[Swan-dev] regressions since v3.22-1715-gc22eea8cd-master

Antony Antony antony at phenome.org
Mon Jul 2 18:13:04 UTC 2018 

Hi Hugh,

I will share what I stumbled up on and my suspicious commit. 

On Mon, Jul 02, 2018 at 01:12:19PM -0400, D. Hugh Redelmeier wrote:
> I noticed that some tests have started failing recently.  I haven't looked 
> carefully into why they fail.
> 
> My baseline was a run that seems to have been 
> v3.22-1715-gc22eea8cd-master (if I read my logging correctly).
> 
> Could whoever caused these fix them?  It would help the rest of us.
> 
> I don't think that I caused any of these.  If you disagree, please tell me.
> 
> ================
> 
> A bunch of certificate tests failed.  I don't know why.  (There is a
> chance that this is my fault.)
> 
> I'm looking at certoe-03-poc-whack for now, assuming all are similar.
> 
> The packet where things seem to go wrong came from road.
> In both runs, the packets are SA, KE, Notify, Notify, Notify.
> The old run had a Vendor ID payload at the end but the new one does
> not.
> 
> Each of the payloads has the same length in the old and new runs'
> packets.  So they are pretty similar.
> 
> The Vendor ID payload is interpreted by the old run:
> | received Vendor ID payload [Opportunistic IPsec]
> 
> The failure is noted with this in east.pluto.log:
> 
> | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy AUTHNULL+IKEV2_ALLOW
> packet from 192.1.3.209:500: initial parent SA message received on 192.1.2.23:500 but no suitable connection found with IKEv2 policy
> 
> The old run isn't exactly comparable, but this looks relevant:
> | found connection: clear-or-private#192.1.3.0/24[1] ...192.1.3.209 with policy RSASIG+IKEV2_ALLOW
> 
> So why do the runs think that the authorization technique is different?
> 
> find_next_host_connection() pours out a lot of logging.  At the top of its 
> outer loop, it logs "found policy =" for each connection examined.  In the 
> old run, the first ones include RSASIG but in the old run they do not.
> I suspect that this is the root of the problem.

I stumbled on something similar and from a quick look pointed me to 
the commit 1dbc99118f .  The test passed in v3.25 

NOTE: I followed a slightly different test. I think it is the same issue.

Passed 
https://swantest.libreswan.fi/results/blackswan/2018-06-27-swantest-3.25-1-gad5ba687e-master/rawrsaoe-asymmetric-01/OUTPUT/east.pluto.log

Failed:
https://swantest.libreswan.fi/results/blackswan/2018-06-28-swantest-3.25-31-g78dc1a2ff-master/rawrsaoe-asymmetric-01/OUTPUT/east.pluto.log

I noticed a few, 20 or so, asymetric, certoe*, and dnsoe* tests failed. All possibly same cause.

-antony

More information about the Swan-dev mailing list