From 30b273c78e4f86486709c102eef68e5b7cb6f8b1 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 8 Sep 2016 10:44:16 +0100 Subject: [PATCH] Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In a USENIX WOOT '16 paper the authors warn about a security risk of random Initialisation Vectors (IV) repeating values. The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and it isn't compliant with RFC5116. Furthermore, strictly speaking it is a different cipher suite from the TLS (RFC5246) point of view. Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above problems. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS", USENIX WOOT '16 --- ChangeLog | 22 +--------------------- 1 file changed, 1 insertion(+), 21 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5c2bf4c6e..c6cb0e9cb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,11 +7,7 @@ Security with RFC5116 and could lead to session key recovery in very long TLS sessions. (H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic - "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS") - * Fix potential stack corruption in mbedtls_x509write_crt_der() and - mbedtls_x509write_csr_der() when the signature is copied to the buffer - without checking whether there is enough space in the destination. The - issue cannot be triggered remotely. (found by Jethro Beekman) - * Fix potential stack corruption in mbedtls_x509write_crt_der() and + * Fix potential stack corruption in mbedtls_x509write_crt_der() and mbedtls_x509write_csr_der() when the signature is copied to the buffer without checking whether there is enough space in the destination. The issue cannot be triggered remotely. (found by Jethro Beekman) 
@@ -40,22 +36,6 @@ Changes accepting certificates with non-standard time format (that is without seconds or with a time zone). Patch provided by OpenVPN. -Bugfix - * Fix an issue that caused valid certificates being rejected whenever an - expired or not yet valid version of the trusted certificate was before the - valid version in the trusted certificate list. - * Fix incorrect handling of block lengths in crypt_and_hash sample program, - when GCM is used. #441 - * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't - enabled unless others were also present. Found by David Fernandez. #428 - * Fixed configuration of debug output in cert_app sample program. - * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for - builds where the configuration POLARSSL_PEM_WRITE_C is not defined. Found - by inestlerode. #559. - * Fix an issue that caused valid certificates being rejected whenever an - expired or not yet valid version of the trusted certificate was before the - valid version in the trusted certificate list. - = mbed TLS 1.3.17 branch 2016-06-28 Security
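Review bot: (hunk @@ -7,11 +7,7 @@) The subject and message say the MBEDTLS_SSL_AEAD_RANDOM_IV feature is removed, but the patch touches only ChangeLog ("1 file changed, 1 insertion(+), 21 deletions(-)") and this hunk only drops a duplicated copy of the "Fix potential stack corruption in mbedtls_x509write_crt_der() and mbedtls_x509write_csr_der()" entry; neither the config option nor any ssl code is changed here, and the surviving ChangeLog text still only describes the random-IV risk ("with RFC5116 and could lead to session key recovery in very long TLS sessions") rather than recording that the feature was removed. Either the code change is missing from this commit or the commit message should describe what the diff actually does (ChangeLog deduplication). Also, the final `-`/`+` pair in this hunk (`- * Fix potential stack corruption in mbedtls_x509write_crt_der() and` / `+ * Fix potential stack corruption in mbedtls_x509write_crt_der() and`) is textually identical in the extraction, which suggests a whitespace-only change; if so, mention it in the message or drop it to keep the hunk minimal.

Review bot: (hunk @@ -40,22 +36,6 @@) Removing the duplicated Bugfix block is reasonable, and the block is visibly self-duplicating (the "Fix an issue that caused valid certificates being rejected whenever an expired or not yet valid version of the trusted certificate was before the valid version in the trusted certificate list" entry appears twice inside it), but the hunk deletes the whole block with no corresponding `+` lines, and the file stat shows only one insertion in the entire patch. Please confirm that the other entries removed here (crypt_and_hash GCM block-length fix #441, the ECDH-RSA/ECDH-ECDSA key exchange fix #428, the cert_app debug output fix, and the gen_key.c/cert_req.c/cert_write.c POLARSSL_PEM_WRITE_C fix #559) are still recorded under the correct release section elsewhere in ChangeLog; the block sits directly above "= mbed TLS 1.3.17 branch 2016-06-28", so it is worth checking that they belong to the section being cleaned up and not to 1.3.17.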