[Swan-dev] fixing Windows rekeying

Antony Antony antony at phenome.org
Wed Apr 29 16:25:12 UTC 2020

On Wed, Apr 29, 2020 at 09:45:56AM -0400, Andrew Cagney wrote:
> On Wed, 29 Apr 2020 at 01:54, Antony Antony <antony at phenome.org> wrote:
>     Here is my attempt to fix it. I guess there more attempts Paul and Andrew
>     has their own? I didnt commit because there more happening around. May be
>     combine and take the best.
>     During rekey on the responder this patch validate TS before the crypto
>     starts.  Which I think is way better. I have been thinking of the same for
>     initiator; when get the response to.  May be that should be later fix,
>     first
>     commmit the responder side clean up.
> Yea, good idea.  And using record means that the IKE SA can respond to
> retransmits (ignoring bugs such as needing i&r buffers).

yes, if not record_**() responder would respond with IKE_AUTH response when 
it fail to accept TS during rekey. I think responder should clear out the 
t_pkt when it accept next IKE message to avoid replying with unexpected 
messages incase of STF_FAIL. 

More information about the Swan-dev mailing list