Linux counter_validate() RFC6479 replay detection modifies bitmap before authentication?

Jason A. Donenfeld Jason at zx2c4.com
Sat Apr 22 12:03:42 UTC 2023


On 4/20/23, Leon Woestenberg <leon at sidebranch.com> wrote:
> Hello all,
>
> I am trying to understand a few details in WireGuard protocol, looking
> at the Linux kernel WireGuard implementation if I am unsure about the
> description from the paper. One question I have:
>
> Does counter_validate() in the receive path update the bitmap from the
> Type 4 counter (their_counter) before the received Type 4 packet was
> authenticated?

No, it happens after authentication. Otherwise that'd be a real DoS vector.
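The ordering in the answer above, shown as an added example that is not code from the kernel, the WireGuard project or either poster: a simplified RFC 6479 style sliding-window replay check in C, with a receive path that authenticates first and touches the window only on success, beside the reversed ordering the question worries about. The names (`replay_window`, `counter_validate`, `receive_after_auth`, `receive_before_auth`), the 2048-bit window size and the toy `authenticate()` stand-in for AEAD tag verification are all assumptions made for this example; the stand-in is not a MAC and only models pass/fail.

```c
/* Constructed example: RFC 6479 style anti-replay window for a WireGuard-like
 * receive path. Simplified re-implementation, not the Linux kernel's code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BITS_PER_WORD      64
#define WINDOW_WORDS       32                               /* assumed size: 2048 bits of state */
#define WINDOW_BITS_TOTAL  (WINDOW_WORDS * BITS_PER_WORD)
#define WINDOW_SIZE        (WINDOW_BITS_TOTAL - BITS_PER_WORD) /* usable look-back */
#define REJECT_AFTER_MESSAGES (UINT64_MAX - WINDOW_BITS_TOTAL - 1) /* keeps c + WINDOW_SIZE from wrapping */

struct replay_window {
    uint64_t counter;              /* highest accepted counter + 1 (0 = nothing seen yet) */
    uint64_t bitmap[WINDOW_WORDS]; /* ring of 64-bit words, one bit per counter value */
};

static void window_init(struct replay_window *w) { memset(w, 0, sizeof *w); }

/* Check-and-mark: true if their_counter is fresh, and marks it as seen.
 * This mutates the window, so it must only run on an authenticated packet. */
static bool counter_validate(struct replay_window *w, uint64_t their_counter)
{
    if (their_counter >= REJECT_AFTER_MESSAGES)
        return false;
    uint64_t c = their_counter + 1;            /* 1-based so that 0 means "none" */
    if (c + WINDOW_SIZE < w->counter)          /* older than the window: drop */
        return false;
    uint64_t idx = c / BITS_PER_WORD;
    if (c > w->counter) {                      /* window slides forward */
        uint64_t idx_cur = w->counter / BITS_PER_WORD;
        uint64_t top = idx - idx_cur;
        if (top > WINDOW_WORDS)
            top = WINDOW_WORDS;                /* jump past the ring: clear every word */
        for (uint64_t i = 1; i <= top; i++)
            w->bitmap[(idx_cur + i) % WINDOW_WORDS] = 0;
        w->counter = c;
    }
    uint64_t bit = (uint64_t)1 << (c % BITS_PER_WORD);
    uint64_t *word = &w->bitmap[idx % WINDOW_WORDS];
    if (*word & bit)
        return false;                          /* already seen: replay */
    *word |= bit;
    return true;
}

enum rx_result { RX_OK = 0, RX_BAD_AUTH = 1, RX_REPLAY = 2 };

struct packet { uint64_t counter; uint64_t tag; };

/* Stand-in for AEAD tag verification (assumed, NOT a real MAC): models pass/fail only. */
static bool authenticate(uint64_t key, const struct packet *p)
{
    return p->tag == (p->counter ^ key);
}

static struct packet make_packet(uint64_t key, uint64_t counter, bool valid)
{
    struct packet p = { counter, valid ? (counter ^ key) : ~(counter ^ key) };
    return p;
}

/* Correct ordering: a forged packet never reaches the window. */
static enum rx_result receive_after_auth(struct replay_window *w, uint64_t key, const struct packet *p)
{
    if (!authenticate(key, p))
        return RX_BAD_AUTH;
    if (!counter_validate(w, p->counter))
        return RX_REPLAY;
    return RX_OK;
}

/* The ordering the question asks about: window mutated before authentication. */
static enum rx_result receive_before_auth(struct replay_window *w, uint64_t key, const struct packet *p)
{
    if (!counter_validate(w, p->counter))
        return RX_REPLAY;
    if (!authenticate(key, p))
        return RX_BAD_AUTH;
    return RX_OK;
}

#define DEMO_KEY 0x1234ULL  /* constructed key for the stand-in check */

/* Result for a legitimate low-counter packet that arrives after a forged high-counter
 * one, under the given receive function. */
static enum rx_result legit_after_forged(enum rx_result (*rx)(struct replay_window *, uint64_t, const struct packet *))
{
    struct replay_window w;
    window_init(&w);
    struct packet forged = make_packet(DEMO_KEY, 1000000, false); /* unauthenticated, huge counter */
    struct packet legit  = make_packet(DEMO_KEY, 5, true);
    (void)rx(&w, DEMO_KEY, &forged);           /* rejected either way, but may have moved the window */
    return rx(&w, DEMO_KEY, &legit);
}

int main(void)
{
    printf("auth first: legit packet -> %d (0 = accepted)\n", legit_after_forged(receive_after_auth));
    printf("window first: legit packet -> %d (2 = dropped as replay)\n", legit_after_forged(receive_before_auth));
    return 0;
}
```

With the window updated only after authentication, an unauthenticated packet carrying a far-future counter is dropped without side effects, and the peer's genuine traffic keeps flowing; with the reversed ordering, that one spoofed packet slides the window past the peer's real counters and every subsequent legitimate packet is discarded as a replay, which is the denial of service the reply refers to.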

