[gnutls-devel] Incorrect SSL heartbeat bounds checking (not exploitable)
Peter Dettman
peter.dettman at bouncycastle.org
Sat Apr 12 05:53:55 CEST 2014
Hi Nikos,
I noticed the git commit go thru yesterday and it appears correct to me
(although the commit message names the wrong Peter!).
On 11/04/2014 6:46 PM, Nikos Mavrogiannopoulos wrote:
> I remember that this was not the choice of the authors. That change
> was forced by the IESG reviewers.
> http://www.ietf.org/mail-archive/web/tls/current/msg08311.html
Thankyou for the link; your comments on that thread do you credit. May I
infer that you were somehat dubious of the reasoning at the time?
> I'd be afraid to introduce more complexity by an rng only for that
> code (which is really rarely enabled/used). In 3.3.0 I've separated
> the rng to generate keys from the rng that generates nonces as in that
> case, and I believe that should be sufficient.
I confirmed for myself that the heartbeat padding is now filled using
GNUTLS_RND_NONCE (as of 26 Jan, 2013). I agree that is probably
sufficient, and am glad to see that such a separation exists in GnuTLS
more generally. The original author's "decision" to use GNUTLS_RND_NONCE
in one place and GNUTLS_RND_RANDOM in another (if I understand the code
- for the padding) is less comforting.
Regards,
Pete Dettman
More information about the Gnutls-devel
mailing list