Forbid sequence number wrapping

2024-11-22 12:35:40 +01:00 · 2014-03-10 21:20:29 +01:00 · 2014-03-10 21:20:29 +01:00 · 83cdffc437
commit 83cdffc437
parent 3c599f11b0
5 changed files with 19 additions and 1 deletions
--- a/1
+++ b/1
@ -19,6 +19,7 @@ Security
     "triple handshake" attack when authentication mode is optional (the
     attack was already impossible when authentication is required).
   * Check notBefore timestamp of certificates and CRLs from the future.
+   * Forbid sequence number wrapping

 Bugfix
   * ecp_gen_keypair() does more tries to prevent failure because of
--- a/include/polarssl/error.h
+++ b/include/polarssl/error.h
@ -89,7 +89,7 @@
 * ECP       4   7 (Started from top)
 * MD        5   4
 * CIPHER    6   6
- * SSL       6   8 (Started from top)
+ * SSL       6   9 (Started from top)
 * SSL       7   31
 *
 * Module dependent error code (5 bits 0x.00.-0x.F8.)
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@ -139,6 +139,7 @@
 #define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH                  -0x6D00  /**< Public key type mismatch (eg, asked for RSA key exchange and presented EC key) */
 #define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY                  -0x6C80  /**< Unkown identity received (eg, PSK identity) */
 #define POLARSSL_ERR_SSL_INTERNAL_ERROR                    -0x6C00  /**< Internal error (eg, unexpected failure in lower-level module) */
+#define POLARSSL_ERR_SSL_COUNTER_WRAPPING                  -0x6B80  /**< A counter would wrap (eg, too many messages exchanged). */

 /*
 * Various constants
--- a/library/error.c
+++ b/library/error.c
@ -433,6 +433,8 @@ void polarssl_strerror( int ret, char *buf, size_t buflen )
            snprintf( buf, buflen, "SSL - Unkown identity received (eg, PSK identity)" );
        if( use_ret == -(POLARSSL_ERR_SSL_INTERNAL_ERROR) )
            snprintf( buf, buflen, "SSL - Internal error (eg, unexpected failure in lower-level module)" );
+        if( use_ret == -(POLARSSL_ERR_SSL_COUNTER_WRAPPING) )
+            snprintf( buf, buflen, "SSL - A counter would wrap (eg, too many messages exchanged)" );
 #endif /* POLARSSL_SSL_TLS_C */

 #if defined(POLARSSL_X509_USE_C) || defined(POLARSSL_X509_CREATE_C)
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -1309,6 +1309,13 @@ static int ssl_encrypt_buf( ssl_context *ssl )
        if( ++ssl->out_ctr[i - 1] != 0 )
            break;

+    /* The loops goes to its end iff the counter is wrapping */
+    if( i == 0 )
+    {
+        SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
+        return( POLARSSL_ERR_SSL_COUNTER_WRAPPING );
+    }
+
    SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );

    return( 0 );
@ -1775,6 +1782,13 @@ static int ssl_decrypt_buf( ssl_context *ssl )
        if( ++ssl->in_ctr[i - 1] != 0 )
            break;

+    /* The loops goes to its end iff the counter is wrapping */
+    if( i == 0 )
+    {
+        SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
+        return( POLARSSL_ERR_SSL_COUNTER_WRAPPING );
+    }
+
    SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );

    return( 0 );