Forbid sequence number wrapping

2024-11-26 22:55:38 +01:00 · 2014-03-10 21:20:29 +01:00 · 2014-03-10 21:20:29 +01:00 · be04673c49
commit be04673c49
parent 50a5c53398
5 changed files with 19 additions and 1 deletions
--- a/1
+++ b/1
@ -9,6 +9,7 @@ Security
     "triple handshake" attack when authentication mode is optional (the
     attack was already impossible when authentication is required).
   * Check notBefore timestamp of certificates and CRLs from the future.
+   * Forbid sequence number wrapping

 Bugfix
   * Fixed X.509 hostname comparison (with non-regular characters)
--- a/include/polarssl/error.h
+++ b/include/polarssl/error.h
@ -80,7 +80,7 @@
 * RSA      4   9
 * MD       5   4
 * CIPHER   6   5
- * SSL      6   2 (Started from top)
+ * SSL      6   3 (Started from top)
 * SSL      7   31
 *
 * Module dependent error code (5 bits 0x.08.-0x.F8.)
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@ -91,6 +91,7 @@
 #define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH              -0x6F80  /**< Hardware acceleration function skipped / left alone data */
 #define POLARSSL_ERR_SSL_COMPRESSION_FAILED                -0x6F00  /**< Processing of the compression / decompression failed */
 #define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION           -0x6E80  /**< Handshake protocol not within min/max boundaries */
+#define POLARSSL_ERR_SSL_COUNTER_WRAPPING                  -0x6B80  /**< A counter would wrap (eg, too many messages exchanged). */

 /*
 * Various constants
--- a/library/error.c
+++ b/library/error.c
@ -339,6 +339,8 @@ void error_strerror( int ret, char *buf, size_t buflen )
            snprintf( buf, buflen, "SSL - Processing of the compression / decompression failed" );
        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION) )
            snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
+        if( use_ret == -(POLARSSL_ERR_SSL_COUNTER_WRAPPING) )
+            snprintf( buf, buflen, "SSL - A counter would wrap (eg, too many messages exchanged)" );
 #endif /* POLARSSL_SSL_TLS_C */

 #if defined(POLARSSL_X509_PARSE_C)
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -1191,6 +1191,13 @@ static int ssl_encrypt_buf( ssl_context *ssl )
        if( ++ssl->out_ctr[i - 1] != 0 )
            break;

+    /* The loops goes to its end iff the counter is wrapping */
+    if( i == 0 )
+    {
+        SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
+        return( POLARSSL_ERR_SSL_COUNTER_WRAPPING );
+    }
+
    SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );

    return( 0 );
@ -1589,6 +1596,13 @@ static int ssl_decrypt_buf( ssl_context *ssl )
        if( ++ssl->in_ctr[i - 1] != 0 )
            break;

+    /* The loops goes to its end iff the counter is wrapping */
+    if( i == 0 )
+    {
+        SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
+        return( POLARSSL_ERR_SSL_COUNTER_WRAPPING );
+    }
+
    SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );

    return( 0 );