I found the root cause of this issue, fix in commit f2967f3bffd18. It was not related to xfrmi code. The xfrmi merge made an existing bug more visible.
The fix also changed a few other tests' v2-auth-hash-policy default to SHA2_256+SHA2_384+SHA2_512; previously it was none and authenticated using RSA1.5 SHA1 sig.

There are 3 tests I am not quite sure whether related to xfrmi or not. From a quick comparison of testrun these appear as a regression due to the xfrmi merge. However, I suspect these are connection switch and ID fixes related and not xfrmi related. Paul, could you take a look?

https://testing.libreswan.org/v3.28-1524-gb2b9f4eea1-master/ikev2-10-2behind-nat/OUTPUT/road.console.diff
https://testing.libreswan.org/v3.28-1524-gb2b9f4eea1-master/ikev2-connswitch-01/OUTPUT/west.console.diff
https://testing.libreswan.org/v3.28-1524-gb2b9f4eea1-master/ikev2-x509-02-smoketest/OUTPUT/west.console.diff

-antony

On Sun, Jan 26, 2020 at 11:08:08PM +0100, Antony Antony wrote:
> I tracked the regression to addconn. You will see a difference in ipsec status
> after adding the connection: v2-auth-hash-policy: none
> with "none" the initiator will only propose RSASIG-v1.5. Before it was
> proposing Digital signature, rsa-sha2_512.
>
> A seemingly unrelated one line change to a conn changes v2-auth-hash-policy.
> failureshunt=passthrough
> will cause this change.
>
> here is output from ikev2-x509-38-failureshunt
> 000 "westnet-eastnet": our auth:rsasig, their auth:rsasig
> 000 "westnet-eastnet": policy: RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5;
> 000 "westnet-eastnet": v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
>
> 000 "failureshunt": our auth:rsasig, their auth:rsasig
> 000 "failureshunt": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5+failurePASS;
> 000 "failureshunt": v2-auth-hash-policy: none;
>
> I pushed a testcase, ikev2-x509-38-failureshunt, to verify the effect of
> "failureshunt=passthrough". And I will look at the code tomorrow.
>
> There is more to this regression, some test cases, say
> ikev2-liveness-11-silent, see the output diff link below,
> changed from RSASIG-v1.5 to rsa-sha2_512 between e79e3fcce4 (before xfrmi) -
> 0eb65623 (after xfrmi)
>
> Tuomo verified the change to SHA2-512 on his laptop. It was doing SHA1 with
> e79e3fcce4 and after the xfrmi merge, 0eb65623, it is proposing rsa-sha2_512.
>
> I think he can also reproduce with his connection: failureshunt=passthrough
> will change v2-auth-hash-policy: none;
>
> https://testing.libreswan.org/v3.28-1518-gf5cfad54a3-master/ikev2-x509-38-failureshunt/OUTPUT/east.console.txt
>
> https://testing.libreswan.org/v3.28-1518-gf5cfad54a3-master/ikev2-x509-38-failureshunt/east.conf
>
> Note: I could not reproduce it on other x509 configurations. Some simple
> config without also lines does not seem to change with
> failureshunt=passthrough.
>
> On Sun, Jan 26, 2020 at 12:40:42PM +0100, Antony Antony wrote:
> > after the xfrmi merge a change in IPsec algorithm was noticed. Sorry I didn't
> > notice this on the xfrmi branch alone.
> >
> > Careful committing new console outputs before this is fixed. If you commit
> > new outputs now, once this regression is fixed those tests may flip back.
> >
> > cagney: is pointing at commit 32e11cc9b4946ab6e655485993700a67cf4e784a. I am
> > not sure, I will get to it today. I will take a look tomorrow. I have a
> > feeling he is right :) Thanks cagney.
> > https://testing.libreswan.org/v3.28-1515-g43fdc02c8c-master/certoe-03-poc-whack/OUTPUT/road.console.diff
> > -003 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA2_512
> > +003 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA1
> >
> > Also note some flipped the other way.
> > https://testing.libreswan.org/v3.28-1499-g0eb656232d-master/ikev2-liveness-11-silent/OUTPUT/west.console.diff
> >
> > -003 "west-east" #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA1
> > +003 "west-east" #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA2_512
> >
> > -antony
> > _______________________________________________
> > Swan-dev mailing list
> > Swan-dev@lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan-dev
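As an added example (not libreswan's own code), a small regression checker for the two line formats quoted in this thread: it parses `ipsec status` output and flags connections whose v2-auth-hash-policy is `none` while the policy still allows RSASIG_v1_5 (the case where the initiator would only propose the SHA-1 based RSA v1.5 signature), and it scans a console diff for `Authenticated using RSA with IKEv2_AUTH_HASH_*` lines that flipped. The sample status and diff text are constructed from the lines above; the regexes are assumptions about the line format.

```python
import re

# Constructed sample of "ipsec status" output, modelled on the thread
# (one conn with failureshunt=passthrough, whose hash policy became "none").
SAMPLE_STATUS = """\
000 "westnet-eastnet": our auth:rsasig, their auth:rsasig
000 "westnet-eastnet": policy: RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5;
000 "westnet-eastnet": v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "failureshunt": our auth:rsasig, their auth:rsasig
000 "failureshunt": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5+failurePASS;
000 "failureshunt": v2-auth-hash-policy: none;
"""

# Constructed console diff fragment, modelled on the ikev2-liveness-11-silent diff.
SAMPLE_DIFF = """\
-003 "west-east" #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA1
+003 "west-east" #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA2_512
"""

# Assumed shape: 000 "<conn>": <key>: <value>;   (lines with other shapes are skipped)
STATUS_RE = re.compile(r'^000 "(?P<conn>[^"]+)": (?P<key>[^:]+): (?P<val>.*?);?$')
# Assumed shape of the auth line in a console diff, with leading -/+ marker.
AUTH_RE = re.compile(r'^(?P<sign>[-+])003 (?P<conn>"[^"]+"[^#]*)#\d+: '
                     r'Authenticated using RSA with IKEv2_AUTH_HASH_(?P<hash>\w+)$')

def parse_status(text):
    """Return {conn: {key: value}} from the 000-prefixed status lines."""
    conns = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            conns.setdefault(m['conn'], {})[m['key'].strip()] = m['val'].strip()
    return conns

def weak_auth_conns(conns):
    """Conns that would fall back to RSASIG v1.5 (SHA-1): RSASIG_v1_5 is in the
    policy and no SHA-2 v2-auth-hash-policy is configured."""
    weak = []
    for name, attrs in conns.items():
        policy = attrs.get('policy', '').split('+')
        if attrs.get('v2-auth-hash-policy', 'none') == 'none' and 'RSASIG_v1_5' in policy:
            weak.append(name)
    return sorted(weak)

def auth_hash_flips(diff_text):
    """Return {conn: (old_hash, new_hash)} for auth hashes that changed in a diff."""
    old, new = {}, {}
    for line in diff_text.splitlines():
        m = AUTH_RE.match(line.rstrip())
        if m:
            (old if m['sign'] == '-' else new)[m['conn'].strip()] = m['hash']
    return {c: (old[c], new[c]) for c in old if c in new and old[c] != new[c]}
```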