From: Tobias Brunner Date: Mon, 25 Nov 2024 10:40:57 +0000 (+0100) Subject: testing: Make timing for TKM rekey scenarios a bit more stable X-Git-Tag: 6.0.0rc2~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e310e34259bcf10d9f401fa1058a2bf5e3f1ee1;p=thirdparty%2Fstrongswan.git testing: Make timing for TKM rekey scenarios a bit more stable In particular for the first one randomization could trigger an additional rekeying, which let the "Adding ESA ..." check fail. But even without randomization (could be seen in the second scenario that already uses `rand_time=0`) 4 seconds can apparently be too low some time. --- diff --git a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat index 2ff2f61892..66330e376b 100644 --- a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat +++ b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat @@ -1,6 +1,6 @@ moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES -moon::sleep 4::wait for rekeying::NO +moon::sleep 5::wait for rekeying::NO moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES moon::cat /var/log/daemon.log::ees: expire received for reqid 1, spi.*, dst 192.168.0.2::YES moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES @@ -18,7 +18,7 @@ moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::YES moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Ke_Id 1 #1 / 1, Nc_Loc_Id 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES -moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 4, hard 60 \]::2 +moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 5, hard 60 \]::2 moon::cat /tmp/tkm.log::Resetting ESA context 1::YES moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf index 62b103a808..50c714812a 100644 --- a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf +++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf @@ -14,7 +14,7 @@ 192.168.0.2 - 4 + 5 60 diff --git a/testing/tests/tkm/xfrmproxy-expire/pretest.dat b/testing/tests/tkm/xfrmproxy-expire/pretest.dat index 4a00923420..d5411d41ce 100644 --- a/testing/tests/tkm/xfrmproxy-expire/pretest.dat +++ b/testing/tests/tkm/xfrmproxy-expire/pretest.dat @@ -2,6 +2,8 @@ sun::systemctl start strongswan moon::rm /etc/swanctl/rsa/* moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd moon::cat /etc/swanctl/swanctl.conf +# disable randomization to avoid issues with our low rekey time +moon::sed -i '/rekey_time=./arand_time=0' /etc/swanctl/swanctl.conf moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 & moon::expect-file /tmp/tkm.rpc.ike moon::service charon-tkm start diff --git a/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat b/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat index fb7d0bf215..9843b0e98a 100644 --- a/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat +++ b/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat @@ -1,6 +1,6 @@ moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES -moon::sleep 4::wait for rekeying::NO +moon::sleep 5::wait for rekeying::NO sun::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/swanctl/swanctl.conf index eda900ff74..ac9662bf07 100644 --- a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/swanctl/swanctl.conf +++ b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/swanctl/swanctl.conf @@ -18,7 +18,7 @@ connections { children { host-host { life_time=10s - rekey_time=4s + rekey_time=5s rand_time=0 mode = transport esp_proposals = aes256-sha512-modp4096