mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-01-12 05:05:34 +00:00
Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature
In a USENIX WOOT '16 paper the authors warn about a security risk of random Initialisation Vectors (IV) repeating values. The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and it isn't compliant with RFC5116. Furthermore, strictly speaking it is a different cipher suite from the TLS (RFC5246) point of view. Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above problems. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS", USENIX WOOT '16
This commit is contained in:
parent
6d3e3389e5
commit
0be55a0549
|
@ -3,6 +3,10 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
||||||
= mbed TLS 2.1.x branch released 2016-xx-xx
|
= mbed TLS 2.1.x branch released 2016-xx-xx
|
||||||
|
|
||||||
Security
|
Security
|
||||||
|
* Remove MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
|
||||||
|
with RFC5116 and could lead to session key recovery in very long TLS
|
||||||
|
sessions. (H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic -
|
||||||
|
"Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS")
|
||||||
* Fix potential stack corruption in mbedtls_x509write_crt_der() and
|
* Fix potential stack corruption in mbedtls_x509write_crt_der() and
|
||||||
mbedtls_x509write_csr_der() when the signature is copied to the buffer
|
mbedtls_x509write_csr_der() when the signature is copied to the buffer
|
||||||
without checking whether there is enough space in the destination. The
|
without checking whether there is enough space in the destination. The
|
||||||
|
|
|
@ -868,18 +868,6 @@
|
||||||
*/
|
*/
|
||||||
//#define MBEDTLS_SHA256_SMALLER
|
//#define MBEDTLS_SHA256_SMALLER
|
||||||
|
|
||||||
/**
|
|
||||||
* \def MBEDTLS_SSL_AEAD_RANDOM_IV
|
|
||||||
*
|
|
||||||
* Generate a random IV rather than using the record sequence number as a
|
|
||||||
* nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
|
|
||||||
*
|
|
||||||
* Using the sequence number is generally recommended.
|
|
||||||
*
|
|
||||||
* Uncomment this macro to always use random IVs with AEAD ciphersuites.
|
|
||||||
*/
|
|
||||||
//#define MBEDTLS_SSL_AEAD_RANDOM_IV
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
|
* \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
|
||||||
*
|
*
|
||||||
|
|
|
@ -1364,17 +1364,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
|
||||||
/*
|
/*
|
||||||
* Generate IV
|
* Generate IV
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_SSL_AEAD_RANDOM_IV)
|
|
||||||
ret = ssl->conf->f_rng( ssl->conf->p_rng,
|
|
||||||
ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
|
|
||||||
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
|
|
||||||
if( ret != 0 )
|
|
||||||
return( ret );
|
|
||||||
|
|
||||||
memcpy( ssl->out_iv,
|
|
||||||
ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
|
|
||||||
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
|
|
||||||
#else
|
|
||||||
if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
|
if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
|
||||||
{
|
{
|
||||||
/* Reminder if we ever add an AEAD mode with a different size */
|
/* Reminder if we ever add an AEAD mode with a different size */
|
||||||
|
@ -1385,7 +1374,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
|
||||||
memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
|
memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
|
||||||
ssl->out_ctr, 8 );
|
ssl->out_ctr, 8 );
|
||||||
memcpy( ssl->out_iv, ssl->out_ctr, 8 );
|
memcpy( ssl->out_iv, ssl->out_ctr, 8 );
|
||||||
#endif
|
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
|
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
|
||||||
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
|
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
|
||||||
|
|
|
@ -309,9 +309,6 @@ static const char *features[] = {
|
||||||
#if defined(MBEDTLS_SHA256_SMALLER)
|
#if defined(MBEDTLS_SHA256_SMALLER)
|
||||||
"MBEDTLS_SHA256_SMALLER",
|
"MBEDTLS_SHA256_SMALLER",
|
||||||
#endif /* MBEDTLS_SHA256_SMALLER */
|
#endif /* MBEDTLS_SHA256_SMALLER */
|
||||||
#if defined(MBEDTLS_SSL_AEAD_RANDOM_IV)
|
|
||||||
"MBEDTLS_SSL_AEAD_RANDOM_IV",
|
|
||||||
#endif /* MBEDTLS_SSL_AEAD_RANDOM_IV */
|
|
||||||
#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
|
#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
|
||||||
"MBEDTLS_SSL_ALL_ALERT_MESSAGES",
|
"MBEDTLS_SSL_ALL_ALERT_MESSAGES",
|
||||||
#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
|
#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
|
||||||
|
|
Loading…
Reference in a new issue