DTLS1.3 Modification of the IV generation function
Categories: NSS :: Libraries, defect, P4
Tracking: Not tracked
People: Reporter: anna.weine, Assigned: anna.weine
References: Blocks 1 open bug
Attachments: 1 file
It seems that there is a difference between the AEAD nonce generations (https://searchfox.org/mozilla-central/source/security/nss/lib/ssl/tls13con.c#5671).
Let's call the extracted nonce the IV, and the buffer used to randomize it the Nonce.
For the WolfSSL implementation the nonce is presented as a sequence number; for us it includes the epoch etc.
See RFC 8446, section 5.3, Per-Record Nonce.
Found during interoperability testing with WolfSSL.
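The RFC 8446 section 5.3 construction the report refers to, as an added example that is not NSS or WolfSSL code: it derives the per-record nonce from the write IV and a 64-bit record number, and contrasts a plain sequence number with an epoch-prefixed record number (assumed here to be 16-bit epoch || 48-bit sequence number, the DTLS 1.2 record layout) to show why two peers that disagree on that 64-bit input derive different nonces for the same record and therefore cannot decrypt each other's traffic.

```python
# Added example, not NSS or WolfSSL code.
# RFC 8446 section 5.3: the per-record nonce is the 64-bit record sequence
# number, left-padded with zeros to iv_length, XORed with the write IV.

def tls13_per_record_nonce(iv: bytes, record_number: int) -> bytes:
    """Build the AEAD nonce for one record from the static write IV."""
    if len(iv) < 8:
        raise ValueError("iv_length must be at least 8 bytes (RFC 8446 5.3)")
    if not 0 <= record_number < 2**64:
        raise ValueError("record number must fit in 64 bits")
    # to_bytes(len(iv)) zero-pads on the left, matching the RFC padding rule.
    padded = record_number.to_bytes(len(iv), "big")
    return bytes(a ^ b for a, b in zip(iv, padded))


def dtls_record_number(epoch: int, seq: int) -> int:
    """Assumed DTLS-style 64-bit record number: 16-bit epoch || 48-bit seq.

    This is the RFC 6347 record-header layout; it stands in for the
    'includes epoch etc.' form described in the report.
    """
    if not 0 <= epoch < 2**16:
        raise ValueError("epoch must fit in 16 bits")
    if not 0 <= seq < 2**48:
        raise ValueError("sequence number must fit in 48 bits")
    return (epoch << 48) | seq


def compare_nonce_forms(iv: bytes, epoch: int, seq: int):
    """Return (seq-only nonce, epoch-prefixed nonce, whether they differ).

    The two forms coincide while epoch == 0, so a mismatch between peers
    only shows up once the epoch has advanced.
    """
    seq_only = tls13_per_record_nonce(iv, seq)
    with_epoch = tls13_per_record_nonce(iv, dtls_record_number(epoch, seq))
    return seq_only, with_epoch, seq_only != with_epoch


if __name__ == "__main__":
    # Constructed 12-byte write IV, as used with AES-GCM / ChaCha20-Poly1305.
    iv = bytes.fromhex("0102030405060708090a0b0c")
    for epoch in (0, 2):
        a, b, differ = compare_nonce_forms(iv, epoch, 1)
        print(f"epoch={epoch} seq-only={a.hex()} epoch-prefixed={b.hex()} differ={differ}")
```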
Comment 1•2 years ago
Comment 2•2 years ago
Actually, the required modifications seem to be more complicated than I expected:
it seems that we need to check for the epoch as well:

    ivOffset = tls13_SetupAeadIv(IS_DTLS_1_OR_12(ss) || cwSpec->epoch == 1, ivOut, cwSpec->keyMaterial.iv,
                                 ivOffset, ivLen, cwSpec->epoch);

and update the nonce offset for the DTLS 1.3 case.
Comment 3•2 years ago
The severity field is not set for this bug.
:beurdouche, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 4•2 years ago
There's an r+ patch which didn't land and no activity in this bug for 2 weeks.
:nkulatova, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit auto_nag documentation.
Comment 5•2 years ago
We plan to land all the DTLS1.3 bugs at once.
Comment 6•2 years ago