[gnutls-devel] [PATCH] Don't call _gnutls_cipher_encrypt2 with textlen = 0 in _gnutls_auth_cipher_encrypt2_tag

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Dec 30 11:04:04 CET 2014

On Tue, 2014-12-30 at 03:21 +0100, Matthias-Christian Ott wrote:
> On 2014-12-30 02:15, Matthias-Christian Ott wrote:
> > If the plaintext is shorter than the block size of the used cipher,
> > _gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with
> > textlen = 0. By definition _gnutls_cipher_encrypt2 does nothing in this
> > case and thus does not need to be called.
> There are more uses of _gnutls_cipher_encrypt2 where textlen could be
> zero. Probably this needs some more thought and GnuTLS needs to make the
> contracts between the functions explicit, especially the preconditions.
> Please review the patch thoroughly. I'm not sure whether it introduces a
> timing side channel.

Patches applied. There is no issue of timing channel in that case, as
the ciphertext length will be known in the wire anyway.


More information about the Gnutls-devel mailing list