[gnutls-devel] advisory GNUTLS-SA-2013-1
Nikos Mavrogiannopoulos
nmav at gnutls.org
Fri Feb 8 18:46:30 CET 2013
On 02/08/2013 10:59 AM, Tomas Hoger wrote:
> It seems a part of the fix did not get backported to 2.12 properly.
> Both 2.x and 3.x sources include the following comment:
>
> * Note that we access all 256 bytes of ciphertext for padding check
> * because there is a timing channel in that memory access (in certain CPUs).
[...]
> https://gitorious.org/gnutls/gnutls/blobs/master/lib/gnutls_cipher.c#line740
> It's unclear to me if this mitigation was omitted from 2.x backport
> intentionally, given that the code comment suggests it should be there
> and hence was likely left out by mistake. Can you clarify?
Hello Tomas,
Indeed I left it out intentionally to reduce the code that was changed.
In my measurements that change affected on a very low scale the overall
timings. The comment above may exaggerate a bit, because initially I had
attributed to this code some other (unrelated) delay I encountered.
So to summarize, in master branch a more careful (with respect to timing
attacks) re-organization took place, and the other branches took just
enough code to avoid the attack in the paper.
regards,
Nikos
More information about the Gnutls-devel
mailing list