* Linux counter_validate() RFC6479 replay detection modifies bitmap before authentication?
@ 2023-04-20 19:58 Leon Woestenberg
2023-04-22 12:03 ` Jason A. Donenfeld
0 siblings, 1 reply; 2+ messages in thread
From: Leon Woestenberg @ 2023-04-20 19:58 UTC (permalink / raw)
To: wireguard
Hello all,
I am trying to understand a few details in WireGuard protocol, looking
at the Linux kernel WireGuard implementation if I am unsure about the
description from the paper. One question I have:
Does counter_validate() in the receive path update the bitmap from the
Type 4 counter (their_counter) before the received Type 4 packet was
authenticated?
Regards,
Leon.
* Re: Linux counter_validate() RFC6479 replay detection modifies bitmap before authentication?
From: Jason A. Donenfeld @ 2023-04-22 12:03 UTC (permalink / raw)
To: Leon Woestenberg; +Cc: wireguard
On 4/20/23, Leon Woestenberg <leon@sidebranch.com> wrote:
> Hello all,
>
> I am trying to understand a few details in WireGuard protocol, looking
> at the Linux kernel WireGuard implementation if I am unsure about the
> description from the paper. One question I have:
>
> Does counter_validate() in the receive path update the bitmap from the
> Type 4 counter (their_counter) before the received Type 4 packet was
> authenticated?
No, it happens after authentication. Otherwise that'd be a real DoS vector.