lucky13 counter-measures are incorrect for SHA384
In SHA384 we have used the wrong constants for the Lucky13 counter-measures (CVE-2018-10845).
Note that this attack affects GnuTLS clients and servers which communicate with a peer who does not support the encrypt-then-mac extension. We should consider dropping HMAC-SHA256 and HMAC-SHA384 (already removed in master for a different reason) from the default set of ciphersuites in 3.6.x, as they are only used for compatibility with older servers and clients (new ones should use AEAD or EtM), and provide no significant advantage over HMAC-SHA1 in these cases. We should also consider dropping them all, or part of them (e.g., SHA384), completely from the supported set of ciphersuites.
Should be addressed in:
- 3.6.x
- 3.5.x
- 3.3.x
Edited by Nikos Mavrogiannopoulos
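The issue above says the Lucky13 countermeasure was built with the wrong constants for SHA384. The following is an added illustration, not GnuTLS code and not the fix for this issue: it models why the countermeasure depends on per-hash constants. The Lucky13 countermeasure makes a CBC MAC check do the same number of hash compression-function calls regardless of how much padding the record turns out to have, by adding dummy compression calls up to the worst case. How many calls a given MAC input needs depends on the hash's Merkle-Damgard block size and length-field size (64 bytes and 8 bytes for SHA-1/SHA-256, 128 bytes and 16 bytes for SHA-384), so a countermeasure that uses the SHA-256 constants while the real MAC is HMAC-SHA384 no longer equalizes the work. The record and MAC sizes, the `HASH_PARAMS` table and all function names are constructed for this example.

```python
import math

# Constructed table: (compression block size, trailing length-field size) in bytes
# for the Merkle-Damgard hashes behind TLS HMAC ciphersuites.
HASH_PARAMS = {
    "sha1":   (64, 8),
    "sha256": (64, 8),
    "sha384": (128, 16),
}

# TLS MAC input prefix: seq_num(8) + type(1) + version(2) + length(2).
HEADER_LEN = 13


def compression_calls(msg_len, block_size, length_bytes):
    """Compression-function invocations needed to hash msg_len bytes, counting
    the mandatory 0x80 byte and the trailing length field of the padding."""
    return math.ceil((msg_len + 1 + length_bytes) / block_size)


def mac_compression_calls(hash_name, data_len):
    """Calls for the HMAC inner hash: one full block of key^ipad, then data_len
    bytes of header+plaintext (the outer hash is fixed-size and ignored here)."""
    block_size, length_bytes = HASH_PARAMS[hash_name]
    return compression_calls(block_size + data_len, block_size, length_bytes)


def mac_input_lengths(record_len, mac_size):
    """Every MAC input length (header + data) consistent with a decrypted CBC
    record body of record_len bytes: the padding occupies p+1 bytes, 0 <= p <= 255,
    and must fit after the MAC. The receiver cannot know p before checking it."""
    max_pad = min(255, record_len - mac_size - 1)
    return [HEADER_LEN + record_len - mac_size - (p + 1) for p in range(max_pad + 1)]


def mac_check_work(hash_name, param_name, record_len, mac_size):
    """For each possible padding length, the compression calls actually performed
    by the real HMAC (hash_name) plus the dummy calls a Lucky13-style countermeasure
    adds when it sizes the worst case with the constants of param_name.
    Returns the set of distinct totals; a correct countermeasure yields one value."""
    lengths = mac_input_lengths(record_len, mac_size)
    worst = mac_compression_calls(param_name, max(lengths))
    totals = set()
    for data_len in lengths:
        real = mac_compression_calls(hash_name, data_len)
        dummy = worst - mac_compression_calls(param_name, data_len)
        totals.add(real + dummy)
    return totals


def countermeasure_is_constant_time(hash_name, param_name, record_len, mac_size):
    """True when the total work is independent of the (secret) padding length."""
    return len(mac_check_work(hash_name, param_name, record_len, mac_size)) == 1


if __name__ == "__main__":
    # Constructed record: 256-byte CBC body carrying an HMAC-SHA384 (48-byte) tag.
    print("SHA384 MAC, SHA384 constants:",
          countermeasure_is_constant_time("sha384", "sha384", 256, 48))  # True
    print("SHA384 MAC, SHA256 constants:",
          countermeasure_is_constant_time("sha384", "sha256", 256, 48))  # False
    print("distinct work totals with wrong constants:",
          sorted(mac_check_work("sha384", "sha256", 256, 48)))
```

With the correct constants every padding length costs the same number of compression calls; with the SHA-256 constants the total varies with the padding length, which is exactly the timing signal the countermeasure exists to remove. This is also why the issue's suggested mitigation (prefer AEAD or the encrypt-then-mac extension, and drop the legacy HMAC-SHA256/SHA384 CBC suites from defaults) removes the problem at its root: with EtM or AEAD the MAC check no longer depends on decrypted padding at all.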