[Swan-dev] ikev2: decode notify payloads into the message digest

Andrew Cagney andrew.cagney at gmail.com
Fri Feb 21 01:40:24 UTC 2020


On Thu, 20 Feb 2020 at 18:34, Paul Wouters <paul at nohats.ca> wrote:
>
> On Thu, 20 Feb 2020, Andrew Cagney wrote:
>
> >    Instead of storing the message digest's notify payloads directly into
> >    struct state or local variables, store them in the message digest, and
> >    then access the values as needed.
>
> How does that work after the exchange is completely processed? Are there
> cases where we need to remember having received these before? For IPsec,
> I guess we can look things up in the IPsec SA, and ensure we send only
> the things we did last time. Is there anything we might have received
> for the IKE SA that we need to remember for a rekey?

Yes, anything that needs preserving is eventually copied from the MD to the ST.

However that can now be delayed until after the message is accepted.
For instance, the notifies from an IKE_SA_INIT response shouldn't be
copied into the ST until after DH has completed and we've committed to
initiating the IKE_AUTH exchange.

> Looking through the payloads now, I don't see anything. So this might be
> okay for now.

Yea, I suspect we're saving some stuff in state that we don't need to.

> Also, if we are doing this, why should we store some of these in a new
> structure as bools? Couldn't we just write wrapper functions that just
> re-read the parsed list of notifies? eg ntfy->payload.v2n.isan_type[x]

I'm not sure I follow.  You mean wrapper functions that each
individually scan the entire list of notifies for just the one
we're interested in?

Even with such wrapper functions we still need to make a preliminary
scan of all notifies - just to check for anything suspect giving us
cause for dropping the packet.  Since we're there, we might as well
save the results.

later
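As an added illustration of the pattern discussed in this thread (a single preliminary scan over the parsed notifies that records what was seen in the message digest, with accessors reading those results and the copy to state deferred until the message is accepted), here is a self-contained C sketch. It is example code written for this page, not libreswan's own code: `struct msg_digest`, `struct v2_notify`, `struct v2_notify_flags`, `scan_v2_notifies()`, `md_saw_notify()` and `struct state` are hypothetical stand-ins, and the "drop on a duplicate recognised notify" rule is a constructed example of "anything suspect", not a rule the thread states. The numeric notify type values are the ones assigned in RFC 7296 section 3.10.1.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IKEv2 Notify Message Types (RFC 7296 section 3.10.1).
 * Types below 16384 report errors; 16384 and above are status notifies. */
#define V2N_FIRST_STATUS_TYPE            16384
#define V2N_INITIAL_CONTACT              16384
#define V2N_NAT_DETECTION_SOURCE_IP      16388
#define V2N_NAT_DETECTION_DESTINATION_IP 16389
#define V2N_COOKIE                       16390
#define V2N_USE_TRANSPORT_MODE           16391
#define V2N_REKEY_SA                     16393

/* Hypothetical output of the payload parser: one entry per N payload. */
struct v2_notify {
    uint16_t type;
};

/* Results of the one scan, kept in the message digest (hypothetical). */
struct v2_notify_flags {
    bool initial_contact;
    bool nat_detection_source_ip;
    bool nat_detection_destination_ip;
    bool cookie;
    bool use_transport_mode;
    bool rekey_sa;
    unsigned nr_errors;   /* error-range notifies seen; caller decides */
};

#define MAX_NOTIFIES 16
struct msg_digest {
    struct v2_notify notifies[MAX_NOTIFIES];
    unsigned nr_notifies;
    struct v2_notify_flags flags;   /* filled in by scan_v2_notifies() */
};

/* Hypothetical long-lived state; only accepted results are copied here. */
struct state {
    bool peer_requested_transport_mode;
};

/* Map a recognised status notify type to its flag; NULL if not tracked. */
static bool *flag_for(struct v2_notify_flags *f, uint16_t type)
{
    switch (type) {
    case V2N_INITIAL_CONTACT:              return &f->initial_contact;
    case V2N_NAT_DETECTION_SOURCE_IP:      return &f->nat_detection_source_ip;
    case V2N_NAT_DETECTION_DESTINATION_IP: return &f->nat_detection_destination_ip;
    case V2N_COOKIE:                       return &f->cookie;
    case V2N_USE_TRANSPORT_MODE:           return &f->use_transport_mode;
    case V2N_REKEY_SA:                     return &f->rekey_sa;
    default:                               return NULL;
    }
}

enum scan_result { SCAN_OK, SCAN_DROP };

/* The single preliminary pass: reject anything suspect, record the rest. */
enum scan_result scan_v2_notifies(struct msg_digest *md)
{
    memset(&md->flags, 0, sizeof md->flags);
    for (unsigned i = 0; i < md->nr_notifies; i++) {
        uint16_t type = md->notifies[i].type;
        bool *flag = flag_for(&md->flags, type);
        if (flag == NULL) {
            if (type < V2N_FIRST_STATUS_TYPE)
                md->flags.nr_errors++;   /* remembered, not acted on here */
            /* Unrecognised status notify: RFC 7296 says ignore it. */
            continue;
        }
        if (*flag)
            return SCAN_DROP;   /* constructed rule: no duplicates allowed */
        *flag = true;
    }
    return SCAN_OK;
}

/* Accessor: read the recorded result instead of rescanning the list. */
bool md_saw_notify(struct msg_digest *md, uint16_t type)
{
    bool *flag = flag_for(&md->flags, type);
    return flag != NULL && *flag;
}

/* Deferred copy MD -> ST, called only once the message has been accepted. */
void commit_notifies_to_state(struct msg_digest *md, struct state *st)
{
    st->peer_requested_transport_mode = md_saw_notify(md, V2N_USE_TRANSPORT_MODE);
}

/* Test helper: append a constructed notify to the digest. */
void add_notify(struct msg_digest *md, uint16_t type)
{
    if (md->nr_notifies < MAX_NOTIFIES)
        md->notifies[md->nr_notifies++].type = type;
}

int main(void)
{
    struct msg_digest md = {0};
    struct state st = {0};
    add_notify(&md, V2N_NAT_DETECTION_SOURCE_IP);
    add_notify(&md, V2N_USE_TRANSPORT_MODE);
    if (scan_v2_notifies(&md) == SCAN_OK)
        commit_notifies_to_state(&md, &st);
    printf("transport mode requested: %d\n", st.peer_requested_transport_mode);
    return 0;
}
```

The point of the shape: the list of N payloads is walked exactly once, the walk can veto the packet, and everything later in the exchange reads the recorded flags from the digest rather than rescanning, with the copy into the state deferred to the moment the exchange is committed.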

