From owner-freebsd-net@FreeBSD.ORG Wed Dec 3 07:54:58 2008
Date: Wed, 3 Dec 2008 10:54:55 +0300
From: Eygene Ryabinkin
To: Christian Weisgerber
Cc: freebsd-net@freebsd.org, gnn@freebsd.org
Subject: Re: [ipsec] aes-ctr question
References: <49349E26.30002@redhat.com>
Sender: rea-fbsd@codelabs.ru
List-Id: Networking and TCP/IP with FreeBSD

Christian, good day.

Tue, Dec 02, 2008 at 08:12:28PM +0000, Christian Weisgerber wrote:
> wang_jiabo wrote:
> > add 3ffe:501:ffff:103:20a:ebff:fe85:9e56
> > 3ffe:501:ffff:104:21d:fff:fe19:59fc esp 0x1000 -m tunnel -E aes-ctr
> > "ipv6readylogoaes2to1" -A hmac-sha1 "ipv6readylogsha12to1";
>
> Do not use AES-CTR with static keys! Re-use of keys with a stream
> cipher will allow listeners to recover the plaintext.
> (See section 7 of RFC 3686.)

Good catch. Perhaps setkey should be extended to warn the user about
this neat. The patch is attached.

George, people, what do you think about it?
-- 
Eygene

  Remember that it is hard to read the on-line manual
  while single-stepping the kernel.
    -- FreeBSD Developers handbook

[Attachment: warn-user-if-he-wants-AES-CTR-mode.diff]

From 9e076653cefc7c987c339d7a0bfd99ad6c83bd83 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Wed, 3 Dec 2008 10:48:19 +0300
Subject: [PATCH] setkey: warn user if he wants AES CTR mode

Static encryption keys are very evil with the CTR modes: they allow to get
the XORed plaintext values from two sessions sharing the same key. Warn user
about possible consequences.

There are reasons why this mode shouldn't be completely banned from the
setkey and one of them is that user can do dynamic rekeying by himself.
But in this case he would better use IKE or similar to avoid troubles.

Signed-off-by: Eygene Ryabinkin
---
 sbin/setkey/parse.y |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y
index 4107453..6c03810 100644
--- a/sbin/setkey/parse.y
+++ b/sbin/setkey/parse.y
@@ -335,6 +335,11 @@ enc_alg
 				return -1;
 			}
 			p_alg_enc = $1;
+			if ($1 == SADB_X_EALG_AESCTR) {
+				fprintf(stderr,
+				    "WARNING: AES-CTR mode shouldn't be used with static encryption keys.\n"
+				    "WARNING: See RFC 3686, section 7 for explanations.\n");
+			}
 
 			p_key_enc_len = $2.len;
 			p_key_enc = $2.buf;
-- 
1.6.0.4
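Review bot: the new `if` in the enc_alg action fires on every `-E aes-ctr` occurrence and cannot be silenced, so a configuration with many manual SAs, or one regenerated by the hand-rekeying script the commit message itself allows for, gets one stderr line per SA with no way to acknowledge it; consider warning once per setkey run, or gating it on an existing verbosity switch. The wording is also slightly off target: every key installed through setkey is static, so "shouldn't be used with static encryption keys" reads as "never use AES-CTR here", whereas the actual condition from RFC 3686 section 7 is that a key must never be reused with the same nonce/IV; stating that directly would tell the user what to fix. Minor style: both string literals run well past 80 columns; split them onto continuation lines.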
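To show why the warning matters, here is an added Go example (not from this thread or from setkey) that encrypts two constructed packets with AES-CTR under one key: when the counter block is also reused, a passive listener who knows one plaintext recovers the other by XOR alone; with a fresh nonce the same computation yields nothing usable. The key, counter blocks and payloads are all constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ctrEncrypt runs AES-CTR over pt under key with a 16-byte counter block
// (nonce || IV || block counter, in RFC 3686 terms).
func ctrEncrypt(key, ctrBlock, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // the constructed key below is always 16 bytes
	}
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, ctrBlock).XORKeyStream(ct, pt)
	return ct
}

// xorBytes returns a XOR b over their common prefix.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverSecond is what a passive listener computes: c1 XOR c2 cancels the
// keystream only when both packets used the same key AND counter block, and
// XORing in the known p1 then yields p2. With a fresh counter block the
// keystreams differ and the result is garbage.
func recoverSecond(key, ctr1, ctr2, p1, p2 []byte) []byte {
	c1 := ctrEncrypt(key, ctr1, p1)
	c2 := ctrEncrypt(key, ctr2, p2)
	return xorBytes(xorBytes(c1, c2), p1)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key
	ctr := make([]byte, 16)           // counter block reused for both packets
	ctr[15] = 1
	fresh := append([]byte{0xaa, 0xbb, 0xcc, 0xdd}, ctr[4:]...) // fresh nonce
	p1 := []byte("known packet payload")
	p2 := []byte("secret packet payload")
	fmt.Printf("reused counter block: %q\n", recoverSecond(key, ctr, ctr, p1, p2))
	fmt.Printf("fresh counter block:  %q\n", recoverSecond(key, ctr, fresh, p1, p2))
}
```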