| field | value | date |
|---|---|---|
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-06-18 11:33:34 +0200 |
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-06-20 10:32:23 +0000 |
| commit | 789cc9ca9ae033e600542ab4c1e9dc433c319f9b (patch) | |
| tree | 1b504d946ead021090bf42d8e46f85c2dc92b3f2 | |
| parent | 601e12472f2f533d19ee52410f89dc36543354c0 (diff) | |
| download | gnutls-tmp-safe-padding-removal-made-optional.tar.gz | |
document new behavior on safe padding removal (ref: tmp-safe-padding-removal-made-optional)
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | doc/cha-gtls-app.texi | 8 |
| -rw-r--r-- | doc/cha-intro-tls.texi | 8 |
| -rw-r--r-- | lib/record.c | 4 |

3 files changed, 16 insertions, 4 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index c23c848d90..59b448547c 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi @@ -1294,10 +1294,10 @@ and @ref{tab:prio-special2}. will enable compatibility mode. It might mean that violations of the protocols are allowed as long as maximum compatibility with problematic clients and servers is achieved. More specifically this -string would disable TLS record random padding, tolerate packets -over the maximum allowed TLS record, and add a padding to TLS Client -Hello packet to prevent it being in the 256-512 range which is known -to be causing issues with a commonly used firewall (see the %DUMBFW option). +string will tolerate packets over the maximum allowed TLS record, +and add a padding to TLS Client Hello packet to prevent it being in the +256-512 range which is known to be causing issues with a commonly used +firewall (see the %DUMBFW option). @item %DUMBFW @tab will add a private extension with bogus data that make the client diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi index ca3fa92daa..0c82f0853b 100644 --- a/doc/cha-intro-tls.texi +++ b/doc/cha-intro-tls.texi @@ -243,6 +243,14 @@ interface is provided by @funcref{gnutls_record_send2}, and is made available when under TLS1.3; alternatively @funcref{gnutls_record_can_use_length_hiding} can be queried. +Note that this interface is not sufficient to completely hide the length of the +data. The application code may reveal the data transferred by leaking its +data processing time, or by leaking the TLS1.3 record processing time by +GnuTLS. That is because under TLS1.3 the padding removal time depends on the +padding data for an efficient implementation. To make that processing +constant time the @funcref{gnutls_init} function must be called with +the flag @code{GNUTLS_SAFE_PADDING_CHECK}. + @showfuncdesc{gnutls_record_send2} Older GnuTLS versions provided an API suitable for cases where the sender 
diff --git a/lib/record.c b/lib/record.c index c9bf616caa..ce0ecb672a 100644 --- a/lib/record.c +++ b/lib/record.c @@ -1760,6 +1760,10 @@ gnutls_record_send(gnutls_session_t session, const void *data, * To determine the maximum size of padding, use * gnutls_record_get_max_size() and gnutls_record_overhead_size(). * + * Note that in order for GnuTLS to provide constant time processing + * of padding and data in TLS1.3, the flag %GNUTLS_SAFE_PADDING_CHECK + * must be used in gnutls_init(). + * * Returns: The number of bytes sent, or a negative error code. The * number of bytes sent might be less than @data_size. The maximum * number of bytes this function can send in a single call depends |
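Review bot: in the doc/cha-gtls-app.texi hunk, removing "disable TLS record random padding" from the %COMPAT entry leaves the priority-string table silent on record padding altogether, so a reader cannot tell whether %COMPAT still switches random record padding off or whether that behaviour now lives elsewhere; a sentence stating explicitly that %COMPAT no longer affects record padding (and where that is controlled instead) would prevent the old assumption from surviving. While these lines are being rewritten, "add a padding to TLS Client Hello packet to prevent it being in the 256-512 range which is known to be causing issues with a commonly used firewall" would read better as "add padding to the TLS Client Hello so that its size falls outside the 256-512 range, which is known to cause problems with a commonly used firewall".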
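Review bot: in the doc/cha-intro-tls.texi hunk, "the padding removal time depends on the padding data for an efficient implementation" presents the timing dependency as a requirement of efficiency rather than as a property of the default code path; suggest "by default GnuTLS removes TLS 1.3 padding in time that depends on the padding length, which is faster but observable to an attacker measuring response times". "leaking the TLS1.3 record processing time by GnuTLS" is also awkward; "the time GnuTLS takes to process the TLS 1.3 record" is clearer. The paragraph should also say which side must pass @code{GNUTLS_SAFE_PADDING_CHECK} to @funcref{gnutls_init}: padding removal happens on the receiving session, so a sender using @funcref{gnutls_record_send2} cannot make its own padding safe by setting the flag locally, and the reader needs the flag's cost documented alongside it to judge the trade-off.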
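Review bot: in the lib/record.c hunk, the new sentence is placed in the doc comment of the sending-side padding API, yet constant-time padding removal is performed by whichever session receives the padded records; as written, "the flag %GNUTLS_SAFE_PADDING_CHECK must be used in gnutls_init()" can be read as "set it on the sending session and the padding is handled in constant time". Suggest "Note that padding removal in TLS1.3 is performed in constant time only by sessions initialized with the %GNUTLS_SAFE_PADDING_CHECK flag in gnutls_init(); this applies to the peer receiving the data sent here, and to this session when receiving", and adding the same note to the documentation of the receive function, where an implementer looking for the receive-side guarantee will actually look.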