On Wed, Apr 29, 2020 at 09:45:56AM -0400, Andrew Cagney wrote:
> On Wed, 29 Apr 2020 at 01:54, Antony Antony <ant...@phenome.org> wrote:
> > Here is my attempt to fix it. I guess there are more attempts; Paul and Andrew
> > have their own? I didn't commit because there is more happening around. Maybe
> > combine and take the best.
> >
> > During rekey on the responder this patch validates TS before the crypto
> > starts, which I think is way better. I have been thinking of the same for the
> > initiator, when it gets the response too. Maybe that should be a later fix; first
> > commit the responder side clean up.
>
> Yea, good idea. And using record means that the IKE SA can respond to
> retransmits (ignoring bugs such as needing i&r buffers).
Yes, if not record_**(), the responder would respond with an IKE_AUTH response when it fails to accept TS during rekey. I think the responder should clear out the t_pkt when it accepts the next IKE message, to avoid replying with unexpected messages in case of STF_FAIL.

_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev