Use seq_num as AEAD nonce by default

Manuel Pégourié-Gonnard 2014-10-29 22:29:20 +01:00
parent a6c5ea2c43
commit d056ce0e3e
3 changed files with 31 additions and 0 deletions


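--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 PolarSSL ChangeLog (Sorted per branch, date)
+= PolarSSL 1.3.z branch
+Changes
+* Use deterministic nonces for AEAD ciphers in TLS by default (possible to
+switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
 = PolarSSL 1.3.9 released 2014-10-20
 Security
 * Lowest common hash was selected from signature_algorithms extension in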


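--- a/config.h
+++ b/config.h
@@ -781,6 +781,18 @@
 */
 #define POLARSSL_SELF_TEST
+/**
+* \def POLARSSL_SSL_AEAD_RANDOM_IV
+*
+* Generate a random IV rather than using the record sequence number as a
+* nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
+*
+* Using the sequence number is generally recommended.
+*
+* Uncomment this macro to always use random IVs with AEAD ciphersuites.
+*/
+//#define POLARSSL_SSL_AEAD_RANDOM_IV
 /**
 * \def POLARSSL_SSL_ALL_ALERT_MESSAGES
 *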
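Review bot: The new doc comment for POLARSSL_SSL_AEAD_RANDOM_IV has a typo in `* nonce for ciphersuites using and AEAD algorithm (GCM or CCM).`, which should read `an AEAD algorithm`. The line `* Using the sequence number is generally recommended.` would be more useful to someone deciding whether to enable the option if it said why: the record sequence number is unique per record under a given key and does not depend on the quality of the RNG, whereas a random 64-bit explicit nonce carries a small but nonzero collision probability, and GCM/CCM lose both confidentiality and integrity on nonce reuse. Consider expanding that sentence to something like `* Using the sequence number is generally recommended: it is unique per record under a key and does not rely on the RNG, while a random 64-bit nonce can collide.`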


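--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1137,6 +1137,7 @@ static int ssl_encrypt_buf( ssl_context *ssl )
 /*
 * Generate IV
 */
+#if defined(POLARSSL_SSL_AEAD_RANDOM_IV)
 ret = ssl->f_rng( ssl->p_rng,
 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
@@ -1146,6 +1147,18 @@ static int ssl_encrypt_buf( ssl_context *ssl )
 memcpy( ssl->out_iv,
 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
+#else
+if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
+{
+/* Reminder if we ever add an AEAD mode with a different size */
+SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
+}
+memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
+ssl->out_ctr, 8 );
+memcpy( ssl->out_iv, ssl->out_ctr, 8 );
+#endif
 SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );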
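Review bot: In the new default branch the explicit nonce is the 8 bytes copied from `ssl->out_ctr`, so nonce uniqueness under a given key now rests entirely on the outgoing record counter never repeating; nothing in this hunk checks that the counter cannot wrap, so it should be confirmed that the increment path (outside these hunks) refuses to send, or forces a rekey, before out_ctr would wrap, because a repeated GCM/CCM nonce under the same key breaks both confidentiality and integrity. That contract deserves a comment at the new memcpy, e.g. `/* Explicit nonce = 64-bit record sequence number: unique per record as long as out_ctr never wraps under this key */`. The `!= 8` guard is welcome, but its debug message `"should never happen"` says nothing about what happened; `"AEAD explicit IV length != 8"` would make the log useful if the reminder ever fires. The random-IV branch presumably keeps its f_rng error handling in the lines between the two hunks, and ssl_encrypt_buf begins and ends outside them.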