[Swan-dev] fixing Windows rekeying
Antony Antony
antony at phenome.org
Wed Apr 29 16:25:12 UTC 2020
On Wed, Apr 29, 2020 at 09:45:56AM -0400, Andrew Cagney wrote:
>
>
> On Wed, 29 Apr 2020 at 01:54, Antony Antony <antony at phenome.org> wrote:
>
> Here is my attempt to fix it. I guess there are more attempts; Paul and Andrew
> have their own? I didn't commit because there is more happening around. Maybe
> combine and take the best.
>
> During rekey on the responder this patch validates TS before the crypto
> starts, which I think is way better. I have been thinking of the same for the
> initiator, when it gets the response too. Maybe that should be a later fix;
> first commit the responder side clean up.
>
>
> Yea, good idea. And using record means that the IKE SA can respond to
> retransmits (ignoring bugs such as needing i&r buffers).
Yes, if not record_**(), the responder would respond with an IKE_AUTH response when
it fails to accept TS during rekey. I think the responder should clear out the
t_pkt when it accepts the next IKE message, to avoid replying with unexpected
messages in case of STF_FAIL.
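As an added example (not code from the thread or from libreswan), here is a small Python model of the responder ordering discussed above: traffic selectors are narrowed against local policy first, DH work is spent only when the TS are acceptable, the response is recorded so a retransmitted request is answered from the record, and the record is cleared as soon as a request with a new Message ID is accepted, so a later failure cannot replay a stale packet. The class and function names, the toy DH constants and the sample selectors are all constructed for this illustration.

```python
"""Responder-side model of a CREATE_CHILD_SA rekey exchange (constructed example).

Not libreswan code. The DH step is a toy modexp with small constants, present
only to make the "crypto after TS validation" ordering observable.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional


@dataclass(frozen=True)
class TS:
    proto: int          # IP protocol number, 0 = any
    net: IPv4Network
    port_lo: int
    port_hi: int


def narrow(policy: TS, proposed: TS) -> Optional[TS]:
    """Intersect a configured policy selector with a proposed one.

    Returns None when the intersection is empty, i.e. the TS is unacceptable.
    """
    if policy.proto and proposed.proto and policy.proto != proposed.proto:
        return None
    proto = policy.proto or proposed.proto
    if not policy.net.overlaps(proposed.net):
        return None
    # Overlapping CIDR blocks are nested, so the intersection is the longer prefix.
    net = max(policy.net, proposed.net, key=lambda n: n.prefixlen)
    lo = max(policy.port_lo, proposed.port_lo)
    hi = min(policy.port_hi, proposed.port_hi)
    if lo > hi:
        return None
    return TS(proto, net, lo, hi)


# Toy DH parameters (assumed; only here so DH work can be counted).
_P, _G = 0xFFFFFFFB, 5


class RekeyResponder:
    def __init__(self, policy_ts_i: TS, policy_ts_r: TS, priv: int = 123457):
        self.policy_i, self.policy_r = policy_ts_i, policy_ts_r
        self.priv = priv
        self.last_msgid: Optional[int] = None
        self.recorded: Optional[dict] = None   # the "record" of the last response sent
        self.dh_calls = 0                      # how often expensive crypto ran

    def handle(self, msgid: int, ts_i: TS, ts_r: TS,
               peer_ke: Optional[int]) -> Optional[dict]:
        # 1. Retransmit of a request we already answered: replay the record, no work.
        if msgid == self.last_msgid and self.recorded is not None:
            return self.recorded
        # 2. New request accepted: clear the old record before anything can fail,
        #    so a failure on this message can never resend the previous packet.
        self.last_msgid, self.recorded = msgid, None
        # 3. Malformed request (no KE payload): fail without sending anything.
        if peer_ke is None:
            return None
        # 4. Validate TS before any crypto; an unacceptable TS costs no DH work.
        ni, nr = narrow(self.policy_i, ts_i), narrow(self.policy_r, ts_r)
        if ni is None or nr is None:
            self.recorded = {"msgid": msgid, "notify": "TS_UNACCEPTABLE"}
            return self.recorded
        # 5. Only now spend the DH work and build the full response.
        self.dh_calls += 1
        self.recorded = {
            "msgid": msgid, "ts_i": ni, "ts_r": nr,
            "ke": pow(_G, self.priv, _P),
            "shared": pow(peer_ke, self.priv, _P),
        }
        return self.recorded


if __name__ == "__main__":
    r = RekeyResponder(TS(0, ip_network("10.0.0.0/16"), 0, 65535),
                       TS(0, ip_network("192.168.0.0/24"), 0, 65535))
    ok = r.handle(5, TS(0, ip_network("10.0.1.0/24"), 0, 65535),
                  TS(6, ip_network("192.168.0.0/24"), 443, 443), 7)
    print("narrowed:", ok["ts_i"], ok["ts_r"], "dh_calls:", r.dh_calls)
    print("retransmit answered from record:", r.handle(5, None, None, 7) is ok)
```

The retransmit path in step 1 never touches the TS arguments, which is why the demo can pass `None` for them; a real implementation would still parse the packet but must not re-run the exchange.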