Development discussion of WireGuard
* Linux counter_validate() RFC6479 replay detection modifies bitmap before authentication?
@ 2023-04-20 19:58 Leon Woestenberg
From: Leon Woestenberg @ 2023-04-20 19:58 UTC (permalink / raw)
  To: wireguard

Hello all,

I am trying to understand a few details in the WireGuard protocol, looking
at the Linux kernel WireGuard implementation if I am unsure about the
description from the paper. One question I have:

Does counter_validate() in the receive path update the bitmap from the
Type 4 counter (their_counter) before the received Type 4 packet was
authenticated?

Regards,

Leon.


* Re: Linux counter_validate() RFC6479 replay detection modifies bitmap before authentication?
@ 2023-04-22 12:03 ` Jason A. Donenfeld
From: Jason A. Donenfeld @ 2023-04-22 12:03 UTC (permalink / raw)
  To: Leon Woestenberg; +Cc: wireguard

On 4/20/23, Leon Woestenberg <leon@sidebranch.com> wrote:
> Hello all,
>
> I am trying to understand a few details in the WireGuard protocol, looking
> at the Linux kernel WireGuard implementation if I am unsure about the
> description from the paper. One question I have:
>
> Does counter_validate() in the receive path update the bitmap from the
> Type 4 counter (their_counter) before the received Type 4 packet was
> authenticated?

No, it happens after authentication. Otherwise that'd be a real DoS vector.
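
Added example, not part of either message and not the kernel's code: a simplified user-space RFC 6479-style window showing why the bitmap update has to follow authentication. `tag_valid` stands in for AEAD tag verification; all names, limits and counter values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WORDS  4u                  /* ring of 64-bit blocks */
#define WINDOW ((WORDS - 1) * 64u) /* usable window, as in RFC 6479 */
struct replay_window { uint64_t top; uint64_t bits[WORDS]; };
struct packet { uint64_t counter; bool tag_valid; }; /* tag_valid: stand-in for AEAD check */

/* Check-and-record: true if ctr is fresh. This call mutates the window. */
static bool window_update(struct replay_window *w, uint64_t ctr)
{
    if (ctr >= UINT64_MAX - WINDOW) return false; /* constructed limit, avoids overflow */
    uint64_t seq = ctr + 1, idx = seq / 64;       /* seq 0 means nothing seen yet */
    if (seq + WINDOW < w->top) return false;      /* older than the window */
    if (seq > w->top) {                           /* slide forward, clear newly entered blocks */
        uint64_t cur = w->top / 64, n = idx - cur > WORDS ? WORDS : idx - cur;
        for (uint64_t i = 1; i <= n; i++) w->bits[(cur + i) % WORDS] = 0;
        w->top = seq;
    }
    uint64_t mask = 1ULL << (seq % 64), *word = &w->bits[idx % WORDS];
    if (*word & mask) return false;               /* bit already set: replay */
    *word |= mask;
    return true;
}

static bool receive(struct replay_window *w, const struct packet *p, bool update_first)
{
    if (update_first)   /* the ordering the question asks about */
        return window_update(w, p->counter) && p->tag_valid;
    return p->tag_valid && window_update(w, p->counter); /* bad tag: window untouched */
}

/* Genuine 0..9, one unauthenticated packet far ahead, then genuine 10..19: how many of those pass? */
static int accepted_after_bad_packet(bool update_first)
{
    struct replay_window w = {0};
    struct packet p = { 0, true }, bad = { 1000000, false };
    int ok = 0;
    for (p.counter = 0; p.counter < 10; p.counter++) receive(&w, &p, update_first);
    receive(&w, &bad, update_first);
    for (p.counter = 10; p.counter < 20; p.counter++) ok += receive(&w, &p, update_first);
    return ok;
}

int main(void)
{
    printf("after auth: %d/10, before auth: %d/10\n", accepted_after_bad_packet(false), accepted_after_bad_packet(true));
    return 0;
}
```

With the update placed first, a single packet that fails authentication moves the window past every genuine counter, so the peer's following packets are all rejected as too old.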
