[Swan-dev] test cases to look into before release

Paul Wouters paul at nohats.ca
Thu Jan 24 20:59:52 UTC 2019


On Thu, 24 Jan 2019, Andrew Cagney wrote:

> Yea, that code is pretty messed up (and it always used the wrong
> event).  Unfortunately the change poked the IKE vs CHILD switch
> monster.  We now see:
>
> 002 "nss-cert-incorrect" #4: Peer public key SubjectAltName does not match peer ID for this connection
> 002 "nss-cert-incorrect" #4: X509: CERT payload does not match connection ID
> 224 "nss-cert-incorrect" #4: STATE_PARENT_I2: v2N_AUTHENTICATION_FAILED
> -002 "nss-cert-incorrect" #4: deleting other state #4 (STATE_PARENT_I2) and NOT sending notification
> -002 "nss-cert-incorrect" #3: deleting state (STATE_PARENT_I2) and NOT sending notification
> -west #
> +002 "nss-cert-incorrect" #5: initiating v2 parent SA to replace #3
> +133 "nss-cert-incorrect" #5: STATE_PARENT_I0: initiate, replacing #3
> +031 "nss-cert-incorrect" #4: STATE_PARENT_I2: 60 second timeout exceeded after 0 retransmits.  Possible authentication failure: no acceptable response to our first encrypted message
> +000 "nss-cert-incorrect" #4: starting keying attempt 2 of an unlimited number, but releasing whack
> +133 "nss-cert-incorrect" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
> +*** exception running script westrun.sh ***

This is not incorrect?

East accepts the "incorrect" connection from west, because its IDs match
its expected IDs. It then authenticates as "east" to west, which is
misconfigured on purpose to expect "road", and it fails the connection.

Now, the one thing that is wrong is that we should not delete #4 without
sending a notify - we are supposed to send a DELETE notify with
AUTHENTICATION_FAILED payload.

But the test case does change output a bit, and worse is that it is
doing retransmits and keeps the whack longer than our test system waits.
I added retransmit-timeout=10s to the "incorrect" conn, so it releases
the whack sooner.

Do you think there is a code change that is needed? Because I'm not sure
what would be needed.

Paul
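The triage described in this thread (spot the AUTHENTICATION_FAILED state that is deleted "NOT sending notification", and see how long the retransmit timeout held the whack) can be automated over the whack output. The following is an added example for this discussion, not libreswan code or test-suite code; the sample input is the pluto/whack output quoted above with the diff markers stripped and wrapped lines rejoined, and the line format it parses ("NNN \"conn\" #state: message") is taken from those lines only.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the whack output quoted in the thread, diff markers
# removed and mail-wrapped lines rejoined.
SAMPLE = """\
002 "nss-cert-incorrect" #4: Peer public key SubjectAltName does not match peer ID for this connection
002 "nss-cert-incorrect" #4: X509: CERT payload does not match connection ID
224 "nss-cert-incorrect" #4: STATE_PARENT_I2: v2N_AUTHENTICATION_FAILED
002 "nss-cert-incorrect" #4: deleting other state #4 (STATE_PARENT_I2) and NOT sending notification
002 "nss-cert-incorrect" #3: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "nss-cert-incorrect" #5: initiating v2 parent SA to replace #3
133 "nss-cert-incorrect" #5: STATE_PARENT_I0: initiate, replacing #3
031 "nss-cert-incorrect" #4: STATE_PARENT_I2: 60 second timeout exceeded after 0 retransmits.  Possible authentication failure: no acceptable response to our first encrypted message
000 "nss-cert-incorrect" #4: starting keying attempt 2 of an unlimited number, but releasing whack
133 "nss-cert-incorrect" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
"""

# Shape of the quoted lines: three-digit code, quoted conn name, "#state:", message.
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')


@dataclass
class WhackLine:
    code: int
    conn: str
    state: int
    msg: str


def parse_whack(text: str) -> List[WhackLine]:
    """Parse whack status lines; lines that do not fit the shape are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(WhackLine(int(m['code']), m['conn'], int(m['state']), m['msg']))
    return out


def find_unnotified_auth_failures(lines: List[WhackLine]) -> List[int]:
    """State numbers that reported AUTHENTICATION_FAILED and were afterwards
    deleted without a notification, the behaviour the thread calls wrong
    (a DELETE notify with AUTHENTICATION_FAILED is expected)."""
    failed = set()
    findings = []
    for ln in lines:
        if 'AUTHENTICATION_FAILED' in ln.msg:
            failed.add(ln.state)
        if ln.msg.startswith('deleting') and 'NOT sending notification' in ln.msg:
            # "deleting other state #N ..." names the deleted state explicitly;
            # "deleting state (...)" refers to the line's own state number.
            m = re.search(r'deleting other state #(\d+)', ln.msg)
            deleted = int(m.group(1)) if m else ln.state
            if deleted in failed:
                findings.append(deleted)
    return findings


def retransmit_timeout_seconds(lines: List[WhackLine]) -> Optional[int]:
    """Timeout reported by a code-031 line ("N second timeout exceeded"),
    i.e. how long the initiator kept retransmitting before giving up."""
    for ln in lines:
        if ln.code == 31:
            m = re.search(r'(\d+) second timeout', ln.msg)
            if m:
                return int(m.group(1))
    return None


def whack_released_by(lines: List[WhackLine]) -> Optional[int]:
    """State number on the line that finally released the whack, if any."""
    for ln in lines:
        if 'releasing whack' in ln.msg:
            return ln.state
    return None


if __name__ == '__main__':
    parsed = parse_whack(SAMPLE)
    print('auth failures deleted without notify:', find_unnotified_auth_failures(parsed))
    print('retransmit timeout (s):', retransmit_timeout_seconds(parsed))
    print('whack released by state:', whack_released_by(parsed))
```

On the quoted output this reports state #4 as deleted without a notify and a 60 second timeout before the whack was released, which is the gap between pluto's default retransmit timeout and what the test harness waits for; the retransmit-timeout=10s change mentioned above is what shortens that wait.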

