[gnutls-devel] [PATCH 3/3] _asn1_ordering_set_of(): Fix memory leak in case of error.

Peter Williams home_pw at msn.com
Sun Apr 20 19:13:46 CEST 2014


off topic.


Remember, ASN.1 is abstract and begets several concrete encodings. In particular, BER was INTENDED to allow (security) processors doing relaying to reorder set elements on the wire (or drop tagged elements they just could not process). IN the associated doctrine for ASN.1 - heavily used in 1990s era military messaging system security concepts, one should not assume that the inbound wire has the originator’s instance of BER coding or all the originally-tagged data elements.  Recoding into the canonical form (of those elements actually received) is of course the classical DER requirement - used when performing a security services on the inbound PDU.


As I recall, canonical encoding set of requires forming a binary representation of the collection of child TLVs, and doing a binary compare to order the set.


If the code to do all this is within the security module (within the FIPS 140 crypto module boundary that is) one gets to time all this activity, since one can inject different orderings under these BER rules and induce difference amount of work - and associated energy/power usage.


Sneaky, no!

 

One might leak the raw signal in one module, and then, ahem, induce another - via garbage collection etc - to modulate that signal on a suitable bearer easily available to the party penetrating the commodity crypto module.






From: Kurt Roeckx
Sent: ‎Sunday‎, ‎April‎ ‎20‎, ‎2014 ‎7‎:‎59‎ ‎AM
To: gnutls-devel at lists.gnutls.org





On Sat, Apr 19, 2014 at 08:13:58PM +0200, Kurt Roeckx wrote:
> I need to look at this again, more examples cases of it in the
> same file different function.  And I might have misunderstood the
> intention of the function, so I'm looking at this again.

So I ended up submitting a reworked version of this patch and a
few others to libtasn1.


Kurt


_______________________________________________
Gnutls-devel mailing list
Gnutls-devel at lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20140420/64b915ab/attachment.html>


More information about the Gnutls-devel mailing list