]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
doc update
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 11 Sep 2013 11:42:06 +0000 (13:42 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Mon, 16 Sep 2013 22:18:55 +0000 (00:18 +0200)
lib/gnutls_cipher.c

index 1e87d5d2dd4ea5ace56467573584c02297c1402e..eeda3394f302e6d573d5cf4b113ce75a44027813 100644 (file)
@@ -834,6 +834,12 @@ ciphertext_to_compressed (gnutls_session_t session,
   if (unlikely(ret < 0))
     return gnutls_assert_val(ret);
 
+  /* Here there could be a timing leakage in CBC ciphersuites that
+   * could be exploited if the cost of a successful memcmp is high. 
+   * A constant time memcmp would help there, but it is not easy to maintain
+   * against compiler optimizations. Currently we rely on the fact that
+   * a memcmp comparison is negligible over the crypto operations.
+   */
   if (unlikely(memcmp (tag, tag_ptr, tag_size) != 0 || pad_failed != 0))
     {
       /* HMAC was not the same. */