mirror of
https://github.com/yuzu-emu/mbedtls
synced 2024-11-24 16:28:15 +00:00
Merge fix for AEAD Random IVs
This commit is contained in:
parent
9800a058ae
commit
8e00410402
5 changed files with 39 additions and 31 deletions
|
@ -3,6 +3,10 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
|||
= mbed TLS 2.3.x branch released 2016-xx-xx
|
||||
|
||||
Security
|
||||
* Remove MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
|
||||
with RFC5116 and could lead to session key recovery in very long TLS
|
||||
sessions. (H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic -
|
||||
"Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS")
|
||||
* Fix potential stack corruption in mbedtls_x509write_crt_der() and
|
||||
mbedtls_x509write_csr_der() when the signature is copied to the buffer
|
||||
without checking whether there is enough space in the destination. The
|
||||
|
|
|
@ -940,18 +940,6 @@
|
|||
*/
|
||||
//#define MBEDTLS_SHA256_SMALLER
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_AEAD_RANDOM_IV
|
||||
*
|
||||
* Generate a random IV rather than using the record sequence number as a
|
||||
* nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
|
||||
*
|
||||
* Using the sequence number is generally recommended.
|
||||
*
|
||||
* Uncomment this macro to always use random IVs with AEAD ciphersuites.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_AEAD_RANDOM_IV
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
|
||||
*
|
||||
|
|
|
@ -1373,17 +1373,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
|
|||
/*
|
||||
* Generate IV
|
||||
*/
|
||||
#if defined(MBEDTLS_SSL_AEAD_RANDOM_IV)
|
||||
ret = ssl->conf->f_rng( ssl->conf->p_rng,
|
||||
ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
|
||||
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
|
||||
memcpy( ssl->out_iv,
|
||||
ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
|
||||
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
|
||||
#else
|
||||
if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
|
||||
{
|
||||
/* Reminder if we ever add an AEAD mode with a different size */
|
||||
|
@ -1394,7 +1383,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
|
|||
memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
|
||||
ssl->out_ctr, 8 );
|
||||
memcpy( ssl->out_iv, ssl->out_ctr, 8 );
|
||||
#endif
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
|
||||
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
|
||||
|
|
|
@ -324,9 +324,6 @@ static const char *features[] = {
|
|||
#if defined(MBEDTLS_SHA256_SMALLER)
|
||||
"MBEDTLS_SHA256_SMALLER",
|
||||
#endif /* MBEDTLS_SHA256_SMALLER */
|
||||
#if defined(MBEDTLS_SSL_AEAD_RANDOM_IV)
|
||||
"MBEDTLS_SSL_AEAD_RANDOM_IV",
|
||||
#endif /* MBEDTLS_SSL_AEAD_RANDOM_IV */
|
||||
#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
|
||||
"MBEDTLS_SSL_ALL_ALERT_MESSAGES",
|
||||
#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
|
||||
|
|
|
@ -333,8 +333,10 @@ detect_dtls() {
|
|||
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
|
||||
# Options: -s pattern pattern that must be present in server output
|
||||
# -c pattern pattern that must be present in client output
|
||||
# -u pattern lines after pattern must be unique in client output
|
||||
# -S pattern pattern that must be absent in server output
|
||||
# -C pattern pattern that must be absent in client output
|
||||
# -U pattern lines after pattern must be unique in server output
|
||||
run_test() {
|
||||
NAME="$1"
|
||||
shift 1
|
||||
|
@ -475,28 +477,49 @@ run_test() {
|
|||
case $1 in
|
||||
"-s")
|
||||
if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
|
||||
fail "-s $2"
|
||||
fail "pattern '$2' MUST be present in the Server output"
|
||||
return
|
||||
fi
|
||||
;;
|
||||
|
||||
"-c")
|
||||
if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
|
||||
fail "-c $2"
|
||||
fail "pattern '$2' MUST be present in the Client output"
|
||||
return
|
||||
fi
|
||||
;;
|
||||
|
||||
"-S")
|
||||
if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
|
||||
fail "-S $2"
|
||||
fail "pattern '$2' MUST NOT be present in the Server output"
|
||||
return
|
||||
fi
|
||||
;;
|
||||
|
||||
"-C")
|
||||
if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
|
||||
fail "-C $2"
|
||||
fail "pattern '$2' MUST NOT be present in the Client output"
|
||||
return
|
||||
fi
|
||||
;;
|
||||
|
||||
# The filtering in the following two options (-u and -U) do the following
|
||||
# - ignore valgrind output
|
||||
# - filter out everything but lines right after the pattern occurances
|
||||
# - keep one of each non-unique line
|
||||
# - count how many lines remain
|
||||
# A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
|
||||
# if there were no duplicates.
|
||||
"-U")
|
||||
if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
|
||||
fail "lines following pattern '$2' must be unique in Server output"
|
||||
return
|
||||
fi
|
||||
;;
|
||||
|
||||
"-u")
|
||||
if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
|
||||
fail "lines following pattern '$2' must be unique in Client output"
|
||||
return
|
||||
fi
|
||||
;;
|
||||
|
@ -639,6 +662,14 @@ run_test "Default, DTLS" \
|
|||
-s "Protocol is DTLSv1.2" \
|
||||
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
|
||||
|
||||
# Test for uniqueness of IVs in AEAD ciphersuites
|
||||
run_test "Unique IV in GCM" \
|
||||
"$P_SRV exchanges=20 debug_level=4" \
|
||||
"$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
|
||||
0 \
|
||||
-u "IV used" \
|
||||
-U "IV used"
|
||||
|
||||
# Tests for rc4 option
|
||||
|
||||
requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
|
||||
|
|
Loading…
Reference in a new issue