GnuTLS has incomplete fix for CVE-2023-5981
Description of problem:
While the fix released for CVE-2023-5981 improves the side-channel situation, it does not eliminate the side-channel leakage in RSA-PSK ciphersuites.
Version of gnutls used:
gnutls-3.7.6-23.el9_3.1.aarch64
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):
RHEL
How reproducible:
Run the tlsfuzzer test-bleichenbacher-timing-pregenerate.py test and collect enough data for the 95% CI to be below 1 ns.
Actual results:
When tested with gnutls-3.7.6-23.el9_3.1 (which includes the backport from 3.8.2), after collecting 203 M measurements per probe I got the following result on the aarch64 platform:
Sign test mean p-value: 0.3669, median p-value: 0.2982, min p-value: 5.462e-09
Friedman test (chisquare approximation) for all samples
p-value: 3.410443646538283e-25
Worst pair: 1(control - fuzzed pre master secret 2), 28(very short (4-byte) pre master secret)
Mean of differences: 1.82076e-08s, 95% CI: 3.30444e-10s, 3.443278e-08s (±1.705e-08s)
Median of differences: 0.00000e+00s, 95% CI: 0.00000e+00s, 0.000000e+00s (±0.000e+00s)
Trimmed mean (5%) of differences: 1.68087e-08s, 95% CI: 1.43544e-09s, 3.058237e-08s (±1.457e-08s)
Trimmed mean (25%) of differences: 3.13186e-09s, 95% CI: 1.95789e-09s, 4.359888e-09s (±1.201e-09s)
Trimmed mean (45%) of differences: 2.04542e-09s, 95% CI: 1.33240e-09s, 2.830705e-09s (±7.492e-10s)
Trimean of differences: 2.50000e-10s, 95% CI: 2.50000e-10s, 3.750000e-09s (±1.750e-09s)
Layperson explanation: Definite side-channel detected, implementation is VULNERABLE
The pairwise test results are here: report.csv
Expected results:
I've also tested a build that includes the changes from https://gitlab.com/gnutls/gnutls-security/-/merge_requests/2
After collecting 181 M measurements per probe I got the following result:
Sign test mean p-value: 0.5273, median p-value: 0.521, min p-value: 0.00362
Friedman test (chisquare approximation) for all samples
p-value: 0.7956032096884457
Worst pair: 10(low Hamming weight RSA plaintext - 0x4 - low), 23(too short PKCS padding - 8 bytes)
Mean of differences: 1.03088e-08s, 95% CI: -4.83769e-09s, 2.789450e-08s (±1.637e-08s)
Median of differences: 0.00000e+00s, 95% CI: 0.00000e+00s, 0.000000e+00s (±0.000e+00s)
Trimmed mean (5%) of differences: 7.47585e-09s, 95% CI: -6.32033e-09s, 2.201555e-08s (±1.417e-08s)
Trimmed mean (25%) of differences: 1.50104e-09s, 95% CI: 3.63771e-10s, 2.595192e-09s (±1.116e-09s)
Trimmed mean (45%) of differences: 1.02879e-09s, 95% CI: 3.35454e-10s, 1.805351e-09s (±7.349e-10s)
Trimean of differences: 2.50000e-10s, 95% CI: 0.00000e+00s, 1.006250e-09s (±5.031e-10s)
Layperson explanation: Implementation most likely not providing a timing side-channel signal
The pairwise test results are here: report.csv
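Added example (not part of the bug report and not tlsfuzzer's own analysis code) showing how the numbers in the two result blocks are read: paired timing differences between two probes, the 25% trimmed mean with a percentile-bootstrap 95% CI, an exact sign test, and the "95% CI below 1 ns" rule for having collected enough data. The measurements are constructed with a fixed seed; the 8 ns jitter, the 1% spike rate, the 3 ns shift and all function names are assumptions.

```python
"""Simplified reading of a tlsfuzzer-style timing report (added example, not
tlsfuzzer's own analysis code). Standard library only."""
import math
import random

def trimmed_mean(values, trim):
    """Mean after dropping the lowest and highest `trim` fraction of values."""
    s = sorted(values)
    k = int(len(s) * trim)
    core = s[k:len(s) - k] if k else s
    return sum(core) / len(core)

def bootstrap_ci(diffs, stat, reps=1000, seed=1):
    """Percentile-bootstrap 95% CI for `stat` over paired differences."""
    rng = random.Random(seed)
    n = len(diffs)
    ests = sorted(stat([diffs[rng.randrange(n)] for _ in range(n)])
                  for _ in range(reps))
    return ests[int(0.025 * reps)], ests[int(0.975 * reps) - 1]

def sign_test_p(diffs):
    """Two-sided exact sign test; ties (zero differences) are dropped."""
    pos = sum(d > 0 for d in diffs)
    neg = sum(d < 0 for d in diffs)
    n, k = pos + neg, min(pos, neg)
    tail = sum(math.comb(n, i) for i in range(k + 1)) / 2 ** n
    return min(1.0, 2 * tail)

def verdict(diffs, precision_s=1e-9):
    """'enough_data' when the 95% CI half-width of the 25% trimmed mean is
    within precision_s (the 1 ns target above); 'leak' when it excludes 0."""
    lo, hi = bootstrap_ci(diffs, lambda v: trimmed_mean(v, 0.25))
    return {"ci": (lo, hi), "sign_p": sign_test_p(diffs),
            "enough_data": (hi - lo) / 2 <= precision_s,
            "leak": lo > 0 or hi < 0}

def simulate_pair(shift_s, n=2000, seed=7):
    """Constructed paired timings: Gaussian jitter plus rare 500 ns spikes
    (why robust estimators are used); probe B takes shift_s longer."""
    rng = random.Random(seed)
    def sample(extra):  # one measurement of one probe, in seconds
        spike = 500e-9 if rng.random() < 0.01 else 0.0
        return extra + rng.gauss(0.0, 8e-9) + spike
    return [sample(shift_s) - sample(0.0) for _ in range(n)]

if __name__ == "__main__":
    for label, shift in (("no leak", 0.0), ("3 ns leak", 3e-9)):
        print(label, verdict(simulate_pair(shift)))
```

The plain mean would be dragged around by the spikes; the trimmed mean is why the report's 25% and 45% rows have much tighter intervals than the mean row.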