Function: nsm-protocol-check--ecdsa-cbc-cipher
nsm-protocol-check--ecdsa-cbc-cipher is a byte-compiled function
defined in nsm.el.gz.
Signature
(nsm-protocol-check--ecdsa-cbc-cipher HOST PORT STATUS &optional SETTINGS)
Documentation
Check for CBC mode cipher usage under ECDSA key exchange.

CBC mode ciphers in TLS versions earlier than 1.3 are problematic because of MAC-then-encrypt. This construction is vulnerable to padding oracle attacks[1].

Due to the current widespread use of CBC mode ciphers by servers, this function only checks for CBC mode cipher usage in combination with ECDSA key exchange, which is virtually non-existent[2].

Since GnuTLS 3.4.0, the TLS encrypt-then-MAC extension[3] has been enabled by default[4]. If encrypt-then-MAC is negotiated, this check has no effect.
References:

[1]: Sullivan (Feb 2016). "Padding oracles and the decline of CBC-mode cipher suites", https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/

[2]: Chrome Platform Status (2017). "Remove CBC-mode ECDSA ciphers in TLS", https://www.chromestatus.com/feature/5740978103123968

[3]: P. Gutmann (Sept 2014). "Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", https://tools.ietf.org/html/rfc7366

[4]: N. Mavrogiannopoulos (Nov 2015). "An overview of GnuTLS 3.4.x", https://nikmav.blogspot.com/2015/11/an-overview-of-gnutls-34x.html
Source Code
;; Defined in /usr/src/emacs/lisp/net/nsm.el.gz
(defun nsm-protocol-check--ecdsa-cbc-cipher (_host _port status &optional _settings)
  "Check for CBC mode cipher usage under ECDSA key exchange.
CBC mode ciphers in TLS versions earlier than 1.3 are problematic
because of MAC-then-encrypt.  This construction is vulnerable to
padding oracle attacks[1].

Due to current widespread use of CBC mode ciphers by servers,
this function only checks for CBC mode cipher usage in
combination with ECDSA key exchange, which is virtually
non-existent[2].

Since GnuTLS 3.4.0, the TLS encrypt-then-MAC extension[3] has
been enabled by default[4].  If encrypt-then-MAC is negotiated,
this check has no effect.

References:

[1]: Sullivan (Feb 2016).  \"Padding oracles and the decline of
CBC-mode cipher suites\",
`https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/'

[2]: Chrome Platform Status (2017).  \"Remove CBC-mode ECDSA ciphers in
TLS\", `https://www.chromestatus.com/feature/5740978103123968'

[3]: P. Gutmann (Sept 2014).  \"Encrypt-then-MAC for Transport Layer
Security (TLS) and Datagram Transport Layer Security (DTLS)\",
`https://tools.ietf.org/html/rfc7366'

[4]: N. Mavrogiannopoulos (Nov 2015).  \"An overview of GnuTLS
3.4.x\",
`https://nikmav.blogspot.com/2015/11/an-overview-of-gnutls-34x.html'"
  ;; A negotiated encrypt-then-MAC extension removes the MAC-then-encrypt
  ;; padding oracle, so the check is skipped entirely in that case.
  (when (not (plist-get status :encrypt-then-mac))
    (let ((kx (plist-get status :key-exchange))
          (cipher (plist-get status :cipher)))
      ;; Both the key-exchange name and the cipher name come from
      ;; GnuTLS; a non-nil string result is the warning shown to the user.
      (and (string-match "\\bECDSA\\b" kx)
           (string-match "\\bCBC\\b" cipher)
           (format-message
            "CBC mode cipher (%s) can be insecure"
            cipher)))))
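The following is an added example and is not part of nsm.el or the Emacs sources. It exercises the check above on constructed STATUS plists shaped like the value of `gnutls-peer-status', which is what `nsm-check-protocol' passes as STATUS; only the three keys the check reads are filled in, and every host, port and cipher-suite string below is made up for the illustration to mirror GnuTLS naming. What the docstring calls "ECDSA key exchange" is the GnuTLS key-exchange name for an ECDHE exchange authenticated with an ECDSA certificate (e.g. "ECDHE-ECDSA"), which is what the `\bECDSA\b' match relies on. The `my/` names are hypothetical.

```elisp
;;; Added example, not part of nsm.el: exercise
;;; `nsm-protocol-check--ecdsa-cbc-cipher' on constructed STATUS plists
;;; and on a live connection.

(require 'nsm)
(require 'ert)

(defconst my/nsm-ecdsa-cbc-cases
  '(("ECDHE-ECDSA, AES-128-CBC, MAC-then-encrypt"
     :key-exchange "ECDHE-ECDSA" :cipher "AES-128-CBC" :encrypt-then-mac nil)
    ("ECDHE-ECDSA, AES-128-CBC, encrypt-then-MAC negotiated"
     :key-exchange "ECDHE-ECDSA" :cipher "AES-128-CBC" :encrypt-then-mac t)
    ("ECDHE-RSA, AES-128-CBC (outside this check's scope)"
     :key-exchange "ECDHE-RSA" :cipher "AES-128-CBC" :encrypt-then-mac nil)
    ("ECDHE-ECDSA, AES-128-GCM (AEAD, no CBC padding)"
     :key-exchange "ECDHE-ECDSA" :cipher "AES-128-GCM" :encrypt-then-mac nil))
  "Constructed (LABEL . STATUS-PLIST) sessions; hypothetical data, not
captured from any real server.  Real `gnutls-peer-status' plists carry
further keys (:protocol, :mac, :certificate, ...) that this check ignores.")

(defun my/nsm-ecdsa-cbc-demo ()
  "Run the check over `my/nsm-ecdsa-cbc-cases'.
Return an alist of (LABEL . RESULT), where RESULT is the warning string
the check would hand back to `nsm-check-protocol', or nil when the check
is silent.  HOST and PORT are ignored by this check, so placeholders are
passed."
  (mapcar (lambda (case)
            (cons (car case)
                  (nsm-protocol-check--ecdsa-cbc-cipher
                   "example.invalid" 443 (cdr case))))
          my/nsm-ecdsa-cbc-cases))

(defun my/nsm-ecdsa-cbc-check-process (proc)
  "Run the same check on a live TLS network process PROC.
The plist returned by `gnutls-peer-status' supplies :key-exchange,
:cipher and :encrypt-then-mac as strings/booleans, so it can be passed
to the check unchanged.  Returns the warning string or nil."
  (nsm-protocol-check--ecdsa-cbc-cipher
   (process-contact proc :host)
   (process-contact proc :service)
   (gnutls-peer-status proc)))

(ert-deftest my/nsm-ecdsa-cbc-demo-test ()
  "Only the MAC-then-encrypt ECDSA+CBC session should produce a warning.
The encrypt-then-MAC session, the RSA-authenticated session and the
AEAD session must all come back nil."
  (let ((results (mapcar #'cdr (my/nsm-ecdsa-cbc-demo))))
    (should (equal (car results)
                   "CBC mode cipher (AES-128-CBC) can be insecure"))
    (should-not (delq nil (cdr results)))))
```

Evaluate the buffer, then run M-x ert RET my/nsm-ecdsa-cbc-demo-test RET or call (my/nsm-ecdsa-cbc-demo) directly. Two practical caveats follow from the source: the check expects a complete `gnutls-peer-status' plist, because `string-match' signals an error if :key-exchange or :cipher is missing rather than a string; and since TLS 1.3 cipher suites are all AEAD, the `\bCBC\b' match can only succeed on a pre-1.3 session, which is exactly the population the docstring describes. A nil result means only that this particular check found nothing, not that the session is free of CBC ciphers.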