Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature

In a USENIX WOOT '16 paper the authors warn about a security risk
of random Initialisation Vectors (IV) repeating values.

The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and
it isn't compliant with RFC5116. Furthermore, strictly speaking it
is a different cipher suite from the TLS (RFC5246) point of view.

Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above
problems.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16

ChangeLog

@@ -3,6 +3,10 @@ mbed TLS ChangeLog (Sorted per branch, date)
 = mbed TLS 1.3.x branch 2016-xx-xx
 
 Security
+   * Remove MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
+     with RFC5116 and could lead to session key recovery in very long TLS
+     sessions. (H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic -
+     "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS")
    * Fix potential stack corruption in mbedtls_x509write_crt_der() and
      mbedtls_x509write_csr_der() when the signature is copied to the buffer
      without checking whether there is enough space in the destination. The

include/polarssl/config.h

@@ -838,18 +838,6 @@
  */
 #define POLARSSL_SELF_TEST
 
-/**
- * \def POLARSSL_SSL_AEAD_RANDOM_IV
- *
- * Generate a random IV rather than using the record sequence number as a
- * nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
- *
- * Using the sequence number is generally recommended.
- *
- * Uncomment this macro to always use random IVs with AEAD ciphersuites.
- */
-//#define POLARSSL_SSL_AEAD_RANDOM_IV
-
 /**
  * \def POLARSSL_SSL_ALL_ALERT_MESSAGES
  *

library/ssl_tls.c

@@ -1217,17 +1217,6 @@ static int ssl_encrypt_buf( ssl_context *ssl )
         /*
          * Generate IV
          */
-#if defined(POLARSSL_SSL_AEAD_RANDOM_IV)
-        ret = ssl->f_rng( ssl->p_rng,
-                ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
-                ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
-        if( ret != 0 )
-            return( ret );
-
-        memcpy( ssl->out_iv,
-                ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
-                ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
-#else
         if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
         {
             /* Reminder if we ever add an AEAD mode with a different size */
@@ -1238,7 +1227,6 @@ static int ssl_encrypt_buf( ssl_context *ssl )
         memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
                              ssl->out_ctr, 8 );
         memcpy( ssl->out_iv, ssl->out_ctr, 8 );
-#endif
 
         SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
                 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );

library/version_features.c

@@ -285,9 +285,6 @@ static const char *features[] = {
 #if defined(POLARSSL_SELF_TEST)
     "POLARSSL_SELF_TEST",
 #endif /* POLARSSL_SELF_TEST */
-#if defined(POLARSSL_SSL_AEAD_RANDOM_IV)
-    "POLARSSL_SSL_AEAD_RANDOM_IV",
-#endif /* POLARSSL_SSL_AEAD_RANDOM_IV */
 #if defined(POLARSSL_SSL_ALERT_MESSAGES)
     "POLARSSL_SSL_ALERT_MESSAGES",
 #endif /* POLARSSL_SSL_ALERT_MESSAGES */