Your message dated Sat, 10 Nov 2018 10:42:56 +0000
with message-id <1541846576.3542.38.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.6
has caused the Debian Bug report #910445,
regarding stretch-pu: package gnutls28/3.5.8-5+deb9u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
910445: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910445
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hello,

I would like to fix CVE-2018-10844 and CVE-2018-10845 in stretch. Moritz
has brought this up. Neither of us has strong feelings whether it is
better to fix this via proposed-updates or via stretch-security. However,
proposed-updates probably gets more public testing, so we will try this
way.

Find attached the debdiff, which pulls the respective merge
tmp-gnutls_3_5_x-backport-record-pad-fixes (unfuzzed) from the gnutls_3.5.x
branch. The change is included in 3.5.19 (sid/buster).

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------

Files in first .changes but not in second
-----------------------------------------

Control files of package gnutls-bin: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package gnutls-bin-dbgsym: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Depends: gnutls-bin (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+}
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package gnutls-doc: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls-dane0: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libc6 (>= 
2.14), libunbound2 (>= 1.4.1)
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls-dane0-dbgsym: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Build-Ids: [-25228bbeb1c692f8764099a856ab8c9463f7c325-] 
{+1c399494f95f5e9ff28fcbd0243e96639fad69d3+}
Depends: libgnutls-dane0 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+}
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls-openssl27: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libc6 (>= 
2.14)
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------------
Build-Ids: [-baf0016a0105eb9eb689bd33997207d4a704386d-] 
{+51a6d9549543590e69584a2dd9df4e919cd62918+}
Depends: libgnutls-openssl27 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+}
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls28-dev: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} 
libgnutls-openssl27 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libgnutlsxx28 
(= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libgnutls-dane0 (= 
[-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} nettle-dev, libc6-dev | libc-dev, 
zlib1g-dev, libtasn1-6-dev, libp11-kit-dev, libidn11-dev (>= 1.31)
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls30: lines which differ (wdiff format)
-----------------------------------------------------------------------
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls30-dbgsym: lines which differ (wdiff format)
------------------------------------------------------------------------------
Build-Ids: [-07a8f58a7e4e32a36feee7511f728d5896439b13-] 
{+1c1bc93c559cfe2ebd1b5676fa4b355118edf38e+}
Depends: libgnutls30 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+}
Installed-Size: [-2880-] {+2882+}
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutlsxx28: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libc6 (>= 
2.4), libgcc1 (>= 1:3.0), libstdc++6 (>= 5)
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------
Build-Ids: [-a8a2ad066f20b10398a4047b4a5ac2032fdcc3d7-] 
{+f443a08baf0b78f1286c82e9d3e085c83734d37b+}
Depends: libgnutlsxx28 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+}
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

diff -Nru gnutls28-3.5.8/debian/changelog gnutls28-3.5.8/debian/changelog
--- gnutls28-3.5.8/debian/changelog     2017-07-23 14:28:37.000000000 +0200
+++ gnutls28-3.5.8/debian/changelog     2018-10-06 14:06:18.000000000 +0200
@@ -1,3 +1,14 @@
+gnutls28 (3.5.8-5+deb9u4) stretch; urgency=medium
+
+  * Pull fixes for CVE-2018-10844 and CVE-2018-10845 from gnutls 3.5.19
+    + 39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch
+    + 39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
+    + 39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
+    + 39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
+    + 39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch
+
+ -- Andreas Metzler <ametz...@debian.org>  Sat, 06 Oct 2018 14:06:18 +0200
+
 gnutls28 (3.5.8-5+deb9u3) stretch; urgency=medium
 
   * 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
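Review bot: the changelog entry lists the five patches but does not say that 39_04 changes user-visible behaviour: HMAC-SHA256 and HMAC-SHA384 CBC ciphersuites drop out of the NORMAL, SECURE128 and SECURE192 priority sets. For a stable point release that deserves a sentence here (or a NEWS entry) so administrators of peers that only offer those suites know why negotiation may start failing and that they can re-add them in the priority string, as the patched tests/dtls1-2-mtu-check.c does with `+SHA256`.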
diff -Nru 
gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch
 
gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch
--- 
gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch
      2018-10-06 13:53:23.000000000 +0200
@@ -0,0 +1,92 @@
+From e14d85eb8b1987d86f7b1d101a0e7795675d20d4 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@redhat.com>
+Date: Tue, 12 Jun 2018 14:22:52 +0200
+Subject: [PATCH 1/5] dummy_wait: correctly account the length field in SHA384
+ HMAC
+
+The existing lucky13 attack count-measures did not work correctly for
+SHA384 HMAC.
+
+The overall impact of that should not be significant as SHA384 is prioritized
+lower than SHA256 or SHA1 and thus it is not typically negotiated, unless a
+client prioritizes a SHA384 MAC, or a server only supports SHA384, and in both
+cases the vulnerability is only present if Encrypt-then-MAC (RFC7366) is 
unsupported
+by the peer.
+
+Relates #455
+
+Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com>
+---
+ lib/algorithms/mac.c |  4 ++--
+ lib/cipher.c         | 24 +++++++++++-------------
+ 2 files changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c
+index 0198e4a205..d345ddb712 100644
+--- a/lib/algorithms/mac.c
++++ b/lib/algorithms/mac.c
+@@ -37,9 +37,9 @@ static const mac_entry_st hash_algorithms[] = {
+       {"SHA256", HASH_OID_SHA256, MAC_OID_SHA256, GNUTLS_MAC_SHA256, 32, 32, 
0, 0, 1,
+        64},
+       {"SHA384", HASH_OID_SHA384, MAC_OID_SHA384, GNUTLS_MAC_SHA384, 48, 48, 
0, 0, 1,
+-       64},
++       128},
+       {"SHA512", HASH_OID_SHA512, MAC_OID_SHA512, GNUTLS_MAC_SHA512, 64, 64, 
0, 0, 1,
+-       64},
++       128},
+       {"SHA224", HASH_OID_SHA224, MAC_OID_SHA224, GNUTLS_MAC_SHA224, 28, 28, 
0, 0, 1,
+        64},
+       {"SHA3-256", HASH_OID_SHA3_256, NULL, GNUTLS_MAC_SHA3_256, 32, 32, 0, 
0, 1,
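Review bot: the block-size column for SHA384 and SHA512 goes from 64 to 128, which is their real compression-function block size, so the `_gnutls_mac_block_size()` arithmetic in dummy_wait now rounds to the right boundary for SHA384 HMAC. The table is shared, though, so every other caller of `_gnutls_mac_block_size()` sees the new value as well; worth a grep for those callers before upload, since the rest of this series only adjusts the pkcs12 test.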
+diff --git a/lib/cipher.c b/lib/cipher.c
+index 84f30637be..c675a64032 100644
+--- a/lib/cipher.c
++++ b/lib/cipher.c
+@@ -459,9 +459,10 @@ static void dummy_wait(record_parameters_st * params,
+                      gnutls_datum_t * plaintext, unsigned pad_failed,
+                      unsigned int pad, unsigned total)
+ {
+-      /* this hack is only needed on CBC ciphers */
++      /* this hack is only needed on CBC ciphers when Encrypt-then-MAC mode
++       * is not supported by the peer. */
+       if (_gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) {
+-              unsigned len;
++              unsigned len, v;
+ 
+               /* force an additional hash compression function evaluation to 
prevent timing 
+                * attacks that distinguish between wrong-mac + correct pad, 
from wrong-mac + incorrect pad.
+@@ -469,11 +470,14 @@ static void dummy_wait(record_parameters_st * params,
+               if (pad_failed == 0 && pad > 0) {
+                       len = _gnutls_mac_block_size(params->mac);
+                       if (len > 0) {
+-                              /* This is really specific to the current hash 
functions.
+-                               * It should be removed once a protocol fix is 
in place.
+-                               */
+-                              if ((pad + total) % len > len - 9
+-                                  && total % len <= len - 9) {
++                              if (params->mac && params->mac->id == 
GNUTLS_MAC_SHA384)
++                                      /* v = 1 for the hash function padding 
+ 16 for message length */
++                                      v = 17;
++                              else /* v = 1 for the hash function padding + 8 
for message length */
++                                      v = 9;
++
++                              if ((pad + total) % len > len - v
++                                  && total % len <= len - v) {
+                                       if (len < plaintext->size)
+                                               _gnutls_auth_cipher_add_auth
+                                                   (&params->read.
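Review bot: the `v = 17` branch is keyed on `params->mac->id == GNUTLS_MAC_SHA384` alone, so the 16-byte length field is chosen by MAC id rather than derived from the hash's block size. That is adequate because SHA384 is the only 128-byte-block hash among the TLS MACs, but a short comment saying so (or deriving `v` from `len == 128`) would stop the next reader from asking why SHA512, which gets the same block-size change in mac.c, is not handled here.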
+@@ -814,12 +818,6 @@ ciphertext_to_compressed(gnutls_session_t session,
+               if (unlikely(ret < 0))
+                       return gnutls_assert_val(ret);
+ 
+-              /* Here there could be a timing leakage in CBC ciphersuites that
+-               * could be exploited if the cost of a successful memcmp is 
high. 
+-               * A constant time memcmp would help there, but it is not easy 
to maintain
+-               * against compiler optimizations. Currently we rely on the 
fact that
+-               * a memcmp comparison is negligible over the crypto operations.
+-               */
+               if (unlikely
+                   (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed 
!= 0)) {
+                       /* HMAC was not the same. */
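Review bot: this hunk only deletes a stale comment; the comparison already goes through `gnutls_memcmp()` and nothing functional changes, so it is harmless to carry but could be dropped from the stable backport to keep the diff minimal.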
+-- 
+2.19.0
+
diff -Nru 
gnutls28-3.5.8/debian/patches/39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
 
gnutls28-3.5.8/debian/patches/39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
--- 
gnutls28-3.5.8/debian/patches/39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
gnutls28-3.5.8/debian/patches/39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
      2018-10-06 13:53:23.000000000 +0200
@@ -0,0 +1,107 @@
+From c2e094acd68f7159025b2e2556d6fb4427b41dd7 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@redhat.com>
+Date: Tue, 12 Jun 2018 14:27:57 +0200
+Subject: [PATCH 2/5] dummy_wait: always hash the same amount of blocks that
+ would have been on minimum pad
+
+This improves protection against lucky13-type of attacks when
+encrypt-then-mac is not in use.
+
+Resolves #456
+
+Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com>
+---
+ lib/cipher.c | 63 +++++++++++++++++++++++++++-------------------------
+ 1 file changed, 33 insertions(+), 30 deletions(-)
+
+diff --git a/lib/cipher.c b/lib/cipher.c
+index c675a64032..287f2e8c8a 100644
+--- a/lib/cipher.c
++++ b/lib/cipher.c
+@@ -455,41 +455,42 @@ compressed_to_ciphertext(gnutls_session_t session,
+       return length;
+ }
+ 
+-static void dummy_wait(record_parameters_st * params,
+-                     gnutls_datum_t * plaintext, unsigned pad_failed,
+-                     unsigned int pad, unsigned total)
++static void dummy_wait(record_parameters_st *params,
++                     gnutls_datum_t *plaintext,
++                     unsigned int mac_data, unsigned int max_mac_data)
+ {
+       /* this hack is only needed on CBC ciphers when Encrypt-then-MAC mode
+        * is not supported by the peer. */
+       if (_gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) {
+-              unsigned len, v;
++              unsigned v;
++              unsigned int tag_size =
++                  _gnutls_auth_cipher_tag_len(&params->read.cipher_state);
++              unsigned hash_block = _gnutls_mac_block_size(params->mac);
+ 
+-              /* force an additional hash compression function evaluation to 
prevent timing 
++              /* force additional hash compression function evaluations to 
prevent timing
+                * attacks that distinguish between wrong-mac + correct pad, 
from wrong-mac + incorrect pad.
+                */
+-              if (pad_failed == 0 && pad > 0) {
+-                      len = _gnutls_mac_block_size(params->mac);
+-                      if (len > 0) {
+-                              if (params->mac && params->mac->id == 
GNUTLS_MAC_SHA384)
+-                                      /* v = 1 for the hash function padding 
+ 16 for message length */
+-                                      v = 17;
+-                              else /* v = 1 for the hash function padding + 8 
for message length */
+-                                      v = 9;
+-
+-                              if ((pad + total) % len > len - v
+-                                  && total % len <= len - v) {
+-                                      if (len < plaintext->size)
+-                                              _gnutls_auth_cipher_add_auth
+-                                                  (&params->read.
+-                                                   cipher_state,
+-                                                   plaintext->data, len);
+-                                      else
+-                                              _gnutls_auth_cipher_add_auth
+-                                                  (&params->read.
+-                                                   cipher_state,
+-                                                   plaintext->data,
+-                                                   plaintext->size);
+-                              }
++              if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
++                      /* v = 1 for the hash function padding + 16 for message 
length */
++                      v = 17;
++              else /* v = 1 for the hash function padding + 8 for message 
length */
++                      v = 9;
++
++              if (hash_block > 0) {
++                      int max_blocks = 
(max_mac_data+v+hash_block-1)/hash_block;
++                      int hashed_blocks = 
(mac_data+v+hash_block-1)/hash_block;
++                      unsigned to_hash;
++
++                      max_blocks -= hashed_blocks;
++                      if (max_blocks < 1)
++                              return;
++
++                      to_hash = max_blocks * hash_block;
++                      if ((unsigned)to_hash+1+tag_size < plaintext->size) {
++                              _gnutls_auth_cipher_add_auth
++                                          (&params->read.cipher_state,
++                                           
plaintext->data+plaintext->size-tag_size-to_hash-1,
++                                           to_hash);
+                       }
+               }
+       }
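Review bot: `max_blocks` and `hashed_blocks` are `int` while `max_mac_data`, `mac_data`, `v` and `hash_block` are all unsigned, so the `max_blocks -= hashed_blocks; if (max_blocks < 1) return;` guard depends on the unsigned divisions being stored back into int; declaring both as unsigned and testing `hashed_blocks >= max_blocks` would make the intent explicit. The check `(unsigned)to_hash+1+tag_size < plaintext->size` before the pointer arithmetic on `plaintext->data+plaintext->size-tag_size-to_hash-1` is what keeps the read inside the buffer for short records, and deserves a one-line comment, since it is the function's only bounds check. Dropping `pad_failed` from the signature also means the extra compression rounds now run on every MAC failure, which is the behaviour the subject line describes.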
+@@ -821,8 +822,10 @@ ciphertext_to_compressed(gnutls_session_t session,
+               if (unlikely
+                   (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed 
!= 0)) {
+                       /* HMAC was not the same. */
+-                      dummy_wait(params, compressed, pad_failed, pad,
+-                                 length + preamble_size);
++                      gnutls_datum_t data = {compressed->data, 
ciphertext->size};
++
++                      dummy_wait(params, &data, length + preamble_size,
++                                 preamble_size + ciphertext->size - tag_size 
- 1);
+ 
+                       return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
+               }
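Review bot: the `data` datum pairs `compressed->data` with `ciphertext->size`, so dummy_wait may read up to `ciphertext->size` bytes from the compressed buffer; that is only valid if the decrypted record was written to `compressed` with the full ciphertext length, which nothing inside dummy_wait can verify. A comment at this call site stating that invariant would help. `max_mac_data` is `preamble_size + ciphertext->size - tag_size - 1`, i.e. the MAC input length for the minimum one-byte padding, which matches the "same amount of blocks that would have been on minimum pad" goal.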
+-- 
+2.19.0
+
diff -Nru 
gnutls28-3.5.8/debian/patches/39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
 
gnutls28-3.5.8/debian/patches/39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
--- 
gnutls28-3.5.8/debian/patches/39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
gnutls28-3.5.8/debian/patches/39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
       2018-10-06 13:53:23.000000000 +0200
@@ -0,0 +1,39 @@
+From 62a39773e9d0c4a686a3d8d2b6cca32f82c26cd7 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@redhat.com>
+Date: Tue, 12 Jun 2018 14:29:57 +0200
+Subject: [PATCH 3/5] cbc_mac_verify: require minimum padding under SSL3.0
+
+Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com>
+---
+ lib/cipher.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cipher.c b/lib/cipher.c
+index 287f2e8c8a..8e7bd8227d 100644
+--- a/lib/cipher.c
++++ b/lib/cipher.c
+@@ -747,8 +747,12 @@ ciphertext_to_compressed(gnutls_session_t session,
+                        * because there is a timing channel in that memory 
access (in certain CPUs).
+                        */
+ #ifdef ENABLE_SSL3
+-                      if (ver->id != GNUTLS_SSL3)
++                      if (ver->id == GNUTLS_SSL3) {
++                              if (pad >= blocksize)
++                                      pad_failed = 1;
++                      } else
+ #endif
++                      {
+                               for (i = 2; i <= MIN(256, ciphertext->size); 
i++) {
+                                       tmp_pad_failed |=
+                                           (compressed->
+@@ -756,6 +760,7 @@ ciphertext_to_compressed(gnutls_session_t session,
+                                       pad_failed |=
+                                           ((i <= (1 + pad)) & 
(tmp_pad_failed));
+                               }
++                      }
+ 
+                       if (unlikely
+                           (pad_failed != 0
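Review bot: the brace pairing in this hunk spans the `#endif`: with ENABLE_SSL3 defined the new `} else` is followed by the `{` below the `#endif`, and without it the same lines collapse to a bare `{ for ... }` block. It compiles either way, but a comment on the `#endif` line (or moving the `{` into both arms) would make the structure obvious. The `pad >= blocksize` test itself is the right SSL 3.0 check, since SSL 3.0 only constrains the padding length and not its content, so the TLS byte-by-byte loop cannot be applied there.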
+-- 
+2.19.0
+
diff -Nru 
gnutls28-3.5.8/debian/patches/39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
 
gnutls28-3.5.8/debian/patches/39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
--- 
gnutls28-3.5.8/debian/patches/39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
gnutls28-3.5.8/debian/patches/39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
      2018-10-06 13:53:23.000000000 +0200
@@ -0,0 +1,101 @@
+From c433cdf92349afae66c703bdacedf987f423605e Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@redhat.com>
+Date: Tue, 12 Jun 2018 14:31:40 +0200
+Subject: [PATCH 4/5] hmac-sha384 and sha256 ciphersuites were removed from
+ defaults
+
+These ciphersuites are deprecated since the introduction of AEAD
+ciphersuites, and are only necessary for compatibility with older
+servers. Since older servers already support hmac-sha1 there is
+no reason to keep these ciphersuites enabled by default, as they
+increase our attack surface.
+
+Relates #456
+
+## Unfuzzed for Debian 3.5.8.
+
+Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com>
+---
+ lib/priority.c            |  8 --------
+ tests/dtls1-2-mtu-check.c |  2 +-
+ tests/priorities.c        | 12 ++++++------
+ 3 files changed, 7 insertions(+), 15 deletions(-)
+
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -417,8 +417,6 @@ static const int* sign_priority_secure19
+ 
+ static const int mac_priority_normal_default[] = {
+       GNUTLS_MAC_SHA1,
+-      GNUTLS_MAC_SHA256,
+-      GNUTLS_MAC_SHA384,
+       GNUTLS_MAC_AEAD,
+       GNUTLS_MAC_MD5,
+       0
+@@ -426,8 +424,6 @@ static const int mac_priority_normal_def
+ 
+ static const int mac_priority_normal_fips[] = {
+       GNUTLS_MAC_SHA1,
+-      GNUTLS_MAC_SHA256,
+-      GNUTLS_MAC_SHA384,
+       GNUTLS_MAC_AEAD,
+       0
+ };
+@@ -461,16 +457,12 @@ static const int* mac_priority_suiteb =
+ 
+ static const int _mac_priority_secure128[] = {
+       GNUTLS_MAC_SHA1,
+-      GNUTLS_MAC_SHA256,
+-      GNUTLS_MAC_SHA384,
+       GNUTLS_MAC_AEAD,
+       0
+ };
+ static const int* mac_priority_secure128 = _mac_priority_secure128;
+ 
+ static const int _mac_priority_secure192[] = {
+-      GNUTLS_MAC_SHA256,
+-      GNUTLS_MAC_SHA384,
+       GNUTLS_MAC_AEAD,
+       0
+ };
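Review bot: removing GNUTLS_MAC_SHA256 and GNUTLS_MAC_SHA384 from mac_priority_normal_default, mac_priority_normal_fips, _mac_priority_secure128 and _mac_priority_secure192 is a defaults change rather than a bug fix, and in a stable update it can break interoperability with peers that only offer HMAC-SHA256/SHA384 CBC suites (the dtls1-2-mtu-check.c test below had to add `+SHA256` for exactly that reason). The commit message justifies it as reducing the CBC attack surface while the Lucky13 mitigations are being patched, but the backport should state this in debian/changelog or NEWS together with the priority-string override.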
+--- a/tests/dtls1-2-mtu-check.c
++++ b/tests/dtls1-2-mtu-check.c
+@@ -79,7 +79,7 @@ static void dtls_mtu_try(const char *nam
+                               serverx509cred);
+ 
+       assert(gnutls_priority_set_direct(server,
+-                                 
"NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519",
++                                 
"NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SHA256",
+                                  NULL) >= 0);
+       gnutls_transport_set_push_function(server, server_push);
+       gnutls_transport_set_pull_function(server, server_pull);
+--- a/tests/priorities.c
++++ b/tests/priorities.c
+@@ -93,21 +93,21 @@ try_prio(const char *prio, unsigned expe
+ 
+ void doit(void)
+ {
+-      const int normal = 57;
+-      const int null = 5;
+-      const int sec128 = 53;
++      const int normal = 41;
++      const int null = 4;
++      const int sec128 = 37;
+ 
+-      try_prio("PFS", 42, 12, __LINE__);
++      try_prio("PFS", 30, 12, __LINE__);
+       try_prio("NORMAL", normal, 12, __LINE__);
+       try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 12, __LINE__);
+ #ifndef ENABLE_FIPS140
+       try_prio("NORMAL:+CIPHER-ALL", normal, 12, __LINE__);   /* all (except 
null) */
+       try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1, __LINE__);        /* null 
*/
+       try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 13, 
__LINE__);  /* should be null + all */
+-      
try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 8, 1, 
__LINE__);      /* should be null + all */
++      
try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 4, 1, 
__LINE__);      /* should be null + all */
+ #endif
+       try_prio("PERFORMANCE", normal, 12, __LINE__);
+-      try_prio("SECURE256", 22, 6, __LINE__);
++      try_prio("SECURE256", 14, 6, __LINE__);
+       try_prio("SECURE128", sec128, 11, __LINE__);
+       try_prio("SECURE128:+SECURE256", sec128, 11, __LINE__); /* should be 
the same as SECURE128 */
+       try_prio("SECURE128:+SECURE256:+NORMAL", normal, 12, __LINE__); /* 
should be the same as NORMAL */
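Review bot: the updated ciphersuite counts (normal 57 to 41, sec128 53 to 37, PFS 42 to 30, SECURE256 22 to 14, null 5 to 4) are hard-coded expectations taken from the 3.5.19 suite table; since this patch is marked "Unfuzzed for Debian 3.5.8", tests/priorities.c should be run in a stretch build to confirm the 3.5.8 table yields the same counts, otherwise the test suite will fail and block the build.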
diff -Nru 
gnutls28-3.5.8/debian/patches/39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch
 
gnutls28-3.5.8/debian/patches/39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch
--- 
gnutls28-3.5.8/debian/patches/39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
gnutls28-3.5.8/debian/patches/39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch
   2018-10-06 13:53:23.000000000 +0200
@@ -0,0 +1,38 @@
+From 9fdd24d53c84cc68dac1be28f8b1436e424ce1f1 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@redhat.com>
+Date: Wed, 13 Jun 2018 12:55:02 +0200
+Subject: [PATCH 5/5] tests: pkcs12_encode: fix test for SHA512
+
+We don't support SHA512 in the 3.5.x branch.
+
+Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com>
+---
+ tests/pkcs12_encode.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
+index 46c5092e49..e45755789b 100644
+--- a/tests/pkcs12_encode.c
++++ b/tests/pkcs12_encode.c
+@@ -220,18 +220,6 @@ void doit(void)
+               exit(1);
+       }
+ 
+-      ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA512, "passwd1");
+-      if (ret < 0) {
+-              fprintf(stderr, "generate_mac2: %s (%d)\n", 
gnutls_strerror(ret), ret);
+-              exit(1);
+-      }
+-
+-      ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd1");
+-      if (ret < 0) {
+-              fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), 
ret);
+-              exit(1);
+-      }
+-
+       size = sizeof(outbuf);
+       ret =
+           gnutls_pkcs12_export(pkcs12, GNUTLS_X509_FMT_PEM, outbuf,
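Review bot: deleting the SHA512 `gnutls_pkcs12_generate_mac2`/`gnutls_pkcs12_verify_mac` round-trip is consistent with the commit message that the 3.5.x branch has no SHA512 support for the PKCS#12 MAC, and because only a test changes there is no runtime risk; note, however, that this leaves the SHA512 block-size change in 39_01 without any test coverage in this series.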
+-- 
+2.19.0
+
diff -Nru gnutls28-3.5.8/debian/patches/series 
gnutls28-3.5.8/debian/patches/series
--- gnutls28-3.5.8/debian/patches/series        2017-07-23 13:50:20.000000000 
+0200
+++ gnutls28-3.5.8/debian/patches/series        2018-10-06 13:53:23.000000000 
+0200
@@ -15,3 +15,8 @@
 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch
 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
 38_02-OCSP-find_signercert-improved-DER-length-calculation.patch
+39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch
+39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
+39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
+39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
+39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch



--- End Message ---
--- Begin Message ---
Version: 9.6

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
