Don't send informational responses before we're having the key material. - wireguard-openbsd - WireGuard implementation for the OpenBSD kernel

diff options

author	reyk <reyk@openbsd.org>	2017-03-28 16:25:21 +0000
committer	reyk <reyk@openbsd.org>	2017-03-28 16:25:21 +0000
commit	de143f6cde79806c80d19e72f83480421513c1cf (patch)
tree	813ea565905e496be75a4a8bf1256f1bd988897d /lib/libc/stdlib/malloc.c
parent	Link pledge sockopt regression tests to build. (diff)
download	wireguard-openbsd-de143f6cde79806c80d19e72f83480421513c1cf.tar.xz wireguard-openbsd-de143f6cde79806c80d19e72f83480421513c1cf.zip

Don't send informational responses before we're having the key material.

iked starts sending keepalive messages after authentication and after successfully completing the handshake. Other implementations, like we've seen on Microsoft Azure, start sending keepalive messages right after receiving the first SA_INIT message when they set up the key material, even before we received the SA_INIT response to complete the DH exchange. The solution is to ignore early keepalive messages before we're ready to encrypt our response, in the transition between SA_INIT and AUTH. The peer should still accept one or more missed keepalives. OK mikeb@

Diffstat (limited to 'lib/libc/stdlib/malloc.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: