[SERVER-20919] Use OpenSSL to generate IVs Created: 14/Oct/15  Updated: 05/Nov/15  Resolved: 02/Nov/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.0.7
Fix Version/s: 3.2.0-rc2

Type: Improvement Priority: Major - P3
Reporter: Andreas Nilsson Assignee: Spencer Jackson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-21253 Improve structure and functionality o... Backlog
is related to SERVER-9058 Use FIPS-140-2 Approved Pseudorandom ... Backlog
Backwards Compatibility: Fully Compatible
Sprint: Security B 10/30/15, Security C 11/20/15
Participants:

 Description   

AES-CBC encryption requires IVs which are random and unpredictable. Using OpenSSL to generate these values ensures both that these properties will hold, and that a FIPS compliant PRNG is used when operating in FIPS mode.

This change will only effect the ESE components, and more wide scale restructuring of random number generation is discussed in SERVER-21253.



 Comments   
Comment by Githook User [ 05/Nov/15 ]

Author:

{u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'}

Message: SERVER-20919: Check and log RAND_bytes return codes
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/964ff1e1b4f1472c425c2cee53bc771013133f83

Comment by Githook User [ 29/Oct/15 ]

Author:

{u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'}

Message: SERVER-20919: Use RAND_bytes to generate CBC IVs
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/997c1d76668a37638c78e17d37f79527eb12f682

Comment by Andrew Morrow (Inactive) [ 23/Oct/15 ]

spencer.jackson - When workign on this, can you try to improve some of the weaknesses related to SecureRandom construction and logging identified in SERVER-21099.

Generated at Thu Feb 08 03:55:41 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.