if_ovpn: ensure we never re-use sequence numbers
ClosedPublic
Actions

Authored by kp on May 20 2023, 6:38 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Thu, May 14, 2:55 PM

	Unknown Object (File)
	Mon, May 11, 4:41 AM

	Unknown Object (File)
	Mon, May 11, 4:41 AM

	Unknown Object (File)
	Mon, May 11, 3:23 AM

	Unknown Object (File)
	Thu, May 7, 8:21 AM

	Unknown Object (File)
	Thu, May 7, 5:15 AM

	Unknown Object (File)
	Wed, May 6, 11:10 PM

	Unknown Object (File)
	Wed, May 6, 10:55 PM

Subscribers

Details

Reviewers

None

Group Reviewers

pfsense
network

Commits

rG81877287a99e: if_ovpn: ensure we never re-use sequence numbers

Summary

if_ovpn already notified userpsace when there was a risk of sequence
number re-use, but it trusted userspace to actually rotate the key.

Convert the internal sequence number counter to 64 bits so we can detect
overflows and then refuse to send packets.

Event: BSDCan 2023
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kp created this revision.May 20 2023, 6:38 PM

Herald added subscribers: glebius, melifaro, ae, imp. · View Herald TranscriptMay 20 2023, 6:38 PM

kp requested review of this revision.May 20 2023, 6:38 PM

Harbormaster completed remote builds in B51585: Diff 122172.May 20 2023, 6:38 PM

This revision was not accepted when it landed; it landed in state Needs Review.May 23 2023, 2:14 PM

Closed by commit rG81877287a99e: if_ovpn: ensure we never re-use sequence numbers (authored by kp). · Explain Why

This revision was automatically updated to reflect the committed changes.

kp added a commit: rG81877287a99e: if_ovpn: ensure we never re-use sequence numbers.

Revision Contents
Changeset List

Path

Size

sys/

net/

if_ovpn.c

22 lines

Diff 122292

View Options

if_ovpn: ensure we never re-use sequence numbersClosedPublicActions