From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Dewayne Geraghty, freebsd-security@freebsd.org
Subject: Re: IPSEC anomaly on FreeBSD11.1S when specifying specific port in policy rules.
Date: Mon, 21 Aug 2017 15:09:12 +0300
In-Reply-To: <321a4895-8c4e-8261-eedf-c93bccd696d0@heuristicsystems.com.au>

On 17.08.2017 06:50, Dewayne Geraghty wrote:
> I was about to send to @freebsd-stable until I realised that there are
> security implications for folks that may be using this, thinking that
> their confidential material is protected, which may not be entirely correct.

Hi,

I think this was broken by me in r275710. This SYN+ACK packet is sent by
the syncache code directly, when the PCB is not yet created. Due to the
missing inpcb pointer this packet is considered "forwarded", and thus the
TCP ports are not filled properly for the SP lookup.

We can fix this in two ways:

1. Always fill ports. This will add a small extra overhead, but will solve
   the restriction described in setkey(8):

     NOTE: upperspec does not work in the forwarding case at this moment,
     as it requires extra reassembly at forwarding node, which is not
     implemented at this moment.

2. Resurrect the flags argument and always fill ports when not forwarding.

What is the best solution?

-- 
WBR, Andrey V. Elsukov
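The SP-lookup behaviour Andrey describes above, as an added C model that is not FreeBSD kernel code and not part of this thread. The struct and function names, the FILL_IF_PCB / FILL_ALWAYS modes, the one-entry SPD and the sample SYN+ACK bytes are all constructed. It shows why a policy whose upperspec carries a port stops matching the syncache SYN+ACK once the ports are left unfilled (the segment then leaves in the clear), and that option 1, filling ports unconditionally, restores the match.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PORT_ANY  0
#define PROTO_TCP 6     /* IPPROTO_TCP, kept local to avoid <netinet/in.h> */

/* Constructed SP selector: addresses + upper-layer protocol + ports.
 * Zero / PORT_ANY in a policy selector means "wildcard". */
struct selector { uint32_t src, dst; uint8_t proto; uint16_t sport, dport; };
enum sp_action { SP_NONE = 0, SP_IPSEC = 1 };
struct policy { struct selector sel; enum sp_action action; };

/* FILL_IF_PCB models the behaviour in the message: ports are filled only
 * when the packet has an inpcb (is not "forwarded"). FILL_ALWAYS models
 * option 1 of the proposed fix. Both labels are constructed. */
enum fill_mode { FILL_IF_PCB, FILL_ALWAYS };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Build the lookup selector from a raw IPv4 packet; false on truncation. */
bool fill_selector(const uint8_t *pkt, size_t len, bool have_pcb,
                   enum fill_mode mode, struct selector *sel)
{
    memset(sel, 0, sizeof(*sel));
    if (len < 20 || (pkt[0] >> 4) != 4) return false;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl) return false;
    sel->src = rd32(pkt + 12);
    sel->dst = rd32(pkt + 16);
    sel->proto = pkt[9];
    /* Without ports the selector keeps PORT_ANY, so a port-specific SP
     * (an upperspec with a port) can never match this packet. */
    if ((mode == FILL_ALWAYS || have_pcb) && sel->proto == PROTO_TCP) {
        if (len < ihl + 4) return false;
        sel->sport = rd16(pkt + ihl);
        sel->dport = rd16(pkt + ihl + 2);
    }
    return true;
}

static bool sel_match(const struct selector *pol, const struct selector *pkt)
{
    return (!pol->src || pol->src == pkt->src) &&
           (!pol->dst || pol->dst == pkt->dst) &&
           (!pol->proto || pol->proto == pkt->proto) &&
           (pol->sport == PORT_ANY || pol->sport == pkt->sport) &&
           (pol->dport == PORT_ANY || pol->dport == pkt->dport);
}

/* First-match SPD lookup; no matching SP means the packet leaves in the clear. */
enum sp_action sp_lookup(const struct policy *spd, size_t n, const struct selector *pkt)
{
    for (size_t i = 0; i < n; i++)
        if (sel_match(&spd[i].sel, pkt)) return spd[i].action;
    return SP_NONE;
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed scenario: 10.0.0.1 requires ESP for TCP it sends from port 22,
 * roughly `spdadd 10.0.0.1[22] 10.0.0.2 tcp -P out ipsec esp/transport//require;`. */
static const struct policy spd[] = {
    { { IP4(10, 0, 0, 1), IP4(10, 0, 0, 2), PROTO_TCP, 22, PORT_ANY }, SP_IPSEC },
};

/* Constructed SYN+ACK 10.0.0.1:22 -> 10.0.0.2:40000, the kind of segment the
 * syncache emits before any inpcb exists (checksums left zero). */
static const uint8_t synack_pkt[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,                       /* src, dst */
    0x00, 0x16, 0x9c, 0x40, 0x00, 0x00, 0x00, 0x01, /* ports 22 -> 40000, seq */
    0x00, 0x00, 0x00, 0x01, 0x50, 0x12, 0xff, 0xff, /* ack, doff=5, SYN|ACK, win */
    0x00, 0x00, 0x00, 0x00,                         /* csum, urp */
};

/* What happens to the SYN+ACK under a given pcb state and fill mode. */
enum sp_action synack_outcome(bool have_pcb, enum fill_mode mode)
{
    struct selector sel;
    if (!fill_selector(synack_pkt, sizeof synack_pkt, have_pcb, mode, &sel))
        return SP_NONE;
    return sp_lookup(spd, sizeof spd / sizeof spd[0], &sel);
}

int main(void)
{
    const char *name[] = { "CLEAR", "IPSEC" };
    printf("data segment, inpcb present:   %s\n", name[synack_outcome(true, FILL_IF_PCB)]);
    printf("syncache SYN+ACK, no inpcb:    %s\n", name[synack_outcome(false, FILL_IF_PCB)]);
    printf("syncache SYN+ACK, always fill: %s\n", name[synack_outcome(false, FILL_ALWAYS)]);
    return 0;
}
```

The middle case is the one Dewayne hit: the policy is present and correct, but the selector built for the syncache SYN+ACK has no ports, so the first-match lookup falls through to "no policy". Option 2 in the message would make the same packet match by passing a flag that says "not forwarded"; in this model that is equivalent to calling fill_selector with have_pcb set.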