A lot of my tests fail because messages like the following don't appear in
the output of ipsec erout. Is this actually highlighting a real
problem?
-169.254.0.0/16 dev eth0 scope link metric 1002
-169.254.0.0/16 dev eth1 scope link metric 1003
-169.254.0.0/16 dev eth2 scope link metric
| From: Paul Wouters p...@nohats.ca
| To: D. Hugh Redelmeier h...@mimosa.com
| Cc: Libreswan Development List swan-dev@lists.libreswan.org
| Date: Sun, 21 Dec 2014 16:40:41 -0500 (EST)
| Subject: Re: [Swan-dev] aggressive mode
|
| On Sun, 21 Dec 2014, D. Hugh Redelmeier wrote
| From: Paul Wouters p...@nohats.ca
|
| On Fri, 19 Dec 2014, Andrew Cagney wrote:
|
| I've some code that uses test-vectors to check:
|
| struct encrypt_desc.do_crypt
|
| I'm wondering if anyone has a preference for where they should live?
| Separate file; next to the crypto code; ...
|
In IKE terms, this thing is not an attribute value, it is an attribute
type.
The attribute has a value and it is nothing to do with the attribute type.
The value is not affected by the setting of secctx_attr_value.
Who named this variable and this flag? Why did they give it such a confusing
There seem to be some scars in the code from trying to use
ECN_TUNNEL's type as the secctx_attr_value [type].
Do we still want to support this or is this mistake sufficiently behind
us that we can get rid of the scar tissue?
___
Swan-dev mailing list
My latest commit highlights some mysteries.
I would like some other eyes on them.
In particular, I think that some of what I poked at is under Antony's
microscope at the moment.
(I hope that this will hit the public git tree within a week.)
| From: D. Hugh Redelmeier h...@vault.libreswan.fi
| From: Antony Antony ant...@phenome.org
| Is it an accident that this commit ended up in #master? Or are you sure it is
| suitable for the upcoming bug fix release?
I think that it's OK. All the risky bits are only in comments :-)
Current model, as I understand it:
==
master is where everything goes.
We make releases off the HEAD of master.
When we wish to make a release, we freeze master to some extent, until
the release can happen. Only things important enough break through the
Just checking:
complete_v1_state_transition copies these VID settings from md to st:
fragvid, dpd, nortel
complete_v2_state_transition does not.
Are these VID settings meaningful in v2?
We tried to use this option in testing to speed up failure. You know, the
fail fast paradigm (not really).
It turns out that this option was not suitable for that purpose. Its name
was misleading. The documentation says:
At times it may be desirable to turn off all timed events in
I don't like them.
Antony tells me that they don't work with systemd.
Can we get just rid of them?
(I made the changes but then chickened out on committing them.)
I'm looking at disk usage on the machine that used to run make check.
Large directories in build's home directory (in ascending order of 1K
blocks):
  691316 libreswan
 2948256 results
20908400 pool
So results is serious (larger than libreswan itself by a factor of 4).
But pool seems to be
We've decided that the V2 state naming is awkward and can be improved.
Antony created https://libreswan.org/wiki/IKEv2_Child_SA.
I'm treating it as if it is only about naming states (in which case the
name of the wiki entry is wrong). Can we rename it? (Sounds awfully
meta.)
I've added some
Generally speaking, time should not be represented within Pluto with a
uint64_t.
Most (not all!) times in system and library calls are time_t, which
may or may not be uint64_t (system dependent).
There are three kinds of time_t that are not the same.
So Pluto has three distinct types for these
In testing/pluto/TESTLIST, several tests appear more than once. This
seems wasteful and confusing.
kvmplutotest ikev2-17-rekey good
kvmplutotest ikev2-17-rekey good
kvmplutotest ikev2-algo-05-aes-default good
kvmplutotest
There are substantive tests that have been wrapped in #if 0. Why?
ce2cea89 (Michael Richardson 2006-07-28 15:26:49 -0400 1025)
Maybe RW with PSK and RSA can both be OK.
ec977000 (Paul Wouters 2010-06-25 15:25:06 -0400 1042)
Allow rightsubnet=vnet:%priv or
| From: Tuomo Soini t...@foobar.fi
| I see in one system a new problem which never happened in 3.8.
|
| Jul 15 15:27:16 firewall2 pluto[15180]: tunnel1 #10794: message in
| state STATE_MAIN_R1 ignored due to cryptographic overload
I'm not sure what's going on. I added some more logging to
http://redsymbol.net/articles/unofficial-bash-strict-mode/
This article advocates using shell options I've recommended, plus a few
more useful tricks.
Perhaps people will find it more convincing than my exhortations.
I thought his IFS suggestions were quite interesting.
There's a lot of code like this at the start of functions:
if (st == NULL)
	return;
in places where it should not be needed.
This is the case in release_fragments() as far as I can tell.
If it should not be needed, it should be left out. That way we'll crash
when
| From: Ruben Laban r.laban+li...@ism.nl
...
| diff --git a/programs/_stackmanager/_stackmanager.in
| b/programs/_stackmanager/_stackmanager.in
| index 6c2a98f..0ad1066 100644
| --- a/programs/_stackmanager/_stackmanager.in
| +++ b/programs/_stackmanager/_stackmanager.in
| @@ -367,7 +367,6 @@
Man page change:
-The first significant line of the file must specify the version of this
specification that it conforms to:
+The first significant line of the file may specify a version of this
specification for backwards compatibility with freeswan and openswan\. It is
ignored and unused\.
I just spent a bunch of time to simplify how IP addresses get
formatted in libreswan.
Why?
- addrtot, while complete and powerful, is tedious to invoke.
- ip_str was easy to invoke in common cases but had problems
- it used a static buffer so
- it wasn't safe to use in more than one
| From: Paul Wouters p...@nohats.ca
| Things in linux/net/ipsec are typically shared between userland and
| kernel. Does this affect KLIPS in any way?
A tiny bit: the (one-line) function will be loaded as part of addrtot.o.
It currently isn't used. But it would work if it were used. I guess
| From: Paul Wouters p...@nohats.ca
| The code could be simplified (and at least one goto eliminated).
|
| Done,
You just started :-)
See 0e00834183923af6209900f36839be3431ddfb09 on hugh-2014may branch.
I didn't want to do this to master when we are so close.
Of course I think all are worth adding. I mean before the release.
54e1a7c1f155ed36276d768e5f5447be4699b4a3
Try to correctly model v2 Transform Attribute Types.
[This one gets rid of a compiler warning.]
4d989b11e0b43c80def708b392aa1a643362c524
packet.c: display the name for IKEv2
Is there a good explanation for what this is about? Certainly not in the
code (which is where I'd want at least some of it, or a pointer).
http://support.microsoft.com/kb/818043 was released in 2003 and applies
to products that Microsoft has obsoleted (WinXP and Win 2000).
Was the problem
The Robustness Principle from RFC 1122:
Be liberal in what you accept, and
conservative in what you send
Here's a tricky case.
Apparently, when the ipsec.conf specifies aes, for example, we take
it to mean:
propose AES 128 (bug: 256 for ESP)
but
| From: D. Hugh Redelmeier h...@mimosa.com
Oops: in editing I introduced a mistake that is surely confusing.
| Apparently, when the ipsec.conf specifies aes, for example, we take
| it to mean:
| propose AES 128 (bug: 256 for ESP)
| Consider a case where the other side can only do AES 128
Most uses of atoi are a mistake. That's because it is not convenient to
detect when a malformed number is present. So good error handling isn't
easy and (generally) code that uses atoi just ignores problems.
So: any atoi call should be replaced. With what?
strtoul is a useful function. It
For the last few weeks, I've been unable to run the test systems on my
Fedora 20 system. The scripts could not find the VMs responsive on the
console. Paul says that it seems to be something with the simulated
serial console.
I downgraded my Fedora kernel on the host machine from
timetoa is defined two places, identically, and that's silly. I'm
deleting the one in programs/pluto/lswtime.c. Unfortunately, I've put
another function in there so I cannot delete that file until I find
another home for it.
As far as I can tell, none of our code uses anything in
if (sa_p->ips_iv_bits) {
	int j;
	seq_printf(seq, "iv_bits=%dbits iv=0x", sa_p->ips_iv_bits);
#ifdef CONFIG_KLIPS_OCF
	if (!sa_p->ips_iv) {
		/* ocf doesn't set the IV, fake it for the UML tests */
| From: Paul Wouters p...@nohats.ca
| One of the test cases showed an issue with binding a received address
| from the addresspool by an XAUTH client. It turned out it was 192.0.2.0.
|
| I would suggest that if an addresspool is defined that includes
| a.b.c.0/32 that we actually skip that
| From: Paul Wouters p...@nohats.ca
| Do we have a way of knowing the whole local subnet? If so, we might
| ban the top and bottom addresses of it (not the top and bottom of the
| addressrange).
|
| a subnet (CIDR) is not an address range. I don't think we can infer
| anything of an address
| From: Paul Wouters p...@nohats.ca
| The whole point of that change was to fix a dead lock:
|
| https://github.com/xelerance/Openswan/issues/74
What you want is a monotonic clock. That's not what time(2) does.
A long time ago, I wrote now() to try to implement a monotonic clock
by
4a55e7428a4165b74af11d7f2416b1e80beabd93
Author: D. Hugh Redelmeier h...@mimosa.com
Date: Wed Apr 30 14:10:01 2014 -0400
Fix log_mark_time so it will actually do something.
Will like what it does?
| From: Paul Wouters p...@vault.libreswan.fi
| commit b7f0b35aadf214c0b50140ee7a9397c0c7b4f192
| Author: Paul Wouters pwout...@redhat.com
| Date: Wed Apr 30 12:39:03 2014 -0400
|
| pluto: Ensure time going backwards does not screw up queued events
now() is a tricky function. Maybe not
| From: D. Hugh Redelmeier h...@mimosa.com
| OID 89 is terminal but has no name
|
| I don't know what OID names are used for, but this is the only
| terminal that has no name. Odd.
|
| Should we look to see if StrongSwan has improved the table?
Yes, we should. OID 89's
Antony and I are having a debate.
Address pools are a range of IP addresses that can be doled out by a
host to clients. IPv4-only. Antony added this feature to Pluto.
Each conn can have an address pool. If two conns' address pools are
identical, they are shared (a single common pool).
If
| From: Paul Wouters p...@nohats.ca
| Why are the quotes needed when using : ?
: is really a command that does nothing, rather than a comment.
So redirection and variable expansion are done on the operands.
: >file
would actually create an empty file file.
: '>file'
would act
| From: Tuomo Soini t...@foobar.fi
| Use of objdir is still partial and make clean doesn't wipe objdir - it
| really should clean whole objdir directory structure. Problem is in
| make clean.
I don't understand this explanation. Make is supposed to work without
cleaning -- that's the whole
In find_host_connection2:
for (; c != NULL; c = c->hp_next) {
	DBG(DBG_CONTROLMORE,
	    DBG_log("found policy = %s (%s)",
bitnamesof(sa_policy_bit_names,
| From: Paul Wouters p...@nohats.ca
| These were added after a FIPS review. I am not saying you are wrong. But
| I am not ready to remove them yet either. There could be a bug that for
| instance would send some uninitialised space from one endpoint to
| another. I know normally this cannot
Why are modules built in /source/modobj, even though OBJDIR is set
differently? Are those from a kernel build that follows different
conventions?
If the modules are always in modobj, why does testing/guestbin/swan-build
do
rm -rf modobj*
instead of
rm -rf modobj
? (I'm always
| From: D. Hugh Redelmeier h...@mimosa.com
I ran make check last night. Wow: it mostly completed! I don't
think that anything passed -- the baseline scripts are not current.
Two tests failed because KLIPS could not load. Out of all those
tests. Seems random. But basic-pluto-01 was one
The script testing/guestbin/swan-install contains the following line:
make module_install 2>&1 >compile-log.txt
That is a bit odd. The first redirection probably does nothing in normal
cases. It redirects stderr to what stdout was before stdout is
redirected.
A clearer way to get this
I tried to merge smoother-nss into master and the result had several
unexpected compile-time warnings.
It turns out that master has those, even without my merging.
I don't think we should be checking in things that result in such
diagnostics.
Paul kindly set up a testing environment on a machine for me. Now I'm
trying to use it.
I updated my local tree and then ran swan-update as root on west.
The initial result doesn't look good to me. What am I doing wrong? Or is
it all fine?
I wonder:
- is it right to build this stuff as
GDB seems useless since there are no debugging symbols.
How can this be fixed?
Pluto still takes --foodgroupsdir. Why?
It is a synonym for --ipsecdir and --ipsec_dir.
Only --ipsecdir is documented. So that's the only one that should
remain.
It also looks as if these are all synonyms:
{ "noklips", no_argument, NULL, 'n' },
{ "use-nostack", no_argument,
In struct state:
#define st_skeyid st_skeyseed
chunk_t st_skeyseed;	/* Key material */
#define st_skeyid_d st_skey_d
chunk_t st_skey_d;	/* KM for non-ISAKMP key derivation */
#define st_skeyid_a st_skey_ai
chunk_t st_skey_ai;
I've made a whack of changes that SHOULD not break libreswan.
Tuomo? Paul? Can you do a bit of testing?
Thanks.
More to come!