Merge fix for AEAD Random IVs

This commit is contained in:
Simon Butcher 2016-10-14 00:48:33 +01:00
parent 9800a058ae
commit 8e00410402
5 changed files with 39 additions and 31 deletions

View file

@ -3,6 +3,10 @@ mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.3.x branch released 2016-xx-xx
Security
* Remove MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
with RFC5116 and could lead to session key recovery in very long TLS
sessions. (H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic -
"Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS")
* Fix potential stack corruption in mbedtls_x509write_crt_der() and
mbedtls_x509write_csr_der() when the signature is copied to the buffer
without checking whether there is enough space in the destination. The

View file

@ -940,18 +940,6 @@
*/
//#define MBEDTLS_SHA256_SMALLER
/**
* \def MBEDTLS_SSL_AEAD_RANDOM_IV
*
* Generate a random IV rather than using the record sequence number as a
* nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
*
* Using the sequence number is generally recommended.
*
* Uncomment this macro to always use random IVs with AEAD ciphersuites.
*/
//#define MBEDTLS_SSL_AEAD_RANDOM_IV
/**
* \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
*

View file

@ -1373,17 +1373,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
/*
* Generate IV
*/
#if defined(MBEDTLS_SSL_AEAD_RANDOM_IV)
ret = ssl->conf->f_rng( ssl->conf->p_rng,
ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
if( ret != 0 )
return( ret );
memcpy( ssl->out_iv,
ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
#else
if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
{
/* Reminder if we ever add an AEAD mode with a different size */
@ -1394,7 +1383,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
ssl->out_ctr, 8 );
memcpy( ssl->out_iv, ssl->out_ctr, 8 );
#endif
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );

View file

@ -324,9 +324,6 @@ static const char *features[] = {
#if defined(MBEDTLS_SHA256_SMALLER)
"MBEDTLS_SHA256_SMALLER",
#endif /* MBEDTLS_SHA256_SMALLER */
#if defined(MBEDTLS_SSL_AEAD_RANDOM_IV)
"MBEDTLS_SSL_AEAD_RANDOM_IV",
#endif /* MBEDTLS_SSL_AEAD_RANDOM_IV */
#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
"MBEDTLS_SSL_ALL_ALERT_MESSAGES",
#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */

View file

@ -333,8 +333,10 @@ detect_dtls() {
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
# Options: -s pattern pattern that must be present in server output
# -c pattern pattern that must be present in client output
# -u pattern lines after pattern must be unique in client output
# -S pattern pattern that must be absent in server output
# -C pattern pattern that must be absent in client output
# -U pattern lines after pattern must be unique in server output
run_test() {
NAME="$1"
shift 1
@ -475,28 +477,49 @@ run_test() {
case $1 in
"-s")
if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
fail "-s $2"
fail "pattern '$2' MUST be present in the Server output"
return
fi
;;
"-c")
if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
fail "-c $2"
fail "pattern '$2' MUST be present in the Client output"
return
fi
;;
"-S")
if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
fail "-S $2"
fail "pattern '$2' MUST NOT be present in the Server output"
return
fi
;;
"-C")
if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
fail "-C $2"
fail "pattern '$2' MUST NOT be present in the Client output"
return
fi
;;
# The filtering in the following two options (-u and -U) do the following
# - ignore valgrind output
# - filter out everything but lines right after the pattern occurances
# - keep one of each non-unique line
# - count how many lines remain
# A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
# if there were no duplicates.
"-U")
if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
fail "lines following pattern '$2' must be unique in Server output"
return
fi
;;
"-u")
if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
fail "lines following pattern '$2' must be unique in Client output"
return
fi
;;
@ -639,6 +662,14 @@ run_test "Default, DTLS" \
-s "Protocol is DTLSv1.2" \
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
# Test for uniqueness of IVs in AEAD ciphersuites
run_test "Unique IV in GCM" \
"$P_SRV exchanges=20 debug_level=4" \
"$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
0 \
-u "IV used" \
-U "IV used"
# Tests for rc4 option
requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES