[Swan-dev] regression due to xfrmi merge : SHA2 to SHA1
antony at phenome.org
Sun Jan 26 22:08:08 UTC 2020
I tracked the regression to addconn. You will see difference ipsec status
after adding the connection: v2-auth-hash-policy: none
with "none" the initiator will only propose RSASIG-v1.5. Before it was
proposing Digital signature, rsa-sha2_512.
seemingly unrelated one line change to a conn changes v2-auth-hash-policy.
will cause this change.
here is output from ikev2-x509-38-failureshunt
000 "westnet-eastnet": our auth:rsasig, their auth:rsasig
000 "westnet-eastnet": policy: RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5;
000 "westnet-eastnet": v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "failureshunt": our auth:rsasig, their auth:rsasig
000 "failureshunt": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5+failurePASS;
000 "failureshunt": v2-auth-hash-policy: none;
I pushed a testcase, ikev2-x509-38-failureshunt, to verify the effect of
"failureshunt=passthrough". And will I look at the code tomorrow.
There is more to this regression, some test cases, say
ikev2-liveness-11-silent, see the output diff link bellow,
changed from RSASIG-v1.5 to rsa-sha2_512. between e79e3fcce4(before xfrmi) -
Tuomo verified change to SHA2-512 on his laptop. It was doing SHA1 with
e79e3fcce4 and after xfrmi merge, 0eb65623, it is proposing rsa-sha2_512.
I think he can also reproduce with his connection failureshunt=passthrough
will change v2-auth-hash-policy: none;
Note: I could not reproduce it on other x509 configurations. Some simple
config without also lines does not seems to change with
On Sun, Jan 26, 2020 at 12:40:42PM +0100, Antony Antony wrote:
> after xfrmi merge a change IPsec algorithm was noticed. Sorry I didn't
> notice this on xfrmi branch alone.
> Careful committing new console outputs before this is fixed. If you commit
> new outputs now once this regression is fixed those tests may flip back.
> cagney: is pointing at commit 32e11cc9b4946ab6e655485993700a67cf4e784a I am
> not sure, I will get to it today. I will take look tomorrow. I have a
> feeling he is right:) Thanks cagney.
> -003 "private-or-clear#126.96.36.199/24" ...188.8.131.52 #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA2_512
> +003 "private-or-clear#184.108.40.206/24" ...220.127.116.11 #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA1
> Also note some flipped the other way.
> -003 "west-east" #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA1
> +003 "west-east" #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA2_512
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
More information about the Swan-dev