You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The protocol defines the following message limits:
Rekey-After-Messages 2^64 * 2^16 - 1
Reject-After-Messages 2^64 − 2^4 − 1
Although unlikely in practice, the implementation must check that these message limits are not reached and avoid a counter wraparound. The implementation of ReceivingKeyCounterValidator in src/noise/session.rs must be updated to check this.
Right now a malicious implementation could produce the following messages sequence which is accepted by boringtun:
counter=0 (sets next to 1 in mark_did_receive)
counter=2^64 - 1 (sets next to 0 due to integer overflow)
Additionally, going from counter 0 to counter 2^64 will also result in a lot of unnecessary executions which facilitates a DoS:
// Packets where dropped, or maybe reordered, skip them and mark unusedletmut i = self.next;// 1while i < counter {// i = 1 .. 2^64 - 1self.clear_bit(i);
i += 1;}
If the gap is too big, perhaps the whole bitmap should be cleared.
FWIW, the WireGuard kernel implementation uses a window of 2048 bits whereas this one uses 1024.
Another related issue is that sending_key_counter and sending_key_counter are an AtomicUsize which may be 32-bit on 32-bit architectures whereas the counter in the protocol is 64-bit.
The text was updated successfully, but these errors were encountered:
The protocol defines the following message limits:
Although unlikely in practice, the implementation must check that these message limits are not reached and avoid a counter wraparound. The implementation of ReceivingKeyCounterValidator in src/noise/session.rs must be updated to check this.
Right now a malicious implementation could produce the following messages sequence which is accepted by boringtun:
mark_did_receive
)Additionally, going from counter 0 to counter 2^64 will also result in a lot of unnecessary executions which facilitates a DoS:
If the gap is too big, perhaps the whole bitmap should be cleared.
FWIW, the WireGuard kernel implementation uses a window of 2048 bits whereas this one uses 1024.
Another related issue is that
sending_key_counter
andsending_key_counter
are an AtomicUsize which may be 32-bit on 32-bit architectures whereas the counter in the protocol is 64-bit.The text was updated successfully, but these errors were encountered: