[Swan-dev] interop-ikev2-racoon-02-psk-responder test

D. Hugh Redelmeier hugh at mimosa.com
Tue Sep 1 00:00:37 EEST 2015


| From: Andrew Cagney <andrew.cagney at gmail.com>

| On 30 August 2015 at 14:40, Paul Wouters <paul at nohats.ca> wrote:
| > On Sun, 30 Aug 2015, D. Hugh Redelmeier wrote:

| >> It fails with this message in the console log:
| >> +002 "westnet-eastnet-ikev2" #2: invalid padding-length octet: 0x23
| >>
| >> I think that this is an oblique way of saying that the encrypted payload
| >> smells bad and will be rejected.  If so, it isn't really user-friendly.

| I concluded that racoon, for aes-cbc, was forgetting to add a
| pad-length.

Seems likely.  Are you convinced enough to change the test to consider
this a pass?

On the surface, the collection of messages isn't enough for the user
to understand what has gone on.  Pluto needs to explain that this
event causes the message to be ignored / discarded.  The implication
being that negotiation might fail due to this.  Maybe I read the log
too carelessly and all is clear.

| On 30 August 2015 at 14:40, Paul Wouters <paul at nohats.ca> wrote:

| > This message has appeared a long time ago when Andrew redid our CBC-only
| > crypto to CBC/CTR/GCM.

I think that this failure is unstable and that the test is marked as if it 
should pass.  Here are some results from recent runs:

Jul 20 00:33 tests.LOG16.results        west:bad,east:ok
Jul 20 14:56 tests.LOG17.results        west:bad,east:ok
Jul 22 01:17 tests.LOG18.results        good
Jul 24 00:50 tests.LOG19.results        west:ok,east:bad
Jul 25 03:04 tests.LOG20.results        dunno
Jul 26 10:29 tests.LOG21.results        west:bad,east:ok
Jul 27 12:57 tests.LOG23.results        good
Jul 28 09:47 tests.LOG24.results        good
Aug 24 09:00 tests.LOG26.results        west:bad,east:ok
Aug 29 11:12 tests.LOG27.results        good
Aug 30 00:38 tests.LOG28.results        west:bad,east:ok
Aug 31 10:59 tests.LOG29.results        west:bad,east:ok

It isn't always the same side that fails.

This isn't a good situation.

| >  I think this might be a
| > bug in racoon2. No one is really using or developing racoon2 AFAIK. In
| > fact, racoon1 (aka ipsec-tools) sees more development still, but has no
| > IKEv2 support.

Is there nobody to receive a bug report?
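
Added example, not part of the original message and not pluto's or racoon2's code: a minimal receiver-side check of the pad-length octet that ends a decrypted IKEv2 SK payload (layout per RFC 7296 section 3.14). The function names and the 32-octet sample buffer are constructed for illustration; the sample shows that when the final octet is not a genuine pad-length, acceptance depends on whatever value happens to be there.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Decrypted content of an IKEv2 Encrypted (SK) payload:
 *   inner payloads | padding | pad-length (1 octet)
 * Returns the number of inner-payload octets, or -1 if the final octet
 * claims more padding than the buffer holds.
 */
long sk_inner_len(const uint8_t *pt, size_t len)
{
    if (len == 0)
        return -1;
    size_t pad = pt[len - 1];
    if (pad + 1 > len)
        return -1;              /* the "invalid padding-length octet" case */
    return (long)(len - pad - 1);
}

/* Constructed sample: 32 octets (two AES blocks) whose last octet is `last`. */
long check_with_last_octet(uint8_t last)
{
    uint8_t pt[32];
    memset(pt, 0xAA, sizeof pt);
    pt[sizeof pt - 1] = last;
    return sk_inner_len(pt, sizeof pt);
}

int main(void)
{
    /* Well-formed: 28 payload octets, 3 pad octets, pad-length 0x03. */
    printf("0x03 -> %ld\n", check_with_last_octet(0x03));
    /* Final octet is unrelated data: rejected, 0x23 + 1 exceeds 32. */
    printf("0x23 -> %ld\n", check_with_last_octet(0x23));
    /* Final octet is unrelated data: accepted, but zero payload octets remain. */
    printf("0x1f -> %ld\n", check_with_last_octet(0x1f));
    return 0;
}
```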

