[Swan-dev] testing machinery tries to download Fedora 36 ISO but it has moved

Since Fedora no longer supports it, it has moved to their archive The new URL Updates have moved too (I don't know if the scripts use the updates). Is it easy to move

Re: [Swan-dev] Fedora 38 breaks egrep and fgrep

| From: Paul Wouters | alias egrep=grep -E | | I will have to do that myself :) It's easy to fix our code. I would do it now but the CRA has better(!) uses of my time right now. ___ Swan-dev mailing list Swan-dev@lists.libreswan.org

[Swan-dev] Fedora 38 breaks egrep and fgrep

They each spit a diagnostic saying that they are going away. Not so great for scripts. https://mastodon.social/@cks/110232377928840323 There are 24 lines using or mentioning these in our tree. git grep '\<[ef]grep\>' | wc -l Worse: my fingers have been using egrep for 44 years. I

[Swan-dev] puzzled by TS code Coverity flagged

Coverity flags an uninitialized scalar value in ikev2_ts.c. The scalar in question is verify_rekey_child_request_ts()'s "best". Part of best seems to be initialized by calls to fit_tsp_to_end but only some paths through the function initialize. The bool result returned does not actually

[Swan-dev] I think that Coverity found a bug in ECDSA_ipseckey_rdata_to_pubkey_content

The pointer variable "group" is initialized to NULL. group can then be set in the FOR_EACH_ELEMENT loop. Whenever it is set, the loop terminates. So the code in the loop that dereferences group must fail. if (group->nss_adds_ec_point_form_uncompressed && I guess that it has never been

Re: [Swan-dev] memory: in clone_bytes() don't call memcpy(,,0)

| From: Andrew Cagney | | New commits: | commit ba30451878021e304e510cfc3adc1493bd41a31d | Author: Andrew Cagney | Date: Thu Sep 1 14:24:46 2022 -0400 | | memory: in clone_bytes() don't call memcpy(,,0) | | undefined; fix github #836 I don't understand this change. It prevents

[Swan-dev] large numbers in libreswan conf files

All numbers in conf files are whole numbers (that's all the parser will accept). How large should we allow them to be? Slightly easier question; What are the largest numbers used now? I cannot answer that because I can't see everyones conf files. ===> People: could you tell me the large

[Swan-dev] integer types biting us [long]

1) intmax_t and uintmax_t should never be used. Those types were always bit sloppy. For example, they may be quite inefficient. They used to be safe to use in code that was trying to be generic. A function parameter of this type could handle any int type thrown at it (if the signedness

[Swan-dev] test suite needs some NSS something

I just ran the test suite for the first time in a few months. Just to be safe, I started with "make kvm-demolish". At the end of the (apparently complete) run, I got this new message: make[1]: Entering directory '/home/build/libreswan' Package nss was not found in the

Re: [Swan-dev] Ipcomp and get_sa_info()

| From: Paul Wouters | On Mar 25, 2022, at 23:08, D. Hugh Redelmeier wrote: | > | > |BTW, which code do you suspect? | | Based on commit message, removal of get_sa_info() for ipcomp It didn't do anything. get_sa_info ignored IPCOMP. All three pairs of calls to get_sa_info were ide

Re: [Swan-dev] Ipcomp and get_sa_info()

| From: Paul Wouters | Are we sure the code was not wrong ? No. I only think that I know what it did. I changed almost no behaviour. Only the order of displaying flow counts for AH. BTW, which code do you suspect? I think that all the code that I changed was about logging or reporting in

Re: [Swan-dev] pluto: ikev2_create_child_sa.c: avoid NULL dereferences

In process_v2_CREATE_CHILD_SA_request_continue_2, if ike is NULL: - the comment I added says that the result is failure - but the result returned is STF_OK (most analogous cases return STF_INTERNAL_ERROR) One of these is wrong and should be fixed. A comment doesn't affect correctness (the

[Swan-dev] Strongswan tests failing

Yesterday I did a run of the test suite, starting with "make kvm-demolish". About 88 tests involving Strongswan failed. Is there a step that I've skipped? Typical of the failures that I checked: --- MASTER/testing/pluto/ikev2-44-switch-initiator-strongswan/east.console.txt +++

[Swan-dev] nss-cert-crl-03 failure

During my run last night, nss-cert-crl-03 failed. I don't think that it is due to the changes that I'm testing. --- MASTER/testing/pluto/nss-cert-crl-03/east.console.txt +++ OUTPUT/testing/pluto/nss-cert-crl-03/east.console.txt @@ -39,5 +39,11 @@ east # ipsec auto --listcrls | grep issuer

[Swan-dev] questions about find_next_v2_host_connection

Why does this deal with V1? Its name includes "v2", so that suggests that it does not. It has a local variable "ike_version" which is immutably IKEv2. And yet it has a comment that includes the line * (2) kind of IKEV1 (POLICY_AGGRESSIVE) /* * Success may require

Re: [Swan-dev] heads up tests switching to f35 from f32; build->fedora-build

| From: Andrew Cagney Great! Trying it out now. | You'll want to rebuild the domains from scratch and wipe your | $(KVM_POOLDIR), probably: | ./kvm demolish Is that different from "make kvm-demolish"? I did both. | rm ../pooldir/* Should there be a make target to do this? | I'd also

Re: [Swan-dev] testing/programs/enumcheck/OUTPUT.enumcheck.txt

| From: D. Hugh Redelmeier | | This file doesn't seem to match the output of the enumcheck program. | Is it supposed to? False alarm. The destination for object files must have changed a year ago. I was running rubble from before that change

[Swan-dev] testing/programs/enumcheck/OUTPUT.enumcheck.txt

This file doesn't seem to match the output of the enumcheck program. Is it supposed to? ___ Swan-dev mailing list Swan-dev@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan-dev

[Swan-dev] two test runs, on different machines, matched

I ran the tests suite last night on two machines. It used to be that one would expect different results from two runs "due to non-determanism", even on the same machine. I got the same results on two machines. That's either good news or luck. This is probably the result of hard work: thanks!

Re: [Swan-dev] passert.h: PASSERT should not return a value

| From: Andrew Cagney | includes: allow if (!passert(...)) | | mainly so it is easy to switch between pexpect() | and passert(). | | (which is presumably to make debugging easier) Ahh. The use of a passert as if it returned a value looks like a mistake. It makes unreachable

[Swan-dev] Coverity Scan doesn't seem to understand passert

passert never returns if the test is false. Coverity Scan doesn't seem to know this. This leads to false positives in its reports. For example, consider these lines from programs/pluto/ikev1_spdb_struct.c: 2478 passert(ty < ipsec_attr_val_descs_roof); 2479 vdesc =

[Swan-dev] lib/libbsdpfkey/policy_parse.y

This code has at least a couple of problems. - using atol is considered a Bad Thing. One reason is that errors cannot be caught. Use strtol instead. - atol does not set errno, but the code assumes that it does. - at least once, errno is set to 0 after the atol call and then the value is

[Swan-dev] Test Suite: speed effects of hardware differences

I have two similar machines for running tests. - ThinkCentre M93p Tiny - i5-4570T CPU @ 2.90GHz (Haswell generation) - as far as I know, all available firmware updates for security (i.e. slowdowns) - Fedora 34 (arrived at by many upgrades) They differ in: - the first has a 2.5" HDD and 16G of

[Swan-dev] text_said() calls in create_xfrm_migrate_sa() puzzle me

I don't understand this code but I'm "improving" it, based on symmetry. I've hit a snag. Advice welcome! There are four calls to text_said. Here's what they look like, with details removed: if (endpoint_is_specified(st->st_mobike_local_endpoint)) { if (dir ==

[Swan-dev] "policy" is an overused word

I see some functions have been renamed with "policy" replacing "eroute". The trouble with "policy" is that it is used to label way too many things in networking (and the rest of the computer field). It isn't that the word is inappropriate, but that the word retains no specificity. I strongly

Re: [Swan-dev] pluto: ikev2_ts.c: convert large const by-value parameters to by-ref

| From: Andrew Cagney | I saw that but decided to ignore it. | | On Wed, 16 Jun 2021 at 12:14, D. Hugh Redelmeier | wrote: | > Wishful thinking: a compiler ought to be able to do this | > transformation. | What makes you think the compiler can't eliminate this? It is 2021 after

[Swan-dev] style question

In 8b254f86c6740a4eb900e481c9c21e8da745b130 before: the type for a priority was unsigned, 32 bit. Actual bits within that were allocated and documented. After: the type was changed to unsigned. Comments and a passert were added to make it clear that the type must be at least 32 bits: -

Re: [Swan-dev] libreswan package on Fedora 33 has problem with ldns package.

| From: Paul Wouters | X-Mailer: iPhone Mail (18E212) | Try dnf update =E2=80=94enablerepo=3Dupdates-testing | | I pushed a new update for f33 this morning That worked. Thanks! Except: your iPhone Mail user agent converted your -- to some Unicode dash. So copy-and-paste into a shell fails

[Swan-dev] libreswan package on Fedora 33 has problem with ldns package.

Something is odd in the packaging of libreswan on Fedora 33. Here's a transcript that shows it. [hugh@redeye ~]$ sudo dnf update libreswan Last metadata expiration check: 3:58:19 ago on Sun 30 May 2021 05:43:15 PM. Dependencies resolved. Nothing to do. Complete! [hugh@redeye ~]$ sudo dnf list

[Swan-dev] Coverty detects apparent problem with ikev2_send_cert

This report appears accurate. | 1234 const struct cert *mycert = c->spd.this.cert.nss_cert != NULL ? >spd.this.cert : NULL; It sure looks as if can leave mycert == NULL. | 1240 SECItem *pkcs7 = nss_pkcs7_blob(mycert, send_full_chain); This passes mycert to

[Swan-dev] naming of functions that return something

[Feel free to ignore this philosophical exploration.] Algol distinguishes procedures and functions. Let's use that terminology. A procedure call is a kind of statement. Statements are composed by sequential execution (left to right, top to bottom). So it is natural to name something like

Re: [Swan-dev] why I added a consistency check to pbs_in_struct

| From: Andrew Cagney | The old behavior was that a NULL implied that the nested struct, if any, | could be ignored. I'd call that obvious behaviour. | (passing a pbs when not needed was benign). That's not what the contract said. Ever. | Now, if this is done wrong, and on a rarely executed

[Swan-dev] why I added a consistency check to pbs_in_struct

| commit 9945236619b17fa13dfd1cfbe60359dcbf3fcd21 | Author: D. Hugh Redelmeier | Date: Fri May 7 23:58:52 2021 -0400 | | pluto: packet.c: add consistency check to pbs_in_struct | | pbs_in_struct now requires that if and only if the structure has a | length field

Re: [Swan-dev] Coverity Scan finds issue with programs/pluto/keys.c

| From: Andrew Cagney | On Tue, 4 May 2021 at 01:15, D. Hugh Redelmeier wrote: | | > I'm suspicious about the case where both calls to try_all_keys return | > true. I'll call this "double stop". I should have called this double not-stop. | /* | * Try all key

[Swan-dev] Coverity Scan finds issue with programs/pluto/keys.c

| From: scan-ad...@coverity.com | | *** CID 1504578:(FORWARD_NULL) | /programs/pluto/keys.c: 529 in authsig_and_log_using_pubkey() | 523 stop = try_all_keys("preloaded",

[Swan-dev] possible ip_range_check.c bug caught by Coverity Scan

| From: scan-ad...@coverity.com | | *** CID 1504581: Incorrect expression (COPY_PASTE_ERROR) | /testing/programs/ipcheck/ip_range_check.c: 395 in check_range_op_range() | 389

Re: [Swan-dev] libswan/ttoaddress.c: use getaddrinfo(3) instead of gethostbyname2(3)

| From: Andrew Cagney | FYI, | https://testing.libreswan.org/v4.4-73-g379929c054-main/ikev2-ddns-03/OUTPUT/west.console.diff Thanks. Could you see if my latest commit fixes the problem. ___ Swan-dev mailing list Swan-dev@lists.libreswan.org

Re: [Swan-dev] libswan/ttoaddress.c: use getaddrinfo(3) instead of gethostbyname2(3)

| From: Andrew Cagney | On Mon, 3 May 2021 at 13:54, D. Hugh Redelmeier | wrote: | | > commit 379929c054bbe6022abbc456f5c1fd9bd453470d | > We always accept the first result from getaddrinfo(3). This may | > change prioritization of IPv4 vs IPv6, but at least it ma

Re: [Swan-dev] get rid of getnetbyname() /etc/networks?

| From: Paul Wouters | Related, there are still a few places that end up calling | gethostbyname2() which is also obsolete and does not work for IPv6: | | lib/libswan/ttoaddress.c: struct hostent *h = gethostbyname2(p, af); | | The case in ttoaddress.c is the main one. Since it is used

Re: [Swan-dev] get rid of getnetbyname() /etc/networks?

| From: Paul Wouters | > Subject: [Swan-dev] get rid of getnetbyname() /etc/networks? | kill it :) Done. | Related, there are still a few places that end up calling | gethostbyname2() which is also obsolete and does not work for IPv6: In what way does it not work for IPv6? I admit that it

[Swan-dev] get rid of getnetbyname() /etc/networks?

Comments I added recently: + /* +* try a name from /etc/networks +* +* Seems pretty obsolete: +* - latest RFC, 1101, dated April 1989 +* - IPv4 only +* - doesn't support classless networks +* - Window has it +*/ We are using

[Swan-dev] /etc/NetworkManager/VPN in Fedora 34

Does Libreswan care about this directory? It seems like it might get removed. - NM tries to monitor it - SELinux generates AVCs every time - current work-around seems to be to delete the directory - reports seem to be about systems first installed long ago. In my case, it looks as if the

[Swan-dev] race condition in free_root_certs()

The only place where I notice a refcnt_t manipulated without a lock is in free_root_certs. One problem is that the refcount can change between being observed and the action that is affected by the observation. Another is that the actual refcnt member isn't guaranteed to be atomic. If all

Re: [Swan-dev] tasks for 4.5

| From: Andrew Cagney | Around the 4.5 release I'd like to put forward making a few pervasive | changes. I don't know all the logisticsl | When I say around I mean that period around the release during which the | mainline is pretty much frozen. Makes sense. | before: | - s/TRUE/true/

[Swan-dev] lib/libswan/goodmask.3.xml is obsolete

This describes three functions that no longer exist: goodmask, masktobits, and bitstomask. - we should delete it and the things that reference it lib/libswan/ipsec_bitstomask.3 lib/libswan/ipsec_masktobits.3 - we should document any replacement function I think Andrew made the

[Swan-dev] replacing a loop in unbound_resolve() with memcpy?

Code: for (unsigned b = 0; b < afi->ip_size; b++) { bytes.byte[b] = result->data[0][b]; } Could this loop not be replaced by a memcpy? memcpy(bytes.byte, result->data[0], afi->ip_size); Is there some reason that this is a bad idea?

Re: [Swan-dev] style issue

| From: Andrew Cagney | I've now started changing this and a big motivator is so that I can | write address expressions more naturally, and just like you suggest. Great! I did not look at the history, only the code. Sorry. Since I only used the code as an example, this doesn't change the

[Swan-dev] style issue

This is about a matter of taste. I'd like to understand why others don't agree with me. I'm not just jumping in to "improve" the code. I like compact code. It means that more functionality can be seen at once. That's one reason that I like C better than COBOL (there are many others). But

Re: [Swan-dev] IKEv2: fix a crash when only one endpoint specifies policy-label=

| commit 2a2376e5bfa6c19e9a334e2a651b54135e64ab21 | Author: Kavinda Wewegama | Date: Tue Mar 9 21:38:55 2021 -0500 | | IKEv2: fix a crash when only one endpoint specifies policy-label= | | Signed-off-by: Paul Wouters Code is extracted from score_ends_seclabel: if

Re: [Swan-dev] the coding twine holding end's .host_addr, .client, .port, .protocol and .has_client together

| From: Andrew Cagney | (is "coding twine" original?) "Baling wire" is a term of art for jury-rigged fixes. "Haywire" is another word for baling wire, but with difference connotations.. All the balers we had used "binder twine". Baling wire seems like a bad idea. It seems easy to be leave

Re: [Swan-dev] the coding twine holding end's .host_addr, .client, .port, .protocol and .has_client together

| From: Andrew Cagney | - instantiate non-template connections (this idea keeps coming up on IRC) This is off the top of my head. It might be wrong. And too philosophical. The original idea was that connections were immutable -- all changes were in state objects. It was convenient to add

Re: [Swan-dev] shunk_t vs chunk_t

| From: Andrew Cagney | On Mon, 1 Mar 2021 at 10:17, D. Hugh Redelmeier wrote: | > | > In shunk_t | > const void *ptr; | | BTW, it started out as const char * because it was being used on | strings. It changed to const void * as part of being made more | generic. c

[Swan-dev] loop structure of score_ends_seclabel()

[These comments would have been better made during code review. I'm sorry that I didn't have time to do this earlier. Idiosyncratic excuse: I gain understanding while nit-picking (see a5c5d5ca7828f3b3aa0384b22cc9154acd23f985)] The loop structure of score_ends_seclabel doesn't look right to me.

Re: [Swan-dev] libswan: ip_endpoint.c: endpoint_eq(): simplify

amp; | + ( l->ipproto == 0 || r->ipproto == 0 || | + l->ipproto == r->ipproto ); | | | On Tue, 29 Dec 2020 at 18:15, D. Hugh Redelmeier | wrote: | > | > New commits: | > commit 826c11f4f0

Re: [Swan-dev] rr works with `pluto`

| From: "Wewegama, Kavinda" | In case you weren't aware, the latest version of rr (record + replay) | debugger which is capable of efficient reverse execution works with | `pluto` (https://rr-project.org/). Good to know. I've been intrigued by rr. | Earlier this year, Robert O'Callahan (one

[Swan-dev] code smell

(This isn't a term that rolls off my tongue, but it is a term of art.) There is a big chunk of code that is almost identical in encrypt_v2SK_payload and ikev2_verify_and_decrypt_sk_payload. It would be good if this code be shared (likely in a function). This would mean that whenever a change

[Swan-dev] testing/pluto/check-01

This test fails because some new enum values have been added. Example: ISAKMP_v2_GSA_AUTH Probably check/enum/OUTPUT.enumcheck.txt needs updating. ___ Swan-dev mailing list Swan-dev@lists.libreswan.org

Re: [Swan-dev] testing/utils/kvmresults.py has a problem

| From: Andrew Cagney | So why is that log file so big? | | Hmm ..., TCP. Hmm ... | | perhaps you need the custom kernel with the upstream tcp fixes? | > -rw-rw-r--. 1 build build 278 Sep 3 03:27 RESULT | > -rw-rw-r--. 1 build build 0 Sep 3 03:27 nic.console.diff | >

Re: [Swan-dev] testing/utils/kvmresults.py has a problem

| From: Andrew Cagney | there is a really really really big pluto.log somewhere? $ ls -s testing/pluto/*/OUTPUT/*pluto.log | sort -n | tail 1624 testing/pluto/impair-08-ikev2-key-length-attribute/OUTPUT/east.pluto.log 1684

[Swan-dev] kibitzing about logger

Passing logger around is a very clean but noisy solution. But what is the problem? My impression is that the main problem is that using a global logger is hard to do correctly with threads. Implicitly global (shared) variables can be mutated in parallel, with disastrous results, some of which

[Swan-dev] testing/utils/kvmresults.py has a problem

After each run of the test suite, I use kvmresults.py to create a useful summary of how each test did. Recently it has crashed when I run it, but only after producing the results I want. So this isn't a big problem. Here's the most recent traceback: Traceback (most recent call last): File

Re: [Swan-dev] a few test are broken because reference logs need updating

| From: Antony Antony | | oh, that was me. I added new tests and sanitizer line when I noticed new | test need it. I did not realize it would affet existing tests. Let me push | the two tests. Thanks. I was worried that this intermediate state had been intentional. I certainly accidentally

[Swan-dev] code for impossible situations

If a case is impossible, but you feel unsure about it, use passert. Then you'll know. Actually handling an impossible case requires or suggests that all related code should handle it too. And that multiplies complexity and the chance for bugs. This code will never be exercised by our test

[Swan-dev] a few test are broken because reference logs need updating

It looks like a new filter was added. If your changes are going to require reference file changes, please push both sets of changes at the same time. > testing/pluto/interop-ikev2-strongswan-29-rekey failed west:output-different

[Swan-dev] unexpected diagnostic

I've cloned the source tree onto my machine. I currently have no ambition to run the code or the tests on the machine. When I type "make tags", I think that the tag file is built, but I get these diagnostics. They seem irrelevant to "make tags". /home/hugh/libreswan/mk/kvm-targets.mk:931:

[Swan-dev] test suite noise

The testsuite seems to report a bunch of errors. Could folks fix the ones that they are responsible for? Here are the first few that I encounted when trying to test a change. Most look easy or important. Or even expected but not documented in any way. basic-pluto-09-orienting failed

[Swan-dev] style: naming of parameters should match in function prototype and definition

I just noticed an example where our code violates this. The function prototype for initsubnet: extern err_t initsubnet(const ip_address *addr, int maskbits, int clash, ip_subnet *dst); The start of its definition: err_t /* NULL for success, else string literal */

[Swan-dev] please use a useful message Subject

[grumpy old man mode] | From: Andrew Cagney | To: Libreswan Development List | Date: Fri, 5 Jun 2020 16:11:07 -0400 | Subject: Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/master This thread has useless Subject: headers. It is much more useful to have an apt Subject. If you lack

Re: [Swan-dev] Set keyingtries to 1 for Opportunistic Encryption connections

| From: Paul Wouters | On Thu, 5 Mar 2020, D. Hugh Redelmeier wrote: | | > | I meant "resolved by setting it to 1". | > | > I don't really understand the issues. | | A failure shunt is installed after the first keyingtries= fails. | If a second keyingtries is started, it w

Re: [Swan-dev] Set keyingtries to 1 for Opportunistic Encryption connections

| From: Paul Wouters | On Tue, 3 Mar 2020, Paul Wouters wrote: | | > Current shunt handling cannot deal with this, as the second keyingtries | > sometimes tries to install a second shunt, which sometimes “works” due to | > not being widened. This is causing customer issues that at resolved by

Re: [Swan-dev] Set keyingtries to 1 for Opportunistic Encryption connections

| commit 21100cee5f207c24ee55ad6c612a84a6140ba583 | Author: Paul Wouters | Date: Sun Mar 1 21:46:17 2020 -0500 | | IKEv2: Set keyingtries to 1 for Opportunistic Encryption connections. | | We cannot have unlimited keyingtries for Opportunistic, or else we gain | infinite

Re: [Swan-dev] clarify ikev2_ts_r_desc length field

I don't think that the logging change is good. 1. (almost?) all lengths in IKE are the length of the whole structure. By changing logging for only one, you raise more questions than you answer. "ft_len" means "length of the whole structure". 3. The result is quite wordy. I suggest that

[Swan-dev] VPP (Vector Packet Processing)

This seems to be a different networking stack for (some) Linux. Inspired by a Cisco design. Naive question: how does/can/should Libreswan fit in? Guess: wait until distros adopt it? Or perhaps it has no impact on our code. It has IPSEC as one of its "features"

Re: [Swan-dev] pluto: sprinkle const on many struct fd * parameters

| From: Andrew Cagney | On Thu, 20 Feb 2020 at 17:00, D. Hugh Redelmeier wrote: | > | > | From: Andrew Cagney | > | > | On Thu, 20 Feb 2020 at 15:59, D. Hugh Redelmeier wrote: | > | > | > | > | From: Andrew Cagney | > | | > | > If one declares all

[Swan-dev] udpfromto()

| New commits: | commit 4b6ae4c757c85bbca12e048ab9eec7f7cce586b0 | Author: Andrew Cagney | Date: Thu Feb 20 16:31:28 2020 -0500 | | server: delete udpfromto.[hc] | | It was added in 2005 (I suspect to support ::/500) with the comment: | | we do not do anything with

Re: [Swan-dev] pluto: sprinkle const on many struct fd * parameters

| From: Andrew Cagney | On Thu, 20 Feb 2020 at 15:59, D. Hugh Redelmeier wrote: | > | > | From: Andrew Cagney | | > If one declares all possible struct fd * things const, the absence of | > const highlights where references could go wrong. | | Why? Those are the only pla

Re: [Swan-dev] pluto: sprinkle const on many struct fd * parameters

| From: Andrew Cagney | This feels wrong - struct fd is opaque so what more needs to be said? | Adding the 'const', forces an internal detail onto the clients and an | artifical limitation on the implementation. For instance: | | ssize_t fd_read(const struct fd *fd, void *buf, size_t nbytes, |

[Swan-dev] tests: missing directory

I ran the tests last night and got this error message frpm kvmresults.py: kvmresults 0.01: ** testing/pluto/TESTLIST:356: invalid test ikev2-x509-21-shared-ip: test directory not found: testing/pluto/ikev2-x509-21-shared-ip ___ Swan-dev mailing

Re: [Swan-dev] better name for {left,right}ifaceip?

General comment: We have way too many options. We cannot lightly delete any that have been advertised in a release. Has iface-ip been advertised? Andrew's points all seem valid too. But I haven't thought deeply about this. ___ Swan-dev mailing list

Re: [Swan-dev] updating test system leaves it broken

| From: Andrew Cagney | Did you install as in: | gmake kvm-install? Oops, it was so long that I forgot that kvm-test didn't imply kvm-install. Thanks! ___ Swan-dev mailing list Swan-dev@lists.libreswan.org

[Swan-dev] updating test system leaves it broken

I hadn't run the tests in months. And I've updated the host to Fedora 31. So I did: git pull make kvm-demolish make kvm-test The result was that almost all tests failed (unresolved) because test virtual machines didn't seem to start up properly. This happened on two

[Swan-dev] Test Suite vs Fedora 31?

Does that test suite get along with Fedora 31 as a host? ___ Swan-dev mailing list Swan-dev@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan-dev

Re: [Swan-dev] proposal: "const struct ip_protocol" => "ip_protocol"

| From: Andrew Cagney | because it gets confusing and is obscure; better to spell out: |const something | where the code is being used than leave everyone wondering, for instance, given: |ip_something(something *foo, const someotherthing *bar, somethingelse *baz); | which are typos and

[Swan-dev] proposal: "const struct ip_protocol" => "ip_protocol"

We currently have struct ip_protocol {...}; As far as I can tell, all uses of it are of the form const struct ip_protocol Why not typedef const struct {...} ip_protocol; Then all uses should be changed appropriately (a sed script would do it). That way the "const" could

[Swan-dev] ip_range

The ip_range type seems to be used for two purposes: - traffic selectors - ip address pools The two uses have diverged. Lots of complexity has been added for the address pool case which is not clearly correct or useful for the traffic selector case. Is there an RFC-based limit on range

Re: [Swan-dev] const version of str_*()

| From: D. Hugh Redelmeier | I don't think that C guarantees that the id_buf value would live long | enough. The expression is more explicitly written | | _str().buf[0] | | As soon as the & is applied, I believe that C's semantics allows the | temporary id_buf value to be disca

Re: [Swan-dev] const version of str_*()

| From: Andrew Cagney Nice analysis. | But here's a different problem. We've code micro-optimized as follows: | | char buf[ID_LEN] | idtoa(, buf); | | if (dbg) printf("id1 = %s\n", buf); | ... | if (dbg) printf("id 2 = %s\n", buf); | | presumably to minimise the number of string

[Swan-dev] nic:%NULL

A number of tests seem to be failing for a reason I don't understand. testing/pluto/ikev1-algo-esp-null-01 failed nic:%NULL testing/pluto/ikev1-hostpair-01 failed east:output-different nic:%NULL road:output-different testing/pluto/ikev1-hostpair-02 failed nic:%NULL

Re: [Swan-dev] man pages for our library routines

| From: Paul Wouters | No, it was never a real library. It was basically freeswan developer | information in the form of man pages. It was a library. Interestingly, it did not depend on the rest of FreeS/WAN. It wasn't adopted by other projects, but that's too bad. It created some useful

[Swan-dev] man pages for our library routines

>From IRC: DHR, unlike snprintf(), the *tot() return a length that includes the '\0'? The way to answer this is to read the man pages. Unfortunately, those have become unknown. Henry created very comprehensive man pages for those library routines. The FreeS/WAN and Openswan projects

Re: [Swan-dev] redirect: in emit_redirect_notification_decoded_dest() delete '-' in column 1 negating a bool

| commit b473d2b9be0a244672aa2934e3feaac55ad23b82 | Author: Andrew Cagney | Date: Sat Aug 17 08:08:56 2019 -0400 | | redirect: in emit_redirect_notification_decoded_dest() delete '-' in column 1 negating a bool | | Looks like a merge botch. Worryingly, fixing this doesn't seem

Re: [Swan-dev] pluto: Change some connection loading IKE version checks

I don't understand why 211c2b7b1fce9c72f15e68de6b69580c050e954d is a good idea. The old tests were of the form "if we are not the right version, complain" The new versions are of the form "if we are a particular wrong version, complain" The original versions seem more robust. Paul: can you

Re: [Swan-dev] "route" vs "ondemand"

| From: Paul Wouters | On Tue, 2 Jul 2019, D. Hugh Redelmeier wrote: | | > So it sounds as if auto=route is obsolete. | | Yes. | | > But uses are scattered through | > our tree. I assume that they should be updated. Any objection? Shall I fix this? (Maybe not: see below.) | >

[Swan-dev] "route" vs "ondemand"

According to ipsec.conf(5) The option ondemand used to be called route So it sounds as if auto=route is obsolete. But uses are scattered through our tree. I assume that they should be updated. Any objection? In the case of ipsec_auto(8), --ondemand is the same as --add then

Re: [Swan-dev] CentOS libreswan vs Fedora libreswan

Still figuring this out, but I'm wrong. Libreswan does pay attention to the unencrypted (and unauthenticated) notification. On Sun, 30 Jun 2019, D. Hugh Redelmeier wrote: | From: D. Hugh Redelmeier | To: Libreswan Development List | Date: Sun, 30 Jun 2019 12:10:27 -0400 (EDT) | Subject: [Swan

[Swan-dev] CentOS libreswan vs Fedora libreswan

I'm trying to build a tunnel between a Fedora and a CentOS system, both running libreswan-3.29-1 packages. I don't specify any cryptosuites -- I just let them default. Much to my surprise, the CentOS Responder refuses the Fedora Initiator's negotiation: initiator guessed wrong keying

[Swan-dev] printf called from our library [was Re: CentOS 6 "implicit declaration of function ‘printf’"]

(I'm replying to the wrong message because I don't have the right one.) | From: Paul Wouters | | On Tue, 18 Jun 2019, Andrew Cagney wrote: | | > why is a library function calling printf()? (if a c file needs | > something #include it). | | Because it is used in addconn which has no logging

Re: [Swan-dev] ace1aaf777 CentOS 6 addr_lookup.c:220: error: 'errno' undeclared

| From: Antony Antony | I am writing this e-mail really amused(too many broken commits in the name | of fixing) and annoyed when I wake up master is broken again! You are | warned! Yes, I broke it. Sorry about that. It worked for me. Thanks for fixing it! The fundamental problem is

[Swan-dev] different odd error on RHEL 6 [was Re: odd error only on ppc64 on rhel6]

' [-Werror=implicit-function-declaration] | printf("found peer %s to interface %s\n", | | From: D. Hugh Redelmeier ... | | [1] | | https://travis-ci.org/antonyantony/libreswan/builds/546142308 | | /home/build/libreswan/lib/libswan/addr_lookup.c:67:6: error: implicit declaration o

Re: [Swan-dev] _stackmanager: set some variables to prevent coverity warning

| commit 5e6e29f16706cf996f5e331038191b866f5a1b1e | Author: Paul Wouters | Date: Mon Jun 17 17:00:54 2019 -0400 | | _stackmanager: set some variables to prevent coverity warning | | Comes in via an eval() of ipsec addconn --configsetup +# Tehse prevent coverity warnings,

  1   2   3   4   5   6   >