[Swan-dev] fixing Windows rekeying

Andrew Cagney andrew.cagney at gmail.com
Wed Apr 29 13:45:56 UTC 2020


On Wed, 29 Apr 2020 at 01:54, Antony Antony <antony at phenome.org> wrote:

> Here is my attempt to fix it. I guess there are more attempts; Paul and Andrew
> have their own? I didn't commit because there is more happening around. Maybe
> combine and take the best.
>
> During rekey on the responder this patch validates TS before the crypto
> starts, which I think is way better. I have been thinking of the same for
> the initiator, when it gets the response too. Maybe that should be a later
> fix; first commit the responder side clean up.
>

Yea, good idea.  And using record means that the IKE SA can respond to
retransmits (ignoring bugs such as needing i&r buffers).

BTW.  Unlike loglog(), log_state() works when cur_state is snafued.  And
for liveness I added 338ff4cd2c6052ada19e9dccd6fe9724ce9c21b9 which might
be a better fit for the initiator.



> I used 4 test cases and Windows 10 Tuomo runs to validate.
>
> ikev2-child-rekey-09-windows: this should emulate what Windows 10 is doing
> with rekey. It seems DH downgrade is fixed. This is based on logs provided
> by Tuomo.  The next 3 tests are more impairments to TS during rekey, emulating
> other possible scenarios.
>
> ikev2-child-rekey-10-impair-rekey-initiate-subnet
> ikev2-child-rekey-10-impair-rekey-respond-subnet
> ikev2-child-rekey-10-impair-rekey-respond-supernet
>
> Also regarding:
> https://lists.libreswan.org/pipermail/swan-dev/2020-April/003754.html
> Andrew is right, the initiator does not call the new functions added in
> 7be41582a340. That is why it is removed. The initiator already calls the score
> function; follow the last two test cases.
>
> Also, Tuomo has been testing this? Any issues?
>
> regards,
> -antony