluto/basic-pluto-01-nokey/west.console.txt
| >
| > -002 "westnet-eastnet" #1: deleting state (STATE_MAIN_I2)
| > +002 "westnet-eastnet" #1: deleting state (STATE_MAIN_I
| From: Paul Wouters
| > Which notification error type? Maybe some XAUTH draft spells this
| > out. Failing that, RFC 2408 specifies 26 for ADDRESS-NOTIFICATION but
| > doesn't seem to suggest when it might be used or what it means.
| > Googling only gets me obsolete drafts. We don't
pluto/basic-pluto-01-nokey/west.console.txt
-002 "westnet-eastnet" #1: deleting state (STATE_MAIN_I2)
+002 "westnet-eastnet" #1: deleting state (STATE_MAIN_I2) and NOT sending
notification
Is this an expected change? dc04bd1a20?
If so, please fix the reference log.
| From: Paul Wouters
| As I wrote in the other email, this can be turned back to the original
| pool size. I'll pick it up later today if you haven't already put it
| back.
I'll leave it to you.
I recommend turning one test into two:
- one with addresspool failure, so that gets tested.
| From: D. Hugh Redelmeier
| < | request lease from addresspool 192.0.2.1-192.0.2.200 reference count 3
thatid '@road' that.client.addr 192.1.2.63
| > | request lease from addresspool 192.0.2.1-192.0.2.1 reference count 3
thatid '@road' that.client.addr 192.1.2.63
|
| Notice the diff
I'm comparing east.pluto.log from a while ago (which didn't fail this way)
and a run from a night or so ago.
< | request lease from addresspool 192.0.2.1-192.0.2.200 reference count 3
thatid '@road' that.client.addr 192.1.2.63
> | request lease from addresspool 192.0.2.1-192.0.2.1 reference
The Coverity report (at the bottom of this message) is interesting.
It was triggered by e30778728ea01dacb051276d835648e0fda0618c which
actually fixed a leak and did not introduce any new one (as far as I
know).
The flow of whack file descriptors is quite subtle and it seems that
maintainers
| From: Andrew Cagney
I like it that we don't accept crappy whitespace by default. On the
other hand, this GNU diff flag is mostly harmless:
-Z, --ignore-trailing-space
ignore white space at line end
Don't get me wrong: I would like to consider trailing whitespace to be
a
I think that failed because the reference log for road was not updated to
reflect 8f79b69b1eed8e8422618bf9598ba8cc4d31e92f
(I'm testing the tree from almost 24 hours ago. This might have already
been fixed.)
Here's an example:
--- MASTER/testing/pluto/klips-ikev2-algo-sha2-07/east.console.txt
+++ OUTPUT/testing/pluto/klips-ikev2-algo-sha2-07/east.console.txt
@@ -48,12 +48,14 @@
east #
| Perhaps NIC doesn't have Libreswan.
|
| Note: the reference log has a related but different error message.
This also applies to
testing/pluto/certoe-03-poc-whack/OUTPUT/nic.console.diff
Perhaps NIC doesn't have Libreswan.
Note: the reference log has a related but different error message.
--- MASTER/testing/pluto/certoe-07-nat-2-clients/nic.console.txt
+++ OUTPUT/testing/pluto/certoe-07-nat-2-clients/nic.console.txt
@@ -33,7 +33,7 @@
-bash: ipsec: command not found
nic #
, nothing to see.
|
| --
|
| While both complete_v[12]_state_transition() implementations stink.
| We don't need coverity to tell us that. The good news is that we've
| managed to compensate by accumulating reasonable test coverage.
|
| On 3 June 2018 at 20:34, D. Hugh Redelmeier wrote
| From: Andrew Cagney
|
| It might be useful to figure out if llvm supports this feature, or just go with:
|
| + ((ASSERTION) ? true : (libreswan_pexpect_fail(__func__, \
| + PASSERT_BASENAME, __LINE__, \
| + #ASSERTION), false))
|
| except that wraps ASSERTION in paren :-(
I don't
In front of this function, the following comment appears:
/*
* We need an md because the crypto continuation mechanism requires one
* but we don't have one because we are not responding to an
* incoming packet.
* Solution: build a fake one. How much do we need to fake?
* Note: almost
(1) it isn't clear to me why the streq(best->name, t->name) is not negated
Could someone add a comment explaining this? Paul? Antony?
929 if (LIN(POLICY_GROUPINSTANCE, t->policy) && (t->kind == CK_TEMPLATE)) {
930 /* ??? clang 6.0.0 thinks best might be NULL but I don't see
how
There is some long-standing code in complete_v1_state_transition that
looks fishy. clang thinks so, but just for a shallow reason.
Can someone who understands DPD logic look at this?
/*
* make sure that a DPD event gets created for a new phase 1
clang gave warnings near programs/pluto/foodgroups.c.
They are about redundant assignments to r. In itself, a redundant
assignment isn't a bug. But it often indicates some kind of mistake.
So I added some ??? comments.
Does anyone know the intent? Paul?
--- a/programs/pluto/foodgroups.c
+++
By accident, I just did a "git diff" on my test machine. I didn't need
to because I don't normally make changes there.
So I was surprised to see that there WAS some change. Running the test
system is changing a part of the git tree. This seems very wrong.
One practical example of a problem
| From: Andrew Cagney
| Google flagged this as spam, I agree.
Heh.
Static analysis is always imperfect (Halting Problem).
I've made a change to the definition of pexpect in an attempt to make
the control flow around pexpect clearer to Coverity Scan. It might
even help a compiler produce
void complete_v1_state_transition(struct msg_digest **mdp, stf_status result)
{
struct msg_digest *md = *mdp;
passert(md != NULL);
...
switch (result) {
case STF_SUSPEND:
set_cur_state(md->st); /* might have changed */
if