Embargoed issue reported upstream:
---
My team and I have tested GnuTLS and we found that it is vulnerable to the Minerva attack. GnuTLS on its own is not vulnerable, but when we are using the deterministic code we can see a step from 513 K-bit-size to 512 K-bit-size.

The test scenario is that we are signing random messages using the gnutls_privkey_sign_data2 API function with the "GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE" flag. Then, using the private key, we extract the K value from the signatures. After that, based on the bit size of the extracted nonce, we compare full-sized nonces to smaller ones and use statistical tests to compare the signature times.

For testing, we used gnutls-3.7.6-23.el9.x86_64 and gnutls-devel-3.7.6-23.el9.x86_64.

In these results, we can clearly see that there is a "step" from a nonce size of 513 bits to a nonce size of 512 bits. The size of this side channel is around 34 ns. The sample tested has 43,190,069 observations.

Reference: https://minerva.crocs.fi.muni.cz
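The measurement methodology the reporter describes (sign many messages, recover each nonce k from the signature with the private key, bucket by the nonce's bit length, compare the per-bucket cost) is illustrated below as an added example. It is not the reporter's harness and not GnuTLS code: instead of calling gnutls_privkey_sign_data2 and timing it, it implements ECDSA over NIST P-256 in pure Python with a deliberately non-constant-time double-and-add scalar multiplication that reports its loop-iteration count as a deterministic stand-in for wall-clock time. Because P-256 is used for speed, the boundary of interest here is 256 to 255 bits rather than the 513 to 512 bits reported above. Nonces are drawn from a seeded PRNG purely so the experiment is reproducible; a real signer would use RFC 6979 or a CSPRNG, and the bit-length distribution is the same either way. Messages and the key are constructed inputs.

```python
"""Minerva-style nonce bit-length bucketing on ECDSA over NIST P-256.

Added example, not GnuTLS code. The cost reported per signature is the
number of iterations of the scalar-multiplication loop, i.e. k.bit_length(),
which is exactly the quantity a non-constant-time implementation leaks
through timing.
"""
import hashlib
import random
from collections import defaultdict

# NIST P-256: y^2 = x^3 + a*x + b over GF(p); G has prime order n.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def point_add(p1, p2):
    """Affine point addition (doubling when p1 == p2); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Left-to-right double-and-add; returns (k*point, loop_iterations).

    The loop runs once per bit of k, so iterations == k.bit_length(). This is
    the leaky structure Minerva exploits; here it is counted instead of timed.
    """
    result = None
    iterations = 0
    for bit in bin(k)[2:]:
        result = point_add(result, result)
        if bit == "1":
            result = point_add(result, point)
        iterations += 1
    return result, iterations


def hash_to_int(message):
    """SHA-256 is 256 bits wide, so no truncation is needed for P-256."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(d, z, k):
    """ECDSA with an explicit nonce k; returns (r, s, cost)."""
    (x, _), cost = scalar_mult(k, G)
    r = x % N
    s = pow(k, -1, N) * (z + r * d) % N
    return r, s, cost


def verify(Q, z, r, s):
    w = pow(s, -1, N)
    X, _ = scalar_mult(z * w % N, G)
    Y, _ = scalar_mult(r * w % N, Q)
    R = point_add(X, Y)
    return R is not None and R[0] % N == r


def recover_nonce(d, z, r, s):
    """Invert the signing equation s = k^-1 (z + r*d): k = s^-1 (z + r*d) mod n.

    This is the 'extract the K value using the private key' step.
    """
    return pow(s, -1, N) * (z + r * d) % N


def collect(d, count, seed=0):
    """Sign `count` constructed random messages, recover every nonce with the
    private key, and bucket each signature's cost by the nonce's bit length."""
    rng = random.Random(seed)  # seeded for reproducibility only; not for real keys
    buckets = defaultdict(list)
    for _ in range(count):
        z = hash_to_int(rng.getrandbits(256).to_bytes(32, "big"))
        k = rng.randrange(1, N)
        r, s, cost = sign(d, z, k)
        k_rec = recover_nonce(d, z, r, s)
        assert k_rec == k
        buckets[k_rec.bit_length()].append(cost)
    return dict(buckets)


def bucket_means(buckets):
    """Mean cost per nonce bit length; the 'step' is the gap between adjacent keys."""
    return {bits: sum(c) / len(c) for bits, c in buckets.items()}


if __name__ == "__main__":
    d = random.Random(1).randrange(1, N)  # constructed private key
    means = bucket_means(collect(d, 200))
    for bits in sorted(means, reverse=True):
        print(f"nonce {bits} bits: mean cost {means[bits]:.2f} iterations")
    print("step 256 -> 255 bits:", means[256] - means[255])
```

With the iteration count as the cost metric the step between the 256-bit and 255-bit buckets is exactly one iteration; against a real library the same bucketing is applied to wall-clock timings and the difference must be established statistically (the report above cites about 34 ns over some 43 million observations). A constant-time scalar multiplication makes the cost independent of the bucket, which is the property a fixed implementation must have.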
Created gnutls tracking bugs for this issue: Affects: fedora-all [bug 2270616]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:1879 https://access.redhat.com/errata/RHSA-2024:1879
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:1997 https://access.redhat.com/errata/RHSA-2024:1997
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:2044 https://access.redhat.com/errata/RHSA-2024:2044
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:2889 https://access.redhat.com/errata/RHSA-2024:2889