if_ovpn: ensure we never re-use sequence numbers
ClosedPublic
Actions

Authored by kp on May 20 2023, 6:38 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Sat, Oct 25, 4:02 PM

	Unknown Object (File)
	Sat, Oct 25, 2:34 PM

	Unknown Object (File)
	Wed, Oct 1, 12:55 AM

	Unknown Object (File)
	Mon, Sep 29, 5:48 AM

	Unknown Object (File)
	Sep 28 2025, 3:27 PM

	Unknown Object (File)
	Sep 27 2025, 10:42 PM

	Unknown Object (File)
	Sep 17 2025, 12:36 AM

	Unknown Object (File)
	Sep 16 2025, 1:59 AM

Subscribers

Details

Reviewers

None

Group Reviewers

pfsense
network

Commits

rG81877287a99e: if_ovpn: ensure we never re-use sequence numbers

Summary

if_ovpn already notified userpsace when there was a risk of sequence
number re-use, but it trusted userspace to actually rotate the key.

Convert the internal sequence number counter to 64 bits so we can detect
overflows and then refuse to send packets.

Event: BSDCan 2023
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 51585
Build 48476: arc lint + arc unit

Event Timeline

kp created this revision.May 20 2023, 6:38 PM

Herald added subscribers: glebius, melifaro, ae, imp. · View Herald TranscriptMay 20 2023, 6:38 PM

kp requested review of this revision.May 20 2023, 6:38 PM

Harbormaster completed remote builds in B51585: Diff 122172.May 20 2023, 6:38 PM

This revision was not accepted when it landed; it landed in state Needs Review.May 23 2023, 2:14 PM

Closed by commit rG81877287a99e: if_ovpn: ensure we never re-use sequence numbers (authored by kp). · Explain Why

This revision was automatically updated to reflect the committed changes.

kp added a commit: rG81877287a99e: if_ovpn: ensure we never re-use sequence numbers.

Revision Contents
Changeset List

Path

Size

sys/

net/

if_ovpn.c

22 lines

Diff 122172

View Options

if_ovpn: ensure we never re-use sequence numbersClosedPublicActions