[gnutls-devel] Incorrect SSL heartbeat bounds checking (not exploitable)

Peter Dettman peter.dettman at bouncycastle.org
Sat Apr 12 05:53:55 CEST 2014

Hi Nikos,
I noticed the git commit go through yesterday and it appears correct to me 
(although the commit message names the wrong Peter!).

On 11/04/2014 6:46 PM, Nikos Mavrogiannopoulos wrote:
> I remember that this was not the choice of the authors. That change 
> was forced by the IESG reviewers. 
> http://www.ietf.org/mail-archive/web/tls/current/msg08311.html 

Thank you for the link; your comments on that thread do you credit. May I 
infer that you were somewhat dubious of the reasoning at the time?

> I'd be afraid to introduce more complexity by an rng only for that 
> code (which is really rarely enabled/used). In 3.3.0 I've separated 
> the rng to generate keys from the rng that generates nonces as in that 
> case, and I believe that should be sufficient.

I confirmed for myself that the heartbeat padding is now filled using 
GNUTLS_RND_NONCE (as of 26 Jan, 2013). I agree that is probably 
sufficient, and am glad to see that such a separation exists in GnuTLS 
more generally. The original author's "decision" to use GNUTLS_RND_NONCE 
in one place and GNUTLS_RND_RANDOM in another (if I understand the code 
- for the padding) is less comforting.

Pete Dettman
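The two points raised in this message, the heartbeat bounds check in the subject line and the padding being filled from a nonce-class RNG rather than the key RNG, as an added example in C. This is not GnuTLS code and not the commit under discussion: it is a stand-alone illustration of the RFC 6520 rules (a 3-byte header, a payload whose claimed payload_length must fit inside the record with at least 16 bytes of padding left over, and silent discard otherwise). The `demo_rnd_nonce` generator is an assumption standing in for GNUTLS_RND_NONCE; it is a deterministic xorshift so the example runs offline, not a real nonce generator. `hb_try` and `hb_roundtrip` are hypothetical helpers that construct sample records inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_HEADER_LEN   3    /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING_MIN  16   /* RFC 6520 section 4: at least 16 bytes of padding */
#define HB_REQUEST      1
#define HB_RESPONSE     2

/* Stand-in for a nonce-class RNG such as GNUTLS_RND_NONCE (assumption: not the
 * real generator, just a deterministic xorshift so the example runs offline).
 * The point is that padding never touches the generator used for key material. */
static uint32_t demo_nonce_state = 0x2545F491u;
static void demo_rnd_nonce(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        demo_nonce_state ^= demo_nonce_state << 13;
        demo_nonce_state ^= demo_nonce_state >> 17;
        demo_nonce_state ^= demo_nonce_state << 5;
        buf[i] = (uint8_t)demo_nonce_state;
    }
}

/* Validate a heartbeat message against the length of the record that carried
 * it. Returns 0 and sets *payload/*payload_len, or -1 if the message must be
 * silently discarded. The claimed payload_length is bounded by the record
 * length minus header minus minimum padding; it is never trusted on its own. */
int hb_parse(const uint8_t *rec, size_t rec_len, uint8_t *type,
             const uint8_t **payload, size_t *payload_len)
{
    if (rec_len < HB_HEADER_LEN + HB_PADDING_MIN)
        return -1;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HB_HEADER_LEN - HB_PADDING_MIN)
        return -1;                /* payload would extend past the record */
    *type = rec[0];
    *payload = rec + HB_HEADER_LEN;
    *payload_len = claimed;
    return 0;
}

/* Build a heartbeat message: header, plen bytes of payload, padding_len bytes
 * of padding drawn from the nonce RNG. claimed_len is written into the header
 * as given so that a lying length field can be constructed for testing.
 * Returns bytes written, or 0 if out is too small. */
size_t hb_build(uint8_t type, uint16_t claimed_len, const uint8_t *payload,
                size_t plen, size_t padding_len, uint8_t *out, size_t out_cap)
{
    size_t total = HB_HEADER_LEN + plen + padding_len;
    if (total > out_cap)
        return 0;
    out[0] = type;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)claimed_len;
    memcpy(out + HB_HEADER_LEN, payload, plen);
    demo_rnd_nonce(out + HB_HEADER_LEN + plen, padding_len);
    return total;
}

/* Construct a request with the given (possibly lying) payload_length field,
 * plen bytes of real payload and padding_len bytes of padding, then parse it.
 * Returns the accepted payload length, or -1 if the parser rejects it. */
int hb_try(uint16_t claimed_len, size_t plen, size_t padding_len)
{
    uint8_t payload[64], rec[128];
    uint8_t type; const uint8_t *p; size_t n;
    if (plen > sizeof payload)
        return -1;
    memset(payload, 'A', sizeof payload);          /* constructed sample payload */
    size_t rec_len = hb_build(HB_REQUEST, claimed_len, payload, plen,
                              padding_len, rec, sizeof rec);
    if (rec_len == 0 || hb_parse(rec, rec_len, &type, &p, &n) != 0)
        return -1;
    return (int)n;
}

/* Full exchange: parse a request, answer with a response carrying the same
 * payload and fresh nonce padding, parse the answer. Returns 1 on success. */
int hb_roundtrip(void)
{
    static const uint8_t msg[] = "ping";           /* constructed sample payload */
    uint8_t req[64], resp[64];
    uint8_t type; const uint8_t *p; size_t n;
    size_t req_len = hb_build(HB_REQUEST, 4, msg, 4, HB_PADDING_MIN, req, sizeof req);
    if (hb_parse(req, req_len, &type, &p, &n) != 0 || type != HB_REQUEST)
        return 0;
    size_t resp_len = hb_build(HB_RESPONSE, (uint16_t)n, p, n, HB_PADDING_MIN,
                               resp, sizeof resp);
    if (hb_parse(resp, resp_len, &type, &p, &n) != 0 || type != HB_RESPONSE)
        return 0;
    return n == 4 && memcmp(p, msg, 4) == 0
        && resp_len == HB_HEADER_LEN + 4 + HB_PADDING_MIN;
}
```

The check `claimed > rec_len - HB_HEADER_LEN - HB_PADDING_MIN` is only safe because `rec_len >= HB_HEADER_LEN + HB_PADDING_MIN` has already been established; reorder those two tests and the subtraction wraps. A request whose header claims 65535 bytes on a 19-byte record is rejected outright rather than echoed back from whatever follows the record in memory.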
