diff --git a/ChangeLog b/ChangeLog
index 86f36bbb2..5f4774a5d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@ mbed TLS ChangeLog (Sorted per branch, date)
 = mbed TLS 2.3.x branch released 2016-xx-xx
 Security
+ * Remove MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
+ with RFC5116 and could lead to session key recovery in very long TLS
+ sessions. (H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic -
+ "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS")
 * Fix potential stack corruption in mbedtls_x509write_crt_der() and mbedtls_x509write_csr_der() when the signature is copied to the buffer without checking whether there is enough space in the destination. The
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 498e5b598..6fc9c772a 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -940,18 +940,6 @@
 */
 //#define MBEDTLS_SHA256_SMALLER
-/**
- * \def MBEDTLS_SSL_AEAD_RANDOM_IV
- *
- * Generate a random IV rather than using the record sequence number as a
- * nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
- *
- * Using the sequence number is generally recommended.
- *
- * Uncomment this macro to always use random IVs with AEAD ciphersuites.
- */
-//#define MBEDTLS_SSL_AEAD_RANDOM_IV
-
 /**
 * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
 *
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 52723187b..84a04ae53 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1373,17 +1373,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
 /*
 * Generate IV
 */
-#if defined(MBEDTLS_SSL_AEAD_RANDOM_IV)
- ret = ssl->conf->f_rng( ssl->conf->p_rng,
- ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
- ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
- if( ret != 0 )
- return( ret );
-
- memcpy( ssl->out_iv,
- ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
- ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
-#else
 if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
 {
 /* Reminder if we ever add an AEAD mode with a different size */
@@ -1394,7 +1383,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
 memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
 ssl->out_ctr, 8 );
 memcpy( ssl->out_iv, ssl->out_ctr, 8 );
-#endif
 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
diff --git a/library/version_features.c b/library/version_features.c
index 0a2f06575..e866e67a2 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -324,9 +324,6 @@ static const char *features[] = {
 #if defined(MBEDTLS_SHA256_SMALLER)
 "MBEDTLS_SHA256_SMALLER",
 #endif /* MBEDTLS_SHA256_SMALLER */
-#if defined(MBEDTLS_SSL_AEAD_RANDOM_IV)
- "MBEDTLS_SSL_AEAD_RANDOM_IV",
-#endif /* MBEDTLS_SSL_AEAD_RANDOM_IV */
 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
 "MBEDTLS_SSL_ALL_ALERT_MESSAGES",
 #endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 09a947e65..57155b89d 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
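Review bot: The `/* Generate IV */` comment left as context above the removed block now heads the only remaining path, but it says nothing about what the IV is or why that matters, which is the whole reason this commit is a security fix. Since the explicit part of the nonce is now always the 8 bytes copied from `ssl->out_ctr` in the second hunk, suggest replacing the comment with `/* Generate IV: the explicit part is the record sequence number (ssl->out_ctr), which is never reused under the same key, so AEAD nonces stay unique as RFC 5116 requires. */`. If `ret` was assigned only by the removed `f_rng` call in this function, check that it is still used elsewhere, otherwise an unused-variable warning appears; `ssl_encrypt_buf` starts and ends outside the hunk so that cannot be confirmed here.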
@@ -333,8 +333,10 @@ detect_dtls() {
 # Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
 # Options: -s pattern pattern that must be present in server output
 # -c pattern pattern that must be present in client output
+# -u pattern lines after pattern must be unique in client output
 # -S pattern pattern that must be absent in server output
 # -C pattern pattern that must be absent in client output
+# -U pattern lines after pattern must be unique in server output
 run_test() {
 NAME="$1"
 shift 1
@@ -475,28 +477,49 @@ run_test() {
 case $1 in
 "-s")
 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
- fail "-s $2"
+ fail "pattern '$2' MUST be present in the Server output"
 return
 fi
 ;;
 "-c")
 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
- fail "-c $2"
+ fail "pattern '$2' MUST be present in the Client output"
 return
 fi
 ;;
 "-S")
 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
- fail "-S $2"
+ fail "pattern '$2' MUST NOT be present in the Server output"
 return
 fi
 ;;
 "-C")
 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
- fail "-C $2"
+ fail "pattern '$2' MUST NOT be present in the Client output"
+ return
+ fi
+ ;;
+
+ # The filtering in the following two options (-u and -U) do the following
+ # - ignore valgrind output
+ # - filter out everything but lines right after the pattern occurances
+ # - keep one of each non-unique line
+ # - count how many lines remain
+ # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
+ # if there were no duplicates.
+ "-U")
+ if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
+ fail "lines following pattern '$2' must be unique in Server output"
+ return
+ fi
+ ;;
+
+ "-u")
+ if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
+ fail "lines following pattern '$2' must be unique in Client output"
 return
 fi
 ;;
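Review bot: The new `-U` and `-u` checks pass vacuously when the pattern never occurs, because an empty pipeline yields a count of 0, which is not `-gt 1`; a renamed or silenced `IV used` debug line would therefore leave the "Unique IV in GCM" test in the last hunk green while checking nothing, so that test should pair these options with `-s "IV used"` and `-c "IV used"`. The `-gt 1` threshold also depends on a `--` separator from `grep -A1` always being among the duplicated lines, as the comment admits; when the only duplicates are the lines under test and no separator is present the count is 1 and the failure is missed. Dropping the separators and requiring zero duplicates removes that dependency: `grep -A1 "$2" | grep -v "$2" | grep -v '^--$' | sort | uniq -d | wc -l) -gt 0` in both cases. In the comment, "occurances" should read "occurrences". The enclosing `run_test` function starts and ends outside the hunk.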
@@ -639,6 +662,14 @@ run_test "Default, DTLS" \
 -s "Protocol is DTLSv1.2" \
 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
+# Test for uniqueness of IVs in AEAD ciphersuites
+run_test "Unique IV in GCM" \
+ "$P_SRV exchanges=20 debug_level=4" \
+ "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
+ 0 \
+ -u "IV used" \
+ -U "IV used"
+
 # Tests for rc4 option
 requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
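Review bot: The comment announces a test for "AEAD ciphersuites" but the single `run_test` forces one GCM suite, while the code path this commit makes unconditional in `ssl_encrypt_buf` serves CCM as well (the deleted config.h text names both GCM and CCM), so the CCM nonce construction stays unexercised. A second `run_test "Unique IV in CCM"` with the same arguments but `force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM` on the client would cover it at no extra cost, provided that suite is enabled in the test configuration. The test also depends on the `IV used` dump being emitted at `debug_level=4`, which matches the `MBEDTLS_SSL_DEBUG_BUF( 4, ... )` call in the ssl_tls.c hunk; a one-line comment stating that dependency next to `exchanges=20 debug_level=4` would save the next person a search.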