Re: [Swan-dev] XFRMi routing problems with some special cases

2024-05-06 Thread Andrew Cagney via Swan-dev
> ok, thanks, I will create some tests for the problematic cases and hopefully > some fixes. I'll push it once I've got a full test result. Long term, should: +#ifdef USE_XFRM_INTERFACE +if (c->xfrmi != NULL && c->xfrmi->if_id != 0) +if (!add_xfrm_interface(c, c->logger)) +
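Review bot: the two nested unbraced ifs, `+if (c->xfrmi != NULL && c->xfrmi->if_id != 0)` followed by `+if (!add_xfrm_interface(c, c->logger))`, are fragile (any later `else` binds to the inner if, and the outer body grows silently); fold them into one condition, `if (c->xfrmi != NULL && c->xfrmi->if_id != 0 && !add_xfrm_interface(c, c->logger))`, or brace the outer body. The failure branch is cut off in this excerpt, so confirm that a failed add_xfrm_interface() is logged and stops the connection from being routed rather than falling through.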

Re: [Swan-dev] XFRMi routing problems with some special cases

2024-05-02 Thread Andrew Cagney via Swan-dev
On Thu, 2 May 2024 at 05:02, Wolfgang Nothdurft via Swan-dev wrote: > > Hi, > > I am currently trying to sort out a few cases where routes and rules are > not handled correctly. Some internals (i.e., in theory, I'm just including this for completeness) Part of 5.0+'s overhaul was routing.[hc]

Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/main

2024-04-20 Thread Andrew Cagney via Swan-dev
On Sat, 20 Apr 2024 at 19:40, Paul Wouters via Swan-dev wrote: > > On Sat, 20 Apr 2024, Andrew Cagney via Swan-commit wrote: > > >libipsecconf: rename internal enum AUTOSTART_ONDEMAND -> AUTOSTART_ROUTE > > This is wrong. The libipsecconf names match the _keywords_

Re: [Swan-dev] Bug libreswan-5.0rc2

2024-03-20 Thread Andrew Cagney via Swan-dev
On Wed, 20 Mar 2024 at 06:42, Armen Dilanyan wrote: > > The "discarding" and "dropping" log lines? These aren't really > errors, or were you not seeing them before? > > > Previously, when RemoteAccess_user1 connected, the event logs showed the ID > of RemoteAccess_user1 > > Feb 05 15:02:15

Re: [Swan-dev] Bug libreswan-5.0rc2

2024-03-19 Thread Andrew Cagney via Swan-dev
On Sat, 16 Mar 2024 at 05:03, Armen Dilanyan wrote: > > Hi all. > Hi Andrew. > Yes, you are right, I did not enable debugging. I use one IP address in the > pool, since users must have a static IP address. Configurations are below in > the letter. The debug logs should be gone in mainline. >

Re: [Swan-dev] Bug libreswan-5.0rc2

2024-03-15 Thread Andrew Cagney via Swan-dev
See https://github.com/libreswan/libreswan/issues/1653 On Fri, 15 Mar 2024 at 11:27, Andrew Cagney wrote: > > I assume you don't have debugging enabled (ya). > It looks like liveness messages which aren't normally logged. Please > file a bug and thanks for pointing this out. >

Re: [Swan-dev] Bug libreswan-5.0rc2

2024-03-15 Thread Andrew Cagney via Swan-dev
I assume you don't have debugging enabled (ya). It looks like liveness messages which aren't normally logged. Please file a bug and thanks for pointing this out. On Fri, 15 Mar 2024 at 05:48, Armen Dilanyan via Swan-dev wrote: > > Hi all. > I have Debian 12.5 operating system installed. > I

Re: [Swan-dev] state numbers in enduser output?

2024-03-05 Thread Andrew Cagney via Swan-dev
On Tue, 5 Mar 2024 at 10:23, Paul Wouters via Swan-dev wrote: > > On Tue, 5 Mar 2024, Andrew Cagney via Swan-commit wrote: > > > Date: Mon Mar 4 20:15:11 2024 -0500 > > > >ikev2: drop and NOT sending notify > > > >it's redundant and confusi

Re: [Swan-dev] What does "missing v2CP reply" mean?

2024-02-27 Thread Andrew Cagney via Swan-dev
On Tue, 27 Feb 2024 at 05:10, Brady Johnson wrote: > > We tried several changes to the client nmstate configuration. Setting "ipv4: > dhcp: false" caused a configuration error in nmstate. We have created a bug > for that and the nmstate team is working on it. I didn't see it here

Re: [Swan-dev] What does "missing v2CP reply" mean?

2024-02-22 Thread Andrew Cagney via Swan-dev
On Fri, 16 Feb 2024 at 10:18, Tuomo Soini via Swan-dev wrote: > > On Fri, 16 Feb 2024 16:12:20 +0100 > Brady Johnson via Swan-dev wrote: > > > I included the configuration in the original email, and it did not > > include "narrowing", nor "leftmodecfgclient". I'll check if either of > > those

Re: [Swan-dev] NAT and intermediate exchange

2024-02-22 Thread Andrew Cagney via Swan-dev
On Thu, 22 Feb 2024 at 13:43, Paul Wouters via Swan-dev wrote: > > On Thu, 22 Feb 2024, Andrew Cagney via Swan-commit wrote: > > > New commits: > > commit 8f2151aab6084561bdeb8c49206ee238b508eecc > > Author: Andrew Cagney > > Date: Thu Feb 22 10:58:13 2024

Re: [Swan-dev] labeled TS don't search for a connection ?

2024-02-20 Thread Andrew Cagney via Swan-dev
On Tue, 20 Feb 2024 at 21:16, Paul Wouters via Swan-dev wrote: > > > I see this commit: > > commit f198add4b08640d1b67aef19168998070b65b725 > Author: Andrew Cagney > Date: Tue Feb 20 20:25:33 2024 -0500 > > ikev2: when responding to labeled TS don't search for

Re: [Swan-dev] What does "missing v2CP reply" mean?

2024-02-15 Thread Andrew Cagney via Swan-dev
> Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: processing > decrypted IKE_AUTH request: SK{IDi,CERT,AUTH,CP,SA,TSi,TSr} notice how the client sent a CP payload in the request (CP_REQUEST to be exact). but > #2: missing v2CP reply, not attempting to setup child SA > #1: IKE

Re: [Swan-dev] On re-applying "pluto: warn if loaded connection ended up unoriented" et.al.

2024-01-23 Thread Andrew Cagney
On Tue, 23 Jan 2024 at 10:44, Paul Wouters wrote: > > On Mon, 22 Jan 2024, Andrew Cagney wrote: > > >> Also, please use separate commits for code and test cases in the future. > > > > Except this wasn't my mess. > > > > I was dealing with a commit that, o

Re: [Swan-dev] On re-applying "pluto: warn if loaded connection ended up unoriented" et.al.

2024-01-22 Thread Andrew Cagney
On Mon, 22 Jan 2024 at 19:40, Paul Wouters wrote: > > On Mon, 22 Jan 2024, Andrew Cagney wrote: > > > commit b575e15e80bcf0924bc96e3e7420092becedc42a > > Author: Andrew Cagney > > Date: Mon Jan 22 13:32:01 2024 -0500 > > > >Reapply "pluto: w

Re: [Swan-dev] On re-applying "pluto: warn if loaded connection ended up unoriented" et.al.

2024-01-22 Thread Andrew Cagney
On Mon, 22 Jan 2024 at 19:40, Paul Wouters wrote: > > On Mon, 22 Jan 2024, Andrew Cagney wrote: > > > commit b575e15e80bcf0924bc96e3e7420092becedc42a > > Author: Andrew Cagney > > Date: Mon Jan 22 13:32:01 2024 -0500 > > > >Reapply "pluto: w

[Swan-dev] testing: interop-ikev1-strongswan-11-ah-initiator-sha512 fixup

2024-01-22 Thread Andrew Cagney
commit e00873e8ad67b16e897cd0025ab3921efba3c857 Author: Paul Wouters Date: Fri Jan 19 12:32:30 2024 -0500 testing: interop-ikev1-strongswan-11-ah-initiator-sha512 fixup is missing a "sending packet" log line ? While unlikely - the kvm tests are expected to pass - it can't be ruled

Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/main

2024-01-18 Thread Andrew Cagney
On Thu, 18 Jan 2024 at 12:14, Paul Wouters wrote: > The RFC isn’t useless here. If we complied to the RFC, there would never be > an error based on it - one MUST accept tunnel mode. Actually, yes and no. I was reading: The USE_TRANSPORT_MODE notification MAY be included in a request

Re: [Swan-dev] pluto: tweak logging and ipsec traffic for HW offload

2024-01-18 Thread Andrew Cagney
On Wed, 17 Jan 2024 at 21:35, Paul Wouters wrote: > > On Wed, 17 Jan 2024, Andrew Cagney wrote: > > > Much better - keeping with one log line for establishing the child. BTW, > > {ESP/ESN... esp-hw-offload=packet ...} > > could be reduced further to: > >

Re: [Swan-dev] pluto: tweak logging and ipsec traffic for HW offload

2024-01-17 Thread Andrew Cagney
On Wed, 17 Jan 2024 at 19:52, Paul Wouters wrote: > > New commits: > commit ec028da78d9cbcfd004d009a02fc82ecbe7a5a14 > Author: Paul Wouters > Date: Wed Jan 17 19:42:43 2024 -0500 > > pluto: tweak logging and ipsec traffic for HW offload > > Don't log/whack: > > "test" #1: initiator

Re: [Swan-dev] Libreswan 5.0 RC1 IPv6 ULA not accepted

2024-01-14 Thread Andrew Cagney
On Sat, 13 Jan 2024 at 18:13, Bill Atwood wrote: > > ?? > > I do not understand your reply. Offhand, it looks like the connection should match: conn RITA6c left=fd51:20d9:5ad2:b::2 leftid="CN=Ritchie Certificate" leftrsasigkey=%cert leftcert=RIcert right=fd51:20d9:5ad2:b::1

Re: [Swan-dev] Libreswan 5.0 RC1 Suggested Documentation Fixes

2024-01-13 Thread Andrew Cagney
<> like every other Makefile out there. > Note 1: the INSTALL file in the same directory suggests "make all". INSTALL was gutted. > Note 2: this error was reported to swan-dev on 2023-09-13, and a > response was sent by Andrew Cagney to the list on 2023-12-19, reporting

Re: [Swan-dev] 5.0 RC1 connection not found

2024-01-13 Thread Andrew Cagney
> root@Ritchie:/etc/ipsec.d# cat RITA6C > conn RITA6c > left=fd51:20d9:5ad2:b::2 > leftid="CN=Ritchie Certificate" > leftrsasigkey=%cert > leftcert=RIcert > right=fd51:20d9:5ad2:b::1 > rightid="CN=Tarjan Certificate" > rightrsasigkey=%cert > auto=add rename RITA6C

Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/main

2024-01-10 Thread Andrew Cagney
> commit 29614eb87ae6e5dc2abd3e7bec9e981be8676399 > Author: Paul Wouters > Date: Tue Jan 9 21:36:46 2024 -0500 > > pluto: check various incompatible settings with nic-offload=packet|auto > > - Limit the replay-window size to what is supported in known HW. > (but what to do with

Re: [Swan-dev] Certificate based authentication failures with libreswan

2024-01-08 Thread Andrew Cagney
On Mon, 8 Jan 2024 at 15:56, Paul Wouters wrote: > > This likely depends on the crypto policies set. > And yes 1024 is probably no longer allowed. > > You can try: update-crypto-policies —set LEGACY Yes. Between 4.6 and 4.7, and as part of the digital signature work, some of the crypto code was

Re: [Swan-dev] building: do not abuse USE_IPTABLES or USE_NFTABLES

2023-12-27 Thread Andrew Cagney
> But I've removed the #ifdef around here and only have a single ifdef > at the only place in the code that sets has_client_address_translation, > and so the ifdef on this location is not needed. That is more robust. The less #ifdef-s the better. ___

Re: [Swan-dev] break down of 5.0 fixes v2

2023-12-26 Thread Andrew Cagney
> building: do not abuse USE_IPTABLES or USE_NFTABLES > building: add sanity check for USE_CAT and USE_NFLOG > building: fix logics in sanity check > building: when USE_NFLOG is disabled, disable it really > ... with more to come ... for instance, see attached: diff --git a/mk/config.mk

[Swan-dev] break down of 5.0 fixes v2

2023-12-26 Thread Andrew Cagney
We've started pushing more stuff into mainline, which for all Looking over the commits since: documentation: more README.md tweaks 7312fe13a454e81b167c83d85d1e6dab33777906 This group are straight forward doco updates: documentation: use @@IPSEC_CONFDDIR@@ and not @@IPSEC__CONFDDIR@@

Re: [Swan-dev] break down of 5.0's potential blockers

2023-12-26 Thread Andrew Cagney
On Tue, 19 Dec 2023 at 09:32, Bill Atwood wrote: > > Paul, Brady, > > On 12/18/2023 9:42 PM, Paul Wouters wrote: > > * 4a936b2aad - The XFRM address scope must be global (12 hours ago) > > > > While this constraint must be true for the current XFRM (it does not > understand that Link-Local

Re: [Swan-dev] building: do not abuse USE_IPTABLES or USE_NFTABLES

2023-12-26 Thread Andrew Cagney
On Sun, 24 Dec 2023 at 19:02, Andrew Cagney wrote: > > On Sun, 24 Dec 2023 at 16:55, Paul Wouters wrote: > > > > New commits: > > commit 52c5cecda7543c4910a075a68e684469bacbbbd7 > > Author: Paul Wouters > > Date: Sun Dec 24 16:51:45 2023 -0500 > >

[Swan-dev] building: do not abuse USE_IPTABLES or USE_NFTABLES

2023-12-24 Thread Andrew Cagney
On Sun, 24 Dec 2023 at 16:55, Paul Wouters wrote: > > New commits: > commit 52c5cecda7543c4910a075a68e684469bacbbbd7 > Author: Paul Wouters > Date: Sun Dec 24 16:51:45 2023 -0500 > > building: do not abuse USE_IPTABLES or USE_NFTABLES > > These defines were misused to see if we were

Re: [Swan-dev] Comments/Suggestions for Libreswan Documentation

2023-12-19 Thread Andrew Cagney
FYI, The documentation has been given a slight refresh, hopefully addressing the points you made below. As for debian and xml, if the problem is still there can you file a bug. Andrew On Wed, 13 Sept 2023 at 15:56, Bill Atwood wrote: > > Applicable to version 4.12 tarball > > In README.md > >

Re: [Swan-dev] break down of 5.0's potential blockers

2023-12-19 Thread Andrew Cagney
On Mon, 18 Dec 2023 at 21:42, Paul Wouters wrote: > > On Mon, 18 Dec 2023, Andrew Cagney wrote: > > >> Is there a reason why git head shouldn’t all go in? > > > > git head is at v5.0rc1 > > No? Tuomo and I cleared the backlog yesterday morning. Which w

Re: [Swan-dev] break down of 5.0's potential blockers

2023-12-18 Thread Andrew Cagney
On Sun, 17 Dec 2023 at 14:37, Paul Wouters wrote: > > Is there a reason why git head shouldn’t all go in? git head is at v5.0rc1 > Paul > > Sent using a virtual keyboard on a phone > > > On Dec 17, 2023, at 11:03, Andrew Cagney wrote: > > > > First the eas

[Swan-dev] break down of 5.0's potential blockers

2023-12-17 Thread Andrew Cagney
First the easy ones, I think these patches should go in: #1482 building openbsd: don't try to use SADB_X_SPDFLUSH #1483 building: fix typo in ok[] initializer #1464 The XFRM address scope must be global The next group fix packaging. They are low-risk in that they don't touch the code base so I

Re: [Swan-dev] What happened to "ipsec show" ?

2023-11-20 Thread Andrew Cagney
On Mon, 20 Nov 2023 at 05:14, Brady Johnson wrote: > > Andrew pointed out a use case that is not covered yet, which is "transport > mode when host==client". This is caused by the following check in the > jam_end_client() function: > > if (selector_eq_address(this->client, this->host->addr)) { >

Re: [Swan-dev] Heads up; fedora test guest domain switching to f38

2023-11-03 Thread Andrew Cagney
On Fri, 3 Nov 2023 at 10:19, Andrew Cagney wrote: > > Once pushed, you'll want to run: >./kvm demolish >./kvm install extra scary; testing didn't need kicking: https://testing.libreswan.org/v4.9-3076-gcb1b39e584-main/kvm-transmogrif

[Swan-dev] Heads up; fedora test guest domain switching to f38

2023-11-03 Thread Andrew Cagney
Once pushed, you'll want to run: ./kvm demolish ./kvm install ___ Swan-dev mailing list Swan-dev@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan-dev

Re: [Swan-dev] What happened to "ipsec show" ?

2023-10-25 Thread Andrew Cagney
> How about I add "whack --briefconnectionstatus", which would be wrapped by > "ipsec briefconnectionstatus"? This would show (at least) what you listed > above. It would somehow display both: host<->host kernel state selector<->selector kernel policy ? I suspect more useful than the

Re: [Swan-dev] What happened to "ipsec show" ?

2023-10-24 Thread Andrew Cagney
and found this commit: > > commit a4d3d235e89739691b4d4acfe6eff280dcbcc763 > Author: Andrew Cagney > Date: Fri Aug 12 15:42:50 2022 -0400 > > > ipsec: make <> linux only > > I looked at the code changes in that git commit, and saw that the "ipsec > show" and ot

Re: [Swan-dev] testing machinery tries to download Fedora 36 ISO but it has moved

2023-10-24 Thread Andrew Cagney
On Tue, 24 Oct 2023 at 02:51, D. Hugh Redelmeier wrote: > > Since Fedora no longer supports it, it has moved to their archive > > The new URL > grep FEDORA_ISO_URL

Re: [Swan-dev] cfg being a template ?

2023-05-18 Thread Andrew Cagney
On Wed, 17 May 2023 at 20:49, Paul Wouters wrote: > > > > commit 6fa13e8890f7ae363c3779846d45fe007c41fc96 > > Author: Andrew Cagney > > Date: Wed May 17 18:33:03 2023 -0400 > > > >connections: assume anything with modecfg{client,server} is a template

Re: [Swan-dev] Fedora 38 breaks egrep and fgrep

2023-04-22 Thread Andrew Cagney
> Grrr. double grr with grr's on the side

Re: [Swan-dev] adding a test domain

2023-04-10 Thread Andrew Cagney
On Mon, 10 Apr 2023 at 10:58, Paul Wouters wrote: > > On Mon, 10 Apr 2023, Andrew Cagney wrote: > > > I'm not sure what to do about floating domains, although road seems > > strangely hardwired :-) > > It is from a dhcp point of view, but from a configuration poi

Re: [Swan-dev] adding a test domain

2023-04-10 Thread Andrew Cagney
ld be namespace instead of > kvm. I use such setup manually. > > If and when we tidy up the network diagrams I propose the following too: > addresspools should use a separate range on each host. Such as east pool > 192.0.8.0/24 west pool 192.0.9.0/24 and special cases you can confi

[Swan-dev] heads up, VMs need an upgrade / rebuild

2023-03-23 Thread Andrew Cagney
New kernel with new output. See https://github.com/libreswan/libreswan/issues/1049

Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/main

2023-03-20 Thread Andrew Cagney
On Mon, 20 Mar 2023 at 21:41, Paul Wouters wrote: > > > On Mar 21, 2023, at 09:33, Andrew Cagney wrote: > > > > New commits: > > commit 98ebb28b89895d14aac2a4dab71edc54f4277220 > > Author: Andrew Cagney > > Date: Mon Mar 20 18:19:40 2023 -0400 >

Re: [Swan-dev] Cat and CP, was Re: [Swan-commit] Changes to ref refs/heads/main

2023-03-08 Thread Andrew Cagney
On Wed, 8 Mar 2023 at 18:15, Paul Wouters wrote: > > > > > On Mar 8, 2023, at 16:13, Andrew Cagney wrote: > > > > New commits: > > commit 1f762e584d49aa76e2563ee6aa590c9af0dcc913 > > Author: Andrew Cagney > > Date: Wed Mar 8 16:12:18 2023 -0500

Re: [Swan-dev] ref-counting xfrmi interfaces

2023-03-06 Thread Andrew Cagney
> > struct pluto_ips { > > ip_address ip; > > Is there a prefix length in struct ip_address? I didn't see one in a > quick look! I think pluto has one with prefix length. I imagine use case > 10.0.0.1/24 and 10.0.0.1/16 on the same xfrmi from two different > connections. that's ip_cidr.

[Swan-dev] heads up test KVM OS updates

2022-12-30 Thread Andrew Cagney
FYI the guest OSs were updated: - Fedora 35 -> 37 -> 36 seems that testing can't handle Fedora 38's install DVD so it was reverted to 36 https://github.com/libreswan/libreswan/issues/963 - NetBSD 10 beta In addition to updating output I flipped two tests to WIP and filed bugs:

Re: [Swan-dev] I think that Coverity found a bug in ECDSA_ipseckey_rdata_to_pubkey_content

2022-12-21 Thread Andrew Cagney
On Wed, 21 Dec 2022 at 03:14, D. Hugh Redelmeier wrote: > > The pointer variable "group" is initialized to NULL. > > group can then be set in the FOR_EACH_ELEMENT loop. > Whenever it is set, the loop terminates. > So the code in the loop that dereferences group must fail. > > if

Re: [Swan-dev] puzzled by TS code Coverity flagged

2022-12-21 Thread Andrew Cagney
On Wed, 21 Dec 2022 at 03:26, D. Hugh Redelmeier wrote: > > Coverity flags an uninitialized scalar value in ikev2_ts.c. > > The scalar in question is verify_rekey_child_request_ts()'s "best". > > Part of best seems to be initialized by calls to fit_tsp_to_end > but only some paths through the

[Swan-dev] heads up; Libreswan's build system dropped $(FINAL...) variables for install destination

2022-11-02 Thread Andrew Cagney
If you're into packaging libreswan for a distro can I encourage you to try a package run with mainline and let us know how it goes. Libreswan has dropped make variables such as FINALSBINDIR and is instead using the more common convention of $(DESTDIR)$(SBINDIR). The full list to play with is in

Re: [Swan-dev] heads up, the great spd scramble

2022-10-30 Thread Andrew Cagney
> > - spd.this -> spd.local + spd.that -> spd.remote > > because this and that get used to refer to either end Here's something concrete: case ENCAP_DIRECTION_INBOUND: src = >remote; dst = >local; > The idea of this/that was that it was not always already

[Swan-dev] heads up, the great spd scramble

2022-10-28 Thread Andrew Cagney
I'm about to change "spd" in struct connection to a pointer; that is from: struct spd_route spd; to: struct spd_route *spd; My motivation is to make the code generating a list of SPDs from subnets simpler (I'm guessing the first spd was embedded in the connection as a memory optimization).

[Swan-dev] are OE connections clients, servers, neither, or both

2022-10-24 Thread Andrew Cagney
Consider east which has this OE configuration in newoe-25-cat-1: conn oe-base-server type=tunnel left=%defaultroute authby=null leftid=%null rightid=%null right=%opportunisticgroup leftaddresspool=10.0.10.1-10.0.10.200 leftmodecfgclient=yes narrowing=yes

Re: [Swan-dev] LTO (link time optimization) enabled on Linux

2022-09-03 Thread Andrew Cagney
On Fri, 2 Sept 2022 at 14:14, Paul Wouters wrote: > > On Fri, 2 Sep 2022, Andrew Cagney wrote: > > > Subject: [Swan-dev] LTO (link time optimization) enabled on Linux > > > > discuss :-) > > If it now seems to work, lets do it. It's

[Swan-dev] LTO (link time optimization) enabled on Linux

2022-09-02 Thread Andrew Cagney
discuss :-)

Re: [Swan-dev] memory: in clone_bytes() don't call memcpy(,,0)

2022-09-01 Thread Andrew Cagney
On Thu, 1 Sept 2022 at 18:51, D. Hugh Redelmeier wrote: > > | From: Andrew Cagney > | > | New commits: > | commit ba30451878021e304e510cfc3adc1493bd41a31d > | Author: Andrew Cagney > | Date: Thu Sep 1 14:24:46 2022 -0400 > | > | memory: in clone_by

Re: [Swan-dev] large numbers in libreswan conf files

2022-08-31 Thread Andrew Cagney
On Tue, 30 Aug 2022 at 22:31, D. Hugh Redelmeier wrote: > > All numbers in conf files are whole numbers (that's all the parser > will accept). Let's say all byte counts. (I've a long standing wish list item for accepting things like timeout=0.5s which would mean a separate parser) > > How large

[Swan-dev] adding a test domain

2022-07-25 Thread Andrew Cagney
I'd like to add a domain to the test framework. The motivation is to allow end-to-end testing of scenarios where non IPsec domains route their traffic through IPsec gateways. For instance: {ROAD,TRAIN} - NORTH = NIC - {EAST,WEST} where NORTH and NIC would be running libreswan, while ROAD,

[Swan-dev] Testing using a Linux Mint host

2022-07-25 Thread Andrew Cagney
For what it's worth, I've got the linux side of the KVM testsuite to run using linux mint 20.3 as the host. See https://libreswan.org/wiki/Test_Suite_-_KVM The motivator is https://bugzilla.redhat.com/show_bug.cgi?id=2075736 - linux mint (debian) has the old libvirt so isn't yet suffering from

[Swan-dev] ipsec showhostkey --pem --ckaid .... (RSA)

2022-07-03 Thread Andrew Cagney
This should print the raw public RSA key in PEM format suitable for consumption by OpenSSL; so I'm looking for testers. Tests were updated, see ipsec-hostkey*/: - one test is feeding the output into openssl pkey to see if it barfs - another test generates hostkeys on east/west and then uses them

Re: [Swan-dev] adding nft support

2022-06-16 Thread Andrew Cagney
On Thu, 16 Jun 2022 at 12:12, Paul Wouters wrote: > > > > > On Jun 16, 2022, at 11:56, Antony Antony wrote: > > > > I made iptables optional now. this will allow > > Thanks! > > > do we need iptables in "ipsec look" To me it seems a remnant from KLIPS > > mast? > > I think the entire command

Re: [Swan-dev] test suite needs some NSS something

2022-06-07 Thread Andrew Cagney
On Mon, 6 Jun 2022 at 23:06, D. Hugh Redelmeier wrote: > > I just ran the test suite for the first time in a few months. Just to be > safe, I started with "make kvm-demolish". > > At the end of the (apparently complete) run, I got this new message: > > make[1]: Entering directory

[Swan-dev] heads up, ./kvm demolish

2022-05-20 Thread Andrew Cagney
changing how /source is added can mean a rebuild of the domains is required (specifically, re-running transmogrify)

[Swan-dev] heads up VM rebuild needed

2022-04-13 Thread Andrew Cagney
FYI, The fedora test VMs need a rebuild to add the new package sshpass. Suggest: ./kvm downgrade install ... (it's a new package so upgrade won't add it, grrr). Some reason a packaging change splitting SSH in two was backported to about-to-die Fedora releases.

Re: [Swan-dev] Ipcomp and get_sa_info()

2022-03-25 Thread Andrew Cagney
On Fri, 25 Mar 2022 at 16:44, Paul Wouters wrote: > > Are we sure the code was not wrong ? > > Some tests with ipcomp used ping which didn’t compress enough and would > actually go out over the non-ipcomp transform. Hence tests sending really large pings. > I believe our code was wrong but I

Re: [Swan-dev] Parser commitment

2022-03-21 Thread Andrew Cagney
On Mon, 21 Mar 2022 at 10:40, Paul Wouters wrote: > > > > > On Mar 21, 2022, at 13:46, Andrew Cagney wrote: > > > > CHANGES: config: end keywords with no left/right prefix are applied to both > > ends > > I am not ready to commit us to this. We als

Re: [Swan-dev] Thanks for state cleanups, one Q, was Fwd: [Swan-commit] Changes to ref refs/heads/main

2022-03-13 Thread Andrew Cagney
On Sun, 13 Mar 2022 at 09:25, Andrew Cagney wrote: > > On Sun, 13 Mar 2022 at 08:42, Paul Wouters wrote: > > > > Begin forwarded message: > > > > > commit f20a3dba83b77dc615057cac1ec7f498987f7963 > > > Author: Andrew Cagney > > > Date: Sat Ma

Re: [Swan-dev] Thanks for state cleanups, one Q, was Fwd: [Swan-commit] Changes to ref refs/heads/main

2022-03-13 Thread Andrew Cagney
On Sun, 13 Mar 2022 at 08:42, Paul Wouters wrote: > > Begin forwarded message: > > > commit f20a3dba83b77dc615057cac1ec7f498987f7963 > > Author: Andrew Cagney > > Date: Sat Mar 12 14:34:38 2022 -0500 > > > >ikev2: when responding to bad IKE_SA_INIT,

Re: [Swan-dev] nss-cert-crl-03 failure

2022-02-06 Thread Andrew Cagney
On Sun, 6 Feb 2022 at 20:06, Paul Wouters wrote: > > On Sun, 6 Feb 2022, Andrew Cagney wrote: > > >> During my run last night, nss-cert-crl-03 failed. I don't think that it > >> is due to the changes that I'm testing. > > > > I don't see it locally but I

Re: [Swan-dev] Strongswan tests failing

2022-02-06 Thread Andrew Cagney
On Sun, 6 Feb 2022 at 10:33, D. Hugh Redelmeier wrote: > > Yesterday I did a run of the test suite, starting with "make > kvm-demolish". > > About 88 tests involving Strongswan failed. Is there a step that I've > skipped? > > Typical of the failures that I checked: > > --- >

Re: [Swan-dev] nss-cert-crl-03 failure

2022-02-06 Thread Andrew Cagney
On Sun, 6 Feb 2022 at 10:30, D. Hugh Redelmeier wrote: > > During my run last night, nss-cert-crl-03 failed. I don't think that it > is due to the changes that I'm testing. I don't see it locally but I do see it on testing. If you're seeing it consistently then perhaps you can figure out what

[Swan-dev] pluto: ikev2_create_child_sa.c: avoid NULL dereferences

2022-02-05 Thread Andrew Cagney
Nice cleanup. The back story here is 6341e0d0257f26a7883bc5d1abff50ac362c625b and e7567d0906e7a17a068cbd8851d4d07912cdca7b which changed things so that the responder's IKE SA (and not the child) process these requests (any comments about losing parent have become nonsensical). On Sat, 5 Feb 2022

Re: [Swan-dev] Unbound stuff

2022-01-26 Thread Andrew Cagney
It's (still) used by FreeBSD On Tue, 25 Jan 2022 at 15:06, Paul Wouters wrote: > > > On Jan 25, 2022, at 15:01, Andrew Cagney wrote: > > > > New commits: > > commit 37dfc06797b870f6e5bf863d149fe2bb39831b80 > > Author: Andrew Cagney > >

[Swan-dev] kvm: fix syntax error in calculation

2022-01-24 Thread Andrew Cagney
FYI, args[$i]="${arg}" ; i=$((i + 1)) is POSIX's Arithmetic Expansion. Most shells even support: args[$((i++))]="${arg}" however POSIX states that it is an extension. On Mon, 24 Jan 2022 at 02:37, Tuomo Soini wrote: > > New commits: > commit 1e6d758a878947d0ccf5ac072200d875e9616464 >

[Swan-dev] refine_host_connection*()

2022-01-02 Thread Andrew Cagney
FYI, I've updated/merged/cleaned out these code paths: - only main mode responder and IKE_AUTH responder call refine_host_connection*() no other code path can change the connection during AUTH (not to be confused with TS) - all code paths use update_peer_id() to select the peer; if you've

Re: [Swan-dev] questions about find_next_v2_host_connection

2021-12-22 Thread Andrew Cagney
On Sun, 19 Dec 2021 at 21:42, Andrew Cagney wrote: > > > > > > > > > > if (peer_id != NULL && !same_id(peer_id, >spd.that.id) && > > > (c->spd.that.id.kind != ID_FROMCERT && !id_is_any(>spd.that.id)))

Re: [Swan-dev] questions about find_next_v2_host_connection

2021-12-19 Thread Andrew Cagney
> > > > > > if (peer_id != NULL && !same_id(peer_id, >spd.that.id) && > > (c->spd.that.id.kind != ID_FROMCERT && !id_is_any(>spd.that.id))) { > > continue; /* incompatible ID */ > > } More coffee. I think this and the peer_id parameter should be deleted. -

Re: [Swan-dev] questions about find_next_v2_host_connection

2021-12-19 Thread Andrew Cagney
On Sun, 19 Dec 2021 at 17:54, D. Hugh Redelmeier wrote: > > Why does this deal with V1? > > Its name includes "v2", so that suggests that it does not. > > It has a local variable "ike_version" which is immutably IKEv2. > > And yet it has a comment that includes the line > > * (2) kind of

Re: [Swan-dev] heads up tests switching to f35 from f32; build->fedora-build

2021-12-14 Thread Andrew Cagney
On Tue, 14 Dec 2021 at 12:51, D. Hugh Redelmeier wrote: > > | From: Andrew Cagney > > Great! > > Trying it out now. > > | You'll want to rebuild the domains from scratch and wipe your > | $(KVM_POOLDIR), probably: > | ./kvm demolish > > Is that different f

Re: [Swan-dev] heads up tests switching to f35 from f32; build->fedora-build

2021-12-10 Thread Andrew Cagney
Nov 2021 at 21:25, Andrew Cagney wrote: > > It's down to 6 fails (slightly more if I include some tests that have things > to fix such as seccomm). > as well as switching east, west, to f35, there's been some re-org of how > domains are built: > > - Fedora, NetBSD, and OpenBS

Re: [Swan-dev] testing/programs/enumcheck/OUTPUT.enumcheck.txt

2021-12-06 Thread Andrew Cagney
On Mon, 6 Dec 2021 at 14:17, D. Hugh Redelmeier wrote: > > This file doesn't seem to match the output of the enumcheck program. > Is it supposed to? Yes, it's matching here: https://testing.libreswan.org/v4.5-663-g126deedda1-main/check-01/OUTPUT/west.console.txt but I wonder if the KVM and

Re: [Swan-dev] WIP: supporting xfrm SA expire

2021-12-01 Thread Andrew Cagney
On Wed, 1 Dec 2021 at 14:49, Antony Antony wrote: > On Sat, Nov 27, 2021 at 07:23:00PM -0500, Andrew Cagney wrote: > > > > > > One thing decide as group is how to represent big number (2^64) > bytes > > and > > packets, especially the

[Swan-dev] heads up tests switching to f35 from f32; build->fedora-build

2021-11-30 Thread Andrew Cagney
It's down to 6 fails (slightly more if I include some tests that have things to fix such as seccomm). as well as switching east, west, to f35, there's been some re-org of how domains are built: - Fedora, NetBSD, and OpenBSD use the same make rules when being built the consequence is that

Re: [Swan-dev] WIP: supporting xfrm SA expire

2021-11-27 Thread Andrew Cagney
> > >> >> One thing decide as group is how to represent big number (2^64) bytes and >> packets, especially the default 2^64 will appear in "ipsec status: >> output. >> 18446744073709551615 look ugly:) > > > There's readable_humber() but that would need work. > Conversely is there something to
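The byte-count handling that Hugh's "large numbers in libreswan conf files" thread and the 2^64 question in the SA-expire thread above circle around, as an added example in C that is not libreswan's own code. parse_byte_count(), human_bytes() and the check helpers are hypothetical names; the example assumes conf-file numbers are plain decimal whole numbers (no sign, fraction or suffix) and that 18446744073709551615 (2^64-1, UINT64_MAX) is the largest value a 64-bit counter can hold, so anything at or above 2^64 is rejected rather than wrapped.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Parse a whole-number byte count as it would appear in a conf file
 * (digits only: no sign, no fraction, no suffix) into a uint64_t.
 * Overflow, empty input and trailing junk are rejected instead of
 * being silently wrapped or truncated.  Hypothetical helper, not
 * libreswan's parser.
 */
bool parse_byte_count(const char *s, uint64_t *out)
{
    if (s == NULL || !isdigit((unsigned char)s[0]))
        return false;               /* rejects "", "-1", "+5", " 7" */
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE)
        return false;               /* 2^64 and above */
    if (*end != '\0')
        return false;               /* "0.5", "12abc", "1k" */
    *out = (uint64_t)v;
    return true;
}

/* Render n with binary units and one decimal, e.g. 1536 -> "1.5 KiB". */
const char *human_bytes(uint64_t n, char *buf, size_t len)
{
    static const char *const units[] = {"B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"};
    unsigned u = 0;
    uint64_t whole = n, rem = 0;
    while (whole >= 1024 && u < 6) {
        rem = whole % 1024;         /* remainder at the level we just left */
        whole /= 1024;
        u++;
    }
    if (u == 0)
        snprintf(buf, len, "%llu B", (unsigned long long)n);
    else
        snprintf(buf, len, "%llu.%llu %s", (unsigned long long)whole,
                 (unsigned long long)(rem * 10 / 1024), units[u]);
    return buf;
}

/* Check helpers so the results can be asserted on directly. */
bool parse_ok(const char *s, uint64_t expect)
{
    uint64_t v = 0;
    return parse_byte_count(s, &v) && v == expect;
}

bool parse_rejected(const char *s)
{
    uint64_t v = 0;
    return !parse_byte_count(s, &v);
}

bool renders_as(uint64_t n, const char *expect)
{
    char buf[32];
    return strcmp(human_bytes(n, buf, sizeof buf), expect) == 0;
}

int main(void)
{
    /* Constructed inputs: the uint64 maximum, one past it, and some junk. */
    const char *inputs[] = {"18446744073709551615", "18446744073709551616",
                            "1536", "0.5", "-1", "12abc"};
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint64_t v;
        char buf[32];
        if (parse_byte_count(inputs[i], &v))
            printf("%-22s -> %llu (%s)\n", inputs[i],
                   (unsigned long long)v, human_bytes(v, buf, sizeof buf));
        else
            printf("%-22s -> rejected\n", inputs[i]);
    }
    return 0;
}
```

The overflow check relies on strtoull() setting errno to ERANGE, which is why errno is cleared first; the isdigit() guard is there because strtoull() itself would happily accept leading whitespace and a sign, and "-1" would otherwise parse as a very large count.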

Re: [Swan-dev] WIP: supporting xfrm SA expire

2021-11-27 Thread Andrew Cagney
On Sat, 27 Nov 2021 at 14:04, Antony Antony wrote: > Hi, > I rebased this branch and improved expire handling. > > #sa-expire or #sa-expire-20211127 > https://github.com/antonyantony/libreswan/tree/sa-expire > > I renamed keywords to salifebytes= salifepackets= > > added few basic checks to

[Swan-dev] And then there were three (heads up KVM changes coming)

2021-11-25 Thread Andrew Cagney
FYI, I just pushed changes so that: make kvm-netbsd creates an i386 NetBSD domain (credit to Ravi Teja for figuring out the approach). With a bit of guess work and https://libreswan.org/wiki/Building_and_installing_from_source#NetBSD_9 it can be used to build Libreswan. The next step is to

[Swan-dev] Heads up KVM tweaks

2021-10-29 Thread Andrew Cagney
FYI, I made the below tweaks to how KVMs are built. It also should automatically update (...), and building should be faster overall. If you're not already setting KVM_WORKERS in Makefile.inc.local, there's now another incentive - the heuristic is #cores/2. Andrew kvm: use KVM_WORKERS as

[Swan-dev] pluto: follow up on 8d9c30bfd93e3e7d (pluto: Ensure PLUTO_PEER_CLIENT= has netmask included)

2021-10-28 Thread Andrew Cagney
This got me curious, why would PLUTO_PEER_CLIENT need to be set to the host and not client address. Adding a pexpect turned this up: ikev1-l2tp-02 EXPECTATION FAILED: selector=192.1.3.33/32:UDP/1701 == address=192.1.2.254 (jam_common_shell_out() +467 programs/pluto/kernel.c)
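The selector-versus-address check that the "What happened to ipsec show" thread quotes from jam_end_client() and the failed expectation above both turn on the same question: when is a traffic selector exactly the host? The following is an added example in C, not libreswan's ip_selector or ip_address code: the IPv4-only types, parse_selector(), selector_eq_address(), selector_contains_address() and the string-taking wrappers are all hypothetical, and the selector syntax assumed is the "A.B.C.D/LEN[:PROTO/PORT]" form seen in the pexpect log line.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, IPv4-only types kept in host byte order. */
typedef struct { uint32_t addr; } ip_address_t;

typedef struct {
    uint32_t addr;      /* network address */
    unsigned prefix;    /* 0..32 */
    unsigned proto;     /* IP protocol number, 0 = any */
    unsigned port;      /* 0 = any */
} ip_selector_t;

static bool parse_address(const char *s, ip_address_t *a)
{
    struct in_addr in;
    if (inet_pton(AF_INET, s, &in) != 1)
        return false;
    a->addr = ntohl(in.s_addr);
    return true;
}

/* Accepts "A.B.C.D/LEN" or "A.B.C.D/LEN:PROTO/PORT" (PROTO is UDP or TCP). */
static bool parse_selector(const char *s, ip_selector_t *sel)
{
    char addr[16] = "", proto[8] = "";
    unsigned prefix = 0, port = 0;
    int n = sscanf(s, "%15[^/]/%u:%7[^/]/%u", addr, &prefix, proto, &port);
    if (n != 2 && n != 4)
        return false;
    ip_address_t a;
    if (!parse_address(addr, &a) || prefix > 32 || port > 65535)
        return false;
    sel->addr = a.addr;
    sel->prefix = prefix;
    sel->proto = 0;
    sel->port = 0;
    if (n == 4) {
        if (strcmp(proto, "UDP") == 0) sel->proto = 17;
        else if (strcmp(proto, "TCP") == 0) sel->proto = 6;
        else return false;
        sel->port = port;
    }
    return true;
}

static uint32_t prefix_mask(unsigned prefix)
{
    return prefix == 0 ? 0 : ~UINT32_C(0) << (32 - prefix);
}

/* True when the address lies inside the selector's subnet; proto/port ignored. */
bool selector_contains_address(const ip_selector_t *sel, const ip_address_t *a)
{
    uint32_t m = prefix_mask(sel->prefix);
    return (sel->addr & m) == (a->addr & m);
}

/*
 * True only when the selector is exactly this one host: a /32 with no
 * protocol and no port.  A selector carrying UDP/1701 still contains the
 * host address but is not equal to it, which is what the pexpect caught.
 */
bool selector_eq_address(const ip_selector_t *sel, const ip_address_t *a)
{
    return sel->prefix == 32 && sel->proto == 0 && sel->port == 0 &&
           sel->addr == a->addr;
}

/* String-taking wrappers so checks read like the log line. */
bool sel_eq(const char *selector, const char *address)
{
    ip_selector_t s; ip_address_t a;
    return parse_selector(selector, &s) && parse_address(address, &a) &&
           selector_eq_address(&s, &a);
}

bool sel_contains(const char *selector, const char *address)
{
    ip_selector_t s; ip_address_t a;
    return parse_selector(selector, &s) && parse_address(address, &a) &&
           selector_contains_address(&s, &a);
}

int sel_proto(const char *selector)
{
    ip_selector_t s;
    return parse_selector(selector, &s) ? (int)s.proto : -1;
}

int main(void)
{
    /* The failed expectation from ikev1-l2tp-02, reconstructed as input. */
    printf("selector=192.1.3.33/32:UDP/1701 == address=192.1.2.254: %s\n",
           sel_eq("192.1.3.33/32:UDP/1701", "192.1.2.254") ? "yes" : "no");
    printf("same selector == its own host 192.1.3.33: %s\n",
           sel_eq("192.1.3.33/32:UDP/1701", "192.1.3.33") ? "yes" : "no");
    printf("192.1.3.33/32 == 192.1.3.33 (transport, host==client): %s\n",
           sel_eq("192.1.3.33/32", "192.1.3.33") ? "yes" : "no");
    return 0;
}
```

The point of keeping selector_contains_address() next to selector_eq_address() is that the two answer different questions: an L2TP selector with UDP/1701 contains its host, so a "does the client cover the host" test passes, while the host==client test that jam_end_client() wants must also require an empty protocol and port.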

[Swan-dev] one test failure / regression

2021-10-22 Thread Andrew Cagney
Assuming the winds all blow in your favour, a test run could have just one good test fail: ikev2-replay-window - its a regression, see bug 529 However, a far more likely scenario is that there'll be a few party poopers in the results. For instance, in this run:

Re: [Swan-dev] Test Suite: speed effects of hardware differences

2021-10-22 Thread Andrew Cagney
apped around pretty much everything. On Thu, 1 Jul 2021 at 14:22, Andrew Cagney wrote: > > Another might be to try building from /tmp - there's a significant amount of > data being written? vs debug.log > > On Thu, 1 Jul 2021 at 14:18, Andrew Cagney wrote: >> >> Set KVM_L

[Swan-dev] test script limitation

2021-10-13 Thread Andrew Cagney
(I'm referring to the *.sh scripts within a test) Traditional test directories, such as dpd-02, contain the script files: $ ls *.sh eastinit.sh final.sh westinit.sh westrun.sh so that more complicated sequences could be built, this was extended to allow arbitrary names with a lexicographic

[Swan-dev] testing using ./kvm (was make kvm-...)

2021-10-05 Thread Andrew Cagney
I've overhauled: https://libreswan.org/wiki/Test_Suite_-_KVM which describes how to drive the testsuite using KVM. Several things of note: - the examples use <<./kvm ...>> instead of <> (./kvm uses gmake underneath, while it is still rough I'm finding it far easier to use) - it adds the

Re: [Swan-dev] two test runs, on different machines, matched

2021-09-26 Thread Andrew Cagney
-different road:output-different On Thu, 9 Sept 2021 at 20:41, Andrew Cagney wrote: > > > On Sun, 5 Sept 2021 at 11:17, Paul Wouters wrote: > >> On Sun, 5 Sep 2021, Andrew Cagney wrote: >> >> > On Sun, 5 Sept 2021 at 09:44, D. Hugh Redelmeier >> wrote: >

Re: [Swan-dev] two test runs, on different machines, matched

2021-09-09 Thread Andrew Cagney
On Sun, 5 Sept 2021 at 11:17, Paul Wouters wrote: > On Sun, 5 Sep 2021, Andrew Cagney wrote: > > > On Sun, 5 Sept 2021 at 09:44, D. Hugh Redelmeier > wrote: > > I ran the tests suite last night on two machines. It used to be > that one > > would exp

Re: [Swan-dev] two test runs, on different machines, matched

2021-09-05 Thread Andrew Cagney
On Sun, 5 Sept 2021 at 09:44, D. Hugh Redelmeier wrote: > I ran the tests suite last night on two machines. It used to be that one > would expect different results from two runs "due to non-determanism", > even on the same machine. > > I got the same results on two machines. That's either good

[Swan-dev] Heads up, expect a test kvm rebuild

2021-08-22 Thread Andrew Cagney
With 4.5 out I pushed some fixes to the openbsd KVMs. The downside is that the changes trigger a scratch build of all the VMs.

Re: [Swan-dev] Coverity Scan doesn't seem to understand passert

2021-08-20 Thread Andrew Cagney
On Fri, 20 Aug 2021 at 11:01, D. Hugh Redelmeier wrote: > passert never returns if the test is false. > Coverity Scan doesn't seem to know this. > This leads to false positives in its reports. > Based on other code I've tweaked, I'm pretty sure that Coverity groks passert() being no-return.

  1   2   3   4   5   6   7   8   9   10   >