[gnutls-devel] advisory GNUTLS-SA-2013-1

Tomas Hoger thoger at redhat.com
Fri Feb 8 10:59:04 CET 2013


Hi Nikos!

On Mon, 04 Feb 2013 18:21:04 +0100 Nikos Mavrogiannopoulos wrote:

>  I've put online a security advisory on the "lucky 13" CBC ciphersuite
> attack in [0]. The advisory can be found at:
> http://www.gnutls.org/security.html#GNUTLS-SA-2013-1
> 
> [0]. http://www.isg.rhul.ac.uk/tls/

It seems a part of the fix did not get backported to 2.12 properly.
Both 2.x and 3.x sources include the following comment:

  * Note that we access all 256 bytes of ciphertext for padding check
  * because there is a timing channel in that memory access (in certain CPUs).

However, what is described did not get implemented in 2.x, see:

https://gitorious.org/gnutls/gnutls/blobs/gnutls_2_12_x/lib/gnutls_cipher.c#line564

vs.

https://gitorious.org/gnutls/gnutls/blobs/master/lib/gnutls_cipher.c#line740

It's unclear to me if this mitigation was omitted from 2.x backport
intentionally, given that the code comment suggests it should be there
and hence was likely left out by mistake.  Can you clarify?

Thank you!

-- 
Tomas Hoger / Red Hat
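
Added example, not part of the original message and not GnuTLS code: a padding check in the spirit of the quoted source comment, whose loop reads min(len, 256) trailing bytes of the record whatever the pad value is. The function name, the mask helpers and the sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample records (0xAA 0xBB stand in for a 2-byte MAC), not real traffic. */
static const uint8_t REC_GOOD[] = {'A', 'B', 0xAA, 0xBB, 3, 3, 3, 3};
static const uint8_t REC_BAD[]  = {'A', 'B', 0xAA, 0xBB, 3, 9, 3, 3};
static const uint8_t REC_LONG[] = {7, 7, 7, 7, 7, 7, 7, 7}; /* pad leaves no MAC */

/* All-ones if a < b, else 0. Valid for operands below 2^31. */
static uint32_t ct_lt(uint32_t a, uint32_t b)
{
    return (uint32_t)0 - ((a - b) >> 31);
}

/* All-ones if x != 0, else 0. */
static uint32_t ct_nonzero(uint32_t x)
{
    return (uint32_t)0 - ((x | ((uint32_t)0 - x)) >> 31);
}

/* TLS 1.x CBC padding: last byte is pad length P, the P bytes before it equal P.
 * Returns 1 and stores P if the padding is valid and leaves room for the MAC,
 * else returns 0 and stores 0. Bytes read do not depend on the secret P. */
int cbc_pad_check_ct(const uint8_t *rec, size_t len, size_t mac_len, uint32_t *pad_out)
{
    *pad_out = 0;
    if (len > INT32_MAX || len <= mac_len)   /* lengths are public */
        return 0;
    uint32_t pad = rec[len - 1];
    size_t scan = len < 256 ? len : 256;
    uint32_t bad = 0;
    for (size_t i = 0; i < scan; i++) {
        uint32_t in_pad = ct_lt((uint32_t)i, pad + 1);   /* mask: i <= pad */
        bad |= in_pad & ((uint32_t)rec[len - 1 - i] ^ pad);
    }
    bad |= ct_lt((uint32_t)(len - mac_len), pad + 1);    /* pad + MAC must fit */
    uint32_t ok = ~ct_nonzero(bad);
    *pad_out = pad & ok;
    return (int)(ok & 1);
}

int main(void)
{
    uint32_t p;
    printf("%d ", cbc_pad_check_ct(REC_GOOD, sizeof REC_GOOD, 2, &p));
    printf("%d ", cbc_pad_check_ct(REC_BAD, sizeof REC_BAD, 2, &p));
    printf("%d\n", cbc_pad_check_ct(REC_LONG, sizeof REC_LONG, 2, &p));
    return 0;
}
```

Only the padding scan is shown; the record length and MAC length are treated as public inputs.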
