[Swan-dev] Regarding ikev2-03-basic-rawrsa-ckaid

Andrew Cagney andrew.cagney at gmail.com
Tue Sep 8 12:34:01 UTC 2020


On Tue, 8 Sep 2020 at 00:32, Paul Wouters <paul at nohats.ca> wrote:
>
>
> The test case was failing because there is a bug. Connections with
> raw RSA keys without an ipsec.secrets entry do not load properly.

A config file containing ckaid= and rsapubkey=.

> The commit below "fixes" this with a hack, but I'd rather keep
> the test case failing so we remember to fix this issue.

Er, NO.

This specific test, which I wrote, passed before the commit, viz:
  https://testing.libreswan.org/v3.30-1565-gf016c018d3-main/ikev2-03-basic-rawrsa-ckaid/
so should pass now.

This is deliberate.

It exercises both the current broken behaviour and a work-around.  If
that behaviour changes then I'd like to know (and it has - a look at
the diff of the description shows that changed significantly).

This of course brings up basic-pluto-01-nosecrets which has _never_
passed, had a description.txt containing utter crap, yet had to be
marked as GOOD.


> ---------- Forwarded message ----------
> Date: Mon, 7 Sep 2020 17:29:35
> From: Andrew Cagney <cagney at vault.libreswan.fi>
> To: swan-commit at lists.libreswan.org
> Subject: [Swan-commit] Changes to ref refs/heads/main
>
> New commits:
> commit f22ca063af1bece186346f1fdf02514ae089035c
> Author: Andrew Cagney <cagney at gnu.org>
> Date:   Mon Sep 7 17:27:37 2020 -0400
>
>      testing: review and update ikev2-03-basic-rawrsa-ckaid
>
>      Quirks when specifying the CKAID of a raw RSA key in a basic IKEv2 connection.
>
>      Connections involving rsasigkey are performed using two whack messages
>      which:
>
>      1. add the connection _without_ the raw key
>      2. add the raw key
>
>      This breaks "ipsec auto --add east-ckaid-rsasigkey":
>
>      - the first whack message tries to add the connection; since it
>        specifies ..ckaid=..., but rsasigkey hasn't yet been added, it fails
>
>      But there's a work-around:
>
>      1. "ipsec auto --add east-rsasigkey"
>
>         this adds east's rsasigkey to the database
>
>      2. "ipsec auto --add east-ckaid"
>
>         loads because the command above loaded the RSASIGKEY
>

