[Swan-dev] testing/pluto/netkey-audit-01 fails for me
Paul Wouters
paul at nohats.ca
Tue Oct 3 02:14:23 UTC 2017
On Sun, 1 Oct 2017, Paul Wouters wrote:
> On Sun, 1 Oct 2017, D. Hugh Redelmeier wrote:
>
>> In the reference output, ksize=128
>> In the actual output, ksize=0
>>
>> This is for a bunch of lines. Here's one:
>>
>>> type=CRYPTO_IPSEC_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES
>> subj=system_u:system_r:unconfined_service_t:s0 msg='op=start
>> conn-name="ikev1" connstate=2, satype=ipsec-esp samode=tunnel cipher=AES
>> ksize=0 integ=HMAC_SHA1 in-spi=DEC(HEX) out-spi=DEC(HEX) in-spi=DEC(HEX)
>> out-spi=DEC(HEX) laddr=192.1.2.45 exe="PATH/libexec/ipsec/pluto"
>> hostname=? addr=192.1.2.23 terminal=? res=success'
>>
>> Which is correct?
>
> The reference output. This is a new bug I guess.
I fixed the ksize= bug, but I noticed another one based on the audit
log diffs that are still present in this test case when run with my
bugfix applied.

The test case runs:

  ipsec auto --up ikev1
  ipsec auto --delete ikev1
  ipsec auto --up ikev1-aggr
  ipsec auto --delete ikev1-aggr
  ipsec auto --up ikev2
  ipsec auto --down ikev2

This tests the three different kinds of CRYPTO_IKE_SA logs that can be
produced. It also creates a CRYPTO_IPSEC_SA log 3 times.

Because we run --up and --delete, we expect to see:

  IKE op=start
  IPsec op=start
  IPsec op=destroy
  IKE op=destroy
  [times 3]

But the test case currently shows that IPsec is not getting destroyed.
And instead, this only happens in final.sl when 'ipsec stop' is called.
I think this is also why our delete-sa-* cases show up a little
different. It seems we now linger ipsec sa's much longer than we used to.
Paul
> Paul
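
Added example, not part of the original message or of the libreswan test suite: a check for the start/destroy sequence the message expects per connection, reporting any connection whose audit records never reach op=destroy. The function name and the sample records are constructed, and it assumes CRYPTO_IKE_SA records carry op= and conn-name= in the same form as the CRYPTO_IPSEC_SA record quoted above.

```python
import re
from collections import defaultdict

# Sequence the message expects for each connection that is brought up and removed.
EXPECTED = [("CRYPTO_IKE_SA", "start"), ("CRYPTO_IPSEC_SA", "start"),
            ("CRYPTO_IPSEC_SA", "destroy"), ("CRYPTO_IKE_SA", "destroy")]

# Pull record type, operation and connection name out of one audit record.
# Assumption: op= comes before conn-name=, as in the record quoted in the thread.
RECORD = re.compile(
    r'type=(CRYPTO_IKE_SA|CRYPTO_IPSEC_SA)\b.*?\bop=(start|destroy)\b'
    r'.*?\bconn-name="([^"]+)"')

# Constructed sample records, trimmed to the fields used here (not real test output).
# "ikev1" completes its lifecycle; "ikev2" never logs the IPsec SA destroy.
SAMPLE = """\
type=CRYPTO_IKE_SA msg=audit(XXX): pid=PID msg='op=start conn-name="ikev1" res=success'
type=CRYPTO_IPSEC_SA msg=audit(XXX): pid=PID msg='op=start conn-name="ikev1" connstate=2, res=success'
type=CRYPTO_IPSEC_SA msg=audit(XXX): pid=PID msg='op=destroy conn-name="ikev1" res=success'
type=CRYPTO_IKE_SA msg=audit(XXX): pid=PID msg='op=destroy conn-name="ikev1" res=success'
type=CRYPTO_IKE_SA msg=audit(XXX): pid=PID msg='op=start conn-name="ikev2" res=success'
type=CRYPTO_IPSEC_SA msg=audit(XXX): pid=PID msg='op=start conn-name="ikev2" connstate=2, res=success'
type=CRYPTO_IKE_SA msg=audit(XXX): pid=PID msg='op=destroy conn-name="ikev2" res=success'
"""


def lifecycle_gaps(log_text):
    """Map each incomplete connection to the expected events it never logged."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        match = RECORD.search(line)
        if match:
            sa_type, op, conn = match.groups()
            seen[conn].append((sa_type, op))
    gaps = {}
    for conn, events in seen.items():
        missing = [event for event in EXPECTED if event not in events]
        if missing:
            gaps[conn] = missing
    return gaps


if __name__ == "__main__":
    for conn, missing in lifecycle_gaps(SAMPLE).items():
        for sa_type, op in missing:
            print(f"{conn}: no {sa_type} op={op} record")
```

It only reports missing events, not records that appear out of order.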