[Swan-dev] regression due to xfrmi merge : SHA2 to SHA1
Antony Antony
antony at phenome.org
Sun Jan 26 22:08:08 UTC 2020
I tracked the regression to addconn. You will see difference ipsec status
after adding the connection: v2-auth-hash-policy: none
with "none" the initiator will only propose RSASIG-v1.5. Before it was
proposing Digital signature, rsa-sha2_512.
seemingly unrelated one line change to a conn changes v2-auth-hash-policy.
failureshunt=passthrough
will cause this change.
here is output from ikev2-x509-38-failureshunt
000 "westnet-eastnet": our auth:rsasig, their auth:rsasig
000 "westnet-eastnet": policy: RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5;
000 "westnet-eastnet": v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "failureshunt": our auth:rsasig, their auth:rsasig
000 "failureshunt": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5+failurePASS;
000 "failureshunt": v2-auth-hash-policy: none;
I pushed a testcase, ikev2-x509-38-failureshunt, to verify the effect of
"failureshunt=passthrough". And will I look at the code tomorrow.
There is more to this regression, some test cases, say
ikev2-liveness-11-silent, see the output diff link bellow,
changed from RSASIG-v1.5 to rsa-sha2_512. between e79e3fcce4(before xfrmi) -
0eb65623(after xfrmi)
Tuomo verified change to SHA2-512 on his laptop. It was doing SHA1 with
e79e3fcce4 and after xfrmi merge, 0eb65623, it is proposing rsa-sha2_512.
I think he can also reproduce with his connection failureshunt=passthrough
will change v2-auth-hash-policy: none;
https://testing.libreswan.org/v3.28-1518-gf5cfad54a3-master/ikev2-x509-38-failureshunt/OUTPUT/east.console.txt
https://testing.libreswan.org/v3.28-1518-gf5cfad54a3-master/ikev2-x509-38-failureshunt/east.conf
Note: I could not reproduce it on other x509 configurations. Some simple
config without also lines does not seems to change with
failureshunt=passthrough.
On Sun, Jan 26, 2020 at 12:40:42PM +0100, Antony Antony wrote:
> after xfrmi merge a change IPsec algorithm was noticed. Sorry I didn't
> notice this on xfrmi branch alone.
>
> Careful committing new console outputs before this is fixed. If you commit
> new outputs now once this regression is fixed those tests may flip back.
>
> cagney: is pointing at commit 32e11cc9b4946ab6e655485993700a67cf4e784a I am
> not sure, I will get to it today. I will take look tomorrow. I have a
> feeling he is right:) Thanks cagney.
> https://testing.libreswan.org/v3.28-1515-g43fdc02c8c-master/certoe-03-poc-whack/OUTPUT/road.console.diff
> -003 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA2_512
> +003 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA1
>
> Also note some flipped the other way.
> https://testing.libreswan.org/v3.28-1499-g0eb656232d-master/ikev2-liveness-11-silent/OUTPUT/west.console.diff
>
> -003 "west-east" #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA1
> +003 "west-east" #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA2_512
>
> -antony
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
More information about the Swan-dev
mailing list