Re: [Bug 1419436] Re: tls_socket_read (Decryption has failed.)
After recompiling mutt with openssl instead of gnutls I discovered that openssl was also affected, so I tried another USB ethernet dongle and that seems to have fixed it. At least I can't reproduce the problem with the large IMAP fetch using openssl s_client. I've now blacklisted the module for the onboard ethernet phy_twl4030_usb.

Maybe this bug could be reassigned?

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1419436

Title:
  tls_socket_read (Decryption has failed.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1419436/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1419436] Re: tls_socket_read (Decryption has failed.)
Sorry, I spoke too soon, I was just able to reproduce it on the new NIC, but it happens much less often.
[Bug 1419436] Re: tls_socket_read (Decryption has failed.)
Donn, was it a different kind of usb NIC or the same kind? Perhaps there's a kernel bug to fix or perhaps you just need to throw away the old NIC, depending upon what changed. Thanks
Re: [Bug 1419436] Re: tls_socket_read (Decryption has failed.)
Yes, I realise that now. I've tried on a Raspberry Pi with 2.12.20 (armhf) without problems. What is curious is why it was working before under Ubuntu 12.04. Comparing tag and tag_ptr, I can say that it is in fact the HMAC that differs, and not the padding check. I'll keep debugging.

On Mon, Feb 09, 2015 at 06:58:52PM -, Seth Arnold wrote:
> It appears your patch disables authentication entirely; if I'm correct,
> a MITM attacker can modify bytes at will and you're unlikely to discover
> that they have been modified while in transit.
>
> I'm sorry that I don't have anything better to recommend; it'd be worth
> running some stressors on your hardware and seeing if they can run to
> completion, e.g. kernel compiles or
> http://kernel.ubuntu.com/~cking/stress-ng/
>
> Thanks
[Bug 1419436] Re: tls_socket_read (Decryption has failed.)
It appears your patch disables authentication entirely; if I'm correct, a MITM attacker can modify bytes at will and you're unlikely to discover that they have been modified while in transit.

I'm sorry that I don't have anything better to recommend; it'd be worth running some stressors on your hardware and seeing if they can run to completion, e.g. kernel compiles or http://kernel.ubuntu.com/~cking/stress-ng/

Thanks
[Bug 1419436] Re: tls_socket_read (Decryption has failed.)
I dug a little deeper and recompiled gnutls28-3.2.11 from sources provided by "apt-get source" and commented out the block at gnutls_cipher.c:951 (see snippet below) which caused the first assertion in the log above. This fixes the problem, that is, I can download attachments in mutt seemingly without problem.

My question now is, what are the implications of removing this check? Any idea why this is only happening on armhf?

  /* Here there could be a timing leakage in CBC ciphersuites that
   * could be exploited if the cost of a successful memcmp is high.
   * A constant time memcmp would help there, but it is not easy to maintain
   * against compiler optimizations. Currently we rely on the fact that
   * a memcmp comparison is negligible over the crypto operations.
   */
  // if (unlikely
  if (0 && unlikely
      (memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) {
    /* HMAC was not the same. */
    dummy_wait(params, compressed, pad_failed, pad, length + preamble_size);
    return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
  }
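
Added example (not part of the thread and not GnuTLS code): a Python model of the check discussed above, applied to an already-decrypted CBC record laid out as data || HMAC tag || padding. The key, sample payload and function names are constructed for illustration, and the MAC here covers only the data (real TLS also covers the sequence number and record header). It shows that one flipped bit fails the HMAC but not the padding check, and that skipping the check hands back the altered bytes with no error.

```python
import hashlib
import hmac

TAG_SIZE = hashlib.sha1().digest_size  # 20-byte HMAC-SHA1 tag
BLOCK = 16                             # AES-CBC block size

def build_record(key, data):
    """Sender side, after MAC and padding but before encryption."""
    tag = hmac.new(key, data, hashlib.sha1).digest()
    pad_len = (BLOCK - (len(data) + TAG_SIZE + 1) % BLOCK) % BLOCK
    # TLS padding: pad_len + 1 bytes, each holding the value pad_len
    return data + tag + bytes([pad_len]) * (pad_len + 1)

def open_record(key, record, check=True):
    """Receiver side, after decryption. Returns (data, mac_ok, pad_ok)."""
    record = bytes(record)
    if len(record) < TAG_SIZE + 1:
        raise ValueError("record too short")
    pad_len = record[-1]
    pad_ok = (pad_len + 1 + TAG_SIZE <= len(record)
              and record[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))
    if not pad_ok:
        pad_len = 0  # keep going: the MAC is computed even when padding is bad
    body = record[:len(record) - pad_len - 1]
    data, tag_ptr = body[:-TAG_SIZE], body[-TAG_SIZE:]
    tag = hmac.new(key, data, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(tag, tag_ptr)  # constant-time comparison
    if check and not (mac_ok and pad_ok):
        raise ValueError("decryption failed")
    return data, mac_ok, pad_ok

def demo():
    key = b"constructed-test-key"             # constructed sample key
    data = b"* 1 FETCH (BODY[] sample data)"  # constructed sample payload
    damaged = bytearray(build_record(key, data))
    damaged[3] ^= 0x01  # one bit changed in transit (fault or tampering)
    try:
        open_record(key, damaged)
        rejected = False
    except ValueError:
        rejected = True
    # With the check skipped, the altered data comes back with no error.
    got, mac_ok, pad_ok = open_record(key, damaged, check=False)
    return rejected, got != data, mac_ok, pad_ok

if __name__ == "__main__":
    print(demo())
```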