Re: [Swan-dev] debian continuous integration

2017-12-11 Thread Antony Antony
g something i can rely on for this purpose? > > Thoughts and suggestions welcome, > > --dkg > ___ > Swan-dev mailing list > Swan-dev@lists.libreswan.org > https://lists.libreswan.org/mailman/listinfo/swan-dev >From b96ef56d

Re: [Swan-dev] swantest vs kvmrunner.py and final.sh

2017-10-23 Thread Antony Antony
On Sat, Oct 21, 2017 at 06:10:14PM -0400, Paul Wouters wrote: > > I think that kvmrunner.py runs final.sh on nic, while swantest does not. > > this gives different output, eg: >

Re: [Swan-dev] xauth protocol and retransmits

2017-10-19 Thread Antony Antony
01905fd751490070 Mon Sep 17 00:00:00 2001 From: Antony Antony <ant...@phenome.org> Date: Thu, 19 Oct 2017 19:33:38 + Subject: [PATCH] xauth: cancel pending EVENT_v1_SEND_XAUTH IKEv1 responder, when an xauth response arrive cancel the pending EVENT_v1_SEND_XAUTH --- programs/pluto/

Re: [Swan-dev] prefixing debug lines with connection/state?

2017-10-18 Thread Antony Antony
On Wed, Oct 18, 2017 at 11:35:55AM -0400, Andrew Cagney wrote: > Hi, > > I'm wondering if debug output should be prefixed with the connection/state > information as in: > > | "westnet-eastnet" #1: . If every line add such a prefix it would be hard to read, I would struggle to read the

Re: [Swan-dev] crash during testing xauth (2) when processing dpd event

2017-10-10 Thread Antony Antony
I pushed a fix for this. It will detect dangling hp in a simple case. I am not sure about complicated cases, such as mix of CK_INSTANCE and CK_PERMANENT connections between same IP addresses. On Mon, Oct 02, 2017 at 01:02:41PM -0400, Paul Wouters wrote: > On Mon, 2 Oct 2017, Antony Antony wr

Re: [Swan-dev] tests failing due to retransmissions

2017-10-10 Thread Antony Antony
On Wed, Sep 27, 2017 at 12:38:08PM -0400, D. Hugh Redelmeier wrote: > I get a lot of them. This isn't good or useful. > > I ran the following script: > > for i in testing/pluto/*/OUTPUT/*.diff ; do > if [ ! -s "$i" ] ; then > : no difference >

Re: [Swan-dev] xauth_send_request has a comment that confuses me

2017-10-09 Thread Antony Antony
On Mon, Oct 02, 2017 at 01:50:18PM -0400, Paul Wouters wrote: > On Mon, 2 Oct 2017, Antony Antony wrote: > > > well if the comment was true I could avoid double sending in server.c > > I don't understand that part. We still have the issue of sending some > kind of Main or Ag

Re: [Swan-dev] [Bug 299] crash after pluto: Fix addresspool reference count

2017-10-09 Thread Antony Antony
of re-factoring. that also the reason I am testing more. regards, -antony On Sat, Oct 07, 2017 at 01:57:54PM +0200, wolfg...@linogate.de wrote: > On Sat, 7 Oct 2017 13:35:18 +0200, Antony Antony wrote > > On Sat, Oct 07, 2017 at 12:02:59PM +0200, wolfg...@linogate.de wrote: > > &g

Re: [Swan-dev] pfree checks

2017-10-09 Thread Antony Antony
I link with Electric Fence. It will detect double free, and cause Segmentation fault. It kicks in before libreswan magic is executed. Here is an example. The passert in pfree(), before your patch is applied, does not provide any extra info when linked with efence. I just tried a double

Re: [Swan-dev] crash after pluto: Fix addresspool reference count

2017-10-07 Thread Antony Antony
Hi Wolfgang, I couldn't stay away from this mystery since I already spent days on it. One line summary, I can reproduce lsw299. And need to define some things before fixing it. There is a partial workaround to get connections established. I applied patch to the test case and forked it to

Re: [Swan-dev] crash after pluto: Fix addresspool reference count

2017-10-06 Thread Antony Antony
On Fri, Oct 06, 2017 at 09:29:33PM +0200, wolfg...@linogate.de wrote: > > May be you need sharing address pools too, I am not sure. > > Sorry, I missed that the initial problem was triggered with a configured > static ip in /etc/ipsec.d/passwd. Thanks for this detail. I will stop beating up

Re: [Swan-dev] crash after pluto: Fix addresspool reference count

2017-10-06 Thread Antony Antony
On Thu, Oct 05, 2017 at 09:57:06PM +0200, Wolfgang Nothdurft wrote: > Am 05.10.2017 um 20:57 schrieb Antony Antony: > > On Thu, Oct 05, 2017 at 08:36:52PM +0200, Wolfgang Nothdurft wrote: > > > Am 05.10.2017 um 20:18 schrieb Antony Antony: > > > > Wow, this patch look

Re: [Swan-dev] crash after pluto: Fix addresspool reference count

2017-10-06 Thread Antony Antony
On Fri, Oct 06, 2017 at 10:51:38AM -0400, Paul Wouters wrote: > I've reverted the previous patch, then tested with this patch only. It > did not cause regression for me. So if Antony is fine with it, we can > merge this last patch in. I am still hunting the original bug. I am possibly missing

[Swan-dev] libefence in testing

2017-10-05 Thread Antony Antony
Hugh, To link libreswan with Electric Fence in testing just add the following in your Makefile.inc.local EFENCE=-lefence There is a sanitizer for the extra line" Electric Fence "... -antony ___ Swan-dev mailing list Swan-dev@lists.libreswan.org

[Swan-dev] --impair

2017-10-05 Thread Antony Antony
Hi, > antony, b90248262fbb9975d13a64ab91375a09efb6 enumcheck-01 needs an > update, and do we really want to keep adding --impair... options when > --impair ... now works? what I added is ipsec whack --debug-all --impair drop-xauth-r0 ipsec whack --impair-drop-xauth-r0 do not work.

Re: [Swan-dev] crash after pluto: Fix addresspool reference count

2017-10-05 Thread Antony Antony
On Thu, Oct 05, 2017 at 08:36:52PM +0200, Wolfgang Nothdurft wrote: > Am 05.10.2017 um 20:18 schrieb Antony Antony: > > Wow, this patch looks like a heavy hammer solution. To reference count the > > pool for each lease? There is something else going on. I imagine reproducing >

Re: [Swan-dev] crash after pluto: Fix addresspool reference count

2017-10-05 Thread Antony Antony
for the proposed patch, it gave a bit more insight into the issue. -antony On Thu, Oct 05, 2017 at 02:52:06PM +0200, Wolfgang Nothdurft wrote: > Am 05.10.2017 um 10:13 schrieb Antony Antony: > > Hi Wolfgang, > > > > Thanks for the config so far I only looked at test run resu

Re: [Swan-dev] crash after pluto: Fix addresspool reference count

2017-10-05 Thread Antony Antony
Hi Wolfgang, I tried to reproduce your issue and no luck yet. Did you try ipsec stop? On Thu, Oct 05, 2017 at 09:45:02AM +0200, Wolfgang Nothdurft wrote: > Am 02.10.2017 um 13:58 schrieb Antony Antony: > > Hi Paul > > > > A quick test after the commit bd3a5f01 show a crash i

Re: [Swan-dev] crash after pluto: Fix addresspool reference count

2017-10-05 Thread Antony Antony
ng up the connection and "ipsec stop" regards, -antony On Thu, Oct 05, 2017 at 09:45:02AM +0200, Wolfgang Nothdurft wrote: > Am 02.10.2017 um 13:58 schrieb Antony Antony: > > Hi Paul > > > > A quick test after the commit bd3a5f01 show a crash in test xauth-pluto-16 > >

Re: [Swan-dev] [PATCH libreswan v2] netlink: Silence negative shift coverity false warning

2017-10-04 Thread Antony Antony
On Sun, Sep 24, 2017 at 05:05:42PM +, Aviv Heller wrote: > > coverity-detected anomalies are sometimes subtle.  So I looked at this > > code and found a couple of bugs.  I also did some tidying.  But no > > testing! > > > > Aviv, Antony: please have a look at commit > >

Re: [Swan-dev] [PATCH libreswan v2] netlink: Silence negative shift coverity false warning

2017-10-04 Thread Antony Antony
Hi Aviv, On Sun, Sep 24, 2017 at 05:05:42PM +, Aviv Heller wrote: > > coverity-detected anomalies are sometimes subtle.  So I looked at this > > code and found a couple of bugs.  I also did some tidying.  But no > > testing! > > > > Aviv, Antony: please have a look at commit > >

Re: [Swan-dev] Converting all test cases to not use ipsec.conf.common

2017-10-04 Thread Antony Antony
How about one level of "also=" A few globally well defined connections with one connection per file e.g. westnet-eastnet.conf in /testing/baseconfig/etc/ipsec.d. This file do not contain "also=" line. However, they are not necessary full connection. The test specific config:

Re: [Swan-dev] crash during testing xauth (2) when processing dpd event

2017-10-02 Thread Antony Antony
ted using xauth-pluto-17 I am, still, suspicious of restart code. If there are multiple connections from same NAT GW it would restart all of them when one dpd fails. Probably for another day. Let's fix this crash first. Also the test is weird. The combination IKEv1 aggressive mode, xauth , %an

[Swan-dev] crash after pluto: Fix addresspool reference count

2017-10-02 Thread Antony Antony
Hi Paul A quick test after the commit bd3a5f01 shows a crash in test xauth-pluto-16 pointing to addresspool.c. The crash happens with ipsec stop I couldn't reproduce lsw#299 yet. Did you manage to reproduce before bd3a5f0 patch? (gdb) bt #0 0x55a3e7f6830b in unreference_addresspool

[Swan-dev] ***UNCHECKED*** Re: crash during testing xauth (2) when processing dpd event

2017-10-01 Thread Antony Antony
On Sat, Sep 30, 2017 at 08:18:11PM -0400, D. Hugh Redelmeier wrote: > testing/pluto/xauth-pluto-17 failed east:CORE,output-different > road:output-different .. > I don't know whether it is repeatable so I'm freezing my test machine for > now. The crash appears in my testruns since Sept 28th,

Re: [Swan-dev] crash during testing xauth (1) when trying to retransmit

2017-10-01 Thread Antony Antony
On Sat, Sep 30, 2017 at 08:18:03PM -0400, D. Hugh Redelmeier wrote: > Sadly this is old news -- I've been isolated due to cable problems and > other commitments. > > The last commit on the tree I'm working from is Tuomo's > 18f05093e718b803480be2dd94c24eef8d7b6f69 > 2017-09-28 12:39:50 > >

Re: [Swan-dev] recent debian changes and build failure?

2017-09-30 Thread Antony Antony
may be a missing dpkg-checkbuilddep call. The Debian experimental depends on latest package versions, e.g libunbound 1.6.5 Which is not available on last year's Ubuntu. So, I disabled dpkg-checkbuilddep to work on older Debian/Ubuntu. I re-introduced dpkg-checkbuilddep and relaxed version

Re: [Swan-dev] tests failing due to retransmissions

2017-09-28 Thread Antony Antony
Which side is retransmitting? east or west? In IKEv1 tests --impair-retransmits should be on both ends. I did not know this at the beginning. So I may have made mistakes in some tests. Keep this in mind when creating new test cases. On Thu, Sep 28, 2017 at 02:04:32AM -0400, D. Hugh Redelmeier

Re: [Swan-dev] Converting all test cases to not use ipsec.conf.common

2017-09-27 Thread Antony Antony
Hi Paul, Thanks for adding --conn option. It is a good to have option. If expanding "also" is done well this is a good idea. My experience with readwriteconf is it need more work before this effort could begin. Currently, I wonder it work at all! See the example below. If we do this, my

[Swan-dev] FYI: recent Coverity warnings

2017-09-23 Thread Antony Antony
New defect(s) Reported-by: Coverity Scan Showing 1 of 1 defect(s) ** CID 1457046:(BAD_SHIFT) /programs/whack/whack.c: 2114 in main() /programs/whack/whack.c: 2125 in main() *** CID

Re: [Swan-dev] [PATCH libreswan v2] netlink: Silence negative shift coverity false warning

2017-09-22 Thread Antony Antony
On Fri, Sep 15, 2017 at 11:17:43PM -0400, D. Hugh Redelmeier wrote: > | From: Antony Antony <ant...@phenome.org> > > coverity-detected anomalies are sometimes subtle. So I looked at this > code and found a couple of bugs. I also did some tidying. But no > testing! >

Re: [Swan-dev] nflog-03-conns fails on my system

2017-09-18 Thread Antony Antony
On Sun, Sep 17, 2017 at 06:00:58PM -0400, D. Hugh Redelmeier wrote: > West starts to diverge with this line: > > +002 "westnet-eastnet-nflog" #1: switched from "westnet-eastnet-nflog" to > "west-east-nflog" > > Does anyone else see this? yes.

[Swan-dev] FYI: recent Coverity warnings

2017-09-15 Thread Antony Antony
New defect(s) Reported-by: Coverity Scan Showing 3 of 3 defect(s) ** CID 1456790:(MIXED_ENUMS) /programs/pluto/ikev1_spdb_struct.c: 2574 in parse_ipsec_sa_body() /programs/pluto/ikev1_spdb_struct.c: 2575 in parse_ipsec_sa_body() /programs/pluto/ikev1_spdb_struct.c: 2576 in

Re: [Swan-dev] [PATCH libreswan v2] netlink: Silence negative shift coverity false warning

2017-09-14 Thread Antony Antony
r.ifr_name, sizeof(ifr.ifr_name), ifname); > -- > 1.8.3.1 > > ___ > Swan-dev mailing list > Swan-dev@lists.libreswan.org > https://lists.libreswan.org/mailman/listinfo/swan-dev >From 39744f56220ba3da93f283251b7c2dc6dd5ddf8a Mon

Re: [Swan-dev] why remove USERLAND_CFLAGS+=-DDEFAULT_DNSSEC_ROOTKEY_FILE

2017-09-13 Thread Antony Antony
On Tue, Sep 12, 2017 at 10:26:36AM -0400, Paul Wouters wrote: > On Tue, 12 Sep 2017, Antony Antony wrote: > > > > It is now set using DEFAULT_DNSSEC_ROOTKEY_FILE which has a builtin > > > default? So you can still set it to build on debian, but you don't have > &

Re: [Swan-dev] pluto: no code change. just sort the getopt options

2017-09-12 Thread Antony Antony
On Tue, Sep 12, 2017 at 03:08:59PM -0400, D. Hugh Redelmeier wrote: > commit 29c0396e3ec932839d769f68b71fcb2a64094880 > Author: Antony Antony <ant...@phenome.org> > Date: Tue Sep 12 01:47:45 2017 +0200 > > pluto: no code change. just so

Re: [Swan-dev] why remove USERLAND_CFLAGS+=-DDEFAULT_DNSSEC_ROOTKEY_FILE

2017-09-12 Thread Antony Antony
On Thu, Aug 24, 2017 at 12:18:20PM -0400, Paul Wouters wrote: > On Wed, 23 Aug 2017, Antony Antony wrote: > > > Why is commit e0a15de removing DEFAULT_DNSSEC_ROOTKEY_FILE from > > USERLAND_CFLAGS. The compile time option is necessary for Debian, pluto need >

Re: [Swan-dev] [PATCH libreswan] netlink: Silence negative shift coverity false warning

2017-08-31 Thread Antony Antony
Hi Aviv, thanks for trying to fix the issue. However, this patch introduce more problems. netlink_esp_hw_offload = UINT_MAX or UINT_MAX-1 netlink_esp_hw_offload + 32 would overflow. ** CID 1455227:(INTEGER_OVERFLOW) /programs/pluto/kernel_netlink.c: 932 in netlink_detect_offload()

[Swan-dev] why remove USERLAND_CFLAGS+=-DDEFAULT_DNSSEC_ROOTKEY_FILE

2017-08-23 Thread Antony Antony
Hi Paul, Why is commit e0a15de removing DEFAULT_DNSSEC_ROOTKEY_FILE from USERLAND_CFLAGS. The compile time option is necessary for Debian, pluto need the defined value. USERLAND_CFLAGS+=-DDEFAULT_DNSSEC_ROOTKEY_FILE=\"${DEFAULT_DNSSEC_ROOTKEY_FILE}\" After the commit e0a15de

[Swan-dev] coverity warning in nic offload : shifting by negative amount has undefined behavior

2017-08-17 Thread Antony Antony
Hi Ilan, There is a coverity warning in the recently added nic-offload code. I do not understand the related code completely to fix it myself. Would you please take a look? and see if you can fix it. programs/pluto/kernel_netlink.c:979 netlink_detect_offload 976 977/* Feature is

[Swan-dev] avoid strncpy : Discouraged or forbidden C functions

2017-08-16 Thread Antony Antony
In recent scans I noticed a few warnings appearing due to possibly incorrect use of strncpy and the like in libreswan code. These are probably not exploits immediately, because these strings seem to come after other checks. However, scans generate annoying warnings! If we avoid those may be Hugh's

Re: [Swan-dev] [PATCH] ikev2_ipsec: include limits.h for HOST_NAME_MAX

2017-08-14 Thread Antony Antony
> #include > +#include > #include > #include /* for inet_ntop */ > #include > ___ > Swan-dev mailing list > Swan-dev@lists.libreswan.org > https://lists.libreswan.org/mailman/listinfo/swan-dev >From ee7952c5112a2b08c1b196cabd946e0b3c3dc7

Re: [Swan-dev] [libreswan/libreswan] Multiple compile errors with gcc (GCC) 7.1.1 20170528 (#104)

2017-08-07 Thread Antony Antony
I committed this change for now to be able to compile on F26 On Wed, Jun 14, 2017 at 03:39:38PM -0400, Paul Wouters wrote: > On Wed, 14 Jun 2017, Antony Antony wrote: > > > for Wimplicit-fallthrough=3 compliance > > I have a patch sitting around when I played with F26. I

Re: [Swan-dev] [PATCH libreswan v2 2/3] pluto, whack: Add nic-offload 'auto' mode

2017-08-04 Thread Antony Antony
Hi Ilan, now all three patches are on the libreswan master. I added a few minor style changes. please test merge. -antony On Fri, Aug 04, 2017 at 02:30:45PM +0200, Antony Antony wrote: > a couple minor comments. 1/3 is already applied by Paul. > Here are my comments about 2/3 and wil

Re: [Swan-dev] [PATCH libreswan v2 3/3] kernel, netlink: Add support for nic_offload='auto' mode

2017-08-04 Thread Antony Antony
On Wed, Aug 02, 2017 at 06:22:28PM +0300, il...@mellanox.com wrote: > From: Ilan Tayari > > Detect kernel capability when adding the first interface. > Ethtool IOCTL requires a valid device, so this cannot be done > before that. > > Detect per-device capability using ethtool

Re: [Swan-dev] [PATCH libreswan v2 2/3] pluto, whack: Add nic-offload 'auto' mode

2017-08-04 Thread Antony Antony
a couple minor comments. 1/3 is already applied by Paul. Here are my comments about 2/3 and will send another one for 3/3 On Wed, Aug 02, 2017 at 06:22:27PM +0300, il...@mellanox.com wrote: > From: Ilan Tayari > > Convert nic-offload configuration from boolean to 3-choice

Re: [Swan-dev] [libreswan RFC 2/3] pluto, whack: Add nic-offload 'auto' mode

2017-07-24 Thread Antony Antony
@@ int main(int argc, char **argv) > continue; > > case CD_NIC_OFFLOAD: /* --nic-offload */ > - msg.nic_offload = TRUE; > + if (streq(optarg, "never")) > + msg.nic_offload = ni

Re: [Swan-dev] Libreswan nic-offload automatic and fallback

2017-07-05 Thread Antony Antony
On Tue, Jul 04, 2017 at 01:58:51PM +, Ilan Tayari wrote: > Hi Paul, Antony, and all, > > I want to discuss an improvement to the basic Libreswan nic-offload feature. > > We (Mellanox) propose the following change: > * Upgrade the nic-offload configuration option from bool to tristate enum: >

Re: [Swan-dev] config file diagnostics

2017-07-04 Thread Antony Antony
On Mon, Jul 03, 2017 at 04:09:24PM -0400, Paul Wouters wrote: > On Mon, 3 Jul 2017, D. Hugh Redelmeier wrote: > > > Thanks, Paul, for dealing with the one I reported. > > > > Here's from last night's run. Could you fix these too? Or hand them > > off to whoever understands the particular test?

Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC

2017-07-03 Thread Antony Antony
Hi Ilan, offload patches are in the libreswan master now. thanks, -antony On Sun, Jul 02, 2017 at 06:30:51AM +, Ilan Tayari wrote: > > -Original Message- > > From: Antony Antony [mailto:ant...@phenome.org] > > Subject: Re: [Swan-dev] [PATCH libreswan] Add su

Re: [Swan-dev] config file diagnostics

2017-07-03 Thread Antony Antony
On Mon, Jul 03, 2017 at 10:40:07AM -0400, D. Hugh Redelmeier wrote: > | From: Antony Antony <ant...@phenome.org> > > | I am just saying "conn us" could be in the test config file. > > Summary: I can find an error but I don't know what the correct fix is. > That'

Re: [Swan-dev] config file diagnostics

2017-07-03 Thread Antony Antony
On Mon, Jul 03, 2017 at 01:44:59AM -0400, D. Hugh Redelmeier wrote: > I've been playing with confread.c > > I've made it complain when an also= cannot be found. sounds great. It would nice to resolve this. > Now lots of tests fail. > > Example problem: > testing/baseconfigs/all/etc/ipsec.d >

Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC

2017-07-02 Thread Antony Antony
On Wed, Jun 28, 2017 at 05:53:17AM +, Ilan Tayari wrote: > Hi Antony, > (Sorry for confusing you with Paul in previous email) no problem. > > 1. how to detect which esp algorithms are supported by this card? > There is no kernel API for that :/ > Currently the user is supposed to be aware

Re: [Swan-dev] interop-ikev2-strongswan-23-initiator-cp failure

2017-06-29 Thread Antony Antony
On Thu, Jun 29, 2017 at 11:02:03AM -0400, D. Hugh Redelmeier wrote: > > testing/pluto/interop-ikev2-strongswan-23-initiator-cp failed > > road:output-different > > +CHILD_SA roadnet-eastnet-ikev2{1} established with SPIs SPISPI_i SPISPI_o > and TS 192.0.2.1/32 === 0.0.0.0/0 > > I don't think

Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC

2017-06-28 Thread Antony Antony
I got the xfrm.h updated. I am running tests various distros. The errors were due to the order in which in.h and in6.h were included. On Wed, Jun 28, 2017 at 08:03:49AM +, Ilan Tayari wrote: > This reminds me of a different thing. > With the crypto offload we easily reach 18Gbps on a single

Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC

2017-06-28 Thread Antony Antony
On Wed, Jun 28, 2017 at 05:31:06AM +, Ilan Tayari wrote: > > -Original Message- > > From: Antony Antony [mailto:ant...@phenome.org] > > Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload > > on the NIC > > > > I guess this

Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC

2017-06-27 Thread Antony Antony
oh, few informational questions. 1. how to detect which esp algorithms are supported by this card? 2. how does it deal with add_sa for a unsupported algorithm? 3. does the card support AH SA? 4. does it support xfrm acquire, block and pass polices too? 5. Any limits on number of SA supported? and

Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC

2017-06-27 Thread Antony Antony
I guess this could be applied. However, please hold on, let's update xfrm.h first. I plan to update linux26/xfrm.h with history from kernel commits. It should happen before this patch. Otherwise it is hard to know how up to date xfrm.h is. Another comment. It would be nice to add whack option?

Re: [Swan-dev] regression newoe-02-klips rasie some questions.

2017-06-26 Thread Antony Antony
On Mon, Jun 26, 2017 at 07:37:25AM -0400, Paul Wouters wrote: > On Mon, 26 Jun 2017, Antony Antony wrote: > > > AUTH payload failure is a different code path. This was AUTH payload success > > and installing SA failed; ie AUTH exchange failure. So parent advanced and > > t

Re: [Swan-dev] regression newoe-02-klips rasie some questions.

2017-06-26 Thread Antony Antony
On Fri, Jun 23, 2017 at 10:00:23PM -0400, Andrew Cagney wrote: > > http://swantest.libreswan.fi/results/blackswan/2017-06-23-swantest-3.21rc2-142-g4cb3a8b-master/newoe-02-klips/OUTPUT/road.pluto.log > > I'm not sure that us proposing something we don't support is the root > cause here; rather it

[Swan-dev] debian patch for dnssec root.key

2017-06-26 Thread Antony Antony
o do more dns magic. Thanks for testing 3.21rcX on Debian. regards, -antony >From fdf94f2756d3b3844b8d6fe62286c941d705e59f Mon Sep 17 00:00:00 2001 From: Antony Antony <ant...@phenome.org> Date: Sat, 24 Jun 2017 00:21:12 +0200 Subject: [PATCH] add dns-root-data dependency and use root.key

Re: [Swan-dev] test suite status

2017-06-18 Thread Antony Antony
On Sun, Jun 18, 2017 at 12:19:25PM -0400, Paul Wouters wrote: > On Sun, 18 Jun 2017, D. Hugh Redelmeier wrote: > > > After a pause of a few months, I ran the test suite last night. > > I tested HEAD, as of ce5d67b98214746e8e55a2a1c401343117dba1aa. > > > > A *lot* of tests seem to have failed. I

Re: [Swan-dev] new fedora22.mk missing a stuff

2017-06-08 Thread Antony Antony
I need the following packages too. I use for debugging. telnet screen mtr > I've added these (minus the version number): > > bind-utils-9.10.4-4.P8.fc24.x86_64 > net-tools-2.0-0.37.20160329git.fc24.x86_64 > psmisc-22.21-8.fc24.x86_64 > tcpdump-4.7.4-4.fc24.x86_64 > well I am also adding to

Re: [Swan-dev] future of 9fs

2017-05-17 Thread Antony Antony
Outside RHEL, the 9pfs support is gaining more support. EPEL kernel has 9fs enabled. Ubuntu seems to support it now, and XEN now. Eventually RHEL will support something like 9pfs + Windows support in secure way! For 'security' reasons 9fs is not supported now. The new RHEL blessed one seems

Re: [Swan-dev] build dependency for version.c is broken ccd2cf87 ?

2017-04-26 Thread Antony Antony
yes thanks. I didn't notice the fix when replying to .gitignore suggestion. On Wed, Apr 26, 2017 at 01:02:42PM -0400, Andrew Cagney wrote: > On 26 April 2017 at 10:20, Antony Antony <ant...@phenome.org> wrote: > > > I don't understand why not in the old behavior, > >

Re: [Swan-dev] build dependency for version.c is broken ccd2cf87 ?

2017-04-26 Thread Antony Antony
On Tue, Apr 25, 2017 at 10:52:12AM -0400, Paul Wouters wrote: > On Tue, 25 Apr 2017, Andrew Cagney wrote: > > >- the obvious problem is that the generated file version.c shouldn't > >even be in the source tree > > Can we add these to .gitignore ? Probably not necessary if the old behavior is

[Swan-dev] build dependency for version.c is broken ccd2cf87 ?

2017-04-24 Thread Antony Antony
I noticed libreswan build system is keeping a stale copy of lib/libswan/version.c possibly since commit ccd2cf. Also another related one is modobj/version.c. The second one is probably due to a different issue. And it probably has a longer history. To demonstrate the issue I picked a test

Re: [Swan-dev] multiple RSA keys for rollover, ipsec.secrets, ckaid issues

2017-04-13 Thread Antony Antony
On Wed, Apr 12, 2017 at 09:37:37PM -0400, Paul Wouters wrote: > > > I am looking at ensuring that RSA key rollover works. This is supposed > to be supported via leftrsasigkey= and leftrsasigkey2= Wouldn't a simple RSA keyrollover work with one key in the connection? May be you are thinking of

Re: [Swan-dev] Problematic commits in master

2017-04-12 Thread Antony Antony
On Mon, Apr 10, 2017 at 02:10:32PM -0400, Andrew Cagney wrote: > Can we agree that the use of macros that conditionally return as a > side effect are, in general, a bad idea and their use should not be > encouraged? why is it a bad idea? one reason I can think is running in gdb. I think it is

Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/master

2016-11-28 Thread Antony Antony
On Sun, Nov 27, 2016 at 10:48:37PM -0500, Andrew Cagney wrote: > On 27 November 2016 at 13:40, Antony Antony <ant...@vault.libreswan.fi> wrote: > > commit 749c8d5ea579fde2831cf553909c5062b41e5e74 > > Author: Antony Antony <ant...@phenome.org> > > Date:

[Swan-dev] auto-start and PLUTO_MY_SOURCEIP='192.0.2.1'

2016-11-21 Thread Antony Antony
called with up-client. Here is a simple patch for proof of concept. I modified an existing test ikev2-48-nat-cp to test, changed auto=start and removed add and up from road* -antony >From d66ee4897381d769ddb47680d34ad7da4e42033d Mon Sep 17 00:00:00 2001 From: Antony Antony <ant...@pheno

[Swan-dev] crash introduced in c2ea0911 while replacing IKEv1 ISKAMP SA

2016-10-29 Thread Antony Antony
c2ea0911 introduced a crasher for IKEv1. When pluto replace IKE SA and delete itself. #0 0x5610ca3c34b7 in free_generalNames (gn=0xe, free_name=1) at /home/build/libreswan/lib/libswan/x509dn.c:742 #1 0x5610ca329edb in delete_state (st=0x5610cb16eaa0) at

Re: [Swan-dev] missing make dependencies

2016-08-12 Thread Antony Antony
On Tue, Aug 09, 2016 at 08:51:02AM -0400, Andrew Cagney wrote: > On 8 August 2016 at 13:39, Antony Antony <ant...@phenome.org> wrote: > > here is a report of missing make dependencies. > > > > Over the weekend I tracked down a couple missing make dependencies.

[Swan-dev] missing make dependencies

2016-08-08 Thread Antony Antony
here is a report of missing make dependencies. Over the weekend I tracked down a couple missing make dependencies. Some of them are hard to track down when compiling over 9pfs or nfs... 1. addconn is missing dependency on lib/libipsecconf/keywords.c. See below to reproduce. 2. make base or

[Swan-dev] set systemd variables to aovid SIGABORT

2016-07-21 Thread Antony Antony
luto/server.c:628 #4 0x55584ea49643 in call_server () at /home/build/libreswan/programs/pluto/server.c:742 -antony commit e927f35a93c2a55f3d37ac8681230d91f5593e0a Author: Antony Antony <ant...@phenome.org> Date: Tue Jul 12 16:19:20 2016 +0200 install: expose systemd varia

Re: [Swan-dev] a scan of failing tests

2016-07-11 Thread Antony Antony
On Mon, Jul 11, 2016 at 03:54:03PM -0400, Andrew Cagney wrote: > On 11 July 2016 at 13:51, Paul Wouters <p...@nohats.ca> wrote: > > On Mon, 11 Jul 2016, Antony Antony wrote: > > > >> Subject: Re: [Swan-dev] a scan of failing tests > >> > >> may

Re: [Swan-dev] a scan of failing tests

2016-07-11 Thread Antony Antony
new files weren't added to git yet. Pushed now > > Sent from my iPhone > > > On Jul 8, 2016, at 23:53, Antony Antony <ant...@phenome.org> wrote: > > > > good to see tests are cleaned up. Thanks! From the last run, some of the > > ikev2-liveness-0x tests stil

[Swan-dev] pssert libreswan/programs/pluto/pluto_crypt.c:389

2016-07-05 Thread Antony Antony
here is the stack trace while running an interop test interop-ikev2-strongswan-15-create_child_sa ASSERTION FAILED at /home/build/libreswan/lib/libswan/constants.c:2090: p->en_last - p->en_first + 1 == p->en_checklen (gdb) bt #0 0x7fd985472a28 in __GI_raise (sig=sig@entry=6) at

Re: [Swan-dev] should final.sh shut down pluto?

2016-06-24 Thread Antony Antony
On Fri, Jun 24, 2016 at 12:42:03PM -0400, Andrew Cagney wrote: > On 24 June 2016 at 11:43, Antony Antony <ant...@phenome.org> wrote: > > additional run scripts would be nice to have. > > More than just nice. For instance: > > - west brings up a connection &

Re: [Swan-dev] should final.sh shut down pluto?

2016-06-24 Thread Antony Antony
On Fri, Jun 24, 2016 at 10:30:13AM -0400, Andrew Cagney wrote: > On 5 February 2016 at 16:31, Andrew Cagney wrote: > > On 5 February 2016 at 15:56, Paul Wouters wrote: > >> On Fri, 5 Feb 2016, Andrew Cagney wrote: > >> > >>> While this question is kind of

[Swan-dev] test suite multiple instances

2016-05-22 Thread Antony Antony
On Sun, May 22, 2016 at 10:00:31AM +0200, Antony Antony wrote: > so finally we could run multiple instances. And only one instance we could > ssh into. that is fine to me. last night it was an interesting moment to get multiple instances working :) The last couple of days when I started

Re: [Swan-dev] Two identical networks

2016-05-22 Thread Antony Antony
dhcp is not required, if you removed ip. I guess you figured that out and change to kvmsh looks good my run using two instances went well. Each instance finished in less than 5:00 hours where as one instance would take 9:30 and results are good. so finally we could run multiple instances. And

Re: [Swan-dev] Two identical networks

2016-05-21 Thread Antony Antony
are you trying to run two tests concurrently? In Docker setup bridges (on the host) have no IP address configured. So bridge with no ip address and namespace isolates the tests. In the past few days I tried similar trick with KVM. There is no IP address on swan112 which seems to work. I just

Re: [Swan-dev] [Testing] Test Suite & Docker

2016-05-15 Thread Antony Antony
not allow multiple virtual network interfaces at start. pipework is the workaround I found. This way the real ethX configs are in one place which is also used by kvm tests. -antony On Sun, May 15, 2016 at 05:51:49PM +0200, Antony Antony wrote: > Hi Ondrej, > I am still on F22:) ik

Re: [Swan-dev] [Testing] Test Suite & Docker

2016-05-15 Thread Antony Antony
how to make protostack=klips work under docker. The module is loaded on the host. All instances share the same module. -antony On Sun, May 15, 2016 at 04:21:10PM +0200, Ondrej Moris wrote: > Hey Antony, thanks for your reply, sorry for such a delayed answer, > please see my inline comments

Re: [Swan-dev] [Testing] Test Suite & Docker

2016-05-11 Thread Antony Antony
Hi Ondrej, here is a quick response. Do you still have the system where you followed the steps in [1]? On Wed, May 11, 2016 at 01:42:37PM +0200, Ondrej Moris wrote: > Hi, > > a few months ago I became aware of "libreswan testing suite docker > adventures" [1].Then I had a chance to have a

Re: [Swan-dev] Generate test certificates iff missing

2015-12-09 Thread Antony Antony
ior. make check "UPDATEONLY=1" is used while working one specific test case that has nothing to do with certs and want update the pluto on vm. Especially the uncommited working directory. On Fri, Nov 20, 2015 at 10:02:22AM +0100, Antony Antony wrote: > On Thu, Nov 19, 2015 at 0

Re: [Swan-dev] Generate test certificates iff missing

2015-11-20 Thread Antony Antony
On Thu, Nov 19, 2015 at 01:50:48PM -0500, Andrew Cagney wrote: > Heads up! > > On 23 October 2015 at 10:21, Andrew Cagney wrote: > > On 22 October 2015 at 11:02, Matt Rogers wrote: > >> > >> One note is that the CRLs (except for needupdate.crl) are

Re: [Swan-dev] early Monday test: result changes

2015-09-21 Thread Antony Antony
On Mon, Sep 21, 2015 at 11:42:03AM -0400, D. Hugh Redelmeier wrote: > newoe-20-ipv6 > New test. > Fails. Pretty completely. > Maybe it relates to this in road.pluto.log: > initiate on demand from 2001:db8:1:3::209:1 to 2001:db8:1:3::209:3 proto=58 > state: fos_start because:

Re: [Swan-dev] ikev2 broke in master 500519c..6eca8ba

2015-09-15 Thread Antony Antony
just sharing my experience. that commit, 6eca8ba4, seems to have many failures running test cases too. maybe try one before. many simple ikev2 tests have failed. e.g

Re: [Swan-dev] ikev2-12-x509-ikev1* tests fail

2015-09-08 Thread Antony Antony
On Tue, Sep 08, 2015 at 02:19:47PM -0400, Andrew Cagney wrote: > On 7 September 2015 at 12:06, Paul Wouters wrote: > > On Sat, 5 Sep 2015, D. Hugh Redelmeier wrote: > > > >> I imagine that somebody changed something without updating the > >> reference logs. > >> > >> Please fix

Re: [Swan-dev] my test run hung last night

2015-09-06 Thread Antony Antony
On Sat, Sep 05, 2015 at 06:22:30PM -0400, D. Hugh Redelmeier wrote: > | From: D. Hugh Redelmeier > > | So: this looks like a bug in swantest. > > I'm surprised to find that gdb can tell one something about a running > python program. > > Apparently swantest is hung in line

Re: [Swan-dev] netlink.h:NLMSG_OK change to avoid GCC warnings

2015-08-28 Thread Antony Antony
Here is a data point. I don't see the warning you mentioned. Maybe I need a newer gcc? There is no warning on stock Ubuntu 15.04, i686, and libreswan master. gcc --version gcc (Ubuntu 4.9.2-10ubuntu13) 4.9.2 root@vivid32:~# uname -m i686 cc -c -pthread -g -fexceptions

Re: [Swan-dev] IKEv1: Remove all IPsec SA's of a connection when newest SA is removed refs/heads/master

2015-08-26 Thread Antony Antony
On Wed, Aug 26, 2015 at 11:26:08AM -0400, Lennart Sorensen wrote: On Wed, Aug 26, 2015 at 11:23:39AM -0400, Paul Wouters wrote: On Wed, 26 Aug 2015, Lennart Sorensen wrote: Aug 5 14:50:13 ruggedcom pluto[8239]: Test #3: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xbd111c17) not

Re: [Swan-dev] Bison rule

2015-08-03 Thread Antony Antony
On Mon, Aug 03, 2015 at 03:55:23PM -0400, D. Hugh Redelmeier wrote: I just poked at the Bison rule in our lib/libipsecconf/Makefile I hope that the plan9 filesystem problem that Antony encountered remains fixed. Instead of a cat, I used a mv. yes. Thanks Paul Hugh. -antony I noticed

Re: [Swan-dev] error make check UPDATE=1

2015-07-27 Thread Antony Antony
On Thu, Jul 23, 2015 at 03:17:36AM -0400, Paul Wouters wrote: On Thu, 23 Jul 2015, D. Hugh Redelmeier wrote: | cd . bison -g --verbose -v -d ../../../lib/libipsecconf/$(basename ../../../lib/libipsecconf/parser.y) | cd . sed -i 's/if YYENABLE_NLS/if defined YYENABLE_NLS \\

[Swan-dev] error make check UPDATE=1

2015-07-22 Thread Antony Antony
I am running into an error while compiling on the vm, make check UPDATE=1 It appears to be caused by permission error, after 44e03f97f200ab8f33f3599a0b1d0d06450795da introduced a check. + tail -20 compile-log.txt * ) echo # $f ignored by Makefile.dep ;; \ esac ; \ done

Re: [Swan-dev] fips test results

2015-07-15 Thread Antony Antony
On Wed, Jul 15, 2015 at 12:58:23PM -0400, Andrew Cagney wrote: when run against a non-FIPS pluto things are more of a mess; I'm tweaking things to skip the tests by default. However, I think it would be useful to always build pluto capable of being in FIPS mode so the good tests could be run.

Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?

2015-06-23 Thread Antony Antony
I still have issues to install the patched pyOpenssl RPM on FC20. The patched package is a barrier for me. Of the 3 servers I run, so far I only managed to run distcert.py on one and I copied the generated files to the other two. -antony On Tue, Jun 23, 2015 at 12:25:48PM -0300, Paul Wouters

Re: [Swan-dev] testing, testing

2015-06-14 Thread Antony Antony
On Sun, Jun 14, 2015 at 11:38:32AM -0400, D. Hugh Redelmeier wrote: | From: Paul Wouters p...@nohats.ca | On Sun, 14 Jun 2015, D. Hugh Redelmeier wrote: | | 31 lines were unique. | 256 appeared twice. | | Why the heck are tests being run twice? When will it stop? | | Because you
