[gnutls-devel] advisory GNUTLS-SA-2013-1

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Feb 8 18:46:30 CET 2013

On 02/08/2013 10:59 AM, Tomas Hoger wrote:

> It seems a part of the fix did not get backported to 2.12 properly.
> Both 2.x and 3.x sources include the following comment:
>   * Note that we access all 256 bytes of ciphertext for padding check
>   * because there is a timing channel in that memory access (in certain CPUs).
> https://gitorious.org/gnutls/gnutls/blobs/master/lib/gnutls_cipher.c#line740
> It's unclear to me if this mitigation was omitted from 2.x backport
> intentionally, given that the code comment suggests it should be there
> and hence was likely left out by mistake.  Can you clarify?

Hello Tomas,
 Indeed I left it out intentionally to reduce the code that was changed.
In my measurements that change affected on a very low scale the overall
timings. The comment above may exaggerate a bit, because initially I had
attributed to this code some other (unrelated) delay I encountered.

So to summarize, in master branch a more careful (with respect to timing
attacks) re-organization took place, and the other branches took just
enough code to avoid the attack in the paper.


More information about the Gnutls-devel mailing list