[Swan-dev] CAVP testing of libreswan build on debian

Paul Wouters paul at nohats.ca
Sat Feb 4 00:48:55 UTC 2017


On Fri, 3 Feb 2017, Daniel Kahn Gillmor wrote:

[ CC:ing swan-dev and Apostol ]

> On Fri 2017-02-03 18:14:40 -0500, Paul Wouters wrote:
>> We run CAVP tests in the "%check" part of our rpm building. Perhaps you
>> can add that to the debian builds too? This can be done on the build
>> binaries before/without running make install:
>>
>> Basically:
>>
>> # get the CAVP test files from https://download.libreswan.org/cavs/
>> bunzip2 *.fax.bz2
>> # workaround for older Xen-based machines
>> export NSS_DISABLE_HW_GCM=1
>>
>> : starting CAVS test for IKEv2
>> OBJ.linux.*/programs/pluto/cavp -v2 ikev2.fax | \
>>      diff -u ikev2.fax - > /dev/null
>> : starting CAVS test for IKEv1 RSASIG
>> OBJ.linux.*/programs/pluto/cavp -v1sig ikev1_dsa.fax | \
>>      diff -u ikev1_dsa.fax - > /dev/null
>> : starting CAVS test for IKEv1 PSK
>> OBJ.linux.*/programs/pluto/cavp -v1psk ikev1_psk.fax | \
>>      diff -u ikev1_psk.fax - > /dev/null
>> : CAVS tests passed
>>
>> The cavs files are the originals from NIST, but with the bogus SHA-224
>> entries removed (since IKE/IPsec does not have SHA-224 defined)
>
> As I said on IRC:
>
> 18:45 < dkg> LetoThinkpad: any reason we shouldn't be discussing this on-list?

No :)

> 18:45 < dkg> fetching files over the network isn't going to be OK on the debian build daemons
> 18:46 < dkg> so we'd need to ship the CAVP test files in debian

That's what we do for fedora/rhel.

> 18:46 < dkg> which means i'd need to review their licensing :/
>
> I don't see any licensing info immediately available in them either :(

It is published by the US Government, if that helps.

http://csrc.nist.gov/groups/STM/cavp/

It states at:

http://csrc.nist.gov/groups/STM/cavp/key-derivation.html#kbkdfvs

 	Test Vectors

 	Use of these test vectors does not replace validation obtained through
 	the CAVP.

 	The test vectors linked below can be used to informally verify the
 	correctness of the KBKDF algorithm listed above.

 	See the KBKDFVS document for an explanation of the files.

Unfortunately, there is no clear mention on the NIST website either
what the license of these files is. Apostol, can you clarify this?

Paul

