Use seq_num as AEAD nonce by default
diff --git a/ChangeLog b/ChangeLog
index fd83b9e..fdcf028 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
PolarSSL ChangeLog (Sorted per branch, date)
+= PolarSSL 1.3.z branch
+
+Changes
+ * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
+ switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
+
= PolarSSL 1.3.9 released 2014-10-20
Security
* Lowest common hash was selected from signature_algorithms extension in
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 50b4e33..fa15b37 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -782,6 +782,18 @@
#define POLARSSL_SELF_TEST
/**
+ * \def POLARSSL_SSL_AEAD_RANDOM_IV
+ *
+ * Generate a random IV rather than using the record sequence number as a
+ * nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
+ *
+ * Using the sequence number is generally recommended.
+ *
+ * Uncomment this macro to always use random IVs with AEAD ciphersuites.
+ */
+//#define POLARSSL_SSL_AEAD_RANDOM_IV
+
+/**
* \def POLARSSL_SSL_ALL_ALERT_MESSAGES
*
* Enable sending of alert messages in case of encountered errors as per RFC.
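Review bot: The new doc comment for POLARSSL_SSL_AEAD_RANDOM_IV has a typo in its second sentence, `using and AEAD algorithm`, which should read `using an AEAD algorithm`. The comment also says the sequence number is "generally recommended" without saying why; one added sentence such as `The record sequence number is unique for every record protected under a given key, so it is a valid explicit nonce without depending on the quality of the RNG.` would let a reader pick between the two options deliberately. If the random path relies on f_rng being configured, that is worth stating here as well, though that dependency is not visible in this hunk.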
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 5f080de..6689894 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1137,6 +1137,7 @@
/*
* Generate IV
*/
+#if defined(POLARSSL_SSL_AEAD_RANDOM_IV)
ret = ssl->f_rng( ssl->p_rng,
ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
@@ -1146,6 +1147,18 @@
memcpy( ssl->out_iv,
ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
+#else
+ if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
+ {
+ /* Reminder if we ever add an AEAD mode with a different size */
+ SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
+ }
+
+ memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
+ ssl->out_ctr, 8 );
+ memcpy( ssl->out_iv, ssl->out_ctr, 8 );
+#endif
SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
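Review bot: The new #else branch spells the explicit-nonce length as a bare `8` three times (the `!= 8` check and both memcpy calls) with nothing tying it to the size of `ssl->out_ctr`; if out_ctr is a fixed-size array, `sizeof( ssl->out_ctr )` would keep the check and the copies in step, otherwise a named constant for the explicit nonce length would do. With this change the nonce's uniqueness rests entirely on the record counter never repeating under the same key (using the 64-bit sequence number as the explicit nonce is what RFC 5288 permits), which must be guaranteed wherever out_ctr is incremented but is not visible in this hunk, so I would document that dependency on the memcpy lines with a comment like `/* Explicit nonce = record sequence number; safe only because the counter is never allowed to wrap under one key */`. The `#if` this `#else` closes is opened in the previous hunk of this file, and the enclosing function starts outside both hunks.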