From 441d6f98336940a6eb2f6db4720bc265a36eca2f Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Thu, 8 Sep 2016 10:44:16 +0100
Subject: [PATCH] Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In a USENIX WOOT '16 paper the authors warn about a security risk of random Initialisation Vectors (IV) repeating values. The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and it isn't compliant with RFC5116. Furthermore, strictly speaking it is a different cipher suite from the TLS (RFC5246) point of view. Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above problems. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS", USENIX WOOT '16
---
 ChangeLog | 4 ++++
 include/polarssl/config.h | 12 ------------
 library/ssl_tls.c | 12 ------------
 library/version_features.c | 3 ---
 4 files changed, 4 insertions(+), 27 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4c93aa46d..4ab77fa62 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@ mbed TLS ChangeLog (Sorted per branch, date)
 = mbed TLS 1.3.x branch 2016-xx-xx
 Security
+   * Remove MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
+     with RFC5116 and could lead to session key recovery in very long TLS
+     sessions. (H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic -
+     "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS")
    * Fix potential stack corruption in mbedtls_x509write_crt_der() and
      mbedtls_x509write_csr_der() when the signature is copied to the buffer
      without checking whether there is enough space in the destination. The
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 4e52790bb..498fc5b9a 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -838,18 +838,6 @@
  */
 #define POLARSSL_SELF_TEST
 
-/**
- * \def POLARSSL_SSL_AEAD_RANDOM_IV
- *
- * Generate a random IV rather than using the record sequence number as a
- * nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
- *
- * Using the sequence number is generally recommended.
- *
- * Uncomment this macro to always use random IVs with AEAD ciphersuites.
- */
-//#define POLARSSL_SSL_AEAD_RANDOM_IV
-
 /**
  * \def POLARSSL_SSL_ALL_ALERT_MESSAGES
  *
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d9eb0a995..2eb24b259 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1217,17 +1217,6 @@ static int ssl_encrypt_buf( ssl_context *ssl )
     /*
      * Generate IV
      */
-#if defined(POLARSSL_SSL_AEAD_RANDOM_IV)
-    ret = ssl->f_rng( ssl->p_rng,
-                      ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
-                      ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
-    if( ret != 0 )
-        return( ret );
-
-    memcpy( ssl->out_iv,
-            ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
-            ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
-#else
     if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
     {
         /* Reminder if we ever add an AEAD mode with a different size */
@@ -1238,7 +1227,6 @@ static int ssl_encrypt_buf( ssl_context *ssl )
     memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
             ssl->out_ctr, 8 );
     memcpy( ssl->out_iv, ssl->out_ctr, 8 );
-#endif
 
     SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
                    ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
diff --git a/library/version_features.c b/library/version_features.c
index d5f446827..02e14fb26 100644
--- a/library/version_features.c
+++ b/library/version_features.c
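Review bot: The `Generate IV` comment that survives at the top of the first ssl_tls.c hunk no longer describes the code beneath it: nothing is generated any more, the explicit nonce is the 8-byte record sequence number copied out of `ssl->out_ctr` in the second hunk, and the reason the random path was dropped is not recorded anywhere in the source, only in the commit message. I would replace it with `/* Explicit nonce = record sequence number (RFC 5288 section 3). Never use a random value here: a repeated nonce under one GCM key lets an observer forge records (USENIX WOOT '16). */`. With the random branch gone, nonce uniqueness now rests entirely on `out_ctr` never repeating within a key's lifetime; where the counter is incremented and whether wrap-around is rejected before encryption are outside these hunks, so it is worth confirming that a wrap check exists rather than relying on the counter silently rolling over. The enclosing function ssl_encrypt_buf( ) starts and ends outside both hunks.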
@@ -285,9 +285,6 @@ static const char *features[] = {
 #if defined(POLARSSL_SELF_TEST)
     "POLARSSL_SELF_TEST",
 #endif /* POLARSSL_SELF_TEST */
-#if defined(POLARSSL_SSL_AEAD_RANDOM_IV)
-    "POLARSSL_SSL_AEAD_RANDOM_IV",
-#endif /* POLARSSL_SSL_AEAD_RANDOM_IV */
 #if defined(POLARSSL_SSL_ALERT_MESSAGES)
     "POLARSSL_SSL_ALERT_MESSAGES",
 #endif /* POLARSSL_SSL_ALERT_MESSAGES */