[Swan-dev] tests and bugs (might be interesting to GSoC students) Re: Marking never pass tests with WIP
Paul Wouters
paul at nohats.ca
Sun Mar 12 23:21:21 UTC 2017
On Thu, 9 Mar 2017, Andrew Cagney wrote:
Note: These problems listed will have minor test cases issues that are
nice small problems for GSOC students to get familiar with our code
base. But some might also be real and difficult bugs. If you want to
have a go and some of these, do join the #swan channel and ask for help.
If you want to know how to run tests, see:
https://libreswan.org/wiki/Test_Suite
> Looking at http://testing.libreswan.org/results/testing/ and excluding
> WIP we seem to consistently have 100 failing tests (you can eyeball
> this from the graph) so I did a little analysis using the script
> testing/web/never-passed.sh:
>
> - 45 are 'original' and have never ever passed
> - 16 are more recent yet also show no sign of passing
It might be worth redoing the list you made with the PEXPECT removed?
Some comments from the top of my head on your list:
> 0 230 230 ikev2-allow-narrow-01
> 0 230 230 ikev2-allow-narrow-02
> 0 230 230 ikev2-allow-narrow-03
These used to pass, but they are testing failure path. I think the
logging in the path changed.
> 0 230 230 interop-ikev2-racoon-02-psk-responder
We have no good racoon sanitizer.
> 0 230 230 interop-ikev2-strongswan-19-x509-res-certreq
> 0 230 230 interop-ikev2-strongswan-21-transport-02
> 0 230 230 interop-ikev2-strongswan-21-transport-03
> 0 230 230 interop-ikev2-strongswan-26-ke-mismatch-responder
> 0 230 230 interop-ikev2-strongswan-27-fragmentation
Should all pass, but might be kernel/strongswan version specific.
> 0 230 230 newoe-07-ike-replace-initiator-esp
> 0 230 230 newoe-15-portpass
> 0 230 230 newoe-18-poc-block
> 0 230 230 newoe-18-poc-blockall
> 0 230 230 newoe-18-private-clear
> 0 230 230 newoe-18-private-clearall
> 0 230 230 newoe-19-poc-poc-clear
> 0 230 230 newoe-20-ipv6
> 0 230 230 newoe-21-liveness-clear
Should all pass.
> 0 230 230 nss-cert-08-mismatch
Recently got a code fix to get it to pass, but needs updatin.
> 0 230 230 nss-cert-nosecret
> 0 230 230 nss-cert-ocsp-01-strict
> 0 230 230 nss-cert-ocsp-02
> 0 230 230 nss-cert-ocsp-02-ikev2
> 0 230 230 nss-cert-ocsp-03-strict
> 0 230 230 nss-cert-ocsp-04
> 0 230 230 nss-cert-ocsp-05-strict
> 0 230 230 nss-cert-ocsp-06
> 0 230 230 nss-cert-ocsp-07-nourl
Some people show a weird ocspd problem on nic. Some people have
no ocspd on nic :P
> 0 218 218 dnssec-pluto-01
I'm working on this code and will pick it up
> 0 218 218 dpd-01
> 0 218 218 dpd-04
> 0 218 218 dpd-06
the dpd and liveness tests are awful to get consistent :( Usually
all these are false positives.
> 0 218 218 l2tp-01
> 0 218 218 l2tp-02
I've looked at this a few times. It seems a real bug, but I haven't
been able to locate it yet.
> 0 177 177 seccomp-01-enabled
> 0 177 177 seccomp-02-tolerant
experimental code needs fixing
> 0 152 152 nss-cert-09-notyetvalid-initiator
> 0 152 152 nss-cert-09-notyetvalid-initiator-ikev2
> 0 152 152 nss-cert-10-notyetvalid-responder
> 0 152 152 nss-cert-10-notyetvalid-responder-ikev2
These should work, but do require libfaketime and faketime seems to
not work properly when using docker. I thought these should pass
using kvm though.
> 0 152 152 nss-cert-ocsp-08-post
same ocspd issue?
> 0 75 75 addconn-01
A recent add for testing a parser bug. The bug is still there :)
> 0 53 53 certoe-01-whack
should work?
> 0 53 53 certoe-07-nat-2-clients
> 0 53 53 certoe-08-nat-packet-cop-restart
> 0 49 49 nss-cert-chain-01-ikev2
> 0 49 49 nss-cert-chain-03-ikev2
> 0 49 49 nss-cert-chain-04-ikev2
Should also work.
> 0 37 37 ikev1-aggr-sendcert-01
Recently added test case to show a bug where we did not properly
send CERT payloads in Aggressive Mode. I think this bug still needs
fixing. It was fixed recently for Main Mode I think.
> 0 18 18 netkey-vti-06c
I think this one shows a known kernel bug.
> 5 225 230 nflog-01-global
This is a weird one too. I looked at it a few times. It should work.
> 6 224 230 ipsec-hostkey-ckaid-02-fips
> 8 0 8 ikev2-algo-ike-dh-ecp-01
> 8 0 8 interop-ikev2-strongswan-33-ike-dh-ecp-responder
I assume you know best about these? :)
> 33 197 230 nss-cert-ocsp-01
> 33 197 230 nss-cert-ocsp-01-chain
> 33 197 230 nss-cert-ocsp-01-ikev2
> 33 197 230 nss-cert-ocsp-03
> 33 197 230 nss-cert-ocsp-03-ikev2
> 33 197 230 nss-cert-ocsp-05
> 33 197 230 nss-cert-ocsp-05-ikev2
same ocspd?
> 41 6 47 delete-sa-09-rhbz1311360-c32
This shows a bug that is fixed, so it should work. Perhaps test just
needs updating.
> 45 8 53 ikev2-asymmetric-01-parsing
This is a new one to ensure we parse all auth/authby properly. Probably
needs updating.
> 47 1 48 delete-sa-08-rhbz1311360
Also shows a bug that is fixed so should work or might need an update.
> 48 1 49 nss-cert-chain-02-ikev2
> 48 1 49 nss-cert-chain-04
Recent work should have fixed these too.
> 50 3 53 ikev2-asymmetric-04-null-rsaraw
> 50 3 53 ikev2-asymmetric-07-psk-rsaraw
> 50 3 53 ikev2-asymmetric-08-psk-rsacert
> 50 3 53 ikev2-asymmetric-09-rsaraw-null
> 50 3 53 ikev2-asymmetric-12-rsacert-null
> 50 3 53 ikev2-asymmetric-13-rsacert-psk
> 50 3 53 ikev2-asymmetric-15-rsaraw-rsaraw
Should all work. There might be a bug in finding the right
connection in some combinations. I forgot what the current
status was here.
> 63 167 230 ikev2-01-fallback-ikev1
The code tested here is slated to be removed, once we make
conns to be either ikev1 or ikev2 but not both. Similar with
the bidown attack test case. But it should currently work
with the fallback.
> 66 39 105 klips-algo-twofish-01
> 71 34 105 klips-algo-serpent-01
should work?
> 72 100 172 ikev1-impair-gx-02
some of these were the pexect problems that got resolved two
days ago.
> 89 16 105 klips-algo-cast-01
should work ?
> 113 105 218 netkey-audit-01
Requires proper USE_LINUX_AUDIT=true which is not the default.
I think if debian/ubuntu support the auditd now, we can change
the default to be enabled.
> 159 59 218 netkey-algo-twofish-01
should work.
> 160 58 218 netkey-algo-aes_ccm-01
> 160 58 218 netkey-algo-aes_gcm-01
> 160 58 218 netkey-algo-aes_gcm-02
> 160 58 218 netkey-algo-aes_gcm-03
should work?
> 167 63 230 ikev2-delete-02
We changed some of our delete/restart bhaviour, and we are not
done with the changes yet. So some of these delete test cases
might be in flux for a bit.
> 167 63 230 netkey-tfc-01
> 167 63 230 netkey-tfc-02
> 171 59 230 netkey-tfc-03
Requires new enough kernel (4.x maybe?)
> 172 58 230 ikev2-invalid-ke-02-wrong-modp
> 174 56 230 ikev2-11-simple-psk
> 174 56 230 ikev2-algo-ike-sha2-03
should work?
> 174 56 230 xauth-pluto-05
> 174 56 230 xauth-pluto-06
> 174 56 230 xauth-pluto-09
> 174 56 230 xauth-pluto-19
> 175 55 230 basic-pluto-06
these might need fixing.
> 177 53 230 ikev2-delete-01
See above.
> 179 39 218 netkey-algo-null-01
> 179 39 218 netkey-algo-serpent-01
> 180 50 230 ikev2-12-transport-psk
should work.
> 181 49 230 x509-pluto-02
> 181 49 230 x509-pluto-03
might be obsolete ones, will need to look.
> 181 37 218 ikev1-isakmp-reserved-flags-01
> 181 37 218 ikev1-isakmp-reserved-flags-02
I think the failure path changed output.
> 184 46 230 algo-pluto-13-invalid-3des
I think this tested a bogus keysize, but then we
switched to rejecting to load these. Might require
a new impair to send bogus keysize value over the
wire.
> 184 46 230 ikev2-21-mode-mismatch-02
This might have changed. The RFC says if client requests
transport mode, but server refuses transport mode, client
needs to use tunnel mode. We might insist on exact match,
or changed to following the spec without updating the
test case.
> 201 29 230 ikev2-invalid-ke-01-invalid-modp
> 201 29 230 ikev2-invalid-ke-03-default-initiator
> 201 29 230 ikev2-invalid-ke-04-default-responder
Should work but failure path output might have changed?
> 212 18 230 ikev2-isakmp-reserved-flags-01
> 212 18 230 ikev2-isakmp-reserved-flags-02
> 212 18 230 ikev2-minor-version-initiator
> 212 18 230 ikev2-minor-version-responder
> 212 18 230 ikev2-payload-reserved-flags-01
Same.
> 213 17 230 ikev2-algo-esn-01
> 213 17 230 ikev2-algo-esn-03
> 213 17 230 ikev2-algo-esn-05
> 213 17 230 ikev2-algo-esn-06
Might depend on kernel version. Might need 4.x
> 213 5 218 l2tp-02-netkey
A real concern / bug like the other two l2tp test cases.
> 214 4 218 netkey-vti-02
I believe these first two VTI testcases predated some of the
VTI features and need updating. I thought I did that though?
> 229 1 230 newoe-18-*
And all the others. These should pass, but are known to be
sensitive to machine speeds with false positives on whether
it eats 1 or 2 packets.
Paul
More information about the Swan-dev
mailing list