[Swan-dev] regressions since v3.22-1715-gc22eea8cd-master

Antony Antony antony at phenome.org
Mon Jul 2 18:13:04 UTC 2018

Hi Hugh,

I will share what I stumbled up on and my suspicious commit. 

On Mon, Jul 02, 2018 at 01:12:19PM -0400, D. Hugh Redelmeier wrote:
> I noticed that some tests have started failing recently.  I haven't looked 
> carefully into why they fail.
> My baseline was a run that seems to have been 
> v3.22-1715-gc22eea8cd-master (if I read my logging correctly).
> Could whoever caused these fix them?  It would help the rest of us.
> I don't think that I caused any of these.  If you disagree, please tell me.
> ================
> A bunch of certificate tests failed.  I don't know why.  (There is a
> chance that this is my fault.)
> I'm looking at certoe-03-poc-whack for now, assuming all are similar.
> The packet where things seem to go wrong came from road.
> In both runs, the packets are SA, KE, Notify, Notify, Notify.
> The old run had a Vendor ID payload at the end but the new one does
> not.
> Each of the payloads has the same length in the old and new runs'
> packets.  So they are pretty similar.
> The Vendor ID payload is interpreted by the old run:
> | received Vendor ID payload [Opportunistic IPsec]
> The failure is noted with this in east.pluto.log:
> | initial parent SA message received on but no connection has been authorized with policy AUTHNULL+IKEV2_ALLOW
> packet from initial parent SA message received on but no suitable connection found with IKEv2 policy
> The old run isn't exactly comparable, but this looks relevant:
> | found connection: clear-or-private#[1] ... with policy RSASIG+IKEV2_ALLOW
> So why do the runs think that the authorization technique is different?
> find_next_host_connection() pours out a lot of logging.  At the top of its 
> outer loop, it logs "found policy =" for each connection examined.  In the 
> old run, the first ones include RSASIG but in the old run they do not.
> I suspect that this is the root of the problem.

I stumbled on something similar and from a quick look pointed me to 
the commit 1dbc99118f .  The test passed in v3.25 

NOTE: I followed a slightly different test. I think it is the same issue.



I noticed a few, 20 or so, asymetric, certoe*, and dnsoe* tests failed. All possibly same cause.


More information about the Swan-dev mailing list