CVSROOT: /cvs
Module name: src
Changes by: bl...@cvs.openbsd.org 2021/07/18 08:38:20
Modified files:
sys/netinet : ip_ah.c ip_esp.c ip_ipsp.h
Log message:
The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@
