Re: Gnutls investigation and request for advice for Jessie

To: Ola Lundqvist <ola@inguza.com>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Gnutls investigation and request for advice for Jessie
From: Antoine Beaupré <anarcat@orangeseeds.org>
Date: Mon, 01 Oct 2018 14:07:15 -0400
Message-id: <[🔎] 87va6l8rsc.fsf@curie.anarc.at>
In-reply-to: <871saexlbf.fsf@curie.anarc.at>
References: <CABY6=0nu1qG9Beb5qc-mbZfubmQGxp9dbgnicFuPPpiwz+oJnw@mail.gmail.com> <87d0tyxssp.fsf@curie.anarc.at> <CABY6=0k5Mu+htgfGp6mqd5V5+95CrZxsNvhvT45UFTFhALP5hA@mail.gmail.com> <874lfaxpb4.fsf@curie.anarc.at> <871saexlbf.fsf@curie.anarc.at>

I contacted three parties to try and settle this:

 * the original authors of the paper
 * the GnuTLS upstream
 * the RedHat security team

The original authors "still stand behind what is written in the paper"
and believe only a constant-time implementation is the proper fix. They
point to BoringSSL, OpenSSL and WolfSSL as properly implementing this
now, but acknowledge such a fix might impose API breakage, at least in
the low-level hash functions.

Upstream GnuTLS replied the following:

https://gitlab.com/gnutls/gnutls/issues/456#note_105621260

> The solution applied in gnutls 3.3.30 is a mitigation against the
> attack published by the authors. As such these CVEs are
> addressed. What the authors claim is that these mitigations may not be
> sufficient to address a future attack similar in principle to that
> one; they indeed have a point but I guess that's with all attacks one
> way or another. So backporting these mitigations (or preferably by
> updating to 3.3.30) is sufficient to address that vulnerability. A
> more general solution is tracked at #503.

In other words: that's the solution we got now, use it or wait (possibly
for months) for a longer term fix.

RedHat security hasn't answered yet, but GnuTLS upstream also replied
there:

https://bugzilla.redhat.com/show_bug.cgi?id=1582571#c12

> That is, the existing counter-measures present were improved to
> protect against this attack. Indeed the paper authors mention that
> this may not be sufficient to counter other future attacks, and they
> are correct in that. How critical however would be such future
> attacks? For that one must note what is the actual impact of this
> attack. This type of attacks does only affect the legacy HMAC-based
> ciphersuites and only when the gnutls peer does not implement the
> encrypt-then-mac construction. That's why the majority of HMAC
> ciphersuites are now disabled by default keeping HMAC-SHA1 for
> compatibility only.

In other words: yes, an attack is still possible, but it's not critical
because the impact is smaller.

I agree with this analysis: the fix is imperfect, but it's all we
got. So I'll be looking at backporting this shortly.

Or should we update jessie to 3.3.30 as recommended upstream? There
*were* API/ABI changes since 3.3.8, but only new symbols were added - no
signatures were changed or removed...

A.
-- 
Music gives a soul to the universe, wings to the mind, flight to the
imagination and life to everything
                         - Plato

Reply to:

Follow-Ups:
- Re: Gnutls investigation and request for advice for Jessie
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: LTS/ELTS Report for September 2018
Next by Date: Re: Firefox-esr 60?
Previous by thread: LTS/ELTS Report for September 2018
Next by thread: Re: Gnutls investigation and request for advice for Jessie
Index(es):
- Date
- Thread