[Swan-dev] fixing Windows rekeying

Andrew Cagney andrew.cagney at gmail.com
Wed Apr 29 13:45:56 UTC 2020

On Wed, 29 Apr 2020 at 01:54, Antony Antony <antony at phenome.org> wrote:

> Here is my attempt to fix it. I guess there more attempts Paul and Andrew
> has their own? I didnt commit because there more happening around. May be
> combine and take the best.
> During rekey on the responder this patch validate TS before the crypto
> starts.  Which I think is way better. I have been thinking of the same for
> initiator; when get the response to.  May be that should be later fix,
> first
> commmit the responder side clean up.

Yea, good idea.  And using record means that the IKE SA can respond to
retransmits (ignoring bugs such as needing i&r buffers).

BTW.  Unlike loglog(), log_state() works when cur_state is snafued.  And
for liveness I added 338ff4cd2c6052ada19e9dccd6fe9724ce9c21b9 which might
be a better fit for the initiator.

> I used 4 test cases and Windows 10 Tuomo runs to validate.
> ikev2-child-rekey-09-windows  this should emulate what Windows 10 is doing
> with rekey. It seems DH downgrade is fixed. This is based on logs provided
> by Tuomo.  Next 3 tests are more impairments to TS during rekey, emulating
> other possible scenarios
> ikev2-child-rekey-10-impair-rekey-initiate-subnet
> ikev2-child-rekey-10-impair-rekey-respond-subnet
> ikev2-child-rekey-10-impair-rekey-respond-supernet
> Also regarding:
> https://lists.libreswan.org/pipermail/swan-dev/2020-April/003754.html
> Andrew is right the initiator does not call the new functions added in
> 7be41582a340. That is why it is removed. Initiator already call the score
> fuction follow the last two test cases.
> Also Tuomo has been testing this? any issues?
> regards,
> -antony
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20200429/c56dbefc/attachment.html>

More information about the Swan-dev mailing list