File 0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch of Package gnutls.8596
From 29ffa2a1fa4cc396c5d1563a3e5cdca0174de28b Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Wed, 20 Jun 2018 13:00:00 +0200
Subject: [PATCH 4/4] hmac-sha384 and sha256 ciphersuites were removed from
defaults
These ciphersuites have been deprecated since the introduction of AEAD
ciphersuites, and are only necessary for compatibility with older
servers. Since older servers already support hmac-sha1 there is
no reason to keep these ciphersuites enabled by default, as they
increase our attack surface.
Relates #456
---
lib/gnutls_priority.c | 8 --------
tests/priorities.c | 10 +++++-----
2 files changed, 5 insertions(+), 13 deletions(-)
Index: gnutls-3.2.15/lib/gnutls_priority.c
===================================================================
--- gnutls-3.2.15.orig/lib/gnutls_priority.c 2018-08-27 13:55:14.591522147 +0200
+++ gnutls-3.2.15/lib/gnutls_priority.c 2018-08-27 14:01:16.361902629 +0200
@@ -463,8 +463,6 @@ static const int sign_priority_secure192
static const int mac_priority_normal[] = {
GNUTLS_MAC_SHA1,
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
GNUTLS_MAC_MD5,
0
@@ -482,15 +480,11 @@ static const int mac_priority_suiteb192[
static const int mac_priority_secure128[] = {
GNUTLS_MAC_SHA1,
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
0
};
static const int mac_priority_secure192[] = {
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
0
};
Index: gnutls-3.2.15/tests/priorities.c
===================================================================
--- gnutls-3.2.15.orig/tests/priorities.c 2018-08-27 13:55:15.687529359 +0200
+++ gnutls-3.2.15/tests/priorities.c 2018-08-27 14:17:25.992145299 +0200
@@ -92,18 +92,18 @@ try_prio(const char *prio, unsigned expe
void doit(void)
{
- const int normal = 66;
- const int null = 5;
- const int sec128 = 56;
+ const int normal = 46;
+ const int null = 4;
+ const int sec128 = 36;
try_prio("NORMAL", normal, 10);
try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 10);
try_prio("NORMAL:+CIPHER-ALL", normal, 10); /* all (except null) */
try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1); /* null */
try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 11); /* should be null + all */
- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 10, 1); /* should be null + all */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 5, 1);
try_prio("PERFORMANCE", normal, 10);
- try_prio("SECURE256", 20, 4);
+ try_prio("SECURE256", 10, 4);
try_prio("SECURE128", sec128, 8);
try_prio("SECURE128:+SECURE256", sec128, 8); /* should be the same as SECURE128 */
try_prio("SECURE128:+SECURE256:+NORMAL", normal, 10); /* should be the same as NORMAL */
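Review bot: The new expectations in doit() (`normal = 46`, `sec128 = 36`, `SECURE256` down to 10) are bare ciphersuite counts, so this test would pass just as well if a different 20 suites had been dropped from the defaults. It never shows that the HMAC-SHA256/SHA384 suites are the ones that are gone. A check that names them would pin the intent, for example asserting on the list returned by `gnutls_priority_mac_list()` for "NORMAL", alongside a case confirming that an explicit `+SHA256` still enables them for the older servers the commit message mentions. Whether `try_prio` can express either is not visible here, since its body and the end of doit() lie outside the hunk. The stale `/* should be null + all */` comment on the `+AES-128-CBC` line was dropped rather than corrected. `/* only AES-128-CBC remains */` there, plus a one-line comment beside the three constants saying how the counts were derived, would help whoever next edits the default MAC lists.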