[Swan-dev] test cases to look into before release
Andrew Cagney
andrew.cagney at gmail.com
Fri Jan 25 22:45:52 UTC 2019
On Thu, 24 Jan 2019 at 15:59, Paul Wouters <paul at nohats.ca> wrote:
>
> On Thu, 24 Jan 2019, Andrew Cagney wrote:
>
> > Yea, that code is pretty messed up (and it always used the wrong
> > event). Unfortunately the change poked the IKE vs CHILD switch
> > monster. We now see:
> >
> > 002 "nss-cert-incorrect" #4: Peer public key SubjectAltName does not
> > match peer ID for this connection
> > 002 "nss-cert-incorrect" #4: X509: CERT payload does not match connection ID
> > 224 "nss-cert-incorrect" #4: STATE_PARENT_I2: v2N_AUTHENTICATION_FAILED
> > -002 "nss-cert-incorrect" #4: deleting other state #4
> > (STATE_PARENT_I2) and NOT sending notification
> > -002 "nss-cert-incorrect" #3: deleting state (STATE_PARENT_I2) and NOT
> > sending notification
> > -west #
> > +002 "nss-cert-incorrect" #5: initiating v2 parent SA to replace #3
> > +133 "nss-cert-incorrect" #5: STATE_PARENT_I0: initiate, replacing #3
> > +031 "nss-cert-incorrect" #4: STATE_PARENT_I2: 60 second timeout
> > exceeded after 0 retransmits. Possible authentication failure: no
> > acceptable response to our first encrypted message
> > +000 "nss-cert-incorrect" #4: starting keying attempt 2 of an
> > unlimited number, but releasing whack
> > +133 "nss-cert-incorrect" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
> > +*** exception running script westrun.sh ***
>
> This is not incorrect?

Everything isn't correct ...

> East accepts the "incorrect" connection from west, because its IDs match
> its expected IDs. It then authenticates as "east" to "west" which is
> misconfigured on purpose to expect "road" and it fails the connection.
>
> Now, the one thing that is wrong is that we should not delete #4 without
> sending a notify - we are supposed to send a DELETE notify with
> AUTHENTICATION_FAILED payload.

Right, this is a long-standing bug.

(as an aside the above should be blaming state #3, and not #4, for all
the auth problems)

> But the test case does change output a bit, and worse is that it is
> doing retransmits and keeps the whack longer than our test system waits.
> I added retransmit-timeout=10s to the "incorrect" conn, so it releases
> the whack sooner.

It also announces that it is releasing whack, but doesn't :-(

The log suggests there are now two states trying to establish:
    #5 replacing #2
    #4 trying another keying attempt
which I suspect is worse.

> Do you think there is a code change that is needed? Because I'm not sure
> what would be needed.

An alternative to setting the IKE SA to REPLACE, would be to make the
IKE SA responsible for the re-transmit. In theory that means deleting
the line:

    md->st = cst; /* switch to child */

but who knows what will really happen.
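
Added example, not part of the original message and not libreswan code: a small check that reads whack-style output like the lines quoted above and reports connections where more than one state is still trying to establish. The line layout (three-digit code, quoted connection name, `#state`) is inferred from the quoted log, the function names are hypothetical, and the sample is constructed from the "+" lines with the diff markers and mail wrapping removed.

```python
import re

# Constructed sample: the "+" lines of the quoted test output, unwrapped.
SAMPLE = '''\
002 "nss-cert-incorrect" #5: initiating v2 parent SA to replace #3
133 "nss-cert-incorrect" #5: STATE_PARENT_I0: initiate, replacing #3
031 "nss-cert-incorrect" #4: STATE_PARENT_I2: 60 second timeout exceeded after 0 retransmits. Possible authentication failure: no acceptable response to our first encrypted message
000 "nss-cert-incorrect" #4: starting keying attempt 2 of an unlimited number, but releasing whack
133 "nss-cert-incorrect" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
'''

# Assumed layout: <3-digit code> "<connection>" #<state>: <message>
LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
REPLACE = re.compile(r'initiating v2 parent SA to replace #(\d+)')
RETRY = re.compile(r'starting keying attempt (\d+)')


def parse(text):
    """Yield (code, connection, state number, message) per matching line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)


def establishing_states(text):
    """Map connection -> {state number: why it is still establishing}."""
    active = {}
    for _code, conn, state, msg in parse(text):
        states = active.setdefault(conn, {})
        if msg.startswith("deleting"):
            states.pop(state, None)  # a deleted state is no longer trying
        elif REPLACE.search(msg):
            states[state] = "replacing #" + REPLACE.search(msg).group(1)
        elif RETRY.search(msg):
            states[state] = "keying attempt " + RETRY.search(msg).group(1)
    return active


def conflicts(text):
    """Connections with more than one state trying to establish."""
    return sorted(c for c, s in establishing_states(text).items() if len(s) > 1)


if __name__ == "__main__":
    for conn in conflicts(SAMPLE):
        print(conn, establishing_states(SAMPLE)[conn])
```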