From nobody Mon Apr 18 18:08:14 2022 X-Original-To: net@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 8DEFD5D4ED7 for ; Mon, 18 Apr 2022 18:08:15 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Khw0H2sfQz3lgV for ; Mon, 18 Apr 2022 18:08:15 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4270617AEE for ; Mon, 18 Apr 2022 18:08:15 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 23II8Fbr012505 for ; Mon, 18 Apr 2022 18:08:15 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 23II8FJO012504 for net@FreeBSD.org; Mon, 18 Apr 2022 18:08:15 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: net@FreeBSD.org Subject: [Bug 263379] [regression] [ipsec] compatibility broken between stable/12 and stable/13 opencrypto in AEAD mode Date: Mon, 18 Apr 2022 18:08:14 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 13.1-STABLE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: jhb@FreeBSD.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: jhb@FreeBSD.org X-Bugzilla-Flags: mfc-stable13? X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Networking and TCP/IP with FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-net List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-net@freebsd.org MIME-Version: 1.0 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1650305295; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=R7zGVovDnEBurTmOp/2sHXRS9BMw7gNWdeJbinRkzFA=; b=rI8FktJn6Qb7Y7IrqJqASL3pWXn5A7DxHSEWDQ+CsaZ6NJ/JZQm7dio7H1f87pJz+0xxVb yU8HItaotQweUvyTQJU3ztlld7/c1Coais6C2ZUwvgWkdGJmjApuGP2bGMeOxVd2E3l+ZZ 05/+tDv+Emy2SfEEfbShaqfCEAAC3RqwQJOXD4FbATYELKYnAeFf7+XJ05/MpkNy4kaPAD cycPIuPzRL8w7yi+uoW4G6Mz/Xu8b3etPnYIEozW1RiA5S9lGnGZgIbId2VvOgIPSa0log MMH05BNsyGXWlpwTdqsTYdkExsFY1OJi33eLq9/4asmHUl3NwmbP23y4gqM5jA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1650305295; a=rsa-sha256; cv=none; b=ovJx2uKmsKABzzqflHwfS40d1v95VbsrcOzpJPtQojYFbAqNonfE+dF/EiXp6NXTFSafew zTpWekYUaIQGWSkuIQQC/z44eywUaqDQ00jeN8+x0JJ8XrSasXEeBtY0cqrNtXTVywzyi2 wQhAdjZBSpKcfkpzugYOuHm6vy+AuBPFG2jvOUqa3h6Vbq9rvGAYHBojjrZNJOpjCjJLAG eNp5G84A/yp2PWbVU58dfbhxz2O6vyXR+SsiL/yzL3t/L7Fda+4egd3aNgl0o6ciLp+HLD kP2pQInKfk5oSBGtk5Timz17slDqIqalfV3krIK6Tqj0QjJcTQkqNGw2kZ4gRw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D263379 --- Comment #3 from John Baldwin --- So the issue with the setkey manpage is it was written before AEAD algorith= ms were a thing and when you always had to use Encrypt-then-Auth (ETA) combinations of distinct ciphers and MACs. In general when using an AEAD algorithm like AES-GCM, AES-CCM, or Chacha20-Poly1305, you provide a single= key that is then used to generate keys for both the cipher (AES-CTR for AES-GCM= /CCM and Chacha20 for Chacha20-Poly1305) and the MAC (GMAC, CBC-MAC, and Poly130= 5, respectively). For those three AEAD ciphers, the cipher is a stream cipher= and the key stream block for a given counter value is used as the key of the MA= C. The fact that stable/12 let you construct this combination is a long-standi= ng bug in cryptosoft.c and there's no way to express the combination of the AES-CTR "side" of AES-GCM combined with some other MAC in stable/13 and lat= er.=20 For the purposes of upgrading, you could switch your existing 12.x hosts to= use a supported cipher first prior to upgrading. I would suggest just using -E aes-gcm-16 and dropping the -A entirely. Unfortunately, the AES-CTR cipher defined for IPsec does not permit setting= all 16 bytes of the nonce and instead mandates that the low 4 bytes define a 32= -bit counter starting at 1 (whereas AES-GCM uses block 1 internally and starts encrypting with the low 4 bytes set to block 2 for the AES-CTR "part"), so there isn't a way to recreate the thing stable/12 is doing by using -E aes-= ctr combined with the existing -A. It might be possible to do this though usin= g a local hack that would let you use -E aes-ctr in place of -E aes-gcm-16. You would keep the same key for -E, but just change it to use 'aes-ctr' and then apply this patch: diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c index ee363a7c911a..465716c3ea7c 100644 --- a/sys/netipsec/xform_esp.c +++ b/sys/netipsec/xform_esp.c @@ -455,7 +455,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int ski= p, int protoff) _KEYLEN(sav->key_enc) - 4, 4); m_copydata(m, skip + hlen - sav->ivlen, sav->ivlen, &ivp[4]= ); if (SAV_ISCTR(sav)) { - be32enc(&ivp[sav->ivlen + 4], 1); + be32enc(&ivp[sav->ivlen + 4], 2); } crp->crp_flags |=3D CRYPTO_F_IV_SEPARATE; } else if (sav->ivlen !=3D 0) @@ -880,7 +880,7 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, _KEYLEN(sav->key_enc) - 4, 4); be64enc(&ivp[4], cntr); if (SAV_ISCTR(sav)) { - be32enc(&ivp[sav->ivlen + 4], 1); + be32enc(&ivp[sav->ivlen + 4], 2); } m_copyback(m, skip + hlen - sav->ivlen, sav->ivlen, &ivp[4]= ); crp->crp_flags |=3D CRYPTO_F_IV_SEPARATE; This breaks the "official" AES-CTR defined in RFC 3686 (so it can't be committed), but you could try applying this locally and keeping it as a loc= al patch if it works until you are able to migrate existing hosts to using a supported cipher suite. I can work on clarifying the language in the setkey(8) manual page to clari= fy that -A should not be used with AEAD ciphers. --=20 You are receiving this mail because: You are on the CC list for the bug.=