Properly constrain use of nonces with AEAD crypto

Simo simo at samba.org
Fri May 29 10:43:52 MDT 2015


On Thu, 2015-05-28 at 19:58 +0200, Stefan (metze) Metzmacher wrote:
> Hi Simo,
> 
> > The current AEAD crypto primitives we have access to and use (AES-128-CCM and
> > AES-128-GCM) have a very annoying failure mode if a nonce is ever reused with
> > the same key.
> > The attached patch adds checks to avoid ever wrapping and reusing a nonce.
> > 
> > It passes a custom autobuild.
> 
> What about the attached patchset? It also fixes the client side and a few
> minor bugs.
> 
> Do you think we need to backport similar fixes to 4.1 and 4.2?
> If so please create a bug report and add a link to the commit messages
> before possibly pushing to master.
> 
> Thanks!
> metze

Opened 11300 and pushed patches to autobuild.

Simo.

-- 
Simo Sorce
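As an added illustration of the kind of check this thread describes (a constructed example, not Samba's patch or code; the 96-bit nonce length, the 4-byte fixed prefix and the trailing 64-bit big-endian counter are assumptions): a per-key nonce allocator that refuses to wrap its counter, paired with a receiver-side check that rejects any nonce whose counter does not strictly increase.

```python
import secrets
import struct

# Assumed layout: 4-byte random per-key prefix || 8-byte big-endian counter.
NONCE_LEN = 12
PREFIX_LEN = NONCE_LEN - 8
COUNTER_MAX = (1 << 64) - 1


class NonceExhausted(Exception):
    """Raised when the counter would wrap; the caller must rekey first."""


class NonceSequence:
    """Issues strictly increasing nonces for a single AEAD key.

    Wrapping back to 0 would reissue the first nonce under the same key,
    which is exactly the AES-GCM/CCM failure mode, so it is refused.
    """

    def __init__(self, prefix=None, start=0):
        self.prefix = prefix if prefix is not None else secrets.token_bytes(PREFIX_LEN)
        if len(self.prefix) != PREFIX_LEN:
            raise ValueError("prefix must be %d bytes" % PREFIX_LEN)
        if not 0 <= start <= COUNTER_MAX:
            raise ValueError("start counter out of range")
        self.counter = start
        self.exhausted = False

    def remaining(self):
        # Number of nonces still available before a rekey is required.
        return 0 if self.exhausted else COUNTER_MAX - self.counter + 1

    def next_nonce(self):
        if self.exhausted:
            raise NonceExhausted("nonce counter exhausted; rekey before sending")
        nonce = self.prefix + struct.pack(">Q", self.counter)
        if self.counter == COUNTER_MAX:
            self.exhausted = True   # the last value was just issued
        else:
            self.counter += 1
        return nonce


class NonceReceiver:
    """Receiver-side check: a nonce is accepted only if its counter is
    strictly greater than the last accepted one (no reuse, no rollback)."""

    def __init__(self, prefix):
        self.prefix = prefix
        self.last_seen = -1

    def accept(self, nonce):
        if len(nonce) != NONCE_LEN or nonce[:PREFIX_LEN] != self.prefix:
            return False
        counter = struct.unpack(">Q", nonce[PREFIX_LEN:])[0]
        if counter <= self.last_seen:
            return False
        self.last_seen = counter
        return True
```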


