Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hello,

I would like to fix CVE-2018-10844 and CVE-2018-10845 in stretch. Moritz has brought this up. Neither of us has strong feelings whether it is better to fix this via proposed-updates or via stretch-security. However, proposed-updates probably gets more public testing, so we will try this way.

Find attached the debdiff, which pulls the respective merge tmp-gnutls_3_5_x-backport-record-pad-fixes (unfuzzed) from the gnutls_3.5.x branch. The change is included in 3.5.19 (sid/buster).

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
Control files of package gnutls-bin: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package gnutls-bin-dbgsym: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Build-Ids: [-56b071cc5cdbf3379e2fbd90ef0cd5220c2f5184 62b6624925c412cac109e9da7365741013909148 82fd500760efeffc6ab6218382df366b21e45cd7 95ecbc8c0bed5fb3f85263c86ab04236c62074e9 a79a2015b873e022124d9315238ad03a4402bdf9 aed5f6101feccff8bc000ecacbba48fec06e8287 b46e61051b2031f71073e6c0ea4bb76107f34ea9 b9f0527947a73e0ec453baca3986a122b8a74777 f280a75bf8875888acc5b3c2f9a99496ade949c4-] {+0edf33e82a82671f7e361a8ffa83b02400337604 1db976be2d75d79dfd97e68dba3ee84babe5a3cc 64414524cec63b3a8334146aa0c4dab71fae4080 6f0012f94a9f80ef7e652dacc713347841f66907 98eef0a29dcce526336be09fbbb0eccb3ece9f17 a5c92e78a7d0a175b524703387c994518830abfa ad42bf08cf713e4a18ed1dd04dcc200a1cdafe94 c0cf4951b3020f4fdf0b30c32934e922348e3660 f7a745a4765a1efbfc31d0e21d0b5aca9aa2c5b1+}
Depends: gnutls-bin (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+}
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package gnutls-doc: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls-dane0: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libc6 (>= 2.14), libunbound2 (>= 1.4.1)
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls-dane0-dbgsym: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Build-Ids: [-25228bbeb1c692f8764099a856ab8c9463f7c325-] {+1c399494f95f5e9ff28fcbd0243e96639fad69d3+}
Depends: libgnutls-dane0 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+}
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls-openssl27: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libc6 (>= 2.14)
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format)
--------------------------------------------------------------------------------------
Build-Ids: [-baf0016a0105eb9eb689bd33997207d4a704386d-] {+51a6d9549543590e69584a2dd9df4e919cd62918+}
Depends: libgnutls-openssl27 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+}
Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+}

Control files of package libgnutls28-dev: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libgnutls-openssl27 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libgnutlsxx28 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libgnutls-dane0 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} nettle-dev, libc6-dev | libc-dev, zlib1g-dev, libtasn1-6-dev, libp11-kit-dev, libidn11-dev
(>= 1.31) Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+} Control files of package libgnutls30: lines which differ (wdiff format) ----------------------------------------------------------------------- Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+} Control files of package libgnutls30-dbgsym: lines which differ (wdiff format) ------------------------------------------------------------------------------ Build-Ids: [-07a8f58a7e4e32a36feee7511f728d5896439b13-] {+1c1bc93c559cfe2ebd1b5676fa4b355118edf38e+} Depends: libgnutls30 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+} Installed-Size: [-2880-] {+2882+} Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+} Control files of package libgnutlsxx28: lines which differ (wdiff format) ------------------------------------------------------------------------- Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libc6 (>= 2.4), libgcc1 (>= 1:3.0), libstdc++6 (>= 5) Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+} Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format) -------------------------------------------------------------------------------- Build-Ids: [-a8a2ad066f20b10398a4047b4a5ac2032fdcc3d7-] {+f443a08baf0b78f1286c82e9d3e085c83734d37b+} Depends: libgnutlsxx28 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+} Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+} diff -Nru gnutls28-3.5.8/debian/changelog gnutls28-3.5.8/debian/changelog --- gnutls28-3.5.8/debian/changelog 2017-07-23 14:28:37.000000000 +0200 +++ gnutls28-3.5.8/debian/changelog 2018-10-06 14:06:18.000000000 +0200 
@@ -1,3 +1,14 @@ +gnutls28 (3.5.8-5+deb9u4) stretch; urgency=medium + + * Pull fixes for CVE-2018-10844 and CVE-2018-10845 from gnutls 3.5.19 + + 39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch + + 39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch + + 39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch + + 39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch + + 39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch + + -- Andreas Metzler <ametz...@debian.org> Sat, 06 Oct 2018 14:06:18 +0200 + gnutls28 (3.5.8-5+deb9u3) stretch; urgency=medium * 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch diff -Nru gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch --- gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch 2018-10-06 13:53:23.000000000 +0200 
@@ -0,0 +1,92 @@ +From e14d85eb8b1987d86f7b1d101a0e7795675d20d4 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Tue, 12 Jun 2018 14:22:52 +0200 +Subject: [PATCH 1/5] dummy_wait: correctly account the length field in SHA384 + HMAC + +The existing lucky13 attack count-measures did not work correctly for +SHA384 HMAC. + +The overall impact of that should not be significant as SHA384 is prioritized +lower than SHA256 or SHA1 and thus it is not typically negotiated, unless a +client prioritizes a SHA384 MAC, or a server only supports SHA384, and in both +cases the vulnerability is only present if Encrypt-then-MAC (RFC7366) is unsupported +by the peer. + +Relates #455 + +Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com> +--- + lib/algorithms/mac.c | 4 ++-- + lib/cipher.c | 24 +++++++++++------------- + 2 files changed, 13 insertions(+), 15 deletions(-) + +diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c +index 0198e4a205..d345ddb712 100644 +--- a/lib/algorithms/mac.c ++++ b/lib/algorithms/mac.c +@@ -37,9 +37,9 @@ static const mac_entry_st hash_algorithms[] = { + {"SHA256", HASH_OID_SHA256, MAC_OID_SHA256, GNUTLS_MAC_SHA256, 32, 32, 0, 0, 1, + 64}, + {"SHA384", HASH_OID_SHA384, MAC_OID_SHA384, GNUTLS_MAC_SHA384, 48, 48, 0, 0, 1, +- 64}, ++ 128}, + {"SHA512", HASH_OID_SHA512, MAC_OID_SHA512, GNUTLS_MAC_SHA512, 64, 64, 0, 0, 1, +- 64}, ++ 128}, + {"SHA224", HASH_OID_SHA224, MAC_OID_SHA224, GNUTLS_MAC_SHA224, 28, 28, 0, 0, 1, + 64}, + {"SHA3-256", HASH_OID_SHA3_256, NULL, GNUTLS_MAC_SHA3_256, 32, 32, 0, 0, 1, +diff --git a/lib/cipher.c b/lib/cipher.c +index 84f30637be..c675a64032 100644 +--- a/lib/cipher.c ++++ b/lib/cipher.c +@@ -459,9 +459,10 @@ static void dummy_wait(record_parameters_st * params, + gnutls_datum_t * plaintext, unsigned pad_failed, + unsigned int pad, unsigned total) + { +- /* this hack is only needed on CBC ciphers */ ++ /* this hack is only needed on CBC ciphers when Encrypt-then-MAC mode ++ * is not 
supported by the peer. */ + if (_gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) { +- unsigned len; ++ unsigned len, v; + + /* force an additional hash compression function evaluation to prevent timing + * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad. +@@ -469,11 +470,14 @@ static void dummy_wait(record_parameters_st * params, + if (pad_failed == 0 && pad > 0) { + len = _gnutls_mac_block_size(params->mac); + if (len > 0) { +- /* This is really specific to the current hash functions. +- * It should be removed once a protocol fix is in place. +- */ +- if ((pad + total) % len > len - 9 +- && total % len <= len - 9) { ++ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384) ++ /* v = 1 for the hash function padding + 16 for message length */ ++ v = 17; ++ else /* v = 1 for the hash function padding + 8 for message length */ ++ v = 9; ++ ++ if ((pad + total) % len > len - v ++ && total % len <= len - v) { + if (len < plaintext->size) + _gnutls_auth_cipher_add_auth + (¶ms->read. +@@ -814,12 +818,6 @@ ciphertext_to_compressed(gnutls_session_t session, + if (unlikely(ret < 0)) + return gnutls_assert_val(ret); + +- /* Here there could be a timing leakage in CBC ciphersuites that +- * could be exploited if the cost of a successful memcmp is high. +- * A constant time memcmp would help there, but it is not easy to maintain +- * against compiler optimizations. Currently we rely on the fact that +- * a memcmp comparison is negligible over the crypto operations. +- */ + if (unlikely + (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) { + /* HMAC was not the same. 
*/ +-- +2.19.0 + diff -Nru gnutls28-3.5.8/debian/patches/39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch gnutls28-3.5.8/debian/patches/39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch --- gnutls28-3.5.8/debian/patches/39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.5.8/debian/patches/39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch 2018-10-06 13:53:23.000000000 +0200 
@@ -0,0 +1,107 @@ +From c2e094acd68f7159025b2e2556d6fb4427b41dd7 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Tue, 12 Jun 2018 14:27:57 +0200 +Subject: [PATCH 2/5] dummy_wait: always hash the same amount of blocks that + would have been on minimum pad + +This improves protection against lucky13-type of attacks when +encrypt-then-mac is not in use. + +Resolves #456 + +Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com> +--- + lib/cipher.c | 63 +++++++++++++++++++++++++++------------------------- + 1 file changed, 33 insertions(+), 30 deletions(-) + +diff --git a/lib/cipher.c b/lib/cipher.c +index c675a64032..287f2e8c8a 100644 +--- a/lib/cipher.c ++++ b/lib/cipher.c +@@ -455,41 +455,42 @@ compressed_to_ciphertext(gnutls_session_t session, + return length; + } + +-static void dummy_wait(record_parameters_st * params, +- gnutls_datum_t * plaintext, unsigned pad_failed, +- unsigned int pad, unsigned total) ++static void dummy_wait(record_parameters_st *params, ++ gnutls_datum_t *plaintext, ++ unsigned int mac_data, unsigned int max_mac_data) + { + /* this hack is only needed on CBC ciphers when Encrypt-then-MAC mode + * is not supported by the peer. */ + if (_gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) { +- unsigned len, v; ++ unsigned v; ++ unsigned int tag_size = ++ _gnutls_auth_cipher_tag_len(¶ms->read.cipher_state); ++ unsigned hash_block = _gnutls_mac_block_size(params->mac); + +- /* force an additional hash compression function evaluation to prevent timing ++ /* force additional hash compression function evaluations to prevent timing + * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad. 
+ */ +- if (pad_failed == 0 && pad > 0) { +- len = _gnutls_mac_block_size(params->mac); +- if (len > 0) { +- if (params->mac && params->mac->id == GNUTLS_MAC_SHA384) +- /* v = 1 for the hash function padding + 16 for message length */ +- v = 17; +- else /* v = 1 for the hash function padding + 8 for message length */ +- v = 9; +- +- if ((pad + total) % len > len - v +- && total % len <= len - v) { +- if (len < plaintext->size) +- _gnutls_auth_cipher_add_auth +- (¶ms->read. +- cipher_state, +- plaintext->data, len); +- else +- _gnutls_auth_cipher_add_auth +- (¶ms->read. +- cipher_state, +- plaintext->data, +- plaintext->size); +- } ++ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384) ++ /* v = 1 for the hash function padding + 16 for message length */ ++ v = 17; ++ else /* v = 1 for the hash function padding + 8 for message length */ ++ v = 9; ++ ++ if (hash_block > 0) { ++ int max_blocks = (max_mac_data+v+hash_block-1)/hash_block; ++ int hashed_blocks = (mac_data+v+hash_block-1)/hash_block; ++ unsigned to_hash; ++ ++ max_blocks -= hashed_blocks; ++ if (max_blocks < 1) ++ return; ++ ++ to_hash = max_blocks * hash_block; ++ if ((unsigned)to_hash+1+tag_size < plaintext->size) { ++ _gnutls_auth_cipher_add_auth ++ (¶ms->read.cipher_state, ++ plaintext->data+plaintext->size-tag_size-to_hash-1, ++ to_hash); + } + } + } +@@ -821,8 +822,10 @@ ciphertext_to_compressed(gnutls_session_t session, + if (unlikely + (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) { + /* HMAC was not the same. 
*/ +- dummy_wait(params, compressed, pad_failed, pad, +- length + preamble_size); ++ gnutls_datum_t data = {compressed->data, ciphertext->size}; ++ ++ dummy_wait(params, &data, length + preamble_size, ++ preamble_size + ciphertext->size - tag_size - 1); + + return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); + } +-- +2.19.0 + diff -Nru gnutls28-3.5.8/debian/patches/39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch gnutls28-3.5.8/debian/patches/39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch --- gnutls28-3.5.8/debian/patches/39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.5.8/debian/patches/39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch 2018-10-06 13:53:23.000000000 +0200 
@@ -0,0 +1,39 @@ +From 62a39773e9d0c4a686a3d8d2b6cca32f82c26cd7 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Tue, 12 Jun 2018 14:29:57 +0200 +Subject: [PATCH 3/5] cbc_mac_verify: require minimum padding under SSL3.0 + +Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com> +--- + lib/cipher.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/cipher.c b/lib/cipher.c +index 287f2e8c8a..8e7bd8227d 100644 +--- a/lib/cipher.c ++++ b/lib/cipher.c +@@ -747,8 +747,12 @@ ciphertext_to_compressed(gnutls_session_t session, + * because there is a timing channel in that memory access (in certain CPUs). + */ + #ifdef ENABLE_SSL3 +- if (ver->id != GNUTLS_SSL3) ++ if (ver->id == GNUTLS_SSL3) { ++ if (pad >= blocksize) ++ pad_failed = 1; ++ } else + #endif ++ { + for (i = 2; i <= MIN(256, ciphertext->size); i++) { + tmp_pad_failed |= + (compressed-> +@@ -756,6 +760,7 @@ ciphertext_to_compressed(gnutls_session_t session, + pad_failed |= + ((i <= (1 + pad)) & (tmp_pad_failed)); + } ++ } + + if (unlikely + (pad_failed != 0 +-- +2.19.0 + diff -Nru gnutls28-3.5.8/debian/patches/39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch gnutls28-3.5.8/debian/patches/39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch --- gnutls28-3.5.8/debian/patches/39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.5.8/debian/patches/39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch 2018-10-06 13:53:23.000000000 +0200 
@@ -0,0 +1,101 @@ +From c433cdf92349afae66c703bdacedf987f423605e Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Tue, 12 Jun 2018 14:31:40 +0200 +Subject: [PATCH 4/5] hmac-sha384 and sha256 ciphersuites were removed from + defaults + +These ciphersuites are deprecated since the introduction of AEAD +ciphersuites, and are only necessary for compatibility with older +servers. Since older servers already support hmac-sha1 there is +no reason to keep these ciphersuites enabled by default, as they +increase our attack surface. + +Relates #456 + +## Unfuzzed for Debian 3.5.8. + +Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com> +--- + lib/priority.c | 8 -------- + tests/dtls1-2-mtu-check.c | 2 +- + tests/priorities.c | 12 ++++++------ + 3 files changed, 7 insertions(+), 15 deletions(-) + +--- a/lib/priority.c ++++ b/lib/priority.c +@@ -417,8 +417,6 @@ static const int* sign_priority_secure19 + + static const int mac_priority_normal_default[] = { + GNUTLS_MAC_SHA1, +- GNUTLS_MAC_SHA256, +- GNUTLS_MAC_SHA384, + GNUTLS_MAC_AEAD, + GNUTLS_MAC_MD5, + 0 +@@ -426,8 +424,6 @@ static const int mac_priority_normal_def + + static const int mac_priority_normal_fips[] = { + GNUTLS_MAC_SHA1, +- GNUTLS_MAC_SHA256, +- GNUTLS_MAC_SHA384, + GNUTLS_MAC_AEAD, + 0 + }; +@@ -461,16 +457,12 @@ static const int* mac_priority_suiteb = + + static const int _mac_priority_secure128[] = { + GNUTLS_MAC_SHA1, +- GNUTLS_MAC_SHA256, +- GNUTLS_MAC_SHA384, + GNUTLS_MAC_AEAD, + 0 + }; + static const int* mac_priority_secure128 = _mac_priority_secure128; + + static const int _mac_priority_secure192[] = { +- GNUTLS_MAC_SHA256, +- GNUTLS_MAC_SHA384, + GNUTLS_MAC_AEAD, + 0 + }; +--- a/tests/dtls1-2-mtu-check.c ++++ b/tests/dtls1-2-mtu-check.c +@@ -79,7 +79,7 @@ static void dtls_mtu_try(const char *nam + serverx509cred); + + assert(gnutls_priority_set_direct(server, +- "NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519", ++ 
"NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SHA256", + NULL) >= 0); + gnutls_transport_set_push_function(server, server_push); + gnutls_transport_set_pull_function(server, server_pull); +--- a/tests/priorities.c ++++ b/tests/priorities.c +@@ -93,21 +93,21 @@ try_prio(const char *prio, unsigned expe + + void doit(void) + { +- const int normal = 57; +- const int null = 5; +- const int sec128 = 53; ++ const int normal = 41; ++ const int null = 4; ++ const int sec128 = 37; + +- try_prio("PFS", 42, 12, __LINE__); ++ try_prio("PFS", 30, 12, __LINE__); + try_prio("NORMAL", normal, 12, __LINE__); + try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 12, __LINE__); + #ifndef ENABLE_FIPS140 + try_prio("NORMAL:+CIPHER-ALL", normal, 12, __LINE__); /* all (except null) */ + try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1, __LINE__); /* null */ + try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 13, __LINE__); /* should be null + all */ +- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 8, 1, __LINE__); /* should be null + all */ ++ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 4, 1, __LINE__); /* should be null + all */ + #endif + try_prio("PERFORMANCE", normal, 12, __LINE__); +- try_prio("SECURE256", 22, 6, __LINE__); ++ try_prio("SECURE256", 14, 6, __LINE__); + try_prio("SECURE128", sec128, 11, __LINE__); + try_prio("SECURE128:+SECURE256", sec128, 11, __LINE__); /* should be the same as SECURE128 */ + try_prio("SECURE128:+SECURE256:+NORMAL", normal, 12, __LINE__); /* should be the same as NORMAL */ diff -Nru gnutls28-3.5.8/debian/patches/39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch gnutls28-3.5.8/debian/patches/39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch --- gnutls28-3.5.8/debian/patches/39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.5.8/debian/patches/39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch 
2018-10-06 13:53:23.000000000 +0200 @@ -0,0 +1,38 @@ +From 9fdd24d53c84cc68dac1be28f8b1436e424ce1f1 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Wed, 13 Jun 2018 12:55:02 +0200 +Subject: [PATCH 5/5] tests: pkcs12_encode: fix test for SHA512 + +We don't support SHA512 in the 3.5.x branch. + +Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com> +--- + tests/pkcs12_encode.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c +index 46c5092e49..e45755789b 100644 +--- a/tests/pkcs12_encode.c ++++ b/tests/pkcs12_encode.c +@@ -220,18 +220,6 @@ void doit(void) + exit(1); + } + +- ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA512, "passwd1"); +- if (ret < 0) { +- fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret); +- exit(1); +- } +- +- ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd1"); +- if (ret < 0) { +- fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret); +- exit(1); +- } +- + size = sizeof(outbuf); + ret = + gnutls_pkcs12_export(pkcs12, GNUTLS_X509_FMT_PEM, outbuf, +-- +2.19.0 + diff -Nru gnutls28-3.5.8/debian/patches/series gnutls28-3.5.8/debian/patches/series --- gnutls28-3.5.8/debian/patches/series 2017-07-23 13:50:20.000000000 +0200 +++ gnutls28-3.5.8/debian/patches/series 2018-10-06 13:53:23.000000000 +0200 @@ -15,3 +15,8 @@ 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch 38_02-OCSP-find_signercert-improved-DER-length-calculation.patch +39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch +39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch +39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch +39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch +39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch
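Review bot: the debian/changelog hunk for 3.5.8-5+deb9u4 lists the five 39_0x patches but does not say that 39_04 changes runtime behaviour by dropping GNUTLS_MAC_SHA256 and GNUTLS_MAC_SHA384 from the NORMAL, FIPS, SECURE128 and SECURE192 default MAC priorities; for a stable update that interoperability change deserves its own changelog line (or a NEWS entry) so administrators whose peers only offer HMAC-SHA256/SHA384 CBC suites know why negotiation now fails unless they add `+SHA256` or `+SHA384` to their priority string, exactly as tests/dtls1-2-mtu-check.c has to do in the same patch.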
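Review bot: in the 39_01 lib/algorithms/mac.c hunk the SHA384 and SHA512 entries both get a 128-byte block size (correct for the SHA-512 family), but the companion lib/cipher.c hunk keys the 16-byte length-field allowance on `params->mac->id == GNUTLS_MAC_SHA384` alone, and 39_02 carries that test over unchanged; deriving the allowance from the block size that was just fixed, e.g. `v = (len == 128) ? 17 : 9;`, would cover SHA512 too and stop the two tables from drifting apart.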
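Review bot: in the 39_02 dummy_wait hunk the compensating hashing is skipped entirely when `(unsigned)to_hash+1+tag_size < plaintext->size` does not hold, so for short records (where `to_hash` rounds up to a whole hash block larger than the payload) the function does no extra work and the timing gap it is meant to close remains; clamping `to_hash` to the bytes available (`plaintext->size - tag_size - 1`) and still calling `_gnutls_auth_cipher_add_auth` would be safer than falling through silently. Also, `max_blocks` and `hashed_blocks` are computed in unsigned arithmetic and stored as `int`; the `if (max_blocks < 1) return;` guard handles the negative case, but unsigned locals with an explicit `hashed_blocks >= max_blocks` check would make that intent clearer.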
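Review bot: in the 39_02 ciphertext_to_compressed hunk, `gnutls_datum_t data = {compressed->data, ciphertext->size};` and `preamble_size + ciphertext->size - tag_size - 1` both assume that `compressed->data` really holds `ciphertext->size` bytes (in-place decryption) and that `ciphertext->size > tag_size + 1`; the earlier minimum-length check is outside this hunk, so please confirm it rejects shorter records before this point, otherwise the unsigned subtraction wraps and dummy_wait's `plaintext->data+plaintext->size-tag_size-to_hash-1` reads before the buffer.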
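Review bot: in the 39_03 hunk the new SSL 3.0 branch `if (pad >= blocksize) pad_failed = 1;` is a conditional on `pad`, which comes from the decrypted record, whereas the TLS path right below it is deliberately written branch-free (`pad_failed |= ...`) to avoid a timing channel; `pad_failed |= (pad >= blocksize);` gives the same result without the data-dependent branch and keeps the two paths consistent.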
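Review bot: the 39_04 tests/priorities.c hunk hard-codes the new ciphersuite counts (`normal = 41`, `null = 4`, `sec128 = 37`, PFS 30, SECURE256 14, AES-128-CBC 4) taken from the upstream 3.5.x branch, but the patch header notes it was only unfuzzed for Debian 3.5.8, whose ciphersuite list may differ from 3.5.19's; please confirm the test suite was actually run for the stretch build so that these counts match, since a mismatch here would fail the build rather than silently pass.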