TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 30b273c78e4f86486709c102eef68e5b7cb6f8b1^! / .
commit30b273c78e4f86486709c102eef68e5b7cb6f8b1[log] [tgz]
authorJanos Follath <janos.follath@arm.com>Thu Sep 08 10:44:16 2016 +0100
committerSimon Butcher <simon.butcher@arm.com>Thu Oct 13 14:34:35 2016 +0100
tree377b256909c3557d1c5e25434252a18c8f92b9d1
parentaac152328d5bcc837bafb80d3be72ef030e7f710 [diff]
Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature

In a USENIX WOOT '16 paper the authors warn about a security risk
of random Initialisation Vectors (IV) repeating values.

The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and
it isn't compliant with RFC5116. Furthermore, strictly speaking it
is a different cipher suite from the TLS (RFC5246) point of view.

Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above
problems.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16

diff --git a/ChangeLog b/ChangeLog
index 5c2bf4c..c6cb0e9 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -7,11 +7,7 @@
      with RFC5116 and could lead to session key recovery in very long TLS
      sessions. (H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic -
      "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS")
-   * Fix potential stack corruption in mbedtls_x509write_crt_der() and
-     mbedtls_x509write_csr_der() when the signature is copied to the buffer
-     without checking whether there is enough space in the destination. The
-     issue cannot be triggered remotely. (found by Jethro Beekman)
-   * Fix potential stack corruption in mbedtls_x509write_crt_der() and
+  * Fix potential stack corruption in mbedtls_x509write_crt_der() and
      mbedtls_x509write_csr_der() when the signature is copied to the buffer
      without checking whether there is enough space in the destination. The
      issue cannot be triggered remotely. (found by Jethro Beekman)
@@ -40,22 +36,6 @@
      accepting certificates with non-standard time format (that is without
      seconds or with a time zone). Patch provided by OpenVPN.
 
-Bugfix
-   * Fix an issue that caused valid certificates being rejected whenever an
-     expired or not yet valid version of the trusted certificate was before the
-     valid version in the trusted certificate list.
-   * Fix incorrect handling of block lengths in crypt_and_hash sample program,
-     when GCM is used. #441
-   * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
-     enabled unless others were also present. Found by David Fernandez. #428
-   * Fixed configuration of debug output in cert_app sample program.
-   * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
-     builds where the configuration POLARSSL_PEM_WRITE_C is not defined. Found
-     by inestlerode. #559.
-   * Fix an issue that caused valid certificates being rejected whenever an
-   expired or not yet valid version of the trusted certificate was before the
-   valid version in the trusted certificate list.
-
 = mbed TLS 1.3.17 branch 2016-06-28
 
 Security