[gnutls-devel] advisory GNUTLS-SA-2013-1
nmav at gnutls.org
Fri Feb 8 18:46:30 CET 2013
On 02/08/2013 10:59 AM, Tomas Hoger wrote:
> It seems a part of the fix did not get backported to 2.12 properly.
> Both 2.x and 3.x sources include the following comment:
> * Note that we access all 256 bytes of ciphertext for padding check
> * because there is a timing channel in that memory access (in certain CPUs).
> It's unclear to me if this mitigation was omitted from 2.x backport
> intentionally, given that the code comment suggests it should be there
> and hence was likely left out by mistake. Can you clarify?
Indeed I left it out intentionally to reduce the code that was changed.
In my measurements that change affected the overall timings only on a
very low scale. The comment above may exaggerate a bit, because initially
I had attributed to this code some other (unrelated) delay I encountered.

So to summarize, in the master branch a more careful (with respect to
timing attacks) re-organization took place, and the other branches took
just enough code to avoid the attack in the paper.
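The mitigation the quoted comment refers to, a CBC padding check that touches a fixed number of trailing bytes regardless of the padding value, is shown below as an added, stand-alone illustration. This is not GnuTLS code from either branch; it assumes the TLS 1.x CBC layout (pad+1 trailing bytes all equal to the last byte) and uses hypothetical function names (`tls_cbc_check_padding_naive`, `tls_cbc_check_padding_ct`, `self_check`). The naive variant branches on secret data and exits early, so both its running time and the set of memory locations it reads depend on the padding byte; the constant-time variant reads min(256, record length) bytes every time and folds the result into masks, which is the property the comment in the source is describing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mask helpers: return 0xFF when the relation holds, 0x00 otherwise,
 * without any data-dependent branch. Inputs are small (< 2^31). */
static uint8_t ct_mask_eq(uint8_t a, uint8_t b)
{
    uint32_t x = (uint32_t)(a ^ b);     /* zero iff a == b */
    x = (x - 1) >> 31;                  /* 1 iff x was zero */
    return (uint8_t)(0 - x);            /* 0xFF iff equal */
}

static uint8_t ct_mask_le(uint32_t a, uint32_t b)
{
    uint32_t gt = (b - a) >> 31;        /* 1 iff a > b (underflow) */
    return (uint8_t)(gt - 1);           /* 0xFF iff a <= b */
}

/* Naive check: early exit leaks, through timing and through which bytes
 * are touched, both the padding length and the first mismatching byte. */
int tls_cbc_check_padding_naive(const uint8_t *rec, size_t len)
{
    if (len == 0) return 0;
    uint8_t pad = rec[len - 1];
    if ((size_t)pad + 1 > len) return 0;
    for (size_t i = 1; i <= (size_t)pad + 1; i++)
        if (rec[len - i] != pad) return 0;
    return 1;
}

/* Constant-time check: always reads the last min(256, len) bytes (the record
 * length is public; the padding byte is not) and accumulates mismatches into
 * a mask, so neither control flow nor the addresses read depend on `pad`. */
int tls_cbc_check_padding_ct(const uint8_t *rec, size_t len)
{
    if (len == 0) return 0;                 /* len is public */
    uint8_t pad = rec[len - 1];
    uint32_t pad_len = (uint32_t)pad + 1;   /* bytes that must equal pad */
    size_t to_check = len < 256 ? len : 256;

    uint8_t good = ct_mask_le(pad_len, (uint32_t)len); /* padding fits? */
    uint8_t mismatch = 0;
    for (size_t i = 1; i <= to_check; i++) {
        uint8_t b = rec[len - i];                         /* always read */
        uint8_t in_pad = ct_mask_le((uint32_t)i, pad_len); /* byte is padding? */
        mismatch |= in_pad & ~ct_mask_eq(b, pad);
    }
    good &= ~mismatch;
    return good & 1;                        /* 1 = valid padding */
}

/* Constructed sample: body_len bytes of 0xAA followed by pad+1 bytes of
 * value `pad`. Returns the total record length. `out` needs body_len+256. */
size_t build_padded_record(uint8_t *out, size_t body_len, uint8_t pad)
{
    memset(out, 0xAA, body_len);
    memset(out + body_len, pad, (size_t)pad + 1);
    return body_len + (size_t)pad + 1;
}

/* Runs both checks over constructed records; returns 1 if every result
 * matches the expected outcome, 0 otherwise. */
int self_check(void)
{
    uint8_t buf[600];
    int ok = 1;

    size_t n = build_padded_record(buf, 20, 7);           /* valid, short pad */
    ok &= tls_cbc_check_padding_ct(buf, n) == 1;
    ok &= tls_cbc_check_padding_naive(buf, n) == 1;

    buf[n - 4] ^= 0x01;                                   /* corrupt one pad byte */
    ok &= tls_cbc_check_padding_ct(buf, n) == 0;
    ok &= tls_cbc_check_padding_naive(buf, n) == 0;

    n = build_padded_record(buf, 300, 255);               /* maximal padding */
    ok &= tls_cbc_check_padding_ct(buf, n) == 1;

    n = build_padded_record(buf, 5, 0);                   /* single pad byte 0x00 */
    ok &= tls_cbc_check_padding_ct(buf, n) == 1;

    uint8_t small[4] = { 9, 9, 9, 9 };                    /* pad claims 10 bytes */
    ok &= tls_cbc_check_padding_ct(small, 4) == 0;
    ok &= tls_cbc_check_padding_naive(small, 4) == 0;

    return ok;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```

Both functions return the same verdict on every input; the difference is only in what an observer can learn from how that verdict was reached. In a complete record handler the MAC check that follows also has to be done over a fixed amount of data, which is the larger re-organization the master branch refers to above.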