[Swan-dev] Swan-dev Digest, Vol 88, Issue 6

Jayati Dev devjayati at outlook.com
Fri May 8 05:39:30 UTC 2020 

Please unsubscribe me from this list. Thank you!

- Jayati

________________________________
From: Swan-dev <swan-dev-bounces at lists.libreswan.org> on behalf of swan-dev-request at lists.libreswan.org <swan-dev-request at lists.libreswan.org>
Sent: Thursday, May 7, 2020 5:30 PM
To: swan-dev at lists.libreswan.org <swan-dev at lists.libreswan.org>
Subject: Swan-dev Digest, Vol 88, Issue 6

Send Swan-dev mailing list submissions to
        swan-dev at lists.libreswan.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.libreswan.org/mailman/listinfo/swan-dev
or, via email, send a message with subject or body 'help' to
        swan-dev-request at lists.libreswan.org

You can reach the person managing the list at
        swan-dev-owner at lists.libreswan.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Swan-dev digest..."


Today's Topics:

   1. f32 as a host (Andrew Cagney)
   2. Re: ikev2-child-rekey-09-windows test confusion (Paul Wouters)
   3. Re: FIPS algorithms list (Paul Wouters)
   4. Re: f32 as a host (Antony Antony)
   5. Re: ikev2-child-rekey-09-windows test confusion (Antony Antony)


----------------------------------------------------------------------

Message: 1
Date: Wed, 6 May 2020 16:30:53 -0400
From: Andrew Cagney <andrew.cagney at gmail.com>
To: Libreswan Development List <swan-dev at lists.libreswan.org>
Subject: [Swan-dev] f32 as a host
Message-ID:
        <CAJeAr6u6X3ZM-BdokggPAyiO2U7_HROrN9pUffjmKa81QFbKgw at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

FYI, and unlike F31, has F32 managed to run the full testsuite without crashing.
I've pushed the necessary tweaks.


------------------------------

Message: 2
Date: Thu, 7 May 2020 00:16:10 -0400 (EDT)
From: Paul Wouters <paul at nohats.ca>
To: Andrew Cagney <andrew.cagney at gmail.com>
Cc: Libreswan Development List <swan-dev at lists.libreswan.org>
Subject: Re: [Swan-dev] ikev2-child-rekey-09-windows test confusion
Message-ID: <alpine.LRH.2.21.2005070015240.536 at bofh.nohats.ca>
Content-Type: text/plain; charset=US-ASCII; format=flowed

On Mon, 4 May 2020, Andrew Cagney wrote:

> If this test should work then the --async can be removed.
> It's there because whack, which at the time was attached to both the old and new child, was left hanging.

Once someone makes the decision which of the two patches to put in git
master, yes this test will work properly.

Paul


------------------------------

Message: 3
Date: Thu, 7 May 2020 00:19:26 -0400 (EDT)
From: Paul Wouters <paul at nohats.ca>
To: Andrew Cagney <andrew.cagney at gmail.com>
Cc: Libreswan Development List <swan-dev at lists.libreswan.org>
Subject: Re: [Swan-dev] FIPS algorithms list
Message-ID: <alpine.LRH.2.21.2005070017380.536 at bofh.nohats.ca>
Content-Type: text/plain; charset=US-ASCII; format=flowed

On Sun, 3 May 2020, Andrew Cagney wrote:

>> So NSS is running in fips mode, but when we asked it, it said it was
>> not running in fips mode. So, using NSS to determine fips mode means we have to open the NSS
>> database in algparse too? Ofcourse, we don't parse ipsec.conf so we do
>> not know which database to open.
>
> Why do I have this feeling of deja-vu...
>
>         * Need to ensure that NSS is initialized before calling
>         * ike_alg_init().  Sanity checks and algorithm testing
>         * require a working NSS.
>         *
>         * When testing the algorithms in FIPS mode (i.e., executing
>         * crypto code) NSS needs to be pointed at a real FIPS mode
>         * NSS directory.

Things in git master should now be working properly again. The plutomain
code was changed so it does not have to check the fips status twice. And
the algparse case now initializes nss without db, so then nss returns
the system/kernel fips mode as its own fips mode.

Paul


------------------------------

Message: 4
Date: Thu, 7 May 2020 08:03:02 +0200
From: Antony Antony <antony at phenome.org>
To: Andrew Cagney <andrew.cagney at gmail.com>
Cc: Libreswan Development List <swan-dev at lists.libreswan.org>
Subject: Re: [Swan-dev] f32 as a host
Message-ID: <20200507060302.fzdmn5far7siq2q7 at AntonyAntony.local>
Content-Type: text/plain; charset=us-ascii

good. F32 guests also looks promising, smooth upgrade.
Running a couple of tests manually passed without any changes. It suggest
minimal changes to console outputs.

I have puhsed initial f32.{ks,mk} may be we can co-ordiante and upgrade
default guest version F32 sooner than letter.

to try F32 kvm add the following line to Makefile.inc.local

KVM_GUEST_OS ?= f32

On Wed, May 06, 2020 at 04:30:53PM -0400, Andrew Cagney wrote:
> FYI, and unlike F31, has F32 managed to run the full testsuite without crashing.
> I've pushed the necessary tweaks.
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev


------------------------------

Message: 5
Date: Thu, 7 May 2020 08:20:54 +0200
From: Antony Antony <antony at phenome.org>
To: Paul Wouters <paul at nohats.ca>
Cc: Libreswan Development List <swan-dev at lists.libreswan.org>
Subject: Re: [Swan-dev] ikev2-child-rekey-09-windows test confusion
Message-ID: <20200507062053.6ep3i224dpvku7na at AntonyAntony.local>
Content-Type: text/plain; charset=utf-8

On Mon, May 04, 2020 at 09:09:25PM -0400, Paul Wouters wrote:
> On Mon, 4 May 2020, Andrew Cagney wrote:
>
> > I found this and other tests weren't working as expected:
>
> Yes, because the patch was not in and the test case assuming a patch was
> :)
>
> >       ? # output should be empty
> >       road #
> >       ? grep "Notify Message Type: v2N_TS_UNACCEPTABLE" /tmp/pluto.log
> >       road #
> >
> > ?
> >       Then why is this not getting hit ?
> >
> > "road-east-x509-ipv4"[1] 192.1.2.23 #3: dropping unexpected ISAKMP_v2_CREATE_CHILD_SA message containing
> > v2N_TS_UNACCEPTABLE notification; message payloads: SK; encrypted payloads: N; missing payloads:
> > SA,Ni,TSi,TSr

that line should not be found by the grep. Grep is looking for another one.

> Ok, I guess it is hit, but _that_ output was not put in the good console
> output :)

Take look at testing, without fixes the grep found match as expected.

https://testing.libreswan.org/v3.30-659-g89de6b42a9-master/ikev2-child-rekey-09-windows/OUTPUT/east.console.txt

https://testing.libreswan.org/v3.30-659-g89de6b42a9-master/ikev2-child-rekey-09-windows/OUTPUT/road.console.txt

I was not sure to commit console output with or without the fix, while we
are undeided about the patch.


------------------------------

Subject: Digest Footer

_______________________________________________
Swan-dev mailing list
Swan-dev at lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev


------------------------------

End of Swan-dev Digest, Vol 88, Issue 6
***************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20200508/8a9f8206/attachment-0001.html>

More information about the Swan-dev mailing list