AES256-GCM emits all-zeros ciphertext on aarch64 with hardware acceleration

Yeah, I just noticed that as well. I could do an update, need to fix the one from +deb9u3 as well.

Do we have a reproducible test case for an SRU?

On 1 September 2017 at 14:10, Julian Andres Klode
<email address hidden> wrote:
> Do we have a reproducible test case for an SRU?
>

Doesn't the debian bug report have one?

> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1707172
>
> Title:
> AES256-GCM emits all-zeros ciphertext on aarch64 with hardware
> acceleration
>
> Status in gnutls28 package in Ubuntu:
> New
>
> Bug description:
> The following Debian issue exists in the Ubuntu package as well
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867581
>
> It breaks gnome-terminal and xfce4-terminal on arm64 machines.
>
> The issue is fixed upstream in 3.5.13, and the fix was backported to
> Debian stretch as well (3.5.8-5+deb9u2)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1707172/+subscriptions

It says to run "yes" in a terminal, that's somewhat suboptimal to test.

Ah, https://gitlab.com/gnutls/gnutls/issues/204 has more details.

On 1 September 2017 at 14:32, Julian Andres Klode
<email address hidden> wrote:
> Ah, https://gitlab.com/gnutls/gnutls/issues/204 has more details.
>
> ** Description changed:
>
> + [Impact]
> + AES256-GCM ciphertext is all zero on arm64 with hardware acceleration, breaking gnome-terminal and xfce4-terminal which use encrypted scrollback buffers.
> +
> + [Test case]
> + Compile the program from https://gitlab.com/gnutls/gnutls/issues/204 and make sure the cipher text is not all zeros
> +

Yeah, this is the one I was referring to.

@ard Are released older than zesty affected as well? I don't have a machine to test this, I'm just uploading the fix for zesty and artful.

On 2 September 2017 at 15:49, Julian Andres Klode
<email address hidden> wrote:
> @ard Are released older than zesty affected as well? I don't have a
> machine to test this, I'm just uploading the fix for zesty and artful.
>

No, the issue appeared only after upgrading to Zesty.

Thanks Ard.

Fixes for both artful and zesty are uploaded now.

On 2 September 2017 at 16:22, Julian Andres Klode
<email address hidden> wrote:
> Thanks Ard.
>
> Fixes for both artful and zesty are uploaded now.
>

Great! Thanks.

This bug was fixed in the package gnutls28 - 3.5.8-6ubuntu3

---------------
gnutls28 (3.5.8-6ubuntu3) artful; urgency=medium

  * Cherry pick several fixes from Debian 3.5.8-5+deb9u3:
    - 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
      38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from
      gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa
      signatures. LP: #1714506
    - 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from
      upstream 3.5.x branch: Fix breakage if AES-GCM in-place encryption and
      decryption on aarch64. LP: #1707172

 -- Julian Andres Klode <email address hidden> Sat, 02 Sep 2017 16:12:49 +0200

Given that this essentially destroys data when encrypting it in-place, I'm increasing importance to critical.

Hello Ard, or anyone else affected,

Accepted gnutls28 into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gnutls28/3.5.6-4ubuntu4.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Bug is fixed on zesty with package version 3.5.6-4ubuntu4.3

This bug was fixed in the package gnutls28 - 3.5.6-4ubuntu4.3

---------------
gnutls28 (3.5.6-4ubuntu4.3) zesty; urgency=medium

  * Cherry pick several fixes from Debian 3.5.8-5+deb9u3:
    - 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
      38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from
      gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa
      signatures. LP: #1714506
    - 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from
      upstream 3.5.x branch: Fix breakage if AES-GCM in-place encryption and
      decryption on aarch64. LP: #1707172

 -- Julian Andres Klode <email address hidden> Sat, 02 Sep 2017 16:12:49 +0200

The verification of the Stable Release Update for gnutls28 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.