author: Alexander Bluhm <bluhm@cvs.openbsd.org> 2021-07-18 14:38:21 +0000
committer: Alexander Bluhm <bluhm@cvs.openbsd.org> 2021-07-18 14:38:21 +0000
commit: cd8098560ae5c49bf2c08f0304a1da55936179e4
tree: 7b9561eddcd3003ee8e397710ed6b13492fd10cf /distrib/alpha
parent: 5b8f807a78f498c67c79e51656903593cf41fb7e

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto task.
During the queueing the replay counter of the tdb can change. Then the
higher 32 bits may increment although the lower 32 bits did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling in
the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@

Diffstat (limited to 'distrib/alpha')
0 files changed, 0 insertions, 0 deletions
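
Added example, not part of the commit and not OpenBSD's code: a simplified sketch of the RFC 4303 Appendix A2.1 extended sequence number inference, showing why the two checks named in the commit message disagree when the replay counter moves between them and agree when the counter is carried with the packet. The 64-packet window, `esn_infer`, `checks_agree`, `struct pkt_ctx` and all counter values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define WINDOW 64u	/* assumed anti-replay window size */

/* RFC 4303 A2.1: rebuild the 64-bit sequence number from the low 32 bits
 * on the wire (seql) and the receiver's replay counter (top). */
static uint64_t
esn_infer(uint64_t top, uint32_t seql)
{
	uint32_t th = (uint32_t)(top >> 32), tl = (uint32_t)top;
	uint32_t bl = tl - WINDOW + 1;	/* window bottom, low bits, mod 2^32 */
	uint32_t seqh;

	if (tl >= WINDOW - 1)	/* window lies inside one 2^32 subspace */
		seqh = (seql >= bl) ? th : th + 1;
	else			/* window straddles a subspace boundary */
		seqh = (seql >= bl) ? th - 1 : th;
	return ((uint64_t)seqh << 32) | seql;
}

/* Hypothetical per-packet context that travels with the crypto request. */
struct pkt_ctx {
	uint32_t seql;
	uint64_t rpl;	/* replay counter captured at the first check */
};

/* Check before and after the simulated async crypto step; returns 1 when
 * both checks rebuild the same 64-bit sequence number. */
static int
checks_agree(uint64_t live_before, uint64_t live_after, uint32_t seql,
    int use_snapshot)
{
	struct pkt_ctx c = { seql, live_before };
	uint64_t first = esn_infer(live_before, c.seql);
	uint64_t second = esn_infer(use_snapshot ? c.rpl : live_after, c.seql);

	return first == second;
}

int
main(void)
{
	/* Constructed values: counter moves by 5000 while the packet waits. */
	uint64_t before = 0x100001000ULL, after = before + 5000;
	printf("live counter agrees: %d, stored counter agrees: %d\n",
	    checks_agree(before, after, 0x1001, 0),
	    checks_agree(before, after, 0x1001, 1));
	return 0;
}
```

With the live counter, the second check places the same low 32 bits below the window and rebuilds them with the high half incremented, so the sequence number the integrity check covers no longer matches.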