On Wed, 29 Apr 2020 at 01:54, Antony Antony <ant...@phenome.org> wrote:
> Here is my attempt to fix it. I guess there are more attempts; Paul and
> Andrew have their own? I didn't commit because there is more happening
> around. Maybe combine and take the best.
>
> During rekey on the responder this patch validates TS before the crypto
> starts. Which I think is way better. I have been thinking of the same for
> initiator; when get the response to. Maybe that should be a later fix;
> first commit the responder side clean up.
>

Yea, good idea. And using record means that the IKE SA can respond to retransmits (ignoring bugs such as needing i&r buffers).

BTW. Unlike loglog(), log_state() works when cur_state is snafued.

And for liveness I added 338ff4cd2c6052ada19e9dccd6fe9724ce9c21b9 which might be a better fit for the initiator.

> I used 4 test cases and Windows 10 Tuomo runs to validate.
>
> ikev2-child-rekey-09-windows this should emulate what Windows 10 is doing
> with rekey. It seems DH downgrade is fixed. This is based on logs provided
> by Tuomo. Next 3 tests are more impairments to TS during rekey, emulating
> other possible scenarios
>
> ikev2-child-rekey-10-impair-rekey-initiate-subnet
> ikev2-child-rekey-10-impair-rekey-respond-subnet
> ikev2-child-rekey-10-impair-rekey-respond-supernet
>
> Also regarding:
> https://lists.libreswan.org/pipermail/swan-dev/2020-April/003754.html
> Andrew is right, the initiator does not call the new functions added in
> 7be41582a340. That is why it is removed. The initiator already calls the
> score function; follow the last two test cases.
>
> Also, Tuomo has been testing this? Any issues?
>
> regards,
> -antony
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev