Re: [Swan-dev] error message when not running?

2017-03-20 Thread Matt Rogers
On Mon, Mar 20, 2017 at 12:20 PM, Paul Wouters wrote: > > I received this bug report, which I kind of agree with. But I'd like to > hear from others. > > Paul > I agree as well, it's redundant. Regards, Matt

Re: [Swan-dev] crash introduced in c2ea0911 while replacing IKEv1 ISAKMP SA

2016-11-14 Thread Matt Rogers
On Sat, 2016-11-12 at 10:21 +0200, Tuomo Soini wrote: > On Fri, 11 Nov 2016 13:47:03 -0500 > Matt Rogers wrote: > > > > > I've added a patch and comment to the bug; with 14348a4e reverted > > and > > the patch applied, there should be no more

Re: [Swan-dev] crash introduced in c2ea0911 while replacing IKEv1 ISAKMP SA

2016-11-11 Thread Matt Rogers
On Wed, 2016-11-02 at 20:32 +0200, Tuomo Soini wrote: > On Sat, 29 Oct 2016 19:10:18 +0200 > Antony Antony wrote: > > > > > c2ea0911 introduced a crasher for IKEv1. When pluto replace IKE SA > > and delete itself. > > > > #0  0x5610ca3c34b7 in free_generalNames (gn=0xe, free_name=1) > >    

Re: [Swan-dev] Generate test certificates iff missing

2015-10-22 Thread Matt Rogers
- Original Message - > From: "Andrew Cagney" > To: "Libreswan Development List" > Sent: Thursday, October 22, 2015 10:32:12 AM > Subject: [Swan-dev] Generate test certificates iff missing > > I'd like to change testing/pluto/Makefile so that "make check" will > generate the certificates

[Swan-dev] Including "ipsec ca"

2015-07-13 Thread Matt Rogers
I've pushed a branch called ipsec_ca with the WIP python code that makes up the 'ipsec ca' command. Right now it's not install-able to be used with the ipsec wrapper, so if you want to test it out, you can run _ipsec_ca under the programs/_ipsec_ca/ directory. 'ipsec ca' is a tool for users that

Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?

2015-06-24 Thread Matt Rogers
On June 24, 2015 11:34:53 AM EDT, "D. Hugh Redelmeier" wrote: >| From: Andrew Cagney > >| This doesn't seem like a reason for retaining the old shell scripts - >| they are so far behind that they don't even generate all the required >| keys. BTW, best place to run dist_certs.py is on one of th

Re: [Swan-dev] pluto: Fix bogus "no RSA public key known for '%fromcert'"

2015-05-01 Thread Matt Rogers
On 05/01, Herbert Xu wrote: > When refine_host_connection tests against a %fromcert RW connection > followed by other right=%any connections with fixed IDs (e.g., > @hostname), it will lose the fromcert setting. So when it does > eventually return with the %fromcert RW connection fromcert will > b

Re: [Swan-dev] pluto: Fix NSS certificate crash

2015-05-01 Thread Matt Rogers
On 04/30, Herbert Xu wrote: > When we instantiate a connection we simply copy the certificate > over, without getting a reference count over the new certificate > reference, resulting in a bogus certificate when the instance is > deleted. > > Signed-off-by: Herbert Xu > > diff --git a/programs/p
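The failure mode described in the quoted patch (an instance copies the certificate pointer without taking its own reference, so deleting the instance frees the certificate still held by the template) is a classic refcount use-after-free. The following is an added example, not Herbert Xu's patch and not libreswan or NSS code: it uses a toy refcounted `struct cert` standing in for NSS's `CERTCertificate` (whose real reference-taking call is `CERT_DupCertificate()`, paired with `CERT_DestroyCertificate()`), and the names `instantiate_buggy`, `instantiate_fixed`, `delete_conn` and `template_cert_freed` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy refcounted certificate; stands in for NSS's CERTCertificate, whose
 * real equivalents are CERT_DupCertificate()/CERT_DestroyCertificate(). */
struct cert {
    int refs;
    char subject[64];
};

static int g_freed;  /* how many cert objects have been freed (demo bookkeeping) */

struct cert *cert_new(const char *subject)
{
    struct cert *c = calloc(1, sizeof *c);
    if (c == NULL)
        abort();
    c->refs = 1;
    snprintf(c->subject, sizeof c->subject, "%s", subject);
    return c;
}

struct cert *cert_ref(struct cert *c)
{
    c->refs++;
    return c;
}

void cert_unref(struct cert *c)
{
    if (--c->refs > 0)
        return;
    g_freed++;
    memset(c, 0xdd, sizeof *c);  /* poison: a stale read now looks obviously wrong */
    free(c);
}

/* A connection "end" that carries a certificate, as a template or an instance. */
struct conn {
    struct cert *cert;
};

/* The bug: the instance copies the pointer but takes no reference of its own. */
void instantiate_buggy(const struct conn *tmpl, struct conn *inst)
{
    inst->cert = tmpl->cert;
}

/* The fix: each holder of the pointer owns exactly one reference. */
void instantiate_fixed(const struct conn *tmpl, struct conn *inst)
{
    inst->cert = cert_ref(tmpl->cert);
}

void delete_conn(struct conn *c)
{
    if (c->cert != NULL) {
        cert_unref(c->cert);
        c->cert = NULL;
    }
}

/*
 * Create an instance from a template, delete the instance, and report whether
 * the template's certificate was freed out from under it (1) or not (0).
 */
int template_cert_freed(int fixed)
{
    struct conn tmpl = { cert_new("CN=east.example") };  /* constructed sample */
    struct conn inst = { NULL };
    int freed_before = g_freed;

    if (fixed)
        instantiate_fixed(&tmpl, &inst);
    else
        instantiate_buggy(&tmpl, &inst);

    delete_conn(&inst);
    int freed = g_freed - freed_before;

    /* On the buggy path tmpl.cert now dangles; touching it would be a
     * use-after-free, and unref'ing it a double free, so just drop it. */
    if (freed)
        tmpl.cert = NULL;
    delete_conn(&tmpl);
    return freed;
}

/* Reference count held on the template's cert after a fixed instantiation. */
int refs_after_fixed_instantiate(void)
{
    struct conn tmpl = { cert_new("CN=east.example") };
    struct conn inst = { NULL };
    instantiate_fixed(&tmpl, &inst);
    int refs = tmpl.cert->refs;
    delete_conn(&inst);
    delete_conn(&tmpl);
    return refs;
}

int main(void)
{
    printf("buggy instantiate: template cert freed = %d\n", template_cert_freed(0));
    printf("fixed instantiate: template cert freed = %d\n", template_cert_freed(1));
    return 0;
}
```

The poisoning in `cert_unref` is there so that, if the buggy path is exercised under a debugger or ASan, the dangling template pointer is visibly garbage rather than a plausible-looking certificate; the same failure in pluto only shows up when the deleted instance's cert is later dereferenced through the surviving connection.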

Re: [Swan-dev] notes from meeting nss guys

2015-02-27 Thread Matt Rogers
On 02/26, Paul Wouters wrote: > On Tue, 24 Feb 2015, Matt Rogers wrote: > > >Yes, the re-write uses the SQL format database which is for allowing > >simultaneous access. Now the decoding, verification, revocation checking > >and importing of certificates is handled by a

Re: [Swan-dev] notes from meeting nss guys

2015-02-24 Thread Matt Rogers
On 02/24, Antony Antony wrote: > Hi, > Yesterday Paul and I met with NSS guys and here are some notes from the > meeting. > Thanks for the notes! I'm bummed I missed it considering I have been working on the x509 NSS re-write recently. > NSPR threading: no need to use NSPR threading on Linux, b

Re: [Swan-dev] Pluto crash with expired certificates

2015-02-06 Thread Matt Rogers
On 02/05, Paul Wouters wrote: > On Thu, 5 Feb 2015, Wolfgang Nothdurft wrote: > > >With commit aac20299b27be6c401cb5d45262a559994e52431 a bug was > >introduced that causes pluto to crash if an end user certificate > >is expired. > > >The attached patch added the missing return false statement to

Re: [Swan-dev] test cases as documentation versus ipsec.conf.common ease of use

2015-02-04 Thread Matt Rogers
On 02/04, Paul Wouters wrote: > > Antony brought up a while ago that due to our use of ipsec.conf.common, > the test cases do not work very well as documentation. It would be much > better to write out the full configurations so people can read them and > understand them better. > > I did not lik

Re: [Swan-dev] generating x509 certificates

2015-02-04 Thread Matt Rogers
On 02/04, Andrew Cagney wrote: > Matt, > thanks for the reply, > > On 3 February 2015 at 17:27, Matt Rogers wrote: > > > Hey, sorry for the late reply here. Been away from email/irc for the > > day. In short the dist_certs.py is the WIP replacement for the > > s

Re: [Swan-dev] generating x509 certificates

2015-02-03 Thread Matt Rogers
On 02/03, Andrew Cagney wrote: > Hi, > > I've hit a few problems when trying to run the tests that require > certificates. The main one is that the script dist_certs fails as > openssl (Fedora release 20 (Heisenbug) at least) doesn't like > generating the bad certificate: > > The organizationNam

Re: [Swan-dev] shared IKE SA interop bug with cisco

2014-12-08 Thread Matt Rogers
On 12/04, Antony Antony wrote: > can you commit test as a wip? I am curious to see what is going on. I need > the same for IKEv2 and CREATE_CHILD_SA. > Take a look at the conn_shared_ike branch that I pushed, it has a test and continuation of the patch. I was focusing on the IKEv1 side of this s

Re: [Swan-dev] shared IKE SA interop bug with cisco

2014-12-04 Thread Matt Rogers
On 11/30, Paul Wouters wrote: > On Fri, 28 Nov 2014, Matt Rogers wrote: > > >>Matt wrote the problem below. I am still confused what exactly is > >>happening and why we would need his patch for this. I would think > >>that if we --down tunnelA we should notic

Re: [Swan-dev] dist_certs.py and crl tests

2014-12-01 Thread Matt Rogers
On 11/28, Paul Wouters wrote: > On Fri, 28 Nov 2014, Matt Rogers wrote: > > (moved discussion to swan-dev) > > >>The intent was that the signature made by the CAcert over the CRL was > >>either not yet valid or expired. This is unrelated to the content of the

Re: [Swan-dev] shared IKE SA interop bug with cisco

2014-11-28 Thread Matt Rogers
On 11/25, Paul Wouters wrote: > > Matt wrote the problem below. I am still confused what exactly is > happening and why we would need his patch for this. I would think > that if we --down tunnelA we should notice the phase1 is still used > by tunnelB and leave/move it around instead? > The use

Re: [Swan-dev] OCSP support in libreswan

2014-11-07 Thread Matt Rogers
On November 7, 2014 10:28:31 AM EST, "CHEN, JIANFU (RC-CA)" wrote: >The company I am working with plan to have OCSP (online certificate >status protocol) support for VPN. > >The system we are using for VPN is libreswan. But I found that >currently libreswan does not have OCSP support. > >I foun

Re: [Swan-dev] a different git branching model for Libreswan

2014-10-30 Thread Matt Rogers
On 10/30, Paul Wouters wrote: > > > >In this one, master is sacred and seems to only include final > >releases. > > This is the model (and in fact the actual web page describing it) that > we were trying to deploy. What I like about it is th

Re: [Swan-dev] OCSP timeline ?

2014-10-30 Thread Matt Rogers
On 10/29, jone...@teksavvy.com wrote: > Hello, > > Is there a timeline for the integration of an OCSP feature in > Libreswan ? What would be a reasonable timeframe ? > > Thanks ! No real timeline to share, but it's being worked on. The current x509 code is changing significantly in order to h

Re: [Swan-dev] a different git branching model for Libreswan

2014-10-29 Thread Matt Rogers
On 10/29, D. Hugh Redelmeier wrote: > My suggested solution: release/freeze branches > == > > We should never freeze master. > > When we want a freeze for a release, create a release branch. > > Work continues on master. > > If something should be in

Re: [Swan-dev] VID and IKE v2

2014-10-03 Thread Matt Rogers
On October 3, 2014 7:25:17 PM EDT, Paul Wouters wrote: >On Fri, 3 Oct 2014, D. Hugh Redelmeier wrote: >fragmentation will be done differently in ikev2 unfortunately, using: > >https://tools.ietf.org/html/draft-ietf-ipsecme-ikev2-fragmentation-10 > >Although nothing stops us from adding a Notify

[Swan-dev] NSS DB update

2014-09-03 Thread Matt Rogers
Hey all, I've pushed a branch called nss_upgrade_9_03 that has patches for pluto to start using an SQL format NSS database, outside of the ipsec.d dir (/var/lib/pluto by default). Pluto still opens the database read-only as the intent is to use helper programs to write to the database as needed in

Re: [Swan-dev] naming v2 states

2014-08-29 Thread Matt Rogers
I like the suggested set at the bottom there. I think avoiding calling the resulting states a CHILD and instead calling them IKE or IPSEC is a good idea. I also like the idea of incorporating the intended SA type in the CHILD exchange's state names. Matt

[Swan-dev] CA chains / Bug 182

2014-08-15 Thread Matt Rogers
Hey all, I pushed the branch for this so I can start getting some eyes on it. Test cases are on the way. A summary of the changes: - Added load_end_ca_path() to load the available intermediate CA certs into the connection - Added the connection option "sendca=none|issuer|all". This is a very

[Swan-dev] Storing of cert chains

2014-08-02 Thread Matt Rogers
I'm using the spd "end" structures 'this' and 'that' (ie c->spd.that.ca_path) to store the chain of CA certs. The 'this' end is loaded with the local cert path of the end certificate on a connection add, and the 'that' end is a list of CA certs received from the peer (which are all validated as a g

[Swan-dev] passert on latest master

2014-06-08 Thread Matt Rogers
Just noticed this while testing other things (I was creating the auth fail on purpose): Jun 8 11:29:05 east pluto[18494]: "cert" #1: ignoring informational payload AUTHENTICATION_FAILED, msgid=, length=12 Jun 8 11:29:05 east pluto[18494]: | ISAKMP Notification Payload Jun 8 11:29:05 ea

[Swan-dev] IKEv2 rekey saga

2014-05-28 Thread Matt Rogers
Here's what I have so far. With the event replacement changes in the patch, ipsecdoi_replace initiates and sends a new Parent SA when the old one expires. The rekeymargin options also don't seem to work with IKEv2 (since it's not negotiated?) so I needed a hack to delay the delete event otherwise i

Re: [Swan-dev] nss updates, addcon bug #86 and libreswan 3.9 release

2014-05-28 Thread Matt Rogers
On 05/28, Wolfgang Nothdurft wrote: > Hi Matt, > > I've tested the nss_updates branch and it works good. > I have updated your changes to the actual master branch if needed. > > The only problem is, if you renew a certificate, libreswan holds the > old one. > > The problem seems the missing CERT

Re: [Swan-dev] atoi -- just say no

2014-05-19 Thread Matt Rogers
On 05/17, D. Hugh Redelmeier wrote: > Through this process, I'm coming to think that a ttoul-like function that > also does range-checking would be worthwhile. It is just too easy to be > lazy about range checks. It could just be a wrapper for ttoul, and that could replace the manual checks in
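The thread's point is that atoi() has no error channel: trailing garbage, a missing number and overflow all come back looking like a value, so range checks get skipped. Below is an added example of the kind of range-checking wrapper being discussed, written against the standard strtoul() rather than libreswan's own ttoul(); it is not libreswan code, and the names `parse_ulong_range`, `port_status`, `port_value` and the port keyword it validates are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Result codes for the hypothetical range-checked parser (not libreswan's). */
enum parse_err {
    PARSE_OK = 0,
    PARSE_EMPTY,     /* no digits at all */
    PARSE_BADCHAR,   /* leading sign/space or trailing garbage, e.g. "12abc" */
    PARSE_OVERFLOW,  /* does not fit in an unsigned long */
    PARSE_RANGE      /* numerically valid but outside [lo, hi] */
};

/*
 * Parse an unsigned integer in the given base and require lo <= value <= hi.
 * Every failure mode atoi() hides is reported as a distinct code, and *out is
 * only written on success.
 */
enum parse_err parse_ulong_range(const char *s, int base,
                                 unsigned long lo, unsigned long hi,
                                 unsigned long *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s == '\0')
        return PARSE_EMPTY;
    /* strtoul() skips leading whitespace and accepts a '-' sign (wrapping the
     * value modulo ULONG_MAX+1); neither belongs in a config keyword value. */
    if (isspace((unsigned char)*s) || *s == '-' || *s == '+')
        return PARSE_BADCHAR;

    errno = 0;
    v = strtoul(s, &end, base);
    if (errno == ERANGE)
        return PARSE_OVERFLOW;
    if (end == s)
        return PARSE_EMPTY;      /* e.g. "abc" in base 10 */
    if (*end != '\0')
        return PARSE_BADCHAR;    /* e.g. "12abc": atoi() would return 12 */
    if (v < lo || v > hi)
        return PARSE_RANGE;
    *out = v;
    return PARSE_OK;
}

/* Hypothetical keyword that must be a TCP/UDP port: decimal, 1..65535. */
enum parse_err port_status(const char *s)
{
    unsigned long v;
    return parse_ulong_range(s, 10, 1, 65535, &v);
}

/* Value of a valid port string, or 0 if port_status() would reject it. */
unsigned long port_value(const char *s)
{
    unsigned long v = 0;
    return parse_ulong_range(s, 10, 1, 65535, &v) == PARSE_OK ? v : 0;
}

int main(void)
{
    /* Constructed inputs; the overflow case is left out of the atoi() column
     * because atoi() on an out-of-range value is undefined behaviour. */
    static const char *const inputs[] = {
        "500", "4500", "0", "65536", "12abc", "", "-1", " 5"
    };
    static const char *const names[] = {
        "ok", "empty", "badchar", "overflow", "range"
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        /* atoi() has no error channel: garbage and empty input look like numbers. */
        printf("%-8s atoi=%-6d checked=%s\n", inputs[i], atoi(inputs[i]),
               names[port_status(inputs[i])]);
    }
    return 0;
}
```

Rejecting a leading '+' or '-' up front matters more than it looks: strtoul("-1") succeeds and yields ULONG_MAX, which a plain "v <= hi" check would catch but a caller that only tests for errno would not.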

Re: [Swan-dev] blocked old dev branches - deleting soon

2014-05-14 Thread Matt Rogers
On 05/14, Paul Wouters wrote: > > The following branches are now locked and will not accept updates > anymore. git push to these will fail. > > 3.5_modecfgdomain > 3.5_payload_constants_update > addresspool-play > crypt-helper-simplify > fedora18 > fragmentation > hugh-wip > hughdaniel > ikev2-fe

[Swan-dev] Adding standalone test program

2014-05-06 Thread Matt Rogers
Is there a generic Makefile or a spot in the source tree to add in a standalone test program? It will just need the usual headers plus the NSS libraries. I tried using some of the Makefiles for other programs in testing/lib, but it looks like the testing "functions.sh" script didn't like it. I'm no

Re: [Swan-dev] More confusion of options to clean up regarding phase1 and phase2 options

2014-04-21 Thread Matt Rogers
On 04/19, Paul Wouters wrote: > >> > >Aliasing options right now is a hack, so that is something that should be > >built in and easy for us to add new aliases. > > I'm not sure how easy that is to do. I'm fine with an easier way of > adding them. Are you thinking a "preparsing" that rewrites alia

Re: [Swan-dev] More confusion of options to clean up regarding phase1 and phase2 options

2014-04-19 Thread Matt Rogers
On April 18, 2014 7:52:34 PM EDT, Paul Wouters wrote: > >I worked on the esp= / ike= mess yesterday by reviving the test case. >Also something I should not have put so much time in :( Those keywords >are a true mess, and it will get worse with EC. We need to deal with: > > esp=/ah= or phase2

Re: [Swan-dev] [cryptography] Announcing Mozilla::PKIX, a New Certificate Verification Library (fwd)

2014-04-10 Thread Matt Rogers
On Thu, Apr 10, 2014 at 10:40:40AM -0400, Lennart Sorensen wrote: > On Mon, Apr 07, 2014 at 07:22:51PM -0400, Paul Wouters wrote: > > wonder if we can use this instead of the legacy x509 code > > I would prefer avoiding having to maintain yet another crypto library. > Needing openssl and gnutl

Re: [Swan-dev] understanding output of the tests

2014-04-02 Thread Matt Rogers
On Wed, Apr 02, 2014 at 12:10:38AM -0400, D. Hugh Redelmeier wrote: > > > Some prompts and commands don't seem to line up properly. This would > seem to be a challenge to the integrity of the tests. Here's an > example from my current run of basic-pluto-01: > > west # > - ipse

[Swan-dev] fedora 20 klips build

2014-03-12 Thread Matt Rogers
o act as the global root namespace. I tested klips on fedora kernels with and without CONFIG_USER_NS with this patch and things worked normally. Thanks, Matt commit be0cef873b85a8b4356ecf0fbebb5f83d19ca3b4 Author: Matt Rogers Date: Wed Mar 12 22:34:45 2014 -0400 klips: convert kuid_t wit

[Swan-dev] Building current HEAD on Fedora 20

2014-03-03 Thread Matt Rogers
For 3.13.4-200.fc20.x86_64 this runs into: /source/modobj/pfkey_v2.c: In function ‘pfkey_create’: /source/modobj/pfkey_v2.c:742:14: error: incompatible types when assigning to type ‘uint32_t’ from type ‘kuid_t’ key_pid(sk) = current_uid(); This has something to do with some newish user namespac

Re: [Swan-dev] dpd vs liveness code suggests possibly missing code for liveness

2014-02-13 Thread Matt Rogers
- Original Message - > From: "Paul Wouters" > To: mrog...@redhat.com > Cc: swan-dev@lists.libreswan.org > Sent: Sunday, February 9, 2014 5:28:00 PM > Subject: dpd vs liveness code suggests possibly missing code for liveness > > > I was cleaning up some dpd.h includes while trying to cl

Re: [Swan-dev] more dpd and liveness comments

2014-02-13 Thread Matt Rogers
- Original Message - > From: "Paul Wouters" > To: mrog...@redhat.com > Cc: swan-dev@lists.libreswan.org > Sent: Sunday, February 9, 2014 5:50:53 PM > Subject: more dpd and liveness comments > > > Looking at: > > bool st_liveness; /* Liveness checks */ >

Re: [Swan-dev] dpd vs liveness code suggests possibly missing code for liveness

2014-02-10 Thread Matt Rogers
- Original Message - > From: "Paul Wouters" > To: mrog...@redhat.com > Cc: swan-dev@lists.libreswan.org > Sent: Sunday, February 9, 2014 5:28:00 PM > Subject: dpd vs liveness code suggests possibly missing code for liveness > > > I was cleaning up some dpd.h includes while trying to clea

Re: [Swan-dev] Matt's changes to informational message handling

2014-02-04 Thread Matt Rogers
Just pushed an update to the main test case, to test both hosts having liveness enabled. Example of what we would be looking for in the logs: east initiating liveness from the scheduled event: | next event EVENT_v2_LIVENESS in 0 seconds for #2 | *time to handle event | handling event EVENT_v2_L

Re: [Swan-dev] Matt's changes to informational message handling

2014-02-04 Thread Matt Rogers
- Original Message - > From: "Paul Wouters" > To: "D. Hugh Redelmeier" , "Matt Rogers" > Cc: "Libreswan Development List" > Sent: Tuesday, February 4, 2014 1:52:26 AM > Subject: Re: [Swan-dev] Matt's changes to informational