Comments (3)
but it checks for: keypair.isInitiator
from boringtun.
I opened a PR that directly fixes problems 1, 4, 5 and 6.
Problem 2: indeed that is an extra handshake message, but I don't see much harm in it. To fix, we'd have to add extra overhead to check the time for each processed outbound packet. If no data is sent using the new session, no new handshakes should be exchanged further on.
Problem 3:
It seems the whitepaper is in disagreement with https://www.wireguard.com/protocol/ and wireguard-go implementation, as both state it only applies to the initiator.
Problem 1 is not fully addressed, out-of-order packets (legitimate or forced by an attacker) can still convince a receiver to change a new session to an old session:
Lines 391 to 397 in 6feb8e6
Before changing the session, it should probably check that the candidate session is newer than the current one.
Problem 3: that protocol page does not seem to list all requirements. The wireguard-go implementation does implement the handshake initiation when the session associated with a received packet is too old:
https://github.com/WireGuard/wireguard-go/blob/7bc0e118317d20974107a8a0f17cf57d400f4791/device/receive.go#L77-L86
func (peer *Peer) keepKeyFreshReceiving() {
	if peer.timers.sentLastMinuteHandshake.Get() {
		return
	}
	keypair := peer.keypairs.Current()
	if keypair != nil && keypair.isInitiator && time.Since(keypair.created) > (RejectAfterTime-KeepaliveTimeout-RekeyTimeout) {
		peer.timers.sentLastMinuteHandshake.Set(true)
		peer.SendHandshakeInitiation(false)
	}
}
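Added example, not boringtun's or wireguard-go's code: a minimal Rust model of the two receive-side checks discussed above, the "never roll back to an older session" check for Problem 1 and the initiator-only last-minute rekey for Problem 3. `Session`, `Peer` and the `seq` field are assumed names; the timer constants are the WireGuard protocol values.

```rust
// Added example (not boringtun's or wireguard-go's code). `Session`, `Peer`
// and `seq` are assumed names; the timer constants are WireGuard's.
use std::time::{Duration, Instant};

const REJECT_AFTER_TIME: Duration = Duration::from_secs(180);
const KEEPALIVE_TIMEOUT: Duration = Duration::from_secs(10);
const REKEY_TIMEOUT: Duration = Duration::from_secs(5);

#[derive(Clone, Copy, Debug)]
pub struct Session {
    pub seq: u64, // assumed: strictly increasing per peer, larger = newer
    pub created: Instant,
    pub is_initiator: bool,
}

pub struct Peer {
    pub current: Option<Session>,
    pub sent_last_minute_handshake: bool,
}

impl Peer {
    /// Problem 1: a data packet that authenticates under `candidate` may only
    /// make it current if it is newer; an out-of-order or attacker-delayed
    /// packet under an older session is decrypted but must not roll us back.
    pub fn promote_if_newer(&mut self, candidate: Session) -> bool {
        match self.current {
            Some(cur) if candidate.seq <= cur.seq => false,
            _ => {
                self.current = Some(candidate);
                true
            }
        }
    }

    /// Problem 3: mirror of wireguard-go's keepKeyFreshReceiving. Only the
    /// initiator re-handshakes when the receiving session nears expiry, and
    /// at most once per session. Returns true if an initiation should be sent.
    pub fn needs_rekey_on_receive(&mut self, now: Instant) -> bool {
        if self.sent_last_minute_handshake {
            return false;
        }
        let cur = match self.current { Some(s) => s, None => return false };
        let limit = REJECT_AFTER_TIME - KEEPALIVE_TIMEOUT - REKEY_TIMEOUT; // 165 s
        if cur.is_initiator && now.duration_since(cur.created) > limit {
            self.sent_last_minute_handshake = true;
            return true;
        }
        false
    }
}
```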