Add simple test for repeated IVs when using AEAD

In a USENIX WOOT '16 paper the authors exploit implementation
mistakes that cause Initialisation Vectors (IV) to repeat. This
did not happen in mbed TLS, and this test makes sure that this
won't happen in the future either.

A new test option is introduced to ssl-opt.sh that checks the server
and client logs for a pattern and fails in case there are any
duplicates in the lines following the matching ones. (This is
necessary because of the structure of the logging)

Added a test case as well to utilise the new option. This test forces
the TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 ciphersuite to make the
client and the server use an AEAD cipher.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
This commit is contained in:
Janos Follath 2016-09-07 15:48:48 +01:00 committed by Simon Butcher
parent 73b94e3512
commit 6d3e3389e5

View file

@ -286,8 +286,10 @@ detect_dtls() {
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]] # Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
# Options: -s pattern pattern that must be present in server output # Options: -s pattern pattern that must be present in server output
# -c pattern pattern that must be present in client output # -c pattern pattern that must be present in client output
# -u pattern lines after pattern must be unique in client output
# -S pattern pattern that must be absent in server output # -S pattern pattern that must be absent in server output
# -C pattern pattern that must be absent in client output # -C pattern pattern that must be absent in client output
# -U pattern lines after pattern must be unique in server output
run_test() { run_test() {
NAME="$1" NAME="$1"
shift 1 shift 1
@ -419,29 +421,50 @@ run_test() {
do do
case $1 in case $1 in
"-s") "-s")
if grep -v '^==' $SRV_OUT | grep "$2" >/dev/null; then :; else if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
fail "-s $2" fail "pattern '$2' MUST be present in the Server output"
return return
fi fi
;; ;;
"-c") "-c")
if grep -v '^==' $CLI_OUT | grep "$2" >/dev/null; then :; else if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
fail "-c $2" fail "pattern '$2' MUST be present in the Client output"
return return
fi fi
;; ;;
"-S") "-S")
if grep -v '^==' $SRV_OUT | grep "$2" >/dev/null; then if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
fail "-S $2" fail "pattern '$2' MUST NOT be present in the Server output"
return return
fi fi
;; ;;
"-C") "-C")
if grep -v '^==' $CLI_OUT | grep "$2" >/dev/null; then if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
fail "-C $2" fail "pattern '$2' MUST NOT be present in the Client output"
return
fi
;;
# The filtering in the following two options (-u and -U) do the following
# - ignore valgrind output
# - filter out everything but lines right after the pattern occurances
# - keep one of each non-unique line
# - count how many lines remain
# A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
# if there were no duplicates.
"-U")
if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
fail "lines following pattern '$2' must be unique in Server output"
return
fi
;;
"-u")
if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
fail "lines following pattern '$2' must be unique in Client output"
return return
fi fi
;; ;;
@ -572,6 +595,14 @@ run_test "Default, DTLS" \
-s "Protocol is DTLSv1.2" \ -s "Protocol is DTLSv1.2" \
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
# Test for uniqueness of IVs in AEAD ciphersuites
run_test "Unique IV in GCM" \
"$P_SRV exchanges=20 debug_level=4" \
"$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
0 \
-u "IV used" \
-U "IV used"
# Tests for rc4 option # Tests for rc4 option
requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES