Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature In a USENIX WOOT '16 paper the authors warn about a security risk of random Initialisation Vectors (IV) repeating values. The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and it isn't compliant with RFC5116. Furthermore, strictly speaking it is a different cipher suite from the TLS (RFC5246) point of view. Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above problems. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS", USENIX WOOT '16

commit: 0be55a0549c01bea702249fafacde12188ace11d [log] [tgz]
author: Janos Follath <janos.follath@arm.com> Thu Sep 08 10:44:16 2016 +0100
committer: Simon Butcher <simon.butcher@arm.com> Thu Oct 13 10:35:34 2016 +0100
tree: d462f2d0ea26957f28c760cce4944dfcc31dde31
parent: 6d3e3389e5764e175e225fb3077bba70cb20408e [diff] [blame]
diff --git a/ChangeLog b/ChangeLog
index 6813b34..e85af2e 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -3,6 +3,10 @@
 = mbed TLS 2.1.x branch released 2016-xx-xx
 
 Security
+   * Remove MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
+     with RFC5116 and could lead to session key recovery in very long TLS
+     sessions. (H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic -
+     "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS")
    * Fix potential stack corruption in mbedtls_x509write_crt_der() and
      mbedtls_x509write_csr_der() when the signature is copied to the buffer
      without checking whether there is enough space in the destination. The
commit	0be55a0549c01bea702249fafacde12188ace11d	[log] [tgz]
author	Janos Follath <janos.follath@arm.com>	Thu Sep 08 10:44:16 2016 +0100
committer	Simon Butcher <simon.butcher@arm.com>	Thu Oct 13 10:35:34 2016 +0100
tree	d462f2d0ea26957f28c760cce4944dfcc31dde31
parent	6d3e3389e5764e175e225fb3077bba70cb20408e [diff] [blame]