yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 17:05:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge fix for AEAD Random IVs

Browse Source
This commit is contained in:
Simon Butcher 2016-10-14 00:48:33 +01:00
parent 9800a058ae
commit 8e00410402
5 changed files with 39 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -3,6 +3,10 @@ mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.3.x branch released 2016-xx-xx = mbed TLS 2.3.x branch released 2016-xx-xx
Security Security
* Remove MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
with RFC5116 and could lead to session key recovery in very long TLS
sessions. (H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic -
"Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS")
* Fix potential stack corruption in mbedtls_x509write_crt_der() and * Fix potential stack corruption in mbedtls_x509write_crt_der() and
mbedtls_x509write_csr_der() when the signature is copied to the buffer mbedtls_x509write_csr_der() when the signature is copied to the buffer
without checking whether there is enough space in the destination. The without checking whether there is enough space in the destination. The

12
include/mbedtls/config.h
View File

@ -940,18 +940,6 @@
*/ */
//#define MBEDTLS_SHA256_SMALLER //#define MBEDTLS_SHA256_SMALLER
/**
* \def MBEDTLS_SSL_AEAD_RANDOM_IV
*
* Generate a random IV rather than using the record sequence number as a
* nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
*
* Using the sequence number is generally recommended.
*
* Uncomment this macro to always use random IVs with AEAD ciphersuites.
*/
//#define MBEDTLS_SSL_AEAD_RANDOM_IV
/** /**
* \def MBEDTLS_SSL_ALL_ALERT_MESSAGES * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
* *

12
library/ssl_tls.c
View File

@ -1373,17 +1373,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
/* /*
* Generate IV * Generate IV
*/ */
#if defined(MBEDTLS_SSL_AEAD_RANDOM_IV)
ret = ssl->conf->f_rng( ssl->conf->p_rng,
ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
if( ret != 0 )
return( ret );
memcpy( ssl->out_iv,
ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
#else
if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 ) if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
{ {
/* Reminder if we ever add an AEAD mode with a different size */ /* Reminder if we ever add an AEAD mode with a different size */
@ -1394,7 +1383,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
ssl->out_ctr, 8 ); ssl->out_ctr, 8 );
memcpy( ssl->out_iv, ssl->out_ctr, 8 ); memcpy( ssl->out_iv, ssl->out_ctr, 8 );
#endif
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv, MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );

3
library/version_features.c
View File

@ -324,9 +324,6 @@ static const char *features[] = {
#if defined(MBEDTLS_SHA256_SMALLER) #if defined(MBEDTLS_SHA256_SMALLER)
"MBEDTLS_SHA256_SMALLER", "MBEDTLS_SHA256_SMALLER",
#endif /* MBEDTLS_SHA256_SMALLER */ #endif /* MBEDTLS_SHA256_SMALLER */
#if defined(MBEDTLS_SSL_AEAD_RANDOM_IV)
"MBEDTLS_SSL_AEAD_RANDOM_IV",
#endif /* MBEDTLS_SSL_AEAD_RANDOM_IV */
#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
"MBEDTLS_SSL_ALL_ALERT_MESSAGES", "MBEDTLS_SSL_ALL_ALERT_MESSAGES",
#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */ #endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */

39
tests/ssl-opt.sh
View File

@ -333,8 +333,10 @@ detect_dtls() {
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]] # Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
# Options: -s pattern pattern that must be present in server output # Options: -s pattern pattern that must be present in server output
# -c pattern pattern that must be present in client output # -c pattern pattern that must be present in client output
# -u pattern lines after pattern must be unique in client output
# -S pattern pattern that must be absent in server output # -S pattern pattern that must be absent in server output
# -C pattern pattern that must be absent in client output # -C pattern pattern that must be absent in client output
# -U pattern lines after pattern must be unique in server output
run_test() { run_test() {
NAME="$1" NAME="$1"
shift 1 shift 1
@ -475,28 +477,49 @@ run_test() {
case $1 in case $1 in
"-s") "-s")
if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
fail "-s $2" fail "pattern '$2' MUST be present in the Server output"
return return
fi fi
;; ;;
"-c") "-c")
if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
fail "-c $2" fail "pattern '$2' MUST be present in the Client output"
return return
fi fi
;; ;;
"-S") "-S")
if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
fail "-S $2" fail "pattern '$2' MUST NOT be present in the Server output"
return return
fi fi
;; ;;
"-C") "-C")
if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
fail "-C $2" fail "pattern '$2' MUST NOT be present in the Client output"
return
fi
;;
# The filtering in the following two options (-u and -U) do the following
# - ignore valgrind output
# - filter out everything but lines right after the pattern occurances
# - keep one of each non-unique line
# - count how many lines remain
# A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
# if there were no duplicates.
"-U")
if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
fail "lines following pattern '$2' must be unique in Server output"
return
fi
;;
"-u")
if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
fail "lines following pattern '$2' must be unique in Client output"
return return
fi fi
;; ;;
@ -639,6 +662,14 @@ run_test "Default, DTLS" \
-s "Protocol is DTLSv1.2" \ -s "Protocol is DTLSv1.2" \
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
# Test for uniqueness of IVs in AEAD ciphersuites
run_test "Unique IV in GCM" \
"$P_SRV exchanges=20 debug_level=4" \
"$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
0 \
-u "IV used" \
-U "IV used"
# Tests for rc4 option # Tests for rc4 option
requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES