From 29ffa2a1fa4cc396c5d1563a3e5cdca0174de28b Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Wed, 20 Jun 2018 13:00:00 +0200
Subject: [PATCH 4/4] hmac-sha384 and sha256 ciphersuites were removed from
defaults
These ciphersuites are deprecated since the introduction of AEAD
ciphersuites, and are only necessary for compatibility with older
servers. Since older servers already support hmac-sha1 there is
no reason to keep these ciphersuites enabled by default, as they
increase our attack surface.
Relates #456
---
lib/gnutls_priority.c | 8 --------
tests/priorities.c | 10 +++++-----
2 files changed, 5 insertions(+), 13 deletions(-)
Index: gnutls-3.6.2/lib/priority.c
===================================================================
--- gnutls-3.6.2.orig/lib/priority.c 2018-02-14 20:16:48.000000000 +0100
+++ gnutls-3.6.2/lib/priority.c 2018-09-03 14:34:26.742547276 +0200
@@ -431,16 +431,12 @@ static const int* sign_priority_secure19
static const int mac_priority_normal_default[] = {
GNUTLS_MAC_SHA1,
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
0
};
static const int mac_priority_normal_fips[] = {
GNUTLS_MAC_SHA1,
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
0
};
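Review bot: The trimmed `mac_priority_normal_default` and `mac_priority_normal_fips` tables carry no comment, so a reader sees the stronger HMACs dropped while HMAC-SHA1 is kept and will suspect an inversion; the rationale lives only in the commit message. I would add above `mac_priority_normal_default`: `/* HMAC-SHA256/384 are deliberately not default: AEAD suites supersede them and HMAC-SHA1 covers legacy peers; they stay selectable with "+SHA256"/"+SHA384" (see #456). */` The same applies to the secure128/secure192 tables in the next hunk. Note that tests/dtls1-2-mtu-check.c is patched below to add `+SHA256` to its priority string yet is absent from the diffstat, which suggests the patch header was not regenerated after that test was touched.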
@@ -474,16 +470,12 @@ static const int* mac_priority_suiteb =
static const int _mac_priority_secure128[] = {
GNUTLS_MAC_SHA1,
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
0
};
static const int* mac_priority_secure128 = _mac_priority_secure128;
static const int _mac_priority_secure192[] = {
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
0
};
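Review bot: `_mac_priority_secure192` now contains only `GNUTLS_MAC_AEAD`, so SECURE192 can no longer negotiate any CBC/HMAC ciphersuite at all, whereas SECURE128 still keeps HMAC-SHA1; that is a larger behavioral step than "removed from defaults" suggests and is worth a comment and a NEWS entry. I would put `/* No HMAC qualifies at the 192-bit level; only AEAD suites are offered. */` above the table. The `mac_priority_secure192` pointer definition that presumably follows this table is outside the hunk.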
Index: gnutls-3.6.2/tests/priorities.c
===================================================================
--- gnutls-3.6.2.orig/tests/priorities.c 2018-02-12 08:06:04.000000000 +0100
+++ gnutls-3.6.2/tests/priorities.c 2018-09-03 14:45:15.890897556 +0200
@@ -94,19 +94,19 @@ try_prio(const char *prio, unsigned expe
void doit(void)
{
- const int null = 4;
- int sec128_cs = 53;
- int sec256_cs = 22;
- int normal_cs = 53;
+ const int null = 3;
+ int sec128_cs = 37;
+ int sec256_cs = 14;
+ int normal_cs = 37;
int normal_ciphers = 11;
- int pfs_cs = 39;
+ int pfs_cs = 27;
if (gnutls_fips140_mode_enabled()) {
- normal_cs = 30;
+ normal_cs = 24;
normal_ciphers = 6;
pfs_cs = 22;
- sec256_cs = 11;
- sec128_cs = 30;
+ sec256_cs = 9;
+ sec128_cs = 24;
}
try_prio("NORMAL", normal_cs, normal_ciphers, __LINE__);
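Review bot: In the FIPS branch `pfs_cs = 22;` is left unchanged while `normal_cs`, `sec128_cs` and `sec256_cs` are all lowered, even though `mac_priority_normal_fips` loses the same two MACs in this patch; unless PFS under FIPS mode contains no HMAC-SHA256/384 suites, this looks like a stale expectation that only surfaces when the test is run with FIPS mode enabled, so it should be confirmed in that configuration. Separately, the expected counts are bare magic numbers; a one-line comment such as `/* suite counts after HMAC-SHA256/384 were dropped from the default MAC lists in lib/priority.c */` would make the next adjustment less error-prone. doit() continues past the end of the hunk.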
@@ -117,7 +117,7 @@ void doit(void)
try_prio("NORMAL:+CIPHER-ALL", normal_cs, 11, __LINE__); /* all (except null) */
try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1, __LINE__); /* null */
try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal_cs + null, 12, __LINE__); /* should be null + all */
- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 8, 1, __LINE__); /* should be null + all */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 4, 1, __LINE__); /* should be null + all */
}
try_prio("PERFORMANCE", normal_cs, normal_ciphers, __LINE__);
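Review bot: The trailing comment on the changed line, `/* should be null + all */`, is copied from the line above and does not describe this case, which after `-CIPHER-ALL:+AES-128-CBC` keeps only the AES-128-CBC suites (4 now that HMAC-SHA1 is the only non-AEAD MAC left in the defaults, presumably one per key exchange). Change it to `/* only AES-128-CBC suites (HMAC-SHA1) */`. The `}` that follows closes a block opened outside the hunk, and doit() continues beyond it.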
Index: gnutls-3.6.2/tests/dtls1-2-mtu-check.c
===================================================================
--- gnutls-3.6.2.orig/tests/dtls1-2-mtu-check.c 2018-02-12 08:06:04.000000000 +0100
+++ gnutls-3.6.2/tests/dtls1-2-mtu-check.c 2018-09-03 14:34:26.742547276 +0200
@@ -79,7 +79,7 @@ static void dtls_mtu_try(const char *nam
serverx509cred);
assert(gnutls_priority_set_direct(server,
- "NORMAL:+ANON-ECDH:+ANON-DH:+3DES-CBC:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519",
+ "NORMAL:+ANON-ECDH:+ANON-DH:+3DES-CBC:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+SHA256:+CURVE-X25519",
NULL) >= 0);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);