Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1]

gnutls-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1]

From:	Simon Josefsson
Subject:	Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1]
Date:	Mon, 19 May 2008 21:43:32 +0200
User-agent:	Gnus/5.110009 (No Gnus v0.9) Emacs/22.2 (gnu/linux)

Simon Josefsson <address@hidden> writes:

> I don't understand why the self-tests didn't catch something like this
> though.

I looked into this, and the reason is that the self tests uses TLS 1.1
and uses record padding.  The incorrect debug message check was only
triggered for incoming packet shorter than the hash size plus the
blocksize, which can happen if the server sends a short message.  If TLS
1.1 is used, an IV is always sent so the packet becomes longer, or if
padding is used, the packet typically also becomes longer.

My patch in the other message appears to be the right thing.  I'll
release 2.2.5 with it.

/Simon

[Prev in Thread]

Current Thread

[Next in Thread]

GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1], Simon Josefsson, 2008/05/19
- Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1], Simon Josefsson, 2008/05/19
- Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1], Andreas Metzler, 2008/05/19
  - Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1], Simon Josefsson, 2008/05/19
    - Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1], Andreas Metzler, 2008/05/19
    - Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1], Simon Josefsson, 2008/05/19
    - Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1], Simon Josefsson <=

Prev by Date: Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1]
Next by Date: GnuTLS 2.2.5 - Brown paper bag release
Previous by thread: Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1]
Next by thread: GnuTLS 2.3.10
Index(es):
- Date
- Thread