[Swan-dev] Regarding ikev2-03-basic-rawrsa-ckaid

Paul Wouters paul at nohats.ca
Tue Sep 8 14:09:05 UTC 2020

On Tue, 8 Sep 2020, Andrew Cagney wrote:

>> The test case was failing because there is a bug. Connections with
>> raw RSA keys without an ipsec.secrets entry do not load properly.
> A config file containing ckaid= and rsapubkey=.
>> The commit below "fixes" this with a hack, but I'd rather keep
>> the test case failing so we remember to fix this issue.
> Er, NO.
> This specific test, which I wrote, passed before the commit, viz:
>  https://testing.libreswan.org/v3.30-1565-gf016c018d3-main/ikev2-03-basic-rawrsa-ckaid/
> so should pass now
> This is deliberate.
> It exercises both the current broken behaviour and a work-around.  If
> that behaviour changes then I'd like to know (and it has - a look at
> the diff of the description shows that changed significantly).

Oh, you are right. The test case for no secrets file is

> This of course brings up basic-pluto-01-nosecrets which has _never_
> passed, had a description.txt containing utter crap, yet had to be
> marked as GOOD.

According to git, that is your text :)

commit dffc14bdb3dd3f0b0dfb0cd4a64718b558f732bb
Author: Andrew Cagney <cagney at gnu.org>
Date:   Mon Sep 7 21:33:08 2020 -0400

     testing: fix basic-pluto-01-nosecrets's description

Before yesterday's commit, it had the standard basic-pluto-01 text
because it was literally a copy of basic-pluto-01 without the "no
longer needed" secrets entry for raw RSA keys. Which got broken.

The test case shows an important bug. When you run "ipsec newhostkey"
without capturing the output, you cannot use it for any authentication
because keys no longer load on the connection. This has been a bug since
3.1x ? I even had to revert the documentation on the wiki and the RHEL
guide to re-document the command as "ipsec newhostkey > /etc/ipsec.d/some.secret"
because of this. To me, this is a very important bug that should get