The responder roughly does the following when it receives an IKE_SA_INIT message:
in demux.c
-- allocate MD (struct msg_digest)
-- allocate/clone raw message
in process_v2_IKE_SA_INIT() case MESSAGE_REQUEST performs basic sanity checks (mumble something about breaking this function in two)
-- sanity checks (I/R flags, non-zero initiator, zero responder)
-- re-transmit?
-- drop new exchanges?
-- decode payloads (needed by cookie)
-- cookie
-- redirect
-- drop oppo based on VID?
-- find v2_state_transition (basic check of needed payloads)
-- find a [template] connection based on INITIATOR:RESPONDER and %any:RESPONDER
-- instantiate connection (if needed)
-- allocate state
v2_dispatch() which calls process_v2_IKE_SA_INIT_request() and has the code you're asking about
-- match proposals against connection (allocate)
-- cross check proposal with KE
-- dispatch crypto (by this point the state must exist)
What things can be improved?
allocate msg_digest+buffer as a single blob (see refcnt_overalloc())
only instantiate the connection/state after proposals have been matched and KE verified (the template connection can be used when matching the proposal)?
use the proposal to improve connection matching (any value)?
This discussion was converted from issue #603 on March 13, 2022 23:45.
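The header sanity-check step from the list above, as an added example in C (this is not libreswan's code; the constant names, helper functions and the constructed test header are my own assumptions, with field offsets taken from RFC 7296). It shows the checks a responder can run on the fixed header before it commits any memory to a state:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constant names are my own, not libreswan's; offsets follow RFC 7296 section 3.1. */
#define IKEV2_HDR_LEN 28
#define IKEV2_EXCH_IKE_SA_INIT 34
#define IKEV2_FLAG_I 0x08 /* sender is the original initiator */
#define IKEV2_FLAG_R 0x20 /* message is a response */
enum init_check {
    INIT_OK, INIT_TOO_SHORT, INIT_BAD_VERSION, INIT_NOT_IKE_SA_INIT, INIT_BAD_FLAGS,
    INIT_ZERO_ISPI, INIT_NONZERO_RSPI, INIT_BAD_MSGID, INIT_BAD_LENGTH
};

/* Read an n-byte big-endian field (n <= 8). */
static uint64_t get_be(const uint8_t *p, int n)
{
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | *p++;
    return v;
}

/* The responder's header sanity checks, run before any state memory is committed. */
enum init_check check_ike_sa_init_request(const uint8_t *pkt, size_t len)
{
    if (len < IKEV2_HDR_LEN) return INIT_TOO_SHORT;
    uint64_t ispi = get_be(pkt, 8), rspi = get_be(pkt + 8, 8);
    uint8_t version = pkt[17], exch = pkt[18], flags = pkt[19];
    uint32_t msgid = (uint32_t)get_be(pkt + 20, 4), length = (uint32_t)get_be(pkt + 24, 4);
    if ((version >> 4) != 2) return INIT_BAD_VERSION;
    if (exch != IKEV2_EXCH_IKE_SA_INIT) return INIT_NOT_IKE_SA_INIT;
    /* a request from the initiator carries I set and R clear */
    if ((flags & (IKEV2_FLAG_I | IKEV2_FLAG_R)) != IKEV2_FLAG_I) return INIT_BAD_FLAGS;
    if (ispi == 0) return INIT_ZERO_ISPI;      /* initiator SPI must be non-zero */
    if (rspi != 0) return INIT_NONZERO_RSPI;   /* responder SPI not assigned yet */
    if (msgid != 0) return INIT_BAD_MSGID;     /* first exchange uses Message ID 0 */
    if (length != len) return INIT_BAD_LENGTH; /* header length vs. datagram length */
    return INIT_OK;
}

/* Constructed test input: a header-only datagram with the given SPIs and flags. */
void build_ike_hdr(uint8_t out[IKEV2_HDR_LEN], uint64_t ispi, uint64_t rspi, uint8_t flags)
{
    memset(out, 0, IKEV2_HDR_LEN);
    for (int i = 0; i < 8; i++) {
        out[i] = (uint8_t)(ispi >> (56 - 8 * i));
        out[8 + i] = (uint8_t)(rspi >> (56 - 8 * i));
    }
    out[16] = 33; out[17] = 0x20; /* next payload SA; version 2.0 */
    out[18] = IKEV2_EXCH_IKE_SA_INIT; out[19] = flags;
    out[27] = IKEV2_HDR_LEN; /* length field; message ID bytes stay zero */
}
```

Because every rejection happens before any allocation beyond the received buffer, this ordering is also the cheap first line of defence against an unauthenticated peer flooding the responder with malformed IKE_SA_INIT datagrams.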