Date: Mon, 6 Jul 2015 12:30:45 -0700
From: John-Mark Gurney
To: current@FreeBSD.org
Subject: Security issue when using aesni(4) module with only ESP on HEAD
Message-ID: <20150706193045.GL8523@funkthat.com>
List-Id: Discussions about the use of FreeBSD-current
It has been discovered that r275732[1] on HEAD introduced a bug in the aesni(4) module where the initialization vector (IV) is not properly generated when using AES-CBC, aka rijndael-cbc. This only happens when neither the CRD_F_IV_PRESENT nor the CRD_F_IV_EXPLICIT flag is set.

This ONLY affects HEAD and does not affect any stable branch, as the code in r275732 has not yet been back ported.

The bug is only triggered when the system is running IPsec with a security policy that only includes encryption (ESP). If an authentication policy (AH) is specified along with the encryption policy, which is the recommended configuration to prevent an attacker from modifying packets, the aesni(4) module will not be used and this bug will not affect the policy.

This bug has been fixed in r285216[2]. Please upgrade immediately if you are using IPsec with an ESP-only policy and the aesni(4) module.

The bug will leak the XOR difference[3] of the first 16 bytes of the packet, and possibly more. In tunnel mode this only covers part of the inner IP header, including the internal source IP.
In transport mode, most of the TCP header will be leaked, or the UDP header and the first 8 bytes of the UDP payload.

Other subsystems in FreeBSD (kgssapi, geli and cryptodev) set the CRD_F_IV_PRESENT and/or CRD_F_IV_EXPLICIT flags and are not affected by this bug.

Thanks go to Olivier Cochard-Labbé for reporting a related issue and discovering that the packet IVs were not properly random.

[1] https://svnweb.freebsd.org/changeset/base/r275732
[2] https://svnweb.freebsd.org/changeset/base/r285216
[3] https://defuse.ca/cbcmodeiv.htm

-- 
John-Mark Gurney    Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
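The advisory says the symptom was visible on the wire: the IVs in the ESP packets were not properly random. The following is an added example, not code from the advisory or from FreeBSD, showing the kind of passive check that reveals this, plus a short demonstration of why a non-fresh CBC IV leaks information about the first 16 bytes. It parses the ESP header per RFC 4303 (4-byte SPI, 4-byte sequence number, then the 16-byte AES-CBC IV per RFC 3602) and flags IVs that are all-zero, reused within an SA, or equal to the previous packet's last ciphertext block. The sample "captures", the SPI values and the constructed IPv4 header bytes are all made up here, and HMAC-SHA256 truncated to one block stands in for the AES block function so the demo needs no third-party library; that substitution is an assumption stated in the code.

```python
"""Added example (not from the advisory or FreeBSD): audit the AES-CBC IVs
carried in captured ESP packets, and show why a fixed IV leaks equality of
the first 16 bytes.

ESP layout (RFC 4303): SPI (4), sequence number (4), then for AES-CBC
(RFC 3602) a 16-byte IV, then the ciphertext. An ESP-only policy carries
no trailing ICV, so the packet ends with the last CBC block. All packets
below are constructed; the ciphertext is random filler because only the
IV field is examined.
"""
import hashlib
import hmac
import os
import struct
from collections import Counter

ESP_HDR_LEN = 8   # SPI + sequence number
IV_LEN = 16       # AES-CBC IV is one AES block
BLOCK = 16


def parse_esp(pkt):
    """Split an ESP packet into (spi, seq, iv, ciphertext)."""
    if len(pkt) < ESP_HDR_LEN + IV_LEN + BLOCK:
        raise ValueError("too short for ESP header, IV and one CBC block")
    spi, seq = struct.unpack("!II", pkt[:ESP_HDR_LEN])
    iv = pkt[ESP_HDR_LEN:ESP_HDR_LEN + IV_LEN]
    body = pkt[ESP_HDR_LEN + IV_LEN:]
    if len(body) % BLOCK:
        raise ValueError("ciphertext is not a whole number of CBC blocks")
    return spi, seq, iv, body


def audit_ivs(packets):
    """Return (spi, seq, problem) for every packet whose IV is not fresh.

    Flags an all-zero IV, an IV reused within the same SA, and an IV equal
    to the previous packet's last ciphertext block (CBC state carried
    across packets, so the IV is predictable to anyone who saw it).
    """
    findings = []
    seen = Counter()
    last_block = {}
    for pkt in packets:
        spi, seq, iv, body = parse_esp(pkt)
        if iv == bytes(IV_LEN):
            findings.append((spi, seq, "all-zero IV"))
        if seen[(spi, iv)]:
            findings.append((spi, seq, "IV reused within SA"))
        seen[(spi, iv)] += 1
        if last_block.get(spi) == iv:
            findings.append((spi, seq, "IV is previous packet's last block"))
        last_block[spi] = body[-BLOCK:]
    return findings


def build_esp(spi, seq, iv, ciphertext):
    """Assemble a constructed ESP packet without an ICV (ESP-only policy)."""
    return struct.pack("!II", spi, seq) + iv + ciphertext


def sample_streams():
    """Three constructed captures, one SA each: fresh random IVs, one fixed
    IV for every packet, and the previous ciphertext block reused as IV."""
    good, fixed_iv, chained = [], [], []
    fixed = bytes.fromhex("00112233445566778899aabbccddeeff")
    prev = os.urandom(BLOCK)
    for seq in range(1, 5):
        ct = os.urandom(2 * BLOCK)
        good.append(build_esp(0x1001, seq, os.urandom(IV_LEN), ct))
        fixed_iv.append(build_esp(0x1002, seq, fixed, ct))
        chained.append(build_esp(0x1003, seq, prev, ct))
        prev = ct[-BLOCK:]
    return good, fixed_iv, chained


def first_cbc_block(key, iv, p1):
    """C1 = E_k(P1 xor IV). HMAC-SHA256 truncated to one block stands in for
    the AES block function (an assumption, to stay dependency-free); any
    deterministic keyed function shows the same property."""
    x = bytes(a ^ b for a, b in zip(p1, iv))
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def first_block_collides(key, p1, p2, fresh_iv):
    """With a fixed IV, equal first ciphertext blocks mean equal first 16
    plaintext bytes (same inner source IP, same ports, ...); with a fresh
    random IV per packet the ciphertext reveals nothing about that."""
    iv1 = os.urandom(IV_LEN) if fresh_iv else bytes(IV_LEN)
    iv2 = os.urandom(IV_LEN) if fresh_iv else bytes(IV_LEN)
    return first_cbc_block(key, iv1, p1) == first_cbc_block(key, iv2, p2)


if __name__ == "__main__":
    for name, stream in zip(("fresh", "fixed", "chained"), sample_streams()):
        print(name, audit_ivs(stream))
    # constructed first 16 bytes of an IPv4 header, as seen in tunnel mode
    hdr = bytes.fromhex("4500003c1c464000400600000a000005")
    print("fixed IV, same header:", first_block_collides(b"k" * 16, hdr, hdr, False))
    print("fresh IV, same header:", first_block_collides(b"k" * 16, hdr, hdr, True))
```

To run this against real traffic, feed `audit_ivs` the ESP payloads (everything after the outer IP header) from a capture taken on the path between the two IPsec peers; for an ESP-only policy there is no ICV to strip. Any "IV reused" or "previous block" finding on a live SA means the sender's IV generation is broken, independent of which cipher driver is in use.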