GnuTLS has incomplete fix for CVE-2023-5981
## Description of problem:

While the fix released for CVE-2023-5981 improves the side-channel situation, it does not eliminate the side-channel leakage in RSA-PSK ciphersuites.

## Version of gnutls used:

gnutls-3.7.6-23.el9_3.1.aarch64

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

RHEL

## How reproducible:

Run the tlsfuzzer test-bleichenbacher-timing-pregenerate.py test and collect enough data to have the 95% CI below 1 ns.

## Actual results:

When tested with gnutls-3.7.6-23.el9_3.1 (which includes the backport from 3.8.2), after collecting 203 M measurements per probe I got the following result on the aarch64 platform:

```
Sign test mean p-value: 0.3669, median p-value: 0.2982, min p-value: 5.462e-09
Friedman test (chisquare approximation) for all samples p-value: 3.410443646538283e-25
Worst pair: 1(control - fuzzed pre master secret 2), 28(very short (4-byte) pre master secret)
Mean of differences: 1.82076e-08s, 95% CI: 3.30444e-10s, 3.443278e-08s (±1.705e-08s)
Median of differences: 0.00000e+00s, 95% CI: 0.00000e+00s, 0.000000e+00s (±0.000e+00s)
Trimmed mean (5%) of differences: 1.68087e-08s, 95% CI: 1.43544e-09s, 3.058237e-08s (±1.457e-08s)
Trimmed mean (25%) of differences: 3.13186e-09s, 95% CI: 1.95789e-09s, 4.359888e-09s (±1.201e-09s)
Trimmed mean (45%) of differences: 2.04542e-09s, 95% CI: 1.33240e-09s, 2.830705e-09s (±7.492e-10s)
Trimean of differences: 2.50000e-10s, 95% CI: 2.50000e-10s, 3.750000e-09s (±1.750e-09s)
Layperson explanation: Definite side-channel detected, implementation is VULNERABLE
```

The pairwise test results are here: [report.csv](/uploads/5e6be366eb265988e10c39aaba5cf6ca/report.csv)

## Expected results:

I've also tested a compile that includes changes from https://gitlab.com/gnutls/gnutls-security/-/merge_requests/2

After collecting 181 M measurements per probe I got the following result:

```
Sign test mean p-value: 0.5273, median p-value: 0.521, min p-value: 0.00362
Friedman test (chisquare approximation) for all samples p-value: 0.7956032096884457
Worst pair: 10(low Hamming weight RSA plaintext - 0x4 - low), 23(too short PKCS padding - 8 bytes)
Mean of differences: 1.03088e-08s, 95% CI: -4.83769e-09s, 2.789450e-08s (±1.637e-08s)
Median of differences: 0.00000e+00s, 95% CI: 0.00000e+00s, 0.000000e+00s (±0.000e+00s)
Trimmed mean (5%) of differences: 7.47585e-09s, 95% CI: -6.32033e-09s, 2.201555e-08s (±1.417e-08s)
Trimmed mean (25%) of differences: 1.50104e-09s, 95% CI: 3.63771e-10s, 2.595192e-09s (±1.116e-09s)
Trimmed mean (45%) of differences: 1.02879e-09s, 95% CI: 3.35454e-10s, 1.805351e-09s (±7.349e-10s)
Trimean of differences: 2.50000e-10s, 95% CI: 0.00000e+00s, 1.006250e-09s (±5.031e-10s)
Layperson explanation: Implementation most likely not providing a timing side-channel signal
```

The pairwise test results are here: [report.csv](/uploads/65131875164b6db4dd7ffcee12a78bbf/report.csv)
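As an added example (not code from this issue, from GnuTLS, or from tlsfuzzer), the following Python recomputes the estimators that the two reports above print (mean, median, 5%/25%/45% trimmed means, trimean, each with a bootstrap 95% CI, plus the sign test) on constructed paired timing data. The leak size `LEAK_S`, the jitter model, the outlier rate and the simplified `verdict()` rule are assumptions chosen to show why a "95% CI below 1 ns" target matters; they are not measurements of GnuTLS and not tlsfuzzer's exact decision logic.

```python
"""Recompute the tlsfuzzer-style statistics on constructed timing data.

Added example, not code from the GnuTLS issue or from tlsfuzzer. Two probes
are compared pairwise (measurement i of the fuzzed probe against measurement i
of the control probe) and each estimator of the differences is bootstrapped.
All timings are synthetic: LEAK_S, NOISE_SD_S and OUTLIER_P are assumptions.
"""
import random
import statistics
from math import comb

SEED = 1234
N_PAIRS = 2000        # measurements per probe (the report above used ~200 M)
LEAK_S = 2e-9         # assumed 2 ns extra time on the "leaky" code path
NOISE_SD_S = 5e-9     # assumed Gaussian jitter per measurement
OUTLIER_P = 0.01      # assumed rate of 1 us outliers (IRQs, scheduling)


def constructed_timings(rng, n, leak_s):
    """Synthetic timings in seconds for one probe: base + jitter + leak."""
    out = []
    for _ in range(n):
        t = 1.0e-4 + rng.gauss(0.0, NOISE_SD_S) + leak_s
        if rng.random() < OUTLIER_P:
            t += 1.0e-6          # heavy tail: the reason robust estimators are used
        out.append(t)
    return out


def trimmed_mean(values, fraction):
    """Mean after discarding `fraction` of the sorted values at each end."""
    s = sorted(values)
    k = int(len(s) * fraction)
    core = s[k:len(s) - k]
    return sum(core) / len(core)


def trimean(values):
    """Tukey's trimean: (Q1 + 2*median + Q3) / 4."""
    q1, q2, q3 = statistics.quantiles(values, n=4, method="inclusive")
    return (q1 + 2 * q2 + q3) / 4


def sign_test_p_value(diffs):
    """Exact two-sided sign test on the paired differences (zeros ignored)."""
    pos = sum(1 for d in diffs if d > 0)
    neg = sum(1 for d in diffs if d < 0)
    n, k = pos + neg, min(pos, neg)
    tail = sum(comb(n, i) for i in range(k + 1)) / 2 ** n
    return min(1.0, 2 * tail)


def bootstrap_ci(diffs, stat, rng, resamples=200, level=0.95):
    """Percentile bootstrap confidence interval for stat(diffs) -> (low, high)."""
    n = len(diffs)
    est = sorted(stat(rng.choices(diffs, k=n)) for _ in range(resamples))
    lo = int(resamples * (1 - level) / 2)
    return est[lo], est[resamples - 1 - lo]


ESTIMATORS = {
    "mean": statistics.fmean,
    "median": statistics.median,
    "trimmed mean (5%)": lambda v: trimmed_mean(v, 0.05),
    "trimmed mean (25%)": lambda v: trimmed_mean(v, 0.25),
    "trimmed mean (45%)": lambda v: trimmed_mean(v, 0.45),
    "trimean": trimean,
}


def analyse_pair(control, fuzzed, rng):
    """Point estimate and 95% CI of every estimator, plus the sign test p-value."""
    diffs = [f - c for c, f in zip(control, fuzzed)]
    rows = {name: (fn(diffs),) + bootstrap_ci(diffs, fn, rng)
            for name, fn in ESTIMATORS.items()}
    return {"sign_test_p": sign_test_p_value(diffs), "stats": rows}


def verdict(result, max_half_width_s=1e-9):
    """Simplified decision rule (an assumption, not tlsfuzzer's exact logic):
    the 25% trimmed mean needs a CI half-width below 1 ns to be conclusive;
    a conclusive CI that excludes zero is a detected side channel."""
    _, lo, hi = result["stats"]["trimmed mean (25%)"]
    if (hi - lo) / 2 > max_half_width_s:
        return "inconclusive: collect more data"
    if lo > 0 or hi < 0:
        return "side channel detected"
    return "no signal at this resolution"


def run_example():
    """Analyse one pair with an assumed 2 ns leak and one null pair."""
    rng = random.Random(SEED)
    control = constructed_timings(rng, N_PAIRS, 0.0)
    leaky = constructed_timings(rng, N_PAIRS, LEAK_S)
    control_again = constructed_timings(rng, N_PAIRS, 0.0)  # same path: null case
    return {"leaky": analyse_pair(control, leaky, rng),
            "null": analyse_pair(control, control_again, rng)}


if __name__ == "__main__":
    for label, res in run_example().items():
        print(f"== {label} pair: sign test p-value {res['sign_test_p']:.3g}")
        for name, (est, lo, hi) in res["stats"].items():
            print(f"{name} of differences: {est:.5e}s, 95% CI: {lo:.5e}s, "
                  f"{hi:.5e}s (±{(hi - lo) / 2:.3e}s)")
        print("Verdict:", verdict(res))
```

Running it shows the pattern visible in both reports above: the plain mean's CI is inflated by the rare outliers and is many times wider than the 25% trimmed mean's, so only the trimmed estimators get narrow enough to call a 2 ns difference, and the number of measurements, not the estimator, is what drives the half-width under the 1 ns target.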