Use seq_num as AEAD nonce by default

2025-11-03 20:22:59 -05:00 · 2014-10-29 22:29:20 +01:00 · 2014-10-29 22:29:20 +01:00 · d056ce0e3e
commit d056ce0e3e
parent a6c5ea2c43
3 changed files with 31 additions and 0 deletions
--- a/6
+++ b/6
@ -1,5 +1,11 @@
 PolarSSL ChangeLog (Sorted per branch, date)

+= PolarSSL 1.3.z branch
+
+Changes
+   * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
+     switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
+
 = PolarSSL 1.3.9 released 2014-10-20
 Security
   * Lowest common hash was selected from signature_algorithms extension in
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@ -781,6 +781,18 @@
 */
 #define POLARSSL_SELF_TEST

+/**
+ * \def POLARSSL_SSL_AEAD_RANDOM_IV
+ *
+ * Generate a random IV rather than using the record sequence number as a
+ * nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
+ *
+ * Using the sequence number is generally recommended.
+ *
+ * Uncomment this macro to always use random IVs with AEAD ciphersuites.
+ */
+//#define POLARSSL_SSL_AEAD_RANDOM_IV
+
 /**
 * \def POLARSSL_SSL_ALL_ALERT_MESSAGES
 *
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -1137,6 +1137,7 @@ static int ssl_encrypt_buf( ssl_context *ssl )
        /*
         * Generate IV
         */
+#if defined(POLARSSL_SSL_AEAD_RANDOM_IV)
        ret = ssl->f_rng( ssl->p_rng,
                ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
                ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
@ -1146,6 +1147,18 @@ static int ssl_encrypt_buf( ssl_context *ssl )
        memcpy( ssl->out_iv,
                ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
                ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
+#else
+        if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
+        {
+            /* Reminder if we ever add an AEAD mode with a different size */
+            SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
+                             ssl->out_ctr, 8 );
+        memcpy( ssl->out_iv, ssl->out_ctr, 8 );
+#endif

        SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
                ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );