[PATCH] Save latest ESP sequence number even if replay protection isn't in use

David Woodhouse dwmw2 at infradead.org
Mon Jan 8 00:30:30 PST 2018


On Sun, 2018-01-07 at 17:54 -0800, Daniel Lenski wrote:
> 
> This patch tracks the latest sequence number even if ESP replay protection
> isn't in use -- however inadvisable that may be -- allowing the handover to
> work correctly.

This implies that the seq# *is* being set in these packets. So we come
back to my question in the source code from three years ago:

       /* Why in $DEITY's name would you ever *not* set this? Perhaps we
        * should do th check anyway, but only warn instead of discarding
        * the packet? */
       if (vpninfo->esp_replay_protect &&

(Shudder. I hate seeing old typos of my own)

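As an added illustration (not OpenConnect's code and not part of this thread), the C program below implements an RFC 4303 style sliding-window anti-replay check for inbound ESP with the two behaviours under discussion: with replay protection on, a replayed or stale packet is discarded; with it off, the window and the highest-seen sequence number are still updated, and the bad packet only produces a warning. All names (`esp_in_state`, `esp_accept_packet`, `esp_count_dropped`, ...), the window size of 64 and the packet stream are this example's own assumptions, not OpenConnect's.

```c
/* Added example, not OpenConnect code: RFC 4303 style anti-replay window
 * for inbound ESP with a "track and warn only" mode. All names are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <inttypes.h>

#define ESP_REPLAY_WINDOW 64            /* bits in the sliding window (assumed) */

enum esp_seq_result {
    ESP_SEQ_OK = 0,       /* fresh sequence number: accept */
    ESP_SEQ_REPLAY = 1,   /* already received inside the window */
    ESP_SEQ_TOO_OLD = 2   /* below the window, or the never-sent value 0 */
};

struct esp_in_state {
    uint32_t seq_max;      /* highest sequence number received so far */
    uint64_t seq_bitmap;   /* bit i set => seq_max - i was received */
    int replay_protect;    /* 1: discard bad packets; 0: track, warn, accept */
    unsigned warnings;     /* bad packets seen while not protecting */
};

static void esp_in_init(struct esp_in_state *st, int replay_protect)
{
    st->seq_max = 0;
    st->seq_bitmap = 0;
    st->replay_protect = replay_protect;
    st->warnings = 0;
}

/* Classify an incoming sequence number and update the window (both modes). */
static enum esp_seq_result esp_classify_seq(struct esp_in_state *st, uint32_t seq)
{
    if (seq == 0)
        return ESP_SEQ_TOO_OLD;   /* ESP senders start at 1 (RFC 4303 3.3.3) */

    if (seq > st->seq_max) {
        /* Packet advances the window: shift the bitmap, mark this seq. */
        uint32_t shift = seq - st->seq_max;
        if (shift >= ESP_REPLAY_WINDOW)
            st->seq_bitmap = 1;                 /* everything older falls out */
        else
            st->seq_bitmap = (st->seq_bitmap << shift) | 1;
        st->seq_max = seq;
        return ESP_SEQ_OK;
    }

    uint32_t diff = st->seq_max - seq;
    if (diff >= ESP_REPLAY_WINDOW)
        return ESP_SEQ_TOO_OLD;
    if (st->seq_bitmap & (1ULL << diff))
        return ESP_SEQ_REPLAY;

    st->seq_bitmap |= (1ULL << diff);          /* late but new: record it */
    return ESP_SEQ_OK;
}

/* Returns 1 if the packet should be processed, 0 if it should be dropped.
 * The window is updated in both modes, so esp_latest_seq() stays correct
 * even when replay protection is off; in that mode a bad seq only warns. */
static int esp_accept_packet(struct esp_in_state *st, uint32_t seq)
{
    enum esp_seq_result r = esp_classify_seq(st, seq);
    const char *why = (r == ESP_SEQ_REPLAY) ? "replay" : "outside window";
    if (r == ESP_SEQ_OK)
        return 1;
    if (st->replay_protect) {
        fprintf(stderr, "Discarding ESP packet seq %" PRIu32 " (%s)\n", seq, why);
        return 0;
    }
    st->warnings++;
    fprintf(stderr, "Warning: ESP seq %" PRIu32 " is %s, replay protection off\n",
            seq, why);
    return 1;
}

static uint32_t esp_latest_seq(const struct esp_in_state *st)
{
    return st->seq_max;
}

/* Feed a packet stream through a fresh state; return how many were dropped
 * and (optionally) the highest sequence number tracked afterwards. */
static unsigned esp_count_dropped(const uint32_t *seqs, size_t n,
                                  int replay_protect, uint32_t *latest_out)
{
    struct esp_in_state st;
    unsigned dropped = 0;
    esp_in_init(&st, replay_protect);
    for (size_t i = 0; i < n; i++)
        if (!esp_accept_packet(&st, seqs[i]))
            dropped++;
    if (latest_out)
        *latest_out = esp_latest_seq(&st);
    return dropped;
}

int main(void)
{
    /* Constructed stream: reordering, one replay, a big jump, a stale packet. */
    const uint32_t stream[] = { 1, 3, 2, 2, 100, 3, 101 };
    uint32_t latest;
    unsigned d = esp_count_dropped(stream, 7, 1, &latest);
    printf("protect on : dropped %u, latest seq %" PRIu32 "\n", d, latest);
    d = esp_count_dropped(stream, 7, 0, &latest);
    printf("protect off: dropped %u, latest seq %" PRIu32 "\n", d, latest);
    return 0;
}
```

With protection on, the constructed stream loses the duplicated 2 and the stale 3 (which falls outside the 64-packet window once 100 has been seen); with protection off nothing is dropped, but the tracked highest sequence number is 101 in both modes, which is the property a handover needs.
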