[gnutls-devel] advisory GNUTLS-SA-2013-1
thoger at redhat.com
Fri Feb 8 10:59:04 CET 2013
On Mon, 04 Feb 2013 18:21:04 +0100 Nikos Mavrogiannopoulos wrote:
> I've put online a security advisory on the "lucky 13" CBC ciphersuite
> attack in . The advisory can be found at:
> . http://www.isg.rhul.ac.uk/tls/
It seems a part of the fix did not get backported to 2.12 properly.
Both 2.x and 3.x sources include the following comment:
* Note that we access all 256 bytes of ciphertext for padding check
* because there is a timing channel in that memory access (in certain CPUs).
However, what is described did not get implemented in 2.x, see:
It's unclear to me if this mitigation was omitted from the 2.x backport
intentionally, given that the code comment suggests it should be there
and hence was likely left out by mistake. Can you clarify?
Tomas Hoger / Red Hat
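The mitigation the quoted comment describes, written out as an added example (this is not GnuTLS code): a TLS CBC padding check whose loop bound and memory accesses depend only on the public record length, scanning a fixed window of up to 256 trailing bytes whatever the secret pad byte says. The helper names and the sample records are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constant-time helpers: a 32-bit mask that is all ones when the
 * condition holds and all zeros otherwise (operands must be < 2^31). */
static uint32_t ct_lt(uint32_t a, uint32_t b) { return 0u - ((a - b) >> 31); }
static uint32_t ct_is_zero(uint32_t v)         { return ct_lt(v, 1); }

/* Checks TLS 1.x CBC padding (pad+1 trailing bytes all equal to pad).
 * Returns the content length (record minus padding) or -1 if invalid.
 * Key property: every loop iteration reads one byte and the bound is
 * derived from the public record length, never from the pad byte, so the
 * memory access pattern is identical for valid and invalid padding.
 * A full Lucky 13 fix must also run the MAC over a length-independent
 * amount of data; that part is outside this example. */
int tls_cbc_padding_ct(const uint8_t *rec, size_t len)
{
    if (len == 0 || len > 0x7fffffff) return -1;    /* public information */
    uint32_t n      = (uint32_t)len;
    uint32_t pad    = rec[n - 1];
    uint32_t len_ok = ct_lt(pad, n);                /* pad + 1 <= n */
    uint32_t scan   = n < 256 ? n : 256;            /* fixed, public bound */
    uint32_t bad    = 0;

    for (uint32_t i = 1; i <= scan; i++) {
        uint32_t in_pad = ct_lt(i, pad + 2);        /* positions 1..pad+1 */
        bad |= in_pad & (rec[n - i] ^ pad);         /* mismatch inside padding */
    }
    uint32_t ok = len_ok & ct_is_zero(bad & 0xff);
    /* ok all ones: n - pad - 1; ok zero: 0xffffffff, i.e. -1 */
    return (int32_t)(((n - pad - 1) & ok) | ~ok);
}

int main(void)
{
    /* constructed records: 4 content bytes followed by TLS padding */
    const uint8_t good[] = {1, 2, 3, 4, 3, 3, 3, 3};
    const uint8_t bad[]  = {1, 2, 3, 4, 3, 2, 3, 3};
    printf("good: %d\nbad: %d\n",
           tls_cbc_padding_ct(good, sizeof good), tls_cbc_padding_ct(bad, sizeof bad));
    return 0;
}
```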