It has been discovered that r275732[1] on HEAD introduced a bug in the aesni(4) module where the initialization vector (IV) is not properly generated when using AES-CBC, aka rijndael-cbc. This only happens when both the CRD_F_IV_PRESENT and CRD_F_IV_EXPLICIT flags are not set. This ONLY affects HEAD and does not affect any stable branch, as the code in r275732 has not yet been backported.

This only happens when the system is running IPsec and has a security policy that only includes encryption (ESP). If an authentication policy (AH) is specified along with an encryption policy, which is the recommended configuration to prevent an attacker from modifying packets, the aesni(4) module will not be used, and this bug will not affect the policy.

This bug has been fixed in r285216[2]. Please upgrade immediately if you are using IPsec with an ESP-only policy and the aesni(4) module.

The bug will leak the XOR difference[3] of the first 16 bytes of the packet, and possibly more. In tunnel mode, this only covers part of the IP header, including the internal source IP. In transport mode, most of the TCP header will be leaked, or the header and first 8 bytes of a UDP packet.

Other subsystems in FreeBSD (kgssapi, geli and cryptodev) set the CRD_F_IV_PRESENT and/or CRD_F_IV_EXPLICIT flags and are not affected by this bug.

Thanks go to Olivier Cochard-Labbé for reporting a related issue and discovering that the packet IVs were not properly random.

[1] https://svnweb.freebsd.org/changeset/base/r275732
[2] https://svnweb.freebsd.org/changeset/base/r285216
[3] https://defuse.ca/cbcmodeiv.htm

--
John-Mark Gurney
Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."

Received on Mon Jul 06 2015 - 17:30:47 UTC
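The report was triggered by noticing that packet IVs were not random. The following is an added example (not part of the original mail or of FreeBSD) of the passive check a defender can run over captured ESP traffic: it extracts the per-packet IV that AES-CBC ESP carries right after the 8-byte SPI/sequence header (RFC 4303 / RFC 3602 layout) and flags IV reuse within a security association. Because CBC computes C1 = E_K(P1 XOR IV), two packets under the same key and IV with equal first ciphertext blocks have equal first 16 plaintext bytes, which is exactly the leak described above. The ESP packets below are constructed sample data, not real captures.

```python
import os
import struct
from collections import defaultdict

ESP_HDR_LEN = 8   # SPI (4 bytes) + sequence number (4 bytes), RFC 4303
AES_BLOCK = 16    # AES-CBC in ESP carries a 16-byte IV right after the header, RFC 3602


def esp_iv(packet):
    """Return (spi, seq, iv) from an ESP packet whose payload is AES-CBC."""
    if len(packet) < ESP_HDR_LEN + AES_BLOCK:
        raise ValueError("packet too short for an ESP header plus a 16-byte IV")
    spi, seq = struct.unpack("!II", packet[:ESP_HDR_LEN])
    return spi, seq, packet[ESP_HDR_LEN:ESP_HDR_LEN + AES_BLOCK]


def find_iv_reuse(packets):
    """Map each (spi, iv) pair seen more than once to the sequence numbers that used it.

    A healthy SA should never repeat an IV; any hit here is the failure mode the
    advisory describes (a non-random IV) and means first-block equality is observable.
    """
    seen = defaultdict(list)
    for pkt in packets:
        spi, seq, iv = esp_iv(pkt)
        seen[(spi, iv)].append(seq)
    return {key: seqs for key, seqs in seen.items() if len(seqs) > 1}


def first_block_collision(a, b):
    """True when two packets of one SA share the IV and the first ciphertext block.

    Under one key, E_K is a permutation, so equal IV and equal C1 imply equal P1:
    the first 16 plaintext bytes of the two packets are known to be identical.
    """
    spi_a, _, iv_a = esp_iv(a)
    spi_b, _, iv_b = esp_iv(b)
    if spi_a != spi_b or iv_a != iv_b:
        return False
    off = ESP_HDR_LEN + AES_BLOCK
    return a[off:off + AES_BLOCK] == b[off:off + AES_BLOCK]


def make_esp(spi, seq, iv, ciphertext=b"\x00" * 32):
    # Constructed sample packet: header, IV, then opaque ciphertext bytes.
    return struct.pack("!II", spi, seq) + iv + ciphertext


# Constructed traffic: SA 0x1000 reuses an all-zero IV (buggy), SA 0x2000 uses fresh IVs.
BUGGY = [make_esp(0x1000, n, bytes(16)) for n in range(1, 4)]
HEALTHY = [make_esp(0x2000, n, os.urandom(16)) for n in range(1, 4)]
```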